From patchwork Tue Nov 28 22:52:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35321 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76CAAC46CA3 for ; Tue, 28 Nov 2023 22:52:57 +0000 (UTC) Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46]) by mx.groups.io with SMTP id smtpd.web11.10453.1701211970465535556 for ; Tue, 28 Nov 2023 14:52:50 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=XwYSXpkQ; spf=softfail (domain: sakoman.com, ip: 209.85.216.46, mailfrom: steve@sakoman.com) Received: by mail-pj1-f46.google.com with SMTP id 98e67ed59e1d1-285be6134ecso2340745a91.2 for ; Tue, 28 Nov 2023 14:52:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211969; x=1701816769; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=FexOcoDSkXYDEod5NGKt0GrByzloKaTWN3utV/e9LPg=; b=XwYSXpkQDzV5x5sY/nbiP8TjMkw2THggenTMWeN/XegL27FovCuQxzAd6e8ImjBw2T 6MXQdwxSNFBxHld+FFRG8GwfRgqXVJOTa5MoPQ7/kbONjZQkVBQvOMswtm978CY573Yg SnapW7Wv8u88l30XIBt7elCLS3fJvfo5NwxtRerVO06de/oN1bl4Oukuo3lc5kMe4HpB w0iLJISJAxgkjrKpS0J4V95klsTGOP6P8DE779MSWZsA6Q21Vul6CzssQrtG8qCZSVUE OKQ1+FGqs/i5PRsqyJHr31wyeMsLkf8qBMs69EZrdCjVGf3n6kcl/7NTxZhsG1C2GrGe 6w8A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211969; x=1701816769; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FexOcoDSkXYDEod5NGKt0GrByzloKaTWN3utV/e9LPg=; b=r1Ko+/Q4E66KMHcqyAD79WBwHDBvPX47J81IeRM8N4aqKB/tpdhd0M7dg6toAulzKb HWrl14nG7zosUva6Jw+U1hpNzkTjO7M+dxBb3pbCqVzQQF5izeZ+jvpwZFEx7TbEwhhp j4eQEUbUO6Ym0b3N/wP/n5sw3lrfRvNm5xSPMRpaSoxQ6XkSFVdDeXfvq+XvFKOYNump N40InIuSKDFwdP2Fhl3XVdSniwJyfnSW9NIJENld9IXHJGFKdfqYua6FnVm78DcXUPo4 U7GHbfjZWQUm+jnYv64ZE1gCQJapICmYrOswAzU5sGtGyNKfgb/+O9xZj2h9GJgSHMrt sGZA== X-Gm-Message-State: AOJu0YxZc7TDril1Enxr3gJObYUZEUVaTaFVvaEenEk+DvTyDl7sCOck tYp14TRtBSJlrqruaCqqsR1Y4DtT7iQ3AfxIE9C5iw== X-Google-Smtp-Source: AGHT+IG3IM+bxKu8V3E+JPtMYLZdfokM8Zz7hAzUcTSP7oDZ5h4nAM1oLFuJtGFCnGiX1nzbILXH6w== X-Received: by 2002:a17:90b:4aca:b0:285:ada5:8d56 with SMTP id mh10-20020a17090b4aca00b00285ada58d56mr10202428pjb.19.1701211968808; Tue, 28 Nov 2023 14:52:48 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.52.47 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:52:48 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 01/13] libx11: Fix for CVE-2023-43785 CVE-2023-43786 and CVE-2023-43787 Date: Tue, 28 Nov 2023 12:52:28 -1000 Message-Id: <0ebeabda9096b44ead2293356c5947367c6042fe.1701210903.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:52:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191396 From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f & https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86 & https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a & https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b & https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0] Reference: https://launchpad.net/ubuntu/+source/libx11/2:1.6.9-2ubuntu1.6 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xorg-lib/libx11/CVE-2023-43785.patch | 63 ++++++++++++++++++ .../xorg-lib/libx11/CVE-2023-43786-1.patch | 42 ++++++++++++ .../xorg-lib/libx11/CVE-2023-43786-2.patch | 46 +++++++++++++ .../xorg-lib/libx11/CVE-2023-43787-1.patch | 52 +++++++++++++++ .../xorg-lib/libx11/CVE-2023-43787-2.patch | 64 +++++++++++++++++++ .../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 5 ++ 6 files changed, 272 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch new file mode 100644 index 0000000000..dbdf096fc8 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch @@ -0,0 +1,63 @@ +From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 17 Sep 2023 14:19:40 -0700 +Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in + _XkbReadKeySyms() + +Make sure we allocate enough memory in the first place, and +also handle error returns from _XkbReadBufferCopyKeySyms() when +it detects out-of-bounds issues. + +Reported-by: Gregory James DUCK +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f] +CVE: CVE-2023-43785 +Signed-off-by: Vijay Anusuri +--- + src/xkb/XKBGetMap.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c +index 2891d21e..31199e4a 100644 +--- a/src/xkb/XKBGetMap.c ++++ b/src/xkb/XKBGetMap.c +@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + if (offset + newMap->nSyms >= map->size_syms) { + register int sz; + +- sz = map->size_syms + 128; ++ sz = offset + newMap->nSyms; ++ sz = ((sz + (unsigned) 128) / 128) * 128; + _XkbResizeArray(map->syms, map->size_syms, sz, KeySym); + if (map->syms == NULL) { + map->size_syms = 0; +@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + map->size_syms = sz; + } + if (newMap->nSyms > 0) { +- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], +- newMap->nSyms); ++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], ++ newMap->nSyms) == 0) ++ return BadLength; + offset += newMap->nSyms; + } + else { +@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp); + if (newSyms == NULL) + return BadAlloc; +- if (newMap->nSyms > 0) +- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms); ++ if (newMap->nSyms > 0) { ++ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0) ++ return BadLength; ++ } + else + newSyms[0] = NoSymbol; + oldMap->kt_index[0] = newMap->ktIndex[0]; +-- +2.39.3 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch new file mode 100644 index 0000000000..31a99eb4ac --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch @@ -0,0 +1,42 @@ +From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 15:54:30 -0700 +Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite + recursion in PutSubImage() + +When splitting a single line of pixels into chunks to send to the +X server, be sure to take into account the number of bits per pixel, +so we don't just loop forever trying to send more pixels than fit in +the given request size and not breaking them down into a small enough +chunk to fix. + +Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2 +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86] +CVE: CVE-2023-43786 +Signed-off-by: Vijay Anusuri +--- + src/PutImage.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/PutImage.c b/src/PutImage.c +index 857ee916..a6db7b42 100644 +--- a/src/PutImage.c ++++ b/src/PutImage.c +@@ -914,8 +914,9 @@ PutSubImage ( + req_width, req_height - SubImageHeight, + dest_bits_per_pixel, dest_scanline_pad); + } else { +- int SubImageWidth = (((Available << 3) / dest_scanline_pad) +- * dest_scanline_pad) - left_pad; ++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad) ++ * dest_scanline_pad) - left_pad) ++ / dest_bits_per_pixel; + + PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y, + (unsigned int) SubImageWidth, 1, +-- +2.39.3 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch new file mode 100644 index 0000000000..4800bedf41 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch @@ -0,0 +1,46 @@ +From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 15:55:04 -0700 +Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width + allowed by protocol + +The PutImage request specifies height & width of the image as CARD16 +(unsigned 16-bit integer), same as the maximum dimensions of an X11 +Drawable, which the image is being copied to. + +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a] +CVE: CVE-2023-43786 +Signed-off-by: Vijay Anusuri +--- + src/PutImage.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/PutImage.c b/src/PutImage.c +index a6db7b42..ba411e36 100644 +--- a/src/PutImage.c ++++ b/src/PutImage.c +@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. + #include "Xlibint.h" + #include "Xutil.h" + #include ++#include + #include "Cr.h" + #include "ImUtil.h" + #include "reallocarray.h" +@@ -962,6 +963,10 @@ XPutImage ( + height = image->height - req_yoffset; + if ((width <= 0) || (height <= 0)) + return 0; ++ if (width > USHRT_MAX) ++ width = USHRT_MAX; ++ if (height > USHRT_MAX) ++ height = USHRT_MAX; + + if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) { + dest_bits_per_pixel = 1; +-- +2.39.3 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch new file mode 100644 index 0000000000..d35d96c4dc --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch @@ -0,0 +1,52 @@ +From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 16:12:27 -0700 +Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for + out-of-range dimensions + +The CreatePixmap request specifies height & width of the image as CARD16 +(unsigned 16-bit integer), so if either is larger than that, set it to 0 +so the X server returns a BadValue error as the protocol requires. + +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b] +CVE: CVE-2023-43787 +Signed-off-by: Vijay Anusuri +--- + src/CrPixmap.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/CrPixmap.c b/src/CrPixmap.c +index cdf31207..3cb2ca6d 100644 +--- a/src/CrPixmap.c ++++ b/src/CrPixmap.c +@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. + #include + #endif + #include "Xlibint.h" ++#include + + #ifdef USE_DYNAMIC_XCURSOR + void +@@ -47,6 +48,16 @@ Pixmap XCreatePixmap ( + Pixmap pid; + register xCreatePixmapReq *req; + ++ /* ++ * Force a BadValue X Error if the requested dimensions are larger ++ * than the X11 protocol has room for, since that's how callers expect ++ * to get notified of errors. ++ */ ++ if (width > USHRT_MAX) ++ width = 0; ++ if (height > USHRT_MAX) ++ height = 0; ++ + LockDisplay(dpy); + GetReq(CreatePixmap, req); + req->drawable = d; +-- +2.39.3 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch new file mode 100644 index 0000000000..110bd445df --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch @@ -0,0 +1,64 @@ +From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001 +From: Yair Mizrahi +Date: Thu, 7 Sep 2023 16:15:32 -0700 +Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage() + leading to a heap overflow + +When the format is `Pixmap` it calculates the size of the image data as: + ROUNDUP((bits_per_pixel * width), image->bitmap_pad); +There is no validation on the `width` of the image, and so this +calculation exceeds the capacity of a 4-byte integer, causing an overflow. + +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0] +CVE: CVE-2023-43787 +Signed-off-by: Vijay Anusuri +--- + src/ImUtil.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/ImUtil.c b/src/ImUtil.c +index 36f08a03..fbfad33e 100644 +--- a/src/ImUtil.c ++++ b/src/ImUtil.c +@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. + #include + #include + #include ++#include + #include "ImUtil.h" + + static int _XDestroyImage(XImage *); +@@ -361,13 +362,22 @@ XImage *XCreateImage ( + /* + * compute per line accelerator. + */ +- { +- if (format == ZPixmap) ++ if (format == ZPixmap) { ++ if ((INT_MAX / bits_per_pixel) < width) { ++ Xfree(image); ++ return NULL; ++ } ++ + min_bytes_per_line = +- ROUNDUP((bits_per_pixel * width), image->bitmap_pad); +- else ++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad); ++ } else { ++ if ((INT_MAX - offset) < width) { ++ Xfree(image); ++ return NULL; ++ } ++ + min_bytes_per_line = +- ROUNDUP((width + offset), image->bitmap_pad); ++ ROUNDUP((width + offset), image->bitmap_pad); + } + if (image_bytes_per_line == 0) { + image->bytes_per_line = min_bytes_per_line; +-- +2.39.3 + diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb index 568162a911..248889a1d4 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb @@ -19,6 +19,11 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \ file://CVE-2022-3554.patch \ file://CVE-2022-3555.patch \ file://CVE-2023-3138.patch \ + file://CVE-2023-43785.patch \ + file://CVE-2023-43786-1.patch \ + file://CVE-2023-43786-2.patch \ + file://CVE-2023-43787-1.patch \ + file://CVE-2023-43787-2.patch \ " SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2" From patchwork Tue Nov 28 22:52:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35318 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7621BC4167B for ; Tue, 28 Nov 2023 22:52:57 +0000 (UTC) Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) by mx.groups.io with SMTP id smtpd.web10.10155.1701211972059116365 for ; Tue, 28 Nov 2023 14:52:52 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=HewEe7id; spf=softfail (domain: sakoman.com, ip: 209.85.216.42, mailfrom: steve@sakoman.com) Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-280351c32afso5610762a91.1 for ; Tue, 28 Nov 2023 14:52:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211971; x=1701816771; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZjyZLEiFiNQ8/QcODn2XDa0RMmIpeEUwFHfwyolihXM=; b=HewEe7idv5Lfdn4VRNzyAO+QNmazfXt6DFm9FsM2ayB3cEd7y9/4EOUDaLlVvLNeDr zPsuf5WnmH5OusUD1mIBsQAnDKuJlpqK2qGkKYIabrz3g2wDonz+MC0z+OchXeYtn12q k3EamXUfv3nNDzJcSdL8Y60OO7VaPWgDtAyPoLdbFodmiPZMZ9jU/kjH2g09Cnfjy8DF t2FLFnnRFLvbYlDg+Zobem+PkXfUxMoNUIxnbJnY2IC0VneWtQEP+r1HWrVdq6N8u/xs JxUNhDfmexvZGZhjj57JzHR5majIyQEC3W2q7u9+IWzWIb+YqCqPMwCa9J8lNbbsiSjw CqZw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211971; x=1701816771; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZjyZLEiFiNQ8/QcODn2XDa0RMmIpeEUwFHfwyolihXM=; b=s3BqMh7/bUD6JdHpm34Tubbpwz5pcAjHS9pWhn/Igid7d0Irsb3mD5pevo6UKUIIU7 1dKLRP6PsRtO3HStmxZoyXo1m82+tvphyHiMNQt7MOxvoFXm5VOj5gVHipx5Wc/qFcPB bXVIpB6Ix8iDGRutZ4A5cQllvunv2BGjWzVLZGuqp7HDtmm1dclGvj/xXP+7QVPiwUkj Bbnb05I9fOl3BItht/eI8T/bEPOBVNVkloeyoqIFWszCrilr1CD4mFX2AaZjw9+QYblh 9Kab9Ny0ZK+rqqn+hyMXyVvBqO5nPyl2U3/ideSpy3qgUvIx6un7H+D6jNDUy0g+jfJ6 nbcA== X-Gm-Message-State: AOJu0YzsafRZ5Ha70dgRJs+cyoF/uxWI0EbBJ2NuechOsn6q1VZSQuB2 rpChIOFIgvXAs0HcZ3iSpi165Pik2GaiwK/4MRB1Cg== X-Google-Smtp-Source: AGHT+IHLuA2AVoJknoTcPjcfFyA7EZrOTUAnAy+oP/UoBSaltm6aNdbkeErnk9VMwr6+Ws/DHL+QZA== X-Received: by 2002:a17:90b:4c50:b0:285:8407:6152 with SMTP id np16-20020a17090b4c5000b0028584076152mr17807403pjb.8.1701211970652; Tue, 28 Nov 2023 14:52:50 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.52.49 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:52:50 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 02/13] wayland: fix CVE-2021-3782 Date: Tue, 28 Nov 2023 12:52:29 -1000 Message-Id: <9c3f494bf54c4d4b7ec776ab18d900bf9fbd042a.1701210903.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:52:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191397 From: Lee Chee Yang take CVE-2021-3782.patch from OE-core rev 09b8ff8d2361b2db001bc963f481db294ccf2170. Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- .../wayland/wayland/CVE-2021-3782.patch | 111 ++++++++++++++++++ .../wayland/wayland_1.18.0.bb | 1 + 2 files changed, 112 insertions(+) create mode 100644 meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch diff --git a/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch new file mode 100644 index 0000000000..df204508e9 --- /dev/null +++ b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch @@ -0,0 +1,111 @@ +From 5eed6609619cc2e4eaa8618d11c15d442abf54be Mon Sep 17 00:00:00 2001 +From: Derek Foreman +Date: Fri, 28 Jan 2022 13:18:37 -0600 +Subject: [PATCH] util: Limit size of wl_map + +Since server IDs are basically indistinguishable from really big client +IDs at many points in the source, it's theoretically possible to overflow +a map and either overflow server IDs into the client ID space, or grow +client IDs into the server ID space. This would currently take a massive +amount of RAM, but the definition of massive changes yearly. + +Prevent this by placing a ridiculous but arbitrary upper bound on the +number of items we can put in a map: 0xF00000, somewhere over 15 million. +This should satisfy pathological clients without restriction, but stays +well clear of the 0xFF000000 transition point between server and client +IDs. It will still take an improbable amount of RAM to hit this, and a +client could still exhaust all RAM in this way, but our goal is to prevent +overflow and undefined behaviour. + +Fixes #224 + +Signed-off-by: Derek Foreman + +Upstream-Status: Backport +CVE: CVE-2021-3782 + +Reference to upstream patch: +https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2 + +[DP: adjust context for wayland version 1.20.0] +Signed-off-by: Dragos-Marian Panait +--- + src/wayland-private.h | 1 + + src/wayland-util.c | 25 +++++++++++++++++++++++-- + 2 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/wayland-private.h b/src/wayland-private.h +index 9bf8cb7..35dc40e 100644 +--- a/src/wayland-private.h ++++ b/src/wayland-private.h +@@ -45,6 +45,7 @@ + #define WL_MAP_SERVER_SIDE 0 + #define WL_MAP_CLIENT_SIDE 1 + #define WL_SERVER_ID_START 0xff000000 ++#define WL_MAP_MAX_OBJECTS 0x00f00000 + #define WL_CLOSURE_MAX_ARGS 20 + + struct wl_object { +diff --git a/src/wayland-util.c b/src/wayland-util.c +index d5973bf..3e45d19 100644 +--- a/src/wayland-util.c ++++ b/src/wayland-util.c +@@ -195,6 +195,7 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data) + union map_entry *start, *entry; + struct wl_array *entries; + uint32_t base; ++ uint32_t count; + + if (map->side == WL_MAP_CLIENT_SIDE) { + entries = &map->client_entries; +@@ -215,10 +216,25 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data) + start = entries->data; + } + ++ /* wl_array only grows, so if we have too many objects at ++ * this point there's no way to clean up. We could be more ++ * pro-active about trying to avoid this allocation, but ++ * it doesn't really matter because at this point there is ++ * nothing to be done but disconnect the client and delete ++ * the whole array either way. ++ */ ++ count = entry - start; ++ if (count > WL_MAP_MAX_OBJECTS) { ++ /* entry->data is freshly malloced garbage, so we'd ++ * better make it a NULL so wl_map_for_each doesn't ++ * dereference it later. */ ++ entry->data = NULL; ++ return 0; ++ } + entry->data = data; + entry->next |= (flags & 0x1) << 1; + +- return (entry - start) + base; ++ return count + base; + } + + int +@@ -235,6 +251,9 @@ wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data) + i -= WL_SERVER_ID_START; + } + ++ if (i > WL_MAP_MAX_OBJECTS) ++ return -1; ++ + count = entries->size / sizeof *start; + if (count < i) + return -1; +@@ -269,8 +288,10 @@ wl_map_reserve_new(struct wl_map *map, uint32_t i) + i -= WL_SERVER_ID_START; + } + +- count = entries->size / sizeof *start; ++ if (i > WL_MAP_MAX_OBJECTS) ++ return -1; + ++ count = entries->size / sizeof *start; + if (count < i) + return -1; + +-- +2.37.3 diff --git a/meta/recipes-graphics/wayland/wayland_1.18.0.bb b/meta/recipes-graphics/wayland/wayland_1.18.0.bb index 00be3aac27..e621abddbf 100644 --- a/meta/recipes-graphics/wayland/wayland_1.18.0.bb +++ b/meta/recipes-graphics/wayland/wayland_1.18.0.bb @@ -18,6 +18,7 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \ file://0002-Do-not-hardcode-the-path-to-wayland-scanner.patch \ file://0001-build-Fix-strndup-detection-on-MinGW.patch \ file://0001-meson-tests-add-missing-dependencies-on-protocol-hea.patch \ + file://CVE-2021-3782.patch \ " SRC_URI[md5sum] = "23317697b6e3ff2e1ac8c5ba3ed57b65" SRC_URI[sha256sum] = "4675a79f091020817a98fd0484e7208c8762242266967f55a67776936c2e294d" From patchwork Tue Nov 28 22:52:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35319 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 86683C46CA0 for ; Tue, 28 Nov 2023 22:52:57 +0000 (UTC) Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com [209.85.215.176]) by mx.groups.io with SMTP id smtpd.web10.10158.1701211975105918246 for ; Tue, 28 Nov 2023 14:52:55 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=clOLTfAy; spf=softfail (domain: sakoman.com, ip: 209.85.215.176, mailfrom: steve@sakoman.com) Received: by mail-pg1-f176.google.com with SMTP id 41be03b00d2f7-5c2066accc5so4142942a12.3 for ; Tue, 28 Nov 2023 14:52:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211974; x=1701816774; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=CQ1mXluv5sJH7Acdiwb8d46QZXH8nsjJlbmAve9YZtk=; b=clOLTfAy3EhYEsjxIK5Bg30EnfObfue/7I5DvNzDpX85wcMIB7y29aKhzBRRVQNA7Y qO63vcua0EkjsjlbNA1idxwmnPHFmFd+Lb/Bcdoxe7WeW9a9rXf9XupXv70sCWuhGUxm HUHL2gdUbwWCAWmaq/vMENcAMxVnvHrwdJ/7s+9Tkx+S6ChZeaLbwyE12nK9eHCVB9+X N66S77x6jCHFUSZvy9swd3Mf+ei5XMlWmZSNNfRo4zfGmgD6RNkBxJYB5rBVI8T+FBPx 8pJ+zzZap9umALwp0+YWGAPcO2R1fuw/EorMlLyG0hUhMrTYP+P+BoXYOJHyE2hZX67v p4Ww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211974; x=1701816774; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=CQ1mXluv5sJH7Acdiwb8d46QZXH8nsjJlbmAve9YZtk=; b=Pp6HsQEHTv8ZpngU/+OXfFYH+YsC47DnEBTFYoK7acDd8RjE9x2+Zk6uh8Cy3E/LCz zknngdbP20ozIih+pNoCLo2p9woenz/qbkYYS7Uj20huDGiIepAWP7B8tzSu23gi3TzN 4Q1wtLV7CIJOSSpSi4+wsMMzww8975Hnuvs+2GVB0QNEF/8p3O0ZRNk6ulksbeVIVRvw Hpg5r6znZn2seOVs57FrBA75aYHIsx0wLVzSs5pTZhUxhUfG598QyPt0QvtKw/yg+kZT q22mUAA7SnFvS/+O6RThKC3Qbct6vb1UaJqq7xAVN29ey2ihn9JSNZU+C345+LsZt6cZ lknQ== X-Gm-Message-State: AOJu0Yzx6P39Fyf3pvpNo7oI0LKvGNX8qWceCWh9/+UYT5lIb9R0Nm+e +X5Dh+qZUVWSuMuOkpLBhapd+bBqe1vE7A9N+qWn+Q== X-Google-Smtp-Source: AGHT+IEy11mvZ2RnR2Hf/IazWcm9UUaNqXSFLqBPfdnCs1w2DomJSwbrgKdBG2IjJTh+zXhO2ZH/oA== X-Received: by 2002:a17:90b:4a83:b0:27d:492e:137a with SMTP id lp3-20020a17090b4a8300b0027d492e137amr17152091pjb.45.1701211973618; Tue, 28 Nov 2023 14:52:53 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.52.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:52:53 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 03/13] python3-setuptools: fix CVE-2022-40897 Date: Tue, 28 Nov 2023 12:52:30 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:52:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191398 From: Lee Chee Yang import patch from ubuntu setuptools_45.2.0-1ubuntu0.1 . Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- .../python/python-setuptools.inc | 2 ++ .../python3-setuptools/CVE-2022-40897.patch | 29 +++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch diff --git a/meta/recipes-devtools/python/python-setuptools.inc b/meta/recipes-devtools/python/python-setuptools.inc index 29be852f66..5faf62bc3a 100644 --- a/meta/recipes-devtools/python/python-setuptools.inc +++ b/meta/recipes-devtools/python/python-setuptools.inc @@ -8,6 +8,8 @@ PYPI_PACKAGE_EXT = "zip" inherit pypi +SRC_URI += " file://CVE-2022-40897.patch " + SRC_URI_append_class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch" SRC_URI[md5sum] = "0c956eea142af9c2b02d72e3c042af30" diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch new file mode 100644 index 0000000000..9150cea07e --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch @@ -0,0 +1,29 @@ +From 43a9c9bfa6aa626ec2a22540bea28d2ca77964be Mon Sep 17 00:00:00 2001 +From: "Jason R. Coombs" +Date: Fri, 4 Nov 2022 13:47:53 -0400 +Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes + #3659. + +CVE: CVE-2022-40897 +Upstream-Status: Backport [ +Upstream : https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be +Import from Ubuntu: http://archive.ubuntu.com/ubuntu/pool/main/s/setuptools/setuptools_45.2.0-1ubuntu0.1.debian.tar.xz +] +Signed-off-by: Lee Chee Yang + +--- + setuptools/package_index.py | 2 +- + setuptools/tests/test_packageindex.py | 1 - + 2 files changed, 1 insertion(+), 2 deletions(-) + +--- setuptools-45.2.0.orig/setuptools/package_index.py ++++ setuptools-45.2.0/setuptools/package_index.py +@@ -215,7 +215,7 @@ def unique_values(func): + return wrapper + + +-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) ++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) + # this line is here to fix emacs' cruddy broken syntax highlighting + + From patchwork Tue Nov 28 22:52:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35320 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 86547C07CA9 for ; Tue, 28 Nov 2023 22:52:57 +0000 (UTC) Received: from mail-pg1-f169.google.com (mail-pg1-f169.google.com [209.85.215.169]) by mx.groups.io with SMTP id smtpd.web10.10161.1701211976968546919 for ; Tue, 28 Nov 2023 14:52:57 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=MjsJ8n7Z; spf=softfail (domain: sakoman.com, ip: 209.85.215.169, mailfrom: steve@sakoman.com) Received: by mail-pg1-f169.google.com with SMTP id 41be03b00d2f7-5c604b092a6so92327a12.0 for ; Tue, 28 Nov 2023 14:52:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211975; x=1701816775; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PRM1H9H1O2N3FbjXXpZX8MNum0qtZ4+mntoYbE0DEIw=; b=MjsJ8n7ZqeEOoF0d5Gjvp69Xw4AuNscRJauDctLZIQyvas+wM2NbiGaldW0HbDPsBN JW+DPOyYpP1ncRdhMU67DZ/tPA7aBD5npYYUv1a8YHjSUOwqffYXuyDVv7hAiid1bjmt brHOHKme9C0kpzLjUKNaiZ2yGUI1+fyVPrwVLxuZx+7mg3C3s6ZxE5/4PHDFCKQl9GAC NEWPXZoj0V9ELjU47Xgwe9FeD6ZxcWi+axy1cygwanGF945vG5+8Ivx141TnWkA9wzTX GtLY3hQj5iQ8kroW81nLDGljhcOj9yyZjMbWFIcuOi/UxPO0PjguAwmmDpDRLnbISJR/ JlxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211975; x=1701816775; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PRM1H9H1O2N3FbjXXpZX8MNum0qtZ4+mntoYbE0DEIw=; b=ijI8NA4OYuay6yvW0vS5J7t5D/drQ3HMgjX2Q6uhVrz1wlRiRKAaSHPurOr91mtpMa +4hKujcqZfuAcLuzUG9UkK3iJOiZU7X6NBAnZxXYOv04OMvGCH3xOUn5igSjWcVOAiJ2 /JjIJymgapsFj9ncG1IvK5PMvCMtCe5ZYbQKHnKwRrj+MrevFpafRrDejWWRP6ZA4/If FVIVYlrgSKgQpFqYA5CwntN3e4GJmI7jVqOWUORYBGeElXC/5qQzfs1MoG3MhBPkL1fL GXPITJ4z9e2/eKl0XS7kCnODNcC4VSwuNuuGd/aiLL8Oon8yKV0bujw/Fe4x9os/TbEU 5rdg== X-Gm-Message-State: AOJu0Yz0x3Km7WtkioU6sgSVyvlBYT+zS/pa3zaJApvo8G2R6hPsQyj4 3JaKZsVBd88kzxcw3MyEaZlknGl9aqqKCfUx72xkNA== X-Google-Smtp-Source: AGHT+IFW0pRC67tATmc+0A+d9gIKLQX0Zc07anTiD3+Ao30vbneSrXKs9BJkABmz0VawKWKjVhsCpA== X-Received: by 2002:a17:90b:3a90:b0:285:8cb6:6153 with SMTP id om16-20020a17090b3a9000b002858cb66153mr21968170pjb.17.1701211975407; Tue, 28 Nov 2023 14:52:55 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.52.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:52:55 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 04/13] shadow: backport patch to fix CVE-2023-29383 Date: Tue, 28 Nov 2023 12:52:31 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:52:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191399 From: Vijay Anusuri The fix of CVE-2023-29383.patch contains a bug that it rejects all characters that are not control ones, so backup another patch named "0001-Overhaul-valid_field.patch" from upstream to fix it. (From OE-Core rev: ab48ab23de6f6bb1f05689c97724140d4bef8faa) Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d & https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../files/0001-Overhaul-valid_field.patch | 66 +++++++++++++++++++ .../shadow/files/CVE-2023-29383.patch | 54 +++++++++++++++ meta/recipes-extended/shadow/shadow.inc | 2 + 3 files changed, 122 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch new file mode 100644 index 0000000000..aea07ff361 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch @@ -0,0 +1,66 @@ +From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 31 Mar 2023 14:46:50 +0200 +Subject: [PATCH] Overhaul valid_field() + +e5905c4b ("Added control character check") introduced checking for +control characters but had the logic inverted, so it rejects all +characters that are not control ones. + +Cast the character to `unsigned char` before passing to the character +checking functions to avoid UB. + +Use strpbrk(3) for the illegal character test and return early. + +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4] + +Signed-off-by: Xiangyu Chen +Signed-off-by: Vijay Anusuri +--- + lib/fields.c | 24 ++++++++++-------------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index fb51b582..53929248 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal) + + /* For each character of field, search if it appears in the list + * of illegal characters. */ ++ if (illegal && NULL != strpbrk (field, illegal)) { ++ return -1; ++ } ++ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { +- if (strchr (illegal, *cp) != NULL) { ++ unsigned char c = *cp; ++ if (!isprint (c)) { ++ err = 1; ++ } ++ if (iscntrl (c)) { + err = -1; + break; + } + } + +- if (0 == err) { +- /* Search if there are non-printable or control characters */ +- for (cp = field; '\0' != *cp; cp++) { +- if (!isprint (*cp)) { +- err = 1; +- } +- if (!iscntrl (*cp)) { +- err = -1; +- break; +- } +- } +- } +- + return err; + } + +-- +2.34.1 + diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch new file mode 100644 index 0000000000..dbf4a508e9 --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch @@ -0,0 +1,54 @@ +From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001 +From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com> +Date: Thu, 23 Mar 2023 23:39:38 +0000 +Subject: [PATCH] Added control character check + +Added control character check, returning -1 (to "err") if control characters are present. + +CVE: CVE-2023-29383 +Upstream-Status: Backport + +Reference to upstream: +https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d + +Signed-off-by: Xiangyu Chen +Signed-off-by: Vijay Anusuri +--- + lib/fields.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index 640be931..fb51b582 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -21,9 +21,9 @@ + * + * The supplied field is scanned for non-printable and other illegal + * characters. +- * + -1 is returned if an illegal character is present. +- * + 1 is returned if no illegal characters are present, but the field +- * contains a non-printable character. ++ * + -1 is returned if an illegal or control character is present. ++ * + 1 is returned if no illegal or control characters are present, ++ * but the field contains a non-printable character. + * + 0 is returned otherwise. + */ + int valid_field (const char *field, const char *illegal) +@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) + } + + if (0 == err) { +- /* Search if there are some non-printable characters */ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { + if (!isprint (*cp)) { + err = 1; ++ } ++ if (!iscntrl (*cp)) { ++ err = -1; + break; + } + } +-- +2.34.1 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index bfe50c18f6..2ecab5073d 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -14,6 +14,8 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}. file://shadow-4.1.3-dots-in-usernames.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ file://shadow-relaxed-usernames.patch \ + file://CVE-2023-29383.patch \ + file://0001-Overhaul-valid_field.patch \ " SRC_URI_append_class-target = " \ From patchwork Tue Nov 28 22:52:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35323 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 917E5C07E97 for ; Tue, 28 Nov 2023 22:53:07 +0000 (UTC) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) by mx.groups.io with SMTP id smtpd.web10.10163.1701211979299105574 for ; Tue, 28 Nov 2023 14:52:59 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=01kmXOvW; spf=softfail (domain: sakoman.com, ip: 209.85.210.170, mailfrom: steve@sakoman.com) Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-6cb9dd2ab56so5308837b3a.3 for ; Tue, 28 Nov 2023 14:52:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211978; x=1701816778; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=S0wRT1vi/SlZ87/L+bckUVMlBAdGvT0Jw6h+zYXGGwM=; b=01kmXOvWH8k2HisRBFPENLQd5XNW7jIKR5LRetzDVJoCVUbPoyiwpcGTcMDIC8l1Co dJZ4LHqRNj8uL4LMp3UyMRoCPKz5KBhpZRItHqBzkdVtg+RuBIg+aq3EvF/4ytyyaTvQ URcXDhNMWtmufixUN3pg1Nx9YGn5qkjXTyhEDYWkgJ6l/PH5tempnnTQy8vS0ZhaxCRO SxNwOrZExp5d9I8vv5izWM+NkEJlhOoR7gzcLedj0g6xG/7Cb597YP0rn7q7HeBCXd1L +AOxEgdkDx4ufHOlXJnnUwas13E4gZCHe+QR5i/2W6mCqneoJygVKLinwA2HwsyRsTSi KOqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211978; x=1701816778; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=S0wRT1vi/SlZ87/L+bckUVMlBAdGvT0Jw6h+zYXGGwM=; b=CBIUiWzbg+9CsH9XvI1FjyTcQ1KqPjb5ueNMTuIkdSlVzVM3ISvvcZ1md4rzc7/8cb 7chZuRbrXvvLUuEAVtc+KdoWmii6HXM4k7XrK2UTNVwPbPDqLPVoDwTFBPiDfUsb5GPV g6i6plseLQUG2vbGOyk5rhekXMzkKfP9ukYxFpWCRlfZ41G66wyaiZgUlTRUJyPQ5JAE z7DUTFVOdq9zmIJaywse6VYXE1GJElApAQ65QsRHbQ8GUYld10zr5g4b4UUarhOwcFfa iE402847ewgu01W2CRIx0FBq79xIeRGz8ZiYVG8iUIU+p0gNinjJgrTMU+1RZn6q6Zr7 koMA== X-Gm-Message-State: AOJu0YyRXaiNFM58Jrs3fdhDgUZqwguSa2ZSCcTK3+y2RieNPEdNeg7x vw25oh6RpZeyzzh+YoZmLTlgmdW6vBVpo/5BmYjGgg== X-Google-Smtp-Source: AGHT+IHZAUWBO+Mbz4LrEJCF207huq5MikRREAvO1Rr0M8yLaw3eBowXWKQmoTvjEkat6RzhPzpGgw== X-Received: by 2002:a05:6a21:6215:b0:16c:b5ce:50f with SMTP id wm21-20020a056a21621500b0016cb5ce050fmr13254233pzb.32.1701211977461; Tue, 28 Nov 2023 14:52:57 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.52.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:52:57 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 05/13] curl: fix CVE-2023-28321 CVE-2023-28322 Date: Tue, 28 Nov 2023 12:52:32 -1000 Message-Id: <5cc1f487928df04c58709dd88ef6c17c171da7a5.1701210903.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:53:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191400 From: Lee Chee Yang import patch from ubuntu curl_7.68.0-1ubuntu2.20. minor change to CVE-2023-28321.patch tests/data/test1397 part so the patch can be apply. Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2023-28321.patch | 272 +++++++++++++ .../curl/curl/CVE-2023-28322.patch | 380 ++++++++++++++++++ meta/recipes-support/curl/curl_7.69.1.bb | 2 + 3 files changed, 654 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28321.