From patchwork Sun Aug 13 21:18:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28742 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33AA2EB64DD for ; Sun, 13 Aug 2023 21:18:39 +0000 (UTC) Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com [209.85.216.47]) by mx.groups.io with SMTP id smtpd.web10.93996.1691961518829896993 for ; Sun, 13 Aug 2023 14:18:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=FkuLndzl; spf=softfail (domain: sakoman.com, ip: 209.85.216.47, mailfrom: steve@sakoman.com) Received: by mail-pj1-f47.google.com with SMTP id 98e67ed59e1d1-26934bc3059so3263364a91.1 for ; Sun, 13 Aug 2023 14:18:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961518; x=1692566318; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=G9TpSKyHIKB271Lc9+JiPqCdCBurjG3vixiJZtLO9WE=; b=FkuLndzlfh+l2AV36ajb7W6FCzEAR5nnp8QFAv8Pvww902cFuPGKRXDunujG16SccG oidlmEdOKk10bQLXnupxFl12Dyr3XZY/FrAkAk0oQ/9v7ZqxOMjBi9a2f9qedTqndxmH 6XXApd1k0NwKgjSYN9AbcXaxL4AYOdN8UxaW49B6jZAPTccbExxgPYuZpDK3L21F6n6Z OrdlBGaIdJ4kBI5GeAV4wvTSP7Chp38VvXVdNtUUAB+/5CxceYGBoxzHczdvw0O3N1Y4 SN5vPDTQMZye9u8V0Is7myUG2MzyhSK5a/hidWp5ZFCYCbkAhb4EMTGYqmFZzcWxQ+El eyVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961518; x=1692566318; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=G9TpSKyHIKB271Lc9+JiPqCdCBurjG3vixiJZtLO9WE=; b=gmkHmz/mgrOV6ln3HSF1vcftN21CMJO/WRc9v7Bmp6RSVEU0LSghETl+iOAsvqE/dp pismle7RxFmsjRhR7eXjcg3hA+sE64CPLd3h1wEkRVMPjIc7LYnNxYpLsvdF76YZ9rH1 oXP/LjuR99I0WrrpPxnlD0arpvHpF1Rz6HSoVXnUOvkKoNe9M8tLkWiCqjI3hLvB14JP I3rpZUxqYzbyQvHb9fmQYiTS1Uh8USsERtkIo5KblWRXTWSIsmao7ngGtyfKMZTPEJR+ WLtRZ0rLruN6sT+vrfEZeikKOneDT4mH2F0YQAN5JXmofDLGtfPknpmldebujb4cD5AI AjKw== X-Gm-Message-State: AOJu0Yx4mwqC/Q/o2u3fu2t8YDDGjf08Xm5M5UqFythUjcda2QC74c8h NR1yBCFWNZ62GUWjwuEqcvwwy7rkthOv2CzrFVlgcA== X-Google-Smtp-Source: AGHT+IGVvkXflDFQa3m2r9+RBHSjyXBqNTbuPfLARJlQoH2anMmg5OG1UenTq9n/ditI8HFVvdNzUQ== X-Received: by 2002:a17:90b:388a:b0:26b:455b:8d61 with SMTP id mu10-20020a17090b388a00b0026b455b8d61mr4311754pjb.22.1691961517817; Sun, 13 Aug 2023 14:18:37 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.18.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:18:37 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 01/22] ruby/cgi-gem: CVE-2021-33621 HTTP response splitting in CGI Date: Sun, 13 Aug 2023 11:18:07 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:18:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185892 From: Hitendra Prajapati Upstream-Status: Backport from https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../ruby/ruby/CVE-2021-33621.patch | 139 ++++++++++++++++++ meta/recipes-devtools/ruby/ruby_2.7.6.bb | 1 + 2 files changed, 140 insertions(+) create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch new file mode 100644 index 0000000000..cc2f9853db --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch @@ -0,0 +1,139 @@ +From 64c5045c0a6b84fdb938a8465a0890e5f7162708 Mon Sep 17 00:00:00 2001 +From: Yusuke Endoh +Date: Tue, 22 Nov 2022 10:49:27 +0900 +Subject: [PATCH] Prevent CRLF injection + +Throw a RuntimeError if the HTTP response header contains CR or LF to +prevent HTTP response splitting. + +https://hackerone.com/reports/1204695 + +Upstream-Status: Backport [https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708] +CVE: CVE-2021-33621 +Signed-off-by: Hitendra Prajapati +--- + lib/cgi/core.rb | 45 +++++++++++++++++++++++-------------- + test/cgi/test_cgi_header.rb | 8 +++++++ + 2 files changed, 36 insertions(+), 17 deletions(-) + +diff --git a/lib/cgi/core.rb b/lib/cgi/core.rb +index bec76e0..62e6068 100644 +--- a/lib/cgi/core.rb ++++ b/lib/cgi/core.rb +@@ -188,17 +188,28 @@ class CGI + # Using #header with the HTML5 tag maker will create a
element. + alias :header :http_header + ++ def _no_crlf_check(str) ++ if str ++ str = str.to_s ++ raise "A HTTP status or header field must not include CR and LF" if str =~ /[\r\n]/ ++ str ++ else ++ nil ++ end ++ end ++ private :_no_crlf_check ++ + def _header_for_string(content_type) #:nodoc: + buf = ''.dup + if nph?() +- buf << "#{$CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'} 200 OK#{EOL}" ++ buf << "#{_no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'} 200 OK#{EOL}" + buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}" +- buf << "Server: #{$CGI_ENV['SERVER_SOFTWARE']}#{EOL}" ++ buf << "Server: #{_no_crlf_check($CGI_ENV['SERVER_SOFTWARE'])}#{EOL}" + buf << "Connection: close#{EOL}" + end +- buf << "Content-Type: #{content_type}#{EOL}" ++ buf << "Content-Type: #{_no_crlf_check(content_type)}#{EOL}" + if @output_cookies +- @output_cookies.each {|cookie| buf << "Set-Cookie: #{cookie}#{EOL}" } ++ @output_cookies.each {|cookie| buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}" } + end + return buf + end # _header_for_string +@@ -213,9 +224,9 @@ class CGI + ## NPH + options.delete('nph') if defined?(MOD_RUBY) + if options.delete('nph') || nph?() +- protocol = $CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0' ++ protocol = _no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0' + status = options.delete('status') +- status = HTTP_STATUS[status] || status || '200 OK' ++ status = HTTP_STATUS[status] || _no_crlf_check(status) || '200 OK' + buf << "#{protocol} #{status}#{EOL}" + buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}" + options['server'] ||= $CGI_ENV['SERVER_SOFTWARE'] || '' +@@ -223,38 +234,38 @@ class CGI + end + ## common headers + status = options.delete('status') +- buf << "Status: #{HTTP_STATUS[status] || status}#{EOL}" if status ++ buf << "Status: #{HTTP_STATUS[status] || _no_crlf_check(status)}#{EOL}" if status + server = options.delete('server') +- buf << "Server: #{server}#{EOL}" if server ++ buf << "Server: #{_no_crlf_check(server)}#{EOL}" if server + connection = options.delete('connection') +- buf << "Connection: #{connection}#{EOL}" if connection ++ buf << "Connection: #{_no_crlf_check(connection)}#{EOL}" if connection + type = options.delete('type') +- buf << "Content-Type: #{type}#{EOL}" #if type ++ buf << "Content-Type: #{_no_crlf_check(type)}#{EOL}" #if type + length = options.delete('length') +- buf << "Content-Length: #{length}#{EOL}" if length ++ buf << "Content-Length: #{_no_crlf_check(length)}#{EOL}" if length + language = options.delete('language') +- buf << "Content-Language: #{language}#{EOL}" if language ++ buf << "Content-Language: #{_no_crlf_check(language)}#{EOL}" if language + expires = options.delete('expires') + buf << "Expires: #{CGI.rfc1123_date(expires)}#{EOL}" if expires + ## cookie + if cookie = options.delete('cookie') + case cookie + when String, Cookie +- buf << "Set-Cookie: #{cookie}#{EOL}" ++ buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}" + when Array + arr = cookie +- arr.each {|c| buf << "Set-Cookie: #{c}#{EOL}" } ++ arr.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" } + when Hash + hash = cookie +- hash.each_value {|c| buf << "Set-Cookie: #{c}#{EOL}" } ++ hash.each_value {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" } + end + end + if @output_cookies +- @output_cookies.each {|c| buf << "Set-Cookie: #{c}#{EOL}" } ++ @output_cookies.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" } + end + ## other headers + options.each do |key, value| +- buf << "#{key}: #{value}#{EOL}" ++ buf << "#{_no_crlf_check(key)}: #{_no_crlf_check(value)}#{EOL}" + end + return buf + end # _header_for_hash +diff --git a/test/cgi/test_cgi_header.rb b/test/cgi/test_cgi_header.rb +index bab2d03..ec2f4de 100644 +--- a/test/cgi/test_cgi_header.rb ++++ b/test/cgi/test_cgi_header.rb +@@ -176,6 +176,14 @@ class CGIHeaderTest < Test::Unit::TestCase + end + + ++ def test_cgi_http_header_crlf_injection ++ cgi = CGI.new ++ assert_raise(RuntimeError) { cgi.http_header("text/xhtml\r\nBOO") } ++ assert_raise(RuntimeError) { cgi.http_header("type" => "text/xhtml\r\nBOO") } ++ assert_raise(RuntimeError) { cgi.http_header("status" => "200 OK\r\nBOO") } ++ assert_raise(RuntimeError) { cgi.http_header("location" => "text/xhtml\r\nBOO") } ++ end ++ + + instance_methods.each do |method| + private method if method =~ /^test_(.*)/ && $1 != ENV['TEST'] +-- +2.25.1 + diff --git a/meta/recipes-devtools/ruby/ruby_2.7.6.bb b/meta/recipes-devtools/ruby/ruby_2.7.6.bb index 91ffde5fa3..7e6373bd24 100644 --- a/meta/recipes-devtools/ruby/ruby_2.7.6.bb +++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb @@ -8,6 +8,7 @@ SRC_URI += " \ file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \ file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \ file://CVE-2023-28756.patch \ + file://CVE-2021-33621.patch \ " SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042" From patchwork Sun Aug 13 21:18:08 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28744 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F25C4EB64DD for ; Sun, 13 Aug 2023 21:18:58 +0000 (UTC) Received: from mail-pg1-f171.google.com (mail-pg1-f171.google.com [209.85.215.171]) by mx.groups.io with SMTP id smtpd.web11.93765.1691961533193774004 for ; Sun, 13 Aug 2023 14:18:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=KHPiV0Fw; spf=softfail (domain: sakoman.com, ip: 209.85.215.171, mailfrom: steve@sakoman.com) Received: by mail-pg1-f171.google.com with SMTP id 41be03b00d2f7-53fbf2c42bfso2827255a12.3 for ; Sun, 13 Aug 2023 14:18:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961532; x=1692566332; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=9dNKEzIv8K35X2oHbhtt1tirDQGddFh7kL0PwSNic7w=; b=KHPiV0FwSgj0oLB74MO9pnRjEqkuQmsqbA8mPnqL3kyHWFKki8zogE37Ku5wqX3UtI 2v9uRs81GWoWoL+WugqUyBq2/SxmSs9pri8rmGGsYCXRJsoRl8PS6NZFimEUWYpO4L7p D0ZppJoYUwY8MgmBpJ3Qo9r+mnP32ktOEdAkvxswULOoJtZLwA85wcio4yMp58DA6CPF mgPuM85XHl8/FHpLrjs3Nc93G61bhHQ/FxGwaWyVnNmBmqkItHkUE3uWpa/hTVPUCnP1 hPWGniAkGqCqbLdIVL2IrFuPEHZQEg+RsZl4PBQv6U1bYglqy2gelW9hAaT6cpIWqbyq +/og== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961532; x=1692566332; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9dNKEzIv8K35X2oHbhtt1tirDQGddFh7kL0PwSNic7w=; b=Rn8NCRiQVNE0+gQHu1hCSWmOLlojCAj/CF9wfPmp/MStCdsZ5iUudy3QKeTCVTmZBU wzuDmEsokYNtIHYKfc4jvG36oERexuw9sxIlYj6BlZlh1e9RZeqk3uYZb7DXHPRwJ1Lu PJbanvUlNuVvs+nPaEt4grJTHeQSDld3KAb+mGUA7rutE2/w5YeF4eK7wM2Xb8o/4LXn MrBPg/oKcpWsP2Mw0kmEhNX+syPpK5MKmv3ilUHwwUvyAhWT3D+Ga0rluAdp9lBM6tr2 b2f1xoHhs5nIYwCesimw35mCnfNpx6F1wAOYnhcHlVo+gR/Lw/kDNwx+0LvZorPJ0bUk netA== X-Gm-Message-State: AOJu0YwQhPDdjD2iUFfUtYgdQJqH7BQksG+pV4e2+Ki3pDm64m+ccdg3 YhxEqMTIylpt+9q47lorjfGoJMNa8Kt9BCAhu9I/AQ== X-Google-Smtp-Source: AGHT+IHhkPY/gbKe5hvF58CK8aTaTKStWFeOrncFYLmVroZKNYUxWe7ILdCEtjmpAbUwhISjeOiQYw== X-Received: by 2002:a17:902:f68d:b0:1bc:14f0:b76c with SMTP id l13-20020a170902f68d00b001bc14f0b76cmr9294093plg.65.1691961532228; Sun, 13 Aug 2023 14:18:52 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.18.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:18:51 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 02/22] python3: ignore CVE-2023-36632 Date: Sun, 13 Aug 2023 11:18:08 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:18:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185893 From: Peter Marko This CVE shouldn't have been filed as the "exploit" is described in the documentation as how the library behaves. Signed-off-by: Ross Burton Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18) Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-devtools/python/python3_3.8.17.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/python/python3_3.8.17.bb b/meta/recipes-devtools/python/python3_3.8.17.bb index 8c00d65794..00c4ff497a 100644 --- a/meta/recipes-devtools/python/python3_3.8.17.bb +++ b/meta/recipes-devtools/python/python3_3.8.17.bb @@ -61,6 +61,8 @@ CVE_CHECK_WHITELIST += "CVE-2020-15523 CVE-2022-26488" # The mailcap module is insecure by design, so this can't be fixed in a meaningful way. # The module will be removed in the future and flaws documented. CVE_CHECK_WHITELIST += "CVE-2015-20107" +# Not an issue, in fact expected behaviour +CVE_CHECK_WHITELIST += "CVE-2023-36632" PYTHON_MAJMIN = "3.8" From patchwork Sun Aug 13 21:18:09 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28745 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A98FC41513 for ; Sun, 13 Aug 2023 21:18:59 +0000 (UTC) Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) by mx.groups.io with SMTP id smtpd.web10.94006.1691961535558011088 for ; Sun, 13 Aug 2023 14:18:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=ucFmO9U8; spf=softfail (domain: sakoman.com, ip: 209.85.215.174, mailfrom: steve@sakoman.com) Received: by mail-pg1-f174.google.com with SMTP id 41be03b00d2f7-53482b44007so2093577a12.2 for ; Sun, 13 Aug 2023 14:18:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961534; x=1692566334; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=+8TMDY+xSITx+/BeUYw2zSYsyva/TX5g5lvqAtA+SNs=; b=ucFmO9U8hDMWj9seBEU4tU9COT4tcbMmpO432rqebCmrkHheDfNnuy60rnVdD/QzIE yZXz9uL67dV9YX2aCq9jP0Z0bydvS2rbEz3u1HL+3RZczcIdUP9VflltAtIqeHYBOluw xTKsjS58p4/kMVyyuwqQvX2+GVSCDUdax1zm5V7Z5pSWGWc8RzQY/6KK1zAjEbm44c5S Uho7Oj0JS7WPPDjWQgAuFDWtEOwqtFCNm/Ks479s+8YpodHqcqwM1V0lz77uPvSo6ttK q/en6gyjEL+somL0rDKdv5aSJivxr779QY+mIRMyhSHCc1uWscO2hnUGR9XZCX7lcO+6 u/Lw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961534; x=1692566334; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+8TMDY+xSITx+/BeUYw2zSYsyva/TX5g5lvqAtA+SNs=; b=ZwSULUrnoe7FAlrWypXppmqOi8lKyPA6zlCNb+gr+3KIVRHwVMbwdwxNR1vxkU1P3a ZgEqWgKt4dvkciaOpfsA1QvBHhqL+N3aYZX/GLh0EAGlQH68v2xSjKAbW/ktQoAImrLN nr1PRT+iXP8EPBFtTW7QW/ry2b+pc7lLCiINRX3lx0yuP4tZCi/MuVkKAPORTZRtFAdx pSjyEV72pi2iNR8CbWBkwUvNHQgj8Aj5CWW/q+pv9Il1XFgVJU7d8DN6NOR5gIc2TDmS 2R38xU2BymnB7JNKQrbjatBr1bjqN5BHNtCRs5JZNhTB3Fm+EEAmakfGZNci+3Z1D7TG nfSA== X-Gm-Message-State: AOJu0Yw1WWGrKDtUuQ32e7RAvp5xT3Kw3CJrDYjiEBS7HAMC5yzHULz4 0GSKAEpq40MIArP2wBnQZJbk2Seoa/KeSHspUbqWnQ== X-Google-Smtp-Source: AGHT+IH9ziTCymGEk4vKKRO7VaEakxaJOgZInjK8MxIndZ4hBCntc5ay4X6fc/0vi/yxx410Q8BfYA== X-Received: by 2002:a17:90a:cb09:b0:268:def:a322 with SMTP id z9-20020a17090acb0900b002680defa322mr4735136pjt.9.1691961534344; Sun, 13 Aug 2023 14:18:54 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.18.53 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:18:53 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 03/22] libjpeg-turbo: patch CVE-2023-2804 Date: Sun, 13 Aug 2023 11:18:09 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:18:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185894 From: Peter Marko Relevant links: * linked fronm NVD: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118 * follow-up analysis: * https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989 * picked commits fix all issues mentioned in this analysis Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../jpeg/files/CVE-2023-2804-1.patch | 97 +++++++++++++++++++ .../jpeg/files/CVE-2023-2804-2.patch | 75 ++++++++++++++ .../jpeg/libjpeg-turbo_2.0.4.bb | 2 + 3 files changed, 174 insertions(+) create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch new file mode 100644 index 0000000000..6668f6e41d --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch @@ -0,0 +1,97 @@ +From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001 +From: DRC +Date: Tue, 4 Apr 2023 19:06:20 -0500 +Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565 + +The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565 +is the only 3-component colorspace that doesn't have 3-sample pixels, so +we need to treat it as a special case when determining whether to enable +2-pass color quantization. Otherwise, attempting to initialize 2-pass +color quantization with an RGB565 output buffer could cause +prescan_quantize() to read from uninitialized memory and subsequently +underflow/overflow the histogram array. + +djpeg is supposed to fail gracefully if both -rgb565 and -colors are +specified, because none of its destination managers (image writers) +support color quantization with RGB565. However, prescan_quantize() was +called before that could occur. It is possible but very unlikely that +these issues could have been reproduced in applications other than +djpeg. The issues involve the use of two features (12-bit precision and +RGB565) that are incompatible, and they also involve the use of two +rarely-used legacy features (RGB565 and color quantization) that don't +make much sense when combined. + +Fixes #668 +Fixes #671 +Fixes #680 + +CVE: CVE-2023-2804 +Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d] + +Signed-off-by: Peter Marko +--- + ChangeLog.md | 6 ++++++ + jdmaster.c | 5 +++-- + jquant2.c | 5 +++-- + 3 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog.md b/ChangeLog.md +index e605abe73..de0c4d0dd 100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -1,3 +1,9 @@ quality values. ++9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer ++overruns when attempting to decompress various specially-crafted malformed ++12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg ++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion ++enabled. ++ + 2.0.4 + ===== + +diff --git a/jdmaster.c b/jdmaster.c +index b20906438..8d8ef9956 100644 +--- a/jdmaster.c ++++ b/jdmaster.c +@@ -5,7 +5,7 @@ + * Copyright (C) 1991-1997, Thomas G. Lane. + * Modified 2002-2009 by Guido Vollbeding. + * libjpeg-turbo Modifications: +- * Copyright (C) 2009-2011, 2016, D. R. Commander. ++ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander. + * Copyright (C) 2013, Linaro Limited. + * Copyright (C) 2015, Google, Inc. + * For conditions of distribution and use, see the accompanying README.ijg +@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo) + if (cinfo->raw_data_out) + ERREXIT(cinfo, JERR_NOTIMPL); + /* 2-pass quantizer only works in 3-component color space. */ +- if (cinfo->out_color_components != 3) { ++ if (cinfo->out_color_components != 3 || ++ cinfo->out_color_space == JCS_RGB565) { + cinfo->enable_1pass_quant = TRUE; + cinfo->enable_external_quant = FALSE; + cinfo->enable_2pass_quant = FALSE; +diff --git a/jquant2.c b/jquant2.c +index 6570613bb..c760380fb 100644 +--- a/jquant2.c ++++ b/jquant2.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1991-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2009, 2014-2015, D. R. Commander. ++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander. + * For conditions of distribution and use, see the accompanying README.ijg + * file. + * +@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo) + cquantize->error_limiter = NULL; + + /* Make sure jdmaster didn't give me a case I can't handle */ +- if (cinfo->out_color_components != 3) ++ if (cinfo->out_color_components != 3 || ++ cinfo->out_color_space == JCS_RGB565) + ERREXIT(cinfo, JERR_NOTIMPL); + + /* Allocate the histogram/inverse colormap storage */ diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch new file mode 100644 index 0000000000..bcba0b513d --- /dev/null +++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch @@ -0,0 +1,75 @@ +From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001 +From: DRC +Date: Thu, 6 Apr 2023 18:33:41 -0500 +Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp + +When computing the downsampled width for a particular component, +jpeg_crop_scanline() needs to take into account the fact that the +libjpeg code uses a combination of IDCT scaling and upsampling to +implement 4x2 and 2x4 upsampling with certain decompression scaling +factors. Failing to account for that led to incomplete upsampling of +4x2- or 2x4-subsampled components, which caused the color converter to +read from uninitialized memory. With 12-bit data precision, this caused +a buffer overrun or underrun and subsequent segfault if the +uninitialized memory contained a value that was outside of the valid +sample range (because the color converter uses the value as an array +index.) + +Fixes #669 + +CVE: CVE-2023-2804 +Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001] + +Signed-off-by: Peter Marko +--- + ChangeLog.md | 8 ++++++++ + jdapistd.c | 10 ++++++---- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog.md b/ChangeLog.md +index de0c4d0dd..159bd1610 100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed + (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion + enabled. + ++10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the ++downsampled width for components with 4x2 or 2x4 subsampling factors if ++decompression scaling was enabled. This caused the components to be upsampled ++incompletely, which caused the color converter to read from uninitialized ++memory. With 12-bit data precision, this caused a buffer overrun or underrun ++and subsequent segfault if the sample value read from unitialized memory was ++outside of the valid sample range. ++ + 2.0.4 + ===== + +diff --git a/jdapistd.c b/jdapistd.c +index 628626254..eb577928c 100644 +--- a/jdapistd.c ++++ b/jdapistd.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander. ++ * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander. + * Copyright (C) 2015, Google, Inc. + * For conditions of distribution and use, see the accompanying README.ijg + * file. +@@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset, + /* Set downsampled_width to the new output width. */ + orig_downsampled_width = compptr->downsampled_width; + compptr->downsampled_width = +- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width * +- compptr->h_samp_factor), +- (long)cinfo->max_h_samp_factor); ++ (JDIMENSION)jdiv_round_up((long)cinfo->output_width * ++ (long)(compptr->h_samp_factor * ++ compptr->_DCT_scaled_size), ++ (long)(cinfo->max_h_samp_factor * ++ cinfo->_min_DCT_scaled_size)); + if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2) + reinit_upsampler = TRUE; + diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb index 630b20300f..fda425c219 100644 --- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb +++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb @@ -16,6 +16,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \ file://CVE-2021-46822.patch \ file://CVE-2020-35538-1.patch \ file://CVE-2020-35538-2.patch \ + file://CVE-2023-2804-1.patch \ + file://CVE-2023-2804-2.patch \ " SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855" From patchwork Sun Aug 13 21:18:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28746 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1BD2BC001E0 for ; Sun, 13 Aug 2023 21:18:59 +0000 (UTC) Received: from mail-pg1-f169.google.com (mail-pg1-f169.google.com [209.85.215.169]) by mx.groups.io with SMTP id smtpd.web11.93766.1691961537427160165 for ; Sun, 13 Aug 2023 14:18:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=R7lIC3jW; spf=softfail (domain: sakoman.com, ip: 209.85.215.169, mailfrom: steve@sakoman.com) Received: by mail-pg1-f169.google.com with SMTP id 41be03b00d2f7-51b4ef5378bso2836665a12.1 for ; Sun, 13 Aug 2023 14:18:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961536; x=1692566336; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=VxE1b5ft6mxqgqoiOQHLY5LwCkR+DWiCFO3p23KXVNY=; b=R7lIC3jWhbG4Yay87vB8z7GLpDS50IqZdmutnONJIN+1lVOe8uKc3WjsqcbrDXcREv cc392cso5/el0A5COd6l+nkjLyRvz0E9DfzOrj5mNqW9sRwnUgUd2L5lNrhuo+TyDYdj bsNTGYzNu2WvkFP3D1rw03GNox4MEG3FklHmd/k2NNIKIEV5TIqkOuoF9WweqV17TtQS 2JhImTR9GYz6yh5k4SEGqS9BQtbpOja1qCxoUgPkCQ/NeiO0rQkSUGYfrdzLjSX+vfQo ZYuCuJSpH3GprbaATUrjqJLzHQ6o8/CmI8FGnNDVoNtv4bP8e0QId02+w1+eGRMC50VG v8gw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961536; x=1692566336; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=VxE1b5ft6mxqgqoiOQHLY5LwCkR+DWiCFO3p23KXVNY=; b=KjLhNISanpy5f29FcTmi0S4OZdzo/DOIJvDCRLi50MKoFZpj0zUv7zHV0K2oJSZdOD /GaFHQ/BQeHawsExr2IspRgwWvIMwnPGvToYIKfQu/V4EyCdx7hXrv/oZ40D2cDolGvA dqKbjK7xSn+tlcRIAoP7UWFyMzVCzQERKih22cfYPlir93DlBc6cyr0NB4ykFeNuuuBv AMY+T3M7wHNEw0XwU0b9RXLgHAm9pR+ZdQrkoLJccuLj8hvfl8yetc8Z0ne66vyULh3D Piz75qph96keTncoeB9DhTFWDb4mP+ai59v3c+0IzAT32nkytOw6flSuo+aI5CTcc3Xc d/4w== X-Gm-Message-State: AOJu0YyfmVIuTW7gPVAwyTeUQATGhDdk4n59uMYV6OxSASrB2QqfKnty jxy8GlqtXfrAIBrJ+T/78AoloBzykiA/ImB7oDvLQQ== X-Google-Smtp-Source: AGHT+IEjiXVXQRnBTUtzkJy9C9pHIVnuuE4ywvMf0Cvaai/CoNsTo3qZaLw7q/IIJgkmoyYbGQxDLA== X-Received: by 2002:a17:90a:ee91:b0:262:e84f:ad80 with SMTP id i17-20020a17090aee9100b00262e84fad80mr7137513pjz.9.1691961536294; Sun, 13 Aug 2023 14:18:56 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.18.