diff options
14 files changed, 252 insertions, 20 deletions
diff --git a/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch new file mode 100644 index 0000000000..83bef30229 --- /dev/null +++ b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch @@ -0,0 +1,52 @@ +From 28bdae3d113ef479c1660a581ef720cdc33bf466 Mon Sep 17 00:00:00 2001 +From: Jann Horn <jannh@google.com> +Date: Fri, 13 Jul 2018 15:15:36 -0700 +Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options + +The old code permits the following behavior: + +$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount +mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument) + +However, backslashes do not have any special meaning for the kernel here. + +As it happens, you can't abuse this because there is no FUSE mount option +that takes a string value that can contain backslashes; but this is very +brittle. Don't interpret "escape characters" in places where they don't +work. + +CVE: CVE-2018-10906 +Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/28bdae3d113ef479c1660a581ef720cdc33bf466] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + util/fusermount.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/util/fusermount.c b/util/fusermount.c +index 0e1d34d..143bd4a 100644 +--- a/util/fusermount.c ++++ b/util/fusermount.c +@@ -29,6 +29,7 @@ + #include <sys/socket.h> + #include <sys/utsname.h> + #include <sched.h> ++#include <stdbool.h> + + #define FUSE_COMMFD_ENV "_FUSE_COMMFD" + +@@ -754,8 +755,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode, + unsigned len; + const char *fsname_str = "fsname="; + const char *subtype_str = "subtype="; ++ bool escape_ok = begins_with(s, fsname_str) || ++ begins_with(s, subtype_str); + for (len = 0; s[len]; len++) { +- if (s[len] == '\\' && s[len + 1]) ++ if (escape_ok && s[len] == '\\' && s[len + 1]) + len++; + else if (s[len] == ',') + break; +-- +2.13.3 + diff --git a/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch new file mode 100644 index 0000000000..104aa171bd --- /dev/null +++ b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch @@ -0,0 +1,48 @@ +From 5018a0c016495155ee598b7e0167b43d5d902414 Mon Sep 17 00:00:00 2001 +From: Jann Horn <jannh@google.com> +Date: Sat, 14 Jul 2018 03:47:50 -0700 +Subject: [PATCH] fusermount: refuse unknown options + +Blacklists are notoriously fragile; especially if the kernel wishes to add +some security-critical mount option at a later date, all existing systems +with older versions of fusermount installed will suddenly have a security +problem. +Additionally, if the kernel's option parsing became a tiny bit laxer, the +blacklist could probably be bypassed. + +Whitelist known-harmless flags instead, even if it's slightly more +inconvenient. + +CVE: CVE-2018-10906 +Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/5018a0c016495155ee598b7e0167b43d5d902414] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + util/fusermount.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/util/fusermount.c b/util/fusermount.c +index 4e0f51a..2792407 100644 +--- a/util/fusermount.c ++++ b/util/fusermount.c +@@ -819,10 +819,16 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode, + flags |= flag; + else + flags &= ~flag; +- } else { ++ } else if (opt_eq(s, len, "default_permissions") || ++ opt_eq(s, len, "allow_other") || ++ begins_with(s, "max_read=") || ++ begins_with(s, "blksize=")) { + memcpy(d, s, len); + d += len; + *d++ = ','; ++ } else { ++ fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s); ++ exit(1); + } + } + } +-- +2.13.3 + diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb index 202d4c3eb8..1eb9b70077 100644 --- a/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb +++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb @@ -15,6 +15,8 @@ SRC_URI = "https://github.com/libfuse/libfuse/releases/download/${BP}/${BP}.tar. file://aarch64.patch \ file://0001-fuse-fix-the-return-value-of-help-option.patch \ file://fuse.conf \ + file://CVE-2018-10906-1.patch \ + file://CVE-2018-10906-2.patch \ " SRC_URI[md5sum] = "9bd4ce8184745fd3d000ca2692adacdb" SRC_URI[sha256sum] = "832432d1ad4f833c20e13b57cf40ce5277a9d33e483205fc63c78111b3358874" diff --git a/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch b/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch new file mode 100644 index 0000000000..213403e82f --- /dev/null +++ b/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch @@ -0,0 +1,82 @@ +From a27e07d90a4608ceaf928b1babb27d4d803e1992 Mon Sep 17 00:00:00 2001 +From: "Alexander V. Lukyanov" <lavv17f@gmail.com> +Date: Tue, 31 Jul 2018 10:57:35 +0300 +Subject: [PATCH] mirror: prepend ./ to rm and chmod arguments to avoid URL + recognition (fix #452) + +CVE: CVE-2018-10916 +Upstream-Status: Backport from v4.8.4 + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + src/MirrorJob.cc | 24 +++++++++--------------- + 1 file changed, 9 insertions(+), 15 deletions(-) + +diff --git a/src/MirrorJob.cc b/src/MirrorJob.cc +index cf106c40..0be45431 100644 +--- a/src/MirrorJob.cc ++++ b/src/MirrorJob.cc +@@ -1164,24 +1164,21 @@ int MirrorJob::Do() + } + continue; + } ++ bool use_rmdir = (file->TypeIs(file->DIRECTORY) ++ && recursion_mode==RECURSION_NEVER); + if(script) + { +- ArgV args("rm"); +- if(file->TypeIs(file->DIRECTORY)) +- { +- if(recursion_mode==RECURSION_NEVER) +- args.setarg(0,"rmdir"); +- else +- args.Append("-r"); +- } ++ ArgV args(use_rmdir?"rmdir":"rm"); ++ if(file->TypeIs(file->DIRECTORY) && !use_rmdir) ++ args.Append("-r"); + args.Append(target_session->GetFileURL(file->name)); + xstring_ca cmd(args.CombineQuoted()); + fprintf(script,"%s\n",cmd.get()); + } + if(!script_only) + { +- ArgV *args=new ArgV("rm"); +- args->Append(file->name); ++ ArgV *args=new ArgV(use_rmdir?"rmdir":"rm"); ++ args->Append(dir_file(".",file->name)); + args->seek(1); + rmJob *j=new rmJob(target_session->Clone(),args); + j->cmdline.set_allocated(args->Combine()); +@@ -1185,10 +1182,7 @@ int MirrorJob::Do() + if(file->TypeIs(file->DIRECTORY)) + { + if(recursion_mode==RECURSION_NEVER) +- { +- args->setarg(0,"rmdir"); + j->Rmdir(); +- } + else + j->Recurse(); + } +@@ -1252,7 +1246,7 @@ int MirrorJob::Do() + if(!script_only) + { + ArgV *a=new ArgV("chmod"); +- a->Append(file->name); ++ a->Append(dir_file(".",file->name)); + a->seek(1); + ChmodJob *cj=new ChmodJob(target_session->Clone(), + file->mode&~mode_mask,a); +@@ -1372,7 +1366,7 @@ int MirrorJob::Do() + if(!script_only) + { + ArgV *args=new ArgV("rm"); +- args->Append(file->name); ++ args->Append(dir_file(".",file->name)); + args->seek(1); + rmJob *j=new rmJob(source_session->Clone(),args); + j->cmdline.set_allocated(args->Combine()); +-- +2.13.3 + diff --git a/meta-networking/recipes-connectivity/lftp/lftp_4.7.7.bb b/meta-networking/recipes-connectivity/lftp/lftp_4.7.7.bb index b6b65da736..042b0aa54c 100644 --- a/meta-networking/recipes-connectivity/lftp/lftp_4.7.7.bb +++ b/meta-networking/recipes-connectivity/lftp/lftp_4.7.7.bb @@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" SRC_URI = "http://lftp.yar.ru/ftp/lftp-${PV}.tar.bz2 \ file://fix-gcc-6-conflicts-signbit.patch \ + file://CVE-2018-10916.patch \ " SRC_URI[md5sum] = "3701e7675baa5619c92622eb141c8301" SRC_URI[sha256sum] = "fe441f20a9a317cfb99a8b8e628ba0457df472b6d93964d17374d5b5ebdf9280" diff --git a/meta-networking/recipes-support/wireshark/wireshark_2.2.12.bb b/meta-networking/recipes-support/wireshark/wireshark_2.2.16.bb index 6c0b644c62..abeef693e8 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_2.2.12.