From patchwork Sun Apr 30 16:25:52 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 23192 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BA389C77B60 for ; Sun, 30 Apr 2023 16:26:22 +0000 (UTC) Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) by mx.groups.io with SMTP id smtpd.web10.72571.1682871973190224453 for ; Sun, 30 Apr 2023 09:26:13 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=TwtQvYrw; spf=softfail (domain: sakoman.com, ip: 209.85.216.45, mailfrom: steve@sakoman.com) Received: by mail-pj1-f45.google.com with SMTP id 98e67ed59e1d1-247399d518dso1024513a91.0 for ; Sun, 30 Apr 2023 09:26:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682871972; x=1685463972; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=UCExNNKy6/XIGFpSEJhRz0cSiQzyK6+YOvKvokOf+Ks=; b=TwtQvYrwDbJi0D4LoCpUp8y0BH5eAqXGTqKyCjG+X36ovB6M8slCibYl3sLpX2ykJv L9Q8EojIxplcPRRWzSspIk2k2tmJ5jO0WDPExz98Yf2uLzpR7O1j/Wb4Xxj4J8EoaqoO BqgFkBdBWKJqsFu4qz0TVmk4p9d5zWL9HHuFv/OkevKU47/kXUvxzlqLZRXgPp/EgpZy VcppWQbBlOjzx/+R/WVZsJ3kjPcCQ0WIjUl2cpWkJ9PUjJUdJTIOAA2HiYfRFpzKozym 5JZIUSoh3XraPSXhKA6+Yz3rYqYFP4of9aJPhl2wNv4B9+iS0g0j1wWFTUu50Bo4r9m5 BFwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682871972; x=1685463972; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=UCExNNKy6/XIGFpSEJhRz0cSiQzyK6+YOvKvokOf+Ks=; b=dDMr+T+9ZDAEW/38iTiwqQzKE6QVC0MWTWmQlBgwGImR0XVaSTn8f4Nfeyo/bF4FSH w+1v7Ayrhlaza5v7P0DpNFhYeHX59FD0QKxpp4MEzufHFszdtl8AmNLZOtsmWg0zN7x+ aiYb60dBvUmF58Khb1jCJOHmc9WJbhoCJopzu52JZ0/6m2IfDcrVg3gUkPCmEIi61RSX i3RanEmiSNvrekrn9Qzpvty4jT05El+/Ls7pPMCPsOl+E6FVOFsG9PtOW/3QrbP2yOog 5TQjKsb1SqrzY22xTZXex3gwVdwiBRz/WPqQiim4y8KXUT/7fLzFm49FML/+w6US/Aim 3AOg== X-Gm-Message-State: AC+VfDwMNkWBB4VFPd9ld012JveGGslbgDRIB2f/L0cX1bEhJAeasENr h/hL5p0tGZLi6SwnwuW0ixhBPSXE+QrStKYvAHM= X-Google-Smtp-Source: ACHHUZ6gnMk5KoCljobx4c+Nqg1bFnLzIZoNrlElTHskuaFj0Oxv5+cVEE4v/g0DVjNxZU+bLhz6Tw== X-Received: by 2002:a17:90b:817:b0:24d:d54f:5396 with SMTP id bk23-20020a17090b081700b0024dd54f5396mr5518516pjb.37.1682871971856; Sun, 30 Apr 2023 09:26:11 -0700 (PDT) Received: from hexa.lan (rrcs-66-91-142-162.west.biz.rr.com. [66.91.142.162]) by smtp.gmail.com with ESMTPSA id w8-20020a17090abc0800b0024b9e62c1d9sm4443811pjr.41.2023.04.30.09.26.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Apr 2023 09:26:11 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 1/9] sudo: Security fix for CVE-2023-28486 and CVE-2023-28487 Date: Sun, 30 Apr 2023 06:25:52 -1000 Message-Id: <4870543273bef9831c075ee0bce108c54355a92f.1682871868.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Apr 2023 16:26:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180573 From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-28486 CVE-2023-28487 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches?h=ubuntu/focal-security Upstream commit https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca & https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../CVE-2023-28486_CVE-2023-28487-1.patch | 646 ++++++++++++++++++ .../CVE-2023-28486_CVE-2023-28487-2.patch | 26 + meta/recipes-extended/sudo/sudo_1.8.32.bb | 2 + 3 files changed, 674 insertions(+) create mode 100644 meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch create mode 100644 meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch diff --git a/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch new file mode 100644 index 0000000000..bc6f8c19a6 --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch @@ -0,0 +1,646 @@ +Origin: Backport obtained from SUSE. Thanks! + +From 334daf92b31b79ce68ed75e2ee14fca265f029ca Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Wed, 18 Jan 2023 08:21:34 -0700 +Subject: [PATCH] Escape control characters in log messages and "sudoreplay -l" + output. The log message contains user-controlled strings that could include + things like terminal control characters. Space characters in the command + path are now also escaped. + +Command line arguments that contain spaces are surrounded with +single quotes and any literal single quote or backslash characters +are escaped with a backslash. This makes it possible to distinguish +multiple command line arguments from a single argument that contains +spaces. + +Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv +(https://synacktiv.com). + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-1.patch?h=ubuntu/focal-security +Upstream commit https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca] +CVE: CVE-2023-28486 CVE-2023-28487 +Signed-off-by: Vijay Anusuri +--- + doc/sudoers.man.in | 33 +++++++-- + doc/sudoers.mdoc.in | 28 ++++++-- + doc/sudoreplay.man.in | 9 ++ + doc/sudoreplay.mdoc.in | 10 ++ + include/sudo_compat.h | 6 + + include/sudo_lbuf.h | 7 ++ + lib/util/lbuf.c | 106 +++++++++++++++++++++++++++++++ + lib/util/util.exp.in | 1 + plugins/sudoers/logging.c | 145 +++++++++++-------------------------------- + plugins/sudoers/sudoreplay.c | 44 +++++++++---- + 10 files changed, 257 insertions(+), 132 deletions(-) + +--- a/doc/sudoers.man.in ++++ b/doc/sudoers.man.in +@@ -4566,6 +4566,19 @@ can log events using either + syslog(3) + or a simple log file. + The log format is almost identical in both cases. ++Any control characters present in the log data are formatted in octal ++with a leading ++\(oq#\(cq ++character. ++For example, a horizontal tab is stored as ++\(oq#011\(cq ++and an embedded carriage return is stored as ++\(oq#015\(cq. ++In addition, space characters in the command path are stored as ++\(oq#040\(cq. ++Literal single quotes and backslash characters ++(\(oq\e\(cq) ++in command line arguments are escaped with a backslash. + .SS "Accepted command log entries" + Commands that sudo runs are logged using the following format (split + into multiple lines for readability): +@@ -4646,7 +4659,7 @@ A list of environment variables specifie + if specified. + .TP 14n + command +-The actual command that was executed. ++The actual command that was executed, including any command line arguments. + .PP + Messages are logged using the locale specified by + \fIsudoers_locale\fR, +@@ -4882,17 +4895,21 @@ with a few important differences: + 1.\& + The + \fIprogname\fR +-and +-\fIhostname\fR +-fields are not present. ++field is not present. + .TP 5n + 2.\& +-If the +-\fIlog_year\fR +-option is enabled, +-the date will also include the year. ++The ++\fIhostname\fR ++is only logged if the ++\fIlog_host\fR ++option is enabled. + .TP 5n + 3.\& ++The date does not include the year unless the ++\fIlog_year\fR ++option is enabled. ++.TP 5n ++4.\& + Lines that are longer than + \fIloglinelen\fR + characters (80 by default) are word-wrapped and continued on the +--- a/doc/sudoers.mdoc.in ++++ b/doc/sudoers.mdoc.in +@@ -4261,6 +4261,19 @@ can log events using either + .Xr syslog 3 + or a simple log file. + The log format is almost identical in both cases. ++Any control characters present in the log data are formatted in octal ++with a leading ++.Ql # ++character. ++For example, a horizontal tab is stored as ++.Ql #011 ++and an embedded carriage return is stored as ++.Ql #015 . ++In addition, space characters in the command path are stored as ++.Ql #040 . ++Literal single quotes and backslash characters ++.Pq Ql \e ++in command line arguments are escaped with a backslash. + .Ss Accepted command log entries + Commands that sudo runs are logged using the following format (split + into multiple lines for readability): +@@ -4328,7 +4341,7 @@ option is enabled. + A list of environment variables specified on the command line, + if specified. + .It command +-The actual command that was executed. ++The actual command that was executed, including any command line arguments. + .El + .Pp + Messages are logged using the locale specified by +@@ -4550,14 +4563,17 @@ with a few important differences: + .It + The + .Em progname +-and ++field is not present. ++.It ++The + .Em hostname +-fields are not present. ++is only logged if the ++.Em log_host ++option is enabled. + .It +-If the ++The date does not include the year unless the + .Em log_year +-option is enabled, +-the date will also include the year. ++option is enabled. + .It + Lines that are longer than + .Em loglinelen +--- a/doc/sudoreplay.man.in ++++ b/doc/sudoreplay.man.in +@@ -149,6 +149,15 @@ In this mode, + will list available sessions in a format similar to the + \fBsudo\fR + log file format, sorted by file name (or sequence number). ++Any control characters present in the log data are formated in octal ++with a leading ++\(oq#\(cq ++character. ++For example, a horizontal tab is displayed as ++\(oq#011\(cq ++and an embedded carriage return is displayed as ++\(oq#015\(cq. ++.sp + If a + \fIsearch expression\fR + is specified, it will be used to restrict the IDs that are displayed. +--- a/doc/sudoreplay.mdoc.in ++++ b/doc/sudoreplay.mdoc.in +@@ -142,6 +142,16 @@ In this mode, + will list available sessions in a format similar to the + .Nm sudo + log file format, sorted by file name (or sequence number). ++Any control characters present in the log data are formatted in octal ++with a leading ++.Ql # ++character. ++For example, a horizontal tab is displayed as ++.Ql #011 ++and an embedded carriage return is displayed as ++.Ql #015 . ++Space characters in the command name and arguments are also formatted in octal. ++.Pp + If a + .Ar search expression + is specified, it will be used to restrict the IDs that are displayed. +--- a/include/sudo_compat.h ++++ b/include/sudo_compat.h +@@ -79,6 +79,12 @@ + # endif + #endif + ++#ifdef HAVE_FALLTHROUGH_ATTRIBUTE ++# define FALLTHROUGH __attribute__((__fallthrough__)) ++#else ++# define FALLTHROUGH do { } while (0) ++#endif ++ + /* + * Given the pointer x to the member m of the struct s, return + * a pointer to the containing structure. +--- a/include/sudo_lbuf.h ++++ b/include/sudo_lbuf.h +@@ -36,9 +36,15 @@ struct sudo_lbuf { + + typedef int (*sudo_lbuf_output_t)(const char *); + ++/* Flags for sudo_lbuf_append_esc() */ ++#define LBUF_ESC_CNTRL 0x01 ++#define LBUF_ESC_BLANK 0x02 ++#define LBUF_ESC_QUOTE 0x04 ++ + __dso_public void sudo_lbuf_init_v1(struct sudo_lbuf *lbuf, sudo_lbuf_output_t output, int indent, const char *continuation, int cols); + __dso_public void sudo_lbuf_destroy_v1(struct sudo_lbuf *lbuf); + __dso_public bool sudo_lbuf_append_v1(struct sudo_lbuf *lbuf, const char *fmt, ...) __printflike(2, 3); ++__dso_public bool sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...) __printflike(3, 4); + __dso_public bool sudo_lbuf_append_quoted_v1(struct sudo_lbuf *lbuf, const char *set, const char *fmt, ...) __printflike(3, 4); + __dso_public void sudo_lbuf_print_v1(struct sudo_lbuf *lbuf); + __dso_public bool sudo_lbuf_error_v1(struct sudo_lbuf *lbuf); +@@ -47,6 +53,7 @@ __dso_public void sudo_lbuf_clearerr_v1( + #define sudo_lbuf_init(_a, _b, _c, _d, _e) sudo_lbuf_init_v1((_a), (_b), (_c), (_d), (_e)) + #define sudo_lbuf_destroy(_a) sudo_lbuf_destroy_v1((_a)) + #define sudo_lbuf_append sudo_lbuf_append_v1 ++#define sudo_lbuf_append_esc sudo_lbuf_append_esc_v1 + #define sudo_lbuf_append_quoted sudo_lbuf_append_quoted_v1 + #define sudo_lbuf_print(_a) sudo_lbuf_print_v1((_a)) + #define sudo_lbuf_error(_a) sudo_lbuf_error_v1((_a)) +--- a/lib/util/lbuf.c ++++ b/lib/util/lbuf.c +@@ -93,6 +93,112 @@ sudo_lbuf_expand(struct sudo_lbuf *lbuf, + } + + /* ++ * Escape a character in octal form (#0n) and store it as a string ++ * in buf, which must have at least 6 bytes available. ++ * Returns the length of buf, not counting the terminating NUL byte. ++ */ ++static int ++escape(unsigned char ch, char *buf) ++{ ++ const int len = ch < 0100 ? (ch < 010 ? 