Diffstat (limited to 'meta/recipes-extended')
44 files changed, 3183 insertions, 20 deletions
diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch new file mode 100644 index 0000000000..9841644881 --- /dev/null +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch @@ -0,0 +1,33 @@ +From 11e1fac27eb8a3076382200736874c78e09b75d6 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Tue, 28 May 2019 19:35:18 +0200 +Subject: [PATCH] Make sure nSelectors is not out of range + +nSelectors is used in a loop from 0 to nSelectors to access selectorMtf +which is + UChar selectorMtf[BZ_MAX_SELECTORS]; +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory +access + +Fixes out of bounds access discovered while fuzzying karchive +CVE: CVE-2019-12900 +Upstream-Status: Backport +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> + +--- + decompress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/decompress.c b/decompress.c +index 311f566..b6e0a29 100644 +--- a/decompress.c ++++ b/decompress.c +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s ) + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); + if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); +- if (nSelectors < 1) RETURN(BZ_DATA_ERROR); ++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); + for (i = 0; i < nSelectors; i++) { + j = 0; + while (True) { diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/fix-regression-CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/fix-regression-CVE-2019-12900.patch new file mode 100644 index 0000000000..362e6cf319 --- /dev/null +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/fix-regression-CVE-2019-12900.patch 
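Review bot: The new check `if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);` rejects every stream whose 15-bit selector count exceeds 18002, and the very next patch in this series relaxes it again because, as its description says, some encoders round the selector count up; so this file, taken alone, is a known-regressing intermediate state. Consider squashing the two backports into one patch (or carrying the upstream fix as a single combined hunk) so that a later rebase or cherry-pick of only this file cannot reintroduce the false BZ_DATA_ERROR on valid archives. The bounds check itself is the right fix for the selectorMtf[] overflow; it is only the strictness of the limit that the follow-up changes.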
@@ -0,0 +1,82 @@ +From 212f3ed7ac3931c9e0e9167a0bdc16eeb3c76af4 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard <mark@klomp.org> +Date: Wed, 3 Jul 2019 01:28:11 +0200 +Subject: [PATCH] Accept as many selectors as the file format allows. + +But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS. + +The theoretical maximum number of selectors depends on the maximum +blocksize (900000 bytes) and the number of symbols (50) that can be +encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002. + +But the bzip2 file format allows the number of selectors to be encoded +with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in +14 bits). So the file format maximum is 32767 selectors. + +Some bzip2 encoders might actually have written out more selectors +than the theoretical maximum because they rounded up the number of +selectors to some convenient factor of 8. + +The extra 14766 selectors can never be validly used by the decompression +algorithm. So we can read them, but then discard them. + +This is effectively what was done (by accident) before we added a +check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate +CVE-2019-12900. + +The extra selectors were written out after the array inside the +EState struct. But the struct has extra space allocated after the +selector arrays of 18060 bytes (which is larger than 14766). +All of which will be initialized later (so the overwrite of that +space with extra selector values would have been harmless). 
+ +Upstream-Status: Backport +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> + +--- + compress.c | 2 +- + decompress.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/compress.c b/compress.c +index caf7696..19b662b 100644 +--- a/compress.c ++++ b/compress.c +@@ -454,7 +454,7 @@ void sendMTFValues ( EState* s ) + + AssertH( nGroups < 8, 3002 ); + AssertH( nSelectors < 32768 && +- nSelectors <= (2 + (900000 / BZ_G_SIZE)), ++ nSelectors <= BZ_MAX_SELECTORS, + 3003 ); + + +diff --git a/decompress.c b/decompress.c +index b6e0a29..78060c9 100644 +--- a/decompress.c ++++ b/decompress.c +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s ) + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); + if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); +- if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); ++ if (nSelectors < 1) RETURN(BZ_DATA_ERROR); + for (i = 0; i < nSelectors; i++) { + j = 0; + while (True) { +@@ -296,8 +296,14 @@ Int32 BZ2_decompress ( DState* s ) + j++; + if (j >= nGroups) RETURN(BZ_DATA_ERROR); + } +- s->selectorMtf[i] = j; ++ /* Having more than BZ_MAX_SELECTORS doesn't make much sense ++ since they will never be used, but some implementations might ++ "round up" the number of selectors, so just ignore those. */ ++ if (i < BZ_MAX_SELECTORS) ++ s->selectorMtf[i] = j; + } ++ if (nSelectors > BZ_MAX_SELECTORS) ++ nSelectors = BZ_MAX_SELECTORS; + + /*--- Undo the MTF values for the selectors. ---*/ + { diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb index 025f45c472..33cb8dda97 100644 --- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb +++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb 
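Review bot: Neither patch carries a regression input, so the recipe's existing run-ptest will not detect a reintroduction of the selectorMtf[] overflow nor of the over-strict limit: the guard now lives at the store (`if (i < BZ_MAX_SELECTORS) s->selectorMtf[i] = j;`) while the loop still trusts the full 15-bit `nSelectors` from the stream and clamps it only afterwards, which is easy to get subtly wrong on a future rebase. Suggest adding to the ptest a small crafted .bz2 whose selector count is between BZ_MAX_SELECTORS (18002) and 32767 and asserting it decompresses, plus a stream with an MTF index of at least nGroups asserting BZ_DATA_ERROR. Note the `/*--- Undo the MTF values ---*/` block that consumes the clamped `nSelectors` continues outside the hunk.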
@@ -14,6 +14,8 @@ SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \ file://Makefile.am;subdir=${BP} \ file://run-ptest \ file://CVE-2016-3189.patch \ + file://CVE-2019-12900.patch \ + file://fix-regression-CVE-2019-12900.patch \ " SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b" diff --git a/meta/recipes-extended/cups/cups/0001-don-t-try-to-run-generated-binaries.patch b/meta/recipes-extended/cups/cups/0001-don-t-try-to-run-generated-binaries.patch index db013cf08c..d6a69f2833 100644 --- a/meta/recipes-extended/cups/cups/0001-don-t-try-to-run-generated-binaries.patch +++ b/meta/recipes-extended/cups/cups/0001-don-t-try-to-run-generated-binaries.patch @@ -1,20 +1,21 @@ -Upstream-Status: Inappropriate [embedded specific] - -From 90069586167b930befce7303aea57078f04b4ed8 Mon Sep 17 00:00:00 2001 +From 1fb07162a9ed187cccf06e34c9bf841d15c6e64e Mon Sep 17 00:00:00 2001 From: Koen Kooi <koen@dominion.thruhere.net> Date: Sun, 30 Jan 2011 16:37:27 +0100 Subject: [PATCH] don't try to run generated binaries +Upstream-Status: Inappropriate [embedded specific] + Signed-off-by: Koen Kooi <koen@dominion.thruhere.net> + --- - ppdc/Makefile | 30 +++++++++++++++--------------- - 1 files changed, 15 insertions(+), 15 deletions(-) + ppdc/Makefile | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) -Index: cups-2.2.6/ppdc/Makefile -=================================================================== ---- cups-2.2.6.orig/ppdc/Makefile -+++ cups-2.2.6/ppdc/Makefile -@@ -228,8 +228,8 @@ genstrings: genstrings.o libcupsppdc.a +diff --git a/ppdc/Makefile b/ppdc/Makefile +index e563988..973dd3f 100644 +--- a/ppdc/Makefile ++++ b/ppdc/Makefile +@@ -189,8 +189,8 @@ genstrings: genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \ $(LD_CXX) $(ARCHFLAGS) $(LDFLAGS) -o genstrings genstrings.o \ libcupsppdc.a ../cups/$(LIBCUPSSTATIC) $(LIBGSSAPI) $(SSLLIBS) \ $(DNSSDLIBS) $(COMMONLIBS) $(LIBZ) 
@@ -25,10 +26,10 @@ Index: cups-2.2.6/ppdc/Makefile # -@@ -246,9 +246,9 @@ ppdc-static: ppdc.o libcupsppdc.a ../cu - $(LD_CXX) $(ARCHFLAGS) $(LDFLAGS) -o ppdc-static ppdc.o libcupsppdc.a \ +@@ -209,9 +209,9 @@ ppdc-static: ppdc.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) foo.drv foo-fr.po ../cups/$(LIBCUPSSTATIC) $(LIBGSSAPI) $(SSLLIBS) $(DNSSDLIBS) \ $(COMMONLIBS) $(LIBZ) + $(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@ - echo Testing PPD compiler... - ./ppdc-static -l en,fr -I ../data foo.drv - ./ppdc-static -l en,fr -z -I ../data foo.drv @@ -38,10 +39,10 @@ Index: cups-2.2.6/ppdc/Makefile # -@@ -274,17 +274,17 @@ ppdi-static: ppdc-static ppdi.o libcups - $(LD_CXX) $(ARCHFLAGS) $(LDFLAGS) -o ppdi-static ppdi.o libcupsppdc.a \ +@@ -240,17 +240,17 @@ ppdi-static: ppdc-static ppdi.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) ../cups/$(LIBCUPSSTATIC) $(LIBGSSAPI) $(SSLLIBS) $(DNSSDLIBS) \ $(COMMONLIBS) $(LIBZ) + $(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@ - echo Testing PPD importer... - $(RM) -r ppd ppd2 sample-import.drv - ./ppdc-static -l en -I ../data sample.drv diff --git a/meta/recipes-extended/cups/cups_2.2.10.bb b/meta/recipes-extended/cups/cups_2.2.10.bb new file mode 100644 index 0000000000..490c84e2f4 --- /dev/null +++ b/meta/recipes-extended/cups/cups_2.2.10.bb @@ -0,0 +1,6 @@ +require cups.inc + +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=f212b4338db0da8cb892e94bf2949460" + +SRC_URI[md5sum] = "3d22d747403ec5dcd0b66d1332564816" +SRC_URI[sha256sum] = "77c8b2b3bb7fe8b5fbfffc307f2c817b2d7ec67b657f261a1dd1c61ab81205bb" diff --git a/meta/recipes-extended/cups/cups_2.2.8.bb b/meta/recipes-extended/cups/cups_2.2.8.bb deleted file mode 100644 index de1bd84bf7..0000000000 --- a/meta/recipes-extended/cups/cups_2.2.8.bb +++ /dev/null 
@@ -1,6 +0,0 @@
-require cups.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=f212b4338db0da8cb892e94bf2949460"
-
-SRC_URI[md5sum] = "33150d08993a04c8e22176e93805a051"
-SRC_URI[sha256sum] = "3968fc1d26fc48727508db1c1380e36c6694ab90177fd6920aec5f6cc73af9e4"
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch
new file mode 100644
index 0000000000..30ce04a7b1
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch
@@ -0,0 +1,99 @@ +From ad3ad6b389653722507e588c5cb34d8731e49e89 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Mon, 26 Nov 2018 18:01:25 +0000 +Subject: [PATCH] Have gs_cet.ps run from gs_init.ps + +Previously gs_cet.ps was run on the command line, to set up the interpreter +state so our output more closely matches the example output for the QL CET +tests. + +Allow a -dCETMODE command line switch, which will cause gs_init.ps to run the +file directly. + +This works better for gpdl as it means the changes are made in the intial +interpreter state, rather than after initialisation is complete. + +This also means adding a definition of the default procedure for black +generation and under color removal (rather it being defined in-line in +.setdefaultbgucr + +Also, add a check so gs_cet.ps only runs once - if we try to run it a second +time, we'll just skip over the file, flushing through to the end. + +CVE: CVE-2019-3835 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + Resource/Init/gs_cet.ps | 11 ++++++++++- + Resource/Init/gs_init.ps | 13 ++++++++++++- + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps +index d3e1686..75534bb 100644 +--- a/Resource/Init/gs_cet.ps ++++ b/Resource/Init/gs_cet.ps +@@ -1,6 +1,11 @@ + %!PS + % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET + ++systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq ++{ ++ (%END GS_CET) .skipeof ++} if ++ + % do this in the server level so it is persistent across jobs + //true 0 startjob not { + (*** Warning: CET startup is not in server default) = flush +@@ -25,7 +30,9 @@ currentglobal //true setglobal + + /UNROLLFORMS true def + +-{ } bind dup ++(%.defaultbgrucrproc) cvn { } bind def ++ ++(%.defaultbgrucrproc) cvn load dup + setblackgeneration + setundercolorremoval + 0 array cvx readonly dup dup 
dup setcolortransfer +@@ -109,3 +116,5 @@ userdict /.smoothness currentsmoothness put + % end of slightly nasty hack to give consistent cluster results + + //false 0 startjob pop % re-enter encapsulated mode ++ ++%END GS_CET +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index 45bebf4..e6b9cd2 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -1538,10 +1538,18 @@ setpacking + % any-part-of-pixel rule. + 0.5 .setfilladjust + } bind def ++ + % Set the default screen and BG/UCR. ++% We define the proc here, rather than inline in .setdefaultbgucr ++% for the benefit of gs_cet.ps so jobs that do anything that causes ++% .setdefaultbgucr to be called will still get the redefined proc ++% in gs_cet.ps ++(%.defaultbgrucrproc) cvn { pop 0 } def ++ + /.setdefaultbgucr { + systemdict /setblackgeneration known { +- { pop 0 } dup setblackgeneration setundercolorremoval ++ (%.defaultbgrucrproc) cvn load dup ++ setblackgeneration setundercolorremoval + } if + } bind def + /.useloresscreen { % - .useloresscreen <bool> +@@ -2491,4 +2499,7 @@ WRITESYSTEMDICT { + % be 'true' in some cases. + userdict /AGM_preserve_spots //false put + ++systemdict /CETMODE .knownget ++{ { (gs_cet.ps) runlibfile } if } if ++ + % The interpreter will run the initial procedure (start). +-- +2.18.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch new file mode 100644 index 0000000000..590b92e186 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch 
@@ -0,0 +1,71 @@ +From ba6dbd6e61dbb3cc6ee6db9dd3a4f70cc18f706e Mon Sep 17 00:00:00 2001 +From: Nancy Durgin <nancy.durgin@artifex.com> +Date: Thu, 14 Feb 2019 10:09:00 -0800 +Subject: [PATCH] Undef /odef in gs_init.ps + +Made a new temporary utility function in gs_cet.ps (.odef) to use instead +of /odef. This makes it fine to undef odef with all the other operators in +gs_init.ps + +This punts the bigger question of what to do with .makeoperator, but it +doesn't make the situation any worse than it already was. + +CVE: CVE-2019-3835 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + Resource/Init/gs_cet.ps | 10 ++++++++-- + Resource/Init/gs_init.ps | 1 + + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps +index 75534bb..dbc5c4e 100644 +--- a/Resource/Init/gs_cet.ps ++++ b/Resource/Init/gs_cet.ps +@@ -1,6 +1,10 @@ + %!PS + % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET + ++/.odef { % <name> <proc> odef - ++ 1 index exch .makeoperator def ++} bind def ++ + systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq + { + (%END GS_CET) .skipeof +@@ -93,8 +97,8 @@ userdict /.smoothness currentsmoothness put + } { + /setsmoothness .systemvar /typecheck signalerror + } ifelse +-} bind odef +-/currentsmoothness { userdict /.smoothness get } bind odef % for 09-55.PS, 09-57.PS . ++} bind //.odef exec ++/currentsmoothness { userdict /.smoothness get } bind //.odef exec % for 09-55.PS, 09-57.PS . 
+ + % slightly nasty hack to give consistent cluster results + /ofnfa systemdict /filenameforall get def +@@ -113,6 +117,8 @@ userdict /.smoothness currentsmoothness put + } ifelse + ofnfa + } bind def ++ ++currentdict /.odef undef + % end of slightly nasty hack to give consistent cluster results + + //false 0 startjob pop % re-enter encapsulated mode +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index e6b9cd2..80d9585 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2257,6 +2257,7 @@ SAFER { .setsafeglobal } if + /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams + /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice + /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack /.applypolicies ++ /odef + + % Used by a free user in the Library of Congress. Apparently this is used to + % draw a partial page, which is then filled in by the results of a barcode +-- +2.18.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch new file mode 100644 index 0000000000..a339fa2f33 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch 
@@ -0,0 +1,295 @@ +From 4203e04ef9e6ca22ed68a1ab10a878aa9ceaeedc Mon Sep 17 00:00:00 2001 +From: Ray Johnston <ray.johnston@artifex.com> +Date: Thu, 14 Feb 2019 10:20:03 -0800 +Subject: [PATCH] Fix bug 700585: Restrict superexec and remove it from + internals and gs_cet.ps + +Also while changing things, restructure the CETMODE so that it will +work with -dSAFER. The gs_cet.ps is now run when we are still at save +level 0 with systemdict writeable. Allows us to undefine .makeoperator +and .setCPSImode internal operators after CETMODE is handled. + +Change previous uses of superexec to using .forceput (with the usual +.bind executeonly to hide it). + +CVE: CVE-2019-3835 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + Resource/Init/gs_cet.ps | 38 ++++++++++++++------------------------ + Resource/Init/gs_dps1.ps | 2 +- + Resource/Init/gs_fonts.ps | 8 ++++---- + Resource/Init/gs_init.ps | 38 +++++++++++++++++++++++++++----------- + Resource/Init/gs_ttf.ps | 8 ++++---- + Resource/Init/gs_type1.ps | 6 +++--- + 6 files changed, 53 insertions(+), 47 deletions(-) + +diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps +index dbc5c4e..3cc6883 100644 +--- a/Resource/Init/gs_cet.ps ++++ b/Resource/Init/gs_cet.ps +@@ -1,37 +1,29 @@ + %!PS + % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET + +-/.odef { % <name> <proc> odef - +- 1 index exch .makeoperator def +-} bind def +- ++% skip if we've already run this -- based on fake "product" + systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq + { + (%END GS_CET) .skipeof + } if + +-% do this in the server level so it is persistent across jobs +-//true 0 startjob not { +- (*** Warning: CET startup is not in server default) = flush +-} if ++% Note: this must be run at save level 0 and when systemdict is writeable ++currentglobal //true setglobal ++systemdict dup dup dup ++/version (3017.102) readonly .forceput % 
match CPSI 3017.102 ++/product (PhotoPRINT SE 5.0v2) readonly .forceput % match CPSI 3017.102 ++/revision 0 put % match CPSI 3017.103 Tek shows revision 5 ++/serialnumber dup {233640} readonly .makeoperator .forceput % match CPSI 3017.102 Tek shows serialnumber 1401788461 ++ ++systemdict /.odef { % <name> <proc> odef - ++ 1 index exch //.makeoperator def ++} .bind .forceput % this will be undefined at the end + + 300 .sethiresscreen % needed for language switch build since it + % processes gs_init.ps BEFORE setting the resolution + + 0 array 0 setdash % CET 09-08 wants local setdash + +-currentglobal //true setglobal +- +-{ +- systemdict dup dup dup +- /version (3017.102) readonly put % match CPSI 3017.102 +- /product (PhotoPRINT SE 5.0v2) readonly put % match CPSI 3017.102 +- /revision 0 put % match CPSI 3017.103 Tek shows revision 5 +- /serialnumber dup {233640} readonly .makeoperator put % match CPSI 3017.102 Tek shows serialnumber 1401788461 +- systemdict /deviceinfo undef % for CET 20-23-1 +-% /UNROLLFORMS true put % CET files do unreasonable things inside forms +-} 1183615869 internaldict /superexec get exec +- + /UNROLLFORMS true def + + (%.defaultbgrucrproc) cvn { } bind def +@@ -118,9 +110,7 @@ userdict /.smoothness currentsmoothness put + ofnfa + } bind def + +-currentdict /.odef undef +-% end of slightly nasty hack to give consistent cluster results +- +-//false 0 startjob pop % re-enter encapsulated mode ++systemdict /.odef .undef + ++% end of slightly nasty hack to give consistent cluster results + %END GS_CET +diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps +index 3d2cf7a..c4fd839 100644 +--- a/Resource/Init/gs_dps1.ps ++++ b/Resource/Init/gs_dps1.ps +@@ -89,7 +89,7 @@ level2dict begin + % definition, copy it into the local directory. 
+ //systemdict /SharedFontDirectory .knownget + { 1 index .knownget +- { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly ++ { //.FontDirectory 2 index 3 -1 roll .forceput } % readonly + if + } + if +diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps +index 0562235..f2b4e19 100644 +--- a/Resource/Init/gs_fonts.ps ++++ b/Resource/Init/gs_fonts.ps +@@ -519,11 +519,11 @@ buildfontdict 3 /.buildfont3 cvx put + % the font in LocalFontDirectory. + .currentglobal + { //systemdict /LocalFontDirectory .knownget +- { 2 index 2 index { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly ++ { 2 index 2 index .forceput } % readonly + if + } + if +- dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly ++ dup //.FontDirectory 4 -2 roll .forceput % readonly + % If the font originated as a resource, register it. + currentfile .currentresourcefile eq { dup .registerfont } if + readonly +@@ -1191,13 +1191,13 @@ $error /SubstituteFont { } put + //.FontDirectory 1 index known not { + 2 dict dup /FontName 3 index put + dup /FontType 1 put +- //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly ++ //.FontDirectory 3 1 roll //.forceput exec % readonly + } { + pop + } ifelse + } forall + } forall +- } ++ } executeonly % hide .forceput + FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined + + % Install initial fonts from Fontmap. 
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index 80d9585..0d5c4f7 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2188,9 +2188,6 @@ SAFER { .setsafeglobal } if + /.endtransparencygroup % transparency-example.ps + /.setdotlength % Bug687720.ps + /.sort /.setdebug /.mementolistnewblocks /getenv +- +- /.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER +- + /unread + ] + {systemdict exch .forceundef} forall +@@ -2270,7 +2267,6 @@ SAFER { .setsafeglobal } if + + % Used by our own test suite files + %/.fileposition %image-qa.ps +- %/.makeoperator /.setCPSImode % gs_cet.ps + + % Either our code uses these in ways which mean they can't be undefined, or they are used directly by + % test files/utilities, or engineers expressed a desire to keep them visible. +@@ -2457,6 +2453,16 @@ end + /vmreclaim where + { pop NOGC not { 2 .vmreclaim 0 vmreclaim } if + } if ++ ++% Do this before systemdict is locked (see below for additional CETMODE setup using gs_cet.ps) ++systemdict /CETMODE .knownget { ++ { ++ (gs_cet.ps) runlibfile ++ } if ++} if ++systemdict /.makeoperator .undef % must be after gs_cet.ps ++systemdict /.setCPSImode .undef % must be after gs_cet.ps ++ + DELAYBIND not { + systemdict /.bindnow .undef % We only need this for DELAYBIND + systemdict /.forcecopynew .undef % remove temptation +@@ -2464,16 +2470,29 @@ DELAYBIND not { + systemdict /.forceundef .undef % ditto + } if + +-% Move superexec to internaldict if superexec is defined. +-systemdict /superexec .knownget { +- 1183615869 internaldict /superexec 3 -1 roll put +- systemdict /superexec .undef ++% Move superexec to internaldict if superexec is defined. (Level 2 or later) ++systemdict /superexec known { ++ % restrict superexec to single known use by PScript5.dll ++ % We could do this only for SAFER mode, but internaldict and superexec are ++ % not very well documented, and we don't want them to be used. 
++ 1183615869 internaldict /superexec { ++ 2 index /Private eq % first check for typical use in PScript5.dll ++ 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec ++ 1 index 0 get systemdict /put get eq and ++ { ++ //superexec exec % the only usage we allow ++ } { ++ /superexec load /invalidaccess signalerror ++ } ifelse ++ } bind cvx executeonly put ++ systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator + } if + + % Can't remove this one until the last minute :-) + DELAYBIND not { + systemdict /.undef .undef + } if ++ + WRITESYSTEMDICT { + SAFER { + (\n *** WARNING - you have selected SAFER, indicating you want Ghostscript\n) print +@@ -2500,7 +2519,4 @@ WRITESYSTEMDICT { + % be 'true' in some cases. + userdict /AGM_preserve_spots //false put + +-systemdict /CETMODE .knownget +-{ { (gs_cet.ps) runlibfile } if } if +- + % The interpreter will run the initial procedure (start). +diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps +index 05943c5..da97afa 100644 +--- a/Resource/Init/gs_ttf.ps ++++ b/Resource/Init/gs_ttf.ps +@@ -1421,7 +1421,7 @@ mark + TTFDEBUG { (\n1 setting alias: ) print dup ==only + ( to be the same as ) print 2 index //== exec } if + +- 7 index 2 index 3 -1 roll exch //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse ++ 7 index 2 index 3 -1 roll exch .forceput + } forall + pop pop pop + } +@@ -1439,7 +1439,7 @@ mark + exch pop + TTFDEBUG { (\n2 setting alias: ) print 1 index ==only + ( to use glyph index: ) print dup //== exec } if +- 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse ++ 5 index 3 1 roll .forceput + //false + } + { +@@ -1456,7 +1456,7 @@ mark + { % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer) + TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only + ( to be index: ) print dup //== 
exec } if +- exch pop 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse ++ exch pop 5 index 3 1 roll .forceput + } + { + pop pop +@@ -1486,7 +1486,7 @@ mark + } ifelse + ] + TTFDEBUG { (Encoding: ) print dup === flush } if +-} bind def ++} .bind executeonly odef % hides .forceput + + % to be removed 9.09...... + currentdict /postalias undef +diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps +index 96e1ced..61f5269 100644 +--- a/Resource/Init/gs_type1.ps ++++ b/Resource/Init/gs_type1.ps +@@ -116,7 +116,7 @@ + { % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname aglname + CFFDEBUG { (\nsetting alias: ) print dup ==only + ( to be the same as glyph: ) print 1 index //== exec } if +- 3 index exch 3 index //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse ++ 3 index exch 3 index .forceput + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname + } + {pop} ifelse +@@ -135,7 +135,7 @@ + 3 1 roll pop pop + } if + pop +- dup /.AGLprocessed~GS //true //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse ++ dup /.AGLprocessed~GS //true .forceput + } if + + %% We need to excute the C .buildfont1 in a stopped context so that, if there +@@ -148,7 +148,7 @@ + {//.buildfont1} stopped + 4 3 roll .setglobal + {//.buildfont1 $error /errorname get signalerror} if +- } bind def ++ } .bind executeonly def % hide .forceput + + % If the diskfont feature isn't included, define a dummy .loadfontdict. + /.loadfontdict where +-- +2.20.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch new file mode 100644 index 0000000000..5228cace24 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch 
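Review bot: The two `.forceput` calls introduced in the gs_fonts.ps `@@ -519` hunk (`{ 2 index 2 index .forceput }` and `dup //.FontDirectory 4 -2 roll .forceput`) name the privileged operator inside a procedure whose closing brace — the place where `.bind executeonly` would hide it — is outside this hunk, unlike the `@@ -1191` site, which gets `} executeonly % hide .forceput`, and the gs_type1.ps/gs_ttf.ps sites, which get `.bind executeonly`. If that enclosing definition is not bound and made executeonly, `.forceput` is either left readable to user PostScript via `get`/`==` on the procedure, handing back exactly the unrestricted-write primitive this change is removing, or it resolves to /undefined at run time once gs_init.ps undefines the operator. Please confirm the definition ends with `} .bind executeonly def` (or uses `//.forceput exec` as the `@@ -1191` site does) and add the same `% hide .forceput` comment for consistency. It is also worth checking that an error raised inside these procedures cannot expose them through `$error` (`/command` or the saved stacks), since `executeonly` alone does not cover that path.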
@@ -0,0 +1,167 @@ +From 5845e667dda3c945ee793fbe6af021533cb4fbec Mon Sep 17 00:00:00 2001 +From: Ray Johnston <ray.johnston@artifex.com> +Date: Sun, 24 Feb 2019 22:01:04 -0800 +Subject: [PATCH] Bug 700585: Obliterate "superexec". We don't need it, nor + do any known apps. + +We were under the impression that the Windows driver 'PScript5.dll' used +superexec, but after testing with our extensive suite of PostScript file, +and analysis of the PScript5 "Adobe CoolType ProcSet, it does not appear +that this operator is needed anymore. Get rid of superexec and all of the +references to it, since it is a potential security hole. + +CVE: CVE-2019-3835 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + Resource/Init/gs_init.ps | 18 ------------------ + psi/icontext.c | 1 - + psi/icstate.h | 1 - + psi/zcontrol.c | 30 ------------------------------ + psi/zdict.c | 6 ++---- + psi/zgeneric.c | 3 +-- + 6 files changed, 3 insertions(+), 56 deletions(-) + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index 0d5c4f7..c5ac82a 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2470,24 +2470,6 @@ DELAYBIND not { + systemdict /.forceundef .undef % ditto + } if + +-% Move superexec to internaldict if superexec is defined. (Level 2 or later) +-systemdict /superexec known { +- % restrict superexec to single known use by PScript5.dll +- % We could do this only for SAFER mode, but internaldict and superexec are +- % not very well documented, and we don't want them to be used. 
+- 1183615869 internaldict /superexec { +- 2 index /Private eq % first check for typical use in PScript5.dll +- 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec +- 1 index 0 get systemdict /put get eq and +- { +- //superexec exec % the only usage we allow +- } { +- /superexec load /invalidaccess signalerror +- } ifelse +- } bind cvx executeonly put +- systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator +-} if +- + % Can't remove this one until the last minute :-) + DELAYBIND not { + systemdict /.undef .undef +diff --git a/psi/icontext.c b/psi/icontext.c +index 1fbe486..7462ea3 100644 +--- a/psi/icontext.c ++++ b/psi/icontext.c +@@ -151,7 +151,6 @@ context_state_alloc(gs_context_state_t ** ppcst, + pcst->rand_state = rand_state_initial; + pcst->usertime_total = 0; + pcst->keep_usertime = false; +- pcst->in_superexec = 0; + pcst->plugin_list = 0; + make_t(&pcst->error_object, t__invalid); + { /* +diff --git a/psi/icstate.h b/psi/icstate.h +index 4c6a14d..1009d85 100644 +--- a/psi/icstate.h ++++ b/psi/icstate.h +@@ -54,7 +54,6 @@ struct gs_context_state_s { + long usertime_total; /* total accumulated usertime, */ + /* not counting current time if running */ + bool keep_usertime; /* true if context ever executed usertime */ +- int in_superexec; /* # of levels of superexec */ + /* View clipping is handled in the graphics state. 
*/ + ref error_object; /* t__invalid or error object from operator */ + ref userparams; /* t_dictionary */ +diff --git a/psi/zcontrol.c b/psi/zcontrol.c +index 0362cf4..dc813e8 100644 +--- a/psi/zcontrol.c ++++ b/psi/zcontrol.c +@@ -158,34 +158,6 @@ zexecn(i_ctx_t *i_ctx_p) + return o_push_estack; + } + +-/* <obj> superexec - */ +-static int end_superexec(i_ctx_t *); +-static int +-zsuperexec(i_ctx_t *i_ctx_p) +-{ +- os_ptr op = osp; +- es_ptr ep; +- +- check_op(1); +- if (!r_has_attr(op, a_executable)) +- return 0; /* literal object just gets pushed back */ +- check_estack(2); +- ep = esp += 3; +- make_mark_estack(ep - 2, es_other, end_superexec); /* error case */ +- make_op_estack(ep - 1, end_superexec); /* normal case */ +- ref_assign(ep, op); +- esfile_check_cache(); +- pop(1); +- i_ctx_p->in_superexec++; +- return o_push_estack; +-} +-static int +-end_superexec(i_ctx_t *i_ctx_p) +-{ +- i_ctx_p->in_superexec--; +- return 0; +-} +- + /* <array> <executable> .runandhide <obj> */ + /* before executing <executable>, <array> is been removed from */ + /* the operand stack and placed on the execstack with attributes */ +@@ -971,8 +943,6 @@ const op_def zcontrol3_op_defs[] = { + {"0%loop_continue", loop_continue}, + {"0%repeat_continue", repeat_continue}, + {"0%stopped_push", stopped_push}, +- {"1superexec", zsuperexec}, +- {"0%end_superexec", end_superexec}, + {"2.runandhide", zrunandhide}, + {"0%end_runandhide", end_runandhide}, + op_def_end(0) +diff --git a/psi/zdict.c b/psi/zdict.c +index b0deaaa..e2e525d 100644 +--- a/psi/zdict.c ++++ b/psi/zdict.c +@@ -212,8 +212,7 @@ zundef(i_ctx_t *i_ctx_p) + int code; + + check_type(*op1, t_dictionary); +- if (i_ctx_p->in_superexec == 0) +- check_dict_write(*op1); ++ check_dict_write(*op1); + code = idict_undef(op1, op); + if (code < 0 && code != gs_error_undefined) /* ignore undefined error */ + return code; +@@ -504,8 +503,7 @@ zsetmaxlength(i_ctx_t *i_ctx_p) + int code; + + check_type(*op1, t_dictionary); +- if 
(i_ctx_p->in_superexec == 0) +- check_dict_write(*op1); ++ check_dict_write(*op1); + check_type(*op, t_integer); + if (op->value.intval < 0) + return_error(gs_error_rangecheck); +diff --git a/psi/zgeneric.c b/psi/zgeneric.c +index 8048e28..d4edddb 100644 +--- a/psi/zgeneric.c ++++ b/psi/zgeneric.c +@@ -204,8 +204,7 @@ zput(i_ctx_t *i_ctx_p) + + switch (r_type(op2)) { + case t_dictionary: +- if (i_ctx_p->in_superexec == 0) +- check_dict_write(*op2); ++ check_dict_write(*op2); + { + int code = idict_put(op2, op1, op); + +-- +2.18.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch new file mode 100644 index 0000000000..593109fb9f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch @@ -0,0 +1,34 @@ +From 53f0cb4c54ac951697704cb87d24154ae08aecce Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Wed, 20 Feb 2019 09:54:28 +0000 +Subject: [PATCH] Bug 700576: Make a transient proc executeonly (in + DefineResource). + +This prevents access to .forceput + +Solution originally suggested by cbuissar@redhat.com. + +CVE: CVE-2019-3838 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + Resource/Init/gs_res.ps | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps +index 89c0ed6..a163541 100644 +--- a/Resource/Init/gs_res.ps ++++ b/Resource/Init/gs_res.ps +@@ -426,7 +426,7 @@ status { + % so we have to use .forceput here. + currentdict /.Instances 2 index .forceput % Category dict is read-only + } executeonly if +- } ++ } executeonly + { .LocalInstances dup //.emptydict eq + { pop 3 dict localinstancedict Category 2 index put + } +-- +2.18.1 + 
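Review bot: The `} executeonly` added at gs_res.ps:426 carries no explanation of why this transient procedure has to be opaque, and the same unexplained change recurs in CVE-2019-3838-0002 (the hunk at gs_res.ps:438). The reason is only visible two lines up, where the comment says `.forceput` is needed because the Category dict is read-only, so a trailing comment would keep a later clean-up from dropping the attribute: `} executeonly % holds .forceput; must stay unreadable from user code`. The enclosing `status { ... }` definition starts and ends outside the hunk.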
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch new file mode 100644 index 0000000000..921e5b6876 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch @@ -0,0 +1,30 @@ +From 0cb5e967c0200559f946291b5b54f8da30c32cd6 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Fri, 22 Feb 2019 12:28:23 +0000 +Subject: [PATCH] Bug 700576(redux): an extra transient proc needs + executeonly'ed. + +CVE: CVE-2019-3838 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + Resource/Init/gs_res.ps | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps +index a163541..8ce4ae3 100644 +--- a/Resource/Init/gs_res.ps ++++ b/Resource/Init/gs_res.ps +@@ -438,7 +438,7 @@ status { + % Now make the resource value read-only. + 0 2 copy get { readonly } .internalstopped pop + dup 4 1 roll put exch pop exch pop +- } ++ } executeonly + { /defineresource cvx /typecheck signaloperror + } + ifelse +-- +2.18.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb index ad4c5e17d2..bb32347880 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb @@ -39,6 +39,12 @@ SRC_URI = "${SRC_URI_BASE} \ file://CVE-2019-6116-0005.patch \ file://CVE-2019-6116-0006.patch \ file://CVE-2019-6116-0007.patch \ + file://CVE-2019-3835-0001.patch \ + file://CVE-2019-3835-0002.patch \ + file://CVE-2019-3835-0003.patch \ + file://CVE-2019-3835-0004.patch \ + file://CVE-2019-3838-0001.patch \ + file://CVE-2019-3838-0002.patch \ " SRC_URI_class-native = "${SRC_URI_BASE} \ 
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch
new file mode 100644
index 0000000000..ce638370bd
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000877.patch
@@ -0,0 +1,38 @@
+CVE: CVE-2018-1000877
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 021efa522ad729ff0f5806c4ce53e4a6cc1daa31 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 20 Nov 2018 17:56:29 +1100
+Subject: [PATCH] Avoid a double-free when a window size of 0 is specified
+
+new_size can be 0 with a malicious or corrupted RAR archive.
+
+realloc(area, 0) is equivalent to free(area), so the region would
+be free()d here and the free()d again in the cleanup function.
+
+Found with a setup running AFL, afl-rb, and qsym.
+---
+ libarchive/archive_read_support_format_rar.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 23452222..6f419c27 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -2300,6 +2300,11 @@ parse_codes(struct archive_read *a)
+ new_size = DICTIONARY_MAX_SIZE;
+ else
+ new_size = rar_fls((unsigned int)rar->unp_size) << 1;
++ if (new_size == 0) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Zero window size is invalid.");
++ return (ARCHIVE_FATAL);
++ }
+ new_window = realloc(rar->lzss.window, new_size);
+ if (new_window == NULL) {
+ archive_set_error(&a->archive, ENOMEM,
+--
+2.20.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch
new file mode 100644
index 0000000000..7468fd3c93
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000878.patch
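Review bot: The `new_size == 0` guard is correct but unexplained at the site; the reasoning lives only in the commit message, which shows that `realloc(rar->lzss.window, 0)` releases the window and the cleanup path then frees it a second time. A comment such as `/* realloc(p, 0) may free p and return NULL (glibc does); the ENOMEM branch below would then report allocation failure while rar->lzss.window still points at freed memory */` ties the check to the failure it prevents. Whether realloc(p, 0) frees or returns a unique zero-size block is implementation-defined in C11, so the check is warranted on every libc, not just the one the bug was found on. parse_codes() starts and ends outside the hunk.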
@@ -0,0 +1,79 @@ +CVE: CVE-2018-1000878 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From bfcfe6f04ed20db2504db8a254d1f40a1d84eb28 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens <dja@axtens.net> +Date: Tue, 4 Dec 2018 00:55:22 +1100 +Subject: [PATCH] rar: file split across multi-part archives must match + +Fuzzing uncovered some UAF and memory overrun bugs where a file in a +single file archive reported that it was split across multiple +volumes. This was caused by ppmd7 operations calling +rar_br_fillup. This would invoke rar_read_ahead, which would in some +situations invoke archive_read_format_rar_read_header. That would +check the new file name against the old file name, and if they didn't +match up it would free the ppmd7 buffer and allocate a new +one. However, because the ppmd7 decoder wasn't actually done with the +buffer, it would continue to used the freed buffer. Both reads and +writes to the freed region can be observed. + +This is quite tricky to solve: once the buffer has been freed it is +too late, as the ppmd7 decoder functions almost universally assume +success - there's no way for ppmd_read to signal error, nor are there +good ways for functions like Range_Normalise to propagate them. So we +can't detect after the fact that we're in an invalid state - e.g. by +checking rar->cursor, we have to prevent ourselves from ever ending up +there. So, when we are in the dangerous part or rar_read_ahead that +assumes a valid split, we set a flag force read_header to either go +down the path for split files or bail. This means that the ppmd7 +decoder keeps a valid buffer and just runs out of data. + +Found with a combination of AFL, afl-rb and qsym. 
+--- + libarchive/archive_read_support_format_rar.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 6f419c27..a8cc5c94 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -258,6 +258,7 @@ struct rar + struct data_block_offsets *dbo; + unsigned int cursor; + unsigned int nodes; ++ char filename_must_match; + + /* LZSS members */ + struct huffman_code maincode; +@@ -1560,6 +1561,12 @@ read_header(struct archive_read *a, struct archive_entry *entry, + } + return ret; + } ++ else if (rar->filename_must_match) ++ { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Mismatch of file parts split across multi-volume archive"); ++ return (ARCHIVE_FATAL); ++ } + + rar->filename_save = (char*)realloc(rar->filename_save, + filename_size + 1); +@@ -2933,12 +2940,14 @@ rar_read_ahead(struct archive_read *a, size_t min, ssize_t *avail) + else if (*avail == 0 && rar->main_flags & MHD_VOLUME && + rar->file_flags & FHD_SPLIT_AFTER) + { ++ rar->filename_must_match = 1; + ret = archive_read_format_rar_read_header(a, a->entry); + if (ret == (ARCHIVE_EOF)) + { + rar->has_endarc_header = 1; + ret = archive_read_format_rar_read_header(a, a->entry); + } ++ rar->filename_must_match = 0; + if (ret != (ARCHIVE_OK)) + return NULL; + return rar_read_ahead(a, min, avail); +-- +2.20.0 + diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch new file mode 100644 index 0000000000..9f25932a1a --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000879.patch 
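Review bot: The new `char filename_must_match;` member of struct rar is undocumented, and nothing in this patch initialises it; the struct's allocation is outside the hunks, so the fix presumably relies on zeroing there — worth confirming. A comment at the declaration would state the contract: `char filename_must_match; /* set by rar_read_ahead() while it reads the next volume's header: a differing filename is then a format error instead of the start of a new entry, so the ppmd7 buffer is never freed underneath the decoder */`. In rar_read_ahead the flag is raised before and cleared after both read_header calls, which is sound as long as nothing between them re-enters rar_read_ahead; the recursive call at the end runs after the flag is already cleared.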
@@ -0,0 +1,50 @@
+CVE: CVE-2018-1000879
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 4 Dec 2018 14:29:42 +1100
+Subject: [PATCH] Skip 0-length ACL fields
+
+Currently, it is possible to create an archive that crashes bsdtar
+with a malformed ACL:
+
+Program received signal SIGSEGV, Segmentation fault.
+archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726
+1726 switch (*s) {
+(gdb) p n
+$1 = 1
+(gdb) p field[n]
+$2 = {start = 0x0, end = 0x0}
+
+Stop this by checking that the length is not zero before beginning
+the switch statement.
+
+I am pretty sure this is the bug mentioned in the qsym paper [1],
+and I was able to replicate it with a qsym + AFL + afl-rb setup.
+
+[1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun
+---
+ libarchive/archive_acl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
+index 512beee1..7beeee86 100644
+--- a/libarchive/archive_acl.c
++++ b/libarchive/archive_acl.c
+@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text,
+ st = field[n].start + 1;
+ len = field[n].end - field[n].start;
+
++ if (len == 0) {
++ ret = ARCHIVE_WARN;
++ continue;
++ }
++
+ switch (*s) {
+ case 'u':
+ if (len == 1 || (len == 4
+--
+2.20.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch
new file mode 100644
index 0000000000..bc264a1242
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2018-1000880.patch
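Review bot: The zero-length guard sits after `st = field[n].start + 1;`, so for the case shown in the description (`start = 0x0`) the code still evaluates `NULL + 1` before bailing out, which is undefined behaviour in C even though `st` is never used. Computing `len` first, then checking, then deriving `st` avoids it: `len = field[n].end - field[n].start;` / `if (len == 0) { ret = ARCHIVE_WARN; continue; }` / `st = field[n].start + 1;`. The loop header is outside the hunk; the `continue` is only safe if `n` advances in the `for` header rather than at the bottom of the body, so please confirm that.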
@@ -0,0 +1,44 @@
+CVE: CVE-2018-1000880
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 9c84b7426660c09c18cc349f6d70b5f8168b5680 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 4 Dec 2018 16:33:42 +1100
+Subject: [PATCH] warc: consume data once read
+
+The warc decoder only used read ahead, it wouldn't actually consume
+data that had previously been printed. This means that if you specify
+an invalid content length, it will just reprint the same data over
+and over and over again until it hits the desired length.
+
+This means that a WARC resource with e.g.
+Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665
+but only a few hundred bytes of data, causes a quasi-infinite loop.
+
+Consume data in subsequent calls to _warc_read.
+
+Found with an AFL + afl-rb + qsym setup.
+---
+ libarchive/archive_read_support_format_warc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c
+index e8753853..e8fc8428 100644
+--- a/libarchive/archive_read_support_format_warc.c
++++ b/libarchive/archive_read_support_format_warc.c
+@@ -386,6 +386,11 @@ _warc_read(struct archive_read *a, const void **buf, size_t *bsz, int64_t *off)
+ return (ARCHIVE_EOF);
+ }
+
++ if (w->unconsumed) {
++ __archive_read_consume(a, w->unconsumed);
++ w->unconsumed = 0U;
++ }
++
+ rab = __archive_read_ahead(a, 1U, &nrd);
+ if (nrd < 0) {
+ *bsz = 0U;
+--
+2.20.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch
new file mode 100644
index 0000000000..f6f1add5e0
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000019.patch
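Review bot: The return value of `__archive_read_consume()` is discarded in the new block; it returns a negative code when the stream cannot skip the requested bytes, and `_warc_read` would then continue with `w->unconsumed` reset to 0 as though the data had been consumed. `if (__archive_read_consume(a, w->unconsumed) < 0) return (ARCHIVE_FATAL);` keeps that failure visible to the caller. Where `w->unconsumed` is set is outside the hunk, so I cannot verify that it is always bounded by what the preceding `__archive_read_ahead` actually returned.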
@@ -0,0 +1,59 @@
+CVE: CVE-2018-1000019
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 65a23f5dbee4497064e9bb467f81138a62b0dae1 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 1 Jan 2019 16:01:40 +1100
+Subject: [PATCH 2/2] 7zip: fix crash when parsing certain archives
+
+Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data()
+would sometimes fail to return at least 'minimum' bytes. This can cause
+the crc32() invocation in header_bytes to read off into invalid memory.
+
+A specially crafted archive can use this to cause a crash.
+
+An ASAN trace is below, but ASAN is not required - an uninstrumented
+binary will also crash.
+
+==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0)
+==7719==The signal is caused by a READ memory access.
+ #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c)
+ #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb)
+ #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156)
+ #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134)
+ #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690)
+ #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7)
+ #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63)
+ #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd)
+ #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f)
+ #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be)
+ #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb)
+ #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
+ #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09)
+
+This was primarly done with afl and FairFuzz. Some early corpus entries
+may have been generated by qsym.
+---
+ libarchive/archive_read_support_format_7zip.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
+index bccbf8966..b6d1505d3 100644
+--- a/libarchive/archive_read_support_format_7zip.c
++++ b/libarchive/archive_read_support_format_7zip.c
+@@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size,
+ if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) {
+ /* Copy mode. */
+
+- /*
+- * Note: '1' here is a performance optimization.
+- * Recall that the decompression layer returns a count of
+- * available bytes; asking for more than that forces the
+- * decompressor to combine reads by copying data.
+- */
+- *buff = __archive_read_ahead(a, 1, &bytes_avail);
++ *buff = __archive_read_ahead(a, minimum, &bytes_avail);
+ if (bytes_avail <= 0) {
+ archive_set_error(&a->archive,
+ ARCHIVE_ERRNO_FILE_FORMAT,
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch
new file mode 100644
index 0000000000..3e63921346
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2019-1000020.patch
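Review bot: The `CVE:` tag in this patch header reads `CVE-2018-1000019` while the file is named CVE-2019-1000019.patch and the upstream identifier for this 7zip crash is CVE-2019-1000019; the same mismatch is in CVE-2019-1000020.patch, which carries `CVE: CVE-2018-1000020`. The cve-check class reads this tag to record which CVEs a recipe has patched, so with the wrong year the fixed issues would still be reported as open; the lines should read `+CVE: CVE-2019-1000019` and `+CVE: CVE-2019-1000020`. In the code hunk the replacement `__archive_read_ahead(a, minimum, &bytes_avail)` drops the only comment on that call; a short one such as `/* header_bytes() runs crc32() over 'minimum' bytes, so a shorter read here would read past the buffer */` would stop someone reinstating the one-byte optimisation that the removed comment recommended.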
@@ -0,0 +1,61 @@ +CVE: CVE-2018-1000020 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From 8312eaa576014cd9b965012af51bc1f967b12423 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens <dja@axtens.net> +Date: Tue, 1 Jan 2019 17:10:49 +1100 +Subject: [PATCH 1/2] iso9660: Fail when expected Rockridge extensions is + missing + +A corrupted or malicious ISO9660 image can cause read_CE() to loop +forever. + +read_CE() calls parse_rockridge(), expecting a Rockridge extension +to be read. However, parse_rockridge() is structured as a while +loop starting with a sanity check, and if the sanity check fails +before the loop has run, the function returns ARCHIVE_OK without +advancing the position in the file. This causes read_CE() to retry +indefinitely. + +Make parse_rockridge() return ARCHIVE_WARN if it didn't read an +extension. As someone with no real knowledge of the format, this +seems more apt than ARCHIVE_FATAL, but both the call-sites escalate +it to a fatal error immediately anyway. + +Found with a combination of AFL, afl-rb (FairFuzz) and qsym. 
+--- + libarchive/archive_read_support_format_iso9660.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c +index 28acfefbb..bad8f1dfe 100644 +--- a/libarchive/archive_read_support_format_iso9660.c ++++ b/libarchive/archive_read_support_format_iso9660.c +@@ -2102,6 +2102,7 @@ parse_rockridge(struct archive_read *a, struct file_info *file, + const unsigned char *p, const unsigned char *end) + { + struct iso9660 *iso9660; ++ int entry_seen = 0; + + iso9660 = (struct iso9660 *)(a->format->data); + +@@ -2257,8 +2258,16 @@ parse_rockridge(struct archive_read *a, struct file_info *file, + } + + p += p[2]; ++ entry_seen = 1; ++ } ++ ++ if (entry_seen) ++ return (ARCHIVE_OK); ++ else { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Tried to parse Rockridge extensions, but none found"); ++ return (ARCHIVE_WARN); + } +- return (ARCHIVE_OK); + } + + static int + diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.3.bb b/meta/recipes-extended/libarchive/libarchive_3.3.3.bb index 46a3d43762..af5ca65297 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.3.3.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.3.3.bb @@ -34,6 +34,12 @@ EXTRA_OECONF += "--enable-largefile" SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://non-recursive-extract-and-list.patch \ file://bug1066.patch \ + file://CVE-2018-1000877.patch \ + file://CVE-2018-1000878.patch \ + file://CVE-2018-1000879.patch \ + file://CVE-2018-1000880.patch \ + file://CVE-2019-1000019.patch \ + file://CVE-2019-1000020.patch \ " SRC_URI[md5sum] = "4038e366ca5b659dae3efcc744e72120" diff --git a/meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch b/meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch new file mode 100644 index 0000000000..b10fd82770 --- /dev/null 
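Review bot: The `else` after `return (ARCHIVE_OK);` is redundant, and the failure branch is the interesting one, so inverting the test reads better: `if (!entry_seen) { archive_set_error(...); return (ARCHIVE_WARN); }` followed by a bare `return (ARCHIVE_OK);`. The choice of ARCHIVE_WARN over ARCHIVE_FATAL is explained only in the commit message; a comment at the return, e.g. `/* callers escalate this to fatal; returning OK without advancing p would let read_CE() retry the same offset forever */`, keeps that from being "corrected" later. The body of parse_rockridge's loop lies between the two hunks.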
+++ b/meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch
@@ -0,0 +1,33 @@
+From fcd9e3aba122a220af617a802c4f47bad4b51e64 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Fri, 7 Dec 2018 07:05:10 +0100
+Subject: [PATCH] Fix: Dereference of null pointer
+Reply-To: muislam@microsoft.com
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+
+---
+ ext/repo_repomdxml.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/repo_repomdxml.c b/ext/repo_repomdxml.c
+index 760d481f..b2a5b8dd 100644
+--- a/ext/repo_repomdxml.c
++++ b/ext/repo_repomdxml.c
+@@ -181,7 +181,7 @@ startElement(struct solv_xmlparser *xmlp, int state, const char *name, const cha
+ while (value)
+ {
+ char *p = strchr(value, ',');
+- if (*p)
++ if (p)
+ *p++ = 0;
+ if (*value)
+ repodata_add_poolstr_array(pd->data, SOLVID_META, REPOSITORY_UPDATES, value);
+--
+2.23.0
+
diff --git a/meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch b/meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch
new file mode 100644
index 0000000000..fde19940ed
--- /dev/null
+++ b/meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch
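Review bot: `if (p)` is the right test, but nothing at the site says that a NULL `p` is the normal end-of-list case rather than an error, and how `value` moves to the next item is outside the hunk (presumably `value = p;` further down, which also terminates the `while (value)` loop once p is NULL — please confirm). A comment such as `/* no further ',': this is the last entry and p stays NULL */` would make the loop's exit condition obvious to the next reader. startElement() starts and ends outside the hunk.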
@@ -0,0 +1,36 @@
+From 58053b44c9ed043d48fa7dd595d213849b733f0f Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 09:50:06 +0100
+Subject: [PATCH] Fix: Add va_end() before return
+Reply-To: muislam@microsoft.com
+
+The va_end() performs cleanup.
+If va_end() is not called before a function that calls va_start() returns,
+the behavior is undefined.
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ src/pool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pool.c b/src/pool.c
+index 60cc0f49..f03b43f9 100644
+--- a/src/pool.c
++++ b/src/pool.c
+@@ -1505,6 +1505,7 @@ pool_debug(Pool *pool, int type, const char *format, ...)
+ vprintf(format, args);
+ else
+ vfprintf(stderr, format, args);
++ va_end(args);
+ return;
+ }
+ vsnprintf(buf, sizeof(buf), format, args);
+--
+2.23.0
+
diff --git a/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch b/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch
new file mode 100644
index 0000000000..85398a82ec
--- /dev/null
+++ b/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch
@@ -0,0 +1,158 @@ +From 6c99f33252d8bf8ff3e49013b8ad78aacf71c5d8 Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel <jrohel@redhat.com> +Date: Tue, 11 Dec 2018 10:14:04 +0100 +Subject: [PATCH] Fix: Memory leaks +Reply-To: muislam@microsoft.com + +CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 + +Upstream-Status: Backport + +Signed-off-by: Muminul Islam <muislam@microsoft.com> + +Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits +--- + ext/repo_rpmdb.c | 16 ++++++++++++++++ + ext/testcase.c | 4 ++++ + tools/repo2solv.c | 1 + + 3 files changed, 21 insertions(+) + +diff --git a/ext/repo_rpmdb.c b/ext/repo_rpmdb.c +index 75bb6780..ff939978 100644 +--- a/ext/repo_rpmdb.c ++++ b/ext/repo_rpmdb.c +@@ -1939,6 +1939,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags) + if (fread(lead, 96 + 16, 1, fp) != 1 || getu32(lead) != 0xedabeedb) + { + pool_error(pool, -1, "%s: not a rpm", rpm); ++ solv_chksum_free(leadsigchksumh, NULL); ++ solv_chksum_free(chksumh, NULL); + fclose(fp); + return 0; + } +@@ -1951,12 +1953,16 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags) + if (lead[78] != 0 || lead[79] != 5) + { + pool_error(pool, -1, "%s: not a rpm v5 header", rpm); ++ solv_chksum_free(leadsigchksumh, NULL); ++ solv_chksum_free(chksumh, NULL); + fclose(fp); + return 0; + } + if (getu32(lead + 96) != 0x8eade801) + { + pool_error(pool, -1, "%s: bad signature header", rpm); ++ solv_chksum_free(leadsigchksumh, NULL); ++ solv_chksum_free(chksumh, NULL); + fclose(fp); + return 0; + } +@@ -1965,6 +1971,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags) + if (sigcnt >= MAX_SIG_CNT || sigdsize >= MAX_SIG_DSIZE) + { + pool_error(pool, -1, "%s: bad signature header", rpm); ++ solv_chksum_free(leadsigchksumh, NULL); ++ solv_chksum_free(chksumh, NULL); + fclose(fp); + return 0; + } +@@ -1975,6 +1983,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags) + { + if (!headfromfp(&state, rpm, fp, lead + 96, sigcnt, sigdsize, sigpad, chksumh, 
leadsigchksumh)) + { ++ solv_chksum_free(leadsigchksumh, NULL); ++ solv_chksum_free(chksumh, NULL); + fclose(fp); + return 0; + } +@@ -2014,6 +2024,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags) + if (fread(lead, l, 1, fp) != 1) + { + pool_error(pool, -1, "%s: unexpected EOF", rpm); ++ solv_chksum_free(leadsigchksumh, NULL); ++ solv_chksum_free(chksumh, NULL); + fclose(fp); + return 0; + } +@@ -2034,6 +2046,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags) + if (fread(lead, 16, 1, fp) != 1) + { + pool_error(pool, -1, "%s: unexpected EOF", rpm); ++ solv_chksum_free(chksumh, NULL); + fclose(fp); + return 0; + } +@@ -2042,6 +2055,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags) + if (getu32(lead) != 0x8eade801) + { + pool_error(pool, -1, "%s: bad header", rpm); ++ solv_chksum_free(chksumh, NULL); + fclose(fp); + return 0; + } +@@ -2050,6 +2064,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags) + if (sigcnt >= MAX_HDR_CNT || sigdsize >= MAX_HDR_DSIZE) + { + pool_error(pool, -1, "%s: bad header", rpm); ++ solv_chksum_free(chksumh, NULL); + fclose(fp); + return 0; + } +@@ -2057,6 +2072,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags) + + if (!headfromfp(&state, rpm, fp, lead, sigcnt, sigdsize, 0, chksumh, 0)) + { ++ solv_chksum_free(chksumh, NULL); + fclose(fp); + return 0; + } +diff --git a/ext/testcase.c b/ext/testcase.c +index aa72a8d7..3901d90d 100644 +--- a/ext/testcase.c ++++ b/ext/testcase.c +@@ -2348,6 +2348,7 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha + if (fclose(fp)) + { + pool_error(solv->pool, 0, "testcase_write: write error"); ++ solv_free(result); + strqueue_free(&sq); + return 0; + } +@@ -2360,12 +2361,14 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha + if (!(fp = fopen(out, "w"))) + { + pool_error(solv->pool, 0, "testcase_write: could not open '%s' for writing", out); ++ solv_free(cmd); + strqueue_free(&sq); + return 0; + } + if (*cmd 
&& fwrite(cmd, strlen(cmd), 1, fp) != 1) + { + pool_error(solv->pool, 0, "testcase_write: write error"); ++ solv_free(cmd); + strqueue_free(&sq); + fclose(fp); + return 0; +@@ -2373,6 +2376,7 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha + if (fclose(fp)) + { + pool_error(solv->pool, 0, "testcase_write: write error"); ++ solv_free(cmd); + strqueue_free(&sq); + return 0; + } +diff --git a/tools/repo2solv.c b/tools/repo2solv.c +index e055e408..30a41f42 100644 +--- a/tools/repo2solv.c ++++ b/tools/repo2solv.c +@@ -208,6 +208,7 @@ read_plaindir_repo(Repo *repo, const char *dir) + repodata_set_location(data, p, 0, 0, bp[0] == '.' && bp[1] == '/' ? bp + 2 : bp); + solv_free(rpm); + } ++ solv_free(buf); + fclose(fp); + while (waitpid(pid, &wstatus, 0) == -1) + { +-- +2.23.0 + diff --git a/meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch b/meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch new file mode 100644 index 0000000000..559aefb1ec --- /dev/null +++ b/meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch 
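Review bot: The repo_add_rpm hunks paste the same cleanup (`solv_chksum_free(leadsigchksumh, NULL); solv_chksum_free(chksumh, NULL); fclose(fp); return 0;`) into seven error paths, and the later paths drop the leadsigchksumh line, which suggests it is released mid-function outside the hunks. A single cleanup label makes every present and future error path release both handles without copying the sequence, provided leadsigchksumh is set to NULL after its mid-function free and solv_chksum_free() tolerates a NULL handle (please confirm both). The testcase.c and repo2solv.c hunks are plain missing-free fixes and look fine.
```c
      /* … unchanged: lead read … */
      if (fread(lead, 96 + 16, 1, fp) != 1 || getu32(lead) != 0xedabeedb)
	{
	  pool_error(pool, -1, "%s: not a rpm", rpm);
	  goto fail;	/* every later error path jumps here as well */
	}
      /* … unchanged: header parsing; set leadsigchksumh = 0 where it is freed mid-function … */
fail:
      solv_chksum_free(leadsigchksumh, NULL);
      solv_chksum_free(chksumh, NULL);
      fclose(fp);
      return 0;
```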
@@ -0,0 +1,41 @@
+From 823bf65087a017d2f488f01e09ee284fa36f7446 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 10:22:09 +0100
+Subject: [PATCH] Fix: testsolv segfault
+Reply-To: muislam@microsoft.com
+
+ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fab0e11bf2b bp 0x7ffdfc044b70 sp 0x7ffdfc044a90 T0)
+0 0x7fab0e11bf2a in testcase_str2dep_complex /home/company/real_sanitize/libsolv-master/ext/testcase.c:577
+1 0x7fab0e11c80f in testcase_str2dep /home/company/real_sanitize/libsolv-master/ext/testcase.c:656
+2 0x7fab0e12e64a in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2952
+3 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148
+4 0x7fab0d9d2a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
+5 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ ext/testcase.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/testcase.c b/ext/testcase.c
+index 3901d90d..dd20de14 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -571,6 +571,8 @@ testcase_str2dep_complex(Pool *pool, const char **sp, int relop)
+ Id flags, id, id2, namespaceid = 0;
+ struct oplist *op;
+
++ if (!s)
++ return 0;
+ while (*s == ' ' || *s == '\t')
+ s++;
+ if (!strncmp(s, "namespace:", 10))
+--
+2.23.0
+
diff --git a/meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch b/meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch
new file mode 100644
index 0000000000..5c13ce5e9d
--- /dev/null
+++ b/meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch
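Review bot: The new guard `if (!s) return 0;` bails out silently, whereas the comparable bad-input path in testcase_read (patch 0007) reports through pool_error(), so a caller cannot tell a missing dependency string from an ordinary parse failure. Where `s` is initialised is above the hunk (presumably from `*sp`, which the ASan trace in the description shows being dereferenced at testcase.c:577); if so, a `pool_error(pool, 0, "testcase_str2dep: missing dependency string")` before the return would keep the two error paths consistent. At minimum the guard deserves a one-line comment, e.g. `/* the testcase line may lack its argument; refuse rather than dereference NULL */`. The enclosing function starts above and continues below the hunk.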
@@ -0,0 +1,47 @@ +From 43928ee565b9c4f69daa1875da66f92b2d5bf932 Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel <jrohel@redhat.com> +Date: Tue, 11 Dec 2018 10:27:15 +0100 +Subject: [PATCH] Fix: testsolv segfaults +Reply-To: muislam@microsoft.com + +ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002f0 (pc 0x7f31501d3bd2 bp 0x7ffcfe4d4a50 sp 0x7ffcfe4d4a30 T0) +0 0x7f31501d3bd1 in pool_whatprovides /home/company/real_sanitize/libsolv-master/src/pool.h:331 +1 0x7f31501d895e in testcase_str2solvid /home/company/real_sanitize/libsolv-master/ext/testcase.c:793 +2 0x7f31501e8388 in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2807 +3 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148 +4 0x7f314fa8da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f) +5 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8) + +ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5af9e7815f bp 0x7ffc4c843a40 sp 0x7ffc4c8436c0 T0) +0 0x7f5af9e7815e in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2799 +1 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148 +2 0x7f5af971da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f) +3 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8) + +CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 + +Upstream-Status: Backport + +Signed-off-by: Muminul Islam <muislam@microsoft.com> + +Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits +--- + ext/testcase.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/testcase.c b/ext/testcase.c +index dd20de14..83467fe2 100644 +--- a/ext/testcase.c ++++ b/ext/testcase.c +@@ -2772,7 +2772,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res + { + int i = strlen(pieces[1]); + s = 
strchr(pieces[1], '(');
+- if (!s && pieces[1][i - 1] != ')')
++ if (!s || pieces[1][i - 1] != ')')
+ {
+ pool_error(pool, 0, "testcase_read: bad namespace '%s'", pieces[1]);
+ }
+--
+2.23.0
+
diff --git a/meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch b/meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch
new file mode 100644
index 0000000000..fdea9dbdb5
--- /dev/null
+++ b/meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch
@@ -0,0 +1,37 @@
+From ebb51f73491987435664ac14b79bebe16ffbdd5c Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 12:40:42 +0100
+Subject: [PATCH] Fix: Be sure that NONBLOCK is set
+Reply-To: muislam@microsoft.com
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ examples/solv/fastestmirror.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/examples/solv/fastestmirror.c b/examples/solv/fastestmirror.c
+index d2ebd97a..0ee4e73b 100644
+--- a/examples/solv/fastestmirror.c
++++ b/examples/solv/fastestmirror.c
+@@ -68,7 +68,11 @@ findfastest(char **urls, int nurls)
+ socks[i] = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
+ if (socks[i] >= 0)
+ {
+- fcntl(socks[i], F_SETFL, O_NONBLOCK);
++ if (fcntl(socks[i], F_SETFL, O_NONBLOCK) == -1)
++ {
++ close(socks[i]);
++ socks[i] = -1;
++ }
+ if (connect(socks[i], result->ai_addr, result->ai_addrlen) == -1)
+ {
+ if (errno != EINPROGRESS)
+--
+2.23.0
+
diff --git a/meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch b/meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch
new file mode 100644
index 0000000000..8b4a993d22
--- /dev/null
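Review bot: The corrected condition `if (!s || pieces[1][i - 1] != ')')` relies on short-circuit evaluation to keep the index in bounds: `i = strlen(pieces[1])` can be 0, and then only the `!s` test (strchr() on an empty string returns NULL) stops `pieces[1][-1]` from being read. That is correct but fragile under later edits; a comment on the new line, `/* strchr() is NULL for "", so i >= 1 whenever the ')' test runs */`, would protect it. What happens after pool_error() — whether the entry is skipped or parsing continues with the bad string — is below the hunk and cannot be checked here.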
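Review bot: After the new error branch closes the socket and stores -1 in `socks[i]`, control still reaches `connect(socks[i], ...)` on the following line with the closed descriptor; connect() then fails with EBADF and the `errno != EINPROGRESS` path below the hunk runs on a socket that is already closed, which depending on that code may close(-1) or count a spurious connect failure. Making the connect the else arm avoids it: `else if (connect(socks[i], result->ai_addr, result->ai_addrlen) == -1)`. Separately, `F_SETFL, O_NONBLOCK` replaces all status flags instead of ORing O_NONBLOCK into the result of `F_GETFL`; that predates the patch but is worth fixing while the line is being touched. The findfastest() body continues outside the hunk.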
+++ b/meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch 
@@ -0,0 +1,113 @@ +From edf87c92cf59c2eed9c1e33c51a47163da15d90b Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel <jrohel@redhat.com> +Date: Tue, 11 Dec 2018 12:58:34 +0100 +Subject: [PATCH] Don't set values that are never read +Reply-To: muislam@microsoft.com + +CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 + +Upstream-Status: Backport + +Signed-off-by: Muminul Islam <muislam@microsoft.com> + +Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits +--- + ext/pool_fileconflicts.c | 1 - + ext/repo_appdata.c | 2 +- + ext/repo_comps.c | 2 +- + src/cleandeps.c | 1 - + src/dirpool.c | 2 +- + src/order.c | 1 - + src/repopage.c | 1 - + 7 files changed, 3 insertions(+), 7 deletions(-) + +diff --git a/ext/pool_fileconflicts.c b/ext/pool_fileconflicts.c +index eaeb52b2..2fd3d540 100644 +--- a/ext/pool_fileconflicts.c ++++ b/ext/pool_fileconflicts.c +@@ -590,7 +590,6 @@ findfileconflicts_alias_cb(void *cbdatav, const char *fn, struct filelistinfo *i + + if (!info->dirlen) + return; +- dp = fn + info->dirlen; + if (info->diridx != cbdata->lastdiridx) + { + cbdata->lastdiridx = info->diridx; +diff --git a/ext/repo_appdata.c b/ext/repo_appdata.c +index 62faf2d8..69d46386 100644 +--- a/ext/repo_appdata.c ++++ b/ext/repo_appdata.c +@@ -103,7 +103,7 @@ startElement(struct solv_xmlparser *xmlp, int state, const char *name, const cha + { + struct parsedata *pd = xmlp->userdata; + Pool *pool = pd->pool; +- Solvable *s = pd->solvable; ++ Solvable *s; + const char *type; + + /* ignore all language tags */ +diff --git a/ext/repo_comps.c b/ext/repo_comps.c +index 255ecb16..e59f8d12 100644 +--- a/ext/repo_comps.c ++++ b/ext/repo_comps.c +@@ -107,7 +107,7 @@ startElement(struct solv_xmlparser *xmlp, int state, const char *name, const cha + { + struct parsedata *pd = xmlp->userdata; + Pool *pool = pd->pool; +- Solvable *s = pd->solvable; ++ Solvable *s; + + switch(state) + { +diff --git a/src/cleandeps.c b/src/cleandeps.c +index 1da28f6e..b2fde317 100644 +--- 
a/src/cleandeps.c ++++ b/src/cleandeps.c +@@ -748,7 +748,6 @@ solver_createcleandepsmap(Solver *solv, Map *cleandepsmap, int unneeded) + continue; + if (strncmp(pool_id2str(pool, s->name), "pattern:", 8) != 0) + continue; +- dp = s->repo->idarraydata + s->requires; + for (dp = s->repo->idarraydata + s->requires; *dp; dp++) + FOR_PROVIDES(p, pp, *dp) + if (pool->solvables[p].repo == installed) +diff --git a/src/dirpool.c b/src/dirpool.c +index afb26ea5..bed9435e 100644 +--- a/src/dirpool.c ++++ b/src/dirpool.c +@@ -85,7 +85,7 @@ dirpool_make_dirtraverse(Dirpool *dp) + return; + dp->dirs = solv_extend_resize(dp->dirs, dp->ndirs, sizeof(Id), DIR_BLOCK); + dirtraverse = solv_calloc_block(dp->ndirs, sizeof(Id), DIR_BLOCK); +- for (parent = 0, i = 0; i < dp->ndirs; i++) ++ for (i = 0; i < dp->ndirs; i++) + { + if (dp->dirs[i] > 0) + continue; +diff --git a/src/order.c b/src/order.c +index c92c3328..cfde40c9 100644 +--- a/src/order.c ++++ b/src/order.c +@@ -1066,7 +1066,6 @@ transaction_order(Transaction *trans, int flags) + #if 0 + printf("do %s [%d]\n", pool_solvid2str(pool, te->p), temedianr[i]); + #endif +- s = pool->solvables + te->p; + for (j = te->edges; od.invedgedata[j]; j++) + { + struct _TransactionElement *te2 = od.tes + od.invedgedata[j]; +diff --git a/src/repopage.c b/src/repopage.c +index 2b7a863b..85d53eb9 100644 +--- a/src/repopage.c ++++ b/src/repopage.c +@@ -399,7 +399,6 @@ match_done: + litlen -= 32; + } + } +- litofs = 0; + } + return oo; + } +-- +2.23.0 + diff --git a/meta/recipes-extended/libsolv/libsolv_0.6.35.bb b/meta/recipes-extended/libsolv/libsolv_0.6.35.bb index 12dfc5d3a2..ed6a7cbfd5 100644 --- a/meta/recipes-extended/libsolv/libsolv_0.6.35.bb +++ b/meta/recipes-extended/libsolv/libsolv_0.6.35.bb 
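Review bot: In the repo_appdata.c and repo_comps.c hunks `Solvable *s = pd->solvable;` becomes `Solvable *s;`, so `s` is now uninitialised at the top of startElement(); that is only safe if every `case` that reads `s` assigns it first, and the switch bodies are outside the hunk, so it cannot be confirmed here (building with -Wmaybe-uninitialized would flag any miss). A comment at the declaration, e.g. `/* assigned per state below; never read before assignment */`, records the invariant the change now depends on. The other hunks drop stores that are immediately overwritten or never read (`dp` in cleandeps.c, `parent` in dirpool.c, `s` in order.c, `litofs` in repopage.c) and look straightforward. The patch header tags the three CVEs, but the subject says this is a dead-store cleanup, so the CVE: line overstates its relevance for anyone auditing which patch closes which issue.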
@@ -10,6 +10,13 @@ DEPENDS = "expat zlib" SRC_URI = "git://github.com/openSUSE/libsolv.git" SRC_URI_append_libc-musl = " file://0001-Add-fallback-fopencookie-implementation.patch \ file://0002-Fixes-to-internal-fopencookie-implementation.patch \ + file://0003-Fix-Dereference-of-null-pointer.patch \ + file://0004-Fix-Add-va_end-before-return.patch \ + file://0005-Fix-Memory-leaks.patch \ + file://0006-Fix-testsolv-segfault.patch \ + file://0007-Fix-testsolv-segfaults.patch \ + file://0008-Fix-Be-sure-that-NONBLOCK-is-set.patch \ + file://0009-Don-t-set-values-that-are-never-read.patch \ " SRCREV = "38c5374d4712667b0b6ada4bf78ddbb343095d0c" diff --git a/meta/recipes-extended/lighttpd/lighttpd/fix-http-parseopts.patch b/meta/recipes-extended/lighttpd/lighttpd/fix-http-parseopts.patch new file mode 100644 index 0000000000..f3a0402c4b --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/fix-http-parseopts.patch 
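Review bot: The seven new `file://000N-*.patch` lines are inserted inside `SRC_URI_append_libc-musl` — they sit between the existing 0001/0002 musl entries and the closing quote — so the CVE-2018-20532/20533/20534 fixes are applied only for musl builds and a glibc build of libsolv stays unpatched. They belong on `SRC_URI` itself, which on the line above is just the bare git URL. After moving them, confirm that 0001/0002 still apply, since the musl patches would then be applied after the CVE fixes rather than before.
```bitbake
SRC_URI = "git://github.com/openSUSE/libsolv.git \
           file://0003-Fix-Dereference-of-null-pointer.patch \
           file://0004-Fix-Add-va_end-before-return.patch \
           file://0005-Fix-Memory-leaks.patch \
           file://0006-Fix-testsolv-segfault.patch \
           file://0007-Fix-testsolv-segfaults.patch \
           file://0008-Fix-Be-sure-that-NONBLOCK-is-set.patch \
           file://0009-Don-t-set-values-that-are-never-read.patch \
           "
SRC_URI_append_libc-musl = " file://0001-Add-fallback-fopencookie-implementation.patch \
                             file://0002-Fixes-to-internal-fopencookie-implementation.patch \
                           "
# … unchanged: SRCREV …
```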
@@ -0,0 +1,51 @@ +CVE: CVE-2019-11072 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From 32120d5b8b3203fc21ccb9eafb0eaf824bb59354 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstrauss@gluelogic.com> +Date: Wed, 10 Apr 2019 11:28:10 -0400 +Subject: [PATCH] [core] fix abort in http-parseopts (fixes #2945) + +fix abort in server.http-parseopts with url-path-2f-decode enabled + +(thx stze) + +x-ref: + "Security - SIGABRT during GET request handling with url-path-2f-decode enabled" + https://redmine.lighttpd.net/issues/2945 +--- + src/burl.c | 6 ++++-- + src/t/test_burl.c | 2 ++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/burl.c b/src/burl.c +index 51182628..c4b928fd 100644 +--- a/src/burl.c ++++ b/src/burl.c +@@ -252,8 +252,10 @@ static int burl_normalize_2F_to_slash_fix (buffer *b, int qs, int i) + } + } + if (qs >= 0) { +- memmove(s+j, s+qs, blen - qs); +- j += blen - qs; ++ const int qslen = blen - qs; ++ memmove(s+j, s+qs, (size_t)qslen); ++ qs = j; ++ j += qslen; + } + buffer_string_set_length(b, j); + return qs; +diff --git a/src/t/test_burl.c b/src/t/test_burl.c +index 7be9be50..f7a16815 100644 +--- a/src/t/test_burl.c ++++ b/src/t/test_burl.c +@@ -97,6 +97,8 @@ static void test_burl_normalize (void) { + flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE; + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/")); ++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), CONST_STR_LEN("/?")); ++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), CONST_STR_LEN("//?")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), CONST_STR_LEN("/a/b")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), CONST_STR_LEN("/a/b")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, 
CONST_STR_LEN("/a%2fb?c=/"), CONST_STR_LEN("/a/b?c=/")); diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb index f28fd2f690..5c828da5b0 100644 --- a/meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb +++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb @@ -18,6 +18,7 @@ SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.t file://lighttpd \ file://lighttpd.service \ file://0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch \ + file://fix-http-parseopts.patch \ " SRC_URI[md5sum] = "6e68c19601af332fa3c5f174245f59bf" diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch new file mode 100644 index 0000000000..f954fac8fc --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch 
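Review bot: The fix depends on statement order that is easy to break: `qs = j;` must execute after the memmove and before `j += qslen;`, because the function returns `qs` as the query-string offset in the compacted buffer, and the old code returned the pre-compaction offset (plausibly the out-of-range index behind the abort, though that is inferred from the description). A comment on the new line, `/* the query string now starts at j; return that, not the old offset */`, pins the ordering. `(size_t)qslen` also assumes `qs <= blen`; the `qs >= 0` test just above does not establish it, so if it is a caller invariant it is worth stating beside the cast. The rest of burl_normalize_2F_to_slash_fix() is outside the hunk.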
@@ -0,0 +1,170 @@ +Treat an ID of -1 as invalid since that means "no change". +Fixes CVE-2019-14287. +Found by Joe Vennix from Apple Information Security. + +CVE: CVE-2019-14287 +Upstream-Status: Backport +[https://www.sudo.ws/repos/sudo/rev/83db8dba09e7] + +Signed-off-by: Dan Tran <dantran@microsoft.com> + +Index: sudo-1.8.21p2/lib/util/strtoid.c +=================================================================== +--- sudo-1.8.21p2.orig/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400 ++++ sudo-1.8.21p2/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400 +@@ -42,6 +42,27 @@ + #include "sudo_util.h" + + /* ++ * Make sure that the ID ends with a valid separator char. ++ */ ++static bool ++valid_separator(const char *p, const char *ep, const char *sep) ++{ ++ bool valid = false; ++ debug_decl(valid_separator, SUDO_DEBUG_UTIL) ++ ++ if (ep != p) { ++ /* check for valid separator (including '\0') */ ++ if (sep == NULL) ++ sep = ""; ++ do { ++ if (*ep == *sep) ++ valid = true; ++ } while (*sep++ != '\0'); ++ } ++ debug_return_bool(valid); ++} ++ ++/* + * Parse a uid/gid in string form. + * If sep is non-NULL, it contains valid separator characters (e.g. comma, space) + * If endp is non-NULL it is set to the next char after the ID. +@@ -55,36 +76,33 @@ sudo_strtoid_v1(const char *p, const cha + char *ep; + id_t ret = 0; + long long llval; +- bool valid = false; + debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) + + /* skip leading space so we can pick up the sign, if any */ + while (isspace((unsigned char)*p)) + p++; +- if (sep == NULL) +- sep = ""; ++ ++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. 
*/ + errno = 0; + llval = strtoll(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); ++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) { ++ errno = ERANGE; ++ if (errstr != NULL) ++ *errstr = N_("value too large"); ++ goto done; + } +- if (!valid) { ++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) { ++ errno = ERANGE; + if (errstr != NULL) +- *errstr = N_("invalid value"); +- errno = EINVAL; ++ *errstr = N_("value too small"); + goto done; + } +- if (errno == ERANGE) { +- if (errstr != NULL) { +- if (llval == LLONG_MAX) +- *errstr = N_("value too large"); +- else +- *errstr = N_("value too small"); +- } ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) { ++ if (errstr != NULL) ++ *errstr = N_("invalid value"); ++ errno = EINVAL; + goto done; + } + ret = (id_t)llval; +@@ -101,30 +119,15 @@ sudo_strtoid_v1(const char *p, const cha + { + char *ep; + id_t ret = 0; +- bool valid = false; + debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) + + /* skip leading space so we can pick up the sign, if any */ + while (isspace((unsigned char)*p)) + p++; +- if (sep == NULL) +- sep = ""; ++ + errno = 0; + if (*p == '-') { + long lval = strtol(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); +- } +- if (!valid) { +- if (errstr != NULL) +- *errstr = N_("invalid value"); +- errno = EINVAL; +- goto done; +- } + if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) { + errno = ERANGE; + if (errstr != NULL) +@@ -137,28 +140,31 @@ sudo_strtoid_v1(const char *p, const cha + *errstr = N_("value too small"); + goto done; + } +- ret = (id_t)lval; +- } else { +- unsigned long ulval = strtoul(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator 
(including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); +- } +- if (!valid) { ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || lval == -1) { + if (errstr != NULL) + *errstr = N_("invalid value"); + errno = EINVAL; + goto done; + } ++ ret = (id_t)lval; ++ } else { ++ unsigned long ulval = strtoul(p, &ep, 10); + if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) { + errno = ERANGE; + if (errstr != NULL) + *errstr = N_("value too large"); + goto done; + } ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) { ++ if (errstr != NULL) ++ *errstr = N_("invalid value"); ++ errno = EINVAL; ++ goto done; ++ } + ret = (id_t)ulval; + } + if (errstr != NULL) diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch new file mode 100644 index 0000000000..dcb2703d23 --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch 
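Review bot: The rejection of -1 is written three times with the same error handling (`llval == -1 || llval == (id_t)UINT_MAX`, `lval == -1`, `ulval == UINT_MAX`), and in the 64-bit id_t variant a reader has to know that `(id_t)UINT_MAX` is what -1 becomes once truncated to a 32-bit uid_t/gid_t; the "Disallow id -1" comment should say so, e.g. `/* Disallow id -1, which means "no change"; UINT_MAX is the same value once truncated to uid_t/gid_t. */`. Folding the three checks into one helper next to valid_separator() would make the three paths harder to desynchronise. valid_separator() also deserves a line noting that a NULL `sep` means only '\0' may follow the ID, since that rule moved out of the callers. The `done:` label and tail of sudo_strtoid_v1() are outside the hunk.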
@@ -0,0 +1,98 @@ +CVE: CVE-2019-14287 +Upstream-Status: Backport +[https://www.sudo.ws/repos/sudo/rev/db06a8336c09] + +Signed-off-by: Dan Tran <dantran@microsoft.com> + +Index: sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c +=================================================================== +--- sudo-1.8.21p2.orig/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:11:49.874655384 -0400 ++++ sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:13:07.471005893 -0400 +@@ -24,6 +24,7 @@ + #else + # include "compat/stdbool.h" + #endif ++#include <errno.h> + + #include "sudo_compat.h" + #include "sudo_util.h" +@@ -78,15 +79,20 @@ static struct strtoid_data { + id_t id; + const char *sep; + const char *ep; ++ int errnum; + } strtoid_data[] = { +- { "0,1", 0, ",", "," }, +- { "10", 10, NULL, NULL }, +- { "-2", -2, NULL, NULL }, ++ { "0,1", 0, ",", ",", 0 }, ++ { "10", 10, NULL, NULL, 0 }, ++ { "-1", 0, NULL, NULL, EINVAL }, ++ { "4294967295", 0, NULL, NULL, EINVAL }, ++ { "4294967296", 0, NULL, NULL, ERANGE }, ++ { "-2147483649", 0, NULL, NULL, ERANGE }, ++ { "-2", -2, NULL, NULL, 0 }, + #if SIZEOF_ID_T != SIZEOF_LONG_LONG +- { "-2", 4294967294U, NULL, NULL }, ++ { "-2", (id_t)4294967294U, NULL, NULL, 0 }, + #endif +- { "4294967294", 4294967294U, NULL, NULL }, +- { NULL, 0, NULL, NULL } ++ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 }, ++ { NULL, 0, NULL, NULL, 0 } + }; + + static int +@@ -102,11 +108,23 @@ test_strtoid(int *ntests) + (*ntests)++; + errstr = "some error"; + value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr); +- if (errstr != NULL) { +- if (d->id != (id_t)-1) { +- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); ++ if (d->errnum != 0) { ++ if (errstr == NULL) { ++ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d", ++ d->idstr, d->errnum); ++ errors++; ++ } else if (value != 0) { ++ sudo_warnx_nodebug("FAIL: %s should return 0 on error", ++ d->idstr); ++ errors++; ++ } else if (errno != d->errnum) { ++ 
sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d", ++ d->idstr, errno, d->errnum); + errors++; + } ++ } else if (errstr != NULL) { ++ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); ++ errors++; + } else if (value != d->id) { + sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id); + errors++; +Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok +=================================================================== +--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.874655384 -0400 ++++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.870655365 -0400 +@@ -4,7 +4,7 @@ Parse error in sudoers near line 1. + Entries for user root: + + Command unmatched +-testsudoers: test5.inc should be owned by gid 4294967295 ++testsudoers: test5.inc should be owned by gid 4294967294 + Parse error in sudoers near line 1. + + Entries for user root: +Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh +=================================================================== +--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.sh 2019-10-11 07:11:49.874655384 -0400 ++++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh 2019-10-11 07:11:49.870655365 -0400 +@@ -24,7 +24,7 @@ EOF + + # Test group writable + chmod 664 $TESTFILE +-./testsudoers -U $MYUID -G -1 root id <<EOF ++./testsudoers -U $MYUID -G -2 root id <<EOF + #include $TESTFILE + EOF + diff --git a/meta/recipes-extended/sudo/sudo_1.8.23.bb b/meta/recipes-extended/sudo/sudo_1.8.23.bb index ce32bd187e..d12cf2d549 100644 --- a/meta/recipes-extended/sudo/sudo_1.8.23.bb +++ b/meta/recipes-extended/sudo/sudo_1.8.23.bb 
@@ -3,6 +3,8 @@ require sudo.inc SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://0001-Include-sys-types.h-for-id_t-definition.patch \ + file://CVE-2019-14287_p1.patch \ + file://CVE-2019-14287_p2.patch \ " PAM_SRC_URI = "file://sudo.pam" diff --git a/meta/recipes-extended/tar/tar/CVE-2018-20482.patch b/meta/recipes-extended/tar/tar/CVE-2018-20482.patch new file mode 100644 index 0000000000..2a13148427 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2018-20482.patch 
@@ -0,0 +1,405 @@ +From 331be56598b284d41370c67046df25673b040a55 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Thu, 27 Dec 2018 17:48:57 +0200 +Subject: [PATCH] Fix CVE-2018-20482 + +* NEWS: Update. +* src/sparse.c (sparse_dump_region): Handle short read condition. +(sparse_extract_region,check_data_region): Fix dumped_size calculation. +Handle short read condition. +(pax_decode_header): Fix dumped_size calculation. +* tests/Makefile.am: Add new testcases. +* tests/testsuite.at: Likewise. + +* tests/sptrcreat.at: New file. +* tests/sptrdiff00.at: New file. +* tests/sptrdiff01.at: New file. + +CVE: CVE-2018-20482 +Upstream-Status: Backport +[http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454] + +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + src/sparse.c | 50 +++++++++++++++++++++++++++++++----- + tests/Makefile.am | 5 +++- + tests/sptrcreat.at | 62 +++++++++++++++++++++++++++++++++++++++++++++ + tests/sptrdiff00.at | 55 ++++++++++++++++++++++++++++++++++++++++ + tests/sptrdiff01.at | 55 ++++++++++++++++++++++++++++++++++++++++ + tests/testsuite.at | 5 +++- + 6 files changed, 224 insertions(+), 8 deletions(-) + create mode 100644 tests/sptrcreat.at + create mode 100644 tests/sptrdiff00.at + create mode 100644 tests/sptrdiff01.at + +diff --git a/src/sparse.c b/src/sparse.c +index 0830f62..e8e8259 100644 +--- a/src/sparse.c ++++ b/src/sparse.c +@@ -1,6 +1,6 @@ + /* Functions for dealing with sparse files + +- Copyright 2003-2007, 2010, 2013-2017 Free Software Foundation, Inc. ++ Copyright 2003-2007, 2010, 2013-2018 Free Software Foundation, Inc. 
+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the +@@ -427,6 +427,30 @@ sparse_dump_region (struct tar_sparse_file *file, size_t i) + bufsize); + return false; + } ++ else if (bytes_read == 0) ++ { ++ char buf[UINTMAX_STRSIZE_BOUND]; ++ struct stat st; ++ size_t n; ++ if (fstat (file->fd, &st) == 0) ++ n = file->stat_info->stat.st_size - st.st_size; ++ else ++ n = file->stat_info->stat.st_size ++ - (file->stat_info->sparse_map[i].offset ++ + file->stat_info->sparse_map[i].numbytes ++ - bytes_left); ++ ++ WARNOPT (WARN_FILE_SHRANK, ++ (0, 0, ++ ngettext ("%s: File shrank by %s byte; padding with zeros", ++ "%s: File shrank by %s bytes; padding with zeros", ++ n), ++ quotearg_colon (file->stat_info->orig_file_name), ++ STRINGIFY_BIGINT (n, buf))); ++ if (! ignore_failed_read_option) ++ set_exit_status (TAREXIT_DIFFERS); ++ return false; ++ } + + memset (blk->buffer + bytes_read, 0, BLOCKSIZE - bytes_read); + bytes_left -= bytes_read; +@@ -464,9 +488,9 @@ sparse_extract_region (struct tar_sparse_file *file, size_t i) + return false; + } + set_next_block_after (blk); ++ file->dumped_size += BLOCKSIZE; + count = blocking_write (file->fd, blk->buffer, wrbytes); + write_size -= count; +- file->dumped_size += count; + mv_size_left (file->stat_info->archive_file_size - file->dumped_size); + file->offset += count; + if (count != wrbytes) +@@ -598,6 +622,12 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end) + rdsize); + return false; + } ++ else if (bytes_read == 0) ++ { ++ report_difference (file->stat_info, _("Size differs")); ++ return false; ++ } ++ + if (!zero_block_p (diff_buffer, bytes_read)) + { + char begbuf[INT_BUFSIZE_BOUND (off_t)]; +@@ -609,6 +639,7 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end) + + beg += bytes_read; + } ++ + return true; + } + +@@ -635,6 +666,7 @@ check_data_region (struct tar_sparse_file *file, 
size_t i) + return false; + } + set_next_block_after (blk); ++ file->dumped_size += BLOCKSIZE; + bytes_read = safe_read (file->fd, diff_buffer, rdsize); + if (bytes_read == SAFE_READ_ERROR) + { +@@ -645,7 +677,11 @@ check_data_region (struct tar_sparse_file *file, size_t i) + rdsize); + return false; + } +- file->dumped_size += bytes_read; ++ else if (bytes_read == 0) ++ { ++ report_difference (¤t_stat_info, _("Size differs")); ++ return false; ++ } + size_left -= bytes_read; + mv_size_left (file->stat_info->archive_file_size - file->dumped_size); + if (memcmp (blk->buffer, diff_buffer, rdsize)) +@@ -1213,7 +1249,8 @@ pax_decode_header (struct tar_sparse_file *file) + union block *blk; + char *p; + size_t i; +- ++ off_t start; ++ + #define COPY_BUF(b,buf,src) do \ + { \ + char *endp = b->buffer + BLOCKSIZE; \ +@@ -1229,7 +1266,6 @@ pax_decode_header (struct tar_sparse_file *file) + if (src == endp) \ + { \ + set_next_block_after (b); \ +- file->dumped_size += BLOCKSIZE; \ + b = find_next_block (); \ + if (!b) \ + FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); \ +@@ -1242,8 +1278,8 @@ pax_decode_header (struct tar_sparse_file *file) + dst[-1] = 0; \ + } while (0) + ++ start = current_block_ordinal (); + set_next_block_after (current_header); +- file->dumped_size += BLOCKSIZE; + blk = find_next_block (); + if (!blk) + FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); +@@ -1282,6 +1318,8 @@ pax_decode_header (struct tar_sparse_file *file) + sparse_add_map (file->stat_info, &sp); + } + set_next_block_after (blk); ++ ++ file->dumped_size += BLOCKSIZE * (current_block_ordinal () - start); + } + + return true; +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 2d7939d..ac3b6e7 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -1,6 +1,6 @@ + # Makefile for GNU tar regression tests. 
+ +-# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2015 Free Software ++# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2018 Free Software + + # This file is part of GNU tar. + +@@ -228,6 +228,9 @@ TESTSUITE_AT = \ + spmvp00.at\ + spmvp01.at\ + spmvp10.at\ ++ sptrcreat.at\ ++ sptrdiff00.at\ ++ sptrdiff01.at\ + time01.at\ + time02.at\ + truncate.at\ +diff --git a/tests/sptrcreat.at b/tests/sptrcreat.at +new file mode 100644 +index 0000000..8e28f0e +--- /dev/null ++++ b/tests/sptrcreat.at +@@ -0,0 +1,62 @@ ++# Process this file with autom4te to create testsuite. -*- Autotest -*- ++ ++# Test suite for GNU tar. ++# Copyright 2018 Free Software Foundation, Inc. ++ ++# This file is part of GNU tar. ++ ++# GNU tar is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++ ++# GNU tar is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++ ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see <http://www.gnu.org/licenses/>. ++ ++# Tar up to 1.30 would loop endlessly if a sparse file had been truncated ++# while being archived (with --sparse flag). ++# ++# The bug has been assigned id CVE-2018-20482 (on the grounds that it is a ++# denial of service possibility). 
++# ++# Reported by: Chris Siebenmann <cks.gnutar-01@cs.toronto.edu> ++# References: <20181226223948.781EB32008E@apps1.cs.toronto.edu>, ++# <http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html> ++# <https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug> ++# <https://nvd.nist.gov/vuln/detail/CVE-2018-20482> ++ ++AT_SETUP([sparse file truncated while archiving]) ++AT_KEYWORDS([truncate filechange sparse sptr sptrcreat]) ++ ++AT_TAR_CHECK([ ++genfile --sparse --block-size=1024 --file foo \ ++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ ++genfile --file baz ++genfile --run --checkpoint 3 --length 200m --truncate foo -- \ ++ tar --checkpoint=1 \ ++ --checkpoint-action=echo \ ++ --checkpoint-action=sleep=1 \ ++ --sparse -vcf bar foo baz ++echo Exit status: $? ++echo separator ++genfile --file foo --seek 200m --length 11575296 --pattern=zeros ++tar dvf bar], ++[1], ++[foo ++baz ++Exit status: 1 ++separator ++foo ++foo: Mod time differs ++baz ++], ++[tar: foo: File shrank by 11575296 bytes; padding with zeros ++], ++[],[],[posix, gnu, oldgnu]) ++ ++AT_CLEANUP +diff --git a/tests/sptrdiff00.at b/tests/sptrdiff00.at +new file mode 100644 +index 0000000..c410561 +--- /dev/null ++++ b/tests/sptrdiff00.at +@@ -0,0 +1,55 @@ ++# Process this file with autom4te to create testsuite. -*- Autotest -*- ++# ++# Test suite for GNU tar. ++# Copyright 2018 Free Software Foundation, Inc. ++# ++# This file is part of GNU tar. ++# ++# GNU tar is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# GNU tar is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. 
++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see <http://www.gnu.org/licenses/>. ++ ++# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered ++# that similar bug exists in file checking code (tar d). ++# This test case checks if tar correctly handles a short read condition ++# appearing in check_sparse_region. ++ ++AT_SETUP([file truncated in sparse region while comparing]) ++AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff]) ++ ++# This triggers short read in check_sparse_region. ++AT_TAR_CHECK([ ++genfile --sparse --block-size=1024 --file foo \ ++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ ++genfile --file baz ++echo creating ++tar --sparse -vcf bar foo baz ++echo comparing ++genfile --run --checkpoint 3 --length 200m --truncate foo -- \ ++ tar --checkpoint=1 \ ++ --checkpoint-action=echo='Write checkpoint %u' \ ++ --checkpoint-action=sleep=1 \ ++ --sparse -vdf bar ++], ++[1], ++[creating ++foo ++baz ++comparing ++foo ++foo: Size differs ++baz ++], ++[], ++[],[],[posix, gnu, oldgnu]) ++ ++AT_CLEANUP +diff --git a/tests/sptrdiff01.at b/tests/sptrdiff01.at +new file mode 100644 +index 0000000..2da2267 +--- /dev/null ++++ b/tests/sptrdiff01.at +@@ -0,0 +1,55 @@ ++# Process this file with autom4te to create testsuite. -*- Autotest -*- ++# ++# Test suite for GNU tar. ++# Copyright 2018 Free Software Foundation, Inc. ++# ++# This file is part of GNU tar. ++# ++# GNU tar is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# GNU tar is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. 
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered
++# that similar bug exists in file checking code (tar d).
++# This test case checks if tar correctly handles a short read condition
++# appearing in check_data_region.
++
++AT_SETUP([file truncated in data region while comparing])
++AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff])
++
++# This triggers short read in check_data_region.
++AT_TAR_CHECK([
++genfile --sparse --block-size=1024 --file foo \
++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ
++genfile --file baz
++echo creating
++tar --sparse -vcf bar foo baz
++echo comparing
++genfile --run --checkpoint 5 --length 221278210 --truncate foo -- \
++ tar --checkpoint=1 \
++ --checkpoint-action=echo='Write checkpoint %u' \
++ --checkpoint-action=sleep=1 \
++ --sparse -vdf bar
++],
++[1],
++[creating
++foo
++baz
++comparing
++foo
++foo: Size differs
++baz
++],
++[],
++[],[],[posix, gnu, oldgnu])
++
++AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index 2a83757..23386f7 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -1,7 +1,7 @@
+ # Process this file with autom4te to create testsuite. -*- Autotest -*-
+
+ # Test suite for GNU tar.
+-# Copyright 2004-2008, 2010-2017 Free Software Foundation, Inc.
++# Copyright 2004-2008, 2010-2018 Free Software Foundation, Inc.
+
+ # This file is part of GNU tar.
+
+@@ -405,6 +405,9 @@ m4_include([sparsemv.at])
+ m4_include([spmvp00.at])
+ m4_include([spmvp01.at])
+ m4_include([spmvp10.at])
++m4_include([sptrcreat.at])
++m4_include([sptrdiff00.at])
++m4_include([sptrdiff01.at])
+
+ AT_BANNER([Updates])
+ m4_include([update.at])
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-extended/tar/tar/CVE-2019-9923.patch b/meta/recipes-extended/tar/tar/CVE-2019-9923.patch
new file mode 100644
index 0000000000..146cbffea5
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2019-9923.patch
@@ -0,0 +1,38 @@
+From cb07844454d8cc9fb21f53ace75975f91185a120 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Mon, 14 Jan 2019 15:22:09 +0200
+Subject: [PATCH] Fix possible NULL dereference (savannah bug #55369)
+
+* src/sparse.c (pax_decode_header): Check return from find_next_block.
+
+Upstream-Status: Backport
+CVE: CVE-2019-9923
+Affects: tar < 1.32
+Signed-off-by: Armin kuster <akuster@mvista.com>
+
+---
+ src/sparse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: tar-1.30/src/sparse.c
+===================================================================
+--- tar-1.30.orig/src/sparse.c
++++ tar-1.30/src/sparse.c
+@@ -1231,6 +1231,8 @@ pax_decode_header (struct tar_sparse_fil
+ set_next_block_after (b); \
+ file->dumped_size += BLOCKSIZE; \
+ b = find_next_block (); \
++ if (!b) \
++ FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); \
+ src = b->buffer; \
+ endp = b->buffer + BLOCKSIZE; \
+ } \
+@@ -1243,6 +1245,8 @@ pax_decode_header (struct tar_sparse_fil
+ set_next_block_after (current_header);
+ file->dumped_size += BLOCKSIZE;
+ blk = find_next_block ();
++ if (!blk)
++ FATAL_ERROR ((0, 0, _("Unexpected EOF in archive")));
+ p = blk->buffer;
+ COPY_BUF (blk,nbuf,p);
+ if (!decode_num (&u, nbuf, TYPE_MAXIMUM (size_t)))
diff --git a/meta/recipes-extended/tar/tar_1.30.bb b/meta/recipes-extended/tar/tar_1.30.bb
index bd24f4762f..7cf0522455 100644
--- a/meta/recipes-extended/tar/tar_1.30.bb
+++ b/meta/recipes-extended/tar/tar_1.30.bb
@@ -9,6 +9,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
 file://remove-gets.patch \
 file://musl_dirent.patch \
+ file://CVE-2019-9923.patch \
+ file://CVE-2018-20482.patch \
 "
 
 SRC_URI[md5sum] = "8404e4c1fc5a3000228ab2b8ad674a65"
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch
new file mode 100644
index 0000000000..d485a1bd6e
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch
@@ -0,0 +1,33 @@
+From 080d52c3c9416c731f637f9c6e003961ef43f079 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Mon, 27 May 2019 08:20:32 -0700
+Subject: [PATCH 1/3] Fix bug in undefer_input() that misplaced the input
+ state.
+
+CVE: CVE-2019-13232
+Upstream-Status: Backport
+[https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ fileio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fileio.c b/fileio.c
+index 7605a29..14460f3 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -532,8 +532,10 @@ void undefer_input(__G)
+ * This condition was checked when G.incnt_leftover was set > 0 in
+ * defer_leftover_input(), and it is NOT allowed to touch G.csize
+ * before calling undefer_input() when (G.incnt_leftover > 0)
+- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
+ */
++ if (G.csize < 0L)
++ G.csize = 0L;
+ G.incnt = G.incnt_leftover + (int)G.csize;
+ G.inptr = G.inptr_leftover - (int)G.csize;
+ G.incnt_leftover = 0;
+--
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
new file mode 100644
index 0000000000..41037a8e24
--- /dev/null
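Review bot: The new clamp `if (G.csize < 0L) G.csize = 0L;` in undefer_input() carries no explanation of how G.csize comes to be negative at this point; the only hint is the existing comment two lines up that refers to readbyte()'s "G.csize <= 0" handling, and the commit message only says the input state was "misplaced". A one-line comment above the clamp would spare the next reader a trip through fileio.c, e.g. `/* G.csize can be negative here (see readbyte()'s "G.csize <= 0" case); clamp it so the incnt/inptr adjustment below is not applied with a negative offset */`. The values are still narrowed with `(int)G.csize` on the following lines; the earlier comment says that bound was established when incnt_leftover was set, so this is presumably safe, but the new comment is the natural place to say so. undefer_input() starts and ends outside the hunk.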
+++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch 
@@ -0,0 +1,356 @@
+From 1aae47fa8935654a84403768f32c03ecbb1be470 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Tue, 11 Jun 2019 22:01:18 -0700
+Subject: [PATCH 2/3] Detect and reject a zip bomb using overlapped entries.
+
+This detects an invalid zip file that has at least one entry that
+overlaps with another entry or with the central directory to the
+end of the file. A Fifield zip bomb uses overlapped local entries
+to vastly increase the potential inflation ratio. Such an invalid
+zip file is rejected.
+
+See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
+analysis, construction, and examples of such zip bombs.
+
+The detection maintains a list of covered spans of the zip files
+so far, where the central directory to the end of the file and any
+bytes preceding the first entry at zip file offset zero are
+considered covered initially. Then as each entry is decompressed
+or tested, it is considered covered. When a new entry is about to
+be processed, its initial offset is checked to see if it is
+contained by a covered span. If so, the zip file is rejected as
+invalid.
+
+This commit depends on a preceding commit: "Fix bug in
+undefer_input() that misplaced the input state."
+
+CVE: CVE-2019-13232
+Upstream-Status: Backport
+[https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ globals.c | 1 +
+ globals.h | 3 +
+ process.c | 10 +++
+ unzip.h | 1 +
+ 5 files changed, 204 insertions(+), 1 deletion(-)
+
+diff --git a/extract.c b/extract.c
+index 24db2a8..2bb72ba 100644
+--- a/extract.c
++++ b/extract.c
+@@ -321,6 +321,125 @@ static ZCONST char Far UnsupportedExtraField[] =
+ "\nerror: unsupported extra-field compression type (%u)--skipping\n";
+ static ZCONST char Far BadExtraFieldCRC[] =
+ "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
++static ZCONST char Far NotEnoughMemCover[] =
++ "error: not enough memory for bomb detection\n";
++static ZCONST char Far OverlappedComponents[] =
++ "error: invalid zip file with overlapped components (possible zip bomb)\n";
++
++
++
++
++
++/* A growable list of spans. */
++typedef zoff_t bound_t;
++typedef struct {
++ bound_t beg; /* start of the span */
++ bound_t end; /* one past the end of the span */
++} span_t;
++typedef struct {
++ span_t *span; /* allocated, distinct, and sorted list of spans */
++ size_t num; /* number of spans in the list */
++ size_t max; /* allocated number of spans (num <= max) */
++} cover_t;
++
++/*
++ * Return the index of the first span in cover whose beg is greater than val.
++ * If there is no such span, then cover->num is returned.
++ */
++static size_t cover_find(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t lo = 0, hi = cover->num;
++ while (lo < hi) {
++ size_t mid = (lo + hi) >> 1;
++ if (val < cover->span[mid].beg)
++ hi = mid;
++ else
++ lo = mid + 1;
++ }
++ return hi;
++}
++
++/* Return true if val lies within any one of the spans in cover.
*/
++static int cover_within(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t pos = cover_find(cover, val);
++ return pos > 0 && val < cover->span[pos - 1].end;
++}
++
++/*
++ * Add a new span to the list, but only if the new span does not overlap any
++ * spans already in the list. The new span covers the values beg..end-1. beg
++ * must be less than end.
++ *
++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
++ * the list as needed. On success, 0 is returned. If the new span overlaps any
++ * existing spans, then 1 is returned and the new span is not added to the
++ * list. If the new span is invalid because beg is greater than or equal to
++ * end, then -1 is returned. If the list needs to be grown but the memory
++ * allocation fails, then -2 is returned.
++ */
++static int cover_add(cover, beg, end)
++ cover_t *cover;
++ bound_t beg;
++ bound_t end;
++{
++ size_t pos;
++ int prec, foll;
++
++ if (beg >= end)
++ /* The new span is invalid. */
++ return -1;
++
++ /* Find where the new span should go, and make sure that it does not
++ overlap with any existing spans. */
++ pos = cover_find(cover, beg);
++ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
++ (pos < cover->num && end > cover->span[pos].beg))
++ return 1;
++
++ /* Check for adjacencies. */
++ prec = pos > 0 && beg == cover->span[pos - 1].end;
++ foll = pos < cover->num && end == cover->span[pos].beg;
++ if (prec && foll) {
++ /* The new span connects the preceding and following spans. Merge the
++ following span into the preceding span, and delete the following
++ span. */
++ cover->span[pos - 1].end = cover->span[pos].end;
++ cover->num--;
++ memmove(cover->span + pos, cover->span + pos + 1,
++ (cover->num - pos) * sizeof(span_t));
++ }
++ else if (prec)
++ /* The new span is adjacent only to the preceding span. Extend the end
++ of the preceding span.
*/
++ cover->span[pos - 1].end = end;
++ else if (foll)
++ /* The new span is adjacent only to the following span. Extend the
++ beginning of the following span. */
++ cover->span[pos].beg = beg;
++ else {
++ /* The new span has gaps between both the preceding and the following
++ spans. Assure that there is room and insert the span. */
++ if (cover->num == cover->max) {
++ size_t max = cover->max == 0 ? 16 : cover->max << 1;
++ span_t *span = realloc(cover->span, max * sizeof(span_t));
++ if (span == NULL)
++ return -2;
++ cover->span = span;
++ cover->max = max;
++ }
++ memmove(cover->span + pos + 1, cover->span + pos,
++ (cover->num - pos) * sizeof(span_t));
++ cover->num++;
++ cover->span[pos].beg = beg;
++ cover->span[pos].end = end;
++ }
++ return 0;
++}
+
+
+
+@@ -376,6 +495,29 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
++ /* One more: initialize cover structure for bomb detection. Start with a
++ span that covers the central directory though the end of the file. */
++ if (G.cover == NULL) {
++ G.cover = malloc(sizeof(cover_t));
++ if (G.cover == NULL) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ ((cover_t *)G.cover)->span = NULL;
++ ((cover_t *)G.cover)->max = 0;
++ }
++ ((cover_t *)G.cover)->num = 0;
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ cover_add((cover_t *)G.cover,
++ G.extra_bytes + G.ecrec.offset_start_central_directory,
++ G.ziplen) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows.
Since the central di-
+ rectory lies at the end of the zipfile and the member files lie at the
+@@ -593,7 +735,8 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ if (error > error_in_archive)
+ error_in_archive = error;
+ /* ...and keep going (unless disk full or user break) */
+- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
++ error == PK_BOMB) {
+ /* clear reached_end to signal premature stop ... */
+ reached_end = FALSE;
+ /* ... and cancel scanning the central directory */
+@@ -1062,6 +1205,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
+
+ /* seek_zipf(__G__ pInfo->offset); */
+ request = G.pInfo->offset + G.extra_bytes;
++ if (cover_within((cover_t *)G.cover, request)) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+ inbuf_offset = request % INBUFSIZ;
+ bufstart = request - inbuf_offset;
+
+@@ -1593,6 +1741,18 @@ reprompt:
+ return IZ_CTRLC; /* cancel operation by user request */
+ }
+ #endif
++ error = cover_add((cover_t *)G.cover, request,
++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
++ if (error < 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ if (error != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+ #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
+ UserStop();
+ #endif
+@@ -1994,6 +2154,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */
+ }
+
+ undefer_input(__G);
++
++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
++ /* skip over data descriptor (harder than it sounds, due to signature
++ * ambiguity)
++ */
++# define SIG 0x08074b50
++# define LOW 0xffffffff
++ uch buf[12];
++ unsigned shy = 12 - readbuf((char *)buf, 12);
++ ulg crc = shy ? 0 : makelong(buf);
++ ulg clen = shy ?
0 : makelong(buf + 4);
++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
++ if (crc == SIG && /* if not SIG, no signature */
++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
++ (clen == SIG && /* if not SIG, no signature */
++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
++ (ulen == SIG && /* if not SIG, no signature */
++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
++ /* if not SIG, have signature */
++ )))))
++ /* skip four more bytes to account for signature */
++ shy += 4 - readbuf((char *)buf, 4);
++ if (G.zip64)
++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
++ if (shy)
++ error = PK_ERR;
++ }
++
+ return error;
+
+ } /* end function extract_or_test_member() */
+diff --git a/globals.c b/globals.c
+index fa8cca5..1e0f608 100644
+--- a/globals.c
++++ b/globals.c
+@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
+ # if (!defined(NO_TIMESTAMPS))
+ uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
+ # endif
++ G.cover = NULL; /* not allocated yet */
+ #endif
+
+ uO.lflag=(-1);
+diff --git a/globals.h b/globals.h
+index 11b7215..2bdcdeb 100644
+--- a/globals.h
++++ b/globals.h
+@@ -260,12 +260,15 @@ typedef struct Globals {
+ ecdir_rec ecrec; /* used in unzip.c, extract.c */
+ z_stat statbuf; /* used by main, mapname, check_for_newer */
+
++ int zip64; /* true if Zip64 info in extra field */
++
+ int mem_mode;
+ uch *outbufptr; /* extract.c static */
+ ulg outsize; /* extract.c static */
+ int reported_backslash; /* extract.c static */
+ int disk_full;
+ int newfile;
++ void **cover; /* used in extract.c for bomb detection */
+
+ int didCRlast; /* fileio static */
+ ulg numlines; /* fileio static: number of lines printed */
+diff --git a/process.c b/process.c
+index a3c1a4d..208619c 100644
+--- a/process.c
++++ b/process.c
+@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */
+ }
+ #endif
+
++ /* Free the cover span list
and the cover structure. */
++ if (G.cover != NULL) {
++ free(*(G.cover));
++ free(G.cover);
++ G.cover = NULL;
++ }
++
+ } /* end function free_G_buffers() */
+
+
+@@ -1905,6 +1912,7 @@ int getZip64Data(__G__ ef_buf, ef_len)
+
+ #define Z64FLGS 0xffff
+ #define Z64FLGL 0xffffffff
++ G.zip64 = FALSE;
+
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+@@ -1964,6 +1972,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+ offset += 4;
+ }
++
++ G.zip64 = TRUE;
+ #if 0
+ break; /* Expect only one EF_PKSZ64 block. */
+ #endif /* 0 */
+diff --git a/unzip.h b/unzip.h
+index 5b2a326..ed24a5b 100644
+--- a/unzip.h
++++ b/unzip.h
+@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec {
+ #define PK_NOZIP 9 /* zipfile not found */
+ #define PK_PARAM 10 /* bad or illegal parameters specified */
+ #define PK_FIND 11 /* no files found */
++#define PK_BOMB 12 /* likely zip bomb */
+ #define PK_DISK 50 /* disk full */
+ #define PK_EOF 51 /* unexpected EOF */
+
+--
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch
new file mode 100644
index 0000000000..fd26fdd833
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch
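Review bot: In the new block at the end of extract_or_test_entrylist, `if (error < 0)` maps both cover_add() results -1 (beg >= end, i.e. the span for this entry is empty or inverted because the current position did not advance past `request`) and -2 (realloc failure) to the "not enough memory" message and PK_MEM, so a malformed entry is reported as an allocation failure; testing `error == -2` for PK_MEM and reporting -1 as a corrupt-archive error would keep the diagnostics honest, and the same conflation is present in the initialization block added to extract_or_test_files (the cover_add calls on G.extra_bytes and the central directory). Separately, process.c's `free(*(G.cover))` only works because `span` is the first member of `cover_t`, a layout dependency that is not stated anywhere near the `void **cover` declaration in globals.h; a comment there such as `/* cover_t (extract.c); its first member is the span array, released via *cover in free_G_buffers() */`, or a small cover_free() helper in extract.c, would make it explicit. The `SIG` and `LOW` macros defined inside extract_or_test_member are never #undef'd and so leak into the rest of the translation unit. extract_or_test_entrylist and extract_or_test_member both start and end outside their hunks.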
@@ -0,0 +1,121 @@
+From be88aa4811af47ca06d8b7dcda294f899eba70ea Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Thu, 25 Jul 2019 20:43:17 -0700
+Subject: [PATCH 3/3] Do not raise a zip bomb alert for a misplaced central
+ directory.
+
+There is a zip-like file in the Firefox distribution, omni.ja,
+which is a zip container with the central directory placed at the
+start of the file instead of after the local entries as required
+by the zip standard. This commit marks the actual location of the
+central directory, as well as the end of central directory records,
+as disallowed locations. This now permits such containers to not
+raise a zip bomb alert, where in fact there are no overlaps.
+
+CVE: CVE-2019-13232
+Upstream-Status: Backport
+[https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ extract.c | 25 +++++++++++++++++++------
+ process.c | 6 ++++++
+ unzpriv.h | 10 ++++++++++
+ 3 files changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 2bb72ba..a9dcca8 100644
+--- a/extract.c
++++ b/extract.c
+@@ -495,8 +495,11 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
+- /* One more: initialize cover structure for bomb detection. Start with a
+- span that covers the central directory though the end of the file. */
++ /* One more: initialize cover structure for bomb detection. Start with
++ spans that cover any extra bytes at the start, the central directory,
++ the end of central directory record (including the Zip64 end of central
++ directory locator, if present), and the Zip64 end of central directory
++ record, if present.
*/
+ if (G.cover == NULL) {
+ G.cover = malloc(sizeof(cover_t));
+ if (G.cover == NULL) {
+@@ -508,15 +511,25 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ ((cover_t *)G.cover)->max = 0;
+ }
+ ((cover_t *)G.cover)->num = 0;
+- if ((G.extra_bytes != 0 &&
+- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+- cover_add((cover_t *)G.cover,
++ if (cover_add((cover_t *)G.cover,
+ G.extra_bytes + G.ecrec.offset_start_central_directory,
+- G.ziplen) != 0) {
++ G.extra_bytes + G.ecrec.offset_start_central_directory +
++ G.ecrec.size_central_directory) != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ (G.ecrec.have_ecr64 &&
++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
++ G.ecrec.ec64_end) != 0) ||
++ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
++ G.ecrec.ec_end) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows. Since the central di-
+diff --git a/process.c b/process.c
+index 208619c..5f8f6c6 100644
+--- a/process.c
++++ b/process.c
+@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */
+
+ /* Now, we are (almost) sure that we have a Zip64 archive. */
+ G.ecrec.have_ecr64 = 1;
++ G.ecrec.ec_start -= ECLOC64_SIZE+4;
++ G.ecrec.ec64_start = ecrec64_start_offset;
++ G.ecrec.ec64_end = ecrec64_start_offset +
++ 12 + makeint64(&byterec[ECREC64_LENGTH]);
+
+ /* Update the "end-of-central-dir offset" for later checks.
*/
+ G.real_ecrec_offset = ecrec64_start_offset;
+@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */
+ makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
+ G.ecrec.zipfile_comment_length =
+ makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
++ G.ecrec.ec_start = G.real_ecrec_offset;
++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
+
+ /* Now, we have to read the archive comment, BEFORE the file pointer
+ is moved away backwards to seek for a Zip64 ECLOC64 structure.
+diff --git a/unzpriv.h b/unzpriv.h
+index c8d3eab..5e177c7 100644
+--- a/unzpriv.h
++++ b/unzpriv.h
+@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf {
+ int have_ecr64; /* valid Zip64 ecdir-record exists */
+ int is_zip64_archive; /* Zip64 ecdir-record is mandatory */
+ ush zipfile_comment_length;
++ zusz_t ec_start, ec_end; /* offsets of start and end of the
++ end of central directory record,
++ including if present the Zip64
++ end of central directory locator,
++ which immediately precedes the
++ end of central directory record */
++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these
++ are the offsets of the start and
++ end of the Zip64 end of central
++ directory record */
+ } ecdir_rec;
+
+
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index daba722722..464d73d0f3 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -22,6 +22,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
 file://symlink.patch \
 file://0001-unzip-fix-CVE-2018-1000035.patch \
 file://CVE-2018-18384.patch \
+ file://CVE-2019-13232_p1.patch \
+ file://CVE-2019-13232_p2.patch \
+ file://CVE-2019-13232_p3.patch \
 "
 
 UPSTREAM_VERSION_UNKNOWN = "1"
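Review bot: The second group of cover_add() calls added to extract_or_test_files treats every nonzero result as an overlap and returns PK_BOMB with the OverlappedComponents message, but cover_add() also returns -2 on realloc failure and -1 for an empty or inverted span (for example an end-of-central-directory record whose computed ec_end does not lie past ec_start), so an out-of-memory condition or a garbled trailer would be reported to the user as a zip bomb; capturing the return value and reporting -2 as PK_MEM and -1 as a data error rather than as a bomb would keep the diagnostics accurate (the central-directory span just above has the mirror-image problem, reporting any failure as PK_MEM). The new offset arithmetic in process.c uses bare constants (`+ 22 +` in find_ecrec, `12 +` in find_ecrec64) while the neighbouring line already expresses the same idea as `ECLOC64_SIZE+4`; writing them the same way, as the record's size constant plus its 4-byte signature, would document where the numbers come from. find_ecrec64 and find_ecrec both start and end outside their hunks.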
diff --git a/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
new file mode 100644
index 0000000000..cbc4a127a8
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
@@ -0,0 +1,73 @@
+From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 13:51:48 +0100
+Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
+
+* src/init.c (defaults): Set enable_xattr to false by default
+* src/main.c (print_help): Reverse option logic of --xattr
+* doc/wget.texi: Add description for --xattr
+
+Users may not be aware that the origin URL and Referer are saved
+including credentials, and possibly access tokens within
+the urls.
+
+CVE: CVE-2018-20483 patch 1
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ doc/wget.texi | 8 ++++++++
+ src/init.c | 4 ----
+ src/main.c | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index eaf6b380..3f9d7c1c 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -540,6 +540,14 @@ right NUMBER.
+ Set preferred location for Metalink resources. This has effect if multiple
+ resources with same priority are available.
+
++@cindex xattr
++@item --xattr
++Enable use of file system's extended attributes to save the
++original URL and the Referer HTTP header value if used.
++
++Be aware that the URL might contain private information like
++access tokens or credentials.
++
+
+ @cindex force html
+ @item -F
+diff --git a/src/init.c b/src/init.c
+index eb81ab47..800970c5 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -509,11 +509,7 @@ defaults (void)
+ opt.hsts = true;
+ #endif
+
+-#ifdef ENABLE_XATTR
+- opt.enable_xattr = true;
+-#else
+ opt.enable_xattr = false;
+-#endif
+ }
+
+ /* Return the user's home directory (strdup-ed), or NULL if none is
+diff --git a/src/main.c b/src/main.c
+index 81db9319..6ac1621b 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -754,7 +754,7 @@ Download:\n"),
+ #endif
+ #ifdef ENABLE_XATTR
+ N_("\
+- --no-xattr turn off storage of metadata in extended file attributes\n"),
++ --xattr turn on storage of metadata in extended file attributes\n"),
+ #endif
+ "\n",
+
+--
+2.19.1
+
diff --git a/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
new file mode 100644
index 0000000000..72ce8a0b33
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
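Review bot: The new wget.texi entry for `--xattr` never says that the feature is now off unless requested, which is the whole point of the init.c change that unconditionally sets `opt.enable_xattr = false;`; adding `This option is disabled by default.` after the first paragraph of the entry would make the manual match the behaviour, and since the help string in main.c was flipped to `--xattr`, the manual and `--help` would then agree. The init.c hunk also drops the `#ifdef ENABLE_XATTR` around the assignment, so `opt.enable_xattr` is now written even in builds without xattr support; that is harmless as long as the field exists unconditionally, which I cannot confirm from the hunk. defaults() starts and ends outside the hunk.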
@@ -0,0 +1,127 @@
+From 5a4ee4f3c07cc5dc7ef5f7244fcf51fd2fa3bc67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 14:38:18 +0100
+Subject: [PATCH 2/2] Don't save user/pw with --xattr
+
+Also the Referer info is reduced to scheme+host+port.
+
+* src/ftp.c (getftp): Change params of set_file_metadata()
+* src/http.c (gethttp): Change params of set_file_metadata()
+* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
+ reduce Referer value to scheme/host/port.
+* src/xattr.h: Change prototype of set_file_metadata()
+
+CVE: CVE-2018-20483 patch 2
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ src/ftp.c | 2 +-
+ src/http.c | 4 ++--
+ src/xattr.c | 24 ++++++++++++++++++++----
+ src/xattr.h | 3 ++-
+ 4 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/src/ftp.c b/src/ftp.c
+index 69148936..db8a6267 100644
+--- a/src/ftp.c
++++ b/src/ftp.c
+@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
+
+ #ifdef ENABLE_XATTR
+ if (opt.enable_xattr)
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+ #endif
+
+ fd_close (local_sock);
+diff --git a/src/http.c b/src/http.c
+index 77bdbbed..472c328f 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -4120,9 +4120,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+ if (opt.enable_xattr)
+ {
+ if (original_url != u)
+- set_file_metadata (u->url, original_url->url, fp);
++ set_file_metadata (u, original_url, fp);
+ else
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+ }
+ #endif
+
+diff --git a/src/xattr.c b/src/xattr.c
+index 66524226..0f20fadf 100644
+--- a/src/xattr.c
++++ b/src/xattr.c
+@@ -21,6 +21,7 @@
+ #include <string.h>
+
+ #include "log.h"
++#include "utils.h"
+ #include "xattr.h"
+
+ #ifdef USE_XATTR
+@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp)
+ #endif /* USE_XATTR */
+
+ int
+-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
++set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
+ {
+ /* Save metadata about where the file came from (requested, final URLs) to
+ * user POSIX Extended Attributes of retrieved file.
+@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+ * [http://0pointer.de/lennart/projects/mod_mime_xattr/].
+ */
+ int retval = -1;
++ char *value;
+
+ if (!origin_url || !fp)
+ return retval;
+
+- retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
+- if ((!retval) && referrer_url)
+- retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
++ value = url_string (origin_url, URL_AUTH_HIDE);
++ retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
++ xfree (value);
++
++ if (!retval && referrer_url)
++ {
++ struct url u;
++
++ memset(&u, 0, sizeof(u));
++ u.scheme = referrer_url->scheme;
++ u.host = referrer_url->host;
++ u.port = referrer_url->port;
++
++ value = url_string (&u, 0);
++ retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
++ xfree (value);
++ }
+
+ return retval;
+ }
+diff --git a/src/xattr.h b/src/xattr.h
+index 10f3ed11..40c7a8d3 100644
+--- a/src/xattr.h
++++ b/src/xattr.h
+@@ -16,12 +16,13 @@
+ along with this program; if not, see <http://www.gnu.org/licenses/>. */
+
+ #include <stdio.h>
++#include <url.h>
+
+ #ifndef _XATTR_H
+ #define _XATTR_H
+
+ /* Store metadata name/value attributes against fp.
*/
+-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
++int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
+
+ #if defined(__linux)
+ /* libc on Linux has fsetxattr (5 arguments). */
+--
+2.19.1
+
diff --git a/meta/recipes-extended/wget/wget/CVE-2019-5953.patch b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch
new file mode 100644
index 0000000000..e43e8e545b
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch
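Review bot: `url_string (origin_url, URL_AUTH_HIDE)` in set_file_metadata drops the userinfo from the stored origin URL, but the path and query string are still written to `user.xdg.origin.url`, so tokens carried in the query (the case the companion patch's manual text warns about) remain in the extended attribute; a comment on that line, e.g. `/* strips user:password only; path and query (which may carry tokens) are still stored */`, would keep that limitation visible to the next maintainer. In xattr.h the new include is written `#include <url.h>` although url.h is a project header and xattr.c includes its siblings as `"log.h"`, `"utils.h"` and `"xattr.h"`; `#include "url.h"` would be consistent and not depend on the include-path order. set_file_metadata is shown across the two xattr.c hunks with a few comment lines elided, while the ftp.c and http.c hunks are cut inside getftp and gethttp.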
@@ -0,0 +1,51 @@
+From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001
+From: Tim Ruehsen <tim.ruehsen@gmx.de>
+Date: Fri, 5 Apr 2019 11:50:44 +0200
+Subject: [PATCH] Fix a buffer overflow vulnerability
+
+* src/iri.c(do_conversion): Reallocate the output buffer to a larger
+ size if it is already full
+
+Upstream-Status: Backport
+http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
+CVE: CVE-2019-5953
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/iri.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+Index: wget-1.19.5/src/iri.c
+===================================================================
+--- wget-1.19.5.orig/src/iri.c
++++ wget-1.19.5/src/iri.c
+@@ -151,8 +151,11 @@ do_conversion (const char *tocode, const
+ *out = s = xmalloc (outlen + 1);
+ done = 0;
+
++ DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
++
+ for (;;)
+ {
++ DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
+ if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
+ iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
+ {
+@@ -187,11 +190,14 @@ do_conversion (const char *tocode, const
+ }
+ else if (errno == E2BIG) /* Output buffer full */
+ {
++ logprintf (LOG_VERBOSE,
++ _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
+ tooshort++;
+ done = len;
+- len = outlen = done + inlen * 2;
+- s = xrealloc (s, outlen + 1);
+- *out = s + done;
++ len = done + inlen * 2;
++ s = xrealloc (s, len + 1);
++ *out = s + done - outlen;
++ outlen += inlen * 2;
+ }
+ else /* Weird, we got an unspecified error */
+ {
diff --git a/meta/recipes-extended/wget/wget_1.19.5.bb b/meta/recipes-extended/wget/wget_1.19.5.bb
index e37d8c7847..a53844bb8f 100644
--- a/meta/recipes-extended/wget/wget_1.19.5.bb
+++ b/meta/recipes-extended/wget/wget_1.19.5.bb
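Review bot: The two new DEBUGP calls and the new logprintf print `outlen` and `inlen` with `%d`, yet both are passed to iconv() as `size_t *` in the same hunk, so they are `size_t` and `%d` is a format/argument mismatch (undefined behaviour for printf-style functions, and wrong output for large values on LP64); `%zu`, or `(int)` casts if the project's logprintf format checking is limited, would fix all three lines. The buffer growth is `inlen * 2`; if E2BIG is ever produced by the second, flushing iconv() call after `inlen` has already reached 0, the buffer does not grow and the loop repeats with no progress — I cannot confirm from the hunk whether that path is reachable, but a minimum growth such as `done + (inlen ? inlen * 2 : 16)` would rule it out cheaply. The commit message also says nothing about the `*out = s + done - outlen;` correction, which is the actual overflow fix (the old code reset `*out` to the end of the old buffer rather than to the byte after the last one written), and a one-line comment above it, e.g. `/* resume after the bytes already written, not at the old buffer end */`, would preserve that reasoning. do_conversion begins and ends outside the hunk.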
@@ -1,6 +1,9 @@
 SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
 file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
 file://0002-improve-reproducibility.patch \
+ file://CVE-2019-5953.patch \
+ file://CVE-2018-20483_p1.patch \
+ file://CVE-2018-20483_p2.patch \
 "
 
 SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da" |