diff options
Diffstat (limited to 'meta-oe/recipes-connectivity')
24 files changed, 1504 insertions, 131 deletions
diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch new file mode 100644 index 0000000000..6d04bf8980 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch @@ -0,0 +1,110 @@ +From 4e661f0085ec5f969c76c0896a34322c6c432de4 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 17 Oct 2022 20:25:11 -0400 +Subject: [PATCH] Fix integer overflows in PAC parsing + +In krb5_parse_pac(), check for buffer counts large enough to threaten +integer overflow in the header length and memory length calculations. +Avoid potential integer overflows when checking the length of each +buffer. Credit to OSS-Fuzz for discovering one of the issues. + +CVE-2022-42898: + +In MIT krb5 releases 1.8 and later, an authenticated attacker may be +able to cause a KDC or kadmind process to crash by reading beyond the +bounds of allocated memory, creating a denial of service. A +privileged attacker may similarly be able to cause a Kerberos or GSS +application service to crash. On 32-bit platforms, an attacker can +also cause insufficient memory to be allocated for the result, +potentially leading to remote code execution in a KDC, kadmind, or GSS +or Kerberos application server process. An attacker with the +privileges of a cross-realm KDC may be able to extract secrets from a +KDC process's memory by having them copied into the PAC of a new +ticket. + +(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583) + +ticket: 9074 +version_fixed: 1.19.4 + +Upstream-Status: Backport [https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4] +CVE: CVE-2022-42898 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lib/krb5/krb/pac.c | 9 +++++++-- + src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++ + 2 files changed, 25 insertions(+), 2 deletions(-) + +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index cc74f37..70428a1 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -27,6 +27,8 @@ + #include "k5-int.h" + #include "authdata.h" + ++#define MAX_BUFFERS 4096 ++ + /* draft-brezak-win2k-krb-authz-00 */ + + /* +@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context, + if (version != 0) + return EINVAL; + ++ if (cbuffers < 1 || cbuffers > MAX_BUFFERS) ++ return ERANGE; ++ + header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); + if (len < header_len) + return ERANGE; +@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context, + krb5_pac_free(context, pac); + return EINVAL; + } +- if (buffer->Offset < header_len || +- buffer->Offset + buffer->cbBufferSize > len) { ++ if (buffer->Offset < header_len || buffer->Offset > len || ++ buffer->cbBufferSize > len - buffer->Offset) { + krb5_pac_free(context, pac); + return ERANGE; + } +diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c +index 7b756a2..2353e9f 100644 +--- a/src/lib/krb5/krb/t_pac.c ++++ b/src/lib/krb5/krb/t_pac.c +@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = { + 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00 + }; + ++static const unsigned char fuzz1[] = { ++ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, ++ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5 ++}; ++ ++static const unsigned char fuzz2[] = { ++ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, ++ 0x20, 0x20 ++}; ++ + static const char *s4u_principal = "w2k8u@ACME.COM"; + static const char *s4u_enterprise = "w2k8u@abc@ACME.COM"; + +@@ -646,6 +656,14 @@ main(int argc, char **argv) + krb5_free_principal(context, sep); + } + ++ /* Check problematic PACs found by fuzzing. */ ++ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ + /* + * Test empty free + */ +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch new file mode 100644 index 0000000000..160c090bce --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2023-36054.patch @@ -0,0 +1,68 @@ +From ef08b09c9459551aabbe7924fb176f1583053cdd Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 21 Aug 2023 03:08:15 +0000 +Subject: [PATCH] Ensure array count consistency in kadm5 RPC + +In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the +key_data array count when decoding. Otherwise when the structure is +later freed, xdr_array() could iterate over the wrong number of +elements, either leaking some memory or freeing uninitialized +pointers. Reported by Robert Morris. + +CVE: CVE-2023-36054 + +An authenticated attacker can cause a kadmind process to crash by +freeing uninitialized pointers. Remote code execution is unlikely. +An attacker with control of a kadmin server can cause a kadmin client +to crash by freeing uninitialized pointers. + +ticket: 9099 (new) +tags: pullup +target_version: 1.21-next +target_version: 1.20-next + +Upstream-Status: Backport [https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 2892d41..94b1ce8 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c ++++ b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + int v) + { + unsigned int n; ++ bool_t r; + + if (!xdr_krb5_principal(xdrs, &objp->principal)) { + return (FALSE); +@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) { + return (FALSE); + } ++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) { ++ return (FALSE); ++ } + if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) { + return (FALSE); + } +@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp, + return FALSE; + } + n = objp->n_key_data; +- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, +- &n, ~0, sizeof(krb5_key_data), +- xdr_krb5_key_data_nocontents)) { ++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data, ++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents); ++ objp->n_key_data = n; ++ if (!r) { + return (FALSE); + } + +-- +2.40.0 diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb index 6e0b2fdacb..a92066171b 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb @@ -32,6 +32,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ file://krb5-admin-server.service \ file://CVE-2021-36222.patch;striplevel=2 \ file://CVE-2021-37750.patch;striplevel=2 \ + file://CVE-2022-42898.patch;striplevel=2 \ + file://CVE-2023-36054.patch;striplevel=2 \ " SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f" SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134" diff --git a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb index 2fa24b29b3..28a3e1e77a 100644 --- a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb +++ b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb @@ -11,6 +11,10 @@ SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https \ " SRCREV = "756f70010779927dc0691e1e722ed433d5d295e1" +CVE_CHECK_IGNORE += "\ + CVE-2009-1760 \ +" + PV = "0.13.8" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.2.2.bb b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.2.2.bb index a5fcb8d72d..24b9e9a071 100644 --- a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.2.2.bb +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.2.2.bb @@ -4,6 +4,7 @@ LICENSE = "MIT & Zlib & BSD-3-Clause & Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=c8bea43a2eb5d713c338819a0be07797" DEPENDS = "zlib" +DEPENDS:append:class-native = " libcap-native" S = "${WORKDIR}/git" SRCREV = "8d605f0649ed1ab6d27a443c7688598ea21fdb75" @@ -41,3 +42,8 @@ RDEPENDS:${PN} += " ${@bb.utils.contains('PACKAGECONFIG', 'libuv', '${PN}-evlib- RDEPENDS:${PN} += " ${@bb.utils.contains('PACKAGECONFIG', 'libev', '${PN}-evlib-ev', '', d)}" RDEPENDS:${PN}-dev += " ${@bb.utils.contains('PACKAGECONFIG', 'static', '${PN}-staticdev', '', d)}" + +# Avoid absolute paths to end up in the sysroot. +SSTATE_SCAN_FILES += "*.cmake" + +BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch b/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch new file mode 100644 index 0000000000..83bdae858f --- /dev/null +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch @@ -0,0 +1,42 @@ +From dfd38cb29c0768692f886d3ab9158bd2b3132582 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Tue, 22 Nov 2022 15:20:48 +0800 +Subject: [PATCH] makefile: use conditional assignment for KBUILD_OUTPUT + +Refer [1],from make 4.4, all variables that are marked as export will +also be passed to the shell started by the shell function. use "=" will +make KBUILD_OUTPUT always empty for shell function, use "?