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:18:55 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 04/22] go: fix CVE-2023-29406 net/http: insufficient sanitization of Host header Date: Sun, 13 Aug 2023 11:18:10 -1000 Message-Id: <07e03175de91739064ae5530b3df093b4d05510b.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:18:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185895 From: Vivek Kumbhar Signed-off-by: Vivek Kumbhar Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2023-29406.patch | 212 ++++++++++++++++++ 2 files changed, 213 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 33b53b1a34..b2cf805d2d 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -68,6 +68,7 @@ SRC_URI += "\ file://CVE-2023-29402.patch \ file://CVE-2023-29404.patch \ file://CVE-2023-29400.patch \ + file://CVE-2023-29406.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch new file mode 100644 index 0000000000..080def4682 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch @@ -0,0 +1,212 @@ +From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 28 Jun 2023 13:20:08 -0700 +Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before + sending + +Verify that the Host header we send is valid. +Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" +adding an X-Evil header to HTTP/1 requests. + +Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to +header injection in the way HTTP/1 is, but x/net/http2 doesn't validate +the header and will go into a retry loop when the server rejects it. +CL 506995 adds the necessary validation to x/net/http2. + +Updates #60374 +Fixes #61075 +For CVE-2023-29406 + +Change-Id: I05cb6866a9bead043101954dfded199258c6dd04 +Reviewed-on: https://go-review.googlesource.com/c/go/+/506996 +Reviewed-by: Tatiana Bradley +TryBot-Result: Gopher Robot +Run-TryBot: Damien Neil +(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2) +Reviewed-on: https://go-review.googlesource.com/c/go/+/507358 +Run-TryBot: Tatiana Bradley +Reviewed-by: Roland Shoemaker + +Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b] +CVE: CVE-2023-29406 +Signed-off-by: Vivek Kumbhar +--- + src/net/http/http_test.go | 29 --------------------- + src/net/http/request.go | 47 ++++++++-------------------------- + src/net/http/request_test.go | 11 ++------ + src/net/http/transport_test.go | 18 +++++++++++++ + 4 files changed, 31 insertions(+), 74 deletions(-) + +diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go +index f4ea52d..ea38cb4 100644 +--- a/src/net/http/http_test.go ++++ b/src/net/http/http_test.go +@@ -49,35 +49,6 @@ func TestForeachHeaderElement(t *testing.T) { + } + } + +-func TestCleanHost(t *testing.T) { +- tests := []struct { +- in, want string +- }{ +- {"www.google.com", "www.google.com"}, +- {"www.google.com foo", "www.google.com"}, +- {"www.google.com/foo", "www.google.com"}, +- {" first character is a space", ""}, +- {"[1::6]:8080", "[1::6]:8080"}, +- +- // Punycode: +- {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"}, +- {"bücher.de", "xn--bcher-kva.de"}, +- {"bücher.de:8080", "xn--bcher-kva.de:8080"}, +- // Verify we convert to lowercase before punycode: +- {"BÜCHER.de", "xn--bcher-kva.de"}, +- {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"}, +- // Verify we normalize to NFC before punycode: +- {"gophér.nfc", "xn--gophr-esa.nfc"}, // NFC input; no work needed +- {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input +- } +- for _, tt := range tests { +- got := cleanHost(tt.in) +- if tt.want != got { +- t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want) +- } +- } +-} +- + // Test that cmd/go doesn't link in the HTTP server. + // + // This catches accidental dependencies between the HTTP transport and +diff --git a/src/net/http/request.go b/src/net/http/request.go +index cb2edd2..2706300 100644 +--- a/src/net/http/request.go ++++ b/src/net/http/request.go +@@ -18,7 +18,6 @@ import ( + "io/ioutil" + "mime" + "mime/multipart" +- "net" + "net/http/httptrace" + "net/textproto" + "net/url" +@@ -26,7 +25,8 @@ import ( + "strconv" + "strings" + "sync" +- ++ ++ "golang.org/x/net/http/httpguts" + "golang.org/x/net/idna" + ) + +@@ -557,12 +557,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF + // is not given, use the host from the request URL. + // + // Clean the host, in case it arrives with unexpected stuff in it. +- host := cleanHost(r.Host) ++ host := r.Host + if host == "" { + if r.URL == nil { + return errMissingHost + } +- host = cleanHost(r.URL.Host) ++ host = r.URL.Host ++ } ++ host, err = httpguts.PunycodeHostPort(host) ++ if err != nil { ++ return err ++ } ++ if !httpguts.ValidHostHeader(host) { ++ return errors.New("http: invalid Host header") + } + + // According to RFC 6874, an HTTP client, proxy, or other +@@ -717,38 +724,6 @@ func idnaASCII(v string) (string, error) { + return idna.Lookup.ToASCII(v) + } + +-// cleanHost cleans up the host sent in request's Host header. +-// +-// It both strips anything after '/' or ' ', and puts the value +-// into Punycode form, if necessary. +-// +-// Ideally we'd clean the Host header according to the spec: +-// https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]") +-// https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host) +-// https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host) +-// But practically, what we are trying to avoid is the situation in +-// issue 11206, where a malformed Host header used in the proxy context +-// would create a bad request. So it is enough to just truncate at the +-// first offending character. +-func cleanHost(in string) string { +- if i := strings.IndexAny(in, " /"); i != -1 { +- in = in[:i] +- } +- host, port, err := net.SplitHostPort(in) +- if err != nil { // input was just a host +- a, err := idnaASCII(in) +- if err != nil { +- return in // garbage in, garbage out +- } +- return a +- } +- a, err := idnaASCII(host) +- if err != nil { +- return in // garbage in, garbage out +- } +- return net.JoinHostPort(a, port) +-} +- + // removeZone removes IPv6 zone identifier from host. + // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080" + func removeZone(host string) string { +diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go +index 461d66e..0d417ff 100644 +--- a/src/net/http/request_test.go ++++ b/src/net/http/request_test.go +@@ -676,15 +676,8 @@ func TestRequestBadHost(t *testing.T) { + } + req.Host = "foo.com with spaces" + req.URL.Host = "foo.com with spaces" +- req.Write(logWrites{t, &got}) +- want := []string{ +- "GET /after HTTP/1.1\r\n", +- "Host: foo.com\r\n", +- "User-Agent: " + DefaultUserAgent + "\r\n", +- "\r\n", +- } +- if !reflect.DeepEqual(got, want) { +- t.Errorf("Writes = %q\n Want = %q", got, want) ++ if err := req.Write(logWrites{t, &got}); err == nil { ++ t.Errorf("Writing request with invalid Host: succeded, want error") + } + } + +diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go +index fa0c370..0afb6b9 100644 +--- a/src/net/http/transport_test.go ++++ b/src/net/http/transport_test.go +@@ -6249,3 +6249,21 @@ func TestIssue32441(t *testing.T) { + t.Error(err) + } + } ++ ++func TestRequestSanitization(t *testing.T) { ++ setParallel(t) ++ defer afterTest(t) ++ ++ ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) { ++ if h, ok := req.Header["X-Evil"]; ok { ++ t.Errorf("request has X-Evil header: %q", h) ++ } ++ })).ts ++ defer ts.Close() ++ req, _ := NewRequest("GET", ts.URL, nil) ++ req.Host = "go.dev\r\nX-Evil:evil" ++ resp, _ := ts.Client().Do(req) ++ if resp != nil { ++ resp.Body.Close() ++ } ++} +-- +2.25.1 From patchwork Sun Aug 13 21:18:11 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28747 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 185F4C41513 for ; Sun, 13 Aug 2023 21:19:09 +0000 (UTC) Received: from mail-oo1-f52.google.com (mail-oo1-f52.google.com [209.85.161.52]) by mx.groups.io with SMTP id smtpd.web10.94007.1691961539470243027 for ; Sun, 13 Aug 2023 14:18:59 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=ZalNkhaT; spf=softfail (domain: sakoman.com, ip: 209.85.161.52, mailfrom: steve@sakoman.com) Received: by mail-oo1-f52.google.com with SMTP id 006d021491bc7-56cc461f34fso2406177eaf.0 for ; Sun, 13 Aug 2023 14:18:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961538; x=1692566338; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=eeVydU5WQYXk+lwT6jFpP2bMny79fKZ2G4jaIJtDQ4k=; b=ZalNkhaTkZ+grtl/tF/GjjAb02BLB6g5kxa6G30Qr9mzvBeLLoglj0Hox2ldBQWYRj UhN3NiZrRWZnDW9IehAPzAX5YlHz5VhhuoJ3a1gbSIeKV6sffT8Wblw4xGQ09gqtMt2u 3YNtXP0zOwubLeLxERUsnf3brldWGTOSNLkGRIunJJa8/okZd0WVFLVpgQrXEtPyfV14 qwIOQQEcBi9fmjkgcwRAz3K4Tz7mJRPRYQie2TlCiko6Hfa10w+DhyzW5+hpzFaHTQ7n rWctZZgSyr8OHLgr5BpER8dagSlVzs1rliOgLcN4iN/sc4w5clOU1ynrkpD/dCqPs7dN 4UIw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961538; x=1692566338; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eeVydU5WQYXk+lwT6jFpP2bMny79fKZ2G4jaIJtDQ4k=; b=SU9B8hfM7TD3c4Wt7mQPTfk7wJLnmfgs/HULQx1ENqRKfs2jblPhBFjbiwHqJdnj37 aADl5llCfF9VR4CE9g5MvIu0cu3wx+qQeYR0d32jq7oV/pqEl+bYs6s9+4g0dxb3Dodf 6ck9F38sPKY3jpOuEStdGmFrg/qkTL4w/HAb3IRMFK1wxht896qgFjR1yaNNMJMh6aHx jFxxFbBiLjzGyt/0a32KtJw4pFvkIA9fkf2kTJXL5IoBbIpxX8codMPDqdKK91AePavq LpGLxSGeArCdm5vMK0doWPgaT77/wLxi3fcToRzgvNMQT6s/SJ7gUU/ltHc45yxq9Gdi mGrQ== X-Gm-Message-State: AOJu0Yy4TAhB8AjdjF4zx8yJXcMhJajuH4MdCC6LIZHFN/5ZESy6rKRi WBHjsuW1HZCwGz8XfTEDYUyN8n0M9ZKt9qm4MyDn4w== X-Google-Smtp-Source: AGHT+IHboAZ5x84m7RQoxzhx0jYq0jj1QM2DAhgE5KTnAgv5jxSZpWzig8hZoTePY1ExAyQCKWyDZA== X-Received: by 2002:a05:6871:5d3:b0:1b0:3075:2f9d with SMTP id v19-20020a05687105d300b001b030752f9dmr7633165oan.34.1691961538399; Sun, 13 Aug 2023 14:18:58 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.18.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:18:58 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 05/22] libarchive: ignore CVE-2023-30571 Date: Sun, 13 Aug 2023 11:18:11 -1000 Message-Id: <9374e680ae2376589a9bfe4565dfcf4dc9791aa8.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185896 From: Peter Marko This issue was reported and discusses under [1] which is linked in NVD CVE report. It was already documented that some parts or libarchive are thread safe and some not. [2] was now merged to document that also reported function is not thread safe. So this CVE *now* reports thread race condition for non-thread-safe function. And as such the CVE report is now invalid. The issue is still not closed for 2 reasons: * better document what is and what is not thread safe * request to public if someone could make these functions thread safe This should however not invalidate above statment about ignoring this CVE. [1] https://github.com/libarchive/libarchive/issues/1876 [2] https://github.com/libarchive/libarchive/pull/1875 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-extended/libarchive/libarchive_3.4.2.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb index 582787d3f3..728eedc401 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb @@ -46,6 +46,9 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451" SRC_URI[sha256sum] = "b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176" +# upstream-wontfix: upstream has documented that reported function is not thread-safe +CVE_CHECK_WHITELIST += "CVE-2023-30571" + inherit autotools update-alternatives pkgconfig CPPFLAGS += "-I${WORKDIR}/extra-includes" From patchwork Sun Aug 13 21:18:12 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28748 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 239B2C001DB for ; Sun, 13 Aug 2023 21:19:09 +0000 (UTC) Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) by mx.groups.io with SMTP id smtpd.web11.93767.1691961541140431411 for ; Sun, 13 Aug 2023 14:19:01 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=K+jCZLoB; spf=softfail (domain: sakoman.com, ip: 209.85.216.51, mailfrom: steve@sakoman.com) Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-26b4c6a5e61so580181a91.1 for ; Sun, 13 Aug 2023 14:19:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961540; x=1692566340; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=c7z4reaK5/vTt9P5ZAzzcjAcAz2jBKQNHP5r2YSOy6s=; b=K+jCZLoBOQyzbXdvA3M0lTe4iKXcpREpk7vB09TP5MXXO36CA6IKNIMat9SFCo9p5A O8OCln69gHRMkVd6nI0UBRIBbISgSlqcvQCZmKqWqNqqCkQaPtIcx4a+TP7U5JOGSIY/ Zv2Oiqi2IuDXdUpOdImKQOiP+aQfybZkC7QeJAdI6vWUcGMDCHhbINB+eGogOpxhPEww wO8mFFwgh1kKM6oQpCEfcWJ8LdiG8viRy3sjlQ95KykaahbOCNx3iP7wcAOri0ldR4ss MjjdQ/cg9jSMifVssTkr4qKdKpt0S9owoSWJb1IpgOaj8MYEB7Ts1G9Yv/Zwu2+TZXD+ +LSQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961540; x=1692566340; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=c7z4reaK5/vTt9P5ZAzzcjAcAz2jBKQNHP5r2YSOy6s=; b=aQzpO96M5k3GxBMnM4zjaFdHh4tx8zs5WbHJZaoujCFLKWucNpKR1v2SBG0bTO26f6 XKvRedzK92CFqWzQ2yzCsqwHa56gzHLW9PuEDD7MKdEwE0ZZTaTygEIGgHzRT/FjQscJ kv+FwPumlS4qtJsqQvqdnNmYpaJsLO9KWg9uBE53+NoXvu2V5cJzYFcKTLY59Riy2iTO vTGQC2YzYe6gGiXHQegFOakR7lQcsa4iictEQxE9Ira8tjHKQnmmu7CJCqHcWNR5PZjt wDSXMOpNVrvRBexqu9fKywZmKN6wDbtrvD6W2nbyGUD6LojOseoHQ6ZjKnsgbIhEAIak uMkw== X-Gm-Message-State: AOJu0YyuG8JYxwBUwHoaRVyOLBMuPGoXTbGzAe8OreVREhtaSyK/tLo4 o1dj3ABnhgWGGhfhGqNjV29eKWRT9YoP6BReBn7uHw== X-Google-Smtp-Source: AGHT+IHUI3+yyRKLBejM92zeG+cL4HxYxNIt8rXEm+dHoylCoTTSnf2oIfjD3LmSWKMzU0gPj2GflA== X-Received: by 2002:a17:90a:294e:b0:263:9816:fe0f with SMTP id x14-20020a17090a294e00b002639816fe0fmr6957206pjf.15.1691961540281; Sun, 13 Aug 2023 14:19:00 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.18.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:18:59 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 06/22] libpcre2: patch CVE-2022-41409 Date: Sun, 13 Aug 2023 11:18:12 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185897 From: Peter Marko Backport commit mentioned in NVD DB links. https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../libpcre/libpcre2/CVE-2022-41409.patch | 74 +++++++++++++++++++ .../recipes-support/libpcre/libpcre2_10.34.bb | 1 + 2 files changed, 75 insertions(+) create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch new file mode 100644 index 0000000000..882277ae73 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch @@ -0,0 +1,74 @@ +From 94e1c001761373b7d9450768aa15d04c25547a35 Mon Sep 17 00:00:00 2001 +From: Philip Hazel +Date: Tue, 16 Aug 2022 17:00:45 +0100 +Subject: [PATCH] Diagnose negative repeat value in pcre2test subject line + +CVE: CVE-2022-41409 +Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35] + +Signed-off-by: Peter Marko + +--- + ChangeLog | 3 +++ + src/pcre2test.c | 4 ++-- + testdata/testinput2 | 3 +++ + testdata/testoutput2 | 4 ++++ + 4 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index eab50eb7..276eb57a 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -7,6 +7,9 @@ fully read in caseless matching. + 24. Fixed an issue affecting recursions in JIT caused by duplicated data + transfers. + ++20. A negative repeat value in a pcre2test subject line was not being ++diagnosed, leading to infinite looping. ++ + + Version 10.34 21-November-2019 + ------------------------------ +diff --git a/src/pcre2test.c b/src/pcre2test.c +index 08f86096..f6f5d66c 100644 +--- a/src/pcre2test.c ++++ b/src/pcre2test.c +@@ -6700,9 +6700,9 @@ while ((c = *p++) != 0) + } + + i = (int32_t)li; +- if (i-- == 0) ++ if (i-- <= 0) + { +- fprintf(outfile, "** Zero repeat not allowed\n"); ++ fprintf(outfile, "** Zero or negative repeat not allowed\n"); + return PR_OK; + } + +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 655e519..14e00ed 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -5772,4 +5772,7 @@ a)"xI + /(a)?a/I + manm + ++-- ++ \[X]{-10} ++ + # End of testinput2 +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index c733c12..958f246 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -17435,6 +17435,10 @@ Subject length lower bound = 1 + manm + 0: a + ++-- ++ \[X]{-10} ++** Zero or negative repeat not allowed ++ + # End of testinput2 + Error -70: PCRE2_ERROR_BADDATA (unknown error number) + Error -62: bad serialized data diff --git a/meta/recipes-support/libpcre/libpcre2_10.34.bb b/meta/recipes-support/libpcre/libpcre2_10.34.bb index 254badf6f6..3e1b001c32 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.34.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.34.bb @@ -14,6 +14,7 @@ SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2 file://pcre-cross.patch \ file://CVE-2022-1586.patch \ file://CVE-2022-1587.patch \ + file://CVE-2022-41409.patch \ " SRC_URI[md5sum] = "d280b62ded13f9ccf2fac16ee5286366" From patchwork Sun Aug 13 21:18:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28751 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23F77C04E69 for ; Sun, 13 Aug 2023 21:19:09 +0000 (UTC) Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) by mx.groups.io with SMTP id smtpd.web11.93769.1691961543587658624 for ; Sun, 13 Aug 2023 14:19:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=Y0L/K1c8; spf=softfail (domain: sakoman.com, ip: 209.85.215.172, mailfrom: steve@sakoman.com) Received: by mail-pg1-f172.google.com with SMTP id 41be03b00d2f7-564a0d2d35eso2098285a12.0 for ; Sun, 13 Aug 2023 14:19:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961543; x=1692566343; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=OS79c57jY+YMZh0ivbp668ZuukyRB7q3VdE9VIV0o20=; b=Y0L/K1c8DjXnaEXpV/22VbXTdNfupBmc2G76tWcmY8tBnmUufsDoVxRVDbGkEPfZLL JVHv+SEmvg8G23kKg1IkpRDA5OpWndFtx1KNvXaWnjtxcb5ViOVfXIVHafXBjGdGQ7f/ cFjEPbIly+LaKdUwFGW9TNTYFwXquPEalb/zVT7B6CI+YhtibMoM1ipKSYhWVUGLaK6V s+9mrNuX4l3/MJmW83GQ01tPMZ5W3kuWRdIAhek4XjeHztAjXaUxD77qrGcyf0+AliFq C9c5M4H/HhhhrXirlvNY6/3nOZ5lnpRnWWhGMwId9J5ZCQIJQYtkvS1UNMPQCarcK3rp FgWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961543; x=1692566343; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OS79c57jY+YMZh0ivbp668ZuukyRB7q3VdE9VIV0o20=; b=FynfHIT21Lba9YieqS/iyKEabWrgM2qwpCkObcbHxs/TiH3Qkw5lZj9Bp/doSBCMRO 2fnvjZ79ZUfKtGAJlU7VWPYrTQLz7ldZc8KX4JJwx9KF3TRAUhzD8l++JdHUPtzjG449 V35BYWDQ8iakPHYCfv5u2Ynz3eqEnAFjtB96VrVGYImLyd6MiYgACswnLwk/A35lWeQB HhFBnMw6VVa+DkQ28tLDlxYRJe1WQuUvRjWa/ucxNwKqX8OTDFscSB93vdtd9SuacBDn I8VSn6s8uhTWzu2/wN1QNBLcGGKwFt1MYSvavw8sC7xBGTPaPb8Rw8ev2QkLWZdREvcS YWmA== X-Gm-Message-State: AOJu0YxvKgoLp9cAU1fbhTbxkD87XUDmr2/up+7wiQ4QlNR0m8/ZseYs Jk+ROktkX8AjWwHrL/FdQwGlsy4UrEAEkNeHB8Hb8Q== X-Google-Smtp-Source: AGHT+IGZyJZYE5hWmCpo5ONovTUzatwJGgrWS/fCIr/b1h17sIpdA+YfyD77wl1NnX/IH/H9qDUxCg== X-Received: by 2002:a17:90b:1d89:b0:268:2d92:55d3 with SMTP id pf9-20020a17090b1d8900b002682d9255d3mr4961887pjb.39.1691961542441; Sun, 13 Aug 2023 14:19:02 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:01 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 07/22] tiff: fix multiple CVEs Date: Sun, 13 Aug 2023 11:18:13 -1000 Message-Id: <3d322227477f9e82fc22de6e896174d04513d72b.