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_2.2.16.bb @@ -10,8 +10,8 @@ SRC_URI = "https://2.na.dl.wireshark.org/src/all-versions/${BP}.tar.bz2" PE = "1" -SRC_URI[md5sum] = "ebf3d4230d7a13408758cdf037c42d66" -SRC_URI[sha256sum] = "3274458d1bb1658a5001465ecb07c7cbfc709571ef36bd062897570d4bab3ebc" +SRC_URI[md5sum] = "22128e617f3abdf87f7b5d7864d6d79e" +SRC_URI[sha256sum] = "7dcc4e9f29ad8dd75849aa3b6f70b6ec82ab6899cb168096572775a6d97ced8a" inherit autotools pkgconfig perlnative diff --git a/meta-oe/recipes-extended/rarpd/rarpd_ss981107.bb b/meta-oe/recipes-extended/rarpd/rarpd_ss981107.bb index 4025b8087e..7c9f2df9db 100644 --- a/meta-oe/recipes-extended/rarpd/rarpd_ss981107.bb +++ b/meta-oe/recipes-extended/rarpd/rarpd_ss981107.bb @@ -38,13 +38,11 @@ do_install() { install -m 644 rarpd.8 ${D}${mandir}/man8/rarpd.8 install -m 644 ${WORKDIR}/ethers.sample ${D}${sysconfdir}/ethers - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/rarpd.service ${D}${systemd_unitdir}/system/ - fi + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/rarpd.service ${D}${systemd_unitdir}/system/ } -inherit ${@bb.utils.filter('VIRTUAL-RUNTIME_init_manager', 'systemd', d)} +inherit systemd SYSTEMD_PACKAGES = "${PN}" SYSTEMD_SERVICE_${PN} = "rarpd.service" diff --git a/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb b/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb index c6b9f1019b..3db8c14842 100644 --- a/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb +++ b/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb @@ -28,7 +28,7 @@ SRC_URI[md5sum] = "28021cdabc73690a94f4f9d57254ce30" SRC_URI[sha256sum] = "634a67b2f7ac3b386a79160eb44413d618e33e4e7fc74ae68b0240484af149dd" inherit autotools -inherit ${@bb.utils.filter('VIRTUAL-RUNTIME_init_manager', 'systemd', d)} +inherit systemd SYSTEMD_PACKAGES = "${PN}" SYSTEMD_SERVICE_${PN} = "sblim-sfcb.service" @@ -53,10 +53,8 @@ do_install() { oe_runmake DESTDIR=${D} install - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/sfcb.service ${D}${systemd_unitdir}/system/sblim-sfcb.service - fi + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/sfcb.service ${D}${systemd_unitdir}/system/sblim-sfcb.service install -d ${D}${sysconfdir}/init.d mv ${D}${sysconfdir}/init.d/sfcb ${D}${sysconfdir}/init.d/sblim-sfcb diff --git a/meta-oe/recipes-graphics/glm/glm_0.9.8.5.bb b/meta-oe/recipes-graphics/glm/glm_0.9.9-a2.bb index a174f2af09..ed050a148c 100644 --- a/meta-oe/recipes-graphics/glm/glm_0.9.8.5.bb +++ b/meta-oe/recipes-graphics/glm/glm_0.9.9-a2.bb @@ -8,10 +8,10 @@ BUGTRACKER = "https://github.com/g-truc/glm/issues" SECTION = "libs" LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://copying.txt;md5=4431606d144252143c9c3df384a74cad" +LIC_FILES_CHKSUM = "file://readme.md;beginline=21;endline=22;md5=3075b5727d36f29edccf97b93e72b790" -SRC_URI = "git://github.com/g-truc/glm;branch=0.9.8" -SRCREV = "6fa203eeb7fbcbb6f620501fad40359c8a456049" +SRC_URI = "git://github.com/g-truc/glm;branch=master" +SRCREV = "fcbedf5058ef8613dd02aac62ef00d55dcfeadd7" S = "${WORKDIR}/git" inherit cmake diff --git a/meta-oe/recipes-support/openct/openct_0.6.20.bb b/meta-oe/recipes-support/openct/openct_0.6.20.bb index c7d7203eda..913290cd97 100644 --- a/meta-oe/recipes-support/openct/openct_0.6.20.bb +++ b/meta-oe/recipes-support/openct/openct_0.6.20.bb @@ -25,7 +25,7 @@ SRC_URI[sha256sum] = "6cd3e2933d29eb1f875c838ee58b8071fd61f0ec8ed5922a86c01c805d LICENSE = "LGPLv2+" LIC_FILES_CHKSUM = "file://LGPL-2.1;md5=2d5025d4aa3495befef8f17206a5b0a1" -inherit ${@bb.utils.filter('VIRTUAL-RUNTIME_init_manager', 'systemd', d)} +inherit systemd SYSTEMD_SERVICE_${PN} += "openct.service " SYSTEMD_AUTO_ENABLE = "enable" @@ -77,10 +77,8 @@ do_install () { install -Dpm 755 ${WORKDIR}/openct.init ${D}/etc/init.d/openct install -Dpm 644 ${WORKDIR}/openct.sysconfig ${D}/etc/sysconfig/openct - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}/${systemd_unitdir}/system - install -m 644 ${WORKDIR}/openct.service ${D}/${systemd_unitdir}/system - fi + install -d ${D}/${systemd_unitdir}/system + install -m 644 ${WORKDIR}/openct.service ${D}/${systemd_unitdir}/system so=$(find ${D} -name \*.so | sed "s|^${D}||") sed -i -e 's|\\(LIBPATH\\s*\\).