=" to make +"export KBUILD_OUTPUT" in enrironment can work. + +[snip of 4.4 NEWS] +* WARNING: Backward-incompatibility! + Previously makefile variables marked as export were not exported to commands + started by the $(shell ...) function. Now, all exported variables are + exported to $(shell ...). +[snip] + +[1] https://git.savannah.gnu.org/cgit/make.git/tree/NEWS?h=4.4&id=ed493f6c9116cc217b99c2cfa6a95f15803235a2#n74 + +Upstream-Status: Backport [d3dd51ba611802d7cbb28631cb943cb882fa4aac] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/makefile b/makefile +index 529d8a0..3db60fa 100644 +--- a/makefile ++++ b/makefile +@@ -15,7 +15,7 @@ + # with this program; if not, write to the Free Software Foundation, Inc., + # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +-KBUILD_OUTPUT = ++KBUILD_OUTPUT ?= + + DEBUG = + CC ?= $(CROSS_COMPILE)gcc +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp_3.1.1.bb b/meta-oe/recipes-connectivity/linuxptp/linuxptp_3.1.1.bb index 9c0f56e736..9c8e649b1a 100644 --- a/meta-oe/recipes-connectivity/linuxptp/linuxptp_3.1.1.bb +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp_3.1.1.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v3.1/linuxptp-${PV}.tgz \ file://build-Allow-CC-and-prefix-to-be-overriden.patch \ file://Use-cross-cpp-in-incdefs.patch \ + file://0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch \ " UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/linuxptp/files/" diff --git a/meta-oe/recipes-connectivity/modemmanager/files/0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch b/meta-oe/recipes-connectivity/modemmanager/files/0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch index 7c3e7750af..914760512a 100644 --- a/meta-oe/recipes-connectivity/modemmanager/files/0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch +++ b/meta-oe/recipes-connectivity/modemmanager/files/0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch @@ -1,42 +1,44 @@ -From f7a3292c1c753b29384e216693f51a4213fea7d0 Mon Sep 17 00:00:00 2001 +From 35173fa04d0116ba30a86dc1a19f859f2be14a24 Mon Sep 17 00:00:00 2001 From: "Bruce A. Johnson" <waterfordtrack@gmail.com> Date: Wed, 22 Dec 2021 14:24:02 -0500 -Subject: [PATCH 1/2] core: switch bash shell scripts to use /bin/sh for use +Subject: [PATCH] core: switch bash shell scripts to use /bin/sh for use w/Busybox. Fixes https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/483 + +%% original patch: 0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch --- - data/fcc-unlock/105b | 2 +- - data/fcc-unlock/1199 | 2 +- - data/fcc-unlock/1eac | 2 +- - test/mmcli-test-sms | 2 +- - tools/tests/test-wrapper.sh.in | 2 +- + data/dispatcher-fcc-unlock/105b | 2 +- + data/dispatcher-fcc-unlock/1199 | 2 +- + data/dispatcher-fcc-unlock/1eac | 2 +- + test/mmcli-test-sms | 2 +- + tools/tests/test-wrapper.sh.in | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) -diff --git a/data/fcc-unlock/105b b/data/fcc-unlock/105b -index 21fe5329..f276050f 100644 ---- a/data/fcc-unlock/105b -+++ b/data/fcc-unlock/105b +diff --git a/data/dispatcher-fcc-unlock/105b b/data/dispatcher-fcc-unlock/105b +index 444bd51f..772c90f4 100644 +--- a/data/dispatcher-fcc-unlock/105b ++++ b/data/dispatcher-fcc-unlock/105b @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # SPDX-License-Identifier: CC0-1.0 # 2021 Aleksander Morgado <aleksander@aleksander.es> -diff --git a/data/fcc-unlock/1199 b/data/fcc-unlock/1199 -index 0109c6ab..e1d3804c 100644 ---- a/data/fcc-unlock/1199 -+++ b/data/fcc-unlock/1199 +diff --git a/data/dispatcher-fcc-unlock/1199 b/data/dispatcher-fcc-unlock/1199 +index 83ab2c9e..6dbf8d1b 100644 +--- a/data/dispatcher-fcc-unlock/1199 ++++ b/data/dispatcher-fcc-unlock/1199 @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # SPDX-License-Identifier: CC0-1.0 # 2021 Aleksander Morgado <aleksander@aleksander.es> -diff --git a/data/fcc-unlock/1eac b/data/fcc-unlock/1eac -index 1068d9c2..d9342852 100644 ---- a/data/fcc-unlock/1eac -+++ b/data/fcc-unlock/1eac +diff --git a/data/dispatcher-fcc-unlock/1eac b/data/dispatcher-fcc-unlock/1eac +index 1a048dc8..44ce46d7 100644 +--- a/data/dispatcher-fcc-unlock/1eac ++++ b/data/dispatcher-fcc-unlock/1eac @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh @@ -64,5 +66,5 @@ index d64ea4cb..fcdb56de 100644 # For debugging behavior of test-modemmanager-service.py, you can modify # this line to add --log-file option -- -2.34.1 +2.35.3 diff --git a/meta-oe/recipes-connectivity/modemmanager/files/0002-fcc-unlock-Make-scripts-POSIX-shell-compatible.patch b/meta-oe/recipes-connectivity/modemmanager/files/0002-fcc-unlock-Make-scripts-POSIX-shell-compatible.patch deleted file mode 100644 index d911d54ce4..0000000000 --- a/meta-oe/recipes-connectivity/modemmanager/files/0002-fcc-unlock-Make-scripts-POSIX-shell-compatible.patch +++ /dev/null @@ -1,100 +0,0 @@ -From ddf634b92bf96b35f521db6da329628b4525c2eb Mon Sep 17 00:00:00 2001 -From: Sven Schwermer <sven.schwermer@disruptive-technologies.com> -Date: Fri, 25 Feb 2022 21:37:13 +0100 -Subject: [PATCH 2/2] fcc-unlock: Make scripts POSIX shell compatible - -This allows us to not rely on bash which may not be available on -constrained systems, e.g. Yocto-built embedded systems. The scripts now -pass shellcheck. - -Signed-off-by: Sven Schwermer <sven.schwermer@disruptive-technologies.com> ---- - data/fcc-unlock/105b | 8 ++++---- - data/fcc-unlock/1199 | 6 +++--- - data/fcc-unlock/1eac | 8 ++++---- - 3 files changed, 11 insertions(+), 11 deletions(-) - -diff --git a/data/fcc-unlock/105b b/data/fcc-unlock/105b -index f276050f..772c90f4 100644 ---- a/data/fcc-unlock/105b -+++ b/data/fcc-unlock/105b -@@ -15,20 +15,20 @@ shift - # second and next arguments are control port names - for PORT in "$@"; do - # match port type in Linux 5.14 and newer -- grep -q MBIM /sys/class/wwan/${PORT}/type 2>/dev/null && { -+ grep -q MBIM "/sys/class/wwan/$PORT/type" 2>/dev/null && { - MBIM_PORT=$PORT - break - } - # match port name in Linux 5.13 -- [[ $PORT == *"MBIM"* ]] && { -+ echo "$PORT" | grep -q MBIM && { - MBIM_PORT=$PORT - break - } - done - - # fail if no MBIM port exposed --[ -n "${MBIM_PORT}" ] || exit 2 -+[ -n "$MBIM_PORT" ] || exit 2 - - # run qmicli operation over MBIM --qmicli --device-open-proxy --device=/dev/${MBIM_PORT} --dms-foxconn-set-fcc-authentication=0 -+qmicli --device-open-proxy --device="/dev/$MBIM_PORT" --dms-foxconn-set-fcc-authentication=0 - exit $? -diff --git a/data/fcc-unlock/1199 b/data/fcc-unlock/1199 -index e1d3804c..6dbf8d1b 100644 ---- a/data/fcc-unlock/1199 -+++ b/data/fcc-unlock/1199 -@@ -19,15 +19,15 @@ shift - # second and next arguments are control port names - for PORT in "$@"; do - # match port name -- [[ $PORT == *"cdc-wdm"* ]] && { -+ echo "$PORT" | grep -q cdc-wdm && { - CDC_WDM_PORT=$PORT - break - } - done - - # fail if no cdc-wdm port exposed --[ -n "${CDC_WDM_PORT}" ] || exit 2 -+[ -n "$CDC_WDM_PORT" ] || exit 2 - - # run qmicli operation --qmicli --device-open-proxy --device=/dev/${CDC_WDM_PORT} --dms-set-fcc-authentication -+qmicli --device-open-proxy --device="/dev/$CDC_WDM_PORT" --dms-set-fcc-authentication - exit $? -diff --git a/data/fcc-unlock/1eac b/data/fcc-unlock/1eac -index d9342852..44ce46d7 100644 ---- a/data/fcc-unlock/1eac -+++ b/data/fcc-unlock/1eac -@@ -15,20 +15,20 @@ shift - # second and next arguments are control port names - for PORT in "$@"; do - # match port type in Linux 5.14 and newer -- grep -q MBIM /sys/class/wwan/${PORT}/type 2>/dev/null && { -+ grep -q MBIM "/sys/class/wwan/$PORT/type" 2>/dev/null && { - MBIM_PORT=$PORT - break - } - # match port name in Linux 5.13 -- [[ $PORT == *"MBIM"* ]] && { -+ echo "$PORT" | grep -q MBIM && { - MBIM_PORT=$PORT - break - } - done - - # fail if no MBIM port exposed --[ -n "${MBIM_PORT}" ] || exit 2 -+[ -n "$MBIM_PORT" ] || exit 2 - - # run mbimcli operation --mbimcli --device-open-proxy --device=/dev/${MBIM_PORT} --quectel-set-radio-state=on -+mbimcli --device-open-proxy --device="/dev/$MBIM_PORT" --quectel-set-radio-state=on - exit $? --- -2.34.1 - diff --git a/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.18.6.bb b/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.18.8.bb index 14d9942c02..28f81ba6e5 100644 --- a/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.18.6.bb +++ b/meta-oe/recipes-connectivity/modemmanager/modemmanager_1.18.8.bb @@ -12,13 +12,12 @@ inherit gnomebase gettext systemd gobject-introspection bash-completion DEPENDS = "glib-2.0 libgudev libxslt-native dbus" -SRCREV ?