3 : 4) : 5; ++ ++ /* Work backwards from the least significant digit to most significant. */ ++ switch (len) { ++ case 5: ++ buf[4] = (ch & 7) + '0'; ++ ch >>= 3; ++ FALLTHROUGH; ++ case 4: ++ buf[3] = (ch & 7) + '0'; ++ ch >>= 3; ++ FALLTHROUGH; ++ case 3: ++ buf[2] = (ch & 7) + '0'; ++ buf[1] = '0'; ++ buf[0] = '#'; ++ break; ++ } ++ buf[len] = '\0'; ++ ++ return len; ++} ++ ++/* ++ * Parse the format and append strings, only %s and %% escapes are supported. ++ * Any non-printable characters are escaped in octal as #0nn. ++ */ ++bool ++sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...) ++{ ++ unsigned int saved_len = lbuf->len; ++ bool ret = false; ++ const char *s; ++ va_list ap; ++ debug_decl(sudo_lbuf_append_esc, SUDO_DEBUG_UTIL); ++ ++ if (sudo_lbuf_error(lbuf)) ++ debug_return_bool(false); ++ ++#define should_escape(ch) \ ++ ((ISSET(flags, LBUF_ESC_CNTRL) && iscntrl((unsigned char)ch)) || \ ++ (ISSET(flags, LBUF_ESC_BLANK) && isblank((unsigned char)ch))) ++#define should_quote(ch) \ ++ (ISSET(flags, LBUF_ESC_QUOTE) && (ch == '\'' || ch == '\\')) ++ ++ va_start(ap, fmt); ++ while (*fmt != '\0') { ++ if (fmt[0] == '%' && fmt[1] == 's') { ++ if ((s = va_arg(ap, char *)) == NULL) ++ s = "(NULL)"; ++ while (*s != '\0') { ++ if (should_escape(*s)) { ++ if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1)) ++ goto done; ++ lbuf->len += escape(*s++, lbuf->buf + lbuf->len); ++ continue; ++ } ++ if (should_quote(*s)) { ++ if (!sudo_lbuf_expand(lbuf, 2)) ++ goto done; ++ lbuf->buf[lbuf->len++] = '\\'; ++ lbuf->buf[lbuf->len++] = *s++; ++ continue; ++ } ++ if (!sudo_lbuf_expand(lbuf, 1)) ++ goto done; ++ lbuf->buf[lbuf->len++] = *s++; ++ } ++ fmt += 2; ++ continue; ++ } ++ if (should_escape(*fmt)) { ++ if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1)) ++ goto done; ++ if (*fmt == '\'') { ++ lbuf->buf[lbuf->len++] = '\\'; ++ lbuf->buf[lbuf->len++] = *fmt++; ++ } else { ++ lbuf->len += escape(*fmt++, lbuf->buf + lbuf->len); ++ } ++ continue; ++ } ++ if (!sudo_lbuf_expand(lbuf, 1)) ++ goto done; ++ lbuf->buf[lbuf->len++] = *fmt++; ++ } ++ ret = true; ++ ++done: ++ if (!ret) ++ lbuf->len = saved_len; ++ if (lbuf->size != 0) ++ lbuf->buf[lbuf->len] = '\0'; ++ va_end(ap); ++ ++ debug_return_bool(ret); ++} ++ ++/* + * Parse the format and append strings, only %s and %% escapes are supported. + * Any characters in set are quoted with a backslash. + */ +--- a/lib/util/util.exp.in ++++ b/lib/util/util.exp.in +@@ -79,6 +79,7 @@ sudo_gethostname_v1 + sudo_gettime_awake_v1 + sudo_gettime_mono_v1 + sudo_gettime_real_v1 ++sudo_lbuf_append_esc_v1 + sudo_lbuf_append_quoted_v1 + sudo_lbuf_append_v1 + sudo_lbuf_clearerr_v1 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -58,6 +58,7 @@ + #include + + #include "sudoers.h" ++#include "sudo_lbuf.h" + + #ifndef HAVE_GETADDRINFO + # include "compat/getaddrinfo.h" +@@ -940,14 +941,6 @@ should_mail(int status) + (def_mail_no_perms && !ISSET(status, VALIDATE_SUCCESS))); + } + +-#define LL_TTY_STR "TTY=" +-#define LL_CWD_STR "PWD=" /* XXX - should be CWD= */ +-#define LL_USER_STR "USER=" +-#define LL_GROUP_STR "GROUP=" +-#define LL_ENV_STR "ENV=" +-#define LL_CMND_STR "COMMAND=" +-#define LL_TSID_STR "TSID=" +- + #define IS_SESSID(s) ( \ + isalnum((unsigned char)(s)[0]) && isalnum((unsigned char)(s)[1]) && \ + (s)[2] == '/' && \ +@@ -962,14 +955,16 @@ should_mail(int status) + static char * + new_logline(const char *message, const char *errstr) + { +- char *line = NULL, *evstr = NULL; + #ifndef SUDOERS_NO_SEQ + char sessid[7]; + #endif + const char *tsid = NULL; +- size_t len = 0; ++ struct sudo_lbuf lbuf; ++ int i; + debug_decl(new_logline, SUDOERS_DEBUG_LOGGING) + ++ sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0); ++ + #ifndef SUDOERS_NO_SEQ + /* A TSID may be a sudoers-style session ID or a free-form string. */ + if (sudo_user.iolog_file != NULL) { +@@ -989,119 +984,55 @@ new_logline(const char *message, const c + #endif + + /* +- * Compute line length ++ * Format the log line as an lbuf, escaping control characters in ++ * octal form (#0nn). Error checking (ENOMEM) is done at the end. + */ +- if (message != NULL) +- len += strlen(message) + 3; +- if (errstr != NULL) +- len += strlen(errstr) + 3; +- len += sizeof(LL_TTY_STR) + 2 + strlen(user_tty); +- len += sizeof(LL_CWD_STR) + 2 + strlen(user_cwd); +- if (runas_pw != NULL) +- len += sizeof(LL_USER_STR) + 2 + strlen(runas_pw->pw_name); +- if (runas_gr != NULL) +- len += sizeof(LL_GROUP_STR) + 2 + strlen(runas_gr->gr_name); +- if (tsid != NULL) +- len += sizeof(LL_TSID_STR) + 2 + strlen(tsid); +- if (sudo_user.env_vars != NULL) { +- size_t evlen = 0; +- char * const *ep; +- +- for (ep = sudo_user.env_vars; *ep != NULL; ep++) +- evlen += strlen(*ep) + 1; +- if (evlen != 0) { +- if ((evstr = malloc(evlen)) == NULL) +- goto oom; +- evstr[0] = '\0'; +- for (ep = sudo_user.env_vars; *ep != NULL; ep++) { +- strlcat(evstr, *ep, evlen); +- strlcat(evstr, " ", evlen); /* NOTE: last one will fail */ +- } +- len += sizeof(LL_ENV_STR) + 2 + evlen; +- } +- } +- if (user_cmnd != NULL) { +- /* Note: we log "sudo -l command arg ..." as "list command arg ..." */ +- len += sizeof(LL_CMND_STR) - 1 + strlen(user_cmnd); +- if (ISSET(sudo_mode, MODE_CHECK)) +- len += sizeof("list ") - 1; +- if (user_args != NULL) +- len += strlen(user_args) + 1; +- } +- +- /* +- * Allocate and build up the line. +- */ +- if ((line = malloc(++len)) == NULL) +- goto oom; +- line[0] = '\0'; + + if (message != NULL) { +- if (strlcat(line, message, len) >= len || +- strlcat(line, errstr ? " : " : " ; ", len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "%s%s", message, ++ errstr ? " : " : " ; "); + } + if (errstr != NULL) { +- if (strlcat(line, errstr, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; +- } +- if (strlcat(line, LL_TTY_STR, len) >= len || +- strlcat(line, user_tty, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; +- if (strlcat(line, LL_CWD_STR, len) >= len || +- strlcat(line, user_cwd, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "%s ; ", errstr); ++ } ++ if (user_tty != NULL) { ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "TTY=%s ; ", user_tty); ++ } ++ if (user_cwd != NULL) { ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "PWD=%s ; ", user_cwd); ++ } + if (runas_pw != NULL) { +- if (strlcat(line, LL_USER_STR, len) >= len || +- strlcat(line, runas_pw->pw_name, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "USER=%s ; ", ++ runas_pw->pw_name); + } + if (runas_gr != NULL) { +- if (strlcat(line, LL_GROUP_STR, len) >= len || +- strlcat(line, runas_gr->gr_name, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "GROUP=%s ; ", ++ runas_gr->gr_name); + } + if (tsid != NULL) { +- if (strlcat(line, LL_TSID_STR, len) >= len || +- strlcat(line, tsid, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; +- } +- if (evstr != NULL) { +- if (strlcat(line, LL_ENV_STR, len) >= len || +- strlcat(line, evstr, len) >= len || +- strlcat(line, " ; ", len) >= len) +- goto toobig; +- free(evstr); +- evstr = NULL; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "TSID=%s ; ", tsid); ++ } ++ if (sudo_user.env_vars != NULL) { ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "ENV=%s", sudo_user.env_vars[0]); ++ for (i = 1; sudo_user.env_vars[i] != NULL; i++) { ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s", ++ sudo_user.env_vars[i]); ++ } + } + if (user_cmnd != NULL) { +- if (strlcat(line, LL_CMND_STR, len) >= len) +- goto toobig; +- if (ISSET(sudo_mode, MODE_CHECK) && strlcat(line, "list ", len) >= len) +- goto toobig; +- if (strlcat(line, user_cmnd, len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK, ++ "COMMAND=%s", user_cmnd); + if (user_args != NULL) { +- if (strlcat(line, " ", len) >= len || +- strlcat(line, user_args, len) >= len) +- goto toobig; ++ sudo_lbuf_append_esc(&lbuf, ++ LBUF_ESC_CNTRL|LBUF_ESC_QUOTE, ++ " %s", user_args); + } + } + +- debug_return_str(line); +-oom: +- free(evstr); ++ if (!sudo_lbuf_error(&lbuf)) ++ debug_return_str(lbuf.buf); ++ ++ sudo_lbuf_destroy(&lbuf); + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + debug_return_str(NULL); +-toobig: +- free(evstr); +- free(line); +- sudo_warnx(U_("internal error, %s overflow"), __func__); +- debug_return_str(NULL); + } +--- a/plugins/sudoers/sudoreplay.c ++++ b/plugins/sudoers/sudoreplay.c +@@ -71,6 +71,7 @@ + #include "sudo_conf.h" + #include "sudo_debug.h" + #include "sudo_event.h" ++#include "sudo_lbuf.h" + #include "sudo_util.h" + + #ifdef HAVE_GETOPT_LONG +@@ -1353,7 +1354,8 @@ match_expr(struct search_node_list *head + } + + static int +-list_session(char *logfile, regex_t *re, const char *user, const char *tty) ++list_session(struct sudo_lbuf *lbuf, char *logfile, regex_t *re, ++ const char *user, const char *tty) + { + char idbuf[7], *idstr, *cp; + const char *timestr; +@@ -1386,16 +1388,32 @@ list_session(char *logfile, regex_t *re, + } + /* XXX - print rows + cols? */ + timestr = get_timestr(li->tstamp, 1); +- printf("%s : %s : TTY=%s ; CWD=%s ; USER=%s ; ", +- timestr ? timestr : "invalid date", +- li->user, li->tty, li->cwd, li->runas_user); +- if (li->runas_group) +- printf("GROUP=%s ; ", li->runas_group); +- printf("TSID=%s ; COMMAND=%s\n", idstr, li->cmd); +- +- ret = 0; +- ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "%s : %s : ", ++ timestr ? timestr : "invalid date", li->user); ++ if (li->tty != NULL) { ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "TTY=%s ; ", ++ li->tty); ++ } ++ if (li->cwd != NULL) { ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "CWD=%s ; ", ++ li->cwd); ++ } ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "USER=%s ; ", li->runas_user); ++ if (li->runas_group != NULL) { ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "GROUP=%s ; ", ++ li->runas_group); ++ } ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "TSID=%s ; ", idstr); ++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "COMMAND=%s", ++ li->cmd); ++ ++ if (!sudo_lbuf_error(lbuf)) { ++ puts(lbuf->buf); ++ ret = 0; ++ } + done: ++ lbuf->error = 0; ++ lbuf->len = 0; + free_log_info(li); + debug_return_int(ret); + } +@@ -1415,6 +1433,7 @@ find_sessions(const char *dir, regex_t * + DIR *d; + struct dirent *dp; + struct stat sb; ++ struct sudo_lbuf lbuf; + size_t sdlen, sessions_len = 0, sessions_size = 0; + unsigned int i; + int len; +@@ -1426,6 +1445,8 @@ find_sessions(const char *dir, regex_t * + #endif + debug_decl(find_sessions, SUDO_DEBUG_UTIL) + ++ sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0); ++ + d = opendir(dir); + if (d == NULL) + sudo_fatal(U_("unable to open %s"), dir); +@@ -1485,7 +1506,7 @@ find_sessions(const char *dir, regex_t * + + /* Check for dir with a log file. */ + if (lstat(pathbuf, &sb) == 0 && S_ISREG(sb.st_mode)) { +- list_session(pathbuf, re, user, tty); ++ list_session(&lbuf, pathbuf, re, user, tty); + } else { + /* Strip off "/log" and recurse if a dir. */ + pathbuf[sdlen + len - 4] = '\0'; +@@ -1496,6 +1517,7 @@ find_sessions(const char *dir, regex_t * + } + free(sessions); + } ++ sudo_lbuf_destroy(&lbuf); + + debug_return_int(0); + } diff --git a/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch new file mode 100644 index 0000000000..d021873b70 --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch @@ -0,0 +1,26 @@ +Backport of: + +From 12648b4e0a8cf486480442efd52f0e0b6cab6e8b Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Mon, 13 Mar 2023 08:04:32 -0600 +Subject: [PATCH] Add missing " ; " separator between environment variables and + command. This is a regression introduced in sudo 1.9.13. GitHub issue #254. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-2.patch?h=ubuntu/focal-security +Upstream commit https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b] +CVE: CVE-2023-28486 CVE-2023-28487 +Signed-off-by: Vijay Anusuri +--- + lib/eventlog/eventlog.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -1018,6 +1018,7 @@ new_logline(const char *message, const c + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s", + sudo_user.env_vars[i]); + } ++ sudo_lbuf_append(&lbuf, " ; "); + } + if (user_cmnd != NULL) { + sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK, diff --git a/meta/recipes-extended/sudo/sudo_1.8.32.bb b/meta/recipes-extended/sudo/sudo_1.8.32.bb index 5bc48ec6fa..e35bbfa789 100644 --- a/meta/recipes-extended/sudo/sudo_1.8.32.bb +++ b/meta/recipes-extended/sudo/sudo_1.8.32.bb @@ -6,6 +6,8 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ file://0001-Fix-includes-when-building-with-musl.patch \ file://CVE-2022-43995.patch \ file://CVE-2023-22809.patch \ + file://CVE-2023-28486_CVE-2023-28487-1.patch \ + file://CVE-2023-28486_CVE-2023-28487-2.patch \ " PAM_SRC_URI = "file://sudo.pam" From patchwork Sun Apr 30 16:25:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 23196 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D27B2C7EE26 for ; Sun, 30 Apr 2023 16:26:22 +0000 (UTC) Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) by mx.groups.io with SMTP id smtpd.web11.72228.1682871974660663664 for ; Sun, 30 Apr 2023 09:26:14 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=Bi7psvJh; spf=softfail (domain: sakoman.com, ip: 209.85.216.44, mailfrom: steve@sakoman.com) Received: by mail-pj1-f44.google.com with SMTP id 98e67ed59e1d1-24b89b9a72cso1200929a91.1 for ; Sun, 30 Apr 2023 09:26:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682871974; x=1685463974; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=vGXyymn/jy/ByC108tbXe69KZLGDMnlCdpPgQceYakM=; b=Bi7psvJh+fkX6fuwpNJBKHhZSQww2QSK3WU4QDvGw1GWGqyTY9CtAuvXey7IFoDdwj p1p8LBHofw227NkpPM5ypOCfqMAyJNJe0sElJBS2wXWATUPUWJn6uZfnssSnCxGRQYBA iX2GIJd15QiirD3wuFNuul3svFQQ5fLSwBhK5kU0GUJTPrGKeizxc9/aqqMIzq2re55j SRXJ9wznbiKFfJIwvZZ/thiKEwkcPA9KOFwQJ+bGPPgVI6vQ6qY1B8CvoM5CUxptVge6 DvcPQUgtjaPv8GrACWpYf716KTk19HfXanXrGRRWEg/acTM1FZG3hwmRmIh9DUcfm6vy Se1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682871974; x=1685463974; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vGXyymn/jy/ByC108tbXe69KZLGDMnlCdpPgQceYakM=; b=DA9Wv6otK/CbHMsSSFohdoSJJoCOPFkSftM6ra/+8dCnGFGQcAkvoTl6a5o0ttynrF hACtqB5wZ0MsqGAOjWhnU+H2BLTxEMGTNvcPFH7wZOIGVLyBUvxzv+PPcSjdyyH7UKd4 4OS2TSB6lyjPgR1binfFnyCmJhs4rFkoCLz0yvawNJYOvFHfTjIdWiYLJDxVUHomNzsO 9JWFuz6RXCZHef+IQGrpeSSk4shRHE+paZx6B8xtq8Y0g46whgR3FmBlVjhzwg8NY7Q/ AOPGzhnzWevLzvpnwqI4yPhiPFq0P20F+sfr5Jh+FTiMhFnrRxJ4F+CvEYtKrR6hq4wX Z5Dg== X-Gm-Message-State: AC+VfDymg4xynd3uaNeOS2B87USl05Xwgwbn/oU+x/DF2Fcr2/d5bKLC Ihi+iBlozY66EPo5CE/KxcCvBXRL5G8Bmn2bh3M= X-Google-Smtp-Source: ACHHUZ7p1CGfKYMg7E68/gF/5c4+Rsuuy6jnUQ5eeiLSSaUjJzN7qpg4uCxop55+iOvf8GYWaOJ5jA== X-Received: by 2002:a17:90a:b886:b0:247:2d9d:4722 with SMTP id o6-20020a17090ab88600b002472d9d4722mr11760113pjr.0.1682871973736; Sun, 30 Apr 2023 09:26:13 -0700 (PDT) Received: from hexa.lan (rrcs-66-91-142-162.west.biz.rr.com. [66.91.142.162]) by smtp.gmail.com with ESMTPSA id w8-20020a17090abc0800b0024b9e62c1d9sm4443811pjr.41.2023.04.30.09.26.12 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Apr 2023 09:26:13 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 2/9] go: Ignore CVE-2022-1705 Date: Sun, 30 Apr 2023 06:25:53 -1000 Message-Id: <6e4a952efc94a3bb94216db1cbd738f4fb70217f.1682871868.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Apr 2023 16:26:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180574 From: Shubham Kulkarni The vulnerability was introduced in go1.15beta1 with commit d5734d4. Dunfell uses go1.14 version which does not contain the affected code. Ref: https://security-tracker.debian.org/tracker/CVE-2022-1705 Signed-off-by: Shubham Kulkarni Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.14.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 56f4f12c37..b1d7bc155a 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -87,3 +87,6 @@ CVE_CHECK_WHITELIST += "CVE-2022-30630" # This is specific to Microsoft Windows CVE_CHECK_WHITELIST += "CVE-2022-41716" + +# Issue introduced in go1.15beta1, does not exist in 1.14 +CVE_CHECK_WHITELIST += "CVE-2022-1705" From patchwork Sun Apr 30 16:25:54 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 23195 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE062C7EE25 for ; Sun, 30 Apr 2023 16:26:22 +0000 (UTC) Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com [209.85.216.48]) by mx.groups.io with SMTP id smtpd.web11.72229.1682871976889549467 for ; Sun, 30 Apr 2023 09:26:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=NKbMEHX3; spf=softfail (domain: sakoman.com, ip: 209.85.216.48, mailfrom: steve@sakoman.com) Received: by mail-pj1-f48.google.com with SMTP id 98e67ed59e1d1-24deb9c5ffcso416288a91.1 for ; Sun, 30 Apr 2023 09:26:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682871976; x=1685463976; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=59DypPXb7XLmkP0LgcgFDyJ0euhUX/puTetB4yJxh30=; b=NKbMEHX3S2pCoxkv4NuTh9RCCGeI2l550iCy2TPRocKCKqIE803gGCP9xe5jlK26JW KEvw78AgOC6FJYs9IZ7WVPnSRKQgUXOdWcH1bOalNuAKmTflcv/CdwzyOT8lrLyDyKXh Rv48zqF9L7gySqy6pIofHio/KdGO6Acmf/3tlv8+okyyJ6h+tKAm+BZHWJXhhtix4wP9 EZAJTGJMm5tVw2NOJ9wg+0jbDIURQJpjdBdF6Qej1IdYXs07ZqY0KWC/4yf7TmVlJXhP FzXj1fqvJG+x2ofhlj7Oq8ipZnKs8M/++ejS3l207lB1C/pWTl+urVQlPQ2atbq+OT3F XIJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682871976; x=1685463976; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=59DypPXb7XLmkP0LgcgFDyJ0euhUX/puTetB4yJxh30=; b=U1c2blbak27H6wBqlP78LtMf/FSDUJmEntlDZ0MzuFMj1fNtJsudtgmVIr8Fno23Ma K8dJuCtGcHXxUqjkQRGFU7ABirknvBx4IIu0rTCahXD79OLIAlGVND8eocvpu2Eq68oW hFfIzcLfEXf5GyIpYdfWa0DWpx9cgsELHrPAQm6eyJuoPA6i6Y+3ML358WUC/fmNeic5 FFOm4rfgPA8QvAIFCnU/u9EWCvPUbVAXDyMk/ru2G09ranOZLnwM696jvHPJC739kbld Aql8o4kZuRR5O+peVD0vr7jCnAaXMA1gz5QEdaM6SS9dRDYXKFNQw4IsuLRIkvh0KOQT YqEQ== X-Gm-Message-State: AC+VfDynVFXge51wi4q00SjRhMDqJW71fOxWzPfMY83gdOkdOOVXVcoo dUsRPzqDYs38IKQjIrKQ/ESYeu+HvNMcxPOIxdY= X-Google-Smtp-Source: ACHHUZ7FxU0//jSk+7P3xyTB+DEOiujsMDwSAewtgKCpPOLyZh9VKnHB35kEF7GBzPJXyDU41Z8qKw== X-Received: by 2002:a17:90a:5d0e:b0:247:a68d:7f22 with SMTP id s14-20020a17090a5d0e00b00247a68d7f22mr12239471pji.4.1682871975552; Sun, 30 Apr 2023 09:26:15 -0700 (PDT) Received: from hexa.lan (rrcs-66-91-142-162.west.biz.rr.com. [66.91.142.162]) by smtp.gmail.com with ESMTPSA id w8-20020a17090abc0800b0024b9e62c1d9sm4443811pjr.41.2023.04.30.09.26.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Apr 2023 09:26:15 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 3/9] openssl: Fix CVE-2023-0464 Date: Sun, 30 Apr 2023 06:25:54 -1000 Message-Id: <0c50550e2c8fca3263776c2bb985a8c58b920b99.1682871868.