diff options
Diffstat (limited to 'meta/recipes-support')
144 files changed, 10422 insertions, 508 deletions
diff --git a/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch b/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch deleted file mode 100644 index 57e7453312..0000000000 --- a/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch +++ /dev/null @@ -1,135 +0,0 @@ -From 6b638fa9afbeb54dfa19378e391465a5284ce1ad Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Wed, 12 Sep 2018 17:16:36 +0800 -Subject: [PATCH] Fix error handling in gdbm - -Only check for gdbm_errno if the return value of the called gdbm_* -function says so. This fixes apr-util with gdbm 1.14, which does not -seem to always reset gdbm_errno. - -Also make the gdbm driver return error codes starting with -APR_OS_START_USEERR instead of always returning APR_EGENERAL. This is -what the berkleydb driver already does. - -Also ensure that dsize is 0 if dptr == NULL. - -Upstream-Status: Backport[https://svn.apache.org/viewvc? -view=revision&revision=1825311] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - dbm/apr_dbm_gdbm.c | 47 +++++++++++++++++++++++++++++------------------ - 1 file changed, 29 insertions(+), 18 deletions(-) - -diff --git a/dbm/apr_dbm_gdbm.c b/dbm/apr_dbm_gdbm.c -index 749447a..1c86327 100644 ---- a/dbm/apr_dbm_gdbm.c -+++ b/dbm/apr_dbm_gdbm.c -@@ -36,13 +36,25 @@ - static apr_status_t g2s(int gerr) - { - if (gerr == -1) { -- /* ### need to fix this */ -- return APR_EGENERAL; -+ if (gdbm_errno == GDBM_NO_ERROR) -+ return APR_SUCCESS; -+ return APR_OS_START_USEERR + gdbm_errno; - } - - return APR_SUCCESS; - } - -+static apr_status_t gdat2s(datum d) -+{ -+ if (d.dptr == NULL) { -+ if (gdbm_errno == GDBM_NO_ERROR || gdbm_errno == GDBM_ITEM_NOT_FOUND) -+ return APR_SUCCESS; -+ return APR_OS_START_USEERR + gdbm_errno; -+ } -+ -+ return APR_SUCCESS; -+} -+ - static apr_status_t datum_cleanup(void *dptr) - { - if (dptr) -@@ -53,22 +65,15 @@ static apr_status_t datum_cleanup(void *dptr) - - static apr_status_t set_error(apr_dbm_t *dbm, apr_status_t dbm_said) - { -- apr_status_t rv = APR_SUCCESS; - -- /* ### ignore whatever the DBM said (dbm_said); ask it explicitly */ -+ dbm->errcode = dbm_said; - -- if ((dbm->errcode = gdbm_errno) == GDBM_NO_ERROR) { -+ if (dbm_said == APR_SUCCESS) - dbm->errmsg = NULL; -- } -- else { -- dbm->errmsg = gdbm_strerror(gdbm_errno); -- rv = APR_EGENERAL; /* ### need something better */ -- } -- -- /* captured it. clear it now. */ -- gdbm_errno = GDBM_NO_ERROR; -+ else -+ dbm->errmsg = gdbm_strerror(dbm_said - APR_OS_START_USEERR); - -- return rv; -+ return dbm_said; - } - - /* -------------------------------------------------------------------------- -@@ -107,7 +112,7 @@ static apr_status_t vt_gdbm_open(apr_dbm_t **pdb, const char *pathname, - NULL); - - if (file == NULL) -- return APR_EGENERAL; /* ### need a better error */ -+ return APR_OS_START_USEERR + gdbm_errno; /* ### need a better error */ - - /* we have an open database... return it */ - *pdb = apr_pcalloc(pool, sizeof(**pdb)); -@@ -141,10 +146,12 @@ static apr_status_t vt_gdbm_fetch(apr_dbm_t *dbm, apr_datum_t key, - if (pvalue->dptr) - apr_pool_cleanup_register(dbm->pool, pvalue->dptr, datum_cleanup, - apr_pool_cleanup_null); -+ else -+ pvalue->dsize = 0; - - /* store the error info into DBM, and return a status code. Also, note - that *pvalue should have been cleared on error. */ -- return set_error(dbm, APR_SUCCESS); -+ return set_error(dbm, gdat2s(rd)); - } - - static apr_status_t vt_gdbm_store(apr_dbm_t *dbm, apr_datum_t key, -@@ -201,9 +208,11 @@ static apr_status_t vt_gdbm_firstkey(apr_dbm_t *dbm, apr_datum_t *pkey) - if (pkey->dptr) - apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup, - apr_pool_cleanup_null); -+ else -+ pkey->dsize = 0; - - /* store any error info into DBM, and return a status code. */ -- return set_error(dbm, APR_SUCCESS); -+ return set_error(dbm, gdat2s(rd)); - } - - static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey) -@@ -221,9 +230,11 @@ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey) - if (pkey->dptr) - apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup, - apr_pool_cleanup_null); -+ else -+ pkey->dsize = 0; - - /* store any error info into DBM, and return a status code. */ -- return set_error(dbm, APR_SUCCESS); -+ return set_error(dbm, gdat2s(rd)); - } - - static void vt_gdbm_freedatum(apr_dbm_t *dbm, apr_datum_t data) --- -2.7.4 - diff --git a/meta/recipes-support/apr/apr-util_1.6.1.bb b/meta/recipes-support/apr/apr-util_1.6.3.bb index f7d827a1d8..3d9d619c7b 100644 --- a/meta/recipes-support/apr/apr-util_1.6.1.bb +++ b/meta/recipes-support/apr/apr-util_1.6.3.bb @@ -13,11 +13,9 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \ file://configfix.patch \ file://configure_fixes.patch \ file://run-ptest \ - file://0001-Fix-error-handling-in-gdbm.patch \ -" + " -SRC_URI[md5sum] = "bd502b9a8670a8012c4d90c31a84955f" -SRC_URI[sha256sum] = "b65e40713da57d004123b6319828be7f1273fbc6490e145874ee1177e112c459" +SRC_URI[sha256sum] = "2b74d8932703826862ca305b094eef2983c27b39d5c9414442e9976a9acf1983" EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \ --without-odbc \ @@ -35,6 +33,7 @@ OE_BINCONFIG_EXTRA_MANGLE = " -e 's:location=source:location=installed:'" do_configure_append() { if [ "${CLASSOVERRIDE}" = "class-target" ]; then cp ${STAGING_DATADIR}/apr/apr_rules.mk ${B}/build/rules.mk + sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${B}/build/rules.mk fi } do_configure_prepend_class-native() { @@ -49,6 +48,7 @@ do_configure_append_class-native() { do_configure_prepend_class-nativesdk() { cp ${STAGING_DATADIR}/apr/apr_rules.mk ${S}/build/rules.mk + sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${S}/build/rules.mk } do_configure_append_class-nativesdk() { diff --git a/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch b/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch index abff4e9331..a274f3a16e 100644 --- a/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch +++ b/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch @@ -1,14 +1,15 @@ -From 2bbe20b4f69e84e7a18bc79d382486953f479328 Mon Sep 17 00:00:00 2001 +From 225abf37cd0b49960664b59f08e515a4c4ea5ad0 Mon Sep 17 00:00:00 2001 From: Jeremy Puhlman <jpuhlman@mvista.com> Date: Thu, 26 Mar 2020 18:30:36 +0000 Subject: [PATCH] Add option to disable timed dependant tests -The disabled tests rely on timing to pass correctly. On a virtualized +The disabled tests rely on timing to pass correctly. On a virtualized system under heavy load, these tests randomly fail because they miss a timer or other timing related issues. Upstream-Status: Pending Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> + --- configure.in | 6 ++++++ include/apr.h.in | 1 + @@ -16,10 +17,10 @@ Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/configure.in b/configure.in -index d9f32d6..f0c5661 100644 +index bfd488b..3663220 100644 --- a/configure.in +++ b/configure.in -@@ -2886,6 +2886,12 @@ AC_ARG_ENABLE(timedlocks, +@@ -3023,6 +3023,12 @@ AC_ARG_ENABLE(timedlocks, ) AC_SUBST(apr_has_timedlocks) @@ -45,10 +46,10 @@ index ee99def..c46a5f4 100644 #define APR_PROCATTR_USER_SET_REQUIRES_PASSWORD @apr_procattr_user_set_requires_password@ diff --git a/test/testlock.c b/test/testlock.c -index a43f477..6233d0b 100644 +index e3437c1..04e01b9 100644 --- a/test/testlock.c +++ b/test/testlock.c -@@ -396,13 +396,13 @@ abts_suite *testlock(abts_suite *suite) +@@ -535,7 +535,7 @@ abts_suite *testlock(abts_suite *suite) abts_run_test(suite, threads_not_impl, NULL); #else abts_run_test(suite, test_thread_mutex, NULL); @@ -56,6 +57,8 @@ index a43f477..6233d0b 100644 +#if APR_HAS_TIMEDLOCKS && APR_HAVE_TIME_DEPENDANT_TESTS abts_run_test(suite, test_thread_timedmutex, NULL); #endif + abts_run_test(suite, test_thread_nestedmutex, NULL); +@@ -543,7 +543,7 @@ abts_suite *testlock(abts_suite *suite) abts_run_test(suite, test_thread_rwlock, NULL); abts_run_test(suite, test_cond, NULL); abts_run_test(suite, test_timeoutcond, NULL); @@ -63,7 +66,4 @@ index a43f477..6233d0b 100644 +#if APR_HAS_TIMEDLOCKS && APR_HAVE_TIME_DEPENDANT_TESTS abts_run_test(suite, test_timeoutmutex, NULL); #endif - #endif --- -2.23.0 - + #ifdef WIN32 diff --git a/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch new file mode 100644 index 0000000000..a78b16284f --- /dev/null +++ b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch @@ -0,0 +1,58 @@ +From 316b81c462f065927d7fec56aadd5c8cb94d1cf0 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Fri, 26 Aug 2022 00:28:08 -0700 +Subject: [PATCH] configure: Remove runtime test for mmap that can map + /dev/zero + +This never works for cross-compile moreover it ends up disabling +ac_cv_file__dev_zero which then results in compiler errors in shared +mutexes + +Upstream-Status: Inappropriate [Cross-compile specific] +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- + configure.in | 30 ------------------------------ + 1 file changed, 30 deletions(-) + +diff --git a/configure.in b/configure.in +index 3663220..dce9789 100644 +--- a/configure.in ++++ b/configure.in +@@ -1303,36 +1303,6 @@ AC_CHECK_FUNCS([mmap munmap shm_open shm_unlink shmget shmat shmdt shmctl \ + APR_CHECK_DEFINE(MAP_ANON, sys/mman.h) + AC_CHECK_FILE(/dev/zero) + +-# Not all systems can mmap /dev/zero (such as HP-UX). Check for that. +-if test "$ac_cv_func_mmap" = "yes" && +- test "$ac_cv_file__dev_zero" = "yes"; then +- AC_CACHE_CHECK([for mmap that can map /dev/zero], +- [ac_cv_mmap__dev_zero], +- [AC_TRY_RUN([#include <sys/types.h> +-#include <sys/stat.h> +-#include <fcntl.h> +-#ifdef HAVE_SYS_MMAN_H +-#include <sys/mman.h> +-#endif +- int main() +- { +- int fd; +- void *m; +- fd = open("/dev/zero", O_RDWR); +- if (fd < 0) { +- return 1; +- } +- m = mmap(0, sizeof(void*), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); +- if (m == (void *)-1) { /* aka MAP_FAILED */ +- return 2; +- } +- if (munmap(m, sizeof(void*)) < 0) { +- return 3; +- } +- return 0; +- }], [], [ac_cv_file__dev_zero=no], [ac_cv_file__dev_zero=no])]) +-fi +- + # Now we determine which one is our anonymous shmem preference. + haveshmgetanon="0" + havemmapzero="0" diff --git a/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch b/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch index 72e706f966..d63423f3a1 100644 --- a/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch +++ b/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch @@ -1,8 +1,7 @@ -From 5925b20da8bbc34d9bf5a5dca123ef38864d43c6 Mon Sep 17 00:00:00 2001 +From 689a8db96a6d1e1cae9cbfb35d05ac82140a6555 Mon Sep 17 00:00:00 2001 From: Hongxu Jia <hongxu.jia@windriver.com> Date: Tue, 30 Jan 2018 09:39:06 +0800 -Subject: [PATCH 2/7] apr: Remove workdir path references from installed apr - files +Subject: [PATCH] apr: Remove workdir path references from installed apr files Upstream-Status: Inappropriate [configuration] @@ -14,20 +13,23 @@ packages at target run time, the workdir path caused confusion. Rebase to 1.6.3 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> + --- - apr-config.in | 26 ++------------------------ - 1 file changed, 2 insertions(+), 24 deletions(-) + apr-config.in | 32 ++------------------------------ + 1 file changed, 2 insertions(+), 30 deletions(-) diff --git a/apr-config.in b/apr-config.in -index 84b4073..bbbf651 100644 +index bed47ca..47874e5 100644 --- a/apr-config.in +++ b/apr-config.in -@@ -152,14 +152,7 @@ while test $# -gt 0; do +@@ -164,16 +164,7 @@ while test $# -gt 0; do flags="$flags $LDFLAGS" ;; --includes) - if test "$location" = "installed"; then flags="$flags -I$includedir $EXTRA_INCLUDES" +- elif test "$location" = "crosscompile"; then +- flags="$flags -I$APR_TARGET_DIR/$includedir $EXTRA_INCLUDES" - elif test "$location" = "source"; then - flags="$flags -I$APR_SOURCE_DIR/include $EXTRA_INCLUDES" - else @@ -37,13 +39,15 @@ index 84b4073..bbbf651 100644 ;; --srcdir) echo $APR_SOURCE_DIR -@@ -181,29 +174,14 @@ while test $# -gt 0; do +@@ -197,33 +188,14 @@ while test $# -gt 0; do exit 0 ;; --link-ld) - if test "$location" = "installed"; then - ### avoid using -L if libdir is a "standard" location like /usr/lib - flags="$flags -L$libdir -l${APR_LIBNAME}" +- elif test "$location" = "crosscompile"; then +- flags="$flags -L$APR_TARGET_DIR/$libdir -l${APR_LIBNAME}" - else - ### this surely can't work since the library is in .libs? - flags="$flags -L$APR_BUILD_DIR -l${APR_LIBNAME}" @@ -62,6 +66,8 @@ index 84b4073..bbbf651 100644 - # Since the user is specifying they are linking with libtool, we - # *know* that -R will be recognized by libtool. - flags="$flags -L$libdir -R$libdir -l${APR_LIBNAME}" +- elif test "$location" = "crosscompile"; then +- flags="$flags -L${APR_TARGET_DIR}/$libdir -l${APR_LIBNAME}" - else - flags="$flags $LA_FILE" - fi @@ -69,6 +75,3 @@ index 84b4073..bbbf651 100644 ;; --shlib-path-var) echo "$SHLIBPATH_VAR" --- -1.8.3.1 - diff --git a/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch b/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch deleted file mode 100644 index 4dd53bd8eb..0000000000 --- a/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch +++ /dev/null @@ -1,63 +0,0 @@ -From d5028c10f156c224475b340cfb1ba025d6797243 Mon Sep 17 00:00:00 2001 -From: Hongxu Jia <hongxu.jia@windriver.com> -Date: Fri, 2 Feb 2018 15:51:42 +0800 -Subject: [PATCH 3/7] Makefile.in/configure.in: support cross compiling - -While cross compiling, the tools/gen_test_char could not -be executed at build time, use AX_PROG_CC_FOR_BUILD to -build native tools/gen_test_char - -Upstream-Status: Submitted [https://github.com/apache/apr/pull/8] - -Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> ---- - Makefile.in | 10 +++------- - configure.in | 3 +++ - 2 files changed, 6 insertions(+), 7 deletions(-) - -diff --git a/Makefile.in b/Makefile.in -index 5fb760e..8675f90 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -46,7 +46,7 @@ LT_VERSION = @LT_VERSION@ - - CLEAN_TARGETS = apr-config.out apr.exp exports.c export_vars.c .make.dirs \ - build/apr_rules.out tools/gen_test_char@EXEEXT@ \ -- tools/gen_test_char.o tools/gen_test_char.lo \ -+ tools/gen_test_char.o \ - include/private/apr_escape_test_char.h - DISTCLEAN_TARGETS = config.cache config.log config.status \ - include/apr.h include/arch/unix/apr_private.h \ -@@ -131,13 +131,9 @@ check: $(TARGET_LIB) - etags: - etags `find . -name '*.[ch]'` - --OBJECTS_gen_test_char = tools/gen_test_char.lo $(LOCAL_LIBS) --tools/gen_test_char.lo: tools/gen_test_char.c -+tools/gen_test_char@EXEEXT@: tools/gen_test_char.c - $(APR_MKDIR) tools -- $(LT_COMPILE) -- --tools/gen_test_char@EXEEXT@: $(OBJECTS_gen_test_char) -- $(LINK_PROG) $(OBJECTS_gen_test_char) $(ALL_LIBS) -+ $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $< -o $@ - - include/private/apr_escape_test_char.h: tools/gen_test_char@EXEEXT@ - $(APR_MKDIR) include/private -diff --git a/configure.in b/configure.in -index 719f331..361120f 100644 ---- a/configure.in -+++ b/configure.in -@@ -183,6 +183,9 @@ dnl can only be used once within a configure script, so this prevents a - dnl preload section from invoking the macro to get compiler info. - AC_PROG_CC - -+dnl Check build CC for gen_test_char compiling which is executed at build time. -+AX_PROG_CC_FOR_BUILD -+ - dnl AC_PROG_SED is only avaliable in recent autoconf versions. - dnl Use AC_CHECK_PROG instead if AC_PROG_SED is not present. - ifdef([AC_PROG_SED], --- -1.8.3.1 - diff --git a/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch b/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch deleted file mode 100644 index d1a2ebe881..0000000000 --- a/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 49661ea3858cf8494926cccf57d3e8c6dcb47117 Mon Sep 17 00:00:00 2001 -From: Dengke Du <dengke.du@windriver.com> -Date: Wed, 14 Dec 2016 18:13:08 +0800 -Subject: [PATCH] apr: fix off_t size doesn't match in glibc when cross - compiling - -In configure.in, it contains the following: - - APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8) - -the macro "APR_CHECK_SIZEOF_EXTENDED" was defined in build/apr_common.m4, -it use the "AC_TRY_RUN" macro, this macro let the off_t to 8, when cross -compiling enable. - -So it was hardcoded for cross compiling, we should detect it dynamic based on -the sysroot's glibc. We change it to the following: - - AC_CHECK_SIZEOF(off_t) - -The same for the following hardcoded types for cross compiling: - - pid_t 8 - ssize_t 8 - size_t 8 - off_t 8 - -Change the above correspondingly. - -Signed-off-by: Dengke Du <dengke.du@windriver.com> - -Upstream-Status: Pending - ---- - configure.in | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/configure.in b/configure.in -index 27b8539..fb408d1 100644 ---- a/configure.in -+++ b/configure.in -@@ -1801,7 +1801,7 @@ else - socklen_t_value="int" - fi - --APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], pid_t, 8) -+AC_CHECK_SIZEOF(pid_t) - - if test "$ac_cv_sizeof_pid_t" = "$ac_cv_sizeof_short"; then - pid_t_fmt='#define APR_PID_T_FMT "hd"' -@@ -1873,7 +1873,7 @@ APR_CHECK_TYPES_FMT_COMPATIBLE(size_t, unsigned long, lu, [size_t_fmt="lu"], [ - APR_CHECK_TYPES_FMT_COMPATIBLE(size_t, unsigned int, u, [size_t_fmt="u"]) - ]) - --APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], ssize_t, 8) -+AC_CHECK_SIZEOF(ssize_t) - - dnl the else cases below should no longer occur; - AC_MSG_CHECKING([which format to use for apr_ssize_t]) -@@ -1891,7 +1891,7 @@ fi - - ssize_t_fmt="#define APR_SSIZE_T_FMT \"$ssize_t_fmt\"" - --APR_CHECK_SIZEOF_EXTENDED([#include <stddef.h>], size_t, 8) -+AC_CHECK_SIZEOF(size_t) - - # else cases below should no longer occur; - AC_MSG_CHECKING([which format to use for apr_size_t]) -@@ -1909,7 +1909,7 @@ fi - - size_t_fmt="#define APR_SIZE_T_FMT \"$size_t_fmt\"" - --APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8) -+AC_CHECK_SIZEOF(off_t) - - if test "${ac_cv_sizeof_off_t}${apr_cv_use_lfs64}" = "4yes"; then - # Enable LFS diff --git a/meta/recipes-support/apr/apr/libtoolize_check.patch b/meta/recipes-support/apr/apr/libtoolize_check.patch index 740792e6b0..80ce43caa4 100644 --- a/meta/recipes-support/apr/apr/libtoolize_check.patch +++ b/meta/recipes-support/apr/apr/libtoolize_check.patch @@ -1,6 +1,7 @@ +From 17835709bc55657b7af1f7c99b3f572b819cf97e Mon Sep 17 00:00:00 2001 From: Helmut Grohne <helmut@subdivi.de> -Subject: check for libtoolize rather than libtool -Last-Update: 2014-09-19 +Date: Tue, 7 Feb 2023 07:04:00 +0000 +Subject: [PATCH] check for libtoolize rather than libtool libtool is now in package libtool-bin, but apr only needs libtoolize. @@ -8,14 +9,22 @@ Upstream-Status: Pending [ from debian: https://sources.debian.org/data/main/a/a Signed-off-by: Robert Yang <liezhi.yang@windriver.com> ---- apr.orig/build/buildcheck.sh -+++ apr/build/buildcheck.sh -@@ -39,11 +39,11 @@ fi +--- + build/buildcheck.sh | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/build/buildcheck.sh b/build/buildcheck.sh +index 44921b5..08bc8a8 100755 +--- a/build/buildcheck.sh ++++ b/build/buildcheck.sh +@@ -39,13 +39,11 @@ fi # ltmain.sh (GNU libtool 1.1361 2004/01/02 23:10:52) 1.5a # output is multiline from 1.5 onwards -# Require libtool 1.4 or newer --libtool=`build/PrintPath glibtool1 glibtool libtool libtool15 libtool14` +-if test -z "$libtool"; then +- libtool=`build/PrintPath glibtool1 glibtool libtool libtool15 libtool14` +-fi -lt_pversion=`$libtool --version 2>/dev/null|sed -e 's/([^)]*)//g;s/^[^0-9]*//;s/[- ].*//g;q'` +# Require libtoolize 1.4 or newer +libtoolize=`build/PrintPath glibtoolize1 glibtoolize libtoolize libtoolize15 libtoolize14` diff --git a/meta/recipes-support/apr/apr_1.7.0.bb b/meta/recipes-support/apr/apr_1.7.2.bb index 432fa3255c..807dce21da 100644 --- a/meta/recipes-support/apr/apr_1.7.0.bb +++ b/meta/recipes-support/apr/apr_1.7.2.bb @@ -16,17 +16,15 @@ BBCLASSEXTEND = "native nativesdk" SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \ file://run-ptest \ file://0002-apr-Remove-workdir-path-references-from-installed-ap.patch \ - file://0003-Makefile.in-configure.in-support-cross-compiling.patch \ file://0004-Fix-packet-discards-HTTP-redirect.patch \ file://0005-configure.in-fix-LTFLAGS-to-make-it-work-with-ccache.patch \ - file://0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch \ file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \ file://libtoolize_check.patch \ file://0001-Add-option-to-disable-timed-dependant-tests.patch \ + file://0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch \ " -SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7" -SRC_URI[sha256sum] = "e2e148f0b2e99b8e5c6caa09f6d4fb4dd3e83f744aa72a952f94f5a14436f7ea" +SRC_URI[sha256sum] = "75e77cc86776c030c0a5c408dfbd0bf2a0b75eed5351e52d5439fa1e5509a43e" inherit autotools-brokensep lib_package binconfig multilib_header ptest multilib_script @@ -34,17 +32,30 @@ OE_BINCONFIG_EXTRA_MANGLE = " -e 's:location=source:location=installed:'" # Added to fix some issues with cmake. Refer to https://github.com/bmwcarit/meta-ros/issues/68#issuecomment-19896928 CACHED_CONFIGUREVARS += "apr_cv_mutex_recursive=yes" - +# Enable largefile +CACHED_CONFIGUREVARS += "apr_cv_use_lfs64=yes" +# Additional AC_TRY_RUN tests which will need to be cached for cross compile +CACHED_CONFIGUREVARS += "apr_cv_epoll=yes epoll_create1=yes apr_cv_sock_cloexec=yes \ + ac_cv_struct_rlimit=yes \ + ac_cv_func_sem_open=yes \ + apr_cv_process_shared_works=yes \ + apr_cv_mutex_robust_shared=yes \ + " # Also suppress trying to use sctp. # CACHED_CONFIGUREVARS += "ac_cv_header_netinet_sctp_h=no ac_cv_header_netinet_sctp_uio_h=no" -CACHED_CONFIGUREVARS += "ac_cv_sizeof_struct_iovec=yes" +# ac_cv_sizeof_struct_iovec is deduced using runtime check which will fail during cross-compile +CACHED_CONFIGUREVARS += "${@['ac_cv_sizeof_struct_iovec=16','ac_cv_sizeof_struct_iovec=8'][d.getVar('SITEINFO_BITS') != '32']}" + CACHED_CONFIGUREVARS += "ac_cv_file__dev_zero=yes" +CACHED_CONFIGUREVARS:append:libc-musl = " ac_cv_strerror_r_rc_int=yes" PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}" +PACKAGECONFIG:append:libc-musl = " xsi-strerror" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," PACKAGECONFIG[timed-tests] = "--enable-timed-tests,--disable-timed-tests," +PACKAGECONFIG[xsi-strerror] = "ac_cv_strerror_r_rc_int=yes,ac_cv_strerror_r_rc_int=no," do_configure_prepend() { # Avoid absolute paths for grep since it causes failures diff --git a/meta/recipes-support/aspell/aspell_0.60.8.bb b/meta/recipes-support/aspell/aspell_0.60.8.bb index 6548c54b64..9147c820e7 100644 --- a/meta/recipes-support/aspell/aspell_0.60.8.bb +++ b/meta/recipes-support/aspell/aspell_0.60.8.bb @@ -13,7 +13,9 @@ HOMEPAGE = "http://aspell.net/" LICENSE = "LGPLv2 | LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" -SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz" +SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \ + file://CVE-2019-25051.patch \ +" SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3" SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2" diff --git a/meta/recipes-support/aspell/files/CVE-2019-25051.patch b/meta/recipes-support/aspell/files/CVE-2019-25051.patch new file mode 100644 index 0000000000..8513f6de79 --- /dev/null +++ b/meta/recipes-support/aspell/files/CVE-2019-25051.patch @@ -0,0 +1,101 @@ +From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001 +From: Kevin Atkinson <kevina@gnu.org> +Date: Sat, 21 Dec 2019 20:32:47 +0000 +Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk + to prevent a buffer overflow + +Bug found using OSS-Fuze. + +Upstream-Status: Backport +[https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a] +CVE: CVE-2019-25051 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + common/objstack.hpp | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/common/objstack.hpp b/common/objstack.hpp +index 3997bf7..bd97ccd 100644 +--- a/common/objstack.hpp ++++ b/common/objstack.hpp +@@ -5,6 +5,7 @@ + #include "parm_string.hpp" + #include <stdlib.h> + #include <assert.h> ++#include <stddef.h> + + namespace acommon { + +@@ -26,6 +27,12 @@ class ObjStack + byte * temp_end; + void setup_chunk(); + void new_chunk(); ++ bool will_overflow(size_t sz) const { ++ return offsetof(Node,data) + sz > chunk_size; ++ } ++ void check_size(size_t sz) { ++ assert(!will_overflow(sz)); ++ } + + ObjStack(const ObjStack &); + void operator=(const ObjStack &); +@@ -56,7 +63,7 @@ class ObjStack + void * alloc_bottom(size_t size) { + byte * tmp = bottom; + bottom += size; +- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;} ++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;} + return tmp; + } + // This alloc_bottom will insure that the object is aligned based on the +@@ -66,7 +73,7 @@ class ObjStack + align_bottom(align); + byte * tmp = bottom; + bottom += size; +- if (bottom > top) {new_chunk(); goto loop;} ++ if (bottom > top) {check_size(size); new_chunk(); goto loop;} + return tmp; + } + char * dup_bottom(ParmString str) { +@@ -79,7 +86,7 @@ class ObjStack + // always be aligned as such. + void * alloc_top(size_t size) { + top -= size; +- if (top < bottom) {new_chunk(); top -= size;} ++ if (top < bottom) {check_size(size); new_chunk(); top -= size;} + return top; + } + // This alloc_top will insure that the object is aligned based on +@@ -88,7 +95,7 @@ class ObjStack + {loop: + top -= size; + align_top(align); +- if (top < bottom) {new_chunk(); goto loop;} ++ if (top < bottom) {check_size(size); new_chunk(); goto loop;} + return top; + } + char * dup_top(ParmString str) { +@@ -117,6 +124,7 @@ class ObjStack + void * alloc_temp(size_t size) { + temp_end = bottom + size; + if (temp_end > top) { ++ check_size(size); + new_chunk(); + temp_end = bottom + size; + } +@@ -131,6 +139,7 @@ class ObjStack + } else { + size_t s = temp_end - bottom; + byte * p = bottom; ++ check_size(size); + new_chunk(); + memcpy(bottom, p, s); + temp_end = bottom + size; +@@ -150,6 +159,7 @@ class ObjStack + } else { + size_t s = temp_end - bottom; + byte * p = bottom; ++ check_size(size); + new_chunk(); + memcpy(bottom, p, s); + temp_end = bottom + size; diff --git a/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb b/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb index 986f0124e2..6a93cacc18 100644 --- a/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb +++ b/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb @@ -9,7 +9,7 @@ SECTION = "console/utils" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/intel/${BPN}" +SRC_URI = "git://github.com/intel/${BPN};branch=main;protocol=https" SRCREV = "db7087b883bf52cbff063ad17a41cc1cbb85104d" S = "${WORKDIR}/git" diff --git a/meta/recipes-support/boost/boost.inc b/meta/recipes-support/boost/boost.inc index 829e728b6d..1c13fb3599 100644 --- a/meta/recipes-support/boost/boost.inc +++ b/meta/recipes-support/boost/boost.inc @@ -165,7 +165,7 @@ do_configure() { # D2194:Fixing the failure of "error: duplicate initialization of gcc with the following parameters" during compilation. rm -f ${WORKDIR}/user-config.jam - echo 'using gcc : 4.3.1 : ${CXX} : <cflags>"${CFLAGS}" <cxxflags>"${CXXFLAGS}" <linkflags>"${LDFLAGS}" ;' >> ${WORKDIR}/user-config.jam + echo 'using gcc : : ${CXX} : <cflags>"${CFLAGS}" <cxxflags>"${CXXFLAGS}" <linkflags>"${LDFLAGS}" ;' >> ${WORKDIR}/user-config.jam # If we want Python then we need to tell Boost *exactly* where to find it if ${@bb.utils.contains('BOOST_LIBS', 'python', 'true', 'false', d)}; then diff --git a/meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch b/meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch new file mode 100644 index 0000000000..46c706931b --- /dev/null +++ b/meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch @@ -0,0 +1,32 @@ +From f9d0e594d43afcb4ab0043117249feb266ba4515 Mon Sep 17 00:00:00 2001 +From: Romain Geissler <romain.geissler@amadeus.com> +Date: Tue, 10 Aug 2021 14:22:28 +0000 +Subject: [PATCH] Fix -Wsign-compare warning with glibc 2.34 on Linux + platforms. + +In file included from /data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/thread_only.hpp:17, + from /data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/thread.hpp:12, + from src/GetTest.cpp:12: +/data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/pthread/thread_data.hpp: In member function 'void boost::thread_attributes::set_stack_size(std::size_t)': +/data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/pthread/thread_data.hpp:61:19: error: comparison of integer expressions of different signedness: 'std::size_t' {aka 'long unsigned int'} and 'long int' [-Werror=sign-compare] + 61 | if (size<PTHREAD_STACK_MIN) size=PTHREAD_STACK_MIN; + | ^ + +Upstream-Status: Backport [1.78.0 https://github.com/boostorg/thread/commit/f9d0e594d43afcb4ab0043117249feb266ba4515] +--- + boost/thread/pthread/thread_data.hpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/boost/thread/pthread/thread_data.hpp b/boost/thread/pthread/thread_data.hpp +index bc9b1367..c43b276d 100644 +--- a/boost/thread/pthread/thread_data.hpp ++++ b/boost/thread/pthread/thread_data.hpp +@@ -58,7 +58,7 @@ namespace boost + std::size_t page_size = ::sysconf( _SC_PAGESIZE); + #endif + #ifdef PTHREAD_STACK_MIN +- if (size<PTHREAD_STACK_MIN) size=PTHREAD_STACK_MIN; ++ if (size<static_cast<std::size_t>(PTHREAD_STACK_MIN)) size=PTHREAD_STACK_MIN; + #endif + size = ((size+page_size-1)/page_size)*page_size; + int res = pthread_attr_setstacksize(&val_, size); diff --git a/meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch b/meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch new file mode 100644 index 0000000000..3784cf9165 --- /dev/null +++ b/meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch @@ -0,0 +1,24 @@ +From 74fb0a26099bc51d717f5f154b37231ce7df3e98 Mon Sep 17 00:00:00 2001 +From: Rob Boehne <robb@datalogics.com> +Date: Wed, 20 Nov 2019 11:25:20 -0600 +Subject: [PATCH] Revert change to elide a warning that caused Solaris builds + to fail. + +Upstream-Status: Backport [1.73.0 https://github.com/boostorg/thread/commit/74fb0a26099bc51d717f5f154b37231ce7df3e98] +--- + boost/thread/pthread/thread_data.hpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/boost/thread/pthread/thread_data.hpp b/boost/thread/pthread/thread_data.hpp +index aefbeb43..bc9b1367 100644 +--- a/boost/thread/pthread/thread_data.hpp ++++ b/boost/thread/pthread/thread_data.hpp +@@ -57,7 +57,7 @@ namespace boost + #else + std::size_t page_size = ::sysconf( _SC_PAGESIZE); + #endif +-#if PTHREAD_STACK_MIN > 0 ++#ifdef PTHREAD_STACK_MIN + if (size<PTHREAD_STACK_MIN) size=PTHREAD_STACK_MIN; + #endif + size = ((size+page_size-1)/page_size)*page_size; diff --git a/meta/recipes-support/boost/boost_1.72.0.bb b/meta/recipes-support/boost/boost_1.72.0.bb index df1cc16937..b3ec11933c 100644 --- a/meta/recipes-support/boost/boost_1.72.0.bb +++ b/meta/recipes-support/boost/boost_1.72.0.bb @@ -9,4 +9,6 @@ SRC_URI += " \ file://0001-dont-setup-compiler-flags-m32-m64.patch \ file://0001-revert-cease-dependence-on-range.patch \ file://0001-added-typedef-executor_type.patch \ + file://0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch \ + file://0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch \ " diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch new file mode 100644 index 0000000000..5c4a32f526 --- /dev/null +++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch @@ -0,0 +1,80 @@ +From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Mon, 18 Oct 2021 12:05:49 +0200 +Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired + certificates." + +This avoids a dependency on python3-cryptography, and only checks +for expired certs (which is upstream concern, but not ours). + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + debian/changelog | 1 - + debian/control | 2 +- + mozilla/certdata2pem.py | 11 ----------- + 3 files changed, 1 insertion(+), 13 deletions(-) + +diff --git a/debian/changelog b/debian/changelog +index 531e4d0..4006509 100644 +--- a/debian/changelog ++++ b/debian/changelog +@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low + - "Trustis FPS Root CA" + - "Staat der Nederlanden Root CA - G3" + * Blacklist expired root certificate "DST Root CA X3" (closes: #995432) +- * mozilla/certdata2pem.py: print a warning for expired certificates. + + -- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200 + +diff --git a/debian/control b/debian/control +index 4434b7a..5c6ba24 100644 +--- a/debian/control ++++ b/debian/control +@@ -3,7 +3,7 @@ Section: misc + Priority: optional + Maintainer: Julien Cristau <jcristau@debian.org> + Build-Depends: debhelper-compat (= 13), po-debconf +-Build-Depends-Indep: python3, openssl, python3-cryptography ++Build-Depends-Indep: python3, openssl + Standards-Version: 4.5.0.2 + Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git + Vcs-Browser: https://salsa.debian.org/debian/ca-certificates +diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py +index ede23d4..7d796f1 100644 +--- a/mozilla/certdata2pem.py ++++ b/mozilla/certdata2pem.py +@@ -21,16 +21,12 @@ + # USA. + + import base64 +-import datetime + import os.path + import re + import sys + import textwrap + import io + +-from cryptography import x509 +- +- + objects = [] + + # Dirty file parser. +@@ -121,13 +117,6 @@ for obj in objects: + if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': + if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: + continue +- +- cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) +- if cert.not_valid_after < datetime.datetime.now(): +- print('!'*74) +- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL']) +- print('!'*74) +- + bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ + .replace(' ', '_')\ + .replace('(', '=')\ +-- +2.20.1 + diff --git a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch b/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch deleted file mode 100644 index f343ebf16e..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch +++ /dev/null @@ -1,26 +0,0 @@ -sbin/Makefile: Allow the sbin path to be configurable - -Some project sharing ca-certificates from Debian allow configuration -of the installation location. Make the sbin location configurable. - -Also ensure the target directory exists - -Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> -Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/5] - ---- ca-certificates-20130119.orig/sbin/Makefile -+++ ca-certificates-20130119/sbin/Makefile -@@ -3,9 +3,12 @@ - # - # - -+SBINDIR = /usr/sbin -+ - all: - - clean: - - install: -- install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/ -+ install -d $(DESTDIR)$(SBINDIR) -+ install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/ diff --git a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch b/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch deleted file mode 100644 index f78790923c..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch +++ /dev/null @@ -1,33 +0,0 @@ -update-ca-certificates: Replace deprecated mktemp -t with mktemp --tmpdir - -According to coreutils docs, mktemp -t is deprecated, switch to the ---tmpdir option instead. - -Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> -Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/5] - -[This was originally for compatibility with toybox but toybox now -supports -t] ---- - sbin/update-ca-certificates | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates -index 79c41bb..ae9e3f1 100755 ---- a/sbin/update-ca-certificates -+++ b/sbin/update-ca-certificates -@@ -113,9 +113,9 @@ trap cleanup 0 - - # Helper files. (Some of them are not simple arrays because we spawn - # subshells later on.) --TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")" --ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")" --REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")" -+TEMPBUNDLE="$(mktemp --tmpdir "${CERTBUNDLE}.tmp.XXXXXX")" -+ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")" -+REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")" - - # Adds a certificate to the list of trusted ones. This includes a symlink - # in /etc/ssl/certs to the certificate file and its inclusion into the --- -2.1.4 diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb index 7dcc86fdc1..a54d6b458a 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb @@ -14,15 +14,14 @@ DEPENDS_class-nativesdk = "openssl-native" # Need rehash from openssl and run-parts from debianutils PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" -SRCREV = "181be7ebd169b4a6fb5d90c3e6dc791e90534144" +SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8" -SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \ +SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \ file://0002-update-ca-certificates-use-SYSROOT.patch \ file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \ - file://update-ca-certificates-support-Toybox.patch \ file://default-sysroot.patch \ - file://sbindir.patch \ file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ + file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \ " UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)" diff --git a/meta/recipes-support/curl/curl/CVE-2021-22898.patch b/meta/recipes-support/curl/curl/CVE-2021-22898.patch new file mode 100644 index 0000000000..0800e10175 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22898.patch @@ -0,0 +1,26 @@ +From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001 +From: Harry Sintonen <sintonen@iki.fi> +Date: Fri, 7 May 2021 13:09:57 +0200 +Subject: [PATCH] telnet: check sscanf() for correct number of matches + +CVE: CVE-2021-22898 +Upstream-Status: Backport +Link: https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde +Bug: https://curl.se/docs/CVE-2021-22898.html +--- + lib/telnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 26e0658ba9cc..fdd137fb0c04 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { ++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { + msnprintf((char *)&temp[len], sizeof(temp) - len, + "%c%s%c%s", CURL_NEW_ENV_VAR, varname, + CURL_NEW_ENV_VALUE, varval); diff --git a/meta/recipes-support/curl/curl/CVE-2021-22924.patch b/meta/recipes-support/curl/curl/CVE-2021-22924.patch new file mode 100644 index 0000000000..68fde45ddf --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch @@ -0,0 +1,226 @@ +Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and + case sensitivity CVE-2021-22924 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2021-22924.html +CVE: CVE-2021-22924 +Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6 +Signed-off-by: Mike Crowe <mac@mcrowe.com> +--- + lib/url.c | 5 +++-- + lib/urldata.h | 2 +- + lib/vtls/gtls.c | 10 +++++----- + lib/vtls/nss.c | 4 ++-- + lib/vtls/openssl.c | 12 ++++++------ + lib/vtls/vtls.c | 23 ++++++++++++++++++----- + 6 files changed, 35 insertions(+), 21 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 47fc66aed..eebad8d32 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; + data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG]; + data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY]; ++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; ++ data->set.proxy_ssl.primary.issuercert = ++ data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.proxy_ssl.primary.random_file = + data->set.str[STRING_SSL_RANDOM_FILE]; +@@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data, + + data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; +- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; + data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; +diff --git a/lib/urldata.h b/lib/urldata.h +index fbb8b645e..615fbf369 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -224,6 +224,7 @@ struct ssl_primary_config { + long version_max; /* max supported version the client wants to use*/ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ ++ char *issuercert; /* optional issuer certificate filename */ + char *clientcert; + char *random_file; /* path to file containing "random" data */ + char *egdsocket; /* path to file containing the EGD daemon socket */ +@@ -240,7 +241,6 @@ struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ + char *CRLfile; /* CRL to check certificate revocation */ +- char *issuercert;/* optional issuer certificate filename */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert; /* client certificate file name */ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 46e149c7d..8c051024f 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn, + if(!chainp) { + if(SSL_CONN_CONFIG(verifypeer) || + SSL_CONN_CONFIG(verifyhost) || +- SSL_SET_OPTION(issuercert)) { ++ SSL_CONN_CONFIG(issuercert)) { + #ifdef USE_TLS_SRP + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(username) != NULL +@@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn, + gnutls_x509_crt_t format */ + gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + gnutls_x509_crt_init(&x509_issuer); +- issuerp = load_file(SSL_SET_OPTION(issuercert)); ++ issuerp = load_file(SSL_CONN_CONFIG(issuercert)); + gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); + rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); + gnutls_x509_crt_deinit(x509_issuer); + unload_file(issuerp); + if(rc <= 0) { + failf(data, "server certificate issuer check failed (IssuerCert: %s)", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + gnutls_x509_crt_deinit(x509_cert); + return CURLE_SSL_ISSUER_ERROR; + } + infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + } + + size = sizeof(certbuf); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index ef51b0d91..375c78b1b 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) + if(result) + goto error; + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + SECStatus ret = SECFailure; +- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); ++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); + if(nickname) { + /* we support only nicknames in case of issuercert for now */ + ret = check_issuer_cert(BACKEND->handle, nickname); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 64f43605a..7e81fd3a0 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn, + deallocating the certificate. */ + + /* e.g. match issuer name with provided issuer certificate */ +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + fp = BIO_new(BIO_s_file()); + if(fp == NULL) { + failf(data, +@@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata *conn, + return CURLE_OUT_OF_MEMORY; + } + +- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { ++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { + if(strict) + failf(data, "SSL: Unable to open issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(BACKEND->server_cert); + BACKEND->server_cert = NULL; +@@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn, + if(!issuer) { + if(strict) + failf(data, "SSL: Unable to read issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(BACKEND->server_cert); +@@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn, + if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) { + if(strict) + failf(data, "SSL: Certificate issuer check failed (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(BACKEND->server_cert); +@@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn, + } + + infof(data, " SSL certificate issuer check ok (%s)\n", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index aaf73ef8f..8c681da14 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -82,6 +82,16 @@ + else \ + dest->var = NULL; + ++static bool safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ else if(!a && !b) ++ return TRUE; /* match */ ++ return FALSE; /* no match */ ++} ++ ++ + bool + Curl_ssl_config_matches(struct ssl_primary_config* data, + struct ssl_primary_config* needle) +@@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +- Curl_safe_strcasecompare(data->CApath, needle->CApath) && +- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && +- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && +- Curl_safe_strcasecompare(data->random_file, needle->random_file) && +- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && ++ safecmp(data->CApath, needle->CApath) && ++ safecmp(data->CAfile, needle->CAfile) && ++ safecmp(data->issuercert, needle->issuercert) && ++ safecmp(data->clientcert, needle->clientcert) && ++ safecmp(data->random_file, needle->random_file) && ++ safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) +@@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + + CLONE_STRING(CApath); + CLONE_STRING(CAfile); ++ CLONE_STRING(issuercert); + CLONE_STRING(clientcert); + CLONE_STRING(random_file); + CLONE_STRING(egdsocket); +@@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) + { + Curl_safefree(sslc->CApath); + Curl_safefree(sslc->CAfile); ++ Curl_safefree(sslc->issuercert); + Curl_safefree(sslc->clientcert); + Curl_safefree(sslc->random_file); + Curl_safefree(sslc->egdsocket); +-- +2.30.2 + diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/meta/recipes-support/curl/curl/CVE-2021-22925.patch new file mode 100644 index 0000000000..13b55f76be --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch @@ -0,0 +1,43 @@ +Subject: [PATCH] telnet: fix option parser to not send uninitialized + contents CVE-2021-22925 + +Reported-by: Red Hat Product Security +Bug: https://curl.se/docs/CVE-2021-22925.html +CVE: CVE-2021-22925 +Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6 +Signed-off-by: Mike Crowe <mac@mcrowe.com> +--- + lib/telnet.