From patchwork Tue Jan 25 13:45:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2912 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7B1CEC433FE for ; Tue, 25 Jan 2022 13:46:34 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:33 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=iSZpFt/q; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118393; x=1674654393; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=c/uysYOS+QF2WotYgbXx5FQq1Ncp6tZ2hY1Onva6csU=; b=iSZpFt/qWsJHcRiRV5uZqfF3ah9tyT3sFdHHg/+Mk3ZzYT+VXK1h3JFk D1LvO9YzHosNd13kJGW1weY8UmO8rpP31b7neVD9waiSMLDD73lEkq+T/ E2NWTyGYtuLnXjzWGhDueRdq0/ZnFs66yk98V4AAi3xhiE+DNQxTPMsat FsBvlBDtqzChxuw5mVOCtqR64DswUFMCEsjwfppKMzalY4ZPR9Tlfxfgg IFj8Nimc8GjyUmw0+Y3OU9QmJEKBMkMOnKKyJ+lts3bGhIjibAQRSKe5e 9KPV2sOfWk/bKYzT3inGVB9o8ospmoAcmC+WySjghCHezRPLoXR6KG62o Q==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016434" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016434" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:33 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494303" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:32 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 01/13] pigz: fix one failure of command "unpigz -l" Date: Tue, 25 Jan 2022 21:45:55 +0800 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160922 From: Changqing Li Refer [1], "unpigz -l" failed with error: $ ./unpigz -l test.txt.gz compressed original reduced name 228799 209715200 99.9% test.txt unpigz: can't destroy locked resource (pigz.c:2622:mutex_destroy) unpigz: abort: internal threads error or $ ./unpigz -l test.txt.gz unpigz: skipping: test.txt.gz unrecognized format unpigz: can't destroy locked resource (pigz.c:2622:mutex_destroy) unpigz: abort: internal threads error [1] https://github.com/madler/pigz/issues/96 Signed-off-by: Changqing Li Signed-off-by: Anuj Mittal --- ...0001-Fix-bug-when-combining-l-with-d.patch | 50 +++++++++++++++++++ meta/recipes-extended/pigz/pigz_2.6.bb | 3 +- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch diff --git a/meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch b/meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch new file mode 100644 index 0000000000..9c301f2054 --- /dev/null +++ b/meta/recipes-extended/pigz/files/0001-Fix-bug-when-combining-l-with-d.patch @@ -0,0 +1,50 @@ +From 65986f3d12d434b9bc428ceb6fcb1f6eeeb2c47d Mon Sep 17 00:00:00 2001 +From: Changqing Li +Date: Mon, 17 Jan 2022 15:36:56 +0800 +Subject: [PATCH] Fix bug when combining -l with -d. + +Though it makes no sense to do pigz -ld, that is implicit when +doing unpigz -l. This commit fixes a bug for that combination. + +Upstream-Status: Backport [https://github.com/madler/pigz/commit/326bba44aa102c707dd6ebcd2fc3f413b3119db0] + +Signed-off-by: Changqing Li +--- + pigz.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/pigz.c b/pigz.c +index f90157f..d648216 100644 +--- a/pigz.c ++++ b/pigz.c +@@ -4007,6 +4007,13 @@ local void process(char *path) { + } + SET_BINARY_MODE(g.ind); + ++ // if requested, just list information about the input file ++ if (g.list && g.decode != 2) { ++ list_info(); ++ load_end(); ++ return; ++ } ++ + // if decoding or testing, try to read gzip header + if (g.decode) { + in_init(); +@@ -4048,13 +4055,6 @@ local void process(char *path) { + } + } + +- // if requested, just list information about input file +- if (g.list) { +- list_info(); +- load_end(); +- return; +- } +- + // create output file out, descriptor outd + if (path == NULL || g.pipeout) { + // write to stdout +-- +2.17.1 + diff --git a/meta/recipes-extended/pigz/pigz_2.6.bb b/meta/recipes-extended/pigz/pigz_2.6.bb index 3566e18b7e..d490a6a722 100644 --- a/meta/recipes-extended/pigz/pigz_2.6.bb +++ b/meta/recipes-extended/pigz/pigz_2.6.bb @@ -8,7 +8,8 @@ SECTION = "console/utils" LICENSE = "Zlib & Apache-2.0" LIC_FILES_CHKSUM = "file://pigz.c;md5=9ae6dee8ceba9610596ed0ada493d142;beginline=7;endline=21" -SRC_URI = "http://zlib.net/${BPN}/fossils/${BP}.tar.gz" +SRC_URI = "http://zlib.net/${BPN}/fossils/${BP}.tar.gz \ + file://0001-Fix-bug-when-combining-l-with-d.patch" SRC_URI[sha256sum] = "2eed7b0d7449d1d70903f2a62cd6005d262eb3a8c9e98687bc8cbb5809db2a7d" PROVIDES:class-native += "gzip-native" From patchwork Tue Jan 25 13:45:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2918 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 77843C433FE for ; Tue, 25 Jan 2022 13:46:44 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:35 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=ZGX4AABm; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118395; x=1674654395; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=ekx45G9IhhXpv/8fmjUuWNFYu6vlbjs1U2jJRU3iXAA=; b=ZGX4AABm9m+GLh03Mt1WI0d+HU2748ofPiJz3xFf0FFlW/nwCJqHHIB8 7s42xTwjJSnchqypU2u1NRb26Ua10VV0HuAnVnf9Zlpshdc9aVwNhDUy/ NnDle5bDpn3/mRQTi+NiAjfioEwxknMyznG/FQM/CzlMzETJdklY5wfzs Xn22rnHt0colGAtx5jtvKqBR1R1id9gAdeAiE1XbFShNkrsbZ6WTtOl+G 0P0qiCjienpjFERoFI/qn6jGIEsOG4gqyoQV2MtsTkl4PihvrbrFfONcD f60G4vzThpyjn8uu0/W0jWGnIjh09S4UC3KnQN9i46TgEApAW1I3iJ+Kd Q==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016445" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016445" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:35 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494310" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:33 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 02/13] socat: update SRC_URI Date: Tue, 25 Jan 2022 21:45:56 +0800 Message-Id: <0014b0d5d1fe503387ecbcc078916830a8e6c307.1643113252.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160923 From: Mingli Yu The orginal one is unaccessible now. Signed-off-by: Mingli Yu Signed-off-by: Anuj Mittal --- meta/recipes-connectivity/socat/socat_1.7.4.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-connectivity/socat/socat_1.7.4.1.bb b/meta/recipes-connectivity/socat/socat_1.7.4.1.bb index 1ad5f15b93..41c8552f25 100644 --- a/meta/recipes-connectivity/socat/socat_1.7.4.1.bb +++ b/meta/recipes-connectivity/socat/socat_1.7.4.1.bb @@ -9,7 +9,7 @@ LICENSE = "GPL-2.0-with-OpenSSL-exception" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://README;beginline=257;endline=287;md5=82520b052f322ac2b5b3dfdc7c7eea86" -SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \ +SRC_URI = "http://www.dest-unreach.org/socat/download/Archive/socat-${PV}.tar.bz2 \ " SRC_URI[md5sum] = "36cad050ecf4981ab044c3fbd75c643f" From patchwork Tue Jan 25 13:45:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2913 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7B1EFC433F5 for ; Tue, 25 Jan 2022 13:46:38 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:37 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=IxT2FHSZ; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118397; x=1674654397; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=vij3WhfwMaXQQlzJ5Ffz1jH/po512SXNtsnI9OiQeW0=; b=IxT2FHSZrxW9BNAna7gOuUJHoPDd1LbxxwfGCax22F75Ks1Bqi5HJLeU WebSnyxJ9Ly3B3/DDgBt6xks1ZgL/1FyhswukELzAx1beAeEmFw1yyqHz pmakU2ZTzjRXGEE+GPsyr99oDUM8tCk+arocNWqlcCFV2oea69GiO4pG5 upQjsAA+8iZxZtr98V5TnN4n7x/DPnpjTPzG3eED1DVrPHoNaIDlteG2I dYTII5b4YquWsWoimGhN4NEwuvwkIiajzTMShMHkbA01QMkF2tED075wQ n1v3grzMRNjRl4ht371C6tZ5tSDKbry3+m45e+RQ5I1eFAKUwo770cjHa Q==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016457" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016457" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:36 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494320" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:35 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 03/13] linux-yocto/5.10: amdgpu: updates for CVE-2021-42327 Date: Tue, 25 Jan 2022 21:45:57 +0800 Message-Id: <8e8c21e25c831f2279a2dbdc0bcc90cd7661d174.1643113252.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160924 From: Bruce Ashfield Integrating the following commit(s) to linux-yocto/5.10: fd84b99a8ccb drm/amd/display: Don't allow partial copy_from_user 024f4ff63d55 drm/amdgpu: Fix even more out of bound writes from debugfs Signed-off-by: Paul Gortmaker Signed-off-by: Bruce Ashfield Signed-off-by: Richard Purdie (cherry picked from commit f5488466ea1b332a0bfc0d27dcc5378edd842d16) Signed-off-by: Anuj Mittal --- .../linux/linux-yocto-rt_5.10.bb | 4 ++-- .../linux/linux-yocto-tiny_5.10.bb | 6 ++--- meta/recipes-kernel/linux/linux-yocto_5.10.bb | 22 +++++++++---------- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb index 52ba3b9f61..75beee3a04 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb @@ -11,8 +11,8 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "e137d5d92c05530840f2e191ec471f8f0ea2d62e" -SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5" +SRCREV_machine ?= "fbed4064df813f01c1a862548f28b2050ee9b09e" +SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb index d0166f6c4f..c8787085fe 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine:qemuarm ?= "c0774ebd6bc1c7541deb4f9a649a1a6bfa42853f" -SRCREV_machine ?= "ab201bf6e3f9d187c7c26a0ec6537fadb41de918" -SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5" +SRCREV_machine:qemuarm ?= "ca2928bf9b108b45a8ecfe6c76ae9d66b9527f0c" +SRCREV_machine ?= "5d7922b2755129e1066944a25675a4f9bdbbe706" +SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb index 43274a318f..9bc6511ec2 100644 --- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb +++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb @@ -13,17 +13,17 @@ KBRANCH:qemux86 ?= "v5.10/standard/base" KBRANCH:qemux86-64 ?= "v5.10/standard/base" KBRANCH:qemumips64 ?= "v5.10/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "d9597fe71e155c5a96452d23694188d6d4091673" -SRCREV_machine:qemuarm64 ?= "210fcd9ee603afb731beaa5833e7e3f1d1918786" -SRCREV_machine:qemumips ?= "8688d3707cea38bd7ed115a12005079c2215f77d" -SRCREV_machine:qemuppc ?= "933b47667b7549bb36a809cca90bc372a7182620" -SRCREV_machine:qemuriscv64 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55" -SRCREV_machine:qemuriscv32 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55" -SRCREV_machine:qemux86 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55" -SRCREV_machine:qemux86-64 ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55" -SRCREV_machine:qemumips64 ?= "25fcfe4f5c4be9bbb67498f09b2dd088f8bb6dfd" -SRCREV_machine ?= "2a2f4a19d9d77ad40b9d079be860f736846f5d55" -SRCREV_meta ?= "65d66ac9789372923b42be0683a87955e52705a5" +SRCREV_machine:qemuarm ?= "dbf49e7b0801b1b92994f7bc3c6bba943340e273" +SRCREV_machine:qemuarm64 ?= "0b092f0c4e3471ef22aef0343477519b0ba8b533" +SRCREV_machine:qemumips ?= "1806335706c3549985836385bb400c1d80819d73" +SRCREV_machine:qemuppc ?= "270ee670f95ad200c7c32bf8a8ffbf6ed43d7964" +SRCREV_machine:qemuriscv64 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870" +SRCREV_machine:qemuriscv32 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870" +SRCREV_machine:qemux86 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870" +SRCREV_machine:qemux86-64 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870" +SRCREV_machine:qemumips64 ?= "ea456bce3f1ed65b1ab00a0cf8cf551b5967aec3" +SRCREV_machine ?= "fd84b99a8ccbfae11300c3a72183616bc0560870" +SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e" # remap qemuarm to qemuarma15 for the 5.8 kernel # KMACHINE:qemuarm ?