diff options
299 files changed, 19946 insertions, 779 deletions
diff --git a/contrib/pw-am.sh b/contrib/pw-am.sh index 8987eee8eb..d9d1187b0b 100755 --- a/contrib/pw-am.sh +++ b/contrib/pw-am.sh @@ -9,7 +9,7 @@ for patchnumber in $@; do - wget -nv http://patches.openembedded.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch + wget -nv http://patchwork.yoctoproject.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch git am -s pw-am-$patchnumber.patch rm pw-am-$patchnumber.patch done diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb index 6f5cb6cee9..efb331d7b2 100644 --- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb @@ -10,8 +10,7 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \ file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \ " S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}" -SRC_URI[md5sum] = "d97474ae1954f772c6d2fa386a6f462c" -SRC_URI[sha256sum] = "3e5a021d7b761261836dcb305370af299793eedbded731df3d6943802e1262d5" +SRC_URI[sha256sum] = "f20e36ee68074b845e3629e6bced4706ad053804cbaf062fbae60738f854170c" UPSTREAM_CHECK_URI = "https://www.tuxera.com/community/open-source-ntfs-3g/" UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P<pver>\d+(\.\d+)+)\.tgz" @@ -50,3 +49,5 @@ do_install_append() { # Satisfy the -dev runtime dependency ALLOW_EMPTY_${PN} = "1" + +CVE_PRODUCT = "tuxera:ntfs-3g" diff --git a/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb b/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb index 24b17fc93b..dc9132a82e 100644 --- a/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb +++ b/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb @@ -22,6 +22,8 @@ UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>3(\.\d+)+).tar.xz" inherit meson pkgconfig +CVE_PRODUCT = "fuse_project:fuse" + DEPENDS = "udev" PACKAGES =+ "fuse3-utils" diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb index 49682b3cd4..4ec1213519 100644 --- a/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb +++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb @@ -27,6 +27,8 @@ CVE_CHECK_WHITELIST += "CVE-2019-14860" UPSTREAM_CHECK_URI = "https://github.com/libfuse/libfuse/releases" UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>2(\.\d+)+).tar.gz" +CVE_PRODUCT = "fuse_project:fuse" + inherit autotools pkgconfig update-rc.d systemd INITSCRIPT_NAME = "fuse" diff --git a/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb b/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb index a47bf6fcf8..b10efbedc5 100644 --- a/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb +++ b/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb @@ -10,7 +10,7 @@ DEPENDS = " \ libpam \ " -REQUIRED_DISTRO_FEATURES = "x11 systemd pam" +REQUIRED_DISTRO_FEATURES = "x11 systemd pam polkit" inherit gnomebase gsettings gobject-introspection gettext systemd useradd upstream-version-is-even features_check diff --git a/meta-gnome/recipes-support/ibus/ibus.inc b/meta-gnome/recipes-support/ibus/ibus.inc index c0c0b3b31f..2e03f7c6a7 100644 --- a/meta-gnome/recipes-support/ibus/ibus.inc +++ b/meta-gnome/recipes-support/ibus/ibus.inc @@ -10,7 +10,7 @@ PV = "1.5.22" DEPENDS = "unicode-ucd" SRC_URI = " \ - git://github.com/ibus/ibus.git;branch=master;protocol=https \ + git://github.com/ibus/ibus.git;branch=main;protocol=https \ file://0001-Do-not-try-to-start-dbus-we-do-not-have-dbus-lauch.patch \ " SRCREV = "e3262f08b9e3efc57808700823b0622ec03a1b5f" diff --git a/meta-initramfs/recipes-devtools/grubby/grubby_git.bb b/meta-initramfs/recipes-devtools/grubby/grubby_git.bb index c0797ac5c6..9d3d7b55cc 100644 --- a/meta-initramfs/recipes-devtools/grubby/grubby_git.bb +++ b/meta-initramfs/recipes-devtools/grubby/grubby_git.bb @@ -14,7 +14,7 @@ DEPENDS_append_libc-musl = " libexecinfo" S = "${WORKDIR}/git" SRCREV = "a1d2ae93408c3408e672d7eba4550fdf27fb0201" -SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https;branch=master \ +SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https;branch=main \ file://grubby-rename-grub2-editenv-to-grub-editenv.patch \ file://run-ptest \ file://0001-Add-another-variable-LIBS-to-provides-libraries-from.patch \ diff --git a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb index c651d8113d..47f7af46bd 100644 --- a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb +++ b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb @@ -3,7 +3,7 @@ LICENSE = "CC-BY-3.0" # http://www.bigbuckbunny.org/index.php/about/ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7" -SRC_URI = "https://www.mediaspip.net/IMG/avi/big_buck_bunny_1080p_surround.avi" +SRC_URI = "http://www.peach.themazzone.com/big_buck_bunny_1080p_surround.avi" SRC_URI[md5sum] = "223991c8b33564eb77988a4c13c1c76a" SRC_URI[sha256sum] = "69fe2cfe7154a6e752688e3a0d7d6b07b1605bbaf75b56f6470dc7b4c20c06ea" diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb index 33a2b7c0ce..a28372dd1f 100644 --- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb +++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb @@ -33,11 +33,12 @@ SRC_URI_append_libc-musl = " \ file://musl/0003-Fix-build-with-musl-for-n-dhcp4.patch \ file://musl/0004-Fix-build-with-musl-systemd-specific.patch \ " -SRC_URI[sha256sum] = "2b29ccc1531ba7ebba95a97f40c22b963838e8b6833745efe8e6fb71fd8fca77" +SRC_URI[sha256sum] = "377aa053752eaa304b72c9906f9efcd9fbd5f7f6cb4cd4ad72425a68982cffc6" S = "${WORKDIR}/NetworkManager-${PV}" EXTRA_OECONF = " \ + --disable-firewalld-zone \ --disable-ifcfg-rh \ --disable-more-warnings \ --with-iptables=${sbindir}/iptables \ diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch new file mode 100644 index 0000000000..0d1cbe5ad4 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch @@ -0,0 +1,93 @@ +From 3f62a590b02bf4c888a995017e2575d3b2ec6ac9 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett <abartlet@samba.org> +Date: Tue, 12 Sep 2023 18:59:44 +1200 +Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by + default + +The rpcecho server is useful in development and testing, but should never +have been allowed into production, as it includes the facility to +do a blocking sleep() in the single-threaded rpc worker. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 + +Signed-off-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://www.samba.org/samba/ftp/patches/security/samba-4.17.12-security-2023-10-10.patch] +CVE: CVE-2023-42669 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +- + lib/param/loadparm.c | 2 +- + selftest/target/Samba4.pm | 2 +- + source3/param/loadparm.c | 2 +- + source4/rpc_server/wscript_build | 3 ++- + 5 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +index 8a217cc..c6642b7 100644 +--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml ++++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +@@ -6,6 +6,6 @@ + <para>Specifies which DCE/RPC endpoint servers should be run.</para> + </description> + +-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> ++<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> + <value type="example">rpcecho</value> + </samba:parameter> +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 4c3dfff..db4ae5e 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2653,7 +2653,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default"); + lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); + +- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); ++ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); + lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); + lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); + /* the winbind method for domain controllers is for both RODC +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index a7a6c4c..ffa4b95 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -773,7 +773,7 @@ sub provision_raw_step1($$) + wins support = yes + server role = $ctx->{server_role} + server services = +echo $services +- dcerpc endpoint servers = +winreg +srvsvc ++ dcerpc endpoint servers = +winreg +srvsvc +rpcecho + notify:inotify = false + ldb:nosync = true + ldap server require strong auth = yes +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 0db44e9..b052d42 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -877,7 +877,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + + Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL); + +- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); ++ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); + + Globals.tls_enabled = true; + Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE; +diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build +index 510335a..a95e070 100644 +--- a/source4/rpc_server/wscript_build ++++ b/source4/rpc_server/wscript_build +@@ -36,7 +36,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho', + source='echo/rpc_echo.c', + subsystem='dcerpc_server', + init_function='dcerpc_server_rpcecho_init', +- deps='ndr-standard events' ++ deps='ndr-standard events', ++ enabled=bld.CONFIG_GET('ENABLE_SELFTEST') + ) + + +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb index d7b5864715..3b8da2b1cb 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb @@ -30,6 +30,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \ file://CVE-2020-14318.patch \ file://CVE-2020-14383.patch \ + file://CVE-2023-42669.patch \ " SRC_URI_append_libc-musl = " \ file://samba-pam.patch \ diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch new file mode 100644 index 0000000000..88794aa7ab --- /dev/null +++ b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch @@ -0,0 +1,111 @@ +From d255bf90834fb45be52decf9bc0b4fb46c90f205 Mon Sep 17 00:00:00 2001 +From: Martin Dummer <md11@users.sourceforge.net> +Date: Sun, 12 Sep 2021 22:52:26 +0200 +Subject: [PATCH] fix buffer overflow in atftpd + +Andreas B. Mundt <andi@debian.org> reports: + +I've found a problem in atftpd that might be relevant for security. +The daemon can be crashed by any client sending a crafted combination +of TFTP options to the server. As TFTP is usually only used in the LAN, +it's probably not too dramatic. + +Observations and how to reproduce the issue +=========================================== + +Install bullseye packages and prepare tftp-root: + sudo apt install atftp atftpd + mkdir tmp + touch tmp/file.txt + +Run server: + /usr/sbin/atftpd --user=$(id -un) --group=$(id -gn) --daemon --no-fork --trace \ + --logfile=/dev/stdout --verbose=7 --port 2000 tmp + +Fetch file from client: + /usr/bin/atftp -g --trace --option "blksize 8" \ + --remote-file file.txt -l /dev/null 127.0.0.1 2000 + +Crash server by adding another option to the tiny blksize: + /usr/bin/atftp -g --trace --option "blksize 8" --option "timeout 3" \ + --remote-file file.txt -l /dev/null 127.0.0.1 2000 + +Analysis +======== + +The reason for the crash is a buffer overflow. The size of the buffer keeping the data +to be sent with every segment is calculated by adding 4 bytes to the blksize (for opcode +and block number). However, the same buffer is used for the OACK, which for a blksize=8 +overflows as soon as another option is set. + +Signed-off-by: Martin Dummer <md11@users.sourceforge.net> + +CVE: CVE-2021-41054 +Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/d255bf90834fb45be52decf9bc0b4fb46c90f205.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + tftpd_file.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/tftpd_file.c b/tftpd_file.c +index ff40e8d..37a0906 100644 +--- a/tftpd_file.c ++++ b/tftpd_file.c +@@ -168,11 +168,24 @@ int tftpd_receive_file(struct thread_data *data) + logger(LOG_DEBUG, "timeout option -> %d", timeout); + } + +- /* blksize options */ ++ /* ++ * blksize option, must be the last option evaluated, ++ * because data->data_buffer_size may be modified here, ++ * and may be smaller than the buffer containing options ++ */ + if ((result = opt_get_blksize(data->tftp_options)) > -1) + { +- if ((result < 8) || (result > 65464)) ++ /* ++ * If we receive more options, we have to make sure our buffer for ++ * the OACK is not too small. Use the string representation of ++ * the options here for simplicity, which puts us on the save side. ++ * FIXME: Use independent buffers for OACK and data. ++ */ ++ opt_options_to_string(data->tftp_options, string, MAXLEN); ++ if ((result < strlen(string)-2) || (result > 65464)) + { ++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.", ++ string, strlen(string)-2); + tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size); + if (data->trace) + logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG, +@@ -531,11 +544,24 @@ int tftpd_send_file(struct thread_data *data) + logger(LOG_INFO, "timeout option -> %d", timeout); + } + +- /* blksize options */ ++ /* ++ * blksize option, must be the last option evaluated, ++ * because data->data_buffer_size may be modified here, ++ * and may be smaller than the buffer containing options ++ */ + if ((result = opt_get_blksize(data->tftp_options)) > -1) + { +- if ((result < 8) || (result > 65464)) ++ /* ++ * If we receive more options, we have to make sure our buffer for ++ * the OACK is not too small. Use the string representation of ++ * the options here for simplicity, which puts us on the save side. ++ * FIXME: Use independent buffers for OACK and data. ++ */ ++ opt_options_to_string(data->tftp_options, string, MAXLEN); ++ if ((result < strlen(string)-2) || (result > 65464)) + { ++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.", ++ string, strlen(string)-2); + tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size); + if (data->trace) + logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG, +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch new file mode 100644 index 0000000000..310728aaca --- /dev/null +++ b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch @@ -0,0 +1,48 @@ +From 9cf799c40738722001552618518279e9f0ef62e5 Mon Sep 17 00:00:00 2001 +From: Simon Rettberg <simon.rettberg@rz.uni-freiburg.de> +Date: Wed, 10 Jan 2018 17:01:20 +0100 +Subject: [PATCH] options.c: Proper fix for the read-past-end-of-array + +This properly fixes what commit:b3e36dd tried to do. + +CVE: CVE-2021-46671 +Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/9cf799c40738722001552618518279e9f0ef62e5.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + options.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/options.c b/options.c +index ee419c6..c716994 100644 +--- a/options.c ++++ b/options.c +@@ -43,6 +43,12 @@ int opt_parse_request(char *data, int data_size, struct tftp_opt *options) + struct tftphdr *tftp_data = (struct tftphdr *)data; + size_t size = data_size - sizeof(tftp_data->th_opcode); + ++ /* sanity check - requests always end in a null byte, ++ * check to prevent argz_next from reading past the end of ++ * data, as it doesn't do bounds checks */ ++ if (data_size == 0 || data[data_size-1] != '\0') ++ return ERR; ++ + /* read filename */ + entry = argz_next(tftp_data->th_stuff, size, entry); + if (!entry) +@@ -79,6 +85,12 @@ int opt_parse_options(char *data, int data_size, struct tftp_opt *options) + struct tftphdr *tftp_data = (struct tftphdr *)data; + size_t size = data_size - sizeof(tftp_data->th_opcode); + ++ /* sanity check - options always end in a null byte, ++ * check to prevent argz_next from reading past the end of ++ * data, as it doesn't do bounds checks */ ++ if (data_size == 0 || data[data_size-1] != '\0') ++ return ERR; ++ + while ((entry = argz_next(tftp_data->th_stuff, size, entry))) + { + tmp = entry; +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb index ddddb1b07a..32b776e578 100644 --- a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb +++ b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb @@ -9,6 +9,8 @@ SRCREV = "52b71f0831dcbde508bd3a961d84abb80a62480f" SRC_URI = "git://git.code.sf.net/p/atftp/code;branch=master \ file://atftpd.init \ file://atftpd.service \ + file://0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch \ + file://0001-fix-buffer-overflow-in-atftpd.patch \ " SRC_URI_append_libc-musl = " file://0001-argz.h-fix-musl-compile-add-missing-defines.patch \ file://0002-tftp.h-tftpd.h-fix-musl-compile-missing-include.patch \ diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch new file mode 100644 index 0000000000..0ddea03c69 --- /dev/null +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch @@ -0,0 +1,83 @@ +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 15 Jun 2022 10:44:50 +0530 +Subject: [PATCH] CVE-2022-24407 + +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc] +CVE: CVE-2022-24407 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + plugins/sql.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/plugins/sql.c b/plugins/sql.c +index 95f5f707..5d20759b 100644 +--- a/plugins/sql.c ++++ b/plugins/sql.c +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context, + char *statement = NULL; + char *escap_userid = NULL; + char *escap_realm = NULL; ++ char *escap_passwd = NULL; + const char *cmd; + + sql_settings_t *settings; +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context, + "Unable to begin transaction\n"); + } + for (cur = to_store; ret == SASL_OK && cur->name; cur++) { ++ /* Free the buffer, current content is from previous loop. */ ++ if (escap_passwd) { ++ sparams->utils->free(escap_passwd); ++ escap_passwd = NULL; ++ } + + if (cur->name[0] == '*') { + continue; +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context, + } + sparams->utils->free(statement); + ++ if (cur->values[0]) { ++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1); ++ if (!escap_passwd) { ++ ret = SASL_NOMEM; ++ break; ++ } ++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]); ++ } ++ + /* create a statement that we will use */ + statement = sql_create_statement(cmd, cur->name, escap_userid, + escap_realm, +- cur->values && cur->values[0] ? +- cur->values[0] : SQL_NULL_VALUE, ++ escap_passwd ? ++ escap_passwd : SQL_NULL_VALUE, + sparams->utils); ++ if (!statement) { ++ ret = SASL_NOMEM; ++ break; ++ } + + { + char *log_statement = + sql_create_statement(cmd, cur->name, + escap_userid, + escap_realm, +- cur->values && cur->values[0] ? ++ escap_passwd ? + "<omitted>" : SQL_NULL_VALUE, + sparams->utils); + sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG, +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context, + done: + if (escap_userid) sparams->utils->free(escap_userid); + if (escap_realm) sparams->utils->free(escap_realm); ++ if (escap_passwd) sparams->utils->free(escap_passwd); + if (conn) settings->sql_engine->sql_close(conn); + if (userid) sparams->utils->free(userid); + if (realm) sparams->utils->free(realm); +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb index db5f94444f..3e7056d67d 100644 --- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \ file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \ file://0001-makeinit.sh-fix-parallel-build-issue.patch \ file://CVE-2019-19906.patch \ + file://CVE-2022-24407.patch \ " UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives" diff --git a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb index e7bb3e9d32..2612e12be4 100644 --- a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb +++ b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb @@ -15,5 +15,5 @@ SRC_URI += "ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-${P file://0001-makedefs-add-lnsl-and-lresolv-to-SYSLIBS-by-default.patch \ file://0001-fix-build-with-glibc-2.34.patch \ " -SRC_URI[sha256sum] = "18555183ae8b52a9e76067799279c86f9f2770cdef3836deb8462ee0a0855dec" -UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.3(\.\d+)+).tar.gz" +SRC_URI[sha256sum] = "5f71658546d9b65863249dec3a189d084ea0596e23dc4613c579ad3ae75b10d2" +UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.4(\.\d+)+).tar.gz" diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch new file mode 100644 index 0000000000..712d5db07d --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch @@ -0,0 +1,51 @@ +From ed31fe2cbd5b8b1148b467f84f7acea66fa43bb8 Mon Sep 17 00:00:00 2001 +From: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com> +Date: Tue, 3 Aug 2021 21:53:28 +0200 +Subject: [PATCH] CVE-2021-46854 + +mod_radius: copy _only_ the password + +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43] +CVE: CVE-2021-46854 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + contrib/mod_radius.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/contrib/mod_radius.c b/contrib/mod_radius.c +index b56cdfe..f234dd5 100644 +--- a/contrib/mod_radius.c ++++ b/contrib/mod_radius.c +@@ -2319,21 +2319,26 @@ static void radius_add_passwd(radius_packet_t *packet, unsigned char type, + + pwlen = strlen((const char *) passwd); + ++ /* Clear the buffers. */ ++ memset(pwhash, '\0', sizeof(pwhash)); ++ + if (pwlen == 0) { + pwlen = RADIUS_PASSWD_LEN; + + } if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) { ++ /* pwlen is not a multiple of RADIUS_PASSWD_LEN, need to prepare a proper buffer */ ++ memcpy(pwhash, passwd, pwlen); + + /* Round up the length. */ + pwlen += (RADIUS_PASSWD_LEN - 1); + + /* Truncate the length, as necessary. */ + pwlen &= ~(RADIUS_PASSWD_LEN - 1); ++ } else { ++ /* pwlen is a multiple of RADIUS_PASSWD_LEN, we can just use it. */ ++ memcpy(pwhash, passwd, pwlen); + } + +- /* Clear the buffers. */ +- memset(pwhash, '\0', sizeof(pwhash)); +- memcpy(pwhash, passwd, pwlen); + + /* Find the password attribute. */ + attrib = radius_get_attrib(packet, RADIUS_PASSWORD); +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch new file mode 100644 index 0000000000..12f6948075 --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch @@ -0,0 +1,278 @@ +From 97bbe68363ccf2de0c07f67170ec64a8b4d62592 Mon Sep 17 00:00:00 2001 +From: TJ Saunders <tj@castaglia.org> +Date: Sun, 6 Aug 2023 13:16:26 -0700 +Subject: [PATCH] Issue #1683: Avoid an edge case when handling unexpectedly + formatted input text from client, caused by quote/backslash semantics, by + skipping those semantics. + +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592] +CVE: CVE-2023-51713 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + include/str.h | 3 ++- + src/main.c | 35 +++++++++++++++++++++++++++++----- + src/str.c | 22 +++++++++++++--------- + tests/api/str.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++- + 4 files changed, 94 insertions(+), 16 deletions(-) + +diff --git a/include/str.h b/include/str.h +index 316a32a..049a1b2 100644 +--- a/include/str.h ++++ b/include/str.h +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server daemon +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -121,6 +121,7 @@ const char *pr_gid2str(pool *, gid_t); + #define PR_STR_FL_PRESERVE_COMMENTS 0x0001 + #define PR_STR_FL_PRESERVE_WHITESPACE 0x0002 + #define PR_STR_FL_IGNORE_CASE 0x0004 ++#define PR_STR_FL_IGNORE_QUOTES 0x0008 + + char *pr_str_get_token(char **, char *); + char *pr_str_get_token2(char **, char *, size_t *); +diff --git a/src/main.c b/src/main.c +index 1ead27f..01b1ef8 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -787,8 +787,24 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + return NULL; + } + ++ /* By default, pr_str_get_word will handle quotes and backslashes for ++ * escaping characters. This can produce words which are shorter, use ++ * fewer bytes than the corresponding input buffer. ++ * ++ * In this particular situation, we use the length of this initial word ++ * for determining the length of the remaining buffer bytes, assumed to ++ * contain the FTP command arguments. If this initial word is thus ++ * unexpectedly "shorter", due to nonconformant FTP text, it can lead ++ * the subsequent buffer scan, looking for CRNUL sequencees, to access ++ * unexpected memory addresses (Issue #1683). ++ * ++ * Thus for this particular situation, we tell the function to ignore/skip ++ * such quote/backslash semantics, and treat them as any other character ++ * using the IGNORE_QUOTES flag. ++ */ ++ + ptr = buf; +- wrd = pr_str_get_word(&ptr, str_flags); ++ wrd = pr_str_get_word(&ptr, str_flags|PR_STR_FL_IGNORE_QUOTES); + if (wrd == NULL) { + /* Nothing there...bail out. */ + pr_trace_msg("ctrl", 5, "command '%s' is empty, ignoring", buf); +@@ -796,6 +812,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + return NULL; + } + ++ /* Note that this first word is the FTP command. This is why we make ++ * use of the ptr buffer, which advances through the input buffer as ++ * we read words from the buffer. ++ */ ++ + subpool = make_sub_pool(p); + pr_pool_tag(subpool, "make_ftp_cmd pool"); + cmd = pcalloc(subpool, sizeof(cmd_rec)); +@@ -822,6 +843,7 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + arg_len = buflen - strlen(wrd); + arg = pcalloc(cmd->pool, arg_len + 1); + ++ /* Remember that ptr here is advanced past the first word. */ + for (i = 0, j = 0; i < arg_len; i++) { + pr_signals_handle(); + if (i > 1 && +@@ -830,15 +852,13 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + + /* Strip out the NUL by simply not copying it into the new buffer. */ + have_crnul = TRUE; +- ++ + } else { + arg[j++] = ptr[i]; + } + } + +- cmd->arg = arg; +- +- if (have_crnul) { ++ if (have_crnul == TRUE) { + char *dup_arg; + + /* Now make a copy of the stripped argument; this is what we need to +@@ -848,6 +868,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + ptr = dup_arg; + } + ++ cmd->arg = arg; ++ ++ /* Now we can read the remamining words, as command arguments, from the ++ * input buffer. ++ */ + while ((wrd = pr_str_get_word(&ptr, str_flags)) != NULL) { + pr_signals_handle(); + *((char **) push_array(tarr)) = pstrdup(cmd->pool, wrd); +diff --git a/src/str.c b/src/str.c +index eeed096..04188ce 100644 +--- a/src/str.c ++++ b/src/str.c +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server daemon +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -1209,7 +1209,7 @@ int pr_str_get_nbytes(const char *str, const char *units, off_t *nbytes) { + + char *pr_str_get_word(char **cp, int flags) { + char *res, *dst; +- char quote_mode = 0; ++ int quote_mode = FALSE; + + if (cp == NULL || + !*cp || +@@ -1238,24 +1238,28 @@ char *pr_str_get_word(char **cp, int flags) { + } + } + +- if (**cp == '\"') { +- quote_mode++; +- (*cp)++; ++ if (!(flags & PR_STR_FL_IGNORE_QUOTES)) { ++ if (**cp == '\"') { ++ quote_mode = TRUE; ++ (*cp)++; ++ } + } + + while (**cp && (quote_mode ? (**cp != '\"') : !PR_ISSPACE(**cp))) { + pr_signals_handle(); + +- if (**cp == '\\' && quote_mode) { +- ++ if (**cp == '\\' && ++ quote_mode == TRUE) { + /* Escaped char */ + if (*((*cp)+1)) { +- *dst = *(++(*cp)); ++ *dst++ = *(++(*cp)); ++ (*cp)++; ++ continue; + } + } + + *dst++ = **cp; +- ++(*cp); ++ (*cp)++; + } + + if (**cp) { +diff --git a/tests/api/str.c b/tests/api/str.c +index 7c6e110..77fda8f 100644 +--- a/tests/api/str.c ++++ b/tests/api/str.c +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server testsuite +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -695,19 +695,23 @@ END_TEST + START_TEST (get_word_test) { + char *ok, *res, *str; + ++ mark_point(); + res = pr_str_get_word(NULL, 0); + fail_unless(res == NULL, "Failed to handle null arguments"); + fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); + ++ mark_point(); + str = NULL; + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle null str argument"); + fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); + ++ mark_point(); + str = pstrdup(p, " "); + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle whitespace argument"); + ++ mark_point(); + str = pstrdup(p, " foo"); + res = pr_str_get_word(&str, PR_STR_FL_PRESERVE_WHITESPACE); + fail_unless(res != NULL, "Failed to handle whitespace argument: %s", +@@ -723,6 +727,7 @@ START_TEST (get_word_test) { + ok = "foo"; + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + ++ mark_point(); + str = pstrdup(p, " # foo"); + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle commented argument"); +@@ -742,6 +747,8 @@ START_TEST (get_word_test) { + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + + /* Test multiple embedded quotes. */ ++ ++ mark_point(); + str = pstrdup(p, "foo \"bar baz\" qux \"quz norf\""); + res = pr_str_get_word(&str, 0); + fail_unless(res != NULL, "Failed to handle quoted argument: %s", +@@ -770,6 +777,47 @@ START_TEST (get_word_test) { + + ok = "quz norf"; + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ ++ /* Test embedded quotes with backslashes (Issue #1683). */ ++ mark_point(); ++ ++ str = pstrdup(p, "\"\\\\SYST\""); ++ res = pr_str_get_word(&str, 0); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ ++ ok = "\\SYST"; ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ mark_point(); ++ str = pstrdup(p, "\"\"\\\\SYST"); ++ res = pr_str_get_word(&str, 0); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ ++ /* Note that pr_str_get_word() is intended to be called multiple times ++ * on an advancing buffer, effectively tokenizing the buffer. This is ++ * why the function does NOT decrement its quote mode. ++ */ ++ ok = ""; ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ /* Now do the same tests with the IGNORE_QUOTES flag */ ++ mark_point(); ++ ++ str = ok = pstrdup(p, "\"\\\\SYST\""); ++ res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ mark_point(); ++ str = ok = pstrdup(p, "\"\"\\\\SYST"); ++ res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + } + END_TEST + +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb index 1e4697a633..aa1f9e4ef9 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb @@ -12,6 +12,8 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \ file://contrib.patch \ file://build_fixup.patch \ file://proftpd.service \ + file://CVE-2021-46854.patch \ + file://CVE-2023-51713.patch \ " SRC_URI[md5sum] = "13270911c42aac842435f18205546a1b" SRC_URI[sha256sum] = "91ef74b143495d5ff97c4d4770c6804072a8c8eb1ad1ecc8cc541b40e152ecaf" diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch new file mode 100644 index 0000000000..b11721041e --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch @@ -0,0 +1,608 @@ +Partial backport of: + +From 6ea12e8fb590ac6959e9356a81aa3370576568c3 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Tue, 26 Jul 2022 15:05:54 +0000 +Subject: [PATCH] Remove support for Gopher protocol (#1092) + +Gopher code quality remains too low for production use in most +environments. The code is a persistent source of vulnerabilities and +fixing it requires significant effort. We should not be spending scarce +Project resources on improving that code, especially given the lack of +strong demand for Gopher support. + +With this change, Gopher requests will be handled like any other request +with an unknown (to Squid) protocol. For example, HTTP requests with +Gopher URI scheme result in ERR_UNSUP_REQ. + +Default Squid configuration still considers TCP port 70 "safe". The +corresponding Safe_ports ACL rule has not been removed for consistency +sake: We consider WAIS port safe even though Squid refuses to forward +WAIS requests: + + acl Safe_ports port 70 # gopher + acl Safe_ports port 210 # wais + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46728.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3] +CVE: CVE-2023-46728 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + doc/Programming-Guide/Groups.dox | 5 - + doc/debug-sections.txt | 1 - + doc/manuals/de.po | 2 +- + doc/manuals/en.po | 2 +- + doc/manuals/en_AU.po | 2 +- + doc/manuals/es.po | 2 +- + doc/manuals/fr.po | 2 +- + doc/manuals/it.po | 2 +- + errors/af.po | 6 +- + errors/az.po | 6 +- + errors/bg.po | 6 +- + errors/ca.po | 6 +- + errors/cs.po | 6 +- + errors/da.po | 6 +- + errors/de.po | 6 +- + errors/el.po | 4 +- + errors/en.po | 6 +- + errors/errorpage.css | 2 +- + errors/es-mx.po | 3 +- + errors/es.po | 4 +- + errors/et.po | 6 +- + errors/fi.po | 7 +- + errors/fr.po | 6 +- + errors/he.po | 6 +- + errors/hu.po | 6 +- + errors/hy.po | 6 +- + errors/it.po | 4 +- + errors/ja.po | 6 +- + errors/ko.po | 6 +- + errors/lt.po | 6 +- + errors/lv.po | 6 +- + errors/nl.po | 6 +- + errors/pl.po | 6 +- + errors/pt-br.po | 6 +- + errors/pt.po | 6 +- + errors/ro.po | 4 +- + errors/ru.po | 6 +- + errors/sk.po | 6 +- + errors/sl.po | 6 +- + errors/sr-latn.po | 4 +- + errors/sv.po | 6 +- + errors/templates/ERR_UNSUP_REQ | 2 +- + errors/tr.po | 6 +- + errors/uk.po | 6 +- + errors/vi.po | 4 +- + errors/zh-hans.po | 6 +- + errors/zh-hant.po | 7 +- + src/FwdState.cc | 5 - + src/HttpRequest.cc | 6 - + src/IoStats.h | 2 +- + src/Makefile.am | 8 - + src/adaptation/ecap/Host.cc | 1 - + src/adaptation/ecap/MessageRep.cc | 2 - + src/anyp/ProtocolType.h | 1 - + src/anyp/Uri.cc | 1 - + src/anyp/UriScheme.cc | 3 - + src/cf.data.pre | 5 +- + src/client_side_request.cc | 4 - + src/error/forward.h | 2 +- + src/gopher.cc | 993 ----------------------- + src/gopher.h | 29 - + src/http/Message.h | 1 - + src/mgr/IoAction.cc | 3 - + src/mgr/IoAction.h | 2 - + src/squid.8.in | 2 +- + src/stat.cc | 19 - + src/tests/Stub.am | 1 - + src/tests/stub_gopher.cc | 17 - + test-suite/squidconf/regressions-3.4.0.1 | 1 - + 69 files changed, 88 insertions(+), 1251 deletions(-) + delete mode 100644 src/gopher.cc + delete mode 100644 src/gopher.h + delete mode 100644 src/tests/stub_gopher.cc + +--- a/src/FwdState.cc ++++ b/src/FwdState.cc +@@ -28,7 +28,6 @@ + #include "fde.h" + #include "FwdState.h" + #include "globals.h" +-#include "gopher.h" + #include "hier_code.h" + #include "http.h" + #include "http/Stream.h" +@@ -1004,10 +1003,6 @@ FwdState::dispatch() + httpStart(this); + break; + +- case AnyP::PROTO_GOPHER: +- gopherStart(this); +- break; +- + case AnyP::PROTO_FTP: + if (request->flags.ftpNative) + Ftp::StartRelay(this); +--- a/src/HttpRequest.cc ++++ b/src/HttpRequest.cc +@@ -18,7 +18,6 @@ + #include "Downloader.h" + #include "err_detail_type.h" + #include "globals.h" +-#include "gopher.h" + #include "http.h" + #include "http/one/RequestParser.h" + #include "http/Stream.h" +@@ -556,11 +555,6 @@ HttpRequest::maybeCacheable() + return false; + break; + +- case AnyP::PROTO_GOPHER: +- if (!gopherCachable(this)) +- return false; +- break; +- + case AnyP::PROTO_CACHE_OBJECT: + return false; + +--- a/src/IoStats.h ++++ b/src/IoStats.h +@@ -22,7 +22,7 @@ public: + int writes; + int write_hist[histSize]; + } +- Http, Ftp, Gopher; ++ Http, Ftp; + }; + + #endif /* SQUID_IOSTATS_H_ */ +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -306,8 +306,6 @@ squid_SOURCES = \ + FwdState.h \ + Generic.h \ + globals.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + helper.h \ + hier_code.h \ +@@ -1259,8 +1257,6 @@ tests_testCacheManager_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + hier_code.h \ + helper.cc \ + $(HTCPSOURCE) \ +@@ -1678,8 +1674,6 @@ tests_testEvent_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -1914,8 +1908,6 @@ tests_testEventLoop_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -2145,8 +2137,6 @@ tests_test_http_range_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -2461,8 +2451,6 @@ tests_testHttpRequest_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -3307,8 +3295,6 @@ tests_testURL_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +--- a/src/adaptation/ecap/Host.cc ++++ b/src/adaptation/ecap/Host.cc +@@ -49,7 +49,6 @@ Adaptation::Ecap::Host::Host() + libecap::protocolHttp.assignHostId(AnyP::PROTO_HTTP); + libecap::protocolHttps.assignHostId(AnyP::PROTO_HTTPS); + libecap::protocolFtp.assignHostId(AnyP::PROTO_FTP); +- libecap::protocolGopher.assignHostId(AnyP::PROTO_GOPHER); + libecap::protocolWais.assignHostId(AnyP::PROTO_WAIS); + libecap::protocolUrn.assignHostId(AnyP::PROTO_URN); + libecap::protocolWhois.assignHostId(AnyP::PROTO_WHOIS); +--- a/src/adaptation/ecap/MessageRep.cc ++++ b/src/adaptation/ecap/MessageRep.cc +@@ -140,8 +140,6 @@ Adaptation::Ecap::FirstLineRep::protocol + return libecap::protocolHttps; + case AnyP::PROTO_FTP: + return libecap::protocolFtp; +- case AnyP::PROTO_GOPHER: +- return libecap::protocolGopher; + case AnyP::PROTO_WAIS: + return libecap::protocolWais; + case AnyP::PROTO_WHOIS: +--- a/src/anyp/ProtocolType.h ++++ b/src/anyp/ProtocolType.h +@@ -27,7 +27,6 @@ typedef enum { + PROTO_HTTPS, + PROTO_COAP, + PROTO_COAPS, +- PROTO_GOPHER, + PROTO_WAIS, + PROTO_CACHE_OBJECT, + PROTO_ICP, +--- a/src/anyp/Uri.cc ++++ b/src/anyp/Uri.cc +@@ -852,8 +852,6 @@ urlCheckRequest(const HttpRequest * r) + if (r->method == Http::METHOD_PUT) + rc = 1; + +- case AnyP::PROTO_GOPHER: +- + case AnyP::PROTO_WAIS: + + case AnyP::PROTO_WHOIS: +--- a/src/anyp/UriScheme.cc ++++ b/src/anyp/UriScheme.cc +@@ -87,9 +87,6 @@ AnyP::UriScheme::defaultPort() const + // Assuming IANA policy of allocating same port for base and TLS protocol versions will occur. + return 5683; + +- case AnyP::PROTO_GOPHER: +- return 70; +- + case AnyP::PROTO_WAIS: + return 210; + +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -33,7 +33,6 @@ + #include "fd.h" + #include "fde.h" + #include "format/Token.h" +-#include "gopher.h" + #include "helper.h" + #include "helper/Reply.h" + #include "http.h" +@@ -965,9 +964,6 @@ clientHierarchical(ClientHttpRequest * h + if (request->url.getScheme() == AnyP::PROTO_HTTP) + return method.respMaybeCacheable(); + +- if (request->url.getScheme() == AnyP::PROTO_GOPHER) +- return gopherCachable(request); +- + if (request->url.getScheme() == AnyP::PROTO_CACHE_OBJECT) + return 0; + +--- a/src/err_type.h ++++ b/src/err_type.h +@@ -65,7 +65,7 @@ typedef enum { + ERR_GATEWAY_FAILURE, + + /* Special Cases */ +- ERR_DIR_LISTING, /* Display of remote directory (FTP, Gopher) */ ++ ERR_DIR_LISTING, /* Display of remote directory (FTP) */ + ERR_SQUID_SIGNATURE, /* not really an error */ + ERR_SHUTTING_DOWN, + ERR_PROTOCOL_UNKNOWN, +--- a/src/HttpMsg.h ++++ b/src/HttpMsg.h +@@ -38,7 +38,6 @@ public: + srcFtp = 1 << (16 + 1), ///< ftp_port or FTP server + srcIcap = 1 << (16 + 2), ///< traditional ICAP service without encryption + srcEcap = 1 << (16 + 3), ///< eCAP service that uses insecure libraries/daemons +- srcGopher = 1 << (16 + 14), ///< Gopher server + srcWhois = 1 << (16 + 15), ///< Whois server + srcUnsafe = 0xFFFF0000, ///< Unsafe sources mask + srcSafe = 0x0000FFFF ///< Safe sources mask +--- a/src/mgr/IoAction.cc ++++ b/src/mgr/IoAction.cc +@@ -35,9 +35,6 @@ Mgr::IoActionData::operator += (const Io + ftp_reads += stats.ftp_reads; + for (int i = 0; i < IoStats::histSize; ++i) + ftp_read_hist[i] += stats.ftp_read_hist[i]; +- gopher_reads += stats.gopher_reads; +- for (int i = 0; i < IoStats::histSize; ++i) +- gopher_read_hist[i] += stats.gopher_read_hist[i]; + + return *this; + } +--- a/src/mgr/IoAction.h ++++ b/src/mgr/IoAction.h +@@ -27,10 +27,8 @@ public: + public: + double http_reads; + double ftp_reads; +- double gopher_reads; + double http_read_hist[IoStats::histSize]; + double ftp_read_hist[IoStats::histSize]; +- double gopher_read_hist[IoStats::histSize]; + }; + + /// implement aggregated 'io' action +--- a/src/stat.cc ++++ b/src/stat.cc +@@ -206,12 +206,6 @@ GetIoStats(Mgr::IoActionData& stats) + for (i = 0; i < IoStats::histSize; ++i) { + stats.ftp_read_hist[i] = IOStats.Ftp.read_hist[i]; + } +- +- stats.gopher_reads = IOStats.Gopher.reads; +- +- for (i = 0; i < IoStats::histSize; ++i) { +- stats.gopher_read_hist[i] = IOStats.Gopher.read_hist[i]; +- } + } + + void +@@ -245,19 +239,6 @@ DumpIoStats(Mgr::IoActionData& stats, St + } + + storeAppendPrintf(sentry, "\n"); +- storeAppendPrintf(sentry, "Gopher I/O\n"); +- storeAppendPrintf(sentry, "number of reads: %.0f\n", stats.gopher_reads); +- storeAppendPrintf(sentry, "Read Histogram:\n"); +- +- for (i = 0; i < IoStats::histSize; ++i) { +- storeAppendPrintf(sentry, "%5d-%5d: %9.0f %2.0f%%\n", +- i ? (1 << (i - 1)) + 1 : 1, +- 1 << i, +- stats.gopher_read_hist[i], +- Math::doublePercent(stats.gopher_read_hist[i], stats.gopher_reads)); +- } +- +- storeAppendPrintf(sentry, "\n"); + } + + static const char * +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -263,7 +263,7 @@ am__squid_SOURCES_DIST = AclRegs.cc Auth + ExternalACL.h ExternalACLEntry.cc ExternalACLEntry.h \ + FadingCounter.h FadingCounter.cc fatal.h fatal.cc fd.h fd.cc \ + fde.cc fde.h FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h Generic.h globals.h gopher.h gopher.cc \ ++ FwdState.cc FwdState.h Generic.h globals.h \ + helper.cc helper.h hier_code.h HierarchyLogEntry.h htcp.cc \ + htcp.h http.cc http.h HttpHeaderFieldStat.h HttpHdrCc.h \ + HttpHdrCc.cc HttpHdrCc.cci HttpHdrRange.cc HttpHdrSc.cc \ +@@ -352,7 +352,7 @@ am_squid_OBJECTS = $(am__objects_1) Acce + EventLoop.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) FadingCounter.$(OBJEXT) \ + fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpHdrCc.$(OBJEXT) HttpHdrRange.$(OBJEXT) HttpHdrSc.$(OBJEXT) \ + HttpHdrScTarget.$(OBJEXT) HttpHdrContRange.$(OBJEXT) \ +@@ -539,7 +539,7 @@ am__tests_testCacheManager_SOURCES_DIST + tests/stub_ETag.cc event.cc external_acl.cc \ + ExternalACLEntry.cc fatal.h tests/stub_fatal.cc fd.h fd.cc \ + fde.cc FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h gopher.h gopher.cc hier_code.h \ ++ FwdState.cc FwdState.h hier_code.h \ + helper.cc htcp.cc htcp.h http.cc HttpBody.h HttpBody.cc \ + HttpHeader.h HttpHeader.cc HttpHeaderFieldInfo.h \ + HttpHeaderTools.h HttpHeaderTools.cc HttpHeaderFieldStat.h \ +@@ -594,7 +594,7 @@ am_tests_testCacheManager_OBJECTS = Acce + event.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) HttpHeader.$(OBJEXT) \ + HttpHeaderTools.$(OBJEXT) HttpHdrCc.$(OBJEXT) \ +@@ -838,7 +838,7 @@ am__tests_testEvent_SOURCES_DIST = Acces + EventLoop.h EventLoop.cc external_acl.cc ExternalACLEntry.cc \ + FadingCounter.cc fatal.h tests/stub_fatal.cc fd.h fd.cc fde.cc \ + FileMap.h filemap.cc fqdncache.h fqdncache.cc FwdState.cc \ +- FwdState.h gopher.h gopher.cc helper.cc hier_code.h htcp.cc \ ++ FwdState.h helper.cc hier_code.h htcp.cc \ + htcp.h http.cc HttpBody.h HttpBody.cc \ + tests/stub_HttpControlMsg.cc HttpHeader.h HttpHeader.cc \ + HttpHeaderFieldInfo.h HttpHeaderTools.h HttpHeaderTools.cc \ +@@ -891,7 +891,7 @@ am_tests_testEvent_OBJECTS = AccessLogEn + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + FadingCounter.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -975,8 +975,8 @@ am__tests_testEventLoop_SOURCES_DIST = A + tests/stub_ETag.cc EventLoop.h EventLoop.cc event.cc \ + external_acl.cc ExternalACLEntry.cc FadingCounter.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeader.h HttpHeader.cc HttpHeaderFieldInfo.h \ + HttpHeaderTools.h HttpHeaderTools.cc HttpHeaderFieldStat.h \ +@@ -1029,7 +1029,7 @@ am_tests_testEventLoop_OBJECTS = AccessL + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + FadingCounter.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -1187,7 +1187,7 @@ am__tests_testHttpRequest_SOURCES_DIST = + fs_io.cc dlink.h dlink.cc dns_internal.cc errorpage.cc \ + tests/stub_ETag.cc external_acl.cc ExternalACLEntry.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h gopher.h gopher.cc helper.cc \ ++ FwdState.cc FwdState.h helper.cc \ + hier_code.h htcp.cc htcp.h http.cc HttpBody.h HttpBody.cc \ + tests/stub_HttpControlMsg.cc HttpHeader.h HttpHeader.cc \ + HttpHeaderFieldInfo.h HttpHeaderTools.h HttpHeaderTools.cc \ +@@ -1243,7 +1243,7 @@ am_tests_testHttpRequest_OBJECTS = Acces + $(am__objects_4) errorpage.$(OBJEXT) tests/stub_ETag.$(OBJEXT) \ + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + tests/stub_fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -1670,8 +1670,8 @@ am__tests_testURL_SOURCES_DIST = AccessL + fs_io.cc dlink.h dlink.cc dns_internal.cc errorpage.cc ETag.cc \ + event.cc external_acl.cc ExternalACLEntry.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeaderFieldStat.h HttpHdrCc.h HttpHdrCc.cc HttpHdrCc.cci \ + HttpHdrContRange.cc HttpHdrRange.cc HttpHdrSc.cc \ +@@ -1725,7 +1725,7 @@ am_tests_testURL_OBJECTS = AccessLogEntr + event.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHdrCc.$(OBJEXT) HttpHdrContRange.$(OBJEXT) \ +@@ -1925,8 +1925,8 @@ am__tests_test_http_range_SOURCES_DIST = + dns_internal.cc errorpage.cc tests/stub_ETag.cc event.cc \ + FadingCounter.cc fatal.h tests/stub_libauth.cc \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeaderFieldStat.h HttpHdrCc.h HttpHdrCc.cc HttpHdrCc.cci \ + HttpHdrContRange.cc HttpHdrRange.cc HttpHdrSc.cc \ +@@ -1979,7 +1979,7 @@ am_tests_test_http_range_OBJECTS = Acces + FadingCounter.$(OBJEXT) tests/stub_libauth.$(OBJEXT) \ + tests/stub_fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) \ + filemap.$(OBJEXT) fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ +- gopher.$(OBJEXT) helper.$(OBJEXT) $(am__objects_5) \ ++ helper.$(OBJEXT) $(am__objects_5) \ + http.$(OBJEXT) HttpBody.$(OBJEXT) \ + tests/stub_HttpControlMsg.$(OBJEXT) HttpHdrCc.$(OBJEXT) \ + HttpHdrContRange.$(OBJEXT) HttpHdrRange.$(OBJEXT) \ +@@ -2131,7 +2131,7 @@ am__depfiles_remade = ./$(DEPDIR)/Access + ./$(DEPDIR)/external_acl.Po ./$(DEPDIR)/fatal.Po \ + ./$(DEPDIR)/fd.Po ./$(DEPDIR)/fde.Po ./$(DEPDIR)/filemap.Po \ + ./$(DEPDIR)/fqdncache.Po ./$(DEPDIR)/fs_io.Po \ +- ./$(DEPDIR)/globals.Po ./$(DEPDIR)/gopher.Po \ ++ ./$(DEPDIR)/globals.Po \ + ./$(DEPDIR)/helper.Po ./$(DEPDIR)/hier_code.Po \ + ./$(DEPDIR)/htcp.Po ./$(DEPDIR)/http.Po \ + ./$(DEPDIR)/icp_opcode.Po ./$(DEPDIR)/icp_v2.Po \ +@@ -3043,7 +3043,7 @@ squid_SOURCES = $(ACL_REGISTRATION_SOURC + ExternalACL.h ExternalACLEntry.cc ExternalACLEntry.h \ + FadingCounter.h FadingCounter.cc fatal.h fatal.cc fd.h fd.cc \ + fde.cc fde.h FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h Generic.h globals.h gopher.h gopher.cc \ ++ FwdState.cc FwdState.h Generic.h globals.h \ + helper.cc helper.h hier_code.h HierarchyLogEntry.h \ + $(HTCPSOURCE) http.cc http.h HttpHeaderFieldStat.h HttpHdrCc.h \ + HttpHdrCc.cc HttpHdrCc.cci HttpHdrRange.cc HttpHdrSc.cc \ +@@ -3708,8 +3708,6 @@ tests_testCacheManager_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + hier_code.h \ + helper.cc \ + $(HTCPSOURCE) \ +@@ -4134,8 +4132,6 @@ tests_testEvent_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4371,8 +4367,6 @@ tests_testEventLoop_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4604,8 +4598,6 @@ tests_test_http_range_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4924,8 +4916,6 @@ tests_testHttpRequest_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -5777,8 +5767,6 @@ tests_testURL_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -6823,7 +6811,6 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fqdncache.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fs_io.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/globals.Po@am__quote@ # am--include-marker +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gopher.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/helper.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hier_code.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/htcp.Po@am__quote@ # am--include-marker +@@ -7804,7 +7791,6 @@ distclean: distclean-recursive + -rm -f ./$(DEPDIR)/fqdncache.Po + -rm -f ./$(DEPDIR)/fs_io.Po + -rm -f ./$(DEPDIR)/globals.Po +- -rm -f ./$(DEPDIR)/gopher.Po + -rm -f ./$(DEPDIR)/helper.Po + -rm -f ./$(DEPDIR)/hier_code.Po + -rm -f ./$(DEPDIR)/htcp.Po +@@ -8129,7 +8115,6 @@ maintainer-clean: maintainer-clean-recur + -rm -f ./$(DEPDIR)/fqdncache.Po + -rm -f ./$(DEPDIR)/fs_io.Po + -rm -f ./$(DEPDIR)/globals.Po +- -rm -f ./$(DEPDIR)/gopher.Po + -rm -f ./$(DEPDIR)/helper.Po + -rm -f ./$(DEPDIR)/hier_code.Po + -rm -f ./$(DEPDIR)/htcp.Po diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch new file mode 100644 index 0000000000..5b4e370d49 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch @@ -0,0 +1,1154 @@ +Backport of: + +From 417da4006cf5c97d44e74431b816fc58fec9e270 Mon Sep 17 00:00:00 2001 +From: Eduard Bagdasaryan <eduard.bagdasaryan@measurement-factory.com> +Date: Mon, 18 Mar 2019 17:48:21 +0000 +Subject: [PATCH] Fix incremental parsing of chunked quoted extensions (#310) + +Before this change, incremental parsing of quoted chunked extensions +was broken for two reasons: + +* Http::One::Parser::skipLineTerminator() unexpectedly threw after + partially received quoted chunk extension value. + +* When Http::One::Tokenizer was unable to parse a quoted extension, + it incorrectly restored the input buffer to the beginning of the + extension value (instead of the extension itself), thus making + further incremental parsing iterations impossible. + +IMO, the reason for this problem was that Http::One::Tokenizer::qdText() +could not distinguish two cases (returning false in both): + +* the end of the quoted string not yet reached + +* an input error, e.g., wrong/unexpected character + +A possible approach could be to improve Http::One::Tokenizer, making it +aware about "needs more data" state. However, to be acceptable, +these improvements should be done in the base Parser::Tokenizer +class instead. These changes seem to be non-trivial and could be +done separately and later. + +Another approach, used here, is to simplify the complex and error-prone +chunked extensions parsing algorithm, fixing incremental parsing bugs +and still parse incrementally in almost all cases. The performance +regression could be expected only in relatively rare cases of partially +received or malformed extensions. + +Also: +* fixed parsing of partial use-original-body extension values +* do not treat an invalid use-original-body as an unknown extension +* optimization: parse use-original-body extension only in ICAP context + (i.e., where it is expected) +* improvement: added a new API to TeChunkedParser to specify known + chunked extensions list + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46846-pre1.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270] +CVE: CVE-2023-46846 #Dependency Patch1 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/adaptation/icap/ModXact.cc | 21 ++++- + src/adaptation/icap/ModXact.h | 20 +++++ + src/http/one/Parser.cc | 35 ++++---- + src/http/one/Parser.h | 10 ++- + src/http/one/RequestParser.cc | 16 ++-- + src/http/one/RequestParser.h | 8 +- + src/http/one/ResponseParser.cc | 17 ++-- + src/http/one/ResponseParser.h | 2 +- + src/http/one/TeChunkedParser.cc | 139 ++++++++++++++++++-------------- + src/http/one/TeChunkedParser.h | 41 ++++++++-- + src/http/one/Tokenizer.cc | 104 ++++++++++++------------ + src/http/one/Tokenizer.h | 89 ++++++++------------ + src/http/one/forward.h | 3 + + src/parser/BinaryTokenizer.h | 3 +- + src/parser/Makefile.am | 1 + + src/parser/Tokenizer.cc | 40 +++++++++ + src/parser/Tokenizer.h | 13 +++ + src/parser/forward.h | 22 +++++ + 18 files changed, 364 insertions(+), 220 deletions(-) + create mode 100644 src/parser/forward.h + +--- a/src/adaptation/icap/ModXact.cc ++++ b/src/adaptation/icap/ModXact.cc +@@ -25,12 +25,13 @@ + #include "comm.h" + #include "comm/Connection.h" + #include "err_detail_type.h" +-#include "http/one/TeChunkedParser.h" + #include "HttpHeaderTools.h" + #include "HttpMsg.h" + #include "HttpReply.h" + #include "HttpRequest.h" + #include "MasterXaction.h" ++#include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + #include "SquidTime.h" + + // flow and terminology: +@@ -44,6 +45,8 @@ CBDATA_NAMESPACED_CLASS_INIT(Adaptation: + + static const size_t TheBackupLimit = BodyPipe::MaxCapacity; + ++const SBuf Adaptation::Icap::ChunkExtensionValueParser::UseOriginalBodyName("use-original-body"); ++ + Adaptation::Icap::ModXact::State::State() + { + memset(this, 0, sizeof(*this)); +@@ -1108,6 +1111,7 @@ void Adaptation::Icap::ModXact::decideOn + state.parsing = State::psBody; + replyHttpBodySize = 0; + bodyParser = new Http1::TeChunkedParser; ++ bodyParser->parseExtensionValuesWith(&extensionParser); + makeAdaptedBodyPipe("adapted response from the ICAP server"); + Must(state.sending == State::sendingAdapted); + } else { +@@ -1142,9 +1146,8 @@ void Adaptation::Icap::ModXact::parseBod + } + + if (parsed) { +- if (state.readyForUob && bodyParser->useOriginBody >= 0) { +- prepPartialBodyEchoing( +- static_cast<uint64_t>(bodyParser->useOriginBody)); ++ if (state.readyForUob && extensionParser.sawUseOriginalBody()) { ++ prepPartialBodyEchoing(extensionParser.useOriginalBody()); + stopParsing(); + return; + } +@@ -2014,3 +2017,14 @@ void Adaptation::Icap::ModXactLauncher:: + } + } + ++void ++Adaptation::Icap::ChunkExtensionValueParser::parse(Tokenizer &tok, const SBuf &extName) ++{ ++ if (extName == UseOriginalBodyName) { ++ useOriginalBody_ = tok.udec64("use-original-body"); ++ assert(useOriginalBody_ >= 0); ++ } else { ++ Ignore(tok, extName); ++ } ++} ++ +--- a/src/adaptation/icap/ModXact.h ++++ b/src/adaptation/icap/ModXact.h +@@ -15,6 +15,7 @@ + #include "adaptation/icap/Xaction.h" + #include "BodyPipe.h" + #include "http/one/forward.h" ++#include "http/one/TeChunkedParser.h" + + /* + * ICAPModXact implements ICAP REQMOD and RESPMOD transaction using +@@ -105,6 +106,23 @@ private: + enum State { stDisabled, stWriting, stIeof, stDone } theState; + }; + ++/// handles ICAP-specific chunk extensions supported by Squid ++class ChunkExtensionValueParser: public Http1::ChunkExtensionValueParser ++{ ++public: ++ /* Http1::ChunkExtensionValueParser API */ ++ virtual void parse(Tokenizer &tok, const SBuf &extName) override; ++ ++ bool sawUseOriginalBody() const { return useOriginalBody_ >= 0; } ++ uint64_t useOriginalBody() const { assert(sawUseOriginalBody()); return static_cast<uint64_t>(useOriginalBody_); } ++ ++private: ++ static const SBuf UseOriginalBodyName; ++ ++ /// the value of the parsed use-original-body chunk extension (or -1) ++ int64_t useOriginalBody_ = -1; ++}; ++ + class ModXact: public Xaction, public BodyProducer, public BodyConsumer + { + CBDATA_CLASS(ModXact); +@@ -270,6 +288,8 @@ private: + + int adaptHistoryId; ///< adaptation history slot reservation + ++ ChunkExtensionValueParser extensionParser; ++ + class State + { + +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -7,10 +7,11 @@ + */ + + #include "squid.h" ++#include "base/CharacterSet.h" + #include "Debug.h" + #include "http/one/Parser.h" +-#include "http/one/Tokenizer.h" + #include "mime_header.h" ++#include "parser/Tokenizer.h" + #include "SquidConfig.h" + + /// RFC 7230 section 2.6 - 7 magic octets +@@ -61,20 +62,19 @@ Http::One::Parser::DelimiterCharacters() + RelaxedDelimiterCharacters() : CharacterSet::SP; + } + +-bool +-Http::One::Parser::skipLineTerminator(Http1::Tokenizer &tok) const ++void ++Http::One::Parser::skipLineTerminator(Tokenizer &tok) const + { + if (tok.skip(Http1::CrLf())) +- return true; ++ return; + + if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF)) +- return true; ++ return; + + if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r')) +- return false; // need more data ++ throw InsufficientInput(); + + throw TexcHere("garbage instead of CRLF line terminator"); +- return false; // unreachable, but make naive compilers happy + } + + /// all characters except the LF line terminator +@@ -102,7 +102,7 @@ LineCharacters() + void + Http::One::Parser::cleanMimePrefix() + { +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + while (tok.skipOne(RelaxedDelimiterCharacters())) { + (void)tok.skipAll(LineCharacters()); // optional line content + // LF terminator is required. +@@ -137,7 +137,7 @@ Http::One::Parser::cleanMimePrefix() + void + Http::One::Parser::unfoldMime() + { +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + const auto szLimit = mimeHeaderBlock_.length(); + mimeHeaderBlock_.clear(); + // prevent the mime sender being able to make append() realloc/grow multiple times. +@@ -228,7 +228,7 @@ Http::One::Parser::getHostHeaderField() + debugs(25, 5, "looking for " << name); + + // while we can find more LF in the SBuf +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + SBuf p; + + while (tok.prefix(p, LineCharacters())) { +@@ -250,7 +250,7 @@ Http::One::Parser::getHostHeaderField() + p.consume(namelen + 1); + + // TODO: optimize SBuf::trim to take CharacterSet directly +- Http1::Tokenizer t(p); ++ Tokenizer t(p); + t.skipAll(CharacterSet::WSP); + p = t.remaining(); + +@@ -278,10 +278,15 @@ Http::One::ErrorLevel() + } + + // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule +-bool +-Http::One::ParseBws(Tokenizer &tok) ++void ++Http::One::ParseBws(Parser::Tokenizer &tok) + { +- if (const auto count = tok.skipAll(Parser::WhitespaceCharacters())) { ++ const auto count = tok.skipAll(Parser::WhitespaceCharacters()); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); // even if count is positive ++ ++ if (count) { + // Generating BWS is a MUST-level violation so warn about it as needed. + debugs(33, ErrorLevel(), "found " << count << " BWS octets"); + // RFC 7230 says we MUST parse BWS, so we fall through even if +@@ -289,6 +294,6 @@ Http::One::ParseBws(Tokenizer &tok) + } + // else we successfully "parsed" an empty BWS sequence + +- return true; ++ // success: no more BWS characters expected + } + +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -12,6 +12,7 @@ + #include "anyp/ProtocolVersion.h" + #include "http/one/forward.h" + #include "http/StatusCode.h" ++#include "parser/forward.h" + #include "sbuf/SBuf.h" + + namespace Http { +@@ -40,6 +41,7 @@ class Parser : public RefCountable + { + public: + typedef SBuf::size_type size_type; ++ typedef ::Parser::Tokenizer Tokenizer; + + Parser() : parseStatusCode(Http::scNone), parsingStage_(HTTP_PARSE_NONE), hackExpectsMime_(false) {} + virtual ~Parser() {} +@@ -118,11 +120,11 @@ protected: + * detect and skip the CRLF or (if tolerant) LF line terminator + * consume from the tokenizer. + * +- * throws if non-terminator is detected. ++ * \throws exception on bad or InsuffientInput. + * \retval true only if line terminator found. + * \retval false incomplete or missing line terminator, need more data. + */ +- bool skipLineTerminator(Http1::Tokenizer &tok) const; ++ void skipLineTerminator(Tokenizer &) const; + + /** + * Scan to find the mime headers block for current message. +@@ -159,8 +161,8 @@ private: + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \returns true (always; unlike all the skip*() functions) +-bool ParseBws(Tokenizer &tok); ++/// \throws InsufficientInput when the end of BWS cannot be confirmed ++void ParseBws(Parser::Tokenizer &); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +--- a/src/http/one/RequestParser.cc ++++ b/src/http/one/RequestParser.cc +@@ -9,8 +9,8 @@ + #include "squid.h" + #include "Debug.h" + #include "http/one/RequestParser.h" +-#include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" ++#include "parser/Tokenizer.h" + #include "profiler/Profiler.h" + #include "SquidConfig.h" + +@@ -64,7 +64,7 @@ Http::One::RequestParser::skipGarbageLin + * RFC 7230 section 2.6, 3.1 and 3.5 + */ + bool +-Http::One::RequestParser::parseMethodField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseMethodField(Tokenizer &tok) + { + // method field is a sequence of TCHAR. + // Limit to 32 characters to prevent overly long sequences of non-HTTP +@@ -145,7 +145,7 @@ Http::One::RequestParser::RequestTargetC + } + + bool +-Http::One::RequestParser::parseUriField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseUriField(Tokenizer &tok) + { + /* Arbitrary 64KB URI upper length limit. + * +@@ -178,7 +178,7 @@ Http::One::RequestParser::parseUriField( + } + + bool +-Http::One::RequestParser::parseHttpVersionField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseHttpVersionField(Tokenizer &tok) + { + static const SBuf http1p0("HTTP/1.0"); + static const SBuf http1p1("HTTP/1.1"); +@@ -253,7 +253,7 @@ Http::One::RequestParser::skipDelimiter( + + /// Parse CRs at the end of request-line, just before the terminating LF. + bool +-Http::One::RequestParser::skipTrailingCrs(Http1::Tokenizer &tok) ++Http::One::RequestParser::skipTrailingCrs(Tokenizer &tok) + { + if (Config.onoff.relaxed_header_parser) { + (void)tok.skipAllTrailing(CharacterSet::CR); // optional; multiple OK +@@ -289,12 +289,12 @@ Http::One::RequestParser::parseRequestFi + // Earlier, skipGarbageLines() took care of any leading LFs (if allowed). + // Now, the request line has to end at the first LF. + static const CharacterSet lineChars = CharacterSet::LF.complement("notLF"); +- ::Parser::Tokenizer lineTok(buf_); ++ Tokenizer lineTok(buf_); + if (!lineTok.prefix(line, lineChars) || !lineTok.skip('\n')) { + if (buf_.length() >= Config.maxRequestHeaderSize) { + /* who should we blame for our failure to parse this line? */ + +- Http1::Tokenizer methodTok(buf_); ++ Tokenizer methodTok(buf_); + if (!parseMethodField(methodTok)) + return -1; // blame a bad method (or its delimiter) + +@@ -308,7 +308,7 @@ Http::One::RequestParser::parseRequestFi + return 0; + } + +- Http1::Tokenizer tok(line); ++ Tokenizer tok(line); + + if (!parseMethodField(tok)) + return -1; +--- a/src/http/one/RequestParser.h ++++ b/src/http/one/RequestParser.h +@@ -54,11 +54,11 @@ private: + bool doParse(const SBuf &aBuf); + + /* all these return false and set parseStatusCode on parsing failures */ +- bool parseMethodField(Http1::Tokenizer &); +- bool parseUriField(Http1::Tokenizer &); +- bool parseHttpVersionField(Http1::Tokenizer &); ++ bool parseMethodField(Tokenizer &); ++ bool parseUriField(Tokenizer &); ++ bool parseHttpVersionField(Tokenizer &); + bool skipDelimiter(const size_t count, const char *where); +- bool skipTrailingCrs(Http1::Tokenizer &tok); ++ bool skipTrailingCrs(Tokenizer &tok); + + bool http0() const {return !msgProtocol_.major;} + static const CharacterSet &RequestTargetCharacters(); +--- a/src/http/one/ResponseParser.cc ++++ b/src/http/one/ResponseParser.cc +@@ -9,8 +9,8 @@ + #include "squid.h" + #include "Debug.h" + #include "http/one/ResponseParser.h" +-#include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" ++#include "parser/Tokenizer.h" + #include "profiler/Profiler.h" + #include "SquidConfig.h" + +@@ -47,7 +47,7 @@ Http::One::ResponseParser::firstLineSize + // NP: we found the protocol version and consumed it already. + // just need the status code and reason phrase + int +-Http::One::ResponseParser::parseResponseStatusAndReason(Http1::Tokenizer &tok, const CharacterSet &WspDelim) ++Http::One::ResponseParser::parseResponseStatusAndReason(Tokenizer &tok, const CharacterSet &WspDelim) + { + if (!completedStatus_) { + debugs(74, 9, "seek status-code in: " << tok.remaining().substr(0,10) << "..."); +@@ -87,14 +87,13 @@ Http::One::ResponseParser::parseResponse + static const CharacterSet phraseChars = CharacterSet::WSP + CharacterSet::VCHAR + CharacterSet::OBSTEXT; + (void)tok.prefix(reasonPhrase_, phraseChars); // optional, no error if missing + try { +- if (skipLineTerminator(tok)) { +- debugs(74, DBG_DATA, "parse remaining buf={length=" << tok.remaining().length() << ", data='" << tok.remaining() << "'}"); +- buf_ = tok.remaining(); // resume checkpoint +- return 1; +- } ++ skipLineTerminator(tok); ++ buf_ = tok.remaining(); // resume checkpoint ++ debugs(74, DBG_DATA, Raw("leftovers", buf_.rawContent(), buf_.length())); ++ return 1; ++ } catch (const InsufficientInput &) { + reasonPhrase_.clear(); + return 0; // need more to be sure we have it all +- + } catch (const std::exception &ex) { + debugs(74, 6, "invalid status-line: " << ex.what()); + } +@@ -119,7 +118,7 @@ Http::One::ResponseParser::parseResponse + int + Http::One::ResponseParser::parseResponseFirstLine() + { +- Http1::Tokenizer tok(buf_); ++ Tokenizer tok(buf_); + + const CharacterSet &WspDelim = DelimiterCharacters(); + +--- a/src/http/one/ResponseParser.h ++++ b/src/http/one/ResponseParser.h +@@ -43,7 +43,7 @@ public: + + private: + int parseResponseFirstLine(); +- int parseResponseStatusAndReason(Http1::Tokenizer&, const CharacterSet &); ++ int parseResponseStatusAndReason(Tokenizer&, const CharacterSet &); + + /// magic prefix for identifying ICY response messages + static const SBuf IcyMagic; +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -13,10 +13,13 @@ + #include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" + #include "MemBuf.h" ++#include "parser/Tokenizer.h" + #include "Parsing.h" ++#include "sbuf/Stream.h" + #include "SquidConfig.h" + +-Http::One::TeChunkedParser::TeChunkedParser() ++Http::One::TeChunkedParser::TeChunkedParser(): ++ customExtensionValueParser(nullptr) + { + // chunked encoding only exists in HTTP/1.1 + Http1::Parser::msgProtocol_ = Http::ProtocolVersion(1,1); +@@ -31,7 +34,11 @@ Http::One::TeChunkedParser::clear() + buf_.clear(); + theChunkSize = theLeftBodySize = 0; + theOut = NULL; +- useOriginBody = -1; ++ // XXX: We do not reset customExtensionValueParser here. Based on the ++ // clear() API description, we must, but it makes little sense and could ++ // break method callers if they appear because some of them may forget to ++ // reset customExtensionValueParser. TODO: Remove Http1::Parser as our ++ // parent class and this unnecessary method with it. + } + + bool +@@ -49,14 +56,14 @@ Http::One::TeChunkedParser::parse(const + if (parsingStage_ == Http1::HTTP_PARSE_NONE) + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; + +- Http1::Tokenizer tok(buf_); ++ Tokenizer tok(buf_); + + // loop for as many chunks as we can + // use do-while instead of while so that we can incrementally + // restart in the middle of a chunk/frame + do { + +- if (parsingStage_ == Http1::HTTP_PARSE_CHUNK_EXT && !parseChunkExtension(tok, theChunkSize)) ++ if (parsingStage_ == Http1::HTTP_PARSE_CHUNK_EXT && !parseChunkMetadataSuffix(tok)) + return false; + + if (parsingStage_ == Http1::HTTP_PARSE_CHUNK && !parseChunkBody(tok)) +@@ -80,7 +87,7 @@ Http::One::TeChunkedParser::needsMoreSpa + + /// RFC 7230 section 4.1 chunk-size + bool +-Http::One::TeChunkedParser::parseChunkSize(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkSize(Tokenizer &tok) + { + Must(theChunkSize <= 0); // Should(), really + +@@ -104,66 +111,75 @@ Http::One::TeChunkedParser::parseChunkSi + return false; // should not be reachable + } + +-/** +- * Parses chunk metadata suffix, looking for interesting extensions and/or +- * getting to the line terminator. RFC 7230 section 4.1.1 and its Errata #4667: +- * +- * chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +- * chunk-ext-name = token +- * chunk-ext-val = token / quoted-string +- * +- * ICAP 'use-original-body=N' extension is supported. +- */ +-bool +-Http::One::TeChunkedParser::parseChunkExtension(Http1::Tokenizer &tok, bool skipKnown) +-{ +- SBuf ext; +- SBuf value; +- while ( +- ParseBws(tok) && // Bug 4492: IBM_HTTP_Server sends SP after chunk-size +- tok.skip(';') && +- ParseBws(tok) && // Bug 4492: ICAP servers send SP before chunk-ext-name +- tok.prefix(ext, CharacterSet::TCHAR)) { // chunk-ext-name +- +- // whole value part is optional. if no '=' expect next chunk-ext +- if (ParseBws(tok) && tok.skip('=') && ParseBws(tok)) { +- +- if (!skipKnown) { +- if (ext.cmp("use-original-body",17) == 0 && tok.int64(useOriginBody, 10)) { +- debugs(94, 3, "Found chunk extension " << ext << "=" << useOriginBody); +- buf_ = tok.remaining(); // parse checkpoint +- continue; +- } +- } +- +- debugs(94, 5, "skipping unknown chunk extension " << ext); +- +- // unknown might have a value token or quoted-string +- if (tok.quotedStringOrToken(value) && !tok.atEnd()) { +- buf_ = tok.remaining(); // parse checkpoint +- continue; +- } +- +- // otherwise need more data OR corrupt syntax +- break; +- } +- +- if (!tok.atEnd()) +- buf_ = tok.remaining(); // parse checkpoint (unless there might be more token name) +- } +- +- if (skipLineTerminator(tok)) { +- buf_ = tok.remaining(); // checkpoint +- // non-0 chunk means data, 0-size means optional Trailer follows ++/// Parses "[chunk-ext] CRLF" from RFC 7230 section 4.1.1: ++/// chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF ++/// last-chunk = 1*"0" [ chunk-ext ] CRLF ++bool ++Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) ++{ ++ // Code becomes much simpler when incremental parsing functions throw on ++ // bad or insufficient input, like in the code below. TODO: Expand up. ++ try { ++ parseChunkExtensions(tok); // a possibly empty chunk-ext list ++ skipLineTerminator(tok); ++ buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; + return true; ++ } catch (const InsufficientInput &) { ++ tok.reset(buf_); // backtrack to the last commit point ++ return false; + } ++ // other exceptions bubble up to kill message parsing ++} ++ ++/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667): ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++void ++Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok) ++{ ++ do { ++ ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + +- return false; ++ if (!tok.skip(';')) ++ return; // reached the end of extensions (if any) ++ ++ parseOneChunkExtension(tok); ++ buf_ = tok.remaining(); // got one extension ++ } while (true); ++} ++ ++void ++Http::One::ChunkExtensionValueParser::Ignore(Tokenizer &tok, const SBuf &extName) ++{ ++ const auto ignoredValue = tokenOrQuotedString(tok); ++ debugs(94, 5, extName << " with value " << ignoredValue); ++} ++ ++/// Parses a single chunk-ext list element: ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++void ++Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok) ++{ ++ ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name ++ ++ const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR); ++ ++ ParseBws(tok); ++ ++ if (!tok.skip('=')) ++ return; // parsed a valueless chunk-ext ++ ++ ParseBws(tok); ++ ++ // optimization: the only currently supported extension needs last-chunk ++ if (!theChunkSize && customExtensionValueParser) ++ customExtensionValueParser->parse(tok, extName); ++ else ++ ChunkExtensionValueParser::Ignore(tok, extName); + } + + bool +-Http::One::TeChunkedParser::parseChunkBody(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkBody(Tokenizer &tok) + { + if (theLeftBodySize > 0) { + buf_ = tok.remaining(); // sync buffers before buf_ use +@@ -188,17 +204,20 @@ Http::One::TeChunkedParser::parseChunkBo + } + + bool +-Http::One::TeChunkedParser::parseChunkEnd(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkEnd(Tokenizer &tok) + { + Must(theLeftBodySize == 0); // Should(), really + +- if (skipLineTerminator(tok)) { ++ try { ++ skipLineTerminator(tok); + buf_ = tok.remaining(); // parse checkpoint + theChunkSize = 0; // done with the current chunk + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; + return true; + } +- +- return false; ++ catch (const InsufficientInput &) { ++ return false; ++ } ++ // other exceptions bubble up to kill message parsing + } + +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -18,6 +18,26 @@ namespace Http + namespace One + { + ++using ::Parser::InsufficientInput; ++ ++// TODO: Move this class into http/one/ChunkExtensionValueParser.* ++/// A customizable parser of a single chunk extension value (chunk-ext-val). ++/// From RFC 7230 section 4.1.1 and its Errata #4667: ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++/// chunk-ext-name = token ++/// chunk-ext-val = token / quoted-string ++class ChunkExtensionValueParser ++{ ++public: ++ typedef ::Parser::Tokenizer Tokenizer; ++ ++ /// extracts and ignores the value of a named extension ++ static void Ignore(Tokenizer &tok, const SBuf &extName); ++ ++ /// extracts and then interprets (or ignores) the extension value ++ virtual void parse(Tokenizer &tok, const SBuf &extName) = 0; ++}; ++ + /** + * An incremental parser for chunked transfer coding + * defined in RFC 7230 section 4.1. +@@ -25,7 +45,7 @@ namespace One + * + * The parser shovels content bytes from the raw + * input buffer into the content output buffer, both caller-supplied. +- * Ignores chunk extensions except for ICAP's ieof. ++ * Chunk extensions like use-original-body are handled via parseExtensionValuesWith(). + * Trailers are available via mimeHeader() if wanted. + */ + class TeChunkedParser : public Http1::Parser +@@ -37,6 +57,10 @@ public: + /// set the buffer to be used to store decoded chunk data + void setPayloadBuffer(MemBuf *parsedContent) {theOut = parsedContent;} + ++ /// Instead of ignoring all chunk extension values, give the supplied ++ /// parser a chance to handle them. Only applied to last-chunk (for now). ++ void parseExtensionValuesWith(ChunkExtensionValueParser *parser) { customExtensionValueParser = parser; } ++ + bool needsMoreSpace() const; + + /* Http1::Parser API */ +@@ -45,17 +69,20 @@ public: + virtual Parser::size_type firstLineSize() const {return 0;} // has no meaning with multiple chunks + + private: +- bool parseChunkSize(Http1::Tokenizer &tok); +- bool parseChunkExtension(Http1::Tokenizer &tok, bool skipKnown); +- bool parseChunkBody(Http1::Tokenizer &tok); +- bool parseChunkEnd(Http1::Tokenizer &tok); ++ bool parseChunkSize(Tokenizer &tok); ++ bool parseChunkMetadataSuffix(Tokenizer &); ++ void parseChunkExtensions(Tokenizer &); ++ void parseOneChunkExtension(Tokenizer &); ++ bool parseChunkBody(Tokenizer &tok); ++ bool parseChunkEnd(Tokenizer &tok); + + MemBuf *theOut; + uint64_t theChunkSize; + uint64_t theLeftBodySize; + +-public: +- int64_t useOriginBody; ++ /// An optional plugin for parsing and interpreting custom chunk-ext-val. ++ /// This "visitor" object is owned by our creator. ++ ChunkExtensionValueParser *customExtensionValueParser; + }; + + } // namespace One +--- a/src/http/one/Tokenizer.cc ++++ b/src/http/one/Tokenizer.cc +@@ -8,35 +8,18 @@ + + #include "squid.h" + #include "Debug.h" ++#include "http/one/Parser.h" + #include "http/one/Tokenizer.h" ++#include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + +-bool +-Http::One::Tokenizer::quotedString(SBuf &returnedToken, const bool http1p0) ++/// Extracts quoted-string after the caller removes the initial '"'. ++/// \param http1p0 whether to prohibit \-escaped characters in quoted strings ++/// \throws InsufficientInput when input can be a token _prefix_ ++/// \returns extracted quoted string (without quotes and with chars unescaped) ++static SBuf ++parseQuotedStringSuffix(Parser::Tokenizer &tok, const bool http1p0) + { +- checkpoint(); +- +- if (!skip('"')) +- return false; +- +- return qdText(returnedToken, http1p0); +-} +- +-bool +-Http::One::Tokenizer::quotedStringOrToken(SBuf &returnedToken, const bool http1p0) +-{ +- checkpoint(); +- +- if (!skip('"')) +- return prefix(returnedToken, CharacterSet::TCHAR); +- +- return qdText(returnedToken, http1p0); +-} +- +-bool +-Http::One::Tokenizer::qdText(SBuf &returnedToken, const bool http1p0) +-{ +- // the initial DQUOTE has been skipped by the caller +- + /* + * RFC 1945 - defines qdtext: + * inclusive of LWS (which includes CR and LF) +@@ -61,12 +44,17 @@ Http::One::Tokenizer::qdText(SBuf &retur + // best we can do is a conditional reference since http1p0 value may change per-client + const CharacterSet &tokenChars = (http1p0 ? qdtext1p0 : qdtext1p1); + +- for (;;) { +- SBuf::size_type prefixLen = buf().findFirstNotOf(tokenChars); +- returnedToken.append(consume(prefixLen)); ++ SBuf parsedToken; ++ ++ while (!tok.atEnd()) { ++ SBuf qdText; ++ if (tok.prefix(qdText, tokenChars)) ++ parsedToken.append(qdText); ++ ++ if (!http1p0 && tok.skip('\\')) { // HTTP/1.1 allows quoted-pair, HTTP/1.0 does not ++ if (tok.atEnd()) ++ break; + +- // HTTP/1.1 allows quoted-pair, HTTP/1.0 does not +- if (!http1p0 && skip('\\')) { + /* RFC 7230 section 3.2.6 + * + * The backslash octet ("\") can be used as a single-octet quoting +@@ -78,32 +66,42 @@ Http::One::Tokenizer::qdText(SBuf &retur + */ + static const CharacterSet qPairChars = CharacterSet::HTAB + CharacterSet::SP + CharacterSet::VCHAR + CharacterSet::OBSTEXT; + SBuf escaped; +- if (!prefix(escaped, qPairChars, 1)) { +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; +- } +- returnedToken.append(escaped); ++ if (!tok.prefix(escaped, qPairChars, 1)) ++ throw TexcHere("invalid escaped character in quoted-pair"); ++ ++ parsedToken.append(escaped); + continue; ++ } + +- } else if (skip('"')) { +- break; // done ++ if (tok.skip('"')) ++ return parsedToken; // may be empty + +- } else if (atEnd()) { +- // need more data +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; +- } ++ if (tok.atEnd()) ++ break; + +- // else, we have an error +- debugs(24, 8, "invalid bytes for set " << tokenChars.name); +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; ++ throw TexcHere(ToSBuf("invalid bytes for set ", tokenChars.name)); + } + +- // found the whole string +- return true; ++ throw Http::One::InsufficientInput(); ++} ++ ++SBuf ++Http::One::tokenOrQuotedString(Parser::Tokenizer &tok, const bool http1p0) ++{ ++ if (tok.skip('"')) ++ return parseQuotedStringSuffix(tok, http1p0); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); ++ ++ SBuf parsedToken; ++ if (!tok.prefix(parsedToken, CharacterSet::TCHAR)) ++ throw TexcHere("invalid input while expecting an HTTP token"); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); ++ ++ // got the complete token ++ return parsedToken; + } + +--- a/src/http/one/Tokenizer.h ++++ b/src/http/one/Tokenizer.h +@@ -9,68 +9,47 @@ + #ifndef SQUID_SRC_HTTP_ONE_TOKENIZER_H + #define SQUID_SRC_HTTP_ONE_TOKENIZER_H + +-#include "parser/Tokenizer.h" ++#include "parser/forward.h" ++#include "sbuf/forward.h" + + namespace Http { + namespace One { + + /** +- * Lexical processor extended to tokenize HTTP/1.x syntax. ++ * Extracts either an HTTP/1 token or quoted-string while dealing with ++ * possibly incomplete input typical for incremental text parsers. ++ * Unescapes escaped characters in HTTP/1.1 quoted strings. + * +- * \see ::Parser::Tokenizer for more detail ++ * \param http1p0 whether to prohibit \-escaped characters in quoted strings ++ * \throws InsufficientInput as appropriate, including on unterminated tokens ++ * \returns extracted token or quoted string (without quotes) ++ * ++ * Governed by: ++ * - RFC 1945 section 2.1 ++ * " ++ * A string of text is parsed as a single word if it is quoted using ++ * double-quote marks. ++ * ++ * quoted-string = ( <"> *(qdtext) <"> ) ++ * ++ * qdtext = <any CHAR except <"> and CTLs, ++ * but including LWS> ++ * ++ * Single-character quoting using the backslash ("\") character is not ++ * permitted in HTTP/1.0. ++ * " ++ * ++ * - RFC 7230 section 3.2.6 ++ * " ++ * A string of text is parsed as a single value if it is quoted using ++ * double-quote marks. ++ * ++ * quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE ++ * qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text ++ * obs-text = %x80-FF ++ * " + */ +-class Tokenizer : public ::Parser::Tokenizer +-{ +-public: +- Tokenizer(SBuf &s) : ::Parser::Tokenizer(s), savedStats_(0) {} +- +- /** +- * Attempt to parse a quoted-string lexical construct. +- * +- * Governed by: +- * - RFC 1945 section 2.1 +- * " +- * A string of text is parsed as a single word if it is quoted using +- * double-quote marks. +- * +- * quoted-string = ( <"> *(qdtext) <"> ) +- * +- * qdtext = <any CHAR except <"> and CTLs, +- * but including LWS> +- * +- * Single-character quoting using the backslash ("\") character is not +- * permitted in HTTP/1.0. +- * " +- * +- * - RFC 7230 section 3.2.6 +- * " +- * A string of text is parsed as a single value if it is quoted using +- * double-quote marks. +- * +- * quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE +- * qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text +- * obs-text = %x80-FF +- * " +- * +- * \param escaped HTTP/1.0 does not permit \-escaped characters +- */ +- bool quotedString(SBuf &value, const bool http1p0 = false); +- +- /** +- * Attempt to parse a (token / quoted-string ) lexical construct. +- */ +- bool quotedStringOrToken(SBuf &value, const bool http1p0 = false); +- +-private: +- /// parse the internal component of a quote-string, and terminal DQUOTE +- bool qdText(SBuf &value, const bool http1p0); +- +- void checkpoint() { savedCheckpoint_ = buf(); savedStats_ = parsedSize(); } +- void restoreLastCheckpoint() { undoParse(savedCheckpoint_, savedStats_); } +- +- SBuf savedCheckpoint_; +- SBuf::size_type savedStats_; +-}; ++SBuf tokenOrQuotedString(Parser::Tokenizer &tok, const bool http1p0 = false); + + } // namespace One + } // namespace Http +--- a/src/http/one/forward.h ++++ b/src/http/one/forward.h +@@ -10,6 +10,7 @@ + #define SQUID_SRC_HTTP_ONE_FORWARD_H + + #include "base/RefCount.h" ++#include "parser/forward.h" + #include "sbuf/forward.h" + + namespace Http { +@@ -31,6 +32,8 @@ typedef RefCount<Http::One::ResponsePars + /// CRLF textual representation + const SBuf &CrLf(); + ++using ::Parser::InsufficientInput; ++ + } // namespace One + } // namespace Http + +--- a/src/parser/BinaryTokenizer.h ++++ b/src/parser/BinaryTokenizer.h +@@ -9,6 +9,7 @@ + #ifndef SQUID_SRC_PARSER_BINARYTOKENIZER_H + #define SQUID_SRC_PARSER_BINARYTOKENIZER_H + ++#include "parser/forward.h" + #include "sbuf/SBuf.h" + + namespace Parser +@@ -44,7 +45,7 @@ public: + class BinaryTokenizer + { + public: +- class InsufficientInput {}; // thrown when a method runs out of data ++ typedef ::Parser::InsufficientInput InsufficientInput; + typedef uint64_t size_type; // enough for the largest supported offset + + BinaryTokenizer(); +--- a/src/parser/Makefile.am ++++ b/src/parser/Makefile.am +@@ -13,6 +13,7 @@ noinst_LTLIBRARIES = libparser.la + libparser_la_SOURCES = \ + BinaryTokenizer.h \ + BinaryTokenizer.cc \ ++ forward.h \ + Tokenizer.h \ + Tokenizer.cc + +--- a/src/parser/Tokenizer.cc ++++ b/src/parser/Tokenizer.cc +@@ -10,7 +10,9 @@ + + #include "squid.h" + #include "Debug.h" ++#include "parser/forward.h" + #include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + + #include <cerrno> + #if HAVE_CTYPE_H +@@ -96,6 +98,23 @@ Parser::Tokenizer::prefix(SBuf &returned + return true; + } + ++SBuf ++Parser::Tokenizer::prefix(const char *description, const CharacterSet &tokenChars, const SBuf::size_type limit) ++{ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ SBuf result; ++ ++ if (!prefix(result, tokenChars, limit)) ++ throw TexcHere(ToSBuf("cannot parse ", description)); ++ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ return result; ++} ++ + bool + Parser::Tokenizer::suffix(SBuf &returnedToken, const CharacterSet &tokenChars, const SBuf::size_type limit) + { +@@ -283,3 +302,24 @@ Parser::Tokenizer::int64(int64_t & resul + return success(s - range.rawContent()); + } + ++int64_t ++Parser::Tokenizer::udec64(const char *description, const SBuf::size_type limit) ++{ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ int64_t result = 0; ++ ++ // Since we only support unsigned decimals, a parsing failure with a ++ // non-empty input always implies invalid/malformed input (or a buggy ++ // limit=0 caller). TODO: Support signed and non-decimal integers by ++ // refactoring int64() to detect insufficient input. ++ if (!int64(result, 10, false, limit)) ++ throw TexcHere(ToSBuf("cannot parse ", description)); ++ ++ if (atEnd()) ++ throw InsufficientInput(); // more digits may be coming ++ ++ return result; ++} ++ +--- a/src/parser/Tokenizer.h ++++ b/src/parser/Tokenizer.h +@@ -143,6 +143,19 @@ public: + */ + bool int64(int64_t &result, int base = 0, bool allowSign = true, SBuf::size_type limit = SBuf::npos); + ++ /* ++ * The methods below mimic their counterparts documented above, but they ++ * throw on errors, including InsufficientInput. The field description ++ * parameter is used for error reporting and debugging. ++ */ ++ ++ /// prefix() wrapper but throws InsufficientInput if input contains ++ /// nothing but the prefix (i.e. if the prefix is not "terminated") ++ SBuf prefix(const char *description, const CharacterSet &tokenChars, SBuf::size_type limit = SBuf::npos); ++ ++ /// int64() wrapper but limited to unsigned decimal integers (for now) ++ int64_t udec64(const char *description, SBuf::size_type limit = SBuf::npos); ++ + protected: + SBuf consume(const SBuf::size_type n); + SBuf::size_type success(const SBuf::size_type n); +--- /dev/null ++++ b/src/parser/forward.h +@@ -0,0 +1,22 @@ ++/* ++ * Copyright (C) 1996-2019 The Squid Software Foundation and contributors ++ * ++ * Squid software is distributed under GPLv2+ license and includes ++ * contributions from numerous individuals and organizations. ++ * Please see the COPYING and CONTRIBUTORS files for details. ++ */ ++ ++#ifndef SQUID_PARSER_FORWARD_H ++#define SQUID_PARSER_FORWARD_H ++ ++namespace Parser { ++class Tokenizer; ++class BinaryTokenizer; ++ ++// TODO: Move this declaration (to parser/Elements.h) if we need more like it. ++/// thrown by modern "incremental" parsers when they need more data ++class InsufficientInput {}; ++} // namespace Parser ++ ++#endif /* SQUID_PARSER_FORWARD_H */ ++ diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch new file mode 100644 index 0000000000..a6d0965e7a --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch @@ -0,0 +1,169 @@ +From 05f6af2f4c85cc99323cfff6149c3d74af661b6d Mon Sep 17 00:00:00 2001 +From: Amos Jeffries <yadij@users.noreply.github.com> +Date: Fri, 13 Oct 2023 08:44:16 +0000 +Subject: [PATCH] RFC 9112: Improve HTTP chunked encoding compliance (#1498) + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46846.