Diffstat (limited to 'meta')
-rw-r--r--meta/classes/pypi.bbclass4
-rw-r--r--meta/conf/distro/include/yocto-uninative.inc10
-rw-r--r--meta/files/toolchain-shar-extract.sh11
-rw-r--r--meta/lib/oeqa/core/utils/concurrencytest.py2
-rw-r--r--meta/lib/oeqa/sdkext/testsdk.py7
-rw-r--r--meta/lib/oeqa/selftest/cases/runtime_test.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/signing.py4
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch60
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch402
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch33
-rw-r--r--meta/recipes-connectivity/bind/bind_9.11.19.bb3
-rw-r--r--meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch35
-rw-r--r--meta/recipes-core/images/build-appliance-image_15.0.0.bb2
-rw-r--r--meta/recipes-core/meta/buildtools-extended-tarball.bb36
-rw-r--r--meta/recipes-core/meta/buildtools-tarball.bb6
-rw-r--r--meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb3
-rw-r--r--meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch80
-rw-r--r--meta/recipes-devtools/binutils/binutils_2.32.bb5
-rw-r--r--meta/recipes-devtools/go/go-1.12.inc4
-rw-r--r--meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch28
-rw-r--r--meta/recipes-devtools/go/go-1.12/CVE-2020-15586.patch131
-rw-r--r--meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch110
-rw-r--r--meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch429
-rw-r--r--meta/recipes-devtools/python/python3-testtools/no_traceback2.patch23
-rw-r--r--meta/recipes-devtools/python/python3-testtools_2.3.0.bb2
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc4
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch40
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch93
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch64
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch49
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch37
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb1
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc2
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb2
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb2
-rw-r--r--meta/recipes-support/attr/acl_2.2.52.bb3
-rw-r--r--meta/recipes-support/attr/attr_2.4.47.bb3
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch117
-rw-r--r--meta/recipes-support/gnutls/gnutls_3.6.13.bb1
-rw-r--r--meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch41
-rw-r--r--meta/recipes-support/libpcre/libpcre_8.43.bb1
41 files changed, 1862 insertions, 30 deletions
diff --git a/meta/classes/pypi.bbclass b/meta/classes/pypi.bbclass
index e5d7ab3ce1..87b4c85fc0 100644
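--- a/meta/classes/pypi.bbclass
+++ b/meta/classes/pypi.bbclass
@@ -22,5 +22,5 @@ SECTION = "devel/python"
 SRC_URI += "${PYPI_SRC_URI}"
 S = "${WORKDIR}/${PYPI_PACKAGE}-${PV}"
 
-UPSTREAM_CHECK_URI ?= "https://pypi.python.org/pypi/${PYPI_PACKAGE}/"
-UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)"
+UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${PYPI_PACKAGE}/"
+UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/"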
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 889695eae3..69b6edee5f 100644
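--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.31"
+UNINATIVE_MAXGLIBCVERSION = "2.32"
 
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.8/"
-UNINATIVE_CHECKSUM[aarch64] ?= "989187344bf9539b464fb7ed9c223e51f4bdb4c7a677d2c314e6fed393176efe"
-UNINATIVE_CHECKSUM[i686] ?= "cc3e45bc8594488b407363e3fa9af5a099279dab2703c64342098719bd674990"
-UNINATIVE_CHECKSUM[x86_64] ?= "a09922172c3a439105e0ae6b943daad2d83505b17da0aba97961ff433b8c21ab"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/"
+UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81"
+UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36"
+UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423"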
diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh
index 4c4b4deb4c..2e0fe94963 100644
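--- a/meta/files/toolchain-shar-extract.sh
+++ b/meta/files/toolchain-shar-extract.sh
@@ -1,13 +1,8 @@
 #!/bin/sh
 
-[ -z "$ENVCLEANED" ] && exec /usr/bin/env -i ENVCLEANED=1 HOME="$HOME" \
- LC_ALL=en_US.UTF-8 \
- TERM=$TERM \
- ICECC_PATH="$ICECC_PATH" \
- http_proxy="$http_proxy" https_proxy="$https_proxy" ftp_proxy="$ftp_proxy" \
- no_proxy="$no_proxy" all_proxy="$all_proxy" GIT_PROXY_COMMAND="$GIT_PROXY_COMMAND" "$0" "$@"
-[ -f /etc/environment ] && . /etc/environment
-export PATH=`echo "$PATH" | sed -e 's/:\.//' -e 's/::/:/'`
+export LC_ALL=en_US.UTF-8
+# Remove invalid PATH elements first (maybe from a previously setup toolchain now deleted
+PATH=`python3 -c 'import os; print(":".join(e for e in os.environ["PATH"].split(":") if os.path.exists(e)))'`
 
 tweakpath () {
  case ":${PATH}:" in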
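Review bot: The new PATH filter keeps relative entries such as `.`, because `os.path.exists(".")` is true, whereas the removed `sed -e 's/:\.//'` line stripped a current-directory element before the installer ran any other command. Adding an absoluteness test to the generator condition, `if os.path.isabs(e) and os.path.exists(e)`, restores that protection. With the `env -i` re-exec removed, the script also inherits the caller's whole environment, so any variable the rest of the script relies on (outside this hunk) is now caller-controlled. If `python3` is missing on the host the command substitution yields an empty string and PATH is left empty, so an explicit check with a readable error before the assignment would help. The comment above the assignment is also missing its closing parenthesis.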
diff --git a/meta/lib/oeqa/core/utils/concurrencytest.py b/meta/lib/oeqa/core/utils/concurrencytest.py
index 0f7b3dcc11..e6b14da89d 100644
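--- a/meta/lib/oeqa/core/utils/concurrencytest.py
+++ b/meta/lib/oeqa/core/utils/concurrencytest.py
@@ -261,7 +261,7 @@ def fork_for_tests(concurrency_num, suite):
  oe.path.copytree(selftestdir, newselftestdir)
 
  for e in os.environ:
- if builddir in os.environ[e]:
+ if builddir + "/" in os.environ[e] or os.environ[e].endswith(builddir):
  os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
 
  subprocess.check_output("git init; git add *; git commit -a -m 'initial'", cwd=newselftestdir, shell=True)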
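Review bot: The tightened `if` only decides whether a variable is touched; the unchanged `replace(builddir, newbuilddir)` on the next line still rewrites every occurrence of the bare substring, so a sibling path that merely starts with the build directory name is rewritten too. Replacing by component, `os.environ[e] = os.environ[e].replace(builddir + "/", newbuilddir + "/")`, and rewriting only the tail in the `endswith(builddir)` case keeps the rewrite aligned with the test. The same applies to the `endswith` branch added in meta/lib/oeqa/selftest/cases/signing.py, which runs a whole-string `replace(builddir, newbuilddir)` after the first branch has already inserted `newbuilddir + "/"`; if newbuilddir begins with builddir (not visible in either hunk) those entries would be rewritten twice. fork_for_tests continues outside the hunk.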
diff --git a/meta/lib/oeqa/sdkext/testsdk.py b/meta/lib/oeqa/sdkext/testsdk.py
index 785b5dda53..c5c46df6cd 100644
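--- a/meta/lib/oeqa/sdkext/testsdk.py
+++ b/meta/lib/oeqa/sdkext/testsdk.py
@@ -25,11 +25,8 @@ class TestSDKExt(TestSDKBase):
 
  subprocesstweak.errors_have_output()
 
- # extensible sdk can be contaminated if native programs are
- # in PATH, i.e. use perl-native instead of eSDK one.
- paths_to_avoid = [d.getVar('STAGING_DIR'),
- d.getVar('BASE_WORKDIR')]
- os.environ['PATH'] = avoid_paths_in_environ(paths_to_avoid)
+ # We need the original PATH for testing the eSDK, not with our manipulations
+ os.environ['PATH'] = d.getVar("BB_ORIGENV", False).getVar("PATH")
 
  tcname = d.expand("${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.sh")
  if not os.path.exists(tcname):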
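Review bot: The new assignment chains `.getVar("PATH")` directly onto `d.getVar("BB_ORIGENV", False)`, so if BB_ORIGENV is absent from the datastore the setup dies with an AttributeError on None instead of a readable failure. Splitting it, `origenv = d.getVar("BB_ORIGENV", False)` then `os.environ['PATH'] = origenv.getVar("PATH") if origenv else os.environ['PATH']`, makes the fallback explicit. The removed lines existed to keep STAGING_DIR and BASE_WORKDIR native tools out of PATH, and the new comment would be clearer if it said why the original PATH is free of them. `avoid_paths_in_environ` may now be an unused import; the import block is outside the hunk.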
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index 7d3922ce44..d4fea91350 100644
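--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -166,7 +166,7 @@ class TestImage(OESelftestTestCase):
  bitbake('core-image-full-cmdline socat')
  bitbake('-c testimage core-image-full-cmdline')
 
- def test_testimage_virgl_gtk(self):
+ def disabled_test_testimage_virgl_gtk(self):
  """
  Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk frontend
  Expected: 1. Check that virgl kernel driver is loaded and 3d acceleration is enabled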
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 5c4e01b2c3..5b8f9bbd38 100644
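--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -44,7 +44,9 @@ class Signing(OESelftestTestCase):
  origenv = os.environ.copy()
 
  for e in os.environ:
- if builddir in os.environ[e]:
+ if builddir + "/" in os.environ[e]:
+ os.environ[e] = os.environ[e].replace(builddir + "/", newbuilddir + "/")
+ if os.environ[e].endswith(builddir):
  os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
 
  os.chdir(newbuilddir)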
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch
new file mode 100644
index 0000000000..dec5672657
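--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch
@@ -0,0 +1,60 @@
+From ca543240380475d888d660ea3296fc880ce52f35 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 15 Jul 2020 16:07:51 +1000
+Subject: [PATCH] bind: Always keep a copy of the message
+
+this allows it to be available even when dns_message_parse()
+returns a error.
+
+Upstream-Status: Backport
+CVE: CVE-2020-8622
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ lib/dns/message.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index ac637a2..39ed80f 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1679,6 +1679,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ msg->header_ok = 0;
+ msg->question_ok = 0;
+
++ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
++ isc_buffer_usedregion(&origsource, &msg->saved);
++ } else {
++ msg->saved.length = isc_buffer_usedlength(&origsource);
++ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
++ if (msg->saved.base == NULL) {
++ return (ISC_R_NOMEMORY);
++ }
++ memmove(msg->saved.base, isc_buffer_base(&origsource),
++ msg->saved.length);
++ msg->free_saved = 1;
++ }
++
+ isc_buffer_remainingregion(source, &r);
+ if (r.length < DNS_MESSAGE_HEADERLEN)
+ return (ISC_R_UNEXPECTEDEND);
+@@ -1754,17 +1767,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ }
+
+ truncated:
+- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
+- isc_buffer_usedregion(&origsource, &msg->saved);
+- else {
+- msg->saved.length = isc_buffer_usedlength(&origsource);
+- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+- if (msg->saved.base == NULL)
+- return (ISC_R_NOMEMORY);
+- memmove(msg->saved.base, isc_buffer_base(&origsource),
+- msg->saved.length);
+- msg->free_saved = 1;
+- }
+
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ return (DNS_R_RECOVERABLE);
+--
+1.9.1
+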
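Review bot: The `Upstream-Status: Backport` tag in the patch header names no upstream location or release, so checking this backport against the upstream fix means searching for the `From` hash by hand. Writing it as `Upstream-Status: Backport [<upstream commit URL>]` keeps the CVE fix auditable; CVE-2020-8623.patch and CVE-2020-8624.patch carry the same bare tag. In the moved block itself, every error return that follows it in dns_message_parse() now leaves `msg->saved` populated with `free_saved = 1`, so the fix relies on the caller's reset or destroy path releasing that copy. That path is outside the hunk and is worth confirming against the 9.11.19 tree.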
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch
new file mode 100644
index 0000000000..8e5412a89e
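--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch
@@ -0,0 +1,402 @@
+From 8d807cc21655eaa6e6a08afafeec3682c0f3f2ab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Tue, 21 Jul 2020 14:42:47 +0200
+Subject: [PATCH] Fix crash in pk11_numbits() when native-pkcs11 is used
+
+When pk11_numbits() is passed a user provided input that contains all
+zeroes (via crafted DNS message), it would crash with assertion
+failure. Fix that by properly handling such input.
+
+Upstream-Status: Backport
+CVE: CVE-2020-8623
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ lib/dns/pkcs11dh_link.c | 15 ++++++-
+ lib/dns/pkcs11dsa_link.c | 8 +++-
+ lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++--------
+ lib/isc/include/pk11/internal.h | 3 +-
+ lib/isc/pk11.c | 61 ++++++++++++++++---------
+ 5 files changed, 121 insertions(+), 45 deletions(-)
+
+diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
+index e2b60ea7c5..4cd8e32d60 100644
+--- a/lib/dns/pkcs11dh_link.c
++++ b/lib/dns/pkcs11dh_link.c
+@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
+ CK_ATTRIBUTE *attr;
+ int special = 0;
++ unsigned int bits;
+ isc_result_t result;
+
+ isc_buffer_remainingregion(data, &r);
+@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ pub = r.base;
+ isc_region_consume(&r, publen);
+
+- key->key_size = pk11_numbits(prime, plen_);
++ result = pk11_numbits(prime, plen_, &bits);
++ if (result != ISC_R_SUCCESS) {
++ goto cleanup;
++ }
++ key->key_size = bits;
+
+ dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+ if (dh->repr == NULL)
+@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ dst_private_t priv;
+ isc_result_t ret;
+ int i;
++ unsigned int bits;
+ pk11_object_t *dh = NULL;
+ CK_ATTRIBUTE *attr;
+ isc_mem_t *mctx;
+@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+
+ attr = pk11_attribute_bytype(dh, CKA_PRIME);
+ INSIST(attr != NULL);
+- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+ return (ISC_R_SUCCESS);
+
+diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
+index 12d707a112..24d4c149ff 100644
+--- a/lib/dns/pkcs11dsa_link.c
++++ b/lib/dns/pkcs11dsa_link.c
+@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ dst_private_t priv;
+ isc_result_t ret;
+ int i;
++ unsigned int bits;
+ pk11_object_t *dsa = NULL;
+ CK_ATTRIBUTE *attr;
+ isc_mem_t *mctx = key->mctx;
+@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+
+ attr = pk11_attribute_bytype(dsa, CKA_PRIME);
+ INSIST(attr != NULL);
+- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+ return (ISC_R_SUCCESS);
+
+diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
+index 096c1a8e91..1d10d26564 100644
+--- a/lib/dns/pkcs11rsa_link.c
++++ b/lib/dns/pkcs11rsa_link.c
+@@ -332,6 +332,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+ key->key_alg == DST_ALG_RSASHA256 ||
+ key->key_alg == DST_ALG_RSASHA512);
+ #endif
++ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
+
+ /*
+ * Reject incorrect RSA key lengths.
+@@ -376,6 +377,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+ for (attr = pk11_attribute_first(rsa);
+ attr != NULL;
+ attr = pk11_attribute_next(rsa, attr))
++ {
+ switch (attr->type) {
+ case CKA_MODULUS:
+ INSIST(keyTemplate[5].type == attr->type);
+@@ -396,12 +398,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+ memmove(keyTemplate[6].pValue, attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[6].ulValueLen = attr->ulValueLen;
+- if (pk11_numbits(attr->pValue,
+- attr->ulValueLen) > maxbits &&
+- maxbits != 0)
++ unsigned int bits;
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
++ &bits);
++ if (ret != ISC_R_SUCCESS ||
++ (bits > maxbits && maxbits != 0)) {
+ DST_RET(DST_R_VERIFYFAILURE);
++ }
+ break;
+ }
++ }
+ pk11_ctx->object = CK_INVALID_HANDLE;
+ pk11_ctx->ontoken = false;
+ PK11_RET(pkcs_C_CreateObject,
+@@ -1072,6 +1078,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ keyTemplate[5].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_PUBLIC_EXPONENT:
++ unsigned int bits;
+ INSIST(keyTemplate[6].type == attr->type);
+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+@@ -1080,10 +1087,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ memmove(keyTemplate[6].pValue, attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[6].ulValueLen = attr->ulValueLen;
+- if (pk11_numbits(attr->pValue,
+- attr->ulValueLen)
+- > RSA_MAX_PUBEXP_BITS)
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
++ &bits);
++ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
++ {
+ DST_RET(DST_R_VERIFYFAILURE);
++ }
+ break;
+ }
+ pk11_ctx->object = CK_INVALID_HANDLE;
+@@ -1461,6 +1470,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ CK_BYTE *exponent = NULL, *modulus = NULL;
+ CK_ATTRIBUTE *attr;
+ unsigned int length;
++ unsigned int bits;
++ isc_result_t ret = ISC_R_SUCCESS;
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+@@ -1478,9 +1489,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+
+ if (e_bytes == 0) {
+ if (r.length < 2) {
+- isc_safe_memwipe(rsa, sizeof(*rsa));
+- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+- return (DST_R_INVALIDPUBLICKEY);
++ DST_RET(DST_R_INVALIDPUBLICKEY);
+ }
+ e_bytes = (*r.base) << 8;
+ isc_region_consume(&r, 1);
+@@ -1489,16 +1498,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ }
+
+ if (r.length < e_bytes) {
+- isc_safe_memwipe(rsa, sizeof(*rsa));
+- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+- return (DST_R_INVALIDPUBLICKEY);
++ DST_RET(DST_R_INVALIDPUBLICKEY);
+ }
+ exponent = r.base;
+ isc_region_consume(&r, e_bytes);
+ modulus = r.base;
+ mod_bytes = r.length;
+
+- key->key_size = pk11_numbits(modulus, mod_bytes);
++ ret = pk11_numbits(modulus, mod_bytes, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+ isc_buffer_forward(data, length);
+
+@@ -1548,9 +1559,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ rsa->repr,
+ rsa->attrcnt * sizeof(*attr));
+ }
++ ret = ISC_R_NOMEMORY;
++
++ err:
+ isc_safe_memwipe(rsa, sizeof(*rsa));
+ isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+- return (ISC_R_NOMEMORY);
++ return (ret);
+ }
+
+ static isc_result_t
+@@ -1729,6 +1743,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
+ pk11_object_t *pubrsa;
+ pk11_context_t *pk11_ctx = NULL;
+ isc_result_t ret;
++ unsigned int bits;
+
+ if (label == NULL)
+ return (DST_R_NOENGINE);
+@@ -1815,7 +1830,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
+
+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ INSIST(attr != NULL);
+- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+ return (ISC_R_SUCCESS);
+
+@@ -1901,6 +1920,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ CK_ATTRIBUTE *attr;
+ isc_mem_t *mctx = key->mctx;
+ const char *engine = NULL, *label = NULL;
++ unsigned int bits;
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
+@@ -2044,12 +2064,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+
+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ INSIST(attr != NULL);
+- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+ attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+ INSIST(attr != NULL);
+- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
++
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ if (bits > RSA_MAX_PUBEXP_BITS) {
+ DST_RET(ISC_R_RANGE);
++ }
+
+ dst__privstruct_free(&priv, mctx);
+ isc_safe_memwipe(&priv, sizeof(priv));
+@@ -2084,6 +2114,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ pk11_context_t *pk11_ctx = NULL;
+ isc_result_t ret;
+ unsigned int i;
++ unsigned int bits;
+
+ UNUSED(pin);
+
+@@ -2178,12 +2209,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+
+ attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+ INSIST(attr != NULL);
+- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
++
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ if (bits > RSA_MAX_PUBEXP_BITS) {
+ DST_RET(ISC_R_RANGE);
++ }
+
+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ INSIST(attr != NULL);
+- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++ if (ret != ISC_R_SUCCESS) {
++ goto err;
++ }
++ key->key_size = bits;
+
+ pk11_return_session(pk11_ctx);
+ isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
+index aa8907ab08..7cc8ec812b 100644
+--- a/lib/isc/include/pk11/internal.h
++++ b/lib/isc/include/pk11/internal.h
+@@ -25,7 +25,8 @@ void pk11_mem_put(void *ptr, size_t size);
+
+ CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
+
+-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
++isc_result_t
++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
+
+ CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
+
+diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
+index 012afd968a..4e4052044b 100644
+--- a/lib/isc/pk11.c
++++ b/lib/isc/pk11.c
+@@ -962,13 +962,15 @@ pk11_get_best_token(pk11_optype_t optype) {
+ return (token->slotid);
+ }
+
+-unsigned int
+-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
++isc_result_t
++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
+ unsigned int bitcnt, i;
+ CK_BYTE top;
+
+- if (bytecnt == 0)
+- return (0);
++ if (bytecnt == 0) {
++ *bits = 0;
++ return (ISC_R_SUCCESS);
++ }
+ bitcnt = bytecnt * 8;
+ for (i = 0; i < bytecnt; i++) {
+ top = data[i];
+@@ -976,26 +978,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+ bitcnt -= 8;
+ continue;
+ }
+- if (top & 0x80)
+- return (bitcnt);
+- if (top & 0x40)
+- return (bitcnt - 1);
+- if (top & 0x20)
+- return (bitcnt - 2);
+- if (top & 0x10)
+- return (bitcnt - 3);
+- if (top & 0x08)
+- return (bitcnt - 4);
+- if (top & 0x04)
+- return (bitcnt - 5);
+- if (top & 0x02)
+- return (bitcnt - 6);
+- if (top & 0x01)
+- return (bitcnt - 7);
++ if (top & 0x80) {
++ *bits = bitcnt;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x40) {
++ *bits = bitcnt - 1;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x20) {
++ *bits = bitcnt - 2;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x10) {
++ *bits = bitcnt - 3;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x08) {
++ *bits = bitcnt - 4;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x04) {
++ *bits = bitcnt - 5;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x02) {
++ *bits = bitcnt - 6;
++ return (ISC_R_SUCCESS);
++ }
++ if (top & 0x01) {
++ *bits = bitcnt - 7;
++ return (ISC_R_SUCCESS);
++ }
+ break;
+ }
+- INSIST(0);
+- ISC_UNREACHABLE();
++ return (ISC_R_RANGE);
+ }
+
+ CK_ATTRIBUTE *
+--
+2.17.1
+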
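Review bot: In the pkcs11rsa_verify hunk, `unsigned int bits;` is added directly after the `case CKA_PUBLIC_EXPONENT:` label, and a declaration immediately following a label is not valid C before C23, so pkcs11rsa_link.c would likely fail to build with older compilers once native PKCS#11 is enabled. Declaring it among the locals at the top of pkcs11rsa_verify, as the patch already does for pkcs11rsa_fromdns and the other functions, avoids that. The new `REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);` in pkcs11rsa_createctx_verify is itself an assertion, so it is worth confirming that no caller derives `maxbits` from configuration or from the wire, since those callers are outside the hunks. pk11_numbits() now writes through `bits` without a NULL check and returns `ISC_R_RANGE` for all-zero input; a short comment above the function stating that contract would help the next caller.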
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch
new file mode 100644
index 0000000000..9cffe358bf
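--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch
@@ -0,0 +1,33 @@
+From a73c3d30de7fe98af9e4dc0e490f732a48412380 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 29 Jul 2020 23:36:03 +1000
+Subject: [PATCH] bind: Update-policy 'subdomain' was incorrectly treated as
+ 'zonesub'
+
+resulting in names outside the specified subdomain having the wrong
+restrictions for the given key.
+
+Upstream-Status: Backport
+CVE: CVE-2020-8624
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ bin/named/zoneconf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index e237bdb..4898447 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -237,7 +237,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+
+ str = cfg_obj_asstring(matchtype);
+ CHECK(dns_ssu_mtypefromstring(str, &mtype));
+- if (mtype == dns_ssumatchtype_subdomain) {
++ if (mtype == dns_ssumatchtype_subdomain &&
++ strcasecmp(str, "zonesub") == 0) {
+ usezone = true;
+ }
+
+--
+1.9.1
+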
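Review bot: The added `strcasecmp(str, "zonesub") == 0` test is only needed if `dns_ssu_mtypefromstring()` maps both keywords to `dns_ssumatchtype_subdomain`, which the subject line implies but the hunk does not show, and nothing in the code says so. A comment above the condition, for example `/* "zonesub" and "subdomain" share a match type; only "zonesub" uses the zone name */`, would keep a later cleanup from dropping the string comparison and reopening CVE-2020-8624. configure_zone_ssutable() and the file's includes are outside the hunk, so whether `<strings.h>` is already pulled in for `strcasecmp` cannot be confirmed from here.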
diff --git a/meta/recipes-connectivity/bind/bind_9.11.19.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb
index a77be8678f..d4467b0b48 100644
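--- a/meta/recipes-connectivity/bind/bind_9.11.19.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -18,6 +18,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
  file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
  file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
  file://0001-avoid-start-failure-with-bind-user.patch \
+ file://CVE-2020-8622.patch \
+ file://CVE-2020-8623.patch \
+ file://CVE-2020-8624.patch \
  "
 
 SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"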
diff --git a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
index 3aad603ada..5cd235f6ac 100644
--- a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
+++ b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
@@ -65,6 +65,35 @@ index 7c1cc3eecb..53cb8bfc59 100644
65 65
66 /* Load the locale data for CATEGORY from the file specified by *NAME. 66 /* Load the locale data for CATEGORY from the file specified by *NAME.
67 If *NAME is "", use environment variables as specified by POSIX, and 67 If *NAME is "", use environment variables as specified by POSIX, and
68-- 68Index: git/locale/programs/locale.c
692.22.0 69===================================================================
70 70--- git.orig/locale/programs/locale.c
71+++ git/locale/programs/locale.c
72@@ -632,6 +632,7 @@ nameentcmp (const void *a, const void *b
73 ((const struct nameent *) b)->name);
74 }
75
76+static char _write_archive_locales_path[4096] attribute_hidden __attribute__ ((section (".gccrelocprefix"))) = ARCHIVE_NAME;
77
78 static int
79 write_archive_locales (void **all_datap, char *linebuf)
80@@ -645,7 +646,7 @@ write_archive_locales (void **all_datap,
81 int fd, ret = 0;
82 uint32_t cnt;
83
84- fd = open64 (ARCHIVE_NAME, O_RDONLY);
85+ fd = open64 (_write_archive_locales_path, O_RDONLY);
86 if (fd < 0)
87 return 0;
88
89@@ -700,8 +701,8 @@ write_archive_locales (void **all_datap,
90 if (cnt)
91 putchar_unlocked ('\n');
92
93- printf ("locale: %-15.15s archive: " ARCHIVE_NAME "\n%s\n",
94- names[cnt].name, linebuf);
95+ printf ("locale: %-15.15s archive: %s\n%s\n",
96+ names[cnt].name, _write_archive_locales_path, linebuf);
97
98 locrec = (struct locrecent *) (addr + names[cnt].locrec_offset);
99
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 7d8b665e6b..e993bde2d7 100644
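--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk"
 
 inherit core-image module-base setuptools3
 
-SRCREV ?= "0ae1964fb16a0e92b163f48ceb127a40e8397339"
+SRCREV ?= "f4b1c01110bf6cf7691aa6f214cecd89a52d5661"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=zeus \
  file://Yocto_Build_Appliance.vmx \
  file://Yocto_Build_Appliance.vmxf \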
diff --git a/meta/recipes-core/meta/buildtools-extended-tarball.bb b/meta/recipes-core/meta/buildtools-extended-tarball.bb
new file mode 100644
index 0000000000..94ed57585b
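--- /dev/null
+++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb
@@ -0,0 +1,36 @@
+require recipes-core/meta/buildtools-tarball.bb
+
+DESCRIPTION = "SDK type target for building a standalone tarball containing build-essentials, python3, chrpath, \
+ make, git and tar. The tarball can be used to run bitbake builds on systems which don't meet the \
+ usual version requirements and have ancient compilers."
+SUMMARY = "Standalone tarball for running builds on systems with inadequate software and ancient compilers"
+LICENSE = "MIT"
+
+# Add nativesdk equivalent of build-essentials
+TOOLCHAIN_HOST_TASK += "\
+ nativesdk-automake \
+ nativesdk-autoconf \
+ nativesdk-binutils \
+ nativesdk-binutils-symlinks \
+ nativesdk-cpp \
+ nativesdk-cpp-symlinks \
+ nativesdk-gcc \
+ nativesdk-gcc-symlinks \
+ nativesdk-g++ \
+ nativesdk-g++-symlinks \
+ nativesdk-gettext \
+ nativesdk-libatomic \
+ nativesdk-libgcc \
+ nativesdk-libstdc++ \
+ nativesdk-libstdc++-dev \
+ nativesdk-libstdc++-staticdev \
+ nativesdk-libtool \
+ nativesdk-pkgconfig \
+ nativesdk-glibc-utils \
+ nativesdk-python \
+ nativesdk-libxcrypt-dev \
+ "
+
+TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-extended-nativesdk-standalone-${DISTRO_VERSION}"
+
+SDK_TITLE = "Extended Build tools"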
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index 66201514d7..ceb60b0e48 100644
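--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -73,7 +73,13 @@ create_sdk_files_append () {
  toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS}
 
  echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+ echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+ echo 'export OPENSSL_CONF="${SDKPATHNATIVE}${sysconfdir}/ssl/openssl.cnf"' >>$script
 
+ mkdir -p ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/
+ echo '${SDKPATHNATIVE}${libdir}
+${SDKPATHNATIVE}${base_libdir}
+include /etc/ld.so.conf' > ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/ld.so.conf
  if [ "${SDKMACHINE}" = "i686" ]; then
  echo 'export NO32LIBS="0"' >>$script
  echo 'echo "$BB_ENV_EXTRAWHITE" | grep -q "NO32LIBS"' >>$script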
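Review bot: The added `SSL_CERT_FILE` and `OPENSSL_CONF` exports point every OpenSSL-based tool run from this environment at the CA bundle and openssl.cnf shipped inside the tarball, so the trust store is frozen at SDK build time and any CA added or distrusted on the host afterwards is ignored. That is a reasonable trade-off for old hosts, but the recipe should say so, for example `# Trust store is the SDK's own copy; rebuild the tarball to pick up ca-certificates updates`. The generated ld.so.conf lists the SDK libdirs ahead of `include /etc/ld.so.conf`, which looks deliberate, and a one-line comment stating the intended search order would confirm it. create_sdk_files_append continues outside the hunk.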
diff --git a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
index 5bc11b9daf..cfa41c4ae6 100644
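--- a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
+++ b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
@@ -15,12 +15,15 @@ DUMMYPROVIDES_PACKAGES = "\
  nativesdk-perl-module-file-find \
  nativesdk-perl-module-file-glob \
  nativesdk-perl-module-file-path \
+ nativesdk-perl-module-file-spec \
  nativesdk-perl-module-file-stat \
  nativesdk-perl-module-getopt-long \
  nativesdk-perl-module-io-file \
+ nativesdk-perl-module-overloading \
  nativesdk-perl-module-posix \
  nativesdk-perl-module-thread-queue \
  nativesdk-perl-module-threads \
+ nativesdk-perl-module-warnings \
 "
 
 DUMMYPROVIDES = "\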
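--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch
@@ -0,0 +1,80 @@
+We need binutils to look at our ld.so.conf file within the SDK to ensure
+we search the SDK's libdirs as well as those from the host system.
+
+We therefore pass in the directory to the code using a define, then add
+it to a section we relocate in a similar way to the way we relocate the
+gcc internal paths. This ensures that ld works correctly in our buildtools
+tarball.
+
+Standard sysroot relocation doesn't work since we're not in a sysroot,
+we want to use both the host system and SDK libs.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+2020/1/17
+Upstream-Status: Inappropriate [OE specific tweak]
+
+Index: git/ld/Makefile.am
+===================================================================
+--- git.orig/ld/Makefile.am
++++ git/ld/Makefile.am
+@@ -36,7 +36,8 @@ am__skipyacc =
+
+ ELF_CLFAGS=-DELF_LIST_OPTIONS=@elf_list_options@ \
+ -DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \
+- -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@
++ -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \
++ -DSYSCONFDIR="\"$(sysconfdir)\""
+ WARN_CFLAGS = @WARN_CFLAGS@
+ NO_WERROR = @NO_WERROR@
+ AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS)
+Index: git/ld/Makefile.in
+===================================================================
+--- git.orig/ld/Makefile.in
++++ git/ld/Makefile.in
+@@ -546,7 +546,8 @@ am__skiplex =
+ am__skipyacc =
+ ELF_CLFAGS = -DELF_LIST_OPTIONS=@elf_list_options@ \
+ -DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \
+- -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@
++ -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \
++ -DSYSCONFDIR="\"$(sysconfdir)\""
+
+ AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS)
+ @ENABLE_PLUGINS_FALSE@PLUGIN_C =
+Index: git/ld/emultempl/elf32.em
+===================================================================
+--- git.orig/ld/emultempl/elf32.em
++++ git/ld/emultempl/elf32.em
+@@ -1024,7 +1024,7 @@ gld${EMULATION_NAME}_check_ld_so_conf (c
+
+ info.path = NULL;
+ info.len = info.alloc = 0;
+- tmppath = concat (ld_sysroot, "${prefix}/etc/ld.so.conf",
++ tmppath = concat (ld_sysconfdir, "/ld.so.conf",
+ (const char *) NULL);
+ if (!gld${EMULATION_NAME}_parse_ld_so_conf (&info, tmppath))
+ {
+Index: git/ld/ldmain.c
+===================================================================
+--- git.orig/ld/ldmain.c
++++ git/ld/ldmain.c
+@@ -68,6 +68,7 @@ char *program_name;
+
+ /* The prefix for system library directories. */
+ const char *ld_sysroot;
++char ld_sysconfdir[4096] __attribute__ ((section (".gccrelocprefix"))) = SYSCONFDIR;
+
+ /* The canonical representation of ld_sysroot. */
+ char *ld_canon_sysroot;
+Index: git/ld/ldmain.h
+===================================================================
+--- git.orig/ld/ldmain.h
++++ git/ld/ldmain.h
+@@ -23,6 +23,7 @@
+
+ extern char *program_name;
+ extern const char *ld_sysroot;
++extern char ld_sysconfdir[4096];
+ extern char *ld_canon_sysroot;
+ extern int ld_canon_sysroot_len;
+ extern FILE *saved_script_handle;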
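Review bot: `ld_sysconfdir` in the ldmain.c hunk is a fixed 4096-byte array initialised from `SYSCONFDIR` and placed in `.gccrelocprefix`, yet nothing in the patch checks that the string fits and stays NUL-terminated before `concat (ld_sysconfdir, "/ld.so.conf", ...)` reads it in elf32.em. Since the definition already relies on a GCC attribute, a guard beside it such as `_Static_assert (sizeof (SYSCONFDIR) <= 4096, "SYSCONFDIR does not fit ld_sysconfdir");` would cover the build-time value; the step that rewrites the section at SDK install time is not on this page and presumably has to enforce the same bound. The literal 4096 is repeated in ldmain.h, so one shared size macro would keep the two declarations in step. The elf32.em change also stops prefixing the path with `ld_sysroot`, which deserves a comment like `/* nativesdk: read the SDK's own ld.so.conf, not the sysroot's */` so the behaviour change is visible in the source.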
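--- a/meta/recipes-devtools/binutils/binutils_2.32.bb
+++ b/meta/recipes-devtools/binutils/binutils_2.32.bb
@@ -51,5 +51,10 @@ do_install_class-native () {
 PACKAGE_BEFORE_PN += "libbfd"
 FILES_libbfd = "${libdir}/libbfd-*.so"
 
+SRC_URI_append_class-nativesdk = "file://nativesdk-relocation.patch"
+
+USE_ALTERNATIVES_FOR_class-nativesdk = ""
+FILES_${PN}_append_class-nativesdk = " ${bindir}"
+
 BBCLASSEXTEND = "native nativesdk"
 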
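Review bot: As rendered here, `SRC_URI_append_class-nativesdk = "file://nativesdk-relocation.patch"` has no leading space inside the quotes, and `_append` joins strings without inserting one. The entry is therefore only separate from the previous URI if `SRC_URI` already ends in whitespace, and its definition is not on this page. The `FILES_${PN}_append_class-nativesdk` line just below does carry the space; the same form here would be `SRC_URI_append_class-nativesdk = " file://nativesdk-relocation.patch"`. If the URI were glued to the preceding entry, the patch that points the nativesdk linker at the SDK's `ld.so.conf` would presumably not be applied as intended.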
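--- a/meta/recipes-devtools/go/go-1.12.inc
+++ b/meta/recipes-devtools/go/go-1.12.inc
@@ -18,6 +18,10 @@ SRC_URI += "\
  file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
  file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
  file://0010-fix-CVE-2019-17596.patch \
+ file://CVE-2020-15586.patch \
+ file://CVE-2020-16845.patch \
+ file://0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch \
+ file://CVE-2020-24553.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
 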
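--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch
@@ -0,0 +1,28 @@
+From 8390c478600b852392cb116741b3cb239c94d123 Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick <bradfitz@golang.org>
+Date: Wed, 15 Jan 2020 18:08:10 +0000
+Subject: [PATCH] net/http/cgi: rename a test file to be less cute
+
+My fault (from CL 4245070), sorry.
+
+Change-Id: Ib95d3170dc326e74aa74c22421c4e44a8b00f577
+Reviewed-on: https://go-review.googlesource.com/c/go/+/214920
+Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
+
+Upstream-Status: Backport
+[lz: Add this patch for merging the patch for CVE-2020-24553]
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/net/http/cgi/{matryoshka_test.go => integration_test.go} | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ rename src/net/http/cgi/{matryoshka_test.go => integration_test.go} (100%)
+
+diff --git a/src/net/http/cgi/matryoshka_test.go b/src/net/http/cgi/integration_test.go
+similarity index 100%
+rename from src/net/http/cgi/matryoshka_test.go
+rename to src/net/http/cgi/integration_test.go
+--
+2.17.1
+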
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-15586.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-15586.patch
new file mode 100644
index 0000000000..ebdc5aec6d
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-15586.patch
@@ -0,0 +1,131 @@
1From fa98f46741f818913a8c11b877520a548715131f Mon Sep 17 00:00:00 2001
2From: Russ Cox <rsc@golang.org>
3Date: Mon, 13 Jul 2020 13:27:22 -0400
4Subject: [PATCH] net/http: synchronize "100 Continue" write and Handler writes
5
6The expectContinueReader writes to the connection on the first
7Request.Body read. Since a Handler might be doing a read in parallel or
8before a write, expectContinueReader needs to synchronize with the
9ResponseWriter, and abort if a response already went out.
10
11The tests will land in a separate CL.
12
13Fixes #34902
14Fixes CVE-2020-15586
15
16Change-Id: Icdd8dd539f45e8863762bd378194bb4741e875fc
17Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793350
18Reviewed-by: Filippo Valsorda <valsorda@google.com>
19Reviewed-on: https://go-review.googlesource.com/c/go/+/242598
20Run-TryBot: Katie Hockman <katie@golang.org>
21Reviewed-by: Filippo Valsorda <filippo@golang.org>
22TryBot-Result: Gobot Gobot <gobot@golang.org>
23
24Upstream-Status: Backport
25CVE: CVE-2020-15586
26Signed-off-by: Li Zhou <li.zhou@windriver.com>
27---
28 src/net/http/server.go | 43 +++++++++++++++++++++++++++++++++++-------
29 1 file changed, 36 insertions(+), 7 deletions(-)
30
31diff --git a/src/net/http/server.go b/src/net/http/server.go
32index a995a50658..d41b5f6f48 100644
33--- a/src/net/http/server.go
34+++ b/src/net/http/server.go
35@@ -425,6 +425,16 @@ type response struct {
36 wants10KeepAlive bool // HTTP/1.0 w/ Connection "keep-alive"
37 wantsClose bool // HTTP request has Connection "close"
38
39+ // canWriteContinue is a boolean value accessed as an atomic int32
40+ // that says whether or not a 100 Continue header can be written
41+ // to the connection.
42+ // writeContinueMu must be held while writing the header.
43+ // These two fields together synchronize the body reader
44+ // (the expectContinueReader, which wants to write 100 Continue)
45+ // against the main writer.
46+ canWriteContinue atomicBool
47+ writeContinueMu sync.Mutex
48+
49 w *bufio.Writer // buffers output in chunks to chunkWriter
50 cw chunkWriter
51
52@@ -515,6 +525,7 @@ type atomicBool int32
53
54 func (b *atomicBool) isSet() bool { return atomic.LoadInt32((*int32)(b)) != 0 }
55 func (b *atomicBool) setTrue() { atomic.StoreInt32((*int32)(b), 1) }
56+func (b *atomicBool) setFalse() { atomic.StoreInt32((*int32)(b), 0) }
57
58 // declareTrailer is called for each Trailer header when the
59 // response header is written. It notes that a header will need to be
60@@ -878,21 +889,27 @@ type expectContinueReader struct {
61 resp *response
62 readCloser io.ReadCloser
63 closed bool
64- sawEOF bool
65+ sawEOF atomicBool
66 }
67
68 func (ecr *expectContinueReader) Read(p []byte) (n int, err error) {
69 if ecr.closed {
70 return 0, ErrBodyReadAfterClose
71 }
72- if !ecr.resp.wroteContinue && !ecr.resp.conn.hijacked() {
73- ecr.resp.wroteContinue = true
74- ecr.resp.conn.bufw.WriteString("HTTP/1.1 100 Continue\r\n\r\n")
75- ecr.resp.conn.bufw.Flush()
76+ w := ecr.resp
77+ if !w.wroteContinue && w.canWriteContinue.isSet() && !w.conn.hijacked() {
78+ w.wroteContinue = true
79+ w.writeContinueMu.Lock()
80+ if w.canWriteContinue.isSet() {
81+ w.conn.bufw.WriteString("HTTP/1.1 100 Continue\r\n\r\n")
82+ w.conn.bufw.Flush()
83+ w.canWriteContinue.setFalse()
84+ }
85+ w.writeContinueMu.Unlock()
86 }
87 n, err = ecr.readCloser.Read(p)
88 if err == io.EOF {
89- ecr.sawEOF = true
90+ ecr.sawEOF.setTrue()
91 }
92 return
93 }
94@@ -1311,7 +1328,7 @@ func (cw *chunkWriter) writeHeader(p []byte) {
95 // because we don't know if the next bytes on the wire will be
96 // the body-following-the-timer or the subsequent request.
97 // See Issue 11549.
98- if ecr, ok := w.req.Body.(*expectContinueReader); ok && !ecr.sawEOF {
99+ if ecr, ok := w.req.Body.(*expectContinueReader); ok && !ecr.sawEOF.isSet() {
100 w.closeAfterReply = true
101 }
102
103@@ -1561,6 +1578,17 @@ func (w *response) write(lenData int, dataB []byte, dataS string) (n int, err er
104 }
105 return 0, ErrHijacked
106 }
107+
108+ if w.canWriteContinue.isSet() {
109+ // Body reader wants to write 100 Continue but hasn't yet.
110+ // Tell it not to. The store must be done while holding the lock
111+ // because the lock makes sure that there is not an active write
112+ // this very moment.
113+ w.writeContinueMu.Lock()
114+ w.canWriteContinue.setFalse()
115+ w.writeContinueMu.Unlock()
116+ }
117+
118 if !w.wroteHeader {
119 w.WriteHeader(StatusOK)
120 }
121@@ -1872,6 +1900,7 @@ func (c *conn) serve(ctx context.Context) {
122 if req.ProtoAtLeast(1, 1) && req.ContentLength != 0 {
123 // Wrap the Body reader with one that replies on the connection
124 req.Body = &expectContinueReader{readCloser: req.Body, resp: w}
125+ w.canWriteContinue.setTrue()
126 }
127 } else if req.Header.get("Expect") != "" {
128 w.sendExpectationFailed()
129--
1302.17.1
131
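Review bot: In `expectContinueReader.Read`, `w.wroteContinue = true` is assigned before `writeContinueMu` is taken and before the second `canWriteContinue.isSet()` check. The field can therefore read true although the 100 Continue line was never sent, because the writer may clear the flag in between; it also remains a plain bool written from the body-reading side. Moving the assignment into the inner `if w.canWriteContinue.isSet() { ... }` block, next to `setFalse()`, would keep it truthful. Other readers of `wroteContinue` are outside the hunks shown, so whether this matters in practice needs checking against the full file. The commit message says the tests land in a separate CL and this backport carries none, so the synchronisation is unexercised in the recipe unless that CL is added too.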
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
new file mode 100644
index 0000000000..80f467522f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
@@ -0,0 +1,110 @@
1From 027d7241ce050d197e7fabea3d541ffbe3487258 Mon Sep 17 00:00:00 2001
2From: Katie Hockman <katie@golang.org>
3Date: Tue, 4 Aug 2020 11:45:32 -0400
4Subject: [PATCH] encoding/binary: read at most MaxVarintLen64 bytes in
5 ReadUvarint
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This CL ensures that ReadUvarint consumes only a limited
11amount of input (instead of an unbounded amount).
12
13On some inputs, ReadUvarint could read an arbitrary number
14of bytes before deciding to return an overflow error.
15After this CL, ReadUvarint returns that same overflow
16error sooner, after reading at most MaxVarintLen64 bytes.
17
18Fix authored by Robert Griesemer and Filippo Valsorda.
19
20Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
21and Preston Van Loon for reporting this.
22
23Fixes #40618
24Fixes CVE-2020-16845
25
26Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
27Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
28Reviewed-by: Filippo Valsorda <valsorda@google.com>
29Reviewed-on: https://go-review.googlesource.com/c/go/+/247120
30Run-TryBot: Katie Hockman <katie@golang.org>
31TryBot-Result: Gobot Gobot <gobot@golang.org>
32Reviewed-by: Alexander Rakoczy <alex@golang.org>
33
34Upstream-Status: Backport [https://github.com/golang/go.git]
35CVE: CVE-2020-16845
36Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
37---
38 src/encoding/binary/varint.go | 5 +++--
39 src/encoding/binary/varint_test.go | 18 ++++++++++++------
40 2 files changed, 15 insertions(+), 8 deletions(-)
41
42diff --git a/src/encoding/binary/varint.go b/src/encoding/binary/varint.go
43index bcb8ac9a45..38af61075c 100644
44--- a/src/encoding/binary/varint.go
45+++ b/src/encoding/binary/varint.go
46@@ -106,13 +106,13 @@ var overflow = errors.New("binary: varint overflows a 64-bit integer")
47 func ReadUvarint(r io.ByteReader) (uint64, error) {
48 var x uint64
49 var s uint
50- for i := 0; ; i++ {
51+ for i := 0; i < MaxVarintLen64; i++ {
52 b, err := r.ReadByte()
53 if err != nil {
54 return x, err
55 }
56 if b < 0x80 {
57- if i > 9 || i == 9 && b > 1 {
58+ if i == 9 && b > 1 {
59 return x, overflow
60 }
61 return x | uint64(b)<<s, nil
62@@ -120,6 +120,7 @@ func ReadUvarint(r io.ByteReader) (uint64, error) {
63 x |= uint64(b&0x7f) << s
64 s += 7
65 }
66+ return x, overflow
67 }
68
69 // ReadVarint reads an encoded signed integer from r and returns it as an int64.
70diff --git a/src/encoding/binary/varint_test.go b/src/encoding/binary/varint_test.go
71index ca411ecbd6..6ef4c99505 100644
72--- a/src/encoding/binary/varint_test.go
73+++ b/src/encoding/binary/varint_test.go
74@@ -121,21 +121,27 @@ func TestBufferTooSmall(t *testing.T) {
75 }
76 }
77
78-func testOverflow(t *testing.T, buf []byte, n0 int, err0 error) {
79+func testOverflow(t *testing.T, buf []byte, x0 uint64, n0 int, err0 error) {
80 x, n := Uvarint(buf)
81 if x != 0 || n != n0 {
82 t.Errorf("Uvarint(%v): got x = %d, n = %d; want 0, %d", buf, x, n, n0)
83 }
84
85- x, err := ReadUvarint(bytes.NewReader(buf))
86- if x != 0 || err != err0 {
87- t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want 0, %s", buf, x, err, err0)
88+ r := bytes.NewReader(buf)
89+ len := r.Len()
90+ x, err := ReadUvarint(r)
91+ if x != x0 || err != err0 {
92+ t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want %d, %s", buf, x, err, x0, err0)
93+ }
94+ if read := len - r.Len(); read > MaxVarintLen64 {
95+ t.Errorf("ReadUvarint(%v): read more than MaxVarintLen64 bytes, got %d", buf, read)
96 }
97 }
98
99 func TestOverflow(t *testing.T) {
100- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, -10, overflow)
101- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, -13, overflow)
102+ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, 0, -10, overflow)
103+ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, 0, -13, overflow)
104+ testOverflow(t, []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 1<<64-1, 0, overflow) // 11 bytes, should overflow
105 }
106
107 func TestNonCanonicalZero(t *testing.T) {
108--
1092.17.0
110
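Review bot: The new trailing `return x, overflow` in `ReadUvarint` can hand back a non-zero partial value together with the error (the added test case expects `1<<64-1`), so it deserves a comment such as `// x is a partial value here; callers must check err before using it`. The function's doc comment is outside the hunk and may need the same sentence plus the new bound of `MaxVarintLen64` bytes. In `testOverflow`, `len := r.Len()` shadows the builtin `len`; `before := r.Len()` reads better. The added assertion only checks `read > MaxVarintLen64`, so it would still pass if the reader consumed fewer bytes than intended.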
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch
new file mode 100644
index 0000000000..18a218bc9a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch
@@ -0,0 +1,429 @@
1From eb07103a083237414145a45f029c873d57037e06 Mon Sep 17 00:00:00 2001
2From: Roberto Clapis <roberto@golang.org>
3Date: Wed, 26 Aug 2020 08:53:03 +0200
4Subject: [PATCH] [release-branch.go1.15-security] net/http/cgi,net/http/fcgi:
5 add Content-Type detection
6
7This CL ensures that responses served via CGI and FastCGI
8have a Content-Type header based on the content of the
9response if not explicitly set by handlers.
10
11If the implementers of the handler did not explicitly
12specify a Content-Type both CGI implementations would default
13to "text/html", potentially causing cross-site scripting.
14
15Thanks to RedTeam Pentesting GmbH for reporting this.
16
17Fixes CVE-2020-24553
18
19Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
20Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
21Reviewed-by: Russ Cox <rsc@google.com>
22(cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0)
23Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835311
24Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
25
26Upstream-Status: Backport
27CVE: CVE-2020-24553
28Signed-off-by: Li Zhou <li.zhou@windriver.com>
29---
30 src/net/http/cgi/child.go | 36 ++++++++++-----
31 src/net/http/cgi/child_test.go | 69 ++++++++++++++++++++++++++++
32 src/net/http/cgi/integration_test.go | 53 ++++++++++++++++++++-
33 src/net/http/fcgi/child.go | 39 ++++++++++++----
34 src/net/http/fcgi/fcgi_test.go | 52 +++++++++++++++++++++
35 5 files changed, 227 insertions(+), 22 deletions(-)
36
37diff --git a/src/net/http/cgi/child.go b/src/net/http/cgi/child.go
38index 9474175f17..61de6165f6 100644
39--- a/src/net/http/cgi/child.go
40+++ b/src/net/http/cgi/child.go
41@@ -163,10 +163,12 @@ func Serve(handler http.Handler) error {
42 }
43
44 type response struct {
45- req *http.Request
46- header http.Header
47- bufw *bufio.Writer
48- headerSent bool
49+ req *http.Request
50+ header http.Header
51+ code int
52+ wroteHeader bool
53+ wroteCGIHeader bool
54+ bufw *bufio.Writer
55 }
56
57 func (r *response) Flush() {
58@@ -178,26 +180,38 @@ func (r *response) Header() http.Header {
59 }
60
61 func (r *response) Write(p []byte) (n int, err error) {
62- if !r.headerSent {
63+ if !r.wroteHeader {
64 r.WriteHeader(http.StatusOK)
65 }
66+ if !r.wroteCGIHeader {
67+ r.writeCGIHeader(p)
68+ }
69 return r.bufw.Write(p)
70 }
71
72 func (r *response) WriteHeader(code int) {
73- if r.headerSent {
74+ if r.wroteHeader {
75 // Note: explicitly using Stderr, as Stdout is our HTTP output.
76 fmt.Fprintf(os.Stderr, "CGI attempted to write header twice on request for %s", r.req.URL)
77 return
78 }
79- r.headerSent = true
80- fmt.Fprintf(r.bufw, "Status: %d %s\r\n", code, http.StatusText(code))
81+ r.wroteHeader = true
82+ r.code = code
83+}
84
85- // Set a default Content-Type
86+// writeCGIHeader finalizes the header sent to the client and writes it to the output.
87+// p is not written by writeHeader, but is the first chunk of the body
88+// that will be written. It is sniffed for a Content-Type if none is
89+// set explicitly.
90+func (r *response) writeCGIHeader(p []byte) {
91+ if r.wroteCGIHeader {
92+ return
93+ }
94+ r.wroteCGIHeader = true
95+ fmt.Fprintf(r.bufw, "Status: %d %s\r\n", r.code, http.StatusText(r.code))
96 if _, hasType := r.header["Content-Type"]; !hasType {
97- r.header.Add("Content-Type", "text/html; charset=utf-8")
98+ r.header.Set("Content-Type", http.DetectContentType(p))
99 }
100-
101 r.header.Write(r.bufw)
102 r.bufw.WriteString("\r\n")
103 r.bufw.Flush()
104diff --git a/src/net/http/cgi/child_test.go b/src/net/http/cgi/child_test.go
105index 14e0af475f..f6ecb6eb80 100644
106--- a/src/net/http/cgi/child_test.go
107+++ b/src/net/http/cgi/child_test.go
108@@ -7,6 +7,11 @@
109 package cgi
110
111 import (
112+ "bufio"
113+ "bytes"
114+ "net/http"
115+ "net/http/httptest"
116+ "strings"
117 "testing"
118 )
119
120@@ -148,3 +153,67 @@ func TestRequestWithoutRemotePort(t *testing.T) {
121 t.Errorf("RemoteAddr: got %q; want %q", g, e)
122 }
123 }
124+
125+type countingWriter int
126+
127+func (c *countingWriter) Write(p []byte) (int, error) {
128+ *c += countingWriter(len(p))
129+ return len(p), nil
130+}
131+func (c *countingWriter) WriteString(p string) (int, error) {
132+ *c += countingWriter(len(p))
133+ return len(p), nil
134+}
135+
136+func TestResponse(t *testing.T) {
137+ var tests = []struct {
138+ name string
139+ body string
140+ wantCT string
141+ }{
142+ {
143+ name: "no body",
144+ wantCT: "text/plain; charset=utf-8",
145+ },
146+ {
147+ name: "html",
148+ body: "<html><head><title>test page</title></head><body>This is a body</body></html>",
149+ wantCT: "text/html; charset=utf-8",
150+ },
151+ {
152+ name: "text",
153+ body: strings.Repeat("gopher", 86),
154+ wantCT: "text/plain; charset=utf-8",
155+ },
156+ {
157+ name: "jpg",
158+ body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
159+ wantCT: "image/jpeg",
160+ },
161+ }
162+ for _, tt := range tests {
163+ t.Run(tt.name, func(t *testing.T) {
164+ var buf bytes.Buffer
165+ resp := response{
166+ req: httptest.NewRequest("GET", "/", nil),
167+ header: http.Header{},
168+ bufw: bufio.NewWriter(&buf),
169+ }
170+ n, err := resp.Write([]byte(tt.body))
171+ if err != nil {
172+ t.Errorf("Write: unexpected %v", err)
173+ }
174+ if want := len(tt.body); n != want {
175+ t.Errorf("reported short Write: got %v want %v", n, want)
176+ }
177+ resp.writeCGIHeader(nil)
178+ resp.Flush()
179+ if got := resp.Header().Get("Content-Type"); got != tt.wantCT {
180+ t.Errorf("wrong content-type: got %q, want %q", got, tt.wantCT)
181+ }
182+ if !bytes.HasSuffix(buf.Bytes(), []byte(tt.body)) {
183+ t.Errorf("body was not correctly written")
184+ }
185+ })
186+ }
187+}
188diff --git a/src/net/http/cgi/integration_test.go b/src/net/http/cgi/integration_test.go
189index 32d59c09a3..295c3b82d4 100644
190--- a/src/net/http/cgi/integration_test.go
191+++ b/src/net/http/cgi/integration_test.go
192@@ -16,7 +16,9 @@ import (
193 "io"
194 "net/http"
195 "net/http/httptest"
196+ "net/url"
197 "os"
198+ "strings"
199 "testing"
200 "time"
201 )
202@@ -52,7 +54,7 @@ func TestHostingOurselves(t *testing.T) {
203 }
204 replay := runCgiTest(t, h, "GET /test.go?foo=bar&a=b HTTP/1.0\nHost: example.com\n\n", expectedMap)
205
206- if expected, got := "text/html; charset=utf-8", replay.Header().Get("Content-Type"); got != expected {
207+ if expected, got := "text/plain; charset=utf-8", replay.Header().Get("Content-Type"); got != expected {
208 t.Errorf("got a Content-Type of %q; expected %q", got, expected)
209 }
210 if expected, got := "X-Test-Value", replay.Header().Get("X-Test-Header"); got != expected {
211@@ -152,6 +154,51 @@ func TestChildOnlyHeaders(t *testing.T) {
212 }
213 }
214
215+func TestChildContentType(t *testing.T) {
216+ testenv.MustHaveExec(t)
217+
218+ h := &Handler{
219+ Path: os.Args[0],
220+ Root: "/test.go",
221+ Args: []string{"-test.run=TestBeChildCGIProcess"},
222+ }
223+ var tests = []struct {
224+ name string
225+ body string
226+ wantCT string
227+ }{
228+ {
229+ name: "no body",
230+ wantCT: "text/plain; charset=utf-8",
231+ },
232+ {
233+ name: "html",
234+ body: "<html><head><title>test page</title></head><body>This is a body</body></html>",
235+ wantCT: "text/html; charset=utf-8",
236+ },
237+ {
238+ name: "text",
239+ body: strings.Repeat("gopher", 86),
240+ wantCT: "text/plain; charset=utf-8",
241+ },
242+ {
243+ name: "jpg",
244+ body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
245+ wantCT: "image/jpeg",
246+ },
247+ }
248+ for _, tt := range tests {
249+ t.Run(tt.name, func(t *testing.T) {
250+ expectedMap := map[string]string{"_body": tt.body}
251+ req := fmt.Sprintf("GET /test.go?exact-body=%s HTTP/1.0\nHost: example.com\n\n", url.QueryEscape(tt.body))
252+ replay := runCgiTest(t, h, req, expectedMap)
253+ if got := replay.Header().Get("Content-Type"); got != tt.wantCT {
254+ t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT)
255+ }
256+ })
257+ }
258+}
259+
260 // golang.org/issue/7198
261 func Test500WithNoHeaders(t *testing.T) { want500Test(t, "/immediate-disconnect") }
262 func Test500WithNoContentType(t *testing.T) { want500Test(t, "/no-content-type") }
263@@ -203,6 +250,10 @@ func TestBeChildCGIProcess(t *testing.T) {
264 if req.FormValue("no-body") == "1" {
265 return
266 }
267+ if eb, ok := req.Form["exact-body"]; ok {
268+ io.WriteString(rw, eb[0])
269+ return
270+ }
271 if req.FormValue("write-forever") == "1" {
272 io.Copy(rw, neverEnding('a'))
273 for {
274diff --git a/src/net/http/fcgi/child.go b/src/net/http/fcgi/child.go
275index 30a6b2ce2d..a31273b3ec 100644
276--- a/src/net/http/fcgi/child.go
277+++ b/src/net/http/fcgi/child.go
278@@ -74,10 +74,12 @@ func (r *request) parseParams() {
279
280 // response implements http.ResponseWriter.
281 type response struct {
282- req *request
283- header http.Header
284- w *bufWriter
285- wroteHeader bool
286+ req *request
287+ header http.Header
288+ code int
289+ wroteHeader bool
290+ wroteCGIHeader bool
291+ w *bufWriter
292 }
293
294 func newResponse(c *child, req *request) *response {
295@@ -92,11 +94,14 @@ func (r *response) Header() http.Header {
296 return r.header
297 }
298
299-func (r *response) Write(data []byte) (int, error) {
300+func (r *response) Write(p []byte) (n int, err error) {
301 if !r.wroteHeader {
302 r.WriteHeader(http.StatusOK)
303 }
304- return r.w.Write(data)
305+ if !r.wroteCGIHeader {
306+ r.writeCGIHeader(p)
307+ }
308+ return r.w.Write(p)
309 }
310
311 func (r *response) WriteHeader(code int) {
312@@ -104,22 +109,34 @@ func (r *response) WriteHeader(code int) {
313 return
314 }
315 r.wroteHeader = true
316+ r.code = code
317 if code == http.StatusNotModified {
318 // Must not have body.
319 r.header.Del("Content-Type")
320 r.header.Del("Content-Length")
321 r.header.Del("Transfer-Encoding")
322- } else if r.header.Get("Content-Type") == "" {
323- r.header.Set("Content-Type", "text/html; charset=utf-8")
324 }
325-
326 if r.header.Get("Date") == "" {
327 r.header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
328 }
329+}
330
331- fmt.Fprintf(r.w, "Status: %d %s\r\n", code, http.StatusText(code))
332+// writeCGIHeader finalizes the header sent to the client and writes it to the output.
333+// p is not written by writeHeader, but is the first chunk of the body
334+// that will be written. It is sniffed for a Content-Type if none is
335+// set explicitly.
336+func (r *response) writeCGIHeader(p []byte) {
337+ if r.wroteCGIHeader {
338+ return
339+ }
340+ r.wroteCGIHeader = true
341+ fmt.Fprintf(r.w, "Status: %d %s\r\n", r.code, http.StatusText(r.code))
342+ if _, hasType := r.header["Content-Type"]; r.code != http.StatusNotModified && !hasType {
343+ r.header.Set("Content-Type", http.DetectContentType(p))
344+ }
345 r.header.Write(r.w)
346 r.w.WriteString("\r\n")
347+ r.w.Flush()
348 }
349
350 func (r *response) Flush() {
351@@ -290,6 +307,8 @@ func (c *child) serveRequest(req *request, body io.ReadCloser) {
352 httpReq = httpReq.WithContext(envVarCtx)
353 c.handler.ServeHTTP(r, httpReq)
354 }
355+ // Make sure we serve something even if nothing was written to r
356+ r.Write(nil)
357 r.Close()
358 c.mu.Lock()
359 delete(c.requests, req.reqId)
360diff --git a/src/net/http/fcgi/fcgi_test.go b/src/net/http/fcgi/fcgi_test.go
361index e9d2b34023..4a27a12c35 100644
362--- a/src/net/http/fcgi/fcgi_test.go
363+++ b/src/net/http/fcgi/fcgi_test.go
364@@ -10,6 +10,7 @@ import (
365 "io"
366 "io/ioutil"
367 "net/http"
368+ "strings"
369 "testing"
370 )
371
372@@ -344,3 +345,54 @@ func TestChildServeReadsEnvVars(t *testing.T) {
373 <-done
374 }
375 }
376+
377+func TestResponseWriterSniffsContentType(t *testing.T) {
378+ var tests = []struct {
379+ name string
380+ body string
381+ wantCT string
382+ }{
383+ {
384+ name: "no body",
385+ wantCT: "text/plain; charset=utf-8",
386+ },
387+ {
388+ name: "html",
389+ body: "<html><head><title>test page</title></head><body>This is a body</body></html>",
390+ wantCT: "text/html; charset=utf-8",
391+ },
392+ {
393+ name: "text",
394+ body: strings.Repeat("gopher", 86),
395+ wantCT: "text/plain; charset=utf-8",
396+ },
397+ {
398+ name: "jpg",
399+ body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
400+ wantCT: "image/jpeg",
401+ },
402+ }
403+ for _, tt := range tests {
404+ t.Run(tt.name, func(t *testing.T) {
405+ input := make([]byte, len(streamFullRequestStdin))
406+ copy(input, streamFullRequestStdin)
407+ rc := nopWriteCloser{bytes.NewBuffer(input)}
408+ done := make(chan bool)
409+ var resp *response
410+ c := newChild(rc, http.HandlerFunc(func(
411+ w http.ResponseWriter,
412+ r *http.Request,
413+ ) {
414+ io.WriteString(w, tt.body)
415+ resp = w.(*response)
416+ done <- true
417+ }))
418+ defer c.cleanUp()
419+ go c.serve()
420+ <-done
421+ if got := resp.Header().Get("Content-Type"); got != tt.wantCT {
422+ t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT)
423+ }
424+ })
425+ }
426+}
427--
4282.17.1
429
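Review bot: `writeCGIHeader` in both cgi/child.go and fcgi/child.go derives the default Content-Type from `http.DetectContentType(p)`, where `p` is only the first chunk handed to `Write`, so a body that begins with markup is still served as `text/html` (the "html" test case pins exactly that). The doc comment should say so plainly, for example `// Only the first Write is sniffed; handlers that emit untrusted data must set Content-Type themselves.` The fix removes the blanket `text/html` default but still lets response content decide the type. Separately, the two new test messages say "expected it to start with %q" while the check is `got != tt.wantCT`; "expected %q" would match what is tested.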
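--- /dev/null
+++ b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch
@@ -0,0 +1,23 @@
+traceback2 adds traceback for python2. Rather than depend on traceback2, we're
+python3 only so just use traceback.
+This caused breakage in oe-selftest -j which uses testtools on the autobuilder
+using buildtools-tarball.
+
+Upstream-Status: Inappropriate [Our recipe is python3 specific]
+(Once py2 is EOL upstream probably could/should take this)
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: testtools-2.3.0/testtools/content.py
+===================================================================
+--- testtools-2.3.0.orig/testtools/content.py
++++ testtools-2.3.0/testtools/content.py
+@@ -19,8 +19,7 @@ import os
+ import sys
+
+ from extras import try_import
+-# To let setup.py work, make this a conditional import.
+-traceback = try_import('traceback2')
++import traceback
+
+ from testtools.compat import (
+ _b,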
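--- a/meta/recipes-devtools/python/python3-testtools_2.3.0.bb
+++ b/meta/recipes-devtools/python/python3-testtools_2.3.0.bb
@@ -1,2 +1,4 @@
 inherit setuptools3
 require python-testtools.inc
+
+SRC_URI += "file://no_traceback2.patch"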
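--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,10 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
  file://CVE-2020-11869.patch \
  file://CVE-2020-13765.patch \
  file://CVE-2020-10702.patch \
+ file://CVE-2020-16092.patch \
+ file://CVE-2020-10756.patch \
+ file://CVE-2020-15863.patch \
+ file://CVE-2020-14364.patch \
  "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 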
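--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
@@ -0,0 +1,40 @@
+From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp <rhafer@suse.com>
+Date: Fri, 3 Jul 2020 14:51:16 +0200
+Subject: [PATCH] Drop bogus IPv6 messages
+
+Drop IPv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). They're invalid an could
+lead to data leakage in icmp6_send_echoreply().
+
+CVE: CVE-2020-10756
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
+
+[SG: Based on libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 and adjusted context]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ slirp/src/ip6_input.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index d9d2b7e9..0f2b1785 100644
+--- a/slirp/src/ip6_input.c
++++ b/slirp/src/ip6_input.c
+@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
+ goto bad;
+ }
+
++ // Check if the message size is big enough to hold what's
++ // set in the payload length header. If not this is an invalid
++ // packet
++ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
++ goto bad;
++ }
++
+ /* check ip_ttl for a correct ICMP reply */
+ if (ip6->ip_hl == 0) {
+ icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+--
+2.17.1
+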
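Review bot: The added check in ip6_input() compares `m->m_len` against `ntohs(ip6->ip_pl) + sizeof(struct ip6)`, which has type size_t, so if `m_len` is a signed field (its declaration is not visible here) it is converted to unsigned without any sign of that in the code. Writing the conversion out, `if ((size_t)m->m_len < sizeof(struct ip6) + ntohs(ip6->ip_pl)) {`, makes the intended comparison explicit and keeps sign-compare warnings quiet. The new comment also uses `//` while the neighbouring context comment is `/* ... */`; matching the file's style would read `/* Drop packets shorter than the declared payload length plus the IPv6 header. */`. The function body starts and ends outside the hunk.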
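--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
@@ -0,0 +1,93 @@
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+
+Upstream-Status: Backport
+CVE: CVE-2020-14364
+[https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128..5234dcc 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+ int request, value, index;
++ unsigned int setup_len;
+
+ if (p->iov.size != 8) {
+ p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
+ s->setup_index = 0;
+ p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+ int i, request, value, index;
++ unsigned int setup_len;
+
+ for (i = 0; i < 8; i++) {
+ s->setup_buf[i] = p->parameter >> (i*8);
+ }
+
+ s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ s->setup_index = 0;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ if (p->pid == USB_TOKEN_OUT) {
+ usb_packet_copy(p, s->data_buf, s->setup_len);
+--
+2.17.1
+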
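Review bot: The new local `setup_len` is declared `unsigned int`, but both fprintf calls (in do_token_setup and again in do_parameter) still format it with `%d`; the conversion should be `%u`, i.e. `"usb_generic_handle_packet: ctrl buffer too small (%u > %zu)\n"`. In do_parameter the rejected path now returns with `s->setup_state` and `s->setup_index` already updated while `s->setup_len` keeps its previous, already validated value. That looks intentional, but a short comment such as `/* s->setup_len is only written once the new length has passed the bound check */` would keep the invariant visible. Both functions continue outside the hunks shown.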
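--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,64 @@
+From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Fri, 10 Jul 2020 11:19:41 +0200
+Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
+
+A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
+occurs while sending an Ethernet frame due to missing break statements
+and improper checking of the buffer size.
+
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2020-15863
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/xgmac.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
+index f49df95..f496f7e 100644
+--- a/hw/net/xgmac.c
++++ b/hw/net/xgmac.c
+@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
+ }
+ len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
+
++ /*
++ * FIXME: these cases of malformed tx descriptors (bad sizes)
++ * should probably be reported back to the guest somehow
++ * rather than simply silently stopping processing, but we
++ * don't know what the hardware does in this situation.
++ * This will only happen for buggy guests anyway.
++ */
+ if ((bd.buffer1_size & 0xfff) > 2048) {
+ DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+ "xgmac buffer 1 len on send > 2048 (0x%x)\n",
+ __func__, bd.buffer1_size & 0xfff);
++ break;
+ }
+ if ((bd.buffer2_size & 0xfff) != 0) {
+ DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+ "xgmac buffer 2 len on send != 0 (0x%x)\n",
+ __func__, bd.buffer2_size & 0xfff);
++ break;
+ }
+- if (len >= sizeof(frame)) {
++ if (frame_size + len >= sizeof(frame)) {
+ DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
+- "buffer\n" , __func__, len, sizeof(frame));
++ "buffer\n" , __func__, frame_size + len, sizeof(frame));
+ DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
+ __func__, bd.buffer1_size, bd.buffer2_size);
++ break;
+ }
+
+ cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
+--
+1.9.1
+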
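Review bot: The three rejected-descriptor paths in xgmac_enet_send() report only through `DEBUGF_BRK`, which is presumably compiled out of normal builds, so after this change a malformed tx descriptor stops transmit processing with no trace on the host. The added FIXME already attributes these cases to buggy guests, so a guest-error log next to each `break` would make them observable, for example `qemu_log_mask(LOG_GUEST_ERROR, "xgmac: malformed tx descriptor size\n");`. The enclosing loop starts outside the hunk, so the state in which `break` leaves the descriptor ring cannot be judged from here.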
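--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
@@ -0,0 +1,49 @@
+From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Sat, 1 Aug 2020 18:42:38 +0200
+Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
+ net_tx_pkt_add_raw_fragment()
+
+An assertion failure issue was found in the code that processes network
+packets
+while adding data fragments into the packet context. It could be abused
+by a
+malicious guest to abort the QEMU process on the host. This patch
+replaces the
+affected assert() with a conditional statement, returning false if the
+current
+data fragment exceeds max_raw_frags.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-16092
+[https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 162f802..54d4c3b 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
+ hwaddr mapped_len = 0;
+ struct iovec *ventry;
+ assert(pkt);
+- assert(pkt->max_raw_frags > pkt->raw_frags);
++
++ if (pkt->raw_frags >= pkt->max_raw_frags) {
++ return false;
++ }
+
+ if (!len) {
+ return true;
+--
+2.17.1
+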
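Review bot: The new bound check in net_tx_pkt_add_raw_fragment() carries no comment explaining why it is a runtime check, while `assert(pkt);` directly above it is kept, so a later cleanup could plausibly turn it back into an assertion. A one-line comment such as `/* the fragment count is guest-controlled: fail the fragment instead of aborting QEMU */` keeps the reason from the commit message next to the code. The check also runs before the `if (!len)` early return, so a zero-length fragment offered when the table is already full now returns false. The callers are outside this hunk and need to treat false as a dropped packet.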
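--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
@@ -0,0 +1,37 @@
+From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sat, 25 Jul 2020 19:33:50 +0200
+Subject: [PATCH] fix for ZDI-11426
+
+Avoid leaking un-initalized memory to clients by zeroing the
+whole pixmap on initial allocation.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-14347
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ dix/pixmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/pixmap.c b/dix/pixmap.c
+index 1186d7dbb..5a0146bbb 100644
+--- a/dix/pixmap.c
++++ b/dix/pixmap.c
+@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
+ if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
+ return NullPixmap;
+
+- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
++ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
+ if (!pPixmap)
+ return NullPixmap;
+
+--
+2.17.1
+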
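Review bot: The switch to `calloc(1, ...)` in AllocatePixmap() records its security reason only in the commit message, so the call reads like an ordinary allocation that someone could later change back to malloc for speed. A comment directly above it, e.g. `/* zero the whole pixmap so uninitialised heap contents are never exposed to clients */`, keeps the reason with the code. The rest of the function lies outside the hunk.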
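--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
  file://0001-test-xtest-Initialize-array-with-braces.patch \
  file://0001-compiler.h-Do-not-include-sys-io.h-on-ARM-with-glibc.patch \
  file://sdksyms-no-build-path.patch \
+ file://CVE-2020-14347.patch \
  "
 SRC_URI[md5sum] = "c9fc7e21e11286dbedd22c00df652130"
 SRC_URI[sha256sum] = "a81d8243f37e75a03d4f8c55f96d0bc25802be6ec45c3bfa5cb614c6d01bac9d"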
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc
index bc24b05fec..92b473add6 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://gstreamer.freedesktop.org/"
3BUGTRACKER = "https://bugzilla.gnome.org/enter_bug.cgi?product=Gstreamer" 3BUGTRACKER = "https://bugzilla.gnome.org/enter_bug.cgi?product=Gstreamer"
4SECTION = "multimedia" 4SECTION = "multimedia"
5 5
6DEPENDS = "gstreamer1.0 glib-2.0-native" 6DEPENDS = "gstreamer1.0 glib-2.0-native make-native"
7 7
8SRC_URI_append = " file://gtk-doc-tweaks.patch" 8SRC_URI_append = " file://gtk-doc-tweaks.patch"
9 9
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb
index 15ef5d1b28..b7470b0047 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.2.bb
@@ -4,7 +4,7 @@ SECTION = "multimedia"
4LICENSE = "LGPLv2" 4LICENSE = "LGPLv2"
5LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d" 5LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d"
6 6
7DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base" 7DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base make-native"
8 8
9PNREAL = "gst-rtsp-server" 9PNREAL = "gst-rtsp-server"
10 10
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb
index cf7c1bca12..96a6ade22b 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.2.bb
@@ -6,7 +6,7 @@ BUGTRACKER = "https://bugzilla.gnome.org/enter_bug.cgi?product=Gstreamer"
6SECTION = "multimedia" 6SECTION = "multimedia"
7LICENSE = "LGPLv2+" 7LICENSE = "LGPLv2+"
8 8
9DEPENDS = "glib-2.0 glib-2.0-native libcap libxml2 bison-native flex-native" 9DEPENDS = "glib-2.0 glib-2.0-native libcap libxml2 bison-native flex-native make-native"
10 10
11inherit autotools pkgconfig gettext upstream-version-is-even gobject-introspection gtk-doc ptest 11inherit autotools pkgconfig gettext upstream-version-is-even gobject-introspection gtk-doc ptest
12 12
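--- a/meta/recipes-support/attr/acl_2.2.52.bb
+++ b/meta/recipes-support/attr/acl_2.2.52.bb
@@ -25,6 +25,9 @@ SRC_URI[sha256sum] = "179074bb0580c06c4b4137be4c5a92a701583277967acdb5546043c787
 
 require ea-acl.inc
 
+# Has issues with newer versions of make
+PARALLEL_MAKEINST = ""
+
 # avoid RPATH hardcode to staging dir
 do_configure_append() {
  sed -i ${S}/config.status -e s,^\\\(hardcode_into_libs=\\\).*$,\\1\'no\',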
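--- a/meta/recipes-support/attr/attr_2.4.47.bb
+++ b/meta/recipes-support/attr/attr_2.4.47.bb
@@ -12,4 +12,7 @@ SRC_URI += "file://attr-Missing-configure.ac.patch \
 SRC_URI[md5sum] = "84f58dec00b60f2dc8fd1c9709291cc7"
 SRC_URI[sha256sum] = "25772f653ac5b2e3ceeb89df50e4688891e21f723c460636548971652af0a859"
 
+# Has issues with newer versions of make
+PARALLEL_MAKEINST = ""
+
 BBCLASSEXTEND = "native nativesdk"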
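--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
@@ -0,0 +1,117 @@
+From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 22 Aug 2020 17:19:39 +0200
+Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is
+ incomplete
+
+If the initial handshake is incomplete and the server sends a
+no_renegotiation alert, the client should treat it as a fatal error
+even if its level is warning. Otherwise the same handshake
+state (e.g., DHE parameters) are reused in the next gnutls_handshake
+call, if it is called in the loop idiom:
+
+ do {
+ ret = gnutls_handshake(session);
+ } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+CVE: CVE-2020-24659
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ lib/gnutls_int.h | 1 +
+ lib/handshake.c | 48 +++++++++++++-----
+ 2 files changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index bb6c19713..31cec5c0c 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -1370,6 +1370,7 @@ typedef struct {
+ #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
+ #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
+ #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
++#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
+
+ /* The hsk_flags are for use within the ongoing handshake;
+ * they are reset to zero prior to handshake start by gnutls_handshake. */
+diff --git a/lib/handshake.c b/lib/handshake.c
+index b40f84b3d..ce2d160e2 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
++ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
++
+ return 0;
+ }
+
+@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session)
+ return 0;
+ }
+
++/* This function checks whether the error code should be treated fatal
++ * or not, and also does the necessary state transition. In
++ * particular, in the case of a rehandshake abort it resets the
++ * handshake's internal state.
++ */
+ inline static int
+ _gnutls_abort_handshake(gnutls_session_t session, int ret)
+ {
+- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
+- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
+- || ret == GNUTLS_E_GOT_APPLICATION_DATA)
+- return 0;
++ switch (ret) {
++ case GNUTLS_E_WARNING_ALERT_RECEIVED:
++ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
++ /* The server always toleretes a "no_renegotiation" alert. */
++ if (session->security_parameters.entity == GNUTLS_SERVER) {
++ STATE = STATE0;
++ return ret;
++ }
++
++ /* The client should tolerete a "no_renegotiation" alert only if:
++ * - the initial handshake has completed, or
++ * - a Server Hello is not yet received
++ */
++ if (session->internals.initial_negotiation_completed ||
++ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
++ STATE = STATE0;
++ return ret;
++ }
+
+- /* this doesn't matter */
+- return GNUTLS_E_INTERNAL_ERROR;
++ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
++ }
++ return ret;
++ case GNUTLS_E_GOT_APPLICATION_DATA:
++ STATE = STATE0;
++ return ret;
++ default:
++ return ret;
++ }
+ }
+
+
+@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session)
+ }
+
+ if (ret < 0) {
+- /* In the case of a rehandshake abort
+- * we should reset the handshake's internal state.
+- */
+- if (_gnutls_abort_handshake(session, ret) == 0)
+- STATE = STATE0;
+-
+- return ret;
++ return _gnutls_abort_handshake(session, ret);
+ }
+
+ /* clear handshake buffer */
+--
+2.17.0
+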
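Review bot: The new header comment on _gnutls_abort_handshake() still describes the function as deciding whether the error is fatal, but it now returns the code that gnutls_handshake() hands back and can replace `ret` with `GNUTLS_E_UNEXPECTED_PACKET`. The comment should state that contract, e.g. `Returns the error code to report to the caller, which may differ from ret.` The two inline comments misspell "tolerates" and "tolerate" as `toleretes` and `tolerete`. In the `GNUTLS_E_WARNING_ALERT_RECEIVED` case, a warning alert other than no_renegotiation reaches `return ret;` without resetting STATE. That matches the removed code, but a one-line comment would show it is deliberate rather than an omission.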
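--- a/meta/recipes-support/gnutls/gnutls_3.6.13.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
  file://CVE-2020-13777-a.patch \
  file://CVE-2020-13777-b.patch \
  file://CVE-2020-13777-c.patch \
+ file://CVE-2020-24659.patch \
 "
 
 SRC_URI[md5sum] = "bb1fe696a11543433785b4fc70ca225f"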
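--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch
@@ -0,0 +1,41 @@
+--- pcre-8.43/pcre_compile.c 2020-07-05 22:26:25.310501521 +0530
++++ pcre-8.43/pcre_compile1.c 2020-07-05 22:30:22.254489562 +0530
+
+CVE: CVE-2020-14155
+Upstream-Status: Backport [https://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?view=patch&r1=1761&r2=1760&pathrev=1761]
+Signed-off-by: Rahul Taya<Rahul.Taya@kpit.com>
+
+@@ -6,7 +6,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+
+ Written by Philip Hazel
+- Copyright (c) 1997-2018 University of Cambridge
++ Copyright (c) 1997-2020 University of Cambridge
+
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -7130,17 +7130,19 @@
+ int n = 0;
+ ptr++;
+ while(IS_DIGIT(*ptr))
++ {
+ n = n * 10 + *ptr++ - CHAR_0;
++ if (n > 255)
++ {
++ *errorcodeptr = ERR38;
++ goto FAILED;
++ }
++ }
+ if (*ptr != CHAR_RIGHT_PARENTHESIS)
+ {
+ *errorcodeptr = ERR39;
+ goto FAILED;
+ }
+- if (n > 255)
+- {
+- *errorcodeptr = ERR38;
+- goto FAILED;
+- }
+ *code++ = n;
+ PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
+ PUT(code, LINK_SIZE, 0); /* Default length */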
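Review bot: The embedded patch's file header names two different files, `--- pcre-8.43/pcre_compile.c` and `+++ pcre-8.43/pcre_compile1.c`, so which file is modified depends on how the patch tool resolves the pair; both lines should read `pcre-8.43/pcre_compile.c`. The CVE, Upstream-Status and Signed-off-by tags sit between that header and the first hunk rather than above it, and the first hunk only bumps the copyright year, which is unrelated to the fix and adds a needless conflict point for later backports. The substantive change moves the `n > 255` test inside the digit loop so `n` is bounded while digits are still being read, and that change looks right. The surrounding function is outside the hunk.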
diff --git a/meta/recipes-support/libpcre/libpcre_8.43.bb b/meta/recipes-support/libpcre/libpcre_8.43.bb
index b97af08b25..60ece64504 100644
--- a/meta/recipes-support/libpcre/libpcre_8.43.bb
+++ b/meta/recipes-support/libpcre/libpcre_8.43.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \
12 file://out-of-tree.patch \ 12 file://out-of-tree.patch \
13 file://run-ptest \ 13 file://run-ptest \
14 file://Makefile \ 14 file://Makefile \
15 file://CVE-2020-14155.patch \
15" 16"
16 17
17SRC_URI[md5sum] = "636222e79e392c3d95dcc545f24f98c4" 18SRC_URI[md5sum] = "636222e79e392c3d95dcc545f24f98c4"