= "qemuarma15" From patchwork Tue Jan 25 13:45:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2914 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7ABCAC433EF for ; Tue, 25 Jan 2022 13:46:39 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:38 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=gPazYy3t; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118398; x=1674654398; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=Yx+YTBDqHjel9xX3wvlaV1F1NFKRbJLgTxL76oDMDc8=; b=gPazYy3tYECSr3P+yd0dZZ/MRkGzzOGAyTH11w6lktSKVOaihkCYmFEV u52MKk9QBcQ86GgjEXwwqvyGLIMaUDV4kgRXTm/Om73dGN/JqhzpFiOR1 5awMMtNqH8ntMGAuB886AtSYkOQdke4TrP20/60dySYWLwcGnfwgkLRF6 n9RHg1NVfl5F5G+b/pT46UEdPMWYkaTw/VjofpHY73QGMH5rQ6rZorO4G O1oV5+e2r3MPolR+U8WBiXg9NMiDf9ghmOJzSGWuknzH5fHEAUJXX4fqN CWjvIHTnBde0VBATI6liSfbAoqqq2RmSkej41cjKUP3du/7nKQ0rC9XhN Q==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016462" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016462" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:38 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494328" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:37 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 04/13] linux-yocto/5.10: update to v5.10.91 Date: Tue, 25 Jan 2022 21:45:58 +0800 Message-Id: <029a3624f8a2f19bdde5fab6a9df10d422a010df.1643113252.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160925 From: Bruce Ashfield Updating linux-yocto/5.10 to the latest korg -stable release that comprises the following commits: df395c763ba0 Linux 5.10.91 674071c9eb26 Input: zinitix - make sure the IRQ is allocated before it gets enabled ef81f7d406c2 ARM: dts: gpio-ranges property is now required f63fa1a0d4df ipv6: raw: check passed optlen before reading cf07884e6bec drm/amd/display: Added power down for DCN10 10b9ccd0674d mISDN: change function names to avoid conflicts dd8a09cfbb99 atlantic: Fix buff_ring OOB in aq_ring_rx_clean c2f4bb251eb4 net: udp: fix alignment problem in udp4_seq_show() f82b48d1d86b ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate 8c87a83ef891 scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() b798b677f94d usb: mtu3: fix interval value for intr and isoc 498d77fc5e38 ipv6: Do cleanup if attribute validation fails in multipath route 72b0d14a0a88 ipv6: Continue processing multipath route even if gateway attribute is invalid 5a7d650bb181 power: bq25890: Enable continuous conversion for ADC at charging 4f260ea5537d phonet: refcount leak in pep_sock_accep 61952934608c rndis_host: support Hytera digital radios 62cbde77d9c1 power: reset: ltc2952: Fix use of floating point literals 998d157e3b2a power: supply: core: Break capacity loop 16d8568378f9 xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate aa606b82cdfb net: ena: Fix error handling when calculating max IO queues number e7f5480978fd net: ena: Fix undefined state when tx request id is out of bounds 2de3d961f8e7 sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc 4c34d5fd8c96 batman-adv: mcast: don't send link-local multicast to mcast routers f403b5f96e9a lwtunnel: Validate RTA_ENCAP_TYPE attribute length 48d5adb08d60 ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route 173bfa2782fa ipv6: Check attribute length for RTA_GATEWAY in multipath route 914420a2a6c5 ipv4: Check attribute length for RTA_FLOW in multipath route a8fe915be6c2 ipv4: Check attribute length for RTA_GATEWAY in multipath route 786a335fef18 ftrace/samples: Add missing prototypes direct functions c859c4de0bd7 i40e: Fix incorrect netdev's real number of RX/TX queues d0ad64438fb5 i40e: Fix for displaying message regarding NVM version 32845aa60203 i40e: fix use-after-free in i40e_sync_filters_subtask() f7edb6b9438b sfc: The RX page_ring is optional 2b3f34da0d79 mac80211: initialize variable have_higher_than_11mbit 16e5cad6eca1 RDMA/uverbs: Check for null return of kmalloc_array a7c2cae997db netrom: fix copying in user data in nr_setsockopt beeb0fdedae8 RDMA/core: Don't infoleak GRH fields 3ca132e6b065 iavf: Fix limit of total number of queues to active queues of VF 396e3016905d i40e: Fix to not show opcode msg on unsuccessful VF MAC change 7f13d14e563c ieee802154: atusb: fix uninit value in atusb_set_extended_addr 7db1e245cb71 tracing: Tag trace_percpu_buffer as a percpu pointer 760c6a625506 tracing: Fix check for trace_percpu_buffer validity in get_trace_buf() c1e2da4b3f72 selftests: x86: fix [-Wstringop-overread] warn in test_process_vm_readv() 384111e12367 f2fs: quota: fix potential deadlock Signed-off-by: Bruce Ashfield Signed-off-by: Richard Purdie (cherry picked from commit 13b53d922df1a53913fbe7a0dfbf2adaedfe5dfd) Signed-off-by: Anuj Mittal --- .../linux/linux-yocto-rt_5.10.bb | 6 ++--- .../linux/linux-yocto-tiny_5.10.bb | 8 +++---- meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++---------- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb index 75beee3a04..420d67031e 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "fbed4064df813f01c1a862548f28b2050ee9b09e" -SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e" +SRCREV_machine ?= "85c14e209f1ab7cee673735c4561e656b4e65217" +SRCREV_meta ?= "de35f8006d0f932924752ddda94dd24e2da67fbc" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.10.90" +LINUX_VERSION ?= "5.10.91" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb index c8787085fe..dabcb97a79 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.10.90" +LINUX_VERSION ?= "5.10.91" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine:qemuarm ?= "ca2928bf9b108b45a8ecfe6c76ae9d66b9527f0c" -SRCREV_machine ?= "5d7922b2755129e1066944a25675a4f9bdbbe706" -SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e" +SRCREV_machine:qemuarm ?= "2227ab16358ca3193f03d0cd8509092076aeffbb" +SRCREV_machine ?= "b3fdab7a9f3c11a61565cead0445883a61081583" +SRCREV_meta ?= "de35f8006d0f932924752ddda94dd24e2da67fbc" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/meta/recipes-kernel/linux/linux-yocto_5.10.bb index 9bc6511ec2..9c43738135 100644 --- a/meta/recipes-kernel/linux/linux-yocto_5.10.bb +++ b/meta/recipes-kernel/linux/linux-yocto_5.10.bb @@ -13,17 +13,17 @@ KBRANCH:qemux86 ?= "v5.10/standard/base" KBRANCH:qemux86-64 ?= "v5.10/standard/base" KBRANCH:qemumips64 ?= "v5.10/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "dbf49e7b0801b1b92994f7bc3c6bba943340e273" -SRCREV_machine:qemuarm64 ?= "0b092f0c4e3471ef22aef0343477519b0ba8b533" -SRCREV_machine:qemumips ?= "1806335706c3549985836385bb400c1d80819d73" -SRCREV_machine:qemuppc ?= "270ee670f95ad200c7c32bf8a8ffbf6ed43d7964" -SRCREV_machine:qemuriscv64 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870" -SRCREV_machine:qemuriscv32 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870" -SRCREV_machine:qemux86 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870" -SRCREV_machine:qemux86-64 ?= "fd84b99a8ccbfae11300c3a72183616bc0560870" -SRCREV_machine:qemumips64 ?= "ea456bce3f1ed65b1ab00a0cf8cf551b5967aec3" -SRCREV_machine ?= "fd84b99a8ccbfae11300c3a72183616bc0560870" -SRCREV_meta ?= "ad119826536616f28e4309e825b61e16357f4c7e" +SRCREV_machine:qemuarm ?= "fb570663823bd492e4c8d4339be825bda4210dc6" +SRCREV_machine:qemuarm64 ?= "5a52b700c1693a95b8efa54cb65bec7807a75cd2" +SRCREV_machine:qemumips ?= "8eb8a801f5f4764c362aefd5e97e704755cf740b" +SRCREV_machine:qemuppc ?= "21b014e385a6b54a2fd7d667a1b556c69cda77de" +SRCREV_machine:qemuriscv64 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a" +SRCREV_machine:qemuriscv32 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a" +SRCREV_machine:qemux86 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a" +SRCREV_machine:qemux86-64 ?= "77c8d144b066f69e009ce2ee540a593b11eb736a" +SRCREV_machine:qemumips64 ?= "5468343e50389dba73b5d441289d5094bd0dc9f0" +SRCREV_machine ?= "77c8d144b066f69e009ce2ee540a593b11eb736a" +SRCREV_meta ?= "de35f8006d0f932924752ddda94dd24e2da67fbc" # remap qemuarm to qemuarma15 for the 5.8 kernel # KMACHINE:qemuarm ?= "qemuarma15" @@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "5.10.90" +LINUX_VERSION ?= "5.10.91" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" From patchwork Tue Jan 25 13:45:59 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2915 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8B805C433FE for ; Tue, 25 Jan 2022 13:46:40 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:40 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=IvbQyjqe; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118399; x=1674654399; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=V8BCzzgUsa0zedbzHZ9vuVZjd0telVoboeRUc5ATOxk=; b=IvbQyjqeoNJekJyjFeYwaKDlrvHYi6D6/wItQ3eqVSpL/QUybbm1dKkU rQYbdXsQLwluR3tH5v4FFgSF9NLI9eNyzg9HzHUx/Dd2LqN7+MxPkggdM fKh/pW7e6YZ8HNqLucdwNnewFyA32ZkXnz0P/kRba5LqdjnzkGqBGL5i/ 4P/1G+btjObv5XyUOKWYURql9S7pPPuWNcwEUR+i7NjxGwE60pErDV3k9 krwR/QDJnnRCXV4C6XFwlTEs4Hd+GjGREyxS87Kj0jMbpAAjziOO5Ff3i HfjiK8Czi+9gxpiv7Qbk1nsIPF91v1fE2IGgh1RNbyYfTEJsO0yWvfug3 w==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016477" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016477" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:39 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494332" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:38 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 05/13] bootchart2: Add missing python3-math dependency Date: Tue, 25 Jan 2022 21:45:59 +0800 Message-Id: <2dff7f8630e4db75fb6c57e165376e43eca7ba28.1643113252.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160926 From: Marek Vasut Without this dependency, generating the bootchart may fail with: " ModuleNotFoundError: No module named 'random' " Signed-off-by: Marek Vasut Cc: Mingli Yu Cc: Richard Purdie Signed-off-by: Richard Purdie (cherry picked from commit 487e9f16a00f895159b79f1865fe8b626b47ddc2) Signed-off-by: Anuj Mittal --- meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb index 59fcd8c78a..413c9b9499 100644 --- a/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb +++ b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb @@ -150,7 +150,7 @@ do_install () { PACKAGES =+ "pybootchartgui" FILES:pybootchartgui += "${PYTHON_SITEPACKAGES_DIR}/pybootchartgui ${bindir}/pybootchartgui" -RDEPENDS:pybootchartgui = "python3-pycairo python3-compression python3-image python3-shell python3-compression python3-codecs" +RDEPENDS:pybootchartgui = "python3-pycairo python3-compression python3-image python3-math python3-shell python3-compression python3-codecs" RDEPENDS:${PN}:class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'sysvinit-pidof', 'procps', d)}" RDEPENDS:${PN}:class-target += "lsb-release" DEPENDS:append:class-native = " python3-pycairo-native" From patchwork Tue Jan 25 13:46:00 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2917 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C5C8C4332F for ; Tue, 25 Jan 2022 13:46:44 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:41 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=i152O4er; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118401; x=1674654401; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=zhkA560S/UwPnKt5X7JAg94QBXUWwJuDd9sJhU83vkU=; b=i152O4erXwTPcHKged0psmpSTM0HqGQRvJp8Eev645TYCexgNOgGZRlc LtkWwFswXHZpf2H1IENAcl00HmrkwSFcRvoZKtBDytcqCavnG3gkx5tpg w/OSE+QsbNVqt9pnjbYP6uDG3dRBZNProOc9tpr79WPJtmi2K67/T8Stc eZ8E5lT3Nx92ysO3GPrz5MMhTM8W7JwxMjwk6JMNDGpfkRsbR+MLSDbj2 zESNs5kxKfdOcS6ivUEWIxmNXBRV0OpG/ELIU/X8wyM6bhrEwUdGKvbJN 8O4zbeIe7ErmjssfQP4lq/pAmK+5WPkuiVYfyWsoXSEYz9hf+0HGg7XHN Q==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016485" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016485" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:41 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494335" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:39 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 06/13] speex: fix CVE-2020-23903 Date: Tue, 25 Jan 2022 21:46:00 +0800 Message-Id: <1818c3c24fcd42103468a3de01b35c6c9a8228bd.1643113252.