From patchwork Mon Feb 28 03:38:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 4376 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6E74BC433EF for ; Mon, 28 Feb 2022 03:40:35 +0000 (UTC) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web10.16230.1646019633714561008 for ; Sun, 27 Feb 2022 19:40:34 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=j9EsgaxU; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1646019633; x=1677555633; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=/o/SxMeuB2FjfuLj6zAuFmrltRocvLC8vPuBTkXWCYg=; b=j9EsgaxU/RohDCxaukja8pQxWNpeNp9XkoAWJ6yzSbih/nVjF88FQ5EU hejShvJKdpcUpIi2g7EeSvy3CP8JrH9+mlL8AOL4SGB7AdZ7J2ygX9tuN Ac6U88KnuSOyZ+TavuMsfJq37IsAH0KO6jvD0g4MkaabN3xcHir5v+kw+ glpW9YCl4ffvPg8Tt0RoVo2A7OJu5jEdeLaFHNwCNADeJaN3labURbpde 5wIzBQ3KIveMTJJlITDhANs5pA6BwfcoYum/MMjX9SlcLki13KXROgzgF Vl9jlsuvhkxmT69ZS2xdlWy3HwOk7y5l1g6PNqn3+X6gfkz9B5puexAkh Q==; X-IronPort-AV: E=McAfee;i="6200,9189,10271"; a="252988312" X-IronPort-AV: E=Sophos;i="5.90,142,1643702400"; d="scan'208";a="252988312" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Feb 2022 19:40:32 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.90,142,1643702400"; d="scan'208";a="509942094" Received: from cheeyang-desk1.png.intel.com ([10.158.87.104]) by orsmga006.jf.intel.com with ESMTP; 27 Feb 2022 19:40:31 -0800 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [PATCH][hardknott 1/3] ruby : update to 3.0.3 Date: Mon, 28 Feb 2022 11:38:37 +0800 Message-Id: <20220228033839.2386940-1-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 28 Feb 2022 03:40:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/162448 From: Lee Chee Yang Do not tweak a file that is no longer installed. Ruby 3.0.3 includes security fixes. CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods CVE-2021-41816: Buffer Overrun in CGI.escape_html CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse Ruby 3.0.2 release includes security fixes. CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP CVE-2021-31799: A command injection vulnerability in RDoc Signed-off-by: Lee Chee Yang --- .../ruby/ruby/CVE-2021-31799.patch | 57 ---- .../ruby/ruby/CVE-2021-31810.patch | 258 ------------------ .../ruby/ruby/CVE-2021-32066.patch | 102 ------- .../ruby/{ruby_3.0.1.bb => ruby_3.0.3.bb} | 7 +- 4 files changed, 1 insertion(+), 423 deletions(-) delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch rename meta/recipes-devtools/ruby/{ruby_3.0.1.bb => ruby_3.0.3.bb} (90%) diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch deleted file mode 100644 index 83064e85ab..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2021-31799.patch +++ /dev/null @@ -1,57 +0,0 @@ -From b1c73f239fe9af97de837331849f55d67c27561e Mon Sep 17 00:00:00 2001 -From: aycabta -Date: Sun, 2 May 2021 20:52:23 +0900 -Subject: [PATCH] [ruby/rdoc] Use File.open to fix the OS Command Injection - vulnerability in CVE-2021-31799 - -https://github.com/ruby/rdoc/commit/a7f5d6ab88 - -CVE: CVE-2021-31799 - -Upstream-Status: Backport[https://github.com/ruby/ruby/commit/b1c73f239fe9af97de837331849f55d67c27561e] - -Signed-off-by: Mingli Yu ---- - lib/rdoc/rdoc.rb | 2 +- - test/rdoc/test_rdoc_rdoc.rb | 12 ++++++++++++ - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb -index 680a8612f7..904625f105 100644 ---- a/lib/rdoc/rdoc.rb -+++ b/lib/rdoc/rdoc.rb -@@ -444,7 +444,7 @@ def remove_unparseable files - files.reject do |file, *| - file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or - (file =~ /tags$/i and -- open(file, 'rb') { |io| -+ File.open(file, 