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185898 From: Hitendra Prajapati Backport fixes for: * CVE-2023-25433 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44 * CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38 * CVE-2023-26965 & CVE-2023-26966 - Upstream-Status: Backport from import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz] Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../libtiff/files/CVE-2023-25433.patch | 173 ++++++++++++++++++ .../files/CVE-2023-25434-CVE-2023-25435.patch | 94 ++++++++++ .../libtiff/files/CVE-2023-26965.patch | 90 +++++++++ .../libtiff/files/CVE-2023-26966.patch | 35 ++++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 4 + 5 files changed, 396 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch new file mode 100644 index 0000000000..7d6d40f25a --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch @@ -0,0 +1,173 @@ +From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 3 Feb 2023 15:31:31 +0100 +Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() + fix#520 rotateImage() set up a new buffer and calculates its size + individually. Therefore, seg_buffs[] size needs to be updated accordingly. + Before this fix, the seg_buffs buffer size was calculated with a different + formula than within rotateImage(). + +Closes #520. + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44] +CVE: CVE-2023-25433 +Signed-off-by: Hitendra Prajapati +--- + tools/tiffcrop.c | 69 +++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 56 insertions(+), 13 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 742615a..aab0ec6 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32, + static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, + uint32, uint32, uint8 *, uint8 *); + static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *, +- unsigned char **, int); ++ unsigned char **, size_t *); + static int mirrorImage(uint16, uint16, uint16, uint32, uint32, + unsigned char *); + static int invertImage(uint16, uint16, uint16, uint32, uint32, +@@ -6384,7 +6384,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b + * but switch xres, yres there. */ + uint32_t width = image->width; + uint32_t length = image->length; +- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE)) ++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL)) + { + TIFFError ("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -7607,8 +7607,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { ++ /* rotateImage() set up a new buffer and calculates its size ++ * individually. Therefore, seg_buffs size needs to be updated ++ * accordingly. */ ++ size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, &crop_buff, FALSE)) ++ &crop->combined_length, &crop_buff, &rot_buf_size)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %d degrees", crop->rotation); +@@ -7713,8 +7717,13 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { +- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, +- &crop->regionlist[i].length, &crop_buff, FALSE)) ++ /* Furthermore, rotateImage() set up a new buffer and calculates ++ * its size individually. Therefore, seg_buffs size needs to be ++ * updated accordingly. */ ++ size_t rot_buf_size = 0; ++ if (rotateImage( ++ crop->rotation, image, &crop->regionlist[i].width, ++ &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) + { + TIFFError("processCropSelections", + "Failed to rotate crop region by %d degrees", crop->rotation); +@@ -7725,8 +7734,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + crop->combined_width = total_width; + crop->combined_length = total_length; + seg_buffs[i].buffer = crop_buff; +- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8) +- * image->spp) * crop->regionlist[i].length; ++ seg_buffs[i].size = rot_buf_size; + } + } + } +@@ -7735,7 +7743,6 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + + /* Copy the crop section of the data from the current image into a buffer + * and adjust the IFD values to reflect the new size. If no cropping is +- * required, use the origial read buffer as the crop buffer. + * + * There is quite a bit of redundancy between this routine and the more + * specialized processCropSelections, but this provides +@@ -7846,7 +7853,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, crop_buff_ptr, TRUE)) ++ &crop->combined_length, crop_buff_ptr, NULL)) + { + TIFFError("createCroppedImage", + "Failed to rotate image or cropped selection by %d degrees", crop->rotation); +@@ -8515,7 +8522,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, + uint32 bytes_per_pixel, bytes_per_sample; + uint32 row, rowsize, src_offset, dst_offset; + uint32 i, col, width, length; +- uint32 colsize, buffsize, col_offset, pix_offset; ++ uint32 colsize, col_offset, pix_offset; ++ tmsize_t buffsize; + unsigned char *ibuff; + unsigned char *src; + unsigned char *dst; +@@ -8528,12 +8536,41 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, + spp = image->spp; + bps = image->bps; + ++ if ((spp != 0 && bps != 0 && ++ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) || ++ (spp != 0 && bps != 0 && ++ length > (uint32_t)((UINT32_MAX - 7) / spp / bps))) ++ { ++ TIFFError("rotateImage", "Integer overflow detected."); ++ return (-1); ++ } ++ + rowsize = ((bps * spp * width) + 7) / 8; + colsize = ((bps * spp * length) + 7) / 8; + if ((colsize * width) > (rowsize * length)) +- buffsize = (colsize + 1) * width; ++{ ++ if (((tmsize_t)colsize + 1) != 0 && ++ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / ++ ((tmsize_t)colsize + 1))) ++ { ++ TIFFError("rotateImage", ++ "Integer overflow when calculating buffer size."); ++ return (-1); ++ } ++ buffsize = ((tmsize_t)colsize + 1) * width; ++ } + else +- buffsize = (rowsize + 1) * length; ++ { ++ if (((tmsize_t)rowsize + 1) != 0 && ++ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / ++ ((tmsize_t)rowsize + 1))) ++ { ++ TIFFError("rotateImage", ++ "Integer overflow when calculating buffer size."); ++ return (-1); ++ } ++ buffsize = (rowsize + 1) * length; ++ } + + bytes_per_sample = (bps + 7) / 8; + bytes_per_pixel = ((bps * spp) + 7) / 8; +@@ -8556,11 +8593,17 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, + /* Add 3 padding bytes for extractContigSamplesShifted32bits */ + if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) + { +- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); ++ TIFFError("rotateImage", ++ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT ++ " bytes ", ++ buffsize + NUM_BUFF_OVERSIZE_BYTES); + return (-1); + } + _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); + ++ if (rot_buf_size != NULL) ++ *rot_buf_size = buffsize; ++ + ibuff = *ibuff_ptr; + switch (rotation) + { +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch new file mode 100644 index 0000000000..6a6596f092 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch @@ -0,0 +1,94 @@ +From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sun, 29 Jan 2023 11:09:26 +0100 +Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main) + image width and length parameters when only cropped image sections are + rotated. Remove buffptr from region structure because never used. + +Closes #492 #493 #494 #495 #499 #518 #519 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38] +CVE: CVE-2023-25434 & CVE-2023-25435 +Signed-off-by: Hitendra Prajapati +--- + tools/tiffcrop.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index aab0ec6..ce84414 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32, + static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, + uint32, uint32, uint8 *, uint8 *); + static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *, +- unsigned char **, size_t *); ++ unsigned char **, size_t *, int); + static int mirrorImage(uint16, uint16, uint16, uint32, uint32, + unsigned char *); + static int invertImage(uint16, uint16, uint16, uint32, uint32, +@@ -6382,10 +6382,11 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b + /* Dummy variable in order not to switch two times the + * image->width,->length within rotateImage(), + * but switch xres, yres there. */ +- uint32_t width = image->width; +- uint32_t length = image->length; +- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL)) +- { ++ uint32_t width = image->width; ++ uint32_t length = image->length; ++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, ++ TRUE)) ++ { + TIFFError ("correct_orientation", "Unable to rotate image"); + return (-1); + } +@@ -7612,7 +7613,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + * accordingly. */ + size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, &crop_buff, &rot_buf_size)) ++ &crop->combined_length, &crop_buff, &rot_buf_size, ++ FALSE)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %d degrees", crop->rotation); +@@ -7721,9 +7723,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + * its size individually. Therefore, seg_buffs size needs to be + * updated accordingly. */ + size_t rot_buf_size = 0; +- if (rotateImage( +- crop->rotation, image, &crop->regionlist[i].width, +- &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) ++ if (rotateImage(crop->rotation, image, ++ &crop->regionlist[i].width, ++ &crop->regionlist[i].length, &crop_buff, ++ &rot_buf_size, FALSE)) + { + TIFFError("processCropSelections", + "Failed to rotate crop region by %d degrees", crop->rotation); +@@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, crop_buff_ptr, NULL)) ++ &crop->combined_length, crop_buff_ptr, NULL, TRUE)) + { + TIFFError("createCroppedImage", + "Failed to rotate image or cropped selection by %d degrees", crop->rotation); +@@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width, + + /* Rotate an image by a multiple of 90 degrees clockwise */ + static int +-rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, +- uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params) ++rotateImage(uint16 rotation, struct image_data *image, ++ uint32 *img_width, uint32 *img_length, ++ unsigned char **ibuff_ptr, size_t *rot_buf_size, ++ int rot_image_params) + { + int shift_width; + uint32 bytes_per_pixel, bytes_per_sample; +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch new file mode 100644 index 0000000000..b7a7e93764 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch @@ -0,0 +1,90 @@ +From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Tue, 14 Feb 2023 20:43:43 +0100 +Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images. + Fix issue 527 + +Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value. + +Closes #527 + +Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz] +CVE: CVE-2023-26965 +Signed-off-by: Hitendra Prajapati +--- + tools/tiffcrop.c | 40 ++++++++++------------------------------ + 1 file changed, 10 insertions(+), 30 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index ce84414..a533089 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + uint32 tw = 0, tl = 0; /* Tile width and length */ + tmsize_t tile_rowsize = 0; + unsigned char *read_buff = NULL; +- unsigned char *new_buff = NULL; + int readunit = 0; +- static tmsize_t prev_readsize = 0; + + TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); + TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); +@@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + read_buff = *read_ptr; + /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ + /* outside buffer */ +- if (!read_buff) ++ if (read_buff) + { +- if( buffsize > 0xFFFFFFFFU - 3 ) +- { +- TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); +- return (-1); +- } +- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); ++ _TIFFfree(read_buff); + } +- else +- { +- if (prev_readsize < buffsize) +- { +- if( buffsize > 0xFFFFFFFFU - 3 ) +- { +- TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); +- return (-1); +- } +- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); +- if (!new_buff) +- { +- free (read_buff); +- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); +- } +- else +- read_buff = new_buff; +- } +- } ++ if (buffsize > 0xFFFFFFFFU - 3) ++ { ++ TIFFError("loadImage", "Required read buffer size too large"); ++ return (-1); ++ } ++ read_buff = ++ (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); + if (!read_buff) + { +- TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); ++ TIFFError("loadImage", "Unable to allocate read buffer"); + return (-1); + } + +@@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + read_buff[buffsize+1] = 0; + read_buff[buffsize+2] = 0; + +- prev_readsize = buffsize; + *read_ptr = read_buff; + + /* N.B. The read functions used copy separate plane data into a buffer as interleaved +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch new file mode 100644 index 0000000000..48657e6aa4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch @@ -0,0 +1,35 @@ +From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Thu, 16 Feb 2023 12:03:16 +0100 +Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode(). + +Closes #530 + +Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz] +CVE: CVE-2023-26966 +Signed-off-by: Hitendra Prajapati +--- + libtiff/tif_luv.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c +index 6fe4858..8b2c5f1 100644 +--- a/libtiff/tif_luv.c ++++ b/libtiff/tif_luv.c +@@ -923,6 +923,13 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */ + { + register int vi, ui; + ++ /* check for NaN */ ++ if (u != u || v != v) ++ { ++ u = U_NEU; ++ v = V_NEU; ++ } ++ + if (v < UV_VSTART) + return oog_encode(u, v); + vi = itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em); +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 4b48d81e2b..fcb2ce1ae4 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb @@ -36,6 +36,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2022-48281.patch \ file://CVE-2023-0795_0796_0797_0798_0799.patch \ file://CVE-2023-0800_0801_0802_0803_0804.patch \ + file://CVE-2023-25433.patch \ + file://CVE-2023-25434-CVE-2023-25435.patch \ + file://CVE-2023-26965.patch \ + file://CVE-2023-26966.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" From patchwork Sun Aug 13 21:18:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28749 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 15D0FEB64DD for ; Sun, 13 Aug 2023 21:19:09 +0000 (UTC) Received: from mail-oa1-f45.google.com (mail-oa1-f45.google.com [209.85.160.45]) by mx.groups.io with SMTP id smtpd.web11.93772.1691961545767022358 for ; Sun, 13 Aug 2023 14:19:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=RsrorvXo; spf=softfail (domain: sakoman.com, ip: 209.85.160.45, mailfrom: steve@sakoman.com) Received: by mail-oa1-f45.google.com with SMTP id 586e51a60fabf-1c0fcbf7ae4so2467269fac.0 for ; Sun, 13 Aug 2023 14:19:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961545; x=1692566345; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=LrJJIbB1QnK3GcH/x6fPXDDntI4a1aIF2XuzuztGURE=; b=RsrorvXoTUkqXymqmFraT2XY0Id+tLKx72z/ZK50//X+7dixBZ7mBCEfqwg3/1JpKj tbO6um6FTdWTJ6VukYYIazv5UQDfCJZ+boBSauTtyBNzbz7Zy1GcwZxugdNSjKjnblsr 4WPs0Jyi65KHroHSh8RjA0xFZ9ewW1gJPiUSIHYEAfaqC60jsBaO/jHhRf143iHUpVof ym2dsTGJnrXP8pQCcPgsM7oHqT6awMrVWWC/DmULEngtVmlpbYWjXfgm9oLx3eIoozeM GmkzXedW78iCq6yYkoLwKTFR7ZTVkJ/KT46d4+y77R4+qpHl+oaeMZcv057KNd/oFUos dIiA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961545; x=1692566345; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LrJJIbB1QnK3GcH/x6fPXDDntI4a1aIF2XuzuztGURE=; b=e6/+maSFGsRBuxgh3FMKL7kAlwlJ+ROQNq5I+y4hLYrxBdAcAMguwepZbu0aVXqAWG cu8BU42TxNWkS6EwLb9dXA7xX8vpMpaMPDMy3YSvq5YJMnFUO4FXILg40S8BsyUdm5/b MlSagpb8Q0dmSlhW2pQLFobpVylmUhKyB3j5ZTaN5rjVAsOZCM4oxfbiAQYdfBp415s9 RBAUotuFkhJVr1SfzBmNXbs+EWJBvcP7ZF6ZjO7aHfKxsvedm27S9U/n7CWEhSrKCsLd u+O9lqLR6YJ9GusJxvFa6av31wZinAQO3dkOzbW89yuWCGAtnDLqj8S2qTxgQBgD/ZXw EPLg== X-Gm-Message-State: AOJu0YzhPBOHbi4uzSwCq/Lyl4odkpVoiBNVPGNL9wZXEmG0ihazFXUd afRtUAu6Ln6YsBxibdUju7nkRMJi0yyZZcl4c9rCYQ== X-Google-Smtp-Source: AGHT+IEDuMYCxidgNwmjCTFas6CSWuTvcIbHitFeqMiriBsMN4xoBEyo5JSZvE8OzCOWenLGw2ZTbg== X-Received: by 2002:a05:6870:4593:b0:1b0:2ded:bd7 with SMTP id y19-20020a056870459300b001b02ded0bd7mr7423940oao.26.1691961544549; Sun, 13 Aug 2023 14:19:04 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:04 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 08/22] tiff: fix multiple CVEs Date: Sun, 13 Aug 2023 11:18:14 -1000 Message-Id: <4929d08cefac9ae2ebbdf94ccdc51a0f67f28164.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185899 From: Hitendra Prajapati Backport fixes for: * CVE-2023-2908 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f * CVE-2023-3316 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536 * CVE-2023-3618 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37 && https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../libtiff/files/CVE-2023-2908.patch | 33 +++++++++++ .../libtiff/files/CVE-2023-3316.patch | 59 +++++++++++++++++++ .../libtiff/files/CVE-2023-3618-1.patch | 34 +++++++++++ .../libtiff/files/CVE-2023-3618-2.patch | 47 +++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 4 ++ 5 files changed, 177 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch new file mode 100644 index 0000000000..62a5e1831c --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch @@ -0,0 +1,33 @@ +From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001 +From: xiaoxiaoafeifei +Date: Fri, 21 Apr 2023 13:01:34 +0000 +Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`: + applying zero offset to null pointer + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f] +CVE: CVE-2023-2908 +Signed-off-by: Hitendra Prajapati +--- + libtiff/tif_dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 9d8267a..6389b40 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -145,10 +145,10 @@ static uint16 + countInkNamesString(TIFF *tif, uint32 slen, const char *s) + { + uint16 i = 0; +- const char *ep = s + slen; +- const char *cp = s; + + if (slen > 0) { ++ const char *ep = s + slen; ++ const char *cp = s; + do { + for (; cp < ep && *cp != '\0'; cp++) {} + if (cp >= ep) +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch new file mode 100644 index 0000000000..8db24fc714 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch @@ -0,0 +1,59 @@ +From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 3 Feb 2023 17:38:55 +0100 +Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515 + +Closes #515 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536] +CVE: CVE-2023-3316 +Signed-off-by: Hitendra Prajapati +--- + libtiff/tif_close.c | 11 +++++++---- + tools/tiffcrop.c | 5 ++++- + 2 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c +index e4228df..335e80f 100644 +--- a/libtiff/tif_close.c ++++ b/libtiff/tif_close.c +@@ -118,13 +118,16 @@ TIFFCleanup(TIFF* tif) + */ + + void +-TIFFClose(TIFF* tif) ++TIFFClose(TIFF *tif) + { +- TIFFCloseProc closeproc = tif->tif_closeproc; +- thandle_t fd = tif->tif_clientdata; ++ if (tif != NULL) ++ { ++ TIFFCloseProc closeproc = tif->tif_closeproc; ++ thandle_t fd = tif->tif_clientdata; + + TIFFCleanup(tif); +- (void) (*closeproc)(fd); ++ (void)(*closeproc)(fd); ++ } + } + + /* vim: set ts=8 sts=8 sw=8 noet: */ +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index a533089..f14bb0c 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2526,7 +2526,10 @@ main(int argc, char* argv[]) + } + } + +- TIFFClose(out); ++ if (out != NULL) ++ { ++ TIFFClose(out); ++ } + + return (0); + } /* end main */ +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch new file mode 100644 index 0000000000..35ed852519 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch @@ -0,0 +1,34 @@ +From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001 +From: zhailiangliang +Date: Tue, 7 Mar 2023 15:02:08 +0800 +Subject: [PATCH] Fix memory leak in tiffcrop.c + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37] +CVE: CVE-2023-3618 +Signed-off-by: Hitendra Prajapati +--- + tools/tiffcrop.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index f14bb0c..7121c7c 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -7746,8 +7746,13 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + + read_buff = *read_buff_ptr; + ++ /* Memory is freed before crop_buff_ptr is overwritten */ ++ if (*crop_buff_ptr != NULL) ++ { ++ _TIFFfree(*crop_buff_ptr); ++ } ++ + /* process full image, no crop buffer needed */ +- crop_buff = read_buff; + *crop_buff_ptr = read_buff; + crop->combined_width = image->width; + crop->combined_length = image->length; +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch new file mode 100644 index 0000000000..fd67305c0b --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch @@ -0,0 +1,47 @@ +From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 5 May 2023 19:43:46 +0200 +Subject: [PATCH] Consider error return of writeSelections(). Fixes #553 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8] +CVE: CVE-2023-3618 +Signed-off-by: Hitendra Prajapati +--- + tools/tiffcrop.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 7121c7c..93b7f96 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2437,9 +2437,15 @@ main(int argc, char* argv[]) + { /* Whole image or sections not based on output page size */ + if (crop.selections > 0) + { +- writeSelections(in, &out, &crop, &image, &dump, seg_buffs, +- mp, argv[argc - 1], &next_page, total_pages); +- } ++ if (writeSelections(in, &out, &crop, &image, &dump, ++ seg_buffs, mp, argv[argc - 1], ++ &next_page, total_pages)) ++ { ++ TIFFError("main", ++ "Unable to write new image selections"); ++ exit(EXIT_FAILURE); ++ } ++ } + else /* One file all images and sections */ + { + if (update_output_file (&out, mp, crop.exp_mode, argv[argc - 1], +@@ -7749,7 +7755,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + /* Memory is freed before crop_buff_ptr is overwritten */ + if (*crop_buff_ptr != NULL) + { +- _TIFFfree(*crop_buff_ptr); ++ _TIFFfree(*crop_buff_ptr); + } + + /* process full image, no crop buffer needed */ +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index fcb2ce1ae4..e3daaf1007 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb @@ -40,6 +40,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-25434-CVE-2023-25435.patch \ file://CVE-2023-26965.patch \ file://CVE-2023-26966.patch \ + file://CVE-2023-2908.patch \ + file://CVE-2023-3316.patch \ + file://CVE-2023-3618-1.patch \ + file://CVE-2023-3618-2.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" From patchwork Sun Aug 13 21:18:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28750 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1911BC001E0 for ; Sun, 13 Aug 2023 21:19:09 +0000 (UTC) Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) by mx.groups.io with SMTP id smtpd.web10.94016.1691961547687155247 for ; Sun, 13 Aug 2023 14:19:07 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=m0X+AnoM; spf=softfail (domain: sakoman.com, ip: 209.85.216.49, mailfrom: steve@sakoman.com) Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-26b4bdc76dfso611982a91.2 for ; Sun, 13 Aug 2023 14:19:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961547; x=1692566347; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=JolKgpyWSUdxk5X5HbD+OT+K2BesoMwrZ+3KF3+rxt4=; b=m0X+AnoM1J3k6k17fSvhy6HWeBos3hE4AVvU4PN+Vsy93CF/BuaUDo9+3xtYDmtnms z3rHACVe5FkM7o3LQL/tp/ceDrpNYlRL8YwMdJIRypS4I3pMd/3jTlrVzY+zVAJvJO9C IYhYHqo7sONE3YZa1t7HTqZMssLuFmAip7JSzxPhTXuEyJMgwoBkOgD1jmiBBCnryfs+ +E7lXwzqPbaoM7VilSQTSMbFOaKM2RH+Ud1Q8Fu5IYq52HwqS3dWoFy39Pj35NX+VBSB iwZL8XQZttlsAU33pFBzTISfWvqj2N4P636B9m8wWyo2OF2noOjmn8swA+Qlzovb+BNq kOVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961547; x=1692566347; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JolKgpyWSUdxk5X5HbD+OT+K2BesoMwrZ+3KF3+rxt4=; b=K9QSRCBZVff+d6xoTM3ceK2+AEO1o55hbWewwTMtQ4p4CX2HNtZhjZUcH951TpZjb7 +hb/lCqbTg3nspWi34IjAvhM4lOuQXDZdvlrbin9rkacK2EWGpkTGzp/zkOwqFL+sP9j +LzaKkKG8+VVlD9hg2J9iOwd84ZmWMN9U/+akkILIjBVNmnifeVduCtr+n9sYxGJKfs9 jfXJLNuzh10Dal5FF5Zs2L7FSwltPK6zsG0QHqZ2Yye6kIxLdIPqi6K0/NzZSwxZxIHa mqKbXw+V2dbMSu904PuW12YJGO467o4TXdlfHLQYA7LUDMOFjsOfzUhsyo244Jlxrt6m 5/SA== X-Gm-Message-State: AOJu0Yz7NXz3Ux+9Uf0+YBgnKPndBCF3bH3gjiOTiVfF2LT9K5G9SbFX /y9nM2QBOunS0xQ7Klg5U24BwHpPUal0CLSCXYw2xw== X-Google-Smtp-Source: AGHT+IG0WKZVTaOGP6VSVafG4NhAMrI2vlzyWptK1RVjI55CLHsQE6Hl9C+xGHNeQRSB/GUb/Lonug== X-Received: by 2002:a17:90a:664a:b0:268:34b1:a5a9 with SMTP id f10-20020a17090a664a00b0026834b1a5a9mr6864931pjm.8.1691961546462; Sun, 13 Aug 2023 14:19:06 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.05 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:06 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 09/22] dmidecode 3.2: Fix CVE-2023-30630 Date: Sun, 13 Aug 2023 11:18:15 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185900 From: Dhairya Nagodra Upstream Repository: https://git.savannah.gnu.org/git/dmidecode.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30630 Type: Security Fix CVE: CVE-2023-30630 Score: 7.8 Patch: https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c Signed-off-by: Dhairya Nagodra Signed-off-by: Steve Sakoman --- .../CVE-2023-30630-dependent_p1.patch | 236 ++++++++++++++++++ .../CVE-2023-30630-dependent_p2.patch | 198 +++++++++++++++ .../dmidecode/dmidecode/CVE-2023-30630.patch | 62 +++++ .../dmidecode/dmidecode_3.2.bb | 3 + 4 files changed, 499 insertions(+) create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch new file mode 100644 index 0000000000..f1d449acbe --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch @@ -0,0 +1,236 @@ +From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Mon, 20 Feb 2023 14:53:21 +0100 +Subject: [PATCH] dmidecode: Split table fetching from decoding + +Clean up function dmi_table so that it does only one thing: +* dmi_table() is renamed to dmi_table_get(). It now retrieves the + DMI table, but does not process it any longer. +* Decoding or dumping the table is now done in smbios3_decode(), + smbios_decode() and legacy_decode(). +No functional change. + +A side effect of this change is that writing the header and body of +dump files is now done in a single location. This is required to +further consolidate the writing of dump files. + +CVE-ID: CVE-2023-30630 +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7] + +Backport Changes: +- In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces + pr_info(). This is backported to printf() as per v3.2. + +Signed-off-by: Jean Delvare +Reviewed-by: Jerry Hoemann +(cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808) +Signed-off-by: Dhairya Nagodra +--- + dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 62 insertions(+), 24 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index a3e9d6c..d6eedd1 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags) + } + } + +-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, +- u32 flags) ++/* Allocates a buffer for the table, must be freed by the caller */ ++static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver, ++ const char *devmem, u32 flags) + { + u8 *buf; + +@@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, + { + if (num) + printf("%u structures occupying %u bytes.