3 files changed, 9 insertions, 182 deletions
diff --git a/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch b/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
deleted file mode 100644
index e26594d19b..0000000000
--- a/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
-Date: Wed, 14 Nov 2018 07:35:28 +0100
-Subject: extensions: format-security fixes in libip[6]t_icmp
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-introduced support for gcc feature to check format string against passed
-argument.  This commit adds missing bits to extenstions's libipt_icmp.c
-and libip6t_icmp6.c that were causing build to fail.
-Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Upstream-Status: Backport
---
- extensions/libip6t_icmp6.c | 4 ++--
- extensions/libipt_icmp.c   | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
-index 45a71875..cc7bfaeb 100644
--- a/extensions/libip6t_icmp6.c
-+++ b/extensions/libip6t_icmp6.c
-@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
-        type_name = icmp6_type_xlate(icmptype);
- 
-        if (type_name) {
-               xt_xlate_add(xl, type_name);
-+               xt_xlate_add(xl, "%s", type_name);
-        } else {
-                for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
-                        if (icmpv6_codes[i].type == icmptype &&
-@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
-                                break;
- 
-                if (i != ARRAY_SIZE(icmpv6_codes))
-                       xt_xlate_add(xl, icmpv6_codes[i].name);
-+                       xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
-                else
-                        return 0;
-        }
-diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
-index 54189976..e76257c5 100644
--- a/extensions/libipt_icmp.c
-+++ b/extensions/libipt_icmp.c
-@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
-                        if (icmp_codes[i].type == icmptype &&
-                            icmp_codes[i].code_min == code_min &&
-                            icmp_codes[i].code_max == code_max) {
-                               xt_xlate_add(xl, icmp_codes[i].name);
-+                               xt_xlate_add(xl, "%s", icmp_codes[i].name);
-                                return 1;
-                        }
-        }
-- 
-cgit v1.2.1
diff --git a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
deleted file mode 100644
index f67164fbcc..0000000000
--- a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 2ae1099a42e6a0f06de305ca13a842ac83d4683e Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Mon, 22 Apr 2019 23:17:27 +0200
-Subject: [PATCH] xshared: check for maximum buffer length in
- add_param_to_argv()
-Bail out if we go over the boundary, based on patch from Sebastian.
-Reported-by: Sebastian Neef <contact@0day.work>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Upstream-Status: Backport
-CVE: CVE-2019-11360
-Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
- iptables/xshared.c | 46 ++++++++++++++++++++++++++++------------------
- 1 file changed, 28 insertions(+), 18 deletions(-)
-diff --git a/iptables/xshared.c b/iptables/xshared.c
-index fb186fb1..36a2ec5f 100644
--- a/iptables/xshared.c
-+++ b/iptables/xshared.c
-@@ -433,10 +433,24 @@ void save_argv(void)
-        }
- }
- 
-+struct xt_param_buf {
-+       char    buffer[1024];
-+       int     len;
-+};
-+
-+static void add_param(struct xt_param_buf *param, const char *curchar)
-+{
-+       param->buffer[param->len++] = *curchar;
-+       if (param->len >= sizeof(param->buffer))
-+               xtables_error(PARAMETER_PROBLEM,
-+                             "Parameter too long!");
-+}
-+
- void add_param_to_argv(char *parsestart, int line)
- {
-       int quote_open = 0, escaped = 0, param_len = 0;
-       char param_buffer[1024], *curchar;
-+       int quote_open = 0, escaped = 0;
-+       struct xt_param_buf param = {};
-+       char *curchar;
- 
-        /* After fighting with strtok enough, here's now
-         * a 'real' parser. According to Rusty I'm now no
-@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
-        for (curchar = parsestart; *curchar; curchar++) {
-                if (quote_open) {
-                        if (escaped) {
-                               param_buffer[param_len++] = *curchar;
-+                               add_param(&param, curchar);
-                                escaped = 0;
-                                continue;
-                        } else if (*curchar == '\\') {
-@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
-                                quote_open = 0;
-                                *curchar = '"';
-                        } else {
-                               param_buffer[param_len++] = *curchar;
-+                               add_param(&param, curchar);
-                                continue;
-                        }
-                } else {
-@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
-                case ' ':
-                case '\t':
-                case '\n':
-                       if (!param_len) {
-+                       if (!param.len) {
-                                /* two spaces? */
-                                continue;
-                        }
-                        break;
-                default:
-                        /* regular character, copy to buffer */
-                       param_buffer[param_len++] = *curchar;
-
-                       if (param_len >= sizeof(param_buffer))