= "a7bcf2036b34d5043dbc33fee7d98bae5859c4d3" +SRCREV ?= "0d8b5e93fc62eb0f41e18a2d9d845331d7af36ec" -# Patches 0001, 0002 will be in ModemManager > 1.18.6 +# Patch 0001 will be in ModemManager > 1.19 SRC_URI = " \ git://gitlab.freedesktop.org/mobile-broadband/ModemManager.git;protocol=https;branch=mm-1-18 \ file://0001-core-switch-bash-shell-scripts-to-use-bin-sh-for-use.patch \ - file://0002-fcc-unlock-Make-scripts-POSIX-shell-compatible.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch b/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch new file mode 100644 index 0000000000..93949fc21d --- /dev/null +++ b/meta-oe/recipes-connectivity/rabbitmq-c/files/CVE-2023-35789.patch @@ -0,0 +1,135 @@ +From 463054383fbeef889b409a7f843df5365288e2a0 Mon Sep 17 00:00:00 2001 +From: Christian Kastner <ckk@kvr.at> +Date: Tue, 13 Jun 2023 14:21:52 +0200 +Subject: [PATCH] Add option to read username/password from file (#781) + +* Add option to read username/password from file + +CVE: CVE-2023-35789 + +Upstream-Status: Backport [https://github.com/alanxz/rabbitmq-c/commit/463054383fbeef889b409a7f843df5365288e2a0] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + tools/common.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 66 insertions(+) + +diff --git a/tools/common.c b/tools/common.c +index 53ea788..35b2b9f 100644 +--- a/tools/common.c ++++ b/tools/common.c +@@ -54,6 +54,11 @@ + #include "compat.h" + #endif + ++/* For when reading auth data from a file */ ++#define MAXAUTHTOKENLEN 128 ++#define USERNAMEPREFIX "username:" ++#define PASSWORDPREFIX "password:" ++ + void die(const char *fmt, ...) { + va_list ap; + va_start(ap, fmt); +@@ -161,6 +166,7 @@ static char *amqp_vhost; + static char *amqp_username; + static char *amqp_password; + static int amqp_heartbeat = 0; ++static char *amqp_authfile; + #ifdef WITH_SSL + static int amqp_ssl = 0; + static char *amqp_cacert = "/etc/ssl/certs/cacert.pem"; +@@ -183,6 +189,8 @@ struct poptOption connect_options[] = { + "the password to login with", "password"}, + {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0, + "heartbeat interval, set to 0 to disable", "heartbeat"}, ++ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0, ++ "path to file containing username/password for authentication", "file"}, + #ifdef WITH_SSL + {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL}, + {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0, +@@ -194,6 +202,50 @@ struct poptOption connect_options[] = { + #endif /* WITH_SSL */ + {NULL, '\0', 0, NULL, 0, NULL, NULL}}; + ++void read_authfile(const char *path) { ++ size_t n; ++ FILE *fp = NULL; ++ char token[MAXAUTHTOKENLEN]; ++ ++ if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL || ++ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) { ++ die("Out of memory"); ++ } else if ((fp = fopen(path, "r")) == NULL) { ++ die("Could not read auth data file %s", path); ++ } ++ ++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL || ++ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) { ++ die("Malformed auth file (missing username)"); ++ } ++ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN); ++ /* Missing newline means token was cut off */ ++ n = strlen(amqp_username); ++ if (amqp_username[n - 1] != '\n') { ++ die("Username too long"); ++ } else { ++ amqp_username[n - 1] = '\0'; ++ } ++ ++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL || ++ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) { ++ die("Malformed auth file (missing password)"); ++ } ++ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN); ++ /* Missing newline means token was cut off */ ++ n = strlen(amqp_password); ++ if (amqp_password[n - 1] != '\n') { ++ die("Password too long"); ++ } else { ++ amqp_password[n - 1] = '\0'; ++ } ++ ++ (void)fgetc(fp); ++ if (!feof(fp)) { ++ die("Malformed auth file (trailing data)"); ++ } ++} ++ + static void init_connection_info(struct amqp_connection_info *ci) { + ci->user = NULL; + ci->password = NULL; +@@ -269,6 +321,8 @@ static void init_connection_info(struct amqp_connection_info *ci) { + if (amqp_username) { + if (amqp_url) { + die("--username and --url options cannot be used at the same time"); ++ } else if (amqp_authfile) { ++ die("--username and --authfile options cannot be used at the same time"); + } + + ci->user = amqp_username; +@@ -277,11 +331,23 @@ static void init_connection_info(struct amqp_connection_info *ci) { + if (amqp_password) { + if (amqp_url) { + die("--password and --url options cannot be used at the same time"); ++ } else if (amqp_authfile) { ++ die("--password and --authfile options cannot be used at the same time"); + } + + ci->password = amqp_password; + } + ++ if (amqp_authfile) { ++ if (amqp_url) { ++ die("--authfile and --url options cannot be used at the same time"); ++ } ++ ++ read_authfile(amqp_authfile); ++ ci->user = amqp_username; ++ ci->password = amqp_password; ++ } ++ + if (amqp_vhost) { + if (amqp_url) { + die("--vhost and --url options cannot be used at the same time"); +-- +2.40.0 diff --git a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.11.0.bb b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.11.0.bb index 304171c88c..1cc4ada3b5 100644 --- a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.11.0.bb +++ b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.11.0.bb @@ -3,7 +3,9 @@ HOMEPAGE = "https://github.com/alanxz/rabbitmq-c" LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=6b7424f9db80cfb11fdd5c980b583f53" LICENSE = "MIT" -SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https" +SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https \ + file://CVE-2023-35789.patch \ + " # v0.11.0-master SRCREV = "a64c08c68aff34d49a2ac152f04988cd921084f9" diff --git a/meta-oe/recipes-connectivity/ser2net/ser2net_4.3.5.bb b/meta-oe/recipes-connectivity/ser2net/ser2net_4.3.5.bb index 79d54038eb..a33265063c 100644 --- a/meta-oe/recipes-connectivity/ser2net/ser2net_4.3.5.bb +++ b/meta-oe/recipes-connectivity/ser2net/ser2net_4.3.5.bb @@ -14,5 +14,3 @@ SRC_URI[sha256sum] = "848c4fe863806e506832f1ee85b8b68258f06eb19dad43dbeee16a2cfe UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/ser2net/files/ser2net" inherit autotools pkgconfig - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-connectivity/thrift/thrift_0.16.0.bb b/meta-oe/recipes-connectivity/thrift/thrift_0.16.0.bb index 2d601a2f9d..8141abef51 100644 --- a/meta-oe/recipes-connectivity/thrift/thrift_0.16.0.bb +++ b/meta-oe/recipes-connectivity/thrift/thrift_0.16.0.bb @@ -15,6 +15,8 @@ SRC_URI[sha256sum] = "f460b5c1ca30d8918ff95ea3eb6291b3951cf518553566088f3f2be898 BBCLASSEXTEND = "native nativesdk" +CVE_PRODUCT = "apache:thrift" + inherit pkgconfig cmake python3native export STAGING_INCDIR diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch new file mode 100644 index 0000000000..6028520923 --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-43515.patch @@ -0,0 +1,37 @@ +From 6b5dfdb31aa503bb0358784c632ff3a04e7a8ff4 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Wed, 4 Jan 2023 13:51:03 +0800 +Subject: [PATCH] [DEV-2301] fixed spoofing X-Forwarded-For request header + allows to access Frontend in maintenace mode + +Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e] +CVE: CVE-2022-43515 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + ui/include/classes/user/CWebUser.php | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/ui/include/classes/user/CWebUser.php b/ui/include/classes/user/CWebUser.php +index e6e651e..bfacce7 100644 +--- a/ui/include/classes/user/CWebUser.php ++++ b/ui/include/classes/user/CWebUser.php +@@ -231,13 +231,11 @@ class CWebUser { + } + + /** +- * Get user ip address. ++ * Get user IP address. + * + * @return string + */ + public static function getIp(): string { +- return (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER) && $_SERVER['HTTP_X_FORWARDED_FOR'] !