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28322.patch diff --git a/meta/recipes-support/curl/curl/CVE-2023-28321.patch b/meta/recipes-support/curl/curl/CVE-2023-28321.patch new file mode 100644 index 0000000000..da1d1fdcd6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28321.patch @@ -0,0 +1,272 @@ +Upstream-Status: Backport [import from ubuntu curl_7.68.0-1ubuntu2.20 with +minor change to tests/data/test1397 part so the patch can be apply. +upstream: https://github.com/curl/curl/commit/199f2d440d8659b42 ] +CVE: CVE-2023-28321 +Signed-off-by: Lee Chee Yang + +This backport was obtained from SUSE. + +From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 24 Apr 2023 21:07:02 +0200 +Subject: [PATCH] hostcheck: fix host name wildcard checking + +The leftmost "label" of the host name can now only match against single +'*'. Like the browsers have worked for a long time. + +- extended unit test 1397 for this +- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc + +Reported-by: Hiroki Kurosawa +Closes #11018 +--- + lib/hostcheck.c | 50 +++++++-------- + tests/data/test1397 | 10 ++- + tests/unit/Makefile.am | 94 ---------------------------- + tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++ + tests/unit/unit1397.c | 134 ++++++++++++++++++++++++---------------- + 5 files changed, 202 insertions(+), 180 deletions(-) + +--- a/lib/hostcheck.c ++++ b/lib/hostcheck.c +@@ -58,15 +58,19 @@ + * apparent distinction between a name and an IP. We need to detect the use of + * an IP address and not wildcard match on such names. + * ++ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor ++ * "*b". ++ * ++ * @unittest: 1397 ++ * + * NOTE: hostmatch() gets called with copied buffers so that it can modify the + * contents at will. + */ + + static int hostmatch(char *hostname, char *pattern) + { +- const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; +- int wildcard_enabled; +- size_t prefixlen, suffixlen; ++ const char *pattern_label_end, *hostname_label_end; ++ size_t suffixlen; + struct in_addr ignored; + #ifdef ENABLE_IPV6 + struct sockaddr_in6 si6; +@@ -80,13 +84,12 @@ static int hostmatch(char *hostname, cha + if(pattern[len-1]=='.') + pattern[len-1] = 0; + +- pattern_wildcard = strchr(pattern, '*'); +- if(pattern_wildcard == NULL) ++ if(strncmp(pattern, "*.", 2)) + return strcasecompare(pattern, hostname) ? + CURL_HOST_MATCH : CURL_HOST_NOMATCH; + + /* detect IP address as hostname and fail the match if so */ +- if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) ++ else if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) + return CURL_HOST_NOMATCH; + #ifdef ENABLE_IPV6 + if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0) +@@ -95,14 +98,9 @@ static int hostmatch(char *hostname, cha + + /* We require at least 2 dots in pattern to avoid too wide wildcard + match. */ +- wildcard_enabled = 1; + pattern_label_end = strchr(pattern, '.'); +- if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL || +- pattern_wildcard > pattern_label_end || +- strncasecompare(pattern, "xn--", 4)) { +- wildcard_enabled = 0; +- } +- if(!wildcard_enabled) ++ if(pattern_label_end == NULL || ++ strchr(pattern_label_end + 1, '.') == NULL) + return strcasecompare(pattern, hostname) ? + CURL_HOST_MATCH : CURL_HOST_NOMATCH; + +@@ -117,11 +115,9 @@ static int hostmatch(char *hostname, cha + if(hostname_label_end - hostname < pattern_label_end - pattern) + return CURL_HOST_NOMATCH; + +- prefixlen = pattern_wildcard - pattern; +- suffixlen = pattern_label_end - (pattern_wildcard + 1); +- return strncasecompare(pattern, hostname, prefixlen) && +- strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen, +- suffixlen) ? ++ suffixlen = pattern_label_end - (pattern + 1); ++ return strncasecompare(pattern + 1, hostname_label_end - suffixlen, ++ suffixlen) ? + CURL_HOST_MATCH : CURL_HOST_NOMATCH; + } + +--- a/tests/data/test1397 ++++ b/tests/data/test1397 +@@ -2,8 +2,7 @@ + + + unittest +-ssl +-wildcard ++Curl_cert_hostcheck + + + +@@ -16,9 +15,8 @@ none + + unittest + +- +-Check wildcard certificate matching function Curl_cert_hostcheck +- ++ ++Curl_cert_hostcheck unit tests ++ + +- + +--- a/tests/unit/unit1397.c ++++ b/tests/unit/unit1397.c +@@ -21,8 +21,6 @@ + ***************************************************************************/ + #include "curlcheck.h" + +-#include "hostcheck.h" /* from the lib dir */ +- + static CURLcode unit_setup(void) + { + return CURLE_OK; +@@ -30,50 +28,94 @@ static CURLcode unit_setup(void) + + static void unit_stop(void) + { +- /* done before shutting down and exiting */ + } + +-UNITTEST_START ++* only these backends define the tested functions */ ++#if defined(USE_OPENSSL) || defined(USE_GSKIT) || \ ++ defined(USE_SCHANNEL) ++#include "hostcheck.h" ++struct testcase { ++ const char *host; ++ const char *pattern; ++ bool match; ++}; ++ ++static struct testcase tests[] = { ++ {"", "", FALSE}, ++ {"a", "", FALSE}, ++ {"", "b", FALSE}, ++ {"a", "b", FALSE}, ++ {"aa", "bb", FALSE}, ++ {"\xff", "\xff", TRUE}, ++ {"aa.aa.aa", "aa.aa.bb", FALSE}, ++ {"aa.aa.aa", "aa.aa.aa", TRUE}, ++ {"aa.aa.aa", "*.aa.bb", FALSE}, ++ {"aa.aa.aa", "*.aa.aa", TRUE}, ++ {"192.168.0.1", "192.168.0.1", TRUE}, ++ {"192.168.0.1", "*.168.0.1", FALSE}, ++ {"192.168.0.1", "*.0.1", FALSE}, ++ {"h.ello", "*.ello", FALSE}, ++ {"h.ello.", "*.ello", FALSE}, ++ {"h.ello", "*.ello.", FALSE}, ++ {"h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo", " *.e.llo", FALSE}, ++ {" h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo", TRUE}, ++ {"*.e.llo.", "*.e.llo", TRUE}, ++ {"************.e.llo.", "*.e.llo", TRUE}, ++ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ++ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" ++ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" ++ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" ++ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" ++ ".e.llo.", "*.e.llo", TRUE}, ++ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo.", TRUE}, ++ {"h.e.llo", "*.e.llo.", TRUE}, ++ {".h.e.llo", "*.e.llo.", FALSE}, ++ {"h.e.llo", "*.*.llo.", FALSE}, ++ {"h.e.llo", "h.*.llo", FALSE}, ++ {"h.e.llo", "h.e.*", FALSE}, ++ {"hello", "*.ello", FALSE}, ++ {"hello", "**llo", FALSE}, ++ {"bar.foo.example.com", "*.example.com", FALSE}, ++ {"foo.example.com", "*.example.com", TRUE}, ++ {"baz.example.net", "b*z.example.net", FALSE}, ++ {"foobaz.example.net", "*baz.example.net", FALSE}, ++ {"xn--l8j.example.local", "x*.example.local", FALSE}, ++ {"xn--l8j.example.net", "*.example.net", TRUE}, ++ {"xn--l8j.example.net", "*j.example.net", FALSE}, ++ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE}, ++ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE}, ++ {"xl8j.example.net", "*.example.net", TRUE}, ++ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE}, ++ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE}, ++ {NULL, NULL, FALSE} ++}; + +-/* only these backends define the tested functions */ +-#if defined(USE_OPENSSL) || defined(USE_GSKIT) ++UNITTEST_START ++{ ++ int i; ++ for(i = 0; tests[i].host; i++) { ++ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern, ++ tests[i].host)) { ++ fprintf(stderr, ++ "HOST: %s\n" ++ "PTRN: %s\n" ++ "did %sMATCH\n", ++ tests[i].host, ++ tests[i].pattern, ++ tests[i].match ? "NOT ": ""); ++ unitfail++; ++ } ++ } ++} + +- /* here you start doing things and checking that the results are good */ ++UNITTEST_STOP ++#else + +-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"), +- "good 1"); +-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"), +- "good 2"); +-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"), +- "good 3"); +-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"), +- "good 4"); +-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"), +- "good 5"); +- +-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1"); +-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2"); +-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3"); +-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4"); +-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5"); +-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6"); +-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7"); +-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8"); +-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9"); +-fail_if(Curl_cert_hostcheck("", "www"), "bad 10"); +-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11"); +-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12"); +-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13"); +- +-#ifdef ENABLE_IPV6 +-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619", +- "fe80::3285:a9ff:fe46:b619"), "bad 14"); +-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619", +- "fe80::3285:a9ff:fe46:b619"), "good 6"); +-#endif ++UNITTEST_START + ++UNITTEST_STOP + #endif + +- /* you end the test code like this: */ +- +-UNITTEST_STOP diff --git a/meta/recipes-support/curl/curl/CVE-2023-28322.patch b/meta/recipes-support/curl/curl/CVE-2023-28322.patch new file mode 100644 index 0000000000..9351a2c286 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-28322.patch @@ -0,0 +1,380 @@ +CVE: CVE-2023-28322 +Upstream-Status: Backport [ import patch from ubuntu curl_7.68.0-1ubuntu2.20 +upstream https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de ] +Signed-off-by: Lee Chee Yang + +Backport of: + +From 7815647d6582c0a4900be2e1de6c5e61272c496b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 25 Apr 2023 08:28:01 +0200 +Subject: [PATCH] lib: unify the upload/method handling + +By making sure we set state.upload based on the set.method value and not +independently as set.upload, we reduce confusion and mixup risks, both +internally and externally. + +Closes #11017 +--- + lib/curl_rtmp.c | 4 ++-- + lib/file.c | 4 ++-- + lib/ftp.c | 8 ++++---- + lib/http.c | 4 ++-- + lib/imap.c | 6 +++--- + lib/rtsp.c | 4 ++-- + lib/setopt.c | 6 ++---- + lib/smb.c | 6 +++--- + lib/smtp.c | 4 ++-- + lib/tftp.c | 8 ++++---- + lib/transfer.c | 4 ++-- + lib/urldata.h | 2 +- + lib/vssh/libssh.c | 6 +++--- + lib/vssh/libssh2.c | 6 +++--- + lib/vssh/wolfssh.c | 2 +- + 15 files changed, 36 insertions(+), 38 deletions(-) + +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -213,7 +213,7 @@ static CURLcode rtmp_connect(struct conn + /* We have to know if it's a write before we send the + * connect request packet + */ +- if(conn->data->set.upload) ++ if(conn->data->state.upload) + r->Link.protocol |= RTMP_FEATURE_WRITE; + + /* For plain streams, use the buffer toggle trick to keep data flowing */ +@@ -245,7 +245,7 @@ static CURLcode rtmp_do(struct connectda + if(!RTMP_ConnectStream(r, 0)) + return CURLE_FAILED_INIT; + +- if(conn->data->set.upload) { ++ if(conn->data->state.upload) { + Curl_pgrsSetUploadSize(data, data->state.infilesize); + Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET); + } +--- a/lib/file.c ++++ b/lib/file.c +@@ -198,7 +198,7 @@ static CURLcode file_connect(struct conn + file->freepath = real_path; /* free this when done */ + + file->fd = fd; +- if(!data->set.upload && (fd == -1)) { ++ if(!data->state.upload && (fd == -1)) { + failf(data, "Couldn't open file %s", data->state.up.path); + file_done(conn, CURLE_FILE_COULDNT_READ_FILE, FALSE); + return CURLE_FILE_COULDNT_READ_FILE; +@@ -390,7 +390,7 @@ static CURLcode file_do(struct connectda + + Curl_pgrsStartNow(data); + +- if(data->set.upload) ++ if(data->state.upload) + return file_upload(conn); + + file = conn->data->req.protop; +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1371,7 +1371,7 @@ static CURLcode ftp_state_prepare_transf + data->set.str[STRING_CUSTOMREQUEST]: + (data->set.ftp_list_only?"NLST":"LIST")); + } +- else if(data->set.upload) { ++ else if(data->state.upload) { + PPSENDF(&conn->proto.ftpc.pp, "PRET STOR %s", conn->proto.ftpc.file); + } + else { +@@ -3303,7 +3303,7 @@ static CURLcode ftp_done(struct connectd + /* the response code from the transfer showed an error already so no + use checking further */ + ; +- else if(data->set.upload) { ++ else if(data->state.upload) { + if((-1 != data->state.infilesize) && + (data->state.infilesize != data->req.writebytecount) && + !data->set.crlf && +@@ -3570,7 +3570,7 @@ static CURLcode ftp_do_more(struct conne + connected back to us */ + } + } +- else if(data->set.upload) { ++ else if(data->state.upload) { + result = ftp_nb_type(conn, data->set.prefer_ascii, FTP_STOR_TYPE); + if(result) + return result; +@@ -4209,7 +4209,7 @@ CURLcode ftp_parse_url_path(struct conne + ftpc->file = NULL; /* instead of point to a zero byte, + we make it a NULL pointer */ + +- if(data->set.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) { ++ if(data->state.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) { + /* We need a file name when uploading. Return error! */ + failf(data, "Uploading to a URL without a file name!"); + free(rawPath); +--- a/lib/http.c ++++ b/lib/http.c +@@ -2080,7 +2080,7 @@ CURLcode Curl_http(struct connectdata *c + } + + if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && +- data->set.upload) { ++ data->state.upload) { + httpreq = HTTPREQ_PUT; + } + +@@ -2261,7 +2261,7 @@ CURLcode Curl_http(struct connectdata *c + if((conn->handler->protocol & PROTO_FAMILY_HTTP) && + (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) && + http->postsize < 0) || +- ((data->set.upload || httpreq == HTTPREQ_POST) && ++ ((data->state.upload || httpreq == HTTPREQ_POST) && + data->state.infilesize == -1))) { + if(conn->bits.authneg) + /* don't enable chunked during auth neg */ +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1469,11 +1469,11 @@ static CURLcode imap_done(struct connect + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && !imap->custom && +- (imap->uid || imap->mindex || data->set.upload || ++ (imap->uid || imap->mindex || data->state.upload || + data->set.mimepost.kind != MIMEKIND_NONE)) { + /* Handle responses after FETCH or APPEND transfer has finished */ + +- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE) ++ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE) + state(conn, IMAP_FETCH_FINAL); + else { + /* End the APPEND command first by sending an empty line */ +@@ -1539,7 +1539,7 @@ static CURLcode imap_perform(struct conn + selected = TRUE; + + /* Start the first command in the DO phase */ +- if(conn->data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE) ++ if(conn->data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE) + /* APPEND can be executed directly */ + result = imap_perform_append(conn); + else if(imap->custom && (selected || !imap->mailbox)) +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -499,7 +499,7 @@ static CURLcode rtsp_do(struct connectda + rtspreq == RTSPREQ_SET_PARAMETER || + rtspreq == RTSPREQ_GET_PARAMETER) { + +- if(data->set.upload) { ++ if(data->state.upload) { + putsize = data->state.infilesize; + data->set.httpreq = HTTPREQ_PUT; + +@@ -518,7 +518,7 @@ static CURLcode rtsp_do(struct connectda + result = + Curl_add_bufferf(&req_buffer, + "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n", +- (data->set.upload ? putsize : postsize)); ++ (data->state.upload ? putsize : postsize)); + if(result) + return result; + } +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -258,8 +258,8 @@ CURLcode Curl_vsetopt(struct Curl_easy * + * We want to sent data to the remote host. If this is HTTP, that equals + * using the PUT request. + */ +- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE; +- if(data->set.upload) { ++ arg = va_arg(param, long); ++ if(arg) { + /* If this is HTTP, PUT is what's needed to "upload" */ + data->set.httpreq = HTTPREQ_PUT; + data->set.opt_no_body = FALSE; /* this is implied */ +@@ -486,7 +486,6 @@ CURLcode Curl_vsetopt(struct Curl_easy * + } + else + data->set.httpreq = HTTPREQ_GET; +- data->set.upload = FALSE; + break; + + case CURLOPT_COPYPOSTFIELDS: +@@ -797,7 +796,6 @@ CURLcode Curl_vsetopt(struct Curl_easy * + */ + if(va_arg(param, long)) { + data->set.httpreq = HTTPREQ_GET; +- data->set.upload = FALSE; /* switch off upload */ + data->set.opt_no_body = FALSE; /* this is implied */ + } + break; +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -516,7 +516,7 @@ static CURLcode smb_send_open(struct con + byte_count = strlen(req->path); + msg.name_length = smb_swap16((unsigned