'rb') { |io| - io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/ - }) - end -diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb -index 3910dd4656..a83d5a1b88 100644 ---- a/test/rdoc/test_rdoc_rdoc.rb -+++ b/test/rdoc/test_rdoc_rdoc.rb -@@ -456,6 +456,18 @@ def test_remove_unparseable_tags_vim - end - end - -+ def test_remove_unparseable_CVE_2021_31799 -+ temp_dir do -+ file_list = ['| touch evil.txt && echo tags'] -+ file_list.each do |f| -+ FileUtils.touch f -+ end -+ -+ assert_equal file_list, @rdoc.remove_unparseable(file_list) -+ assert_equal file_list, Dir.children('.') -+ end -+ end -+ - def test_setup_output_dir - Dir.mktmpdir {|d| - path = File.join d, 'testdir' --- -2.17.1 - diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch deleted file mode 100644 index 69d774e0b7..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch +++ /dev/null @@ -1,258 +0,0 @@ -From 8cebc092cd18f4cfb669f66018ea8ffc6f408584 Mon Sep 17 00:00:00 2001 -From: Yusuke Endoh -Date: Wed, 7 Jul 2021 11:57:15 +0900 -Subject: [PATCH] Ignore IP addresses in PASV responses by default, and add new - option use_pasv_ip - -This fixes CVE-2021-31810. -Reported by Alexandr Savca. - -Co-authored-by: Shugo Maeda - -CVE: CVE-2021-31810 - -Upstream-Status: Backport -[https://github.com/ruby/ruby/commit/bf4d05173c7cf04d8892e4b64508ecf7902717cd] - -Signed-off-by: Yi Zhao ---- - lib/net/ftp.rb | 15 +++- - test/net/ftp/test_ftp.rb | 159 ++++++++++++++++++++++++++++++++++++++- - 2 files changed, 170 insertions(+), 4 deletions(-) - -diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb -index 88e8655..d6f5cc3 100644 ---- a/lib/net/ftp.rb -+++ b/lib/net/ftp.rb -@@ -98,6 +98,10 @@ module Net - # When +true+, the connection is in passive mode. Default: +true+. - attr_accessor :passive - -+ # When +true+, use the IP address in PASV responses. Otherwise, it uses -+ # the same IP address for the control connection. Default: +false+. -+ attr_accessor :use_pasv_ip -+ - # When +true+, all traffic to and from the server is written - # to +$stdout+. Default: +false+. - attr_accessor :debug_mode -@@ -206,6 +210,9 @@ module Net - # handshake. - # See Net::FTP#ssl_handshake_timeout for - # details. Default: +nil+. -+ # use_pasv_ip:: When +true+, use the IP address in PASV responses. -+ # Otherwise, it uses the same IP address for the control -+ # connection. Default: +false+. - # debug_mode:: When +true+, all traffic to and from the server is - # written to +$stdout+. Default: +false+. - # -@@ -266,6 +273,7 @@ module Net - @open_timeout = options[:open_timeout] - @ssl_handshake_timeout = options[:ssl_handshake_timeout] - @read_timeout = options[:read_timeout] || 60 -+ @use_pasv_ip = options[:use_pasv_ip] || false - if host - connect(host, options[:port] || FTP_PORT) - if options[:username] -@@ -1371,7 +1379,12 @@ module Net - raise FTPReplyError, resp - end - if m = /\((?\d+(?:,\d+){3}),(?\d+,\d+)\)/.match(resp) -- return parse_pasv_ipv4_host(m["host"]), parse_pasv_port(m["port"]) -+ if @use_pasv_ip -+ host = parse_pasv_ipv4_host(m["host"]) -+ else -+ host = @bare_sock.remote_address.ip_address -+ end -+ return host, parse_pasv_port(m["port"]) - else - raise FTPProtoError, resp - end -diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb -index 023e794..243d4ad 100644 ---- a/test/net/ftp/test_ftp.rb -+++ b/test/net/ftp/test_ftp.rb -@@ -61,7 +61,7 @@ class FTPTest < Test::Unit::TestCase - end - - def test_parse227 -- ftp = Net::FTP.new -+ ftp = Net::FTP.new(nil, use_pasv_ip: true) - host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)") - assert_equal("192.168.0.1", host) - assert_equal(3106, port) -@@ -80,6 +80,14 @@ class FTPTest < Test::Unit::TestCase - assert_raise(Net::FTPProtoError) do - ftp.send(:parse227, "227 ) foo bar (") - end -+ -+ ftp = Net::FTP.new -+ sock = OpenStruct.new -+ sock.remote_address = OpenStruct.new -+ sock.remote_address.ip_address = "10.0.0.1" -+ ftp.instance_variable_set(:@bare_sock, sock) -+ host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)") -+ assert_equal("10.0.0.1", host) - end - - def test_parse228 -@@ -2474,10 +2482,155 @@ EOF - end - end - -+ def test_ignore_pasv_ip -+ commands = [] -+ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 -+ server = create_ftp_server(nil, "127.0.0.1") { |sock| -+ sock.print("220 (test_ftp).\r\n") -+ commands.push(sock.gets) -+ sock.print("331 Please specify the password.\r\n") -+ commands.push(sock.gets) -+ sock.print("230 Login successful.\r\n") -+ commands.push(sock.gets) -+ sock.print("200 Switching to Binary mode.\r\n") -+ line = sock.gets -+ commands.push(line) -+ data_server = TCPServer.new("127.0.0.1", 0) -+ port = data_server.local_address.ip_port -+ sock.printf("227 Entering Passive Mode (999,0,0,1,%s).\r\n", -+ port.divmod(256).join(",")) -+ commands.push(sock.gets) -+ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n") -+ conn = data_server.accept -+ binary_data.scan(/.{1,1024}/nm) do |s| -+ conn.print(s) -+ end -+ conn.shutdown(Socket::SHUT_WR) -+ conn.read -+ conn.close -+ data_server.close -+ sock.print("226 Transfer complete.\r\n") -+ } -+ begin -+ begin -+ ftp = Net::FTP.new -+ ftp.passive = true -+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait -+ ftp.connect("127.0.0.1", server.port) -+ ftp.login -+ assert_match(/\AUSER /, commands.shift) -+ assert_match(/\APASS /, commands.shift) -+ assert_equal("TYPE I\r\n", commands.shift) -+ buf = ftp.getbinaryfile("foo", nil) -+ assert_equal(binary_data, buf) -+ assert_equal(Encoding::ASCII_8BIT, buf.encoding) -+ assert_equal("PASV\r\n", commands.shift) -+ assert_equal("RETR foo\r\n", commands.shift) -+ assert_equal(nil, commands.shift) -+ ensure -+ ftp.close if ftp -+ end -+ ensure -+ server.close -+ end -+ end -+ -+ def test_use_pasv_ip -+ commands = [] -+ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 -+ server = create_ftp_server(nil, "127.0.0.1") { |sock| -+ sock.print("220 (test_ftp).\r\n") -+ commands.push(sock.gets) -+ sock.print("331 Please specify the password.\r\n") -+ commands.push(sock.gets) -+ sock.print("230 Login successful.\r\n") -+ commands.push(sock.gets) -+ sock.print("200 Switching to Binary mode.\r\n") -+ line = sock.gets -+ commands.push(line) -+ data_server = TCPServer.new("127.0.0.1", 0) -+ port = data_server.local_address.ip_port -+ sock.printf("227 Entering Passive Mode (127,0,0,1,%s).\r\n", -+ port.divmod(256).join(",")) -+ commands.push(sock.gets) -+ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n") -+ conn = data_server.accept -+ binary_data.scan(/.{1,1024}/nm) do |s| -+ conn.print(s) -+ end -+ conn.shutdown(Socket::SHUT_WR) -+ conn.read -+ conn.close -+ data_server.close -+ sock.print("226 Transfer complete.\r\n") -+ } -+ begin -+ begin -+ ftp = Net::FTP.new -+ ftp.passive = true -+ ftp.use_pasv_ip = true -+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait -+ ftp.connect("127.0.0.1", server.port) -+ ftp.login -+ assert_match(/\AUSER /, commands.shift) -+ assert_match(/\APASS /, commands.shift) -+ assert_equal("TYPE I\r\n", commands.shift) -+ buf = ftp.getbinaryfile("foo", nil) -+ assert_equal(binary_data, buf) -+ assert_equal(Encoding::ASCII_8BIT, buf.encoding) -+ assert_equal("PASV\r\n", commands.shift) -+ assert_equal("RETR foo\r\n", commands.shift) -+ assert_equal(nil, commands.shift) -+ ensure -+ ftp.close if ftp -+ end -+ ensure -+ server.close -+ end -+ end -+ -+ def test_use_pasv_invalid_ip -+ commands = [] -+ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 -+ server = create_ftp_server(nil, "127.0.0.1") { |sock| -+ sock.print("220 (test_ftp).