*|\\1$so|' etc/reader.conf diff --git a/meta-python/recipes-devtools/python/python-evdev_0.7.0.bb b/meta-python/recipes-devtools/python/python-evdev_0.7.0.bb index 0875da45c3..0940b0057b 100644 --- a/meta-python/recipes-devtools/python/python-evdev_0.7.0.bb +++ b/meta-python/recipes-devtools/python/python-evdev_0.7.0.bb @@ -6,6 +6,13 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=18debddbb3f52c661a129724a883a8e2" SRC_URI[md5sum] = "c7e855ae9f97f869a59e75b29f05ce74" SRC_URI[sha256sum] = "57edafc469a414f58b51af1bfb9ee2babb9f626dd2df530d71c1176871850aa1" +do_compile_prepend() { + rm -rf ${S}/evdev/ecodes.c +} + +DISTUTILS_BUILD_ARGS = "build_ecodes --evdev-headers ${STAGING_DIR_TARGET}/usr/include/linux/input.h:${STAGING_DIR_TARGET}/usr/include/linux/input-event-codes.h" + + inherit pypi setuptools RDEPENDS_${PN} += "\ diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb index 4e893dbba1..dcd397670b 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb @@ -10,6 +10,7 @@ inherit autotools pkgconfig native SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ file://0001-configure-use-pkg-config-for-PCRE-detection.patch \ + file://CVE-2018-1333.patch \ " S = "${WORKDIR}/httpd-${PV}" diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb index 18808676a4..280350006d 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb @@ -21,6 +21,7 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ file://apache2-volatile.conf \ file://apache2.service \ file://volatiles.04_apache2 \ + file://CVE-2018-1333.patch \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83" diff --git a/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch b/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch new file mode 100644 index 0000000000..9cd207c041 --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch @@ -0,0 +1,44 @@ +From 83a2e3866918ce6567a683eb4c660688d047ee81 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <stefan.eissing@greenbytes.de> +Date: Wed, 18 Apr 2018 11:55:17 +0200 +Subject: [PATCH] * fixes a race condition where aborting streams triggers an + unnecessary timeout. + +Note: Re-factored upstream fix +https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81, +so that it applies to httpd v2.4.27 code. Similarly done at +http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_bucket_beam.c?r1=1828879&r2=1828878&pathrev=1828879 + +CVE: CVE-2018-1333 +Upstream-Status: Backport [https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> + +diff -Naurp httpd-2.4.27_org/modules/http2/h2_bucket_beam.c httpd-2.4.27/modules/http2/h2_bucket_beam.c +--- httpd-2.4.27_org/modules/http2/h2_bucket_beam.c 2017-04-21 06:52:05.000000000 -0700 ++++ httpd-2.4.27/modules/http2/h2_bucket_beam.c 2018-07-24 23:44:40.888330955 -0700 +@@ -512,6 +512,7 @@ static void recv_buffer_cleanup(h2_bucke + apr_brigade_destroy(bb); + if (bl) enter_yellow(beam, bl); + ++ apr_thread_cond_broadcast(beam->change); + if (beam->cons_ev_cb) { + beam->cons_ev_cb(beam->cons_ctx, beam); + } +@@ -685,12 +686,10 @@ void h2_beam_abort(h2_bucket_beam *beam) + h2_beam_lock bl; + + if (enter_yellow(beam, &bl) == APR_SUCCESS) { +- if (!beam->aborted) { +- beam->aborted = 1; +- r_purge_sent(beam); +- h2_blist_cleanup(&beam->send_list); +- report_consumption(beam, &bl); +- } ++ beam->aborted = 1; ++ r_purge_sent(beam); ++ h2_blist_cleanup(&beam->send_list); ++ report_consumption(beam, &bl); + if (beam->cond) { + apr_thread_cond_broadcast(beam->cond); + } |