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Apr 2023 16:26:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180575 From: Nikhil R Fix CVE-2023-0464 for openssl A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service(DoS) attack on affected systems. Link: https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b Signed-off-by: Nikhil R Signed-off-by: Omkar Patil Signed-off-by: Steve Sakoman --- .../openssl/openssl/CVE-2023-0464.patch | 226 ++++++++++++++++++ .../openssl/openssl_1.1.1t.bb | 1 + 2 files changed, 227 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch new file mode 100644 index 0000000000..cce5bad9f0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch @@ -0,0 +1,226 @@ +From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Wed, 8 Mar 2023 15:28:20 +1100 +Subject: [PATCH] x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/20569) + +CVE: CVE-2023-0464 +Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b] +Signed-off-by: Nikhil R + +--- + crypto/x509v3/pcy_local.h | 8 +++++++- + crypto/x509v3/pcy_node.c | 12 +++++++++--- + crypto/x509v3/pcy_tree.c | 37 +++++++++++++++++++++++++++---------- + 3 files changed, 43 insertions(+), 14 deletions(-) + +diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h +index 5daf78de45..344aa06765 100644 +--- a/crypto/x509v3/pcy_local.h ++++ b/crypto/x509v3/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++ /* The number of nodes in the tree */ ++ size_t node_count; ++ /* The maximum number of nodes in the tree */ ++ size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void policy_node_free(X509_POLICY_NODE *node); + int policy_node_match(const X509_POLICY_LEVEL *lvl, + const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c +index e2d7b15322..d574fb9d66 100644 +--- a/crypto/x509v3/pcy_node.c ++++ b/crypto/x509v3/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++ return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +- if (level) { ++ if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + } + } + +- if (tree) { ++ if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + } + } + ++ tree->node_count++; + if (parent) + parent->nchild++; + +diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c +index 6e8322cbc5..6c7fd35405 100644 +--- a/crypto/x509v3/pcy_tree.c ++++ b/crypto/x509v3/pcy_tree.c +@@ -13,6 +13,18 @@ + + #include "pcy_local.h" + ++/* ++ * If the maximum number of nodes in the policy tree isn't defined, set it to ++ * a generous default of 1000 nodes. ++ * ++ * Defining this to be zero means unlimited policy tree growth which opens the ++ * door on CVE-2023-0464. ++ */ ++ ++#ifndef OPENSSL_POLICY_TREE_NODES_MAX ++# define OPENSSL_POLICY_TREE_NODES_MAX 1000 ++#endif ++ + /* + * Enable this to print out the complete policy tree at various point during + * evaluation. +@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + return X509_PCY_TREE_INTERNAL; + } + ++ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ ++ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; ++ + /* + * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. + * +@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + level = tree->levels; + if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL) + goto bad_tree; +- if (level_add_node(level, data, NULL, tree) == NULL) { ++ if (level_add_node(level, data, NULL, tree, 1) == NULL) { + policy_data_free(data); + goto bad_tree; + } +@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + * Return value: 1 on success, 0 otherwise + */ + static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, +- X509_POLICY_DATA *data) ++ X509_POLICY_DATA *data, ++ X509_POLICY_TREE *tree) + { + X509_POLICY_LEVEL *last = curr - 1; + int i, matched = 0; +@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); + + if (policy_node_match(last, node, data->valid_policy)) { +- if (level_add_node(curr, data, node, NULL) == NULL) ++ if (level_add_node(curr, data, node, tree, 0) == NULL) + return 0; + matched = 1; + } + } + if (!matched && last->anyPolicy) { +- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL) ++ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) + return 0; + } + return 1; +@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + * Return value: 1 on success, 0 otherwise. + */ + static int tree_link_nodes(X509_POLICY_LEVEL *curr, +- const X509_POLICY_CACHE *cache) ++ const X509_POLICY_CACHE *cache, ++ X509_POLICY_TREE *tree) + { + int i; + +@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); + + /* Look for matching nodes in previous level */ +- if (!tree_link_matching_nodes(curr, data)) ++ if (!tree_link_matching_nodes(curr, data, tree)) + return 0; + } + return 1; +@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, + /* Curr may not have anyPolicy */ + data->qualifier_set = cache->anyPolicy->qualifier_set; + data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; +- if (level_add_node(curr, data, node, tree) == NULL) { ++ if (level_add_node(curr, data, node, tree, 1) == NULL) { + policy_data_free(data); + return 0; + } +@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, + } + /* Finally add link to anyPolicy */ + if (last->anyPolicy && +- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL) ++ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL) + return 0; + return 1; + } +@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, + extra->qualifier_set = anyPolicy->data->qualifier_set; + extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS + | POLICY_DATA_FLAG_EXTRA_NODE; +- node = level_add_node(NULL, extra, anyPolicy->parent, tree); ++ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1); + } + if (!tree->user_policies) { + tree->user_policies = sk_X509_POLICY_NODE_new_null(); +@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) + + for (i = 1; i < tree->nlevel; i++, curr++) { + cache = policy_cache_set(curr->cert); +- if (!tree_link_nodes(curr, cache)) ++ if (!tree_link_nodes(curr, cache, tree)) + return X509_PCY_TREE_INTERNAL; + + if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) +-- +2.34.1 diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb index a1956ad8c2..94cb458508 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb @@ -18,6 +18,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://afalg.patch \ file://reproducible.patch \ file://reproducibility.patch \ + file://CVE-2023-0464.patch \ " SRC_URI_append_class-nativesdk = " \ From patchwork Sun Apr 30 16:25:55 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 23193 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC56FC7EE24 for ; Sun, 30 Apr 2023 16:26:22 +0000 (UTC) Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46]) by mx.groups.io with SMTP id smtpd.web10.72574.1682871978202042337 for ; Sun, 30 Apr 2023 09:26:18 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=IgP6WFGl; spf=softfail (domain: sakoman.com, ip: 209.85.216.46, mailfrom: steve@sakoman.com) Received: by mail-pj1-f46.google.com with SMTP id 98e67ed59e1d1-24df161f84bso387193a91.3 for ; Sun, 30 Apr 2023 09:26:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682871977; x=1685463977; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=QbnhlS06ZE3k7X8Hvlbj/90mJBFeTgk2SnhWKGmDuWU=; b=IgP6WFGlIoXS5eWZzr//L4Ndp5PzHG4gp/o8FH2opzAZHIpyHXBABS2dgYrN5A38Xn HMcRFADILmCHzCZzFzbUSGfp0F5yZ9BW8/LiCvAhXFCDM4Pg94WUB2QPMZ5HhRoGi0m5 +pwOxoPx0WA29IfU96aMmPSIKNnGrW6NMl1fQRagVkAg5QjbtxfqH7Gy9tn6exDaoo+H QTVLRJlfegmK1zihT4DVKdO20FjWFmarRnbbsQw+3ElMBi8D53Oxi16DYvmQ+U9bZIce rwtaEWF8e9z+i4Ie0NBP1Yb8F1WgogxooqxFN/ud7DezKBSeGZbYgRbTs3ZfcG5I1uxW JUQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682871977; x=1685463977; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QbnhlS06ZE3k7X8Hvlbj/90mJBFeTgk2SnhWKGmDuWU=; b=Pc9Lc+mS2RxcckiOIjFuRbBUgIs/4No2zdmRxe058ZwecqCV0crJ6dbFjmsFQTEPKu zYLzKyvRmmCC26tTK0pDJ+D9FkOFjP3KIRdg3cJIKSGM6iR7By4u3uPEMqDeg1LHlncJ zrbvVkYCNsxApc9jaNG6PgBoHl1VvW4ykYEK04dFX817HXbWRh6P2aDK7U37MPVWkA5V nl8wH/dmbrGcQ99ub+KftxRFLPUagGm8m5onDSGS2TocO1r2/XMU0yuuzL/Q5O2JvV1K RWugHZRkleYFyVR+0+v59ms9ra2OvC1Vji9KNQ0T4Dk361cTiATS11LJD7EpGuMPFpnS dj7w== X-Gm-Message-State: AC+VfDxmqNjefPXtqLEAtT2XZzDzx5ayntvZVMSUzC6NEsAD1UbJPq0v XuzU/MUYPPCUd5fC+YeCC+/kW5bf/H/6CBhMH8Q= X-Google-Smtp-Source: ACHHUZ4drDWvTyhZwEcV/VfdhPiKrre6FiH1zV7YQPzktcCCXdK7qIqTzCaImcoFRQvKZzmnCXyxlw== X-Received: by 2002:a17:90a:5513:b0:247:2680:2ad with SMTP id b19-20020a17090a551300b00247268002admr11908460pji.33.1682871977245; Sun, 30 Apr 2023 09:26:17 -0700 (PDT) Received: from hexa.lan (rrcs-66-91-142-162.west.biz.rr.com. [66.91.142.162]) by smtp.gmail.com with ESMTPSA id w8-20020a17090abc0800b0024b9e62c1d9sm4443811pjr.41.2023.04.30.09.26.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Apr 2023 09:26:16 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 4/9] openssl: Fix CVE-2023-0465 Date: Sun, 30 Apr 2023 06:25:55 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Apr 2023 16:26:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180576 From: Omkar Patil Add patch to fix CVE-2023-0465 Link: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95 Signed-off-by: Omkar Patil Signed-off-by: Omkar Patil Signed-off-by: Steve Sakoman --- .../openssl/openssl/CVE-2023-0465.patch | 60 +++++++++++++++++++ .../openssl/openssl_1.1.1t.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch new file mode 100644 index 0000000000..be5068074e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch @@ -0,0 +1,60 @@ +From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 7 Mar 2023 16:52:55 +0000 +Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf + certs + +Even though we check the leaf cert to confirm it is valid, we +later ignored the invalid flag and did not notice that the leaf +cert was bad. + +Fixes: CVE-2023-0465 + +Reviewed-by: Hugo Landau +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/20588) + +CVE: CVE-2023-0465 +Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95] +Comment: Refreshed first hunk +Signed-off-by: Omkar Patil + +--- + crypto/x509/x509_vfy.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 925fbb5412..1dfe4f9f31 100644 +--- a/crypto/x509/x509_vfy.c ++++ b/crypto/x509/x509_vfy.c +@@ -1649,18 +1649,25 @@ + } + /* Invalid or inconsistent extensions */ + if (ret == X509_PCY_TREE_INVALID) { +- int i; ++ int i, cbcalled = 0; + + /* Locate certificates with bad extensions and notify callback. */ +- for (i = 1; i < sk_X509_num(ctx->chain); i++) { ++ for (i = 0; i < sk_X509_num(ctx->chain); i++) { + X509 *x = sk_X509_value(ctx->chain, i); + + if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) + continue; ++ cbcalled = 1; + if (!verify_cb_cert(ctx, x, i, + X509_V_ERR_INVALID_POLICY_EXTENSION)) + return 0; + } ++ if (!cbcalled) { ++ /* Should not be able to get here */ ++ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ /* The callback ignored the error so we return success */ + return 1; + } + if (ret == X509_PCY_TREE_FAILURE) { +-- +2.34.1 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb index 94cb458508..254cc9bc8d 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb @@ -19,6 +19,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://reproducible.patch \ file://reproducibility.patch \ file://CVE-2023-0464.patch \ + file://CVE-2023-0465.patch \ " SRC_URI_append_class-nativesdk = " \ From patchwork Sun Apr 30 16:25:56 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 23194 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B4F6BC7EE21 for ; Sun, 30 Apr 2023 16:26:22 +0000 (UTC) Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) by mx.groups.io with SMTP id smtpd.web11.72232.1682871979968398454 for ; Sun, 30 Apr 2023 09:26:20 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=xifCtdvz; spf=softfail (domain: sakoman.com, ip: 209.85.210.175, mailfrom: steve@sakoman.com) Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-63b733fd00bso1270964b3a.0 for ; Sun, 30 Apr 2023 09:26:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682871979; x=1685463979; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=BLAED5D4fua5UKTfnfGy8W2MkiveLTmRXfRxYMgz4vo=; b=xifCtdvzil7xeEHNC8FFd0SN+iX/S6hi62/Oo4Q1za5IBFAER+EaqZsqOWK3YNqkDM XEFvsOvUqEhkvYzWJDzkWrf6KiCMbqsZBnNWV9ew2u4/6bTizPo+9XEvXjTMH73m9Utj PSVOl3cAscKsB7r9JL11eS9wdhv/uBm5G1/kSnZCQLTFvDymuVC/b3aZCKqC82GYkszP w8sigW8WceDpaghTQ0qQhsPUsGIeuFG01JPFJrFtwDwALnhhfBlZ3s9gK0qVHXzFNjmP am3uol50bOF2l73PfISwO2HbXo8g2hIQ9xqBpSDi4XTjFw2DVMm1xe49ZoO5ayJPPqwf KLVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682871979; x=1685463979; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=BLAED5D4fua5UKTfnfGy8W2MkiveLTmRXfRxYMgz4vo=; b=Qdr/Lfit40txis6Rj1CSES4+Vz4g+isofZVPvreWgG9yKemtFTKJCqeb4B4zCAFyS6 HNVsI52NMIXufxJX4/E1Fe837m7ljKiVhe9krkRHRV4bL9rp3iwhJBT3Tmy6tKmYCIPr Ok5a1WWv3swjIoQMEWHVN7QE4ClaaIKGcecQ8htH8Ih6TDuldoatJWzYYioBV5Cl0Fzc 0D0fPcBiUhl2LaNk79g72F+pIjm79hlgOjnEHy7/k6ktyC8z26zKBuJKs7R9PZAB0pqk JeaNH9Vc+0cUu4+MEiRoFAqlXs9sK7B5FRn0lty+0UhVBJaegliK+kXSgHHHXGjl6nYt 2wtQ== X-Gm-Message-State: AC+VfDxAQdPoDIFyfxxdLfytPVkSbQQDDu2DL1zh616p+sl+PO9ffW5q WyIuatbh64+kwzCn4bs61a3bwBmhSYE9QNgvP+0= X-Google-Smtp-Source: ACHHUZ7Lo1ilJeLzB7WbvwyR7yU1kUvRTzRn2PItbwYY4UMMuUoQQNs/y6eEHudTsX/FknsbGx1Qhg== X-Received: by 2002:a05:6a20:7da6:b0:f5:5232:4bde with SMTP id v38-20020a056a207da600b000f552324bdemr11067897pzj.23.1682871978963; Sun, 30 Apr 2023 09:26:18 -0700 (PDT) Received: from hexa.lan (rrcs-66-91-142-162.west.biz.rr.com. [66.91.142.162]) by smtp.gmail.com with ESMTPSA id w8-20020a17090abc0800b0024b9e62c1d9sm4443811pjr.41.2023.04.30.09.26.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Apr 2023 09:26:18 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 5/9] openssl: Fix CVE-2023-0466 Date: Sun, 30 Apr 2023 06:25:56 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Apr 2023 16:26:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180577 From: Omkar Patil Add patch to fix CVE-2023-0466 Link: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a Signed-off-by: Omkar Patil Signed-off-by: Omkar Patil Signed-off-by: Steve Sakoman --- .../openssl/openssl/CVE-2023-0466.patch | 82 +++++++++++++++++++ .../openssl/openssl_1.1.1t.bb | 1 + 2 files changed, 83 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch new file mode 100644 index 0000000000..f042aa5da1 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch @@ -0,0 +1,82 @@ +From 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 21 Mar 2023 16:15:47 +0100 +Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy() + +The function was incorrectly documented as enabling policy checking. + +Fixes: CVE-2023-0466 + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/20564) + +CVE: CVE-2023-0466 +Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a] +Comment: Refreshed first hunk from CHANGE and NEWS +Signed-off-by: Omkar Patil + +--- + CHANGES | 5 +++++ + NEWS | 1 + + doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++-- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/CHANGES b/CHANGES +index efccf7838e..b19f1429bb 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -9,6 +9,11 @@ + + Changes between 1.1.1s and 1.1.1t [7 Feb 2023] + ++ *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention ++ that it does not enable policy checking. Thanks to ++ David Benjamin for discovering this issue. (CVE-2023-0466) ++ [Tomas Mraz] ++ + *) Fixed X.400 address type confusion in X.509 GeneralName. + + There is a type confusion vulnerability relating to X.400 address processing +diff --git a/NEWS b/NEWS +index 36a9bb6890..62615693fa 100644 +--- a/NEWS ++++ b/NEWS +@@ -7,6 +7,7 @@ + + Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023] + ++ o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) + o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) + o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215) + o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450) +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index f6f304bf7b..aa292f9336 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod ++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -92,8 +92,9 @@ B. + X509_VERIFY_PARAM_set_time() sets the verification time in B to + B. Normally the current time is used. + +-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled +-by default) and adds B to the acceptable policy set. ++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. ++Contrary to preexisting documentation of this function it does not enable ++policy checking. + + X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled + by default) and sets the acceptable policy set to B. Any existing +@@ -377,6 +378,10 @@ and has no effect. + + The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. + ++The function X509_VERIFY_PARAM_add0_policy() was historically documented as ++enabling policy checking however the implementation has never done this. ++The documentation was changed to align with the implementation. ++ + =head1 COPYRIGHT + + Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. +-- +2.34.1 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb index 254cc9bc8d..46875b525c 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb @@ -20,6 +20,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://reproducibility.patch \ file://CVE-2023-0464.patch \ file://CVE-2023-0465.patch \ + file://CVE-2023-0466.patch \ " SRC_URI_append_class-nativesdk = " \ From patchwork Sun Apr 30 16:25:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 23191 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A567EC77B73 for ; Sun, 30 Apr 2023 16:26:22 +0000 (UTC) Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) by mx.groups.io with SMTP id smtpd.web10.72575.1682871982008271818 for ; Sun, 30 Apr 2023 09:26:22 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=rUqBVT1M; spf=softfail (domain: sakoman.com, ip: 209.85.210.181, mailfrom: steve@sakoman.com) Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-64115e652eeso22478896b3a.0 for ; Sun, 30 Apr 2023 09:26:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682871981; x=1685463981; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=dUzi/sx64nhcuNkrxgz1rTvmtGOQFUFi5ZlnC+r5hmU=; b=rUqBVT1MZZ30SEVGXEusPrMOiWLpQbwb0qy6f/MsUxZQiV5RlcRHVf4F1VKR8K17CW WTacIRnetSNkEsCovqOCgrt2nOvwkW0vz22BWVK0LHyl6pynS1DhCstpe/cnL/DBwLpB vHNDnN0FmtdKsvpReOHDW3nphK2KtDbqJQhDASQAhANd2FGh+B9qO2UBcIVpRn/kmpS3 RbegL921evmzoEnoz5tKFja3YbAqwiK5BM5fh69HGqEHwlDbHsbPiB7X6JkCob8uahT2 MD7+qt5pMrB3DELYaR3y61tZo77S2DBnqGW8wk3WMJB9eQeXS7RcL9QJ5U7WWEw/kN9W Nzbg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682871981; x=1685463981; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dUzi/sx64nhcuNkrxgz1rTvmtGOQFUFi5ZlnC+r5hmU=; b=UbciWa12OXNtKKIC5cftZLE1zuD/ZvXM2tMQ1wCiqDUYJZw/+6QmJ7DJW1YccEiP7A McfwuCIV2Di5f+OFLX8aMomdl7mTTd9R5byPeGa22EmDhUjBO7ev7c9GUCAw6LBk4nOM T/aK/buY3NWggAcqrqw05H+npLy4tLl+XHwyhzngk9xFoi430NAl/ESJqqP6VndKjVIz di5XxY1cJkHqOhcupIWFhd4DmoMrwSiidzw1jD/7jwziqsP3Fqq6qnrZhtGmicsQQq7W GdDyK47+ubUIJuHCA8gPBY2U9XabtYASrrZL1qpWVXzoxgB2yj+zAQNOfPP6NvYUiaT7 iLTg== X-Gm-Message-State: AC+VfDwXxeZhv40UzMJvD1GNosVFR19P9DhQxkDvSXBCN6SXh1SidT3p +0x9QWZ3QQ2ethdbc4wEannDN/2hb/xi9HqLUuo= X-Google-Smtp-Source: ACHHUZ7CFMtBofe7kBcLurv60lpG4lLR0jD/zbqQlXJV2kTPKyQf7G6ZZY3nT7p+/bxWv+2qr5dwug== X-Received: by 2002:a05:6a21:32a2:b0:f0:5d68:e977 with SMTP id yt34-20020a056a2132a200b000f05d68e977mr19705198pzb.9.1682871980722; Sun, 30 Apr 2023 09:26:20 -0700 (PDT) Received: from hexa.lan (rrcs-66-91-142-162.west.biz.rr.com. [66.91.142.162]) by smtp.gmail.com with ESMTPSA id w8-20020a17090abc0800b0024b9e62c1d9sm4443811pjr.41.2023.04.30.09.26.19 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Apr 2023 09:26:20 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 6/9] qemu: Whitelist CVE-2023-0664 Date: Sun, 30 Apr 2023 06:25:57 -1000 Message-Id: <8efb0fc7e7db4bad3dbc40d8f890a6c2e7be38fa.1682871869.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Apr 2023 16:26:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180578 From: Virendra Thakur This CVE is related to Windows. Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0664 Signed-off-by: Virendra Thakur Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 3b1bd3b656..8d6c4050f7 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -157,6 +157,11 @@ CVE_CHECK_WHITELIST += "CVE-2018-18438" # the issue introduced in v5.1.0-rc0 CVE_CHECK_WHITELIST += "CVE-2020-27661" +# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664 +# https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +# this bug related to windows specific. +CVE_CHECK_WHITELIST += "CVE-2023-0664" + COMPATIBLE_HOST_mipsarchn32 = "null" COMPATIBLE_HOST_mipsarchn64 = "null" From patchwork Sun Apr 30 16:25:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 23199 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA999C77B73 for ; Sun, 30 Apr 2023 16:26:32 +0000 (UTC) Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mx.groups.io with SMTP id smtpd.web10.72577.1682871983918164434 for ; Sun, 30 Apr 2023 09:26:24 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=08Kly/cL; spf=softfail (domain: sakoman.com, ip: 209.85.214.173, mailfrom: steve@sakoman.com) Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-1aaf70676b6so1223695ad.3 for ; Sun, 30 Apr 2023 09:26:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682871983; x=1685463983; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=B4xEX/4LTW5hE/uaCo7q6EyRkDRgDxDqAqJjej+F5CU=; b=08Kly/cL71FBgWSgMPgDG5SWMjSgBirx6FuPbJsA6QvNOZLmIfcKUgzwLK5M+WlfhA Zyf+9XRA278Kj8q2c5Za4/kR0FI0DvPv/6a7E5rwonn9wZkLQ9eBn/WibAlhDORiHtbt aGyW5Eaw6dIhZscsL2azxgRgBZBMj0CL17b6+YANdE6E0bPGWPiyGKyeF6DBOxwGN11t q1QzcBgiS5Fvitu0AQ+dtQ0OEHOe6RgKpUjdFO9wlPAt9VadELOHIDL/R3bS7WbSRj7U CLjdXLRSziF3ap1dlNjMiMEC8OHvfgdoXDUpf6haY4WGqN2yXpi4W1/4794sTwX+3EJ/ f1OA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682871983; x=1685463983; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=B4xEX/4LTW5hE/uaCo7q6EyRkDRgDxDqAqJjej+F5CU=; b=hFv5+hMFTTM1cs/kQIy2dHDHkFPvgyuWgmbMoNFCJGFrFFtGcwchh6WqM6pW7N5MR0 tpwLsu8X3KqSOI3+S0YPZiqBvrFhGlE2awwfb0r+qn22CR2o6zW+jaKVQATayI+2FKpB iaveU/GBR5zcvJ8J/D/X9pjuyJVAAgPae+JCJZql/vxd/jPTxI6iJHEs/gbZd7VFH6ai 9Pf2LE74yBqx5tAyxcDdrHp1EbD5WaHqVMbH/BXQLMd51JJDF6PuPxNTS3AaH9WJU44j Fiwq9kVE6x8OFvtt2B4qbPvYMm4OAUTzSQZHB+MggBBgpTk5ZT2l3feUDcjJwid+7IsJ Jebw== X-Gm-Message-State: AC+VfDzN1/J4+01Xxz75fTCNc6SNpbAUCglTHFXNMyhTeoMYm6CPBnK0 nF/7Lp9RPSP3QgHbJfXVXfZlTBN5MZuN3MveOlk= X-Google-Smtp-Source: ACHHUZ6M2s5xLE66tbQMz39mYS7tyKg5SCsrhyuucY2Kcv0NJzXLCwevXUerJcuOEdApACvavxwqbQ== X-Received: by 2002:a17:903:41c3:b0:1aa:eefb:2076 with SMTP id u3-20020a17090341c300b001aaeefb2076mr2117609ple.11.1682871982550; Sun, 30 Apr 2023 09:26:22 -0700 (PDT) Received: from hexa.lan (rrcs-66-91-142-162.west.biz.rr.com. [66.91.142.162]) by smtp.gmail.com with ESMTPSA id w8-20020a17090abc0800b0024b9e62c1d9sm4443811pjr.41.2023.04.30.09.26.