Diffstat (limited to 'meta')
41 files changed, 1862 insertions, 30 deletions
diff --git a/meta/classes/pypi.bbclass b/meta/classes/pypi.bbclass index e5d7ab3ce1..87b4c85fc0 100644 --- a/meta/classes/pypi.bbclass +++ b/meta/classes/pypi.bbclass | |||
@@ -22,5 +22,5 @@ SECTION = "devel/python" | |||
22 | SRC_URI += "${PYPI_SRC_URI}" | 22 | SRC_URI += "${PYPI_SRC_URI}" |
23 | S = "${WORKDIR}/${PYPI_PACKAGE}-${PV}" | 23 | S = "${WORKDIR}/${PYPI_PACKAGE}-${PV}" |
24 | 24 | ||
25 | UPSTREAM_CHECK_URI ?= "https://pypi.python.org/pypi/${PYPI_PACKAGE}/" | 25 | UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${PYPI_PACKAGE}/" |
26 | UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)" | 26 | UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/" |
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index 889695eae3..69b6edee5f 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc | |||
@@ -6,9 +6,9 @@ | |||
6 | # to the distro running on the build machine. | 6 | # to the distro running on the build machine. |
7 | # | 7 | # |
8 | 8 | ||
9 | UNINATIVE_MAXGLIBCVERSION = "2.31" | 9 | UNINATIVE_MAXGLIBCVERSION = "2.32" |
10 | 10 | ||
11 | UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.8/" | 11 | UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/" |
12 | UNINATIVE_CHECKSUM[aarch64] ?= "989187344bf9539b464fb7ed9c223e51f4bdb4c7a677d2c314e6fed393176efe" | 12 | UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81" |
13 | UNINATIVE_CHECKSUM[i686] ?= "cc3e45bc8594488b407363e3fa9af5a099279dab2703c64342098719bd674990" | 13 | UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36" |
14 | UNINATIVE_CHECKSUM[x86_64] ?= "a09922172c3a439105e0ae6b943daad2d83505b17da0aba97961ff433b8c21ab" | 14 | UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423" |
diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh index 4c4b4deb4c..2e0fe94963 100644 --- a/meta/files/toolchain-shar-extract.sh +++ b/meta/files/toolchain-shar-extract.sh | |||
@@ -1,13 +1,8 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | 2 | ||
3 | [ -z "$ENVCLEANED" ] && exec /usr/bin/env -i ENVCLEANED=1 HOME="$HOME" \ | 3 | export LC_ALL=en_US.UTF-8 |
4 | LC_ALL=en_US.UTF-8 \ | 4 | # Remove invalid PATH elements first (maybe from a previously setup toolchain now deleted |
5 | TERM=$TERM \ | 5 | PATH=`python3 -c 'import os; print(":".join(e for e in os.environ["PATH"].split(":") if os.path.exists(e)))'` |
6 | ICECC_PATH="$ICECC_PATH" \ | ||
7 | http_proxy="$http_proxy" https_proxy="$https_proxy" ftp_proxy="$ftp_proxy" \ | ||
8 | no_proxy="$no_proxy" all_proxy="$all_proxy" GIT_PROXY_COMMAND="$GIT_PROXY_COMMAND" "$0" "$@" | ||
9 | [ -f /etc/environment ] && . /etc/environment | ||
10 | export PATH=`echo "$PATH" | sed -e 's/:\.//' -e 's/::/:/'` | ||
11 | 6 | ||
12 | tweakpath () { | 7 | tweakpath () { |
13 | case ":${PATH}:" in | 8 | case ":${PATH}:" in |
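Review bot: The new PATH filter on line 5 re-admits the current directory that the removed line 10 used to strip: `os.path.exists(".")` is true, so a `.` or any other relative entry survives the cleanup, and an empty entry only disappears because `exists("")` happens to be false. The filter also resolves `python3` through that still-unfiltered PATH and, with the `env -i` re-exec gone, under the caller's full environment; if `python3` is missing the backticks yield an empty PATH and everything after this line breaks, which matters for the old hosts this installer targets. I would keep only absolute directories and fail loudly: `PATH=$(python3 -c 'import os; print(":".join(e for e in os.environ.get("PATH", "").split(":") if os.path.isabs(e) and os.path.isdir(e)))') || exit 1` followed by `[ -n "$PATH" ] || { echo "PATH is empty after cleanup" >&2; exit 1; }`. Whether dropping the environment scrub was intentional is not visible here; if it was, a one-line comment saying why would save the next reader the question.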
diff --git a/meta/lib/oeqa/core/utils/concurrencytest.py b/meta/lib/oeqa/core/utils/concurrencytest.py index 0f7b3dcc11..e6b14da89d 100644 --- a/meta/lib/oeqa/core/utils/concurrencytest.py +++ b/meta/lib/oeqa/core/utils/concurrencytest.py | |||
@@ -261,7 +261,7 @@ def fork_for_tests(concurrency_num, suite): | |||
261 | oe.path.copytree(selftestdir, newselftestdir) | 261 | oe.path.copytree(selftestdir, newselftestdir) |
262 | 262 | ||
263 | for e in os.environ: | 263 | for e in os.environ: |
264 | if builddir in os.environ[e]: | 264 | if builddir + "/" in os.environ[e] or os.environ[e].endswith(builddir): |
265 | os.environ[e] = os.environ[e].replace(builddir, newbuilddir) | 265 | os.environ[e] = os.environ[e].replace(builddir, newbuilddir) |
266 | 266 | ||
267 | subprocess.check_output("git init; git add *; git commit -a -m 'initial'", cwd=newselftestdir, shell=True) | 267 | subprocess.check_output("git init; git add *; git commit -a -m 'initial'", cwd=newselftestdir, shell=True) |
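Review bot: The tightened guard on line 264 does not narrow what line 265 rewrites: `str.replace(builddir, newbuilddir)` still substitutes every occurrence, so a value such as `/w/build-1:/w/build/bin` passes the `builddir + "/"` check and has its first, unrelated entry rewritten as well. Replace only the bounded forms the guard accepts: `v = os.environ[e].replace(builddir + "/", newbuilddir + "/")`, `if v.endswith(builddir): v = v[:-len(builddir)] + newbuilddir`, `os.environ[e] = v`. fork_for_tests starts outside the hunk, and the signing selftest in this same commit has the same pattern.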
diff --git a/meta/lib/oeqa/sdkext/testsdk.py b/meta/lib/oeqa/sdkext/testsdk.py index 785b5dda53..c5c46df6cd 100644 --- a/meta/lib/oeqa/sdkext/testsdk.py +++ b/meta/lib/oeqa/sdkext/testsdk.py | |||
@@ -25,11 +25,8 @@ class TestSDKExt(TestSDKBase): | |||
25 | 25 | ||
26 | subprocesstweak.errors_have_output() | 26 | subprocesstweak.errors_have_output() |
27 | 27 | ||
28 | # extensible sdk can be contaminated if native programs are | 28 | # We need the original PATH for testing the eSDK, not with our manipulations |
29 | # in PATH, i.e. use perl-native instead of eSDK one. | 29 | os.environ['PATH'] = d.getVar("BB_ORIGENV", False).getVar("PATH") |
30 | paths_to_avoid = [d.getVar('STAGING_DIR'), | ||
31 | d.getVar('BASE_WORKDIR')] | ||
32 | os.environ['PATH'] = avoid_paths_in_environ(paths_to_avoid) | ||
33 | 30 | ||
34 | tcname = d.expand("${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.sh") | 31 | tcname = d.expand("${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.sh") |
35 | if not os.path.exists(tcname): | 32 | if not os.path.exists(tcname): |
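Review bot: `d.getVar("BB_ORIGENV", False).getVar("PATH")` on line 29 returns None when the original environment carried no PATH, and assigning None into os.environ raises a bare TypeError rather than a readable test failure. Bind it first and check it, e.g. `origpath = d.getVar("BB_ORIGENV", False).getVar("PATH")` then `if origpath is None: raise RuntimeError("BB_ORIGENV has no PATH")` before `os.environ['PATH'] = origpath`. The dropped lines were the only thing keeping STAGING_DIR and BASE_WORKDIR out of PATH, so the new comment should state that the original PATH is trusted not to contain them; if `avoid_paths_in_environ` is still imported at the top of the file it is presumably unused now. The enclosing method starts outside the hunk.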
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py index 7d3922ce44..d4fea91350 100644 --- a/meta/lib/oeqa/selftest/cases/runtime_test.py +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py | |||
@@ -166,7 +166,7 @@ class TestImage(OESelftestTestCase): | |||
166 | bitbake('core-image-full-cmdline socat') | 166 | bitbake('core-image-full-cmdline socat') |
167 | bitbake('-c testimage core-image-full-cmdline') | 167 | bitbake('-c testimage core-image-full-cmdline') |
168 | 168 | ||
169 | def test_testimage_virgl_gtk(self): | 169 | def disabled_test_testimage_virgl_gtk(self): |
170 | """ | 170 | """ |
171 | Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk frontend | 171 | Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk frontend |
172 | Expected: 1. Check that virgl kernel driver is loaded and 3d acceleration is enabled | 172 | Expected: 1. Check that virgl kernel driver is loaded and 3d acceleration is enabled |
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py index 5c4e01b2c3..5b8f9bbd38 100644 --- a/meta/lib/oeqa/selftest/cases/signing.py +++ b/meta/lib/oeqa/selftest/cases/signing.py | |||
@@ -44,7 +44,9 @@ class Signing(OESelftestTestCase): | |||
44 | origenv = os.environ.copy() | 44 | origenv = os.environ.copy() |
45 | 45 | ||
46 | for e in os.environ: | 46 | for e in os.environ: |
47 | if builddir in os.environ[e]: | 47 | if builddir + "/" in os.environ[e]: |
48 | os.environ[e] = os.environ[e].replace(builddir + "/", newbuilddir + "/") | ||
49 | if os.environ[e].endswith(builddir): | ||
48 | os.environ[e] = os.environ[e].replace(builddir, newbuilddir) | 50 | os.environ[e] = os.environ[e].replace(builddir, newbuilddir) |
49 | 51 | ||
50 | os.chdir(newbuilddir) | 52 | os.chdir(newbuilddir) |
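Review bot: The `endswith(builddir)` branch on lines 49-50 still calls `replace(builddir, newbuilddir)`, which rewrites every occurrence of the string rather than only the trailing one, so a value like `/w/build-old/x:/w/build` has both components changed. Since the suffix position is known, rewrite it directly: `os.environ[e] = os.environ[e][:-len(builddir)] + newbuilddir`. The enclosing test method starts outside the hunk.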
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch new file mode 100644 index 0000000000..dec5672657 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | From ca543240380475d888d660ea3296fc880ce52f35 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Wed, 15 Jul 2020 16:07:51 +1000 | ||
4 | Subject: [PATCH] bind: Always keep a copy of the message | ||
5 | |||
6 | this allows it to be available even when dns_message_parse() | ||
7 | returns a error. | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | CVE: CVE-2020-8622 | ||
11 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
12 | --- | ||
13 | lib/dns/message.c | 24 +++++++++++++----------- | ||
14 | 1 file changed, 13 insertions(+), 11 deletions(-) | ||
15 | |||
16 | diff --git a/lib/dns/message.c b/lib/dns/message.c | ||
17 | index ac637a2..39ed80f 100644 | ||
18 | --- a/lib/dns/message.c | ||
19 | +++ b/lib/dns/message.c | ||
20 | @@ -1679,6 +1679,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, | ||
21 | msg->header_ok = 0; | ||
22 | msg->question_ok = 0; | ||
23 | |||
24 | + if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) { | ||
25 | + isc_buffer_usedregion(&origsource, &msg->saved); | ||
26 | + } else { | ||
27 | + msg->saved.length = isc_buffer_usedlength(&origsource); | ||
28 | + msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length); | ||
29 | + if (msg->saved.base == NULL) { | ||
30 | + return (ISC_R_NOMEMORY); | ||
31 | + } | ||
32 | + memmove(msg->saved.base, isc_buffer_base(&origsource), | ||
33 | + msg->saved.length); | ||
34 | + msg->free_saved = 1; | ||
35 | + } | ||
36 | + | ||
37 | isc_buffer_remainingregion(source, &r); | ||
38 | if (r.length < DNS_MESSAGE_HEADERLEN) | ||
39 | return (ISC_R_UNEXPECTEDEND); | ||
40 | @@ -1754,17 +1767,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, | ||
41 | } | ||
42 | |||
43 | truncated: | ||
44 | - if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) | ||
45 | - isc_buffer_usedregion(&origsource, &msg->saved); | ||
46 | - else { | ||
47 | - msg->saved.length = isc_buffer_usedlength(&origsource); | ||
48 | - msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length); | ||
49 | - if (msg->saved.base == NULL) | ||
50 | - return (ISC_R_NOMEMORY); | ||
51 | - memmove(msg->saved.base, isc_buffer_base(&origsource), | ||
52 | - msg->saved.length); | ||
53 | - msg->free_saved = 1; | ||
54 | - } | ||
55 | |||
56 | if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) | ||
57 | return (DNS_R_RECOVERABLE); | ||
58 | -- | ||
59 | 1.9.1 | ||
60 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch new file mode 100644 index 0000000000..8e5412a89e --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch | |||
@@ -0,0 +1,402 @@ | |||
1 | From 8d807cc21655eaa6e6a08afafeec3682c0f3f2ab Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org> | ||
3 | Date: Tue, 21 Jul 2020 14:42:47 +0200 | ||
4 | Subject: [PATCH] Fix crash in pk11_numbits() when native-pkcs11 is used | ||
5 | |||
6 | When pk11_numbits() is passed a user provided input that contains all | ||
7 | zeroes (via crafted DNS message), it would crash with assertion | ||
8 | failure. Fix that by properly handling such input. | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2020-8623 | ||
12 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
13 | --- | ||
14 | lib/dns/pkcs11dh_link.c | 15 ++++++- | ||
15 | lib/dns/pkcs11dsa_link.c | 8 +++- | ||
16 | lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++-------- | ||
17 | lib/isc/include/pk11/internal.h | 3 +- | ||
18 | lib/isc/pk11.c | 61 ++++++++++++++++--------- | ||
19 | 5 files changed, 121 insertions(+), 45 deletions(-) | ||
20 | |||
21 | diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c | ||
22 | index e2b60ea7c5..4cd8e32d60 100644 | ||
23 | --- a/lib/dns/pkcs11dh_link.c | ||
24 | +++ b/lib/dns/pkcs11dh_link.c | ||
25 | @@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
26 | CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; | ||
27 | CK_ATTRIBUTE *attr; | ||
28 | int special = 0; | ||
29 | + unsigned int bits; | ||
30 | isc_result_t result; | ||
31 | |||
32 | isc_buffer_remainingregion(data, &r); | ||
33 | @@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
34 | pub = r.base; | ||
35 | isc_region_consume(&r, publen); | ||
36 | |||
37 | - key->key_size = pk11_numbits(prime, plen_); | ||
38 | + result = pk11_numbits(prime, plen_, &bits); | ||
39 | + if (result != ISC_R_SUCCESS) { | ||
40 | + goto cleanup; | ||
41 | + } | ||
42 | + key->key_size = bits; | ||
43 | |||
44 | dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); | ||
45 | if (dh->repr == NULL) | ||
46 | @@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
47 | dst_private_t priv; | ||
48 | isc_result_t ret; | ||
49 | int i; | ||
50 | + unsigned int bits; | ||
51 | pk11_object_t *dh = NULL; | ||
52 | CK_ATTRIBUTE *attr; | ||
53 | isc_mem_t *mctx; | ||
54 | @@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
55 | |||
56 | attr = pk11_attribute_bytype(dh, CKA_PRIME); | ||
57 | INSIST(attr != NULL); | ||
58 | - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); | ||
59 | + | ||
60 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
61 | + if (ret != ISC_R_SUCCESS) { | ||
62 | + goto err; | ||
63 | + } | ||
64 | + key->key_size = bits; | ||
65 | |||
66 | return (ISC_R_SUCCESS); | ||
67 | |||
68 | diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c | ||
69 | index 12d707a112..24d4c149ff 100644 | ||
70 | --- a/lib/dns/pkcs11dsa_link.c | ||
71 | +++ b/lib/dns/pkcs11dsa_link.c | ||
72 | @@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
73 | dst_private_t priv; | ||
74 | isc_result_t ret; | ||
75 | int i; | ||
76 | + unsigned int bits; | ||
77 | pk11_object_t *dsa = NULL; | ||
78 | CK_ATTRIBUTE *attr; | ||
79 | isc_mem_t *mctx = key->mctx; | ||
80 | @@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
81 | |||
82 | attr = pk11_attribute_bytype(dsa, CKA_PRIME); | ||
83 | INSIST(attr != NULL); | ||
84 | - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); | ||
85 | + | ||
86 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
87 | + if (ret != ISC_R_SUCCESS) { | ||
88 | + goto err; | ||
89 | + } | ||
90 | + key->key_size = bits; | ||
91 | |||
92 | return (ISC_R_SUCCESS); | ||
93 | |||
94 | diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c | ||
95 | index 096c1a8e91..1d10d26564 100644 | ||
96 | --- a/lib/dns/pkcs11rsa_link.c | ||
97 | +++ b/lib/dns/pkcs11rsa_link.c | ||
98 | @@ -332,6 +332,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, | ||
99 | key->key_alg == DST_ALG_RSASHA256 || | ||
100 | key->key_alg == DST_ALG_RSASHA512); | ||
101 | #endif | ||
102 | + REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS); | ||
103 | |||
104 | /* | ||
105 | * Reject incorrect RSA key lengths. | ||
106 | @@ -376,6 +377,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, | ||
107 | for (attr = pk11_attribute_first(rsa); | ||
108 | attr != NULL; | ||
109 | attr = pk11_attribute_next(rsa, attr)) | ||
110 | + { | ||
111 | switch (attr->type) { | ||
112 | case CKA_MODULUS: | ||
113 | INSIST(keyTemplate[5].type == attr->type); | ||
114 | @@ -396,12 +398,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, | ||
115 | memmove(keyTemplate[6].pValue, attr->pValue, | ||
116 | attr->ulValueLen); | ||
117 | keyTemplate[6].ulValueLen = attr->ulValueLen; | ||
118 | - if (pk11_numbits(attr->pValue, | ||
119 | - attr->ulValueLen) > maxbits && | ||
120 | - maxbits != 0) | ||
121 | + unsigned int bits; | ||
122 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, | ||
123 | + &bits); | ||
124 | + if (ret != ISC_R_SUCCESS || | ||
125 | + (bits > maxbits && maxbits != 0)) { | ||
126 | DST_RET(DST_R_VERIFYFAILURE); | ||
127 | + } | ||
128 | break; | ||
129 | } | ||
130 | + } | ||
131 | pk11_ctx->object = CK_INVALID_HANDLE; | ||
132 | pk11_ctx->ontoken = false; | ||
133 | PK11_RET(pkcs_C_CreateObject, | ||
134 | @@ -1072,6 +1078,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { | ||
135 | keyTemplate[5].ulValueLen = attr->ulValueLen; | ||
136 | break; | ||
137 | case CKA_PUBLIC_EXPONENT: | ||
138 | + unsigned int bits; | ||
139 | INSIST(keyTemplate[6].type == attr->type); | ||
140 | keyTemplate[6].pValue = isc_mem_get(dctx->mctx, | ||
141 | attr->ulValueLen); | ||
142 | @@ -1080,10 +1087,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { | ||
143 | memmove(keyTemplate[6].pValue, attr->pValue, | ||
144 | attr->ulValueLen); | ||
145 | keyTemplate[6].ulValueLen = attr->ulValueLen; | ||
146 | - if (pk11_numbits(attr->pValue, | ||
147 | - attr->ulValueLen) | ||
148 | - > RSA_MAX_PUBEXP_BITS) | ||
149 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, | ||
150 | + &bits); | ||
151 | + if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS) | ||
152 | + { | ||
153 | DST_RET(DST_R_VERIFYFAILURE); | ||
154 | + } | ||
155 | break; | ||
156 | } | ||
157 | pk11_ctx->object = CK_INVALID_HANDLE; | ||
158 | @@ -1461,6 +1470,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
159 | CK_BYTE *exponent = NULL, *modulus = NULL; | ||
160 | CK_ATTRIBUTE *attr; | ||
161 | unsigned int length; | ||
162 | + unsigned int bits; | ||
163 | + isc_result_t ret = ISC_R_SUCCESS; | ||
164 | |||
165 | isc_buffer_remainingregion(data, &r); | ||
166 | if (r.length == 0) | ||
167 | @@ -1478,9 +1489,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
168 | |||
169 | if (e_bytes == 0) { | ||
170 | if (r.length < 2) { | ||
171 | - isc_safe_memwipe(rsa, sizeof(*rsa)); | ||
172 | - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); | ||
173 | - return (DST_R_INVALIDPUBLICKEY); | ||
174 | + DST_RET(DST_R_INVALIDPUBLICKEY); | ||
175 | } | ||
176 | e_bytes = (*r.base) << 8; | ||
177 | isc_region_consume(&r, 1); | ||
178 | @@ -1489,16 +1498,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
179 | } | ||
180 | |||
181 | if (r.length < e_bytes) { | ||
182 | - isc_safe_memwipe(rsa, sizeof(*rsa)); | ||
183 | - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); | ||
184 | - return (DST_R_INVALIDPUBLICKEY); | ||
185 | + DST_RET(DST_R_INVALIDPUBLICKEY); | ||
186 | } | ||
187 | exponent = r.base; | ||
188 | isc_region_consume(&r, e_bytes); | ||
189 | modulus = r.base; | ||
190 | mod_bytes = r.length; | ||
191 | |||
192 | - key->key_size = pk11_numbits(modulus, mod_bytes); | ||
193 | + ret = pk11_numbits(modulus, mod_bytes, &bits); | ||
194 | + if (ret != ISC_R_SUCCESS) { | ||
195 | + goto err; | ||
196 | + } | ||
197 | + key->key_size = bits; | ||
198 | |||
199 | isc_buffer_forward(data, length); | ||
200 | |||
201 | @@ -1548,9 +1559,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { | ||
202 | rsa->repr, | ||
203 | rsa->attrcnt * sizeof(*attr)); | ||
204 | } | ||
205 | + ret = ISC_R_NOMEMORY; | ||
206 | + | ||
207 | + err: | ||
208 | isc_safe_memwipe(rsa, sizeof(*rsa)); | ||
209 | isc_mem_put(key->mctx, rsa, sizeof(*rsa)); | ||
210 | - return (ISC_R_NOMEMORY); | ||
211 | + return (ret); | ||
212 | } | ||
213 | |||
214 | static isc_result_t | ||
215 | @@ -1729,6 +1743,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, | ||
216 | pk11_object_t *pubrsa; | ||
217 | pk11_context_t *pk11_ctx = NULL; | ||
218 | isc_result_t ret; | ||
219 | + unsigned int bits; | ||
220 | |||
221 | if (label == NULL) | ||
222 | return (DST_R_NOENGINE); | ||
223 | @@ -1815,7 +1830,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, | ||
224 | |||
225 | attr = pk11_attribute_bytype(rsa, CKA_MODULUS); | ||
226 | INSIST(attr != NULL); | ||
227 | - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); | ||
228 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
229 | + if (ret != ISC_R_SUCCESS) { | ||
230 | + goto err; | ||
231 | + } | ||
232 | + key->key_size = bits; | ||
233 | |||
234 | return (ISC_R_SUCCESS); | ||
235 | |||
236 | @@ -1901,6 +1920,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
237 | CK_ATTRIBUTE *attr; | ||
238 | isc_mem_t *mctx = key->mctx; | ||
239 | const char *engine = NULL, *label = NULL; | ||
240 | + unsigned int bits; | ||
241 | |||
242 | /* read private key file */ | ||
243 | ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); | ||
244 | @@ -2044,12 +2064,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { | ||
245 | |||
246 | attr = pk11_attribute_bytype(rsa, CKA_MODULUS); | ||
247 | INSIST(attr != NULL); | ||
248 | - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); | ||
249 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
250 | + if (ret != ISC_R_SUCCESS) { | ||
251 | + goto err; | ||
252 | + } | ||
253 | + key->key_size = bits; | ||
254 | |||
255 | attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); | ||
256 | INSIST(attr != NULL); | ||
257 | - if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) | ||
258 | + | ||
259 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
260 | + if (ret != ISC_R_SUCCESS) { | ||
261 | + goto err; | ||
262 | + } | ||
263 | + if (bits > RSA_MAX_PUBEXP_BITS) { | ||
264 | DST_RET(ISC_R_RANGE); | ||
265 | + } | ||
266 | |||
267 | dst__privstruct_free(&priv, mctx); | ||
268 | isc_safe_memwipe(&priv, sizeof(priv)); | ||
269 | @@ -2084,6 +2114,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, | ||
270 | pk11_context_t *pk11_ctx = NULL; | ||
271 | isc_result_t ret; | ||
272 | unsigned int i; | ||
273 | + unsigned int bits; | ||
274 | |||
275 | UNUSED(pin); | ||
276 | |||
277 | @@ -2178,12 +2209,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, | ||
278 | |||
279 | attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); | ||
280 | INSIST(attr != NULL); | ||
281 | - if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) | ||
282 | + | ||
283 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
284 | + if (ret != ISC_R_SUCCESS) { | ||
285 | + goto err; | ||
286 | + } | ||
287 | + if (bits > RSA_MAX_PUBEXP_BITS) { | ||
288 | DST_RET(ISC_R_RANGE); | ||
289 | + } | ||
290 | |||
291 | attr = pk11_attribute_bytype(rsa, CKA_MODULUS); | ||
292 | INSIST(attr != NULL); | ||
293 | - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); | ||
294 | + ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); | ||
295 | + if (ret != ISC_R_SUCCESS) { | ||
296 | + goto err; | ||
297 | + } | ||
298 | + key->key_size = bits; | ||
299 | |||
300 | pk11_return_session(pk11_ctx); | ||
301 | isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); | ||
302 | diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h | ||
303 | index aa8907ab08..7cc8ec812b 100644 | ||
304 | --- a/lib/isc/include/pk11/internal.h | ||
305 | +++ b/lib/isc/include/pk11/internal.h | ||
306 | @@ -25,7 +25,8 @@ void pk11_mem_put(void *ptr, size_t size); | ||
307 | |||
308 | CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype); | ||
309 | |||
310 | -unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt); | ||
311 | +isc_result_t | ||
312 | +pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits); | ||
313 | |||
314 | CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj); | ||
315 | |||
316 | diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c | ||
317 | index 012afd968a..4e4052044b 100644 | ||
318 | --- a/lib/isc/pk11.c | ||
319 | +++ b/lib/isc/pk11.c | ||
320 | @@ -962,13 +962,15 @@ pk11_get_best_token(pk11_optype_t optype) { | ||
321 | return (token->slotid); | ||
322 | } | ||
323 | |||
324 | -unsigned int | ||
325 | -pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { | ||
326 | +isc_result_t | ||
327 | +pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) { | ||
328 | unsigned int bitcnt, i; | ||
329 | CK_BYTE top; | ||
330 | |||
331 | - if (bytecnt == 0) | ||
332 | - return (0); | ||
333 | + if (bytecnt == 0) { | ||
334 | + *bits = 0; | ||
335 | + return (ISC_R_SUCCESS); | ||
336 | + } | ||
337 | bitcnt = bytecnt * 8; | ||
338 | for (i = 0; i < bytecnt; i++) { | ||
339 | top = data[i]; | ||
340 | @@ -976,26 +978,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { | ||
341 | bitcnt -= 8; | ||
342 | continue; | ||
343 | } | ||
344 | - if (top & 0x80) | ||
345 | - return (bitcnt); | ||
346 | - if (top & 0x40) | ||
347 | - return (bitcnt - 1); | ||
348 | - if (top & 0x20) | ||
349 | - return (bitcnt - 2); | ||
350 | - if (top & 0x10) | ||
351 | - return (bitcnt - 3); | ||
352 | - if (top & 0x08) | ||
353 | - return (bitcnt - 4); | ||
354 | - if (top & 0x04) | ||
355 | - return (bitcnt - 5); | ||
356 | - if (top & 0x02) | ||
357 | - return (bitcnt - 6); | ||
358 | - if (top & 0x01) | ||
359 | - return (bitcnt - 7); | ||
360 | + if (top & 0x80) { | ||
361 | + *bits = bitcnt; | ||
362 | + return (ISC_R_SUCCESS); | ||
363 | + } | ||
364 | + if (top & 0x40) { | ||
365 | + *bits = bitcnt - 1; | ||
366 | + return (ISC_R_SUCCESS); | ||
367 | + } | ||
368 | + if (top & 0x20) { | ||
369 | + *bits = bitcnt - 2; | ||
370 | + return (ISC_R_SUCCESS); | ||
371 | + } | ||
372 | + if (top & 0x10) { | ||
373 | + *bits = bitcnt - 3; | ||
374 | + return (ISC_R_SUCCESS); | ||
375 | + } | ||
376 | + if (top & 0x08) { | ||
377 | + *bits = bitcnt - 4; | ||
378 | + return (ISC_R_SUCCESS); | ||
379 | + } | ||
380 | + if (top & 0x04) { | ||
381 | + *bits = bitcnt - 5; | ||
382 | + return (ISC_R_SUCCESS); | ||
383 | + } | ||
384 | + if (top & 0x02) { | ||
385 | + *bits = bitcnt - 6; | ||
386 | + return (ISC_R_SUCCESS); | ||
387 | + } | ||
388 | + if (top & 0x01) { | ||
389 | + *bits = bitcnt - 7; | ||
390 | + return (ISC_R_SUCCESS); | ||
391 | + } | ||
392 | break; | ||
393 | } | ||
394 | - INSIST(0); | ||
395 | - ISC_UNREACHABLE(); | ||
396 | + return (ISC_R_RANGE); | ||
397 | } | ||
398 | |||
399 | CK_ATTRIBUTE * | ||
400 | -- | ||
401 | 2.17.1 | ||
402 | |||
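Review bot: In the pkcs11rsa_verify hunk the added `unsigned int bits;` sits directly after the `case CKA_PUBLIC_EXPONENT:` label, and a declaration immediately following a label is rejected by C compilers before C23 (GCC reports "a label can only be part of a statement and a declaration is not a statement"). If pkcs11rsa_link.c is, as I believe, only compiled with native PKCS#11 enabled, a default bind build will not catch this; move the declaration below the `INSIST(keyTemplate[6].type == attr->type);` line, or to the top of the function, the way the pkcs11rsa_createctx_verify hunk places it after a statement. The rest looks consistent: every `pk11_numbits` caller now checks the result and the all-zero input returns ISC_R_RANGE instead of tripping INSIST. I have not verified that the `cleanup` and `err` labels targeted by the new `goto`s outside pkcs11rsa_fromdns exist in the surrounding 9.11.19 code, since they are not in the hunks.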
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch new file mode 100644 index 0000000000..9cffe358bf --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From a73c3d30de7fe98af9e4dc0e490f732a48412380 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Wed, 29 Jul 2020 23:36:03 +1000 | ||
4 | Subject: [PATCH] bind: Update-policy 'subdomain' was incorrectly treated as | ||
5 | 'zonesub' | ||
6 | |||
7 | resulting in names outside the specified subdomain having the wrong | ||
8 | restrictions for the given key. | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2020-8624 | ||
12 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
13 | --- | ||
14 | bin/named/zoneconf.c | 3 ++- | ||
15 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
16 | |||
17 | diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c | ||
18 | index e237bdb..4898447 100644 | ||
19 | --- a/bin/named/zoneconf.c | ||
20 | +++ b/bin/named/zoneconf.c | ||
21 | @@ -237,7 +237,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, | ||
22 | |||
23 | str = cfg_obj_asstring(matchtype); | ||
24 | CHECK(dns_ssu_mtypefromstring(str, &mtype)); | ||
25 | - if (mtype == dns_ssumatchtype_subdomain) { | ||
26 | + if (mtype == dns_ssumatchtype_subdomain && | ||
27 | + strcasecmp(str, "zonesub") == 0) { | ||
28 | usezone = true; | ||
29 | } | ||
30 | |||
31 | -- | ||
32 | 1.9.1 | ||
33 | |||
diff --git a/meta/recipes-connectivity/bind/bind_9.11.19.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb index a77be8678f..d4467b0b48 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.19.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb | |||
@@ -18,6 +18,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ | |||
18 | file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ | 18 | file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ |
19 | file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ | 19 | file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ |
20 | file://0001-avoid-start-failure-with-bind-user.patch \ | 20 | file://0001-avoid-start-failure-with-bind-user.patch \ |
21 | file://CVE-2020-8622.patch \ | ||
22 | file://CVE-2020-8623.patch \ | ||
23 | file://CVE-2020-8624.patch \ | ||
21 | " | 24 | " |
22 | 25 | ||
23 | SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329" | 26 | SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329" |
diff --git a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch index 3aad603ada..5cd235f6ac 100644 --- a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch +++ b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch | |||
@@ -65,6 +65,35 @@ index 7c1cc3eecb..53cb8bfc59 100644 | |||
65 | 65 | ||
66 | /* Load the locale data for CATEGORY from the file specified by *NAME. | 66 | /* Load the locale data for CATEGORY from the file specified by *NAME. |
67 | If *NAME is "", use environment variables as specified by POSIX, and | 67 | If *NAME is "", use environment variables as specified by POSIX, and |
68 | -- | 68 | Index: git/locale/programs/locale.c |
69 | 2.22.0 | 69 | =================================================================== |
70 | 70 | --- git.orig/locale/programs/locale.c | |
71 | +++ git/locale/programs/locale.c | ||
72 | @@ -632,6 +632,7 @@ nameentcmp (const void *a, const void *b | ||
73 | ((const struct nameent *) b)->name); | ||
74 | } | ||
75 | |||
76 | +static char _write_archive_locales_path[4096] attribute_hidden __attribute__ ((section (".gccrelocprefix"))) = ARCHIVE_NAME; | ||
77 | |||
78 | static int | ||
79 | write_archive_locales (void **all_datap, char *linebuf) | ||
80 | @@ -645,7 +646,7 @@ write_archive_locales (void **all_datap, | ||
81 | int fd, ret = 0; | ||
82 | uint32_t cnt; | ||
83 | |||
84 | - fd = open64 (ARCHIVE_NAME, O_RDONLY); | ||
85 | + fd = open64 (_write_archive_locales_path, O_RDONLY); | ||
86 | if (fd < 0) | ||
87 | return 0; | ||
88 | |||
89 | @@ -700,8 +701,8 @@ write_archive_locales (void **all_datap, | ||
90 | if (cnt) | ||
91 | putchar_unlocked ('\n'); | ||
92 | |||
93 | - printf ("locale: %-15.15s archive: " ARCHIVE_NAME "\n%s\n", | ||
94 | - names[cnt].name, linebuf); | ||
95 | + printf ("locale: %-15.15s archive: %s\n%s\n", | ||
96 | + names[cnt].name, _write_archive_locales_path, linebuf); | ||
97 | |||
98 | locrec = (struct locrecent *) (addr + names[cnt].locrec_offset); | ||
99 | |||
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 7d8b665e6b..e993bde2d7 100644 --- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb | |||
@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk" | |||
24 | 24 | ||
25 | inherit core-image module-base setuptools3 | 25 | inherit core-image module-base setuptools3 |
26 | 26 | ||
27 | SRCREV ?= "0ae1964fb16a0e92b163f48ceb127a40e8397339" | 27 | SRCREV ?= "f4b1c01110bf6cf7691aa6f214cecd89a52d5661" |
28 | SRC_URI = "git://git.yoctoproject.org/poky;branch=zeus \ | 28 | SRC_URI = "git://git.yoctoproject.org/poky;branch=zeus \ |
29 | file://Yocto_Build_Appliance.vmx \ | 29 | file://Yocto_Build_Appliance.vmx \ |
30 | file://Yocto_Build_Appliance.vmxf \ | 30 | file://Yocto_Build_Appliance.vmxf \ |
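--- /dev/null
+++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb
@@ -0,0 +1,36 @@
+require recipes-core/meta/buildtools-tarball.bb
+
+DESCRIPTION = "SDK type target for building a standalone tarball containing build-essentials, python3, chrpath, \
+make, git and tar. The tarball can be used to run bitbake builds on systems which don't meet the \
+usual version requirements and have ancient compilers."
+SUMMARY = "Standalone tarball for running builds on systems with inadequate software and ancient compilers"
+LICENSE = "MIT"
+
+# Add nativesdk equivalent of build-essentials
+TOOLCHAIN_HOST_TASK += "\
+nativesdk-automake \
+nativesdk-autoconf \
+nativesdk-binutils \
+nativesdk-binutils-symlinks \
+nativesdk-cpp \
+nativesdk-cpp-symlinks \
+nativesdk-gcc \
+nativesdk-gcc-symlinks \
+nativesdk-g++ \
+nativesdk-g++-symlinks \
+nativesdk-gettext \
+nativesdk-libatomic \
+nativesdk-libgcc \
+nativesdk-libstdc++ \
+nativesdk-libstdc++-dev \
+nativesdk-libstdc++-staticdev \
+nativesdk-libtool \
+nativesdk-pkgconfig \
+nativesdk-glibc-utils \
+nativesdk-python \
+nativesdk-libxcrypt-dev \
+"
+
+TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-extended-nativesdk-standalone-${DISTRO_VERSION}"
+
+SDK_TITLE = "Extended Build tools"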
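Review bot: Line 30 adds `nativesdk-python` to TOOLCHAIN_HOST_TASK while the DESCRIPTION on line 3 promises python3; in OE the `python` recipe is presumably the Python 2 interpreter, so this tarball ships a second interpreter without any comment on why it is needed. If python3 arrives via the required buildtools-tarball.bb, a comment on line 30 such as `# Python 2 interpreter for legacy build scripts; python3 comes from buildtools-tarball.bb` (adjusted to the real reason) would keep the next maintainer from dropping it as a mistake. The hard-coded list is otherwise documented by the comment on line 9.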
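--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -73,7 +73,13 @@ create_sdk_files_append () {
 toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS}
 
 echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+echo 'export OPENSSL_CONF="${SDKPATHNATIVE}${sysconfdir}/ssl/openssl.cnf"' >>$script
 
+mkdir -p ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/
+echo '${SDKPATHNATIVE}${libdir}
+${SDKPATHNATIVE}${base_libdir}
+include /etc/ld.so.conf' > ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/ld.so.conf
 if [ "${SDKMACHINE}" = "i686" ]; then
 echo 'export NO32LIBS="0"' >>$script
 echo 'echo "$BB_ENV_EXTRAWHITE" | grep -q "NO32LIBS"' >>$script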
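Review bot: The ld.so.conf written at lines 80-82 ends with `include /etc/ld.so.conf`, so the SDK's linker searches the SDK's ${libdir} and ${base_libdir} first and then falls through to the build host's library directories, and the new SSL_CERT_FILE/OPENSSL_CONF exports on lines 76-77 make OpenSSL-based tools in the SDK environment trust the CA bundle and OpenSSL configuration shipped inside the tarball rather than the host's maintained ones; neither consequence is recorded anywhere in the function. A comment before the mkdir, `# SDK ld: own libdirs first, then host /etc/ld.so.conf; TLS trust and openssl.cnf come from the tarball, not the host`, would make both deliberate choices visible to whoever next touches this script. The include line also presumes a glibc-style /etc/ld.so.conf exists on whatever machine the tarball is unpacked on. create_sdk_files_append starts before this hunk.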
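--- a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
+++ b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
@@ -15,12 +15,15 @@ DUMMYPROVIDES_PACKAGES = "\
 nativesdk-perl-module-file-find \
 nativesdk-perl-module-file-glob \
 nativesdk-perl-module-file-path \
+nativesdk-perl-module-file-spec \
 nativesdk-perl-module-file-stat \
 nativesdk-perl-module-getopt-long \
 nativesdk-perl-module-io-file \
+nativesdk-perl-module-overloading \
 nativesdk-perl-module-posix \
 nativesdk-perl-module-thread-queue \
 nativesdk-perl-module-threads \
+nativesdk-perl-module-warnings \
 "
 
 DUMMYPROVIDES = "\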
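--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch
@@ -0,0 +1,80 @@
+We need binutils to look at our ld.so.conf file within the SDK to ensure
+we search the SDK's libdirs as well as those from the host system.
+
+We therefore pass in the directory to the code using a define, then add
+it to a section we relocate in a similar way to the way we relocate the
+gcc internal paths. This ensures that ld works correctly in our buildtools
+tarball.
+
+Standard sysroot relocation doesn't work since we're not in a sysroot,
+we want to use both the host system and SDK libs.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+2020/1/17
+Upstream-Status: Inappropriate [OE specific tweak]
+
+Index: git/ld/Makefile.am
+===================================================================
+--- git.orig/ld/Makefile.am
++++ git/ld/Makefile.am
+@@ -36,7 +36,8 @@ am__skipyacc =
+
+ELF_CLFAGS=-DELF_LIST_OPTIONS=@elf_list_options@ \
+-DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \
+- -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@
++ -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \
++ -DSYSCONFDIR="\"$(sysconfdir)\""
+WARN_CFLAGS = @WARN_CFLAGS@
+NO_WERROR = @NO_WERROR@
+AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS)
+Index: git/ld/Makefile.in
+===================================================================
+--- git.orig/ld/Makefile.in
++++ git/ld/Makefile.in
+@@ -546,7 +546,8 @@ am__skiplex =
+am__skipyacc =
+ELF_CLFAGS = -DELF_LIST_OPTIONS=@elf_list_options@ \
+-DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \
+- -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@
++ -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \
++ -DSYSCONFDIR="\"$(sysconfdir)\""
+
+AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS)
+@ENABLE_PLUGINS_FALSE@PLUGIN_C =
+Index: git/ld/emultempl/elf32.em
+===================================================================
+--- git.orig/ld/emultempl/elf32.em
++++ git/ld/emultempl/elf32.em
+@@ -1024,7 +1024,7 @@ gld${EMULATION_NAME}_check_ld_so_conf (c
+
+info.path = NULL;
+info.len = info.alloc = 0;
+- tmppath = concat (ld_sysroot, "${prefix}/etc/ld.so.conf",
++ tmppath = concat (ld_sysconfdir, "/ld.so.conf",
+(const char *) NULL);
+if (!gld${EMULATION_NAME}_parse_ld_so_conf (&info, tmppath))
+{
+Index: git/ld/ldmain.c
+===================================================================
+--- git.orig/ld/ldmain.c
++++ git/ld/ldmain.c
+@@ -68,6 +68,7 @@ char *program_name;
+
+/* The prefix for system library directories. */
+const char *ld_sysroot;
++char ld_sysconfdir[4096] __attribute__ ((section (".gccrelocprefix"))) = SYSCONFDIR;
+
+/* The canonical representation of ld_sysroot. */
+char *ld_canon_sysroot;
+Index: git/ld/ldmain.h
+===================================================================
+--- git.orig/ld/ldmain.h
++++ git/ld/ldmain.h
+@@ -23,6 +23,7 @@
+
+extern char *program_name;
+extern const char *ld_sysroot;
++extern char ld_sysconfdir[4096];
+extern char *ld_canon_sysroot;
+extern int ld_canon_sysroot_len;
+extern FILE *saved_script_handle;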
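Review bot: The elf32.em hunk (lines 52-53) drops the `ld_sysroot` prefix entirely, so a nativesdk `ld` invoked with --sysroot still parses the SDK's own ld.so.conf and never the sysroot's; the header explains why sysroot relocation is unwanted for the buildtools case but not that --sysroot users lose that lookup, which deserves one sentence in the description. The `char ld_sysconfdir[4096]` placed in `.gccrelocprefix` (line 65) is presumably rewritten in place by the SDK relocation step, which is not visible here, so correctness depends on the rewritten path staying NUL-terminated within 4096 bytes; a comment above the declaration, `/* Rewritten in place at SDK install time via .gccrelocprefix; the new path must fit in 4096 bytes including the NUL. */`, would make that contract explicit. The Makefile.in hunk duplicates Makefile.am, as expected for a generated file.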
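--- a/meta/recipes-devtools/binutils/binutils_2.32.bb
+++ b/meta/recipes-devtools/binutils/binutils_2.32.bb
@@ -51,5 +51,10 @@ do_install_class-native () {
 PACKAGE_BEFORE_PN += "libbfd"
 FILES_libbfd = "${libdir}/libbfd-*.so"
 
+SRC_URI_append_class-nativesdk = "file://nativesdk-relocation.patch"
+
+USE_ALTERNATIVES_FOR_class-nativesdk = ""
+FILES_${PN}_append_class-nativesdk = " ${bindir}"
+
 BBCLASSEXTEND = "native nativesdk"
 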
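Review bot: `USE_ALTERNATIVES_FOR_class-nativesdk = ""` and the `${bindir}` FILES append at lines 56-57 change how the nativesdk variant is packaged without any comment on why it departs from the native/target variants; presumably the buildtools tarball needs the real binaries in ${bindir} instead of update-alternatives symlinks, but the recipe does not say so. A one-line comment above line 56 such as `# nativesdk: skip update-alternatives and ship the binaries directly in ${bindir} for the buildtools tarball` (corrected to the actual reason) would stop a later cleanup from re-enabling alternatives. Restricting the patch to class-nativesdk on line 54 matches its Upstream-Status: Inappropriate marking.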
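--- a/meta/recipes-devtools/go/go-1.12.inc
+++ b/meta/recipes-devtools/go/go-1.12.inc
@@ -18,6 +18,10 @@ SRC_URI += "\
 file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
 file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
 file://0010-fix-CVE-2019-17596.patch \
+file://CVE-2020-15586.patch \
+file://CVE-2020-16845.patch \
+file://0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch \
+file://CVE-2020-24553.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
 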
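Review bot: The order of the four new entries at lines 21-24 is load-bearing: CVE-2020-24553.patch modifies src/net/http/cgi/integration_test.go, a file that only exists once 0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch has renamed matryoshka_test.go, yet nothing in SRC_URI records that dependency. A comment on line 23, `# must precede CVE-2020-24553.patch, which patches the renamed integration_test.go`, would keep a future reorder or drop from breaking do_patch. The rename patch's own header notes the reason, but that is not where someone editing this list will look.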
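--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch
@@ -0,0 +1,28 @@
+From 8390c478600b852392cb116741b3cb239c94d123 Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick <bradfitz@golang.org>
+Date: Wed, 15 Jan 2020 18:08:10 +0000
+Subject: [PATCH] net/http/cgi: rename a test file to be less cute
+
+My fault (from CL 4245070), sorry.
+
+Change-Id: Ib95d3170dc326e74aa74c22421c4e44a8b00f577
+Reviewed-on: https://go-review.googlesource.com/c/go/+/214920
+Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
+
+Upstream-Status: Backport
+[lz: Add this patch for merging the patch for CVE-2020-24553]
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+src/net/http/cgi/{matryoshka_test.go => integration_test.go} | 0
+1 file changed, 0 insertions(+), 0 deletions(-)
+rename src/net/http/cgi/{matryoshka_test.go => integration_test.go} (100%)
+
+diff --git a/src/net/http/cgi/matryoshka_test.go b/src/net/http/cgi/integration_test.go
+similarity index 100%
+rename from src/net/http/cgi/matryoshka_test.go
+rename to src/net/http/cgi/integration_test.go
+--
+2.17.1
+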
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-15586.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-15586.patch new file mode 100644 index 0000000000..ebdc5aec6d --- /dev/null +++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-15586.patch | |||
@@ -0,0 +1,131 @@ | |||
1 | From fa98f46741f818913a8c11b877520a548715131f Mon Sep 17 00:00:00 2001 | ||
2 | From: Russ Cox <rsc@golang.org> | ||
3 | Date: Mon, 13 Jul 2020 13:27:22 -0400 | ||
4 | Subject: [PATCH] net/http: synchronize "100 Continue" write and Handler writes | ||
5 | |||
6 | The expectContinueReader writes to the connection on the first | ||
7 | Request.Body read. Since a Handler might be doing a read in parallel or | ||
8 | before a write, expectContinueReader needs to synchronize with the | ||
9 | ResponseWriter, and abort if a response already went out. | ||
10 | |||
11 | The tests will land in a separate CL. | ||
12 | |||
13 | Fixes #34902 | ||
14 | Fixes CVE-2020-15586 | ||
15 | |||
16 | Change-Id: Icdd8dd539f45e8863762bd378194bb4741e875fc | ||
17 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793350 | ||
18 | Reviewed-by: Filippo Valsorda <valsorda@google.com> | ||
19 | Reviewed-on: https://go-review.googlesource.com/c/go/+/242598 | ||
20 | Run-TryBot: Katie Hockman <katie@golang.org> | ||
21 | Reviewed-by: Filippo Valsorda <filippo@golang.org> | ||
22 | TryBot-Result: Gobot Gobot <gobot@golang.org> | ||
23 | |||
24 | Upstream-Status: Backport | ||
25 | CVE: CVE-2020-15586 | ||
26 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
27 | --- | ||
28 | src/net/http/server.go | 43 +++++++++++++++++++++++++++++++++++------- | ||
29 | 1 file changed, 36 insertions(+), 7 deletions(-) | ||
30 | |||
31 | diff --git a/src/net/http/server.go b/src/net/http/server.go | ||
32 | index a995a50658..d41b5f6f48 100644 | ||
33 | --- a/src/net/http/server.go | ||
34 | +++ b/src/net/http/server.go | ||
35 | @@ -425,6 +425,16 @@ type response struct { | ||
36 | wants10KeepAlive bool // HTTP/1.0 w/ Connection "keep-alive" | ||
37 | wantsClose bool // HTTP request has Connection "close" | ||
38 | |||
39 | + // canWriteContinue is a boolean value accessed as an atomic int32 | ||
40 | + // that says whether or not a 100 Continue header can be written | ||
41 | + // to the connection. | ||
42 | + // writeContinueMu must be held while writing the header. | ||
43 | + // These two fields together synchronize the body reader | ||
44 | + // (the expectContinueReader, which wants to write 100 Continue) | ||
45 | + // against the main writer. | ||
46 | + canWriteContinue atomicBool | ||
47 | + writeContinueMu sync.Mutex | ||
48 | + | ||
49 | w *bufio.Writer // buffers output in chunks to chunkWriter | ||
50 | cw chunkWriter | ||
51 | |||
52 | @@ -515,6 +525,7 @@ type atomicBool int32 | ||
53 | |||
54 | func (b *atomicBool) isSet() bool { return atomic.LoadInt32((*int32)(b)) != 0 } | ||
55 | func (b *atomicBool) setTrue() { atomic.StoreInt32((*int32)(b), 1) } | ||
56 | +func (b *atomicBool) setFalse() { atomic.StoreInt32((*int32)(b), 0) } | ||
57 | |||
58 | // declareTrailer is called for each Trailer header when the | ||
59 | // response header is written. It notes that a header will need to be | ||
60 | @@ -878,21 +889,27 @@ type expectContinueReader struct { | ||
61 | resp *response | ||
62 | readCloser io.ReadCloser | ||
63 | closed bool | ||
64 | - sawEOF bool | ||
65 | + sawEOF atomicBool | ||
66 | } | ||
67 | |||
68 | func (ecr *expectContinueReader) Read(p []byte) (n int, err error) { | ||
69 | if ecr.closed { | ||
70 | return 0, ErrBodyReadAfterClose | ||
71 | } | ||
72 | - if !ecr.resp.wroteContinue && !ecr.resp.conn.hijacked() { | ||
73 | - ecr.resp.wroteContinue = true | ||
74 | - ecr.resp.conn.bufw.WriteString("HTTP/1.1 100 Continue\r\n\r\n") | ||
75 | - ecr.resp.conn.bufw.Flush() | ||
76 | + w := ecr.resp | ||
77 | + if !w.wroteContinue && w.canWriteContinue.isSet() && !w.conn.hijacked() { | ||
78 | + w.wroteContinue = true | ||
79 | + w.writeContinueMu.Lock() | ||
80 | + if w.canWriteContinue.isSet() { | ||
81 | + w.conn.bufw.WriteString("HTTP/1.1 100 Continue\r\n\r\n") | ||
82 | + w.conn.bufw.Flush() | ||
83 | + w.canWriteContinue.setFalse() | ||
84 | + } | ||
85 | + w.writeContinueMu.Unlock() | ||
86 | } | ||
87 | n, err = ecr.readCloser.Read(p) | ||
88 | if err == io.EOF { | ||
89 | - ecr.sawEOF = true | ||
90 | + ecr.sawEOF.setTrue() | ||
91 | } | ||
92 | return | ||
93 | } | ||
94 | @@ -1311,7 +1328,7 @@ func (cw *chunkWriter) writeHeader(p []byte) { | ||
95 | // because we don't know if the next bytes on the wire will be | ||
96 | // the body-following-the-timer or the subsequent request. | ||
97 | // See Issue 11549. | ||
98 | - if ecr, ok := w.req.Body.(*expectContinueReader); ok && !ecr.sawEOF { | ||
99 | + if ecr, ok := w.req.Body.(*expectContinueReader); ok && !ecr.sawEOF.isSet() { | ||
100 | w.closeAfterReply = true | ||
101 | } | ||
102 | |||
103 | @@ -1561,6 +1578,17 @@ func (w *response) write(lenData int, dataB []byte, dataS string) (n int, err er | ||
104 | } | ||
105 | return 0, ErrHijacked | ||
106 | } | ||
107 | + | ||
108 | + if w.canWriteContinue.isSet() { | ||
109 | + // Body reader wants to write 100 Continue but hasn't yet. | ||
110 | + // Tell it not to. The store must be done while holding the lock | ||
111 | + // because the lock makes sure that there is not an active write | ||
112 | + // this very moment. | ||
113 | + w.writeContinueMu.Lock() | ||
114 | + w.canWriteContinue.setFalse() | ||
115 | + w.writeContinueMu.Unlock() | ||
116 | + } | ||
117 | + | ||
118 | if !w.wroteHeader { | ||
119 | w.WriteHeader(StatusOK) | ||
120 | } | ||
121 | @@ -1872,6 +1900,7 @@ func (c *conn) serve(ctx context.Context) { | ||
122 | if req.ProtoAtLeast(1, 1) && req.ContentLength != 0 { | ||
123 | // Wrap the Body reader with one that replies on the connection | ||
124 | req.Body = &expectContinueReader{readCloser: req.Body, resp: w} | ||
125 | + w.canWriteContinue.setTrue() | ||
126 | } | ||
127 | } else if req.Header.get("Expect") != "" { | ||
128 | w.sendExpectationFailed() | ||
129 | -- | ||
130 | 2.17.1 | ||
131 | |||
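Review bot: This backport lands with no regression test: the upstream description states "The tests will land in a separate CL" and the diffstat on lines 28-29 lists only server.go, so the 100-Continue/Handler write race is fixed in go 1.12 with nothing guarding it against a future patch reorder. The patch header should either name the follow-up upstream test CL that was deliberately left out (a placeholder such as `<upstream-test-CL-id>` until it is looked up) or state plainly that the tests were not backported and why. The `if !w.wroteContinue && w.canWriteContinue.isSet() && !w.conn.hijacked()` check at line 77 still reads the plain `wroteContinue` bool before the mutex is taken; that mirrors upstream exactly, which is the right call for a CVE backport and is worth one sentence in the header so nobody "hardens" it locally.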
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch new file mode 100644 index 0000000000..80f467522f --- /dev/null +++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch | |||
@@ -0,0 +1,110 @@ | |||
1 | From 027d7241ce050d197e7fabea3d541ffbe3487258 Mon Sep 17 00:00:00 2001 | ||
2 | From: Katie Hockman <katie@golang.org> | ||
3 | Date: Tue, 4 Aug 2020 11:45:32 -0400 | ||
4 | Subject: [PATCH] encoding/binary: read at most MaxVarintLen64 bytes in | ||
5 | ReadUvarint | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | This CL ensures that ReadUvarint consumes only a limited | ||
11 | amount of input (instead of an unbounded amount). | ||
12 | |||
13 | On some inputs, ReadUvarint could read an arbitrary number | ||
14 | of bytes before deciding to return an overflow error. | ||
15 | After this CL, ReadUvarint returns that same overflow | ||
16 | error sooner, after reading at most MaxVarintLen64 bytes. | ||
17 | |||
18 | Fix authored by Robert Griesemer and Filippo Valsorda. | ||
19 | |||
20 | Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, | ||
21 | and Preston Van Loon for reporting this. | ||
22 | |||
23 | Fixes #40618 | ||
24 | Fixes CVE-2020-16845 | ||
25 | |||
26 | Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f | ||
27 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099 | ||
28 | Reviewed-by: Filippo Valsorda <valsorda@google.com> | ||
29 | Reviewed-on: https://go-review.googlesource.com/c/go/+/247120 | ||
30 | Run-TryBot: Katie Hockman <katie@golang.org> | ||
31 | TryBot-Result: Gobot Gobot <gobot@golang.org> | ||
32 | Reviewed-by: Alexander Rakoczy <alex@golang.org> | ||
33 | |||
34 | Upstream-Status: Backport [https://github.com/golang/go.git] | ||
35 | CVE: CVE-2020-16845 | ||
36 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
37 | --- | ||
38 | src/encoding/binary/varint.go | 5 +++-- | ||
39 | src/encoding/binary/varint_test.go | 18 ++++++++++++------ | ||
40 | 2 files changed, 15 insertions(+), 8 deletions(-) | ||
41 | |||
42 | diff --git a/src/encoding/binary/varint.go b/src/encoding/binary/varint.go | ||
43 | index bcb8ac9a45..38af61075c 100644 | ||
44 | --- a/src/encoding/binary/varint.go | ||
45 | +++ b/src/encoding/binary/varint.go | ||
46 | @@ -106,13 +106,13 @@ var overflow = errors.New("binary: varint overflows a 64-bit integer") | ||
47 | func ReadUvarint(r io.ByteReader) (uint64, error) { | ||
48 | var x uint64 | ||
49 | var s uint | ||
50 | - for i := 0; ; i++ { | ||
51 | + for i := 0; i < MaxVarintLen64; i++ { | ||
52 | b, err := r.ReadByte() | ||
53 | if err != nil { | ||
54 | return x, err | ||
55 | } | ||
56 | if b < 0x80 { | ||
57 | - if i > 9 || i == 9 && b > 1 { | ||
58 | + if i == 9 && b > 1 { | ||
59 | return x, overflow | ||
60 | } | ||
61 | return x | uint64(b)<<s, nil | ||
62 | @@ -120,6 +120,7 @@ func ReadUvarint(r io.ByteReader) (uint64, error) { | ||
63 | x |= uint64(b&0x7f) << s | ||
64 | s += 7 | ||
65 | } | ||
66 | + return x, overflow | ||
67 | } | ||
68 | |||
69 | // ReadVarint reads an encoded signed integer from r and returns it as an int64. | ||
70 | diff --git a/src/encoding/binary/varint_test.go b/src/encoding/binary/varint_test.go | ||
71 | index ca411ecbd6..6ef4c99505 100644 | ||
72 | --- a/src/encoding/binary/varint_test.go | ||
73 | +++ b/src/encoding/binary/varint_test.go | ||
74 | @@ -121,21 +121,27 @@ func TestBufferTooSmall(t *testing.T) { | ||
75 | } | ||
76 | } | ||
77 | |||
78 | -func testOverflow(t *testing.T, buf []byte, n0 int, err0 error) { | ||
79 | +func testOverflow(t *testing.T, buf []byte, x0 uint64, n0 int, err0 error) { | ||
80 | x, n := Uvarint(buf) | ||
81 | if x != 0 || n != n0 { | ||
82 | t.Errorf("Uvarint(%v): got x = %d, n = %d; want 0, %d", buf, x, n, n0) | ||
83 | } | ||
84 | |||
85 | - x, err := ReadUvarint(bytes.NewReader(buf)) | ||
86 | - if x != 0 || err != err0 { | ||
87 | - t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want 0, %s", buf, x, err, err0) | ||
88 | + r := bytes.NewReader(buf) | ||
89 | + len := r.Len() | ||
90 | + x, err := ReadUvarint(r) | ||
91 | + if x != x0 || err != err0 { | ||
92 | + t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want %d, %s", buf, x, err, x0, err0) | ||
93 | + } | ||
94 | + if read := len - r.Len(); read > MaxVarintLen64 { | ||
95 | + t.Errorf("ReadUvarint(%v): read more than MaxVarintLen64 bytes, got %d", buf, read) | ||
96 | } | ||
97 | } | ||
98 | |||
99 | func TestOverflow(t *testing.T) { | ||
100 | - testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, -10, overflow) | ||
101 | - testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, -13, overflow) | ||
102 | + testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, 0, -10, overflow) | ||
103 | + testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, 0, -13, overflow) | ||
104 | + testOverflow(t, []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 1<<64-1, 0, overflow) // 11 bytes, should overflow | ||
105 | } | ||
106 | |||
107 | func TestNonCanonicalZero(t *testing.T) { | ||
108 | -- | ||
109 | 2.17.0 | ||
110 | |||
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch new file mode 100644 index 0000000000..18a218bc9a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch | |||
@@ -0,0 +1,429 @@ | |||
1 | From eb07103a083237414145a45f029c873d57037e06 Mon Sep 17 00:00:00 2001 | ||
2 | From: Roberto Clapis <roberto@golang.org> | ||
3 | Date: Wed, 26 Aug 2020 08:53:03 +0200 | ||
4 | Subject: [PATCH] [release-branch.go1.15-security] net/http/cgi,net/http/fcgi: | ||
5 | add Content-Type detection | ||
6 | |||
7 | This CL ensures that responses served via CGI and FastCGI | ||
8 | have a Content-Type header based on the content of the | ||
9 | response if not explicitly set by handlers. | ||
10 | |||
11 | If the implementers of the handler did not explicitly | ||
12 | specify a Content-Type both CGI implementations would default | ||
13 | to "text/html", potentially causing cross-site scripting. | ||
14 | |||
15 | Thanks to RedTeam Pentesting GmbH for reporting this. | ||
16 | |||
17 | Fixes CVE-2020-24553 | ||
18 | |||
19 | Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473 | ||
20 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217 | ||
21 | Reviewed-by: Russ Cox <rsc@google.com> | ||
22 | (cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0) | ||
23 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835311 | ||
24 | Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> | ||
25 | |||
26 | Upstream-Status: Backport | ||
27 | CVE: CVE-2020-24553 | ||
28 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
29 | --- | ||
30 | src/net/http/cgi/child.go | 36 ++++++++++----- | ||
31 | src/net/http/cgi/child_test.go | 69 ++++++++++++++++++++++++++++ | ||
32 | src/net/http/cgi/integration_test.go | 53 ++++++++++++++++++++- | ||
33 | src/net/http/fcgi/child.go | 39 ++++++++++++---- | ||
34 | src/net/http/fcgi/fcgi_test.go | 52 +++++++++++++++++++++ | ||
35 | 5 files changed, 227 insertions(+), 22 deletions(-) | ||
36 | |||
37 | diff --git a/src/net/http/cgi/child.go b/src/net/http/cgi/child.go | ||
38 | index 9474175f17..61de6165f6 100644 | ||
39 | --- a/src/net/http/cgi/child.go | ||
40 | +++ b/src/net/http/cgi/child.go | ||
41 | @@ -163,10 +163,12 @@ func Serve(handler http.Handler) error { | ||
42 | } | ||
43 | |||
44 | type response struct { | ||
45 | - req *http.Request | ||
46 | - header http.Header | ||
47 | - bufw *bufio.Writer | ||
48 | - headerSent bool | ||
49 | + req *http.Request | ||
50 | + header http.Header | ||
51 | + code int | ||
52 | + wroteHeader bool | ||
53 | + wroteCGIHeader bool | ||
54 | + bufw *bufio.Writer | ||
55 | } | ||
56 | |||
57 | func (r *response) Flush() { | ||
58 | @@ -178,26 +180,38 @@ func (r *response) Header() http.Header { | ||
59 | } | ||
60 | |||
61 | func (r *response) Write(p []byte) (n int, err error) { | ||
62 | - if !r.headerSent { | ||
63 | + if !r.wroteHeader { | ||
64 | r.WriteHeader(http.StatusOK) | ||
65 | } | ||
66 | + if !r.wroteCGIHeader { | ||
67 | + r.writeCGIHeader(p) | ||
68 | + } | ||
69 | return r.bufw.Write(p) | ||
70 | } | ||
71 | |||
72 | func (r *response) WriteHeader(code int) { | ||
73 | - if r.headerSent { | ||
74 | + if r.wroteHeader { | ||
75 | // Note: explicitly using Stderr, as Stdout is our HTTP output. | ||
76 | fmt.Fprintf(os.Stderr, "CGI attempted to write header twice on request for %s", r.req.URL) | ||
77 | return | ||
78 | } | ||
79 | - r.headerSent = true | ||
80 | - fmt.Fprintf(r.bufw, "Status: %d %s\r\n", code, http.StatusText(code)) | ||
81 | + r.wroteHeader = true | ||
82 | + r.code = code | ||
83 | +} | ||
84 | |||
85 | - // Set a default Content-Type | ||
86 | +// writeCGIHeader finalizes the header sent to the client and writes it to the output. | ||
87 | +// p is not written by writeHeader, but is the first chunk of the body | ||
88 | +// that will be written. It is sniffed for a Content-Type if none is | ||
89 | +// set explicitly. | ||
90 | +func (r *response) writeCGIHeader(p []byte) { | ||
91 | + if r.wroteCGIHeader { | ||
92 | + return | ||
93 | + } | ||
94 | + r.wroteCGIHeader = true | ||
95 | + fmt.Fprintf(r.bufw, "Status: %d %s\r\n", r.code, http.StatusText(r.code)) | ||
96 | if _, hasType := r.header["Content-Type"]; !hasType { | ||
97 | - r.header.Add("Content-Type", "text/html; charset=utf-8") | ||
98 | + r.header.Set("Content-Type", http.DetectContentType(p)) | ||
99 | } | ||
100 | - | ||
101 | r.header.Write(r.bufw) | ||
102 | r.bufw.WriteString("\r\n") | ||
103 | r.bufw.Flush() | ||
104 | diff --git a/src/net/http/cgi/child_test.go b/src/net/http/cgi/child_test.go | ||
105 | index 14e0af475f..f6ecb6eb80 100644 | ||
106 | --- a/src/net/http/cgi/child_test.go | ||
107 | +++ b/src/net/http/cgi/child_test.go | ||
108 | @@ -7,6 +7,11 @@ | ||
109 | package cgi | ||
110 | |||
111 | import ( | ||
112 | + "bufio" | ||
113 | + "bytes" | ||
114 | + "net/http" | ||
115 | + "net/http/httptest" | ||
116 | + "strings" | ||
117 | "testing" | ||
118 | ) | ||
119 | |||
120 | @@ -148,3 +153,67 @@ func TestRequestWithoutRemotePort(t *testing.T) { | ||
121 | t.Errorf("RemoteAddr: got %q; want %q", g, e) | ||
122 | } | ||
123 | } | ||
124 | + | ||
125 | +type countingWriter int | ||
126 | + | ||
127 | +func (c *countingWriter) Write(p []byte) (int, error) { | ||
128 | + *c += countingWriter(len(p)) | ||
129 | + return len(p), nil | ||
130 | +} | ||
131 | +func (c *countingWriter) WriteString(p string) (int, error) { | ||
132 | + *c += countingWriter(len(p)) | ||
133 | + return len(p), nil | ||
134 | +} | ||
135 | + | ||
136 | +func TestResponse(t *testing.T) { | ||
137 | + var tests = []struct { | ||
138 | + name string | ||
139 | + body string | ||
140 | + wantCT string | ||
141 | + }{ | ||
142 | + { | ||
143 | + name: "no body", | ||
144 | + wantCT: "text/plain; charset=utf-8", | ||
145 | + }, | ||
146 | + { | ||
147 | + name: "html", | ||
148 | + body: "<html><head><title>test page</title></head><body>This is a body</body></html>", | ||
149 | + wantCT: "text/html; charset=utf-8", | ||
150 | + }, | ||
151 | + { | ||
152 | + name: "text", | ||
153 | + body: strings.Repeat("gopher", 86), | ||
154 | + wantCT: "text/plain; charset=utf-8", | ||
155 | + }, | ||
156 | + { | ||
157 | + name: "jpg", | ||
158 | + body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024), | ||
159 | + wantCT: "image/jpeg", | ||
160 | + }, | ||
161 | + } | ||
162 | + for _, tt := range tests { | ||
163 | + t.Run(tt.name, func(t *testing.T) { | ||
164 | + var buf bytes.Buffer | ||
165 | + resp := response{ | ||
166 | + req: httptest.NewRequest("GET", "/", nil), | ||
167 | + header: http.Header{}, | ||
168 | + bufw: bufio.NewWriter(&buf), | ||
169 | + } | ||
170 | + n, err := resp.Write([]byte(tt.body)) | ||
171 | + if err != nil { | ||
172 | + t.Errorf("Write: unexpected %v", err) | ||
173 | + } | ||
174 | + if want := len(tt.body); n != want { | ||
175 | + t.Errorf("reported short Write: got %v want %v", n, want) | ||
176 | + } | ||
177 | + resp.writeCGIHeader(nil) | ||
178 | + resp.Flush() | ||
179 | + if got := resp.Header().Get("Content-Type"); got != tt.wantCT { | ||
180 | + t.Errorf("wrong content-type: got %q, want %q", got, tt.wantCT) | ||
181 | + } | ||
182 | + if !bytes.HasSuffix(buf.Bytes(), []byte(tt.body)) { | ||
183 | + t.Errorf("body was not correctly written") | ||
184 | + } | ||
185 | + }) | ||
186 | + } | ||
187 | +} | ||
188 | diff --git a/src/net/http/cgi/integration_test.go b/src/net/http/cgi/integration_test.go | ||
189 | index 32d59c09a3..295c3b82d4 100644 | ||
190 | --- a/src/net/http/cgi/integration_test.go | ||
191 | +++ b/src/net/http/cgi/integration_test.go | ||
192 | @@ -16,7 +16,9 @@ import ( | ||
193 | "io" | ||
194 | "net/http" | ||
195 | "net/http/httptest" | ||
196 | + "net/url" | ||
197 | "os" | ||
198 | + "strings" | ||
199 | "testing" | ||
200 | "time" | ||
201 | ) | ||
202 | @@ -52,7 +54,7 @@ func TestHostingOurselves(t *testing.T) { | ||
203 | } | ||
204 | replay := runCgiTest(t, h, "GET /test.go?foo=bar&a=b HTTP/1.0\nHost: example.com\n\n", expectedMap) | ||
205 | |||
206 | - if expected, got := "text/html; charset=utf-8", replay.Header().Get("Content-Type"); got != expected { | ||
207 | + if expected, got := "text/plain; charset=utf-8", replay.Header().Get("Content-Type"); got != expected { | ||
208 | t.Errorf("got a Content-Type of %q; expected %q", got, expected) | ||
209 | } | ||
210 | if expected, got := "X-Test-Value", replay.Header().Get("X-Test-Header"); got != expected { | ||
211 | @@ -152,6 +154,51 @@ func TestChildOnlyHeaders(t *testing.T) { | ||
212 | } | ||
213 | } | ||
214 | |||
215 | +func TestChildContentType(t *testing.T) { | ||
216 | + testenv.MustHaveExec(t) | ||
217 | + | ||
218 | + h := &Handler{ | ||
219 | + Path: os.Args[0], | ||
220 | + Root: "/test.go", | ||
221 | + Args: []string{"-test.run=TestBeChildCGIProcess"}, | ||
222 | + } | ||
223 | + var tests = []struct { | ||
224 | + name string | ||
225 | + body string | ||
226 | + wantCT string | ||
227 | + }{ | ||
228 | + { | ||
229 | + name: "no body", | ||
230 | + wantCT: "text/plain; charset=utf-8", | ||
231 | + }, | ||
232 | + { | ||
233 | + name: "html", | ||
234 | + body: "<html><head><title>test page</title></head><body>This is a body</body></html>", | ||
235 | + wantCT: "text/html; charset=utf-8", | ||
236 | + }, | ||
237 | + { | ||
238 | + name: "text", | ||
239 | + body: strings.Repeat("gopher", 86), | ||
240 | + wantCT: "text/plain; charset=utf-8", | ||
241 | + }, | ||
242 | + { | ||
243 | + name: "jpg", | ||
244 | + body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024), | ||
245 | + wantCT: "image/jpeg", | ||
246 | + }, | ||
247 | + } | ||
248 | + for _, tt := range tests { | ||
249 | + t.Run(tt.name, func(t *testing.T) { | ||
250 | + expectedMap := map[string]string{"_body": tt.body} | ||
251 | + req := fmt.Sprintf("GET /test.go?exact-body=%s HTTP/1.0\nHost: example.com\n\n", url.QueryEscape(tt.body)) | ||
252 | + replay := runCgiTest(t, h, req, expectedMap) | ||
253 | + if got := replay.Header().Get("Content-Type"); got != tt.wantCT { | ||
254 | + t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT) | ||
255 | + } | ||
256 | + }) | ||
257 | + } | ||
258 | +} | ||
259 | + | ||
260 | // golang.org/issue/7198 | ||
261 | func Test500WithNoHeaders(t *testing.T) { want500Test(t, "/immediate-disconnect") } | ||
262 | func Test500WithNoContentType(t *testing.T) { want500Test(t, "/no-content-type") } | ||
263 | @@ -203,6 +250,10 @@ func TestBeChildCGIProcess(t *testing.T) { | ||
264 | if req.FormValue("no-body") == "1" { | ||
265 | return | ||
266 | } | ||
267 | + if eb, ok := req.Form["exact-body"]; ok { | ||
268 | + io.WriteString(rw, eb[0]) | ||
269 | + return | ||
270 | + } | ||
271 | if req.FormValue("write-forever") == "1" { | ||
272 | io.Copy(rw, neverEnding('a')) | ||
273 | for { | ||
274 | diff --git a/src/net/http/fcgi/child.go b/src/net/http/fcgi/child.go | ||
275 | index 30a6b2ce2d..a31273b3ec 100644 | ||
276 | --- a/src/net/http/fcgi/child.go | ||
277 | +++ b/src/net/http/fcgi/child.go | ||
278 | @@ -74,10 +74,12 @@ func (r *request) parseParams() { | ||
279 | |||
280 | // response implements http.ResponseWriter. | ||
281 | type response struct { | ||
282 | - req *request | ||
283 | - header http.Header | ||
284 | - w *bufWriter | ||
285 | - wroteHeader bool | ||
286 | + req *request | ||
287 | + header http.Header | ||
288 | + code int | ||
289 | + wroteHeader bool | ||
290 | + wroteCGIHeader bool | ||
291 | + w *bufWriter | ||
292 | } | ||
293 | |||
294 | func newResponse(c *child, req *request) *response { | ||
295 | @@ -92,11 +94,14 @@ func (r *response) Header() http.Header { | ||
296 | return r.header | ||
297 | } | ||
298 | |||
299 | -func (r *response) Write(data []byte) (int, error) { | ||
300 | +func (r *response) Write(p []byte) (n int, err error) { | ||
301 | if !r.wroteHeader { | ||
302 | r.WriteHeader(http.StatusOK) | ||
303 | } | ||
304 | - return r.w.Write(data) | ||
305 | + if !r.wroteCGIHeader { | ||
306 | + r.writeCGIHeader(p) | ||
307 | + } | ||
308 | + return r.w.Write(p) | ||
309 | } | ||
310 | |||
311 | func (r *response) WriteHeader(code int) { | ||
312 | @@ -104,22 +109,34 @@ func (r *response) WriteHeader(code int) { | ||
313 | return | ||
314 | } | ||
315 | r.wroteHeader = true | ||
316 | + r.code = code | ||
317 | if code == http.StatusNotModified { | ||
318 | // Must not have body. | ||
319 | r.header.Del("Content-Type") | ||
320 | r.header.Del("Content-Length") | ||
321 | r.header.Del("Transfer-Encoding") | ||
322 | - } else if r.header.Get("Content-Type") == "" { | ||
323 | - r.header.Set("Content-Type", "text/html; charset=utf-8") | ||
324 | } | ||
325 | - | ||
326 | if r.header.Get("Date") == "" { | ||
327 | r.header.Set("Date", time.Now().UTC().Format(http.TimeFormat)) | ||
328 | } | ||
329 | +} | ||
330 | |||
331 | - fmt.Fprintf(r.w, "Status: %d %s\r\n", code, http.StatusText(code)) | ||
332 | +// writeCGIHeader finalizes the header sent to the client and writes it to the output. | ||
333 | +// p is not written by writeHeader, but is the first chunk of the body | ||
334 | +// that will be written. It is sniffed for a Content-Type if none is | ||
335 | +// set explicitly. | ||
336 | +func (r *response) writeCGIHeader(p []byte) { | ||
337 | + if r.wroteCGIHeader { | ||
338 | + return | ||
339 | + } | ||
340 | + r.wroteCGIHeader = true | ||
341 | + fmt.Fprintf(r.w, "Status: %d %s\r\n", r.code, http.StatusText(r.code)) | ||
342 | + if _, hasType := r.header["Content-Type"]; r.code != http.StatusNotModified && !hasType { | ||
343 | + r.header.Set("Content-Type", http.DetectContentType(p)) | ||
344 | + } | ||
345 | r.header.Write(r.w) | ||
346 | r.w.WriteString("\r\n") | ||
347 | + r.w.Flush() | ||
348 | } | ||
349 | |||
350 | func (r *response) Flush() { | ||
351 | @@ -290,6 +307,8 @@ func (c *child) serveRequest(req *request, body io.ReadCloser) { | ||
352 | httpReq = httpReq.WithContext(envVarCtx) | ||
353 | c.handler.ServeHTTP(r, httpReq) | ||
354 | } | ||
355 | + // Make sure we serve something even if nothing was written to r | ||
356 | + r.Write(nil) | ||
357 | r.Close() | ||
358 | c.mu.Lock() | ||
359 | delete(c.requests, req.reqId) | ||
360 | diff --git a/src/net/http/fcgi/fcgi_test.go b/src/net/http/fcgi/fcgi_test.go | ||
361 | index e9d2b34023..4a27a12c35 100644 | ||
362 | --- a/src/net/http/fcgi/fcgi_test.go | ||
363 | +++ b/src/net/http/fcgi/fcgi_test.go | ||
364 | @@ -10,6 +10,7 @@ import ( | ||
365 | "io" | ||
366 | "io/ioutil" | ||
367 | "net/http" | ||
368 | + "strings" | ||
369 | "testing" | ||
370 | ) | ||
371 | |||
372 | @@ -344,3 +345,54 @@ func TestChildServeReadsEnvVars(t *testing.T) { | ||
373 | <-done | ||
374 | } | ||
375 | } | ||
376 | + | ||
377 | +func TestResponseWriterSniffsContentType(t *testing.T) { | ||
378 | + var tests = []struct { | ||
379 | + name string | ||
380 | + body string | ||
381 | + wantCT string | ||
382 | + }{ | ||
383 | + { | ||
384 | + name: "no body", | ||
385 | + wantCT: "text/plain; charset=utf-8", | ||
386 | + }, | ||
387 | + { | ||
388 | + name: "html", | ||
389 | + body: "<html><head><title>test page</title></head><body>This is a body</body></html>", | ||
390 | + wantCT: "text/html; charset=utf-8", | ||
391 | + }, | ||
392 | + { | ||
393 | + name: "text", | ||
394 | + body: strings.Repeat("gopher", 86), | ||
395 | + wantCT: "text/plain; charset=utf-8", | ||
396 | + }, | ||
397 | + { | ||
398 | + name: "jpg", | ||
399 | + body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024), | ||
400 | + wantCT: "image/jpeg", | ||
401 | + }, | ||
402 | + } | ||
403 | + for _, tt := range tests { | ||
404 | + t.Run(tt.name, func(t *testing.T) { | ||
405 | + input := make([]byte, len(streamFullRequestStdin)) | ||
406 | + copy(input, streamFullRequestStdin) | ||
407 | + rc := nopWriteCloser{bytes.NewBuffer(input)} | ||
408 | + done := make(chan bool) | ||
409 | + var resp *response | ||
410 | + c := newChild(rc, http.HandlerFunc(func( | ||
411 | + w http.ResponseWriter, | ||
412 | + r *http.Request, | ||
413 | + ) { | ||
414 | + io.WriteString(w, tt.body) | ||
415 | + resp = w.(*response) | ||
416 | + done <- true | ||
417 | + })) | ||
418 | + defer c.cleanUp() | ||
419 | + go c.serve() | ||
420 | + <-done | ||
421 | + if got := resp.Header().Get("Content-Type"); got != tt.wantCT { | ||
422 | + t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT) | ||
423 | + } | ||
424 | + }) | ||
425 | + } | ||
426 | +} | ||
427 | -- | ||
428 | 2.17.1 | ||
429 | |||
diff --git a/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch new file mode 100644 index 0000000000..594510342b --- /dev/null +++ b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch | |||
@@ -0,0 +1,23 @@ | |||
1 | traceback2 adds traceback for python2. Rather than depend on traceback2, we're | ||
2 | python3 only so just use traceback. | ||
3 | This caused breakage in oe-selftest -j which uses testtools on the autobuilder | ||
4 | using buildtools-tarball. | ||
5 | |||
6 | Upstream-Status: Inappropriate [Our recipe is python3 specific] | ||
7 | (Once py2 is EOL upstream probably could/should take this) | ||
8 | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> | ||
9 | |||
10 | Index: testtools-2.3.0/testtools/content.py | ||
11 | =================================================================== | ||
12 | --- testtools-2.3.0.orig/testtools/content.py | ||
13 | +++ testtools-2.3.0/testtools/content.py | ||
14 | @@ -19,8 +19,7 @@ import os | ||
15 | import sys | ||
16 | |||
17 | from extras import try_import | ||
18 | -# To let setup.py work, make this a conditional import. | ||
19 | -traceback = try_import('traceback2') | ||
20 | +import traceback | ||
21 | |||
22 | from testtools.compat import ( | ||
23 | _b, | ||
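Review bot: The hunk drops the only visible use of `try_import` (the `traceback = try_import('traceback2')` line) but keeps `from extras import try_import` two lines above it, so if nothing else in content.py calls `try_import` the patch now leaves an unused import of a third-party module that the recipe must still ship at runtime; I could not see the rest of the file, so either drop that import too or note in the patch header that `extras` is still needed elsewhere. The header sentence "Rather than depend on traceback2, we're python3 only so just use traceback." would also read better as `Rather than depend on traceback2 (a python2 backport), use the stdlib traceback module; this recipe is python3 only.`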
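--- a/meta/recipes-devtools/python/python3-testtools_2.3.0.bb
+++ b/meta/recipes-devtools/python/python3-testtools_2.3.0.bb
@@ -1,2 +1,4 @@
 inherit setuptools3
 require python-testtools.inc
+
+SRC_URI += "file://no_traceback2.patch"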
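--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,10 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-11869.patch \
 file://CVE-2020-13765.patch \
 file://CVE-2020-10702.patch \
+file://CVE-2020-16092.patch \
+file://CVE-2020-10756.patch \
+file://CVE-2020-15863.patch \
+file://CVE-2020-14364.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 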
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch new file mode 100644 index 0000000000..306aef061b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Ralf Haferkamp <rhafer@suse.com> | ||
3 | Date: Fri, 3 Jul 2020 14:51:16 +0200 | ||
4 | Subject: [PATCH] Drop bogus IPv6 messages | ||
5 | |||
6 | Drop IPv6 message shorter than what's mentioned in the payload | ||
7 | length header (+ the size of the IPv6 header). They're invalid an could | ||
8 | lead to data leakage in icmp6_send_echoreply(). | ||
9 | |||
10 | CVE: CVE-2020-10756 | ||
11 | Upstream-Status: Backport | ||
12 | https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0 | ||
13 | |||
14 | [SG: Based on libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 and adjusted context] | ||
15 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> | ||
16 | --- | ||
17 | slirp/src/ip6_input.c | 7 +++++++ | ||
18 | 1 file changed, 7 insertions(+) | ||
19 | |||
20 | diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c | ||
21 | index d9d2b7e9..0f2b1785 100644 | ||
22 | --- a/slirp/src/ip6_input.c | ||
23 | +++ b/slirp/src/ip6_input.c | ||
24 | @@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m) | ||
25 | goto bad; | ||
26 | } | ||
27 | |||
28 | + // Check if the message size is big enough to hold what's | ||
29 | + // set in the payload length header. If not this is an invalid | ||
30 | + // packet | ||
31 | + if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) { | ||
32 | + goto bad; | ||
33 | + } | ||
34 | + | ||
35 | /* check ip_ttl for a correct ICMP reply */ | ||
36 | if (ip6->ip_hl == 0) { | ||
37 | icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS); | ||
38 | -- | ||
39 | 2.17.1 | ||
40 | |||
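Review bot: The new length check compares `m->m_len` against a `size_t` expression, so if `m_len` is a signed `int` (as slirp's mbuf declares it — confirm for this tree) it is converted to unsigned for the comparison, which is only safe because the check that ends in the `goto bad` at the top of the hunk has presumably already established `m_len >= sizeof(struct ip6)`; a one-line comment recording that ordering dependency, `/* m_len >= sizeof(struct ip6) was checked above, so the unsigned compare is safe */`, would keep a future reordering from silently reopening the over-read that icmp6_send_echoreply() performed. The added comment uses `//` while the surrounding file uses `/* ... */` (see the `check ip_ttl` comment directly below); keep one style. OE convention also puts the backport URL on the Upstream-Status line itself rather than on the following line: `Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0]`. ip6_input's body continues on both sides of the hunk.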
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch new file mode 100644 index 0000000000..a109ac08d6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch | |||
@@ -0,0 +1,93 @@ | |||
1 | From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001 | ||
2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
3 | Date: Tue, 25 Aug 2020 07:36:36 +0200 | ||
4 | Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364) | ||
5 | |||
6 | Store calculated setup_len in a local variable, verify it, and only | ||
7 | write it to the struct (USBDevice->setup_len) in case it passed the | ||
8 | sanity checks. | ||
9 | |||
10 | This prevents other code (do_token_{in,out} functions specifically) | ||
11 | from working with invalid USBDevice->setup_len values and overrunning | ||
12 | the USBDevice->setup_buf[] buffer. | ||
13 | |||
14 | Fixes: CVE-2020-14364 | ||
15 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
16 | Tested-by: Gonglei <arei.gonglei@huawei.com> | ||
17 | Reviewed-by: Li Qiang <liq3ea@gmail.com> | ||
18 | Message-id: 20200825053636.29648-1-kraxel@redhat.com | ||
19 | |||
20 | Upstream-Status: Backport | ||
21 | CVE: CVE-2020-14364 | ||
22 | [https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb] | ||
23 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
24 | --- | ||
25 | hw/usb/core.c | 16 ++++++++++------ | ||
26 | 1 file changed, 10 insertions(+), 6 deletions(-) | ||
27 | |||
28 | diff --git a/hw/usb/core.c b/hw/usb/core.c | ||
29 | index 5abd128..5234dcc 100644 | ||
30 | --- a/hw/usb/core.c | ||
31 | +++ b/hw/usb/core.c | ||
32 | @@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream) | ||
33 | static void do_token_setup(USBDevice *s, USBPacket *p) | ||
34 | { | ||
35 | int request, value, index; | ||
36 | + unsigned int setup_len; | ||
37 | |||
38 | if (p->iov.size != 8) { | ||
39 | p->status = USB_RET_STALL; | ||
40 | @@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p) | ||
41 | usb_packet_copy(p, s->setup_buf, p->iov.size); | ||
42 | s->setup_index = 0; | ||
43 | p->actual_length = 0; | ||
44 | - s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; | ||
45 | - if (s->setup_len > sizeof(s->data_buf)) { | ||
46 | + setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; | ||
47 | + if (setup_len > sizeof(s->data_buf)) { | ||
48 | fprintf(stderr, | ||
49 | "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", | ||
50 | - s->setup_len, sizeof(s->data_buf)); | ||
51 | + setup_len, sizeof(s->data_buf)); | ||
52 | p->status = USB_RET_STALL; | ||
53 | return; | ||
54 | } | ||
55 | + s->setup_len = setup_len; | ||
56 | |||
57 | request = (s->setup_buf[0] << 8) | s->setup_buf[1]; | ||
58 | value = (s->setup_buf[3] << 8) | s->setup_buf[2]; | ||
59 | @@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p) | ||
60 | static void do_parameter(USBDevice *s, USBPacket *p) | ||
61 | { | ||
62 | int i, request, value, index; | ||
63 | + unsigned int setup_len; | ||
64 | |||
65 | for (i = 0; i < 8; i++) { | ||
66 | s->setup_buf[i] = p->parameter >> (i*8); | ||
67 | } | ||
68 | |||
69 | s->setup_state = SETUP_STATE_PARAM; | ||
70 | - s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; | ||
71 | s->setup_index = 0; | ||
72 | |||
73 | request = (s->setup_buf[0] << 8) | s->setup_buf[1]; | ||
74 | value = (s->setup_buf[3] << 8) | s->setup_buf[2]; | ||
75 | index = (s->setup_buf[5] << 8) | s->setup_buf[4]; | ||
76 | |||
77 | - if (s->setup_len > sizeof(s->data_buf)) { | ||
78 | + setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; | ||
79 | + if (setup_len > sizeof(s->data_buf)) { | ||
80 | fprintf(stderr, | ||
81 | "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", | ||
82 | - s->setup_len, sizeof(s->data_buf)); | ||
83 | + setup_len, sizeof(s->data_buf)); | ||
84 | p->status = USB_RET_STALL; | ||
85 | return; | ||
86 | } | ||
87 | + s->setup_len = setup_len; | ||
88 | |||
89 | if (p->pid == USB_TOKEN_OUT) { | ||
90 | usb_packet_copy(p, s->data_buf, s->setup_len); | ||
91 | -- | ||
92 | 2.17.1 | ||
93 | |||
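Review bot: Both `fprintf` calls in the hunk still print the new `unsigned int setup_len` with `%d`; the format should follow the type change, `"usb_generic_handle_packet: ctrl buffer too small (%u > %zu)\n"`, so an oversized value is not printed as negative and `-Wformat` stays quiet. On the STALL path `s->setup_len` now keeps its previous, already-validated value instead of the oversized one, which is exactly what protects do_token_{in,out}; I would record that invariant above each `s->setup_len = setup_len;` with `/* only publish a length that fits data_buf; a stale value is always bounded */`. do_parameter's tail (the `usb_packet_copy` that consumes `s->setup_len`) continues beyond the hunk.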
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch new file mode 100644 index 0000000000..9927584d11 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mauro Matteo Cascella <mcascell@redhat.com> | ||
3 | Date: Fri, 10 Jul 2020 11:19:41 +0200 | ||
4 | Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send() | ||
5 | |||
6 | A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It | ||
7 | occurs while sending an Ethernet frame due to missing break statements | ||
8 | and improper checking of the buffer size. | ||
9 | |||
10 | Reported-by: Ziming Zhang <ezrakiez@gmail.com> | ||
11 | Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> | ||
12 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
13 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
14 | |||
15 | CVE: CVE-2020-15863 | ||
16 | Upstream-Status: Backport | ||
17 | [https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555] | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
20 | --- | ||
21 | hw/net/xgmac.c | 14 ++++++++++++-- | ||
22 | 1 file changed, 12 insertions(+), 2 deletions(-) | ||
23 | |||
24 | diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c | ||
25 | index f49df95..f496f7e 100644 | ||
26 | --- a/hw/net/xgmac.c | ||
27 | +++ b/hw/net/xgmac.c | ||
28 | @@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s) | ||
29 | } | ||
30 | len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff); | ||
31 | |||
32 | + /* | ||
33 | + * FIXME: these cases of malformed tx descriptors (bad sizes) | ||
34 | + * should probably be reported back to the guest somehow | ||
35 | + * rather than simply silently stopping processing, but we | ||
36 | + * don't know what the hardware does in this situation. | ||
37 | + * This will only happen for buggy guests anyway. | ||
38 | + */ | ||
39 | if ((bd.buffer1_size & 0xfff) > 2048) { | ||
40 | DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " | ||
41 | "xgmac buffer 1 len on send > 2048 (0x%x)\n", | ||
42 | __func__, bd.buffer1_size & 0xfff); | ||
43 | + break; | ||
44 | } | ||
45 | if ((bd.buffer2_size & 0xfff) != 0) { | ||
46 | DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " | ||
47 | "xgmac buffer 2 len on send != 0 (0x%x)\n", | ||
48 | __func__, bd.buffer2_size & 0xfff); | ||
49 | + break; | ||
50 | } | ||
51 | - if (len >= sizeof(frame)) { | ||
52 | + if (frame_size + len >= sizeof(frame)) { | ||
53 | DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu " | ||
54 | - "buffer\n" , __func__, len, sizeof(frame)); | ||
55 | + "buffer\n" , __func__, frame_size + len, sizeof(frame)); | ||
56 | DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n", | ||
57 | __func__, bd.buffer1_size, bd.buffer2_size); | ||
58 | + break; | ||
59 | } | ||
60 | |||
61 | cpu_physical_memory_read(bd.buffer1_addr, ptr, len); | ||
62 | -- | ||
63 | 1.9.1 | ||
64 | |||
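Review bot: The corrected bound `frame_size + len >= sizeof(frame)` refuses a frame that would exactly fill `frame`, one byte short of the buffer; that is conservative and harmless, but without a comment the next reader is likely to "fix" it to `>`, so add `/* >= keeps one byte of headroom; a frame that exactly fills the buffer is still refused */` above it, or change it to `>` deliberately if no headroom is needed. Each new `break` leaves the descriptor ring un-advanced for this call, and the FIXME explains the silent stop but not that a guest can trigger it on purpose, which is worth one extra sentence there since this is a guest-controlled path. xgmac_enet_send's loop starts and ends outside the hunk, so I could not confirm that `frame_size` is reset before the next frame.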
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch new file mode 100644 index 0000000000..8ce01e26ad --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mauro Matteo Cascella <mcascell@redhat.com> | ||
3 | Date: Sat, 1 Aug 2020 18:42:38 +0200 | ||
4 | Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in | ||
5 | net_tx_pkt_add_raw_fragment() | ||
6 | |||
7 | An assertion failure issue was found in the code that processes network | ||
8 | packets | ||
9 | while adding data fragments into the packet context. It could be abused | ||
10 | by a | ||
11 | malicious guest to abort the QEMU process on the host. This patch | ||
12 | replaces the | ||
13 | affected assert() with a conditional statement, returning false if the | ||
14 | current | ||
15 | data fragment exceeds max_raw_frags. | ||
16 | |||
17 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
18 | Reported-by: Ziming Zhang <ezrakiez@gmail.com> | ||
19 | Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com> | ||
20 | Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> | ||
21 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
22 | |||
23 | Upstream-Status: Backport | ||
24 | CVE: CVE-2020-16092 | ||
25 | [https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8] | ||
26 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
27 | --- | ||
28 | hw/net/net_tx_pkt.c | 5 ++++- | ||
29 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
30 | |||
31 | diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c | ||
32 | index 162f802..54d4c3b 100644 | ||
33 | --- a/hw/net/net_tx_pkt.c | ||
34 | +++ b/hw/net/net_tx_pkt.c | ||
35 | @@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa, | ||
36 | hwaddr mapped_len = 0; | ||
37 | struct iovec *ventry; | ||
38 | assert(pkt); | ||
39 | - assert(pkt->max_raw_frags > pkt->raw_frags); | ||
40 | + | ||
41 | + if (pkt->raw_frags >= pkt->max_raw_frags) { | ||
42 | + return false; | ||
43 | + } | ||
44 | |||
45 | if (!len) { | ||
46 | return true; | ||
47 | -- | ||
48 | 2.17.1 | ||
49 | |||
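Review bot: The new capacity check runs before the `if (!len) return true;` short-circuit, so an empty fragment arriving with the table full now returns false where the old code would have aborted; that ordering is right but worth a comment, `/* check capacity first: an empty fragment must not be reported as accepted once the table is full */`, and every caller must now handle the false return (callers are outside the hunk, so I could not verify they do). Separately, the commit message in the new patch file is wrapped mid-sentence (`packets`, `by a`, `replaces the`, `current` each on a line of their own), which looks like a copy-paste artefact and should be rejoined before this lands.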
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch new file mode 100644 index 0000000000..20a604869b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthieu Herrb <matthieu@herrb.eu> | ||
3 | Date: Sat, 25 Jul 2020 19:33:50 +0200 | ||
4 | Subject: [PATCH] fix for ZDI-11426 | ||
5 | |||
6 | Avoid leaking un-initalized memory to clients by zeroing the | ||
7 | whole pixmap on initial allocation. | ||
8 | |||
9 | This vulnerability was discovered by: | ||
10 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative | ||
11 | |||
12 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> | ||
13 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | CVE: CVE-2020-14347 | ||
17 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
18 | --- | ||
19 | dix/pixmap.c | 2 +- | ||
20 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/dix/pixmap.c b/dix/pixmap.c | ||
23 | index 1186d7dbb..5a0146bbb 100644 | ||
24 | --- a/dix/pixmap.c | ||
25 | +++ b/dix/pixmap.c | ||
26 | @@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize) | ||
27 | if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize) | ||
28 | return NullPixmap; | ||
29 | |||
30 | - pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); | ||
31 | + pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); | ||
32 | if (!pPixmap) | ||
33 | return NullPixmap; | ||
34 | |||
35 | -- | ||
36 | 2.17.1 | ||
37 | |||
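Review bot: `calloc(1, ...)` now zeroes the header plus pixel data on every pixmap allocation, which closes the uninitialised-memory disclosure but also makes each allocation pay for the clear, so a comment above the call, `/* zero the whole allocation: pixel data is otherwise handed to clients uninitialised (ZDI-11426 / CVE-2020-14347) */`, would keep someone from reverting it to malloc for speed. The overflow guard on the preceding line still covers the addition and calloc's own size check covers the multiplication, so the arithmetic is safe. Per OE convention the Upstream-Status line should carry the backport URL, `Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816]`, built from the commit id in the patch header.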
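--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
 file://0001-test-xtest-Initialize-array-with-braces.patch \
 file://0001-compiler.h-Do-not-include-sys-io.h-on-ARM-with-glibc.patch \
 file://sdksyms-no-build-path.patch \
+file://CVE-2020-14347.patch \
 "
 SRC_URI[md5sum] = "c9fc7e21e11286dbedd22c00df652130"
 SRC_URI[sha256sum] = "a81d8243f37e75a03d4f8c55f96d0bc25802be6ec45c3bfa5cb614c6d01bac9d"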
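--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://gstreamer.freedesktop.org/"
 BUGTRACKER = "https://bugzilla.gnome.org/enter_bug.cgi?product=Gstreamer"
 SECTION = "multimedia"
 
-DEPENDS = "gstreamer1.0 glib-2.0-native"
+DEPENDS = "gstreamer1.0 glib-2.0-native make-native"
 
 SRC_URI_append = " file://gtk-doc-tweaks.patch"
 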
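Review bot: The new `make-native` dependency on the DEPENDS line carries no explanation, and nothing in this recipe says why the host's make is unsuitable; presumably it is the same host-make incompatibility that the acl/attr recipes in this series work around with `PARALLEL_MAKEINST = ""`, but that is a guess. Add a comment above DEPENDS, `# build with make-native: newer host make versions break this build (see the acl/attr PARALLEL_MAKEINST workaround)`, adjusted to the actual failure, so the dependency can be dropped once the host-side issue is gone.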
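--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb
@@ -4,7 +4,7 @@ SECTION = "multimedia"
 LICENSE = "LGPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d"
 
-DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base"
+DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base make-native"
 
 PNREAL = "gst-rtsp-server"
 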
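--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb
@@ -6,7 +6,7 @@ BUGTRACKER = "https://bugzilla.gnome.org/enter_bug.cgi?product=Gstreamer"
 SECTION = "multimedia"
 LICENSE = "LGPLv2+"
 
-DEPENDS = "glib-2.0 glib-2.0-native libcap libxml2 bison-native flex-native"
+DEPENDS = "glib-2.0 glib-2.0-native libcap libxml2 bison-native flex-native make-native"
 
 inherit autotools pkgconfig gettext upstream-version-is-even gobject-introspection gtk-doc ptest
 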
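--- a/meta/recipes-support/attr/acl_2.2.52.bb
+++ b/meta/recipes-support/attr/acl_2.2.52.bb
@@ -25,6 +25,9 @@ SRC_URI[sha256sum] = "179074bb0580c06c4b4137be4c5a92a701583277967acdb5546043c787
 
 require ea-acl.inc
 
+# Has issues with newer versions of make
+PARALLEL_MAKEINST = ""
+
 # avoid RPATH hardcode to staging dir
 do_configure_append() {
 sed -i ${S}/config.status -e s,^\\\(hardcode_into_libs=\\\).*$,\\1\'no\',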
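--- a/meta/recipes-support/attr/attr_2.4.47.bb
+++ b/meta/recipes-support/attr/attr_2.4.47.bb
@@ -12,4 +12,7 @@ SRC_URI += "file://attr-Missing-configure.ac.patch \
 SRC_URI[md5sum] = "84f58dec00b60f2dc8fd1c9709291cc7"
 SRC_URI[sha256sum] = "25772f653ac5b2e3ceeb89df50e4688891e21f723c460636548971652af0a859"
 
+# Has issues with newer versions of make
+PARALLEL_MAKEINST = ""
+
 BBCLASSEXTEND = "native nativesdk"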
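--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
@@ -0,0 +1,117 @@
+From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 22 Aug 2020 17:19:39 +0200
+Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is
+incomplete
+
+If the initial handshake is incomplete and the server sends a
+no_renegotiation alert, the client should treat it as a fatal error
+even if its level is warning. Otherwise the same handshake
+state (e.g., DHE parameters) are reused in the next gnutls_handshake
+call, if it is called in the loop idiom:
+
+do {
+ret = gnutls_handshake(session);
+} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+CVE: CVE-2020-24659
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+lib/gnutls_int.h | 1 +
+lib/handshake.c | 48 +++++++++++++-----
+2 files changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index bb6c19713..31cec5c0c 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -1370,6 +1370,7 @@ typedef struct {
+#define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
+#define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
+#define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
++#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
+
+/* The hsk_flags are for use within the ongoing handshake;
+* they are reset to zero prior to handshake start by gnutls_handshake. */
+diff --git a/lib/handshake.c b/lib/handshake.c
+index b40f84b3d..ce2d160e2 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session,
+if (ret < 0)
+return gnutls_assert_val(ret);
+
++ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
++
+return 0;
+}
+
+@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session)
+return 0;
+}
+
++/* This function checks whether the error code should be treated fatal
++ * or not, and also does the necessary state transition. In
++ * particular, in the case of a rehandshake abort it resets the
++ * handshake's internal state.
++ */
+inline static int
+_gnutls_abort_handshake(gnutls_session_t session, int ret)
+{
+- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
+- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
+- || ret == GNUTLS_E_GOT_APPLICATION_DATA)
+- return 0;
++ switch (ret) {
++ case GNUTLS_E_WARNING_ALERT_RECEIVED:
++ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
++ /* The server always toleretes a "no_renegotiation" alert. */
++ if (session->security_parameters.entity == GNUTLS_SERVER) {
++ STATE = STATE0;
++ return ret;
++ }
++
++ /* The client should tolerete a "no_renegotiation" alert only if:
++ * - the initial handshake has completed, or
++ * - a Server Hello is not yet received
++ */
++ if (session->internals.initial_negotiation_completed ||
++ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
++ STATE = STATE0;
++ return ret;
++ }
+
+- /* this doesn't matter */
+- return GNUTLS_E_INTERNAL_ERROR;
++ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
++ }
++ return ret;
++ case GNUTLS_E_GOT_APPLICATION_DATA:
++ STATE = STATE0;
++ return ret;
++ default:
++ return ret;
++ }
+}
+
+
+@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session)
+}
+
+if (ret < 0) {
+- /* In the case of a rehandshake abort
+- * we should reset the handshake's internal state.
+- */
+- if (_gnutls_abort_handshake(session, ret) == 0)
+- STATE = STATE0;
+-
+- return ret;
++ return _gnutls_abort_handshake(session, ret);
+}
+
+/* clear handshake buffer */
+--
+2.17.0
+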
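Review bot: The trailer `Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]` cites only the repository root, so anyone auditing this CVE fix later has to reconstruct the origin from the `From 29ee67c2…` line above it; the OE convention is to cite the commit itself, e.g. `Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/29ee67c205855e848a0a26e6d0e4f65b6b943e0a]`. The code side of the backport looks consistent with the upstream change as described in the message: the client path now returns `GNUTLS_E_UNEXPECTED_PACKET` when a no_renegotiation warning arrives after a Server Hello but before the initial handshake completes, and the `STATE = STATE0` reset has moved into `_gnutls_abort_handshake`. The spelling slips in the added comments (`toleretes`, `tolerete`) are upstream's and should stay verbatim in a backport.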
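--- a/meta/recipes-support/gnutls/gnutls_3.6.13.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 file://CVE-2020-13777-a.patch \
 file://CVE-2020-13777-b.patch \
 file://CVE-2020-13777-c.patch \
+file://CVE-2020-24659.patch \
 "
 
 SRC_URI[md5sum] = "bb1fe696a11543433785b4fc70ca225f"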
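--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch
@@ -0,0 +1,41 @@
+--- pcre-8.43/pcre_compile.c 2020-07-05 22:26:25.310501521 +0530
++++ pcre-8.43/pcre_compile1.c 2020-07-05 22:30:22.254489562 +0530
+
+CVE: CVE-2020-14155
+Upstream-Status: Backport [https://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?view=patch&r1=1761&r2=1760&pathrev=1761]
+Signed-off-by: Rahul Taya<Rahul.Taya@kpit.com>
+
+@@ -6,7 +6,7 @@
+and semantics are as close as possible to those of the Perl 5 language.
+
+Written by Philip Hazel
+- Copyright (c) 1997-2018 University of Cambridge
++ Copyright (c) 1997-2020 University of Cambridge
+
+-----------------------------------------------------------------------------
+Redistribution and use in source and binary forms, with or without
+@@ -7130,17 +7130,19 @@
+int n = 0;
+ptr++;
+while(IS_DIGIT(*ptr))
++ {
+n = n * 10 + *ptr++ - CHAR_0;
++ if (n > 255)
++ {
++ *errorcodeptr = ERR38;
++ goto FAILED;
++ }
++ }
+if (*ptr != CHAR_RIGHT_PARENTHESIS)
+{
+*errorcodeptr = ERR39;
+goto FAILED;
+}
+- if (n > 255)
+- {
+- *errorcodeptr = ERR38;
+- goto FAILED;
+- }
+*code++ = n;
+PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
+PUT(code, LINK_SIZE, 0); /* Default length */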
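Review bot: The patch's `+++` header names `pcre-8.43/pcre_compile1.c` while the `---` header names `pcre-8.43/pcre_compile.c`, and the `CVE:`/`Upstream-Status:`/`Signed-off-by:` lines sit between those headers and the first hunk rather than above them; this looks like a diff taken against a locally copied file, and although GNU patch will most likely still apply it because the old-side name exists, it is fragile and confusing for anyone re-auditing the CVE fix. Suggest regenerating it from the cited upstream revision so both headers read `pcre_compile.c` with the metadata block placed before the `---` line, and dropping the unrelated `@@ -6,7 +6,7 @@` copyright-year hunk. The substantive change, moving the `n > 255` check inside the digit loop so `n` cannot keep growing past the bound before it is checked, matches the upstream fix described by the Upstream-Status URL.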
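--- a/meta/recipes-support/libpcre/libpcre_8.43.bb
+++ b/meta/recipes-support/libpcre/libpcre_8.43.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \
 file://out-of-tree.patch \
 file://run-ptest \
 file://Makefile \
+file://CVE-2020-14155.patch \
 "
 
 SRC_URI[md5sum] = "636222e79e392c3d95dcc545f24f98c4"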