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 4bf4c652c..3347ad6d1 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { +- msnprintf((char *)&temp[len], sizeof(temp) - len, +- "%c%s%c%s", CURL_NEW_ENV_VAR, varname, +- CURL_NEW_ENV_VALUE, varval); +- len += tmplen; +- } ++ int rv; ++ char sep[2] = ""; ++ varval[0] = 0; ++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); ++ if(rv == 1) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s", CURL_NEW_ENV_VAR, varname); ++ else if(rv >= 2) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname, ++ CURL_NEW_ENV_VALUE, varval); + } + } + msnprintf((char *)&temp[len], sizeof(temp) - len, +-- +2.30.2 + diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch new file mode 100644 index 0000000000..4afd755149 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch @@ -0,0 +1,86 @@ +Backport of: + +From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 21 Sep 2020 09:15:51 +0200 +Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy" + +When using HTTPS proxy, SSL is used but not in the view of the FTP +protocol handler itself so separate the connection's use of SSL from the +FTP control connection's sue. + +Reported-by: Mingtao Yang +Fixes #5523 +Closes #6006 + +Upstream-Status: backport from 7.68.0-1ubuntu2.7 +Signed-off-by: Mike Crowe <mac@mcrowe.com> +--- + lib/ftp.c | 13 ++++++------- + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 3382772..677527f 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2488,7 +2488,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + +- if(conn->ssl[FIRSTSOCKET].use) { ++ if(conn->bits.ftp_use_control_ssl) { + /* PBSZ = PROTECTION BUFFER SIZE. + + The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says: +@@ -2633,11 +2633,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) + } + #endif + +- if(data->set.use_ssl && +- (!conn->ssl[FIRSTSOCKET].use || +- (conn->bits.proxy_ssl_connected[FIRSTSOCKET] && +- !conn->proxy_ssl[FIRSTSOCKET].use))) { +- /* We don't have a SSL/TLS connection yet, but FTPS is ++ if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) { ++ /* We don't have a SSL/TLS control connection yet, but FTPS is + requested. Try a FTPS connection now */ + + ftpc->count3 = 0; +@@ -2682,6 +2679,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) + result = Curl_ssl_connect(conn, FIRSTSOCKET); + if(!result) { + conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */ ++ conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */ + result = ftp_state_user(conn); + } + } +@@ -3072,7 +3070,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn) + * + */ + static CURLcode ftp_connect(struct connectdata *conn, +- bool *done) /* see description above */ ++ bool *done) /* see description above */ + { + CURLcode result; + struct ftp_conn *ftpc = &conn->proto.ftpc; +@@ -3093,6 +3091,7 @@ static CURLcode ftp_connect(struct connectdata *conn, + result = Curl_ssl_connect(conn, FIRSTSOCKET); + if(result) + return result; ++ conn->bits.ftp_use_control_ssl = TRUE; + } + + Curl_pp_init(pp); /* init the generic pingpong data */ +diff --git a/lib/urldata.h b/lib/urldata.h +index ff2d686..d1fb4a9 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -461,6 +461,7 @@ struct ConnectBits { + EPRT doesn't work we disable it for the forthcoming + requests */ + BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */ ++ BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */ + #endif + BIT(netrc); /* name+password provided by netrc */ + BIT(userpwd_in_url); /* name+password found in url */ diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch new file mode 100644 index 0000000000..98032d8b78 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch @@ -0,0 +1,328 @@ +Backport of: + +From 96d71feb27e533a8b337512841a537952916262c Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat <patrick@monnerat.net> +Date: Wed, 8 Sep 2021 11:56:22 +0200 +Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd + +In imap and pop3, check if TLS is required even when capabilities +request has failed. + +In ftp, ignore preauthentication (230 status of server greeting) if TLS +is required. + +Bug: https://curl.se/docs/CVE-2021-22946.html +Upstream-Status: backport from 7.68.0-1ubuntu2.7 +Signed-off-by: Mike Crowe <mac@mcrowe.com> +CVE: CVE-2021-22946 +--- + lib/ftp.c | 9 ++++--- + lib/imap.c | 24 ++++++++---------- + lib/pop3.c | 33 +++++++++++------------- + tests/data/Makefile.inc | 2 ++ + tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++ + tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++ + 7 files changed, 195 insertions(+), 36 deletions(-) + create mode 100644 tests/data/test984 + create mode 100644 tests/data/test985 + create mode 100644 tests/data/test986 + +diff --git a/lib/ftp.c b/lib/ftp.c +index 677527f..91b43d8 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2606,9 +2606,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) + /* we have now received a full FTP server response */ + switch(ftpc->state) { + case FTP_WAIT220: +- if(ftpcode == 230) +- /* 230 User logged in - already! */ +- return ftp_state_user_resp(conn, ftpcode, ftpc->state); ++ if(ftpcode == 230) { ++ /* 230 User logged in - already! Take as 220 if TLS required. */ ++ if(data->set.use_ssl <= CURLUSESSL_TRY || ++ conn->bits.ftp_use_control_ssl) ++ return ftp_state_user_resp(conn, ftpcode, ftpc->state); ++ } + else if(ftpcode != 220) { + failf(data, "Got a %03d ftp-server response when 220 was expected", + ftpcode); +diff --git a/lib/imap.c b/lib/imap.c +index 66172bd..9880ce1 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn, + line += wordlen; + } + } +- else if(imapcode == IMAP_RESP_OK) { +- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { +- /* We don't have a SSL/TLS connection yet, but SSL is requested */ +- if(imapc->tls_supported) +- /* Switch to TLS connection now */ +- result = imap_perform_starttls(conn); +- else if(data->set.use_ssl == CURLUSESSL_TRY) +- /* Fallback and carry on with authentication */ +- result = imap_perform_authentication(conn); +- else { +- failf(data, "STARTTLS not supported."); +- result = CURLE_USE_SSL_FAILED; +- } ++ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { ++ /* PREAUTH is not compatible with STARTTLS. */ ++ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { ++ /* Switch to TLS connection now */ ++ result = imap_perform_starttls(conn); + } +- else ++ else if(data->set.use_ssl <= CURLUSESSL_TRY) + result = imap_perform_authentication(conn); ++ else { ++ failf(data, "STARTTLS not available."); ++ result = CURLE_USE_SSL_FAILED; ++ } + } + else + result = imap_perform_authentication(conn); +diff --git a/lib/pop3.c b/lib/pop3.c +index 57c1373..145b2b4 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code, + } + } + } +- else if(pop3code == '+') { +- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { +- /* We don't have a SSL/TLS connection yet, but SSL is requested */ +- if(pop3c->tls_supported) +- /* Switch to TLS connection now */ +- result = pop3_perform_starttls(conn); +- else if(data->set.use_ssl == CURLUSESSL_TRY) +- /* Fallback and carry on with authentication */ +- result = pop3_perform_authentication(conn); +- else { +- failf(data, "STLS not supported."); +- result = CURLE_USE_SSL_FAILED; +- } +- } +- else +- result = pop3_perform_authentication(conn); +- } + else { + /* Clear text is supported when CAPA isn't recognised */ +- pop3c->authtypes |= POP3_TYPE_CLEARTEXT; ++ if(pop3code != '+') ++ pop3c->authtypes |= POP3_TYPE_CLEARTEXT; + +- result = pop3_perform_authentication(conn); ++ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) ++ result = pop3_perform_authentication(conn); ++ else if(pop3code == '+' && pop3c->tls_supported) ++ /* Switch to TLS connection now */ ++ result = pop3_perform_starttls(conn); ++ else if(data->set.use_ssl <= CURLUSESSL_TRY) ++ /* Fallback and carry on with authentication */ ++ result = pop3_perform_authentication(conn); ++ else { ++ failf(data, "STLS not supported."); ++ result = CURLE_USE_SSL_FAILED; ++ } + } + + return result; +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index f9535a6..0fa6799 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 \ + \ ++test984 test985 test986 \ ++\ + test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ + test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ + test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ +diff --git a/tests/data/test984 b/tests/data/test984 +new file mode 100644 +index 0000000..e573f23 +--- /dev/null ++++ b/tests/data/test984 +@@ -0,0 +1,56 @@ ++<testcase> ++<info> ++<keywords> ++IMAP ++STARTTLS ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<servercmd> ++REPLY CAPABILITY A001 BAD Not implemented ++</servercmd> ++</reply> ++ ++# ++# Client-side ++<client> ++<features> ++SSL ++</features> ++<server> ++imap ++</server> ++ <name> ++IMAP require STARTTLS with failing capabilities ++ </name> ++ <command> ++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd ++</command> ++<file name="log/upload%TESTNUMBER"> ++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) ++From: Fred Foobar <foobar@example.COM> ++Subject: afternoon meeting ++To: joe@example.com ++Message-Id: <B27397-0100000@example.COM> ++MIME-Version: 1.0 ++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII ++ ++Hello Joe, do you think we can meet at 3:30 tomorrow? ++</file> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++# 64 is CURLE_USE_SSL_FAILED ++<errorcode> ++64 ++</errorcode> ++<protocol> ++A001 CAPABILITY ++</protocol> ++</verify> ++</testcase> +diff --git a/tests/data/test985 b/tests/data/test985 +new file mode 100644 +index 0000000..d0db4aa +--- /dev/null ++++ b/tests/data/test985 +@@ -0,0 +1,54 @@ ++<testcase> ++<info> ++<keywords> ++POP3 ++STARTTLS ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<servercmd> ++REPLY CAPA -ERR Not implemented ++</servercmd> ++<data nocheck="yes"> ++From: me@somewhere ++To: fake@nowhere ++ ++body ++ ++-- ++ yours sincerely ++</data> ++</reply> ++ ++# ++# Client-side ++<client> ++<features> ++SSL ++</features> ++<server> ++pop3 ++</server> ++ <name> ++POP3 require STARTTLS with failing capabilities ++ </name> ++ <command> ++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd ++ </command> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++# 64 is CURLE_USE_SSL_FAILED ++<errorcode> ++64 ++</errorcode> ++<protocol> ++CAPA ++</protocol> ++</verify> ++</testcase> +diff --git a/tests/data/test986 b/tests/data/test986 +new file mode 100644 +index 0000000..a709437 +--- /dev/null ++++ b/tests/data/test986 +@@ -0,0 +1,53 @@ ++<testcase> ++<info> ++<keywords> ++FTP ++STARTTLS ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<servercmd> ++REPLY welcome 230 Welcome ++REPLY AUTH 500 unknown command ++</servercmd> ++</reply> ++ ++# Client-side ++<client> ++<features> ++SSL ++</features> ++<server> ++ftp ++</server> ++ <name> ++FTP require STARTTLS while preauthenticated ++ </name> ++<file name="log/test%TESTNUMBER.txt"> ++data ++ to ++ see ++that FTPS ++works ++ so does it? ++</file> ++ <command> ++--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret ++</command> ++</client> ++ ++# Verify data after the test has been "shot" ++<verify> ++# 64 is CURLE_USE_SSL_FAILED ++<errorcode> ++64 ++</errorcode> ++<protocol> ++AUTH SSL ++AUTH TLS ++</protocol> ++</verify> ++</testcase> diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch new file mode 100644 index 0000000000..070a328e27 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch @@ -0,0 +1,352 @@ +Backport of: + +From 259b4f2e1fd01fbc55e569ee0a507afeae34f77c Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat <patrick@monnerat.net> +Date: Tue, 7 Sep 2021 13:26:42 +0200 +Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response + pipelining + +If a server pipelines future responses within the STARTTLS response, the +former are preserved in the pingpong cache across TLS negotiation and +used as responses to the encrypted commands. + +This fix detects pipelined STARTTLS responses and rejects them with an +error. + +Bug: https://curl.se/docs/CVE-2021-22947.html +Upstream-Status: backport from 7.68.0-1ubuntu2.7 +Signed-off-by: Mike Crowe <mac@mcrowe.com> +CVE: CVE-2021-22947 + +--- + lib/ftp.c | 3 +++ + lib/imap.c | 4 +++ + lib/pop3.c | 4 +++ + lib/smtp.c | 4 +++ + tests/data/Makefile.inc | 2 ++ + tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++ + tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++ + tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++ + 9 files changed, 237 insertions(+) + create mode 100644 tests/data/test980 + create mode 100644 tests/data/test981 + create mode 100644 tests/data/test982 + create mode 100644 tests/data/test983 + +diff --git a/lib/ftp.c b/lib/ftp.c +index 91b43d8..31a34e8 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2670,6 +2670,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) + case FTP_AUTH: + /* we have gotten the response to a previous AUTH command */ + ++ if(pp->cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */ ++ + /* RFC2228 (page 5) says: + * + * If the server is willing to accept the named security mechanism, +diff --git a/lib/imap.c b/lib/imap.c +index 9880ce1..0ca700f 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn, + + (void)instate; /* no use for this yet */ + ++ /* Pipelining in response is forbidden. */ ++ if(data->conn->proto.imapc.pp.cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; ++ + if(imapcode != IMAP_RESP_OK) { + if(data->set.use_ssl != CURLUSESSL_TRY) { + failf(data, "STARTTLS denied"); +diff --git a/lib/pop3.c b/lib/pop3.c +index 145b2b4..8a2d52e 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn, + + (void)instate; /* no use for this yet */ + ++ /* Pipelining in response is forbidden. */ ++ if(data->conn->proto.pop3c.pp.cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; ++ + if(pop3code != '+') { + if(data->set.use_ssl != CURLUSESSL_TRY) { + failf(data, "STARTTLS denied"); +diff --git a/lib/smtp.c b/lib/smtp.c +index e187287..66183e2 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -820,6 +820,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn, + + (void)instate; /* no use for this yet */ + ++ /* Pipelining in response is forbidden. */ ++ if(data->conn->proto.smtpc.pp.cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; ++ + if(smtpcode != 220) { + if(data->set.use_ssl != CURLUSESSL_TRY) { + failf(data, "STARTTLS denied, code %d", smtpcode); +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 0fa6799..60e8176 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 \ + \ ++test980 test981 test982 test983 \ ++\ + test984 test985 test986 \ + \ + test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ +diff --git a/tests/data/test980 b/tests/data/test980 +new file mode 100644 +index 0000000..97567f8 +--- /dev/null ++++ b/tests/data/test980 +@@ -0,0 +1,52 @@ ++<testcase> ++<info> ++<keywords> ++SMTP ++STARTTLS ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<servercmd> ++CAPA STARTTLS ++AUTH PLAIN ++REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted ++REPLY AUTH 535 5.7.8 Authentication credentials invalid ++</servercmd> ++</reply> ++ ++# ++# Client-side ++<client> ++<features> ++SSL ++</features> ++<server> ++smtp ++</server> ++ <name> ++SMTP STARTTLS pipelined server response ++ </name> ++<stdin> ++mail body ++</stdin> ++ <command> ++smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T - ++</command> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++# 8 is CURLE_WEIRD_SERVER_REPLY ++<errorcode> ++8 ++</errorcode> ++<protocol> ++EHLO %TESTNUMBER ++STARTTLS ++</protocol> ++</verify> ++</testcase> +diff --git a/tests/data/test981 b/tests/data/test981 +new file mode 100644 +index 0000000..2b98ce4 +--- /dev/null ++++ b/tests/data/test981 +@@ -0,0 +1,59 @@ ++<testcase> ++<info> ++<keywords> ++IMAP ++STARTTLS ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<servercmd> ++CAPA STARTTLS ++REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted ++REPLY LOGIN A003 BAD Authentication credentials invalid ++</servercmd> ++</reply> ++ ++# ++# Client-side ++<client> ++<features> ++SSL ++</features> ++<server> ++imap ++</server> ++ <name> ++IMAP STARTTLS pipelined server response ++ </name> ++ <command> ++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl ++</command> ++<file name="log/upload%TESTNUMBER"> ++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) ++From: Fred Foobar <foobar@example.COM> ++Subject: afternoon meeting ++To: joe@example.com ++Message-Id: <B27397-0100000@example.COM> ++MIME-Version: 1.0 ++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII ++ ++Hello Joe, do you think we can meet at 3:30 tomorrow? ++</file> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++# 8 is CURLE_WEIRD_SERVER_REPLY ++<errorcode> ++8 ++</errorcode> ++<protocol> ++A001 CAPABILITY ++A002 STARTTLS ++</protocol> ++</verify> ++</testcase> +diff --git a/tests/data/test982 b/tests/data/test982 +new file mode 100644 +index 0000000..9e07cc0 +--- /dev/null ++++ b/tests/data/test982 +@@ -0,0 +1,57 @@ ++<testcase> ++<info> ++<keywords> ++POP3 ++STARTTLS ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<servercmd> ++CAPA STLS USER ++REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated ++REPLY PASS -ERR Authentication credentials invalid ++</servercmd> ++<data nocheck="yes"> ++From: me@somewhere ++To: fake@nowhere ++ ++body ++ ++-- ++ yours sincerely ++</data> ++</reply> ++ ++# ++# Client-side ++<client> ++<features> ++SSL ++</features> ++<server> ++pop3 ++</server> ++ <name> ++POP3 STARTTLS pipelined server response ++ </name> ++ <command> ++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl ++ </command> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++# 8 is CURLE_WEIRD_SERVER_REPLY ++<errorcode> ++8 ++</errorcode> ++<protocol> ++CAPA ++STLS ++</protocol> ++</verify> ++</testcase> +diff --git a/tests/data/test983 b/tests/data/test983 +new file mode 100644 +index 0000000..300ec45 +--- /dev/null ++++ b/tests/data/test983 +@@ -0,0 +1,52 @@ ++<testcase> ++<info> ++<keywords> ++FTP ++STARTTLS ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<servercmd> ++REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete ++REPLY PASS 530 Login incorrect ++</servercmd> ++</reply> ++ ++# Client-side ++<client> ++<features> ++SSL ++</features> ++<server> ++ftp ++</server> ++ <name> ++FTP STARTTLS pipelined server response ++ </name> ++<file name="log/test%TESTNUMBER.txt"> ++data ++ to ++ see ++that FTPS ++works ++ so does it? ++</file> ++ <command> ++--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP ++</command> ++</client> ++ ++# Verify data after the test has been "shot" ++<verify> ++# 8 is CURLE_WEIRD_SERVER_REPLY ++<errorcode> ++8 ++</errorcode> ++<protocol> ++AUTH SSL ++</protocol> ++</verify> ++</testcase> diff --git a/meta/recipes-support/curl/curl/CVE-2022-22576.patch b/meta/recipes-support/curl/curl/CVE-2022-22576.patch new file mode 100644 index 0000000000..13479e7f0e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-22576.patch @@ -0,0 +1,148 @@ +From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat <patrick@monnerat.net> +Date: Mon, 25 Apr 2022 11:44:05 +0200 +Subject: [PATCH] url: check sasl additional parameters for connection reuse. + +Also move static function safecmp() as non-static Curl_safecmp() since +its purpose is needed at several places. + +Bug: https://curl.se/docs/CVE-2022-22576.html + +CVE-2022-22576 + +Closes #8746 +--- + lib/strcase.c | 10 ++++++++++ + lib/strcase.h | 2 ++ + lib/url.c | 13 ++++++++++++- + lib/urldata.h | 1 + + lib/vtls/vtls.c | 21 ++++++--------------- + 5 files changed, 31 insertions(+), 16 deletions(-) + +CVE: CVE-2022-22576 +Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425.patch] +Comment: Refreshed patch +Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> + +diff --git a/lib/strcase.c b/lib/strcase.c +index dd46ca1ba0e5..692a3f14aee7 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -251,6 +251,16 @@ + } while(*src++ && --n); + } + ++/* Compare case-sensitive NUL-terminated strings, taking care of possible ++ * null pointers. Return true if arguments match. ++ */ ++bool Curl_safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ return !a && !b; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index b234d3815220..2635f5117e99 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -48,4 +48,6 @@ + void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + ++bool Curl_safecmp(char *a, char *b); ++ + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index 9a988b4d58d8..e1647b133854 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -730,6 +730,7 @@ + Curl_safefree(conn->allocptr.host); + Curl_safefree(conn->allocptr.cookiehost); + Curl_safefree(conn->allocptr.rtsp_transport); ++ Curl_safefree(conn->oauth_bearer); + Curl_safefree(conn->trailer); + Curl_safefree(conn->host.rawalloc); /* host name buffer */ + Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ +@@ -1251,7 +1252,9 @@ + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ + if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ strcmp(needle->passwd, check->passwd) || ++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || ++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -3392,6 +3395,14 @@ + result = CURLE_OUT_OF_MEMORY; + goto out; + } ++ } ++ ++ if(data->set.str[STRING_BEARER]) { ++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); ++ if(!conn->oauth_bearer) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto out; ++ } + } + + #ifdef USE_UNIX_SOCKETS +diff --git a/lib/urldata.h b/lib/urldata.h +index 07eb19b87034..1d89b8d7fa68 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -949,6 +949,8 @@ + + char *sasl_authzid; /* authorisation identity string, allocated */ + ++ char *oauth_bearer; /* OAUTH2 bearer, allocated */ ++ + int httpversion; /* the HTTP version*10 reported by the server */ + int rtspversion; /* the RTSP version*10 reported by the server */ + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 03b85ba065e5..a40ac06f684f 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -82,15 +82,6 @@ + else \ + dest->var = NULL; + +-static bool safecmp(char *a, char *b) +-{ +- if(a && b) +- return !strcmp(a, b); +- else if(!a && !b) +- return TRUE; /* match */ +- return FALSE; /* no match */ +-} +- + + bool + Curl_ssl_config_matches(struct ssl_primary_config* data, +@@ -101,12 +101,12 @@ + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +- safecmp(data->CApath, needle->CApath) && +- safecmp(data->CAfile, needle->CAfile) && +- safecmp(data->issuercert, needle->issuercert) && +- safecmp(data->clientcert, needle->clientcert) && +- safecmp(data->random_file, needle->random_file) && +- safecmp(data->egdsocket, needle->egdsocket) && ++ Curl_safecmp(data->CApath, needle->CApath) && ++ Curl_safecmp(data->CAfile, needle->CAfile) && ++ Curl_safecmp(data->issuercert, needle->issuercert) && ++ Curl_safecmp(data->clientcert, needle->clientcert) && ++ Curl_safecmp(data->random_file, needle->random_file) && ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch new file mode 100644 index 0000000000..063c11712a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch @@ -0,0 +1,45 @@ +From 2a797e099731facf62a2c675396334bc2ad3bc7c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] connect: store "conn_remote_port" in the info struct + +To make it available after the connection ended. + +Prerequisite for the patches that address CVE-2022-27774. + +Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/connect.c | 1 + + lib/urldata.h | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/connect.c b/lib/connect.c +index b3d4057..a977d67 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -624,6 +624,7 @@ void Curl_persistconninfo(struct connectdata *conn) + conn->data->info.conn_scheme = conn->handler->scheme; + conn->data->info.conn_protocol = conn->handler->protocol; + conn->data->info.conn_primary_port = conn->primary_port; ++ conn->data->info.conn_remote_port = conn->remote_port; + conn->data->info.conn_local_port = conn->local_port; + } + +diff --git a/lib/urldata.h b/lib/urldata.h +index fafb7a3..ab1b267 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1148,7 +1148,11 @@ struct PureInfo { + reused, in the connection cache. */ + + char conn_primary_ip[MAX_IPADR_LEN]; +- long conn_primary_port; ++ long conn_primary_port; /* this is the destination port to the connection, ++ which might have been a proxy */ ++ long conn_remote_port; /* this is the "remote port", which is the port ++ number of the used URL, independent of proxy or ++ not */ + char conn_local_ip[MAX_IPADR_LEN]; + long conn_local_port; + const char *conn_scheme; diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch new file mode 100644 index 0000000000..c64d614194 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch @@ -0,0 +1,80 @@ +From 5c2f3b3a5f115625134669d90d591de9c5aafc8e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] transfer: redirects to other protocols or ports clear auth + +... unless explicitly permitted. + +Bug: https://curl.se/docs/CVE-2022-27774.html +Reported-by: Harry Sintonen +Closes #8748 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 48 insertions(+), 1 deletion(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 744e1c0..ac69d27 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1627,10 +1627,57 @@ CURLcode Curl_follow(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + else { +- + uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); + if(uc) + return Curl_uc_to_curlcode(uc); ++ ++ /* Clear auth if this redirects to a different port number or protocol, ++ unless permitted */ ++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { ++ char *portnum; ++ int port; ++ bool clear = FALSE; ++ ++ if(data->set.use_port && data->state.allow_port) ++ /* a custom port is used */ ++ port = (int)data->set.use_port; ++ else { ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ port = atoi(portnum); ++ free(portnum); ++ } ++ if(port != data->info.conn_remote_port) { ++ infof(data, "Clear auth, redirects to port from %u to %u", ++ data->info.conn_remote_port, port); ++ clear = TRUE; ++ } ++ else { ++ char *scheme; ++ const struct Curl_handler *p; ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ ++ p = Curl_builtin_scheme(scheme); ++ if(p && (p->protocol != data->info.conn_protocol)) { ++ infof(data, "Clear auth, redirects scheme from %s to %s", ++ data->info.conn_scheme, scheme); ++ clear = TRUE; ++ } ++ free(scheme); ++ } ++ if(clear) { ++ Curl_safefree(data->set.str[STRING_USERNAME]); ++ Curl_safefree(data->set.str[STRING_PASSWORD]); ++ } ++ } + } + + if(type == FOLLOW_FAKE) { diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch new file mode 100644 index 0000000000..a585f6a8fa --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch @@ -0,0 +1,83 @@ +From 5dccf21ad49eed925e8f76b0cb844877239ce23d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Apr 2022 17:59:15 +0200 +Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either + +Follow-up to 620ea21410030 + +Reported-by: Harry Sintonen +Closes #8751 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/http.c | 10 +++++----- + lib/http.h | 6 ++++++ + lib/vtls/openssl.c | 3 ++- + 3 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 8b16c09..5291c07 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -732,10 +732,10 @@ output_auth_headers(struct connectdata *conn, + } + + /* +- * allow_auth_to_host() tells if autentication, cookies or other "sensitive +- * data" can (still) be sent to this host. ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. + */ +-static bool allow_auth_to_host(struct Curl_easy *data) ++bool Curl_allow_auth_to_host(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; + return (!data->state.this_is_a_follow || +@@ -816,7 +816,7 @@ Curl_http_output_auth(struct connectdata *conn, + + /* To prevent the user+password to get sent to other than the original host + due to a location-follow */ +- if(allow_auth_to_host(data) ++ if(Curl_allow_auth_to_host(data) + || conn->bits.netrc + ) + result = output_auth_headers(conn, authhost, request, path, FALSE); +@@ -1891,7 +1891,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- !allow_auth_to_host(data)) ++ !Curl_allow_auth_to_host(data)) + ; + else { + result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare); +diff --git a/lib/http.h b/lib/http.h +index 4c1825f..4fbae1d 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -273,4 +273,10 @@ Curl_http_output_auth(struct connectdata *conn, + bool proxytunnel); /* TRUE if this is the request setting + up the proxy tunnel */ + ++/* ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. ++ */ ++bool Curl_allow_auth_to_host(struct Curl_easy *data); ++ + #endif /* HEADER_CURL_HTTP_H */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 006a8c8..a14cecc 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2739,7 +2739,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + #endif + + #ifdef USE_TLS_SRP +- if(ssl_authtype == CURL_TLSAUTH_SRP) { ++ if((ssl_authtype == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + char * const ssl_username = SSL_SET_OPTION(username); + + infof(data, "Using TLS-SRP username: %s\n", ssl_username); diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch new file mode 100644 index 0000000000..2258681cab --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch @@ -0,0 +1,35 @@ +From 7395752e2f7b87dc8c8f2a7137075e2da554aaea Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 26 Apr 2022 07:46:19 +0200 +Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects + +Follow-up to 620ea21410030 and 139a54ed0a172a + +Reported-by: Harry Sintonen +Closes #8752 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/vtls/gtls.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 8c05102..3d0758d 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -581,11 +581,11 @@ gtls_connect_step1(struct connectdata *conn, + } + + #ifdef USE_TLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username)); + +- rc = gnutls_srp_allocate_client_credentials( +- &BACKEND->srp_client_cred); ++ rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_allocate_client_cred() failed: %s", + gnutls_strerror(rc)); diff --git a/meta/recipes-support/curl/curl/CVE-2022-27775.patch b/meta/recipes-support/curl/curl/CVE-2022-27775.patch new file mode 100644 index 0000000000..b3fe7b4494 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27775.patch @@ -0,0 +1,39 @@ +From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Apr 2022 11:48:00 +0200 +Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey + +Make connections to two separate IPv6 zone ids create separate +connections. + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27775.html +Closes #8747 +--- + lib/conncache.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +CVE: CVE-2022-27775 +Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705.patch] +Comment: Refreshed patch +Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> + +diff --git a/lib/conncache.c b/lib/conncache.c +index ec669b971dc3..8948b53fa500 100644 +--- a/lib/conncache.c ++++ b/lib/conncache.c +@@ -156,8 +156,12 @@ + /* report back which name we used */ + *hostp = hostname; + +- /* put the number first so that the hostname gets cut off if too long */ +- msnprintf(buf, len, "%ld%s", port, hostname); ++ /* put the numbers first so that the hostname gets cut off if too long */ ++#ifdef ENABLE_IPV6 ++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); ++#else ++ msnprintf(buf, len, "%ld/%s", port, hostname); ++#endif + } + + /* Returns number of connections currently held in the connection cache. diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch new file mode 100644 index 0000000000..1a13df2d95 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27776.patch @@ -0,0 +1,114 @@ +From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 25 Apr 2022 13:05:40 +0200 +Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port + +CVE-2022-27776 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27776.html +Closes #8749 +--- + lib/http.c | 34 ++++++++++++++++++++++------------ + lib/urldata.h | 16 +++++++++------- + 2 files changed, 31 insertions(+), 19 deletions(-) + +CVE: CVE-2022-27776 +Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch] +Comment: Refreshed patch +Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> + +diff --git a/lib/http.c b/lib/http.c +index ce79fc4e31c8..f0476f3b9272 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -731,6 +731,21 @@ + return CURLE_OK; + } + ++/* ++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive ++ * data" can (still) be sent to this host. ++ */ ++static bool allow_auth_to_host(struct Curl_easy *data) ++{ ++ struct connectdata *conn = data->conn; ++ return (!data->state.this_is_a_follow || ++ data->set.allow_auth_to_other_hosts || ++ (data->state.first_host && ++ strcasecompare(data->state.first_host, conn->host.name) && ++ (data->state.first_remote_port == conn->remote_port) && ++ (data->state.first_remote_protocol == conn->handler->protocol))); ++} ++ + /** + * Curl_http_output_auth() setups the authentication headers for the + * host/proxy and the correct authentication +@@ -799,15 +799,12 @@ + with it */ + authproxy->done = TRUE; + +- /* To prevent the user+password to get sent to other than the original +- host due to a location-follow, we do some weirdo checks here */ +- if(!data->state.this_is_a_follow || +- conn->bits.netrc || +- !data->state.first_host || +- data->set.allow_auth_to_other_hosts || +- strcasecompare(data->state.first_host, conn->host.name)) { ++ /* To prevent the user+password to get sent to other than the original host ++ due to a location-follow */ ++ if(allow_auth_to_host(data) ++ || conn->bits.netrc ++ ) + result = output_auth_headers(conn, authhost, request, path, FALSE); +- } + else + authhost->done = TRUE; + +@@ -1879,10 +1891,7 @@ + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- (data->state.this_is_a_follow && +- data->state.first_host && +- !data->set.allow_auth_to_other_hosts && +- !strcasecompare(data->state.first_host, conn->host.name))) ++ !allow_auth_to_host(data)) + ; + else { + result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare); +@@ -2065,6 +2074,7 @@ + return CURLE_OUT_OF_MEMORY; + + data->state.first_remote_port = conn->remote_port; ++ data->state.first_remote_protocol = conn->handler->protocol; + } + + if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && +diff --git a/lib/urldata.h b/lib/urldata.h +index 1d89b8d7fa68..ef2174d9e727 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1342,13 +1342,15 @@ + char *ulbuf; /* allocated upload buffer or NULL */ + curl_off_t current_speed; /* the ProgressShow() function sets this, + bytes / second */ +- char *first_host; /* host name of the first (not followed) request. +- if set, this should be the host name that we will +- sent authorization to, no else. Used to make Location: +- following not keep sending user+password... This is +- strdup() data. +- */ +- int first_remote_port; /* remote port of the first (not followed) request */ ++ ++ /* host name, port number and protocol of the first (not followed) request. ++ if set, this should be the host name that we will sent authorization to, ++ no else. Used to make Location: following not keep sending user+password. ++ This is strdup()ed data. */ ++ char *first_host; ++ int first_remote_port; ++ unsigned int first_remote_protocol; ++ + struct curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ + long sessionage; /* number of the most recent session */ + unsigned int tempcount; /* number of entries in use in tempwrite, 0 - 3 */ diff --git a/meta/recipes-support/curl/curl/CVE-2022-27781.patch b/meta/recipes-support/curl/curl/CVE-2022-27781.patch new file mode 100644 index 0000000000..ea1bc22928 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27781.patch @@ -0,0 +1,46 @@ +From 7a1f183039a6a6c9099a114f5e5c94777413c767 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 9 May 2022 10:07:15 +0200 +Subject: [PATCH] nss: return error if seemingly stuck in a cert loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2022-27781 + +Reported-by: Florian Kohnhäuser +Bug: https://curl.se/docs/CVE-2022-27781.html +Closes #8822 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/vtls/nss.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 375c78b..86102f7 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -950,6 +950,9 @@ static void display_cert_info(struct Curl_easy *data, + PR_Free(common_name); + } + ++/* A number of certs that will never occur in a real server handshake */ ++#define TOO_MANY_CERTS 300 ++ + static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) + { + CURLcode result = CURLE_OK; +@@ -986,6 +989,11 @@ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) + cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); + while(cert2) { + i++; ++ if(i >= TOO_MANY_CERTS) { ++ CERT_DestroyCertificate(cert2); ++ failf(data, "certificate loop"); ++ return CURLE_SSL_CERTPROBLEM; ++ } + if(cert2->isRoot) { + CERT_DestroyCertificate(cert2); + break; diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch new file mode 100644 index 0000000000..6b6d0e1938 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch @@ -0,0 +1,363 @@ +From 907a16c832d9ce0ffa7e9b2297548063095a7242 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH] tls: check more TLS details for connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/setopt.c | 29 +++++++++++++++++------------ + lib/url.c | 17 ++++++++++------- + lib/urldata.h | 13 +++++++------ + lib/vtls/gtls.c | 30 ++++++++++++++++-------------- + lib/vtls/mbedtls.c | 2 +- + lib/vtls/nss.c | 6 +++--- + lib/vtls/openssl.c | 10 +++++----- + lib/vtls/vtls.c | 1 + + 8 files changed, 60 insertions(+), 48 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 4648c87..bebb2e4 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2130,6 +2130,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.ssl.enable_beast = + (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); + data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); +@@ -2139,6 +2140,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.proxy_ssl.enable_beast = + (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); + data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); +@@ -2541,44 +2543,47 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to ++ SRP */ + break; + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + case CURLOPT_PROXY_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #endif + #ifdef USE_ARES +diff --git a/lib/url.c b/lib/url.c +index efa3dc7..6518be9 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -482,7 +482,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + set->ssl.primary.verifypeer = TRUE; + set->ssl.primary.verifyhost = TRUE; + #ifdef USE_TLS_SRP +- set->ssl.authtype = CURL_TLSAUTH_NONE; ++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +@@ -3594,8 +3594,9 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.pinned_key = + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; + +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; +- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; ++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; ++ data->set.proxy_ssl.primary.CRLfile = ++ data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; + data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; +@@ -3609,10 +3610,12 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG]; + data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; +- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; +- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; ++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; ++ data->set.proxy_ssl.primary.username = ++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; ++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; ++ data->set.proxy_ssl.primary.password = ++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + + if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, +diff --git a/lib/urldata.h b/lib/urldata.h +index ab1b267..ad0ef8f 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -231,6 +231,13 @@ struct ssl_primary_config { + char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; ++ char *CRLfile; /* CRL to check certificate revocation */ ++ #ifdef USE_TLS_SRP ++ char *username; /* TLS username (for, e.g., SRP) */ ++ char *password; /* TLS password (for, e.g., SRP) */ ++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ ++ #endif ++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -240,7 +247,6 @@ struct ssl_primary_config { + struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ +- char *CRLfile; /* CRL to check certificate revocation */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert; /* client certificate file name */ +@@ -248,11 +254,6 @@ struct ssl_config_data { + char *key; /* private key file name */ + char *key_type; /* format for private key (default: PEM) */ + char *key_passwd; /* plain text private key password */ +-#ifdef USE_TLS_SRP +- char *username; /* TLS username (for, e.g., SRP) */ +- char *password; /* TLS password (for, e.g., SRP) */ +- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +-#endif + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); + BIT(enable_beast); /* allow this flaw for interoperability's sake*/ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 3d0758d..92c301c 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -581,9 +581,10 @@ gtls_connect_step1(struct connectdata *conn, + } + + #ifdef USE_TLS_SRP +- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username)); ++ infof(data, "Using TLS-SRP username: %s\n", ++ SSL_SET_OPTION(primary.username)); + + rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -593,8 +594,8 @@ gtls_connect_step1(struct connectdata *conn, + } + + rc = gnutls_srp_set_client_credentials(BACKEND->srp_client_cred, +- SSL_SET_OPTION(username), +- SSL_SET_OPTION(password)); ++ SSL_SET_OPTION(primary.username), ++ SSL_SET_OPTION(primary.password)); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_set_client_cred() failed: %s", + gnutls_strerror(rc)); +@@ -648,19 +649,19 @@ gtls_connect_step1(struct connectdata *conn, + } + #endif + +- if(SSL_SET_OPTION(CRLfile)) { ++ if(SSL_SET_OPTION(primary.CRLfile)) { + /* set the CRL list file */ + rc = gnutls_certificate_set_x509_crl_file(BACKEND->cred, +- SSL_SET_OPTION(CRLfile), ++ SSL_SET_OPTION(primary.CRLfile), + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + failf(data, "error reading crl file %s (%s)", +- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); ++ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); + return CURLE_SSL_CRL_BADFILE; + } + else + infof(data, "found %d CRL in %s\n", +- rc, SSL_SET_OPTION(CRLfile)); ++ rc, SSL_SET_OPTION(primary.CRLfile)); + } + + /* Initialize TLS session as a client */ +@@ -879,7 +880,7 @@ gtls_connect_step1(struct connectdata *conn, + + #ifdef USE_TLS_SRP + /* put the credentials to the current session */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, + BACKEND->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -1061,8 +1062,8 @@ gtls_connect_step3(struct connectdata *conn, + SSL_CONN_CONFIG(verifyhost) || + SSL_CONN_CONFIG(issuercert)) { + #ifdef USE_TLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL + && !SSL_CONN_CONFIG(verifypeer) + && gnutls_cipher_get(session)) { + /* no peer cert, but auth is ok if we have SRP user and cipher and no +@@ -1116,7 +1117,8 @@ gtls_connect_step3(struct connectdata *conn, + failf(data, "server certificate verification failed. CAfile: %s " + "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): + "none", +- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); ++ SSL_SET_OPTION(primary.CRLfile) ? ++ SSL_SET_OPTION(primary.CRLfile) : "none"); + return CURLE_PEER_FAILED_VERIFICATION; + } + else +@@ -1703,8 +1705,8 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex) + gnutls_certificate_free_credentials(BACKEND->cred); + + #ifdef USE_TLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL) ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL) + gnutls_srp_free_client_credentials(BACKEND->srp_client_cred); + #endif + +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index 19df847..62d2b00 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -245,7 +245,7 @@ mbed_connect_step1(struct connectdata *conn, + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(cert); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 86102f7..62fd7a2 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -1955,13 +1955,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) + } + } + +- if(SSL_SET_OPTION(CRLfile)) { +- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); ++ if(SSL_SET_OPTION(primary.CRLfile)) { ++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); + if(rv) { + result = rv; + goto error; + } +- infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile)); ++ infof(data, " CRLfile: %s\n", SSL_SET_OPTION(primary.CRLfile)); + } + + if(SSL_SET_OPTION(cert)) { +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index a14cecc..ec5a8f5 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2454,14 +2454,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; + const long int ssl_version = SSL_CONN_CONFIG(version); + #ifdef USE_TLS_SRP +- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); ++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); + #endif + char * const ssl_cert = SSL_SET_OPTION(cert); + const char * const ssl_cert_type = SSL_SET_OPTION(cert_type); + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + char error_buffer[256]; + + DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); +@@ -2741,15 +2741,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + #ifdef USE_TLS_SRP + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- char * const ssl_username = SSL_SET_OPTION(username); +- ++ char * const ssl_username = SSL_SET_OPTION(primary.username); ++ char * const ssl_password = SSL_SET_OPTION(primary.password); + infof(data, "Using TLS-SRP username: %s\n", ssl_username); + + if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +- if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) { ++ if(!SSL_CTX_set_srp_password(BACKEND->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e38f74e..e8cb70f 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -89,6 +89,7 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, + { + if((data->version == needle->version) && + (data->version_max == needle->version_max) && ++ (data->ssl_options == needle->ssl_options) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch new file mode 100644 index 0000000000..3d56025210 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch @@ -0,0 +1,71 @@ +From 0a115a8903dffc7f723d1d4d71fb821d69eb8761 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH] url: check SSH config match on connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/url.c | 11 +++++++++++ + lib/vssh/ssh.h | 6 +++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 6518be9..8da0245 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1027,6 +1027,12 @@ static void prune_dead_connections(struct Curl_easy *data) + } + } + ++static bool ssh_config_matches(struct connectdata *one, ++ struct connectdata *two) ++{ ++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && ++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); ++} + /* + * Given one filled in connection struct (named needle), this function should + * detect if there already is one that has all the significant details +@@ -1260,6 +1266,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) || + needle->bits.tunnel_proxy) { + /* The requested connection does not use a HTTP proxy or it uses SSL or +diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h +index 0d4ee52..8f2632e 100644 +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -120,8 +120,8 @@ struct ssh_conn { + + /* common */ + const char *passphrase; /* pass-phrase to use */ +- char *rsa_pub; /* path name */ +- char *rsa; /* path name */ ++ char *rsa_pub; /* strdup'ed public key file */ ++ char *rsa; /* strdup'ed private key file */ + bool authed; /* the connection has been authenticated fine */ + sshstate state; /* always use ssh.c:state() to change state! */ + sshstate nextstate; /* the state to goto after stopping */ diff --git a/meta/recipes-support/curl/curl/CVE-2022-32206.patch b/meta/recipes-support/curl/curl/CVE-2022-32206.patch new file mode 100644 index 0000000000..3d76aeb43d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch @@ -0,0 +1,52 @@ +From 25e7be39be5f8ed696b6085ced9cf6c17e6128f4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 16 May 2022 16:28:13 +0200 +Subject: [PATCH] content_encoding: return error on too many compression steps + +The max allowed steps is arbitrarily set to 5. + +Bug: https://curl.se/docs/CVE-2022-32206.html +CVE-2022-32206 +Reported-by: Harry Sintonen +Closes #9049 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/content_encoding.