short)byte_count); + msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL); +- if(conn->data->set.upload) { ++ if(conn->data->state.upload) { + msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE); + msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF); + } +@@ -792,7 +792,7 @@ static CURLcode smb_request_state(struct + smb_m = (const struct smb_nt_create_response*) msg; + req->fid = smb_swap16(smb_m->fid); + conn->data->req.offset = 0; +- if(conn->data->set.upload) { ++ if(conn->data->state.upload) { + conn->data->req.size = conn->data->state.infilesize; + Curl_pgrsSetUploadSize(conn->data, conn->data->req.size); + next_state = SMB_UPLOAD; +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1210,7 +1210,7 @@ static CURLcode smtp_done(struct connect + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && data->set.mail_rcpt && +- (data->set.upload || data->set.mimepost.kind)) { ++ (data->state.upload || data->set.mimepost.kind)) { + /* Calculate the EOB taking into account any terminating CRLF from the + previous line of the email or the CRLF of the DATA command when there + is "no mail data". RFC-5321, sect. 4.1.1.4. +@@ -1297,7 +1297,7 @@ static CURLcode smtp_perform(struct conn + smtp->eob = 2; + + /* Start the first command in the DO phase */ +- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt) ++ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt) + /* MAIL transfer */ + result = smtp_perform_mail(conn); + else +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -390,7 +390,7 @@ static CURLcode tftp_parse_option_ack(tf + + /* tsize should be ignored on upload: Who cares about the size of the + remote file? */ +- if(!data->set.upload) { ++ if(!data->state.upload) { + if(!tsize) { + failf(data, "invalid tsize -:%s:- value in OACK packet", value); + return CURLE_TFTP_ILLEGAL; +@@ -470,7 +470,7 @@ static CURLcode tftp_send_first(tftp_sta + return result; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + /* If we are uploading, send an WRQ */ + setpacketevent(&state->spacket, TFTP_EVENT_WRQ); + state->conn->data->req.upload_fromhere = +@@ -505,7 +505,7 @@ static CURLcode tftp_send_first(tftp_sta + if(!data->set.tftp_no_options) { + char buf[64]; + /* add tsize option */ +- if(data->set.upload && (data->state.infilesize != -1)) ++ if(data->state.upload && (data->state.infilesize != -1)) + msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T, + data->state.infilesize); + else +@@ -559,7 +559,7 @@ static CURLcode tftp_send_first(tftp_sta + break; + + case TFTP_EVENT_OACK: +- if(data->set.upload) { ++ if(data->state.upload) { + result = tftp_connect_for_tx(state, event); + } + else { +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1405,6 +1405,7 @@ void Curl_init_CONNECT(struct Curl_easy + { + data->state.fread_func = data->set.fread_func_set; + data->state.in = data->set.in_set; ++ data->state.upload = (data->set.httpreq == HTTPREQ_PUT); + } + + /* +@@ -1816,7 +1817,7 @@ CURLcode Curl_retry_request(struct conne + + /* if we're talking upload, we can't do the checks below, unless the protocol + is HTTP as when uploading over HTTP we will still get a response */ +- if(data->set.upload && ++ if(data->state.upload && + !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP))) + return CURLE_OK; + +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1427,6 +1427,7 @@ struct UrlState { + BIT(stream_depends_e); /* set or don't set the Exclusive bit */ + BIT(previouslypending); /* this transfer WAS in the multi->pending queue */ + BIT(cookie_engine); ++ BIT(upload); /* upload request */ + }; + + +@@ -1762,7 +1763,6 @@ struct UserDefined { + BIT(http_auto_referer); /* set "correct" referer when following + location: */ + BIT(opt_no_body); /* as set with CURLOPT_NOBODY */ +- BIT(upload); /* upload request */ + BIT(verbose); /* output verbosity */ + BIT(krb); /* Kerberos connection requested */ + BIT(reuse_forbid); /* forbidden to be reused, close after use */ +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -1076,7 +1076,7 @@ static CURLcode myssh_statemach_act(stru + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(conn, SSH_SFTP_UPLOAD_INIT); + else { + if(protop->path[strlen(protop->path)-1] == '/') +@@ -1686,7 +1686,7 @@ static CURLcode myssh_statemach_act(stru + /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */ + ssh_set_blocking(sshc->ssh_session, 1); + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -1787,7 +1787,7 @@ static CURLcode myssh_statemach_act(stru + break; + } + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(conn, SSH_SCP_SEND_EOF); + else + state(conn, SSH_SCP_CHANNEL_FREE); +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -1664,7 +1664,7 @@ static CURLcode ssh_statemach_act(struct + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(conn, SSH_SFTP_UPLOAD_INIT); + else { + if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/') +@@ -2366,7 +2366,7 @@ static CURLcode ssh_statemach_act(struct + break; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -2504,7 +2504,7 @@ static CURLcode ssh_statemach_act(struct + break; + + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(conn, SSH_SCP_SEND_EOF); + else + state(conn, SSH_SCP_CHANNEL_FREE); diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 0141b780ee..82b07bc554 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -55,6 +55,8 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2023-32001.patch \ file://CVE-2023-38545.patch \ file://CVE-2023-38546.patch \ + file://CVE-2023-28321.patch \ + file://CVE-2023-28322.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" From patchwork Tue Nov 28 22:52:33 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35322 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8A101C4167B for ; Tue, 28 Nov 2023 22:53:07 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web10.10166.1701211980766257077 for ; Tue, 28 Nov 2023 14:53:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=X71q39NX; spf=softfail (domain: sakoman.com, ip: 209.85.210.169, mailfrom: steve@sakoman.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-6cbe5b6ec62so4926716b3a.1 for ; Tue, 28 Nov 2023 14:53:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211979; x=1701816779; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=c6/zveR1Rml0nD2PiBemrG+ZgQlizFCfVkJH4uQMySI=; b=X71q39NXmcJ8prBe7EhmPvJnKO8g+BHMOnizlHJiqUybKbdam0e5HR+x0OoacTKkaa 5uRof21peRKxEhJptt9gIBgLV1q5nkPXqolsBro6BawZYRrW7+/of54/CbrPOtrUwX0p 1V6kmJh2ux/1gNkJpyG4OtDnmOfS0rZiNoIozsep+6/qgbHifNExaA2p6hitUly7BrFk 2dKuxGRlCCeBtuKeV/mtTDIywit3MnhiiHufNX2c4uTuJybavKYIou07qWj8ebqVCJJm MvmQnxa2UQAaqHSAGBHRSGN8Vrf4sEm3e7zxZXfjiRqgbeKKxT7szOT3Uwa8pznOP5Fx Tb3A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211979; x=1701816779; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=c6/zveR1Rml0nD2PiBemrG+ZgQlizFCfVkJH4uQMySI=; b=XFL80wguHzv3MQKzjCrJ5v/ZXkQCDjA1ma2goPOTUDToaTjP/wy/857BGvqu85QrrG ZyiplGxwlz+Ytyta3/cRz2vmIkU4+6jD3Q6vu5gRPRrtZzNogSc/7rTt9btHcICwfvwD er3VdpM0F5j8P7aV9hf4rog2fQVteObkIsoBBItbLbiZArrztvR5kl3hkpkFrwMX4zvr XdbyS7Y8BemwC9kTkIkYYgOJIuKFe3RNbeFnF2UC3/8eLXecbai5XfOFI5i0en0yRb37 AZh6+k9ff7ct5VPNq3ply0YpkAs1FhEq6YWjncugNTbwSnEPIZXDEOLw040f4+5XHAp/ bWVQ== X-Gm-Message-State: AOJu0YzKuy0QlT5Suv2ZR8k3o5bhxs40eFmXzAKqRIZsu0dyArMP9n1T xicsNmjo9ewKD49PrkV/+eK9vBl5ygdLMOH2KoZijg== X-Google-Smtp-Source: AGHT+IHZU11eWfjIxVraAWD3qQxeSmafJukFc1DUCNbACKmp90ncMptYwnnnELj4DpBJlT3Edhr0rQ== X-Received: by 2002:a05:6a20:d48b:b0:18b:8fd9:5ad4 with SMTP id im11-20020a056a20d48b00b0018b8fd95ad4mr17677403pzb.10.1701211979427; Tue, 28 Nov 2023 14:52:59 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.52.58 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:52:59 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 06/13] bind: Backport fix for CVE-2023-3341 Date: Tue, 28 Nov 2023 12:52:33 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:53:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191401 From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../bind/bind/CVE-2023-3341.patch | 175 ++++++++++++++++++ .../recipes-connectivity/bind/bind_9.11.37.bb | 1 + 2 files changed, 176 insertions(+) create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch new file mode 100644 index 0000000000..be479cb00e --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch @@ -0,0 +1,175 @@ +From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 20 Jun 2023 15:21:36 +1000 +Subject: [PATCH] Limit isccc_cc_fromwire recursion depth + +Named and rndc do not need a lot of recursion so the depth is +set to 10. + +Taken from BIND 9.16.44 change. + +Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71] +CVE: CVE-2023-3341 +Signed-off-by: Vijay Anusuri +--- + lib/isccc/cc.c | 38 +++++++++++++++++++++++--------- + lib/isccc/include/isccc/result.h | 4 +++- + lib/isccc/result.c | 4 +++- + 3 files changed, 34 insertions(+), 12 deletions(-) + +diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c +index e012685..8eac3d6 100644 +--- a/lib/isccc/cc.c ++++ b/lib/isccc/cc.c +@@ -53,6 +53,10 @@ + + #define MAX_TAGS 256 + #define DUP_LIFETIME 900 ++#ifndef ISCCC_MAXDEPTH ++#define ISCCC_MAXDEPTH \ ++ 10 /* Big enough for rndc which just sends a string each way. */ ++#endif + + typedef isccc_sexpr_t *sexpr_ptr; + +@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, + + static isc_result_t + table_fromwire(isccc_region_t *source, isccc_region_t *secret, +- uint32_t algorithm, isccc_sexpr_t **alistp); ++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp); + + static isc_result_t +-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp); ++list_fromwire(isccc_region_t *source, unsigned int depth, ++ isccc_sexpr_t **listp); + + static isc_result_t +-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { ++value_fromwire(isccc_region_t *source, unsigned int depth, ++ isccc_sexpr_t **valuep) { + unsigned int msgtype; + uint32_t len; + isccc_sexpr_t *value; + isccc_region_t active; + isc_result_t result; + ++ if (depth > ISCCC_MAXDEPTH) { ++ return (ISCCC_R_MAXDEPTH); ++ } ++ + if (REGION_SIZE(*source) < 1 + 4) + return (ISC_R_UNEXPECTEDEND); + GET8(msgtype, source->rstart); +@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { + } else + result = ISC_R_NOMEMORY; + } else if (msgtype == ISCCC_CCMSGTYPE_TABLE) +- result = table_fromwire(&active, NULL, 0, valuep); ++ result = table_fromwire(&active, NULL, 0, depth + 1, valuep); + else if (msgtype == ISCCC_CCMSGTYPE_LIST) +- result = list_fromwire(&active, valuep); ++ result = list_fromwire(&active, depth + 1, valuep); + else + result = ISCCC_R_SYNTAX; + +@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { + + static isc_result_t + table_fromwire(isccc_region_t *source, isccc_region_t *secret, +- uint32_t algorithm, isccc_sexpr_t **alistp) ++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) + { + char key[256]; + uint32_t len; +@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, + + REQUIRE(alistp != NULL && *alistp == NULL); + ++ if (depth > ISCCC_MAXDEPTH) { ++ return (ISCCC_R_MAXDEPTH); ++ } ++ + checksum_rstart = NULL; + first_tag = true; + alist = isccc_alist_create(); +@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, + GET_MEM(key, len, source->rstart); + key[len] = '\0'; /* Ensure NUL termination. */ + value = NULL; +- result = value_fromwire(source, &value); ++ result = value_fromwire(source, depth + 1, &value); + if (result != ISC_R_SUCCESS) + goto bad; + if (isccc_alist_define(alist, key, value) == NULL) { +@@ -661,14 +675,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, + } + + static isc_result_t +-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) { ++list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) { + isccc_sexpr_t *list, *value; + isc_result_t result; + ++ if (depth > ISCCC_MAXDEPTH) { ++ return (ISCCC_R_MAXDEPTH); ++ } ++ + list = NULL; + while (!REGION_EMPTY(*source)) { + value = NULL; +- result = value_fromwire(source, &value); ++ result = value_fromwire(source, depth + 1, &value); + if (result != ISC_R_SUCCESS) { + isccc_sexpr_free(&list); + return (result); +@@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp, + if (version != 1) + return (ISCCC_R_UNKNOWNVERSION); + +- return (table_fromwire(source, secret, algorithm, alistp)); ++ return (table_fromwire(source, secret, algorithm, 0, alistp)); + } + + static isc_result_t +diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h +index 6c79dd7..a85861c 100644 +--- a/lib/isccc/include/isccc/result.h ++++ b/lib/isccc/include/isccc/result.h +@@ -47,8 +47,10 @@ + #define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4) + /*% Duplicate */ + #define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5) ++/*% Maximum recursion depth */ ++#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6) + +-#define ISCCC_R_NRESULTS 6 /*%< Number of results */ ++#define ISCCC_R_NRESULTS 7 /*%< Number of results */ + + ISC_LANG_BEGINDECLS + +diff --git a/lib/isccc/result.c b/lib/isccc/result.c +index 8419bbb..325200b 100644 +--- a/lib/isccc/result.c ++++ b/lib/isccc/result.c +@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = { + "bad auth", /* 3 */ + "expired", /* 4 */ + "clock skew", /* 5 */ +- "duplicate" /* 6 */ ++ "duplicate", /* 6 */ ++ "max depth", /* 7 */ + }; + + static const char *ids[ISCCC_R_NRESULTS] = { +@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = { + "ISCCC_R_EXPIRED", + "ISCCC_R_CLOCKSKEW", + "ISCCC_R_DUPLICATE", ++ "ISCCC_R_MAXDEPTH", + }; + + #define ISCCC_RESULT_RESULTSET 2 +-- +2.25.1 + diff --git a/meta/recipes-connectivity/bind/bind_9.11.37.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb index 80fbcbfa36..95bb5be005 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.37.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb @@ -23,6 +23,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2022-38177.patch \ file://CVE-2022-38178.patch \ file://CVE-2023-2828.patch \ + file://CVE-2023-3341.patch \ " SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff" From patchwork Tue Nov 28 22:52:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35326 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A073FC07CA9 for ; Tue, 28 Nov 2023 22:53:07 +0000 (UTC) Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) by mx.groups.io with SMTP id smtpd.web11.10460.1701211982844887214 for ; Tue, 28 Nov 2023 14:53:02 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=YZAF38K2; spf=softfail (domain: sakoman.com, ip: 209.85.216.50, mailfrom: steve@sakoman.com) Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-285949d46d0so238116a91.0 for ; Tue, 28 Nov 2023 14:53:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211982; x=1701816782; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=lp8qchRZ/4puxHda9HIagGMFnSP+B4wpcTLJXQngEaY=; b=YZAF38K2O97nE3tw23qaW/laVWezmo8Kjvg+KZ18X2oQVbcChF11yrPSeyzKDHPGxU C8GCKNO8S4i7H9YoZjz1m6PT8TJsWvGuhZB+j13w8Dbw1SsB+b7ZU5BRR2+BWfml9Dwm wItgatGF1OYQdFMkmz3eH8Tid8J+jZKmtRk7i0x3XVCEs9n8iv5P9p6qtPeM2A0V43oz JeIz1hg7CVyjMVctqeQz3Mxmg1sMGk4y8GnvX8fV87vF1yoZo77umw4yQFnZMPQZbKK3 lkoBQ402qa1S4RgLOi9yUMTPzS0TNJ+aTKSp1yRY69BlZLSf2cFMoVvDJNAFlF+uUDRT lUDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211982; x=1701816782; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lp8qchRZ/4puxHda9HIagGMFnSP+B4wpcTLJXQngEaY=; b=V/5PxGwNxg1cQhCAtT1F6qQcwiolQHdN4V0BJUtoD2GMvNX94fiPVSSKlxPcZig59n UT0dqbysPz+LgMXvnYFuk9Wsq4fogJkgRBQge1cfDrGPnEZQE/7PUI7DQbO01nCXFhI9 m+nRVHTSqDlEZXctaxL9w9y5QJa/gR6tmRzhtJ2dhU6WqAkIX2912WhAtG28080hCQ2/ XEm8Nnb9+WhT6I5cM+FoHy7k2K4QR21gxWZeOnEpZ/dqh+DV7MxcY9a+z4AzCrqfqAtc z4Fu9npclMwiLMuWY8EVYrWYf6rJlDoq9NJ5TBnZWtW7ucgYeRlZV92ZBwVsPwfCTos1 GXkQ== X-Gm-Message-State: AOJu0YyxBXxIUsw8IHQwJz1XvO5NDSW0qqbflRWOHvYEM+tM/I16/5GW JDHRwCKuumsggtDNSpvAwDJ70B4JH/QPgxltI+r3Uw== X-Google-Smtp-Source: AGHT+IETpiolyi+wJxOtRku6E/DVFU6RjxGVeAK6UR/oSrBEgD4YO/t/91YVdpef7TUr7d9XvV6PNw== X-Received: by 2002:a17:90b:3e8d:b0:285:93d4:16c with SMTP id rj13-20020a17090b3e8d00b0028593d4016cmr21045437pjb.20.1701211981363; Tue, 28 Nov 2023 14:53:01 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.53.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:53:01 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 07/13] avahi: backport Debian patches to fix multiple CVE's Date: Tue, 28 Nov 2023 12:52:34 -1000 Message-Id: <4771e335cd4d95e734d7f07a718319f4543ce2f1.1701210903.