-                               xtables_error(PARAMETER_PROBLEM,
-                                             "Parameter too long!");
-+                       add_param(&param, curchar);
-                        continue;
-                }
- 
-               param_buffer[param_len] = '\0';
-+               param.buffer[param.len] = '\0';
- 
-                /* check if table name specified */
-               if ((param_buffer[0] == '-' &&
-                    param_buffer[1] != '-' &&
-                    strchr(param_buffer, 't')) ||
-                   (!strncmp(param_buffer, "--t", 3) &&
-                    !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
-+               if ((param.buffer[0] == '-' &&
-+                    param.buffer[1] != '-' &&
-+                    strchr(param.buffer, 't')) ||
-+                   (!strncmp(param.buffer, "--t", 3) &&
-+                    !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
-                        xtables_error(PARAMETER_PROBLEM,
-                                      "The -t option (seen in line %u) cannot be used in %s.\n",
-                                      line, xt_params->program_name);
-                }
- 
-               add_argv(param_buffer, 0);
-               param_len = 0;
-+               add_argv(param.buffer, 0);
-+               param.len = 0;
-        }
- }
- 
-- 
-2.17.1
diff --git a/meta/recipes-extended/iptables/iptables_1.8.2.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 8d8483d95c..6ac3fc60c5 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.2.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -10,12 +10,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
 SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
           file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
-           file://0003-extensions-format-security-fixes-in-libipt_icmp.patch  \
-           file://CVE-2019-11360.patch \
 "
-SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599"
+SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
-SRC_URI[sha256sum] = "a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af"
+SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
 inherit autotools pkgconfig
@@ -49,6 +47,13 @@ python populate_packages_prepend() {
 FILES_${PN} += "${datadir}/xtables"
+# Include the symlinks as well in respective packages
+FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
+FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
+INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
+INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
 ALLOW_EMPTY_${PN}-modules = "1"
 RDEPENDS_${PN} = "${PN}-module-xt-standard"

diff --git a/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch b/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch deleted file mode 100644 index e26594d19b..0000000000 --- a/meta/recipes-extended/iptables/iptables/0003-extensions-format-security-fixes-in-libipt_icmp.patch +++ /dev/null
@@ -1,61 +0,0 @@
1	From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
3	Date: Wed, 14 Nov 2018 07:35:28 +0100
4	Subject: extensions: format-security fixes in libip[6]t_icmp
5	MIME-Version: 1.0
6	Content-Type: text/plain; charset=UTF-8
7	Content-Transfer-Encoding: 8bit
8
9	commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
10	introduced support for gcc feature to check format string against passed
11	argument. This commit adds missing bits to extenstions's libipt_icmp.c
12	and libip6t_icmp6.c that were causing build to fail.
13
14	Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
15	Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
16	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
17
18	Upstream-Status: Backport
19	---
20	extensions/libip6t_icmp6.c \| 4 ++--
21	extensions/libipt_icmp.c \| 2 +-
22	2 files changed, 3 insertions(+), 3 deletions(-)
23
24	diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
25	index 45a71875..cc7bfaeb 100644
26	--- a/extensions/libip6t_icmp6.c
27	+++ b/extensions/libip6t_icmp6.c
28	@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
29	type_name = icmp6_type_xlate(icmptype);
30
31	if (type_name) {
32	- xt_xlate_add(xl, type_name);
33	+ xt_xlate_add(xl, "%s", type_name);
34	} else {
35	for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
36	if (icmpv6_codes[i].type == icmptype &&
37	@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
38	break;
39
40	if (i != ARRAY_SIZE(icmpv6_codes))
41	- xt_xlate_add(xl, icmpv6_codes[i].name);
42	+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
43	else
44	return 0;
45	}
46	diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
47	index 54189976..e76257c5 100644
48	--- a/extensions/libipt_icmp.c
49	+++ b/extensions/libipt_icmp.c
50	@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
51	if (icmp_codes[i].type == icmptype &&
52	icmp_codes[i].code_min == code_min &&
53	icmp_codes[i].code_max == code_max) {
54	- xt_xlate_add(xl, icmp_codes[i].name);
55	+ xt_xlate_add(xl, "%s", icmp_codes[i].name);
56	return 1;
57	}
58	}
59	--
60	cgit v1.2.1
61


diff --git a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch b/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch deleted file mode 100644 index f67164fbcc..0000000000 --- a/meta/recipes-extended/iptables/iptables/CVE-2019-11360.patch +++ /dev/null
@@ -1,117 +0,0 @@
1	From 2ae1099a42e6a0f06de305ca13a842ac83d4683e Mon Sep 17 00:00:00 2001
2	From: Pablo Neira Ayuso <pablo@netfilter.org>
3	Date: Mon, 22 Apr 2019 23:17:27 +0200
4	Subject: [PATCH] xshared: check for maximum buffer length in
5	add_param_to_argv()