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index 6d47537..91e621f 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -934,6 +934,9 @@ static const content_encoding *find_encoding(const char *name, size_t len) + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct connectdata *conn, +@@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn, + { + struct Curl_easy *data = conn->data; + struct SingleRequest *k = &data->req; ++ int counter = 0; + + do { + const char *name; +@@ -975,6 +979,11 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(++counter >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to %u content encodings", ++ counter); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. */ + writer = new_unencoding_writer(conn, encoding, k->writer_stack); + if(!writer) diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch b/meta/recipes-support/curl/curl/CVE-2022-32207.patch new file mode 100644 index 0000000000..f75aaecd64 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch @@ -0,0 +1,284 @@ +From af92181055d7d64dfc0bc9d5a13c8b98af3196be Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files + +Bug: https://curl.se/docs/CVE-2022-32207.html +CVE-2022-32207 +Reported-by: Harry Sintonen +Closes #9050 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + CMakeLists.txt | 1 + + configure.ac | 1 + + lib/Makefile.inc | 4 +- + lib/cookie.c | 19 ++----- + lib/curl_config.h.cmake | 3 ++ + lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++ + lib/fopen.h | 30 +++++++++++ + 7 files changed, 155 insertions(+), 16 deletions(-) + create mode 100644 lib/fopen.c + create mode 100644 lib/fopen.h + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 73b053b..cc587b0 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -869,6 +869,7 @@ elseif(HAVE_LIBSOCKET) + set(CMAKE_REQUIRED_LIBRARIES socket) + endif() + ++check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD) + check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME) + check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET) + check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT) +diff --git a/configure.ac b/configure.ac +index d090622..7071077 100755 +--- a/configure.ac ++++ b/configure.ac +@@ -4059,6 +4059,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se + + + AC_CHECK_FUNCS([fnmatch \ ++ fchmod \ + geteuid \ + getpass_r \ + getppid \ +diff --git a/lib/Makefile.inc b/lib/Makefile.inc +index 46ded90..79307d8 100644 +--- a/lib/Makefile.inc ++++ b/lib/Makefile.inc +@@ -63,7 +63,7 @@ LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c \ + curl_multibyte.c hostcheck.c conncache.c dotdot.c \ + x509asn1.c http2.c smb.c curl_endian.c curl_des.c system_win32.c \ + mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c \ +- doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c ++ doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c fopen.c + + LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \ + formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h \ +@@ -84,7 +84,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \ + x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h \ + curl_printf.h system_win32.h rand.h mime.h curl_sha256.h setopt.h \ + curl_path.h curl_ctype.h curl_range.h psl.h doh.h urlapi-int.h \ +- curl_get_line.h altsvc.h quic.h socketpair.h rename.h ++ curl_get_line.h altsvc.h quic.h socketpair.h rename.h fopen.h + + LIB_RCFILES = libcurl.rc + +diff --git a/lib/cookie.c b/lib/cookie.c +index 68054e1..a9ad20a 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -97,8 +97,8 @@ Example set of cookies: + #include "curl_memrchr.h" + #include "inet_pton.h" + #include "parsedate.h" +-#include "rand.h" + #include "rename.h" ++#include "fopen.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -1524,18 +1524,9 @@ static int cookie_output(struct Curl_easy *data, + use_stdout = TRUE; + } + else { +- unsigned char randsuffix[9]; +- +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return 2; +- +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); +- if(!tempstore) +- return 1; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- goto error; ++ error = Curl_fopen(data, filename, &out, &tempstore); ++ if(error) ++ goto error; + } + + fputs("# Netscape HTTP Cookie File\n" +@@ -1581,7 +1572,7 @@ static int cookie_output(struct Curl_easy *data, + if(!use_stdout) { + fclose(out); + out = NULL; +- if(Curl_rename(tempstore, filename)) { ++ if(tempstore && Curl_rename(tempstore, filename)) { + unlink(tempstore); + goto error; + } +diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake +index 98cdf51..fe43751 100644 +--- a/lib/curl_config.h.cmake ++++ b/lib/curl_config.h.cmake +@@ -124,6 +124,9 @@ + /* Define to 1 if you have the <assert.h> header file. */ + #cmakedefine HAVE_ASSERT_H 1 + ++/* Define to 1 if you have the `fchmod' function. */ ++#cmakedefine HAVE_FCHMOD 1 ++ + /* Define to 1 if you have the `basename' function. */ + #cmakedefine HAVE_BASENAME 1 + +diff --git a/lib/fopen.c b/lib/fopen.c +new file mode 100644 +index 0000000..ad3691b +--- /dev/null ++++ b/lib/fopen.c +@@ -0,0 +1,113 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "curl_setup.h" ++ ++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ ++ !defined(CURL_DISABLE_HSTS) ++ ++#ifdef HAVE_FCNTL_H ++#include <fcntl.h> ++#endif ++ ++#include "urldata.h" ++#include "rand.h" ++#include "fopen.h" ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" ++#include "memdebug.h" ++ ++/* ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed ++ * to the final name when completed. If there is an existing file using this ++ * name at the time of the open, this function will clone the mode from that ++ * file. if 'tempname' is non-NULL, it needs a rename after the file is ++ * written. ++ */ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname) ++{ ++ CURLcode result = CURLE_WRITE_ERROR; ++ unsigned char randsuffix[9]; ++ char *tempstore = NULL; ++ struct_stat sb; ++ int fd = -1; ++ *tempname = NULL; ++ ++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ /* a non-regular file, fallback to direct fopen() */ ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(*fh) ++ return CURLE_OK; ++ goto fail; ++ } ++ ++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ if(result) ++ goto fail; ++ ++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ if(!tempstore) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto fail; ++ } ++ ++ result = CURLE_WRITE_ERROR; ++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600); ++ if(fd == -1) ++ goto fail; ++ ++#ifdef HAVE_FCHMOD ++ { ++ struct_stat nsb; ++ if((fstat(fd, &nsb) != -1) && ++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { ++ /* if the user and group are the same, clone the original mode */ ++ if(fchmod(fd, sb.st_mode) == -1) ++ goto fail; ++ } ++ } ++#endif ++ ++ *fh = fdopen(fd, FOPEN_WRITETEXT); ++ if(!*fh) ++ goto fail; ++ ++ *tempname = tempstore; ++ return CURLE_OK; ++ ++fail: ++ if(fd != -1) { ++ close(fd); ++ unlink(tempstore); ++ } ++ ++ free(tempstore); ++ ++ *tempname = NULL; ++ return result; ++} ++ ++#endif /* ! disabled */ +diff --git a/lib/fopen.h b/lib/fopen.h +new file mode 100644 +index 0000000..289e55f +--- /dev/null ++++ b/lib/fopen.h +@@ -0,0 +1,30 @@ ++#ifndef HEADER_CURL_FOPEN_H ++#define HEADER_CURL_FOPEN_H ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname); ++ ++#endif diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch new file mode 100644 index 0000000000..2939314d09 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch @@ -0,0 +1,72 @@ +From 3b90f0b2a7a84645acce151c86b40d25b5de6615 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 9 Jun 2022 09:27:24 +0200 +Subject: [PATCH] krb5: return error properly on decode errors + +Bug: https://curl.se/docs/CVE-2022-32208.html +CVE-2022-32208 +Reported-by: Harry Sintonen +Closes #9051 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/krb5.c | 5 +---- + lib/security.c | 13 ++++++++++--- + 2 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/lib/krb5.c b/lib/krb5.c +index f50287a..5b77e35 100644 +--- a/lib/krb5.c ++++ b/lib/krb5.c +@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len, + enc.value = buf; + enc.length = len; + maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); +- if(maj != GSS_S_COMPLETE) { +- if(len >= 4) +- strcpy(buf, "599 "); ++ if(maj != GSS_S_COMPLETE) + return -1; +- } + + memcpy(buf, dec.value, dec.length); + len = curlx_uztosi(dec.length); +diff --git a/lib/security.c b/lib/security.c +index fbfa707..3542210 100644 +--- a/lib/security.c ++++ b/lib/security.c +@@ -192,6 +192,7 @@ static CURLcode read_data(struct connectdata *conn, + { + int len; + CURLcode result; ++ int nread; + + result = socket_read(fd, &len, sizeof(len)); + if(result) +@@ -200,7 +201,10 @@ static CURLcode read_data(struct connectdata *conn, + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- buf->data = Curl_saferealloc(buf->data, len); ++ if(len > CURL_MAX_INPUT_LENGTH) ++ len = 0; ++ else ++ buf->data = Curl_saferealloc(buf->data, len); + } + if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; +@@ -208,8 +212,11 @@ static CURLcode read_data(struct connectdata *conn, + result = socket_read(fd, buf->data, len); + if(result) + return result; +- buf->size = conn->mech->decode(conn->app_data, buf->data, len, +- conn->data_prot, conn); ++ nread = buf->size = conn->mech->decode(conn->app_data, buf->data, len, ++ conn->data_prot, conn); ++ if(nread < 0) ++ return CURLE_RECV_ERROR; ++ buf->size = (size_t)nread; + buf->index = 0; + return CURLE_OK; + } diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch new file mode 100644 index 0000000000..8e662abd3a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch @@ -0,0 +1,29 @@ +From 75c04a3e75e8e3025a17ca3033ca307da9691cd0 Mon Sep 17 00:00:00 2001 +From: Vivek Kumbhar <vkumbhar@mvista.com> +Date: Fri, 11 Nov 2022 10:49:58 +0530 +Subject: [PATCH] CVE-2022-32221 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d6] +CVE: CVE-2022-32221 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> + +setopt: when POST is set, reset the 'upload' field. +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index bebb2e4..4d96f6b 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -486,6 +486,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.httpreq = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_COPYPOSTFIELDS: +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2022-35252.patch b/meta/recipes-support/curl/curl/CVE-2022-35252.patch new file mode 100644 index 0000000000..a5160c01f4 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-35252.patch @@ -0,0 +1,72 @@ +From c9212bdb21f0cc90a1a60dfdbb716deefe78fd40 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH] cookie: reject cookies with "control bytes" + +Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + +Reported-by: Axel Chong + +Bug: https://curl.se/docs/CVE-2022-35252.html + +CVE-2022-35252 + +Closes #9381 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb] + +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/cookie.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/lib/cookie.c b/lib/cookie.c +index a9ad20a..66c7715 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -412,6 +412,30 @@ static bool bad_domain(const char *domain) + return !strchr(domain, '.') && !strcasecompare(domain, "localhost"); + } + ++/* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. ++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ + /**************************************************************************** + * + * Curl_cookie_add() +@@ -558,6 +582,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* this was a "<name>=" with no content, and we must allow +-- +2.35.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/meta/recipes-support/curl/curl/CVE-2022-35260.patch new file mode 100644 index 0000000000..476c996b0a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-35260.patch @@ -0,0 +1,68 @@ +From 3ff3989ec53d9ddcf4bdd99f5d5788dd87486768 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 4 Oct 2022 14:37:24 +0200 +Subject: [PATCH] netrc: replace fgets with Curl_get_line + +Upstream-Status: Backport +CVE: CVE-2022-35260 +Reference to upstream patch: https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c + +Make the parser only accept complete lines and avoid problems with +overly long lines. + +Reported-by: Hiroki Kurosawa + +Closes #9789 +--- + lib/curl_get_line.c | 4 ++-- + lib/netrc.c | 5 +++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c +index c4194851ae09..4b9eea9e631c 100644 +--- a/lib/curl_get_line.c ++++ b/lib/curl_get_line.c +@@ -28,8 +28,8 @@ + #include "memdebug.h" + + /* +- * get_line() makes sure to only return complete whole lines that fit in 'len' +- * bytes and end with a newline. ++ * Curl_get_line() makes sure to only return complete whole lines that fit in ++ * 'len' bytes and end with a newline. + */ + char *Curl_get_line(char *buf, int len, FILE *input) + { +diff --git a/lib/netrc.c b/lib/netrc.c +index 1c9da31993c9..93239132c9d8 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -31,6 +31,7 @@ + #include "netrc.h" + #include "strtok.h" + #include "strcase.h" ++#include "curl_get_line.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -83,7 +84,7 @@ static int parsenetrc(const char *host, + char netrcbuffer[4096]; + int netrcbuffsize = (int)sizeof(netrcbuffer); + +- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) { ++ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) { + tok = strtok_r(netrcbuffer, " \t\n", &tok_buf); + if(tok && *tok == '#') + /* treat an initial hash as a comment line */ +@@ -169,7 +170,7 @@ static int parsenetrc(const char *host, + + tok = strtok_r(NULL, " \t\n", &tok_buf); + } /* while(tok) */ +- } /* while fgets() */ ++ } /* while Curl_get_line() */ + + out: + if(!retcode) { +-- +2.34.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/meta/recipes-support/curl/curl/CVE-2022-43552.patch new file mode 100644 index 0000000000..d729441454 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch @@ -0,0 +1,82 @@ +rom 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 + +CVE: CVE-2022-43552 +Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 12f9925..8db3b27 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -61,8 +61,6 @@ static CURLcode smb_connect(struct connectdata *conn, bool *done); + static CURLcode smb_connection_state(struct connectdata *conn, bool *done); + static CURLcode smb_do(struct connectdata *conn, bool *done); + static CURLcode smb_request_state(struct connectdata *conn, bool *done); +-static CURLcode smb_done(struct connectdata *conn, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct connectdata *conn, bool dead); + static int smb_getsock(struct connectdata *conn, curl_socket_t *socks); + static CURLcode smb_parse_url_path(struct connectdata *conn); +@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -99,7 +97,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -919,14 +917,6 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct connectdata *conn, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(conn->data->req.protop); +- return status; +-} +- + static CURLcode smb_disconnect(struct connectdata *conn, bool dead) + { + struct smb_conn *smbc = &conn->proto.smbc; +diff --git a/lib/telnet.c b/lib/telnet.c +index 3347ad6..e3b9208 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1294,9 +1294,6 @@ static CURLcode telnet_done(struct connectdata *conn, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(conn->data->req.protop); +- + return CURLE_OK; + } + +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch new file mode 100644 index 0000000000..054615963e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch @@ -0,0 +1,231 @@ +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat <patrick@monnerat.net> +Date: Mon, 13 Feb 2023 08:33:09 +0100 +Subject: [PATCH] content_encoding: do not reset stage counter for each header + +Test 418 verifies + +Closes #10492 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9] +CVE: CVE-2023-23916 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/content_encoding.c | 7 +- + lib/urldata.h | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 157 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test418 + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index 91e621f..7e098a5 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -944,7 +944,6 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn, + { + struct Curl_easy *data = conn->data; + struct SingleRequest *k = &data->req; +- int counter = 0; + + do { + const char *name; +@@ -979,9 +978,9 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + +- if(++counter >= MAX_ENCODE_STACK) { +- failf(data, "Reject response due to %u content encodings", +- counter); ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to more than %u content encodings", ++ MAX_ENCODE_STACK); + return CURLE_BAD_CONTENT_ENCODING; + } + /* Stack the unencoding stage. */ +diff --git a/lib/urldata.h b/lib/urldata.h +index ad0ef8f..168f874 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -648,6 +648,7 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata doh; /* DoH specific data for this request */ + #endif ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 60e8176..40de8bc 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -63,7 +63,7 @@ test350 test351 test352 test353 test354 test355 test356 test357 \ + test393 test394 test395 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ +-test409 \ ++test409 test418 \ + \ + test490 test491 test492 \ + \ +diff --git a/tests/data/test418 b/tests/data/test418 +new file mode 100644 +index 0000000..50e974e +--- /dev/null ++++ b/tests/data/test418 +@@ -0,0 +1,152 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++gzip ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<data nocheck="yes"> ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++ ++-foo- ++</data> ++</reply> ++ ++# ++# Client-side ++<client> ++<server> ++http ++</server> ++ <name> ++Response with multiple Transfer-Encoding headers ++ </name> ++ <command> ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++</command> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++<protocol crlf="yes"> ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++</protocol> ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++<errorcode> ++61 ++</errorcode> ++<stderr mode="text"> ++curl: (61) Reject response due to more than 5 content encodings ++</stderr> ++</verify> ++</testcase> +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27533.patch b/meta/recipes-support/curl/curl/CVE-2023-27533.patch new file mode 100644 index 0000000000..64ba135056 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch @@ -0,0 +1,59 @@ +Backport of: + +From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27533.patch?h=ubuntu/focal-security +Upstream commit https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684] +CVE: CVE-2023-27533 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/telnet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -815,6 +815,17 @@ static void printsub(struct Curl_easy *d + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct connectdata *conn) + { + struct curl_slist *head; +@@ -829,6 +840,8 @@ static CURLcode check_telnet_options(str + /* Add the user name as an environment variable if it + was given on the command line */ + if(conn->bits.user_passwd) { ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { +@@ -844,6 +857,9 @@ static CURLcode check_telnet_options(str + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { + ++ if(str_is_nonascii(option_arg)) ++ continue; ++ + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { + strncpy(tn->subopt_ttype, option_arg, 31); diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch new file mode 100644 index 0000000000..46c57afb73 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch @@ -0,0 +1,51 @@ +From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 +From: Eric Vigeant <evigeant@gmail.com> +Date: Wed, 2 Nov 2022 11:47:09 -0400 +Subject: [PATCH] cur_path: do not add '/' if homedir ends with one + +When using SFTP and a path relative to the user home, do not add a +trailing '/' to the user home dir if it already ends with one. + +Closes #9844 + +CVE: CVE-2023-27534 +Note: +- The upstream patch for CVE-2023-27534 does three things: +1) creates new path with dynbuf(dynamic buffer) +2) solves the tilde error which causes CVE-2023-27534 +3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf. +- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions. +- This patch completes the 3rd task of the patch which was implemented without using dynbuf +Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b] + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + lib/curl_path.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index f429634..40b92ee 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, + /* It is referenced to the home directory, so strip the + leading '/' */ + memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; ++ /* Only add a trailing '/' if homedir does not end with one */ ++ if(homelen == 0 || real_path[homelen - 1] != '/') { ++ real_path[homelen] = '/'; ++ homelen++; ++ real_path[homelen] = '\0'; ++ } + if(working_path_len > 3) { +- memcpy(real_path + homelen + 1, working_path + 3, ++ memcpy(real_path + homelen, working_path + 3, + 1 + working_path_len -3); + } + } +-- +2.24.4 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch new file mode 100644 index 0000000000..3ecd181290 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch @@ -0,0 +1,33 @@ +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 9 Mar 2023 16:22:11 +0100 +Subject: [PATCH] curl_path: create the new path with dynbuf + +Closes #10729 + +CVE: CVE-2023-27534 +Note: This patch is needed to backport CVE-2023-27534 +Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + lib/curl_path.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 40b92ee..598c5dd 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, + memcpy(real_path, working_path, 1 + working_path_len); + } + else if(conn->handler->protocol & CURLPROTO_SFTP) { +- if((working_path_len > 1) && (working_path[1] == '~')) { ++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { + size_t homelen = strlen(homedir); + real_path = malloc(homelen + working_path_len + 1); + if(real_path == NULL) { +-- +2.24.4 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch new file mode 100644 index 0000000000..034b72f7e6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch @@ -0,0 +1,236 @@ +From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 6 Oct 2022 00:49:10 +0200 +Subject: [PATCH] strcase: add and use Curl_timestrcmp + +This is a strcmp() alternative function for comparing "secrets", +designed to take the same time no matter the content to not leak +match/non-match info to observers based on how fast it is. + +The time this function takes is only a function of the shortest input +string. + +Reported-by: Trail of Bits + +Closes #9658 + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 & https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] +Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp. +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/netrc.c | 6 +++--- + lib/strcase.c | 22 ++++++++++++++++++++++ + lib/strcase.h | 1 + + lib/url.c | 33 +++++++++++++-------------------- + lib/vauth/digest_sspi.c | 4 ++-- + lib/vtls/vtls.c | 21 ++++++++++++++++++++- + 6 files changed, 61 insertions(+), 26 deletions(-) + +diff --git a/lib/netrc.c b/lib/netrc.c +index 9323913..fe3fd1e 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -124,9 +124,9 @@ static int parsenetrc(const char *host, + /* we are now parsing sub-keywords concerning "our" host */ + if(state_login) { + if(specific_login) { +- state_our_login = strcasecompare(login, tok); ++ state_our_login = !Curl_timestrcmp(login, tok); + } +- else if(!login || strcmp(login, tok)) { ++ else if(!login || Curl_timestrcmp(login, tok)) { + if(login_alloc) { + free(login); + login_alloc = FALSE; +@@ -142,7 +142,7 @@ static int parsenetrc(const char *host, + } + else if(state_password) { + if((state_our_login || !specific_login) +- && (!password || strcmp(password, tok))) { ++ && (!password || Curl_timestrcmp(password, tok))) { + if(password_alloc) { + free(password); + password_alloc = FALSE; +diff --git a/lib/strcase.c b/lib/strcase.c +index 70bf21c..ec776b3 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -261,6 +261,28 @@ bool Curl_safecmp(char *a, char *b) + return !a && !b; + } + ++/* ++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this ++ * function spends is a function of the shortest string, not of the contents. ++ */ ++int Curl_timestrcmp(const char *a, const char *b) ++{ ++ int match = 0; ++ int i = 0; ++ ++ if(a && b) { ++ while(1) { ++ match |= a[i]^b[i]; ++ if(!a[i] || !b[i]) ++ break; ++ i++; ++ } ++ } ++ else ++ return a || b; ++ return match; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index 8929a53..8077108 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -49,5 +49,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + + bool Curl_safecmp(char *a, char *b); ++int Curl_timestrcmp(const char *first, const char *second); + + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index 9f14a7b..dfbde3b 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -886,19 +886,10 @@ socks_proxy_info_matches(const struct proxy_info* data, + /* the user information is case-sensitive + or at least it is not defined as case-insensitive + see https://tools.ietf.org/html/rfc3986#section-3.2.1 */ +- if((data->user == NULL) != (needle->user == NULL)) +- return FALSE; +- /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(data->user && +- needle->user && +- strcmp(data->user, needle->user) != 0) +- return FALSE; +- if((data->passwd == NULL) != (needle->passwd == NULL)) +- return FALSE; ++ + /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(data->passwd && +- needle->passwd && +- strcmp(data->passwd, needle->passwd) != 0) ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) + return FALSE; + return TRUE; + } +@@ -1257,10 +1248,10 @@ ConnectionExists(struct Curl_easy *data, + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd) || +- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || +- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd) || ++ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) || ++ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -1326,8 +1317,8 @@ ConnectionExists(struct Curl_easy *data, + possible. (Especially we must not reuse the same connection if + partway through a handshake!) */ + if(wantNTLMhttp) { +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd)) { + + /* we prefer a credential match, but this is at least a connection + that can be reused and "upgraded" to NTLM */ +@@ -1348,8 +1339,10 @@ ConnectionExists(struct Curl_easy *data, + if(!check->http_proxy.user || !check->http_proxy.passwd) + continue; + +- if(strcmp(needle->http_proxy.user, check->http_proxy.user) || +- strcmp(needle->http_proxy.passwd, check->http_proxy.passwd)) ++ if(Curl_timestrcmp(needle->http_proxy.user, ++ check->http_proxy.user) || ++ Curl_timestrcmp(needle->http_proxy.passwd, ++ check->http_proxy.passwd)) + continue; + } + else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { +diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c +index a109056..3986386 100644 +--- a/lib/vauth/digest_sspi.c ++++ b/lib/vauth/digest_sspi.c +@@ -450,8 +450,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, + has changed then delete that context. */ + if((userp && !digest->user) || (!userp && digest->user) || + (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || +- (userp && digest->user && strcmp(userp, digest->user)) || +- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { ++ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || ++ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) { + if(digest->http_context) { + s_pSecFn->DeleteSecurityContext(digest->http_context); + Curl_safefree(digest->http_context); +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e8cb70f..70a9391 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -98,9 +98,15 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, + Curl_safecmp(data->issuercert, needle->issuercert) && + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && +- Curl_safecmp(data->egdsocket, needle->egdsocket) && ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ !Curl_timestrcmp(data->username, needle->username) && ++ !Curl_timestrcmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -117,6 +123,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_STRING(CApath); + CLONE_STRING(CAfile); +@@ -127,6 +136,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(cipher_list); + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); ++ CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -142,6 +156,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) + Curl_safefree(sslc->cipher_list); + Curl_safefree(sslc->cipher_list13); + Curl_safefree(sslc->pinned_key); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535.patch b/meta/recipes-support/curl/curl/CVE-2023-27535.patch new file mode 100644 index 0000000000..e38390a57c --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535.patch @@ -0,0 +1,170 @@ +From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 9 Mar 2023 17:47:06 +0100 +Subject: [PATCH] ftp: add more conditions for connection reuse + +Reported-by: Harry Sintonen +Closes #10730 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27535.patch?h=ubuntu/focal-security +Upstream commit https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1] +CVE: CVE-2023-27535 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/ftp.c | 30 ++++++++++++++++++++++++++++-- + lib/ftp.h | 5 +++++ + lib/setopt.c | 2 +- + lib/url.c | 16 +++++++++++++++- + lib/urldata.h | 4 ++-- + 5 files changed, 51 insertions(+), 6 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 31a34e8..7a82a74 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -4059,6 +4059,10 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection) + } + + freedirs(ftpc); ++ free(ftpc->account); ++ ftpc->account = NULL; ++ free(ftpc->alternative_to_user); ++ ftpc->alternative_to_user = NULL; + free(ftpc->prevpath); + ftpc->prevpath = NULL; + free(ftpc->server_os); +@@ -4326,11 +4330,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) + struct Curl_easy *data = conn->data; + char *type; + struct FTP *ftp; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + +- conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1); ++ ftp = calloc(sizeof(struct FTP), 1); + if(NULL == ftp) + return CURLE_OUT_OF_MEMORY; + ++ /* clone connection related data that is FTP specific */ ++ if(data->set.str[STRING_FTP_ACCOUNT]) { ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); ++ if(!ftpc->account) { ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { ++ ftpc->alternative_to_user = ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); ++ if(!ftpc->alternative_to_user) { ++ Curl_safefree(ftpc->account); ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ conn->data->req.protop = ftp; ++ + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ + + /* FTP URLs support an extension like ";type=<typecode>" that +@@ -4366,7 +4390,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) + /* get some initial data into the ftp struct */ + ftp->transfer = FTPTRANSFER_BODY; + ftp->downloadsize = 0; +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ ++ ftpc->known_filesize = -1; /* unknown size for now */ ++ ftpc->use_ssl = data->set.use_ssl; ++ ftpc->ccc = data->set.ftp_ccc; + + return CURLE_OK; + } +diff --git a/lib/ftp.h b/lib/ftp.h +index 984347f..163dcb3 100644 +--- a/lib/ftp.h ++++ b/lib/ftp.h +@@ -116,6 +116,8 @@ struct FTP { + struct */ + struct ftp_conn { + struct pingpong pp; ++ char *account; ++ char *alternative_to_user; + char *entrypath; /* the PWD reply when we logged on */ + char **dirs; /* realloc()ed array for path components */ + int dirdepth; /* number of entries used in the 'dirs' array */ +@@ -141,6 +143,9 @@ struct ftp_conn { + ftpstate state; /* always use ftp.c:state() to change state! */ + ftpstate state_saved; /* transfer type saved to be reloaded after + data connection is established */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ ++ unsigned char ccc; /* ccc level for this connection */ + curl_off_t retr_size_saved; /* Size of retrieved file saved */ + char *server_os; /* The target server operating system. */ + curl_off_t known_filesize; /* file size is different from -1, if wildcard +diff --git a/lib/setopt.c b/lib/setopt.c +index 4d96f6b..a91bb70 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2126,7 +2126,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + arg = va_arg(param, long); + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) + return CURLE_BAD_FUNCTION_ARGUMENT; +- data->set.use_ssl = (curl_usessl)arg; ++ data->set.use_ssl = (unsigned char)arg; + break; + + case CURLOPT_SSL_OPTIONS: +diff --git a/lib/url.c b/lib/url.c +index dfbde3b..f84375c 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1257,10 +1257,24 @@ ConnectionExists(struct Curl_easy *data, + } + } + +- if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { ++#ifdef USE_SSH ++ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } ++#endif ++#ifndef CURL_DISABLE_FTP ++ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_FTP) { ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ ++ if(Curl_timestrcmp(needle->proto.ftpc.account, ++ check->proto.ftpc.account) || ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, ++ check->proto.ftpc.alternative_to_user) || ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) ++ continue; ++ } ++#endif + + if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) || + needle->bits.tunnel_proxy) { +diff --git a/lib/urldata.h b/lib/urldata.h +index 168f874..51b793b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1730,8 +1730,6 @@ struct UserDefined { + void *ssh_keyfunc_userp; /* custom pointer to callback */ + enum CURL_NETRC_OPTION + use_netrc; /* defined in include/curl.h */ +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! */ + long new_file_perms; /* Permissions to use when creating remote files */ + long new_directory_perms; /* Permissions to use when creating remote dirs */ + long ssh_auth_types; /* allowed SSH auth types */ +@@ -1851,6 +1849,8 @@ struct UserDefined { + BIT(http09_allowed); /* allow HTTP/0.9 responses */ + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some + recipients */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + }; + + struct Names { +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch new file mode 100644 index 0000000000..b04a77de25 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch @@ -0,0 +1,55 @@ +From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Reported-by: Harry Sintonen +Closes #10731 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5] +CVE: CVE-2023-27536 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index f84375c..87f4eb0 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1257,6 +1257,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + #ifdef USE_SSH + else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) +@@ -1708,6 +1713,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/lib/urldata.h b/lib/urldata.h +index 51b793b..b8a611b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1118,6 +1118,7 @@ struct connectdata { + handle */ + BIT(sock_accepted); /* TRUE if the SECONDARYSOCKET was created with + accept() */ ++ long gssapi_delegation; /* inherited from set.gssapi_delegation */ + }; + + /* The end of connectdata. */ +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch new file mode 100644 index 0000000000..6c40989d3b --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch @@ -0,0 +1,31 @@ +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 10 Mar 2023 08:22:51 +0100 +Subject: [PATCH] url: fix the SSH connection reuse check + +Reported-by: Harry Sintonen +Closes #10735 + +CVE: CVE-2023-27538 +Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 8da0245..9f14a7b 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1266,7 +1266,7 @@ ConnectionExists(struct Curl_easy *data, + } + } + +- if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) { ++ if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch new file mode 100644 index 0000000000..eaa6fdc327 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch @@ -0,0 +1,197 @@ +From f446258f0269a62289cca0210157cb8558d0edc3 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 16 May 2023 23:40:42 +0200 +Subject: [PATCH] hostip: include easy_lock.h before using + GLOBAL_INIT_IS_THREADSAFE + +Since that header file is the only place that define can be defined. + +Reported-by: Marc Deslauriers + +Follow-up to 13718030ad4b3209 + +Closes #11121 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3] +CVE: CVE-2023-28320 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + lib/easy_lock.h | 109 ++++++++++++++++++++++++++++++++++++++++++++++++ + lib/hostip.c | 10 ++--- + lib/hostip.h | 9 ---- + 3 files changed, 113 insertions(+), 15 deletions(-) + create mode 100644 lib/easy_lock.h + +diff --git a/lib/easy_lock.h b/lib/easy_lock.h +new file mode 100644 +index 0000000..6399a39 +--- /dev/null ++++ b/lib/easy_lock.h +@@ -0,0 +1,109 @@ ++#ifndef HEADER_CURL_EASY_LOCK_H ++#define HEADER_CURL_EASY_LOCK_H ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "curl_setup.h" ++ ++#define GLOBAL_INIT_IS_THREADSAFE ++ ++#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 ++ ++#ifdef __MINGW32__ ++#ifndef __MINGW64_VERSION_MAJOR ++#if (__MINGW32_MAJOR_VERSION < 5) || \ ++ (__MINGW32_MAJOR_VERSION == 5 && __MINGW32_MINOR_VERSION == 0) ++/* mingw >= 5.0.1 defines SRWLOCK, and slightly different from MS define */ ++typedef PVOID SRWLOCK, *PSRWLOCK; ++#endif ++#endif ++#ifndef SRWLOCK_INIT ++#define SRWLOCK_INIT NULL ++#endif ++#endif /* __MINGW32__ */ ++ ++#define curl_simple_lock SRWLOCK ++#define CURL_SIMPLE_LOCK_INIT SRWLOCK_INIT ++ ++#define curl_simple_lock_lock(m) AcquireSRWLockExclusive(m) ++#define curl_simple_lock_unlock(m) ReleaseSRWLockExclusive(m) ++ ++#elif defined(HAVE_ATOMIC) && defined(HAVE_STDATOMIC_H) ++#include <stdatomic.h> ++#if defined(HAVE_SCHED_YIELD) ++#include <sched.h> ++#endif ++ ++#define curl_simple_lock atomic_int ++#define CURL_SIMPLE_LOCK_INIT 0 ++ ++/* a clang-thing */ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++#ifndef __INTEL_COMPILER ++/* The Intel compiler tries to look like GCC *and* clang *and* lies in its ++ __has_builtin() function, so override it. */ ++ ++/* if GCC on i386/x86_64 or if the built-in is present */ ++#if ( (defined(__GNUC__) && !defined(__clang__)) && \ ++ (defined(__i386__) || defined(__x86_64__))) || \ ++ __has_builtin(__builtin_ia32_pause) ++#define HAVE_BUILTIN_IA32_PAUSE ++#endif ++ ++#endif ++ ++static inline void curl_simple_lock_lock(curl_simple_lock *lock) ++{ ++ for(;;) { ++ if(!atomic_exchange_explicit(lock, true, memory_order_acquire)) ++ break; ++ /* Reduce cache coherency traffic */ ++ while(atomic_load_explicit(lock, memory_order_relaxed)) { ++ /* Reduce load (not mandatory) */ ++#ifdef HAVE_BUILTIN_IA32_PAUSE ++ __builtin_ia32_pause(); ++#elif defined(__aarch64__) ++ __asm__ volatile("yield" ::: "memory"); ++#elif defined(HAVE_SCHED_YIELD) ++ sched_yield(); ++#endif ++ } ++ } ++} ++ ++static inline void curl_simple_lock_unlock(curl_simple_lock *lock) ++{ ++ atomic_store_explicit(lock, false, memory_order_release); ++} ++ ++#else ++ ++#undef GLOBAL_INIT_IS_THREADSAFE ++ ++#endif ++ ++#endif /* HEADER_CURL_EASY_LOCK_H */ +diff --git a/lib/hostip.c b/lib/hostip.c +index 5231a74..d5bf881 100644 +--- a/lib/hostip.c ++++ b/lib/hostip.c +@@ -68,6 +68,8 @@ + #include "curl_memory.h" + #include "memdebug.h" + ++#include "easy_lock.h" ++ + #if defined(CURLRES_SYNCH) && \ + defined(HAVE_ALARM) && \ + defined(SIGALRM) && \ +@@ -77,10 +79,6 @@ + #define USE_ALARM_TIMEOUT + #endif + +-#ifdef USE_ALARM_TIMEOUT +-#include "easy_lock.h" +-#endif +- + #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */ + + /* +@@ -259,8 +257,8 @@ void Curl_hostcache_prune(struct Curl_easy *data) + /* Beware this is a global and unique instance. This is used to store the + return address that we can jump back to from inside a signal handler. This + is not thread-safe stuff. */ +-sigjmp_buf curl_jmpenv; +-curl_simple_lock curl_jmpenv_lock; ++static sigjmp_buf curl_jmpenv; ++static curl_simple_lock curl_jmpenv_lock; + #endif + + /* lookup address, returns entry if found and not stale */ +diff --git a/lib/hostip.h b/lib/hostip.h +index baf1e58..d7f73d9 100644 +--- a/lib/hostip.h ++++ b/lib/hostip.h +@@ -196,15 +196,6 @@ Curl_cache_addr(struct Curl_easy *data, Curl_addrinfo *addr, + #define CURL_INADDR_NONE INADDR_NONE + #endif + +-#ifdef HAVE_SIGSETJMP +-/* Forward-declaration of variable defined in hostip.c. Beware this +- * is a global and unique instance. This is used to store the return +- * address that we can jump back to from inside a signal handler. +- * This is not thread-safe stuff. +- */ +-extern sigjmp_buf curl_jmpenv; +-#endif +- + /* + * Function provided by the resolver backend to set DNS servers to use. + */ +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320.patch b/meta/recipes-support/curl/curl/CVE-2023-28320.patch new file mode 100644 index 0000000000..0c9b67440a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28320.patch @@ -0,0 +1,86 @@ +From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen <sintonen@iki.fi> +Date: Tue, 25 Apr 2023 09:22:26 +0200 +Subject: [PATCH] hostip: add locks around use of global buffer for alarm() + +When building with the sync name resolver and timeout ability we now +require thread-safety to be present to enable it. + +Closes #11030 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2] +CVE: CVE-2023-28320 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + lib/hostip.