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:53:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191402 From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-1981 CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/focal-security Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f & https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf & https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237 & https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c & https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24 & https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09 & https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460 & https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40 & https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- meta/recipes-connectivity/avahi/avahi.inc | 9 ++ .../avahi/files/CVE-2023-1981.patch | 60 ++++++++++ .../avahi/files/CVE-2023-38469-1.patch | 48 ++++++++ .../avahi/files/CVE-2023-38469-2.patch | 65 +++++++++++ .../avahi/files/CVE-2023-38470-1.patch | 57 +++++++++ .../avahi/files/CVE-2023-38470-2.patch | 53 +++++++++ .../avahi/files/CVE-2023-38471-1.patch | 73 ++++++++++++ .../avahi/files/CVE-2023-38471-2.patch | 52 +++++++++ .../avahi/files/CVE-2023-38472.patch | 45 ++++++++ .../avahi/files/CVE-2023-38473.patch | 109 ++++++++++++++++++ 10 files changed, 571 insertions(+) create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc index 25bb41b738..e1dfc7a861 100644 --- a/meta/recipes-connectivity/avahi/avahi.inc +++ b/meta/recipes-connectivity/avahi/avahi.inc @@ -22,6 +22,15 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \ file://fix-CVE-2017-6519.patch \ file://CVE-2021-3468.patch \ + file://CVE-2023-1981.patch \ + file://CVE-2023-38469-1.patch \ + file://CVE-2023-38469-2.patch \ + file://CVE-2023-38470-1.patch \ + file://CVE-2023-38470-2.patch \ + file://CVE-2023-38471-1.patch \ + file://CVE-2023-38471-2.patch \ + file://CVE-2023-38472.patch \ + file://CVE-2023-38473.patch \ " UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/" diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch new file mode 100644 index 0000000000..1209864402 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch @@ -0,0 +1,60 @@ +Backport of: + +From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 17 Nov 2022 01:51:53 +0100 +Subject: [PATCH] Emit error if requested service is not found + +It currently just crashes instead of replying with error. Check return +value and emit error instead of passing NULL pointer to reply. + +Fixes #375 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/focal-security +Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f] +CVE: CVE-2023-1981 +Signed-off-by: Vijay Anusuri +--- + avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/avahi-daemon/dbus-protocol.c ++++ b/avahi-daemon/dbus-protocol.c +@@ -391,10 +391,14 @@ static DBusHandlerResult msg_server_impl + } + + t = avahi_alternative_host_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); +- +- return DBUS_HANDLER_RESULT_HANDLED; ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); ++ ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found"); ++ } + + } else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "GetAlternativeServiceName")) { + char *n, *t; +@@ -405,10 +409,14 @@ static DBusHandlerResult msg_server_impl + } + + t = avahi_alternative_service_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); +- +- return DBUS_HANDLER_RESULT_HANDLED; ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); ++ ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found"); ++ } + + } else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "EntryGroupNew")) { + Client *client; diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch new file mode 100644 index 0000000000..12dad9ef6f --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch @@ -0,0 +1,48 @@ +From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Mon, 23 Oct 2023 20:29:31 +0000 +Subject: [PATCH] core: reject overly long TXT resource records + +Closes https://github.com/lathiat/avahi/issues/455 + +CVE-2023-38469 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-1.patch?h=ubuntu/focal-security +Upstream commit https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf] +CVE: CVE-2023-38469 +Signed-off-by: Vijay Anusuri +--- + avahi-core/rr.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +Index: avahi-0.7/avahi-core/rr.c +=================================================================== +--- avahi-0.7.orig/avahi-core/rr.c ++++ avahi-0.7/avahi-core/rr.c +@@ -32,6 +32,7 @@ + #include + #include + ++#include "dns.h" + #include "rr.h" + #include "log.h" + #include "util.h" +@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r + case AVAHI_DNS_TYPE_TXT: { + + AvahiStringList *strlst; ++ size_t used = 0; + +- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) ++ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) { + if (strlst->size > 255 || strlst->size <= 0) + return 0; + ++ used += 1+strlst->size; ++ if (used > AVAHI_DNS_RDATA_MAX) ++ return 0; ++ } ++ + return 1; + } + } diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch new file mode 100644 index 0000000000..a62c718ebe --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch @@ -0,0 +1,65 @@ +From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Wed, 25 Oct 2023 18:15:42 +0000 +Subject: [PATCH] tests: pass overly long TXT resource records + +to make sure they don't crash avahi any more. +It reproduces https://github.com/lathiat/avahi/issues/455 + +Canonical notes: +nickgalanis> removed first hunk since there is no .github dir in this release + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/focal-security +Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237] +CVE: CVE-2023-38469 +Signed-off-by: Vijay Anusuri +--- + avahi-client/client-test.c | 14 ++++++++++++++ + 1 files changed, 14 insertions(+) + +Index: avahi-0.7/avahi-client/client-test.c +=================================================================== +--- avahi-0.7.orig/avahi-client/client-test.c ++++ avahi-0.7/avahi-client/client-test.c +@@ -22,6 +22,7 @@ + #endif + + #include ++#include + #include + + #include +@@ -33,6 +34,8 @@ + #include + #include + ++#include ++ + static const AvahiPoll *poll_api = NULL; + static AvahiSimplePoll *simple_poll = NULL; + +@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA + uint32_t cookie; + struct timeval tv; + AvahiAddress a; ++ uint8_t rdata[AVAHI_DNS_RDATA_MAX+1]; ++ AvahiStringList *txt = NULL; ++ int r; + + simple_poll = avahi_simple_poll_new(); + poll_api = avahi_simple_poll_get(simple_poll); +@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA + printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL))); + printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6)); + ++ memset(rdata, 1, sizeof(rdata)); ++ r = avahi_string_list_parse(rdata, sizeof(rdata), &txt); ++ assert(r >= 0); ++ assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata)); ++ error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt); ++ assert(error == AVAHI_ERR_INVALID_RECORD); ++ avahi_string_list_free(txt); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch new file mode 100644 index 0000000000..82fb1ab40b --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch @@ -0,0 +1,57 @@ +From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Tue, 11 Apr 2023 15:29:59 +0200 +Subject: [PATCH] Ensure each label is at least one byte long + +The only allowed exception is single dot, where it should return empty +string. + +Fixes #454. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-1.patch?h=ubuntu/focal-security +Upstream commit https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c] +CVE: CVE-2023-38470 +Signed-off-by: Vijay Anusuri +--- + avahi-common/domain-test.c | 14 ++++++++++++++ + avahi-common/domain.c | 2 +- + 2 files changed, 15 insertions(+), 1 deletion(-) + +Index: avahi-0.7/avahi-common/domain-test.c +=================================================================== +--- avahi-0.7.orig/avahi-common/domain-test.c ++++ avahi-0.7/avahi-common/domain-test.c +@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH + printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo.")); + avahi_free(s); + ++ printf("%s\n", s = avahi_normalize_name_strdup(".")); ++ avahi_free(s); ++ ++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}." ++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}" ++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`" ++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?." ++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}." ++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?" ++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM." ++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?." ++ "}.?.?.?.}.=.?.?.}"); ++ assert(s == NULL); ++ + printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff")); + printf("%i\n", avahi_domain_equal("A", "a")); + +Index: avahi-0.7/avahi-common/domain.c +=================================================================== +--- avahi-0.7.orig/avahi-common/domain.c ++++ avahi-0.7/avahi-common/domain.c +@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s + } + + if (!empty) { +- if (size < 1) ++ if (size < 2) + return NULL; + + *(r++) = '.'; diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch new file mode 100644 index 0000000000..403ed6fd6a --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch @@ -0,0 +1,53 @@ +From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Tue, 19 Sep 2023 03:21:25 +0000 +Subject: [PATCH] [common] bail out when escaped labels can't fit into ret + +Fixes: +``` +==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8 +READ of size 1110 at 0x7f9e76f14c16 thread T0 + #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba) + #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12 + #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12 +``` +and +``` +fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed. +==101571== ERROR: libFuzzer: deadly signal + #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) + #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) + #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) + #3 0x7f1581d7ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9 +``` + +It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security +Upstream commit https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24] +CVE: CVE-2023-38470 #Follow-up patch +Signed-off-by: Vijay Anusuri +--- + avahi-common/domain.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: avahi-0.7/avahi-common/domain.c +=================================================================== +--- avahi-0.7.orig/avahi-common/domain.c ++++ avahi-0.7/avahi-common/domain.c +@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s + } else + empty = 0; + +- avahi_escape_label(label, strlen(label), &r, &size); ++ if (!(avahi_escape_label(label, strlen(label), &r, &size))) ++ return NULL; + } + + return ret_s; diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch new file mode 100644 index 0000000000..c8d6a66174 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch @@ -0,0 +1,73 @@ +From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 23 Oct 2023 13:38:35 +0200 +Subject: [PATCH] core: extract host name using avahi_unescape_label() + +Previously we could create invalid escape sequence when we split the +string on dot. For example, from valid host name "foo\\.bar" we have +created invalid name "foo\\" and tried to set that as the host name +which crashed the daemon. + +Fixes #453 + +CVE-2023-38471 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/focal-security +Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09] +CVE: CVE-2023-38471 +Signed-off-by: Vijay Anusuri +--- + avahi-core/server.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +Index: avahi-0.7/avahi-core/server.c +=================================================================== +--- avahi-0.7.orig/avahi-core/server.c ++++ avahi-0.7/avahi-core/server.c +@@ -1253,7 +1253,11 @@ static void update_fqdn(AvahiServer *s) + } + + int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { +- char *hn = NULL; ++ char label_escaped[AVAHI_LABEL_MAX*4+1]; ++ char label[AVAHI_LABEL_MAX]; ++ char *hn = NULL, *h; ++ size_t len; ++ + assert(s); + + AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); +@@ -1263,17 +1267,28 @@ int avahi_server_set_host_name(AvahiServ + else + hn = avahi_normalize_name_strdup(host_name); + +- hn[strcspn(hn, ".")] = 0; ++ h = hn; ++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { ++ avahi_free(h); ++ return AVAHI_ERR_INVALID_HOST_NAME; ++ } ++ ++ avahi_free(h); + +- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { +- avahi_free(hn); ++ h = label_escaped; ++ len = sizeof(label_escaped); ++ if (!avahi_escape_label(label, strlen(label), &h, &len)) ++ return AVAHI_ERR_INVALID_HOST_NAME; ++ ++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); +- } + + withdraw_host_rrs(s); + + avahi_free(s->host_name); +- s->host_name = hn; ++ s->host_name = avahi_strdup(label_escaped); ++ if (!s->host_name) ++ return AVAHI_ERR_NO_MEMORY; + + update_fqdn(s); + diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch new file mode 100644 index 0000000000..a789b144ed --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch @@ -0,0 +1,52 @@ +From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Tue, 24 Oct 2023 22:04:51 +0000 +Subject: [PATCH] core: return errors from avahi_server_set_host_name properly + +It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security +Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460] +CVE: CVE-2023-38471 #Follow-up Patch +Signed-off-by: Vijay Anusuri +--- + avahi-core/server.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +Index: avahi-0.7/avahi-core/server.c +=================================================================== +--- avahi-0.7.orig/avahi-core/server.c ++++ avahi-0.7/avahi-core/server.c +@@ -1267,10 +1267,13 @@ int avahi_server_set_host_name(AvahiServ + else + hn = avahi_normalize_name_strdup(host_name); + ++ if (!hn) ++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY); ++ + h = hn; + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { + avahi_free(h); +- return AVAHI_ERR_INVALID_HOST_NAME; ++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME); + } + + avahi_free(h); +@@ -1278,7 +1281,7 @@ int avahi_server_set_host_name(AvahiServ + h = label_escaped; + len = sizeof(label_escaped); + if (!avahi_escape_label(label, strlen(label), &h, &len)) +- return AVAHI_ERR_INVALID_HOST_NAME; ++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME); + + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); +@@ -1288,7 +1291,7 @@ int avahi_server_set_host_name(AvahiServ + avahi_free(s->host_name); + s->host_name = avahi_strdup(label_escaped); + if (!s->host_name) +- return AVAHI_ERR_NO_MEMORY; ++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY); + + update_fqdn(s); + diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch new file mode 100644 index 0000000000..f49d990a42 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch @@ -0,0 +1,45 @@ +From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 19 Oct 2023 17:36:44 +0200 +Subject: [PATCH] core: make sure there is rdata to process before parsing it + +Fixes #452 + +CVE-2023-38472 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/focal-security +Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40] +CVE: CVE-2023-38472 +Signed-off-by: Vijay Anusuri +--- + avahi-client/client-test.c | 3 +++ + avahi-daemon/dbus-entry-group.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +Index: avahi-0.7/avahi-client/client-test.c +=================================================================== +--- avahi-0.7.orig/avahi-client/client-test.c ++++ avahi-0.7/avahi-client/client-test.c +@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA + assert(error == AVAHI_ERR_INVALID_RECORD); + avahi_string_list_free(txt); + ++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); ++ assert(error != AVAHI_OK); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); +Index: avahi-0.7/avahi-daemon/dbus-entry-group.c +=================================================================== +--- avahi-0.7.orig/avahi-daemon/dbus-entry-group.c ++++ avahi-0.7/avahi-daemon/dbus-entry-group.c +@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g + if (!