\n", +- num, len); ++ num, *len); + if (!(opt.flags & FLAG_FROM_DUMP)) + printf("Table at 0x%08llX.\n", + (unsigned long long)base); +@@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, + * would be the result of the kernel truncating the table on + * parse error. + */ +- size_t size = len; ++ size_t size = *len; + buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base, + &size, devmem); +- if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len) ++ if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len) + { + fprintf(stderr, "Wrong DMI structures length: %u bytes " + "announced, only %lu bytes available.\n", +- len, (unsigned long)size); ++ *len, (unsigned long)size); + } +- len = size; ++ *len = size; + } + else +- buf = mem_chunk(base, len, devmem); ++ buf = mem_chunk(base, *len, devmem); + + if (buf == NULL) + { +@@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, + fprintf(stderr, + "Try compiling dmidecode with -DUSE_MMAP.\n"); + #endif +- return; + } + +- if (opt.flags & FLAG_DUMP_BIN) +- dmi_table_dump(buf, len); +- else +- dmi_table_decode(buf, len, num, ver >> 8, flags); +- +- free(buf); ++ return buf; + } + + +@@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf) + + static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + { +- u32 ver; ++ u32 ver, len; + u64 offset; ++ u8 *table; + + /* Don't let checksum run beyond the buffer */ + if (buf[0x06] > 0x20) +@@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + return 0; + } + +- dmi_table(((off_t)offset.h << 32) | offset.l, +- DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT); ++ /* Maximum length, may get trimmed */ ++ len = DWORD(buf + 0x0C); ++ table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver, ++ devmem, flags | FLAG_STOP_AT_EOT); ++ if (table == NULL) ++ return 1; + + if (opt.flags & FLAG_DUMP_BIN) + { +@@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_smbios3_address(crafted); + ++ dmi_table_dump(table, len); + if (!(opt.flags & FLAG_QUIET)) + printf("# Writing %d bytes to %s.\n", crafted[0x06], + opt.dumpfile); + write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1); + } ++ else ++ { ++ dmi_table_decode(table, len, 0, ver >> 8, ++ flags | FLAG_STOP_AT_EOT); ++ } ++ ++ free(table); + + return 1; + } + + static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + { +- u16 ver; ++ u16 ver, num; ++ u32 len; ++ u8 *table; + + /* Don't let checksum run beyond the buffer */ + if (buf[0x05] > 0x20) +@@ -5402,8 +5412,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + printf("SMBIOS %u.%u present.\n", + ver >> 8, ver & 0xFF); + +- dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C), +- ver << 8, devmem, flags); ++ /* Maximum length, may get trimmed */ ++ len = WORD(buf + 0x16); ++ num = WORD(buf + 0x1C); ++ table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8, ++ devmem, flags); ++ if (table == NULL) ++ return 1; + + if (opt.flags & FLAG_DUMP_BIN) + { +@@ -5412,27 +5427,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_dmi_address(crafted + 0x10); + ++ dmi_table_dump(table, len); + if (!(opt.flags & FLAG_QUIET)) + printf("# Writing %d bytes to %s.\n", crafted[0x05], + opt.dumpfile); + write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); + } ++ else ++ { ++ dmi_table_decode(table, len, num, ver, flags); ++ } ++ ++ free(table); + + return 1; + } + + static int legacy_decode(u8 *buf, const char *devmem, u32 flags) + { ++ u16 ver, num; ++ u32 len; ++ u8 *table; ++ + if (!checksum(buf, 0x0F)) + return 0; + ++ ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F); + if (!(opt.flags & FLAG_QUIET)) + printf("Legacy DMI %u.%u present.\n", + buf[0x0E] >> 4, buf[0x0E] & 0x0F); + +- dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C), +- ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8), +- devmem, flags); ++ /* Maximum length, may get trimmed */ ++ len = WORD(buf + 0x06); ++ num = WORD(buf + 0x0C); ++ table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8, ++ devmem, flags); ++ if (table == NULL) ++ return 1; + + if (opt.flags & FLAG_DUMP_BIN) + { +@@ -5441,11 +5472,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 16); + overwrite_dmi_address(crafted); + ++ dmi_table_dump(table, len); + if (!(opt.flags & FLAG_QUIET)) + printf("# Writing %d bytes to %s.\n", 0x0F, + opt.dumpfile); + write_dump(0, 0x0F, crafted, opt.dumpfile, 1); + } ++ else ++ { ++ dmi_table_decode(table, len, num, ver, flags); ++ } ++ ++ free(table); + + return 1; + } diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch new file mode 100644 index 0000000000..353c2553f5 --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch @@ -0,0 +1,198 @@ +From 58e8a07b1aef0e53af1642b30248255e53e42790 Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Mon, 20 Feb 2023 14:53:25 +0100 +Subject: [PATCH] dmidecode: Write the whole dump file at once + +When option --dump-bin is used, write the whole dump file at once, +instead of opening and closing the file separately for the table +and then for the entry point. + +As the file writing function is no longer generic, it gets moved +from util.c to dmidecode.c. + +One minor functional change resulting from the new implementation is +that the entry point is written first now, so the messages printed +are swapped. + +CVE: CVE-2023-30630 +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f38] + +Backport Changes: +- In the file dmidecode.c, the commit [2241f1d] in v3.3 introduces + pr_info(). This is backported to printf() as per v3.2. + +Signed-off-by: Jean Delvare +Reviewed-by: Jerry Hoemann +(cherry picked from commit d8cfbc808f387e87091c25e7d5b8c2bb348bb206) +Signed-off-by: Dhairya Nagodra + +--- + dmidecode.c | 69 +++++++++++++++++++++++++++++++++++++++-------------- + util.c | 40 ------------------------------- + util.h | 1 - + 3 files changed, 51 insertions(+), 59 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index d6eedd1..b91e53b 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5094,11 +5094,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver + } + } + +-static void dmi_table_dump(const u8 *buf, u32 len) ++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, ++ u32 table_len) + { ++ FILE *f; ++ ++ f = fopen(opt.dumpfile, "wb"); ++ if (!f) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fopen"); ++ return -1; ++ } ++ ++ if (!(opt.flags & FLAG_QUIET)) ++ printf("# Writing %d bytes to %s.\n", ep_len, opt.dumpfile); ++ if (fwrite(ep, ep_len, 1, f) != 1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fwrite"); ++ goto err_close; ++ } ++ ++ if (fseek(f, 32, SEEK_SET) != 0) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fseek"); ++ goto err_close; ++ } ++ + if (!(opt.flags & FLAG_QUIET)) +- printf("# Writing %d bytes to %s.\n", len, opt.dumpfile); +- write_dump(32, len, buf, opt.dumpfile, 0); ++ printf("# Writing %d bytes to %s.\n", table_len, opt.dumpfile); ++ if (fwrite(table, table_len, 1, f) != 1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fwrite"); ++ goto err_close; ++ } ++ ++ if (fclose(f)) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fclose"); ++ return -1; ++ } ++ ++ return 0; ++ ++err_close: ++ fclose(f); ++ return -1; + } + + static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags) +@@ -5351,11 +5396,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_smbios3_address(crafted); + +- dmi_table_dump(table, len); +- if (!(opt.flags & FLAG_QUIET)) +- printf("# Writing %d bytes to %s.\n", crafted[0x06], +- opt.dumpfile); +- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, crafted[0x06], table, len); + } + else + { +@@ -5427,11 +5468,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_dmi_address(crafted + 0x10); + +- dmi_table_dump(table, len); +- if (!(opt.flags & FLAG_QUIET)) +- printf("# Writing %d bytes to %s.\n", crafted[0x05], +- opt.dumpfile); +- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, crafted[0x05], table, len); + } + else + { +@@ -5472,11 +5509,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 16); + overwrite_dmi_address(crafted); + +- dmi_table_dump(table, len); +- if (!(opt.flags & FLAG_QUIET)) +- printf("# Writing %d bytes to %s.\n", 0x0F, +- opt.dumpfile); +- write_dump(0, 0x0F, crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, 0x0F, table, len); + } + else + { +diff --git a/util.c b/util.c +index eeffdae..2e1931c 100644 +--- a/util.c ++++ b/util.c +@@ -247,46 +247,6 @@ out: + return p; + } + +-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add) +-{ +- FILE *f; +- +- f = fopen(dumpfile, add ? "r+b" : "wb"); +- if (!f) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fopen"); +- return -1; +- } +- +- if (fseek(f, base, SEEK_SET) != 0) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fseek"); +- goto err_close; +- } +- +- if (fwrite(data, len, 1, f) != 1) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fwrite"); +- goto err_close; +- } +- +- if (fclose(f)) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fclose"); +- return -1; +- } +- +- return 0; +- +-err_close: +- fclose(f); +- return -1; +-} +- + /* Returns end - start + 1, assuming start < end */ + u64 u64_range(u64 start, u64 end) + { +diff --git a/util.h b/util.h +index 3094cf8..ef24eb9 100644 +--- a/util.h ++++ b/util.h +@@ -27,5 +27,4 @@ + int checksum(const u8 *buf, size_t len); + void *read_file(off_t base, size_t *len, const char *filename); + void *mem_chunk(off_t base, size_t len, const char *devmem); +-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add); + u64 u64_range(u64 start, u64 end); diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch new file mode 100644 index 0000000000..bf4d060c8c --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch @@ -0,0 +1,62 @@ +From b7dacccff32294ea522df32a9391d0218e7600ea Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Mon, 20 Feb 2023 14:53:31 +0100 +Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file + +Make sure that the file passed to option --dump-bin does not already +exist. In practice, it is rather unlikely that an honest user would +want to overwrite an existing dump file, while this possibility +could be used by a rogue user to corrupt a system file. + +CVE: CVE-2023-30630 +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c] + +Backport Changes: +- Ignored changes in man/dmidecode.8 file. + +Signed-off-by: Jean Delvare +Reviewed-by: Jerry Hoemann +(cherry picked from commit 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2) +Signed-off-by: Dhairya Nagodra + +--- + dmidecode.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index b91e53b..846d9a1 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -60,6 +60,7 @@ + * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf + */ + ++#include + #include + #include + #include +@@ -5097,13 +5098,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver + static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, + u32 table_len) + { ++ int fd; + FILE *f; + +- f = fopen(opt.dumpfile, "wb"); ++ fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666); ++ if (fd == -1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("open"); ++ return -1; ++ } ++ ++ f = fdopen(fd, "wb"); + if (!f) + { + fprintf(stderr, "%s: ", opt.dumpfile); +- perror("fopen"); ++ perror("fdopen"); + return -1; + } + diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb index 8caffb5cc3..1e7c38dc8a 100644 --- a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb +++ b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb @@ -6,6 +6,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \ file://0001-Committing-changes-from-do_unpack_extra.patch \ + file://CVE-2023-30630-dependent_p1.patch \ + file://CVE-2023-30630-dependent_p2.patch \ + file://CVE-2023-30630.patch \ " COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux" From patchwork Sun Aug 13 21:18:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28752 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0678EEB64DD for ; Sun, 13 Aug 2023 21:19:19 +0000 (UTC) Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) by mx.groups.io with SMTP id smtpd.web11.93774.1691961549218496684 for ; Sun, 13 Aug 2023 14:19:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=W/xzgBpu; spf=softfail (domain: sakoman.com, ip: 209.85.215.180, mailfrom: steve@sakoman.com) Received: by mail-pg1-f180.google.com with SMTP id 41be03b00d2f7-517ab9a4a13so2909305a12.1 for ; Sun, 13 Aug 2023 14:19:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961548; x=1692566348; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=1HbHOx+zJdT6iwc3IM/rCQe9e26KodarbW7qhcf3O9w=; b=W/xzgBpuUQQ5+2/5z3C7MpF2HO4SgDztivqeNPd3BOeqcUgK59fuhHB0teywpto0iJ W/6B2hNvaHjaQ4jnFhoG1cAWpN3FSFsQCjPsPZDIVxttJ0pR3nMb53TcwH+bBiWkFW+c h/rFU/41tDXZ9c4lSI34R1CBgbV1tLc2Hjja/igiqQH5l7/EZr9PKnLoL7095t6OqyqH rUhspjlOy5+HDjlJyFvHfVqxJCkTXdS7IfdYJNvv4kbiqwwtzrMKhVrt6POenPzm4Pfl mqIe56Kb3xbGNa2+gmFnS9vuRqD9s8OPsQt29RXtkqwOEW3r/r1dwseW5NkqOYI2k8qe 229Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961548; x=1692566348; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1HbHOx+zJdT6iwc3IM/rCQe9e26KodarbW7qhcf3O9w=; b=Q6s573uY4ODc8y7JPGLUgWtJGtBqLfgq4COJ7L2qNJRGZCl1nkWRlfFp9QJf0m4Ucz W7mlZm1Z75C39xH98c8cda7cwg4KWeKnPwD1C1ng1HFTF+ogu1HrF/B/QPCARJiihpNS F2t6FZIB1Dazs88h2CXPROWxdRteNW3X8wuibf30HhQQgn6CfgLIU+nyn05XFfPuGkZe lxRtmNzfWFcsES2Lc8LWyNTDg+TwoFcG0j7JszESacC8r70BLPoNE8rtS4OZQFk++jq3 s/pXPTB7s4o5uh329mJUp6XWBea0tolMbfy+BeMe4VSpPX9PYdYPhENSBBh0bFitP05t pe9A== X-Gm-Message-State: AOJu0YyGuZko/y5dmylqfDVVpTYIz50kUCQPwZkBqwzxrZjNQ0tW0ttP k8iaBEh4/XHPwYv5fjkIAtCsQTUSE3vs3lyvEgJblg== X-Google-Smtp-Source: AGHT+IEhgv4rjNWgQZ4NLXx3nW+35TAebgrzMHP5vhW6aqG71PM+mWTXMt1YHYf+m+J8MRkIDmKJxg== X-Received: by 2002:a17:90a:5a4d:b0:269:18f5:683e with SMTP id m13-20020a17090a5a4d00b0026918f5683emr6567183pji.3.1691961548284; Sun, 13 Aug 2023 14:19:08 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:07 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 10/22] qemu: CVE-ID correction for CVE-2020-35505 Date: Sun, 13 Aug 2023 11:18:16 -1000 Message-Id: <9d54930a0c37e2878bbbe221341ebbd2bdd78a22.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185901 From: Emily Vekariya - The commit [https://github.com/qemu/qemu/commit/995457517340] ("esp: ensure cmdfifo is not empty and current_dev is non-NULL") fixes CVE-2020-35505 instead of CVE-2020-35504. - Hence, corrected the CVE-ID in CVE-2020-35505.patch. - Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1909769 Signed-off-by: Emily Vekariya Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch index c5ff6e89ff..40c0b1e74f 100644 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch @@ -20,16 +20,19 @@ Reviewed-by: Philippe Mathieu-Daudé Tested-by: Alexander Bulekov Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk> -CVE: CVE-2020-35504 +CVE: CVE-2020-35505 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89 ] Signed-off-by: Chee Yang Lee +Signed-off-by: Emily Vekariya --- - hw/scsi/esp.c | 3 +++ - 1 file changed, 3 insertions(+) + hw/scsi/esp.c | 4 ++++ + 1 file changed, 4 insertions(+) +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index c7d701bf..c2a67bc8 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c -@@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, ui +@@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid) trace_esp_do_busid_cmd(busid); lun = busid & 7; From patchwork Sun Aug 13 21:18:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28757 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14A19C3DA40 for ; Sun, 13 Aug 2023 21:19:19 +0000 (UTC) Received: from mail-pg1-f173.google.com (mail-pg1-f173.google.com [209.85.215.173]) by mx.groups.io with SMTP id smtpd.web10.94019.1691961551273907568 for ; Sun, 13 Aug 2023 14:19:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=LEL7bPBZ; spf=softfail (domain: sakoman.com, ip: 209.85.215.173, mailfrom: steve@sakoman.com) Received: by mail-pg1-f173.google.com with SMTP id 41be03b00d2f7-564d6aa9abdso3254328a12.1 for ; Sun, 13 Aug 2023 14:19:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961550; x=1692566350; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=mGlWB35IW0aK3bSQlMc+n2us/mqGC42a92Sv5nQJtEc=; b=LEL7bPBZ6S94gOcA7IvoEwJc62BlRqt/8XXVUygQ5g6w6bQ9WHX91d+DcTBj4lzVYX uB812gpBj64+kUa7tmFRc4+7S8t/IYgSmTThXmZNifNXrO435eJE859iHKc9lh8SlvX8 ZfjJ2M9nyV1/8mtQ0pBKZh2P7n870fwxavxfw5pvduIBAHnHy3RxGd4A8ZvMEFGAJrUA hW2uu/L1KNDZujVjzPHYbEHtrXnLeH/UWRUErkTlW+sQzk7xnZdCMo4YoZQAPUaBkAMk 8la9v+FJSyOUtndYW9AACODumoRdZRp5Vh4DcgE8pljvihLPbMC8Etll26pSnfZUv3O1 dBDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961550; x=1692566350; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mGlWB35IW0aK3bSQlMc+n2us/mqGC42a92Sv5nQJtEc=; b=It1jpJhW6H28A4+XZIfrZEwWqHQnPsLvYbXLOSK+4bLA8VxhmV7aeIvilQFoRkK8Eb DzTY5Dq2ms49AKGGWYisYguFgKCLpg+hTml5wI8MxIuS5lMMkv9uOteqddodbYARdvC5 YwA9lNBxkO2wAQrT4vVIHd1QvvsFiHvzY111/kSfdvpA8GJWrrgSU1wlJq6kHb4Jvl+2 KcfbWBwOoWZpP84OsK7iIMK1mwd91afRXfvQm+ZBIjhTvHYRbkcNIEhi/le7j8i+e7o8 QL6fWlFR19f4XwS2TXfidzb7CxzdqQ5SjCelHFGsmAzd6grM0yWB0QJa7tCpwhlE6K1B epNA== X-Gm-Message-State: AOJu0Yw7vt7wG7a6od36xblMxbL4PkIAHwyXA+UlUHZPjpemnq98JIMr v8Zjylk6wDrNQc/b5IDvVNIf1dXNIZyc2ioEc09TWg== X-Google-Smtp-Source: AGHT+IHzON8apBU4m10TO+PKv5DvBhvxL/IjaxeqCighxvh90E0o0fCTYG0UUG1Hg/77nwkQ98R8hw== X-Received: by 2002:a17:90b:68f:b0:269:3757:54bb with SMTP id m15-20020a17090b068f00b00269375754bbmr9614339pjz.11.1691961550318; Sun, 13 Aug 2023 14:19:10 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:09 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 11/22] qemu:fix CVE-2023-3354 VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service Date: Sun, 13 Aug 2023 11:18:17 -1000 Message-Id: <447bab76f9ac465ad36540e3bfb9a2a3cdbfa6b6.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185902 From: Vivek Kumbhar Signed-off-by: Vivek Kumbhar Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2023-3354.patch | 87 +++++++++++++++++++ 2 files changed, 88 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 352277573b..2871818cb1 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -138,6 +138,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3409-5.patch \ file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ file://CVE-2023-0330.patch \ + file://CVE-2023-3354.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch new file mode 100644 index 0000000000..2942e84cac --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch @@ -0,0 +1,87 @@ +From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 20 Jun 2023 09:45:34 +0100 +Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The TLS handshake make take some time to complete, during which time an +I/O watch might be registered with the main loop. If the owner of the +I/O channel invokes qio_channel_close() while the handshake is waiting +to continue the I/O watch must be removed. Failing to remove it will +later trigger the completion callback which the owner is not expecting +to receive. In the case of the VNC server, this results in a SEGV as +vnc_disconnect_start() tries to shutdown a client connection that is +already gone / NULL. + +CVE-2023-3354 +Reported-by: jiangyegen +Signed-off-by: Daniel P. Berrangé + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4] +CVE: CVE-2023-3354 +Signed-off-by: Vivek Kumbhar +--- + include/io/channel-tls.h | 1 + + io/channel-tls.c | 18 ++++++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h +index fdbdf12f..e49e2831 100644 +--- a/include/io/channel-tls.h ++++ b/include/io/channel-tls.h +@@ -49,6 +49,7 @@ struct QIOChannelTLS { + QIOChannel *master; + QCryptoTLSSession *session; + QIOChannelShutdown shutdown; ++ guint hs_ioc_tag; + }; + + /** +diff --git a/io/channel-tls.c b/io/channel-tls.c +index 7ec8ceff..8b32fbde 100644 +--- a/io/channel-tls.c ++++ b/io/channel-tls.c +@@ -194,12 +194,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, + } + + trace_qio_channel_tls_handshake_pending(ioc, status); +- qio_channel_add_watch_full(ioc->master, +- condition, +- qio_channel_tls_handshake_io, +- data, +- NULL, +- context); ++ ioc->hs_ioc_tag = ++ qio_channel_add_watch_full(ioc->master, ++ condition, ++ qio_channel_tls_handshake_io, ++ data, ++ NULL, ++ context); + } + } + +@@ -214,6 +215,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, + QIOChannelTLS *tioc = QIO_CHANNEL_TLS( + qio_task_get_source(task)); + ++ tioc->hs_ioc_tag = 0; + g_free(data); + qio_channel_tls_handshake_task(tioc, task, context); + +@@ -371,6 +373,10 @@ static int qio_channel_tls_close(QIOChannel *ioc, + { + QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc); + ++ if (tioc->hs_ioc_tag) { ++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); ++ } ++ + return qio_channel_close(tioc->master, errp); + } + +-- +2.25.1 + From patchwork Sun Aug 13 21:18:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28755 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14484C001E0 for ; Sun, 13 Aug 2023 21:19:19 +0000 (UTC) Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) by mx.groups.io with SMTP id smtpd.web11.93776.1691961553192421325 for ; Sun, 13 Aug 2023 14:19:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=RdNzqQh5; spf=softfail (domain: sakoman.com, ip: 209.85.216.42, mailfrom: steve@sakoman.com) Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-268bc714ce0so3278846a91.0 for ; Sun, 13 Aug 2023 14:19:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961552; x=1692566352; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=SViTr2GEW6vIkK5R2YvMUBOkbRPreyAxVr1BdIBCh5c=; b=RdNzqQh5/n5/nmMvWWDEybTrO9jjXnPxZP8jCHyr/T/L5xRbwr5EkSYMw7JxS5YSR9 enJUGNksZJYgCDxhOtpuC/DyETbmTxLzJ8iFbR1m+N55PL1LfhEiEpwY3/0zNe3/GDOi Q1cf5yQng6ci+E4s6+jFLPafl9LsBBaGHKWLc3TarJVq8JSfjCJz6hdeopqNKnNmbHON RuRoyUu3GimQCH2jeYep5PoUgHbrqD3ql3ZtifbNjotfSa85uukNJaUkRQM9dnr9IDV1 k+T8kEjnaKhYuxKkAa2ydipklXcx0ZI3GN8x1DTsVy4/PFMVNgvCCtUiv6KjVcyYHUmh 8pLQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961552; x=1692566352; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=SViTr2GEW6vIkK5R2YvMUBOkbRPreyAxVr1BdIBCh5c=; b=dLTa6yby3mvjUscXcQZYhpNEi9wGyQtaQ8eLGREnKH9q+fT0aS6PDhpYQU3EsrhJYQ ftA0ZAGxPklZYL9Zk9/8PSD86mZ91VxS0i5dZAUSPwVt7COMtFufRLsKjSDooSxIdpbS eTMdLWXjXWPdI77ib1LVFT9dRQ+lSPtx2TaXatUpb6+ZrTlHhg+XYEylL5ANBCOZQM9G xNuIc3IlLqX1nK8NBE+yGKaduPtyW7ZHGWhFBL9W9XuJlHFUA4mbXprfYZnM921W3oBA 2dlVUbJxPM67UeMYFO4bWqhSrIevGmZeWBMDDQVpnyJWTiLdoL6dVmqmNWST62vqM+w5 NVXQ== X-Gm-Message-State: AOJu0YxZFInmC8xIosF1dMq7mmCQ3wvdYIrco33zX2xq1fXgkQvcoZtE VTBNMetYhD9DolsJhZctOQeXhz0XmdcypCFp4td1cg== X-Google-Smtp-Source: AGHT+IFNkXRaBjTst2QOvsFqXjG3CzRHBsZdAHAtYe/OoaeoOY/ksI2D60eeIQ9zkOgjoukdkKQvvg== X-Received: by 2002:a17:90a:5a85:b0:268:808:8e82 with SMTP id n5-20020a17090a5a8500b0026808088e82mr9733552pji.1.1691961552246; Sun, 13 Aug 2023 14:19:12 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.11 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:11 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 12/22] ghostscript: backport fix for CVE-2023-38559 Date: Sun, 13 Aug 2023 11:18:18 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185903 From: Vijay Anusuri Upstream-Status: Backport from https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- ...pcx-buffer-overrun-fix-from-devices-.patch | 31 +++++++++++++++++++ .../ghostscript/ghostscript_9.52.