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/05f6af2f4c85cc99323cfff6149c3d74af661b6d] +CVE: CVE-2023-46846 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/http/one/Parser.cc | 8 +------- + src/http/one/Parser.h | 4 +--- + src/http/one/TeChunkedParser.cc | 23 ++++++++++++++++++----- + src/parser/Tokenizer.cc | 12 ++++++++++++ + src/parser/Tokenizer.h | 7 +++++++ + 5 files changed, 39 insertions(+), 15 deletions(-) + +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -65,16 +65,10 @@ Http::One::Parser::DelimiterCharacters() + void + Http::One::Parser::skipLineTerminator(Tokenizer &tok) const + { +- if (tok.skip(Http1::CrLf())) +- return; +- + if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF)) + return; + +- if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r')) +- throw InsufficientInput(); +- +- throw TexcHere("garbage instead of CRLF line terminator"); ++ tok.skipRequired("line-terminating CRLF", Http1::CrLf()); + } + + /// all characters except the LF line terminator +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -120,9 +120,7 @@ protected: + * detect and skip the CRLF or (if tolerant) LF line terminator + * consume from the tokenizer. + * +- * \throws exception on bad or InsuffientInput. +- * \retval true only if line terminator found. +- * \retval false incomplete or missing line terminator, need more data. ++ * \throws exception on bad or InsufficientInput + */ + void skipLineTerminator(Tokenizer &) const; + +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -91,6 +91,11 @@ Http::One::TeChunkedParser::parseChunkSi + { + Must(theChunkSize <= 0); // Should(), really + ++ static const SBuf bannedHexPrefixLower("0x"); ++ static const SBuf bannedHexPrefixUpper("0X"); ++ if (tok.skip(bannedHexPrefixLower) || tok.skip(bannedHexPrefixUpper)) ++ throw TextException("chunk starts with 0x", Here()); ++ + int64_t size = -1; + if (tok.int64(size, 16, false) && !tok.atEnd()) { + if (size < 0) +@@ -121,7 +126,7 @@ Http::One::TeChunkedParser::parseChunkMe + // bad or insufficient input, like in the code below. TODO: Expand up. + try { + parseChunkExtensions(tok); // a possibly empty chunk-ext list +- skipLineTerminator(tok); ++ tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; + return true; +@@ -132,12 +137,14 @@ Http::One::TeChunkedParser::parseChunkMe + // other exceptions bubble up to kill message parsing + } + +-/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667): ++/// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) + void +-Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { + do { ++ auto tok = callerTok; ++ + ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + + if (!tok.skip(';')) +@@ -145,6 +152,7 @@ Http::One::TeChunkedParser::parseChunkEx + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension ++ callerTok = tok; + } while (true); + } + +@@ -158,11 +166,14 @@ Http::One::ChunkExtensionValueParser::Ig + /// Parses a single chunk-ext list element: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) + void +-Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok) ++Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &callerTok) + { ++ auto tok = callerTok; ++ + ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name + + const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR); ++ callerTok = tok; // in case we determine that this is a valueless chunk-ext + + ParseBws(tok); + +@@ -176,6 +187,8 @@ Http::One::TeChunkedParser::parseOneChun + customExtensionValueParser->parse(tok, extName); + else + ChunkExtensionValueParser::Ignore(tok, extName); ++ ++ callerTok = tok; + } + + bool +@@ -209,7 +222,7 @@ Http::One::TeChunkedParser::parseChunkEn + Must(theLeftBodySize == 0); // Should(), really + + try { +- skipLineTerminator(tok); ++ tok.skipRequired("chunk CRLF", Http1::CrLf()); + buf_ = tok.remaining(); // parse checkpoint + theChunkSize = 0; // done with the current chunk + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; +--- a/src/parser/Tokenizer.cc ++++ b/src/parser/Tokenizer.cc +@@ -147,6 +147,18 @@ Parser::Tokenizer::skipAll(const Charact + return success(prefixLen); + } + ++void ++Parser::Tokenizer::skipRequired(const char *description, const SBuf &tokenToSkip) ++{ ++ if (skip(tokenToSkip) || tokenToSkip.isEmpty()) ++ return; ++ ++ if (tokenToSkip.startsWith(buf_)) ++ throw InsufficientInput(); ++ ++ throw TextException(ToSBuf("cannot skip ", description), Here()); ++} ++ + bool + Parser::Tokenizer::skipOne(const CharacterSet &chars) + { +--- a/src/parser/Tokenizer.h ++++ b/src/parser/Tokenizer.h +@@ -115,6 +115,13 @@ public: + */ + SBuf::size_type skipAll(const CharacterSet &discardables); + ++ /** skips a given character sequence (string); ++ * does nothing if the sequence is empty ++ * ++ * \throws exception on mismatching prefix or InsufficientInput ++ */ ++ void skipRequired(const char *description, const SBuf &tokenToSkip); ++ + /** Removes a single trailing character from the set. + * + * \return whether a character was removed diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch new file mode 100644 index 0000000000..d9f29569d1 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch @@ -0,0 +1,47 @@ +From 052cf082b0faaef4eaaa4e94119d7a1437aac4a3 Mon Sep 17 00:00:00 2001 +From: squidadm <squidadm@users.noreply.github.com> +Date: Wed, 18 Oct 2023 04:50:56 +1300 +Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization + (#1517) + +The bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html +where it was filed as "Stack Buffer Overflow in Digest Authentication". + +--------- + +Co-authored-by: Alex Bason <nonsleepr@gmail.com> +Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com> + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/052cf082b0faaef4eaaa4e94119d7a1437aac4a3] +CVE: CVE-2023-46847 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/auth/digest/Config.cc | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc +index 2d25fee..4c206e1 100644 +--- a/src/auth/digest/Config.cc ++++ b/src/auth/digest/Config.cc +@@ -862,11 +862,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm) + break; + + case DIGEST_NC: +- if (value.size() != 8) { ++ if (value.size() == 8) { ++ // for historical reasons, the nc value MUST be exactly 8 bytes ++ static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size"); ++ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); ++ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); ++ } else { + debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'"); ++ digest_request->nc[0] = 0; + } +- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); +- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); + break; + + case DIGEST_CNONCE: +-- +2.40.1 diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch new file mode 100644 index 0000000000..d3cc549f98 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch @@ -0,0 +1,35 @@ +From 77b3fb4df0f126784d5fd4967c28ed40eb8d521b Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Wed, 25 Oct 2023 19:41:45 +0000 +Subject: [PATCH] RFC 1123: Fix date parsing (#1538) + +The bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html +where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time +Handling". + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b] +CVE: CVE-2023-49285 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/rfc1123.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/rfc1123.c b/lib/rfc1123.c +index e5bf9a4d705..cb484cc002b 100644 +--- a/lib/rfc1123.c ++++ b/lib/rfc1123.c +@@ -50,7 +50,13 @@ make_month(const char *s) + char month[3]; + + month[0] = xtoupper(*s); ++ if (!month[0]) ++ return -1; // protects *(s + 1) below ++ + month[1] = xtolower(*(s + 1)); ++ if (!month[1]) ++ return -1; // protects *(s + 2) below ++ + month[2] = xtolower(*(s + 2)); + + for (i = 0; i < 12; i++) diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch new file mode 100644 index 0000000000..8e0bdf387c --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch @@ -0,0 +1,87 @@ +From 6014c6648a2a54a4ecb7f952ea1163e0798f9264 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Fri, 27 Oct 2023 21:27:20 +0000 +Subject: [PATCH] Exit without asserting when helper process startup fails + (#1543) + +... to dup() after fork() and before execvp(). + +Assertions are for handling program logic errors. Helper initialization +code already handled system call errors correctly (i.e. by exiting the +newly created helper process with an error), except for a couple of +assert()s that could be triggered by dup(2) failures. + +This bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/ipc-assert.html +where it was filed as 'Assertion in Squid "Helper" Process Creator'. + +Origin: http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264] +CVE: CVE-2023-49286 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/ipc.cc | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +--- a/src/ipc.cc ++++ b/src/ipc.cc +@@ -20,6 +20,12 @@ + #include "SquidIpc.h" + #include "tools.h" + ++#include <cstdlib> ++ ++#if HAVE_UNISTD_H ++#include <unistd.h> ++#endif ++ + static const char *hello_string = "hi there\n"; + #ifndef HELLO_BUF_SZ + #define HELLO_BUF_SZ 32 +@@ -365,6 +371,22 @@ + } + + PutEnvironment(); ++ ++ // A dup(2) wrapper that reports and exits the process on errors. The ++ // exiting logic is only suitable for this child process context. ++ const auto dupOrExit = [prog,name](const int oldFd) { ++ const auto newFd = dup(oldFd); ++ if (newFd < 0) { ++ const auto savedErrno = errno; ++ debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name); ++ debugs(54, DBG_CRITICAL, "helper (CHILD) PID: " << getpid()); ++ debugs(54, DBG_CRITICAL, "helper program name: " << prog); ++ debugs(54, DBG_CRITICAL, "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno)); ++ _exit(1); ++ } ++ return newFd; ++ }; ++ + /* + * This double-dup stuff avoids problems when one of + * crfd, cwfd, or debug_log are in the rage 0-2. +@@ -372,17 +394,16 @@ + + do { + /* First make sure 0-2 is occupied by something. Gets cleaned up later */ +- x = dup(crfd); +- assert(x > -1); +- } while (x < 3 && x > -1); ++ x = dupOrExit(crfd); ++ } while (x < 3); + + close(x); + +- t1 = dup(crfd); ++ t1 = dupOrExit(crfd); + +- t2 = dup(cwfd); ++ t2 = dupOrExit(cwfd); + +- t3 = dup(fileno(debug_log)); ++ t3 = dupOrExit(fileno(debug_log)); + + assert(t1 > 2 && t2 > 2 && t3 > 2); + diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch new file mode 100644 index 0000000000..51c895e0ef --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch @@ -0,0 +1,62 @@ +From: Markus Koschany <apo@debian.org> +Date: Tue, 26 Dec 2023 19:58:12 +0100 +Subject: CVE-2023-50269 + +Bug-Debian: https://bugs.debian.org/1058721 +Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-50269.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d] +CVE: CVE-2023-50269 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/ClientRequestContext.h | 4 ++++ + src/client_side_request.cc | 17 +++++++++++++++-- + 2 files changed, 19 insertions(+), 2 deletions(-) + +--- a/src/ClientRequestContext.h ++++ b/src/ClientRequestContext.h +@@ -81,6 +81,10 @@ + #endif + ErrorState *error; ///< saved error page for centralized/delayed processing + bool readNextRequest; ///< whether Squid should read after error handling ++ ++#if FOLLOW_X_FORWARDED_FOR ++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far ++#endif + }; + + #endif /* SQUID_CLIENTREQUESTCONTEXT_H */ +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -78,6 +78,11 @@ + static const char *const crlf = "\r\n"; + + #if FOLLOW_X_FORWARDED_FOR ++ ++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX) ++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64 ++#endif ++ + static void clientFollowXForwardedForCheck(allow_t answer, void *data); + #endif /* FOLLOW_X_FORWARDED_FOR */ + +@@ -485,8 +490,16 @@ + /* override the default src_addr tested if we have to go deeper than one level into XFF */ + Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; + } +- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); +- return; ++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) { ++ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); ++ return; ++ } ++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name; ++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses"); ++ debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber); ++ debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr); ++ debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator); ++ // fall through to resume clientAccessCheck() processing + } + } + diff --git a/meta-networking/recipes-daemons/squid/squid_4.9.bb b/meta-networking/recipes-daemons/squid/squid_4.9.bb index 19949acd84..09c0a2cd7c 100644 --- a/meta-networking/recipes-daemons/squid/squid_4.9.bb +++ b/meta-networking/recipes-daemons/squid/squid_4.9.bb @@ -24,6 +24,13 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2 file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch \ file://0001-tools.cc-fixed-unused-result-warning.patch \ file://0001-splay.cc-fix-bind-is-not-a-member-of-std.patch \ + file://CVE-2023-46847.patch \ + file://CVE-2023-46728.patch \ + file://CVE-2023-46846-pre1.patch \ + file://CVE-2023-46846.patch \ + file://CVE-2023-49285.patch \ + file://CVE-2023-49286.patch \ + file://CVE-2023-50269.patch \ " SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch" diff --git a/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch b/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch deleted file mode 100644 index a9dc9dc2b7..0000000000 --- a/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch +++ /dev/null @@ -1,29 +0,0 @@ -From ce8faa3ee266ea69431805e6ed4bd7102d982508 Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" <Jason@zx2c4.com> -Date: Thu, 12 Nov 2020 09:43:38 +0100 -Subject: [PATCH] compat: SYM_FUNC_{START,END} were backported to 5.4 - -Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> - -Upstream-Status: Backport -Fixes build failure in Dunfell. - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - compat/compat-asm.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: src/compat/compat-asm.h -=================================================================== ---- src.orig/compat/compat-asm.h -+++ src/compat/compat-asm.h -@@ -40,7 +40,7 @@ - #undef pull - #endif - --#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0) -+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 76) - #define SYM_FUNC_START ENTRY - #define SYM_FUNC_END ENDPROC - #endif diff --git a/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch b/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch deleted file mode 100644 index f01cfe4e1c..0000000000 --- a/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 122f06bfd8fc7b06a0899fa9adc4ce8e06900d98 Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" <Jason@zx2c4.com> -Date: Sun, 7 Mar 2021 08:14:33 -0700 -Subject: [PATCH] compat: icmp_ndo_send functions were backported extensively - -Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> - -Upstream-Status: Backport - -Fixes build with 5.4.103 update. -/include/linux/icmpv6.h:56:6: note: previous declaration of 'icmpv6_ndo_send' was here -| 56 | void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info); - -Signed-of-by: Armin Kuster <akuster808@gmail.com> - ---- - src/compat/compat.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: src/compat/compat.h -=================================================================== ---- src.orig/compat/compat.h -+++ src/compat/compat.h -@@ -946,7 +946,7 @@ static inline int skb_ensure_writable(st - } - #endif - --#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0) -+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(5, 5, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 102) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 178) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 223) && LINUX_VERSION_CODE > KERNEL_VERSION(4, 10, 0)) || LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 259) || defined(ISRHEL8) || defined(ISUBUNTU1804) - #if IS_ENABLED(CONFIG_NF_NAT) - #include <linux/ip.h> - #include <linux/icmpv6.h> diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb deleted file mode 100644 index 9215f4a6d8..0000000000 --- a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb +++ /dev/null @@ -1,30 +0,0 @@ -require wireguard.inc - -SRCREV = "43f57dac7b8305024f83addc533c9eede6509129" - -SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat;branch=master \ - file://0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch \ - file://0001-compat-icmp_ndo_send-functions-were-backported-exten.patch " - -inherit module kernel-module-split - -DEPENDS = "virtual/kernel libmnl" - -# This module requires Linux 3.10 higher and several networking related -# configuration options. For exact kernel requirements visit: -# https://www.wireguard.io/install/#kernel-requirements - -EXTRA_OEMAKE_append = " \ - KERNELDIR=${STAGING_KERNEL_DIR} \ - " - -MAKE_TARGETS = "module" - -RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit" -MODULE_NAME = "wireguard" - -module_do_install() { - install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME} - install -m 0644 ${MODULE_NAME}.ko \ - ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko -} diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb new file mode 100644 index 0000000000..df2db15349 --- /dev/null +++ b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb @@ -0,0 +1,23 @@ +require wireguard.inc + +SRCREV = "18fbcd68a35a892527345dc5679d0b2d860ee004" + +SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat;protocol=https;branch=master" + +inherit module kernel-module-split + +DEPENDS = "virtual/kernel libmnl" + +# This module requires Linux 3.10 higher and several networking related +# configuration options. For exact kernel requirements visit: +# https://www.wireguard.io/install/#kernel-requirements + +EXTRA_OEMAKE_append = " \ + KERNELDIR=${STAGING_KERNEL_DIR} \ + " + +MAKE_TARGETS = "module" +MODULES_INSTALL_TARGET = "module-install" + +RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit" +MODULE_NAME = "wireguard" diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb index 9e486ecc34..b63ef88182 100644 --- a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb +++ b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb @@ -1,6 +1,6 @@ require wireguard.inc -SRCREV = "a8063adc8ae9b4fc9848500e93f94bee8ad2e585" +SRCREV = "3ba6527130c502144e7388b900138bca6260f4e8" SRC_URI = "git://git.zx2c4.com/wireguard-tools;branch=master" inherit bash-completion systemd pkgconfig @@ -9,7 +9,7 @@ DEPENDS += "wireguard-module libmnl" do_install () { oe_runmake DESTDIR="${D}" PREFIX="${prefix}" SYSCONFDIR="${sysconfdir}" \ - SYSTEMDUNITDIR="${systemd_unitdir}" \ + SYSTEMDUNITDIR="${systemd_system_unitdir}" \ WITH_SYSTEMDUNITS=${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'yes', '', d)} \ WITH_BASHCOMPLETION=yes \ WITH_WGQUICK=yes \ diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch new file mode 100644 index 0000000000..4e537c8859 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch @@ -0,0 +1,116 @@ +From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001 +From: Bill Fenner <fenner@gmail.com> +Date: Fri, 25 Nov 2022 08:41:24 -0800 +Subject: [PATCH ] snmp_agent: disallow SET with NULL varbind + +Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57] +CVE: CVE-2022-44792 & CVE-2022-44793 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + agent/snmp_agent.c | 32 +++++++++++++++++++ + apps/snmpset.c | 1 + + .../default/T0142snmpv2csetnull_simple | 31 ++++++++++++++++++ + 3 files changed, 64 insertions(+) + create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple + +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c +index 26653f4..eba5b4e 100644 +--- a/agent/snmp_agent.c ++++ b/agent/snmp_agent.c +@@ -3708,12 +3708,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status) + return 1; + } + ++static int ++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp) ++{ ++ int i; ++ netsnmp_variable_list *v = NULL; ++ ++ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) { ++ if (v->type == ASN_NULL) { ++ /* ++ * Protect SET implementations that do not protect themselves ++ * against wrong type. ++ */ ++ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i)); ++ asp->index = i; ++ return SNMP_ERR_WRONGTYPE; ++ } ++ } ++ return SNMP_ERR_NOERROR; ++} ++ + int + handle_pdu(netsnmp_agent_session *asp) + { + int status, inclusives = 0; + netsnmp_variable_list *v = NULL; + ++#ifndef NETSNMP_NO_WRITE_SUPPORT ++ /* ++ * Check for ASN_NULL in SET request ++ */ ++ if (asp->pdu->command == SNMP_MSG_SET) { ++ status = check_set_pdu_for_null_varbind(asp); ++ if (status != SNMP_ERR_NOERROR) { ++ return status; ++ } ++ } ++#endif /* NETSNMP_NO_WRITE_SUPPORT */ ++ + /* + * for illegal requests, mark all nodes as ASN_NULL + */ +diff --git a/apps/snmpset.c b/apps/snmpset.c +index a2374bc..cd01b9a 100644 +--- a/apps/snmpset.c ++++ b/apps/snmpset.c +@@ -182,6 +182,7 @@ main(int argc, char *argv[]) + case 'x': + case 'd': + case 'b': ++ case 'n': /* undocumented */ + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case 'I': + case 'U': +diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple +new file mode 100644 +index 0000000..0f1b8f3 +--- /dev/null ++++ b/testing/fulltests/default/T0142snmpv2csetnull_simple +@@ -0,0 +1,31 @@ ++#!/bin/sh ++ ++. ../support/simple_eval_tools.sh ++ ++HEADER SNMPv2c set of system.sysContact.0 with NULL varbind ++ ++SKIPIF NETSNMP_DISABLE_SET_SUPPORT ++SKIPIF NETSNMP_NO_WRITE_SUPPORT ++SKIPIF NETSNMP_DISABLE_SNMPV2C ++SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE ++ ++# ++# Begin test ++# ++ ++# standard V2C configuration: testcomunnity ++snmp_write_access='all' ++. ./Sv2cconfig ++STARTAGENT ++ ++CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0" ++ ++CHECK ".1.3.6.1.2.1.1.4.0 = STRING:" ++ ++CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x" ++ ++CHECK "Reason: wrongType" ++ ++STOPAGENT ++ ++FINISHED +-- +2.25.1 + diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb index 6b4b6ce8ed..79f2c1d89d 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb @@ -35,6 +35,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \ file://CVE-2020-15861-0004.patch \ file://CVE-2020-15861-0005.patch \ file://CVE-2020-15862.patch \ + file://CVE-2022-44792-CVE-2022-44793.patch \ " SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a" SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf" diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc index ab538c620e..c425b48e19 100644 --- a/meta-networking/recipes-protocols/openflow/openflow.inc +++ b/meta-networking/recipes-protocols/openflow/openflow.inc @@ -35,3 +35,7 @@ do_install_append() { # Remove /var/run as it is created on startup rm -rf ${D}${localstatedir}/run } + +# This CVE is not for this product but cve-check assumes it is +# because two CPE collides when checking the NVD database +CVE_CHECK_WHITELIST = "CVE-2018-1078" diff --git a/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch new file mode 100644 index 0000000000..bdb48a3993 --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch @@ -0,0 +1,117 @@ +From b2484f4df6414a6b3dd68b4069b79279c746cc27 Mon Sep 17 00:00:00 2001 +From: Marius Tomaschewski <mt@suse.com> +Date: Fri Nov 11 09:07:22 UTC 2022 +Subject: [PATCH] quagga: unsafe chown/chmod operations may lead to privileges escalation + +Reference: https://bugzilla.suse.com/show_bug.cgi?id=1191890 + +Patch taken from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch + +CVE: CVE-2021-44038 +Signed-off-by: Marius Tomaschewski <mt@suse.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + redhat/bgpd.service | 2 -- + redhat/isisd.service | 2 -- + redhat/ospf6d.service | 2 -- + redhat/ospfd.service | 2 -- + redhat/ripd.service | 2 -- + redhat/ripngd.service | 2 -- + redhat/zebra.service | 3 --- + 7 files changed, 15 deletions(-) + +diff --git a/redhat/bgpd.service b/redhat/bgpd.service +index a50bfff..6f46a97 100644 +--- a/redhat/bgpd.service ++++ b/redhat/bgpd.service +@@ -10,8 +10,6 @@ Documentation=man:bgpd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf + ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf + Restart=on-abort + +diff --git a/redhat/isisd.service b/redhat/isisd.service +index 93663aa..c1464c0 100644 +--- a/redhat/isisd.service ++++ b/redhat/isisd.service +@@ -10,8 +10,6 @@ Documentation=man:isisd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf + ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf + Restart=on-abort + +diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service +index 3c1c978..d493429 100644 +--- a/redhat/ospf6d.service ++++ b/redhat/ospf6d.service +@@ -10,8 +10,6 @@ Documentation=man:ospf6d + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf + ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf + Restart=on-abort + +diff --git a/redhat/ospfd.service b/redhat/ospfd.service +index 0084b6c..6c84580 100644 +--- a/redhat/ospfd.service ++++ b/redhat/ospfd.service +@@ -10,8 +10,6 @@ Documentation=man:ospfd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf + ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf + Restart=on-abort + +diff --git a/redhat/ripd.service b/redhat/ripd.service +index 103b5a9..be0f75c 100644 +--- a/redhat/ripd.service ++++ b/redhat/ripd.service +@@ -10,8 +10,6 @@ Documentation=man:ripd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf + ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf + Restart=on-abort + +diff --git a/redhat/ripngd.service b/redhat/ripngd.service +index 6fe6ba8..23447da 100644 +--- a/redhat/ripngd.service ++++ b/redhat/ripngd.service +@@ -10,8 +10,6 @@ Documentation=man:ripngd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf + ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf + Restart=on-abort + +diff --git a/redhat/zebra.service b/redhat/zebra.service +index fa5a004..e3cf0ab 100644 +--- a/redhat/zebra.service ++++ b/redhat/zebra.service +@@ -10,9 +10,6 @@ Documentation=man:zebra + Type=forking + EnvironmentFile=-/etc/sysconfig/quagga + ExecStartPre=/sbin/ip route flush proto zebra +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf +-ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf + ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf + Restart=on-abort + +-- +2.25.1 + diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc index 134a33d478..5ef3843b15 100644 --- a/meta-networking/recipes-protocols/quagga/quagga.inc +++ b/meta-networking/recipes-protocols/quagga/quagga.inc @@ -34,8 +34,8 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quagga/quagga-${PV}.tar.gz; \ file://ripd.service \ file://ripngd.service \ file://zebra.service \ + file://CVE-2021-44038.patch \ " - PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap" PACKAGECONFIG[pam] = "--with-libpam, --without-libpam, libpam" diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb index 4f8e4d4282..dcfa7406d2 100644 --- a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb +++ b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb @@ -23,3 +23,5 @@ PACKAGECONFIG[inet] = "--enable-inet,--disable-inet," PACKAGECONFIG[inet6] = "--enable-inet6,--disable-inet6," EXTRA_OECONF += "--disable-debug" + +CVE_VERSION = "0.9.3.0" diff --git a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb index d693ae9a93..4b195ededa 100644 --- a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb +++ b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f9d20a453221a1b7e32ae84694da2c37" SRCREV = "42c1aefc303fdf891fbb099ea51f00dca83ab606" SRC_URI = "\ - git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git;branch=master \ + git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git;branch=main \ file://kernel-headers.patch \ file://0005-build-don-t-ignore-CFLAGS-from-environment.patch \ file://0006-libbridge-Modifying-the-AR-to-cross-toolchain.patch \ diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch new file mode 100644 index 0000000000..b2ef22c06f --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch @@ -0,0 +1,188 @@ +From 70df9f9104c8f0661966298b58caf794b99e26e1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Thu, 22 Sep 2022 17:39:21 +0530 +Subject: [PATCH] CVE-2022-0934 + +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39] +CVE: CVE-2022-0934 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + CHANGELOG | 2 ++ + src/rfc3315.c | 48 +++++++++++++++++++++++++++--------------------- + 2 files changed, 29 insertions(+), 21 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 60b08d0..d1d7e41 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -88,6 +88,8 @@ version 2.81 + + Add --script-on-renewal option. + ++ Fix write-after-free error in DHCPv6 server code. ++ CVE-2022-0934 refers. + + version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method +diff --git a/src/rfc3315.c b/src/rfc3315.c +index b3f0a0a..eef1360 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -33,9 +33,9 @@ struct state { + unsigned int mac_len, mac_type; + }; + +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now); +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now); ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now); + static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts); + static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string); + static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string); +@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if + } + + /* This cost me blood to write, it will probably cost you blood to understand - srk. */ +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now) + { + void *end = inbuff + sz; + void *opts = inbuff + 34; +- int msg_type = *((unsigned char *)inbuff); ++ int msg_type = *inbuff; + unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; +@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 1; + } + +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now) ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now) + { + void *opt; +- int i, o, o1, start_opts; ++ int i, o, o1, start_opts, start_msg; + struct dhcp_opt *opt_cfg; + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char outmsgtype; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + v6_id.next = state->tags; + state->tags = &v6_id; + +- /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ start_msg = save_counter(-1); ++ /* copy over transaction-id */ ++ if (!put_opt6(inbuff, 4)) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; +- ++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16; ++ + /* We're going to be linking tags from all context we use. + mark them as unused so we don't link one twice and break the list */ + for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current) +@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ outmsgtype = DHCP6ADVERTISE; + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); +@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RENEW: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRENEW", NULL, NULL); + +@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + tagif = add_options(state, 1); + break; + } +@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +@@ -1251,7 +1252,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + } + + } +- ++ ++ /* Fill in the message type. Note that we store the offset, ++ not a direct pointer, since the packet memory may have been ++ reallocated. */ ++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype; ++ + log_tags(tagif, state->xid); + log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1)); + +-- +2.25.1 + diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch new file mode 100644 index 0000000000..dd3bd27408 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch @@ -0,0 +1,63 @@ +From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Tue, 7 Mar 2023 22:07:46 +0000 +Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. + +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5] +CVE: CVE-2023-28450 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + CHANGELOG | 8 ++++++++ + man/dnsmasq.8 | 3 ++- + src/config.h | 2 +- + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index d1d7e41..7a560d3 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -91,6 +91,14 @@ version 2.81 + Fix write-after-free error in DHCPv6 server code. + CVE-2022-0934 refers. + ++ Set the default maximum DNS UDP packet sice to 1232. This ++ has been the recommended value since 2020 because it's the ++ largest value that avoid fragmentation, and fragmentation ++ is just not reliable on the modern internet, especially ++ for IPv6. It's still possible to override this with ++ --edns-packet-max for special circumstances. ++ ++ + version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method + for the initial patch and motivation. +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index f2803f9..3cca4bc 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -168,7 +168,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. + .TP + .B \-P, --edns-packet-max=<size> + Specify the largest EDNS.0 UDP packet which is supported by the DNS +-forwarder. Defaults to 4096, which is the RFC5625-recommended size. ++forwarder. Defaults to 1232, which is the recommended size following the ++DNS flag day in 2020. Only increase if you know what you are doing. + .TP + .B \-Q, --query-port=<query_port> + Send outbound DNS queries from, and listen for their replies on, the +diff --git a/src/config.h b/src/config.h +index 54f6f48..29ac3e7 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -19,7 +19,7 @@ + #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ + #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ + #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ +-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ ++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ + #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */ + #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ + #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ +-- +2.18.2 + diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb index 2fb389915b..f2b8feac56 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb @@ -11,4 +11,6 @@ SRC_URI += "\ file://CVE-2020-25686-1.patch \ file://CVE-2020-25686-2.patch \ file://CVE-2021-3448.patch \ + file://CVE-2022-0934.patch \ + file://CVE-2023-28450.patch \ " diff --git a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb index 3be1313d38..0efcbec1fc 100644 --- a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb +++ b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb @@ -10,7 +10,7 @@ SECTION = "libdevel" GEOIP_DATABASE_VERSION = "20181205" -SRC_URI = "git://github.com/maxmind/geoip-api-c.git;branch=master;protocol=https \ +SRC_URI = "git://github.com/maxmind/geoip-api-c.git;branch=main;protocol=https \ http://sources.openembedded.org/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \ http://sources.openembedded.org/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \ http://sources.openembedded.org/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \ diff --git a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb index 14d743f820..1e113de519 100644 --- a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb +++ b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb @@ -16,6 +16,8 @@ SRC_URI[sha256sum] = "b55af0bbdf5acc02d1eb6ab18da2acd77a400bafd074489003f3df0967 inherit autotools +CVE_PRODUCT = "netcat_project:netcat" + do_install_append() { install -d ${D}${bindir} mv ${D}${bindir}/nc ${D}${bindir}/nc.${BPN} diff --git a/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch b/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch new file mode 100644 index 0000000000..734c6f197b --- /dev/null +++ b/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch @@ -0,0 +1,340 @@ +ntp: backport patch for 5 CVEs CVE-2023-26551/2/3/4/5 + +Upstream-Status: Backport [https://archive.ntp.org/ntp4/ntp-4.2/ntp-4.2.8p15-3806-3807.patch] +CVE: CVE-2023-26551 +CVE: CVE-2023-26552 +CVE: CVE-2023-26553 +CVE: CVE-2023-26554 +CVE: CVE-2023-26555 + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + include/ntp_fp.h | 4 +- + libntp/mstolfp.c | 108 +++++++++++++++------------------------ + ntpd/refclock_palisade.c | 50 +++++++++++++++--- + tests/libntp/strtolfp.c | 33 +++++++----- + 4 files changed, 104 insertions(+), 91 deletions(-) + +diff --git a/include/ntp_fp.h b/include/ntp_fp.h +index afd1f82..fe6e390 100644 +--- a/include/ntp_fp.h ++++ b/include/ntp_fp.h +@@ -195,9 +195,9 @@ typedef u_int32 u_fp; + do { \ + int32 add_f = (int32)(f); \ + if (add_f >= 0) \ +- M_ADD((r_i), (r_f), 0, (uint32)( add_f)); \ ++ M_ADD((r_i), (r_f), 0, (u_int32)( add_f)); \ + else \ +- M_SUB((r_i), (r_f), 0, (uint32)(-add_f)); \ ++ M_SUB((r_i), (r_f), 0, (u_int32)(-add_f)); \ + } while(0) + + #define M_ISNEG(v_i) /* v < 0 */ \ +diff --git a/libntp/mstolfp.c b/libntp/mstolfp.c +index 3dfc4ef..a906d76 100644 +--- a/libntp/mstolfp.c ++++ b/libntp/mstolfp.c +@@ -14,86 +14,58 @@ mstolfp( + l_fp *lfp + ) + { +- register const char *cp; +- register char *bp; +- register const char *cpdec; +- char buf[100]; ++ int ch, neg = 0; ++ u_int32 q, r; + + /* + * We understand numbers of the form: + * + * [spaces][-|+][digits][.][digits][spaces|\n|\0] + * +- * This is one enormous hack. Since I didn't feel like +- * rewriting the decoding routine for milliseconds, what +- * is essentially done here is to make a copy of the string +- * with the decimal moved over three places so the seconds +- * decoding routine can be used. ++ * This is kinda hack. We use 'atolfp' to do the basic parsing ++ * (after some initial checks) and then divide the result by ++ * 1000. The original implementation avoided that by ++ * hacking up the input string to move the decimal point, but ++ * that needed string manipulations prone to buffer overruns. ++ * To avoid that trouble we do the conversion first and adjust ++ * the result. + */ +- bp = buf; +- cp = str; +- while (isspace((unsigned char)*cp)) +- cp++; + +- if (*cp == '-' || *cp == '+') { +- *bp++ = *cp++; +- } +- +- if (*cp != '.' && !isdigit((unsigned char)*cp)) +- return 0; +- ++ while (isspace(ch = *(const unsigned char*)str)) ++ ++str; + +- /* +- * Search forward for the decimal point or the end of the string. +- */ +- cpdec = cp; +- while (isdigit((unsigned char)*cpdec)) +- cpdec++; +- +- /* +- * Found something. If we have more than three digits copy the +- * excess over, else insert a leading 0. +- */ +- if ((cpdec - cp) > 3) { +- do { +- *bp++ = (char)*cp++; +- } while ((cpdec - cp) > 3); +- } else { +- *bp++ = '0'; ++ switch (ch) { ++ case '-': neg = TRUE; ++ case '+': ++str; ++ default : break; + } + +- /* +- * Stick the decimal in. If we've got less than three digits in +- * front of the millisecond decimal we insert the appropriate number +- * of zeros. +- */ +- *bp++ = '.'; +- if ((cpdec - cp) < 3) { +- size_t i = 3 - (cpdec - cp); +- do { +- *bp++ = '0'; +- } while (--i > 0); +- } ++ if (!isdigit(ch = *(const unsigned char*)str) && (ch != '.')) ++ return 0; ++ if (!atolfp(str, lfp)) ++ return 0; + +- /* +- * Copy the remainder up to the millisecond decimal. If cpdec +- * is pointing at a decimal point, copy in the trailing number too. ++ /* now do a chained/overlapping division by 1000 to get from ++ * seconds to msec. 1000 is small enough to go with temporary ++ * 32bit accus for Q and R. + */ +- while (cp < cpdec) +- *bp++ = (char)*cp++; +- +- if (*cp == '.') { +- cp++; +- while (isdigit((unsigned char)*cp)) +- *bp++ = (char)*cp++; +- } +- *bp = '\0'; ++ q = lfp->l_ui / 1000u; ++ r = lfp->l_ui - (q * 1000u); ++ lfp->l_ui = q; + +- /* +- * Check to make sure the string is properly terminated. If +- * so, give the buffer to the decoding routine. +- */ +- if (*cp != '\0' && !isspace((unsigned char)*cp)) +- return 0; +- return atolfp(buf, lfp); ++ r = (r << 16) | (lfp->l_uf >> 16); ++ q = r / 1000u; ++ r = ((r - q * 1000) << 16) | (lfp->l_uf & 0x0FFFFu); ++ lfp->l_uf = q << 16; ++ q = r / 1000; ++ lfp->l_uf |= q; ++ r -= q * 1000u; ++ ++ /* fix sign */ ++ if (neg) ++ L_NEG(lfp); ++ /* round */ ++ if (r >= 500) ++ L_ADDF(lfp, (neg ? -1 : 1)); ++ return 1; + } +diff --git a/ntpd/refclock_palisade.c b/ntpd/refclock_palisade.c +index cb68255..15c21d8 100644 +--- a/ntpd/refclock_palisade.c ++++ b/ntpd/refclock_palisade.c +@@ -1225,9 +1225,9 @@ palisade_poll ( + return; /* using synchronous packet input */ + + if(up->type == CLK_PRAECIS) { +- if(write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) ++ if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) { + msyslog(LOG_ERR, "Palisade(%d) write: %m:",unit); +- else { ++ } else { + praecis_msg = 1; + return; + } +@@ -1249,20 +1249,53 @@ praecis_parse ( + + pp = peer->procptr; + +- memcpy(buf+p,rbufp->recv_space.X_recv_buffer, rbufp->recv_length); ++ if (p + rbufp->recv_length >= sizeof buf) { ++ struct palisade_unit *up; ++ up = pp->unitptr; ++ ++ /* ++ * We COULD see if there is a \r\n in the incoming ++ * buffer before it overflows, and then process the ++ * current line. ++ * ++ * Similarly, if we already have a hunk of data that ++ * we're now flushing, that will cause the line of ++ * data we're in the process of collecting to be garbage. ++ * ++ * Since we now check for this overflow and log when it ++ * happens, we're now in a better place to easily see ++ * what's going on and perhaps better choices can be made. ++ */ ++ ++ /* Do we need to log the size of the overflow? */ ++ msyslog(LOG_ERR, "Palisade(%d) praecis_parse(): input buffer overflow", ++ up->unit); ++ ++ p = 0; ++ praecis_msg = 0; ++ ++ refclock_report(peer, CEVNT_BADREPLY); ++ ++ return; ++ } ++ ++ memcpy(buf+p, rbufp->recv_buffer, rbufp->recv_length); + p += rbufp->recv_length; + +- if(buf[p-2] == '\r' && buf[p-1] == '\n') { ++ if ( p >= 2 ++ && buf[p-2] == '\r' ++ && buf[p-1] == '\n') { + buf[p-2] = '\0'; + record_clock_stats(&peer->srcadr, buf); + + p = 0; + praecis_msg = 0; + +- if (HW_poll(pp) < 0) ++ if (HW_poll(pp) < 0) { + refclock_report(peer, CEVNT_FAULT); +- ++ } + } ++ return; + } + + static void +@@ -1407,7 +1440,10 @@ HW_poll ( + + /* Edge trigger */ + if (up->type == CLK_ACUTIME) +- write (pp->io.fd, "", 1); ++ if (write (pp->io.fd, "", 1) != 1) ++ msyslog(LOG_WARNING, ++ "Palisade(%d) HW_poll: failed to send trigger: %m", ++ up->unit); + + if (ioctl(pp->io.fd, TIOCMSET, &x) < 0) { + #ifdef DEBUG +diff --git a/tests/libntp/strtolfp.c b/tests/libntp/strtolfp.c +index 6855d9b..9090159 100644 +--- a/tests/libntp/strtolfp.c ++++ b/tests/libntp/strtolfp.c +@@ -26,6 +26,13 @@ setUp(void) + return; + } + ++static const char* fmtLFP(const l_fp *e, const l_fp *a) ++{ ++ static char buf[100]; ++ snprintf(buf, sizeof(buf), "e=$%08x.%08x, a=$%08x.%08x", ++ e->l_ui, e->l_uf, a->l_ui, a->l_uf); ++ return buf; ++} + + void test_PositiveInteger(void) { + const char *str = "500"; +@@ -37,8 +44,8 @@ void test_PositiveInteger(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeInteger(void) { +@@ -54,8 +61,8 @@ void test_NegativeInteger(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_PositiveFraction(void) { +@@ -68,8 +75,8 @@ void test_PositiveFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeFraction(void) { +@@ -85,8 +92,8 @@ void test_NegativeFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_PositiveMsFraction(void) { +@@ -100,9 +107,8 @@ void test_PositiveMsFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); +- ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeMsFraction(void) { +@@ -118,9 +124,8 @@ void test_NegativeMsFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); +- ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_InvalidChars(void) { +-- +2.25.1 + diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb index 7e168825e0..1a223db6fa 100644 --- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb +++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb @@ -22,8 +22,8 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g file://sntp.service \ file://sntp \ file://ntpd.list \ + file://CVE-2023-2655x.patch \ " - SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19" inherit autotools update-rc.d useradd systemd pkgconfig @@ -61,6 +61,14 @@ PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging" PACKAGECONFIG[mdns] = "ac_cv_header_dns_sd_h=yes,ac_cv_header_dns_sd_h=no,mdns" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," +do_configure_append() { + # tests are generated but also checked-in to source control + # when CVE-2023-2655x.patch changes timestamp of test source file, Makefile detects it and tries to regenerate it + # however it fails because of missing ruby interpretter; adding ruby-native as dependency fixes it + # since the regenerated file is identical to the one from source control, touch the generated file instead of adding heavy dependency + touch ${S}/tests/libntp/run-strtolfp.c +} + do_install_append() { install -d ${D}${sysconfdir}/init.d install -m 644 ${WORKDIR}/ntp.conf ${D}${sysconfdir} diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb b/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb index 529e3912bb..55e66036b7 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb @@ -14,8 +14,11 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" -SRC_URI[md5sum] = "52863fa9b98e5a3d7f8bec1d5785a2ba" -SRC_URI[sha256sum] = "46b268ef88e67ca6de2e9f19943eb9e5ac8544e55f5c1f3af677298d03e64b6e" +SRC_URI[md5sum] = "e83d430947fb7c9ad1a174987317d1dc" +SRC_URI[sha256sum] = "66952d9c95490e5875f04c9f8fa313b5e816d1b7b4d6cda3fb2ff749ad405dee" + +# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. +CVE_CHECK_WHITELIST += "CVE-2020-7224 CVE-2020-27569" SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" SYSTEMD_AUTO_ENABLE = "disable" diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch new file mode 100644 index 0000000000..b7118ba1fb --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch @@ -0,0 +1,62 @@ +From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 28 Sep 2021 17:52:08 +0200 +Subject: [PATCH] Reject RSASSA-PSS params with negative salt length + +The `salt_len` member in the struct is of type `ssize_t` because we use +negative values for special automatic salt lengths when generating +signatures. + +Not checking this could lead to an integer overflow. The value is assigned +to the `len` field of a chunk (`size_t`), which is further used in +calculations to check the padding structure and (if that is passed by a +matching crafted signature value) eventually a memcpy() that will result +in a segmentation fault. + +Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params") +Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification") +Fixes: CVE-2021-41990 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41990] +CVE: CVE-2021-41990 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/libstrongswan/credentials/keys/signature_params.c | 6 +++++- + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c +index d89bd2c96bb5..837de8443d43 100644 +--- a/src/libstrongswan/credentials/keys/signature_params.c ++++ b/src/libstrongswan/credentials/keys/signature_params.c +@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params) + case RSASSA_PSS_PARAMS_SALT_LEN: + if (object.len) + { +- params->salt_len = (size_t)asn1_parse_integer_uint64(object); ++ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object); ++ if (params->salt_len < 0) ++ { ++ goto end; ++ } + } + break; + case RSASSA_PSS_PARAMS_TRAILER: +diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +index f9bd1d314dec..3a775090883e 100644 +--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c ++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this, + int i; + bool success = FALSE; + +- if (!params) ++ if (!params || params->salt_len < 0) + { + return FALSE; + } +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch new file mode 100644 index 0000000000..2d898fa5cf --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch @@ -0,0 +1,41 @@ +From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 28 Sep 2021 19:38:22 +0200 +Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change + +random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually +equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added +directly to that offset before applying`% CACHE_SIZE` to get an index into +the cache array. If the random value was very high, this resulted in an +integer overflow and a negative index value and, therefore, an out-of-bounds +access of the array and in turn dereferencing invalid pointers when trying +to acquire the read lock. This most likely results in a segmentation fault. + +Fixes: 764e8b2211ce ("reimplemented certificate cache") +Fixes: CVE-2021-41991 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41991] +CVE: CVE-2021-41991 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/libstrongswan/credentials/sets/cert_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c +index f1579c60a9bc..ceebb3843725 100644 +--- a/src/libstrongswan/credentials/sets/cert_cache.c ++++ b/src/libstrongswan/credentials/sets/cert_cache.c +@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this, + for (try = 0; try < REPLACE_TRIES; try++) + { + /* replace a random relation */ +- offset = random(); ++ offset = random() % CACHE_SIZE; + for (i = 0; i < CACHE_SIZE; i++) + { + rel = &this->relations[(i + offset) % CACHE_SIZE]; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch new file mode 100644 index 0000000000..97aa6a0efc --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch @@ -0,0 +1,156 @@ +From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Dec 2021 10:51:35 +0100 +Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails + +Without this, the authentication succeeded if the server sent an early +EAP-Success message for mutual, key-generating EAP methods like EAP-TLS, +which may be used in EAP-only scenarios but would complete without server +or client authentication. For clients configured for such EAP-only +scenarios, a rogue server could capture traffic after the tunnel is +established or even access hosts behind the client. For non-mutual EAP +methods, public key server authentication has been enforced for a while. + +A server previously could also crash a client by sending an EAP-Success +immediately without initiating an actual EAP method. + +Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK") +Fixes: CVE-2021-45079 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-45079/strongswan-5.5.0-5.9.4_eap_success.patch] +CVE: CVE-2021-45079 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +- + src/libcharon/plugins/eap_md5/eap_md5.c | 2 +- + src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++- + src/libcharon/sa/eap/eap_method.h | 8 ++++- + .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++--- + 5 files changed, 40 insertions(+), 8 deletions(-) + +diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c +index 95ba090b79ce..cffb6222c2f8 100644 +--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c ++++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c +@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_gtc_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, get_identifier, uint8_t, +diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c +index ab5f7ff6a823..3a92ad7c0a04 100644 +--- a/src/libcharon/plugins/eap_md5/eap_md5.c ++++ b/src/libcharon/plugins/eap_md5/eap_md5.c +@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_md5_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, is_mutual, bool, +diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c +index 2dc7a423e702..5336dead13d9 100644 +--- a/src/libcharon/plugins/eap_radius/eap_radius.c ++++ b/src/libcharon/plugins/eap_radius/eap_radius.c +@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t, + *out = msk; + return SUCCESS; + } +- return FAILED; ++ /* we assume the selected method did not establish an MSK, if it failed ++ * to establish one, process() would have failed */ ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, get_identifier, uint8_t, +diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h +index 0b5218dfec15..33564831f86e 100644 +--- a/src/libcharon/sa/eap/eap_method.h ++++ b/src/libcharon/sa/eap/eap_method.h +@@ -114,10 +114,16 @@ struct eap_method_t { + * Not all EAP methods establish a shared secret. For implementations of + * the EAP-Identity method, get_msk() returns the received identity. + * ++ * @note Returning NOT_SUPPORTED is important for implementations of EAP ++ * methods that don't establish an MSK. In particular as client because ++ * key-generating EAP methods MUST fail to process EAP-Success messages if ++ * no MSK is established. ++ * + * @param msk chunk receiving internal stored MSK + * @return +- * - SUCCESS, or ++ * - SUCCESS, if MSK is established + * - FAILED, if MSK not established (yet) ++ * - NOT_SUPPORTED, for non-MSK-establishing methods + */ + status_t (*get_msk) (eap_method_t *this, chunk_t *msk); + +diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +index e1e6cd7ee6f3..87548fc471a6 100644 +--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c ++++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + this->method->destroy(this->method); + return server_initiate_eap(this, FALSE); + } +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ switch (this->method->get_msk(this->method, &this->msk)) + { +- this->msk = chunk_clone(this->msk); ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "failed to establish MSK"); ++ goto failure; + } + if (vendor) + { +@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); + case FAILED: + default: ++failure: + /* type might have changed for virtual methods */ + type = this->method->get_type(this->method, &vendor); + if (vendor) +@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, status_t, + uint32_t vendor; + auth_cfg_t *cfg; + +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ if (!this->method) + { +- this->msk = chunk_clone(this->msk); ++ DBG1(DBG_IKE, "received unexpected %N", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; ++ } ++ switch (this->method->get_msk(this->method, &this->msk)) ++ { ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "received %N but failed to establish MSK", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; + } + type = this->method->get_type(this->method, &vendor); + if (vendor) +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch new file mode 100644 index 0000000000..66e5047125 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch @@ -0,0 +1,210 @@ +From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 22 Jul 2022 15:37:43 +0200 +Subject: [PATCH] credential-manager: Do online revocation checks only after + basic trust chain validation + +This avoids querying URLs of potentially untrusted certificates, e.g. if +an attacker sends a specially crafted end-entity and intermediate CA +certificate with a CDP that points to a server that completes the +TCP handshake but then does not send any further data, which will block +the fetcher thread (depending on the plugin) for as long as the default +timeout for TCP. Doing that multiple times will block all worker threads, +leading to a DoS attack. + +The logging during the certificate verification obviously changes. The +following example shows the output of `pki --verify` for the current +strongswan.org certificate: + +new: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + reached self-signed root ca with a path length of 1 +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... + using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good +certificate trusted, lifetimes valid, certificate not revoked + +old: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... + using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good + reached self-signed root ca with a path length of 1 +certificate trusted, lifetimes valid, certificate not revoked + +Note that this also fixes an issue with the previous dual-use of the +`trusted` flag. It not only indicated whether the chain is trusted but +also whether the current issuer is the root anchor (the corresponding +flag in the `cert_validator_t` interface is called `anchor`). This was +a problem when building multi-level trust chains for pre-trusted +end-entity certificates (i.e. where `trusted` is TRUE from the start). +This caused the main loop to get aborted after the first intermediate CA +certificate and the mentioned `anchor` flag wasn't correct in any calls +to `cert_validator_t` implementations. + +Fixes: CVE-2022-40617 + +CVE: CVE-2022-40617 +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2022-40617/strongswan-5.1.0-5.9.7_cert_online_validate.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + .../credentials/credential_manager.c | 54 +++++++++++++++---- + 1 file changed, 45 insertions(+), 9 deletions(-) + +diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c +index e93b5943a3a7..798785544e41 100644 +--- a/src/libstrongswan/credentials/credential_manager.c ++++ b/src/libstrongswan/credentials/credential_manager.c +@@ -556,7 +556,7 @@ static void cache_queue(private_credential_manager_t *this) + */ + static bool check_lifetime(private_credential_manager_t *this, + certificate_t *cert, char *label, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + time_t not_before, not_after; + cert_validator_t *validator; +@@ -571,7 +571,7 @@ static bool check_lifetime(private_credential_manager_t *this, + continue; + } + status = validator->check_lifetime(validator, cert, +- pathlen, trusted, auth); ++ pathlen, anchor, auth); + if (status != NEED_MORE) + { + break; +@@ -604,13 +604,13 @@ static bool check_lifetime(private_credential_manager_t *this, + */ + static bool check_certificate(private_credential_manager_t *this, + certificate_t *subject, certificate_t *issuer, bool online, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + cert_validator_t *validator; + enumerator_t *enumerator; + + if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) || +- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth)) ++ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth)) + { + return FALSE; + } +@@ -623,7 +623,7 @@ static bool check_certificate(private_credential_manager_t *this, + continue; + } + if (!validator->validate(validator, subject, issuer, +- online, pathlen, trusted, auth)) ++ online, pathlen, anchor, auth)) + { + enumerator->destroy(enumerator); + return FALSE; +@@ -726,6 +726,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth_cfg_t *auth; + signature_params_t *scheme; + int pathlen; ++ bool is_anchor = FALSE; + + auth = auth_cfg_create(); + get_key_strength(subject, auth); +@@ -743,7 +744,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); + DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", + issuer->get_subject(issuer)); +- trusted = TRUE; ++ trusted = is_anchor = TRUE; + } + else + { +@@ -778,11 +779,18 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, " issuer is \"%Y\"", + current->get_issuer(current)); + call_hook(this, CRED_HOOK_NO_ISSUER, current); ++ if (trusted) ++ { ++ DBG1(DBG_CFG, " reached end of incomplete trust chain for " ++ "trusted certificate \"%Y\"", ++ subject->get_subject(subject)); ++ } + break; + } + } +- if (!check_certificate(this, current, issuer, online, +- pathlen, trusted, auth)) ++ /* don't do online verification here */ ++ if (!check_certificate(this, current, issuer, FALSE, ++ pathlen, is_anchor, auth)) + { + trusted = FALSE; + issuer->destroy(issuer); +@@ -794,7 +802,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + } + current->destroy(current); + current = issuer; +- if (trusted) ++ if (is_anchor) + { + DBG1(DBG_CFG, " reached self-signed root ca with a " + "path length of %d", pathlen); +@@ -807,6 +815,34 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN); + call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject); + } ++ else if (trusted && online) ++ { ++ enumerator_t *enumerator; ++ auth_rule_t rule; ++ ++ /* do online revocation checks after basic validation of the chain */ ++ pathlen = 0; ++ current = subject; ++ enumerator = auth->create_enumerator(auth); ++ while (enumerator->enumerate(enumerator, &rule, &issuer)) ++ { ++ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT) ++ { ++ if (!check_certificate(this, current, issuer, TRUE, pathlen++, ++ rule == AUTH_RULE_CA_CERT, auth)) ++ { ++ trusted = FALSE; ++ break; ++ } ++ else if (rule == AUTH_RULE_CA_CERT) ++ { ++ break; ++ } ++ current = issuer; ++ } ++ } ++ enumerator->destroy(enumerator); ++ } + if (trusted) + { + result->merge(result, auth, FALSE); +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch new file mode 100644 index 0000000000..c0de1f1588 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch @@ -0,0 +1,46 @@ +From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 11 Jul 2023 12:12:25 +0200 +Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer + overflow + +Seems this was forgotten in the referenced commit and actually could lead +to a buffer overflow. Since charon-tkm is untrusted this isn't that +much of an issue but could at least be easily exploited for a DoS attack +as DH public values are set when handling IKE_SA_INIT requests. + +Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends") +Fixes: CVE-2023-41913 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch] +CVE: CVE-2023-41913 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +index 2b2d103d03e9..6999ad360d7e 100644 +--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c ++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool, + return TRUE; + } + +- + METHOD(diffie_hellman_t, set_other_public_value, bool, + private_tkm_diffie_hellman_t *this, chunk_t value) + { + dh_pubvalue_type othervalue; ++ ++ if (!key_exchange_verify_pubkey(this->group, value) || ++ value.len > sizeof(othervalue.data)) ++ { ++ return FALSE; ++ } + othervalue.size = value.len; + memcpy(&othervalue.data, value.ptr, value.len); + +-- +2.34.1 + diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb index 8a8809243a..9f676d0b18 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb @@ -11,6 +11,11 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://fix-funtion-parameter.patch \ file://0001-memory.h-Include-stdint.h-for-uintptr_t.patch \ file://0001-Remove-obsolete-setting-regarding-the-Standard-Outpu.patch \ + file://CVE-2021-41990.patch \ + file://CVE-2021-41991.patch \ + file://CVE-2021-45079.patch \ + file://CVE-2022-40617.patch \ + file://CVE-2023-41913.patch \ " SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29" diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch new file mode 100644 index 0000000000..5f5c68ccd6 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch @@ -0,0 +1,111 @@ +From 8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Wed, 30 Sep 2020 11:37:30 -0700 +Subject: [PATCH] Handle very large -f files by rejecting them. + +_read(), on Windows, has a 32-bit size argument and a 32-bit return +value, so reject -f files that have more than 2^31-1 characters. + +Add some #defines so that, on Windows, we use _fstati64 to get the size +of that file, to handle large files. + +Don't assume that our definition for ssize_t is the same size as size_t; +by the time we want to print the return value of the read, we know it'll +fit into an int, so just cast it to int and print it with %d. + +(cherry picked from commit faf8fb70af3a013e5d662b8283dec742fd6b1a77) + +CVE: CVE-2022-25308 +Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86] + +Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com> + +--- + netdissect-stdinc.h | 16 +++++++++++++++- + tcpdump.c | 15 ++++++++++++--- + 2 files changed, 27 insertions(+), 4 deletions(-) + +diff --git a/netdissect-stdinc.h b/netdissect-stdinc.h +index 8282c5846..9941c2a16 100644 +--- a/netdissect-stdinc.h ++++ b/netdissect-stdinc.h +@@ -149,10 +149,17 @@ + #ifdef _MSC_VER + #define stat _stat + #define open _open +-#define fstat _fstat + #define read _read + #define close _close + #define O_RDONLY _O_RDONLY ++ ++/* ++ * We define our_fstat64 as _fstati64, and define our_statb as ++ * struct _stati64, so we get 64-bit file sizes. ++ */ ++#define our_fstat _fstati64 ++#define our_statb struct _stati64 ++ + #endif /* _MSC_VER */ + + /* +@@ -211,6 +218,13 @@ typedef char* caddr_t; + + #include <arpa/inet.h> + ++/* ++ * We should have large file support enabled, if it's available, ++ * so just use fstat as our_fstat and struct stat as our_statb. ++ */ ++#define our_fstat fstat ++#define our_statb struct stat ++ + #endif /* _WIN32 */ + + #ifndef HAVE___ATTRIBUTE__ +diff --git a/tcpdump.c b/tcpdump.c +index 043bda1d7..8f27ba2a4 100644 +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -108,6 +108,7 @@ The Regents of the University of California. All rights reserved.\n"; + #endif /* HAVE_CAP_NG_H */ + #endif /* HAVE_LIBCAP_NG */ + ++#include "netdissect-stdinc.h" + #include "netdissect.h" + #include "interface.h" + #include "addrtoname.h" +@@ -861,15 +862,22 @@ read_infile(char *fname) + { + register int i, fd, cc; + register char *cp; +- struct stat buf; ++ our_statb buf; + + fd = open(fname, O_RDONLY|O_BINARY); + if (fd < 0) + error("can't open %s: %s", fname, pcap_strerror(errno)); + +- if (fstat(fd, &buf) < 0) ++ if (our_fstat(fd, &buf) < 0) + error("can't stat %s: %s", fname, pcap_strerror(errno)); + ++ /* ++ * Reject files whose size doesn't fit into an int; a filter ++ * *that* large will probably be too big. ++ */ ++ if (buf.st_size > INT_MAX) ++ error("%s is too large", fname); ++ + cp = malloc((u_int)buf.st_size + 1); + if (cp == NULL) + error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1, +@@ -878,7 +886,8 @@ read_infile(char *fname) + if (cc < 0) + error("read %s: %s", fname, pcap_strerror(errno)); + if (cc != buf.st_size) +- error("short read %s (%d != %d)", fname, cc, (int)buf.st_size); ++ error("short read %s (%d != %d)", fname, (int) cc, ++ (int)buf.st_size); + + close(fd); + /* replace "# comment" with spaces */ diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb index 2ea493863a..66bf217751 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb @@ -18,6 +18,7 @@ SRC_URI = " \ file://add-ptest.patch \ file://run-ptest \ file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \ + file://CVE-2018-16301.patch \ " SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae" diff --git a/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch new file mode 100644 index 0000000000..3ca9a831f4 --- /dev/null +++ b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch @@ -0,0 +1,37 @@ +From d3110859064b15408dbca1294dc7e31c2208504d Mon Sep 17 00:00:00 2001 +From: Gabriel Ganne <gabriel.ganne@gmail.com> +Date: Mon, 3 Aug 2020 08:26:38 +0200 +Subject: [PATCH] fix heap-buffer-overflow when DLT_JUNIPER_ETHER + +The test logic on datalen was inverted. + +Processing truncated packats should now raise a warning like the +following: + Warning: <pcap> was captured using a snaplen of 4 bytes. This may mean you have truncated packets. + +Fixes #616 #617 + +CVE: CVE-2020-24265 +CVE: CVE-2020-24266 +Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/d3110859064b15408dbca1294dc7e31c2208504d] + +Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com> +Signed-off-by: Akash Hadke <akash.hadke@kpit.com> +Signed-off-by: Akash Hadke <hadkeakash4@gmail.com> +--- + src/common/get.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/common/get.c b/src/common/get.c +index f9ee92d3..0517bf0a 100644 +--- a/src/common/get.c ++++ b/src/common/get.c +@@ -178,7 +178,7 @@ get_l2len(const u_char *pktdata, const int datalen, const int datalink) + break; + + case DLT_JUNIPER_ETHER: +- if (datalen >= 5) { ++ if (datalen < 5) { + l2_len = -1; + break; + } diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb index 39be950ad4..557d323311 100644 --- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb @@ -6,7 +6,8 @@ SECTION = "net" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=890b830b22fd632e9ffd996df20338f8" -SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz" +SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz \ + file://CVE-2020-24265-and-CVE-2020-24266.patch" SRC_URI[md5sum] = "53b52bf64f0b6b9443428e657b37bc6b" SRC_URI[sha256sum] = "ed2402caa9434ff5c74b2e7b31178c73e7c7c5c4ea1e1d0e2e39a7dc46958fde" diff --git a/meta-networking/recipes-support/traceroute/traceroute_2.1.0.bb b/meta-networking/recipes-support/traceroute/traceroute_2.1.3.bb index 19bbf03f1d..c1ad203bc0 100644 --- a/meta-networking/recipes-support/traceroute/traceroute_2.1.0.bb +++ b/meta-networking/recipes-support/traceroute/traceroute_2.1.3.bb @@ -19,8 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/traceroute/traceroute/${BP}/${BP}.tar.gz \ file://filter-out-the-patches-from-subdirs.patch \ " -SRC_URI[md5sum] = "84d329d67abc3fb83fc8cb12aeaddaba" -SRC_URI[sha256sum] = "3669d22a34d3f38ed50caba18cd525ba55c5c00d5465f2d20d7472e5d81603b6" +SRC_URI[sha256sum] = "05ebc7aba28a9100f9bbae54ceecbf75c82ccf46bdfce8b5d64806459a7e0412" EXTRA_OEMAKE = "VPATH=${STAGING_LIBDIR}" diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch new file mode 100644 index 0000000000..1fc4a5fe38 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch @@ -0,0 +1,93 @@ +From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 13 May 2023 21:45:16 -0400 +Subject: GDSDB: Make sure our offset advances. + +add_uint_string() returns the next offset to use, not the number +of bytes consumed. So to consume all the bytes and make sure the +offset advances, return the entire reported tvb length, not the +number of bytes remaining. + +Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f + +Fixes #19068 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677] +CVE: CVE-2022-0585 & CVE-2023-2879 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-gdsdb.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c +index 95fed7e..950d68f 100644 +--- a/epan/dissectors/packet-gdsdb.c ++++ b/epan/dissectors/packet-gdsdb.c +@@ -15,6 +15,7 @@ + #include "config.h" + + #include <epan/packet.h> ++#include <epan/expert.h> + + void proto_register_gdsdb(void); + void proto_reg_handoff_gdsdb(void); +@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1; + static int hf_gdsdb_sqlresponse_messages = -1; + #endif + ++static expert_field ei_gdsdb_invalid_length = EI_INIT; ++ + enum + { + op_void = 0, +@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o + offset, 4, ENC_ASCII|ENC_BIG_ENDIAN); + length = dword_align(tvb_get_ntohl(tvb, offset))+4; + proto_item_set_len(ti, length); +- return offset + length; ++ int ret_offset = offset + length; ++ if (length < 4 || ret_offset < offset) { ++ expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length); ++ return tvb_reported_length(tvb); ++ } ++ return ret_offset; + } + + static int add_byte_array(proto_tree *tree, int hf_len, int hf_byte, tvbuff_t *tvb, int offset) +@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U + offset, 4, ENC_BIG_ENDIAN); + + /* opcode < op_max */ ++ int old_offset = offset; + offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, offset+4); ++ if (offset <= old_offset) { ++ expert_add_info(NULL, ti, &ei_gdsdb_invalid_length); ++ return tvb_reported_length_remaining(tvb, old_offset); ++ } + if (offset < 0) + { + /* But at this moment we don't know how much we will need */ +@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void) + &ett_gdsdb_connect_pref + }; + ++/* Expert info */ ++ static ei_register_info ei[] = { ++ { &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", PI_MALFORMED, PI_ERROR, ++ "Invalid length", EXPFILL }}, ++ }; ++ + proto_gdsdb = proto_register_protocol( + "Firebird SQL Database Remote Protocol", + "FB/IB GDS DB", "gdsdb"); + + proto_register_field_array(proto_gdsdb, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); ++ expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb); ++ expert_register_field_array(expert_gdsdb, ei, array_length(ei)); + } + + void +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch new file mode 100644 index 0000000000..938b7cf772 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch @@ -0,0 +1,52 @@ +From 39db474f80af87449ce0f034522dccc80ed4153f Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 1 Dec 2022 20:46:15 -0500 +Subject: [PATCH] openflow_v6: Prevent infinite loops in too short ofp_stats + +The ofp_stats struct length field includes the fixed 4 bytes. +If the length is smaller than that, report the length error +and break out. In particular, a value of zero can cause +infinite loops if this isn't done. + + +(cherry picked from commit 13823bb1059cf70f401892ba1b1eaa2400cdf3db) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f] +CVE: CVE-2022-4345 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + epan/dissectors/packet-openflow_v6.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-openflow_v6.c b/epan/dissectors/packet-openflow_v6.c +index f3bd0ef..96a3233 100644 +--- a/epan/dissectors/packet-openflow_v6.c ++++ b/epan/dissectors/packet-openflow_v6.c +@@ -1118,17 +1118,23 @@ dissect_openflow_v6_oxs(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, + static int + dissect_openflow_stats_v6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, guint16 length _U_) + { ++ proto_item *ti; + guint32 stats_length; + int oxs_end; + guint32 padding; + + proto_tree_add_item(tree, hf_openflow_v6_stats_reserved, tvb, offset, 2, ENC_NA); + +- proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length); ++ ti = proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length); + + oxs_end = offset + stats_length; + offset+=4; + ++ if (stats_length < 4) { ++ expert_add_info(pinfo, ti, &ei_openflow_v6_length_too_short); ++ return offset; ++ } ++ + while (offset < oxs_end) { + offset = dissect_openflow_v6_oxs(tvb, pinfo, tree, offset, oxs_end - offset); + } +-- +2.40.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch new file mode 100644 index 0000000000..e6fc158c3a --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch @@ -0,0 +1,153 @@ +From 35418a73f7c9cefebe392b1ea0f012fccaf89801 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Wed, 19 Aug 2020 23:58:20 -0700 +Subject: [PATCH] Add format_text_string(), which gets the length with + strlen(). + +format_text(alloc, string, strlen(string)) is a common idiom; provide +format_text_string(), which does the strlen(string) for you. (Any +string used in a %s to set the text of a protocol tree item, if it was +directly extracted from the packet, should be run through a format_text +routine, to ensure that it's valid UTF-8 and that control characters are +handled correctly.) + +Update comments while we're at it. + +Change-Id: Ia8549efa1c96510ffce97178ed4ff7be4b02eb6e +Reviewed-on: https://code.wireshark.org/review/38202 +Petri-Dish: Guy Harris <gharris@sonic.net> +Tested-by: Petri Dish Buildbot +Reviewed-by: Guy Harris <gharris@sonic.net> + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/35418a73f7c9cefebe392b1ea0f012fccaf89801] +Comment: to backport fix for CVE-2023-0667, add function format_text_string(). +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/strutil.c | 33 ++++++++++++++++++++++++++++---- + epan/strutil.h | 51 ++++++++++++++++++++++++++++++++++++++++++++++---- + 2 files changed, 76 insertions(+), 8 deletions(-) + +diff --git a/epan/strutil.c b/epan/strutil.c +index 347a173..bc3b19e 100644 +--- a/epan/strutil.c ++++ b/epan/strutil.c +@@ -193,10 +193,11 @@ get_token_len(const guchar *linep, const guchar *lineend, + #define UNPOOP 0x1F4A9 + + /* +- * Given a string, expected to be in UTF-8 but possibly containing +- * invalid sequences (as it may have come from packet data), generate +- * a valid UTF-8 string from it, allocated with the specified wmem +- * allocator, that: ++ * Given a wmem scope, a not-necessarily-null-terminated string, ++ * expected to be in UTF-8 but possibly containing invalid sequences ++ * (as it may have come from packet data), and the length of the string, ++ * generate a valid UTF-8 string from it, allocated in the specified ++ * wmem scope, that: + * + * shows printable Unicode characters as themselves; + * +@@ -493,6 +494,30 @@ format_text(wmem_allocator_t* allocator, const guchar *string, size_t len) + return fmtbuf; + } + ++/** Given a wmem scope and a null-terminated string, expected to be in ++ * UTF-8 but possibly containing invalid sequences (as it may have come ++ * from packet data), and the length of the string, generate a valid ++ * UTF-8 string from it, allocated in the specified wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. ++ */ ++gchar * ++format_text_string(wmem_allocator_t* allocator, const guchar *string) ++{ ++ return format_text(allocator, string, strlen(string)); ++} ++ + /* + * Given a string, generate a string from it that shows non-printable + * characters as C-style escapes except a whitespace character +diff --git a/epan/strutil.h b/epan/strutil.h +index 2046cb0..705beb5 100644 +--- a/epan/strutil.h ++++ b/epan/strutil.h +@@ -46,18 +46,61 @@ WS_DLL_PUBLIC + int get_token_len(const guchar *linep, const guchar *lineend, + const guchar **next_token); + +-/** Given a string, generate a string from it that shows non-printable +- * characters as C-style escapes, and return a pointer to it. ++/** Given a wmem scope, a not-necessarily-null-terminated string, ++ * expected to be in UTF-8 but possibly containing invalid sequences ++ * (as it may have come from packet data), and the length of the string, ++ * generate a valid UTF-8 string from it, allocated in the specified ++ * wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. + * + * @param allocator The wmem scope +- * @param line A pointer to the input string ++ * @param string A pointer to the input string + * @param len The length of the input string + * @return A pointer to the formatted string + * + * @see tvb_format_text() + */ + WS_DLL_PUBLIC +-gchar* format_text(wmem_allocator_t* allocator, const guchar *line, size_t len); ++gchar* format_text(wmem_allocator_t* allocator, const guchar *string, size_t len); ++ ++/** Given a wmem scope and a null-terminated string, expected to be in ++ * UTF-8 but possibly containing invalid sequences (as it may have come ++ * from packet data), and the length of the string, generate a valid ++ * UTF-8 string from it, allocated in the specified wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. ++ * ++ * @param allocator The wmem scope ++ * @param string A pointer to the input string ++ * @return A pointer to the formatted string ++ * ++ * @see tvb_format_text() ++ */ ++WS_DLL_PUBLIC ++gchar* format_text_string(wmem_allocator_t* allocator, const guchar *string); + + /** + * Given a string, generate a string from it that shows non-printable +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch new file mode 100644 index 0000000000..3fc5296073 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch @@ -0,0 +1,66 @@ +From 85fbca8adb09ea8e1af635db3d92727fbfa1e28a Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 18 May 2023 18:06:36 -0400 +Subject: [PATCH] MS-MMS: Use format_text_string() + +The length of a string transcoded from UTF-16 to UTF-8 can be +shorter (or longer) than the original length in bytes in the packet. +Use the new string length, not the original length. + +Use format_text_string, which is a convenience function that +calls strlen. + +Fix #19086 + +(cherry picked from commit 1c45a899f83fa88e60ab69936bea3c4754e7808b) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a] +CVE: CVE-2023-0667 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-ms-mms.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/epan/dissectors/packet-ms-mms.c b/epan/dissectors/packet-ms-mms.c +index db1d2cc..3d5c7ee 100644 +--- a/epan/dissectors/packet-ms-mms.c ++++ b/epan/dissectors/packet-ms-mms.c +@@ -739,7 +739,7 @@ static void dissect_client_transport_info(tvbuff_t *tvb, packet_info *pinfo, pro + transport_info, "Transport: (%s)", transport_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (guchar*)transport_info, length_remaining - 20)); ++ format_text_string(pinfo->pool, (const guchar*)transport_info)); + + + /* Try to extract details from this string */ +@@ -836,7 +836,7 @@ static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_version); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (version='%s')", +- format_text(wmem_packet_scope(), (const guchar*)server_version, strlen(server_version))); ++ format_text_string(pinfo->pool, (const guchar*)server_version)); + } + offset += (server_version_length*2); + +@@ -890,7 +890,7 @@ static void dissect_client_player_info(tvbuff_t *tvb, packet_info *pinfo, proto_ + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &player_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)player_info, strlen(player_info))); ++ format_text_string(pinfo->pool, (const guchar*)player_info)); + } + + /* Dissect info about where client wants to start playing from */ +@@ -965,7 +965,7 @@ static void dissect_request_server_file(tvbuff_t *tvb, packet_info *pinfo, proto + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_file); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)server_file, strlen(server_file))); ++ format_text_string(pinfo->pool, (const guchar*)server_file)); + } + + /* Dissect media details from server */ +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch new file mode 100644 index 0000000000..42f8108301 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch @@ -0,0 +1,33 @@ +From c4f37d77b29ec6a9754795d0efb6f68d633728d9 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 20 May 2023 23:08:08 -0400 +Subject: [PATCH] synphasor: Use val_to_str_const + +Don't use a value from packet data to directly index a value_string, +particularly when the value string doesn't cover all possible values. + +Fix #19087 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9] +CVE: CVE-2023-0668 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-synphasor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c +index 2d2f4ad..47120f5 100644 +--- a/epan/dissectors/packet-synphasor.c ++++ b/epan/dissectors/packet-synphasor.c +@@ -1130,7 +1130,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c + + data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4, + ett_conf_phflags, NULL, "Phasor Data flags: %s", +- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr); ++ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown")); + + /* first and second bytes - phasor modification flags*/ + phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch new file mode 100644 index 0000000000..2fbef6bae0 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch @@ -0,0 +1,62 @@ +From 3c8be14c827f1587da3c2b3bb0d9c04faff57413 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sun, 19 Mar 2023 15:16:39 -0400 +Subject: [PATCH] RPCoRDMA: Frame end cleanup for global write offsets + +Add a frame end routine for a global which is assigned to packet +scoped memory. It really should be made proto data, but is used +in a function in the header (that doesn't take the packet info +struct as an argument) and this fix needs to be made in stable +branches. + +Fix #18852 +--- +Upstream-Status: Backport from [https://gitlab.com/colin.mcinnes/wireshark/-/commit/3c8be14c827f1587da3c2b3bb0d9c04faff57413] +CVE: CVE-2023-1992 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + epan/dissectors/packet-rpcrdma.