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/lib/hostip.c b/lib/hostip.c +index f5bb634..5231a74 100644 +--- a/lib/hostip.c ++++ b/lib/hostip.c +@@ -68,12 +68,19 @@ + #include "curl_memory.h" + #include "memdebug.h" + +-#if defined(CURLRES_SYNCH) && \ +- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP) ++#if defined(CURLRES_SYNCH) && \ ++ defined(HAVE_ALARM) && \ ++ defined(SIGALRM) && \ ++ defined(HAVE_SIGSETJMP) && \ ++ defined(GLOBAL_INIT_IS_THREADSAFE) + /* alarm-based timeouts can only be used with all the dependencies satisfied */ + #define USE_ALARM_TIMEOUT + #endif + ++#ifdef USE_ALARM_TIMEOUT ++#include "easy_lock.h" ++#endif ++ + #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */ + + /* +@@ -248,11 +255,12 @@ void Curl_hostcache_prune(struct Curl_easy *data) + Curl_share_unlock(data, CURL_LOCK_DATA_DNS); + } + +-#ifdef HAVE_SIGSETJMP ++#ifdef USE_ALARM_TIMEOUT + /* Beware this is a global and unique instance. This is used to store the + return address that we can jump back to from inside a signal handler. This + is not thread-safe stuff. */ + sigjmp_buf curl_jmpenv; ++curl_simple_lock curl_jmpenv_lock; + #endif + + /* lookup address, returns entry if found and not stale */ +@@ -614,7 +622,6 @@ enum resolve_t Curl_resolv(struct connectdata *conn, + static + RETSIGTYPE alarmfunc(int sig) + { +- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */ + (void)sig; + siglongjmp(curl_jmpenv, 1); + } +@@ -695,6 +702,8 @@ enum resolve_t Curl_resolv_timeout(struct connectdata *conn, + This should be the last thing we do before calling Curl_resolv(), + as otherwise we'd have to worry about variables that get modified + before we invoke Curl_resolv() (and thus use "volatile"). */ ++ curl_simple_lock_lock(&curl_jmpenv_lock); ++ + if(sigsetjmp(curl_jmpenv, 1)) { + /* this is coming from a siglongjmp() after an alarm signal */ + failf(data, "name lookup timed out"); +@@ -763,6 +772,8 @@ clean_up: + #endif + #endif /* HAVE_SIGACTION */ + ++ curl_simple_lock_unlock(&curl_jmpenv_lock); ++ + /* switch back the alarm() to either zero or to what it was before minus + the time we spent until now! */ + if(prev_alarm) { +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-28321.patch b/meta/recipes-support/curl/curl/CVE-2023-28321.patch new file mode 100644 index 0000000000..da1d1fdcd6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28321.patch @@ -0,0 +1,272 @@ +Upstream-Status: Backport [import from ubuntu curl_7.68.0-1ubuntu2.20 with +minor change to tests/data/test1397 part so the patch can be apply. +upstream: https://github.com/curl/curl/commit/199f2d440d8659b42 ] +CVE: CVE-2023-28321 +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +This backport was obtained from SUSE. + +From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 24 Apr 2023 21:07:02 +0200 +Subject: [PATCH] hostcheck: fix host name wildcard checking + +The leftmost "label" of the host name can now only match against single +'*'. Like the browsers have worked for a long time. + +- extended unit test 1397 for this +- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc + +Reported-by: Hiroki Kurosawa +Closes #11018 +--- + lib/hostcheck.c | 50 +++++++-------- + tests/data/test1397 | 10 ++- + tests/unit/Makefile.am | 94 ---------------------------- + tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++ + tests/unit/unit1397.c | 134 ++++++++++++++++++++++++---------------- + 5 files changed, 202 insertions(+), 180 deletions(-) + +--- a/lib/hostcheck.c ++++ b/lib/hostcheck.c +@@ -58,15 +58,19 @@ + * apparent distinction between a name and an IP. We need to detect the use of + * an IP address and not wildcard match on such names. + * ++ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor ++ * "*b". ++ * ++ * @unittest: 1397 ++ * + * NOTE: hostmatch() gets called with copied buffers so that it can modify the + * contents at will. + */ + + static int hostmatch(char *hostname, char *pattern) + { +- const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; +- int wildcard_enabled; +- size_t prefixlen, suffixlen; ++ const char *pattern_label_end, *hostname_label_end; ++ size_t suffixlen; + struct in_addr ignored; + #ifdef ENABLE_IPV6 + struct sockaddr_in6 si6; +@@ -80,13 +84,12 @@ static int hostmatch(char *hostname, cha + if(pattern[len-1]=='.') + pattern[len-1] = 0; + +- pattern_wildcard = strchr(pattern, '*'); +- if(pattern_wildcard == NULL) ++ if(strncmp(pattern, "*.", 2)) + return strcasecompare(pattern, hostname) ? + CURL_HOST_MATCH : CURL_HOST_NOMATCH; + + /* detect IP address as hostname and fail the match if so */ +- if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) ++ else if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) + return CURL_HOST_NOMATCH; + #ifdef ENABLE_IPV6 + if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0) +@@ -95,14 +98,9 @@ static int hostmatch(char *hostname, cha + + /* We require at least 2 dots in pattern to avoid too wide wildcard + match. */ +- wildcard_enabled = 1; + pattern_label_end = strchr(pattern, '.'); +- if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL || +- pattern_wildcard > pattern_label_end || +- strncasecompare(pattern, "xn--", 4)) { +- wildcard_enabled = 0; +- } +- if(!wildcard_enabled) ++ if(pattern_label_end == NULL || ++ strchr(pattern_label_end + 1, '.') == NULL) + return strcasecompare(pattern, hostname) ? + CURL_HOST_MATCH : CURL_HOST_NOMATCH; + +@@ -117,11 +115,9 @@ static int hostmatch(char *hostname, cha + if(hostname_label_end - hostname < pattern_label_end - pattern) + return CURL_HOST_NOMATCH; + +- prefixlen = pattern_wildcard - pattern; +- suffixlen = pattern_label_end - (pattern_wildcard + 1); +- return strncasecompare(pattern, hostname, prefixlen) && +- strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen, +- suffixlen) ? ++ suffixlen = pattern_label_end - (pattern + 1); ++ return strncasecompare(pattern + 1, hostname_label_end - suffixlen, ++ suffixlen) ? + CURL_HOST_MATCH : CURL_HOST_NOMATCH; + } + +--- a/tests/data/test1397 ++++ b/tests/data/test1397 +@@ -2,8 +2,7 @@ + <info> + <keywords> + unittest +-ssl +-wildcard ++Curl_cert_hostcheck + </keywords> + </info> + +@@ -16,9 +15,8 @@ none + <features> + unittest + </features> +- <name> +-Check wildcard certificate matching function Curl_cert_hostcheck +- </name> ++<name> ++Curl_cert_hostcheck unit tests ++</name> + </client> +- + </testcase> +--- a/tests/unit/unit1397.c ++++ b/tests/unit/unit1397.c +@@ -21,8 +21,6 @@ + ***************************************************************************/ + #include "curlcheck.h" + +-#include "hostcheck.h" /* from the lib dir */ +- + static CURLcode unit_setup(void) + { + return CURLE_OK; +@@ -30,50 +28,94 @@ static CURLcode unit_setup(void) + + static void unit_stop(void) + { +- /* done before shutting down and exiting */ + } + +-UNITTEST_START ++* only these backends define the tested functions */ ++#if defined(USE_OPENSSL) || defined(USE_GSKIT) || \ ++ defined(USE_SCHANNEL) ++#include "hostcheck.h" ++struct testcase { ++ const char *host; ++ const char *pattern; ++ bool match; ++}; ++ ++static struct testcase tests[] = { ++ {"", "", FALSE}, ++ {"a", "", FALSE}, ++ {"", "b", FALSE}, ++ {"a", "b", FALSE}, ++ {"aa", "bb", FALSE}, ++ {"\xff", "\xff", TRUE}, ++ {"aa.aa.aa", "aa.aa.bb", FALSE}, ++ {"aa.aa.aa", "aa.aa.aa", TRUE}, ++ {"aa.aa.aa", "*.aa.bb", FALSE}, ++ {"aa.aa.aa", "*.aa.aa", TRUE}, ++ {"192.168.0.1", "192.168.0.1", TRUE}, ++ {"192.168.0.1", "*.168.0.1", FALSE}, ++ {"192.168.0.1", "*.0.1", FALSE}, ++ {"h.ello", "*.ello", FALSE}, ++ {"h.ello.", "*.ello", FALSE}, ++ {"h.ello", "*.ello.", FALSE}, ++ {"h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo", " *.e.llo", FALSE}, ++ {" h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo", TRUE}, ++ {"*.e.llo.", "*.e.llo", TRUE}, ++ {"************.e.llo.", "*.e.llo", TRUE}, ++ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ++ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" ++ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" ++ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" ++ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" ++ ".e.llo.", "*.e.llo", TRUE}, ++ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo.", TRUE}, ++ {"h.e.llo", "*.e.llo.", TRUE}, ++ {".h.e.llo", "*.e.llo.", FALSE}, ++ {"h.e.llo", "*.*.llo.", FALSE}, ++ {"h.e.llo", "h.*.llo", FALSE}, ++ {"h.e.llo", "h.e.*", FALSE}, ++ {"hello", "*.ello", FALSE}, ++ {"hello", "**llo", FALSE}, ++ {"bar.foo.example.com", "*.example.com", FALSE}, ++ {"foo.example.com", "*.example.com", TRUE}, ++ {"baz.example.net", "b*z.example.net", FALSE}, ++ {"foobaz.example.net", "*baz.example.net", FALSE}, ++ {"xn--l8j.example.local", "x*.example.local", FALSE}, ++ {"xn--l8j.example.net", "*.example.net", TRUE}, ++ {"xn--l8j.example.net", "*j.example.net", FALSE}, ++ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE}, ++ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE}, ++ {"xl8j.example.net", "*.example.net", TRUE}, ++ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE}, ++ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE}, ++ {NULL, NULL, FALSE} ++}; + +-/* only these backends define the tested functions */ +-#if defined(USE_OPENSSL) || defined(USE_GSKIT) ++UNITTEST_START ++{ ++ int i; ++ for(i = 0; tests[i].host; i++) { ++ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern, ++ tests[i].host)) { ++ fprintf(stderr, ++ "HOST: %s\n" ++ "PTRN: %s\n" ++ "did %sMATCH\n", ++ tests[i].host, ++ tests[i].pattern, ++ tests[i].match ? "NOT ": ""); ++ unitfail++; ++ } ++ } ++} + +- /* here you start doing things and checking that the results are good */ ++UNITTEST_STOP ++#else + +-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"), +- "good 1"); +-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"), +- "good 2"); +-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"), +- "good 3"); +-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"), +- "good 4"); +-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"), +- "good 5"); +- +-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1"); +-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2"); +-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3"); +-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4"); +-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5"); +-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6"); +-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7"); +-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8"); +-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9"); +-fail_if(Curl_cert_hostcheck("", "www"), "bad 10"); +-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11"); +-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12"); +-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13"); +- +-#ifdef ENABLE_IPV6 +-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619", +- "fe80::3285:a9ff:fe46:b619"), "bad 14"); +-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619", +- "fe80::3285:a9ff:fe46:b619"), "good 6"); +-#endif ++UNITTEST_START + ++UNITTEST_STOP + #endif + +- /* you end the test code like this: */ +- +-UNITTEST_STOP diff --git a/meta/recipes-support/curl/curl/CVE-2023-28322.patch b/meta/recipes-support/curl/curl/CVE-2023-28322.patch new file mode 100644 index 0000000000..9351a2c286 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28322.patch @@ -0,0 +1,380 @@ +CVE: CVE-2023-28322 +Upstream-Status: Backport [ import patch from ubuntu curl_7.68.0-1ubuntu2.20 +upstream https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +Backport of: + +From 7815647d6582c0a4900be2e1de6c5e61272c496b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 25 Apr 2023 08:28:01 +0200 +Subject: [PATCH] lib: unify the upload/method handling + +By making sure we set state.upload based on the set.method value and not +independently as set.upload, we reduce confusion and mixup risks, both +internally and externally. + +Closes #11017 +--- + lib/curl_rtmp.c | 4 ++-- + lib/file.c | 4 ++-- + lib/ftp.c | 8 ++++---- + lib/http.c | 4 ++-- + lib/imap.c | 6 +++--- + lib/rtsp.c | 4 ++-- + lib/setopt.c | 6 ++---- + lib/smb.c | 6 +++--- + lib/smtp.c | 4 ++-- + lib/tftp.c | 8 ++++---- + lib/transfer.c | 4 ++-- + lib/urldata.h | 2 +- + lib/vssh/libssh.c | 6 +++--- + lib/vssh/libssh2.c | 6 +++--- + lib/vssh/wolfssh.c | 2 +- + 15 files changed, 36 insertions(+), 38 deletions(-) + +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -213,7 +213,7 @@ static CURLcode rtmp_connect(struct conn + /* We have to know if it's a write before we send the + * connect request packet + */ +- if(conn->data->set.upload) ++ if(conn->data->state.upload) + r->Link.protocol |= RTMP_FEATURE_WRITE; + + /* For plain streams, use the buffer toggle trick to keep data flowing */ +@@ -245,7 +245,7 @@ static CURLcode rtmp_do(struct connectda + if(!RTMP_ConnectStream(r, 0)) + return CURLE_FAILED_INIT; + +- if(conn->data->set.upload) { ++ if(conn->data->state.upload) { + Curl_pgrsSetUploadSize(data, data->state.infilesize); + Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET); + } +--- a/lib/file.c ++++ b/lib/file.c +@@ -198,7 +198,7 @@ static CURLcode file_connect(struct conn + file->freepath = real_path; /* free this when done */ + + file->fd = fd; +- if(!data->set.upload && (fd == -1)) { ++ if(!data->state.upload && (fd == -1)) { + failf(data, "Couldn't open file %s", data->state.up.path); + file_done(conn, CURLE_FILE_COULDNT_READ_FILE, FALSE); + return CURLE_FILE_COULDNT_READ_FILE; +@@ -390,7 +390,7 @@ static CURLcode file_do(struct connectda + + Curl_pgrsStartNow(data); + +- if(data->set.upload) ++ if(data->state.upload) + return file_upload(conn); + + file = conn->data->req.protop; +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1371,7 +1371,7 @@ static CURLcode ftp_state_prepare_transf + data->set.str[STRING_CUSTOMREQUEST]: + (data->set.ftp_list_only?"NLST":"LIST")); + } +- else if(data->set.upload) { ++ else if(data->state.upload) { + PPSENDF(&conn->proto.ftpc.pp, "PRET STOR %s", conn->proto.ftpc.file); + } + else { +@@ -3303,7 +3303,7 @@ static CURLcode ftp_done(struct connectd + /* the response code from the transfer showed an error already so no + use checking further */ + ; +- else if(data->set.upload) { ++ else if(data->state.upload) { + if((-1 != data->state.infilesize) && + (data->state.infilesize != data->req.writebytecount) && + !data->set.crlf && +@@ -3570,7 +3570,7 @@ static CURLcode ftp_do_more(struct conne + connected back to us */ + } + } +- else if(data->set.upload) { ++ else if(data->state.upload) { + result = ftp_nb_type(conn, data->set.prefer_ascii, FTP_STOR_TYPE); + if(result) + return result; +@@ -4209,7 +4209,7 @@ CURLcode ftp_parse_url_path(struct conne + ftpc->file = NULL; /* instead of point to a zero byte, + we make it a NULL pointer */ + +- if(data->set.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) { ++ if(data->state.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) { + /* We need a file name when uploading. Return error! */ + failf(data, "Uploading to a URL without a file name!"); + free(rawPath); +--- a/lib/http.c ++++ b/lib/http.c +@@ -2080,7 +2080,7 @@ CURLcode Curl_http(struct connectdata *c + } + + if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && +- data->set.upload) { ++ data->state.upload) { + httpreq = HTTPREQ_PUT; + } + +@@ -2261,7 +2261,7 @@ CURLcode Curl_http(struct connectdata *c + if((conn->handler->protocol & PROTO_FAMILY_HTTP) && + (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) && + http->postsize < 0) || +- ((data->set.upload || httpreq == HTTPREQ_POST) && ++ ((data->state.upload || httpreq == HTTPREQ_POST) && + data->state.infilesize == -1))) { + if(conn->bits.authneg) + /* don't enable chunked during auth neg */ +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1469,11 +1469,11 @@ static CURLcode imap_done(struct connect + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && !imap->custom && +- (imap->uid || imap->mindex || data->set.upload || ++ (imap->uid || imap->mindex || data->state.upload || + data->set.mimepost.kind != MIMEKIND_NONE)) { + /* Handle responses after FETCH or APPEND transfer has finished */ + +- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE) ++ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE) + state(conn, IMAP_FETCH_FINAL); + else { + /* End the APPEND command first by sending an empty line */ +@@ -1539,7 +1539,7 @@ static CURLcode imap_perform(struct conn + selected = TRUE; + + /* Start the first command in the DO phase */ +- if(conn->data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE) ++ if(conn->data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE) + /* APPEND can be executed directly */ + result = imap_perform_append(conn); + else if(imap->custom && (selected || !imap->mailbox)) +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -499,7 +499,7 @@ static CURLcode rtsp_do(struct connectda + rtspreq == RTSPREQ_SET_PARAMETER || + rtspreq == RTSPREQ_GET_PARAMETER) { + +- if(data->set.upload) { ++ if(data->state.upload) { + putsize = data->state.infilesize; + data->set.httpreq = HTTPREQ_PUT; + +@@ -518,7 +518,7 @@ static CURLcode rtsp_do(struct connectda + result = + Curl_add_bufferf(&req_buffer, + "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n", +- (data->set.upload ? putsize : postsize)); ++ (data->state.upload ? putsize : postsize)); + if(result) + return result; + } +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -258,8 +258,8 @@ CURLcode Curl_vsetopt(struct Curl_easy * + * We want to sent data to the remote host. If this is HTTP, that equals + * using the PUT request. + */ +- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE; +- if(data->set.upload) { ++ arg = va_arg(param, long); ++ if(arg) { + /* If this is HTTP, PUT is what's needed to "upload" */ + data->set.httpreq = HTTPREQ_PUT; + data->set.opt_no_body = FALSE; /* this is implied */ +@@ -486,7 +486,6 @@ CURLcode Curl_vsetopt(struct Curl_easy * + } + else + data->set.httpreq = HTTPREQ_GET; +- data->set.upload = FALSE; + break; + + case CURLOPT_COPYPOSTFIELDS: +@@ -797,7 +796,6 @@ CURLcode Curl_vsetopt(struct Curl_easy * + */ + if(va_arg(param, long)) { + data->set.httpreq = HTTPREQ_GET; +- data->set.upload = FALSE; /* switch off upload */ + data->set.opt_no_body = FALSE; /* this is implied */ + } + break; +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -516,7 +516,7 @@ static CURLcode smb_send_open(struct con + byte_count = strlen(req->path); + msg.name_length = smb_swap16((unsigned short)byte_count); + msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL); +- if(conn->data->set.upload) { ++ if(conn->data->state.upload) { + msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE); + msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF); + } +@@ -792,7 +792,7 @@ static CURLcode smb_request_state(struct + smb_m = (const struct smb_nt_create_response*) msg; + req->fid = smb_swap16(smb_m->fid); + conn->data->req.offset = 0; +- if(conn->data->set.upload) { ++ if(conn->data->state.upload) { + conn->data->req.size = conn->data->state.infilesize; + Curl_pgrsSetUploadSize(conn->data, conn->data->req.size); + next_state = SMB_UPLOAD; +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1210,7 +1210,7 @@ static CURLcode smtp_done(struct connect + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && data->set.mail_rcpt && +- (data->set.upload || data->set.mimepost.kind)) { ++ (data->state.upload || data->set.mimepost.kind)) { + /* Calculate the EOB taking into account any terminating CRLF from the + previous line of the email or the CRLF of the DATA command when there + is "no mail data". RFC-5321, sect. 4.1.1.4. +@@ -1297,7 +1297,7 @@ static CURLcode smtp_perform(struct conn + smtp->eob = 2; + + /* Start the first command in the DO phase */ +- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt) ++ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt) + /* MAIL transfer */ + result = smtp_perform_mail(conn); + else +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -390,7 +390,7 @@ static CURLcode tftp_parse_option_ack(tf + + /* tsize should be ignored on upload: Who cares about the size of the + remote file? */ +- if(!data->set.upload) { ++ if(!data->state.upload) { + if(!tsize) { + failf(data, "invalid tsize -:%s:- value in OACK packet", value); + return CURLE_TFTP_ILLEGAL; +@@ -470,7 +470,7 @@ static CURLcode tftp_send_first(tftp_sta + return result; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + /* If we are uploading, send an WRQ */ + setpacketevent(&state->spacket, TFTP_EVENT_WRQ); + state->conn->data->req.upload_fromhere = +@@ -505,7 +505,7 @@ static CURLcode tftp_send_first(tftp_sta + if(!data->set.tftp_no_options) { + char buf[64]; + /* add tsize option */ +- if(data->set.upload && (data->state.infilesize != -1)) ++ if(data->state.upload && (data->state.infilesize != -1)) + msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T, + data->state.infilesize); + else +@@ -559,7 +559,7 @@ static CURLcode tftp_send_first(tftp_sta + break; + + case TFTP_EVENT_OACK: +- if(data->set.upload) { ++ if(data->state.upload) { + result = tftp_connect_for_tx(state, event); + } + else { +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1405,6 +1405,7 @@ void Curl_init_CONNECT(struct Curl_easy + { + data->state.fread_func = data->set.fread_func_set; + data->state.in = data->set.in_set; ++ data->state.upload = (data->set.httpreq == HTTPREQ_PUT); + } + + /* +@@ -1816,7 +1817,7 @@ CURLcode Curl_retry_request(struct conne + + /* if we're talking upload, we can't do the checks below, unless the protocol + is HTTP as when uploading over HTTP we will still get a response */ +- if(data->set.upload && ++ if(data->state.upload && + !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP))) + return CURLE_OK; + +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1427,6 +1427,7 @@ struct UrlState { + BIT(stream_depends_e); /* set or don't set the Exclusive bit */ + BIT(previouslypending); /* this transfer WAS in the multi->pending queue */ + BIT(cookie_engine); ++ BIT(upload); /* upload request */ + }; + + +@@ -1762,7 +1763,6 @@ struct UserDefined { + BIT(http_auto_referer); /* set "correct" referer when following + location: */ + BIT(opt_no_body); /* as set with CURLOPT_NOBODY */ +- BIT(upload); /* upload request */ + BIT(verbose); /* output verbosity */ + BIT(krb); /* Kerberos connection requested */ + BIT(reuse_forbid); /* forbidden to be reused, close after use */ +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -1076,7 +1076,7 @@ static CURLcode myssh_statemach_act(stru + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(conn, SSH_SFTP_UPLOAD_INIT); + else { + if(protop->path[strlen(protop->path)-1] == '/') +@@ -1686,7 +1686,7 @@ static CURLcode myssh_statemach_act(stru + /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */ + ssh_set_blocking(sshc->ssh_session, 1); + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -1787,7 +1787,7 @@ static CURLcode myssh_statemach_act(stru + break; + } + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(conn, SSH_SCP_SEND_EOF); + else + state(conn, SSH_SCP_CHANNEL_FREE); +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -1664,7 +1664,7 @@ static CURLcode ssh_statemach_act(struct + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(conn, SSH_SFTP_UPLOAD_INIT); + else { + if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/') +@@ -2366,7 +2366,7 @@ static CURLcode ssh_statemach_act(struct + break; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -2504,7 +2504,7 @@ static CURLcode ssh_statemach_act(struct + break; + + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(conn, SSH_SCP_SEND_EOF); + else + state(conn, SSH_SCP_CHANNEL_FREE); diff --git a/meta/recipes-support/curl/curl/CVE-2023-32001.patch b/meta/recipes-support/curl/curl/CVE-2023-32001.patch new file mode 100644 index 0000000000..f533992bcd --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-32001.patch @@ -0,0 +1,38 @@ +From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001 +From: SaltyMilk <soufiane.elmelcaoui@gmail.com> +Date: Mon, 10 Jul 2023 21:43:28 +0200 +Subject: [PATCH] fopen: optimize + +Closes #11419 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/0c667188e0c6cda615a036b8a2b4125f2c404dde] +CVE: CVE-2023-32001 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + lib/fopen.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index c9c9e3d6e73a2..b6e3cadddef65 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + int fd = -1; + *tempname = NULL; + +- if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { +- /* a non-regular file, fallback to direct fopen() */ +- *fh = fopen(filename, FOPEN_WRITETEXT); +- if(*fh) +- return CURLE_OK; ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(!*fh) + goto fail; +- } ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ return CURLE_OK; ++ fclose(*fh); ++ *fh = NULL; + + result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); + if(result) diff --git a/meta/recipes-support/curl/curl/CVE-2023-38545.patch b/meta/recipes-support/curl/curl/CVE-2023-38545.patch new file mode 100644 index 0000000000..c6b6726886 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch @@ -0,0 +1,148 @@ +From 600a1caeb2312fdee5ef1caf7d613c12a8b2424a Mon Sep 17 00:00:00 2001 +From: Mike Crowe <mac@mcrowe.com> +Date: Wed, 11 Oct 2023 20:50:28 +0100 +Subject: [PATCH] socks: return error if hostname too long for remote resolve +To: libcurl development <curl-library@cool.haxx.se> + +Prior to this change the state machine attempted to change the remote +resolve to a local resolve if the hostname was longer than 255 +characters. Unfortunately that did not work as intended and caused a +security issue. + +Name resolvers cannot resolve hostnames longer than 255 characters. + +Bug: https://curl.se/docs/CVE-2023-38545.html + +Unfortunately CURLE_PROXY and CURLPX_LONG_HOSTNAME were introduced in +7.73.0 so they can't be used in 7.69.1. Let's use +CURLE_COULDNT_RESOLVE_HOST as the best available alternative and update +the test appropriately. + +libcurl's test support has been improved considerably since 7.69.1 which +means that the test must be modified to remove use of %VERSION and +%TESTNUMBER and the stderr output can no longer be checked. + +CVE: CVE-2023-38545 +Upstream-Status: Backport [fb4415d8aee6c1045be932a34fe6107c2f5ed147] +Signed-off-by: Mike Crowe <mac@mcrowe.com> +--- + lib/socks.c | 13 +++++---- + tests/data/Makefile.inc | 2 +- + tests/data/test728 | 60 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 69 insertions(+), 6 deletions(-) + create mode 100644 tests/data/test728 + +diff --git a/lib/socks.c b/lib/socks.c +index 37099130e..f3bf40533 100644 +--- a/lib/socks.c ++++ b/lib/socks.c +@@ -521,11 +521,14 @@ CURLcode Curl_SOCKS5(const char *proxy_user, + infof(conn->data, "SOCKS5: connecting to HTTP proxy %s port %d\n", + hostname, remote_port); + +- /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ ++ /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet. */ + if(!socks5_resolve_local && hostname_len > 255) { +- infof(conn->data, "SOCKS5: server resolving disabled for hostnames of " +- "length > 255 [actual len=%zu]\n", hostname_len); +- socks5_resolve_local = TRUE; ++ failf(data, "SOCKS5: the destination hostname is too long to be " ++ "resolved remotely by the proxy."); ++ /* This version of libcurl doesn't have CURLE_PROXY and ++ * therefore CURLPX_LONG_HOSTNAME, so let's report the best we ++ * can. */ ++ return CURLE_COULDNT_RESOLVE_HOST; + } + + if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) +@@ -837,7 +840,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user, + + if(!socks5_resolve_local) { + socksreq[len++] = 3; /* ATYP: domain name = 3 */ +- socksreq[len++] = (char) hostname_len; /* one byte address length */ ++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ + memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */ + len += hostname_len; + infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n", +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 3d8565c36..5ee2284ff 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -89,7 +89,7 @@ test662 test663 test664 test665 test666 test667 test668 \ + test670 test671 test672 test673 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ +-test709 test710 test711 test712 test713 test714 test715 test716 test717 \ ++test709 test710 test711 test712 test713 test714 test715 test716 test717 test728 \ + \ + test800 test801 test802 test803 test804 test805 test806 test807 test808 \ + test809 test810 test811 test812 test813 test814 test815 test816 test817 \ +diff --git a/tests/data/test728 b/tests/data/test728 +new file mode 100644 +index 000000000..7b1d8b2f3 +--- /dev/null ++++ b/tests/data/test728 +@@ -0,0 +1,60 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++HTTP GET ++SOCKS5 ++SOCKS5h ++followlocation ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++# The hostname in this redirect is 256 characters and too long (> 255) for ++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. ++<data> ++HTTP/1.1 301 Moved Permanently ++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ ++Content-Length: 0 ++Connection: close ++ ++</data> ++</reply> ++ ++# ++# Client-side ++<client> ++<features> ++proxy ++</features> ++<server> ++http ++socks5 ++</server> ++ <name> ++SOCKS5h with HTTP redirect to hostname too long ++ </name> ++ <command> ++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/728 ++</command> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++<strip> ++^User-Agent:.* ++</strip> ++<protocol> ++GET /728 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++ ++</protocol> ++<errorcode> ++6 ++</errorcode> ++</verify> ++</testcase> +-- +2.39.2 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch b/meta/recipes-support/curl/curl/CVE-2023-38546.patch new file mode 100644 index 0000000000..30ef2fd038 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch @@ -0,0 +1,132 @@ +From 7b67721f12cbe6ed1a41e7332f3b5a7186a5e23f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 14 Sep 2023 23:28:32 +0200 +Subject: [PATCH] cookie: remove unnecessary struct fields +To: libcurl development <curl-library@cool.haxx.se> + +Plus: reduce the hash table size from 256 to 63. It seems unlikely to +make much of a speed difference for most use cases but saves 1.5KB of +data per instance. + +Closes #11862 + +This patch taken from Debian's 7.64.0-4+deb10u7 package which applied with +only a little fuzz. + +CVE: CVE-2023-38546 +Upstream-Status: Backport [61275672b46d9abb32857404] +Signed-off-by: Mike Crowe <mac@mcrowe.com> +--- + lib/cookie.c | 13 +------------ + lib/cookie.h | 7 ++----- + lib/easy.c | 4 +--- + 3 files changed, 4 insertions(+), 20 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 68054e1c4..a378f28e1 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -114,7 +114,6 @@ static void freecookie(struct Cookie *co) + free(co->name); + free(co->value); + free(co->maxage); +- free(co->version); + free(co); + } + +@@ -641,11 +640,7 @@ Curl_cookie_add(struct Curl_easy *data, + } + } + else if(strcasecompare("version", name)) { +- strstore(&co->version, whatptr); +- if(!co->version) { +- badcookie = TRUE; +- break; +- } ++ /* just ignore */ + } + else if(strcasecompare("max-age", name)) { + /* Defined in RFC2109: +@@ -1042,7 +1037,6 @@ Curl_cookie_add(struct Curl_easy *data, + free(clist->path); + free(clist->spath); + free(clist->expirestr); +- free(clist->version); + free(clist->maxage); + + *clist = *co; /* then store all the new data */ +@@ -1111,9 +1105,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, + c = calloc(1, sizeof(struct CookieInfo)); + if(!c) + return NULL; /* failed to get memory */ +- c->filename = strdup(file?file:"none"); /* copy the name just in case */ +- if(!c->filename) +- goto fail; /* failed to get memory */ + } + else { + /* we got an already existing one, use that */ +@@ -1241,7 +1232,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) + CLONE(name); + CLONE(value); + CLONE(maxage); +- CLONE(version); + d->expires = src->expires; + d->tailmatch = src->tailmatch; + d->secure = src->secure; +@@ -1457,7 +1447,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) + { + if(c) { + unsigned int i; +- free(c->filename); + for(i = 0; i < COOKIE_HASH_SIZE; i++) + Curl_cookie_freelist(c->cookies[i]); + free(c); /* free the base struct as well */ +diff --git a/lib/cookie.h b/lib/cookie.h +index b3865e601..2e667cda0 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -36,8 +36,6 @@ struct Cookie { + char *expirestr; /* the plain text version */ + bool tailmatch; /* whether we do tail-matching of the domain name */ + +- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ +- char *version; /* Version = <value> */ + char *maxage; /* Max-Age = <value> */ + + bool secure; /* whether the 'secure' keyword was used */ +@@ -54,15 +52,14 @@ struct Cookie { + #define COOKIE_PREFIX__SECURE (1<<0) + #define COOKIE_PREFIX__HOST (1<<1) + +-#define COOKIE_HASH_SIZE 256 ++#define COOKIE_HASH_SIZE 63 + + struct CookieInfo { + /* linked list of cookies we know of */ + struct Cookie *cookies[COOKIE_HASH_SIZE]; + +- char *filename; /* file we read from/write to */ + bool running; /* state info, for cookie adding information */ +- long numcookies; /* number of cookies in the "jar" */ ++ int numcookies; /* number of cookies in the "jar" */ + bool newsession; /* new session, discard session cookies on load */ + int lastct; /* last creation-time used in the jar */ + }; +diff --git a/lib/easy.c b/lib/easy.c +index b648e80c1..cdca0fb03 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -840,9 +840,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + if(data->cookies) { + /* If cookies are enabled in the parent handle, we enable them + in the clone as well! */ +- outcurl->cookies = Curl_cookie_init(data, +- data->cookies->filename, +- outcurl->cookies, ++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, + data->set.cookiesession); + if(!outcurl->cookies) + goto fail; +-- +2.39.2 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-46218.patch b/meta/recipes-support/curl/curl/CVE-2023-46218.patch new file mode 100644 index 0000000000..c9677b6a84 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-46218.patch @@ -0,0 +1,52 @@ +CVE: CVE-2023-46218 +Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.68.0-1ubuntu2.21.debian.tar.xz upstream https://github.com/curl/curl/commit/2b0994c29a721c91c57 ] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +Backport of: + +From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 23 Nov 2023 08:15:47 +0100 +Subject: [PATCH] cookie: lowercase the domain names before PSL checks + +Reported-by: Harry Sintonen + +Closes #12387 +--- + lib/cookie.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -967,15 +967,23 @@ Curl_cookie_add(struct Curl_easy *data, + #ifdef USE_LIBPSL + /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */ + if(domain && co->domain && !isip(co->domain)) { +- const psl_ctx_t *psl = Curl_psl_use(data); +- int acceptable; +- +- if(psl) { +- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain); +- Curl_psl_release(data); ++ bool acceptable = FALSE; ++ char lcase[256]; ++ char lcookie[256]; ++ size_t dlen = strlen(domain); ++ size_t clen = strlen(co->domain); ++ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) { ++ const psl_ctx_t *psl = Curl_psl_use(data); ++ if(psl) { ++ /* the PSL check requires lowercase domain name and pattern */ ++ Curl_strntolower(lcase, domain, dlen + 1); ++ Curl_strntolower(lcookie, co->domain, clen + 1); ++ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie); ++ Curl_psl_release(data); ++ } ++ else ++ acceptable = !bad_domain(domain); + } +- else +- acceptable = !bad_domain(domain); + + if(!acceptable) { + infof(data, "cookie '%s' dropped, domain '%s' must not " diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch new file mode 100644 index 0000000000..a3840336f0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch @@ -0,0 +1,88 @@ +Backport of: + +From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <stefan@eissing.org> +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/focal-security +Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] +CVE: CVE-2024-2398 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -515,6 +515,15 @@ static struct Curl_easy *duphandle(struc + } + + ++static void free_push_headers(struct HTTP *stream) ++{ ++ size_t i; ++ for(i = 0; i<stream->push_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + static int push_promise(struct Curl_easy *data, + struct connectdata *conn, + const nghttp2_push_promise *frame) +@@ -528,7 +537,6 @@ static int push_promise(struct Curl_easy + struct curl_pushheaders heads; + CURLMcode rc; + struct http_conn *httpc; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = duphandle(data); + if(!newhandle) { +@@ -557,11 +565,7 @@ static int push_promise(struct Curl_easy + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; i<stream->push_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + /* denied, kill off the new handle again */ +@@ -995,10 +999,10 @@ static int on_header(nghttp2_session *se + stream->push_headers_alloc) { + char **headp; + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +@@ -1179,14 +1183,7 @@ void Curl_http2_done(struct Curl_easy *d + if(http->header_recvbuf) { + Curl_add_buffer_free(&http->header_recvbuf); + Curl_add_buffer_free(&http->trailer_recvbuf); +- if(http->push_headers) { +- /* if they weren't used and then freed before */ +- for(; http->push_headers_used > 0; --http->push_headers_used) { +- free(http->push_headers[http->push_headers_used - 1]); +- } +- free(http->push_headers); +- http->push_headers = NULL; +- } ++ free_push_headers(http); + } + + if(!httpc->h2) /* not HTTP/2 ? */ diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 13ab29cf69..2f351d585a 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -19,6 +19,46 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2020-8286.patch \ file://CVE-2021-22876.patch \ file://CVE-2021-22890.patch \ + file://CVE-2021-22898.patch \ + file://CVE-2021-22924.patch \ + file://CVE-2021-22925.patch \ + file://CVE-2021-22946-pre1.patch \ + file://CVE-2021-22946.patch \ + file://CVE-2021-22947.patch \ + file://CVE-2022-27776.patch \ + file://CVE-2022-27775.patch \ + file://CVE-2022-22576.patch \ + file://CVE-2022-27774-1.patch \ + file://CVE-2022-27774-2.patch \ + file://CVE-2022-27774-3.patch \ + file://CVE-2022-27774-4.patch \ + file://CVE-2022-27781.patch \ + file://CVE-2022-27782-1.patch \ + file://CVE-2022-27782-2.patch \ + file://CVE-2022-32206.patch \ + file://CVE-2022-32207.patch \ + file://CVE-2022-32208.patch \ + file://CVE-2022-35252.patch \ + file://CVE-2022-32221.patch \ + file://CVE-2022-35260.patch \ + file://CVE-2022-43552.patch \ + file://CVE-2023-23916.patch \ + file://CVE-2023-27534-pre1.patch \ + file://CVE-2023-27534.patch \ + file://CVE-2023-27538.patch \ + file://CVE-2023-27533.patch \ + file://CVE-2023-27535-pre1.patch \ + file://CVE-2023-27535.patch \ + file://CVE-2023-27536.patch \ + file://CVE-2023-28320.patch \ + file://CVE-2023-28320-fol1.patch \ + file://CVE-2023-32001.patch \ + file://CVE-2023-38545.patch \ + file://CVE-2023-38546.patch \ + file://CVE-2023-28321.patch \ + file://CVE-2023-28322.patch \ + file://CVE-2023-46218.patch \ + file://CVE-2024-2398.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" @@ -26,6 +66,15 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5 # Curl has used many names over the years... CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" +CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-22945" + +# As per link https://security-tracker.debian.org/tracker/CVE-2021-22897 +# and https://ubuntu.com/security/CVE-2021-22897 +# This CVE issue affects Windows only Hence whitelisting this CVE +CVE_CHECK_WHITELIST += "CVE-2021-22897" + +# This CVE reports that apple had to upgrade curl because of other already reported CVEs +CVE_CHECK_WHITELIST += "CVE-2023-42915" inherit autotools pkgconfig binconfig multilib_header diff --git a/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb b/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb index 1623285fd0..ea34e4c7a3 100644 --- a/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb +++ b/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb @@ -8,7 +8,7 @@ SECTION = "support" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYING.txt;md5=0c977b18f0a384d03597a517d7d03e32" -SRC_URI = "git://git.code.sf.net/p/dos2unix/dos2unix" +SRC_URI = "git://git.code.sf.net/p/dos2unix/dos2unix;branch=master" UPSTREAM_CHECK_GITTAGREGEX = "dos2unix-(?P<pver>(\d+(\.\d+)+))" SRCREV = "0490f0723b1a0851b17343f6164915f3474b5197" diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch new file mode 100644 index 0000000000..8f2c2ade0e --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch @@ -0,0 +1,50 @@ +From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001 +From: Akira TAGOH <akira@tagoh.org> +Date: Thu, 17 Feb 2022 17:30:12 +0900 +Subject: [PATCH] Fix the stack buffer overflow issue + +strlen() could returns 0. Without a conditional check for len, +accessing S_ pointer with len - 1 may causes a stack buffer overflow. + +AddressSanitizer reports this like: +==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0 +43b30 sp 0x7ffdce043b28 +READ of size 1 at 0x7ffdce043c1f thread T0 + #0 0x403546 in main ../bin/fribidi-main.c:393 + #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f) + #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648) + #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4) + +Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame + #0 0x4022bf in main ../bin/fribidi-main.c:193 + + This frame has 5 object(s): + [32, 36) 'option_index' (line 233) + [48, 52) 'base' (line 386) + [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable + [65328, 130328) 'outstring' (line 385) + [130592, 390592) 'logical' (line 384) + +This fixes https://github.com/fribidi/fribidi/issues/181 + +CVE: CVE-2022-25308 +Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1] +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> + +--- + bin/fribidi-main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c +index 3cf9fe1..3ae4fb6 100644 +--- a/bin/fribidi-main.c ++++ b/bin/fribidi-main.c +@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS + S_[sizeof (S_) - 1] = 0; + len = strlen (S_); + /* chop */ +- if (S_[len - 1] == '\n') ++ if (len > 0 && S_[len - 1] == '\n') + { + len--; + S_[len] = '\0'; diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch new file mode 100644 index 0000000000..0efba3d05c --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch @@ -0,0 +1,31 @@ +From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001 +From: Dov Grobgeld <dov.grobgeld@gmail.com> +Date: Fri, 25 Mar 2022 09:09:49 +0300 +Subject: [PATCH] Protected against garbage in the CapRTL encoder + +CVE: CVE-2022-25309 +Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3] +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> + +--- + lib/fribidi-char-sets-cap-rtl.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c +index b0c0e4a..f74e010 100644 +--- a/lib/fribidi-char-sets-cap-rtl.c ++++ b/lib/fribidi-char-sets-cap-rtl.c +@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode ( + } + } + else +- us[j++] = caprtl_to_unicode[(int) s[i]]; ++ { ++ if ((int)s[i] < 0) ++ us[j++] = '?'; ++ else ++ us[j++] = caprtl_to_unicode[(int) s[i]]; ++ } + } + + return j; diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch new file mode 100644 index 0000000000..d79a82d648 --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch @@ -0,0 +1,30 @@ +From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001 +From: Akira TAGOH <akira@tagoh.org> +Date: Thu, 17 Feb 2022 19:06:10 +0900 +Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks + +Escape from fribidi_remove_bidi_marks() immediately if str is null. + +This fixes https://github.com/fribidi/fribidi/issues/183 + +CVE: CVE-2022-25310 +Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f] +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> + +--- + lib/fribidi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/fribidi.c b/lib/fribidi.c +index f5da0da..70bdab2 100644 +--- a/lib/fribidi.c ++++ b/lib/fribidi.c +@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks ( + fribidi_boolean status = false; + + if UNLIKELY +- (len == 0) ++ (len == 0 || str == NULL) + { + status = true; + goto out; diff --git a/meta/recipes-support/fribidi/fribidi_1.0.9.bb b/meta/recipes-support/fribidi/fribidi_1.0.9.bb index ac9ef88e27..62b7d72812 100644 --- a/meta/recipes-support/fribidi/fribidi_1.0.9.bb +++ b/meta/recipes-support/fribidi/fribidi_1.0.9.bb @@ -10,6 +10,9 @@ LICENSE = "LGPLv2.1+" LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7" SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ + file://CVE-2022-25308.patch \ + file://CVE-2022-25309.patch \ + file://CVE-2022-25310.patch \ " SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc" SRC_URI[sha256sum] = "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7" diff --git a/meta/recipes-support/gmp/gmp/cve-2021-43618.patch b/meta/recipes-support/gmp/gmp/cve-2021-43618.patch new file mode 100644 index 0000000000..095fb21eaa --- /dev/null +++ b/meta/recipes-support/gmp/gmp/cve-2021-43618.patch @@ -0,0 +1,27 @@ +CVE: CVE-2021-43618 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +# HG changeset patch +# User Marco Bodrato <bodrato@mail.dm.unipi.it> +# Date 1634836009 -7200 +# Node ID 561a9c25298e17bb01896801ff353546c6923dbd +# Parent e1fd9db13b475209a864577237ea4b9105b3e96e +mpz/inp_raw.c: Avoid bit size overflows + +diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c +--- a/mpz/inp_raw.c Tue Dec 22 23:49:51 2020 +0100 ++++ b/mpz/inp_raw.c Thu Oct 21 19:06:49 2021 +0200 +@@ -88,8 +88,11 @@ + + abs_csize = ABS (csize); + ++ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8)) ++ return 0; /* Bit size overflows */ ++ + /* round up to a multiple of limbs */ +- abs_xsize = BITS_TO_LIMBS (abs_csize*8); ++ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8); + + if (abs_xsize != 0) + { diff --git a/meta/recipes-support/gmp/gmp_6.2.0.bb b/meta/recipes-support/gmp/gmp_6.2.0.bb index a19c74fca8..d29b74f829 100644 --- a/meta/recipes-support/gmp/gmp_6.2.0.bb +++ b/meta/recipes-support/gmp/gmp_6.2.0.bb @@ -12,6 +12,7 @@ SRC_URI = "https://gmplib.org/download/${BPN}/${BP}${REVISION}.tar.bz2 \ file://use-includedir.patch \ file://0001-Append-the-user-provided-flags-to-the-auto-detected-.patch \ file://0001-confiure.ac-Believe-the-cflags-from-environment.patch \ + file://cve-2021-43618.patch \ " SRC_URI[md5sum] = "c24161e0dd44cae78cd5f67193492a21" SRC_URI[sha256sum] = "f51c99cb114deb21a60075ffb494c1a210eb9d7cb729ed042ddb7de9534451ea" diff --git a/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb b/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb index e5c69c0c46..19f32e8d1f 100644 --- a/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb +++ b/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb @@ -9,7 +9,7 @@ LICENSE = "LGPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7 \ file://src/gnome-desktop-testing-runner.c;beginline=1;endline=20;md5=7ef3ad9da2ffcf7707dc11151fe007f4" -SRC_URI = "git://gitlab.gnome.org/GNOME/gnome-desktop-testing.git;protocol=http" +SRC_URI = "git://gitlab.gnome.org/GNOME/gnome-desktop-testing.git;protocol=http;branch=master" SRCREV = "4decade67b29ad170fcf3de148e41695fc459f48" DEPENDS = "glib-2.0" diff --git a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch index 2c204e0245..a0af2d48dc 100644 --- a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch +++ b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch @@ -1,4 +1,4 @@ -From e7ad11cf54475e455fdb84d118e4782961698567 Mon Sep 17 00:00:00 2001 +From abc5c396aaddaef2e6811362e3e0cc0da28c2b34 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Mon, 22 Jan 2018 18:00:21 +0200 Subject: [PATCH] configure.ac: use a custom value for the location of @@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index 919ab31..cd58fdb 100644 +index 64cb8c6..3fe9027 100644 --- a/configure.ac +++ b/configure.ac -@@ -1855,7 +1855,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf", +@@ -1824,7 +1824,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf", AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool]) diff --git a/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch b/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch index 3e798efd06..a13b4d5fb5 100644 --- a/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch +++ b/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch @@ -1,7 +1,7 @@ -From 9c3858ffda6246bf9e1e6aeeb920532a56b19408 Mon Sep 17 00:00:00 2001 +From 6c75656b68cb6e38b039ae532bd39437cd6daec5 Mon Sep 17 00:00:00 2001 From: Saul Wold <sgw@linux.intel.com> Date: Wed, 16 Aug 2017 11:18:01 +0800 -Subject: [PATCH 3/4] dirmngr uses libgpg error +Subject: [PATCH] dirmngr uses libgpg error Upstream-Status: Pending Signed-off-by: Saul Wold <sgw@linux.intel.com> @@ -9,24 +9,20 @@ Signed-off-by: Saul Wold <sgw@linux.intel.com> Rebase to 2.1.23 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> + --- - dirmngr/Makefile.am | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) + dirmngr/Makefile.am | 1 + + 1 file changed, 1 insertion(+) diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am -index b404165..d3f916e 100644 +index 00d3c42..450d873 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am -@@ -82,7 +82,8 @@ endif - dirmngr_LDADD = $(libcommonpth) \ +@@ -101,6 +101,7 @@ dirmngr_LDADD = $(libcommonpth) \ $(DNSLIBS) $(LIBASSUAN_LIBS) \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \ -- $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) -+ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) \ -+ $(GPG_ERROR_LIBS) + $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS) \ ++ $(GPG_ERROR_LIBS) \ + $(dirmngr_robj) if USE_LDAP dirmngr_LDADD += $(ldaplibs) - endif --- -1.8.3.1 - diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch b/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch new file mode 100644 index 0000000000..5992949d35 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch @@ -0,0 +1,44 @@ +From 2f05fc96b1332caf97176841b1152da3f0aa16a8 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Fri, 22 Jul 2022 17:52:36 +0530 +Subject: [PATCH] CVE-2022-34903 + +Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=34c649b3601383cd11dbc76221747ec16fd68e1b] +CVE: CVE-2022-34903 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + g10/cpr.