Diffstat (limited to 'meta/recipes-extended')
10 files changed, 234 insertions, 412 deletions
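diff --git a/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch b/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
deleted file mode 100644
index 78dcc1b636..0000000000
--- a/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
+++ /dev/null
@@ -1,402 +0,0 @@
-From 951bdaad7a18cc0dc1036bba86b18b90874d39ff Mon Sep 17 00:00:00 2001
-From: Chet Ramey <chet.ramey@case.edu>
-Date: Mon, 1 Jul 2019 09:03:53 -0400
-Subject: [PATCH] commit bash-20190628 snapshot
-
-An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11.
-By default, if Bash is run with its effective UID not equal to its real UID,
-it will drop privileges by setting its effective UID to its real UID.
-However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality,
-the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for
-runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore
-regains privileges. However, binaries running with an effective UID of 0 are unaffected.
-
-Upstream-Status: Backport [https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff]
-CVE: CVE-2019-18276
-Signed-off-by: Chet Ramey <chet.ramey@case.edu>
-Signed-off-by: De Huo <De.Huo@windriver.com>
----
-MANIFEST | 2 ++
-bashline.c | 50 +-------------------------------------------------
-builtins/help.def | 2 +-
-config.h.in | 10 +++++++++-
-configure | 11 +++++++++++
-configure.ac | 1 +
-doc/bash.1 | 3 ++-
-doc/bashref.texi | 3 ++-
-lib/glob/glob.c | 5 ++++-
-pathexp.c | 16 ++++++++++++++--
-shell.c | 8 ++++++++
-tests/glob.tests | 2 ++
-tests/glob6.sub | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
-tests/glob7.sub | 11 +++++++++++
-14 files changed, 122 insertions(+), 56 deletions(-)
-create mode 100644 tests/glob6.sub
-create mode 100644 tests/glob7.sub
-
-diff --git a/MANIFEST b/MANIFEST
-index 03de221..f9ccad7 100644
---- a/MANIFEST
-+++ b/MANIFEST
-@@ -1037,6 +1037,8 @@ tests/extglob3.tests f
-tests/extglob3.right f
-tests/extglob4.sub f
-tests/extglob5.sub f
-+tests/glob6.sub f
-+tests/glob7.sub f
-tests/func.tests f
-tests/func.right f
-tests/func1.sub f
-diff --git a/bashline.c b/bashline.c
-index 824ea9d..d86b47d 100644
---- a/bashline.c
-+++ b/bashline.c
-@@ -3718,55 +3718,7 @@ static int
-completion_glob_pattern (string)
-char *string;
-{
-- register int c;
-- char *send;
-- int open;
--
-- DECLARE_MBSTATE;
--
-- open = 0;
-- send = string + strlen (string);
--
-- while (c = *string++)
-- {
-- switch (c)
-- {
-- case '?':
-- case '*':
-- return (1);
--
-- case '[':
-- open++;
-- continue;
--
-- case ']':
-- if (open)
-- return (1);
-- continue;
--
-- case '+':
-- case '@':
-- case '!':
-- if (*string == '(') /*)*/
-- return (1);
-- continue;
--
-- case '\\':
-- if (*string++ == 0)
-- return (0);
-- }
--
-- /* Advance one fewer byte than an entire multibyte character to
-- account for the auto-increment in the loop above. */
--#ifdef HANDLE_MULTIBYTE
-- string--;
-- ADVANCE_CHAR_P (string, send - string);
-- string++;
--#else
-- ADVANCE_CHAR_P (string, send - string);
--#endif
-- }
-- return (0);
-+ return (glob_pattern_p (string) == 1);
-}
-
-static char *globtext;
-diff --git a/builtins/help.def b/builtins/help.def
-index 006c4b5..92f9b38 100644
---- a/builtins/help.def
-+++ b/builtins/help.def
-@@ -128,7 +128,7 @@ help_builtin (list)
-
-/* We should consider making `help bash' do something. */
-
-- if (glob_pattern_p (list->word->word))
-+ if (glob_pattern_p (list->word->word) == 1)
-{
-printf ("%s", ngettext ("Shell commands matching keyword `", "Shell commands matching keywords `", (list->next ? 2 : 1)));
-print_word_list (list, ", ");
-diff --git a/config.h.in b/config.h.in
-index 8554aec..ad4b1e8 100644
---- a/config.h.in
-+++ b/config.h.in
-@@ -1,6 +1,6 @@
-/* config.h -- Configuration file for bash. */
-
--/* Copyright (C) 1987-2009,2011-2012 Free Software Foundation, Inc.
-+/* Copyright (C) 1987-2009,2011-2012,2013-2019 Free Software Foundation, Inc.
-
-This file is part of GNU Bash, the Bourne Again SHell.
-
-@@ -807,6 +807,14 @@
-#undef HAVE_SETREGID
-#undef HAVE_DECL_SETREGID
-
-+/* Define if you have the setregid function. */
-+#undef HAVE_SETRESGID
-+#undef HAVE_DECL_SETRESGID
-+
-+/* Define if you have the setresuid function. */
-+#undef HAVE_SETRESUID
-+#undef HAVE_DECL_SETRESUID
-+
-/* Define if you have the setvbuf function. */
-#undef HAVE_SETVBUF
-
-diff --git a/configure b/configure
-index 2f62662..b3321c9 100755
---- a/configure
-+++ b/configure
-@@ -10281,6 +10281,17 @@ cat >>confdefs.h <<_ACEOF
-#define HAVE_DECL_SETREGID $ac_have_decl
-_ACEOF
-
-+ac_fn_c_check_decl "$LINENO" "" "ac_cv_have_decl_" "$ac_includes_default"
-+if test "x$ac_cv_have_decl_" = xyes; then :
-+ ac_have_decl=1
-+else
-+ ac_have_decl=0
-+fi
-+
-+cat >>confdefs.h <<_ACEOF
-+#define HAVE_DECL_ $ac_have_decl
-+_ACEOF
-+(setresuid, setresgid)
-ac_fn_c_check_decl "$LINENO" "strcpy" "ac_cv_have_decl_strcpy" "$ac_includes_default"
-if test "x$ac_cv_have_decl_strcpy" = xyes; then :
-ac_have_decl=1
-diff --git a/configure.ac b/configure.ac
-index 52b4cdb..549adef 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -810,6 +810,7 @@ AC_CHECK_DECLS([confstr])
-AC_CHECK_DECLS([printf])
-AC_CHECK_DECLS([sbrk])
-AC_CHECK_DECLS([setregid])
-+AC_CHECK_DECLS[(setresuid, setresgid])
-AC_CHECK_DECLS([strcpy])
-AC_CHECK_DECLS([strsignal])
-
-diff --git a/doc/bash.1 b/doc/bash.1
-index e6cd08d..9e58a0b 100644
---- a/doc/bash.1
-+++ b/doc/bash.1
-@@ -4681,7 +4681,8 @@ above).
-.PD
-.SH "SIMPLE COMMAND EXPANSION"
-When a simple command is executed, the shell performs the following
--expansions, assignments, and redirections, from left to right.
-+expansions, assignments, and redirections, from left to right, in
-+the following order.
-.IP 1.
-The words that the parser has marked as variable assignments (those
-preceding the command name) and redirections are saved for later
-diff --git a/doc/bashref.texi b/doc/bashref.texi
-index d33cd57..3065126 100644
---- a/doc/bashref.texi
-+++ b/doc/bashref.texi
-@@ -2964,7 +2964,8 @@ is not specified. If the file does not exist, it is created.
-@cindex command expansion
-
-When a simple command is executed, the shell performs the following
--expansions, assignments, and redirections, from left to right.
-+expansions, assignments, and redirections, from left to right, in
-+the following order.
-
-@enumerate
-@item
-diff --git a/lib/glob/glob.c b/lib/glob/glob.c
-index 398253b..2eaa33e 100644
---- a/lib/glob/glob.c
-+++ b/lib/glob/glob.c
-@@ -607,6 +607,7 @@ glob_vector (pat, dir, flags)
-register unsigned int i;
-int mflags; /* Flags passed to strmatch (). */
-int pflags; /* flags passed to sh_makepath () */
-+ int hasglob; /* return value from glob_pattern_p */
-int nalloca;
-struct globval *firstmalloc, *tmplink;
-char *convfn;
-@@ -648,10 +649,12 @@ glob_vector (pat, dir, flags)
-patlen = (pat && *pat) ? strlen (pat) : 0;
-
-/* If the filename pattern (PAT) does not contain any globbing characters,
-+ or contains a pattern with only backslash escapes (hasglob == 2),
-we can dispense with reading the directory, and just see if there is
-a filename `DIR/PAT'. If there is, and we can access it, just make the
-vector to return and bail immediately. */
-- if (skip == 0 && glob_pattern_p (pat) == 0)
-+ hasglob = 0;
-+ if (skip == 0 && (hasglob = glob_pattern_p (pat)) == 0 || hasglob == 2)
-{
-int dirlen;
-struct stat finfo;
-diff --git a/pathexp.c b/pathexp.c
-index c1bf2d8..e6c5392 100644
---- a/pathexp.c
-+++ b/pathexp.c
-@@ -58,7 +58,10 @@ int extended_glob = EXTGLOB_DEFAULT;
-/* Control enabling special handling of `**' */
-int glob_star = 0;
-
--/* Return nonzero if STRING has any unquoted special globbing chars in it. */
-+/* Return nonzero if STRING has any unquoted special globbing chars in it.
-+ This is supposed to be called when pathname expansion is performed, so
-+ it implements the rules in Posix 2.13.3, specifically that an unquoted
-+ slash cannot appear in a bracket expression. */
-int
-unquoted_glob_pattern_p (string)
-register char *string;
-@@ -85,10 +88,14 @@ unquoted_glob_pattern_p (string)
-continue;
-
-case ']':
-- if (open)
-+ if (open) /* XXX - if --open == 0? */
-return (1);
-continue;
-
-+ case '/':
-+ if (open)
-+ open = 0;
-+
-case '+':
-case '@':
-case '!':
-@@ -106,6 +113,11 @@ unquoted_glob_pattern_p (string)
-string++;
-continue;
-}
-+ else if (open && *string == '/')
-+ {
-+ string++; /* quoted slashes in bracket expressions are ok */
-+ continue;
-+ }
-else if (*string == 0)
-return (0);
-
-diff --git a/shell.c b/shell.c
-index a2b2a55..6adabc8 100644
---- a/shell.c
-+++ b/shell.c
-@@ -1293,7 +1293,11 @@ disable_priv_mode ()
-{
-int e;
-
-+#if HAVE_DECL_SETRESUID
-+ if (setresuid (current_user.uid, current_user.uid, current_user.uid) < 0)
-+#else
-if (setuid (current_user.uid) < 0)
-+#endif
-{
-e = errno;
-sys_error (_("cannot set uid to %d: effective uid %d"), current_user.uid, current_user.euid);
-@@ -1302,7 +1306,11 @@ disable_priv_mode ()
-exit (e);
-#endif
-}
-+#if HAVE_DECL_SETRESGID
-+ if (setresgid (current_user.gid, current_user.gid, current_user.gid) < 0)
-+#else
-if (setgid (current_user.gid) < 0)
-+#endif
-sys_error (_("cannot set gid to %d: effective gid %d"), current_user.gid, current_user.egid);
-
-current_user.euid = current_user.uid;
-diff --git a/tests/glob.tests b/tests/glob.tests
-index 01913bb..fb012f7 100644
---- a/tests/glob.tests
-+++ b/tests/glob.tests
-@@ -12,6 +12,8 @@ ${THIS_SH} ./glob1.sub
-${THIS_SH} ./glob2.sub
-${THIS_SH} ./glob3.sub
-${THIS_SH} ./glob4.sub
-+${THIS_SH} ./glob6.sub
-+${THIS_SH} ./glob7.sub
-
-MYDIR=$PWD # save where we are
-
-diff --git a/tests/glob6.sub b/tests/glob6.sub
-new file mode 100644
-index 0000000..b099811
---- /dev/null
-+++ b/tests/glob6.sub
-@@ -0,0 +1,54 @@
-+# tests of the backslash-in-glob-patterns discussion on the austin-group ML
-+
-+: ${TMPDIR:=/var/tmp}
-+
-+ORIG=$PWD
-+GLOBDIR=$TMPDIR/bash-glob-$$
-+mkdir $GLOBDIR && cd $GLOBDIR
-+
-+# does the pattern matcher allow backslashes as escape characters and remove
-+# them as part of matching?
-+touch abcdefg
-+pat='ab\cd*'
-+printf '<%s>\n' $pat
-+pat='\.'
-+printf '<%s>\n' $pat
-+rm abcdefg
-+
-+# how about when escaping pattern characters?
-+touch '*abc.c'
-+a='\**.c'
-+printf '%s\n' $a
-+rm -f '*abc.c'
-+
-+# how about when making the distinction between readable and searchable path
-+# components?
-+mkdir -m a=x searchable
-+mkdir -m a=r readable
-+
-+p='searchable/\.'
-+printf "%s\n" $p
-+
-+p='searchable/\./.'
-+printf "%s\n" $p
-+
-+p='readable/\.'
-+printf "%s\n" $p
-+
-+p='readable/\./.'
-+printf "%s\n" $p
-+
-+printf "%s\n" 'searchable/\.'
-+printf "%s\n" 'readable/\.'
-+
-+echo */.
-+
-+p='*/\.'
-+echo $p
-+
-+echo */'.'
-+
-+rmdir searchable readable
-+
-+cd $ORIG
-+rmdir $GLOBDIR
-diff --git a/tests/glob7.sub b/tests/glob7.sub
-new file mode 100644
-index 0000000..0212b8e
---- /dev/null
-+++ b/tests/glob7.sub
-@@ -0,0 +1,11 @@
-+# according to Posix 2.13.3, a slash in a bracket expression renders that
-+# bracket expression invalid
-+shopt -s nullglob
-+
-+echo 1: [qwe/qwe]
-+echo 2: [qwe/
-+echo 3: [qwe/]
-+
-+echo 4: [qwe\/qwe]
-+echo 5: [qwe\/
-+echo 6: [qwe\/]
---
-1.9.1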
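diff --git a/meta/recipes-extended/bash/bash_5.0.bb b/meta/recipes-extended/bash/bash_5.0.bb
index 1b7058746f..eadc82279d 100644
--- a/meta/recipes-extended/bash/bash_5.0.bb
+++ b/meta/recipes-extended/bash/bash_5.0.bb
@@ -19,7 +19,6 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
 file://run-ptest \
 file://run-bash-ptests \
 file://fix-run-builtins.patch \
-file://bash-CVE-2019-18276.patch \
 "
 
 SRC_URI[tarball.md5sum] = "2b44b47b905be16f45709648f671820b"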
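Review bot: With `file://bash-CVE-2019-18276.patch` dropped from SRC_URI and the recipe still at bash 5.0, nothing visible in this diff keeps the saved-UID fix for `disable_priv_mode` applied; the diffstat is limited to meta/recipes-extended, so a replacement may exist elsewhere. The deleted backport does look ineffective as written: its configure.ac line reads `AC_CHECK_DECLS[(setresuid, setresgid])` and the generated configure check has an empty symbol name, so `HAVE_DECL_SETRESUID` was probably never defined and the `setresuid` branch never compiled. That argues for a corrected backport rather than none. If the removal is intentional, record the reason and the CVE status next to SRC_URI, for example `# CVE-2019-18276: backport dropped, see <commit or bug reference>`.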
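diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch
new file mode 100644
index 0000000000..9bec7343f5
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-10216.patch
@@ -0,0 +1,53 @@
+From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 2 Aug 2019 15:18:26 +0100
+Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
+
+Upstream-Status: Backport [http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19]
+CVE: CVE-2019-10216
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+---
+Resource/Init/gs_type1.ps | 14 +++++++-------
+1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
+index 6c7735bc0..a039ccee3 100644
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+( to be the same as glyph: ) print 1 index //== exec } if
+3 index exch 3 index .forceput
+% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+- }
++ }executeonly
+{pop} ifelse
+- } forall
++ } executeonly forall
+pop pop
+- }
++ } executeonly
+{
+pop pop pop
+} ifelse
+- }
++ } executeonly
+{
+% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+pop pop
+} ifelse
+- } forall
++ } executeonly forall
+3 1 roll pop pop
+- } if
++ } executeonly if
+pop
+dup /.AGLprocessed~GS //true .forceput
+- } if
++ } executeonly if
+
+%% We need to excute the C .buildfont1 in a stopped context so that, if there
+%% are errors we can put the stack back sanely and exit. Otherwise callers won't
+--
+2.17.1
+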
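Review bot: The patch header carries only the upstream subject line, so nothing in the recipe explains what CVE-2019-10216 is or why every procedure enclosing `.forceput` gains `executeonly`; the screen and libarchive backports added in this same change do describe their issue. A short paragraph under the Subject would help the next person auditing the CVE list, along the lines of `.forceput stores into dictionaries regardless of their access attributes; the enclosing procedures are marked executeonly so PostScript code cannot read the operator back out of them` (my reading of the upstream fix, to be checked against the bug report). The hunk covers only part of gs_type1.ps, so whether other `.forceput` uses in that file are already protected cannot be confirmed from here.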
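diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
index 32f938f254..bbd17104e1 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
@@ -29,6 +29,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://CVE-2019-14817-0001.patch \
 file://CVE-2019-14817-0002.patch \
 file://CVE-2019-14869-0001.patch \
+file://CVE-2019-10216.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \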
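diff --git a/meta/recipes-extended/libarchive/libarchive/0001-RAR5-reader-reject-files-that-declare-invalid-header.patch b/meta/recipes-extended/libarchive/libarchive/0001-RAR5-reader-reject-files-that-declare-invalid-header.patch
new file mode 100644
index 0000000000..a84c1f1f76
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/0001-RAR5-reader-reject-files-that-declare-invalid-header.patch
@@ -0,0 +1,124 @@
+From c1fe0a8cc8dde8ba3eae3d17e34060d2d6e4eb96 Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sun, 2 Feb 2020 08:04:41 +0100
+Subject: [PATCH] RAR5 reader: reject files that declare invalid header flags
+
+One of the fields in RAR5's base block structure is the size of the
+header. Some invalid files declare a 0 header size setting, which can
+confuse the unpacker. Minimum header size for RAR5 base blocks is 7
+bytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0
+bytes should be rejected at header parsing stage.
+
+The fix adds an error condition if header size of 0 bytes is detected.
+In this case, the unpacker will not attempt to unpack the file, as the
+header is corrupted.
+
+The commit also adds OSSFuzz #20459 sample to test further regressions
+in this area.
+
+Upstream-Status: Backport[https://github.com/libarchive/libarchive/commit/94821008d6eea81e315c5881cdf739202961040a]
+CVE: CVE-2020-9308
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+Makefile.am | 1 +
+libarchive/archive_read_support_format_rar5.c | 17 +++++++++++++++--
+libarchive/test/test_read_format_rar5.c | 15 +++++++++++++++
+...d_format_rar5_block_size_is_too_small.rar.uu | 8 ++++++++
+4 files changed, 39 insertions(+), 2 deletions(-)
+create mode 100644 libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu
+
+diff --git a/Makefile.am b/Makefile.am
+index da78b24..01abf20 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -863,6 +863,7 @@ libarchive_test_EXTRA_DIST=\
+libarchive/test/test_read_format_rar5_symlink.rar.uu \
+libarchive/test/test_read_format_rar5_truncated_huff.rar.uu \
+libarchive/test/test_read_format_rar5_win32.rar.uu \
++ libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+libarchive/test/test_read_format_raw.bufr.uu \
+libarchive/test/test_read_format_raw.data.gz.uu \
+libarchive/test/test_read_format_raw.data.Z.uu \
+diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c
+index 7c24627..f73393c 100644
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -2034,6 +2034,8 @@ static int scan_for_signature(struct archive_read* a);
+static int process_base_block(struct archive_read* a,
+struct archive_entry* entry)
+{
++ const size_t SMALLEST_RAR5_BLOCK_SIZE = 3;
++
+struct rar5* rar = get_context(a);
+uint32_t hdr_crc, computed_crc;
+size_t raw_hdr_size = 0, hdr_size_len, hdr_size;
+@@ -2057,15 +2059,26 @@ static int process_base_block(struct archive_read* a,
+return ARCHIVE_EOF;
+}
+
++ hdr_size = raw_hdr_size + hdr_size_len;
++
+/* Sanity check, maximum header size for RAR5 is 2MB. */
+- if(raw_hdr_size > (2 * 1024 * 1024)) {
++ if(hdr_size > (2 * 1024 * 1024)) {
+archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+"Base block header is too large");
+
+return ARCHIVE_FATAL;
+}
+
+- hdr_size = raw_hdr_size + hdr_size_len;
++ /* Additional sanity checks to weed out invalid files. */
++ if(raw_hdr_size == 0 || hdr_size_len == 0 ||
++ hdr_size < SMALLEST_RAR5_BLOCK_SIZE)
++ {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Too small block encountered (%ld bytes)",
++ raw_hdr_size);
++
++ return ARCHIVE_FATAL;
++ }
+
+/* Read the whole header data into memory, maximum memory use here is
+* 2MB. */
+diff --git a/libarchive/test/test_read_format_rar5.c b/libarchive/test/test_read_format_rar5.c
+index 1408f37..32e7ed8 100644
+--- a/libarchive/test/test_read_format_rar5.c
++++ b/libarchive/test/test_read_format_rar5.c
+@@ -1194,3 +1194,18 @@ DEFINE_TEST(test_read_format_rar5_fileattr)
+
+EPILOGUE();
+}
++
++DEFINE_TEST(test_read_format_rar5_block_size_is_too_small)
++{
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_block_size_is_too_small.rar");
++
++ /* This file is damaged, so those functions should return failure.
++ * Additionally, SIGSEGV shouldn't be raised during execution
++ * of those functions. */
++
++ assertA(archive_read_next_header(a, &ae) != ARCHIVE_OK);
++ assertA(archive_read_data(a, buf, sizeof(buf)) <= 0);
++
++ EPILOGUE();
++}
+diff --git a/libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu b/libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu
+new file mode 100644
+index 0000000..5cad219
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu
+@@ -0,0 +1,8 @@
++begin 644 test_read_format_rar5_block_size_is_too_small.rar
++M4F%R(1H'`0"-[P+2``+'(!P,("`@N`,!`B`@("`@("`@("`@("`@("#_("`@
++M("`@("`@("`@((:Q;2!4-'-^4B`!((WO`M(``O\@$/\@-R`@("`@("`@("`@
++M``X@("`@("`@____("`@("`@(/\@("`@("`@("`@("#_(+6U,2"UM;6UM[CU
++M)B`@*(0G(`!.`#D\3R``(/__(,+_````-0#_($&%*/HE=C+N`"```"```"`D
++J`)$#("#_("#__P`@__\@_R#_("`@("`@("#_("#__R`@(/__("#__R`"
++`
++end
+--
+2.23.0
+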
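Review bot: The new error path in process_base_block formats `raw_hdr_size`, declared `size_t` a few lines above, with `%ld`; the types differ in signedness and, on some ABIs, in width, so the call should read `"Too small block encountered (%zu bytes)", raw_hdr_size` (assuming the archive_set_error formatter accepts `%zu`, which is not visible here; otherwise cast the argument to match). The patch description gives a 7-byte minimum while `SMALLEST_RAR5_BLOCK_SIZE` is 3, so a comment such as `/* excludes the 4-byte CRC already consumed */` on the constant would remove the apparent contradiction. The `Upstream-Status: Backport[https://…]` tag also lacks the space before the bracket that the other patches in this change use, which may matter to tooling that parses the tag. The function body continues outside the hunks shown.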
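diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
index c196382b07..db45ccf654 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
@@ -33,6 +33,7 @@ EXTRA_OECONF += "--enable-largefile"
 
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
 file://CVE-2019-19221.patch \
+file://0001-RAR5-reader-reject-files-that-declare-invalid-header.patch \
 "
 
 SRC_URI[md5sum] = "6046396255bd7cf6d0f6603a9bda39ac"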
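diff --git a/meta/recipes-extended/pam/libpam/pam.d/common-password b/meta/recipes-extended/pam/libpam/pam.d/common-password
index 3896057328..52478dae77 100644
--- a/meta/recipes-extended/pam/libpam/pam.d/common-password
+++ b/meta/recipes-extended/pam/libpam/pam.d/common-password
@@ -10,13 +10,10 @@
 # The "sha512" option enables salted SHA512 passwords. Without this option,
 # the default is Unix crypt. Prior releases used the option "md5".
 #
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
 # See the pam_unix manpage for other options.
 
 # here are the per-package modules (the "Primary" block)
-password [success=1 default=ignore] pam_unix.so obscure sha512
+password [success=1 default=ignore] pam_unix.so sha512
 # here's the fallback if no module succeeds
 password requisite pam_deny.so
 # prime the stack with a positive return value if there isn't one already;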
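Review bot: After this change the Primary block is just `pam_unix.so sha512`, and no password-quality module is visible in the stack, so nothing here checks password strength unless it is configured elsewhere. Whether `obscure` ever had an effect depends on the pam_unix build in use (it is a distribution-added option and may simply have been unrecognised), which would be worth stating as the reason for the removal. If strength checking is expected on images that ship this file, say so in the header comment, for example `# Password strength is not checked here; add minlen=N or a quality module if required.` The file continues past the end of the hunk.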
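diff --git a/meta/recipes-extended/screen/screen/CVE-2020-9366.patch b/meta/recipes-extended/screen/screen/CVE-2020-9366.patch
new file mode 100644
index 0000000000..a52b9e6e68
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2020-9366.patch
@@ -0,0 +1,48 @@
+From 8ce90c1d3d5bece150479d8bc9303fd9d9f45e03 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+Date: Thu, 30 Jan 2020 17:56:27 +0100
+Subject: [PATCH] Fix out of bounds access when setting w_xtermosc after OSC 49
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+echo -e "\e]49\e; \n\ec"
+crashes screen.
+
+This happens because 49 is divided by 10 and used as table index
+resulting in access to w_xtermosc[4], which is out of bounds with table
+itself being size 4. Increase size of table by 1 to 5, which is enough
+for all current uses.
+
+As this overwrites memory based on user input it is potential security
+issue.
+
+Reported-by: pippin@gimp.org
+Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?h=v.4.8.0&id=68386dfb1fa33471372a8cd2e74686758a2f527b]
+CVE: CVE-2020-9366
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+window.h | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/window.h b/window.h
+index bd10dcd..a8afa19 100644
+--- a/window.h
++++ b/window.h
+@@ -237,7 +237,7 @@ struct win
+char w_vbwait;
+char w_norefresh; /* dont redisplay when switching to that win */
+#ifdef RXVT_OSC
+- char w_xtermosc[4][MAXSTR]; /* special xterm/rxvt escapes */
++ char w_xtermosc[5][MAXSTR]; /* special xterm/rxvt escapes */
+#endif
+int w_mouse; /* mouse mode 0,9,1000 */
+#ifdef HAVE_BRAILLE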
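Review bot: Growing `w_xtermosc` to five rows covers the OSC 49 case, but per the patch description the row is chosen by dividing the OSC number by 10, and nothing in this hunk bounds that index, so the table size and the escape parser have to be kept in step by hand. The indexing code is outside the hunk; if it has no range check against the array's row count, adding one there would turn any future mismatch into an ignored escape rather than an out-of-bounds write. At minimum the declaration comment could record the coupling, e.g. `/* special xterm/rxvt escapes, indexed by OSC number / 10 (0..4) */`. The patch header also carries the From/MIME-Version/Content-Type block twice, which is harmless but could be trimmed.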
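diff --git a/meta/recipes-extended/screen/screen_4.6.2.bb b/meta/recipes-extended/screen/screen_4.6.2.bb
index 21b476ddb0..d00b849021 100644
--- a/meta/recipes-extended/screen/screen_4.6.2.bb
+++ b/meta/recipes-extended/screen/screen_4.6.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
 file://0001-fix-for-multijob-build.patch \
 file://0001-configure.ac-fix-configure-failed-while-build-dir-ha.patch \
 file://0001-Remove-more-compatibility-stuff.patch \
+file://CVE-2020-9366.patch \
 "
 
 SRC_URI[md5sum] = "a0f529d3333b128dfaa324d978ba73a8"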
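diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index f6bab1acb4..e542290c3c 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -4,7 +4,7 @@ SECTION = "base"
 LICENSE = "PD & BSD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2019c"
+PV = "2020a"
 
 SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \
 http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \
@@ -12,7 +12,7 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz
 
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzcode.md5sum] = "195a17454c5db05cab96595380650391"
-SRC_URI[tzcode.sha256sum] = "f6ebd3668e02d5ed223d3b7b1947561bf2d2da2f4bd1db61efefd9e06c167ed4"
-SRC_URI[tzdata.md5sum] = "f6987e6dfdb2eb83a1b5076a50b80894"
-SRC_URI[tzdata.sha256sum] = "79c7806dab09072308da0e3d22c37d3b245015a591891ea147d3b133b60ffc7c"
+SRC_URI[tzcode.md5sum] = "f87c3477e85a5c4b00df0def6c6a0055"
+SRC_URI[tzcode.sha256sum] = "7d2af7120ee03df71fbca24031ccaf42404752e639196fe93c79a41b38a6d669"
+SRC_URI[tzdata.md5sum] = "96a985bb8eeab535fb8aa2132296763a"
+SRC_URI[tzdata.sha256sum] = "547161eca24d344e0b5f96aff6a76b454da295dc14ed4ca50c2355043fb899a2"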