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c +index 680187b2653..3f250f0ea1c 100644 +--- a/epan/dissectors/packet-rpcrdma.c ++++ b/epan/dissectors/packet-rpcrdma.c +@@ -24,6 +24,7 @@ + #include <epan/addr_resolv.h> + + #include "packet-rpcrdma.h" ++#include "packet-frame.h" + #include "packet-infiniband.h" + #include "packet-iwarp-ddp-rdmap.h" + +@@ -285,6 +286,18 @@ void rpcrdma_insert_offset(gint offset) + wmem_array_append_one(gp_rdma_write_offsets, offset); + } + ++/* ++ * Reset the array of write offsets at the end of the frame. These ++ * are packet scoped, so they don't need to be freed, but we want ++ * to ensure that the global doesn't point to no longer allocated ++ * memory in a later packet. ++ */ ++static void ++reset_write_offsets(void) ++{ ++ gp_rdma_write_offsets = NULL; ++} ++ + /* Get conversation state, it is created if it does not exist */ + static rdma_conv_info_t *get_rdma_conv_info(packet_info *pinfo) + { +@@ -1600,6 +1613,7 @@ dissect_rpcrdma(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data + if (write_size > 0 && !pinfo->fd->visited) { + /* Initialize array of write chunk offsets */ + gp_rdma_write_offsets = wmem_array_new(wmem_packet_scope(), sizeof(gint)); ++ register_frame_end_routine(pinfo, reset_write_offsets); + TRY { + /* + * Call the upper layer dissector to get a list of offsets +-- +GitLab + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch new file mode 100644 index 0000000000..a6370f91cf --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch @@ -0,0 +1,117 @@ +From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Tue, 16 May 2023 12:05:07 -0700 +Subject: [PATCH] candump: check for a too-long frame length. + +If the frame length is longer than the maximum, report an error in the +file. + +Fixes #19062, preventing the overflow on a buffer on the stack (assuming +your compiler doesn't call a bounds-checknig version of memcpy() if the +size of the target space is known). + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb] +CVE: CVE-2023-2855 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/candump.c | 47 ++++++++++++++++++++++++++++++++++------------- + 1 file changed, 34 insertions(+), 13 deletions(-) + +diff --git a/wiretap/candump.c b/wiretap/candump.c +index 3eb17dd..954b509 100644 +--- a/wiretap/candump.c ++++ b/wiretap/candump.c +@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off, + wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info); + +-static void +-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) ++static gboolean ++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err, ++ gchar **err_info) + { + static const char *can_proto_name = "can-hostendian"; + static const char *canfd_proto_name = "canfd"; +@@ -57,9 +58,20 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + if (msg->is_fd) + { +- canfd_frame_t canfd_frame; ++ canfd_frame_t canfd_frame = {0}; ++ ++ /* ++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame. ++ */ ++ if (msg->data.length > CANFD_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u", ++ msg->data.length, CANFD_MAX_DLEN); ++ } ++ return FALSE; ++ } + +- memset(&canfd_frame, 0, sizeof(canfd_frame)); + canfd_frame.can_id = msg->id; + canfd_frame.flags = msg->flags; + canfd_frame.len = msg->data.length; +@@ -69,10 +81,21 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + } + else + { +- can_frame_t can_frame; ++ can_frame_t can_frame = {0}; ++ ++ /* ++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame. ++ */ ++ if (msg->data.length > CAN_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u", ++ msg->data.length, CAN_MAX_DLEN); ++ } ++ return FALSE; ++ } + +- memset(&can_frame, 0, sizeof(can_frame)); +- can_frame.can_id = msg->id; ++ can_frame.can_id = msg->id; + can_frame.can_dlc = msg->data.length; + memcpy(can_frame.data, msg->data.data, msg->data.length); + +@@ -86,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + rec->rec_header.packet_header.caplen = packet_length; + rec->rec_header.packet_header.len = packet_length; ++ ++ return TRUE; + } + + static gboolean +@@ -193,9 +218,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, + ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh)); + #endif + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + static gboolean +@@ -219,9 +242,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec, + if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info)) + return FALSE; + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + /* +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch new file mode 100644 index 0000000000..1fb75353b4 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch @@ -0,0 +1,68 @@ +From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Thu, 18 May 2023 15:03:23 -0700 +Subject: [PATCH] vms: fix the search for the packet length field. + +The packet length field is of the form + + Total Length = DDD = ^xXXX + +where "DDD" is the length in decimal and "XXX" is the length in +hexadecimal. + +Search for "length ". not just "Length", as we skip past "Length ", not +just "Length", so if we assume we found "Length " but only found +"Length", we'd skip past the end of the string. + +While we're at it, fail if we don't find a length field, rather than +just blithely acting as if the packet length were zero. + +Fixes #19083. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca] +CVE: CVE-2023-2856 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/vms.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/wiretap/vms.c b/wiretap/vms.c +index 84e3def..fa77689 100644 +--- a/wiretap/vms.c ++++ b/wiretap/vms.c +@@ -310,6 +310,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + { + char line[VMS_LINE_LENGTH + 1]; + int num_items_scanned; ++ gboolean have_pkt_len = FALSE; + guint32 pkt_len = 0; + int pktnum; + int csec = 101; +@@ -366,7 +367,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + return FALSE; + } + } +- if ( (! pkt_len) && (p = strstr(line, "Length"))) { ++ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { + p += sizeof("Length "); + while (*p && ! g_ascii_isdigit(*p)) + p++; +@@ -382,9 +383,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); + return FALSE; + } ++ have_pkt_len = TRUE; + break; + } + } while (! isdumpline(line)); ++ if (! have_pkt_len) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup_printf("vms: Length field not found"); ++ return FALSE; ++ } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; return an error, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch new file mode 100644 index 0000000000..150b4609bb --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch @@ -0,0 +1,94 @@ +From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Fri, 19 May 2023 16:29:45 -0700 +Subject: [PATCH] netscaler: add more checks to make sure the record is within + the page. + +Whie we're at it, restructure some other checks to test-before-casting - +it's OK to test afterwards, but testing before makes it follow the +pattern used elsewhere. + +Fixes #19081. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105] +CVE: CVE-2023-2858 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/netscaler.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c +index 93da9a2..f835dfa 100644 +--- a/wiretap/netscaler.c ++++ b/wiretap/netscaler.c +@@ -1082,13 +1082,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int *err, gchar **err_info) + + #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \ + do {\ +- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\ ++ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + return FALSE;\ + }\ ++ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Check sanity of record size */\ + if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\ + *err = WTAP_ERR_BAD_FILE;\ +@@ -1153,6 +1153,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_ABSTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1166,6 +1168,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_RELTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1183,6 +1187,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + default: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1466,14 +1472,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf, + + #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\ + do {\ +- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\ ++ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + g_free(nstrace_tmpbuff);\ + return FALSE;\ + }\ ++ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + (rec)->rec_type = REC_TYPE_PACKET;\ + TIMEDEFV##ver((rec),fp,type);\ + FULLPART##SIZEDEFV##ver((rec),fp,ver);\ +@@ -1580,7 +1586,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf, + g_free(nstrace_tmpbuff); + return FALSE; + } +- + hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset]; + if (nspr_getv20recordsize(hdp) == 0) { + *err = WTAP_ERR_BAD_FILE; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch new file mode 100644 index 0000000000..3a81a3c714 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch @@ -0,0 +1,38 @@ +From 44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d Mon Sep 17 00:00:00 2001 +From: Jaap Keuter <jaap.keuter@xs4all.nl> +Date: Thu, 27 Jul 2023 20:21:19 +0200 +Subject: [PATCH] CP2179: Handle timetag info response without records + +Fixes #19229 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d] +CVE: CVE-2023-2906 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-cp2179.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/epan/dissectors/packet-cp2179.c b/epan/dissectors/packet-cp2179.c +index 142cac3..9fc9a47 100644 +--- a/epan/dissectors/packet-cp2179.c ++++ b/epan/dissectors/packet-cp2179.c +@@ -721,11 +721,14 @@ dissect_response_frame(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, int + proto_tree_add_item(cp2179_proto_tree, hf_cp2179_timetag_numsets, tvb, offset, 1, ENC_LITTLE_ENDIAN); + + num_records = tvb_get_guint8(tvb, offset) & 0x7F; ++ offset += 1; ++ ++ if (num_records == 0 || numberofcharacters <= 1) ++ break; ++ + recordsize = (numberofcharacters-1) / num_records; + num_values = (recordsize-6) / 2; /* Determine how many 16-bit analog values are present in each event record */ + +- offset += 1; +- + for (x = 0; x < num_records; x++) + { + cp2179_event_tree = proto_tree_add_subtree_format(cp2179_proto_tree, tvb, offset, recordsize, ett_cp2179_event, NULL, "Event Record # %d", x+1); +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch new file mode 100644 index 0000000000..82098271ec --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch @@ -0,0 +1,97 @@ +From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001 +From: Gerald Combs <gerald@wireshark.org> +Date: Tue, 23 May 2023 13:52:03 -0700 +Subject: [PATCH] XRA: Fix an infinite loop + +C compilers don't care what size a value was on the wire. Use +naturally-sized ints, including in dissect_message_channel_mb where we +would otherwise overflow and loop infinitely. + +Fixes #19100 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5] +CVE: CVE-2023-2952 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-xra.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c +index f59d899..6c1445f 100644 +--- a/epan/dissectors/packet-xra.c ++++ b/epan/dissectors/packet-xra.c +@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu + it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da + it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA); + xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb; + + while (tlv_index < tlv_length) { +@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + if(packet_start_pointer_field_present) { + proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer); + +- guint16 docsis_start = 3 + packet_start_pointer; ++ unsigned docsis_start = 3 + packet_start_pointer; + while (docsis_start + 6 < remaining_length) { + /*DOCSIS header in packet*/ + guint8 fc = tvb_get_guint8(tvb,docsis_start + 0); +@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + docsis_start += 1; + continue; + } +- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); ++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); + if (docsis_start + 6 + docsis_length <= remaining_length) { + /*DOCSIS packet included in packet*/ + tvbuff_t *docsis_tvb; +@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) { + static int + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) { + +- guint16 offset = 0; ++ int offset = 0; + proto_tree *plc_tree; + proto_item *plc_item; + tvbuff_t *mb_tvb; +@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _ + + static int + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) { +- guint16 offset = 0; ++ int offset = 0; + proto_tree *ncp_tree; + proto_item *ncp_item; + tvbuff_t *ncp_mb_tvb; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch new file mode 100644 index 0000000000..5e92bd8a28 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch @@ -0,0 +1,231 @@ +From 75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 24 Jun 2023 00:34:50 -0400 +Subject: [PATCH] iscsi: Check bounds when extracting TargetAddress + +Use tvb_ functions that do bounds checking when parsing the +TargetAddress string, instead of incrementing a pointer to an +extracted char* and sometimes accidentally overrunning the +string. + +While we're there, go ahead and add support for IPv6 addresses. + +Fix #19164 + +(backported from commit 94349bbdaeb384b12d554dd65e7be7ceb0e93d21) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c] +CVE: CVE-2023-3649 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-iscsi.c | 146 +++++++++++++++++---------------- + 1 file changed, 75 insertions(+), 71 deletions(-) + +diff --git a/epan/dissectors/packet-iscsi.c b/epan/dissectors/packet-iscsi.c +index 8a80f49..08f44a8 100644 +--- a/epan/dissectors/packet-iscsi.c ++++ b/epan/dissectors/packet-iscsi.c +@@ -20,8 +20,6 @@ + + #include "config.h" + +-#include <stdio.h> +- + #include <epan/packet.h> + #include <epan/prefs.h> + #include <epan/conversation.h> +@@ -29,6 +27,7 @@ + #include "packet-scsi.h" + #include <epan/crc32-tvb.h> + #include <wsutil/crc32.h> ++#include <wsutil/inet_addr.h> + #include <wsutil/strtoi.h> + + void proto_register_iscsi(void); +@@ -512,70 +511,81 @@ typedef struct _iscsi_conv_data { + dissector for the address/port that TargetAddress points to. + (it starts to be common to use redirectors to point to non-3260 ports) + */ ++static address null_address = ADDRESS_INIT_NONE; ++ + static void +-iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, char *val, guint offset) ++iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, guint offset) + { +- address *addr = NULL; ++ address addr = ADDRESS_INIT_NONE; + guint16 port; +- char *value = wmem_strdup(wmem_packet_scope(), val); +- char *p = NULL, *pgt = NULL; +- +- if (value[0] == '[') { +- /* this looks like an ipv6 address */ +- p = strchr(value, ']'); +- if (p != NULL) { +- *p = 0; +- p += 2; /* skip past "]:" */ +- +- pgt = strchr(p, ','); +- if (pgt != NULL) { +- *pgt++ = 0; +- } ++ int colon_offset; ++ int end_offset; ++ char *ip_str, *port_str; ++ ++ colon_offset = tvb_find_guint8(tvb, offset, -1, ':'); ++ if (colon_offset == -1) { ++ /* RFC 7143 13.8 TargetAddress "If the TCP port is not specified, ++ * it is assumed to be the IANA-assigned default port for iSCSI", ++ * so nothing to do here. ++ */ ++ return; ++ } + +- /* can't handle ipv6 yet */ ++ /* We found a colon, so there's at least one byte and this won't fail. */ ++ if (tvb_get_guint8(tvb, offset) == '[') { ++ offset++; ++ /* could be an ipv6 address */ ++ end_offset = tvb_find_guint8(tvb, offset, -1, ']'); ++ if (end_offset == -1) { ++ return; + } +- } else { +- /* This is either a ipv4 address or a dns name */ +- int i0,i1,i2,i3; +- if (sscanf(value, "%d.%d.%d.%d", &i0,&i1,&i2,&i3) == 4) { +- /* looks like a ipv4 address */ +- p = strchr(value, ':'); +- if (p != NULL) { +- char *addr_data; +- +- *p++ = 0; +- +- pgt = strchr(p, ','); +- if (pgt != NULL) { +- *pgt++ = 0; +- } + +- addr_data = (char *) wmem_alloc(wmem_packet_scope(), 4); +- addr_data[0] = i0; +- addr_data[1] = i1; +- addr_data[2] = i2; +- addr_data[3] = i3; +- +- addr = wmem_new(wmem_packet_scope(), address); +- addr->type = AT_IPv4; +- addr->len = 4; +- addr->data = addr_data; ++ /* look for the colon before the port, if any */ ++ colon_offset = tvb_find_guint8(tvb, end_offset, -1, ':'); ++ if (colon_offset == -1) { ++ return; ++ } + +- if (!ws_strtou16(p, NULL, &port)) { +- proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid, +- tvb, offset + (guint)strlen(value), (guint)strlen(p), "Invalid port: %s", p); +- } +- } ++ ws_in6_addr *ip6_addr = wmem_new(pinfo->pool, ws_in6_addr); ++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, end_offset - offset, ENC_ASCII); ++ if (ws_inet_pton6(ip_str, ip6_addr)) { ++ /* looks like a ipv6 address */ ++ set_address(&addr, AT_IPv6, sizeof(ws_in6_addr), ip6_addr); ++ } + ++ } else { ++ /* This is either a ipv4 address or a dns name */ ++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, colon_offset - offset, ENC_ASCII); ++ ws_in4_addr *ip4_addr = wmem_new(pinfo->pool, ws_in4_addr); ++ if (ws_inet_pton4(ip_str, ip4_addr)) { ++ /* looks like a ipv4 address */ ++ set_address(&addr, AT_IPv4, 4, ip4_addr); + } ++ /* else a DNS host name; we could, theoretically, try to use ++ * name resolution information in the capture to lookup the address. ++ */ + } + ++ /* Extract the port */ ++ end_offset = tvb_find_guint8(tvb, colon_offset, -1, ','); ++ int port_len; ++ if (end_offset == -1) { ++ port_len = tvb_reported_length_remaining(tvb, colon_offset + 1); ++ } else { ++ port_len = end_offset - (colon_offset + 1); ++ } ++ port_str = tvb_get_string_enc(pinfo->pool, tvb, colon_offset + 1, port_len, ENC_ASCII); ++ if (!ws_strtou16(port_str, NULL, &port)) { ++ proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid, ++ tvb, colon_offset + 1, port_len, "Invalid port: %s", port_str); ++ return; ++ } + + /* attach a conversation dissector to this address/port tuple */ +- if (addr && !pinfo->fd->visited) { ++ if (!addresses_equal(&addr, &null_address) && !pinfo->fd->visited) { + conversation_t *conv; + +- conv = conversation_new(pinfo->num, addr, addr, ENDPOINT_TCP, port, port, NO_ADDR2|NO_PORT2); ++ conv = conversation_new(pinfo->num, &addr, &null_address, ENDPOINT_TCP, port, 0, NO_ADDR2|NO_PORT2); + if (conv == NULL) { + return; + } +@@ -587,30 +597,24 @@ iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, + static gint + addTextKeys(packet_info *pinfo, proto_tree *tt, tvbuff_t *tvb, gint offset, guint32 text_len) { + const gint limit = offset + text_len; ++ tvbuff_t *keyvalue_tvb; ++ int len, value_offset; + + while(offset < limit) { +- char *key = NULL, *value = NULL; +- gint len = tvb_strnlen(tvb, offset, limit - offset); +- +- if(len == -1) { +- len = limit - offset; +- } else { +- len = len + 1; +- } +- +- key = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, len, ENC_ASCII); +- if (key == NULL) { +- break; +- } +- value = strchr(key, '='); +- if (value == NULL) { ++ /* RFC 7143 6.1 Text Format: "Every key=value pair, including the ++ * last or only pair in a LTDS, MUST be followed by one null (0x00) ++ * delimiter. ++ */ ++ proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len); ++ keyvalue_tvb = tvb_new_subset_length(tvb, offset, len); ++ value_offset = tvb_find_guint8(keyvalue_tvb, 0, len, '='); ++ if (value_offset == -1) { + break; + } +- *value++ = 0; ++ value_offset++; + +- proto_tree_add_item(tt, hf_iscsi_KeyValue, tvb, offset, len, ENC_ASCII|ENC_NA); +- if (!strcmp(key, "TargetAddress")) { +- iscsi_dissect_TargetAddress(pinfo, tvb, tt, value, offset + (guint)strlen("TargetAddress") + 2); ++ if (tvb_strneql(keyvalue_tvb, 0, "TargetAddress=", strlen("TargetAddress=")) == 0) { ++ iscsi_dissect_TargetAddress(pinfo, keyvalue_tvb, tt, value_offset); + } + + offset += len; +@@ -2941,7 +2945,7 @@ proto_register_iscsi(void) + }, + { &hf_iscsi_KeyValue, + { "KeyValue", "iscsi.keyvalue", +- FT_STRING, BASE_NONE, NULL, 0, ++ FT_STRINGZ, BASE_NONE, NULL, 0, + "Key/value pair", HFILL } + }, + { &hf_iscsi_Text_F, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch new file mode 100644 index 0000000000..c4dfb6c37d --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch @@ -0,0 +1,42 @@ +From a8586fde3a6512466afb2a660538ef3fe712076b Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 23 Nov 2023 13:47:51 -0500 +Subject: [PATCH] gvcp: Don't try to add a NULL string to a column + +This was caught as an invalid argument by g_strlcpy before 4.2, +but it was never a good idea. + +Fix #19496 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/a8586fde3a6512466afb2a660538ef3fe712076b] +CVE: CVE-2024-0208 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-gvcp.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/epan/dissectors/packet-gvcp.c b/epan/dissectors/packet-gvcp.c +index 2de4552..b94ddea 100644 +--- a/epan/dissectors/packet-gvcp.c ++++ b/epan/dissectors/packet-gvcp.c +@@ -2222,15 +2222,12 @@ static void dissect_readreg_ack(proto_tree *gvcp_telegram_tree, tvbuff_t *tvb, p + if (addr_list_size > 0) + { + address_string = get_register_name_from_address(*((guint32*)wmem_array_index(gvcp_trans->addr_list, 0)), gvcp_info, &is_custom_register); ++ col_append_str(pinfo->cinfo, COL_INFO, address_string); + } + + if (num_registers) + { +- col_append_fstr(pinfo->cinfo, COL_INFO, "%s Value=0x%08X", address_string, tvb_get_ntohl(tvb, offset)); +- } +- else +- { +- col_append_str(pinfo->cinfo, COL_INFO, address_string); ++ col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "Value=0x%08X", tvb_get_ntohl(tvb, offset)); + } + } + } +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch new file mode 100644 index 0000000000..54438dd870 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch @@ -0,0 +1,22 @@ +Fix update to build for alt arch machine. + +Commit 9ca6e39c7ee26570e29dc87332ffb0f6c1d0e4a4 changed the UseLemon to use +the target lemon built by the target wireshark. Revert to use the one built by +wireshark-native. + +Upstream-Status: Inappropriate [configuration] +Signed-off: Armin Kuster <akuster@mvista.com> + +Index: wireshark-3.2.18/cmake/modules/UseLemon.cmake +=================================================================== +--- wireshark-3.2.18.orig/cmake/modules/UseLemon.cmake ++++ wireshark-3.2.18/cmake/modules/UseLemon.cmake +@@ -13,7 +13,7 @@ MACRO(ADD_LEMON_FILES _source _generated + # These files are generated as side-effect + ${_out}.h + ${_out}.out +- COMMAND $<TARGET_FILE:lemon> ++ COMMAND lemon + -T${_lemonpardir}/lempar.c + -d. + ${_in} diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.15.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index 36e84d0ccd..8054cbb5aa 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.15.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb @@ -8,11 +8,25 @@ DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bi DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native " -SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz" - +SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz \ + file://fix_lemon_path.patch \ + file://CVE-2023-2855.patch \ + file://CVE-2023-2856.patch \ + file://CVE-2023-2858.patch \ + file://CVE-2023-2952.patch \ + file://CVE-2023-0667-pre1.patch \ + file://CVE-2023-0667.patch \ + file://CVE-2023-0668.patch \ + file://CVE-2023-2906.patch \ + file://CVE-2023-3649.patch \ + file://CVE-2022-0585-CVE-2023-2879.patch \ + file://CVE-2022-4345.patch \ + file://CVE-2024-0208.patch \ + file://CVE-2023-1992.patch \ + " UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "32f6cfd67b00903a1bfca02ecc4ccf72db6b70d4fda33e4a099fefb03e849bdb" +SRC_URI[sha256sum] = "bbe75d909b052fcd67a850f149f0d5b1e2531026fc2413946b48570293306887" PE = "1" diff --git a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb index f55247d9ed..604d989ed9 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb @@ -22,7 +22,7 @@ SRCREV_FORMAT = "rwmem_inih" SRC_URI = " \ git://github.com/tomba/rwmem.git;protocol=https;name=rwmem;branch=master \ - git://github.com/benhoyt/inih.git;protocol=https;name=inih;nobranch=1;destsuffix=git/ext/inih \ + git://github.com/benhoyt/inih.git;protocol=https;name=inih;branch=master;destsuffix=git/ext/inih \ " S = "${WORKDIR}/git" diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb index 7ef8f69827..cc15a8de31 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb @@ -56,6 +56,8 @@ EXTRA_OESCONS = "--prefix=${D}${prefix} \ LINKFLAGS='${LDFLAGS}' \ CXXFLAGS='${CXXFLAGS}' \ TARGET_ARCH=${TARGET_ARCH} \ + MONGO_VERSION=${PV} \ + OBJCOPY=${OBJCOPY} \ --ssl \ --disable-warnings-as-errors \ --use-system-zlib \ diff --git a/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb b/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb index 90db9c3f3e..fa1bad021c 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb @@ -39,5 +39,3 @@ RRECOMMENDS_${PN} = "python3-matplotlib python3-numpy" PACKAGE_BEFORE_PN = "smemcap" FILES_smemcap = "${bindir}/smemcap" - -BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-benchmark/glmark2/files/0001-waflib-fix-compatibility-with-python-3.11.patch b/meta-oe/recipes-benchmark/glmark2/files/0001-waflib-fix-compatibility-with-python-3.11.patch new file mode 100644 index 0000000000..c56fa64e58 --- /dev/null +++ b/meta-oe/recipes-benchmark/glmark2/files/0001-waflib-fix-compatibility-with-python-3.11.patch @@ -0,0 +1,76 @@ +From b85ba8c3ff3fb9ae708576ccef03434d2ef73054 Mon Sep 17 00:00:00 2001 +From: Martin Jansa <Martin.Jansa@gmail.com> +Date: Tue, 14 Jun 2022 09:54:18 +0000 +Subject: [PATCH] waflib: fix compatibility with python-3.11 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* https://docs.python.org/3.11/whatsnew/3.11.html#changes-in-the-python-api + + open(), io.open(), codecs.open() and fileinput.FileInput no longer + accept 'U' (“universal newline”) in the file mode. This flag was + deprecated since Python 3.3. In Python 3, the “universal newline” is + used by default when a file is open in text mode. The newline parameter + of open() controls how universal newlines works. (Contributed by Victor + Stinner in bpo-37330.) + +* fixes: +Waf: The wscript in '/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git' is unreadable +Traceback (most recent call last): + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Scripting.py", line 104, in waf_entry_point + set_main_module(os.path.normpath(os.path.join(Context.run_dir,Context.WSCRIPT_FILE))) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Scripting.py", line 135, in set_main_module + Context.g_module=Context.load_module(file_path) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Context.py", line 343, in load_module + code=Utils.readf(path,m='rU',encoding=encoding) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Utils.py", line 117, in readf + f=open(fname,m) + ^^^^^^^^^^^^^ +ValueError: invalid mode: 'rUb' + +Upstream-Status: Submitted [https://github.com/glmark2/glmark2/pull/178] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + waflib/ConfigSet.py | 2 +- + waflib/Context.py | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/waflib/ConfigSet.py b/waflib/ConfigSet.py +index 16142a2..87de4ad 100644 +--- a/waflib/ConfigSet.py ++++ b/waflib/ConfigSet.py +@@ -140,7 +140,7 @@ class ConfigSet(object): + Utils.writef(filename,''.join(buf)) + def load(self,filename): + tbl=self.table +- code=Utils.readf(filename,m='rU') ++ code=Utils.readf(filename,m='r') + for m in re_imp.finditer(code): + g=m.group + tbl[g(2)]=eval(g(3)) +diff --git a/waflib/Context.py b/waflib/Context.py +index 8f2cbfb..f3e35ae 100644 +--- a/waflib/Context.py ++++ b/waflib/Context.py +@@ -109,7 +109,7 @@ class Context(ctx): + cache[node]=True + self.pre_recurse(node) + try: +- function_code=node.read('rU',encoding) ++ function_code=node.read('r',encoding) + exec(compile(function_code,node.abspath(),'exec'),self.exec_dict) + finally: + self.post_recurse(node) +@@ -340,7 +340,7 @@ def load_module(path,encoding=None): + pass + module=imp.new_module(WSCRIPT_FILE) + try: +- code=Utils.readf(path,m='rU',encoding=encoding) ++ code=Utils.readf(path,encoding=encoding) + except EnvironmentError: + raise Errors.WafError('Could not read the file %r'%path) + module_dir=os.path.dirname(path) diff --git a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb index 4976bf6905..2b2ff53c7e 100644 --- a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb +++ b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb @@ -15,9 +15,10 @@ PV = "20191226+${SRCPV}" COMPATIBLE_HOST_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '.*-linux*', 'null', d)}" SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https;branch=master \ - file://python3.patch" + file://python3.patch \ + file://0001-waflib-fix-compatibility-with-python-3.11.patch \ + " SRCREV = "72dabc5d72b49c6d45badeb8a941ba4d829b0bd6" - S = "${WORKDIR}/git" inherit waf pkgconfig features_check diff --git a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb index 4a520e3be5..86e5fef530 100644 --- a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb +++ b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb @@ -19,3 +19,5 @@ EXTRA_OECONF = "--exec-prefix=${STAGING_DIR_HOST}${layout_exec_prefix}" PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," + +CVE_PRODUCT = "iperf_project:iperf" diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch new file mode 100644 index 0000000000..450cdde1f8 --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch @@ -0,0 +1,46 @@ +From 0ef151550d96cc4460f98832df84b4a1e87c65e9 Mon Sep 17 00:00:00 2001 +From: "Bruce A. Mah" <bmah@es.net> +Date: Fri, 7 Jul 2023 11:35:02 -0700 +Subject: [PATCH] Fix memory allocation hazard (#1542). (#1543) + +Reported by: @someusername123 on GitHub +--- + src/iperf_api.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/iperf_api.c b/src/iperf_api.c +index f2d4162..a95e024 100644 +--- a/src/iperf_api.c ++++ b/src/iperf_api.c +@@ -2670,6 +2670,7 @@ static cJSON * + JSON_read(int fd) + { + uint32_t hsize, nsize; ++ size_t strsize; + char *str; + cJSON *json = NULL; + int rc; +@@ -2682,7 +2683,9 @@ JSON_read(int fd) + if (Nread(fd, (char*) &nsize, sizeof(nsize), Ptcp) >= 0) { + hsize = ntohl(nsize); + /* Allocate a buffer to hold the JSON */ +- str = (char *) calloc(sizeof(char), hsize+1); /* +1 for trailing null */ ++ strsize = hsize + 1; /* +1 for trailing NULL */ ++ if (strsize) { ++ str = (char *) calloc(sizeof(char), strsize); + if (str != NULL) { + rc = Nread(fd, str, hsize, Ptcp); + if (rc >= 0) { +@@ -2701,6 +2704,10 @@ JSON_read(int fd) + } + } + free(str); ++ } ++ else { ++ printf("WARNING: Data length overflow\n"); ++ } + } + return json; + } +-- +2.25.1 diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb index 8536de3518..19be5d94c0 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb @@ -15,6 +15,7 @@ DEPENDS = "openssl" SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ file://0002-Remove-pg-from-profile_CFLAGS.patch \ + file://0001-Fix-memory-allocation-hazard-1542-.-1543.patch \ " SRCREV = "dfcea9f6a09ead01089a3c9d20c7032f2c0af2c1" @@ -28,3 +29,5 @@ PACKAGECONFIG[lksctp] = "ac_cv_header_netinet_sctp_h=yes,ac_cv_header_netinet_sc CFLAGS += "-D_GNU_SOURCE" EXTRA_OECONF = "--with-openssl=${RECIPE_SYSROOT}${prefix}" + +CVE_PRODUCT = "iperf_project:iperf" diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch new file mode 100644 index 0000000000..6d04bf8980 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch @@ -0,0 +1,110 @@ +From 4e661f0085ec5f969c76c0896a34322c6c432de4 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 17 Oct 2022 20:25:11 -0400 +Subject: [PATCH] Fix integer overflows in PAC parsing + +In krb5_parse_pac(), check for buffer counts large enough to threaten +integer overflow in the header length and memory length calculations. +Avoid potential integer overflows when checking the length of each +buffer. Credit to OSS-Fuzz for discovering one of the issues. + +CVE-2022-42898: + +In MIT krb5 releases 1.8 and later, an authenticated attacker may be +able to cause a KDC or kadmind process to crash by reading beyond the +bounds of allocated memory, creating a denial of service. A +privileged attacker may similarly be able to cause a Kerberos or GSS +application service to crash. On 32-bit platforms, an attacker can +also cause insufficient memory to be allocated for the result, +potentially leading to remote code execution in a KDC, kadmind, or GSS +or Kerberos application server process. An attacker with the +privileges of a cross-realm KDC may be able to extract secrets from a +KDC process's memory by having them copied into the PAC of a new +ticket. + +(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583) + +ticket: 9074 +version_fixed: 1.19.4 + +Upstream-Status: Backport [https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4] +CVE: CVE-2022-42898 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lib/krb5/krb/pac.c | 9 +++++++-- + src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++ + 2 files changed, 25 insertions(+), 2 deletions(-) + +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index cc74f37..70428a1 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -27,6 +27,8 @@ + #include "k5-int.h" + #include "authdata.h" + ++#define MAX_BUFFERS 4096 ++ + /* draft-brezak-win2k-krb-authz-00 */ + + /* +@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context, + if (version != 0) + return EINVAL; + ++ if (cbuffers < 1 || cbuffers > MAX_BUFFERS) ++ return ERANGE; ++ + header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); + if (len < header_len) + return ERANGE; +@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context, + krb5_pac_free(context, pac); + return EINVAL; + } +- if (buffer->Offset < header_len || +- buffer->Offset + buffer->cbBufferSize > len) { ++ if (buffer->Offset < header_len || buffer->Offset > len || ++ buffer->cbBufferSize > len - buffer->Offset) { + krb5_pac_free(context, pac); + return ERANGE; + } +diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c +index 7b756a2..2353e9f 100644 +--- a/src/lib/krb5/krb/t_pac.c ++++ b/src/lib/krb5/krb/t_pac.c +@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = { + 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00 + }; + ++static const unsigned char fuzz1[] = { ++ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, ++ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5 ++}; ++ ++static const unsigned char fuzz2[] = { ++ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, ++ 0x20, 0x20 ++}; ++ + static const char *s4u_principal = "w2k8u@ACME.COM"; + static const char *s4u_enterprise = "w2k8u@abc@ACME.COM"; + +@@ -646,6 +656,14 @@ main(int argc, char **argv) + krb5_free_principal(context, sep); + } + ++ /* Check problematic PACs found by fuzzing. */ ++ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ + /* + * Test empty free + */ +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb index ae58e2df35..ebcfbc524c 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb @@ -31,6 +31,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ file://krb5-kdc.service \ file://krb5-admin-server.service \ file://CVE-2021-36222.patch \ + file://CVE-2022-42898.patch;striplevel=2 \ " SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878" SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181" diff --git a/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch new file mode 100644 index 0000000000..426388c3bf --- /dev/null +++ b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch @@ -0,0 +1,32 @@ +From 40dad53252e82eb4ee6e0c000e0c9ab15c7af312 Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis <info@bnoordhuis.nl> +Date: Thu, 18 Jan 2024 14:51:40 +0100 +Subject: [PATCH] fix: always zero-terminate idna output + +CVE: CVE-2024-24806 +Upstream commit: 0f2d7e784a256b54b2385043438848047bc2a629 + +Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 +--- + src/idna.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/idna.c b/src/idna.c +index 13ffac6b..874f1caf 100644 +--- a/src/idna.c ++++ b/src/idna.c +@@ -284,8 +284,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) { + return rc; + } + +- if (d < de) +- *d++ = '\0'; ++ if (d >= de) ++ return UV_EINVAL; + ++ *d++ = '\0'; + return d - ds; /* Number of bytes written. */ + } +-- +2.43.0 + diff --git a/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch new file mode 100644 index 0000000000..f231cf96b9 --- /dev/null +++ b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch @@ -0,0 +1,30 @@ +From 6b8bce71f3ea435fcb286d49df1204c23ef3ea01 Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis <info@bnoordhuis.nl> +Date: Thu, 18 Jan 2024 14:52:38 +0100 +Subject: [PATCH] fix: reject zero-length idna inputs + +CVE: CVE-2024-24806 +Upstream commit: 3530bcc30350d4a6ccf35d2f7b33e23292b9de70 + +Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 +--- + src/idna.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/idna.c b/src/idna.c +index 874f1caf..97edf06c 100644 +--- a/src/idna.c ++++ b/src/idna.c +@@ -254,6 +254,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) { + char* ds; + int rc; + ++ if (s == se) ++ return UV_EINVAL; ++ + ds = d; + + for (si = s; si < se; /* empty */) { +-- +2.43.0 + diff --git a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb index 41e95f56ae..da99b41fdd 100644 --- a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb +++ b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb @@ -6,7 +6,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47" SRCREV = "533b738838ad8407032e14b6772b29ef9af63cfa" SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https \ - file://CVE-2020-8252.patch" + file://CVE-2020-8252.patch \ + file://CVE-2024-24806-1.patch \ + file://CVE-2024-24806-2.patch" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch b/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch new file mode 100644 index 0000000000..83bdae858f --- /dev/null +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch @@ -0,0 +1,42 @@ +From dfd38cb29c0768692f886d3ab9158bd2b3132582 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Tue, 22 Nov 2022 15:20:48 +0800 +Subject: [PATCH] makefile: use conditional assignment for KBUILD_OUTPUT + +Refer [1],from make 4.4, all variables that are marked as export will +also be passed to the shell started by the shell function. use "=" will +make KBUILD_OUTPUT always empty for shell function, use "?=" to make +"export KBUILD_OUTPUT" in enrironment can work. + +[snip of 4.4 NEWS] +* WARNING: Backward-incompatibility! + Previously makefile variables marked as export were not exported to commands + started by the $(shell ...) function. Now, all exported variables are + exported to $(shell ...). +[snip] + +[1] https://git.savannah.gnu.org/cgit/make.git/tree/NEWS?h=4.4&id=ed493f6c9116cc217b99c2cfa6a95f15803235a2#n74 + +Upstream-Status: Backport [d3dd51ba611802d7cbb28631cb943cb882fa4aac] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/makefile b/makefile +index 529d8a0..3db60fa 100644 +--- a/makefile ++++ b/makefile +@@ -15,7 +15,7 @@ + # with this program; if not, write to the Free Software Foundation, Inc., + # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +-KBUILD_OUTPUT = ++KBUILD_OUTPUT ?= + + DEBUG = + CC ?= $(CROSS_COMPILE)gcc +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb index c989767790..b848575e13 100644 --- a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb @@ -2,14 +2,14 @@ DESCRIPTION = "Precision Time Protocol (PTP) according to IEEE standard 1588 for LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v${PV}/linuxptp-${PV}.tgz \ +SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v2.0/linuxptp-${PV}.tgz \ file://build-Allow-CC-and-prefix-to-be-overriden.patch \ file://Use-cross-cpp-in-incdefs.patch \ file://time_t_maybe_long_long.patch \ + file://0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch \ " -SRC_URI[md5sum] = "d8bb7374943bb747db7786ac26f17f11" -SRC_URI[sha256sum] = "0a24d9401e87d4af023d201e234d91127d82c350daad93432106284aa9459c7d" +SRC_URI[sha256sum] = "6f4669db1733747427217a9e74c8b5ca25c4245947463e9cdb860ec8f5ec797a" EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} EXTRA_CFLAGS='${CFLAGS}'" diff --git a/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb b/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb index 4a91fa4f4d..ae93ff561c 100644 --- a/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb +++ b/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb @@ -14,5 +14,3 @@ SRC_URI[sha256sum] = "cffb5147021202b064eb0a9389d0db63d1bb2dcde5a896f7785f97b1b5 UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/ser2net/files/ser2net" inherit autotools pkgconfig - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb b/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb index 7c9a33e8c1..75d534ea66 100644 --- a/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb +++ b/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb @@ -27,6 +27,3 @@ PACKAGECONFIG[lz4] = ",-DCMAKE_DISABLE_FIND_PACKAGE_lz4=TRUE,lz4" PACKAGECONFIG[uuid] = ",-DCMAKE_DISABLE_FIND_PACKAGE_uuid=TRUE,util-linux" PACKAGECONFIG[curl] = ",-DCMAKE_DISABLE_FIND_PACKAGE_libcurl=TRUE,curl" PACKAGECONFIG[systemd] = ",-DCMAKE_DISABLE_FIND_PACKAGE_systemd=TRUE,systemd" - -BBCLASSEXTEND = "nativesdk" - diff --git a/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch b/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch index eb3dee4d31..31f6529225 100644 --- a/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch +++ b/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch @@ -19,8 +19,8 @@ Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> --- a/CMakeLists.txt +++ b/CMakeLists.txt -@@ -1210,7 +1210,7 @@ - target_link_libraries(libzmq ${OPTIONAL_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT}) +@@ -1440,7 +1440,7 @@ if(BUILD_SHARED) + endif() if(SODIUM_FOUND) - target_link_libraries(libzmq ${SODIUM_LIBRARIES}) @@ -28,8 +28,8 @@ Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> # On Solaris, libsodium depends on libssp if(${CMAKE_SYSTEM_NAME} MATCHES "SunOS") target_link_libraries(libzmq ssp) -@@ -1240,7 +1240,7 @@ - target_link_libraries(libzmq-static ${OPTIONAL_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT}) +@@ -1485,7 +1485,7 @@ if(BUILD_STATIC) + endif() if(SODIUM_FOUND) - target_link_libraries(libzmq-static ${SODIUM_LIBRARIES}) diff --git a/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.2.bb b/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.4.bb index 02a4c04fd7..4381f2d6d6 100644 --- a/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.2.bb +++ b/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.4.bb @@ -10,8 +10,8 @@ SRC_URI = "http://github.com/zeromq/libzmq/releases/download/v${PV}/zeromq-${PV} file://0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch \ file://run-ptest \ " -SRC_URI[md5sum] = "2047e917c2cc93505e2579bcba67a573" -SRC_URI[sha256sum] = "ebd7b5c830d6428956b67a0454a7f8cbed1de74b3b01e5c33c5378e22740f763" +SRC_URI[md5sum] = "c897d4005a3f0b8276b00b7921412379" +SRC_URI[sha256sum] = "c593001a89f5a85dd2ddf564805deb860e02471171b3f204944857336295c3e5" UPSTREAM_CHECK_URI = "https://github.com/${BPN}/libzmq/releases" diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch index 2c4ca057f2..1c2fc3813f 100644 --- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch +++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch @@ -21,7 +21,7 @@ index 009e4fd..f3f0d80 100644 if (!dbus_conn) - return; -+ DBUS_HANDLER_RESULT_NOT_YET_HANDLED; ++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; if (verbose) g_print ("New message from server: type='%d' path='%s' iface='%s'" diff --git a/meta-oe/recipes-core/emlog/emlog.inc b/meta-oe/recipes-core/emlog/emlog.inc index 948e18da4d..fb3cd3f712 100644 --- a/meta-oe/recipes-core/emlog/emlog.inc +++ b/meta-oe/recipes-core/emlog/emlog.inc @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http;branch=master;protocol=https" SRCREV = "aee53e8dee862f35291242ba41b0ca88010f6c71" - +PV = "0.70+git${SRCPV}" S = "${WORKDIR}/git" EXTRA_OEMAKE += " \ diff --git a/meta-oe/recipes-core/emlog/emlog_git.bb b/meta-oe/recipes-core/emlog/emlog_git.bb index 387dd67123..a503ab82b8 100644 --- a/meta-oe/recipes-core/emlog/emlog_git.bb +++ b/meta-oe/recipes-core/emlog/emlog_git.bb @@ -24,3 +24,16 @@ do_install() { } RRECOMMENDS_${PN} += "kernel-module-emlog" + +# The NVD database doesn't have a CPE for this product, +# the name of this product is exactly the same as github.com/emlog/emlog +# but it's not related in any way. The following CVEs are from that project +# so they can be safely ignored +CVE_CHECK_WHITELIST += "\ + CVE-2019-16868 \ + CVE-2019-17073 \ + CVE-2021-44584 \ + CVE-2022-1526 \ + CVE-2022-3968 \ + CVE-2023-43291 \ +" diff --git a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb index 67446ce579..1d86f48aee 100644 --- a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb +++ b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb @@ -6,7 +6,7 @@ SECTION = "base" S = "${WORKDIR}/git" SRCREV = "40c5d226c7c0706f0176884e9b94b3886679c983" -SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git;branch=master;protocol=https" +SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git;branch=main;protocol=https" do_configure[noexec] = "1" do_compile[noexec] = "1" diff --git a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb index 1396dc9bfa..de355d29d6 100644 --- a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb +++ b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb @@ -8,7 +8,7 @@ inherit pkgconfig cmake S = "${WORKDIR}/git" SRCREV = "b342ff7b7f70a4b3f2cfc53215af8fa20adc3d86" -SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git;branch=master;protocol=https" +SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git;branch=main;protocol=https" do_install () { install -d ${D}${bindir} diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb index b9668eb099..d303f27ebb 100644 --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb @@ -21,8 +21,8 @@ RDEPENDS_${PN} = " \ " SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz" -SRC_URI[md5sum] = "6e4ffb6d35a73f7539a5d0c1354654cd" -SRC_URI[sha256sum] = "a89e13dff0798fd0280e801d5f0cc8cfdb2aa5b1929bec1b7322e13d3eca95fb" +SRC_URI[md5sum] = "9c5952cebb836ee783b0b76c5380a964" +SRC_URI[sha256sum] = "61835132a5986217af17b8943013aa3fe6d47bdc1a07386343526765e2ce27a9" inherit autotools gettext pkgconfig @@ -54,7 +54,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup" PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt" PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" -PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev" +PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules" PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto" # gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't # recognized. diff --git a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb index bfc19ed150..48f2fd8ac1 100644 --- a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb +++ b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb @@ -4,7 +4,7 @@ HOMEPAGE = "https://github.com/google/leveldb" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=92d1b128950b11ba8495b64938fc164d" -SRC_URI = "git://github.com/google/${BPN}.git;branch=master;protocol=https \ +SRC_URI = "git://github.com/google/${BPN}.git;branch=main;protocol=https \ file://run-ptest" SRCREV = "78b39d68c15ba020c0d60a3906fb66dbf1697595" diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.20.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.28.bb index e1a038dfa3..e1a038dfa3 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.20.bb +++ b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.28.bb diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc index 0fb0c95ec3..e4eb48492a 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-oe/recipes-dbs/mysql/mariadb.inc @@ -15,12 +15,11 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz file://support-files-CMakeLists.txt-fix-do_populate_sysroot.patch \ file://sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \ file://0001-disable-ucontext-on-musl.patch \ - file://c11_atomics.patch \ - file://clang_version_header_conflict.patch \ file://fix-arm-atomic.patch \ + file://CVE-2022-47015.patch \ " -SRC_URI[md5sum] = "c3bc7a3eca3b0bbae5748f7b22a55c0c" -SRC_URI[sha256sum] = "87d5e29ee1f18de153266ec658138607703ed2a05b3ffb1f89091d33f4abf545" + +SRC_URI[sha256sum] = "003fd23f3c6ee516176e1b62b0b43cdb6cdd3dcd4e30f855c1c5ab2baaf5a86c" UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases" diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch new file mode 100644 index 0000000000..0ddcdc028c --- /dev/null +++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch @@ -0,0 +1,269 @@ +From be0a46b3d52b58956fd0d47d040b9f4514406954 Mon Sep 17 00:00:00 2001 +From: Nayuta Yanagisawa <nayuta.yanagisawa@hey.com> +Date: Tue, 27 Sep 2022 15:22:57 +0900 +Subject: [PATCH] MDEV-29644 a potential bug of null pointer dereference in + spider_db_mbase::print_warnings() + +Upstream-Status: Backport [https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954] +CVE: CVE-2022-47015 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + .../spider/bugfix/r/mdev_29644.result | 44 ++++++++++ + .../mysql-test/spider/bugfix/t/mdev_29644.cnf | 3 + + .../spider/bugfix/t/mdev_29644.test | 58 ++++++++++++ + storage/spider/spd_db_mysql.cc | 88 ++++++++----------- + storage/spider/spd_db_mysql.h | 4 +- + 5 files changed, 141 insertions(+), 56 deletions(-) + create mode 100644 spider/mysql-test/spider/bugfix/r/mdev_29644.result + create mode 100644 spider/mysql-test/spider/bugfix/t/mdev_29644.cnf + create mode 100644 spider/mysql-test/spider/bugfix/t/mdev_29644.test + +diff --git a/spider/mysql-test/spider/bugfix/r/mdev_29644.result b/spider/mysql-test/spider/bugfix/r/mdev_29644.result +new file mode 100644 +index 00000000..eb725602 +--- /dev/null ++++ b/spider/mysql-test/spider/bugfix/r/mdev_29644.result +@@ -0,0 +1,44 @@ ++# ++# MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings() ++# ++for master_1 ++for child2 ++child2_1 ++child2_2 ++child2_3 ++for child3 ++connection child2_1; ++CREATE DATABASE auto_test_remote; ++USE auto_test_remote; ++CREATE TABLE tbl_a ( ++a CHAR(5) ++) ENGINE=InnoDB DEFAULT CHARSET=utf8; ++set @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++connection master_1; ++CREATE DATABASE auto_test_local; ++USE auto_test_local; ++CREATE TABLE tbl_a ( ++a CHAR(255) ++) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"'; ++SET @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++NOT FOUND /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err ++SET @orig_log_result_errors=@@global.spider_log_result_errors; ++SET GLOBAL spider_log_result_errors=4; ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++FOUND 1 /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err ++connection master_1; ++SET GLOBAL spider_log_result_errors=@orig_log_result_errors; ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_local; ++connection child2_1; ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_remote; ++for master_1 ++for child2 ++child2_1 ++child2_2 ++child2_3 ++for child3 +diff --git a/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf b/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf +new file mode 100644 +index 00000000..05dfd8a0 +--- /dev/null ++++ b/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf +@@ -0,0 +1,3 @@ ++!include include/default_mysqld.cnf ++!include ../my_1_1.cnf ++!include ../my_2_1.cnf +diff --git a/spider/mysql-test/spider/bugfix/t/mdev_29644.test b/spider/mysql-test/spider/bugfix/t/mdev_29644.test +new file mode 100644 +index 00000000..4ebdf317 +--- /dev/null ++++ b/spider/mysql-test/spider/bugfix/t/mdev_29644.test +@@ -0,0 +1,58 @@ ++--echo # ++--echo # MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings() ++--echo # ++ ++# The test case below does not cause the potential null pointer dereference. ++# It is just for checking spider_db_mbase::fetch_and_print_warnings() works. ++ ++--disable_query_log ++--disable_result_log ++--source ../../t/test_init.inc ++--enable_result_log ++--enable_query_log ++ ++--connection child2_1 ++CREATE DATABASE auto_test_remote; ++USE auto_test_remote; ++eval CREATE TABLE tbl_a ( ++ a CHAR(5) ++) $CHILD2_1_ENGINE $CHILD2_1_CHARSET; ++set @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++ ++--connection master_1 ++CREATE DATABASE auto_test_local; ++USE auto_test_local; ++eval CREATE TABLE tbl_a ( ++ a CHAR(255) ++) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"'; ++ ++SET @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++ ++let SEARCH_FILE= $MYSQLTEST_VARDIR/log/mysqld.1.1.err; ++let SEARCH_PATTERN= \[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*; ++ ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++--source include/search_pattern_in_file.inc # should not find ++ ++SET @orig_log_result_errors=@@global.spider_log_result_errors; ++SET GLOBAL spider_log_result_errors=4; ++ ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++--source include/search_pattern_in_file.inc # should find ++ ++--connection master_1 ++SET GLOBAL spider_log_result_errors=@orig_log_result_errors; ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_local; ++ ++--connection child2_1 ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_remote; ++ ++--disable_query_log ++--disable_result_log ++--source ../t/test_deinit.inc ++--enable_query_log ++--enable_result_log +diff --git a/storage/spider/spd_db_mysql.cc b/storage/spider/spd_db_mysql.cc +index 85f910aa..7d6bd599 100644 +--- a/storage/spider/spd_db_mysql.cc ++++ b/storage/spider/spd_db_mysql.cc +@@ -2197,7 +2197,7 @@ int spider_db_mbase::exec_query( + db_conn->affected_rows, db_conn->insert_id, + db_conn->server_status, db_conn->warning_count); + if (spider_param_log_result_errors() >= 3) +- print_warnings(l_time); ++ fetch_and_print_warnings(l_time); + } else if (log_result_errors >= 4) + { + time_t cur_time = (time_t) time((time_t*) 0); +@@ -2279,61 +2279,43 @@ bool spider_db_mbase::is_xa_nota_error( + DBUG_RETURN(xa_nota); + } + +-void spider_db_mbase::print_warnings( +- struct tm *l_time +-) { +- DBUG_ENTER("spider_db_mbase::print_warnings"); +- DBUG_PRINT("info",("spider this=%p", this)); +- if (db_conn->status == MYSQL_STATUS_READY) ++void spider_db_mbase::fetch_and_print_warnings(struct tm *l_time) ++{ ++ DBUG_ENTER("spider_db_mbase::fetch_and_print_warnings"); ++ ++ if (spider_param_dry_access() || db_conn->status != MYSQL_STATUS_READY || ++ db_conn->server_status & SERVER_MORE_RESULTS_EXISTS) ++ DBUG_VOID_RETURN; ++ ++ if (mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR, ++ SPIDER_SQL_SHOW_WARNINGS_LEN)) ++ DBUG_VOID_RETURN; ++ ++ MYSQL_RES *res= mysql_store_result(db_conn); ++ if (!res) ++ DBUG_VOID_RETURN; ++ ++ uint num_fields= mysql_num_fields(res); ++ if (num_fields != 3) + { +-#if MYSQL_VERSION_ID < 50500 +- if (!(db_conn->last_used_con->server_status & SERVER_MORE_RESULTS_EXISTS)) +-#else +- if (!(db_conn->server_status & SERVER_MORE_RESULTS_EXISTS)) +-#endif +- { +- if ( +- spider_param_dry_access() || +- !mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR, +- SPIDER_SQL_SHOW_WARNINGS_LEN) +- ) { +- MYSQL_RES *res = NULL; +- MYSQL_ROW row = NULL; +- uint num_fields; +- if ( +- spider_param_dry_access() || +- !(res = mysql_store_result(db_conn)) || +- !(row = mysql_fetch_row(res)) +- ) { +- if (mysql_errno(db_conn)) +- { +- if (res) +- mysql_free_result(res); +- DBUG_VOID_RETURN; +- } +- /* no record is ok */ +- } +- num_fields = mysql_num_fields(res); +- if (num_fields != 3) +- { +- mysql_free_result(res); +- DBUG_VOID_RETURN; +- } +- while (row) +- { +- fprintf(stderr, "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] " +- "from [%s] %ld to %ld: %s %s %s\n", ++ mysql_free_result(res); ++ DBUG_VOID_RETURN; ++ } ++ ++ MYSQL_ROW row= mysql_fetch_row(res); ++ while (row) ++ { ++ fprintf(stderr, ++ "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] from [%s] %ld " ++ "to %ld: %s %s %s\n", + l_time->tm_year + 1900, l_time->tm_mon + 1, l_time->tm_mday, +- l_time->tm_hour, l_time->tm_min, l_time->tm_sec, +- conn->tgt_host, (ulong) db_conn->thread_id, +- (ulong) current_thd->thread_id, row[0], row[1], row[2]); +- row = mysql_fetch_row(res); +- } +- if (res) +- mysql_free_result(res); +- } +- } ++ l_time->tm_hour, l_time->tm_min, l_time->tm_sec, conn->tgt_host, ++ (ulong) db_conn->thread_id, (ulong) current_thd->thread_id, row[0], ++ row[1], row[2]); ++ row= mysql_fetch_row(res); + } ++ mysql_free_result(res); ++ + DBUG_VOID_RETURN; + } + +diff --git a/storage/spider/spd_db_mysql.h b/storage/spider/spd_db_mysql.h +index 626bb4d5..82c7c0ec 100644 +--- a/storage/spider/spd_db_mysql.h ++++ b/storage/spider/spd_db_mysql.h +@@ -439,9 +439,7 @@ class spider_db_mbase: public spider_db_conn + bool is_xa_nota_error( + int error_num + ); +- void print_warnings( +- struct tm *l_time +- ); ++ void fetch_and_print_warnings(struct tm *l_time); + spider_db_result *store_result( + spider_db_result_buffer **spider_res_buf, + st_spider_db_request_key *request_key, +-- +2.25.1 diff --git a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch b/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch deleted file mode 100644 index b1ce963602..0000000000 --- a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch +++ /dev/null @@ -1,73 +0,0 @@ -Author: Vicențiu Ciorbaru <vicentiu@mariadb.org> -Date: Fri Dec 21 19:14:04 2018 +0200 - - Link with libatomic to enable C11 atomics support - - Some architectures (mips) require libatomic to support proper - atomic operations. Check first if support is available without - linking, otherwise use the library. - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - -Index: mariadb-10.4.17/configure.cmake -=================================================================== ---- mariadb-10.4.17.orig/configure.cmake -+++ mariadb-10.4.17/configure.cmake -@@ -863,7 +863,25 @@ int main() - long long int *ptr= &var; - return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST); - }" --HAVE_GCC_C11_ATOMICS) -+HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC) -+IF (HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC) -+ SET(HAVE_GCC_C11_ATOMICS True) -+ELSE() -+ SET(OLD_CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES}) -+ LIST(APPEND CMAKE_REQUIRED_LIBRARIES "atomic") -+ CHECK_CXX_SOURCE_COMPILES(" -+ int main() -+ { -+ long long int var= 1; -+ long long int *ptr= &var; -+ return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST); -+ }" -+ HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ IF(HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ SET(HAVE_GCC_C11_ATOMICS True) -+ ENDIF() -+ SET(CMAKE_REQUIRED_LIBRARIES ${OLD_CMAKE_REQUIRED_LIBRARIES}) -+ENDIF() - - IF(WITH_VALGRIND) - SET(HAVE_valgrind 1) -Index: mariadb-10.4.17/mysys/CMakeLists.txt -=================================================================== ---- mariadb-10.4.17.orig/mysys/CMakeLists.txt -+++ mariadb-10.4.17/mysys/CMakeLists.txt -@@ -78,6 +78,10 @@ TARGET_LINK_LIBRARIES(mysys dbug strings - ${LIBNSL} ${LIBM} ${LIBRT} ${CMAKE_DL_LIBS} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY}) - DTRACE_INSTRUMENT(mysys) - -+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ TARGET_LINK_LIBRARIES(mysys atomic) -+ENDIF() -+ - IF(HAVE_BFD_H) - TARGET_LINK_LIBRARIES(mysys bfd) - ENDIF(HAVE_BFD_H) -Index: mariadb-10.4.17/sql/CMakeLists.txt -=================================================================== ---- mariadb-10.4.17.orig/sql/CMakeLists.txt -+++ mariadb-10.4.17/sql/CMakeLists.txt -@@ -196,6 +196,10 @@ ELSE() - SET(MYSQLD_SOURCE main.cc ${DTRACE_PROBES_ALL}) - ENDIF() - -+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ TARGET_LINK_LIBRARIES(sql atomic) -+ENDIF() -+ - - IF(MSVC AND NOT WITHOUT_DYNAMIC_PLUGINS) - diff --git a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch b/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch deleted file mode 100644 index c77a869441..0000000000 --- a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch +++ /dev/null @@ -1,32 +0,0 @@ -libc++ also has a file called version and this file and how cflags are specified -it ends up including this file and resulting in compile errors - -fixes errors like -storage/mroonga/version:1:1: error: expected unqualified-id -7.07 -^ - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - ---- a/storage/mroonga/CMakeLists.txt -+++ b/storage/mroonga/CMakeLists.txt -@@ -80,7 +80,7 @@ else() - set(MRN_SOURCE_DIR ${CMAKE_SOURCE_DIR}) - endif() - --file(READ ${MRN_SOURCE_DIR}/version MRN_VERSION) -+file(READ ${MRN_SOURCE_DIR}/ver MRN_VERSION) - file(READ ${MRN_SOURCE_DIR}/version_major MRN_VERSION_MAJOR) - file(READ ${MRN_SOURCE_DIR}/version_minor MRN_VERSION_MINOR) - file(READ ${MRN_SOURCE_DIR}/version_micro MRN_VERSION_MICRO) ---- /dev/null -+++ b/storage/mroonga/ver -@@ -0,0 +1 @@ -+7.07 -\ No newline at end of file ---- a/storage/mroonga/version -+++ /dev/null -@@ -1 +0,0 @@ --7.07 -\ No newline at end of file diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.4.20.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.4.28.bb index c0b53379d9..c0b53379d9 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb_10.4.20.bb +++ b/meta-oe/recipes-dbs/mysql/mariadb_10.4.28.bb diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch index a1f5b2a7b4..e5fb85170b 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch @@ -9,10 +9,10 @@ extending the existing aarch64 macro works. src/include/storage/s_lock.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h -index 3fe29ce..7cd578f 100644 ---- a/src/include/storage/s_lock.h -+++ b/src/include/storage/s_lock.h +Index: postgresql-12.16/src/include/storage/s_lock.h +=================================================================== +--- postgresql-12.16.orig/src/include/storage/s_lock.h ++++ postgresql-12.16/src/include/storage/s_lock.h @@ -317,11 +317,12 @@ tas(volatile slock_t *lock) /* @@ -35,7 +35,4 @@ index 3fe29ce..7cd578f 100644 +#endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */ - /* --- -2.9.3 - + /* S/390 and S/390x Linux (32- and 64-bit zSeries) */ diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch index 32b7f42845..70c813adf5 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch @@ -19,11 +19,11 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> src/common/Makefile | 4 ---- 1 file changed, 4 deletions(-) -diff --git a/src/common/Makefile b/src/common/Makefile -index 1fc2c66..5e6c457 100644 ---- a/src/common/Makefile -+++ b/src/common/Makefile -@@ -27,10 +27,6 @@ include $(top_builddir)/src/Makefile.global +Index: postgresql-12.16/src/common/Makefile +=================================================================== +--- postgresql-12.16.orig/src/common/Makefile ++++ postgresql-12.16/src/common/Makefile +@@ -31,10 +31,6 @@ include $(top_builddir)/src/Makefile.glo # don't include subdirectory-path-dependent -I and -L switches STD_CPPFLAGS := $(filter-out -I$(top_srcdir)/src/include -I$(top_builddir)/src/include,$(CPPFLAGS)) STD_LDFLAGS := $(filter-out -L$(top_builddir)/src/common -L$(top_builddir)/src/port,$(LDFLAGS)) @@ -34,6 +34,3 @@ index 1fc2c66..5e6c457 100644 override CPPFLAGS += -DVAL_CFLAGS_SL="\"$(CFLAGS_SL)\"" override CPPFLAGS += -DVAL_LDFLAGS="\"$(STD_LDFLAGS)\"" override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\"" --- -2.7.4 - diff --git a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch index 22b62d9ded..eb6226b179 100644 --- a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch +++ b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch @@ -19,11 +19,11 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com> configure.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/configure.in b/configure.in -index b98b9bb..8584677 100644 ---- a/configure.in -+++ b/configure.in -@@ -2211,7 +2211,7 @@ Use --without-tcl to disable building PL/Tcl.]) +Index: postgresql-12.16/configure.in +=================================================================== +--- postgresql-12.16.orig/configure.in ++++ postgresql-12.16/configure.in +@@ -2357,7 +2357,7 @@ Use --without-tcl to disable building PL fi # check for <perl.h> @@ -32,6 +32,3 @@ index b98b9bb..8584677 100644 ac_save_CPPFLAGS=$CPPFLAGS CPPFLAGS="$CPPFLAGS $perl_includespec" AC_CHECK_HEADER(perl.h, [], [AC_MSG_ERROR([header file <perl.h> is required for Perl])], --- -2.7.4 - diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.18.bb index b4c23ced24..44074a233c 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.18.bb @@ -1,6 +1,6 @@ require postgresql.inc -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=255f15687738db8068fbe9b938c90217" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=89afbb2d7716371015101c2b2cb4297a" SRC_URI += "\ file://not-check-libperl.patch \ @@ -8,4 +8,4 @@ SRC_URI += "\ file://0001-Improve-reproducibility.patch \ " -SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce" +SRC_URI[sha256sum] = "4f9919725d941ce9868e07fe1ed1d3a86748599b483386547583928b74c3918a" diff --git a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb index cbeb99316e..1e474225a2 100644 --- a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb +++ b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb @@ -26,10 +26,10 @@ SRCREV_protobuf = "cb6dd4ef5f82e41e06179dcd57d3b1d9246ad6ac" SRCREV_lss = "8048ece6c16c91acfe0d36d1d3cc0890ab6e945c" SRCREV_gyp = "324dd166b7c0b39d513026fa52d6280ac6d56770" -SRC_URI = "git://github.com/google/breakpad;name=breakpad;branch=master;protocol=https \ - git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest;branch=master;protocol=https \ - git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf;branch=master;protocol=https \ - git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss;branch=master \ +SRC_URI = "git://github.com/google/breakpad;name=breakpad;branch=main;protocol=https \ + git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest;branch=main;protocol=https \ + git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf;branch=main;protocol=https \ + git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss;branch=main \ git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp;branch=master \ file://0001-include-sys-reg.h-to-get-__WORDSIZE-on-musl-libc.patch \ file://0003-Fix-conflict-between-musl-libc-dirent.h-and-lss.patch \ diff --git a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb index cb748d3cb6..fa1751e566 100644 --- a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb +++ b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb @@ -5,7 +5,9 @@ SECTION = "console/tools" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://../LICENSE;md5=a05663ae6cca874123bf667a60dca8c9" -SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https" +SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https \ + file://CVE-2022-46149.patch \ +" SRCREV = "3f44c6db0f0f6c0cab0633f15f15d0a2acd01d19" S = "${WORKDIR}/git/c++" diff --git a/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch new file mode 100644 index 0000000000..b6b1fa6514 --- /dev/null +++ b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch @@ -0,0 +1,49 @@ +From 25d34c67863fd960af34fc4f82a7ca3362ee74b9 Mon Sep 17 00:00:00 2001 +From: Kenton Varda <kenton@cloudflare.com> +Date: Wed, 23 Nov 2022 12:02:29 -0600 +Subject: [PATCH] Apply data offset for list-of-pointers at access time rather + than ListReader creation time. + +Baking this offset into `ptr` reduced ops needed at access time but made the interpretation of `ptr` inconsistent depending on what type of list was expected. + +CVE: CVE-2022-46149 +Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +--- + c++/src/capnp/layout.c++ | 4 ---- + c++/src/capnp/layout.h | 6 +++++- + 2 files changed, 5 insertions(+), 5 deletions(-) + +Index: c++/src/capnp/layout.c++ +=================================================================== +--- c++.orig/src/capnp/layout.c++ ++++ c++/src/capnp/layout.c++ +@@ -2322,10 +2322,6 @@ struct WireHelpers { + break; + + case ElementSize::POINTER: +- // We expected a list of pointers but got a list of structs. Assuming the first field +- // in the struct is the pointer we were looking for, we want to munge the pointer to +- // point at the first element's pointer section. +- ptr += tag->structRef.dataSize.get(); + KJ_REQUIRE(tag->structRef.ptrCount.get() > ZERO * POINTERS, + "Expected a pointer list, but got a list of data-only structs.") { + goto useDefault; +Index: c++/src/capnp/layout.h +=================================================================== +--- c++.orig/src/capnp/layout.h ++++ c++/src/capnp/layout.h +@@ -1235,8 +1235,12 @@ inline Void ListReader::getDataElement<V + } + + inline PointerReader ListReader::getPointerElement(ElementCount index) const { ++ // If the list elements have data sections we need to skip those. Note that for pointers to be ++ // present at all (which already must be true if we get here), then `structDataSize` must be a ++ // whole number of words, so we don't have to worry about unaligned reads here. ++ auto offset = structDataSize / BITS_PER_BYTE; + return PointerReader(segment, capTable, reinterpret_cast<const WirePointer*>( +- ptr + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit); ++ ptr + offset + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit); + } + + // ------------------------------------------------------------------- diff --git a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb index db7a8d7933..d1b7134b83 100644 --- a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb +++ b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb @@ -7,7 +7,7 @@ SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master;protocol=htt SRCREV = "c5416adeb210154dc4ccc4c3e1c5297d83ebd41e" PV = "1.1" -SRC_URI_append_class-target = "file://oe-remote.repo.sample" +SRC_URI_append_class-target = " file://oe-remote.repo.sample" inherit distutils3-base diff --git a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb index 859d6a0b05..c4f3594f36 100644 --- a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb +++ b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb @@ -24,12 +24,17 @@ BUILD_CXXFLAGS += "-std=c++11 -fPIC" # BUILD_TYPE=Release is required, otherwise flatc is not installed EXTRA_OECMAKE += "\ -DCMAKE_BUILD_TYPE=Release \ - -DFLATBUFFERS_BUILD_TESTS=OFF \ + -DFLATBUFFERS_BUILD_TESTS=OFF \ -DFLATBUFFERS_BUILD_SHAREDLIB=ON \ " inherit cmake +rm_flatc_cmaketarget_for_target() { + rm -f "${SYSROOT_DESTDIR}/${libdir}/cmake/flatbuffers/FlatcTargets.cmake" +} +SYSROOT_PREPROCESS_FUNCS:class-target += "rm_flatc_cmaketarget_for_target" + S = "${WORKDIR}/git" FILES_${PN}-compiler = "${bindir}" diff --git a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb index fa4cbd0b47..8a055412f2 100644 --- a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb +++ b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb @@ -15,7 +15,7 @@ SRCREV_grpc = "2de2e8dd8921e1f7d043e01faf7fe8a291fbb072" SRCREV_upb = "9effcbcb27f0a665f9f345030188c0b291e32482" BRANCH = "v1.24.x" SRC_URI = "git://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BRANCH} \ - git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb;branch=master;protocol=https \ + git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb;branch=main;protocol=https \ file://0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch \ " SRCREV_FORMAT = "grpc_upb" @@ -63,6 +63,6 @@ do_configure_prepend_toolchain-clang_x86() { BBCLASSEXTEND = "native nativesdk" -SYSROOT_DIRS_BLACKLIST_append_class-target = "${baselib}/cmake/grpc" +SYSROOT_DIRS_BLACKLIST_append_class-target = " ${baselib}/cmake/grpc" FILES_${PN}-dev += "${bindir}" diff --git a/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch b/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch new file mode 100644 index 0000000000..784f175eea --- /dev/null +++ b/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch @@ -0,0 +1,52 @@ +From 2d5a94aeeab01f0448b5a0bb8d4a9a23a5b790d5 Mon Sep 17 00:00:00 2001 +From: Andrew Childs <lorne@cons.org.nz> +Date: Sat, 28 Dec 2019 16:04:24 +0900 +Subject: [PATCH] json_writer: fix inverted sense in isAnyCharRequiredQuoting + (#1120) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This bug is only affects platforms where `char` is unsigned. + +When char is a signed type, values >= 0x80 are also considered < 0, +and hence require escaping due to the < ' ' condition. + +When char is an unsigned type, values >= 0x80 match none of the +conditions and are considered safe to emit without escaping. + +This shows up as a test failure: + +* Detail of EscapeSequenceTest/writeEscapeSequence test failure: +/build/source/src/test_lib_json/main.cpp(3370): expected == result + Expected: '["\"","\\","\b","\f","\n","\r","\t","\u0278","\ud852\udf62"] + ' + Actual : '["\"","\\","\b","\f","\n","\r","\t","ɸ","𤭢"] + ' +Upstream-Status: Backport [https://github.com/open-source-parsers/jsoncpp/commit/f11611c8785082ead760494cba06196f14a06dcb] + +Signed-off-by: Viktor Rosendahl <Viktor.Rosendahl@bmw.de> + +--- + src/lib_json/json_writer.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/lib_json/json_writer.cpp b/src/lib_json/json_writer.cpp +index 519ce23..b68a638 100644 +--- a/src/lib_json/json_writer.cpp ++++ b/src/lib_json/json_writer.cpp +@@ -178,8 +178,9 @@ static bool isAnyCharRequiredQuoting(char const* s, size_t n) { + + char const* const end = s + n; + for (char const* cur = s; cur < end; ++cur) { +- if (*cur == '\\' || *cur == '\"' || *cur < ' ' || +- static_cast<unsigned char>(*cur) < 0x80) ++ if (*cur == '\\' || *cur == '\"' || ++ static_cast<unsigned char>(*cur) < ' ' || ++ static_cast<unsigned char>(*cur) >= 0x80) + return true; + } + return false; +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb index 629881f0cf..ae4b4c9840 100644 --- a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb +++ b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb @@ -14,7 +14,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=fa2a23dd1dc6c139f35105379d76df2b" SRCREV = "d2e6a971f4544c55b8e3b25cf96db266971b778f" -SRC_URI = "git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https" +SRC_URI = "\ + git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https \ + file://0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch \ + " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch new file mode 100644 index 0000000000..606c9ea98c --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch @@ -0,0 +1,73 @@ +From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001 +From: Steve Sakoman <steve@sakoman.com> +Date: Mon, 18 Apr 2022 09:04:08 -1000 +Subject: [PATCH] lua: fix CVE-2022-28805 + +singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup +call, leading to a heap-based buffer over-read that might affect a system that +compiles untrusted Lua code. + +https://nvd.nist.gov/vuln/detail/CVE-2022-28805 + +(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e) + +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354) +Signed-off-by: Omkar Patil <omkar.patil@kpit.com> +--- + .../lua/lua/CVE-2022-28805.patch | 28 +++++++++++++++++++ + meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 + + 2 files changed, 29 insertions(+) + create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch + +diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch +new file mode 100644 +index 000000000..0a21d1ce7 +--- /dev/null ++++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch +@@ -0,0 +1,28 @@ ++From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 ++From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> ++Date: Tue, 15 Feb 2022 12:28:46 -0300 ++Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> ++ ++CVE: CVE-2022-28805 ++ ++Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] ++ ++Signed-off-by: Sana Kazi <sana.kazi@kpit.com> ++Signed-off-by: Steve Sakoman <steve@sakoman.com> ++--- ++ src/lparser.c | 1 + ++ 1 files changed, 1 insertions(+) ++ ++diff --git a/src/lparser.c b/src/lparser.c ++index 3abe3d751..a5cd55257 100644 ++--- a/src/lparser.c +++++ b/src/lparser.c ++@@ -300,6 +300,7 @@ ++ expdesc key; ++ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ ++ lua_assert(var->k != VVOID); /* this one must exist */ +++ luaK_exp2anyregup(fs, var); /* but could be a constant */ ++ codestring(ls, &key, varname); /* key is variable name */ ++ luaK_indexed(fs, var, &key); /* env[varname] */ ++ } ++ +diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +index 342ed1b54..0137cc3c5 100644 +--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb ++++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ + file://CVE-2020-15888.patch \ + file://CVE-2020-15945.patch \ + file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ ++ file://CVE-2022-28805.patch \ + " + + # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch new file mode 100644 index 0000000000..0a21d1ce77 --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch @@ -0,0 +1,28 @@ +From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> +Date: Tue, 15 Feb 2022 12:28:46 -0300 +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> + +CVE: CVE-2022-28805 + +Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] + +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +--- + src/lparser.c | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/src/lparser.c b/src/lparser.c +index 3abe3d751..a5cd55257 100644 +--- a/src/lparser.c ++++ b/src/lparser.c +@@ -300,6 +300,7 @@ + expdesc key; + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ + lua_assert(var->k != VVOID); /* this one must exist */ ++ luaK_exp2anyregup(fs, var); /* but could be a constant */ + codestring(ls, &key, varname); /* key is variable name */ + luaK_indexed(fs, var, &key); /* env[varname] */ + } + diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb index 342ed1b547..d46d402aa3 100644 --- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb @@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ file://CVE-2020-15888.patch \ file://CVE-2020-15945.patch \ file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ + file://CVE-2022-28805.patch \ " # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. @@ -31,7 +32,7 @@ PACKAGECONFIG ??= "readline" PACKAGECONFIG[readline] = ",,readline" UCLIBC_PATCHES += "file://uclibc-pthread.patch" -SRC_URI_append_libc-uclibc = "${UCLIBC_PATCHES}" +SRC_URI_append_libc-uclibc = " ${UCLIBC_PATCHES}" TARGET_CC_ARCH += " -fPIC ${LDFLAGS}" EXTRA_OEMAKE = "'CC=${CC} -fPIC' 'MYCFLAGS=${CFLAGS} -fPIC' MYLDFLAGS='${LDFLAGS}'" diff --git a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb index 5b1e2dfbf7..9de6f8c99d 100644 --- a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb +++ b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb @@ -25,6 +25,6 @@ RDEPENDS_${PN} += "\ protobuf-compiler \ " -BBCLASSEXTEND = "native nativesdk" +BBCLASSEXTEND = "nativesdk" PNBLACKLIST[nanopb] = "Needs forward porting to use python3" diff --git a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb index 2749f44978..a7ba46c8d1 100644 --- a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb +++ b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=f5f7c71504da070bcf4f090205ce1080" -SRC_URI = "git://github.com/nlohmann/json.git;nobranch=1;protocol=https \ +SRC_URI = "git://github.com/nlohmann/json.git;branch=develop;protocol=https \ file://0001-Templatize-basic_json-ctor-from-json_ref.patch \ file://0001-typo-fix.patch \ " diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch new file mode 100644 index 0000000000..c719c9c3b0 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch @@ -0,0 +1,22 @@ +From 7d94bfe53beeb2d25eb5f2ff6b1d509df7e6ab80 Mon Sep 17 00:00:00 2001 +From: Zuzana Svetlikova <zsvetlik@redhat.com> +Date: Thu, 27 Apr 2017 14:25:42 +0200 +Subject: [PATCH] Disable running gyp on shared deps + +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 93d63110..79caaec2 100644 +--- a/Makefile ++++ b/Makefile +@@ -138,7 +138,7 @@ with-code-cache test-code-cache: + $(warning '$@' target is a noop) + + out/Makefile: config.gypi common.gypi node.gyp \ +- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \ ++ deps/llhttp/llhttp.gyp \ + tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ + tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp + $(PYTHON) tools/gyp_node.py -f make diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch new file mode 100644 index 0000000000..8c5f75112d --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch @@ -0,0 +1,40 @@ +From e1d838089cd461d9efcf4d29d9f18f65994d2d6b Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Sun, 3 Oct 2021 22:48:39 +0200 +Subject: [PATCH] jinja/tests.py: add py 3.10 fix + +Upstream-Status: Pending +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + deps/v8/third_party/jinja2/tests.py | 2 +- + tools/inspector_protocol/jinja2/tests.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/deps/v8/third_party/jinja2/tests.py b/deps/v8/third_party/jinja2/tests.py +index 0adc3d4..b14f85f 100644 +--- a/deps/v8/third_party/jinja2/tests.py ++++ b/deps/v8/third_party/jinja2/tests.py +@@ -10,7 +10,7 @@ + """ + import operator + import re +-from collections import Mapping ++from collections.abc import Mapping + from jinja2.runtime import Undefined + from jinja2._compat import text_type, string_types, integer_types + import decimal +diff --git a/tools/inspector_protocol/jinja2/tests.py b/tools/inspector_protocol/jinja2/tests.py +index 0adc3d4..b14f85f 100644 +--- a/tools/inspector_protocol/jinja2/tests.py ++++ b/tools/inspector_protocol/jinja2/tests.py +@@ -10,7 +10,7 @@ + """ + import operator + import re +-from collections import Mapping ++from collections.abc import Mapping + from jinja2.runtime import Undefined + from jinja2._compat import text_type, string_types, integer_types + import decimal +-- +2.20.1 diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch new file mode 100644 index 0000000000..ee287bf94a --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch @@ -0,0 +1,27 @@ +From 0976af0f3b328436ea44a74a406f311adb2ab211 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Tue, 15 Jun 2021 19:01:31 -0700 +Subject: [PATCH] ppc64: Do not use -mminimal-toc with clang + +clang does not support this option + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + common.gypi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common.gypi b/common.gypi +index ee91fb1d..049c8f8c 100644 +--- a/common.gypi ++++ b/common.gypi +@@ -413,7 +413,7 @@ + 'ldflags': [ '-m32' ], + }], + [ 'target_arch=="ppc64" and OS!