From patchwork Wed Sep 14 02:25:11 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 12825
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 1/9] python3: Fix CVE-2021-28861 for python3
Date: Tue, 13 Sep 2022 16:25:11 -1000
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170619

From: "Khan@kpit.com"

Add patch to fix CVE-2021-28861

CVE-2021-28861.patch
Link: https://github.com/python/cpython/commit/4dc2cae3abd75f386374d0635d00443b897d0672

Signed-off-by: Riyaz Khan
Signed-off-by: Steve Sakoman
---
 .../python/python3/CVE-2021-28861.patch | 135 ++++++++++++++++++
 .../recipes-devtools/python/python3_3.8.13.bb | 1 +
 2 files changed, 136 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2021-28861.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2021-28861.patch b/meta/recipes-devtools/python/python3/CVE-2021-28861.patch new file mode 100644 index 0000000000..dc97c6b4eb --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2021-28861.patch 
@@ -0,0 +1,135 @@ +From 4dc2cae3abd75f386374d0635d00443b897d0672 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Wed, 22 Jun 2022 01:42:52 -0700 +Subject: [PATCH] gh-87389: Fix an open redirection vulnerability in + http.server. (GH-93879) (GH-94094) + +Fix an open redirection vulnerability in the `http.server` module when +an URI path starts with `//` that could produce a 301 Location header +with a misleading target. Vulnerability discovered, and logic fix +proposed, by Hamza Avvan (@hamzaavvan). + +Test and comments authored by Gregory P. Smith [Google]. +(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e) + +Co-authored-by: Gregory P. Smith + +Signed-off-by: Riyaz Khan + +CVE: CVE-2021-28861 + +Upstream-Status: Backport [https://github.com/python/cpython/commit/4dc2cae3abd75f386374d0635d00443b897d0672] + +--- + Lib/http/server.py | 7 +++ + Lib/test/test_httpservers.py | 53 ++++++++++++++++++- + ...2-06-15-20-09-23.gh-issue-87389.QVaC3f.rst | 3 ++ + 3 files changed, 61 insertions(+), 2 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst + +diff --git a/Lib/http/server.py b/Lib/http/server.py +index 38f7accad7a3..39de35458c38 100644 +--- a/Lib/http/server.py ++++ b/Lib/http/server.py +@@ -332,6 +332,13 @@ def parse_request(self): + return False + self.command, self.path = command, path + ++ # gh-87389: The purpose of replacing '//' with '/' is to protect ++ # against open redirect attacks possibly triggered if the path starts ++ # with '//' because http clients treat //path as an absolute URI ++ # without scheme (similar to http://path) rather than a path. ++ if self.path.startswith('//'): ++ self.path = '/' + self.path.lstrip('/') # Reduce to a single / ++ + # Examine the headers and look for a Connection directive. 
+ try: + self.headers = http.client.parse_headers(self.rfile, +diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py +index 87d4924a34b3..fb026188f0b4 100644 +--- a/Lib/test/test_httpservers.py ++++ b/Lib/test/test_httpservers.py +@@ -330,7 +330,7 @@ class request_handler(NoLogRequestHandler, SimpleHTTPRequestHandler): + pass + + def setUp(self): +- BaseTestCase.setUp(self) ++ super().setUp() + self.cwd = os.getcwd() + basetempdir = tempfile.gettempdir() + os.chdir(basetempdir) +@@ -358,7 +358,7 @@ def tearDown(self): + except: + pass + finally: +- BaseTestCase.tearDown(self) ++ super().tearDown() + + def check_status_and_reason(self, response, status, data=None): + def close_conn(): +@@ -414,6 +414,55 @@ def test_undecodable_filename(self): + self.check_status_and_reason(response, HTTPStatus.OK, + data=support.TESTFN_UNDECODABLE) + ++ def test_get_dir_redirect_location_domain_injection_bug(self): ++ """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location. ++ ++ //netloc/ in a Location header is a redirect to a new host. ++ https://github.com/python/cpython/issues/87389 ++ ++ This checks that a path resolving to a directory on our server cannot ++ resolve into a redirect to another server. ++ """ ++ os.mkdir(os.path.join(self.tempdir, 'existing_directory')) ++ url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory' ++ expected_location = f'{url}/' # /python.org.../ single slash single prefix, trailing slash ++ # Canonicalizes to /tmp/tempdir_name/existing_directory which does ++ # exist and is a dir, triggering the 301 redirect logic. ++ response = self.request(url) ++ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) ++ location = response.getheader('Location') ++ self.assertEqual(location, expected_location, msg='non-attack failed!') ++ ++ # //python.org... 
multi-slash prefix, no trailing slash ++ attack_url = f'/{url}' ++ response = self.request(attack_url) ++ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) ++ location = response.getheader('Location') ++ self.assertFalse(location.startswith('//'), msg=location) ++ self.assertEqual(location, expected_location, ++ msg='Expected Location header to start with a single / and ' ++ 'end with a / as this is a directory redirect.') ++ ++ # ///python.org... triple-slash prefix, no trailing slash ++ attack3_url = f'//{url}' ++ response = self.request(attack3_url) ++ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) ++ self.assertEqual(response.getheader('Location'), expected_location) ++ ++ # If the second word in the http request (Request-URI for the http ++ # method) is a full URI, we don't worry about it, as that'll be parsed ++ # and reassembled as a full URI within BaseHTTPRequestHandler.send_head ++ # so no errant scheme-less //netloc//evil.co/ domain mixup can happen. ++ attack_scheme_netloc_2slash_url = f'https://pypi.org/{url}' ++ expected_scheme_netloc_location = f'{attack_scheme_netloc_2slash_url}/' ++ response = self.request(attack_scheme_netloc_2slash_url) ++ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) ++ location = response.getheader('Location') ++ # We're just ensuring that the scheme and domain make it through, if ++ # there are or aren't multiple slashes at the start of the path that ++ # follows that isn't important in this Location: header. 
++ self.assertTrue(location.startswith('https://pypi.org/'), msg=location) ++ + def test_get(self): + #constructs the path relative to the root directory of the HTTPServer + response = self.request(self.base_url + '/test') +diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst +new file mode 100644 +index 000000000000..029d437190de +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst +@@ -0,0 +1,3 @@ ++:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server ++when an URI path starts with ``//``. Vulnerability discovered, and initial ++fix proposed, by Hamza Avvan. diff --git a/meta/recipes-devtools/python/python3_3.8.13.bb b/meta/recipes-devtools/python/python3_3.8.13.bb index 040bacf97c..d87abe2351 100644 --- a/meta/recipes-devtools/python/python3_3.8.13.bb +++ b/meta/recipes-devtools/python/python3_3.8.13.bb 
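Review bot: the `//` normalisation sits in `parse_request`, so it runs before `self.path` reaches any handler, and it only fires when the path begins with `//`; `'/' + self.path.lstrip('/')` also collapses `///...`, which the `attack3_url` case in the new test covers, while a Request-URI carrying a scheme (`https://pypi.org/...`) is deliberately left alone because, as the last test block explains, `send_head` parses and reassembles a full URI. Two things to tidy in the commit text: the `BaseTestCase.setUp(self)` to `super().setUp()` and matching `tearDown` hunks in test_httpservers.py are unrelated to the CVE and are simply carried over from upstream, which deserves a sentence, and the Misc/NEWS.d entry is harmless but serves no purpose in an OE backport. The hash in the `From` line (4dc2cae3...) and the Upstream-Status link agree.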
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ file://makerace.patch \ + file://CVE-2021-28861.patch \ " SRC_URI_append_class-native = " \

From patchwork Wed Sep 14 02:25:12 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 12824
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 2/9] tiff: Fix for CVE-2022-2867/8/9
Date: Tue, 13 Sep 2022 16:25:12 -1000
Message-Id: <67df7488bf66183ffdb9f497f00ad291b79210d3.1663122098.git.steve@sakoman.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170620

From: Virendra Thakur

Add Patch to fix CVE-2022-2867, CVE-2022-2868 CVE-2022-2869
Signed-off-by: Virendra Thakur
Signed-off-by: Steve Sakoman
---
 ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 159 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
 2 files changed, 160 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000000..131ff94119
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@ +From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Wed, 9 Feb 2022 21:31:29 +0000 +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting + uint32_t underflow. + +CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c] +Signed-off-by: Virendra Thakur +--- +Index: tiff-4.1.0/tools/tiffcrop.c +=================================================================== +--- tiff-4.1.0.orig/tools/tiffcrop.c ++++ tiff-4.1.0/tools/tiffcrop.c +@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } +- if (x1 < 1) +- crop->regionlist[i].x1 = 0; +- else +- crop->regionlist[i].x1 = (uint32) (x1 - 1); ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 ++ * b) Corners are expected to be submitted as top-left to bottom-right. ++ * Therefore, check that and reorder input. 
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) ++ */ ++ uint32_t aux; ++ if (x1 > x2) { ++ aux = x1; ++ x1 = x2; ++ x2 = aux; ++ } ++ if (y1 > y2) { ++ aux = y1; ++ y1 = y2; ++ y2 = aux; ++ } ++ if (x1 > image->width - 1) ++ crop->regionlist[i].x1 = image->width - 1; ++ else if (x1 > 0) ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1); + + if (x2 > image->width - 1) + crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = (uint32) (x2 - 1); +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; +- +- if (y1 < 1) +- crop->regionlist[i].y1 = 0; +- else +- crop->regionlist[i].y1 = (uint32) (y1 - 1); ++ else if (x2 > 0) ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); ++ ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ ++ if (y1 > image->length - 1) ++ crop->regionlist[i].y1 = image->length - 1; ++ else if (y1 > 0) ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); + + if (y2 > image->length - 1) + crop->regionlist[i].y2 = image->length - 1; +- else +- crop->regionlist[i].y2 = (uint32) (y2 - 1); +- +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; ++ else if (y2 > 0) ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); + ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + if (zwidth > max_width) + max_width = zwidth; + if (zlength > max_length) +@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas + } + } + return (0); +- } ++ } /* crop_mode == CROP_REGIONS */ + + /* Convert crop margins into offsets into image + * Margins are expressed as pixel rows and columns, not bytes +@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas + bmargin = (uint32) 0; + return (-1); + } +- } ++ } /* crop_mode == CROP_MARGINS */ + else + { /* no margins requested */ + tmargin = (uint32) 0; +@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas + off->endx = endx; + off->endy = endy; + +- crop_width = endx - startx + 1; +- crop_length = endy - starty + 1; +- +- 
if (crop_width <= 0) ++ if (endx + 1 <= startx) + { + TIFFError("computeInputPixelOffsets", + "Invalid left/right margins and /or image crop width requested"); + return (-1); + } ++ crop_width = endx - startx + 1; + if (crop_width > image->width) + crop_width = image->width; + +- if (crop_length <= 0) ++ if (endy + 1 <= starty) + { + TIFFError("computeInputPixelOffsets", + "Invalid top/bottom margins and /or image crop length requested"); + return (-1); + } ++ crop_length = endy - starty + 1; + if (crop_length > image->length) + crop_length = image->length; + +@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image, + else + crop->selections = crop->zones; + +- for (i = 0; i < crop->zones; i++) ++ /* Initialize regions iterator i */ ++ i = 0; ++ for (int j = 0; j < crop->zones; j++) + { +- seg = crop->zonelist[i].position; +- total = crop->zonelist[i].total; ++ seg = crop->zonelist[j].position; ++ total = crop->zonelist[j].total; ++ ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ ++ if (seg == 0 || total == 0 || seg > total) { ++ continue; ++ } + + switch (crop->edge_ref) + { +@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image, + i + 1, (uint32)zwidth, (uint32)zlength, + crop->regionlist[i].x1, crop->regionlist[i].x2, + crop->regionlist[i].y1, crop->regionlist[i].y2); ++ /* increment regions iterator */ ++ i++; + } +- ++ /* set number of generated regions out of given zones */ ++ crop->selections = i; + return (0); + } /* end getCropOffsets */ + +-- +GitLab diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index c061d2aaac..93a35230d6 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb 
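Review bot: in the region-clamping hunk of computeInputPixelOffsets, the `x1 == 0` case (and likewise `x2`, `y1`, `y2 == 0`) now falls through both branches of `if (x1 > image->width - 1) ... else if (x1 > 0) ...`, so `crop->regionlist[i].x1` is left unassigned where the removed code explicitly stored 0. That is only equivalent if `regionlist` is zeroed before this function runs for every image; otherwise a value from a previous image in a multi-page run survives, so either confirm that or add an explicit `else crop->regionlist[i].x1 = 0;` for each of the four coordinates. The swap of corners before clamping and the `if (endx + 1 <= startx)` / `if (endy + 1 <= starty)` tests are the right way to avoid the unsigned underflow that the old `crop_width <= 0` comparison could never catch. Style: the hunk introduces `uint32_t` and a `for (int j ...)` declaration where the rest of 4.1.0's tiffcrop.c uses the `uint32` typedef; check that stdint.h is actually reachable from this file in 4.1.0 or use `uint32` to match. The hash in the `From` line and the Upstream-Status link agree (07d79fca...).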
@@ -26,6 +26,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2022-0924.patch \ file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \ file://CVE-2022-34526.patch \ + file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"

From patchwork Wed Sep 14 02:25:13 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 12830
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 3/9] tiff: Security fixes CVE-2022-1354 and CVE-2022-1355
Date: Tue, 13 Sep 2022 16:25:13 -1000
Message-Id: <8414d39f3f89cc1176bd55c9455ad942db8ea4b1.1663122098.git.steve@sakoman.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170621
From: Yi Zhao

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-1354
https://security-tracker.debian.org/tracker/CVE-2022-1354
https://nvd.nist.gov/vuln/detail/CVE-2022-1355
https://security-tracker.debian.org/tracker/CVE-2022-1355

Patches from:
CVE-2022-1354: https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798
CVE-2022-1355: https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2

(From OE-Core rev: 6c373c041f1dd45458866408d1ca16d47cacbd86)

Signed-off-by: Yi Zhao
Signed-off-by: Steve Sakoman
Signed-off-by: Richard Purdie
Signed-off-by: Chee Yang Lee
Signed-off-by: Steve Sakoman
---
 .../libtiff/tiff/CVE-2022-1354.patch | 212 ++++++++++++++++++
 .../libtiff/tiff/CVE-2022-1355.patch | 62 +++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 2 +
 3 files changed, 276 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
new file mode 100644
index 0000000000..71b85cac10
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
@@ -0,0 +1,212 @@ +From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 5 Dec 2021 14:37:46 +0100 +Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319) + +to avoid having the size of the strip arrays inconsistent with the +number of strips returned by TIFFNumberOfStrips(), which may cause +out-ouf-bounds array read afterwards. + +One of the OJPEG hack that alters SamplesPerPixel may influence the +number of strips. Hence compute tif_dir.td_nstrips only afterwards. + +CVE: CVE-2022-1354 + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798] + +Signed-off-by: Yi Zhao +--- + libtiff/tif_dirread.c | 162 ++++++++++++++++++++++-------------------- + 1 file changed, 83 insertions(+), 79 deletions(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 8f434ef5..14c031d1 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif) + MissingRequired(tif,"ImageLength"); + goto bad; + } +- /* +- * Setup appropriate structures (by strip or by tile) +- */ +- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { +- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); +- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; +- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; +- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; +- tif->tif_flags &= ~TIFF_ISTILED; +- } else { +- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); +- tif->tif_flags |= TIFF_ISTILED; +- } +- if (!tif->tif_dir.td_nstrips) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "Cannot handle zero number of %s", +- isTiled(tif) ? 
"tiles" : "strips"); +- goto bad; +- } +- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; +- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) +- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; +- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { +-#ifdef OJPEG_SUPPORT +- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && +- (isTiled(tif)==0) && +- (tif->tif_dir.td_nstrips==1)) { +- /* +- * XXX: OJPEG hack. +- * If a) compression is OJPEG, b) it's not a tiled TIFF, +- * and c) the number of strips is 1, +- * then we tolerate the absence of stripoffsets tag, +- * because, presumably, all required data is in the +- * JpegInterchangeFormat stream. +- */ +- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); +- } else +-#endif +- { +- MissingRequired(tif, +- isTiled(tif) ? "TileOffsets" : "StripOffsets"); +- goto bad; +- } +- } ++ + /* + * Second pass: extract other information. + */ +@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif) + } /* -- if (!dp->tdir_ignore) */ + } /* -- for-loop -- */ + +- if( tif->tif_mode == O_RDWR && +- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && +- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && +- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && +- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) +- { +- /* Directory typically created with TIFFDeferStrileArrayWriting() */ +- TIFFSetupStrips(tif); +- } +- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) +- { +- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) +- { +- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), +- tif->tif_dir.td_nstrips, +- &tif->tif_dir.td_stripoffset_p)) +- { +- goto bad; +- } +- } +- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) +- 
{ +- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), +- tif->tif_dir.td_nstrips, +- &tif->tif_dir.td_stripbytecount_p)) +- { +- goto bad; +- } +- } +- } +- + /* + * OJPEG hack: + * - If a) compression is OJPEG, and b) photometric tag is missing, +@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif) + } + } + ++ /* ++ * Setup appropriate structures (by strip or by tile) ++ * We do that only after the above OJPEG hack which alters SamplesPerPixel ++ * and thus influences the number of strips in the separate planarconfig. ++ */ ++ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { ++ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); ++ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; ++ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; ++ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; ++ tif->tif_flags &= ~TIFF_ISTILED; ++ } else { ++ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); ++ tif->tif_flags |= TIFF_ISTILED; ++ } ++ if (!tif->tif_dir.td_nstrips) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot handle zero number of %s", ++ isTiled(tif) ? "tiles" : "strips"); ++ goto bad; ++ } ++ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; ++ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) ++ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; ++ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { ++#ifdef OJPEG_SUPPORT ++ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && ++ (isTiled(tif)==0) && ++ (tif->tif_dir.td_nstrips==1)) { ++ /* ++ * XXX: OJPEG hack. ++ * If a) compression is OJPEG, b) it's not a tiled TIFF, ++ * and c) the number of strips is 1, ++ * then we tolerate the absence of stripoffsets tag, ++ * because, presumably, all required data is in the ++ * JpegInterchangeFormat stream. ++ */ ++ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); ++ } else ++#endif ++ { ++ MissingRequired(tif, ++ isTiled(tif) ? 
"TileOffsets" : "StripOffsets"); ++ goto bad; ++ } ++ } ++ ++ if( tif->tif_mode == O_RDWR && ++ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && ++ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && ++ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && ++ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) ++ { ++ /* Directory typically created with TIFFDeferStrileArrayWriting() */ ++ TIFFSetupStrips(tif); ++ } ++ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) ++ { ++ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) ++ { ++ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), ++ tif->tif_dir.td_nstrips, ++ &tif->tif_dir.td_stripoffset_p)) ++ { ++ goto bad; ++ } ++ } ++ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) ++ { ++ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), ++ tif->tif_dir.td_nstrips, ++ &tif->tif_dir.td_stripbytecount_p)) ++ { ++ goto bad; ++ } ++ } ++ } ++ + /* + * Make sure all non-color channels are extrasamples. + * If it's not the case, define them as such. +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch new file mode 100644 index 0000000000..e59f5aad55 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch 
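Review bot: the hash in the patch's `From` line (87881e093691a35c60b91cafed058ba2dd5d9807) does not match the Upstream-Status URL (87f580f39011109b3bb5f6eca13fac543a542798) nor the `Patches from:` link in the cover text; one is presumably the branch backport and the other the master commit, so make the two agree or say which is which, since CVE tooling keys off these lines. The move itself reads as faithful: the strip/tile setup block and the deferred-strile-load block deleted from the first two hunks reappear verbatim after the OJPEG hack, with only the comment extended to say why, which squares with the 83(+)/79(-) diffstat, and relocating them is the actual fix because `td_nstrips` must be computed only after the OJPEG hack may have altered SamplesPerPixel so that `TIFFFetchStripThing` sizes the arrays consistently with `TIFFNumberOfStrips()`. Minor: the message has the typo `out-ouf-bounds`.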
@@ -0,0 +1,62 @@ +From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 2 Apr 2022 22:33:31 +0200 +Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400) + +CVE: CVE-2022-1355 + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2] + +Signed-off-by: Yi Zhao +--- + tools/tiffcp.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index fd129bb7..8d944ff6 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -274,19 +274,34 @@ main(int argc, char* argv[]) + deftilewidth = atoi(optarg); + break; + case 'B': +- *mp++ = 'b'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'b'; *mp = '\0'; ++ } + break; + case 'L': +- *mp++ = 'l'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'l'; *mp = '\0'; ++ } + break; + case 'M': +- *mp++ = 'm'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'm'; *mp = '\0'; ++ } + break; + case 'C': +- *mp++ = 'c'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'c'; *mp = '\0'; ++ } + break; + case '8': +- *mp++ = '8'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode)-1)) ++ { ++ *mp++ = '8'; *mp = '\0'; ++ } + break; + case 'x': + pageInSeq = 1; +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 93a35230d6..74ececb113 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb 
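Review bot: In the CVE-2022-1354 hunk for TIFFReadDirectory, the `tif_mode == O_RDWR` branch calls `TIFFSetupStrips(tif);` and discards its return value, whereas every other path in the same block that sets up the strip arrays does `goto bad` on failure; TIFFSetupStrips returns an int status, so `if (!TIFFSetupStrips(tif)) goto bad;` would keep the error handling uniform. The reordering itself is the substance of the fix: as the block comment says, td_nstrips is now computed only after the OJPEG hack has altered SamplesPerPixel, so the StripOffsets/StripByteCounts arrays fetched through TIFFFetchStripThing are sized from the same strip count the rest of the reader uses, and the new "Cannot handle zero number of %s" check rejects an empty count before those fetches. In the CVE-2022-1355 tiffcp hunk, the five `if (strlen(mode) < (sizeof(mode) - 1))` guards are identical copies (the '8' case spells it `(sizeof(mode)-1)`), and each silently drops the option once `mode` is full; a small helper that appends one character and warns on stderr when the buffer is full would remove the duplication and tell the user which flag was ignored instead of quietly producing a different output mode. Those checks also rely on `mode` being a fixed-size array, since `sizeof(mode)` would become the size of a pointer otherwise; a comment at its declaration noting that dependency is cheap insurance.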
@@ -27,6 +27,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \ file://CVE-2022-34526.patch \ file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \ + file://CVE-2022-1354.patch \ + file://CVE-2022-1355.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"

From patchwork Wed Sep 14 02:25:14 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 12828
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 4/9] connman: fix CVE-2022-32292
Date: Tue, 13 Sep 2022 16:25:14 -1000
Message-Id: <380b6fb2583f875aad0cb28c91b1531e63eb2eeb.1663122098.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170622

From: Chee Yang Lee

Signed-off-by: Chee Yang Lee
Signed-off-by: Steve Sakoman
---
 .../connman/connman/CVE-2022-32292.patch | 37 +++++++++++++++++++
 .../connman/connman_1.37.bb | 1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
new file mode 100644
index 0000000000..74a739d6a2
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@ +From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 +From: Nathan Crandall +Date: Tue, 12 Jul 2022 08:56:34 +0200 +Subject: gweb: Fix OOB write in received_data() + +There is a mismatch of handling binary vs. C-string data with memchr +and strlen, resulting in pos, count, and bytes_read to become out of +sync and result in a heap overflow. Instead, do not treat the buffer +as an ASCII C-string. We calculate the count based on the return value +of memchr, instead of strlen. + +Fixes: CVE-2022-32292 + +Upstream-Status: Backport +https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b +CVE: CVE-2022-32292 +Signed-off-by: Lee Chee Yang +--- + gweb/gweb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gweb/gweb.c b/gweb/gweb.c +index 12fcb1d8..13c6c5f2 100644 +--- a/gweb/gweb.c ++++ b/gweb/gweb.c +@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, + } + + *pos = '\0'; +- count = strlen((char *) ptr); ++ count = pos - ptr; + if (count > 0 && ptr[count - 1] == '\r') { + ptr[--count] = '\0'; + bytes_read--; +-- +cgit + diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index bdd1e590ec..4f22c7ad49 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb 
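Review bot: The Upstream-Status link in the patch header drops the last hex digit of the commit id (`...563b9312b` versus `d1a5ede5d255bde8ef707f8441b997563b9312bd` in the From line), so the URL should be corrected before this is merged. On the gweb/gweb.c hunk, `count = pos - ptr;` assigns a pointer difference to `count`; since `pos` comes from `memchr` over the buffer that starts at `ptr` it is never before `ptr`, but a one-line comment saying so, and saying that this deliberately counts bytes rather than the C-string length because the received data may contain NUL bytes, would keep the next reader from "simplifying" it back to `strlen`.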
@@ -12,6 +12,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://CVE-2021-33833.patch \ file://CVE-2022-23096-7.patch \ file://CVE-2022-23098.patch \ + file://CVE-2022-32292.patch \ " SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"

From patchwork Wed Sep 14 02:25:15 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 12829
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 5/9] gnutls: fix CVE-2021-4209
Date: Tue, 13 Sep 2022 16:25:15 -1000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170623

From: Chee Yang Lee

Signed-off-by: Chee Yang Lee
Signed-off-by: Steve Sakoman --- .../gnutls/gnutls/CVE-2021-4209.patch | 37 +++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch new file mode 100644 index 0000000000..0bcb55e573 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch @@ -0,0 +1,37 @@ +From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 22 Dec 2021 09:12:25 +0100 +Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length + input + +As Nettle's hash update functions internally call memcpy, providing +zero-length input may cause undefined behavior. + +Signed-off-by: Daiki Ueno + +https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568 +Upstream-Status: Backport +CVE: CVE-2021-4209 +Signed-off-by: Chee Yang Lee +--- + lib/nettle/mac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c +index f9d4d7a8df..35e070fab0 100644 +--- a/lib/nettle/mac.c ++++ b/lib/nettle/mac.c +@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo, + if (ret < 0) + return gnutls_assert_val(ret); + +- ctx.update(&ctx, text_size, text); ++ if (text_size > 0) { ++ ctx.update(&ctx, text_size, text); ++ } + ctx.digest(&ctx, ctx.length, digest); + + return 0; +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb index e9af71c7bd..f1757871ce 100644 --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb 
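Review bot: The `if (text_size > 0)` guard around `ctx.update` in the lib/nettle/mac.c hunk is the right minimal fix for the behaviour the commit message describes (Nettle's update path ends in memcpy, which is undefined for a zero-length copy from a NULL pointer), but the hunk only covers `wrap_nettle_hash_fast`; the other fast paths in lib/nettle/mac.c that pass a caller-supplied length straight to `update` should be checked for the same zero-length call, otherwise the CVE fix is partial. Style nit: the surrounding code uses unbraced single-statement bodies (`if (ret < 0) return gnutls_assert_val(ret);` two lines above), so the braces around `ctx.update(&ctx, text_size, text);` could be dropped to match.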
@@ -26,6 +26,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2021-20231.patch \ file://CVE-2021-20232.patch \ file://CVE-2022-2509.patch \ + file://CVE-2021-4209.patch \ " SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"

From patchwork Wed Sep 14 02:25:16 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 12826
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 6/9] virglrenderer: fix CVE-2022-0135
Date: Tue, 13 Sep 2022 16:25:16 -1000
Message-Id: <5eea0b24c6fcd90aab0737c7a3f7431535a02890.1663122098.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170624

From: Chee Yang Lee

Signed-off-by: Chee Yang Lee
Signed-off-by: Steve Sakoman
---
 .../virglrenderer/CVE-2022-0135.patch | 100 ++++++++++++++++++
 .../virglrenderer/virglrenderer_0.8.2.bb | 1 +
 2 files changed, 101 insertions(+)
 create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch

diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
new file mode 100644
index 0000000000..4a277bd4d0
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
@@ -0,0 +1,100 @@ +From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001 +From: Gert Wollny +Date: Tue, 30 Nov 2021 10:17:26 +0100 +Subject: [PATCH] vrend: Add test to resource OOB write and fix it + +v2: Also check that no depth != 1 has been send when none is due + +Closes: #250 +Signed-off-by: Gert Wollny +Reviewed-by: Chia-I Wu + +https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec +Upstream-Status: Backport +CVE: CVE-2022-0135 +Signed-off-by: Chee Yang Lee +--- + src/vrend_renderer.c | 3 +++ + tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c +index 28f669727..357b81b20 100644 +--- a/src/vrend_renderer.c ++++ b/src/vrend_renderer.c +@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx, + info->box->height) * elsize; + if (res->target == GL_TEXTURE_3D || + res->target == GL_TEXTURE_2D_ARRAY || ++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY || + res->target == GL_TEXTURE_CUBE_MAP_ARRAY) + send_size *= info->box->depth; ++ else if (need_temp && info->box->depth != 1) ++ return EINVAL; + + if (need_temp) { + data = malloc(send_size); +diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c +index 59d6fb671..2de9a9a3f 100644 +--- a/tests/test_fuzzer_formats.c ++++ b/tests/test_fuzzer_formats.c +@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() { + virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde); + } + ++/* Test adapted from yaojun8558363@gmail.com: ++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250 ++*/ ++static void test_vrend_3d_resource_overflow() { ++ ++ struct virgl_renderer_resource_create_args resource; ++ resource.handle = 0x4c474572; ++ resource.target = PIPE_TEXTURE_2D_ARRAY; ++ resource.format = VIRGL_FORMAT_Z24X8_UNORM; ++ resource.nr_samples = 2; ++ 
resource.last_level = 0; ++ resource.array_size = 3; ++ resource.bind = VIRGL_BIND_SAMPLER_VIEW; ++ resource.depth = 1; ++ resource.width = 8; ++ resource.height = 4; ++ resource.flags = 0; ++ ++ virgl_renderer_resource_create(&resource, NULL, 0); ++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle); ++ ++ uint32_t size = 0x400; ++ uint32_t cmd[size]; ++ int i = 0; ++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; ++ cmd[i++] = resource.handle; ++ cmd[i++] = 0; // level ++ cmd[i++] = 0; // usage ++ cmd[i++] = 0; // stride ++ cmd[i++] = 0; // layer_stride ++ cmd[i++] = 0; // x ++ cmd[i++] = 0; // y ++ cmd[i++] = 0; // z ++ cmd[i++] = 8; // w ++ cmd[i++] = 4; // h ++ cmd[i++] = 3; // d ++ memset(&cmd[i], 0, size - i); ++ ++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size); ++} ++ ++ + int main() + { + initialize_environment(); +@@ -979,6 +1021,7 @@ int main() + test_cs_nullpointer_deference(); + test_vrend_set_signle_abo_heap_overflow(); + ++ test_vrend_3d_resource_overflow(); + + virgl_renderer_context_destroy(ctx_id); + virgl_renderer_cleanup(&cookie); +-- +GitLab + diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb index 31c45ef89c..8185d6f7e8 100644 --- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb +++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb 
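Review bot: In the src/vrend_renderer.c hunk, the new `else if (need_temp && info->box->depth != 1) return EINVAL;` only rejects a depth other than 1 for the non-array targets when `need_temp` is set; on the `!need_temp` path the same box is still accepted even though `send_size` has not been scaled by `info->box->depth`, so it is worth confirming that path cannot be reached with such a box, or dropping the `need_temp` condition, since a depth other than 1 is never meaningful for those targets. Adding `GL_TEXTURE_2D_MULTISAMPLE_ARRAY` to the depth-multiplied targets is the part the new test actually exercises: `test_vrend_3d_resource_overflow` creates a `PIPE_TEXTURE_2D_ARRAY` with `nr_samples = 2` and `array_size = 3`, then issues a `VIRGL_CCMD_RESOURCE_INLINE_WRITE` with `d = 3`; a second case using a plain 2D target with `d != 1` would cover the `EINVAL` branch as well.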
@@ -13,6 +13,7 @@ SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985" SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \ file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \ file://0001-meson.build-use-python3-directly-for-python.patch \ + file://CVE-2022-0135.patch \ " S = "${WORKDIR}/git"

From patchwork Wed Sep 14 02:25:17 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 12827
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 7/9] systemd: Fix unwritable /var/lock when no sysvinit handling
Date: Tue, 13 Sep 2022 16:25:17 -1000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170625
From: "niko.mauno@vaisala.com"

Commit 8089cefed8e83c0348037768c292058f1bcbbbe5 ("systemd: Add PACKAGECONFIG for sysvinit") decoupled enabling of systemd's sysvinit handling behavior behind a distinct PACKAGECONFIG feature.

This new option affects, among other things, the installing of tmpfiles.d/legacy.conf, which is responsible for creating the /run/lock directory, which is pointed to by the /var/lock symlink provided by the base-files package.

In case the option is not enabled, the base-files provided /var/lock is a dangling symlink on the resulting rootfs, causing problems with certain Linux userspace components that rely on the existence of a writable /var/lock directory. As an example:

  # fw_printenv
  Error opening lock file /var/lock/fw_printenv.lock

Since Filesystem Hierarchy Standard Version 3.0 states in https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s09.html that lock files should be stored within the /var/lock directory structure, ensure the /run/lock directory is always created, so that lock files can be stored under /var/lock also when 'sysvinit' handling is disabled.

(From OE-Core rev: 85e5ee2c35cf5778c3aefda45f526e8f6a511131)

Signed-off-by: Niko Mauno
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
Signed-off-by: Steve Sakoman
---
 meta/recipes-core/systemd/systemd/00-create-volatile.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/systemd/systemd/00-create-volatile.conf b/meta/recipes-core/systemd/systemd/00-create-volatile.conf
index 87cbe1e7d3..c4277221a2 100644
--- a/meta/recipes-core/systemd/systemd/00-create-volatile.conf
+++ b/meta/recipes-core/systemd/systemd/00-create-volatile.conf
@@ -3,5 +3,6 @@ # inside /var/log. +d /run/lock 1777 - - - - d /var/volatile/log - - - - d /var/volatile/tmp 1777 - -

From patchwork Wed Sep 14 02:25:18 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 12832
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 8/9] systemd: Add 'no-dns-fallback' PACKAGECONFIG option
Date: Tue, 13 Sep 2022 16:25:18 -1000
Message-Id: <834ccad676b3d8d58d1a66bbe813a331599435b4.1663122098.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170626
From: "niko.mauno@vaisala.com"

systemd defines a default set of fallback DNS servers in https://github.com/systemd/systemd/blob/v251/meson_options.txt#L328-L330

By adding a PACKAGECONFIG knob providing a convenient way to opt out, and then adding that value to systemd's PACKAGECONFIG, the output of the runtime 'resolvectl status' command no longer contains the following line:

  Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google 1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google 2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google

(From OE-Core rev: 2b300d6b9ec6288a99d9dacb24a86949caf99e55)

Signed-off-by: Niko Mauno
Signed-off-by: Richard Purdie
Signed-off-by: Steve Sakoman
---
 meta/recipes-core/systemd/systemd_244.5.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index a648272bc0..f3e5395465 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -162,6 +162,7 @@ PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native xmlto-native do PACKAGECONFIG[microhttpd] = "-Dmicrohttpd=true,-Dmicrohttpd=false,libmicrohttpd" PACKAGECONFIG[myhostname] = "-Dnss-myhostname=true,-Dnss-myhostname=false,,libnss-myhostname" PACKAGECONFIG[networkd] = "-Dnetworkd=true,-Dnetworkd=false" +PACKAGECONFIG[no-dns-fallback] = "-Ddns-servers=" PACKAGECONFIG[nss] = "-Dnss-systemd=true,-Dnss-systemd=false" PACKAGECONFIG[nss-mymachines] = "-Dnss-mymachines=true,-Dnss-mymachines=false" PACKAGECONFIG[nss-resolve] = "-Dnss-resolve=true,-Dnss-resolve=false"

From patchwork Wed Sep 14 02:25:19 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 12831
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 9/9] binutils : CVE-2022-38533 Date: Tue, 13 Sep 2022 16:25:19 -1000 Message-Id: <2cf26e2e5a83d2b2efd01de34c11da07eeb9c8f9.1663122098.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170627
From: Florin Diaconescu Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797] Signed-off-by: Florin Diaconescu Signed-off-by: Steve Sakoman --- .../binutils/binutils-2.34.inc | 1 + .../binutils/binutils/CVE-2022-38533.patch | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index 6a55de2d45..ff0d467132 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc @@ -52,5 +52,6 @@ SRC_URI = "\ file://CVE-2021-3549.patch \ file://CVE-2020-16593.patch \ file://0001-CVE-2021-45078.patch \ + file://CVE-2022-38533.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch new file mode 100644 index 0000000000..102d65f8a6 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch
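Review bot: the SRC_URI hunk in binutils-2.34.inc is the only wiring for this backport, so the `CVE: CVE-2022-38533` tag inside the new patch file's header is what lets cve-check mark binutils 2.34 as patched; the tag is present, and the file name follows the `CVE-<id>.patch` form used by the neighbouring `CVE-2021-3549.patch` and `CVE-2020-16593.patch` entries, so nothing to change here. Since `S = "${WORKDIR}/git"`, the patch is applied against the git checkout and its `a/bfd/coffcode.h` paths strip correctly at -p1.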
@@ -0,0 +1,37 @@ +From ef186fe54aa6d281a3ff8a9528417e5cc614c797 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sat, 13 Aug 2022 15:32:47 +0930 +Subject: [PATCH] PR29482 - strip: heap-buffer-overflow + + PR 29482 + * coffcode.h (coff_set_section_contents): Sanity check _LIB. + +CVE: CVE-2022-38533 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797] + +Signed-off-by: Florin Diaconescu + +--- + bfd/coffcode.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/bfd/coffcode.h b/bfd/coffcode.h +index dec2e9c6370..75c18d88602 100644 +--- a/bfd/coffcode.h ++++ b/bfd/coffcode.h +@@ -4170,10 +4170,13 @@ coff_set_section_contents (bfd * abfd, + + rec = (bfd_byte *) location; + recend = rec + count; +- while (rec < recend) ++ while (recend - rec >= 4) + { ++ size_t len = bfd_get_32 (abfd, rec); ++ if (len == 0 || len > (size_t) (recend - rec) / 4) ++ break; ++ rec += len * 4; + ++section->lma; +- rec += bfd_get_32 (abfd, rec) * 4; + } + + BFD_ASSERT (rec == recend);
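Review bot: in the coffcode.h hunk, the new `break` on `len == 0 || len > (size_t) (recend - rec) / 4` leaves `rec != recend` for a malformed _LIB section, so the `BFD_ASSERT (rec == recend);` kept just below now trips on bad input; BFD_ASSERT only reports an assertion failure, it neither aborts nor makes the function fail, so strip still finishes with a partially computed `section->lma`. That matches the upstream commit being backported and is fine for a dunfell CVE fix, but a hardening follow-up would set `bfd_error_bad_value` and return false at the `break` instead of relying on the assertion. The bounds logic itself is right: `while (recend - rec >= 4)` guarantees `bfd_get_32` has four readable bytes (the old `while (rec < recend)` let it read up to three bytes past the buffer, which is the heap over-read in PR 29482), the `len == 0` test stops the old code's infinite loop on a zero-length record, and dividing the remaining byte count by 4 rather than computing `len * 4` avoids an overflow on 32-bit hosts where `size_t` is 32 bits.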