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/g10/cpr.c b/g10/cpr.c +index d502e8b..bc4b715 100644 +--- a/g10/cpr.c ++++ b/g10/cpr.c +@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string, + } + first = 0; + } +- for (esc=0, s=buffer, n=len; n && !esc; s++, n--) ++ for (esc=0, s=buffer, n=len; n; s++, n--) + { + if (*s == '%' || *(const byte*)s <= lower_limit + || *(const byte*)s == 127 ) + esc = 1; + if (wrap && ++count > wrap) +- { +- dowrap=1; +- break; +- } +- } +- if (esc) +- { +- s--; n++; ++ dowrap=1; ++ if (esc || dowrap) ++ break; + } + if (s != buffer) + es_fwrite (buffer, s-buffer, 1, statusfp); +-- +2.25.1 + diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch b/meta/recipes-support/gnupg/gnupg/relocate.patch index e5a82aa76d..7f7812cd46 100644 --- a/meta/recipes-support/gnupg/gnupg/relocate.patch +++ b/meta/recipes-support/gnupg/gnupg/relocate.patch @@ -1,4 +1,4 @@ -From 59c077f32e81190955910cae02599c7a3edfa7fb Mon Sep 17 00:00:00 2001 +From bd66af2ac7bb6d9294ac8055a55462ba7c4f9c9b Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@intel.com> Date: Wed, 19 Sep 2018 14:44:40 +0100 Subject: [PATCH] Allow the environment to override where gnupg looks for its @@ -12,10 +12,10 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/common/homedir.c b/common/homedir.c -index e9e75d0..19140aa 100644 +index 4b6e46e..58989b4 100644 --- a/common/homedir.c +++ b/common/homedir.c -@@ -760,7 +760,7 @@ gnupg_socketdir (void) +@@ -763,7 +763,7 @@ gnupg_socketdir (void) if (!name) { unsigned int dummy; @@ -24,7 +24,7 @@ index e9e75d0..19140aa 100644 } return name; -@@ -786,7 +786,7 @@ gnupg_sysconfdir (void) +@@ -789,7 +789,7 @@ gnupg_sysconfdir (void) } return name; #else /*!HAVE_W32_SYSTEM*/ @@ -33,7 +33,7 @@ index e9e75d0..19140aa 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -815,7 +815,7 @@ gnupg_bindir (void) +@@ -818,7 +818,7 @@ gnupg_bindir (void) else return rdir; #else /*!HAVE_W32_SYSTEM*/ @@ -42,7 +42,7 @@ index e9e75d0..19140aa 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -828,7 +828,7 @@ gnupg_libexecdir (void) +@@ -831,7 +831,7 @@ gnupg_libexecdir (void) #ifdef HAVE_W32_SYSTEM return gnupg_bindir (); #else /*!HAVE_W32_SYSTEM*/ @@ -51,7 +51,7 @@ index e9e75d0..19140aa 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -842,7 +842,7 @@ gnupg_libdir (void) +@@ -845,7 +845,7 @@ gnupg_libdir (void) name = xstrconcat (w32_rootdir (), DIRSEP_S "lib" DIRSEP_S "gnupg", NULL); return name; #else /*!HAVE_W32_SYSTEM*/ @@ -60,7 +60,7 @@ index e9e75d0..19140aa 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -856,7 +856,7 @@ gnupg_datadir (void) +@@ -859,7 +859,7 @@ gnupg_datadir (void) name = xstrconcat (w32_rootdir (), DIRSEP_S "share" DIRSEP_S "gnupg", NULL); return name; #else /*!HAVE_W32_SYSTEM*/ @@ -69,7 +69,7 @@ index e9e75d0..19140aa 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -872,7 +872,7 @@ gnupg_localedir (void) +@@ -875,7 +875,7 @@ gnupg_localedir (void) NULL); return name; #else /*!HAVE_W32_SYSTEM*/ @@ -78,7 +78,7 @@ index e9e75d0..19140aa 100644 #endif /*!HAVE_W32_SYSTEM*/ } -@@ -940,7 +940,7 @@ gnupg_cachedir (void) +@@ -943,7 +943,7 @@ gnupg_cachedir (void) } return dir; #else /*!HAVE_W32_SYSTEM*/ diff --git a/meta/recipes-support/gnupg/gnupg_2.2.20.bb b/meta/recipes-support/gnupg/gnupg_2.2.27.bb index 6629fc8556..bd09b02017 100644 --- a/meta/recipes-support/gnupg/gnupg_2.2.20.bb +++ b/meta/recipes-support/gnupg/gnupg_2.2.27.bb @@ -20,19 +20,20 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0003-dirmngr-uses-libgpg-error.patch \ file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ + file://CVE-2022-34903.patch \ " SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \ file://relocate.patch" SRC_URI_append_class-nativesdk = " file://relocate.patch" -SRC_URI[md5sum] = "4ff88920cf52b35db0dedaee87bdbbb1" -SRC_URI[sha256sum] = "04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30" +SRC_URI[sha256sum] = "34e60009014ea16402069136e0a5f63d9b65f90096244975db5cea74b3d02399" EXTRA_OECONF = "--disable-ldap \ --disable-ccid-driver \ --with-zlib=${STAGING_LIBDIR}/.. \ --with-bzip2=${STAGING_LIBDIR}/.. \ --with-readline=${STAGING_LIBDIR}/.. \ + --with-mailprog=${sbindir}/sendmail \ --enable-gpg-is-gpg2 \ " diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch new file mode 100644 index 0000000000..0bcb55e573 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch @@ -0,0 +1,37 @@ +From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <ueno@gnu.org> +Date: Wed, 22 Dec 2021 09:12:25 +0100 +Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length + input + +As Nettle's hash update functions internally call memcpy, providing +zero-length input may cause undefined behavior. + +Signed-off-by: Daiki Ueno <ueno@gnu.org> + +https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568 +Upstream-Status: Backport +CVE: CVE-2021-4209 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + lib/nettle/mac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c +index f9d4d7a8df..35e070fab0 100644 +--- a/lib/nettle/mac.c ++++ b/lib/nettle/mac.c +@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo, + if (ret < 0) + return gnutls_assert_val(ret); + +- ctx.update(&ctx, text_size, text); ++ if (text_size > 0) { ++ ctx.update(&ctx, text_size, text); ++ } + ctx.digest(&ctx, ctx.length, digest); + + return 0; +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch b/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch new file mode 100644 index 0000000000..f8954945d0 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch @@ -0,0 +1,282 @@ +From 9835638d4e1f37781a47e777c76d5bb14218929b Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Tue, 16 Aug 2022 12:23:14 +0530 +Subject: [PATCH] CVE-2022-2509 + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/ce37f9eb265dbe9b6d597f5767449e8ee95848e2] +CVE: CVE-2022-2509 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + NEWS | 4 + + lib/x509/pkcs7.c | 3 +- + tests/Makefile.am | 2 +- + tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++ + 4 files changed, 222 insertions(+), 2 deletions(-) + create mode 100644 tests/pkcs7-verify-double-free.c + +diff --git a/NEWS b/NEWS +index 755a67c..ba70bb3 100644 +--- a/NEWS ++++ b/NEWS +@@ -7,6 +7,10 @@ See the end for copying conditions. + + * Version 3.6.14 (released 2020-06-03) + ++** libgnutls: Fixed double free during verification of pkcs7 signatures. ++ Reported by Jaak Ristioja (#1383). [GNUTLS-SA-2022-07-07, CVSS: medium] ++ [CVE-2022-2509] ++ + ** libgnutls: Fixed insecure session ticket key construction, since 3.6.4. + The TLS server would not bind the session ticket encryption key with a + value supplied by the application until the initial key rotation, allowing +diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c +index 98669e8..ccbc69d 100644 +--- a/lib/x509/pkcs7.c ++++ b/lib/x509/pkcs7.c +@@ -1318,7 +1318,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl, + issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags); + + if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) { +- if (prev) gnutls_x509_crt_deinit(prev); ++ if (prev && prev != signer) ++ gnutls_x509_crt_deinit(prev); + prev = issuer; + break; + } +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 11a083c..cd43a0f 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -219,7 +219,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei + tls-record-size-limit-asym dh-compute ecdh-compute sign-verify-data-newapi \ + sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \ + tls13-without-timeout-func buffer status-request-revoked \ +- set_x509_ocsp_multi_cli kdf-api keylog-func \ ++ set_x509_ocsp_multi_cli kdf-api keylog-func pkcs7-verify-double-free \ + dtls_hello_random_value tls_hello_random_value x509cert-dntypes + + if HAVE_SECCOMP_TESTS +diff --git a/tests/pkcs7-verify-double-free.c b/tests/pkcs7-verify-double-free.c +new file mode 100644 +index 0000000..fadf307 +--- /dev/null ++++ b/tests/pkcs7-verify-double-free.c +@@ -0,0 +1,215 @@ ++/* ++ * Copyright (C) 2022 Red Hat, Inc. ++ * ++ * Author: Zoltan Fridrich ++ * ++ * This file is part of GnuTLS. ++ * ++ * GnuTLS is free software: you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuTLS is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif ++ ++#include <stdio.h> ++#include <gnutls/pkcs7.h> ++#include <gnutls/x509.h> ++ ++#include "utils.h" ++ ++static char rca_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n" ++ "cGxlIENBMCAXDTE3MDcyMTE0NDMzNloYDzIyMjIwNzIxMTQ0MzM2WjAVMRMwEQYD\n" ++ "VQQKDApFeGFtcGxlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n" ++ "v8hnKPJ/IA0SQB/A/a0Uh+npZ67vsgIMrtTQo0r0kJkmkBz5323xO3DVuJfB3QmX\n" ++ "v9zvoeCQLuDvWar5Aixfxgm6s5Q+yPvJj9t3NebDrU+Y4+qyewBIJUF8EF/5iBPC\n" ++ "ZHONmzbfIRWvQWGGgb2CRcOHp2J7AY/QLB6LsWPaLjs/DHva28Q13JaTTHIpdu8v\n" ++ "t6vHr0nXf66DN4MvtoF3N+o+v3snJCMsfXOqASi4tbWR7gtOfCfiz9uBjh0W2Dut\n" ++ "/jclBQkJkLe6esNSM+f4YiOpctVDjmfj8yoHCp394vt0wFqhG38wsTFAyVP6qIcf\n" ++ "5zoSu9ovEt2cTkhnZHjiiwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n" ++ "DwEB/wQEAwIBBjAdBgNVHQ4EFgQUhjeO6Uc5imbjOl2I2ltVA27Hu9YwHwYDVR0j\n" ++ "BBgwFoAUhjeO6Uc5imbjOl2I2ltVA27Hu9YwDQYJKoZIhvcNAQELBQADggEBAD+r\n" ++ "i/7FsbG0OFKGF2+JOnth6NjJQcMfM8LiglqAuBUijrv7vltoZ0Z3FJH1Vi4OeMXn\n" ++ "l7X/9tWUve0uFl75MfjDrf0+lCEdYRY1LCba2BrUgpbbkLywVUdnbsvndehegCgS\n" ++ "jss2/zys3Hlo3ZaHlTMQ/NQ4nrxcxkjOvkZSEOqgxJTLpzm6pr7YUts4k6c6lNiB\n" ++ "FSiJiDzsJCmWR9C3fBbUlfDfTJYGN3JwqX270KchXDElo8gNoDnF7jBMpLFFSEKm\n" ++ "MyfbNLX/srh+CEfZaN/OZV4A3MQ0L8vQEp6M4CJhvRLIuMVabZ2coJ0AzystrOMU\n" ++ "LirBWjg89RoAjFQ7bTE=\n" ++ "-----END CERTIFICATE-----\n"; ++ ++static char ca_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n" ++ "cGxlIENBMCAXDTE3MDcyMTE0NDQzNFoYDzIyMjIwNzIxMTQ0NDM0WjAiMSAwHgYD\n" ++ "VQQKDBdFeGFtcGxlIGludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD\n" ++ "ggEPADCCAQoCggEBAKb9ACB8u//sP6MfNU1OsVw68xz3eTPLgKxS0vpqexm6iGVg\n" ++ "ug/o9uYRLzqiEukv/eyz9WzHmY7sqlOJjOFdv92+SaNg79Jc51WHPFXgea4/qyfr\n" ++ "4y14PGs0SNxm6T44sXurUs7cXydQVUgnq2VCaWFOTUdxXoAWkV8r8GaUoPD/klVz\n" ++ "RqxSZVETmX1XBKhsMnnov41kRwVph2C+VfUspsbaUZaz/o/S1/nokhXRACzKsMBr\n" ++ "obqiGxbY35uVzsmbAW5ErhQz98AWJL3Bub1fsEMXg6OEMmPH4AtX888dTIYZNw0E\n" ++ "bUIESspz1kjJQTtVQDHTprhwz16YiSVeUonlLgMCAwEAAaNjMGEwDwYDVR0TAQH/\n" ++ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPBjxDWjMhjXERirKF9O\n" ++ "o/5Cllc5MB8GA1UdIwQYMBaAFIY3julHOYpm4zpdiNpbVQNux7vWMA0GCSqGSIb3\n" ++ "DQEBCwUAA4IBAQCTm+vv3hBa6lL5IT+Fw8aTxQ2Ne7mZ5oyazhvXYwwfKNMX3SML\n" ++ "W2JdPaL64ZwbxxxYvW401o5Z0CEgru3YFrsqB/hEdl0Uf8UWWJmE1rRa+miTmbjt\n" ++ "lrLNCWdrs6CiwvsPITTHg7jevB4KyZYsTSxQFcyr3N3xF+6EmOTC4IkhPPnXYXcp\n" ++ "248ih+WOavSYoRvzgB/Dip1WnPYU2mfIV3O8JReRryngA0TzWCLPLUoWR3R4jwtC\n" ++ "+1uSLoqaenz3qv3F1WEbke37az9YJuXx/5D8CqFQiZ62TUUtI6fYd8mkMBM4Qfh6\n" ++ "NW9XrCkI9wlpL5K9HllhuW0BhKeJkuPpyQ2p\n" ++ "-----END CERTIFICATE-----\n"; ++ ++static char ee_pem[] = ++ "-----BEGIN CERTIFICATE-----\n" ++ "MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdFeGFt\n" ++ "cGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzdaGA8yMjIyMDcyMTE0\n" ++ "NDUzN1owFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEBBQAD\n" ++ "ggEPADCCAQoCggEBAMb1uuxppBFY+WVD45iyHUq7DkIJNNOI/JRaybVJfPktWq2E\n" ++ "eNe7XhV05KKnqZTbDO2iYqNHqGhZ8pz/IstDRTZP3z/q1vXTG0P9Gx28rEy5TaUY\n" ++ "QjtD+ZoFUQm0ORMDBjd8jikqtJ87hKeuOPMH4rzdydotMaPQSm7KLzHBGBr6gg7z\n" ++ "g1IxPWkhMyHapoMqqrhjwjzoTY97UIXpZTEoIA+KpEC8f9CciBtL0i1MPBjWozB6\n" ++ "Jma9q5iEwZXuRr3cnPYeIPlK2drgDZCMuSFcYiT8ApLw5OhKqY1m2EvfZ2ox2s9R\n" ++ "68/HzYdPi3kZwiNEtlBvMlpt5yKBJAflp76d7DkCAwEAAaNuMGwwCwYDVR0PBAQD\n" ++ "AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUc+Mi\n" ++ "kr8WMCk00SQo+P2iggp/oQkwHwYDVR0jBBgwFoAU8GPENaMyGNcRGKsoX06j/kKW\n" ++ "VzkwDQYJKoZIhvcNAQELBQADggEBAKU9+CUR0Jcfybd1+8Aqgh1RH96yQygnVuyt\n" ++ "Na9rFz4fM3ij9tGXDHXrkZw8bW1dWLU9quu8zeTxKxc3aiDIw739Alz0tukttDo7\n" ++ "dW7YqIb77zsIsWB9p7G9dlxT6ieUy+5IKk69BbeK8KR0vAciAG4KVQxPhuPy/LGX\n" ++ "PzqlJIJ4h61s3UOroReHPB1keLZgpORqrvtpClOmABH9TLFRJA/WFg8Q2XYB/p0x\n" ++ "l/pWiaoBC+8wK9cDoMUK5yOwXeuCLffCb+UlAD0+z/qxJ2pisE8E9X8rRKRrWI+i\n" ++ "G7LtJCEn86EQK8KuRlJxKgj8lClZhoULB0oL4jbblBuNow9WRmM=\n" ++ "-----END CERTIFICATE-----\n"; ++ ++static char msg_pem[] = ++ "-----BEGIN PKCS7-----\n" ++ "MIIK2QYJKoZIhvcNAQcCoIIKyjCCCsYCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n" ++ "hvcNAQcBoIIJTzCCAwowggHyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwFTETMBEG\n" ++ "A1UECgwKRXhhbXBsZSBDQTAgFw0xNzA3MjExNDQzMjFaGA8yMjIyMDcyMTE0NDMy\n" ++ "MVowFTETMBEGA1UECgwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" ++ "ADCCAQoCggEBAL51eyE4j8wAKQKMGlO9HEY2iaGvsdPSJmidSdmCi1jnNK39Lx4Y\n" ++ "31h279hSHF5wtI6VM91HHfeLf1mjEZHlKrXXJQzBPLpbHWapD778drHBitOP8e56\n" ++ "fDMIfofLV4tkMk8690vPe4cJH1UHGspMyz6EQF9kPRaW80XtMV/6dalgL/9Esmaw\n" ++ "XBNPJAS1VutDuXQkJ/3/rWFLmkpYHHtGPjX782YRmT1s+VOVTsLqmKx0TEL8A381\n" ++ "bbElHPUAMjPcyWR5qqA8KWnS5Dwqk3LwI0AvuhQytCq0S7Xl4DXauvxwTRXv0UU7\n" ++ "W8r3MLAw9DnlnJiD/RFjw5rbGO3wMePk/qUCAwEAAaNjMGEwDwYDVR0TAQH/BAUw\n" ++ "AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIh2KRoKJoe2VtpOwWMkRAkR\n" ++ "mLWKMB8GA1UdIwQYMBaAFIh2KRoKJoe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEB\n" ++ "CwUAA4IBAQBovvlOjoy0MCT5U0eWfcPQQjY4Ssrn3IiPNlVkqSNo+FHX+2baTLVQ\n" ++ "5QTHxwXwzdIJiwtjFWDdGEQXqmuIvnFG+u/whGbeg6oQygfnQ5Y+q6epOxCsPgLQ\n" ++ "mKKEaF7mvh8DauUx4QSbYCNGCctOZuB1vlN9bJ3/5QbH+2pFPOfCr5CAyPDwHo6S\n" ++ "qO3yPcutRwT9xS7gXEHM9HhLp+DmdCGh4eVBPiFilyZm1d92lWxU8oxoSfXgzDT/\n" ++ "GCzlMykNZNs4JD9QmiRClP/3U0dQbOhah/Fda+N+L90xaqEgGcvwKKZa3pzo59pl\n" ++ "BbkcIP4YPyHeinwkgAn5UVJg9DOxNCS0MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG\n" ++ "9w0BAQsFADAVMRMwEQYDVQQKDApFeGFtcGxlIENBMCAXDTE3MDcyMTE0NDQxM1oY\n" ++ "DzIyMjIwNzIxMTQ0NDEzWjAiMSAwHgYDVQQKDBdFeGFtcGxlIGludGVybWVkaWF0\n" ++ "ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPFDEvDANwvhviu\n" ++ "pwXTvaKyxyX94jVu1wgAhIRyQBVRiMbrn8MEufLG8oA0vKd8s92gv/lWe1jFb2rn\n" ++ "91jMkZWsjWjiJFD6SzqFfBo+XxOGikEqO1MAf92UqavmSGlXVRG1Vy7T7dWibZP0\n" ++ "WODhHYWayR0Y6owSz5IqNfrHXzDME+lSJxHgRFI7pK+b0OgiVmvyXDKFPvyU6GrP\n" ++ "lxXDi/XbjyPvC5gpiwtTgm+s8KERwmdlfZUNjkh2PpHx1g1joijHT3wIvO/Pek1E\n" ++ "C+Xs6w3XxGgL6TTL7FDuv4AjZVX9KK66/yBhX3aN8bkqAg+hs9XNk3zzWC0XEFOS\n" ++ "Qoh2va0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n" ++ "HQYDVR0OBBYEFHwi/7dUWGjkMWJctOm7MCjjQj1cMB8GA1UdIwQYMBaAFIh2KRoK\n" ++ "Joe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEBCwUAA4IBAQCF6sHCBdYRwBwvfCve\n" ++ "og9cPnmPqZrG4AtmSvtoSsMvgvKb/4z3/gG8oPtTBkeRcAHoMoEp/oA+B2ylwIAc\n" ++ "S5U7jx+lYH/Pqih0X/OcOLbaMv8uzGSGQxk+L9LuuIT6E/THfRRIPEvkDkzC+/uk\n" ++ "7vUbG17bSEWeF0o/6sjzAY2aH1jnbCDyu0UC78GXkc6bZ5QlH98uLMDMrOmqcZjS\n" ++ "JFfvuRDQyKV5yBdBkYaobsIWSQDsgYxJzf/2y8c3r+HXqT+jhrXPWJ3btgMPxpu7\n" ++ "E8KmoFgp9EM+48oYlXJ66rk08/KjaVmgN7R+Hm3e2+MFT2kme4fBKalLjcazTe3x\n" ++ "0FisMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdF\n" ++ "eGFtcGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzBaGA8yMjIyMDcy\n" ++ "MTE0NDUzMVowFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEB\n" ++ "BQADggEPADCCAQoCggEBAMjhSqhdD5RjmOm6W3hG7zkgKBP9whRN/SipcdEMlkgc\n" ++ "F/U3QMu66qIfKwheNdWalC1JLtruLDWP92ysa6Vw+CCG8aSax1AgB//RKQB7kgPA\n" ++ "9js9hi/oCdBmCv2HJxhWSLz+MVoxgzW4C7S9FenI+btxe/99Uw4nOw7kwjsYDLKr\n" ++ "tMw8myv7aCW/63CuBYGtohiZupM3RI3kKFcZots+KRPLlZpjv+I2h9xSln8VxKNb\n" ++ "XiMrYwGfHB7iX7ghe1TvFjKatEUhsqa7AvIq7nfe/cyq97f0ODQO814njgZtk5iQ\n" ++ "JVavXHdhTVaypt1HdAFMuHX5UATylHxx9tRCgSIijUsCAwEAAaNuMGwwCwYDVR0P\n" ++ "BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU\n" ++ "31+vHl4E/2Jpnwinbzf+d7usshcwHwYDVR0jBBgwFoAUfCL/t1RYaOQxYly06bsw\n" ++ "KONCPVwwDQYJKoZIhvcNAQELBQADggEBAAWe63DcNwmleQ3INFGDJZ/m2I/R/cBa\n" ++ "nnrxgR5Ey1ljHdA/x1z1JLTGmGVwqGExs5DNG9Q//Pmc9pZ1yPa8J4Xf8AvFcmkY\n" ++ "mWoH1HvW0xu/RF1UN5SAoD2PRQ+Vq4OSPD58IlEu/u4o1wZV7Wl91Cv6VNpiAb63\n" ++ "j9PA1YacOpOtcRqG59Vuj9HFm9f30ejHVo2+KJcpo290cR3Zg4fOm8mtjeMdt/QS\n" ++ "Atq+RqPAQ7yxqvEEv8zPIZj2kAOQm3mh/yYqBrR68lQUD/dBTP7ApIZkhUK3XK6U\n" ++ "nf9JvoF6Fn2+Cnqb//FLBgHSnoeqeQNwDLUXTsD02iYxHzJrhokSY4YxggFQMIIB\n" ++ "TAIBATAnMCIxIDAeBgNVBAoMF0V4YW1wbGUgaW50ZXJtZWRpYXRlIENBAgEBMAsG\n" ++ "CWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQATHg6wNsBcs/Ub1GQfKwTpKCk5\n" ++ "8QXuNnZ0u7b6mKgrSY2Gf47fpL2aRgaR+BAQncbctu5EH/IL38pWjaGtOhFAj/5q\n" ++ "7luVQW11kuyJN3Bd/dtLqawWOwMmAIEigw6X50l5ZHnEVzFfxt+RKTNhk4XWVtbi\n" ++ "2iIlITOplW0rnvxYAwCxKL9ocaB7etK8au7ixMxbFp75Ts4iLX8dhlAFdCuFCk8k\n" ++ "B8mi9HHuwr3QYRqMPW61hu1wBL3yB8eoZNOwPXb0gkIh6ZvgptxgQzm/cc+Iw9fP\n" ++ "QkR0fTM7ElJ5QZmSV98AUbZDHmDvpmcjcUxfSPMc3IoT8T300usRu7QHqKJi\n" ++ "-----END PKCS7-----\n"; ++ ++const gnutls_datum_t rca_datum = { (void *)rca_pem, sizeof(rca_pem) - 1 }; ++const gnutls_datum_t ca_datum = { (void *)ca_pem, sizeof(ca_pem) - 1 }; ++const gnutls_datum_t ee_datum = { (void *)ee_pem, sizeof(ee_pem) - 1 }; ++const gnutls_datum_t msg_datum = { (void *)msg_pem, sizeof(msg_pem) - 1 }; ++ ++static void tls_log_func(int level, const char *str) ++{ ++ fprintf(stderr, "%s |<%d>| %s", "err", level, str); ++} ++ ++#define CHECK(X)\ ++{\ ++ r = X;\ ++ if (r < 0)\ ++ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\ ++}\ ++ ++void doit(void) ++{ ++ int r; ++ gnutls_x509_crt_t rca_cert = NULL; ++ gnutls_x509_crt_t ca_cert = NULL; ++ gnutls_x509_crt_t ee_cert = NULL; ++ gnutls_x509_trust_list_t tlist = NULL; ++ gnutls_pkcs7_t pkcs7 = NULL; ++ gnutls_datum_t data = { (unsigned char *)"xxx", 3 }; ++ ++ if (debug) { ++ gnutls_global_set_log_function(tls_log_func); ++ gnutls_global_set_log_level(4711); ++ } ++ ++ // Import certificates ++ CHECK(gnutls_x509_crt_init(&rca_cert)); ++ CHECK(gnutls_x509_crt_import(rca_cert, &rca_datum, GNUTLS_X509_FMT_PEM)); ++ CHECK(gnutls_x509_crt_init(&ca_cert)); ++ CHECK(gnutls_x509_crt_import(ca_cert, &ca_datum, GNUTLS_X509_FMT_PEM)); ++ CHECK(gnutls_x509_crt_init(&ee_cert)); ++ CHECK(gnutls_x509_crt_import(ee_cert, &ee_datum, GNUTLS_X509_FMT_PEM)); ++ ++ // Setup trust store ++ CHECK(gnutls_x509_trust_list_init(&tlist, 0)); ++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, rca_cert, "rca", 3, 0)); ++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ca_cert, "ca", 2, 0)); ++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ee_cert, "ee", 2, 0)); ++ ++ // Setup pkcs7 structure ++ CHECK(gnutls_pkcs7_init(&pkcs7)); ++ CHECK(gnutls_pkcs7_import(pkcs7, &msg_datum, GNUTLS_X509_FMT_PEM)); ++ ++ // Signature verification ++ gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0); ++ ++ gnutls_x509_crt_deinit(rca_cert); ++ gnutls_x509_crt_deinit(ca_cert); ++ gnutls_x509_crt_deinit(ee_cert); ++ gnutls_x509_trust_list_deinit(tlist, 0); ++ gnutls_pkcs7_deinit(pkcs7); ++} +-- +2.25.1 + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch new file mode 100644 index 0000000000..943f4ca704 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch @@ -0,0 +1,85 @@ +From 80a6ce8ddb02477cd724cd5b2944791aaddb702a Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin <asosedkin@redhat.com> +Date: Tue, 9 Aug 2022 16:05:53 +0200 +Subject: [PATCH] auth/rsa: side-step potential side-channel + +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com> +Signed-off-by: Hubert Kario <hkario@redhat.com> +Tested-by: Hubert Kario <hkario@redhat.com> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80a6ce8ddb02477cd724cd5b2944791aaddb702a + https://gitlab.com/gnutls/gnutls/-/commit/4b7ff428291c7ed77c6d2635577c83a43bbae558] +CVE: CVE-2023-0361 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + lib/auth/rsa.c | 30 +++--------------------------- + 1 file changed, 3 insertions(+), 27 deletions(-) + +diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c +index 8108ee8..858701f 100644 +--- a/lib/auth/rsa.c ++++ b/lib/auth/rsa.c +@@ -155,13 +155,10 @@ static int + proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + size_t _data_size) + { +- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n"; + gnutls_datum_t ciphertext; + int ret, dsize; + ssize_t data_size = _data_size; + volatile uint8_t ver_maj, ver_min; +- volatile uint8_t check_ver_min; +- volatile uint32_t ok; + + #ifdef ENABLE_SSL3 + if (get_num_version(session) == GNUTLS_SSL3) { +@@ -187,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + + ver_maj = _gnutls_get_adv_version_major(session); + ver_min = _gnutls_get_adv_version_minor(session); +- check_ver_min = (session->internals.allow_wrong_pms == 0); + + session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE); + if (session->key.key.data == NULL) { +@@ -206,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + return ret; + } + +- ret = +- gnutls_privkey_decrypt_data2(session->internals.selected_key, +- 0, &ciphertext, session->key.key.data, +- session->key.key.size); ++ gnutls_privkey_decrypt_data2(session->internals.selected_key, ++ 0, &ciphertext, session->key.key.data, ++ session->key.key.size); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side + * channel that can be used as an oracle, so treat very carefully */ +@@ -225,25 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + * Vlastimil Klima, Ondej Pokorny and Tomas Rosa. + */ + +- /* ok is 0 in case of error and 1 in case of success. */ +- +- /* if ret < 0 */ +- ok = CONSTCHECK_EQUAL(ret, 0); +- /* session->key.key.data[0] must equal ver_maj */ +- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj); +- /* if check_ver_min then session->key.key.data[1] must equal ver_min */ +- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) & +- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min); +- +- if (ok) { +- /* call logging function unconditionally so all branches are +- * indistinguishable for timing and cache access when debug +- * logging is disabled */ +- _gnutls_no_log("%s", attack_error); +- } else { +- _gnutls_debug_log("%s", attack_error); +- } +- + /* This is here to avoid the version check attack + * discussed above. + */ +-- +2.25.1 + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch new file mode 100644 index 0000000000..c518cfa0ac --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch @@ -0,0 +1,206 @@ +Backport of: + +From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <ueno@gnu.org> +Date: Mon, 23 Oct 2023 09:26:57 +0900 +Subject: [PATCH] auth/rsa_psk: side-step potential side-channel + +This removes branching that depends on secret data, porting changes +for regular RSA key exchange from +4804febddc2ed958e5ae774de2a8f85edeeff538 and +80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the +allow_wrong_pms as it was used sorely to control debug output +depending on the branching. + +Signed-off-by: Daiki Ueno <ueno@gnu.org> + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz +Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d] +CVE: CVE-2023-5981 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/auth/rsa.c | 2 +- + lib/auth/rsa_psk.c | 90 ++++++++++++++++++---------------------------- + lib/gnutls_int.h | 4 --- + lib/priority.c | 1 - + 4 files changed, 35 insertions(+), 62 deletions(-) + +--- a/lib/auth/rsa.c ++++ b/lib/auth/rsa.c +@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess + session->key.key.size); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side +- * channel that can be used as an oracle, so treat very carefully */ ++ * channel that can be used as an oracle, so tread carefully */ + + /* Error handling logic: + * In case decryption fails then don't inform the peer. Just use the +--- a/lib/auth/rsa_psk.c ++++ b/lib/auth/rsa_psk.c +@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se + { + gnutls_datum_t username; + psk_auth_info_t info; +- gnutls_datum_t plaintext; + gnutls_datum_t ciphertext; + gnutls_datum_t pwd_psk = { NULL, 0 }; + int ret, dsize; +- int randomize_key = 0; + ssize_t data_size = _data_size; + gnutls_psk_server_credentials_t cred; + gnutls_datum_t premaster_secret = { NULL, 0 }; ++ volatile uint8_t ver_maj, ver_min; + + cred = (gnutls_psk_server_credentials_t) + _gnutls_get_cred(session, GNUTLS_CRD_PSK); +@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se + } + ciphertext.size = dsize; + +- ret = +- gnutls_privkey_decrypt_data(session->internals.selected_key, 0, +- &ciphertext, &plaintext); +- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) { +- /* In case decryption fails then don't inform +- * the peer. Just use a random key. (in order to avoid +- * attack against pkcs-1 formatting). +- */ +- gnutls_assert(); +- _gnutls_debug_log +- ("auth_rsa_psk: Possible PKCS #1 format attack\n"); +- if (ret >= 0) { +- gnutls_free(plaintext.data); +- } +- randomize_key = 1; +- } else { +- /* If the secret was properly formatted, then +- * check the version number. +- */ +- if (_gnutls_get_adv_version_major(session) != +- plaintext.data[0] +- || (session->internals.allow_wrong_pms == 0 +- && _gnutls_get_adv_version_minor(session) != +- plaintext.data[1])) { +- /* No error is returned here, if the version number check +- * fails. We proceed normally. +- * That is to defend against the attack described in the paper +- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima, +- * Ondej Pokorny and Tomas Rosa. +- */ +- gnutls_assert(); +- _gnutls_debug_log +- ("auth_rsa: Possible PKCS #1 version check format attack\n"); +- } +- } ++ ver_maj = _gnutls_get_adv_version_major(session); ++ ver_min = _gnutls_get_adv_version_minor(session); + ++ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE); ++ if (premaster_secret.data == NULL) { ++ gnutls_assert(); ++ return GNUTLS_E_MEMORY_ERROR; ++ } ++ premaster_secret.size = GNUTLS_MASTER_SIZE; + +- if (randomize_key != 0) { +- premaster_secret.size = GNUTLS_MASTER_SIZE; +- premaster_secret.data = +- gnutls_malloc(premaster_secret.size); +- if (premaster_secret.data == NULL) { +- gnutls_assert(); +- return GNUTLS_E_MEMORY_ERROR; +- } +- +- /* we do not need strong random numbers here. +- */ +- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data, +- premaster_secret.size); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- } else { +- premaster_secret.data = plaintext.data; +- premaster_secret.size = plaintext.size; ++ /* Fallback value when decryption fails. Needs to be unpredictable. */ ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data, ++ premaster_secret.size); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } + ++ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0, ++ &ciphertext, premaster_secret.data, ++ premaster_secret.size); ++ /* After this point, any conditional on failure that cause differences ++ * in execution may create a timing or cache access pattern side ++ * channel that can be used as an oracle, so tread carefully */ ++ ++ /* Error handling logic: ++ * In case decryption fails then don't inform the peer. Just use the ++ * random key previously generated. (in order to avoid attack against ++ * pkcs-1 formatting). ++ * ++ * If we get version mismatches no error is returned either. We ++ * proceed normally. This is to defend against the attack described ++ * in the paper "Attacking RSA-based sessions in SSL/TLS" by ++ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa. ++ */ ++ + /* This is here to avoid the version check attack + * discussed above. + */ +- +- premaster_secret.data[0] = _gnutls_get_adv_version_major(session); +- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session); ++ premaster_secret.data[0] = ver_maj; ++ premaster_secret.data[1] = ver_min; + + /* find the key of this username + */ +--- a/lib/gnutls_int.h ++++ b/lib/gnutls_int.h +@@ -989,7 +989,6 @@ struct gnutls_priority_st { + bool _no_etm; + bool _no_ext_master_secret; + bool _allow_key_usage_violation; +- bool _allow_wrong_pms; + bool _dumbfw; + unsigned int _dh_prime_bits; /* old (deprecated) variable */ + +@@ -1007,7 +1006,6 @@ struct gnutls_priority_st { + (x)->no_etm = 1; \ + (x)->no_ext_master_secret = 1; \ + (x)->allow_key_usage_violation = 1; \ +- (x)->allow_wrong_pms = 1; \ + (x)->dumbfw = 1 + + #define ENABLE_PRIO_COMPAT(x) \ +@@ -1016,7 +1014,6 @@ struct gnutls_priority_st { + (x)->_no_etm = 1; \ + (x)->_no_ext_master_secret = 1; \ + (x)->_allow_key_usage_violation = 1; \ +- (x)->_allow_wrong_pms = 1; \ + (x)->_dumbfw = 1 + + /* DH and RSA parameters types. +@@ -1141,7 +1138,6 @@ typedef struct { + bool no_etm; + bool no_ext_master_secret; + bool allow_key_usage_violation; +- bool allow_wrong_pms; + bool dumbfw; + + /* old (deprecated) variable. This is used for both srp_prime_bits +--- a/lib/priority.c ++++ b/lib/priority.c +@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t ses + COPY_TO_INTERNALS(no_etm); + COPY_TO_INTERNALS(no_ext_master_secret); + COPY_TO_INTERNALS(allow_key_usage_violation); +- COPY_TO_INTERNALS(allow_wrong_pms); + COPY_TO_INTERNALS(dumbfw); + COPY_TO_INTERNALS(dh_prime_bits); + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch new file mode 100644 index 0000000000..f15c470879 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch @@ -0,0 +1,125 @@ +From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <ueno@gnu.org> +Date: Wed, 10 Jan 2024 19:13:17 +0900 +Subject: [PATCH] rsa-psk: minimize branching after decryption + +This moves any non-trivial code between gnutls_privkey_decrypt_data2 +and the function return in _gnutls_proc_rsa_psk_client_kx up until the +decryption. This also avoids an extra memcpy to session->key.key. + +Signed-off-by: Daiki Ueno <ueno@gnu.org> + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e] +CVE: CVE-2024-0553 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++---------------------- + 1 file changed, 35 insertions(+), 33 deletions(-) + +diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c +index 93c2dc9..c6cfb92 100644 +--- a/lib/auth/rsa_psk.c ++++ b/lib/auth/rsa_psk.c +@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + int ret, dsize; + ssize_t data_size = _data_size; + gnutls_psk_server_credentials_t cred; +- gnutls_datum_t premaster_secret = { NULL, 0 }; + volatile uint8_t ver_maj, ver_min; + + cred = (gnutls_psk_server_credentials_t) +@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + ver_maj = _gnutls_get_adv_version_major(session); + ver_min = _gnutls_get_adv_version_minor(session); + +- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE); +- if (premaster_secret.data == NULL) { ++ /* Find the key of this username. A random value will be ++ * filled in if the key is not found. ++ */ ++ ret = _gnutls_psk_pwd_find_entry(session, info->username, ++ strlen(info->username), &pwd_psk); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ /* Allocate memory for premaster secret, and fill in the ++ * fields except the decryption result. ++ */ ++ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size; ++ session->key.key.data = gnutls_malloc(session->key.key.size); ++ if (session->key.key.data == NULL) { + gnutls_assert(); ++ _gnutls_free_key_datum(&pwd_psk); ++ /* No need to zeroize, as the secret is not copied in yet */ ++ _gnutls_free_datum(&session->key.key); + return GNUTLS_E_MEMORY_ERROR; + } +- premaster_secret.size = GNUTLS_MASTER_SIZE; + + /* Fallback value when decryption fails. Needs to be unpredictable. */ +- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data, +- premaster_secret.size); ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2, ++ GNUTLS_MASTER_SIZE); + if (ret < 0) { + gnutls_assert(); +- goto cleanup; ++ _gnutls_free_key_datum(&pwd_psk); ++ /* No need to zeroize, as the secret is not copied in yet */ ++ _gnutls_free_datum(&session->key.key); ++ return ret; + } + ++ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data); ++ _gnutls_write_uint16(pwd_psk.size, ++ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]); ++ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data, ++ pwd_psk.size); ++ _gnutls_free_key_datum(&pwd_psk); ++ + gnutls_privkey_decrypt_data2(session->internals.selected_key, 0, +- &ciphertext, premaster_secret.data, +- premaster_secret.size); ++ &ciphertext, session->key.key.data + 2, ++ GNUTLS_MASTER_SIZE); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side + * channel that can be used as an oracle, so tread carefully */ +@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + /* This is here to avoid the version check attack + * discussed above. + */ +- premaster_secret.data[0] = ver_maj; +- premaster_secret.data[1] = ver_min; ++ session->key.key.data[2] = ver_maj; ++ session->key.key.data[3] = ver_min; + +- /* find the key of this username +- */ +- ret = +- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- +- ret = +- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- +- ret = 0; +- cleanup: +- _gnutls_free_key_datum(&pwd_psk); +- _gnutls_free_temp_key_datum(&premaster_secret); +- +- return ret; ++ return 0; + } + + static int +-- +2.25.1 + diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb index 0c68da7c54..a1451daf2c 100644 --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb @@ -25,6 +25,11 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2020-24659.patch \ file://CVE-2021-20231.patch \ file://CVE-2021-20232.patch \ + file://CVE-2022-2509.patch \ + file://CVE-2021-4209.patch \ + file://CVE-2023-0361.patch \ + file://CVE-2023-5981.patch \ + file://CVE-2024-0553.patch \ " SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63" diff --git a/meta/recipes-support/gnutls/libtasn1/CVE-2021-46848.patch b/meta/recipes-support/gnutls/libtasn1/CVE-2021-46848.patch new file mode 100644 index 0000000000..9a8ceecbe7 --- /dev/null +++ b/meta/recipes-support/gnutls/libtasn1/CVE-2021-46848.patch @@ -0,0 +1,45 @@ +From 22fd12b290adea788122044cb58dc9e77754644f Mon Sep 17 00:00:00 2001 +From: Vivek Kumbhar <vkumbhar@mvista.com> +Date: Thu, 17 Nov 2022 12:07:50 +0530 +Subject: [PATCH] CVE-2021-46848 + +Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5] +CVE: CVE-2021-46848 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> + +Fix ETYPE_OK off by one array size check. +--- + NEWS | 4 ++++ + lib/int.h | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index f042481..d8f684e 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,9 @@ + GNU Libtasn1 NEWS -*- outline -*- + ++* Noteworthy changes in release ?.? (????-??-??) [?] ++- Fix ETYPE_OK out of bounds read. Closes: #32. ++- Update gnulib files and various maintenance fixes. ++ + * Noteworthy changes in release 4.16.0 (released 2020-02-01) [stable] + - asn1_decode_simple_ber: added support for constructed definite + octet strings. This allows this function decode the whole set of +diff --git a/lib/int.h b/lib/int.h +index ea16257..c877282 100644 +--- a/lib/int.h ++++ b/lib/int.h +@@ -97,7 +97,7 @@ typedef struct tag_and_class_st + #define ETYPE_TAG(etype) (_asn1_tags[etype].tag) + #define ETYPE_CLASS(etype) (_asn1_tags[etype].class) + #define ETYPE_OK(etype) (((etype) != ASN1_ETYPE_INVALID && \ +- (etype) <= _asn1_tags_size && \ ++ (etype) < _asn1_tags_size && \ + _asn1_tags[(etype)].desc != NULL)?1:0) + + #define ETYPE_IS_STRING(etype) ((etype == ASN1_ETYPE_GENERALSTRING || \ +-- +2.25.1 + diff --git a/meta/recipes-support/gnutls/libtasn1_4.16.0.bb b/meta/recipes-support/gnutls/libtasn1_4.16.0.bb index 8d3a14506a..d2b3c492ec 100644 --- a/meta/recipes-support/gnutls/libtasn1_4.16.0.bb +++ b/meta/recipes-support/gnutls/libtasn1_4.16.0.bb @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \ SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \ file://dont-depend-on-help2man.patch \ + file://CVE-2021-46848.patch \ " DEPENDS = "bison-native" diff --git a/meta/recipes-support/gpgme/gpgme/0001-use-closefrom-on-linux-and-glibc-2.34.patch b/meta/recipes-support/gpgme/gpgme/0001-use-closefrom-on-linux-and-glibc-2.34.patch new file mode 100644 index 0000000000..1c46684c6d --- /dev/null +++ b/meta/recipes-support/gpgme/gpgme/0001-use-closefrom-on-linux-and-glibc-2.34.patch @@ -0,0 +1,24 @@ +From adb1d4e5498a19e9d591ac8f42f9ddfdb23a1354 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Thu, 15 Jul 2021 12:33:13 -0700 +Subject: [PATCH] use closefrom() on linux and glibc 2.34+ + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/posix-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/posix-io.c b/src/posix-io.c +index e712ef2..ab8ded9 100644 +--- a/src/posix-io.c ++++ b/src/posix-io.c +@@ -570,7 +570,7 @@ _gpgme_io_spawn (const char *path, char *const argv[], unsigned int flags, + if (fd_list[i].fd > fd) + fd = fd_list[i].fd; + fd++; +-#if defined(__sun) || defined(__FreeBSD__) ++#if defined(__sun) || defined(__FreeBSD__) || (defined(__GLIBC__) && __GNUC_PREREQ(2, 34)) + closefrom (fd); + max_fds = fd; + #else /*!__sun */ diff --git a/meta/recipes-support/gpgme/gpgme_1.13.1.bb b/meta/recipes-support/gpgme/gpgme_1.13.1.bb index 6e945d3165..dacc9896e4 100644 --- a/meta/recipes-support/gpgme/gpgme_1.13.1.bb +++ b/meta/recipes-support/gpgme/gpgme_1.13.1.bb @@ -20,7 +20,8 @@ SRC_URI = "${GNUPG_MIRROR}/gpgme/${BP}.tar.bz2 \ file://0006-fix-build-path-issue.patch \ file://0007-python-Add-variables-to-tests.patch \ file://0008-do-not-auto-check-var-PYTHON.patch \ - " + file://0001-use-closefrom-on-linux-and-glibc-2.34.patch \ + " SRC_URI[md5sum] = "198f0a908ec3cd8f0ce9a4f3a4489645" SRC_URI[sha256sum] = "c4e30b227682374c23cddc7fdb9324a99694d907e79242a25a4deeedb393be46" diff --git a/meta/recipes-support/libbsd/libbsd_0.10.0.bb b/meta/recipes-support/libbsd/libbsd_0.10.0.bb index 5b32b9af41..58925738cb 100644 --- a/meta/recipes-support/libbsd/libbsd_0.10.0.bb +++ b/meta/recipes-support/libbsd/libbsd_0.10.0.bb @@ -29,6 +29,12 @@ HOMEPAGE = "https://libbsd.freedesktop.org/wiki/" # License: public-domain-Colin-Plumb LICENSE = "BSD-3-Clause & BSD-4-Clause & ISC & PD" LICENSE_${PN} = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-dbg = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-dev = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-doc = "BSD-3-Clause & BSD-4-Clause & ISC & PD" +LICENSE:${PN}-locale = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-src = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-staticdev = "BSD-3-Clause & ISC & PD" LIC_FILES_CHKSUM = "file://COPYING;md5=2120be0173469a06ed185b688e0e1ae0" SECTION = "libs" diff --git a/meta/recipes-support/libcap/files/CVE-2023-2602.patch b/meta/recipes-support/libcap/files/CVE-2023-2602.patch new file mode 100644 index 0000000000..ca04d7297a --- /dev/null +++ b/meta/recipes-support/libcap/files/CVE-2023-2602.patch @@ -0,0 +1,52 @@ +Backport of: + +From bc6b36682f188020ee4770fae1d41bde5b2c97bb Mon Sep 17 00:00:00 2001 +From: "Andrew G. Morgan" <morgan@kernel.org> +Date: Wed, 3 May 2023 19:18:36 -0700 +Subject: Correct the check of pthread_create()'s return value. + +This function returns a positive number (errno) on error, so the code +wasn't previously freeing some memory in this situation. + +Discussion: + + https://stackoverflow.com/a/3581020/14760867 + +Credit for finding this bug in libpsx goes to David Gstir of +X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security +audit of the libcap source code in April of 2023. The audit +was sponsored by the Open Source Technology Improvement Fund +(https://ostif.org/). + +Audit ref: LCAP-CR-23-01 (CVE-2023-2602) + +Signed-off-by: Andrew G. Morgan <morgan@kernel.org> + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2602.patch?h=ubuntu/focal-security +Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb] +CVE: CVE-2023-2602 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + psx/psx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/libcap/psx.c ++++ b/libcap/psx.c +@@ -272,7 +272,7 @@ int psx_pthread_create(pthread_t *thread + + psx_wait_for_idle(); + int ret = pthread_create(thread, attr, start_routine, arg); +- if (ret != -1) { ++ if (ret == 0) { + psx_do_registration(*thread); + } + psx_resume_idle(); +@@ -287,7 +287,7 @@ int __wrap_pthread_create(pthread_t *thr + void *(*start_routine) (void *), void *arg) { + psx_wait_for_idle(); + int ret = __real_pthread_create(thread, attr, start_routine, arg); +- if (ret != -1) { ++ if (ret == 0) { + psx_do_registration(*thread); + } + psx_resume_idle(); diff --git a/meta/recipes-support/libcap/files/CVE-2023-2603.patch b/meta/recipes-support/libcap/files/CVE-2023-2603.patch new file mode 100644 index 0000000000..cf86ac2a46 --- /dev/null +++ b/meta/recipes-support/libcap/files/CVE-2023-2603.patch @@ -0,0 +1,58 @@ +Backport of: + +From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001 +From: "Andrew G. Morgan" <morgan@kernel.org> +Date: Wed, 3 May 2023 19:44:22 -0700 +Subject: Large strings can confuse libcap's internal strdup code. + +Avoid something subtle with really long strings: 1073741823 should +be enough for anybody. This is an improved fix over something attempted +in libcap-2.55 to address some static analysis findings. + +Reviewing the library, cap_proc_root() and cap_launcher_set_chroot() +are the only two calls where the library is potentially exposed to a +user controlled string input. + +Credit for finding this bug in libcap goes to Richard Weinberger of +X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit +of the libcap source code in April of 2023. The audit was sponsored +by the Open Source Technology Improvement Fund (https://ostif.org/). + +Audit ref: LCAP-CR-23-02 (CVE-2023-2603) + +Signed-off-by: Andrew G. Morgan <morgan@kernel.org> + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2603.patch?h=ubuntu/focal-security +Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18] +CVE: CVE-2023-2603 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libcap/cap_alloc.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/libcap/cap_alloc.c ++++ b/libcap/cap_alloc.c +@@ -76,13 +76,22 @@ cap_t cap_init(void) + char *_libcap_strdup(const char *old) + { + __u32 *raw_data; ++ size_t len; + + if (old == NULL) { + errno = EINVAL; + return NULL; + } + +- raw_data = malloc( sizeof(__u32) + strlen(old) + 1 ); ++ len = strlen(old); ++ if ((len & 0x3fffffff) != len) { ++ _cap_debug("len is too long for libcap to manage"); ++ errno = EINVAL; ++ return NULL; ++ } ++ len += sizeof(__u32) + 1; ++ ++ raw_data = malloc(len); + if (raw_data == NULL) { + errno = ENOMEM; + return NULL; diff --git a/meta/recipes-support/libcap/libcap_2.32.bb b/meta/recipes-support/libcap/libcap_2.32.bb index 325fa87a1b..64d5190aa7 100644 --- a/meta/recipes-support/libcap/libcap_2.32.bb +++ b/meta/recipes-support/libcap/libcap_2.32.bb @@ -4,7 +4,7 @@ These allow giving various kinds of specific privileges to individual \ users, without giving them full root permissions." HOMEPAGE = "http://sites.google.com/site/fullycapable/" # no specific GPL version required -LICENSE = "BSD | GPLv2" +LICENSE = "BSD-3-Clause | GPLv2" LIC_FILES_CHKSUM = "file://License;md5=3f84fd6f29d453a56514cb7e4ead25f1" DEPENDS = "hostperl-runtime-native gperf-native" @@ -13,6 +13,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${ file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \ file://0002-tests-do-not-run-target-executables.patch \ file://0001-tests-do-not-statically-link-a-test.patch \ + file://CVE-2023-2602.patch \ + file://CVE-2023-2603.patch \ " SRC_URI[md5sum] = "7416119c9fdcfd0e8dd190a432c668e9" SRC_URI[sha256sum] = "1005e3d227f2340ad1e3360ef8b69d15e3c72a29c09f4894d7aac038bd26e2be" diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch new file mode 100644 index 0000000000..bf26486d8b --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch @@ -0,0 +1,77 @@ +From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Tue, 13 Apr 2021 10:00:00 +0900 +Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding + too. + +* cipher/elgamal.c (do_encrypt): Also do exponent blinding. + +-- + +Base blinding had been introduced with USE_BLINDING. This patch add +exponent blinding as well to mitigate side-channel attack on mpi_powm. + +GnuPG-bug-id: 5328 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> + +Upstream-Status: Backport +CVE: CVE-2021-33560 +Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> +--- + cipher/elgamal.