\r\n") -+ commands.push(sock.gets) -+ sock.print("331 Please specify the password.\r\n") -+ commands.push(sock.gets) -+ sock.print("230 Login successful.\r\n") -+ commands.push(sock.gets) -+ sock.print("200 Switching to Binary mode.\r\n") -+ line = sock.gets -+ commands.push(line) -+ sock.print("227 Entering Passive Mode (999,0,0,1,48,57).\r\n") -+ commands.push(sock.gets) -+ } -+ begin -+ begin -+ ftp = Net::FTP.new -+ ftp.passive = true -+ ftp.use_pasv_ip = true -+ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait -+ ftp.connect("127.0.0.1", server.port) -+ ftp.login -+ assert_match(/\AUSER /, commands.shift) -+ assert_match(/\APASS /, commands.shift) -+ assert_equal("TYPE I\r\n", commands.shift) -+ assert_raise(SocketError) do -+ ftp.getbinaryfile("foo", nil) -+ end -+ ensure -+ ftp.close if ftp -+ end -+ ensure -+ server.close -+ end -+ end -+ - private - -- def create_ftp_server(sleep_time = nil) -- server = TCPServer.new(SERVER_ADDR, 0) -+ def create_ftp_server(sleep_time = nil, addr = SERVER_ADDR) -+ server = TCPServer.new(addr, 0) - @thread = Thread.start do - if sleep_time - sleep(sleep_time) --- -2.17.1 - diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch deleted file mode 100644 index b78a74a4b5..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch +++ /dev/null @@ -1,102 +0,0 @@ -From e2ac25d0eb66de99f098d6669cf4f06796aa6256 Mon Sep 17 00:00:00 2001 -From: Shugo Maeda -Date: Tue, 11 May 2021 10:31:27 +0900 -Subject: [PATCH] Fix StartTLS stripping vulnerability - -This fixes CVE-2021-32066. -Reported by Alexandr Savca in . - -CVE: CVE-2021-32066 - -Upstream-Status: Backport -[https://github.com/ruby/ruby/commit/e2ac25d0eb66de99f098d6669cf4f06796aa6256] - -Signed-off-by: Yi Zhao ---- - lib/net/imap.rb | 8 +++++++- - test/net/imap/test_imap.rb | 31 +++++++++++++++++++++++++++++++ - 2 files changed, 38 insertions(+), 1 deletion(-) - -diff --git a/lib/net/imap.rb b/lib/net/imap.rb -index 505b4c8950..d45304f289 100644 ---- a/lib/net/imap.rb -+++ b/lib/net/imap.rb -@@ -1218,12 +1218,14 @@ def get_tagged_response(tag, cmd) - end - resp = @tagged_responses.delete(tag) - case resp.name -+ when /\A(?:OK)\z/ni -+ return resp - when /\A(?:NO)\z/ni - raise NoResponseError, resp - when /\A(?:BAD)\z/ni - raise BadResponseError, resp - else -- return resp -+ raise UnknownResponseError, resp - end - end - -@@ -3719,6 +3721,10 @@ class BadResponseError < ResponseError - class ByeResponseError < ResponseError - end - -+ # Error raised upon an unknown response from the server. -+ class UnknownResponseError < ResponseError -+ end -+ - RESPONSE_ERRORS = Hash.new(ResponseError) - RESPONSE_ERRORS["NO"] = NoResponseError - RESPONSE_ERRORS["BAD"] = BadResponseError -diff --git a/test/net/imap/test_imap.rb b/test/net/imap/test_imap.rb -index 8b924b524e..85fb71d440 100644 ---- a/test/net/imap/test_imap.rb -+++ b/test/net/imap/test_imap.rb -@@ -127,6 +127,16 @@ def test_starttls - imap.disconnect - end - end -+ -+ def test_starttls_stripping -+ starttls_stripping_test do |port| -+ imap = Net::IMAP.new("localhost", :port => port) -+ assert_raise(Net::IMAP::UnknownResponseError) do -+ imap.starttls(:ca_file => CA_FILE) -+ end -+ imap -+ end -+ end - end - - def start_server -@@ -834,6 +844,27 @@ def starttls_test - end - end - -+ def starttls_stripping_test -+ server = create_tcp_server -+ port = server.addr[1] -+ start_server do -+ sock = server.accept -+ begin -+ sock.print("* OK test server\r\n") -+ sock.gets -+ sock.print("RUBY0001 BUG unhandled command\r\n") -+ ensure -+ sock.close -+ server.close -+ end -+ end -+ begin -+ imap = yield(port) -+ ensure -+ imap.disconnect if imap && !imap.disconnected? -+ end -+ end -+ - def create_tcp_server - return TCPServer.new(server_addr, 0) - end --- -2.25.1 - diff --git a/meta/recipes-devtools/ruby/ruby_3.0.1.bb b/meta/recipes-devtools/ruby/ruby_3.0.3.bb similarity index 90% rename from meta/recipes-devtools/ruby/ruby_3.0.1.bb rename to meta/recipes-devtools/ruby/ruby_3.0.3.bb index a348946972..a781f69534 100644 --- a/meta/recipes-devtools/ruby/ruby_3.0.1.bb +++ b/meta/recipes-devtools/ruby/ruby_3.0.3.bb @@ -6,16 +6,13 @@ SRC_URI += " \ file://remove_has_include_macros.patch \ file://run-ptest \ file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \ - file://CVE-2021-31810.patch \ - file://CVE-2021-32066.patch \ - file://CVE-2021-31799.patch \ file://0003-rdoc-build-reproducible-documentation.patch \ file://0004-lib-mkmf.rb-sort-list-of-object-files-in-generated-M.patch \ file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \ file://0006-Make-gemspecs-reproducible.patch \ " -SRC_URI[sha256sum] = "369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727" +SRC_URI[sha256sum] = "3586861cb2df56970287f0fd83f274bd92058872d830d15570b36def7f1a92ac" PACKAGECONFIG ??= "" PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}" @@ -81,8 +78,6 @@ do_install_ptest () { -i ${D}${PTEST_PATH}/test/erb/test_erb_command.rb cp -r ${S}/include ${D}/${libdir}/ruby/ - test_case_rb=`grep rubygems/test_case.rb ${B}/.installed.list` - sed -i -e 's:../../../test/:../../../ptest/test/:g' ${D}/$test_case_rb } PACKAGES =+ "${PN}-ri-docs ${PN}-rdoc" From patchwork Mon Feb 28 03:38:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 4375 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F839C433FE for ; Mon, 28 Feb 2022 03:40:35 +0000 (UTC) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web10.16230.1646019633714561008 for ; Sun, 27 Feb 2022 19:40:34 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=TcgrH1z7; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1646019634; x=1677555634; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=WI0PH5tBcC1+f4iMsOYKWGsuOikQBGPGBdyMDgT8Zic=; b=TcgrH1z7JGDraqxaFwxAnlCLb+x1te0933kHO4cQSLn+3Ak59tU7mQM3 ESpJ4UYLyv+z/CNDff8xO+J1Wys5IMXLQVNCxTm6GVkwGQWGkN+V2qGng dn6sa4p+RChAqY/l3rL7wLq1nX7q3LY8t0ikzyKzjuJhFFuTKd0AWlaQB 05luN0UhasFI7eZoTaNMPgMTKeD7eQpattRybQsVAdI3RP/YrvYGgB0DP RA0zhO2nIDNh6pyXdppzZohcgVeLwD9K2pem21XkCKLqExCnzGjQu1GkS TBb9+clubUGhX/FB8dH/uNV1WsTng3w/fYaWmHtZY0aI3RFtgDSt6VZ+n g==; X-IronPort-AV: E=McAfee;i="6200,9189,10271"; a="252988317" X-IronPort-AV: E=Sophos;i="5.90,142,1643702400"; d="scan'208";a="252988317" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Feb 2022 19:40:33 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.90,142,1643702400"; d="scan'208";a="509942099" Received: from cheeyang-desk1.png.intel.com ([10.158.87.104]) by orsmga006.jf.intel.com with ESMTP; 27 Feb 2022 19:40:32 -0800 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [PATCH][hardknott 2/3] ghostscript: fix CVE-2021-45949 Date: Mon, 28 Feb 2022 11:38:38 +0800 Message-Id: <20220228033839.2386940-2-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220228033839.2386940-1-chee.yang.lee@intel.com> References: <20220228033839.2386940-1-chee.yang.lee@intel.