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160927 From: Kai Kang Backport patch to fix CVE-2020-23903. CVE: CVE-2020-23903 Signed-off-by: Kai Kang Signed-off-by: Richard Purdie (cherry picked from commit b8f56e5e9eef32c1e01742f913e205d93548de1f) Signed-off-by: Anuj Mittal --- .../speex/speex/CVE-2020-23903.patch | 30 +++++++++++++++++++ meta/recipes-multimedia/speex/speex_1.2.0.bb | 4 ++- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch diff --git a/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch new file mode 100644 index 0000000000..eb16e95ffc --- /dev/null +++ b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch @@ -0,0 +1,30 @@ +Backport patch to fix CVE-2020-23903. + +CVE: CVE-2020-23903 +Upstream-Status: Backport [https://github.com/xiph/speex/commit/870ff84] + +Signed-off-by: Kai Kang + +From 870ff845b32f314aec0036641ffe18aba4916887 Mon Sep 17 00:00:00 2001 +From: Tristan Matthews +Date: Mon, 13 Jul 2020 23:25:03 -0400 +Subject: [PATCH] wav_io: guard against invalid channel numbers + +Fixes #13 +--- + src/wav_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/wav_io.c b/src/wav_io.c +index b5183015..09d62eb0 100644 +--- a/src/wav_io.c ++++ b/src/wav_io.c +@@ -111,7 +111,7 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32 + stmp = le_short(stmp); + *channels = stmp; + +- if (stmp>2) ++ if (stmp>2 || stmp<1) + { + fprintf (stderr, "Only mono and (intensity) stereo supported\n"); + return -1; diff --git a/meta/recipes-multimedia/speex/speex_1.2.0.bb b/meta/recipes-multimedia/speex/speex_1.2.0.bb index 3a0911d6f8..ea475f0f1b 100644 --- a/meta/recipes-multimedia/speex/speex_1.2.0.bb +++ b/meta/recipes-multimedia/speex/speex_1.2.0.bb @@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=314649d8ba9dd7045dfb6683f298d0a8 \ file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50" DEPENDS = "libogg speexdsp" -SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz" +SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz \ + file://CVE-2020-23903.patch \ + " UPSTREAM_CHECK_REGEX = "speex-(?P\d+(\.\d+)+)\.tar" SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c" From patchwork Tue Jan 25 13:46:01 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2916 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76F54C433F5 for ; Tue, 25 Jan 2022 13:46:43 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:42 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=iOX/InFT; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118402; x=1674654402; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=ZEB8Urtk65oxRjXaGOqJCxfm/4mopJMxaCQavX5caC4=; b=iOX/InFTpxCCk7R2j4lHQO1dk0nWw7s9/MrJBM8UXJk8EgaZZNtxeOnV Pk2xW4f2FHJxEi0EAEFdqV9fJ1Tui1xaHof4q7fEZ3q/T1lL5Kx1u+DoB u5nHauIyT+I5wEgEHD2CLa78WqzBhxx9JHONU8P6+llcmia+uDeaw4Wae Qe2GgiUw7fBJrcBz+uPgoqRq/itz8qOWKrhXfQLwtfy9sLQg2QGtW/S7o 0sABp/J9SWfxa1d4B43Qp5aM9hAkgjw/G1cN7y/fWOJJvrAiH971SmgkK 8GlgFsviJjGABs62TADR+YYn4SwcekWAAOypik3hSI6v+VKQBEm15g5Of Q==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016490" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016490" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:42 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494354" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:41 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 07/13] expat: upgrade 2.4.1 -> 2.4.2 Date: Tue, 25 Jan 2022 21:46:01 +0800 Message-Id: <2a5e1b617678c148d96f767493cb08e9cb2fc9e7.1643113252.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160928 From: wangmy Changelog: ========= #509 #510 Link againgst libm for function "isnan" #513 #514 Include expat_config.h as early as possible #498 Autotools: Include files with release archives: - buildconf.sh - fuzz/*.c #507 #519 Autotools: Sync CMake templates #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) - multi-config CMake generators (e.g. Ninja Multi-Config) #502 #503 docs: Document that function XML_GetBuffer may return NULL when asking for a buffer of 0 (zero) bytes size #522 #523 docs: Fix return value docs for both XML_SetBillionLaughsAttackProtection* functions #525 #526 Version info bumped from 9:1:8 to 9:2:8; see https://verbump.de/ for what these numbers do Signed-off-by: Wang Mingyu Signed-off-by: Richard Purdie (cherry picked from commit 98a87bcfa50fc46ea86a085d330f5cbc41ddaaa5) Signed-off-by: Anuj Mittal --- meta/recipes-core/expat/{expat_2.4.1.bb => expat_2.4.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-core/expat/{expat_2.4.1.bb => expat_2.4.2.bb} (91%) diff --git a/meta/recipes-core/expat/expat_2.4.1.bb b/meta/recipes-core/expat/expat_2.4.2.bb similarity index 91% rename from meta/recipes-core/expat/expat_2.4.1.bb rename to meta/recipes-core/expat/expat_2.4.2.bb index 14e5aca9e6..771f14eb3e 100644 --- a/meta/recipes-core/expat/expat_2.4.1.bb +++ b/meta/recipes-core/expat/expat_2.4.2.bb @@ -15,7 +15,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" -SRC_URI[sha256sum] = "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40" +SRC_URI[sha256sum] = "e40737134bdc08b8ea7d23a2c0a5cd11c04d5be152fe562d3253c1e4a0be6686" EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF" From patchwork Tue Jan 25 13:46:02 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2919 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 77B26C433EF for ; Tue, 25 Jan 2022 13:46:45 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:44 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=B/tiK30K; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118404; x=1674654404; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=eFNr3OMtk5TL6mzIRfz+982qC+YccEfDNZvBTuicaaM=; b=B/tiK30Kyv9bUziyVdstjP5X/A9VMcjV4idZ3Egd7W1YDZrExt3SMlQy KpTC+spe7r4erHgfpipPm31VTuzChng3DaSKs1K0dlYRvChwScUoFZoJO XD9+CY6PQw73W/kz0tLWS0dDUZTmH5FC0eWyyQjBIYe3GyAPJofc4zy45 t+2CHmAn4djxpJSsFGUSSiUXY3RdpcEPnJRySaNpwZDXeJceivDUjQeYe sywK626NulLNRsyk7q+eIbciOTATaQ3Vsjb8lwBeMTjBLgv34cnsgKZ7Y TYR3phwymnFmWHXS0F4DTrlg39UGeRRqcVx80vREiwdE+GvZLnixhyrf0 w==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016500" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016500" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:44 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494357" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:42 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 08/13] expat: Upgrade 2.4.2 -> 2.4.3 Date: Tue, 25 Jan 2022 21:46:02 +0800 Message-Id: <226d8ae449366379c3f9704b0c9f284d9c3baf2d.1643113252.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160929 From: Richard Purdie Primarily a security fix release which includes: CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 Signed-off-by: Richard Purdie (cherry picked from commit 9dbd9540f3e19d92ef38c8537792bd028ed174ad) Signed-off-by: Anuj Mittal --- meta/recipes-core/expat/{expat_2.4.2.bb => expat_2.4.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-core/expat/{expat_2.4.2.bb => expat_2.4.3.bb} (91%) diff --git a/meta/recipes-core/expat/expat_2.4.2.bb b/meta/recipes-core/expat/expat_2.4.3.bb similarity index 91% rename from meta/recipes-core/expat/expat_2.4.2.bb rename to meta/recipes-core/expat/expat_2.4.3.bb index 771f14eb3e..088ce81500 100644 --- a/meta/recipes-core/expat/expat_2.4.2.bb +++ b/meta/recipes-core/expat/expat_2.4.3.bb @@ -15,7 +15,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" -SRC_URI[sha256sum] = "e40737134bdc08b8ea7d23a2c0a5cd11c04d5be152fe562d3253c1e4a0be6686" +SRC_URI[sha256sum] = "6f262e216a494fbf42d8c22bc841b3e117c21f2467a19dc4c27c991b5622f986" EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF" From patchwork Tue Jan 25 13:46:03 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 14146 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org From: "Anuj Mittal" Subject: [honister][PATCH 09/13] vim: upgrade to 8.2 patch 3752 Date: Tue, 25 Jan 2022 21:46:03 +0800 Message-Id: In-Reply-To: References: MIME-Version: 1.0 List-id: To: openembedded-core@lists.openembedded.org From: Ross Burton There's a fairly constant flow of CVEs being fixed in Vim, which are getting increasing non-trivial to backport. Instead of trying to backport (and potentially introduce more bugs), or just ignoring them entirely, upgrade vim to the latest patch in the hope that vim 8.3 will be released before we release Kirkstone. Signed-off-by: Ross Burton Signed-off-by: Richard Purdie (cherry picked from commit 78a4796de27d710f97c336d288d797557a58694e) Signed-off-by: Anuj Mittal --- ...1-reading-character-past-end-of-line.patch | 62 ------ ...src-Makefile-improve-reproducibility.patch | 13 +- ...28-using-freed-memory-when-replacing.patch | 83 ------- ...eading-uninitialized-memory-when-giv.patch | 63 ------ ...rash-when-using-CTRL-W-f-without-fin.patch | 92 -------- ...llegal-memory-access-if-buffer-name-.patch | 86 -------- ...ml_get-error-after-search-with-range.patch | 72 ------ ...nvalid-memory-access-when-scrolling-.patch | 97 -------- .../vim/files/CVE-2021-3778.patch | 61 ------ ...1e135a16091c93f6f5f7525a5c58fb7ca9f9.patch | 207 ------------------ .../vim/files/disable_acl_header_check.patch | 15 +- .../vim/files/no-path-adjust.patch | 8 +- meta/recipes-support/vim/files/racefix.patch | 6 +- ...m-add-knob-whether-elf.h-are-checked.patch | 13 +- meta/recipes-support/vim/vim.inc | 15 +- 15 files changed, 28 insertions(+), 865 deletions(-) delete mode 100644 meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch delete mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch delete mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch delete mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch delete mode 100644 meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch delete mode 100644 meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch delete mode 100644 meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch delete mode 100644 meta/recipes-support/vim/files/CVE-2021-3778.patch delete mode 100644 meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch diff --git a/meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch b/meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch deleted file mode 100644 index 28c61cd782..0000000000 --- a/meta/recipes-support/vim/files/0001-patch-8.2.3581-reading-character-past-end-of-line.patch +++ /dev/null @@ -1,62 +0,0 @@ -CVE: CVE-2021-3927 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From 93b427c6e729260d0700c3b2804ec153bc8284fa Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Thu, 4 Nov 2021 15:10:11 +0000 -Subject: [PATCH] patch 8.2.3581: reading character past end of line - -Problem: Reading character past end of line. -Solution: Correct the cursor column. ---- - src/ex_docmd.c | 1 + - src/testdir/test_put.vim | 12 ++++++++++++ - src/version.c | 2 ++ - 3 files changed, 15 insertions(+) - -diff --git a/src/ex_docmd.c b/src/ex_docmd.c -index fde726477..59e245bee 100644 ---- a/src/ex_docmd.c -+++ b/src/ex_docmd.c -@@ -6905,6 +6905,7 @@ ex_put(exarg_T *eap) - eap->forceit = TRUE; - } - curwin->w_cursor.lnum = eap->line2; -+ check_cursor_col(); - do_put(eap->regname, eap->forceit ? BACKWARD : FORWARD, 1L, - PUT_LINE|PUT_CURSLINE); - } -diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim -index 225ebd1f3..922e5b269 100644 ---- a/src/testdir/test_put.vim -+++ b/src/testdir/test_put.vim -@@ -113,3 +113,15 @@ func Test_put_p_indent_visual() - call assert_equal('select that text', getline(2)) - bwipe! - endfunc -+ -+func Test_put_above_first_line() -+ new -+ let @" = 'text' -+ silent! normal 0o00 -+ 0put -+ call assert_equal('text', getline(1)) -+ bwipe! -+endfunc -+ -+ -+" vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index a9e8be0e7..df4ec9a47 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3581, - /**/ - 3564, - /**/ diff --git a/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch b/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch index 63a7b78f12..2fc11dbdc2 100644 --- a/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch +++ b/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch @@ -16,11 +16,11 @@ Signed-off-by: Mingli Yu src/Makefile | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) -diff --git a/src/Makefile b/src/Makefile -index f2fafa4dc..7148d4bd9 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -2845,16 +2845,10 @@ auto/pathdef.c: Makefile auto/config.mk +Index: git/src/Makefile +=================================================================== +--- git.orig/src/Makefile ++++ git/src/Makefile +@@ -3101,16 +3101,10 @@ auto/pathdef.c: Makefile auto/config.mk -@echo '#include "vim.h"' >> $@ -@echo 'char_u *default_vim_dir = (char_u *)"$(VIMRCLOC)";' | $(QUOTESED) >> $@ -@echo 'char_u *default_vimruntime_dir = (char_u *)"$(VIMRUNTIMEDIR)";' | $(QUOTESED) >> $@ @@ -41,6 +41,3 @@ index f2fafa4dc..7148d4bd9 100644 -@sh $(srcdir)/pathdef.sh GUI_GTK_RES_INPUTS = \ --- -2.17.1 - diff --git a/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch b/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch deleted file mode 100644 index ecfae0301e..0000000000 --- a/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch +++ /dev/null @@ -1,83 +0,0 @@ -CVE: CVE-2021-3796 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From 1160e5f74b229336502fc376416f21108d36cfc2 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Sat, 11 Sep 2021 21:14:20 +0200 -Subject: [PATCH] patch 8.2.3428: using freed memory when replacing - -Problem: Using freed memory when replacing. (Dhiraj Mishra) -Solution: Get the line pointer after calling ins_copychar(). ---- - src/normal.c | 10 +++++++--- - src/testdir/test_edit.vim | 14 ++++++++++++++ - src/version.c | 2 ++ - 3 files changed, 23 insertions(+), 3 deletions(-) - -diff --git a/src/normal.c b/src/normal.c -index c4963e621..d6333b948 100644 ---- a/src/normal.c -+++ b/src/normal.c -@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap) - { - /* - * Get ptr again, because u_save and/or showmatch() will have -- * released the line. At the same time we let know that the -- * line will be changed. -+ * released the line. This may also happen in ins_copychar(). -+ * At the same time we let know that the line will be changed. - */ -- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); - if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y) - { - int c = ins_copychar(curwin->w_cursor.lnum - + (cap->nchar == Ctrl_Y ? -1 : 1)); -+ -+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); - if (c != NUL) - ptr[curwin->w_cursor.col] = c; - } - else -+ { -+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE); - ptr[curwin->w_cursor.col] = cap->nchar; -+ } - if (p_sm && msg_silent == 0) - showmatch(cap->nchar); - ++curwin->w_cursor.col; -diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim -index 4e29e7fe1..f94e6c181 100644 ---- a/src/testdir/test_edit.vim -+++ b/src/testdir/test_edit.vim -@@ -1519,3 +1519,17 @@ func Test_edit_noesckeys() - bwipe! - set esckeys - endfunc -+ -+" Test for getting the character of the line below after "p" -+func Test_edit_put_CTRL_E() -+ set encoding=latin1 -+ new -+ let @" = '' -+ sil! norm orggRx -+ sil! norm pr -+ call assert_equal(['r', 'r'], getline(1, 2)) -+ bwipe! -+ set encoding=utf-8 -+endfunc -+ -+" vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index 85bdfc601..1046993d6 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3428, - /**/ - 3409, - /**/ diff --git a/meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch b/meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch deleted file mode 100644 index d117a98893..0000000000 --- a/meta/recipes-support/vim/files/0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch +++ /dev/null @@ -1,63 +0,0 @@ -CVE: CVE-2021-3928 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From ade0f0481969f1453c60e7c8354b00dfe4238739 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Thu, 4 Nov 2021 15:46:05 +0000 -Subject: [PATCH] patch 8.2.3582: reading uninitialized memory when giving - spell suggestions - -Problem: Reading uninitialized memory when giving spell suggestions. -Solution: Check that preword is not empty. ---- - src/spellsuggest.c | 2 +- - src/testdir/test_spell.vim | 8 ++++++++ - src/version.c | 2 ++ - 3 files changed, 11 insertions(+), 1 deletion(-) - -diff --git a/src/spellsuggest.c b/src/spellsuggest.c -index 9d6df7930..8615d5280 100644 ---- a/src/spellsuggest.c -+++ b/src/spellsuggest.c -@@ -1600,7 +1600,7 @@ suggest_trie_walk( - // char, e.g., "thes," -> "these". - p = fword + sp->ts_fidx; - MB_PTR_BACK(fword, p); -- if (!spell_iswordp(p, curwin)) -+ if (!spell_iswordp(p, curwin) && *preword != NUL) - { - p = preword + STRLEN(preword); - MB_PTR_BACK(preword, p); -diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim -index 79fb8927c..e435e9172 100644 ---- a/src/testdir/test_spell.vim -+++ b/src/testdir/test_spell.vim -@@ -498,6 +498,14 @@ func Test_spell_screendump() - call delete('XtestSpell') - endfunc - -+func Test_spell_single_word() -+ new -+ silent! norm 0R00 -+ spell! ß -+ silent 0norm 0r$ Dvz= -+ bwipe! -+endfunc -+ - let g:test_data_aff1 = [ - \"SET ISO8859-1", - \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ", -diff --git a/src/version.c b/src/version.c -index df4ec9a47..e1bc0d09b 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3582, - /**/ - 3581, - /**/ diff --git a/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch b/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch deleted file mode 100644 index 58d3442677..0000000000 --- a/meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch +++ /dev/null @@ -1,92 +0,0 @@ -CVE: CVE-2021-3973 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From b6154e9f530544ddc3130d981caae0dabc053757 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Wed, 17 Nov 2021 18:00:31 +0000 -Subject: [PATCH] patch 8.2.3611: crash when using CTRL-W f without finding a - file name Problem: Crash when using CTRL-W f without finding - a file name. Solution: Bail out when the file name length is zero. - ---- - src/findfile.c | 8 ++++++++ - src/normal.c | 6 ++++-- - src/testdir/test_visual.vim | 8 ++++++++ - src/version.c | 2 ++ - 4 files changed, 22 insertions(+), 2 deletions(-) - -diff --git a/src/findfile.c b/src/findfile.c -index dba547da1..5764fd7b8 100644 ---- a/src/findfile.c -+++ b/src/findfile.c -@@ -1727,6 +1727,9 @@ find_file_in_path_option( - proc->pr_WindowPtr = (APTR)-1L; - # endif - -+ if (len == 0) -+ return NULL; -+ - if (first == TRUE) - { - // copy file name into NameBuff, expanding environment variables -@@ -2094,7 +2097,12 @@ find_file_name_in_path( - int c; - # if defined(FEAT_FIND_ID) && defined(FEAT_EVAL) - char_u *tofree = NULL; -+# endif - -+ if (len == 0) -+ return NULL; -+ -+# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL) - if ((options & FNAME_INCL) && *curbuf->b_p_inex != NUL) - { - tofree = eval_includeexpr(ptr, len); -diff --git a/src/normal.c b/src/normal.c -index 7cb959257..f0084f2ac 100644 ---- a/src/normal.c -+++ b/src/normal.c -@@ -3778,8 +3778,10 @@ get_visual_text( - *pp = ml_get_pos(&VIsual); - *lenp = curwin->w_cursor.col - VIsual.col + 1; - } -- if (has_mbyte) -- // Correct the length to include the whole last character. -+ if (**pp == NUL) -+ *lenp = 0; -+ if (has_mbyte && *lenp > 0) -+ // Correct the length to include all bytes of the last character. - *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1; - } - reset_VIsual_and_resel(); -diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim -index ae281238e..0705fdb57 100644 ---- a/src/testdir/test_visual.vim -+++ b/src/testdir/test_visual.vim -@@ -894,4 +894,12 @@ func Test_block_insert_replace_tabs() - bwipe! - endfunc - -+func Test_visual_block_ctrl_w_f() -+ " Emtpy block selected in new buffer should not result in an error. -+ au! BufNew foo sil norm f -+ edit foo -+ -+ au! BufNew -+endfunc -+ - " vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index 52be3c39d..59a314b3a 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3611, - /**/ - 3582, - /**/ diff --git a/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch deleted file mode 100644 index 576664f436..0000000000 --- a/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch +++ /dev/null @@ -1,86 +0,0 @@ -CVE: CVE-2021-3872 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From 61629ea24a2fff1f89c37479d3fb52f17c3480fc Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Fri, 8 Oct 2021 18:39:28 +0100 -Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very - long - -Problem: Illegal memory access if buffer name is very long. -Solution: Make sure not to go over the end of the buffer. ---- - src/drawscreen.c | 10 +++++----- - src/testdir/test_statusline.vim | 11 +++++++++++ - src/version.c | 2 ++ - 3 files changed, 18 insertions(+), 5 deletions(-) - -diff --git a/src/drawscreen.c b/src/drawscreen.c -index 3a88ee979..9acb70552 100644 ---- a/src/drawscreen.c -+++ b/src/drawscreen.c -@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED) - *(p + len++) = ' '; - if (bt_help(wp->w_buffer)) - { -- STRCPY(p + len, _("[Help]")); -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]")); - len += (int)STRLEN(p + len); - } - #ifdef FEAT_QUICKFIX - if (wp->w_p_pvw) - { -- STRCPY(p + len, _("[Preview]")); -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]")); - len += (int)STRLEN(p + len); - } - #endif -@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED) - #endif - ) - { -- STRCPY(p + len, "[+]"); -- len += 3; -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]"); -+ len += (int)STRLEN(p + len); - } - if (wp->w_buffer->b_p_ro) - { -- STRCPY(p + len, _("[RO]")); -+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]")); - len += (int)STRLEN(p + len); - } - -diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim -index 1f705b847..91bce1407 100644 ---- a/src/testdir/test_statusline.vim -+++ b/src/testdir/test_statusline.vim -@@ -393,3 +393,14 @@ func Test_statusline_visual() - bwipe! x1 - bwipe! x2 - endfunc -+" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes. -+func Test_statusline_verylong_filename() -+ let fname = repeat('x', 4090) -+ exe "new " .. fname -+ set buftype=help -+ set previewwindow -+ redraw -+ bwipe! -+endfunc -+ -+" vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index 1046993d6..2b5de5ccf 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3487, - /**/ - 3428, - /**/ diff --git a/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch deleted file mode 100644 index 045081579c..0000000000 --- a/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch +++ /dev/null @@ -1,72 +0,0 @@ -CVE: CVE-2021-3875 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From b8968e26d7508e7d64bfc86808142818b0a9288c Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Sat, 9 Oct 2021 13:58:55 +0100 -Subject: [PATCH] patch 8.2.3489: ml_get error after search with range - -Problem: ml_get error after search with range. -Solution: Limit the line number to the buffer line count. ---- - src/ex_docmd.c | 6 ++++-- - src/testdir/test_search.vim | 17 +++++++++++++++++ - src/version.c | 2 ++ - 3 files changed, 23 insertions(+), 2 deletions(-) - -diff --git a/src/ex_docmd.c b/src/ex_docmd.c -index fb07450f8..fde726477 100644 ---- a/src/ex_docmd.c -+++ b/src/ex_docmd.c -@@ -3586,8 +3586,10 @@ get_address( - - // When '/' or '?' follows another address, start from - // there. -- if (lnum != MAXLNUM) -- curwin->w_cursor.lnum = lnum; -+ if (lnum > 0 && lnum != MAXLNUM) -+ curwin->w_cursor.lnum = -+ lnum > curbuf->b_ml.ml_line_count -+ ? curbuf->b_ml.ml_line_count : lnum; - - // Start a forward search at the end of the line (unless - // before the first line). -diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim -index 187671305..e142c3547 100644 ---- a/src/testdir/test_search.vim -+++ b/src/testdir/test_search.vim -@@ -1366,3 +1366,20 @@ func Test_searchdecl() - - bwipe! - endfunc -+ -+func Test_search_with_invalid_range() -+ new -+ let lines =<< trim END -+ /\%.v -+ 5/ -+ c -+ END -+ call writefile(lines, 'Xrangesearch') -+ source Xrangesearch -+ -+ bwipe! -+ call delete('Xrangesearch') -+endfunc -+ -+ -+" vim: shiftwidth=2 sts=2 expandtab -diff --git a/src/version.c b/src/version.c -index 2b5de5ccf..092864bbb 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3489, - /**/ - 3487, - /**/ diff --git a/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch b/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch deleted file mode 100644 index 7184b37cad..0000000000 --- a/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch +++ /dev/null @@ -1,97 +0,0 @@ -CVE: CVE-2021-3903 -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From b15919c1fe0f7fc3d98ff5207ed2feb43c59009d Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Mon, 25 Oct 2021 17:07:04 +0100 -Subject: [PATCH] patch 8.2.3564: invalid memory access when scrolling without - valid screen - -Problem: Invalid memory access when scrolling without a valid screen. -Solution: Do not set VALID_BOTLINE in w_valid. ---- - src/move.c | 1 - - src/testdir/test_normal.vim | 23 ++++++++++++++++++++--- - src/version.c | 2 ++ - 3 files changed, 22 insertions(+), 4 deletions(-) - -diff --git a/src/move.c b/src/move.c -index 8e53d8bcb..10165ef4d 100644 ---- a/src/move.c -+++ b/src/move.c -@@ -198,7 +198,6 @@ update_topline(void) - { - curwin->w_topline = curwin->w_cursor.lnum; - curwin->w_botline = curwin->w_topline; -- curwin->w_valid |= VALID_BOTLINE|VALID_BOTLINE_AP; - curwin->w_scbind_pos = 1; - return; - } -diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim -index d45cf4159..ca87928f5 100644 ---- a/src/testdir/test_normal.vim -+++ b/src/testdir/test_normal.vim -@@ -33,14 +33,14 @@ func CountSpaces(type, ...) - else - silent exe "normal! `[v`]y" - endif -- let g:a=strlen(substitute(@@, '[^ ]', '', 'g')) -+ let g:a = strlen(substitute(@@, '[^ ]', '', 'g')) - let &selection = sel_save - let @@ = reg_save - endfunc - - func OpfuncDummy(type, ...) - " for testing operatorfunc -- let g:opt=&linebreak -+ let g:opt = &linebreak - - if a:0 " Invoked from Visual mode, use gv command. - silent exe "normal! gvy" -@@ -51,7 +51,7 @@ func OpfuncDummy(type, ...) - endif - " Create a new dummy window - new -- let g:bufnr=bufnr('%') -+ let g:bufnr = bufnr('%') - endfunc - - fun! Test_normal00_optrans() -@@ -718,6 +718,23 @@ func Test_normal17_z_scroll_hor2() - bw! - endfunc - -+ -+func Test_scroll_in_ex_mode() -+ " This was using invalid memory because w_botline was invalid. -+ let lines =<< trim END -+ diffsplit -+ norm os00( -+ call writefile(['done'], 'Xdone') -+ qa! -+ END -+ call writefile(lines, 'Xscript') -+ call assert_equal(1, RunVim([], [], '--clean -X -Z -e -s -S Xscript')) -+ call assert_equal(['done'], readfile('Xdone')) -+ -+ call delete('Xscript') -+ call delete('Xdone') -+endfunc -+ - func Test_normal18_z_fold() - " basic tests for foldopen/folddelete - if !has("folding") -diff --git a/src/version.c b/src/version.c -index 092864bbb..a9e8be0e7 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3564, - /**/ - 3489, - /**/ diff --git a/meta/recipes-support/vim/files/CVE-2021-3778.patch b/meta/recipes-support/vim/files/CVE-2021-3778.patch deleted file mode 100644 index 544af04458..0000000000 --- a/meta/recipes-support/vim/files/CVE-2021-3778.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 6d351cec5b97cb72b226d03bd727e453a235ed8d Mon Sep 17 00:00:00 2001 -From: Minjae Kim -Date: Sun, 26 Sep 2021 23:48:00 +0000 -Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8 - character - -Problem: Reading beyond end of line with invalid utf-8 character. -Solution: Check for NUL when advancing. - -Upstream-Status: Accepted [https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f] -CVE: CVE-2021-3778 -Signed-off-by: Minjae Kim - ---- - src/regexp_nfa.c | 3 ++- - src/testdir/test_regexp_utf8.vim | 7 +++++++ - src/version.c | 2 ++ - 3 files changed, 11 insertions(+), 1 deletion(-) - -diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c -index fb512f961..ace83a1a3 100644 ---- a/src/regexp_nfa.c -+++ b/src/regexp_nfa.c -@@ -5455,7 +5455,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text) - match = FALSE; - break; - } -- len2 += MB_CHAR2LEN(c2); -+ len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2) -+ : MB_CHAR2LEN(c2); - } - if (match - // check that no composing char follows -diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim -index 19ff882be..e0665818b 100644 ---- a/src/testdir/test_regexp_utf8.vim -+++ b/src/testdir/test_regexp_utf8.vim -@@ -215,3 +215,10 @@ func Test_optmatch_toolong() - set re=0 - endfunc - -+func Test_match_invalid_byte() -+ call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid') -+ new -+ source Xinvalid -+ bwipe! -+ call delete('Xinvalid') -+endfunc -diff --git a/src/version.c b/src/version.c -index 8912f6215..85bdfc601 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -742,6 +742,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 3409, - /**/ - 3402, - /**/ diff --git a/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch b/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch deleted file mode 100644 index 1cee759502..0000000000 --- a/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch +++ /dev/null @@ -1,207 +0,0 @@ -From b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 Mon Sep 17 00:00:00 2001 -From: Bram Moolenaar -Date: Sat, 4 Sep 2021 18:47:28 +0200 -Subject: [PATCH] patch 8.2.3402: invalid memory access when using :retab with - large value - -Problem: Invalid memory access when using :retab with large value. -Solution: Check the number is positive. - -CVE: CVE-2021-3770 -Signed-off-by: Richard Purdie -Upstream-Status: Backport [https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9] ---- - src/indent.c | 34 +++++++++++++++++++++------------- - src/option.c | 12 ++++++------ - src/optionstr.c | 4 ++-- - src/testdir/test_retab.vim | 3 +++ - src/version.c | 2 ++ - 5 files changed, 34 insertions(+), 21 deletions(-) - -Index: git/src/indent.c -=================================================================== ---- git.orig/src/indent.c -+++ git/src/indent.c -@@ -18,18 +18,19 @@ - /* - * Set the integer values corresponding to the string setting of 'vartabstop'. - * "array" will be set, caller must free it if needed. -+ * Return FAIL for an error. - */ - int - tabstop_set(char_u *var, int **array) - { -- int valcount = 1; -- int t; -- char_u *cp; -+ int valcount = 1; -+ int t; -+ char_u *cp; - - if (var[0] == NUL || (var[0] == '0' && var[1] == NUL)) - { - *array = NULL; -- return TRUE; -+ return OK; - } - - for (cp = var; *cp != NUL; ++cp) -@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array) - if (cp != end) - emsg(_(e_positive)); - else -- emsg(_(e_invarg)); -- return FALSE; -+ semsg(_(e_invarg2), cp); -+ return FAIL; - } - } - -@@ -55,26 +56,33 @@ tabstop_set(char_u *var, int **array) - ++valcount; - continue; - } -- emsg(_(e_invarg)); -- return FALSE; -+ semsg(_(e_invarg2), var); -+ return FAIL; - } - - *array = ALLOC_MULT(int, valcount + 1); - if (*array == NULL) -- return FALSE; -+ return FAIL; - (*array)[0] = valcount; - - t = 1; - for (cp = var; *cp != NUL;) - { -- (*array)[t++] = atoi((char *)cp); -- while (*cp != NUL && *cp != ',') -+ int n = atoi((char *)cp); -+ -+ if (n < 0 || n > 9999) -+ { -+ semsg(_(e_invarg2), cp); -+ return FAIL; -+ } -+ (*array)[t++] = n; -+ while (*cp != NUL && *cp != ',') - ++cp; - if (*cp != NUL) - ++cp; - } - -- return TRUE; -+ return OK; - } - - /* -@@ -1556,7 +1564,7 @@ ex_retab(exarg_T *eap) - - #ifdef FEAT_VARTABS - new_ts_str = eap->arg; -- if (!tabstop_set(eap->arg, &new_vts_array)) -+ if (tabstop_set(eap->arg, &new_vts_array) == FAIL) - return; - while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',') - ++(eap->arg); -Index: git/src/option.c -=================================================================== ---- git.orig/src/option.c -+++ git/src/option.c -@@ -2292,9 +2292,9 @@ didset_options2(void) - #endif - #ifdef FEAT_VARTABS - vim_free(curbuf->b_p_vsts_array); -- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array); -+ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array); - vim_free(curbuf->b_p_vts_array); -- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array); -+ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array); - #endif - } - -@@ -5756,7 +5756,7 @@ buf_copy_options(buf_T *buf, int flags) - buf->b_p_vsts = vim_strsave(p_vsts); - COPY_OPT_SCTX(buf, BV_VSTS); - if (p_vsts && p_vsts != empty_option) -- tabstop_set(p_vsts, &buf->b_p_vsts_array); -+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array); - else - buf->b_p_vsts_array = 0; - buf->b_p_vsts_nopaste = p_vsts_nopaste -@@ -5914,7 +5914,7 @@ buf_copy_options(buf_T *buf, int flags) - buf->b_p_isk = save_p_isk; - #ifdef FEAT_VARTABS - if (p_vts && p_vts != empty_option && !buf->b_p_vts_array) -- tabstop_set(p_vts, &buf->b_p_vts_array); -+ (void)tabstop_set(p_vts, &buf->b_p_vts_array); - else - buf->b_p_vts_array = NULL; - #endif -@@ -5929,7 +5929,7 @@ buf_copy_options(buf_T *buf, int flags) - buf->b_p_vts = vim_strsave(p_vts); - COPY_OPT_SCTX(buf, BV_VTS); - if (p_vts && p_vts != empty_option && !buf->b_p_vts_array) -- tabstop_set(p_vts, &buf->b_p_vts_array); -+ (void)tabstop_set(p_vts, &buf->b_p_vts_array); - else - buf->b_p_vts_array = NULL; - #endif -@@ -6634,7 +6634,7 @@ paste_option_changed(void) - if (buf->b_p_vsts_array) - vim_free(buf->b_p_vsts_array); - if (buf->b_p_vsts && buf->b_p_vsts != empty_option) -- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array); -+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array); - else - buf->b_p_vsts_array = 0; - #endif -Index: git/src/optionstr.c -=================================================================== ---- git.orig/src/optionstr.c -+++ git/src/optionstr.c -@@ -2166,7 +2166,7 @@ did_set_string_option( - if (errmsg == NULL) - { - int *oldarray = curbuf->b_p_vsts_array; -- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array))) -+ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK) - { - if (oldarray) - vim_free(oldarray); -@@ -2205,7 +2205,7 @@ did_set_string_option( - { - int *oldarray = curbuf->b_p_vts_array; - -- if (tabstop_set(*varp, &(curbuf->b_p_vts_array))) -+ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK) - { - vim_free(oldarray); - #ifdef FEAT_FOLDING -Index: git/src/testdir/test_retab.vim -=================================================================== ---- git.orig/src/testdir/test_retab.vim -+++ git/src/testdir/test_retab.vim -@@ -74,4 +74,7 @@ endfunc - func Test_retab_error() - call assert_fails('retab -1', 'E487:') - call assert_fails('retab! -1', 'E487:') -+ call assert_fails('ret -1000', 'E487:') -+ call assert_fails('ret 10000', 'E475:') -+ call assert_fails('ret 80000000000000000000', 'E475:') - endfunc -Index: git/src/version.c -=================================================================== ---- git.orig/src/version.c -+++ git/src/version.c -@@ -743,6 +743,8 @@ static char *(features[]) = - static int included_patches[] = - { /* Add new patch number below this line */ - /**/ -+ 3402, -+/**/ - 0 - }; - diff --git a/meta/recipes-support/vim/files/disable_acl_header_check.patch b/meta/recipes-support/vim/files/disable_acl_header_check.patch index 33089162b4..533138245d 100644 --- a/meta/recipes-support/vim/files/disable_acl_header_check.patch +++ b/meta/recipes-support/vim/files/disable_acl_header_check.patch @@ -13,11 +13,11 @@ Signed-off-by: Changqing Li src/configure.ac | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -diff --git a/src/configure.ac b/src/configure.ac -index 2d409b3ca06a..dbcaf6140263 100644 ---- a/src/configure.ac -+++ b/src/configure.ac -@@ -3257,7 +3257,7 @@ AC_CHECK_HEADERS(stdint.h stdlib.h string.h \ +Index: git/src/configure.ac +=================================================================== +--- git.orig/src/configure.ac ++++ git/src/configure.ac +@@ -3292,7 +3292,7 @@ AC_CHECK_HEADERS(stdint.h stdlib.h strin sys/systeminfo.h locale.h sys/stream.h termios.h \ libc.h sys/statfs.h poll.h sys/poll.h pwd.h \ utime.h sys/param.h sys/ptms.h libintl.h libgen.h \ @@ -26,7 +26,7 @@ index 2d409b3ca06a..dbcaf6140263 100644 sys/access.h sys/sysinfo.h wchar.h wctype.h) dnl sys/ptem.h depends on sys/stream.h on Solaris -@@ -3886,6 +3886,7 @@ AC_ARG_ENABLE(acl, +@@ -3974,6 +3974,7 @@ AC_ARG_ENABLE(acl, , [enable_acl="yes"]) if test "$enable_acl" = "yes"; then AC_MSG_RESULT(no) @@ -34,6 +34,3 @@ index 2d409b3ca06a..dbcaf6140263 100644 AC_CHECK_LIB(posix1e, acl_get_file, [LIBS="$LIBS -lposix1e"], AC_CHECK_LIB(acl, acl_get_file, [LIBS="$LIBS -lacl" AC_CHECK_LIB(attr, fgetxattr, LIBS="$LIBS -lattr",,)],,),) --- -2.7.4 - diff --git a/meta/recipes-support/vim/files/no-path-adjust.patch b/meta/recipes-support/vim/files/no-path-adjust.patch index 05c2d803f6..9d6da80913 100644 --- a/meta/recipes-support/vim/files/no-path-adjust.patch +++ b/meta/recipes-support/vim/files/no-path-adjust.patch @@ -7,9 +7,11 @@ Upstream-Status: Pending Signed-off-by: Joe Slater ---- a/src/Makefile -+++ b/src/Makefile -@@ -2507,11 +2507,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_ +Index: git/src/Makefile +=================================================================== +--- git.orig/src/Makefile ++++ git/src/Makefile +@@ -2565,11 +2565,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_ rm -rf $$cvs; \ fi -chmod $(FILEMOD) $(DEST_TOOLS)/* diff --git a/meta/recipes-support/vim/files/racefix.patch b/meta/recipes-support/vim/files/racefix.patch index 48dca44cad..1cb8fb442f 100644 --- a/meta/recipes-support/vim/files/racefix.patch +++ b/meta/recipes-support/vim/files/racefix.patch @@ -9,9 +9,9 @@ Index: git/src/po/Makefile =================================================================== --- git.orig/src/po/Makefile +++ git/src/po/Makefile -@@ -165,17 +165,16 @@ $(PACKAGE).pot: ../*.c ../if_perl.xs ../ - po/gvim.desktop.in po/vim.desktop.in - mv -f ../$(PACKAGE).po $(PACKAGE).pot +@@ -207,17 +207,16 @@ $(PACKAGE).pot: $(PO_INPUTLIST) $(PO_VIM + # Delete the temporary files + rm *.js -vim.desktop: vim.desktop.in $(POFILES) +LINGUAS: diff --git a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch b/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch index 37914d4cd9..5284ba45b6 100644 --- a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch +++ b/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch @@ -14,11 +14,11 @@ Signed-off-by: Changqing Li src/configure.ac | 7 +++++++ 1 file changed, 7 insertions(+) -diff --git a/src/configure.ac b/src/configure.ac -index 0ee86ad..64736f0 100644 ---- a/src/configure.ac -+++ b/src/configure.ac -@@ -3192,11 +3192,18 @@ AC_TRY_COMPILE([#include ], [int x __attribute__((unused));], +Index: git/src/configure.ac +=================================================================== +--- git.orig/src/configure.ac ++++ git/src/configure.ac +@@ -3264,11 +3264,18 @@ AC_TRY_COMPILE([#include ], [in AC_MSG_RESULT(no)) dnl Checks for header files. @@ -37,6 +37,3 @@ index 0ee86ad..64736f0 100644 AC_HEADER_DIRENT --- -2.7.4 - diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 6cdf157cb6..0ddf95ab72 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -8,8 +8,9 @@ BUGTRACKER = "https://github.com/vim/vim/issues" DEPENDS = "ncurses gettext-native" # vimdiff doesn't like busybox diff RSUGGESTS:${PN} = "diffutils" + LICENSE = "vim" -LIC_FILES_CHKSUM = "file://runtime/doc/uganda.txt;endline=287;md5=a19edd7ec70d573a005d9e509375a99a" +LIC_FILES_CHKSUM = "file://runtime/doc/uganda.txt;endline=287;md5=909f1394892b7e0f9c2a95306c0c552b" SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://disable_acl_header_check.patch \ @@ -17,18 +18,10 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://0001-src-Makefile-improve-reproducibility.patch \ file://no-path-adjust.patch \ file://racefix.patch \ - file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \ - file://CVE-2021-3778.patch \ - file://0002-patch-8.2.3428-using-freed-memory-when-replacing.patch \ - file://0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch \ - file://0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch \ - file://0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch \ - file://0001-patch-8.2.3581-reading-character-past-end-of-line.patch \ - file://0002-patch-8.2.3582-reading-uninitialized-memory-when-giv.patch \ - file://0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch \ " -SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44" +PV .= ".3752" +SRCREV = "8603be338ac810446f23c092f21bc6082f787519" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" From patchwork Tue Jan 25 13:46:04 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2920 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 77EE6C433F5 for ; Tue, 25 Jan 2022 13:46:48 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:48 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=ldESTyWR; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118407; x=1674654407; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=LvBnfWk9zJrO3rZKYFfkAmn6tESUCLEJPrXrqBr7rS4=; b=ldESTyWROQ7pMsWHasT6dDZZgjAtZX1KG/Yexum+HKa9PE0pNJ8SzbAT mv6hYPiTgfZMCVE9R+3btj7kt+mhq3LLhQLYfxwT9UmdDkpKIY4muDH0l 8X4ctil8jgIq9opxvH0kHblzYT6ejd3Cmvgm118oAKTzAmSlri5v5VZJ/ 2oQyoyoDrdHUiBlUWh+25Ewsu3cOnSHT6+b6D+h+yn1udRO9wuJGnhaSY zJ4R3PBrEV4h8naVRlbttYVgz/CxDuY7FMuqVYRZlF5QUNCPI0qnIkNlD axqYvgT0C09KS8GnItDex8xGkm6p08h+k9xI1cAtmpRHwAxuZdbnHtGWJ g==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016514" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016514" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:47 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494374" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:46 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 10/13] vim: update to include latest CVE fixes Date: Tue, 25 Jan 2022 21:46:04 +0800 Message-Id: <10e6043aa5a11675127760097580b78a8cac4515.1643113252.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160931 From: Ross Burton Update the version to 4.2.4118, which incorporates the following CVE fixes: - CVE-2021-4187 - CVE-2022-0128 - CVE-2022-0156 - CVE-2022-0158 Also remove the explicit whitelisting of CVE-2021-3968 as this is now handled with an accurate CPE specifying the fixed version. Signed-off-by: Ross Burton Signed-off-by: Richard Purdie (cherry picked from commit 764519ad0da6b881918667ca272fcc273b56168a) Signed-off-by: Anuj Mittal --- meta/recipes-support/vim/vim.inc | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 0ddf95ab72..d68fade26a 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -20,15 +20,12 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://racefix.patch \ " -PV .= ".3752" -SRCREV = "8603be338ac810446f23c092f21bc6082f787519" +PV .= ".4118" +SRCREV = "0023f82a76cf43a12b41e71f97a2e860d0444e1b" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" -# CVE-2021-3968 is related to an issue which was introduced after 8.2, this can be removed after 8.3. -CVE_CHECK_WHITELIST += "CVE-2021-3968" - S = "${WORKDIR}/git" VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}" From patchwork Tue Jan 25 13:46:05 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2921 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 81F05C433F5 for ; Tue, 25 Jan 2022 13:46:50 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:49 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=ANlMWXzS; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118409; x=1674654409; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=LnW4B3beqeZTzERLi2IpGgCk8dFqJfwRZiSiO0af534=; b=ANlMWXzSL+dtvcw23l2MNRtGavMcH52C/YwPEd1sKLnEoMsi/g/if/3R o7Yfqs82yWZz26RKxRD8c+BUjBe8LcNRm8n3UKvTOhCcebseZ568mXrt7 9PbwgjtFWVtOEoW4iaKMNtYXYzauY1WHiaDAa+sBriVWRpSlpou/jDI/j UZoezPConCZAjY5wJxwaCOOqwla1jV6j6KwmZ/clNpYn67sEiBD8EINmK x7+jECNLV7sKApfX9pY1TnevjEQQdQ7AX4F55+/ZGDpuYCbZgEgbhEApb Z2qnWWjLMLlHovz3ImCDFZXH3huG6U0AdYuPT32AcAKbIV+istlUSv0mf g==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016522" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016522" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:49 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494379" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:48 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 11/13] lighttpd: backport a fix for CVE-2022-22707 Date: Tue, 25 Jan 2022 21:46:05 +0800 Message-Id: <6e90764934722e527c3a326faa62054e68e4d2f6.1643113252.