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/cipher/elgamal.c b/cipher/elgamal.c +index 4eb52d62..9835122f 100644 +--- a/cipher/elgamal.c ++++ b/cipher/elgamal.c +@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) + static void + decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) + { +- gcry_mpi_t t1, t2, r; ++ gcry_mpi_t t1, t2, r, r1, h; + unsigned int nbits = mpi_get_nbits (skey->p); ++ gcry_mpi_t x_blind; + + mpi_normalize (a); + mpi_normalize (b); +@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) + + t2 = mpi_snew (nbits); + r = mpi_new (nbits); ++ r1 = mpi_new (nbits); ++ h = mpi_new (nbits); ++ x_blind = mpi_snew (nbits); + + /* We need a random number of about the prime size. The random + number merely needs to be unpredictable; thus we use level 0. */ + _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM); + ++ /* Also, exponent blinding: x_blind = x + (p-1)*r1 */ ++ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM); ++ mpi_set_highbit (r1, nbits - 1); ++ mpi_sub_ui (h, skey->p, 1); ++ mpi_mul (x_blind, h, r1); ++ mpi_add (x_blind, skey->x, x_blind); ++ + /* t1 = r^x mod p */ +- mpi_powm (t1, r, skey->x, skey->p); ++ mpi_powm (t1, r, x_blind, skey->p); + /* t2 = (a * r)^-x mod p */ + mpi_mulm (t2, a, r, skey->p); +- mpi_powm (t2, t2, skey->x, skey->p); ++ mpi_powm (t2, t2, x_blind, skey->p); + mpi_invm (t2, t2, skey->p); + /* t1 = (t1 * t2) mod p*/ + mpi_mulm (t1, t1, t2, skey->p); + ++ mpi_free (x_blind); ++ mpi_free (h); ++ mpi_free (r1); + mpi_free (r); + mpi_free (t2); + +-- +2.11.0 + diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch new file mode 100644 index 0000000000..b3a18bc5aa --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch @@ -0,0 +1,109 @@ +From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 21 May 2021 11:15:07 +0900 +Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations. + +* cipher/elgamal.c (gen_k): Remove support of smaller K. +(do_encrypt): Never use smaller K. +(sign): Folllow the change of gen_k. + +-- + +Cherry-pick master commit of: + 632d80ef30e13de6926d503aa697f92b5dbfbc5e + +This change basically reverts encryption changes in two commits: + + 74386120dad6b3da62db37f7044267c8ef34689b + 78531373a342aeb847950f404343a05e36022065 + +Use of smaller K for ephemeral key in ElGamal encryption is only good, +when we can guarantee that recipient's key is generated by our +implementation (or compatible). + +For detail, please see: + + Luca De Feo, Bertram Poettering, Alessandro Sorniotti, + "On the (in)security of ElGamal in OpenPGP"; + in the proceedings of CCS'2021. + +CVE-id: CVE-2021-33560 +GnuPG-bug-id: 5328 +Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> + +Upstream-Status: Backport +CVE: CVE-2021-40528 +Signed-off-by: Armin Kuster <akuster@mvista.com> +--- + cipher/elgamal.c | 24 ++++++------------------ + 1 file changed, 6 insertions(+), 18 deletions(-) + +diff --git a/cipher/elgamal.c b/cipher/elgamal.c +index 4eb52d62..ae7a631e 100644 +--- a/cipher/elgamal.c ++++ b/cipher/elgamal.c +@@ -66,7 +66,7 @@ static const char *elg_names[] = + + + static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); +-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); ++static gcry_mpi_t gen_k (gcry_mpi_t p); + static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, + gcry_mpi_t **factors); + static int check_secret_key (ELG_secret_key *sk); +@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) + + /**************** + * Generate a random secret exponent k from prime p, so that k is +- * relatively prime to p-1. With SMALL_K set, k will be selected for +- * better encryption performance - this must never be used signing! ++ * relatively prime to p-1. + */ + static gcry_mpi_t +-gen_k( gcry_mpi_t p, int small_k ) ++gen_k( gcry_mpi_t p ) + { + gcry_mpi_t k = mpi_alloc_secure( 0 ); + gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); +@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) + unsigned int nbits, nbytes; + char *rndbuf = NULL; + +- if (small_k) +- { +- /* Using a k much lesser than p is sufficient for encryption and +- * it greatly improves the encryption performance. We use +- * Wiener's table and add a large safety margin. */ +- nbits = wiener_map( orig_nbits ) * 3 / 2; +- if( nbits >= orig_nbits ) +- BUG(); +- } +- else +- nbits = orig_nbits; +- ++ nbits = orig_nbits; + + nbytes = (nbits+7)/8; + if( DBG_CIPHER ) +@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) + * error code. + */ + +- k = gen_k( pkey->p, 1 ); ++ k = gen_k( pkey->p ); + mpi_powm (a, pkey->g, k, pkey->p); + + /* b = (y^k * input) mod p +@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) + * + */ + mpi_sub_ui(p_1, p_1, 1); +- k = gen_k( skey->p, 0 /* no small K ! */ ); ++ k = gen_k( skey->p ); + mpi_powm( a, skey->g, k, skey->p ); + mpi_mul(t, skey->x, a ); + mpi_subm(t, input, t, p_1 ); +-- +2.30.2 + diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb index 16a58ad9b8..8045bab9ed 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb @@ -28,6 +28,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ file://determinism.patch \ + file://CVE-2021-33560.patch \ + file://CVE-2021-40528.patch \ " SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743" SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3" diff --git a/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb b/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb index 710ef0172d..841edc6829 100644 --- a/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb +++ b/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a95aadbdfae7ed812bb2b7b86eb5981c \ file://COPYING.gplv2;md5=eb723b61539feef013de476e68b5c50a \ file://COPYING.bsd;md5=66a5cedaf62c4b2637025f049f9b826f \ " -SRC_URI = "git://github.com/smuellerDD/jitterentropy-library.git \ +SRC_URI = "git://github.com/smuellerDD/jitterentropy-library.git;branch=master;protocol=https \ file://0001-Makefile-cleanup-install-for-rebuilds.patch \ file://0001-Make-man-pages-reproducible.patch" SRCREV = "933a44f33ed3d6612f7cfaa7ad1207c8da4886ba" diff --git a/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch new file mode 100644 index 0000000000..ff9f2f9275 --- /dev/null +++ b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch @@ -0,0 +1,47 @@ +From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Wed, 5 Oct 2022 14:19:06 +0200 +Subject: [PATCH] Detect a possible overflow directly in the TLV parser. + +* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly +used sum. +-- + +It is quite common to have checks like + + if (ti.nhdr + ti.length >= DIM(tmpbuf)) + return gpg_error (GPG_ERR_TOO_LARGE); + +This patch detects possible integer overflows immmediately when +creating the TI object. + +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929 + + +Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=patch;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b] +CVE: CVE-2022-3515 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + src/ber-help.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/ber-help.c b/src/ber-help.c +index 81c31ed..56efb6a 100644 +--- a/src/ber-help.c ++++ b/src/ber-help.c +@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti) + ti->length = len; + } + ++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) ++ { ++ ti->err_string = "header+length would overflow"; ++ return gpg_error (GPG_ERR_EOVERFLOW); ++ } ++ + /* Without this kludge some example certs can't be parsed */ + if (ti->class == CLASS_UNIVERSAL && !ti->tag) + ti->length = 0; +-- +2.11.0 + diff --git a/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch b/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch new file mode 100644 index 0000000000..b09d0eb557 --- /dev/null +++ b/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch @@ -0,0 +1,69 @@ +From b17444b3c47e32c77a3ba5335ae30ccbadcba3cf Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Tue, 22 Nov 2022 16:36:46 +0100 +Subject: [PATCH] Fix an integer overflow in the CRL signature parser. + +* src/crl.c (parse_signature): N+N2 now checked for overflow. + +* src/ocsp.c (parse_response_extensions): Do not accept too large +values. +(parse_single_extensions): Ditto. +-- + +The second patch is an extra safegourd not related to the reported +bug. + +GnuPG-bug-id: 6284 +Reported-by: Joseph Surin, elttam +CVE: CVE-2022-47629 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + src/crl.c | 2 +- + src/ocsp.c | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/crl.c b/src/crl.c +index 87a3fa3..9d3028e 100644 +--- a/src/crl.c ++++ b/src/crl.c +@@ -1434,7 +1434,7 @@ parse_signature (ksba_crl_t crl) + && !ti.is_constructed) ) + return gpg_error (GPG_ERR_INV_CRL_OBJ); + n2 = ti.nhdr + ti.length; +- if (n + n2 >= DIM(tmpbuf)) ++ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n) + return gpg_error (GPG_ERR_TOO_LARGE); + memcpy (tmpbuf+n, ti.buf, ti.nhdr); + err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length); +diff --git a/src/ocsp.c b/src/ocsp.c +index 4b26f8d..c41234e 100644 +--- a/src/ocsp.c ++++ b/src/ocsp.c +@@ -912,6 +912,12 @@ parse_response_extensions (ksba_ocsp_t ocsp, + else + ocsp->good_nonce = 1; + } ++ if (ti.length > (1<<24)) ++ { ++ /* Bail out on much too large objects. */ ++ err = gpg_error (GPG_ERR_BAD_BER); ++ goto leave; ++ } + ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); + if (!ex) + { +@@ -979,6 +985,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri, + err = parse_octet_string (&data, &datalen, &ti); + if (err) + goto leave; ++ if (ti.length > (1<<24)) ++ { ++ /* Bail out on much too large objects. */ ++ err = gpg_error (GPG_ERR_BAD_BER); ++ goto leave; ++ } + ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); + if (!ex) + { diff --git a/meta/recipes-support/libksba/libksba_1.3.5.bb b/meta/recipes-support/libksba/libksba_1.3.5.bb index 7f9ab4f5fc..5293aa91e1 100644 --- a/meta/recipes-support/libksba/libksba_1.3.5.bb +++ b/meta/recipes-support/libksba/libksba_1.3.5.bb @@ -22,7 +22,10 @@ inherit autotools binconfig-disabled pkgconfig texinfo UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ - file://ksba-add-pkgconfig-support.patch" + file://ksba-add-pkgconfig-support.patch \ + file://CVE-2022-47629.patch \ + file://CVE-2022-3515.patch \ +" SRC_URI[md5sum] = "8302a3e263a7c630aa7dea7d341f07a2" SRC_URI[sha256sum] = "41444fd7a6ff73a79ad9728f985e71c9ba8cd3e5e53358e70d5f066d35c1a340" diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch new file mode 100644 index 0000000000..42ee417fe7 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch @@ -0,0 +1,30 @@ +From 5d1e62b0155292b994aa1c96d4ed8ce4346ef4c2 Mon Sep 17 00:00:00 2001 +From: Zoltan Herczeg <hzmester@freemail.hu> +Date: Thu, 24 Mar 2022 05:34:42 +0000 +Subject: [PATCH] Fix incorrect value reading in JIT. + +CVE: CVE-2022-1586 +Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3] + +(cherry picked from commit d4fa336fbcc388f89095b184ba6d99422cfc676c) +Signed-off-by: Shinu Chandran <shinucha@cisco.com> +--- + src/pcre2_jit_compile.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index 493c96d..fa57942 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -7188,7 +7188,7 @@ while (*cc != XCL_END) + { + SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP); + cc++; +- if (*cc == PT_CLIST && *cc == XCL_PROP) ++ if (*cc == PT_CLIST && cc[-1] == XCL_PROP) + { + other_cases = PRIV(ucd_caseless_sets) + cc[1]; + while (*other_cases != NOTACHAR) +-- +2.25.1 + diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch new file mode 100644 index 0000000000..fbbbc9ca77 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch @@ -0,0 +1,59 @@ +From 233c4248550d0c1d9bfee42198d5ee0855b7d413 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Mon, 23 May 2022 13:52:39 +0530 +Subject: [PATCH] CVE-2022-1586 + +Upstream-Status: Backport from https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + ChangeLog | 3 +++ + src/pcre2_jit_compile.c | 2 +- + src/pcre2_jit_test.c | 4 ++++ + 3 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ChangeLog b/ChangeLog +index 0926c29..b5d72dc 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,6 +1,9 @@ + Change Log for PCRE2 + -------------------- + ++23. Fixed a unicode properrty matching issue in JIT. The character was not ++fully read in caseless matching. ++ + + Version 10.34 21-November-2019 + ------------------------------ +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index f564127..5d43865 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -7119,7 +7119,7 @@ while (*cc != XCL_END) + { + SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP); + cc++; +- if (*cc == PT_CLIST) ++ if (*cc == PT_CLIST && *cc == XCL_PROP) + { + other_cases = PRIV(ucd_caseless_sets) + cc[1]; + while (*other_cases != NOTACHAR) +diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c +index a9b3880..9df87fd 100644 +--- a/src/pcre2_jit_test.c ++++ b/src/pcre2_jit_test.c +@@ -408,6 +408,10 @@ static struct regression_test_case regression_test_cases[] = { + { MUP, A, 0, 0 | F_PROPERTY, "[\xc3\xa2-\xc3\xa6\xc3\x81-\xc3\x84\xe2\x80\xa8-\xe2\x80\xa9\xe6\x92\xad\\p{Zs}]{2,}", "\xe2\x80\xa7\xe2\x80\xa9\xe6\x92\xad \xe6\x92\xae" }, + { MUP, A, 0, 0 | F_PROPERTY, "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" }, + { PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB baaa" }, ++ { MUP, 0, 0, 0 | F_NOMATCH, "[^\\p{Hangul}\\p{Z}]", " " }, ++ { MUP, 0, 0, 0, "[\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" }, ++ { MUP, 0, 0, 0, "[\\x{a92e}\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" }, ++ { CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" }, + + /* Possible empty brackets. */ + { MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" }, +-- +2.25.1 + diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch new file mode 100644 index 0000000000..70f9f9f079 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch @@ -0,0 +1,660 @@ +From aa5aac0d209e3debf80fc2db924d9401fc50454b Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Mon, 23 May 2022 14:11:11 +0530 +Subject: [PATCH] CVE-2022-1587 + +Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0] +CVE: CVE-2022-1587 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +--- + ChangeLog | 3 + + src/pcre2_jit_compile.c | 290 ++++++++++++++++++++++++++-------------- + src/pcre2_jit_test.c | 1 + + 3 files changed, 194 insertions(+), 100 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index b5d72dc..de82de9 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -4,6 +4,9 @@ Change Log for PCRE2 + 23. Fixed a unicode properrty matching issue in JIT. The character was not + fully read in caseless matching. + ++24. Fixed an issue affecting recursions in JIT caused by duplicated data ++transfers. ++ + + Version 10.34 21-November-2019 + ------------------------------ +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index 5d43865..493c96d 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -407,6 +407,9 @@ typedef struct compiler_common { + /* Locals used by fast fail optimization. */ + sljit_s32 fast_fail_start_ptr; + sljit_s32 fast_fail_end_ptr; ++ /* Variables used by recursive call generator. */ ++ sljit_s32 recurse_bitset_size; ++ uint8_t *recurse_bitset; + + /* Flipped and lower case tables. */ + const sljit_u8 *fcc; +@@ -2109,19 +2112,39 @@ for (i = 0; i < RECURSE_TMP_REG_COUNT; i++) + + #undef RECURSE_TMP_REG_COUNT + ++static BOOL recurse_check_bit(compiler_common *common, sljit_sw bit_index) ++{ ++uint8_t *byte; ++uint8_t mask; ++ ++SLJIT_ASSERT((bit_index & (sizeof(sljit_sw) - 1)) == 0); ++ ++bit_index >>= SLJIT_WORD_SHIFT; ++ ++mask = 1 << (bit_index & 0x7); ++byte = common->recurse_bitset + (bit_index >> 3); ++ ++if (*byte & mask) ++ return FALSE; ++ ++*byte |= mask; ++return TRUE; ++} ++ + static int get_recurse_data_length(compiler_common *common, PCRE2_SPTR cc, PCRE2_SPTR ccend, + BOOL *needs_control_head, BOOL *has_quit, BOOL *has_accept) + { + int length = 1; +-int size; ++int size, offset; + PCRE2_SPTR alternative; + BOOL quit_found = FALSE; + BOOL accept_found = FALSE; + BOOL setsom_found = FALSE; + BOOL setmark_found = FALSE; +-BOOL capture_last_found = FALSE; + BOOL control_head_found = FALSE; + ++memset(common->recurse_bitset, 0, common->recurse_bitset_size); ++ + #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD + SLJIT_ASSERT(common->control_head_ptr != 0); + control_head_found = TRUE; +@@ -2144,15 +2167,17 @@ while (cc < ccend) + setsom_found = TRUE; + if (common->mark_ptr != 0) + setmark_found = TRUE; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) ++ length++; + cc += 1 + LINK_SIZE; + break; + + case OP_KET: +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0) + { +- length++; ++ if (recurse_check_bit(common, offset)) ++ length++; + SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0); + cc += PRIVATE_DATA(cc + 1); + } +@@ -2169,39 +2194,55 @@ while (cc < ccend) + case OP_SBRA: + case OP_SBRAPOS: + case OP_SCOND: +- length++; + SLJIT_ASSERT(PRIVATE_DATA(cc) != 0); ++ if (recurse_check_bit(common, PRIVATE_DATA(cc))) ++ length++; + cc += 1 + LINK_SIZE; + break; + + case OP_CBRA: + case OP_SCBRA: +- length += 2; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; +- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0) ++ offset = GET2(cc, 1 + LINK_SIZE); ++ if (recurse_check_bit(common, OVECTOR(offset << 1))) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1))); ++ length += 2; ++ } ++ if (common->optimized_cbracket[offset] == 0 && recurse_check_bit(common, OVECTOR_PRIV(offset))) ++ length++; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + length++; + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_CBRAPOS: + case OP_SCBRAPOS: +- length += 2 + 2; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ if (recurse_check_bit(common, OVECTOR(offset << 1))) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1))); ++ length += 2; ++ } ++ if (recurse_check_bit(common, OVECTOR_PRIV(offset))) ++ length++; ++ if (recurse_check_bit(common, PRIVATE_DATA(cc))) ++ length++; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) ++ length++; + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_COND: + /* Might be a hidden SCOND. */ + alternative = cc + GET(cc, 1); +- if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) ++ if ((*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) && recurse_check_bit(common, PRIVATE_DATA(cc))) + length++; + cc += 1 + LINK_SIZE; + break; + + CASE_ITERATOR_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length++; + cc += 2; + #ifdef SUPPORT_UNICODE +@@ -2210,8 +2251,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 2; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2219,8 +2264,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 2 + IMM2_SIZE; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2228,20 +2277,29 @@ while (cc < ccend) + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length++; + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 1 + IMM2_SIZE; + break; + +@@ -2253,7 +2311,9 @@ while (cc < ccend) + #else + size = 1 + 32 / (int)sizeof(PCRE2_UCHAR); + #endif +- if (PRIVATE_DATA(cc) != 0) ++ ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length += get_class_iterator_size(cc + size); + cc += size; + break; +@@ -2288,8 +2348,7 @@ while (cc < ccend) + case OP_THEN: + SLJIT_ASSERT(common->control_head_ptr != 0); + quit_found = TRUE; +- if (!control_head_found) +- control_head_found = TRUE; ++ control_head_found = TRUE; + cc++; + break; + +@@ -2309,8 +2368,6 @@ SLJIT_ASSERT(cc == ccend); + + if (control_head_found) + length++; +-if (capture_last_found) +- length++; + if (quit_found) + { + if (setsom_found) +@@ -2343,14 +2400,12 @@ sljit_sw shared_srcw[3]; + sljit_sw kept_shared_srcw[2]; + int private_count, shared_count, kept_shared_count; + int from_sp, base_reg, offset, i; +-BOOL setsom_found = FALSE; +-BOOL setmark_found = FALSE; +-BOOL capture_last_found = FALSE; +-BOOL control_head_found = FALSE; ++ ++memset(common->recurse_bitset, 0, common->recurse_bitset_size); + + #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD + SLJIT_ASSERT(common->control_head_ptr != 0); +-control_head_found = TRUE; ++recurse_check_bit(common, common->control_head_ptr); + #endif + + switch (type) +@@ -2438,11 +2493,10 @@ while (cc < ccend) + { + case OP_SET_SOM: + SLJIT_ASSERT(common->has_set_som); +- if (has_quit && !setsom_found) ++ if (has_quit && recurse_check_bit(common, OVECTOR(0))) + { + kept_shared_srcw[0] = OVECTOR(0); + kept_shared_count = 1; +- setsom_found = TRUE; + } + cc += 1; + break; +@@ -2450,33 +2504,31 @@ while (cc < ccend) + case OP_RECURSE: + if (has_quit) + { +- if (common->has_set_som && !setsom_found) ++ if (common->has_set_som && recurse_check_bit(common, OVECTOR(0))) + { + kept_shared_srcw[0] = OVECTOR(0); + kept_shared_count = 1; +- setsom_found = TRUE; + } +- if (common->mark_ptr != 0 && !setmark_found) ++ if (common->mark_ptr != 0 && recurse_check_bit(common, common->mark_ptr)) + { + kept_shared_srcw[kept_shared_count] = common->mark_ptr; + kept_shared_count++; +- setmark_found = TRUE; + } + } +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { + shared_srcw[0] = common->capture_last_ptr; + shared_count = 1; +- capture_last_found = TRUE; + } + cc += 1 + LINK_SIZE; + break; + + case OP_KET: +- if (PRIVATE_DATA(cc) != 0) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0) + { +- private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0); + cc += PRIVATE_DATA(cc + 1); + } +@@ -2493,50 +2545,66 @@ while (cc < ccend) + case OP_SBRA: + case OP_SBRAPOS: + case OP_SCOND: +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + cc += 1 + LINK_SIZE; + break; + + case OP_CBRA: + case OP_SCBRA: +- offset = (GET2(cc, 1 + LINK_SIZE)) << 1; +- shared_srcw[0] = OVECTOR(offset); +- shared_srcw[1] = OVECTOR(offset + 1); +- shared_count = 2; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ shared_srcw[0] = OVECTOR(offset << 1); ++ if (recurse_check_bit(common, shared_srcw[0])) ++ { ++ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1])); ++ shared_count = 2; ++ } + +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { +- shared_srcw[2] = common->capture_last_ptr; +- shared_count = 3; +- capture_last_found = TRUE; ++ shared_srcw[shared_count] = common->capture_last_ptr; ++ shared_count++; + } + +- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0) ++ if (common->optimized_cbracket[offset] == 0) + { +- private_count = 1; +- private_srcw[0] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE)); ++ private_srcw[0] = OVECTOR_PRIV(offset); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + } ++ + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_CBRAPOS: + case OP_SCBRAPOS: +- offset = (GET2(cc, 1 + LINK_SIZE)) << 1; +- shared_srcw[0] = OVECTOR(offset); +- shared_srcw[1] = OVECTOR(offset + 1); +- shared_count = 2; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ shared_srcw[0] = OVECTOR(offset << 1); ++ if (recurse_check_bit(common, shared_srcw[0])) ++ { ++ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1])); ++ shared_count = 2; ++ } + +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { +- shared_srcw[2] = common->capture_last_ptr; +- shared_count = 3; +- capture_last_found = TRUE; ++ shared_srcw[shared_count] = common->capture_last_ptr; ++ shared_count++; + } + +- private_count = 2; + private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE)); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; ++ ++ offset = OVECTOR_PRIV(offset); ++ if (recurse_check_bit(common, offset)) ++ { ++ private_srcw[private_count] = offset; ++ private_count++; ++ } + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + +@@ -2545,18 +2613,17 @@ while (cc < ccend) + alternative = cc + GET(cc, 1); + if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) + { +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + } + cc += 1 + LINK_SIZE; + break; + + CASE_ITERATOR_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc)) +- { ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); +- } + cc += 2; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2564,11 +2631,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw); ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 2; + #ifdef SUPPORT_UNICODE +@@ -2577,11 +2645,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw); ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 2 + IMM2_SIZE; + #ifdef SUPPORT_UNICODE +@@ -2590,30 +2659,30 @@ while (cc < ccend) + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc)) +- { ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); +- } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); + private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); + private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 1 + IMM2_SIZE; + break; +@@ -2630,14 +2699,17 @@ while (cc < ccend) + switch(get_class_iterator_size(cc + i)) + { + case 1: +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); + break; + + case 2: +- private_count = 2; + private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ if (recurse_check_bit(common, private_srcw[0])) ++ { ++ private_count = 2; ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); ++ } + break; + + default: +@@ -2652,28 +2724,25 @@ while (cc < ccend) + case OP_PRUNE_ARG: + case OP_THEN_ARG: + SLJIT_ASSERT(common->mark_ptr != 0); +- if (has_quit && !setmark_found) ++ if (has_quit && recurse_check_bit(common, common->mark_ptr)) + { + kept_shared_srcw[0] = common->mark_ptr; + kept_shared_count = 1; +- setmark_found = TRUE; + } +- if (common->control_head_ptr != 0 && !control_head_found) ++ if (common->control_head_ptr != 0 && recurse_check_bit(common, common->control_head_ptr)) + { + shared_srcw[0] = common->control_head_ptr; + shared_count = 1; +- control_head_found = TRUE; + } + cc += 1 + 2 + cc[1]; + break; + + case OP_THEN: + SLJIT_ASSERT(common->control_head_ptr != 0); +- if (!control_head_found) ++ if (recurse_check_bit(common, common->control_head_ptr)) + { + shared_srcw[0] = common->control_head_ptr; + shared_count = 1; +- control_head_found = TRUE; + } + cc++; + break; +@@ -2681,7 +2750,7 @@ while (cc < ccend) + default: + cc = next_opcode(common, cc); + SLJIT_ASSERT(cc != NULL); +- break; ++ continue; + } + + if (type != recurse_copy_shared_to_global && type != recurse_copy_kept_shared_to_global) +@@ -13262,7 +13331,7 @@ SLJIT_ASSERT(!(common->req_char_ptr != 0 && common->start_used_ptr != 0)); + common->cbra_ptr = OVECTOR_START + (re->top_bracket + 1) * 2 * sizeof(sljit_sw); + + total_length = ccend - common->start; +-common->private_data_ptrs = (sljit_s32 *)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data); ++common->private_data_ptrs = (sljit_s32*)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data); + if (!common->private_data_ptrs) + { + SLJIT_FREE(common->optimized_cbracket, allocator_data); +@@ -13304,6 +13373,7 @@ if (!compiler) + common->compiler = compiler; + + /* Main pcre_jit_exec entry. */ ++LJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0); + sljit_emit_enter(compiler, 0, SLJIT_ARG1(SW), 5, 5, 0, 0, private_data_size); + + /* Register init. */ +@@ -13524,20 +13594,40 @@ common->fast_fail_end_ptr = 0; + common->currententry = common->entries; + common->local_quit_available = TRUE; + quit_label = common->quit_label; +-while (common->currententry != NULL) ++if (common->currententry != NULL) + { +- /* Might add new entries. */ +- compile_recurse(common); +- if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler))) ++ /* A free bit for each private data. */ ++ common->recurse_bitset_size = ((private_data_size / (int)sizeof(sljit_sw)) + 7) >> 3; ++ SLJIT_ASSERT(common->recurse_bitset_size > 0); ++ common->recurse_bitset = (sljit_u8*)SLJIT_MALLOC(common->recurse_bitset_size, allocator_data);; ++ ++ if (common->recurse_bitset != NULL) ++ { ++ do ++ { ++ /* Might add new entries. */ ++ compile_recurse(common); ++ if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler))) ++ break; ++ flush_stubs(common); ++ common->currententry = common->currententry->next; ++ } ++ while (common->currententry != NULL); ++ ++ SLJIT_FREE(common->recurse_bitset, allocator_data); ++ } ++ ++ if (common->currententry != NULL) + { ++ /* The common->recurse_bitset has been freed. */ ++ SLJIT_ASSERT(sljit_get_compiler_error(compiler) || common->recurse_bitset == NULL); ++ + sljit_free_compiler(compiler); + SLJIT_FREE(common->optimized_cbracket, allocator_data); + SLJIT_FREE(common->private_data_ptrs, allocator_data); + PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data); + return PCRE2_ERROR_NOMEMORY; + } +- flush_stubs(common); +- common->currententry = common->currententry->next; + } + common->local_quit_available = FALSE; + common->quit_label = quit_label; +diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c +index 9df87fd..2f84834 100644 +--- a/src/pcre2_jit_test.c ++++ b/src/pcre2_jit_test.c +@@ -746,6 +746,7 @@ static struct regression_test_case regression_test_cases[] = { + { MU, A, 0, 0, "((?(R)a|(?1)){1,3}?)M", "aaaM" }, + { MU, A, 0, 0, "((.)(?:.|\\2(?1))){0}#(?1)#", "#aabbccdde# #aabbccddee#" }, + { MU, A, 0, 0, "((.)(?:\\2|\\2{4}b)){0}#(?:(?1))+#", "#aaaab# #aaaaab#" }, ++ { MU, A, 0, 0 | F_NOMATCH, "(?1)$((.|\\2xx){1,2})", "abc" }, + + /* 16 bit specific tests. */ + { CM, A, 0, 0 | F_FORCECONV, "\xc3\xa1", "\xc3\x81\xc3\xa1" }, +-- +2.25.1 + diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch new file mode 100644 index 0000000000..882277ae73 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch @@ -0,0 +1,74 @@ +From 94e1c001761373b7d9450768aa15d04c25547a35 Mon Sep 17 00:00:00 2001 +From: Philip Hazel <Philip.Hazel@gmail.com> +Date: Tue, 16 Aug 2022 17:00:45 +0100 +Subject: [PATCH] Diagnose negative repeat value in pcre2test subject line + +CVE: CVE-2022-41409 +Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> + +--- + ChangeLog | 3 +++ + src/pcre2test.c | 4 ++-- + testdata/testinput2 | 3 +++ + testdata/testoutput2 | 4 ++++ + 4 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index eab50eb7..276eb57a 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -7,6 +7,9 @@ fully read in caseless matching. + 24. Fixed an issue affecting recursions in JIT caused by duplicated data + transfers. + ++20. A negative repeat value in a pcre2test subject line was not being ++diagnosed, leading to infinite looping. ++ + + Version 10.34 21-November-2019 + ------------------------------ +diff --git a/src/pcre2test.c b/src/pcre2test.c +index 08f86096..f6f5d66c 100644 +--- a/src/pcre2test.c ++++ b/src/pcre2test.c +@@ -6700,9 +6700,9 @@ while ((c = *p++) != 0) + } + + i = (int32_t)li; +- if (i-- == 0) ++ if (i-- <= 0) + { +- fprintf(outfile, "** Zero repeat not allowed\n"); ++ fprintf(outfile, "** Zero or negative repeat not allowed\n"); + return PR_OK; + } + +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 655e519..14e00ed 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -5772,4 +5772,7 @@ a)"xI + /(a)?a/I + manm + ++-- ++ \[X]{-10} ++ + # End of testinput2 +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index c733c12..958f246 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -17435,6 +17435,10 @@ Subject length lower bound = 1 + manm + 0: a + ++-- ++ \[X]{-10} ++** Zero or negative repeat not allowed ++ + # End of testinput2 + Error -70: PCRE2_ERROR_BADDATA (unknown error number) + Error -62: bad serialized data diff --git a/meta/recipes-support/libpcre/libpcre2_10.34.bb b/meta/recipes-support/libpcre/libpcre2_10.34.bb index fa8655e027..53277270d2 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.34.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.34.bb @@ -10,8 +10,12 @@ SECTION = "devel" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37" -SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ +SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2 \ file://pcre-cross.patch \ + file://CVE-2022-1586.patch \ + file://CVE-2022-1586-regression.patch \ + file://CVE-2022-1587.patch \ + file://CVE-2022-41409.patch \ " SRC_URI[md5sum] = "d280b62ded13f9ccf2fac16ee5286366" diff --git a/meta/recipes-support/libpcre/libpcre_8.44.bb b/meta/recipes-support/libpcre/libpcre_8.44.bb index cd80dc7345..3267c5ad72 100644 --- a/meta/recipes-support/libpcre/libpcre_8.44.bb +++ b/meta/recipes-support/libpcre/libpcre_8.44.bb @@ -7,7 +7,7 @@ HOMEPAGE = "http://www.pcre.org" SECTION = "devel" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENCE;md5=3bb381a66a5385b246d4877922e7511e" -SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \ +SRC_URI = "${SOURCEFORGE_MIRROR}/pcre/pcre-${PV}.tar.bz2 \ file://run-ptest \ file://Makefile \ " diff --git a/meta/recipes-support/libpsl/libpsl_0.21.0.bb b/meta/recipes-support/libpsl/libpsl_0.21.0.bb index b2dda191ce..66e64f785c 100644 --- a/meta/recipes-support/libpsl/libpsl_0.21.0.bb +++ b/meta/recipes-support/libpsl/libpsl_0.21.0.bb @@ -19,11 +19,10 @@ SRC_URI[sha256sum] = "41bd1c75a375b85c337b59783f5deb93dbb443fb0a52d257f403df7bd6 UPSTREAM_CHECK_URI = "https://github.com/rockdaboot/libpsl/releases" -DEPENDS = "libidn2" - inherit autotools gettext gtk-doc manpages pkgconfig lib_package -PACKAGECONFIG ??= "" +PACKAGECONFIG ?= "idn2" PACKAGECONFIG[manpages] = "--enable-man,--disable-man,libxslt-native" - +PACKAGECONFIG[icu] = "--enable-runtime=libicu --enable-builtin=libicu,,icu" +PACKAGECONFIG[idn2] = "--enable-runtime=libidn2 --enable-builtin=libidn2,,libidn2 libunistring" BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb index 65b32557e7..e42ac30bf2 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb @@ -7,7 +7,7 @@ SECTION = "x11/gnome/libs" LICENSE = "LGPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2" -DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 intltool-native libpsl" +DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl" SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" diff --git a/meta/recipes-support/libunistring/libunistring_0.9.10.bb b/meta/recipes-support/libunistring/libunistring_0.9.10.bb index 97fac4ecfa..2197b6656d 100644 --- a/meta/recipes-support/libunistring/libunistring_0.9.10.bb +++ b/meta/recipes-support/libunistring/libunistring_0.9.10.bb @@ -18,6 +18,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=6a6a8e020838b23406c81b19c1d46df6 \ file://README;beginline=45;endline=65;md5=08287d16ba8d839faed8d2dc14d7d6a5 \ file://doc/libunistring.texi;md5=287fa6075f78a3c85c1a52b0a92547cd \ " +DEPENDS = "gperf-native" SRC_URI = "${GNU_MIRROR}/libunistring/libunistring-${PV}.tar.gz \ file://iconv-m4-remove-the-test-to-convert-euc-jp.patch \ diff --git a/meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch b/meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch new file mode 100644 index 0000000000..34a1f46b0f --- /dev/null +++ b/meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch @@ -0,0 +1,420 @@ +From 51112447b316813ad1ae50ea66feca4eb755a424 Mon Sep 17 00:00:00 2001 +From: Yichao Yu <yyc1992@gmail.com> +Date: Tue, 31 Mar 2020 00:43:32 -0400 +Subject: [PATCH] Fix compilation with -fno-common. + +[Khem Raj] +Making all other archs consistent with IA64 which should not have this problem. +Also move the FIXME to the correct place. + +Also add some minimum comments about this... + +[Philippe Coval] + +Patch ported to v1.3-stable branch, +patch to be used used in openembedded-core dunfell branch (on v1.3.1) +for oniro project. + +Upstream-Status: Backport [https://github.com/libunwind/libunwind/pull/166] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Thanks-to: Yichao Yu <yyc1992@gmail.com> +Origin: https://github.com/libunwind/libunwind/commit/29e17d8d2ccbca07c423e3089a6d5ae8a1c9cb6e +Relate-to: https://booting.oniroproject.org/distro/oniro/-/issues/191 +Forwarded: https://github.com/libunwind/libunwind/pull/312 +Last-Update: 2021-11-25 +Signed-off-by: Philippe Coval <philippe.coval@huawei.com> +--- + src/aarch64/Ginit.c | 15 +++++++-------- + src/arm/Ginit.c | 15 +++++++-------- + src/coredump/_UPT_get_dyn_info_list_addr.c | 5 +++++ + src/hppa/Ginit.c | 15 +++++++-------- + src/ia64/Ginit.c | 1 + + src/mi/Gfind_dynamic_proc_info.c | 1 + + src/mips/Ginit.c | 15 +++++++-------- + src/ppc32/Ginit.c | 11 +++++++---- + src/ppc64/Ginit.c | 11 +++++++---- + src/ptrace/_UPT_get_dyn_info_list_addr.c | 5 +++++ + src/sh/Ginit.c | 15 +++++++-------- + src/tilegx/Ginit.c | 15 +++++++-------- + src/x86/Ginit.c | 15 +++++++-------- + src/x86_64/Ginit.c | 15 +++++++-------- + 14 files changed, 82 insertions(+), 72 deletions(-) + +diff --git a/src/aarch64/Ginit.c b/src/aarch64/Ginit.c +index 9c4eae82..cb954b15 100644 +--- a/src/aarch64/Ginit.c ++++ b/src/aarch64/Ginit.c +@@ -61,13 +61,6 @@ tdep_uc_addr (ucontext_t *uc, int reg) + + # endif /* UNW_LOCAL_ONLY */ + +-HIDDEN unw_dyn_info_list_t _U_dyn_info_list; +- +-/* XXX fix me: there is currently no way to locate the dyn-info list +- by a remote unwinder. On ia64, this is done via a special +- unwind-table entry. Perhaps something similar can be done with +- DWARF2 unwind info. */ +- + static void + put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg) + { +@@ -78,7 +71,13 @@ static int + get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + void *arg) + { +- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list; ++#ifndef UNW_LOCAL_ONLY ++# pragma weak _U_dyn_info_list_addr ++ if (!_U_dyn_info_list_addr) ++ return -UNW_ENOINFO; ++#endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. ++ *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } + +diff --git a/src/arm/Ginit.c b/src/arm/Ginit.c +index 2720d063..0bac0d72 100644 +--- a/src/arm/Ginit.c ++++ b/src/arm/Ginit.c +@@ -57,18 +57,17 @@ tdep_uc_addr (unw_tdep_context_t *uc, int reg) + + # endif /* UNW_LOCAL_ONLY */ + +-HIDDEN unw_dyn_info_list_t _U_dyn_info_list; +- +-/* XXX fix me: there is currently no way to locate the dyn-info list +- by a remote unwinder. On ia64, this is done via a special +- unwind-table entry. Perhaps something similar can be done with +- DWARF2 unwind info. */ +- + static int + get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + void *arg) + { +- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list; ++#ifndef UNW_LOCAL_ONLY ++# pragma weak _U_dyn_info_list_addr ++ if (!_U_dyn_info_list_addr) ++ return -UNW_ENOINFO; ++#endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. ++ *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } + +diff --git a/src/coredump/_UPT_get_dyn_info_list_addr.c b/src/coredump/_UPT_get_dyn_info_list_addr.c +index 0d119055..739ed056 100644 +--- a/src/coredump/_UPT_get_dyn_info_list_addr.c ++++ b/src/coredump/_UPT_get_dyn_info_list_addr.c +@@ -74,6 +74,11 @@ get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg, + + #else + ++/* XXX fix me: there is currently no way to locate the dyn-info list ++ by a remote unwinder. On ia64, this is done via a special ++ unwind-table entry. Perhaps something similar can be done with ++ DWARF2 unwind info. */ ++ + static inline int + get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg, + int *countp) +diff --git a/src/hppa/Ginit.c b/src/hppa/Ginit.c +index 461e4b93..265455a6 100644 +--- a/src/hppa/Ginit.c ++++ b/src/hppa/Ginit.c +@@ -64,13 +64,6 @@ _Uhppa_uc_addr (ucontext_t *uc, int reg) + + # endif /* UNW_LOCAL_ONLY */ + +-HIDDEN unw_dyn_info_list_t _U_dyn_info_list; +- +-/* XXX fix me: there is currently no way to locate the dyn-info list +- by a remote unwinder. On ia64, this is done via a special +- unwind-table entry. Perhaps something similar can be done with +- DWARF2 unwind info. */ +- + static void + put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg) + { +@@ -81,7 +74,13 @@ static int + get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + void *arg) + { +- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list; ++#ifndef UNW_LOCAL_ONLY ++# pragma weak _U_dyn_info_list_addr ++ if (!_U_dyn_info_list_addr) ++ return -UNW_ENOINFO; ++#endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. ++ *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } + +diff --git a/src/ia64/Ginit.c b/src/ia64/Ginit.c +index b09a2ad5..8601bb3c 100644 +--- a/src/ia64/Ginit.c ++++ b/src/ia64/Ginit.c +@@ -68,6 +68,7 @@ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + if (!_U_dyn_info_list_addr) + return -UNW_ENOINFO; + #endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. + *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } +diff --git a/src/mi/Gfind_dynamic_proc_info.c b/src/mi/Gfind_dynamic_proc_info.c +index 98d35012..2e7c62e5 100644 +--- a/src/mi/Gfind_dynamic_proc_info.c ++++ b/src/mi/Gfind_dynamic_proc_info.c +@@ -49,6 +49,7 @@ local_find_proc_info (unw_addr_space_t as, unw_word_t ip, unw_proc_info_t *pi, + return -UNW_ENOINFO; + #endif + ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. + list = (unw_dyn_info_list_t *) (uintptr_t) _U_dyn_info_list_addr (); + for (di = list->first; di; di = di->next) + if (ip >= di->start_ip && ip < di->end_ip) +diff --git a/src/mips/Ginit.c b/src/mips/Ginit.c +index 3df170c7..bf7a8f5a 100644 +--- a/src/mips/Ginit.c ++++ b/src/mips/Ginit.c +@@ -69,13 +69,6 @@ tdep_uc_addr (ucontext_t *uc, int reg) + + # endif /* UNW_LOCAL_ONLY */ + +-HIDDEN unw_dyn_info_list_t _U_dyn_info_list; +- +-/* XXX fix me: there is currently no way to locate the dyn-info list +- by a remote unwinder. On ia64, this is done via a special +- unwind-table entry. Perhaps something similar can be done with +- DWARF2 unwind info. */ +- + static void + put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg) + { +@@ -86,7 +79,13 @@ static int + get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + void *arg) + { +- *dyn_info_list_addr = (unw_word_t) (intptr_t) &_U_dyn_info_list; ++#ifndef UNW_LOCAL_ONLY ++# pragma weak _U_dyn_info_list_addr ++ if (!_U_dyn_info_list_addr) ++ return -UNW_ENOINFO; ++#endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. ++ *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } + +diff --git a/src/ppc32/Ginit.c b/src/ppc32/Ginit.c +index ba302448..7b454558 100644 +--- a/src/ppc32/Ginit.c ++++ b/src/ppc32/Ginit.c +@@ -91,9 +91,6 @@ tdep_uc_addr (ucontext_t *uc, int reg) + + # endif /* UNW_LOCAL_ONLY */ + +-HIDDEN unw_dyn_info_list_t _U_dyn_info_list; +- +- + static void + put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg) + { +@@ -104,7 +101,13 @@ static int + get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + void *arg) + { +- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list; ++#ifndef UNW_LOCAL_ONLY ++# pragma weak _U_dyn_info_list_addr ++ if (!_U_dyn_info_list_addr) ++ return -UNW_ENOINFO; ++#endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. ++ *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } + +diff --git a/src/ppc64/Ginit.c b/src/ppc64/Ginit.c +index 4c88cd6e..7bfb395a 100644 +--- a/src/ppc64/Ginit.c ++++ b/src/ppc64/Ginit.c +@@ -95,9 +95,6 @@ tdep_uc_addr (ucontext_t *uc, int reg) + + # endif /* UNW_LOCAL_ONLY */ + +-HIDDEN unw_dyn_info_list_t _U_dyn_info_list; +- +- + static void + put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg) + { +@@ -108,7 +105,13 @@ static int + get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + void *arg) + { +- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list; ++#ifndef UNW_LOCAL_ONLY ++# pragma weak _U_dyn_info_list_addr ++ if (!_U_dyn_info_list_addr) ++ return -UNW_ENOINFO; ++#endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. ++ *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } + +diff --git a/src/ptrace/_UPT_get_dyn_info_list_addr.c b/src/ptrace/_UPT_get_dyn_info_list_addr.c +index cc5ed044..16671d45 100644 +--- a/src/ptrace/_UPT_get_dyn_info_list_addr.c ++++ b/src/ptrace/_UPT_get_dyn_info_list_addr.c +@@ -71,6 +71,11 @@ get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg, + + #else + ++/* XXX fix me: there is currently no way to locate the dyn-info list ++ by a remote unwinder. On ia64, this is done via a special ++ unwind-table entry. Perhaps something similar can be done with ++ DWARF2 unwind info. */ ++ + static inline int + get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg, + int *countp) +diff --git a/src/sh/Ginit.c b/src/sh/Ginit.c +index 52988a72..9fe96d2b 100644 +--- a/src/sh/Ginit.c ++++ b/src/sh/Ginit.c +@@ -58,13 +58,6 @@ tdep_uc_addr (ucontext_t *uc, int reg) + + # endif /* UNW_LOCAL_ONLY */ + +-HIDDEN unw_dyn_info_list_t _U_dyn_info_list; +- +-/* XXX fix me: there is currently no way to locate the dyn-info list +- by a remote unwinder. On ia64, this is done via a special +- unwind-table entry. Perhaps something similar can be done with +- DWARF2 unwind info. */ +- + static void + put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg) + { +@@ -75,7 +68,13 @@ static int + get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + void *arg) + { +- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list; ++#ifndef UNW_LOCAL_ONLY ++# pragma weak _U_dyn_info_list_addr ++ if (!_U_dyn_info_list_addr) ++ return -UNW_ENOINFO; ++#endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. ++ *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } + +diff --git a/src/tilegx/Ginit.c b/src/tilegx/Ginit.c +index 7564a558..925e6413 100644 +--- a/src/tilegx/Ginit.c ++++ b/src/tilegx/Ginit.c +@@ -64,13 +64,6 @@ tdep_uc_addr (ucontext_t *uc, int reg) + + # endif /* UNW_LOCAL_ONLY */ + +-HIDDEN unw_dyn_info_list_t _U_dyn_info_list; +- +-/* XXX fix me: there is currently no way to locate the dyn-info list +- by a remote unwinder. On ia64, this is done via a special +- unwind-table entry. Perhaps something similar can be done with +- DWARF2 unwind info. */ +- + static void + put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg) + { +@@ -81,7 +74,13 @@ static int + get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + void *arg) + { +- *dyn_info_list_addr = (unw_word_t) (intptr_t) &_U_dyn_info_list; ++#ifndef UNW_LOCAL_ONLY ++# pragma weak _U_dyn_info_list_addr ++ if (!