From patchwork Sat Apr 22 15:54:33 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 22869 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B33C9C77B7F for ; Sat, 22 Apr 2023 15:54:59 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.web11.10293.1682178893075932394 for ; Sat, 22 Apr 2023 08:54:53 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=xbfSrBVS; spf=softfail (domain: sakoman.com, ip: 209.85.214.179, mailfrom: steve@sakoman.com) Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-1a67bcde3a7so34611585ad.3 for ; Sat, 22 Apr 2023 08:54:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682178892; x=1684770892; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Ibe4sE/z4qA8aYoR3a3Ndn/KiaKklsxlSgZtqM9qlzs=; b=xbfSrBVS2160mvxCh7JSiXLEmLOi76f9zpkw/0xnZfA9C8njhkGz9rkgIQtBjOKkPB dEepJkUpatDu8N0LqSRYgXj54XpC+t7z5tjeIoPuyfNcmS1cVB3390WUKdq8ii4LGaOY ZXv3lQqhQw/BP0R6P/RqegYumjNP9Syoa+yOUFoGZkzr5+/df95jhdT1F1qCu7euAO6q QUIYkzHWJ16D4m/5BGCOr3n1MqdPKCzB8VVlBQYDjeWgIDe03I6lpNG47VAWV14WT8PJ KmxxJFt4usWu2szpVKHQlcvdKoasE0r+np1xfH/MFeIUc38/k9jEkEst93vQP9K9liJV X0mg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682178892; x=1684770892; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc 
:subject:date:message-id:reply-to; bh=Ibe4sE/z4qA8aYoR3a3Ndn/KiaKklsxlSgZtqM9qlzs=; b=Y5CfNjAQE0ciF3v607VdNyIo170NfKb/oCOGPOkr/EOFd0spvcoywFJSeFLmWcxHk1 uExyjogyOopAw/sz+1kJsRgD6ZA0FopS57H7NWU+2ka0xDKwFlwIdyr1KLryqVVsQbaB tHo2hI0LuHgjNXwhkXjhBUVmpIrd0NOqCysgeiP0JzphMqLUu2cWCjdLat/AnVeAjZdJ PLuskQWxHMyE5d7l52P5c67f0a0AUMJi08tgBxd8afzCc+VLv3loYcvTA3N7+m8dryd7 7lqy9vAwoWashQkiBkCW5Ytx4ZTqOSNRriW3vxeYXMH3I48cW6Ufzip9S3beVtFslOAB XluQ== X-Gm-Message-State: AAQBX9dsuRZ8KMq6RoEdTWjdxuDsH0hFLJjyXzeJdKln8HA0vYwGTHWj mbQbMUR02exfxqDBcOBz8i1j7hZs9aL4boy6eI0= X-Google-Smtp-Source: AKy350Zaa49e99p84QXMY/g7qq9aR2c44jMAla3Oi2tKq2b+tGcVqg+eAR8HH3VpVxelQut/dqkRWA== X-Received: by 2002:a17:902:e742:b0:1a9:1b4:9fd5 with SMTP id p2-20020a170902e74200b001a901b49fd5mr9793057plf.68.1682178892120; Sat, 22 Apr 2023 08:54:52 -0700 (PDT) Received: from hexa.lan (dhcp-72-253-4-112.hawaiiantel.net. [72.253.4.112]) by smtp.gmail.com with ESMTPSA id e12-20020a170902d38c00b001a686578b44sm4205342pld.110.2023.04.22.08.54.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Apr 2023 08:54:51 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/8] ruby: CVE-2023-28756 ReDoS vulnerability in Time Date: Sat, 22 Apr 2023 05:54:33 -1000 Message-Id: <0f8eb0505e19ccd27e1b91f27285a9fc87f2aa93.1682178752.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 22 Apr 2023 15:54:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180303 From: Hitendra Prajapati Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e Signed-off-by: Hitendra Prajapati 
Signed-off-by: Steve Sakoman --- .../ruby/ruby/CVE-2023-28756.patch | 73 +++++++++++++++++++ meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch new file mode 100644 index 0000000000..cf24b13f53 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch 
@@ -0,0 +1,73 @@ +From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Wed, 29 Mar 2023 13:28:25 +0900 +Subject: [PATCH] CVE-2023-28756 + +CVE: CVE-2023-28756 +Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e] +Signed-off-by: Hitendra Prajapati +--- + lib/time.gemspec | 2 +- + lib/time.rb | 6 +++--- + test/test_time.rb | 9 +++++++++ + 3 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/lib/time.gemspec b/lib/time.gemspec +index 72fba34..bada91a 100644 +--- a/lib/time.gemspec ++++ b/lib/time.gemspec +@@ -1,6 +1,6 @@ + Gem::Specification.new do |spec| + spec.name = "time" +- spec.version = "0.2.0" ++ spec.version = "0.2.2" + spec.authors = ["Tanaka Akira"] + spec.email = ["akr@fsij.org"] + +diff --git a/lib/time.rb b/lib/time.rb +index bd20a1a..6a13212 100644 +--- a/lib/time.rb ++++ b/lib/time.rb +@@ -509,8 +509,8 @@ class Time + (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+ + (\d{2,})\s+ + (\d{2})\s* +- :\s*(\d{2})\s* +- (?::\s*(\d{2}))?\s+ ++ :\s*(\d{2}) ++ (?:\s*:\s*(\d\d))?\s+ + ([+-]\d{4}| + UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date + # Since RFC 2822 permit comments, the regexp has no right anchor. +@@ -701,7 +701,7 @@ class Time + # + # If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise. + # +- # +fractional_digits+ specifies a number of digits to use for fractional ++ # +fraction_digits+ specifies a number of digits to use for fractional + # seconds. Its default value is 0. + # + # require 'time' +diff --git a/test/test_time.rb b/test/test_time.rb +index b50d841..23e8e10 100644 +--- a/test/test_time.rb ++++ b/test/test_time.rb +@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc: + assert_equal(true, t.utc?) 
+ end + ++ def test_rfc2822_nonlinear ++ pre = ->(n) {"0 Feb 00 00 :00" + " " * n} ++ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s| ++ assert_raise(ArgumentError) do ++ Time.rfc2822(s) ++ end ++ end ++ end ++ + if defined?(Ractor) + def test_rfc2822_ractor + assert_ractor(<<~RUBY, require: 'time') +-- +2.25.1 + diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index c8454da3a9..92efc5db91 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb +++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb 
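Review bot: The new `test_rfc2822_nonlinear` in test/test_time.rb depends on `assert_linear_performance`, a helper that Ruby 3.1.3's bundled test/lib/core_assertions.rb most likely predates (it appeared upstream together with the 2023 ReDoS fixes), so if the suite is ever run for this recipe the test would fail with NoMethodError instead of exercising the fix. Either backport that helper with this patch or drop the test hunk and record it in the header, e.g. `Comment: test hunk dropped, assert_linear_performance is not available in 3.1.3`. The lib/time.rb change is the entire fix: folding the optional seconds into `(?:\s*:\s*(\d\d))?` removes the adjacent `\s*`/`\s+` pair that could split a long run of trailing whitespace in many ways, which looks like the source of the non-linear backtracking the CVE describes. The gemspec bump to 0.2.2 matches the upstream gem release carrying this change and is fine to keep.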
@@ -29,6 +29,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \ file://0006-Make-gemspecs-reproducible.patch \ file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \ + file://CVE-2023-28756.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" From patchwork Sat Apr 22 15:54:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 22868 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B2613C7618E for ; Sat, 22 Apr 2023 15:54:59 +0000 (UTC) Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web11.10294.1682178895292994430 for ; Sat, 22 Apr 2023 08:54:55 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=BXm4X/HC; spf=softfail (domain: sakoman.com, ip: 209.85.214.170, mailfrom: steve@sakoman.com) Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-1a920d484bdso26676715ad.1 for ; Sat, 22 Apr 2023 08:54:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682178894; x=1684770894; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=LjXmVFTycnpr4R+cY6KKuoIZsmox6wLPm8ej4ZUPvM0=; b=BXm4X/HCPLcSHixMTt6ZXMQ1aTdDRLfJSZ0IeBjVEA+W3PKavi0B4G+UIW6Qq7JGr4 wd92gXkSqLpz5qervnos5sOqQOObgtxPPrlKu5VY5BrpjA/Sa1mKtsShHsfCTy3uqDr+ aA8b4kJj0N/e9YuBwJ0AEFK5f8ekEumMthfC7DCvdOPtjxelBW6P+5ccY4eYTdRqsDbI 
c98VDOValBWMVvFVTplArzXxxCuM3y77l6bfxq544LBaGFnAMzXHwEWmsiio7WMyc11n sFwlM/Wsai82W++vOsR/dNFgIc5dZe2WsB+wqRTV/PaC2+aZbMya4zNOGA4yKHrC+Hdn m+TA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682178894; x=1684770894; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LjXmVFTycnpr4R+cY6KKuoIZsmox6wLPm8ej4ZUPvM0=; b=Gi1Uka5ItwGGcpdv+ZT315C1+MMSrRoDGzy8xTsap0YUKtf8o4r+LVJHx2FFdqak39 YxilV8YBIOrmtYuCayB1vcOjgnMvvBYHcNN9ME9T0bRMcWLgllxf9FO1E3+8efHI37iN IP+f4gw6ESrN9wCJ/1vkJHae/cp+CQ5xJzHwjthmr/Q+LHJbBilDBbB42n9B62B9Vkj+ um+iJlr5PpuRfcZeG/7sJy3RqadCj3XSEbqUyWopDypFNHDrUUoWdk+CRBEXo3Edq/BE vEiFwiXfYi1YfxJ0CyJl9Y6v9IZKRNygrWGqa4BbAbv/nScx3da/TXZ0UYcngp3OEOH/ IwVw== X-Gm-Message-State: AAQBX9efKAMxLEGH+A+5BWjTJZ8/27b6mzCCitmwm3svEc7eoFv5GVN9 6nH45zDrTXTKn73o82AyuQuJ6OTkqS3pkef0aBs= X-Google-Smtp-Source: AKy350bV7mw0v9ONzFaw1Fgy9mF+GQcTXhausQhndsjArzzodAE2WC8rCPWYoOYJD4Z326yUdsRkjQ== X-Received: by 2002:a17:902:e886:b0:1a8:13fc:a654 with SMTP id w6-20020a170902e88600b001a813fca654mr10089478plg.25.1682178894162; Sat, 22 Apr 2023 08:54:54 -0700 (PDT) Received: from hexa.lan (dhcp-72-253-4-112.hawaiiantel.net. [72.253.4.112]) by smtp.gmail.com with ESMTPSA id e12-20020a170902d38c00b001a686578b44sm4205342pld.110.2023.04.22.08.54.53 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Apr 2023 08:54:53 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/8] curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538 Date: Sat, 22 Apr 2023 05:54:34 -1000 Message-Id: <0b35659c895e6ff2690d42f976169e4a65be07e6.1682178752.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 22 Apr 2023 15:54:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180304 From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878, https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2023-27535-pre1.patch | 196 ++++++++++++++++++ .../CVE-2023-27535_and_CVE-2023-27538.patch | 170 +++++++++++++++ .../curl/curl/CVE-2023-27536.patch | 52 +++++ meta/recipes-support/curl/curl_7.82.0.bb | 3 + 4 files changed, 421 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch new file mode 100644 index 0000000000..57e1cb9e13 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch 
@@ -0,0 +1,196 @@ +From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 00:49:10 +0200 +Subject: [PATCH] strcase: add and use Curl_timestrcmp + +This is a strcmp() alternative function for comparing "secrets", +designed to take the same time no matter the content to not leak +match/non-match info to observers based on how fast it is. + +The time this function takes is only a function of the shortest input +string. + +Reported-by: Trail of Bits + +Closes #9658 + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878] +Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp. +Signed-off-by: Siddharth Doshi +--- + lib/netrc.c | 6 +++--- + lib/strcase.c | 22 ++++++++++++++++++++++ + lib/strcase.h | 1 + + lib/url.c | 33 +++++++++++++-------------------- + lib/vauth/digest_sspi.c | 4 ++-- + lib/vtls/vtls.c | 4 ++-- + 6 files changed, 43 insertions(+), 27 deletions(-) + +diff --git a/lib/netrc.c b/lib/netrc.c +index 0a4ae2c..b771b60 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -140,9 +140,9 @@ static int parsenetrc(const char *host, + /* we are now parsing sub-keywords concerning "our" host */ + if(state_login) { + if(specific_login) { +- state_our_login = strcasecompare(login, tok); ++ state_our_login = !Curl_timestrcmp(login, tok); + } +- else if(!login || strcmp(login, tok)) { ++ else if(!login || Curl_timestrcmp(login, tok)) { + if(login_alloc) { + free(login); + login_alloc = FALSE; +@@ -158,7 +158,7 @@ static int parsenetrc(const char *host, + } + else if(state_password) { + if((state_our_login || !specific_login) +- && (!password || strcmp(password, tok))) { ++ && (!password || Curl_timestrcmp(password, tok))) { + if(password_alloc) { + free(password); + password_alloc = FALSE; +diff --git a/lib/strcase.c b/lib/strcase.c +index 692a3f1..be085b3 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -141,6 +141,28 @@ bool 
Curl_safecmp(char *a, char *b) + return !a && !b; + } + ++/* ++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this ++ * function spends is a function of the shortest string, not of the contents. ++ */ ++int Curl_timestrcmp(const char *a, const char *b) ++{ ++ int match = 0; ++ int i = 0; ++ ++ if(a && b) { ++ while(1) { ++ match |= a[i]^b[i]; ++ if(!a[i] || !b[i]) ++ break; ++ i++; ++ } ++ } ++ else ++ return a || b; ++ return match; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index 382b80a..c6979da 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -48,5 +48,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + + bool Curl_safecmp(char *a, char *b); ++int Curl_timestrcmp(const char *first, const char *second); + + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index df4377d..c397b57 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -930,19 +930,10 @@ socks_proxy_info_matches(const struct proxy_info *data, + /* the user information is case-sensitive + or at least it is not defined as case-insensitive + see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ +- if(!data->user != !needle->user) +- return FALSE; +- /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(data->user && +- needle->user && +- strcmp(data->user, needle->user) != 0) +- return FALSE; +- if(!data->passwd != !needle->passwd) +- return FALSE; ++ + /* curl_strequal does a case insentive comparison, so do not use it here! 
*/ +- if(data->passwd && +- needle->passwd && +- strcmp(data->passwd, needle->passwd) != 0) ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) + return FALSE; + return TRUE; + } +@@ -1341,10 +1332,10 @@ ConnectionExists(struct Curl_easy *data, + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd) || +- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || +- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd) || ++ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) || ++ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -1420,8 +1411,8 @@ ConnectionExists(struct Curl_easy *data, + possible. (Especially we must not reuse the same connection if + partway through a handshake!) 
*/ + if(wantNTLMhttp) { +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd)) { + + /* we prefer a credential match, but this is at least a connection + that can be reused and "upgraded" to NTLM */ +@@ -1443,8 +1434,10 @@ ConnectionExists(struct Curl_easy *data, + if(!check->http_proxy.user || !check->http_proxy.passwd) + continue; + +- if(strcmp(needle->http_proxy.user, check->http_proxy.user) || +- strcmp(needle->http_proxy.passwd, check->http_proxy.passwd)) ++ if(Curl_timestrcmp(needle->http_proxy.user, ++ check->http_proxy.user) || ++ Curl_timestrcmp(needle->http_proxy.passwd, ++ check->http_proxy.passwd)) + continue; + } + else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { +diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c +index 94f8f8c..a413419 100644 +--- a/lib/vauth/digest_sspi.c ++++ b/lib/vauth/digest_sspi.c +@@ -429,8 +429,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, + has changed then delete that context. 
*/ + if((userp && !digest->user) || (!userp && digest->user) || + (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || +- (userp && digest->user && strcmp(userp, digest->user)) || +- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { ++ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || ++ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) { + if(digest->http_context) { + s_pSecFn->DeleteSecurityContext(digest->http_context); + Curl_safefree(digest->http_context); +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e2d3438..881c8d2 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -146,8 +146,8 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && + #ifdef USE_TLS_SRP +- Curl_safecmp(data->username, needle->username) && +- Curl_safecmp(data->password, needle->password) && ++ !Curl_timestrcmp(data->username, needle->username) && ++ !Curl_timestrcmp(data->password, needle->password) && + (data->authtype == needle->authtype) && + #endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && +-- +2.35.7 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch new file mode 100644 index 0000000000..4e701edfff --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch 
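Review bot: The lib/netrc.c hunk replaces `strcasecompare(login, tok)` with `!Curl_timestrcmp(login, tok)`, which silently turns the .netrc login match from case-insensitive into case-sensitive; that is a user-visible behavior change riding along with this prerequisite, not part of the CVE-2023-27535 fix itself. Upstream made it deliberately (the url.c comment in the same patch notes user info is case-sensitive per RFC 3986), but a kirkstone user whose .netrc login differs only in case from the URL user will stop matching after this update, so the patch header should say so, e.g. `Comment: also makes .netrc login matching case-sensitive, as upstream does since ed5095ed.` Note that `Curl_timestrcmp` stops at the first NUL of either input, so it only equalises timing across secrets of the same length; that is the contract its own comment states, not a defect to change here. The remaining call-site conversions preserve the NULL semantics of the old `Curl_safecmp`/explicit NULL checks, since `Curl_timestrcmp` returns 0 only when both are NULL or both match.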
@@ -0,0 +1,170 @@ +From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 17:47:06 +0100 +Subject: [PATCH] ftp: add more conditions for connection reuse + +Reported-by: Harry Sintonen +Closes #10730 + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] +Comment: Backport for CVE-2023-27535 also fixes CVE-2023-27538 in the file "lib/url.c". +CVE: CVE-2023-27535, CVE-2023-27538 +Signed-off-by: Siddharth Doshi +--- + lib/ftp.c | 28 ++++++++++++++++++++++++++-- + lib/ftp.h | 5 +++++ + lib/setopt.c | 2 +- + lib/url.c | 19 ++++++++++++++++--- + lib/urldata.h | 4 ++-- + 5 files changed, 50 insertions(+), 8 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index c6efaed..93bbaeb 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -4097,6 +4097,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data, + } + + freedirs(ftpc); ++ Curl_safefree(ftpc->account); ++ Curl_safefree(ftpc->alternative_to_user); + Curl_safefree(ftpc->prevpath); + Curl_safefree(ftpc->server_os); + Curl_pp_disconnect(pp); +@@ -4364,11 +4366,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + { + char *type; + struct FTP *ftp; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + +- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); ++ ftp = calloc(sizeof(struct FTP), 1); + if(!ftp) + return CURLE_OUT_OF_MEMORY; + ++ /* clone connection related data that is FTP specific */ ++ if(data->set.str[STRING_FTP_ACCOUNT]) { ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); ++ if(!ftpc->account) { ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { ++ ftpc->alternative_to_user = ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); ++ if(!ftpc->alternative_to_user) { ++ Curl_safefree(ftpc->account); ++ free(ftp); ++ return 
CURLE_OUT_OF_MEMORY; ++ } ++ } ++ data->req.p.ftp = ftp; ++ + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ + + /* FTP URLs support an extension like ";type=" that +@@ -4403,7 +4425,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + /* get some initial data into the ftp struct */ + ftp->transfer = PPTRANSFER_BODY; + ftp->downloadsize = 0; +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ ++ ftpc->known_filesize = -1; /* unknown size for now */ ++ ftpc->use_ssl = data->set.use_ssl; ++ ftpc->ccc = data->set.ftp_ccc; + + return CURLE_OK; + } +diff --git a/lib/ftp.h b/lib/ftp.h +index 1cfdac0..afca25b 100644 +--- a/lib/ftp.h ++++ b/lib/ftp.h +@@ -115,6 +115,8 @@ struct FTP { + struct */ + struct ftp_conn { + struct pingpong pp; ++ char *account; ++ char *alternative_to_user; + char *entrypath; /* the PWD reply when we logged on */ + char *file; /* url-decoded file name (or path) */ + char **dirs; /* realloc()ed array for path components */ +@@ -144,6 +146,9 @@ struct ftp_conn { + ftpstate state; /* always use ftp.c:state() to change state! */ + ftpstate state_saved; /* transfer type saved to be reloaded after + data connection is established */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ ++ unsigned char ccc; /* ccc level for this connection */ + curl_off_t retr_size_saved; /* Size of retrieved file saved */ + char *server_os; /* The target server operating system. 
*/ + curl_off_t known_filesize; /* file size is different from -1, if wildcard +diff --git a/lib/setopt.c b/lib/setopt.c +index 29a78a4..89d0150 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2304,7 +2304,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + arg = va_arg(param, long); + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) + return CURLE_BAD_FUNCTION_ARGUMENT; +- data->set.use_ssl = (curl_usessl)arg; ++ data->set.use_ssl = (unsigned char)arg; + break; + + case CURLOPT_SSL_OPTIONS: +diff --git a/lib/url.c b/lib/url.c +index c397b57..280171c 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1347,11 +1347,24 @@ ConnectionExists(struct Curl_easy *data, + (check->httpversion >= 20) && + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; +- +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { +- if(!ssh_config_matches(needle, check)) ++#ifdef USE_SSH ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) + continue; + } ++#endif ++#ifndef CURL_DISABLE_FTP ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) { ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ ++ if(Curl_timestrcmp(needle->proto.ftpc.account, ++ check->proto.ftpc.account) || ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, ++ check->proto.ftpc.alternative_to_user) || ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) ++ continue; ++ } ++#endif + + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY +diff --git a/lib/urldata.h b/lib/urldata.h +index 69eb2ee..6e6122a 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1748,8 +1748,6 @@ struct UserDefined { + enum CURL_NETRC_OPTION + use_netrc; /* defined in include/curl.h */ + #endif +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! 
*/ + long new_file_perms; /* Permissions to use when creating remote files */ + long new_directory_perms; /* Permissions to use when creating remote dirs */ + long ssh_auth_types; /* allowed SSH auth types */ +@@ -1877,6 +1875,8 @@ struct UserDefined { + BIT(http09_allowed); /* allow HTTP/0.9 responses */ + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some + recipients */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + }; + + struct Names { +-- +2.35.7 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch new file mode 100644 index 0000000000..fb3ee6a14d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch @@ -0,0 +1,52 @@ +From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] +CVE: CVE-2023-27536 +Signed-off-by: 
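Review bot: `ftp_setup_connection` now strdup()s `ftpc->account` and `ftpc->alternative_to_user` into `conn->proto.ftpc`, but the only matching release this patch adds is in `ftp_disconnect`; the candidate connection that `ConnectionExists` rejects in favour of an existing one is torn down by `reuse_conn`/`conn_free`, outside this hunk, and this page does not show those paths freeing ftpc fields, so every reused FTP transfer with CURLOPT_FTP_ACCOUNT or CURLOPT_FTP_ALTERNATIVE_TO_USER set may leak two strings. Please check that path in the 7.82.0 tree and, if it does not release them, add `Curl_safefree(conn->proto.ftpc.account); Curl_safefree(conn->proto.ftpc.alternative_to_user);` to conn_free under `#ifndef CURL_DISABLE_FTP`. The reuse logic itself is right: the `==` to `&` change on `get_protocol_family()` for PROTO_FAMILY_SSH is the CVE-2023-27538 fix folded in as the header says, and the new FTP branch refuses reuse unless account, alternative-to-user, use_ssl and ccc all match, which is what CVE-2023-27535 requires. The `else if` chaining only works because the preceding HTTP/2 branch ends in `continue`; a one-line comment such as `/* the HTTP/2 check above continues, so these else-ifs are reachable for non-HTTP */` would spare the next backporter a puzzle.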
Signed-off-by: Mingli Yu +Signed-off-by: Siddharth Doshi +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index 280171c..c6413a1 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1341,6 +1341,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + /* If multiplexing isn't enabled on the h2 connection and h1 is + explicitly requested, handle it: */ + if((needle->handler->protocol & PROTO_FAMILY_HTTP) && +@@ -1813,6 +1818,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/lib/urldata.h b/lib/urldata.h +index 6e6122a..602c735 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1131,6 +1131,7 @@ struct connectdata { + int socks5_gssapi_enctype; + #endif + unsigned short localport; ++ long gssapi_delegation; /* inherited from set.gssapi_delegation */ + }; + + /* The end of connectdata. */ +-- +2.35.7 diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 4c18afe293..70ceb9f370 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb 
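Review bot: The header line `Upstream-Status: Backport from [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]` cites the same commit that the sibling CVE-2023-27535_and_CVE-2023-27538.patch names as its CVE-2023-27538 source, while this patch's own From line is cb49e67303dbafbab1cebf4086e3ec15b7d56ee5, so one of the two references is wrong and anyone auditing the backport against upstream cannot tell which. It should read `Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5]`, and the cover letter's Upstream-Status line, which lists af369db4 twice, appears to carry the same slip. The code change is sound: `allocate_conn` snapshots `data->set.gssapi_delegation` into the connection and `ConnectionExists` refuses to reuse a connection created under a different delegation setting, which is exactly the CVE-2023-27536 condition, and doing it for every protocol (as the added comment says) is the safe default. There is also what looks like an empty `Signed-off-by:` trailer in the header; confirm it is not a stripped name and drop it if it is.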
@@ -42,6 +42,9 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2023-23916.patch \ file://CVE-2023-27533.patch \ file://CVE-2023-27534.patch \ + file://CVE-2023-27535-pre1.patch \ + file://CVE-2023-27535_and_CVE-2023-27538.patch \ + file://CVE-2023-27536.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Sat Apr 22 15:54:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 22870 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8CB99C6FD18 for ; Sat, 22 Apr 2023 15:54:59 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web11.10296.1682178896861703920 for ; Sat, 22 Apr 2023 08:54:56 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=BrV+8Yzy; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-1a686260adcso34946035ad.0 for ; Sat, 22 Apr 2023 08:54:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682178896; x=1684770896; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=oiU/+OJ1+NTRsOIuMwE2sdY2j7LBza6ASYTNd6CifPA=; b=BrV+8YzyGBnES7qyyEc80GtjrbMk4iXsLAavS1840W7Ra1dLOI7Po64XGNAXymqpQf cva5GDl0K3J7g1k7On1C3HlM9BAcYT7WDHZc3MeEPy9rMl2npPG393qAJszHwpyKYUvz 1SdG4wGw/TVL/vt+Hf2xAaowKGLSvsDvqKPTCzideSXKq+gOxtkcBTfcnJRUFZtdm6d3 
mRpSRh3zTPMihr8tj09kJzxiaj1xJlx636VXhFZupVATrXq6ls9qOB4J/dnQVavrnYP7 gEafaARNGUr7ka/fO8ephgSyhVjRgUWb4rcYgD9hW/BCQFZUhGzoEEYJo+QwvwaVI5HG uwtg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682178896; x=1684770896; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=oiU/+OJ1+NTRsOIuMwE2sdY2j7LBza6ASYTNd6CifPA=; b=jgGnttH4oMJg9VqrT4CgsWhb68lXezqEFIMXcV7I8729Dy2hNG5/H8wNPhWP92l4jX zOdC+GK6CrsdMLstYWtqnQjOMFt+Jo8LGDPAitT/Of7uItoQGl6eKfs6wmZZjYMFcNno XULiN0B7ZHIwQxpYwC5eBeAksPQUpRsrFK6ANx8ODYLSzk/n6FOd5PmqtfFYqWmQfGTn Hb8YhgRKBK4LYFKQli0ZVeyu1lEHYzwDKYMgqQyJECC8j0nelFdJs6q6d6qj7qsmjfHc Kf5AdG+ngbRkyx0o0EITI36PTVYD0gkAQT9hOLfHPyL0/gW7K14vFZ7unOXlI+Rip8m7 zn7A== X-Gm-Message-State: AAQBX9ci6cN8Z99y+8PL/kGeNAe7vtsrF+fQhDbc3tX7tr5eV2pjK1wd 7akFjlZPpw/WO5M4Ke/5QNXF/+oK9gxWwc089Uw= X-Google-Smtp-Source: AKy350bpUsaw9/0skuBeeQFozQqDMbyM7BKJddozsMG/YGWQn9MUaSlcPtIJUHRmKOskKZ6aWf12Kw== X-Received: by 2002:a17:902:f292:b0:1a6:b247:4316 with SMTP id k18-20020a170902f29200b001a6b2474316mr8300774plc.62.1682178895969; Sat, 22 Apr 2023 08:54:55 -0700 (PDT) Received: from hexa.lan (dhcp-72-253-4-112.hawaiiantel.net. [72.253.4.112]) by smtp.gmail.com with ESMTPSA id e12-20020a170902d38c00b001a686578b44sm4205342pld.110.2023.04.22.08.54.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Apr 2023 08:54:55 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 3/8] cargo : non vulnerable cve-2022-46176 added to excluded list Date: Sat, 22 Apr 2023 05:54:35 -1000 Message-Id: <7e4037fd0a66a860b4809be72a89e2de97960a17.1682178752.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 22 Apr 2023 15:54:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180305 From: Sundeep KOKKONDA This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh. Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, cargo-native also not vulnerable to this cve and so added to excluded list. Signed-off-by: Sundeep KOKKONDA Acked-by: Richard Purdie Signed-off-by: Steve Sakoman --- meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 8b5f8d49b8..cb2d920441 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc 
@@ -15,6 +15,11 @@ # the aim of sharing that work and ensuring we don't duplicate it. # +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176 +#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve. +#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list. +CVE_CHECK_IGNORE += "CVE-2022-46176" # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 # CVE is more than 20 years old with no resolution evident From patchwork Sat Apr 22 15:54:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 22867 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D86EC77B76 for ; Sat, 22 Apr 2023 15:54:59 +0000 (UTC) Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web11.10297.1682178898671847750 for ; Sat, 22 Apr 2023 08:54:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=b2tNoiTX; spf=softfail (domain: sakoman.com, ip: 209.85.214.170, mailfrom: steve@sakoman.com) Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-1a920d4842bso24825205ad.2 for ; Sat, 22 Apr 2023 08:54:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682178898; x=1684770898; h=content-transfer-encoding:mime-version:references:in-reply-to 
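Review bot: The rationale in the new `#This CVE ...` and `#The bitbake ...` comment lines rests on bitbake fetching sources over https, but the advisory is about cargo's own handling of git dependencies reached over ssh, so the exclusion should state why cargo-native never performs such a fetch itself rather than how bitbake fetches; as written, a reader auditing the ignore list later cannot tell whether a recipe that hands cargo a git+ssh dependency would reopen the issue. The two explanatory lines are also several times longer than the neighbouring entries and read awkwardly (`The bitbake using the 'wget' ...`); wrapping them to the width of the `# strace` entry below and rephrasing as `# bitbake fetches the crate sources itself over https (wget), so cargo-native never opens an ssh connection` would keep the file consistent. Keeping the NVD and rust-lang advisory links on their own lines, as done here, is the right pattern.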
:message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=5NsYoHmSpFhGLNUMaq5XY7XF+QrwJ+Wgxo+l/+FM70E=; b=b2tNoiTXm/8ehCt61fgo1/beDmALmqW/H1QhzMwf4gA36rMSaFgVmnjNs/vGYiB7kk SrBoOV3NhfGjHTpoudyXPPs6Fk/ceE3wJvgQC/a2Ml1LWJRzmZ7lKTkgg46ETMw+QPUb 5URjEmgkNyNOIOZfzOTQFdHY+/MsGQENjpYhIFNBTEfhVD9HAWrS8d/v0cILPWuwz2j0 OH/NMgA5Pi7xvn72FBgwWK7Bx+YK6S1kY7zI0JuIw2RPaVzh/3s5QI45bPzWUD6b/26L Kxi1gJzWvcpXGwGLZVsWaWBsigiTi62zdmBlLRzgWKlyQc+RJjavYRLN0gJLiZK1jkWh 7YBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682178898; x=1684770898; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=5NsYoHmSpFhGLNUMaq5XY7XF+QrwJ+Wgxo+l/+FM70E=; b=Ww70mRnYUvXI02g9aJLwudXuAgypPvjuUhQJFkML60AFz2DEhd2VVvKxO96VEf4YUa g/K3uniw5JUPfl4UW8P2s3ap+oLfHkTr58S/iI9ONKZmXEiDdm4h07QdGETxrSo1hF4F V3z6wEo5EGdz6jkzKm3onpPjPcNjZRMuYO6mgDejXAF1OX0PphvuclAeFQ8k0mfrFtFm L4ro3oeWsSXLJvtRzV2QeGi5s9CzkqcJ1Apa6VlGreo08mIqj3/e3eobUlEgzkB1mEdq 2Y5tL/JxDEiTjm+yH6FfEpgcGAmpQiWxvKDRoI2tPM8cZk3iLYmnSKzoW90wcH+lrRCt AChg== X-Gm-Message-State: AAQBX9faDWaKb0BL11bFUC18GhRlYL/F1w+2HbF2MM56/z1H1eOkmwiv zEhJd60RcVirnQR6wlGPU1x27YC0Pf7LxEGkvc8= X-Google-Smtp-Source: AKy350ZNqxnumj84n84QnP6BgONpivJMI0YdrQAPmPgHRex18oaVbaB9EojSBtgfzgKTv5TMtDcq2Q== X-Received: by 2002:a17:902:dac4:b0:1a9:5c41:3f8e with SMTP id q4-20020a170902dac400b001a95c413f8emr2805297plx.42.1682178897689; Sat, 22 Apr 2023 08:54:57 -0700 (PDT) Received: from hexa.lan (dhcp-72-253-4-112.hawaiiantel.net. [72.253.4.112]) by smtp.gmail.com with ESMTPSA id e12-20020a170902d38c00b001a686578b44sm4205342pld.110.2023.04.22.08.54.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Apr 2023 08:54:57 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/8] go-runtime: Security fix for CVE-2022-41722 Date: Sat, 22 Apr 2023 05:54:36 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 22 Apr 2023 15:54:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180306 From: Shubham Kulkarni path/filepath: do not Clean("a/../c:/b") into c:\b on Windows Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c Signed-off-by: Shubham Kulkarni Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2022-41722.patch | 103 ++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 23380f04c3..15d19ed124 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -26,6 +26,7 @@ SRC_URI += "\ file://cve-2022-41724.patch \ file://add_godebug.patch \ file://cve-2022-41725.patch \ + file://CVE-2022-41722.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch new file mode 100644 index 0000000000..426a4f925f --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch 
@@ -0,0 +1,103 @@ +From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Mon, 12 Dec 2022 16:43:37 -0800 +Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows + +Do not permit Clean to convert a relative path into one starting +with a drive reference. This change causes Clean to insert a . +path element at the start of a path when the original path does not +start with a volume name, and the first path element would contain +a colon. + +This may introduce a spurious but harmless . path element under +some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`. + +This reverts CL 401595, since the change here supersedes the one +in that CL. + +Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. + +Updates #57274 +Fixes #57276 +Fixes CVE-2022-41722 + +Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249 +Reviewed-by: Roland Shoemaker +Run-TryBot: Damien Neil +Reviewed-by: Julie Qiu +TryBot-Result: Security TryBots +(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944 +Run-TryBot: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-by: Damien Neil +Reviewed-on: https://go-review.googlesource.com/c/go/+/468119 +Reviewed-by: Than McIntosh +Run-TryBot: Michael Pratt +TryBot-Result: Gopher Robot +Auto-Submit: Michael Pratt + +CVE: CVE-2022-41722 +Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18 +Signed-off-by: Shubham Kulkarni +--- + src/path/filepath/path.go | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go +index 8300a32..94621a0 100644 +--- a/src/path/filepath/path.go ++++ b/src/path/filepath/path.go +@@ -15,6 +15,7 @@ import 
( + "errors" + "io/fs" + "os" ++ "runtime" + "sort" + "strings" + ) +@@ -117,21 +118,9 @@ func Clean(path string) string { + case os.IsPathSeparator(path[r]): + // empty path element + r++ +- case path[r] == '.' && r+1 == n: ++ case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])): + // . element + r++ +- case path[r] == '.' && os.IsPathSeparator(path[r+1]): +- // ./ element +- r++ +- +- for r < len(path) && os.IsPathSeparator(path[r]) { +- r++ +- } +- if out.w == 0 && volumeNameLen(path[r:]) > 0 { +- // When joining prefix "." and an absolute path on Windows, +- // the prefix should not be removed. +- out.append('.') +- } + case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])): + // .. element: remove to last separator + r += 2 +@@ -157,6 +146,18 @@ func Clean(path string) string { + if rooted && out.w != 1 || !rooted && out.w != 0 { + out.append(Separator) + } ++ // If a ':' appears in the path element at the start of a Windows path, ++ // insert a .\ at the beginning to avoid converting relative paths ++ // like a/../c: into c:. 
++ if runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0 { ++ for i := r; i < n && !os.IsPathSeparator(path[i]); i++ { ++ if path[i] == ':' { ++ out.append('.') ++ out.append(Separator) ++ break ++ } ++ } ++ } + // copy element + for ; r < n && !os.IsPathSeparator(path[r]); r++ { + out.append(path[r]) +-- +2.7.4 From patchwork Sat Apr 22 15:54:37 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 22874 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 93C50C77B7C for ; Sat, 22 Apr 2023 15:55:09 +0000 (UTC) Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.web11.10298.1682178900648142951 for ; Sat, 22 Apr 2023 08:55:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=10I6vNPZ; spf=softfail (domain: sakoman.com, ip: 209.85.210.179, mailfrom: steve@sakoman.com) Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-63b73203e0aso19660151b3a.1 for ; Sat, 22 Apr 2023 08:55:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682178900; x=1684770900; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=mTLWl2pHVib6XJG3fOALlLGD3BkwUCGUQrMv1qNfcZg=; b=10I6vNPZj1pcIyMfL8BEfo1qVMXiJEe9h430Yw2T/xkwoOSidyx6zSr7h/ATPiXq3B SprOj0KpZBFFUTpINDJk0htO8wxJeN/h+EzeyNY4ro354mP7Jqgug6WXe6NBqKSFeUZo 56semXUqIodtN3eKYaPIuSKiDy9DHywIT5bqcAYk6p7qHsFSORETIAhxeE7nudqo1CDx F3vuSocqfZXiE/zcxNVYHLrtVuajemvQ7X6ufETd/5jVbDgUyGYujYhOW8N+AXMoIZYo 
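Review bot: The `Upstream-Status:` line in the new patch header cites `.../commit/bdf07c2e168baf736e4c057279ca12a4d674f18`, a 39-digit id, while the cover text of this commit gives the full 40-digit `bdf07c2e168baf736e4c057279ca12a4d674f18c`; the last character was dropped, so it should read `Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c` to match the OE convention of a full, copyable reference. On the code side the added `:` scan is gated on `runtime.GOOS == "windows"`, so Clean's behaviour on other platforms is unchanged, but it reads `out.volLen`, whose presence in the 1.17 lazybuf this hunk does not show and which should be confirmed by a build. The removed `./ element` branch presumably comes from the earlier CL 401595 backport mentioned in the header; if 1.17.13 does not carry that CL the hunk will not apply cleanly. `Clean` begins and ends outside the hunk.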
k2mBxuy1cDYY6t5JUmhhGZEU2DVS1BGqc1/8QjmtBb9jG3PwX9eZF6PoP43IKkhRDLx8 93kQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682178900; x=1684770900; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mTLWl2pHVib6XJG3fOALlLGD3BkwUCGUQrMv1qNfcZg=; b=Pg4GXPVLaQn+l5xA9wGksf0V/GtvSNkQ8wPAF2zRUFNh7x0OaRdhpu2aMCkmPsUdIQ Iq/10ou8CDRdNsx3KyBmOKytdEllDutwj7RtYwwsD9I+F3+7BHCUvJ8XJh1WZaE66sJp X6jgChP60fhnNI7xOd3zdNUJB0j2JJRzkV6dSQ9DBYYqEda+yeqj0YudPUTlS2dv9b2z ZFvnjWQtc2DQFsIHY7/pourRaWTDkXe+CGJ/NF2qxp5pXuyT7S8x8LmCe1cOpurQwlgU Nm6RNmaEGrjvGSpokAaz0RXcfO81RyEUYpGSltHWwO2OR04aGF82WbyNLpUvr5IiwMMX S4xQ== X-Gm-Message-State: AAQBX9e21/jTygJaD/MJNXKSIq0aoTLNHpz+p0FNC7pZbl5c2EV6Ci8O 3DbBTVySML+mkk8Lgp1ZM6nRn5Rz5aFPl5dQUZs= X-Google-Smtp-Source: AKy350Y5MIf6131GOITiV89zv71AJ/Gm22bkYi0uG5Oep4kKiEYGT7T+6xxWEFvbVKQAad2VFM/nzQ== X-Received: by 2002:a17:902:cecb:b0:1a6:8527:8e0f with SMTP id d11-20020a170902cecb00b001a685278e0fmr9186319plg.10.1682178899518; Sat, 22 Apr 2023 08:54:59 -0700 (PDT) Received: from hexa.lan (dhcp-72-253-4-112.hawaiiantel.net. [72.253.4.112]) by smtp.gmail.com with ESMTPSA id e12-20020a170902d38c00b001a686578b44sm4205342pld.110.2023.04.22.08.54.58 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Apr 2023 08:54:59 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/8] shadow: backport patch to fix CVE-2023-29383 Date: Sat, 22 Apr 2023 05:54:37 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 22 Apr 2023 15:55:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180307 
From: Xiangyu Chen The fix of CVE-2023-29383.patch contains a bug that it rejects all characters that are not control ones, so backup another patch named "0001-Overhaul-valid_field.patch" from upstream to fix it. Signed-off-by: Xiangyu Chen Signed-off-by: Steve Sakoman --- .../files/0001-Overhaul-valid_field.patch | 65 +++++++++++++++++++ .../shadow/files/CVE-2023-29383.patch | 53 +++++++++++++++ meta/recipes-extended/shadow/shadow.inc | 2 + 3 files changed, 120 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch new file mode 100644 index 0000000000..ac08be515b --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch 
@@ -0,0 +1,65 @@ +From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 31 Mar 2023 14:46:50 +0200 +Subject: [PATCH] Overhaul valid_field() + +e5905c4b ("Added control character check") introduced checking for +control characters but had the logic inverted, so it rejects all +characters that are not control ones. + +Cast the character to `unsigned char` before passing to the character +checking functions to avoid UB. + +Use strpbrk(3) for the illegal character test and return early. + +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4] + +Signed-off-by: Xiangyu Chen +--- + lib/fields.c | 24 ++++++++++-------------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index fb51b582..53929248 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal) + + /* For each character of field, search if it appears in the list + * of illegal characters. */ ++ if (illegal && NULL != strpbrk (field, illegal)) { ++ return -1; ++ } ++ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { +- if (strchr (illegal, *cp) != NULL) { ++ unsigned char c = *cp; ++ if (!isprint (c)) { ++ err = 1; ++ } ++ if (iscntrl (c)) { + err = -1; + break; + } + } + +- if (0 == err) { +- /* Search if there are non-printable or control characters */ +- for (cp = field; '\0' != *cp; cp++) { +- if (!isprint (*cp)) { +- err = 1; +- } +- if (!iscntrl (*cp)) { +- err = -1; +- break; +- } +- } +- } +- + return err; + } + +-- +2.34.1 + diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch new file mode 100644 index 0000000000..f53341d3fc --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch 
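Review bot: The new `0001-Overhaul-valid_field.patch` is only correct on top of `CVE-2023-29383.patch` (its pre-image `index fb51b582` is that patch's post-image, and it removes the inverted `!iscntrl` test that patch introduced), yet neither patch header records the dependency; adding `CVE: CVE-2023-29383` and a sentence saying this commit completes that fix would let cve-check associate the two and document why the SRC_URI order in shadow.inc must not be swapped. The same applies to the `CVE-2023-29383.patch` hunk that follows, whose header gives the upstream URL on a separate `Reference to upstream:` line instead of the usual `Upstream-Status: Backport [url]` form. In the surviving loop the `unsigned char c = *cp;` cast before `isprint`/`iscntrl` is the right fix for passing a possibly negative `char` to the ctype functions, and the early `strpbrk` return with the `illegal &&` guard removes the old NULL dereference risk; note that `isprint` is locale dependent, so bytes above 0x7f still produce return value 1, which is pre-existing behaviour the callers outside this hunk decide on. `valid_field` begins and ends outside the hunk, so the initial value of `err` is not visible here.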
@@ -0,0 +1,53 @@ +From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001 +From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com> +Date: Thu, 23 Mar 2023 23:39:38 +0000 +Subject: [PATCH] Added control character check + +Added control character check, returning -1 (to "err") if control characters are present. + +CVE: CVE-2023-29383 +Upstream-Status: Backport + +Reference to upstream: +https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d + +Signed-off-by: Xiangyu Chen +--- + lib/fields.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index 640be931..fb51b582 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -21,9 +21,9 @@ + * + * The supplied field is scanned for non-printable and other illegal + * characters. +- * + -1 is returned if an illegal character is present. +- * + 1 is returned if no illegal characters are present, but the field +- * contains a non-printable character. ++ * + -1 is returned if an illegal or control character is present. ++ * + 1 is returned if no illegal or control characters are present, ++ * but the field contains a non-printable character. + * + 0 is returned otherwise. + */ + int valid_field (const char *field, const char *illegal) +@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) + } + + if (0 == err) { +- /* Search if there are some non-printable characters */ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { + if (!isprint (*cp)) { + err = 1; ++ } ++ if (!iscntrl (*cp)) { ++ err = -1; + break; + } + } +-- +2.34.1 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 5106b95571..3c1dd2f98e 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc 
@@ -16,6 +16,8 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP} ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ file://shadow-relaxed-usernames.patch \ file://useradd \ + file://CVE-2023-29383.patch \ + file://0001-Overhaul-valid_field.patch \ " SRC_URI:append:class-target = " \ From patchwork Sat Apr 22 15:54:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 22873 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AB21EC77B7F for ; Sat, 22 Apr 2023 15:55:09 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web10.10323.1682178902317085064 for ; Sat, 22 Apr 2023 08:55:02 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=G8cwwbMW; spf=softfail (domain: sakoman.com, ip: 209.85.214.178, mailfrom: steve@sakoman.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1a66b9bd7dfso34676365ad.2 for ; Sat, 22 Apr 2023 08:55:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682178901; x=1684770901; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=eTOTDB7XEAqViUkxWYNGvLVB+/hrlrK8hB9lw/W5nt0=; b=G8cwwbMW7vrsgR2OjGhmJCU/qz/eLr7HJMmcGI7cWnjr1eVGT2zNCOsXt7Yf9TJYw1 hNRNADK/nWuXt3UUhQIe/FV1eHCflHjp3zhxgyMqL6pJQD8gCfJB4sYO7M1GGTpld8ju mzdnJ/5FOU30hKe8Z9UBhkHq27dTiFqTiKhA0AS2sEIKsC/6GqELuxvKkqusLSHSbgPo 
tRrO2V9bmYsWBKTmDEit5q5it21DIAANQZo/PEu8eOxVurw6eYbwg38jn1NrJANyrRHt AxuAk7Fa458r1XufIKlUIRal0P1mDlxz9tra3DBf1mNJFaS9woRIuR61FNXE4/WPN0FS 0z/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682178901; x=1684770901; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eTOTDB7XEAqViUkxWYNGvLVB+/hrlrK8hB9lw/W5nt0=; b=jDb2O4PeV9Na2ZZETuKsEKFU3srAYbH+9fS53KS7guuK0hcknUAckoPCa8VbEMRqX+ vQY/rnKsBGzFg27rkoEjrsIZpj7C2zuFEdQDcBh+LZTaLu8o+sDEgukyS4F+hd+Pvudb vl6f795ET35FcP0vRj7I1IJPdmiMcFN2BSDjIc0zbM5Zx4P2j2uJ7jlcQNYbmvYSkHNV Ecgusx0/ja9sw0MQmHq1F+cwiKUNjZ4VVyiQsJm2mh+K/J0KucY9CfCj5xzjtiKYOJXT zxTgHEW0xkBoJvTKC5r2I+g6nq05EMkylXGSuM6I0XJyLtFT1sMqQeGzWL440QRfwxLc aGMw== X-Gm-Message-State: AAQBX9e9krexORoQ7ESxR18gf09uuyiCZH3ZIz9qcOxVWEqTUZwfsQvW SgecyUgckwu+81N5TE9MiJhypfYln9+E1vn4i9I= X-Google-Smtp-Source: AKy350YRw+XZ0vZlxU1Op10GrMCn62/xymW3ZDJMRmhFpZOx1vpOaJERWYWngxFVBCVZ7Eet12VooQ== X-Received: by 2002:a17:903:1cf:b0:19f:a694:6d3c with SMTP id e15-20020a17090301cf00b0019fa6946d3cmr10265453plh.55.1682178901411; Sat, 22 Apr 2023 08:55:01 -0700 (PDT) Received: from hexa.lan (dhcp-72-253-4-112.hawaiiantel.net. [72.253.4.112]) by smtp.gmail.com with ESMTPSA id e12-20020a170902d38c00b001a686578b44sm4205342pld.110.2023.04.22.08.55.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Apr 2023 08:55:01 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/8] go: ignore CVE-2022-41716 Date: Sat, 22 Apr 2023 05:54:38 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 22 Apr 2023 15:55:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180308 From: Peter Marko This CVE is specific to Microsoft Windows, ignore it. Patch fixing it (https://go-review.googlesource.com/c/go/+/446916) also adds a redundant check to generic os/exec which could be backported but it should not be necessary as backport always takes a small risk to break old code. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 15d19ed124..34d58aec2f 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc 
@@ -34,3 +34,6 @@ SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784 # fix in 1.17 onwards where we can drop this. # https://github.com/golang/go/issues/30999#issuecomment-910470358 CVE_CHECK_IGNORE += "CVE-2021-29923" + +# This is specific to Microsoft Windows +CVE_CHECK_IGNORE += "CVE-2022-41716" From patchwork Sat Apr 22 15:54:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 22872 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C505C77B76 for ; Sat, 22 Apr 2023 15:55:09 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.web10.10324.1682178904265425835 for ; Sat, 22 Apr 2023 08:55:04 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=HWkl4YBT; spf=softfail (domain: sakoman.com, ip: 209.85.214.175, mailfrom: steve@sakoman.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-1a677dffb37so27912185ad.2 for ; Sat, 22 Apr 2023 08:55:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682178903; x=1684770903; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZMPnC5HK7Q8zQY9dcJ7VzfVHBf59pKM4g7Vvw4DJt20=; b=HWkl4YBTgvqJzJfr3XBtl6n4J9F8mngwXc6sPKdvQox66gAhW+OtVZ/3yIBgeDvsfl 5uz/57ALQmgW5nZ9bMkifJVfPyYh255cBEGn6sj8ty56e/dbEMn33dUfmTfnhPIQvGeD 3ZbaBM5Qx65uymOMasP5CT7bgYLR4nqRhVYKftg94YE4XDN3Vx7A98/jXEh5kbAIq10U 
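Review bot: The new `# This is specific to Microsoft Windows` comment gives less justification than the entry just above it, which links the upstream discussion for its ignore; recording the review cited in the commit message, `# https://go-review.googlesource.com/c/go/+/446916`, above `CVE_CHECK_IGNORE += "CVE-2022-41716"` would let a later reader re-check the reasoning without consulting list archives. The cover text also notes that the upstream change adds a check to the generic os/exec path that was deliberately not backported; a short note of that decision in the comment would keep the exclusion honest if that code is revisited.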
A6DLhSymmVh/gxTwiPh8veNdL08nP03qzr/e9BQV20eySTqbIea0HplAV7MniVTQX0x1 CkRC04QM0hPGLGWiJulgJT5wrcrxIJXLNOYMPpNoZzlhM7PdWsND5u2aFWBA+bTjDWc8 Qeqg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682178903; x=1684770903; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZMPnC5HK7Q8zQY9dcJ7VzfVHBf59pKM4g7Vvw4DJt20=; b=ef9tzOKWGpQcGQTQNS9t2mfD3tiP+UJt/icQ6iL2Wgd7HNcSMByEFQ5ZfmgGG2DElU s0CSC6drvi/Zmsm+kWUHlsMHHl6fwFh14jhjfJvisvOQVvZxGK4lAq1I9mBl2vJc7LIJ T9sT5lRgGFS3U1o4gqTui7FFJWrxonjYnJwgABWEbdXMyUOoiwjOjnD8gB37tHKqN8S6 LQtdf8leVXrA6WYJW3okddKPvd3C+qYaspahOCaJSSqeodGoVJGzJ8WthgiwyE0rbkMe nJuQkwwAHWMsMGQ29Lov4ZLGLvl3uOwN4llc0koK5wywriJ+O0EdX4ZjM4juBhB5sFVL vG/A== X-Gm-Message-State: AAQBX9d1nrLNvJpBYtsmugYNoTSVUd5YSHyj9Zg3/rLj5+WZXPU+qH9w eDF2eErR+/rmJXfrJDqZLPj60gUeVqg9Qvb8jyw= X-Google-Smtp-Source: AKy350Z7qtK2kCwoQIZK+y6Utc+ZemKhr91PRGChY0kMkiTUUNvYypWwPzdW4LPooYg3BsBGjtNHzQ== X-Received: by 2002:a17:902:e886:b0:1a1:f0cb:1055 with SMTP id w6-20020a170902e88600b001a1f0cb1055mr10663937plg.28.1682178903289; Sat, 22 Apr 2023 08:55:03 -0700 (PDT) Received: from hexa.lan (dhcp-72-253-4-112.hawaiiantel.net. [72.253.4.112]) by smtp.gmail.com with ESMTPSA id e12-20020a170902d38c00b001a686578b44sm4205342pld.110.2023.04.22.08.55.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Apr 2023 08:55:02 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 7/8] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs Date: Sat, 22 Apr 2023 05:54:39 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 22 Apr 2023 15:55:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180309 From: Hitendra Prajapati Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../screen/screen/CVE-2023-24626.patch | 40 +++++++++++++++++++ meta/recipes-extended/screen/screen_4.9.0.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch diff --git a/meta/recipes-extended/screen/screen/CVE-2023-24626.patch b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch new file mode 100644 index 0000000000..73caf9d81b --- /dev/null +++ b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch 
@@ -0,0 +1,40 @@ +From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001 +From: Alexander Naumov +Date: Mon, 30 Jan 2023 17:22:25 +0200 +Subject: fix: missing signal sending permission check on failed query messages + +Signed-off-by: Alexander Naumov + +CVE: CVE-2023-24626 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7] +Signed-off-by: Hitendra Prajapati +--- + socket.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/socket.c b/socket.c +index bb68b35..9d87445 100644 +--- a/socket.c ++++ b/socket.c +@@ -1285,11 +1285,16 @@ ReceiveMsg() + else + queryflag = -1; + +- Kill(m.m.command.apid, ++ if (CheckPid(m.m.command.apid)) { ++ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid); ++ } ++ else { ++ Kill(m.m.command.apid, + (queryflag >= 0) + ? SIGCONT + : SIG_BYE); /* Send SIG_BYE if an error happened */ +- queryflag = -1; ++ queryflag = -1; ++ } + } + break; + case MSG_COMMAND: +-- +2.25.1 + diff --git a/meta/recipes-extended/screen/screen_4.9.0.bb b/meta/recipes-extended/screen/screen_4.9.0.bb index b36173b8de..19070d87d8 100644 --- a/meta/recipes-extended/screen/screen_4.9.0.bb +++ b/meta/recipes-extended/screen/screen_4.9.0.bb 
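Review bot: In the new `if (CheckPid(m.m.command.apid)) { Msg(...); } else { Kill(...); queryflag = -1; }` block the reset of `queryflag` was moved inside the else branch, so a query message carrying a bad pid now leaves `queryflag` at whatever value the preceding `else queryflag = -1;`/query handling gave it; if `queryflag` is file-scope state that later message handling consults (its declaration is outside this hunk), the rejected path should reset it too, e.g. by moving `queryflag = -1;` after the if/else instead of keeping it inside the else. The permission check itself is the right fix, since the pid in the message comes from the socket peer and must pass `CheckPid` before any signal is sent, and the diagnostic uses a literal format string with the pid as an argument. `ReceiveMsg` extends outside the hunk on both sides.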
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \ file://0002-comm.h-now-depends-on-term.h.patch \ file://0001-fix-for-multijob-build.patch \ file://0001-Remove-more-compatibility-stuff.patch \ + file://CVE-2023-24626.patch \ " SRC_URI[sha256sum] = "f9335281bb4d1538ed078df78a20c2f39d3af9a4e91c57d084271e0289c730f4" From patchwork Sat Apr 22 15:54:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 22871 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C4D0C7618E for ; Sat, 22 Apr 2023 15:55:09 +0000 (UTC) Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) by mx.groups.io with SMTP id smtpd.web11.10303.1682178906146855925 for ; Sat, 22 Apr 2023 08:55:06 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=xN/p/eG3; spf=softfail (domain: sakoman.com, ip: 209.85.214.172, mailfrom: steve@sakoman.com) Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-1a526aa3dd5so34658985ad.3 for ; Sat, 22 Apr 2023 08:55:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682178905; x=1684770905; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=TvMMPuPSTdFfFZKgO4zayv+MN3L6LTmbCTuNRnPypC8=; b=xN/p/eG3OGOkF5jKdt41+j107lOct9FPBVvqbuuJyFWv5zQ9m7fTn5EGPp5xYS2skl euPLpwi7n0HTkJuS+9cGg4RtsXaQ8xs8K3fNSg79R2In8JI6WnJDCS4SUApI/a8iOfkA FumnTlzv27M4IAswNrx6W3Pz/wGsfmK5livNXIm7yLwdPCtwHjoc+A2Xgmgdi9Jqi1Sc 
x//CLWcRkSGGSJnKd2I3OkCXFzHkhVrRSKHLUc70LNcu63fx/2n5KHCi7pEu1MmKjhYb ySbSveU7I/kt0HYoAEOEvctkZeBh0vgWtRsI2xV3cmtMdHKBa1zXD4B8WXO+ZKIHs9/c Vu/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682178905; x=1684770905; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TvMMPuPSTdFfFZKgO4zayv+MN3L6LTmbCTuNRnPypC8=; b=ZbTjX7Q5NAhgjuBtNXB1koqXIjcw56uuIKzv27VReOj/w6UOtqpQ2o3lKgoGLetguZ ru+UyL+ONaltf5x9jjJlHnIwvnwyWX0aAKuP1QigSqOV0nr/MgnJ2zB5ed8/rRh/RbKG 7007P2c5leIbDmoFmC+PajrM7sz10vivvmhEYQmnpxcansORITsMZPi3rug/x9BcYbpW 7uqH3dZJm7JHI4ChkFmh3rYljdUXBbyqfZaou96uqOkchpFPs+5Q8rRn+e7A0HlCF1XD 4w2y7ylS6c6jmG882ySkB5DG/YgRPbKpznxla38mjr59hcngVQYX6uwnlZrqOikmafza kBXw== X-Gm-Message-State: AAQBX9exyIjbZsBiTjC5rQnW+ekwl7CQJ+a5mGJvz8gwtxehM/biYh90 u0HMzJ//0OI5sirKZ+Kew5BdqX4gqhynAScOwA0= X-Google-Smtp-Source: AKy350Z4PFIJtWs6dJhGeOb7zLhAoRX5kYMUfc7gdqKjEbl4ZhBSBO3rQu7IHFSIeWOvf9BmHgJH8g== X-Received: by 2002:a17:903:1106:b0:1a9:2e10:4028 with SMTP id n6-20020a170903110600b001a92e104028mr11593607plh.24.1682178905153; Sat, 22 Apr 2023 08:55:05 -0700 (PDT) Received: from hexa.lan (dhcp-72-253-4-112.hawaiiantel.net. [72.253.4.112]) by smtp.gmail.com with ESMTPSA id e12-20020a170902d38c00b001a686578b44sm4205342pld.110.2023.04.22.08.55.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Apr 2023 08:55:04 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 8/8] go: fix CVE-2023-24537 Infinite loop in parsing Date: Sat, 22 Apr 2023 05:54:40 -1000 Message-Id: <15c07dff384ce4fb0e90f4f32c182a82101a1c82.1682178752.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 22 Apr 2023 15:55:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180310 From: Vivek Kumbhar Setting a large line or column number using a //line directive can cause integer overflow even in small source files. Limit line and column numbers in //line directives to 2^30-1, which is small enough to avoid int32 overflow on all reasonbly-sized files. Fixes CVE-2023-24537 Fixes #59273 For #59180 Signed-off-by: Vivek Kumbhar Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 1 + .../go/go-1.18/CVE-2023-24537.patch | 75 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 34d58aec2f..cda9227042 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -27,6 +27,7 @@ SRC_URI += "\ file://add_godebug.patch \ file://cve-2022-41725.patch \ file://CVE-2022-41722.patch \ + file://CVE-2023-24537.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch new file mode 100644 index 0000000000..4521f159ea --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch 
@@ -0,0 +1,75 @@
+From bf8c7c575c8a552d9d79deb29e80854dc88528d0 Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Mon, 20 Mar 2023 10:43:19 -0700
+Subject: [PATCH] [release-branch.go1.20] mime/multipart: limit parsed mime
+ message sizes
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456
+Reviewed-by: Julie Qiu
+Reviewed-by: Roland Shoemaker
+Run-TryBot: Damien Neil
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802611
+Reviewed-by: Damien Neil
+Change-Id: Ifdfa192d54f722d781a4d8c5f35b5fb72d122168
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481986
+Reviewed-by: Matthew Dempsky
+TryBot-Result: Gopher Robot
+Run-TryBot: Michael Knyszek
+Auto-Submit: Michael Knyszek
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/126a1d02da82f93ede7ce0bd8d3c51ef627f2104]
+CVE: CVE-2023-24537
+Signed-off-by: Vivek Kumbhar
+---
+ src/go/parser/parser_test.go | 16 ++++++++++++++++
+ src/go/scanner/scanner.go | 5 ++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 1a46c87..993df63 100644
+--- a/src/go/parser/parser_test.go
++++ b/src/go/parser/parser_test.go
+@@ -746,3 +746,19 @@ func TestScopeDepthLimit(t *testing.T) {
+ }
+ }
+ }
++
++// TestIssue59180 tests that line number overflow doesn't cause an infinite loop.
++func TestIssue59180(t *testing.T) {
++ testcases := []string{
++ "package p\n//line :9223372036854775806\n\n//",
++ "package p\n//line :1:9223372036854775806\n\n//",
++ "package p\n//line file:9223372036854775806\n\n//",
++ }
++
++ for _, src := range testcases {
++ _, err := ParseFile(token.NewFileSet(), "", src, ParseComments)
++ if err == nil {
++ t.Errorf("ParseFile(%s) succeeded unexpectedly", src)
++ }
++ }
++}
+diff --git a/src/go/scanner/scanner.go b/src/go/scanner/scanner.go
+index f08e28c..ff847b5 100644
+--- a/src/go/scanner/scanner.go
++++ b/src/go/scanner/scanner.go
+@@ -251,13 +251,16 @@ func (s *Scanner) updateLineInfo(next, offs int, text []byte) {
+ return
+ }
+
++ // Put a cap on the maximum size of line and column numbers.
++ // 30 bits allows for some additional space before wrapping an int32.
++ const maxLineCol = 1<<30 - 1
+ var line, col int
+ i2, n2, ok2 := trailingDigits(text[:i-1])
+ if ok2 {
+ //line filename:line:col
+ i, i2 = i2, i
+ line, col = n2, n
+- if col == 0 {
++ if col == 0 || col > maxLineCol {
+ s.error(offs+i2, "invalid column number: "+string(text[i2:]))
+ return
+ }
+--
+2.25.1
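Review bot: The scanner.go hunk applies the new `maxLineCol` cap only to the column number (`if col == 0 || col > maxLineCol {`), yet the cover text says the fix limits both line and column numbers, and the first and third TestIssue59180 cases (`//line :9223372036854775806`, `//line file:9223372036854775806`) set a large line number, not a column. The `line == 0` check that follows the `if ok2 {` block in updateLineInfo is outside this hunk, so it cannot be confirmed here; if the backport leaves it as `if line == 0 {`, those two cases are not covered and the guard should be extended to `if line == 0 || line > maxLineCol {` with a matching "invalid line number" error, in line with the commit message's stated scope. The embedded commit header also does not describe this change: its Subject reads `mime/multipart: limit parsed mime message sizes` and the Change-Id/Reviewed-on trailers appear to come from that unrelated commit, while the diff touches go/scanner and go/parser, so the header should be regenerated from the commit cited in Upstream-Status.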