(r = avahi_record_new_full (name, clazz, type, ttl))) + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL); + +- if (avahi_rdata_parse (r, rdata, size) < 0) { ++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) { + avahi_record_unref (r); + return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL); + } diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch new file mode 100644 index 0000000000..59f6806c85 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch @@ -0,0 +1,109 @@ +From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 11 Oct 2023 17:45:44 +0200 +Subject: [PATCH] common: derive alternative host name from its unescaped + version + +Normalization of input makes sure we don't have to deal with special +cases like unescaped dot at the end of label. + +Fixes #451 #487 +CVE-2023-38473 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38473.patch?h=ubuntu/focal-security +Upstream commit https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797] +CVE: CVE-2023-38473 +Signed-off-by: Vijay Anusuri +--- + avahi-common/alternative-test.c | 3 +++ + avahi-common/alternative.c | 27 +++++++++++++++++++-------- + 2 files changed, 22 insertions(+), 8 deletions(-) + +Index: avahi-0.7/avahi-common/alternative-test.c +=================================================================== +--- avahi-0.7.orig/avahi-common/alternative-test.c ++++ avahi-0.7/avahi-common/alternative-test.c +@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH + const char* const test_strings[] = { + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", ++ ").", ++ "\\.", ++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", + "gurke", + "-", + " #", +Index: avahi-0.7/avahi-common/alternative.c +=================================================================== +--- avahi-0.7.orig/avahi-common/alternative.c ++++ avahi-0.7/avahi-common/alternative.c +@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c + } + + char *avahi_alternative_host_name(const char *s) { ++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; ++ char *alt, *r, *ret; + const char *e; +- char *r; ++ size_t len; + + assert(s); + + if (!avahi_is_valid_host_name(s)) + return NULL; + +- if ((e = strrchr(s, '-'))) { ++ if (!avahi_unescape_label(&s, label, sizeof(label))) ++ return NULL; ++ ++ if ((e = strrchr(label, '-'))) { + const char *p; + + e++; +@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const + + if (e) { + char *c, *m; +- size_t l; + int n; + + n = atoi(e)+1; + if (!(m = avahi_strdup_printf("%i", n))) + return NULL; + +- l = e-s-1; ++ len = e-label-1; + +- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) +- l = AVAHI_LABEL_MAX-1-strlen(m)-1; ++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) ++ len = AVAHI_LABEL_MAX-1-strlen(m)-1; + +- if (!(c = avahi_strndup(s, l))) { ++ if (!(c = avahi_strndup(label, len))) { + avahi_free(m); + return NULL; + } +@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const + } else { + char *c; + +- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) ++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) + return NULL; + + drop_incomplete_utf8(c); +@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const + avahi_free(c); + } + ++ alt = alternative; ++ len = sizeof(alternative); ++ ret = avahi_escape_label(r, strlen(r), &alt, &len); ++ ++ avahi_free(r); ++ r = avahi_strdup(ret); ++ + assert(avahi_is_valid_host_name(r)); + + return r; From patchwork Tue Nov 28 22:52:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35324 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A66FAC46CA0 for ; Tue, 28 Nov 2023 22:53:07 +0000 (UTC) Received: from mail-pg1-f178.google.com (mail-pg1-f178.google.com [209.85.215.178]) by mx.groups.io with SMTP id smtpd.web11.10462.1701211984246474743 for ; Tue, 28 Nov 2023 14:53:04 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=G8GzfYiI; spf=softfail (domain: sakoman.com, ip: 209.85.215.178, mailfrom: steve@sakoman.com) Received: by mail-pg1-f178.google.com with SMTP id 41be03b00d2f7-5c5f0e325a6so649965a12.1 for ; Tue, 28 Nov 2023 14:53:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211983; x=1701816783; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=WHKxngkCkOR7Bdy9eVtfTzUuPYOkDGk2B9u0KGl3PPQ=; b=G8GzfYiIyJJSfKFUKtzQVeJoXqh0mRff//PmoHuhAU/ekE2geCsP8AryOVHZ6dW+zQ SQpoSypPD+i22xkqxPZPQGqPSsf6YNBg6DsORpqDo9YyUPv7PjrNtI4YZ4CAvpCv1M2X 9nDQsrtg4K/qqIayswha4WDRT869tIYgeXS9i9WvnoQCqPUoqix/T4xln+j/RV8+llDo ksg0WjUM7yd8tXHjA5QpU3z74HkyqgwMozRSlMPG6kzXJG44dWdVclolD26yT1YsCh8c pIz3mPkeGmbcBMkMbm76xX1ltxSoh9qst8qpe4C6GwEQcZMHaLklQeMI/ui86ggPfMGa TOEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211983; x=1701816783; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WHKxngkCkOR7Bdy9eVtfTzUuPYOkDGk2B9u0KGl3PPQ=; b=Uc99WiZuV6iy8qujZSyeicJeYeRwANxIF6CKiS/hSDEohqjUfgogakOodV+lIMOWL+ t4rQXNhX6NYpnIpnh8OOi1ziqHXw/fSATw24Vk4RlU99+OWW2Kwhganqs5yagPGz9Fjx FHnlpOrP8TpRXbhdvSWcBRjJ88wfU7pvmozUzcUzsoj0ebkt7of6gfcG/ULsNKBOFpYb xVjlNGeHgqQQnwSX/TAnqoaii3R3W+k+T9ZcyjmaMkoL4mqzZHR/rPXs62e8m1+l1/+A d+7gowE7MUqkQ9Y6CnKww0sJoEayG1ZcXnswh2DWj7iRkXFB7AqsOPpu+jUglttwxxeY 32FQ== X-Gm-Message-State: AOJu0Yyemy+onE+EJJfYMmdzUCNj0wxzf97Ds7Qb9Iw3hWnRNuHZaoQ/ JbK/OBHLXrjhPpn3C8jjrp2B5ZL+QZU+CKrXjGhbzA== X-Google-Smtp-Source: AGHT+IG6i8D6+fGjN71YQb4WdB+rd6VLQC/UI/3a2ihDmN/Dho2fTfH+EtmEZTuhdW1YeNtpuMZ4ag== X-Received: by 2002:a17:90b:4f48:b0:285:bb77:1f79 with SMTP id pj8-20020a17090b4f4800b00285bb771f79mr9437269pjb.30.1701211983267; Tue, 28 Nov 2023 14:53:03 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.53.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:53:02 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 08/13] grub: fix CVE-2023-4692 & CVE-2023-4693 Date: Tue, 28 Nov 2023 12:52:35 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:53:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191403 From: Hitendra Prajapati Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea && https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../grub/files/CVE-2023-4692.patch | 97 +++++++++++++++++++ .../grub/files/CVE-2023-4693.patch | 62 ++++++++++++ meta/recipes-bsp/grub/grub2.inc | 2 + 3 files changed, 161 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4692.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch new file mode 100644 index 0000000000..0e74870ebf --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch @@ -0,0 +1,97 @@ +From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001 +From: Maxim Suhanov +Date: Mon, 28 Aug 2023 16:31:57 +0300 +Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST + attribute for the $MFT file + +When parsing an extremely fragmented $MFT file, i.e., the file described +using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer +containing bytes read from the underlying drive to store sector numbers, +which are consumed later to read data from these sectors into another buffer. + +These sectors numbers, two 32-bit integers, are always stored at predefined +offsets, 0x10 and 0x14, relative to first byte of the selected entry within +the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem. + +However, when parsing a specially-crafted file system image, this may cause +the NTFS code to write these integers beyond the buffer boundary, likely +causing the GRUB memory allocator to misbehave or fail. These integers contain +values which are controlled by on-disk structures of the NTFS file system. + +Such modification and resulting misbehavior may touch a memory range not +assigned to the GRUB and owned by firmware or another EFI application/driver. + +This fix introduces checks to ensure that these sector numbers are never +written beyond the boundary. + +Fixes: CVE-2023-4692 + +Reported-by: Maxim Suhanov +Signed-off-by: Maxim Suhanov +Reviewed-by: Daniel Kiper + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea] +CVE: CVE-2023-4692 +Signed-off-by: Hitendra Prajapati +--- + grub-core/fs/ntfs.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index 2f34f76..c8d3683 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) + } + if (at->attr_end) + { +- grub_uint8_t *pa; ++ grub_uint8_t *pa, *pa_end; + + at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); + if (at->emft_buf == NULL) +@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) + } + at->attr_nxt = at->edat_buf; + at->attr_end = at->edat_buf + u32at (pa, 0x30); ++ pa_end = at->edat_buf + n; + } + else + { + at->attr_nxt = at->attr_end + u16at (pa, 0x14); + at->attr_end = at->attr_end + u32at (pa, 4); ++ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); + } + at->flags |= GRUB_NTFS_AF_ALST; + while (at->attr_nxt < at->attr_end) +@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) + at->flags |= GRUB_NTFS_AF_GPOS; + at->attr_cur = at->attr_nxt; + pa = at->attr_cur; ++ ++ if ((pa >= pa_end) || (pa_end - pa < 0x18)) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); ++ return NULL; ++ } ++ + grub_set_unaligned32 ((char *) pa + 0x10, + grub_cpu_to_le32 (at->mft->data->mft_start)); + grub_set_unaligned32 ((char *) pa + 0x14, +@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) + { + if (*pa != attr) + break; ++ ++ if ((pa >= pa_end) || (pa_end - pa < 0x18)) ++ { ++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); ++ return NULL; ++ } ++ + if (read_attr + (at, pa + 0x10, + u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR), +-- +2.25.1 + diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch new file mode 100644 index 0000000000..1e6b6efdec --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch @@ -0,0 +1,62 @@ +From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001 +From: Maxim Suhanov +Date: Mon, 28 Aug 2023 16:32:33 +0300 +Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident + $DATA attribute + +When reading a file containing resident data, i.e., the file data is stored in +the $DATA attribute within the NTFS file record, not in external clusters, +there are no checks that this resident data actually fits the corresponding +file record segment. + +When parsing a specially-crafted file system image, the current NTFS code will +read the file data from an arbitrary, attacker-chosen memory offset and of +arbitrary, attacker-chosen length. + +This allows an attacker to display arbitrary chunks of memory, which could +contain sensitive information like password hashes or even plain-text, +obfuscated passwords from BS EFI variables. + +This fix implements a check to ensure that resident data is read from the +corresponding file record segment only. + +Fixes: CVE-2023-4693 + +Reported-by: Maxim Suhanov +Signed-off-by: Maxim Suhanov +Reviewed-by: Daniel Kiper + +Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94] +CVE: CVE-2023-4693 +Signed-off-by: Hitendra Prajapati +--- + grub-core/fs/ntfs.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index c8d3683..4d1fe42 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest, + { + if (ofs + len > u32at (pa, 0x10)) + return grub_error (GRUB_ERR_BAD_FS, "read out of range"); +- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len); ++ ++ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) ++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large"); ++ ++ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) ++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); ++ ++ if (u16at (pa, 0x14) + u32at (pa, 0x10) > ++ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa) ++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); ++ ++ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len); + return 0; + } + +-- +2.25.1 + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index bfcda76c24..bea03f4fc1 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -109,6 +109,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2020-27749.patch \ file://CVE-2021-20225.patch \ file://CVE-2021-20233.patch \ + file://CVE-2023-4692.patch \ + file://CVE-2023-4693.patch \ " SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" From patchwork Tue Nov 28 22:52:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35325 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AC4C5C07E98 for ; Tue, 28 Nov 2023 22:53:07 +0000 (UTC) Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) by mx.groups.io with SMTP id smtpd.web11.10464.1701211986950869792 for ; Tue, 28 Nov 2023 14:53:07 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Tr3ySwX/; spf=softfail (domain: sakoman.com, ip: 209.85.215.180, mailfrom: steve@sakoman.com) Received: by mail-pg1-f180.google.com with SMTP id 41be03b00d2f7-5c239897895so4144931a12.2 for ; Tue, 28 Nov 2023 14:53:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211986; x=1701816786; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=JuK0rXc0pvuknDehKoHn5yJXxo8k7q+CNsrX2CBIUiY=; b=Tr3ySwX/YBhPa2vFBH4WoP/Z3BN/x8Vi0PjWSUmkoJCrsYyYQfsAfMjY9a+ggsneZ/ 6Wj9y2tVsl/dvn0nxvxbighxW/TDRcYzcLPZClwk8ynUFj0vC4lJnDWsGtkfk6m6zYS3 dqeB4bmfaNeoa9WBcQ1Mttxbrn5JP19URFbkdD6OOUq+OuJuaaELcudoE9lr+t1tD6XZ QBMr1d30JRwhru2bOJcBwN0eRjsnoM52xepuSVPHfd/IYrtzd8XfkPpmj5cOaRVp818M 7MKrw55wXeDtFvbCBP7pewEApwX+i328YgTc19gYCczQu2BESrjBWhYws80TQeLsZjR9 s+Wg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211986; x=1701816786; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JuK0rXc0pvuknDehKoHn5yJXxo8k7q+CNsrX2CBIUiY=; b=R61kIJ3u9ohfwRCEjy7smmCKyw9LvToIWnUmqwW8TxUvPLfZM6DxwbyroPPH+vZRcX KvrIsLuu+JfkM3zHLlEIoyxdkec0pfuej5UhIbzMvsXEMjAwO5x9VrAuUpPbkgaelIyf ULfCOdcFRhHbioMdZgEtsbaX4beuS6e29may9+4VKLDYujzh+fDKbn14nJG7iyXVIBUQ eHSf8QqBxp7JtzXz8e1XFe8aMAIRuwRFWK8tqv9Sq6UdYgRxAsoYJG0bKiVTVcjUgm0m 4dASGc5xf1Uymi7i2DE19Xqj0mboNixpLzJX9TDp+DNRY7isOEoFxXvImcyCUFRH9gyj MwAQ== X-Gm-Message-State: AOJu0YzBCk2F25RlzPQYraVhlawgJiPuW+DfWSDiKmi7pBQ0p1laN8XX cRwI3Fsl2d+978u0ykzLYXKM4StH8xq7nNlNpMuvoQ== X-Google-Smtp-Source: AGHT+IEzkPk1pVf/DTyv0bz7IAz/VpCcWrMmiIujKMWfuSXaWPAVaM1vpPY5zuC8YHcpwvVFT8nwHA== X-Received: by 2002:a17:90b:4c50:b0:285:5dc3:a5bd with SMTP id np16-20020a17090b4c5000b002855dc3a5bdmr13609084pjb.24.1701211985758; Tue, 28 Nov 2023 14:53:05 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.53.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:53:04 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 09/13] tiff: backport Debian patch to fix CVE-2022-40090 Date: Tue, 28 Nov 2023 12:52:36 -1000 Message-Id: <999af9858676a0f5112ef3a9d9156be349f90cb4.1701210903.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:53:07 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191404 From: Vijay Anusuri import patch from ubuntu to fix CVE-2022-40090 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches?h=ubuntu/focal-security Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/c7caec9a4d8f24c17e667480d2c7d0d51c9fae41] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libtiff/files/CVE-2022-40090.patch | 548 ++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 + 2 files changed, 549 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch new file mode 100644 index 0000000000..0a88f59553 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch @@ -0,0 +1,548 @@ +From d385738335deb0c4bb70449f12e411f2203c0d01 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 2 Sep 2022 21:20:28 +0200 +Subject: [PATCH 1/4] Improved IFD-Loop Handling (fixes #455) + +Basic approach: +- The order in the entire chain must be checked, and not only whether an offset has already been read once. +- To do this, pairs of directory number and offset are stored and checked. +- The offset of a directory number can change. +- TIFFAdvanceDirectory() must also perform an IFD loop check. +- TIFFCheckDirOffset() is replaced by _TIFFCheckDirNumberAndOffset(). + +Rules for the check: +- If an offset is already in the list, it must have the same IFD number. Otherwise it is an IDF loop. +- If the offset is not in the list and the IFD number is greater than there are list entries, a new list entry is added. +- Otherwise, the offset of the IFD number is updated. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2022-40090.patch?h=ubuntu/focal-security +Upstream commit +https://gitlab.com/libtiff/libtiff/-/commit/c7caec9a4d8f24c17e667480d2c7d0d51c9fae41] +CVE: CVE-2022-40090 +Signed-off-by: Vijay Anusuri +--- + libtiff/tif_close.c | 6 ++- + libtiff/tif_dir.c | 91 +++++++++++++++++++++++++---------------- + libtiff/tif_dir.h | 1 + + libtiff/tif_dirread.c | 94 ++++++++++++++++++++++++++++++------------- + libtiff/tif_open.c | 3 +- + libtiff/tiffiop.h | 3 +- + 6 files changed, 131 insertions(+), 67 deletions(-) + +--- tiff-4.1.0+git191117.orig/libtiff/tif_close.c ++++ tiff-4.1.0+git191117/libtiff/tif_close.c +@@ -52,8 +52,10 @@ TIFFCleanup(TIFF* tif) + (*tif->tif_cleanup)(tif); + TIFFFreeDirectory(tif); + +- if (tif->tif_dirlist) +- _TIFFfree(tif->tif_dirlist); ++ if (tif->tif_dirlistoff) ++ _TIFFfree(tif->tif_dirlistoff); ++ if (tif->tif_dirlistdirn) ++ _TIFFfree(tif->tif_dirlistdirn); + + /* + * Clean up client info links. +--- tiff-4.1.0+git191117.orig/libtiff/tif_dir.c ++++ tiff-4.1.0+git191117/libtiff/tif_dir.c +@@ -1463,12 +1463,22 @@ TIFFDefaultDirectory(TIFF* tif) + } + + static int +-TIFFAdvanceDirectory(TIFF* tif, uint64* nextdir, uint64* off) ++TIFFAdvanceDirectory(TIFF* tif, uint64* nextdiroff, uint64* off, uint16* nextdirnum) + { + static const char module[] = "TIFFAdvanceDirectory"; ++ ++ /* Add this directory to the directory list, if not already in. */ ++ if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) { ++ TIFFErrorExt(tif->tif_clientdata, module, "Starting directory %hu at offset 0x%lx (%lu) might cause an IFD loop", ++ *nextdirnum, *nextdiroff, *nextdiroff); ++ *nextdiroff = 0; ++ *nextdirnum = 0; ++ return(0); ++ } ++ + if (isMapped(tif)) + { +- uint64 poff=*nextdir; ++ uint64 poff=*nextdiroff; + if (!(tif->tif_flags&TIFF_BIGTIFF)) + { + tmsize_t poffa,poffb,poffc,poffd; +@@ -1479,7 +1489,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* + if (((uint64)poffa!=poff)||(poffbtif->tif_size)) + { + TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count"); +- *nextdir=0; ++ *nextdiroff=0; + return(0); + } + _TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16)); +@@ -1497,7 +1507,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* + _TIFFmemcpy(&nextdir32,tif->tif_base+poffc,sizeof(uint32)); + if (tif->tif_flags&TIFF_SWAB) + TIFFSwabLong(&nextdir32); +- *nextdir=nextdir32; ++ *nextdiroff=nextdir32; + } + else + { +@@ -1529,11 +1539,10 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* + } + if (off!=NULL) + *off=(uint64)poffc; +- _TIFFmemcpy(nextdir,tif->tif_base+poffc,sizeof(uint64)); ++ _TIFFmemcpy(nextdiroff,tif->tif_base+poffc,sizeof(uint64)); + if (tif->tif_flags&TIFF_SWAB) +- TIFFSwabLong8(nextdir); ++ TIFFSwabLong8(nextdiroff); + } +- return(1); + } + else + { +@@ -1541,7 +1550,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* + { + uint16 dircount; + uint32 nextdir32; +- if (!SeekOK(tif, *nextdir) || ++ if (!SeekOK(tif, *nextdiroff) || + !ReadOK(tif, &dircount, sizeof (uint16))) { + TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count", + tif->tif_name); +@@ -1562,13 +1571,13 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* + } + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabLong(&nextdir32); +- *nextdir=nextdir32; ++ *nextdiroff=nextdir32; + } + else + { + uint64 dircount64; + uint16 dircount16; +- if (!SeekOK(tif, *nextdir) || ++ if (!SeekOK(tif, *nextdiroff) || + !ReadOK(tif, &dircount64, sizeof (uint64))) { + TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count", + tif->tif_name); +@@ -1588,17 +1597,27 @@ TIFFAdvanceDirectory(TIFF* tif, uint64* + else + (void) TIFFSeekFile(tif, + dircount16*20, SEEK_CUR); +- if (!ReadOK(tif, nextdir, sizeof (uint64))) { ++ if (!ReadOK(tif, nextdiroff, sizeof (uint64))) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Error fetching directory link", + tif->tif_name); + return (0); + } + if (tif->tif_flags & TIFF_SWAB) +- TIFFSwabLong8(nextdir); ++ TIFFSwabLong8(nextdiroff); + } +- return (1); + } ++ if (*nextdiroff != 0) { ++ (*nextdirnum)++; ++ /* Check next directory for IFD looping and if so, set it as last directory. */ ++ if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) { ++ TIFFWarningExt(tif->tif_clientdata, module, "the next directory %hu at offset 0x%lx (%lu) might be an IFD loop. Treating directory %hu as last directory", ++ *nextdirnum, *nextdiroff, *nextdiroff, *nextdirnum-1); ++ *nextdiroff = 0; ++ (*nextdirnum)--; ++ } ++ } ++ return (1); + } + + /* +@@ -1608,14 +1627,16 @@ uint16 + TIFFNumberOfDirectories(TIFF* tif) + { + static const char module[] = "TIFFNumberOfDirectories"; +- uint64 nextdir; ++ uint64 nextdiroff; ++ uint16 nextdirnum; + uint16 n; + if (!(tif->tif_flags&TIFF_BIGTIFF)) +- nextdir = tif->tif_header.classic.tiff_diroff; ++ nextdiroff = tif->tif_header.classic.tiff_diroff; + else +- nextdir = tif->tif_header.big.tiff_diroff; ++ nextdiroff = tif->tif_header.big.tiff_diroff; ++ nextdirnum = 0; + n = 0; +- while (nextdir != 0 && TIFFAdvanceDirectory(tif, &nextdir, NULL)) ++ while (nextdiroff != 0 && TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum)) + { + if (n != 65535) { + ++n; +@@ -1638,28 +1659,30 @@ TIFFNumberOfDirectories(TIFF* tif) + int + TIFFSetDirectory(TIFF* tif, uint16 dirn) + { +- uint64 nextdir; ++ uint64 nextdiroff; ++ uint16 nextdirnum; + uint16 n; + + if (!(tif->tif_flags&TIFF_BIGTIFF)) +- nextdir = tif->tif_header.classic.tiff_diroff; ++ nextdiroff = tif->tif_header.classic.tiff_diroff; + else +- nextdir = tif->tif_header.big.tiff_diroff; +- for (n = dirn; n > 0 && nextdir != 0; n--) +- if (!TIFFAdvanceDirectory(tif, &nextdir, NULL)) ++ nextdiroff = tif->tif_header.big.tiff_diroff; ++ nextdirnum = 0; ++ for (n = dirn; n > 0 && nextdiroff != 0; n--) ++ if (!TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum)) + return (0); +- tif->tif_nextdiroff = nextdir; ++ /* If the n-th directory could not be reached (does not exist), ++ * return here without touching anything further. */ ++ if (nextdiroff == 0 || n > 0) ++ return (0); ++ ++ tif->tif_nextdiroff = nextdiroff; + /* + * Set curdir to the actual directory index. The + * -1 is because TIFFReadDirectory will increment + * tif_curdir after successfully reading the directory. + */ + tif->tif_curdir = (dirn - n) - 1; +- /* +- * Reset tif_dirnumber counter and start new list of seen directories. +- * We need this to prevent IFD loops. +- */ +- tif->tif_dirnumber = 0; + return (TIFFReadDirectory(tif)); + } + +@@ -1672,13 +1695,42 @@ TIFFSetDirectory(TIFF* tif, uint16 dirn) + int + TIFFSetSubDirectory(TIFF* tif, uint64 diroff) + { +- tif->tif_nextdiroff = diroff; +- /* +- * Reset tif_dirnumber counter and start new list of seen directories. +- * We need this to prevent IFD loops. ++ /* Match nextdiroff and curdir for consistent IFD-loop checking. ++ * Only with TIFFSetSubDirectory() the IFD list can be corrupted with invalid offsets ++ * within the main IFD tree. ++ * In the case of several subIFDs of a main image, ++ * there are two possibilities that are not even mutually exclusive. ++ * a.) The subIFD tag contains an array with all offsets of the subIFDs. ++ * b.) The SubIFDs are concatenated with their NextIFD parameters. ++ * (refer to https://www.awaresystems.be/imaging/tiff/specification/TIFFPM6.pdf.) + */ +- tif->tif_dirnumber = 0; +- return (TIFFReadDirectory(tif)); ++ int retval; ++ uint16 curdir = 0; ++ int8 probablySubIFD = 0; ++ if (diroff == 0) { ++ /* Special case to invalidate the tif_lastdiroff member. */ ++ tif->tif_curdir = 65535; ++ } else { ++ if (!_TIFFGetDirNumberFromOffset(tif, diroff, &curdir)) { ++ /* Non-existing offsets might point to a SubIFD or invalid IFD.*/ ++ probablySubIFD = 1; ++ } ++ /* -1 because TIFFReadDirectory() will increment tif_curdir. */ ++ tif->tif_curdir = curdir - 1; ++ } ++ ++ tif->tif_nextdiroff = diroff; ++ retval = TIFFReadDirectory(tif); ++ /* If failed, curdir was not incremented in TIFFReadDirectory(), so set it back. */ ++ if (!retval )tif->tif_curdir++; ++ if (retval && probablySubIFD) { ++ /* Reset IFD list to start new one for SubIFD chain and also start SubIFD chain with tif_curdir=0. */ ++ tif->tif_dirnumber = 0; ++ tif->tif_curdir = 0; /* first directory of new chain */ ++ /* add this offset to new IFD list */ ++ _TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir, diroff); ++ } ++ return (retval); + } + + /* +@@ -1702,12 +1754,15 @@ TIFFLastDirectory(TIFF* tif) + + /* + * Unlink the specified directory from the directory chain. ++ * Note: First directory starts with number dirn=1. ++ * This is different to TIFFSetDirectory() where the first directory starts with zero. + */ + int + TIFFUnlinkDirectory(TIFF* tif, uint16 dirn) + { + static const char module[] = "TIFFUnlinkDirectory"; + uint64 nextdir; ++ uint16 nextdirnum; + uint64 off; + uint16 n; + +@@ -1731,19 +1786,21 @@ TIFFUnlinkDirectory(TIFF* tif, uint16 di + nextdir = tif->tif_header.big.tiff_diroff; + off = 8; + } ++ nextdirnum = 0; /* First directory is dirn=0 */ ++ + for (n = dirn-1; n > 0; n--) { + if (nextdir == 0) { + TIFFErrorExt(tif->tif_clientdata, module, "Directory %d does not exist", dirn); + return (0); + } +- if (!TIFFAdvanceDirectory(tif, &nextdir, &off)) ++ if (!TIFFAdvanceDirectory(tif, &nextdir, &off, &nextdirnum)) + return (0); + } + /* + * Advance to the directory to be unlinked and fetch + * the offset of the directory that follows. + */ +- if (!TIFFAdvanceDirectory(tif, &nextdir, NULL)) ++ if (!TIFFAdvanceDirectory(tif, &nextdir, NULL, &nextdirnum)) + return (0); + /* + * Go back and patch the link field of the preceding +--- tiff-4.1.0+git191117.orig/libtiff/tif_dir.h ++++ tiff-4.1.0+git191117/libtiff/tif_dir.h +@@ -300,6 +300,8 @@ extern int _TIFFMergeFields(TIFF*, const + extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType); + extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType); + extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag); ++extern int _TIFFCheckDirNumberAndOffset(TIFF *tif, uint16 dirn, uint64 diroff); ++extern int _TIFFGetDirNumberFromOffset(TIFF *tif, uint64 diroff, uint16 *dirn); + + #if defined(__cplusplus) + } +--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c ++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c +@@ -158,7 +158,6 @@ static void TIFFReadDirectoryFindFieldIn + + static int EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount); + static void MissingRequired(TIFF*, const char*); +-static int TIFFCheckDirOffset(TIFF* tif, uint64 diroff); + static int CheckDirCount(TIFF*, TIFFDirEntry*, uint32); + static uint16 TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, uint64* nextdiroff); + static int TIFFFetchNormalTag(TIFF*, TIFFDirEntry*, int recover); +@@ -3584,12 +3583,19 @@ TIFFReadDirectory(TIFF* tif) + int bitspersample_read = FALSE; + int color_channels; + +- tif->tif_diroff=tif->tif_nextdiroff; +- if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff)) +- return 0; /* last offset or bad offset (IFD looping) */ +- (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */ +- tif->tif_curdir++; +- nextdiroff = tif->tif_nextdiroff; ++ if (tif->tif_nextdiroff == 0) { ++ /* In this special case, tif_diroff needs also to be set to 0. */ ++ tif->tif_diroff = tif->tif_nextdiroff; ++ return 0; /* last offset, thus no checking necessary */ ++ } ++ ++ nextdiroff = tif->tif_nextdiroff; ++ /* tif_curdir++ and tif_nextdiroff should only be updated after SUCCESSFUL reading of the directory. Otherwise, invalid IFD offsets could corrupt the IFD list. */ ++ if (!_TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir + 1, nextdiroff)) { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Didn't read next directory due to IFD looping at offset 0x%lx (%lu) to offset 0x%lx (%lu)", tif->tif_diroff, tif->tif_diroff, nextdiroff, nextdiroff); ++ return 0; /* bad offset (IFD looping) */ ++ } + dircount=TIFFFetchDirectory(tif,nextdiroff,&dir,&tif->tif_nextdiroff); + if (!dircount) + { +@@ -3597,6 +3603,11 @@ TIFFReadDirectory(TIFF* tif) + "Failed to read directory at offset " TIFF_UINT64_FORMAT,nextdiroff); + return 0; + } ++ /* Set global values after a valid directory has been fetched. ++ * tif_diroff is already set to nextdiroff in TIFFFetchDirectory() in the beginning. */ ++ tif->tif_curdir++; ++ (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */ ++ + TIFFReadDirectoryCheckOrder(tif,dir,dircount); + + /* +@@ -4628,13 +4639,17 @@ MissingRequired(TIFF* tif, const char* t + } + + /* +- * Check the directory offset against the list of already seen directory +- * offsets. This is a trick to prevent IFD looping. The one can create TIFF +- * file with looped directory pointers. We will maintain a list of already +- * seen directories and check every IFD offset against that list. ++ * Check the directory number and offset against the list of already seen ++ * directory numbers and offsets. This is a trick to prevent IFD looping. ++ * The one can create TIFF file with looped directory pointers. We will ++ * maintain a list of already seen directories and check every IFD offset ++ * and its IFD number against that list. However, the offset of an IFD number ++ * can change - e.g. when writing updates to file. ++ * Returns 1 if all is ok; 0 if last directory or IFD loop is encountered, ++ * or an error has occured. + */ +-static int +-TIFFCheckDirOffset(TIFF* tif, uint64 diroff) ++int ++_TIFFCheckDirNumberAndOffset(TIFF* tif, uint16 dirn, uint64 diroff) + { + uint16 n; + +@@ -4646,35 +4661,64 @@ TIFFCheckDirOffset(TIFF* tif, uint64 dir + return 0; + } + +- for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlist; n++) { +- if (tif->tif_dirlist[n] == diroff) +- return 0; ++ /* Check if offset is already in the list: ++ * - yes: check, if offset is at the same IFD number - if not, it is an IFD loop ++ * - no: add to list or update offset at that IFD number ++ */ ++ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff; n++) { ++ if (tif->tif_dirlistoff[n] == diroff) { ++ if (tif->tif_dirlistdirn[n] == dirn) { ++ return 1; ++ } else { ++ TIFFWarningExt(tif->tif_clientdata, "_TIFFCheckDirNumberAndOffset", ++ "TIFF directory %hu has IFD looping to directory %hu at offset 0x%lx (%lu)", ++ dirn-1, tif->tif_dirlistdirn[n], diroff, diroff); ++ return 0; ++ } ++ } ++ } ++ /* Check if offset of an IFD has been changed and update offset of that IFD number. */ ++ if (dirn < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff) { ++ /* tif_dirlistdirn can have IFD numbers dirn in random order */ ++ for (n = 0; n < tif->tif_dirnumber; n++) { ++ if (tif->tif_dirlistdirn[n] == dirn) { ++ tif->tif_dirlistoff[n] = diroff; ++ return 1; ++ } ++ } + } + ++ /* Add IFD offset and dirn to IFD directory list */ + tif->tif_dirnumber++; + +- if (tif->tif_dirlist == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) { +- uint64* new_dirlist; +- ++ if (tif->tif_dirlistoff == NULL || tif->tif_dirlistdirn == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) { ++ uint64 *new_dirlist; + /* + * XXX: Reduce memory allocation granularity of the dirlist + * array. + */ +- new_dirlist = (uint64*)_TIFFCheckRealloc(tif, tif->tif_dirlist, +- tif->tif_dirnumber, 2 * sizeof(uint64), "for IFD list"); ++ if (tif->tif_dirnumber >= 32768) ++ tif->tif_dirlistsize = 65535; ++ else ++ tif->tif_dirlistsize = 2 * tif->tif_dirnumber; ++ ++ new_dirlist = (uint64 *)_TIFFCheckRealloc(tif, tif->tif_dirlistoff, ++ tif->tif_dirlistsize, sizeof(uint64), "for IFD offset list"); + if (!new_dirlist) + return 0; +- if( tif->tif_dirnumber >= 32768 ) +- tif->tif_dirlistsize = 65535; +- else +- tif->tif_dirlistsize = 2 * tif->tif_dirnumber; +- tif->tif_dirlist = new_dirlist; ++ tif->tif_dirlistoff = new_dirlist; ++ new_dirlist = (uint64 *)_TIFFCheckRealloc(tif, tif->tif_dirlistdirn, ++ tif->tif_dirlistsize, sizeof(uint16), "for IFD dirnumber list"); ++ if (!new_dirlist) ++ return 0; ++ tif->tif_dirlistdirn = (uint16 *)new_dirlist; + } + +- tif->tif_dirlist[tif->tif_dirnumber - 1] = diroff; ++ tif->tif_dirlistoff[tif->tif_dirnumber - 1] = diroff; ++ tif->tif_dirlistdirn[tif->tif_dirnumber - 1] = dirn; + + return 1; +-} ++} /* --- _TIFFCheckDirNumberAndOffset() ---*/ + + /* + * Check the count field of a directory entry against a known value. The +@@ -4703,6 +4747,47 @@ CheckDirCount(TIFF* tif, TIFFDirEntry* d + } + + /* ++ * Retrieve the matching IFD directory number of a given IFD offset ++ * from the list of directories already seen. ++ * Returns 1 if the offset was in the list and the directory number ++ * can be returned. ++ * Otherwise returns 0 or if an error occured. ++ */ ++int ++_TIFFGetDirNumberFromOffset(TIFF *tif, uint64 diroff, uint16* dirn) ++{ ++ uint16 n; ++ ++ if (diroff == 0) /* no more directories */ ++ return 0; ++ if (tif->tif_dirnumber == 65535) { ++ TIFFErrorExt(tif->tif_clientdata, "_TIFFGetDirNumberFromOffset", ++ "Cannot handle more than 65535 TIFF directories"); ++ return 0; ++ } ++ ++ /* Check if offset is already in the list and return matching directory number. ++ * Otherwise update IFD list using TIFFNumberOfDirectories() ++ * and search again in IFD list. ++ */ ++ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) { ++ if (tif->tif_dirlistoff[n] == diroff) { ++ *dirn = tif->tif_dirlistdirn[n]; ++ return 1; ++ } ++ } ++ TIFFNumberOfDirectories(tif); ++ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) { ++ if (tif->tif_dirlistoff[n] == diroff) { ++ *dirn = tif->tif_dirlistdirn[n]; ++ return 1; ++ } ++ } ++ return 0; ++} /*--- _TIFFGetDirNumberFromOffset() ---*/ ++ ++ ++/* + * Read IFD structure from the specified offset. If the pointer to + * nextdiroff variable has been specified, read it too. Function returns a + * number of fields in the directory or 0 if failed. +--- tiff-4.1.0+git191117.orig/libtiff/tif_open.c ++++ tiff-4.1.0+git191117/libtiff/tif_open.c +@@ -353,7 +353,8 @@ TIFFClientOpen( + if (!TIFFDefaultDirectory(tif)) + goto bad; + tif->tif_diroff = 0; +- tif->tif_dirlist = NULL; ++ tif->tif_dirlistoff = NULL; ++ tif->tif_dirlistdirn = NULL; + tif->tif_dirlistsize = 0; + tif->tif_dirnumber = 0; + return (tif); +--- tiff-4.1.0+git191117.orig/libtiff/tiffiop.h ++++ tiff-4.1.0+git191117/libtiff/tiffiop.h +@@ -145,7 +145,8 @@ struct tiff { + #define TIFF_CHOPPEDUPARRAYS 0x4000000U /* set when allocChoppedUpStripArrays() has modified strip array */ + uint64 tif_diroff; /* file offset of current directory */ + uint64 tif_nextdiroff; /* file offset of following directory */ +- uint64* tif_dirlist; /* list of offsets to already seen directories to prevent IFD looping */ ++ uint64* tif_dirlistoff; /* list of offsets to already seen directories to prevent IFD looping */ ++ uint16* tif_dirlistdirn; /* list of directory numbers to already seen directories to prevent IFD looping */ + uint16 tif_dirlistsize; /* number of entries in offset list */ + uint16 tif_dirnumber; /* number of already seen directories */ + TIFFDirectory tif_dir; /* internal rep of current directory */ diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 2697a28463..8b130826e3 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb @@ -47,6 +47,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-3618.patch \ file://CVE-2023-40745.patch \ file://CVE-2023-41175.patch \ + file://CVE-2022-40090.