== '') +- ? $_SERVER['HTTP_X_FORWARDED_FOR'] +- : $_SERVER['REMOTE_ADDR']; ++ return $_SERVER['REMOTE_ADDR']; + } + } +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch new file mode 100644 index 0000000000..debd0aaa8e --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2022-46768.patch @@ -0,0 +1,53 @@ +From 7373f92c80eb89941428468cd6b9d5c8879a7f93 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Wed, 4 Jan 2023 14:23:34 +0800 +Subject: [PATCH] [DEV-2283] added validation of the scheduled report + generation URL to zabbix-web-service + +Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/fdb03971867] +CVE: CVE-2022-46768 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + .../zabbix_web_service/pdf_report_creator.go | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/go/cmd/zabbix_web_service/pdf_report_creator.go b/src/go/cmd/zabbix_web_service/pdf_report_creator.go +index 391b58b..8452a3d 100644 +--- a/src/go/cmd/zabbix_web_service/pdf_report_creator.go ++++ b/src/go/cmd/zabbix_web_service/pdf_report_creator.go +@@ -29,6 +29,7 @@ import ( + "net/http" + "net/url" + "strconv" ++ "strings" + "time" + + "github.com/chromedp/cdproto/emulation" +@@ -123,6 +124,23 @@ func (h *handler) report(w http.ResponseWriter, r *http.Request) { + return + } + ++ if u.Scheme != "http" && u.Scheme != "https" { ++ logAndWriteError(w, fmt.Sprintf("Unexpected URL scheme: \"%s\"", u.Scheme), http.StatusBadRequest) ++ return ++ } ++ ++ if !strings.HasSuffix(u.Path, "/zabbix.php") { ++ logAndWriteError(w, fmt.Sprintf("Unexpected URL path: \"%s\"", u.Path), http.StatusBadRequest) ++ return ++ } ++ ++ queryParams := u.Query() ++ ++ if queryParams.Get("action") != "dashboard.print" { ++ logAndWriteError(w, fmt.Sprintf("Unexpected URL action: \"%s\"", queryParams.Get("action")), http.StatusBadRequest) ++ return ++ } ++ + log.Tracef( + "making chrome headless request with parameters url: %s, width: %s, height: %s for report request from %s", + u.String(), req.Parameters["width"], req.Parameters["height"], r.RemoteAddr) +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29449.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29449.patch new file mode 100644 index 0000000000..675d9e0f35 --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29449.patch @@ -0,0 +1,247 @@ +From 240754ccee1b6b35ac47862be56dacec11e65b32 Mon Sep 17 00:00:00 2001 +From: Dmitrijs Goloscapovs <dmitrijs.goloscapovs@zabbix.com> +Date: Thu, 27 Jul 2023 11:23:54 +0000 +Subject: [PATCH] .......PS. [DEV-2387] added new limits for JS objects + +Merge in ZBX/zabbix from feature/DEV-2387-6.0 to release/6.0 + +* commit '16e5f15a70cfbf00c646cb92d1fcb8a362900285': + .......PS. [DEV-2387] removed logsize check based on json buffer + .......PS. [DEV-2387] removed logsize check based on json buffer + .......PS. [DEV-2387] fixed pr comments + .......PS. [DEV-2387] removed useless include + .......PS. [DEV-2387] added limits for logging and adding httprequest headers + .......PS. [DEV-2387] limited initialization of new HttpRequest objects + +CVE: CVE-2023-29449 + +Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/240754ccee1] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + src/libs/zbxembed/console.c | 23 ++++++++++++----------- + src/libs/zbxembed/embed.c | 1 + + src/libs/zbxembed/embed.h | 3 +++ + src/libs/zbxembed/httprequest.c | 28 ++++++++++++++++++++++++++++ + src/libs/zbxembed/zabbix.c | 23 ++++++++++++----------- + 5 files changed, 56 insertions(+), 22 deletions(-) + +diff --git a/src/libs/zbxembed/console.c b/src/libs/zbxembed/console.c +index c733487..60c48fc 100644 +--- a/src/libs/zbxembed/console.c ++++ b/src/libs/zbxembed/console.c +@@ -90,27 +90,28 @@ static duk_ret_t es_log_message(duk_context *ctx, int level) + else + msg_output = zbx_strdup(msg_output, "undefined"); + +- zabbix_log(level, "%s", msg_output); +- + duk_get_memory_functions(ctx, &out_funcs); + env = (zbx_es_env_t *)out_funcs.udata; + +- if (NULL == env->json) +- goto out; +- +- if (ZBX_ES_LOG_MEMORY_LIMIT < env->json->buffer_size) /* approximate limit */ ++ if (ZBX_ES_LOG_MEMORY_LIMIT < env->log_size) + { + err_index = duk_push_error_object(ctx, DUK_RET_EVAL_ERROR, "log exceeds the maximum size of " + ZBX_FS_UI64 " bytes.", ZBX_ES_LOG_MEMORY_LIMIT); + goto out; + } + +- zbx_json_addobject(env->json, NULL); +- zbx_json_adduint64(env->json, "level", (zbx_uint64_t)level); +- zbx_json_adduint64(env->json, "ms", zbx_get_duration_ms(&env->start_time)); +- zbx_json_addstring(env->json, "message", msg_output, ZBX_JSON_TYPE_STRING); +- zbx_json_close(env->json); ++ zabbix_log(level, "%s", msg_output); ++ ++ if (NULL != env->json) ++ { ++ zbx_json_addobject(env->json, NULL); ++ zbx_json_adduint64(env->json, "level", (zbx_uint64_t)level); ++ zbx_json_adduint64(env->json, "ms", zbx_get_duration_ms(&env->start_time)); ++ zbx_json_addstring(env->json, "message", msg_output, ZBX_JSON_TYPE_STRING); ++ zbx_json_close(env->json); ++ } + out: ++ env->log_size += strlen(msg_output); + zbx_free(msg_output); + + if (-1 != err_index) +diff --git a/src/libs/zbxembed/embed.c b/src/libs/zbxembed/embed.c +index 34d8d18..cc80925 100644 +--- a/src/libs/zbxembed/embed.c ++++ b/src/libs/zbxembed/embed.c +@@ -444,6 +444,7 @@ int zbx_es_execute(zbx_es_t *es, const char *script, const char *code, int size, + zabbix_log(LOG_LEVEL_DEBUG, "In %s() param:%s", __func__, param); + + zbx_timespec(&es->env->start_time); ++ es->env->http_req_objects = 0; + + if (NULL != es->env->json) + { +diff --git a/src/libs/zbxembed/embed.h b/src/libs/zbxembed/embed.h +index a0a360c..2b954a8 100644 +--- a/src/libs/zbxembed/embed.h ++++ b/src/libs/zbxembed/embed.h +@@ -48,6 +48,9 @@ struct zbx_es_env + struct zbx_json *json; + + jmp_buf loc; ++ ++ int http_req_objects; ++ size_t log_size; + }; + + zbx_es_env_t *zbx_es_get_env(duk_context *ctx); +diff --git a/src/libs/zbxembed/httprequest.c b/src/libs/zbxembed/httprequest.c +index 8c2839c..7f0eed9 100644 +--- a/src/libs/zbxembed/httprequest.c ++++ b/src/libs/zbxembed/httprequest.c +@@ -52,6 +52,7 @@ typedef struct + size_t headers_in_alloc; + size_t headers_in_offset; + unsigned char custom_header; ++ size_t headers_sz; + } + zbx_es_httprequest_t; + +@@ -145,13 +146,21 @@ static duk_ret_t es_httprequest_dtor(duk_context *ctx) + ******************************************************************************/ + static duk_ret_t es_httprequest_ctor(duk_context *ctx) + { ++#define MAX_HTTPREQUEST_OBJECT_COUNT 10 + zbx_es_httprequest_t *request; + CURLcode err; ++ zbx_es_env_t *env; + int err_index = -1; + + if (!duk_is_constructor_call(ctx)) + return DUK_RET_TYPE_ERROR; + ++ if (NULL == (env = zbx_es_get_env(ctx))) ++ return duk_error(ctx, DUK_RET_TYPE_ERROR, "cannot access internal environment"); ++ ++ if (MAX_HTTPREQUEST_OBJECT_COUNT == env->http_req_objects) ++ return duk_error(ctx, DUK_RET_EVAL_ERROR, "maximum count of HttpRequest objects was reached"); ++ + duk_push_this(ctx); + + request = (zbx_es_httprequest_t *)zbx_malloc(NULL, sizeof(zbx_es_httprequest_t)); +@@ -189,7 +198,10 @@ out: + return duk_throw(ctx); + } + ++ env->http_req_objects++; ++ + return 0; ++#undef MAX_HTTPREQUEST_OBJECT_COUNT + } + + /****************************************************************************** +@@ -201,10 +213,12 @@ out: + ******************************************************************************/ + static duk_ret_t es_httprequest_add_header(duk_context *ctx) + { ++#define ZBX_ES_MAX_HEADERS_SIZE ZBX_KIBIBYTE * 128 + zbx_es_httprequest_t *request; + CURLcode err; + char *utf8 = NULL; + int err_index = -1; ++ size_t header_sz; + + if (NULL == (request = es_httprequest(ctx))) + return duk_error(ctx, DUK_RET_EVAL_ERROR, "internal scripting error: null object"); +@@ -215,9 +229,20 @@ static duk_ret_t es_httprequest_add_header(duk_context *ctx) + goto out; + } + ++ header_sz = strlen(utf8); ++ ++ if (ZBX_ES_MAX_HEADERS_SIZE < request->headers_sz + header_sz) ++ { ++ err_index = duk_push_error_object(ctx, DUK_RET_TYPE_ERROR, "headers exceeded maximum size of " ++ ZBX_FS_UI64 " bytes.", ZBX_ES_MAX_HEADERS_SIZE); ++ ++ goto out; ++ } ++ + request->headers = curl_slist_append(request->headers, utf8); + ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_HTTPHEADER, request->headers, err); + request->custom_header = 1; ++ request->headers_sz += header_sz + 1; + out: + zbx_free(utf8); + +@@ -225,6 +250,7 @@ out: + return duk_throw(ctx); + + return 0; ++#undef ZBX_ES_MAX_HEADERS_SIZE + } + + /****************************************************************************** +@@ -244,6 +270,7 @@ static duk_ret_t es_httprequest_clear_header(duk_context *ctx) + curl_slist_free_all(request->headers); + request->headers = NULL; + request->custom_header = 0; ++ request->headers_sz = 0; + + return 0; + } +@@ -311,6 +338,7 @@ static duk_ret_t es_httprequest_query(duk_context *ctx, const char *http_request + { + curl_slist_free_all(request->headers); + request->headers = NULL; ++ request->headers_sz = 0; + } + + if (NULL != contents) +diff --git a/src/libs/zbxembed/zabbix.c b/src/libs/zbxembed/zabbix.c +index 820768f..0ecde86 100644 +--- a/src/libs/zbxembed/zabbix.c ++++ b/src/libs/zbxembed/zabbix.c +@@ -81,27 +81,28 @@ static duk_ret_t es_zabbix_log(duk_context *ctx) + zbx_replace_invalid_utf8(message); + } + +- zabbix_log(level, "%s", message); +- + duk_get_memory_functions(ctx, &out_funcs); + env = (zbx_es_env_t *)out_funcs.udata; + +- if (NULL == env->json) +- goto out; +- +- if (ZBX_ES_LOG_MEMORY_LIMIT < env->json->buffer_size) /* approximate limit */ ++ if (ZBX_ES_LOG_MEMORY_LIMIT < env->log_size) + { + err_index = duk_push_error_object(ctx, DUK_RET_EVAL_ERROR, "log exceeds the maximum size of " + ZBX_FS_UI64 " bytes.", ZBX_ES_LOG_MEMORY_LIMIT); + goto out; + } + +- zbx_json_addobject(env->json, NULL); +- zbx_json_adduint64(env->json, "level", (zbx_uint64_t)level); +- zbx_json_adduint64(env->json, "ms", zbx_get_duration_ms(&env->start_time)); +- zbx_json_addstring(env->json, "message", message, ZBX_JSON_TYPE_STRING); +- zbx_json_close(env->json); ++ zabbix_log(level, "%s", message); ++ ++ if (NULL != env->json) ++ { ++ zbx_json_addobject(env->json, NULL); ++ zbx_json_adduint64(env->json, "level", (zbx_uint64_t)level); ++ zbx_json_adduint64(env->json, "ms", zbx_get_duration_ms(&env->start_time)); ++ zbx_json_addstring(env->json, "message", message, ZBX_JSON_TYPE_STRING); ++ zbx_json_close(env->json); ++ } + out: ++ env->log_size += strlen(message); + zbx_free(message); + + if (-1 != err_index) +-- +2.35.5 diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29450.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29450.patch new file mode 100644 index 0000000000..ea790f0a93 --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29450.patch @@ -0,0 +1,241 @@ +From 76f6a80cb3d6131e9c3e98918305c1bf1805fa2a Mon Sep 17 00:00:00 2001 +From: Vladislavs Sokurenko <vladislavs.sokurenko@zabbix.com> +Date: Thu, 27 Jul 2023 12:43:02 +0000 +Subject: [PATCH] ...G...PS. [DEV-2429] fixed unauthorised file system access + when using cURL + +Merge in ZBX/zabbix from feature/DEV-2429-6.0 to release/6.0 + +* commit 'abf345230ee185d61cc0bd70d432fa4b093b8a53': + ...G...PS. [DEV-2429] fixed unautorized file system access when using curl + .......PS. [DEV-2429] fixed unautorized file system access in JS preprocessing + +CVE: CVE-2023-29450 + +Upstream-Status: Backport [https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/76f6a80cb3d] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + src/libs/zbxembed/httprequest.c | 4 +++ + src/libs/zbxhistory/history_elastic.c | 30 ++++++++++++++++++++++ + src/libs/zbxhttp/http.c | 9 +++++++ + src/libs/zbxmedia/email.c | 6 +++++ + src/libs/zbxsysinfo/common/http.c | 9 +++++++ + src/libs/zbxsysinfo/simple/simple.c | 11 ++++++++ + src/zabbix_server/httppoller/httptest.c | 9 +++++++ + src/zabbix_server/reporter/report_writer.c | 10 ++++++++ + src/zabbix_server/vmware/vmware.c | 9 +++++++ + 9 files changed, 97 insertions(+) + +diff --git a/src/libs/zbxembed/httprequest.c b/src/libs/zbxembed/httprequest.c +index 7f0eed9..871b925 100644 +--- a/src/libs/zbxembed/httprequest.c ++++ b/src/libs/zbxembed/httprequest.c +@@ -354,6 +354,10 @@ static duk_ret_t es_httprequest_query(duk_context *ctx, const char *http_request + ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_CUSTOMREQUEST, http_request, err); + ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_TIMEOUT_MS, timeout_ms - elapsed_ms, err); + ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_POSTFIELDS, ZBX_NULL2EMPTY_STR(contents), err); ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ ZBX_CURL_SETOPT(ctx, request->handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS, err); ++#endif + + request->data_offset = 0; + request->headers_in_offset = 0; +diff --git a/src/libs/zbxhistory/history_elastic.c b/src/libs/zbxhistory/history_elastic.c +index 8b3ea84..fc881da 100644 +--- a/src/libs/zbxhistory/history_elastic.c ++++ b/src/libs/zbxhistory/history_elastic.c +@@ -406,6 +406,16 @@ static void elastic_writer_add_iface(zbx_history_iface_t *hist) + goto out; + } + ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PROTOCOLS, ++ CURLPROTO_HTTP | CURLPROTO_HTTPS))) ++ { ++ zabbix_log(LOG_LEVEL_ERR, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err)); ++ goto out; ++ } ++#endif ++ + *page_w[hist->value_type].errbuf = '\0'; + + if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PRIVATE, &page_w[hist->value_type]))) +@@ -722,6 +732,16 @@ static int elastic_get_values(zbx_history_iface_t *hist, zbx_uint64_t itemid, in + goto out; + } + ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ if (CURLE_OK != (err = curl_easy_setopt(data->handle, opt = CURLOPT_PROTOCOLS, ++ CURLPROTO_HTTP | CURLPROTO_HTTPS))) ++ { ++ zabbix_log(LOG_LEVEL_ERR, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err)); ++ goto out; ++ } ++#endif ++ + zabbix_log(LOG_LEVEL_DEBUG, "sending query to %s; post data: %s", data->post_url, query.buffer); + + page_r.offset = 0; +@@ -1065,6 +1085,16 @@ void zbx_elastic_version_extract(struct zbx_json *json) + goto clean; + } + ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ if (CURLE_OK != (err = curl_easy_setopt(handle, opt = CURLOPT_PROTOCOLS, ++ CURLPROTO_HTTP | CURLPROTO_HTTPS))) ++ { ++ zabbix_log(LOG_LEVEL_WARNING, "cannot set cURL option %d: [%s]", (int)opt, curl_easy_strerror(err)); ++ goto clean; ++ } ++#endif ++ + *errbuf = '\0'; + + if (CURLE_OK != (err = curl_easy_perform(handle))) +diff --git a/src/libs/zbxhttp/http.c b/src/libs/zbxhttp/http.c +index c10922c..36774cc 100644 +--- a/src/libs/zbxhttp/http.c ++++ b/src/libs/zbxhttp/http.c +@@ -333,6 +333,15 @@ int zbx_http_get(const char *url, const char *header, long timeout, char **out, + goto clean; + } + ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS))) ++ { ++ *error = zbx_dsprintf(NULL, "Cannot set allowed protocols: %s", curl_easy_strerror(err)); ++ goto clean; ++ } ++#endif ++ + if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_URL, url))) + { + *error = zbx_dsprintf(NULL, "Cannot specify URL: %s", curl_easy_strerror(err)); +diff --git a/src/libs/zbxmedia/email.c b/src/libs/zbxmedia/email.c +index 3b987d9..d3af744 100644 +--- a/src/libs/zbxmedia/email.c ++++ b/src/libs/zbxmedia/email.c +@@ -661,6 +661,12 @@ static int send_email_curl(const char *smtp_server, unsigned short smtp_port, co + if ('\0' != *smtp_helo) + zbx_snprintf(url + url_offset, sizeof(url) - url_offset, "/%s", smtp_helo); + ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_SMTPS | CURLPROTO_SMTP))) ++ goto error; ++#endif ++ + if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_URL, url))) + goto error; + +diff --git a/src/libs/zbxsysinfo/common/http.c b/src/libs/zbxsysinfo/common/http.c +index acd77e1..8dc4793 100644 +--- a/src/libs/zbxsysinfo/common/http.c ++++ b/src/libs/zbxsysinfo/common/http.c +@@ -176,6 +176,15 @@ static int curl_page_get(char *url, char **buffer, char **error) + goto out; + } + ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS))) ++ { ++ *error = zbx_dsprintf(*error, "Cannot set allowed protocols: %s", curl_easy_strerror(err)); ++ goto out; ++ } ++#endif ++ + if (CURLE_OK == (err = curl_easy_perform(easyhandle))) + { + if (NULL != buffer) +diff --git a/src/libs/zbxsysinfo/simple/simple.c b/src/libs/zbxsysinfo/simple/simple.c +index be1b9f9..80c5eac 100644 +--- a/src/libs/zbxsysinfo/simple/simple.c ++++ b/src/libs/zbxsysinfo/simple/simple.c +@@ -189,6 +189,17 @@ static int check_https(const char *host, unsigned short port, int timeout, int * + goto clean; + } + ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_PROTOCOLS, ++ CURLPROTO_HTTP | CURLPROTO_HTTPS))) ++ { ++ zabbix_log(LOG_LEVEL_DEBUG, "%s: could not set cURL option [%d]: %s", ++ __func__, (int)opt, curl_easy_strerror(err)); ++ goto clean; ++ } ++#endif ++ + if (NULL != CONFIG_SOURCE_IP) + { + if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_INTERFACE, CONFIG_SOURCE_IP))) +diff --git a/src/zabbix_server/httppoller/httptest.c b/src/zabbix_server/httppoller/httptest.c +index 0ff70ef..0201442 100644 +--- a/src/zabbix_server/httppoller/httptest.c ++++ b/src/zabbix_server/httppoller/httptest.c +@@ -696,6 +696,15 @@ static void process_httptest(DC_HOST *host, zbx_httptest_t *httptest) + goto clean; + } + ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS))) ++ { ++ err_str = zbx_strdup(err_str, curl_easy_strerror(err)); ++ goto clean; ++ } ++#endif ++ + if (SUCCEED != zbx_http_prepare_ssl(easyhandle, httptest->httptest.ssl_cert_file, + httptest->httptest.ssl_key_file, httptest->httptest.ssl_key_password, + httptest->httptest.verify_peer, httptest->httptest.verify_host, &err_str)) +diff --git a/src/zabbix_server/reporter/report_writer.c b/src/zabbix_server/reporter/report_writer.c +index 87d1364..7530ed0 100644 +--- a/src/zabbix_server/reporter/report_writer.c ++++ b/src/zabbix_server/reporter/report_writer.c +@@ -162,6 +162,16 @@ static int rw_get_report(const char *url, const char *cookie, int width, int hei + goto out; + } + ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ if (CURLE_OK != (err = curl_easy_setopt(curl, opt = CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS))) ++ { ++ *error = zbx_dsprintf(*error, "Cannot set cURL option %d: %s.", (int)opt, ++ (curl_error = rw_curl_error(err))); ++ goto out; ++ } ++#endif ++ + if (NULL != CONFIG_TLS_CA_FILE && '\0' != *CONFIG_TLS_CA_FILE) + { + if (CURLE_OK != (err = curl_easy_setopt(curl, opt = CURLOPT_CAINFO, CONFIG_TLS_CA_FILE)) || +diff --git a/src/zabbix_server/vmware/vmware.c b/src/zabbix_server/vmware/vmware.c +index b02c8c7..718d519 100644 +--- a/src/zabbix_server/vmware/vmware.c ++++ b/src/zabbix_server/vmware/vmware.c +@@ -2045,6 +2045,15 @@ static int vmware_service_authenticate(zbx_vmware_service_t *service, CURL *easy + goto out; + } + ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ /* CURLOPT_PROTOCOLS is supported starting with version 7.19.4 (0x071304) */ ++ if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS))) ++ { ++ *error = zbx_dsprintf(*error, "Cannot set cURL option %d: %s.", (int)opt, curl_easy_strerror(err)); ++ goto out; ++ } ++#endif ++ + if (NULL != CONFIG_SOURCE_IP) + { + if (CURLE_OK != (err = curl_easy_setopt(easyhandle, opt = CURLOPT_INTERFACE, CONFIG_SOURCE_IP))) +-- +2.35.5 diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29451.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29451.patch new file mode 100644 index 0000000000..453f67a920 --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-29451.patch @@ -0,0 +1,116 @@ +From 90274a56b2505997cd1677f0bd6a8b89b21df163 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Wed, 26 Apr 2023 15:00:07 +0800 +Subject: [PATCH] Fix CVE-2023-29451 + +.......PS. [DEV-2450] fixed JSON validation not detecting invalid unicode characters and out of bounds access with JSONPath on invalid unicode character + +Merge in ZBX/zabbix from feature/DEV-2450-6.0 to release/6.0 + +* commit '97efb4ed5069d4febe825671e2c3d106478d082d': + .......PS. [DEV-2450] added mock test + .......PS. [DEV-2450] fixed JSON validation not detecting invalid unicode characters and out of bounds access with JSONPath on invalid unicode character + .......PS. [DEV-2450] fixed JSON validation not detecting invalid unicode characters and out of bounds access with JSONPath on invalid unicode character + +Upstream-Status: Backport +[https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/3b6a8c84612a67daaf89879226349420104bff24] +CVE: CVE-2023-29451 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + src/libs/zbxdiag/diag.c | 3 ++- + src/libs/zbxjson/json.c | 2 +- + src/libs/zbxjson/json.h | 1 + + src/libs/zbxjson/json_parser.c | 15 +++++---------- + src/zabbix_server/reporter/report_protocol.c | 3 ++- + 5 files changed, 11 insertions(+), 13 deletions(-) + +diff --git a/src/libs/zbxdiag/diag.c b/src/libs/zbxdiag/diag.c +index 6fc5509..dc47407 100644 +--- a/src/libs/zbxdiag/diag.c ++++ b/src/libs/zbxdiag/diag.c +@@ -673,7 +673,8 @@ static void diag_get_simple_values(const struct zbx_json_parse *jp, char **msg) + { + if (FAIL == zbx_json_brackets_open(pnext, &jp_value)) + { +- zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, &type); ++ if (NULL == zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, &type)) ++ type = ZBX_JSON_TYPE_NULL; + + if (0 != msg_offset) + zbx_chrcpy_alloc(msg, &msg_alloc, &msg_offset, ' '); +diff --git a/src/libs/zbxjson/json.c b/src/libs/zbxjson/json.c +index 4161ef0..c043d7e 100644 +--- a/src/libs/zbxjson/json.c ++++ b/src/libs/zbxjson/json.c +@@ -764,7 +764,7 @@ static unsigned int zbx_hex2num(char c) + * 0 on error (invalid escape sequence) * + * * + ******************************************************************************/ +-static unsigned int zbx_json_decode_character(const char **p, unsigned char *bytes) ++unsigned int zbx_json_decode_character(const char **p, unsigned char *bytes) + { + bytes[0] = '\0'; + +diff --git a/src/libs/zbxjson/json.h b/src/libs/zbxjson/json.h +index c59646a..4008411 100644 +--- a/src/libs/zbxjson/json.h ++++ b/src/libs/zbxjson/json.h +@@ -29,5 +29,6 @@ + SKIP_WHITESPACE(src) + + void zbx_set_json_strerror(const char *fmt, ...) __zbx_attr_format_printf(1, 2); ++unsigned int zbx_json_decode_character(const char **p, unsigned char *bytes); + + #endif +diff --git a/src/libs/zbxjson/json_parser.c b/src/libs/zbxjson/json_parser.c +index c8dcee4..64d24cf 100644 +--- a/src/libs/zbxjson/json_parser.c ++++ b/src/libs/zbxjson/json_parser.c +@@ -88,7 +88,7 @@ static zbx_int64_t json_parse_string(const char *start, char **error) + if ('\\' == *ptr) + { + const char *escape_start = ptr; +- int i; ++ unsigned char uc[4]; /* decoded Unicode character takes 1-4 bytes in UTF-8 */ + + /* unexpected end of string data, failing */ + if ('\0' == *(++ptr)) +@@ -107,16 +107,11 @@ static zbx_int64_t json_parse_string(const char *start, char **error) + break; + case 'u': + /* check if the \u is followed with 4 hex digits */ +- for (i = 0; i < 4; i++) +- { +- if (0 == isxdigit((unsigned char)*(++ptr))) +- { +- return json_error("invalid escape sequence in string", +- escape_start, error); +- } ++ if (0 == zbx_json_decode_character(&ptr, uc)) { ++ return json_error("invalid escape sequence in string", ++ escape_start, error); + } +- +- break; ++ continue; + default: + return json_error("invalid escape sequence in string data", + escape_start, error); +diff --git a/src/zabbix_server/reporter/report_protocol.c b/src/zabbix_server/reporter/report_protocol.c +index 5f55f51..ee0e02e 100644 +--- a/src/zabbix_server/reporter/report_protocol.c ++++ b/src/zabbix_server/reporter/report_protocol.c +@@ -421,7 +421,8 @@ void zbx_report_test(const struct zbx_json_parse *jp, zbx_uint64_t userid, struc + size_t value_alloc = 0; + zbx_ptr_pair_t pair; + +- zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, NULL); ++ if (NULL == zbx_json_decodevalue_dyn(pnext, &value, &value_alloc, NULL)) ++ continue; + pair.first = zbx_strdup(NULL, key); + pair.second = value; + zbx_vector_ptr_pair_append(¶ms, pair); +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32726.