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160932 From: Ross Burton Backport the fix for CVE-2022-22707, a buffer overflow in mod_extforward. Signed-off-by: Ross Burton Signed-off-by: Richard Purdie (cherry picked from commit 7758596613cc442f647fd4625b36532f30e6129f) Signed-off-by: Anuj Mittal --- ...ix-out-of-bounds-OOB-write-fixes-313.patch | 97 +++++++++++++++++++ .../lighttpd/lighttpd_1.4.59.bb | 1 + 2 files changed, 98 insertions(+) create mode 100644 meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch new file mode 100644 index 0000000000..f4e93d1065 --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch @@ -0,0 +1,97 @@ +Upstream-Status: Backport +CVE: CVE-2022-22707 +Signed-off-by: Ross Burton + +From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001 +From: povcfe +Date: Wed, 5 Jan 2022 11:11:09 +0000 +Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) + +(thx povcfe) + +(edited: gstrauss) + +There is a potential remote denial of service in lighttpd mod_extforward +under specific, non-default and uncommon 32-bit lighttpd mod_extforward +configurations. + +Under specific, non-default and uncommon lighttpd mod_extforward +configurations, a remote attacker can trigger a 4-byte out-of-bounds +write of value '-1' to the stack. This is not believed to be exploitable +in any way beyond triggering a crash of the lighttpd server on systems +where the lighttpd server has been built 32-bit and with compiler flags +which enable a stack canary -- gcc/clang -fstack-protector-strong or +-fstack-protector-all, but bug not visible with only -fstack-protector. + +With standard lighttpd builds using -O2 optimization on 64-bit x86_64, +this bug has not been observed to cause adverse behavior, even with +gcc/clang -fstack-protector-strong. + +For the bug to be reachable, the user must be using a non-default +lighttpd configuration which enables mod_extforward and configures +mod_extforward to accept and parse the "Forwarded" header from a trusted +proxy. At this time, support for RFC7239 Forwarded is not common in CDN +providers or popular web server reverse proxies. It bears repeating that +for the user to desire to configure lighttpd mod_extforward to accept +"Forwarded", the user must also be using a trusted proxy (in front of +lighttpd) which understands and actively modifies the "Forwarded" header +sent to lighttpd. + +lighttpd natively supports RFC7239 "Forwarded" +hiawatha natively supports RFC7239 "Forwarded" + +nginx can be manually configured to add a "Forwarded" header +https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ + +A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) +in front of another 32-bit lighttpd will detect and reject a malicious +"Forwarded" request header, thereby thwarting an attempt to trigger +this bug in an upstream 32-bit lighttpd. + +The following servers currently do not natively support RFC7239 Forwarded: +nginx +apache2 +caddy +node.js +haproxy +squid +varnish-cache +litespeed + +Given the general dearth of support for RFC7239 Forwarded in popular +CDNs and web server reverse proxies, and given the prerequisites in +lighttpd mod_extforward needed to reach this bug, the number of lighttpd +servers vulnerable to this bug is estimated to be vanishingly small. +Large systems using reverse proxies are likely running 64-bit lighttpd, +which is not known to be adversely affected by this bug. + +In the future, it is desirable for more servers to implement RFC7239 +Forwarded. lighttpd developers would like to thank povcfe for reporting +this bug so that it can be fixed before more CDNs and web servers +implement RFC7239 Forwarded. + +x-ref: + "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1" + https://redmine.lighttpd.net/issues/3134 + (not yet written or published) + CVE-2022-22707 +--- + src/mod_extforward.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mod_extforward.c b/src/mod_extforward.c +index ba957e04..fdaef7f6 100644 +--- a/src/mod_extforward.c ++++ b/src/mod_extforward.c +@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c + while (s[i] == ' ' || s[i] == '\t') ++i; + if (s[i] == ';') { ++i; continue; } + if (s[i] == ',') { +- if (j >= (int)(sizeof(offsets)/sizeof(int))) break; ++ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break; + offsets[++j] = -1; /*("offset" separating params from next proxy)*/ + ++i; + continue; +-- +2.25.1 + diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb index 8cb3a9a18c..12d3db937d 100644 --- a/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb +++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.59.bb @@ -14,6 +14,7 @@ RRECOMMENDS:${PN} = "lighttpd-module-access \ lighttpd-module-accesslog" SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \ + file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \ file://index.html.lighttpd \ file://lighttpd.conf \ file://lighttpd \ From patchwork Tue Jan 25 13:46:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2922 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D151C433EF for ; Tue, 25 Jan 2022 13:46:51 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:51 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=f0rAvp7l; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118410; x=1674654410; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=sklVjC9DYjJsgaHdPNE/3KAJe2heIWr+BEz+KMLjJfQ=; b=f0rAvp7l8VB9dmeQLfqnys4Oxr6Sm6av/mEYVL5/3Nk3tvJ3ei9XpCEq +bWIpeI3/1ql5/Eh/JA723BMny4orFXvf9psqNbpKpWDVCwKTkhXqW+dz GpT0tH0Ztn+7VIgpAlAW7Y/l0i4LQbwjCeZPopr20596KoUO/tpiRTzYn 0mIFtpOrsSob7pd+ImZ2ws1XZ+ojYTPDlPw/rjfUiEbF4I37h9X9kDYJ5 VNR/vIAD/v4aei4VWSiemmvdQxkCClSbsoB2XCCG+L64fjjvZzzWtNrVH ISktrXRk6XfNevkbcbpl8aFg9Zzgn26U2uJrjQ1LkAvsVaJCJZD1rs8xT w==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016526" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016526" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:50 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494381" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:49 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 12/13] glibc : Fix CVE-2022-23218 Date: Tue, 25 Jan 2022 21:46:06 +0800 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160933 From: Sundeep KOKKONDA Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=e368b12f6c16b6888dda99ba641e999b9c9643c8] Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=f545ad4928fa1f27a3075265182b38a4f939a5f7] Signed-off-by: pgowda Signed-off-by: Richard Purdie (cherry picked from commit 83fa93b5fdb10a589bad2a9fc83552df8f1dbf28) Signed-off-by: Anuj Mittal --- .../glibc/glibc/0001-CVE-2022-23218.patch | 178 ++++++++++++++++++ .../glibc/glibc/0002-CVE-2022-23218.patch | 126 +++++++++++++ meta/recipes-core/glibc/glibc_2.34.bb | 2 + 3 files changed, 306 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0001-CVE-2022-23218.patch create mode 100644 meta/recipes-core/glibc/glibc/0002-CVE-2022-23218.patch diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2022-23218.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2022-23218.patch new file mode 100644 index 0000000000..4eb1fb7fbe --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2022-23218.patch @@ -0,0 +1,178 @@ +From e368b12f6c16b6888dda99ba641e999b9c9643c8 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Jan 2022 10:21:34 +0100 +Subject: [PATCH] socket: Add the __sockaddr_un_set function + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=e368b12f6c16b6888dda99ba641e999b9c9643c8] +CVE: CVE-2022-23219 + +Reviewed-by: Siddhesh Poyarekar +Signed-off-by: Pgowda +--- + include/sys/un.h | 12 +++++++ + socket/Makefile | 6 +++- + socket/sockaddr_un_set.c | 41 ++++++++++++++++++++++++ + socket/tst-sockaddr_un_set.c | 62 ++++++++++++++++++++++++++++++++++++ + 4 files changed, 120 insertions(+), 1 deletion(-) + create mode 100644 socket/sockaddr_un_set.c + create mode 100644 socket/tst-sockaddr_un_set.c + +diff --git a/include/sys/un.h b/include/sys/un.h +index bdbee99980..152afd9fc7 100644 +--- a/include/sys/un.h ++++ b/include/sys/un.h +@@ -1 +1,13 @@ + #include ++ ++#ifndef _ISOMAC ++ ++/* Set ADDR->sun_family to AF_UNIX and ADDR->sun_path to PATHNAME. ++ Return 0 on success or -1 on failure (due to overlong PATHNAME). ++ The caller should always use sizeof (struct sockaddr_un) as the ++ socket address length, disregaring the length of PATHNAME. ++ Only concrete (non-abstract) pathnames are supported. */ ++int __sockaddr_un_set (struct sockaddr_un *addr, const char *pathname) ++ attribute_hidden; ++ ++#endif /* _ISOMAC */ +diff --git a/socket/Makefile b/socket/Makefile +index 39333e10ca..156eec6c85 100644 +--- a/socket/Makefile ++++ b/socket/Makefile +@@ -29,13 +29,17 @@ headers := sys/socket.h sys/un.h bits/sockaddr.h bits/socket.h \ + routines := accept bind connect getpeername getsockname getsockopt \ + listen recv recvfrom recvmsg send sendmsg sendto \ + setsockopt shutdown socket socketpair isfdtype opensock \ +- sockatmark accept4 recvmmsg sendmmsg ++ sockatmark accept4 recvmmsg sendmmsg sockaddr_un_set + + tests := \ + tst-accept4 \ + tst-sockopt \ + # tests + ++tests-internal := \ ++ tst-sockaddr_un_set \ ++ # tests-internal ++ + tests-time64 := \ + tst-sockopt-time64 \ + # tests +diff --git a/socket/sockaddr_un_set.c b/socket/sockaddr_un_set.c +new file mode 100644 +index 0000000000..0bd40dc34e +--- /dev/null ++++ b/socket/sockaddr_un_set.c +@@ -0,0 +1,41 @@ ++/* Set the sun_path member of struct sockaddr_un. ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++ ++int ++__sockaddr_un_set (struct sockaddr_un *addr, const char *pathname) ++{ ++ size_t name_length = strlen (pathname); ++ ++ /* The kernel supports names of exactly sizeof (addr->sun_path) ++ bytes, without a null terminator, but userspace does not; see the ++ SUN_LEN macro. */ ++ if (name_length >= sizeof (addr->sun_path)) ++ { ++ __set_errno (EINVAL); /* Error code used by the kernel. */ ++ return -1; ++ } ++ ++ addr->sun_family = AF_UNIX; ++ memcpy (addr->sun_path, pathname, name_length + 1); ++ return 0; ++} +diff --git a/socket/tst-sockaddr_un_set.c b/socket/tst-sockaddr_un_set.c +new file mode 100644 +index 0000000000..29c2a81afd +--- /dev/null ++++ b/socket/tst-sockaddr_un_set.c +@@ -0,0 +1,62 @@ ++/* Test the __sockaddr_un_set function. ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++/* Re-compile the function because the version in libc is not ++ exported. */ ++#include "sockaddr_un_set.c" ++ ++#include ++ ++static int ++do_test (void) ++{ ++ struct sockaddr_un sun; ++ ++ memset (&sun, 0xcc, sizeof (sun)); ++ __sockaddr_un_set (&sun, ""); ++ TEST_COMPARE (sun.sun_family, AF_UNIX); ++ TEST_COMPARE (__sockaddr_un_set (&sun, ""), 0); ++ ++ memset (&sun, 0xcc, sizeof (sun)); ++ TEST_COMPARE (__sockaddr_un_set (&sun, "/example"), 0); ++ TEST_COMPARE_STRING (sun.sun_path, "/example"); ++ ++ { ++ char pathname[108]; /* Length of sun_path (ABI constant). */ ++ memset (pathname, 'x', sizeof (pathname)); ++ pathname[sizeof (pathname) - 1] = '\0'; ++ memset (&sun, 0xcc, sizeof (sun)); ++ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), 0); ++ TEST_COMPARE (sun.sun_family, AF_UNIX); ++ TEST_COMPARE_STRING (sun.sun_path, pathname); ++ } ++ ++ { ++ char pathname[109]; ++ memset (pathname, 'x', sizeof (pathname)); ++ pathname[sizeof (pathname) - 1] = '\0'; ++ memset (&sun, 0xcc, sizeof (sun)); ++ errno = 0; ++ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), -1); ++ TEST_COMPARE (errno, EINVAL); ++ } ++ ++ return 0; ++} ++ ++#include +-- +2.27.0 + diff --git a/meta/recipes-core/glibc/glibc/0002-CVE-2022-23218.patch b/meta/recipes-core/glibc/glibc/0002-CVE-2022-23218.patch new file mode 100644 index 0000000000..00fb3266c6 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0002-CVE-2022-23218.patch @@ -0,0 +1,126 @@ +From f545ad4928fa1f27a3075265182b38a4f939a5f7 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Jan 2022 10:21:34 +0100 +Subject: [PATCH] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug + 28768) + +The sunrpc function svcunix_create suffers from a stack-based buffer +overflow with overlong pathname arguments. + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=f545ad4928fa1f27a3075265182b38a4f939a5f7] +CVE: CVE-2022-23218 + +Reviewed-by: Siddhesh Poyarekar +Signed-off-by: Pgowda +--- + NEWS | 3 +++ + sunrpc/Makefile | 2 +- + sunrpc/svc_unix.c | 11 ++++------- + sunrpc/tst-bug28768.