Diffstat (limited to 'meta/recipes-support')
33 files changed, 2212 insertions, 50 deletions
diff --git a/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch
new file mode 100644
index 0000000000..fd68461e32
--- /dev/null
+++ b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch | |||
@@ -0,0 +1,999 @@ | |||
1 | From de29341638833ba7717bd6b5e6850998454b044b Mon Sep 17 00:00:00 2001 | ||
2 | From: Kevin Atkinson <kevina@gnu.org> | ||
3 | Date: Sat, 17 Aug 2019 17:06:53 -0400 | ||
4 | Subject: [PATCH 1/2] Don't allow null-terminated UCS-2/4 strings using the | ||
5 | original API. | ||
6 | |||
7 | Detect if the encoding is UCS-2/4 and the length is -1 in affected API | ||
8 | functions and refuse to convert the string. If the string ends up | ||
9 | being converted somehow, abort with an error message in DecodeDirect | ||
10 | and ConvDirect. To convert a null terminated string in | ||
11 | Decode/ConvDirect, a negative number corresponding to the width of the | ||
12 | underlying character type for the encoding is expected; for example, | ||
13 | if the encoding is "ucs-2" then a the size is expected to be -2. | ||
14 | |||
15 | Also fix a 1-3 byte over-read in DecodeDirect when reading UCS-2/4 | ||
16 | strings when a size is provided (found by OSS-Fuzz). | ||
17 | |||
18 | Also fix a bug in DecodeDirect that caused DocumentChecker to return | ||
19 | the wrong offsets when working with UCS-2/4 strings. | ||
20 | |||
21 | CVE: CVE-2019-20433 | ||
22 | Upstream-Status: Backport [https://github.com/GNUAspell/aspell/commit/de29341638833ba7717bd6b5e6850998454b044b] | ||
23 | |||
24 | [SG: - adjusted context | ||
25 | - discarded test changes as test framework is not available | ||
26 | - discarded manual entry changes for features that aren't backported] | ||
27 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> | ||
28 | --- | ||
29 | auto/MkSrc/CcHelper.pm | 99 ++++++++++++++++++++++++++++++++++--- | ||
30 | auto/MkSrc/Create.pm | 5 +- | ||
31 | auto/MkSrc/Info.pm | 5 +- | ||
32 | auto/MkSrc/ProcCc.pm | 24 +++++---- | ||
33 | auto/MkSrc/ProcImpl.pm | 57 +++++++++++++++------ | ||
34 | auto/MkSrc/Read.pm | 4 +- | ||
35 | auto/mk-src.in | 44 +++++++++++++++-- | ||
36 | common/convert.cpp | 39 ++++++++++++--- | ||
37 | common/convert.hpp | 38 +++++++++++++- | ||
38 | common/document_checker.cpp | 17 ++++++- | ||
39 | common/document_checker.hpp | 1 + | ||
40 | common/version.cpp | 15 ++++-- | ||
41 | configure.ac | 8 +++ | ||
42 | manual/aspell.texi | 58 ++++++++++++++++------ | ||
43 | manual/readme.texi | 70 +++++++++++++++++++++----- | ||
44 | 15 files changed, 409 insertions(+), 75 deletions(-) | ||
45 | |||
46 | diff --git a/auto/MkSrc/CcHelper.pm b/auto/MkSrc/CcHelper.pm | ||
47 | index f2de991..0044335 100644 | ||
48 | --- a/auto/MkSrc/CcHelper.pm | ||
49 | +++ b/auto/MkSrc/CcHelper.pm | ||
50 | @@ -10,8 +10,8 @@ BEGIN { | ||
51 | use Exporter; | ||
52 | our @ISA = qw(Exporter); | ||
53 | our @EXPORT = qw(to_c_return_type c_error_cond | ||
54 | - to_type_name make_desc make_func call_func | ||
55 | - make_c_method call_c_method form_c_method | ||
56 | + to_type_name make_desc make_func call_func get_c_func_name | ||
57 | + make_c_method make_wide_macro call_c_method form_c_method | ||
58 | make_cxx_method); | ||
59 | } | ||
60 | |||
61 | @@ -90,6 +90,69 @@ sub make_func ( $ \@ $ ; \% ) { | ||
62 | ')')); | ||
63 | } | ||
64 | |||
65 | +=item make_wide_version NAME @TYPES PARMS ; %ACCUM | ||
66 | + | ||
67 | +Creates the wide character version of the function if needed | ||
68 | + | ||
69 | +=cut | ||
70 | + | ||
71 | +sub make_wide_version ( $ \@ $ ; \% ) { | ||
72 | + my ($name, $d, $p, $accum) = @_; | ||
73 | + my @d = @$d; | ||
74 | + shift @d; | ||
75 | + return '' unless grep {$_->{type} eq 'encoded string'} @d; | ||
76 | + $accum->{sys_headers}{'stddef.h'} = true; | ||
77 | + $accum->{suffix}[5] = <<'---'; | ||
78 | + | ||
79 | +/******************* private implemantion details *********************/ | ||
80 | + | ||
81 | +#ifdef __cplusplus | ||
82 | +# define aspell_cast_(type, expr) (static_cast<type>(expr)) | ||
83 | +# define aspell_cast_from_wide_(str) (static_cast<const void *>(str)) | ||
84 | +#else | ||
85 | +# define aspell_cast_(type, expr) ((type)(expr)) | ||
86 | +# define aspell_cast_from_wide_(str) ((const char *)(str)) | ||
87 | +#endif | ||
88 | +--- | ||
89 | + my @parms = map {$_->{type} eq 'encoded string' | ||
90 | + ? ($_->{name}, $_->{name}.'_size') | ||
91 | + : $_->{name}} @d; | ||
92 | + $name = to_lower $name; | ||
93 | + $accum->{suffix}[0] = <<'---'; | ||
94 | +/**********************************************************************/ | ||
95 | + | ||
96 | +#ifdef ASPELL_ENCODE_SETTING_SECURE | ||
97 | +--- | ||
98 | + $accum->{suffix}[2] = "#endif\n"; | ||
99 | + my @args = map {$_->{type} eq 'encoded string' | ||
100 | + ? ($_->{name}, "$_->{name}_size", '-1') | ||
101 | + : $_->{name}} @d; | ||
102 | + $accum->{suffix}[1] .= | ||
103 | + (join '', | ||
104 | + "#define $name", | ||
105 | + '(', join(', ', @parms), ')', | ||
106 | + "\\\n ", | ||
107 | + $name, '_wide', | ||
108 | + '(', join(', ', @args), ')', | ||
109 | + "\n"); | ||
110 | + @args = map {$_->{type} eq 'encoded string' | ||
111 | + ? ("aspell_cast_from_wide_($_->{name})", | ||
112 | + "$_->{name}_size*aspell_cast_(int,sizeof(*($_->{name})))", | ||
113 | + "sizeof(*($_->{name}))") | ||
114 | + : $_->{name}} @d; | ||
115 | + return (join '', | ||
116 | + "\n", | ||
117 | + "/* version of $name that is safe to use with (null terminated) wide characters */\n", | ||
118 | + '#define ', | ||
119 | + $name, '_w', | ||
120 | + '(', join(', ', @parms), ')', | ||
121 | + "\\\n ", | ||
122 | + $name, '_wide', | ||
123 | + '(', join(', ', @args), ')', | ||
124 | + "\n"); | ||
125 | +} | ||
126 | + | ||
127 | + | ||
128 | =item call_func NAME @TYPES PARMS ; %ACCUM | ||
129 | |||
130 | Return a string to call a func. Will prefix the function with return | ||
131 | @@ -103,7 +166,6 @@ Parms can be any of: | ||
132 | |||
133 | sub call_func ( $ \@ $ ; \% ) { | ||
134 | my ($name, $d, $p, $accum) = @_; | ||
135 | - $accum = {} unless defined $accum; | ||
136 | my @d = @$d; | ||
137 | my $func_ret = to_type_name(shift @d, {%$p,pos=>'return'}, %$accum); | ||
138 | return (join '', | ||
139 | @@ -148,8 +210,14 @@ sub to_type_name ( $ $ ; \% ) { | ||
140 | my $name = $t->{name}; | ||
141 | my $type = $t->{type}; | ||
142 | |||
143 | - return ( (to_type_name {%$d, type=>'string'}, $p, %$accum) , | ||
144 | - (to_type_name {%$d, type=>'int', name=>"$d->{name}_size"}, $p, %$accum) ) | ||
145 | + if ($name eq 'encoded string' && $is_cc && $pos eq 'parm') { | ||
146 | + my @types = ((to_type_name {%$d, type=>($p->{wide}?'const void pointer':'string')}, $p, %$accum), | ||
147 | + (to_type_name {%$d, type=>'int', name=>"$d->{name}_size"}, $p, %$accum)); | ||
148 | + push @types, (to_type_name {%$d, type=>'int', name=>"$d->{name}_type_width"}, $p, %$accum) if $p->{wide}; | ||
149 | + return @types; | ||
150 | + } | ||
151 | + return ( (to_type_name {%$d, type=>($p->{wide}?'const void pointer':'string')}, $p, %$accum) , | ||
152 | + (to_type_name {%$d, type=>'int', name=>"$d->{name}_size"}, $p, %$accum) ) | ||
153 | if $name eq 'encoded string' && $is_cc && $pos eq 'parm'; | ||
154 | |||
155 | my $str; | ||
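Review bot: The `return ( ... ) if $name eq 'encoded string' && $is_cc && $pos eq 'parm';` statement that follows the new `if` block can never run, because the block tests the same condition and always ends in `return @types;`. It looks like a leftover from adjusting context during the backport. Dropping those three lines leaves a single code path for encoded-string parameters, so the `wide` handling cannot drift between two copies. to_type_name starts and continues outside this hunk.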
156 | @@ -174,7 +242,7 @@ sub to_type_name ( $ $ ; \% ) { | ||
157 | $str .= "String"; | ||
158 | } | ||
159 | } elsif ($name eq 'encoded string') { | ||
160 | - $str .= "const char *"; | ||
161 | + $str .= $p->{wide} ? "const void *" : "const char *"; | ||
162 | } elsif ($name eq '') { | ||
163 | $str .= "void"; | ||
164 | } elsif ($name eq 'bool' && $is_cc) { | ||
165 | @@ -186,7 +254,7 @@ sub to_type_name ( $ $ ; \% ) { | ||
166 | if ($t->{pointer}) { | ||
167 | $accum->{types}->{$name} = $t; | ||
168 | } else { | ||
169 | - $accum->{headers}->{$t->{created_in}} = true; | ||
170 | + $accum->{headers}->{$t->{created_in}} = true unless $mode eq 'cc'; | ||
171 | } | ||
172 | $str .= "$c_type Aspell" if $mode eq 'cc'; | ||
173 | $str .= to_mixed($name); | ||
174 | @@ -214,6 +282,7 @@ sub to_type_name ( $ $ ; \% ) { | ||
175 | return $str; | ||
176 | } | ||
177 | |||
178 | + | ||
179 | =item make_desc DESC ; LEVEL | ||
180 | |||
181 | Make a C comment out of DESC optionally indenting it LEVEL spaces. | ||
182 | @@ -286,6 +355,7 @@ sub form_c_method ($ $ $ ; \% ) | ||
183 | } else { | ||
184 | $func = "aspell $class $name"; | ||
185 | } | ||
186 | + $func .= " wide" if $p->{wide}; | ||
187 | if (exists $d->{'const'}) { | ||
188 | splice @data, 1, 0, {type => "const $class", name=> $this_name}; | ||
189 | } else { | ||
190 | @@ -306,6 +376,21 @@ sub make_c_method ($ $ $ ; \%) | ||
191 | return &make_func(@ret); | ||
192 | } | ||
193 | |||
194 | +sub get_c_func_name ($ $ $) | ||
195 | +{ | ||
196 | + my @ret = &form_c_method(@_); | ||
197 | + return undef unless @ret > 0; | ||
198 | + return to_lower $ret[0]; | ||
199 | +} | ||
200 | + | ||
201 | +sub make_wide_macro ($ $ $ ; \%) | ||
202 | +{ | ||
203 | + my @ret = &form_c_method(@_); | ||
204 | + return undef unless @ret > 0; | ||
205 | + my $str = &make_wide_version(@ret); | ||
206 | + return $str; | ||
207 | +} | ||
208 | + | ||
209 | sub call_c_method ($ $ $ ; \%) | ||
210 | { | ||
211 | my @ret = &form_c_method(@_); | ||
212 | diff --git a/auto/MkSrc/Create.pm b/auto/MkSrc/Create.pm | ||
213 | index d39b60e..630ede5 100644 | ||
214 | --- a/auto/MkSrc/Create.pm | ||
215 | +++ b/auto/MkSrc/Create.pm | ||
216 | @@ -77,8 +77,10 @@ sub create_cc_file ( % ) { | ||
217 | $file .= "#include \"aspell.h\"\n" if $p{type} eq 'cxx'; | ||
218 | $file .= "#include \"settings.h\"\n" if $p{type} eq 'native_impl' && $p{name} eq 'errors'; | ||
219 | $file .= "#include \"gettext.h\"\n" if $p{type} eq 'native_impl' && $p{name} eq 'errors'; | ||
220 | + $file .= cmap {"#include <$_>\n"} sort keys %{$accum{sys_headers}}; | ||
221 | $file .= cmap {"#include \"".to_lower($_).".hpp\"\n"} sort keys %{$accum{headers}}; | ||
222 | - $file .= "#ifdef __cplusplus\nextern \"C\" {\n#endif\n" if $p{header} && !$p{cxx}; | ||
223 | + $file .= "\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n" if $p{header} && !$p{cxx}; | ||
224 | + $file .= join('', grep {defined $_} @{$accum{prefix}}); | ||
225 | $file .= "\nnamespace $p{namespace} {\n\n" if $p{cxx}; | ||
226 | if (defined $info{forward}{proc}{$p{type}}) { | ||
227 | my @types = sort {$a->{name} cmp $b->{name}} (values %{$accum{types}}); | ||
228 | @@ -86,6 +88,7 @@ sub create_cc_file ( % ) { | ||
229 | } | ||
230 | $file .= "\n"; | ||
231 | $file .= $body; | ||
232 | + $file .= join('', grep {defined $_} @{$accum{suffix}}); | ||
233 | $file .= "\n\n}\n\n" if $p{cxx}; | ||
234 | $file .= "#ifdef __cplusplus\n}\n#endif\n" if $p{header} && !$p{cxx}; | ||
235 | $file .= "#endif /* $hm */\n" if $p{header}; | ||
236 | diff --git a/auto/MkSrc/Info.pm b/auto/MkSrc/Info.pm | ||
237 | index c644028..ace8e21 100644 | ||
238 | --- a/auto/MkSrc/Info.pm | ||
239 | +++ b/auto/MkSrc/Info.pm | ||
240 | @@ -60,6 +60,7 @@ each proc sub should take the following argv | ||
241 | the object from which it is a member of | ||
242 | no native: do not attempt to create a native implementation | ||
243 | treat as object: treat as a object rather than a pointer | ||
244 | + no conv: do not converted an encoded string | ||
245 | |||
246 | The %info structure is initialized as follows: | ||
247 | |||
248 | @@ -104,8 +105,8 @@ The %info structure is initialized as follows: | ||
249 | errors => {}, # possible errors | ||
250 | method => { | ||
251 | # A class method | ||
252 | - options => ['desc', 'posib err', 'c func', 'const', | ||
253 | - 'c only', 'c impl', 'cxx impl'], | ||
254 | + options => ['desc', 'posib err', 'c func', 'const', 'no conv', 'on conv error', | ||
255 | + 'c only', 'c impl', 'cxx impl', 'cc extra'], | ||
256 | groups => undef}, | ||
257 | constructor => { | ||
258 | # A class constructor | ||
259 | diff --git a/auto/MkSrc/ProcCc.pm b/auto/MkSrc/ProcCc.pm | ||
260 | index 47c4338..98cc435 100644 | ||
261 | --- a/auto/MkSrc/ProcCc.pm | ||
262 | +++ b/auto/MkSrc/ProcCc.pm | ||
263 | @@ -23,7 +23,7 @@ use MkSrc::Info; | ||
264 | sub make_c_object ( $ @ ); | ||
265 | |||
266 | $info{group}{proc}{cc} = sub { | ||
267 | - my ($data) = @_; | ||
268 | + my ($data,@rest) = @_; | ||
269 | my $ret; | ||
270 | my $stars = (70 - length $data->{name})/2; | ||
271 | $ret .= "/"; | ||
272 | @@ -33,14 +33,14 @@ $info{group}{proc}{cc} = sub { | ||
273 | $ret .= "/\n"; | ||
274 | foreach my $d (@{$data->{data}}) { | ||
275 | $ret .= "\n\n"; | ||
276 | - $ret .= $info{$d->{type}}{proc}{cc}->($d); | ||
277 | + $ret .= $info{$d->{type}}{proc}{cc}->($d,@rest); | ||
278 | } | ||
279 | $ret .= "\n\n"; | ||
280 | return $ret; | ||
281 | }; | ||
282 | |||
283 | $info{enum}{proc}{cc} = sub { | ||
284 | - my ($d) = @_; | ||
285 | + my ($d,@rest) = @_; | ||
286 | my $n = "Aspell".to_mixed($d->{name}); | ||
287 | return ("\n". | ||
288 | make_desc($d->{desc}). | ||
289 | @@ -58,21 +58,26 @@ $info{struct}{proc}{cc} = sub { | ||
290 | }; | ||
291 | |||
292 | $info{union}{proc}{cc} = sub { | ||
293 | - return make_c_object "union", $_[0]; | ||
294 | + return make_c_object "union", @_; | ||
295 | }; | ||
296 | |||
297 | $info{class}{proc}{cc} = sub { | ||
298 | - my ($d) = @_; | ||
299 | + my ($d,$accum) = @_; | ||
300 | my $class = $d->{name}; | ||
301 | my $classname = "Aspell".to_mixed($class); | ||
302 | my $ret = ""; | ||
303 | $ret .= "typedef struct $classname $classname;\n\n"; | ||
304 | foreach (@{$d->{data}}) { | ||
305 | - my $s = make_c_method($class, $_, {mode=>'cc'}); | ||
306 | + my $s = make_c_method($class, $_, {mode=>'cc'}, %$accum); | ||
307 | next unless defined $s; | ||
308 | $ret .= "\n"; | ||
309 | $ret .= make_desc($_->{desc}); | ||
310 | - $ret .= make_c_method($class, $_, {mode=>'cc'}).";\n"; | ||
311 | + $ret .= make_c_method($class, $_, {mode=>'cc'}, %$accum).";\n"; | ||
312 | + if (grep {$_->{type} eq 'encoded string'} @{$_->{data}}) { | ||
313 | + $ret .= make_c_method($class, $_, {mode=>'cc', wide=>true}, %$accum).";\n"; | ||
314 | + $ret .= make_wide_macro($class, $_, {mode=>'cc'}, %$accum); | ||
315 | + } | ||
316 | + $ret .= "\n".$_->{'cc extra'}."\n" if defined $_->{'cc extra'}; | ||
317 | } | ||
318 | $ret .= "\n"; | ||
319 | return $ret; | ||
320 | @@ -105,7 +110,8 @@ $info{errors}{proc}{cc} = sub { | ||
321 | }; | ||
322 | |||
323 | sub make_c_object ( $ @ ) { | ||
324 | - my ($t, $d) = @_; | ||
325 | + my ($t, $d, $accum) = @_; | ||
326 | + $accum = {} unless defined $accum; | ||
327 | my $struct; | ||
328 | $struct .= "Aspell"; | ||
329 | $struct .= to_mixed($d->{name}); | ||
330 | @@ -120,7 +126,7 @@ sub make_c_object ( $ @ ) { | ||
331 | "\n};\n"), | ||
332 | "typedef $t $struct $struct;", | ||
333 | join ("\n", | ||
334 | - map {make_c_method($d->{name}, $_, {mode=>'cc'}).";"} | ||
335 | + map {make_c_method($d->{name}, $_, {mode=>'cc'}, %$accum).";"} | ||
336 | grep {$_->{type} eq 'method'} | ||
337 | @{$d->{data}}) | ||
338 | )."\n"; | ||
339 | diff --git a/auto/MkSrc/ProcImpl.pm b/auto/MkSrc/ProcImpl.pm | ||
340 | index b8628fd..3d0f220 100644 | ||
341 | --- a/auto/MkSrc/ProcImpl.pm | ||
342 | +++ b/auto/MkSrc/ProcImpl.pm | ||
343 | @@ -45,10 +45,13 @@ $info{class}{proc}{impl} = sub { | ||
344 | foreach (grep {$_ ne ''} split /\s*,\s*/, $data->{'c impl headers'}) { | ||
345 | $accum->{headers}{$_} = true; | ||
346 | } | ||
347 | - foreach my $d (@{$data->{data}}) { | ||
348 | + my @d = @{$data->{data}}; | ||
349 | + while (@d) { | ||
350 | + my $d = shift @d; | ||
351 | + my $need_wide = false; | ||
352 | next unless one_of $d->{type}, qw(method constructor destructor); | ||
353 | my @parms = @{$d->{data}} if exists $d->{data}; | ||
354 | - my $m = make_c_method $data->{name}, $d, {mode=>'cc_cxx', use_name=>true}, %$accum; | ||
355 | + my $m = make_c_method $data->{name}, $d, {mode=>'cc_cxx', use_name=>true, wide=>$d->{wide}}, %$accum; | ||
356 | next unless defined $m; | ||
357 | $ret .= "extern \"C\" $m\n"; | ||
358 | $ret .= "{\n"; | ||
359 | @@ -57,24 +60,49 @@ $info{class}{proc}{impl} = sub { | ||
360 | } else { | ||
361 | if ($d->{type} eq 'method') { | ||
362 | my $ret_type = shift @parms; | ||
363 | - my $ret_native = to_type_name $ret_type, {mode=>'native_no_err', pos=>'return'}, %$accum; | ||
364 | + my $ret_native = to_type_name $ret_type, {mode=>'native_no_err', pos=>'return', wide=>$d->{wide}}, %$accum; | ||
365 | my $snum = 0; | ||
366 | + my $call_fun = $d->{name}; | ||
367 | + my @call_parms; | ||
368 | foreach (@parms) { | ||
369 | my $n = to_lower($_->{name}); | ||
370 | - if ($_->{type} eq 'encoded string') { | ||
371 | - $accum->{headers}{'mutable string'} = true; | ||
372 | - $accum->{headers}{'convert'} = true; | ||
373 | - $ret .= " ths->temp_str_$snum.clear();\n"; | ||
374 | - $ret .= " ths->to_internal_->convert($n, ${n}_size, ths->temp_str_$snum);\n"; | ||
375 | - $ret .= " unsigned int s$snum = ths->temp_str_$snum.size();\n"; | ||
376 | - $_ = "MutableString(ths->temp_str_$snum.mstr(), s$snum)"; | ||
377 | - $snum++; | ||
378 | + if ($_->{type} eq 'encoded string' && !exists($d->{'no conv'})) { | ||
379 | + $need_wide = true unless $d->{wide}; | ||
380 | + die unless exists $d->{'posib err'}; | ||
381 | + $accum->{headers}{'mutable string'} = true; | ||
382 | + $accum->{headers}{'convert'} = true; | ||
383 | + my $name = get_c_func_name $data->{name}, $d, {mode=>'cc_cxx', use_name=>true, wide=>$d->{wide}}; | ||
384 | + $ret .= " ths->temp_str_$snum.clear();\n"; | ||
385 | + if ($d->{wide}) { | ||
386 | + $ret .= " ${n}_size = get_correct_size(\"$name\", ths->to_internal_->in_type_width(), ${n}_size, ${n}_type_width);\n"; | ||
387 | + } else { | ||
388 | + $ret .= " PosibErr<int> ${n}_fixed_size = get_correct_size(\"$name\", ths->to_internal_->in_type_width(), ${n}_size);\n"; | ||
389 | + if (exists($d->{'on conv error'})) { | ||
390 | + $ret .= " if (${n}_fixed_size.get_err()) {\n"; | ||
391 | + $ret .= " ".$d->{'on conv error'}."\n"; | ||
392 | + $ret .= " } else {\n"; | ||
393 | + $ret .= " ${n}_size = ${n}_fixed_size;\n"; | ||
394 | + $ret .= " }\n"; | ||
395 | + } else { | ||
396 | + $ret .= " ths->err_.reset(${n}_fixed_size.release_err());\n"; | ||
397 | + $ret .= " if (ths->err_ != 0) return ".(c_error_cond $ret_type).";\n"; | ||
398 | + } | ||
399 | + } | ||
400 | + $ret .= " ths->to_internal_->convert($n, ${n}_size, ths->temp_str_$snum);\n"; | ||
401 | + $ret .= " unsigned int s$snum = ths->temp_str_$snum.size();\n"; | ||
402 | + push @call_parms, "MutableString(ths->temp_str_$snum.mstr(), s$snum)"; | ||
403 | + $snum++; | ||
404 | + } elsif ($_->{type} eq 'encoded string') { | ||
405 | + $need_wide = true unless $d->{wide}; | ||
406 | + push @call_parms, $n, "${n}_size"; | ||
407 | + push @call_parms, "${n}_type_width" if $d->{wide}; | ||
408 | + $call_fun .= " wide" if $d->{wide}; | ||
409 | } else { | ||
410 | - $_ = $n; | ||
411 | + push @call_parms, $n; | ||
412 | } | ||
413 | } | ||
414 | - my $parms = '('.(join ', ', @parms).')'; | ||
415 | - my $exp = "ths->".to_lower($d->{name})."$parms"; | ||
416 | + my $parms = '('.(join ', ', @call_parms).')'; | ||
417 | + my $exp = "ths->".to_lower($call_fun)."$parms"; | ||
418 | if (exists $d->{'posib err'}) { | ||
419 | $accum->{headers}{'posib err'} = true; | ||
420 | $ret .= " PosibErr<$ret_native> ret = $exp;\n"; | ||
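Review bot: `die unless exists $d->{'posib err'};` stops the generator with only Perl's default message, so a mk-src.in method that declares an encoded string without `posib err` fails without naming the offending entry. The check matters because the generated non-wide wrapper reports a rejected size through `ths->err_`, so it is worth making the failure readable: `die "method '$d->{name}': encoded string parameters require 'posib err'\n" unless exists $d->{'posib err'};`. The enclosing sub begins and ends outside this hunk.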
421 | @@ -118,6 +146,7 @@ $info{class}{proc}{impl} = sub { | ||
422 | } | ||
423 | } | ||
424 | $ret .= "}\n\n"; | ||
425 | + unshift @d,{%$d, wide=>true} if $need_wide; | ||
426 | } | ||
427 | return $ret; | ||
428 | }; | ||
429 | diff --git a/auto/MkSrc/Read.pm b/auto/MkSrc/Read.pm | ||
430 | index 4b3d1d0..4bf640e 100644 | ||
431 | --- a/auto/MkSrc/Read.pm | ||
432 | +++ b/auto/MkSrc/Read.pm | ||
433 | @@ -88,13 +88,13 @@ sub advance ( ) { | ||
434 | $in_pod = $1 if $line =~ /^\=(\w+)/; | ||
435 | $line = '' if $in_pod; | ||
436 | $in_pod = undef if $in_pod && $in_pod eq 'cut'; | ||
437 | - $line =~ s/\#.*$//; | ||
438 | + $line =~ s/(?<!\\)\#.*$//; | ||
439 | $line =~ s/^(\t*)//; | ||
440 | $level = $base_level + length($1); | ||
441 | $line =~ s/\s*$//; | ||
442 | ++$base_level if $line =~ s/^\{$//; | ||
443 | --$base_level if $line =~ s/^\}$//; | ||
444 | - $line =~ s/\\([{}])/$1/g; | ||
445 | + $line =~ s/\\([{}#\\])/$1/g; | ||
446 | } while ($line eq ''); | ||
447 | #print "$level:$line\n"; | ||
448 | } | ||
449 | diff --git a/auto/mk-src.in b/auto/mk-src.in | ||
450 | index 0e7833a..eb3353f 100644 | ||
451 | --- a/auto/mk-src.in | ||
452 | +++ b/auto/mk-src.in | ||
453 | @@ -608,6 +608,7 @@ errors: | ||
454 | invalid expression | ||
455 | mesg => "%expression" is not a valid regular expression. | ||
456 | parms => expression | ||
457 | + | ||
458 | } | ||
459 | group: speller | ||
460 | { | ||
461 | @@ -650,6 +651,7 @@ class: speller | ||
462 | posib err | ||
463 | desc => Returns 0 if it is not in the dictionary, | ||
464 | 1 if it is, or -1 on error. | ||
465 | + on conv error => return 0; | ||
466 | / | ||
467 | bool | ||
468 | encoded string: word | ||
469 | @@ -715,6 +717,8 @@ class: speller | ||
470 | desc => Return NULL on error. | ||
471 | The word list returned by suggest is only | ||
472 | valid until the next call to suggest. | ||
473 | + on conv error => | ||
474 | + word = NULL; word_size = 0; | ||
475 | / | ||
476 | const word list | ||
477 | encoded string: word | ||
478 | @@ -840,7 +844,6 @@ class: document checker | ||
479 | void | ||
480 | |||
481 | method: process | ||
482 | - | ||
483 | desc => Process a string. | ||
484 | The string passed in should only be split on | ||
485 | white space characters. Furthermore, between | ||
486 | @@ -849,10 +852,10 @@ class: document checker | ||
487 | in the document. Passing in strings out of | ||
488 | order, skipping strings or passing them in | ||
489 | more than once may lead to undefined results. | ||
490 | + no conv | ||
491 | / | ||
492 | void | ||
493 | - string: str | ||
494 | - int: size | ||
495 | + encoded string: str | ||
496 | |||
497 | method: next misspelling | ||
498 | |||
499 | @@ -860,9 +863,23 @@ class: document checker | ||
500 | processed string. If there are no more | ||
501 | misspelled words, then token.word will be | ||
502 | NULL and token.size will be 0 | ||
503 | + cc extra => | ||
504 | + \#define aspell_document_checker_next_misspelling_w(type, ths) \\ | ||
505 | + aspell_document_checker_next_misspelling_adj(ths, sizeof(type)) | ||
506 | / | ||
507 | token object | ||
508 | |||
509 | + method: next misspelling adj | ||
510 | + desc => internal: do not use | ||
511 | + c impl => | ||
512 | + Token res = ths->next_misspelling(); | ||
513 | + res.offset /= type_width; | ||
514 | + res.len /= type_width; | ||
515 | + return res; | ||
516 | + / | ||
517 | + token object | ||
518 | + int: type_width | ||
519 | + | ||
520 | method: filter | ||
521 | |||
522 | desc => Returns the underlying filter class. | ||
523 | @@ -922,9 +939,30 @@ class: string enumeration | ||
524 | ths->from_internal_->append_null(ths->temp_str); | ||
525 | return ths->temp_str.data(); | ||
526 | \} | ||
527 | + cc extra => | ||
528 | + \#define aspell_string_enumeration_next_w(type, ths) \\ | ||
529 | + aspell_cast_(const type *, aspell_string_enumeration_next_wide(ths, sizeof(type))) | ||
530 | / | ||
531 | const string | ||
532 | |||
533 | + method: next wide | ||
534 | + c impl => | ||
535 | + const char * s = ths->next(); | ||
536 | + if (s == 0) { | ||
537 | + return s; | ||
538 | + } else if (ths->from_internal_ == 0) \{ | ||
539 | + assert(type_width == 1); | ||
540 | + return s; | ||
541 | + \} else \{ | ||
542 | + assert(type_width == ths->from_internal_->out_type_width()); | ||
543 | + ths->temp_str.clear(); | ||
544 | + ths->from_internal_->convert(s,-1,ths->temp_str); | ||
545 | + ths->from_internal_->append_null(ths->temp_str); | ||
546 | + return ths->temp_str.data(); | ||
547 | + \} | ||
548 | + / | ||
549 | + const void pointer | ||
550 | + int: type_width | ||
551 | } | ||
552 | group: info | ||
553 | { | ||
554 | diff --git a/common/convert.cpp b/common/convert.cpp | ||
555 | index 1add95a..7ae0317 100644 | ||
556 | --- a/common/convert.cpp | ||
557 | +++ b/common/convert.cpp | ||
558 | @@ -541,18 +541,25 @@ namespace acommon { | ||
559 | // Trivial Conversion | ||
560 | // | ||
561 | |||
562 | + const char * unsupported_null_term_wide_string_msg = | ||
563 | + "Null-terminated wide-character strings unsupported when used this way."; | ||
564 | + | ||
565 | template <typename Chr> | ||
566 | struct DecodeDirect : public Decode | ||
567 | { | ||
568 | + DecodeDirect() {type_width = sizeof(Chr);} | ||
569 | void decode(const char * in0, int size, FilterCharVector & out) const { | ||
570 | const Chr * in = reinterpret_cast<const Chr *>(in0); | ||
571 | - if (size == -1) { | ||
572 | + if (size == -sizeof(Chr)) { | ||
573 | for (;*in; ++in) | ||
574 | - out.append(*in); | ||
575 | + out.append(*in, sizeof(Chr)); | ||
576 | + } else if (size <= -1) { | ||
577 | + fprintf(stderr, "%s\n", unsupported_null_term_wide_string_msg); | ||
578 | + abort(); | ||
579 | } else { | ||
580 | - const Chr * stop = reinterpret_cast<const Chr *>(in0 +size); | ||
581 | + const Chr * stop = reinterpret_cast<const Chr *>(in0) + size/sizeof(Chr); | ||
582 | for (;in != stop; ++in) | ||
583 | - out.append(*in); | ||
584 | + out.append(*in, sizeof(Chr)); | ||
585 | } | ||
586 | } | ||
587 | PosibErr<void> decode_ec(const char * in0, int size, | ||
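Review bot: `if (size == -sizeof(Chr))` in DecodeDirect::decode compares a signed `int` with a negated `size_t`, so the test only works through unsigned wraparound and will trip sign-compare warnings. The same expression appears in ConvDirect::convert in the next hunk. Writing the sentinel as a signed value keeps the null-terminated check readable next to the `size <= -1` branch: `if (size == -static_cast<int>(sizeof(Chr)))`. A short comment on `size/sizeof(Chr)` saying that a trailing partial character is deliberately dropped would document the over-read fix named in the commit message. DecodeDirect continues past the end of this hunk.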
588 | @@ -565,6 +572,7 @@ namespace acommon { | ||
589 | template <typename Chr> | ||
590 | struct EncodeDirect : public Encode | ||
591 | { | ||
592 | + EncodeDirect() {type_width = sizeof(Chr);} | ||
593 | void encode(const FilterChar * in, const FilterChar * stop, | ||
594 | CharVector & out) const { | ||
595 | for (; in != stop; ++in) { | ||
596 | @@ -594,11 +602,15 @@ namespace acommon { | ||
597 | template <typename Chr> | ||
598 | struct ConvDirect : public DirectConv | ||
599 | { | ||
600 | + ConvDirect() {type_width = sizeof(Chr);} | ||
601 | void convert(const char * in0, int size, CharVector & out) const { | ||
602 | - if (size == -1) { | ||
603 | + if (size == -sizeof(Chr)) { | ||
604 | const Chr * in = reinterpret_cast<const Chr *>(in0); | ||
605 | for (;*in != 0; ++in) | ||
606 | out.append(in, sizeof(Chr)); | ||
607 | + } else if (size <= -1) { | ||
608 | + fprintf(stderr, "%s\n", unsupported_null_term_wide_string_msg); | ||
609 | + abort(); | ||
610 | } else { | ||
611 | out.append(in0, size); | ||
612 | } | ||
613 | @@ -1121,5 +1133,20 @@ namespace acommon { | ||
614 | } | ||
615 | return 0; | ||
616 | } | ||
617 | - | ||
618 | + | ||
619 | + PosibErr<void> unsupported_null_term_wide_string_err_(const char * func) { | ||
620 | + static bool reported_to_stderr = false; | ||
621 | + PosibErr<void> err = make_err(other_error, unsupported_null_term_wide_string_msg); | ||
622 | + if (!reported_to_stderr) { | ||
623 | + CERR.printf("ERROR: %s: %s\n", func, unsupported_null_term_wide_string_msg); | ||
624 | + reported_to_stderr = true; | ||
625 | + } | ||
626 | + return err; | ||
627 | + } | ||
628 | + | ||
629 | + void unsupported_null_term_wide_string_abort_(const char * func) { | ||
630 | + CERR.printf("%s: %s\n", unsupported_null_term_wide_string_msg); | ||
631 | + abort(); | ||
632 | + } | ||
633 | + | ||
634 | } | ||
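Review bot: In unsupported_null_term_wide_string_abort_ the call `CERR.printf("%s: %s\n", unsupported_null_term_wide_string_msg);` has two `%s` conversions but only one argument, and the `func` parameter is never used. If CERR.printf follows printf semantics, the second `%s` reads an argument that was not passed, which is undefined behaviour on the path that is supposed to report the misuse before `abort()`. The sibling unsupported_null_term_wide_string_err_ passes both values, so the fix is `CERR.printf("%s: %s\n", func, unsupported_null_term_wide_string_msg);`.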
635 | diff --git a/common/convert.hpp b/common/convert.hpp | ||
636 | index 76332ee..c948973 100644 | ||
637 | --- a/common/convert.hpp | ||
638 | +++ b/common/convert.hpp | ||
639 | @@ -7,6 +7,8 @@ | ||
640 | #ifndef ASPELL_CONVERT__HPP | ||
641 | #define ASPELL_CONVERT__HPP | ||
642 | |||
643 | +#include "settings.h" | ||
644 | + | ||
645 | #include "string.hpp" | ||
646 | #include "posib_err.hpp" | ||
647 | #include "char_vector.hpp" | ||
648 | @@ -25,8 +27,9 @@ namespace acommon { | ||
649 | typedef const Config CacheConfig; | ||
650 | typedef const char * CacheKey; | ||
651 | String key; | ||
652 | + int type_width; // type width in bytes | ||
653 | bool cache_key_eq(const char * l) const {return key == l;} | ||
654 | - ConvBase() {} | ||
655 | + ConvBase() : type_width(1) {} | ||
656 | private: | ||
657 | ConvBase(const ConvBase &); | ||
658 | void operator=(const ConvBase &); | ||
659 | @@ -56,6 +59,8 @@ namespace acommon { | ||
660 | virtual ~Encode() {} | ||
661 | }; | ||
662 | struct DirectConv { // convert directly from in_code to out_code. | ||
663 | + int type_width; // type width in bytes | ||
664 | + DirectConv() : type_width(1) {} | ||
665 | // should not take ownership of decode and encode. | ||
666 | // decode and encode guaranteed to stick around for the life | ||
667 | // of the object. | ||
668 | @@ -126,6 +131,9 @@ namespace acommon { | ||
669 | const char * in_code() const {return decode_->key.c_str();} | ||
670 | const char * out_code() const {return encode_->key.c_str();} | ||
671 | |||
672 | + int in_type_width() const {return decode_->type_width;} | ||
673 | + int out_type_width() const {return encode_->type_width;} | ||
674 | + | ||
675 | void append_null(CharVector & out) const | ||
676 | { | ||
677 | const char nul[4] = {0,0,0,0}; // 4 should be enough | ||
678 | @@ -191,6 +199,10 @@ namespace acommon { | ||
679 | } | ||
680 | } | ||
681 | |||
682 | + void convert(const void * in, int size, CharVector & out) { | ||
683 | + convert(static_cast<const char *>(in), size, out); | ||
684 | + } | ||
685 | + | ||
686 | void generic_convert(const char * in, int size, CharVector & out); | ||
687 | |||
688 | }; | ||
689 | @@ -412,6 +424,30 @@ namespace acommon { | ||
690 | return operator()(str, str + byte_size);} | ||
691 | }; | ||
692 | |||
693 | +#ifdef SLOPPY_NULL_TERM_STRINGS | ||
694 | + static const bool sloppy_null_term_strings = true; | ||
695 | +#else | ||
696 | + static const bool sloppy_null_term_strings = false; | ||
697 | +#endif | ||
698 | + | ||
699 | + PosibErr<void> unsupported_null_term_wide_string_err_(const char * func); | ||
700 | + void unsupported_null_term_wide_string_abort_(const char * func); | ||
701 | + | ||
702 | + static inline PosibErr<int> get_correct_size(const char * func, int conv_type_width, int size) { | ||
703 | + if (sloppy_null_term_strings && size <= -1) | ||
704 | + return -conv_type_width; | ||
705 | + if (size <= -1 && -conv_type_width != size) | ||
706 | + return unsupported_null_term_wide_string_err_(func); | ||
707 | + return size; | ||
708 | + } | ||
709 | + static inline int get_correct_size(const char * func, int conv_type_width, int size, int type_width) { | ||
710 | + if ((sloppy_null_term_strings || type_width <= -1) && size <= -1) | ||
711 | + return -conv_type_width; | ||
712 | + if (size <= -1 && conv_type_width != type_width) | ||
713 | + unsupported_null_term_wide_string_abort_(func); | ||
714 | + return size; | ||
715 | + } | ||
716 | + | ||
717 | } | ||
718 | |||
719 | #endif | ||
720 | diff --git a/common/document_checker.cpp b/common/document_checker.cpp | ||
721 | index 5e510c4..0ccf1cd 100644 | ||
722 | --- a/common/document_checker.cpp | ||
723 | +++ b/common/document_checker.cpp | ||
724 | @@ -44,7 +44,9 @@ namespace acommon { | ||
725 | void DocumentChecker::process(const char * str, int size) | ||
726 | { | ||
727 | proc_str_.clear(); | ||
728 | - conv_->decode(str, size, proc_str_); | ||
729 | + PosibErr<int> fixed_size = get_correct_size("aspell_document_checker_process", conv_->in_type_width(), size); | ||
730 | + if (!fixed_size.has_err()) | ||
731 | + conv_->decode(str, fixed_size, proc_str_); | ||
732 | proc_str_.append(0); | ||
733 | FilterChar * begin = proc_str_.pbegin(); | ||
734 | FilterChar * end = proc_str_.pend() - 1; | ||
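Review bot: When get_correct_size returns an error, `process` skips `decode` and carries on with a `proc_str_` that holds only the terminator. A rejected null-terminated UCS-2/4 string is therefore handled as an empty document, and the `void` return gives the caller no signal. A comment at the `if` would record that this is intended, for example `// size rejected: leave proc_str_ empty so no misspellings are reported`. Whether the unread error held in `fixed_size` needs explicit handling depends on PosibErr, which is not visible on this page.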
735 | @@ -53,6 +55,19 @@ namespace acommon { | ||
736 | tokenizer_->reset(begin, end); | ||
737 | } | ||
738 | |||
739 | + void DocumentChecker::process_wide(const void * str, int size, int type_width) | ||
740 | + { | ||
741 | + proc_str_.clear(); | ||
742 | + int fixed_size = get_correct_size("aspell_document_checker_process", conv_->in_type_width(), size, type_width); | ||
743 | + conv_->decode(static_cast<const char *>(str), fixed_size, proc_str_); | ||
744 | + proc_str_.append(0); | ||
745 | + FilterChar * begin = proc_str_.pbegin(); | ||
746 | + FilterChar * end = proc_str_.pend() - 1; | ||
747 | + if (filter_) | ||
748 | + filter_->process(begin, end); | ||
749 | + tokenizer_->reset(begin, end); | ||
750 | + } | ||
751 | + | ||
752 | Token DocumentChecker::next_misspelling() | ||
753 | { | ||
754 | bool correct; | ||
755 | diff --git a/common/document_checker.hpp b/common/document_checker.hpp | ||
756 | index d35bb88..11a3c73 100644 | ||
757 | --- a/common/document_checker.hpp | ||
758 | +++ b/common/document_checker.hpp | ||
759 | @@ -36,6 +36,7 @@ namespace acommon { | ||
760 | PosibErr<void> setup(Tokenizer *, Speller *, Filter *); | ||
761 | void reset(); | ||
762 | void process(const char * str, int size); | ||
763 | + void process_wide(const void * str, int size, int type_width); | ||
764 | Token next_misspelling(); | ||
765 | |||
766 | Filter * filter() {return filter_;} | ||
767 | diff --git a/common/version.cpp b/common/version.cpp | ||
768 | index 414d938..9e60b75 100644 | ||
769 | --- a/common/version.cpp | ||
770 | +++ b/common/version.cpp | ||
771 | @@ -1,8 +1,17 @@ | ||
772 | #include "settings.h" | ||
773 | |||
774 | -extern "C" const char * aspell_version_string() { | ||
775 | #ifdef NDEBUG | ||
776 | - return VERSION " NDEBUG"; | ||
777 | +# define NDEBUG_STR " NDEBUG" | ||
778 | +#else | ||
779 | +# define NDEBUG_STR | ||
780 | +#endif | ||
781 | + | ||
782 | +#ifdef SLOPPY_NULL_TERM_STRINGS | ||
783 | +# define SLOPPY_STR " SLOPPY" | ||
784 | +#else | ||
785 | +# define SLOPPY_STR | ||
786 | #endif | ||
787 | - return VERSION; | ||
788 | + | ||
789 | +extern "C" const char * aspell_version_string() { | ||
790 | + return VERSION NDEBUG_STR SLOPPY_STR; | ||
791 | } | ||
792 | diff --git a/configure.ac b/configure.ac | ||
793 | index 60e3b39..a5d51e3 100644 | ||
794 | --- a/configure.ac | ||
795 | +++ b/configure.ac | ||
796 | @@ -73,6 +73,9 @@ AC_ARG_ENABLE(filter-version-control, | ||
797 | AC_ARG_ENABLE(32-bit-hash-fun, | ||
798 | AS_HELP_STRING([--enable-32-bit-hash-fun],[use 32-bit hash function for compiled dictionaries])) | ||
799 | |||
800 | +AC_ARG_ENABLE(sloppy-null-term-strings, | ||
801 | + AS_HELP_STRING([--enable-sloppy-null-term-strings],[allows allow null terminated UCS-2 and UCS-4 strings])) | ||
802 | + | ||
803 | AC_ARG_ENABLE(pspell-compatibility, | ||
804 | AS_HELP_STRING([--disable-pspell-compatibility],[don't install pspell compatibility libraries])) | ||
805 | |||
806 | @@ -141,6 +144,11 @@ then | ||
807 | AC_DEFINE(USE_32_BIT_HASH_FUN, 1, [Defined if 32-bit hash function should be used for compiled dictionaries.]) | ||
808 | fi | ||
809 | |||
810 | +if test "$enable_sloppy_null_term_strings" = "yes" | ||
811 | +then | ||
812 | + AC_DEFINE(SLOPPY_NULL_TERM_STRINGS, 1, [Defined if null-terminated UCS-2 and UCS-4 strings should always be allowed.]) | ||
813 | +fi | ||
814 | + | ||
815 | AM_CONDITIONAL(PSPELL_COMPATIBILITY, | ||
816 | [test "$enable_pspell_compatibility" != "no"]) | ||
817 | AM_CONDITIONAL(INCREMENTED_SONAME, | ||
818 | diff --git a/manual/aspell.texi b/manual/aspell.texi | ||
819 | index 45fa091..f400e06 100644 | ||
820 | --- a/manual/aspell.texi | ||
821 | +++ b/manual/aspell.texi | ||
822 | @@ -158,7 +158,8 @@ Installing | ||
823 | |||
824 | * Generic Install Instructions:: | ||
825 | * HTML Manuals and "make clean":: | ||
826 | -* Curses Notes:: | ||
827 | +* Curses Notes:: | ||
828 | +* Upgrading from Aspell 0.60.7:: | ||
829 | * Loadable Filter Notes:: | ||
830 | * Upgrading from Aspell 0.50:: | ||
831 | * Upgrading from Aspell .33/Pspell .12:: | ||
832 | @@ -2206,18 +2207,26 @@ int correct = aspell_speller_check(spell_checker, @var{word}, @var{size}); | ||
833 | @end smallexample | ||
834 | |||
835 | @noindent | ||
836 | -@var{word} is expected to be a @code{const char *} character | ||
837 | -string. If the encoding is set to be @code{ucs-2} or | ||
838 | -@code{ucs-4} @var{word} is expected to be a cast | ||
839 | -from either @code{const u16int *} or @code{const u32int *} | ||
840 | -respectively. @code{u16int} and @code{u32int} are generally | ||
841 | -@code{unsigned short} and @code{unsigned int} respectively. | ||
842 | -@var{size} is the length of the string or @code{-1} if the string | ||
843 | -is null terminated. If the string is a cast from @code{const u16int | ||
844 | -*} or @code{const u32int *} then @code{@i{size}} is the amount of | ||
845 | -space in bytes the string takes up after being cast to @code{const | ||
846 | -char *} and not the true size of the string. @code{sspell_speller_check} | ||
847 | -will return @code{0} if it is not found and non-zero otherwise. | ||
848 | +@var{word} is expected to be a @code{const char *} character string. | ||
849 | +@var{size} is the length of the string or @code{-1} if the string is | ||
850 | +null terminated. @code{aspell_speller_check} will return @code{0} if it is not found | ||
851 | +and non-zero otherwise. | ||
852 | + | ||
853 | +If you are using the @code{ucs-2} or @code{ucs-4} encoding then the | ||
854 | +string is expected to be either a 2 or 4 byte wide integer | ||
855 | +(respectively) and the @code{_w} macro vesion should be used: | ||
856 | + | ||
857 | +@smallexample | ||
858 | +int correct = aspell_speller_check_w(spell_checker, @var{word}, @var{size}); | ||
859 | +@end smallexample | ||
860 | + | ||
861 | +The macro will cast the string to to the correct type and convert | ||
862 | +@var{size} into bytes for you and then a call the special wide version of the | ||
863 | +function that will make sure the encoding is correct for the type | ||
864 | +passed in. For compatibility with older versions of Aspell the normal | ||
865 | +non-wide functions can still be used provided that the size of the | ||
866 | +string, in bytes, is also passed in. Null terminated @code{ucs-2} or | ||
867 | +@code{ucs-4} are no longer supported when using the non-wide functions. | ||
868 | |||
869 | If the word is not correct, then the @code{suggest} method can be used | ||
870 | to come up with likely replacements. | ||
871 | @@ -2236,7 +2245,28 @@ delete_aspell_string_enumeration(elements); | ||
872 | |||
873 | Notice how @code{elements} is deleted but @code{suggestions} is not. | ||
874 | The value returned by @code{suggestions} is only valid to the next | ||
875 | -call to @code{suggest}. Once a replacement is made the | ||
876 | +call to @code{suggest}. | ||
877 | + | ||
878 | +If you are using the @code{ucs-2} or @code{ucs-4} encoding then, in | ||
879 | +addition to using the @code{_w} macro for the @code{suggest} method, you | ||
880 | +should also use the @code{_w} macro with the @code{next} method which | ||
881 | +will cast the string to the correct type for you. For example, if you | ||
882 | +are using the @code{ucs-2} encoding and the string is a @code{const | ||
883 | +uint16_t *} then you should use: | ||
884 | + | ||
885 | +@smallexample | ||
886 | +AspellWordList * suggestions = aspell_speller_suggest_w(spell_checker, | ||
887 | + @var{word}, @var{size}); | ||
888 | +AspellStringEnumeration * elements = aspell_word_list_elements(suggestions); | ||
889 | +const uint16_t * word; | ||
890 | +while ( (word = aspell_string_enumeration_next_w(uint16_t, aspell_elements)) != NULL ) | ||
891 | +@{ | ||
892 | + // add to suggestion list | ||
893 | +@} | ||
894 | +delete_aspell_string_enumeration(elements); | ||
895 | +@end smallexample | ||
896 | + | ||
897 | +Once a replacement is made the | ||
898 | @code{store_repl} method should be used to communicate the replacement | ||
899 | pair back to the spell checker (for the reason, @pxref{Notes on | ||
900 | Storing Replacement Pairs}). Its usage is as follows: | ||
901 | diff --git a/manual/readme.texi b/manual/readme.texi | ||
902 | index 669ab8e..531721f 100644 | ||
903 | --- a/manual/readme.texi | ||
904 | +++ b/manual/readme.texi | ||
905 | @@ -15,15 +15,16 @@ The latest version can always be found at GNU Aspell's home page at | ||
906 | @uref{http://aspell.net}. | ||
907 | |||
908 | @menu | ||
909 | -* Generic Install Instructions:: | ||
910 | -* HTML Manuals and "make clean":: | ||
911 | -* Curses Notes:: | ||
912 | -* Loadable Filter Notes:: | ||
913 | -* Using 32-Bit Dictionaries on a 64-Bit System:: | ||
914 | -* Upgrading from Aspell 0.50:: | ||
915 | -* Upgrading from Aspell .33/Pspell .12:: | ||
916 | -* Upgrading from a Pre-0.50 snapshot:: | ||
917 | -* WIN32 Notes:: | ||
918 | +* Generic Install Instructions:: | ||
919 | +* HTML Manuals and "make clean":: | ||
920 | +* Curses Notes:: | ||
921 | +* Upgrading from Aspell 0.60.7:: | ||
922 | +* Loadable Filter Notes:: | ||
923 | +* Using 32-Bit Dictionaries on a 64-Bit System:: | ||
924 | +* Upgrading from Aspell 0.50:: | ||
925 | +* Upgrading from Aspell .33/Pspell .12:: | ||
926 | +* Upgrading from a Pre-0.50 snapshot:: | ||
927 | +* WIN32 Notes:: | ||
928 | @end menu | ||
929 | |||
930 | @node Generic Install Instructions | ||
931 | @@ -121,17 +122,62 @@ In addition your system must also support the @code{mblen} function. | ||
932 | Although this function was defined in the ISO C89 standard (ANSI | ||
933 | X3.159-1989), not all systems have it. | ||
934 | |||
935 | +@node Upgrading from Aspell 0.60.7 | ||
936 | +@appendixsec Upgrading from Aspell 0.60.7 | ||
937 | + | ||
938 | +To prevent a potentially unbounded buffer over-read, Aspell no longer | ||
939 | +supports null-terminated UCS-2 and UCS-4 encoded strings with the | ||
940 | +original C API. Null-termianted 8-bit or UTF-8 encoded strings are | ||
941 | +still supported, as are UCS-2 and UCS-4 encoded strings when the | ||
942 | +length is passed in. | ||
943 | + | ||
944 | +As of Aspell 0.60.8 a function from the original API that expects an | ||
945 | +encoded string as a parameter will return meaningless results (or an | ||
946 | +error code) if string is null terminated and the encoding is set to | ||
947 | +@code{ucs-2} or @code{ucs-4}. In addition, a single: | ||
948 | +@example | ||
949 | +ERROR: aspell_speller_check: Null-terminated wide-character strings unsupported when used this way. | ||
950 | +@end example | ||
951 | +will be printed to standard error the first time one of those | ||
952 | +functions is called. | ||
953 | + | ||
954 | +Application that use null-terminated UCS-2/4 strings should either (1) | ||
955 | +use the interface intended for working with wide-characters | ||
956 | +(@xref{Through the C API}); or (2) define | ||
957 | +@code{ASPELL_ENCODE_SETTING_SECURE} before including @code{aspell.h}. | ||
958 | +In the latter case is is important that the application explicitly | ||
959 | +sets the encoding to a known value. Defining | ||
960 | +@code{ASPELL_ENCODE_SETTING_SECURE} and not setting the encoding | ||
961 | +explicitly or allowing user of the application to set the encoding | ||
962 | +could result in an unbounded buffer over-read. | ||
963 | + | ||
964 | +If it is necessary to preserve binary compatibility with older | ||
965 | +versions of Aspell, the easiest thing would be to determine the length | ||
966 | +of the UCS-2/4 string---in bytes---and pass that in. Due to an | ||
967 | +implemenation detail, existing API functions can be made to work with | ||
968 | +null-terminated UCS-2/4 strings safely by passing in either @code{-2} | ||
969 | +or @code{-4} (corresponding to the width of the character type) as the | ||
970 | +size. Doing so, however, will cause a buffer over-read for unpatched | ||
971 | +version of Aspell. To avoid this it will be necessary to parse the | ||
972 | +version string to determine the correct value to use. However, no | ||
973 | +official support will be provided for the latter method. | ||
974 | + | ||
975 | +If the application can not be recompiled, then Aspell can be configured | ||
976 | +to preserve the old behavior by passing | ||
977 | +@option{--enable-sloppy-null-term-strings} to @command{configure}. When Aspell | ||
978 | +is compiled this way the version string will include the string | ||
979 | +@samp{ SLOPPY}. | ||
980 | + | ||
981 | @node Loadable Filter Notes | ||
982 | @appendixsec Loadable Filter Notes | ||
983 | - | ||
984 | + | ||
985 | Support for being able to load additional filter modules at run-time | ||
986 | has only been verified to work on Linux platforms. If you get linker | ||
987 | errors when trying to use a filter, then it is likely that loadable | ||
988 | filter support is not working yet on your platform. Thus, in order to | ||
989 | get Aspell to work correctly you will need to avoid compiling the | ||
990 | filters as individual modules by using the | ||
991 | -@option{--enable-compile-in-filters} when configuring Aspell with | ||
992 | -@command{./configure}. | ||
993 | +@option{--enable-compile-in-filters} @command{configure} option. | ||
994 | |||
995 | @node Using 32-Bit Dictionaries on a 64-Bit System | ||
996 | @appendixsec Using 32-Bit Dictionaries on a 64-Bit System | ||
997 | -- | ||
998 | 2.17.1 | ||
999 | |||
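--- /dev/null
+++ b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0002.patch
@@ -0,0 +1,68 @@
+From cefd447e5528b08bb0cd6656bc52b4255692cefc Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 17 Aug 2019 20:25:21 -0400
+Subject: [PATCH 2/2] Increment library version to reflect API changes.
+
+CVE: CVE-2019-20433
+Upstream-Status: Backport [https://github.com/GNUAspell/aspell/commit/cefd447e5528b08bb0cd6656bc52b4255692cefc]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+Makefile.am | 31 +++++++++++++++++--------------
+1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 7e15851..19dc044 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -94,18 +94,25 @@ libaspell_la_SOURCES =\
+
+libaspell_la_LIBADD = $(LTLIBINTL) $(PTHREAD_LIB)
+
+-## Libtool to so name
+-## C:R:A => (C-A).(A).(R)
+-## 16:5:0 => 16.0.5
+-## 16:5:1 => 15.1.5
+-## 18:0:2 => 16.2.0
+-## 17:0:2 => 15.2.0
+-
++## The version string is current[:revision[:age]]
++##
++## Before a release that has changed the source code at all
++## increment revision.
++##
++## After merging changes that have changed the API in a backwards
++## comptable way set revision to 0 and bump both current and age.
++##
++## Do not change the API in a backwards incompatible way.
++##
++## See "Libtool: Updating version info"
++## (https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html)
++## for more into
++##
+if INCREMENTED_SONAME
+-libaspell_la_LDFLAGS = -version-info 18:0:2 -no-undefined
++libaspell_la_LDFLAGS = -version-info 19:0:3 -no-undefined
+else
+## Use C-1:R:A
+-libaspell_la_LDFLAGS = -version-info 17:0:2 -no-undefined
++libaspell_la_LDFLAGS = -version-info 18:0:3 -no-undefined
+endif
+
+if PSPELL_COMPATIBILITY
+@@ -113,11 +120,7 @@ libpspell_la_SOURCES = lib/dummy.cpp
+
+libpspell_la_LIBADD = libaspell.la
+
+-if INCREMENTED_SONAME
+-libpspell_la_LDFLAGS = -version-info 18:0:2 -no-undefined
+-else
+-libpspell_la_LDFLAGS = -version-info 17:0:2 -no-undefined
+-endif
++libpspell_la_LDFLAGS = $(libaspell_la_LDFLAGS)
+
+endif
+
+--
+2.17.1
+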
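--- a/meta/recipes-support/aspell/aspell_0.60.7.bb
+++ b/meta/recipes-support/aspell/aspell_0.60.7.bb
@@ -8,6 +8,8 @@ PR = "r1"
 
 SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \
 file://0001-Fix-various-bugs-found-by-OSS-Fuze.patch \
+file://CVE-2019-20433-0001.patch \
+file://CVE-2019-20433-0002.patch \
 "
 SRC_URI[md5sum] = "8ef2252609c511cd2bb26f3a3932ef28"
 SRC_URI[sha256sum] = "5ca8fc8cb0370cc6c9eb5b64c6d1bc5d57b3750dbf17887726c3407d833b70e4"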
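--- a/meta/recipes-support/attr/acl_2.2.52.bb
+++ b/meta/recipes-support/attr/acl_2.2.52.bb
@@ -25,6 +25,9 @@ SRC_URI[sha256sum] = "179074bb0580c06c4b4137be4c5a92a701583277967acdb5546043c787
 
 require ea-acl.inc
 
+# Has issues with newer versions of make
+PARALLEL_MAKEINST = ""
+
 # avoid RPATH hardcode to staging dir
 do_configure_append() {
 sed -i ${S}/config.status -e s,^\\\(hardcode_into_libs=\\\).*$,\\1\'no\',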
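Review bot: The comment `# Has issues with newer versions of make` above `PARALLEL_MAKEINST = ""` does not say what fails or with which make release, so nobody can later tell when the serialised install can be dropped. Recording the symptom and version, for example `# parallel "make install" fails with make <VERSION>: <symptom>`, would make the workaround reviewable. The same applies to the identical addition in attr_2.4.47.bb. The hunk ends inside do_configure_append, which this change does not touch.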
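--- a/meta/recipes-support/attr/attr_2.4.47.bb
+++ b/meta/recipes-support/attr/attr_2.4.47.bb
@@ -12,4 +12,7 @@ SRC_URI += "file://attr-Missing-configure.ac.patch \
 SRC_URI[md5sum] = "84f58dec00b60f2dc8fd1c9709291cc7"
 SRC_URI[sha256sum] = "25772f653ac5b2e3ceeb89df50e4688891e21f723c460636548971652af0a859"
 
+# Has issues with newer versions of make
+PARALLEL_MAKEINST = ""
+
 BBCLASSEXTEND = "native nativesdk"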
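--- a/meta/recipes-support/gnupg/gnupg_2.2.17.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.19.bb
@@ -19,8 +19,8 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
 SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
 file://relocate.patch"
 
-SRC_URI[md5sum] = "1ba2d9b70c377f8e967742064c27a19c"
-SRC_URI[sha256sum] = "afa262868e39b651a2db4c071fba90415154243e83a830ca00516f9a807fd514"
+SRC_URI[md5sum] = "cb3b373d08ba078c325299945a7f2818"
+SRC_URI[sha256sum] = "242554c0e06f3a83c420b052f750b65ead711cc3fddddb5e7274fcdbb4e9dec0"
 
 EXTRA_OECONF = "--disable-ldap \
 --disable-ccid-driver \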
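--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-a.patch
@@ -0,0 +1,90 @@
+From 6e798091d057de6b7f94b9dede4c5c919ec41f89 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 2 Jun 2020 20:53:11 +0200
+Subject: [PATCH 1/3] stek: differentiate initial state from valid time window
+of TOTP
+
+commit c2646aeee94e71cb15c90a3147cf3b5b0ca158ca from https://gitlab.com/gnutls/gnutls.git
+
+There was a confusion in the TOTP implementation in stek.c. When the
+mechanism is initialized at the first time, it records the timestamp
+but doesn't initialize the key. This removes the timestamp recording
+at the initialization phase, so the key is properly set later.
+
+Upstream-Status: Backport
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+lib/stek.c | 17 +++++------------
+tests/resume-with-previous-stek.c | 4 ++--
+tests/tls13/prf-early.c | 8 ++++----
+3 files changed, 11 insertions(+), 18 deletions(-)
+
+diff --git a/lib/stek.c b/lib/stek.c
+index 2f885ce..5ab9e7d 100644
+--- a/lib/stek.c
++++ b/lib/stek.c
+@@ -323,20 +323,13 @@ int _gnutls_initialize_session_ticket_key_rotation(gnutls_session_t session, con
+if (unlikely(session == NULL || key == NULL))
+return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+- if (session->key.totp.last_result == 0) {
+- int64_t t;
+- memcpy(session->key.initial_stek, key->data, key->size);
+- t = totp_next(session);
+- if (t < 0)
+- return gnutls_assert_val(t);
++ if (unlikely(session->key.totp.last_result != 0))
++ return GNUTLS_E_INVALID_REQUEST;
+
+- session->key.totp.last_result = t;
+- session->key.totp.was_rotated = 0;
+-
+- return GNUTLS_E_SUCCESS;
+- }
++ memcpy(session->key.initial_stek, key->data, key->size);
+
+- return GNUTLS_E_INVALID_REQUEST;
++ session->key.totp.was_rotated = 0;
++ return 0;
+}
+
+/*
+diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c
+index f212b18..05c1c90 100644
+--- a/tests/resume-with-previous-stek.c
++++ b/tests/resume-with-previous-stek.c
+@@ -196,8 +196,8 @@ static void server(int fd, unsigned rounds, const char *prio)
+serverx509cred = NULL;
+}
+
+- if (num_stek_rotations != 2)
+- fail("STEK should be rotated exactly twice (%d)!\n", num_stek_rotations);
++ if (num_stek_rotations != 3)
++ fail("STEK should be rotated exactly three times (%d)!\n", num_stek_rotations);
+
+if (serverx509cred)
+gnutls_certificate_free_credentials(serverx509cred);
+diff --git a/tests/tls13/prf-early.c b/tests/tls13/prf-early.c
+index 414b1db..bc31962 100644
+--- a/tests/tls13/prf-early.c
++++ b/tests/tls13/prf-early.c
+@@ -123,10 +123,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size)
+} \
+}
+
+-#define KEY_EXP_VALUE "\xc0\x1e\xc2\xa4\xb7\xb4\x04\xaa\x91\x5d\xaf\xe8\xf7\x4d\x19\xdf\xd0\xe6\x08\xd6\xb4\x3b\xcf\xca\xc9\x32\x75\x3b\xe3\x11\x19\xb1\xac\x68"
+-#define HELLO_VALUE "\x77\xdb\x10\x0b\xe8\xd0\xb9\x38\xbc\x49\xe6\xbe\xf2\x47\x2a\xcc\x6b\xea\xce\x85\x04\xd3\x9e\xd8\x06\x16\xad\xff\xcd\xbf\x4b"
+-#define CONTEXT_VALUE "\xf2\x17\x9f\xf2\x66\x56\x87\x66\xf9\x5c\x8a\xd7\x4e\x1d\x46\xee\x0e\x44\x41\x4c\xcd\xac\xcb\xc0\x31\x41\x2a\xb6\xd7\x01\x62"
+-#define NULL_CONTEXT_VALUE "\xcd\x79\x07\x93\xeb\x96\x07\x3e\xec\x78\x90\x89\xf7\x16\x42\x6d\x27\x87\x56\x7c\x7b\x60\x2b\x20\x44\xd1\xea\x0c\x89\xfb\x8b"
++#define KEY_EXP_VALUE "\xc1\x6b\x6c\xb9\x88\x33\xd5\x28\x80\xec\x27\x87\xa2\x6f\x4b\xd0\x01\x5e\x7f\xca\xd7\xd4\x8a\x3f\xe2\x48\x92\xef\x02\x14\xfb\x81\x90\x04"
++#define HELLO_VALUE "\x2a\x73\xd9\x74\x04\x4e\x0a\x5f\x41\x8a\x09\xcb\x45\x33\x1a\xec\xd3\xfc\xdc\x1b\x2c\x67\x26\xe4\x9c\xfe\x1f\xa5\x74\xf1\x4f"
++#define CONTEXT_VALUE "\x87\xf6\x88\xe3\xd7\xf2\x05\xbc\xa4\x10\xa3\x48\x9f\xf5\xcf\x97\x06\x22\x4e\xfd\x18\x32\x52\x1d\xbd\x26\xf5\x5b\x21\x20\xec"
++#define NULL_CONTEXT_VALUE "\xf9\xca\xfe\x45\x44\x96\xdb\xc5\x41\x8f\x7e\x8e\xd7\xb0\x7d\x19\x45\xaf\x09\xbc\x1e\x82\x94\xac\x55\xe5\xb9\xb4\x3b\xe8\xc0"
+
+static int handshake_callback_called;
+
+--
+2.17.1
+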
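Review bot: In the lib/stek.c hunk, `memcpy(session->key.initial_stek, key->data, key->size);` copies a caller-supplied length, and no check of `key->size` against the destination is visible here. The function opens outside the hunk and a caller may already enforce the size, so confirm that before relying on it. If it does not, a guard ahead of the copy such as `if (key->size > sizeof(session->key.initial_stek)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` would bound it, assuming `initial_stek` is an array member. Separately, this patch header has `Upstream-Status: Backport` but no `CVE: CVE-2020-13777` line, unlike the aspell patches in this commit; the same holds for CVE-2020-13777-b.patch and CVE-2020-13777-c.patch, so the CVE is traceable only from the filenames.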
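--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch
@@ -0,0 +1,137 @@
+From 6c7f9703e42bc5278d0a4a6f0a39d07d62123ea3 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Tue, 31 Mar 2020 06:58:48 +0200
+Subject: [PATCH 2/3] build: use valgrind client request to detect undefined
+memory use
+
+commit 50ad8778a81f9421effa4c5a3b457f98e559b178 from https://gitlab.com/gnutls/gnutls.git
+
+This tightens the check introduced in
+ac2f71b892d13a7ab4cc39086eef179042c7e23c, by using the valgrind client
+request to explicitly mark the "uninitialized but initialization is
+needed before use" regions. With this patch and the
+fix (c01011c2d8533dbbbe754e49e256c109cb848d0d) reverted, you will see
+the following error when running dtls_hello_random_value under
+valgrind:
+
+$ valgrind ./dtls_hello_random_value
+testing: default
+==520145== Conditional jump or move depends on uninitialised value(s)
+==520145== at 0x4025F5: hello_callback (dtls_hello_random_value.c:90)
+==520145== by 0x488BF97: _gnutls_call_hook_func (handshake.c:1215)
+==520145== by 0x488C1AA: _gnutls_send_handshake2 (handshake.c:1332)
+==520145== by 0x488FC7E: send_client_hello (handshake.c:2290)
+==520145== by 0x48902A1: handshake_client (handshake.c:2908)
+==520145== by 0x48902A1: gnutls_handshake (handshake.c:2740)
+==520145== by 0x402CB3: client (dtls_hello_random_value.c:153)
+==520145== by 0x402CB3: start (dtls_hello_random_value.c:317)
+==520145== by 0x402EFE: doit (dtls_hello_random_value.c:331)
+==520145== by 0x4023D4: main (utils.c:254)
+==520145==
+
+Upstream-Status: Backport
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+configure.ac | 2 ++
+lib/handshake.c | 15 +++++++++++++++
+lib/state.c | 21 ++++++++++++++++++---
+3 files changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 172cf42..12da283 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -233,6 +233,8 @@ AS_IF([test "$ac_cv_search___atomic_load_4" = "none required" || test "$ac_cv_se
+dnl We use its presence to detect C11 threads
+AC_CHECK_HEADERS([threads.h])
+
++AC_CHECK_HEADERS([valgrind/memcheck.h])
++
+AC_ARG_ENABLE(padlock,
+AS_HELP_STRING([--disable-padlock], [unconditionally disable padlock acceleration]),
+use_padlock=$enableval)
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 84a0e52..8d58fa4 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -57,6 +57,9 @@
+#include "secrets.h"
+#include "tls13/session_ticket.h"
+#include "locks.h"
++#ifdef HAVE_VALGRIND_MEMCHECK_H
++#include <valgrind/memcheck.h>
++#endif
+
+#define TRUE 1
+#define FALSE 0
+@@ -242,6 +245,12 @@ int _gnutls_gen_client_random(gnutls_session_t session)
+return gnutls_assert_val(ret);
+}
+
++#ifdef HAVE_VALGRIND_MEMCHECK_H
++ if (RUNNING_ON_VALGRIND)
++ VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.client_random,
++ GNUTLS_RANDOM_SIZE);
++#endif
++
+return 0;
+}
+
+@@ -320,6 +329,12 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version)
+return ret;
+}
+
++#ifdef HAVE_VALGRIND_MEMCHECK_H
++ if (RUNNING_ON_VALGRIND)
++ VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.server_random,
++ GNUTLS_RANDOM_SIZE);
++#endif
++
+return 0;
+}
+
+diff --git a/lib/state.c b/lib/state.c
+index 0e1d155..98900c1 100644
+--- a/lib/state.c
++++ b/lib/state.c
+@@ -55,6 +55,9 @@
+#include "ext/cert_types.h"
+#include "locks.h"
+#include "kx.h"
++#ifdef HAVE_VALGRIND_MEMCHECK_H
++#include <valgrind/memcheck.h>
++#endif
+
+/* to be used by supplemental data support to disable TLS1.3
+* when supplemental data have been globally registered */
+@@ -564,10 +567,22 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
+UINT32_MAX;
+}
+
+- /* everything else not initialized here is initialized
+- * as NULL or 0. This is why calloc is used.
++ /* Everything else not initialized here is initialized as NULL
++ * or 0. This is why calloc is used. However, we want to
++ * ensure that certain portions of data are initialized at
++ * runtime before being used. Mark such regions with a
++ * valgrind client request as undefined.
+*/
+-
++#ifdef HAVE_VALGRIND_MEMCHECK_H
++ if (RUNNING_ON_VALGRIND) {
++ if (flags & GNUTLS_CLIENT)
++ VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.client_random,
++ GNUTLS_RANDOM_SIZE);
++ if (flags & GNUTLS_SERVER)
++ VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.server_random,
++ GNUTLS_RANDOM_SIZE);
++ }
++#endif
+handshake_internal_state_clear1(*session);
+
+#ifdef HAVE_WRITEV
+--
+2.17.1
+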
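Review bot: The configure.ac hunk adds `AC_CHECK_HEADERS([valgrind/memcheck.h])` as an unconditional probe, so whether the built libgnutls contains the `RUNNING_ON_VALGRIND` client-request code depends on whether that header happens to be in the build sysroot. For a reproducible target build it is worth pinning the result in the recipe, for example `CACHED_CONFIGUREVARS += "ac_cv_header_valgrind_memcheck_h=no"`, or exposing it as a PACKAGECONFIG that depends on valgrind explicitly. This patch is test instrumentation rather than the ticket-key fix itself. It appears to be carried because the lib/state.c context of CVE-2020-13777-c.patch includes the lines added here, and the patch header could say so.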
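--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-c.patch
@@ -0,0 +1,68 @@
+From b34da057dc9eb01df30b436ba9cb047c21fb0151 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 2 Jun 2020 21:45:17 +0200
+Subject: [PATCH 3/3] valgrind: check if session ticket key is used without
+initialization
+
+commit 3d7fae761e65e9d0f16d7247ee8a464d4fe002da from https://gitlab.com/gnutls/gnutls.git
+
+This adds a valgrind client request for
+session->key.session_ticket_key to make sure that it is not used
+without initialization.
+
+Upstream-Status: Backport
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+lib/state.c | 5 ++++-
+lib/stek.c | 8 ++++++++
+2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/lib/state.c b/lib/state.c
+index 98900c1..cabdf7d 100644
+--- a/lib/state.c
++++ b/lib/state.c
+@@ -578,9 +578,12 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
+if (flags & GNUTLS_CLIENT)
+VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.client_random,
+GNUTLS_RANDOM_SIZE);
+- if (flags & GNUTLS_SERVER)
++ if (flags & GNUTLS_SERVER) {
+VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.server_random,
+GNUTLS_RANDOM_SIZE);
++ VALGRIND_MAKE_MEM_UNDEFINED((*session)->key.session_ticket_key,
++ TICKET_MASTER_KEY_SIZE);
++ }
+}
+#endif
+handshake_internal_state_clear1(*session);
+diff --git a/lib/stek.c b/lib/stek.c
+index 5ab9e7d..316555b 100644
+--- a/lib/stek.c
++++ b/lib/stek.c
+@@ -21,6 +21,9 @@
+*/
+#include "gnutls_int.h"
+#include "stek.h"
++#ifdef HAVE_VALGRIND_MEMCHECK_H
++#include <valgrind/memcheck.h>
++#endif
+
+#define NAME_POS (0)
+#define KEY_POS (TICKET_KEY_NAME_SIZE)
+@@ -143,6 +146,11 @@ static int rotate(gnutls_session_t session)
+call_rotation_callback(session, key, t);
+session->key.totp.last_result = t;
+memcpy(session->key.session_ticket_key, key, sizeof(key));
++#ifdef HAVE_VALGRIND_MEMCHECK_H
++ if (RUNNING_ON_VALGRIND)
++ VALGRIND_MAKE_MEM_DEFINED(session->key.session_ticket_key,
++ TICKET_MASTER_KEY_SIZE);
++#endif
+
+session->key.totp.was_rotated = 1;
+} else if (t < 0) {
+--
+2.17.1
+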
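Review bot: In the rotate() hunk of lib/stek.c the added `VALGRIND_MAKE_MEM_DEFINED` request covers `TICKET_MASTER_KEY_SIZE` bytes, while the `memcpy` directly above it copies `sizeof(key)` bytes; the two lengths are presumably equal, but `key` is declared outside the hunk, so that cannot be confirmed from here. Using the same expression in both places, `VALGRIND_MAKE_MEM_DEFINED(session->key.session_ticket_key, sizeof(key));`, would keep the instrumentation from marking bytes as defined that were never written. The patch header also gives `Upstream-Status: Backport` without a reference URL in brackets and carries no `CVE:` tag, unlike CVE-2020-24659.patch in the same commit. rotate() starts and ends outside the hunk.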
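--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
@@ -0,0 +1,117 @@
+From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 22 Aug 2020 17:19:39 +0200
+Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is
+incomplete
+
+If the initial handshake is incomplete and the server sends a
+no_renegotiation alert, the client should treat it as a fatal error
+even if its level is warning. Otherwise the same handshake
+state (e.g., DHE parameters) are reused in the next gnutls_handshake
+call, if it is called in the loop idiom:
+
+do {
+ret = gnutls_handshake(session);
+} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+CVE: CVE-2020-24659
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+lib/gnutls_int.h | 1 +
+lib/handshake.c | 48 +++++++++++++-----
+2 files changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index bb6c19713..31cec5c0c 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -1370,6 +1370,7 @@ typedef struct {
+#define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
+#define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
+#define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
++#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
+
+/* The hsk_flags are for use within the ongoing handshake;
+* they are reset to zero prior to handshake start by gnutls_handshake. */
+diff --git a/lib/handshake.c b/lib/handshake.c
+index b40f84b3d..ce2d160e2 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session,
+if (ret < 0)
+return gnutls_assert_val(ret);
+
++ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
++
+return 0;
+}
+
+@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session)
+return 0;
+}
+
++/* This function checks whether the error code should be treated fatal
++ * or not, and also does the necessary state transition. In
++ * particular, in the case of a rehandshake abort it resets the
++ * handshake's internal state.
++ */
+inline static int
+_gnutls_abort_handshake(gnutls_session_t session, int ret)
+{
+- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
+- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
+- || ret == GNUTLS_E_GOT_APPLICATION_DATA)
+- return 0;
++ switch (ret) {
++ case GNUTLS_E_WARNING_ALERT_RECEIVED:
++ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
++ /* The server always toleretes a "no_renegotiation" alert. */
++ if (session->security_parameters.entity == GNUTLS_SERVER) {
++ STATE = STATE0;
++ return ret;
++ }
++
++ /* The client should tolerete a "no_renegotiation" alert only if:
++ * - the initial handshake has completed, or
++ * - a Server Hello is not yet received
++ */
++ if (session->internals.initial_negotiation_completed ||
++ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
++ STATE = STATE0;
++ return ret;
++ }
+
+- /* this doesn't matter */
+- return GNUTLS_E_INTERNAL_ERROR;
++ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
++ }
++ return ret;
++ case GNUTLS_E_GOT_APPLICATION_DATA:
++ STATE = STATE0;
++ return ret;
++ default:
++ return ret;
++ }
+}
+
+
+@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session)
+}
+
+if (ret < 0) {
+- /* In the case of a rehandshake abort
+- * we should reset the handshake's internal state.
+- */
+- if (_gnutls_abort_handshake(session, ret) == 0)
+- STATE = STATE0;
+-
+- return ret;
++ return _gnutls_abort_handshake(session, ret);
+}
+
+/* clear handshake buffer */
+--
+2.17.0
+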
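Review bot: `_gnutls_abort_handshake` changes its return contract, and the comment added above it does not say so: it used to return 0 when the state should be reset and now returns the error code the caller must propagate, substituting `GNUTLS_E_UNEXPECTED_PACKET` for a warning-level no_renegotiation alert on a client that has already received a Server Hello in an incomplete initial handshake. I would extend the comment with `Returns the error code to hand back to the application; STATE is reset to STATE0 only on the tolerated paths.` The one caller in this patch, gnutls_handshake, is updated accordingly; any other caller that still compares the result with 0 lies outside these hunks and should be checked before the backport is accepted. The two new comments also misspell "tolerates" and "tolerate".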
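--- a/meta/recipes-support/gnutls/gnutls/posix-shell.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Don't embed the path to the build-time POSIX shell as this will be
-$TMPDIR/hosttools/bash, which is no good on the target.
-
-Instead default to /bin/sh but allow it to be set in the environment.
-
-This isn't really upstreamable but I filed a bug at
-https://gitlab.com/gnutls/gnutls/issues/807 and hope a proper fix will be
-integrated.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/src/libopts/m4/libopts.m4 b/src/libopts/m4/libopts.m4
-index c6ad738..a62faca 100644
---- a/src/libopts/m4/libopts.m4
-+++ b/src/libopts/m4/libopts.m4
-@@ -112,21 +112,7 @@ AC_DEFUN([INVOKE_LIBOPTS_MACROS_FIRST],[
-AC_CHECK_FUNCS([mmap canonicalize_file_name snprintf strdup strchr \
-strrchr strsignal fchmod fstat chmod])
-AC_PROG_SED
-- [while :
-- do
-- POSIX_SHELL=`which bash`
-- test -x "$POSIX_SHELL" && break
-- POSIX_SHELL=`which dash`
-- test -x "$POSIX_SHELL" && break
-- POSIX_SHELL=/usr/xpg4/bin/sh
-- test -x "$POSIX_SHELL" && break
-- POSIX_SHELL=`/bin/sh -c '
-- exec 2>/dev/null
-- if ! true ; then exit 1 ; fi
-- echo /bin/sh'`
-- test -x "$POSIX_SHELL" && break
-- ]AC_MSG_ERROR([cannot locate a working POSIX shell])[
-- done]
-+ POSIX_SHELL="${POSIX_SHELL:-/bin/sh}"
-AC_DEFINE_UNQUOTED([POSIX_SHELL], ["${POSIX_SHELL}"],
-[define to a working POSIX compliant shell])
-AC_SUBST([POSIX_SHELL])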
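--- a/meta/recipes-support/gnutls/gnutls_3.6.8.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
@@ -19,11 +19,14 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
 file://arm_eabi.patch \
-file://posix-shell.patch \
+file://CVE-2020-13777-a.patch \
+file://CVE-2020-13777-b.patch \
+file://CVE-2020-13777-c.patch \
+file://CVE-2020-24659.patch \
 "
 
-SRC_URI[md5sum] = "9dcf0aa45d1a42e1b3ca5d39ec7c61a8"
-SRC_URI[sha256sum] = "aa81944e5635de981171772857e72be231a7e0f559ae0292d2737de475383e83"
+SRC_URI[md5sum] = "bb1fe696a11543433785b4fc70ca225f"
+SRC_URI[sha256sum] = "32041df447d9f4644570cf573c9f60358e865637d69b7e59d1159b7240b52f38"
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
 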
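--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
@@ -0,0 +1,122 @@
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+
+Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca]
+CVE: CVE-2020-10531
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+icu4c/source/common/unistr.cpp | 6 ++-
+icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
+icu4c/source/test/intltest/ustrtest.h | 1 +
+3 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp
+index 901bb3358ba..077b4d6ef20 100644
+--- a/icu4c/source/common/unistr.cpp
++++ b/icu4c/source/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+}
+
+int32_t oldLength = length();
+- int32_t newLength = oldLength + srcLength;
++ int32_t newLength;
++ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++ setToBogus();
++ return *this;
++ }
+
+// Check for append onto ourself
+const UChar* oldArray = getArrayStart();
+diff --git a/icu4c/source/test/intltest/ustrtest.cpp b/icu4c/source/test/intltest/ustrtest.cpp
+index b6515ea813c..ad38bdf53a3 100644
+--- a/icu4c/source/test/intltest/ustrtest.cpp
++++ b/icu4c/source/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+TESTCASE_AUTO(TestWCharPointers);
+TESTCASE_AUTO(TestNullPointers);
+TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
++ TESTCASE_AUTO(TestLargeAppend);
+TESTCASE_AUTO_END;
+}
+
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+str.insert(2, sub);
+assertEquals("", u"abbcdcde", str);
+}
++
++void UnicodeStringTest::TestLargeAppend() {
++ if(quick) return;
++
++ IcuTestErrorCode status(*this, "TestLargeAppend");
++ // Make a large UnicodeString
++ int32_t len = 0xAFFFFFF;
++ UnicodeString str;
++ char16_t *buf = str.getBuffer(len);
++ // A fast way to set buffer to valid Unicode.
++ // 4E4E is a valid unicode character
++ uprv_memset(buf, 0x4e, len * 2);
++ str.releaseBuffer(len);
++ UnicodeString dest;
++ // Append it 16 times
++ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++ int64_t total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++ dest.remove();
++ total = 0;
++ for (int32_t i = 0; i < 16; i++) {
++ dest.append(str);
++ total += len;
++ if (total + len <= INT32_MAX) {
++ assertFalse("dest is not bogus", dest.isBogus());
++ } else if (total <= INT32_MAX) {
++ // Check that a string of exactly the maximum size works
++ UnicodeString str2;
++ int32_t remain = INT32_MAX - total;
++ char16_t *buf2 = str2.getBuffer(remain);
++ if (buf2 == nullptr) {
++ // if somehow memory allocation fail, return the test
++ return;
++ }
++ uprv_memset(buf2, 0x4e, remain * 2);
++ str2.releaseBuffer(remain);
++ dest.append(str2);
++ total += remain;
++ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++ assertFalse("dest is not bogus", dest.isBogus());
++
++ // Check that a string size+1 goes bogus
++ str2.truncate(1);
++ dest.append(str2);
++ total++;
++ assertTrue("dest should be bogus", dest.isBogus());
++ } else {
++ assertTrue("dest should be bogus", dest.isBogus());
++ }
++ }
++}
+diff --git a/icu4c/source/test/intltest/ustrtest.h b/icu4c/source/test/intltest/ustrtest.h
+index 218befdcc68..4a356a92c7a 100644
+--- a/icu4c/source/test/intltest/ustrtest.h
++++ b/icu4c/source/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
+void TestWCharPointers();
+void TestNullPointers();
+void TestUnicodeStringInsertAppendToSelf();
++ void TestLargeAppend();
+};
+
+#endif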
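Review bot: TestLargeAppend writes through the first buffer without a null check: `char16_t *buf = str.getBuffer(len);` is followed directly by `uprv_memset(buf, 0x4e, len * 2);`, although the later `buf2` allocation in the same test is guarded with `if (buf2 == nullptr)`. With `len = 0xAFFFFFF` the request is several hundred megabytes, so a failed allocation is plausible on a memory-constrained target that runs the non-quick tests; adding `if (buf == nullptr) return;` before the memset keeps the test from crashing instead of skipping. The comment `0xAFFFFFF times 16 is 0xA4FFFFF1` also looks wrong, since that product is 0xAFFFFFF0; the conclusion that it exceeds INT32_MAX still holds.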
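--- a/meta/recipes-support/icu/icu_64.2.bb
+++ b/meta/recipes-support/icu/icu_64.2.bb
@@ -6,18 +6,24 @@ def icu_download_version(d):
 pvsplit = d.getVar('PV').split('.')
 return pvsplit[0] + "_" + pvsplit[1]
 
+def icu_download_folder(d):
+pvsplit = d.getVar('PV').split('.')
+return pvsplit[0] + "-" + pvsplit[1]
+
 ICU_PV = "${@icu_download_version(d)}"
+ICU_FOLDER = "${@icu_download_folder(d)}"
 
 # http://errors.yoctoproject.org/Errors/Details/20486/
 ARM_INSTRUCTION_SET_armv4 = "arm"
 ARM_INSTRUCTION_SET_armv5 = "arm"
 
-BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-${ICU_PV}-src.tgz"
+BASE_SRC_URI = "https://github.com/unicode-org/icu/releases/download/release-${ICU_FOLDER}/icu4c-${ICU_PV}-src.tgz"
 SRC_URI = "${BASE_SRC_URI} \
 file://icu-pkgdata-large-cmd.patch \
 file://fix-install-manx.patch \
 file://0001-Fix-big-endian-build.patch \
 file://0001-icu-Added-armeb-support.patch \
+file://CVE-2020-10531.patch;striplevel=3 \
 "
 
 SRC_URI_append_class-target = "\
@@ -26,5 +32,5 @@ SRC_URI_append_class-target = "\
 SRC_URI[md5sum] = "a3d18213beec454e3cdec9a3116d6b05"
 SRC_URI[sha256sum] = "627d5d8478e6d96fc8c90fed4851239079a561a6a8b9e48b0892f24e82d31d6c"
 
-UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
-UPSTREAM_CHECK_URI = "http://download.icu-project.org/files/icu4c/"
+UPSTREAM_CHECK_REGEX = "icu4c-(?P<pver>\d+(_\d+)+)-src"
+UPSTREAM_CHECK_URI = "https://github.com/unicode-org/icu/releases"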
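--- a/meta/recipes-support/iso-codes/iso-codes_4.3.bb
+++ b/meta/recipes-support/iso-codes/iso-codes_4.3.bb
@@ -5,7 +5,7 @@ BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues"
 LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
 
-SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http"
+SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http;branch=main;"
 SRCREV = "43398a317371e309361ce43072603863cb2f57e1"
 
 # inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which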
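Review bot: The rewritten SRC_URI still fetches with `protocol=http`, so the clone travels over an unencrypted and unauthenticated transport; the SRCREV pin limits what a tampered transport can deliver, but the fetch itself remains open to interference and observation. Since this line is being edited anyway, `protocol=https` would be the safer setting, assuming the salsa.debian.org host serves the repository over HTTPS. The trailing `;` after `branch=main` is unnecessary and could be dropped.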
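--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
+From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 16 May 2020 19:32:30 +0200
+Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
+
+subtags.
+
+A malicious file could be crafted to cause extremely large values in some
+tags without tripping any buffer range checks. This is bad with the libexif
+representation of Canon MakerNotes because some arrays are turned into
+individual tags that the application must loop around.
+
+The largest value I've seen for failsafe_size in a (very small) sample of valid
+Canon files is <5000. The limit is set two orders of magnitude larger to avoid
+tripping up falsely in case some models use much larger values.
+
+Patch from Google.
+
+CVE-2020-13114
+
+Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
+CVE: CVE-2020-13114
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..72fd7a3 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+
+#define DEBUG
+
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+static void
+exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+{
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ExifShort c;
+size_t i, tcount, o, datao;
++ long failsafe_size = 0;
+
+if (!n || !buf || !buf_size) {
+exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+memcpy (n->entries[tcount].data, buf + dataofs, s);
+}
+
++ /* Track the size of decoded tag data. A malicious file could
++ * be crafted to cause extremely large values here without
++ * tripping any buffer range checks. This is especially bad
++ * with the libexif representation of Canon MakerNotes because
++ * some arrays are turned into individual tags that the
++ * application must loop around. */
++ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++ if (failsafe_size > FAILSAFE_SIZE_MAX) {
++ /* Abort if the total size of the data in the tags extraordinarily large, */
++ exif_mem_free (ne->mem, n->entries[tcount].data);
++ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++ failsafe_size, FAILSAFE_SIZE_MAX);
++ break;
++ }
++
+/* Tag was successfully parsed */
+++tcount;
+}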
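Review bot: The new exif_log call formats `failsafe_size` with `%lu` although the same patch declares it as `long failsafe_size = 0;`, so the conversion specifier does not match the signed argument; the format should read `"Failsafe tag size overflow (%ld > %ld)"`. On the abort path the entry's data is released with exif_mem_free but `n->entries[tcount].data` keeps the stale pointer; whether anything later touches that slot depends on how the entry count is stored after the loop, which is outside the hunk, so assigning NULL after the free would be the defensive choice. exif_mnote_data_canon_load begins and ends outside these hunks.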
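--- a/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
 file://CVE-2017-7544.patch \
 file://CVE-2016-6328.patch \
-file://CVE-2018-20030.patch"
+file://CVE-2018-20030.patch \
+file://CVE-2020-13114.patch \
+"
 
 SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
 SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"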
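--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch
@@ -0,0 +1,41 @@
+--- pcre-8.43/pcre_compile.c 2020-07-05 22:26:25.310501521 +0530
++++ pcre-8.43/pcre_compile1.c 2020-07-05 22:30:22.254489562 +0530
+
+CVE: CVE-2020-14155
+Upstream-Status: Backport [https://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?view=patch&r1=1761&r2=1760&pathrev=1761]
+Signed-off-by: Rahul Taya<Rahul.Taya@kpit.com>
+
+@@ -6,7 +6,7 @@
+and semantics are as close as possible to those of the Perl 5 language.
+
+Written by Philip Hazel
+- Copyright (c) 1997-2018 University of Cambridge
++ Copyright (c) 1997-2020 University of Cambridge
+
+-----------------------------------------------------------------------------
+Redistribution and use in source and binary forms, with or without
+@@ -7130,17 +7130,19 @@
+int n = 0;
+ptr++;
+while(IS_DIGIT(*ptr))
++ {
+n = n * 10 + *ptr++ - CHAR_0;
++ if (n > 255)
++ {
++ *errorcodeptr = ERR38;
++ goto FAILED;
++ }
++ }
+if (*ptr != CHAR_RIGHT_PARENTHESIS)
+{
+*errorcodeptr = ERR39;
+goto FAILED;
+}
+- if (n > 255)
+- {
+- *errorcodeptr = ERR38;
+- goto FAILED;
+- }
+*code++ = n;
+PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
+PUT(code, LINK_SIZE, 0); /* Default length */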
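Review bot: The patch header names two different files, `--- pcre-8.43/pcre_compile.c` and `+++ pcre-8.43/pcre_compile1.c`, and the tag lines sit between that header and the first hunk. The second name should also be `pcre-8.43/pcre_compile.c`, with the CVE, Upstream-Status and Signed-off-by lines moved above the `---` line, so that the file being patched does not depend on the patch tool's name-selection heuristics. The first hunk only changes the copyright year and is not part of the fix; dropping it would remove one way for the backport to fail to apply. The second hunk, which moves the `n > 255` check into the digit loop so that `n` is bounded before the next multiplication, is the actual change, and its enclosing function lies outside the hunk.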
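--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2019-20454.patch
@@ -0,0 +1,19 @@
+Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_jit_compile.c?r1=1092&r2=1091&pathrev=1092]
+CVE: CVE-2020-8002
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+--- pcre2-10.30/src/pcre2_jit_compile.c 2019/05/13 16:26:17 1091
++++ pcre2-10.30/src/pcre2_jit_compile.c 2019/05/13 16:38:18 1092
+@@ -8571,7 +8571,10 @@
+PCRE2_SPTR bptr;
+uint32_t c;
+
+-GETCHARINC(c, cc);
++/* Patch by PH */
++/* GETCHARINC(c, cc); */
++
++c = *cc++;
+#if PCRE2_CODE_UNIT_WIDTH == 32
+if (c >= 0x110000)
+return NULL;
+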
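Review bot: The `CVE:` tag in this patch reads `CVE-2020-8002`, but the file is named CVE-2019-20454.patch and is added to the recipe under that name; the tag should read `CVE: CVE-2019-20454`. Tooling that reads the tag to decide which CVEs are patched would otherwise record a different identifier as fixed for this recipe. The paths in the header also say pcre2-10.30 while the recipe is libpcre2_10.33, which is harmless once the leading path component is stripped but worth correcting for traceability.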
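--- a/meta/recipes-support/libpcre/libpcre2_10.33.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.33.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37"
 
 SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
 file://pcre-cross.patch \
+file://CVE-2019-20454.patch \
 "
 
 SRC_URI[md5sum] = "80b355f2dce909a2e2424f5c79eddb44"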
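--- a/meta/recipes-support/libpcre/libpcre_8.43.bb
+++ b/meta/recipes-support/libpcre/libpcre_8.43.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \
 file://out-of-tree.patch \
 file://run-ptest \
 file://Makefile \
+file://CVE-2020-14155.patch \
 "
 
 SRC_URI[md5sum] = "636222e79e392c3d95dcc545f24f98c4"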
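--- /dev/null
+++ b/meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch
@@ -0,0 +1,110 @@
+From 5942c26888ba12ad5e0d92fb62f23d7cde6dc159 Mon Sep 17 00:00:00 2001
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Mon, 13 Jul 2020 06:25:56 +0000
+Subject: [PATCH] Bug 1631576 - Force a fixed length for DSA exponentiation
+r=pereida,bbrumley
+
+Differential Revision: https://phabricator.services.mozilla.com/D72011
+
+Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e]
+
+Authored-by: Robert Relyea <rrelyea@redhat.com>
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+nss/lib/freebl/dsa.c | 45 ++++++++++++++++++++++++++++++++++----------
+1 file changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/nss/lib/freebl/dsa.c b/nss/lib/freebl/dsa.c
+index aef3539..389c9de 100644
+--- a/nss/lib/freebl/dsa.c
++++ b/nss/lib/freebl/dsa.c
+@@ -313,13 +313,14 @@ DSA_NewKeyFromSeed(const PQGParams *params,
+
+static SECStatus
+dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+- const unsigned char *kb)
++ const unsigned char *kbytes)
+{
+mp_int p, q, g; /* PQG parameters */
+mp_int x, k; /* private key & pseudo-random integer */
+mp_int r, s; /* tuple (r, s) is signature) */
+mp_int t; /* holding tmp values */
+mp_int ar; /* holding blinding values */
++ mp_digit fuzz; /* blinding multiplier for q */
+mp_err err = MP_OKAY;
+SECStatus rv = SECSuccess;
+unsigned int dsa_subprime_len, dsa_signature_len, offset;
+@@ -373,6 +374,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+CHECK_MPI_OK(mp_init(&s));
+CHECK_MPI_OK(mp_init(&t));
+CHECK_MPI_OK(mp_init(&ar));
++
+/*
+** Convert stored PQG and private key into MPI integers.
+*/
+@@ -380,14 +382,28 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+SECITEM_TO_MPINT(key->params.subPrime, &q);
+SECITEM_TO_MPINT(key->params.base, &g);
+SECITEM_TO_MPINT(key->privateValue, &x);
+- OCTETS_TO_MPINT(kb, &k, dsa_subprime_len);
++ OCTETS_TO_MPINT(kbytes, &k, dsa_subprime_len);
++
++ /* k blinding create a single value that has the high bit set in
++ * the mp_digit*/
++ if (RNG_GenerateGlobalRandomBytes(&fuzz, sizeof(mp_digit)) != SECSuccess) {
++ PORT_SetError(SEC_ERROR_NEED_RANDOM);
++ rv = SECFailure;
++ goto cleanup;
++ }
++ fuzz |= 1ULL << ((sizeof(mp_digit) * PR_BITS_PER_BYTE - 1));
+/*
+** FIPS 186-1, Section 5, Step 1
+**
+** r = (g**k mod p) mod q
+*/
+- CHECK_MPI_OK(mp_exptmod(&g, &k, &p, &r)); /* r = g**k mod p */
+- CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */
++ CHECK_MPI_OK(mp_mul_d(&q, fuzz, &t)); /* t = q*fuzz */
++ CHECK_MPI_OK(mp_add(&k, &t, &t)); /* t = k+q*fuzz */
++ /* length of t is now fixed, bits in k have been blinded */
++ CHECK_MPI_OK(mp_exptmod(&g, &t, &p, &r)); /* r = g**t mod p */
++ /* r is now g**(k+q*fuzz) == g**k mod p */
++ CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */
++
+/*
+** FIPS 186-1, Section 5, Step 2
+**
+@@ -411,15 +427,24 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+/* Using mp_invmod on k directly would leak bits from k. */
+CHECK_MPI_OK(mp_mul(&k, &ar, &k)); /* k = k * ar */
+CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
+- CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
++ /* k is now k*t*ar */
++ CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
++ /* k is now (k*t*ar)**-1 */
+CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
+- SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
++ /* k is now (k*ar)**-1 */
++ SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
+/* To avoid leaking secret bits here the addition is blinded. */
+- CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
+- CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
++ CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
++ /* x is now x*ar */
++ CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
++ /* x is now x*r*ar */
+CHECK_MPI_OK(mp_mulmod(&s, &ar, &q, &t)); /* t = s * ar mod q */
+- CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
+- CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
++ /* t is now hash(M)*ar */
++ CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
++ /* s is now (HASH(M)+x*r)*ar */
++ CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
++ /* s is now (HASH(M)+x*r)*ar*(k*ar)**-1 = (k**-1)*(HASH(M)+x*r) */
++
+/*
+** verify r != 0 and s != 0
+** mentioned as optional in FIPS 186-1.
+--
+2.18.1
+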
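Review bot: The patch header has no `CVE:` line, whereas every sqlite backport added in this commit carries one, so tooling that tracks patched CVEs from patch metadata cannot associate this DSA blinding fix with an advisory. If an identifier has been assigned to Bug 1631576, add `CVE: <CVE-ID for Bug 1631576>` beside `Upstream-Status:`. Nothing in the file name identifies the advisory either, so the header tag is the only place a scanner or auditor could pick it up.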
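--- a/meta/recipes-support/nss/nss_3.45.bb
+++ b/meta/recipes-support/nss/nss_3.45.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
 file://blank-cert9.db \
 file://blank-key4.db \
 file://system-pkcs11.txt \
+file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
 "
 
 SRC_URI[md5sum] = "f1752d7223ee9d910d551e57264bafa8"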
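--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-11655.patch
@@ -0,0 +1,32 @@
+From a4601326d61bf1a11151ac6b78b50804bfd03b4d Mon Sep 17 00:00:00 2001
+From: Sakib Sajal <sakib.sajal@windriver.com>
+Date: Thu, 30 Apr 2020 10:46:16 -0700
+Subject: [PATCH 2/2] In the event of a semantic error in an aggregate query,
+early-out the resetAccumulator() function to prevent problems due to
+incomplete or incorrect initialization of the AggInfo object. Fix for ticket
+[af4556bb5c285c08].
+
+FossilOrigin-Name: 4a302b42c7bf5e11ddb5522ca999f74aba397d3a7eb91b1844bb02852f772441
+Upstream-Status: Backport [c415d91007e1680e4eb17def583b202c3c83c718]
+
+CVE: CVE-2020-11655
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+sqlite3.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 1df6633..726adf7 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -133242,6 +133242,7 @@ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){
+struct AggInfo_func *pFunc;
+int nReg = pAggInfo->nFunc + pAggInfo->nColumn;
+if( nReg==0 ) return;
++ if( pParse->nErr ) return;
+#ifdef SQLITE_DEBUG
+/* Verify that all AggInfo registers are within the range specified by
+** AggInfo.mnReg..AggInfo.mxReg */
+--
+2.17.1
+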
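Review bot: `Upstream-Status: Backport [c415d91007e1680e4eb17def583b202c3c83c718]` gives a bare hash with no repository or URL, and the `From:` line names the backporter, so the upstream origin of this one-line guard in `resetAccumulator()` cannot be checked from the header alone. Point the tag at the upstream commit, e.g. `Upstream-Status: Backport [<upstream repository URL>/commit/c415d91007e1680e4eb17def583b202c3c83c718]`, as the nss patch in this commit does with its full URL. The file also lands in `sqlite/files/` while the other sqlite backports go to `sqlite/sqlite3/`; keeping them in one directory makes the applied set easier to audit.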
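--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2019-19244
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 0f690d4ae5ffe656762fdbb7f36cc4c2dcbb2d9d Mon Sep 17 00:00:00 2001
+From: dan <dan@noemail.net>
+Date: Fri, 22 Nov 2019 10:14:01 +0000
+Subject: [PATCH] Fix a crash that could occur if a sub-select that uses both
+DISTINCT and window functions also used an ORDER BY that is the same as its
+select list.
+
+Amalgamation version of the patch:
+FossilOrigin-Name: bcdd66c1691955c697f3d756c2b035acfe98f6aad72e90b0021bab6e9023b3ba
+---
+sqlite3.c | 5 +++--
+sqlite3.h | 2 +-
+2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 8fd740b..db1c649 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -131679,6 +131679,7 @@ SQLITE_PRIVATE int sqlite3Select(
+*/
+if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct
+&& sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0
++ && p->pWin==0
+){
+p->selFlags &= ~SF_Distinct;
+pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0);
+--
+2.24.1
+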
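Review bot: The diffstat in this patch header (`sqlite3.c | 5 +++--`, `sqlite3.h | 2 +-`) does not match the body, which holds a single one-line hunk in `sqlite3.c`; the headers of CVE-2019-19924, CVE-2019-19925, CVE-2019-19926 and CVE-2019-19959 show the same mismatch. Presumably hunks were dropped when the patches were cut down for the amalgamation, but the header does not say which. Add a short note under the tags stating what was discarded, in the style of the `[SG: ...]` block in the aspell patch of this commit, so an auditor can tell that the omission is deliberate and the security-relevant change is complete.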
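--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch
@@ -0,0 +1,50 @@
+CVE: CVE-2019-19923
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From b64463719dc53bde98b0ce3930b10a32560c3a02 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Wed, 18 Dec 2019 20:51:58 +0000
+Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of
+check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
+query is DISTINCT. Without this fix, if an index scan is run on the table
+within the view on the right-hand side of the LEFT JOIN, stale result
+registers might be accessed yielding incorrect results, and/or an
+OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
+NULL-pointer dereference. This problem was found by the Yongheng and Rui
+fuzzer.
+
+FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
+---
+sqlite3.c | 10 +++++++---
+1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index d29da07..5bc06c8 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -129216,6 +129216,7 @@ static void substSelect(
+** (3b) the FROM clause of the subquery may not contain a virtual
+** table and
+** (3c) the outer query may not be an aggregate.
++** (3d) the outer query may not be DISTINCT.
+**
+** (4) The subquery can not be DISTINCT.
+**
+@@ -129412,8 +129413,11 @@ static int flattenSubquery(
+*/
+if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){
+isLeftJoin = 1;
+- if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){
+- /* (3a) (3c) (3b) */
++ if( pSubSrc->nSrc>1 /* (3a) */
++ || isAgg /* (3b) */
++ || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */
++ || (p->selFlags & SF_Distinct)!=0 /* (3d) */
++ ){
+return 0;
+}
+}
+--
+2.24.1
+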
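Review bot: The per-condition labels added in the `flattenSubquery` hunk do not match the restriction list edited in the first hunk: that list defines (3b) as the virtual-table rule and (3c) as the aggregate rule, and the removed comment `/* (3a) (3c) (3b) */` followed that order. The labels should read `|| isAgg /* (3c) */` and `|| IsVirtual(pSubSrc->a[0].pTab) /* (3b) */`. The conditions themselves are unaffected, and `flattenSubquery` continues outside the hunk. If the labels are kept as they are to stay identical to upstream, say so in the patch header so the next reader does not take the swap for a logic change.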
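--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch
@@ -0,0 +1,65 @@
+CVE: CVE-2019-19924
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 854fe21e8a987f84da81f6bb9e90abc5355c6621 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 20:37:32 +0000
+Subject: [PATCH] When an error occurs while rewriting the parser tree for
+window functions in the sqlite3WindowRewrite() routine, make sure that
+pParse->nErr is set, and make sure that this shuts down any subsequent code
+generation that might depend on the transformations that were implemented.
+This fixes a problem discovered by the Yongheng and Rui fuzzer.
+
+Amalgamation format of backported patch
+FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f
+---
+sqlite3.c | 16 +++++++++++-----
+sqlite3.h | 2 +-
+2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 408ec4c..857c28e 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -77798,7 +77798,8 @@ SQLITE_PRIVATE void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
+*/
+static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
+assert( p->nOp>0 || p->aOp==0 );
+- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
++ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
++ || p->pParse->nErr>0 );
+if( p->nOp ){
+assert( p->aOp );
+sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
+@@ -97872,6 +97873,7 @@ static int codeCompare(
+int addr;
+CollSeq *p4;
+
++ if( pParse->nErr ) return 0;
+p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
+p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
+addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
+@@ -147627,7 +147629,7 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
+
+pTab = sqlite3DbMallocZero(db, sizeof(Table));
+if( pTab==0 ){
+- return SQLITE_NOMEM;
++ return sqlite3ErrorToParser(db, SQLITE_NOMEM);
+}
+
+p->pSrc = 0;
+@@ -147731,6 +147733,10 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
+sqlite3DbFree(db, pTab);
+}
+
++ if( rc && pParse->nErr==0 ){
++ assert( pParse->db->mallocFailed );
++ return sqlite3ErrorToParser(pParse->db, SQLITE_NOMEM);
++ }
+return rc;
+}
+
+--
+2.24.1
+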
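--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2019-19925
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From e92580434d2cdca228649d32f76167492de4f512 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 15:15:40 +0000
+Subject: [PATCH] Fix the zipfile extension so that INSERT works even if the
+pathname of the file being inserted is a NULL. Bug discovered by the
+Yongheng and Rui fuzzer.
+
+FossilOrigin-Name: a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06
+---
+shell.c | 1 +
+sqlite3.c | 4 ++--
+sqlite3.h | 2 +-
+3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 053180c..404a8d4 100644
+--- a/shell.c
++++ b/shell.c
+@@ -5827,6 +5827,7 @@ static int zipfileUpdate(
+
+if( rc==SQLITE_OK ){
+zPath = (const char*)sqlite3_value_text(apVal[2]);
++ if( zPath==0 ) zPath = "";
+nPath = (int)strlen(zPath);
+mTime = zipfileGetTime(apVal[4]);
+}
+--
+2.24.1
+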
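--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch
@@ -0,0 +1,31 @@
+CVE: CVE-2019-19926
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 4165b1e1e0001165ace9051a70f938099505eadc Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 22:08:19 +0000
+Subject: [PATCH] Continuation of [e2bddcd4c55ba3cb]: Add another spot where it
+is necessary to abort early due to prior errors in sqlite3WindowRewrite().
+
+FossilOrigin-Name: cba2a2a44cdf138a629109bb0ad088ed4ef67fc66bed3e0373554681a39615d2
+---
+sqlite3.c | 7 ++++---
+sqlite3.h | 2 +-
+2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 857c28e..19a474d 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -128427,6 +128427,7 @@ static int multiSelect(
+}
+#endif
+}
++ if( pParse->nErr ) goto multi_select_end;
+
+/* Compute collating sequences used by
+** temporary tables needed to implement the compound select.
+--
+2.24.1
+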
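--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch
@@ -0,0 +1,46 @@
+CVE: CVE-2019-19959
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From f83f7e8141ee7cbbf7f2dc8985279a7372b259b6 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Mon, 23 Dec 2019 21:04:33 +0000
+Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that
+it is able to deal with goofy filenames that contain embedded zeros.
+
+FossilOrigin-Name: cc0fb00a128fd0773db5ff7891f7aa577a3671d570166d2cbb30df922344adcf
+---
+shell.c | 4 ++--
+sqlite3.c | 4 ++--
+sqlite3.h | 2 +-
+3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 404a8d4..48065e9 100644
+--- a/shell.c
++++ b/shell.c
+@@ -5841,7 +5841,7 @@ static int zipfileUpdate(
+zFree = sqlite3_mprintf("%s/", zPath);
+if( zFree==0 ){ rc = SQLITE_NOMEM; }
+zPath = (const char*)zFree;
+- nPath++;
++ nPath = (int)strlen(zPath);
+}
+}
+
+@@ -6242,11 +6242,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){
+}else{
+if( zName[nName-1]!='/' ){
+zName = zFree = sqlite3_mprintf("%s/", zName);
+- nName++;
+if( zName==0 ){
+rc = SQLITE_NOMEM;
+goto zipfile_step_out;
+}
++ nName = (int)strlen(zName);
+}else{
+while( nName>1 && zName[nName-2]=='/' ) nName--;
+}
+--
+2.24.1
+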
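Review bot: In the `zipfileUpdate` hunk, `nPath = (int)strlen(zPath);` runs after `zPath = (const char*)zFree;` even when `sqlite3_mprintf()` returned NULL, so an allocation failure now becomes a NULL-pointer read where the old `nPath++` was harmless. The `zipfileStep` hunk of the same patch avoids this by recomputing the length only after the `zName==0` check. Guard the first site the same way, e.g. `if( zFree==0 ){ rc = SQLITE_NOMEM; nPath = 0; }else{ nPath = (int)strlen(zFree); }`. `zipfileUpdate` begins and ends outside the hunk, so whether later code tolerates `zPath==0` once `rc` is set cannot be seen here.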
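--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch
@@ -0,0 +1,31 @@
+CVE: CVE-2019-20218
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 6bbd76d34f29f61483791231f2ce579dcadab8a5 Mon Sep 17 00:00:00 2001
+From: Dan Kennedy <danielk1977@gmail.com>
+Date: Fri, 27 Dec 2019 20:54:42 +0000
+Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
+following an error. This fixes a separate case to [de6e6d68].
+
+FossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92
+---
+sqlite3.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 5bc06c8..408ec4c 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -130570,7 +130570,7 @@ static int selectExpander(Walker *pWalker, Select *p){
+
+/* Process NATURAL keywords, and ON and USING clauses of joins.
+*/
+- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
++ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+return WRC_Abort;
+}
+
+--
+2.24.1
+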
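--- a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
@@ -4,6 +4,15 @@ LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
 
 SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz \
-file://0001-Fix-CVE-2019-16168.patch"
+file://0001-Fix-CVE-2019-16168.patch \
+file://CVE-2019-19244.patch \
+file://CVE-2019-19923.patch \
+file://CVE-2019-19924.patch \
+file://CVE-2019-19925.patch \
+file://CVE-2019-19926.patch \
+file://CVE-2019-19959.patch \
+file://CVE-2019-20218.patch \
+file://CVE-2020-11655.patch \
+"
 SRC_URI[md5sum] = "8f3dfe83387e62ecb91c7c5c09c688dc"
 SRC_URI[sha256sum] = "8e7c1e2950b5b04c5944a981cb31fffbf9d2ddda939d536838ebc854481afd5b"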
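--- a/meta/recipes-support/vim/vim_8.1.1518.bb
+++ b/meta/recipes-support/vim/vim_8.1.1518.bb
@@ -8,3 +8,8 @@ BBCLASSEXTEND = "native"
 ALTERNATIVE_${PN}_append = " xxd"
 ALTERNATIVE_TARGET[xxd] = "${bindir}/xxd"
 ALTERNATIVE_LINK_NAME[xxd] = "${bindir}/xxd"
+
+# We override the default in security_flags.inc because vim (not vim-tiny!) will abort
+# in many places for _FORTIFY_SOURCE=2. Security flags become part of CC.
+#
+lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=1',d)}"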
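Review bot: The comment above `lcl_maybe_fortify` says vim aborts under `_FORTIFY_SOURCE=2` but cites no bug report or vim patch level at which the aborts are fixed, so nothing tells a later maintainer when this hardening downgrade can be removed. Extend the comment with that reference, e.g. `# Drop once vim is upgraded past <first fixed patch level>; see <upstream issue URL>`. Fortify aborts can be false positives or real out-of-bounds writes, and the hunk does not show which these are, so the comment should also record what was observed.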