="aix"', { +- 'cflags': [ '-m64', '-mminimal-toc' ], ++ 'cflags': [ '-m64' ], + 'ldflags': [ '-m64' ], + }], + [ 'target_arch=="s390x"', { +-- +2.32.0 diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch new file mode 100644 index 0000000000..c6fc2dcd76 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch @@ -0,0 +1,62 @@ +From 6c3ac20477a4bac643088f24df3c042e627fafa9 Mon Sep 17 00:00:00 2001 +From: Guillaume Burel <guillaume.burel@stormshield.eu> +Date: Fri, 3 Jan 2020 11:25:54 +0100 +Subject: [PATCH] Using native binaries + +--- + node.gyp | 4 ++-- + tools/v8_gypfiles/v8.gyp | 11 ++++------- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/node.gyp ++++ b/node.gyp +@@ -487,6 +487,7 @@ + 'action_name': 'run_mkcodecache', + 'process_outputs_as_sources': 1, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(mkcodecache_exec)', + ], + 'outputs': [ +@@ -512,6 +513,7 @@ + 'action_name': 'node_mksnapshot', + 'process_outputs_as_sources': 1, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(node_mksnapshot_exec)', + ], + 'outputs': [ +--- a/tools/v8_gypfiles/v8.gyp ++++ b/tools/v8_gypfiles/v8.gyp +@@ -220,6 +220,7 @@ + { + 'action_name': 'run_torque_action', + 'inputs': [ # Order matters. ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)torque<(EXECUTABLE_SUFFIX)', + '<@(torque_files)', + ], +@@ -351,6 +352,7 @@ + { + 'action_name': 'generate_bytecode_builtins_list_action', + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)bytecode_builtins_list_generator<(EXECUTABLE_SUFFIX)', + ], + 'outputs': [ +@@ -533,6 +535,7 @@ + ], + }, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(mksnapshot_exec)', + ], + 'outputs': [ +@@ -1448,6 +1451,7 @@ + { + 'action_name': 'run_gen-regexp-special-case_action', + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)gen-regexp-special-case<(EXECUTABLE_SUFFIX)', + ], + 'outputs': [ diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch new file mode 100644 index 0000000000..3c4b2317d8 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch @@ -0,0 +1,84 @@ +From 5b22fac923d1ca3e9fefb97f5a171124a88f5e22 Mon Sep 17 00:00:00 2001 +From: Elliott Sales de Andrade <quantum.analyst@gmail.com> +Date: Tue, 19 Mar 2019 23:22:40 -0400 +Subject: [PATCH] Install both binaries and use libdir. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows us to build with a shared library for other users while +still providing the normal executable. + +Taken from - https://src.fedoraproject.org/rpms/nodejs/raw/rawhide/f/0002-Install-both-binaries-and-use-libdir.patch + +Upstream-Status: Pending + +Signed-off-by: Elliott Sales de Andrade <quantum.analyst@gmail.com> +Signed-off-by: Andreas Müller <schnitzeltony@gmail.com> +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + configure.py | 7 +++++++ + tools/install.py | 21 +++++++++------------ + 2 files changed, 16 insertions(+), 12 deletions(-) + +diff --git a/configure.py b/configure.py +index e6f7e4db..6cf5c45d 100755 +--- a/configure.py ++++ b/configure.py +@@ -626,6 +626,12 @@ parser.add_option('--shared', + help='compile shared library for embedding node in another project. ' + + '(This mode is not officially supported for regular applications)') + ++parser.add_option('--libdir', ++ action='store', ++ dest='libdir', ++ default='lib', ++ help='a directory to install the shared library into') ++ + parser.add_option('--without-v8-platform', + action='store_true', + dest='without_v8_platform', +@@ -1202,6 +1208,7 @@ def configure_node(o): + o['variables']['node_no_browser_globals'] = b(options.no_browser_globals) + + o['variables']['node_shared'] = b(options.shared) ++ o['variables']['libdir'] = options.libdir + node_module_version = getmoduleversion.get_version() + + if options.dest_os == 'android': +diff --git a/tools/install.py b/tools/install.py +index 729b416f..9bfc6234 100755 +--- a/tools/install.py ++++ b/tools/install.py +@@ -121,22 +121,19 @@ def subdir_files(path, dest, action): + + def files(action): + is_windows = sys.platform == 'win32' +- output_file = 'node' + output_prefix = 'out/Release/' ++ output_libprefix = output_prefix + +- if 'false' == variables.get('node_shared'): +- if is_windows: +- output_file += '.exe' ++ if is_windows: ++ output_bin = 'node.exe' ++ output_lib = 'node.dll' + else: +- if is_windows: +- output_file += '.dll' +- else: +- output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix') ++ output_bin = 'node' ++ output_lib = 'libnode.' + variables.get('shlib_suffix') + +- if 'false' == variables.get('node_shared'): +- action([output_prefix + output_file], 'bin/' + output_file) +- else: +- action([output_prefix + output_file], 'lib/' + output_file) ++ action([output_prefix + output_bin], 'bin/' + output_bin) ++ if 'true' == variables.get('node_shared'): ++ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib) + + if 'true' == variables.get('node_use_dtrace'): + action(['out/Release/node.d'], 'lib/dtrace/node.d') diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-32212.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-32212.patch new file mode 100644 index 0000000000..f7b4b61f47 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-32212.patch @@ -0,0 +1,133 @@ +commit 48c5aa5cab718d04473fa2761d532657c84b8131 +Author: Tobias Nießen <tniessen@tnie.de> +Date: Fri May 27 21:18:49 2022 +0000 + + src: fix IPv4 validation in inspector_socket + + Co-authored-by: RafaelGSS <rafael.nunu@hotmail.com> + PR-URL: https://github.com/nodejs-private/node-private/pull/320 + Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/325 + Reviewed-By: Matteo Collina <matteo.collina@gmail.com> + Reviewed-By: RafaelGSS <rafael.nunu@hotmail.com> + CVE-ID: CVE-2022-32212 + +CVE: CVE-2022-32212 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-32212.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +Index: nodejs-12.22.12~dfsg/src/inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/inspector_socket.cc ++++ nodejs-12.22.12~dfsg/src/inspector_socket.cc +@@ -168,14 +168,22 @@ static std::string TrimPort(const std::s + static bool IsIPAddress(const std::string& host) { + if (host.length() >= 4 && host.front() == '[' && host.back() == ']') + return true; +- int quads = 0; ++ uint_fast16_t accum = 0; ++ uint_fast8_t quads = 0; ++ bool empty = true; ++ auto endOctet = [&accum, &quads, &empty](bool final = false) { ++ return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) && ++ (empty = true) && !(accum = 0); ++ }; + for (char c : host) { +- if (c == '.') +- quads++; +- else if (!isdigit(c)) ++ if (isdigit(c)) { ++ if ((accum = (accum * 10) + (c - '0')) > 0xff) return false; ++ empty = false; ++ } else if (c != '.' || !endOctet()) { + return false; ++ } + } +- return quads == 3; ++ return endOctet(true); + } + + // Constants for hybi-10 frame format. +Index: nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/test/cctest/test_inspector_socket.cc ++++ nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +@@ -851,4 +851,78 @@ TEST_F(InspectorSocketTest, HostCheckedF + expect_failure_no_delegate(UPGRADE_REQUEST); + } + ++TEST_F(InspectorSocketTest, HostIPChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 10.0.2.555:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostNegativeIPChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 10.0.-23.255:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpOctetOutOfIntRangeChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = ++ "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.4294967296:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpOctetFarOutOfIntRangeChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = ++ "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.18446744073709552000:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpEmptyOctetStartChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: .0.0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpEmptyOctetMidChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127..0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpEmptyOctetEndChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpTooFewOctetsChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpTooManyOctetsChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ + } // anonymous namespace diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-35255.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-35255.patch new file mode 100644 index 0000000000..e9c2e7404a --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-35255.patch @@ -0,0 +1,237 @@ +Origin: https://github.com/nodejs/node/commit/0c2a5723beff39d1f62daec96b5389da3d427e79 +Reviewed-by: Aron Xu <aron@debian.org> +Last-Update: 2022-01-05 +Comment: + Although WebCrypto is not implemented in 12.x series, this fix is introducing + enhancment to the crypto setup of V8:EntropySource(). + +commit 0c2a5723beff39d1f62daec96b5389da3d427e79 +Author: Ben Noordhuis <info@bnoordhuis.nl> +Date: Sun Sep 11 10:48:34 2022 +0200 + + crypto: fix weak randomness in WebCrypto keygen + + Commit dae283d96f from August 2020 introduced a call to EntropySource() + in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There + are two problems with that: + + 1. It does not check the return value, it assumes EntropySource() always + succeeds, but it can (and sometimes will) fail. + + 2. The random data returned byEntropySource() may not be + cryptographically strong and therefore not suitable as keying + material. + + An example is a freshly booted system or a system without /dev/random or + getrandom(2). + + EntropySource() calls out to openssl's RAND_poll() and RAND_bytes() in a + best-effort attempt to obtain random data. OpenSSL has a built-in CSPRNG + but that can fail to initialize, in which case it's possible either: + + 1. No random data gets written to the output buffer, i.e., the output is + unmodified, or + + 2. Weak random data is written. It's theoretically possible for the + output to be fully predictable because the CSPRNG starts from a + predictable state. + + Replace EntropySource() and CheckEntropy() with new function CSPRNG() + that enforces checking of the return value. Abort on startup when the + entropy pool fails to initialize because that makes it too easy to + compromise the security of the process. + + Refs: https://hackerone.com/bugs?report_id=1690000 + Refs: https://github.com/nodejs/node/pull/35093 + + Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> + Reviewed-By: Tobias Nießen <tniessen@tnie.de> + PR-URL: #346 + Backport-PR-URL: #351 + CVE-ID: CVE-2022-35255 + +CVE: CVE-2022-35255 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-35255.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +Index: nodejs-12.22.12~dfsg/node.gyp +=================================================================== +--- nodejs-12.22.12~dfsg.orig/node.gyp ++++ nodejs-12.22.12~dfsg/node.gyp +@@ -743,6 +743,8 @@ + 'openssl_default_cipher_list%': '', + }, + ++ 'cflags': ['-Werror=unused-result'], ++ + 'defines': [ + 'NODE_ARCH="<(target_arch)"', + 'NODE_PLATFORM="<(OS)"', +Index: nodejs-12.22.12~dfsg/src/node_crypto.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/node_crypto.cc ++++ nodejs-12.22.12~dfsg/src/node_crypto.cc +@@ -386,48 +386,14 @@ void ThrowCryptoError(Environment* env, + env->isolate()->ThrowException(exception); + } + ++MUST_USE_RESULT CSPRNGResult CSPRNG(void* buffer, size_t length) { ++ do { ++ if (1 == RAND_status()) ++ if (1 == RAND_bytes(static_cast<unsigned char*>(buffer), length)) ++ return {true}; ++ } while (1 == RAND_poll()); + +-// Ensure that OpenSSL has enough entropy (at least 256 bits) for its PRNG. +-// The entropy pool starts out empty and needs to fill up before the PRNG +-// can be used securely. Once the pool is filled, it never dries up again; +-// its contents is stirred and reused when necessary. +-// +-// OpenSSL normally fills the pool automatically but not when someone starts +-// generating random numbers before the pool is full: in that case OpenSSL +-// keeps lowering the entropy estimate to thwart attackers trying to guess +-// the initial state of the PRNG. +-// +-// When that happens, we will have to wait until enough entropy is available. +-// That should normally never take longer than a few milliseconds. +-// +-// OpenSSL draws from /dev/random and /dev/urandom. While /dev/random may +-// block pending "true" randomness, /dev/urandom is a CSPRNG that doesn't +-// block under normal circumstances. +-// +-// The only time when /dev/urandom may conceivably block is right after boot, +-// when the whole system is still low on entropy. That's not something we can +-// do anything about. +-inline void CheckEntropy() { +- for (;;) { +- int status = RAND_status(); +- CHECK_GE(status, 0); // Cannot fail. +- if (status != 0) +- break; +- +- // Give up, RAND_poll() not supported. +- if (RAND_poll() == 0) +- break; +- } +-} +- +- +-bool EntropySource(unsigned char* buffer, size_t length) { +- // Ensure that OpenSSL's PRNG is properly seeded. +- CheckEntropy(); +- // RAND_bytes() can return 0 to indicate that the entropy data is not truly +- // random. That's okay, it's still better than V8's stock source of entropy, +- // which is /dev/urandom on UNIX platforms and the current time on Windows. +- return RAND_bytes(buffer, length) != -1; ++ return {false}; + } + + void SecureContext::Initialize(Environment* env, Local<Object> target) { +@@ -649,9 +615,9 @@ void SecureContext::Init(const FunctionC + // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was + // exposed in the public API. To retain compatibility, install a callback + // which restores the old algorithm. +- if (RAND_bytes(sc->ticket_key_name_, sizeof(sc->ticket_key_name_)) <= 0 || +- RAND_bytes(sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_)) <= 0 || +- RAND_bytes(sc->ticket_key_aes_, sizeof(sc->ticket_key_aes_)) <= 0) { ++ if (CSPRNG(sc->ticket_key_name_, sizeof(sc->ticket_key_name_)).is_err() || ++ CSPRNG(sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_)).is_err() || ++ CSPRNG(sc->ticket_key_aes_, sizeof(sc->ticket_key_aes_)).is_err()) { + return env->ThrowError("Error generating ticket keys"); + } + SSL_CTX_set_tlsext_ticket_key_cb(sc->ctx_.get(), TicketCompatibilityCallback); +@@ -1643,7 +1609,7 @@ int SecureContext::TicketCompatibilityCa + + if (enc) { + memcpy(name, sc->ticket_key_name_, sizeof(sc->ticket_key_name_)); +- if (RAND_bytes(iv, 16) <= 0 || ++ if (CSPRNG(iv, 16).is_err() || + EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), nullptr, + sc->ticket_key_aes_, iv) <= 0 || + HMAC_Init_ex(hctx, sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_), +@@ -5867,8 +5833,7 @@ struct RandomBytesJob : public CryptoJob + : CryptoJob(env), rc(Nothing<int>()) {} + + inline void DoThreadPoolWork() override { +- CheckEntropy(); // Ensure that OpenSSL's PRNG is properly seeded. +- rc = Just(RAND_bytes(data, size)); ++ rc = Just(int(CSPRNG(data, size).is_ok())); + if (0 == rc.FromJust()) errors.Capture(); + } + +@@ -6318,8 +6283,8 @@ class GenerateKeyPairJob : public Crypto + } + + inline bool GenerateKey() { +- // Make sure that the CSPRNG is properly seeded so the results are secure. +- CheckEntropy(); ++ // Make sure that the CSPRNG is properly seeded. ++ CHECK(CSPRNG(nullptr, 0).is_ok()); + + // Create the key generation context. + EVPKeyCtxPointer ctx = config_->Setup(); +Index: nodejs-12.22.12~dfsg/src/node_crypto.h +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/node_crypto.h ++++ nodejs-12.22.12~dfsg/src/node_crypto.h +@@ -840,7 +840,19 @@ class ECDH final : public BaseObject { + const EC_GROUP* group_; + }; + +-bool EntropySource(unsigned char* buffer, size_t length); ++struct CSPRNGResult { ++ const bool ok; ++ MUST_USE_RESULT bool is_ok() const { return ok; } ++ MUST_USE_RESULT bool is_err() const { return !ok; } ++}; ++ ++// Either succeeds with exactly |length| bytes of cryptographically ++// strong pseudo-random data, or fails. This function may block. ++// Don't assume anything about the contents of |buffer| on error. ++// As a special case, |length == 0| can be used to check if the CSPRNG ++// is properly seeded without consuming entropy. ++MUST_USE_RESULT CSPRNGResult CSPRNG(void* buffer, size_t length); ++ + #ifndef OPENSSL_NO_ENGINE + void SetEngine(const v8::FunctionCallbackInfo<v8::Value>& args); + #endif // !OPENSSL_NO_ENGINE +Index: nodejs-12.22.12~dfsg/src/inspector_io.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/inspector_io.cc ++++ nodejs-12.22.12~dfsg/src/inspector_io.cc +@@ -46,8 +46,7 @@ std::string ScriptPath(uv_loop_t* loop, + // Used ver 4 - with numbers + std::string GenerateID() { + uint16_t buffer[8]; +- CHECK(crypto::EntropySource(reinterpret_cast<unsigned char*>(buffer), +- sizeof(buffer))); ++ CHECK(crypto::CSPRNG(buffer, sizeof(buffer)).is_ok()); + + char uuid[256]; + snprintf(uuid, sizeof(uuid), "%04x%04x-%04x-%04x-%04x-%04x%04x%04x", +Index: nodejs-12.22.12~dfsg/src/node.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/node.cc ++++ nodejs-12.22.12~dfsg/src/node.cc +@@ -969,9 +969,17 @@ InitializationResult InitializeOncePerPr + // the random source is properly initialized first. + OPENSSL_init(); + #endif // NODE_FIPS_MODE +- // V8 on Windows doesn't have a good source of entropy. Seed it from +- // OpenSSL's pool. +- V8::SetEntropySource(crypto::EntropySource); ++ // Ensure CSPRNG is properly seeded. ++ CHECK(crypto::CSPRNG(nullptr, 0).is_ok()); ++ ++ V8::SetEntropySource([](unsigned char* buffer, size_t length) { ++ // V8 falls back to very weak entropy when this function fails ++ // and /dev/urandom isn't available. That wouldn't be so bad if ++ // the entropy was only used for Math.random() but it's also used for ++ // hash table and address space layout randomization. Better to abort. ++ CHECK(crypto::CSPRNG(buffer, length).is_ok()); ++ return true; ++ }); + #endif // HAVE_OPENSSL + + per_process::v8_platform.Initialize( diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-43548.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-43548.patch new file mode 100644 index 0000000000..54da1fba99 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-43548.patch @@ -0,0 +1,214 @@ +commit 2b433af094fb79cf80f086038b7f36342cb6826f +Author: Tobias Nießen <tniessen@tnie.de> +Date: Sun Sep 25 12:34:05 2022 +0000 + + inspector: harden IP address validation again + + Use inet_pton() to parse IP addresses, which restricts IP addresses + to a small number of well-defined formats. In particular, octal and + hexadecimal number formats are not allowed, and neither are leading + zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable. + + Refs: https://hackerone.com/reports/1710652 + CVE-ID: CVE-2022-43548 + PR-URL: https://github.com/nodejs-private/node-private/pull/354 + Reviewed-by: Michael Dawson <midawson@redhat.com> + Reviewed-by: Rafael Gonzaga <rafael.nunu@hotmail.com> + Reviewed-by: Rich Trott <rtrott@gmail.com> + +CVE: CVE-2022-43548 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-43548.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +Index: nodejs-12.22.12~dfsg/src/inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/inspector_socket.cc ++++ nodejs-12.22.12~dfsg/src/inspector_socket.cc +@@ -10,6 +10,7 @@ + + #include "openssl/sha.h" // Sha-1 hash + ++#include <algorithm> + #include <cstring> + #include <map> + +@@ -166,25 +167,71 @@ static std::string TrimPort(const std::s + } + + static bool IsIPAddress(const std::string& host) { +- if (host.length() >= 4 && host.front() == '[' && host.back() == ']') ++ // TODO(tniessen): add CVEs to the following bullet points ++ // To avoid DNS rebinding attacks, we are aware of the following requirements: ++ // * the host name must be an IP address, ++ // * the IP address must be routable, and ++ // * the IP address must be formatted unambiguously. ++ ++ // The logic below assumes that the string is null-terminated, so ensure that ++ // we did not somehow end up with null characters within the string. ++ if (host.find('\0') != std::string::npos) return false; ++ ++ // All IPv6 addresses must be enclosed in square brackets, and anything ++ // enclosed in square brackets must be an IPv6 address. ++ if (host.length() >= 4 && host.front() == '[' && host.back() == ']') { ++ // INET6_ADDRSTRLEN is the maximum length of the dual format (including the ++ // terminating null character), which is the longest possible representation ++ // of an IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:ddd.ddd.ddd.ddd ++ if (host.length() - 2 >= INET6_ADDRSTRLEN) return false; ++ ++ // Annoyingly, libuv's implementation of inet_pton() deviates from other ++ // implementations of the function in that it allows '%' in IPv6 addresses. ++ if (host.find('%') != std::string::npos) return false; ++ ++ // Parse the IPv6 address to ensure it is syntactically valid. ++ char ipv6_str[INET6_ADDRSTRLEN]; ++ std::copy(host.begin() + 1, host.end() - 1, ipv6_str); ++ ipv6_str[host.length()] = '\0'; ++ unsigned char ipv6[sizeof(struct in6_addr)]; ++ if (uv_inet_pton(AF_INET6, ipv6_str, ipv6) != 0) return false; ++ ++ // The only non-routable IPv6 address is ::/128. It should not be necessary ++ // to explicitly reject it because it will still be enclosed in square ++ // brackets and not even macOS should make DNS requests in that case, but ++ // history has taught us that we cannot be careful enough. ++ // Note that RFC 4291 defines both "IPv4-Compatible IPv6 Addresses" and ++ // "IPv4-Mapped IPv6 Addresses", which means that there are IPv6 addresses ++ // (other than ::/128) that represent non-routable IPv4 addresses. However, ++ // this translation assumes that the host is interpreted as an IPv6 address ++ // in the first place, at which point DNS rebinding should not be an issue. ++ if (std::all_of(ipv6, ipv6 + sizeof(ipv6), [](auto b) { return b == 0; })) { ++ return false; ++ } ++ ++ // It is a syntactically valid and routable IPv6 address enclosed in square ++ // brackets. No client should be able to misinterpret this. + return true; +- uint_fast16_t accum = 0; +- uint_fast8_t quads = 0; +- bool empty = true; +- auto endOctet = [&accum, &quads, &empty](bool final = false) { +- return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) && +- (empty = true) && !(accum = 0); +- }; +- for (char c : host) { +- if (isdigit(c)) { +- if ((accum = (accum * 10) + (c - '0')) > 0xff) return false; +- empty = false; +- } else if (c != '.' || !endOctet()) { +- return false; +- } +- } +- return endOctet(true); +-} ++ } ++ ++ // Anything not enclosed in square brackets must be an IPv4 address. It is ++ // important here that inet_pton() accepts only the so-called dotted-decimal ++ // notation, which is a strict subset of the so-called numbers-and-dots ++ // notation that is allowed by inet_aton() and inet_addr(). This subset does ++ // not allow hexadecimal or octal number formats. ++ unsigned char ipv4[sizeof(struct in_addr)]; ++ if (uv_inet_pton(AF_INET, host.c_str(), ipv4) != 0) return false; ++ ++ // The only strictly non-routable IPv4 address is 0.0.0.0, and macOS will make ++ // DNS requests for this IP address, so we need to explicitly reject it. In ++ // fact, we can safely reject all of 0.0.0.0/8 (see Section 3.2 of RFC 791 and ++ // Section 3.2.1.3 of RFC 1122). ++ // Note that inet_pton() stores the IPv4 address in network byte order. ++ if (ipv4[0] == 0) return false; ++ ++ // It is a routable IPv4 address in dotted-decimal notation. ++ return true; ++ } + + // Constants for hybi-10 frame format. + +Index: nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/test/cctest/test_inspector_socket.cc ++++ nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +@@ -925,4 +925,84 @@ TEST_F(InspectorSocketTest, HostIpTooMan + expect_handshake_failure(); + } + ++TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetStartChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 08.1.1.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetMidChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.09.1.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetEndChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.1.1.009:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpLeadingZeroStartChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 01.1.1.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpLeadingZeroMidChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.1.001.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpLeadingZeroEndChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.1.1.01:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv6NonRoutable) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [::]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv6NonRoutableDual) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [::0.0.0.0]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv4InSquareBrackets) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [127.0.0.1]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv6InvalidAbbreviation) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [:::1]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ + } // anonymous namespace diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-llhttp.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-llhttp.patch new file mode 100644 index 0000000000..790cf92d2e --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-llhttp.patch @@ -0,0 +1,4348 @@ +Reviewed-by: Aron Xu <aron@debian.org> +Last-Update: 2023-01-05 +Comment: + This patch updates the embeded copy of llhttp from version 2.1.4 to 2.1.6, + which is upstream's actual fix for CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, + CVE-2022-35256. + Test cases are ported to use mustCall() to replace the later introduced + mustSucceed(), to avoid pulling in too many dependent new test codes. +References: + * https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd + * https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 + +CVE: CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 CVE-2022-35256 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-llhttp.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +--- nodejs-12.22.12~dfsg/deps/llhttp/include/llhttp.h ++++ nodejs-12.22.12~dfsg/deps/llhttp/include/llhttp.h +@@ -3,7 +3,7 @@ + + #define LLHTTP_VERSION_MAJOR 2 + #define LLHTTP_VERSION_MINOR 1 +-#define LLHTTP_VERSION_PATCH 4 ++#define LLHTTP_VERSION_PATCH 6 + + #ifndef LLHTTP_STRICT_MODE + # define LLHTTP_STRICT_MODE 0 +@@ -58,6 +58,7 @@ + HPE_OK = 0, + HPE_INTERNAL = 1, + HPE_STRICT = 2, ++ HPE_CR_EXPECTED = 25, + HPE_LF_EXPECTED = 3, + HPE_UNEXPECTED_CONTENT_LENGTH = 4, + HPE_CLOSED_CONNECTION = 5, +@@ -78,7 +79,7 @@ + HPE_CB_CHUNK_COMPLETE = 20, + HPE_PAUSED = 21, + HPE_PAUSED_UPGRADE = 22, +- HPE_USER = 23 ++ HPE_USER = 24 + }; + typedef enum llhttp_errno llhttp_errno_t; + +@@ -153,6 +154,7 @@ + XX(0, OK, OK) \ + XX(1, INTERNAL, INTERNAL) \ + XX(2, STRICT, STRICT) \ ++ XX(25, CR_EXPECTED, CR_EXPECTED) \ + XX(3, LF_EXPECTED, LF_EXPECTED) \ + XX(4, UNEXPECTED_CONTENT_LENGTH, UNEXPECTED_CONTENT_LENGTH) \ + XX(5, CLOSED_CONNECTION, CLOSED_CONNECTION) \ +@@ -173,7 +175,7 @@ + XX(20, CB_CHUNK_COMPLETE, CB_CHUNK_COMPLETE) \ + XX(21, PAUSED, PAUSED) \ + XX(22, PAUSED_UPGRADE, PAUSED_UPGRADE) \ +- XX(23, USER, USER) \ ++ XX(24, USER, USER) \ + + + #define HTTP_METHOD_MAP(XX) \ +--- nodejs-12.22.12~dfsg/deps/llhttp/src/llhttp.c ++++ nodejs-12.22.12~dfsg/deps/llhttp/src/llhttp.c +@@ -325,6 +325,7 @@ + s_n_llhttp__internal__n_header_value_lws, + s_n_llhttp__internal__n_header_value_almost_done, + s_n_llhttp__internal__n_header_value_lenient, ++ s_n_llhttp__internal__n_error_25, + s_n_llhttp__internal__n_header_value_otherwise, + s_n_llhttp__internal__n_header_value_connection_token, + s_n_llhttp__internal__n_header_value_connection_ws, +@@ -332,14 +333,16 @@ + s_n_llhttp__internal__n_header_value_connection_2, + s_n_llhttp__internal__n_header_value_connection_3, + s_n_llhttp__internal__n_header_value_connection, +- s_n_llhttp__internal__n_error_26, + s_n_llhttp__internal__n_error_27, ++ s_n_llhttp__internal__n_error_28, + s_n_llhttp__internal__n_header_value_content_length_ws, + s_n_llhttp__internal__n_header_value_content_length, +- s_n_llhttp__internal__n_header_value_te_chunked_last, ++ s_n_llhttp__internal__n_error_30, ++ s_n_llhttp__internal__n_error_29, + s_n_llhttp__internal__n_header_value_te_token_ows, + s_n_llhttp__internal__n_header_value, + s_n_llhttp__internal__n_header_value_te_token, ++ s_n_llhttp__internal__n_header_value_te_chunked_last, + s_n_llhttp__internal__n_header_value_te_chunked, + s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1, + s_n_llhttp__internal__n_header_value_discard_ws, +@@ -734,7 +737,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_2( ++int llhttp__internal__c_update_header_state_3( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -742,7 +745,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_4( ++int llhttp__internal__c_update_header_state_1( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -750,7 +753,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_5( ++int llhttp__internal__c_update_header_state_6( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -758,7 +761,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_6( ++int llhttp__internal__c_update_header_state_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -766,7 +769,7 @@ + return 0; + } + +-int llhttp__internal__c_test_flags_6( ++int llhttp__internal__c_test_flags_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -807,6 +810,13 @@ + return 0; + } + ++int llhttp__internal__c_test_flags_8( ++ llhttp__internal_t* state, ++ const unsigned char* p, ++ const unsigned char* endp) { ++ return (state->flags & 8) == 8; ++} ++ + int llhttp__internal__c_or_flags_16( + llhttp__internal_t* state, + const unsigned char* p, +@@ -823,7 +833,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_7( ++int llhttp__internal__c_update_header_state_8( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -831,7 +841,7 @@ + return 0; + } + +-int llhttp__internal__c_or_flags_17( ++int llhttp__internal__c_or_flags_18( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -1554,7 +1564,7 @@ + goto s_n_llhttp__internal__n_header_value_discard_lws; + } + default: { +- goto s_n_llhttp__internal__n_error_22; ++ goto s_n_llhttp__internal__n_error_23; + } + } + /* UNREACHABLE */; +@@ -1567,13 +1577,13 @@ + } + switch (*p) { + case 9: { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + case ' ': { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + default: { +- goto s_n_llhttp__internal__n_invoke_load_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_4; + } + } + /* UNREACHABLE */; +@@ -1590,7 +1600,7 @@ + goto s_n_llhttp__internal__n_header_value_lws; + } + default: { +- goto s_n_llhttp__internal__n_error_23; ++ goto s_n_llhttp__internal__n_error_24; + } + } + /* UNREACHABLE */; +@@ -1603,10 +1613,10 @@ + } + switch (*p) { + case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; + } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; + } + default: { + p++; +@@ -1616,20 +1626,27 @@ + /* UNREACHABLE */; + abort(); + } ++ case s_n_llhttp__internal__n_error_25: ++ s_n_llhttp__internal__n_error_25: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } + case s_n_llhttp__internal__n_header_value_otherwise: + s_n_llhttp__internal__n_header_value_otherwise: { + if (p == endp) { + return s_n_llhttp__internal__n_header_value_otherwise; + } + switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; +- } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_test_flags_5; ++ goto s_n_llhttp__internal__n_invoke_test_flags_6; + } + } + /* UNREACHABLE */; +@@ -1692,10 +1709,10 @@ + } + case ',': { + p++; +- goto s_n_llhttp__internal__n_invoke_load_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_5; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_5; + } + } + /* UNREACHABLE */; +@@ -1713,7 +1730,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_2; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_3; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_1; +@@ -1737,7 +1754,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_5; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_6; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_2; +@@ -1761,7 +1778,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_6; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_7; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_3; +@@ -1806,8 +1823,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_26: +- s_n_llhttp__internal__n_error_26: { ++ case s_n_llhttp__internal__n_error_27: ++ s_n_llhttp__internal__n_error_27: { + state->error = 0xb; + state->reason = "Content-Length overflow"; + state->error_pos = (const char*) p; +@@ -1816,8 +1833,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_27: +- s_n_llhttp__internal__n_error_27: { ++ case s_n_llhttp__internal__n_error_28: ++ s_n_llhttp__internal__n_error_28: { + state->error = 0xb; + state->reason = "Invalid character in Content-Length"; + state->error_pos = (const char*) p; +@@ -1843,7 +1860,7 @@ + goto s_n_llhttp__internal__n_header_value_content_length_ws; + } + default: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6; + } + } + /* UNREACHABLE */; +@@ -1912,26 +1929,23 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_header_value_te_chunked_last: +- s_n_llhttp__internal__n_header_value_te_chunked_last: { +- if (p == endp) { +- return s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case 13: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case ' ': { +- p++; +- goto s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- default: { +- goto s_n_llhttp__internal__n_header_value_te_chunked; +- } +- } ++ case s_n_llhttp__internal__n_error_30: ++ s_n_llhttp__internal__n_error_30: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_error_29: ++ s_n_llhttp__internal__n_error_29: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; + /* UNREACHABLE */; + abort(); + } +@@ -2048,8 +2062,34 @@ + goto s_n_llhttp__internal__n_header_value_te_token_ows; + } + default: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ } ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_header_value_te_chunked_last: ++ s_n_llhttp__internal__n_header_value_te_chunked_last: { ++ if (p == endp) { ++ return s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ switch (*p) { ++ case 10: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ } ++ case 13: { + goto s_n_llhttp__internal__n_invoke_update_header_state_8; + } ++ case ' ': { ++ p++; ++ goto s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ case ',': { ++ goto s_n_llhttp__internal__n_invoke_load_type_1; ++ } ++ default: { ++ goto s_n_llhttp__internal__n_header_value_te_token; ++ } + } + /* UNREACHABLE */; + abort(); +@@ -2101,7 +2141,7 @@ + } + case 10: { + p++; +- goto s_n_llhttp__internal__n_header_value_discard_lws; ++ goto s_n_llhttp__internal__n_invoke_test_flags_5; + } + case 13: { + p++; +@@ -2128,7 +2168,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_2; + } + default: { +- goto s_n_llhttp__internal__n_error_28; ++ goto s_n_llhttp__internal__n_error_31; + } + } + /* UNREACHABLE */; +@@ -2218,7 +2258,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_10; + } + } + /* UNREACHABLE */; +@@ -2243,7 +2283,7 @@ + return s_n_llhttp__internal__n_header_field_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2268,7 +2308,7 @@ + return s_n_llhttp__internal__n_header_field_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2289,7 +2329,7 @@ + goto s_n_llhttp__internal__n_header_field_4; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2313,7 +2353,7 @@ + return s_n_llhttp__internal__n_header_field_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2338,7 +2378,7 @@ + return s_n_llhttp__internal__n_header_field_5; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2363,7 +2403,7 @@ + return s_n_llhttp__internal__n_header_field_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2388,7 +2428,7 @@ + return s_n_llhttp__internal__n_header_field_7; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2417,7 +2457,7 @@ + goto s_n_llhttp__internal__n_header_field_7; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2508,7 +2548,7 @@ + goto s_n_llhttp__internal__n_url_to_http_09; + } + default: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -2533,7 +2573,7 @@ + goto s_n_llhttp__internal__n_url_skip_lf_to_http09_1; + } + default: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -2550,7 +2590,7 @@ + goto s_n_llhttp__internal__n_header_field_start; + } + default: { +- goto s_n_llhttp__internal__n_error_30; ++ goto s_n_llhttp__internal__n_error_33; + } + } + /* UNREACHABLE */; +@@ -2571,7 +2611,7 @@ + goto s_n_llhttp__internal__n_req_http_end_1; + } + default: { +- goto s_n_llhttp__internal__n_error_30; ++ goto s_n_llhttp__internal__n_error_33; + } + } + /* UNREACHABLE */; +@@ -2634,7 +2674,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_31; ++ goto s_n_llhttp__internal__n_error_34; + } + } + /* UNREACHABLE */; +@@ -2651,7 +2691,7 @@ + goto s_n_llhttp__internal__n_req_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_32; ++ goto s_n_llhttp__internal__n_error_35; + } + } + /* UNREACHABLE */; +@@ -2714,7 +2754,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major; + } + default: { +- goto s_n_llhttp__internal__n_error_33; ++ goto s_n_llhttp__internal__n_error_36; + } + } + /* UNREACHABLE */; +@@ -2738,7 +2778,7 @@ + return s_n_llhttp__internal__n_req_http_start_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -2762,7 +2802,7 @@ + return s_n_llhttp__internal__n_req_http_start_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -2787,7 +2827,7 @@ + goto s_n_llhttp__internal__n_req_http_start_2; + } + default: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -2878,7 +2918,7 @@ + goto s_n_llhttp__internal__n_url_fragment; + } + default: { +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + } + /* UNREACHABLE */; +@@ -2939,7 +2979,7 @@ + goto s_n_llhttp__internal__n_span_end_stub_query_3; + } + default: { +- goto s_n_llhttp__internal__n_error_37; ++ goto s_n_llhttp__internal__n_error_40; + } + } + /* UNREACHABLE */; +@@ -2977,7 +3017,7 @@ + goto s_n_llhttp__internal__n_url_query; + } + default: { +- goto s_n_llhttp__internal__n_error_38; ++ goto s_n_llhttp__internal__n_error_41; + } + } + /* UNREACHABLE */; +@@ -3102,10 +3142,10 @@ + } + case 8: { + p++; +- goto s_n_llhttp__internal__n_error_39; ++ goto s_n_llhttp__internal__n_error_42; + } + default: { +- goto s_n_llhttp__internal__n_error_40; ++ goto s_n_llhttp__internal__n_error_43; + } + } + /* UNREACHABLE */; +@@ -3164,7 +3204,7 @@ + goto s_n_llhttp__internal__n_url_server_with_at; + } + default: { +- goto s_n_llhttp__internal__n_error_41; ++ goto s_n_llhttp__internal__n_error_44; + } + } + /* UNREACHABLE */; +@@ -3181,7 +3221,7 @@ + goto s_n_llhttp__internal__n_url_server; + } + default: { +- goto s_n_llhttp__internal__n_error_43; ++ goto s_n_llhttp__internal__n_error_46; + } + } + /* UNREACHABLE */; +@@ -3199,7 +3239,7 @@ + } + case 10: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case 12: { + p++; +@@ -3207,18 +3247,18 @@ + } + case 13: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case ' ': { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case '/': { + p++; + goto s_n_llhttp__internal__n_url_schema_delim_1; + } + default: { +- goto s_n_llhttp__internal__n_error_43; ++ goto s_n_llhttp__internal__n_error_46; + } + } + /* UNREACHABLE */; +@@ -3264,7 +3304,7 @@ + } + case 2: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case 3: { + goto s_n_llhttp__internal__n_span_end_stub_schema; +@@ -3274,7 +3314,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_44; ++ goto s_n_llhttp__internal__n_error_47; + } + } + /* UNREACHABLE */; +@@ -3310,7 +3350,7 @@ + } + case 2: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case 3: { + goto s_n_llhttp__internal__n_span_start_stub_path_2; +@@ -3319,7 +3359,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_45; ++ goto s_n_llhttp__internal__n_error_48; + } + } + /* UNREACHABLE */; +@@ -3417,7 +3457,7 @@ + goto s_n_llhttp__internal__n_req_spaces_before_url; + } + default: { +- goto s_n_llhttp__internal__n_error_46; ++ goto s_n_llhttp__internal__n_error_49; + } + } + /* UNREACHABLE */; +@@ -3442,7 +3482,7 @@ + return s_n_llhttp__internal__n_start_req_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3467,7 +3507,7 @@ + return s_n_llhttp__internal__n_start_req_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3492,7 +3532,7 @@ + return s_n_llhttp__internal__n_start_req_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3517,7 +3557,7 @@ + return s_n_llhttp__internal__n_start_req_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3535,7 +3575,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3556,7 +3596,7 @@ + goto s_n_llhttp__internal__n_start_req_7; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3577,7 +3617,7 @@ + goto s_n_llhttp__internal__n_start_req_5; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3602,7 +3642,7 @@ + return s_n_llhttp__internal__n_start_req_8; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3627,7 +3667,7 @@ + return s_n_llhttp__internal__n_start_req_9; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3652,7 +3692,7 @@ + return s_n_llhttp__internal__n_start_req_10; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3677,7 +3717,7 @@ + return s_n_llhttp__internal__n_start_req_12; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3702,7 +3742,7 @@ + return s_n_llhttp__internal__n_start_req_13; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3723,7 +3763,7 @@ + goto s_n_llhttp__internal__n_start_req_13; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3748,7 +3788,7 @@ + return s_n_llhttp__internal__n_start_req_15; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3773,7 +3813,7 @@ + return s_n_llhttp__internal__n_start_req_16; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3798,7 +3838,7 @@ + return s_n_llhttp__internal__n_start_req_18; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3823,7 +3863,7 @@ + return s_n_llhttp__internal__n_start_req_20; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3841,7 +3881,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3862,7 +3902,7 @@ + goto s_n_llhttp__internal__n_start_req_21; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3883,7 +3923,7 @@ + goto s_n_llhttp__internal__n_start_req_19; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3908,7 +3948,7 @@ + return s_n_llhttp__internal__n_start_req_22; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3937,7 +3977,7 @@ + goto s_n_llhttp__internal__n_start_req_22; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3962,7 +4002,7 @@ + return s_n_llhttp__internal__n_start_req_23; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3987,7 +4027,7 @@ + return s_n_llhttp__internal__n_start_req_24; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4012,7 +4052,7 @@ + return s_n_llhttp__internal__n_start_req_26; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4037,7 +4077,7 @@ + return s_n_llhttp__internal__n_start_req_27; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4062,7 +4102,7 @@ + return s_n_llhttp__internal__n_start_req_31; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4087,7 +4127,7 @@ + return s_n_llhttp__internal__n_start_req_32; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4108,7 +4148,7 @@ + goto s_n_llhttp__internal__n_start_req_32; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4125,7 +4165,7 @@ + goto s_n_llhttp__internal__n_start_req_30; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4147,7 +4187,7 @@ + goto s_n_llhttp__internal__n_start_req_29; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4172,7 +4212,7 @@ + return s_n_llhttp__internal__n_start_req_34; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4194,7 +4234,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4223,7 +4263,7 @@ + goto s_n_llhttp__internal__n_start_req_33; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4248,7 +4288,7 @@ + return s_n_llhttp__internal__n_start_req_37; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4273,7 +4313,7 @@ + return s_n_llhttp__internal__n_start_req_38; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4294,7 +4334,7 @@ + goto s_n_llhttp__internal__n_start_req_38; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4311,7 +4351,7 @@ + goto s_n_llhttp__internal__n_start_req_36; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4336,7 +4376,7 @@ + return s_n_llhttp__internal__n_start_req_40; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4361,7 +4401,7 @@ + return s_n_llhttp__internal__n_start_req_41; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4386,7 +4426,7 @@ + return s_n_llhttp__internal__n_start_req_42; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4411,7 +4451,7 @@ + goto s_n_llhttp__internal__n_start_req_42; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4436,7 +4476,7 @@ + return s_n_llhttp__internal__n_start_req_43; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4461,7 +4501,7 @@ + return s_n_llhttp__internal__n_start_req_46; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4486,7 +4526,7 @@ + return s_n_llhttp__internal__n_start_req_48; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4511,7 +4551,7 @@ + return s_n_llhttp__internal__n_start_req_49; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4532,7 +4572,7 @@ + goto s_n_llhttp__internal__n_start_req_49; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4557,7 +4597,7 @@ + return s_n_llhttp__internal__n_start_req_50; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4582,7 +4622,7 @@ + goto s_n_llhttp__internal__n_start_req_50; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4599,7 +4639,7 @@ + goto s_n_llhttp__internal__n_start_req_45; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4672,7 +4712,7 @@ + goto s_n_llhttp__internal__n_start_req_44; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4689,7 +4729,7 @@ + goto s_n_llhttp__internal__n_header_field_start; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -4764,7 +4804,7 @@ + goto s_n_llhttp__internal__n_res_status_start; + } + default: { +- goto s_n_llhttp__internal__n_error_49; ++ goto s_n_llhttp__internal__n_error_52; + } + } + /* UNREACHABLE */; +@@ -4844,7 +4884,7 @@ + goto s_n_llhttp__internal__n_invoke_update_status_code; + } + default: { +- goto s_n_llhttp__internal__n_error_50; ++ goto s_n_llhttp__internal__n_error_53; + } + } + /* UNREACHABLE */; +@@ -4907,7 +4947,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor_1; + } + default: { +- goto s_n_llhttp__internal__n_error_51; ++ goto s_n_llhttp__internal__n_error_54; + } + } + /* UNREACHABLE */; +@@ -4924,7 +4964,7 @@ + goto s_n_llhttp__internal__n_res_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_52; ++ goto s_n_llhttp__internal__n_error_55; + } + } + /* UNREACHABLE */; +@@ -4987,7 +5027,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major_1; + } + default: { +- goto s_n_llhttp__internal__n_error_53; ++ goto s_n_llhttp__internal__n_error_56; + } + } + /* UNREACHABLE */; +@@ -5011,7 +5051,7 @@ + return s_n_llhttp__internal__n_start_res; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_56; ++ goto s_n_llhttp__internal__n_error_59; + } + } + /* UNREACHABLE */; +@@ -5036,7 +5076,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5060,7 +5100,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5081,7 +5121,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_3; + } + default: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5098,7 +5138,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5167,7 +5207,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_42: { ++ s_n_llhttp__internal__n_error_45: { + state->error = 0x7; + state->reason = "Invalid characters in url"; + state->error_pos = (const char*) p; +@@ -5655,7 +5695,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_21: { ++ s_n_llhttp__internal__n_error_22: { + state->error = 0xb; + state->reason = "Empty Content-Length"; + state->error_pos = (const char*) p; +@@ -5740,14 +5780,33 @@ + s_n_llhttp__internal__n_invoke_load_header_state: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 2: +- goto s_n_llhttp__internal__n_error_21; ++ goto s_n_llhttp__internal__n_error_22; + default: + goto s_n_llhttp__internal__n_invoke_load_header_state_1; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_22: { ++ s_n_llhttp__internal__n_error_21: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_5: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_header_value_discard_lws; ++ default: ++ goto s_n_llhttp__internal__n_error_21; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_error_23: { + state->error = 0x2; + state->reason = "Expected LF after CR"; + state->error_pos = (const char*) p; +@@ -5757,6 +5816,24 @@ + abort(); + } + s_n_llhttp__internal__n_invoke_update_header_state_1: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ switch (llhttp__internal__c_load_header_state(state, p, endp)) { ++ case 8: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_2: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_start; +@@ -5767,7 +5844,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_7: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -5775,7 +5852,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_8: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -5783,7 +5860,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_9: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -5796,7 +5873,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ s_n_llhttp__internal__n_invoke_load_header_state_4: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_7; +@@ -5812,7 +5889,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_23: { ++ s_n_llhttp__internal__n_error_24: { + state->error = 0x3; + state->reason = "Missing expected LF after header value"; + state->error_pos = (const char*) p; +@@ -5830,6 +5907,24 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_header_value_almost_done; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; + state->error_pos = (const char*) p; + state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; + return s_error; +@@ -5838,7 +5933,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { + const unsigned char* start; + int err; + +@@ -5856,7 +5951,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { + const unsigned char* start; + int err; + +@@ -5865,35 +5960,25 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; +- state->error_pos = (const char*) (p + 1); +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_25; + return s_error; + } +- p++; +- goto s_n_llhttp__internal__n_header_value_almost_done; +- /* UNREACHABLE */; +- abort(); +- } +- s_n_llhttp__internal__n_error_24: { +- state->error = 0xa; +- state->reason = "Invalid header value char"; +- state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_error; +- return s_error; ++ goto s_n_llhttp__internal__n_error_25; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_test_flags_5: { ++ s_n_llhttp__internal__n_invoke_test_flags_6: { + switch (llhttp__internal__c_test_flags_2(state, p, endp)) { + case 1: + goto s_n_llhttp__internal__n_header_value_lenient; + default: +- goto s_n_llhttp__internal__n_error_24; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ s_n_llhttp__internal__n_invoke_update_header_state_4: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection; +@@ -5904,7 +5989,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_11: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -5912,7 +5997,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_12: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -5920,7 +6005,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_13: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -5933,7 +6018,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_4: { ++ s_n_llhttp__internal__n_invoke_load_header_state_5: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_11; +@@ -5949,39 +6034,39 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_4: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_5: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_token; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_2: { +- switch (llhttp__internal__c_update_header_state_2(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ switch (llhttp__internal__c_update_header_state_3(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_5: { +- switch (llhttp__internal__c_update_header_state_5(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_6: { ++ switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_6: { +- switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_7: { ++ switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { + const unsigned char* start; + int err; + +@@ -5991,17 +6076,17 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_26; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_27; + return s_error; + } +- goto s_n_llhttp__internal__n_error_26; ++ goto s_n_llhttp__internal__n_error_27; + /* UNREACHABLE */; + abort(); + } + s_n_llhttp__internal__n_invoke_mul_add_content_length_1: { + switch (llhttp__internal__c_mul_add_content_length_1(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; + default: + goto s_n_llhttp__internal__n_header_value_content_length; + } +@@ -6016,7 +6101,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6: { + const unsigned char* start; + int err; + +@@ -6026,14 +6111,14 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_27; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_28; + return s_error; + } +- goto s_n_llhttp__internal__n_error_27; ++ goto s_n_llhttp__internal__n_error_28; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_25: { ++ s_n_llhttp__internal__n_error_26: { + state->error = 0x4; + state->reason = "Duplicate Content-Length"; + state->error_pos = (const char*) p; +@@ -6042,26 +6127,82 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_test_flags_6: { +- switch (llhttp__internal__c_test_flags_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_7: { ++ switch (llhttp__internal__c_test_flags_7(state, p, endp)) { + case 0: + goto s_n_llhttp__internal__n_header_value_content_length; + default: +- goto s_n_llhttp__internal__n_error_25; ++ goto s_n_llhttp__internal__n_error_26; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_7: { +- switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_30; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_30; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_8: { ++ switch (llhttp__internal__c_update_header_state_8(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_otherwise; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_8: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_29; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_29; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_9: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_1: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_9; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_9: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -6076,6 +6217,34 @@ + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_invoke_or_flags_17: { ++ switch (llhttp__internal__c_or_flags_16(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_and_flags; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_10: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_2: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_10; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_invoke_or_flags_16: { + switch (llhttp__internal__c_or_flags_16(state, p, endp)) { + default: +@@ -6084,10 +6253,20 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_or_flags_17: { +- switch (llhttp__internal__c_or_flags_17(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_8: { ++ switch (llhttp__internal__c_test_flags_8(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_load_type_2; + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_or_flags_18: { ++ switch (llhttp__internal__c_or_flags_18(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; + } + /* UNREACHABLE */; + abort(); +@@ -6097,11 +6276,11 @@ + case 1: + goto s_n_llhttp__internal__n_header_value_connection; + case 2: +- goto s_n_llhttp__internal__n_invoke_test_flags_6; ++ goto s_n_llhttp__internal__n_invoke_test_flags_7; + case 3: +- goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ goto s_n_llhttp__internal__n_invoke_test_flags_8; + case 4: +- goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ goto s_n_llhttp__internal__n_invoke_or_flags_18; + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -6144,7 +6323,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_28: { ++ s_n_llhttp__internal__n_error_31: { + state->error = 0xa; + state->reason = "Invalid header token"; + state->error_pos = (const char*) p; +@@ -6153,8 +6332,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_9: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_10: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -6169,8 +6348,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_10: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_11: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -6210,7 +6389,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_29: { ++ s_n_llhttp__internal__n_error_32: { + state->error = 0x7; + state->reason = "Expected CRLF"; + state->error_pos = (const char*) p; +@@ -6236,7 +6415,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_30: { ++ s_n_llhttp__internal__n_error_33: { + state->error = 0x9; + state->reason = "Expected CRLF after version"; + state->error_pos = (const char*) p; +@@ -6253,7 +6432,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_31: { ++ s_n_llhttp__internal__n_error_34: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -6262,7 +6441,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_32: { ++ s_n_llhttp__internal__n_error_35: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -6279,7 +6458,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_33: { ++ s_n_llhttp__internal__n_error_36: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -6288,7 +6467,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_35: { ++ s_n_llhttp__internal__n_error_38: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -6297,7 +6476,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_34: { ++ s_n_llhttp__internal__n_error_37: { + state->error = 0x8; + state->reason = "Expected SOURCE method for ICE/x.x request"; + state->error_pos = (const char*) p; +@@ -6309,7 +6488,7 @@ + s_n_llhttp__internal__n_invoke_is_equal_method_1: { + switch (llhttp__internal__c_is_equal_method_1(state, p, endp)) { + case 0: +- goto s_n_llhttp__internal__n_error_34; ++ goto s_n_llhttp__internal__n_error_37; + default: + goto s_n_llhttp__internal__n_req_http_major; + } +@@ -6384,7 +6563,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_36: { ++ s_n_llhttp__internal__n_error_39: { + state->error = 0x7; + state->reason = "Invalid char in url fragment start"; + state->error_pos = (const char*) p; +@@ -6444,7 +6623,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_37: { ++ s_n_llhttp__internal__n_error_40: { + state->error = 0x7; + state->reason = "Invalid char in url query"; + state->error_pos = (const char*) p; +@@ -6453,7 +6632,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_38: { ++ s_n_llhttp__internal__n_error_41: { + state->error = 0x7; + state->reason = "Invalid char in url path"; + state->error_pos = (const char*) p; +@@ -6564,7 +6743,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_39: { ++ s_n_llhttp__internal__n_error_42: { + state->error = 0x7; + state->reason = "Double @ in url"; + state->error_pos = (const char*) p; +@@ -6573,7 +6752,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_40: { ++ s_n_llhttp__internal__n_error_43: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -6582,7 +6761,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_41: { ++ s_n_llhttp__internal__n_error_44: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -6591,7 +6770,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_43: { ++ s_n_llhttp__internal__n_error_46: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -6600,7 +6779,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_44: { ++ s_n_llhttp__internal__n_error_47: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -6609,7 +6788,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_45: { ++ s_n_llhttp__internal__n_error_48: { + state->error = 0x7; + state->reason = "Unexpected start char in url"; + state->error_pos = (const char*) p; +@@ -6628,7 +6807,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_46: { ++ s_n_llhttp__internal__n_error_49: { + state->error = 0x6; + state->reason = "Expected space after method"; + state->error_pos = (const char*) p; +@@ -6645,7 +6824,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_55: { ++ s_n_llhttp__internal__n_error_58: { + state->error = 0x6; + state->reason = "Invalid method encountered"; + state->error_pos = (const char*) p; +@@ -6654,7 +6833,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_47: { ++ s_n_llhttp__internal__n_error_50: { + state->error = 0xd; + state->reason = "Response overflow"; + state->error_pos = (const char*) p; +@@ -6666,14 +6845,14 @@ + s_n_llhttp__internal__n_invoke_mul_add_status_code: { + switch (llhttp__internal__c_mul_add_status_code(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + default: + goto s_n_llhttp__internal__n_res_status_code; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_48: { ++ s_n_llhttp__internal__n_error_51: { + state->error = 0x2; + state->reason = "Expected LF after CR"; + state->error_pos = (const char*) p; +@@ -6718,7 +6897,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_49: { ++ s_n_llhttp__internal__n_error_52: { + state->error = 0xd; + state->reason = "Invalid response status"; + state->error_pos = (const char*) p; +@@ -6735,7 +6914,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_50: { ++ s_n_llhttp__internal__n_error_53: { + state->error = 0x9; + state->reason = "Expected space after version"; + state->error_pos = (const char*) p; +@@ -6752,7 +6931,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_51: { ++ s_n_llhttp__internal__n_error_54: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -6761,7 +6940,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_52: { ++ s_n_llhttp__internal__n_error_55: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -6778,7 +6957,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_53: { ++ s_n_llhttp__internal__n_error_56: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -6787,7 +6966,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_56: { ++ s_n_llhttp__internal__n_error_59: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -6812,7 +6991,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_54: { ++ s_n_llhttp__internal__n_error_57: { + state->error = 0x8; + state->reason = "Invalid word encountered"; + state->error_pos = (const char*) p; +@@ -7244,6 +7423,7 @@ + s_n_llhttp__internal__n_header_value_lws, + s_n_llhttp__internal__n_header_value_almost_done, + s_n_llhttp__internal__n_header_value_lenient, ++ s_n_llhttp__internal__n_error_19, + s_n_llhttp__internal__n_header_value_otherwise, + s_n_llhttp__internal__n_header_value_connection_token, + s_n_llhttp__internal__n_header_value_connection_ws, +@@ -7251,14 +7431,16 @@ + s_n_llhttp__internal__n_header_value_connection_2, + s_n_llhttp__internal__n_header_value_connection_3, + s_n_llhttp__internal__n_header_value_connection, +- s_n_llhttp__internal__n_error_20, + s_n_llhttp__internal__n_error_21, ++ s_n_llhttp__internal__n_error_22, + s_n_llhttp__internal__n_header_value_content_length_ws, + s_n_llhttp__internal__n_header_value_content_length, +- s_n_llhttp__internal__n_header_value_te_chunked_last, ++ s_n_llhttp__internal__n_error_24, ++ s_n_llhttp__internal__n_error_23, + s_n_llhttp__internal__n_header_value_te_token_ows, + s_n_llhttp__internal__n_header_value, + s_n_llhttp__internal__n_header_value_te_token, ++ s_n_llhttp__internal__n_header_value_te_chunked_last, + s_n_llhttp__internal__n_header_value_te_chunked, + s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1, + s_n_llhttp__internal__n_header_value_discard_ws, +@@ -7648,7 +7830,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_2( ++int llhttp__internal__c_update_header_state_3( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7656,7 +7838,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_4( ++int llhttp__internal__c_update_header_state_1( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7664,7 +7846,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_5( ++int llhttp__internal__c_update_header_state_6( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7672,7 +7854,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_6( ++int llhttp__internal__c_update_header_state_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7680,7 +7862,7 @@ + return 0; + } + +-int llhttp__internal__c_test_flags_6( ++int llhttp__internal__c_test_flags_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7721,6 +7903,13 @@ + return 0; + } + ++int llhttp__internal__c_test_flags_8( ++ llhttp__internal_t* state, ++ const unsigned char* p, ++ const unsigned char* endp) { ++ return (state->flags & 8) == 8; ++} ++ + int llhttp__internal__c_or_flags_16( + llhttp__internal_t* state, + const unsigned char* p, +@@ -7737,7 +7926,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_7( ++int llhttp__internal__c_update_header_state_8( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7745,7 +7934,7 @@ + return 0; + } + +-int llhttp__internal__c_or_flags_17( ++int llhttp__internal__c_or_flags_18( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -8432,13 +8621,13 @@ + } + switch (*p) { + case 9: { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + case ' ': { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + default: { +- goto s_n_llhttp__internal__n_invoke_load_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_4; + } + } + /* UNREACHABLE */; +@@ -8455,7 +8644,7 @@ + goto s_n_llhttp__internal__n_header_value_lws; + } + default: { +- goto s_n_llhttp__internal__n_error_17; ++ goto s_n_llhttp__internal__n_error_18; + } + } + /* UNREACHABLE */; +@@ -8468,10 +8657,10 @@ + } + switch (*p) { + case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; + } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; + } + default: { + p++; +@@ -8481,20 +8670,27 @@ + /* UNREACHABLE */; + abort(); + } ++ case s_n_llhttp__internal__n_error_19: ++ s_n_llhttp__internal__n_error_19: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } + case s_n_llhttp__internal__n_header_value_otherwise: + s_n_llhttp__internal__n_header_value_otherwise: { + if (p == endp) { + return s_n_llhttp__internal__n_header_value_otherwise; + } + switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; +- } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_test_flags_5; ++ goto s_n_llhttp__internal__n_invoke_test_flags_6; + } + } + /* UNREACHABLE */; +@@ -8557,10 +8753,10 @@ + } + case ',': { + p++; +- goto s_n_llhttp__internal__n_invoke_load_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_5; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_5; + } + } + /* UNREACHABLE */; +@@ -8578,7 +8774,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_2; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_3; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_1; +@@ -8602,7 +8798,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_5; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_6; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_2; +@@ -8626,7 +8822,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_6; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_7; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_3; +@@ -8671,8 +8867,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_20: +- s_n_llhttp__internal__n_error_20: { ++ case s_n_llhttp__internal__n_error_21: ++ s_n_llhttp__internal__n_error_21: { + state->error = 0xb; + state->reason = "Content-Length overflow"; + state->error_pos = (const char*) p; +@@ -8681,8 +8877,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_21: +- s_n_llhttp__internal__n_error_21: { ++ case s_n_llhttp__internal__n_error_22: ++ s_n_llhttp__internal__n_error_22: { + state->error = 0xb; + state->reason = "Invalid character in Content-Length"; + state->error_pos = (const char*) p; +@@ -8708,7 +8904,7 @@ + goto s_n_llhttp__internal__n_header_value_content_length_ws; + } + default: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6; + } + } + /* UNREACHABLE */; +@@ -8777,26 +8973,23 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_header_value_te_chunked_last: +- s_n_llhttp__internal__n_header_value_te_chunked_last: { +- if (p == endp) { +- return s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case 13: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case ' ': { +- p++; +- goto s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- default: { +- goto s_n_llhttp__internal__n_header_value_te_chunked; +- } +- } ++ case s_n_llhttp__internal__n_error_24: ++ s_n_llhttp__internal__n_error_24: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_error_23: ++ s_n_llhttp__internal__n_error_23: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; + /* UNREACHABLE */; + abort(); + } +@@ -8913,8 +9106,34 @@ + goto s_n_llhttp__internal__n_header_value_te_token_ows; + } + default: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ } ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_header_value_te_chunked_last: ++ s_n_llhttp__internal__n_header_value_te_chunked_last: { ++ if (p == endp) { ++ return s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ switch (*p) { ++ case 10: { + goto s_n_llhttp__internal__n_invoke_update_header_state_8; + } ++ case 13: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ } ++ case ' ': { ++ p++; ++ goto s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ case ',': { ++ goto s_n_llhttp__internal__n_invoke_load_type_1; ++ } ++ default: { ++ goto s_n_llhttp__internal__n_header_value_te_token; ++ } + } + /* UNREACHABLE */; + abort(); +@@ -8966,7 +9185,7 @@ + } + case 10: { + p++; +- goto s_n_llhttp__internal__n_header_value_discard_lws; ++ goto s_n_llhttp__internal__n_invoke_test_flags_5; + } + case 13: { + p++; +@@ -8993,7 +9212,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_2; + } + default: { +- goto s_n_llhttp__internal__n_error_22; ++ goto s_n_llhttp__internal__n_error_25; + } + } + /* UNREACHABLE */; +@@ -9083,7 +9302,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_10; + } + } + /* UNREACHABLE */; +@@ -9108,7 +9327,7 @@ + return s_n_llhttp__internal__n_header_field_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9133,7 +9352,7 @@ + return s_n_llhttp__internal__n_header_field_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9154,7 +9373,7 @@ + goto s_n_llhttp__internal__n_header_field_4; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9178,7 +9397,7 @@ + return s_n_llhttp__internal__n_header_field_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9203,7 +9422,7 @@ + return s_n_llhttp__internal__n_header_field_5; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9228,7 +9447,7 @@ + return s_n_llhttp__internal__n_header_field_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9253,7 +9472,7 @@ + return s_n_llhttp__internal__n_header_field_7; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9282,7 +9501,7 @@ + goto s_n_llhttp__internal__n_header_field_7; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9347,7 +9566,7 @@ + return s_n_llhttp__internal__n_url_skip_lf_to_http09; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_23; ++ goto s_n_llhttp__internal__n_error_26; + } + } + /* UNREACHABLE */; +@@ -9364,7 +9583,7 @@ + goto s_n_llhttp__internal__n_header_field_start; + } + default: { +- goto s_n_llhttp__internal__n_error_24; ++ goto s_n_llhttp__internal__n_error_27; + } + } + /* UNREACHABLE */; +@@ -9385,7 +9604,7 @@ + goto s_n_llhttp__internal__n_req_http_end_1; + } + default: { +- goto s_n_llhttp__internal__n_error_24; ++ goto s_n_llhttp__internal__n_error_27; + } + } + /* UNREACHABLE */; +@@ -9448,7 +9667,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_25; ++ goto s_n_llhttp__internal__n_error_28; + } + } + /* UNREACHABLE */; +@@ -9465,7 +9684,7 @@ + goto s_n_llhttp__internal__n_req_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_26; ++ goto s_n_llhttp__internal__n_error_29; + } + } + /* UNREACHABLE */; +@@ -9528,7 +9747,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major; + } + default: { +- goto s_n_llhttp__internal__n_error_27; ++ goto s_n_llhttp__internal__n_error_30; + } + } + /* UNREACHABLE */; +@@ -9552,7 +9771,7 @@ + return s_n_llhttp__internal__n_req_http_start_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -9576,7 +9795,7 @@ + return s_n_llhttp__internal__n_req_http_start_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -9601,7 +9820,7 @@ + goto s_n_llhttp__internal__n_req_http_start_2; + } + default: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -9655,7 +9874,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_url_8; + } + default: { +- goto s_n_llhttp__internal__n_error_30; ++ goto s_n_llhttp__internal__n_error_33; + } + } + /* UNREACHABLE */; +@@ -9712,7 +9931,7 @@ + goto s_n_llhttp__internal__n_span_end_stub_query_3; + } + default: { +- goto s_n_llhttp__internal__n_error_31; ++ goto s_n_llhttp__internal__n_error_34; + } + } + /* UNREACHABLE */; +@@ -9742,7 +9961,7 @@ + goto s_n_llhttp__internal__n_url_query; + } + default: { +- goto s_n_llhttp__internal__n_error_32; ++ goto s_n_llhttp__internal__n_error_35; + } + } + /* UNREACHABLE */; +@@ -9883,10 +10102,10 @@ + } + case 7: { + p++; +- goto s_n_llhttp__internal__n_error_33; ++ goto s_n_llhttp__internal__n_error_36; + } + default: { +- goto s_n_llhttp__internal__n_error_34; ++ goto s_n_llhttp__internal__n_error_37; + } + } + /* UNREACHABLE */; +@@ -9941,7 +10160,7 @@ + goto s_n_llhttp__internal__n_url_server_with_at; + } + default: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -9958,7 +10177,7 @@ + goto s_n_llhttp__internal__n_url_server; + } + default: { +- goto s_n_llhttp__internal__n_error_37; ++ goto s_n_llhttp__internal__n_error_40; + } + } + /* UNREACHABLE */; +@@ -9972,22 +10191,22 @@ + switch (*p) { + case 10: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case 13: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case ' ': { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case '/': { + p++; + goto s_n_llhttp__internal__n_url_schema_delim_1; + } + default: { +- goto s_n_llhttp__internal__n_error_37; ++ goto s_n_llhttp__internal__n_error_40; + } + } + /* UNREACHABLE */; +@@ -10029,7 +10248,7 @@ + switch (lookup_table[(uint8_t) *p]) { + case 1: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case 2: { + goto s_n_llhttp__internal__n_span_end_stub_schema; +@@ -10039,7 +10258,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_38; ++ goto s_n_llhttp__internal__n_error_41; + } + } + /* UNREACHABLE */; +@@ -10071,7 +10290,7 @@ + switch (lookup_table[(uint8_t) *p]) { + case 1: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case 2: { + goto s_n_llhttp__internal__n_span_start_stub_path_2; +@@ -10080,7 +10299,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_39; ++ goto s_n_llhttp__internal__n_error_42; + } + } + /* UNREACHABLE */; +@@ -10136,7 +10355,7 @@ + goto s_n_llhttp__internal__n_req_spaces_before_url; + } + default: { +- goto s_n_llhttp__internal__n_error_40; ++ goto s_n_llhttp__internal__n_error_43; + } + } + /* UNREACHABLE */; +@@ -10161,7 +10380,7 @@ + return s_n_llhttp__internal__n_start_req_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10186,7 +10405,7 @@ + return s_n_llhttp__internal__n_start_req_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10211,7 +10430,7 @@ + return s_n_llhttp__internal__n_start_req_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10236,7 +10455,7 @@ + return s_n_llhttp__internal__n_start_req_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10254,7 +10473,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10275,7 +10494,7 @@ + goto s_n_llhttp__internal__n_start_req_7; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10296,7 +10515,7 @@ + goto s_n_llhttp__internal__n_start_req_5; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10321,7 +10540,7 @@ + return s_n_llhttp__internal__n_start_req_8; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10346,7 +10565,7 @@ + return s_n_llhttp__internal__n_start_req_9; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10371,7 +10590,7 @@ + return s_n_llhttp__internal__n_start_req_10; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10396,7 +10615,7 @@ + return s_n_llhttp__internal__n_start_req_12; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10421,7 +10640,7 @@ + return s_n_llhttp__internal__n_start_req_13; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10442,7 +10661,7 @@ + goto s_n_llhttp__internal__n_start_req_13; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10467,7 +10686,7 @@ + return s_n_llhttp__internal__n_start_req_15; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10492,7 +10711,7 @@ + return s_n_llhttp__internal__n_start_req_16; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10517,7 +10736,7 @@ + return s_n_llhttp__internal__n_start_req_18; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10542,7 +10761,7 @@ + return s_n_llhttp__internal__n_start_req_20; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10560,7 +10779,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10581,7 +10800,7 @@ + goto s_n_llhttp__internal__n_start_req_21; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10602,7 +10821,7 @@ + goto s_n_llhttp__internal__n_start_req_19; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10627,7 +10846,7 @@ + return s_n_llhttp__internal__n_start_req_22; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10656,7 +10875,7 @@ + goto s_n_llhttp__internal__n_start_req_22; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10681,7 +10900,7 @@ + return s_n_llhttp__internal__n_start_req_23; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10706,7 +10925,7 @@ + return s_n_llhttp__internal__n_start_req_24; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10731,7 +10950,7 @@ + return s_n_llhttp__internal__n_start_req_26; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10756,7 +10975,7 @@ + return s_n_llhttp__internal__n_start_req_27; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10781,7 +11000,7 @@ + return s_n_llhttp__internal__n_start_req_31; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10806,7 +11025,7 @@ + return s_n_llhttp__internal__n_start_req_32; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10827,7 +11046,7 @@ + goto s_n_llhttp__internal__n_start_req_32; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10844,7 +11063,7 @@ + goto s_n_llhttp__internal__n_start_req_30; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10866,7 +11085,7 @@ + goto s_n_llhttp__internal__n_start_req_29; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10891,7 +11110,7 @@ + return s_n_llhttp__internal__n_start_req_34; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10913,7 +11132,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10942,7 +11161,7 @@ + goto s_n_llhttp__internal__n_start_req_33; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10967,7 +11186,7 @@ + return s_n_llhttp__internal__n_start_req_37; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10992,7 +11211,7 @@ + return s_n_llhttp__internal__n_start_req_38; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11013,7 +11232,7 @@ + goto s_n_llhttp__internal__n_start_req_38; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11030,7 +11249,7 @@ + goto s_n_llhttp__internal__n_start_req_36; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11055,7 +11274,7 @@ + return s_n_llhttp__internal__n_start_req_40; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11080,7 +11299,7 @@ + return s_n_llhttp__internal__n_start_req_41; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11105,7 +11324,7 @@ + return s_n_llhttp__internal__n_start_req_42; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11130,7 +11349,7 @@ + goto s_n_llhttp__internal__n_start_req_42; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11155,7 +11374,7 @@ + return s_n_llhttp__internal__n_start_req_43; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11180,7 +11399,7 @@ + return s_n_llhttp__internal__n_start_req_46; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11205,7 +11424,7 @@ + return s_n_llhttp__internal__n_start_req_48; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11230,7 +11449,7 @@ + return s_n_llhttp__internal__n_start_req_49; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11251,7 +11470,7 @@ + goto s_n_llhttp__internal__n_start_req_49; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11276,7 +11495,7 @@ + return s_n_llhttp__internal__n_start_req_50; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11301,7 +11520,7 @@ + goto s_n_llhttp__internal__n_start_req_50; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11318,7 +11537,7 @@ + goto s_n_llhttp__internal__n_start_req_45; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11391,7 +11610,7 @@ + goto s_n_llhttp__internal__n_start_req_44; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11476,7 +11695,7 @@ + goto s_n_llhttp__internal__n_res_status_start; + } + default: { +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + } + /* UNREACHABLE */; +@@ -11556,7 +11775,7 @@ + goto s_n_llhttp__internal__n_invoke_update_status_code; + } + default: { +- goto s_n_llhttp__internal__n_error_43; ++ goto s_n_llhttp__internal__n_error_46; + } + } + /* UNREACHABLE */; +@@ -11619,7 +11838,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor_1; + } + default: { +- goto s_n_llhttp__internal__n_error_44; ++ goto s_n_llhttp__internal__n_error_47; + } + } + /* UNREACHABLE */; +@@ -11636,7 +11855,7 @@ + goto s_n_llhttp__internal__n_res_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_45; ++ goto s_n_llhttp__internal__n_error_48; + } + } + /* UNREACHABLE */; +@@ -11699,7 +11918,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major_1; + } + default: { +- goto s_n_llhttp__internal__n_error_46; ++ goto s_n_llhttp__internal__n_error_49; + } + } + /* UNREACHABLE */; +@@ -11723,7 +11942,7 @@ + return s_n_llhttp__internal__n_start_res; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_49; ++ goto s_n_llhttp__internal__n_error_52; + } + } + /* UNREACHABLE */; +@@ -11748,7 +11967,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11772,7 +11991,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11793,7 +12012,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_3; + } + default: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11810,7 +12029,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11870,7 +12089,7 @@ + /* UNREACHABLE */ + abort(); + } +- s_n_llhttp__internal__n_error_36: { ++ s_n_llhttp__internal__n_error_39: { + state->error = 0x7; + state->reason = "Invalid characters in url"; + state->error_pos = (const char*) p; +@@ -12314,7 +12533,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_16: { ++ s_n_llhttp__internal__n_error_17: { + state->error = 0xb; + state->reason = "Empty Content-Length"; + state->error_pos = (const char*) p; +@@ -12399,14 +12618,51 @@ + s_n_llhttp__internal__n_invoke_load_header_state: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 2: +- goto s_n_llhttp__internal__n_error_16; ++ goto s_n_llhttp__internal__n_error_17; + default: + goto s_n_llhttp__internal__n_invoke_load_header_state_1; + } + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_error_16: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_5: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_header_value_discard_lws; ++ default: ++ goto s_n_llhttp__internal__n_error_16; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_invoke_update_header_state_1: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ switch (llhttp__internal__c_load_header_state(state, p, endp)) { ++ case 8: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_2: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_start; +@@ -12417,7 +12673,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_7: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -12425,7 +12681,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_8: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -12433,7 +12689,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_9: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -12446,7 +12702,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ s_n_llhttp__internal__n_invoke_load_header_state_4: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_7; +@@ -12462,7 +12718,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_17: { ++ s_n_llhttp__internal__n_error_18: { + state->error = 0x3; + state->reason = "Missing expected LF after header value"; + state->error_pos = (const char*) p; +@@ -12480,6 +12736,24 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_header_value_almost_done; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; + state->error_pos = (const char*) p; + state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; + return s_error; +@@ -12488,7 +12762,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { + const unsigned char* start; + int err; + +@@ -12506,7 +12780,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { + const unsigned char* start; + int err; + +@@ -12515,35 +12789,25 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; +- state->error_pos = (const char*) (p + 1); +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_19; + return s_error; + } +- p++; +- goto s_n_llhttp__internal__n_header_value_almost_done; ++ goto s_n_llhttp__internal__n_error_19; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_18: { +- state->error = 0xa; +- state->reason = "Invalid header value char"; +- state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_error; +- return s_error; +- /* UNREACHABLE */; +- abort(); +- } +- s_n_llhttp__internal__n_invoke_test_flags_5: { ++ s_n_llhttp__internal__n_invoke_test_flags_6: { + switch (llhttp__internal__c_test_flags_2(state, p, endp)) { + case 1: + goto s_n_llhttp__internal__n_header_value_lenient; + default: +- goto s_n_llhttp__internal__n_error_18; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ s_n_llhttp__internal__n_invoke_update_header_state_4: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection; +@@ -12554,7 +12818,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_11: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -12562,7 +12826,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_12: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -12570,7 +12834,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_13: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -12583,7 +12847,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_4: { ++ s_n_llhttp__internal__n_invoke_load_header_state_5: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_11; +@@ -12599,39 +12863,39 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_4: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_5: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_token; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_2: { +- switch (llhttp__internal__c_update_header_state_2(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ switch (llhttp__internal__c_update_header_state_3(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_5: { +- switch (llhttp__internal__c_update_header_state_5(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_6: { ++ switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_6: { +- switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_7: { ++ switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { + const unsigned char* start; + int err; + +@@ -12641,17 +12905,17 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_20; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_21; + return s_error; + } +- goto s_n_llhttp__internal__n_error_20; ++ goto s_n_llhttp__internal__n_error_21; + /* UNREACHABLE */; + abort(); + } + s_n_llhttp__internal__n_invoke_mul_add_content_length_1: { + switch (llhttp__internal__c_mul_add_content_length_1(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; + default: + goto s_n_llhttp__internal__n_header_value_content_length; + } +@@ -12666,7 +12930,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6: { + const unsigned char* start; + int err; + +@@ -12676,14 +12940,14 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_21; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_22; + return s_error; + } +- goto s_n_llhttp__internal__n_error_21; ++ goto s_n_llhttp__internal__n_error_22; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_19: { ++ s_n_llhttp__internal__n_error_20: { + state->error = 0x4; + state->reason = "Duplicate Content-Length"; + state->error_pos = (const char*) p; +@@ -12692,26 +12956,82 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_test_flags_6: { +- switch (llhttp__internal__c_test_flags_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_7: { ++ switch (llhttp__internal__c_test_flags_7(state, p, endp)) { + case 0: + goto s_n_llhttp__internal__n_header_value_content_length; + default: +- goto s_n_llhttp__internal__n_error_19; ++ goto s_n_llhttp__internal__n_error_20; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_7: { +- switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_24; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_24; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_8: { ++ switch (llhttp__internal__c_update_header_state_8(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_otherwise; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_8: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_23; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_23; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_9: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_1: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_9; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_9: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -12726,6 +13046,34 @@ + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_invoke_or_flags_17: { ++ switch (llhttp__internal__c_or_flags_16(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_and_flags; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_10: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_2: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_10; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_invoke_or_flags_16: { + switch (llhttp__internal__c_or_flags_16(state, p, endp)) { + default: +@@ -12734,10 +13082,20 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_or_flags_17: { +- switch (llhttp__internal__c_or_flags_17(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_8: { ++ switch (llhttp__internal__c_test_flags_8(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_load_type_2; + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_or_flags_18: { ++ switch (llhttp__internal__c_or_flags_18(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; + } + /* UNREACHABLE */; + abort(); +@@ -12747,11 +13105,11 @@ + case 1: + goto s_n_llhttp__internal__n_header_value_connection; + case 2: +- goto s_n_llhttp__internal__n_invoke_test_flags_6; ++ goto s_n_llhttp__internal__n_invoke_test_flags_7; + case 3: +- goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ goto s_n_llhttp__internal__n_invoke_test_flags_8; + case 4: +- goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ goto s_n_llhttp__internal__n_invoke_or_flags_18; + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -12794,7 +13152,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_22: { ++ s_n_llhttp__internal__n_error_25: { + state->error = 0xa; + state->reason = "Invalid header token"; + state->error_pos = (const char*) p; +@@ -12803,8 +13161,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_9: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_10: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -12819,8 +13177,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_10: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_11: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -12860,7 +13218,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_23: { ++ s_n_llhttp__internal__n_error_26: { + state->error = 0x7; + state->reason = "Expected CRLF"; + state->error_pos = (const char*) p; +@@ -12886,7 +13244,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_24: { ++ s_n_llhttp__internal__n_error_27: { + state->error = 0x9; + state->reason = "Expected CRLF after version"; + state->error_pos = (const char*) p; +@@ -12903,7 +13261,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_25: { ++ s_n_llhttp__internal__n_error_28: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -12912,7 +13270,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_26: { ++ s_n_llhttp__internal__n_error_29: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -12929,7 +13287,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_27: { ++ s_n_llhttp__internal__n_error_30: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -12938,7 +13296,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_29: { ++ s_n_llhttp__internal__n_error_32: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -12947,7 +13305,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_28: { ++ s_n_llhttp__internal__n_error_31: { + state->error = 0x8; + state->reason = "Expected SOURCE method for ICE/x.x request"; + state->error_pos = (const char*) p; +@@ -12959,7 +13317,7 @@ + s_n_llhttp__internal__n_invoke_is_equal_method_1: { + switch (llhttp__internal__c_is_equal_method_1(state, p, endp)) { + case 0: +- goto s_n_llhttp__internal__n_error_28; ++ goto s_n_llhttp__internal__n_error_31; + default: + goto s_n_llhttp__internal__n_req_http_major; + } +@@ -13034,7 +13392,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_30: { ++ s_n_llhttp__internal__n_error_33: { + state->error = 0x7; + state->reason = "Invalid char in url fragment start"; + state->error_pos = (const char*) p; +@@ -13094,7 +13452,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_31: { ++ s_n_llhttp__internal__n_error_34: { + state->error = 0x7; + state->reason = "Invalid char in url query"; + state->error_pos = (const char*) p; +@@ -13103,7 +13461,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_32: { ++ s_n_llhttp__internal__n_error_35: { + state->error = 0x7; + state->reason = "Invalid char in url path"; + state->error_pos = (const char*) p; +@@ -13214,7 +13572,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_33: { ++ s_n_llhttp__internal__n_error_36: { + state->error = 0x7; + state->reason = "Double @ in url"; + state->error_pos = (const char*) p; +@@ -13223,7 +13581,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_34: { ++ s_n_llhttp__internal__n_error_37: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -13232,7 +13590,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_35: { ++ s_n_llhttp__internal__n_error_38: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -13241,7 +13599,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_37: { ++ s_n_llhttp__internal__n_error_40: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -13250,7 +13608,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_38: { ++ s_n_llhttp__internal__n_error_41: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -13259,7 +13617,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_39: { ++ s_n_llhttp__internal__n_error_42: { + state->error = 0x7; + state->reason = "Unexpected start char in url"; + state->error_pos = (const char*) p; +@@ -13278,7 +13636,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_40: { ++ s_n_llhttp__internal__n_error_43: { + state->error = 0x6; + state->reason = "Expected space after method"; + state->error_pos = (const char*) p; +@@ -13295,7 +13653,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_48: { ++ s_n_llhttp__internal__n_error_51: { + state->error = 0x6; + state->reason = "Invalid method encountered"; + state->error_pos = (const char*) p; +@@ -13304,7 +13662,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_41: { ++ s_n_llhttp__internal__n_error_44: { + state->error = 0xd; + state->reason = "Response overflow"; + state->error_pos = (const char*) p; +@@ -13316,7 +13674,7 @@ + s_n_llhttp__internal__n_invoke_mul_add_status_code: { + switch (llhttp__internal__c_mul_add_status_code(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_error_41; ++ goto s_n_llhttp__internal__n_error_44; + default: + goto s_n_llhttp__internal__n_res_status_code; + } +@@ -13359,7 +13717,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_42: { ++ s_n_llhttp__internal__n_error_45: { + state->error = 0xd; + state->reason = "Invalid response status"; + state->error_pos = (const char*) p; +@@ -13376,7 +13734,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_43: { ++ s_n_llhttp__internal__n_error_46: { + state->error = 0x9; + state->reason = "Expected space after version"; + state->error_pos = (const char*) p; +@@ -13393,7 +13751,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_44: { ++ s_n_llhttp__internal__n_error_47: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -13402,7 +13760,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_45: { ++ s_n_llhttp__internal__n_error_48: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -13419,7 +13777,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_46: { ++ s_n_llhttp__internal__n_error_49: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -13428,7 +13786,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_49: { ++ s_n_llhttp__internal__n_error_52: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -13453,7 +13811,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_47: { ++ s_n_llhttp__internal__n_error_50: { + state->error = 0x8; + state->reason = "Invalid word encountered"; + state->error_pos = (const char*) p; +--- nodejs-12.22.12~dfsg/test/parallel/test-http-invalid-te.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-invalid-te.js +@@ -13,7 +13,7 @@ Content-Type: text/plain; charset=utf-8 + Host: hacker.exploit.com + Connection: keep-alive + Content-Length: 10 +-Transfer-Encoding: chunked, eee ++Transfer-Encoding: eee, chunked + + HELLOWORLDPOST / HTTP/1.1 + Content-Type: text/plain; charset=utf-8 +--- nodejs-12.22.12~dfsg/test/parallel/test-http-missing-header-separator-cr.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-missing-header-separator-cr.js +@@ -0,0 +1,83 @@ ++'use strict'; ++ ++const common = require('../common'); ++const assert = require('assert'); ++ ++const http = require('http'); ++const net = require('net'); ++ ++function serverHandler(server, msg) { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ let response = ''; ++ ++ client.on('data', common.mustCall((chunk) => { ++ response += chunk.toString('utf-8'); ++ })); ++ ++ client.setEncoding('utf8'); ++ client.on('error', common.mustNotCall()); ++ client.on('end', common.mustCall(() => { ++ assert.strictEqual( ++ response, ++ 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n' ++ ); ++ server.close(); ++ })); ++ client.write(msg); ++ client.resume(); ++} ++ ++{ ++ const msg = [ ++ 'GET / HTTP/1.1', ++ 'Host: localhost', ++ 'Dummy: x\nContent-Length: 23', ++ '', ++ 'GET / HTTP/1.1', ++ 'Dummy: GET /admin HTTP/1.1', ++ 'Host: localhost', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall()); ++ ++ server.listen(0, common.mustCall(serverHandler.bind(null, server, msg))); ++} ++ ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: localhost', ++ 'x:x\nTransfer-Encoding: chunked', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall()); ++ ++ server.listen(0, common.mustCall(serverHandler.bind(null, server, msg))); ++} ++ ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: localhost', ++ 'x:\nTransfer-Encoding: chunked', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall()); ++ ++ server.listen(0, common.mustCall(serverHandler.bind(null, server, msg))); ++} +--- /dev/null ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-transfer-encoding-repeated-chunked.js +@@ -0,0 +1,51 @@ ++'use strict'; ++ ++const common = require('../common'); ++const assert = require('assert'); ++ ++const http = require('http'); ++const net = require('net'); ++ ++const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: 127.0.0.1', ++ 'Transfer-Encoding: chunkedchunked', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++].join('\r\n'); ++ ++const server = http.createServer(common.mustCall((req, res) => { ++ // Verify that no data is received ++ ++ req.on('data', common.mustNotCall()); ++ ++ req.on('end', common.mustNotCall(() => { ++ res.writeHead(200, { 'Content-Type': 'text/plain' }); ++ res.end(); ++ })); ++}, 1)); ++ ++server.listen(0, common.mustCall(() => { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ let response = ''; ++ ++ client.on('data', common.mustCall((chunk) => { ++ response += chunk.toString('utf-8'); ++ })); ++ ++ client.setEncoding('utf8'); ++ client.on('error', common.mustNotCall()); ++ client.on('end', common.mustCall(() => { ++ assert.strictEqual( ++ response, ++ 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n' ++ ); ++ server.close(); ++ })); ++ client.write(msg); ++ client.resume(); ++})); +--- nodejs-12.22.12~dfsg/test/parallel/test-http-transfer-encoding-smuggling.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-transfer-encoding-smuggling.js +@@ -1,46 +1,89 @@ + 'use strict'; + + const common = require('../common'); +- + const assert = require('assert'); ++ + const http = require('http'); + const net = require('net'); + +-const msg = [ +- 'POST / HTTP/1.1', +- 'Host: 127.0.0.1', +- 'Transfer-Encoding: chunked', +- 'Transfer-Encoding: chunked-false', +- 'Connection: upgrade', +- '', +- '1', +- 'A', +- '0', +- '', +- 'GET /flag HTTP/1.1', +- 'Host: 127.0.0.1', +- '', +- '', +-].join('\r\n'); +- +-// Verify that the server is called only once even with a smuggled request. +- +-const server = http.createServer(common.mustCall((req, res) => { +- res.end(); +-}, 1)); +- +-function send(next) { +- const client = net.connect(server.address().port, 'localhost'); +- client.setEncoding('utf8'); +- client.on('error', common.mustNotCall()); +- client.on('end', next); +- client.write(msg); +- client.resume(); ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: 127.0.0.1', ++ 'Transfer-Encoding: chunked', ++ 'Transfer-Encoding: chunked-false', ++ 'Connection: upgrade', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ 'GET /flag HTTP/1.1', ++ 'Host: 127.0.0.1', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall((req, res) => { ++ res.end(); ++ }, 1)); ++ ++ server.listen(0, common.mustCall(() => { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ let response = ''; ++ ++ // Verify that the server listener is never called ++ ++ client.on('data', common.mustCall((chunk) => { ++ response += chunk.toString('utf-8'); ++ })); ++ ++ client.setEncoding('utf8'); ++ client.on('error', common.mustNotCall()); ++ client.on('end', common.mustCall(() => { ++ assert.strictEqual( ++ response, ++ 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n' ++ ); ++ server.close(); ++ })); ++ client.write(msg); ++ client.resume(); ++ })); + } + +-server.listen(0, common.mustCall((err) => { +- assert.ifError(err); +- send(common.mustCall(() => { +- server.close(); ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: 127.0.0.1', ++ 'Transfer-Encoding: chunked', ++ ' , chunked-false', ++ 'Connection: upgrade', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ 'GET /flag HTTP/1.1', ++ 'Host: 127.0.0.1', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustCall((request, response) => { ++ assert.notStrictEqual(request.url, '/admin'); ++ response.end('hello world'); ++ }), 1); ++ ++ server.listen(0, common.mustCall(() => { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ client.on('end', common.mustCall(function() { ++ server.close(); ++ })); ++ ++ client.write(msg); ++ client.resume(); + })); +-})); ++} +--- nodejs-12.22.12~dfsg/test/parallel/test-http-header-overflow.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-header-overflow.js +@@ -1,3 +1,5 @@ ++// Flags: --expose-internals ++ + 'use strict'; + const { expectsError, mustCall } = require('../common'); + const assert = require('assert'); +@@ -8,7 +10,7 @@ const CRLF = '\r\n'; + const DUMMY_HEADER_NAME = 'Cookie: '; + const DUMMY_HEADER_VALUE = 'a'.repeat( + // Plus one is to make it 1 byte too big +- maxHeaderSize - DUMMY_HEADER_NAME.length - (2 * CRLF.length) + 1 ++ maxHeaderSize - DUMMY_HEADER_NAME.length + 2 + ); + const PAYLOAD_GET = 'GET /blah HTTP/1.1'; + const PAYLOAD = PAYLOAD_GET + CRLF + +@@ -21,7 +23,7 @@ server.on('connection', mustCall((socket + name: 'Error', + message: 'Parse Error: Header overflow', + code: 'HPE_HEADER_OVERFLOW', +- bytesParsed: maxHeaderSize + PAYLOAD_GET.length, ++ bytesParsed: maxHeaderSize + PAYLOAD_GET.length + (CRLF.length * 2) + 1, + rawPacket: Buffer.from(PAYLOAD) + })); + })); diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/gcc13.patch b/meta-oe/recipes-devtools/nodejs/nodejs/gcc13.patch new file mode 100644 index 0000000000..dd21af6b3a --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/gcc13.patch @@ -0,0 +1,63 @@ +From 576aed71db7b40c90b44c623580629792a606928 Mon Sep 17 00:00:00 2001 +From: Jiawen Geng <technicalcute@gmail.com> +Date: Fri, 14 Oct 2022 09:54:33 +0800 +Subject: [PATCH] deps: V8: cherry-pick c2792e58035f +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Original commit message: + + [base] Fix build with gcc-13 + + See https://gcc.gnu.org/gcc-13/porting_to.html#header-dep-changes. + + Also see Gentoo Linux bug report: https://bugs.gentoo.org/865981 + + Change-Id: I421f396b02ba37e12ee70048ee33e034f8113566 + Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934140 + Reviewed-by: Clemens Backes <clemensb@chromium.org> + Reviewed-by: Simon Zund <szuend@chromium.org> + Commit-Queue: Clemens Backes <clemensb@chromium.org> + Cr-Commit-Position: refs/heads/main@{#83587} + +Refs: https://github.com/v8/v8/commit/c2792e58035fcbaa16d0cb70998852fbeb5df4cc +PR-URL: https://github.com/nodejs/node/pull/44961 +Fixes: https://github.com/nodejs/node/issues/43642 +Reviewed-By: Michael Zasso <targos@protonmail.com> +Reviewed-By: Richard Lau <rlau@redhat.com> +Reviewed-By: Luigi Pinca <luigipinca@gmail.com> +Reviewed-By: Colin Ihrig <cjihrig@gmail.com> + +Upstream-Status: Backport [https://github.com/nodejs/node/commit/0be1c5728173ea9ac42843058e26b6268568acf0] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + deps/v8/AUTHORS | 1 + + deps/v8/src/base/logging.h | 1 + + deps/v8/src/inspector/v8-string-conversions.h | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/deps/v8/src/base/logging.h b/deps/v8/src/base/logging.h +index 08db24a9..38be165f 100644 +--- a/deps/v8/src/base/logging.h ++++ b/deps/v8/src/base/logging.h +@@ -5,6 +5,7 @@ + #ifndef V8_BASE_LOGGING_H_ + #define V8_BASE_LOGGING_H_ + ++#include <cstdint> + #include <cstring> + #include <sstream> + #include <string> +diff --git a/deps/v8/src/inspector/v8-string-conversions.h b/deps/v8/src/inspector/v8-string-conversions.h +index c1d69c18..eb33c681 100644 +--- a/deps/v8/src/inspector/v8-string-conversions.h ++++ b/deps/v8/src/inspector/v8-string-conversions.h +@@ -5,6 +5,7 @@ + #ifndef V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ + #define V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ + ++#include <cstdint> + #include <string> + + // Conversion routines between UT8 and UTF16, used by string-16.{h,cc}. You may diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch new file mode 100644 index 0000000000..cdf6bc8e23 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch @@ -0,0 +1,21 @@ +Link mksnapshot with libatomic on x86 + +Clang-12 on x86 emits atomic builtins + +Fixes +| module-compiler.cc:(.text._ZN2v88internal4wasm12_GLOBAL__N_123ExecuteCompilationUnitsERKSt10shared_ptrINS2_22BackgroundCompileTokenEEPNS0_8CountersEiNS2_19CompileBaselineOnlyE+0x558): un +defined reference to `__atomic_load' + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/tools/v8_gypfiles/v8.gyp ++++ b/tools/v8_gypfiles/v8.gyp +@@ -1336,6 +1336,7 @@ + { + 'target_name': 'mksnapshot', + 'type': 'executable', ++ 'libraries': [ '-latomic' ], + 'dependencies': [ + 'v8_base_without_compiler', + 'v8_compiler_for_mksnapshot', diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch new file mode 100644 index 0000000000..21a2281231 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch @@ -0,0 +1,32 @@ +Description: mksnapshot uses too much memory on 32-bit mipsel +Author: Jérémy Lal <kapouer@melix.org> +Last-Update: 2020-06-03 +Forwarded: https://bugs.chromium.org/p/v8/issues/detail?id=10586 + +This ensures that we reserve 500M instead of 2G range for codegen +ensures that qemu-mips can allocate such large ranges + +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/deps/v8/src/common/globals.h ++++ b/deps/v8/src/common/globals.h +@@ -224,7 +224,7 @@ constexpr size_t kMinimumCodeRangeSize = + constexpr size_t kMinExpectedOSPageSize = 64 * KB; // OS page on PPC Linux + #elif V8_TARGET_ARCH_MIPS + constexpr bool kPlatformRequiresCodeRange = false; +-constexpr size_t kMaximalCodeRangeSize = 2048LL * MB; ++constexpr size_t kMaximalCodeRangeSize = 512 * MB; + constexpr size_t kMinimumCodeRangeSize = 0 * MB; + constexpr size_t kMinExpectedOSPageSize = 4 * KB; // OS page. + #else +--- a/deps/v8/src/codegen/mips/constants-mips.h ++++ b/deps/v8/src/codegen/mips/constants-mips.h +@@ -140,7 +140,7 @@ const uint32_t kLeastSignificantByteInIn + namespace v8 { + namespace internal { + +-constexpr size_t kMaxPCRelativeCodeRangeInMB = 4096; ++constexpr size_t kMaxPCRelativeCodeRangeInMB = 1024; + + // ----------------------------------------------------------------------------- + // Registers and FPURegisters. diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/python-3.11-invalid-mode-rU.patch b/meta-oe/recipes-devtools/nodejs/nodejs/python-3.11-invalid-mode-rU.patch new file mode 100644 index 0000000000..588ffc1eee --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/python-3.11-invalid-mode-rU.patch @@ -0,0 +1,46 @@ +From e4d6f2e4091a4c7b6f3281be0e281b32ee6e5a33 Mon Sep 17 00:00:00 2001 +From: Christian Clauss <cclauss@me.com> +Date: Thu, 26 Nov 2020 12:39:11 +0100 +Subject: [PATCH] Fix ValueError: invalid mode: 'rU' while trying to load + binding.gyp + +Fixes nodejs/node-gyp#2219 +File mode `U` is deprecated in Python 3 https://docs.python.org/3/library/functions.html#open +https://github.com/asottile/pyupgrade#redundant-open-modes + +Upstream-Status: Backport [https://github.com/nodejs/gyp-next/commit/3f8cb33ea4d191df41f4fb7a1dfbd302507f7260] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py | 2 +- + tools/gyp/pylib/gyp/input.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py b/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py +index d174280..2f34bc0 100644 +--- a/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py ++++ b/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py +@@ -226,7 +226,7 @@ def LoadOneBuildFile(build_file_path, data, aux_data, includes, + # Open the build file for read ('r') with universal-newlines mode ('U') + # to make sure platform specific newlines ('\r\n' or '\r') are converted to '\n' + # which otherwise will fail eval() +- if sys.platform == 'zos': ++ if PY3 or sys.platform == 'zos': + # On z/OS, universal-newlines mode treats the file as an ascii file. But since + # node-gyp produces ebcdic files, do not use that mode. + build_file_contents = open(build_file_path, 'r').read() +diff --git a/tools/gyp/pylib/gyp/input.py b/tools/gyp/pylib/gyp/input.py +index 1f40abb..fd12e78 100644 +--- a/tools/gyp/pylib/gyp/input.py ++++ b/tools/gyp/pylib/gyp/input.py +@@ -226,7 +226,7 @@ def LoadOneBuildFile(build_file_path, data, aux_data, includes, + # Open the build file for read ('r') with universal-newlines mode ('U') + # to make sure platform specific newlines ('\r\n' or '\r') are converted to '\n' + # which otherwise will fail eval() +- if sys.platform == 'zos': ++ if PY3 or sys.platform == 'zos': + # On z/OS, universal-newlines mode treats the file as an ascii file. But since + # node-gyp produces ebcdic files, do not use that mode. + build_file_contents = open(build_file_path, 'r').read() +-- +2.38.1 + diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb index b9e3821776..f004671a6e 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb @@ -1,7 +1,7 @@ DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" HOMEPAGE = "http://nodejs.org" LICENSE = "MIT & BSD & Artistic-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=8c66ff8861d9f96076a7cb61e3d75f54" +LIC_FILES_CHKSUM = "file://LICENSE;md5=93997aa7a45ba0f25f9c61aaab153ab8" DEPENDS = "openssl" DEPENDS_append_class-target = " nodejs-native" @@ -22,14 +22,22 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ file://big-endian.patch \ file://mips-warnings.patch \ file://0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch \ + file://CVE-2022-32212.patch \ + file://CVE-2022-35255.patch \ + file://CVE-2022-43548.patch \ + file://CVE-llhttp.patch \ + file://python-3.11-invalid-mode-rU.patch \ + file://gcc13.patch \ " SRC_URI_append_class-target = " \ file://0002-Using-native-binaries.patch \ " -SRC_URI[sha256sum] = "052f37ace6f569b513b5a1154b2a45d3c4d8b07d7d7c807b79f1566db61e979d" +SRC_URI[sha256sum] = "bc42b7f8495b9bfc7f7850dd180bb02a5bdf139cc232b8c6f02a6967e20714f2" S = "${WORKDIR}/node-v${PV}" +CVE_PRODUCT += "node.js" + # v8 errors out if you have set CCACHE CCACHE = "" diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb new file mode 100644 index 0000000000..b64a57f941 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb @@ -0,0 +1,211 @@ +DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" +HOMEPAGE = "http://nodejs.org" +LICENSE = "MIT & BSD & Artistic-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=6768abdfc4dae4fde59d6b4df96930f3" + +DEFAULT_PREFERENCE = "-1" + +DEPENDS = "openssl" +DEPENDS:append:class-target = " qemu-native" +DEPENDS:append:class-native = " c-ares-native" + +inherit pkgconfig python3native qemu + +COMPATIBLE_MACHINE:armv4 = "(!.*armv4).*" +COMPATIBLE_MACHINE:armv5 = "(!.*armv5).*" +COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*" + +COMPATIBLE_HOST:riscv64 = "null" +COMPATIBLE_HOST:riscv32 = "null" + +SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ + file://0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch \ + file://0003-Install-both-binaries-and-use-libdir-nodejs14.patch \ + file://0004-v8-don-t-override-ARM-CFLAGS.patch \ + file://big-endian.patch \ + file://mips-warnings.patch \ + file://mips-less-memory-nodejs14.patch \ + file://0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch \ + file://CVE-2022-32212.patch \ + file://CVE-2022-35255.patch \ + file://CVE-2022-43548.patch \ + file://gcc13.patch \ + " +SRC_URI:append:class-target = " \ + file://0002-Using-native-binaries-nodejs14.patch \ + " +SRC_URI:append:toolchain-clang:x86 = " \ + file://libatomic-nodejs14.patch \ + " +SRC_URI:append:toolchain-clang:powerpc64le = " \ + file://0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch \ + " +SRC_URI[sha256sum] = "3fa1d71adddfab2f5e3e41874b4eddbdf92b65cade4a43922fb1e437afcf89ed" + +S = "${WORKDIR}/node-v${PV}" + +CVE_PRODUCT += "node.js" + +# v8 errors out if you have set CCACHE +CCACHE = "" + +def map_nodejs_arch(a, d): + import re + + if re.match('i.86$', a): return 'ia32' + elif re.match('x86_64$', a): return 'x64' + elif re.match('aarch64$', a): return 'arm64' + elif re.match('(powerpc64|powerpc64le|ppc64le)$', a): return 'ppc64' + elif re.match('powerpc$', a): return 'ppc' + return a + +ARCHFLAGS:arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \ + ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \ + '--with-arm-fpu=vfp', d), d), d)}" +GYP_DEFINES:append:mipsel = " mips_arch_variant='r1' " +ARCHFLAGS ?= "" + +PACKAGECONFIG ??= "brotli icu zlib" + +PACKAGECONFIG[ares] = "--shared-cares,,c-ares" +PACKAGECONFIG[brotli] = "--shared-brotli,,brotli" +PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu" +PACKAGECONFIG[libuv] = "--shared-libuv,,libuv" +PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2" +PACKAGECONFIG[shared] = "--shared" +PACKAGECONFIG[zlib] = "--shared-zlib,,zlib" + +# We don't want to cross-compile during target compile, +# and we need to use the right flags during host compile, +# too. +EXTRA_OEMAKE = "\ + CC.host='${CC}' \ + CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \ + CXX.host='${CXX}' \ + CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \ + LDFLAGS.host='${LDFLAGS}' \ + AR.host='${AR}' \ + \ + builddir_name=./ \ +" + +python do_unpack() { + import shutil + + bb.build.exec_func('base_do_unpack', d) + + if 'ares' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/cares', True) + if 'brotli' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/brotli', True) + if 'libuv' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/uv', True) + if 'nghttp2' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/nghttp2', True) + if 'zlib' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/zlib', True) +} + +# V8's JIT infrastructure requires binaries such as mksnapshot and +# mkpeephole to be run in the host during the build. However, these +# binaries must have the same bit-width as the target (e.g. a x86_64 +# host targeting ARMv6 needs to produce a 32-bit binary). Instead of +# depending on a third Yocto toolchain, we just build those binaries +# for the target and run them on the host with QEMU. +python do_create_v8_qemu_wrapper () { + """Creates a small wrapper that invokes QEMU to run some target V8 binaries + on the host.""" + qemu_libdirs = [d.expand('${STAGING_DIR_HOST}${libdir}'), + d.expand('${STAGING_DIR_HOST}${base_libdir}')] + qemu_cmd = qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST', True), + qemu_libdirs) + wrapper_path = d.expand('${B}/v8-qemu-wrapper.sh') + with open(wrapper_path, 'w') as wrapper_file: + wrapper_file.write("""#!/bin/sh + +# This file has been generated automatically. +# It invokes QEMU to run binaries built for the target in the host during the +# build process. + +%s "$@" +""" % qemu_cmd) + os.chmod(wrapper_path, 0o755) +} + +do_create_v8_qemu_wrapper[dirs] = "${B}" +addtask create_v8_qemu_wrapper after do_configure before do_compile + +# Work around compatibility issues with gcc-13 on host +BUILD_CXXFLAGS += "-fpermissive" + +LDFLAGS:append:x86 = " -latomic" + +# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi +do_configure () { + export LD="${CXX}" + GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES + # $TARGET_ARCH settings don't match --dest-cpu settings + python3 configure.py --prefix=${prefix} --cross-compiling \ + --without-dtrace \ + --without-etw \ + --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \ + --dest-os=linux \ + --libdir=${D}${libdir} \ + ${ARCHFLAGS} \ + ${PACKAGECONFIG_CONFARGS} +} + +do_compile () { + export LD="${CXX}" + install -Dm 0755 ${B}/v8-qemu-wrapper.sh ${B}/out/Release/v8-qemu-wrapper.sh + oe_runmake BUILDTYPE=Release +} + +do_install () { + oe_runmake install DESTDIR=${D} + + # wasn't updated since 2009 and is the only thing requiring python2 in runtime + # ERROR: nodejs-12.14.1-r0 do_package_qa: QA Issue: /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples contained in package nodejs-npm requires /usr/bin/python, but no providers found in RDEPENDS:nodejs-npm? [file-rdeps] + rm -f ${D}${exec_prefix}/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples +} + +do_install:append:class-native() { + # use node from PATH instead of absolute path to sysroot + # node-v0.10.25/tools/install.py is using: + # shebang = os.path.join(node_prefix, 'bin/node') + # update_shebang(link_path, shebang) + # and node_prefix can be very long path to bindir in native sysroot and + # when it exceeds 128 character shebang limit it's stripped to incorrect path + # and npm fails to execute like in this case with 133 characters show in log.do_install: + # updating shebang of /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/work/x86_64-linux/nodejs-native/0.10.15-r0/image/home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/npm to /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/node + # /usr/bin/npm is symlink to /usr/lib/node_modules/npm/bin/npm-cli.js + # use sed on npm-cli.js because otherwise symlink is replaced with normal file and + # npm-cli.js continues to use old shebang + sed "1s^.*^#\!/usr/bin/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js + + # Install the native binaries to provide it within sysroot for the target compilation + install -d ${D}${bindir} + install -m 0755 ${S}/out/Release/torque ${D}${bindir}/torque + install -m 0755 ${S}/out/Release/bytecode_builtins_list_generator ${D}${bindir}/bytecode_builtins_list_generator + if ${@bb.utils.contains('PACKAGECONFIG','icu','true','false',d)}; then + install -m 0755 ${S}/out/Release/gen-regexp-special-case ${D}${bindir}/gen-regexp-special-case + fi + install -m 0755 ${S}/out/Release/mkcodecache ${D}${bindir}/mkcodecache + install -m 0755 ${S}/out/Release/node_mksnapshot ${D}${bindir}/node_mksnapshot +} + +do_install:append:class-target() { + sed "1s^.*^#\!${bindir}/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js +} + +PACKAGES =+ "${PN}-npm" +FILES:${PN}-npm = "${exec_prefix}/lib/node_modules ${bindir}/npm ${bindir}/npx" +RDEPENDS:${PN}-npm = "bash python3-core python3-shell python3-datetime \ + python3-misc python3-multiprocessing" + +PACKAGES =+ "${PN}-systemtap" +FILES:${PN}-systemtap = "${datadir}/systemtap" + +BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-devtools/php/php/CVE-2022-4900.patch b/meta-oe/recipes-devtools/php/php/CVE-2022-4900.patch new file mode 100644 index 0000000000..4bfd94c9fd --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2022-4900.patch @@ -0,0 +1,48 @@ +From 789a37f14405e2d1a05a76c9fb4ed2d49d4580d5 Mon Sep 17 00:00:00 2001 +From: guoyiyuan <yguoaz@gmail.com> +Date: Wed, 13 Jul 2022 20:55:51 +0800 +Subject: [PATCH] Prevent potential buffer overflow for large value of + php_cli_server_workers_max + +Fixes #8989. +Closes #9000 + +Upstream-Status: Backport [https://github.com/php/php-src/commit/789a37f14405e2d1a05a76c9fb4ed2d49d4580d5] +CVE: CVE-2022-4900 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + sapi/cli/php_cli_server.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c +index c3097861..48f8309d 100644 +--- a/sapi/cli/php_cli_server.c ++++ b/sapi/cli/php_cli_server.c +@@ -517,13 +517,8 @@ static int sapi_cli_server_startup(sapi_module_struct *sapi_module) /* {{{ */ + if (php_cli_server_workers_max > 1) { + zend_long php_cli_server_worker; + +- php_cli_server_workers = calloc( +- php_cli_server_workers_max, sizeof(pid_t)); +- if (!php_cli_server_workers) { +- php_cli_server_workers_max = 1; +- +- return SUCCESS; +- } ++ php_cli_server_workers = pecalloc( ++ php_cli_server_workers_max, sizeof(pid_t), 1); + + php_cli_server_master = getpid(); + +@@ -2361,7 +2356,7 @@ static void php_cli_server_dtor(php_cli_server *server) /* {{{ */ + !WIFSIGNALED(php_cli_server_worker_status)); + } + +- free(php_cli_server_workers); ++ pefree(php_cli_server_workers, 1); + } + #endif + } /* }}} */ +-- +2.25.1 + diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch new file mode 100644 index 0000000000..db9e41796c --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch @@ -0,0 +1,87 @@ +From ac4254ad764c70cb1f05c9270d8d12689fc3aeb6 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Sun, 16 Apr 2023 15:05:03 +0200 +Subject: [PATCH] Fix missing randomness check and insufficient random bytes + for SOAP HTTP Digest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If php_random_bytes_throw fails, the nonce will be uninitialized, but +still sent to the server. The client nonce is intended to protect +against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1], +and bullet point 2 below. + +Tim pointed out that even though it's the MD5 of the nonce that gets sent, +enumerating 31 bits is trivial. So we have still a stack information leak +of 31 bits. + +Furthermore, Tim found the following issues: +* The small size of cnonce might cause the server to erroneously reject + a request due to a repeated (cnonce, nc) pair. As per the birthday + problem 31 bits of randomness will return a duplication with 50% + chance after less than 55000 requests and nc always starts counting at 1. +* The cnonce is intended to protect the client and password against a + malicious server that returns a constant server nonce where the server + precomputed a rainbow table between passwords and correct client response. + As storage is fairly cheap, a server could precompute the client responses + for (a subset of) client nonces and still have a chance of reversing the + client response with the same probability as the cnonce duplication. + + Precomputing the rainbow table for all 2^31 cnonces increases the rainbow + table size by factor 2 billion, which is infeasible. But precomputing it + for 2^14 cnonces only increases the table size by factor 16k and the server + would still have a 10% chance of successfully reversing a password with a + single client request. + +This patch fixes the issues by increasing the nonce size, and checking +the return value of php_random_bytes_throw(). In the process we also get +rid of the MD5 hashing of the nonce. + +[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616 + +Co-authored-by: Tim Düsterhus <timwolla@php.net> + +Upstream-Status: Backport [https://github.com/php/php-src/commit/ac4254ad764c70cb1f05c9270d8d12689fc3aeb6] +CVE: CVE-2023-3247 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + ext/soap/php_http.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 1da286ad875f..e796dba9619a 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -664,18 +664,23 @@ int make_http_soap_request(zval *this_ptr, + if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) { + if (Z_TYPE_P(digest) == IS_ARRAY) { + char HA1[33], HA2[33], response[33], cnonce[33], nc[9]; +- zend_long nonce; ++ unsigned char nonce[16]; + PHP_MD5_CTX md5ctx; + unsigned char hash[16]; + +- php_random_bytes_throw(&nonce, sizeof(nonce)); +- nonce &= 0x7fffffff; ++ if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) { ++ ZEND_ASSERT(EG(exception)); ++ php_stream_close(stream); ++ convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr)); ++ convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr)); ++ convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr)); ++ smart_str_free(&soap_headers_z); ++ smart_str_free(&soap_headers); ++ return FALSE; ++ } + +- PHP_MD5Init(&md5ctx); +- snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, nonce); +- PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce)); +- PHP_MD5Final(hash, &md5ctx); +- make_digest(cnonce, hash); ++ php_hash_bin2hex(cnonce, nonce, sizeof(nonce)); ++ cnonce[32] = 0; + + if ((tmp = zend_hash_str_find(Z_ARRVAL_P(digest), "nc", sizeof("nc")-1)) != NULL && + Z_TYPE_P(tmp) == IS_LONG) { diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch new file mode 100644 index 0000000000..80c1961aa1 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch @@ -0,0 +1,29 @@ +From 32c7c433ac1983c4497349051681a4f361d3d33e Mon Sep 17 00:00:00 2001 +From: Pierrick Charron <pierrick@php.net> +Date: Tue, 6 Jun 2023 18:49:32 -0400 +Subject: [PATCH] Fix wrong backporting of previous soap patch + +Upstream-Status: Backport [https://github.com/php/php-src/commit/32c7c433ac1983c4497349051681a4f361d3d33e] +CVE: CVE-2023-3247 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + ext/soap/php_http.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 77ed21d4f0f4..37250a6bdcd1 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -672,9 +672,9 @@ int make_http_soap_request(zval *this_ptr, + if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) { + ZEND_ASSERT(EG(exception)); + php_stream_close(stream); +- convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr)); +- convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr)); +- convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr)); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpurl", sizeof("httpurl")-1); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpsocket", sizeof("httpsocket")-1); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "_use_proxy", sizeof("_use_proxy")-1); + smart_str_free(&soap_headers_z); + smart_str_free(&soap_headers); + return FALSE; diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch new file mode 100644 index 0000000000..953b5258e1 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch @@ -0,0 +1,91 @@ +From 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Mon, 10 Jul 2023 13:25:34 +0200 +Subject: [PATCH] Fix buffer mismanagement in phar_dir_read() + +Fixes GHSA-jqcx-ccgc-xwhv. + +Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef] +CVE: CVE-2023-3824 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + ext/phar/dirstream.c | 15 ++++++++------ + ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++ + 2 files changed, 36 insertions(+), 6 deletions(-) + create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt + +diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c +index 4710703c..490b1452 100644 +--- a/ext/phar/dirstream.c ++++ b/ext/phar/dirstream.c +@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend + */ + static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */ + { +- size_t to_read; + HashTable *data = (HashTable *)stream->abstract; + zend_string *str_key; + zend_ulong unused; + ++ if (count != sizeof(php_stream_dirent)) { ++ return -1; ++ } ++ + if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) { + return 0; + } + + zend_hash_move_forward(data); +- to_read = MIN(ZSTR_LEN(str_key), count); + +- if (to_read == 0 || count < ZSTR_LEN(str_key)) { ++ php_stream_dirent *dirent = (php_stream_dirent *) buf; ++ ++ if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) { + return 0; + } + +- memset(buf, 0, sizeof(php_stream_dirent)); +- memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read); +- ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0'; ++ memset(dirent, 0, sizeof(php_stream_dirent)); ++ PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key)); + + return sizeof(php_stream_dirent); + } +diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt +new file mode 100644 +index 00000000..4e12f05f +--- /dev/null ++++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read()) ++--SKIPIF-- ++<?php if (!extension_loaded("phar")) die("skip"); ?> ++--INI-- ++phar.readonly=0 ++--FILE-- ++<?php ++$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar'); ++$phar->startBuffering(); ++$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.'); ++$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.'); ++$phar->stopBuffering(); ++ ++$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar'); ++var_dump(strlen(readdir($handle))); ++// Must not be a string of length PHP_MAXPATHLEN+1 ++var_dump(readdir($handle)); ++closedir($handle); ++?> ++--CLEAN-- ++<?php ++unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar'); ++?> ++--EXPECTF-- ++int(%d) ++bool(false) +-- +2.24.4 + diff --git a/meta-oe/recipes-devtools/php/php_7.4.21.bb b/meta-oe/recipes-devtools/php/php_7.4.33.bb index c7c00ac30e..74606e4883 100644 --- a/meta-oe/recipes-devtools/php/php_7.4.21.bb +++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb @@ -16,6 +16,8 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ file://debian-php-fixheader.patch \ file://0001-configure.ac-don-t-include-build-libtool.m4.patch \ file://0001-php.m4-don-t-unset-cache-variables.patch \ + file://CVE-2023-3824.patch \ + file://CVE-2022-4900.patch \ " SRC_URI_append_class-target = " \ @@ -30,10 +32,12 @@ SRC_URI_append_class-target = " \ file://phar-makefile.patch \ file://0001-opcache-config.m4-enable-opcache.patch \ file://xfail_two_bug_tests.patch \ + file://CVE-2023-3247-1.patch \ + file://CVE-2023-3247-2.patch \ " S = "${WORKDIR}/php-${PV}" -SRC_URI[sha256sum] = "36ec6102e757e2c2b7742057a700bbff77c76fa0ccbe9c860398c3d24e32822a" +SRC_URI[sha256sum] = "4e8117458fe5a475bf203128726b71bcbba61c42ad463dffadee5667a198a98a" inherit autotools pkgconfig python3native gettext diff --git a/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch new file mode 100644 index 0000000000..bb9594e968 --- /dev/null +++ b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch @@ -0,0 +1,73 @@ +From f5ce0700d80c776186b0fb0414ef20966a3a6a03 Mon Sep 17 00:00:00 2001 +From: "Sana.Kazi" <Sana.Kazi@kpit.com> +Date: Wed, 23 Feb 2022 15:50:16 +0530 +Subject: [PATCH] protobuf: Fix CVE-2021-22570 + +CVE: CVE-2021-22570 +Upstream-Status: Backport [https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch] +Comment: Removed first and second hunk +Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> + +--- + src/google/protobuf/descriptor.cc | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc +index 6835a3cde..1514ae531 100644 +--- a/src/google/protobuf/descriptor.cc ++++ b/src/google/protobuf/descriptor.cc +@@ -2603,6 +2603,8 @@ void Descriptor::DebugString(int depth, std::string* contents, + const Descriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start + 1) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end > FieldDescriptor::kMaxNumber) { ++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end - 1); +@@ -2815,6 +2817,8 @@ void EnumDescriptor::DebugString( + const EnumDescriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end == INT_MAX) { ++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end); +@@ -4002,6 +4006,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + // Use its file as the parent instead. + if (parent == nullptr) parent = file_; + ++ if (full_name.find('\0') != std::string::npos) { ++ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + full_name + "\" contains null character."); ++ return false; ++ } + if (tables_->AddSymbol(full_name, symbol)) { + if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) { + // This is only possible if there was already an error adding something of +@@ -4041,6 +4050,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + void DescriptorBuilder::AddPackage(const std::string& name, + const Message& proto, + const FileDescriptor* file) { ++ if (name.find('\0') != std::string::npos) { ++ AddError(name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + name + "\" contains null character."); ++ return; ++ } + if (tables_->AddSymbol(name, Symbol(file))) { + // Success. Also add parent package, if any. + std::string::size_type dot_pos = name.find_last_of('.'); +@@ -4354,6 +4368,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl( + } + result->pool_ = pool_; + ++ if (result->name().find('\0') != std::string::npos) { ++ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + result->name() + "\" contains null character."); ++ return nullptr; ++ } ++ + // Add to tables. + if (!tables_->AddFile(result)) { + AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER, diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb index d2f22ba6b8..55d56ff08e 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x;protocol=https \ file://0001-protobuf-fix-configure-error.patch \ file://0001-Makefile.am-include-descriptor.cc-when-building-libp.patch \ file://0001-examples-Makefile-respect-CXX-LDFLAGS-variables-fix-.patch \ + file://CVE-2021-22570.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb index 04ac93e92e..bc90bffe5e 100644 --- a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb +++ b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://license.txt;md5=ba04aa8f65de1396a7e59d1d746c2125" -SRC_URI = "git://github.com/miloyip/rapidjson.git;nobranch=1;protocol=https" +SRC_URI = "git://github.com/miloyip/rapidjson.git;branch=master;protocol=https" SRCREV = "0ccdbf364c577803e2a751f5aededce935314313" diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch new file mode 100644 index 0000000000..169784d427 --- /dev/null +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch @@ -0,0 +1,29 @@ +From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001 +From: "zhang.jiujiu" <282627424@qq.com> +Date: Tue, 7 Dec 2021 22:37:02 +0800 +Subject: [PATCH] fix memory leaks + +Upstream-Status: Backport [https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698] +CVE: CVE-2023-33460 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/yajl_tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/yajl_tree.c b/src/yajl_tree.c +index 3d357a3..a71167e 100644 +--- a/src/yajl_tree.c ++++ b/src/yajl_tree.c +@@ -445,6 +445,9 @@ yajl_val yajl_tree_parse (const char *input, + YA_FREE(&(handle->alloc), internal_err_str); + } + yajl_free (handle); ++ //If the requested memory is not released in time, it will cause memory leakage ++ if(ctx.root) ++ yajl_tree_free(ctx.root); + return NULL; + } + +-- +2.25.1 + diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb index cf8dbb183e..697f54d9fb 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb @@ -8,7 +8,9 @@ HOMEPAGE = "http://lloyd.github.com/yajl/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d" -SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https" +SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \ + file://CVE-2023-33460.patch \ + " SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb index 926d8851d2..b2c41756e5 100644 --- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb +++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb @@ -32,7 +32,7 @@ BBCLASSEXTEND = "native" DEPENDS_class-native = "readline-native" PACKAGECONFIG_class-native = "" -SRC_URI_append_class-native = "file://0001-reduce-build-to-conversion-tools-for-native-build.patch" +SRC_URI_append_class-native = " file://0001-reduce-build-to-conversion-tools-for-native-build.patch" do_install_class-native() { install -d ${D}${bindir} diff --git a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb index e9c58bf589..5901057840 100644 --- a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb +++ b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb @@ -7,6 +7,7 @@ DEPENDS = "udev libusb1 libplist" inherit autotools pkgconfig gitpkgv PKGV = "${GITPKGVTAG}" +PV = "1.0.10+git${SRCPV}" SRCREV = "78df9be5fc8222ed53846cb553de9b5d24c85c6c" SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https;branch=master" diff --git a/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch b/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch new file mode 100644 index 0000000000..2aec818574 --- /dev/null +++ b/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch @@ -0,0 +1,38 @@ +From 790ff6dad16b70e68804a2d53ad54db40412e889 Mon Sep 17 00:00:00 2001 +From: Michael Heimpold <mhei@heimpold.de> +Date: Sat, 8 Jan 2022 20:00:50 +0100 +Subject: [PATCH] modbus_reply: fix copy & paste error in sanity check (fixes + #614) + +[ Upstream commit b4ef4c17d618eba0adccc4c7d9e9a1ef809fc9b6 ] + +While handling MODBUS_FC_WRITE_AND_READ_REGISTERS, both address offsets +must be checked, i.e. the read and the write address must be within the +mapping range. + +At the moment, only the read address was considered, it looks like a +simple copy and paste error, so let's fix it. + +CVE: CVE-2022-0367 + +Signed-off-by: Michael Heimpold <mhei@heimpold.de> +--- + src/modbus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/modbus.c b/src/modbus.c +index 68a28a3..c871152 100644 +--- a/src/modbus.c ++++ b/src/modbus.c +@@ -961,7 +961,7 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, + nb_write, nb, MODBUS_MAX_WR_WRITE_REGISTERS, MODBUS_MAX_WR_READ_REGISTERS); + } else if (mapping_address < 0 || + (mapping_address + nb) > mb_mapping->nb_registers || +- mapping_address < 0 || ++ mapping_address_write < 0 || + (mapping_address_write + nb_write) > mb_mapping->nb_registers) { + rsp_length = response_exception( + ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS, rsp, FALSE, +-- +2.39.1 + diff --git a/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb b/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb index 075487ae90..5c59312760 100644 --- a/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb +++ b/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb @@ -2,7 +2,10 @@ require libmodbus.inc SRC_URI += "file://f1eb4bc7ccb09cd8d19ab641ee37637f8c34d16d.patch \ file://Fix-float-endianness-issue-on-big-endian-arch.patch \ - file://Fix-typo.patch" + file://Fix-typo.patch \ + file://CVE-2022-0367.patch \ + " + SRC_URI[md5sum] = "15c84c1f7fb49502b3efaaa668cfd25e" SRC_URI[sha256sum] = "d7d9fa94a16edb094e5fdf5d87ae17a0dc3f3e3d687fead81835d9572cf87c16" diff --git a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb index a081cb17a8..27fe0e2c40 100644 --- a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb +++ b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb @@ -31,4 +31,4 @@ FILES_statgrab-dbg = "${bindir}/.debug/statgrab" FILES_saidar = "${bindir}/saidar" FILES_saidar-dbg = "${bindir}/.debug/saidar" FILES_${PN}-mrtg = "${bindir}/statgrab-make-mrtg-config ${bindir}/statgrab-make-mrtg-index" -RDEPENDS_${PN}-mrtg_append = "perl statgrab" +RDEPENDS_${PN}-mrtg_append = " perl statgrab" diff --git a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb index f635a9b138..e96c977453 100644 --- a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb +++ b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb @@ -17,7 +17,7 @@ REQUIRED_DISTRO_FEATURES = "pam" SRCREV = "d8eba6cb6682b59d84ca1da67a523520b879ade6" -SRC_URI = "git://github.com/Openwsman/openwsman.git;branch=master;protocol=https \ +SRC_URI = "git://github.com/Openwsman/openwsman.git;branch=main;protocol=https \ file://libssl-is-required-if-eventint-supported.patch \ file://openwsmand.service \ file://0001-lock.c-Define-PTHREAD_MUTEX_RECURSIVE_NP-if-undefine.patch \ diff --git a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb index b8b86ed5a9..5b0171d8c8 100644 --- a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb +++ b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb @@ -181,7 +181,7 @@ RDEPENDS_${PN}-ptest += " \ " RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils glibc-localedata-en-us" -RRECOMMENDS_${PN} += "kernel-module-overlay" +RRECOMMENDS_${PN}_append_class-target = " kernel-module-overlay" SYSTEMD_SERVICE_${PN} = "ostree-remount.service ostree-finalize-staged.path" SYSTEMD_SERVICE_${PN}-switchroot = "ostree-prepare-root.service" diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch new file mode 100644 index 0000000000..98e186cbf0 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch @@ -0,0 +1,27 @@ +p7zip: Update CVE-2016-9296 patch URL. +From: Robert Luberda <robert@debian.org> +Date: Sat, 19 Nov 2016 08:48:08 +0100 +Subject: Fix nullptr dereference (CVE-2016-9296) + +Patch taken from https://sourceforge.net/p/p7zip/bugs/185/ +This patch file taken from Debian's patch set for p7zip + +Upstream-Status: Backport [https://sourceforge.net/p/p7zip/bugs/185/] +CVE: CVE-2016-9296 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +Index: p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Archive/7z/7zIn.cpp ++++ p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp +@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS + if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i]) + ThrowIncorrect(); + } +- HeadersSize += folders.PackPositions[folders.NumPackStreams]; ++ if (folders.PackPositions) ++ HeadersSize += folders.PackPositions[folders.NumPackStreams]; + return S_OK; + } + diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch new file mode 100644 index 0000000000..b6deb5d3a7 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch @@ -0,0 +1,226 @@ +From: Robert Luberda <robert@debian.org> +Date: Sun, 28 Jan 2018 23:47:40 +0100 +Subject: CVE-2018-5996 + +Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by +applying a few changes from 7Zip 18.00-beta. + +Bug-Debian: https://bugs.debian.org/#888314 + +Upstream-Status: Backport [https://sources.debian.org/data/non-free/p/p7zip-rar/16.02-3/debian/patches/06-CVE-2018-5996.patch] +CVE: CVE-2018-5996 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++---- + CPP/7zip/Compress/Rar1Decoder.h | 1 + + CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++- + CPP/7zip/Compress/Rar2Decoder.h | 1 + + CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++--- + CPP/7zip/Compress/Rar3Decoder.h | 2 ++ + 6 files changed, 42 insertions(+), 8 deletions(-) + +Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp +@@ -29,7 +29,7 @@ public: + }; + */ + +-CDecoder::CDecoder(): m_IsSolid(false) { } ++CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { } + + void CDecoder::InitStructures() + { +@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialIn + InitData(); + if (!m_IsSolid) + { ++ _errorMode = false; + InitStructures(); + InitHuff(); + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (m_UnpackSize > 0) + { + GetFlagsBuf(); +@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialI + const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress) + { + try { return CodeReal(inStream, outStream, inSize, outSize, progress); } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(const CLzOutWindowException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + } + + STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size) +Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h +@@ -39,6 +39,7 @@ public: + + Int64 m_UnpackSize; + bool m_IsSolid; ++ bool _errorMode; + + UInt32 ReadBits(int numBits); + HRESULT CopyBlock(UInt32 distance, UInt32 len); +Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp +@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 << + static const UInt32 kWindowReservSize = (1 << 22) + 256; + + CDecoder::CDecoder(): +- m_IsSolid(false) ++ m_IsSolid(false), ++ m_TablesOK(false) + { + } + +@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBi + + bool CDecoder::ReadTables(void) + { ++ m_TablesOK = false; ++ + Byte levelLevels[kLevelTableSize]; + Byte newLevels[kMaxTableSize]; + m_AudioMode = (ReadBits(1) == 1); +@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void) + } + + memcpy(m_LastLevels, newLevels, kMaxTableSize); ++ m_TablesOK = true; ++ + return true; + } + +@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialIn + return S_FALSE; + } + ++ if (!m_TablesOK) ++ return S_FALSE; ++ + UInt64 startPos = m_OutWindowStream.GetProcessedSize(); + while (pos < unPackSize) + { +Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h +@@ -139,6 +139,7 @@ class CDecoder : + + UInt64 m_PackSize; + bool m_IsSolid; ++ bool m_TablesOK; + + void InitStructures(); + UInt32 ReadBits(unsigned numBits); +Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp +@@ -92,7 +92,8 @@ CDecoder::CDecoder(): + _writtenFileSize(0), + _vmData(0), + _vmCode(0), +- m_IsSolid(false) ++ m_IsSolid(false), ++ _errorMode(false) + { + Ppmd7_Construct(&_ppmd); + } +@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + return InitPPM(); + } + ++ TablesRead = false; ++ TablesOK = false; ++ + _lzMode = true; + PrevAlignBits = 0; + PrevAlignCount = 0; +@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + } + } + } ++ if (InputEofError()) ++ return S_FALSE; ++ + TablesRead = true; + + // original code has check here: +@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize])); + + memcpy(m_LastLevels, newLevels, kTablesSizesSum); ++ ++ TablesOK = true; ++ + return S_OK; + } + +@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProg + PpmEscChar = 2; + PpmError = true; + InitFilters(); ++ _errorMode = false; + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (!m_IsSolid || !TablesRead) + { + bool keepDecompressing; +@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProg + bool keepDecompressing; + if (_lzMode) + { ++ if (!TablesOK) ++ return S_FALSE; + RINOK(DecodeLZ(keepDecompressing)) + } + else +@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialI + _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1; + return CodeReal(progress); + } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + // CNewException is possible here. But probably CNewException is caused + // by error in data stream. + } +Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h +@@ -192,6 +192,7 @@ class CDecoder: + UInt32 _lastFilter; + + bool m_IsSolid; ++ bool _errorMode; + + bool _lzMode; + bool _unsupportedFilter; +@@ -200,6 +201,7 @@ class CDecoder: + UInt32 PrevAlignCount; + + bool TablesRead; ++ bool TablesOK; + + CPpmd7 _ppmd; + int PpmEscChar; diff --git a/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch new file mode 100644 index 0000000000..dcde83e8a4 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch @@ -0,0 +1,27 @@ +fixes the below error + +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp: In member function 'virtual LONG NArchive::NWim::CHandler::GetArchiveProperty(PROPID, PROPVARIANT*)': +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:308:11: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17 +| 308 | numMethods++; +| | ^~~~~~~~~~ +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:318:9: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17 +| 318 | numMethods++; + + +use unsigned instead of bool +Signed-off-by: Nisha Parrakat <Nisha.Parrakat@kpit.com> + +Upstream-Status: Pending +Index: p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Archive/Wim/WimHandler.cpp ++++ p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp +@@ -298,7 +298,7 @@ STDMETHODIMP CHandler::GetArchivePropert + + AString res; + +- bool numMethods = 0; ++ unsigned numMethods = 0; + for (unsigned i = 0; i < ARRAY_SIZE(k_Methods); i++) + { + if (methodMask & ((UInt32)1 << i)) diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb index 13479a90fe..79677c6487 100644 --- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb +++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb @@ -9,6 +9,9 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al file://do_not_override_compiler_and_do_not_strip.patch \ file://CVE-2017-17969.patch \ file://0001-Fix-narrowing-errors-Wc-11-narrowing.patch \ + file://change_numMethods_from_bool_to_unsigned.patch \ + file://CVE-2018-5996.patch \ + file://CVE-2016-9296.patch \ " SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf" @@ -16,10 +19,26 @@ SRC_URI[sha256sum] = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6 S = "${WORKDIR}/${BPN}_${PV}" +do_compile_append() { + oe_runmake 7z +} +FILES_${PN} += "${libdir}/* ${bindir}/7z" + +FILES_SOLIBSDEV = "" +INSANE_SKIP_${PN} += "dev-so" + do_install() { install -d ${D}${bindir} - install -m 0755 ${S}/bin/* ${D}${bindir} + install -d ${D}${bindir}/Codecs + install -d ${D}${libdir} + install -d ${D}${libdir}/Codecs + install -m 0755 ${S}/bin/7za ${D}${bindir} ln -s 7za ${D}${bindir}/7z + install -m 0755 ${S}/bin/Codecs/* ${D}${libdir}/Codecs/ + install -m 0755 ${S}/bin/7z.so ${D}${libdir}/lib7z.so } -BBCLASSEXTEND = "native" +RPROVIDES_${PN} += "lib7z.so()(64bit) 7z lib7z.so" +RPROVIDES_${PN}-dev += "lib7z.so()(64bit) 7z lib7z.so" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch new file mode 100644 index 0000000000..cab1c83c09 --- /dev/null +++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch @@ -0,0 +1,74 @@ +From ed8b418f1341cf7fc576f6b17de5c6dd4017e034 Mon Sep 17 00:00:00 2001 +From: "Jeremy A. Puhlman" <jpuhlman@mvista.com> +Date: Thu, 27 Jan 2022 00:01:27 +0000 +Subject: [PATCH] CVE-2021-4034: Local privilege escalation in pkexec due to + incorrect handling of argument vector + +Upstream-Status: Backport https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 +CVE: CVE-2021-4034 + +Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> +--- + src/programs/pkcheck.c | 6 ++++++ + src/programs/pkexec.c | 21 ++++++++++++++++++++- + 2 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c +index f1bb4e1..aff4f60 100644 +--- a/src/programs/pkcheck.c ++++ b/src/programs/pkcheck.c +@@ -363,6 +363,12 @@ main (int argc, char *argv[]) + local_agent_handle = NULL; + ret = 126; + ++ if (argc < 1) ++ { ++ help(); ++ exit(1); ++ } ++ + /* Disable remote file access from GIO. */ + setenv ("GIO_USE_VFS", "local", 1); + +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 7698c5c..3ff4c58 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -488,6 +488,17 @@ main (int argc, char *argv[]) + pid_t pid_of_caller; + gpointer local_agent_handle; + ++ ++ /* ++ * If 'pkexec' is called wrong, just show help and bail out. ++ */ ++ if (argc<1) ++ { ++ clearenv(); ++ usage(argc, argv); ++ exit(1); ++ } ++ + ret = 127; + authority = NULL; + subject = NULL; +@@ -636,7 +647,15 @@ main (int argc, char *argv[]) + goto out; + } + g_free (path); +- argv[n] = path = s; ++ path = s; ++ ++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. ++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination ++ */ ++ if (argv[n] != NULL) ++ { ++ argv[n] = path; ++ } + } + if (access (path, F_OK) != 0) + { +-- +2.26.2 + diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch new file mode 100644 index 0000000000..37e0d6063c --- /dev/null +++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch @@ -0,0 +1,87 @@ +From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001 +From: Jan Rybar <jrybar@redhat.com> +Date: Mon, 21 Feb 2022 08:29:05 +0000 +Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix + +Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/41cb093f554da8772362654a128a84dd8a5542a7.patch] +CVE: CVE-2021-4115 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++---- + 1 file changed, 34 insertions(+), 4 deletions(-) + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8ed1363..2fbf5f1 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -62,6 +62,10 @@ enum + PROP_NAME, + }; + ++ ++guint8 dbus_call_respond_fails; // has to be global because of callback ++ ++ + static void subject_iface_init (PolkitSubjectIface *subject_iface); + + G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT, +@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src, + if (!v) + { + data->caught_error = TRUE; ++ dbus_call_respond_fails += 1; + } + else + { +@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + tmp_context = g_main_context_new (); + g_main_context_push_thread_default (tmp_context); + ++ dbus_call_respond_fails = 0; ++ + /* Do two async calls as it's basically as fast as one sync call. + */ + g_dbus_connection_call (connection, +@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + on_retrieved_unix_uid_pid, + &data); + +- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) +- g_main_context_iteration (tmp_context, TRUE); ++ while (TRUE) ++ { ++ /* If one dbus call returns error, we must wait until the other call ++ * calls _call_finish(), otherwise fd leak is possible. ++ * Resolves: GHSL-2021-077 ++ */ + +- if (data.caught_error) +- goto out; ++ if ( (dbus_call_respond_fails > 1) ) ++ { ++ // we got two faults, we can leave ++ goto out; ++ } ++ ++ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid))) ++ { ++ // we got one fault and the other call finally finished, we can leave ++ goto out; ++ } ++ ++ if ( !(data.retrieved_uid && data.retrieved_pid) ) ++ { ++ g_main_context_iteration (tmp_context, TRUE); ++ } ++ else ++ { ++ break; ++ } ++ } + + if (out_uid) + *out_uid = data.uid; +-- +GitLab + diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch new file mode 100644 index 0000000000..76308ffdb9 --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch @@ -0,0 +1,33 @@ +From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001 +From: Jan Rybar <jrybar@redhat.com> +Date: Wed, 2 Jun 2021 15:43:38 +0200 +Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit + +initial values returned if error caught + +CVE: CVE-2021-3560 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/polkit/polkitsystembusname.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8daa12c..8ed1363 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) + g_main_context_iteration (tmp_context, TRUE); + ++ if (data.caught_error) ++ goto out; ++ + if (out_uid) + *out_uid = data.uid; + if (out_pid) +-- +2.29.2 + diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb b/meta-oe/recipes-extended/polkit/polkit_0.116.bb index ad1973b136..dd8e208616 100644 --- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb +++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb @@ -25,6 +25,9 @@ PAM_SRC_URI = "file://polkit-1_pam.patch" SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://0003-make-netgroup-support-optional.patch \ + file://CVE-2021-3560.patch \ + file://CVE-2021-4034.patch \ + file://CVE-2021-4115.patch \ " SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a" SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1" diff --git a/meta-oe/recipes-extended/sysdig/sysdig_git.bb b/meta-oe/recipes-extended/sysdig/sysdig_git.bb index d15ecdb03f..b06340f82f 100644 --- a/meta-oe/recipes-extended/sysdig/sysdig_git.bb +++ b/meta-oe/recipes-extended/sysdig/sysdig_git.bb @@ -15,7 +15,7 @@ JIT_mipsarchn64 = "" JIT_riscv64 = "" JIT_riscv32 = "" -DEPENDS += "lua${JIT} zlib c-ares grpc-native grpc curl ncurses jsoncpp tbb jq openssl elfutils protobuf protobuf-native jq-native" +DEPENDS += "libb64 lua${JIT} zlib c-ares grpc-native grpc curl ncurses jsoncpp tbb jq openssl elfutils protobuf protobuf-native jq-native" RDEPENDS_${PN} = "bash" SRC_URI = "git://github.com/draios/sysdig.git;branch=dev;protocol=https \ @@ -32,7 +32,6 @@ S = "${WORKDIR}/git" EXTRA_OECMAKE = "\ -DBUILD_DRIVER=OFF \ -DUSE_BUNDLED_DEPS=OFF \ - -DUSE_BUNDLED_B64=ON \ -DCREATE_TEST_TARGETS=OFF \ -DDIR_ETC=${sysconfdir} \ -DLUA_INCLUDE_DIR=${STAGING_INCDIR}/luajit-2.1 \ diff --git a/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb b/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb index f8fa226f6f..0c564c0d1c 100644 --- a/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb +++ b/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb @@ -9,7 +9,7 @@ LICENSE = "BSD-3-Clause & GPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \ file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0" -SRC_URI = "git://github.com/facebook/zstd.git;nobranch=1;protocol=https \ +SRC_URI = "git://github.com/facebook/zstd.git;branch=dev;protocol=https \ file://0001-Fix-legacy-build-after-2103.patch \ " diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb index 81ab86c762..72e2f5cc7a 100644 --- a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb +++ b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb @@ -55,6 +55,17 @@ do_install_append_class-native() { install -m755 ${B}/lib/gvpr/mkdefs ${D}${bindir} } +# create /usr/lib/graphviz/config6 +graphviz_sstate_postinst() { + mkdir -p ${SYSROOT_DESTDIR}${bindir} + dest=${SYSROOT_DESTDIR}${bindir}/postinst-${PN} + echo '#!/bin/sh' > $dest + echo '' >> $dest + echo 'dot -c' >> $dest + chmod 0755 $dest +} +SYSROOT_PREPROCESS_FUNCS_append_class-native = " graphviz_sstate_postinst" + PACKAGES =+ "${PN}-python ${PN}-perl ${PN}-demo" FILES_${PN}-python += "${libdir}/python*/site-packages/ ${libdir}/graphviz/python/" diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch new file mode 100644 index 0000000000..98988e686e --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch @@ -0,0 +1,72 @@ +From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001 +From: Young Xiao <YangX92@hotmail.com> +Date: Sat, 16 Mar 2019 19:57:27 +0800 +Subject: [PATCH] convertbmp: detect invalid file dimensions early + +width/length dimensions read from bmp headers are not necessarily +valid. For instance they may have been maliciously set to very large +values with the intention to cause DoS (large memory allocation, stack +overflow). In these cases we want to detect the invalid size as early +as possible. + +This commit introduces a counter which verifies that the number of +written bytes corresponds to the advertized width/length. + +See commit 8ee335227bbc for details. + +Signed-off-by: Young Xiao <YangX92@hotmail.com> + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2019-12973 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/convertbmp.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index 0af52f816..ec34f535b 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) + { +- OPJ_UINT32 x, y; ++ OPJ_UINT32 x, y, written; + OPJ_UINT8 *pix; + const OPJ_UINT8 *beyond; + + beyond = pData + stride * height; + pix = pData; +- x = y = 0U; ++ x = y = written = 0U; + while (y < height) { + int c = getc(IN); + if (c == EOF) { +@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++ written++; + } + } else { /* absolute mode */ + c = getc(IN); +@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + c1 = (OPJ_UINT8)getc(IN); + } + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++ written++; + } + if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ + getc(IN); +@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + } + } + } /* while(y < height) */ ++ if (written != width * height) { ++ fprintf(stderr, "warning, image's actual size does not match advertized one\n"); ++ return OPJ_FALSE; ++ } + return OPJ_TRUE; + } + diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch new file mode 100644 index 0000000000..2177bfdbdb --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch @@ -0,0 +1,86 @@ +From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001 +From: Young Xiao <YangX92@hotmail.com> +Date: Sat, 16 Mar 2019 20:09:59 +0800 +Subject: [PATCH] bmp_read_rle4_data(): avoid potential infinite loop + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2019-12973 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index ec34f535b..2fc4e9bc4 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + while (y < height) { + int c = getc(IN); + if (c == EOF) { +- break; ++ return OPJ_FALSE; + } + + if (c) { /* encoded mode */ +- int j; +- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN); ++ int j, c1_int; ++ OPJ_UINT8 c1; ++ ++ c1_int = getc(IN); ++ if (c1_int == EOF) { ++ return OPJ_FALSE; ++ } ++ c1 = (OPJ_UINT8)c1_int; + + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { +@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + } else { /* absolute mode */ + c = getc(IN); + if (c == EOF) { +- break; ++ return OPJ_FALSE; + } + + if (c == 0x00) { /* EOL */ +@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + break; + } else if (c == 0x02) { /* MOVE by dxdy */ + c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + x += (OPJ_UINT32)c; + c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + y += (OPJ_UINT32)c; + pix = pData + y * stride + x; + } else { /* 03 .. 255 : absolute mode */ +@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + if ((j & 1) == 0) { +- c1 = (OPJ_UINT8)getc(IN); ++ int c1_int; ++ c1_int = getc(IN); ++ if (c1_int == EOF) { ++ return OPJ_FALSE; ++ } ++ c1 = (OPJ_UINT8)c1_int; + } + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; + } + if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ +- getc(IN); ++ c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + } + } + } diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch new file mode 100644 index 0000000000..f22e153b52 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch @@ -0,0 +1,43 @@ +From e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sun, 28 Jun 2020 14:19:59 +0200 +Subject: [PATCH] opj_decompress: fix double-free on input directory with mix + of valid and invalid images (CVE-2020-15389) + +Fixes #1261 + +Credits to @Ruia-ruia for reporting and analysis. + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-15389 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/opj_decompress.