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" From patchwork Tue Nov 28 22:52:37 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35328 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A991CC4167B for ; Tue, 28 Nov 2023 22:53:17 +0000 (UTC) Received: from mail-pg1-f170.google.com (mail-pg1-f170.google.com [209.85.215.170]) by mx.groups.io with SMTP id smtpd.web11.10465.1701211988885806370 for ; Tue, 28 Nov 2023 14:53:08 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=xEambc6K; spf=softfail (domain: sakoman.com, ip: 209.85.215.170, mailfrom: steve@sakoman.com) Received: by mail-pg1-f170.google.com with SMTP id 41be03b00d2f7-5bdbe2de25fso4711206a12.3 for ; Tue, 28 Nov 2023 14:53:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211988; x=1701816788; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=VziZnKsfvAXzAHyDZ0SPpJD0tYAuq31f4xb/HzfPFXc=; b=xEambc6KLg+owEIURY8PZNUm4f8fV0ZBqKLDR3VOSkDyBdehBl0wfO86iFlG5Azil6 0FmTiP12XZk1DHShGUQk1LxaSOuiGFPwMrw+M/hnFuuTH0RrUvntDyBYw75eIljn+yQx A5HZ8C0rdhw8z7y9Crb789xCyX3tNBaAWjvOlBYslHcnb+DFt0zrqvD5Rod31b3LhPgL /0dXHBsCrTDYFCUJoAAOLIx6dBVfudGV95I9CdKfkFA4XMUObLQ/URdsliRXj3DlNG9b EZcHYOTAMJ+17VJkEsT4jylNUkcWgkg3b18DVBAJV6PPlw2+RWcAXGg3EnBvMQGV/Bu6 xI/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211988; x=1701816788; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=VziZnKsfvAXzAHyDZ0SPpJD0tYAuq31f4xb/HzfPFXc=; b=nR6zCfAT2dyr6BnQmErM0IsIp7JE6jI5s8SMnxI/Qv4VCc0bjXcUxraDRFnK7pXpOP 0tCUwTFUuVyY6cENkgPoQH/NOFw8hFixsv83MnTih/S7Q0sCJ577EWOhVisDAN0evIZz eROjRfW8hQkKrq6/K3197LKk3j30WkZj/xv9HG9tPVyWfF02vjy2joVbu7qLnGurpQbr UXE3/zwquTykRxhHDgMJ4QWSY6Ibk7Q5wC3pNc4NjIEoXdR4nixv5jKhvzQ7cyyy7EDh SNdFTOHTbY63+RpQ3qmPgthBEC7CeMAGq+bTy65oSKn5G6KptW85nRext7GhUyiiy6qd fEVQ== X-Gm-Message-State: AOJu0Ywx0iDx189eSMpcZTM22ffAXsG4CuW+48mUBCGTHgnJ8N6cTixp MJNl/2TP2YfxF9ukh7/ndqBM+f+CJ3d7fFYDZhrUIA== X-Google-Smtp-Source: AGHT+IGnQDATNh8SVvuTPpeK5rXtMp3Vtoks/gC4qZC6N/Y4cLoPyTPDQU8juOZJaNHNzqozv8/nIw== X-Received: by 2002:a17:90b:224b:b0:27d:880d:8645 with SMTP id hk11-20020a17090b224b00b0027d880d8645mr17058990pjb.49.1701211987790; Tue, 28 Nov 2023 14:53:07 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.53.06 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:53:07 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 10/13] vim: Improve locale handling Date: Tue, 28 Nov 2023 12:52:37 -1000 Message-Id: <14982eabcdb96c2f7ef9e28d6c0daedb53aa96c4.1701210903.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:53:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191405 From: Richard Purdie When making checkouts from git, the timestamps can vary and occasionally two files can end up with the same stamp. This triggers make to regenerate ru.cp1251.po from ru.po for example. If it isn't regenerated, the output isn't quite the same leading to reproducibility issues (CP1251 vs cp1251). Since we added all locales to buildtools tarball now, we can drop the locale restrictions too. We need to generate a native binary for the sjis conversion tool so also tweak that. Signed-off-by: Richard Purdie Signed-off-by: Steve Sakoman --- meta/recipes-support/vim/vim.inc | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index d8e88af22e..1464c4f4f4 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -41,22 +41,16 @@ do_configure () { cd src rm -f auto/* touch auto/config.mk + # git timestamps aren't reliable and we want to consistently regenerate these generated files + rm -f po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po aclocal autoconf cd .. oe_runconf touch src/auto/configure touch src/auto/config.mk src/auto/config.h -} - -do_compile() { - # We do not support fully / correctly the following locales. Attempting - # to use these with msgfmt in order to update the ".desktop" files exposes - # this problem and leads to the compile failing. - for LOCALE in cs fr ko pl sk zh_CN zh_TW;do - echo -n > src/po/${LOCALE}.po - done - autotools_do_compile + # need a native tool, not a target one + ${BUILD_CC} src/po/sjiscorr.c -o src/po/sjiscorr } PACKAGECONFIG ??= "\ From patchwork Tue Nov 28 22:52:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35327 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B360DC07E97 for ; Tue, 28 Nov 2023 22:53:17 +0000 (UTC) Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) by mx.groups.io with SMTP id smtpd.web11.10466.1701211990595616269 for ; Tue, 28 Nov 2023 14:53:10 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=nsHuj2pg; spf=softfail (domain: sakoman.com, ip: 209.85.215.177, mailfrom: steve@sakoman.com) Received: by mail-pg1-f177.google.com with SMTP id 41be03b00d2f7-5c210e34088so4508386a12.2 for ; Tue, 28 Nov 2023 14:53:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211990; x=1701816790; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=zfjAlF4azDb/5wfuX2hhZTXgJAgN6cxAudmW/sWG1LU=; b=nsHuj2pgLkVI+zjPXOvejIeOLBzUOw9cOPmq8Jiakr4MPSTUoBjgbJ2UH84BjRvE99 kOB2reFBDy5JbzX+57mN2DfTqTgPumo8pNtpum/NZfZzVoH0vne2LZMInnA5HI/9nc8F Kg+WmVeefrzIFYKhk7PuXhQgTUBLgsJ4hIZnZ1T6ZuMTzmeIZnxns/m6BLjep/ZmGdJQ Yfe9ozLgmplHVDYWwc1/R2qGUlxK6S9YeCLFQdLfGnoMvGlOo2BBSeTMD76hwbKPJYXN aDJqdEkRsboI/57Yhk8mdKQwADAB58BXh2QSYZkvym6JkwkkxCeS+qw001zXg0Ny/hLY vm+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211990; x=1701816790; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zfjAlF4azDb/5wfuX2hhZTXgJAgN6cxAudmW/sWG1LU=; b=qe/1vUb8W3B7m9gSVaGtXzMKJQ4pqA4pFl3g+AvWmwhx4MP/S32r+0ildqxSNAg8yd v5cuxGHnz8J7HAZUkd3v87ljBqP62MdtUbvNtpcL7SRZPe3x/28kfItrB1MIy5DaqCCO myORaiVhtvRp/JJ77c/KKlTq/j3pT0ChPbQ9DB/VhYuJRsmskQ1zMFQVUcx2Hpo6Kl11 f0GSwFumdf9Czxp2JjlAXi6eShaiANpg+OhbXRqbe2HMDdiT42NwBnuiv8lmR8apCMa9 memKIvaPM5BiZWM/CD44A96SNldkqshmxKPuZ3CgjxOUbRWmUo6TVSjMxAK7kppEDedi Zf1g== X-Gm-Message-State: AOJu0YznpRNEVZCR1CWtCXAOxQ+YnVbb0j0bseCrB2XzozquHWJAukDP eGzPLnJ2X+2/MrARXb6mGya9BL7+MSxHGgN1H1R5Lw== X-Google-Smtp-Source: AGHT+IErTQQtxbnSDYFe0bSFdMSnv6JGACw3o61AMI831xg7L/u4PrMsGI5ff8dxw3t+OqRx3+lHSw== X-Received: by 2002:a17:90b:4c05:b0:285:9d5d:709d with SMTP id na5-20020a17090b4c0500b002859d5d709dmr14396602pjb.49.1701211989813; Tue, 28 Nov 2023 14:53:09 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.53.08 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:53:09 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 11/13] vim: update obsolete comment Date: Tue, 28 Nov 2023 12:52:38 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:53:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191406 From: Etienne Cordonnier vim 8.3 has been out for a long time, so this comment is obsolete. However we still need UPSTREAM_VERSION_UNKNOWN, since we ignore the last digit of the upstream version number. Test result: $ devtool check-upgrade-status vim ... INFO: vim 9.0.1592 UNKNOWN Tom Rini c0370529c027abc5b1698d53fcfb8c02a0c515da (From OE-Core rev: 65f5de85c3f488136d1ec2b1f7fe8d8426d6c5b3) Signed-off-by: Etienne Cordonnier Signed-off-by: Luca Ceresoli Signed-off-by: Richard Purdie (cherry picked from commit 868a19357841470eb55fb7f1c4ab1af09dea99ed) Signed-off-by: Steve Sakoman --- meta/recipes-support/vim/vim.inc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 1464c4f4f4..a12e3c8d89 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -22,11 +22,10 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ PV .= ".2048" SRCREV = "982ef16059bd163a77271107020defde0740bbd6" -# Remove when 8.3 is out -UPSTREAM_VERSION_UNKNOWN = "1" - # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" +# Ignore that the upstream version .z in x.y.z is always newer +UPSTREAM_VERSION_UNKNOWN = "1" S = "${WORKDIR}/git" From patchwork Tue Nov 28 22:52:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35329 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B6E65C07CA9 for ; Tue, 28 Nov 2023 22:53:17 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.web11.10467.1701211992823925451 for ; Tue, 28 Nov 2023 14:53:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=g5dOBcTj; spf=softfail (domain: sakoman.com, ip: 209.85.214.175, mailfrom: steve@sakoman.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-1cf8c462766so44422025ad.1 for ; Tue, 28 Nov 2023 14:53:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211991; x=1701816791; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=70Z7z+Dc5mmHICn6hDFdmM95h93ri59HkHmPPpIXg58=; b=g5dOBcTj5p38NvVTwPxiVcFRcEAM1cviHlWq0DC0ZZfRQ3L7pUe6SweskuXCovWh5P FV3qFwuuyAVL2n7Nx7yTbOkb/TpJsNs3s5K4ZZORXtqM0+NfkxjPOpQhf4So62O5xvKV FbY5qF3eCM7b5mbE+oOGd0G0CHFRhGaQCEKO3Q+nileMhchj8ggPHvr9yQZaJR4wt/s9 1yX1Uaq3ONFt+k+V8i/PAy1w992FsavyIBwIwroPiw8E32Q8/CgJ1DYTsS0EOuy56s0k 1Xeui0/AytstT0dTQ8cNJbjpiV5LxK5FjOGNYFDZ1+8G6phX0wvwhJIKNTDEE+C7pUhV TM4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211991; x=1701816791; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=70Z7z+Dc5mmHICn6hDFdmM95h93ri59HkHmPPpIXg58=; b=xTPeu18wBFX/rQPnN/AIuxQrtkAHxYLE5JnVE8mtfmU4k6/bGjgIeM6FlpUuM/v3cQ hteD0skvhhoxLxep7TYo2ipdwN55AcGhGokvmNgHHN2N8xFAcixZV4L0M1aBcvf2LMWT z3pL1fIet7nWIOR+dYE7v0rBy0tJLe103HR7UZg1vN/2YX0ky/vG1dXSz5KRaCHFbIlN LMaImZHJ3VPQMc24ObUMehN18fpi6S6gmICaCnol8XgwlhMSTwbizho8oSnNjQefljs3 faDXfP2HG7DwEfjLBkDpW4S/DOkA7HBq1DnJ/PagThFdHl3JDJsOSLclUDmFwOd85Ek1 w2+Q== X-Gm-Message-State: AOJu0YwJVEbmAJubGZt5XooYbn5/sTRpis+ss6VOqX5fd4mQPw8wW8N6 eCUxORPlcuU82cxo00Sd64+BDnJDevd9YhAO3UEYwA== X-Google-Smtp-Source: AGHT+IG2rZkhenwVDgtHTGbaX7ZvLwpa9uOKVe7IMG7p6djBoXOCz8okTb4G/S4NL2TtYFjnQG9POA== X-Received: by 2002:a17:90b:4d8b:b0:27d:c36:e12c with SMTP id oj11-20020a17090b4d8b00b0027d0c36e12cmr16915671pjb.9.1701211991602; Tue, 28 Nov 2023 14:53:11 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.53.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:53:11 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 12/13] vim: Upgrade 9.0.2048 -> 9.0.2068 Date: Tue, 28 Nov 2023 12:52:39 -1000 Message-Id: <2854c285ebf615ea71ecfc6fc559419e72005c5e.1701210903.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:53:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191407 From: Archana Polampalli This includes CVE fix for CVE-2023-46246. 9198c1f2b (tag: v9.0.2068) patch 9.0.2068: [security] overflow in :history References: https://nvd.nist.gov/vuln/detail/CVE-2023-46246 Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index a12e3c8d89..9a74a52b52 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".2048" -SRCREV = "982ef16059bd163a77271107020defde0740bbd6" +PV .= ".2068" +SRCREV = "9198c1f2b1ddecde22af918541e0de2a32f0f45a" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0" From patchwork Tue Nov 28 22:52:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 35330 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C095EC07E98 for ; Tue, 28 Nov 2023 22:53:17 +0000 (UTC) Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com [209.85.216.47]) by mx.groups.io with SMTP id smtpd.web11.10468.1701211994171981538 for ; Tue, 28 Nov 2023 14:53:14 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=akvg1Eey; spf=softfail (domain: sakoman.com, ip: 209.85.216.47, mailfrom: steve@sakoman.com) Received: by mail-pj1-f47.google.com with SMTP id 98e67ed59e1d1-285196556fcso4892983a91.0 for ; Tue, 28 Nov 2023 14:53:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1701211993; x=1701816793; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PiGJbOGn6iZSAbSE35tCbhpFw36mA4YXhD3+EnK2g7s=; b=akvg1EeyNR3HpsNgP3TK0FXswDQHL8UwR7/8vHhGSv4V8OdbLuvwT9pT1OOUtyvBTA 4LJ0OV2JcRs1nGJwn9yhdks8o+WO+widvcc7e1NZopnaXVKWjKYUBO9UOqMEi69/W8g9 y+4jnZgiEHZbnecZqhIqBUecah6KJbfVtN7bVWvCXwSXKpGi3uyevwLNByq2UWZa9nXr OMSrIxp4mvfytzxSD7PhYxJmy2AYe337IBk/IGqZnFGUf34pmV+tq/sH5XfqTZpDbgcb yVzTzukXBLCVv4b8Tm+XJOYlbMiwkUCU9z5NVG26xt6pBIeWTjPE8UDOOrk776dl7H4t jfAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701211993; x=1701816793; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PiGJbOGn6iZSAbSE35tCbhpFw36mA4YXhD3+EnK2g7s=; b=TYpWkqmtCI7NllUnnbKXe5wNdCubYntSyUCbNwJEIe8uwgSYWJXAc/dv0rw4zmQEGc X8ncXb80zBwpmmpBFfX7Jssh90B+YCtJ0769ZPD+vLc30VE5TbV6EwQ8UepVWvtaWRbf i+KqdMqYjYuM2YxXYk4kUypl50xZniIrIFjgXq39MBR5CGmbBKpVDQBfiWmfuYQ8gNy1 nMfbK17RE+uNRwpqXHT7h2wXn5LfHaq/UIAmOh8XhzjXbq3hTA1lheGd/5vahKbW8Kj0 l0xKm60YbmEClCkNZhT6qphWgBZGTn6DmPULOhhXplm6e19aXj9YxfHCbWSSpBYZlWVX sxpQ== X-Gm-Message-State: AOJu0YzhYt3Tnf99yFNXqi0MtM9x7PAMFCLumHcnUAS27JTGDUUy0KQ5 vQ+Ao5S8/TuhJ/FxK7JbtW4R9QT9gbL4giS0VAI3oA== X-Google-Smtp-Source: AGHT+IFaziuPp1oCFlp4sR6EWJZSutG2HVpRzzAyIv2lKHQE2CKujnRc2YWj/9grvPkj53A3VrAfAg== X-Received: by 2002:a17:90b:1bd2:b0:285:da91:69c2 with SMTP id oa18-20020a17090b1bd200b00285da9169c2mr8281118pjb.45.1701211993323; Tue, 28 Nov 2023 14:53:13 -0800 (PST) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id cu20-20020a17090afa9400b00282ecb631a9sm9621898pjb.25.2023.11.28.14.53.12 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Nov 2023 14:53:13 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 13/13] vim: use upstream generated .po files Date: Tue, 28 Nov 2023 12:52:40 -1000 Message-Id: <0764da7e3f1d71eb390e5eb8a9aa1323c24d1c19.1701210903.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 28 Nov 2023 22:53:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191408 A previous commit attempted to fix reproducibility errors by forcing regeneration of .po files. Unfortunately this triggered a different type of reproducibility issue. Work around this by adjusting the timestamps of the troublesome .po files so they are not regenerated and we use the shipped upstream versions of the files. The shipped version of ru.cp1251.po doesn't seem to have been created with the vim tooling and specifies CP1251 instead of cp1251, fix that. Signed-off-by: Steve Sakoman --- meta/recipes-support/vim/vim.inc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 9a74a52b52..0662822202 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -40,8 +40,10 @@ do_configure () { cd src rm -f auto/* touch auto/config.mk - # git timestamps aren't reliable and we want to consistently regenerate these generated files - rm -f po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po + # git timestamps aren't reliable, so touch the shipped .po files so they aren't regenerated + touch -c po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po + # ru.cp1251.po uses CP1251 rather than cp1251, fix that + sed -i -e s/CP1251/cp1251/ po/ru.cp1251.po aclocal autoconf cd ..