_U_dyn_info_list_addr) ++ return -UNW_ENOINFO; ++#endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. ++ *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } + +diff --git a/src/x86/Ginit.c b/src/x86/Ginit.c +index f6b8dc27..3cec74a2 100644 +--- a/src/x86/Ginit.c ++++ b/src/x86/Ginit.c +@@ -54,13 +54,6 @@ tdep_uc_addr (ucontext_t *uc, int reg) + + # endif /* UNW_LOCAL_ONLY */ + +-HIDDEN unw_dyn_info_list_t _U_dyn_info_list; +- +-/* XXX fix me: there is currently no way to locate the dyn-info list +- by a remote unwinder. On ia64, this is done via a special +- unwind-table entry. Perhaps something similar can be done with +- DWARF2 unwind info. */ +- + static void + put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg) + { +@@ -71,7 +64,13 @@ static int + get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + void *arg) + { +- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list; ++#ifndef UNW_LOCAL_ONLY ++# pragma weak _U_dyn_info_list_addr ++ if (!_U_dyn_info_list_addr) ++ return -UNW_ENOINFO; ++#endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. ++ *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } + +diff --git a/src/x86_64/Ginit.c b/src/x86_64/Ginit.c +index b7e8e462..fe6bcc33 100644 +--- a/src/x86_64/Ginit.c ++++ b/src/x86_64/Ginit.c +@@ -49,13 +49,6 @@ static struct unw_addr_space local_addr_space; + + unw_addr_space_t unw_local_addr_space = &local_addr_space; + +-HIDDEN unw_dyn_info_list_t _U_dyn_info_list; +- +-/* XXX fix me: there is currently no way to locate the dyn-info list +- by a remote unwinder. On ia64, this is done via a special +- unwind-table entry. Perhaps something similar can be done with +- DWARF2 unwind info. */ +- + static void + put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg) + { +@@ -66,7 +59,13 @@ static int + get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr, + void *arg) + { +- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list; ++#ifndef UNW_LOCAL_ONLY ++# pragma weak _U_dyn_info_list_addr ++ if (!_U_dyn_info_list_addr) ++ return -UNW_ENOINFO; ++#endif ++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so. ++ *dyn_info_list_addr = _U_dyn_info_list_addr (); + return 0; + } + +-- +2.32.0 + diff --git a/meta/recipes-support/libunwind/libunwind_1.3.1.bb b/meta/recipes-support/libunwind/libunwind_1.3.1.bb index 037e04c3c0..8ae94a834c 100644 --- a/meta/recipes-support/libunwind/libunwind_1.3.1.bb +++ b/meta/recipes-support/libunwind/libunwind_1.3.1.bb @@ -7,6 +7,7 @@ SRC_URI = "http://download.savannah.nongnu.org/releases/libunwind/libunwind-${PV file://0004-Fix-build-on-mips-musl.patch \ file://0005-ppc32-Consider-ucontext-mismatches-between-glibc-and.patch \ file://0006-Fix-for-X32.patch \ + file://0001-Fix-compilation-with-fno-common.patch \ " SRC_URI_append_libc-musl = " file://musl-header-conflict.patch" diff --git a/meta/recipes-support/libusb/libusb1_1.0.22.bb b/meta/recipes-support/libusb/libusb1_1.0.22.bb index a4fe4de2cb..ffa8f0320c 100644 --- a/meta/recipes-support/libusb/libusb1_1.0.22.bb +++ b/meta/recipes-support/libusb/libusb1_1.0.22.bb @@ -1,7 +1,7 @@ SUMMARY = "Userspace library to access USB (version 1.0)" DESCRIPTION = "A cross-platform library to access USB devices from Linux, \ macOS, Windows, OpenBSD/NetBSD, Haiku and Solaris userspace." -HOMEPAGE = "http://libusb.sf.net" +HOMEPAGE = "https://libusb.info" BUGTRACKER = "http://www.libusb.org/report" SECTION = "libs" @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" BBCLASSEXTEND = "native nativesdk" -SRC_URI = "${SOURCEFORGE_MIRROR}/libusb/libusb-${PV}.tar.bz2 \ +SRC_URI = "https://github.com/libusb/libusb/releases/download/v${PV}/libusb-${PV}.tar.bz2 \ file://no-dll.patch \ file://run-ptest \ " diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch new file mode 100644 index 0000000000..614047ea7a --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch @@ -0,0 +1,201 @@ +From 50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 12 Jun 2021 20:02:53 +0200 +Subject: [PATCH] Fix use-after-free in xsltApplyTemplates + +xsltApplyTemplates without a select expression could delete nodes in +the source document. + +1. Text nodes with strippable whitespace + +Whitespace from input documents is already stripped, so there's no +need to strip it again. Under certain circumstances, xsltApplyTemplates +could be fooled into deleting text nodes that are still referenced, +resulting in a use-after-free. + +2. The DTD + +The DTD was only unlinked, but there's no good reason to do this just +now. Maybe it was meant as a micro-optimization. + +3. Unknown nodes + +Useless and dangerous as well, especially with XInclude nodes. +See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268 + +Simply stop trying to uselessly delete nodes when applying a template. +This part of the code is probably a leftover from a time where +xsltApplyStripSpaces wasn't implemented yet. Also note that +xsltApplyTemplates with a select expression never tried to delete +nodes. + +Also stop xsltDefaultProcessOneNode from deleting nodes for the same +reasons. + +This fixes CVE-2021-30560. + +CVE: CVE-2021-30560 +Upstream-Status: Backport [https://github.com/GNOME/libxslt/commit/50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8.patch] +Comment: No change in any hunk +Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com> + +--- + libxslt/transform.c | 119 +++----------------------------------------- + 1 file changed, 7 insertions(+), 112 deletions(-) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 04522154..3aba354f 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -1895,7 +1895,7 @@ static void + xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, + xsltStackElemPtr params) { + xmlNodePtr copy; +- xmlNodePtr delete = NULL, cur; ++ xmlNodePtr cur; + int nbchild = 0, oldSize; + int childno = 0, oldPos; + xsltTemplatePtr template; +@@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, + return; + } + /* +- * Handling of Elements: first pass, cleanup and counting ++ * Handling of Elements: first pass, counting + */ + cur = node->children; + while (cur != NULL) { +- switch (cur->type) { +- case XML_TEXT_NODE: +- case XML_CDATA_SECTION_NODE: +- case XML_DOCUMENT_NODE: +- case XML_HTML_DOCUMENT_NODE: +- case XML_ELEMENT_NODE: +- case XML_PI_NODE: +- case XML_COMMENT_NODE: +- nbchild++; +- break; +- case XML_DTD_NODE: +- /* Unlink the DTD, it's still reachable using doc->intSubset */ +- if (cur->next != NULL) +- cur->next->prev = cur->prev; +- if (cur->prev != NULL) +- cur->prev->next = cur->next; +- break; +- default: +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: skipping node type %d\n", +- cur->type)); +-#endif +- delete = cur; +- } ++ if (IS_XSLT_REAL_NODE(cur)) ++ nbchild++; + cur = cur->next; +- if (delete != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); +-#endif +- xmlUnlinkNode(delete); +- xmlFreeNode(delete); +- delete = NULL; +- } +- } +- if (delete != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); +-#endif +- xmlUnlinkNode(delete); +- xmlFreeNode(delete); +- delete = NULL; + } + + /* +@@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, + xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp; + #endif + int i; +- xmlNodePtr cur, delNode = NULL, oldContextNode; ++ xmlNodePtr cur, oldContextNode; + xmlNodeSetPtr list = NULL, oldList; + xsltStackElemPtr withParams = NULL; + int oldXPProximityPosition, oldXPContextSize; +@@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, + else + cur = NULL; + while (cur != NULL) { +- switch (cur->type) { +- case XML_TEXT_NODE: +- if ((IS_BLANK_NODE(cur)) && +- (cur->parent != NULL) && +- (cur->parent->type == XML_ELEMENT_NODE) && +- (ctxt->style->stripSpaces != NULL)) { +- const xmlChar *val; +- +- if (cur->parent->ns != NULL) { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- cur->parent->name, +- cur->parent->ns->href); +- if (val == NULL) { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- BAD_CAST "*", +- cur->parent->ns->href); +- } +- } else { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- cur->parent->name, NULL); +- } +- if ((val != NULL) && +- (xmlStrEqual(val, (xmlChar *) "strip"))) { +- delNode = cur; +- break; +- } +- } +- /* Intentional fall-through */ +- case XML_ELEMENT_NODE: +- case XML_DOCUMENT_NODE: +- case XML_HTML_DOCUMENT_NODE: +- case XML_CDATA_SECTION_NODE: +- case XML_PI_NODE: +- case XML_COMMENT_NODE: +- xmlXPathNodeSetAddUnique(list, cur); +- break; +- case XML_DTD_NODE: +- /* Unlink the DTD, it's still reachable +- * using doc->intSubset */ +- if (cur->next != NULL) +- cur->next->prev = cur->prev; +- if (cur->prev != NULL) +- cur->prev->next = cur->next; +- break; +- case XML_NAMESPACE_DECL: +- break; +- default: +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, +- "xsltApplyTemplates: skipping cur type %d\n", +- cur->type)); +-#endif +- delNode = cur; +- } ++ if (IS_XSLT_REAL_NODE(cur)) ++ xmlXPathNodeSetAddUnique(list, cur); + cur = cur->next; +- if (delNode != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, +- "xsltApplyTemplates: removing ignorable blank cur\n")); +-#endif +- xmlUnlinkNode(delNode); +- xmlFreeNode(delNode); +- delNode = NULL; +- } + } + } + diff --git a/meta/recipes-support/libxslt/libxslt_1.1.34.bb b/meta/recipes-support/libxslt/libxslt_1.1.34.bb index 63cce6fe06..4755677bec 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.34.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb @@ -14,6 +14,7 @@ SECTION = "libs" DEPENDS = "libxml2" SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ + file://CVE-2021-30560.patch \ " SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a" @@ -21,6 +22,10 @@ SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar" +# We have libxml2 2.9.10 and we don't link statically with it anyway +# so this isn't an issue. +CVE_CHECK_WHITELIST += "CVE-2022-29824" + S = "${WORKDIR}/libxslt-${PV}" BINCONFIG = "${bindir}/xslt-config" diff --git a/meta/recipes-support/lz4/files/CVE-2021-3520.patch b/meta/recipes-support/lz4/files/CVE-2021-3520.patch new file mode 100644 index 0000000000..5ac8f6691f --- /dev/null +++ b/meta/recipes-support/lz4/files/CVE-2021-3520.patch @@ -0,0 +1,27 @@ +From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001 +From: Jasper Lievisse Adriaanse <j@jasper.la> +Date: Fri, 26 Feb 2021 15:21:20 +0100 +Subject: [PATCH] Fix potential memory corruption with negative memmove() size + +Upstream-Status: Backport +https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7#diff-7055e9cf14c488aea9837aaf9f528b58ee3c22988d7d0d81d172ec62d94a88a7 +CVE: CVE-2021-3520 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + lib/lz4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: git/lib/lz4.c +=================================================================== +--- git.orig/lib/lz4.c ++++ git/lib/lz4.c +@@ -1665,7 +1665,7 @@ LZ4_decompress_generic( + const size_t dictSize /* note : = 0 if noDict */ + ) + { +- if (src == NULL) { return -1; } ++ if ((src == NULL) || (outputSize < 0)) { return -1; } + + { const BYTE* ip = (const BYTE*) src; + const BYTE* const iend = ip + srcSize; diff --git a/meta/recipes-support/lz4/lz4_1.9.2.bb b/meta/recipes-support/lz4/lz4_1.9.2.bb index 20719fcc58..bc11a57eb5 100644 --- a/meta/recipes-support/lz4/lz4_1.9.2.bb +++ b/meta/recipes-support/lz4/lz4_1.9.2.bb @@ -12,8 +12,13 @@ PE = "1" SRCREV = "fdf2ef5809ca875c454510610764d9125ef2ebbd" -SRC_URI = "git://github.com/lz4/lz4.git;branch=dev \ +# remove at next version upgrade or when output changes +PR = "r1" +HASHEQUIV_HASH_VERSION .= ".1" + +SRC_URI = "git://github.com/lz4/lz4.git;branch=dev;protocol=https \ file://run-ptest \ + file://CVE-2021-3520.patch \ " UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)" @@ -22,7 +27,7 @@ S = "${WORKDIR}/git" # Fixed in r118, which is larger than the current version. CVE_CHECK_WHITELIST += "CVE-2014-4715" -EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" +EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" do_install() { oe_runmake install diff --git a/meta/recipes-support/lzo/lzo_2.10.bb b/meta/recipes-support/lzo/lzo_2.10.bb index 85b14b3c5c..f0c8631aea 100644 --- a/meta/recipes-support/lzo/lzo_2.10.bb +++ b/meta/recipes-support/lzo/lzo_2.10.bb @@ -18,6 +18,8 @@ SRC_URI[sha256sum] = "c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b42 inherit autotools ptest +CVE_PRODUCT = "lzo oberhumer:lzo2" + EXTRA_OECONF = "--enable-shared" do_install_ptest() { diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch new file mode 100644 index 0000000000..cfc0f382fa --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch @@ -0,0 +1,215 @@ +Backport of: + +From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> +Date: Thu, 11 Mar 2021 19:37:41 +0100 +Subject: [PATCH] New functions ecc_mod_mul_canonical and + ecc_mod_sqr_canonical. + +* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): +New functions. +* ecc-internal.h: Declare and document new functions. +* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. +* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. +* ecc-eh-to-a.c (ecc_eh_to_a): Likewise. +* ecc-j-to-a.c (ecc_j_to_a): Likewise. +* ecc-mul-m.c (ecc_mul_m): Likewise. + +(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c) + +Upstream-Status: Backport +https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch +CVE: CVE-2021-20305 dep1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 11 +++++++++++ + curve25519-eh-to-x.c | 6 +----- + curve448-eh-to-x.c | 5 +---- + ecc-eh-to-a.c | 12 ++---------- + ecc-internal.h | 15 +++++++++++++++ + ecc-j-to-a.c | 15 +++------------ + ecc-mod-arith.c | 24 ++++++++++++++++++++++++ + ecc-mul-m.c | 6 ++---- + 8 files changed, 59 insertions(+), 35 deletions(-) + +#diff --git a/ChangeLog b/ChangeLog +#index fd138d82..5cc5c188 100644 +#--- a/ChangeLog +#+++ b/ChangeLog +#@@ -1,3 +1,14 @@ +#+2021-03-11 Niels Möller <nisse@lysator.liu.se> +#+ +#+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): +#+ New functions. +#+ * ecc-internal.h: Declare and document new functions. +#+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. +#+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. +#+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. +#+ * ecc-j-to-a.c (ecc_j_to_a): Likewise. +#+ * ecc-mul-m.c (ecc_mul_m): Likewise. +#+ +# 2021-02-17 Niels Möller <nisse@lysator.liu.se> +# +# * Released Nettle-3.7.1. +Index: nettle-3.5.1/curve25519-eh-to-x.c +=================================================================== +--- nettle-3.5.1.orig/curve25519-eh-to-x.c ++++ nettle-3.5.1/curve25519-eh-to-x.c +@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const + #define t2 (scratch + 2*ecc->p.size) + + const struct ecc_curve *ecc = &_nettle_curve25519; +- mp_limb_t cy; + + /* If u = U/W and v = V/W are the coordiantes of the point on the + Edwards curve we get the curve25519 x coordinate as +@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const + ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); + + ecc_modp_add (ecc, t0, wp, vp); +- ecc_modp_mul (ecc, t2, t0, t1); +- +- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); +- cnd_copy (cy, xp, t2, ecc->p.size); ++ ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2); + #undef vp + #undef wp + #undef t0 +Index: nettle-3.5.1/ecc-eh-to-a.c +=================================================================== +--- nettle-3.5.1.orig/ecc-eh-to-a.c ++++ nettle-3.5.1/ecc-eh-to-a.c +@@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc + /* Needs 2*size + scratch for the invert call. */ + ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); + +- ecc_modp_mul (ecc, tp, xp, izp); +- cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); +- cnd_copy (cy, r, tp, ecc->p.size); ++ ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp); + + if (op) + { +@@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc + } + return; + } +- ecc_modp_mul (ecc, tp, yp, izp); +- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); +- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); ++ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp); + } +Index: nettle-3.5.1/ecc-internal.h +=================================================================== +--- nettle-3.5.1.orig/ecc-internal.h ++++ nettle-3.5.1/ecc-internal.h +@@ -49,6 +49,8 @@ + #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 + #define ecc_mod_mul _nettle_ecc_mod_mul + #define ecc_mod_sqr _nettle_ecc_mod_sqr ++#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical ++#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical + #define ecc_mod_random _nettle_ecc_mod_random + #define ecc_mod _nettle_ecc_mod + #define ecc_mod_inv _nettle_ecc_mod_inv +@@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m, + #define ecc_modq_mul(ecc, r, a, b) \ + ecc_mod_mul (&(ecc)->q, (r), (a), (b)) + ++/* These mul and sqr functions produce a canonical result, 0 <= R < M. ++ Requirements on input and output areas are similar to the above ++ functions, except that it is *not* allowed to pass rp = rp + ++ m->size. ++ */ ++void ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, ++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); ++ ++void ++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, ++ const mp_limb_t *ap, mp_limb_t *tp); ++ + /* mod q operations. */ + void + ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, +Index: nettle-3.5.1/ecc-j-to-a.c +=================================================================== +--- nettle-3.5.1.orig/ecc-j-to-a.c ++++ nettle-3.5.1/ecc-j-to-a.c +@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc, + #define izBp (scratch + 3*ecc->p.size) + #define tp scratch + +- mp_limb_t cy; +- + if (ecc->use_redc) + { + /* Set v = (r_z / B^2)^-1, +@@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc, + ecc_modp_sqr (ecc, iz2p, izp); + } + +- ecc_modp_mul (ecc, iz3p, iz2p, p); +- /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so +- do a conditional subtraction. */ +- cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); +- cnd_copy (cy, r, iz3p, ecc->p.size); ++ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p); + + if (op) + { + /* Skip y coordinate */ + if (op > 1) + { ++ mp_limb_t cy; + /* Also reduce the x coordinate mod ecc->q. It should + already be < 2*ecc->q, so one subtraction should + suffice. */ +@@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc, + return; + } + ecc_modp_mul (ecc, iz3p, iz2p, izp); +- ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size); +- /* And a similar subtraction. */ +- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); +- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); ++ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p); + + #undef izp + #undef up +Index: nettle-3.5.1/ecc-mod-arith.c +=================================================================== +--- nettle-3.5.1.orig/ecc-mod-arith.c ++++ nettle-3.5.1/ecc-mod-arith.c +@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m, + } + + void ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, ++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) ++{ ++ mp_limb_t cy; ++ mpn_mul_n (tp + m->size, ap, bp, m->size); ++ m->reduce (m, tp + m->size); ++ ++ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); ++ cnd_copy (cy, rp, tp + m->size, m->size); ++} ++ ++void ++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, ++ const mp_limb_t *ap, mp_limb_t *tp) ++{ ++ mp_limb_t cy; ++ mpn_sqr (tp + m->size, ap, m->size); ++ m->reduce (m, tp + m->size); ++ ++ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); ++ cnd_copy (cy, rp, tp + m->size, m->size); ++} ++ ++void + ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap) + { diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch new file mode 100644 index 0000000000..bb56b14c8c --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch @@ -0,0 +1,53 @@ +Backport of: + +From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> +Date: Sat, 13 Mar 2021 17:26:37 +0100 +Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison. + +* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. + +(cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906) + +Upstream-Status: Backport +https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-2.patch +CVE: CVE-2021-20305 dep2 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 4 ++++ + eddsa-verify.c | 9 ++------- + 2 files changed, 6 insertions(+), 7 deletions(-) + +#diff --git a/ChangeLog b/ChangeLog +#index 5cc5c188..2a9217a6 100644 +#--- a/ChangeLog +#+++ b/ChangeLog +#@@ -1,3 +1,7 @@ +#+2021-03-13 Niels Möller <nisse@lysator.liu.se> +#+ +#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. +#+ +# 2021-03-11 Niels Möller <nisse@lysator.liu.se> +# +# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): +Index: nettle-3.5.1/eddsa-verify.c +=================================================================== +--- nettle-3.5.1.orig/eddsa-verify.c ++++ nettle-3.5.1/eddsa-verify.c +@@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p, + #define t0 scratch + #define t1 (scratch + p->size) + +- ecc_mod_mul (p, t0, x1, z2); +- if (mpn_cmp (t0, p->m, p->size) >= 0) +- mpn_sub_n (t0, t0, p->m, p->size); +- +- ecc_mod_mul (p, t1, x2, z1); +- if (mpn_cmp (t1, p->m, p->size) >= 0) +- mpn_sub_n (t1, t1, p->m, p->size); ++ ecc_mod_mul_canonical (p, t0, x1, z2, t0); ++ ecc_mod_mul_canonical (p, t1, x2, z1, t1); + + return mpn_cmp (t0, t1, p->size) == 0; + diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch new file mode 100644 index 0000000000..15a892ecdf --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch @@ -0,0 +1,122 @@ +Backport of: + +From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> +Date: Sat, 13 Mar 2021 15:19:19 +0100 +Subject: [PATCH] Fix bug in ecc_ecdsa_verify. + +* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical +to compute the scalars used for ecc multiplication. +* testsuite/ecdsa-verify-test.c (test_main): Add test case that +triggers an assert on 64-bit platforms, without above fix. +* testsuite/ecdsa-sign-test.c (test_main): Test case generating +the same signature. + +(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f) + +Upstream-Status: Backport +https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch +CVE: CVE-2021-20305 dep3 +[Minor fixup on _nettle_secp_224r1] +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 10 +++++++++- + ecc-ecdsa-verify.c | 4 ++-- + testsuite/ecdsa-sign-test.c | 13 +++++++++++++ + testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++ + 4 files changed, 44 insertions(+), 3 deletions(-) + +#diff --git a/ChangeLog b/ChangeLog +#index 2a9217a6..63848f53 100644 +#--- a/ChangeLog +#+++ b/ChangeLog +#@@ -1,7 +1,15 @@ +# 2021-03-13 Niels Möller <nisse@lysator.liu.se> +# +#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. +#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical +#+ to compute the scalars used for ecc multiplication. +#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that +#+ triggers an assert on 64-bit platforms, without above fix. +#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating +#+ the same signature. +#+ +#+2021-03-13 Niels Möller <nisse@lysator.liu.se> +# +#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. +# 2021-03-11 Niels Möller <nisse@lysator.liu.se> +# +# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): +Index: nettle-3.5.1/ecc-ecdsa-verify.c +=================================================================== +--- nettle-3.5.1.orig/ecc-ecdsa-verify.c ++++ nettle-3.5.1/ecc-ecdsa-verify.c +@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve + + /* u1 = h / s, P1 = u1 * G */ + ecc_hash (&ecc->q, hp, length, digest); +- ecc_modq_mul (ecc, u1, hp, sinv); ++ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1); + + /* u2 = r / s, P2 = u2 * Y */ +- ecc_modq_mul (ecc, u2, rp, sinv); ++ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2); + + /* Total storage: 5*ecc->p.size + ecc->mul_itch */ + ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size); +Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c +=================================================================== +--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c ++++ nettle-3.5.1/testsuite/ecdsa-sign-test.c +@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc, + void + test_main (void) + { ++ /* Producing the signature for corresponding test in ++ ecdsa-verify-test.c, with special u1 and u2. */ ++ test_ecdsa (&_nettle_secp_224r1, ++ "99b5b787484def12894ca507058b3bf5" ++ "43d72d82fa7721d2e805e5e6", ++ "2", ++ SHEX("cdb887ac805a3b42e22d224c85482053" ++ "16c755d4a736bb2032c92553"), ++ "706a46dc76dcb76798e60e6d89474788" ++ "d16dc18032d268fd1a704fa6", /* r */ ++ "3a41e1423b1853e8aa89747b1f987364" ++ "44705d6d6d8371ea1f578f2e"); /* s */ ++ + /* Test cases for the smaller groups, verified with a + proof-of-concept implementation done for Yubico AB. */ + test_ecdsa (&_nettle_secp_192r1, +Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c +=================================================================== +--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c ++++ nettle-3.5.1/testsuite/ecdsa-verify-test.c +@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc, + void + test_main (void) + { ++ /* Corresponds to nonce k = 2 and private key z = ++ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and ++ hash are chosen so that intermediate scalars in the verify ++ equations are u1 = 0x6b245680e700, u2 = ++ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical ++ reduction of the scalars. Bug caused by missing canonical ++ reduction reported by Guido Vranken. */ ++ test_ecdsa (&_nettle_secp_224r1, ++ "9e7e6cc6b1bdfa8ee039b66ad85e5490" ++ "7be706a900a3cba1c8fdd014", /* x */ ++ "74855db3f7c1b4097ae095745fc915e3" ++ "8a79d2a1de28f282eafb22ba", /* y */ ++ ++ SHEX("cdb887ac805a3b42e22d224c85482053" ++ "16c755d4a736bb2032c92553"), ++ "706a46dc76dcb76798e60e6d89474788" ++ "d16dc18032d268fd1a704fa6", /* r */ ++ "3a41e1423b1853e8aa89747b1f987364" ++ "44705d6d6d8371ea1f578f2e"); /* s */ ++ + /* From RFC 4754 */ + test_ecdsa (&_nettle_secp_256r1, + "2442A5CC 0ECD015F A3CA31DC 8E2BBC70" diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch new file mode 100644 index 0000000000..54b4fa584c --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch @@ -0,0 +1,48 @@ +Backport of: + +From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> +Date: Sat, 13 Mar 2021 16:27:50 +0100 +Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced. + +* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to +canonical range. + +(cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398) + +Upstream-Status: Backport +https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-4.patch +CVE: CVE-2021-20305 dep4 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 3 +++ + ecc-ecdsa-sign.c | 3 +-- + 2 files changed, 4 insertions(+), 2 deletions(-) + +#diff --git a/ChangeLog b/ChangeLog +#index 63848f53..fb2d7f66 100644 +#--- a/ChangeLog +#+++ b/ChangeLog +#@@ -1,5 +1,8 @@ +# 2021-03-13 Niels Möller <nisse@lysator.liu.se> +# +#+ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to +#+ canonical range. +#+ +# * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical +# to compute the scalars used for ecc multiplication. +# * testsuite/ecdsa-verify-test.c (test_main): Add test case that +--- a/ecc-ecdsa-sign.c ++++ b/ecc-ecdsa-sign.c +@@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve * + + ecc_modq_mul (ecc, tp, zp, rp); + ecc_modq_add (ecc, hp, hp, tp); +- ecc_modq_mul (ecc, tp, hp, kinv); ++ ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp); + +- mpn_copyi (sp, tp, ecc->p.size); + #undef P + #undef hp + #undef kinv diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch new file mode 100644 index 0000000000..468ff66266 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch @@ -0,0 +1,53 @@ +Backport of: + +From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> +Date: Sat, 13 Mar 2021 16:42:21 +0100 +Subject: [PATCH] Similar fix for eddsa. + +* eddsa-hash.c (_eddsa_hash): Ensure result is canonically +reduced. Two of the three call sites need that. + +(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288) + + +Upstream-Status: Backport +https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch +CVE: CVE-2021-20305 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 3 +++ + eddsa-hash.c | 10 +++++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) + +#diff --git a/ChangeLog b/ChangeLog +#index 5f8a22c2..ce330831 100644 +#--- a/ChangeLog +#+++ b/ChangeLog +#@@ -1,5 +1,8 @@ +# 2021-03-13 Niels Möller <nisse@lysator.liu.se> +# +#+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically +#+ reduced. Two of the three call sites need that. +#+ +# * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical +# to compute the scalars used for ecc multiplication. +# +Index: nettle-3.5.1/eddsa-hash.c +=================================================================== +--- nettle-3.5.1.orig/eddsa-hash.c ++++ nettle-3.5.1/eddsa-hash.c +@@ -46,7 +46,12 @@ void + _eddsa_hash (const struct ecc_modulo *m, + mp_limb_t *rp, const uint8_t *digest) + { ++ mp_limb_t cy; + size_t nbytes = 1 + m->bit_size / 8; + mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes); + m->mod (m, rp); ++ mpn_copyi (rp + m->size, rp, m->size); ++ /* Ensure canonical reduction. */ ++ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size); ++ cnd_copy (cy, rp, rp + m->size, m->size); + } diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch new file mode 100644 index 0000000000..ac3a638e72 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch @@ -0,0 +1,277 @@ +From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> +Date: Tue, 8 Jun 2021 21:31:39 +0200 +Subject: [PATCH 1/2] Change _rsa_sec_compute_root_tr to take a fix input size. + +Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug. + +(cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c) + +Upstream-Status: Backport +CVE: CVE-2021-3580 dep#1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 17 +++++++++- + rsa-decrypt-tr.c | 7 ++--- + rsa-internal.h | 4 +-- + rsa-sec-decrypt.c | 9 ++++-- + rsa-sign-tr.c | 61 +++++++++++++++++------------------- + testsuite/rsa-encrypt-test.c | 14 ++++++++- + 6 files changed, 69 insertions(+), 43 deletions(-) + +Index: nettle-3.5.1/rsa-decrypt-tr.c +=================================================================== +--- nettle-3.5.1.orig/rsa-decrypt-tr.c ++++ nettle-3.5.1/rsa-decrypt-tr.c +@@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_k + mp_size_t key_limb_size; + int res; + +- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); ++ key_limb_size = mpz_size(pub->n); + + TMP_GMP_ALLOC (m, key_limb_size); + TMP_GMP_ALLOC (em, key->size); ++ mpz_limbs_copy(m, gibberish, key_limb_size); + +- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, +- mpz_limbs_read(gibberish), +- mpz_size(gibberish)); ++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); + + mpn_get_base256 (em, key->size, m, key_limb_size); + +Index: nettle-3.5.1/rsa-internal.h +=================================================================== +--- nettle-3.5.1.orig/rsa-internal.h ++++ nettle-3.5.1/rsa-internal.h +@@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_p + mp_limb_t *scratch); + + /* Safe side-channel silent variant, using RSA blinding, and checking the +- * result after CRT. */ ++ * result after CRT. In-place calls, with x == m, is allowed. */ + int + _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, +- mp_limb_t *x, const mp_limb_t *m, size_t mn); ++ mp_limb_t *x, const mp_limb_t *m); + + #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */ +Index: nettle-3.5.1/rsa-sec-decrypt.c +=================================================================== +--- nettle-3.5.1.orig/rsa-sec-decrypt.c ++++ nettle-3.5.1/rsa-sec-decrypt.c +@@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_ + TMP_GMP_ALLOC (m, mpz_size(pub->n)); + TMP_GMP_ALLOC (em, key->size); + +- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, +- mpz_limbs_read(gibberish), +- mpz_size(gibberish)); ++ /* We need a copy because m can be shorter than key_size, ++ * but _rsa_sec_compute_root_tr expect all inputs to be ++ * normalized to a key_size long buffer length */ ++ mpz_limbs_copy(m, gibberish, mpz_size(pub->n)); ++ ++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); + + mpn_get_base256 (em, key->size, m, mpz_size(pub->n)); + +Index: nettle-3.5.1/rsa-sign-tr.c +=================================================================== +--- nettle-3.5.1.orig/rsa-sign-tr.c ++++ nettle-3.5.1/rsa-sign-tr.c +@@ -131,35 +131,34 @@ int + _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, +- mp_limb_t *x, const mp_limb_t *m, size_t mn) ++ mp_limb_t *x, const mp_limb_t *m) + { ++ mp_size_t nn; + mpz_t mz; + mpz_t xz; + int res; + +- mpz_init(mz); + mpz_init(xz); + +- mpn_copyi(mpz_limbs_write(mz, mn), m, mn); +- mpz_limbs_finish(mz, mn); ++ nn = mpz_size (pub->n); + +- res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz); ++ res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, ++ mpz_roinit_n(mz, m, nn)); + + if (res) +- mpz_limbs_copy(x, xz, mpz_size(pub->n)); ++ mpz_limbs_copy(x, xz, nn); + +- mpz_clear(mz); + mpz_clear(xz); + return res; + } + #else + /* Blinds m, by computing c = m r^e (mod n), for a random r. Also +- returns the inverse (ri), for use by rsa_unblind. */ ++ returns the inverse (ri), for use by rsa_unblind. Must have c != m, ++ no in-place operation.*/ + static void + rsa_sec_blind (const struct rsa_public_key *pub, + void *random_ctx, nettle_random_func *random, +- mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m, +- mp_size_t mn) ++ mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m) + { + const mp_limb_t *ep = mpz_limbs_read (pub->e); + const mp_limb_t *np = mpz_limbs_read (pub->n); +@@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_k + + /* c = m*(r^e) mod n */ + itch = mpn_sec_powm_itch(nn, ebn, nn); +- i2 = mpn_sec_mul_itch(nn, mn); ++ i2 = mpn_sec_mul_itch(nn, nn); + itch = MAX(itch, i2); +- i2 = mpn_sec_div_r_itch(nn + mn, nn); ++ i2 = mpn_sec_div_r_itch(2*nn, nn); + itch = MAX(itch, i2); + i2 = mpn_sec_invert_itch(nn); + itch = MAX(itch, i2); + +- TMP_GMP_ALLOC (tp, nn + mn + itch); +- scratch = tp + nn + mn; ++ TMP_GMP_ALLOC (tp, 2*nn + itch); ++ scratch = tp + 2*nn; + + /* ri = r^(-1) */ + do +@@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_k + while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch)); + + mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch); +- /* normally mn == nn, but m can be smaller in some cases */ +- mpn_sec_mul (tp, c, nn, m, mn, scratch); +- mpn_sec_div_r (tp, nn + mn, np, nn, scratch); ++ mpn_sec_mul (tp, c, nn, m, nn, scratch); ++ mpn_sec_div_r (tp, 2*nn, np, nn, scratch); + mpn_copyi(c, tp, nn); + + TMP_GMP_FREE (r); +@@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_k + TMP_GMP_FREE (tp); + } + +-/* m = c ri mod n */ ++/* m = c ri mod n. Allows x == c. */ + static void + rsa_sec_unblind (const struct rsa_public_key *pub, + mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c) +@@ -299,7 +297,7 @@ int + _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, + void *random_ctx, nettle_random_func *random, +- mp_limb_t *x, const mp_limb_t *m, size_t mn) ++ mp_limb_t *x, const mp_limb_t *m) + { + TMP_GMP_DECL (c, mp_limb_t); + TMP_GMP_DECL (ri, mp_limb_t); +@@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rs + size_t key_limb_size; + int ret; + +- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); ++ key_limb_size = mpz_size(pub->n); + + /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the + key is invalid and rejected by rsa_private_key_prepare. However, +@@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rs + } + + assert(mpz_size(pub->n) == key_limb_size); +- assert(mn <= key_limb_size); + + TMP_GMP_ALLOC (c, key_limb_size); + TMP_GMP_ALLOC (ri, key_limb_size); + TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); + +- rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn); ++ rsa_sec_blind (pub, random_ctx, random, c, ri, m); + +- _rsa_sec_compute_root(key, c, x, scratch); ++ _rsa_sec_compute_root(key, x, c, scratch); + +- ret = rsa_sec_check_root(pub, c, x); ++ ret = rsa_sec_check_root(pub, x, c); + +- rsa_sec_unblind(pub, x, ri, c); ++ rsa_sec_unblind(pub, x, ri, x); + + cnd_mpn_zero(1 - ret, x, key_limb_size); + +@@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_pub + mpz_t x, const mpz_t m) + { + TMP_GMP_DECL (l, mp_limb_t); ++ mp_size_t nn = mpz_size(pub->n); + int res; + +- mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); +- TMP_GMP_ALLOC (l, l_size); ++ TMP_GMP_ALLOC (l, nn); ++ mpz_limbs_copy(l, m, nn); + +- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, +- mpz_limbs_read(m), mpz_size(m)); ++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l); + if (res) { +- mp_limb_t *xp = mpz_limbs_write (x, l_size); +- mpn_copyi (xp, l, l_size); +- mpz_limbs_finish (x, l_size); ++ mp_limb_t *xp = mpz_limbs_write (x, nn); ++ mpn_copyi (xp, l, nn); ++ mpz_limbs_finish (x, nn); + } + + TMP_GMP_FREE (l); +Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c +=================================================================== +--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c ++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c +@@ -19,6 +19,7 @@ test_main(void) + uint8_t after; + + mpz_t gibberish; ++ mpz_t zero; + + rsa_private_key_init(&key); + rsa_public_key_init(&pub); +@@ -101,6 +102,17 @@ test_main(void) + ASSERT(decrypted[decrypted_length] == after); + ASSERT(decrypted[0] == 'A'); + ++ /* Test zero input. */ ++ mpz_init_set_ui (zero, 0); ++ decrypted_length = msg_length; ++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero)); ++ ASSERT(!rsa_decrypt_tr(&pub, &key, ++ &lfib, (nettle_random_func *) knuth_lfib_random, ++ &decrypted_length, decrypted, zero)); ++ ASSERT(!rsa_sec_decrypt(&pub, &key, ++ &lfib, (nettle_random_func *) knuth_lfib_random, ++ decrypted_length, decrypted, zero)); ++ ASSERT(decrypted_length == msg_length); + + /* Test invalid key. */ + mpz_add_ui (key.q, key.q, 2); +@@ -112,6 +124,6 @@ test_main(void) + rsa_private_key_clear(&key); + rsa_public_key_clear(&pub); + mpz_clear(gibberish); ++ mpz_clear(zero); + free(decrypted); + } +- diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch new file mode 100644 index 0000000000..18e952ddf7 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch @@ -0,0 +1,163 @@ +From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> +Date: Tue, 8 Jun 2021 21:32:38 +0200 +Subject: [PATCH 2/2] Add input check to rsa_decrypt family of functions. + +(cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe) + +Upstream-Status: Backport +CVE: CVE-2021-3580 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 10 +++++++++- + rsa-decrypt-tr.c | 4 ++++ + rsa-decrypt.c | 10 ++++++++++ + rsa-sec-decrypt.c | 4 ++++ + rsa.h | 5 +++-- + testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------ + 6 files changed, 62 insertions(+), 9 deletions(-) + +Index: nettle-3.5.1/rsa-decrypt-tr.c +=================================================================== +--- nettle-3.5.1.orig/rsa-decrypt-tr.c ++++ nettle-3.5.1/rsa-decrypt-tr.c +@@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_k + mp_size_t key_limb_size; + int res; + ++ /* First check that input is in range. */ ++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) ++ return 0; ++ + key_limb_size = mpz_size(pub->n); + + TMP_GMP_ALLOC (m, key_limb_size); +Index: nettle-3.5.1/rsa-decrypt.c +=================================================================== +--- nettle-3.5.1.orig/rsa-decrypt.c ++++ nettle-3.5.1/rsa-decrypt.c +@@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key + int res; + + mpz_init(m); ++ ++ /* First check that input is in range. Since we don't have the ++ public key available here, we need to reconstruct n. */ ++ mpz_mul (m, key->p, key->q); ++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0) ++ { ++ mpz_clear (m); ++ return 0; ++ } ++ + rsa_compute_root(key, m, gibberish); + + res = pkcs1_decrypt (key->size, m, length, message); +Index: nettle-3.5.1/rsa-sec-decrypt.c +=================================================================== +--- nettle-3.5.1.orig/rsa-sec-decrypt.c ++++ nettle-3.5.1/rsa-sec-decrypt.c +@@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_ + TMP_GMP_DECL (em, uint8_t); + int res; + ++ /* First check that input is in range. */ ++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) ++ return 0; ++ + TMP_GMP_ALLOC (m, mpz_size(pub->n)); + TMP_GMP_ALLOC (em, key->size); + +Index: nettle-3.5.1/rsa.h +=================================================================== +--- nettle-3.5.1.orig/rsa.h ++++ nettle-3.5.1/rsa.h +@@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_ + size_t length, uint8_t *message, + const mpz_t gibberish); + +-/* Compute x, the e:th root of m. Calling it with x == m is allowed. */ ++/* Compute x, the e:th root of m. Calling it with x == m is allowed. ++ It is required that 0 <= m < n. */ + void + rsa_compute_root(const struct rsa_private_key *key, + mpz_t x, const mpz_t m); + + /* Safer variant, using RSA blinding, and checking the result after +- CRT. */ ++ CRT. It is required that 0 <= m < n. */ + int + rsa_compute_root_tr(const struct rsa_public_key *pub, + const struct rsa_private_key *key, +Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c +=================================================================== +--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c ++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c +@@ -19,11 +19,12 @@ test_main(void) + uint8_t after; + + mpz_t gibberish; +- mpz_t zero; ++ mpz_t bad_input; + + rsa_private_key_init(&key); + rsa_public_key_init(&pub); + mpz_init(gibberish); ++ mpz_init(bad_input); + + knuth_lfib_init(&lfib, 17); + +@@ -103,15 +104,40 @@ test_main(void) + ASSERT(decrypted[0] == 'A'); + + /* Test zero input. */ +- mpz_init_set_ui (zero, 0); ++ mpz_set_ui (bad_input, 0); + decrypted_length = msg_length; +- ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero)); ++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); + ASSERT(!rsa_decrypt_tr(&pub, &key, + &lfib, (nettle_random_func *) knuth_lfib_random, +- &decrypted_length, decrypted, zero)); ++ &decrypted_length, decrypted, bad_input)); + ASSERT(!rsa_sec_decrypt(&pub, &key, + &lfib, (nettle_random_func *) knuth_lfib_random, +- decrypted_length, decrypted, zero)); ++ decrypted_length, decrypted, bad_input)); ++ ASSERT(decrypted_length == msg_length); ++ ++ /* Test input that is slightly larger than n */ ++ mpz_add(bad_input, gibberish, pub.n); ++ decrypted_length = msg_length; ++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); ++ ASSERT(!rsa_decrypt_tr(&pub, &key, ++ &lfib, (nettle_random_func *) knuth_lfib_random, ++ &decrypted_length, decrypted, bad_input)); ++ ASSERT(!rsa_sec_decrypt(&pub, &key, ++ &lfib, (nettle_random_func *) knuth_lfib_random, ++ decrypted_length, decrypted, bad_input)); ++ ASSERT(decrypted_length == msg_length); ++ ++ /* Test input that is considerably larger than n */ ++ mpz_mul_2exp (bad_input, pub.n, 100); ++ mpz_add (bad_input, bad_input, gibberish); ++ decrypted_length = msg_length; ++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); ++ ASSERT(!rsa_decrypt_tr(&pub, &key, ++ &lfib, (nettle_random_func *) knuth_lfib_random, ++ &decrypted_length, decrypted, bad_input)); ++ ASSERT(!rsa_sec_decrypt(&pub, &key, ++ &lfib, (nettle_random_func *) knuth_lfib_random, ++ decrypted_length, decrypted, bad_input)); + ASSERT(decrypted_length == msg_length); + + /* Test invalid key. */ +@@ -124,6 +150,6 @@ test_main(void) + rsa_private_key_clear(&key); + rsa_public_key_clear(&pub); + mpz_clear(gibberish); +- mpz_clear(zero); ++ mpz_clear(bad_input); + free(decrypted); + } diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb index b2ec24b36c..192fd295e9 100644 --- a/meta/recipes-support/nettle/nettle_3.5.1.bb +++ b/meta/recipes-support/nettle/nettle_3.5.1.bb @@ -18,6 +18,13 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \ file://Add-target-to-only-build-tests-not-run-them.patch \ file://run-ptest \ file://check-header-files-of-openssl-only-if-enable_.patch \ + file://CVE-2021-3580_1.patch \ + file://CVE-2021-3580_2.patch \ + file://CVE-2021-20305-1.patch \ + file://CVE-2021-20305-2.patch \ + file://CVE-2021-20305-3.patch \ + file://CVE-2021-20305-4.patch \ + file://CVE-2021-20305-5.patch \ " SRC_URI_append_class-target = "\ diff --git a/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb index 623afccb5e..5f1b73ee16 100644 --- a/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb +++ b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb @@ -10,7 +10,7 @@ DEPENDS = "libtasn1 libtasn1-native libffi" DEPENDS_append = "${@' glib-2.0' if d.getVar('GTKDOC_ENABLED') == 'True' else ''}" -SRC_URI = "git://github.com/p11-glue/p11-kit;branch=0.23" +SRC_URI = "git://github.com/p11-glue/p11-kit;branch=0.23;protocol=https" SRCREV = "bd97afbfe28d5fbbde95ce36ff7a8834fc0291ee" S = "${WORKDIR}/git" diff --git a/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb b/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb index 7290dc90e5..3401b7b39e 100644 --- a/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb +++ b/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=751419260aa954499f7abaabaa882bbe" SRCREV = "834670317bd3f6e427e1ac461c07ada6b8936dfd" PV .