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Apr 2023 09:26:22 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 7/9] curl: Security fix CVE-2023-27533, CVE-2023-27535 and CVE-2023-27536 Date: Sun, 30 Apr 2023 06:25:58 -1000 Message-Id: <08ffa2437967a642a4c8e35e2158bb369454764a.1682871869.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Apr 2023 16:26:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180579 From: Vijay Anusuri Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches?h=ubuntu/focal-security & https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684 & https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 & https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c & https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1 & https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2023-27533.patch | 59 +++++ .../curl/curl/CVE-2023-27535-pre1.patch | 236 ++++++++++++++++++ .../curl/curl/CVE-2023-27535.patch | 170 +++++++++++++ .../curl/curl/CVE-2023-27536.patch | 55 ++++ meta/recipes-support/curl/curl_7.69.1.bb | 4 + 5 files changed, 524 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27533.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch diff --git a/meta/recipes-support/curl/curl/CVE-2023-27533.patch b/meta/recipes-support/curl/curl/CVE-2023-27533.patch new file mode 100644 index 0000000000..64ba135056 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch @@ -0,0 +1,59 @@ +Backport of: + +From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27533.patch?h=ubuntu/focal-security +Upstream commit https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684] +CVE: CVE-2023-27533 +Signed-off-by: Vijay Anusuri +--- + lib/telnet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -815,6 +815,17 @@ static void printsub(struct Curl_easy *d + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct connectdata *conn) + { + struct curl_slist *head; +@@ -829,6 +840,8 @@ static CURLcode check_telnet_options(str + /* Add the user name as an environment variable if it + was given on the command line */ + if(conn->bits.user_passwd) { ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { +@@ -844,6 +857,9 @@ static CURLcode check_telnet_options(str + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { + ++ if(str_is_nonascii(option_arg)) ++ continue; ++ + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { + strncpy(tn->subopt_ttype, option_arg, 31); diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch new file mode 100644 index 0000000000..034b72f7e6 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch @@ -0,0 +1,236 @@ +From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 00:49:10 +0200 +Subject: [PATCH] strcase: add and use Curl_timestrcmp + +This is a strcmp() alternative function for comparing "secrets", +designed to take the same time no matter the content to not leak +match/non-match info to observers based on how fast it is. + +The time this function takes is only a function of the shortest input +string. + +Reported-by: Trail of Bits + +Closes #9658 + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 & https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] +Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp. +Signed-off-by: Vijay Anusuri +--- + lib/netrc.c | 6 +++--- + lib/strcase.c | 22 ++++++++++++++++++++++ + lib/strcase.h | 1 + + lib/url.c | 33 +++++++++++++-------------------- + lib/vauth/digest_sspi.c | 4 ++-- + lib/vtls/vtls.c | 21 ++++++++++++++++++++- + 6 files changed, 61 insertions(+), 26 deletions(-) + +diff --git a/lib/netrc.c b/lib/netrc.c +index 9323913..fe3fd1e 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -124,9 +124,9 @@ static int parsenetrc(const char *host, + /* we are now parsing sub-keywords concerning "our" host */ + if(state_login) { + if(specific_login) { +- state_our_login = strcasecompare(login, tok); ++ state_our_login = !Curl_timestrcmp(login, tok); + } +- else if(!login || strcmp(login, tok)) { ++ else if(!login || Curl_timestrcmp(login, tok)) { + if(login_alloc) { + free(login); + login_alloc = FALSE; +@@ -142,7 +142,7 @@ static int parsenetrc(const char *host, + } + else if(state_password) { + if((state_our_login || !specific_login) +- && (!password || strcmp(password, tok))) { ++ && (!password || Curl_timestrcmp(password, tok))) { + if(password_alloc) { + free(password); + password_alloc = FALSE; +diff --git a/lib/strcase.c b/lib/strcase.c +index 70bf21c..ec776b3 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -261,6 +261,28 @@ bool Curl_safecmp(char *a, char *b) + return !a && !b; + } + ++/* ++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this ++ * function spends is a function of the shortest string, not of the contents. ++ */ ++int Curl_timestrcmp(const char *a, const char *b) ++{ ++ int match = 0; ++ int i = 0; ++ ++ if(a && b) { ++ while(1) { ++ match |= a[i]^b[i]; ++ if(!a[i] || !b[i]) ++ break; ++ i++; ++ } ++ } ++ else ++ return a || b; ++ return match; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index 8929a53..8077108 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -49,5 +49,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + + bool Curl_safecmp(char *a, char *b); ++int Curl_timestrcmp(const char *first, const char *second); + + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index 9f14a7b..dfbde3b 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -886,19 +886,10 @@ socks_proxy_info_matches(const struct proxy_info* data, + /* the user information is case-sensitive + or at least it is not defined as case-insensitive + see https://tools.ietf.org/html/rfc3986#section-3.2.1 */ +- if((data->user == NULL) != (needle->user == NULL)) +- return FALSE; +- /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(data->user && +- needle->user && +- strcmp(data->user, needle->user) != 0) +- return FALSE; +- if((data->passwd == NULL) != (needle->passwd == NULL)) +- return FALSE; ++ + /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(data->passwd && +- needle->passwd && +- strcmp(data->passwd, needle->passwd) != 0) ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) + return FALSE; + return TRUE; + } +@@ -1257,10 +1248,10 @@ ConnectionExists(struct Curl_easy *data, + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd) || +- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || +- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd) || ++ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) || ++ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -1326,8 +1317,8 @@ ConnectionExists(struct Curl_easy *data, + possible. (Especially we must not reuse the same connection if + partway through a handshake!) */ + if(wantNTLMhttp) { +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd)) { + + /* we prefer a credential match, but this is at least a connection + that can be reused and "upgraded" to NTLM */ +@@ -1348,8 +1339,10 @@ ConnectionExists(struct Curl_easy *data, + if(!check->http_proxy.user || !check->http_proxy.passwd) + continue; + +- if(strcmp(needle->http_proxy.user, check->http_proxy.user) || +- strcmp(needle->http_proxy.passwd, check->http_proxy.passwd)) ++ if(Curl_timestrcmp(needle->http_proxy.user, ++ check->http_proxy.user) || ++ Curl_timestrcmp(needle->http_proxy.passwd, ++ check->http_proxy.passwd)) + continue; + } + else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { +diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c +index a109056..3986386 100644 +--- a/lib/vauth/digest_sspi.c ++++ b/lib/vauth/digest_sspi.c +@@ -450,8 +450,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, + has changed then delete that context. */ + if((userp && !digest->user) || (!userp && digest->user) || + (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || +- (userp && digest->user && strcmp(userp, digest->user)) || +- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { ++ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || ++ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) { + if(digest->http_context) { + s_pSecFn->DeleteSecurityContext(digest->http_context); + Curl_safefree(digest->http_context); +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e8cb70f..70a9391 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -98,9 +98,15 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, + Curl_safecmp(data->issuercert, needle->issuercert) && + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && +- Curl_safecmp(data->egdsocket, needle->egdsocket) && ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ !Curl_timestrcmp(data->username, needle->username) && ++ !Curl_timestrcmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -117,6 +123,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_STRING(CApath); + CLONE_STRING(CAfile); +@@ -127,6 +136,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(cipher_list); + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); ++ CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -142,6 +156,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) + Curl_safefree(sslc->cipher_list); + Curl_safefree(sslc->cipher_list13); + Curl_safefree(sslc->pinned_key); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535.patch b/meta/recipes-support/curl/curl/CVE-2023-27535.patch new file mode 100644 index 0000000000..e38390a57c --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27535.patch @@ -0,0 +1,170 @@ +From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 17:47:06 +0100 +Subject: [PATCH] ftp: add more conditions for connection reuse + +Reported-by: Harry Sintonen +Closes #10730 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27535.patch?h=ubuntu/focal-security +Upstream commit https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1] +CVE: CVE-2023-27535 +Signed-off-by: Vijay Anusuri +--- + lib/ftp.c | 30 ++++++++++++++++++++++++++++-- + lib/ftp.h | 5 +++++ + lib/setopt.c | 2 +- + lib/url.c | 16 +++++++++++++++- + lib/urldata.h | 4 ++-- + 5 files changed, 51 insertions(+), 6 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 31a34e8..7a82a74 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -4059,6 +4059,10 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection) + } + + freedirs(ftpc); ++ free(ftpc->account); ++ ftpc->account = NULL; ++ free(ftpc->alternative_to_user); ++ ftpc->alternative_to_user = NULL; + free(ftpc->prevpath); + ftpc->prevpath = NULL; + free(ftpc->server_os); +@@ -4326,11 +4330,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) + struct Curl_easy *data = conn->data; + char *type; + struct FTP *ftp; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + +- conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1); ++ ftp = calloc(sizeof(struct FTP), 1); + if(NULL == ftp) + return CURLE_OUT_OF_MEMORY; + ++ /* clone connection related data that is FTP specific */ ++ if(data->set.str[STRING_FTP_ACCOUNT]) { ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); ++ if(!ftpc->account) { ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { ++ ftpc->alternative_to_user = ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); ++ if(!ftpc->alternative_to_user) { ++ Curl_safefree(ftpc->account); ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ conn->data->req.protop = ftp; ++ + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ + + /* FTP URLs support an extension like ";type=" that +@@ -4366,7 +4390,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn) + /* get some initial data into the ftp struct */ + ftp->transfer = FTPTRANSFER_BODY; + ftp->downloadsize = 0; +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ ++ ftpc->known_filesize = -1; /* unknown size for now */ ++ ftpc->use_ssl = data->set.use_ssl; ++ ftpc->ccc = data->set.ftp_ccc; + + return CURLE_OK; + } +diff --git a/lib/ftp.h b/lib/ftp.h +index 984347f..163dcb3 100644 +--- a/lib/ftp.h ++++ b/lib/ftp.h +@@ -116,6 +116,8 @@ struct FTP { + struct */ + struct ftp_conn { + struct pingpong pp; ++ char *account; ++ char *alternative_to_user; + char *entrypath; /* the PWD reply when we logged on */ + char **dirs; /* realloc()ed array for path components */ + int dirdepth; /* number of entries used in the 'dirs' array */ +@@ -141,6 +143,9 @@ struct ftp_conn { + ftpstate state; /* always use ftp.c:state() to change state! */ + ftpstate state_saved; /* transfer type saved to be reloaded after + data connection is established */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ ++ unsigned char ccc; /* ccc level for this connection */ + curl_off_t retr_size_saved; /* Size of retrieved file saved */ + char *server_os; /* The target server operating system. */ + curl_off_t known_filesize; /* file size is different from -1, if wildcard +diff --git a/lib/setopt.c b/lib/setopt.c +index 4d96f6b..a91bb70 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2126,7 +2126,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + arg = va_arg(param, long); + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) + return CURLE_BAD_FUNCTION_ARGUMENT; +- data->set.use_ssl = (curl_usessl)arg; ++ data->set.use_ssl = (unsigned char)arg; + break; + + case CURLOPT_SSL_OPTIONS: +diff --git a/lib/url.c b/lib/url.c +index dfbde3b..f84375c 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1257,10 +1257,24 @@ ConnectionExists(struct Curl_easy *data, + } + } + +- if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { ++#ifdef USE_SSH ++ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } ++#endif ++#ifndef CURL_DISABLE_FTP ++ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_FTP) { ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ ++ if(Curl_timestrcmp(needle->proto.ftpc.account, ++ check->proto.ftpc.account) || ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, ++ check->proto.ftpc.alternative_to_user) || ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) ++ continue; ++ } ++#endif + + if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) || + needle->bits.tunnel_proxy) { +diff --git a/lib/urldata.h b/lib/urldata.h +index 168f874..51b793b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1730,8 +1730,6 @@ struct UserDefined { + void *ssh_keyfunc_userp; /* custom pointer to callback */ + enum CURL_NETRC_OPTION + use_netrc; /* defined in include/curl.h */ +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! */ + long new_file_perms; /* Permissions to use when creating remote files */ + long new_directory_perms; /* Permissions to use when creating remote dirs */ + long ssh_auth_types; /* allowed SSH auth types */ +@@ -1851,6 +1849,8 @@ struct UserDefined { + BIT(http09_allowed); /* allow HTTP/0.9 responses */ + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some + recipients */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + }; + + struct Names { +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch new file mode 100644 index 0000000000..b04a77de25 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch @@ -0,0 +1,55 @@ +From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Reported-by: Harry Sintonen +Closes #10731 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5] +CVE: CVE-2023-27536 +Signed-off-by: Vijay Anusuri +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index f84375c..87f4eb0 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1257,6 +1257,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + #ifdef USE_SSH + else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) +@@ -1708,6 +1713,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/lib/urldata.h b/lib/urldata.h +index 51b793b..b8a611b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1118,6 +1118,7 @@ struct connectdata { + handle */ + BIT(sock_accepted); /* TRUE if the SECONDARYSOCKET was created with + accept() */ ++ long gssapi_delegation; /* inherited from set.gssapi_delegation */ + }; + + /* The end of connectdata. */ +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 46ee25da3a..32d18ddb3a 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -45,6 +45,10 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2023-23916.patch \ file://CVE-2023-27534.patch \ file://CVE-2023-27538.patch \ + file://CVE-2023-27533.patch \ + file://CVE-2023-27535-pre1.patch \ + file://CVE-2023-27535.patch \ + file://CVE-2023-27536.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" From patchwork Sun Apr 30 16:25:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 23198 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AE6E0C7EE21 for ; Sun, 30 Apr 2023 16:26:32 +0000 (UTC) Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46]) by mx.groups.io with SMTP id smtpd.web11.72239.1682871985520625194 for ; Sun, 30 Apr 2023 09:26:25 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=NF2BM0+D; spf=softfail (domain: sakoman.com, ip: 209.85.216.46, mailfrom: steve@sakoman.com) Received: by mail-pj1-f46.google.com with SMTP id 98e67ed59e1d1-2470e93ea71so1215294a91.0 for ; Sun, 30 Apr 2023 09:26:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682871984; x=1685463984; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=2+Da8MtLlBNuRTkYc/aBGlKmv2eRTCT2UdonhDdZJ1A=; b=NF2BM0+DPESy7AtMiaSEMb7ca+TIAUJNyhSCmxJDCRzendvL2Go8Ng3YWfKGKDMsgV EvXKzgh59H0XGU/gJfUuer0s/AMyOtuU3MBWc+s4Jj9tDeEgCjo1g2NiPjKPlZee9cf+ ihCZiDsMAuzfSTq41PdGZnXGDSfUmrMDStCvVRFoOD06sErij4rSbADQiuuwp+t0CcMw 3B+rEpOjy3cko6BBCBXCly0CpMinCrLcz+m8Qpb2PcrOKY6sBnEqRlMXNKVItWqm6Cpl nO5RAFEOzRD8PVWQUJLmokSMZL1U2Tfa6Ac5dy+dAjZQYhbvzg+jeMJcWlD6HrefStWP e+kA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682871984; x=1685463984; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=2+Da8MtLlBNuRTkYc/aBGlKmv2eRTCT2UdonhDdZJ1A=; b=Rim/Nlhw7JpjTOASa87RR7OG67vOfxoRBrIorlPB8N0j7cAGUOOrEr4vPtYb1v0WXN OTP7a8ig3pql1lmg4HsGkBfzKY7XsFqu9tPqmXSD562AoBzF7t0K7MzRX6ONbgZgiOkE lzqjAZRS7iH3xU852pv+WHeIpOBjxLLA6BBQoNjfNWht3Zm2ouds4RELn+q00Gvm+oKH uxknKP1gzUPJm+jBlzjLoyX78/39tn/Slr1umb4ocpg1kTTD/rPuX0e+SfenCWGmL2d9 JYa6C1OzKgUpbQCL6blFnNUPZ8wC/entWVdoceX4agpwCsAPhlAP3jrTtlsDp44hfo7U lYEQ== X-Gm-Message-State: AC+VfDxH9eqNI624wk1WVBGak9eCQj79txnRMWZI7O1SfICxEa2IMorG j3pJtYklIu0Q2KvAR+iNFFlgSDi1uLdmFwF/6Y8= X-Google-Smtp-Source: ACHHUZ4X4UDJB5AygW3cmKfkSdFKcmQsMt4WAWdxyRcAFzS9Agy8mXWNMQ3r+nkhj7/BYyB5d/zCWw== X-Received: by 2002:a17:90a:e610:b0:24d:ed4b:2e7e with SMTP id j16-20020a17090ae61000b0024ded4b2e7emr3010177pjy.32.1682871984351; Sun, 30 Apr 2023 09:26:24 -0700 (PDT) Received: from hexa.lan (rrcs-66-91-142-162.west.biz.rr.com. [66.91.142.162]) by smtp.gmail.com with ESMTPSA id w8-20020a17090abc0800b0024b9e62c1d9sm4443811pjr.41.2023.04.30.09.26.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Apr 2023 09:26:24 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 8/9] go: fix CVE-2023-24534 denial of service from excessive memory allocation Date: Sun, 30 Apr 2023 06:25:59 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Apr 2023 16:26:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180580 From: Vivek Kumbhar A parsed MIME header is a map[string][]string. In the common case, a header contains many one-element []string slices. To avoid allocating a separate slice for each key, ReadMIMEHeader looks ahead in the input to predict the number of keys that will be parsed, and allocates a single []string of that length. The individual slices are then allocated out of the larger one. The prediction of the number of header keys was done by counting newlines in the input buffer, which does not take into account header continuation lines (where a header key/value spans multiple lines) or the end of the header block and the start of the body. This could lead to a substantial amount of overallocation, for example when the body consists of nothing but a large block of newlines. Fix header key count prediction to take into account the end of the headers (indicated by a blank line) and continuation lines (starting with whitespace). Thanks to Jakob Ackermann (@das7pad) for reporting this issue. Fixes CVE-2023-24534 For #58975 Fixes #59267 Signed-off-by: Vivek Kumbhar Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2023-24534.patch | 200 ++++++++++++++++++ 2 files changed, 201 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index b1d7bc155a..3b99b8fe7e 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -57,6 +57,7 @@ SRC_URI += "\ file://CVE-2022-41722-2.patch \ file://CVE-2020-29510.patch \ file://CVE-2023-24537.patch \ + file://CVE-2023-24534.