Diffstat (limited to 'meta/recipes-support')
-rw-r--r--meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch999
-rw-r--r--meta/recipes-support/aspell/aspell/CVE-2019-20433-0002.patch68
-rw-r--r--meta/recipes-support/aspell/aspell_0.60.7.bb2
-rw-r--r--meta/recipes-support/attr/acl_2.2.52.bb3
-rw-r--r--meta/recipes-support/attr/attr_2.4.47.bb3
-rw-r--r--meta/recipes-support/gnupg/gnupg_2.2.19.bb (renamed from meta/recipes-support/gnupg/gnupg_2.2.17.bb)4
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2020-13777-a.patch90
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch137
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2020-13777-c.patch68
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch117
-rw-r--r--meta/recipes-support/gnutls/gnutls/posix-shell.patch39
-rw-r--r--meta/recipes-support/gnutls/gnutls_3.6.13.bb (renamed from meta/recipes-support/gnutls/gnutls_3.6.8.bb)9
-rw-r--r--meta/recipes-support/icu/icu/CVE-2020-10531.patch122
-rw-r--r--meta/recipes-support/icu/icu_64.2.bb12
-rw-r--r--meta/recipes-support/iso-codes/iso-codes_4.3.bb2
-rw-r--r--meta/recipes-support/libexif/libexif/CVE-2020-13114.patch73
-rw-r--r--meta/recipes-support/libexif/libexif_0.6.21.bb4
-rw-r--r--meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch41
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2019-20454.patch19
-rw-r--r--meta/recipes-support/libpcre/libpcre2_10.33.bb1
-rw-r--r--meta/recipes-support/libpcre/libpcre_8.43.bb1
-rw-r--r--meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch110
-rw-r--r--meta/recipes-support/nss/nss_3.45.bb1
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2020-11655.patch32
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch33
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch50
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch65
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch33
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch31
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch46
-rw-r--r--meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch31
-rw-r--r--meta/recipes-support/sqlite/sqlite3_3.29.0.bb11
-rw-r--r--meta/recipes-support/vim/vim_8.1.1518.bb5
33 files changed, 2212 insertions, 50 deletions
diff --git a/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch
new file mode 100644
index 0000000000..fd68461e32
--- /dev/null
+++ b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch
@@ -0,0 +1,999 @@
1From de29341638833ba7717bd6b5e6850998454b044b Mon Sep 17 00:00:00 2001
2From: Kevin Atkinson <kevina@gnu.org>
3Date: Sat, 17 Aug 2019 17:06:53 -0400
4Subject: [PATCH 1/2] Don't allow null-terminated UCS-2/4 strings using the
5 original API.
6
7Detect if the encoding is UCS-2/4 and the length is -1 in affected API
8functions and refuse to convert the string. If the string ends up
9being converted somehow, abort with an error message in DecodeDirect
10and ConvDirect. To convert a null terminated string in
11Decode/ConvDirect, a negative number corresponding to the width of the
12underlying character type for the encoding is expected; for example,
13if the encoding is "ucs-2" then a the size is expected to be -2.
14
15Also fix a 1-3 byte over-read in DecodeDirect when reading UCS-2/4
16strings when a size is provided (found by OSS-Fuzz).
17
18Also fix a bug in DecodeDirect that caused DocumentChecker to return
19the wrong offsets when working with UCS-2/4 strings.
20
21CVE: CVE-2019-20433
22Upstream-Status: Backport [https://github.com/GNUAspell/aspell/commit/de29341638833ba7717bd6b5e6850998454b044b]
23
24[SG: - adjusted context
25 - discarded test changes as test framework is not available
26 - discarded manual entry changes for features that aren't backported]
27Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
28---
29 auto/MkSrc/CcHelper.pm | 99 ++++++++++++++++++++++++++++++++++---
30 auto/MkSrc/Create.pm | 5 +-
31 auto/MkSrc/Info.pm | 5 +-
32 auto/MkSrc/ProcCc.pm | 24 +++++----
33 auto/MkSrc/ProcImpl.pm | 57 +++++++++++++++------
34 auto/MkSrc/Read.pm | 4 +-
35 auto/mk-src.in | 44 +++++++++++++++--
36 common/convert.cpp | 39 ++++++++++++---
37 common/convert.hpp | 38 +++++++++++++-
38 common/document_checker.cpp | 17 ++++++-
39 common/document_checker.hpp | 1 +
40 common/version.cpp | 15 ++++--
41 configure.ac | 8 +++
42 manual/aspell.texi | 58 ++++++++++++++++------
43 manual/readme.texi | 70 +++++++++++++++++++++-----
44 15 files changed, 409 insertions(+), 75 deletions(-)
45
46diff --git a/auto/MkSrc/CcHelper.pm b/auto/MkSrc/CcHelper.pm
47index f2de991..0044335 100644
48--- a/auto/MkSrc/CcHelper.pm
49+++ b/auto/MkSrc/CcHelper.pm
50@@ -10,8 +10,8 @@ BEGIN {
51 use Exporter;
52 our @ISA = qw(Exporter);
53 our @EXPORT = qw(to_c_return_type c_error_cond
54- to_type_name make_desc make_func call_func
55- make_c_method call_c_method form_c_method
56+ to_type_name make_desc make_func call_func get_c_func_name
57+ make_c_method make_wide_macro call_c_method form_c_method
58 make_cxx_method);
59 }
60
61@@ -90,6 +90,69 @@ sub make_func ( $ \@ $ ; \% ) {
62 ')'));
63 }
64
65+=item make_wide_version NAME @TYPES PARMS ; %ACCUM
66+
67+Creates the wide character version of the function if needed
68+
69+=cut
70+
71+sub make_wide_version ( $ \@ $ ; \% ) {
72+ my ($name, $d, $p, $accum) = @_;
73+ my @d = @$d;
74+ shift @d;
75+ return '' unless grep {$_->{type} eq 'encoded string'} @d;
76+ $accum->{sys_headers}{'stddef.h'} = true;
77+ $accum->{suffix}[5] = <<'---';
78+
79+/******************* private implemantion details *********************/
80+
81+#ifdef __cplusplus
82+# define aspell_cast_(type, expr) (static_cast<type>(expr))
83+# define aspell_cast_from_wide_(str) (static_cast<const void *>(str))
84+#else
85+# define aspell_cast_(type, expr) ((type)(expr))
86+# define aspell_cast_from_wide_(str) ((const char *)(str))
87+#endif
88+---
89+ my @parms = map {$_->{type} eq 'encoded string'
90+ ? ($_->{name}, $_->{name}.'_size')
91+ : $_->{name}} @d;
92+ $name = to_lower $name;
93+ $accum->{suffix}[0] = <<'---';
94+/**********************************************************************/
95+
96+#ifdef ASPELL_ENCODE_SETTING_SECURE
97+---
98+ $accum->{suffix}[2] = "#endif\n";
99+ my @args = map {$_->{type} eq 'encoded string'
100+ ? ($_->{name}, "$_->{name}_size", '-1')
101+ : $_->{name}} @d;
102+ $accum->{suffix}[1] .=
103+ (join '',
104+ "#define $name",
105+ '(', join(', ', @parms), ')',
106+ "\\\n ",
107+ $name, '_wide',
108+ '(', join(', ', @args), ')',
109+ "\n");
110+ @args = map {$_->{type} eq 'encoded string'
111+ ? ("aspell_cast_from_wide_($_->{name})",
112+ "$_->{name}_size*aspell_cast_(int,sizeof(*($_->{name})))",
113+ "sizeof(*($_->{name}))")
114+ : $_->{name}} @d;
115+ return (join '',
116+ "\n",
117+ "/* version of $name that is safe to use with (null terminated) wide characters */\n",
118+ '#define ',
119+ $name, '_w',
120+ '(', join(', ', @parms), ')',
121+ "\\\n ",
122+ $name, '_wide',
123+ '(', join(', ', @args), ')',
124+ "\n");
125+}
126+
127+
128 =item call_func NAME @TYPES PARMS ; %ACCUM
129
130 Return a string to call a func. Will prefix the function with return
131@@ -103,7 +166,6 @@ Parms can be any of:
132
133 sub call_func ( $ \@ $ ; \% ) {
134 my ($name, $d, $p, $accum) = @_;
135- $accum = {} unless defined $accum;
136 my @d = @$d;
137 my $func_ret = to_type_name(shift @d, {%$p,pos=>'return'}, %$accum);
138 return (join '',
139@@ -148,8 +210,14 @@ sub to_type_name ( $ $ ; \% ) {
140 my $name = $t->{name};
141 my $type = $t->{type};
142
143- return ( (to_type_name {%$d, type=>'string'}, $p, %$accum) ,
144- (to_type_name {%$d, type=>'int', name=>"$d->{name}_size"}, $p, %$accum) )
145+ if ($name eq 'encoded string' && $is_cc && $pos eq 'parm') {
146+ my @types = ((to_type_name {%$d, type=>($p->{wide}?'const void pointer':'string')}, $p, %$accum),
147+ (to_type_name {%$d, type=>'int', name=>"$d->{name}_size"}, $p, %$accum));
148+ push @types, (to_type_name {%$d, type=>'int', name=>"$d->{name}_type_width"}, $p, %$accum) if $p->{wide};
149+ return @types;
150+ }
151+ return ( (to_type_name {%$d, type=>($p->{wide}?'const void pointer':'string')}, $p, %$accum) ,
152+ (to_type_name {%$d, type=>'int', name=>"$d->{name}_size"}, $p, %$accum) )
153 if $name eq 'encoded string' && $is_cc && $pos eq 'parm';
154
155 my $str;
156@@ -174,7 +242,7 @@ sub to_type_name ( $ $ ; \% ) {
157 $str .= "String";
158 }
159 } elsif ($name eq 'encoded string') {
160- $str .= "const char *";
161+ $str .= $p->{wide} ? "const void *" : "const char *";
162 } elsif ($name eq '') {
163 $str .= "void";
164 } elsif ($name eq 'bool' && $is_cc) {
165@@ -186,7 +254,7 @@ sub to_type_name ( $ $ ; \% ) {
166 if ($t->{pointer}) {
167 $accum->{types}->{$name} = $t;
168 } else {
169- $accum->{headers}->{$t->{created_in}} = true;
170+ $accum->{headers}->{$t->{created_in}} = true unless $mode eq 'cc';
171 }
172 $str .= "$c_type Aspell" if $mode eq 'cc';
173 $str .= to_mixed($name);
174@@ -214,6 +282,7 @@ sub to_type_name ( $ $ ; \% ) {
175 return $str;
176 }
177
178+
179 =item make_desc DESC ; LEVEL
180
181 Make a C comment out of DESC optionally indenting it LEVEL spaces.
182@@ -286,6 +355,7 @@ sub form_c_method ($ $ $ ; \% )
183 } else {
184 $func = "aspell $class $name";
185 }
186+ $func .= " wide" if $p->{wide};
187 if (exists $d->{'const'}) {
188 splice @data, 1, 0, {type => "const $class", name=> $this_name};
189 } else {
190@@ -306,6 +376,21 @@ sub make_c_method ($ $ $ ; \%)
191 return &make_func(@ret);
192 }
193
194+sub get_c_func_name ($ $ $)
195+{
196+ my @ret = &form_c_method(@_);
197+ return undef unless @ret > 0;
198+ return to_lower $ret[0];
199+}
200+
201+sub make_wide_macro ($ $ $ ; \%)
202+{
203+ my @ret = &form_c_method(@_);
204+ return undef unless @ret > 0;
205+ my $str = &make_wide_version(@ret);
206+ return $str;
207+}
208+
209 sub call_c_method ($ $ $ ; \%)
210 {
211 my @ret = &form_c_method(@_);
212diff --git a/auto/MkSrc/Create.pm b/auto/MkSrc/Create.pm
213index d39b60e..630ede5 100644
214--- a/auto/MkSrc/Create.pm
215+++ b/auto/MkSrc/Create.pm
216@@ -77,8 +77,10 @@ sub create_cc_file ( % ) {
217 $file .= "#include \"aspell.h\"\n" if $p{type} eq 'cxx';
218 $file .= "#include \"settings.h\"\n" if $p{type} eq 'native_impl' && $p{name} eq 'errors';
219 $file .= "#include \"gettext.h\"\n" if $p{type} eq 'native_impl' && $p{name} eq 'errors';
220+ $file .= cmap {"#include <$_>\n"} sort keys %{$accum{sys_headers}};
221 $file .= cmap {"#include \"".to_lower($_).".hpp\"\n"} sort keys %{$accum{headers}};
222- $file .= "#ifdef __cplusplus\nextern \"C\" {\n#endif\n" if $p{header} && !$p{cxx};
223+ $file .= "\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n" if $p{header} && !$p{cxx};
224+ $file .= join('', grep {defined $_} @{$accum{prefix}});
225 $file .= "\nnamespace $p{namespace} {\n\n" if $p{cxx};
226 if (defined $info{forward}{proc}{$p{type}}) {
227 my @types = sort {$a->{name} cmp $b->{name}} (values %{$accum{types}});
228@@ -86,6 +88,7 @@ sub create_cc_file ( % ) {
229 }
230 $file .= "\n";
231 $file .= $body;
232+ $file .= join('', grep {defined $_} @{$accum{suffix}});
233 $file .= "\n\n}\n\n" if $p{cxx};
234 $file .= "#ifdef __cplusplus\n}\n#endif\n" if $p{header} && !$p{cxx};
235 $file .= "#endif /* $hm */\n" if $p{header};
236diff --git a/auto/MkSrc/Info.pm b/auto/MkSrc/Info.pm
237index c644028..ace8e21 100644
238--- a/auto/MkSrc/Info.pm
239+++ b/auto/MkSrc/Info.pm
240@@ -60,6 +60,7 @@ each proc sub should take the following argv
241 the object from which it is a member of
242 no native: do not attempt to create a native implementation
243 treat as object: treat as a object rather than a pointer
244+ no conv: do not converted an encoded string
245
246 The %info structure is initialized as follows:
247
248@@ -104,8 +105,8 @@ The %info structure is initialized as follows:
249 errors => {}, # possible errors
250 method => {
251 # A class method
252- options => ['desc', 'posib err', 'c func', 'const',
253- 'c only', 'c impl', 'cxx impl'],
254+ options => ['desc', 'posib err', 'c func', 'const', 'no conv', 'on conv error',
255+ 'c only', 'c impl', 'cxx impl', 'cc extra'],
256 groups => undef},
257 constructor => {
258 # A class constructor
259diff --git a/auto/MkSrc/ProcCc.pm b/auto/MkSrc/ProcCc.pm
260index 47c4338..98cc435 100644
261--- a/auto/MkSrc/ProcCc.pm
262+++ b/auto/MkSrc/ProcCc.pm
263@@ -23,7 +23,7 @@ use MkSrc::Info;
264 sub make_c_object ( $ @ );
265
266 $info{group}{proc}{cc} = sub {
267- my ($data) = @_;
268+ my ($data,@rest) = @_;
269 my $ret;
270 my $stars = (70 - length $data->{name})/2;
271 $ret .= "/";
272@@ -33,14 +33,14 @@ $info{group}{proc}{cc} = sub {
273 $ret .= "/\n";
274 foreach my $d (@{$data->{data}}) {
275 $ret .= "\n\n";
276- $ret .= $info{$d->{type}}{proc}{cc}->($d);
277+ $ret .= $info{$d->{type}}{proc}{cc}->($d,@rest);
278 }
279 $ret .= "\n\n";
280 return $ret;
281 };
282
283 $info{enum}{proc}{cc} = sub {
284- my ($d) = @_;
285+ my ($d,@rest) = @_;
286 my $n = "Aspell".to_mixed($d->{name});
287 return ("\n".
288 make_desc($d->{desc}).
289@@ -58,21 +58,26 @@ $info{struct}{proc}{cc} = sub {
290 };
291
292 $info{union}{proc}{cc} = sub {
293- return make_c_object "union", $_[0];
294+ return make_c_object "union", @_;
295 };
296
297 $info{class}{proc}{cc} = sub {
298- my ($d) = @_;
299+ my ($d,$accum) = @_;
300 my $class = $d->{name};
301 my $classname = "Aspell".to_mixed($class);
302 my $ret = "";
303 $ret .= "typedef struct $classname $classname;\n\n";
304 foreach (@{$d->{data}}) {
305- my $s = make_c_method($class, $_, {mode=>'cc'});
306+ my $s = make_c_method($class, $_, {mode=>'cc'}, %$accum);
307 next unless defined $s;
308 $ret .= "\n";
309 $ret .= make_desc($_->{desc});
310- $ret .= make_c_method($class, $_, {mode=>'cc'}).";\n";
311+ $ret .= make_c_method($class, $_, {mode=>'cc'}, %$accum).";\n";
312+ if (grep {$_->{type} eq 'encoded string'} @{$_->{data}}) {
313+ $ret .= make_c_method($class, $_, {mode=>'cc', wide=>true}, %$accum).";\n";
314+ $ret .= make_wide_macro($class, $_, {mode=>'cc'}, %$accum);
315+ }
316+ $ret .= "\n".$_->{'cc extra'}."\n" if defined $_->{'cc extra'};
317 }
318 $ret .= "\n";
319 return $ret;
320@@ -105,7 +110,8 @@ $info{errors}{proc}{cc} = sub {
321 };
322
323 sub make_c_object ( $ @ ) {
324- my ($t, $d) = @_;
325+ my ($t, $d, $accum) = @_;
326+ $accum = {} unless defined $accum;
327 my $struct;
328 $struct .= "Aspell";
329 $struct .= to_mixed($d->{name});
330@@ -120,7 +126,7 @@ sub make_c_object ( $ @ ) {
331 "\n};\n"),
332 "typedef $t $struct $struct;",
333 join ("\n",
334- map {make_c_method($d->{name}, $_, {mode=>'cc'}).";"}
335+ map {make_c_method($d->{name}, $_, {mode=>'cc'}, %$accum).";"}
336 grep {$_->{type} eq 'method'}
337 @{$d->{data}})
338 )."\n";
339diff --git a/auto/MkSrc/ProcImpl.pm b/auto/MkSrc/ProcImpl.pm
340index b8628fd..3d0f220 100644
341--- a/auto/MkSrc/ProcImpl.pm
342+++ b/auto/MkSrc/ProcImpl.pm
343@@ -45,10 +45,13 @@ $info{class}{proc}{impl} = sub {
344 foreach (grep {$_ ne ''} split /\s*,\s*/, $data->{'c impl headers'}) {
345 $accum->{headers}{$_} = true;
346 }
347- foreach my $d (@{$data->{data}}) {
348+ my @d = @{$data->{data}};
349+ while (@d) {
350+ my $d = shift @d;
351+ my $need_wide = false;
352 next unless one_of $d->{type}, qw(method constructor destructor);
353 my @parms = @{$d->{data}} if exists $d->{data};
354- my $m = make_c_method $data->{name}, $d, {mode=>'cc_cxx', use_name=>true}, %$accum;
355+ my $m = make_c_method $data->{name}, $d, {mode=>'cc_cxx', use_name=>true, wide=>$d->{wide}}, %$accum;
356 next unless defined $m;
357 $ret .= "extern \"C\" $m\n";
358 $ret .= "{\n";
359@@ -57,24 +60,49 @@ $info{class}{proc}{impl} = sub {
360 } else {
361 if ($d->{type} eq 'method') {
362 my $ret_type = shift @parms;
363- my $ret_native = to_type_name $ret_type, {mode=>'native_no_err', pos=>'return'}, %$accum;
364+ my $ret_native = to_type_name $ret_type, {mode=>'native_no_err', pos=>'return', wide=>$d->{wide}}, %$accum;
365 my $snum = 0;
366+ my $call_fun = $d->{name};
367+ my @call_parms;
368 foreach (@parms) {
369 my $n = to_lower($_->{name});
370- if ($_->{type} eq 'encoded string') {
371- $accum->{headers}{'mutable string'} = true;
372- $accum->{headers}{'convert'} = true;
373- $ret .= " ths->temp_str_$snum.clear();\n";
374- $ret .= " ths->to_internal_->convert($n, ${n}_size, ths->temp_str_$snum);\n";
375- $ret .= " unsigned int s$snum = ths->temp_str_$snum.size();\n";
376- $_ = "MutableString(ths->temp_str_$snum.mstr(), s$snum)";
377- $snum++;
378+ if ($_->{type} eq 'encoded string' && !exists($d->{'no conv'})) {
379+ $need_wide = true unless $d->{wide};
380+ die unless exists $d->{'posib err'};
381+ $accum->{headers}{'mutable string'} = true;
382+ $accum->{headers}{'convert'} = true;
383+ my $name = get_c_func_name $data->{name}, $d, {mode=>'cc_cxx', use_name=>true, wide=>$d->{wide}};
384+ $ret .= " ths->temp_str_$snum.clear();\n";
385+ if ($d->{wide}) {
386+ $ret .= " ${n}_size = get_correct_size(\"$name\", ths->to_internal_->in_type_width(), ${n}_size, ${n}_type_width);\n";
387+ } else {
388+ $ret .= " PosibErr<int> ${n}_fixed_size = get_correct_size(\"$name\", ths->to_internal_->in_type_width(), ${n}_size);\n";
389+ if (exists($d->{'on conv error'})) {
390+ $ret .= " if (${n}_fixed_size.get_err()) {\n";
391+ $ret .= " ".$d->{'on conv error'}."\n";
392+ $ret .= " } else {\n";
393+ $ret .= " ${n}_size = ${n}_fixed_size;\n";
394+ $ret .= " }\n";
395+ } else {
396+ $ret .= " ths->err_.reset(${n}_fixed_size.release_err());\n";
397+ $ret .= " if (ths->err_ != 0) return ".(c_error_cond $ret_type).";\n";
398+ }
399+ }
400+ $ret .= " ths->to_internal_->convert($n, ${n}_size, ths->temp_str_$snum);\n";
401+ $ret .= " unsigned int s$snum = ths->temp_str_$snum.size();\n";
402+ push @call_parms, "MutableString(ths->temp_str_$snum.mstr(), s$snum)";
403+ $snum++;
404+ } elsif ($_->{type} eq 'encoded string') {
405+ $need_wide = true unless $d->{wide};
406+ push @call_parms, $n, "${n}_size";
407+ push @call_parms, "${n}_type_width" if $d->{wide};
408+ $call_fun .= " wide" if $d->{wide};
409 } else {
410- $_ = $n;
411+ push @call_parms, $n;
412 }
413 }
414- my $parms = '('.(join ', ', @parms).')';
415- my $exp = "ths->".to_lower($d->{name})."$parms";
416+ my $parms = '('.(join ', ', @call_parms).')';
417+ my $exp = "ths->".to_lower($call_fun)."$parms";
418 if (exists $d->{'posib err'}) {
419 $accum->{headers}{'posib err'} = true;
420 $ret .= " PosibErr<$ret_native> ret = $exp;\n";
421@@ -118,6 +146,7 @@ $info{class}{proc}{impl} = sub {
422 }
423 }
424 $ret .= "}\n\n";
425+ unshift @d,{%$d, wide=>true} if $need_wide;
426 }
427 return $ret;
428 };
429diff --git a/auto/MkSrc/Read.pm b/auto/MkSrc/Read.pm
430index 4b3d1d0..4bf640e 100644
431--- a/auto/MkSrc/Read.pm
432+++ b/auto/MkSrc/Read.pm
433@@ -88,13 +88,13 @@ sub advance ( ) {
434 $in_pod = $1 if $line =~ /^\=(\w+)/;
435 $line = '' if $in_pod;
436 $in_pod = undef if $in_pod && $in_pod eq 'cut';
437- $line =~ s/\#.*$//;
438+ $line =~ s/(?<!\\)\#.*$//;
439 $line =~ s/^(\t*)//;
440 $level = $base_level + length($1);
441 $line =~ s/\s*$//;
442 ++$base_level if $line =~ s/^\{$//;
443 --$base_level if $line =~ s/^\}$//;
444- $line =~ s/\\([{}])/$1/g;
445+ $line =~ s/\\([{}#\\])/$1/g;
446 } while ($line eq '');
447 #print "$level:$line\n";
448 }
449diff --git a/auto/mk-src.in b/auto/mk-src.in
450index 0e7833a..eb3353f 100644
451--- a/auto/mk-src.in
452+++ b/auto/mk-src.in
453@@ -608,6 +608,7 @@ errors:
454 invalid expression
455 mesg => "%expression" is not a valid regular expression.
456 parms => expression
457+
458 }
459 group: speller
460 {
461@@ -650,6 +651,7 @@ class: speller
462 posib err
463 desc => Returns 0 if it is not in the dictionary,
464 1 if it is, or -1 on error.
465+ on conv error => return 0;
466 /
467 bool
468 encoded string: word
469@@ -715,6 +717,8 @@ class: speller
470 desc => Return NULL on error.
471 The word list returned by suggest is only
472 valid until the next call to suggest.
473+ on conv error =>
474+ word = NULL; word_size = 0;
475 /
476 const word list
477 encoded string: word
478@@ -840,7 +844,6 @@ class: document checker
479 void
480
481 method: process
482-
483 desc => Process a string.
484 The string passed in should only be split on
485 white space characters. Furthermore, between
486@@ -849,10 +852,10 @@ class: document checker
487 in the document. Passing in strings out of
488 order, skipping strings or passing them in
489 more than once may lead to undefined results.
490+ no conv
491 /
492 void
493- string: str
494- int: size
495+ encoded string: str
496
497 method: next misspelling
498
499@@ -860,9 +863,23 @@ class: document checker
500 processed string. If there are no more
501 misspelled words, then token.word will be
502 NULL and token.size will be 0
503+ cc extra =>
504+ \#define aspell_document_checker_next_misspelling_w(type, ths) \\
505+ aspell_document_checker_next_misspelling_adj(ths, sizeof(type))
506 /
507 token object
508
509+ method: next misspelling adj
510+ desc => internal: do not use
511+ c impl =>
512+ Token res = ths->next_misspelling();
513+ res.offset /= type_width;
514+ res.len /= type_width;
515+ return res;
516+ /
517+ token object
518+ int: type_width
519+
520 method: filter
521
522 desc => Returns the underlying filter class.
523@@ -922,9 +939,30 @@ class: string enumeration
524 ths->from_internal_->append_null(ths->temp_str);
525 return ths->temp_str.data();
526 \}
527+ cc extra =>
528+ \#define aspell_string_enumeration_next_w(type, ths) \\
529+ aspell_cast_(const type *, aspell_string_enumeration_next_wide(ths, sizeof(type)))
530 /
531 const string
532
533+ method: next wide
534+ c impl =>
535+ const char * s = ths->next();
536+ if (s == 0) {
537+ return s;
538+ } else if (ths->from_internal_ == 0) \{
539+ assert(type_width == 1);
540+ return s;
541+ \} else \{
542+ assert(type_width == ths->from_internal_->out_type_width());
543+ ths->temp_str.clear();
544+ ths->from_internal_->convert(s,-1,ths->temp_str);
545+ ths->from_internal_->append_null(ths->temp_str);
546+ return ths->temp_str.data();
547+ \}
548+ /
549+ const void pointer
550+ int: type_width
551 }
552 group: info
553 {
554diff --git a/common/convert.cpp b/common/convert.cpp
555index 1add95a..7ae0317 100644
556--- a/common/convert.cpp
557+++ b/common/convert.cpp
558@@ -541,18 +541,25 @@ namespace acommon {
559 // Trivial Conversion
560 //
561
562+ const char * unsupported_null_term_wide_string_msg =
563+ "Null-terminated wide-character strings unsupported when used this way.";
564+
565 template <typename Chr>
566 struct DecodeDirect : public Decode
567 {
568+ DecodeDirect() {type_width = sizeof(Chr);}
569 void decode(const char * in0, int size, FilterCharVector & out) const {
570 const Chr * in = reinterpret_cast<const Chr *>(in0);
571- if (size == -1) {
572+ if (size == -sizeof(Chr)) {
573 for (;*in; ++in)
574- out.append(*in);
575+ out.append(*in, sizeof(Chr));
576+ } else if (size <= -1) {
577+ fprintf(stderr, "%s\n", unsupported_null_term_wide_string_msg);
578+ abort();
579 } else {
580- const Chr * stop = reinterpret_cast<const Chr *>(in0 +size);
581+ const Chr * stop = reinterpret_cast<const Chr *>(in0) + size/sizeof(Chr);
582 for (;in != stop; ++in)
583- out.append(*in);
584+ out.append(*in, sizeof(Chr));
585 }
586 }
587 PosibErr<void> decode_ec(const char * in0, int size,
588@@ -565,6 +572,7 @@ namespace acommon {
589 template <typename Chr>
590 struct EncodeDirect : public Encode
591 {
592+ EncodeDirect() {type_width = sizeof(Chr);}
593 void encode(const FilterChar * in, const FilterChar * stop,
594 CharVector & out) const {
595 for (; in != stop; ++in) {
596@@ -594,11 +602,15 @@ namespace acommon {
597 template <typename Chr>
598 struct ConvDirect : public DirectConv
599 {
600+ ConvDirect() {type_width = sizeof(Chr);}
601 void convert(const char * in0, int size, CharVector & out) const {
602- if (size == -1) {
603+ if (size == -sizeof(Chr)) {
604 const Chr * in = reinterpret_cast<const Chr *>(in0);
605 for (;*in != 0; ++in)
606 out.append(in, sizeof(Chr));
607+ } else if (size <= -1) {
608+ fprintf(stderr, "%s\n", unsupported_null_term_wide_string_msg);
609+ abort();
610 } else {
611 out.append(in0, size);
612 }
613@@ -1121,5 +1133,20 @@ namespace acommon {
614 }
615 return 0;
616 }
617-
618+
619+ PosibErr<void> unsupported_null_term_wide_string_err_(const char * func) {
620+ static bool reported_to_stderr = false;
621+ PosibErr<void> err = make_err(other_error, unsupported_null_term_wide_string_msg);
622+ if (!reported_to_stderr) {
623+ CERR.printf("ERROR: %s: %s\n", func, unsupported_null_term_wide_string_msg);
624+ reported_to_stderr = true;
625+ }
626+ return err;
627+ }
628+
629+ void unsupported_null_term_wide_string_abort_(const char * func) {
630+ CERR.printf("%s: %s\n", unsupported_null_term_wide_string_msg);
631+ abort();
632+ }
633+
634 }
635diff --git a/common/convert.hpp b/common/convert.hpp
636index 76332ee..c948973 100644
637--- a/common/convert.hpp
638+++ b/common/convert.hpp
639@@ -7,6 +7,8 @@
640 #ifndef ASPELL_CONVERT__HPP
641 #define ASPELL_CONVERT__HPP
642
643+#include "settings.h"
644+
645 #include "string.hpp"
646 #include "posib_err.hpp"
647 #include "char_vector.hpp"
648@@ -25,8 +27,9 @@ namespace acommon {
649 typedef const Config CacheConfig;
650 typedef const char * CacheKey;
651 String key;
652+ int type_width; // type width in bytes
653 bool cache_key_eq(const char * l) const {return key == l;}
654- ConvBase() {}
655+ ConvBase() : type_width(1) {}
656 private:
657 ConvBase(const ConvBase &);
658 void operator=(const ConvBase &);
659@@ -56,6 +59,8 @@ namespace acommon {
660 virtual ~Encode() {}
661 };
662 struct DirectConv { // convert directly from in_code to out_code.
663+ int type_width; // type width in bytes
664+ DirectConv() : type_width(1) {}
665 // should not take ownership of decode and encode.
666 // decode and encode guaranteed to stick around for the life
667 // of the object.
668@@ -126,6 +131,9 @@ namespace acommon {
669 const char * in_code() const {return decode_->key.c_str();}
670 const char * out_code() const {return encode_->key.c_str();}
671
672+ int in_type_width() const {return decode_->type_width;}
673+ int out_type_width() const {return encode_->type_width;}
674+
675 void append_null(CharVector & out) const
676 {
677 const char nul[4] = {0,0,0,0}; // 4 should be enough
678@@ -191,6 +199,10 @@ namespace acommon {
679 }
680 }
681
682+ void convert(const void * in, int size, CharVector & out) {
683+ convert(static_cast<const char *>(in), size, out);
684+ }
685+
686 void generic_convert(const char * in, int size, CharVector & out);
687
688 };
689@@ -412,6 +424,30 @@ namespace acommon {
690 return operator()(str, str + byte_size);}
691 };
692
693+#ifdef SLOPPY_NULL_TERM_STRINGS
694+ static const bool sloppy_null_term_strings = true;
695+#else
696+ static const bool sloppy_null_term_strings = false;
697+#endif
698+
699+ PosibErr<void> unsupported_null_term_wide_string_err_(const char * func);
700+ void unsupported_null_term_wide_string_abort_(const char * func);
701+
702+ static inline PosibErr<int> get_correct_size(const char * func, int conv_type_width, int size) {
703+ if (sloppy_null_term_strings && size <= -1)
704+ return -conv_type_width;
705+ if (size <= -1 && -conv_type_width != size)
706+ return unsupported_null_term_wide_string_err_(func);
707+ return size;
708+ }
709+ static inline int get_correct_size(const char * func, int conv_type_width, int size, int type_width) {
710+ if ((sloppy_null_term_strings || type_width <= -1) && size <= -1)
711+ return -conv_type_width;
712+ if (size <= -1 && conv_type_width != type_width)
713+ unsupported_null_term_wide_string_abort_(func);
714+ return size;
715+ }
716+
717 }
718
719 #endif
720diff --git a/common/document_checker.cpp b/common/document_checker.cpp
721index 5e510c4..0ccf1cd 100644
722--- a/common/document_checker.cpp
723+++ b/common/document_checker.cpp
724@@ -44,7 +44,9 @@ namespace acommon {
725 void DocumentChecker::process(const char * str, int size)
726 {
727 proc_str_.clear();
728- conv_->decode(str, size, proc_str_);
729+ PosibErr<int> fixed_size = get_correct_size("aspell_document_checker_process", conv_->in_type_width(), size);
730+ if (!fixed_size.has_err())
731+ conv_->decode(str, fixed_size, proc_str_);
732 proc_str_.append(0);
733 FilterChar * begin = proc_str_.pbegin();
734 FilterChar * end = proc_str_.pend() - 1;
735@@ -53,6 +55,19 @@ namespace acommon {
736 tokenizer_->reset(begin, end);
737 }
738
739+ void DocumentChecker::process_wide(const void * str, int size, int type_width)
740+ {
741+ proc_str_.clear();
742+ int fixed_size = get_correct_size("aspell_document_checker_process", conv_->in_type_width(), size, type_width);
743+ conv_->decode(static_cast<const char *>(str), fixed_size, proc_str_);
744+ proc_str_.append(0);
745+ FilterChar * begin = proc_str_.pbegin();
746+ FilterChar * end = proc_str_.pend() - 1;
747+ if (filter_)
748+ filter_->process(begin, end);
749+ tokenizer_->reset(begin, end);
750+ }
751+
752 Token DocumentChecker::next_misspelling()
753 {
754 bool correct;
755diff --git a/common/document_checker.hpp b/common/document_checker.hpp
756index d35bb88..11a3c73 100644
757--- a/common/document_checker.hpp
758+++ b/common/document_checker.hpp
759@@ -36,6 +36,7 @@ namespace acommon {
760 PosibErr<void> setup(Tokenizer *, Speller *, Filter *);
761 void reset();
762 void process(const char * str, int size);
763+ void process_wide(const void * str, int size, int type_width);
764 Token next_misspelling();
765
766 Filter * filter() {return filter_;}
767diff --git a/common/version.cpp b/common/version.cpp
768index 414d938..9e60b75 100644
769--- a/common/version.cpp
770+++ b/common/version.cpp
771@@ -1,8 +1,17 @@
772 #include "settings.h"
773
774-extern "C" const char * aspell_version_string() {
775 #ifdef NDEBUG
776- return VERSION " NDEBUG";
777+# define NDEBUG_STR " NDEBUG"
778+#else
779+# define NDEBUG_STR
780+#endif
781+
782+#ifdef SLOPPY_NULL_TERM_STRINGS
783+# define SLOPPY_STR " SLOPPY"
784+#else
785+# define SLOPPY_STR
786 #endif
787- return VERSION;
788+
789+extern "C" const char * aspell_version_string() {
790+ return VERSION NDEBUG_STR SLOPPY_STR;
791 }
792diff --git a/configure.ac b/configure.ac
793index 60e3b39..a5d51e3 100644
794--- a/configure.ac
795+++ b/configure.ac
796@@ -73,6 +73,9 @@ AC_ARG_ENABLE(filter-version-control,
797 AC_ARG_ENABLE(32-bit-hash-fun,
798 AS_HELP_STRING([--enable-32-bit-hash-fun],[use 32-bit hash function for compiled dictionaries]))
799
800+AC_ARG_ENABLE(sloppy-null-term-strings,
801+ AS_HELP_STRING([--enable-sloppy-null-term-strings],[allows allow null terminated UCS-2 and UCS-4 strings]))
802+
803 AC_ARG_ENABLE(pspell-compatibility,
804 AS_HELP_STRING([--disable-pspell-compatibility],[don't install pspell compatibility libraries]))
805
806@@ -141,6 +144,11 @@ then
807 AC_DEFINE(USE_32_BIT_HASH_FUN, 1, [Defined if 32-bit hash function should be used for compiled dictionaries.])
808 fi
809
810+if test "$enable_sloppy_null_term_strings" = "yes"
811+then
812+ AC_DEFINE(SLOPPY_NULL_TERM_STRINGS, 1, [Defined if null-terminated UCS-2 and UCS-4 strings should always be allowed.])
813+fi
814+
815 AM_CONDITIONAL(PSPELL_COMPATIBILITY,
816 [test "$enable_pspell_compatibility" != "no"])
817 AM_CONDITIONAL(INCREMENTED_SONAME,
818diff --git a/manual/aspell.texi b/manual/aspell.texi
819index 45fa091..f400e06 100644
820--- a/manual/aspell.texi
821+++ b/manual/aspell.texi
822@@ -158,7 +158,8 @@ Installing
823
824 * Generic Install Instructions::
825 * HTML Manuals and "make clean"::
826-* Curses Notes::
827+* Curses Notes::
828+* Upgrading from Aspell 0.60.7::
829 * Loadable Filter Notes::
830 * Upgrading from Aspell 0.50::
831 * Upgrading from Aspell .33/Pspell .12::
832@@ -2206,18 +2207,26 @@ int correct = aspell_speller_check(spell_checker, @var{word}, @var{size});
833 @end smallexample
834
835 @noindent
836-@var{word} is expected to be a @code{const char *} character
837-string. If the encoding is set to be @code{ucs-2} or
838-@code{ucs-4} @var{word} is expected to be a cast
839-from either @code{const u16int *} or @code{const u32int *}
840-respectively. @code{u16int} and @code{u32int} are generally
841-@code{unsigned short} and @code{unsigned int} respectively.
842-@var{size} is the length of the string or @code{-1} if the string
843-is null terminated. If the string is a cast from @code{const u16int
844-*} or @code{const u32int *} then @code{@i{size}} is the amount of
845-space in bytes the string takes up after being cast to @code{const
846-char *} and not the true size of the string. @code{sspell_speller_check}
847-will return @code{0} if it is not found and non-zero otherwise.
848+@var{word} is expected to be a @code{const char *} character string.
849+@var{size} is the length of the string or @code{-1} if the string is
850+null terminated. @code{aspell_speller_check} will return @code{0} if it is not found
851+and non-zero otherwise.
852+
853+If you are using the @code{ucs-2} or @code{ucs-4} encoding then the
854+string is expected to be either a 2 or 4 byte wide integer
855+(respectively) and the @code{_w} macro vesion should be used:
856+
857+@smallexample
858+int correct = aspell_speller_check_w(spell_checker, @var{word}, @var{size});
859+@end smallexample
860+
861+The macro will cast the string to to the correct type and convert
862+@var{size} into bytes for you and then a call the special wide version of the
863+function that will make sure the encoding is correct for the type
864+passed in. For compatibility with older versions of Aspell the normal
865+non-wide functions can still be used provided that the size of the
866+string, in bytes, is also passed in. Null terminated @code{ucs-2} or
867+@code{ucs-4} are no longer supported when using the non-wide functions.
868
869 If the word is not correct, then the @code{suggest} method can be used
870 to come up with likely replacements.
871@@ -2236,7 +2245,28 @@ delete_aspell_string_enumeration(elements);
872
873 Notice how @code{elements} is deleted but @code{suggestions} is not.
874 The value returned by @code{suggestions} is only valid to the next
875-call to @code{suggest}. Once a replacement is made the
876+call to @code{suggest}.
877+
878+If you are using the @code{ucs-2} or @code{ucs-4} encoding then, in
879+addition to using the @code{_w} macro for the @code{suggest} method, you
880+should also use the @code{_w} macro with the @code{next} method which
881+will cast the string to the correct type for you. For example, if you
882+are using the @code{ucs-2} encoding and the string is a @code{const
883+uint16_t *} then you should use:
884+
885+@smallexample
886+AspellWordList * suggestions = aspell_speller_suggest_w(spell_checker,
887+ @var{word}, @var{size});
888+AspellStringEnumeration * elements = aspell_word_list_elements(suggestions);
889+const uint16_t * word;
890+while ( (word = aspell_string_enumeration_next_w(uint16_t, aspell_elements)) != NULL )
891+@{
892+ // add to suggestion list
893+@}
894+delete_aspell_string_enumeration(elements);
895+@end smallexample
896+
897+Once a replacement is made the
898 @code{store_repl} method should be used to communicate the replacement
899 pair back to the spell checker (for the reason, @pxref{Notes on
900 Storing Replacement Pairs}). Its usage is as follows:
901diff --git a/manual/readme.texi b/manual/readme.texi
902index 669ab8e..531721f 100644
903--- a/manual/readme.texi
904+++ b/manual/readme.texi
905@@ -15,15 +15,16 @@ The latest version can always be found at GNU Aspell's home page at
906 @uref{http://aspell.net}.
907
908 @menu
909-* Generic Install Instructions::
910-* HTML Manuals and "make clean"::
911-* Curses Notes::
912-* Loadable Filter Notes::
913-* Using 32-Bit Dictionaries on a 64-Bit System::
914-* Upgrading from Aspell 0.50::
915-* Upgrading from Aspell .33/Pspell .12::
916-* Upgrading from a Pre-0.50 snapshot::
917-* WIN32 Notes::
918+* Generic Install Instructions::
919+* HTML Manuals and "make clean"::
920+* Curses Notes::
921+* Upgrading from Aspell 0.60.7::
922+* Loadable Filter Notes::
923+* Using 32-Bit Dictionaries on a 64-Bit System::
924+* Upgrading from Aspell 0.50::
925+* Upgrading from Aspell .33/Pspell .12::
926+* Upgrading from a Pre-0.50 snapshot::
927+* WIN32 Notes::
928 @end menu
929
930 @node Generic Install Instructions
931@@ -121,17 +122,62 @@ In addition your system must also support the @code{mblen} function.
932 Although this function was defined in the ISO C89 standard (ANSI
933 X3.159-1989), not all systems have it.
934
935+@node Upgrading from Aspell 0.60.7
936+@appendixsec Upgrading from Aspell 0.60.7
937+
938+To prevent a potentially unbounded buffer over-read, Aspell no longer
939+supports null-terminated UCS-2 and UCS-4 encoded strings with the
940+original C API. Null-termianted 8-bit or UTF-8 encoded strings are
941+still supported, as are UCS-2 and UCS-4 encoded strings when the
942+length is passed in.
943+
944+As of Aspell 0.60.8 a function from the original API that expects an
945+encoded string as a parameter will return meaningless results (or an
946+error code) if string is null terminated and the encoding is set to
947+@code{ucs-2} or @code{ucs-4}. In addition, a single:
948+@example
949+ERROR: aspell_speller_check: Null-terminated wide-character strings unsupported when used this way.
950+@end example
951+will be printed to standard error the first time one of those
952+functions is called.
953+
954+Application that use null-terminated UCS-2/4 strings should either (1)
955+use the interface intended for working with wide-characters
956+(@xref{Through the C API}); or (2) define
957+@code{ASPELL_ENCODE_SETTING_SECURE} before including @code{aspell.h}.
958+In the latter case is is important that the application explicitly
959+sets the encoding to a known value. Defining
960+@code{ASPELL_ENCODE_SETTING_SECURE} and not setting the encoding
961+explicitly or allowing user of the application to set the encoding
962+could result in an unbounded buffer over-read.
963+
964+If it is necessary to preserve binary compatibility with older
965+versions of Aspell, the easiest thing would be to determine the length
966+of the UCS-2/4 string---in bytes---and pass that in. Due to an
967+implemenation detail, existing API functions can be made to work with
968+null-terminated UCS-2/4 strings safely by passing in either @code{-2}
969+or @code{-4} (corresponding to the width of the character type) as the
970+size. Doing so, however, will cause a buffer over-read for unpatched
971+version of Aspell. To avoid this it will be necessary to parse the
972+version string to determine the correct value to use. However, no
973+official support will be provided for the latter method.
974+
975+If the application can not be recompiled, then Aspell can be configured
976+to preserve the old behavior by passing
977+@option{--enable-sloppy-null-term-strings} to @command{configure}. When Aspell
978+is compiled this way the version string will include the string
979+@samp{ SLOPPY}.
980+
981 @node Loadable Filter Notes
982 @appendixsec Loadable Filter Notes
983-
984+
985 Support for being able to load additional filter modules at run-time
986 has only been verified to work on Linux platforms. If you get linker
987 errors when trying to use a filter, then it is likely that loadable
988 filter support is not working yet on your platform. Thus, in order to
989 get Aspell to work correctly you will need to avoid compiling the
990 filters as individual modules by using the
991-@option{--enable-compile-in-filters} when configuring Aspell with
992-@command{./configure}.
993+@option{--enable-compile-in-filters} @command{configure} option.
994
995 @node Using 32-Bit Dictionaries on a 64-Bit System
996 @appendixsec Using 32-Bit Dictionaries on a 64-Bit System
997--
9982.17.1
999
diff --git a/meta/recipes-support/aspell/aspell/CVE-2019-20433-0002.patch b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0002.patch
new file mode 100644
index 0000000000..9569ddeebe
--- /dev/null
+++ b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0002.patch
@@ -0,0 +1,68 @@
1From cefd447e5528b08bb0cd6656bc52b4255692cefc Mon Sep 17 00:00:00 2001
2From: Kevin Atkinson <kevina@gnu.org>
3Date: Sat, 17 Aug 2019 20:25:21 -0400
4Subject: [PATCH 2/2] Increment library version to reflect API changes.
5
6CVE: CVE-2019-20433
7Upstream-Status: Backport [https://github.com/GNUAspell/aspell/commit/cefd447e5528b08bb0cd6656bc52b4255692cefc]
8
9Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
10---
11 Makefile.am | 31 +++++++++++++++++--------------
12 1 file changed, 17 insertions(+), 14 deletions(-)
13
14diff --git a/Makefile.am b/Makefile.am
15index 7e15851..19dc044 100644
16--- a/Makefile.am
17+++ b/Makefile.am
18@@ -94,18 +94,25 @@ libaspell_la_SOURCES =\
19
20 libaspell_la_LIBADD = $(LTLIBINTL) $(PTHREAD_LIB)
21
22-## Libtool to so name
23-## C:R:A => (C-A).(A).(R)
24-## 16:5:0 => 16.0.5
25-## 16:5:1 => 15.1.5
26-## 18:0:2 => 16.2.0
27-## 17:0:2 => 15.2.0
28-
29+## The version string is current[:revision[:age]]
30+##
31+## Before a release that has changed the source code at all
32+## increment revision.
33+##
34+## After merging changes that have changed the API in a backwards
35+## comptable way set revision to 0 and bump both current and age.
36+##
37+## Do not change the API in a backwards incompatible way.
38+##
39+## See "Libtool: Updating version info"
40+## (https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html)
41+## for more into
42+##
43 if INCREMENTED_SONAME
44-libaspell_la_LDFLAGS = -version-info 18:0:2 -no-undefined
45+libaspell_la_LDFLAGS = -version-info 19:0:3 -no-undefined
46 else
47 ## Use C-1:R:A
48-libaspell_la_LDFLAGS = -version-info 17:0:2 -no-undefined
49+libaspell_la_LDFLAGS = -version-info 18:0:3 -no-undefined
50 endif
51
52 if PSPELL_COMPATIBILITY
53@@ -113,11 +120,7 @@ libpspell_la_SOURCES = lib/dummy.cpp
54
55 libpspell_la_LIBADD = libaspell.la
56
57-if INCREMENTED_SONAME
58-libpspell_la_LDFLAGS = -version-info 18:0:2 -no-undefined
59-else
60-libpspell_la_LDFLAGS = -version-info 17:0:2 -no-undefined
61-endif
62+libpspell_la_LDFLAGS = $(libaspell_la_LDFLAGS)
63
64 endif
65
66--
672.17.1
68
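diff --git a/meta/recipes-support/aspell/aspell_0.60.7.bb b/meta/recipes-support/aspell/aspell_0.60.7.bb
index b565cb3c6e..1e104c263c 100644
--- a/meta/recipes-support/aspell/aspell_0.60.7.bb
+++ b/meta/recipes-support/aspell/aspell_0.60.7.bb
@@ -8,6 +8,8 @@ PR = "r1"
 
 SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \
  file://0001-Fix-various-bugs-found-by-OSS-Fuze.patch \
+ file://CVE-2019-20433-0001.patch \
+ file://CVE-2019-20433-0002.patch \
 "
 SRC_URI[md5sum] = "8ef2252609c511cd2bb26f3a3932ef28"
 SRC_URI[sha256sum] = "5ca8fc8cb0370cc6c9eb5b64c6d1bc5d57b3750dbf17887726c3407d833b70e4"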
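Review bot: CVE-2019-20433-0001.patch is not a drop-in fix and the recipe says nothing about it: by its own manual text, after the patch aspell rejects null-terminated UCS-2/UCS-4 strings through the original C API (an error code plus a one-time `ERROR: aspell_speller_check: Null-terminated wide-character strings unsupported when used this way.` on stderr), and 0002 moves libtool version-info from 18:0:2 to 19:0:3, which keeps the soname (current minus age is still 16), so already-built consumers pick up the behaviour change without a rebuild. Any recipe in the layer that calls libaspell with `ucs-2`/`ucs-4` and size -1 has to move to the `_w` API or pass the byte length; that deserves a sentence in the commit message or a recipe comment. The old behaviour must not be restored via `--enable-sloppy-null-term-strings`, since that re-enables the unbounded over-read the CVE describes; a comment above the patch list such as `# CVE-2019-20433: patch 0001 drops null-terminated UCS-2/4 support from the C API; never add --enable-sloppy-null-term-strings` would pin that decision for the next upgrader.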
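diff --git a/meta/recipes-support/attr/acl_2.2.52.bb b/meta/recipes-support/attr/acl_2.2.52.bb
index 6bc77d868d..31ec64a43d 100644
--- a/meta/recipes-support/attr/acl_2.2.52.bb
+++ b/meta/recipes-support/attr/acl_2.2.52.bb
@@ -25,6 +25,9 @@ SRC_URI[sha256sum] = "179074bb0580c06c4b4137be4c5a92a701583277967acdb5546043c787
 
 require ea-acl.inc
 
+# Has issues with newer versions of make
+PARALLEL_MAKEINST = ""
+
 # avoid RPATH hardcode to staging dir
 do_configure_append() {
  sed -i ${S}/config.status -e s,^\\\(hardcode_into_libs=\\\).*$,\\1\'no\',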
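diff --git a/meta/recipes-support/attr/attr_2.4.47.bb b/meta/recipes-support/attr/attr_2.4.47.bb
index fc88bef830..c3da66a0c7 100644
--- a/meta/recipes-support/attr/attr_2.4.47.bb
+++ b/meta/recipes-support/attr/attr_2.4.47.bb
@@ -12,4 +12,7 @@ SRC_URI += "file://attr-Missing-configure.ac.patch \
 SRC_URI[md5sum] = "84f58dec00b60f2dc8fd1c9709291cc7"
 SRC_URI[sha256sum] = "25772f653ac5b2e3ceeb89df50e4688891e21f723c460636548971652af0a859"
 
+# Has issues with newer versions of make
+PARALLEL_MAKEINST = ""
+
 BBCLASSEXTEND = "native nativesdk"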
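diff --git a/meta/recipes-support/gnupg/gnupg_2.2.17.bb b/meta/recipes-support/gnupg/gnupg_2.2.19.bb
index 689cf8a75e..a0577d61d3 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.17.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.19.bb
@@ -19,8 +19,8 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
 SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
  file://relocate.patch"
 
-SRC_URI[md5sum] = "1ba2d9b70c377f8e967742064c27a19c"
-SRC_URI[sha256sum] = "afa262868e39b651a2db4c071fba90415154243e83a830ca00516f9a807fd514"
+SRC_URI[md5sum] = "cb3b373d08ba078c325299945a7f2818"
+SRC_URI[sha256sum] = "242554c0e06f3a83c420b052f750b65ead711cc3fddddb5e7274fcdbb4e9dec0"
 
 EXTRA_OECONF = "--disable-ldap \
  --disable-ccid-driver \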
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-a.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-a.patch
new file mode 100644
index 0000000000..1811afc2ff
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-a.patch
@@ -0,0 +1,90 @@
1From 6e798091d057de6b7f94b9dede4c5c919ec41f89 Mon Sep 17 00:00:00 2001
2From: Daiki Ueno <ueno@gnu.org>
3Date: Tue, 2 Jun 2020 20:53:11 +0200
4Subject: [PATCH 1/3] stek: differentiate initial state from valid time window
5 of TOTP
6
7commit c2646aeee94e71cb15c90a3147cf3b5b0ca158ca from https://gitlab.com/gnutls/gnutls.git
8
9There was a confusion in the TOTP implementation in stek.c. When the
10mechanism is initialized at the first time, it records the timestamp
11but doesn't initialize the key. This removes the timestamp recording
12at the initialization phase, so the key is properly set later.
13
14Upstream-Status: Backport
15
16Signed-off-by: Daiki Ueno <ueno@gnu.org>
17Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
18---
19 lib/stek.c | 17 +++++------------
20 tests/resume-with-previous-stek.c | 4 ++--
21 tests/tls13/prf-early.c | 8 ++++----
22 3 files changed, 11 insertions(+), 18 deletions(-)
23
24diff --git a/lib/stek.c b/lib/stek.c
25index 2f885ce..5ab9e7d 100644
26--- a/lib/stek.c
27+++ b/lib/stek.c
28@@ -323,20 +323,13 @@ int _gnutls_initialize_session_ticket_key_rotation(gnutls_session_t session, con
29 if (unlikely(session == NULL || key == NULL))
30 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
31
32- if (session->key.totp.last_result == 0) {
33- int64_t t;
34- memcpy(session->key.initial_stek, key->data, key->size);
35- t = totp_next(session);
36- if (t < 0)
37- return gnutls_assert_val(t);
38+ if (unlikely(session->key.totp.last_result != 0))
39+ return GNUTLS_E_INVALID_REQUEST;
40
41- session->key.totp.last_result = t;
42- session->key.totp.was_rotated = 0;
43-
44- return GNUTLS_E_SUCCESS;
45- }
46+ memcpy(session->key.initial_stek, key->data, key->size);
47
48- return GNUTLS_E_INVALID_REQUEST;
49+ session->key.totp.was_rotated = 0;
50+ return 0;
51 }
52
53 /*
54diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c
55index f212b18..05c1c90 100644
56--- a/tests/resume-with-previous-stek.c
57+++ b/tests/resume-with-previous-stek.c
58@@ -196,8 +196,8 @@ static void server(int fd, unsigned rounds, const char *prio)
59 serverx509cred = NULL;
60 }
61
62- if (num_stek_rotations != 2)
63- fail("STEK should be rotated exactly twice (%d)!\n", num_stek_rotations);
64+ if (num_stek_rotations != 3)
65+ fail("STEK should be rotated exactly three times (%d)!\n", num_stek_rotations);
66
67 if (serverx509cred)
68 gnutls_certificate_free_credentials(serverx509cred);
69diff --git a/tests/tls13/prf-early.c b/tests/tls13/prf-early.c
70index 414b1db..bc31962 100644
71--- a/tests/tls13/prf-early.c
72+++ b/tests/tls13/prf-early.c
73@@ -123,10 +123,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size)
74 } \
75 }
76
77-#define KEY_EXP_VALUE "\xc0\x1e\xc2\xa4\xb7\xb4\x04\xaa\x91\x5d\xaf\xe8\xf7\x4d\x19\xdf\xd0\xe6\x08\xd6\xb4\x3b\xcf\xca\xc9\x32\x75\x3b\xe3\x11\x19\xb1\xac\x68"
78-#define HELLO_VALUE "\x77\xdb\x10\x0b\xe8\xd0\xb9\x38\xbc\x49\xe6\xbe\xf2\x47\x2a\xcc\x6b\xea\xce\x85\x04\xd3\x9e\xd8\x06\x16\xad\xff\xcd\xbf\x4b"
79-#define CONTEXT_VALUE "\xf2\x17\x9f\xf2\x66\x56\x87\x66\xf9\x5c\x8a\xd7\x4e\x1d\x46\xee\x0e\x44\x41\x4c\xcd\xac\xcb\xc0\x31\x41\x2a\xb6\xd7\x01\x62"
80-#define NULL_CONTEXT_VALUE "\xcd\x79\x07\x93\xeb\x96\x07\x3e\xec\x78\x90\x89\xf7\x16\x42\x6d\x27\x87\x56\x7c\x7b\x60\x2b\x20\x44\xd1\xea\x0c\x89\xfb\x8b"
81+#define KEY_EXP_VALUE "\xc1\x6b\x6c\xb9\x88\x33\xd5\x28\x80\xec\x27\x87\xa2\x6f\x4b\xd0\x01\x5e\x7f\xca\xd7\xd4\x8a\x3f\xe2\x48\x92\xef\x02\x14\xfb\x81\x90\x04"
82+#define HELLO_VALUE "\x2a\x73\xd9\x74\x04\x4e\x0a\x5f\x41\x8a\x09\xcb\x45\x33\x1a\xec\xd3\xfc\xdc\x1b\x2c\x67\x26\xe4\x9c\xfe\x1f\xa5\x74\xf1\x4f"
83+#define CONTEXT_VALUE "\x87\xf6\x88\xe3\xd7\xf2\x05\xbc\xa4\x10\xa3\x48\x9f\xf5\xcf\x97\x06\x22\x4e\xfd\x18\x32\x52\x1d\xbd\x26\xf5\x5b\x21\x20\xec"
84+#define NULL_CONTEXT_VALUE "\xf9\xca\xfe\x45\x44\x96\xdb\xc5\x41\x8f\x7e\x8e\xd7\xb0\x7d\x19\x45\xaf\x09\xbc\x1e\x82\x94\xac\x55\xe5\xb9\xb4\x3b\xe8\xc0"
85
86 static int handshake_callback_called;
87
88--
892.17.1
90
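Review bot: The header of this patch carries `Upstream-Status: Backport` but no `CVE: CVE-2020-13777` line, unlike CVE-2020-24659.patch in the same series; cve-check can still key on the filename, but the header tag is the documented convention and the one that survives a later rename, so add `CVE: CVE-2020-13777` under the Upstream-Status line (the same applies to the -b and -c patches). On the code, the rewritten `_gnutls_initialize_session_ticket_key_rotation` in the lib/stek.c hunk now only stores `initial_stek` and clears `was_rotated`; the first usable key is produced by `rotate()`, whose callers are outside this patch, so the fix is complete only if every read of `session->key.session_ticket_key` on the 3.6.13 tree is preceded by a `rotate()` call — that is precisely what the valgrind marking in the -c patch is meant to catch, but only when the test suite actually runs under valgrind. The changed expectations in tests/resume-with-previous-stek.c (two rotations to three) and the exact-match constants in tests/tls13/prf-early.c are the only regression evidence carried over from the 3.6.14 commit, so please run the gnutls test suite once against 3.6.13 with all three patches applied and record that in the header, since those constants were generated on a different tree.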
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch
new file mode 100644
index 0000000000..12486e1710
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-b.patch
@@ -0,0 +1,137 @@
1From 6c7f9703e42bc5278d0a4a6f0a39d07d62123ea3 Mon Sep 17 00:00:00 2001
2From: Daiki Ueno <dueno@redhat.com>
3Date: Tue, 31 Mar 2020 06:58:48 +0200
4Subject: [PATCH 2/3] build: use valgrind client request to detect undefined
5 memory use
6
7commit 50ad8778a81f9421effa4c5a3b457f98e559b178 from https://gitlab.com/gnutls/gnutls.git
8
9This tightens the check introduced in
10ac2f71b892d13a7ab4cc39086eef179042c7e23c, by using the valgrind client
11request to explicitly mark the "uninitialized but initialization is
12needed before use" regions. With this patch and the
13fix (c01011c2d8533dbbbe754e49e256c109cb848d0d) reverted, you will see
14the following error when running dtls_hello_random_value under
15valgrind:
16
17 $ valgrind ./dtls_hello_random_value
18 testing: default
19 ==520145== Conditional jump or move depends on uninitialised value(s)
20 ==520145== at 0x4025F5: hello_callback (dtls_hello_random_value.c:90)
21 ==520145== by 0x488BF97: _gnutls_call_hook_func (handshake.c:1215)
22 ==520145== by 0x488C1AA: _gnutls_send_handshake2 (handshake.c:1332)
23 ==520145== by 0x488FC7E: send_client_hello (handshake.c:2290)
24 ==520145== by 0x48902A1: handshake_client (handshake.c:2908)
25 ==520145== by 0x48902A1: gnutls_handshake (handshake.c:2740)
26 ==520145== by 0x402CB3: client (dtls_hello_random_value.c:153)
27 ==520145== by 0x402CB3: start (dtls_hello_random_value.c:317)
28 ==520145== by 0x402EFE: doit (dtls_hello_random_value.c:331)
29 ==520145== by 0x4023D4: main (utils.c:254)
30 ==520145==
31
32Upstream-Status: Backport
33
34Signed-off-by: Daiki Ueno <dueno@redhat.com>
35Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
36---
37 configure.ac | 2 ++
38 lib/handshake.c | 15 +++++++++++++++
39 lib/state.c | 21 ++++++++++++++++++---
40 3 files changed, 35 insertions(+), 3 deletions(-)
41
42diff --git a/configure.ac b/configure.ac
43index 172cf42..12da283 100644
44--- a/configure.ac
45+++ b/configure.ac
46@@ -233,6 +233,8 @@ AS_IF([test "$ac_cv_search___atomic_load_4" = "none required" || test "$ac_cv_se
47 dnl We use its presence to detect C11 threads
48 AC_CHECK_HEADERS([threads.h])
49
50+AC_CHECK_HEADERS([valgrind/memcheck.h])
51+
52 AC_ARG_ENABLE(padlock,
53 AS_HELP_STRING([--disable-padlock], [unconditionally disable padlock acceleration]),
54 use_padlock=$enableval)
55diff --git a/lib/handshake.c b/lib/handshake.c
56index 84a0e52..8d58fa4 100644
57--- a/lib/handshake.c
58+++ b/lib/handshake.c
59@@ -57,6 +57,9 @@
60 #include "secrets.h"
61 #include "tls13/session_ticket.h"
62 #include "locks.h"
63+#ifdef HAVE_VALGRIND_MEMCHECK_H
64+#include <valgrind/memcheck.h>
65+#endif
66
67 #define TRUE 1
68 #define FALSE 0
69@@ -242,6 +245,12 @@ int _gnutls_gen_client_random(gnutls_session_t session)
70 return gnutls_assert_val(ret);
71 }
72
73+#ifdef HAVE_VALGRIND_MEMCHECK_H
74+ if (RUNNING_ON_VALGRIND)
75+ VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.client_random,
76+ GNUTLS_RANDOM_SIZE);
77+#endif
78+
79 return 0;
80 }
81
82@@ -320,6 +329,12 @@ int _gnutls_gen_server_random(gnutls_session_t session, int version)
83 return ret;
84 }
85
86+#ifdef HAVE_VALGRIND_MEMCHECK_H
87+ if (RUNNING_ON_VALGRIND)
88+ VALGRIND_MAKE_MEM_DEFINED(session->security_parameters.server_random,
89+ GNUTLS_RANDOM_SIZE);
90+#endif
91+
92 return 0;
93 }
94
95diff --git a/lib/state.c b/lib/state.c
96index 0e1d155..98900c1 100644
97--- a/lib/state.c
98+++ b/lib/state.c
99@@ -55,6 +55,9 @@
100 #include "ext/cert_types.h"
101 #include "locks.h"
102 #include "kx.h"
103+#ifdef HAVE_VALGRIND_MEMCHECK_H
104+#include <valgrind/memcheck.h>
105+#endif
106
107 /* to be used by supplemental data support to disable TLS1.3
108 * when supplemental data have been globally registered */
109@@ -564,10 +567,22 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
110 UINT32_MAX;
111 }
112
113- /* everything else not initialized here is initialized
114- * as NULL or 0. This is why calloc is used.
115+ /* Everything else not initialized here is initialized as NULL
116+ * or 0. This is why calloc is used. However, we want to
117+ * ensure that certain portions of data are initialized at
118+ * runtime before being used. Mark such regions with a
119+ * valgrind client request as undefined.
120 */
121-
122+#ifdef HAVE_VALGRIND_MEMCHECK_H
123+ if (RUNNING_ON_VALGRIND) {
124+ if (flags & GNUTLS_CLIENT)
125+ VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.client_random,
126+ GNUTLS_RANDOM_SIZE);
127+ if (flags & GNUTLS_SERVER)
128+ VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.server_random,
129+ GNUTLS_RANDOM_SIZE);
130+ }
131+#endif
132 handshake_internal_state_clear1(*session);
133
134 #ifdef HAVE_WRITEV
135--
1362.17.1
137
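Review bot: `AC_CHECK_HEADERS([valgrind/memcheck.h])` in the configure.ac hunk makes the build result depend on whether valgrind's headers happen to be in the sysroot at configure time, which under OE is a floating dependency: the recipe does not list valgrind in DEPENDS, so the check will normally fail, but if anything ever pulls valgrind into the sysroot the library silently gains the client-request code. Pin the result explicitly, e.g. `EXTRA_OECONF += "ac_cv_header_valgrind_memcheck_h=no"`, or expose it as a `valgrind` PACKAGECONFIG with `--with`/`--without` style control if the test suite is meant to run under valgrind. As far as the guarded macros in the lib/handshake.c and lib/state.c hunks show, this patch and CVE-2020-13777-c only add `VALGRIND_MAKE_MEM_*` requests behind `RUNNING_ON_VALGRIND`, so they do not alter the shipped library's behaviour; the CVE fix proper is CVE-2020-13777-a, and the patch header should say so in one line, e.g. `Test instrumentation only; the runtime fix is in CVE-2020-13777-a.patch`, together with the missing `CVE: CVE-2020-13777` tag.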
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-c.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-c.patch
new file mode 100644
index 0000000000..2d8efeb889
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-13777-c.patch
@@ -0,0 +1,68 @@
1From b34da057dc9eb01df30b436ba9cb047c21fb0151 Mon Sep 17 00:00:00 2001
2From: Daiki Ueno <ueno@gnu.org>
3Date: Tue, 2 Jun 2020 21:45:17 +0200
4Subject: [PATCH 3/3] valgrind: check if session ticket key is used without
5 initialization
6
7commit 3d7fae761e65e9d0f16d7247ee8a464d4fe002da from https://gitlab.com/gnutls/gnutls.git
8
9This adds a valgrind client request for
10session->key.session_ticket_key to make sure that it is not used
11without initialization.
12
13Upstream-Status: Backport
14
15Signed-off-by: Daiki Ueno <ueno@gnu.org>
16Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
17---
18 lib/state.c | 5 ++++-
19 lib/stek.c | 8 ++++++++
20 2 files changed, 12 insertions(+), 1 deletion(-)
21
22diff --git a/lib/state.c b/lib/state.c
23index 98900c1..cabdf7d 100644
24--- a/lib/state.c
25+++ b/lib/state.c
26@@ -578,9 +578,12 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
27 if (flags & GNUTLS_CLIENT)
28 VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.client_random,
29 GNUTLS_RANDOM_SIZE);
30- if (flags & GNUTLS_SERVER)
31+ if (flags & GNUTLS_SERVER) {
32 VALGRIND_MAKE_MEM_UNDEFINED((*session)->security_parameters.server_random,
33 GNUTLS_RANDOM_SIZE);
34+ VALGRIND_MAKE_MEM_UNDEFINED((*session)->key.session_ticket_key,
35+ TICKET_MASTER_KEY_SIZE);
36+ }
37 }
38 #endif
39 handshake_internal_state_clear1(*session);
40diff --git a/lib/stek.c b/lib/stek.c
41index 5ab9e7d..316555b 100644
42--- a/lib/stek.c
43+++ b/lib/stek.c
44@@ -21,6 +21,9 @@
45 */
46 #include "gnutls_int.h"
47 #include "stek.h"
48+#ifdef HAVE_VALGRIND_MEMCHECK_H
49+#include <valgrind/memcheck.h>
50+#endif
51
52 #define NAME_POS (0)
53 #define KEY_POS (TICKET_KEY_NAME_SIZE)
54@@ -143,6 +146,11 @@ static int rotate(gnutls_session_t session)
55 call_rotation_callback(session, key, t);
56 session->key.totp.last_result = t;
57 memcpy(session->key.session_ticket_key, key, sizeof(key));
58+#ifdef HAVE_VALGRIND_MEMCHECK_H
59+ if (RUNNING_ON_VALGRIND)
60+ VALGRIND_MAKE_MEM_DEFINED(session->key.session_ticket_key,
61+ TICKET_MASTER_KEY_SIZE);
62+#endif
63
64 session->key.totp.was_rotated = 1;
65 } else if (t < 0) {
66--
672.17.1
68
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
new file mode 100644
index 0000000000..1702325e66
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
@@ -0,0 +1,117 @@
1From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
2From: Daiki Ueno <ueno@gnu.org>
3Date: Sat, 22 Aug 2020 17:19:39 +0200
4Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is
5 incomplete
6
7If the initial handshake is incomplete and the server sends a
8no_renegotiation alert, the client should treat it as a fatal error
9even if its level is warning. Otherwise the same handshake
10state (e.g., DHE parameters) are reused in the next gnutls_handshake
11call, if it is called in the loop idiom:
12
13 do {
14 ret = gnutls_handshake(session);
15 } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
16
17Signed-off-by: Daiki Ueno <ueno@gnu.org>
18CVE: CVE-2020-24659
19Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]
20Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
21---
22 lib/gnutls_int.h | 1 +
23 lib/handshake.c | 48 +++++++++++++-----
24 2 files changed, 36 insertions(+), 13 deletions(-)
25
26diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
27index bb6c19713..31cec5c0c 100644
28--- a/lib/gnutls_int.h
29+++ b/lib/gnutls_int.h
30@@ -1370,6 +1370,7 @@ typedef struct {
31 #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
32 #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
33 #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
34+#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
35
36 /* The hsk_flags are for use within the ongoing handshake;
37 * they are reset to zero prior to handshake start by gnutls_handshake. */
38diff --git a/lib/handshake.c b/lib/handshake.c
39index b40f84b3d..ce2d160e2 100644
40--- a/lib/handshake.c
41+++ b/lib/handshake.c
42@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session,
43 if (ret < 0)
44 return gnutls_assert_val(ret);
45
46+ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
47+
48 return 0;
49 }
50
51@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session)
52 return 0;
53 }
54
55+/* This function checks whether the error code should be treated fatal
56+ * or not, and also does the necessary state transition. In
57+ * particular, in the case of a rehandshake abort it resets the
58+ * handshake's internal state.
59+ */
60 inline static int
61 _gnutls_abort_handshake(gnutls_session_t session, int ret)
62 {
63- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
64- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
65- || ret == GNUTLS_E_GOT_APPLICATION_DATA)
66- return 0;
67+ switch (ret) {
68+ case GNUTLS_E_WARNING_ALERT_RECEIVED:
69+ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
70+ /* The server always toleretes a "no_renegotiation" alert. */
71+ if (session->security_parameters.entity == GNUTLS_SERVER) {
72+ STATE = STATE0;
73+ return ret;
74+ }
75+
76+ /* The client should tolerete a "no_renegotiation" alert only if:
77+ * - the initial handshake has completed, or
78+ * - a Server Hello is not yet received
79+ */
80+ if (session->internals.initial_negotiation_completed ||
81+ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
82+ STATE = STATE0;
83+ return ret;
84+ }
85
86- /* this doesn't matter */
87- return GNUTLS_E_INTERNAL_ERROR;
88+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
89+ }
90+ return ret;
91+ case GNUTLS_E_GOT_APPLICATION_DATA:
92+ STATE = STATE0;
93+ return ret;
94+ default:
95+ return ret;
96+ }
97 }
98
99
100@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session)
101 }
102
103 if (ret < 0) {
104- /* In the case of a rehandshake abort
105- * we should reset the handshake's internal state.
106- */
107- if (_gnutls_abort_handshake(session, ret) == 0)
108- STATE = STATE0;
109-
110- return ret;
111+ return _gnutls_abort_handshake(session, ret);
112 }
113
114 /* clear handshake buffer */
115--
1162.17.0
117
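Review bot: `Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]` names only the repository, whereas the other backports in this commit cite the upstream commit; the `From 29ee67c2…` line is then the only pointer, so write `Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/29ee67c205855e848a0a26e6d0e4f65b6b943e0a]` (or whichever id that commit has on the upstream branch it was taken from). In the new `_gnutls_abort_handshake`, a client that has already received ServerHello (the `HSK_SERVER_HELLO_RECEIVED` bit set in the read_server_hello hunk) now turns a warning-level no_renegotiation alert into `GNUTLS_E_UNEXPECTED_PACKET` without resetting STATE, while the tolerated cases reset to STATE0 and return the original code; that asymmetry is what stops the `while (ret < 0 && !gnutls_error_is_fatal(ret))` loop from re-entering the handshake with the stale DHE parameters, so it should be preserved if the patch is ever refreshed. One sentence in the header noting that applications which matched on `GNUTLS_E_WARNING_ALERT_RECEIVED` during the initial handshake now receive a fatal code would document the visible behaviour change; the flag bit `(1<<29)` is free on this tree, since `(1<<28)` is the last one defined in the gnutls_int.h hunk.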
diff --git a/meta/recipes-support/gnutls/gnutls/posix-shell.patch b/meta/recipes-support/gnutls/gnutls/posix-shell.patch
deleted file mode 100644
index 938e2d1e18..0000000000
--- a/meta/recipes-support/gnutls/gnutls/posix-shell.patch
+++ /dev/null
@@ -1,39 +0,0 @@
1Don't embed the path to the build-time POSIX shell as this will be
2$TMPDIR/hosttools/bash, which is no good on the target.
3
4Instead default to /bin/sh but allow it to be set in the environment.
5
6This isn't really upstreamable but I filed a bug at
7https://gitlab.com/gnutls/gnutls/issues/807 and hope a proper fix will be
8integrated.
9
10Upstream-Status: Inappropriate
11Signed-off-by: Ross Burton <ross.burton@intel.com>
12
13diff --git a/src/libopts/m4/libopts.m4 b/src/libopts/m4/libopts.m4
14index c6ad738..a62faca 100644
15--- a/src/libopts/m4/libopts.m4
16+++ b/src/libopts/m4/libopts.m4
17@@ -112,21 +112,7 @@ AC_DEFUN([INVOKE_LIBOPTS_MACROS_FIRST],[
18 AC_CHECK_FUNCS([mmap canonicalize_file_name snprintf strdup strchr \
19 strrchr strsignal fchmod fstat chmod])
20 AC_PROG_SED
21- [while :
22- do
23- POSIX_SHELL=`which bash`
24- test -x "$POSIX_SHELL" && break
25- POSIX_SHELL=`which dash`
26- test -x "$POSIX_SHELL" && break
27- POSIX_SHELL=/usr/xpg4/bin/sh
28- test -x "$POSIX_SHELL" && break
29- POSIX_SHELL=`/bin/sh -c '
30- exec 2>/dev/null
31- if ! true ; then exit 1 ; fi
32- echo /bin/sh'`
33- test -x "$POSIX_SHELL" && break
34- ]AC_MSG_ERROR([cannot locate a working POSIX shell])[
35- done]
36+ POSIX_SHELL="${POSIX_SHELL:-/bin/sh}"
37 AC_DEFINE_UNQUOTED([POSIX_SHELL], ["${POSIX_SHELL}"],
38 [define to a working POSIX compliant shell])
39 AC_SUBST([POSIX_SHELL])
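diff --git a/meta/recipes-support/gnutls/gnutls_3.6.8.bb b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
index c927063f0a..2ed012f9d6 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.8.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
@@ -19,11 +19,14 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
  file://arm_eabi.patch \
- file://posix-shell.patch \
+ file://CVE-2020-13777-a.patch \
+ file://CVE-2020-13777-b.patch \
+ file://CVE-2020-13777-c.patch \
+ file://CVE-2020-24659.patch \
 "
 
-SRC_URI[md5sum] = "9dcf0aa45d1a42e1b3ca5d39ec7c61a8"
-SRC_URI[sha256sum] = "aa81944e5635de981171772857e72be231a7e0f559ae0292d2737de475383e83"
+SRC_URI[md5sum] = "bb1fe696a11543433785b4fc70ca225f"
+SRC_URI[sha256sum] = "32041df447d9f4644570cf573c9f60358e865637d69b7e59d1159b7240b52f38"
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
 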
diff --git a/meta/recipes-support/icu/icu/CVE-2020-10531.patch b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
new file mode 100644
index 0000000000..56303fc0f2
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
@@ -0,0 +1,122 @@
1From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
2From: Frank Tang <ftang@chromium.org>
3Date: Sat, 1 Feb 2020 02:39:04 +0000
4Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
5
6See #971
7
8Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca]
9CVE: CVE-2020-10531
10Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
11---
12 icu4c/source/common/unistr.cpp | 6 ++-
13 icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
14 icu4c/source/test/intltest/ustrtest.h | 1 +
15 3 files changed, 68 insertions(+), 1 deletion(-)
16
17diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp
18index 901bb3358ba..077b4d6ef20 100644
19--- a/icu4c/source/common/unistr.cpp
20+++ b/icu4c/source/common/unistr.cpp
21@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
22 }
23
24 int32_t oldLength = length();
25- int32_t newLength = oldLength + srcLength;
26+ int32_t newLength;
27+ if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
28+ setToBogus();
29+ return *this;
30+ }
31
32 // Check for append onto ourself
33 const UChar* oldArray = getArrayStart();
34diff --git a/icu4c/source/test/intltest/ustrtest.cpp b/icu4c/source/test/intltest/ustrtest.cpp
35index b6515ea813c..ad38bdf53a3 100644
36--- a/icu4c/source/test/intltest/ustrtest.cpp
37+++ b/icu4c/source/test/intltest/ustrtest.cpp
38@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
39 TESTCASE_AUTO(TestWCharPointers);
40 TESTCASE_AUTO(TestNullPointers);
41 TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
42+ TESTCASE_AUTO(TestLargeAppend);
43 TESTCASE_AUTO_END;
44 }
45
46@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
47 str.insert(2, sub);
48 assertEquals("", u"abbcdcde", str);
49 }
50+
51+void UnicodeStringTest::TestLargeAppend() {
52+ if(quick) return;
53+
54+ IcuTestErrorCode status(*this, "TestLargeAppend");
55+ // Make a large UnicodeString
56+ int32_t len = 0xAFFFFFF;
57+ UnicodeString str;
58+ char16_t *buf = str.getBuffer(len);
59+ // A fast way to set buffer to valid Unicode.
60+ // 4E4E is a valid unicode character
61+ uprv_memset(buf, 0x4e, len * 2);
62+ str.releaseBuffer(len);
63+ UnicodeString dest;
64+ // Append it 16 times
65+ // 0xAFFFFFF times 16 is 0xA4FFFFF1,
66+ // which is greater than INT32_MAX, which is 0x7FFFFFFF.
67+ int64_t total = 0;
68+ for (int32_t i = 0; i < 16; i++) {
69+ dest.append(str);
70+ total += len;
71+ if (total <= INT32_MAX) {
72+ assertFalse("dest is not bogus", dest.isBogus());
73+ } else {
74+ assertTrue("dest should be bogus", dest.isBogus());
75+ }
76+ }
77+ dest.remove();
78+ total = 0;
79+ for (int32_t i = 0; i < 16; i++) {
80+ dest.append(str);
81+ total += len;
82+ if (total + len <= INT32_MAX) {
83+ assertFalse("dest is not bogus", dest.isBogus());
84+ } else if (total <= INT32_MAX) {
85+ // Check that a string of exactly the maximum size works
86+ UnicodeString str2;
87+ int32_t remain = INT32_MAX - total;
88+ char16_t *buf2 = str2.getBuffer(remain);
89+ if (buf2 == nullptr) {
90+ // if somehow memory allocation fail, return the test
91+ return;
92+ }
93+ uprv_memset(buf2, 0x4e, remain * 2);
94+ str2.releaseBuffer(remain);
95+ dest.append(str2);
96+ total += remain;
97+ assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
98+ assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
99+ assertFalse("dest is not bogus", dest.isBogus());
100+
101+ // Check that a string size+1 goes bogus
102+ str2.truncate(1);
103+ dest.append(str2);
104+ total++;
105+ assertTrue("dest should be bogus", dest.isBogus());
106+ } else {
107+ assertTrue("dest should be bogus", dest.isBogus());
108+ }
109+ }
110+}
111diff --git a/icu4c/source/test/intltest/ustrtest.h b/icu4c/source/test/intltest/ustrtest.h
112index 218befdcc68..4a356a92c7a 100644
113--- a/icu4c/source/test/intltest/ustrtest.h
114+++ b/icu4c/source/test/intltest/ustrtest.h
115@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
116 void TestWCharPointers();
117 void TestNullPointers();
118 void TestUnicodeStringInsertAppendToSelf();
119+ void TestLargeAppend();
120 };
121
122 #endif
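Review bot: The explanatory comment in TestLargeAppend miscalculates the product: 0xAFFFFFF times 16 is 0xAFFFFFF0, not 0xA4FFFFF1, although the conclusion that it exceeds INT32_MAX (0x7FFFFFFF) still holds; I would correct it to `// 0xAFFFFFF times 16 is 0xAFFFFFF0,` while noting that this is a verbatim upstream backport, so the wording is best fixed upstream rather than diverging here. The test itself is only skipped under `quick`; the buffer for `str` is about 0xAFFFFFF*2 bytes and `dest` grows towards INT32_MAX UChars before going bogus, so if intltest is ever run on a memory-constrained target this case is likely to be killed rather than fail cleanly. The core fix in doAppend (overflow-checked `newLength`, `setToBogus()` on overflow) matches the existing bogus-state convention of unistr.cpp; the rest of doAppend lies outside the hunk.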
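--- a/meta/recipes-support/icu/icu_64.2.bb
+++ b/meta/recipes-support/icu/icu_64.2.bb
@@ -6,18 +6,24 @@ def icu_download_version(d):
  pvsplit = d.getVar('PV').split('.')
  return pvsplit[0] + "_" + pvsplit[1]
 
+def icu_download_folder(d):
+ pvsplit = d.getVar('PV').split('.')
+ return pvsplit[0] + "-" + pvsplit[1]
+
 ICU_PV = "${@icu_download_version(d)}"
+ICU_FOLDER = "${@icu_download_folder(d)}"
 
 # http://errors.yoctoproject.org/Errors/Details/20486/
 ARM_INSTRUCTION_SET_armv4 = "arm"
 ARM_INSTRUCTION_SET_armv5 = "arm"
 
-BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-${ICU_PV}-src.tgz"
+BASE_SRC_URI = "https://github.com/unicode-org/icu/releases/download/release-${ICU_FOLDER}/icu4c-${ICU_PV}-src.tgz"
 SRC_URI = "${BASE_SRC_URI} \
  file://icu-pkgdata-large-cmd.patch \
  file://fix-install-manx.patch \
  file://0001-Fix-big-endian-build.patch \
  file://0001-icu-Added-armeb-support.patch \
+ file://CVE-2020-10531.patch;striplevel=3 \
  "
 
 SRC_URI_append_class-target = "\
@@ -26,5 +32,5 @@ SRC_URI_append_class-target = "\
 SRC_URI[md5sum] = "a3d18213beec454e3cdec9a3116d6b05"
 SRC_URI[sha256sum] = "627d5d8478e6d96fc8c90fed4851239079a561a6a8b9e48b0892f24e82d31d6c"
 
-UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
-UPSTREAM_CHECK_URI = "http://download.icu-project.org/files/icu4c/"
+UPSTREAM_CHECK_REGEX = "icu4c-(?P<pver>\d+(_\d+)+)-src"
+UPSTREAM_CHECK_URI = "https://github.com/unicode-org/icu/releases"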
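--- a/meta/recipes-support/iso-codes/iso-codes_4.3.bb
+++ b/meta/recipes-support/iso-codes/iso-codes_4.3.bb
@@ -5,7 +5,7 @@ BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues"
 LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
 
-SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http"
+SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http;branch=main;"
 SRCREV = "43398a317371e309361ce43072603863cb2f57e1"
 
 # inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which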
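Review bot: The SRC_URI line being touched still fetches over `protocol=http`, so the clone travels in cleartext; SRCREV pins the commit, which limits the damage to a fetch failure or a mismatched hash, but `protocol=https` would remove the plaintext transport since salsa.debian.org serves git over HTTPS. The new `branch=main;` also ends with a stray semicolon that produces an empty URL parameter; bitbake's URL decoder appears to skip empty segments, but it is cleaner to drop it: `SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=https;branch=main"`.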
diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
new file mode 100644
index 0000000000..06b8b46c21
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
1From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
2From: Dan Fandrich <dan@coneharvesters.com>
3Date: Sat, 16 May 2020 19:32:30 +0200
4Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
5
6 subtags.
7
8A malicious file could be crafted to cause extremely large values in some
9tags without tripping any buffer range checks. This is bad with the libexif
10representation of Canon MakerNotes because some arrays are turned into
11individual tags that the application must loop around.
12
13The largest value I've seen for failsafe_size in a (very small) sample of valid
14Canon files is <5000. The limit is set two orders of magnitude larger to avoid
15tripping up falsely in case some models use much larger values.
16
17Patch from Google.
18
19CVE-2020-13114
20
21Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
22CVE: CVE-2020-13114
23Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
24---
25 libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
26 1 file changed, 21 insertions(+)
27
28diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
29index eb53598..72fd7a3 100644
30--- a/libexif/canon/exif-mnote-data-canon.c
31+++ b/libexif/canon/exif-mnote-data-canon.c
32@@ -32,6 +32,9 @@
33
34 #define DEBUG
35
36+/* Total size limit to prevent abuse by DoS */
37+#define FAILSAFE_SIZE_MAX 1000000L
38+
39 static void
40 exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
41 {
42@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
43 ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
44 ExifShort c;
45 size_t i, tcount, o, datao;
46+ long failsafe_size = 0;
47
48 if (!n || !buf || !buf_size) {
49 exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
50@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
51 memcpy (n->entries[tcount].data, buf + dataofs, s);
52 }
53
54+ /* Track the size of decoded tag data. A malicious file could
55+ * be crafted to cause extremely large values here without
56+ * tripping any buffer range checks. This is especially bad
57+ * with the libexif representation of Canon MakerNotes because
58+ * some arrays are turned into individual tags that the
59+ * application must loop around. */
60+ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
61+
62+ if (failsafe_size > FAILSAFE_SIZE_MAX) {
63+ /* Abort if the total size of the data in the tags extraordinarily large, */
64+ exif_mem_free (ne->mem, n->entries[tcount].data);
65+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
66+ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
67+ failsafe_size, FAILSAFE_SIZE_MAX);
68+ break;
69+ }
70+
71 /* Tag was successfully parsed */
72 ++tcount;
73 }
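Review bot: The new log call prints `failsafe_size`, declared as `long`, with `%lu`, so the format and argument types disagree; the value is always non-negative here so nothing goes wrong in practice, but it is technically undefined and trips -Wformat, and `"Failsafe tag size overflow (%ld > %ld)"` is the matching spec. The comment on the abort branch also lacks a verb (`/* Abort if the total size of the data in the tags is extraordinarily large */`). Both come straight from the upstream commit, so fixing them here diverges from the backport; raising them upstream and refreshing later is the cleaner route. The loop around the failsafe check and the `break` target lie outside the shown hunks.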
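--- a/meta/recipes-support/libexif/libexif_0.6.21.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.21.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
  file://CVE-2017-7544.patch \
  file://CVE-2016-6328.patch \
- file://CVE-2018-20030.patch"
+ file://CVE-2018-20030.patch \
+ file://CVE-2020-13114.patch \
+"
 
 SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
 SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"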
diff --git a/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch b/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch
new file mode 100644
index 0000000000..183512fd7d
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch
@@ -0,0 +1,41 @@
1--- pcre-8.43/pcre_compile.c 2020-07-05 22:26:25.310501521 +0530
2+++ pcre-8.43/pcre_compile1.c 2020-07-05 22:30:22.254489562 +0530
3
4CVE: CVE-2020-14155
5Upstream-Status: Backport [https://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?view=patch&r1=1761&r2=1760&pathrev=1761]
6Signed-off-by: Rahul Taya<Rahul.Taya@kpit.com>
7
8@@ -6,7 +6,7 @@
9 and semantics are as close as possible to those of the Perl 5 language.
10
11 Written by Philip Hazel
12- Copyright (c) 1997-2018 University of Cambridge
13+ Copyright (c) 1997-2020 University of Cambridge
14
15 -----------------------------------------------------------------------------
16 Redistribution and use in source and binary forms, with or without
17@@ -7130,17 +7130,19 @@
18 int n = 0;
19 ptr++;
20 while(IS_DIGIT(*ptr))
21+ {
22 n = n * 10 + *ptr++ - CHAR_0;
23+ if (n > 255)
24+ {
25+ *errorcodeptr = ERR38;
26+ goto FAILED;
27+ }
28+ }
29 if (*ptr != CHAR_RIGHT_PARENTHESIS)
30 {
31 *errorcodeptr = ERR39;
32 goto FAILED;
33 }
34- if (n > 255)
35- {
36- *errorcodeptr = ERR38;
37- goto FAILED;
38- }
39 *code++ = n;
40 PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
41 PUT(code, LINK_SIZE, 0); /* Default length */
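Review bot: The `+++` header names `pcre-8.43/pcre_compile1.c` while the `---` header names `pcre_compile.c`, and the `CVE:`/`Upstream-Status:`/`Signed-off-by:` lines sit between that header and the first `@@` hunk; GNU patch tolerates this and settles on the existing file, but stricter tools such as `git apply` may not, so the metadata belongs above the `---` line and the `+++` path should read `+++ pcre-8.43/pcre_compile.c`. The first hunk changes only the copyright year, which is noise for a CVE backport and could be dropped. The functional change is sound: moving the `n > 255` check inside the digit loop stops `n` from overflowing on a long run of digits before the old post-loop check ran. The enclosing function and the `FAILED` label are outside the hunk.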
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2019-20454.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2019-20454.patch
new file mode 100644
index 0000000000..51f95a7097
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2019-20454.patch
@@ -0,0 +1,19 @@
1Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_jit_compile.c?r1=1092&r2=1091&pathrev=1092]
2CVE: CVE-2020-8002
3Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
4
5--- pcre2-10.30/src/pcre2_jit_compile.c 2019/05/13 16:26:17 1091
6+++ pcre2-10.30/src/pcre2_jit_compile.c 2019/05/13 16:38:18 1092
7@@ -8571,7 +8571,10 @@
8 PCRE2_SPTR bptr;
9 uint32_t c;
10
11-GETCHARINC(c, cc);
12+/* Patch by PH */
13+/* GETCHARINC(c, cc); */
14+
15+c = *cc++;
16 #if PCRE2_CODE_UNIT_WIDTH == 32
17 if (c >= 0x110000)
18 return NULL;
19
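Review bot: The file is named CVE-2019-20454.patch and the recipe lists it under that name, but the header tag reads `CVE: CVE-2020-8002`; cve-check keys off the `CVE:` line, so as written CVE-2019-20454 will not be reported as patched even though the recipe carries the fix. Whichever id is the correct one for this pcre2_jit_compile.c change, the filename and the tag should agree, and if both ids apply the header can carry two `CVE:` lines. The `Upstream-Status: Backport` URL already points at the exact revision, so the ids can be verified against it before choosing.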
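--- a/meta/recipes-support/libpcre/libpcre2_10.33.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.33.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37"
 
 SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
  file://pcre-cross.patch \
+ file://CVE-2019-20454.patch \
 "
 
 SRC_URI[md5sum] = "80b355f2dce909a2e2424f5c79eddb44"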
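--- a/meta/recipes-support/libpcre/libpcre_8.43.bb
+++ b/meta/recipes-support/libpcre/libpcre_8.43.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \
  file://out-of-tree.patch \
  file://run-ptest \
  file://Makefile \
+ file://CVE-2020-14155.patch \
 "
 
 SRC_URI[md5sum] = "636222e79e392c3d95dcc545f24f98c4"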
diff --git a/meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch b/meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch
new file mode 100644
index 0000000000..517c277ae0
--- /dev/null
+++ b/meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch
@@ -0,0 +1,110 @@
1From 5942c26888ba12ad5e0d92fb62f23d7cde6dc159 Mon Sep 17 00:00:00 2001
2From: Ovidiu Panait <ovidiu.panait@windriver.com>
3Date: Mon, 13 Jul 2020 06:25:56 +0000
4Subject: [PATCH] Bug 1631576 - Force a fixed length for DSA exponentiation
5 r=pereida,bbrumley
6
7Differential Revision: https://phabricator.services.mozilla.com/D72011
8
9Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e]
10
11Authored-by: Robert Relyea <rrelyea@redhat.com>
12Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
13---
14 nss/lib/freebl/dsa.c | 45 ++++++++++++++++++++++++++++++++++----------
15 1 file changed, 35 insertions(+), 10 deletions(-)
16
17diff --git a/nss/lib/freebl/dsa.c b/nss/lib/freebl/dsa.c
18index aef3539..389c9de 100644
19--- a/nss/lib/freebl/dsa.c
20+++ b/nss/lib/freebl/dsa.c
21@@ -313,13 +313,14 @@ DSA_NewKeyFromSeed(const PQGParams *params,
22
23 static SECStatus
24 dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
25- const unsigned char *kb)
26+ const unsigned char *kbytes)
27 {
28 mp_int p, q, g; /* PQG parameters */
29 mp_int x, k; /* private key & pseudo-random integer */
30 mp_int r, s; /* tuple (r, s) is signature) */
31 mp_int t; /* holding tmp values */
32 mp_int ar; /* holding blinding values */
33+ mp_digit fuzz; /* blinding multiplier for q */
34 mp_err err = MP_OKAY;
35 SECStatus rv = SECSuccess;
36 unsigned int dsa_subprime_len, dsa_signature_len, offset;
37@@ -373,6 +374,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
38 CHECK_MPI_OK(mp_init(&s));
39 CHECK_MPI_OK(mp_init(&t));
40 CHECK_MPI_OK(mp_init(&ar));
41+
42 /*
43 ** Convert stored PQG and private key into MPI integers.
44 */
45@@ -380,14 +382,28 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
46 SECITEM_TO_MPINT(key->params.subPrime, &q);
47 SECITEM_TO_MPINT(key->params.base, &g);
48 SECITEM_TO_MPINT(key->privateValue, &x);
49- OCTETS_TO_MPINT(kb, &k, dsa_subprime_len);
50+ OCTETS_TO_MPINT(kbytes, &k, dsa_subprime_len);
51+
52+ /* k blinding create a single value that has the high bit set in
53+ * the mp_digit*/
54+ if (RNG_GenerateGlobalRandomBytes(&fuzz, sizeof(mp_digit)) != SECSuccess) {
55+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
56+ rv = SECFailure;
57+ goto cleanup;
58+ }
59+ fuzz |= 1ULL << ((sizeof(mp_digit) * PR_BITS_PER_BYTE - 1));
60 /*
61 ** FIPS 186-1, Section 5, Step 1
62 **
63 ** r = (g**k mod p) mod q
64 */
65- CHECK_MPI_OK(mp_exptmod(&g, &k, &p, &r)); /* r = g**k mod p */
66- CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */
67+ CHECK_MPI_OK(mp_mul_d(&q, fuzz, &t)); /* t = q*fuzz */
68+ CHECK_MPI_OK(mp_add(&k, &t, &t)); /* t = k+q*fuzz */
69+ /* length of t is now fixed, bits in k have been blinded */
70+ CHECK_MPI_OK(mp_exptmod(&g, &t, &p, &r)); /* r = g**t mod p */
71+ /* r is now g**(k+q*fuzz) == g**k mod p */
72+ CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */
73+
74 /*
75 ** FIPS 186-1, Section 5, Step 2
76 **
77@@ -411,15 +427,24 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
78 /* Using mp_invmod on k directly would leak bits from k. */
79 CHECK_MPI_OK(mp_mul(&k, &ar, &k)); /* k = k * ar */
80 CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
81- CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
82+ /* k is now k*t*ar */
83+ CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
84+ /* k is now (k*t*ar)**-1 */
85 CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
86- SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
87+ /* k is now (k*ar)**-1 */
88+ SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
89 /* To avoid leaking secret bits here the addition is blinded. */
90- CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
91- CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
92+ CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
93+ /* x is now x*ar */
94+ CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
95+ /* x is now x*r*ar */
96 CHECK_MPI_OK(mp_mulmod(&s, &ar, &q, &t)); /* t = s * ar mod q */
97- CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
98- CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
99+ /* t is now hash(M)*ar */
100+ CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
101+ /* s is now (HASH(M)+x*r)*ar */
102+ CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
103+ /* s is now (HASH(M)+x*r)*ar*(k*ar)**-1 = (k**-1)*(HASH(M)+x*r) */
104+
105 /*
106 ** verify r != 0 and s != 0
107 ** mentioned as optional in FIPS 186-1.
108--
1092.18.1
110
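Review bot: The patch header carries `Upstream-Status: Backport` but no `CVE:` line, although Bug 1631576 is a side-channel hardening of dsa_SignDigest (the exponent is blinded to a fixed length before mp_exptmod); if a CVE id has been assigned to that bug, add `CVE: <CVE-ID-PLACEHOLDER>` under the Upstream-Status line so cve-check can mark it patched, otherwise a one-line remark that none is assigned saves the next reviewer the lookup. The comment introducing the blinding is also hard to parse; `/* k blinding: create a single value that has the high bit set in the mp_digit */` reads better. The middle of dsa_SignDigest, including where `t` is reassigned before the Step-2 hunk, is outside the shown hunks.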
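--- a/meta/recipes-support/nss/nss_3.45.bb
+++ b/meta/recipes-support/nss/nss_3.45.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
  file://blank-cert9.db \
  file://blank-key4.db \
  file://system-pkcs11.txt \
+ file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
  "
 
 SRC_URI[md5sum] = "f1752d7223ee9d910d551e57264bafa8"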
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-11655.patch b/meta/recipes-support/sqlite/files/CVE-2020-11655.patch
new file mode 100644
index 0000000000..c2360cb867
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-11655.patch
@@ -0,0 +1,32 @@
1From a4601326d61bf1a11151ac6b78b50804bfd03b4d Mon Sep 17 00:00:00 2001
2From: Sakib Sajal <sakib.sajal@windriver.com>
3Date: Thu, 30 Apr 2020 10:46:16 -0700
4Subject: [PATCH 2/2] In the event of a semantic error in an aggregate query,
5 early-out the resetAccumulator() function to prevent problems due to
6 incomplete or incorrect initialization of the AggInfo object. Fix for ticket
7 [af4556bb5c285c08].
8
9FossilOrigin-Name: 4a302b42c7bf5e11ddb5522ca999f74aba397d3a7eb91b1844bb02852f772441
10Upstream-Status: Backport [c415d91007e1680e4eb17def583b202c3c83c718]
11
12CVE: CVE-2020-11655
13Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
14---
15 sqlite3.c | 1 +
16 1 file changed, 1 insertion(+)
17
18diff --git a/sqlite3.c b/sqlite3.c
19index 1df6633..726adf7 100644
20--- a/sqlite3.c
21+++ b/sqlite3.c
22@@ -133242,6 +133242,7 @@ static void resetAccumulator(Parse *pParse, AggInfo *pAggInfo){
23 struct AggInfo_func *pFunc;
24 int nReg = pAggInfo->nFunc + pAggInfo->nColumn;
25 if( nReg==0 ) return;
26+ if( pParse->nErr ) return;
27 #ifdef SQLITE_DEBUG
28 /* Verify that all AggInfo registers are within the range specified by
29 ** AggInfo.mnReg..AggInfo.mxReg */
30--
312.17.1
32
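Review bot: This patch lands in `sqlite/files/` while every other new sqlite patch in this commit goes to `sqlite/sqlite3/`; both directories are only searched if the recipe's FILESPATH covers them, so either the recipe change (not shown here) accounts for it or the file should move next to the others. The subject says `[PATCH 2/2]` but no companion 1/2 is visible in this diff, and `Upstream-Status: Backport [c415d91007e1680e4eb17def583b202c3c83c718]` gives a bare hash where the convention is a URL to the upstream check-in, which here could be the FossilOrigin link. The one-line early return on `pParse->nErr` is correct as far as the hunk shows; the remainder of resetAccumulator lies outside it.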
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch
new file mode 100644
index 0000000000..3f70979acc
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch
@@ -0,0 +1,33 @@
1CVE: CVE-2019-19244
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From 0f690d4ae5ffe656762fdbb7f36cc4c2dcbb2d9d Mon Sep 17 00:00:00 2001
6From: dan <dan@noemail.net>
7Date: Fri, 22 Nov 2019 10:14:01 +0000
8Subject: [PATCH] Fix a crash that could occur if a sub-select that uses both
9 DISTINCT and window functions also used an ORDER BY that is the same as its
10 select list.
11
12Amalgamation version of the patch:
13FossilOrigin-Name: bcdd66c1691955c697f3d756c2b035acfe98f6aad72e90b0021bab6e9023b3ba
14---
15 sqlite3.c | 5 +++--
16 sqlite3.h | 2 +-
17 2 files changed, 4 insertions(+), 3 deletions(-)
18
19diff --git a/sqlite3.c b/sqlite3.c
20index 8fd740b..db1c649 100644
21--- a/sqlite3.c
22+++ b/sqlite3.c
23@@ -131679,6 +131679,7 @@ SQLITE_PRIVATE int sqlite3Select(
24 */
25 if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct
26 && sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0
27+ && p->pWin==0
28 ){
29 p->selFlags &= ~SF_Distinct;
30 pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0);
31--
322.24.1
33
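Review bot: The patch's own diffstat still lists `sqlite3.h | 2 +-` and says `2 files changed`, but no sqlite3.h hunk follows, so the stat block is stale after the backport was trimmed to the functional hunk. The same applies to CVE-2019-19924, CVE-2019-19925, CVE-2019-19926 and CVE-2019-19959 (the last two also list sqlite3.c hunks that are absent). `patch` ignores the stat block, so nothing breaks, but regenerating it or removing it stops a reader from hunting for the missing hunk.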
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch
new file mode 100644
index 0000000000..b1b866b250
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch
@@ -0,0 +1,50 @@
1CVE: CVE-2019-19923
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From b64463719dc53bde98b0ce3930b10a32560c3a02 Mon Sep 17 00:00:00 2001
6From: "D. Richard Hipp" <drh@hwaci.com>
7Date: Wed, 18 Dec 2019 20:51:58 +0000
8Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of
9 check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
10 query is DISTINCT. Without this fix, if an index scan is run on the table
11 within the view on the right-hand side of the LEFT JOIN, stale result
12 registers might be accessed yielding incorrect results, and/or an
13 OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
14 NULL-pointer dereference. This problem was found by the Yongheng and Rui
15 fuzzer.
16
17FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
18---
19 sqlite3.c | 10 +++++++---
20 1 file changed, 7 insertions(+), 3 deletions(-)
21
22diff --git a/sqlite3.c b/sqlite3.c
23index d29da07..5bc06c8 100644
24--- a/sqlite3.c
25+++ b/sqlite3.c
26@@ -129216,6 +129216,7 @@ static void substSelect(
27 ** (3b) the FROM clause of the subquery may not contain a virtual
28 ** table and
29 ** (3c) the outer query may not be an aggregate.
30+** (3d) the outer query may not be DISTINCT.
31 **
32 ** (4) The subquery can not be DISTINCT.
33 **
34@@ -129412,8 +129413,11 @@ static int flattenSubquery(
35 */
36 if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){
37 isLeftJoin = 1;
38- if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){
39- /* (3a) (3c) (3b) */
40+ if( pSubSrc->nSrc>1 /* (3a) */
41+ || isAgg /* (3b) */
42+ || IsVirtual(pSubSrc->a[0].pTab) /* (3c) */
43+ || (p->selFlags & SF_Distinct)!=0 /* (3d) */
44+ ){
45 return 0;
46 }
47 }
48--
492.24.1
50
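Review bot: The labels on the new condition are swapped relative to the documentation the same patch adds: the header comment defines (3b) as the virtual-table restriction and (3c) as the aggregate restriction, but the code annotates `isAgg` as `(3b)` and `IsVirtual(...)` as `(3c)`, whereas the removed line had them consistent. The two lines should read `|| isAgg /* (3c) */` and `|| IsVirtual(pSubSrc->a[0].pTab) /* (3b) */`. This is inherited from upstream, so it is worth reporting there too rather than only patching the backport. The rest of flattenSubquery is outside the hunk.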
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch
new file mode 100644
index 0000000000..80d5edbb0c
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch
@@ -0,0 +1,65 @@
1CVE: CVE-2019-19924
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From 854fe21e8a987f84da81f6bb9e90abc5355c6621 Mon Sep 17 00:00:00 2001
6From: "D. Richard Hipp" <drh@hwaci.com>
7Date: Thu, 19 Dec 2019 20:37:32 +0000
8Subject: [PATCH] When an error occurs while rewriting the parser tree for
9 window functions in the sqlite3WindowRewrite() routine, make sure that
10 pParse->nErr is set, and make sure that this shuts down any subsequent code
11 generation that might depend on the transformations that were implemented.
12 This fixes a problem discovered by the Yongheng and Rui fuzzer.
13
14Amalgamation format of backported patch
15FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f
16---
17 sqlite3.c | 16 +++++++++++-----
18 sqlite3.h | 2 +-
19 2 files changed, 12 insertions(+), 6 deletions(-)
20
21diff --git a/sqlite3.c b/sqlite3.c
22index 408ec4c..857c28e 100644
23--- a/sqlite3.c
24+++ b/sqlite3.c
25@@ -77798,7 +77798,8 @@ SQLITE_PRIVATE void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
26 */
27 static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
28 assert( p->nOp>0 || p->aOp==0 );
29- assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
30+ assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
31+ || p->pParse->nErr>0 );
32 if( p->nOp ){
33 assert( p->aOp );
34 sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
35@@ -97872,6 +97873,7 @@ static int codeCompare(
36 int addr;
37 CollSeq *p4;
38
39+ if( pParse->nErr ) return 0;
40 p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
41 p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
42 addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
43@@ -147627,7 +147629,7 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
44
45 pTab = sqlite3DbMallocZero(db, sizeof(Table));
46 if( pTab==0 ){
47- return SQLITE_NOMEM;
48+ return sqlite3ErrorToParser(db, SQLITE_NOMEM);
49 }
50
51 p->pSrc = 0;
52@@ -147731,6 +147733,10 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
53 sqlite3DbFree(db, pTab);
54 }
55
56+ if( rc && pParse->nErr==0 ){
57+ assert( pParse->db->mallocFailed );
58+ return sqlite3ErrorToParser(pParse->db, SQLITE_NOMEM);
59+ }
60 return rc;
61 }
62
63--
642.24.1
65
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch
new file mode 100644
index 0000000000..ffc2c6afff
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch
@@ -0,0 +1,33 @@
1CVE: CVE-2019-19925
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From e92580434d2cdca228649d32f76167492de4f512 Mon Sep 17 00:00:00 2001
6From: "D. Richard Hipp" <drh@hwaci.com>
7Date: Thu, 19 Dec 2019 15:15:40 +0000
8Subject: [PATCH] Fix the zipfile extension so that INSERT works even if the
9 pathname of the file being inserted is a NULL. Bug discovered by the
10 Yongheng and Rui fuzzer.
11
12FossilOrigin-Name: a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06
13---
14 shell.c | 1 +
15 sqlite3.c | 4 ++--
16 sqlite3.h | 2 +-
17 3 files changed, 4 insertions(+), 3 deletions(-)
18
19diff --git a/shell.c b/shell.c
20index 053180c..404a8d4 100644
21--- a/shell.c
22+++ b/shell.c
23@@ -5827,6 +5827,7 @@ static int zipfileUpdate(
24
25 if( rc==SQLITE_OK ){
26 zPath = (const char*)sqlite3_value_text(apVal[2]);
27+ if( zPath==0 ) zPath = "";
28 nPath = (int)strlen(zPath);
29 mTime = zipfileGetTime(apVal[4]);
30 }
31--
322.24.1
33
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch
new file mode 100644
index 0000000000..92bc7908bc
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch
@@ -0,0 +1,31 @@
1CVE: CVE-2019-19926
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@intel.com>
4
5From 4165b1e1e0001165ace9051a70f938099505eadc Mon Sep 17 00:00:00 2001
6From: "D. Richard Hipp" <drh@hwaci.com>
7Date: Thu, 19 Dec 2019 22:08:19 +0000
8Subject: [PATCH] Continuation of [e2bddcd4c55ba3cb]: Add another spot where it
9 is necessary to abort early due to prior errors in sqlite3WindowRewrite().
10
11FossilOrigin-Name: cba2a2a44cdf138a629109bb0ad088ed4ef67fc66bed3e0373554681a39615d2
12---
13 sqlite3.c | 7 ++++---
14 sqlite3.h | 2 +-
15 2 files changed, 5 insertions(+), 4 deletions(-)
16
17diff --git a/sqlite3.c b/sqlite3.c
18index 857c28e..19a474d 100644
19--- a/sqlite3.c
20+++ b/sqlite3.c
21@@ -128427,6 +128427,7 @@ static int multiSelect(
22 }
23 #endif
24 }
25+ if( pParse->nErr ) goto multi_select_end;
26
27 /* Compute collating sequences used by
28 ** temporary tables needed to implement the compound select.
29--
302.24.1
31
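diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch
new file mode 100644
index 0000000000..cba8ec9d30
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch
@@ -0,0 +1,46 @@
+CVE: CVE-2019-19959
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From f83f7e8141ee7cbbf7f2dc8985279a7372b259b6 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Mon, 23 Dec 2019 21:04:33 +0000
+Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that
+ it is able to deal with goofy filenames that contain embedded zeros.
+
+FossilOrigin-Name: cc0fb00a128fd0773db5ff7891f7aa577a3671d570166d2cbb30df922344adcf
+---
+ shell.c | 4 ++--
+ sqlite3.c | 4 ++--
+ sqlite3.h | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 404a8d4..48065e9 100644
+--- a/shell.c
++++ b/shell.c
+@@ -5841,7 +5841,7 @@ static int zipfileUpdate(
+ zFree = sqlite3_mprintf("%s/", zPath);
+ if( zFree==0 ){ rc = SQLITE_NOMEM; }
+ zPath = (const char*)zFree;
+- nPath++;
++ nPath = (int)strlen(zPath);
+ }
+ }
+
+@@ -6242,11 +6242,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){
+ }else{
+ if( zName[nName-1]!='/' ){
+ zName = zFree = sqlite3_mprintf("%s/", zName);
+- nName++;
+ if( zName==0 ){
+ rc = SQLITE_NOMEM;
+ goto zipfile_step_out;
+ }
++ nName = (int)strlen(zName);
+ }else{
+ while( nName>1 && zName[nName-2]=='/' ) nName--;
+ }
+--
+2.24.1
+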
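Review bot: The zipfileUpdate hunk dereferences a NULL pointer on allocation failure: `if( zFree==0 ){ rc = SQLITE_NOMEM; }` does not leave the block, `zPath` is then assigned from `zFree`, and the new `nPath = (int)strlen(zPath);` runs unconditionally, whereas the replaced `nPath++` never touched the pointer. The zipfileStep hunk below handles the same case correctly by jumping to `zipfile_step_out` before its `strlen`; the first hunk should be brought in line, e.g. `if( zFree==0 ){ rc = SQLITE_NOMEM; }else{ nPath = (int)strlen(zFree); }` with the separate `nPath = (int)strlen(zPath);` line removed and `zPath = (const char*)zFree;` kept as is. The patch's diffstat also lists sqlite3.c and sqlite3.h hunks that are not present in the file, presumably the SQLITE_SOURCE_ID bump that was dropped, so trim it to the shell.c entry. Both zipfileUpdate and zipfileStep start and end outside their hunks.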
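diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch
new file mode 100644
index 0000000000..fb6cd6df2d
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch
@@ -0,0 +1,31 @@
+CVE: CVE-2019-20218
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 6bbd76d34f29f61483791231f2ce579dcadab8a5 Mon Sep 17 00:00:00 2001
+From: Dan Kennedy <danielk1977@gmail.com>
+Date: Fri, 27 Dec 2019 20:54:42 +0000
+Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
+ following an error. This fixes a separate case to [de6e6d68].
+
+FossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92
+---
+ sqlite3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 5bc06c8..408ec4c 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -130570,7 +130570,7 @@ static int selectExpander(Walker *pWalker, Select *p){
+
+ /* Process NATURAL keywords, and ON and USING clauses of joins.
+ */
+- if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
++ if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+ return WRC_Abort;
+ }
+
+--
+2.24.1
+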
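Review bot: The commit message describes this guard as covering a second case "separate to [de6e6d68]", but none of the patches the recipe now lists is identified as that first fix; confirm that sqlite 3.29.0 already contains de6e6d68 or that one of the other CVE patches carries it, otherwise the original WITH-stack unwind path stays reachable and only this one site is closed. Recording the answer in the patch header, e.g. `Note: the earlier case [de6e6d68] is covered by <patch or release>`, would save the next backporter the same check. The change itself, adding `pParse->nErr ||` ahead of `db->mallocFailed` in selectExpander, matches the minimal upstream fix. selectExpander starts and ends outside the hunk.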
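diff --git a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
index 34066fbe89..95e1174b07 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
@@ -4,6 +4,15 @@ LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
 
 SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz \
- file://0001-Fix-CVE-2019-16168.patch"
+ file://0001-Fix-CVE-2019-16168.patch \
+ file://CVE-2019-19244.patch \
+ file://CVE-2019-19923.patch \
+ file://CVE-2019-19924.patch \
+ file://CVE-2019-19925.patch \
+ file://CVE-2019-19926.patch \
+ file://CVE-2019-19959.patch \
+ file://CVE-2019-20218.patch \
+ file://CVE-2020-11655.patch \
+"
 SRC_URI[md5sum] = "8f3dfe83387e62ecb91c7c5c09c688dc"
 SRC_URI[sha256sum] = "8e7c1e2950b5b04c5944a981cb31fffbf9d2ddda939d536838ebc854481afd5b"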
diff --git a/meta/recipes-support/vim/vim_8.1.1518.bb b/meta/recipes-support/vim/vim_8.1.1518.bb
index 60946a181f..709b6ddb55 100644
--- a/meta/recipes-support/vim/vim_8.1.1518.bb
+++ b/meta/recipes-support/vim/vim_8.1.1518.bb
@@ -8,3 +8,8 @@ BBCLASSEXTEND = "native"
8ALTERNATIVE_${PN}_append = " xxd" 8ALTERNATIVE_${PN}_append = " xxd"
9ALTERNATIVE_TARGET[xxd] = "${bindir}/xxd" 9ALTERNATIVE_TARGET[xxd] = "${bindir}/xxd"
10ALTERNATIVE_LINK_NAME[xxd] = "${bindir}/xxd" 10ALTERNATIVE_LINK_NAME[xxd] = "${bindir}/xxd"
11
12# We override the default in security_flags.inc because vim (not vim-tiny!) will abort
13# in many places for _FORTIFY_SOURCE=2. Security flags become part of CC.
14#
15lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=1',d)}"