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c +index 7eeb0952f..2634907f0 100644 +--- a/src/bin/jp2/opj_decompress.c ++++ b/src/bin/jp2/opj_decompress.c +@@ -1316,10 +1316,6 @@ static opj_image_t* upsample_image_components(opj_image_t* original) + int main(int argc, char **argv) + { + opj_decompress_parameters parameters; /* decompression parameters */ +- opj_image_t* image = NULL; +- opj_stream_t *l_stream = NULL; /* Stream */ +- opj_codec_t* l_codec = NULL; /* Handle to a decompressor */ +- opj_codestream_index_t* cstr_index = NULL; + + OPJ_INT32 num_images, imageno; + img_fol_t img_fol; +@@ -1393,6 +1389,10 @@ int main(int argc, char **argv) + + /*Decoding image one by one*/ + for (imageno = 0; imageno < num_images ; imageno++) { ++ opj_image_t* image = NULL; ++ opj_stream_t *l_stream = NULL; /* Stream */ ++ opj_codec_t* l_codec = NULL; /* Handle to a decompressor */ ++ opj_codestream_index_t* cstr_index = NULL; + + if (!parameters.quiet) { + fprintf(stderr, "\n"); diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch new file mode 100644 index 0000000000..da06db6db7 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch @@ -0,0 +1,29 @@ +From eaa098b59b346cb88e4d10d505061f669d7134fc Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 23 Nov 2020 13:49:05 +0100 +Subject: [PATCH] Encoder: grow buffer size in + opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in + opj_mqc_flush (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1235,9 +1235,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + + /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ + /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ ++ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ ++ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch new file mode 100644 index 0000000000..9c5894c720 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch @@ -0,0 +1,27 @@ +From 15cf3d95814dc931ca0ecb132f81cb152e051bae Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 23 Nov 2020 18:14:02 +0100 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1237,9 +1237,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ + /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ + /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ ++ /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch new file mode 100644 index 0000000000..1eb030af46 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch @@ -0,0 +1,30 @@ +From 649298dcf84b2f20cfe458d887c1591db47372a6 Mon Sep 17 00:00:00 2001 +From: yuan <zodf0055980@gmail.com> +Date: Wed, 25 Nov 2020 20:41:39 +0800 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1238,10 +1238,12 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ + /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ + /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ ++ /* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */ ++ /* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * +- (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); ++ l_data_size = 63 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { + if (p_code_block->data) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch new file mode 100644 index 0000000000..1c267c313b --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch @@ -0,0 +1,27 @@ +From 4ce7d285a55d29b79880d0566d4b010fe1907aa9 Mon Sep 17 00:00:00 2001 +From: yuan <zodf0055980@gmail.com> +Date: Fri, 4 Dec 2020 19:00:22 +0800 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1240,9 +1240,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ + /* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */ + /* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */ ++ /* and +74 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -n 8 -s 7,7 -I) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 63 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 74 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch new file mode 100644 index 0000000000..e4373d0d32 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch @@ -0,0 +1,29 @@ +From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 30 Nov 2020 22:31:51 +0100 +Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is + used, that would result in a heap buffer overflow (fixes #1284) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27823 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/convertpng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c +index 328c91beb..00f596e27 100644 +--- a/src/bin/jp2/convertpng.c ++++ b/src/bin/jp2/convertpng.c +@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params) + image->x0 = (OPJ_UINT32)params->image_offset_x0; + image->y0 = (OPJ_UINT32)params->image_offset_y0; + image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32) +- params->subsampling_dx + 1 + image->x0); ++ params->subsampling_dx + 1); + image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32) +- params->subsampling_dy + 1 + image->y0); ++ params->subsampling_dy + 1); + + row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32)); + if (row32s == NULL) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch new file mode 100644 index 0000000000..5f3deb4dda --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch @@ -0,0 +1,24 @@ +From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 30 Nov 2020 22:37:07 +0100 +Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible + conversion when too many decomposition levels are specified (fixes #1286) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27824 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/dwt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/lib/openjp2/dwt.c ++++ b/src/lib/openjp2/dwt.c +@@ -1293,7 +1293,7 @@ void opj_dwt_calc_explicit_stepsizes(opj + if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) { + stepsize = 1.0; + } else { +- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level]; ++ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient); + stepsize = (1 << (gain)) / norm; + } + opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0), diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch new file mode 100644 index 0000000000..db6d12dc2c --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch @@ -0,0 +1,238 @@ +From 00383e162ae2f8fc951f5745bf1011771acb8dce Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Wed, 2 Dec 2020 14:02:17 +0100 +Subject: [PATCH] pi.c: avoid out of bounds access with POC (refs + https://github.com/uclouvain/openjpeg/issues/1293#issuecomment-737122836) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27841 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/pi.c | 49 +++++++++++++++++++++++++++++--------------- + src/lib/openjp2/pi.h | 10 +++++++-- + src/lib/openjp2/t2.c | 4 ++-- + 3 files changed, 42 insertions(+), 21 deletions(-) + +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -192,10 +192,12 @@ static void opj_get_all_encoding_paramet + * @param p_image the image used to initialize the packet iterator (in fact only the number of components is relevant. + * @param p_cp the coding parameters. + * @param tileno the index of the tile from which creating the packet iterator. ++ * @param manager Event manager + */ + static opj_pi_iterator_t * opj_pi_create(const opj_image_t *p_image, + const opj_cp_t *p_cp, +- OPJ_UINT32 tileno); ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager); + /** + * FIXME DOC + */ +@@ -230,12 +232,6 @@ static OPJ_BOOL opj_pi_check_next_level( + ========================================================== + */ + +-static void opj_pi_emit_error(opj_pi_iterator_t * pi, const char* msg) +-{ +- (void)pi; +- (void)msg; +-} +- + static OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterator_t * pi) + { + opj_pi_comp_t *comp = NULL; +@@ -272,7 +268,7 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_ + /* include should be resized when a POC arises, or */ + /* the POC should be rejected */ + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -318,7 +314,7 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -449,7 +445,7 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -473,6 +469,13 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_pcrl(): invalid compno0/compno1"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + goto LABEL_SKIP; +@@ -580,7 +583,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -604,6 +607,13 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_cprl(): invalid compno0/compno1"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + goto LABEL_SKIP; +@@ -708,7 +718,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -981,7 +991,8 @@ static void opj_get_all_encoding_paramet + + static opj_pi_iterator_t * opj_pi_create(const opj_image_t *image, + const opj_cp_t *cp, +- OPJ_UINT32 tileno) ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager) + { + /* loop*/ + OPJ_UINT32 pino, compno; +@@ -1015,6 +1026,8 @@ static opj_pi_iterator_t * opj_pi_create + l_current_pi = l_pi; + for (pino = 0; pino < l_poc_bound ; ++pino) { + ++ l_current_pi->manager = manager; ++ + l_current_pi->comps = (opj_pi_comp_t*) opj_calloc(image->numcomps, + sizeof(opj_pi_comp_t)); + if (! l_current_pi->comps) { +@@ -1352,7 +1365,8 @@ static OPJ_BOOL opj_pi_check_next_level( + */ + opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, + opj_cp_t *p_cp, +- OPJ_UINT32 p_tile_no) ++ OPJ_UINT32 p_tile_no, ++ opj_event_mgr_t* manager) + { + OPJ_UINT32 numcomps = p_image->numcomps; + +@@ -1407,7 +1421,7 @@ opj_pi_iterator_t *opj_pi_create_decode( + } + + /* memory allocation for pi */ +- l_pi = opj_pi_create(p_image, p_cp, p_tile_no); ++ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager); + if (!l_pi) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); +@@ -1552,7 +1566,8 @@ opj_pi_iterator_t *opj_pi_create_decode( + opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, + opj_cp_t *p_cp, + OPJ_UINT32 p_tile_no, +- J2K_T2_MODE p_t2_mode) ++ J2K_T2_MODE p_t2_mode, ++ opj_event_mgr_t* manager) + { + OPJ_UINT32 numcomps = p_image->numcomps; + +@@ -1606,7 +1621,7 @@ opj_pi_iterator_t *opj_pi_initialise_enc + } + + /* memory allocation for pi*/ +- l_pi = opj_pi_create(p_image, p_cp, p_tile_no); ++ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager); + if (!l_pi) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); +--- a/src/lib/openjp2/pi.h ++++ b/src/lib/openjp2/pi.h +@@ -107,6 +107,8 @@ typedef struct opj_pi_iterator { + OPJ_INT32 x, y; + /** FIXME DOC*/ + OPJ_UINT32 dx, dy; ++ /** event manager */ ++ opj_event_mgr_t* manager; + } opj_pi_iterator_t; + + /** @name Exported functions */ +@@ -119,13 +121,15 @@ typedef struct opj_pi_iterator { + * @param cp the coding parameters. + * @param tileno index of the tile being encoded. + * @param t2_mode the type of pass for generating the packet iterator ++ * @param manager Event manager + * + * @return a list of packet iterator that points to the first packet of the tile (not true). + */ + opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *image, + opj_cp_t *cp, + OPJ_UINT32 tileno, +- J2K_T2_MODE t2_mode); ++ J2K_T2_MODE t2_mode, ++ opj_event_mgr_t* manager); + + /** + * Updates the encoding parameters of the codec. +@@ -161,12 +165,14 @@ Create a packet iterator for Decoder + @param image Raw image for which the packets will be listed + @param cp Coding parameters + @param tileno Number that identifies the tile for which to list the packets ++@param manager Event manager + @return Returns a packet iterator that points to the first packet of the tile + @see opj_pi_destroy + */ + opj_pi_iterator_t *opj_pi_create_decode(opj_image_t * image, + opj_cp_t * cp, +- OPJ_UINT32 tileno); ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager); + /** + * Destroys a packet iterator array. + * +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -244,7 +244,7 @@ OPJ_BOOL opj_t2_encode_packets(opj_t2_t* + l_image->numcomps : 1; + OPJ_UINT32 l_nb_pocs = l_tcp->numpocs + 1; + +- l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode); ++ l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode, p_manager); + if (!l_pi) { + return OPJ_FALSE; + } +@@ -405,7 +405,7 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t + #endif + + /* create a packet iterator */ +- l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no); ++ l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no, p_manager); + if (!l_pi) { + return OPJ_FALSE; + } diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch new file mode 100644 index 0000000000..6984aa8602 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch @@ -0,0 +1,31 @@ +From fbd30b064f8f9607d500437b6fedc41431fd6cdc Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 1 Dec 2020 19:51:35 +0100 +Subject: [PATCH] opj_t2_encode_packet(): avoid out of bound access of #1294, + but likely not the proper fix + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27842 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/t2.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -711,6 +711,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ + continue; + } + ++ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1294 */ ++ /* but likely not a proper fix. */ ++ if (precno >= res->pw * res->ph) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "opj_t2_encode_packet(): accessing precno=%u >= %u\n", ++ precno, res->pw * res->ph); ++ return OPJ_FALSE; ++ } ++ + prc = &band->precincts[precno]; + opj_tgt_reset(prc->incltree); + opj_tgt_reset(prc->imsbtree); diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch new file mode 100644 index 0000000000..53c86ea5e4 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch @@ -0,0 +1,31 @@ +From 38d661a3897052c7ff0b39b30c29cb067e130121 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Wed, 2 Dec 2020 13:13:26 +0100 +Subject: [PATCH] opj_t2_encode_packet(): avoid out of bound access of #1297, + but likely not the proper fix + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27843 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/t2.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -787,6 +787,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ + continue; + } + ++ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1297 */ ++ /* but likely not a proper fix. */ ++ if (precno >= res->pw * res->ph) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "opj_t2_encode_packet(): accessing precno=%u >= %u\n", ++ precno, res->pw * res->ph); ++ return OPJ_FALSE; ++ } ++ + prc = &band->precincts[precno]; + l_nb_blocks = prc->cw * prc->ch; + cblk = prc->cblks.enc; diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch new file mode 100644 index 0000000000..a1aa49a217 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch @@ -0,0 +1,74 @@ +From 8f5aff1dff510a964d3901d0fba281abec98ab63 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Fri, 4 Dec 2020 20:45:25 +0100 +Subject: [PATCH] pi.c: avoid out of bounds access with POC (fixes #1302) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27845 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/pi.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -238,6 +238,13 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_lrcp(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + res = &comp->resolutions[pi->resno]; +@@ -291,6 +298,13 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_rlcp(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + res = &comp->resolutions[pi->resno]; +@@ -337,6 +351,13 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_rpcl(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + goto LABEL_SKIP; + } else { +@@ -472,7 +493,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + if (pi->poc.compno0 >= pi->numcomps || + pi->poc.compno1 >= pi->numcomps + 1) { + opj_event_msg(pi->manager, EVT_ERROR, +- "opj_pi_next_pcrl(): invalid compno0/compno1"); ++ "opj_pi_next_pcrl(): invalid compno0/compno1\n"); + return OPJ_FALSE; + } + +@@ -610,7 +631,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + if (pi->poc.compno0 >= pi->numcomps || + pi->poc.compno1 >= pi->numcomps + 1) { + opj_event_msg(pi->manager, EVT_ERROR, +- "opj_pi_next_cprl(): invalid compno0/compno1"); ++ "opj_pi_next_cprl(): invalid compno0/compno1\n"); + return OPJ_FALSE; + } + diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb index 2fdcec0ec2..9cf513f3f7 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb @@ -8,8 +8,21 @@ DEPENDS = "libpng tiff lcms zlib" SRC_URI = " \ git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ + file://CVE-2019-12973-1.patch \ + file://CVE-2019-12973-2.patch \ file://CVE-2020-6851.patch \ file://CVE-2020-8112.patch \ + file://CVE-2020-15389.patch \ + file://CVE-2020-27814-1.patch \ + file://CVE-2020-27814-2.patch \ + file://CVE-2020-27814-3.patch \ + file://CVE-2020-27814-4.patch \ + file://CVE-2020-27823.patch \ + file://CVE-2020-27824.patch \ + file://CVE-2020-27841.patch \ + file://CVE-2020-27842.patch \ + file://CVE-2020-27843.patch \ + file://CVE-2020-27845.patch \ " SRCREV = "57096325457f96d8cd07bd3af04fe81d7a2ba788" S = "${WORKDIR}/git" @@ -20,3 +33,17 @@ inherit cmake EXTRA_OECMAKE += "-DOPENJPEG_INSTALL_LIB_DIR=${@d.getVar('baselib').replace('/', '')}" FILES_${PN} += "${libdir}/openjpeg*" + +# This flaw is introduced by +# https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5 +# but the contents of this patch is not present in openjpeg_2.3.1 +# Hence, it can be whitelisted. +# https://security-tracker.debian.org/tracker/CVE-2020-27844 + +CVE_CHECK_WHITELIST += "CVE-2020-27844" + +# The CVE description clearly states that j2k_read_ppm_v3 function in openjpeg +# is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present. +# Hence, CVE-2015-1239 does not affect openjpeg_2.3.1 + +CVE_CHECK_WHITELIST += "CVE-2015-1239" diff --git a/meta-oe/recipes-graphics/spir/spirv-tools_git.bb b/meta-oe/recipes-graphics/spir/spirv-tools_git.bb index ec68edf098..362a250725 100644 --- a/meta-oe/recipes-graphics/spir/spirv-tools_git.bb +++ b/meta-oe/recipes-graphics/spir/spirv-tools_git.bb @@ -8,11 +8,11 @@ SECTION = "graphics" S = "${WORKDIR}/git" DEST_DIR = "${S}/external" -SRC_URI = "git://github.com/KhronosGroup/SPIRV-Tools.git;name=spirv-tools;branch=master;protocol=https \ - git://github.com/KhronosGroup/SPIRV-Headers.git;name=spirv-headers;destsuffix=${DEST_DIR}/spirv-headers;branch=master;protocol=https \ - git://github.com/google/effcee.git;name=effcee;destsuffix=${DEST_DIR}/effcee;branch=master;protocol=https \ - git://github.com/google/re2.git;name=re2;destsuffix=${DEST_DIR}/re2;branch=master;protocol=https \ - git://github.com/google/googletest.git;name=googletest;destsuffix=${DEST_DIR}/googletest;branch=master;protocol=https \ +SRC_URI = "git://github.com/KhronosGroup/SPIRV-Tools.git;name=spirv-tools;branch=main;protocol=https \ + git://github.com/KhronosGroup/SPIRV-Headers.git;name=spirv-headers;destsuffix=${DEST_DIR}/spirv-headers;branch=main;protocol=https \ + git://github.com/google/effcee.git;name=effcee;destsuffix=${DEST_DIR}/effcee;branch=main;protocol=https \ + git://github.com/google/re2.git;name=re2;destsuffix=${DEST_DIR}/re2;branch=main;protocol=https \ + git://github.com/google/googletest.git;name=googletest;destsuffix=${DEST_DIR}/googletest;branch=main;protocol=https \ file://0001-Respect-CMAKE_INSTALL_LIBDIR-in-installed-CMake-file.patch \ file://0001-Avoid-pessimizing-std-move-3124.patch \ " diff --git a/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb b/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb index 7484c054c0..9fe61ae9c1 100644 --- a/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb +++ b/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb @@ -4,7 +4,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://COPYING;md5=9648bd7af63bd3cc4f5ac046d12c49e4" SRCREV = "590567f20dc044f6948a8e2c61afc714c360ad0e" -SRC_URI = "git://github.com/tesseract-ocr/tessdata.git;branch=master;protocol=https" +SRC_URI = "git://github.com/tesseract-ocr/tessdata.git;branch=main;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb index 03b9d6488f..de2d059061 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://www.tigervnc.com/" LICENSE = "GPLv2+" SECTION = "x11/utils" DEPENDS = "xserver-xorg gnutls jpeg libxtst gettext-native fltk" -RDEPENDS_${PN} = "coreutils hicolor-icon-theme perl" +RDEPENDS_${PN} = "coreutils hicolor-icon-theme perl xkbcomp" LIC_FILES_CHKSUM = "file://LICENCE.TXT;md5=75b02c2872421380bbd47781d2bd75d3" diff --git a/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb b/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb index 4949616ddc..df5979a094 100644 --- a/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb +++ b/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb @@ -9,7 +9,5 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ac9801b8423fd7a7699ccbd45cf134d8" DEPENDS += "libxxf86vm" -BBCLASSEXTEND = "native" - SRC_URI[md5sum] = "90b4305157c2b966d5180e2ee61262be" SRC_URI[sha256sum] = "0ef1c35b5c18b1b22317f455c8df13c0a471a8efad63c89c98ae3ce8c2b222d3" diff --git a/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb b/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb index 6a05e98e32..d394b33de2 100644 --- a/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb +++ b/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb @@ -13,7 +13,5 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=64322fab5239f5c8d97cf6e0e14f1c62" DEPENDS += "libxaw libxkbfile" -BBCLASSEXTEND = "native" - SRC_URI[md5sum] = "502b14843f610af977dffc6cbf2102d5" SRC_URI[sha256sum] = "d2a18ab90275e8bca028773c44264d2266dab70853db4321bdbc18da75148130" diff --git a/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb b/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb index 30a1e089e3..a9a8acf05c 100644 --- a/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb +++ b/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb @@ -8,7 +8,6 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=6ea29dbee22324787c061f039e0529de" DEPENDS += "xbitmaps libxcursor" -BBCLASSEXTEND = "native" SRC_URI[md5sum] = "5fe769c8777a6e873ed1305e4ce2c353" SRC_URI[sha256sum] = "10c442ba23591fb5470cea477a0aa5f679371f4f879c8387a1d9d05637ae417c" diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch new file mode 100644 index 0000000000..b7a5f297a5 --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch @@ -0,0 +1,84 @@ +From 85666286473f2fbb2d4731d4e175f00d7a76e21f Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Tue, 21 Jun 2022 10:53:01 +0530 +Subject: [PATCH] CVE-2022-24130 + +Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d] +CVE: CVE-2022-24130 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f + Check for out-of-bounds condition while drawing sixels, and quit that + operation (report by Nick Black, CVE-2022-24130). +Bug-Debian: https://bugs.debian.org/1004689 + +--- + graphics_sixel.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/graphics_sixel.c b/graphics_sixel.c +index 00ba3ef..6a82295 100644 +--- a/graphics_sixel.c ++++ b/graphics_sixel.c +@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic, SixelContext const *context) + graphic->color_registers_used[context->background] = 1; + } + +-static void ++static Boolean + set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + { + const int mh = graphic->max_height; +@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + ((color != COLOR_HOLE) + ? (unsigned) graphic->color_registers[color].b : 0U))); + for (pix = 0; pix < 6; pix++) { +- if (context->col < mw && context->row + pix < mh) { ++ if (context->col >= 0 && ++ context->col < mw && ++ context->row + pix >= 0 && ++ context->row + pix < mh) { + if (sixel & (1 << pix)) { + if (context->col + 1 > graphic->actual_width) { + graphic->actual_width = context->col + 1; +@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + } + } else { + TRACE(("sixel pixel %d out of bounds\n", pix)); ++ return False; + } + } ++ return True; + } + + static void +@@ -451,7 +456,10 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string) + init_sixel_background(graphic, &context); + graphic->valid = 1; + } +- set_sixel(graphic, &context, sixel); ++ if (!set_sixel(graphic, &context, sixel)) { ++ context.col = 0; ++ break; ++ } + context.col++; + } else if (ch == '$') { /* DECGCR */ + /* ignore DECCRNLM in sixel mode */ +@@ -529,8 +537,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string) + graphic->valid = 1; + } + for (i = 0; i < Pcount; i++) { +- set_sixel(graphic, &context, sixel); +- context.col++; ++ if (set_sixel(graphic, &context, sixel)) { ++ context.col++; ++ } else { ++ context.col = 0; ++ break; ++ } + } + } else if (ch == '#') { /* DECGCI */ + ANSI color_params; +-- +2.25.1 + diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch new file mode 100644 index 0000000000..e63169a209 --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch @@ -0,0 +1,776 @@ +From 787636674918873a091e7a4ef5977263ba982322 Mon Sep 17 00:00:00 2001 +From: "Thomas E. Dickey" <dickey@invisible-island.net> +Date: Sun, 23 Oct 2022 22:59:52 +0000 +Subject: [PATCH] snapshot of project "xterm", label xterm-374c + +Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/787636674918873a091e7a4ef5977263ba982322] +CVE: CVE-2022-45063 + +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + button.c | 16 +-- + charproc.c | 9 +- + doublechr.c | 4 +- + fontutils.c | 266 ++++++++++++++++++++++++++----------------------- + fontutils.h | 4 +- + misc.c | 7 +- + screen.c | 2 +- + xterm.h | 2 +- + xterm.log.html | 6 ++ + 9 files changed, 164 insertions(+), 152 deletions(-) + +diff --git a/button.c b/button.c +index 66a6181..e05ca50 100644 +--- a/button.c ++++ b/button.c +@@ -1619,14 +1619,9 @@ static void + UnmapSelections(XtermWidget xw) + { + TScreen *screen = TScreenOf(xw); +- Cardinal n; + +- if (screen->mappedSelect) { +- for (n = 0; screen->mappedSelect[n] != 0; ++n) +- free((void *) screen->mappedSelect[n]); +- free(screen->mappedSelect); +- screen->mappedSelect = 0; +- } ++ free(screen->mappedSelect); ++ screen->mappedSelect = 0; + } + + /* +@@ -1662,14 +1657,11 @@ MapSelections(XtermWidget xw, String *params, Cardinal num_params) + if ((result = TypeMallocN(String, num_params + 1)) != 0) { + result[num_params] = 0; + for (j = 0; j < num_params; ++j) { +- result[j] = x_strdup((isSELECT(params[j]) ++ result[j] = (String) (isSELECT(params[j]) + ? mapTo +- : params[j])); ++ : params[j]); + if (result[j] == 0) { + UnmapSelections(xw); +- while (j != 0) { +- free((void *) result[--j]); +- } + free(result); + result = 0; + break; +diff --git a/charproc.c b/charproc.c +index 55f0108..b07de4c 100644 +--- a/charproc.c ++++ b/charproc.c +@@ -12548,7 +12548,6 @@ DoSetSelectedFont(Widget w, + Bell(xw, XkbBI_MinorError, 0); + } else { + Boolean failed = False; +- int oldFont = TScreenOf(xw)->menu_font_number; + char *save = TScreenOf(xw)->SelectFontName(); + char *val; + char *test; +@@ -12593,10 +12592,6 @@ DoSetSelectedFont(Widget w, + failed = True; + } + if (failed) { +- (void) xtermLoadFont(xw, +- xtermFontName(TScreenOf(xw)->MenuFontName(oldFont)), +- True, +- oldFont); + Bell(xw, XkbBI_MinorError, 0); + } + free(used); +@@ -12605,7 +12600,7 @@ DoSetSelectedFont(Widget w, + } + } + +-void ++Bool + FindFontSelection(XtermWidget xw, const char *atom_name, Bool justprobe) + { + TScreen *screen = TScreenOf(xw); +@@ -12645,7 +12640,7 @@ FindFontSelection(XtermWidget xw, const char *atom_name, Bool justprobe) + DoSetSelectedFont, NULL, + XtLastTimestampProcessed(XtDisplay(xw))); + } +- return; ++ return (screen->SelectFontName() != NULL) ? True : False; + } + + Bool +diff --git a/doublechr.c b/doublechr.c +index a60f5bd..f7b6bae 100644 +--- a/doublechr.c ++++ b/doublechr.c +@@ -294,7 +294,7 @@ xterm_DoubleGC(XTermDraw * params, GC old_gc, int *inxp) + temp.flags = (params->attr_flags & BOLD); + temp.warn = fwResource; + +- if (!xtermOpenFont(params->xw, name, &temp, False)) { ++ if (!xtermOpenFont(params->xw, name, &temp, NULL, False)) { + XTermDraw local = *params; + char *nname; + +@@ -303,7 +303,7 @@ xterm_DoubleGC(XTermDraw * params, GC old_gc, int *inxp) + nname = xtermSpecialFont(&local); + if (nname != 0) { + found = (Boolean) xtermOpenFont(params->xw, nname, &temp, +- False); ++ NULL, False); + free(nname); + } + } else { +diff --git a/fontutils.c b/fontutils.c +index 4b0ef85..d9bfaf8 100644 +--- a/fontutils.c ++++ b/fontutils.c +@@ -92,9 +92,9 @@ + } + + #define FREE_FNAME(field) \ +- if (fonts == 0 || myfonts.field != fonts->field) { \ +- FREE_STRING(myfonts.field); \ +- myfonts.field = 0; \ ++ if (fonts == 0 || new_fnames.field != fonts->field) { \ ++ FREE_STRING(new_fnames.field); \ ++ new_fnames.field = 0; \ + } + + /* +@@ -573,7 +573,7 @@ open_italic_font(XtermWidget xw, int n, FontNameProperties *fp, XTermFonts * dat + if ((name = italic_font_name(fp, slant[pass])) != 0) { + TRACE(("open_italic_font %s %s\n", + whichFontEnum((VTFontEnum) n), name)); +- if (xtermOpenFont(xw, name, data, False)) { ++ if (xtermOpenFont(xw, name, data, NULL, False)) { + result = (data->fs != 0); + #if OPT_REPORT_FONTS + if (resource.reportFonts) { +@@ -1006,13 +1006,14 @@ cannotFont(XtermWidget xw, const char *who, const char *tag, const char *name) + } + + /* +- * Open the given font and verify that it is non-empty. Return a null on ++ * Open the given font and verify that it is non-empty. Return false on + * failure. + */ + Bool + xtermOpenFont(XtermWidget xw, + const char *name, + XTermFonts * result, ++ XTermFonts * current, + Bool force) + { + Bool code = False; +@@ -1020,7 +1021,12 @@ xtermOpenFont(XtermWidget xw, + + TRACE(("xtermOpenFont %d:%d '%s'\n", + result->warn, xw->misc.fontWarnings, NonNull(name))); ++ + if (!IsEmpty(name)) { ++ Bool existing = (current != NULL ++ && current->fs != NULL ++ && current->fn != NULL); ++ + if ((result->fs = XLoadQueryFont(screen->display, name)) != 0) { + code = True; + if (EmptyFont(result->fs)) { +@@ -1039,9 +1045,13 @@ xtermOpenFont(XtermWidget xw, + } else { + TRACE(("xtermOpenFont: cannot load font '%s'\n", name)); + } +- if (force) { ++ if (existing) { ++ TRACE(("...continue using font '%s'\n", current->fn)); ++ result->fn = x_strdup(current->fn); ++ result->fs = current->fs; ++ } else if (force) { + NoFontWarning(result); +- code = xtermOpenFont(xw, DEFFONT, result, True); ++ code = xtermOpenFont(xw, DEFFONT, result, NULL, True); + } + } + } +@@ -1289,6 +1299,7 @@ static Bool + loadNormFP(XtermWidget xw, + char **nameOutP, + XTermFonts * infoOut, ++ XTermFonts * current, + int fontnum) + { + Bool status = True; +@@ -1298,7 +1309,7 @@ loadNormFP(XtermWidget xw, + if (!xtermOpenFont(xw, + *nameOutP, + infoOut, +- (fontnum == fontMenu_default))) { ++ current, (fontnum == fontMenu_default))) { + /* + * If we are opening the default font, and it happens to be missing, + * force that to the compiled-in default font, e.g., "fixed". If we +@@ -1333,10 +1344,10 @@ loadBoldFP(XtermWidget xw, + if (fp != 0) { + NoFontWarning(infoOut); + *nameOutP = bold_font_name(fp, fp->average_width); +- if (!xtermOpenFont(xw, *nameOutP, infoOut, False)) { ++ if (!xtermOpenFont(xw, *nameOutP, infoOut, NULL, False)) { + free(*nameOutP); + *nameOutP = bold_font_name(fp, -1); +- xtermOpenFont(xw, *nameOutP, infoOut, False); ++ xtermOpenFont(xw, *nameOutP, infoOut, NULL, False); + } + TRACE(("...derived bold '%s'\n", NonNull(*nameOutP))); + } +@@ -1354,7 +1365,7 @@ loadBoldFP(XtermWidget xw, + TRACE(("...did not get a matching bold font\n")); + } + free(normal); +- } else if (!xtermOpenFont(xw, *nameOutP, infoOut, False)) { ++ } else if (!xtermOpenFont(xw, *nameOutP, infoOut, NULL, False)) { + xtermCopyFontInfo(infoOut, infoRef); + TRACE(("...cannot load bold font '%s'\n", NonNull(*nameOutP))); + } else { +@@ -1408,7 +1419,7 @@ loadWideFP(XtermWidget xw, + } + + if (check_fontname(*nameOutP)) { +- if (xtermOpenFont(xw, *nameOutP, infoOut, False) ++ if (xtermOpenFont(xw, *nameOutP, infoOut, NULL, False) + && is_derived_font_name(*nameOutP) + && EmptyFont(infoOut->fs)) { + xtermCloseFont2(xw, infoOut - fWide, fWide); +@@ -1452,7 +1463,7 @@ loadWBoldFP(XtermWidget xw, + + if (check_fontname(*nameOutP)) { + +- if (xtermOpenFont(xw, *nameOutP, infoOut, False) ++ if (xtermOpenFont(xw, *nameOutP, infoOut, NULL, False) + && is_derived_font_name(*nameOutP) + && !compatibleWideCounts(wideInfoRef->fs, infoOut->fs)) { + xtermCloseFont2(xw, infoOut - fWBold, fWBold); +@@ -1505,6 +1516,10 @@ loadWBoldFP(XtermWidget xw, + } + #endif + ++/* ++ * Load a given bitmap font, along with the bold/wide variants. ++ * Returns nonzero on success. ++ */ + int + xtermLoadFont(XtermWidget xw, + const VTFontNames * fonts, +@@ -1514,33 +1529,37 @@ xtermLoadFont(XtermWidget xw, + TScreen *screen = TScreenOf(xw); + VTwin *win = WhichVWin(screen); + +- VTFontNames myfonts; +- XTermFonts fnts[fMAX]; ++ VTFontNames new_fnames; ++ XTermFonts new_fonts[fMAX]; ++ XTermFonts old_fonts[fMAX]; + char *tmpname = NULL; + Boolean proportional = False; ++ Boolean recovered; ++ int code = 0; + +- memset(&myfonts, 0, sizeof(myfonts)); +- memset(fnts, 0, sizeof(fnts)); ++ memset(&new_fnames, 0, sizeof(new_fnames)); ++ memset(new_fonts, 0, sizeof(new_fonts)); ++ memcpy(&old_fonts, screen->fnts, sizeof(old_fonts)); + + if (fonts != 0) +- myfonts = *fonts; +- if (!check_fontname(myfonts.f_n)) +- return 0; ++ new_fnames = *fonts; ++ if (!check_fontname(new_fnames.f_n)) ++ return code; + + if (fontnum == fontMenu_fontescape +- && myfonts.f_n != screen->MenuFontName(fontnum)) { +- if ((tmpname = x_strdup(myfonts.f_n)) == 0) +- return 0; ++ && new_fnames.f_n != screen->MenuFontName(fontnum)) { ++ if ((tmpname = x_strdup(new_fnames.f_n)) == 0) ++ return code; + } + +- TRACE(("Begin Cgs - xtermLoadFont(%s)\n", myfonts.f_n)); ++ TRACE(("Begin Cgs - xtermLoadFont(%s)\n", new_fnames.f_n)); + releaseWindowGCs(xw, win); + + #define DbgResource(name, field, index) \ + TRACE(("xtermLoadFont #%d "name" %s%s\n", \ + fontnum, \ +- (fnts[index].warn == fwResource) ? "*" : " ", \ +- NonNull(myfonts.field))) ++ (new_fonts[index].warn == fwResource) ? "*" : " ", \ ++ NonNull(new_fnames.field))) + DbgResource("normal", f_n, fNorm); + DbgResource("bold ", f_b, fBold); + #if OPT_WIDE_CHARS +@@ -1549,16 +1568,17 @@ xtermLoadFont(XtermWidget xw, + #endif + + if (!loadNormFP(xw, +- &myfonts.f_n, +- &fnts[fNorm], ++ &new_fnames.f_n, ++ &new_fonts[fNorm], ++ &old_fonts[fNorm], + fontnum)) + goto bad; + + if (!loadBoldFP(xw, +- &myfonts.f_b, +- &fnts[fBold], +- myfonts.f_n, +- &fnts[fNorm], ++ &new_fnames.f_b, ++ &new_fonts[fBold], ++ new_fnames.f_n, ++ &new_fonts[fNorm], + fontnum)) + goto bad; + +@@ -1570,20 +1590,20 @@ xtermLoadFont(XtermWidget xw, + if_OPT_WIDE_CHARS(screen, { + + if (!loadWideFP(xw, +- &myfonts.f_w, +- &fnts[fWide], +- myfonts.f_n, +- &fnts[fNorm], ++ &new_fnames.f_w, ++ &new_fonts[fWide], ++ new_fnames.f_n, ++ &new_fonts[fNorm], + fontnum)) + goto bad; + + if (!loadWBoldFP(xw, +- &myfonts.f_wb, +- &fnts[fWBold], +- myfonts.f_w, +- &fnts[fWide], +- myfonts.f_b, +- &fnts[fBold], ++ &new_fnames.f_wb, ++ &new_fonts[fWBold], ++ new_fnames.f_w, ++ &new_fonts[fWide], ++ new_fnames.f_b, ++ &new_fonts[fBold], + fontnum)) + goto bad; + +@@ -1593,30 +1613,30 @@ xtermLoadFont(XtermWidget xw, + * Normal/bold fonts should be the same width. Also, the min/max + * values should be the same. + */ +- if (fnts[fNorm].fs != 0 +- && fnts[fBold].fs != 0 +- && (!is_fixed_font(fnts[fNorm].fs) +- || !is_fixed_font(fnts[fBold].fs) +- || differing_widths(fnts[fNorm].fs, fnts[fBold].fs))) { ++ if (new_fonts[fNorm].fs != 0 ++ && new_fonts[fBold].fs != 0 ++ && (!is_fixed_font(new_fonts[fNorm].fs) ++ || !is_fixed_font(new_fonts[fBold].fs) ++ || differing_widths(new_fonts[fNorm].fs, new_fonts[fBold].fs))) { + TRACE(("Proportional font! normal %d/%d, bold %d/%d\n", +- fnts[fNorm].fs->min_bounds.width, +- fnts[fNorm].fs->max_bounds.width, +- fnts[fBold].fs->min_bounds.width, +- fnts[fBold].fs->max_bounds.width)); ++ new_fonts[fNorm].fs->min_bounds.width, ++ new_fonts[fNorm].fs->max_bounds.width, ++ new_fonts[fBold].fs->min_bounds.width, ++ new_fonts[fBold].fs->max_bounds.width)); + proportional = True; + } + + if_OPT_WIDE_CHARS(screen, { +- if (fnts[fWide].fs != 0 +- && fnts[fWBold].fs != 0 +- && (!is_fixed_font(fnts[fWide].fs) +- || !is_fixed_font(fnts[fWBold].fs) +- || differing_widths(fnts[fWide].fs, fnts[fWBold].fs))) { ++ if (new_fonts[fWide].fs != 0 ++ && new_fonts[fWBold].fs != 0 ++ && (!is_fixed_font(new_fonts[fWide].fs) ++ || !is_fixed_font(new_fonts[fWBold].fs) ++ || differing_widths(new_fonts[fWide].fs, new_fonts[fWBold].fs))) { + TRACE(("Proportional font! wide %d/%d, wide bold %d/%d\n", +- fnts[fWide].fs->min_bounds.width, +- fnts[fWide].fs->max_bounds.width, +- fnts[fWBold].fs->min_bounds.width, +- fnts[fWBold].fs->max_bounds.width)); ++ new_fonts[fWide].fs->min_bounds.width, ++ new_fonts[fWide].fs->max_bounds.width, ++ new_fonts[fWBold].fs->min_bounds.width, ++ new_fonts[fWBold].fs->max_bounds.width)); + proportional = True; + } + }); +@@ -1635,13 +1655,13 @@ xtermLoadFont(XtermWidget xw, + screen->ifnts_ok = False; + #endif + +- xtermCopyFontInfo(GetNormalFont(screen, fNorm), &fnts[fNorm]); +- xtermCopyFontInfo(GetNormalFont(screen, fBold), &fnts[fBold]); ++ xtermCopyFontInfo(GetNormalFont(screen, fNorm), &new_fonts[fNorm]); ++ xtermCopyFontInfo(GetNormalFont(screen, fBold), &new_fonts[fBold]); + #if OPT_WIDE_CHARS +- xtermCopyFontInfo(GetNormalFont(screen, fWide), &fnts[fWide]); +- if (fnts[fWBold].fs == NULL) +- xtermCopyFontInfo(GetNormalFont(screen, fWide), &fnts[fWide]); +- xtermCopyFontInfo(GetNormalFont(screen, fWBold), &fnts[fWBold]); ++ xtermCopyFontInfo(GetNormalFont(screen, fWide), &new_fonts[fWide]); ++ if (new_fonts[fWBold].fs == NULL) ++ xtermCopyFontInfo(GetNormalFont(screen, fWide), &new_fonts[fWide]); ++ xtermCopyFontInfo(GetNormalFont(screen, fWBold), &new_fonts[fWBold]); + #endif + + xtermUpdateFontGCs(xw, getNormalFont); +@@ -1672,7 +1692,7 @@ xtermLoadFont(XtermWidget xw, + unsigned ch; + + #if OPT_TRACE +-#define TRACE_MISS(index) show_font_misses(#index, &fnts[index]) ++#define TRACE_MISS(index) show_font_misses(#index, &new_fonts[index]) + TRACE_MISS(fNorm); + TRACE_MISS(fBold); + #if OPT_WIDE_CHARS +@@ -1689,8 +1709,8 @@ xtermLoadFont(XtermWidget xw, + if ((n != UCS_REPL) + && (n != ch) + && (screen->fnt_boxes & 2)) { +- if (xtermMissingChar(n, &fnts[fNorm]) || +- xtermMissingChar(n, &fnts[fBold])) { ++ if (xtermMissingChar(n, &new_fonts[fNorm]) || ++ xtermMissingChar(n, &new_fonts[fBold])) { + UIntClr(screen->fnt_boxes, 2); + TRACE(("missing graphics character #%d, U+%04X\n", + ch, n)); +@@ -1702,12 +1722,12 @@ xtermLoadFont(XtermWidget xw, + #endif + + for (ch = 1; ch < 32; ch++) { +- if (xtermMissingChar(ch, &fnts[fNorm])) { ++ if (xtermMissingChar(ch, &new_fonts[fNorm])) { + TRACE(("missing normal char #%d\n", ch)); + UIntClr(screen->fnt_boxes, 1); + break; + } +- if (xtermMissingChar(ch, &fnts[fBold])) { ++ if (xtermMissingChar(ch, &new_fonts[fBold])) { + TRACE(("missing bold char #%d\n", ch)); + UIntClr(screen->fnt_boxes, 1); + break; +@@ -1724,8 +1744,8 @@ xtermLoadFont(XtermWidget xw, + screen->enbolden = screen->bold_mode; + } else { + screen->enbolden = screen->bold_mode +- && ((fnts[fNorm].fs == fnts[fBold].fs) +- || same_font_name(myfonts.f_n, myfonts.f_b)); ++ && ((new_fonts[fNorm].fs == new_fonts[fBold].fs) ++ || same_font_name(new_fnames.f_n, new_fnames.f_b)); + } + TRACE(("Will %suse 1-pixel offset/overstrike to simulate bold\n", + screen->enbolden ? "" : "not ")); +@@ -1741,7 +1761,7 @@ xtermLoadFont(XtermWidget xw, + update_font_escape(); + } + #if OPT_SHIFT_FONTS +- screen->menu_font_sizes[fontnum] = FontSize(fnts[fNorm].fs); ++ screen->menu_font_sizes[fontnum] = FontSize(new_fonts[fNorm].fs); + #endif + } + set_cursor_gcs(xw); +@@ -1756,20 +1776,21 @@ xtermLoadFont(XtermWidget xw, + FREE_FNAME(f_w); + FREE_FNAME(f_wb); + #endif +- if (fnts[fNorm].fn == fnts[fBold].fn) { +- free(fnts[fNorm].fn); ++ if (new_fonts[fNorm].fn == new_fonts[fBold].fn) { ++ free(new_fonts[fNorm].fn); + } else { +- free(fnts[fNorm].fn); +- free(fnts[fBold].fn); ++ free(new_fonts[fNorm].fn); ++ free(new_fonts[fBold].fn); + } + #if OPT_WIDE_CHARS +- free(fnts[fWide].fn); +- free(fnts[fWBold].fn); ++ free(new_fonts[fWide].fn); ++ free(new_fonts[fWBold].fn); + #endif + xtermSetWinSize(xw); + return 1; + + bad: ++ recovered = False; + if (tmpname) + free(tmpname); + +@@ -1780,15 +1801,15 @@ xtermLoadFont(XtermWidget xw, + SetItemSensitivity(fontMenuEntries[fontnum].widget, True); + #endif + Bell(xw, XkbBI_MinorError, 0); +- myfonts.f_n = screen->MenuFontName(old_fontnum); +- return xtermLoadFont(xw, &myfonts, doresize, old_fontnum); +- } else if (x_strcasecmp(myfonts.f_n, DEFFONT)) { +- int code; +- +- myfonts.f_n = x_strdup(DEFFONT); +- TRACE(("...recovering for TrueType fonts\n")); +- code = xtermLoadFont(xw, &myfonts, doresize, fontnum); +- if (code) { ++ new_fnames.f_n = screen->MenuFontName(old_fontnum); ++ if (xtermLoadFont(xw, &new_fnames, doresize, old_fontnum)) ++ recovered = True; ++ } else if (x_strcasecmp(new_fnames.f_n, DEFFONT) ++ && x_strcasecmp(new_fnames.f_n, old_fonts[fNorm].fn)) { ++ new_fnames.f_n = x_strdup(old_fonts[fNorm].fn); ++ TRACE(("...recovering from failed font-load\n")); ++ if (xtermLoadFont(xw, &new_fnames, doresize, fontnum)) { ++ recovered = True; + if (fontnum != fontMenu_fontsel) { + SetItemSensitivity(fontMenuEntries[fontnum].widget, + UsingRenderFont(xw)); +@@ -1797,15 +1818,15 @@ xtermLoadFont(XtermWidget xw, + FontHeight(screen), + FontWidth(screen))); + } +- return code; + } + #endif +- +- releaseWindowGCs(xw, win); +- +- xtermCloseFonts(xw, fnts); +- TRACE(("Fail Cgs - xtermLoadFont\n")); +- return 0; ++ if (!recovered) { ++ releaseWindowGCs(xw, win); ++ xtermCloseFonts(xw, new_fonts); ++ TRACE(("Fail Cgs - xtermLoadFont\n")); ++ code = 0; ++ } ++ return code; + } + + #if OPT_WIDE_ATTRS +@@ -1853,7 +1874,7 @@ xtermLoadItalics(XtermWidget xw) + } else { + xtermOpenFont(xw, + getNormalFont(screen, n)->fn, +- data, False); ++ data, NULL, False); + } + } + } +@@ -4317,7 +4338,7 @@ lookupOneFontSize(XtermWidget xw, int fontnum) + + memset(&fnt, 0, sizeof(fnt)); + screen->menu_font_sizes[fontnum] = -1; +- if (xtermOpenFont(xw, screen->MenuFontName(fontnum), &fnt, True)) { ++ if (xtermOpenFont(xw, screen->MenuFontName(fontnum), &fnt, NULL, True)) { + if (fontnum <= fontMenu_lastBuiltin + || strcmp(fnt.fn, DEFFONT)) { + screen->menu_font_sizes[fontnum] = FontSize(fnt.fs); +@@ -4722,13 +4743,14 @@ HandleSetFont(Widget w GCC_UNUSED, + } + } + +-void ++Bool + SetVTFont(XtermWidget xw, + int which, + Bool doresize, + const VTFontNames * fonts) + { + TScreen *screen = TScreenOf(xw); ++ Bool result = False; + + TRACE(("SetVTFont(which=%d, f_n=%s, f_b=%s)\n", which, + (fonts && fonts->f_n) ? fonts->f_n : "<null>", +@@ -4737,34 +4759,31 @@ SetVTFont(XtermWidget xw, + if (IsIcon(screen)) { + Bell(xw, XkbBI_MinorError, 0); + } else if (which >= 0 && which < NMENUFONTS) { +- VTFontNames myfonts; ++ VTFontNames new_fnames; + +- memset(&myfonts, 0, sizeof(myfonts)); ++ memset(&new_fnames, 0, sizeof(new_fnames)); + if (fonts != 0) +- myfonts = *fonts; ++ new_fnames = *fonts; + + if (which == fontMenu_fontsel) { /* go get the selection */ +- FindFontSelection(xw, myfonts.f_n, False); ++ result = FindFontSelection(xw, new_fnames.f_n, False); + } else { +- int oldFont = screen->menu_font_number; +- + #define USE_CACHED(field, name) \ +- if (myfonts.field == 0) { \ +- myfonts.field = x_strdup(screen->menu_font_names[which][name]); \ +- TRACE(("set myfonts." #field " from menu_font_names[%d][" #name "] %s\n", \ +- which, NonNull(myfonts.field))); \ ++ if (new_fnames.field == NULL) { \ ++ new_fnames.field = x_strdup(screen->menu_font_names[which][name]); \ ++ TRACE(("set new_fnames." #field " from menu_font_names[%d][" #name "] %s\n", \ ++ which, NonNull(new_fnames.field))); \ + } else { \ +- TRACE(("set myfonts." #field " reused\n")); \ ++ TRACE(("set new_fnames." #field " reused\n")); \ + } + #define SAVE_FNAME(field, name) \ +- if (myfonts.field != 0) { \ +- if (screen->menu_font_names[which][name] == 0 \ +- || strcmp(screen->menu_font_names[which][name], myfonts.field)) { \ +- TRACE(("updating menu_font_names[%d][" #name "] to %s\n", \ +- which, myfonts.field)); \ +- FREE_STRING(screen->menu_font_names[which][name]); \ +- screen->menu_font_names[which][name] = x_strdup(myfonts.field); \ +- } \ ++ if (new_fnames.field != NULL \ ++ && (screen->menu_font_names[which][name] == NULL \ ++ || strcmp(screen->menu_font_names[which][name], new_fnames.field))) { \ ++ TRACE(("updating menu_font_names[%d][" #name "] to \"%s\"\n", \ ++ which, new_fnames.field)); \ ++ FREE_STRING(screen->menu_font_names[which][name]); \ ++ screen->menu_font_names[which][name] = x_strdup(new_fnames.field); \ + } + + USE_CACHED(f_n, fNorm); +@@ -4774,7 +4793,7 @@ SetVTFont(XtermWidget xw, + USE_CACHED(f_wb, fWBold); + #endif + if (xtermLoadFont(xw, +- &myfonts, ++ &new_fnames, + doresize, which)) { + /* + * If successful, save the data so that a subsequent query via +@@ -4786,10 +4805,8 @@ SetVTFont(XtermWidget xw, + SAVE_FNAME(f_w, fWide); + SAVE_FNAME(f_wb, fWBold); + #endif ++ result = True; + } else { +- (void) xtermLoadFont(xw, +- xtermFontName(screen->MenuFontName(oldFont)), +- doresize, oldFont); + Bell(xw, XkbBI_MinorError, 0); + } + FREE_FNAME(f_n); +@@ -4802,7 +4819,8 @@ SetVTFont(XtermWidget xw, + } else { + Bell(xw, XkbBI_MinorError, 0); + } +- return; ++ TRACE(("...SetVTFont: %d\n", result)); ++ return result; + } + + #if OPT_RENDERFONT +diff --git a/fontutils.h b/fontutils.h +index 9d530c5..ceaf44a 100644 +--- a/fontutils.h ++++ b/fontutils.h +@@ -37,7 +37,7 @@ + /* *INDENT-OFF* */ + + extern Bool xtermLoadDefaultFonts (XtermWidget /* xw */); +-extern Bool xtermOpenFont (XtermWidget /* xw */, const char */* name */, XTermFonts * /* result */, Bool /* force */); ++extern Bool xtermOpenFont (XtermWidget /* xw */, const char */* name */, XTermFonts * /* result */, XTermFonts * /* current */, Bool /* force */); + extern XTermFonts * getDoubleFont (TScreen * /* screen */, int /* which */); + extern XTermFonts * getItalicFont (TScreen * /* screen */, int /* which */); + extern XTermFonts * getNormalFont (TScreen * /* screen */, int /* which */); +@@ -50,7 +50,7 @@ extern int lookupRelativeFontSize (XtermWidget /* xw */, int /* old */, int /* r + extern int xtermGetFont (const char * /* param */); + extern int xtermLoadFont (XtermWidget /* xw */, const VTFontNames */* fonts */, Bool /* doresize */, int /* fontnum */); + extern void HandleSetFont PROTO_XT_ACTIONS_ARGS; +-extern void SetVTFont (XtermWidget /* xw */, int /* i */, Bool /* doresize */, const VTFontNames */* fonts */); ++extern Bool SetVTFont (XtermWidget /* xw */, int /* i */, Bool /* doresize */, const VTFontNames */* fonts */); + extern void allocFontList (XtermWidget /* xw */, const char * /* name */, XtermFontNames * /* target */, VTFontEnum /* which */, const char * /* source */, Bool /* ttf */); + extern void copyFontList (char *** /* targetp */, char ** /* source */); + extern void initFontLists (XtermWidget /* xw */); +diff --git a/misc.c b/misc.c +index cc323f8..6c5e938 100644 +--- a/misc.c ++++ b/misc.c +@@ -3787,9 +3787,9 @@ ChangeFontRequest(XtermWidget xw, String buf) + { + memset(&fonts, 0, sizeof(fonts)); + fonts.f_n = name; +- SetVTFont(xw, num, True, &fonts); +- if (num == screen->menu_font_number && +- num != fontMenu_fontescape) { ++ if (SetVTFont(xw, num, True, &fonts) ++ && num == screen->menu_font_number ++ && num != fontMenu_fontescape) { + screen->EscapeFontName() = x_strdup(name); + } + } +@@ -6237,7 +6237,6 @@ xtermSetenv(const char *var, const char *value) + + found = envindex; + environ[found + 1] = NULL; +- environ = environ; + } + + environ[found] = TextAlloc(1 + len + strlen(value)); +diff --git a/screen.c b/screen.c +index 690e3e2..f84254f 100644 +--- a/screen.c ++++ b/screen.c +@@ -1497,7 +1497,7 @@ ScrnRefresh(XtermWidget xw, + screen->topline, toprow, leftcol, + nrows, ncols, + force ? " force" : "")); +- ++ (void) recurse; + ++recurse; + + if (screen->cursorp.col >= leftcol +diff --git a/xterm.h b/xterm.h +index ec70e43..aa71f96 100644 +--- a/xterm.h ++++ b/xterm.h +@@ -967,7 +967,7 @@ extern Bool CheckBufPtrs (TScreen * /* screen */); + extern Bool set_cursor_gcs (XtermWidget /* xw */); + extern char * vt100ResourceToString (XtermWidget /* xw */, const char * /* name */); + extern int VTInit (XtermWidget /* xw */); +-extern void FindFontSelection (XtermWidget /* xw */, const char * /* atom_name */, Bool /* justprobe */); ++extern Bool FindFontSelection (XtermWidget /* xw */, const char * /* atom_name */, Bool /* justprobe */); + extern void HideCursor (void); + extern void RestartBlinking(XtermWidget /* xw */); + extern void ShowCursor (void); +diff --git a/xterm.log.html b/xterm.log.html +index 47d590b..e27dc31 100644 +--- a/xterm.log.html ++++ b/xterm.log.html +@@ -991,6 +991,12 @@ + 2020/02/01</a></h1> + + <ul> ++ <li>improve error-recovery when setting a bitmap font for the ++ VT100 window, e.g., in case <em>OSC 50</em> failed, ++ restoring the most recent valid font so that a subsequent ++ <em>OSC 50</em> reports this correctly (report by David ++ Leadbeater).</li> ++ + <li>amend change in <a href="#xterm_352">patch #352</a> for + button-events to fix a case where some followup events were not + processed soon enough (report/patch by Jimmy Aguilar +-- +2.24.4 + diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb index 264320212c..4e2b0c9d53 100644 --- a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb +++ b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb @@ -7,8 +7,9 @@ LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b1 SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \ file://0001-Add-configure-time-check-for-setsid.patch \ file://CVE-2021-27135.patch \ + file://CVE-2022-24130.patch \ + file://CVE-2022-45063.patch \ " - SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f" SRC_URI[sha256sum] = "e521d3ee9def61f5d5c911afc74dd5c3a56ce147c7071c74023ea24cac9bb768" PACKAGECONFIG ?= "" diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc index 589bb90e6e..ff1b9ec875 100644 --- a/meta-oe/recipes-printing/cups/cups-filters.inc +++ b/meta-oe/recipes-printing/cups/cups-filters.inc @@ -7,7 +7,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=516215fd57564996d70327db19b368ff" SECTION = "console/utils" DEPENDS = "cups glib-2.0 glib-2.0-native dbus dbus-glib lcms ghostscript poppler qpdf libpng" -DEPENDS_class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-native gettext-native libpng-native" SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz" @@ -23,13 +22,6 @@ EXTRA_OECONF += " --enable-ghostscript --disable-ldap \ --with-rcdir=no \ --without-php" -EXTRA_OECONF_class-native += " --with-pdftops=pdftops \ - --disable-avahi --disable-ghostscript \ - --disable-ldap \ - --with-png --without-jpeg --without-tiff" - -BBCLASSEXTEND = "native" - PACKAGECONFIG[jpeg] = "--with-jpeg,--without-jpeg,jpeg" PACKAGECONFIG[png] = "--with-png,--without-png,libpng" PACKAGECONFIG[tiff] = "--with-tiff,--without-tiff,tiff" diff --git a/meta-oe/recipes-support/anthy/anthy_9100h.bb b/meta-oe/recipes-support/anthy/anthy_9100h.bb index a65d324eae..b464c00003 100644 --- a/meta-oe/recipes-support/anthy/anthy_9100h.bb +++ b/meta-oe/recipes-support/anthy/anthy_9100h.bb @@ -10,8 +10,8 @@ SRC_URI = "http://osdn.dl.sourceforge.jp/anthy/37536/anthy-9100h.tar.gz \ file://2ch_t.patch \ " -SRC_URI_append_class-target = "file://target-helpers.patch" -SRC_URI_append_class-native = "file://native-helpers.patch" +SRC_URI_append_class-target = " file://target-helpers.patch" +SRC_URI_append_class-native = " file://native-helpers.patch" SRC_URI[md5sum] = "1f558ff7ed296787b55bb1c6cf131108" SRC_URI[sha256sum] = "d256f075f018b4a3cb0d165ed6151fda4ba7db1621727e0eb54569b6e2275547" diff --git a/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch b/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch deleted file mode 100644 index 8f15f8424c..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch +++ /dev/null @@ -1,27 +0,0 @@ -From f2f1e134bf5d9d0789942848e03006af8d926cf8 Mon Sep 17 00:00:00 2001 -From: Wang Mingyu <wangmy@cn.fujitsu.com> -Date: Tue, 17 Mar 2020 12:53:35 +0800 -Subject: [PATCH] fix configure error : mv libcares.pc.cmakein to - libcares.pc.cmake - -Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> ---- - CMakeLists.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 3a5878d..c2e5740 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -563,7 +563,7 @@ IF (CARES_STATIC) - ENDIF() - - # Write ares_config.h configuration file. This is used only for the build. --CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) -+CONFIGURE_FILE (libcares.pc.cmake ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) - - - --- -2.17.1 - diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch new file mode 100644 index 0000000000..fb0aee372f --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch @@ -0,0 +1,67 @@ +From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001 +From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> +Date: Wed, 18 Jan 2023 22:14:26 +0800 +Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow + (#497) + +In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse +the input str and initialize a sortlist configuration. + +However, ares_set_sortlist has not any checks about the validity of the input str. +It is very easy to create an arbitrary length stack overflow with the unchecked +`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` +statements in the config_sortlist call, which could potentially cause severe +security impact in practical programs. + +This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the +potential stack overflows. + +fixes #496 + +Fix By: @hopper-vul + +CVE: CVE-2022-4904 +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/lib/ares_init.c | 4 ++++ + test/ares-test-init.cc | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index 51668a5c..3f9cec65 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -1913,6 +1913,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -1921,6 +1923,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc +index 63c6a228..ee845181 100644 +--- a/test/ares-test-init.cc ++++ b/test/ares-test-init.cc +@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) { + + TEST_F(DefaultChannelTest, SetSortlistFailures) { + EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); + } diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch new file mode 100644 index 0000000000..603d2687d5 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch @@ -0,0 +1,329 @@ +From f22cc01039b6473b736d3bf438f56a2654cdf2b2 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:34 -0400 +Subject: [PATCH] Merge pull request from GHSA-x6mf-cxr9-8q6v + +* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares. +* Always use our own IP conversion functions now, do not delegate to OS + so we can have consistency in testing and fuzzing. +* Removed bogus test cases that never should have passed. +* Add new test case for crash bug found. + +Fix By: Brad House (@bradh352) + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2] +CVE: CVE-2023-31130 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lib/inet_net_pton.c | 155 ++++++++++++++++++++----------------- + test/ares-test-internal.cc | 7 +- + 2 files changed, 86 insertions(+), 76 deletions(-) + +diff --git a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c +index 840de506..fc50425b 100644 +--- a/src/lib/inet_net_pton.c ++++ b/src/lib/inet_net_pton.c +@@ -1,19 +1,20 @@ + + /* +- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2012 by Gilles Chehade <gilles@openbsd.org> + * Copyright (c) 1996,1999 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * +- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES +- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR +- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS ++ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE ++ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL ++ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR ++ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ++ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS ++ * SOFTWARE. + */ + + #include "ares_setup.h" +@@ -35,9 +36,6 @@ + + const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }; + +- +-#ifndef HAVE_INET_NET_PTON +- + /* + * static int + * inet_net_pton_ipv4(src, dst, size) +@@ -60,7 +58,7 @@ const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0, + * Paul Vixie (ISC), June 1996 + */ + static int +-inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size) ++ares_inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size) + { + static const char xdigits[] = "0123456789abcdef"; + static const char digits[] = "0123456789"; +@@ -261,19 +259,14 @@ getv4(const char *src, unsigned char *dst, int *bitsp) + } + + static int +-inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) ++ares_inet_pton6(const char *src, unsigned char *dst) + { + static const char xdigits_l[] = "0123456789abcdef", +- xdigits_u[] = "0123456789ABCDEF"; ++ xdigits_u[] = "0123456789ABCDEF"; + unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; + const char *xdigits, *curtok; +- int ch, saw_xdigit; ++ int ch, saw_xdigit, count_xdigit; + unsigned int val; +- int digits; +- int bits; +- size_t bytes; +- int words; +- int ipv4; + + memset((tp = tmp), '\0', NS_IN6ADDRSZ); + endp = tp + NS_IN6ADDRSZ; +@@ -283,22 +276,22 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + if (*++src != ':') + goto enoent; + curtok = src; +- saw_xdigit = 0; ++ saw_xdigit = count_xdigit = 0; + val = 0; +- digits = 0; +- bits = -1; +- ipv4 = 0; + while ((ch = *src++) != '\0') { + const char *pch; + + if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL) + pch = strchr((xdigits = xdigits_u), ch); + if (pch != NULL) { ++ if (count_xdigit >= 4) ++ goto enoent; + val <<= 4; +- val |= aresx_sztoui(pch - xdigits); +- if (++digits > 4) ++ val |= (pch - xdigits); ++ if (val > 0xffff) + goto enoent; + saw_xdigit = 1; ++ count_xdigit++; + continue; + } + if (ch == ':') { +@@ -308,78 +301,107 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + goto enoent; + colonp = tp; + continue; +- } else if (*src == '\0') ++ } else if (*src == '\0') { + goto enoent; ++ } + if (tp + NS_INT16SZ > endp) +- return (0); +- *tp++ = (unsigned char)((val >> 8) & 0xff); +- *tp++ = (unsigned char)(val & 0xff); ++ goto enoent; ++ *tp++ = (unsigned char) (val >> 8) & 0xff; ++ *tp++ = (unsigned char) val & 0xff; + saw_xdigit = 0; +- digits = 0; ++ count_xdigit = 0; + val = 0; + continue; + } + if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && +- getv4(curtok, tp, &bits) > 0) { +- tp += NS_INADDRSZ; ++ ares_inet_net_pton_ipv4(curtok, tp, INADDRSZ) > 0) { ++ tp += INADDRSZ; + saw_xdigit = 0; +- ipv4 = 1; ++ count_xdigit = 0; + break; /* '\0' was seen by inet_pton4(). */ + } +- if (ch == '/' && getbits(src, &bits) > 0) +- break; + goto enoent; + } + if (saw_xdigit) { + if (tp + NS_INT16SZ > endp) + goto enoent; +- *tp++ = (unsigned char)((val >> 8) & 0xff); +- *tp++ = (unsigned char)(val & 0xff); ++ *tp++ = (unsigned char) (val >> 8) & 0xff; ++ *tp++ = (unsigned char) val & 0xff; + } +- if (bits == -1) +- bits = 128; +- +- words = (bits + 15) / 16; +- if (words < 2) +- words = 2; +- if (ipv4) +- words = 8; +- endp = tmp + 2 * words; +- + if (colonp != NULL) { + /* + * Since some memmove()'s erroneously fail to handle + * overlapping regions, we'll do the shift by hand. + */ +- const ares_ssize_t n = tp - colonp; +- ares_ssize_t i; ++ const int n = tp - colonp; ++ int i; + + if (tp == endp) + goto enoent; + for (i = 1; i <= n; i++) { +- *(endp - i) = *(colonp + n - i); +- *(colonp + n - i) = 0; ++ endp[- i] = colonp[n - i]; ++ colonp[n - i] = 0; + } + tp = endp; + } + if (tp != endp) + goto enoent; + +- bytes = (bits + 7) / 8; +- if (bytes > size) +- goto emsgsize; +- memcpy(dst, tmp, bytes); +- return (bits); ++ memcpy(dst, tmp, NS_IN6ADDRSZ); ++ return (1); + +- enoent: ++enoent: + SET_ERRNO(ENOENT); + return (-1); + +- emsgsize: ++emsgsize: + SET_ERRNO(EMSGSIZE); + return (-1); + } + ++static int ++ares_inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) ++{ ++ struct ares_in6_addr in6; ++ int ret; ++ int bits; ++ size_t bytes; ++ char buf[INET6_ADDRSTRLEN + sizeof("/128")]; ++ char *sep; ++ const char *errstr; ++ ++ if (strlen(src) >= sizeof buf) { ++ SET_ERRNO(EMSGSIZE); ++ return (-1); ++ } ++ strncpy(buf, src, sizeof buf); ++ ++ sep = strchr(buf, '/'); ++ if (sep != NULL) ++ *sep++ = '\0'; ++ ++ ret = ares_inet_pton6(buf, (unsigned char *)&in6); ++ if (ret != 1) ++ return (-1); ++ ++ if (sep == NULL) ++ bits = 128; ++ else { ++ if (!getbits(sep, &bits)) { ++ SET_ERRNO(ENOENT); ++ return (-1); ++ } ++ } ++ ++ bytes = (bits + 7) / 8; ++ if (bytes > size) { ++ SET_ERRNO(EMSGSIZE); ++ return (-1); ++ } ++ memcpy(dst, &in6, bytes); ++ return (bits); ++} ++ + /* + * int + * inet_net_pton(af, src, dst, size) +@@ -403,18 +425,15 @@ ares_inet_net_pton(int af, const char *src, void *dst, size_t size) + { + switch (af) { + case AF_INET: +- return (inet_net_pton_ipv4(src, dst, size)); ++ return (ares_inet_net_pton_ipv4(src, dst, size)); + case AF_INET6: +- return (inet_net_pton_ipv6(src, dst, size)); ++ return (ares_inet_net_pton_ipv6(src, dst, size)); + default: + SET_ERRNO(EAFNOSUPPORT); + return (-1); + } + } + +-#endif /* HAVE_INET_NET_PTON */ +- +-#ifndef HAVE_INET_PTON + int ares_inet_pton(int af, const char *src, void *dst) + { + int result; +@@ -434,11 +453,3 @@ int ares_inet_pton(int af, const char *src, void *dst) + return 0; + return (result > -1 ? 1 : -1); + } +-#else /* HAVE_INET_PTON */ +-int ares_inet_pton(int af, const char *src, void *dst) +-{ +- /* just relay this to the underlying function */ +- return inet_pton(af, src, dst); +-} +- +-#endif +diff --git a/test/ares-test-internal.cc b/test/ares-test-internal.cc +index 96d4edec..161f0a5c 100644 +--- a/test/ares-test-internal.cc ++++ b/test/ares-test-internal.cc +@@ -81,6 +81,7 @@ TEST_F(LibraryTest, InetPtoN) { + EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "12:34::ff/0", &a6, sizeof(a6))); + EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "12:34::ffff:0.2", &a6, sizeof(a6))); + EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6))); ++ EXPECT_EQ(2, ares_inet_net_pton(AF_INET6, "0::00:00:00/2", &a6, sizeof(a6))); + + // Various malformed versions + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET, "", &a4, sizeof(a4))); +@@ -118,11 +119,9 @@ TEST_F(LibraryTest, InetPtoN) { + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234:", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678", &a6, sizeof(a6))); +- // TODO(drysdale): check whether the next two tests should give -1. +- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6))); +- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6))); ++ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6))); ++ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:257.2.3.4", &a6, sizeof(a6))); +- EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:002.2.3.4", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5.6", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.z", &a6, sizeof(a6))); +-- +2.25.1 + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch new file mode 100644 index 0000000000..ba17721a58 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch @@ -0,0 +1,717 @@ +From 823df3b989e59465d17b0a2eb1239a5fc048b4e5 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:06 -0400 +Subject: [PATCH] Merge pull request from GHSA-8r8p-23f3-64c2 + +* segment random number generation into own file + +* abstract random code to make it more modular so we can have multiple backends + +* rand: add support for arc4random_buf() and also direct CARES_RANDOM_FILE reading + +* autotools: fix detection of arc4random_buf + +* rework initial rc4 seed for PRNG as last fallback + +* rc4: more proper implementation, simplified for clarity + +* clarifications + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/823df3b989e59465d17b0a2eb1239a5fc048b4e5] +CVE: CVE-2023-31147 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + CMakeLists.txt | 2 + + configure.ac | 1 + + m4/cares-functions.m4 | 85 +++++++++++ + src/lib/Makefile.inc | 1 + + src/lib/ares_config.h.cmake | 3 + + src/lib/ares_destroy.c | 3 + + src/lib/ares_init.c | 82 ++--------- + src/lib/ares_private.h | 19 ++- + src/lib/ares_query.c | 36 +---- + src/lib/ares_rand.c | 274 ++++++++++++++++++++++++++++++++++++ + 10 files changed, 387 insertions(+), 119 deletions(-) + create mode 100644 src/lib/ares_rand.c + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 194485a3..1fb9af55 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -386,6 +386,8 @@ CHECK_SYMBOL_EXISTS (strncasecmp "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNCAS + CHECK_SYMBOL_EXISTS (strncmpi "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNCMPI) + CHECK_SYMBOL_EXISTS (strnicmp "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNICMP) + CHECK_SYMBOL_EXISTS (writev "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_WRITEV) ++CHECK_SYMBOL_EXISTS (arc4random_buf "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_ARC4RANDOM_BUF) ++ + + # On Android, the system headers may define __system_property_get(), but excluded + # from libc. We need to perform a link test instead of a header/symbol test. +diff --git a/configure.ac b/configure.ac +index 1d0fb5ce..9a763696 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -683,6 +683,7 @@ CARES_CHECK_FUNC_STRNCASECMP + CARES_CHECK_FUNC_STRNCMPI + CARES_CHECK_FUNC_STRNICMP + CARES_CHECK_FUNC_WRITEV ++CARES_CHECK_FUNC_ARC4RANDOM_BUF + + + dnl check for AF_INET6 +diff --git a/m4/cares-functions.m4 b/m4/cares-functions.m4 +index 0f3992c7..d4f4f994 100644 +--- a/m4/cares-functions.m4 ++++ b/m4/cares-functions.m4 +@@ -3753,3 +3753,88 @@ AC_DEFUN([CARES_CHECK_FUNC_WRITEV], [ + ac_cv_func_writev="no" + fi + ]) ++ ++dnl CARES_CHECK_FUNC_ARC4RANDOM_BUF ++dnl ------------------------------------------------- ++dnl Verify if arc4random_buf is available, prototyped, and ++dnl can be compiled. If all of these are true, and ++dnl usage has not been previously disallowed with ++dnl shell variable cares_disallow_arc4random_buf, then ++dnl HAVE_ARC4RANDOM_BUF will be defined. ++ ++AC_DEFUN([CARES_CHECK_FUNC_ARC4RANDOM_BUF], [ ++ AC_REQUIRE([CARES_INCLUDES_STDLIB])dnl ++ # ++ tst_links_arc4random_buf="unknown" ++ tst_proto_arc4random_buf="unknown" ++ tst_compi_arc4random_buf="unknown" ++ tst_allow_arc4random_buf="unknown" ++ # ++ AC_MSG_CHECKING([if arc4random_buf can be linked]) ++ AC_LINK_IFELSE([ ++ AC_LANG_FUNC_LINK_TRY([arc4random_buf]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_links_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_links_arc4random_buf="no" ++ ]) ++ # ++ if test "$tst_links_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf is prototyped]) ++ AC_EGREP_CPP([arc4random_buf],[ ++ $cares_includes_stdlib ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_proto_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_proto_arc4random_buf="no" ++ ]) ++ fi ++ # ++ if test "$tst_proto_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf is compilable]) ++ AC_COMPILE_IFELSE([ ++ AC_LANG_PROGRAM([[ ++ $cares_includes_stdlib ++ ]],[[ ++ arc4random_buf(NULL, 0); ++ return 1; ++ ]]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_compi_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_compi_arc4random_buf="no" ++ ]) ++ fi ++ # ++ if test "$tst_compi_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf usage allowed]) ++ if test "x$cares_disallow_arc4random_buf" != "xyes"; then ++ AC_MSG_RESULT([yes]) ++ tst_allow_arc4random_buf="yes" ++ else ++ AC_MSG_RESULT([no]) ++ tst_allow_arc4random_buf="no" ++ fi ++ fi ++ # ++ AC_MSG_CHECKING([if arc4random_buf might be used]) ++ if test "$tst_links_arc4random_buf" = "yes" && ++ test "$tst_proto_arc4random_buf" = "yes" && ++ test "$tst_compi_arc4random_buf" = "yes" && ++ test "$tst_allow_arc4random_buf" = "yes"; then ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE_UNQUOTED(HAVE_ARC4RANDOM_BUF, 1, ++ [Define to 1 if you have the arc4random_buf function.]) ++ ac_cv_func_arc4random_buf="yes" ++ else ++ AC_MSG_RESULT([no]) ++ ac_cv_func_arc4random_buf="no" ++ fi ++]) ++ +diff --git a/src/lib/Makefile.inc b/src/lib/Makefile.inc +index a3b060c2..72a7673c 100644 +--- a/src/lib/Makefile.inc ++++ b/src/lib/Makefile.inc +@@ -45,6 +45,7 @@ CSOURCES = ares__addrinfo2hostent.c \ + ares_platform.c \ + ares_process.c \ + ares_query.c \ ++ ares_rand.c \ + ares_search.c \ + ares_send.c \ + ares_strcasecmp.c \ +diff --git a/src/lib/ares_config.h.cmake b/src/lib/ares_config.h.cmake +index fddb7853..798820a3 100644 +--- a/src/lib/ares_config.h.cmake ++++ b/src/lib/ares_config.h.cmake +@@ -346,6 +346,9 @@ + /* Define to 1 if you need the memory.h header file even with stdlib.h */ + #cmakedefine NEED_MEMORY_H + ++/* Define if have arc4random_buf() */ ++#cmakedefine HAVE_ARC4RANDOM_BUF ++ + /* a suitable file/device to read random data from */ + #cmakedefine CARES_RANDOM_FILE "@CARES_RANDOM_FILE@" + +diff --git a/src/lib/ares_destroy.c b/src/lib/ares_destroy.c +index fed2009a..0447af4c 100644 +--- a/src/lib/ares_destroy.c ++++ b/src/lib/ares_destroy.c +@@ -90,6 +90,9 @@ void ares_destroy(ares_channel channel) + if (channel->resolvconf_path) + ares_free(channel->resolvconf_path); + ++ if (channel->rand_state) ++ ares__destroy_rand_state(channel->rand_state); ++ + ares_free(channel); + } + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index de5d86c9..2607ed6f 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -72,7 +72,6 @@ static int config_nameserver(struct server_state **servers, int *nservers, + static int set_search(ares_channel channel, const char *str); + static int set_options(ares_channel channel, const char *str); + static const char *try_option(const char *p, const char *q, const char *opt); +-static int init_id_key(rc4_key* key,int key_data_len); + + static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str); +@@ -149,6 +148,7 @@ int ares_init_options(ares_channel *channelptr, struct ares_options *options, + channel->sock_funcs = NULL; + channel->sock_func_cb_data = NULL; + channel->resolvconf_path = NULL; ++ channel->rand_state = NULL; + + channel->last_server = 0; + channel->last_timeout_processed = (time_t)now.tv_sec; +@@ -202,9 +202,13 @@ int ares_init_options(ares_channel *channelptr, struct ares_options *options, + /* Generate random key */ + + if (status == ARES_SUCCESS) { +- status = init_id_key(&channel->id_key, ARES_ID_KEY_LEN); ++ channel->rand_state = ares__init_rand_state(); ++ if (channel->rand_state == NULL) { ++ status = ARES_ENOMEM; ++ } ++ + if (status == ARES_SUCCESS) +- channel->next_id = ares__generate_new_id(&channel->id_key); ++ channel->next_id = ares__generate_new_id(channel->rand_state); + else + DEBUGF(fprintf(stderr, "Error: init_id_key failed: %s\n", + ares_strerror(status))); +@@ -224,6 +228,8 @@ done: + ares_free(channel->lookups); + if(channel->resolvconf_path) + ares_free(channel->resolvconf_path); ++ if (channel->rand_state) ++ ares__destroy_rand_state(channel->rand_state); + ares_free(channel); + return status; + } +@@ -2495,76 +2501,6 @@ static int sortlist_alloc(struct apattern **sortlist, int *nsort, + return 1; + } + +-/* initialize an rc4 key. If possible a cryptographically secure random key +- is generated using a suitable function (for example win32's RtlGenRandom as +- described in +- http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx +- otherwise the code defaults to cross-platform albeit less secure mechanism +- using rand +-*/ +-static void randomize_key(unsigned char* key,int key_data_len) +-{ +- int randomized = 0; +- int counter=0; +-#ifdef WIN32 +- BOOLEAN res; +- if (ares_fpSystemFunction036) +- { +- res = (*ares_fpSystemFunction036) (key, key_data_len); +- if (res) +- randomized = 1; +- } +-#else /* !WIN32 */ +-#ifdef CARES_RANDOM_FILE +- FILE *f = fopen(CARES_RANDOM_FILE, "rb"); +- if(f) { +- setvbuf(f, NULL, _IONBF, 0); +- counter = aresx_uztosi(fread(key, 1, key_data_len, f)); +- fclose(f); +- } +-#endif +-#endif /* WIN32 */ +- +- if (!randomized) { +- for (;counter<key_data_len;counter++) +- key[counter]=(unsigned char)(rand() % 256); /* LCOV_EXCL_LINE */ +- } +-} +- +-static int init_id_key(rc4_key* key,int key_data_len) +-{ +- unsigned char index1; +- unsigned char index2; +- unsigned char* state; +- short counter; +- unsigned char *key_data_ptr = 0; +- +- key_data_ptr = ares_malloc(key_data_len); +- if (!key_data_ptr) +- return ARES_ENOMEM; +- memset(key_data_ptr, 0, key_data_len); +- +- state = &key->state[0]; +- for(counter = 0; counter < 256; counter++) +- /* unnecessary AND but it keeps some compilers happier */ +- state[counter] = (unsigned char)(counter & 0xff); +- randomize_key(key->state,key_data_len); +- key->x = 0; +- key->y = 0; +- index1 = 0; +- index2 = 0; +- for(counter = 0; counter < 256; counter++) +- { +- index2 = (unsigned char)((key_data_ptr[index1] + state[counter] + +- index2) % 256); +- ARES_SWAP_BYTE(&state[counter], &state[index2]); +- +- index1 = (unsigned char)((index1 + 1) % key_data_len); +- } +- ares_free(key_data_ptr); +- return ARES_SUCCESS; +-} +- + void ares_set_local_ip4(ares_channel channel, unsigned int local_ip) + { + channel->local_ip4 = local_ip; +diff --git a/src/lib/ares_private.h b/src/lib/ares_private.h +index 60d69e08..518b5c33 100644 +--- a/src/lib/ares_private.h ++++ b/src/lib/ares_private.h +@@ -101,8 +101,6 @@ W32_FUNC const char *_w32_GetHostsFile (void); + + #endif + +-#define ARES_ID_KEY_LEN 31 +- + #include "ares_ipv6.h" + #include "ares_llist.h" + +@@ -262,12 +260,8 @@ struct apattern { + unsigned short type; + }; + +-typedef struct rc4_key +-{ +- unsigned char state[256]; +- unsigned char x; +- unsigned char y; +-} rc4_key; ++struct ares_rand_state; ++typedef struct ares_rand_state ares_rand_state; + + struct ares_channeldata { + /* Configuration data */ +@@ -302,8 +296,8 @@ struct ares_channeldata { + + /* ID to use for next query */ + unsigned short next_id; +- /* key to use when generating new ids */ +- rc4_key id_key; ++ /* random state to use when generating new ids */ ++ ares_rand_state *rand_state; + + /* Generation number to use for the next TCP socket open/close */ + int tcp_connection_generation; +@@ -359,7 +353,10 @@ void ares__close_sockets(ares_channel channel, struct server_state *server); + int ares__get_hostent(FILE *fp, int family, struct hostent **host); + int ares__read_line(FILE *fp, char **buf, size_t *bufsize); + void ares__free_query(struct query *query); +-unsigned short ares__generate_new_id(rc4_key* key); ++ ++ares_rand_state *ares__init_rand_state(void); ++void ares__destroy_rand_state(ares_rand_state *state); ++unsigned short ares__generate_new_id(ares_rand_state *state); + struct timeval ares__tvnow(void); + int ares__expand_name_validated(const unsigned char *encoded, + const unsigned char *abuf, +diff --git a/src/lib/ares_query.c b/src/lib/ares_query.c +index 508274db..42323bec 100644 +--- a/src/lib/ares_query.c ++++ b/src/lib/ares_query.c +@@ -33,32 +33,6 @@ struct qquery { + + static void qcallback(void *arg, int status, int timeouts, unsigned char *abuf, int alen); + +-static void rc4(rc4_key* key, unsigned char *buffer_ptr, int buffer_len) +-{ +- unsigned char x; +- unsigned char y; +- unsigned char* state; +- unsigned char xorIndex; +- int counter; +- +- x = key->x; +- y = key->y; +- +- state = &key->state[0]; +- for(counter = 0; counter < buffer_len; counter ++) +- { +- x = (unsigned char)((x + 1) % 256); +- y = (unsigned char)((state[x] + y) % 256); +- ARES_SWAP_BYTE(&state[x], &state[y]); +- +- xorIndex = (unsigned char)((state[x] + state[y]) % 256); +- +- buffer_ptr[counter] = (unsigned char)(buffer_ptr[counter]^state[xorIndex]); +- } +- key->x = x; +- key->y = y; +-} +- + static struct query* find_query_by_id(ares_channel channel, unsigned short id) + { + unsigned short qid; +@@ -78,7 +52,6 @@ static struct query* find_query_by_id(ares_channel channel, unsigned short id) + return NULL; + } + +- + /* a unique query id is generated using an rc4 key. Since the id may already + be used by a running query (as infrequent as it may be), a lookup is + performed per id generation. In practice this search should happen only +@@ -89,19 +62,12 @@ static unsigned short generate_unique_id(ares_channel channel) + unsigned short id; + + do { +- id = ares__generate_new_id(&channel->id_key); ++ id = ares__generate_new_id(channel->rand_state); + } while (find_query_by_id(channel, id)); + + return (unsigned short)id; + } + +-unsigned short ares__generate_new_id(rc4_key* key) +-{ +- unsigned short r=0; +- rc4(key, (unsigned char *)&r, sizeof(r)); +- return r; +-} +- + void ares_query(ares_channel channel, const char *name, int dnsclass, + int type, ares_callback callback, void *arg) + { +diff --git a/src/lib/ares_rand.c b/src/lib/ares_rand.c +new file mode 100644 +index 00000000..a564bc23 +--- /dev/null ++++ b/src/lib/ares_rand.c +@@ -0,0 +1,274 @@ ++/* Copyright 1998 by the Massachusetts Institute of Technology. ++ * Copyright (C) 2007-2013 by Daniel Stenberg ++ * ++ * Permission to use, copy, modify, and distribute this ++ * software and its documentation for any purpose and without ++ * fee is hereby granted, provided that the above copyright ++ * notice appear in all copies and that both that copyright ++ * notice and this permission notice appear in supporting ++ * documentation, and that the name of M.I.T. not be used in ++ * advertising or publicity pertaining to distribution of the ++ * software without specific, written prior permission. ++ * M.I.T. makes no representations about the suitability of ++ * this software for any purpose. It is provided "as is" ++ * without express or implied warranty. ++ */ ++ ++#include "ares_setup.h" ++#include "ares.h" ++#include "ares_private.h" ++#include "ares_nowarn.h" ++#include <stdlib.h> ++ ++typedef enum { ++ ARES_RAND_OS = 1, /* OS-provided such as RtlGenRandom or arc4random */ ++ ARES_RAND_FILE = 2, /* OS file-backed random number generator */ ++ ARES_RAND_RC4 = 3 /* Internal RC4 based PRNG */ ++} ares_rand_backend; ++ ++typedef struct ares_rand_rc4 ++{ ++ unsigned char S[256]; ++ size_t i; ++ size_t j; ++} ares_rand_rc4; ++ ++struct ares_rand_state ++{ ++ ares_rand_backend type; ++ union { ++ FILE *rand_file; ++ ares_rand_rc4 rc4; ++ } state; ++}; ++ ++ ++/* Define RtlGenRandom = SystemFunction036. This is in advapi32.dll. There is ++ * no need to dynamically load this, other software used widely does not. ++ * http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx ++ * https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtlgenrandom ++ */ ++#ifdef _WIN32 ++BOOLEAN WINAPI SystemFunction036(PVOID RandomBuffer, ULONG RandomBufferLength); ++# ifndef RtlGenRandom ++# define RtlGenRandom(a,b) SystemFunction036(a,b) ++# endif ++#endif ++ ++ ++#define ARES_RC4_KEY_LEN 32 /* 256 bits */ ++ ++static unsigned int ares_u32_from_ptr(void *addr) ++{ ++ if (sizeof(void *) == 8) { ++ return (unsigned int)((((size_t)addr >> 32) & 0xFFFFFFFF) | ((size_t)addr & 0xFFFFFFFF)); ++ } ++ return (unsigned int)((size_t)addr & 0xFFFFFFFF); ++} ++ ++ ++/* initialize an rc4 key as the last possible fallback. */ ++static void ares_rc4_generate_key(ares_rand_rc4 *rc4_state, unsigned char *key, size_t key_len) ++{ ++ size_t i; ++ size_t len = 0; ++ unsigned int data; ++ struct timeval tv; ++ ++ if (key_len != ARES_RC4_KEY_LEN) ++ return; ++ ++ /* Randomness is hard to come by. Maybe the system randomizes heap and stack addresses. ++ * Maybe the current timestamp give us some randomness. ++ * Use rc4_state (heap), &i (stack), and ares__tvnow() ++ */ ++ data = ares_u32_from_ptr(rc4_state); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ data = ares_u32_from_ptr(&i); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ tv = ares__tvnow(); ++ data = (unsigned int)((tv.tv_sec | tv.tv_usec) & 0xFFFFFFFF); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ srand(ares_u32_from_ptr(rc4_state) | ares_u32_from_ptr(&i) | (unsigned int)((tv.tv_sec | tv.tv_usec) & 0xFFFFFFFF)); ++ ++ for (i=len; i<key_len; i++) { ++ key[i]=(unsigned char)(rand() % 256); /* LCOV_EXCL_LINE */ ++ } ++} ++ ++ ++static void ares_rc4_init(ares_rand_rc4 *rc4_state) ++{ ++ unsigned char key[ARES_RC4_KEY_LEN]; ++ size_t i; ++ size_t j; ++ ++ ares_rc4_generate_key(rc4_state, key, sizeof(key)); ++ ++ for (i = 0; i < sizeof(rc4_state->S); i++) { ++ rc4_state->S[i] = i & 0xFF; ++ } ++ ++ for(i = 0, j = 0; i < 256; i++) { ++ j = (j + rc4_state->S[i] + key[i % sizeof(key)]) % 256; ++ ARES_SWAP_BYTE(&rc4_state->S[i], &rc4_state->S[j]); ++ } ++ ++ rc4_state->i = 0; ++ rc4_state->j = 0; ++} ++ ++/* Just outputs the key schedule, no need to XOR with any data since we have none */ ++static void ares_rc4_prng(ares_rand_rc4 *rc4_state, unsigned char *buf, int len) ++{ ++ unsigned char *S = rc4_state->S; ++ size_t i = rc4_state->i; ++ size_t j = rc4_state->j; ++ size_t cnt; ++ ++ for (cnt=0; cnt<len; cnt++) { ++ i = (i + 1) % 256; ++ j = (j + S[i]) % 256; ++ ++ ARES_SWAP_BYTE(&S[i], &S[j]); ++ buf[cnt] = S[(S[i] + S[j]) % 256]; ++ } ++ ++ rc4_state->i = i; ++ rc4_state->j = j; ++} ++ ++ ++static int ares__init_rand_engine(ares_rand_state *state) ++{ ++ memset(state, 0, sizeof(*state)); ++ ++#if defined(HAVE_ARC4RANDOM_BUF) || defined(_WIN32) ++ state->type = ARES_RAND_OS; ++ return 1; ++#elif defined(CARES_RANDOM_FILE) ++ state->type = ARES_RAND_FILE; ++ state->state.rand_file = fopen(CARES_RANDOM_FILE, "rb"); ++ if (state->state.rand_file) { ++ setvbuf(state->state.rand_file, NULL, _IONBF, 0); ++ return 1; ++ } ++ /* Fall-Thru on failure to RC4 */ ++#endif ++ ++ state->type = ARES_RAND_RC4; ++ ares_rc4_init(&state->state.rc4); ++ ++ /* Currently cannot fail */ ++ return 1; ++} ++ ++ ++ares_rand_state *ares__init_rand_state() ++{ ++ ares_rand_state *state = NULL; ++ ++ state = ares_malloc(sizeof(*state)); ++ if (!state) ++ return NULL; ++ ++ if (!ares__init_rand_engine(state)) { ++ ares_free(state); ++ return NULL; ++ } ++ ++ return state; ++} ++ ++ ++static void ares__clear_rand_state(ares_rand_state *state) ++{ ++ if (!state) ++ return; ++ ++ switch (state->type) { ++ case ARES_RAND_OS: ++ break; ++ case ARES_RAND_FILE: ++ fclose(state->state.rand_file); ++ break; ++ case ARES_RAND_RC4: ++ break; ++ } ++} ++ ++ ++static void ares__reinit_rand(ares_rand_state *state) ++{ ++ ares__clear_rand_state(state); ++ ares__init_rand_engine(state); ++} ++ ++ ++void ares__destroy_rand_state(ares_rand_state *state) ++{ ++ if (!state) ++ return; ++ ++ ares__clear_rand_state(state); ++ ares_free(state); ++} ++ ++ ++static void ares__rand_bytes(ares_rand_state *state, unsigned char *buf, size_t len) ++{ ++ ++ while (1) { ++ size_t rv; ++ size_t bytes_read = 0; ++ ++ switch (state->type) { ++ case ARES_RAND_OS: ++#ifdef _WIN32 ++ RtlGenRandom(buf, len); ++ return; ++#elif defined(HAVE_ARC4RANDOM_BUF) ++ arc4random_buf(buf, len); ++ return; ++#else ++ /* Shouldn't be possible to be here */ ++ break; ++#endif ++ ++ case ARES_RAND_FILE: ++ while (1) { ++ size_t rv = fread(buf + bytes_read, 1, len - bytes_read, state->state.rand_file); ++ if (rv == 0) ++ break; /* critical error, will reinit rand state */ ++ ++ bytes_read += rv; ++ if (bytes_read == len) ++ return; ++ } ++ break; ++ ++ case ARES_RAND_RC4: ++ ares_rc4_prng(&state->state.rc4, buf, len); ++ return; ++ } ++ ++ /* If we didn't return before we got here, that means we had a critical rand ++ * failure and need to reinitialized */ ++ ares__reinit_rand(state); ++ } ++} ++ ++unsigned short ares__generate_new_id(ares_rand_state *state) ++{ ++ unsigned short r=0; ++ ++ ares__rand_bytes(state, (unsigned char *)&r, sizeof(r)); ++ return r; ++} ++ +-- +2.25.1 + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch new file mode 100644 index 0000000000..63192d3c81 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch @@ -0,0 +1,84 @@ +From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:49 -0400 +Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc + +Link: https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1 + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae] +CVE: CVE-2023-32067 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/lib/ares_process.c | 41 +++++++++++++++++++++++++---------------- + 1 file changed, 25 insertions(+), 16 deletions(-) + +diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c +index bf0cde464..6cac0a99f 100644 +--- a/src/lib/ares_process.c ++++ b/src/lib/ares_process.c +@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + { + struct server_state *server; + int i; +- ares_ssize_t count; ++ ares_ssize_t read_len; + unsigned char buf[MAXENDSSZ + 1]; + #ifdef HAVE_RECVFROM + ares_socklen_t fromlen; +@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + /* To reduce event loop overhead, read and process as many + * packets as we can. */ + do { +- if (server->udp_socket == ARES_SOCKET_BAD) +- count = 0; +- +- else { +- if (server->addr.family == AF_INET) ++ if (server->udp_socket == ARES_SOCKET_BAD) { ++ read_len = -1; ++ } else { ++ if (server->addr.family == AF_INET) { + fromlen = sizeof(from.sa4); +- else ++ } else { + fromlen = sizeof(from.sa6); +- count = socket_recvfrom(channel, server->udp_socket, (void *)buf, +- sizeof(buf), 0, &from.sa, &fromlen); ++ } ++ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf, ++ sizeof(buf), 0, &from.sa, &fromlen); + } + +- if (count == -1 && try_again(SOCKERRNO)) ++ if (read_len == 0) { ++ /* UDP is connectionless, so result code of 0 is a 0-length UDP ++ * packet, and not an indication the connection is closed like on ++ * tcp */ + continue; +- else if (count <= 0) ++ } else if (read_len < 0) { ++ if (try_again(SOCKERRNO)) ++ continue; ++ + handle_error(channel, i, now); ++ + #ifdef HAVE_RECVFROM +- else if (!same_address(&from.sa, &server->addr)) ++ } else if (!same_address(&from.sa, &server->addr)) { + /* The address the response comes from does not match the address we + * sent the request to. Someone may be attempting to perform a cache + * poisoning attack. */ +- break; ++ continue; + #endif +- else +- process_answer(channel, buf, (int)count, i, 0, now); +- } while (count > 0); ++ ++ } else { ++ process_answer(channel, buf, (int)read_len, i, 0, now); ++ } ++ } while (read_len >= 0); + } + } + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch new file mode 100644 index 0000000000..2887634289 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch @@ -0,0 +1,32 @@ +From: a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 11 Mar 2024 14:29:39 +0000 +Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q + +CVE: CVE-2024-25629 +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183] +Signed-off-by: Ashish Sharma <asharma@mvista.com> +--- + src/lib/ares__read_line.