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch new file mode 100644 index 0000000000..d50db04bed --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch @@ -0,0 +1,200 @@ +From d6759e7a059f4208f07aa781402841d7ddaaef96 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Fri, 10 Mar 2023 14:21:05 -0800 +Subject: [PATCH] [release-branch.go1.19] net/textproto: avoid overpredicting + the number of MIME header keys + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802452 +Run-TryBot: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-by: Julie Qiu +(cherry picked from commit f739f080a72fd5b06d35c8e244165159645e2ed6) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802393 +Reviewed-by: Damien Neil +Run-TryBot: Roland Shoemaker +Change-Id: I675451438d619a9130360c56daf529559004903f +Reviewed-on: https://go-review.googlesource.com/c/go/+/481982 +Run-TryBot: Michael Knyszek +TryBot-Result: Gopher Robot +Reviewed-by: Matthew Dempsky +Auto-Submit: Michael Knyszek + +Upstream-Status: Backport [https://github.com/golang/go/commit/d6759e7a059f4208f07aa781402841d7ddaaef96] +CVE: CVE-2023-24534 +Signed-off-by: Vivek Kumbhar +--- + src/bytes/bytes.go | 13 +++++++ + src/net/textproto/reader.go | 31 +++++++++++------ + src/net/textproto/reader_test.go | 59 ++++++++++++++++++++++++++++++++ + 3 files changed, 92 insertions(+), 11 deletions(-) + +diff --git a/src/bytes/bytes.go b/src/bytes/bytes.go +index e872cc2..1f0d760 100644 +--- a/src/bytes/bytes.go ++++ b/src/bytes/bytes.go +@@ -1078,6 +1078,19 @@ func Index(s, sep []byte) int { + return -1 + } + ++// Cut slices s around the first instance of sep, ++// returning the text before and after sep. ++// The found result reports whether sep appears in s. ++// If sep does not appear in s, cut returns s, nil, false. ++// ++// Cut returns slices of the original slice s, not copies. ++func Cut(s, sep []byte) (before, after []byte, found bool) { ++ if i := Index(s, sep); i >= 0 { ++ return s[:i], s[i+len(sep):], true ++ } ++ return s, nil, false ++} ++ + func indexRabinKarp(s, sep []byte) int { + // Rabin-Karp search + hashsep, pow := hashStr(sep) +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index a505da9..8d547fe 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -486,8 +487,11 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) { + // large one ahead of time which we'll cut up into smaller + // slices. If this isn't big enough later, we allocate small ones. + var strs []string +- hint := r.upcomingHeaderNewlines() ++ hint := r.upcomingHeaderKeys() + if hint > 0 { ++ if hint > 1000 { ++ hint = 1000 // set a cap to avoid overallocation ++ } + strs = make([]string, hint) + } + +@@ -562,9 +566,11 @@ func mustHaveFieldNameColon(line []byte) error { + return nil + } + +-// upcomingHeaderNewlines returns an approximation of the number of newlines ++var nl = []byte("\n") ++ ++// upcomingHeaderKeys returns an approximation of the number of keys + // that will be in this header. If it gets confused, it returns 0. +-func (r *Reader) upcomingHeaderNewlines() (n int) { ++func (r *Reader) upcomingHeaderKeys() (n int) { + // Try to determine the 'hint' size. + r.R.Peek(1) // force a buffer load if empty + s := r.R.Buffered() +@@ -572,17 +578,20 @@ func (r *Reader) upcomingHeaderNewlines() (n int) { + return + } + peek, _ := r.R.Peek(s) +- for len(peek) > 0 { +- i := bytes.IndexByte(peek, '\n') +- if i < 3 { +- // Not present (-1) or found within the next few bytes, +- // implying we're at the end ("\r\n\r\n" or "\n\n") +- return ++ for len(peek) > 0 && n < 1000 { ++ var line []byte ++ line, peek, _ = bytes.Cut(peek, nl) ++ if len(line) == 0 || (len(line) == 1 && line[0] == '\r') { ++ // Blank line separating headers from the body. ++ break ++ } ++ if line[0] == ' ' || line[0] == '\t' { ++ // Folded continuation of the previous line. ++ continue + } + n++ +- peek = peek[i+1:] + } +- return ++ return n + } + + // CanonicalMIMEHeaderKey returns the canonical format of the +diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 3124d43..3ae0de1 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -9,6 +9,7 @@ import ( + "bytes" + "io" + "reflect" ++ "runtime" + "strings" + "testing" + ) +@@ -127,6 +128,42 @@ func TestReadMIMEHeaderSingle(t *testing.T) { + } + } + ++// TestReaderUpcomingHeaderKeys is testing an internal function, but it's very ++// difficult to test well via the external API. ++func TestReaderUpcomingHeaderKeys(t *testing.T) { ++ for _, test := range []struct { ++ input string ++ want int ++ }{{ ++ input: "", ++ want: 0, ++ }, { ++ input: "A: v", ++ want: 1, ++ }, { ++ input: "A: v\r\nB: v\r\n", ++ want: 2, ++ }, { ++ input: "A: v\nB: v\n", ++ want: 2, ++ }, { ++ input: "A: v\r\n continued\r\n still continued\r\nB: v\r\n\r\n", ++ want: 2, ++ }, { ++ input: "A: v\r\n\r\nB: v\r\nC: v\r\n", ++ want: 1, ++ }, { ++ input: "A: v" + strings.Repeat("\n", 1000), ++ want: 1, ++ }} { ++ r := reader(test.input) ++ got := r.upcomingHeaderKeys() ++ if test.want != got { ++ t.Fatalf("upcomingHeaderKeys(%q): %v; want %v", test.input, got, test.want) ++ } ++ } ++} ++ + func TestReadMIMEHeaderNoKey(t *testing.T) { + r := reader(": bar\ntest-1: 1\n\n") + m, err := r.ReadMIMEHeader() +@@ -223,6 +260,28 @@ func TestReadMIMEHeaderTrimContinued(t *testing.T) { + } + } + ++// Test that reading a header doesn't overallocate. Issue 58975. ++func TestReadMIMEHeaderAllocations(t *testing.T) { ++ var totalAlloc uint64 ++ const count = 200 ++ for i := 0; i < count; i++ { ++ r := reader("A: b\r\n\r\n" + strings.Repeat("\n", 4096)) ++ var m1, m2 runtime.MemStats ++ runtime.ReadMemStats(&m1) ++ _, err := r.ReadMIMEHeader() ++ if err != nil { ++ t.Fatalf("ReadMIMEHeader: %v", err) ++ } ++ runtime.ReadMemStats(&m2) ++ totalAlloc += m2.TotalAlloc - m1.TotalAlloc ++ } ++ // 32k is large and we actually allocate substantially less, ++ // but prior to the fix for #58975 we allocated ~400k in this case. ++ if got, want := totalAlloc/count, uint64(32768); got > want { ++ t.Fatalf("ReadMIMEHeader allocated %v bytes, want < %v", got, want) ++ } ++} ++ + type readResponseTest struct { + in string + inCode int +-- +2.25.1 From patchwork Sun Apr 30 16:26:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 23197 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AD827C77B60 for ; Sun, 30 Apr 2023 16:26:32 +0000 (UTC) Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) by mx.groups.io with SMTP id smtpd.web11.72228.1682871974660663664 for ; Sun, 30 Apr 2023 09:26:27 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@sakoman-com.20221208.gappssmtp.com header.s=20221208 header.b=SeGQbYKr; spf=softfail (domain: sakoman.com, ip: 209.85.216.44, mailfrom: steve@sakoman.com) Received: by mail-pj1-f44.google.com with SMTP id 98e67ed59e1d1-24b89b9a72cso1200975a91.1 for ; Sun, 30 Apr 2023 09:26:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20221208.gappssmtp.com; s=20221208; t=1682871986; x=1685463986; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=+XI2qiVstMq/uLeXnE2JTRl0DsbVgaA95H50pkETksw=; b=SeGQbYKrT9IZ/uinIVJb9KrwTnaQqxX5lJtkBNYKnVSekMIn7vaaUNqFRy5m+lA/k+ oL/dhtWK3Zi63oDtQKCLdcWvS41Bs5rg2nXNurxOqD+PADMLZgF8jJISWOegdyyMF2bO pqD8foXuY39tzu82xWG3qz2rzBP9wuAXC6CdJBtWmaxHnAijdrwpglOfixCt42TkeYj8 SBVtcAAoxr+UWbABtij8MP8E69sJuWT8aHniXvkxuZZFFtnApLTQAcuPadzjee+TnINK OJfBtsG6zsUKDch0rQ9WAHCDFlUqmFEzpj7LshXuDwCAW6Ql7iqaPJnPkvB7Weh6h5em 4XWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682871986; x=1685463986; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+XI2qiVstMq/uLeXnE2JTRl0DsbVgaA95H50pkETksw=; b=Sfp+YJax10Lg8zmaJQPvNlwcmPAm24wMjtezSxV8iVhjCJ6U4Es3m8k9+i6DBD3YzH metjHSYsYofbbyfTQ99F4oWKX+nOA6aTgpjHqgrF/P0uQqjA50PtdmOpypYwM/D7NJ4W bqQIOLqcMOU7m8uDlW7DA1WGlbntJ0IpFkpimvLb7re7L2i2EERmnWhryCC8qUNuagxu K+Al8Q2oNelPrKOPdSzvFsxhMZVSQDv2n2igpzuouwQnId5CrYT+tpRHFE5+Q+jv7b1W i2Z24kLCGj1q7uSCcrbhTeGwNojNYs/uQ/I9bApCoOntYN7n4i0I3WB8S2bul1mGtla4 fIJw== X-Gm-Message-State: AC+VfDyzm7UnhcfsAnxHbi4zziFaUDDQ7JVZdJRznSRD58vbsuZlOAfB GCOjevevA+gj0pe7b4Tv4Xj5oUsw3CnP8BaX2Yo= X-Google-Smtp-Source: ACHHUZ78/cKJB/6xSN7ctPpLk4jtyAAC/Hzgl1gktEcFOmbO8ncOZkOSwiOcID4F4VvHwBTV0PthfA== X-Received: by 2002:a17:90a:d3d5:b0:24b:b22d:c78c with SMTP id d21-20020a17090ad3d500b0024bb22dc78cmr11896503pjw.9.1682871986198; Sun, 30 Apr 2023 09:26:26 -0700 (PDT) Received: from hexa.lan (rrcs-66-91-142-162.west.biz.rr.com. [66.91.142.162]) by smtp.gmail.com with ESMTPSA id w8-20020a17090abc0800b0024b9e62c1d9sm4443811pjr.41.2023.04.30.09.26.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 30 Apr 2023 09:26:25 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 9/9] populate_sdk_base: add zip options Date: Sun, 30 Apr 2023 06:26:00 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sun, 30 Apr 2023 16:26:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180581 From: Christoph Lauer Add SDK_ZIP_OPTIONS to remove symbolic link creation in zip archive or add options, e.g. for encryption of the zip archive. (From OE-Core rev: 04b62f9459b401c276255f166d0738b6f902a576) Signed-off-by: Christoph Lauer Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie Signed-off-by: Steve Sakoman --- meta/classes/populate_sdk_base.bbclass | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/meta/classes/populate_sdk_base.bbclass b/meta/classes/populate_sdk_base.bbclass index 396792f0f7..49fdfaa93d 100644 --- a/meta/classes/populate_sdk_base.bbclass +++ b/meta/classes/populate_sdk_base.bbclass @@ -51,6 +51,8 @@ TOOLCHAIN_OUTPUTNAME ?= "${SDK_NAME}-toolchain-${SDK_VERSION}" SDK_ARCHIVE_TYPE ?= "tar.xz" SDK_XZ_COMPRESSION_LEVEL ?= "-9" SDK_XZ_OPTIONS ?= "${XZ_DEFAULTS} ${SDK_XZ_COMPRESSION_LEVEL}" +SDK_ZIP_OPTIONS ?= "-y" + # To support different sdk type according to SDK_ARCHIVE_TYPE, now support zip and tar.xz python () { @@ -58,7 +60,7 @@ python () { d.setVar('SDK_ARCHIVE_DEPENDS', 'zip-native') # SDK_ARCHIVE_CMD used to generate archived sdk ${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE} from input dir ${SDK_OUTPUT}/${SDKPATH} to output dir ${SDKDEPLOYDIR} # recommand to cd into input dir first to avoid archive with buildpath - d.setVar('SDK_ARCHIVE_CMD', 'cd ${SDK_OUTPUT}/${SDKPATH}; zip -r -y ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE} .') + d.setVar('SDK_ARCHIVE_CMD', 'cd ${SDK_OUTPUT}/${SDKPATH}; zip -r ${SDK_ZIP_OPTIONS} ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE} .') else: d.setVar('SDK_ARCHIVE_DEPENDS', 'xz-native') d.setVar('SDK_ARCHIVE_CMD', 'cd ${SDK_OUTPUT}/${SDKPATH}; tar ${SDKTAROPTS} -cf - . | xz ${SDK_XZ_OPTIONS} > ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE}')