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch new file mode 100644 index 0000000000..91b9f6df50 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch @@ -0,0 +1,31 @@ +From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Mon, 17 Jul 2023 14:06:37 +0100 +Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from + devices/gdevpcx.c + +Bounds check the buffer, before dereferencing the pointer. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f] +CVE: CVE-2023-38559 +Signed-off-by: Vijay Anusuri +--- + base/gdevdevn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gdevdevn.c b/base/gdevdevn.c +index 3b019d6..2888776 100644 +--- a/base/gdevdevn.c ++++ b/base/gdevdevn.c +@@ -1980,7 +1980,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file + byte data = *from; + + from += step; +- if (data != *from || from == end) { ++ if (from >= end || data != *from) { + if (data >= 0xc0) + gp_fputc(0xc1, file); + } else { +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 57f0b51ad3..37e9ed8e84 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb @@ -40,6 +40,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2021-3781_2.patch \ file://CVE-2021-3781_3.patch \ file://CVE-2023-28879.patch \ + file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \ " SRC_URI = "${SRC_URI_BASE} \ From patchwork Sun Aug 13 21:18:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28756 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 144AAC04E69 for ; Sun, 13 Aug 2023 21:19:19 +0000 (UTC) Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) by mx.groups.io with SMTP id smtpd.web10.94022.1691961554899775654 for ; Sun, 13 Aug 2023 14:19:14 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=clgmshUJ; spf=softfail (domain: sakoman.com, ip: 209.85.215.172, mailfrom: steve@sakoman.com) Received: by mail-pg1-f172.google.com with SMTP id 41be03b00d2f7-564b8ea94c1so2211098a12.1 for ; Sun, 13 Aug 2023 14:19:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961554; x=1692566354; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Bk+mM/C+6/q79N6S80yVVGbbOtAGH6Bdbf2eCPFuZPQ=; b=clgmshUJPiNqZW5cMlZhBUzC3S+eGn5CYisBKd0DbZ++tMsNyOIWHGFU9U/xSMSbsN jc3+bEUeEtyAeeqDoJeV/fCBtqsHpoYQLH7M/g4MTmqh3e4y2sJqVx9EFe7ApeMj33ru kCuOflx8hSiXE1IwUL22wVVn2x/o+XBXIIfRJMSG08g/+zaCtJfBF3qAb5S3hp/nVKyA o1+LVq362gl+NeKgN2xsQJQOKg6HYa8ZBdne/LTysrhXbtxk3xXHpbhRqjCg5tC6uEen qdiDyZ/F7K62WCad3FpzmUWhPYCI0hacKn7r9ZjOxc9BX7F3uq0kOvi+5IczmNTRlvxG JPTA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961554; x=1692566354; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Bk+mM/C+6/q79N6S80yVVGbbOtAGH6Bdbf2eCPFuZPQ=; b=UTSbEcHdZkUMnG9sDBah8UYIcVgnocOggZOznF1wjRosSjKG87bvrwt4kvythxsb7z mIrqI04cJl4fiNQqMtTnyqAufdEbgphxmMyJNOSQLUS8Mo2dYSpDSWjYbmFuIKmy1g9x lLRCag+Vk/AtiRh2oiuyQ2mbYpAgud9jxmM9pODky55WRQKNisd36HrxCyd99FtK5f2n wMXeaaa7+JvQuuQy7sYxg/UjlnovciE70Pmqf31COQYc8HAOGDR96B2nZp6eT9mmDPLf Ska28SwS/w3l9AvkbKHG1wlcSW9Ueh2YDOLmoMIWx3Mf4T1Z+yS+5vrrpyvHudoCtaSa OBlQ== X-Gm-Message-State: AOJu0Yw9aeoFMJzbObymMlaAUBKzizellAZybxsjDvGgOPSiRFo4RAWG 0xlqDttirO0sO7L4TkncHysSBp3VcAv1n/7uH7k5Lw== X-Google-Smtp-Source: AGHT+IF5YVcrjX4K7JNZRVrhrX30U5rPxxq4/2wDbcJBMXBurlzRwVzU8MCPolFclPtoQjUKX8aABQ== X-Received: by 2002:a17:90a:6d43:b0:268:5fd8:d8ff with SMTP id z61-20020a17090a6d4300b002685fd8d8ffmr5344035pjj.0.1691961553968; Sun, 13 Aug 2023 14:19:13 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:13 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 13/22] procps: patch CVE-2023-4016 Date: Sun, 13 Aug 2023 11:18:19 -1000 Message-Id: <1632c7223b2f8cd595e1ba20bc006c68fc833295.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185904 From: Peter Marko Backport patch from upstream master. There were three changes needed to apply the patch: * move NEWS change to start of the file * change file location from src/ps/ to ps/ * change xmalloc/xcmalloc to malloc/cmalloc The x*malloc functions were introduced in commit in future version. https://gitlab.com/procps-ng/procps/-/commit/584028dbe513127ef68c55aa631480454bcc26bf They call the original function plus additionally throw error when out of memory. https://gitlab.com/procps-ng/procps/-/blob/v4.0.3/local/xalloc.h?ref_type=tags So this replacement is correct in context of our version. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../procps/procps/CVE-2023-4016.patch | 85 +++++++++++++++++++ meta/recipes-extended/procps/procps_3.3.16.bb | 1 + 2 files changed, 86 insertions(+) create mode 100644 meta/recipes-extended/procps/procps/CVE-2023-4016.patch diff --git a/meta/recipes-extended/procps/procps/CVE-2023-4016.patch b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch new file mode 100644 index 0000000000..50582a8649 --- /dev/null +++ b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch @@ -0,0 +1,85 @@ +From 2c933ecba3bb1d3041a5a7a53a7b4078a6003413 Mon Sep 17 00:00:00 2001 +From: Craig Small +Date: Thu, 10 Aug 2023 21:18:38 +1000 +Subject: [PATCH] ps: Fix possible buffer overflow in -C option + +ps allocates memory using malloc(length of arg * len of struct). +In certain strange circumstances, the arg length could be very large +and the multiplecation will overflow, allocating a small amount of +memory. + +Subsequent strncpy() will then write into unallocated memory. +The fix is to use calloc. It's slower but this is a one-time +allocation. Other malloc(x * y) calls have also been replaced +by calloc(x, y) + +References: + https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016 + https://nvd.nist.gov/vuln/detail/CVE-2023-4016 + https://gitlab.com/procps-ng/procps/-/issues/297 + https://bugs.debian.org/1042887 + +Signed-off-by: Craig Small + +CVE: CVE-2023-4016 +Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413] + +Signed-off-by: Peter Marko + +--- + NEWS | 1 + + ps/parser.c | 8 ++++---- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/NEWS b/NEWS +index b9509734..64fa3da8 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,3 +1,5 @@ ++ * ps: Fix buffer overflow in -C option CVE-2023-4016 Debian #1042887, issue #297 ++ + procps-ng-3.3.16 + ---------------- + * library: Increment to 8:2:0 +diff --git a/ps/parser.c b/ps/parser.c +index 248aa741..15873dfa 100644 +--- a/ps/parser.c ++++ b/ps/parser.c +@@ -184,7 +184,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s + const char *err; /* error code that could or did happen */ + /*** prepare to operate ***/ + node = malloc(sizeof(selection_node)); +- node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */ + node->n = 0; + buf = strdup(arg); + /*** sanity check and count items ***/ +@@ -205,6 +204,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s + } while (*++walk); + if(need_item) goto parse_error; + node->n = items; ++ node->u = calloc(items, sizeof(sel_union)); + /*** actually parse the list ***/ + walk = buf; + while(items--){ +@@ -1031,15 +1031,15 @@ static const char *parse_trailing_pids(void){ + thisarg = ps_argc - 1; /* we must be at the end now */ + + pidnode = malloc(sizeof(selection_node)); +- pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ pidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */ + pidnode->n = 0; + + grpnode = malloc(sizeof(selection_node)); +- grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ grpnode->u = calloc(i,sizeof(sel_union)); /* waste is insignificant */ + grpnode->n = 0; + + sidnode = malloc(sizeof(selection_node)); +- sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */ ++ sidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */ + sidnode->n = 0; + + while(i--){ +-- +GitLab + diff --git a/meta/recipes-extended/procps/procps_3.3.16.bb b/meta/recipes-extended/procps/procps_3.3.16.bb index 3a8289b359..ac27734a6f 100644 --- a/meta/recipes-extended/procps/procps_3.3.16.bb +++ b/meta/recipes-extended/procps/procps_3.3.16.bb @@ -14,6 +14,7 @@ inherit autotools gettext pkgconfig update-alternatives SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \ file://sysctl.conf \ + file://CVE-2023-4016.patch \ " SRCREV = "59c88e18f29000ceaf7e5f98181b07be443cf12f" From patchwork Sun Aug 13 21:18:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28754 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 07752C001DB for ; Sun, 13 Aug 2023 21:19:19 +0000 (UTC) Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) by mx.groups.io with SMTP id smtpd.web11.93780.1691961556794522084 for ; Sun, 13 Aug 2023 14:19:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=cUd9Qv5C; spf=softfail (domain: sakoman.com, ip: 209.85.215.172, mailfrom: steve@sakoman.com) Received: by mail-pg1-f172.google.com with SMTP id 41be03b00d2f7-56546b45f30so2914477a12.3 for ; Sun, 13 Aug 2023 14:19:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961556; x=1692566356; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=WOa7PDJ3FLLFj5CqJb7EZ2kH1HjlXGrArLuMP1Ci5/g=; b=cUd9Qv5C0E7RUSvOZydaAtR7sWorExLjs8XQ/0ZLgPyyZkg135sfRBILAaa6YpK1Ud fqhFuqLGzsDIcZCqCNd0YyUr13oXhXSgZ8vQ2E6fJTKVWCuiojI2rO6ipFuQ8Q2okYwP EJznGLxUxwL/dndYK6pJlFFu+Rx2fDjrogvxR35cFZiFie9D+AQvl1D7lDfm2ynD8y+z v0tEAKMjruPDUOupRnqAcR1E2R+nHWdPmbHXKrsu2JRgQ0ObGSGaaNu9iUx3/MA7g9Cz SUVpWc4yMYI9zkfUQwYBEje+THZcEa/a6SaLulgY0g1S4hbDsiyrNInhbmpo+Mz9fAN6 eHdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961556; x=1692566356; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WOa7PDJ3FLLFj5CqJb7EZ2kH1HjlXGrArLuMP1Ci5/g=; b=JzKFo8EdcQfdel1moUejI64CaJ9UbBicwMyQITK2DI2j136e55rfyTowuqHgWz63uW QWqNLJCN5bp0bQbkcDi0bLu7BC9qvborLjyynVTC2G7ZOcPFOoWJGWnHJNMqTAtCHR9P BD4CVrfAfTGi5wnJFoSo2C6QrvY1wHAqOVhGtsvFshxWS4+ykpbHG2+bq51vIVxh51Cf fWLa68S1yBPnj3dUm0MUdNg03JsUQPUyWbHKmqlw8UtbajGL7yJOj7VopmJoPSLY++bt IohM/oEheGPF8XLF9r2XZwSD7qDFxml5mQU1KvDcvmScKDl2jqvmOzSuR+C9iH40o3/O BFgg== X-Gm-Message-State: AOJu0YxFkwdw0WJo4JP9mro1Vk2t9rGB4muAaQZz+eGyQXymgGyUdNYK SMH9OKeC3kIMP0E1/p5qp6LobUrmuLapP7CL9C/FJw== X-Google-Smtp-Source: AGHT+IHHJ+zV5DuVpwlGutBI3Sg/fDFDOJdNUwIADoJPJG6Ljq1botZctYJW7VNUcRekyGBptlg7AQ== X-Received: by 2002:a17:90a:bc01:b0:26b:1da1:58af with SMTP id w1-20020a17090abc0100b0026b1da158afmr7212078pjr.47.1691961555912; Sun, 13 Aug 2023 14:19:15 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:15 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 14/22] cve-update-nvd2-native: always pass str for json.loads() Date: Sun, 13 Aug 2023 11:18:20 -1000 Message-Id: <4efdf7a93254056b9ac47de470740ac113b031f2.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185905 From: Yuta Hayama Currently json.loads() accepts one of the types str, bytes, or bytearray as an argument, but bytes and bytearrays have only been allowed since python 3.6. The version of Python3 provided by default on Ubuntu 16.04 and Debian 9.x is 3.5, so make raw_data type str to work correctly on these build hosts. Signed-off-by: Yuta Hayama Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 2f7dad7e82..67d76f75dd 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -136,7 +136,7 @@ def nvd_request_next(url, api_key, args): if (r.headers['content-encoding'] == 'gzip'): buf = r.read() - raw_data = gzip.decompress(buf) + raw_data = gzip.decompress(buf).decode("utf-8") else: raw_data = r.read().decode("utf-8") From patchwork Sun Aug 13 21:18:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28753 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 06859C41513 for ; Sun, 13 Aug 2023 21:19:19 +0000 (UTC) Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com [209.85.216.48]) by mx.groups.io with SMTP id smtpd.web11.93783.1691961558748763467 for ; Sun, 13 Aug 2023 14:19:18 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=Wdgya5cS; spf=softfail (domain: sakoman.com, ip: 209.85.216.48, mailfrom: steve@sakoman.com) Received: by mail-pj1-f48.google.com with SMTP id 98e67ed59e1d1-26b51d4c985so234544a91.3 for ; Sun, 13 Aug 2023 14:19:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961558; x=1692566358; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=3VkXUUoURN1SXWEqDxtGVFoIjO8ZMUeIQ1piKhpeMfE=; b=Wdgya5cSJLCVk1HXB9BrMDtL2s/FOcPjvkQvaHZbcgguG0S7pe1xa/7bJWgpvjDsHV yr82FcpZzYnmpMMGb1KrXilulQxq48s3xKecSeeg0QC7Bu/UxS+P++8Oowswtx5xgkJR HIRHETa79UsDwMSGZJb6gfKE/WW568Ad4Oaf2C8B9ZG4HP+MLA2+45oFxW/UwBUs8MeT BgPozaVJdLcwnHKDXxL3Xenxhd/1PjUQ7xE14Xp0FVJ24urRlRl/VTrHhX+9PIkAUvPX +b+lDKVKwIaeR2c1YG/bD3/YSLaBrvTSjF55vKVQ3MC/GuRyaaBVuLxEnpUfggDcU9iq mThw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961558; x=1692566358; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3VkXUUoURN1SXWEqDxtGVFoIjO8ZMUeIQ1piKhpeMfE=; b=Nugk/kFXU+sXipRyXl32NLPvqODh2mCO1EPx651qwLDv50KO590abR4MkhMTmIf7+P xR1OK/Qy81B6dRRJDCmo0G1djsN7OWMcJT77jWynydACU2ac3rw2eSf1NL/19NWu0Yh3 jS4qS1tJ7+WQrNFkkiIysDVL+Y93gFXhInHoxnfdWY1zK32u4AtHHn3+LeEsCftgF+2K rXWUd/3vDqRPhzjl/Wy5YlqK8MeDXJoSsxqJp6o0DVVsGGQzTq5GmDIH9vTc1kbN74/0 UZZ+n4Px9ZW+kZFgaEtwXH3zkzmD+7FrLqonQZOLNPVEuJ+l5Wux5aPtPlMPtOivaPTE Moow== X-Gm-Message-State: AOJu0YwSUnRvjVY0UYvCNIKv1iLDT6fnWdborl+Lgv+LoQ07VwaA4pVu TBqWRwv4Lns5nfhjvhkpDiNJMy2hk7KgAHW4SRiSTg== X-Google-Smtp-Source: AGHT+IH26PX/xwCc4bWNsNAdPfa1aC7GGt741+7Kr/EpyczBceMcHyfK4rtPHZ6Lbi6x240NX7Thqg== X-Received: by 2002:a17:90a:bd91:b0:268:a691:412f with SMTP id z17-20020a17090abd9100b00268a691412fmr5255186pjr.39.1691961557722; Sun, 13 Aug 2023 14:19:17 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:17 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 15/22] harfbuzz: Resolve backported commit bug. Date: Sun, 13 Aug 2023 11:18:21 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185906 From: Dhairya Nagodra The commit [https://github.com/openembedded/openembedded-core/commit/c22bbe9b45e3] backports fix for CVE-2023-25193 for version 2.6.4. The apply() in src/hb-ot-layout-gpos-table.hh ends prematurely. The if block in apply() has an extra return statement, which causes it to return w/o executing buffer->unsafe_to_concat_from_outbuffer() function. Signed-off-by: Dhairya Nagodra Signed-off-by: Steve Sakoman --- .../harfbuzz/harfbuzz/CVE-2023-25193.patch | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch index 8243117551..e4ac13dbad 100644 --- a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch +++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch @@ -1,4 +1,4 @@ -From 8708b9e081192786c027bb7f5f23d76dbe5c19e8 Mon Sep 17 00:00:00 2001 +From 9c8e972dbecda93546038d24444d8216397d75a3 Mon Sep 17 00:00:00 2001 From: Behdad Esfahbod Date: Mon, 6 Feb 2023 14:51:25 -0700 Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment @@ -8,13 +8,15 @@ Comment1: The Original Patch [https://github.com/harfbuzz/harfbuzz/commit/85be87 Comment2: The Patch contained files MarkBasePosFormat1.hh and MarkLigPosFormat1.hh which were moved from hb-ot-layout-gpos-table.hh as per https://github.com/harfbuzz/harfbuzz/commit/197d9a5c994eb41c8c89b7b958b26b1eacfeeb00 CVE: CVE-2023-25193 Signed-off-by: Siddharth Doshi +Signed-off-by: Dhairya Nagodra + --- - src/hb-ot-layout-gpos-table.hh | 101 ++++++++++++++++++++++++--------- + src/hb-ot-layout-gpos-table.hh | 103 +++++++++++++++++++++++---------- src/hb-ot-layout-gsubgpos.hh | 5 +- - 2 files changed, 77 insertions(+), 29 deletions(-) + 2 files changed, 78 insertions(+), 30 deletions(-) diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh -index 024312d..88df13d 100644 +index 024312d..db5f9ae 100644 --- a/src/hb-ot-layout-gpos-table.hh +++ b/src/hb-ot-layout-gpos-table.hh @@ -1458,6 +1458,25 @@ struct MarkBasePosFormat1 @@ -102,8 +104,9 @@ index 024312d..88df13d 100644 + //if (!_hb_glyph_info_is_base_glyph (&buffer->info[idx])) { return_trace (false); } - unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[skippy_iter.idx].codepoint); +- if (base_index == NOT_COVERED) return_trace (false); + unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[idx].codepoint); - if (base_index == NOT_COVERED) return_trace (false); ++ if (base_index == NOT_COVERED) + { + buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1); + return_trace (false); @@ -174,6 +177,3 @@ index 5a7e564..437123c 100644 void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); } void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); } void set_random (bool random_) { random = random_; } --- -2.25.1 - From patchwork Sun Aug 13 21:18:22 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28759 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 038F6C41513 for ; Sun, 13 Aug 2023 21:19:29 +0000 (UTC) Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) by mx.groups.io with SMTP id smtpd.web11.93784.1691961560597500312 for ; Sun, 13 Aug 2023 14:19:20 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=f/HSvIuj; spf=softfail (domain: sakoman.com, ip: 209.85.216.44, mailfrom: steve@sakoman.com) Received: by mail-pj1-f44.google.com with SMTP id 98e67ed59e1d1-26b0b4a7ccbso1885531a91.2 for ; Sun, 13 Aug 2023 14:19:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961560; x=1692566360; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=wuGRqhO1hi8xwfoYnPivNrbuIgcklRorD9zS1UuxYlk=; b=f/HSvIujsMNXWqzWh+ojhjgeK8LQ9TglofWAZLphtfmewpfNwWcyLu2JU1Pnik/4No c24bUZwPwPpR62dqsYPqm8ksJ63xtGYZ4WfqPn97iS1q7etIfawr1GPUNJXzy0MDL0eR iBf0+JwGdlx/lZK3a8cVgwCaMWsRRJ7J9oO1xrMe+4DFxecGxt93wbyHnxEWd+4UCrOZ hSLrFwWOgRTRv/y9shDiaPPJvQpKwSv8wLYpyLPBMkmGWw5rBGHTQMBykl7XsIWayUrn 49fCJuwfh9zeogKrcnOib5koXmh54dk31hakqPT8XPcS4CN51w+VTQ5YXgo3PBQdq7Zc i9Fw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961560; x=1692566360; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wuGRqhO1hi8xwfoYnPivNrbuIgcklRorD9zS1UuxYlk=; b=gBosnqkFGsdCltgfkaMPm8wDjwuOqd3dMeLJCrozDgI4SWFaTN0F94Lca2/YBkCwyr 7Q6etOS8jOU4rLUe+j/HXOYopxUSYIvRfipxiVRdTvFoC94e/SMOBt3g6kYCC5wZlG5P fv6SHWuZz9lLaX4ReszRzxGBkCdu0kesxv9764XwnSSrwxXy2tP9XelqYUO0FBbXt8Td Sg1dKDaITt6XUBAWzvHxvOvfOYlda33C1IbjD+Uhv1sVy+e8gsmKXdxssWrWv0TWK9bG BvGNcpPAkM4yOAczgijvELGXicK91wIZDd7nY8vOcHvGTw43VAWPR+IkLvvYmPjId5K0 I4KA== X-Gm-Message-State: AOJu0Ywrv9adQkFc5hlA4Uo4cFfcO3ONAelK5Gz3B2knjMuv0nArnyOU 2HXSDYKtVLIBd2cntlZ8JLjQR5CpdAsCxws586vuyQ== X-Google-Smtp-Source: AGHT+IHjOpDH5hm1ohMj1CsAkMF10MuE9Knt4hO3Wt7dwMPE/yHnusqZNAgLpykWdAAlu/T9P0H7lw== X-Received: by 2002:a17:90a:ad8a:b0:26b:2576:1e48 with SMTP id s10-20020a17090aad8a00b0026b25761e48mr5723416pjq.34.1691961559644; Sun, 13 Aug 2023 14:19:19 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:19 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 16/22] linux-yocto/5.4: update to v5.4.249 Date: Sun, 13 Aug 2023 11:18:22 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185907 From: Bruce Ashfield Updating to the latest korg -stable release that comprises the following commits: b30db4f7e45f Linux 5.4.249 c87439055174 xfs: verify buffer contents when we skip log replay 72ab3d39b443 mm: make wait_on_page_writeback() wait for multiple pending writebacks 9ea42ba3e695 mm: fix VM_BUG_ON(PageTail) and BUG_ON(PageWriteback) dffd25725e99 i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle f89bcf03e90c x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys a43c763f9cbe drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl 45f574d8dfc1 drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl c81a542e45a0 drm/exynos: vidi: fix a wrong error return 948b8b5fd0f3 ARM: dts: Fix erroneous ADS touchscreen polarities 8d6f9f5f3bfc ASoC: nau8824: Add quirk to active-high jack-detect d6fd1b3f7648 s390/cio: unregister device when the only path is gone 0de32d3dd39d usb: gadget: udc: fix NULL dereference in remove() 823dd7de8213 nfcsim.c: Fix error checking for debugfs_create_dir c32b39d0707b media: cec: core: don't set last_initiator if tx in progress a69a15a1e789 arm64: Add missing Set/Way CMO encodings 99de9a18e646 HID: wacom: Add error check to wacom_parse_and_register() 2af8d9637270 scsi: target: iscsi: Prevent login threads from racing between each other 321a81d26c8d sch_netem: acquire qdisc lock in netem_change() 91274bbe78a2 Revert "net: phy: dp83867: perform soft reset and retain established link" 25c8d38c7560 netfilter: nfnetlink_osf: fix module autoload 476c617e4dd4 netfilter: nf_tables: disallow element updates of bound anonymous sets d3b110395fea be2net: Extend xmit workaround to BE3 chip 789d5286060f net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch 35373d602bd4 ipvs: align inner_mac_header for encapsulation ee155675bda8 mmc: usdhi60rol0: fix deferred probing 0bd483fb95ce mmc: sh_mmcif: fix deferred probing 6160d37db171 mmc: sdhci-acpi: fix deferred probing b25875cf5e3b mmc: omap_hsmmc: fix deferred probing cbb0118f8aa0 mmc: omap: fix deferred probing e0d505356973 mmc: mvsdio: fix deferred probing c2e675509ff8 mmc: mvsdio: convert to devm_platform_ioremap_resource 3ef787d61972 mmc: mtk-sd: fix deferred probing 3c01d64996be net: qca_spi: Avoid high load if QCA7000 is not available bf7a4fd33669 xfrm: Linearize the skb after offloading if needed. d0fe8a733fa7 ieee802154: hwsim: Fix possible memory leaks dfcac203a36a rcu: Upgrade rcu_swap_protected() to rcu_replace_pointer() 94199d4727f6 x86/mm: Avoid using set_pgd() outside of real PGD pages be178a5eae0f cifs: Fix potential deadlock when updating vol in cifs_reconnect() 8a5aaa4562a9 cifs: Merge is_path_valid() into get_normalized_path() 339134c15c64 cifs: Introduce helpers for finding TCP connection cf8c7aa90618 cifs: Get rid of kstrdup_const()'d paths 3fa4c08104c4 cifs: Clean up DFS referral cache b73539b887a4 nilfs2: prevent general protection fault in nilfs_clear_dirty_page() 1cc7dcfdeb5e writeback: fix dereferencing NULL mapping->host on writeback_page_template 18a0202bec17 ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN ab530c9bec51 mmc: meson-gx: remove redundant mmc_request_done() call from irq context 88b373d1c5e9 cgroup: Do not corrupt task iteration when rebinding subsystem c06c568e43e7 PCI: hv: Fix a race condition bug in hv_pci_query_relations() f02a67690777 Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs 966708ed9dd9 nilfs2: fix buffer corruption due to concurrent device reads a93ae93e9f1b media: dvb-core: Fix use-after-free due to race at dvb_register_device() 225bd8cc9c3f media: dvbdev: fix error logic at dvb_register_device() 5bc971f0435f media: dvbdev: Fix memleak in dvb_register_device 40d7530bc7fd tick/common: Align tick period during sched_timer setup b9b61fd1f74d x86/purgatory: remove PGO flags 4d02a166cbee tracing: Add tracing_reset_all_online_cpus_unlocked() function e14e9cc588bd epoll: ep_autoremove_wake_function should use list_del_init_careful e77e5481d5bf list: add "list_del_init_careful()" to go with "list_empty_careful()" c32ab1c1959a mm: rewrite wait_on_page_bit_common() logic 559cefc7c25f nilfs2: reject devices with insufficient block count Signed-off-by: Bruce Ashfield Signed-off-by: Steve Sakoman --- .../linux/linux-yocto-rt_5.4.bb | 6 ++--- .../linux/linux-yocto-tiny_5.4.bb | 8 +++---- meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +++++++++---------- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb index d775a60e9f..8e2ac6f853 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "8d8179549a233e7517523ac12887016451da2e20" -SRCREV_meta ?