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 50 insertions(+), 8 deletions(-) + create mode 100644 sunrpc/tst-bug28768.c + +diff --git a/NEWS b/NEWS +index 38a9ddb2cf..38802f0673 100644 +--- a/NEWS ++++ b/NEWS +@@ -203,6 +203,9 @@ Security related changes: + parameter number when processing the expansion resulting in a crash. + Reported by Philippe Antoine. + ++ CVE-2022-23218: Passing an overlong file name to the svcunix_create ++ legacy function could result in a stack-based buffer overflow. ++ + The following bugs are resolved with this release: + + [4737] libc: fork is not async-signal-safe +diff --git a/sunrpc/Makefile b/sunrpc/Makefile +index 183ef3dc55..a79a7195fc 100644 +--- a/sunrpc/Makefile ++++ b/sunrpc/Makefile +@@ -65,7 +65,7 @@ shared-only-routines = $(routines) + endif + + tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ +- tst-udp-nonblocking ++ tst-udp-nonblocking tst-bug28768 + xtests := tst-getmyaddr + + ifeq ($(have-thread-library),yes) +diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c +index f2280b4c49..67177a2e78 100644 +--- a/sunrpc/svc_unix.c ++++ b/sunrpc/svc_unix.c +@@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize + SVCXPRT *xprt; + struct unix_rendezvous *r; + struct sockaddr_un addr; +- socklen_t len = sizeof (struct sockaddr_in); ++ socklen_t len = sizeof (addr); ++ ++ if (__sockaddr_un_set (&addr, path) < 0) ++ return NULL; + + if (sock == RPC_ANYSOCK) + { +@@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize + } + madesock = TRUE; + } +- memset (&addr, '\0', sizeof (addr)); +- addr.sun_family = AF_UNIX; +- len = strlen (path) + 1; +- memcpy (addr.sun_path, path, len); +- len += sizeof (addr.sun_family); +- + __bind (sock, (struct sockaddr *) &addr, len); + + if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0 +diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c +new file mode 100644 +index 0000000000..35a4b7b0b3 +--- /dev/null ++++ b/sunrpc/tst-bug28768.c +@@ -0,0 +1,42 @@ ++/* Test to verify that long path is rejected by svcunix_create (bug 28768). ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++/* svcunix_create does not have a default version in linkobj/libc.so. */ ++compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1); ++ ++static int ++do_test (void) ++{ ++ char pathname[109]; ++ memset (pathname, 'x', sizeof (pathname)); ++ pathname[sizeof (pathname) - 1] = '\0'; ++ ++ errno = 0; ++ TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL); ++ TEST_COMPARE (errno, EINVAL); ++ ++ return 0; ++} ++ ++#include diff --git a/meta/recipes-core/glibc/glibc_2.34.bb b/meta/recipes-core/glibc/glibc_2.34.bb index 7efc1ec1ef..742ab61a2b 100644 --- a/meta/recipes-core/glibc/glibc_2.34.bb +++ b/meta/recipes-core/glibc/glibc_2.34.bb @@ -59,6 +59,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0002-CVE-2021-38604.patch \ file://0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ file://CVE-2021-43396.patch \ + file://0001-CVE-2022-23218.patch \ + file://0002-CVE-2022-23218.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" From patchwork Tue Jan 25 13:46:07 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mittal, Anuj" X-Patchwork-Id: 2923 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D976C433EF for ; Tue, 25 Jan 2022 13:46:53 +0000 (UTC) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.7230.1643118392810459867 for ; Tue, 25 Jan 2022 05:46:52 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=ZmFfhEPq; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: anuj.mittal@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1643118412; x=1674654412; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=k7C2mxiRvpO0A/V0J8ljQg/gloDGSFeG1DnwwkXCuwU=; b=ZmFfhEPqIt2ks3u+DAVdTRYwJMIYCziExbTtiR74dT+T6PvHEioGeYqV D3S0sRAPV3hxuzMQG2eInhPLRlB6eZH1PSpNbNaA7uDzGUmBub2NnHlZx wAaFeSYKE/2ER61Apw97Aim2Vz4B1FuCyUPtzrsIwLA6+DgVaHeaUZ+Z4 qAnQLjwXLj6Q3TwSzstruC4sQHUFDpk7jFy+RcHdgikNbcvR7iP0VZCPU cKihjkyClXObku4UPH3coykc/a4MojZ0FSfsnarr9li+Vw+rflecJKm7W iyrCd7i+vCQbgY6xBNX29RKxl8zCiwQPOmv0f0ZHPSmrujgV4w9+cDOQI A==; X-IronPort-AV: E=McAfee;i="6200,9189,10237"; a="307016532" X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="307016532" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:52 -0800 X-IronPort-AV: E=Sophos;i="5.88,315,1635231600"; d="scan'208";a="479494388" Received: from gleong3-mobl.gar.corp.intel.com (HELO anmitta2-mobl3.intel.com) ([10.215.227.175]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Jan 2022 05:46:51 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Subject: [honister][PATCH 13/13] glibc : Fix CVE-2022-23219 Date: Tue, 25 Jan 2022 21:46:07 +0800 Message-Id: <2d3c5b078feb34cb729902292d2805c9288ebc4c.1643113252.git.anuj.mittal@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 25 Jan 2022 13:46:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/160934 From: Sundeep KOKKONDA Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=226b46770c82899b555986583294b049c6ec9b40] Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=ef972a4c50014a16132b5c75571cfb6b30bef136] Signed-off-by: pgowda Signed-off-by: Richard Purdie (cherry picked from commit 6ad7240c732dd63e74ac32588b92241030c194ae) Signed-off-by: Anuj Mittal --- .../glibc/glibc/0001-CVE-2022-23219.patch | 55 ++++++++++++ .../glibc/glibc/0002-CVE-2022-23219.patch | 89 +++++++++++++++++++ meta/recipes-core/glibc/glibc_2.34.bb | 2 + 3 files changed, 146 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0001-CVE-2022-23219.patch create mode 100644 meta/recipes-core/glibc/glibc/0002-CVE-2022-23219.patch diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2022-23219.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2022-23219.patch new file mode 100644 index 0000000000..261c2909db --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2022-23219.patch @@ -0,0 +1,55 @@ +From 226b46770c82899b555986583294b049c6ec9b40 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 17 Jan 2022 10:21:34 +0100 +Subject: [PATCH] CVE-2022-23219: Buffer overflow in sunrpc clnt_create for + "unix" (bug 22542) + +Processing an overlong pathname in the sunrpc clnt_create function +results in a stack-based buffer overflow. + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=226b46770c82899b555986583294b049c6ec9b40] +CVE: CVE-2022-23219 + +Reviewed-by: Siddhesh Poyarekar +Signed-off-by: Pgowda +--- + NEWS | 4 +++- + sunrpc/clnt_gen.c | 10 +++++++--- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/NEWS b/NEWS +index ddd95a8329..38a9ddb2cf 100644 +--- a/NEWS ++++ b/NEWS +@@ -206,6 +206,10 @@ Security related changes: + CVE-2022-23218: Passing an overlong file name to the svcunix_create + legacy function could result in a stack-based buffer overflow. + ++ CVE-2022-23219: Passing an overlong file name to the clnt_create ++ legacy function could result in a stack-based buffer overflow when ++ using the "unix" protocol. Reported by Martin Sebor. ++ + The following bugs are resolved with this release: + + [4737] libc: fork is not async-signal-safe +diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c +index 13ced8994e..b44357cd88 100644 +--- a/sunrpc/clnt_gen.c ++++ b/sunrpc/clnt_gen.c +@@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_lon + + if (strcmp (proto, "unix") == 0) + { +- memset ((char *)&sun, 0, sizeof (sun)); +- sun.sun_family = AF_UNIX; +- strcpy (sun.sun_path, hostname); ++ if (__sockaddr_un_set (&sun, hostname) < 0) ++ { ++ struct rpc_createerr *ce = &get_rpc_createerr (); ++ ce->cf_stat = RPC_SYSTEMERROR; ++ ce->cf_error.re_errno = errno; ++ return NULL; ++ } + sock = RPC_ANYSOCK; + client = clntunix_create (&sun, prog, vers, &sock, 0, 0); + if (client == NULL) diff --git a/meta/recipes-core/glibc/glibc/0002-CVE-2022-23219.patch b/meta/recipes-core/glibc/glibc/0002-CVE-2022-23219.patch new file mode 100644 index 0000000000..6779e9afdf --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0002-CVE-2022-23219.patch @@ -0,0 +1,89 @@ +From ef972a4c50014a16132b5c75571cfb6b30bef136 Mon Sep 17 00:00:00 2001 +From: Martin Sebor +Date: Mon, 17 Jan 2022 10:21:34 +0100 +Subject: [PATCH] sunrpc: Test case for clnt_create "unix" buffer overflow (bug + 22542) + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=ef972a4c50014a16132b5c75571cfb6b30bef136] +CVE: CVE-2022-23219 + +Reviewed-by: Siddhesh Poyarekar +Signed-off-by: Pgowda +--- + sunrpc/Makefile | 5 ++++- + sunrpc/tst-bug22542.c | 44 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 48 insertions(+), 1 deletion(-) + create mode 100644 sunrpc/tst-bug22542.c + +diff --git a/sunrpc/Makefile b/sunrpc/Makefile +index 9a31fe48b9..183ef3dc55 100644 +--- a/sunrpc/Makefile ++++ b/sunrpc/Makefile +@@ -65,7 +65,7 @@ shared-only-routines = $(routines) + endif + + tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ +- tst-udp-nonblocking tst-bug28768 ++ tst-udp-nonblocking tst-bug22542 tst-bug28768 + xtests := tst-getmyaddr + + ifeq ($(have-thread-library),yes) +@@ -110,6 +110,8 @@ $(objpfx)tst-udp-nonblocking: $(common-o + $(objpfx)tst-udp-garbage: \ + $(common-objpfx)linkobj/libc.so $(shared-thread-library) + ++$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so ++ + else # !have-GLIBC_2.31 + + routines = $(routines-for-nss) +diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c +new file mode 100644 +index 0000000000..d6cd79787b +--- /dev/null ++++ b/sunrpc/tst-bug22542.c +@@ -0,0 +1,44 @@ ++/* Test to verify that overlong hostname is rejected by clnt_create ++ and doesn't cause a buffer overflow (bug 22542). ++ ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ /* Create an arbitrary hostname that's longer than fits in sun_path. */ ++ char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2]; ++ memset (name, 'x', sizeof name - 1); ++ name [sizeof name - 1] = '\0'; ++ ++ errno = 0; ++ CLIENT *clnt = clnt_create (name, 0, 0, "unix"); ++ ++ TEST_VERIFY (clnt == NULL); ++ TEST_COMPARE (errno, EINVAL); ++ return 0; ++} ++ ++#include diff --git a/meta/recipes-core/glibc/glibc_2.34.bb b/meta/recipes-core/glibc/glibc_2.34.bb index 742ab61a2b..92787097aa 100644 --- a/meta/recipes-core/glibc/glibc_2.34.bb +++ b/meta/recipes-core/glibc/glibc_2.34.bb @@ -61,6 +61,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://CVE-2021-43396.patch \ file://0001-CVE-2022-23218.patch \ file://0002-CVE-2022-23218.patch \ + file://0001-CVE-2022-23219.patch \ + file://0002-CVE-2022-23219.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}"