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 28 Feb 2022 03:40:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/162449 From: Minjae Kim Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp). To apply this CVE-2021-45959 patch, the check-stack-limits-after-function-evalution.patch should be applied first. References: https://nvd.nist.gov/vuln/detail/CVE-2021-45949 (From OE-Core rev: 5fb43ed64ae32abe4488f2eb37c1b82f97f83db0) Signed-off-by: Minjae Kim Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie Signed-off-by: Lee Chee Yang --- .../ghostscript/CVE-2021-45949.patch | 65 +++++++++++++++++++ ...tack-limits-after-function-evalution.patch | 51 +++++++++++++++ .../ghostscript/ghostscript_9.53.3.bb | 2 + 3 files changed, 118 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch new file mode 100644 index 0000000000..f312f89e04 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch @@ -0,0 +1,65 @@ +From 6643ff0cb837db3eade489ffff21e3e92eee2ae0 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Fri, 28 Jan 2022 08:21:19 +0000 +Subject: [PATCH] [PATCH] Bug 703902: Fix op stack management in + sampled_data_continue() + +Replace pop() (which does no checking, and doesn't handle stack extension +blocks) with ref_stack_pop() which does do all that. + +We still use pop() in one case (it's faster), but we have to later use +ref_stack_pop() before calling sampled_data_sample() which also accesses the +op stack. + +Fixes: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 + +Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7] +CVE: CVE-2021-45949 +Signed-off-by: Minjae Kim +--- + psi/zfsample.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 0023fa4..f84671f 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -534,14 +534,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */ + } + pop(num_out); /* Move op to base of result values */ +- ++ /* From here on, we have to use ref_stack_pop() rather than pop() ++ so that it handles stack extension blocks properly, before calling ++ sampled_data_sample() which also uses the op stack. ++ */ + /* Check if we are done collecting data. */ + + if (increment_cube_indexes(params, penum->indexes)) { + if (stack_depth_adjust == 0) +- pop(O_STACK_PAD); /* Remove spare stack space */ ++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */ + else +- pop(stack_depth_adjust - num_out); ++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out); + /* Execute the closing procedure, if given */ + code = 0; + if (esp_finish_proc != 0) +@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + if ((O_STACK_PAD - stack_depth_adjust) < 0) { + stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust); + check_op(stack_depth_adjust); +- pop(stack_depth_adjust); ++ ref_stack_pop(&o_stack, stack_depth_adjust); + } + else { + check_ostack(O_STACK_PAD - stack_depth_adjust); +- push(O_STACK_PAD - stack_depth_adjust); ++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust); + for (i=0;i +Date: Fri, 12 Feb 2021 10:34:23 +0000 +Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation. + +During function result sampling, after the callout to the Postscript +interpreter, make sure there is enough stack space available before pushing +or popping entries. + +In thise case, the Postscript procedure for the "function" is totally invalid +(as a function), and leaves the op stack in an unrecoverable state (as far as +function evaluation is concerned). We end up popping more entries off the +stack than are available. + +To cope, add in stack limit checking to throw an appropriate error when this +happens. + +Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25] +Signed-off-by: Minjae Kim +--- + psi/zfsample.