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c +index c62ad2a..d6625a3 100644 +--- a/src/lib/ares__read_line.c ++++ b/src/lib/ares__read_line.c +@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize) + if (!fgets(*buf + offset, bytestoread, fp)) + return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF; + len = offset + strlen(*buf + offset); ++ ++ /* Probably means there was an embedded NULL as the first character in ++ * the line, throw away line */ ++ if (len == 0) { ++ offset = 0; ++ continue; ++ } ++ + if ((*buf)[len - 1] == '\n') + { + (*buf)[len - 1] = 0; +-- diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch deleted file mode 100644 index d1cb54aefb..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-fix-formatting-and-handling-of-root.patch +++ /dev/null @@ -1,115 +0,0 @@ -From: bradh352 <brad@brad-house.com> -Date: Fri, 11 Jun 2021 12:39:24 -0400 -Subject: [2/2] ares_expand_name(): fix formatting and handling of root name - response -Origin: https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672 - -Fixes issue introduced in prior commit with formatting and handling -of parsing a root name response which should not be escaped. - -Fix By: Brad House -CVE: CVE-2021-3672 -Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz] -Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> ---- - ares_expand_name.c | 62 ++++++++++++++++++++++++-------------- - 1 file changed, 40 insertions(+), 22 deletions(-) - -diff --git a/ares_expand_name.c b/ares_expand_name.c -index f1c874a97cfc..eb9268c1ff0a 100644 ---- a/ares_expand_name.c -+++ b/ares_expand_name.c -@@ -127,27 +127,37 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, - } - else - { -- len = *p; -+ int name_len = *p; -+ len = name_len; - p++; -+ - while (len--) - { -- if (!isprint(*p)) { -- /* Output as \DDD for consistency with RFC1035 5.1 */ -- *q++ = '\\'; -- *q++ = '0' + *p / 100; -- *q++ = '0' + (*p % 100) / 10; -- *q++ = '0' + (*p % 10); -- } else if (is_reservedch(*p)) { -- *q++ = '\\'; -- *q++ = *p; -- } else { -- *q++ = *p; -- } -+ /* Output as \DDD for consistency with RFC1035 5.1, except -+ * for the special case of a root name response */ -+ if (!isprint(*p) && !(name_len == 1 && *p == 0)) -+ { -+ -+ *q++ = '\\'; -+ *q++ = '0' + *p / 100; -+ *q++ = '0' + (*p % 100) / 10; -+ *q++ = '0' + (*p % 10); -+ } -+ else if (is_reservedch(*p)) -+ { -+ *q++ = '\\'; -+ *q++ = *p; -+ } -+ else -+ { -+ *q++ = *p; -+ } - p++; - } - *q++ = '.'; - } -- } -+ } -+ - if (!indir) - *enclen = aresx_uztosl(p + 1U - encoded); - -@@ -194,21 +204,29 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, - } - else if (top == 0x00) - { -- offset = *encoded; -+ int name_len = *encoded; -+ offset = name_len; - if (encoded + offset + 1 >= abuf + alen) - return -1; - encoded++; -+ - while (offset--) - { -- if (!isprint(*encoded)) { -- n += 4; -- } else if (is_reservedch(*encoded)) { -- n += 2; -- } else { -- n += 1; -- } -+ if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0)) -+ { -+ n += 4; -+ } -+ else if (is_reservedch(*encoded)) -+ { -+ n += 2; -+ } -+ else -+ { -+ n += 1; -+ } - encoded++; - } -+ - n++; - } - else --- -2.32.0 - diff --git a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch b/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch deleted file mode 100644 index 3603ef1278..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/ares_expand_name-should-escape-more-characters.patch +++ /dev/null @@ -1,90 +0,0 @@ -From: bradh352 <brad@brad-house.com> -Date: Fri, 11 Jun 2021 11:27:45 -0400 -Subject: [1/2] ares_expand_name() should escape more characters -Origin: https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3672 - -RFC1035 5.1 specifies some reserved characters and escaping sequences -that are allowed to be specified. Expand the list of reserved characters -and also escape non-printable characters using the \DDD format as -specified in the RFC. - -Bug Reported By: philipp.jeitner@sit.fraunhofer.de -Fix By: Brad House (@bradh352) -CVE: CVE-2021-3672 -Upstream-Status: Backport [http://snapshot.debian.org/archive/debian-security/20210810T064453Z/pool/updates/main/c/c-ares/c-ares_1.17.1-1%2Bdeb11u1.debian.tar.xz] -Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> ---- - ares_expand_name.c | 41 +++++++++++++++++++++++++++++++++++--- - 1 file changed, 38 insertions(+), 3 deletions(-) - -diff --git a/ares_expand_name.c b/ares_expand_name.c -index 407200ef5b4b..f1c874a97cfc 100644 ---- a/ares_expand_name.c -+++ b/ares_expand_name.c -@@ -32,6 +32,26 @@ - static int name_length(const unsigned char *encoded, const unsigned char *abuf, - int alen); - -+/* Reserved characters for names that need to be escaped */ -+static int is_reservedch(int ch) -+{ -+ switch (ch) { -+ case '"': -+ case '.': -+ case ';': -+ case '\\': -+ case '(': -+ case ')': -+ case '@': -+ case '$': -+ return 1; -+ default: -+ break; -+ } -+ -+ return 0; -+} -+ - /* Expand an RFC1035-encoded domain name given by encoded. The - * containing message is given by abuf and alen. The result given by - * *s, which is set to a NUL-terminated allocated buffer. *enclen is -@@ -111,9 +131,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, - p++; - while (len--) - { -- if (*p == '.' || *p == '\\') -+ if (!isprint(*p)) { -+ /* Output as \DDD for consistency with RFC1035 5.1 */ -+ *q++ = '\\'; -+ *q++ = '0' + *p / 100; -+ *q++ = '0' + (*p % 100) / 10; -+ *q++ = '0' + (*p % 10); -+ } else if (is_reservedch(*p)) { - *q++ = '\\'; -- *q++ = *p; -+ *q++ = *p; -+ } else { -+ *q++ = *p; -+ } - p++; - } - *q++ = '.'; -@@ -171,7 +200,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, - encoded++; - while (offset--) - { -- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1; -+ if (!isprint(*encoded)) { -+ n += 4; -+ } else if (is_reservedch(*encoded)) { -+ n += 2; -+ } else { -+ n += 1; -+ } - encoded++; - } - n++; --- -2.32.0 - diff --git a/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch b/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch deleted file mode 100644 index 0eb7e4bbb3..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 12414304245cce6ef0e8b9547949be5109845353 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Tue, 24 Jul 2018 13:33:33 +0800 -Subject: [PATCH] cmake: Install libcares.pc - -Prepare and install libcares.pc file during cmake build, so libraries -using pkg-config to find libcares will not fail. - -Signed-off-by: Alexey Firago <alexey_firago@mentor.com> - -update to 1.14.0, fix patch warning - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - CMakeLists.txt | 28 +++++++++++++++++++++++----- - 1 file changed, 23 insertions(+), 5 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index fd123e1..3a5878d 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -214,22 +214,25 @@ ADD_DEFINITIONS(${SYSFLAGS}) - - - # Tell C-Ares about libraries to depend on -+# Also pass these libraries to pkg-config file -+SET(CARES_PRIVATE_LIBS_LIST) - IF (HAVE_LIBRESOLV) -- LIST (APPEND CARES_DEPENDENT_LIBS resolv) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lresolv") - ENDIF () - IF (HAVE_LIBNSL) -- LIST (APPEND CARES_DEPENDENT_LIBS nsl) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lnsl") - ENDIF () - IF (HAVE_LIBSOCKET) -- LIST (APPEND CARES_DEPENDENT_LIBS socket) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lsocket") - ENDIF () - IF (HAVE_LIBRT) -- LIST (APPEND CARES_DEPENDENT_LIBS rt) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lrt") - ENDIF () - IF (WIN32) -- LIST (APPEND CARES_DEPENDENT_LIBS ws2_32 Advapi32) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lws2_32") - ENDIF () - -+string (REPLACE ";" " " CARES_PRIVATE_LIBS "${CARES_PRIVATE_LIBS_LIST}") - - # When checking for symbols, we need to make sure we set the proper - # headers, libraries, and definitions for the detection to work properly -@@ -554,6 +557,15 @@ CONFIGURE_FILE (ares_build.h.cmake ${PROJECT_BINARY_DIR}/ares_build.h) - # Write ares_config.h configuration file. This is used only for the build. - CONFIGURE_FILE (ares_config.h.cmake ${PROJECT_BINARY_DIR}/ares_config.h) - -+# Pass required CFLAGS to pkg-config in case of static library -+IF (CARES_STATIC) -+ SET (CPPFLAG_CARES_STATICLIB "-DCARES_STATICLIB") -+ENDIF() -+ -+# Write ares_config.h configuration file. This is used only for the build. -+CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) -+ -+ - - # TRANSFORM_MAKEFILE_INC - # -@@ -728,6 +740,12 @@ IF (CARES_INSTALL) - INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" COMPONENT Devel DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig") - ENDIF () - -+# pkg-config file -+IF (CARES_INSTALL) -+ SET (PKGCONFIG_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}/pkgconfig") -+ INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" DESTINATION ${PKGCONFIG_INSTALL_DIR}) -+ENDIF () -+ - # Legacy chain-building variables (provided for compatibility with old code). - # Don't use these, external code should be updated to refer to the aliases directly (e.g., Cares::cares). - SET (CARES_FOUND 1 CACHE INTERNAL "CARES LIBRARY FOUND") --- -2.17.1 - diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb deleted file mode 100644 index b77604797d..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright (c) 2012-2014 LG Electronics, Inc. -SUMMARY = "c-ares is a C library that resolves names asynchronously." -HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/" -SECTION = "libs" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" - -PV = "1.16.0+gitr${SRCPV}" - -SRC_URI = "\ - git://github.com/c-ares/c-ares.git;branch=main;protocol=https \ - file://cmake-install-libcares.pc.patch \ - file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \ - file://ares_expand_name-should-escape-more-characters.patch \ - file://ares_expand_name-fix-formatting-and-handling-of-root.patch \ -" -SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e" - -UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)" - -S = "${WORKDIR}/git" - -inherit cmake pkgconfig - -PACKAGES =+ "${PN}-utils" - -FILES_${PN}-utils = "${bindir}" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb new file mode 100644 index 0000000000..b5936e1ad0 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb @@ -0,0 +1,31 @@ +# Copyright (c) 2012-2014 LG Electronics, Inc. +SUMMARY = "c-ares is a C library that resolves names asynchronously." +HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/" +SECTION = "libs" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" + +SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \ + file://CVE-2022-4904.patch \ + file://CVE-2023-31130.patch \ + file://CVE-2023-31147.patch \ + file://CVE-2023-32067.patch \ + file://CVE-2024-25629.patch \ + " +SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed" + +UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)" + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig + +PACKAGES =+ "${PN}-utils" + +FILES_${PN}-utils = "${bindir}" + +BBCLASSEXTEND = "native nativesdk" + +# this vulneribility applies only when cross-compiling using autotools +# yocto cross-compiles via cmake which is also listed as official workaround +CVE_CHECK_WHITELIST += "CVE-2023-31124" diff --git a/meta-oe/recipes-support/cli11/cli11_1.8.0.bb b/meta-oe/recipes-support/cli11/cli11_1.8.0.bb index 9e1c2d6214..a49eab72fd 100644 --- a/meta-oe/recipes-support/cli11/cli11_1.8.0.bb +++ b/meta-oe/recipes-support/cli11/cli11_1.8.0.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b73927b18d5c6cd8d2ed28a6ad539733" SRCREV = "13becaddb657eacd090537719a669d66d393b8b2" PV .= "+git${SRCPV}" -SRC_URI += "gitsm://github.com/CLIUtils/CLI11;branch=master;protocol=https \ +SRC_URI += "gitsm://github.com/CLIUtils/CLI11;branch=main;protocol=https \ file://0001-Add-CLANG_TIDY-check.patch \ file://0001-Use-GNUInstallDirs-instead-of-hard-coded-path.patch \ " diff --git a/meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb b/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb index ac46b5676c..ac46b5676c 100644 --- a/meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb +++ b/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb index 26a5d4a4d2..21f51ff155 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb @@ -10,7 +10,7 @@ DEPENDS = "lcms bzip2 jpeg libpng tiff zlib fftw freetype libtool" BASE_PV := "${PV}" PV .= "_13" -SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=master;protocol=https" +SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=https" SRCREV = "15b935d64f613b5a0fc9d3fead5c6ec1b0e3908f" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/lcov/lcov_1.14.bb b/meta-oe/recipes-support/lcov/lcov_1.14.bb index 0cc8b31b3f..5e8fb938cf 100755 --- a/meta-oe/recipes-support/lcov/lcov_1.14.bb +++ b/meta-oe/recipes-support/lcov/lcov_1.14.bb @@ -59,7 +59,7 @@ SRC_URI[md5sum] = "0220d01753469f83921f8f41ae5054c1" SRC_URI[sha256sum] = "14995699187440e0ae4da57fe3a64adc0a3c5cf14feab971f8db38fb7d8f071a" do_install() { - oe_runmake install PREFIX=${D}${prefix} CFG_DIR=${D}${sysconfdir} + oe_runmake install PREFIX=${D}${prefix} CFG_DIR=${D}${sysconfdir} LCOV_PERL_PATH="/usr/bin/env perl" } BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-support/libb64/libb64/0001-example-Do-not-run-the-tests.patch b/meta-oe/recipes-support/libb64/libb64/0001-example-Do-not-run-the-tests.patch new file mode 100644 index 0000000000..ea3ddfb64b --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0001-example-Do-not-run-the-tests.patch @@ -0,0 +1,27 @@ +From 68f66d1583be670eb8d5f3f38dbd5dd1d63b733c Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 21:41:04 -0700 +Subject: [PATCH] example: Do not run the tests + +Upstream-Status: Inappropritate [Cross-compile specific] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + examples/Makefile | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/examples/Makefile b/examples/Makefile +index d9667a5..554b346 100644 +--- a/examples/Makefile ++++ b/examples/Makefile +@@ -33,11 +33,8 @@ depend: $(SOURCES) + makedepend -f- $(CFLAGS) $(SOURCES) 2> /dev/null 1> depend + + test-c-example1: c-example1 +- ./c-example1 + + test-c-example2: c-example2 +- ./c-example2 loremgibson.txt encoded.txt decoded.txt +- diff -q loremgibson.txt decoded.txt + + test: test-c-example1 test-c-example2 + diff --git a/meta-oe/recipes-support/libb64/libb64/0002-use-BUFSIZ-as-buffer-size.patch b/meta-oe/recipes-support/libb64/libb64/0002-use-BUFSIZ-as-buffer-size.patch new file mode 100644 index 0000000000..10ec8e14a8 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0002-use-BUFSIZ-as-buffer-size.patch @@ -0,0 +1,57 @@ +From ee03e265804a07a0da5028b86960031bd7ab86b2 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:01:13 -0700 +Subject: [PATCH] use BUFSIZ as buffer size + +Author: Jakub Wilk <jwilk@debian.org> +Bug: http://sourceforge.net/tracker/?func=detail&atid=785907&aid=3591336&group_id=152942 + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + include/b64/decode.h | 3 ++- + include/b64/encode.h | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/b64/decode.h b/include/b64/decode.h +index 12b16ea..e9019f3 100644 +--- a/include/b64/decode.h ++++ b/include/b64/decode.h +@@ -8,6 +8,7 @@ For details, see http://sourceforge.net/projects/libb64 + #ifndef BASE64_DECODE_H + #define BASE64_DECODE_H + ++#include <cstdio> + #include <iostream> + + namespace base64 +@@ -22,7 +23,7 @@ namespace base64 + base64_decodestate _state; + int _buffersize; + +- decoder(int buffersize_in = BUFFERSIZE) ++ decoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) + {} + +diff --git a/include/b64/encode.h b/include/b64/encode.h +index 5d807d9..e7a7035 100644 +--- a/include/b64/encode.h ++++ b/include/b64/encode.h +@@ -8,6 +8,7 @@ For details, see http://sourceforge.net/projects/libb64 + #ifndef BASE64_ENCODE_H + #define BASE64_ENCODE_H + ++#include <cstdio> + #include <iostream> + + namespace base64 +@@ -22,7 +23,7 @@ namespace base64 + base64_encodestate _state; + int _buffersize; + +- encoder(int buffersize_in = BUFFERSIZE) ++ encoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) + {} + diff --git a/meta-oe/recipes-support/libb64/libb64/0003-fix-integer-overflows.patch b/meta-oe/recipes-support/libb64/libb64/0003-fix-integer-overflows.patch new file mode 100644 index 0000000000..8854bb6af4 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0003-fix-integer-overflows.patch @@ -0,0 +1,77 @@ +From 7b30fbc3d47dfaf38d8ce8b8949a69d2984dac76 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:06:03 -0700 +Subject: [PATCH] fix integer overflows + +Author: Jakub Wilk <jwilk@debian.org> +Bug: http://sourceforge.net/tracker/?func=detail&aid=3591129&group_id=152942&atid=785907 + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/cdecode.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/src/cdecode.c b/src/cdecode.c +index a6c0a42..4e47e9f 100644 +--- a/src/cdecode.c ++++ b/src/cdecode.c +@@ -9,10 +9,11 @@ For details, see http://sourceforge.net/projects/libb64 + + int base64_decode_value(char value_in) + { +- static const char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; ++ static const signed char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; + static const char decoding_size = sizeof(decoding); ++ if (value_in < 43) return -1; + value_in -= 43; +- if (value_in < 0 || value_in >= decoding_size) return -1; ++ if (value_in > decoding_size) return -1; + return decoding[(int)value_in]; + } + +@@ -26,7 +27,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + { + const char* codechar = code_in; + char* plainchar = plaintext_out; +- char fragment; ++ int fragment; + + *plainchar = state_in->plainchar; + +@@ -42,7 +43,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar = (fragment & 0x03f) << 2; + case step_b: +@@ -53,7 +54,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x030) >> 4; + *plainchar = (fragment & 0x00f) << 4; +@@ -65,7 +66,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x03c) >> 2; + *plainchar = (fragment & 0x003) << 6; +@@ -77,7 +78,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x03f); + } diff --git a/meta-oe/recipes-support/libb64/libb64/0004-Fix-off-by-one-error.patch b/meta-oe/recipes-support/libb64/libb64/0004-Fix-off-by-one-error.patch new file mode 100644 index 0000000000..e19dbad08d --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0004-Fix-off-by-one-error.patch @@ -0,0 +1,26 @@ +From 8144fd9e02bd5ccd1e080297b19a1e9eb4d3ff96 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:07:15 -0700 +Subject: [PATCH] Fix off by one error + +Launchpad bug #1501176 reported by William McCall on 2015-09-30 + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/cdecode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cdecode.c b/src/cdecode.c +index 4e47e9f..45da4e1 100644 +--- a/src/cdecode.c ++++ b/src/cdecode.c +@@ -13,7 +13,7 @@ int base64_decode_value(char value_in) + static const char decoding_size = sizeof(decoding); + if (value_in < 43) return -1; + value_in -= 43; +- if (value_in > decoding_size) return -1; ++ if (value_in >= decoding_size) return -1; + return decoding[(int)value_in]; + } + diff --git a/meta-oe/recipes-support/libb64/libb64/0005-make-overriding-CFLAGS-possible.patch b/meta-oe/recipes-support/libb64/libb64/0005-make-overriding-CFLAGS-possible.patch new file mode 100644 index 0000000000..e93015ee48 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0005-make-overriding-CFLAGS-possible.patch @@ -0,0 +1,40 @@ +From a7914d5ffee6ffdfb3f2b8ebcc22c8367d078301 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:08:43 -0700 +Subject: [PATCH] make overriding CFLAGS possible + +Author: Jakub Wilk <jwilk@debian.org> + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + base64/Makefile | 2 +- + src/Makefile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/base64/Makefile b/base64/Makefile +index 30a2c5c..783a248 100644 +--- a/base64/Makefile ++++ b/base64/Makefile +@@ -3,7 +3,7 @@ BINARIES = base64 + # Build flags (uncomment one) + ############################# + # Release build flags +-CFLAGS += -O3 ++CFLAGS ?= -O3 + ############################# + # Debug build flags + #CFLAGS += -g +diff --git a/src/Makefile b/src/Makefile +index 28b2382..48801fc 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -3,7 +3,7 @@ LIBRARIES = libb64.a + # Build flags (uncomment one) + ############################# + # Release build flags +-CFLAGS += -O3 ++CFLAGS ?= -O3 + ############################# + # Debug build flags + #CFLAGS += -g diff --git a/meta-oe/recipes-support/libb64/libb64/0006-do-not-export-the-CHARS_PER_LINE-variable.patch b/meta-oe/recipes-support/libb64/libb64/0006-do-not-export-the-CHARS_PER_LINE-variable.patch new file mode 100644 index 0000000000..9ba08c87ee --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0006-do-not-export-the-CHARS_PER_LINE-variable.patch @@ -0,0 +1,27 @@ +From a1b9bb4af819ed389675f16e4a521efeda4cc3f3 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:10:48 -0700 +Subject: [PATCH] do not export the CHARS_PER_LINE variable + +The library exports a variable named "CHARS_PER_LINE". This is a generic name that could conflict with a name in user's code. +Please either rename the variable or make it static. + +Upstream-Status: Submitted [http://sourceforge.net/tracker/?func=detail&aid=3591420&group_id=152942&atid=785907] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/cencode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cencode.c b/src/cencode.c +index 03ba5b6..3df62a8 100644 +--- a/src/cencode.c ++++ b/src/cencode.c +@@ -7,7 +7,7 @@ For details, see http://sourceforge.net/projects/libb64 + + #include <b64/cencode.h> + +-const int CHARS_PER_LINE = 72; ++static const int CHARS_PER_LINE = 72; + + void base64_init_encodestate(base64_encodestate* state_in) + { diff --git a/meta-oe/recipes-support/libb64/libb64/0007-initialize-encoder-decoder-state-in-the-constructors.patch b/meta-oe/recipes-support/libb64/libb64/0007-initialize-encoder-decoder-state-in-the-constructors.patch new file mode 100644 index 0000000000..fdf8339bed --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0007-initialize-encoder-decoder-state-in-the-constructors.patch @@ -0,0 +1,44 @@ +From c1ba44d83cc7d9d756cfb063717852eae9d03328 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:12:41 -0700 +Subject: [PATCH] initialize encoder/decoder state in the constructors + +Author: Jakub Wilk <jwilk@debian.org> + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + include/b64/decode.h | 4 +++- + include/b64/encode.h | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/include/b64/decode.h b/include/b64/decode.h +index e9019f3..aefb7bc 100644 +--- a/include/b64/decode.h ++++ b/include/b64/decode.h +@@ -25,7 +25,9 @@ namespace base64 + + decoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) +- {} ++ { ++ base64_init_decodestate(&_state); ++ } + + int decode(char value_in) + { +diff --git a/include/b64/encode.h b/include/b64/encode.h +index e7a7035..33848b3 100644 +--- a/include/b64/encode.h ++++ b/include/b64/encode.h +@@ -25,7 +25,9 @@ namespace base64 + + encoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) +- {} ++ { ++ base64_init_encodestate(&_state); ++ } + + int encode(char value_in) + { diff --git a/meta-oe/recipes-support/libb64/libb64_1.2.1.bb b/meta-oe/recipes-support/libb64/libb64_1.2.1.bb new file mode 100644 index 0000000000..64a34fece7 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64_1.2.1.bb @@ -0,0 +1,39 @@ +SUMMARY = "Base64 Encoding/Decoding Routines" +DESCRIPTION = "base64 encoding/decoding library - runtime library \ +libb64 is a library of ANSI C routines for fast encoding/decoding data into \ +and from a base64-encoded format" +HOMEPAGE = "http://libb64.sourceforge.net/" +LICENSE = "PD" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ce551aad762074c7ab618a0e07a8dca3" + +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}/${BP}.zip \ + file://0001-example-Do-not-run-the-tests.patch \ + file://0002-use-BUFSIZ-as-buffer-size.patch \ + file://0003-fix-integer-overflows.patch \ + file://0004-Fix-off-by-one-error.patch \ + file://0005-make-overriding-CFLAGS-possible.patch \ + file://0006-do-not-export-the-CHARS_PER_LINE-variable.patch \ + file://0007-initialize-encoder-decoder-state-in-the-constructors.patch \ + " +SRC_URI[sha256sum] = "20106f0ba95cfd9c35a13c71206643e3fb3e46512df3e2efb2fdbf87116314b2" + +PARALLEL_MAKE = "" + +CFLAGS += "-fPIC" + +do_configure () { + : +} + +do_compile () { + oe_runmake + ${CC} ${LDFLAGS} ${CFLAGS} -shared -Wl,-soname,${BPN}.so.0 src/*.o -o src/${BPN}.so.0 +} + +do_install () { + install -d ${D}${includedir}/b64 + install -Dm 0644 ${B}/src/libb64.a ${D}${libdir}/libb64.a + install -Dm 0644 ${B}/src/libb64.so.0 ${D}${libdir}/libb64.so.0 + ln -s libb64.so.0 ${D}${libdir}/libb64.so + install -Dm 0644 ${S}/include/b64/*.h ${D}${includedir}/b64/ +} diff --git a/meta-oe/recipes-support/libiio/libiio_git.bb b/meta-oe/recipes-support/libiio/libiio_git.bb index 0892a3693e..8fbe474485 100644 --- a/meta-oe/recipes-support/libiio/libiio_git.bb +++ b/meta-oe/recipes-support/libiio/libiio_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;md5=7c13b3376cea0ce68d2d2da0a1b3a72c" SRCREV = "5f5af2e417129ad8f4e05fc5c1b730f0694dca12" PV = "0.19+git${SRCPV}" -SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https;branch=master" +SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https;branch=main" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch new file mode 100644 index 0000000000..2944a44622 --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch @@ -0,0 +1,40 @@ +From 533d881b0f4b24c72b35ecc97fa35d295d063e53 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:04:09 +0200 +Subject: [PATCH] sftpserver: Add missing NULL check for ssh_buffer_new() + +Thanks to Ramin Farajpour Cami for spotting this. + +Fixes T232 + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/533d881b0f4b24c72b35ecc97fa35d295d063e53] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/sftpserver.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/sftpserver.c b/src/sftpserver.c +index 5a2110e58..b639a2ce3 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) { + + /* take a copy of the whole packet */ + msg->complete_message = ssh_buffer_new(); ++ if (msg->complete_message == NULL) { ++ ssh_set_error_oom(session); ++ sftp_client_message_free(msg); ++ return NULL; ++ } ++ + ssh_buffer_add_data(msg->complete_message, + ssh_buffer_get(payload), + ssh_buffer_get_len(payload)); +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch new file mode 100644 index 0000000000..3c4ff0c614 --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch @@ -0,0 +1,42 @@ +From 2782cb0495b7450bd8fe43ce4af886b66fea6c40 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:05:51 +0200 +Subject: [PATCH] sftpserver: Add missing return check for + ssh_buffer_add_data() + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/2782cb0495b7450bd8fe43ce4af886b66fea6c40] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/sftpserver.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/sftpserver.c b/src/sftpserver.c +index b639a2ce3..9117f155f 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) { + return NULL; + } + +- ssh_buffer_add_data(msg->complete_message, +- ssh_buffer_get(payload), +- ssh_buffer_get_len(payload)); ++ rc = ssh_buffer_add_data(msg->complete_message, ++ ssh_buffer_get(payload), ++ ssh_buffer_get_len(payload)); ++ if (rc < 0) { ++ ssh_set_error_oom(session); ++ sftp_client_message_free(msg); ++ return NULL; ++ } + + ssh_buffer_get_u32(payload, &msg->id); + +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch new file mode 100644 index 0000000000..03a8ac156a --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch @@ -0,0 +1,70 @@ +From 10b3ebbe61a7031a3dae97f05834442220447181 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:10:11 +0200 +Subject: [PATCH] buffer: Reformat ssh_buffer_add_data() + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/10b3ebbe61a7031a3dae97f05834442220447181] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/buffer.c | 35 ++++++++++++++++++----------------- + 1 file changed, 18 insertions(+), 17 deletions(-) + +diff --git a/src/buffer.c b/src/buffer.c +index a2e6246af..476bc1358 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer) + */ + int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) + { +- buffer_verify(buffer); ++ buffer_verify(buffer); + +- if (data == NULL) { +- return -1; +- } ++ if (data == NULL) { ++ return -1; ++ } + +- if (buffer->used + len < len) { +- return -1; +- } ++ if (buffer->used + len < len) { ++ return -1; ++ } + +- if (buffer->allocated < (buffer->used + len)) { +- if(buffer->pos > 0) +- buffer_shift(buffer); +- if (realloc_buffer(buffer, buffer->used + len) < 0) { +- return -1; ++ if (buffer->allocated < (buffer->used + len)) { ++ if (buffer->pos > 0) { ++ buffer_shift(buffer); ++ } ++ if (realloc_buffer(buffer, buffer->used + len) < 0) { ++ return -1; ++ } + } +- } + +- memcpy(buffer->data+buffer->used, data, len); +- buffer->used+=len; +- buffer_verify(buffer); +- return 0; ++ memcpy(buffer->data + buffer->used, data, len); ++ buffer->used += len; ++ buffer_verify(buffer); ++ return 0; + } + + /** +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch new file mode 100644 index 0000000000..8e9a4c3f5c --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch @@ -0,0 +1,34 @@ +From 245ad744b5ab0582fef7cf3905a717b791d7e08b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:11:21 +0200 +Subject: [PATCH] buffer: Add NULL check for 'buffer' argument + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/245ad744b5ab0582fef7cf3905a717b791d7e08b] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/buffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/buffer.c b/src/buffer.c +index 476bc1358..ce12f491a 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer) + */ + int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) + { ++ if (buffer == NULL) { ++ return -1; ++ } ++ + buffer_verify(buffer); + + if (data == NULL) { +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb index 39ed8a8fbb..0fb07a0eb7 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb @@ -6,7 +6,13 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0" DEPENDS = "zlib openssl libgcrypt" -SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=stable-0.8" +SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=stable-0.8 \ + file://CVE-2020-16135-1.patch \ + file://CVE-2020-16135-2.patch \ + file://CVE-2020-16135-3.patch \ + file://CVE-2020-16135-4.patch \ + " + SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libssh2/files/CVE-2020-22218.patch b/meta-oe/recipes-support/libssh2/files/CVE-2020-22218.patch new file mode 100644 index 0000000000..49dbde737f --- /dev/null +++ b/meta-oe/recipes-support/libssh2/files/CVE-2020-22218.patch @@ -0,0 +1,39 @@ +From 642eec48ff3adfdb7a9e562b6d7fc865d1733f45 Mon Sep 17 00:00:00 2001 +From: lutianxiong <lutianxiong@huawei.com> +Date: Fri, 29 May 2020 01:25:40 +0800 +Subject: [PATCH] transport.c: fix use-of-uninitialized-value (#476) + +file:transport.c + +notes: +return error if malloc(0) + +credit: +lutianxiong + +Bug: https://github.com/libssh2/libssh2/pull/476 +Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45 +& +https://github.com/libssh2/libssh2/commit/0b44e558f311671f6e6d14c559bc1c9bda59b8df] +CVE: CVE-2020-22218 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/transport.c b/src/transport.c +index 45e445c..35e7df3 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -465,7 +465,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + * or less (including length, padding length, payload, + * padding, and MAC.)." + */ +- if(total_num > LIBSSH2_PACKET_MAXPAYLOAD) { ++ if(total_num > LIBSSH2_PACKET_MAXPAYLOAD || total_num == 0) { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb b/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb index c1f337a440..e11e663769 100644 --- a/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb +++ b/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c5cf34fc0acb44b082ef50ef5e4354ca" SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \ file://CVE-2019-17498.patch \ + file://CVE-2020-22218.patch \ " SRC_URI[md5sum] = "1beefafe8963982adc84b408b2959927" SRC_URI[sha256sum] = "d5fb8bd563305fd1074dda90bd053fb2d29fc4bce048d182f96eaa466dfadafd" diff --git a/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch new file mode 100644 index 0000000000..d06ef44f68 --- /dev/null +++ b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch @@ -0,0 +1,154 @@ +From cb57b930fa690ab79b3904846634681685e3470f Mon Sep 17 00:00:00 2001 +From: Martin Wilck <mwilck@suse.com> +Date: Thu, 1 Sep 2022 19:21:30 +0200 +Subject: [PATCH] multipath-tools: use /run instead of /dev/shm + +/dev/shm may have unsafe permissions. Use /run instead. +Use systemd's tmpfiles.d mechanism to create /run/multipath +early during boot. + +For backward compatibilty, make the runtime directory configurable +via the "runtimedir" make variable. + +Signed-off-by: Martin Wilck <mwilck@suse.com> +Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com> + +CVE: CVE-2022-41973 +Upstream-Status: Backport [https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + .gitignore | 2 ++ + Makefile.inc | 7 ++++++- + libmultipath/defaults.h | 3 +-- + multipath/Makefile | 11 ++++++++--- + multipath/{multipath.rules => multipath.rules.in} | 4 ++-- + multipath/tmpfiles.conf.in | 1 + + 6 files changed, 20 insertions(+), 8 deletions(-) + rename multipath/{multipath.rules => multipath.rules.in} (95%) + create mode 100644 multipath/tmpfiles.conf.in + +diff --git a/.gitignore b/.gitignore +index 9926756b..f90b0350 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -8,6 +8,8 @@ + *.d + kpartx/kpartx + multipath/multipath ++multipath/multipath.rules ++multipath/tmpfiles.conf + multipathd/multipathd + mpathpersist/mpathpersist + .nfs* +diff --git a/Makefile.inc b/Makefile.inc +index 4eb08eed..648f91b4 100644 +--- a/Makefile.inc ++++ b/Makefile.inc +@@ -44,6 +44,7 @@ exec_prefix = $(prefix) + usr_prefix = $(prefix) + bindir = $(exec_prefix)/usr/sbin + libudevdir = $(prefix)/$(SYSTEMDPATH)/udev ++tmpfilesdir = $(prefix)/$(SYSTEMDPATH)/tmpfiles.d + udevrulesdir = $(libudevdir)/rules.d + multipathdir = $(TOPDIR)/libmultipath + man8dir = $(prefix)/usr/share/man/man8 +@@ -60,6 +61,7 @@ libdmmpdir = $(TOPDIR)/libdmmp + nvmedir = $(TOPDIR)/libmultipath/nvme + includedir = $(prefix)/usr/include + pkgconfdir = $(usrlibdir)/pkgconfig ++runtimedir := /$(RUN) + + GZIP = gzip -9 -c + RM = rm -f +@@ -95,7 +97,10 @@ OPTFLAGS += -Wextra -Wstrict-prototypes -Wformat=2 -Werror=implicit-int \ + -Wno-unused-parameter -Werror=cast-qual \ + -Werror=discarded-qualifiers + +-CPPFLAGS := -Wp,-D_FORTIFY_SOURCE=2 ++CPPFLAGS := $(FORTIFY_OPT) \ ++ -DBIN_DIR=\"$(bindir)\" -DMULTIPATH_DIR=\"$(plugindir)\" -DRUN_DIR=\"${RUN}\" \ ++ -DRUNTIME_DIR=\"$(runtimedir)\" \ ++ -DCONFIG_DIR=\"$(configdir)\" -DEXTRAVERSION=\"$(EXTRAVERSION)\" -MMD -MP + CFLAGS := $(OPTFLAGS) -DBIN_DIR=\"$(bindir)\" -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\" \ + -MMD -MP $(CFLAGS) + BIN_CFLAGS = -fPIE -DPIE +diff --git a/libmultipath/defaults.h b/libmultipath/defaults.h +index c2164c16..908e0ca3 100644 +--- a/libmultipath/defaults.h ++++ b/libmultipath/defaults.h +@@ -64,8 +64,7 @@ + #define DEFAULT_WWIDS_FILE "/etc/multipath/wwids" + #define DEFAULT_PRKEYS_FILE "/etc/multipath/prkeys" + #define DEFAULT_CONFIG_DIR "/etc/multipath/conf.d" +-#define MULTIPATH_SHM_BASE "/dev/shm/multipath/" +- ++#define MULTIPATH_SHM_BASE RUNTIME_DIR "/multipath/" + + static inline char *set_default(char *str) + { +diff --git a/multipath/Makefile b/multipath/Makefile +index e720c7f6..28976546 100644 +--- a/multipath/Makefile ++++ b/multipath/Makefile +@@ -12,7 +12,7 @@ EXEC = multipath + + OBJS = main.o + +-all: $(EXEC) ++all: $(EXEC) multipath.rules tmpfiles.conf + + $(EXEC): $(OBJS) $(multipathdir)/libmultipath.so $(mpathcmddir)/libmpathcmd.so + $(CC) $(CFLAGS) $(OBJS) -o $(EXEC) $(LDFLAGS) $(LIBDEPS) +@@ -26,7 +26,9 @@ install: + $(INSTALL_PROGRAM) -m 755 mpathconf $(DESTDIR)$(bindir)/ + $(INSTALL_PROGRAM) -d $(DESTDIR)$(udevrulesdir) + $(INSTALL_PROGRAM) -m 644 11-dm-mpath.rules $(DESTDIR)$(udevrulesdir) +- $(INSTALL_PROGRAM) -m 644 $(EXEC).rules $(DESTDIR)$(libudevdir)/rules.d/62-multipath.rules ++ $(INSTALL_PROGRAM) -m 644 multipath.rules $(DESTDIR)$(udevrulesdir)/56-multipath.rules ++ $(INSTALL_PROGRAM) -d $(DESTDIR)$(tmpfilesdir) ++ $(INSTALL_PROGRAM) -m 644 tmpfiles.conf $(DESTDIR)$(tmpfilesdir)/multipath.conf + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -m 644 $(EXEC).8.gz $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man5dir) +@@ -43,9 +45,12 @@ uninstall: + $(RM) $(DESTDIR)$(man8dir)/mpathconf.8.gz + + clean: dep_clean +- $(RM) core *.o $(EXEC) *.gz ++ $(RM) core *.o $(EXEC) multipath.rules tmpfiles.conf + + include $(wildcard $(OBJS:.o=.d)) + + dep_clean: + $(RM) $(OBJS:.o=.d) ++ ++%: %.in ++ sed 's,@RUNTIME_DIR@,$(runtimedir),' $< >$@ +diff --git a/multipath/multipath.rules b/multipath/multipath.rules.in +similarity index 95% +rename from multipath/multipath.rules +rename to multipath/multipath.rules.in +index 0486bf70..5fb499e6 100644 +--- a/multipath/multipath.rules ++++ b/multipath/multipath.rules.in +@@ -1,8 +1,8 @@ + # Set DM_MULTIPATH_DEVICE_PATH if the device should be handled by multipath + SUBSYSTEM!="block", GOTO="end_mpath" + KERNEL!="sd*|dasd*|nvme*", GOTO="end_mpath" +-ACTION=="remove", TEST=="/dev/shm/multipath/find_multipaths/$major:$minor", \ +- RUN+="/usr/bin/rm -f /dev/shm/multipath/find_multipaths/$major:$minor" ++ACTION=="remove", TEST=="@RUNTIME_DIR@/multipath/find_multipaths/$major:$minor", \ ++ RUN+="/usr/bin/rm -f @RUNTIME_DIR@/multipath/find_multipaths/$major:$minor" + ACTION!="add|change", GOTO="end_mpath" + + IMPORT{cmdline}="nompath" +diff --git a/multipath/tmpfiles.conf.in b/multipath/tmpfiles.conf.in +new file mode 100644 +index 00000000..21be438a +--- /dev/null ++++ b/multipath/tmpfiles.conf.in +@@ -0,0 +1 @@ ++d @RUNTIME_DIR@/multipath 0700 root root - +-- +2.25.1 + diff --git a/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41974.patch b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41974.patch new file mode 100644 index 0000000000..dcc2cd49ef --- /dev/null +++ b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41974.patch @@ -0,0 +1,162 @@ +From 0168696f95b5c610c3861ced8ef98accd1a83b91 Mon Sep 17 00:00:00 2001 +From: Benjamin Marzinski <bmarzins@redhat.com> +Date: Tue, 27 Sep 2022 12:36:37 +0200 +Subject: [PATCH] multipathd: ignore duplicated multipathd command keys + +multipath adds rather than or-s the values of command keys. Fix this. +Also, return an invalid fingerprint if a key is used more than once. + +References: +https://nvd.nist.gov/vuln/detail/CVE-2022-41974 +https://github.com/opensvc/multipath-tools/issues/59 + +Upstream-Status: Backport [https://github.com/openSUSE/multipath-tools/commit/fbbf280a0e26026c19879d938ebb2a8200b6357c] +CVE: CVE-2022-41974 + +Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + multipathd/cli.c | 8 ++-- + multipathd/main.c | 104 +++++++++++++++++++++++----------------------- + 2 files changed, 57 insertions(+), 55 deletions(-) + +diff --git a/multipathd/cli.c b/multipathd/cli.c +index 800c0fbe..0a266761 100644 +--- a/multipathd/cli.c ++++ b/multipathd/cli.c +@@ -336,9 +336,11 @@ fingerprint(vector vec) + if (!vec) + return 0; + +- vector_foreach_slot(vec, kw, i) +- fp += kw->code; +- ++ vector_foreach_slot(vec, kw, i) { ++ if (fp & kw->code) ++ return (uint64_t)-1; ++ fp |= kw->code; ++ } + return fp; + } + +diff --git a/multipathd/main.c b/multipathd/main.c +index 8baf9abe..975287d2 100644 +--- a/multipathd/main.c ++++ b/multipathd/main.c +@@ -1522,61 +1522,61 @@ uxlsnrloop (void * ap) + /* Tell main thread that thread has started */ + post_config_state(DAEMON_CONFIGURE); + +- set_handler_callback(LIST+PATHS, cli_list_paths); +- set_handler_callback(LIST+PATHS+FMT, cli_list_paths_fmt); +- set_handler_callback(LIST+PATHS+RAW+FMT, cli_list_paths_raw); +- set_handler_callback(LIST+PATH, cli_list_path); +- set_handler_callback(LIST+MAPS, cli_list_maps); +- set_handler_callback(LIST+STATUS, cli_list_status); +- set_unlocked_handler_callback(LIST+DAEMON, cli_list_daemon); +- set_handler_callback(LIST+MAPS+STATUS, cli_list_maps_status); +- set_handler_callback(LIST+MAPS+STATS, cli_list_maps_stats); +- set_handler_callback(LIST+MAPS+FMT, cli_list_maps_fmt); +- set_handler_callback(LIST+MAPS+RAW+FMT, cli_list_maps_raw); +- set_handler_callback(LIST+MAPS+TOPOLOGY, cli_list_maps_topology); +- set_handler_callback(LIST+TOPOLOGY, cli_list_maps_topology); +- set_handler_callback(LIST+MAPS+JSON, cli_list_maps_json); +- set_handler_callback(LIST+MAP+TOPOLOGY, cli_list_map_topology); +- set_handler_callback(LIST+MAP+FMT, cli_list_map_fmt); +- set_handler_callback(LIST+MAP+RAW+FMT, cli_list_map_fmt); +- set_handler_callback(LIST+MAP+JSON, cli_list_map_json); +- set_handler_callback(LIST+CONFIG+LOCAL, cli_list_config_local); +- set_handler_callback(LIST+CONFIG, cli_list_config); +- set_handler_callback(LIST+BLACKLIST, cli_list_blacklist); +- set_handler_callback(LIST+DEVICES, cli_list_devices); +- set_handler_callback(LIST+WILDCARDS, cli_list_wildcards); +- set_handler_callback(RESET+MAPS+STATS, cli_reset_maps_stats); +- set_handler_callback(RESET+MAP+STATS, cli_reset_map_stats); +- set_handler_callback(ADD+PATH, cli_add_path); +- set_handler_callback(DEL+PATH, cli_del_path); +- set_handler_callback(ADD+MAP, cli_add_map); +- set_handler_callback(DEL+MAP, cli_del_map); +- set_handler_callback(SWITCH+MAP+GROUP, cli_switch_group); ++ set_handler_callback(LIST|PATHS, cli_list_paths); ++ set_handler_callback(LIST|PATHS|FMT, cli_list_paths_fmt); ++ set_handler_callback(LIST|PATHS|RAW|FMT, cli_list_paths_raw); ++ set_handler_callback(LIST|PATH, cli_list_path); ++ set_handler_callback(LIST|MAPS, cli_list_maps); ++ set_handler_callback(LIST|STATUS, cli_list_status); ++ set_unlocked_handler_callback(LIST|DAEMON, cli_list_daemon); ++ set_handler_callback(LIST|MAPS|STATUS, cli_list_maps_status); ++ set_handler_callback(LIST|MAPS|STATS, cli_list_maps_stats); ++ set_handler_callback(LIST|MAPS|FMT, cli_list_maps_fmt); ++ set_handler_callback(LIST|MAPS|RAW|FMT, cli_list_maps_raw); ++ set_handler_callback(LIST|MAPS|TOPOLOGY, cli_list_maps_topology); ++ set_handler_callback(LIST|TOPOLOGY, cli_list_maps_topology); ++ set_handler_callback(LIST|MAPS|JSON, cli_list_maps_json); ++ set_handler_callback(LIST|MAP|TOPOLOGY, cli_list_map_topology); ++ set_handler_callback(LIST|MAP|FMT, cli_list_map_fmt); ++ set_handler_callback(LIST|MAP|RAW|FMT, cli_list_map_fmt); ++ set_handler_callback(LIST|MAP|JSON, cli_list_map_json); ++ set_handler_callback(LIST|CONFIG|LOCAL, cli_list_config_local); ++ set_handler_callback(LIST|CONFIG, cli_list_config); ++ set_handler_callback(LIST|BLACKLIST, cli_list_blacklist); ++ set_handler_callback(LIST|DEVICES, cli_list_devices); ++ set_handler_callback(LIST|WILDCARDS, cli_list_wildcards); ++ set_handler_callback(RESET|MAPS|STATS, cli_reset_maps_stats); ++ set_handler_callback(RESET|MAP|STATS, cli_reset_map_stats); ++ set_handler_callback(ADD|PATH, cli_add_path); ++ set_handler_callback(DEL|PATH, cli_del_path); ++ set_handler_callback(ADD|MAP, cli_add_map); ++ set_handler_callback(DEL|MAP, cli_del_map); ++ set_handler_callback(SWITCH|MAP|GROUP, cli_switch_group); + set_unlocked_handler_callback(RECONFIGURE, cli_reconfigure); +- set_handler_callback(SUSPEND+MAP, cli_suspend); +- set_handler_callback(RESUME+MAP, cli_resume); +- set_handler_callback(RESIZE+MAP, cli_resize); +- set_handler_callback(RELOAD+MAP, cli_reload); +- set_handler_callback(RESET+MAP, cli_reassign); +- set_handler_callback(REINSTATE+PATH, cli_reinstate); +- set_handler_callback(FAIL+PATH, cli_fail); +- set_handler_callback(DISABLEQ+MAP, cli_disable_queueing); +- set_handler_callback(RESTOREQ+MAP, cli_restore_queueing); +- set_handler_callback(DISABLEQ+MAPS, cli_disable_all_queueing); +- set_handler_callback(RESTOREQ+MAPS, cli_restore_all_queueing); ++ set_handler_callback(SUSPEND|MAP, cli_suspend); ++ set_handler_callback(RESUME|MAP, cli_resume); ++ set_handler_callback(RESIZE|MAP, cli_resize); ++ set_handler_callback(RELOAD|MAP, cli_reload); ++ set_handler_callback(RESET|MAP, cli_reassign); ++ set_handler_callback(REINSTATE|PATH, cli_reinstate); ++ set_handler_callback(FAIL|PATH, cli_fail); ++ set_handler_callback(DISABLEQ|MAP, cli_disable_queueing); ++ set_handler_callback(RESTOREQ|MAP, cli_restore_queueing); ++ set_handler_callback(DISABLEQ|MAPS, cli_disable_all_queueing); ++ set_handler_callback(RESTOREQ|MAPS, cli_restore_all_queueing); + set_unlocked_handler_callback(QUIT, cli_quit); + set_unlocked_handler_callback(SHUTDOWN, cli_shutdown); +- set_handler_callback(GETPRSTATUS+MAP, cli_getprstatus); +- set_handler_callback(SETPRSTATUS+MAP, cli_setprstatus); +- set_handler_callback(UNSETPRSTATUS+MAP, cli_unsetprstatus); +- set_handler_callback(FORCEQ+DAEMON, cli_force_no_daemon_q); +- set_handler_callback(RESTOREQ+DAEMON, cli_restore_no_daemon_q); +- set_handler_callback(GETPRKEY+MAP, cli_getprkey); +- set_handler_callback(SETPRKEY+MAP+KEY, cli_setprkey); +- set_handler_callback(UNSETPRKEY+MAP, cli_unsetprkey); +- set_handler_callback(SETMARGINAL+PATH, cli_set_marginal); +- set_handler_callback(UNSETMARGINAL+PATH, cli_unset_marginal); +- set_handler_callback(UNSETMARGINAL+MAP, cli_unset_all_marginal); ++ set_handler_callback(GETPRSTATUS|MAP, cli_getprstatus); ++ set_handler_callback(SETPRSTATUS|MAP, cli_setprstatus); ++ set_handler_callback(UNSETPRSTATUS|MAP, cli_unsetprstatus); ++ set_handler_callback(FORCEQ|DAEMON, cli_force_no_daemon_q); ++ set_handler_callback(RESTOREQ|DAEMON, cli_restore_no_daemon_q); ++ set_handler_callback(GETPRKEY|MAP, cli_getprkey); ++ set_handler_callback(SETPRKEY|MAP|KEY, cli_setprkey); ++ set_handler_callback(UNSETPRKEY|MAP, cli_unsetprkey); ++ set_handler_callback(SETMARGINAL|PATH, cli_set_marginal); ++ set_handler_callback(UNSETMARGINAL|PATH, cli_unset_marginal); ++ set_handler_callback(UNSETMARGINAL|MAP, cli_unset_all_marginal); + + umask(077); + uxsock_listen(&uxsock_trigger, ux_sock, ap); +-- +2.25.1 + diff --git a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb index 3cff3b90e5..e14e494366 100644 --- a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb +++ b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb @@ -29,7 +29,7 @@ DEPENDS = "libdevmapper \ LICENSE = "GPLv2" -SRC_URI = "git://git.opensvc.com/multipath-tools/.git;protocol=http;branch=master \ +SRC_URI = "git://github.com/opensvc/multipath-tools.git;protocol=http;branch=master \ file://multipathd.oe \ file://multipath.conf.example \ file://0021-RH-fixup-udev-rules-for-redhat.patch \ @@ -45,6 +45,8 @@ SRC_URI = "git://git.opensvc.com/multipath-tools/.git;protocol=http;branch=maste file://0031-Always-use-devmapper-for-kpartx.patch \ file://0001-fix-bug-of-do_compile-and-do_install.patch \ file://0001-add-explicit-dependency-on-libraries.patch \ + file://CVE-2022-41973.patch \ + file://CVE-2022-41974.patch \ " LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2" @@ -117,3 +119,6 @@ FILES_kpartx = "${base_sbindir}/kpartx \ RDEPENDS_${PN} += "kpartx" PARALLEL_MAKE = "" + +FILES:${PN}-libs += "usr/lib/*.so.*" +FILES:${PN}-libs += "usr/lib/tmpfiles.d/*" diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch new file mode 100644 index 0000000000..b935d9eec5 --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch @@ -0,0 +1,46 @@ +From 4e7e332b25a2794f381323518e52d8d95273b69e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?= <fkrenzel@redhat.com> +Date: Mon, 30 Jan 2023 12:59:20 +0000 +Subject: [PATCH] Bug 1812671 - build failure while implicitly casting + SECStatus to PRUInt32. r=nss-reviewers,mt + +Author of the patch: Bob Relyea <rrelyea@redhat.com> + +Differential Revision: https://phabricator.services.mozilla.com/D167983 + +--HG-- +extra : moz-landing-system : lando +--- + lib/ssl/ssl3exthandle.c | 2 +- + lib/ssl/sslsnce.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c +index b5ae62f39..7134447bf 100644 +--- a/lib/ssl/ssl3exthandle.c ++++ b/lib/ssl/ssl3exthandle.c +@@ -201,7 +201,7 @@ ssl3_FreeSniNameArray(TLSExtensionData *xtnData) + * Clients sends a filled in session ticket if one is available, and otherwise + * sends an empty ticket. Servers always send empty tickets. + */ +-PRInt32 ++SECStatus + ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, + sslBuffer *buf, PRBool *added) + { +diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c +index 56edafa1f..49f041c97 100644 +--- a/lib/ssl/sslsnce.c ++++ b/lib/ssl/sslsnce.c +@@ -1820,7 +1820,7 @@ ssl_GetSelfEncryptKeyPair(SECKEYPublicKey **pubKey, + return SECSuccess; + } + +-static PRBool ++static SECStatus + ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName, + PK11SymKey **aesKey, PK11SymKey **macKey); + +-- +2.40.1 + diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch new file mode 100644 index 0000000000..dc7e172aae --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch @@ -0,0 +1,75 @@ +From cbf5a2bce75ca2c2fd3e247796b9892f5298584e Mon Sep 17 00:00:00 2001 +From: "John M. Schanck" <jschanck@mozilla.com> +Date: Thu, 13 Apr 2023 17:43:46 +0000 +Subject: [PATCH] Bug 1826650 - cmd/ecperf: fix dangling pointer warning on gcc + 13. r=djackson + +Differential Revision: https://phabricator.services.mozilla.com/D174822 + +--HG-- +extra : moz-landing-system : lando +--- + cmd/ecperf/ecperf.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/cmd/ecperf/ecperf.c b/cmd/ecperf/ecperf.c +index 705d68f35..a07004d8e 100644 +--- a/cmd/ecperf/ecperf.c ++++ b/cmd/ecperf/ecperf.c +@@ -53,6 +53,7 @@ PKCS11Thread(void *data) + SECItem sig; + CK_SESSION_HANDLE session; + CK_RV crv; ++ void *tmp = NULL; + + threadData->status = SECSuccess; + threadData->count = 0; +@@ -68,6 +69,7 @@ PKCS11Thread(void *data) + if (threadData->isSign) { + sig.data = sigData; + sig.len = sizeof(sigData); ++ tmp = threadData->p2; + threadData->p2 = (void *)&sig; + } + +@@ -79,6 +81,10 @@ PKCS11Thread(void *data) + } + threadData->count++; + } ++ ++ if (threadData->isSign) { ++ threadData->p2 = tmp; ++ } + return; + } + +@@ -89,6 +95,7 @@ genericThread(void *data) + int iters = threadData->iters; + unsigned char sigData[256]; + SECItem sig; ++ void *tmp = NULL; + + threadData->status = SECSuccess; + threadData->count = 0; +@@ -96,6 +103,7 @@ genericThread(void *data) + if (threadData->isSign) { + sig.data = sigData; + sig.len = sizeof(sigData); ++ tmp = threadData->p2; + threadData->p2 = (void *)&sig; + } + +@@ -107,6 +115,10 @@ genericThread(void *data) + } + threadData->count++; + } ++ ++ if (threadData->isSign) { ++ threadData->p2 = tmp; ++ } + return; + } + +-- +2.40.1 + diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch new file mode 100644 index 0000000000..f30d4d32cd --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch @@ -0,0 +1,163 @@ +# HG changeset patch +# User Daiki Ueno <dueno@redhat.com> +# Date 1602524521 0 +# Node ID 57bbefa793232586d27cee83e74411171e128361 +# Parent 6e3bc17f05086854ffd2b06f7fae9371f7a0c174 +Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode, r=mt + +This makes the server reject CCS when the client doesn't indicate the +use of the middlebox compatibility mode with a non-empty +ClientHello.legacy_session_id, or it sends multiple CCS in a row. + +Differential Revision: https://phabricator.services.mozilla.com/D79994 + +Upstream-Status: Backport +CVE: CVE-2020-25648 +Reference to upstream patch: https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361 +Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> + +diff --color -Naur nss-3.51.1_old/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc nss-3.51.1/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc +--- nss-3.51.1_old/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2022-12-08 16:05:47.447142660 +0100 ++++ nss-3.51.1/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2022-12-08 16:12:32.645932052 +0100 +@@ -348,6 +348,85 @@ + client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); + } + ++// The server rejects a ChangeCipherSpec if the client advertises an ++// empty session ID. ++TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS ++ ++ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ server_->Handshake(); // Consume ClientHello and CCS ++ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The server rejects multiple ChangeCipherSpec even if the client ++// indicates compatibility mode with non-empty session ID. ++TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ EnableCompatMode(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ // Send CCS twice in a row ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ ++ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ server_->Handshake(); // Consume ClientHello and CCS. ++ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The client rejects a ChangeCipherSpec if it advertises an empty ++// session ID. ++TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ ++ // To replace Finished with a CCS below ++ auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_); ++ filter->SetHandshakeTypes({kTlsHandshakeFinished}); ++ filter->EnableDecryption(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ server_->Handshake(); // Consume ClientHello, and ++ // send ServerHello..CertificateVerify ++ // Send CCS ++ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ client_->Handshake(); // Consume ClientHello and CCS ++ client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The client rejects multiple ChangeCipherSpec in a row even if the ++// client indicates compatibility mode with non-empty session ID. ++TEST_F(Tls13CompatTest, ChangeCipherSpecAfterServerHelloTwice) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ EnableCompatMode(); ++ ++ // To replace Finished with a CCS below ++ auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_); ++ filter->SetHandshakeTypes({kTlsHandshakeFinished}); ++ filter->EnableDecryption(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ server_->Handshake(); // Consume ClientHello, and ++ // send ServerHello..CertificateVerify ++ // the ServerHello is followed by CCS ++ // Send another CCS ++ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ client_->Handshake(); // Consume ClientHello and CCS ++ client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ + // If we negotiate 1.2, we abort. + TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHello12) { + EnsureTlsSetup(); +diff --color -Naur nss-3.51.1_old/nss/lib/ssl/ssl3con.c nss-3.51.1/nss/lib/ssl/ssl3con.c +--- nss-3.51.1_old/nss/lib/ssl/ssl3con.c 2022-12-08 16:05:47.471142833 +0100 ++++ nss-3.51.1/nss/lib/ssl/ssl3con.c 2022-12-08 16:12:42.037994262 +0100 +@@ -6711,7 +6711,11 @@ + + /* TLS 1.3: We sent a session ID. The server's should match. */ + if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) { +- return sidMatch; ++ if (sidMatch) { ++ ss->ssl3.hs.allowCcs = PR_TRUE; ++ return PR_TRUE; ++ } ++ return PR_FALSE; + } + + /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */ +@@ -8730,6 +8734,7 @@ + errCode = PORT_GetError(); + goto alert_loser; + } ++ ss->ssl3.hs.allowCcs = PR_TRUE; + } + + /* TLS 1.3 requires that compression include only null. */ +@@ -13058,8 +13063,15 @@ + ss->ssl3.hs.ws != idle_handshake && + cText->buf->len == 1 && + cText->buf->buf[0] == change_cipher_spec_choice) { +- /* Ignore the CCS. */ +- return SECSuccess; ++ if (ss->ssl3.hs.allowCcs) { ++ /* Ignore the first CCS. */ ++ ss->ssl3.hs.allowCcs = PR_FALSE; ++ return SECSuccess; ++ } ++ ++ /* Compatibility mode is not negotiated. */ ++ alert = unexpected_message; ++ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); + } + + if (IS_DTLS(ss) || +diff --color -Naur nss-3.51.1_old/nss/lib/ssl/sslimpl.h nss-3.51.1/nss/lib/ssl/sslimpl.h +--- nss-3.51.1_old/nss/lib/ssl/sslimpl.h 2022-12-08 16:05:47.471142833 +0100 ++++ nss-3.51.1/nss/lib/ssl/sslimpl.h 2022-12-08 16:12:45.106014567 +0100 +@@ -711,6 +711,10 @@ + * or received. */ + PRBool receivedCcs; /* A server received ChangeCipherSpec + * before the handshake started. */ ++ PRBool allowCcs; /* A server allows ChangeCipherSpec ++ * as the middlebox compatibility mode ++ * is explicitly indicarted by ++ * legacy_session_id in TLS 1.3 ClientHello. */ + PRBool clientCertRequested; /* True if CertificateRequest received. */ + ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def + * we use for TLS 1.3 */ diff --git a/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch new file mode 100644 index 0000000000..cccb73187d --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch @@ -0,0 +1,63 @@ +# HG changeset patch +# User John M. Schanck <jschanck@mozilla.com> +# Date 1633990165 0 +# Node ID 7ff99e71f3e37faed12bc3cc90a3eed27e3418d0 +# Parent f80fafd04cf82b4d315c8fe42bb4639703f6ee4f +Bug 1735028 - check for missing signedData field r=keeler + +Differential Revision: https://phabricator.services.mozilla.com/D128112 + +Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/raw-rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0] +CVE: CVE-2022-22747 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc +--- a/nss/gtests/certdb_gtest/decode_certs_unittest.cc ++++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc +@@ -21,8 +21,21 @@ TEST_F(DecodeCertsTest, EmptyCertPackage + unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, + 0x05, 0xa0, 0x02, 0x30, 0x00}; + EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage( + reinterpret_cast<char*>(emptyCertPackage), + sizeof(emptyCertPackage))); + EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError()); + } ++ ++TEST_F(DecodeCertsTest, EmptySignedData) { ++ // This represents a PKCS#7 ContentInfo of contentType ++ // 1.2.840.113549.1.7.2 (signedData) with missing content. ++ unsigned char emptySignedData[] = {0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, ++ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, ++ 0x02, 0x00, 0x00, 0x05, 0x00}; ++ ++ EXPECT_EQ(nullptr, ++ CERT_DecodeCertFromPackage(reinterpret_cast<char*>(emptySignedData), ++ sizeof(emptySignedData))); ++ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError()); ++} +diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c +--- a/nss/lib/pkcs7/certread.c ++++ b/nss/lib/pkcs7/certread.c +@@ -134,16 +134,21 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, C + pkcs7Item) != SECSuccess) { + goto done; + } + + if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) { + goto done; + } + ++ if (contentInfo.content.signedData == NULL) { ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ goto done; ++ } ++ + rv = SECSuccess; + + certs = contentInfo.content.signedData->certificates; + if (certs) { + count = 0; + + while (*certs) { + count++; diff --git a/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch b/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch new file mode 100644 index 0000000000..ec3b4a092a --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch @@ -0,0 +1,124 @@ + +# HG changeset patch +# User John M. Schanck <jschanck@mozilla.com> +# Date 1675974326 0 +# Node ID 62f6b3e9024dd72ba3af9ce23848d7573b934f18 +# Parent 52b4b7d3d3ebdb25fbf2cf1c101bfad3721680f4 +Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. r=rrelyea + +Differential Revision: https://phabricator.services.mozilla.com/D167443 + +CVE: CVE-2023-0767 +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/nss/2:3.35-2ubuntu2.16/nss_3.35-2ubuntu2.16.debian.tar.xz] +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c +--- a/nss/lib/pkcs12/p12d.c ++++ b/nss/lib/pkcs12/p12d.c +@@ -332,41 +332,48 @@ sec_pkcs12_decoder_safe_bag_update(void + unsigned long len, int depth, + SEC_ASN1EncodingPart data_kind) + { + sec_PKCS12SafeContentsContext *safeContentsCtx = + (sec_PKCS12SafeContentsContext *)arg; + SEC_PKCS12DecoderContext *p12dcx; + SECStatus rv; + +- /* make sure that we are not skipping the current safeBag, +- * and that there are no errors. If so, just return rather +- * than continuing to process. +- */ +- if (!safeContentsCtx || !safeContentsCtx->p12dcx || +- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { + return; + } + p12dcx = safeContentsCtx->p12dcx; + ++ /* make sure that there are no errors and we are not skipping the current safeBag */ ++ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ goto loser; ++ } ++ + rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len); + if (rv != SECSuccess) { + p12dcx->errorValue = PORT_GetError(); ++ p12dcx->error = PR_TRUE; ++ goto loser; ++ } ++ ++ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we ++ * may not get another opportunity to clean up the decoder context. ++ */ ++ if (safeContentsCtx->skipCurrentSafeBag) { + goto loser; + } + + return; + + loser: +- /* set the error, and finish the decoder context. because there ++ /* Finish the decoder context. Because there + * is not a way of returning an error message, it may be worth + * while to do a check higher up and finish any decoding contexts + * that are still open. + */ +- p12dcx->error = PR_TRUE; + SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); + safeContentsCtx->currentSafeBagA1Dcx = NULL; + return; + } + + /* notify function for decoding safeBags. This function is + * used to filter safeBag types which are not supported, + * initiate the decoding of nested safe contents, and decode +diff --git a/nss/lib/pkcs12/p12t.h b/nss/lib/pkcs12/p12t.h +--- a/nss/lib/pkcs12/p12t.h ++++ b/nss/lib/pkcs12/p12t.h +@@ -68,16 +68,17 @@ struct sec_PKCS12SafeBagStr { + /* Dependent upon the type of bag being used. */ + union { + SECKEYPrivateKeyInfo *pkcs8KeyBag; + SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag; + sec_PKCS12CertBag *certBag; + sec_PKCS12CRLBag *crlBag; + sec_PKCS12SecretBag *secretBag; + sec_PKCS12SafeContents *safeContents; ++ SECItem *unknownBag; + } safeBagContent; + + sec_PKCS12Attribute **attribs; + + /* used locally */ + SECOidData *bagTypeTag; + PLArenaPool *arena; + unsigned int nAttribs; +diff --git a/nss/lib/pkcs12/p12tmpl.c b/nss/lib/pkcs12/p12tmpl.c +--- a/nss/lib/pkcs12/p12tmpl.c ++++ b/nss/lib/pkcs12/p12tmpl.c +@@ -25,22 +25,22 @@ sec_pkcs12_choose_safe_bag_type(void *sr + if (src_or_dest == NULL) { + return NULL; + } + + safeBag = (sec_PKCS12SafeBag *)src_or_dest; + + oiddata = SECOID_FindOID(&safeBag->safeBagType); + if (oiddata == NULL) { +- return SEC_ASN1_GET(SEC_AnyTemplate); ++ return SEC_ASN1_GET(SEC_PointerToAnyTemplate); + } + + switch (oiddata->offset) { + default: +- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); ++ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate); + break; + case SEC_OID_PKCS12_V1_KEY_BAG_ID: + theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate); + break; + case SEC_OID_PKCS12_V1_CERT_BAG_ID: + theTemplate = sec_PKCS12PointerToCertBagTemplate; + break; + case SEC_OID_PKCS12_V1_CRL_BAG_ID: + diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb index f03473b1a0..af842ee67c 100644 --- a/meta-oe/recipes-support/nss/nss_3.51.1.bb +++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb @@ -39,7 +39,12 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://CVE-2020-6829_12400.patch \ file://CVE-2020-12403_1.patch \ file://CVE-2020-12403_2.patch \ + file://CVE-2020-25648.patch \ file://CVE-2021-43527.patch \ + file://CVE-2022-22747.patch \ + file://CVE-2023-0767.patch \ + file://0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch;patchdir=nss \ + file://0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch;patchdir=nss \ " SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233" @@ -290,5 +295,11 @@ RDEPENDS_${PN}-smime = "perl" BBCLASSEXTEND = "native nativesdk" +CVE_PRODUCT += "network_security_services" + # CVE-2006-5201 affects only Sun Solaris CVE_CHECK_WHITELIST += "CVE-2006-5201" + +# CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect +# the legacy db (libnssdbm), only compiled with --enable-legacy-db. +CVE_CHECK_WHITELIST += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch new file mode 100644 index 0000000000..38daa05817 --- /dev/null +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch @@ -0,0 +1,35 @@ +From 7f3cced1e140ed36c6f8f66d7f4098323b0463b2 Mon Sep 17 00:00:00 2001 +From: Katy Feng <fkaty@vmware.com> +Date: Fri, 25 Aug 2023 11:58:48 -0700 +Subject: [PATCH] Allow only X509 certs to verify the SAML token signature. + +Upstream-Status: Backport from https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16 +CVE: CVE-2023-20900 +Signed-off-by: Priyal Doshi <pdoshi@mvista.com> +--- + open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +index 2906d29..57db3b8 100644 +--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c ++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +@@ -1275,7 +1275,14 @@ VerifySignature(xmlDocPtr doc, + */ + bRet = RegisterID(xmlDocGetRootElement(doc), "ID"); + if (bRet == FALSE) { +- g_warning("failed to register ID\n"); ++ g_warning("Failed to register ID\n"); ++ goto done; ++ } ++ ++ /* Use only X509 certs to validate the signature */ ++ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), ++ BAD_CAST xmlSecKeyDataX509Id) < 0) { ++ g_warning("Failed to limit allowed key data\n"); + goto done; + } + +-- +2.7.4 + diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch new file mode 100644 index 0000000000..1c6657ae9f --- /dev/null +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch @@ -0,0 +1,39 @@ +From d16eda269413bdb04e85c242fa28db264697c45f Mon Sep 17 00:00:00 2001 +From: John Wolfe <jwolfe@vmware.com> +Date: Sun, 21 Aug 2022 07:56:49 -0700 +Subject: [PATCH] Properly check authorization on incoming guestOps requests. + +Fix public pipe request checks. Only a SessionRequest type should +be accepted on the public pipe. + +Upstream-Status: Backport from https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745 +CVE: CVE-2022-31676 +Signed-off-by: Priyal Doshi <pdoshi@mvista.com> +--- + open-vm-tools/vgauth/serviceImpl/proto.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/open-vm-tools/vgauth/serviceImpl/proto.c b/open-vm-tools/vgauth/serviceImpl/proto.c +index f097fb6..0ebaa7b 100644 +--- a/open-vm-tools/vgauth/serviceImpl/proto.c ++++ b/open-vm-tools/vgauth/serviceImpl/proto.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016,2019 VMware, Inc. All rights reserved. ++ * Copyright (C) 2011-2016,2019-2022 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -1202,6 +1202,10 @@ Proto_SecurityCheckRequest(ServiceConnection *conn, + VGAuthError err; + gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn); + ++ if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) { ++ return VGAUTH_E_PERMISSION_DENIED; ++ } ++ + switch (req->reqType) { + /* + * This comes over the public connection; alwsys let it through. +-- +2.7.4 diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb index 3cf0aa8292..e3b15e35b6 100644 --- a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb @@ -43,6 +43,8 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=maste file://0002-hgfsServerLinux-Consider-64bit-time_t-possibility.patch;patchdir=.. \ file://0001-utilBacktrace-Ignore-Warray-bounds.patch;patchdir=.. \ file://0001-hgfsmounter-Makefile.am-support-usrmerge.patch;patchdir=.. \ + file://0001-Properly-check-authorization-on-incoming-guestOps-re.patch;patchdir=.. \ + file://0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch;patchdir=.. \ " SRCREV = "d3edfd142a81096f9f58aff17d84219b457f4987" diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2021-27212.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2021-27212.patch new file mode 100644 index 0000000000..c6bac80061 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2021-27212.patch @@ -0,0 +1,31 @@ +From 9badb73425a67768c09bcaed1a9c26c684af6c30 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Sat, 6 Feb 2021 20:52:06 +0000 +Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck + + +Signed-off-by: Howard Chu <hyc@openldap.org> + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30] +CVE: CVE-2021-27212 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + servers/slapd/schema_init.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 31be115..8b1e255 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -3900,6 +3900,8 @@ issuerAndThisUpdateCheck( + break; + } + } ++ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX; ++ + x.bv_val += tu->bv_len + 1; + x.bv_len -= tu->bv_len + 1; + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch new file mode 100644 index 0000000000..2860b95220 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch @@ -0,0 +1,277 @@ +From 11e136f15085a4bda5701e910988966bed699977 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 18 May 2022 13:57:59 +0530 +Subject: [PATCH] CVE-2022-29155 + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134] +CVE: CVE-2022-29155 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +--- + servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++----- + 1 file changed, 105 insertions(+), 18 deletions(-) + +diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c +index bb0f1e2..1770bde 100644 +--- a/servers/slapd/back-sql/search.c ++++ b/servers/slapd/back-sql/search.c +@@ -63,6 +63,38 @@ static void send_paged_response( + ID *lastid ); + #endif /* ! BACKSQL_ARBITRARY_KEY */ + ++/* Look for chars that need to be escaped, return count of them. ++ * If out is non-NULL, copy escape'd val to it. ++ */ ++static int ++backsql_val_escape( Operation *op, struct berval *in, struct berval *out ) ++{ ++ char *ptr, *end; ++ int q = 0; ++ ++ ptr = in->bv_val; ++ end = ptr + in->bv_len; ++ while (ptr < end) { ++ if ( *ptr == '\'' ) ++ q++; ++ ptr++; ++ } ++ if ( q && out ) { ++ char *dst; ++ out->bv_len = in->bv_len + q; ++ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx ); ++ ptr = in->bv_val; ++ dst = out->bv_val; ++ while (ptr < end ) { ++ if ( *ptr == '\'' ) ++ *dst++ = '\''; ++ *dst++ = *ptr++; ++ } ++ *dst = '\0'; ++ } ++ return q; ++} ++ + static int + backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad ) + { +@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private; + int i; + int casefold = 0; ++ int escaped = 0; ++ struct berval escval, *fvalue; + + if ( !f ) { + return 0; +@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + + BER_BVZERO( &bv ); + if ( f->f_sub_initial.bv_val ) { +- bv.bv_len += f->f_sub_initial.bv_len; ++ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL ); + } + if ( f->f_sub_any != NULL ) { + for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) { +- bv.bv_len += f->f_sub_any[ a ].bv_len; ++ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL ); + } + } + if ( f->f_sub_final.bv_val ) { +- bv.bv_len += f->f_sub_final.bv_len; ++ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL ); + } + bv.bv_len = 2 * bv.bv_len - 1; + bv.bv_val = ch_malloc( bv.bv_len + 1 ); + + s = 0; + if ( !BER_BVISNULL( &f->f_sub_initial ) ) { +- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) { ++ fvalue = &f->f_sub_initial; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } + bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + + if ( f->f_sub_any != NULL ) { + for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) { +- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) { ++ fvalue = &f->f_sub_any[ a ]; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } + bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + } + + if ( !BER_BVISNULL( &f->f_sub_final ) ) { +- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) { ++ fvalue = &f->f_sub_final; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } +- bv.bv_val[ s + 2 * i - 1 ] = '%'; ++ bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + + bv.bv_val[ s - 1 ] = '\0'; +@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + f->f_sub_initial.bv_val, 0 ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_initial; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "b", +- &f->f_sub_initial ); ++ fvalue ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); + } +@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + i, f->f_sub_any[ i ].bv_val ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_any[ i ]; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "bc", +- &f->f_sub_any[ i ], ++ fvalue, + '%' ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + /* + * Note: toupper('%') = '%' +@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + f->f_sub_final.bv_val, 0 ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_final; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "b", +- &f->f_sub_final ); ++ fvalue ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); + } +@@ -1183,6 +1253,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r + struct berval *filter_value = NULL; + MatchingRule *matching_rule = NULL; + struct berval ordering = BER_BVC("<="); ++ struct berval escval; ++ int escaped = 0; + + Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n", + at->bam_ad->ad_cname.bv_val, 0, 0 ); +@@ -1237,6 +1309,10 @@ equality_match:; + casefold = 1; + } + ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; ++ + /* FIXME: directoryString filtering should use a similar + * approach to deal with non-prettified values like + * " A non prettified value ", by using a LIKE +@@ -1317,6 +1393,10 @@ equality_match:; + casefold = 1; + } + ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; ++ + /* + * FIXME: should we uppercase the operands? + */ +@@ -1350,7 +1430,7 @@ equality_match:; + &at->bam_sel_expr, + &ordering, + '\'', +- &f->f_av_value, ++ filter_value, + (ber_len_t)STRLENOF( /* (' */ "')" ), + /* ( */ "')" ); + } +@@ -1374,13 +1454,17 @@ equality_match:; + case LDAP_FILTER_APPROX: + /* we do our best */ + ++ filter_value = &f->f_av_value; ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; + /* + * maybe we should check type of at->sel_expr here somehow, + * to know whether upper_func is applicable, but for now + * upper_func stuff is made for Oracle, where UPPER is + * safely applicable to NUMBER etc. + */ +- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value ); ++ (void)backsql_process_filter_like( bsi, at, 1, filter_value ); + break; + + default: +@@ -1394,6 +1478,9 @@ equality_match:; + + } + ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); ++ + Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n", + at->bam_ad->ad_cname.bv_val, 0, 0 ); + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch new file mode 100644 index 0000000000..f4b4eb95d5 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch @@ -0,0 +1,30 @@ +From 752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Wed, 24 Aug 2022 14:40:51 +0100 +Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure + +Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce] +CVE: CVE-2023-2953 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libraries/libldap/fetch.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c +index 9e426dc647..536871bcfe 100644 +--- a/libraries/libldap/fetch.c ++++ b/libraries/libldap/fetch.c +@@ -69,6 +69,8 @@ ldif_open_url( + } + + p = ber_strdup( urlstr ); ++ if ( p == NULL ) ++ return NULL; + + /* But we should convert to LDAP_DIRSEP before use */ + if ( LDAP_DIRSEP[0] != '/' ) { +-- +GitLab + diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch new file mode 100644 index 0000000000..02c43bc445 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch @@ -0,0 +1,76 @@ +From 6563fab9e2feccb0a684d0398e78571d09fb808b Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Thu, 25 Aug 2022 16:13:21 +0100 +Subject: [PATCH] ITS#9904 ldap_url_parsehosts: check for strdup failure + +Avoid unnecessary strdup in IPv6 addr parsing, check for strdup +failure when dup'ing scheme. + +Code present since 2000, 8da110a9e726dbc612b302feafe0109271e6bc59 + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b] +CVE: CVE-2023-2953 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libraries/libldap/url.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/libraries/libldap/url.c b/libraries/libldap/url.c +index dcf2aac9e8..493fd7ce47 100644 +--- a/libraries/libldap/url.c ++++ b/libraries/libldap/url.c +@@ -1385,24 +1385,22 @@ ldap_url_parsehosts( + } + ludp->lud_port = port; + ludp->lud_host = specs[i]; +- specs[i] = NULL; + p = strchr(ludp->lud_host, ':'); + if (p != NULL) { + /* more than one :, IPv6 address */ + if ( strchr(p+1, ':') != NULL ) { + /* allow [address] and [address]:port */ + if ( *ludp->lud_host == '[' ) { +- p = LDAP_STRDUP(ludp->lud_host+1); +- /* copied, make sure we free source later */ +- specs[i] = ludp->lud_host; +- ludp->lud_host = p; +- p = strchr( ludp->lud_host, ']' ); ++ p = strchr( ludp->lud_host+1, ']' ); + if ( p == NULL ) { + LDAP_FREE(ludp); + ldap_charray_free(specs); + return LDAP_PARAM_ERROR; + } +- *p++ = '\0'; ++ /* Truncate trailing ']' and shift hostname down 1 char */ ++ *p = '\0'; ++ AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host ); ++ p++; + if ( *p != ':' ) { + if ( *p != '\0' ) { + LDAP_FREE(ludp); +@@ -1428,14 +1426,19 @@ ldap_url_parsehosts( + } + } + } +- ldap_pvt_hex_unescape(ludp->lud_host); + ludp->lud_scheme = LDAP_STRDUP("ldap"); ++ if ( ludp->lud_scheme == NULL ) { ++ LDAP_FREE(ludp); ++ ldap_charray_free(specs); ++ return LDAP_NO_MEMORY; ++ } ++ specs[i] = NULL; ++ ldap_pvt_hex_unescape(ludp->lud_host); + ludp->lud_next = *ludlist; + *ludlist = ludp; + } + + /* this should be an array of NULLs now */ +- /* except entries starting with [ */ + ldap_charray_free(specs); + return LDAP_SUCCESS; + } +-- +GitLab + diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb index a282523a3c..7c2ea7c452 100644 --- a/meta-oe/recipes-support/openldap/openldap_2.4.57.bb +++ b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb @@ -23,8 +23,11 @@ SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$ file://thread_stub.patch \ file://openldap-CVE-2015-3276.patch \ file://remove-user-host-pwd-from-version.patch \ + file://CVE-2022-29155.patch \ + file://CVE-2023-2953-1.patch \ + file://CVE-2023-2953-2.patch \ + file://CVE-2021-27212.patch \ " - SRC_URI[md5sum] = "e3349456c3a66e5e6155be7ddc3f042c" SRC_URI[sha256sum] = "c7ba47e1e6ecb5b436f3d43281df57abeffa99262141aec822628bc220f6b45a" diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch new file mode 100644 index 0000000000..74e547298f --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch @@ -0,0 +1,55 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7 +From: Frank Morgner <frankmorgner@gmail.com> +Date: Wed, 21 Jun 2023 12:27:23 +0200 +Subject: Fixed PIN authentication bypass + +If two processes are accessing a token, then one process may leave the +card usable with an authenticated PIN so that a key may sign/decrypt any +data. This is especially the case if the token does not support a way of +resetting the authentication status (logout). + +We have some tracking of the authentication status in software via +PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a +PIN-prompt will appear even though the card may technically be unlocked +as described in the above example. However, before this change, an empty +PIN was not verified (likely yielding an error during PIN-verification), +but it was just checked whether the PIN is authenticated. This defeats +the purpose of the PIN verification, because an empty PIN is not the +correct one. Especially during OS Logon, we don't want that kind of +shortcut, but we want the user to verify the correct PIN (even though +the token was left unattended and authentication at the computer). + +This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864. + +CVE: CVE-2023-40660 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/940e8bc764047c873f88bb1396933a5368d03533] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +--- + src/libopensc/pkcs15-pin.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c +index 80a185fecd..393234efe4 100644 +--- a/src/libopensc/pkcs15-pin.c ++++ b/src/libopensc/pkcs15-pin.c +@@ -307,19 +307,6 @@ + LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE); + auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; + +- /* +- * if pin cache is disabled, we can get here with no PIN data. +- * in this case, to avoid error or unnecessary pin prompting on pinpad, +- * check if the PIN has been already verified and the access condition +- * is still open on card. +- */ +- if (pinlen == 0) { +- r = sc_pkcs15_get_pin_info(p15card, pin_obj); +- +- if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN) +- LOG_FUNC_RETURN(ctx, r); +- } +- + r = _validate_pin(p15card, auth_info, pinlen); + + if (r) + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch new file mode 100644 index 0000000000..3ecff558cf --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch @@ -0,0 +1,47 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/245efe608d083fd4e4ec96793fdefd218e26fde7 +From: Jakub Jelen <jjelen@redhat.com> +Date: Thu, 17 Aug 2023 13:54:42 +0200 +Subject: pkcs15: Avoid buffer overflow when getting last update + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769 + +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. + +--- + src/libopensc/pkcs15.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c +index eb7fc6afcd..4215b733a8 100644 +--- a/src/libopensc/pkcs15.c ++++ b/src/libopensc/pkcs15.c +@@ -528,7 +528,7 @@ + struct sc_context *ctx = p15card->card->ctx; + struct sc_file *file = NULL; + struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE]; +- unsigned char *content, last_update[32]; ++ unsigned char *content, last_update[32] = {0}; + size_t lupdate_len = sizeof(last_update) - 1; + int r, content_len; + size_t size; +@@ -564,9 +564,11 @@ + if (r < 0) + return NULL; + +- p15card->tokeninfo->last_update.gtime = strdup((char *)last_update); +- if (!p15card->tokeninfo->last_update.gtime) +- return NULL; ++ if (asn1_last_update[0].flags & SC_ASN1_PRESENT) { ++ p15card->tokeninfo->last_update.gtime = strdup((char *)last_update); ++ if (!p15card->tokeninfo->last_update.gtime) ++ return NULL; ++ } + done: + sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime); + return p15card->tokeninfo->last_update.gtime; + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch new file mode 100644 index 0000000000..39e729c5a9 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch @@ -0,0 +1,32 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/440ca666eff10cc7011901252d20f3fc4ea23651 +From: Jakub Jelen <jjelen@redhat.com> +Date: Thu, 17 Aug 2023 13:41:36 +0200 +Subject: setcos: Avoid buffer underflow + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-setcos.