6
7	Bail out if we go over the boundary, based on patch from Sebastian.
8
9	Reported-by: Sebastian Neef <contact@0day.work>
10	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
11
12	Upstream-Status: Backport
13	CVE: CVE-2019-11360
14	Signed-off-by: Li Zhou <li.zhou@windriver.com>
15	---
16	iptables/xshared.c \| 46 ++++++++++++++++++++++++++++------------------
17	1 file changed, 28 insertions(+), 18 deletions(-)
18
19	diff --git a/iptables/xshared.c b/iptables/xshared.c
20	index fb186fb1..36a2ec5f 100644
21	--- a/iptables/xshared.c
22	+++ b/iptables/xshared.c
23	@@ -433,10 +433,24 @@ void save_argv(void)
24	}
25	}
26
27	+struct xt_param_buf {
28	+ char buffer[1024];
29	+ int len;
30	+};
31	+
32	+static void add_param(struct xt_param_buf param, const char curchar)
33	+{
34	+ param->buffer[param->len++] = *curchar;
35	+ if (param->len >= sizeof(param->buffer))
36	+ xtables_error(PARAMETER_PROBLEM,
37	+ "Parameter too long!");
38	+}
39	+
40	void add_param_to_argv(char *parsestart, int line)
41	{
42	- int quote_open = 0, escaped = 0, param_len = 0;
43	- char param_buffer[1024], *curchar;
44	+ int quote_open = 0, escaped = 0;
45	+ struct xt_param_buf param = {};
46	+ char *curchar;
47
48	/* After fighting with strtok enough, here's now
49	* a 'real' parser. According to Rusty I'm now no
50	@@ -445,7 +459,7 @@ void add_param_to_argv(char *parsestart, int line)
51	for (curchar = parsestart; *curchar; curchar++) {
52	if (quote_open) {
53	if (escaped) {
54	- param_buffer[param_len++] = *curchar;
55	+ add_param(&param, curchar);
56	escaped = 0;
57	continue;
58	} else if (*curchar == '\\') {
59	@@ -455,7 +469,7 @@ void add_param_to_argv(char *parsestart, int line)
60	quote_open = 0;
61	*curchar = '"';
62	} else {
63	- param_buffer[param_len++] = *curchar;
64	+ add_param(&param, curchar);
65	continue;
66	}
67	} else {
68	@@ -471,36 +485,32 @@ void add_param_to_argv(char *parsestart, int line)
69	case ' ':
70	case '\t':
71	case '\n':
72	- if (!param_len) {
73	+ if (!param.len) {
74	/* two spaces? */
75	continue;
76	}
77	break;
78	default:
79	/* regular character, copy to buffer */
80	- param_buffer[param_len++] = *curchar;
81	-
82	- if (param_len >= sizeof(param_buffer))
83	- xtables_error(PARAMETER_PROBLEM,
84	- "Parameter too long!");
85	+ add_param(&param, curchar);
86	continue;
87	}
88
89	- param_buffer[param_len] = '\0';
90	+ param.buffer[param.len] = '\0';
91
92	/* check if table name specified */
93	- if ((param_buffer[0] == '-' &&
94	- param_buffer[1] != '-' &&
95	- strchr(param_buffer, 't')) \|\|
96	- (!strncmp(param_buffer, "--t", 3) &&
97	- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
98	+ if ((param.buffer[0] == '-' &&
99	+ param.buffer[1] != '-' &&
100	+ strchr(param.buffer, 't')) \|\|
101	+ (!strncmp(param.buffer, "--t", 3) &&
102	+ !strncmp(param.buffer, "--table", strlen(param.buffer)))) {
103	xtables_error(PARAMETER_PROBLEM,
104	"The -t option (seen in line %u) cannot be used in %s.\n",
105	line, xt_params->program_name);
106	}
107
108	- add_argv(param_buffer, 0);
109	- param_len = 0;
110	+ add_argv(param.buffer, 0);
111	+ param.len = 0;
112	}
113	}
114
115	--
116	2.17.1
117


diff --git a/meta/recipes-extended/iptables/iptables_1.8.2.bb b/meta/recipes-extended/iptables/iptables_1.8.3.bb index 8d8483d95c..6ac3fc60c5 100644 --- a/meta/recipes-extended/iptables/iptables_1.8.2.bb +++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -10,12 +10,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
10	SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \	10	SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
11	file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \	11	file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
12	file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \	12	file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
13	file://0003-extensions-format-security-fixes-in-libipt_icmp.patch \
14	file://CVE-2019-11360.patch \
15	"	13	"
16		14
17	SRC_URI[md5sum] = "944558e88ddcc3b9b0d9550070fa3599"	15	SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
18	SRC_URI[sha256sum] = "a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af"	16	SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
19		17
20	inherit autotools pkgconfig	18	inherit autotools pkgconfig
21		19
@@ -49,6 +47,13 @@ python populate_packages_prepend() {
49		47
50	FILES_${PN} += "${datadir}/xtables"	48	FILES_${PN} += "${datadir}/xtables"
51		49
		50	# Include the symlinks as well in respective packages
		51	FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
		52	FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
		53
		54	INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
		55	INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
		56
52	ALLOW_EMPTY_${PN}-modules = "1"	57	ALLOW_EMPTY_${PN}-modules = "1"
53		58
54	RDEPENDS_${PN} = "${PN}-module-xt-standard"	59	RDEPENDS_${PN} = "${PN}-module-xt-standard"