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/psi/zfsample.c b/psi/zfsample.c +index 290809405..652ae02c6 100644 +--- a/psi/zfsample.c ++++ b/psi/zfsample.c +@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p) + } else { + if (stack_depth_adjust) { + stack_depth_adjust -= num_out; +- push(O_STACK_PAD - stack_depth_adjust); +- for (i=0;i X-Patchwork-Id: 4377 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4612BC4332F for ; Mon, 28 Feb 2022 03:40:36 +0000 (UTC) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web10.16230.1646019633714561008 for ; Sun, 27 Feb 2022 19:40:35 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=inxfjBPE; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1646019635; x=1677555635; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=ZnM6gZ7/VAQO5lmDRUa+E99X6DVSMTOeNHancMzEjQU=; b=inxfjBPEkHOadW46Nev2/QVEOiKcLgQF9tkRsfo0D43tBSHhRqhU7YNq ON9VQCCh71MZ0OG0SnOaxobI9ho9VDdCDHj73AE1dQ7SBxFOqcY8F4VR6 P70aazhSRWUyXewXPf+nle2/H9sb9r28rv+MJwM8OqrGEa0QjUQwEnIh+ 7mHcMnc/mBFR2gGDlkWHKNfJF9eCo3VZX9ozrWN+StTctti27CDp5dSUq vVC0EjRRpbn1/yQF/BN/WeBy0L9NsEktTHy/g/2E0SKltRPusf/5dsgdl vt9HyXqCRDGewO+D7q/O/H3QnrBhPtqNkMtFvAFbbA1NbsxhDQdGvZMAP A==; X-IronPort-AV: E=McAfee;i="6200,9189,10271"; a="252988324" X-IronPort-AV: E=Sophos;i="5.90,142,1643702400"; d="scan'208";a="252988324" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Feb 2022 19:40:34 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.90,142,1643702400"; d="scan'208";a="509942100" Received: from cheeyang-desk1.png.intel.com ([10.158.87.104]) by orsmga006.jf.intel.com with ESMTP; 27 Feb 2022 19:40:33 -0800 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [PATCH][hardknott 3/3] libgcrypt: Upgrade 1.9.3 -> 1.9.4 Date: Mon, 28 Feb 2022 11:38:39 +0800 Message-Id: <20220228033839.2386940-3-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220228033839.2386940-1-chee.yang.lee@intel.com> References: <20220228033839.2386940-1-chee.yang.lee@intel.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 28 Feb 2022 03:40:36 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/162450 From: Richard Purdie Includes a fix for CVE-2021-40528. (From OE-Core rev: 24664297abd3844902fa40c21e4e975d89f40383) Signed-off-by: Richard Purdie Signed-off-by: Lee Chee Yang --- .../libgcrypt/{libgcrypt_1.9.3.bb => libgcrypt_1.9.4.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-support/libgcrypt/{libgcrypt_1.9.3.bb => libgcrypt_1.9.4.bb} (96%) diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.9.3.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.9.4.bb similarity index 96% rename from meta/recipes-support/libgcrypt/libgcrypt_1.9.3.bb rename to meta/recipes-support/libgcrypt/libgcrypt_1.9.4.bb index fd3d8e09f2..c212d02651 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.9.3.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.9.4.bb @@ -27,7 +27,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \ file://0001-Makefile.am-add-a-missing-space.patch \ " -SRC_URI[sha256sum] = "97ebe4f94e2f7e35b752194ce15a0f3c66324e0ff6af26659bbfb5ff2ec328fd" +SRC_URI[sha256sum] = "ea849c83a72454e3ed4267697e8ca03390aee972ab421e7df69dfe42b65caaf7" # Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro. CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"