= "+git${SRCPV}" -SRC_URI = "git://git.yoctoproject.org/ptest-runner2 \ +SRC_URI = "git://git.yoctoproject.org/ptest-runner2;branch=master \ " UPSTREAM_VERSION_UNKNOWN = "1" diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch new file mode 100644 index 0000000000..b7dcaefad3 --- /dev/null +++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch @@ -0,0 +1,347 @@ +From fd634998f813340768c333cdad638498602856e5 Mon Sep 17 00:00:00 2001 +From: Ulya Trofimovich <skvadrik@gmail.com> +Date: Tue, 21 Apr 2020 21:28:32 +0100 +Subject: [PATCH] Rewrite recursion into iteration (Tarjan's SCC algorithm and + YYFILL states). + +This is to avoid stack overflow on large RE (especially on instrumented +builds that have larger stack frames, like AddressSanitizer). + +Stack overflow reported by Agostino Sarubbo. +Related to #219 "overflow-1.re test fails on system with small stack". + +Upstram-Status: Backport: +https://github.com/skvadrik/re2c/commit/fd634998f813340768c333cdad638498602856e5 + +CVE: CVE-2018-21232 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- +diff --git a/src/dfa/fillpoints.cc b/src/dfa/fillpoints.cc +--- a/src/dfa/fillpoints.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e) ++++ b/src/dfa/fillpoints.cc (date 1646929180243) +@@ -5,151 +5,186 @@ + + #include "src/dfa/dfa.h" + +-namespace re2c +-{ ++ ++/* ++ * note [finding strongly connected components of DFA] ++ * ++ * A slight modification of Tarjan's algorithm. ++ * ++ * The algorithm traverses the DFA in depth-first order. It maintains a stack ++ * of states that have already been visited but haven't been assigned to an SCC ++ * yet. For each state the algorithm calculates 'lowlink': index of the highest ++ * ancestor state reachable in one step from a descendant of this state. ++ * Lowlink is used to determine when a set of states should be popped off stack ++ * into a new SCC. ++ * ++ * We use lowlink to hold different kinds of information: ++ * - values in range [0 .. stack size] mean that the state is on stack (a ++ * link to a state with the smallest index reachable from this one) ++ * - SCC_UND means that this state has not been visited yet ++ * - SCC_INF means that this state has already been popped off stack ++ * ++ * We use stack size (rather than topological sort index) as a unique index of ++ * the state on stack. This is safe because the indices of states on stack are ++ * unique and less than the indices of states that have been popped off stack ++ * (SCC_INF). ++ */ ++ ++namespace re2c { ++ namespace { + +-static const size_t SCC_INF = std::numeric_limits<size_t>::max(); +-static const size_t SCC_UND = SCC_INF - 1; ++ static const size_t SCC_INF = std::numeric_limits<size_t>::max(); ++ static const size_t SCC_UND = SCC_INF - 1; + +-static bool loopback(size_t node, size_t narcs, const size_t *arcs) +-{ +- for (size_t i = 0; i < narcs; ++i) +- { +- if (arcs[i] == node) +- { +- return true; +- } +- } +- return false; +-} ++ static bool loopback(size_t state, size_t narcs, const size_t *arcs) ++ { ++ for (size_t i = 0; i < narcs; ++i) { ++ if (arcs[i] == state) return true; ++ } ++ return false; ++ } + +-/* +- * node [finding strongly connected components of DFA] +- * +- * A slight modification of Tarjan's algorithm. +- * +- * The algorithm walks graph in deep-first order. It maintains a stack +- * of nodes that have already been visited but haven't been assigned to +- * SCC yet. For each node the algorithm calculates 'lowlink': index of +- * the highest ancestor node reachable in one step from a descendant of +- * the node. Lowlink is used to determine when a set of nodes should be +- * popped off the stack into a new SCC. +- * +- * We use lowlink to hold different kinds of information: +- * - values in range [0 .. stack size] mean that this node is on stack +- * (link to a node with the smallest index reachable from this one) +- * - SCC_UND means that this node has not been visited yet +- * - SCC_INF means that this node has already been popped off stack +- * +- * We use stack size (rather than topological sort index) as unique index +- * of a node on stack. This is safe because indices of nodes on stack are +- * still unique and less than indices of nodes that have been popped off +- * stack (SCC_INF). +- * +- */ +-static void scc( +- const dfa_t &dfa, +- std::stack<size_t> &stack, +- std::vector<size_t> &lowlink, +- std::vector<bool> &trivial, +- size_t i) +-{ +- const size_t link = stack.size(); +- lowlink[i] = link; +- stack.push(i); ++ struct StackItem { ++ size_t state; // current state ++ size_t symbol; // next arc to be visited in this state ++ size_t link; // Tarjan's "lowlink" ++ }; ++ ++// Tarjan's algorithm ++ static void scc(const dfa_t &dfa, std::vector<bool> &trivial, ++ std::vector<StackItem> &stack_dfs) ++ { ++ std::vector<size_t> lowlink(dfa.states.size(), SCC_UND); ++ std::stack<size_t> stack; ++ ++ StackItem x0 = {0, 0, 0}; ++ stack_dfs.push_back(x0); ++ ++ while (!stack_dfs.empty()) { ++ const size_t i = stack_dfs.back().state; ++ size_t c = stack_dfs.back().symbol; ++ size_t link = stack_dfs.back().link; ++ stack_dfs.pop_back(); ++ ++ const size_t *arcs = dfa.states[i]->arcs; ++ ++ if (c == 0) { ++ // DFS recursive enter ++ //DASSERT(lowlink[i] == SCC_UND); ++ link = lowlink[i] = stack.size(); ++ stack.push(i); ++ } ++ else { ++ // DFS recursive return (from one of successor states) ++ const size_t j = arcs[c - 1]; ++ //DASSERT(lowlink[j] != SCC_UND); ++ lowlink[i] = std::min(lowlink[i], lowlink[j]); ++ } + +- const size_t *arcs = dfa.states[i]->arcs; +- for (size_t c = 0; c < dfa.nchars; ++c) +- { +- const size_t j = arcs[c]; +- if (j != dfa_t::NIL) +- { +- if (lowlink[j] == SCC_UND) +- { +- scc(dfa, stack, lowlink, trivial, j); +- } +- if (lowlink[j] < lowlink[i]) +- { +- lowlink[i] = lowlink[j]; +- } +- } +- } ++ // find the next successor state that hasn't been visited yet ++ for (; c < dfa.nchars; ++c) { ++ const size_t j = arcs[c]; ++ if (j != dfa_t::NIL) { ++ if (lowlink[j] == SCC_UND) { ++ break; ++ } ++ lowlink[i] = std::min(lowlink[i], lowlink[j]); ++ } ++ } + +- if (lowlink[i] == link) +- { +- // SCC is non-trivial (has loops) iff it either: +- // - consists of multiple nodes (they all must be interconnected) +- // - consists of single node which loops back to itself +- trivial[i] = i == stack.top() +- && !loopback(i, dfa.nchars, arcs); ++ if (c < dfa.nchars) { ++ // recurse into the next successor state ++ StackItem x1 = {i, c + 1, link}; ++ stack_dfs.push_back(x1); ++ StackItem x2 = {arcs[c], 0, SCC_UND}; ++ stack_dfs.push_back(x2); ++ } ++ else if (lowlink[i] == link) { ++ // all successors have been visited ++ // SCC is non-trivial (has loops) if either: ++ // - it contains multiple interconnected states ++ // - it contains a single self-looping state ++ trivial[i] = i == stack.top() && !loopback(i, dfa.nchars, arcs); + +- size_t j; +- do +- { +- j = stack.top(); +- stack.pop(); +- lowlink[j] = SCC_INF; +- } +- while (j != i); +- } +-} ++ for (;;) { ++ const size_t j = stack.top(); ++ stack.pop(); ++ lowlink[j] = SCC_INF; ++ if (i == j) break; ++ } ++ } ++ } ++ } + +-static void calc_fill( +- const dfa_t &dfa, +- const std::vector<bool> &trivial, +- std::vector<size_t> &fill, +- size_t i) +-{ +- if (fill[i] == SCC_UND) +- { +- fill[i] = 0; +- const size_t *arcs = dfa.states[i]->arcs; +- for (size_t c = 0; c < dfa.nchars; ++c) +- { +- const size_t j = arcs[c]; +- if (j != dfa_t::NIL) +- { +- calc_fill(dfa, trivial, fill, j); +- size_t max = 1; +- if (trivial[j]) +- { +- max += fill[j]; +- } +- if (max > fill[i]) +- { +- fill[i] = max; +- } +- } +- } +- } +-} +- +-void fillpoints(const dfa_t &dfa, std::vector<size_t> &fill) +-{ +- const size_t size = dfa.states.size(); +- +- // find DFA states that belong to non-trivial SCC +- std::stack<size_t> stack; +- std::vector<size_t> lowlink(size, SCC_UND); +- std::vector<bool> trivial(size, false); +- scc(dfa, stack, lowlink, trivial, 0); +- +- // for each DFA state, calculate YYFILL argument: +- // maximal path length to the next YYFILL state +- fill.resize(size, SCC_UND); +- calc_fill(dfa, trivial, fill, 0); ++ static void calc_fill(const dfa_t &dfa, const std::vector<bool> &trivial, ++ std::vector<StackItem> &stack_dfs, std::vector<size_t> &fill) ++ { ++ const size_t nstates = dfa.states.size(); ++ fill.resize(nstates, SCC_UND); ++ ++ StackItem x0 = {0, 0, SCC_INF}; ++ stack_dfs.push_back(x0); ++ ++ while (!stack_dfs.empty()) { ++ const size_t i = stack_dfs.back().state; ++ size_t c = stack_dfs.back().symbol; ++ stack_dfs.pop_back(); ++ ++ const size_t *arcs = dfa.states[i]->arcs; ++ ++ if (c == 0) { ++ // DFS recursive enter ++ if (fill[i] != SCC_UND) continue; ++ fill[i] = 0; ++ } ++ else { ++ // DFS recursive return (from one of successor states) ++ const size_t j = arcs[c - 1]; ++ //DASSERT(fill[i] != SCC_UND && fill[j] != SCC_UND); ++ fill[i] = std::max(fill[i], 1 + (trivial[j] ? fill[j] : 0)); ++ } ++ ++ // find the next successor state that hasn't been visited yet ++ for (; c < dfa.nchars; ++c) { ++ const size_t j = arcs[c]; ++ if (j != dfa_t::NIL) break; ++ } ++ ++ if (c < dfa.nchars) { ++ // recurse into the next successor state ++ StackItem x1 = {i, c + 1, SCC_INF}; ++ stack_dfs.push_back(x1); ++ StackItem x2 = {arcs[c], 0, SCC_INF}; ++ stack_dfs.push_back(x2); ++ } ++ } + +- // The following states must trigger YYFILL: +- // - inital state +- // - all states in non-trivial SCCs +- // for other states, reset YYFILL argument to zero +- for (size_t i = 1; i < size; ++i) +- { +- if (trivial[i]) +- { +- fill[i] = 0; +- } +- } +-} ++ // The following states must trigger YYFILL: ++ // - inital state ++ // - all states in non-trivial SCCs ++ // for other states, reset YYFILL argument to zero ++ for (size_t i = 1; i < nstates; ++i) { ++ if (trivial[i]) { ++ fill[i] = 0; ++ } ++ } ++ } + ++ } // anonymous namespace ++ ++ void fillpoints(const dfa_t &dfa, std::vector<size_t> &fill) ++ { ++ const size_t nstates = dfa.states.size(); ++ std::vector<bool> trivial(nstates, false); ++ std::vector<StackItem> stack_dfs; ++ stack_dfs.reserve(nstates); ++ ++ // find DFA states that belong to non-trivial SCC ++ scc(dfa, trivial, stack_dfs); ++ ++ // for each DFA state, calculate YYFILL argument: ++ // maximal path length to the next YYFILL state ++ calc_fill(dfa, trivial, stack_dfs, fill); ++ } ++ + } // namespace re2c diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch new file mode 100644 index 0000000000..820a6decbc --- /dev/null +++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch @@ -0,0 +1,243 @@ +From 7b5643476bd99c994c4f51b8143f942982d85521 Mon Sep 17 00:00:00 2001 +From: Ulya Trofimovich <skvadrik@gmail.com> +Date: Wed, 22 Apr 2020 22:37:24 +0100 +Subject: [PATCH] Rewrite recursion into iteration (fixed tags computation). + +This is to avoid stack overflow on large RE (especially on instrumented +builds that have larger stack frames, like AddressSanitizer). + +Partial fix for #219 "overflow-1.re test fails on system with small stack". + +Upstream-Stauts: Backport: +https://github.com/skvadrik/re2c/commit/7b5643476bd99c994c4f51b8143f942982d85521 + +CVE: CVE-2018-21232 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- +diff --git a/src/re/tag.cc b/src/re/tag.cc +--- a/src/re/tag.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e) ++++ b/src/re/tag.cc (date 1646986908580) +@@ -6,7 +6,7 @@ + { + + const size_t Tag::RIGHTMOST = std::numeric_limits<size_t>::max(); +-const size_t Tag::VARDIST = std::numeric_limits<size_t>::max(); ++const uint32_t Tag::VARDIST = std::numeric_limits<uint32_t>::max(); + const size_t Tag::FICTIVE = Tag::RIGHTMOST - 1; + + } // namespace re2c + + +diff --git a/src/re/tag.h b/src/re/tag.h +--- a/src/re/tag.h (revision e58939b34bb4c37cd990f82dc286f21cb405743e) ++++ b/src/re/tag.h (date 1646986922376) +@@ -19,7 +19,7 @@ + struct Tag + { + static const size_t RIGHTMOST; +- static const size_t VARDIST; ++ static const uint32_t VARDIST; + static const size_t FICTIVE; + + const std::string *name; + + +diff --git a/src/re/fixed_tags.cc b/src/re/fixed_tags.cc +--- a/src/re/fixed_tags.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e) ++++ b/src/re/fixed_tags.cc (date 1646991137317) +@@ -7,78 +7,131 @@ + #include "src/re/tag.h" + + namespace re2c { ++namespace { + + /* note [fixed and variable tags] + * +- * If distance between two tags is constant (equal for all strings that +- * match the given regexp), then lexer only needs to track one of them: +- * the second tag equals the first tag plus static offset. ++ * If distance between two tags is constant (equal for all strings that match ++ * the given regexp), then lexer only needs to track one of them: the second ++ * tag equals the first tag plus static offset. + * +- * However, this optimization is applied only to tags in top-level +- * concatenation, because other tags may be uninitialized and we don't +- * want to mess with conditional calculation of fixed tags. +- * ++ * This optimization is applied only to tags in top-level concatenation, ++ * because in other cases the base tag may be NULL, and the calculation of ++ * the fixed tag value is not as simple as substracting a fixed offset. + * Furthermore, fixed tags are fobidden with generic API because it cannot +- * express fixed offsets. +- * +- * Tags with history also cannot be fixed. ++ * express fixed offsets. M-tags (with history) also cannot be fixed. + * + * Another special case is fictive tags (those that exist only to impose +- * hierarchical laws of POSIX disambiguation). We treat them as fixed +- * in order to suppress code generation. ++ * hierarchical laws of POSIX disambiguation). We treat them as fixed in order ++ * to suppress code generation. + */ + +-static void find_fixed_tags(RE *re, std::vector<Tag> &tags, +- size_t &dist, size_t &base, bool toplevel) ++struct StackItem { ++ RE *re; // current sub-RE ++ uint32_t dist; // distance backup for alternative, unused for other RE ++ uint8_t succ; // index of the next successor to be visited ++ bool toplevel; // if this sub-RE is in top-level concatenation ++}; ++ ++static void find_fixed_tags(RESpec &spec, std::vector<StackItem> &stack, RE *re0) + { +- switch (re->type) { +- case RE::NIL: break; +- case RE::SYM: +- if (dist != Tag::VARDIST) ++dist; +- break; +- case RE::ALT: { +- size_t d1 = dist, d2 = dist; +- find_fixed_tags(re->alt.re1, tags, d1, base, false); +- find_fixed_tags(re->alt.re2, tags, d2, base, false); +- dist = (d1 == d2) ? d1 : Tag::VARDIST; +- break; +- } +- case RE::CAT: +- find_fixed_tags(re->cat.re2, tags, dist, base, toplevel); +- find_fixed_tags(re->cat.re1, tags, dist, base, toplevel); +- break; +- case RE::ITER: +- find_fixed_tags(re->iter.re, tags, dist, base, false); +- dist = Tag::VARDIST; +- break; +- case RE::TAG: { +- // see note [fixed and variable tags] +- Tag &tag = tags[re->tag.idx]; +- if (fictive(tag)) { +- tag.base = tag.dist = 0; +- } else if (toplevel && dist != Tag::VARDIST && !history(tag)) { +- tag.base = base; +- tag.dist = dist; +- } else if (toplevel) { +- base = re->tag.idx; +- dist = 0; +- } +- if (trailing(tag)) dist = 0; +- break; +- } +- } ++ static const uint32_t VARDIST = Tag::VARDIST; ++ bool toplevel = spec.opts->input_api != INPUT_CUSTOM; ++ ++ // base tag, intially the fake "rightmost tag" (the end of RE) ++ size_t base = Tag::RIGHTMOST; ++ ++ // the distance to the nearest top-level tag to the right (base tag) ++ uint32_t dist = 0; ++ ++ const StackItem i0 = {re0, VARDIST, 0, toplevel}; ++ stack.push_back(i0); ++ ++ while (!stack.empty()) { ++ const StackItem i = stack.back(); ++ stack.pop_back(); ++ RE *re = i.re; ++ ++ if (re->type == RE::SYM) { ++ if (dist != VARDIST) ++dist; ++ } ++ else if (re->type == RE::ALT) { ++ if (i.succ == 0) { ++ // save the current distance on stack (from the alternative end ++ // to base) and recurse into the left sub-RE ++ StackItem k = {re, dist, 1, i.toplevel}; ++ stack.push_back(k); ++ StackItem j = {re->alt.re1, VARDIST, 0, false}; ++ stack.push_back(j); ++ } ++ else if (i.succ == 1) { ++ // save the current distance on stack (from the left sub-RE to ++ // base), reset distance to the distance popped from stack (from ++ // the alternative end to base), recurse into the right sub-RE ++ StackItem k = {re, dist, 2, i.toplevel}; ++ stack.push_back(k); ++ StackItem j = {re->alt.re2, VARDIST, 0, false}; ++ stack.push_back(j); ++ dist = i.dist; ++ } ++ else { ++ // both sub-RE visited, compare the distance on stack (from the ++ // left sub-RE to base) to the current distance (from the right ++ // sub-RE to base), if not equal set variable distance ++ dist = (i.dist == dist) ? i.dist : VARDIST; ++ } ++ } ++ else if (re->type == RE::ITER) { ++ if (i.succ == 0) { ++ // recurse into the sub-RE ++ StackItem k = {re, VARDIST, 1, i.toplevel}; ++ stack.push_back(k); ++ StackItem j = {re->iter.re, VARDIST, 0, false}; ++ stack.push_back(j); ++ } ++ else { ++ // sub-RE visited, assume unknown number of iterations ++ // TODO: find precise distance for fixed repetition counter ++ dist = VARDIST; ++ } ++ } ++ else if (re->type == RE::CAT) { ++ // the right sub-RE is pushed on stack after the left sub-RE and ++ // visited earlier (because distance is computed from right to left) ++ StackItem j1 = {re->cat.re1, VARDIST, 0, i.toplevel}; ++ stack.push_back(j1); ++ StackItem j2 = {re->cat.re2, VARDIST, 0, i.toplevel}; ++ stack.push_back(j2); ++ } ++ else if (re->type == RE::TAG) { ++ // see note [fixed and variable tags] ++ Tag &tag = spec.tags[re->tag.idx]; ++ if (fictive(tag)) { ++ tag.base = tag.dist = 0; ++ } ++ else if (i.toplevel && dist != VARDIST && !history(tag)) { ++ tag.base = base; ++ tag.dist = dist; ++ } ++ else if (i.toplevel) { ++ base = re->tag.idx; ++ dist = 0; ++ } ++ if (trailing(tag)) { ++ dist = 0; ++ } ++ } ++ } + } ++ ++} // anonymous namespace + +-void find_fixed_tags(RESpec &spec) +-{ +- const bool generic = spec.opts->input_api == INPUT_CUSTOM; +- std::vector<RE*>::iterator +- i = spec.res.begin(), +- e = spec.res.end(); +- for (; i != e; ++i) { +- size_t base = Tag::RIGHTMOST, dist = 0; +- find_fixed_tags(*i, spec.tags, dist, base, !generic); +- } +-} ++ void find_fixed_tags(RESpec &spec) ++ { ++ std::vector<StackItem> stack; ++ for (std::vector<RE*>::iterator i = spec.res.begin(); i != spec.res.end(); ++i) { ++ find_fixed_tags(spec, stack, *i); ++ } ++ } + +-} // namespace re2c ++} // namespace re2c +\ No newline at end of file diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch new file mode 100644 index 0000000000..f942e21cba --- /dev/null +++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch @@ -0,0 +1,156 @@ +From 4d9c809355b574f2a58eac119f5e076c48e4d1e2 Mon Sep 17 00:00:00 2001 +From: Ulya Trofimovich <skvadrik@gmail.com> +Date: Thu, 23 Apr 2020 22:16:51 +0100 +Subject: [PATCH] Rewrite recursion into iteration (nullable RE). + +This is to avoid stack overflow on large RE (especially on instrumented +builds that have larger stack frames, like AddressSanitizer). + +Partial fix for #219 "overflow-1.re test fails on system with small stack". + +Upstream-Status: Backport: +https://github.com/skvadrik/re2c/commit/4d9c809355b574f2a58eac119f5e076c48e4d1e2 + +CVE: CVE-2018-21232 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- +diff --git a/src/re/nullable.cc b/src/re/nullable.cc +--- a/src/re/nullable.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e) ++++ b/src/re/nullable.cc (date 1647253886226) +@@ -9,43 +9,100 @@ + #include "src/re/tag.h" + + namespace re2c { ++ namespace { ++ ++ struct StackItem { ++ const RE *re; // current sub-RE ++ uint8_t succ; // index of the next sucessor to be visited ++ }; + +-static bool nullable(const RESpec &spec, const RE *re, bool &trail) +-{ +- if (trail) return true; ++ static bool nullable(const RESpec &spec, std::vector<StackItem> &stack, const RE *re0) ++ { ++ // the "nullable" status of the last sub-RE visited by DFS ++ bool null = false; + +- switch (re->type) { +- case RE::NIL: return true; +- case RE::SYM: return false; +- case RE::ITER: +- return nullable(spec, re->iter.re, trail); +- case RE::TAG: +- trail |= trailing(spec.tags[re->tag.idx]); +- return true; +- case RE::ALT: +- return nullable(spec, re->alt.re1, trail) +- || nullable(spec, re->alt.re2, trail); +- case RE::CAT: +- return nullable(spec, re->cat.re1, trail) +- && nullable(spec, re->cat.re2, trail); +- } +- return false; /* unreachable */ +-} ++ const StackItem i0 = {re0, 0}; ++ stack.push_back(i0); ++ ++ while (!stack.empty()) { ++ const StackItem i = stack.back(); ++ stack.pop_back(); ++ ++ const RE *re = i.re; ++ if (re->type == RE::NIL) { ++ null = true; ++ } ++ else if (re->type == RE::SYM) { ++ null = false; ++ } ++ else if (re->type == RE::TAG) { ++ null = true; + +-/* +- * warn about rules that match empty string +- * (including rules with nonempty trailing context) +- * false positives on partially self-shadowed rules like [^]? +- */ +-void warn_nullable(const RESpec &spec, const std::string &cond) +-{ +- const size_t nre = spec.res.size(); +- for (size_t i = 0; i < nre; ++i) { +- bool trail = false; +- if (nullable(spec, spec.res[i], trail)) { +- spec.warn.match_empty_string(spec.rules[i].code->fline, cond); +- } +- } +-} ++ // Trailing context is always in top-level concatenation, and sub-RE ++ // are visited from left to right. Since we are here, sub-RE to the ++ // left of the trailing context is nullable (otherwise we would not ++ // recurse into the right sub-RE), therefore the whole RE is nullable. ++ if (trailing(spec.tags[re->tag.idx])) { ++ //DASSERT(stack.size() == 1 && stack.back().re->type == RE::CAT); ++ stack.pop_back(); ++ break; ++ } ++ } ++ else if (re->type == RE::ALT) { ++ if (i.succ == 0) { ++ // recurse into the left sub-RE ++ StackItem k = {re, 1}; ++ stack.push_back(k); ++ StackItem j = {re->alt.re1, 0}; ++ stack.push_back(j); ++ } ++ else if (!null) { ++ // if the left sub-RE is nullable, so is alternative, so stop ++ // recursion; otherwise recurse into the right sub-RE ++ StackItem j = {re->alt.re2, 0}; ++ stack.push_back(j); ++ } ++ } ++ else if (re->type == RE::CAT) { ++ if (i.succ == 0) { ++ // recurse into the left sub-RE ++ StackItem k = {re, 1}; ++ stack.push_back(k); ++ StackItem j = {re->cat.re1, 0}; ++ stack.push_back(j); ++ } ++ else if (null) { ++ // if the left sub-RE is not nullable, neither is concatenation, ++ // so stop recursion; otherwise recurse into the right sub-RE ++ StackItem j = {re->cat.re2, 0}; ++ stack.push_back(j); ++ } ++ } ++ else if (re->type == RE::ITER) { ++ // iteration is nullable if the sub-RE is nullable ++ // (zero repetitions is represented with alternative) ++ StackItem j = {re->iter.re, 0}; ++ stack.push_back(j); ++ } ++ } ++ ++ //DASSERT(stack.empty()); ++ return null; ++ } ++ ++ } // anonymous namespace ++ ++// Warn about rules that match empty string (including rules with nonempty ++// trailing context). False positives on partially self-shadowed rules like [^]? ++ void warn_nullable(const RESpec &spec, const std::string &cond) ++ { ++ std::vector<StackItem> stack; ++ const size_t nre = spec.res.size(); ++ for (size_t i = 0; i < nre; ++i) { ++ if (nullable(spec, stack, spec.res[i])) { ++ spec.warn.match_empty_string(spec.rules[i].code->fline, cond); ++ } ++ } ++ } + + } // namespace re2c diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch new file mode 100644 index 0000000000..ee8d84b1bc --- /dev/null +++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch @@ -0,0 +1,166 @@ +From 89be91f3df00657261870adbc590209fdb2bc405 Mon Sep 17 00:00:00 2001 +From: Ulya Trofimovich <skvadrik@gmail.com> +Date: Thu, 23 Apr 2020 23:02:21 +0100 +Subject: [PATCH] Rewrite recursion into iteration (estimation of NFA size for + RE). + +This is to avoid stack overflow on large RE (especially on instrumented +builds that have larger stack frames, like AddressSanitizer). + +Partial fix for #219 "overflow-1.re test fails on system with small stack". + +Upstram-Status: Backport: +https://github.com/skvadrik/re2c/commit/89be91f3df00657261870adbc590209fdb2bc405 + +CVE: CVE-2018-21232 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- +diff --git a/src/nfa/estimate_size.cc b/src/nfa/estimate_size.cc +--- a/src/nfa/estimate_size.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e) ++++ b/src/nfa/estimate_size.cc (date 1647005399735) +@@ -6,41 +6,113 @@ + #include "src/re/re.h" + + namespace re2c { ++namespace { ++ ++struct StackItem { ++ const RE *re; // current sub-RE ++ uint32_t size; // size of the sub-RE (only for alternative and concatenation) ++ uint8_t succ; // index of the next sucessor to be visited ++}; + +-static size_t estimate(const RE *re) ++static uint32_t estimate_re_size(const RE *re0, std::vector<StackItem> &stack) + { +- switch (re->type) { +- case RE::NIL: return 0; +- case RE::SYM: return 1; +- case RE::TAG: return 1; +- case RE::ALT: +- return estimate(re->alt.re1) +- + estimate(re->alt.re2) +- + 1; +- case RE::CAT: +- return estimate(re->cat.re1) +- + estimate(re->cat.re2); +- case RE::ITER: { +- const size_t +- iter = estimate(re->iter.re), +- min = re->iter.min, +- max = re->iter.max; +- return max == AST::MANY +- ? iter * min + 1 +- : iter * max + (max - min); +- } +- } +- return 0; /* unreachable */ +-} ++ // the estimated size of the last sub-RE visited by DFS ++ uint32_t size = 0; ++ ++ const StackItem i0 = {re0, 0, 0}; ++ stack.push_back(i0); ++ ++ while (!stack.empty()) { ++ const StackItem i = stack.back(); ++ stack.pop_back(); ++ ++ const RE *re = i.re; ++ if (re->type == RE::NIL) { ++ size = 0; ++ } ++ else if (re->type == RE::SYM || re->type == RE::TAG) { ++ size = 1; ++ } ++ else if (re->type == RE::ALT) { ++ if (i.succ == 0) { ++ // recurse into the left sub-RE ++ StackItem k = {re, 0, 1}; ++ stack.push_back(k); ++ StackItem j = {re->alt.re1, 0, 0}; ++ stack.push_back(j); ++ } ++ else if (i.succ == 1) { ++ // recurse into the right sub-RE ++ StackItem k = {re, size, 2}; ++ stack.push_back(k); ++ StackItem j = {re->alt.re2, 0, 0}; ++ stack.push_back(j); ++ } ++ else { ++ // both sub-RE visited, recursive return ++ size = i.size // left sub-RE (saved on stack) ++ + size // right sub-RE (just visited by DFS) ++ + 1; // additional state for alternative ++ } ++ } ++ else if (re->type == RE::CAT) { ++ if (i.succ == 0) { ++ // recurse into the left sub-RE ++ StackItem k = {re, 0, 1}; ++ stack.push_back(k); ++ StackItem j = {re->cat.re1, 0, 0}; ++ stack.push_back(j); ++ } ++ else if (i.succ == 1) { ++ // recurse into the right sub-RE ++ StackItem k = {re, size, 2}; ++ stack.push_back(k); ++ StackItem j = {re->cat.re2, 0, 0}; ++ stack.push_back(j); ++ } ++ else { ++ // both sub-RE visited, recursive return ++ size = i.size // left sub-RE (saved on stack) ++ + size; // right sub-RE (just visited by DFS) ++ } ++ } ++ else if (re->type == RE::ITER) { ++ if (i.succ == 0) { ++ // recurse into the sub-RE ++ StackItem k = {re, 0, 1}; ++ stack.push_back(k); ++ StackItem j = {re->iter.re, 0, 0}; ++ stack.push_back(j); ++ } ++ else { ++ // sub-RE visited, recursive return ++ const uint32_t min = re->iter.min, max = re->iter.max; ++ size = max == AST::MANY ++ ? size * min + 1 ++ : size * max + (max - min); ++ } ++ } ++ } ++ ++ //DASSERT(stack.empty()); ++ return size; ++} ++ ++} // anonymous namespace + + size_t estimate_size(const std::vector<RE*> &res) + { +- const size_t nre = res.size(); +- size_t size = nre - 1; +- for (size_t i = 0; i < nre; ++i) { +- size += estimate(res[i]) + 1; +- } +- return size; ++ std::vector<StackItem> stack; ++ ++ const size_t nre = res.size(); ++ //DASSERT(nre > 0); ++ size_t size = nre - 1; ++ ++ for (size_t i = 0; i < nre; ++i) { ++ size += estimate_re_size(res[i], stack) + 1; ++ } ++ ++ return size; + } + + } // namespace re2c + diff --git a/meta/recipes-support/re2c/re2c_1.0.1.bb b/meta/recipes-support/re2c/re2c_1.0.1.bb index faeb496a1a..ca5c33f151 100644 --- a/meta/recipes-support/re2c/re2c_1.0.1.bb +++ b/meta/recipes-support/re2c/re2c_1.0.1.bb @@ -7,7 +7,11 @@ SECTION = "devel" LICENSE = "PD" LIC_FILES_CHKSUM = "file://README;beginline=146;md5=881056c9add17f8019ccd8c382ba963a" -SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.gz" +SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.gz \ +file://CVE-2018-21232-1.patch \ +file://CVE-2018-21232-2.patch \ +file://CVE-2018-21232-3.patch \ +file://CVE-2018-21232-4.patch" SRC_URI[md5sum] = "e2c6cf52fc6a21595f21bc82db5324f8" SRC_URI[sha256sum] = "605058d18a00e01bfc32aebf83af35ed5b13180b4e9f279c90843afab2c66c7c" UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases" diff --git a/meta/recipes-support/rng-tools/rng-tools/rngd.service b/meta/recipes-support/rng-tools/rng-tools/rngd.service index aaaaa29074..f296a99e1f 100644 --- a/meta/recipes-support/rng-tools/rng-tools/rngd.service +++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service @@ -3,6 +3,7 @@ Description=Hardware RNG Entropy Gatherer Daemon DefaultDependencies=no After=systemd-udev-settle.service Before=sysinit.target shutdown.target +Wants=systemd-udev-settle.service Conflicts=shutdown.target [Service] diff --git a/meta/recipes-support/rng-tools/rng-tools_6.9.bb b/meta/recipes-support/rng-tools/rng-tools_6.9.bb index b8c6f022f3..58b58fbb3c 100644 --- a/meta/recipes-support/rng-tools/rng-tools_6.9.bb +++ b/meta/recipes-support/rng-tools/rng-tools_6.9.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS = "sysfsutils" SRC_URI = "\ - git://github.com/nhorman/rng-tools.git \ + git://github.com/nhorman/rng-tools.git;branch=master;protocol=https \ file://0001-rngd_jitter-fix-O_NONBLOCK-setting-for-entropy-pipe.patch \ file://0002-rngd_jitter-initialize-AES-key-before-setting-the-en.patch \ file://0003-rngd_jitter-always-read-from-entropy-pipe-before-set.patch \ diff --git a/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb b/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb index 6b3ebf1cdc..05c7d32965 100644 --- a/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb +++ b/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS = "libxml2 itstool-native glib-2.0 shared-mime-info-native" -SRC_URI = "git://gitlab.freedesktop.org/xdg/shared-mime-info.git;protocol=https" +SRC_URI = "git://gitlab.freedesktop.org/xdg/shared-mime-info.git;protocol=https;branch=master" SRCREV = "829b26d85e7d89a0caee03046c3bce373f04c80a" PV = "1.15" S = "${WORKDIR}/git" diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35525.patch b/meta/recipes-support/sqlite/files/CVE-2020-35525.patch new file mode 100644 index 0000000000..27d81d42d9 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-35525.patch @@ -0,0 +1,21 @@ +From: drh <drh@noemail.net> +Date: Thu, 20 Feb 2020 14:08:51 +0000 +Subject: [PATCH] Early-out on the INTERSECT query processing following an + error. + +Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz] +CVE: CVE-2020-35525 +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +--- +Index: sqlite-autoconf-3310100/sqlite3.c +=================================================================== +--- sqlite-autoconf-3310100.orig/sqlite3.c ++++ sqlite-autoconf-3310100/sqlite3.c +@@ -130767,6 +130767,7 @@ static int multiSelect( + /* Generate code to take the intersection of the two temporary + ** tables. + */ ++ if( rc ) break; + assert( p->pEList ); + iBreak = sqlite3VdbeMakeLabel(pParse); + iCont = sqlite3VdbeMakeLabel(pParse); diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35527.patch b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch new file mode 100644 index 0000000000..d1dae389b0 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch @@ -0,0 +1,22 @@ +From: dan <dan@noemail.net> +Date: Mon, 26 Oct 2020 13:24:36 +0000 +Subject: [PATCH] Fix a problem with ALTER TABLE for views that have a nested + FROM clause. Ticket [f50af3e8a565776b]. + +Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz] +CVE: CVE-2020-35527 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- +Index: sqlite-autoconf-3310100/sqlite3.c +=================================================================== +--- sqlite-autoconf-3310100.orig/sqlite3.c ++++ sqlite-autoconf-3310100/sqlite3.c +@@ -133110,7 +133110,7 @@ static int selectExpander(Walker *pWalke + pNew = sqlite3ExprListAppend(pParse, pNew, pExpr); + sqlite3TokenInit(&sColname, zColname); + sqlite3ExprListSetName(pParse, pNew, &sColname, 0); +- if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){ ++ if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){ + struct ExprList_item *pX = &pNew->a[pNew->nExpr-1]; + sqlite3DbFree(db, pX->zEName); + if( pSub ){ diff --git a/meta/recipes-support/sqlite/files/CVE-2021-20223.patch b/meta/recipes-support/sqlite/files/CVE-2021-20223.patch new file mode 100644 index 0000000000..e9d2e04d30 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2021-20223.patch @@ -0,0 +1,23 @@ +From d1d43efa4fb0f2098c0e2c5bf2e807c58d5ec05b Mon Sep 17 00:00:00 2001 +From: dan <dan@noemail.net> +Date: Mon, 26 Oct 2020 13:24:36 +0000 +Subject: [PATCH] Prevent fts5 tokenizer unicode61 from considering '\0' to be + a token characters, even if other characters of class "Cc" are. + +FossilOrigin-Name: b7b7bde9b7a03665e3691c6d51118965f216d2dfb1617f138b9f9e60e418ed2f + +CVE: CVE-2021-20223 +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/d1d43efa4fb0f2098c0e2c5bf2e807c58d5ec05b.patch] +Comment: Removed manifest, manifest.uuid and fts5tok1.test as these files are not present in the amalgamated source code +Signed-Off-by: Sana.Kazi@kpit.com +--- +--- a/sqlite3.c 2022-09-09 13:54:30.010768197 +0530 ++++ b/sqlite3.c 2022-09-09 13:56:25.458769142 +0530 +@@ -227114,6 +227114,7 @@ + } + iTbl++; + } ++ aAscii[0] = 0; /* 0x00 is never a token character */ + } + + /* diff --git a/meta/recipes-support/sqlite/files/CVE-2022-35737.patch b/meta/recipes-support/sqlite/files/CVE-2022-35737.patch new file mode 100644 index 0000000000..341e002913 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2022-35737.patch @@ -0,0 +1,29 @@ +From 2bbf4c999dbb4b520561a57e0bafc19a15562093 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Fri, 2 Sep 2022 11:22:29 +0530 +Subject: [PATCH] CVE-2022-35737 + +Upstream-Status: Backport [https://www.sqlite.org/src/info/aab790a16e1bdff7] +CVE: CVE-2022-35737 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + sqlite3.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sqlite3.c b/sqlite3.c +index f664217..33dfb78 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -28758,7 +28758,8 @@ SQLITE_API void sqlite3_str_vappendf( + case etSQLESCAPE: /* %q: Escape ' characters */ + case etSQLESCAPE2: /* %Q: Escape ' and enclose in '...' */ + case etSQLESCAPE3: { /* %w: Escape " characters */ +- int i, j, k, n, isnull; ++ i64 i, j, k, n; ++ int isnull; + int needQuote; + char ch; + char q = ((xtype==etSQLESCAPE3)?'"':'\''); /* Quote character */ +-- +2.25.1 + diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch new file mode 100644 index 0000000000..01ff29ff5e --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch @@ -0,0 +1,46 @@ +From eab426c5fba69d2c77023939f72b4ad446834e3c Mon Sep 17 00:00:00 2001 +From: dan <Dan Kennedy> +Date: Thu, 7 Sep 2023 13:53:09 +0000 +Subject: [PATCH] Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset. + +Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47] +CVE: CVE-2023-7104 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + sqlite3.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 972ef18..c645ac8 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -203301,15 +203301,19 @@ static int sessionReadRecord( + } + } + if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){ +- sqlite3_int64 v = sessionGetI64(aVal); +- if( eType==SQLITE_INTEGER ){ +- sqlite3VdbeMemSetInt64(apOut[i], v); ++ if( (pIn->nData-pIn->iNext)<8 ){ ++ rc = SQLITE_CORRUPT_BKPT; + }else{ +- double d; +- memcpy(&d, &v, 8); +- sqlite3VdbeMemSetDouble(apOut[i], d); ++ sqlite3_int64 v = sessionGetI64(aVal); ++ if( eType==SQLITE_INTEGER ){ ++ sqlite3VdbeMemSetInt64(apOut[i], v); ++ }else{ ++ double d; ++ memcpy(&d, &v, 8); ++ sqlite3VdbeMemSetDouble(apOut[i], d); ++ } ++ pIn->iNext += 8; + } +- pIn->iNext += 8; + } + } + } +-- +2.25.1 + diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index 877e80f5a3..0e7bcfa5a7 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb @@ -13,6 +13,11 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2020-13630.patch \ file://CVE-2020-13631.patch \ file://CVE-2020-13632.patch \ + file://CVE-2022-35737.patch \ + file://CVE-2020-35525.patch \ + file://CVE-2020-35527.patch \ + file://CVE-2021-20223.patch \ + file://CVE-2023-7104.patch \ " SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125" SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae" diff --git a/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch b/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch index 63a7b78f12..2fc11dbdc2 100644 --- a/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch +++ b/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch @@ -16,11 +16,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com> src/Makefile | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) -diff --git a/src/Makefile b/src/Makefile -index f2fafa4dc..7148d4bd9 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -2845,16 +2845,10 @@ auto/pathdef.c: Makefile auto/config.mk +Index: git/src/Makefile +=================================================================== +--- git.orig/src/Makefile ++++ git/src/Makefile +@@ -3101,16 +3101,10 @@ auto/pathdef.c: Makefile auto/config.mk -@echo '#include "vim.h"' >> $@ -@echo 'char_u *default_vim_dir = (char_u *)"$(VIMRCLOC)";' | $(QUOTESED) >> $@ -@echo 'char_u *default_vimruntime_dir = (char_u *)"$(VIMRUNTIMEDIR)";' | $(QUOTESED) >> $@ @@ -41,6 +41,3 @@ index f2fafa4dc..7148d4bd9 100644 -@sh $(srcdir)/pathdef.sh GUI_GTK_RES_INPUTS = \ --- -2.17.1 - diff --git a/meta/recipes-support/vim/files/disable_acl_header_check.patch b/meta/recipes-support/vim/files/disable_acl_header_check.patch index 33089162b4..533138245d 100644 --- a/meta/recipes-support/vim/files/disable_acl_header_check.patch +++ b/meta/recipes-support/vim/files/disable_acl_header_check.patch @@ -13,11 +13,11 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com> src/configure.ac | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -diff --git a/src/configure.ac b/src/configure.ac -index 2d409b3ca06a..dbcaf6140263 100644 ---- a/src/configure.ac -+++ b/src/configure.ac -@@ -3257,7 +3257,7 @@ AC_CHECK_HEADERS(stdint.h stdlib.h string.h \ +Index: git/src/configure.ac +=================================================================== +--- git.orig/src/configure.ac ++++ git/src/configure.ac +@@ -3292,7 +3292,7 @@ AC_CHECK_HEADERS(stdint.h stdlib.h strin sys/systeminfo.h locale.h sys/stream.h termios.h \ libc.h sys/statfs.h poll.h sys/poll.h pwd.h \ utime.h sys/param.h sys/ptms.h libintl.h libgen.h \ @@ -26,7 +26,7 @@ index 2d409b3ca06a..dbcaf6140263 100644 sys/access.h sys/sysinfo.h wchar.h wctype.h) dnl sys/ptem.h depends on sys/stream.h on Solaris -@@ -3886,6 +3886,7 @@ AC_ARG_ENABLE(acl, +@@ -3974,6 +3974,7 @@ AC_ARG_ENABLE(acl, , [enable_acl="yes"]) if test "$enable_acl" = "yes"; then AC_MSG_RESULT(no) @@ -34,6 +34,3 @@ index 2d409b3ca06a..dbcaf6140263 100644 AC_CHECK_LIB(posix1e, acl_get_file, [LIBS="$LIBS -lposix1e"], AC_CHECK_LIB(acl, acl_get_file, [LIBS="$LIBS -lacl" AC_CHECK_LIB(attr, fgetxattr, LIBS="$LIBS -lattr",,)],,),) --- -2.7.4 - diff --git a/meta/recipes-support/vim/files/no-path-adjust.patch b/meta/recipes-support/vim/files/no-path-adjust.patch index 05c2d803f6..9d6da80913 100644 --- a/meta/recipes-support/vim/files/no-path-adjust.patch +++ b/meta/recipes-support/vim/files/no-path-adjust.patch @@ -7,9 +7,11 @@ Upstream-Status: Pending Signed-off-by: Joe Slater <joe.slater@windriver.com> ---- a/src/Makefile -+++ b/src/Makefile -@@ -2507,11 +2507,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_ +Index: git/src/Makefile +=================================================================== +--- git.orig/src/Makefile ++++ git/src/Makefile +@@ -2565,11 +2565,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_ rm -rf $$cvs; \ fi -chmod $(FILEMOD) $(DEST_TOOLS)/* diff --git a/meta/recipes-support/vim/files/racefix.patch b/meta/recipes-support/vim/files/racefix.patch deleted file mode 100644 index 48dca44cad..0000000000 --- a/meta/recipes-support/vim/files/racefix.patch +++ /dev/null @@ -1,33 +0,0 @@ -The creation of the LINGUAS file is duplicated for each desktop file -which can lead the commands to race against each other. Rework -the makefile to avoid this as the expense of leaving the file on disk. - -Upstream-Status: Pending -RP 2021/2/15 - -Index: git/src/po/Makefile -=================================================================== ---- git.orig/src/po/Makefile -+++ git/src/po/Makefile -@@ -165,17 +165,16 @@ $(PACKAGE).pot: ../*.c ../if_perl.xs ../ - po/gvim.desktop.in po/vim.desktop.in - mv -f ../$(PACKAGE).po $(PACKAGE).pot - --vim.desktop: vim.desktop.in $(POFILES) -+LINGUAS: - echo $(LANGUAGES) | tr " " "\n" |sed -e '/\./d' | sort > LINGUAS -+ -+vim.desktop: vim.desktop.in $(POFILES) LINGUAS - $(MSGFMT) --desktop -d . --template vim.desktop.in -o tmp_vim.desktop -- rm -f LINGUAS - if command -v desktop-file-validate; then desktop-file-validate tmp_vim.desktop; fi - mv tmp_vim.desktop vim.desktop - --gvim.desktop: gvim.desktop.in $(POFILES) -- echo $(LANGUAGES) | tr " " "\n" |sed -e '/\./d' | sort > LINGUAS -+gvim.desktop: gvim.desktop.in $(POFILES) LINGUAS - $(MSGFMT) --desktop -d . --template gvim.desktop.in -o tmp_gvim.desktop -- rm -f LINGUAS - if command -v desktop-file-validate; then desktop-file-validate tmp_gvim.desktop; fi - mv tmp_gvim.desktop gvim.desktop - diff --git a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch b/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch index 37914d4cd9..5284ba45b6 100644 --- a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch +++ b/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch @@ -14,11 +14,11 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com> src/configure.ac | 7 +++++++ 1 file changed, 7 insertions(+) -diff --git a/src/configure.ac b/src/configure.ac -index 0ee86ad..64736f0 100644 ---- a/src/configure.ac -+++ b/src/configure.ac -@@ -3192,11 +3192,18 @@ AC_TRY_COMPILE([#include <stdio.h>], [int x __attribute__((unused));], +Index: git/src/configure.ac +=================================================================== +--- git.orig/src/configure.ac ++++ git/src/configure.ac +@@ -3264,11 +3264,18 @@ AC_TRY_COMPILE([#include <stdio.h>], [in AC_MSG_RESULT(no)) dnl Checks for header files. @@ -37,6 +37,3 @@ index 0ee86ad..64736f0 100644 AC_HEADER_DIRENT --- -2.7.4 - diff --git a/meta/recipes-support/vim/vim-tiny_8.2.bb b/meta/recipes-support/vim/vim-tiny_9.0.bb index e4c26d23f6..e4c26d23f6 100644 --- a/meta/recipes-support/vim/vim-tiny_8.2.bb +++ b/meta/recipes-support/vim/vim-tiny_9.0.bb diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 878d0f18ae..6d62bd67af 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -8,26 +8,30 @@ BUGTRACKER = "https://github.com/vim/vim/issues" DEPENDS = "ncurses gettext-native" # vimdiff doesn't like busybox diff RSUGGESTS_${PN} = "diffutils" + LICENSE = "vim" -LIC_FILES_CHKSUM = "file://runtime/doc/uganda.txt;endline=287;md5=a19edd7ec70d573a005d9e509375a99a" +LIC_FILES_CHKSUM = "file://LICENSE;md5=d1a651ab770b45d41c0f8cb5a8ca930e" -SRC_URI = "git://github.com/vim/vim.git \ +SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://disable_acl_header_check.patch \ file://vim-add-knob-whether-elf.h-are-checked.patch \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ - file://racefix.patch \ -" -SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44" + " + +PV .= ".2190" +SRCREV = "6a950da86d7a6eb09d5ebeab17657986420d07ac" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0" +# Ignore that the upstream version .z in x.y.z is always newer +UPSTREAM_VERSION_UNKNOWN = "1" S = "${WORKDIR}/git" VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}" -inherit autotools-brokensep update-alternatives mime-xdg +inherit autotools-brokensep update-alternatives mime-xdg pkgconfig CLEANBROKEN = "1" @@ -36,29 +40,24 @@ do_configure () { cd src rm -f auto/* touch auto/config.mk + # git timestamps aren't reliable, so touch the shipped .po files so they aren't regenerated + touch -c po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po + # ru.cp1251.po uses CP1251 rather than cp1251, fix that + sed -i -e s/CP1251/cp1251/ po/ru.cp1251.po aclocal autoconf cd .. oe_runconf touch src/auto/configure touch src/auto/config.mk src/auto/config.h + # need a native tool, not a target one + ${BUILD_CC} src/po/sjiscorr.c -o src/po/sjiscorr } -do_compile() { - # We do not support fully / correctly the following locales. Attempting - # to use these with msgfmt in order to update the ".desktop" files exposes - # this problem and leads to the compile failing. - for LOCALE in cs fr ko pl sk zh_CN zh_TW;do - echo -n > src/po/${LOCALE}.po - done - autotools_do_compile -} - -#Available PACKAGECONFIG options are gtkgui, acl, x11, tiny -PACKAGECONFIG ??= "" -PACKAGECONFIG += " \ +PACKAGECONFIG ??= "\ ${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtkgui', '', d)} \ + nls \ " PACKAGECONFIG[gtkgui] = "--enable-gui=gtk3,--enable-gui=no,gtk+3" @@ -67,6 +66,7 @@ PACKAGECONFIG[x11] = "--with-x,--without-x,xt," PACKAGECONFIG[tiny] = "--with-features=tiny,--with-features=big,," PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux," PACKAGECONFIG[elfutils] = "--enable-elf-check,,elfutils," +PACKAGECONFIG[nls] = "--enable-nls,--disable-nls,," EXTRA_OECONF = " \ --disable-gpm \ @@ -75,6 +75,7 @@ EXTRA_OECONF = " \ --disable-netbeans \ --disable-desktop-database-update \ --with-tlib=ncurses \ + --with-modified-by='${MAINTAINER}' \ ac_cv_small_wchar_t=no \ ac_cv_path_GLIB_COMPILE_RESOURCES=no \ vim_cv_getcwd_broken=no \ @@ -87,6 +88,11 @@ EXTRA_OECONF = " \ STRIP=/bin/true \ " +# Some host distros don't have it, disable consistently +# also disable on dunfell target builds +EXTRA_OECONF_append_class-native = " vim_cv_timer_create=no" +EXTRA_OECONF_append_class-target = " vim_cv_timer_create=no" + do_install() { autotools_do_install diff --git a/meta/recipes-support/vim/vim_8.2.bb b/meta/recipes-support/vim/vim_9.0.bb index 709b6ddb55..709b6ddb55 100644 --- a/meta/recipes-support/vim/vim_8.2.bb +++ b/meta/recipes-support/vim/vim_9.0.bb |