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32726.patch new file mode 100644 index 0000000000..b9c37bc045 --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32726.patch @@ -0,0 +1,160 @@ +From 53ef2b7119f57f4140e6bd9c5cd2d3c6af228179 Mon Sep 17 00:00:00 2001 +From: Armands Arseniuss Skolmeisters <armands.skolmeisters@zabbix.com> +Date: Thu, 11 Jan 2024 12:00:24 +0000 +Subject: [PATCH] ...G...... [DEV-2702] fixed buffer overread in DNS response + +* commit '893902999ab7f0b15cce91e8555cb251b32b6df4': + ...G...... [DEV-2702] fixed DNS record data length check + ...G...... [DEV-2702] improved DNS error messages + ...G...... [DEV-2702] fixed DNS error messages + ...G...... [DEV-2702] improved DNS error messages + ...G...... [DEV-2702] fixed buffer overread in DNS response + +CVE: CVE-2023-32726 +Upstream-Status: Backport [https://github.com/zabbix/zabbix/commit/53ef2b7119f57f4140e6bd9c5cd2d3c6af228179] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + src/libs/zbxsysinfo/common/dns.c | 65 +++++++++++++++++++++++++++----- + 1 file changed, 56 insertions(+), 9 deletions(-) + +diff --git a/src/libs/zbxsysinfo/common/dns.c b/src/libs/zbxsysinfo/common/dns.c +index e8938d8..bf456f2 100644 +--- a/src/libs/zbxsysinfo/common/dns.c ++++ b/src/libs/zbxsysinfo/common/dns.c +@@ -638,7 +638,8 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans + { + if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) + { +- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response.")); ++ SET_MSG_RESULT(result, zbx_strdup(NULL, ++ "Cannot decode DNS response: cannot expand domain name.")); + ret = SYSINFO_RET_FAIL; + goto clean; + } +@@ -651,6 +652,13 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans + GETSHORT(q_len, msg_ptr); + offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %-8s", decode_type(q_type)); + ++ if (msg_ptr + q_len > msg_end) ++ { ++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response: record overflow.")); ++ ret = SYSINFO_RET_FAIL; ++ goto clean; ++ } ++ + switch (q_type) + { + case T_A: +@@ -695,8 +703,40 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans + case T_PTR: + if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) + { +- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response.")); ++#define ERR_MSG_PREFIX "Cannot decode DNS response: cannot expand " ++ const char *err_msg = NULL; ++ ++ switch (q_type) ++ { ++ case T_NS: ++ err_msg = ERR_MSG_PREFIX "name server name."; ++ break; ++ case T_CNAME: ++ err_msg = ERR_MSG_PREFIX "canonical name."; ++ break; ++ case T_MB: ++ err_msg = ERR_MSG_PREFIX "mailbox name."; ++ break; ++ case T_MD: ++ err_msg = ERR_MSG_PREFIX "mail destination name."; ++ break; ++ case T_MF: ++ err_msg = ERR_MSG_PREFIX "mail forwarder name."; ++ break; ++ case T_MG: ++ err_msg = ERR_MSG_PREFIX "mail group name."; ++ break; ++ case T_MR: ++ err_msg = ERR_MSG_PREFIX "renamed mailbox name."; ++ break; ++ case T_PTR: ++ err_msg = ERR_MSG_PREFIX "PTR name."; ++ break; ++ } ++ ++ SET_MSG_RESULT(result, zbx_strdup(NULL, err_msg)); + return SYSINFO_RET_FAIL; ++#undef ERR_MSG_PREFIX + } + offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name); + break; +@@ -706,7 +746,8 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans + + if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* exchange */ + { +- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response.")); ++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:" ++ " cannot expand mail exchange name.")); + return SYSINFO_RET_FAIL; + } + offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name); +@@ -715,14 +756,16 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans + case T_SOA: + if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* source host */ + { +- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response.")); ++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:" ++ " cannot expand source nameserver name.")); + return SYSINFO_RET_FAIL; + } + offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name); + + if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* administrator */ + { +- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response.")); ++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:" ++ " cannot expand administrator mailbox name.")); + return SYSINFO_RET_FAIL; + } + offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name); +@@ -750,7 +793,8 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans + case T_WKS: + if (INT32SZ + 1 > q_len) + { +- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response.")); ++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:" ++ " malformed WKS resource record.")); + return SYSINFO_RET_FAIL; + } + +@@ -816,14 +860,16 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans + case T_MINFO: + if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* mailbox responsible for mailing lists */ + { +- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response.")); ++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:" ++ " cannot expand mailbox responsible for mailing lists.")); + return SYSINFO_RET_FAIL; + } + offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name); + + if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* mailbox for error messages */ + { +- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response.")); ++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:" ++ " cannot expand mailbox for error messages.")); + return SYSINFO_RET_FAIL; + } + offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name); +@@ -854,7 +900,8 @@ static int dns_query(AGENT_REQUEST *request, AGENT_RESULT *result, int short_ans + + if (NULL == (name = get_name(answer.buffer, msg_end, &msg_ptr))) /* target */ + { +- SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response.")); ++ SET_MSG_RESULT(result, zbx_strdup(NULL, "Cannot decode DNS response:" ++ " cannot expand service target hostname.")); + return SYSINFO_RET_FAIL; + } + offset += zbx_snprintf(buffer + offset, sizeof(buffer) - offset, " %s", name); +-- +2.40.0 diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0001.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0001.patch new file mode 100644 index 0000000000..5c1e0c5af6 --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0001.patch @@ -0,0 +1,193 @@ +From 93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 Mon Sep 17 00:00:00 2001 +From: Andris Zeila <andris.zeila@zabbix.com> +Date: Fri, 12 Jan 2024 05:48:31 +0000 +Subject: [PATCH] .......PS. [DEV-2695] changed fping tests to read address + from file + +Merge in ZBX/zabbix from feature/DEV-2695-6.0 to release/6.0 + +* commit '6603893ff94620e28fc543d5d0d4c86b9be3342e': + .......PS. [DEV-2695] fixed signal blocking + .......PS. [DEV-2695] added target hostname/ip validation in fping feature tests + .......PS. [DEV-2695] added error messages when failed to prepare temporary file for fping tests + .......PS. [DEV-2695] changed fping tests to read address from file + +CVE: CVE-2023-32727 +Upstream-Status: BAckport [https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + src/libs/zbxicmpping/icmpping.c | 125 ++++++++++++++++++++++++++++---- + 1 file changed, 112 insertions(+), 13 deletions(-) + +diff --git a/src/libs/zbxicmpping/icmpping.c b/src/libs/zbxicmpping/icmpping.c +index 72f7e86..9a751b7 100644 +--- a/src/libs/zbxicmpping/icmpping.c ++++ b/src/libs/zbxicmpping/icmpping.c +@@ -59,6 +59,8 @@ static void get_source_ip_option(const char *fping, const char **option, unsigne + + zbx_snprintf(tmp, sizeof(tmp), "%s -h 2>&1", fping); + ++ zabbix_log(LOG_LEVEL_DEBUG, "executing %s", tmp); ++ + if (NULL == (f = popen(tmp, "r"))) + return; + +@@ -85,6 +87,110 @@ static void get_source_ip_option(const char *fping, const char **option, unsigne + *checked = 1; + } + ++/****************************************************************************** ++ * * ++ * Purpose: execute external program and return stdout and stderr values * ++ * * ++ * Parameters: fping - [IN] location of fping program * ++ * out - [OUT] stdout and stderr values * ++ * error - [OUT] error string if function fails * ++ * max_error_len - [IN] length of error buffer * ++ * * ++ * Return value: SUCCEED if processed successfully