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c +index 1b56afe6d9..1907b47f9d 100644 +--- a/src/pkcs15init/pkcs15-setcos.c ++++ b/src/pkcs15init/pkcs15-setcos.c +@@ -346,6 +346,10 @@ + + /* Replace the path of instantiated key template by the path from the object data. */ + memcpy(&file->path, &key_info->path, sizeof(file->path)); ++ if (file->path.len < 2) { ++ sc_file_free(file); ++ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid path"); ++ } + file->id = file->path.value[file->path.len - 2] * 0x100 + + file->path.value[file->path.len - 1]; + + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch new file mode 100644 index 0000000000..7950cf91df --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch @@ -0,0 +1,31 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/41d61da8481582e12710b5858f8b635e0a71ab5e +From: Jakub Jelen <jjelen@redhat.com> +Date: Wed, 20 Sep 2023 10:13:57 +0200 +Subject: oberthur: Avoid buffer overflow + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-oberthur.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c +index ad2cabd530..c441ab1e76 100644 +--- a/src/pkcs15init/pkcs15-oberthur.c ++++ b/src/pkcs15init/pkcs15-oberthur.c +@@ -688,6 +688,9 @@ + if (object->type != SC_PKCS15_TYPE_PRKEY_RSA) + LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Create key failed: RSA only supported"); + ++ if (key_info->path.len < 2) ++ LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least to bytes long"); ++ + sc_log(ctx, "create private key ID:%s", sc_pkcs15_print_id(&key_info->id)); + /* Here, the path of private key file should be defined. + * Nevertheless, we need to instantiate private key to get the ACLs. */ + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch new file mode 100644 index 0000000000..797f8ad3b1 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch @@ -0,0 +1,28 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/578aed8391ef117ca64a9e0cba8e5c264368a0ec +From: Frank Morgner <frankmorgner@gmail.com> +Date: Thu, 8 Dec 2022 00:27:18 +0100 +Subject: sc_pkcs15init_rmdir: prevent out of bounds write + +fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c +index 91cee37310..3df03c6e1f 100644 +--- a/src/pkcs15init/pkcs15-lib.c ++++ b/src/pkcs15init/pkcs15-lib.c +@@ -666,6 +666,8 @@ + + path = df->path; + path.len += 2; ++ if (path.len > SC_MAX_PATH_SIZE) ++ return SC_ERROR_INTERNAL; + + nfids = r / 2; + while (r >= 0 && nfids--) { + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch new file mode 100644 index 0000000000..e173e65575 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch @@ -0,0 +1,30 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/c449a181a6988cc1e8dc8764d23574e48cdc3fa6 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com> +Date: Mon, 19 Jun 2023 16:14:51 +0200 +Subject: pkcs15-cflex: check path length to prevent underflow + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-cflex.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-cflex.c b/src/pkcs15init/pkcs15-cflex.c +index d06568073d..ce1d48e62c 100644 +--- a/src/pkcs15init/pkcs15-cflex.c ++++ b/src/pkcs15init/pkcs15-cflex.c +@@ -56,6 +56,9 @@ + int r = 0; + /* Select the parent DF */ + path = df->path; ++ if (path.len < 2) { ++ return SC_ERROR_INVALID_ARGUMENTS; ++ } + path.len -= 2; + r = sc_select_file(p15card->card, &path, &parent); + if (r < 0) + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch new file mode 100644 index 0000000000..abb524de29 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch @@ -0,0 +1,30 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1 +From: Veronika Hanulikova <xhanulik@fi.muni.cz> +Date: Fri, 10 Feb 2023 11:47:34 +0100 +Subject: Check array bounds + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/libopensc/muscle.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c +index 61a4ec24d8..9d01e0c113 100644 +--- a/src/libopensc/muscle.c ++++ b/src/libopensc/muscle.c +@@ -183,6 +183,9 @@ + sc_apdu_t apdu; + int r; + ++ if (dataLength + 9 > MSC_MAX_APDU) ++ return SC_ERROR_INVALID_ARGUMENTS; ++ + sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x54, 0x00, 0x00); + apdu.lc = dataLength + 9; + if (card->ctx->debug >= 2) + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch new file mode 100644 index 0000000000..858a996ed7 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch @@ -0,0 +1,40 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/5631e9843c832a99769def85b7b9b68b4e3e3959 +From: Veronika Hanulikova <xhanulik@fi.muni.cz> +Date: Fri, 3 Mar 2023 16:07:38 +0100 +Subject: Check length of string before making copy + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/profile.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c +index 2b793b0282..3bad1e8536 100644 +--- a/src/pkcs15init/profile.c ++++ b/src/pkcs15init/profile.c +@@ -1465,6 +1465,8 @@ + while (argc--) { + unsigned int op, method, id; + ++ if (strlen(*argv) >= sizeof(oper)) ++ goto bad; + strlcpy(oper, *argv++, sizeof(oper)); + if ((what = strchr(oper, '=')) == NULL) + goto bad; +@@ -2128,6 +2130,9 @@ + return get_uint(cur, value, type); + } + ++ if (strlen(value) >= sizeof(temp)) ++ return 1; ++ + n = strcspn(value, "0123456789x"); + strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp)); + + diff --git a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb index b8cf203b7f..3eb0c1e558 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb @@ -14,6 +14,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" #v0.19.0 SRCREV = "45e29056ccde422e70ed3585084a7f150c632515" SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ + file://CVE-2023-40660.patch \ + file://CVE-2023-40661-1.patch \ + file://CVE-2023-40661-2.patch \ + file://CVE-2023-40661-3.patch \ + file://CVE-2023-40661-4.patch \ + file://CVE-2023-40661-5.patch \ + file://CVE-2023-40661-6.patch \ + file://CVE-2023-40661-7.patch \ " DEPENDS = "virtual/libiconv openssl" diff --git a/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch b/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch new file mode 100644 index 0000000000..4a09c8c7fa --- /dev/null +++ b/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch @@ -0,0 +1,629 @@ +From 73b5c300b8fde5e7a4824baa83a04931279abb37 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?L=C3=A1szl=C3=B3=20V=C3=A1rady?= + <laszlo.varady@protonmail.com> +Date: Sat, 20 Aug 2022 12:42:38 +0200 +Subject: [PATCH] CVE-2022-38725 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: László Várady <laszlo.varady@protonmail.com> +Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> + +Upstream-Status: Backport from [https://github.com/syslog-ng/syslog-ng/commit/b5a060f2ebb8d794f508436a12e4d4163f94b1b8 && https://github.com/syslog-ng/syslog-ng/commit/81a07263f1e522a376d3a30f96f51df3f2879f8a && https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d && https://github.com/syslog-ng/syslog-ng/commit/73b5c300b8fde5e7a4824baa83a04931279abb37 && https://github.com/syslog-ng/syslog-ng/commit/45f051239312e43bd4f92b9339fe67c6798a0321 && https://github.com/syslog-ng/syslog-ng/commit/09f489c89c826293ff8cbd282cfc866ab56054c4 && https://github.com/syslog-ng/syslog-ng/commit/8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 && https://github.com/syslog-ng/syslog-ng/commit/56f881c5eaa3d8c02c96607c4b9e4eaf959a044d] +CVE: CVE-2022-38725 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/timeutils/scan-timestamp.c | 68 +++++---- + lib/timeutils/tests/test_scan-timestamp.c | 133 ++++++++++++++++-- + modules/syslogformat/CMakeLists.txt | 2 + + modules/syslogformat/Makefile.am | 2 + + modules/syslogformat/syslog-format.c | 12 +- + modules/syslogformat/tests/CMakeLists.txt | 1 + + modules/syslogformat/tests/Makefile.am | 9 ++ + .../syslogformat/tests/test_syslog_format.c | 104 ++++++++++++++ + 8 files changed, 284 insertions(+), 47 deletions(-) + create mode 100644 modules/syslogformat/tests/CMakeLists.txt + create mode 100644 modules/syslogformat/tests/Makefile.am + create mode 100644 modules/syslogformat/tests/test_syslog_format.c + +diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c +index 41ead1a..ec9746b 100644 +--- a/lib/timeutils/scan-timestamp.c ++++ b/lib/timeutils/scan-timestamp.c +@@ -34,41 +34,43 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday) + { + *wday = -1; + +- if (*left < 3) ++ const gsize abbrev_length = 3; ++ ++ if (*left < abbrev_length) + return FALSE; + + switch (**buf) + { + case 'S': +- if (strncasecmp(*buf, "Sun", 3) == 0) ++ if (strncasecmp(*buf, "Sun", abbrev_length) == 0) + *wday = 0; +- else if (strncasecmp(*buf, "Sat", 3) == 0) ++ else if (strncasecmp(*buf, "Sat", abbrev_length) == 0) + *wday = 6; + break; + case 'M': +- if (strncasecmp(*buf, "Mon", 3) == 0) ++ if (strncasecmp(*buf, "Mon", abbrev_length) == 0) + *wday = 1; + break; + case 'T': +- if (strncasecmp(*buf, "Tue", 3) == 0) ++ if (strncasecmp(*buf, "Tue", abbrev_length) == 0) + *wday = 2; +- else if (strncasecmp(*buf, "Thu", 3) == 0) ++ else if (strncasecmp(*buf, "Thu", abbrev_length) == 0) + *wday = 4; + break; + case 'W': +- if (strncasecmp(*buf, "Wed", 3) == 0) ++ if (strncasecmp(*buf, "Wed", abbrev_length) == 0) + *wday = 3; + break; + case 'F': +- if (strncasecmp(*buf, "Fri", 3) == 0) ++ if (strncasecmp(*buf, "Fri", abbrev_length) == 0) + *wday = 5; + break; + default: + return FALSE; + } + +- (*buf) += 3; +- (*left) -= 3; ++ (*buf) += abbrev_length; ++ (*left) -= abbrev_length; + return TRUE; + } + +@@ -77,57 +79,59 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon) + { + *mon = -1; + +- if (*left < 3) ++ const gsize abbrev_length = 3; ++ ++ if (*left < abbrev_length) + return FALSE; + + switch (**buf) + { + case 'J': +- if (strncasecmp(*buf, "Jan", 3) == 0) ++ if (strncasecmp(*buf, "Jan", abbrev_length) == 0) + *mon = 0; +- else if (strncasecmp(*buf, "Jun", 3) == 0) ++ else if (strncasecmp(*buf, "Jun", abbrev_length) == 0) + *mon = 5; +- else if (strncasecmp(*buf, "Jul", 3) == 0) ++ else if (strncasecmp(*buf, "Jul", abbrev_length) == 0) + *mon = 6; + break; + case 'F': +- if (strncasecmp(*buf, "Feb", 3) == 0) ++ if (strncasecmp(*buf, "Feb", abbrev_length) == 0) + *mon = 1; + break; + case 'M': +- if (strncasecmp(*buf, "Mar", 3) == 0) ++ if (strncasecmp(*buf, "Mar", abbrev_length) == 0) + *mon = 2; +- else if (strncasecmp(*buf, "May", 3) == 0) ++ else if (strncasecmp(*buf, "May", abbrev_length) == 0) + *mon = 4; + break; + case 'A': +- if (strncasecmp(*buf, "Apr", 3) == 0) ++ if (strncasecmp(*buf, "Apr", abbrev_length) == 0) + *mon = 3; +- else if (strncasecmp(*buf, "Aug", 3) == 0) ++ else if (strncasecmp(*buf, "Aug", abbrev_length) == 0) + *mon = 7; + break; + case 'S': +- if (strncasecmp(*buf, "Sep", 3) == 0) ++ if (strncasecmp(*buf, "Sep", abbrev_length) == 0) + *mon = 8; + break; + case 'O': +- if (strncasecmp(*buf, "Oct", 3) == 0) ++ if (strncasecmp(*buf, "Oct", abbrev_length) == 0) + *mon = 9; + break; + case 'N': +- if (strncasecmp(*buf, "Nov", 3) == 0) ++ if (strncasecmp(*buf, "Nov", abbrev_length) == 0) + *mon = 10; + break; + case 'D': +- if (strncasecmp(*buf, "Dec", 3) == 0) ++ if (strncasecmp(*buf, "Dec", abbrev_length) == 0) + *mon = 11; + break; + default: + return FALSE; + } + +- (*buf) += 3; +- (*left) -= 3; ++ (*buf) += abbrev_length; ++ (*left) -= abbrev_length; + return TRUE; + } + +@@ -302,7 +306,7 @@ __parse_usec(const guchar **data, gint *length) + src++; + (*length)--; + } +- while (isdigit(*src)) ++ while (*length > 0 && isdigit(*src)) + { + src++; + (*length)--; +@@ -316,19 +320,21 @@ __parse_usec(const guchar **data, gint *length) + static gboolean + __has_iso_timezone(const guchar *src, gint length) + { +- return (length >= 5) && ++ return (length >= 6) && + (*src == '+' || *src == '-') && + isdigit(*(src+1)) && + isdigit(*(src+2)) && + *(src+3) == ':' && + isdigit(*(src+4)) && + isdigit(*(src+5)) && +- !isdigit(*(src+6)); ++ (length < 7 || !isdigit(*(src+6))); + } + + static guint32 + __parse_iso_timezone(const guchar **data, gint *length) + { ++ g_assert(*length >= 6); ++ + gint hours, mins; + const guchar *src = *data; + guint32 tz = 0; +@@ -338,8 +344,10 @@ __parse_iso_timezone(const guchar **data, gint *length) + hours = (*(src + 1) - '0') * 10 + *(src + 2) - '0'; + mins = (*(src + 4) - '0') * 10 + *(src + 5) - '0'; + tz = sign * (hours * 3600 + mins * 60); ++ + src += 6; + (*length) -= 6; ++ + *data = src; + return tz; + } +@@ -393,7 +401,7 @@ __parse_bsd_timestamp(const guchar **data, gint *length, WallClockTime *wct) + if (!scan_pix_timestamp((const gchar **) &src, &left, wct)) + return FALSE; + +- if (*src == ':') ++ if (left && *src == ':') + { + src++; + left--; +@@ -444,7 +452,7 @@ scan_rfc3164_timestamp(const guchar **data, gint *length, WallClockTime *wct) + * looking at you, skip that as well, so we can reliably detect IPv6 + * addresses as hostnames, which would be using ":" as well. */ + +- if (*src == ':') ++ if (left && *src == ':') + { + ++src; + --left; +diff --git a/lib/timeutils/tests/test_scan-timestamp.c b/lib/timeutils/tests/test_scan-timestamp.c +index 4508139..ad657c6 100644 +--- a/lib/timeutils/tests/test_scan-timestamp.c ++++ b/lib/timeutils/tests/test_scan-timestamp.c +@@ -49,17 +49,21 @@ fake_time_add(time_t diff) + } + + static gboolean +-_parse_rfc3164(const gchar *ts, gchar isotimestamp[32]) ++_parse_rfc3164(const gchar *ts, gint len, gchar isotimestamp[32]) + { + UnixTime stamp; +- const guchar *data = (const guchar *) ts; +- gint length = strlen(ts); ++ const guchar *tsu = (const guchar *) ts; ++ gint tsu_len = len < 0 ? strlen(ts) : len; + GString *result = g_string_new(""); + WallClockTime wct = WALL_CLOCK_TIME_INIT; + +- ++ const guchar *data = tsu; ++ gint length = tsu_len; + gboolean success = scan_rfc3164_timestamp(&data, &length, &wct); + ++ cr_assert(length >= 0); ++ cr_assert(data == &tsu[tsu_len - length]); ++ + unix_time_unset(&stamp); + convert_wall_clock_time_to_unix_time(&wct, &stamp); + +@@ -70,16 +74,21 @@ _parse_rfc3164(const gchar *ts, gchar isotimestamp[32]) + } + + static gboolean +-_parse_rfc5424(const gchar *ts, gchar isotimestamp[32]) ++_parse_rfc5424(const gchar *ts, gint len, gchar isotimestamp[32]) + { + UnixTime stamp; +- const guchar *data = (const guchar *) ts; +- gint length = strlen(ts); ++ const guchar *tsu = (const guchar *) ts; ++ gint tsu_len = len < 0 ? strlen(ts) : len; + GString *result = g_string_new(""); + WallClockTime wct = WALL_CLOCK_TIME_INIT; + ++ const guchar *data = tsu; ++ gint length = tsu_len; + gboolean success = scan_rfc5424_timestamp(&data, &length, &wct); + ++ cr_assert(length >= 0); ++ cr_assert(data == &tsu[tsu_len - length]); ++ + unix_time_unset(&stamp); + convert_wall_clock_time_to_unix_time(&wct, &stamp); + +@@ -90,31 +99,60 @@ _parse_rfc5424(const gchar *ts, gchar isotimestamp[32]) + } + + static gboolean +-_rfc3164_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32]) ++_rfc3164_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32]) + { +- cr_assert(_parse_rfc3164(ts, converted)); ++ cr_assert(_parse_rfc3164(ts, len, converted)); + return strcmp(converted, expected) == 0; + } + + static gboolean +-_rfc5424_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32]) ++_rfc5424_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32]) + { +- cr_assert(_parse_rfc5424(ts, converted)); ++ cr_assert(_parse_rfc5424(ts, len, converted)); + return strcmp(converted, expected) == 0; + } + + #define _expect_rfc3164_timestamp_eq(ts, expected) \ + ({ \ + gchar converted[32]; \ +- cr_expect(_rfc3164_timestamp_eq(ts, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ cr_expect(_rfc3164_timestamp_eq(ts, -1, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc3164_timestamp_len_eq(ts, len, expected) \ ++ ({ \ ++ gchar converted[32]; \ ++ cr_expect(_rfc3164_timestamp_eq(ts, len, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc3164_fails(ts, len) \ ++ ({ \ ++ WallClockTime wct = WALL_CLOCK_TIME_INIT; \ ++ const guchar *data = (guchar *) ts; \ ++ gint length = len < 0 ? strlen(ts) : len; \ ++ cr_assert_not(scan_rfc3164_timestamp(&data, &length, &wct)); \ + }) + + #define _expect_rfc5424_timestamp_eq(ts, expected) \ + ({ \ + gchar converted[32]; \ +- cr_expect(_rfc5424_timestamp_eq(ts, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ cr_expect(_rfc5424_timestamp_eq(ts, -1, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc5424_timestamp_len_eq(ts, len, expected) \ ++ ({ \ ++ gchar converted[32]; \ ++ cr_expect(_rfc5424_timestamp_eq(ts, len, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ + }) + ++#define _expect_rfc5424_fails(ts, len) \ ++ ({ \ ++ WallClockTime wct = WALL_CLOCK_TIME_INIT; \ ++ const guchar *data = (guchar *) ts; \ ++ gint length = len < 0 ? strlen(ts) : len; \ ++ cr_assert_not(scan_rfc5424_timestamp(&data, &length, &wct)); \ ++ }) ++ ++ + Test(parse_timestamp, standard_bsd_format) + { + _expect_rfc3164_timestamp_eq("Oct 1 17:46:12", "2017-10-01T17:46:12.000+02:00"); +@@ -148,6 +186,75 @@ Test(parse_timestamp, standard_bsd_format_year_in_the_past) + _expect_rfc3164_timestamp_eq("Dec 31 17:46:12", "2017-12-31T17:46:12.000+01:00"); + } + ++Test(parse_timestamp, non_zero_terminated_rfc3164_iso_input_is_handled_properly) ++{ ++ gchar *ts = "2022-08-17T05:02:28.417Z whatever"; ++ gint ts_len = 24; ++ ++ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00"); ++ ++ /* no "Z" parsed, timezone defaults to local, forced CET */ ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00"); ++ ++ /* msec is partially parsed as we trim the string from the right */ ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00"); ++ ++ for (gint i = 6; i < ts_len; i++) ++ _expect_rfc3164_fails(ts, ts_len - i); ++ ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc3164_bsd_pix_or_asa_input_is_handled_properly) ++{ ++ gchar *ts = "Aug 17 2022 05:02:28: whatever"; ++ gint ts_len = 21; ++ ++ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.000+02:00"); ++ ++ /* no ":" at the end, that's a problem, unrecognized */ ++ _expect_rfc3164_fails(ts, ts_len - 1); ++ ++ for (gint i = 1; i < ts_len; i++) ++ _expect_rfc3164_fails(ts, ts_len - i); ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc5424_input_is_handled_properly) ++{ ++ gchar *ts = "2022-08-17T05:02:28.417Z whatever"; ++ gint ts_len = 24; ++ ++ _expect_rfc5424_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00"); ++ ++ /* no "Z" parsed, timezone defaults to local, forced CET */ ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00"); ++ ++ /* msec is partially parsed as we trim the string from the right */ ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00"); ++ ++ for (gint i = 6; i < ts_len; i++) ++ _expect_rfc5424_fails(ts, ts_len - i); ++ ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc5424_timestamp_only) ++{ ++ const gchar *ts = "2022-08-17T05:02:28.417+03:00"; ++ gint ts_len = strlen(ts); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, ts); ++} ++ + + Test(parse_timestamp, daylight_saving_behavior_at_spring_with_explicit_timezones) + { +diff --git a/modules/syslogformat/CMakeLists.txt b/modules/syslogformat/CMakeLists.txt +index fb55ea4..a2a92bb 100644 +--- a/modules/syslogformat/CMakeLists.txt ++++ b/modules/syslogformat/CMakeLists.txt +@@ -24,4 +24,6 @@ target_include_directories(syslogformat + ) + target_link_libraries(syslogformat PRIVATE syslog-ng) + ++add_test_subdirectory(tests) ++ + install(TARGETS syslogformat LIBRARY DESTINATION lib/syslog-ng/) +diff --git a/modules/syslogformat/Makefile.am b/modules/syslogformat/Makefile.am +index f13f88c..14cdf58 100644 +--- a/modules/syslogformat/Makefile.am ++++ b/modules/syslogformat/Makefile.am +@@ -31,3 +31,5 @@ modules_syslogformat_libsyslogformat_la_DEPENDENCIES = \ + modules/syslogformat modules/syslogformat/ mod-syslogformat: \ + modules/syslogformat/libsyslogformat.la + .PHONY: modules/syslogformat/ mod-syslogformat ++ ++include modules/syslogformat/tests/Makefile.am +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index 6d53a32..a69f39f 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -200,7 +200,7 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len + + /* if the next char is not space, then we may try to read a date */ + +- if (*src != ' ') ++ if (!left || *src != ' ') + return; + + log_msg_set_value(self, handles.cisco_seqid, (gchar *) *data, *length - left - 1); +@@ -216,6 +216,9 @@ log_msg_parse_cisco_timestamp_attributes(LogMessage *self, const guchar **data, + const guchar *src = *data; + gint left = *length; + ++ if (!left) ++ return; ++ + /* Cisco timestamp extensions, the first '*' indicates that the clock is + * unsynced, '.' if it is known to be synced */ + if (G_UNLIKELY(src[0] == '*')) +@@ -564,7 +567,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + open_sd++; + do + { +- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') ++ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') + goto error; + /* read sd_id */ + pos = 0; +@@ -598,7 +601,8 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + strcpy(sd_value_name, logmsg_sd_prefix); + /* this strcat is safe, as sd_id_name is at most 32 chars */ + strncpy(sd_value_name + logmsg_sd_prefix_len, sd_id_name, sizeof(sd_value_name) - logmsg_sd_prefix_len); +- if (*src == ']') ++ ++ if (left && *src == ']') + { + log_msg_set_value_by_name(self, sd_value_name, "", 0); + } +@@ -615,7 +619,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + else + goto error; + +- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') ++ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') + goto error; + + /* read sd-param */ +diff --git a/modules/syslogformat/tests/CMakeLists.txt b/modules/syslogformat/tests/CMakeLists.txt +new file mode 100644 +index 0000000..2e45b71 +--- /dev/null ++++ b/modules/syslogformat/tests/CMakeLists.txt +@@ -0,0 +1 @@ ++add_unit_test(CRITERION TARGET test_syslog_format DEPENDS syslogformat) +diff --git a/modules/syslogformat/tests/Makefile.am b/modules/syslogformat/tests/Makefile.am +new file mode 100644 +index 0000000..7ee66a5 +--- /dev/null ++++ b/modules/syslogformat/tests/Makefile.am +@@ -0,0 +1,9 @@ ++modules_syslogformat_tests_TESTS = \ ++ modules/syslogformat/tests/test_syslog_format ++ ++check_PROGRAMS += ${modules_syslogformat_tests_TESTS} ++ ++EXTRA_DIST += modules/syslogformat/tests/CMakeLists.txt ++ ++modules_syslogformat_tests_test_syslog_format_CFLAGS = $(TEST_CFLAGS) -I$(top_srcdir)/modules/syslogformat ++modules_syslogformat_tests_test_syslog_format_LDADD = $(TEST_LDADD) $(PREOPEN_SYSLOGFORMAT) +diff --git a/modules/syslogformat/tests/test_syslog_format.c b/modules/syslogformat/tests/test_syslog_format.c +new file mode 100644 +index 0000000..d0f5b40 +--- /dev/null ++++ b/modules/syslogformat/tests/test_syslog_format.c +@@ -0,0 +1,104 @@ ++/* ++ * Copyright (c) 2022 One Identity ++ * Copyright (c) 2022 László Várady ++ * ++ * This program is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 as published ++ * by the Free Software Foundation, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ * As an additional exemption you are allowed to compile & link against the ++ * OpenSSL libraries as published by the OpenSSL project. See the file ++ * COPYING for details. ++ * ++ */ ++ ++#include <criterion/criterion.h> ++ ++#include "apphook.h" ++#include "cfg.h" ++#include "syslog-format.h" ++#include "logmsg/logmsg.h" ++#include "msg-format.h" ++#include "scratch-buffers.h" ++ ++#include <string.h> ++ ++GlobalConfig *cfg; ++MsgFormatOptions parse_options; ++ ++static void ++setup(void) ++{ ++ app_startup(); ++ syslog_format_init(); ++ ++ cfg = cfg_new_snippet(); ++ msg_format_options_defaults(&parse_options); ++} ++ ++static void ++teardown(void) ++{ ++ scratch_buffers_explicit_gc(); ++ app_shutdown(); ++ cfg_free(cfg); ++} ++ ++TestSuite(syslog_format, .init = setup, .fini = teardown); ++ ++Test(syslog_format, parser_should_not_spin_on_non_zero_terminated_input, .timeout = 10) ++{ ++ const gchar *data = "<182>2022-08-17T05:02:28.217 mymachine su: 'su root' failed for lonvick on /dev/pts/8"; ++ /* chosen carefully to reproduce a bug */ ++ gsize data_length = 27; ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} ++ ++Test(syslog_format, cisco_sequence_id_non_zero_termination) ++{ ++ const gchar *data = "<189>65536: "; ++ gsize data_length = strlen(data); ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ cr_assert_str_eq(log_msg_get_value_by_name(msg, ".SDATA.meta.sequenceId", NULL), "65536"); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} ++ ++Test(syslog_format, minimal_non_zero_terminated_numeric_message_is_parsed_as_program_name) ++{ ++ const gchar *data = "<189>65536"; ++ gsize data_length = strlen(data); ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ cr_assert_str_eq(log_msg_get_value_by_name(msg, "PROGRAM", NULL), "65536"); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} +-- +2.25.1 + diff --git a/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb b/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb index 10bf00fdce..6e90dabd14 100644 --- a/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb +++ b/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb @@ -9,6 +9,7 @@ SRC_URI += " \ file://0001-syslog-ng-fix-segment-fault-during-service-start.patch \ file://shebang.patch \ file://syslog-ng-tmp.conf \ + file://CVE-2022-38725.patch \ " SRC_URI[md5sum] = "ef9de066793f7358af7312b964ac0450" diff --git a/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch new file mode 100644 index 0000000000..0189833b49 --- /dev/null +++ b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch @@ -0,0 +1,63 @@ +From 2517b8feb13919c382e53ab5f9b63c5b5ee5b063 Mon Sep 17 00:00:00 2001 +From: Emilio Pozuelo Monfort <pochu@debian.org> +Date: Fri, 5 Nov 2021 09:29:13 +0100 +Subject: [PATCH] udisks2 security update + +mount options: Always use errors=remount-ro for ext filesystems + +Stefan Walter found that udisks2, a service to access and manipulate +storage devices, could cause denial of service via system crash if a +corrupted or specially crafted ext2/3/4 device or image was mounted, +which could happen automatically on certain environments. + +For Debian 9 stretch, this problem has been fixed in version +2.1.8-1+deb9u1. + +Default mount options are focused primarily on data safety, mounting +damaged ext2/3/4 filesystem as readonly would indicate something's wrong. + +Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/u/udisks2/udisks2_2.1.8-1+deb9u1.debian.tar.xz] +CVE: CVE-2021-3802 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/udiskslinuxfilesystem.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/udiskslinuxfilesystem.c b/src/udiskslinuxfilesystem.c +index a5a3898c..eac8cab3 100644 +--- a/src/udiskslinuxfilesystem.c ++++ b/src/udiskslinuxfilesystem.c +@@ -421,6 +421,21 @@ static const gchar *hfsplus_allow[] = { "creator", "type", "umask", "session", " + static const gchar *hfsplus_allow_uid_self[] = { "uid", NULL }; + static const gchar *hfsplus_allow_gid_self[] = { "gid", NULL }; + ++/* ---------------------- ext2 -------------------- */ ++ ++static const gchar *ext2_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext2_allow[] = { "errors=remount-ro", NULL }; ++ ++/* ---------------------- ext3 -------------------- */ ++ ++static const gchar *ext3_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext3_allow[] = { "errors=remount-ro", NULL }; ++ ++/* ---------------------- ext4 -------------------- */ ++ ++static const gchar *ext4_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext4_allow[] = { "errors=remount-ro", NULL }; ++ + /* ------------------------------------------------ */ + /* TODO: support context= */ + +@@ -434,6 +449,9 @@ static const FSMountOptions fs_mount_options[] = + { "udf", udf_defaults, udf_allow, udf_allow_uid_self, udf_allow_gid_self }, + { "exfat", exfat_defaults, exfat_allow, exfat_allow_uid_self, exfat_allow_gid_self }, + { "hfsplus", hfsplus_defaults, hfsplus_allow, hfsplus_allow_uid_self, hfsplus_allow_gid_self }, ++ { "ext2", ext2_defaults, ext2_allow, NULL, NULL }, ++ { "ext3", ext3_defaults, ext3_allow, NULL, NULL }, ++ { "ext4", ext4_defaults, ext4_allow, NULL, NULL }, + }; + + /* ------------------------------------------------ */ diff --git a/meta-oe/recipes-support/udisks/udisks2_git.bb b/meta-oe/recipes-support/udisks/udisks2_git.bb index c4d0fa75ee..58c8a9899a 100644 --- a/meta-oe/recipes-support/udisks/udisks2_git.bb +++ b/meta-oe/recipes-support/udisks/udisks2_git.bb @@ -18,6 +18,7 @@ RDEPENDS_${PN} = "acl" SRC_URI = " \ git://github.com/storaged-project/udisks.git;branch=master;protocol=https \ + file://CVE-2021-3802.patch \ " PV = "2.8.4+git${SRCREV}" SRCREV = "db5f487345da2eaa87976450ea51c2c465d9b82e" diff --git a/meta-oe/recipes-test/catch2/catch2_2.9.2.bb b/meta-oe/recipes-test/catch2/catch2_2.9.2.bb index 9d449a23a6..50188937d5 100644 --- a/meta-oe/recipes-test/catch2/catch2_2.9.2.bb +++ b/meta-oe/recipes-test/catch2/catch2_2.9.2.bb @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/catchorg/Catch2" LICENSE = "BSL-1.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e4224ccaecb14d942c71d31bef20d78c" -SRC_URI = "git://github.com/catchorg/Catch2.git;branch=master;protocol=https" +SRC_URI = "git://github.com/catchorg/Catch2.git;branch=v2.x;protocol=https" SRCREV = "2c869e17e4803d30b3d5ca5b0d76387b9db97fa5" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-test/googletest/googletest_git.bb b/meta-oe/recipes-test/googletest/googletest_git.bb index 898f23fafb..35fe1bed00 100644 --- a/meta-oe/recipes-test/googletest/googletest_git.bb +++ b/meta-oe/recipes-test/googletest/googletest_git.bb @@ -11,7 +11,7 @@ PROVIDES += "gmock gtest" S = "${WORKDIR}/git" SRCREV = "703bd9caab50b139428cea1aaff9974ebee5742e" -SRC_URI = "git://github.com/google/googletest.git;branch=master;protocol=https" +SRC_URI = "git://github.com/google/googletest.git;branch=main;protocol=https" inherit cmake diff --git a/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb b/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb index afd26fa1c4..40bb586449 100644 --- a/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb +++ b/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb @@ -38,4 +38,4 @@ S = "${WORKDIR}/Config-AutoConf-${PV}" inherit cpan ptest-perl -BBCLASSEXTEND = "native nativesdk" +BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb b/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb index fc9786beca..9322db4085 100644 --- a/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb +++ b/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb @@ -43,5 +43,3 @@ do_install_ptest () { cp -r ${B}/t ${D}${PTEST_PATH} cp -r ${B}/certs ${D}${PTEST_PATH} } - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb b/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb index 8994f692b4..6d300ea9f5 100644 --- a/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb +++ b/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb @@ -62,5 +62,3 @@ python __anonymous () { raise bb.parse.SkipRecipe("incompatible with %s C library" % d.getVar('TCLIBC')) } - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb b/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb index 26c7c389d8..77c91c86cc 100644 --- a/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb +++ b/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb @@ -41,5 +41,3 @@ RDEPENDS_${PN}-ptest += " \ perl-module-perlio \ perl-module-test-more \ " - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb b/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb index a1bb4a399e..c281dfa5fe 100644 --- a/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb +++ b/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb @@ -34,5 +34,3 @@ SRC_URI[sha256sum] = "16a29f7acaeec081bf0e7303ba5ee24fda1d21a1104669b837745f3ea6 S = "${WORKDIR}/Unix-Statgrab-${PV}" inherit cpan pkgconfig ptest-perl - -BBCLASSEXTEND = "native" diff --git a/meta-python/recipes-core/images/meta-python-image.bb b/meta-python/recipes-core/images/meta-python-image.bb index cc75fe6e4b..6353d389b5 100644 --- a/meta-python/recipes-core/images/meta-python-image.bb +++ b/meta-python/recipes-core/images/meta-python-image.bb @@ -2,5 +2,4 @@ require meta-python-image-base.bb SUMMARY = "meta-python build test image" -IMAGE_INSTALL += "packagegroup-meta-python \ - packagegroup-meta-python3" +IMAGE_INSTALL += "packagegroup-meta-python3" diff --git a/meta-python/recipes-core/images/meta-python-ptest-image.bb b/meta-python/recipes-core/images/meta-python-ptest-image.bb index 7ee15354a2..d497016d41 100644 --- a/meta-python/recipes-core/images/meta-python-ptest-image.bb +++ b/meta-python/recipes-core/images/meta-python-ptest-image.bb @@ -2,4 +2,4 @@ require meta-python-image-base.bb SUMMARY = "meta-python ptest test image" -IMAGE_INSTALL += "packagegroup-meta-python-ptest" +IMAGE_INSTALL += "packagegroup-meta-python3-ptest" diff --git a/meta-python/recipes-devtools/python/python-lxml.inc b/meta-python/recipes-devtools/python/python-lxml.inc index 05b5eae462..0276a3e81a 100644 --- a/meta-python/recipes-devtools/python/python-lxml.inc +++ b/meta-python/recipes-devtools/python/python-lxml.inc @@ -18,6 +18,8 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \ DEPENDS += "libxml2 libxslt" +SRC_URI += "file://CVE-2022-2309.patch" + SRC_URI[md5sum] = "f088e452ed45b030b6f84269f1e84d11" SRC_URI[sha256sum] = "8620ce80f50d023d414183bf90cc2576c2837b88e00bea3f33ad2630133bbb60" diff --git a/meta-python/recipes-devtools/python/python-pint.inc b/meta-python/recipes-devtools/python/python-pint.inc index d022c41a57..5d880a0397 100644 --- a/meta-python/recipes-devtools/python/python-pint.inc +++ b/meta-python/recipes-devtools/python/python-pint.inc @@ -14,8 +14,6 @@ SRC_URI[sha256sum] = "308f1070500e102f83b6adfca6db53debfce2ffc5d3cbe3f6c367da359 DEPENDS += "python3-setuptools-scm-native" -BBCLASSEXTEND = "native nativesdk" - SRC_URI += " \ file://run-ptest \ " diff --git a/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb b/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb index 803ca4a404..24e38cfb4e 100644 --- a/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb +++ b/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb @@ -16,5 +16,3 @@ RDEPENDS_${PN} += "\ ${PYTHON_PN}-pyperclip \ ${PYTHON_PN}-wcwidth \ " - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch b/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch new file mode 100644 index 0000000000..c5d7ca3860 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch @@ -0,0 +1,99 @@ +From 7dee5927eb528f7ddebd62fbab31232d505acc22 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer <paul.l.kehrer@gmail.com> +Date: Sun, 23 Aug 2020 23:41:33 -0500 +Subject: [PATCH] chunked update_into (#5419) + +* chunked update_into + +* all pointer arithmetic all the time + +* review feedback + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/f90ba1808ee9bd9a13c5673b776484644f29d7ba] + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + .../hazmat/backends/openssl/ciphers.py | 31 +++++++++++++------ + tests/hazmat/primitives/test_ciphers.py | 17 ++++++++++ + 2 files changed, 38 insertions(+), 10 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 94b48f52..86bc94b3 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -17,6 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes + class _CipherContext(object): + _ENCRYPT = 1 + _DECRYPT = 0 ++ _MAX_CHUNK_SIZE = 2 ** 31 + + def __init__(self, backend, cipher, mode, operation): + self._backend = backend +@@ -125,22 +126,32 @@ class _CipherContext(object): + return bytes(buf[:n]) + + def update_into(self, data, buf): +- if len(buf) < (len(data) + self._block_size_bytes - 1): ++ total_data_len = len(data) ++ if len(buf) < (total_data_len + self._block_size_bytes - 1): + raise ValueError( + "buffer must be at least {} bytes for this " + "payload".format(len(data) + self._block_size_bytes - 1) + ) + +- buf = self._backend._ffi.cast( +- "unsigned char *", self._backend._ffi.from_buffer(buf) +- ) ++ data_processed = 0 ++ total_out = 0 + outlen = self._backend._ffi.new("int *") +- res = self._backend._lib.EVP_CipherUpdate( +- self._ctx, buf, outlen, +- self._backend._ffi.from_buffer(data), len(data) +- ) +- self._backend.openssl_assert(res != 0) +- return outlen[0] ++ baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseinbuf = self._backend._ffi.from_buffer(data) ++ ++ while data_processed != total_data_len: ++ outbuf = baseoutbuf + total_out ++ inbuf = baseinbuf + data_processed ++ inlen = min(self._MAX_CHUNK_SIZE, total_data_len - data_processed) ++ ++ res = self._backend._lib.EVP_CipherUpdate( ++ self._ctx, outbuf, outlen, inbuf, inlen ++ ) ++ self._backend.openssl_assert(res != 0) ++ data_processed += inlen ++ total_out += outlen[0] ++ ++ return total_out + + def finalize(self): + # OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions) +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index f29ba9a9..b88610e7 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -309,3 +309,20 @@ class TestCipherUpdateInto(object): + buf = bytearray(5) + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) ++ ++ def test_update_into_auto_chunking(self, backend, monkeypatch): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ # Lower max chunk size so we can test chunking ++ monkeypatch.setattr(encryptor._ctx, "_MAX_CHUNK_SIZE", 40) ++ buf = bytearray(527) ++ pt = b"abcdefghijklmnopqrstuvwxyz012345" * 16 # 512 bytes ++ processed = encryptor.update_into(pt, buf) ++ assert processed == 512 ++ decryptor = c.decryptor() ++ # Change max chunk size to verify alternate boundaries don't matter ++ monkeypatch.setattr(decryptor._ctx, "_MAX_CHUNK_SIZE", 73) ++ decbuf = bytearray(527) ++ decprocessed = decryptor.update_into(buf[:processed], decbuf) ++ assert decbuf[:decprocessed] == pt diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch new file mode 100644 index 0000000000..f28f414197 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch @@ -0,0 +1,43 @@ +From 7c72190620c3ccaeeab53fdd93547ca4d37b2f6b Mon Sep 17 00:00:00 2001 +From: Paul Kehrer <paul.l.kehrer@gmail.com> +Date: Sun, 25 Oct 2020 06:15:18 -0700 +Subject: [PATCH] chunking didn't actually work (#5499) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/836a92a28fbe9df8c37121e340b91ed9cd519ddd] + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 9 +++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 86bc94b3..2b7da80c 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes + class _CipherContext(object): + _ENCRYPT = 1 + _DECRYPT = 0 +- _MAX_CHUNK_SIZE = 2 ** 31 ++ _MAX_CHUNK_SIZE = 2 ** 31 - 1 + + def __init__(self, backend, cipher, mode, operation): + self._backend = backend +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index b88610e7..fd9048b7 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -326,3 +326,12 @@ class TestCipherUpdateInto(object): + decbuf = bytearray(527) + decprocessed = decryptor.update_into(buf[:processed], decbuf) + assert decbuf[:decprocessed] == pt ++ ++ def test_max_chunk_size_fits_in_int32(self, backend): ++ # max chunk must fit in signed int32 or else a call large enough to ++ # cause chunking will result in the very OverflowError we want to ++ # avoid with chunking. ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ backend._ffi.new("int *", encryptor._ctx._MAX_CHUNK_SIZE) diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch b/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch new file mode 100644 index 0000000000..449dd692e6 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch @@ -0,0 +1,37 @@ +From 6d0a76521abe287f5ddb5cd1cfbc799d35f08cf9 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Sun, 7 Feb 2021 11:36:56 -0500 +Subject: [PATCH] correct buffer overflows cause by integer overflow in openssl + (#5747) + +* correct buffer overflows cause by integer overflow in openssl + +frustratingly, there is no test for this -- that's because testing this +requires allocating more memory than is available in CI. + +fixes #5615. + +* backport CI fixes + +* another CI backport + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae] + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 2b7da80c..7ef5f1ea 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes + class _CipherContext(object): + _ENCRYPT = 1 + _DECRYPT = 0 +- _MAX_CHUNK_SIZE = 2 ** 31 - 1 ++ _MAX_CHUNK_SIZE = 2 ** 30 - 1 + + def __init__(self, backend, cipher, mode, operation): + self._backend = backend diff --git a/meta-python/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch new file mode 100644 index 0000000000..6ef50a0084 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch @@ -0,0 +1,45 @@ +From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Tue, 7 Feb 2023 11:34:18 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696] +CVE: CVE-2023-23931 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 286583f9325..075d68fb905 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index 02127dd9cab..bf3b047dec2 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/meta-python/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch new file mode 100644 index 0000000000..c0acb9066b --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch @@ -0,0 +1,66 @@ +From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Mon, 19 Feb 2024 11:50:28 -0500 +Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't +match (#10423) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55] +CVE: CVE-2024-26130 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + .../hazmat/backends/openssl/backend.py | 9 +++++++++ + tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index 7e9fa20..ce3fc8c 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -1046,6 +1046,15 @@ class Backend(object): + raise NotImplementedError( + 'Extension not supported: {}'.format(extension.oid) + ) ++ if p12 == self._ffi.NULL: ++ errors = self._consume_errors() ++ raise ValueError( ++ ( ++ "Failed to create PKCS12 (does the key match the " ++ "certificate?)" ++ ), ++ errors, ++ ) + + ext_struct = encode(self, extension.value) + nid = self._lib.OBJ_txt2nid( +diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py +index f084d57..c4160b0 100644 +--- a/tests/hazmat/primitives/test_pkcs12.py ++++ b/tests/hazmat/primitives/test_pkcs12.py +@@ -17,6 +17,24 @@ from cryptography.hazmat.primitives.serialization.pkcs12 import ( + + from .utils import load_vectors_from_file + ++ @pytest.mark.supported( ++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, ++ skip_message="Requires OpenSSL with PKCS12_set_mac", ++ ) ++ def test_set_mac_key_certificate_mismatch(self, backend): ++ cacert, _ = _load_ca(backend) ++ key = ec.generate_private_key(ec.SECP256R1()) ++ encryption = ( ++ serialization.PrivateFormat.PKCS12.encryption_builder() ++ .hmac_hash(hashes.SHA256()) ++ .build(b"password") ++ ) ++ ++ with pytest.raises(ValueError): ++ serialize_key_and_certificates( ++ b"name", key, cacert, [], encryption ++ ) ++ + + @pytest.mark.requires_backend_interface(interface=DERSerializationBackend) + class TestPKCS12(object): +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb b/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb index c75dabb974..63bc0e0d6d 100644 --- a/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb +++ b/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb @@ -11,6 +11,11 @@ SRC_URI[sha256sum] = "3cda1f0ed8747339bbdf71b9f38ca74c7b592f24f65cdb3ab3765e4b02 SRC_URI += " \ file://run-ptest \ + file://0001-chunked-update_into-5419.patch \ + file://0002-chunking-didn-t-actually-work-5499.patch \ + file://0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch \ + file://CVE-2023-23931.patch \ + file://CVE-2024-26130.patch \ " inherit pypi setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch new file mode 100644 index 0000000000..ff3fcee6e2 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch @@ -0,0 +1,94 @@ +From ccbda4b0669f418b2f00c4f099733cebe633eb47 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Fri, 29 Jul 2022 10:16:59 +0530 +Subject: [PATCH] CVE-2022-2309 + +Upstream-Status: Backport [https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f] +CVE: CVE-2022-2309 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lxml/apihelpers.pxi | 7 ++++--- + src/lxml/iterparse.pxi | 11 ++++++----- + src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++ + 3 files changed, 30 insertions(+), 8 deletions(-) + +diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi +index 5eb3416..88a031d 100644 +--- a/src/lxml/apihelpers.pxi ++++ b/src/lxml/apihelpers.pxi +@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node): + while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE: + c_ns = c_node.nsDef + while c_ns is not NULL: +- prefix = funicodeOrNone(c_ns.prefix) +- if prefix not in nsmap: +- nsmap[prefix] = funicodeOrNone(c_ns.href) ++ if c_ns.prefix or c_ns.href: ++ prefix = funicodeOrNone(c_ns.prefix) ++ if prefix not in nsmap: ++ nsmap[prefix] = funicodeOrNone(c_ns.href) + c_ns = c_ns.next + c_node = c_node.parent + return nsmap +diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi +index 4c20506..3da7485 100644 +--- a/src/lxml/iterparse.pxi ++++ b/src/lxml/iterparse.pxi +@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node): + count = 0 + c_ns = c_node.nsDef + while c_ns is not NULL: +- count += 1 ++ count += (c_ns.href is not NULL) + c_ns = c_ns.next + return count + +@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1: + count = 0 + c_ns = c_node.nsDef + while c_ns is not NULL: +- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '', +- funicode(c_ns.href)) +- event_list.append( (u"start-ns", ns_tuple) ) +- count += 1 ++ if c_ns.href: ++ ns_tuple = (funicodeOrEmpty(c_ns.prefix), ++ funicode(c_ns.href)) ++ event_list.append( (u"start-ns", ns_tuple) ) ++ count += 1 + c_ns = c_ns.next + return count +diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py +index b997e4d..69e1bf1 100644 +--- a/src/lxml/tests/test_etree.py ++++ b/src/lxml/tests/test_etree.py +@@ -1448,6 +1448,26 @@ class ETreeOnlyTestCase(HelperTestCase): + [1,2,1,4], + counts) + ++ def test_walk_after_parse_failure(self): ++ # This used to be an issue because libxml2 can leak empty namespaces ++ # between failed parser runs. iterwalk() failed to handle such a tree. ++ try: ++ etree.XML('''<anot xmlns="1">''') ++ except etree.XMLSyntaxError: ++ pass ++ else: ++ assert False, "invalid input did not fail to parse" ++ ++ et = etree.XML('''<root> </root>''') ++ try: ++ ns = next(etree.iterwalk(et, events=('start-ns',))) ++ except StopIteration: ++ # This would be the expected result, because there was no namespace ++ pass ++ else: ++ # This is a bug in libxml2 ++ assert not ns, repr(ns) ++ + def test_itertext_comment_pi(self): + # https://bugs.launchpad.net/lxml/+bug/1844674 + XML = self.etree.XML +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb b/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb index f6d8c53d05..57d38e60ba 100644 --- a/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb @@ -32,6 +32,5 @@ RDEPENDS_${PN} = "\ python3-dateutil \ python3-kiwisolver \ python3-pytz \ + python3-pillow \ " - -BBCLASSEXTEND = "native" diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-CVE-2022-45198.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-CVE-2022-45198.patch new file mode 100644 index 0000000000..0f0cfa7804 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-CVE-2022-45198.patch @@ -0,0 +1,26 @@ +From 7df88fc2319852ace202a650703d631200080e3b Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Thu, 30 Jun 2022 12:47:35 +1000 +Subject: [PATCH] Added GIF decompression bomb check + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/884437f8a2b953a0abd2a3b130a87fcfb438092e] +CVE: CVE-2022-45198 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/PIL/GifImagePlugin.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py +index 9d8e96f..c477fdd 100644 +--- a/src/PIL/GifImagePlugin.py ++++ b/src/PIL/GifImagePlugin.py +@@ -238,6 +238,7 @@ class GifImageFile(ImageFile.ImageFile): + x1, y1 = x0 + i16(s[4:]), y0 + i16(s[6:]) + if x1 > self.size[0] or y1 > self.size[1]: + self._size = max(x1, self.size[0]), max(y1, self.size[1]) ++ Image._decompression_bomb_check(self._size) + self.dispose_extent = x0, y0, x1, y1 + flags = i8(s[8]) + +-- +2.7.4 diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch new file mode 100644 index 0000000000..f9e3c49505 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch @@ -0,0 +1,31 @@ +From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001 +From: Eric Soroos <eric-github@soroos.net> +Date: Fri, 27 Oct 2023 11:21:18 +0200 +Subject: [PATCH] Don't allow __ or builtins in env dictionarys for + ImageMath.eval + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a] +CVE: CVE-2023-50447 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/PIL/ImageMath.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 392151c10..4cea3855e 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -261,6 +261,10 @@ def eval(expression, _dict={}, **kw): + args.update(_dict) + args.update(kw) + for k, v in list(args.items()): ++ if '__' in k or hasattr(__builtins__, k): ++ msg = f"'{k}' not allowed" ++ raise ValueError(msg) ++ + if hasattr(v, "im"): + args[k] = _Operand(v) + +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch new file mode 100644 index 0000000000..9c5d3fbcdc --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch @@ -0,0 +1,54 @@ +From 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Sat, 28 Oct 2023 15:58:52 +1100 +Subject: [PATCH] Allow ops + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80] +CVE: CVE-2023-50447 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Tests/test_imagemath.py | 4 ++++ + src/PIL/ImageMath.py | 9 +++++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index da41b3a12..14a58a532 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -56,6 +56,10 @@ class TestImageMath(PillowTestCase): + pixel(ImageMath.eval("float(B)**33", images)), "F 8589934592.0" + ) + ++ def test_prevent_double_underscores(): ++ with pytest.raises(ValueError): ++ ImageMath.eval("1", {"__": None}) ++ + def test_logical(self): + self.assertEqual(pixel(ImageMath.eval("not A", images)), 0) + self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2") +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 4cea3855e..776604e3f 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -258,13 +258,14 @@ def eval(expression, _dict={}, **kw): + + # build execution namespace + args = ops.copy() +- args.update(_dict) +- args.update(kw) +- for k, v in list(args.items()): +- if '__' in k or hasattr(__builtins__, k): ++ for k in list(_dict.keys()) + list(kw.keys()): ++ if "__" in k or hasattr(__builtins__, k): + msg = f"'{k}' not allowed" + raise ValueError(msg) + ++ args.update(_dict) ++ args.update(kw) ++ for k, v in list(args.items()): + if hasattr(v, "im"): + args[k] = _Operand(v) + +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch new file mode 100644 index 0000000000..b93425ee58 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch @@ -0,0 +1,44 @@ +From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Sat, 30 Dec 2023 09:30:12 +1100 +Subject: [PATCH] Include further builtins + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348] +CVE: CVE-2023-50447 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Tests/test_imagemath.py | 4 ++++ + src/PIL/ImageMath.py | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index 14a58a532..5bba832e2 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -60,6 +60,10 @@ class TestImageMath(PillowTestCase): + with pytest.raises(ValueError): + ImageMath.eval("1", {"__": None}) + ++ def test_prevent_builtins(): ++ with pytest.raises(ValueError): ++ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}) ++ + def test_logical(self): + self.assertEqual(pixel(ImageMath.eval("not A", images)), 0) + self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2") +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 776604e3f..c6bc22180 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -259,7 +259,7 @@ def eval(expression, _dict={}, **kw): + # build execution namespace + args = ops.copy() + for k in list(_dict.keys()) + list(kw.keys()): +- if "__" in k or hasattr(__builtins__, k): ++ if "__" in k or hasattr(builtins, k): + msg = f"'{k}' not allowed" + raise ValueError(msg) + +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb index 80b7e941ae..6567b32d0d 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb @@ -8,6 +8,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=55c0f320370091249c1755c0d2b48e89" SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x;protocol=https \ file://0001-support-cross-compiling.patch \ file://0001-explicitly-set-compile-options.patch \ + file://0001-CVE-2022-45198.patch \ + file://CVE-2023-50447-1.patch \ + file://CVE-2023-50447-2.patch \ + file://CVE-2023-50447-3.patch \ " SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6" @@ -34,5 +38,3 @@ CVE_PRODUCT = "pillow" S = "${WORKDIR}/git" RPROVIDES_${PN} += "python3-imaging" - -BBCLASSEXTEND = "native" diff --git a/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb b/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb index c138822400..6636fda839 100644 --- a/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb @@ -12,5 +12,3 @@ RDEPENDS_${PN} += " \ ${PYTHON_PN}-prettytable \ ${PYTHON_PN}-cmd2 \ ${PYTHON_PN}-pyparsing" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb b/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb index b6de42f7c1..60a26f58bc 100644 --- a/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb +++ b/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb @@ -16,5 +16,3 @@ RDEPENDS_${PN} += " \ ${PYTHON_PN}-pyserial \ ${PYTHON_PN}-robotframework \ " - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-26137.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-26137.patch new file mode 100644 index 0000000000..3cc8bcd02a --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-26137.patch @@ -0,0 +1,72 @@ +From 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson <sethmichaellarson@gmail.com> +Date: Mon, 17 Feb 2020 15:34:48 -0600 +Subject: [PATCH] Raise ValueError if method contains control characters + (#1800) + +CVE: CVE-2020-26137 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b.patch] +Signed-off-by: Nikhil R <nikhil.r@kpit.com> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> +Comment: Removed one hunk in CHANGES.rst and refresh other to remove +patch fuzz warnings + +--- + src/urllib3/connection.py | 14 ++++++++++++++ + test/with_dummyserver/test_connectionpool.py | 6 ++++++ + 2 files changed, 20 insertions(+) + +diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py +index 71e6790b1b..f7b1760938 100644 +--- a/src/urllib3/connection.py ++++ b/src/urllib3/connection.py +@@ -1,4 +1,5 @@ + from __future__ import absolute_import ++import re + import datetime + import logging + import os +@@ -58,6 +59,8 @@ port_by_scheme = {"http": 80, "https": 443} + # (ie test_recent_date is failing) update it to ~6 months before the current date. + RECENT_DATE = datetime.date(2019, 1, 1) + ++_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]") ++ + + class DummyConnection(object): + """Used to detect a failed ConnectionCls import.""" +@@ -184,6 +187,17 @@ class HTTPConnection(_HTTPConnection, object): + conn = self._new_conn() + self._prepare_conn(conn) + ++ def putrequest(self, method, url, *args, **kwargs): ++ """Send a request to the server""" ++ match = _CONTAINS_CONTROL_CHAR_RE.search(method) ++ if match: ++ raise ValueError( ++ "Method cannot contain non-token characters %r (found at least %r)" ++ % (method, match.group()) ++ ) ++ ++ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs) ++ + def request_chunked(self, method, url, body=None, headers=None): + """ + Alternative to the common request method, which sends the +diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py +index 57f0dbd2f4..79cbd27185 100644 +--- a/test/with_dummyserver/test_connectionpool.py ++++ b/test/with_dummyserver/test_connectionpool.py +@@ -677,6 +677,12 @@ class TestConnectionPool(HTTPDummyServerTestCase): + with pytest.raises(MaxRetryError): + pool.request("GET", "/test", retries=2) + ++ @pytest.mark.parametrize("char", [" ", "\r", "\n", "\x00"]) ++ def test_invalid_method_not_allowed(self, char): ++ with pytest.raises(ValueError): ++ with HTTPConnectionPool(self.host, self.port) as pool: ++ pool.request("GET" + char, "/") ++ + def test_percent_encode_invalid_target_chars(self): + with HTTPConnectionPool(self.host, self.port) as pool: + r = pool.request("GET", "/echo_params?q=\r&k=\n \n") diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2021-33503.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2021-33503.patch new file mode 100644 index 0000000000..838add9555 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2021-33503.patch @@ -0,0 +1,67 @@ +From 2d4a3fee6de2fa45eb82169361918f759269b4ec Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson <sethmichaellarson@gmail.com> +Date: Wed, 26 May 2021 10:43:12 -0500 +Subject: [PATCH] Improve performance of sub-authority splitting in URL + +CVE: CVE-2021-33503 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec.patch] +Signed-off-by: Nikhil R <nikhil.r@kpit.com> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> +Comment: Refresh hunks to remove patch fuzz warnings + +--- + src/urllib3/util/url.py | 8 +++++--- + test/test_util.py | 10 ++++++++++ + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py +index 6ff238fe3c..81a03da9e3 100644 +--- a/src/urllib3/util/url.py ++++ b/src/urllib3/util/url.py +@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$") + BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$") + ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$") + +-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % ( ++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % ( + REG_NAME_PAT, + IPV4_PAT, + IPV6_ADDRZ_PAT, + ) +-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL) ++_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL) + + UNRESERVED_CHARS = set( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~" +@@ -368,7 +368,9 @@ def parse_url(url): + scheme = scheme.lower() + + if authority: +- auth, host, port = SUBAUTHORITY_RE.match(authority).groups() ++ auth, _, host_port = authority.rpartition("@") ++ auth = auth or None ++ host, port = _HOST_PORT_RE.match(host_port).groups() + if auth and normalize_uri: + auth = _encode_invalid_chars(auth, USERINFO_CHARS) + if port == "": +diff --git a/test/test_util.py b/test/test_util.py +index a5b68a084b..88409e2d6c 100644 +--- a/test/test_util.py ++++ b/test/test_util.py +@@ -425,6 +425,16 @@ class TestUtil(object): + query="%0D%0ASET%20test%20failure12%0D%0A:8080/test/?test=a", + ), + ), ++ # Tons of '@' causing backtracking ++ ("https://" + ("@" * 10000) + "[", False), ++ ( ++ "https://user:" + ("@" * 10000) + "example.com", ++ Url( ++ scheme="https", ++ auth="user:" + ("%40" * 9999), ++ host="example.com", ++ ), ++ ), + ] + + @pytest.mark.parametrize("url, expected_url", url_vulnerabilities) diff --git a/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb b/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb index 8d987a1f30..73399d9439 100644 --- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb +++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb @@ -8,8 +8,10 @@ SRC_URI[sha256sum] = "f3c5fd51747d450d4dcf6f923c81f78f811aab8205fda64b0aba34a4e4 inherit pypi setuptools3 -SRC_URI += "file://CVE-2020-7212.patch" - +SRC_URI += "file://CVE-2020-7212.patch \ + file://CVE-2020-26137.patch \ + file://CVE-2021-33503.patch \ + " RDEPENDS_${PN} += "\ ${PYTHON_PN}-certifi \ ${PYTHON_PN}-cryptography \ diff --git a/meta-python/recipes-extended/python-cson/python3-cson_git.bb b/meta-python/recipes-extended/python-cson/python3-cson_git.bb index 4d234d311d..8e8f3fb2a6 100644 --- a/meta-python/recipes-extended/python-cson/python3-cson_git.bb +++ b/meta-python/recipes-extended/python-cson/python3-cson_git.bb @@ -12,8 +12,7 @@ SRC_URI = "git://github.com/gt3389b/python-cson.git;branch=master;protocol=https S = "${WORKDIR}/git" -RDEPENDS_${PN}_class-native = "" -DEPENDS_append_class-native = " python-native " +RDEPENDS_${PN} = "python3-json" inherit setuptools3 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch b/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch index 6c0286457c..50775be533 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch @@ -1,44 +1,43 @@ -From d2cedfa3394365689a3f7c8cfe8e0dd56b29bed9 Mon Sep 17 00:00:00 2001 +From ba9015386cbc044e111d7c266f13e2be045e4bf1 Mon Sep 17 00:00:00 2001 From: Koen Kooi <koen.kooi@linaro.org> Date: Tue, 17 Jun 2014 09:10:57 +0200 Subject: [PATCH] configure: use pkg-config for PCRE detection -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Koen Kooi <koen.kooi@linaro.org> --- - configure.in | 27 +++++---------------------- - 1 file changed, 5 insertions(+), 22 deletions(-) + configure.in | 26 +++++--------------------- + 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/configure.in b/configure.in -index 9feaceb..dc6ea15 100644 +index 38c1d0a..c799aec 100644 --- a/configure.in +++ b/configure.in -@@ -215,28 +215,11 @@ fi - AC_ARG_WITH(pcre, - APACHE_HELP_STRING(--with-pcre=PATH,Use external PCRE library)) +@@ -221,27 +221,11 @@ else if which $with_pcre 2>/dev/null; then :; else + fi + fi --AC_PATH_PROG(PCRE_CONFIG, pcre-config, false) --if test -d "$with_pcre" && test -x "$with_pcre/bin/pcre-config"; then -- PCRE_CONFIG=$with_pcre/bin/pcre-config --elif test -x "$with_pcre"; then -- PCRE_CONFIG=$with_pcre --fi +-AC_CHECK_TARGET_TOOLS(PCRE_CONFIG, [pcre2-config pcre-config], +- [`which $with_pcre 2>/dev/null`], $with_pcre) - --if test "$PCRE_CONFIG" != "false"; then +-if test "x$PCRE_CONFIG" != "x"; then - if $PCRE_CONFIG --version >/dev/null 2>&1; then :; else -- AC_MSG_ERROR([Did not find pcre-config script at $PCRE_CONFIG]) +- AC_MSG_ERROR([Did not find working script at $PCRE_CONFIG]) - fi - case `$PCRE_CONFIG --version` in +- [1[0-9].*]) +- AC_DEFINE(HAVE_PCRE2, 1, [Detected PCRE2]) +- ;; - [[1-5].*]) - AC_MSG_ERROR([Need at least pcre version 6.0]) - ;; - esac - AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) - APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) -- APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`]) +- APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`]) -else -- AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/]) +- AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/]) -fi +PKG_CHECK_MODULES([PCRE], [libpcre], [ + AC_DEFINE([HAVE_PCRE], [1], [Define if you have PCRE library]) @@ -49,5 +48,5 @@ index 9feaceb..dc6ea15 100644 AC_MSG_NOTICE([]) -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch b/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch index 85fe6ae4bd..bbe8b325b5 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch @@ -1,8 +1,8 @@ -From 7df207ad4d0dcda2ad36e5642296e0dec7e13647 Mon Sep 17 00:00:00 2001 +From 5074ab3425e5f1e01fd9cfa2d9b7300ea1b3f38f Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 -Subject: [PATCH] apache2: bump up the core size limit if CoreDumpDirectory - is configured +Subject: [PATCH] apache2: bump up the core size limit if CoreDumpDirectory is + configured Bump up the core size limit if CoreDumpDirectory is configured. @@ -11,16 +11,15 @@ Upstream-Status: Pending Note: upstreaming was discussed but there are competing desires; there are portability oddities here too. - --- server/core.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/server/core.c b/server/core.c -index eacb54f..7aa841f 100644 +index 090e397..3020090 100644 --- a/server/core.c +++ b/server/core.c -@@ -4965,6 +4965,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte +@@ -5107,6 +5107,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte } apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper, apr_pool_cleanup_null); @@ -47,5 +46,5 @@ index eacb54f..7aa841f 100644 } -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch b/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch index 081a02baa3..adb728ba31 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch @@ -1,8 +1,8 @@ -From ddd560024a6d526187fd126f306b59533ca3f7e2 Mon Sep 17 00:00:00 2001 +From 9c03ed909b8da0e1a288f53fda535a3f15bcf791 Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 -Subject: [PATCH] apache2: do not export apr/apr-util symbols when using - shared libapr +Subject: [PATCH] apache2: do not export apr/apr-util symbols when using shared + libapr There is no need to "suck in" the apr/apr-util symbols when using a shared libapr{,util}, it just bloats the symbol table; so don't. @@ -10,13 +10,12 @@ a shared libapr{,util}, it just bloats the symbol table; so don't. Upstream-Status: Pending Note: EXPORT_DIRS change is conditional on using shared apr - --- server/Makefile.in | 3 --- 1 file changed, 3 deletions(-) diff --git a/server/Makefile.in b/server/Makefile.in -index 1fa3344..f635d76 100644 +index 8111877..8c0c396 100644 --- a/server/Makefile.in +++ b/server/Makefile.in @@ -60,9 +60,6 @@ export_files: @@ -30,5 +29,5 @@ index 1fa3344..f635d76 100644 exports.c: export_files -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch index 78a04d9af4..3b080f54f6 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch @@ -1,4 +1,4 @@ -From dfa834ebd449df299f54e98f0fb3a7bb4008fb03 Mon Sep 17 00:00:00 2001 +From e47cc405eadcbe37a579c375e824e20a5c53bfad Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 Subject: [PATCH] Log the SELinux context at startup. @@ -15,10 +15,10 @@ Note: unlikely to be any interest in this upstream 2 files changed, 31 insertions(+) diff --git a/configure.in b/configure.in -index dc6ea15..caa6f54 100644 +index ea6cec3..92b74b7 100644 --- a/configure.in +++ b/configure.in -@@ -466,6 +466,11 @@ getloadavg +@@ -491,6 +491,11 @@ getloadavg dnl confirm that a void pointer is large enough to store a long integer APACHE_CHECK_VOID_PTR_LEN @@ -31,10 +31,10 @@ index dc6ea15..caa6f54 100644 [AC_TRY_RUN(#define _GNU_SOURCE #include <unistd.h> diff --git a/server/core.c b/server/core.c -index 7aa841f..79f34db 100644 +index 4da7209..d3ca25b 100644 --- a/server/core.c +++ b/server/core.c -@@ -59,6 +59,10 @@ +@@ -65,6 +65,10 @@ #include <unistd.h> #endif @@ -44,8 +44,8 @@ index 7aa841f..79f34db 100644 + /* LimitRequestBody handling */ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -4984,6 +4988,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte + #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ +@@ -5126,6 +5130,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte } #endif @@ -74,6 +74,3 @@ index 7aa841f..79f34db 100644 return OK; } --- -2.7.4 - diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch b/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch index 47320a9ee5..7b4a1b932b 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch @@ -1,4 +1,4 @@ -From 7db1b650bb4b01a5194a34cd7573f915656a595b Mon Sep 17 00:00:00 2001 +From e59aab44a28c654e518080693d573ca472ca5a08 Mon Sep 17 00:00:00 2001 From: Yulong Pei <Yulong.pei@windriver.com> Date: Thu, 1 Sep 2011 01:03:14 +0800 Subject: [PATCH] replace lynx to curl in apachectl script @@ -48,5 +48,5 @@ index 3281c2e..6ab4ba5 100644 *) $HTTPD "$@" -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch b/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch index 227d04064b..dbaf01d2c5 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch @@ -1,4 +1,4 @@ -From 4f4d7d6b88b6e440263ebeb22dfb40c52bb30fd8 Mon Sep 17 00:00:00 2001 +From fb09f1fe4525058b16b3d4edb2e3ae693154026e Mon Sep 17 00:00:00 2001 From: Zhenhua Luo <zhenhua.luo@freescale.com> Date: Fri, 25 Jan 2013 18:10:50 +0800 Subject: [PATCH] apache2: fix the race issue of parallel installation @@ -31,5 +31,5 @@ index e2d5bb6..dde5ae0 100755 pathcomp="$pathcomp/" done -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch b/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch index fed6b5010b..3ff6894409 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch @@ -1,4 +1,4 @@ -From 964ef2c1af74984602f46e7db938d3b95b148385 Mon Sep 17 00:00:00 2001 +From 0686564f64130f230870db8b4846973e3edbd646 Mon Sep 17 00:00:00 2001 From: Wenzong Fan <wenzong.fan@windriver.com> Date: Mon, 1 Dec 2014 02:08:27 -0500 Subject: [PATCH] apache2: allow to disable selinux support @@ -11,10 +11,10 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/configure.in b/configure.in -index caa6f54..eab2090 100644 +index 76811e7..4df3ff3 100644 --- a/configure.in +++ b/configure.in -@@ -466,10 +466,16 @@ getloadavg +@@ -491,10 +491,16 @@ getloadavg dnl confirm that a void pointer is large enough to store a long integer APACHE_CHECK_VOID_PTR_LEN @@ -36,5 +36,5 @@ index caa6f54..eab2090 100644 AC_CACHE_CHECK([for gettid()], ac_cv_gettid, [AC_TRY_RUN(#define _GNU_SOURCE -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch b/meta-webserver/recipes-httpd/apache2/apache2/0008-Fix-perl-install-directory-to-usr-bin.patch index 61669e3641..dc5b5c88f2 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0008-Fix-perl-install-directory-to-usr-bin.patch @@ -1,4 +1,4 @@ -From 5412077c398dec74321388fe6e593a44c4c80de6 Mon Sep 17 00:00:00 2001 +From 443d15b91d4e4979d92405610303797663f31102 Mon Sep 17 00:00:00 2001 From: echo <fei.geng@windriver.com> Date: Tue, 28 Apr 2009 03:11:06 +0000 Subject: [PATCH] Fix perl install directory to /usr/bin @@ -11,16 +11,15 @@ error: bad interpreter: No such file or directory Signed-off-by: Changqing Li <changqing.li@windriver.com> - --- configure.in | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/configure.in b/configure.in -index d828512..be7bd25 100644 +index 4df3ff3..4eeb609 100644 --- a/configure.in +++ b/configure.in -@@ -855,10 +855,7 @@ AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf", +@@ -903,10 +903,7 @@ AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf", AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "${rel_sysconfdir}/mime.types", [Location of the MIME types config file, relative to the Apache root directory]) @@ -32,3 +31,6 @@ index d828512..be7bd25 100644 AC_SUBST(perlbin) dnl If we are running on BSD/OS, we need to use the BSD .include syntax. +-- +2.25.1 + diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-support-apxs.in-force-destdir-to-be-empty-string.patch b/meta-webserver/recipes-httpd/apache2/apache2/0009-support-apxs.in-force-destdir-to-be-empty-string.patch index bdedd146c2..d1f9bb0f43 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0001-support-apxs.in-force-destdir-to-be-empty-string.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0009-support-apxs.in-force-destdir-to-be-empty-string.patch @@ -1,10 +1,10 @@ -From 705c0a7e9d9c1e64ee09fc0b54f6b5a4e27de1ca Mon Sep 17 00:00:00 2001 +From 43a4ad04e0d8771267a73f98b5918bcd10b167ec Mon Sep 17 00:00:00 2001 From: Trevor Gamblin <trevor.gamblin@windriver.com> Date: Fri, 17 Apr 2020 06:31:35 -0700 Subject: [PATCH] support/apxs.in: force destdir to be empty string -If destdir is assigned to anything other than the empty string, the -search path for apache2 config files is appended to itself, and +If destdir is assigned to anything other than the empty string, the +search path for apache2 config files is appended to itself, and related packages like apache-websocket will be unable to locate them: | cannot open @@ -24,7 +24,7 @@ Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/support/apxs.in b/support/apxs.in -index 65e1288527..9d96e33728 100644 +index b2705fa..781f2ab 100644 --- a/support/apxs.in +++ b/support/apxs.in @@ -28,10 +28,12 @@ package apxs; @@ -45,5 +45,5 @@ index 65e1288527..9d96e33728 100644 my %config_vars = (); -- -2.17.1 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch b/meta-webserver/recipes-httpd/apache2/apache2/0010-apache2-do-not-use-relative-path-for-gen_test_char.patch index 82e9e8c35f..ced8469f3a 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0010-apache2-do-not-use-relative-path-for-gen_test_char.patch @@ -1,16 +1,15 @@ -From b62c4cd2295c98b2ebe12641e5f01590bd96ae94 Mon Sep 17 00:00:00 2001 +From d9993cbc33565c0acd29b0127d651dafa2a16975 Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 Subject: [PATCH] apache2: do not use relative path for gen_test_char Upstream-Status: Inappropriate [embedded specific] - --- server/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/Makefile.in b/server/Makefile.in -index f635d76..0d48924 100644 +index 8c0c396..3544f55 100644 --- a/server/Makefile.in +++ b/server/Makefile.in @@ -29,7 +29,7 @@ gen_test_char: $(gen_test_char_OBJECTS) @@ -23,5 +22,5 @@ index f635d76..0d48924 100644 util.lo: test_char.h -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.51.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.58.bb index d6e736d31d..746db4ac0a 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.51.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.58.bb @@ -13,12 +13,12 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ file://0005-replace-lynx-to-curl-in-apachectl-script.patch \ file://0006-apache2-fix-the-race-issue-of-parallel-installation.patch \ file://0007-apache2-allow-to-disable-selinux-support.patch \ - file://apache-configure_perlbin.patch \ - file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \ + file://0008-Fix-perl-install-directory-to-usr-bin.patch \ + file://0009-support-apxs.in-force-destdir-to-be-empty-string.patch \ " -SRC_URI_append_class-target = " \ - file://0008-apache2-do-not-use-relative-path-for-gen_test_char.patch \ +SRC_URI:append:class-target = " \ + file://0010-apache2-do-not-use-relative-path-for-gen_test_char.patch \ file://init \ file://apache2-volatile.conf \ file://apache2.service \ @@ -26,7 +26,7 @@ SRC_URI_append_class-target = " \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" -SRC_URI[sha256sum] = "20e01d81fecf077690a4439e3969a9b22a09a8d43c525356e863407741b838f4" +SRC_URI[sha256sum] = "fa16d72a078210a54c47dd5bef2f8b9b8a01d94909a51453956b3ec6442ea4c5" S = "${WORKDIR}/httpd-${PV}" diff --git a/meta-webserver/recipes-httpd/nginx/files/0001-HTTP-2-per-iteration-stream-handling-limit.patch b/meta-webserver/recipes-httpd/nginx/files/0001-HTTP-2-per-iteration-stream-handling-limit.patch new file mode 100644 index 0000000000..7dd1e721c0 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/0001-HTTP-2-per-iteration-stream-handling-limit.patch @@ -0,0 +1,92 @@ +From 2b9667f36551406169e3e2a6a774466ac70a83c0 Mon Sep 17 00:00:00 2001 +From: Maxim Dounin <mdounin@mdounin.ru> +Date: Tue, 10 Oct 2023 15:13:39 +0300 +Subject: [PATCH] HTTP/2: per-iteration stream handling limit. + +To ensure that attempts to flood servers with many streams are detected +early, a limit of no more than 2 * max_concurrent_streams new streams per one +event loop iteration was introduced. This limit is applied even if +max_concurrent_streams is not yet reached - for example, if corresponding +streams are handled synchronously or reset. + +Further, refused streams are now limited to maximum of max_concurrent_streams +and 100, similarly to priority_limit initial value, providing some tolerance +to clients trying to open several streams at the connection start, yet +low tolerance to flooding attempts. + +Upstream-Status: Backport +[https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9] + +Reduces the impact of HTTP/2 Stream Reset flooding in the nginx product +(CVE-2023-44487). + +See: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ + +This patch only reduces the impact and does not completely mitigate the CVE +in question, the latter being due to a design flaw in the HTTP/2 protocol +itself. For transparancy reasons I therefore opted to not mark the +CVE as resolved, so that integrators can decide for themselves, wheither to +enable HTTP/2 support or allow HTTP/1.1 connections only. + +Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> +--- + src/http/v2/ngx_http_v2.c | 15 +++++++++++++++ + src/http/v2/ngx_http_v2.h | 2 ++ + 2 files changed, 17 insertions(+) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 3611a2e50..291677aca 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev) + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler"); + + h2c->blocked = 1; ++ h2c->new_streams = 0; + + if (c->close) { + c->close = 0; +@@ -1320,6 +1321,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + goto rst_stream; + } + ++ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many streams at once"); ++ ++ status = NGX_HTTP_V2_REFUSED_STREAM; ++ goto rst_stream; ++ } ++ + if (!h2c->settings_ack + && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) + && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW) +@@ -1385,6 +1394,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + + rst_stream: + ++ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many refused streams"); ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR); ++ } ++ + if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) { + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); + } +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 349229711..6a7aaa62c 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -125,6 +125,8 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t new_streams; ++ ngx_uint_t refused_streams; + ngx_uint_t priority_limit; + + ngx_uint_t pushing; +-- +2.42.1 + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch new file mode 100644 index 0000000000..45653e422e --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch @@ -0,0 +1,39 @@ +From 6511195c023bf03e0fb19a36f41f42f4edde6e88 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov <ru@nginx.com> +Date: Mon, 23 Dec 2019 15:45:46 +0300 +Subject: [PATCH] Discard request body when redirecting to a URL via + error_page. + +Reported by Bert JW Regeer and Francisco Oca Gonzalez. + +Upstream-Status: Backport +CVE: CVE-2019-20372 + +Reference to upstream patch: +https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e + +Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> +--- + src/http/ngx_http_special_response.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +index 4ffb2cc8..76e67058 100644 +--- a/src/http/ngx_http_special_response.c ++++ b/src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, &uri); + } + ++ r->expect_tested = 1; ++ ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ r->keepalive = 0; ++ } ++ + location = ngx_list_push(&r->headers_out.headers); + + if (location == NULL) { +-- +2.17.1 + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2022-41741-CVE-2022-41742.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2022-41741-CVE-2022-41742.patch new file mode 100644 index 0000000000..8a8a35b2dd --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2022-41741-CVE-2022-41742.patch @@ -0,0 +1,319 @@ +From 9563a2a08c007d78a6796b0232201bf7dc4a8103 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 16 Nov 2022 10:28:24 +0530 +Subject: [PATCH] CVE-2022-41741, CVE-2022-41742 + +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea] +CVE: CVE-2022-41741, CVE-2022-41742 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +Mp4: disabled duplicate atoms. + +Most atoms should not appear more than once in a container. Previously, +this was not enforced by the module, which could result in worker process +crash, memory corruption and disclosure. +--- + src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++ + 1 file changed, 147 insertions(+) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 618bf78..7b7184d 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -1076,6 +1076,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + return NGX_ERROR; + } + ++ if (mp4->ftyp_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + ftyp_atom = ngx_palloc(mp4->request->pool, atom_size); +@@ -1134,6 +1140,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + return NGX_DECLINED; + } + ++ if (mp4->moov_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module); + + if (atom_data_size > mp4->buffer_size) { +@@ -1201,6 +1213,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom"); + ++ if (mp4->mdat_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + data = &mp4->mdat_data_buf; + data->file = &mp4->file; + data->in_file = 1; +@@ -1327,6 +1345,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom"); + ++ if (mp4->mvhd_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_header = ngx_mp4_atom_header(mp4); + mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header; + mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header; +@@ -1592,6 +1616,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->tkhd_size = atom_size; + + ngx_mp4_set_32value(tkhd_atom->size, atom_size); +@@ -1630,6 +1661,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->mdia_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1753,6 +1790,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->mdhd_size = atom_size; + trak->timescale = timescale; + +@@ -1795,6 +1839,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->hdlr_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1823,6 +1873,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->minf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1866,6 +1922,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->vmhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1897,6 +1962,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->smhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1928,6 +2002,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->dinf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1956,6 +2036,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stbl_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2024,6 +2110,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stsd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2092,6 +2184,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->time_to_sample_entries = entries; + + atom = &trak->stts_atom_buf; +@@ -2297,6 +2396,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sync sample entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sync_samples_entries = entries; + + atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t); +@@ -2495,6 +2601,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "composition offset entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->composition_offset_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t); +@@ -2698,6 +2811,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_to_chunk_entries = entries; + + atom = &trak->stsc_atom_buf; +@@ -3030,6 +3150,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sample uniform size:%uD, entries:%uD", size, entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_sizes_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t); +@@ -3199,6 +3326,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(uint32_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->stco_atom_buf; +@@ -3383,6 +3520,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(uint64_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->co64_atom_buf; +-- +2.25.1 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb index 207642575b..39cfd3a67b 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb @@ -4,3 +4,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=52e384aaac868b755b93ad5535e2d075" SRC_URI[md5sum] = "45a80f75336c980d240987badc3dcf60" SRC_URI[sha256sum] = "f11c2a6dd1d3515736f0324857957db2de98be862461b5a542a3ac6188dbe32b" + +SRC_URI += "file://CVE-2019-20372.patch \ + file://CVE-2022-41741-CVE-2022-41742.patch \ + file://0001-HTTP-2-per-iteration-stream-handling-limit.patch \ + " diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb index 3d2a5edd26..9fd6d73428 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb @@ -8,3 +8,5 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=52e384aaac868b755b93ad5535e2d075" SRC_URI[md5sum] = "29cd861a13aae69a058cbabaae86177b" SRC_URI[sha256sum] = "97d23ecf6d5150b30e284b40e8a6f7e3bb5be6b601e373a4d013768d5a25965b" + +SRC_URI += "file://0001-HTTP-2-per-iteration-stream-handling-limit.patch" |