= "465d61ba36f5c7e32d1fddef078d5d2068fcc2cc" +SRCREV_machine ?= "7c1c3e523391507938420fb93bfafbbf1788e6b1" +SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.4.248" +LINUX_VERSION ?= "5.4.249" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb index 5e2b2ab6cf..710fc63d47 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.4.248" +LINUX_VERSION ?= "5.4.249" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "ca5368c73bab4eb276a8e721df28c02ceb8f3eeb" -SRCREV_machine ?= "abb579170926348d1518bc1a2de8cb1cdf403808" -SRCREV_meta ?= "465d61ba36f5c7e32d1fddef078d5d2068fcc2cc" +SRCREV_machine_qemuarm ?= "532857ef9f2014098015fa9ba30501639f8840ee" +SRCREV_machine ?= "de0d74f8949990ebd464742fbb4b4e5bfaace7b3" +SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb index 336e72eede..3e4c1ca08b 100644 --- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb @@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base" KBRANCH_qemux86-64 ?= "v5.4/standard/base" KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "68775a8671944b96c6a1ee795809f81149951f2d" -SRCREV_machine_qemuarm64 ?= "54bc3d459501d8df9baf093a34d8bb676c207a07" -SRCREV_machine_qemumips ?= "ba2d346cc66307fa6332b9fb86eb8ca66f30ebcd" -SRCREV_machine_qemuppc ?= "6703d4c7c75fab78e0c72227a98aba8071d5b1c3" -SRCREV_machine_qemuriscv64 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0" -SRCREV_machine_qemux86 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0" -SRCREV_machine_qemux86-64 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0" -SRCREV_machine_qemumips64 ?= "66cac7d41a43594760f6ac48e848d73315cc5dd3" -SRCREV_machine ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0" -SRCREV_meta ?= "465d61ba36f5c7e32d1fddef078d5d2068fcc2cc" +SRCREV_machine_qemuarm ?= "05e04a6628f7da8169ee7c46288bdcf5694de623" +SRCREV_machine_qemuarm64 ?= "23ac11eda9c661a3d01fc0142a6e23aad03f2b08" +SRCREV_machine_qemumips ?= "08adf55a99423b9a86b9cf0b11dcf1f6bf0a280d" +SRCREV_machine_qemuppc ?= "5b29dfbf9af0afb45cc588154a9ac6c7f68f4d81" +SRCREV_machine_qemuriscv64 ?= "19998b76926cac29365e10bc1abc976ff2481cb5" +SRCREV_machine_qemux86 ?= "19998b76926cac29365e10bc1abc976ff2481cb5" +SRCREV_machine_qemux86-64 ?= "19998b76926cac29365e10bc1abc976ff2481cb5" +SRCREV_machine_qemumips64 ?= "a70b5911861ec339487b3fd3edc49983d3e46669" +SRCREV_machine ?= "19998b76926cac29365e10bc1abc976ff2481cb5" +SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736" # remap qemuarm to qemuarma15 for the 5.4 kernel # KMACHINE_qemuarm ?= "qemuarma15" @@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" -LINUX_VERSION ?= "5.4.248" +LINUX_VERSION ?= "5.4.249" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" From patchwork Sun Aug 13 21:18:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28760 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 10882C3DA40 for ; Sun, 13 Aug 2023 21:19:29 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web11.93787.1691961562532650124 for ; Sun, 13 Aug 2023 14:19:22 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=2Glfbutl; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-686be28e1a8so2603725b3a.0 for ; Sun, 13 Aug 2023 14:19:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961561; x=1692566361; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=z2eNvUu7ZRwcx7rhIcgOyI5ek/PdTjuljXGkzHkrrLk=; b=2GlfbutlLrNabOcV6JrG7oVPUsvfx5ZNLxfp8X2d34UE+a2vD2zt/WcUnwpYe6zMSu paSzxggz8gLtrkYSY/ju+eqx/wBrpmtaksMYrfVX4qK6Gxa4AFFRZGpUzpCLrxs/pfdA wAisaSWvu/GdBDRA2VmhPdklSDic/mCeRVw9i0QumGK/HP2YJho7ISqo7BYBrG7so1dp oVSYn4xELE5FbGRTO0lMqvZUn+L1OzvsHqPBsYQh1Hw8I7/yarXEPw0XoiPaM3HaSaiV 8ki40j7lQj8kgbkhzDPzIwoDwuBy/OQsPIVGlDL6QdN3JVQwno81pHyRCgviTnoCxaW1 VUiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961561; x=1692566361; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=z2eNvUu7ZRwcx7rhIcgOyI5ek/PdTjuljXGkzHkrrLk=; b=be62V088PcSsSMeJacIs+CiVkfo0qM9hjQSnts3Fn6Nvxe2jItWgwpBdhekQ9NPzHX HEbp2ToFEX8sBF/cGeAYn9HYFNjXqlCV/f0GFW6iVtJlMZYpjoTlpzcZ9OkTi1ODtAV3 Q9Ehx8M7vDWs412kLRwzNF5xdft4jf3jnji0Glgdf0FwSqXxIg2htf2pWZ6iS9pCLN4N 2TGeLfntBtoiFC0pELXWURnBq1LwvGoEebtXR4QvEl58F9WKDb6LR67jSKXOgbH8Xqxr eSlyrIAf52gSWY/l0iKCdbANWuIBvC1WGgJKNYEDbVR505XuMEUaqR6xwDmUgb4QZGFN nIDg== X-Gm-Message-State: AOJu0Yzn2PTHWgW+3OaVjdYfZ4UlWzaF1fJOUbJYhJ9FT6bj5rrHqv/g QZ2xpF94UBt5YdJkKFhRVrc+aPePPrjr/PvZQ+JRhA== X-Google-Smtp-Source: AGHT+IEXBphudV+4VU4cTgExQv2rR5jJj3rW3WY379lUkHDoXvyYpHDrfv1PX9rLmrR9/YmjqFeBWQ== X-Received: by 2002:a17:90a:34ca:b0:268:38f5:86ac with SMTP id m10-20020a17090a34ca00b0026838f586acmr5289767pjf.24.1691961561619; Sun, 13 Aug 2023 14:19:21 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:21 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 17/22] linux-yocto/5.4: update to v5.4.250 Date: Sun, 13 Aug 2023 11:18:23 -1000 Message-Id: <55f3f04896f1c301bbc7e18360ac05ff583b7a1d.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185908 From: Bruce Ashfield Updating to the latest korg -stable release that comprises the following commits: 27745d94abe1 Linux 5.4.250 00363ef30797 x86/cpu/amd: Add a Zenbleed fix 92b292bed627 x86/cpu/amd: Move the errata checking functionality up 4d4112e2845c x86/microcode/AMD: Load late on both threads too Signed-off-by: Bruce Ashfield Signed-off-by: Steve Sakoman --- .../linux/linux-yocto-rt_5.4.bb | 6 ++--- .../linux/linux-yocto-tiny_5.4.bb | 8 +++---- meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +++++++++---------- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb index 8e2ac6f853..f31b920ca7 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "7c1c3e523391507938420fb93bfafbbf1788e6b1" -SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736" +SRCREV_machine ?= "0057180769503ac049b495a794f864053965c7ea" +SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.4.249" +LINUX_VERSION ?= "5.4.250" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb index 710fc63d47..6f94fe3bd6 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.4.249" +LINUX_VERSION ?= "5.4.250" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "532857ef9f2014098015fa9ba30501639f8840ee" -SRCREV_machine ?= "de0d74f8949990ebd464742fbb4b4e5bfaace7b3" -SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736" +SRCREV_machine_qemuarm ?= "f0ae300728e87e4b1e51305737b9f4dda383e7bf" +SRCREV_machine ?= "de7c8d928de44e1c130760bf11d741d25e1c0213" +SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb index 3e4c1ca08b..9589ca280a 100644 --- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb @@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base" KBRANCH_qemux86-64 ?= "v5.4/standard/base" KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "05e04a6628f7da8169ee7c46288bdcf5694de623" -SRCREV_machine_qemuarm64 ?= "23ac11eda9c661a3d01fc0142a6e23aad03f2b08" -SRCREV_machine_qemumips ?= "08adf55a99423b9a86b9cf0b11dcf1f6bf0a280d" -SRCREV_machine_qemuppc ?= "5b29dfbf9af0afb45cc588154a9ac6c7f68f4d81" -SRCREV_machine_qemuriscv64 ?= "19998b76926cac29365e10bc1abc976ff2481cb5" -SRCREV_machine_qemux86 ?= "19998b76926cac29365e10bc1abc976ff2481cb5" -SRCREV_machine_qemux86-64 ?= "19998b76926cac29365e10bc1abc976ff2481cb5" -SRCREV_machine_qemumips64 ?= "a70b5911861ec339487b3fd3edc49983d3e46669" -SRCREV_machine ?= "19998b76926cac29365e10bc1abc976ff2481cb5" -SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736" +SRCREV_machine_qemuarm ?= "fb7218e03f4d75e77f3bc50217855e043e32b06a" +SRCREV_machine_qemuarm64 ?= "9561485ac053a0ea76ee95fa8dead1da30a41a8a" +SRCREV_machine_qemumips ?= "7bd91d1af3b4a24e1f34e3a9583d02d7f08aaf53" +SRCREV_machine_qemuppc ?= "f4145ff9d93b0e0b0393d16c1889bcf3c6e13e15" +SRCREV_machine_qemuriscv64 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1" +SRCREV_machine_qemux86 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1" +SRCREV_machine_qemux86-64 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1" +SRCREV_machine_qemumips64 ?= "72944e165489f0dc5121461bfc74fb2bfaa3d7d7" +SRCREV_machine ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1" +SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4" # remap qemuarm to qemuarma15 for the 5.4 kernel # KMACHINE_qemuarm ?= "qemuarma15" @@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" -LINUX_VERSION ?= "5.4.249" +LINUX_VERSION ?= "5.4.250" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" From patchwork Sun Aug 13 21:18:24 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28761 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 10857C04A94 for ; Sun, 13 Aug 2023 21:19:29 +0000 (UTC) Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) by mx.groups.io with SMTP id smtpd.web11.93788.1691961564950427105 for ; Sun, 13 Aug 2023 14:19:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=q/e13lnb; spf=softfail (domain: sakoman.com, ip: 209.85.216.50, mailfrom: steve@sakoman.com) Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-2680a031283so2073340a91.3 for ; Sun, 13 Aug 2023 14:19:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961564; x=1692566364; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=5Zmt8i/eaVN6MPcfbI09cgqIadlxHxITgyn3hA95XlY=; b=q/e13lnbmY/WHxfxm81hKIFjsik+ItxvSEzG7pC9HzsT4Yn1hm/Sa1QGnjVeiDNrLo Sr8q8TcFau46ACJkCHXfPsv7GcLg0o/bNoQIhXmKF2woAWnFvC56J8yP9nLE+cRNOeHw i3Y3pBic4EyAqkjQVcQ6qlDR5ake+RmpfXYn8IrckrxoGgpaIETw8t75tLCAbBtr32JO nhvgscb756J5GWWYgj8DoKL5uI3g7R3CavUnpHjoBIUsTDxmUVFEVU2q+LBK8Yq0LlUT DOW+P/sE4iW0dp5zn3R3JNZlHP1QSOhI2ufkS/N1OOediiyNUkx993nBXA9veVQbmKcH RHqQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961564; x=1692566364; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=5Zmt8i/eaVN6MPcfbI09cgqIadlxHxITgyn3hA95XlY=; b=AELREHqJisaKGXypgh7hrjZn847KC1g9xNUuyV7FIzqbJBUkPOaZ/WX5fRoxIa50rT BtQCE4TADotSQKkwgFXW3iY2+IX5ypzRXLuDN3Owxy8JB7lYU3b01BZKIFphsXAGiqz6 gvA/rPsrG1aAN3B4Awt7RwAo52BHZtejP7wGfn61tn/jqZumswuu/5auOsUqqBlQhT6M a1xlUmPaCB5yJtPsd4lTGXtJ+OnYfL5ddGxJgvojcdLV+xdToviX/JePlB5sUDcbKFbH JhTHd8VlD6I9ipRYAleliarTY04a8PDh7/ugi1fiuzdLmhK2FRFO7gHZCVQhF2suX6H6 fnxg== X-Gm-Message-State: AOJu0Yw5v+sg7csE7Re3cpG+QXClEXtJYFwwVIBr5bMx6REBYF370JmQ 38ytuVeup1n7Cx20lcSxK7fNaAaDqA9xGTLWFoS11w== X-Google-Smtp-Source: AGHT+IF6A7Y0wntmsgUDZ5K+kS45fyOCrniVlJJWKLTakF7ws7IvcAWau+pXCYyRH+S07nszvNQn7g== X-Received: by 2002:a17:90a:4903:b0:26b:5ccb:4bd2 with SMTP id c3-20020a17090a490300b0026b5ccb4bd2mr728799pjh.38.1691961563522; Sun, 13 Aug 2023 14:19:23 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:23 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 18/22] linux-yocto/5.4: update to v5.4.251 Date: Sun, 13 Aug 2023 11:18:24 -1000 Message-Id: <9d509daf5fdae6b5dd8a81490ee40ea119a42024.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185909 From: Bruce Ashfield Updating to the latest korg -stable release that comprises the following commits: 887433e4bc93 Linux 5.4.251 1e02fbe4f0ed tracing/histograms: Return an error if we fail to add histogram to hist_vars list b1062596556e tcp: annotate data-races around fastopenq.max_qlen 21c325d01ecc tcp: annotate data-races around tp->notsent_lowat 7175277b4d0b tcp: annotate data-races around rskq_defer_accept 3121d649e4c6 tcp: annotate data-races around tp->linger2 b1cd5655fc13 net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX 8ce44cf35ef6 tcp: annotate data-races around tp->tcp_tx_delay c822536b3e41 netfilter: nf_tables: can't schedule in nft_chain_validate caa228792fb5 netfilter: nf_tables: fix spurious set element insertion failure b8944e53ee70 llc: Don't drop packet from non-root netns. b07e31824df6 fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe 6d39e9fc5934 Revert "tcp: avoid the lookup process failing to get sk in ehash table" 0c0bd9789a8d net:ipv6: check return value of pskb_trim() 17046107ca15 iavf: Fix use-after-free in free_netdev 765e1eaf42de net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field() 3b6f56021af6 pinctrl: amd: Use amd_pinconf_set() for all config options 951f4e9730f1 fbdev: imxfb: warn about invalid left/right margin 3e03319ab97d spi: bcm63xx: fix max prepend length c9f56f3c7bc9 igb: Fix igb_down hung on surprise removal 7d80e834625c wifi: iwlwifi: mvm: avoid baid size integer overflow 41d149376078 wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point() 970c7035f4b0 devlink: report devlink_port_type_warn source device e09a285ea1e8 bpf: Address KCSAN report on bpf_lru_list cec1857b1ea5 sched/fair: Don't balance task to its current running CPU 9d8d3df71516 arm64: mm: fix VA-range sanity check 8ad6679a5bb9 posix-timers: Ensure timer ID search-loop limit is valid d0345f7c7dbc md/raid10: prevent soft lockup while flush writes 09539f9e2076 md: fix data corruption for raid456 when reshape restart while grow up 4181c30a2c55 nbd: Add the maximum limit of allocated index in nbd_dev_add d4f1cd9b9d66 debugobjects: Recheck debug_objects_enabled before reporting 0afcebcec057 ext4: correct inline offset when handling xattrs in inode body 5d580017bdb9 drm/client: Fix memory leak in drm_client_modeset_probe 52daf6ba2e0d drm/client: Fix memory leak in drm_client_target_cloned 9533dbfac0ff can: bcm: Fix UAF in bcm_proc_show() 5dd838be69e4 selftests: tc: set timeout to 15 minutes 7f83199862c2 fuse: revalidate: don't invalidate if interrupted ae91ab710d8e btrfs: fix warning when putting transaction with qgroups enabled after abort e217a3d19e10 perf probe: Add test for regression introduced by switch to die_get_decl_file() 380c7ceabdde drm/atomic: Fix potential use-after-free in nonblocking commits b7084ebf4f54 scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue 3f22f9ddbb29 scsi: qla2xxx: Pointer may be dereferenced a1c5149a82de scsi: qla2xxx: Correct the index of array 1b7e5bdf2be2 scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() 4f90a8b04816 scsi: qla2xxx: Fix potential NULL pointer dereference d25fded78d88 scsi: qla2xxx: Wait for io return on terminate rport 056fd1820724 tracing/probes: Fix not to count error code to total length 93114cbc7cb1 tracing: Fix null pointer dereference in tracing_err_log_open() 597eb52583d4 xtensa: ISS: fix call to split_if_spec e84829522fc7 ring-buffer: Fix deadloop issue on reading trace_pipe 481535905608 tracing/histograms: Add histograms to hist_vars if they have referenced variables 46574e5a0a2a tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk 30962268fa1a tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error 0697a1a592c7 Revert "8250: add support for ASIX devices with a FIFO bug" 45e55e9cac13 meson saradc: fix clock divider mask length 2cdced57bc00 ceph: don't let check_caps skip sending responses for revoke msgs 1883a484c87e hwrng: imx-rngc - fix the timeout for init and self check e3373e6b6c79 firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool() 826c7bfe5c49 serial: atmel: don't enable IRQs prematurely 15d4bd0f0a6b drm/rockchip: vop: Leave vblank enabled in self-refresh 6bc6ec8b0a0b drm/atomic: Allow vblank-enabled + self-refresh "disable" f86942709b0e fs: dlm: return positive pid value for F_GETLK ecfd1f82c4f5 md/raid0: add discard support for the 'original' layout dac4afa3efae misc: pci_endpoint_test: Re-init completion for every test dd2210379205 misc: pci_endpoint_test: Free IRQs before removing the device 9cfa4ef25de5 PCI: rockchip: Set address alignment for endpoint mode 35aec6bc0c04 PCI: rockchip: Use u32 variable to access 32-bit registers 13b93891308c PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core c049b20655f6 PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked a1f311d430f2 PCI: rockchip: Write PCI Device ID to correct register 592795119f2b PCI: rockchip: Assert PCI Configuration Enable bit after probe 35c95eda7b6d PCI: qcom: Disable write access to read only registers for IP v2.3.3 b0aac7792525 PCI: Add function 1 DMA alias quirk for Marvell 88SE9235 f450388d8b6d PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold a4855aeb13e4 jfs: jfs_dmap: Validate db_l2nbperpage while mounting ee2fd448608e ext4: only update i_reserved_data_blocks on successful block allocation 02543d1ddd77 ext4: fix wrong unit use in ext4_mb_clear_bb 96a85becb811 erofs: fix compact 4B support for 16k block size 42725e5c1b18 SUNRPC: Fix UAF in svc_tcp_listen_data_ready() 29a560437f67 misc: fastrpc: Create fastrpc scalar with correct buffer count b157987242bd powerpc: Fail build if using recordmcount with binutils v2.37 2b59740ebc86 net: bcmgenet: Ensure MDIO unregistration has clocks enabled 1fe96568e78b mtd: rawnand: meson: fix unaligned DMA buffers handling 86b9820395f2 tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation 96a16069a81d pinctrl: amd: Only use special debounce behavior for GPIO 0 6dcb493fc478 pinctrl: amd: Detect internal GPIO0 debounce handling a1a443651569 pinctrl: amd: Fix mistake in handling clearing pins at startup cf57a0853ba5 net/sched: make psched_mtu() RTNL-less safe 96391959a99e net/sched: flower: Ensure both minimum and maximum ports are specified 166fa538e0dd cls_flower: Add extack support for src and dst port range options aadca5f08aef wifi: airo: avoid uninitialized warning in airo_get_rate() cc2c06ca7fbf erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF b55c38fe2441 platform/x86: wmi: Break possible infinite loop when parsing GUID cb8a256202b9 platform/x86: wmi: move variables 669c488cb25a platform/x86: wmi: use guid_t and guid_equal() fd8049d6553f platform/x86: wmi: remove unnecessary argument 4c8e26fc3302 platform/x86: wmi: Fix indentation in some cases 8717326e4362 platform/x86: wmi: Replace UUID redefinitions by their originals c7eeba470585 ipv6/addrconf: fix a potential refcount underflow for idev 7a06554214fe NTB: ntb_tool: Add check for devm_kcalloc 88e243618e4c NTB: ntb_transport: fix possible memory leak while device_register() fails b5b9e041eb04 ntb: intel: Fix error handling in intel_ntb_pci_driver_init() 0ae4fac8fe33 NTB: amd: Fix error handling in amd_ntb_pci_driver_init() bb17520c0383 ntb: idt: Fix error handling in idt_pci_driver_init() 4e64ef41c6cf udp6: fix udp6_ehashfn() typo 61b4c4659746 icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev(). 4c7276a6daf7 ionic: remove WARN_ON to prevent panic_on_warn 3e77647acdcf ionic: ionic_intr_free parameter change f0dc38bdef52 ionic: move irq request to qcq alloc 7cf21fba1bf8 ionic: clean irq affinity on queue deinit ef7fc26b6a19 ionic: improve irq numa locality 808211a8d427 net/sched: cls_fw: Fix improper refcount update leads to use-after-free d98ac5bce2d5 net: mvneta: fix txq_map in case of txq_number==1 58cd168825b4 scsi: qla2xxx: Fix error code in qla2x00_start_sp() b49b55a7d578 igc: set TP bit in 'supported' and 'advertising' fields of ethtool_link_ksettings a45afb07121c igc: Remove delay during TX ring configuration 59c190082a01 drm/panel: simple: Add connector_type for innolux_at043tn24 64b76abfe32d drm/panel: Add and fill drm_panel type field 362940f8e40f drm/panel: Initialise panel dev and funcs through drm_panel_init() 6d5172a3ab8f workqueue: clean up WORK_* constant types, clarify masking 003d33924911 net: lan743x: Don't sleep in atomic context 373b9475ea8c block/partition: fix signedness issue for Amiga partitions 22df19fee7b9 tty: serial: fsl_lpuart: add earlycon for imx8ulp platform b7d636c924eb netfilter: nf_tables: prevent OOB access in nft_byteorder_eval 61c7a5256543 netfilter: conntrack: Avoid nf_ct_helper_hash uses after free 565bdccdded3 netfilter: nf_tables: fix scheduling-while-atomic splat 7c4610ac3b41 netfilter: nf_tables: unbind non-anonymous set if rule construction fails 90d54ee329d2 netfilter: nf_tables: reject unbound anonymous set before commit phase 1df28fde1270 netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain 1adb5c272b20 netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE 077ef851f0a3 netfilter: nf_tables: add rescheduling points during loop detection walks 11352851944c netfilter: nf_tables: use net_generic infra for transaction data d59ed9dc0058 netfilter: add helper function to set up the nfnetlink header and use it fa498dead9ee netfilter: nftables: add helper function to set the base sequence number ef35dd70a340 netfilter: nf_tables: fix nat hook table deletion d1b7fe307c75 block: add overflow checks for Amiga partition support 2b71cbf7ab48 fanotify: disallow mount/sb marks on kernel internal pseudo fs 9a6ce27a5d61 fs: no need to check source c1c41cda0ab1 ARM: orion5x: fix d2net gpio initialization 679c34821ab7 btrfs: fix race when deleting quota root from the dirty cow roots list f0fbbd405a94 fs: Lock moved directories b97ac51f8492 fs: Establish locking order for unrelated directories d95dc41ad181 Revert "f2fs: fix potential corruption when moving a directory" a9a926423a63 ext4: Remove ext4 locking of moved directory eefebf8877d3 fs: avoid empty option when generating legacy mount string e9a3310bc2fc jffs2: reduce stack usage in jffs2_build_xattr_subsystem() a249a61ac528 integrity: Fix possible multiple allocation in integrity_inode_get() 0729029e6472 bcache: Remove unnecessary NULL point check in node allocations 4be68f1c7076 mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used. 2f6c76994646 mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M c491e27151c1 mmc: core: disable TRIM on Kingston EMMC04G-M627 ce7278dedab7 NFSD: add encoding of op_recall flag for write delegation 5016511287dc ALSA: jack: Fix mutex call in snd_jack_report() c64fda48a3ad i2c: xiic: Don't try to handle more interrupt events after error 696e470e910e i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in xiic_process() 498962715773 sh: dma: Fix DMA channel offset calculation 58b1b3c54e16 net: dsa: tag_sja1105: fix MAC DA patching from meta frames 67a67e258407 net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX ab0085bd7902 xsk: Honor SO_BINDTODEVICE on bind 9347e432297e xsk: Improve documentation for AF_XDP e63dc31b9452 tcp: annotate data races in __tcp_oow_rate_limited() e9c2687988b7 net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode fffa51e786ce powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y 45b34500f3ef f2fs: fix error path handling in truncate_dnode() 860d9b717f65 mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 398e6a015877 spi: bcm-qspi: return error if neither hif_mspi nor mspi is available 18d50fb44109 Add MODULE_FIRMWARE() for FIRMWARE_TG357766. 