or FAIL otherwise * ++ * * ++ ******************************************************************************/ ++static int get_fping_out(const char *fping, const char *address, char **out, char *error, size_t max_error_len) ++{ ++ FILE *f; ++ size_t buf_size = 0, offset = 0, len; ++ ssize_t n; ++ char tmp[MAX_STRING_LEN], *buffer = NULL; ++ int ret = FAIL, fd; ++ sigset_t mask, orig_mask; ++ char filename[MAX_STRING_LEN]; ++ ++ if (FAIL == zbx_validate_hostname(address) && FAIL == is_supported_ip(address)) ++ { ++ zbx_strlcpy(error, "Invalid host name or IP address", max_error_len); ++ return FAIL; ++ } ++ ++ zbx_snprintf(filename, sizeof(filename), "%s/%s_XXXXXX", CONFIG_TMPDIR, progname); ++ if (-1 == (fd = mkstemp(filename))) ++ { ++ zbx_snprintf(error, max_error_len, "Cannot create temporary file \"%s\": %s", filename, ++ zbx_strerror(errno)); ++ ++ return FAIL; ++ } ++ ++ sigemptyset(&mask); ++ sigaddset(&mask, SIGINT); ++ sigaddset(&mask, SIGQUIT); ++ ++ len = strlen(address); ++ if (-1 == (n = write(fd, address, len))) ++ { ++ zbx_snprintf(error, max_error_len, "Cannot write address into temporary file: %s", zbx_strerror(errno)); ++ (void)close(fd); ++ goto out; ++ } ++ ++ if (n != (ssize_t)len) ++ { ++ zbx_strlcpy(error, "Cannot write full address into temporary file", max_error_len); ++ (void)close(fd); ++ goto out; ++ } ++ ++ if (-1 == close(fd)) ++ { ++ zbx_snprintf(error, max_error_len, "Cannot close temporary file: %s", zbx_strerror(errno)); ++ goto out; ++ } ++ ++ zbx_snprintf(tmp, sizeof(tmp), "%s 2>&1 < %s", fping, filename); ++ ++ if (0 > sigprocmask(SIG_BLOCK, &mask, &orig_mask)) ++ zbx_error("cannot set sigprocmask to block the user signal"); ++ ++ zabbix_log(LOG_LEVEL_DEBUG, "executing %s", tmp); ++ ++ if (NULL == (f = popen(tmp, "r"))) ++ { ++ zbx_strlcpy(error, zbx_strerror(errno), max_error_len); ++ goto out; ++ } ++ ++ while (NULL != zbx_fgets(tmp, sizeof(tmp), f)) ++ { ++ len = strlen(tmp); ++ ++ if (MAX_EXECUTE_OUTPUT_LEN < offset + len) ++ break; ++ ++ zbx_strncpy_alloc(&buffer, &buf_size, &offset, tmp, len); ++ } ++ ++ pclose(f); ++ ++ if (NULL == buffer) ++ { ++ zbx_strlcpy(error, "Cannot obtain the program output", max_error_len); ++ goto out; ++ } ++ ++ *out = buffer; ++ ret = SUCCEED; ++out: ++ unlink(filename); ++ ++ if (0 > sigprocmask(SIG_SETMASK, &orig_mask, NULL)) ++ zbx_error("cannot restore sigprocmask"); ++ ++ return ret; ++} ++ + /****************************************************************************** + * * + * Function: get_interval_option * +@@ -137,19 +243,12 @@ static int get_interval_option(const char *fping, ZBX_FPING_HOST *hosts, int hos + + zabbix_log(LOG_LEVEL_DEBUG, "testing fping interval %u ms", intervals[j]); + +- zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u %s", fping, intervals[j], dst); ++ zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u", fping, intervals[j]); + + zbx_free(out); + + /* call fping, ignore its exit code but mind execution failures */ +- if (TIMEOUT_ERROR == (ret_exec = zbx_execute(tmp, &out, err, sizeof(err), 1, +- ZBX_EXIT_CODE_CHECKS_DISABLED, NULL))) +- { +- zbx_snprintf(error, max_error_len, "Timeout while executing \"%s\"", tmp); +- goto out; +- } +- +- if (FAIL == ret_exec) ++ if (SUCCEED != (ret_exec = get_fping_out(tmp, dst, &out, err, sizeof(err)))) + { + zbx_snprintf(error, max_error_len, "Cannot execute \"%s\": %s", tmp, err); + goto out; +@@ -251,10 +350,10 @@ static int get_ipv6_support(const char * fping, const char *dst) + int ret; + char tmp[MAX_STRING_LEN], error[255], *out = NULL; + +- zbx_snprintf(tmp, sizeof(tmp), "%s -6 -c1 -t50 %s", fping, dst); ++ zbx_snprintf(tmp, sizeof(tmp), "%s -6 -c1 -t50", fping); + +- if ((SUCCEED == (ret = zbx_execute(tmp, &out, error, sizeof(error), 1, ZBX_EXIT_CODE_CHECKS_DISABLED, NULL)) && +- ZBX_KIBIBYTE > strlen(out) && NULL != strstr(out, dst)) || TIMEOUT_ERROR == ret) ++ if (SUCCEED == (ret = get_fping_out(tmp, dst, &out, error, sizeof(error)) && ++ ZBX_KIBIBYTE > strlen(out) && NULL != strstr(out, dst))) + { + ret = SUCCEED; + } +@@ -538,7 +637,7 @@ static int process_ping(ZBX_FPING_HOST *hosts, int hosts_count, int count, int i + + fclose(f); + +- zabbix_log(LOG_LEVEL_DEBUG, "%s", tmp); ++ zabbix_log(LOG_LEVEL_DEBUG, "executing %s", tmp); + + sigemptyset(&mask); + sigaddset(&mask, SIGINT); +-- +2.40.0 diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0002.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0002.patch new file mode 100644 index 0000000000..aabc675b6a --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2023-32727_0002.patch @@ -0,0 +1,49 @@ +From 610f9fdbb86667f4094972547deb936c6cdfc6d5 Mon Sep 17 00:00:00 2001 +From: Andris Zeila <andris.zeila@zabbix.com> +Date: Fri, 12 Jan 2024 06:06:02 +0000 +Subject: [PATCH] .......PS. [DEV-2695] removed group/all access flags for + fping temporary files + +Merge in ZBX/zabbix from feature/DEV-2695-6.5 to master + +* commit 'cf07db1d5c2b8fe4a9de85fed22cf05035e08914': + .......PS. [DEV-2695] remove group/all access flags when creating fping input file for testing fping features + +(cherry picked from commit cd12f0a2d89c3ef05f0e9f50dcb73fdaf3a7e8a9) + +CVE: CVE-2023-32727 +Upstream_Status: Backport [https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + src/libs/zbxicmpping/icmpping.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/libs/zbxicmpping/icmpping.c b/src/libs/zbxicmpping/icmpping.c +index 9a751b7..bab3d09 100644 +--- a/src/libs/zbxicmpping/icmpping.c ++++ b/src/libs/zbxicmpping/icmpping.c +@@ -108,6 +108,7 @@ static int get_fping_out(const char *fping, const char *address, char **out, cha + int ret = FAIL, fd; + sigset_t mask, orig_mask; + char filename[MAX_STRING_LEN]; ++ mode_t mode; + + if (FAIL == zbx_validate_hostname(address) && FAIL == is_supported_ip(address)) + { +@@ -116,7 +117,12 @@ static int get_fping_out(const char *fping, const char *address, char **out, cha + } + + zbx_snprintf(filename, sizeof(filename), "%s/%s_XXXXXX", CONFIG_TMPDIR, progname); +- if (-1 == (fd = mkstemp(filename))) ++ ++ mode = umask(077); ++ fd = mkstemp(filename); ++ umask(mode); ++ ++ if (-1 == fd) + { + zbx_snprintf(error, max_error_len, "Cannot create temporary file \"%s\": %s", filename, + zbx_strerror(errno)); +-- +2.40.0 diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix_5.2.6.bb b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb index 66c80758ce..2793f0ca5f 100644 --- a/meta-oe/recipes-connectivity/zabbix/zabbix_5.2.6.bb +++ b/meta-oe/recipes-connectivity/zabbix/zabbix_5.4.12.bb @@ -23,13 +23,21 @@ DEPENDS = "libevent libpcre openldap virtual/libiconv zlib" PACKAGE_ARCH = "${MACHINE_ARCH}" -SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.2/${BPN}-${PV}.tar.gz \ +SRC_URI = "https://cdn.zabbix.com/zabbix/sources/stable/5.4/${BPN}-${PV}.tar.gz \ file://0001-Fix-configure.ac.patch \ file://zabbix-agent.service \ + file://CVE-2022-43515.patch \ + file://CVE-2022-46768.patch \ + file://CVE-2023-29451.patch \ + file://CVE-2023-29449.patch \ + file://CVE-2023-29450.patch \ + file://CVE-2023-32726.patch \ + file://CVE-2023-32727_0001.patch \ + file://CVE-2023-32727_0002.patch \ " -SRC_URI[md5sum] = "31dab3535a1fa212f5724902727f6d4d" -SRC_URI[sha256sum] = "76cb704f2a04fbc87bb3eff44fa71339c355d467f7bbd8fb53f8927c760e1680" +SRC_URI[md5sum] = "f295fd2df86143d72f6ff26e47d9e39e" +SRC_URI[sha256sum] = "d60d5515807c30c05d0900b83a7e6ef6479929aef7d6f248fba481c4816bacf4" inherit autotools-brokensep linux-kernel-base pkgconfig systemd useradd diff --git a/meta-oe/recipes-connectivity/zeromq/czmq_4.2.1.bb b/meta-oe/recipes-connectivity/zeromq/czmq_4.2.1.bb index 86fde7ccfb..ce9d758d9f 100644 --- a/meta-oe/recipes-connectivity/zeromq/czmq_4.2.1.bb +++ b/meta-oe/recipes-connectivity/zeromq/czmq_4.2.1.bb @@ -30,8 +30,6 @@ PACKAGECONFIG[nss] = "-DCZMQ_WITH_NSS=ON,-DCZMQ_WITH_NSS=OFF,nss" PACKAGECONFIG[systemd] = "-DCZMQ_WITH_SYSTEMD=ON,-DCZMQ_WITH_SYSTEMD=OFF,systemd" PACKAGECONFIG[uuid] = "-DCZMQ_WITH_UUID=ON,-DCZMQ_WITH_UUID=OFF,util-linux" -BBCLASSEXTEND = "nativesdk" - do_install:append() { mkdir -p ${D}/${includedir}/${BPN} mv ${D}/${includedir}/sha1.h ${D}/${includedir}/${BPN}/. |