4d8fc6137749 sctp: fix potential deadlock on &net->sctp.addr_wq_lock 999ff7fe492b rtc: st-lpc: Release some resources in st_rtc_probe() in case of error d5c39cca4d03 pwm: sysfs: Do not apply state to already disabled PWMs 5375c024f8ae pwm: imx-tpm: force 'real_period' to be zero in suspend d252c74b8b7a mfd: stmpe: Only disable the regulators if they are enabled d9db18addf42 KVM: s390: vsie: fix the length of APCB bitmap baec796723b7 mfd: stmfx: Fix error path in stmfx_chip_init 5d26f134efa8 serial: 8250_omap: Use force_suspend and resume for system suspend 337073cacad4 mfd: intel-lpss: Add missing check for platform_get_resource 0a6afc83b028 usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove() becd09685d44 KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes 151b0dd6d1a0 mfd: rt5033: Drop rt5033-battery sub-device 8e8dae8eb230 usb: hide unused usbfs_notify_suspend/resume functions fe9cdc198619 usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe() 1531ba3fab51 extcon: Fix kernel doc of property capability fields to avoid warnings 257daec29dcd extcon: Fix kernel doc of property fields to avoid warnings 648a163cff21 usb: dwc3: qcom: Fix potential memory leak d485150c9a52 media: usb: siano: Fix warning due to null work_func_t function pointer 619e6f9a564a media: videodev2.h: Fix struct v4l2_input tuner index comment e9586c49bdd4 media: usb: Check az6007_read() return value fd869bdb5f12 sh: j2: Use ioremap() to translate device tree address into kernel memory 85f4c53849e4 w1: fix loop in w1_fini() dc88382c1d44 block: change all __u32 annotations to __be32 in affs_hardblocks.h fa8548d1a0a4 block: fix signed int overflow in Amiga partition support bec218258cbd usb: dwc3: gadget: Propagate core init errors to UDC during pullup f55127df9918 USB: serial: option: add LARA-R6 01B PIDs bac502cd472a hwrng: st - keep clock enabled while hwrng is registered 071560202a52 hwrng: st - Fix W=1 unused variable warning 18fa56ca4cb8 NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION c182d87c67e2 ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard 02dc8e8bdbe4 modpost: fix off by one in is_executable_section() 1030c0c30968 crypto: marvell/cesa - Fix type mismatch warning ad3c4ecff00b modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} 084bf580019c modpost: fix section mismatch message for R_ARM_ABS32 c893658d9ce6 crypto: nx - fix build warnings when DEBUG_FS is not enabled a43bcb0b661c hwrng: virtio - Fix race on data_avail and actual data b70315e44f03 hwrng: virtio - always add a pending request 102a354d52ca hwrng: virtio - don't waste entropy f2a7dfd35f0c hwrng: virtio - don't wait on cleanup 6fe732764a58 hwrng: virtio - add an internal buffer 2cbfb51d2c7e powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-boundary aa3932eb0739 pinctrl: at91-pio4: check return value of devm_kasprintf() e297350c33f6 perf dwarf-aux: Fix off-by-one in die_get_varname() 7f822c8036fe pinctrl: cherryview: Return correct value if pin in push-pull mode 1768e362f20f PCI: Add pci_clear_master() stub for non-CONFIG_PCI 5d3955bc32d4 PCI: ftpci100: Release the clock resources 331dce61c0d4 PCI: pciehp: Cancel bringup sequence if card is not present f58c8563686b scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe() 666e7f9d60ce PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free 961c8370c5f7 scsi: qedf: Fix NULL dereference in error handling 6f64558b43cf ASoC: imx-audmix: check return value of devm_kasprintf() 35455616110b clk: keystone: sci-clk: check return value of kasprintf() ffe6ad17cf14 clk: cdce925: check return value of kasprintf() 5f13d67027fa ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer 801c8341f7af clk: tegra: tegra124-emc: Fix potential memory leak 262db3ff58e2 drm/radeon: fix possible division-by-zero errors cacc0506e571 drm/amdkfd: Fix potential deallocation of previously deallocated memory. 9e3858f82e3c fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe() 5541d1856c87 arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1 40ac5cb6cbb0 IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors 68e0033dee72 soc/fsl/qe: fix usb.c build errors b756eb5eb9b0 ASoC: es8316: Do not set rate constraints for unsupported MCLKs d1c1ca27cac0 ASoC: es8316: Increment max value for ALC Capture Target Volume control b54bac970b54 memory: brcmstb_dpfe: fix testing array offset after use f54142ed16b5 ARM: ep93xx: fix missing-prototype warnings c2324c5aa247 drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H 4a23954279fc arm64: dts: qcom: msm8916: correct camss unit address 97dcb8dfefaa ARM: dts: gta04: Move model property out of pinctrl node 25bbd1c7bef8 RDMA/bnxt_re: Fix to remove an unnecessary log ed039ad88ab0 drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks` 87ccaf56097a Input: adxl34x - do not hardcode interrupt trigger type c7a8cc9140cf ARM: dts: BCM5301X: Drop "clock-names" from the SPI node c516c00847f5 Input: drv260x - sleep between polling GO bit 3e789aee218b radeon: avoid double free in ci_dpm_init() bc5b57a23087 netlink: Add __sock_i_ino() for __netlink_diag_dump(). 1c405b3d3769 ipvlan: Fix return value of ipvlan_queue_xmit() 1d2ab3d4383e netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value. 337fdce45063 netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one 32deadf89430 lib/ts_bm: reset initial match offset for every block of text dd6ff3f38627 net: nfc: Fix use-after-free caused by nfc_llcp_find_local edc5d8776a32 nfc: llcp: simplify llcp_sock_connect() error paths 9c9662e2512b gtp: Fix use-after-free in __gtp_encap_destroy(). 08d8ff1bc688 selftests: rtnetlink: remove netdevsim device after ipsec offload test bd1de6107f10 netlink: do not hard code device address lenth in fdb dumps 8f6652ed2ad9 netlink: fix potential deadlock in netlink_set_err() 88d89b4a3102 wifi: ath9k: convert msecs to jiffies where needed 76d5bda2c3af wifi: cfg80211: rewrite merging of inherited elements e4c33144fc75 wifi: iwlwifi: pull from TXQs with softirqs disabled 2ba902da9090 rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO 786e264b37d2 wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() 68305a19bada memstick r592: make memstick_debug_get_tpc_name() static 6f4454ccbea9 kexec: fix a memory leak in crash_shrink_memory() 4503261ab97b watchdog/perf: more properly prevent false positives with turbo modes d5fa3918dfce watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct config 7874fb3bef8b wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown 4dc3560561a0 wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes f432198058a6 wifi: ray_cs: Fix an error handling path in ray_probe() 8fe51dce8bdc wifi: ray_cs: Drop useless status variable in parse_addr() 0dec0ad304d4 wifi: ray_cs: Utilize strnlen() in parse_addr() ee73ad566a29 wifi: wl3501_cs: Fix an error handling path in wl3501_probe() b7df4e0cb4ed wl3501_cs: use eth_hw_addr_set() 24f34f67be24 net: create netdev->dev_addr assignment helpers dd5dca10d806 wl3501_cs: Fix misspelling and provide missing documentation 051d70773b9c wl3501_cs: Remove unnecessary NULL check 91c3c9eaf1ed wl3501_cs: Fix a bunch of formatting issues related to function docs add539f7d16b wifi: atmel: Fix an error handling path in atmel_probe() 5b06f702805d wifi: orinoco: Fix an error handling path in orinoco_cs_probe() ca4a2955d866 wifi: orinoco: Fix an error handling path in spectrum_cs_probe() 91c3325da240 regulator: core: Streamline debugfs operations 1bb38ef697e4 regulator: core: Fix more error checking for debugfs_create_dir() 6ca0c94f2b02 nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect() 66a1be74230b nfc: constify several pointers to u8, char and sk_buff fea2104e752a wifi: mwifiex: Fix the size of a memory allocation in mwifiex_ret_802_11_scan() bc5099512057 spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG f394d204d640 samples/bpf: Fix buffer overflow in tcp_basertt 90e3c1017757 wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx be3989d93be3 wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation 717e4277ddf7 ima: Fix build warnings 8430a8e8e854 pstore/ram: Add check for kstrdup 540cdd720772 evm: Complete description of evm_inode_setattr() 568b73406d93 ARM: 9303/1: kprobes: avoid missing-declaration warnings ba6da16eefb1 powercap: RAPL: Fix CONFIG_IOSF_MBI dependency c97460ce1f7c PM: domains: fix integer overflow issues in genpd_parse_state() 54cc10a0f4b0 clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe 38ca169d66c3 clocksource/drivers/cadence-ttc: Use ttc driver as platform driver 8af3b8d770da tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode(). 7b0c664541cd irqchip/jcore-aic: Fix missing allocation of IRQ descriptors d244927e350e irqchip/jcore-aic: Kill use of irq_create_strict_mappings() be481881753b md/raid10: fix io loss while replacement replace rdev 45fa023b3334 md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request 31c805a44b75 md/raid10: fix wrong setting of max_corr_read_errors 283f4a63fee3 md/raid10: fix overflow of md/safe_mode_delay b0b971fe7d61 md/raid10: check slab-out-of-bounds in md_bitmap_get_counter 484104918305 x86/resctrl: Only show tasks' pid in current pid namespace 7206eca1ac44 x86/resctrl: Use is_closid_match() in more places 6f2bb37da468 bgmac: fix *initial* chip reset to support BCM5358 794bfb6fd992 drm/amdgpu: Validate VM ioctl flags. 2a4cfd5b0354 scripts/tags.sh: Resolve gtags empty index generation fff826d665f9 drm/i915: Initialise outparam for error return from wait_for_register 99036f1aed7e HID: wacom: Use ktime_t rather than int when dealing with timestamps 815c95d82b79 fbdev: imsttfb: Fix use after free bug in imsttfb_probe a7c8d2f3753d video: imsttfb: check for ioremap() failures f042d80a631f x86/smp: Use dedicated cache-line for mwait_play_dead() 23f98fe887ce gfs2: Don't deref jdesc in evict Signed-off-by: Bruce Ashfield Signed-off-by: Steve Sakoman --- .../linux/linux-yocto-rt_5.4.bb | 6 ++--- .../linux/linux-yocto-tiny_5.4.bb | 8 +++---- meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +++++++++---------- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb index f31b920ca7..3a44375824 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "0057180769503ac049b495a794f864053965c7ea" -SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4" +SRCREV_machine ?= "6a552f5822442183d2487c91903f27085183ca0e" +SRCREV_meta ?= "25f38de25d47570a132a18a1dc147b10e05b378b" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.4.250" +LINUX_VERSION ?= "5.4.251" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb index 6f94fe3bd6..3136b0defc 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.4.250" +LINUX_VERSION ?= "5.4.251" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "f0ae300728e87e4b1e51305737b9f4dda383e7bf" -SRCREV_machine ?= "de7c8d928de44e1c130760bf11d741d25e1c0213" -SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4" +SRCREV_machine_qemuarm ?= "29ae0b5c67d29249bf00cb8eaaae5914d928bbd6" +SRCREV_machine ?= "16db12c2685020aa6347a18df5099f40a9176366" +SRCREV_meta ?= "25f38de25d47570a132a18a1dc147b10e05b378b" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb index 9589ca280a..848d9a339d 100644 --- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb @@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base" KBRANCH_qemux86-64 ?= "v5.4/standard/base" KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "fb7218e03f4d75e77f3bc50217855e043e32b06a" -SRCREV_machine_qemuarm64 ?= "9561485ac053a0ea76ee95fa8dead1da30a41a8a" -SRCREV_machine_qemumips ?= "7bd91d1af3b4a24e1f34e3a9583d02d7f08aaf53" -SRCREV_machine_qemuppc ?= "f4145ff9d93b0e0b0393d16c1889bcf3c6e13e15" -SRCREV_machine_qemuriscv64 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1" -SRCREV_machine_qemux86 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1" -SRCREV_machine_qemux86-64 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1" -SRCREV_machine_qemumips64 ?= "72944e165489f0dc5121461bfc74fb2bfaa3d7d7" -SRCREV_machine ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1" -SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4" +SRCREV_machine_qemuarm ?= "9a096c043b453855252aece3716d50fdf4111a77" +SRCREV_machine_qemuarm64 ?= "25499e5c52ebb2111a3dd7dd863937f56cf2a39d" +SRCREV_machine_qemumips ?= "12e990899599d1aac8dd8007a8864db68135d6f0" +SRCREV_machine_qemuppc ?= "19d91ad471bb87a464520283e58d5ff83c7151fa" +SRCREV_machine_qemuriscv64 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5" +SRCREV_machine_qemux86 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5" +SRCREV_machine_qemux86-64 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5" +SRCREV_machine_qemumips64 ?= "854f6bee15babf95445644cba59691cd45173180" +SRCREV_machine ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5" +SRCREV_meta ?= "25f38de25d47570a132a18a1dc147b10e05b378b" # remap qemuarm to qemuarma15 for the 5.4 kernel # KMACHINE_qemuarm ?= "qemuarma15" @@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" -LINUX_VERSION ?= "5.4.250" +LINUX_VERSION ?= "5.4.251" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" From patchwork Sun Aug 13 21:18:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28762 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B165C001E0 for ; Sun, 13 Aug 2023 21:19:29 +0000 (UTC) Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) by mx.groups.io with SMTP id smtpd.web11.93791.1691961566855592885 for ; Sun, 13 Aug 2023 14:19:26 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=r9FIVzwj; spf=softfail (domain: sakoman.com, ip: 209.85.215.174, mailfrom: steve@sakoman.com) Received: by mail-pg1-f174.google.com with SMTP id 41be03b00d2f7-5656a5c6721so1551105a12.1 for ; Sun, 13 Aug 2023 14:19:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961566; x=1692566366; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=l9OksR38qOYEglwaJOnknNYpLi6tmXK9QmGbfWz2jaU=; b=r9FIVzwjZmcgzdtdBeJzNioVHXD9eBnNyl+ziGYDEzOqQR8itd43faxeZCXTSUx9DV BIwPpPlCLysPZumabgQQ7Qmh7fL7rKXSgUdIe0zEaXX4NLoH+/ysR0A0kezBt3hzr05o Dz0aE5x+q5Bb5MBuUaKL7Z8E9uEuLq0u4lPuDNx3AoFrStPjaYJCnkYHueftYvm05mUW G9B0rK3Mi2SzeT6aVaeI82angSbwbPi9vl8EsOPkBXj2Ka770ZbefOpKPxOjxF8kfs5/ MU7mLcYDmIwZ9a0rhdvDuxuq9Ls2/5WgDB9dB/rAyygx1Q8iJqh/+L4E+xmfyK3n2opM IPjw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961566; x=1692566366; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=l9OksR38qOYEglwaJOnknNYpLi6tmXK9QmGbfWz2jaU=; b=SBC6B8c04KY3yH+tv3J75jsEjJCcA9Lrc+19Ji0uJf4VnjNP0nu7F1pUe0akGl15ga j+joImsNbZKTRiM/ALOF1MnuOo8mqJGktSSkRqasc9UA2FicUgTLIbM2SHYbMQikGpnL f+Lbt3mqehkFWrtpsDmr9cRtG+AXcc5YV8GxtNWGWSoRP35oZfqS6Hvyg//nvzZfw7Da gphIcHhntq4/abv+4ZXkEOMiZiWLLD1ExsLBWRodKp0XAUMkc9lXugqsiRPqUlp4J8az Tot1gt68pY6hI7iAbpFeSgy5an2emyEn5sXZ5mXylg5zI315zU3ui/thmxcPwGjWlhg0 tUYA== X-Gm-Message-State: AOJu0YzlMOSwexrFesOaUPoE4t/eexIDcIFi8S1AIuC9pL8nHV4gqS7m xwBHLGbEEVO9JF7u4zUCnsXuGBP8VsHFQbws5wKztQ== X-Google-Smtp-Source: AGHT+IEPo3gJ2+alRR2SO/+Tilu8tg/Eu+0AWIzFxl/1aK2zGGwRUgsF1jkhVUO4254N4+nfmKqhNA== X-Received: by 2002:a17:90a:ea82:b0:268:f38:b2a1 with SMTP id h2-20020a17090aea8200b002680f38b2a1mr4636104pjz.41.1691961565471; Sun, 13 Aug 2023 14:19:25 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:25 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 19/22] openssl: Upgrade 1.1.1t -> 1.1.1v Date: Sun, 13 Aug 2023 11:18:25 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185910 From: Peter Marko https://www.openssl.org/news/openssl-1.1.1-notes.html Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] * Fix excessive time spent checking DH q parameter value (CVE-2023-3817) * Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023] * Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) * Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) * Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465) * Limited the number of nodes created in a policy tree ([CVE-2023-0464]) All CVEs for upgrade to 1.1.1u were already patched, so effectively this will apply patches for CVE-2023-3446 and CVE-2023-3817 plus several non-CVE fixes. Because of mips build changes were backported to openssl 1.1.1 branch, backport of a patch from kirkstone is necessary. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- ...1-Configure-do-not-tweak-mips-cflags.patch | 37 +++ .../openssl/openssl/CVE-2023-0464.patch | 226 ------------------ .../openssl/openssl/CVE-2023-0465.patch | 60 ----- .../openssl/openssl/CVE-2023-0466.patch | 82 ------- .../openssl/openssl/CVE-2023-2650.patch | 122 ---------- .../{openssl_1.1.1t.bb => openssl_1.1.1v.bb} | 7 +- 6 files changed, 39 insertions(+), 495 deletions(-) create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch rename meta/recipes-connectivity/openssl/{openssl_1.1.1t.bb => openssl_1.1.1v.bb} (96%) diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch new file mode 100644 index 0000000000..b3f6a942d5 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -0,0 +1,37 @@ +From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin +Date: Tue, 14 Sep 2021 12:18:25 +0200 +Subject: [PATCH] Configure: do not tweak mips cflags + +This conflicts with mips machine definitons from yocto, +e.g. +| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2 + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin +Signed-off-by: Peter Marko +--- + Configure | 10 ---------- + 1 file changed, 10 deletions(-) + +Index: openssl-3.0.4/Configure +=================================================================== +--- openssl-3.0.4.orig/Configure ++++ openssl-3.0.4/Configure +@@ -1243,16 +1243,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) + push @{$config{shared_ldflag}}, "-mno-cygwin"; + } + +-if ($target =~ /linux.*-mips/ && !$disabled{asm} +- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { +- # minimally required architecture flags for assembly modules +- my $value; +- $value = '-mips2' if ($target =~ /mips32/); +- $value = '-mips3' if ($target =~ /mips64/); +- unshift @{$config{cflags}}, $value; +- unshift @{$config{cxxflags}}, $value if $config{CXX}; +-} +- + # If threads aren't disabled, check how possible they are + unless ($disabled{threads}) { + if ($auto_threads) { diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch deleted file mode 100644 index cce5bad9f0..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch +++ /dev/null @@ -1,226 +0,0 @@ -From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001 -From: Pauli -Date: Wed, 8 Mar 2023 15:28:20 +1100 -Subject: [PATCH] x509: excessive resource use verifying policy constraints - -A security vulnerability has been identified in all supported versions -of OpenSSL related to the verification of X.509 certificate chains -that include policy constraints. Attackers may be able to exploit this -vulnerability by creating a malicious certificate chain that triggers -exponential use of computational resources, leading to a denial-of-service -(DoS) attack on affected systems. - -Fixes CVE-2023-0464 - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -(Merged from https://github.com/openssl/openssl/pull/20569) - -CVE: CVE-2023-0464 -Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b] -Signed-off-by: Nikhil R - ---- - crypto/x509v3/pcy_local.h | 8 +++++++- - crypto/x509v3/pcy_node.c | 12 +++++++++--- - crypto/x509v3/pcy_tree.c | 37 +++++++++++++++++++++++++++---------- - 3 files changed, 43 insertions(+), 14 deletions(-) - -diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h -index 5daf78de45..344aa06765 100644 ---- a/crypto/x509v3/pcy_local.h -+++ b/crypto/x509v3/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+ /* The number of nodes in the tree */ -+ size_t node_count; -+ /* The maximum number of nodes in the tree */ -+ size_t node_maximum; -+ - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; -@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree); -+ X509_POLICY_TREE *tree, -+ int extra_data); - void policy_node_free(X509_POLICY_NODE *node); - int policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); -diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c -index e2d7b15322..d574fb9d66 100644 ---- a/crypto/x509v3/pcy_node.c -+++ b/crypto/x509v3/pcy_node.c -@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, - X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree) -+ X509_POLICY_TREE *tree, -+ int extra_data) - { - X509_POLICY_NODE *node; - -+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ -+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) -+ return NULL; -+ - node = OPENSSL_zalloc(sizeof(*node)); - if (node == NULL) { - X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); -@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - node->data = data; - node->parent = parent; -- if (level) { -+ if (level != NULL) { - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { - if (level->anyPolicy) - goto node_error; -@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - } - -- if (tree) { -+ if (extra_data) { - if (tree->extra_data == NULL) - tree->extra_data = sk_X509_POLICY_DATA_new_null(); - if (tree->extra_data == NULL){ -@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - } - -+ tree->node_count++; - if (parent) - parent->nchild++; - -diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c -index 6e8322cbc5..6c7fd35405 100644 ---- a/crypto/x509v3/pcy_tree.c -+++ b/crypto/x509v3/pcy_tree.c -@@ -13,6 +13,18 @@ - - #include "pcy_local.h" - -+/* -+ * If the maximum number of nodes in the policy tree isn't defined, set it to -+ * a generous default of 1000 nodes. -+ * -+ * Defining this to be zero means unlimited policy tree growth which opens the -+ * door on CVE-2023-0464. -+ */ -+ -+#ifndef OPENSSL_POLICY_TREE_NODES_MAX -+# define OPENSSL_POLICY_TREE_NODES_MAX 1000 -+#endif -+ - /* - * Enable this to print out the complete policy tree at various point during - * evaluation. -@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - return X509_PCY_TREE_INTERNAL; - } - -+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ -+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; -+ - /* - * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. - * -@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - level = tree->levels; - if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL) - goto bad_tree; -- if (level_add_node(level, data, NULL, tree) == NULL) { -+ if (level_add_node(level, data, NULL, tree, 1) == NULL) { - policy_data_free(data); - goto bad_tree; - } -@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - * Return value: 1 on success, 0 otherwise - */ - static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, -- X509_POLICY_DATA *data) -+ X509_POLICY_DATA *data, -+ X509_POLICY_TREE *tree) - { - X509_POLICY_LEVEL *last = curr - 1; - int i, matched = 0; -@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); - - if (policy_node_match(last, node, data->valid_policy)) { -- if (level_add_node(curr, data, node, NULL) == NULL) -+ if (level_add_node(curr, data, node, tree, 0) == NULL) - return 0; - matched = 1; - } - } - if (!matched && last->anyPolicy) { -- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL) -+ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) - return 0; - } - return 1; -@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - * Return value: 1 on success, 0 otherwise. - */ - static int tree_link_nodes(X509_POLICY_LEVEL *curr, -- const X509_POLICY_CACHE *cache) -+ const X509_POLICY_CACHE *cache, -+ X509_POLICY_TREE *tree) - { - int i; - -@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); - - /* Look for matching nodes in previous level */ -- if (!tree_link_matching_nodes(curr, data)) -+ if (!tree_link_matching_nodes(curr, data, tree)) - return 0; - } - return 1; -@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; -- if (level_add_node(curr, data, node, tree) == NULL) { -+ if (level_add_node(curr, data, node, tree, 1) == NULL) { - policy_data_free(data); - return 0; - } -@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, - } - /* Finally add link to anyPolicy */ - if (last->anyPolicy && -- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL) -+ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL) - return 0; - return 1; - } -@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, - extra->qualifier_set = anyPolicy->data->qualifier_set; - extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS - | POLICY_DATA_FLAG_EXTRA_NODE; -- node = level_add_node(NULL, extra, anyPolicy->parent, tree); -+ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1); - } - if (!tree->user_policies) { - tree->user_policies = sk_X509_POLICY_NODE_new_null(); -@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) - - for (i = 1; i < tree->nlevel; i++, curr++) { - cache = policy_cache_set(curr->cert); -- if (!tree_link_nodes(curr, cache)) -+ if (!tree_link_nodes(curr, cache, tree)) - return X509_PCY_TREE_INTERNAL; - - if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) --- -2.34.1 diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch deleted file mode 100644 index be5068074e..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch +++ /dev/null @@ -1,60 +0,0 @@ -From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 7 Mar 2023 16:52:55 +0000 -Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf - certs - -Even though we check the leaf cert to confirm it is valid, we -later ignored the invalid flag and did not notice that the leaf -cert was bad. - -Fixes: CVE-2023-0465 - -Reviewed-by: Hugo Landau -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/20588) - -CVE: CVE-2023-0465 -Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95] -Comment: Refreshed first hunk -Signed-off-by: Omkar Patil - ---- - crypto/x509/x509_vfy.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 925fbb5412..1dfe4f9f31 100644 ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -1649,18 +1649,25 @@ - } - /* Invalid or inconsistent extensions */ - if (ret == X509_PCY_TREE_INVALID) { -- int i; -+ int i, cbcalled = 0; - - /* Locate certificates with bad extensions and notify callback. */ -- for (i = 1; i < sk_X509_num(ctx->chain); i++) { -+ for (i = 0; i < sk_X509_num(ctx->chain); i++) { - X509 *x = sk_X509_value(ctx->chain, i); - - if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) - continue; -+ cbcalled = 1; - if (!verify_cb_cert(ctx, x, i, - X509_V_ERR_INVALID_POLICY_EXTENSION)) - return 0; - } -+ if (!cbcalled) { -+ /* Should not be able to get here */ -+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ /* The callback ignored the error so we return success */ - return 1; - } - if (ret == X509_PCY_TREE_FAILURE) { --- -2.34.1 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch deleted file mode 100644 index f042aa5da1..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 21 Mar 2023 16:15:47 +0100 -Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy() - -The function was incorrectly documented as enabling policy checking. - -Fixes: CVE-2023-0466 - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/20564) - -CVE: CVE-2023-0466 -Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a] -Comment: Refreshed first hunk from CHANGE and NEWS -Signed-off-by: Omkar Patil - ---- - CHANGES | 5 +++++ - NEWS | 1 + - doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++-- - 3 files changed, 13 insertions(+), 2 deletions(-) - -diff --git a/CHANGES b/CHANGES -index efccf7838e..b19f1429bb 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -9,6 +9,11 @@ - - Changes between 1.1.1s and 1.1.1t [7 Feb 2023] - -+ *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention -+ that it does not enable policy checking. Thanks to -+ David Benjamin for discovering this issue. (CVE-2023-0466) -+ [Tomas Mraz] -+ - *) Fixed X.400 address type confusion in X.509 GeneralName. - - There is a type confusion vulnerability relating to X.400 address processing -diff --git a/NEWS b/NEWS -index 36a9bb6890..62615693fa 100644 ---- a/NEWS -+++ b/NEWS -@@ -7,6 +7,7 @@ - - Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023] - -+ o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) - o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) - o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215) - o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450) -diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod -index f6f304bf7b..aa292f9336 100644 ---- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod -+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod -@@ -92,8 +92,9 @@ B. - X509_VERIFY_PARAM_set_time() sets the verification time in B to - B. Normally the current time is used. - --X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled --by default) and adds B to the acceptable policy set. -+X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. -+Contrary to preexisting documentation of this function it does not enable -+policy checking. - - X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled - by default) and sets the acceptable policy set to B. Any existing -@@ -377,6 +378,10 @@ and has no effect. - - The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. - -+The function X509_VERIFY_PARAM_add0_policy() was historically documented as -+enabling policy checking however the implementation has never done this. -+The documentation was changed to align with the implementation. -+ - =head1 COPYRIGHT - - Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. --- -2.34.1 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch deleted file mode 100644 index ef344dda7f..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 9e209944b35cf82368071f160a744b6178f9b098 Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Fri, 12 May 2023 10:00:13 +0200 -Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will - translate - -OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical -numeric text form. For gigantic sub-identifiers, this would take a very -long time, the time complexity being O(n^2) where n is the size of that -sub-identifier. - -To mitigate this, a restriction on the size that OBJ_obj2txt() will -translate to canonical numeric text form is added, based on RFC 2578 -(STD 58), which says this: - -> 3.5. OBJECT IDENTIFIER values -> -> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers. -> For the SMIv2, each number in the list is referred to as a sub-identifier, -> there are at most 128 sub-identifiers in a value, and each sub-identifier -> has a maximum value of 2^32-1 (4294967295 decimal). - -Fixes otc/security#96 -Fixes CVE-2023-2650 - -Reviewed-by: Matt Caswell -Reviewed-by: Tomas Mraz - -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098] -CVE: CVE-2023-2650 -Signed-off-by: Hitendra Prajapati ---- - CHANGES | 28 +++++++++++++++++++++++++++- - NEWS | 2 ++ - crypto/objects/obj_dat.c | 19 +++++++++++++++++++ - 3 files changed, 48 insertions(+), 1 deletion(-) - -diff --git a/CHANGES b/CHANGES -index 1eaaf4e..f2cf38f 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -7,7 +7,33 @@ - https://github.com/openssl/openssl/commits/ and pick the appropriate - release branch. - -- Changes between 1.1.1s and 1.1.1t [7 Feb 2023] -+ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx] -+ -+ *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic -+ OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. -+ -+ OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical -+ numeric text form. For gigantic sub-identifiers, this would take a very -+ long time, the time complexity being O(n^2) where n is the size of that -+ sub-identifier. (CVE-2023-2650) -+ -+ To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT -+ IDENTIFIER to canonical numeric text form if the size of that OBJECT -+ IDENTIFIER is 586 bytes or less, and fail otherwise. -+ -+ The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT -+ IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at -+ most 128 sub-identifiers, and that the maximum value that each sub- -+ identifier may have is 2^32-1 (4294967295 decimal). -+ -+ For each byte of every sub-identifier, only the 7 lower bits are part of -+ the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with -+ these restrictions may occupy is 32 * 128 / 7, which is approximately 586 -+ bytes. -+ -+ Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 -+ -+Changes between 1.1.1s and 1.1.1t [7 Feb 2023] - - *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention - that it does not enable policy checking. Thanks to -diff --git a/NEWS b/NEWS -index a86220a..41922c4 100644 ---- a/NEWS -+++ b/NEWS -@@ -7,6 +7,8 @@ - - Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023] - -+ o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic -+ OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) - o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) - o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) - o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215) -diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c -index 7e8de72..d699915 100644 ---- a/crypto/objects/obj_dat.c -+++ b/crypto/objects/obj_dat.c -@@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) - first = 1; - bl = NULL; - -+ /* -+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: -+ * -+ * > 3.5. OBJECT IDENTIFIER values -+ * > -+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative -+ * > numbers. For the SMIv2, each number in the list is referred to as a -+ * > sub-identifier, there are at most 128 sub-identifiers in a value, -+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 -+ * > decimal). -+ * -+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7), -+ * i.e. 586 bytes long. -+ * -+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 -+ */ -+ if (len > 586) -+ goto err; -+ - while (len > 0) { - l = 0; - use_bn = 0; --- -2.25.1 - diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1v.bb similarity index 96% rename from meta/recipes-connectivity/openssl/openssl_1.1.1t.bb rename to meta/recipes-connectivity/openssl/openssl_1.1.1v.bb index eea8ef64af..d1222dc470 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1v.bb @@ -19,17 +19,14 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://reproducible.patch \ file://reproducibility.patch \ file://0001-Configure-add-2-missing-key-sorts.patch \ - file://CVE-2023-0464.patch \ - file://CVE-2023-0465.patch \ - file://CVE-2023-0466.patch \ - file://CVE-2023-2650.patch \ + file://0001-Configure-do-not-tweak-mips-cflags.patch \ " SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b" +SRC_URI[sha256sum] = "d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" From patchwork Sun Aug 13 21:18:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28758 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 03907EB64DD for ; Sun, 13 Aug 2023 21:19:29 +0000 (UTC) Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) by mx.groups.io with SMTP id smtpd.web10.94028.1691961568497354800 for ; Sun, 13 Aug 2023 14:19:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=DrqcGUAT; spf=softfail (domain: sakoman.com, ip: 209.85.210.181, mailfrom: steve@sakoman.com) Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-686d8c8fc65so2514293b3a.0 for ; Sun, 13 Aug 2023 14:19:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961567; x=1692566367; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=H6SH0H01iEuGJNeLm+GcBokOeiK5ryM18KkUk+9hirE=; b=DrqcGUATp3eYlxCsFJcus83E7n/GJbWa3qRPQC7w0Pb2PkRLw5CnvSB5gYrcP5LbPh Z3vS9RESM6NT1yH6kaxO9AXDG9o+9XX2ZJoijlW+2To7OavxD5A3LSbVBWrLq8qK639e DNAQAy8Q2qiGLhRriQzRd3s7vYvtCqj2kef7wY/K09UNBgYg91FQtX+mgqQ1uLfFv9Wk fgdixsAF+bUKw4cHva8RHQYWrHW5eKRI2O+t9b2sJDT1syAb2cPqCSozuyNbapDdwgYD xlL0/XO//pmmYhR55u7OaKO77uFDGFKKUuJ1Wuc56dvrs2/AwNxPVDzv62d2Cb1bg7Nm 1nnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961567; x=1692566367; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=H6SH0H01iEuGJNeLm+GcBokOeiK5ryM18KkUk+9hirE=; b=TxIT8KoDao/xWcPoUPwQfMHnMfT2nN+TfvlQS4EqLW4vL5FAQU9Ul6IkuOZ6UF16hi O8CfLHG3O/PRhCmqk1ceQcgQQGupWwfJgVU1upZg6Ocl9D9NeLAUsuDfxSwpJug05bvn KS0UpNq1fOvQjjDNiyoYGgapZU8CmnvKoi9FkbZvRVeKqud9879/c83AVFhlJfFrB7Td hcOG+Rz764AYI6vlU1CT9Qnql6gnnpyqjEwoHqYupUcTVY5kHiqzikEgDGgiSW8pEsb4 IEia0XKO01bFqWmbxS2vJOZdEMNd3tdty2eTM3+V3tFICKsq0q0t47RSCGtf+r49Y5PV 26GA== X-Gm-Message-State: AOJu0YxUyn8LNB1b+R0WE6l7UnG84f7HB7+P/uCzHUm6U4pjSjlgL7Mi XsHjB2qgdpVaIgYXtlgrB9WlhPB+0hDBauF/6ZWnVw== X-Google-Smtp-Source: AGHT+IEAH8O+SdUhWlAZb+CSYciSAM3UOp63TO31mgGL30OG50Z4h0Yho5FJPhH7DP/3dFhPf+UNsA== X-Received: by 2002:a17:90a:cf96:b0:268:1b7f:257c with SMTP id i22-20020a17090acf9600b002681b7f257cmr5251094pju.6.1691961567573; Sun, 13 Aug 2023 14:19:27 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:27 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 20/22] linux-firmware: Fix mediatek mt7601u firmware path Date: Sun, 13 Aug 2023 11:18:26 -1000 Message-Id: <2d56adfd53b0ea3b938c60bf57fd40f3d48b5c68.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185911 From: Marek Vasut The following linux-firmware commit moved the mt7601u firmware blob into a mediatek/ subdirectory, update the path accordingly. 8451c2b1 ("mt76xx: Move the old Mediatek WiFi firmware to mediatek") (From OE-Core rev: 6fa5c4967a7e70192e9233c92534f27ec3e394c8) Fixes: 64603f602d ("linux-firmware: upgrade 20230404 -> 20230515") Signed-off-by: Marek Vasut Signed-off-by: Steve Sakoman --- meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb index a367a9fd01..206de1bcd1 100644 --- a/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb +++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb @@ -411,7 +411,7 @@ LICENSE_${PN}-mt7601u-license = "Firmware-ralink_a_mediatek_company_firmware" FILES_${PN}-mt7601u-license = "${nonarch_base_libdir}/firmware/LICENCE.ralink_a_mediatek_company_firmware" FILES_${PN}-mt7601u = " \ - ${nonarch_base_libdir}/firmware/mt7601u.bin \ + ${nonarch_base_libdir}/firmware/mediatek/mt7601u.bin \ " RDEPENDS_${PN}-mt7601u += "${PN}-mt7601u-license" From patchwork Sun Aug 13 21:18:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28764 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F3DB2EB64DD for ; Sun, 13 Aug 2023 21:19:38 +0000 (UTC) Received: from mail-oo1-f52.google.com (mail-oo1-f52.google.com [209.85.161.52]) by mx.groups.io with SMTP id smtpd.web10.94030.1691961570365240132 for ; Sun, 13 Aug 2023 14:19:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=xTqYB0S4; spf=softfail (domain: sakoman.com, ip: 209.85.161.52, mailfrom: steve@sakoman.com) Received: by mail-oo1-f52.google.com with SMTP id 006d021491bc7-56ca9a337caso2396544eaf.1 for ; Sun, 13 Aug 2023 14:19:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961569; x=1692566369; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Xm82rfetiK3CeESt2UM0aIrjwOvhInQifKNcULQ3RS0=; b=xTqYB0S4F96PGmdjCUX+Zvqpj/NPTqXKZxEmtPluPAOcuCATLJLgrQzzb5rMNvvOBS GsIlkY0e5mhN+hmytX/CS9p1VW6ZSnOynnNCVOFSlgZ9zh7Bty2Sp7aR1H0ow3+Tj7KF KIaq5bIgSkmb2QPkVqKsxlescmCHagMXv8u7LKk2EgjZIqQ0xtk0fF4qULp0tiEdej9Z ADSimcKfftJf771vXx06TUg964QPi5mylNVfNl1urhZhr0M0iD+3yqpmdtpYMaxe6JmJ Pkx/XD6NzWtR0N8fJ54s9c3dA+HMs8lKk6oIMCB/IBlpzGDnDXuFmEp7u71vqcNCfSYM siNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961569; x=1692566369; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Xm82rfetiK3CeESt2UM0aIrjwOvhInQifKNcULQ3RS0=; b=Ta5Hgoi+Tw5xOpks8tBv2HpwgetRfJ1XvZRKzajmFx9mH/hnkSEDAruwddMaWUw2tv tdHJ8rPt+Zlbv9YlC3QaXlvzRoQBzRpXKrAA7FeWjeCriBldRlcVgeWjT8vtsgkSvnmv 8JKhGgOSdlmCsQAp6QtLbkh2I9/5q3PZecnRShaBJ6j7rZwXudoGQaiMg5MCHhNOhive BiG7deXmjmTSEBuFrfPCWiIF8grn+2akxVLzEfDBdHr4bHyf3oxWoqn+qMiRD06im+a+ RoC0zBh34HVk7zuG92+dQMZjGgJfzK4vrUayPloDosee7djEWDoVHXZgKYtApUEUUaC1 +fVg== X-Gm-Message-State: AOJu0YworZrXOAVv+tD2rj5ePa9U/8StVkZgdDxHdA0GyeQFxUwaKqN5 KN6IRG9shy/SCZXHlxH+6A85RiOZ3QJ1eshN4rlL1A== X-Google-Smtp-Source: AGHT+IE6AgSan62Iy0GD0pTmb5Nxcu3so5bsrI/3Q+Y3pW8jgINr41D1bizP0dYtOk7CVc1XuPynxA== X-Received: by 2002:a05:6870:4593:b0:1b0:2ded:bd7 with SMTP id y19-20020a056870459300b001b02ded0bd7mr7424618oao.26.1691961569383; Sun, 13 Aug 2023 14:19:29 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:28 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 21/22] systemd-systemctl: fix errors in instance name expansion Date: Sun, 13 Aug 2023 11:18:27 -1000 Message-Id: <682e094e6af67e67873f7f08dd8d52b40fcdbded.1691961051.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185912 From: Yuta Hayama If the instance name indicated by %i begins with a number, the meaning of the replacement string "\\1{}".format(instance) is ambiguous. To indicate group number 1 regardless of the instance name, use "\g<1>". (From OE-Core rev: d18b939fb08b37380ce95934da38e6522392621c) Signed-off-by: Yuta Hayama Signed-off-by: Richard Purdie Signed-off-by: Steve Sakoman --- meta/recipes-core/systemd/systemd-systemctl/systemctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/systemd/systemd-systemctl/systemctl b/meta/recipes-core/systemd/systemd-systemctl/systemctl index b890bdd6f0..e003c860e3 100755 --- a/meta/recipes-core/systemd/systemd-systemctl/systemctl +++ b/meta/recipes-core/systemd/systemd-systemctl/systemctl @@ -189,7 +189,7 @@ class SystemdUnit(): try: for dependent in config.get('Install', prop): # expand any %i to instance (ignoring escape sequence %%) - dependent = re.sub("([^%](%%)*)%i", "\\1{}".format(instance), dependent) + dependent = re.sub("([^%](%%)*)%i", "\\g<1>{}".format(instance), dependent) wants = systemdir / "{}.{}".format(dependent, dirstem) / service add_link(wants, target) From patchwork Sun Aug 13 21:18:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 28763 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 053DAC41513 for ; Sun, 13 Aug 2023 21:19:39 +0000 (UTC) Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) by mx.groups.io with SMTP id smtpd.web10.94032.1691961573003920662 for ; Sun, 13 Aug 2023 14:19:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=jfFbBFRu; spf=softfail (domain: sakoman.com, ip: 209.85.216.52, mailfrom: steve@sakoman.com) Received: by mail-pj1-f52.google.com with SMTP id 98e67ed59e1d1-26b2beae166so1048920a91.0 for ; Sun, 13 Aug 2023 14:19:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1691961572; x=1692566372; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=4rYc7kv+dgfhVqEz0nerYFTgWRXqoVC91sGIfVqWqb4=; b=jfFbBFRunH0bsZum+W+wDbJx5dCyMb3ilrkGldV4sY0DDKnHp9Rojzb+/9ijVfNXRt PFkPyVWKPS7QbHTuRxFSmwMio3EqPoDfNO3Wh7vn5OkvK7rSpLLHX6RyeS1sLKH5CE1f v+SZms7rn4hX4kNB+EaEc00IPX9TNJHobh9a5HwTFyQvTt9kLAc1vnxMoKDxQXSf8QkN vlqpZ0TkTfcMxh71rGsTt32/o/On3dVT/iRMKPxqB3Fu/ZYQWisRCSNp6QOiQb3h9i+U uJ81f4Xp7Qfi/Y3bOdBu2P5+1OikeWrKstA1g3OE6k+ls4LYVEcGKKMWXHfTb3L0eQOV YHnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691961572; x=1692566372; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=4rYc7kv+dgfhVqEz0nerYFTgWRXqoVC91sGIfVqWqb4=; b=gpEMD+3E05kA/eWulKHSw247dGnpP5YsgGOGRxu6/s7dkmqQkfcZ6jvnxznpiyaUGj 6GD29KNZb3LcorpEVajxbBqa2YmrKQhcZvOGZZWGPUnfpZqVbGRD8ZzvzF/QJOy24QSu KdpitnuX9/cGujdMPokiLyRWOMU7sj6gMavB4hib8Gv40CLoCtXvAVIEbhOlhRM+IV2U u733FJokfEZZcpGeeIFD+dEP4TAjV9/dddNuCDAlvbDeymwQBFh5vRy9LjIFqSe6PlmI NE/o2o1Uuqrv1l+vedjGVD4s6YPxhsMYrZxsHtSXrf6yR10t0RGHZOfexPiuMJZ3bt+X J0Ag== X-Gm-Message-State: AOJu0Yw+MKCA5nXOqJufrI3PK6eIj4jv6p1PRdtROyWfJys0Gp8o4ccN XfzpTupouGERTnw45d7YSbNgvPvjWILnwVoeIQnH6w== X-Google-Smtp-Source: AGHT+IEHPxa2biKFl3vrgFTAOezjLbFCyFn/KXSlmqmuf0zAcwXRUwikQdkNKvUOafC8UMUIl9sc9Q== X-Received: by 2002:a17:90b:8d1:b0:26b:4f2f:6da7 with SMTP id ds17-20020a17090b08d100b0026b4f2f6da7mr1895474pjb.1.1691961572074; Sun, 13 Aug 2023 14:19:32 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id qa2-20020a17090b4fc200b00263dfe9b972sm8690578pjb.0.2023.08.13.14.19.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Aug 2023 14:19:31 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 22/22] kernel: skip installing fitImage when using Initramfs bundles Date: Sun, 13 Aug 2023 11:18:28 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 13 Aug 2023 21:19:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/185913 From: Abdellatif El Khlifi When including an initramfs bundle inside a FIT image, the fitImage is created after the install task by do_assemble_fitimage_initramfs. This happens after the generation of the initramfs bundle (done by do_bundle_initramfs). So, at the level of the install task we should not try to install the fitImage. The fitImage is still not generated yet. After the generation of the fitImage, the deploy task copies the fitImage from the build directory to the deploy folder. Change-Id: I3eaa6bba1412f388f710fa0f389f66631c1c4826 Signed-off-by: Abdellatif El Khlifi Signed-off-by: Richard Purdie (cherry picked from commit 1b67fd9ac74935fa41e960478c54e45422339138) Signed-off-by: Frederic Martinsons Signed-off-by: Steve Sakoman --- meta/classes/kernel.bbclass | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass index c6310d8de7..5d8b3b062a 100644 --- a/meta/classes/kernel.bbclass +++ b/meta/classes/kernel.bbclass @@ -417,12 +417,26 @@ kernel_do_install() { # install -d ${D}/${KERNEL_IMAGEDEST} install -d ${D}/boot + + # + # When including an initramfs bundle inside a FIT image, the fitImage is created after the install task + # by do_assemble_fitimage_initramfs. + # This happens after the generation of the initramfs bundle (done by do_bundle_initramfs). + # So, at the level of the install task we should not try to install the fitImage. fitImage is still not + # generated yet. + # After the generation of the fitImage, the deploy task copies the fitImage from the build directory to + # the deploy folder. + # + for imageType in ${KERNEL_IMAGETYPES} ; do - install -m 0644 ${KERNEL_OUTPUT_DIR}/${imageType} ${D}/${KERNEL_IMAGEDEST}/${imageType}-${KERNEL_VERSION} - if [ "${KERNEL_PACKAGE_NAME}" = "kernel" ]; then - ln -sf ${imageType}-${KERNEL_VERSION} ${D}/${KERNEL_IMAGEDEST}/${imageType} + if [ $imageType != "fitImage" ] || [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ] ; then + install -m 0644 ${KERNEL_OUTPUT_DIR}/${imageType} ${D}/${KERNEL_IMAGEDEST}/${imageType}-${KERNEL_VERSION} + if [ "${KERNEL_PACKAGE_NAME}" = "kernel" ]; then + ln -sf ${imageType}-${KERNEL_VERSION} ${D}/${KERNEL_IMAGEDEST}/${imageType} + fi fi done + install -m 0644 System.map ${D}/boot/System.map-${KERNEL_VERSION} install -m 0644 .config ${D}/boot/config-${KERNEL_VERSION} install -m 0644 vmlinux ${D}/boot/vmlinux-${KERNEL_VERSION}